Commit | Line | Data |
---|---|---|
12ee8cf9 JH |
1 | # DANE client: general |
2 | # | |
82525c6f | 3 | exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D |
12ee8cf9 | 4 | **** |
59c0959a | 5 | ### TLSA (3 1 1) (DANE-EE SPKI SHA2-256) |
feb5343a | 6 | exim -odq t1@dane256ee.test.ex |
101de477 JH |
7 | Testing |
8 | **** | |
59c0959a | 9 | ### TLSA (3 1 2) (DANE-EE SPKI SHA2-512) |
feb5343a | 10 | exim -odq t2@mxdane512ee.test.ex |
12ee8cf9 JH |
11 | Testing |
12 | **** | |
401a8935 | 13 | exim -qf |
12ee8cf9 | 14 | **** |
bf7aabb4 JH |
15 | # |
16 | # | |
cfe93a95 | 17 | ### Recipient callout |
bf7aabb4 | 18 | exim -DOPT=callout -bhc 127.0.0.1 |
feb5343a | 19 | MAIL FROM: <t3@myhost.test.ex> |
cfe93a95 | 20 | RCPT TO: <rcptuser@dane256ee.test.ex> |
bf7aabb4 | 21 | **** |
12ee8cf9 | 22 | killdaemon |
82525c6f JH |
23 | # |
24 | # | |
25 | exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D | |
26 | **** | |
59c0959a | 27 | ### TLSA (2 0 1) (DANE-TA CERT SHA2-256) |
feb5343a | 28 | exim -odf t4@mxdane256ta.test.ex |
82525c6f JH |
29 | Testing |
30 | **** | |
854586e1 JH |
31 | killdaemon |
32 | # | |
899b8bbc | 33 | # OpenSSL-specific regression testcase: certificate having Authority Key ID extension |
854586e1 JH |
34 | exim -DSERVER=server -DCERT=DIR/aux-fixed/exim-ca/example.com/server2.example.com/fullchain.pem -DALLOW=DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key -bd -oX PORT_D |
35 | **** | |
36 | ### TLSA (2 1 1) (DANE-TA SPKI SHA2-256) | |
feb5343a | 37 | exim -odf t5@mxdane256tak.test.ex |
854586e1 | 38 | Testing |
82525c6f JH |
39 | **** |
40 | killdaemon | |
281e72e4 | 41 | # |
cfe93a95 | 42 | ### A server with a nonverifying cert and no TLSA |
281e72e4 JH |
43 | # Check we get a TLS connection that is not certificate-verified (non-CV), with try_dane but no require_dane |
44 | exim -DSERVER=server -DDETAILS=no -bd -oX PORT_D | |
45 | **** | |
feb5343a | 46 | exim -odf t6@thishost.test.ex |
281e72e4 | 47 | Testing |
12ee8cf9 | 48 | **** |
281e72e4 JH |
49 | killdaemon |
50 | # | |
cfe93a95 | 51 | ### A server with a verifying cert and no TLSA |
281e72e4 JH |
52 | # Check we get a certificate-verified (CV) TLS connection, with try_dane but no require_dane |
53 | exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D | |
54 | **** | |
feb5343a | 55 | exim -odf -DDETAILS=ca t7@thishost.test.ex |
281e72e4 JH |
56 | Testing |
57 | **** | |
01a4a5c5 | 58 | exim -DOPT=no_certname -qf |
281e72e4 JH |
59 | **** |
60 | killdaemon | |
61 | # | |
4cea764f | 62 | # |
4cea764f JH |
63 | exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D |
64 | **** | |
899b8bbc | 65 | ### A server with two MXs for which both TLSA lookups return defer (delivery should defer) |
feb5343a | 66 | exim -odq t8@mxdanelazy.test.ex |
4cea764f JH |
67 | Testing |
68 | **** | |
b7e4352c | 69 | ### A server lacking a TLSA, dane required (should fail) |
feb5343a | 70 | exim -odq t9@dane.no.1.test.ex |
6aa849d3 JH |
71 | Testing |
72 | **** | |
899b8bbc | 73 | ### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC-secured) |
