diff options
-rw-r--r-- | doc/doc-txt/experimental-spec.txt | 35 | ||||
-rw-r--r-- | src/src/EDITME | 5 | ||||
-rw-r--r-- | src/src/acl.c | 18 | ||||
-rw-r--r-- | src/src/child.c | 16 | ||||
-rw-r--r-- | src/src/config.h.defaults | 1 | ||||
-rw-r--r-- | src/src/deliver.c | 5 | ||||
-rw-r--r-- | src/src/exim.c | 13 | ||||
-rw-r--r-- | src/src/expand.c | 3 | ||||
-rw-r--r-- | src/src/globals.c | 5 | ||||
-rw-r--r-- | src/src/globals.h | 5 | ||||
-rw-r--r-- | src/src/macro_predef.c | 3 | ||||
-rw-r--r-- | src/src/macros.h | 11 | ||||
-rw-r--r-- | src/src/readconf.c | 3 | ||||
-rw-r--r-- | src/src/smtp_in.c | 60 | ||||
-rw-r--r-- | src/src/spool_in.c | 7 | ||||
-rw-r--r-- | src/src/spool_out.c | 4 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 67 | ||||
-rw-r--r-- | src/src/verify.c | 7 | ||||
-rw-r--r-- | test/confs/5910 | 136 | ||||
-rw-r--r-- | test/log/5910 | 23 | ||||
-rw-r--r-- | test/mail/5910.dump | 20 | ||||
-rw-r--r-- | test/scripts/5910-REQUIRETLS/5910 | 64 | ||||
-rw-r--r-- | test/scripts/5910-REQUIRETLS/5911 | 125 | ||||
-rw-r--r-- | test/scripts/5910-REQUIRETLS/5912 | 37 | ||||
-rw-r--r-- | test/scripts/5910-REQUIRETLS/REQUIRES | 2 | ||||
-rw-r--r-- | test/stderr/4052 | 6 | ||||
-rw-r--r-- | test/stdout/5910 | 60 |
27 files changed, 9 insertions, 732 deletions
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 84fd54716..9b472c080 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -871,41 +871,6 @@ used via the transport in question. -REQUIRETLS support ------------------- -Ref: https://tools.ietf.org/html/draft-ietf-uta-smtp-require-tls-03 - -If compiled with EXPERIMENTAL_REQUIRETLS support is included for this -feature, where a REQUIRETLS option is added to the MAIL command. -The client may not retry in clear if the MAIL+REQUIRETLS fails (or was never -offered), and the server accepts an obligation that any onward transmission -by SMTP of the messages accepted will also use REQUIRETLS - or generate a -fail DSN. - -The Exim implementation includes -- a main-part option tls_advertise_requiretls; host list, default "*" -- an observability variable $requiretls returning yes/no -- an ACL "control = requiretls" modifier for setting the requirement -- Log lines and Received: headers capitalise the S in the protocol - element: "P=esmtpS" - -Differences from spec: -- we support upgrading the requirement for REQUIRETLS, including adding - it from cold, within an MTA. The spec only define the sourcing MUA - as being able to source the requirement, and makes no mention of upgrade. -- No support is coded for the RequireTLS header (which can be used - to annul DANE and/or STS policiy). [this can _almost_ be done in - transport option expansions, but not quite: it requires tha DANE-present - but STARTTLS-failing targets fallback to cleartext, which current DANE - coding specifically blocks] - -Note that REQUIRETLS is only advertised once a TLS connection is achieved -(in contrast to STARTTLS). If you want to check the advertising, do something -like "swaks -s 127.0.0.1 -tls -q HELO". - - - - Early pipelining support ------------------------ Ref: https://datatracker.ietf.org/doc/draft-harris-early-pipe/ diff --git a/src/src/EDITME b/src/src/EDITME index a5bc8d0aa..43cf13c81 100644 --- a/src/src/EDITME +++ b/src/src/EDITME @@ -514,11 +514,6 @@ DISABLE_MAL_MKS=yes # Uncomment the following line to add queuefile transport support # EXPERIMENTAL_QUEUEFILE=yes -# Uncomment the following to add REQUIRETLS support. -# You must also have SUPPORT_TLS enabled. -# Ref: https://datatracker.ietf.org/doc/draft-fenton-smtp-require-tls -# EXPERIMENTAL_REQUIRETLS=yes - ############################################################################### # THESE ARE THINGS YOU MIGHT WANT TO SPECIFY # ############################################################################### diff --git a/src/src/acl.c b/src/src/acl.c index 8fbd2250f..6168187ec 100644 --- a/src/src/acl.c +++ b/src/src/acl.c @@ -367,9 +367,6 @@ enum { CONTROL_NO_PIPELINING, CONTROL_QUEUE_ONLY, -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) - CONTROL_REQUIRETLS, -#endif CONTROL_SUBMISSION, CONTROL_SUPPRESS_LOCAL_FIXUPS, #ifdef