https://bugs.exim.org/show_bug.cgi?id=2594
Bug ID: 2594 Summary: CNAME handing can break TLS certificate verification Product: Exim Version: 4.93 Hardware: x86-64 OS: Linux Status: NEW Severity: bug Priority: medium Component: TLS Assignee: jgh146...@wizmail.org Reporter: ch...@paulson-ellis.org CC: exim-dev@exim.org When the manualroute router looks up the IP address of a name in the route_data, if it encounters CNAME records, then it correctly follows them until it finds an A (or AAAA) record. However, it also uses the CNAME value as the domain name later used by the smtp transport to verify the TLS certificate returned by the server. This is wrong - or at least inconsistent with how web browsers work - the original (fully qualified) name in the route_data is the correct name for certificate verification. For example, in our organisation our internal servers (HTTPS & SMTP) use a wildcard certificate for *.dev.edesix.com. The mail server is resolved as follows... mail.dev.edesix.com CNAME mail.edesix.local mail.edesix.local A 192.168.1.6 For context - the *.dev.edesix.com wildcard certificate is a real (non-self signed) LetsEncrypt certificate. This set-up allows our developers to test TLS functionality on local servers only accessible on the LAN using a real TLS cert. It works fine with web servers and browsers, but not with exim as an SMTP client. Excerpt from debug of a delivery failure: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> routing r...@juno.edesix.com --------> smarthost router <-------- local_part=root domain=juno.edesix.com checking domains juno.edesix.com in ""? no (end of list) juno.edesix.com in "! +local_domains"? yes (end of list) calling smarthost router smarthost router called for r...@juno.edesix.com domain = juno.edesix.com original list of hosts = 'mail.dev.edesix.com' options = 'bydns ipv4_only' expanded list of hosts = 'mail.dev.edesix.com' options = 'bydns ipv4_only' set transport smarthost_smtp finding IP address for mail.dev.edesix.com doing DNS lookup mail.dev.edesix.com in "*"? yes (matched "*") DNS lookup of mail.dev.edesix.com (A) succeeded 192.168.1.6 in "<; 0.0.0.0 ; 127.0.0.0/8 ; ::1"? no (end of list) fully qualified name = mail.dev.edesix.com mail.edesix.local 192.168.1.6 mx=-1 sort=-470 queued for smarthost_smtp transport: local_part = root domain = juno.edesix.com errors_to=NULL domain_data=NULL localpart_data=NULL routed by smarthost router envelope to: r...@juno.edesix.com transport: smarthost_smtp host mail.edesix.local [192.168.1.6] >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Before I added 'bydns ipv4_only' to the route_data the DNS lookup was a little more complicated, but with the same result: finding IP address for mail.dev.edesix.com doing DNS lookup mail.dev.edesix.com in "*"? yes (matched "*") DNS lookup of mail.dev.edesix.com (AAAA) succeeded CNAME found: change to mail.edesix.local DNS lookup of mail.edesix.local (AAAA) gave NO_DATA returning DNS_NODATA faking res_search(AAAA) response length as 65535 writing neg-cache entry for mail.edesix.local-AAAA-800041, ttl 3600 DNS lookup of mail.dev.edesix.com (A/AAAA) requested AD, but got AA DNS lookup of mail.dev.edesix.com (A) succeeded 192.168.1.6 in "<; 0.0.0.0 ; 127.0.0.0/8 ; ::1"? no (end of list) fully qualified name = mail.dev.edesix.com mail.edesix.local 192.168.1.6 mx=-1 sort=-245 Here is the smtp transport debug output: smarthost_smtp transport entered r...@juno.edesix.com hostlist: 'mail.edesix.local' IP 192.168.1.6 port -1 checking status of mail.edesix.local locking /var/spool/exim/db/retry.lockfile locked /var/spool/exim/db/retry.lockfile EXIM_DBOPEN: file </var/spool/exim/db/retry> dir </var/spool/exim/db> flags=O_RDONLY returned from EXIM_DBOPEN: 0x5635b371d370 opened hints database /var/spool/exim/db/retry: flags=O_RDONLY dbfn_read: key=T:mail.edesix.local:192.168.1.6 dbfn_read: key=T:mail.edesix.local:192.168.1.6:1jiFk5-0006UE-9S EXIM_DBCLOSE(0x5635b371d370) closed hints database and lockfile no message retry record mail.edesix.local [192.168.1.6] retry-status = usable 192.168.1.6 in serialize_hosts? no (option unset) delivering 1jiFk5-0006UE-9S to mail.edesix.local [192.168.1.6] (r...@juno.edesix.com) set_process_info: 25033 delivering 1jiFk5-0006UE-9S to mail.edesix.local [192.168.1.6] (r...@juno.edesix.com) 192.168.1.6 in hosts_require_dane? no (option unset) Connecting to mail.edesix.local [192.168.1.6]:25 ... 192.168.1.6 in hosts_try_fastopen? yes (matched "*") TFO mode sendto, no data: EINPROGRESS connected read response data: size=72 SMTP<< 220 aulus.edesix.com ESMTP Exim 4.80.1 Mon, 08 Jun 2020 13:31:02 +0100 192.168.1.6 in hosts_avoid_esmtp? no (option unset) SMTP>> EHLO juno.edesix.local cmd buf flush 24 bytes read response data: size=134 SMTP<< 250-aulus.edesix.com Hello juno.edesix.local [192.168.1.10] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-STARTTLS 250 HELP 192.168.1.6 in hosts_avoid_tls? no (option unset) SMTP>> STARTTLS cmd buf flush 10 bytes read response data: size=18 SMTP<< 220 TLS go ahead 192.168.1.6 in hosts_require_ocsp? no (option unset) 192.168.1.6 in hosts_request_ocsp? yes (matched "*") setting SSL CTX options: 0x42004000 Diffie-Hellman initialized from default with 2048-bit prime Initialized TLS required ciphers: HIGH:!aNULL:@STRENGTH 192.168.1.6 in tls_verify_hosts? yes (matched "*") tls_verify_certificates: system 192.168.1.6 in tls_verify_cert_hostnames? yes (matched "*") Cert hostname to check: "mail.edesix.local" Setting TLS SNI "mail.dev.edesix.com" Calling SSL_connect SSL_connect: before SSL initialization SSL_connect: SSLv3/TLS write client hello SSL_connect: SSLv3/TLS write client hello SSL_connect: SSLv3/TLS read server hello SSL verify ok: depth=2 SN=/O=Digital Signature Trust Co./CN=DST Root CA X3 SSL verify ok: depth=1 SN=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 LOG: MAIN [192.168.1.6] SSL verify error: certificate name mismatch: DN="/CN=*.dev.edesix.com" H="mail.edesix.local" SSL3 alert write:fatal:internal error SSL_connect: error in error TLS error '(SSL_connect): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed' TLS session fail: (SSL_connect): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed SMTP(close)>> 192.168.1.6 in hosts_require_tls? yes (matched "*") set_process_info: 25033 delivering 1jiFk5-0006UE-9S: just tried mail.edesix.local [192.168.1.6] for r...@juno.edesix.com: result DEFER -- You are receiving this mail because: You are on the CC list for the bug. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##