summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2022-04-15 10:36:56 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2022-04-15 11:22:04 +0100
commitec2a355fdc961aba7ace27c624c01accd58dc1ed (patch)
treef9641fcbe830c2c3c231fc833b7c9baded9bc4b3
parentfa714063ea46ef6dd92dbef3525781d85513394b (diff)
TLS resumption: support Outlook hosts-behind-loadbalancer
-rw-r--r--doc/doc-docbook/spec.xfpt30
-rw-r--r--doc/doc-txt/OptionLists.txt3
-rw-r--r--src/src/structs.h4
-rw-r--r--src/src/tls.c9
-rw-r--r--src/src/transports/smtp.c52
-rw-r--r--src/src/transports/smtp.h3
-rw-r--r--test/confs/58903
-rw-r--r--test/confs/58923
-rw-r--r--test/log/589080
-rw-r--r--test/log/589116
-rw-r--r--test/log/589280
-rw-r--r--test/scripts/5890-Resume-GnuTLS/589014
-rw-r--r--test/scripts/5891-Resume-GnuTLS-OCSP/5891 (renamed from test/scripts/5891-Resume-GnuTLS-OCSP/5890)2
-rw-r--r--test/scripts/5892-Resume-OpenSSL/589215
-rw-r--r--test/stderr/541096
-rw-r--r--test/stderr/542096
-rw-r--r--test/stdout/05721
17 files changed, 486 insertions, 21 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 98ca33d23..89f762436 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -25515,6 +25515,36 @@ helo_data = ${lookup dnsdb{ptr=$sending_ip_address} \
The use of &%helo_data%& applies both to sending messages and when doing
callouts.
+.new
+.option host_name_extract smtp "string list&!!" "see below"
+.cindex "load balancer" "hosts behind"
+.cindex TLS resumption
+Some mail-accepting sites
+(notably Microsoft)
+operate many servers behind a network load-balancer. When this is done,
+with separated TLS session caches, TLS session resuption becomes problematic.
+It will only succeed when the same server happens to be selected by the
+load-balancer, matching the session stored in the client's cache.
+
+Exim can pull out a server name, if there is one, from the response to the
+client's SMTP EHLO command.
+The default value of this option:
+.code
+ ${if and { {match {$host} {.outlook.com\$}} \
+ {match {$item} {\N^250-([\w.]+)\s\N}} \
+ } {$1}}
+.endd
+suffices for one known case.
+During the expansion of this option the &$item$& variable will have the
+server's EHLO response.
+The result of the option expansion is included in the key used to store and
+retrieve the TLS session, for sessino resumption.
+
+Operators of high-load sites may wish to evaluate their logs for indications
+of other destination sites operating load-balancers, and develop a suitable
+expression for this option.
+.wen
+
.option hosts smtp "string list&!!" unset
Hosts are associated with an address by a router such as &(dnslookup)&, which
finds the hosts by looking up the address domain in the DNS, or by
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index 4314c534b..55b0f36fc 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -296,6 +296,9 @@ hold_domains domain list unset main
home_directory string* unset transports 4.00 replaces individual options
host_all_ignored string "defer" manualroute 4.67
host_find_failed string "freeze" manualroute 4.00
+host_name_extract string
+ "${if and {{match{.outlook.com\\$}{$host}} {match{$item}{\\N^250-([\\w.]+)\\s\\N}}} {$1}}"
+ smtp 4.96
host_lookup host list unset main 3.00
host_lookup_order string list "bydns:byaddr" main 4.30
host_reject_connection host list unset main 4.00
diff --git a/src/src/structs.h b/src/src/structs.h
index 9bf3aebe2..087683c49 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -830,8 +830,10 @@ typedef struct {
host_item * host;
int host_af;
uschar * interface;
- uschar * sending_ip_address; /* used for TLS resumption */
+
int sock; /* used for a bound but not connected socket */
+ uschar * sending_ip_address; /* used for TLS resumption */
+ const uschar * host_lbserver; /* ditto, for server-behind LB */
#ifdef SUPPORT_DANE
BOOL dane:1; /* connection must do dane */
diff --git a/src/src/tls.c b/src/src/tls.c
index c9bc556fc..e80dd9aaf 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -804,16 +804,19 @@ hctx * h = &tlsp->resume_hctx;
blob b;
gstring * g;
+DEBUG(D_tls) if (conn_args->host_lbserver)
+ debug_printf("TLS: lbserver '%s'\n", conn_args->host_lbserver);
+
#ifdef EXIM_HAVE_SHA2
exim_sha_init(h, HASH_SHA2_256);
#else
exim_sha_init(h, HASH_SHA1);
#endif
-
-// TODO: word from server EHLO resp /* how, fer gossakes? Add item to conn_args or tls_support? */
-
+exim_sha_update_string(h, conn_args->host_lbserver);
+#ifdef SUPPORT_DANE
if (conn_args->dane)
