From 214042d23115fe1353ee41041ec91a9dbba3b23d Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sat, 15 Mar 2014 12:29:31 +0000 Subject: Add documentation --- doc/doc-docbook/spec.xfpt | 28 ++++++++++++++++++++++++++++ doc/doc-txt/ChangeLog | 2 ++ doc/doc-txt/NewStuff | 5 +++++ 3 files changed, 35 insertions(+) (limited to 'doc') diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index edb577a11..748f5c9dc 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -23018,6 +23018,14 @@ unknown state), opens a new one to the same host, and then tries the delivery in clear. +.option tls_try_verify_hosts smtp "host list&!! unset +.cindex "TLS" "server certificate verification" +.cindex "certificate" "verification of server" +For OpenSSL only, this option gives a list of hosts for which +certificate verification will be tried but need not succeed. +The &%tls_verify_certificates%& option must also be set. + + .option tls_verify_certificates smtp string&!! unset .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" @@ -23032,6 +23040,20 @@ single file if you are using GnuTLS. The values of &$host$& and &$host_address$& are set to the name and address of the server during the expansion of this option. See chapter &<>& for details of TLS. +For back-compatability, or when GnuTLS is used, +if neither tls_verify_hosts nor tls_try_verify_hosts are set +and certificate verification fails the TLS connection is closed. + + +.option tls_verify_hosts smtp "host list&!! unset +.cindex "TLS" "server certificate verification" +.cindex "certificate" "verification of server" +For OpenSSL only, this option gives a list of hosts for which +certificate verification must succeed. +The &%tls_verify_certificates%& option must also be set. +If both this option and &%tls_try_verify_hosts%& are unset +operation is as if this option selected all hosts. + @@ -25933,6 +25955,12 @@ for OpenSSL only (not GnuTLS), a directory, that contains a collection of expected server certificates. The client verifies the server's certificate against this collection, taking into account any revoked certificates that are in the list defined by &%tls_crl%&. +Failure to verify fails the TLS connection unless either of the +&%tls_verify_hosts%& or &%tls_try_verify_hosts%& options are set. + +The &%tls_verify_hosts%& and &%tls_try_verify_hosts%& options restrict +certificate verification to the listed servers. Verification either must +or need not succeed respectively. If &%tls_require_ciphers%& is set on the &(smtp)& transport, it must contain a diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index d5c09f4c5..c1640f73a 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -32,6 +32,8 @@ JH/02 Add ${listextract {number}{list}{success}{fail}}. TL/03 Bugzilla 1433: Fix DMARC SEGV with specific From header contents. Properly escape header and check for NULL return. +JH/03 Add tls_{,try_}verify_hosts to smtp transport. OpenSSL only. + Exim version 4.82 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 11cfcffa0..e4f2e29a1 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -14,6 +14,11 @@ Version 4.83 actual external source IP:host be used in exim instead of the IP of the proxy that is connecting to it. + 2. When built with OpenSSL the smtp transport now supports options + "tls_verify_hosts" and "tls_try_verify_hosts". If either is set the + certificate verification is split from the encryption operation. The + default remains that a failed verification cancels the encryption. + Version 4.82 ------------ -- cgit v1.2.3 From 02bf26279e41fa715e74ea45d2a5903635ad5ee1 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sat, 15 Mar 2014 14:06:07 +0000 Subject: Testcases --- doc/doc-docbook/spec.xfpt | 4 +-- test/confs/2112 | 65 +++++++++++++++++++++++++++++++++++++++--- test/log/2112 | 27 ++++++++++++++++-- test/scripts/2100-OpenSSL/2112 | 9 ++++++ 4 files changed, 97 insertions(+), 8 deletions(-) (limited to 'doc') diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 748f5c9dc..abf69a00d 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -23021,7 +23021,7 @@ in clear. .option tls_try_verify_hosts smtp "host list&!! unset .