From 578897ea8764001d0538b8b645d161524ba1fa4e Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Sun, 27 Apr 2014 18:17:29 +0100
Subject: Add options dnssec_request_domains, dnssec_require_domains to the smtp transport
Note there are no testsuite cases included.
TODO in this area:
- dnssec during verify-callouts
- dnssec on the forward lookup of a verify=helo and verify=reverse_host_lookup
---
 doc/doc-docbook/spec.xfpt | 31 ++++++++++++++++++++++++++++---
 doc/doc-txt/ChangeLog | 3 ++-
 doc/doc-txt/NewStuff | 2 ++
 src/src/transports/smtp.c | 10 +++++++++-
 src/src/transports/smtp.h | 2 ++
 5 files changed, 43 insertions(+), 5 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 0e6a38bd9..0ecbaac5a 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -11457,7 +11457,7 @@ the space value is -1. See also the &%check_log_space%& option.
 .vitem &$lookup_dnssec_authenticated$&
 .vindex "&$lookup_dnssec_authenticated$&"
 This variable is set after a DNS lookup done by
-either a dnslookup router or a dnsdb lookup expansion.
+a dnsdb lookup expansion, dnslookup router or smtp transport.
 It will be empty if &(DNSSEC)& was not requested,
 &"no"& if the result was not labelled as authenticated data
 and &"yes"& if it was.
@@ -17673,8 +17673,6 @@ when there is a DNS lookup error.
 DNS lookups for domains matching &%dnssec_request_domains%& will be done with
 the dnssec request bit set.
 This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
-
-See also the &$lookup_dnssec_authenticated$& variable.
 .wen
@@ -22596,6 +22594,33 @@ See the &%search_parents%& option in chapter &<>& for more details.
+.new
+.option dnssec_request_domains smtp "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
+.new
+.option dnssec_require_domains smtp "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set. Any returns not having the Authenticated Data bit
+(AD bit) set wil be ignored and logged as a host-lookup failure.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
 .option dscp smtp string&!! unset
 .cindex "DCSP" "outbound"
 This option causes the DSCP value associated with a socket to be set to one
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index cff9803d7..d4240fa29 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -85,7 +85,8 @@ TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly
 JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455.
 JH/14 New options dnssec_request_domains, dnssec_require_domains on the
- dnslookup router (applying to the forward lookup).
+ dnslookup router and the smtp transport (applying to the forward
+ lookup).
 TL/08 Bugzilla 1453: New LDAP "SERVERS=" option allows admin to override
 list of ldap servers used for a specific lookup. Patch provided by Heiko
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 6a1a5e8d1..33c66ceb9 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -42,6 +42,8 @@ Version 4.83
 8. EXPERIMENTAL_OCSP now supports GnuTLS also, if you have version 3.1.3 or
 later of that.
+ 9. Support for DNSSEC on outbound connections.
+
 Version 4.82
 ------------
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 57b66b881..9e0ab1556 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -55,6 +55,10 @@ optionlist smtp_transport_options[] = {
 (void *)offsetof(smtp_transport_options_block, dns_qualify_single) },
 { "dns_search_parents", opt_bool,
 (void *)offsetof(smtp_transport_options_block, dns_search_parents) },
+ { "dnssec_request_domains", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, dnssec_request_domains) },
+ { "dnssec_require_domains", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, dnssec_require_domains) },
 { "dscp", opt_stringptr,
 (void *)offsetof(smtp_transport_options_block, dscp) },
 { "fallback_hosts", opt_stringptr,
@@ -213,6 +217,8 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 FALSE, /* gethostbyname */
 TRUE, /* dns_qualify_single */
 FALSE, /* dns_search_parents */
+ NULL, /* dnssec_request_domains */
+ NULL, /* dnssec_require_domains */
 TRUE, /* delay_after_cutoff */
 FALSE, /* hosts_override */
 FALSE, /* hosts_randomize */
@@ -2816,7 +2822,7 @@ for (cutoff_retry = 0; expired &&
 rc = host_find_byname(host, NULL, flags, &canonical_name, TRUE);
 else
 rc = host_find_bydns(host, NULL, flags, NULL, NULL, NULL,
- NULL, NULL, /*XXX todo: smtp tpt hosts_require_dnssec */
+ ob->dnssec_request_domains, ob->dnssec_require_domains,
 &canonical_name, NULL);
 /* Update the host (and any additional blocks, resulting from
@@ -3429,4 +3435,6 @@ DEBUG(D_transport) debug_printf("Leaving %s transport\n", tblock->name);
 return TRUE; /* Each address has its status */
 }
+/* vi: aw ai sw=2
+*/
 /* End of transport/smtp.c */
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 6d33802ab..6912ad83e 100644
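Review bot: The new dnssec arguments are wired only into the host_find_bydns call; the host_find_byname call two lines above it still receives none, so when the transport takes that branch (its condition is outside the hunk, but the if/else shape is visible) a domain listed in dnssec_require_domains is resolved with no DNSSEC enforcement and nothing records that. I would put a comment on the byname line, e.g. `/* gethostbyname path: dnssec_request_domains / dnssec_require_domains are not applied here */`, consider a `DEBUG(D_transport) debug_printf(...)` on that path when dnssec_require_domains is set, and add a sentence to the option description saying the option has no effect together with gethostbyname. The enclosing function starts and ends outside the hunk, so how a require-failure return from host_find_bydns becomes the "logged as a host-lookup failure" behaviour the spec promises cannot be checked here. The commit message says no testsuite cases are included; a case pairing dnssec_require_domains with an unsigned zone is the one that would pin that failure path. Separately, the spec.xfpt text added for dnssec_require_domains opens by naming &%dnssec_request_domains%& and has "wil" for "will".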
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -46,6 +46,8 @@ typedef struct {
 BOOL gethostbyname;
 BOOL dns_qualify_single;
 BOOL dns_search_parents;
+ uschar *dnssec_request_domains;
+ uschar *dnssec_require_domains;
 BOOL delay_after_cutoff;
 BOOL hosts_override;
 BOOL hosts_randomize;
-- cgit v1.2.3
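Review bot: The two new uschar * fields sit between dns_search_parents and delay_after_cutoff, and that position has to stay in step with the positional NULL entries added to smtp_transport_option_defaults in smtp.c, but neither file says so. A one-line comment on the new fields, e.g. `/* domain lists; keep position in step with smtp_transport_option_defaults in smtp.c */`, would make the coupling visible to the next person adding an option. The typedef struct begins and ends outside the hunk.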