test/scripts/5840-DANE-OpenSSL/5840

   1 # DANE client: general
   2 #
   3 exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
   4 ****
   5 ### TLSA (3 1 1)
   6 exim -odq CALLER@dane256ee.test.ex
   7 Testing
   8 ****
   9 ### TLSA (3 1 2)
  10 exim -odq CALLER@mxdane512ee.test.ex
  11 Testing
  12 ****
  13 exim -qf
  14 ****
  15 #
  16 #
  17 ### Recipient callout
  18 exim -DOPT=callout -bhc 127.0.0.1
  19 MAIL FROM: <CALLER@myhost.test.ex>
  20 RCPT TO: <rcptuser@dane256ee.test.ex>
  21 ****
  22 killdaemon
  23 #
  24 #
  25 exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D
  26 ****
  27 ### TLSA (2 0 1)
  28 exim -odf CALLER@mxdane256ta.test.ex
  29 Testing
  30 ****
  31 killdaemon
  32 #
  33 # OpenSSL-specific regression testcase: certificate having Authority Key ID extension
  34 exim -DSERVER=server -DCERT=DIR/aux-fixed/exim-ca/example.com/server2.example.com/fullchain.pem -DALLOW=DIR/aux-fixed/exim-ca/example.com/server2.example.com/server2.example.com.unlocked.key -bd -oX PORT_D
  35 ****
  36 ### TLSA (2 1 1)
  37 exim -odf CALLER@mxdane256tak.test.ex
  38 Testing
  39 ****
  40 killdaemon
  41 #
  42 ### A server with a nonverifying cert and no TLSA
  43 # Check we get a non-CV but TLS connection, with try_dane but no require_dane
  44 exim -DSERVER=server -DDETAILS=no -bd -oX PORT_D
  45 ****
  46 exim -odf CALLER@thishost.test.ex
  47 Testing
  48 ****
  49 killdaemon
  50 #
  51 ### A server with a verifying cert and no TLSA
  52 # Check we get a CV and TLS connection, with try_dane but no require_dane
  53 exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
  54 ****
  55 exim -odf CALLER@thishost.test.ex
  56 Testing
  57 ****
  58 exim -DOPT=no_certname -qf
  59 ****
  60 killdaemon
  61 #
  62 #
  63 exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
  64 ****
  65 ### A server with two MXs for which both TLSA lookups return defer (delivery should defer)
  66 exim -odq CALLER@mxdanelazy.test.ex
  67 Testing
  68 ****
  69 ### A server lacking a TLSA, dane required (should fail)
  70 exim -odq CALLER@dane.no.1.test.ex
  71 Testing
  72 ****
  73 ### A server lacking a TLSA, dane requested only (should deliver, non-DANE, as the NXDOMAIN is not DNSSEC)
  74 exim -odq CALLER@dane.no.2.test.ex
  75 Testing
  76 ****
  77 ### A server where the A is dnssec and the TLSA lookup _fails_ (delivery should defer)
  78 exim -odq CALLER@danebroken1.test.ex
  79 Testing
  80 ****
  81 ### A server securely saying "no TLSA records here", dane required (delivery should fail)
  82 exim -odq CALLER@dane.no.3.test.ex
  83 Testing
  84 ****
  85 ### A server securely saying "no TLSA records here", dane requested only (should deliver)
  86 exim -odq CALLER@dane.no.4.test.ex
  87 Testing
  88 ****
  89 exim -qf
  90 ****
  91 #
  92 ### A server securely serving a wrong TLSA record, dane requested only (delivery should fail)
  93 exim -odf CALLER@danebroken2.test.ex
  94 Testing
  95 ****
  96 ### A server insecurely serving a good TLSA record, dane requested only (should deliver, non-DANE)
  97 exim -odf CALLER@danebroken3.test.ex
  98 Testing
  99 ****
 100 ### A server insecurely serving a good TLSA record, dane required (delivery should fail)
 101 exim -odf CALLER@danebroken4.test.ex
 102 Testing
 103 ****
 104 ### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
 105 exim -odf CALLER@danebroken5.test.ex
 106 Testing
 107 ****
 108 ### A server insecurely serving a good A record, dane required (delivery should fail)
 109 exim -odf CALLER@danebroken6.test.ex
 110 Testing
 111 ****
 112 #
 113 killdaemon
 114
 115
 116 ### A server with a name not matching the cert.  TA-mode; should fail
 117 exim -DSERVER=server -DDETAILS=cert.net -bd -oX PORT_D
 118 ****
 119 exim -odf CALLER@danebroken7.example.com
 120 Testing
 121 ****
 122 #
 123 ### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
 124 exim -odf CALLER@danebroken8.example.com
 125 Testing
 126 ****
 127 #
 128 killdaemon
 129 no_msglog_check