From 4cea764f3d43217b9b7046310fc1567c4d63c01e Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 21 May 2015 23:22:16 +0100 Subject: [PATCH] Fix DANE for multiple-MX when all TLSA lookup defer. Bug 1634 --- src/src/dns.c | 2 +- src/src/transports/smtp.c | 20 ++++++++++++-------- test/dnszones-src/db.test.ex | 22 +++++++++++++++++----- test/log/5840 | 7 +++++++ test/scripts/5840-DANE-OpenSSL/5840 | 12 ++++++++++++ 5 files changed, 49 insertions(+), 14 deletions(-) diff --git a/src/src/dns.c b/src/src/dns.c index 6358eada6..4ca349cd1 100644 --- a/src/src/dns.c +++ b/src/src/dns.c @@ -137,7 +137,7 @@ if (stat(CS utilname, &statbuf) >= 0) } else { - DEBUG(D_dns) debug_printf("fakens (%s) not found\n", utilname); + DEBUG(D_dns) debug_printf("fakens (%s) not found\n", utilname); } /* fakens utility not found, or it returned "pass on" */ diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 986fcee6f..477e7b3bf 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -1468,12 +1468,20 @@ if (continue_hostname == NULL) ) && (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK ) - return rc; + { + set_errno(addrlist, ERRNO_DNSDEFER, + string_sprintf("DANE error: tlsa lookup %s", + rc == DEFER ? "DEFER" : "FAIL"), + rc, FALSE, NULL); + return rc; + } } else if (dane_required) { - log_write(0, LOG_MAIN, "DANE error: %s lookup not DNSSEC", host->name); - return FAIL; + set_errno(addrlist, ERRNO_DNSDEFER, + string_sprintf("DANE error: %s lookup not DNSSEC", host->name), + FAIL, FALSE, NULL); + return FAIL; } if (dane) @@ -3690,16 +3698,12 @@ for (cutoff_retry = 0; expired && case, see if any of them are deferred. */ if (rc == OK) - { - for (addr = addrlist; addr != NULL; addr = addr->next) - { + for (addr = addrlist; addr; addr = addr->next) if (addr->transport_return == DEFER) { some_deferred = TRUE; break; } - } - } /* If no addresses deferred or the result was ERROR, return. We do this for ERROR because a failing filter set-up or add_headers expansion is likely to diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex index 4acadce4d..09e84fee0 100644 --- a/test/dnszones-src/db.test.ex +++ b/test/dnszones-src/db.test.ex @@ -414,19 +414,31 @@ AA a-aa A V4NET.0.0.100 ; ------- Testing DANE ------------ ; full suite dns chain, sha512 -DNSSEC mxdane512ee MX 1 dane512ee. -DNSSEC dane512ee A HOSTIPV4 +DNSSEC mxdane512ee MX 1 dane512ee +DNSSEC dane512ee A HOSTIPV4 DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d ; A-only, sha256 -DNSSEC dane256ee A HOSTIPV4 +DNSSEC dane256ee A HOSTIPV4 DNSSEC _1225._tcp.dane256ee TLSA 3 1 1 2bb55f418bb03411a5007cecbfcd3ec1c94404312c0d53a44bb2166b32654db3 ; full MX, sha256, TA-mode -DNSSEC mxdane256ta MX 1 dane256ta. -DNSSEC dane256ta A HOSTIPV4 +DNSSEC mxdane256ta MX 1 dane256ta +DNSSEC dane256ta A HOSTIPV4 DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 b2c6f27f2d16390b4f71cacc69742bf610d750534fab240516c0f2deb4042ad4 +; ------- Testing DANE ------------ + +; full suite dns chain, sha512 +DNSSEC mxdanelazy MX 1 danelazy +DNSSEC mxdanelazy MX 2 danelazy2 + +DNSSEC danelazy A HOSTIPV4 +DNSSEC danelazy2 A 127.0.0.1 + +DNSSEC _1225._tcp.danelazy CNAME test.again.dns. +DNSSEC _1225._tcp.danelazy2 CNAME test.again.dns. + ; ------- Testing delays ------------ DELAY=500 delay500 A HOSTIPV4 diff --git a/test/log/5840 b/test/log/5840 index 24d6e89e2..30bed39fc 100644 --- a/test/log/5840 +++ b/test/log/5840 @@ -23,6 +23,12 @@ 1999-03-02 09:44:33 10HmbF-0005vi-00 => CALLER@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00" 1999-03-02 09:44:33 10HmbF-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdanelazy.test.ex +1999-03-02 09:44:33 Start queue run: pid=pppp -qf +1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy.test.ex [ip4.ip4.ip4.ip4]: DANE error: tlsa lookup DEFER +1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER +1999-03-02 09:44:33 10HmbH-0005vi-00 == CALLER@mxdanelazy.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER +1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 @@ -44,3 +50,4 @@ 1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex for CALLER@thishost.test.ex 1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbG-0005vi-00 Completed +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840 index deff4a6a4..e031b5d8f 100644 --- a/test/scripts/5840-DANE-OpenSSL/5840 +++ b/test/scripts/5840-DANE-OpenSSL/5840 @@ -54,3 +54,15 @@ exim -DOPT=no_certname -qf **** killdaemon # +# +# A server with two MXs for which both TLSA lookups return defer +exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D +**** +# TLSA (3 1 2) +exim -odq CALLER@mxdanelazy.test.ex +Testing +**** +exim -qf +**** +killdaemon +no_msglog_check -- 2.25.1