-rw-r--r-- | src/src/smtp_out.c | 2 | ||||
-rw-r--r-- | src/src/transport.c | 6 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 26 | ||||
-rw-r--r-- | test/stderr/2013 | 4 | ||||
-rw-r--r-- | test/stderr/2113 | 4 | ||||
-rw-r--r-- | test/stderr/2135 | 1 |
6 files changed, 16 insertions, 27 deletions
diff --git a/src/src/smtp_out.c b/src/src/smtp_out.c
index 86c3e4127..c4c409677 100644
--- a/src/src/smtp_out.c
+++ b/src/src/smtp_out.c
@@ -375,7 +375,7 @@ smtp_port_for_connect(host_item * host, int port)
 {
 if (host->port != PORT_NONE)
   {
-  HDEBUG(D_transport|D_acl|D_v)
+  HDEBUG(D_transport|D_acl|D_v) if (port != host->port)
     debug_printf_indent("Transport port=%d replaced by host-specific port=%d\n",
       port, host->port);
   port = host->port;
diff --git a/src/src/transport.c b/src/src/transport.c
index fd8da0f08..c2062e633 100644
--- a/src/src/transport.c
+++ b/src/src/transport.c
@@ -1901,7 +1901,11 @@ if (smtp_peer_options & OPTION_TLS)
   if (tls_out.sni)
     {
-    argv[i++] = tls_out.dane_verified ? US"-MCr" : US"-MCs";
+    argv[i++] =
+#ifdef SUPPORT_DANE
+      tls_out.dane_verified ? US"-MCr" :
+#endif
+      US"-MCs";
     argv[i++] = tls_out.sni;
     }
   }
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index dfc1c767c..dcff355e1 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1989,8 +1989,6 @@ if (sx->smtps)
   }
 #endif
-#ifdef SUPPORT_DANE
-/*XXX new */
 /* If we have a proxied TLS connection, check usability for this message */
 if (continue_hostname && continue_proxy_cipher)
@@ -1998,8 +1996,10 @@ if (continue_hostname && continue_proxy_cipher)
   int rc;
   const uschar * sni = US"";
+#ifdef SUPPORT_DANE
   /* Check if the message will be DANE-verified; if so force its SNI */
+  tls_out.dane_verified = FALSE;
   smtp_port_for_connect(sx->conn_args.host, sx->port);
   if (  sx->conn_args.host->dnssec == DS_YES
      && (  sx->dane_required
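Review bot: The added `if (port != host->port)` is placed on the same line as `HDEBUG(D_transport|D_acl|D_v)`, which (if it expands to a bare `if`, as I believe Exim's DEBUG-family macros do) makes this two unbraced nested conditionals whose structure is invisible to a reader and to which any later `else` would bind unexpectedly. I would put the condition on its own line inside a braced macro body, `HDEBUG(D_transport|D_acl|D_v) { if (port != host->port) debug_printf_indent(...); }`, so the intent (only report an actual replacement, which the test/stderr changes confirm was the problem) is explicit. The rest of `smtp_port_for_connect` — its `else` branch and return — lies outside the hunk.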
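Review bot: Splitting a ternary across `#ifdef SUPPORT_DANE`/`#endif` in the middle of the `argv[i++] =` statement is hard to read and easy to break when the expression is next edited; the non-DANE build ends up with `argv[i++] = US"-MCs";` only after mentally deleting two lines. Choosing the flag into a local first keeps each build configuration a complete statement and gives a place to document that `-MCr` is what tells the child process the proxied connection was DANE-verified, which is a trust decision worth a comment. The enclosing function starts well before this hunk.
```c
    const uschar * dane_flag = US"-MCs";	/* continued TLS conn; SNI follows */
#ifdef SUPPORT_DANE
    /* -MCr tells the child the proxied connection was DANE-verified */
    if (tls_out.dane_verified) dane_flag = US"-MCr";
#endif
    argv[i++] = dane_flag;
    argv[i++] = tls_out.sni;
```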
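Review bot: The return value of `smtp_port_for_connect(sx->conn_args.host, sx->port)` is discarded in the second smtp.c hunk; from the smtp_out.c hunk above the function computes a port and prints a debug line, so unless its `else` branch (not shown) records the port into `host`, the call does nothing useful here — confirm, and either capture the result or add a comment such as `/* called for its side effect of fixing host->port before the DANE lookup */`. The new `tls_out.dane_verified = FALSE;` also deserves a one-line comment, e.g. `/* Clear any verified status left by the previous message on this proxied connection; transport.c chooses -MCr/-MCs from it */`, since the reset that used to happen at QUIT time is removed later in this commit and this line is now the only thing preventing stale state from being reported. The enclosing `if (continue_hostname && continue_proxy_cipher)` block opens before and continues after this hunk.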
@@ -2023,15 +2023,17 @@ if (continue_hostname && continue_proxy_cipher)
 # endif
     return rc;
     }
+#endif
-  /* If the SNI required for the new message differs from the existing conn
-  drop the connection to force a new one. */
+  /* If the SNI or the DANE status required for the new message differs from the
+  existing conn drop the connection to force a new one. */
   if (ob->tls_sni && !(sni = expand_cstring(ob->tls_sni)))
     log_write(0, LOG_MAIN|LOG_PANIC,
       "<%s>: failed to expand transport's tls_sni value: %s",
       sx->addrlist->address, expand_string_message);
+#ifdef SUPPORT_DANE
   if ( (continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni)
      && continue_proxy_dane == sx->conn_args.dane)
     {
@@ -2039,6 +2041,10 @@ if (continue_hostname && continue_proxy_cipher)
     if ((tls_out.dane_verified = continue_proxy_dane))
       sx->conn_args.host->dnssec = DS_YES;
     }
+#else
+  if ((continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni))
+    tls_out.sni = US sni;
+#endif
   else
     {
     DEBUG(D_transport)
@@ -2047,7 +2053,6 @@ if (continue_hostname && continue_proxy_cipher)
     HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP>> QUIT\n");
     write(0, "QUIT\r\n", 6);
     close(0);
-    tls_out.dane_verified = FALSE;
     continue_hostname = continue_proxy_cipher = NULL;
     f.continue_more = FALSE;
     continue_sequence = 1; /* Unfortunately, this process cannot affect success log
@@ -2055,7 +2060,6 @@ if (continue_hostname && continue_proxy_cipher)
     back through reporting pipe. */
     }
   }
-#endif
 /* Make a connection to the host if this isn't a continued delivery, and handle
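Review bot: The new `#else` branch evaluates `Ustrcmp(continue_proxy_sni, sni)` or `!*sni` with `sni` NULL whenever `expand_cstring(ob->tls_sni)` failed a few lines earlier, since a `LOG_MAIN|LOG_PANIC` write does not, as far as I can tell, terminate the process; the `#ifdef SUPPORT_DANE` branch it was copied from has the same dereference, so the commit doubles it rather than fixing it. It also duplicates the whole SNI comparison, with the `#endif` landing between the `if` statement and its `else`, which is fragile to edit. Computing the match once before the `#ifdef`, with a NULL guard, removes the duplication and turns a failed expansion into a mismatch, so the old connection is dropped (the conservative outcome) instead of crashing. The enclosing `if (continue_hostname && continue_proxy_cipher)` block opens before this hunk and its `else` body runs past the following ones.
```c
  /* … unchanged: expand ob->tls_sni, logging a failure (sni is then NULL) … */

  /* A failed expansion leaves sni NULL: treat it as "does not match" so the
  proxied connection is dropped below rather than dereferenced. */
  BOOL sni_matches = sni != NULL
    && (continue_proxy_sni ? Ustrcmp(continue_proxy_sni, sni) == 0 : !*sni);

#ifdef SUPPORT_DANE
  if (sni_matches && continue_proxy_dane == sx->conn_args.dane)
    {
    /* … unchanged: adopt sni and the DANE status for this connection … */
    }
#else
  if (sni_matches)
    tls_out.sni = US sni;
#endif
  else
    {
```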
@@ -4251,16 +4255,6 @@ connection to a new process. However, not all servers can handle this (Exim
 can), so we do not pass such a connection on if the host matches
 hosts_nopass_tls. */
-/*XXX do we have to veto all passing of DANE'd connections?
-Can we be any more intelligent?
-
-I could see that unpleasantly impacting high-vol mailinglist.
-Where many messages are queued for a single dest MX.
-
-But the wait-DB used by transport_check_waiting only records hosts, not domains.
-So we cannot look for a domain mismatch.
-*/
-
 DEBUG(D_transport)
   debug_printf("ok=%d send_quit=%d send_rset=%d continue_more=%d "
     "yield=%d first_address is %sNULL\n", sx->ok, sx->send_quit,
diff --git a/test/stderr/2013 b/test/stderr/2013
index 682b53efc..f3c5421e3 100644
--- a/test/stderr/2013
+++ b/test/stderr/2013
@@ -45,7 +45,6 @@ configuration file is TESTSUITE/test-config
 trusted user
 admin user
 dropping to exim gid; retaining priv uid
-Transport port=1225 replaced by host-specific port=1225
 SMTP>> MAIL FROM:<CALLER@myhost.test.ex> SIZE=ssss
 SMTP>> RCPT TO:<userz@test.ex>
 SMTP>> DATA
@@ -65,7 +64,6 @@ configuration file is TESTSUITE/test-config
 trusted user
 admin user
 dropping to exim gid; retaining priv uid
-Transport port=1225 replaced by host-specific port=1225
 SMTP>> MAIL FROM:<CALLER@myhost.test.ex> SIZE=ssss
 SMTP>> RCPT TO:<usery@test.ex>
 SMTP>> DATA
@@ -133,7 +131,6 @@ configuration file is TESTSUITE/test-config
 trusted user
 admin user
 dropping to exim gid; retaining priv uid
-Transport port=1225 replaced by host-specific port=1225
 SMTP>> MAIL FROM:<CALLER@myhost.test.ex> SIZE=ssss
 SMTP>> RCPT TO:<userc@test.ex>
 SMTP>> DATA
@@ -153,7 +150,6 @@ configuration file is TESTSUITE/test-config
 trusted user
 admin user
 dropping to exim gid; retaining priv uid
-Transport port=1225 replaced by host-specific port=1225
 SMTP>> MAIL FROM:<CALLER@myhost.test.ex> SIZE=ssss
 SMTP>> RCPT TO:<userb@test.ex>
 SMTP>> DATA
diff --git a/test/stderr/2113 b/test/stderr/2113
index 6ccdea8c7..9541b65a2 100644
--- a/test/stderr/2113
+++ b/test/stderr/2113
@@ -45,7 +45,6 @@ configuration file is TESTSUITE/test-config
 trusted user
 admin user
 dropping to exim gid; retaining priv uid
-Transport port=1225 replaced by host-specific port=1225
 SMTP>> MAIL FROM:<CALLER@myhost.test.ex> SIZE=ssss
 SMTP>> RCPT TO:<userz@test.ex>
 SMTP>> DATA
@@ -65,7 +64,6 @@ configuration file is TESTSUITE/test-config
 trusted user
 admin user
 dropping to exim gid; retaining priv uid
-Transport port=1225 replaced by host-specific port=1225
 SMTP>> MAIL FROM:<CALLER@myhost.test.ex> SIZE=ssss
 SMTP>> RCPT TO:<usery@test.ex>
 SMTP>> DATA
@@ -133,7 +131,6 @@ configuration file is TESTSUITE/test-config
 trusted user
 admin user
 dropping to exim gid; retaining priv uid
-Transport port=1225 replaced by host-specific port=1225
 SMTP>> MAIL FROM:<CALLER@myhost.test.ex> SIZE=ssss
 SMTP>> RCPT TO:<userc@test.ex>
 SMTP>> DATA
@@ -153,7 +150,6 @@ configuration file is TESTSUITE/test-config
 trusted user
 admin user
 dropping to exim gid; retaining priv uid
-Transport port=1225 replaced by host-specific port=1225
 SMTP>> MAIL FROM:<CALLER@myhost.test.ex> SIZE=ssss
 SMTP>> RCPT TO:<userb@test.ex>
 SMTP>> DATA
diff --git a/test/stderr/2135 b/test/stderr/2135
index 7187d0d3e..70759060f 100644
--- a/test/stderr/2135
+++ b/test/stderr/2135
@@ -54,7 +54,6 @@ checking status of 127.0.0.1
 127.0.0.1 [127.0.0.1]:1111 retry-status = usable
 delivering 10HmaX-0005vi-00 to 127.0.0.1 [127.0.0.1] (userb@test.ex)
 Transport port=25 replaced by host-specific port=1225
-Transport port=25 replaced by host-specific port=1225
 continued connection, proxied TLS
 SMTP>> DATA
 cmd buf flush ddd bytes