summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2017-08-30 23:52:40 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2017-08-31 16:16:51 +0100
commita2673768b71ee86c71e16e46d53d0ffc4f66b0de (patch)
treeda233bde5ae8f8ba16d7447411a3fefbf223d8db
parenta5853d7c97b23bf0e4c4438a3ac3f67f28292d6c (diff)
Logging: TCP Fast Open
-rw-r--r--doc/doc-docbook/spec.xfpt1
-rw-r--r--doc/doc-txt/NewStuff4
-rw-r--r--src/OS/os.h-FreeBSD18
-rw-r--r--src/src/deliver.c16
-rw-r--r--src/src/globals.c4
-rw-r--r--src/src/globals.h4
-rw-r--r--src/src/ip.c17
-rw-r--r--src/src/receive.c11
-rw-r--r--src/src/smtp_in.c63
-rw-r--r--src/src/smtp_out.c27
-rw-r--r--src/src/structs.h1
-rw-r--r--src/src/transports/smtp.c4
-rw-r--r--test/confs/199048
-rw-r--r--test/confs/205267
-rw-r--r--test/confs/215268
-rw-r--r--test/log/199015
-rw-r--r--test/log/205212
-rw-r--r--test/log/21529
-rw-r--r--test/scripts/1990-TCP-Fast-Open/199039
-rw-r--r--test/scripts/1990-TCP-Fast-Open/REQUIRES1
-rw-r--r--test/scripts/2000-GnuTLS/205222
-rw-r--r--test/scripts/2100-OpenSSL/215221
22 files changed, 245 insertions, 227 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 8086f0b46..862c8f91d 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -36040,6 +36040,7 @@ the following table:
&`SNI `& server name indication from TLS client hello
&`ST `& shadow transport name
&`T `& on &`<=`& lines: message subject (topic)
+&`TFO `& connection took advantage of TCP Fast Open
&` `& on &`=>`& &`**`& and &`==`& lines: transport name
&`U `& local user or RFC 1413 identity
&`X `& TLS cipher suite
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 3e1da34ee..e57192e58 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -47,6 +47,10 @@ Version 4.90
11. Millisecond timetamps in logs, on log_selector "millisec". Also affects
log elements QT, DT and D, and timstamps in debug output.
+12. TCP Fast Open logging. As a server, logs when the SMTP banner was sent
+ while still in SYN_RECV state; as a client logs when the connection
+ is opened with a TFO cookie.
+
Version 4.89
------------
diff --git a/src/OS/os.h-FreeBSD b/src/OS/os.h-FreeBSD
index 9b47de3d1..3a06e766e 100644
--- a/src/OS/os.h-FreeBSD
+++ b/src/OS/os.h-FreeBSD
@@ -43,4 +43,22 @@ performance on outgoing mail a bit. */
#define OS_SENDFILE
extern ssize_t os_sendfile(int, int, off_t *, size_t);
+
+/*******************/
+
+/* TCP_FASTOPEN support. There does not seems to be a
+MSG_FASTOPEN defined yet... */
+
+#include <netinet/tcp.h> /* for TCP_FASTOPEN */
+#include <sys/socket.h> /* for MSG_FASTOPEN */
+#if defined(TCP_FASTOPEN) && !defined(MSG_FASTOPEN)
+# define MSG_FASTOPEN 0x20000000
+#endif
+
+/* for TCP state-variable values, for TFO logging */
+#include <netinet/tcp_fsm.h>
+#define TCP_SYN_RECV TCPS_SYN_RECEIVED
+
+/*******************/
+
/* End */
