From 5d6bdf01a921a88030e9baec7ba5f238da90e979 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 7 May 2017 17:49:58 +0100 Subject: DANE: do not trust a non-dnssec NXDOMAIN return for the TLSA lookup --- test/log/5840 | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) (limited to 'test/log/5840') diff --git a/test/log/5840 b/test/log/5840 index 6d65bf25e..8d309e088 100644 --- a/test/log/5840 +++ b/test/log/5840 @@ -33,10 +33,8 @@ 1999-03-02 09:44:33 10HmbI-0005vi-00 ** CALLER@dane.no.1.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL 1999-03-02 09:44:33 10HmbI-0005vi-00 CALLER@dane.no.1.test.ex: error ignored 1999-03-02 09:44:33 10HmbI-0005vi-00 Completed -1999-03-02 09:44:33 10HmbJ-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock -1999-03-02 09:44:33 10HmbJ-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="dane.no.2.test.ex" -1999-03-02 09:44:33 10HmbJ-0005vi-00 => CALLER@dane.no.2.test.ex R=client T=send_to_server H=dane.no.2.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbK-0005vi-00" -1999-03-02 09:44:33 10HmbJ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbJ-0005vi-00 H=dane.no.2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER +1999-03-02 09:44:33 10HmbJ-0005vi-00 == CALLER@dane.no.2.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** 
@@ -60,6 +58,3 @@ 1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbG-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmbK-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbJ-0005vi-00@myhost.test.ex for CALLER@dane.no.2.test.ex -1999-03-02 09:44:33 10HmbK-0005vi-00 => :blackhole: R=server -1999-03-02 09:44:33 10HmbK-0005vi-00 Completed -- cgit v1.2.3 From b7e4352c99fe3dee2af93f06ef0ac74ee355d5ea Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 7 May 2017 15:37:18 +0100 Subject: Testsuite: add DANE testcase for TLSA lookup SERVFAIL --- test/confs/5840 | 4 ++-- test/dnszones-src/db.test.ex | 4 ++++ test/log/5840 | 3 +++ test/scripts/5840-DANE-OpenSSL/5840 | 15 +++++++++++++-- test/stderr/5840 | 15 +++++++-------- test/stdout/5840 | 10 ++++++---- 6 files changed, 35 insertions(+), 16 deletions(-) (limited to 'test/log/5840') diff --git a/test/confs/5840 b/test/confs/5840 index ac3578dc9..01c114252 100644 --- a/test/confs/5840 +++ b/test/confs/5840 @@ -61,10 +61,10 @@ begin transports send_to_server: driver = smtp allow_localhost - port = PORT_D + port = ${if match {$host}{\Ntest.ex$\N} {PORT_D}{25}} hosts_try_dane = * - hosts_require_dane = !thishost.test.ex + hosts_require_dane = HOSTIPV4 tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}} tls_try_verify_hosts = thishost.test.ex tls_verify_certificates = CDIR2/ca_chain.pem diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex index 349fbd4d3..50bd6b073 100644 --- a/test/dnszones-src/db.test.ex +++ b/test/dnszones-src/db.test.ex 
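Review bot: The new `port` expansion sends any `$host` that does not match `test.ex$` to port 25, which for a test-suite transport is surprising and is not explained in the hunk; presumably the intent is to allow a later case to use a host outside the fake zone, but that should be confirmed and recorded, e.g. `# hosts outside test.ex (none in this script today) would go to a real port 25`. The `.` in `\Ntest.ex$\N` is an unescaped regex dot; `\Ntest\.ex$\N` is the stricter form if an exact suffix is meant. The change of `hosts_require_dane` from `!thishost.test.ex` to `HOSTIPV4` is what the stderr hunk of this commit reflects with `yes (matched "ip4.ip4.ip4.ip4")`, so the two edits belong together.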
@@ -465,6 +465,10 @@ DNSSEC _1225._tcp.danelazy2 CNAME test.again.dns. DNSSEC dane.no.1 A HOSTIPV4 DNSSEC dane.no.2 A 127.0.0.1 +; a broken dane config (or under attack) where the TLSA lookup fails (as opposed to there not being one) +DNSSEC danebroken1 A 127.0.0.1 +_1225._tcp.danebroken1 CNAME test.fail.dns. + ; ------- Testing delays ------------ DELAY=500 delay500 A HOSTIPV4 diff --git a/test/log/5840 b/test/log/5840 index 8d309e088..d02a4c7d7 100644 --- a/test/log/5840 +++ b/test/log/5840 @@ -26,6 +26,7 @@ 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@mxdanelazy.test.ex 1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.1.test.ex 1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.2.test.ex +1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken1.test.ex 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy.test.ex [ip4.ip4.ip4.ip4]: DANE error: tlsa lookup DEFER 1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER @@ -35,6 +36,8 @@ 1999-03-02 09:44:33 10HmbI-0005vi-00 Completed 1999-03-02 09:44:33 10HmbJ-0005vi-00 H=dane.no.2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER 1999-03-02 09:44:33 10HmbJ-0005vi-00 == CALLER@dane.no.2.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER +1999-03-02 09:44:33 10HmbK-0005vi-00 H=danebroken1.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER +1999-03-02 09:44:33 10HmbK-0005vi-00 == CALLER@danebroken1.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840 index d1da54913..fdff36119 100644 
--- a/test/scripts/5840-DANE-OpenSSL/5840 +++ b/test/scripts/5840-DANE-OpenSSL/5840 @@ -61,14 +61,25 @@ exim -DSERVER=server -DDETAILS=ee -bd -oX PORT_D exim -odq CALLER@mxdanelazy.test.ex Testing **** -### A server lacking a TLSA, required +### A server lacking a TLSA, dane required (should fail) exim -odq CALLER@dane.no.1.test.ex Testing **** -### A server lacking a TLSA, requested only +### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) exim -odq CALLER@dane.no.2.test.ex Testing **** +### A server where the A is dnssec and the TLSA _fails_ +exim -odq CALLER@danebroken1.test.ex +Testing +**** +# ### A server securely saying "no TLSA records here", dane required (should fail) +# exim -odq CALLER@dane.no.3.test.ex +# Testing +# ### A server securely saying "no TLSA records here", dane requested only (should transmit) +# exim -odq CALLER@dane.no.4.test.ex +# Testing +# **** exim -qf **** killdaemon diff --git a/test/stderr/5840 b/test/stderr/5840 index e4cf15c51..75f938ab4 100644 --- a/test/stderr/5840 +++ b/test/stderr/5840 @@ -20,10 +20,7 @@ >>> Attempting full verification using callout >>> callout cache: no domain record found for dane256ee.test.ex >>> callout cache: no address record found for rcptuser@dane256ee.test.ex -MUNGED: ::1 will be omitted in what follows ->>> get[host|ipnode]byname[2] looked up these IP addresses: ->>> name=thishost.test.ex address=127.0.0.1 ->>> ip4.ip4.ip4.ip4 in hosts_require_dane? yes (end of list) +>>> ip4.ip4.ip4.ip4 in hosts_require_dane? yes (matched "ip4.ip4.ip4.ip4") >>> interface=NULL port=1225 >>> Connecting to dane256ee.test.ex [ip4.ip4.ip4.ip4]:1225 ... connected >>> SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 
@@ -73,8 +70,9 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] ### A server with a nonverifying cert and no TLSA ### A server with a verifying cert and no TLSA ### A server with two MXs for which both TLSA lookups return defer -### A server lacking a TLSA, required -### A server lacking a TLSA, requested only +### A server lacking a TLSA, dane required (should fail) +### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) +### A server where the A is dnssec and the TLSA _fails_ ******** SERVER ******** ### TLSA (3 1 1) @@ -84,5 +82,6 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] ### A server with a nonverifying cert and no TLSA ### A server with a verifying cert and no TLSA ### A server with two MXs for which both TLSA lookups return defer -### A server lacking a TLSA, required -### A server lacking a TLSA, requested only +### A server lacking a TLSA, dane required (should fail) +### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) +### A server where the A is dnssec and the TLSA _fails_ diff --git a/test/stdout/5840 b/test/stdout/5840 index 1d94564ad..5071e7de5 100644 --- a/test/stdout/5840 +++ b/test/stdout/5840 @@ -14,8 +14,9 @@ ### A server with a nonverifying cert and no TLSA ### A server with a verifying cert and no TLSA ### A server with two MXs for which both TLSA lookups return defer -### A server lacking a TLSA, required -### A server lacking a TLSA, requested only +### A server lacking a TLSA, dane required (should fail) +### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) +### A server where the A is dnssec and the TLSA _fails_ ******** SERVER ******** ### TLSA (3 1 1) 
@@ -25,5 +26,6 @@ ### A server with a nonverifying cert and no TLSA ### A server with a verifying cert and no TLSA ### A server with two MXs for which both TLSA lookups return defer -### A server lacking a TLSA, required -### A server lacking a TLSA, requested only +### A server lacking a TLSA, dane required (should fail) +### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) +### A server where the A is dnssec and the TLSA _fails_ -- cgit v1.2.3 From ce889807c90746896f1310e9f4957215f46f7836 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 7 May 2017 17:40:41 +0100 Subject: Testsuite: add DANE cases for DNS secure no-TLSA lookups --- test/dnszones-src/db.test.ex | 12 +++++++++++- test/log/5840 | 12 ++++++++++++ test/scripts/5840-DANE-OpenSSL/5840 | 15 ++++++++------- test/src/fakens.c | 16 ++++++++++++++-- test/stderr/5840 | 4 ++++ test/stdout/5840 | 4 ++++ 6 files changed, 53 insertions(+), 10 deletions(-) (limited to 'test/log/5840') diff --git a/test/dnszones-src/db.test.ex b/test/dnszones-src/db.test.ex index 50bd6b073..f7c9e313b 100644 --- a/test/dnszones-src/db.test.ex +++ b/test/dnszones-src/db.test.ex @@ -461,7 +461,8 @@ DNSSEC danelazy2 A 127.0.0.1 DNSSEC _1225._tcp.danelazy CNAME test.again.dns. DNSSEC _1225._tcp.danelazy2 CNAME test.again.dns. -; hosts with no TLSA +; hosts with no TLSA (just missing here, hence the TLSA NXDMAIN is _insecure_; a broken dane config) +; 1 for dane-required, 2 for merely requested DNSSEC dane.no.1 A HOSTIPV4 DNSSEC dane.no.2 A 127.0.0.1 
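Review bot: The added zone comment misspells the DNS rcode as `NXDMAIN`; suggest `; hosts with no TLSA (just missing here, hence the TLSA NXDOMAIN is _insecure_; a broken dane config)`. The same slip appears as `NOXDOMAIN` in this file's second hunk (`@@ -469,6 +470,15 @@`), which should read `; a good dns config saying there is no dane support, by securely returning NXDOMAIN for TLSA lookups`. These comments are the only place that explains why dane.no.1/2 are expected to fail while dane.no.3/4 are treated as securely DANE-less, so the rcode names are worth getting right.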
@@ -469,6 +470,15 @@ DNSSEC dane.no.2 A 127.0.0.1 DNSSEC danebroken1 A 127.0.0.1 _1225._tcp.danebroken1 CNAME test.fail.dns. +; a good dns config saying there is no dane support, by securely returning NOXDOMAIN for TLSA lookups +; 3 for dane-required, 4 for merely requested +; the TLSA data here is dummy; ignored +DNSSEC dane.no.3 A HOSTIPV4 +DNSSEC dane.no.4 A 127.0.0.1 + +DNSSEC NXDOMAIN _1225._tcp.dane.no.3 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741 +DNSSEC NXDOMAIN _1225._tcp.dane.no.4 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741 + ; ------- Testing delays ------------ DELAY=500 delay500 A HOSTIPV4 diff --git a/test/log/5840 b/test/log/5840 index d02a4c7d7..b2f949009 100644 --- a/test/log/5840 +++ b/test/log/5840 @@ -27,6 +27,8 @@ 1999-03-02 09:44:33 10HmbI-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.1.test.ex 1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.2.test.ex 1999-03-02 09:44:33 10HmbK-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken1.test.ex +1999-03-02 09:44:33 10HmbL-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.3.test.ex +1999-03-02 09:44:33 10HmbM-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@dane.no.4.test.ex 1999-03-02 09:44:33 Start queue run: pid=pppp -qf 1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy.test.ex [ip4.ip4.ip4.ip4]: DANE error: tlsa lookup DEFER 1999-03-02 09:44:33 10HmbH-0005vi-00 H=danelazy2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER 
@@ -38,6 +40,13 @@ 1999-03-02 09:44:33 10HmbJ-0005vi-00 == CALLER@dane.no.2.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER 1999-03-02 09:44:33 10HmbK-0005vi-00 H=danebroken1.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER 1999-03-02 09:44:33 10HmbK-0005vi-00 == CALLER@danebroken1.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER +1999-03-02 09:44:33 10HmbL-0005vi-00 ** CALLER@dane.no.3.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL +1999-03-02 09:44:33 10HmbL-0005vi-00 CALLER@dane.no.3.test.ex: error ignored +1999-03-02 09:44:33 10HmbL-0005vi-00 Completed +1999-03-02 09:44:33 10HmbM-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmbM-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="dane.no.4.test.ex" +1999-03-02 09:44:33 10HmbM-0005vi-00 => CALLER@dane.no.4.test.ex R=client T=send_to_server H=dane.no.4.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbN-0005vi-00" +1999-03-02 09:44:33 10HmbM-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf ******** SERVER ******** @@ -61,3 +70,6 @@ 1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbG-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 +1999-03-02 09:44:33 10HmbN-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbM-0005vi-00@myhost.test.ex for CALLER@dane.no.4.test.ex +1999-03-02 09:44:33 10HmbN-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbN-0005vi-00 Completed 
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840 index fdff36119..142a25ad4 100644 --- a/test/scripts/5840-DANE-OpenSSL/5840 +++ b/test/scripts/5840-DANE-OpenSSL/5840 @@ -73,13 +73,14 @@ Testing exim -odq CALLER@danebroken1.test.ex Testing **** -# ### A server securely saying "no TLSA records here", dane required (should fail) -# exim -odq CALLER@dane.no.3.test.ex -# Testing -# ### A server securely saying "no TLSA records here", dane requested only (should transmit) -# exim -odq CALLER@dane.no.4.test.ex -# Testing -# **** +### A server securely saying "no TLSA records here", dane required (should fail) +exim -odq CALLER@dane.no.3.test.ex +Testing +**** +### A server securely saying "no TLSA records here", dane requested only (should transmit) +exim -odq CALLER@dane.no.4.test.ex +Testing +**** exim -qf **** killdaemon diff --git a/test/src/fakens.c b/test/src/fakens.c index 34f5ea670..583b01282 100644 --- a/test/src/fakens.c +++ b/test/src/fakens.c @@ -53,11 +53,15 @@ HOST_NOT_FOUND. Any DNS record line in a zone file can be prefixed with "DELAY=" and a number of milliseconds (followed by one space). -Any DNS record line in a zone file can be prefixed with "DNSSEC "; +Any DNS record line can be prefixed with "DNSSEC "; if all the records found by a lookup are marked as such then the response will have the "AD" bit set. -Any DNS record line in a zone file can be prefixed with "AA " +Any DNS record line can be prefixed with "NXDOMAIN "; +The record will be ignored (but the prefix set still applied); +This lets us return a DNSSEC NXDOMAIN. + +Any DNS record line can be prefixed with "AA " if all the records found by a lookup are marked as such then the response will have the "AA" bit set. @@ -354,6 +358,7 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL) int qtlen = qtypelen; BOOL rr_sec = FALSE; BOOL rr_aa = FALSE; + BOOL rr_ignore = FALSE; int delay = 0; uint ttl = DEFAULT_TTL; 
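Review bot: The new documentation paragraph for the `NXDOMAIN ` prefix (hunk `@@ -53,11 +53,15 @@`) is three clauses joined by semicolons and leaves the prefix-ordering rule implicit, although the parser change in this commit consumes `DNSSEC ` before it tests for `NXDOMAIN `, so zone lines must be written `DNSSEC NXDOMAIN ...` and not the reverse. Suggest: `Any DNS record line can be prefixed with "NXDOMAIN ". The record is then omitted from the answer, but a preceding "DNSSEC " prefix is still honoured, so a zone can return an authenticated (AD) empty answer for a name. "DNSSEC " must come before "NXDOMAIN " on the line.` Whether the empty answer is reported to the caller as NXDOMAIN rather than NODATA depends on code outside this hunk and should be checked before the wording promises NXDOMAIN.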
@@ -379,6 +384,11 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL) rr_sec = TRUE; p += 7; } + if (Ustrncmp(p, US"NXDOMAIN ", 9) == 0) /* ignore record content */ + { + rr_ignore = TRUE; + p += 9; + } else if (Ustrncmp(p, US"AA ", 3) == 0) /* tagged as authoritative */ { rr_aa = TRUE; @@ -464,6 +474,8 @@ while (fgets(CS buffer, sizeof(buffer), f) != NULL) if (aa && !rr_aa) *aa = FALSE; /* cancel AA return */ + if (rr_ignore) continue; + yield = 0; *countptr = *countptr + 1; diff --git a/test/stderr/5840 b/test/stderr/5840 index 75f938ab4..5ccf7cda0 100644 --- a/test/stderr/5840 +++ b/test/stderr/5840 @@ -73,6 +73,8 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] ### A server lacking a TLSA, dane required (should fail) ### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) ### A server where the A is dnssec and the TLSA _fails_ +### A server securely saying "no TLSA records here", dane required (should fail) +### A server securely saying "no TLSA records here", dane requested only (should transmit) ******** SERVER ******** ### TLSA (3 1 1) @@ -85,3 +87,5 @@ LOG: unexpected disconnection while reading SMTP command from [127.0.0.1] ### A server lacking a TLSA, dane required (should fail) ### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) ### A server where the A is dnssec and the TLSA _fails_ +### A server securely saying "no TLSA records here", dane required (should fail) +### A server securely saying "no TLSA records here", dane requested only (should transmit) diff --git a/test/stdout/5840 b/test/stdout/5840 index 5071e7de5..32425d2e2 100644 --- a/test/stdout/5840 +++ b/test/stdout/5840 
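Review bot: In the `@@ -379,6 +384,11 @@` hunk the new `NXDOMAIN ` test is a standalone `if` placed after the `DNSSEC ` block but chained with the `else if` for `AA `, so `DNSSEC NXDOMAIN` works (the new zone lines depend on this), `NXDOMAIN DNSSEC` would presumably leave `DNSSEC ` to be read as part of the owner name, and `NXDOMAIN AA` cannot be expressed at all. A comment on the new `if`, e.g. `/* must follow the DNSSEC test: zone lines read "DNSSEC NXDOMAIN ..."; AA cannot be combined with this */`, would stop a later reader from "fixing" it into an `else if`. In the `@@ -464,6 +474,8 @@` hunk `if (rr_ignore) continue;` sits after the AA cancellation and before `yield = 0` and the count increment, which is the right spot to keep the AD/AA accounting while dropping the record; a one-liner such as `/* NXDOMAIN-tagged: flags already applied, contribute no RR */` would make that placement deliberate. The enclosing `while (fgets(...))` loop starts and ends outside both hunks.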
@@ -17,6 +17,8 @@ ### A server lacking a TLSA, dane required (should fail) ### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) ### A server where the A is dnssec and the TLSA _fails_ +### A server securely saying "no TLSA records here", dane required (should fail) +### A server securely saying "no TLSA records here", dane requested only (should transmit) ******** SERVER ******** ### TLSA (3 1 1) @@ -29,3 +31,5 @@ ### A server lacking a TLSA, dane required (should fail) ### A server lacking a TLSA, dane requested only (should fail, as the NXDOMAIN is not DNSSEC) ### A server where the A is dnssec and the TLSA _fails_ +### A server securely saying "no TLSA records here", dane required (should fail) +### A server securely saying "no TLSA records here", dane requested only (should transmit) -- cgit v1.2.3 From 6b5242044dfe4061d52edfd975c6020914e3c1be Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 14 May 2017 17:06:17 +0100 Subject: Revert "DANE: do not trust a non-dnssec NXDOMAIN return for the TLSA lookup" This reverts commit 5d6bdf01a921a88030e9baec7ba5f238da90e979. --- src/src/transports/smtp.c | 2 +- test/log/5840 | 15 ++++++++++----- 2 files changed, 11 insertions(+), 6 deletions(-) (limited to 'test/log/5840') diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 9c95a4124..8f1e0bff8 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -1209,7 +1209,7 @@ switch (rc) case DNS_NODATA: /* no TLSA RR for this lookup */ case DNS_NOMATCH: /* no records at all for this lookup */ - return dane_required ? FAIL : sec ? FAIL_FORCED : DEFER; + return dane_required ? FAIL : FAIL_FORCED; default: case DNS_FAIL: diff --git a/test/log/5840 b/test/log/5840 index b2f949009..9d134ca6d 100644 --- a/test/log/5840 +++ b/test/log/5840 
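Review bot: The restored `return dane_required ? FAIL : FAIL_FORCED;` on the `DNS_NODATA`/`DNS_NOMATCH` path no longer consults `sec`, so under hosts_try_dane an insecure denial of existence for the TLSA name now yields FAIL_FORCED (fall back to non-DANE delivery) exactly as a secure one does, which the test/log hunk of this commit shows as dane.no.2 being delivered with `CV=no`. Neither the code nor the commit message says why the stricter DEFER was dropped; presumably the reasoning is that with a validating resolver a tampered TLSA answer surfaces as DNS_FAIL (the next case) rather than as an insecure NXDOMAIN, which as I recall matches RFC 7672's handling of insecure TLSA lookups, but that deserves to be written next to the code: `/* TLSA absent (secure or insecure denial): no DANE for this host; merely-requested DANE falls back to ordinary TLS */`. `sec` is declared outside the hunk, so check it is still used elsewhere in this function. The enclosing `switch (rc)` starts before and ends after this hunk.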
@@ -36,8 +36,10 @@ 1999-03-02 09:44:33 10HmbI-0005vi-00 ** CALLER@dane.no.1.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL 1999-03-02 09:44:33 10HmbI-0005vi-00 CALLER@dane.no.1.test.ex: error ignored 1999-03-02 09:44:33 10HmbI-0005vi-00 Completed -1999-03-02 09:44:33 10HmbJ-0005vi-00 H=dane.no.2.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER -1999-03-02 09:44:33 10HmbJ-0005vi-00 == CALLER@dane.no.2.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER +1999-03-02 09:44:33 10HmbJ-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock +1999-03-02 09:44:33 10HmbJ-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="dane.no.2.test.ex" +1999-03-02 09:44:33 10HmbJ-0005vi-00 => CALLER@dane.no.2.test.ex R=client T=send_to_server H=dane.no.2.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbN-0005vi-00" +1999-03-02 09:44:33 10HmbJ-0005vi-00 Completed 1999-03-02 09:44:33 10HmbK-0005vi-00 H=danebroken1.test.ex [127.0.0.1]: DANE error: tlsa lookup DEFER 1999-03-02 09:44:33 10HmbK-0005vi-00 == CALLER@danebroken1.test.ex R=client T=send_to_server defer (-36): DANE error: tlsa lookup DEFER 1999-03-02 09:44:33 10HmbL-0005vi-00 ** CALLER@dane.no.3.test.ex R=client T=send_to_server: DANE error: tlsa lookup FAIL 
@@ -45,7 +47,7 @@ 1999-03-02 09:44:33 10HmbL-0005vi-00 Completed 1999-03-02 09:44:33 10HmbM-0005vi-00 [127.0.0.1] SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock 1999-03-02 09:44:33 10HmbM-0005vi-00 [127.0.0.1] SSL verify error: certificate name mismatch: DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" H="dane.no.4.test.ex" -1999-03-02 09:44:33 10HmbM-0005vi-00 => CALLER@dane.no.4.test.ex R=client T=send_to_server H=dane.no.4.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbN-0005vi-00" +1999-03-02 09:44:33 10HmbM-0005vi-00 => CALLER@dane.no.4.test.ex R=client T=send_to_server H=dane.no.4.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbO-0005vi-00" 1999-03-02 09:44:33 10HmbM-0005vi-00 Completed 1999-03-02 09:44:33 End queue run: pid=pppp -qf 
@@ -70,6 +72,9 @@ 1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbG-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmbN-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbM-0005vi-00@myhost.test.ex for CALLER@dane.no.4.test.ex -1999-03-02 09:44:33 10HmbN-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbN-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbJ-0005vi-00@myhost.test.ex for CALLER@dane.no.2.test.ex +1999-03-02 09:44:33 10HmbN-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbN-0005vi-00 Completed +1999-03-02 09:44:33 10HmbO-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=no S=sss id=E10HmbM-0005vi-00@myhost.test.ex for CALLER@dane.no.4.test.ex +1999-03-02 09:44:33 10HmbO-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbO-0005vi-00 Completed -- cgit v1.2.3