exim_sha_update(h, CUS &conn_args->tlsa_dnsa, sizeof(dns_answer));
+#endif
exim_sha_update_string(h, conn_args->host->address);
exim_sha_update(h, CUS &conn_args->host->port, sizeof(conn_args->host->port));
exim_sha_update_string(h, conn_args->sending_ip_address);
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index f9e319c79..e2368da13 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -64,6 +64,9 @@ optionlist smtp_transport_options[] = {
{ "final_timeout", opt_time, LOFF(final_timeout) },
{ "gethostbyname", opt_bool, LOFF(gethostbyname) },
{ "helo_data", opt_stringptr, LOFF(helo_data) },
+#if !defined(DISABLE_TLS) && !defined(DISABLE_TLS_RESUME)
+ { "host_name_extract", opt_stringptr, LOFF(host_name_extract) },
+# endif
{ "hosts", opt_stringptr, LOFF(hosts) },
{ "hosts_avoid_esmtp", opt_stringptr, LOFF(hosts_avoid_esmtp) },
{ "hosts_avoid_pipelining", opt_stringptr, LOFF(hosts_avoid_pipelining) },
@@ -199,6 +202,9 @@ smtp_transport_options_block smtp_transport_option_defaults = {
.tls_tempfail_tryclear = TRUE,
.tls_try_verify_hosts = US"*",
.tls_verify_cert_hostnames = US"*",
+# ifndef DISABLE_TLS_RESUME
+ .host_name_extract = US"${if and {{match{$host}{.outlook.com\\$}} {match{$item}{\\N^250-([\\w.]+)\\s\\N}}} {$1}}",
+# endif
#endif
#ifdef SUPPORT_I18N
.utf8_downconvert = US"-1",
@@ -1066,6 +1072,7 @@ if (pending_EHLO)
if (tls_out.active.sock >= 0 || !(peer_offered & OPTION_TLS))
ehlo_response_limits_read(sx);
#endif
+/*XXX RESUMP - EHLO-resp avail here int sx->buffer */
if ( peer_offered != sx->peer_offered
|| (authbits = study_ehlo_auths(sx)) != *ap)
{
@@ -1874,6 +1881,28 @@ return checks;
+/* Grab a string differentiating server behind a loadbalancer, for TLS
+resumption when such servers do not share a session-cache */
+
+static const uschar *
+ehlo_response_lbserver(uschar * buffer, smtp_transport_options_block * ob)
+{
+#if !defined(DISABLE_TLS) && !defined(DISABLE_TLS_RESUME)
+/* want to make this a main-section option */
+const uschar * s;
+uschar * save_item = iterate_item;
+
+iterate_item = buffer;
+s = expand_cstring(ob->host_name_extract);
+iterate_item = save_item;
+return s && !*s ? NULL : s;
+#else
+return NULL;
+#endif
+}
+
+
+
/* Callback for emitting a BDAT data chunk header.
If given a nonzero size, first flush any buffered SMTP commands
@@ -2516,6 +2545,8 @@ goto SEND_QUIT;
: 0
)
#endif
+/*XXX RESUMP - sx->buffer has the EHLO-resp, but only if not early-pipe and not continued-connection */
+/* maybe disable resump on cont? */
);
#ifdef EXPERIMENTAL_ESMTP_LIMITS
if (tls_out.active.sock >= 0 || !(sx->peer_offered & OPTION_TLS))
@@ -2538,6 +2569,7 @@ goto SEND_QUIT;
}
}
#endif
+ sx->conn_args.host_lbserver = ehlo_response_lbserver(sx->buffer, ob);
}
/* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
@@ -2629,14 +2661,19 @@ if ( smtp_peer_options & OPTION_TLS
the response for the STARTTLS we just sent alone. On fail, assume wrong
cached capability and retry with the pipelining disabled. */
- if (sx->early_pipe_active && sync_responses(sx, 2, 0) != 0)
+ if (sx->early_pipe_active)
{
- HDEBUG(D_transport)
- debug_printf("failed reaping pipelined cmd responses\n");
- close(sx->cctx.sock);
- sx->cctx.sock = -1;
- sx->early_pipe_active = FALSE;
- goto PIPE_CONNECT_RETRY;
+ if (sync_responses(sx, 2, 0) != 0)
+ {
+ HDEBUG(D_transport)
+ debug_printf("failed reaping pipelined cmd responses\n");
+ close(sx->cctx.sock);
+ sx->cctx.sock = -1;
+ sx->early_pipe_active = FALSE;
+ goto PIPE_CONNECT_RETRY;
+ }
+/*XXX RESUMP - does this leave the EHLO-resp anywhere? Yes, sx->buffer */
+ sx->conn_args.host_lbserver = ehlo_response_lbserver(sx->buffer, ob);
}
#endif
@@ -2666,6 +2703,7 @@ if ( smtp_peer_options & OPTION_TLS
TLS_NEGOTIATE:
{
sx->conn_args.sending_ip_address = sending_ip_address;
+ /*XXX RESUMP want LB-server info here */
if (!tls_client_start(&sx->cctx, &sx->conn_args, sx->addrlist, &tls_out, &tls_errstr))
{
/* TLS negotiation failed; give an error. From outside, this function may
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 2ed6cfd51..8dbd1fcf3 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -83,7 +83,7 @@ typedef struct {
int size_addition;
int hosts_max_try;
int hosts_max_try_hardlimit;
- int message_linelength_limit;
+ int message_linelength_limit;
BOOL address_retry_include_sender;
BOOL allow_localhost;
BOOL authenticated_sender_force;
@@ -108,6 +108,7 @@ typedef struct {
uschar *tls_privatekey;
uschar *tls_require_ciphers;
# ifndef DISABLE_TLS_RESUME
+ uschar *host_name_extract;
