From 67d81c106c8dd7da50b57eb5ceeb61d91a2c51e8 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 9 Mar 2014 16:51:00 +0000 Subject: [PATCH] Log port and TLS details for a failed delivery --- doc/doc-txt/ChangeLog | 3 +++ src/src/deliver.c | 57 ++++++++++++++++++++++++++++--------------- src/src/smtp_in.c | 10 ++++++-- test/log/0547 | 1 - test/log/2003 | 2 +- test/log/2014 | 6 ++--- test/log/2103 | 2 +- test/log/2114 | 6 ++--- test/rejectlog/2003 | 2 +- test/rejectlog/2014 | 6 ++--- test/rejectlog/2103 | 2 +- test/rejectlog/2114 | 6 ++--- 12 files changed, 65 insertions(+), 38 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 0c51bc393..493861fec 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -51,6 +51,9 @@ JH/04 Add ${utf8clean:} operator. Contributed by Alex Rau. JH/05 Bugzilla 305: Log incoming-TLS details on rejects, subject to log selectors, in both main and reject logs. +JH/06 Log outbound-TLS and port details, subject to log selectors, for a + failed delivery. + Exim version 4.82 ----------------- diff --git a/src/src/deliver.c b/src/src/deliver.c index df93a114e..121f7c2e0 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c 
@@ -673,8 +673,36 @@ while (addr->parent != NULL) +static uschar * +d_hostlog(uschar * s, int * sizep, int * ptrp, address_item * addr) +{ + s = string_append(s, sizep, ptrp, 5, US" H=", addr->host_used->name, + US" [", addr->host_used->address, US"]"); + if ((log_extra_selector & LX_outgoing_port) != 0) + s = string_append(s, sizep, ptrp, 2, US":", string_sprintf("%d", + addr->host_used->port)); + return s; +} + +#ifdef SUPPORT_TLS +static uschar * +d_tlslog(uschar * s, int * sizep, int * ptrp, address_item * addr) +{ + if ((log_extra_selector & LX_tls_cipher) != 0 && addr->cipher != NULL) + s = string_append(s, sizep, ptrp, 2, US" X=", addr->cipher); + if ((log_extra_selector & LX_tls_certificate_verified) != 0 && + addr->cipher != NULL) + s = string_append(s, sizep, ptrp, 2, US" CV=", + testflag(addr, af_cert_verified)? "yes":"no"); + if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL) + s = string_append(s, sizep, ptrp, 3, US" DN=\"", + string_printing(addr->peerdn), US"\""); + return s; +} +#endif + /* If msg is NULL this is a delivery log and logchar is used. Otherwise -this is a nonstandard call; no two-characher delivery flag is written +this is a nonstandard call; no two-character delivery flag is written but sender-host and sender are prefixed and "msg" is inserted in the log line. Arguments: @@ -767,11 +795,7 @@ else { if (addr->host_used != NULL) { - s = string_append(s, &size, &ptr, 5, US" H=", addr->host_used->name, - US" [", addr->host_used->address, US"]"); - if ((log_extra_selector & LX_outgoing_port) != 0) - s = string_append(s, &size, &ptr, 2, US":", string_sprintf("%d", - addr->host_used->port)); + s = d_hostlog(s, &size, &ptr, addr); if (continue_sequence > 1) s = string_cat(s, &size, &ptr, US"*", 1); 
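Review bot: `d_hostlog()` dereferences `addr->host_used` with no check of its own, and neither new helper has a header comment, so that precondition is recorded only in the callers. Both call sites visible in this patch test `addr->host_used != NULL` first, but a later caller could miss it; a comment above the function such as `/* Append " H=name [address]", plus ":port" when LX_outgoing_port is set; addr->host_used must be non-NULL */` would pin it down. `d_tlslog()` deserves a matching comment saying that X=, CV= and DN= are appended only when the corresponding log selector is set and `addr->cipher` / `addr->peerdn` are non-NULL, and that the return value is the pointer handed back by `string_append()`, which callers must use in place of the `s` they passed in.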
@@ -786,15 +810,7 @@ else } #ifdef SUPPORT_TLS - if ((log_extra_selector & LX_tls_cipher) != 0 && addr->cipher != NULL) - s = string_append(s, &size, &ptr, 2, US" X=", addr->cipher); - if ((log_extra_selector & LX_tls_certificate_verified) != 0 && - addr->cipher != NULL) - s = string_append(s, &size, &ptr, 2, US" CV=", - testflag(addr, af_cert_verified)? "yes":"no"); - if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL) - s = string_append(s, &size, &ptr, 3, US" DN=\"", - string_printing(addr->peerdn), US"\""); + s = d_tlslog(s, &size, &ptr, addr); #endif if (addr->authenticator) @@ -1239,9 +1255,7 @@ else if (used_return_path != NULL && (log_extra_selector & LX_return_path_on_delivery) != 0) - { s = string_append(s, &size, &ptr, 3, US" P=<", used_return_path, US">"); - } if (addr->router != NULL) s = string_append(s, &size, &ptr, 2, US" R=", addr->router->name); @@ -1249,8 +1263,11 @@ else s = string_append(s, &size, &ptr, 2, US" T=", addr->transport->name); if (addr->host_used != NULL) - s = string_append(s, &size, &ptr, 5, US" H=", addr->host_used->name, - US" [", addr->host_used->address, US"]"); + s = d_hostlog(s, &size, &ptr, addr); + + #ifdef SUPPORT_TLS + s = d_tlslog(s, &size, &ptr, addr); + #endif if (addr->basic_errno > 0) s = string_append(s, &size, &ptr, 2, US": ", @@ -7168,4 +7185,6 @@ acl_where = ACL_WHERE_UNKNOWN; return final_yield; } +/* vi: aw ai sw=2 +*/ /* End of deliver.c */ diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 9981e8d51..fbfe1ed7b 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -1183,8 +1183,14 @@ s_tlslog(uschar * s, int * sizep, int * ptrp) s = string_append(s, &size, &ptr, 3, US" SNI=\"", string_printing(tls_in.sni), US"\""); - if (sizep) *sizep = size; - if (ptrp) *ptrp = ptr; + if (s) + { + s[ptr] = '\0'; + if (sizep) *sizep = size; + if (ptrp) *ptrp = ptr; + } + else + s = US""; return s; } #endif diff --git a/test/log/0547 b/test/log/0547 index 3b86d2bd5..6a5b233e0 100644 
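Review bot: In the failure-line hunk (`@@ -1249,8 +1263,11 @@`) the new `d_tlslog()` call adds `addr->peerdn` to one more log line as `DN="..."`, and that text presumably comes from the remote host's certificate. It goes through `string_printing()` first, but this patch does not show whether that also escapes an embedded `"`; if it does not, the quoted field becomes ambiguous for log parsers and alerting rules that key on `DN=`. That is worth confirming and recording next to the DN append in `d_tlslog()`, for example `/* peerdn is peer-supplied text; confirm string_printing() leaves no unescaped '"' inside the quoted field */`. The enclosing function starts and ends outside the hunk.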
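Review bot: In `s_tlslog()` the new `else s = US"";` branch returns a string literal through the same non-const `uschar *` that otherwise carries the buffer built by `string_append()`, and it leaves `*sizep` / `*ptrp` unwritten. A caller that goes on to append to the result, or stores a terminator into it as the `if (s)` branch now does with `s[ptr] = '\0'`, could end up writing into read-only storage; the callers are not part of this patch, so that needs checking. The function comment should at least state the contract, for example `/* Returns "" (not a growable buffer) when nothing was appended; *sizep and *ptrp are then left unchanged */`. The `s[ptr] = '\0'` store also relies on `string_append()` always leaving room for a terminator, which deserves a one-line comment. The function body begins outside the hunk.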
--- a/test/log/0547
+++ b/test/log/0547
@@ -1,5 +1,4 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 no MAIL in SMTP connection from [127.0.0.1] D=0s
 1999-03-02 09:44:33 no MAIL in SMTP connection from [127.0.0.1] D=0s C=QUIT
 1999-03-02 09:44:33 H=(x.y.z) [127.0.0.1] rejected VRFY a@b.c
 1999-03-02 09:44:33 no MAIL in SMTP connection from (x.y.z) [127.0.0.1] D=0s C=EHLO,VRFY,QUIT
diff --git a/test/log/2003 b/test/log/2003
index f6d0a987d..8c1c5c1ff 100644
--- a/test/log/2003
+++ b/test/log/2003
@@ -1,5 +1,5 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] F= rejected RCPT : unacceptable cipher TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256
+1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 F= rejected RCPT : unacceptable cipher TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=(rhu.barb) [127.0.0.1] P=smtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx R=abc T=local_delivery
diff --git a/test/log/2014 b/test/log/2014
index feaf4be4c..7ed753049 100644
--- a/test/log/2014
+++ b/test/log/2014
@@ -1,8 +1,8 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (rhu1.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
-1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=
+1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 F= rejected RCPT : certificate not verified: peerdn=
 1999-03-02 09:44:33 TLS error on connection from (rhu5.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): invalid
-1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (rhu7.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): revoked
-1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
diff --git a/test/log/2103 b/test/log/2103
index bc6230d0f..e1d7eac9d 100644
--- a/test/log/2103
+++ b/test/log/2103
@@ -1,5 +1,5 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] F= rejected RCPT : unacceptable cipher TLSv1:AES256-SHA:256
+1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 F= rejected RCPT : unacceptable cipher TLSv1:AES256-SHA:256
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= userx@test.ex H=(rhu.barb) [127.0.0.1] P=smtps X=TLSv1:AES256-SHA:256 S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx R=abc T=local_delivery
diff --git a/test/log/2114 b/test/log/2114
index 862f93f1d..09738fd14 100644
--- a/test/log/2114
+++ b/test/log/2114
@@ -1,16 +1,16 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <>
 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=
+1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] X=TLSv1:AES256-SHA:256 F= rejected RCPT : certificate not verified: peerdn=
 1999-03-02 09:44:33 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <>
 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
 1999-03-02 09:44:33 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
 1999-03-02 09:44:33 SSL verify error: depth=0 error=certificate revoked cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (SSL_accept): error: <>
 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
 1999-03-02 09:44:33 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
 1999-03-02 09:44:33 SSL verify error: depth=0 error=CRL signature failure cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
diff --git a/test/rejectlog/2003 b/test/rejectlog/2003
index 04c9f95c3..d495cde10 100644
--- a/test/rejectlog/2003
+++ b/test/rejectlog/2003
@@ -1 +1 @@
-1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] F= rejected RCPT : unacceptable cipher TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256
+1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 F= rejected RCPT : unacceptable cipher TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256
diff --git a/test/rejectlog/2014 b/test/rejectlog/2014
index fb9f7cd99..e9ccac71c 100644
--- a/test/rejectlog/2014
+++ b/test/rejectlog/2014
@@ -1,3 +1,3 @@
-1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=
-1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
-1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
+1999-03-02 09:44:33 H=(rhu2tls.barb) [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 F= rejected RCPT : certificate not verified: peerdn=
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
diff --git a/test/rejectlog/2103 b/test/rejectlog/2103
index 49eab8415..b505fccbd 100644
--- a/test/rejectlog/2103
+++ b/test/rejectlog/2103
@@ -1 +1 @@
-1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] F= rejected RCPT : unacceptable cipher TLSv1:AES256-SHA:256
+1999-03-02 09:44:33 H=[ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 F= rejected RCPT : unacceptable cipher TLSv1:AES256-SHA:256
diff --git a/test/rejectlog/2114 b/test/rejectlog/2114
index 143828731..c8becde39 100644
--- a/test/rejectlog/2114
+++ b/test/rejectlog/2114
@@ -1,3 +1,3 @@
-1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=
-1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-1999-03-02 09:44:33 H=[127.0.0.1] F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 H=(rhu.barb) [127.0.0.1] X=TLSv1:AES256-SHA:256 F= rejected RCPT : certificate not verified: peerdn=
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 H=[127.0.0.1] X=TLSv1:AES256-SHA:256 DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" F= rejected RCPT : certificate not verified: peerdn=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
-- 
2.25.1