feb5343a | 74 | exim -odq t10@dane.no.2.test.ex |
6aa849d3 JH |
75 | Testing |
76 | **** | |
899b8bbc | 77 | ### A server where the A record is DNSSEC-secured and the TLSA lookup _fails_ (delivery should defer, not fall back to non-DANE) |
feb5343a | 78 | exim -odq t11@danebroken1.test.ex |
b7e4352c JH |
79 | Testing |
80 | **** | |
899b8bbc | 81 | ### A server securely saying "no TLSA records here", dane required (delivery should fail) |
feb5343a | 82 | exim -odq t12@dane.no.3.test.ex |
ce889807 JH |
83 | Testing |
84 | **** | |
899b8bbc | 85 | ### A server securely saying "no TLSA records here", dane requested only (should deliver) |
feb5343a | 86 | exim -odq t13@dane.no.4.test.ex |
ce889807 JH |
87 | Testing |
88 | **** | |
4cea764f JH |
89 | exim -qf |
90 | **** | |
feb5343a JH |
91 | exim -Mrm $msg1 $msg2 |
92 | **** | |
899b8bbc JH |
93 | # |
94 | ### A server securely serving a wrong TLSA record, dane requested only (delivery should fail) | |
feb5343a JH |
95 | #XXX it actually defers rather than failing. |
96 | exim -odf t14@danebroken2.test.ex | |
899b8bbc JH |
97 | Testing |
98 | **** | |
99 | ### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE) | |
feb5343a | 100 | exim -odf t15@danebroken3.test.ex |
899b8bbc JH |
101 | Testing |
102 | **** | |
103 | ### A server insecurely serving a good TLSA record, dane required (delivery should fail) | |
feb5343a | 104 | exim -odf t16@danebroken4.test.ex |
899b8bbc JH |
105 | Testing |
106 | **** | |
107 | ### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE) | |
feb5343a | 108 | exim -odf t17@danebroken5.test.ex |
899b8bbc JH |
109 | Testing |
110 | **** | |
111 | ### A server insecurely serving a good A record, dane required (delivery should fail) | |
feb5343a | 112 | exim -odf t18@danebroken6.test.ex |
899b8bbc JH |
113 | Testing |
114 | **** | |
115 | # | |
4cea764f | 116 | killdaemon |
59c0959a JH |
117 | # |
118 | # | |
119 | # | |
28646fa9 JH |
120 | ### A server with a name not matching the cert. TA-mode; should fail (DANE-TA still requires the certificate name to match) |
121 | exim -DSERVER=server -DDETAILS=cert.net -bd -oX PORT_D | |
122 | **** | |
feb5343a | 123 | exim -odf t19@danebroken7.example.com |
28646fa9 JH |
124 | Testing |
125 | **** | |
126 | # | |
127 | ### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode (DANE-EE matches the server's own cert/key against the TLSA record, so the name is not checked) | |
feb5343a | 128 | exim -odf t20@danebroken8.example.com |
28646fa9 JH |
129 | Testing |
130 | **** | |
59c0959a JH |
131 | killdaemon |
132 | # | |
28646fa9 | 133 | # |
59c0959a JH |
134 | sudo rm DIR/spool/db/retry |
135 | exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D | |
136 | **** | |
137 | ### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane) | |
feb5343a | 138 | exim -odf -DCONTROL=: t21@danebroken2.test.ex |
59c0959a | 139 | **** |
feb5343a JH |
140 | # sleep needed to see the t14 brokenness |
141 | sleep 1 | |
28646fa9 | 142 | killdaemon |
feb5343a | 143 | sleep 1 |
59c0959a | 144 | # |
4cea764f | 145 | no_msglog_check |