uschar *tls_resumption_hosts;
# endif
const uschar *tls_sni;
diff --git a/test/confs/5890 b/test/confs/5890
index 0c812fd89..88743cfd0 100644
--- a/test/confs/5890
+++ b/test/confs/5890
@@ -82,6 +82,9 @@ send_to_server1:
hosts = 127.0.0.1
port = PORT_D
helo_data = helo.data.changed
+.ifdef HELO_MSG
+ host_name_extract = HELO_MSG
+.endif
.ifdef VALUE
tls_resumption_hosts = *
.else
diff --git a/test/confs/5892 b/test/confs/5892
index a7738468f..0aec9bfaf 100644
--- a/test/confs/5892
+++ b/test/confs/5892
@@ -86,6 +86,9 @@ send_to_server1:
hosts = 127.0.0.1
port = PORT_D
helo_data = helo.data.changed
+.ifdef HELO_MSG
+ host_name_extract = HELO_MSG
+.endif
.ifdef VALUE
tls_resumption_hosts = *
.else
diff --git a/test/log/5890 b/test/log/5890
index 6d6a6a8b2..97f779835 100644
--- a/test/log/5890
+++ b/test/log/5890
@@ -156,6 +156,46 @@
1999-03-02 09:44:33 10HmbZ-0005vi-00 bits 256
1999-03-02 09:44:33 10HmbZ-0005vi-00 => notreq@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcA-0005vi-00"
1999-03-02 09:44:33 10HmbZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmcB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for getticket@test.ex
+1999-03-02 09:44:33 10HmcB-0005vi-00 tls_out_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 10HmcB-0005vi-00 our cert subject
+1999-03-02 09:44:33 10HmcB-0005vi-00 peer cert subject CN=server1.example.com
+1999-03-02 09:44:33 10HmcB-0005vi-00 peer cert verified 1
+1999-03-02 09:44:33 10HmcB-0005vi-00 peer dn CN=server1.example.com
+1999-03-02 09:44:33 10HmcB-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmcB-0005vi-00 bits 256
+1999-03-02 09:44:33 10HmcB-0005vi-00 => getticket@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcC-0005vi-00"
+1999-03-02 09:44:33 10HmcB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmcD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for noresume@test.ex
+1999-03-02 09:44:33 10HmcD-0005vi-00 tls_out_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 10HmcD-0005vi-00 our cert subject
+1999-03-02 09:44:33 10HmcD-0005vi-00 peer cert subject CN=server1.example.com
+1999-03-02 09:44:33 10HmcD-0005vi-00 peer cert verified 1
+1999-03-02 09:44:33 10HmcD-0005vi-00 peer dn CN=server1.example.com
+1999-03-02 09:44:33 10HmcD-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmcD-0005vi-00 bits 256
+1999-03-02 09:44:33 10HmcD-0005vi-00 => noresume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcE-0005vi-00"
+1999-03-02 09:44:33 10HmcD-0005vi-00 Completed
+1999-03-02 09:44:33 10HmcF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for resume@test.ex
+1999-03-02 09:44:33 10HmcF-0005vi-00 tls_out_resumption session resumed, also new ticket
+1999-03-02 09:44:33 10HmcF-0005vi-00 our cert subject
+1999-03-02 09:44:33 10HmcF-0005vi-00 peer cert subject CN=server1.example.com
+1999-03-02 09:44:33 10HmcF-0005vi-00 peer cert verified 1
+1999-03-02 09:44:33 10HmcF-0005vi-00 peer dn CN=server1.example.com
+1999-03-02 09:44:33 10HmcF-0005vi-00 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmcF-0005vi-00 bits 256
+1999-03-02 09:44:33 10HmcF-0005vi-00 => resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcG-0005vi-00"
+1999-03-02 09:44:33 10HmcF-0005vi-00 Completed
+1999-03-02 09:44:33 10HmcH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for resume@test.ex
+1999-03-02 09:44:33 10HmcH-0005vi-00 tls_out_resumption session resumed, also new ticket
+1999-03-02 09:44:33 10HmcH-0005vi-00 our cert subject
+1999-03-02 09:44:33 10HmcH-0005vi-00 peer cert subject CN=server1.example.com
+1999-03-02 09:44:33 10HmcH-0005vi-00 peer cert verified 1
+1999-03-02 09:44:33 10HmcH-0005vi-00 peer dn CN=server1.example.com
+1999-03-02 09:44:33 10HmcH-0005vi-00 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmcH-0005vi-00 bits 256
+1999-03-02 09:44:33 10HmcH-0005vi-00 => resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcI-0005vi-00"
+1999-03-02 09:44:33 10HmcH-0005vi-00 Completed
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
@@ -322,3 +362,43 @@
1999-03-02 09:44:33 10HmcA-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for notreq@test.ex
1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: <notreq@test.ex> R=server
1999-03-02 09:44:33 10HmcA-0005vi-00 Completed
+1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 our cert subject CN=server1.example.com
+1999-03-02 09:44:33 peer cert subject
+1999-03-02 09:44:33 peer cert verified 0
+1999-03-02 09:44:33 peer dn
