authorJeremy Harris <jgh146exb@wizmail.org>2017-03-21 15:54:00 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2017-03-21 16:01:20 +0000
commit5013d912e961203f2ab2d5f64be90255cda81b80 (patch)
treeed2dc51fe1d408ce29d7f1b6eefa94ca49491420
parent0a27a8228d3ccf0730f54710781abb1185ed26b5 (diff)
Logging: make cipher info available for continued-TLS connection deliveries
-rw-r--r--doc/doc-docbook/spec.xfpt11
-rw-r--r--doc/doc-txt/ChangeLog3
-rw-r--r--src/src/deliver.c8
-rw-r--r--src/src/exim.c10
-rw-r--r--src/src/globals.c2
-rw-r--r--src/src/globals.h2
-rw-r--r--src/src/transport.c5
-rw-r--r--src/src/transports/smtp.c4
-rw-r--r--test/log/20134
-rw-r--r--test/log/21134
-rw-r--r--test/stderr/20134
-rw-r--r--test/stderr/21134
12 files changed, 33 insertions, 28 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 128ee8004..c62c1eecf 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -3869,12 +3869,12 @@ by Exim in conjunction with the &%-MC%& option, and passes on the fact that the
host to which Exim is connected supports TLS encryption.
.new
-.vitem &%-MCt%&&~<&'IP&~address'&>&~<&'port'&>
+.vitem &%-MCt%&&~<&'IP&~address'&>&~<&'port'&>&~<&'cipher'&>
.oindex "&%-MCt%&"
This option is not intended for use by external callers. It is used internally
by Exim in conjunction with the &%-MC%& option, and passes on the fact that the
connection is being proxied by a parent process for handling TLS encryption.
-The pair of arguments give the local address and port being proxied.
+The arguments give the local address and port being proxied, and the TLS cipher.
.wen
.vitem &%-Mc%&&~<&'message&~id'&>&~<&'message&~id'&>&~...
@@ -35774,10 +35774,9 @@ down a single SMTP connection, an asterisk follows the IP address in the log
lines for the second and subsequent messages.
.new
When two or more messages are delivered down a single TLS connection, the
-DNS and TLS-related information logged for the first message delivered
+DNS and some TLS-related information logged for the first message delivered
will not be present in the log lines for the second and subsequent messages.
-A TLS-marker indication of &'X=*'& is added to the log line instead of
-cipher information.
+TLS cipher information is still available.
.wen
.cindex "delivery" "cutthrough; logging"
@@ -35906,7 +35905,7 @@ the following table:
&`T `& on &`<=`& lines: message subject (topic)
&` `& on &`=>`& &`**`& and &`==`& lines: transport name
&`U `& local user or RFC 1413 identity
-&`X `& TLS cipher suite, or TLS usage mark
+&`X `& TLS cipher suite
.endd
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index ac35c75f1..3e5d6f7fc 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -24,8 +24,7 @@ JH/03 Rework the transport continued-connection mechanism: when TLS is active,
the passed-on TCP connection. Instead, proxy the child (and any
subsequent ones) for TLS via a unix-domain socket channel. Logging is
affected: the continued delivery log lines do not have any DNSSEC, TLS
- cipher, Certificate or OCSP information. A "continued-TLS" marker is
- added instead of the cipher information: "X=*".
+ Certificate or OCSP information. TLS cipher information is still logged.
JH/04 Shorten the log line for daemon startup by collapsing adjacent sets of
identical IP addresses on different listening ports. Will also affect
diff --git a/src/src/deliver.c b/src/src/deliver.c
index 7743d37c3..ccc32667e 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -4715,8 +4715,12 @@ for (delivery_count = 0; addr_remote; delivery_count++)
rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer);
}
- else if (continue_proxy) /* known TLS, but no cipher info */
- rmt_dlv_checked_write(fd, 'X', '1', US"*\0", 3);
+ else if (continue_proxy_cipher)
+ {
+ ptr = big_buffer + sprintf(CS big_buffer, "%.128s", continue_proxy_cipher) + 1;
+ *ptr++ = 0;
+ rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer);
+ }
if (addr->peercert)
{
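Review bot: The record built from continue_proxy_cipher is terminated twice — sprintf() writes one NUL, the `+ 1` steps past it and `*ptr++ = 0` appends a second — which matches the three-byte `"*\0"` marker it replaces (and presumably the record the branch above builds), but nothing in the code says so, and the `%.128s` width is an unexplained limit that silently truncates a longer cipher name. A comment such as `/* cipher name received via -MCt; the X record is double-NUL terminated, and the name is capped at 128 chars */` would make both deliberate rather than accidental. The enclosing delivery loop starts outside the hunk.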
diff --git a/src/src/exim.c b/src/src/exim.c
index fd08cc780..383382072 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -2710,7 +2710,7 @@ for (i = 1; i < argc; i++)
/* Set up $sending_ip_address and $sending_port, unless proxied */
- if (!continue_proxy)
+ if (!continue_proxy_cipher)
if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
&size) == 0)
sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
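Review bot: The getsockname() skip on the first line of the hunk is only correct if -MCt has already been parsed by the time -MC is reached, because continue_proxy_cipher stays NULL until the -MCt case runs; that appears to hold for the argv transport_pass_socket builds (the -MC arguments themselves are outside this hunk), but the dependency on option order is not documented here. Suggest expanding the comment to `/* Set up $sending_ip_address and $sending_port, unless proxied. Relies on -MCt preceding -MC in the argv built by transport_pass_socket(). */`. main() continues outside the hunk.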
@@ -2774,13 +2774,15 @@ for (i = 1; i < argc; i++)
#ifdef SUPPORT_TLS
/* -MCt: similar to -MCT below but the connection is still open
via a proxy proces which handles the TLS context and coding.
- Require two arguments for the proxied local address and port. */
+ Require three arguments for the proxied local address and port,
+ and the TLS cipher. */
- case 't': continue_proxy = TRUE;
- if (++i < argc) sending_ip_address = argv[i];
+ case 't': if (++i < argc) sending_ip_address = argv[i];
else badarg = TRUE;
if (++i < argc) sending_port = (int)(Uatol(argv[i]));
else badarg = TRUE;
+ if (++i < argc) continue_proxy_cipher = argv[i];
+ else badarg = TRUE;
/*FALLTHROUGH*/
/* -MCT: set the tls_offered flag; this is useful only when it
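Review bot: continue_proxy_cipher is taken verbatim from argv with no validation, and this commit then copies it into the delivery log line (deliver.c) and into the argv of the next child (transport.c), so a hand-typed -MCt with an empty string, or one containing whitespace or a newline, would yield a malformed `X=` field or a corrupted log line. -MCt is documented as internal, but whether an untrusted local caller can reach this path is not visible here, so a cheap check seems worthwhile: `if (++i < argc && *argv[i] && !strpbrk(CS argv[i], " \t\r\n")) continue_proxy_cipher = argv[i];` followed by the existing `else badarg = TRUE;`. The comment above the case also still reads "proxy proces". The enclosing switch and main() continue outside the hunk.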
diff --git a/src/src/globals.c b/src/src/globals.c
index f3e4bad96..9e417b0d2 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -529,11 +529,11 @@ uid_t config_uid = 0;
#endif
int connection_max_messages= -1;
+uschar *continue_proxy_cipher = NULL;
uschar *continue_hostname = NULL;
uschar *continue_host_address = NULL;
BOOL continue_more = FALSE;
int continue_sequence = 1;
-BOOL continue_proxy = FALSE;
uschar *continue_transport = NULL;
uschar *csa_status = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index 750a960eb..72be706a4 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -289,11 +289,11 @@ extern uschar *config_main_filelist; /* List of possible config files */
extern uschar *config_main_filename; /* File name actually used */
extern uschar *config_main_directory; /* Directory where the main config file was found */
extern uid_t config_uid; /* Additional owner */
+extern uschar *continue_proxy_cipher; /* TLS cipher for proxied continued delivery */
extern uschar *continue_hostname; /* Host for continued delivery */
extern uschar *continue_host_address; /* IP address for ditto */
extern BOOL continue_more; /* Flag more addresses waiting */
extern int continue_sequence; /* Sequence num for continued delivery */
-extern BOOL continue_proxy; /* Continued delivery is proxied for TLS */
extern uschar *continue_transport; /* Transport for continued delivery */
extern uschar *csa_status; /* Client SMTP Authorization result */
diff --git a/src/src/transport.c b/src/src/transport.c
index aca33762b..e6e327822 100644
--- a/src/src/transport.c
+++ b/src/src/transport.c
@@ -1959,7 +1959,7 @@ DEBUG(D_transport) debug_printf("transport_pass_socket entered\n");
if ((pid = fork()) == 0)
{
- int i = 19;
+ int i = 20;
const uschar **argv;
/* Disconnect entirely from the parent process. If we are running in the
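Review bot: The bump from 19 to 20 appears to be the argv slot count handed to child_exec_exim() just below the hunk, and nothing ties that number to the options appended later in the function; the next person adding a -MC* argument has to know to bump it or the fill loop writes past the array. A comment on the line would help, e.g. `int i = 20;  /* argv slots: -MCt now takes three arguments; bump when adding an option below */`, or better a named constant next to the option list. transport_pass_socket() starts outside the hunk.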
@@ -1983,11 +1983,12 @@ if ((pid = fork()) == 0)
if (smtp_peer_options & PEER_OFFERED_SIZE) argv[i++] = US"-MCS";
#ifdef SUPPORT_TLS
if (smtp_peer_options & PEER_OFFERED_TLS)
- if (tls_out.active >= 0 || continue_proxy)
+ if (tls_out.active >= 0 || continue_proxy_cipher)
{
argv[i++] = US"-MCt";
argv[i++] = sending_ip_address;
argv[i++] = string_sprintf("%d", sending_port);
+ argv[i++] = tls_out.active >= 0 ? tls_out.cipher : continue_proxy_cipher;
}
else
argv[i++] = US"-MCT";
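Review bot: The new `argv[i++] = tls_out.active >= 0 ? tls_out.cipher : continue_proxy_cipher;` stores a pointer into argv without a NULL check; if the TLS layer ever leaves tls_out.cipher unset while active, the NULL entry acts as the argv terminator for the exec, silently dropping every argument appended after it (the -MC arguments are outside this hunk). Hoisting the choice into a local and substituting an empty string keeps the argv intact and also removes the duplicated `tls_out.active >= 0` test: `uschar * cipher = tls_out.active >= 0 ? tls_out.cipher : continue_proxy_cipher;` then `argv[i++] = cipher ? cipher : US"";`. transport_pass_socket() continues outside the hunk.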
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 52e04b8a5..34c96dbff 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1823,7 +1823,7 @@ else
/* For a continued connection with TLS being proxied for us, nothing
more to do. */
- if (continue_proxy)
+ if (continue_proxy_cipher)
{
sx->peer_offered = smtp_peer_options;
pipelining_active = !!(smtp_peer_options & PEER_OFFERED_PIPE);
@@ -3277,7 +3277,7 @@ if (sx.completed_addr && sx.ok && sx.send_quit)
|| continue_more
|| (
#ifdef SUPPORT_TLS
- ( tls_out.active < 0 && !continue_proxy
+ ( tls_out.active < 0 && !continue_proxy_cipher
|| verify_check_given_host(&sx.ob->hosts_nopass_tls, host) != OK
)
&&
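Review bot: The rewritten condition `tls_out.active < 0 && !continue_proxy_cipher || verify_check_given_host(&sx.ob->hosts_nopass_tls, host) != OK` mixes `&&` and `||` without grouping parentheses, so the intended reading (presumably: no TLS in either form, or the host is not exempted by hosts_nopass_tls) is only recoverable from precedence rules, and -Wparentheses will flag it. Since the line is being touched anyway, `( (tls_out.active < 0 && !continue_proxy_cipher) || verify_check_given_host(&sx.ob->hosts_nopass_tls, host) != OK )` costs nothing. The enclosing condition and function continue outside the hunk.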
diff --git a/test/log/2013 b/test/log/2013
index ad78743ec..e66fdbfae 100644
--- a/test/log/2013
+++ b/test/log/2013
@@ -4,9 +4,9 @@
1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbB-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbC-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qqf
diff --git a/test/log/2113 b/test/log/2113
index 88eafe9b3..144154088 100644
--- a/test/log/2113
+++ b/test/log/2113
@@ -4,9 +4,9 @@
1999-03-02 09:44:33 Start queue run: pid=pppp -qqf
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbB-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbC-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qqf
diff --git a/test/stderr/2013 b/test/stderr/2013
index c183664d6..4c1b0ce12 100644
--- a/test/stderr/2013
+++ b/test/stderr/2013
@@ -49,7 +49,7 @@ cmd buf flush ddd bytes
SMTP<< 250 OK id=10HmbB-0005vi-00
SMTP(close)>>
LOG: MAIN
- => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbB-0005vi-00"
+ => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbB-0005vi-00"
LOG: MAIN
Completed
>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
@@ -70,7 +70,7 @@ cmd buf flush ddd bytes
SMTP(close)>>
>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
LOG: MAIN
- => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbC-0005vi-00"
+ => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no C="250 OK id=10HmbC-0005vi-00"
LOG: MAIN
Completed
>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
diff --git a/test/stderr/2113 b/test/stderr/2113
index ae0044b99..af5ff730f 100644
--- a/test/stderr/2113
+++ b/test/stderr/2113
@@ -49,7 +49,7 @@ cmd buf flush ddd bytes
SMTP<< 250 OK id=10HmbB-0005vi-00
SMTP(close)>>
LOG: MAIN
- => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbB-0005vi-00"
+ => userz@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbB-0005vi-00"
LOG: MAIN
Completed
>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
@@ -70,7 +70,7 @@ cmd buf flush ddd bytes
SMTP(close)>>
>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
LOG: MAIN
- => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=* CV=no C="250 OK id=10HmbC-0005vi-00"
+ => usery@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1]* X=TLSv1:AES256-SHA:256 CV=no C="250 OK id=10HmbC-0005vi-00"
LOG: MAIN
Completed
>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>