Add hosts_verify_avoid_tls option to smtp transport.
authorJeremy Harris <jgh146exb@wizmail.org>
Mon, 4 Jun 2012 13:54:13 +0000 (14:54 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Mon, 4 Jun 2012 13:57:04 +0000 (14:57 +0100)
14 files changed:
doc/doc-docbook/spec.xfpt
src/src/transports/smtp.c
src/src/transports/smtp.h
src/src/verify.c
test/confs/5410
test/confs/5420
test/log/5410
test/log/5420
test/scripts/5410-cutthrough-OpenSSL/5410
test/scripts/5420-cutthrough-GnuTLS/5420
test/stderr/5410
test/stderr/5420
test/stdout/5410
test/stdout/5420

index ee3193b..8584384 100644 (file)
@@ -22302,6 +22302,13 @@ that matches this list, even if the server host advertises PIPELINING support.
 Exim will not try to start a TLS session when delivering to any host that
 matches this list. See chapter &<<CHAPTLS>>& for details of TLS.
 
+.option hosts_verify_avoid_tls smtp "host list&!!" *
+.cindex "TLS" "avoiding for certain hosts"
+Exim will not try to start a TLS session for a verify callout,
+or when delivering in cutthrough mode,
+to any host that matches this list.
+Note that the default is to not use TLS.
+
 
 .option hosts_max_try smtp integer 5
 .cindex "host" "maximum number to try"
index a63f48f..94b8485 100644 (file)
@@ -106,6 +106,10 @@ optionlist smtp_transport_options[] = {
 #endif
   { "hosts_try_auth",       opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_try_auth) },
+#ifdef SUPPORT_TLS
+  { "hosts_verify_avoid_tls", opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, hosts_verify_avoid_tls) },
+#endif
   { "interface",            opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, interface) },
   { "keepalive",            opt_bool,
@@ -170,6 +174,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   NULL,                /* hosts_require_auth */
   NULL,                /* hosts_require_tls */
   NULL,                /* hosts_avoid_tls */
+  US"*",               /* hosts_verify_avoid_tls */
   NULL,                /* hosts_avoid_pipelining */
   NULL,                /* hosts_avoid_esmtp */
   NULL,                /* hosts_nopass_tls */
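Review bot: The default `US"*"` for hosts_verify_avoid_tls makes the new list match every host unless the administrator overrides it, which is the opposite polarity from the NULL default of hosts_avoid_tls directly above it; a reader scanning this table will not guess that a "*" here means callouts and cutthrough deliveries are always cleartext out of the box. At minimum the entry deserves a comment that says so, e.g. `US"*",               /* hosts_verify_avoid_tls: default = never STARTTLS on callout/cutthrough */`. If the intent was merely to leave existing behaviour unchanged, note that cutthrough delivery carries the whole message on this connection, so the default is a real downgrade decision rather than a no-op. The rest of the defaults block lies outside the hunk.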
index 0676811..79f1b8c 100644 (file)
@@ -23,6 +23,7 @@ typedef struct {
   uschar *hosts_require_auth;
   uschar *hosts_require_tls;
   uschar *hosts_avoid_tls;
+  uschar *hosts_verify_avoid_tls;
   uschar *hosts_avoid_pipelining;
   uschar *hosts_avoid_esmtp;
   uschar *hosts_nopass_tls;
index 6e3e6a3..eaab14d 100644 (file)
@@ -601,7 +601,10 @@ else
     #ifdef SUPPORT_TLS
     if (tls_offered &&
        verify_check_this_host(&(ob->hosts_avoid_tls), NULL, host->name,
-         host->address, NULL) != OK)
+         host->address, NULL) != OK &&
+       verify_check_this_host(&(ob->hosts_verify_avoid_tls), NULL, host->name,
+         host->address, NULL) != OK
+       )
       {
       uschar buffer2[4096];
       if (  !smtps
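Review bot: The added conjunct at L73-L75 is AND-ed with the hosts_avoid_tls check and, with the "*" default set in smtp.c, it suppresses STARTTLS on every verify callout and every cutthrough connection, including to hosts that match hosts_require_tls; since cutthrough sends the full message over this same connection, that is a cleartext downgrade by default. The hunk does not show whether hosts_require_tls is enforced later in this path, so it may be caught elsewhere, but the safer shape is to let a require-list match override the verify-avoid list: `(verify_check_this_host(&(ob->hosts_verify_avoid_tls), NULL, host->name, host->address, NULL) != OK || verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name, host->address, NULL) == OK)`. A one-line comment above the `if` explaining that hosts_verify_avoid_tls defaults to "*" would also help the next reader. The enclosing `else` block begins before the hunk and the `if` body continues after it.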
index aff16fa..576967c 100644 (file)
@@ -1,4 +1,4 @@
-# Exim test configuration 5402
+# Exim test configuration 5410
 
 exim_path = EXIM_PATH
 host_lookup_order = bydns
@@ -52,7 +52,8 @@ smtp:
   driver = smtp
   interface = HOSTIPV4
   port = PORT_D
-  hosts_avoid_tls = ${if eq {$address_data}{usery}{*}{:}}
+  hosts_avoid_tls =        ${if eq {$address_data}{usery}{*}{:}}
+  hosts_verify_avoid_tls = ${if eq {$address_data}{userz}{*}{:}}
 
 
 # End
index aff16fa..2a7ebda 100644 (file)
@@ -1,4 +1,4 @@
-# Exim test configuration 5402
+# Exim test configuration 5420
 
 exim_path = EXIM_PATH
 host_lookup_order = bydns
@@ -52,7 +52,8 @@ smtp:
   driver = smtp
   interface = HOSTIPV4
   port = PORT_D
-  hosts_avoid_tls = ${if eq {$address_data}{usery}{*}{:}}
+  hosts_avoid_tls =        ${if eq {$address_data}{usery}{*}{:}}
+  hosts_verify_avoid_tls = ${if eq {$address_data}{userz}{*}{:}}
 
 
 # End
index ba90ed7..efcee1b 100644 (file)
@@ -9,3 +9,8 @@
 1999-03-02 09:44:33 10HmbA-0005vi-00 >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbC-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 no immediate delivery: queued by ACL
+1999-03-02 09:44:33 10HmbC-0005vi-00 >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
index e859162..5dcefb3 100644 (file)
@@ -9,3 +9,8 @@
 1999-03-02 09:44:33 10HmbA-0005vi-00 >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbC-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 no immediate delivery: queued by ACL
+1999-03-02 09:44:33 10HmbC-0005vi-00 >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
index d670abf..9938e00 100644 (file)
@@ -1,6 +1,7 @@
 # cutthrough_delivery to target oferring TLS
 exim -DSERVER=server -bd -oX PORT_D
 ****
+# this one should succeed
 exim -d-all+acl+transport+expand+lists -bs
 EHLO myhost.test.ex
 MAIL FROM:<eximtest@myhost.test.ex>
@@ -10,7 +11,19 @@ DATA
 .
 QUIT
 ****
-# via a transport setting never-tls
+# via a transport setting hosts_avoid_tls
+# so this one should not use TLS
+exim -d-all+acl+transport+expand+lists -bs
+EHLO myhost.test.ex
+MAIL FROM:<eximtest@myhost.test.ex>
+RCPT TO:<usery@domain.com>
+DATA
+
+.
+QUIT
+****
+# via a transport setting hosts_verify_avoid_tls
+# so this one should not use TLS
 exim -d-all+acl+transport+expand+lists -bs
 EHLO myhost.test.ex
 MAIL FROM:<eximtest@myhost.test.ex>
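Review bot: The third session, relabelled "via a transport setting hosts_verify_avoid_tls" at L158-L159, still sends to the original `RCPT TO:<usery@domain.com>` line that sits as unchanged context just past the hunk, so it exercises hosts_avoid_tls again rather than the new option; the test config in this commit only makes hosts_verify_avoid_tls match for `userz`. The expected log for this test (L120) and the expected stderr (L268, L280) confirm that the third session is a usery delivery that matched hosts_avoid_tls, and no userz session appears anywhere in the new expected output. Change that recipient to `RCPT TO:<userz@domain.com>` and regenerate the log, stderr and stdout files so the "avoid" path of the new option is actually covered.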
index d670abf..c43e186 100644 (file)
@@ -1,4 +1,4 @@
-# cutthrough_delivery to target oferring TLS
+# cutthrough_delivery to target offering TLS
 exim -DSERVER=server -bd -oX PORT_D
 ****
 exim -d-all+acl+transport+expand+lists -bs
@@ -10,7 +10,17 @@ DATA
 .
 QUIT
 ****
-# via a transport setting never-tls
+# via a transport setting hosts_avoid_tls
+exim -d-all+acl+transport+expand+lists -bs
+EHLO myhost.test.ex
+MAIL FROM:<eximtest@myhost.test.ex>
+RCPT TO:<usery@domain.com>
+DATA
+
+.
+QUIT
+****
+# via a transport setting hosts_verify_avoid_tls
 exim -d-all+acl+transport+expand+lists -bs
 EHLO myhost.test.ex
 MAIL FROM:<eximtest@myhost.test.ex>
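Review bot: As in the OpenSSL variant, the session relabelled "via a transport setting hosts_verify_avoid_tls" at L185 keeps the original `RCPT TO:<usery@domain.com>` line as unchanged context after the hunk, so it never triggers the `userz` condition that the 5420 config uses for hosts_verify_avoid_tls. The expected output added for this test (L130, L428, L440) shows only a usery delivery matching hosts_avoid_tls. Use `RCPT TO:<userz@domain.com>` here and regenerate the expected files so the GnuTLS path of the new option is tested as well.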
index 7babe35..f8b31a7 100644 (file)
@@ -64,6 +64,20 @@ expanding: :
 expanding: ${if eq {$address_data}{usery}{*}{:}}
    result: :
 127.0.0.1 in hosts_avoid_tls? no (end of list)
+expanding: $address_data
+   result: userx
+expanding: userz
+   result: userz
+condition: eq {$address_data}{userz}
+   result: false
+expanding: *
+   result: *
+skipping: result is not used
+expanding: :
+   result: :
+expanding: ${if eq {$address_data}{userz}{*}{:}}
+   result: :
+127.0.0.1 in hosts_verify_avoid_tls? no (end of list)
   SMTP>> STARTTLS
   SMTP<< 220 TLS go ahead
   SMTP>> EHLO myhost.test.ex
@@ -270,5 +284,137 @@ LOG: MAIN
 LOG: smtp_connection MAIN
   SMTP connection from CALLER closed by QUIT
 >>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+ in hosts_connection_nolog? no (option unset)
+LOG: smtp_connection MAIN
+  SMTP connection from CALLER
+expanding: $smtp_active_hostname ESMTP Exim $version_number $tod_full
+   result: myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+ in pipelining_advertise_hosts? yes (matched "*")
+ in tls_advertise_hosts? yes (matched "*")
+expanding: SERVER
+   result: SERVER
+expanding: server
+   result: server
+condition: eq {SERVER}{server}
+   result: false
+expanding: queue
+   result: queue
+skipping: result is not used
+expanding: cutthrough
+   result: cutthrough
+expanding: ${if eq {SERVER}{server}{queue}{cutthrough}}
+   result: cutthrough
+using ACL "cutthrough"
+processing "accept"
+check control = cutthrough_delivery
+check verify = recipient
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+   result: usery
+domain.com in "*"? yes (matched "*")
+----------- end verify ------------
+accept: condition test succeeded in ACL "cutthrough"
+----------- start cutthrough setup ------------
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+   result: usery
+domain.com in "*"? yes (matched "*")
+Connecting to 127.0.0.1 [127.0.0.1]:1225 from ip4.ip4.ip4.ip4 ... connected
+expanding: $primary_hostname
+   result: myhost.test.ex
+  SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+127.0.0.1 in hosts_avoid_esmtp? no (option unset)
+  SMTP>> EHLO myhost.test.ex
+  SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+         250-SIZE 52428800
+         250-8BITMIME
+         250-PIPELINING
+         250-STARTTLS
+         250 HELP
+expanding: $address_data
+   result: usery
+expanding: usery
+   result: usery
+condition: eq {$address_data}{usery}
+   result: true
+expanding: *
+   result: *
+expanding: :
+   result: :
+skipping: result is not used
+expanding: ${if eq {$address_data}{usery}{*}{:}}
+   result: *
+127.0.0.1 in hosts_avoid_tls? yes (matched "*")
+  SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+  SMTP<< 250 OK
+  SMTP>> RCPT TO:<usery@domain.com>
+  SMTP<< 250 Accepted
+----------- end cutthrough setup ------------
+processing "accept"
+accept: condition test succeeded in inline ACL
+  SMTP>> DATA
+  SMTP<< 354 Enter message, ending with "." on a line by itself
+expanding: ${tod_full}
+   result: Tue, 2 Mar 1999 09:44:33 +0000
+condition: def:sender_rcvhost
+   result: false
+expanding: from $sender_rcvhost
+       
+   result: from 
+       
+skipping: result is not used
+condition: def:sender_ident
+   result: true
+expanding: $sender_ident
+   result: CALLER
+expanding: from ${quote_local_part:$sender_ident} 
+   result: from CALLER 
+condition: def:sender_helo_name
+   result: true
+expanding: (helo=$sender_helo_name)
+       
+   result: (helo=myhost.test.ex)
+       
+expanding: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
+       }}
+   result: from CALLER (helo=myhost.test.ex)
+       
+condition: def:received_protocol
+   result: true
+expanding: with $received_protocol
+   result: with local-esmtp
+condition: def:sender_address
+   result: true
+expanding: (envelope-from <$sender_address>)
+       
+   result: (envelope-from <CALLER@myhost.test.ex>)
+       
+condition: def:received_for
+   result: true
+expanding: 
+       for $received_for
+   result: 
+       for usery@domain.com
+PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+expanding: ${tod_full}
+   result: Tue, 2 Mar 1999 09:44:33 +0000
+  SMTP>> .
+  SMTP<< 250 OK id=10HmbB-0005vi-00
+LOG: MAIN
+  >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbB-0005vi-00"
+  SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+  <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+  Completed
+LOG: smtp_connection MAIN
+  SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
 
 ******** SERVER ********
index 9059228..e711184 100644 (file)
@@ -64,6 +64,20 @@ expanding: :
 expanding: ${if eq {$address_data}{usery}{*}{:}}
    result: :
 127.0.0.1 in hosts_avoid_tls? no (end of list)
+expanding: $address_data
+   result: userx
+expanding: userz
+   result: userz
+condition: eq {$address_data}{userz}
+   result: false
+expanding: *
+   result: *
+skipping: result is not used
+expanding: :
+   result: :
+expanding: ${if eq {$address_data}{userz}{*}{:}}
+   result: :
+127.0.0.1 in hosts_verify_avoid_tls? no (end of list)
   SMTP>> STARTTLS
   SMTP<< 220 TLS go ahead
   SMTP>> EHLO myhost.test.ex
@@ -270,5 +284,137 @@ LOG: MAIN
 LOG: smtp_connection MAIN
   SMTP connection from CALLER closed by QUIT
 >>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+ in hosts_connection_nolog? no (option unset)
+LOG: smtp_connection MAIN
+  SMTP connection from CALLER
+expanding: $smtp_active_hostname ESMTP Exim $version_number $tod_full
+   result: myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+ in pipelining_advertise_hosts? yes (matched "*")
+ in tls_advertise_hosts? yes (matched "*")
+expanding: SERVER
+   result: SERVER
+expanding: server
+   result: server
+condition: eq {SERVER}{server}
+   result: false
+expanding: queue
+   result: queue
+skipping: result is not used
+expanding: cutthrough
+   result: cutthrough
+expanding: ${if eq {SERVER}{server}{queue}{cutthrough}}
+   result: cutthrough
+using ACL "cutthrough"
+processing "accept"
+check control = cutthrough_delivery
+check verify = recipient
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+   result: usery
+domain.com in "*"? yes (matched "*")
+----------- end verify ------------
+accept: condition test succeeded in ACL "cutthrough"
+----------- start cutthrough setup ------------
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+   result: usery
+domain.com in "*"? yes (matched "*")
+Connecting to 127.0.0.1 [127.0.0.1]:1225 from ip4.ip4.ip4.ip4 ... connected
+expanding: $primary_hostname
+   result: myhost.test.ex
+  SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+127.0.0.1 in hosts_avoid_esmtp? no (option unset)
+  SMTP>> EHLO myhost.test.ex
+  SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+         250-SIZE 52428800
+         250-8BITMIME
+         250-PIPELINING
+         250-STARTTLS
+         250 HELP
+expanding: $address_data
+   result: usery
+expanding: usery
+   result: usery
+condition: eq {$address_data}{usery}
+   result: true
+expanding: *
+   result: *
+expanding: :
+   result: :
+skipping: result is not used
+expanding: ${if eq {$address_data}{usery}{*}{:}}
+   result: *
+127.0.0.1 in hosts_avoid_tls? yes (matched "*")
+  SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+  SMTP<< 250 OK
+  SMTP>> RCPT TO:<usery@domain.com>
+  SMTP<< 250 Accepted
+----------- end cutthrough setup ------------
+processing "accept"
+accept: condition test succeeded in inline ACL
+  SMTP>> DATA
+  SMTP<< 354 Enter message, ending with "." on a line by itself
+expanding: ${tod_full}
+   result: Tue, 2 Mar 1999 09:44:33 +0000
+condition: def:sender_rcvhost
+   result: false
+expanding: from $sender_rcvhost
+       
+   result: from 
+       
+skipping: result is not used
+condition: def:sender_ident
+   result: true
+expanding: $sender_ident
+   result: CALLER
+expanding: from ${quote_local_part:$sender_ident} 
+   result: from CALLER 
+condition: def:sender_helo_name
+   result: true
+expanding: (helo=$sender_helo_name)
+       
+   result: (helo=myhost.test.ex)
+       
+expanding: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
+       }}
+   result: from CALLER (helo=myhost.test.ex)
+       
+condition: def:received_protocol
+   result: true
+expanding: with $received_protocol
+   result: with local-esmtp
+condition: def:sender_address
+   result: true
+expanding: (envelope-from <$sender_address>)
+       
+   result: (envelope-from <CALLER@myhost.test.ex>)
+       
+condition: def:received_for
+   result: true
+expanding: 
+       for $received_for
+   result: 
+       for usery@domain.com
+PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+expanding: ${tod_full}
+   result: Tue, 2 Mar 1999 09:44:33 +0000
+  SMTP>> .
+  SMTP<< 250 OK id=10HmbB-0005vi-00
+LOG: MAIN
+  >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbB-0005vi-00"
+  SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+  <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+  Completed
+LOG: smtp_connection MAIN
+  SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
 
 ******** SERVER ********
index 252c829..edf01f8 100644 (file)
 354 Enter message, ending with "." on a line by itself\r
 250 OK id=10HmbA-0005vi-00\r
 221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at myhost.test.ex\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250-STARTTLS\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmbC-0005vi-00\r
+221 myhost.test.ex closing connection\r
index 252c829..edf01f8 100644 (file)
 354 Enter message, ending with "." on a line by itself\r
 250 OK id=10HmbA-0005vi-00\r
 221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at myhost.test.ex\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250-STARTTLS\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmbC-0005vi-00\r
+221 myhost.test.ex closing connection\r