+1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits 256
+1999-03-02 09:44:33 10HmcC-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcB-0005vi-00@myhost.test.ex for getticket@test.ex
+1999-03-02 09:44:33 10HmcC-0005vi-00 => :blackhole: <getticket@test.ex> R=server
+1999-03-02 09:44:33 10HmcC-0005vi-00 Completed
+1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 our cert subject CN=server1.example.com
+1999-03-02 09:44:33 peer cert subject
+1999-03-02 09:44:33 peer cert verified 0
+1999-03-02 09:44:33 peer dn
+1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits 256
+1999-03-02 09:44:33 10HmcE-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcD-0005vi-00@myhost.test.ex for noresume@test.ex
+1999-03-02 09:44:33 10HmcE-0005vi-00 => :blackhole: <noresume@test.ex> R=server
+1999-03-02 09:44:33 10HmcE-0005vi-00 Completed
+1999-03-02 09:44:33 tls_in_resumption session resumed, also new ticket
+1999-03-02 09:44:33 our cert subject
+1999-03-02 09:44:33 peer cert subject
+1999-03-02 09:44:33 peer cert verified 0
+1999-03-02 09:44:33 peer dn
+1999-03-02 09:44:33 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits 256
+1999-03-02 09:44:33 10HmcG-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmcF-0005vi-00@myhost.test.ex for resume@test.ex
+1999-03-02 09:44:33 10HmcG-0005vi-00 => :blackhole: <resume@test.ex> R=server
+1999-03-02 09:44:33 10HmcG-0005vi-00 Completed
+1999-03-02 09:44:33 tls_in_resumption session resumed, also new ticket
+1999-03-02 09:44:33 our cert subject
+1999-03-02 09:44:33 peer cert subject
+1999-03-02 09:44:33 peer cert verified 0
+1999-03-02 09:44:33 peer dn
+1999-03-02 09:44:33 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits 256
+1999-03-02 09:44:33 10HmcI-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmcH-0005vi-00@myhost.test.ex for resume@test.ex
+1999-03-02 09:44:33 10HmcI-0005vi-00 => :blackhole: <resume@test.ex> R=server
+1999-03-02 09:44:33 10HmcI-0005vi-00 Completed
diff --git a/test/log/5891 b/test/log/5891
index 5ffb9ccf7..b33d5d27d 100644
--- a/test/log/5891
+++ b/test/log/5891
@@ -129,7 +129,7 @@
1999-03-02 09:44:33 10HmbQ-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbS-0005vi-00"
1999-03-02 09:44:33 10HmbQ-0005vi-00 Completed
1999-03-02 09:44:33 10HmbT-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for renewal@test.ex
-1999-03-02 09:44:33 10HmbT-0005vi-00 tls_out_resumption session resumed, also new ticket
+1999-03-02 09:44:33 10HmbT-0005vi-00 tls_out_resumption session resumed
1999-03-02 09:44:33 10HmbT-0005vi-00 our cert subject
1999-03-02 09:44:33 10HmbT-0005vi-00 peer cert subject CN=server1.example.com
1999-03-02 09:44:33 10HmbT-0005vi-00 peer cert verified 1
@@ -140,7 +140,7 @@
1999-03-02 09:44:33 10HmbT-0005vi-00 => renewal@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbU-0005vi-00"
1999-03-02 09:44:33 10HmbT-0005vi-00 Completed
1999-03-02 09:44:33 10HmbV-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for postrenewal@test.ex
-1999-03-02 09:44:33 10HmbV-0005vi-00 tls_out_resumption session resumed, also new ticket
+1999-03-02 09:44:33 10HmbV-0005vi-00 tls_out_resumption session resumed
1999-03-02 09:44:33 10HmbV-0005vi-00 our cert subject
1999-03-02 09:44:33 10HmbV-0005vi-00 peer cert subject CN=server1.example.com
1999-03-02 09:44:33 10HmbV-0005vi-00 peer cert verified 1
@@ -175,7 +175,7 @@
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 tls_in_resumption client offered session, server only provided new ticket
1999-03-02 09:44:33 our cert subject CN=server1.example.com
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
@@ -198,7 +198,7 @@
1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <xyz@test.ex> R=server
1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <resume@test.ex> R=server
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
-1999-03-02 09:44:33 tls_in_resumption not requested or offered
+1999-03-02 09:44:33 tls_in_resumption 0x05
1999-03-02 09:44:33 our cert subject CN=server1.example.com
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
@@ -242,7 +242,7 @@
1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbG-0005vi-00@myhost.test.ex for timeout@test.ex
1999-03-02 09:44:33 10HmbH-0005vi-00 => :blackhole: <timeout@test.ex> R=server
1999-03-02 09:44:33 10HmbH-0005vi-00 Completed
-1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 tls_in_resumption client offered session, server only provided new ticket
1999-03-02 09:44:33 our cert subject CN=server1.example.com
