From fc16abb4d06c7ae375b227bd83473412c8985c6f Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Mon, 16 May 2016 19:58:20 +0100 Subject: Logging: dnssec status on accept & delivery lines --- doc/doc-docbook/spec.xfpt | 10 +++++++ doc/doc-txt/NewStuff | 4 ++- src/src/deliver.c | 22 +++++++++------ src/src/globals.c | 1 + src/src/macros.h | 13 +++++---- src/src/receive.c | 11 ++++---- src/src/smtp_in.c | 16 +++++++---- test/confs/4804 | 50 +++++++++++++++++++++++++++++++++ test/log/4804 | 19 +++++++++++++ test/scripts/4800-dnssec-dnslookup/4804 | 11 ++++++++ 10 files changed, 131 insertions(+), 26 deletions(-) create mode 100644 test/confs/4804 create mode 100644 test/log/4804 create mode 100644 test/scripts/4800-dnssec-dnslookup/4804 diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index ba32403d6..736a45800 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -35528,6 +35528,7 @@ the following table: &`CV `& certificate verification status &`D `& duration of &"no mail in SMTP session"& &`DN `& distinguished name from peer certificate +&`DS `& DNSSEC secured lookups &`DT `& on &`=>`& lines: time taken for a delivery &`F `& sender address (on delivery lines) &`H `& host name and IP address @@ -35618,6 +35619,7 @@ selection marked by asterisks: &` deliver_time `& time taken to perform delivery &` delivery_size `& add &`S=`&&'nnn'& to => lines &`*dnslist_defer `& defers of DNS list (aka RBL) lookups +&` dnssec `& DNSSEC secured lookups &`*etrn `& ETRN commands &`*host_lookup_failed `& as it says &` ident_timeout `& timeout for ident connection 
@@ -35725,6 +35727,14 @@ the &"=>"& line, tagged with S=. &%dnslist_defer%&: A log entry is written if an attempt to look up a host in a DNS black list suffers a temporary error. .next +.cindex log dnssec +.cindex dnssec logging +&%dnssec%&: For message acceptance and (attempted) delivery log lines, when +dns lookups gave secure results a tag of DS is added. +For acceptance this covers the reverse and forward lookups for host name verification. +It does not cover helo-name verification. +For delivery this covers the SRV, MX, A and/or AAAA lookups. +.next .cindex "log" "ETRN commands" .cindex "ETRN" "logging" &%etrn%&: Every valid ETRN command that is received is logged, before the ACL diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 07e6f1dba..659c830bd 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -9,9 +9,11 @@ the documentation is updated, this file is reduced to a short list. Version 4.88 ------------ - 1. The new perl_tainmode option allows to run the embedded perl + 1. The new perl_taintmode option allows to run the embedded perl interpreter in taint mode. + 2. New log_selector: dnssec, adds a "DS" tag to acceptance and delivery lines. + Version 4.87 ------------ diff --git a/src/src/deliver.c b/src/src/deliver.c index 743fc83e8..1421852aa 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c 
@@ -711,25 +711,31 @@ return s; static uschar * -d_hostlog(uschar *s, int *sizep, int *ptrp, address_item *addr) +d_hostlog(uschar * s, int * sp, int * pp, address_item * addr) { -s = string_append(s, sizep, ptrp, 5, US" H=", addr->host_used->name, - US" [", addr->host_used->address, US"]"); +host_item * h = addr->host_used; + +s = string_append(s, sp, pp, 2, US" H=", h->name); + +if (LOGGING(dnssec) && h->dnssec == DS_YES) + s = string_cat(s, sp, pp, US" DS"); + +s = string_append(s, sp, pp, 3, US" [", h->address, US"]"); + if (LOGGING(outgoing_port)) - s = string_append(s, sizep, ptrp, 2, US":", string_sprintf("%d", - addr->host_used->port)); + s = string_append(s, sp, pp, 2, US":", string_sprintf("%d", h->port)); #ifdef SUPPORT_SOCKS if (LOGGING(proxy) && proxy_local_address) { - s = string_append(s, sizep, ptrp, 3, US" PRX=[", proxy_local_address, US"]"); + s = string_append(s, sp, pp, 3, US" PRX=[", proxy_local_address, US"]"); if (LOGGING(outgoing_port)) - s = string_append(s, sizep, ptrp, 2, US":", string_sprintf("%d", + s = string_append(s, sp, pp, 2, US":", string_sprintf("%d", proxy_local_port)); } #endif -return d_log_interface(s, sizep, ptrp); +return d_log_interface(s, sp, pp); } diff --git a/src/src/globals.c b/src/src/globals.c index be1fae849..0586fdd98 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -864,6 +864,7 @@ bit_table log_options[] = { /* must be in alphabetical order */ BIT_TABLE(L, deliver_time), BIT_TABLE(L, delivery_size), BIT_TABLE(L, dnslist_defer), + BIT_TABLE(L, dnssec), BIT_TABLE(L, etrn), BIT_TABLE(L, host_lookup_failed), BIT_TABLE(L, ident_timeout), diff --git a/src/src/macros.h b/src/src/macros.h index 275458b8f..53abeb5c2 100644 --- a/src/src/macros.h +++ b/src/src/macros.h 
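Review bot: The DS tag lands in a different position on the two kinds of line: here it is spliced into the H= field between the host name and the bracketed address (`H=name DS [addr]`, as the test/log/4804 hunk shows), while the receive.c and smtp_in.c hunks emit it ahead of the host (` DS H=...`). Anything that parses `H=name [addr]` as one unit will now mis-read delivery lines, and the spec table entry `DS DNSSEC secured lookups` does not say where to expect the tag. Moving the `s = string_cat(s, sp, pp, US" DS");` after the `US" [", h->address, US"]"` append, or ahead of the `US" H="` append to match the acceptance side, keeps the field intact; whichever position is kept should be named in the spec text. The new `h->dnssec == DS_YES` test would also read better with a one-line comment such as `/* DS: the host's address came from DNSSEC-validated lookups */`, assuming DS_YES carries the meaning the spec hunk describes.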
@@ -446,15 +446,19 @@ enum { LOG_BIT(smtp_protocol_error), LOG_BIT(smtp_syntax_error), - Li_acl_warn_skipped = BITWORDSIZE, + Li_8bitmime = BITWORDSIZE, + Li_acl_warn_skipped, Li_arguments, Li_deliver_time, Li_delivery_size, + Li_dnssec, Li_ident_timeout, Li_incoming_interface, Li_incoming_port, + Li_outgoing_interface, Li_outgoing_port, Li_pid, + Li_proxy, Li_queue_time, Li_queue_time_overall, Li_received_sender, @@ -464,6 +468,7 @@ enum { Li_sender_on_delivery, Li_sender_verify_fail, Li_smtp_confirmation, + Li_smtp_mailauth, Li_smtp_no_mail, Li_subject, Li_tls_certificate_verified, @@ -471,12 +476,8 @@ enum { Li_tls_peerdn, Li_tls_sni, Li_unknown_in_list, - Li_8bitmime, - Li_smtp_mailauth, - Li_proxy, - Li_outgoing_interface, - log_selector_size = BITWORD(Li_outgoing_interface) + 1 + log_selector_size = BITWORD(Li_unknown_in_list) + 1 }; #define LOGGING(opt) BIT_TEST(log_selector, log_selector_size, Li_##opt) diff --git a/src/src/receive.c b/src/src/receive.c index 2628570d8..92ec2cd87 100644 --- a/src/src/receive.c +++ b/src/src/receive.c @@ -1123,16 +1123,17 @@ Returns: the extended string */ static uschar * -add_host_info_for_log(uschar *s, int *sizeptr, int *ptrptr) +add_host_info_for_log(uschar * s, int * sizeptr, int * ptrptr) { -if (sender_fullhost != NULL) +if (sender_fullhost) { + if (LOGGING(dnssec) && sender_host_dnssec) /*XXX sender_helo_dnssec? */ + s = string_cat(s, sizeptr, ptrptr, US" DS"); s = string_append(s, sizeptr, ptrptr, 2, US" H=", sender_fullhost); if (LOGGING(incoming_interface) && interface_address != NULL) { - uschar *ss = string_sprintf(" I=[%s]:%d", interface_address, - interface_port); - s = string_cat(s, sizeptr, ptrptr, ss); + s = string_cat(s, sizeptr, ptrptr, + string_sprintf(" I=[%s]:%d", interface_address, interface_port)); } } if (sender_ident != NULL) diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 1398e620b..d66b59e30 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c 
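Review bot: `log_selector_size = BITWORD(Li_unknown_in_list) + 1` in the last macros.h hunk still ties the bit-array size to whichever enumerator happens to sort last, so the next selector named after `unknown_in_list` would silently leave the array short unless the author remembers to edit this line too. A terminal sentinel removes that dependency: add `Li_count,  /* keep last */` after `Li_unknown_in_list` and write `log_selector_size = BITWORD(Li_count - 1) + 1`. Re-sorting the enum also changes the numeric values of `Li_8bitmime`, `Li_smtp_mailauth`, `Li_proxy` and `Li_outgoing_interface`; that is harmless only if every default selector mask is built from the names via BIT_TABLE rather than literal bit positions, which this patch does not show. The enum's opening lies outside the first hunk.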
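Review bot: The `/*XXX sender_helo_dnssec? */` marker on the new `LOGGING(dnssec) && sender_host_dnssec` test in add_host_info_for_log leaves an open design question in shipped code, even though the spec.xfpt hunk in this same patch already answers it ("It does not cover helo-name verification"). Replace the marker with the decision so the next reader does not reopen it: `/* reverse/forward host-name lookups only; helo-name verification is not covered (see log_selector dnssec) */`. If helo coverage is genuinely still undecided, the spec wording should be softened instead of stating it as settled. add_host_info_for_log continues past the end of the hunk.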
@@ -2837,14 +2837,18 @@ is closing if required and return 2. */ if (log_reject_target != 0) { #ifdef SUPPORT_TLS - uschar * s = s_tlslog(NULL, NULL, NULL); - if (!s) s = US""; + uschar * tls = s_tlslog(NULL, NULL, NULL); + if (!tls) tls = US""; #else - uschar * s = US""; + uschar * tls = US""; #endif - log_write(0, log_reject_target, "%s%s %s%srejected %s%s", - host_and_ident(TRUE), s, - sender_info, (rc == FAIL)? US"" : US"temporarily ", what, log_msg); + log_write(0, log_reject_target, "%s%s%s %s%srejected %s%s", + LOGGING(dnssec) && sender_host_dnssec ? US" DS" : US"", + host_and_ident(TRUE), + tls, + sender_info, + rc == FAIL ? US"" : US"temporarily ", + what, log_msg); } if (!drop) return 0; diff --git a/test/confs/4804 b/test/confs/4804 new file mode 100644 index 000000000..a1ba90dd1 --- /dev/null +++ b/test/confs/4804 @@ -0,0 +1,50 @@ +# Exim test configuration 4804 + +SERVER= +OPT= + +exim_path = EXIM_PATH +keep_environment = +host_lookup_order = bydns +primary_hostname = myhost.test.ex +spool_directory = DIR/spool +log_file_path = DIR/spool/log/%slog +gecos_pattern = "" +gecos_name = CALLER_NAME +timezone = UTC + +# ----- Main settings ----- + +acl_smtp_rcpt = accept + +log_selector = OPT +tls_advertise_hosts = : + +# ------ ACL ------ + +begin acl + +# ----- Routers ----- + +begin routers + +server: + condition = ${if eq {SERVER}{server} {yes}{no}} + driver = redirect + data = :blackhole: + +client: + driver = dnslookup + dnssec_request_domains = * + self = send + transport = send_to_server + +# ----- Transports ----- + +begin transports + +send_to_server: + driver = smtp + port = PORT_D + +# End diff --git a/test/log/4804 b/test/log/4804 new file mode 100644 index 000000000..c7ae7058e --- /dev/null +++ b/test/log/4804 
@@ -0,0 +1,19 @@ +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 10HmaX-0005vi-00 => nologging@l-sec.test.ex R=client T=send_to_server H=l-sec.test.ex [127.0.0.1] C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmaZ-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 => withlogging@l-sec.test.ex R=client T=send_to_server H=l-sec.test.ex DS [127.0.0.1] C="250 OK id=10HmbA-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtp S=sss id=E10HmbB-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbC-0005vi-00 Completed +1999-03-02 09:44:33 10HmbB-0005vi-00 => withlogging@thishost.test.ex R=client T=send_to_server H=thishost.test.ex [127.0.0.1] C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmbB-0005vi-00 Completed diff --git a/test/scripts/4800-dnssec-dnslookup/4804 b/test/scripts/4800-dnssec-dnslookup/4804 new file mode 100644 index 000000000..ea4f2dec0 --- /dev/null +++ b/test/scripts/4800-dnssec-dnslookup/4804 
@@ -0,0 +1,11 @@ +# dnssec log_selector (client) +exim -DSERVER=server -bd -oX PORT_D +**** +exim -DOPT= -odf nologging@l-sec.test.ex +**** +exim -DOPT=+dnssec -odf withlogging@l-sec.test.ex +**** +exim -DOPT=+dnssec -odf withlogging@thishost.test.ex +**** +killdaemon +no_msglog_check -- cgit v1.2.3
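Review bot: The script's own heading, `# dnssec log_selector (client)`, together with the absence of any `DS` on the `<=` lines in test/log/4804, indicates that only the delivery-side tagging in deliver.c is exercised; the acceptance path added to receive.c and the rejection path in smtp_in.c get no coverage. A companion case that starts the daemon with `-DOPT=+dnssec` and has the connecting client resolve through a secured name, as `l-sec.test.ex` does here on the delivery side, would pin the ` DS H=` placement on acceptance lines as well. Without it a regression in the `sender_host_dnssec` handling would pass this suite unnoticed.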