Change the default for hosts_try_dane, enabling use by default

14 files changed, 75 insertions, 26 deletions

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 39757a156..856bb0c15 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -24696,7 +24696,7 @@ This option provides a list of servers to which, provided they announce
 CHUNKING support, Exim will attempt to use BDAT commands rather than DATA.
 BDAT will not be used in conjunction with a transport filter.
 
-.option hosts_try_dane smtp "host list&!!" unset
+.option hosts_try_dane smtp "host list&!!" *
 .cindex DANE "transport options"
 .cindex DANE "attempting for certain servers"
 If built with DANE support, Exim  will lookup a
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 065ec2812..789593ab3 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -107,6 +107,10 @@ JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default.
       for multiple message deliveries, by default.  Previoud the default was to
       not do so.
 
+JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
+      default.  If built with the facility, DANE will be used.  The facility is
+      now enabled in the prototype build Makefile "EDITME".
+
 
 
 Exim version 4.92
diff --git a/src/src/EDITME b/src/src/EDITME
index dea4e4cf8..415f021ee 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -367,10 +367,10 @@ PCRE_CONFIG=yes
 
 
 #------------------------------------------------------------------------------
-# Uncomment the following line to add DANE support
+# Comment out the following line to remove DANE support
 # Note: Enabling this unconditionally overrides DISABLE_DNSSEC
 # For DANE under GnuTLS we need an additional library.  See TLS_LIBS below.
-# SUPPORT_DANE=yes
+SUPPORT_DANE=yes
 
 #------------------------------------------------------------------------------
 # Additional libraries and include directories may be required for some
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 041ed9393..3d7aaae6b 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -240,7 +240,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   .hosts_require_auth =		NULL,
   .hosts_try_chunking =		US"*",
 #ifdef SUPPORT_DANE
-  .hosts_try_dane =		NULL,
+  .hosts_try_dane =		US"*",
   .hosts_require_dane =		NULL,
   .dane_require_tls_ciphers =	NULL,
 #endif
diff --git a/test/confs/5820 b/test/confs/5820
index bcb1a8f34..b038558de 100644
--- a/test/confs/5820
+++ b/test/confs/5820
@@ -2,6 +2,7 @@
 # DANE/GnuTLS
 
 SERVER=
+CONTROL= *
 
 .include DIR/aux-var/tls_conf_prefix
 
@@ -66,7 +67,7 @@ send_to_server:
   allow_localhost
   port = PORT_D
 
-  hosts_try_dane =     *
+  hosts_try_dane =     CONTROL
   hosts_require_dane = HOSTIPV4
   tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
   tls_try_verify_hosts = thishost.test.ex
diff --git a/test/confs/5840 b/test/confs/5840
index 407846a8a..bda328a97 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -2,6 +2,7 @@
 # DANE/OpenSSL
 
 SERVER=
+CONTROL= *
 
 .include DIR/aux-var/tls_conf_prefix
 
@@ -71,7 +72,7 @@ send_to_server:
   allow_localhost
   port = PORT_D
 
-  hosts_try_dane =     *
+  hosts_try_dane =     CONTROL
   hosts_require_dane = HOSTIPV4
   tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
   tls_try_verify_hosts = thishost.test.ex
diff --git a/test/log/5820 b/test/log/5820
index 8b6cd5f4d..4952d8337 100644
--- a/test/log/5820
+++ b/test/log/5820
@@ -68,6 +68,9 @@
 1999-03-02 09:44:33 10HmbZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken8.example.com
 1999-03-02 09:44:33 10HmbZ-0005vi-00 => CALLER@danebroken8.example.com R=client T=send_to_server H=danebroken8.example.com [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="CN=server1.example.net" C="250 OK id=10HmcA-0005vi-00"
 1999-03-02 09:44:33 10HmbZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmcB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken2.test.ex
+1999-03-02 09:44:33 10HmcB-0005vi-00 => CALLER@danebroken2.test.ex R=client T=send_to_server H=danebroken2.test.ex [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="CN=server1.example.com" C="250 OK id=10HmcC-0005vi-00"
+1999-03-02 09:44:33 10HmcB-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
@@ -123,3 +126,8 @@
 1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for CALLER@danebroken8.example.com
 1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: <CALLER@danebroken8.example.com> R=server
 1999-03-02 09:44:33 10HmcA-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmcC-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcB-0005vi-00@myhost.test.ex for CALLER@danebroken2.test.ex
+1999-03-02 09:44:33 10HmcC-0005vi-00 => :blackhole: <CALLER@danebroken2.test.ex> R=server
+1999-03-02 09:44:33 10HmcC-0005vi-00 Completed
diff --git a/test/log/5840 b/test/log/5840
index 3cbc7d8bb..581a19ba0 100644
--- a/test/log/5840
+++ b/test/log/5840
@@ -68,6 +68,9 @@
 1999-03-02 09:44:33 10HmbZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken8.example.com
 1999-03-02 09:44:33 10HmbZ-0005vi-00 => CALLER@danebroken8.example.com R=client T=send_to_server H=danebroken8.example.com [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=dane DN="/CN=server1.example.net" C="250 OK id=10HmcA-0005vi-00"
 1999-03-02 09:44:33 10HmbZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmcB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken2.test.ex
+1999-03-02 09:44:33 10HmcB-0005vi-00 => CALLER@danebroken2.test.ex R=client T=send_to_server H=danebroken2.test.ex [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="/CN=server1.example.com" C="250 OK id=10HmcC-0005vi-00"
+1999-03-02 09:44:33 10HmcB-0005vi-00 Completed
 