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
@@ -253,7 +253,7 @@
1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbI-0005vi-00@myhost.test.ex for notreq@test.ex
1999-03-02 09:44:33 10HmbJ-0005vi-00 => :blackhole: <notreq@test.ex> R=server
1999-03-02 09:44:33 10HmbJ-0005vi-00 Completed
-1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 tls_in_resumption client offered session, server only provided new ticket
1999-03-02 09:44:33 our cert subject CN=server1.example.com
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
@@ -310,7 +310,7 @@
1999-03-02 09:44:33 10HmbS-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbQ-0005vi-00@myhost.test.ex for abcd@test.ex
1999-03-02 09:44:33 10HmbS-0005vi-00 => :blackhole: <abcd@test.ex> R=server
1999-03-02 09:44:33 10HmbS-0005vi-00 Completed
-1999-03-02 09:44:33 tls_in_resumption session resumed, also new ticket
+1999-03-02 09:44:33 tls_in_resumption session resumed
1999-03-02 09:44:33 our cert subject
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
@@ -321,7 +321,7 @@
1999-03-02 09:44:33 10HmbU-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbT-0005vi-00@myhost.test.ex for renewal@test.ex
1999-03-02 09:44:33 10HmbU-0005vi-00 => :blackhole: <renewal@test.ex> R=server
1999-03-02 09:44:33 10HmbU-0005vi-00 Completed
-1999-03-02 09:44:33 tls_in_resumption session resumed, also new ticket
+1999-03-02 09:44:33 tls_in_resumption session resumed
1999-03-02 09:44:33 our cert subject
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0
diff --git a/test/log/5892 b/test/log/5892
index b3d395f5e..58e9e6e6c 100644
--- a/test/log/5892
+++ b/test/log/5892
@@ -88,6 +88,46 @@
1999-03-02 09:44:33 10HmbM-0005vi-00 bits 256
1999-03-02 09:44:33 10HmbM-0005vi-00 => noverify_resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbN-0005vi-00"
1999-03-02 09:44:33 10HmbM-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbO-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for getticket@test.ex
+1999-03-02 09:44:33 10HmbO-0005vi-00 tls_out_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 10HmbO-0005vi-00 our cert subject
+1999-03-02 09:44:33 10HmbO-0005vi-00 peer cert subject CN=server1.example.com
+1999-03-02 09:44:33 10HmbO-0005vi-00 peer cert verified 1
+1999-03-02 09:44:33 10HmbO-0005vi-00 peer dn /CN=server1.example.com
+1999-03-02 09:44:33 10HmbO-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmbO-0005vi-00 bits 256
+1999-03-02 09:44:33 10HmbO-0005vi-00 => getticket@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbP-0005vi-00"
+1999-03-02 09:44:33 10HmbO-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbQ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for noresume@test.ex
+1999-03-02 09:44:33 10HmbQ-0005vi-00 tls_out_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 10HmbQ-0005vi-00 our cert subject
+1999-03-02 09:44:33 10HmbQ-0005vi-00 peer cert subject CN=server1.example.com
+1999-03-02 09:44:33 10HmbQ-0005vi-00 peer cert verified 1
+1999-03-02 09:44:33 10HmbQ-0005vi-00 peer dn /CN=server1.example.com
+1999-03-02 09:44:33 10HmbQ-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmbQ-0005vi-00 bits 256
+1999-03-02 09:44:33 10HmbQ-0005vi-00 => noresume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbR-0005vi-00"
+1999-03-02 09:44:33 10HmbQ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbS-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for resume@test.ex
+1999-03-02 09:44:33 10HmbS-0005vi-00 tls_out_resumption session resumed
+1999-03-02 09:44:33 10HmbS-0005vi-00 our cert subject
+1999-03-02 09:44:33 10HmbS-0005vi-00 peer cert subject CN=server1.example.com
+1999-03-02 09:44:33 10HmbS-0005vi-00 peer cert verified 1
+1999-03-02 09:44:33 10HmbS-0005vi-00 peer dn /CN=server1.example.com
+1999-03-02 09:44:33 10HmbS-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmbS-0005vi-00 bits 256
+1999-03-02 09:44:33 10HmbS-0005vi-00 => resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbT-0005vi-00"
+1999-03-02 09:44:33 10HmbS-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbU-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for resume@test.ex
+1999-03-02 09:44:33 10HmbU-0005vi-00 tls_out_resumption session resumed
+1999-03-02 09:44:33 10HmbU-0005vi-00 our cert subject
+1999-03-02 09:44:33 10HmbU-0005vi-00 peer cert subject CN=server1.example.com
+1999-03-02 09:44:33 10HmbU-0005vi-00 peer cert verified 1
+1999-03-02 09:44:33 10HmbU-0005vi-00 peer dn /CN=server1.example.com
