[exim-cvs] Use TLS by default on callouts/cutthroughs

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Use TLS by default on callouts/cutthroughs
Gitweb: http://git.exim.org/exim.git/commitdiff/6c9ed72eaa948d340dba0ea0a878f9570852ab35
Commit:     6c9ed72eaa948d340dba0ea0a878f9570852ab35
Parent:     69cbeaec9d414796f70ab0a98b581895cae0be89
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Tue Mar 24 18:25:27 2015 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Tue Mar 24 18:25:27 2015 +0000


    Use TLS by default on callouts/cutthroughs
---
 doc/doc-docbook/spec.xfpt |    5 +++--
 doc/doc-txt/ChangeLog     |    2 ++
 src/src/transports/smtp.c |    2 +-
 test/confs/5840           |    4 ----
 test/stderr/5840          |    3 +--
 5 files changed, 7 insertions(+), 9 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5f0346e..f274db7 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -23190,12 +23190,13 @@ that matches this list, even if the server host advertises PIPELINING support.
Exim will not try to start a TLS session when delivering to any host that
matches this list. See chapter &<<CHAPTLS>>& for details of TLS.

-.option hosts_verify_avoid_tls smtp "host list&!!" *
+.new
+.option hosts_verify_avoid_tls smtp "host list&!!" unset
.cindex "TLS" "avoiding for certain hosts"
Exim will not try to start a TLS session for a verify callout,
or when delivering in cutthrough mode,
to any host that matches this list.
-Note that the default is to not use TLS.
+.wen


 .option hosts_max_try smtp integer 5
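Review bot: the rewritten hosts_verify_avoid_tls entry drops the sentence "Note that the default is to not use TLS." but does not say what the new default (unset) means for behaviour, so a reader of the spec can no longer tell that callouts and cutthrough deliveries now attempt STARTTLS. Suggest adding one sentence inside the .new/.wen block, e.g. "By default TLS is attempted for callouts and cutthrough deliveries; set this option to * to restore the previous behaviour.", since the old default of "*" is exactly what existing configurations may be relying on.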
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 55af318..c0a965e 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -81,6 +81,8 @@ JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters
 JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size
       from 255 to 1024 chars.


+JH/24 Verification callouts now attempt to use TLS by default.
+


 Exim version 4.85
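Review bot: the ChangeLog entry JH/24 mentions only verification callouts, while the commit subject and the spec.xfpt change cover cutthrough delivery as well; suggest "Verification callouts and cutthrough deliveries now attempt to use TLS by default." The entry should also flag this as a behaviour change for existing installations, because a site whose callout targets have broken STARTTLS will see different verification results after upgrading unless it sets hosts_verify_avoid_tls = * in the smtp transport.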
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 6a8fbc4..b0fe177 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -224,7 +224,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 #endif
   NULL,                /* hosts_require_tls */
   NULL,                /* hosts_avoid_tls */
-  US"*",               /* hosts_verify_avoid_tls */
+  NULL,                /* hosts_verify_avoid_tls */
   NULL,                /* hosts_avoid_pipelining */
   NULL,                /* hosts_avoid_esmtp */
   NULL,                /* hosts_nopass_tls */
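Review bot: changing the compiled-in default from US"*" to NULL is consistent with the spec's new "unset" default and with the expected debug line "in hosts_verify_avoid_tls? no (option unset)" in test/stderr/5840, which confirms the host-list check treats a NULL option as no match rather than as an error. Worth double-checking that every other place that reads hosts_verify_avoid_tls (the callout path in verify.c as well as the cutthrough path) goes through the same NULL-tolerant list matching, since a direct dereference of the old non-NULL default would now crash.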
diff --git a/test/confs/5840 b/test/confs/5840
index 0447ce3..4f468a3 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -66,12 +66,8 @@ send_to_server:
   allow_localhost
   port = PORT_D


-  hosts_verify_avoid_tls = :
   hosts_try_dane =     *
   hosts_require_dane = !thishost.test.ex
-  hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
-                 {= {0}{$tls_out_tlsa_usage}} } \
-                        {*}{}}
   tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
   tls_try_verify_hosts = thishost.test.ex
   tls_verify_certificates = CDIR2/ca_chain.pem
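Review bot: removing the hosts_request_ocsp expansion (the three deleted lines keyed on $tls_out_tlsa_usage) is unrelated to the TLS-by-default change in the commit subject and is not explained in the commit message; suggest either mentioning it there or splitting it into its own commit so the intent behind the test-config change is recorded. Dropping "hosts_verify_avoid_tls = :" is fine, as that line only existed to override the old "*" default.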
diff --git a/test/stderr/5840 b/test/stderr/5840
index eeffc11..b2097c1 100644
--- a/test/stderr/5840
+++ b/test/stderr/5840
@@ -33,11 +33,10 @@ MUNGED: ::1 will be omitted in what follows

 >>>          250-STARTTLS
 >>>          250 HELP
 >>> ip4.ip4.ip4.ip4 in hosts_avoid_tls? no (option unset)

->>> ip4.ip4.ip4.ip4 in hosts_verify_avoid_tls? no (end of list)
+>>> ip4.ip4.ip4.ip4 in hosts_verify_avoid_tls? no (option unset)
>>> SMTP>> STARTTLS
>>> SMTP<< 220 TLS go ahead
>>> ip4.ip4.ip4.ip4 in hosts_require_ocsp? no (option unset)

->>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? yes (matched "*")
>>> ip4.ip4.ip4.ip4 in hosts_require_ocsp? no (option unset)
>>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? no (end of list)
>>> SMTP>> EHLO myhost.test.ex
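Review bot: the line ">>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? yes (matched "*")" is deleted outright rather than replaced by a "no" result, while a later hosts_request_ocsp check further down still appears as "no (end of list)"; confirm that the first check genuinely no longer runs with the new config (rather than the expected output having been edited to match a run whose OCSP behaviour changed for another reason), and record in the commit message why the OCSP request expectations changed.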