 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
@@ -124,3 +127,8 @@
 1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for CALLER@danebroken8.example.com
 1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: <CALLER@danebroken8.example.com> R=server
 1999-03-02 09:44:33 10HmcA-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmcC-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcB-0005vi-00@myhost.test.ex for CALLER@danebroken2.test.ex
+1999-03-02 09:44:33 10HmcC-0005vi-00 => :blackhole: <CALLER@danebroken2.test.ex> R=server
+1999-03-02 09:44:33 10HmcC-0005vi-00 Completed
diff --git a/test/scripts/5820-DANE-GnuTLS/5820 b/test/scripts/5820-DANE-GnuTLS/5820
index d7824a38c..4b5f9dd87 100644
--- a/test/scripts/5820-DANE-GnuTLS/5820
+++ b/test/scripts/5820-DANE-GnuTLS/5820
@@ -103,7 +103,7 @@ Testing
 ****
 #
 ### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
-# that way round to excersize more code in the implementation
+# that way round to exercise more code in the implementation
 exim -odf CALLER@danemixed.test.ex
 Testing
 ****
@@ -123,6 +123,15 @@ Testing
 exim -odf CALLER@danebroken8.example.com
 Testing
 ****
+killdaemon
+#
 #
+sudo rm DIR/spool/db/retry
+exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
+****
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
+exim -odf -DCONTROL=: CALLER@danebroken2.test.ex
+****
 killdaemon
+#
 no_msglog_check
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index 4d88131ea..f988cd1cd 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -2,11 +2,11 @@
 #
 exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D
 ****
-### TLSA (3 1 1)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
 exim -odq CALLER@dane256ee.test.ex
 Testing
 ****
-### TLSA (3 1 2)
+### TLSA (3 1 2) (            SHA2-512)
 exim -odq CALLER@mxdane512ee.test.ex
 Testing
 ****
@@ -24,7 +24,7 @@ killdaemon
 #
 exim -DSERVER=server -DDETAILS=ta -bd -oX PORT_D
 ****
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 exim -odf CALLER@mxdane256ta.test.ex
 Testing
 ****
@@ -111,8 +111,9 @@ Testing
 ****
 #
 killdaemon
-
-
+#
+#
+#
 ### A server with a name not matching the cert.  TA-mode; should fail
 exim -DSERVER=server -DDETAILS=cert.net -bd -oX PORT_D
 ****
@@ -124,6 +125,15 @@ Testing
 exim -odf CALLER@danebroken8.example.com
 Testing
 ****
+killdaemon
+#
 #
+sudo rm DIR/spool/db/retry
+exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
+****
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
+exim -odf -DCONTROL=: CALLER@danebroken2.test.ex
+****
 killdaemon
+#
 no_msglog_check
diff --git a/test/stderr/5820 b/test/stderr/5820
index 84005afe3..f218f0c51 100644
--- a/test/stderr/5820
+++ b/test/stderr/5820
@@ -9,7 +9,7 @@
 >>> host in helo_verify_hosts? no (option unset)
 >>> host in helo_try_verify_hosts? no (option unset)
 >>> host in helo_accept_junk_hosts? no (option unset)
->>> processing "accept" (TESTSUITE/test-config 85)
+>>> processing "accept" (TESTSUITE/test-config 86)
 >>> check verify = recipient/callout
 >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 >>> routing rcptuser@dane256ee.test.ex
@@ -80,6 +80,7 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
 ### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
 ### A server with a name not matching the cert.  TA-mode; should fail
 ### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
 
