summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/src/tls-openssl.c19
-rw-r--r--src/src/transports/smtp.c30
-rw-r--r--src/src/transports/smtp.h1
-rw-r--r--src/src/verify.c22
4 files changed, 47 insertions, 25 deletions
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 201636db0..0bd23ac63 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1618,15 +1618,8 @@ BOOL dane_required;
#endif
#ifdef EXPERIMENTAL_DANE
-/*XXX TBD: test for transport options, and for TLSA records */
-/*dane = TRUE;*/
-
-# ifdef notyet
dane_required = verify_check_this_host(&ob->hosts_require_dane, NULL,
host->name, host->address, NULL) == OK;
-# else
-dane_required = FALSE;
-#endif
if (host->dnssec == DS_YES)
{
@@ -1637,11 +1630,10 @@ if (host->dnssec == DS_YES)
{
/* move this out to host.c given the similarity to dns_lookup() ? */
uschar buffer[300];
- int prefix_length; /* why do we want this? */
uschar * fullname = buffer;
/* TLSA lookup string */
- (void)sprintf(CS buffer, "_%d._tcp.%n%.256s", host->port, &prefix_length,
+ (void)sprintf(CS buffer, "_%d._tcp.%.256s", host->port,
host->name);
switch (rc = dns_lookup(&tlsa_dnsa, buffer, T_TLSA, &fullname))
@@ -1653,7 +1645,7 @@ if (host->dnssec == DS_YES)
case DNS_FAIL:
if (dane_required)
{
- /* log that TLSA lookup failed */
+ log_write(0, LOG_MAIN, "DANE error: TLSA lookup failed");
return FAIL;
}
break;
@@ -1661,7 +1653,7 @@ if (host->dnssec == DS_YES)
case DNS_SUCCEED:
if (!dns_is_secure(&tlsa_dnsa))
{
- /*log it - tlsa should never be non-dnssec */
+ log_write(0, LOG_MAIN, "DANE error: TLSA lookup not DNSSEC");
return DEFER;
}
dane = TRUE;
@@ -1669,9 +1661,10 @@ if (host->dnssec == DS_YES)
}
}
}
-else if (dane_required && !dane)
+else if (dane_required)
{
- /* log that dnssec pre-req failed. Hmm - what? */
+ /* Hmm - what lookup, precisely? */
+ log_write(0, LOG_MAIN, "DANE error: previous lookup not DNSSEC");
return FAIL;
}
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 2e3a6ced4..9abc69d51 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -109,6 +109,10 @@ optionlist smtp_transport_options[] = {
{ "hosts_require_auth", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_require_auth) },
#ifdef SUPPORT_TLS
+# ifdef EXPERIMENTAL_DANE
+ { "hosts_require_dane", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, hosts_require_dane) },
+# endif
# ifndef DISABLE_OCSP
{ "hosts_require_ocsp", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_require_ocsp) },
@@ -118,7 +122,7 @@ optionlist smtp_transport_options[] = {
#endif
{ "hosts_try_auth", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_try_auth) },
-#ifdef EXPERIMENTAL_DANE
+#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
{ "hosts_try_dane", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_try_dane) },
#endif
@@ -206,6 +210,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
NULL, /* hosts_require_auth */
#ifdef EXPERIMENTAL_DANE
NULL, /* hosts_try_dane */
+ NULL, /* hosts_require_dane */
#endif
#ifndef DISABLE_PRDR
NULL, /* hosts_try_prdr */
@@ -1571,8 +1576,13 @@ if (tls_out.active >= 0)
/* If the host is required to use a secure channel, ensure that we
have one. */
-else if (verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
- host->address, NULL) == OK)
+else if ( verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
+ host->address, NULL) == OK
+#ifdef EXPERIMENTAL_DANE
+ || verify_check_this_host(&(ob->hosts_require_dane), NULL, host->name,
+ host->address, NULL) == OK
+#endif
+ )
{
save_errno = ERRNO_TLSREQUIRED;
message = string_sprintf("a TLS session is required for %s [%s], but %s",
@@ -3268,10 +3278,16 @@ for (cutoff_retry = 0; expired &&
happens inside smtp_deliver().] */
#ifdef SUPPORT_TLS
- if (rc == DEFER && first_addr->basic_errno == ERRNO_TLSFAILURE &&
- ob->tls_tempfail_tryclear &&
- verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
- host->address, NULL) != OK)
+ if ( rc == DEFER
+ && first_addr->basic_errno == ERRNO_TLSFAILURE
+ && ob->tls_tempfail_tryclear
+ && verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
+ host->address, NULL) != OK
+#ifdef EXPERIMENTAL_DANE
+ && verify_check_this_host(&(ob->hosts_require_dane), NULL, host->name,
+ host->address, NULL) != OK
+#endif
+ )
{
log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted "
"to %s [%s] (not in hosts_require_tls)", host->name, host->address);
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 018f9cfef..d968a4d54 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -23,6 +23,7 @@ typedef struct {
uschar *hosts_require_auth;
#ifdef EXPERIMENTAL_DANE
uschar *hosts_try_dane;
+ uschar *hosts_require_dane;
#endif
#ifndef DISABLE_PRDR
uschar *hosts_try_prdr;
diff --git a/src/src/verify.c b/src/src/verify.c
index b1b9f29a4..c2ee47892 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -644,9 +644,16 @@ else
if the options permit it for this host. */
if (rc != OK)
{
- if (rc == DEFER && ob->tls_tempfail_tryclear && !smtps &&
- verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
- host->address, NULL) != OK)
+ if ( rc == DEFER
+ && ob->tls_tempfail_tryclear
+ && !smtps
+ && verify_check_this_host(&(ob->hosts_require_tls), NULL,
+ host->name, host->address, NULL) != OK
+#ifdef EXPERIMENTAL_DANE
+ && verify_check_this_host(&(ob->hosts_require_dane), NULL,
+ host->name, host->address, NULL) != OK
+#endif
+ )
{
(void)close(inblock.sock);
log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted "
@@ -676,8 +683,13 @@ else
/* If the host is required to use a secure channel, ensure that we have one. */
if (tls_out.active < 0)
- if (verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
- host->address, NULL) == OK)
+ if ( verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
+ host->address, NULL) == OK
+#ifdef EXPERIMENTAL_DANE
+ || verify_check_this_host(&(ob->hosts_require_dane), NULL, host->name,
+ host->address, NULL) == OK
+#endif
+ )
{
/*save_errno = ERRNO_TLSREQUIRED;*/
log_write(0, LOG_MAIN, "a TLS session is required for %s [%s], but %s",