| author | Jeremy Harris <jgh146exb@wizmail.org> | 2020-08-19 21:09:04 +0100 |
|---|---|---|
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2020-08-20 00:00:22 +0100 |
| commit | 7044dd8fd62e215572ecf5a2c7f1bb9581cf6628 | |
| tree | bcca106e4834b86f3fce79503768eff86441edb0 /doc | |
| parent | 7f83b348ccf4cd815e9758ab9ca1012e66324e9d | |
DANE: force SNI to use $domain. Bug 2265
Note: this is not a complete fix for the issue
Diffstat (limited to 'doc')

| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 14 |
|---|---|---|
| -rw-r--r-- | doc/doc-txt/ChangeLog | 13 |

2 files changed, 22 insertions, 5 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 37bfeb3f3..ab13a427b 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -25761,7 +25761,11 @@ See &<<SECTresumption>>& for details. .cindex "TLS" SNI .cindex SNI "setting in client" .vindex "&$tls_sni$&" -If this option is set then it sets the $tls_out_sni variable and causes any +If this option is set +.new +and the connection is not DANE-validated +.wen +then it sets the $tls_out_sni variable and causes any TLS session to pass this value as the Server Name Indication extension to the remote side, which can be used by the remote side to select an appropriate certificate and private key for the session. @@ -29395,6 +29399,11 @@ nothing more to it. Choosing a sensible value not derived insecurely is the only point of caution. The &$tls_out_sni$& variable will be set to this string for the lifetime of the client connection (including during authentication). +.new +If DAVE validated the connection attempt then the value of the &%tls_sni%& option +is forced to the domain part of the recipient address. +.wen + Except during SMTP client sessions, if &$tls_in_sni$& is set then it is a string received from a client. It can be logged with the &%log_selector%& item &`+tls_sni`&. @@ -29692,7 +29701,7 @@ by (a) is thought to be smaller than that of the set of root CAs. It also allows the server to declare (implicitly) that connections to it should use TLS. An MITM could simply fail to pass on a server's STARTTLS. -DANE scales better than having to maintain (and side-channel communicate) copies of server certificates +DANE scales better than having to maintain (and communicate via side-channel) copies of server certificates for every possible target server. It also scales (slightly) better than having to maintain on an SMTP client a copy of the standard CAs bundle. It also means not having to pay a CA for certificates. 
@@ -29837,6 +29846,7 @@ If DANE is requested and useable (see above) the following transport options are tls_verify_certificates tls_crl tls_verify_cert_hostnames + tls_sni .endd If DANE is not usable, whether requested or not, and CA-anchored diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 8c4126e89..eb64e0abf 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -100,9 +100,16 @@ JH/20 Bug 2631: ACL dnslist conditions now ignore and log any lookups returns not in 127.0.0.0/8 to help in spotting list domains taken over by a domain-parking registrar. -JH/21 Bug 2630: Fix trace eol-replacement string for the ${readsocket } - expansion. Previously when a whitespace character was specified it - was not inserted after removing the newline. +JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion. + Previously when a whitespace character was specified it was not inserted + after removing the newline. + +JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be + the domain part of the recipient address. This overrides any tls_sni + option set, which was previously used. + +JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI + in quotes. Exim version 4.94 |
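Review bot: in the spec.xfpt hunk at @@ -25761 the rewritten line `+then it sets the $tls_out_sni variable and causes any` keeps the bare `$tls_out_sni`, while the rest of this file (including the @@ -29395 hunk) writes variables as `&$tls_out_sni$&`; since the line is being replaced anyway, use the marked-up form. The DANE-validated case is described here only by omission ("and the connection is not DANE-validated"); a cross-reference to the paragraph added at @@ -29395 would tell the reader what SNI value is sent instead.

Review bot: typo in the spec.xfpt hunk at @@ -29395: `+If DAVE validated the connection attempt then the value of the &%tls_sni%& option` should say `DANE`, and this is user-facing documentation of the new behaviour. The same sentence says the option's value is forced, whereas the @@ -25761 hunk says the option is simply not applied on DANE-validated connections; stating that the SNI sent (and &$tls_out_sni$&) is forced to the domain part of the recipient address regardless of the option would agree with both that paragraph and ChangeLog entry JH/22.

Review bot: the wording change in the spec.xfpt hunk at @@ -29692 (`(and side-channel communicate)` to `(and communicate via side-channel)`) is unrelated to Bug 2265 and would be cleaner as its own commit; if it stays, `via a side channel` reads better than `via side-channel`.

Review bot: the spec.xfpt hunk at @@ -29837 adds `+ tls_sni` to the list with tls_verify_certificates, tls_crl and tls_verify_cert_hostnames; the introductory sentence for that list is cut off in this view, but since the @@ -29395 hunk says the value is forced to the recipient domain rather than just ignored, a short parenthetical such as `tls_sni (forced to the recipient domain)` would make the DANE behaviour clear at the point where the list is read.

Review bot: in the ChangeLog hunk at @@ -100 the new JH/22 entry presents the change as the fix for Bug 2265, while the commit message says "this is not a complete fix for the issue"; a qualifier in the entry would stop operators from assuming the bug is closed. The JH/21 rewording and the JH/23 logging entry are unrelated to Bug 2265 and are bundled into this commit, and JH/23 describes a logging change that does not appear in this doc-only view of the diff, so check that the matching source change is part of the same commit or release.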