From ec2a355fdc961aba7ace27c624c01accd58dc1ed Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Fri, 15 Apr 2022 10:36:56 +0100
Subject: TLS resumption: support Outlook hosts-behind-loadbalancer
---
 doc/doc-docbook/spec.xfpt | 30 ++++++++++
 doc/doc-txt/OptionLists.txt | 3 +
 src/src/structs.h | 4 +-
 src/src/tls.c | 9 ++-
 src/src/transports/smtp.c | 52 ++++++++++++++---
 src/src/transports/smtp.h | 3 +-
 test/confs/5890 | 3 +
 test/confs/5892 | 3 +
 test/log/5890 | 80 ++++++++++++++++++++++++++
 test/log/5891 | 16 +++---
 test/log/5892 | 80 ++++++++++++++++++++++++++
 test/scripts/5890-Resume-GnuTLS/5890 | 14 +++++
 test/scripts/5891-Resume-GnuTLS-OCSP/5890 | 69 ----------------------
 test/scripts/5891-Resume-GnuTLS-OCSP/5891 | 69 ++++++++++++++++++++++
 test/scripts/5892-Resume-OpenSSL/5892 | 15 +++++
 test/stderr/5410 | 96 +++++++++++++++++++++++++++++++
 test/stderr/5420 | 96 +++++++++++++++++++++++++++++++
 test/stdout/0572 | 1 +
 18 files changed, 554 insertions(+), 89 deletions(-)
 delete mode 100644 test/scripts/5891-Resume-GnuTLS-OCSP/5890
 create mode 100644 test/scripts/5891-Resume-GnuTLS-OCSP/5891
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 98ca33d23..89f762436 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -25515,6 +25515,36 @@ helo_data = ${lookup dnsdb{ptr=$sending_ip_address} \ The use of &%helo_data%& applies both to sending messages and when doing callouts. +.new +.option host_name_extract smtp "string list&!!" "see below" +.cindex "load balancer" "hosts behind" +.cindex TLS resumption +Some mail-accepting sites +(notably Microsoft) +operate many servers behind a network load-balancer. When this is done, +with separated TLS session caches, TLS session resuption becomes problematic. +It will only succeed when the same server happens to be selected by the +load-balancer, matching the session stored in the client's cache. + +Exim can pull out a server name, if there is one, from the response to the +client's SMTP EHLO command. +The default value of this option: +.code + ${if and { {match {$host} {.outlook.com\$}} \ + {match {$item} {\N^250-([\w.]+)\s\N}} \ + } {$1}} +.endd +suffices for one known case. +During the expansion of this option the &$item$& variable will have the +server's EHLO response. +The result of the option expansion is included in the key used to store and +retrieve the TLS session, for sessino resumption. + +Operators of high-load sites may wish to evaluate their logs for indications +of other destination sites operating load-balancers, and develop a suitable +expression for this option. +.wen + .option hosts smtp "string list&!!" unset Hosts are associated with an address by a router such as &(dnslookup)&, which finds the hosts by looking up the address domain in the DNS, or by diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index 4314c534b..55b0f36fc 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt 
@@ -296,6 +296,9 @@ hold_domains domain list unset main home_directory string* unset transports 4.00 replaces individual options host_all_ignored string "defer" manualroute 4.67 host_find_failed string "freeze" manualroute 4.00 +host_name_extract string + "${if and {{match{.outlook.com\\$}{$host}} {match{$item}{\\N^250-([\\w.]+)\\s\\N}}} {$1}}" + smtp 4.96 host_lookup host list unset main 3.00 host_lookup_order string list "bydns:byaddr" main 4.30 host_reject_connection host list unset main 4.00 diff --git a/src/src/structs.h b/src/src/structs.h index 9bf3aebe2..087683c49 100644 --- a/src/src/structs.h +++ b/src/src/structs.h @@ -830,8 +830,10 @@ typedef struct { host_item * host; int host_af; uschar * interface; - uschar * sending_ip_address; /* used for TLS resumption */ + int sock; /* used for a bound but not connected socket */ + uschar * sending_ip_address; /* used for TLS resumption */ + const uschar * host_lbserver; /* ditto, for server-behind LB */ #ifdef SUPPORT_DANE BOOL dane:1; /* connection must do dane */ diff --git a/src/src/tls.c b/src/src/tls.c index c9bc556fc..e80dd9aaf 100644 --- a/src/src/tls.c +++ b/src/src/tls.c @@ -804,16 +804,19 @@ hctx * h = &tlsp->resume_hctx; blob b; gstring * g; +DEBUG(D_tls) if (conn_args->host_lbserver) + debug_printf("TLS: lbserver '%s'\n", conn_args->host_lbserver); + #ifdef EXIM_HAVE_SHA2 exim_sha_init(h, HASH_SHA2_256); #else exim_sha_init(h, HASH_SHA1); #endif - -// TODO: word from server EHLO resp /* how, fer gossakes? Add item to conn_args or tls_support? */ - +exim_sha_update_string(h, conn_args->host_lbserver); +#ifdef SUPPORT_DANE if (conn_args->dane) exim_sha_update(h, CUS &conn_args->tlsa_dnsa, sizeof(dns_answer)); +#endif exim_sha_update_string(h, conn_args->host->address); exim_sha_update(h, CUS &conn_args->host->port, sizeof(conn_args->host->port)); exim_sha_update_string(h, conn_args->sending_ip_address); diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index f9e319c79..e2368da13 100644 
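Review bot: The session-cache key now includes `conn_args->host_lbserver`, which comes from the server's pre-STARTTLS EHLO reply and is therefore unauthenticated, yet it is hashed directly ahead of `host->address` with no separator or length, so two different (name, address) pairs can feed identical bytes to the hash when DANE is not in use. Hashing a delimiter after each string field, for example `exim_sha_update(h, CUS "\0", 1);`, keeps the tuples distinct. Since every distinct name the peer sends produces a new key, it is worth confirming that cached sessions expire and that the extracted name is length-bounded, so a peer that varies its greeting cannot grow the resumption database without limit. `exim_sha_update_string()` is also called when `host_lbserver` is NULL; its definition is not in this hunk, so confirm it accepts NULL. The enclosing function starts and ends outside the hunk.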
--- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -64,6 +64,9 @@ optionlist smtp_transport_options[] = { { "final_timeout", opt_time, LOFF(final_timeout) }, { "gethostbyname", opt_bool, LOFF(gethostbyname) }, { "helo_data", opt_stringptr, LOFF(helo_data) }, +#if !defined(DISABLE_TLS) && !defined(DISABLE_TLS_RESUME) + { "host_name_extract", opt_stringptr, LOFF(host_name_extract) }, +# endif { "hosts", opt_stringptr, LOFF(hosts) }, { "hosts_avoid_esmtp", opt_stringptr, LOFF(hosts_avoid_esmtp) }, { "hosts_avoid_pipelining", opt_stringptr, LOFF(hosts_avoid_pipelining) }, @@ -199,6 +202,9 @@ smtp_transport_options_block smtp_transport_option_defaults = { .tls_tempfail_tryclear = TRUE, .tls_try_verify_hosts = US"*", .tls_verify_cert_hostnames = US"*", +# ifndef DISABLE_TLS_RESUME + .host_name_extract = US"${if and {{match{$host}{.outlook.com\\$}} {match{$item}{\\N^250-([\\w.]+)\\s\\N}}} {$1}}", +# endif #endif #ifdef SUPPORT_I18N .utf8_downconvert = US"-1", @@ -1066,6 +1072,7 @@ if (pending_EHLO) if (tls_out.active.sock >= 0 || !(peer_offered & OPTION_TLS)) ehlo_response_limits_read(sx); #endif +/*XXX RESUMP - EHLO-resp avail here int sx->buffer */ if ( peer_offered != sx->peer_offered || (authbits = study_ehlo_auths(sx)) != *ap) { @@ -1874,6 +1881,28 @@ return checks; +/* Grab a string differentiating server behind a loadbalancer, for TLS +resumption when such servers do not share a session-cache */ + +static const uschar * +ehlo_response_lbserver(uschar * buffer, smtp_transport_options_block * ob) +{ +#if !defined(DISABLE_TLS) && !defined(DISABLE_TLS_RESUME) +/* want to make this a main-section option */ +const uschar * s; +uschar * save_item = iterate_item; + +iterate_item = buffer; +s = expand_cstring(ob->host_name_extract); +iterate_item = save_item; +return s && !*s ? NULL : s; +#else +return NULL; +#endif +} + + + /* Callback for emitting a BDAT data chunk header. If given a nonzero size, first flush any buffered SMTP commands 
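Review bot: The default `host_name_extract` pattern in the `@@ -199,6 +202,9 @@` hunk, `.outlook.com\\$`, leaves both dots unescaped and has no boundary before `outlook`, so it also matches host names that merely end in text such as `myoutlook.com` rather than only names under outlook.com. Quoting the pattern, for example `{match{$host}{\\N\\.outlook\\.com$\\N}}`, would confine the default to the intended domain. The OptionLists.txt entry added by the same commit shows the two `match` arguments in the opposite order (`match{.outlook.com\\$}{$host}`), so the documented default is not the one compiled in here. The initialiser belongs to a structure that starts and ends outside the hunk.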
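Review bot: In `ehlo_response_lbserver()` (the `@@ -1874,6 +1881,28 @@` hunk) a failed expansion, where `expand_cstring()` returns NULL, is folded into the same NULL result as an empty match, so a mistyped operator expression silently drops the server name from the resumption key with no trace. A debug line before the return would make that visible, for example `if (!s) DEBUG(D_transport) debug_printf("host_name_extract: %s\n", expand_string_message);`. The header comment should also say that `buffer` is the raw, untrusted EHLO response, that `$item` is set to it only for the duration of the expansion, and that the result is NULL or a string used solely as cache-key material. The leftover `/* want to make this a main-section option */` reads as a TODO and would be clearer marked as one.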
@@ -2516,6 +2545,8 @@ goto SEND_QUIT; : 0 ) #endif +/*XXX RESUMP - sx->buffer has the EHLO-resp, but only if not early-pipe and not continued-connection */ +/* maybe disable resump on cont? */ ); #ifdef EXPERIMENTAL_ESMTP_LIMITS if (tls_out.active.sock >= 0 || !(sx->peer_offered & OPTION_TLS)) @@ -2538,6 +2569,7 @@ goto SEND_QUIT; } } #endif + sx->conn_args.host_lbserver = ehlo_response_lbserver(sx->buffer, ob); } /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */ @@ -2629,14 +2661,19 @@ if ( smtp_peer_options & OPTION_TLS the response for the STARTTLS we just sent alone. On fail, assume wrong cached capability and retry with the pipelining disabled. */ - if (sx->early_pipe_active && sync_responses(sx, 2, 0) != 0) + if (sx->early_pipe_active) { - HDEBUG(D_transport) - debug_printf("failed reaping pipelined cmd responses\n"); - close(sx->cctx.sock); - sx->cctx.sock = -1; - sx->early_pipe_active = FALSE; - goto PIPE_CONNECT_RETRY; + if (sync_responses(sx, 2, 0) != 0) + { + HDEBUG(D_transport) + debug_printf("failed reaping pipelined cmd responses\n"); + close(sx->cctx.sock); + sx->cctx.sock = -1; + sx->early_pipe_active = FALSE; + goto PIPE_CONNECT_RETRY; + } +/*XXX RESUMP - does this leave the EHLO-resp anywhere? Yes, sx->buffer */ + sx->conn_args.host_lbserver = ehlo_response_lbserver(sx->buffer, ob); } #endif @@ -2666,6 +2703,7 @@ if ( smtp_peer_options & OPTION_TLS TLS_NEGOTIATE: { sx->conn_args.sending_ip_address = sending_ip_address; + /*XXX RESUMP want LB-server info here */ if (!tls_client_start(&sx->cctx, &sx->conn_args, sx->addrlist, &tls_out, &tls_errstr)) { /* TLS negotiation failed; give an error. From outside, this function may diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h index 2ed6cfd51..8dbd1fcf3 100644 --- a/src/src/transports/smtp.h +++ b/src/src/transports/smtp.h 
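Review bot: In the `@@ -2629,14 +2661,19 @@` hunk the early-pipelining path calls `ehlo_response_lbserver(sx->buffer, ob)` after `sync_responses(sx, 2, 0)` has reaped both the EHLO and the STARTTLS replies, and nothing visible here guarantees that `sx->buffer` still holds the EHLO text rather than the later reply; the XXX comment states the assumption but does not enforce it. If the assumption ever breaks, the default expression simply yields nothing and this path quietly keys sessions differently from the non-pipelined path, which is hard to notice. Taking the name where the EHLO reply is actually parsed (the spot marked `XXX RESUMP` in the `@@ -1066,6 +1072,7 @@` hunk) would remove the dependency on buffer reuse. The `@@ -2516,6 +2545,8 @@` comment also notes that continued connections never see the EHLO response, so it is worth stating in a comment what key those connections use. The enclosing function starts and ends outside these hunks.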
@@ -83,7 +83,7 @@ typedef struct { int size_addition; int hosts_max_try; int hosts_max_try_hardlimit; - int message_linelength_limit; + int message_linelength_limit; BOOL address_retry_include_sender; BOOL allow_localhost; BOOL authenticated_sender_force; @@ -108,6 +108,7 @@ typedef struct { uschar *tls_privatekey; uschar *tls_require_ciphers; # ifndef DISABLE_TLS_RESUME + uschar *host_name_extract; uschar *tls_resumption_hosts; # endif const uschar *tls_sni; diff --git a/test/confs/5890 b/test/confs/5890 index 0c812fd89..88743cfd0 100644 --- a/test/confs/5890 +++ b/test/confs/5890 @@ -82,6 +82,9 @@ send_to_server1: hosts = 127.0.0.1 port = PORT_D helo_data = helo.data.changed +.ifdef HELO_MSG + host_name_extract = HELO_MSG +.endif .ifdef VALUE tls_resumption_hosts = * .else diff --git a/test/confs/5892 b/test/confs/5892 index a7738468f..0aec9bfaf 100644 --- a/test/confs/5892 +++ b/test/confs/5892 @@ -86,6 +86,9 @@ send_to_server1: hosts = 127.0.0.1 port = PORT_D helo_data = helo.data.changed +.ifdef HELO_MSG + host_name_extract = HELO_MSG +.endif .ifdef VALUE tls_resumption_hosts = * .else diff --git a/test/log/5890 b/test/log/5890 index 6d6a6a8b2..97f779835 100644 --- a/test/log/5890 +++ b/test/log/5890 
@@ -156,6 +156,46 @@ 1999-03-02 09:44:33 10HmbZ-0005vi-00 bits 256 1999-03-02 09:44:33 10HmbZ-0005vi-00 => notreq@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcA-0005vi-00" 1999-03-02 09:44:33 10HmbZ-0005vi-00 Completed +1999-03-02 09:44:33 10HmcB-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for getticket@test.ex +1999-03-02 09:44:33 10HmcB-0005vi-00 tls_out_resumption client requested new ticket, server provided +1999-03-02 09:44:33 10HmcB-0005vi-00 our cert subject +1999-03-02 09:44:33 10HmcB-0005vi-00 peer cert subject CN=server1.example.com +1999-03-02 09:44:33 10HmcB-0005vi-00 peer cert verified 1 +1999-03-02 09:44:33 10HmcB-0005vi-00 peer dn CN=server1.example.com +1999-03-02 09:44:33 10HmcB-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx +1999-03-02 09:44:33 10HmcB-0005vi-00 bits 256 +1999-03-02 09:44:33 10HmcB-0005vi-00 => getticket@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcC-0005vi-00" +1999-03-02 09:44:33 10HmcB-0005vi-00 Completed +1999-03-02 09:44:33 10HmcD-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for noresume@test.ex +1999-03-02 09:44:33 10HmcD-0005vi-00 tls_out_resumption client requested new ticket, server provided +1999-03-02 09:44:33 10HmcD-0005vi-00 our cert subject +1999-03-02 09:44:33 10HmcD-0005vi-00 peer cert subject CN=server1.example.com +1999-03-02 09:44:33 10HmcD-0005vi-00 peer cert verified 1 +1999-03-02 09:44:33 10HmcD-0005vi-00 peer dn CN=server1.example.com +1999-03-02 09:44:33 10HmcD-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx +1999-03-02 09:44:33 10HmcD-0005vi-00 bits 256 +1999-03-02 09:44:33 10HmcD-0005vi-00 => noresume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcE-0005vi-00" +1999-03-02 09:44:33 
10HmcD-0005vi-00 Completed +1999-03-02 09:44:33 10HmcF-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for resume@test.ex +1999-03-02 09:44:33 10HmcF-0005vi-00 tls_out_resumption session resumed, also new ticket +1999-03-02 09:44:33 10HmcF-0005vi-00 our cert subject +1999-03-02 09:44:33 10HmcF-0005vi-00 peer cert subject CN=server1.example.com +1999-03-02 09:44:33 10HmcF-0005vi-00 peer cert verified 1 +1999-03-02 09:44:33 10HmcF-0005vi-00 peer dn CN=server1.example.com +1999-03-02 09:44:33 10HmcF-0005vi-00 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx +1999-03-02 09:44:33 10HmcF-0005vi-00 bits 256 +1999-03-02 09:44:33 10HmcF-0005vi-00 => resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcG-0005vi-00" +1999-03-02 09:44:33 10HmcF-0005vi-00 Completed +1999-03-02 09:44:33 10HmcH-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for resume@test.ex +1999-03-02 09:44:33 10HmcH-0005vi-00 tls_out_resumption session resumed, also new ticket +1999-03-02 09:44:33 10HmcH-0005vi-00 our cert subject +1999-03-02 09:44:33 10HmcH-0005vi-00 peer cert subject CN=server1.example.com +1999-03-02 09:44:33 10HmcH-0005vi-00 peer cert verified 1 +1999-03-02 09:44:33 10HmcH-0005vi-00 peer dn CN=server1.example.com +1999-03-02 09:44:33 10HmcH-0005vi-00 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx +1999-03-02 09:44:33 10HmcH-0005vi-00 bits 256 +1999-03-02 09:44:33 10HmcH-0005vi-00 => resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcI-0005vi-00" +1999-03-02 09:44:33 10HmcH-0005vi-00 Completed ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 
@@ -322,3 +362,43 @@ 1999-03-02 09:44:33 10HmcA-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for notreq@test.ex 1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmcA-0005vi-00 Completed +1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided +1999-03-02 09:44:33 our cert subject CN=server1.example.com +1999-03-02 09:44:33 peer cert subject +1999-03-02 09:44:33 peer cert verified 0 +1999-03-02 09:44:33 peer dn +1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx +1999-03-02 09:44:33 bits 256 +1999-03-02 09:44:33 10HmcC-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcB-0005vi-00@myhost.test.ex for getticket@test.ex +1999-03-02 09:44:33 10HmcC-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmcC-0005vi-00 Completed +1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided +1999-03-02 09:44:33 our cert subject CN=server1.example.com +1999-03-02 09:44:33 peer cert subject +1999-03-02 09:44:33 peer cert verified 0 +1999-03-02 09:44:33 peer dn +1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx +1999-03-02 09:44:33 bits 256 +1999-03-02 09:44:33 10HmcE-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmcD-0005vi-00@myhost.test.ex for noresume@test.ex +1999-03-02 09:44:33 10HmcE-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmcE-0005vi-00 Completed +1999-03-02 09:44:33 tls_in_resumption session resumed, also new ticket +1999-03-02 09:44:33 our cert subject +1999-03-02 09:44:33 peer cert subject +1999-03-02 09:44:33 peer cert verified 0 +1999-03-02 09:44:33 peer dn +1999-03-02 09:44:33 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx +1999-03-02 09:44:33 bits 256 +1999-03-02 09:44:33 
10HmcG-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmcF-0005vi-00@myhost.test.ex for resume@test.ex +1999-03-02 09:44:33 10HmcG-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmcG-0005vi-00 Completed +1999-03-02 09:44:33 tls_in_resumption session resumed, also new ticket +1999-03-02 09:44:33 our cert subject +1999-03-02 09:44:33 peer cert subject +1999-03-02 09:44:33 peer cert verified 0 +1999-03-02 09:44:33 peer dn +1999-03-02 09:44:33 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx +1999-03-02 09:44:33 bits 256 +1999-03-02 09:44:33 10HmcI-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmcH-0005vi-00@myhost.test.ex for resume@test.ex +1999-03-02 09:44:33 10HmcI-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmcI-0005vi-00 Completed diff --git a/test/log/5891 b/test/log/5891 index 5ffb9ccf7..b33d5d27d 100644 --- a/test/log/5891 +++ b/test/log/5891 @@ -129,7 +129,7 @@ 1999-03-02 09:44:33 10HmbQ-0005vi-00 => abcd@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbS-0005vi-00" 1999-03-02 09:44:33 10HmbQ-0005vi-00 Completed 1999-03-02 09:44:33 10HmbT-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for renewal@test.ex -1999-03-02 09:44:33 10HmbT-0005vi-00 tls_out_resumption session resumed, also new ticket +1999-03-02 09:44:33 10HmbT-0005vi-00 tls_out_resumption session resumed 1999-03-02 09:44:33 10HmbT-0005vi-00 our cert subject 1999-03-02 09:44:33 10HmbT-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmbT-0005vi-00 peer cert verified 1 
@@ -140,7 +140,7 @@ 1999-03-02 09:44:33 10HmbT-0005vi-00 => renewal@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbU-0005vi-00" 1999-03-02 09:44:33 10HmbT-0005vi-00 Completed 1999-03-02 09:44:33 10HmbV-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for postrenewal@test.ex -1999-03-02 09:44:33 10HmbV-0005vi-00 tls_out_resumption session resumed, also new ticket +1999-03-02 09:44:33 10HmbV-0005vi-00 tls_out_resumption session resumed 1999-03-02 09:44:33 10HmbV-0005vi-00 our cert subject 1999-03-02 09:44:33 10HmbV-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmbV-0005vi-00 peer cert verified 1 @@ -175,7 +175,7 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D -1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided +1999-03-02 09:44:33 tls_in_resumption client offered session, server only provided new ticket 1999-03-02 09:44:33 our cert subject CN=server1.example.com 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 @@ -198,7 +198,7 @@ 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed -1999-03-02 09:44:33 tls_in_resumption not requested or offered +1999-03-02 09:44:33 tls_in_resumption 0x05 1999-03-02 09:44:33 our cert subject CN=server1.example.com 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 
@@ -242,7 +242,7 @@ 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbG-0005vi-00@myhost.test.ex for timeout@test.ex 1999-03-02 09:44:33 10HmbH-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbH-0005vi-00 Completed -1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided +1999-03-02 09:44:33 tls_in_resumption client offered session, server only provided new ticket 1999-03-02 09:44:33 our cert subject CN=server1.example.com 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 @@ -253,7 +253,7 @@ 1999-03-02 09:44:33 10HmbJ-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbI-0005vi-00@myhost.test.ex for notreq@test.ex 1999-03-02 09:44:33 10HmbJ-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbJ-0005vi-00 Completed -1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided +1999-03-02 09:44:33 tls_in_resumption client offered session, server only provided new ticket 1999-03-02 09:44:33 our cert subject CN=server1.example.com 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 @@ -310,7 +310,7 @@ 1999-03-02 09:44:33 10HmbS-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbQ-0005vi-00@myhost.test.ex for abcd@test.ex 1999-03-02 09:44:33 10HmbS-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbS-0005vi-00 Completed -1999-03-02 09:44:33 tls_in_resumption session resumed, also new ticket +1999-03-02 09:44:33 tls_in_resumption session resumed 1999-03-02 09:44:33 our cert subject 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 
@@ -321,7 +321,7 @@ 1999-03-02 09:44:33 10HmbU-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbT-0005vi-00@myhost.test.ex for renewal@test.ex 1999-03-02 09:44:33 10HmbU-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbU-0005vi-00 Completed -1999-03-02 09:44:33 tls_in_resumption session resumed, also new ticket +1999-03-02 09:44:33 tls_in_resumption session resumed 1999-03-02 09:44:33 our cert subject 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 diff --git a/test/log/5892 b/test/log/5892 index b3d395f5e..58e9e6e6c 100644 --- a/test/log/5892 +++ b/test/log/5892 
@@ -88,6 +88,46 @@ 1999-03-02 09:44:33 10HmbM-0005vi-00 bits 256 1999-03-02 09:44:33 10HmbM-0005vi-00 => noverify_resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbN-0005vi-00" 1999-03-02 09:44:33 10HmbM-0005vi-00 Completed +1999-03-02 09:44:33 10HmbO-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for getticket@test.ex +1999-03-02 09:44:33 10HmbO-0005vi-00 tls_out_resumption client requested new ticket, server provided +1999-03-02 09:44:33 10HmbO-0005vi-00 our cert subject +1999-03-02 09:44:33 10HmbO-0005vi-00 peer cert subject CN=server1.example.com +1999-03-02 09:44:33 10HmbO-0005vi-00 peer cert verified 1 +1999-03-02 09:44:33 10HmbO-0005vi-00 peer dn /CN=server1.example.com +1999-03-02 09:44:33 10HmbO-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx +1999-03-02 09:44:33 10HmbO-0005vi-00 bits 256 +1999-03-02 09:44:33 10HmbO-0005vi-00 => getticket@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbP-0005vi-00" +1999-03-02 09:44:33 10HmbO-0005vi-00 Completed +1999-03-02 09:44:33 10HmbQ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for noresume@test.ex +1999-03-02 09:44:33 10HmbQ-0005vi-00 tls_out_resumption client requested new ticket, server provided +1999-03-02 09:44:33 10HmbQ-0005vi-00 our cert subject +1999-03-02 09:44:33 10HmbQ-0005vi-00 peer cert subject CN=server1.example.com +1999-03-02 09:44:33 10HmbQ-0005vi-00 peer cert verified 1 +1999-03-02 09:44:33 10HmbQ-0005vi-00 peer dn /CN=server1.example.com +1999-03-02 09:44:33 10HmbQ-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx +1999-03-02 09:44:33 10HmbQ-0005vi-00 bits 256 +1999-03-02 09:44:33 10HmbQ-0005vi-00 => noresume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbR-0005vi-00" 
+1999-03-02 09:44:33 10HmbQ-0005vi-00 Completed +1999-03-02 09:44:33 10HmbS-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for resume@test.ex +1999-03-02 09:44:33 10HmbS-0005vi-00 tls_out_resumption session resumed +1999-03-02 09:44:33 10HmbS-0005vi-00 our cert subject +1999-03-02 09:44:33 10HmbS-0005vi-00 peer cert subject CN=server1.example.com +1999-03-02 09:44:33 10HmbS-0005vi-00 peer cert verified 1 +1999-03-02 09:44:33 10HmbS-0005vi-00 peer dn /CN=server1.example.com +1999-03-02 09:44:33 10HmbS-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx +1999-03-02 09:44:33 10HmbS-0005vi-00 bits 256 +1999-03-02 09:44:33 10HmbS-0005vi-00 => resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbT-0005vi-00" +1999-03-02 09:44:33 10HmbS-0005vi-00 Completed +1999-03-02 09:44:33 10HmbU-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for resume@test.ex +1999-03-02 09:44:33 10HmbU-0005vi-00 tls_out_resumption session resumed +1999-03-02 09:44:33 10HmbU-0005vi-00 our cert subject +1999-03-02 09:44:33 10HmbU-0005vi-00 peer cert subject CN=server1.example.com +1999-03-02 09:44:33 10HmbU-0005vi-00 peer cert verified 1 +1999-03-02 09:44:33 10HmbU-0005vi-00 peer dn /CN=server1.example.com +1999-03-02 09:44:33 10HmbU-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx +1999-03-02 09:44:33 10HmbU-0005vi-00 bits 256 +1999-03-02 09:44:33 10HmbU-0005vi-00 => resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbV-0005vi-00" +1999-03-02 09:44:33 10HmbU-0005vi-00 Completed ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D 
@@ -182,3 +222,43 @@ 1999-03-02 09:44:33 10HmbN-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbM-0005vi-00@myhost.test.ex for noverify_resume@test.ex 1999-03-02 09:44:33 10HmbN-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbN-0005vi-00 Completed +1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided +1999-03-02 09:44:33 our cert subject CN=server1.example.com +1999-03-02 09:44:33 peer cert subject +1999-03-02 09:44:33 peer cert verified 0 +1999-03-02 09:44:33 peer dn +1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx +1999-03-02 09:44:33 bits 256 +1999-03-02 09:44:33 10HmbP-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbO-0005vi-00@myhost.test.ex for getticket@test.ex +1999-03-02 09:44:33 10HmbP-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbP-0005vi-00 Completed +1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided +1999-03-02 09:44:33 our cert subject CN=server1.example.com +1999-03-02 09:44:33 peer cert subject +1999-03-02 09:44:33 peer cert verified 0 +1999-03-02 09:44:33 peer dn +1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx +1999-03-02 09:44:33 bits 256 +1999-03-02 09:44:33 10HmbR-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbQ-0005vi-00@myhost.test.ex for noresume@test.ex +1999-03-02 09:44:33 10HmbR-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbR-0005vi-00 Completed +1999-03-02 09:44:33 tls_in_resumption session resumed +1999-03-02 09:44:33 our cert subject CN=server1.example.com +1999-03-02 09:44:33 peer cert subject +1999-03-02 09:44:33 peer cert verified 0 +1999-03-02 09:44:33 peer dn +1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx +1999-03-02 09:44:33 bits 256 
+1999-03-02 09:44:33 10HmbT-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbS-0005vi-00@myhost.test.ex for resume@test.ex +1999-03-02 09:44:33 10HmbT-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbT-0005vi-00 Completed +1999-03-02 09:44:33 tls_in_resumption session resumed, also new ticket +1999-03-02 09:44:33 our cert subject CN=server1.example.com +1999-03-02 09:44:33 peer cert subject +1999-03-02 09:44:33 peer cert verified 0 +1999-03-02 09:44:33 peer dn +1999-03-02 09:44:33 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx +1999-03-02 09:44:33 bits 256 +1999-03-02 09:44:33 10HmbV-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbU-0005vi-00@myhost.test.ex for resume@test.ex +1999-03-02 09:44:33 10HmbV-0005vi-00 => :blackhole: R=server +1999-03-02 09:44:33 10HmbV-0005vi-00 Completed diff --git a/test/scripts/5890-Resume-GnuTLS/5890 b/test/scripts/5890-Resume-GnuTLS/5890 index d54973cef..d129da2db 100644 --- a/test/scripts/5890-Resume-GnuTLS/5890 +++ b/test/scripts/5890-Resume-GnuTLS/5890 @@ -65,5 +65,19 @@ Test message. exim -odf notreq@test.ex Test message, not requesting resumption. **** +# +# Test the host_name_extract transport option. Due to the change the second +# message's connection should not offer a session. The third should (on the 2nd), +# as should the fourth (on the 1st). +sudo rm -f DIR/spool/db/tls* +exim -DVALUE=resume -odf getticket@test.ex +**** +exim -DVALUE=resume -DHELO_MSG=differenthost -odf noresume@test.ex +**** +exim -DVALUE=resume -DHELO_MSG=differenthost -odf resume@test.ex +**** +exim -DVALUE=resume -odf resume@test.ex +**** +# killdaemon no_msglog_check diff --git a/test/scripts/5891-Resume-GnuTLS-OCSP/5890 b/test/scripts/5891-Resume-GnuTLS-OCSP/5890 deleted file mode 100644 index 449b0eb3d..000000000 --- a/test/scripts/5891-Resume-GnuTLS-OCSP/5890 +++ /dev/null 
@@ -1,69 +0,0 @@ -# TLS session resumption with OCSP -gnutls -# -# For keying info: -# (requires SSLKEYLOGFILE added to /etc/sudoers) -# SSLKEYLOGFILE=/home/jgh/git/exim/test/foo sudo exim -DSERVER=server -bd -oX PORT_D -# -### TLS1.2 -exim -DSERVER=server -DOPTION=NORMAL:!VERS-TLS1.3 -bd -oX PORT_D -**** -exim -DVALUE=resume -odf getticket@test.ex -Test message. Contains FF: ˙ -**** -exim -DVALUE=resume -odf resume@test.ex abcd@test.ex xyz@test.ex -Test message to two different hosts, one does not support resume -**** -# allow time for ticket to hit renewal time -sleep 3 -exim -DVALUE=resume -odf renewal@test.ex -Test message. -**** -exim -DVALUE=resume -odf postrenewal@test.ex -Test message. -**** -sleep 3 -exim -DVALUE=resume -odf timeout@test.ex -Test message. -**** -exim -odf notreq@test.ex -Test message, not requesting resumption. -**** -sudo rm -f DIR/spool/db/tls -exim -odf -DVALUE=resume noverify_getticket@test.ex -Dest on this means the server cert will not verify (but try_verify will permit it) -**** -exim -odf -DVALUE=resume noverify_resume@test.ex -Dest on this means the server cert will not verify (but try_verify will permit it) -**** -killdaemon -sleep 1 -sudo rm -f DIR/spool/db/tls -# -# -### TLS1.3 -exim -DSERVER=server -DOPTION=NORMAL -bd -oX PORT_D -**** -exim -DVALUE=resume -odf getticket@test.ex -Test message. Contains FF: ˙ -**** -exim -DVALUE=resume -odf resume@test.ex abcd@test.ex xyz@test.ex -Test message to two different hosts, one does not support resume -**** -# allow time for ticket to hit renewal time -sleep 3 -exim -DVALUE=resume -odf renewal@test.ex -Test message. -**** -exim -DVALUE=resume -odf postrenewal@test.ex -Test message. -**** -sleep 3 -exim -DVALUE=resume -odf timeout@test.ex -Test message. -**** -exim -odf notreq@test.ex -Test message, not requesting resumption. -**** -killdaemon -no_msglog_check 
diff --git a/test/scripts/5891-Resume-GnuTLS-OCSP/5891 b/test/scripts/5891-Resume-GnuTLS-OCSP/5891
new file mode 100644
index 000000000..a497fbb0b
--- /dev/null
+++ b/test/scripts/5891-Resume-GnuTLS-OCSP/5891
@@ -0,0 +1,69 @@
+# TLS session resumption with OCSP
+gnutls
+#
+# For keying info:
+# (requires SSLKEYLOGFILE added to /etc/sudoers)
+# SSLKEYLOGFILE=/home/jgh/git/exim/test/foo sudo exim -DSERVER=server -bd -oX PORT_D
+#
+### TLS1.2
+exim -DSERVER=server -DOPTION=NORMAL:!VERS-TLS1.3 -bd -oX PORT_D
+****
+exim -DVALUE=resume -odf getticket@test.ex
+Test message. Contains FF: ˙
+****
+exim -DVALUE=resume -odf resume@test.ex abcd@test.ex xyz@test.ex
+Test message to two different hosts, one does not support resume
+****
+# allow time for ticket to hit renewal time
+sleep 3
+exim -DVALUE=resume -odf renewal@test.ex
+Test message.
+****
+exim -DVALUE=resume -odf postrenewal@test.ex
+Test message.
+****
+sleep 3
+exim -DVALUE=resume -odf timeout@test.ex
+Test message.
+****
+exim -odf notreq@test.ex
+Test message, not requesting resumption.
+****
+sudo rm -f DIR/spool/db/tls*
+exim -odf -DVALUE=resume noverify_getticket@test.ex
+Dest on this means the server cert will not verify (but try_verify will permit it)
+****
+exim -odf -DVALUE=resume noverify_resume@test.ex
+Dest on this means the server cert will not verify (but try_verify will permit it)
+****
+killdaemon
+sleep 1
+sudo rm -f DIR/spool/db/tls
+#
+#
+### TLS1.3
+exim -DSERVER=server -DOPTION=NORMAL -bd -oX PORT_D
+****
+exim -DVALUE=resume -odf getticket@test.ex
+Test message. Contains FF: ˙
+****
+exim -DVALUE=resume -odf resume@test.ex abcd@test.ex xyz@test.ex
+Test message to two different hosts, one does not support resume
+****
+# allow time for ticket to hit renewal time
+sleep 3
+exim -DVALUE=resume -odf renewal@test.ex
+Test message.
+****
+exim -DVALUE=resume -odf postrenewal@test.ex
+Test message.
+****
+sleep 3
+exim -DVALUE=resume -odf timeout@test.ex
+Test message.
+****
+exim -odf notreq@test.ex
+Test message, not requesting resumption.
+****
+killdaemon
+no_msglog_check
diff --git a/test/scripts/5892-Resume-OpenSSL/5892 b/test/scripts/5892-Resume-OpenSSL/5892
index 1fdc7e949..814a27b6b 100644
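Review bot: The two session-cache cleanups in this script no longer agree: the one before `noverify_getticket` now removes `DIR/spool/db/tls*`, while the one after the TLS1.2 `killdaemon` / `sleep 1` still removes only `DIR/spool/db/tls`. If the glob is needed because the cache is kept under more than one file name (not visible in this hunk), the TLS1.3 half can start with leftover TLS1.2 state, and its `getticket` case may resume a stale session instead of fetching a fresh ticket. I would make the second cleanup `sudo rm -f DIR/spool/db/tls*` as well, matching the 5892 script.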
--- a/test/scripts/5892-Resume-OpenSSL/5892 +++ b/test/scripts/5892-Resume-OpenSSL/5892 @@ -24,6 +24,7 @@ Test message. exim -odf notreq@test.ex Test message, not requesting resumption. **** +# sudo rm -f DIR/spool/db/tls* exim -odf -DVALUE=resume noverify_getticket@test.ex Dest on this means the server cert will not verify (but try_verify will permit it) @@ -31,5 +32,19 @@ Dest on this means the server cert will not verify (but try_verify will permit i exim -odf -DVALUE=resume noverify_resume@test.ex Dest on this means the server cert will not verify (but try_verify will permit it) **** +# +# Test the host_name_extract transport option. Due to the change the second +# message's connection should not offer a session. The third should (on the 2nd), +# as should the fourth (on the 1st). +sudo rm -f DIR/spool/db/tls* +exim -DVALUE=resume -odf getticket@test.ex +**** +exim -DVALUE=resume -DHELO_MSG=differenthost -odf noresume@test.ex +**** +exim -DVALUE=resume -DHELO_MSG=differenthost -odf resume@test.ex +**** +exim -DVALUE=resume -odf resume@test.ex +**** +# killdaemon no_msglog_check diff --git a/test/stderr/5410 b/test/stderr/5410 index 8599c878a..bbde8b873 100644 --- a/test/stderr/5410 +++ b/test/stderr/5410 
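Review bot: The comment introducing the `host_name_extract` cases in the second hunk does not say what makes the second connection skip resumption, and "(on the 2nd)" / "(on the 1st)" is hard to read without already knowing the design. From the commands, the trigger is `-DHELO_MSG=differenthost`, presumably consumed by test/confs/5892, which this hunk does not show. I would state that in the comment, e.g. `# -DHELO_MSG changes the name in the server's EHLO reply, so the session-cache key differs` and `# 3rd resumes the session stored by the 2nd; 4th resumes the one stored by the 1st`. Since that name is supplied by the peer, a line noting that it only partitions the cache key would help the next reader of this test.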
@@ -80,6 +80,38 @@ cmd buf flush ddd bytes 250-PIPELINING 250-STARTTLS 250 HELP + â•­considering: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + â•­considering: $host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├considering: }{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: $host + ╰─────result: 127.0.0.1 + â•­considering: .outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├───────text: .outlook.com + ├considering: \$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├backslashed: '\$' + ├considering: }} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: .outlook.com\$ + ╰─────result: .outlook.com$ + ╭───scanning: $item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├───scanning: }{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: $item + ├─────result: + ╰───skipping: result is not used + ╭───scanning: \N^250-([\w.]+)\s\N}}} {$1}} + ├──protected: ^250-([\w.]+)\s + ├───scanning: }}} {$1}} + ├──expanding: \N^250-([\w.]+)\s\N + ├─────result: ^250-([\w.]+)\s + ╰───skipping: result is not used + ├──condition: and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} + ├─────result: false + ╭───scanning: $1}} + ├───scanning: }} + ├──expanding: $1 + ├─────result: + ╰───skipping: result is not used + ├──expanding: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ╰─────result: â•­considering: ${if eq {$address_data}{usery}{*}{:}} â•­considering: $address_data}{usery}{*}{:}} ├considering: }{usery}{*}{:}} 
@@ -604,6 +636,38 @@ cmd buf flush ddd bytes 250-PIPELINING 250-STARTTLS 250 HELP + â•­considering: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + â•­considering: $host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├considering: }{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: $host + ╰─────result: 127.0.0.1 + â•­considering: .outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├───────text: .outlook.com + ├considering: \$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├backslashed: '\$' + ├considering: }} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: .outlook.com\$ + ╰─────result: .outlook.com$ + ╭───scanning: $item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├───scanning: }{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: $item + ├─────result: + ╰───skipping: result is not used + ╭───scanning: \N^250-([\w.]+)\s\N}}} {$1}} + ├──protected: ^250-([\w.]+)\s + ├───scanning: }}} {$1}} + ├──expanding: \N^250-([\w.]+)\s\N + ├─────result: ^250-([\w.]+)\s + ╰───skipping: result is not used + ├──condition: and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} + ├─────result: false + ╭───scanning: $1}} + ├───scanning: }} + ├──expanding: $1 + ├─────result: + ╰───skipping: result is not used + ├──expanding: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ╰─────result: â•­considering: ${if eq {$address_data}{usery}{*}{:}} â•­considering: $address_data}{usery}{*}{:}} ├considering: }{usery}{*}{:}} 
@@ -1089,6 +1153,38 @@ cmd buf flush ddd bytes 250-PIPELINING 250-STARTTLS 250 HELP + â•­considering: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + â•­considering: $host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├considering: }{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: $host + ╰─────result: 127.0.0.1 + â•­considering: .outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├───────text: .outlook.com + ├considering: \$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├backslashed: '\$' + ├considering: }} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: .outlook.com\$ + ╰─────result: .outlook.com$ + ╭───scanning: $item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├───scanning: }{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: $item + ├─────result: + ╰───skipping: result is not used + ╭───scanning: \N^250-([\w.]+)\s\N}}} {$1}} + ├──protected: ^250-([\w.]+)\s + ├───scanning: }}} {$1}} + ├──expanding: \N^250-([\w.]+)\s\N + ├─────result: ^250-([\w.]+)\s + ╰───skipping: result is not used + ├──condition: and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} + ├─────result: false + ╭───scanning: $1}} + ├───scanning: }} + ├──expanding: $1 + ├─────result: + ╰───skipping: result is not used + ├──expanding: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ╰─────result: â•­considering: ${if eq {$address_data}{usery}{*}{:}} â•­considering: $address_data}{usery}{*}{:}} ├considering: }{usery}{*}{:}} diff --git a/test/stderr/5420 b/test/stderr/5420 index 384a11736..27889f255 100644 --- a/test/stderr/5420 +++ b/test/stderr/5420 
@@ -80,6 +80,38 @@ cmd buf flush ddd bytes 250-PIPELINING 250-STARTTLS 250 HELP + â•­considering: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + â•­considering: $host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├considering: }{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: $host + ╰─────result: 127.0.0.1 + â•­considering: .outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├───────text: .outlook.com + ├considering: \$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├backslashed: '\$' + ├considering: }} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: .outlook.com\$ + ╰─────result: .outlook.com$ + ╭───scanning: $item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├───scanning: }{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: $item + ├─────result: + ╰───skipping: result is not used + ╭───scanning: \N^250-([\w.]+)\s\N}}} {$1}} + ├──protected: ^250-([\w.]+)\s + ├───scanning: }}} {$1}} + ├──expanding: \N^250-([\w.]+)\s\N + ├─────result: ^250-([\w.]+)\s + ╰───skipping: result is not used + ├──condition: and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} + ├─────result: false + ╭───scanning: $1}} + ├───scanning: }} + ├──expanding: $1 + ├─────result: + ╰───skipping: result is not used + ├──expanding: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ╰─────result: â•­considering: ${if eq {$address_data}{usery}{*}{:}} â•­considering: $address_data}{usery}{*}{:}} ├considering: }{usery}{*}{:}} 
@@ -605,6 +637,38 @@ cmd buf flush ddd bytes 250-PIPELINING 250-STARTTLS 250 HELP + â•­considering: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + â•­considering: $host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├considering: }{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: $host + ╰─────result: 127.0.0.1 + â•­considering: .outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├───────text: .outlook.com + ├considering: \$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├backslashed: '\$' + ├considering: }} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: .outlook.com\$ + ╰─────result: .outlook.com$ + ╭───scanning: $item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├───scanning: }{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: $item + ├─────result: + ╰───skipping: result is not used + ╭───scanning: \N^250-([\w.]+)\s\N}}} {$1}} + ├──protected: ^250-([\w.]+)\s + ├───scanning: }}} {$1}} + ├──expanding: \N^250-([\w.]+)\s\N + ├─────result: ^250-([\w.]+)\s + ╰───skipping: result is not used + ├──condition: and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} + ├─────result: false + ╭───scanning: $1}} + ├───scanning: }} + ├──expanding: $1 + ├─────result: + ╰───skipping: result is not used + ├──expanding: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ╰─────result: â•­considering: ${if eq {$address_data}{usery}{*}{:}} â•­considering: $address_data}{usery}{*}{:}} ├considering: }{usery}{*}{:}} 
@@ -1090,6 +1154,38 @@ cmd buf flush ddd bytes 250-PIPELINING 250-STARTTLS 250 HELP + â•­considering: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + â•­considering: $host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├considering: }{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: $host + ╰─────result: 127.0.0.1 + â•­considering: .outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├───────text: .outlook.com + ├considering: \$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├backslashed: '\$' + ├considering: }} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: .outlook.com\$ + ╰─────result: .outlook.com$ + ╭───scanning: $item}{\N^250-([\w.]+)\s\N}}} {$1}} + ├───scanning: }{\N^250-([\w.]+)\s\N}}} {$1}} + ├──expanding: $item + ├─────result: + ╰───skipping: result is not used + ╭───scanning: \N^250-([\w.]+)\s\N}}} {$1}} + ├──protected: ^250-([\w.]+)\s + ├───scanning: }}} {$1}} + ├──expanding: \N^250-([\w.]+)\s\N + ├─────result: ^250-([\w.]+)\s + ╰───skipping: result is not used + ├──condition: and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} + ├─────result: false + ╭───scanning: $1}} + ├───scanning: }} + ├──expanding: $1 + ├─────result: + ╰───skipping: result is not used + ├──expanding: ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} + ╰─────result: â•­considering: ${if eq {$address_data}{usery}{*}{:}} â•­considering: $address_data}{usery}{*}{:}} ├considering: }{usery}{*}{:}} diff --git a/test/stdout/0572 b/test/stdout/0572 index 0ba712dcf..3345451c3 100644 --- a/test/stdout/0572 +++ b/test/stdout/0572 @@ -48,6 +48,7 @@ fallback_hosts = final_timeout = 10m no_gethostbyname helo_data = $primary_hostname +host_name_extract = ${if and {{match{$host}{.outlook.com\$}} {match{$item}{\N^250-([\w.]+)\s\N}}} {$1}} hosts = hosts_avoid_esmtp = hosts_avoid_pipelining = -- cgit v1.2.3