Gitweb:
http://git.exim.org/exim.git/commitdiff/6c9ed72eaa948d340dba0ea0a878f9570852ab35
Commit: 6c9ed72eaa948d340dba0ea0a878f9570852ab35
Parent: 69cbeaec9d414796f70ab0a98b581895cae0be89
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Tue Mar 24 18:25:27 2015 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Tue Mar 24 18:25:27 2015 +0000
Use TLS by default on callouts/cutthroughs
---
doc/doc-docbook/spec.xfpt | 5 +++--
doc/doc-txt/ChangeLog | 2 ++
src/src/transports/smtp.c | 2 +-
test/confs/5840 | 4 ----
test/stderr/5840 | 3 +--
5 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5f0346e..f274db7 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -23190,12 +23190,13 @@ that matches this list, even if the server host advertises PIPELINING support.
Exim will not try to start a TLS session when delivering to any host that
matches this list. See chapter &<<CHAPTLS>>& for details of TLS.
-.option hosts_verify_avoid_tls smtp "host list&!!" *
+.new
+.option hosts_verify_avoid_tls smtp "host list&!!" unset
.cindex "TLS" "avoiding for certain hosts"
Exim will not try to start a TLS session for a verify callout,
or when delivering in cutthrough mode,
to any host that matches this list.
-Note that the default is to not use TLS.
+.wen
.option hosts_max_try smtp integer 5
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 55af318..c0a965e 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -81,6 +81,8 @@ JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters
JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size
from 255 to 1024 chars.
+JH/24 Verification callouts now attempt to use TLS by default.
+
Exim version 4.85
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 6a8fbc4..b0fe177 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -224,7 +224,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
#endif
NULL, /* hosts_require_tls */
NULL, /* hosts_avoid_tls */
- US"*", /* hosts_verify_avoid_tls */
+ NULL, /* hosts_verify_avoid_tls */
NULL, /* hosts_avoid_pipelining */
NULL, /* hosts_avoid_esmtp */
NULL, /* hosts_nopass_tls */
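Review bot: The new `NULL` default for `hosts_verify_avoid_tls` carries no explanation at the changed line, whereas the old `US"*"` made the intent readable from the table itself; in a positional initializer like this the trailing comment is where a reader looks for what a default means. The updated test fixture shows an unset list evaluates as "no (option unset)", i.e. no host is avoided and verify callouts and cutthrough deliveries now attempt TLS, so a short comment would keep that visible: `NULL, /* hosts_verify_avoid_tls - unset: callouts/cutthrough attempt TLS */`. What happens when a callout's STARTTLS handshake fails (fallback to cleartext or a failed callout) is not visible in this hunk and is presumably worth stating in the option's documentation, since that is the behaviour administrators who relied on the old "*" default will notice. The smtp_transport_option_defaults initializer begins before and continues after the hunk.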
diff --git a/test/confs/5840 b/test/confs/5840
index 0447ce3..4f468a3 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -66,12 +66,8 @@ send_to_server:
allow_localhost
port = PORT_D
- hosts_verify_avoid_tls = :
hosts_try_dane = *
hosts_require_dane = !thishost.test.ex
- hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
- {= {0}{$tls_out_tlsa_usage}} } \
- {*}{}}
tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
tls_try_verify_hosts = thishost.test.ex
tls_verify_certificates = CDIR2/ca_chain.pem
diff --git a/test/stderr/5840 b/test/stderr/5840
index eeffc11..b2097c1 100644
--- a/test/stderr/5840
+++ b/test/stderr/5840
@@ -33,11 +33,10 @@ MUNGED: ::1 will be omitted in what follows
>>> 250-STARTTLS
>>> 250 HELP
>>> ip4.ip4.ip4.ip4 in hosts_avoid_tls? no (option unset)
->>> ip4.ip4.ip4.ip4 in hosts_verify_avoid_tls? no (end of list)
+>>> ip4.ip4.ip4.ip4 in hosts_verify_avoid_tls? no (option unset)
>>> SMTP>> STARTTLS
>>> SMTP<< 220 TLS go ahead
>>> ip4.ip4.ip4.ip4 in hosts_require_ocsp? no (option unset)
->>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? yes (matched "*")
>>> ip4.ip4.ip4.ip4 in hosts_require_ocsp? no (option unset)
>>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? no (end of list)
>>> SMTP>> EHLO myhost.test.ex