SUPPORT_I18N @@ -515,16 +512,6 @@ static control_def controls_list[] = { }, -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) -[CONTROL_REQUIRETLS] = - { US"requiretls", FALSE, - (unsigned) - ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA | - ACL_BIT_DATA | ACL_BIT_MIME | - ACL_BIT_NOTSMTP) - }, -#endif - [CONTROL_SUBMISSION] = { US"submission", TRUE, (unsigned) @@ -3168,11 +3155,6 @@ for (; cb; cb = cb->next) cancel_cutthrough_connection(TRUE, US"queueing forced"); break; -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) - case CONTROL_REQUIRETLS: - tls_requiretls |= REQUIRETLS_MSG; - break; -#endif case CONTROL_SUBMISSION: originator_name = US""; f.submission_mode = TRUE; diff --git a/src/src/child.c b/src/src/child.c index 2262678eb..e53e448ed 100644 --- a/src/src/child.c +++ b/src/src/child.c @@ -10,10 +10,6 @@ static void (*oldsignal)(int); -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) -static uschar tls_requiretls_copy = 0; -#endif - /************************************************* * Ensure an fd has a given value * @@ -79,10 +75,6 @@ int n = 0; int extra = pcount ? *pcount : 0; uschar **argv; -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) -if (tls_requiretls) extra++; -#endif - argv = store_get((extra + acount + MAX_CLMACROS + 18) * sizeof(char *)); /* In all case, the list starts out with the path, any macros, and a changed @@ -129,11 +121,6 @@ if (!minimal) } } -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) -if (tls_requiretls_copy & REQUIRETLS_MSG) - argv[n++] = US"-MS"; -#endif - /* Now add in any others that are in the call. Remember which they were, for more helpful diagnosis on failure. */ @@ -243,9 +230,6 @@ occur. */ if (pid == 0) { -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) - tls_requiretls_copy = tls_requiretls; -#endif force_fd(pfd[pipe_read], 0); (void)close(pfd[pipe_write]); if (debug_fd > 0) force_fd(debug_fd, 2); diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults index 55688295d..dc69e2f89 100644 --- a/src/src/config.h.defaults +++ b/src/src/config.h.defaults @@ -201,7 +201,6 @@ Do not put spaces between # and the 'define'. #define DMARC_TLD_FILE "/etc/exim/opendmarc.tlds" #define EXPERIMENTAL_LMDB #define EXPERIMENTAL_PIPE_CONNECT -#define EXPERIMENTAL_REQUIRETLS #define EXPERIMENTAL_QUEUEFILE #define EXPERIMENTAL_SRS diff --git a/src/src/deliver.c b/src/src/deliver.c index 071187942..c1396a7f7 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -8507,11 +8507,6 @@ if (!regex_AUTH) regex_AUTH = #ifdef SUPPORT_TLS if (!regex_STARTTLS) regex_STARTTLS = regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE); - -# ifdef EXPERIMENTAL_REQUIRETLS -if (!regex_REQUIRETLS) regex_REQUIRETLS = - regex_must_compile(US"\\n250[\\s\\-]REQUIRETLS(\\s|\\n|$)", FALSE, TRUE); -# endif #endif if (!regex_CHUNKING) regex_CHUNKING = diff --git a/src/src/exim.c b/src/src/exim.c index 8e700f711..7c9aa0e3f 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -903,9 +903,6 @@ fprintf(fp, "Support for:"); #ifdef EXPERIMENTAL_DSN_INFO fprintf(fp, " Experimental_DSN_info"); #endif -#ifdef EXPERIMENTAL_REQUIRETLS - fprintf(fp, " Experimental_REQUIRETLS"); -#endif #ifdef EXPERIMENTAL_PIPE_CONNECT fprintf(fp, " Experimental_PIPE_CONNECT"); #endif @@ -2710,16 +2707,6 @@ for (i = 1; i < argc; i++) break; } -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) - /* -MS set REQUIRETLS on (new) message */ - - else if (*argrest == 'S') - { - tls_requiretls |= REQUIRETLS_MSG; - break; - } -#endif - /* -M[x]: various operations on the following list of message ids: -M deliver the messages, ignoring next retry times and thawing -Mc deliver the messages, checking next retry times, no thawing diff --git a/src/src/expand.c b/src/src/expand.c index d395436fa..2fc3a81f1 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -668,9 +668,6 @@ static var_entry var_table[] = { { "regex_match_string", vtype_stringptr, ®ex_match_string }, #endif { "reply_address", vtype_reply, NULL }, -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) - { "requiretls", vtype_bool, &tls_requiretls }, -#endif { "return_path", vtype_stringptr, &return_path }, { "return_size_limit", vtype_int, &bounce_return_size_limit }, { "router_name", vtype_stringptr, &router_name }, diff --git a/src/src/globals.c b/src/src/globals.c index 94fab000d..f52ae92ce 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -161,11 +161,6 @@ uschar *tls_ocsp_file = NULL; uschar *tls_privatekey = NULL; BOOL tls_remember_esmtp = FALSE; uschar *tls_require_ciphers = NULL; -# ifdef EXPERIMENTAL_REQUIRETLS -uschar tls_requiretls = 0; /* REQUIRETLS_MSG etc. bit #defines */ -uschar *tls_advertise_requiretls = US"*"; -const pcre *regex_REQUIRETLS = NULL; -# endif uschar *tls_try_verify_hosts = NULL; uschar *tls_verify_certificates= US"system"; uschar *tls_verify_hosts = NULL; diff --git a/src/src/globals.h b/src/src/globals.h index 12cc1af56..a0c1977a2 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -122,11 +122,6 @@ extern uschar *tls_eccurve; /* EC curve */ extern uschar *tls_ocsp_file; /* OCSP stapling proof file */ # endif extern uschar *tls_privatekey; /* Private key file */ -# ifdef EXPERIMENTAL_REQUIRETLS -extern uschar tls_requiretls; /* REQUIRETLS active for this message */ -extern uschar *tls_advertise_requiretls; /* hosts for which REQUIRETLS adv */ -extern const pcre *regex_REQUIRETLS; /* for recognising the command */ -# endif extern BOOL tls_remember_esmtp; /* For YAEB */ extern uschar *tls_require_ciphers; /* So some can be avoided */ extern uschar *tls_try_verify_hosts; /* Optional client verification */ diff --git a/src/src/macro_predef.c b/src/src/macro_predef.c index f92671ae2..86be52f54 100644 --- a/src/src/macro_predef.c +++ b/src/src/macro_predef.c @@ -197,9 +197,6 @@ due to conflicts with other common macros. */ #ifdef EXPERIMENTAL_DSN_INFO builtin_macro_create(US"_HAVE_DSN_INFO"); #endif -#ifdef EXPERIMENTAL_REQUIRETLS - builtin_macro_create(US"_HAVE_REQTLS"); -#endif #ifdef EXPERIMENTAL_PIPE_CONNECT builtin_macro_create(US"_HAVE_PIPE_CONNECT"); #endif diff --git a/src/src/macros.h b/src/src/macros.h index 759955019..a1dd99901 100644 --- a/src/src/macros.h +++ b/src/src/macros.h @@ -559,9 +559,7 @@ table exim_errstrings[] in log.c */ #ifdef SUPPORT_I18N # define ERRNO_UTF8_FWD (-49) /* target not supporting SMTPUTF8 */ #endif -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) -# define ERRNO_REQUIRETLS (-50) /* REQUIRETLS session not started */ -#endif + /* -50 free for re-use */ /* These must be last, so all retry deferments can easily be identified */ @@ -1029,12 +1027,7 @@ enum { FILTER_UNSET, FILTER_FORWARD, FILTER_EXIM, FILTER_SIEVE }; #define OPTION_PIPE BIT(5) #define OPTION_SIZE BIT(6) #define OPTION_CHUNKING BIT(7) -#define OPTION_REQUIRETLS BIT(8) -#define OPTION_EARLY_PIPE BIT(9) - -/* Codes for tls_requiretls requests (usually by sender) */ - -#define REQUIRETLS_MSG BIT(0) /* REQUIRETLS onward use */ +#define OPTION_EARLY_PIPE BIT(8) /* Argument for *_getc */ diff --git a/src/src/readconf.c b/src/src/readconf.c index eb6844222..71cdae899 100644 --- a/src/src/readconf.c +++ b/src/src/readconf.c @@ -355,9 +355,6 @@ static optionlist optionlist_config[] = { { "timezone", opt_stringptr, &timezone_string }, { "tls_advertise_hosts", opt_stringptr, &tls_advertise_hosts }, #ifdef SUPPORT_TLS -# ifdef EXPERIMENTAL_REQUIRETLS - { "tls_advertise_requiretls", opt_stringptr, &tls_advertise_requiretls }, -# endif { "tls_certificate", opt_stringptr, &tls_certificate }, { "tls_crl", opt_stringptr, &tls_crl }, { "tls_dh_max_bits", opt_int, &tls_dh_max_bits }, diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index b071298c7..b46f3e876 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -135,9 +135,6 @@ static struct { BOOL auth_advertised :1; #ifdef SUPPORT_TLS BOOL tls_advertised :1; -# ifdef EXPERIMENTAL_REQUIRETLS - BOOL requiretls_advertised :1; -# endif #endif BOOL dsn_advertised :1; BOOL esmtp :1; @@ -268,9 +265,6 @@ enum { #ifdef SUPPORT_I18N ENV_MAIL_OPT_UTF8, #endif -#ifdef EXPERIMENTAL_REQUIRETLS - ENV_MAIL_OPT_REQTLS, -#endif }; typedef struct { uschar * name; /* option requested during MAIL cmd */ @@ -290,10 +284,6 @@ static env_mail_type_t