+1999-03-02 09:44:33 10HmbU-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 10HmbU-0005vi-00 bits 256
+1999-03-02 09:44:33 10HmbU-0005vi-00 => resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbV-0005vi-00"
+1999-03-02 09:44:33 10HmbU-0005vi-00 Completed
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
@@ -182,3 +222,43 @@
1999-03-02 09:44:33 10HmbN-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbM-0005vi-00@myhost.test.ex for noverify_resume@test.ex
1999-03-02 09:44:33 10HmbN-0005vi-00 => :blackhole: <noverify_resume@test.ex> R=server
1999-03-02 09:44:33 10HmbN-0005vi-00 Completed
+1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 our cert subject CN=server1.example.com
+1999-03-02 09:44:33 peer cert subject
+1999-03-02 09:44:33 peer cert verified 0
+1999-03-02 09:44:33 peer dn
+1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits 256
+1999-03-02 09:44:33 10HmbP-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbO-0005vi-00@myhost.test.ex for getticket@test.ex
+1999-03-02 09:44:33 10HmbP-0005vi-00 => :blackhole: <getticket@test.ex> R=server
+1999-03-02 09:44:33 10HmbP-0005vi-00 Completed
+1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided
+1999-03-02 09:44:33 our cert subject CN=server1.example.com
+1999-03-02 09:44:33 peer cert subject
+1999-03-02 09:44:33 peer cert verified 0
+1999-03-02 09:44:33 peer dn
+1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits 256
+1999-03-02 09:44:33 10HmbR-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbQ-0005vi-00@myhost.test.ex for noresume@test.ex
+1999-03-02 09:44:33 10HmbR-0005vi-00 => :blackhole: <noresume@test.ex> R=server
+1999-03-02 09:44:33 10HmbR-0005vi-00 Completed
+1999-03-02 09:44:33 tls_in_resumption session resumed
+1999-03-02 09:44:33 our cert subject CN=server1.example.com
+1999-03-02 09:44:33 peer cert subject
+1999-03-02 09:44:33 peer cert verified 0
+1999-03-02 09:44:33 peer dn
+1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits 256
+1999-03-02 09:44:33 10HmbT-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbS-0005vi-00@myhost.test.ex for resume@test.ex
+1999-03-02 09:44:33 10HmbT-0005vi-00 => :blackhole: <resume@test.ex> R=server
+1999-03-02 09:44:33 10HmbT-0005vi-00 Completed
+1999-03-02 09:44:33 tls_in_resumption session resumed, also new ticket
+1999-03-02 09:44:33 our cert subject CN=server1.example.com
+1999-03-02 09:44:33 peer cert subject
+1999-03-02 09:44:33 peer cert verified 0
+1999-03-02 09:44:33 peer dn
+1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx
+1999-03-02 09:44:33 bits 256
+1999-03-02 09:44:33 10HmbV-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbU-0005vi-00@myhost.test.ex for resume@test.ex
+1999-03-02 09:44:33 10HmbV-0005vi-00 => :blackhole: <resume@test.ex> R=server
+1999-03-02 09:44:33 10HmbV-0005vi-00 Completed
diff --git a/test/scripts/5890-Resume-GnuTLS/5890 b/test/scripts/5890-Resume-GnuTLS/5890
index d54973cef..d129da2db 100644
--- a/test/scripts/5890-Resume-GnuTLS/5890
+++ b/test/scripts/5890-Resume-GnuTLS/5890
@@ -65,5 +65,19 @@ Test message.
exim -odf notreq@test.ex
Test message, not requesting resumption.
****
+#
+# Test the host_name_extract transport option. Due to the change the second
+# message's connection should not offer a session. The third should (on the 2nd),
+# as should the fourth (on the 1st).
+sudo rm -f DIR/spool/db/tls*
+exim -DVALUE=resume -odf getticket@test.ex
+****
+exim -DVALUE=resume -DHELO_MSG=differenthost -odf noresume@test.ex
+****
+exim -DVALUE=resume -DHELO_MSG=differenthost -odf resume@test.ex
+****
+exim -DVALUE=resume -odf resume@test.ex
+****
+#
killdaemon
no_msglog_check
diff --git a/test/scripts/5891-Resume-GnuTLS-OCSP/5890 b/test/scripts/5891-Resume-GnuTLS-OCSP/5891
index 449b0eb3d..a497fbb0b 100644
--- a/test/scripts/5891-Resume-GnuTLS-OCSP/5890
+++ b/test/scripts/5891-Resume-GnuTLS-OCSP/5891
@@ -29,7 +29,7 @@ Test message.
exim -odf notreq@test.ex
Test message, not requesting resumption.
****
-sudo rm -f DIR/spool/db/tls
+sudo rm -f DIR/spool/db/tls*
exim -odf -DVALUE=resume noverify_getticket@test.ex
Dest on this means the server cert will not verify (but try_verify will permit it)
****
diff --git a/test/scripts/5892-Resume-OpenSSL/5892 b/test/scripts/5892-Resume-OpenSSL/5892
index 1fdc7e949..814a27b6b 100644
--- a/test/scripts/5892-Resume-OpenSSL/5892
+++ b/test/scripts/5892-Resume-OpenSSL/5892
@@ -24,6 +24,7 @@ Test message.
exim -odf notreq@test.ex
Test message, not requesting resumption.