diff --git a/src/src/deliver.c b/src/src/deliver.c
index 2d2850cf5..b8a55b20a 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -752,7 +752,12 @@ if (LOGGING(proxy) && proxy_local_address)
}
#endif
-return d_log_interface(s, sp, pp);
+s = d_log_interface(s, sp, pp);
+
+if (testflag(addr, af_tcp_fastopen))
+ s = string_catn(s, sp, pp, US" TFO", 4);
+
+return s;
}
@@ -3560,6 +3565,10 @@ while (!done)
setflag(addr, af_chunking_used);
break;
+ case 'T':
+ setflag(addr, af_tcp_fastopen);
+ break;
+
case 'D':
if (!addr) goto ADDR_MISMATCH;
memcpy(&(addr->dsn_aware), ptr, sizeof(addr->dsn_aware));
@@ -3979,7 +3988,6 @@ for (;;) /* Normally we do not repeat this loop */
{
readycount--;
if (par_read_pipe(poffset, FALSE)) /* Finished with this pipe */
- {
for (;;) /* Loop for signals */
{
pid_t endedpid = waitpid(pid, &status, 0);
@@ -3989,7 +3997,6 @@ for (;;) /* Normally we do not repeat this loop */
"%d (errno = %d) from waitpid() for process %d",
(int)endedpid, errno, (int)pid);
}
- }
}
}
@@ -4856,6 +4863,9 @@ for (delivery_count = 0; addr_remote; delivery_count++)
if (testflag(addr, af_chunking_used))
rmt_dlv_checked_write(fd, 'K', '0', NULL, 0);
+ if (testflag(addr, af_tcp_fastopen))
+ rmt_dlv_checked_write(fd, 'T', '0', NULL, 0);
+
memcpy(big_buffer, &addr->dsn_aware, sizeof(addr->dsn_aware));
rmt_dlv_checked_write(fd, 'D', '0', big_buffer, sizeof(addr->dsn_aware));
diff --git a/src/src/globals.c b/src/src/globals.c
index f3fdb5975..97debee58 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1417,7 +1417,11 @@ BOOL system_filter_uid_set = FALSE;
BOOL system_filtering = FALSE;
BOOL tcp_fastopen_ok = FALSE;
+BOOL tcp_in_fastopen = FALSE;
+BOOL tcp_in_fastopen_logged = FALSE;
BOOL tcp_nodelay = TRUE;
+BOOL tcp_out_fastopen = FALSE;
+BOOL tcp_out_fastopen_logged= FALSE;
#ifdef USE_TCP_WRAPPERS
uschar *tcp_wrappers_daemon_name = US TCP_WRAPPERS_DAEMON_NAME;
#endif
diff --git a/src/src/globals.h b/src/src/globals.h
index bd8d14288..7578a1d82 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -922,7 +922,11 @@ extern BOOL system_filter_uid_set; /* TRUE if uid set */
extern BOOL system_filtering; /* TRUE when running system filter */
extern BOOL tcp_fastopen_ok; /* appears to be supported by kernel */
+extern BOOL tcp_in_fastopen; /* conn used fastopen */
+extern BOOL tcp_in_fastopen_logged; /* one-time logging */
extern BOOL tcp_nodelay; /* Controls TCP_NODELAY on daemon */
+extern BOOL tcp_out_fastopen; /* conn used fastopen */
+extern BOOL tcp_out_fastopen_logged; /* one-time logging */
#ifdef USE_TCP_WRAPPERS
extern uschar *tcp_wrappers_daemon_name; /* tcpwrappers daemon lookup name */
#endif
diff --git a/src/src/ip.c b/src/src/ip.c
index 09b4c439e..08d32f21b 100644
--- a/src/src/ip.c
+++ b/src/src/ip.c
@@ -235,14 +235,15 @@ connect in FASTOPEN mode but with zero data.
