Commit | Line | Data |
---|---|---|
12ee8cf9 JH | 1 | # DANE client: general |
12ee8cf9 | 2 | # |
899b8bbc JH | 3 | exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D |
899b8bbc | 4 | **** |
570cb1bd | 5 | ### TLSA (3 1 1) (DANE-EE SPKI SHA2-256) |
899b8bbc JH | 6 | exim -odq CALLER@dane256ee.test.ex |
899b8bbc | 7 | Testing |
12ee8cf9 | 8 | **** |
570cb1bd | 9 | ### TLSA (3 1 2) ( SHA2-512) |
899b8bbc | 10 | exim -odq CALLER@mxdane512ee.test.ex |
12ee8cf9 JH | 11 | Testing |
12ee8cf9 | 12 | **** |
12ee8cf9 | 13 | exim -qf |
12ee8cf9 | 14 | **** |
899b8bbc JH | 15 | # |
899b8bbc | 16 | # |
899b8bbc | 17 | ### Recipient callout |
899b8bbc | 18 | exim -DOPT=callout -bhc 127.0.0.1 |
899b8bbc | 19 | MAIL FROM: <CALLER@myhost.test.ex> |
899b8bbc | 20 | RCPT TO: <rcptuser@dane256ee.test.ex> |
899b8bbc | 21 | **** |
899b8bbc | 22 | killdaemon |
899b8bbc | 23 | # |
899b8bbc | 24 | # |
899b8bbc | 25 | exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D |
899b8bbc | 26 | **** |
570cb1bd | 27 | ### TLSA (2 0 1) (DANE-TA CERT SHA2-256) |
899b8bbc JH | 28 | exim -odf CALLER@mxdane256ta.test.ex |
899b8bbc | 29 | Testing |
899b8bbc | 30 | **** |
899b8bbc | 31 | killdaemon |
899b8bbc | 32 | # |
899b8bbc | 33 | # |
899b8bbc | 34 | ### A server with a nonverifying cert and no TLSA |
899b8bbc | 35 | # Check we get a non-CV but TLS connection, with try_dane but no require_dane |
899b8bbc | 36 | exim -DSERVER=server -DDETAILS=no -bd -oX PORT_D |
899b8bbc | 37 | **** |
899b8bbc | 38 | exim -odf CALLER@thishost.test.ex |
899b8bbc | 39 | Testing |
899b8bbc | 40 | **** |
12ee8cf9 | 41 | killdaemon |
899b8bbc JH | 42 | # |
899b8bbc | 43 | ### A server with a verifying cert and no TLSA |
899b8bbc | 44 | # Check we get a CV and TLS connection, with try_dane but no require_dane |
899b8bbc | 45 | exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D |
899b8bbc | 46 | **** |
570cb1bd | 47 | exim -odf -DDETAILS=ca CALLER@thishost.test.ex |
899b8bbc JH | 48 | Testing |
899b8bbc | 49 | **** |
899b8bbc | 50 | exim -DOPT=no_certname -qf |
899b8bbc | 51 | **** |
899b8bbc | 52 | killdaemon |
899b8bbc | 53 | # |
899b8bbc | 54 | # |
899b8bbc | 55 | exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D |
899b8bbc | 56 | **** |
899b8bbc | 57 | ### A server with two MXs for which both TLSA lookups return defer (delivery should defer) |
899b8bbc | 58 | exim -odq CALLER@mxdanelazy.test.ex |
899b8bbc | 59 | Testing |
899b8bbc | 60 | **** |
899b8bbc | 61 | ### A server lacking a TLSA, dane required (should fail) |
899b8bbc | 62 | exim -odq CALLER@dane.no.1.test.ex |
899b8bbc | 63 | Testing |
899b8bbc | 64 | **** |
899b8bbc | 65 | ### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC) |
899b8bbc | 66 | exim -odq CALLER@dane.no.2.test.ex |
899b8bbc | 67 | Testing |
899b8bbc | 68 | **** |
899b8bbc | 69 | ### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer) |
899b8bbc | 70 | exim -odq CALLER@danebroken1.test.ex |
899b8bbc | 71 | Testing |
899b8bbc | 72 | **** |
899b8bbc | 73 | ### A server securely saying "no TLSA records here", dane required (delivery should fail) |
899b8bbc | 74 | exim -odq CALLER@dane.no.3.test.ex |
899b8bbc | 75 | Testing |
899b8bbc | 76 | **** |
899b8bbc | 77 | ### A server securely saying "no TLSA records here", dane requested only (should deliver) |
899b8bbc | 78 | exim -odq CALLER@dane.no.4.test.ex |
899b8bbc | 79 | Testing |
899b8bbc | 80 | **** |
899b8bbc | 81 | exim -qf |
12ee8cf9 | 82 | **** |
899b8bbc JH | 83 | # |
899b8bbc | 84 | ### A server securely serving a wrong TLSA record, dane requested only (delivery should fail) |
899b8bbc | 85 | exim -odf CALLER@danebroken2.test.ex |
899b8bbc | 86 | Testing |
899b8bbc | 87 | **** |
899b8bbc | 88 | ### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE) |
899b8bbc | 89 | exim -odf CALLER@danebroken3.test.ex |
899b8bbc | 90 | Testing |
899b8bbc | 91 | **** |
899b8bbc | 92 | ### A server insecurely serving a good TLSA record, dane required (delivery should fail) |
899b8bbc | 93 | exim -odf CALLER@danebroken4.test.ex |
899b8bbc | 94 | Testing |
899b8bbc | 95 | **** |
899b8bbc | 96 | ### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) |
899b8bbc | 97 | exim -odf CALLER@danebroken5.test.ex |
899b8bbc | 98 | Testing |
899b8bbc | 99 | **** |
899b8bbc | 100 | ### A server insecurely serving a good A record, dane required (delivery should fail) |
899b8bbc | 101 | exim -odf CALLER@danebroken6.test.ex |
899b8bbc | 102 | Testing |
899b8bbc | 103 | **** |
899b8bbc | 104 | # |
94c13285 | 105 | ### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode) |
59c0959a | 106 | # that way round to exercise more code in the implementation |
94c13285 JH | 107 | exim -odf CALLER@danemixed.test.ex |
94c13285 | 108 | Testing |
94c13285 | 109 | **** |
94c13285 | 110 | # |
899b8bbc | 111 | killdaemon |
94c13285 JH | 112 | # |
94c13285 | 113 | # |
94c13285 | 114 | # |
28646fa9 JH | 115 | ### A server with a name not matching the cert. TA-mode; should fail |
28646fa9 | 116 | exim -DSERVER=server -DDETAILS=cert.net -bd -oX PORT_D |
28646fa9 | 117 | **** |
28646fa9 | 118 | exim -odf CALLER@danebroken7.example.com |
28646fa9 | 119 | Testing |
28646fa9 | 120 | **** |
28646fa9 | 121 | # |
28646fa9 | 122 | ### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode |
28646fa9 | 123 | exim -odf CALLER@danebroken8.example.com |
28646fa9 | 124 | Testing |
28646fa9 | 125 | **** |
59c0959a JH | 126 | killdaemon |
59c0959a | 127 | # |
28646fa9 | 128 | # |
59c0959a JH | 129 | sudo rm DIR/spool/db/retry |
59c0959a | 130 | exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D |
59c0959a | 131 | **** |
59c0959a | 132 | ### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane) |
59c0959a | 133 | exim -odf -DCONTROL=: CALLER@danebroken2.test.ex |
59c0959a | 134 | **** |
28646fa9 | 135 | killdaemon |
59c0959a | 136 | # |
899b8bbc | 137 | no_msglog_check |