https://bugs.exim.org/show_bug.cgi?id=2594

            Bug ID: 2594
           Summary: CNAME handling can break TLS certificate verification
           Product: Exim
           Version: 4.93
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
          Assignee: jgh146...@wizmail.org
          Reporter: ch...@paulson-ellis.org
                CC: exim-dev@exim.org

When the manualroute router looks up the IP address of a name in the
route_data, if it encounters CNAME records, then it correctly follows them
until it finds an A (or AAAA) record.

However, it also uses the CNAME value as the domain name later used by the smtp
transport to verify the TLS certificate returned by the server. This is wrong -
or at least inconsistent with how web browsers work - the original (fully
qualified) name in the route_data is the correct name for certificate
verification.

For example, in our organisation our internal servers (HTTPS & SMTP) use a
wildcard certificate for *.dev.edesix.com. The mail server is resolved as
follows...

mail.dev.edesix.com CNAME mail.edesix.local
mail.edesix.local A 192.168.1.6

For context - the *.dev.edesix.com wildcard certificate is a real (non-self
signed) LetsEncrypt certificate. This set-up allows our developers to test TLS
functionality on local servers only accessible on the LAN using a real TLS
cert. It works fine with web servers and browsers, but not with exim as an SMTP
client.

Excerpt from debug of a delivery failure:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
routing r...@juno.edesix.com
--------> smarthost router <--------
local_part=root domain=juno.edesix.com
checking domains
juno.edesix.com in ""? no (end of list)
juno.edesix.com in "! +local_domains"? yes (end of list)
calling smarthost router
smarthost router called for r...@juno.edesix.com
  domain = juno.edesix.com
original list of hosts = 'mail.dev.edesix.com' options = 'bydns ipv4_only'
expanded list of hosts = 'mail.dev.edesix.com' options = 'bydns ipv4_only'
set transport smarthost_smtp
finding IP address for mail.dev.edesix.com
doing DNS lookup
mail.dev.edesix.com in "*"? yes (matched "*")
DNS lookup of mail.dev.edesix.com (A) succeeded
192.168.1.6 in "<; 0.0.0.0 ; 127.0.0.0/8 ; ::1"? no (end of list)
fully qualified name = mail.dev.edesix.com
mail.edesix.local 192.168.1.6 mx=-1 sort=-470 
queued for smarthost_smtp transport: local_part = root
domain = juno.edesix.com
  errors_to=NULL
  domain_data=NULL localpart_data=NULL
routed by smarthost router
  envelope to: r...@juno.edesix.com
  transport: smarthost_smtp
  host mail.edesix.local [192.168.1.6]
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Before I added 'bydns ipv4_only' to the route_data the DNS lookup was a little
more complicated, but with the same result:

finding IP address for mail.dev.edesix.com
doing DNS lookup
mail.dev.edesix.com in "*"? yes (matched "*")
DNS lookup of mail.dev.edesix.com (AAAA) succeeded
CNAME found: change to mail.edesix.local
DNS lookup of mail.edesix.local (AAAA) gave NO_DATA
returning DNS_NODATA
faking res_search(AAAA) response length as 65535
 writing neg-cache entry for mail.edesix.local-AAAA-800041, ttl 3600
DNS lookup of mail.dev.edesix.com (A/AAAA) requested AD, but got AA
DNS lookup of mail.dev.edesix.com (A) succeeded
192.168.1.6 in "<; 0.0.0.0 ; 127.0.0.0/8 ; ::1"? no (end of list)
fully qualified name = mail.dev.edesix.com
mail.edesix.local 192.168.1.6 mx=-1 sort=-245

Here is the smtp transport debug output:

smarthost_smtp transport entered
  r...@juno.edesix.com
hostlist:
  'mail.edesix.local' IP 192.168.1.6 port -1
checking status of mail.edesix.local
 locking /var/spool/exim/db/retry.lockfile
 locked  /var/spool/exim/db/retry.lockfile
 EXIM_DBOPEN: file </var/spool/exim/db/retry> dir </var/spool/exim/db>
flags=O_RDONLY
 returned from EXIM_DBOPEN: 0x5635b371d370
 opened hints database /var/spool/exim/db/retry: flags=O_RDONLY
 dbfn_read: key=T:mail.edesix.local:192.168.1.6
 dbfn_read: key=T:mail.edesix.local:192.168.1.6:1jiFk5-0006UE-9S
 EXIM_DBCLOSE(0x5635b371d370)
 closed hints database and lockfile
no message retry record
mail.edesix.local [192.168.1.6] retry-status = usable
192.168.1.6 in serialize_hosts? no (option unset)
delivering 1jiFk5-0006UE-9S to mail.edesix.local [192.168.1.6]
(r...@juno.edesix.com)
set_process_info: 25033 delivering 1jiFk5-0006UE-9S to mail.edesix.local
[192.168.1.6] (r...@juno.edesix.com)
192.168.1.6 in hosts_require_dane? no (option unset)
Connecting to mail.edesix.local [192.168.1.6]:25 ... 192.168.1.6 in
hosts_try_fastopen? yes (matched "*")
 TFO mode sendto, no data: EINPROGRESS
 connected
read response data: size=72
  SMTP<< 220 aulus.edesix.com ESMTP Exim 4.80.1 Mon, 08 Jun 2020 13:31:02 +0100
192.168.1.6 in hosts_avoid_esmtp? no (option unset)
  SMTP>> EHLO juno.edesix.local
cmd buf flush 24 bytes
read response data: size=134
  SMTP<< 250-aulus.edesix.com Hello juno.edesix.local [192.168.1.10]
         250-SIZE 52428800
         250-8BITMIME
         250-PIPELINING
         250-STARTTLS
         250 HELP
192.168.1.6 in hosts_avoid_tls? no (option unset)
  SMTP>> STARTTLS
cmd buf flush 10 bytes
read response data: size=18
  SMTP<< 220 TLS go ahead
192.168.1.6 in hosts_require_ocsp? no (option unset)
192.168.1.6 in hosts_request_ocsp? yes (matched "*")
setting SSL CTX options: 0x42004000
Diffie-Hellman initialized from default with 2048-bit prime
Initialized TLS
required ciphers: HIGH:!aNULL:@STRENGTH
192.168.1.6 in tls_verify_hosts? yes (matched "*")
tls_verify_certificates: system
192.168.1.6 in tls_verify_cert_hostnames? yes (matched "*")
Cert hostname to check: "mail.edesix.local"
Setting TLS SNI "mail.dev.edesix.com"
Calling SSL_connect
SSL_connect: before SSL initialization
SSL_connect: SSLv3/TLS write client hello
SSL_connect: SSLv3/TLS write client hello
SSL_connect: SSLv3/TLS read server hello
SSL verify ok: depth=2 SN=/O=Digital Signature Trust Co./CN=DST Root CA X3
SSL verify ok: depth=1 SN=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
LOG: MAIN
  [192.168.1.6] SSL verify error: certificate name mismatch:
DN="/CN=*.dev.edesix.com" H="mail.edesix.local"
SSL3 alert write:fatal:internal error
SSL_connect: error in error
TLS error '(SSL_connect): error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed'
TLS session fail: (SSL_connect): error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed
  SMTP(close)>>
192.168.1.6 in hosts_require_tls? yes (matched "*")
set_process_info: 25033 delivering 1jiFk5-0006UE-9S: just tried
mail.edesix.local [192.168.1.6] for r...@juno.edesix.com: result DEFER
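The two behaviours described in this report side by side, as an added example that is not Exim code: a lookup that follows the CNAME to an address but either keeps the configured name (what the reporter expects, matching the SNI Exim already sends) or adopts the CNAME target (what the debug output shows) for the certificate name check. The zone data and the wildcard-matching helper are constructed for the example.

```python
# Added example, not Exim source. Models the CNAME-following host lookup
# from the report and the RFC 6125 style wildcard match that decides
# whether the *.dev.edesix.com certificate is accepted.
from dataclasses import dataclass

# Constructed DNS data mirroring the records quoted in the report.
ZONE = {
    ("mail.dev.edesix.com", "CNAME"): "mail.edesix.local",
    ("mail.edesix.local", "A"): "192.168.1.6",
}

@dataclass
class Resolved:
    address: str
    tls_name: str   # name used for SNI and for certificate verification

def resolve(name: str, tls_name_from_cname: bool, max_hops: int = 8) -> Resolved:
    """Follow CNAMEs until an A record is found.
    tls_name_from_cname=True reproduces the reported behaviour (CNAME target
    becomes the verification name); False keeps the originally configured name."""
    original = name
    for _ in range(max_hops):
        addr = ZONE.get((name, "A"))
        if addr:
            return Resolved(addr, name if tls_name_from_cname else original)
        target = ZONE.get((name, "CNAME"))
        if target is None:
            raise LookupError(f"no A or CNAME record for {name}")
        name = target
    raise LookupError("CNAME chain too long")

def cert_name_matches(pattern: str, host: str) -> bool:
    """Hostname match as browsers do it: '*' allowed only as the entire
    leftmost label, and it never matches across a dot."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    suffix = p[1:]                      # e.g. ".dev.edesix.com"
    if not h.endswith(suffix):
        return False
    leftmost = h[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost and "*" not in leftmost

def verify_after_lookup(name: str, cert_cn: str, tls_name_from_cname: bool) -> bool:
    """Resolve the configured host, then check the presented CN against the
    name the client decided to verify."""
    r = resolve(name, tls_name_from_cname)
    return cert_name_matches(cert_cn, r.tls_name)
```

With the reported behaviour the check runs against mail.edesix.local and fails exactly as in the log; verifying the configured name mail.dev.edesix.com accepts the wildcard certificate.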