env_mail_type_list[] = { #ifdef SUPPORT_I18N { US"SMTPUTF8",ENV_MAIL_OPT_UTF8, FALSE }, /* rfc6531 */ #endif -#ifdef EXPERIMENTAL_REQUIRETLS - /* https://tools.ietf.org/html/draft-ietf-uta-smtp-require-tls-03 */ - { US"REQUIRETLS",ENV_MAIL_OPT_REQTLS, FALSE }, -#endif /* keep this the last entry */ { US"NULL", ENV_MAIL_OPT_NULL, FALSE }, }; @@ -2476,9 +2466,6 @@ tls_in.ourcert = tls_in.peercert = NULL; tls_in.sni = NULL; tls_in.ocsp = OCSP_NOT_REQ; fl.tls_advertised = FALSE; -# ifdef EXPERIMENTAL_REQUIRETLS -fl.requiretls_advertised = FALSE; -# endif #endif fl.dsn_advertised = FALSE; #ifdef SUPPORT_I18N @@ -4237,9 +4224,6 @@ while (done <= 0) f.smtp_in_pipelining_advertised = FALSE; #ifdef SUPPORT_TLS fl.tls_advertised = FALSE; -# ifdef EXPERIMENTAL_REQUIRETLS - fl.requiretls_advertised = FALSE; -# endif #endif fl.dsn_advertised = FALSE; #ifdef SUPPORT_I18N @@ -4439,17 +4423,6 @@ while (done <= 0) g = string_catn(g, US"-STARTTLS\r\n", 11); fl.tls_advertised = TRUE; } - -# ifdef EXPERIMENTAL_REQUIRETLS - /* Advertise REQUIRETLS only once we are in a secure connection */ - if ( tls_in.active.sock >= 0 - && verify_check_host(&tls_advertise_requiretls) != FAIL) - { - g = string_catn(g, smtp_code, 3); - g = string_catn(g, US"-REQUIRETLS\r\n", 13); - fl.requiretls_advertised = TRUE; - } -# endif #endif #ifndef DISABLE_PRDR @@ -4774,28 +4747,6 @@ while (done <= 0) break; #endif -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) - case ENV_MAIL_OPT_REQTLS: - { - uschar * r, * t; - - if (!fl.requiretls_advertised) - { - done = synprot_error(L_smtp_syntax_error, 555, NULL, - US"unadvertised MAIL option: REQUIRETLS"); - goto COMMAND_LOOP; - } - - DEBUG(D_receive) debug_printf("requiretls requested\n"); - tls_requiretls = REQUIRETLS_MSG; - - r = string_copy_malloc(received_protocol); - if ((t = Ustrrchr(r, 's'))) *t = 'S'; - received_protocol = r; - } - break; -#endif - /* No valid option. Stick back the terminator characters and break the loop. Do the name-terminator second as extract_option sets value==name when it found no equal-sign. @@ -4813,17 +4764,6 @@ while (done <= 0) if (arg_error) break; } -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) - if (tls_requiretls & REQUIRETLS_MSG) - { - /* Ensure headers-only bounces whether a RET option was given or not. */ - - DEBUG(D_receive) if (dsn_ret == dsn_ret_full) - debug_printf("requiretls override: dsn_ret_full -> dsn_ret_hdrs\n"); - dsn_ret = dsn_ret_hdrs; - } -#endif - /* If we have passed the threshold for rate limiting, apply the current delay, and update it for next time, provided this is a limited host. */ diff --git a/src/src/spool_in.c b/src/src/spool_in.c index c9f37abf1..786eb514e 100644 --- a/src/src/spool_in.c +++ b/src/src/spool_in.c @@ -286,9 +286,6 @@ tls_free_cert(&tls_in.peercert); tls_in.peerdn = NULL; tls_in.sni = NULL; tls_in.ocsp = OCSP_NOT_REQ; -# if defined(EXPERIMENTAL_REQUIRETLS) && !defined(COMPILE_UTILITY) -tls_requiretls = 0; -# endif #endif #ifdef WITH_CONTENT_SCAN @@ -670,10 +667,6 @@ for (;;) tls_in.sni = string_unprinting(string_copy(big_buffer + 9)); else if (Ustrncmp(q, "ocsp", 4) == 0) tls_in.ocsp = big_buffer[10] - '0'; -# if defined(EXPERIMENTAL_REQUIRETLS) && !defined(COMPILE_UTILITY) - else if (Ustrncmp(q, "requiretls", 10) == 0) - tls_requiretls = strtol(CS big_buffer+16, NULL, 0); -# endif } break; #endif diff --git a/src/src/spool_out.c b/src/src/spool_out.c index 8b227dedb..3970206cb 100644 --- a/src/src/spool_out.c +++ b/src/src/spool_out.c @@ -250,10 +250,6 @@ if (tls_in.ourcert) fprintf(fp, "-tls_ourcert %s\n", CS big_buffer); } if (tls_in.ocsp) fprintf(fp, "-tls_ocsp %d\n", tls_in.ocsp); - -# ifdef EXPERIMENTAL_REQUIRETLS -if (tls_requiretls) fprintf(fp, "-tls_requiretls 0x%x\n", tls_requiretls); -# endif #endif #ifdef SUPPORT_I18N diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 5fd278e1d..3558fa65c 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -992,7 +992,7 @@ if (pending_EHLO) ? &sx->ehlo_resp.cleartext_auths : &sx->ehlo_resp.crypted_auths; peer_offered = ehlo_response(sx->buffer, - (tls_out.active.sock < 0 ? OPTION_TLS : OPTION_REQUIRETLS) + (tls_out.active.sock < 0 ? OPTION_TLS : 0) | OPTION_CHUNKING | OPTION_PRDR | OPTION_DSN | OPTION_PIPE | OPTION_SIZE | OPTION_UTF8 | OPTION_EARLY_PIPE ); @@ -1749,12 +1749,6 @@ size_t bsize = Ustrlen(buf); /* debug_printf("%s: check for 0x%04x\n", __FUNCTION__, checks); */ #ifdef SUPPORT_TLS -# ifdef EXPERIMENTAL_REQUIRETLS -if ( checks & OPTION_REQUIRETLS - && pcre_exec(regex_REQUIRETLS, NULL, CS buf,bsize, 0, PCRE_EOPT, NULL,0) < 0) -# endif - checks &= ~OPTION_REQUIRETLS; - if ( checks & OPTION_TLS && pcre_exec(regex_STARTTLS, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0) #endif @@ -2644,17 +2638,10 @@ else if ( sx->smtps # ifdef SUPPORT_DANE || sx->conn_args.dane # endif -# ifdef EXPERIMENTAL_REQUIRETLS - || tls_requiretls & REQUIRETLS_MSG -# endif || verify_check_given_host(CUSS &ob->hosts_require_tls, sx->conn_args.host) == OK ) { - errno = -# ifdef EXPERIMENTAL_REQUIRETLS - tls_requiretls & REQUIRETLS_MSG ? ERRNO_REQUIRETLS : -# endif - ERRNO_TLSREQUIRED; + errno = ERRNO_TLSREQUIRED; message = string_sprintf("a TLS session is required, but %s", smtp_peer_options & OPTION_TLS ? "an attempt to start TLS failed" : "the server did not offer TLS support"); @@ -2691,7 +2678,7 @@ if (continue_hostname == NULL #ifdef EXPERIMENTAL_PIPE_CONNECT | (sx->lmtp && ob->lmtp_ignore_quota ? OPTION_IGNQ : 0) | OPTION_DSN | OPTION_PIPE | OPTION_SIZE - | OPTION_CHUNKING | OPTION_PRDR | OPTION_UTF8 | OPTION_REQUIRETLS + | OPTION_CHUNKING | OPTION_PRDR | OPTION_UTF8 | (tls_out.active.sock >= 0 ? OPTION_EARLY_PIPE : 0) /* not for lmtp */ #else @@ -2707,9 +2694,6 @@ if (continue_hostname == NULL | OPTION_DSN | OPTION_PIPE | (ob->size_addition >= 0 ? OPTION_SIZE : 0) -# if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) - | (tls_requiretls & REQUIRETLS_MSG ? OPTION_REQUIRETLS : 0) -# endif #endif ); #ifdef EXPERIMENTAL_PIPE_CONNECT @@ -2760,16 +2744,6 @@ if (continue_hostname == NULL DEBUG(D_transport) debug_printf("%susing DSN\n", sx->peer_offered & OPTION_DSN ? "" : "not "); -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) - if (sx->peer_offered & OPTION_REQUIRETLS) - { - smtp_peer_options |= OPTION_REQUIRETLS; - DEBUG(D_transport) debug_printf( - tls_requiretls & REQUIRETLS_MSG - ? "using REQUIRETLS\n" : "REQUIRETLS offered\n"); - } -#endif - #ifdef EXPERIMENTAL_PIPE_CONNECT if ( sx->early_pipe_ok && !sx->early_pipe_active @@ -2855,22 +2829,6 @@ if (sx->utf8_needed && !(sx->peer_offered & OPTION_UTF8)) } #endif /*SUPPORT_I18N*/ -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) - /*XXX should tls_requiretls actually be per-addr? */ - -if ( tls_requiretls & REQUIRETLS_MSG - && !(sx->peer_offered & OPTION_REQUIRETLS) - ) - { - sx->setting_up = TRUE; - errno = ERRNO_REQUIRETLS; - message = US"REQUIRETLS support is required from the server" - " but it was not offered"; - DEBUG(D_transport) debug_printf("%s\n", message); - goto TLS_FAILED; - } -#endif - return OK; @@ -2907,13 +2865,7 @@ return OK; #ifdef SUPPORT_TLS TLS_FAILED: -# ifdef EXPERIMENTAL_REQUIRETLS - if (errno == ERRNO_REQUIRETLS) - code = '5', yield = FAIL; - /*XXX DSN will be labelled 500; prefer 530 5.7.4 */ - else -# endif - code = '4', yield = DEFER; + code = '4', yield = DEFER; goto FAILED; #endif @@ -3051,11 +3003,6 @@ if ( sx->peer_offered & OPTION_UTF8 Ustrcpy(p, " SMTPUTF8"), p += 9; #endif -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) -if (tls_requiretls & REQUIRETLS_MSG) - Ustrcpy(p, " REQUIRETLS") , p += 11; -#endif - /* check if all addresses have DSN-lasthop flag; do not send RET and ENVID if so */ for (sx->dsn_all_lasthop = TRUE, addr = addrlist, address_count = 0; addr && address_count < sx->max_rcpt; @@ -4568,12 +4515,6 @@ same one in order to be passed to a single transport - or if the transport has a host list with hosts_override set, use the host list supplied with the transport. It is an error for this not to exist. */ -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) -if (tls_requiretls & REQUIRETLS_MSG) - ob->tls_tempfail_tryclear = FALSE; /*XXX surely we should have a local for this - rather than modifying the transport? */ -#endif - if (!hostlist || (ob->hosts_override && ob->hosts)) { if (!ob->hosts) diff --git a/src/src/verify.c b/src/src/verify.c index 43caac562..7bdfa8152 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -986,13 +986,6 @@ no_conn: } break; #endif -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) - case ERRNO_REQUIRETLS: - addr->user_message = US"530 5.7.4 REQUIRETLS support required"; - yield = FAIL; - done = TRUE; - break; -#endif case ECONNREFUSED: sx.send_quit = FALSE; break; diff --git a/test/confs/5910 b/test/confs/5910 deleted file mode 100644 index 55838b3db..000000000 --- a/test/confs/5910 +++ /dev/null @@ -1,136 +0,0 @@ -# Exim test configuration 5910 - -SERVER= - -# advertise REQUIRETLS unless commandline override -SRV= * -# set on commandline to add an extra rcpt-time acl condition -ACL= - -exim_path = EXIM_PATH -keep_environment = -host_lookup_order = bydns -spool_directory = DIR/spool - -.ifdef SERVER -log_file_path = DIR/spool/log/SERVER%slog -.else -log_file_path = DIR/spool/log/%slog -.endif - -gecos_pattern = "" -gecos_name = CALLER_NAME -chunking_advertise_hosts = -.ifdef _HAVE_PIPE_CONNECT -pipelining_connect_advertise_hosts = -.endif - -primary_hostname = myhost.test.ex - -# ----- Main settings ----- - -acl_smtp_mail = m -acl_smtp_rcpt = r -acl_not_smtp = n - -log_selector = +tls_peerdn +received_recipients - -queue_only -queue_run_in_order - -tls_advertise_hosts = * -tls_advertise_requiretls = SRV - -# Set certificate only if server - -tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} -tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail} - -#tls_verify_hosts = * -#tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} - - -# ----- ACL ----- - -begin acl - -m: - accept senders = : - deny condition = ${if eq {SERVER}{server}} - !sender_domains = test.ex : myhost.test.ex - accept - -r: - warn condition = ${if eq {SERVER}{server}} - logwrite = requiretls: $requiretls - -# define this to upgrade messages to REQUIRETLS -.ifdef OPT - warn - condition = ${if !bool{$requiretls}} - logwrite = upgrading - control = requiretls -.endif - accept ACL - -n: -.ifdef OPT - accept - condition = ${if !bool{$requiretls}} - logwrite = upgrading - control = requiretls -.endif - accept -# ----- Routers ----- - -begin routers - -bounces: - driver = redirect - condition = ${if !def:sender_address} - condition = ${if first_delivery} - data = :defer: - allow_defer - -final: - driver = accept - condition = ${if eq {$received_ip_address}{HOSTIPV4} {yes}{no}} - transport = file_a_bounce - -client: - driver = accept - transport = send_to_server - - -# ----- Transports ----- - -begin transports - -file_a_bounce: - driver = appendfile - delivery_date_add - envelope_to_add - file = DIR/test-mail/$local_part - return_path_add - user = CALLER - -send_to_server: - driver = smtp - allow_localhost - hosts = HOSTIPV4 - port = PORT_D - tls_certificate = DIR/aux-fixed/cert2 - tls_privatekey = DIR/aux-fixed/cert2 - tls_verify_certificates = DIR/aux-fixed/cert2 - tls_try_verify_hosts = : - - -# ----- Retry ----- - - -begin retry - -* * F,5d,10s - - -# End diff --git a/test/log/5910 b/test/log/5910 deleted file mode 100644 index e6357f29c..000000000 --- a/test/log/5910 +++ /dev/null @@ -1,23 +0,0 @@ -1999-03-02 09:44:33 Start queue run: pid=pppp -1999-03-02 09:44:33 10HmaX-0005vi-00 => dump@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS_proto_and_cipher CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00" -1999-03-02 09:44:33 10HmaX-0005vi-00 Completed -1999-03-02 09:44:33 End queue run: pid=pppp -1999-03-02 09:44:33 Start queue run: pid=pppp -1999-03-02 09:44:33 10HmaY-0005vi-00 => dump <dump@test.ex> R=final T=file_a_bounce -1999-03-02 09:44:33 10HmaY-0005vi-00 Completed -1999-03-02 09:44:33 End queue run: pid=pppp -1999-03-02 09:44:33 upgrading -1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-smtp S=sss for b@test.ex -1999-03-02 09:44:33 Start queue run: pid=pppp -1999-03-02 09:44:33 10HmaZ-0005vi-00 => b@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS_proto_and_cipher CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00" -1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed -1999-03-02 09:44:33 End queue run: pid=pppp - -******** SERVER ******** -1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D -1999-03-02 09:44:33 requiretls: yes -1999-03-02 09:44:33 10HmaX-0005vi-00 <= a@test.ex H=(test.ex) [127.0.0.1] P=esmtpS X=TLS_proto_and_cipher CV=no S=sss for dump@test.ex -1999-03-02 09:44:33 requiretls: yes -1999-03-02 09:44:33 10HmaY-0005vi-00 <= a@test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtpS X=TLS_proto_and_cipher CV=no S=sss for dump@test.ex -1999-03-02 09:44:33 requiretls: yes -1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtpS X=TLS_proto_and_cipher CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for b@test.ex diff --git a/test/mail/5910.dump b/test/mail/5910.dump deleted file mode 100644 index 08957f32f..000000000 --- a/test/mail/5910.dump +++ /dev/null @@ -1,20 +0,0 @@ -From a@test.ex Tue Mar 02 09:44:33 1999 -Return-path: <a@test.ex> -Envelope-to: dump@test.ex -Delivery-date: Tue, 2 Mar 1999 09:44:33 +0000 -Received: from the.local.host.name ([ip4.ip4.ip4.ip4] helo=myhost.test.ex) - by myhost.test.ex with esmtpS (TLS_proto_and_cipher) - (Exim x.yz) - (envelope-from <a@test.ex>) - id 10HmaY-0005vi-00 - for dump@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 -Received: from [127.0.0.1] (helo=test.ex) - by myhost.test.ex with esmtpS (TLS_proto_and_cipher) - (Exim x.yz) - (envelope-from <a@test.ex>) - id 10HmaX-0005vi-00 - for dump@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 -Subject: foo - -content - diff --git a/test/scripts/5910-REQUIRETLS/5910 b/test/scripts/5910-REQUIRETLS/5910 deleted file mode 100644 index d1bbb61cb..000000000 --- a/test/scripts/5910-REQUIRETLS/5910 +++ /dev/null @@ -1,64 +0,0 @@ -# REQUIRETLS basics -# -munge tls_anycipher -# -# Server advertises feature, onward transmission, observability -exim -DSERVER=server -bd -oX PORT_D -**** -# -client-ssl 127.0.0.1 PORT_D -??? 220 -EHLO test.ex -??? 250- -??? 250-SIZE -??? 250-8BITMIME -??? 250-PIPELINING -??? 250-STARTTLS -??? 250 HELP -STARTTLS -??? 220 -EHLO test.ex -??? 250- -??? 250-SIZE -??? 250-8BITMIME -??? 250-PIPELINING -??? 250-REQUIRETLS -??? 250 HELP -MAIL FROM:<a@test.ex> REQUIRETLS -??? 250 -RCPT TO:<dump@test.ex> -??? 250 -DATA -??? 354 -Subject: foo - -content -. -??? 250 -QUIT -??? 221 -**** -# -exim -q -**** -exim -q -**** -# -# -# upgrade in-MTA -exim -DOPT=y -bs -MAIL FROM:<a@test.ex> -RCPT TO:<b@test.ex> -DATA -Subject: foo - -content -. -QUIT -**** -# -exim -q -**** -# -killdaemon -no_msglog_check diff --git a/test/scripts/5910-REQUIRETLS/5911 b/test/scripts/5910-REQUIRETLS/5911 deleted file mode 100644 index c744d8ab5..000000000 --- a/test/scripts/5910-REQUIRETLS/5911 +++ /dev/null @@ -1,125 +0,0 @@ -# REQUIRETLS bounce cases -# -munge tls_anycipher -# -# Server does not offer STARTTLS -server PORT_D -220 Hi there -EHLO -250 wotcher -QUIT -*eof -**** -exim -DOPT=requiretls -odf -bs -MAIL FROM:<a@test.ex> -RCPT TO:<a@test.ex> -DATA - -. -QUIT -**** -# ... the resulting bounce must be delivered with REQUIRETLS -exim -DSERVER=server -bd -oX PORT_D -**** -exim -qf -**** -killdaemon -# -# -# Server does not offer REQUIRETLS -# Client message upgraded in-MTA for "require" -exim -DSERVER=server -DSRV='' -bd -oX PORT_D -**** -exim -DOPT=requiretls -odf -bs -MAIL FROM:<b@test.ex> -RCPT TO:<b@test.ex> -DATA - -. -QUIT -**** -exim -qf -**** -exim -qf -**** -killdaemon -# -# -# Server does not offer REQUIRETLS -# Client message received with REQUIRETLS -exim -DSERVER=server -bd -oX PORT_S -**** -client-ssl 127.0.0.1 PORT_S -??? 220 -EHLO test.ex -??? 250- -??? 250-SIZE -??? 250-8BITMIME -??? 250-PIPELINING -??? 250-STARTTLS -??? 250 HELP -STARTTLS -??? 220 -EHLO test.ex -??? 250- -??? 250-SIZE -??? 250-8BITMIME -??? 250-PIPELINING -??? 250-REQUIRETLS -??? 250 HELP -MAIL FROM:<b@test.ex> REQUIRETLS -??? 250 -RCPT TO:<d@test.ex> -??? 250 -DATA -??? 354 -Subject: foo - -content -. -??? 250 -QUIT -??? 