****
+#
sudo rm -f DIR/spool/db/tls*
exim -odf -DVALUE=resume noverify_getticket@test.ex
Dest on this means the server cert will not verify (but try_verify will permit it)
@@ -31,5 +32,19 @@ Dest on this means the server cert will not verify (but try_verify will permit i
exim -odf -DVALUE=resume noverify_resume@test.ex
Dest on this means the server cert will not verify (but try_verify will permit it)
****
+#
+# Test the host_name_extract transport option. Due to the change the second
+# message's connection should not offer a session. The third should (on the 2nd),
+# as should the fourth (on the 1st).
+sudo rm -f DIR/spool/db/tls*
+exim -DVALUE=resume -odf getticket@test.ex
+****
+exim -DVALUE=resume -DHELO_MSG=differenthost -odf noresume@test.ex
+****
+exim -DVALUE=resume -DHELO_MSG=differenthost -odf resume@test.ex
+****
+exim -DVALUE=resume -odf resume@test.ex
+****
+#
killdaemon
no_msglog_check
diff --git a/test/stderr/5410 b/test/stderr/5410
index 8599c878a..bbde8b873 100644
--- a/test/stderr/5410
+++ b/test/stderr/5410
@@ -80,6 +80,38 @@ cmd buf flush ddd bytes
250-PIPELINING
250-STARTTLS
250 HELP
+ ╭considering: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ╭considering: $host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├considering: }{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: $host
+ ╰─────result: 127.0.0.1
+ ╭considering: .outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├───────text: .outlook.com
+ ├considering: \$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├backslashed: '\$'
+ ├considering: }} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: .outlook.com\$
+ ╰─────result: .outlook.com$
+ ╭───scanning: $item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├───scanning: }{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: $item
+ ├─────result:
+ ╰───skipping: result is not used
+ ╭───scanning: \N^250-([\w.]+)\s\N}}} {$1}}
+ ├──protected: ^250-([\w.]+)\s
+ ├───scanning: }}} {$1}}
+ ├──expanding: \N^250-([\w.]+)\s\N
+ ├─────result: ^250-([\w.]+)\s
+ ╰───skipping: result is not used
+ ├──condition: and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}}
+ ├─────result: false
+ ╭───scanning: $1}}
+ ├───scanning: }}
+ ├──expanding: $1
+ ├─────result:
+ ╰───skipping: result is not used
+ ├──expanding: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ╰─────result:
╭considering: ${if eq {$address_data}{usery}{*}{:}}
╭considering: $address_data}{usery}{*}{:}}
├considering: }{usery}{*}{:}}
@@ -604,6 +636,38 @@ cmd buf flush ddd bytes
250-PIPELINING
250-STARTTLS
250 HELP
+ ╭considering: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ╭considering: $host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├considering: }{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: $host
+ ╰─────result: 127.0.0.1
+ ╭considering: .outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├───────text: .outlook.com
+ ├considering: \$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├backslashed: '\$'
+ ├considering: }} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: .outlook.com\$
+ ╰─────result: .outlook.com$
+ ╭───scanning: $item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├───scanning: }{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: $item
+ ├─────result:
+ ╰───skipping: result is not used
+ ╭───scanning: \N^250-([\w.]+)\s\N}}} {$1}}
+ ├──protected: ^250-([\w.]+)\s
+ ├───scanning: }}} {$1}}
+ ├──expanding: \N^250-([\w.]+)\s\N
+ ├─────result: ^250-([\w.]+)\s
+ ╰───skipping: result is not used
+ ├──condition: and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}}
+ ├─────result: false
+ ╭───scanning: $1}}
+ ├───scanning: }}
+ ├──expanding: $1
+ ├─────result:
+ ╰───skipping: result is not used
+ ├──expanding: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ╰─────result:
╭considering: ${if eq {$address_data}{usery}{*}{:}}
╭considering: $address_data}{usery}{*}{:}}
├considering: }{usery}{*}{:}}
@@ -1089,6 +1153,38 @@ cmd buf flush ddd bytes
250-PIPELINING
250-STARTTLS
250 HELP
+ ╭considering: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ╭considering: $host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├considering: }{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: $host
+ ╰─────result: 127.0.0.1
+ ╭considering: .outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├───────text: .outlook.com
+ ├considering: \$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├backslashed: '\$'
+ ├considering: }} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: .outlook.com\$
+ ╰─────result: .outlook.com$
+ ╭───scanning: $item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├───scanning: }{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: $item
+ ├─────result:
+ ╰───skipping: result is not used
+ ╭───scanning: \N^250-([\w.]+)\s\N}}} {$1}}
+ ├──protected: ^250-([\w.]+)\s
+ ├───scanning: }}} {$1}}
+ ├──expanding: \N^250-([\w.]+)\s\N
+ ├─────result: ^250-([\w.]+)\s
+ ╰───skipping: result is not used
+ ├──condition: and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}}
+ ├─────result: false
+ ╭───scanning: $1}}
+ ├───scanning: }}
