summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/doc-docbook/spec.xfpt10
-rw-r--r--doc/doc-txt/NewStuff4
-rw-r--r--src/src/deliver.c22
-rw-r--r--src/src/globals.c1
-rw-r--r--src/src/macros.h13
-rw-r--r--src/src/receive.c11
-rw-r--r--src/src/smtp_in.c16
-rw-r--r--test/confs/480450
-rw-r--r--test/log/480419
-rw-r--r--test/scripts/4800-dnssec-dnslookup/480411
10 files changed, 131 insertions, 26 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index ba32403d6..736a45800 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -35528,6 +35528,7 @@ the following table:
&`CV `& certificate verification status
&`D `& duration of &"no mail in SMTP session"&
&`DN `& distinguished name from peer certificate
+&`DS `& DNSSEC secured lookups
&`DT `& on &`=>`& lines: time taken for a delivery
&`F `& sender address (on delivery lines)
&`H `& host name and IP address
@@ -35618,6 +35619,7 @@ selection marked by asterisks:
&` deliver_time `& time taken to perform delivery
&` delivery_size `& add &`S=`&&'nnn'& to => lines
&`*dnslist_defer `& defers of DNS list (aka RBL) lookups
+&` dnssec `& DNSSEC secured lookups
&`*etrn `& ETRN commands
&`*host_lookup_failed `& as it says
&` ident_timeout `& timeout for ident connection
@@ -35725,6 +35727,14 @@ the &"=>"& line, tagged with S=.
&%dnslist_defer%&: A log entry is written if an attempt to look up a host in a
DNS black list suffers a temporary error.
.next
+.cindex log dnssec
+.cindex dnssec logging
+&%dnssec%&: For message acceptance and (attempted) delivery log lines, when
+dns lookups gave secure results a tag of DS is added.
+For acceptance this covers the reverse and forward lookups for host name verification.
+It does not cover helo-name verification.
+For delivery this covers the SRV, MX, A and/or AAAA lookups.
+.next
.cindex "log" "ETRN commands"
.cindex "ETRN" "logging"
&%etrn%&: Every valid ETRN command that is received is logged, before the ACL
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 07e6f1dba..659c830bd 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -9,9 +9,11 @@ the documentation is updated, this file is reduced to a short list.
Version 4.88
------------
- 1. The new perl_tainmode option allows to run the embedded perl
+ 1. The new perl_taintmode option allows to run the embedded perl
interpreter in taint mode.
+ 2. New log_selector: dnssec, adds a "DS" tag to acceptance and delivery lines.
+
Version 4.87
------------
diff --git a/src/src/deliver.c b/src/src/deliver.c
index 743fc83e8..1421852aa 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -711,25 +711,31 @@ return s;
static uschar *
-d_hostlog(uschar *s, int *sizep, int *ptrp, address_item *addr)
+d_hostlog(uschar * s, int * sp, int * pp, address_item * addr)
{
-s = string_append(s, sizep, ptrp, 5, US" H=", addr->host_used->name,
- US" [", addr->host_used->address, US"]");
+host_item * h = addr->host_used;
+
+s = string_append(s, sp, pp, 2, US" H=", h->name);
+
+if (LOGGING(dnssec) && h->dnssec == DS_YES)
+ s = string_cat(s, sp, pp, US" DS");
+
+s = string_append(s, sp, pp, 3, US" [", h->address, US"]");
+
if (LOGGING(outgoing_port))
- s = string_append(s, sizep, ptrp, 2, US":", string_sprintf("%d",
- addr->host_used->port));
+ s = string_append(s, sp, pp, 2, US":", string_sprintf("%d", h->port));
#ifdef SUPPORT_SOCKS
if (LOGGING(proxy) && proxy_local_address)
{
- s = string_append(s, sizep, ptrp, 3, US" PRX=[", proxy_local_address, US"]");
+ s = string_append(s, sp, pp, 3, US" PRX=[", proxy_local_address, US"]");
if (LOGGING(outgoing_port))
- s = string_append(s, sizep, ptrp, 2, US":", string_sprintf("%d",
+ s = string_append(s, sp, pp, 2, US":", string_sprintf("%d",
proxy_local_port));
}
#endif
-return d_log_interface(s, sizep, ptrp);
+return d_log_interface(s, sp, pp);
}
diff --git a/src/src/globals.c b/src/src/globals.c
index be1fae849..0586fdd98 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -864,6 +864,7 @@ bit_table log_options[] = { /* must be in alphabetical order */
BIT_TABLE(L, deliver_time),
BIT_TABLE(L, delivery_size),
BIT_TABLE(L, dnslist_defer),
+ BIT_TABLE(L, dnssec),
BIT_TABLE(L, etrn),
BIT_TABLE(L, host_lookup_failed),
BIT_TABLE(L, ident_timeout),
diff --git a/src/src/macros.h b/src/src/macros.h
index 275458b8f..53abeb5c2 100644
--- a/src/src/macros.h
+++ b/src/src/macros.h
@@ -446,15 +446,19 @@ enum {
LOG_BIT(smtp_protocol_error),
LOG_BIT(smtp_syntax_error),
- Li_acl_warn_skipped = BITWORDSIZE,
+ Li_8bitmime = BITWORDSIZE,
+ Li_acl_warn_skipped,
Li_arguments,
Li_deliver_time,
Li_delivery_size,
+ Li_dnssec,
Li_ident_timeout,
Li_incoming_interface,
Li_incoming_port,