 ******** SERVER ********
 ### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
@@ -102,3 +103,4 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
 ### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
 ### A server with a name not matching the cert.  TA-mode; should fail
 ### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
diff --git a/test/stderr/5840 b/test/stderr/5840
index 6a2b6e209..0991dc695 100644
--- a/test/stderr/5840
+++ b/test/stderr/5840
@@ -1,5 +1,5 @@
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) (            SHA2-512)
 ### Recipient callout
 >>> host in hosts_connection_nolog? no (option unset)
 >>> host in host_lookup? no (option unset)
@@ -9,7 +9,7 @@
 >>> host in helo_verify_hosts? no (option unset)
 >>> host in helo_try_verify_hosts? no (option unset)
 >>> host in helo_accept_junk_hosts? no (option unset)
->>> processing "accept" (TESTSUITE/test-config 90)
+>>> processing "accept" (TESTSUITE/test-config 91)
 >>> check verify = recipient/callout
 >>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 >>> routing rcptuser@dane256ee.test.ex
@@ -63,7 +63,7 @@
 >>> accept: condition test succeeded in inline ACL
 >>> end of inline ACL: ACCEPT
 LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 ### TLSA (2 1 1)
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
@@ -80,12 +80,13 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
 ### A server insecurely serving a good A record, dane required (delivery should fail)
 ### A server with a name not matching the cert.  TA-mode; should fail
 ### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
 
 ******** SERVER ********
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) (            SHA2-512)
 ### Recipient callout
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 ### TLSA (2 1 1)
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
@@ -102,3 +103,4 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] D=qqs
 ### A server insecurely serving a good A record, dane required (delivery should fail)
 ### A server with a name not matching the cert.  TA-mode; should fail
 ### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
diff --git a/test/stdout/5820 b/test/stdout/5820
index 4b26b4c79..acaec1415 100644
--- a/test/stdout/5820
+++ b/test/stdout/5820
@@ -27,6 +27,7 @@
 ### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
 ### A server with a name not matching the cert.  TA-mode; should fail
 ### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
 
 ******** SERVER ********
 ### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
@@ -49,3 +50,4 @@
 ### A server with a mixed-usage set of TLSAs - the EE-mode one failing verify (should deliver, DANE-mode)
 ### A server with a name not matching the cert.  TA-mode; should fail
 ### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
diff --git a/test/stdout/5840 b/test/stdout/5840
index 947f802a7..e6bd55bf9 100644
--- a/test/stdout/5840
+++ b/test/stdout/5840
@@ -1,5 +1,5 @@
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) (            SHA2-512)
 ### Recipient callout
 
 **** SMTP testing session as if from host 127.0.0.1
@@ -10,7 +10,7 @@
 250 OK

 250 Accepted

 421 myhost.test.ex lost input connection

-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 ### TLSA (2 1 1)
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
@@ -27,12 +27,13 @@
 ### A server insecurely serving a good A record, dane required (delivery should fail)
 ### A server with a name not matching the cert.  TA-mode; should fail
 ### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)
 
 ******** SERVER ********
-### TLSA (3 1 1)
-### TLSA (3 1 2)
+### TLSA (3 1 1) (DANE-EE SPKI SHA2-256)
+### TLSA (3 1 2) (            SHA2-512)
 ### Recipient callout
-### TLSA (2 0 1)
+### TLSA (2 0 1) (DANE-TA CERT SHA2-256)
 ### TLSA (2 1 1)
 ### A server with a nonverifying cert and no TLSA
 ### A server with a verifying cert and no TLSA
@@ -49,3 +50,4 @@
 ### A server insecurely serving a good A record, dane required (delivery should fail)
 ### A server with a name not matching the cert.  TA-mode; should fail
 ### A server with a name not matching the cert.  EE-mode; should deliver and claim DANE mode
+### A server securely serving a wrong TLSA record, dane not requested (delivery should work non-dane)