if (fastopen)
{
- if ( (rc = sendto(sock, NULL, 0, MSG_FASTOPEN, s_ptr, s_len)) < 0
- && errno == EOPNOTSUPP
- )
- {
- DEBUG(D_transport)
- debug_printf("Tried TCP Fast Open but apparently not enabled by sysctl\n");
- rc = connect(sock, s_ptr, s_len);
- }
+ if ((rc = sendto(sock, NULL, 0, MSG_FASTOPEN | MSG_DONTWAIT, s_ptr, s_len)) < 0)
+ if (errno == EINPROGRESS) /* the expected case */
+ rc = 0;
+ else if(errno == EOPNOTSUPP)
+ {
+ DEBUG(D_transport)
+ debug_printf("Tried TCP Fast Open but apparently not enabled by sysctl\n");
+ rc = connect(sock, s_ptr, s_len);
+ }
}
else
#endif
diff --git a/src/src/receive.c b/src/src/receive.c
index 71026ff4a..65e9fb415 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -1303,7 +1303,7 @@ add_host_info_for_log(uschar * s, int * sizeptr, int * ptrptr)
if (sender_fullhost)
{
if (LOGGING(dnssec) && sender_host_dnssec) /*XXX sender_helo_dnssec? */
- s = string_cat(s, sizeptr, ptrptr, US" DS");
+ s = string_catn(s, sizeptr, ptrptr, US" DS", 3);
s = string_append(s, sizeptr, ptrptr, 2, US" H=", sender_fullhost);
if (LOGGING(incoming_interface) && interface_address != NULL)
{
@@ -1311,9 +1311,14 @@ if (sender_fullhost)
string_sprintf(" I=[%s]:%d", interface_address, interface_port));
}
}
-if (sender_ident != NULL)
+if (tcp_in_fastopen && !tcp_in_fastopen_logged)
+ {
+ s = string_catn(s, sizeptr, ptrptr, US" TFO", 4);
+ tcp_in_fastopen_logged = TRUE;
+ }
+if (sender_ident)
s = string_append(s, sizeptr, ptrptr, 2, US" U=", sender_ident);
-if (received_protocol != NULL)
+if (received_protocol)
s = string_append(s, sizeptr, ptrptr, 2, US" P=", received_protocol);
return s;
}
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index d6250d12d..36f685677 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -1798,7 +1798,8 @@ for (i = 0; i < smtp_ch_index; i++)
}
if (s) s[ptr] = 0; else s = US"";
-log_write(0, LOG_MAIN, "no MAIL in SMTP connection from %s D=%s%s",
+log_write(0, LOG_MAIN, "no MAIL in %sSMTP connection from %s D=%s%s",
+ tcp_in_fastopen ? US"TFO " : US"",
host_and_ident(FALSE), string_timesince(&smtp_connection_start), s);
}
@@ -1941,17 +1942,17 @@ while (v > smtp_cmd_data && *v != '=' && !isspace(*v))
n = v;
if (*v == '=')
-{
+ {
while(isalpha(n[-1])) n--;
/* RFC says SP, but TAB seen in wild and other major MTAs accept it */
if (!isspace(n[-1])) return FALSE;
n[-1] = 0;
-}
+ }
else
-{
+ {
n++;
if (v == smtp_cmd_data) return FALSE;
-}
+ }
*v++ = 0;
*name = n;
*value = v;
@@ -2331,6 +2332,28 @@ return FALSE;
}
+
+
+#ifdef TCP_FASTOPEN
+static void
+tfo_in_check(void)
+{
+# ifdef TCP_INFO
+struct tcp_info tinfo;
+socklen_t len = sizeof(tinfo);
+
+if ( getsockopt(fileno(smtp_out), IPPROTO_TCP, TCP_INFO, &tinfo, &len) == 0
+ && tinfo.tcpi_state == TCP_SYN_RECV
+ )
+ {
+ DEBUG(D_receive) debug_printf("TCP_FASTOPEN mode connection\n");
+ tcp_in_fastopen = TRUE;
+ }
+# endif
+}
+#endif
+
+
/*************************************************
* Start an SMTP session *
*************************************************/
@@ -2923,6 +2946,14 @@ if (!check_sync())
/* Now output the banner */
smtp_printf("%s", FALSE, ss);
+
+/* Attempt to see if we sent the banner before the last ACK of the 3-way
+handshake arrived. If so we must have managed a TFO. */
+
+#ifdef TCP_FASTOPEN
+tfo_in_check();
+#endif
+
return TRUE;
}
@@ -5459,18 +5490,22 @@ while (done <= 0)
just drop the call rather than sending QUIT, and it clutters up the logs.