221 -**** -killdaemon -exim -DSERVER=server -DSRV='' -bd -oX PORT_D -**** -exim -qf -**** -exim -qf -**** -killdaemon -# -# -# Server refuses MAIL -exim -DSERVER=server -bd -oX PORT_D -**** -sudo exim -DOPT=requiretls -odf -f a@serverrefusethis.ex c@test.ex - -**** -exim -qf -**** -exim -qf -**** -killdaemon -# -# Server does not advertise REQUIRETLS, client tries to use it anyway -exim -DSERVER=server -bd -oX PORT_D -**** -client-ssl 127.0.0.1 PORT_D -??? 220 -EHLO test.ex -??? 250- -??? 250-SIZE -??? 250-8BITMIME -??? 250-PIPELINING -??? 250-STARTTLS -??? 250 HELP -MAIL FROM:<d@test.ex> REQUIRETLS -??? 555 -QUIT -??? 221 -???*eof -**** -killdaemon -no_msglog_check diff --git a/test/scripts/5910-REQUIRETLS/5912 b/test/scripts/5910-REQUIRETLS/5912 deleted file mode 100644 index 87fe85e5b..000000000 --- a/test/scripts/5910-REQUIRETLS/5912 +++ /dev/null @@ -1,37 +0,0 @@ -# REQUIRETLS smtp-time fails -# Test these by having the MTA do a receipient-verify callout -# -# Server does not offer STARTTLS -server PORT_D -220 Hi there -EHLO -250 wotcher -QUIT -*eof -**** -exim -DOPT=requiretls -DACL=verify=recipient/callout -odf -bs -MAIL FROM:<CALLER@myhost.test.ex> -RCPT TO:<a@test.ex> -QUIT -**** -# -# Sever does not offer REQUIRETLS -exim -DSERVER=server -DSRV='' -bd -oX PORT_D -**** -exim -DOPT=requiretls -DACL=verify=recipient/callout -odf -bs -MAIL FROM:<CALLER@myhost.test.ex> -RCPT TO:<b@test.ex> -QUIT -**** -killdaemon -# -# Accepted callout -exim -DSERVER=server -bd -oX PORT_D -**** -exim -DOPT=requiretls -DACL=verify=recipient/callout -odf -bs -MAIL FROM:<CALLER@myhost.test.ex> -RCPT TO:<c@test.ex> -QUIT -**** -killdaemon -# diff --git a/test/scripts/5910-REQUIRETLS/REQUIRES b/test/scripts/5910-REQUIRETLS/REQUIRES deleted file mode 100644 index 963233532..000000000 --- a/test/scripts/5910-REQUIRETLS/REQUIRES +++ /dev/null @@ -1,2 +0,0 @@ -support Experimental_REQUIRETLS -running IPv4 diff --git a/test/stderr/4052 b/test/stderr/4052 index 3b9772c5c..7f0bc3474 100644 --- a/test/stderr/4052 +++ b/test/stderr/4052 @@ -19,7 +19,7 @@ no message retry record 127.0.0.1 [127.0.0.1]:1111 retry-status = usable delivering 10HmbG-0005vi-00 to 127.0.0.1 [127.0.0.1] (extchange@test.ex) Transport port=25 replaced by host-specific port=1225 -EHLO response bits from cache: cleartext 0x0220 crypted 0x0000 +EHLO response bits from cache: cleartext 0x0120 crypted 0x0000 Using cached cleartext PIPE_CONNECT SMTP>> EHLO the.local.host.name using PIPELINING @@ -38,8 +38,8 @@ smtp_reap_early_pipe expect ehlo 250-X_PIPE_CONNECT 250-STARTTLS 250 ok -EHLO cleartext extensions changed, 0x0220/0x0000 -> 0x0221/0x0000 -writing clr 0221/0000 cry 0000/0000 +EHLO cleartext extensions changed, 0x0120/0x0000 -> 0x0121/0x0000 +writing clr 0121/0000 cry 0000/0000 sync_responses expect mail SMTP<< 250 mail-from accepted sync_responses expect rcpt diff --git a/test/stdout/5910 b/test/stdout/5910 deleted file mode 100644 index 278b76d14..000000000 --- a/test/stdout/5910 +++ /dev/null @@ -1,60 +0,0 @@ -Connecting to 127.0.0.1 port 1225 ... connected -??? 220 -<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 ->>> EHLO test.ex -??? 250- -<<< 250-myhost.test.ex Hello test.ex [127.0.0.1] -??? 250-SIZE -<<< 250-SIZE 52428800 -??? 250-8BITMIME -<<< 250-8BITMIME -??? 250-PIPELINING -<<< 250-PIPELINING -??? 250-STARTTLS -<<< 250-STARTTLS -??? 250 HELP -<<< 250 HELP ->>> STARTTLS -??? 220 -<<< 220 TLS go ahead -Attempting to start TLS -SSL connection using ke-RSA-AES256-SHAnnn -Succeeded in starting TLS ->>> EHLO test.ex -??? 250- -<<< 250-myhost.test.ex Hello test.ex [127.0.0.1] -??? 250-SIZE -<<< 250-SIZE 52428800 -??? 250-8BITMIME -<<< 250-8BITMIME -??? 250-PIPELINING -<<< 250-PIPELINING -??? 250-REQUIRETLS -<<< 250-REQUIRETLS -??? 250 HELP -<<< 250 HELP ->>> MAIL FROM:<a@test.ex> REQUIRETLS -??? 250 -<<< 250 OK ->>> RCPT TO:<dump@test.ex> -??? 250 -<<< 250 Accepted ->>> DATA -??? 354 -<<< 354 Enter message, ending with "." on a line by itself ->>> Subject: foo ->>> ->>> content ->>> . -??? 250 -<<< 250 OK id=10HmaX-0005vi-00 ->>> QUIT -??? 221 -<<< 221 myhost.test.ex closing connection -End of script -220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
-250 OK
-250 Accepted
-354 Enter message, ending with "." on a line by itself
-250 OK id=10HmaZ-0005vi-00
-221 myhost.test.ex closing connection
|