diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2015-03-24 15:32:08 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2015-03-24 15:32:08 +0000 |
commit | bf7aabb41b04efb076bed9de84b15b03f3006073 (patch) | |
tree | e1364a4cac4cad8722d2abff7d61175c52ac82fc /src | |
parent | b8bf753b7092246e03152e934d7e92c5db80dca1 (diff) |
Fix default-port TLSA lookup done by callout. Bug 1602
Diffstat (limited to 'src')
-rw-r--r-- | src/src/transports/smtp.c | 9 | ||||
-rw-r--r-- | src/src/verify.c | 66 |
2 files changed, 39 insertions, 36 deletions
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 3c983220d..6a8fbc439 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -1450,11 +1450,12 @@ if (continue_hostname == NULL) if (host->dnssec == DS_YES) { - if( dane_required - || verify_check_given_host(&ob->hosts_try_dane, host) == OK + if( ( dane_required + || verify_check_given_host(&ob->hosts_try_dane, host) == OK + ) + && (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK ) - if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK) - return rc; + return rc; } else if (dane_required) { diff --git a/src/src/verify.c b/src/src/verify.c index d85ef3b4f..678ee6315 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -575,9 +575,10 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount. deliver_domain = addr->domain; transport_name = addr->transport->name; - if (!smtp_get_interface(tf->interface, host_af, addr, NULL, &interface, - US"callout") || - !smtp_get_port(tf->port, addr, &port, US"callout")) + if ( !smtp_get_interface(tf->interface, host_af, addr, NULL, &interface, + US"callout") + || !smtp_get_port(tf->port, addr, &port, US"callout") + ) log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address, addr->message); @@ -588,35 +589,6 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount. HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", interface, port); -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE) - { - int rc; - - tls_out.dane_verified = FALSE; - tls_out.tlsa_usage = 0; - - dane_required = - verify_check_given_host(&ob->hosts_require_dane, host) == OK; - - if (host->dnssec == DS_YES) - { - if( dane_required - || verify_check_given_host(&ob->hosts_try_dane, host) == OK - ) - if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK) - return rc; - } - else if (dane_required) - { - log_write(0, LOG_MAIN, "DANE error: %s lookup not DNSSEC", host->name); - return FAIL; - } - - if (dane) - ob->tls_tempfail_tryclear = FALSE; - } -#endif /*DANE*/ - /* Set up the buffer for reading SMTP response packets. */ inblock.buffer = inbuffer; @@ -653,6 +625,36 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount. continue; } +#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE) + { + int rc; + + tls_out.dane_verified = FALSE; + tls_out.tlsa_usage = 0; + + dane_required = + verify_check_given_host(&ob->hosts_require_dane, host) == OK; + + if (host->dnssec == DS_YES) + { + if( ( dane_required + || verify_check_given_host(&ob->hosts_try_dane, host) == OK + ) + && (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK + ) + return rc; + } + else if (dane_required) + { + log_write(0, LOG_MAIN, "DANE error: %s lookup not DNSSEC", host->name); + return FAIL; + } + + if (dane) + ob->tls_tempfail_tryclear = FALSE; + } +#endif /*DANE*/ + /* Expand the helo_data string to find the host name to use. */ if (tf->helo_data != NULL) |