+ ├──expanding: $1
+ ├─────result:
+ ╰───skipping: result is not used
+ ├──expanding: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ╰─────result:
╭considering: ${if eq {$address_data}{usery}{*}{:}}
╭considering: $address_data}{usery}{*}{:}}
├considering: }{usery}{*}{:}}
diff --git a/test/stderr/5420 b/test/stderr/5420
index 384a11736..27889f255 100644
--- a/test/stderr/5420
+++ b/test/stderr/5420
@@ -80,6 +80,38 @@ cmd buf flush ddd bytes
250-PIPELINING
250-STARTTLS
250 HELP
+ ╭considering: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ╭considering: $host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├considering: }{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: $host
+ ╰─────result: 127.0.0.1
+ ╭considering: .outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├───────text: .outlook.com
+ ├considering: \$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├backslashed: '\$'
+ ├considering: }} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: .outlook.com\$
+ ╰─────result: .outlook.com$
+ ╭───scanning: $item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├───scanning: }{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: $item
+ ├─────result:
+ ╰───skipping: result is not used
+ ╭───scanning: \N^250-([\w.]+)\s\N}}} {$1}}
+ ├──protected: ^250-([\w.]+)\s
+ ├───scanning: }}} {$1}}
+ ├──expanding: \N^250-([\w.]+)\s\N
+ ├─────result: ^250-([\w.]+)\s
+ ╰───skipping: result is not used
+ ├──condition: and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}}
+ ├─────result: false
+ ╭───scanning: $1}}
+ ├───scanning: }}
+ ├──expanding: $1
+ ├─────result:
+ ╰───skipping: result is not used
+ ├──expanding: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ╰─────result:
╭considering: ${if eq {$address_data}{usery}{*}{:}}
╭considering: $address_data}{usery}{*}{:}}
├considering: }{usery}{*}{:}}
@@ -605,6 +637,38 @@ cmd buf flush ddd bytes
250-PIPELINING
250-STARTTLS
250 HELP
+ ╭considering: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ╭considering: $host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├considering: }{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: $host
+ ╰─────result: 127.0.0.1
+ ╭considering: .outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├───────text: .outlook.com
+ ├considering: \$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├backslashed: '\$'
+ ├considering: }} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: .outlook.com\$
+ ╰─────result: .outlook.com$
+ ╭───scanning: $item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├───scanning: }{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: $item
+ ├─────result:
+ ╰───skipping: result is not used
+ ╭───scanning: \N^250-([\w.]+)\s\N}}} {$1}}
+ ├──protected: ^250-([\w.]+)\s
+ ├───scanning: }}} {$1}}
+ ├──expanding: \N^250-([\w.]+)\s\N
+ ├─────result: ^250-([\w.]+)\s
+ ╰───skipping: result is not used
+ ├──condition: and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}}
+ ├─────result: false
+ ╭───scanning: $1}}
+ ├───scanning: }}
+ ├──expanding: $1
+ ├─────result:
+ ╰───skipping: result is not used
+ ├──expanding: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ╰─────result:
╭considering: ${if eq {$address_data}{usery}{*}{:}}
╭considering: $address_data}{usery}{*}{:}}
├considering: }{usery}{*}{:}}
@@ -1090,6 +1154,38 @@ cmd buf flush ddd bytes
250-PIPELINING
250-STARTTLS
250 HELP
+ ╭considering: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ╭considering: $host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├considering: }{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: $host
+ ╰─────result: 127.0.0.1
+ ╭considering: .outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├───────text: .outlook.com
+ ├considering: \$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├backslashed: '\$'
+ ├considering: }} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: .outlook.com\$
+ ╰─────result: .outlook.com$
+ ╭───scanning: $item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├───scanning: }{\N^250-([\w.]+)\s\N}}} {$1}}
+ ├──expanding: $item
+ ├─────result:
+ ╰───skipping: result is not used
+ ╭───scanning: \N^250-([\w.]+)\s\N}}} {$1}}
+ ├──protected: ^250-([\w.]+)\s
+ ├───scanning: }}} {$1}}
+ ├──expanding: \N^250-([\w.]+)\s\N
+ ├─────result: ^250-([\w.]+)\s
+ ╰───skipping: result is not used
+ ├──condition: and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}}
+ ├─────result: false
+ ╭───scanning: $1}}
+ ├───scanning: }}
+ ├──expanding: $1
+ ├─────result:
+ ╰───skipping: result is not used
+ ├──expanding: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
+ ╰─────result:
╭considering: ${if eq {$address_data}{usery}{*}{:}}
╭considering: $address_data}{usery}{*}{:}}
├considering: }{usery}{*}{:}}
diff --git a/test/stdout/0572 b/test/stdout/0572
index 0ba712dcf..3345451c3 100644
--- a/test/stdout/0572
+++ b/test/stdout/0572
@@ -48,6 +48,7 @@ fallback_hosts =
final_timeout = 10m
no_gethostbyname
helo_data = $primary_hostname
+host_name_extract = ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}}
hosts =
hosts_avoid_esmtp =
hosts_avoid_pipelining =