*/
- if (sender_address != NULL || recipients_count > 0)
+ if (sender_address || recipients_count > 0)
log_write(L_lost_incoming_connection, LOG_MAIN,
- "unexpected %s while reading SMTP command from %s%s D=%s",
- sender_host_unknown ? "EOF" : "disconnection",
- host_and_ident(FALSE), smtp_read_error,
- string_timesince(&smtp_connection_start)
- );
+ "unexpected %s while reading SMTP command from %s%s%s D=%s",
+ sender_host_unknown ? "EOF" : "disconnection",
+ tcp_in_fastopen && !tcp_in_fastopen_logged ? US"TFO " : US"",
+ host_and_ident(FALSE), smtp_read_error,
+ string_timesince(&smtp_connection_start)
+ );
else
- log_write(L_smtp_connection, LOG_MAIN, "%s lost%s D=%s",
- smtp_get_connection_info(), smtp_read_error,
- string_timesince(&smtp_connection_start));
+ log_write(L_smtp_connection, LOG_MAIN, "%s %slost%s D=%s",
+ smtp_get_connection_info(),
+ tcp_in_fastopen && !tcp_in_fastopen_logged ? US"TFO " : US"",
+ smtp_read_error,
+ string_timesince(&smtp_connection_start)
+ );
done = 1;
break;
diff --git a/src/src/smtp_out.c b/src/src/smtp_out.c
index 253d7670d..d5bf262be 100644
--- a/src/src/smtp_out.c
+++ b/src/src/smtp_out.c
@@ -140,6 +140,30 @@ return TRUE;
+#ifdef TCP_FASTOPEN
+static void
+tfo_out_check(int sock)
+{
+# ifdef TCP_INFO
+struct tcp_info tinfo;
+socklen_t len = sizeof(tinfo);
+
+if (getsockopt(sock, IPPROTO_TCP, TCP_INFO, &tinfo, &len) == 0)
+ {
+ /* This is a somewhat dubious detection method; totally undocumented so likely
+ to fail in future kernels. There seems to be no documented way. */
+
+ if (tinfo.tcpi_unacked > 1)
+ {
+ DEBUG(D_transport|D_v) debug_printf("TCP_FASTOPEN mode connection\n");
+ tcp_out_fastopen = TRUE;
+ }
+ }
+# endif
+}
+#endif
+
+
int
smtp_sock_connect(host_item * host, int host_af, int port, uschar * interface,
transport_instance * tb, int timeout)
@@ -239,6 +263,9 @@ else
return -1;
}
if (ob->keepalive) ip_keepalive(sock, host->address, TRUE);
+#ifdef TCP_FASTOPEN
+ tfo_out_check(sock);
+#endif
return sock;
}
}
diff --git a/src/src/structs.h b/src/src/structs.h
index a17b50332..beea57f34 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -610,6 +610,7 @@ typedef struct address_item {
BOOL af_cert_verified:1; /* delivered with verified TLS cert */
BOOL af_pass_message:1; /* pass message in bounces */
BOOL af_bad_reply:1; /* filter could not generate autoreply */
+ BOOL af_tcp_fastopen:1; /* delivery used TCP Fast Open */
#ifndef DISABLE_PRDR
BOOL af_prdr_used:1; /* delivery used SMTP PRDR */
#endif
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 3ed31d924..a3819fe49 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -2504,6 +2504,9 @@ for (addr = sx->first_addr, address_count = 0;
BOOL no_flush;
uschar * rcpt_addr;
+ if (tcp_out_fastopen && !tcp_out_fastopen_logged)
+ setflag(addr, af_tcp_fastopen);
+
addr->dsn_aware = sx->peer_offered & OPTION_DSN
? dsn_support_yes : dsn_support_no;
@@ -2557,6 +2560,7 @@ for (addr = sx->first_addr, address_count = 0;
}
} /* Loop for next address */
+tcp_out_fastopen_logged = TRUE;
sx->next_addr = addr;
return 0;
}
diff --git a/test/confs/1990 b/test/confs/1990
new file mode 100644
index 000000000..4c2bdc29d
--- /dev/null
+++ b/test/confs/1990
@@ -0,0 +1,48 @@
+# Exim test configuration 1990
+# TCP Fast Open
+
+SERVER=
+
+.include DIR/aux-var/std_conf_prefix
+
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+log_selector = +received_recipients +millisec
+
+# ----- Routers -----
+
+begin routers
+
+server:
+ driver = redirect
+ condition = ${if eq {SERVER}{server} {yes}{no}}
+ data = :blackhole:
+
+client:
+ driver = accept
+ condition = ${if eq {SERVER}{server}{no}{yes}}
+ transport = send_to_server
+
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+ driver = smtp
+ allow_localhost
+ hosts = 127.0.0.1
+ port = PORT_D
+ hosts_try_fastopen = *
+
+# ----- Retry -----
+
+begin retry
+
+* * F,5d,10s
+
+
+# End
diff --git a/test/confs/2052 b/test/confs/2052
deleted file mode 100644
index fd1f4d1c0..000000000
--- a/test/confs/2052
+++ /dev/null
@@ -1,67 +0,0 @@
-# Exim test configuration 2052
-# as per 2000 but with TCP Fast Open
-
-SERVER=
-
-.include DIR/aux-var/tls_conf_prefix
-
-primary_hostname = myhost.test.ex
-
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept
-
-log_selector = +tls_peerdn
-
-queue_only
-queue_run_in_order
-
-tls_advertise_hosts = *
-# needed to force generation
-tls_dhparam = historic
-
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-
-tls_verify_hosts = *
-tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}
-
-
-# ----- Routers -----
-
-begin routers
-
-client:
- driver = accept
- condition = ${if eq {SERVER}{server}{no}{yes}}
- retry_use_local_part
- transport = send_to_server
-
-
-# ----- Transports -----
-
-begin transports
-
-send_to_server:
- driver = smtp
- allow_localhost
- hosts = 127.0.0.1
- port = PORT_D
- hosts_try_fastopen = *
- tls_certificate = DIR/aux-fixed/cert2
- tls_privatekey = DIR/aux-fixed/cert2
- tls_verify_certificates = DIR/aux-fixed/cert2
- tls_try_verify_hosts =
-
-
-# ----- Retry -----
-
-
-begin retry
-
-* * F,5d,10s
-
-
-# End
diff --git a/test/confs/2152 b/test/confs/2152
deleted file mode 100644
index a8b6c15f1..000000000
--- a/test/confs/2152
+++ /dev/null
@@ -1,68 +0,0 @@
-# Exim test configuration 2152
-# as per 2100 but with TCP Fast Open
-
-SERVER=
-
-.include DIR/aux-var/tls_conf_prefix
-
-primary_hostname = myhost.test.ex
-
-.ifdef _HAVE_TLS
-# that was purely to trigger the lazy-create of builtin macros
-.endif
-# ----- Main settings -----
-
-acl_smtp_rcpt = accept
-
-log_selector = +tls_peerdn
-
-queue_only
-queue_run_in_order
-
-tls_advertise_hosts = *
-
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-
-tls_verify_hosts = *
-tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}
-
-
-# ----- Routers -----
-
-begin routers
-
-client:
- driver = accept
- condition = ${if eq {SERVER}{server}{no}{yes}}
- retry_use_local_part
- transport = send_to_server
-
-
-# ----- Transports -----
-
-begin transports
-
-send_to_server:
- driver = smtp
- allow_localhost
- hosts = 127.0.0.1
- port = PORT_D
- hosts_try_fastopen = *
- tls_certificate = DIR/aux-fixed/cert2
- tls_privatekey = DIR/aux-fixed/cert2
- tls_verify_certificates = DIR/aux-fixed/cert2
- tls_try_verify_hosts = :
-
-
-# ----- Retry -----
-
-
-begin retry
-
-* * F,5d,10s
-
-
-# End
diff --git a/test/log/1990 b/test/log/1990
new file mode 100644
index 000000000..36a7a56b6
--- /dev/null
+++ b/test/log/1990
@@ -0,0 +1,15 @@
+2017-07-30 18:51:05.712 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for a@test.ex
+2017-07-30 18:51:05.712 10HmaX-0005vi-00 => a@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
+2017-07-30 18:51:05.712 10HmaX-0005vi-00 Completed
+2017-07-30 18:51:05.712 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for b@test.ex
+2017-07-30 18:51:05.712 10HmaZ-0005vi-00 => b@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] TFO C="250 OK id=10HmbA-0005vi-00"
+2017-07-30 18:51:05.712 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+2017-07-30 18:51:05.712 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+2017-07-30 18:51:05.712 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex for a@test.ex
+2017-07-30 18:51:05.712 10HmaY-0005vi-00 => :blackhole: <a@test.ex> R=server
+2017-07-30 18:51:05.712 10HmaY-0005vi-00 Completed
+2017-07-30 18:51:05.712 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] TFO P=esmtp S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for b@test.ex
+2017-07-30 18:51:05.712 10HmbA-0005vi-00 => :blackhole: <b@test.ex> R=server
+2017-07-30 18:51:05.712 10HmbA-0005vi-00 Completed
diff --git a/test/log/2052 b/test/log/2052
deleted file mode 100644
index 04c72f5eb..000000000
--- a/test/log/2052
+++ /dev/null
@@ -1,12 +0,0 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (certificate verification failed): certificate invalid: delivering unencrypted to H=127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 End queue run: pid=pppp -qf
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (recv): A TLS fatal alert has been received.: Certificate is bad
-1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
diff --git a/test/log/2152 b/test/log/2152
deleted file mode 100644
index 1ed6351ff..000000000
--- a/test/log/2152
+++ /dev/null
@@ -1,9 +0,0 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
-1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 => CALLER@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 End queue run: pid=pppp -qf
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex
diff --git a/test/scripts/1990-TCP-Fast-Open/1990 b/test/scripts/1990-TCP-Fast-Open/1990
new file mode 100644
index 000000000..47b77af0e
--- /dev/null
+++ b/test/scripts/1990-TCP-Fast-Open/1990
@@ -0,0 +1,39 @@
+# TCP Fast Open
+#
+# Linux:
+# Both server and client-side TFO support must be enabled in the
+# kernel, 'sudo sh -c "echo 3 > /proc/sys/net/ipv4/tcp_fastopen"'.