+ Li_outgoing_interface,
Li_outgoing_port,
Li_pid,
+ Li_proxy,
Li_queue_time,
Li_queue_time_overall,
Li_received_sender,
@@ -464,6 +468,7 @@ enum {
Li_sender_on_delivery,
Li_sender_verify_fail,
Li_smtp_confirmation,
+ Li_smtp_mailauth,
Li_smtp_no_mail,
Li_subject,
Li_tls_certificate_verified,
@@ -471,12 +476,8 @@ enum {
Li_tls_peerdn,
Li_tls_sni,
Li_unknown_in_list,
- Li_8bitmime,
- Li_smtp_mailauth,
- Li_proxy,
- Li_outgoing_interface,
- log_selector_size = BITWORD(Li_outgoing_interface) + 1
+ log_selector_size = BITWORD(Li_unknown_in_list) + 1
};
#define LOGGING(opt) BIT_TEST(log_selector, log_selector_size, Li_##opt)
diff --git a/src/src/receive.c b/src/src/receive.c
index 2628570d8..92ec2cd87 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -1123,16 +1123,17 @@ Returns: the extended string
*/
static uschar *
-add_host_info_for_log(uschar *s, int *sizeptr, int *ptrptr)
+add_host_info_for_log(uschar * s, int * sizeptr, int * ptrptr)
{
-if (sender_fullhost != NULL)
+if (sender_fullhost)
{
+ if (LOGGING(dnssec) && sender_host_dnssec) /*XXX sender_helo_dnssec? */
+ s = string_cat(s, sizeptr, ptrptr, US" DS");
s = string_append(s, sizeptr, ptrptr, 2, US" H=", sender_fullhost);
if (LOGGING(incoming_interface) && interface_address != NULL)
{
- uschar *ss = string_sprintf(" I=[%s]:%d", interface_address,
- interface_port);
- s = string_cat(s, sizeptr, ptrptr, ss);
+ s = string_cat(s, sizeptr, ptrptr,
+ string_sprintf(" I=[%s]:%d", interface_address, interface_port));
}
}
if (sender_ident != NULL)
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 1398e620b..d66b59e30 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -2837,14 +2837,18 @@ is closing if required and return 2. */
if (log_reject_target != 0)
{
#ifdef SUPPORT_TLS
- uschar * s = s_tlslog(NULL, NULL, NULL);
- if (!s) s = US"";
+ uschar * tls = s_tlslog(NULL, NULL, NULL);
+ if (!tls) tls = US"";
#else
- uschar * s = US"";
+ uschar * tls = US"";
#endif
- log_write(0, log_reject_target, "%s%s %s%srejected %s%s",
- host_and_ident(TRUE), s,
- sender_info, (rc == FAIL)? US"" : US"temporarily ", what, log_msg);
+ log_write(0, log_reject_target, "%s%s%s %s%srejected %s%s",
+ LOGGING(dnssec) && sender_host_dnssec ? US" DS" : US"",
+ host_and_ident(TRUE),
+ tls,
+ sender_info,
+ rc == FAIL ? US"" : US"temporarily ",
+ what, log_msg);
}
if (!drop) return 0;
diff --git a/test/confs/4804 b/test/confs/4804
new file mode 100644
index 000000000..a1ba90dd1
--- /dev/null
+++ b/test/confs/4804
@@ -0,0 +1,50 @@
+# Exim test configuration 4804
+
+SERVER=
+OPT=
+
+exim_path = EXIM_PATH
+keep_environment =
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+timezone = UTC
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+log_selector = OPT
+tls_advertise_hosts = :
+
+# ------ ACL ------
+
+begin acl
+
+# ----- Routers -----
+
+begin routers
+
+server:
+ condition = ${if eq {SERVER}{server} {yes}{no}}
+ driver = redirect
+ data = :blackhole:
+
+client:
+ driver = dnslookup
+ dnssec_request_domains = *
+ self = send
+ transport = send_to_server
+
+# ----- Transports -----
+
+begin transports
+
+send_to_server:
+ driver = smtp
+ port = PORT_D
+
+# End
diff --git a/test/log/4804 b/test/log/4804
new file mode 100644
index 000000000..c7ae7058e
--- /dev/null
+++ b/test/log/4804
@@ -0,0 +1,19 @@
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <nologging@l-sec.test.ex> R=server
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaX-0005vi-00 => nologging@l-sec.test.ex R=client T=send_to_server H=l-sec.test.ex [127.0.0.1] C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaZ-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <withlogging@l-sec.test.ex> R=server
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => withlogging@l-sec.test.ex R=client T=send_to_server H=l-sec.test.ex DS [127.0.0.1] C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmbB-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: <withlogging@thishost.test.ex> R=server
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 => withlogging@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
diff --git a/test/scripts/4800-dnssec-dnslookup/4804 b/test/scripts/4800-dnssec-dnslookup/4804
new file mode 100644
index 000000000..ea4f2dec0
--- /dev/null
+++ b/test/scripts/4800-dnssec-dnslookup/4804
@@ -0,0 +1,11 @@
+# dnssec log_selector (client)
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim -DOPT= -odf nologging@l-sec.test.ex
+****
+exim -DOPT=+dnssec -odf withlogging@l-sec.test.ex
+****
+exim -DOPT=+dnssec -odf withlogging@thishost.test.ex
+****
+killdaemon
+no_msglog_check