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" -For OpenSSL only, this option gives a list of hosts for which +For OpenSSL only, this option gives a list of hosts for which, on encrypted connections, certificate verification will be tried but need not succeed. The &%tls_verify_certificates%& option must also be set. @@ -23048,7 +23048,7 @@ and certificate verification fails the TLS connection is closed. .option tls_verify_hosts smtp "host list&!! unset .cindex "TLS" "server certificate verification" .cindex "certificate" "verification of server" -For OpenSSL only, this option gives a list of hosts for which +For OpenSSL only, this option gives a list of hosts for which. on encrypted connections, certificate verification must succeed. The &%tls_verify_certificates%& option must also be set. If both this option and &%tls_try_verify_hosts%& are unset diff --git a/test/confs/2112 b/test/confs/2112 index 78733513e..242d2d67c 100644 --- a/test/confs/2112 +++ b/test/confs/2112 @@ -1,4 +1,5 @@ # Exim test configuration 2112 +# TLS client: verify certificate from server - fails SERVER= @@ -35,18 +36,53 @@ tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail} begin routers -client: +server_dump: + driver = redirect + condition = ${if eq {SERVER}{server}{yes}{no}} + data = :blackhole: + +client_x: + driver = accept + local_parts = userx + retry_use_local_part + transport = send_to_server_failcert + errors_to = "" + +client_y: + driver = accept + local_parts = usery + retry_use_local_part + transport = send_to_server_retry + +client_z: driver = accept - condition = ${if eq {SERVER}{server}{no}{yes}} + local_parts = userz retry_use_local_part - transport = send_to_server + transport = send_to_server_crypt + +client_q: + driver = accept + local_parts = userq + retry_use_local_part + transport = send_to_server_req_fail # ----- Transports ----- begin transports -send_to_server: +# this will fail to verify the cert at HOSTIPV4 so fail the crypt requirement +send_to_server_failcert: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = DIR/aux-fixed/cert2 + tls_verify_certificates = DIR/aux-fixed/cert2 + +# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok +send_to_server_retry: driver = smtp allow_localhost hosts = HOSTIPV4 : 127.0.0.1 @@ -56,4 +92,25 @@ send_to_server: tls_verify_certificates = \ ${if eq{$host_address}{127.0.0.1}{DIR/aux-fixed/cert1}{DIR/aux-fixed/cert2}} +# this will fail to verify the cert but continue unverified though cypted +send_to_server_crypt: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + hosts_require_tls = HOSTIPV4 + port = PORT_D + tls_certificate = DIR/aux-fixed/cert2 + tls_verify_certificates = DIR/aux-fixed/cert2 + tls_try_verify_hosts = * + +# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted +send_to_server_req_fail: + driver = smtp + allow_localhost + hosts = HOSTIPV4 + port = PORT_D + tls_certificate = DIR/aux-fixed/cert2 + tls_verify_certificates = DIR/aux-fixed/cert2 + tls_verify_hosts = * + # End diff --git a/test/log/2112 b/test/log/2112 index bee2f6fe3..3f77e65ea 100644 --- a/test/log/2112 +++ b/test/log/2112 @@ -1,13 +1,36 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss +1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock 1999-03-02 09:44:33 10HmaX-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <> -1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@test.ex R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00" +1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@test.ex R=client_x T=send_to_server_failcert defer (-37): failure while setting up TLS session +1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@test.ex: retry timeout exceeded +1999-03-02 09:44:33 10HmaX-0005vi-00 userx@test.ex: error ignored 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed +1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmaY-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@test.ex R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbB-0005vi-00" +1999-03-02 09:44:33 10HmaY-0005vi-00 Completed +1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@test.ex R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbC-0005vi-00" +1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmbA-0005vi-00 TLS error on connection to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (SSL_connect): error: <> +1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls) +1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00" +1999-03-02 09:44:33 10HmbA-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) -1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaX-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@myhost.test.ex +1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <> +1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?) +1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex diff --git a/test/scripts/2100-OpenSSL/2112 b/test/scripts/2100-OpenSSL/2112 index 4793929bc..98ea4cb17 100644 --- a/test/scripts/2100-OpenSSL/2112 +++ b/test/scripts/2100-OpenSSL/2112 @@ -4,6 +4,15 @@ exim -DSERVER=server -bd -oX PORT_D exim userx@test.ex Testing **** +exim usery@test.ex +Testing +**** +exim userz@test.ex +Testing +**** +exim userq@test.ex +Testing +**** exim -qf **** killdaemon -- cgit v1.2.3