+#
+# A packet capture on the loopback interface will show the TFO
+# option on the SYN, but the fast-output SMTP banner will not
+# be seen unless you also deliberately emulate a long path:
+# 'sudo tc qdisc add dev lo root netem delay 100ms'
+#
+# First time runs will see a TFO request option only; subsequent
+# ones should see the TFO cookie and fast-output SMTP banner
+# (currently on a separate packet after the server SYN,ACK but before
+# the client ACK).
+#
+# The log <= line should have a "TFO" element.
+#
+# If the client-side is disabled in the kernel, Exim logs
+# will become noisy.
+#
+#
+# FreeBSD: it looks like you have to compile a custom kernel, with
+# 'options TCP_RFC7413' in the config. Also set
+# 'net.inet.tcp.fastopen.enabled=1' in /etc/sysctl.conf
+# Untested.
+#
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim a@test.ex
+Testing
+****
+sleep 3
+exim b@test.ex
+Testing
+****
+sleep 3
+killdaemon
+no_msglog_check
diff --git a/test/scripts/1990-TCP-Fast-Open/REQUIRES b/test/scripts/1990-TCP-Fast-Open/REQUIRES
new file mode 100644
index 000000000..48cd58b67
--- /dev/null
+++ b/test/scripts/1990-TCP-Fast-Open/REQUIRES
@@ -0,0 +1 @@
+support TCP_Fast_Open
diff --git a/test/scripts/2000-GnuTLS/2052 b/test/scripts/2000-GnuTLS/2052
deleted file mode 100644
index fa76b4849..000000000
--- a/test/scripts/2000-GnuTLS/2052
+++ /dev/null
@@ -1,22 +0,0 @@
-# TLS client: TLS setup fails - retry in clear (with fastopen)
-#
-# If all works you'll not see any difference. To enable in the
-# kernel, 'sudo sh -c "echo 3 > /proc/sys/net/ipv4/tcp_fastopen"'.
-# A packet capture on the loopback interface will show the TFU
-# option on the SYN, but the fast-output SMTP banner will not
-# be seen unless you also deliberately emulate a long path:
-# 'sudo tc qdisc add dev lo root netem delay 100ms'
-#
-# If the client-side is disabled in the kernel, Exim logs
-# will become noisy.
-#
-gnutls
-exim -DSERVER=server -bd -oX PORT_D
-****
-exim CALLER@test.ex
-Testing
-****
-exim -qf
-****
-killdaemon
-no_msglog_check
diff --git a/test/scripts/2100-OpenSSL/2152 b/test/scripts/2100-OpenSSL/2152
deleted file mode 100644
index 12a482a93..000000000
--- a/test/scripts/2100-OpenSSL/2152
+++ /dev/null
@@ -1,21 +0,0 @@
-# TLS client: TLS setup fails - retry in clear (with fastopen)
-#
-# If all works you'll not see any difference. To enable in the
-# kernel, 'sudo sh -c "echo 3 > /proc/sys/net/ipv4/tcp_fastopen"'.
-# A packet capture on the loopback interface will show the TFO
-# option on the SYN, but the fast-output SMTP banner will not
-# be seen unless you also deliberately emulate a long path:
-# 'sudo tc qdisc add dev lo root netem delay 100ms'
-#
-# If the client-side is disabled in the kernel, Exim logs
-# will become noisy.
-#
-exim -DSERVER=server -bd -oX PORT_D
-****
-exim CALLER@test.ex
-Testing
-****
-exim -qf
-****
-killdaemon
-no_msglog_check