authorJeremy Harris <jgh146exb@wizmail.org>2015-03-24 15:32:08 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2015-03-24 15:32:08 +0000
commitbf7aabb41b04efb076bed9de84b15b03f3006073 (patch)
treee1364a4cac4cad8722d2abff7d61175c52ac82fc /src
parentb8bf753b7092246e03152e934d7e92c5db80dca1 (diff)
Fix default-port TLSA lookup done by callout. Bug 1602
Diffstat (limited to 'src')
-rw-r--r--src/src/transports/smtp.c9
-rw-r--r--src/src/verify.c66
2 files changed, 39 insertions, 36 deletions
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 3c983220d..6a8fbc439 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1450,11 +1450,12 @@ if (continue_hostname == NULL)
if (host->dnssec == DS_YES)
{
- if( dane_required
- || verify_check_given_host(&ob->hosts_try_dane, host) == OK
+ if( ( dane_required
+ || verify_check_given_host(&ob->hosts_try_dane, host) == OK
+ )
+ && (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK
)
- if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK)
- return rc;
+ return rc;
}
else if (dane_required)
{
diff --git a/src/src/verify.c b/src/src/verify.c
index d85ef3b4f..678ee6315 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -575,9 +575,10 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount.
deliver_domain = addr->domain;
transport_name = addr->transport->name;
- if (!smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
- US"callout") ||
- !smtp_get_port(tf->port, addr, &port, US"callout"))
+ if ( !smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
+ US"callout")
+ || !smtp_get_port(tf->port, addr, &port, US"callout")
+ )
log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
addr->message);
@@ -588,35 +589,6 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount.
HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", interface, port);
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
- {
- int rc;
-
- tls_out.dane_verified = FALSE;
- tls_out.tlsa_usage = 0;
-
- dane_required =
- verify_check_given_host(&ob->hosts_require_dane, host) == OK;
-
- if (host->dnssec == DS_YES)
- {
- if( dane_required
- || verify_check_given_host(&ob->hosts_try_dane, host) == OK
- )
- if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK)
- return rc;
- }
- else if (dane_required)
- {
- log_write(0, LOG_MAIN, "DANE error: %s lookup not DNSSEC", host->name);
- return FAIL;
- }
-
- if (dane)
- ob->tls_tempfail_tryclear = FALSE;
- }
-#endif /*DANE*/
-
/* Set up the buffer for reading SMTP response packets. */
inblock.buffer = inbuffer;
@@ -653,6 +625,36 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount.
continue;
}
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
+ {
+ int rc;
+
+ tls_out.dane_verified = FALSE;
+ tls_out.tlsa_usage = 0;
+
+ dane_required =
+ verify_check_given_host(&ob->hosts_require_dane, host) == OK;
+
+ if (host->dnssec == DS_YES)
+ {
+ if( ( dane_required
+ || verify_check_given_host(&ob->hosts_try_dane, host) == OK
+ )
+ && (rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK
+ )
+ return rc;
+ }
+ else if (dane_required)
+ {
+ log_write(0, LOG_MAIN, "DANE error: %s lookup not DNSSEC", host->name);
+ return FAIL;
+ }
+
+ if (dane)
+ ob->tls_tempfail_tryclear = FALSE;
+ }
+#endif /*DANE*/
+
/* Expand the helo_data string to find the host name to use. */
if (tf->helo_data != NULL)
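Review bot: The `dane` flag passed to `tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)` is not reset now that this block runs once per host, whereas `tls_out.dane_verified` and `tls_out.tlsa_usage` are; if `tlsa_lookup` only sets `dane` on a positive result (its body is not visible here), a later host with no TLSA records could inherit `dane == TRUE` from an earlier host in the loop. Adding `dane = FALSE;` next to the two `tls_out` resets makes the per-host state explicit and cheap. Note also that `ob->tls_tempfail_tryclear = FALSE` writes into the transport's shared options block, so once any host triggers it the setting presumably stays off for the remaining hosts of this callout and for later callouts through the same transport — worth confirming that is intended, since a local flag would avoid it. The host loop and the callout function enclosing this block both start before and end after the hunk.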