[Bug 2265] TLS SNI not auto-set for DANE clients
https://bugs.exim.org/show_bug.cgi?id=2265

--- Comment #8 from Jeremy Harris <jgh146exb@wizmail.org> ---
Disabling multi_domain turns out to be Extremely Painful because we don't find out
that DANE was used until deep in the transport, well after the addresslist was
built for a message - combined with all the ways Exim tries to re-use a
connection for multiple messages. I can see it being a fertile source of bugs.

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
Re: [Bug 2265] TLS SNI not auto-set for DANE clients
> On Aug 17, 2020, at 7:08 PM, admin--- via Exim-dev <exim-dev@exim.org> wrote:
>
> https://bugs.exim.org/show_bug.cgi?id=2265
>
> --- Comment #8 from Jeremy Harris <jgh146exb@wizmail.org> ---
> Disabling multi_domain turns out to be Extremely Painful because we don't find out
> that DANE was used until deep in the transport, well after the addresslist was
> built for a message - combined with all the ways Exim tries to re-use a
> connection for multiple messages. I can see it being a fertile source of bugs.

FWIW, yes connection and TLS session reuse are tricky in the context of potentially
different security policies for different destinations. This is a source of some
non-trivial complexity in the Postfix SMTP client.

The session and connection caches have multi-element lookup keys (run through
SHA256 in the case of the session cache) that combine some of the following
(partial list):

- transport (router) name
- nexthop domain
- TLS security level
- SNI name
- Remote IP address
- Remote name from first line ("250-<hostname>") of EHLO
- DANE TLSA RRset
- TLS reference identifiers (names to check in the cert)
- ...

This took quite some time and effort to build, and there are dedicated
functions for constructing the lookup keys for saving and retrieving
live connections and cached TLS sessions.

The Exim case should be somewhat simpler since nothing is persisted
out of process, but also trickier, because you're trying to collect
multiple messages to send down the connection in real time, rather
than squirreling away the connection for potential reuse by another
separate delivery.

I don't know anything about the internals of multi-domain support
in Exim, but can see that this could be a pain. And yet, it is
largely an unavoidable issue. The security constraints do mean
that some messages that would otherwise be grouped for transmission
over a single channel, can no longer be correctly grouped that way.


--
Viktor.
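
The multi-element cache key Viktor describes, as an added illustration that is not Postfix's (or Exim's) own code. The field set follows his partial list; the length-prefixed SHA256 encoding, the `DestPolicy` record, `session_cache_key()` and the `ConnectionCache` class are assumptions made here for the example. The point it demonstrates is the one the thread is about: two destinations that share an MX host and IP but differ in SNI or in DANE TLSA data must never resolve to the same cached connection, so a message for one cannot be grouped onto a channel opened for the other.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class DestPolicy:
    """Hypothetical record of everything that decides whether two deliveries
    may share one TLS session (modelled on the partial list in the message)."""
    transport: str                      # transport (router) name
    nexthop: str                        # nexthop domain
    security_level: str                 # e.g. "dane", "secure", "may"
    sni: Optional[str]                  # SNI name, None if not sent
    remote_ip: str                      # remote IP address
    ehlo_name: str                      # name from the "250-<hostname>" EHLO line
    tlsa_rrset: Tuple[str, ...] = ()    # DANE TLSA records (presentation form)
    ref_ids: Tuple[str, ...] = ()       # TLS reference identifiers to match


def _elem(b: bytes) -> bytes:
    # Length-prefix every element so "ab" + "c" and "a" + "bc" cannot collide.
    return len(b).to_bytes(4, "big") + b


def session_cache_key(p: DestPolicy) -> str:
    """Canonical SHA256 over all policy-relevant fields; RRsets and ID lists
    are unordered, so they are sorted before hashing."""
    parts = [p.transport, p.nexthop, p.security_level, p.sni or "",
             p.remote_ip, p.ehlo_name]
    parts += ["tlsa:" + r for r in sorted(p.tlsa_rrset)]
    parts += ["id:" + r for r in sorted(p.ref_ids)]
    h = hashlib.sha256()
    for s in parts:
        h.update(_elem(s.encode("utf-8")))
    return h.hexdigest()


class ConnectionCache:
    """Live-connection cache keyed on the full policy, not just the IP."""

    def __init__(self) -> None:
        self._live: Dict[str, str] = {}

    def put(self, p: DestPolicy, conn: str) -> None:
        self._live[session_cache_key(p)] = conn

    def get(self, p: DestPolicy) -> Optional[str]:
        return self._live.get(session_cache_key(p))


# Constructed sample: two domains, same MX host and IP, different DANE data.
TLSA_A = ("3 1 1 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcd",)
TLSA_B = ("3 1 1 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210",)

DOMAIN_A = DestPolicy("remote_smtp", "a.example", "dane", "a.example",
                      "192.0.2.25", "mx.example", TLSA_A, ("a.example",))
DOMAIN_B = DestPolicy("remote_smtp", "b.example", "dane", "b.example",
                      "192.0.2.25", "mx.example", TLSA_B, ("b.example",))
# Same policy as DOMAIN_A with the TLSA records listed in a different order.
DOMAIN_A_REORDERED = DestPolicy("remote_smtp", "a.example", "dane", "a.example",
                                "192.0.2.25", "mx.example",
                                tuple(reversed(TLSA_A + ("3 1 1 00",))),
                                ("a.example",))
DOMAIN_A_EXTRA = DestPolicy("remote_smtp", "a.example", "dane", "a.example",
                            "192.0.2.25", "mx.example",
                            TLSA_A + ("3 1 1 00",), ("a.example",))


def demo() -> Dict[str, bool]:
    cache = ConnectionCache()
    cache.put(DOMAIN_A, "conn-to-192.0.2.25#1")
    return {
        # A second message to a.example may reuse the live connection.
        "same_domain_hit": cache.get(DOMAIN_A) is not None,
        # b.example on the same IP must not: different SNI and TLSA data.
        "other_domain_miss": cache.get(DOMAIN_B) is None,
        # RRset order does not change the key.
        "order_independent": session_cache_key(DOMAIN_A_REORDERED)
                             == session_cache_key(DOMAIN_A_EXTRA),
    }


if __name__ == "__main__":
    print(demo())
```

Dropping any one field from the key (the SNI, say) silently merges the two `dane` entries above into one cache slot, which is exactly the class of grouping error the bug report is about.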


Re: [Bug 2265] TLS SNI not auto-set for DANE clients
On 17/08/2020 23:33, Viktor Dukhovni via Exim-dev wrote:
> The Exim case should be somewhat simpler since nothing is persisted
> out of process

Not so.
--
Cheers,
Jeremy

[Bug 2265] TLS SNI not auto-set for DANE clients
https://bugs.exim.org/show_bug.cgi?id=2265

Git Commit <git@exim.org> changed:

What  | Removed | Added
------+---------+--------------
CC    |         | git@exim.org

--- Comment #9 from Git Commit <git@exim.org> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/7044dd8fd62e215572ecf5a2c7f1bb9581cf6628

commit 7044dd8fd62e215572ecf5a2c7f1bb9581cf6628
Author: Jeremy Harris <jgh146exb@wizmail.org>
AuthorDate: Wed Aug 19 21:09:04 2020 +0100
Commit: Jeremy Harris <jgh146exb@wizmail.org>
CommitDate: Thu Aug 20 00:00:22 2020 +0100

dane: force sni to use $domain. bug 2265

note: this is not a complete fix for the issue
----
doc/doc-docbook/spec.xfpt | 14 ++++++++++++--
doc/doc-txt/ChangeLog | 13 ++++++++++---
src/src/receive.c | 2 +-
src/src/smtp_in.c | 2 +-
src/src/tls-gnu.c | 2 +-
src/src/tls-openssl.c | 1 +
src/src/transports/smtp.c | 1 +
test/confs/5820 | 3 ++-
test/confs/5840 | 3 ++-
test/log/2030 | 2 +-
test/log/2031 | 4 ++--
test/log/2130 | 2 +-
test/log/2131 | 4 ++--
test/log/5820 | 10 +++++-----
test/log/5840 | 10 +++++-----
test/stderr/5820 | 2 +-
test/stderr/5840 | 2 +-
17 files changed, 49 insertions(+), 28 deletions(-)

[Bug 2265] TLS SNI not auto-set for DANE clients
https://bugs.exim.org/show_bug.cgi?id=2265

--- Comment #10 from Git Commit <git@exim.org> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/99350dede64ad634300ddf15d0d97a81fd75d330

commit 99350dede64ad634300ddf15d0d97a81fd75d330
Author: Jeremy Harris <jgh146exb@wizmail.org>
AuthorDate: Sun Aug 23 15:32:48 2020 +0100
Commit: Jeremy Harris <jgh146exb@wizmail.org>
CommitDate: Sun Aug 23 17:05:52 2020 +0100

dane: fix 2-rcpt message, diff domains case. bug 2265
----
doc/doc-docbook/spec.xfpt | 6 +++
src/src/debug.c | 1 +
src/src/deliver.c | 3 ++
src/src/macros.h | 1 +
src/src/transports/smtp.c | 71 ++++++++++++++++++++++++++++++-----
src/src/verify.c | 2 +-
test/confs/5801 | 89 ++++++++++++++++++++++++++++++++++++++++++++
test/dnszones-src/db.test.ex | 1 +
test/log/5801 | 13 +++++++
test/scripts/5800-DANE/5801 | 12 ++++++
10 files changed, 188 insertions(+), 11 deletions(-)

[Bug 2265] TLS SNI not auto-set for DANE clients
https://bugs.exim.org/show_bug.cgi?id=2265

Jeremy Harris <jgh146exb@wizmail.org> changed:

What    | Removed | Added
--------+---------+---------
Status  | NEW     | ASSIGNED

--- Comment #11 from Jeremy Harris <jgh146exb@wizmail.org> ---
Also see 79b19a30d9, b6054898ac.
I think that deals with the functional aspects.

There's a logging issue remaining; a cancelled continued-TLS connection is
still logged with a continuation marker.
