authorJeremy Harris <jgh146exb@wizmail.org>2022-12-10 10:47:05 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2022-12-10 15:53:02 +0000
commit4243a209fd9499f30bebd58ceaa2d0d9845407ae (patch)
treeb41720cfb1bb6ed0089d6096835587df8d0f5bdd /test
parentf31b1cd64dfcc7e6a8860ee418543949effd517e (diff)
downloadexim4-4243a209fd9499f30bebd58ceaa2d0d9845407ae.tar.gz
Move connect ACL before TLS-on-connect
Diffstat (limited to 'test')
-rw-r--r--test/confs/571117
-rw-r--r--test/confs/572117
-rw-r--r--test/log/571130
-rw-r--r--test/log/572128
-rw-r--r--test/rejectlog/57114
-rw-r--r--test/rejectlog/57214
-rw-r--r--test/scripts/5710-GnuTLS-events/571112
-rw-r--r--test/scripts/5720-OpenSSL-events/572112
-rw-r--r--test/stdout/571112
-rw-r--r--test/stdout/572112
10 files changed, 119 insertions, 29 deletions
diff --git a/test/confs/5711 b/test/confs/5711
index d66935645..57a9fef08 100644
--- a/test/confs/5711
+++ b/test/confs/5711
@@ -6,7 +6,7 @@ primary_hostname = myhost.test.ex
# ----- Main settings -----
-acl_smtp_connect = accept logwrite = ACL conn
+acl_smtp_connect = check_conn
acl_smtp_quit = accept logwrite = ACL quit
acl_smtp_notquit = accept logwrite = ACL notquit
@@ -16,13 +16,26 @@ tls_certificate = DIR/aux-fixed/cert1
host_reject_connection = ${acl {hrc}}
event_action = ${acl {tls_fail}}
+log_selector = +pid
+
# ------ ACL ------
begin acl
hrc:
- accept logwrite = eval host_reject_connection
+ warn logwrite = eval host_reject_connection
+ accept condition = ${if eq {$received_port}{PORT_D}}
# no mesage= hence host_reject_connection should be empty
+ deny condition = ${if eq {$received_port}{PORT_D2}}
+ message = *
+ # PORT_D2 gets a host_reject_connection
+
+check_conn:
+ warn logwrite = ACL conn
+ deny condition = ${if eq {$received_port}{PORT_D3}}
+ log_message = we dislike you
+ # PORT_D3 gets a conn ACL fail
+ accept
tls_fail:
warn logwrite = EV $event_name
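Review bot: The `hrc` ACL gives no explicit verdict for PORT_D3, so that case relies on the implicit deny at the end of the ACL (with no `message =`) expanding to an empty `host_reject_connection`. The expected log, where pid 1235 goes on to `ACL conn`, suggests this works, but the config never states it. The surviving comment `# no mesage= hence host_reject_connection should be empty` now reads as applying only to the PORT_D `accept`, and it carries a typo. I would add a closing line such as `# PORT_D3 falls through: implicit deny, no message=, so the option is empty and check_conn runs`, or an explicit final `accept` if that is confirmed equivalent, and fix `mesage`. The same applies to the identical hunk in test/confs/5721; the `tls_fail` ACL continues outside the hunk.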
diff --git a/test/confs/5721 b/test/confs/5721
index d156b1bf5..84c7785d9 100644
--- a/test/confs/5721
+++ b/test/confs/5721
@@ -6,7 +6,7 @@ primary_hostname = myhost.test.ex
# ----- Main settings -----
-acl_smtp_connect = accept logwrite = ACL conn
+acl_smtp_connect = check_conn
acl_smtp_quit = accept logwrite = ACL quit
acl_smtp_notquit = accept logwrite = ACL notquit
@@ -16,13 +16,26 @@ tls_certificate = DIR/aux-fixed/cert1
host_reject_connection = ${acl {hrc}}
event_action = ${acl {tls_fail}}
+log_selector = +pid
+
# ------ ACL ------
begin acl
hrc:
- accept logwrite = eval host_reject_connection
+ warn logwrite = eval host_reject_connection
+ accept condition = ${if eq {$received_port}{PORT_D}}
# no mesage= hence host_reject_connection should be empty
+ deny condition = ${if eq {$received_port}{PORT_D2}}
+ message = *
+ # PORT_D2 gets a host_reject_connection
+
+check_conn:
+ warn logwrite = ACL conn
+ deny condition = ${if eq {$received_port}{PORT_D3}}
+ log_message = we dislike you
+ # PORT_D3 gets a conn ACL fail
+ accept
tls_fail:
warn logwrite = EV $event_name
diff --git a/test/log/5711 b/test/log/5711
index 32556a618..baf38b97d 100644
--- a/test/log/5711
+++ b/test/log/5711
@@ -1,14 +1,20 @@
******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTPS on port PORT_D
-1999-03-02 09:44:33 eval host_reject_connection
-1999-03-02 09:44:33 ACL conn
-1999-03-02 09:44:33 ACL quit
-1999-03-02 09:44:33 eval host_reject_connection
-1999-03-02 09:44:33 ACL conn
-1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated.
-1999-03-02 09:44:33 ACL notquit
-1999-03-02 09:44:33 eval host_reject_connection
-1999-03-02 09:44:33 EV tls:fail:connect
-1999-03-02 09:44:33 EVDATA: (gnutls_handshake): The TLS connection was non-properly terminated.
-1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (tls lib accept fn): TCP connection closed by peer
+1999-03-02 09:44:33 [1237] exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTPS on port PORT_D port PORT_D2 port PORT_D3
+1999-03-02 09:44:33 [1238] eval host_reject_connection
+1999-03-02 09:44:33 [1238] ACL conn
+1999-03-02 09:44:33 [1238] ACL quit
+1999-03-02 09:44:33 [1239] eval host_reject_connection
+1999-03-02 09:44:33 [1239] ACL conn
+1999-03-02 09:44:33 [1239] TLS error on connection from [127.0.0.1] (recv): The TLS connection was non-properly terminated.
+1999-03-02 09:44:33 [1239] ACL notquit
+1999-03-02 09:44:33 [1234] eval host_reject_connection
+1999-03-02 09:44:33 [1234] refused connection from [127.0.0.1] (host_reject_connection)
+1999-03-02 09:44:33 [1235] eval host_reject_connection
+1999-03-02 09:44:33 [1235] ACL conn
+1999-03-02 09:44:33 [1235] H=[127.0.0.1] dropped by 'connect' ACL: we dislike you
+1999-03-02 09:44:33 [1240] eval host_reject_connection
+1999-03-02 09:44:33 [1240] ACL conn
+1999-03-02 09:44:33 [1240] EV tls:fail:connect
+1999-03-02 09:44:33 [1240] EVDATA: (gnutls_handshake): The TLS connection was non-properly terminated.
+1999-03-02 09:44:33 [1240] TLS error on connection from [127.0.0.1] (tls lib accept fn): TCP connection closed by peer
diff --git a/test/log/5721 b/test/log/5721
index a1c9f9e37..41583c55a 100644
--- a/test/log/5721
+++ b/test/log/5721
@@ -1,13 +1,19 @@
******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTPS on port PORT_D
-1999-03-02 09:44:33 eval host_reject_connection
-1999-03-02 09:44:33 ACL conn
-1999-03-02 09:44:33 ACL quit
-1999-03-02 09:44:33 eval host_reject_connection
-1999-03-02 09:44:33 ACL conn
-1999-03-02 09:44:33 ACL notquit
-1999-03-02 09:44:33 eval host_reject_connection
-1999-03-02 09:44:33 EV tls:fail:connect
-1999-03-02 09:44:33 EVDATA: SSL_accept: TCP connection closed by peer
-1999-03-02 09:44:33 TLS error on connection from [127.0.0.1] (tls lib accept fn): TCP connection closed by peer
+1999-03-02 09:44:33 [1237] exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTPS on port PORT_D port PORT_D2 port PORT_D3
+1999-03-02 09:44:33 [1238] eval host_reject_connection
+1999-03-02 09:44:33 [1238] ACL conn
+1999-03-02 09:44:33 [1238] ACL quit
+1999-03-02 09:44:33 [1239] eval host_reject_connection
+1999-03-02 09:44:33 [1239] ACL conn
+1999-03-02 09:44:33 [1239] ACL notquit
+1999-03-02 09:44:33 [1234] eval host_reject_connection
+1999-03-02 09:44:33 [1234] refused connection from [127.0.0.1] (host_reject_connection)
+1999-03-02 09:44:33 [1235] eval host_reject_connection
+1999-03-02 09:44:33 [1235] ACL conn
+1999-03-02 09:44:33 [1235] H=[127.0.0.1] dropped by 'connect' ACL: we dislike you
+1999-03-02 09:44:33 [1240] eval host_reject_connection
+1999-03-02 09:44:33 [1240] ACL conn
+1999-03-02 09:44:33 [1240] EV tls:fail:connect
+1999-03-02 09:44:33 [1240] EVDATA: SSL_accept: TCP connection closed by peer
+1999-03-02 09:44:33 [1240] TLS error on connection from [127.0.0.1] (tls lib accept fn): TCP connection closed by peer
diff --git a/test/rejectlog/5711 b/test/rejectlog/5711
new file mode 100644
index 000000000..e9945c13e
--- /dev/null
+++ b/test/rejectlog/5711
@@ -0,0 +1,4 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 [1234] refused connection from [127.0.0.1] (host_reject_connection)
+1999-03-02 09:44:33 [1235] H=[127.0.0.1] dropped by 'connect' ACL: we dislike you
diff --git a/test/rejectlog/5721 b/test/rejectlog/5721
new file mode 100644
index 000000000..e9945c13e
--- /dev/null
+++ b/test/rejectlog/5721
@@ -0,0 +1,4 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 [1234] refused connection from [127.0.0.1] (host_reject_connection)
+1999-03-02 09:44:33 [1235] H=[127.0.0.1] dropped by 'connect' ACL: we dislike you
diff --git a/test/scripts/5710-GnuTLS-events/5711 b/test/scripts/5710-GnuTLS-events/5711
index 7c276229d..725703f2a 100644
--- a/test/scripts/5710-GnuTLS-events/5711
+++ b/test/scripts/5710-GnuTLS-events/5711
@@ -1,6 +1,6 @@
# smtp-on-connect drop-before-tls-accept
#
-exim -DSERVER=server -tls-on-connect -bd -oX PORT_D
+exim -DSERVER=server -tls-on-connect -bd -oX PORT_D:PORT_D2:PORT_D3
****
#
# Normal, full connect and quit
@@ -15,6 +15,16 @@ client-anytls -tls-on-connect 127.0.0.1 PORT_D
??? 220
****
#
+# server rejects using host_reject_connection option
+client-anytls -tls-on-connect 127.0.0.1 PORT_D2
+???*
+****
+#
+# server rejects using conn ACL
+client-anytls -tls-on-connect 127.0.0.1 PORT_D3
+???*
+****
+#
# client disconnects before server TLS accept completes
client 127.0.0.1 PORT_D
+++ 1
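Review bot: Both new cases assert only `???*` (EOF) on the client, so the client transcript cannot tell a `host_reject_connection` refusal from a connect-ACL drop, or from any other failure before the handshake; the distinction rests entirely on the expected log and rejectlog. The `check_conn` deny in the config uses only `log_message`, so this test does not pin what, if anything, is written to the socket in the clear when a connect ACL denies with `message =` on a TLS-on-connect port. A comment above each case, e.g. `# expect TCP close with no TLS handshake; reason is checked in log/rejectlog`, would make the intent explicit, and a further case using `message =` would cover the pre-handshake response. The same applies to test/scripts/5720-OpenSSL-events/5721.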
diff --git a/test/scripts/5720-OpenSSL-events/5721 b/test/scripts/5720-OpenSSL-events/5721
index 0f72c17d2..19f977c7b 100644
--- a/test/scripts/5720-OpenSSL-events/5721
+++ b/test/scripts/5720-OpenSSL-events/5721
@@ -1,6 +1,6 @@
# smtp-on-connect drop-before-tls-accept
#
-exim -DSERVER=server -tls-on-connect -bd -oX PORT_D
+exim -DSERVER=server -tls-on-connect -bd -oX PORT_D:PORT_D2:PORT_D3
****
#
# Normal, full connect and quit
@@ -15,6 +15,16 @@ client-anytls -tls-on-connect 127.0.0.1 PORT_D
??? 220
****
#
+# server rejects using host_reject_connection option
+client-anytls -tls-on-connect 127.0.0.1 PORT_D2
+???*
+****
+#
+# server rejects using conn ACL
+client-anytls -tls-on-connect 127.0.0.1 PORT_D3
+???*
+****
+#
# client disconnects before server TLS accept completes
client 127.0.0.1 PORT_D
+++ 1
diff --git a/test/stdout/5711 b/test/stdout/5711
index d3bf62e95..f96f81b96 100644
--- a/test/stdout/5711
+++ b/test/stdout/5711
@@ -13,6 +13,18 @@ Succeeded in starting TLS
??? 220
<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
End of script
+Connecting to 127.0.0.1 port 1226 ... connected
+Attempting to start TLS
+Failed to start TLS
+???*
+Expected EOF read
+End of script
+Connecting to 127.0.0.1 port 1227 ... connected
+Attempting to start TLS
+Failed to start TLS
+???*
+Expected EOF read
+End of script
Connecting to 127.0.0.1 port 1225 ... connected
+++ 1
End of script
diff --git a/test/stdout/5721 b/test/stdout/5721
index d3bf62e95..f96f81b96 100644
--- a/test/stdout/5721
+++ b/test/stdout/5721
@@ -13,6 +13,18 @@ Succeeded in starting TLS
??? 220
<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
End of script
+Connecting to 127.0.0.1 port 1226 ... connected
+Attempting to start TLS
+Failed to start TLS
+???*
+Expected EOF read
+End of script
+Connecting to 127.0.0.1 port 1227 ... connected
+Attempting to start TLS
+Failed to start TLS
+???*
+Expected EOF read
+End of script
Connecting to 127.0.0.1 port 1225 ... connected
+++ 1
End of script