[exim-cvs] Retire EXPERIMENTAL_REQUIRETLS

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Retire EXPERIMENTAL_REQUIRETLS
Gitweb: https://git.exim.org/exim.git/commitdiff/9883af7240d3c25b7a8a859c9e8482caacd5f1aa
Commit:     9883af7240d3c25b7a8a859c9e8482caacd5f1aa
Parent:     6ce06eea5dcccf1615c6bbe52391f9c367de6cf7
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Fri Mar 15 22:01:07 2019 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Fri Mar 15 23:11:43 2019 +0000


    Retire EXPERIMENTAL_REQUIRETLS
---
 doc/doc-txt/experimental-spec.txt     |  35 ---------
 src/src/EDITME                        |   5 --
 src/src/acl.c                         |  18 -----
 src/src/child.c                       |  16 ----
 src/src/config.h.defaults             |   1 -
 src/src/deliver.c                     |   5 --
 src/src/exim.c                        |  13 ----
 src/src/expand.c                      |   3 -
 src/src/globals.c                     |   5 --
 src/src/globals.h                     |   5 --
 src/src/macro_predef.c                |   3 -
 src/src/macros.h                      |  11 +--
 src/src/readconf.c                    |   3 -
 src/src/smtp_in.c                     |  60 ---------------
 src/src/spool_in.c                    |   7 --
 src/src/spool_out.c                   |   4 -
 src/src/transports/smtp.c             |  67 +----------------
 src/src/verify.c                      |   7 --
 test/confs/5910                       | 136 ----------------------------------
 test/log/5910                         |  23 ------
 test/mail/5910.dump                   |  20 -----
 test/scripts/5910-REQUIRETLS/5910     |  64 ----------------
 test/scripts/5910-REQUIRETLS/5911     | 125 -------------------------------
 test/scripts/5910-REQUIRETLS/5912     |  37 ---------
 test/scripts/5910-REQUIRETLS/REQUIRES |   2 -
 test/stderr/4052                      |   6 +-
 test/stdout/5910                      |  60 ---------------
 27 files changed, 9 insertions(+), 732 deletions(-)


diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 84fd547..9b472c0 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -871,41 +871,6 @@ used via the transport in question.



-REQUIRETLS support
-------------------
-Ref: https://tools.ietf.org/html/draft-ietf-uta-smtp-require-tls-03
-
-If compiled with EXPERIMENTAL_REQUIRETLS support is included for this
-feature, where a REQUIRETLS option is added to the MAIL command.
-The client may not retry in clear if the MAIL+REQUIRETLS fails (or was never
-offered), and the server accepts an obligation that any onward transmission
-by SMTP of the messages accepted will also use REQUIRETLS - or generate a
-fail DSN.
-
-The Exim implementation includes
-- a main-part option tls_advertise_requiretls; host list, default "*"
-- an observability variable $requiretls returning yes/no
-- an ACL "control = requiretls" modifier for setting the requirement
-- Log lines and Received: headers capitalise the S in the protocol
- element: "P=esmtpS"
-
-Differences from spec:
-- we support upgrading the requirement for REQUIRETLS, including adding
- it from cold, within an MTA. The spec only define the sourcing MUA
- as being able to source the requirement, and makes no mention of upgrade.
-- No support is coded for the RequireTLS header (which can be used
- to annul DANE and/or STS policiy). [this can _almost_ be done in
- transport option expansions, but not quite: it requires tha DANE-present
- but STARTTLS-failing targets fallback to cleartext, which current DANE
- coding specifically blocks]
-
-Note that REQUIRETLS is only advertised once a TLS connection is achieved
-(in contrast to STARTTLS). If you want to check the advertising, do something
-like "swaks -s 127.0.0.1 -tls -q HELO".
-
-
-
-
Early pipelining support
------------------------
Ref: https://datatracker.ietf.org/doc/draft-harris-early-pipe/
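Review bot: missing removal notice for user-visible configuration. The section deleted here documents the main option tls_advertise_requiretls, the $requiretls variable and the "control = requiretls" ACL modifier, yet none of the 27 files in the diffstat is a changelog or upgrade note, and the commit message gives no reason for the retirement. A configuration written for an EXPERIMENTAL_REQUIRETLS build will no longer be recognised once the readconf.c, expand.c and acl.c entries are gone, so add a short entry saying that the feature has been withdrawn and that sites relying on it for enforced TLS need another control (hosts_require_tls is the nearest one still visible in the smtp transport hunks).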
diff --git a/src/src/EDITME b/src/src/EDITME
index a5bc8d0..43cf13c 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -514,11 +514,6 @@ DISABLE_MAL_MKS=yes
# Uncomment the following line to add queuefile transport support
# EXPERIMENTAL_QUEUEFILE=yes

-# Uncomment the following to add REQUIRETLS support.
-# You must also have SUPPORT_TLS enabled.
-# Ref: https://datatracker.ietf.org/doc/draft-fenton-smtp-require-tls
-# EXPERIMENTAL_REQUIRETLS=yes
-
 ###############################################################################
 #                 THESE ARE THINGS YOU MIGHT WANT TO SPECIFY                  #
 ###############################################################################
diff --git a/src/src/acl.c b/src/src/acl.c
index 8fbd225..6168187 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -367,9 +367,6 @@ enum {
   CONTROL_NO_PIPELINING,


CONTROL_QUEUE_ONLY,
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
- CONTROL_REQUIRETLS,
-#endif
CONTROL_SUBMISSION,
CONTROL_SUPPRESS_LOCAL_FIXUPS,
#ifdef SUPPORT_I18N
@@ -515,16 +512,6 @@ static control_def controls_list[] = {
},


-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-[CONTROL_REQUIRETLS] =
-  { US"requiretls",         FALSE,
-      (unsigned)
-      ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA |
-        ACL_BIT_DATA | ACL_BIT_MIME |
-        ACL_BIT_NOTSMTP)
-  },
-#endif
-
 [CONTROL_SUBMISSION] =
   { US"submission",              TRUE,
       (unsigned)
@@ -3168,11 +3155,6 @@ for (; cb; cb = cb->next)
     cancel_cutthrough_connection(TRUE, US"queueing forced");
     break;


-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-    case CONTROL_REQUIRETLS:
-    tls_requiretls |= REQUIRETLS_MSG;
-    break;
-#endif
     case CONTROL_SUBMISSION:
     originator_name = US"";
     f.submission_mode = TRUE;
diff --git a/src/src/child.c b/src/src/child.c
index 2262678..e53e448 100644
--- a/src/src/child.c
+++ b/src/src/child.c
@@ -10,10 +10,6 @@


static void (*oldsignal)(int);

-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-static uschar tls_requiretls_copy = 0;
-#endif
-

 /*************************************************
 *          Ensure an fd has a given value        *
@@ -79,10 +75,6 @@ int n = 0;
 int extra = pcount ? *pcount : 0;
 uschar **argv;


-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-if (tls_requiretls) extra++;
-#endif
-
argv = store_get((extra + acount + MAX_CLMACROS + 18) * sizeof(char *));

 /* In all case, the list starts out with the path, any macros, and a changed
@@ -129,11 +121,6 @@ if (!minimal)
     }
   }


-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-if (tls_requiretls_copy & REQUIRETLS_MSG)
- argv[n++] = US"-MS";
-#endif
-
/* Now add in any others that are in the call. Remember which they were,
for more helpful diagnosis on failure. */

@@ -243,9 +230,6 @@ occur. */

 if (pid == 0)
   {
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-  tls_requiretls_copy = tls_requiretls;
-#endif
   force_fd(pfd[pipe_read], 0);
   (void)close(pfd[pipe_write]);
   if (debug_fd > 0) force_fd(debug_fd, 2);
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index 5568829..dc69e2f 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -201,7 +201,6 @@ Do not put spaces between # and the 'define'.
     #define DMARC_TLD_FILE "/etc/exim/opendmarc.tlds"
 #define EXPERIMENTAL_LMDB
 #define EXPERIMENTAL_PIPE_CONNECT
-#define EXPERIMENTAL_REQUIRETLS
 #define EXPERIMENTAL_QUEUEFILE
 #define EXPERIMENTAL_SRS


diff --git a/src/src/deliver.c b/src/src/deliver.c
index 0711879..c1396a7 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -8507,11 +8507,6 @@ if (!regex_AUTH) regex_AUTH =
#ifdef SUPPORT_TLS
if (!regex_STARTTLS) regex_STARTTLS =
regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE);
-
-# ifdef EXPERIMENTAL_REQUIRETLS
-if (!regex_REQUIRETLS) regex_REQUIRETLS =
- regex_must_compile(US"\\n250[\\s\\-]REQUIRETLS(\\s|\\n|$)", FALSE, TRUE);
-# endif
#endif

 if (!regex_CHUNKING) regex_CHUNKING =
diff --git a/src/src/exim.c b/src/src/exim.c
index 8e700f7..7c9aa0e 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -903,9 +903,6 @@ fprintf(fp, "Support for:");
 #ifdef EXPERIMENTAL_DSN_INFO
   fprintf(fp, " Experimental_DSN_info");
 #endif
-#ifdef EXPERIMENTAL_REQUIRETLS
-  fprintf(fp, " Experimental_REQUIRETLS");
-#endif
 #ifdef EXPERIMENTAL_PIPE_CONNECT
   fprintf(fp, " Experimental_PIPE_CONNECT");
 #endif
@@ -2710,16 +2707,6 @@ for (i = 1; i < argc; i++)
       break;
       }


-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-    /* -MS   set REQUIRETLS on (new) message */
-
-    else if (*argrest == 'S')
-      {
-      tls_requiretls |= REQUIRETLS_MSG;
-      break;
-      }
-#endif
-
     /* -M[x]: various operations on the following list of message ids:
        -M    deliver the messages, ignoring next retry times and thawing
        -Mc   deliver the messages, checking next retry times, no thawing
diff --git a/src/src/expand.c b/src/src/expand.c
index d395436..2fc3a81 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -668,9 +668,6 @@ static var_entry var_table[] = {
   { "regex_match_string",  vtype_stringptr,   &regex_match_string },
 #endif
   { "reply_address",       vtype_reply,       NULL },
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-  { "requiretls",          vtype_bool,        &tls_requiretls },
-#endif
   { "return_path",         vtype_stringptr,   &return_path },
   { "return_size_limit",   vtype_int,         &bounce_return_size_limit },
   { "router_name",         vtype_stringptr,   &router_name },
diff --git a/src/src/globals.c b/src/src/globals.c
index 94fab00..f52ae92 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -161,11 +161,6 @@ uschar *tls_ocsp_file          = NULL;
 uschar *tls_privatekey         = NULL;
 BOOL    tls_remember_esmtp     = FALSE;
 uschar *tls_require_ciphers    = NULL;
-# ifdef EXPERIMENTAL_REQUIRETLS
-uschar  tls_requiretls         = 0;    /* REQUIRETLS_MSG etc. bit #defines */
-uschar *tls_advertise_requiretls = US"*";
-const pcre *regex_REQUIRETLS   = NULL;
-# endif
 uschar *tls_try_verify_hosts   = NULL;
 uschar *tls_verify_certificates= US"system";
 uschar *tls_verify_hosts       = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index 12cc1af..a0c1977 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -122,11 +122,6 @@ extern uschar *tls_eccurve;            /* EC curve */
 extern uschar *tls_ocsp_file;          /* OCSP stapling proof file */
 # endif
 extern uschar *tls_privatekey;         /* Private key file */
-# ifdef EXPERIMENTAL_REQUIRETLS
-extern uschar  tls_requiretls;         /* REQUIRETLS active for this message */
-extern uschar *tls_advertise_requiretls; /* hosts for which REQUIRETLS adv */
-extern const pcre *regex_REQUIRETLS;   /* for recognising the command */
-# endif
 extern BOOL    tls_remember_esmtp;     /* For YAEB */
 extern uschar *tls_require_ciphers;    /* So some can be avoided */
 extern uschar *tls_try_verify_hosts;   /* Optional client verification */
diff --git a/src/src/macro_predef.c b/src/src/macro_predef.c
index f92671a..86be52f 100644
--- a/src/src/macro_predef.c
+++ b/src/src/macro_predef.c
@@ -197,9 +197,6 @@ due to conflicts with other common macros. */
 #ifdef EXPERIMENTAL_DSN_INFO
   builtin_macro_create(US"_HAVE_DSN_INFO");
 #endif
-#ifdef EXPERIMENTAL_REQUIRETLS
-  builtin_macro_create(US"_HAVE_REQTLS");
-#endif
 #ifdef EXPERIMENTAL_PIPE_CONNECT
   builtin_macro_create(US"_HAVE_PIPE_CONNECT");
 #endif
diff --git a/src/src/macros.h b/src/src/macros.h
index 7599550..a1dd999 100644
--- a/src/src/macros.h
+++ b/src/src/macros.h
@@ -559,9 +559,7 @@ table exim_errstrings[] in log.c */
 #ifdef SUPPORT_I18N
 # define ERRNO_UTF8_FWD      (-49)   /* target not supporting SMTPUTF8 */
 #endif
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-# define ERRNO_REQUIRETLS    (-50)   /* REQUIRETLS session not started */
-#endif
+                /* -50 free for re-use */


/* These must be last, so all retry deferments can easily be identified */

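Review bot: possible leftover in log.c for the retired code at the "-50 free for re-use" line. The @@ context says these errno values have a matching table, exim_errstrings[] in log.c, but log.c is not in the diffstat. If that table carries an entry for ERRNO_REQUIRETLS it should go in the same commit, and if the table is indexed by position the -50 slot needs a placeholder so that ERRNO_UTF8_FWD (-49) and the later codes still line up.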
@@ -1029,12 +1027,7 @@ enum { FILTER_UNSET, FILTER_FORWARD, FILTER_EXIM, FILTER_SIEVE };
 #define OPTION_PIPE        BIT(5)
 #define OPTION_SIZE        BIT(6)
 #define OPTION_CHUNKING        BIT(7)
-#define OPTION_REQUIRETLS    BIT(8)
-#define OPTION_EARLY_PIPE    BIT(9)
-
-/* Codes for tls_requiretls requests (usually by sender) */
-
-#define REQUIRETLS_MSG        BIT(0)    /* REQUIRETLS onward use */
+#define OPTION_EARLY_PIPE    BIT(8)


/* Argument for *_getc */

diff --git a/src/src/readconf.c b/src/src/readconf.c
index eb68442..71cdae8 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -355,9 +355,6 @@ static optionlist optionlist_config[] = {
   { "timezone",                 opt_stringptr,   &timezone_string },
   { "tls_advertise_hosts",      opt_stringptr,   &tls_advertise_hosts },
 #ifdef SUPPORT_TLS
-# ifdef EXPERIMENTAL_REQUIRETLS
-  { "tls_advertise_requiretls", opt_stringptr,   &tls_advertise_requiretls },
-# endif
   { "tls_certificate",          opt_stringptr,   &tls_certificate },
   { "tls_crl",                  opt_stringptr,   &tls_crl },
   { "tls_dh_max_bits",          opt_int,         &tls_dh_max_bits },
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index b071298..b46f3e8 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -135,9 +135,6 @@ static struct {
   BOOL auth_advertised            :1;
 #ifdef SUPPORT_TLS
   BOOL tls_advertised            :1;
-# ifdef EXPERIMENTAL_REQUIRETLS
-  BOOL requiretls_advertised        :1;
-# endif
 #endif
   BOOL dsn_advertised            :1;
   BOOL esmtp                :1;
@@ -268,9 +265,6 @@ enum {
 #ifdef SUPPORT_I18N
   ENV_MAIL_OPT_UTF8,
 #endif
-#ifdef EXPERIMENTAL_REQUIRETLS
-  ENV_MAIL_OPT_REQTLS,
-#endif
   };
 typedef struct {
   uschar *   name;  /* option requested during MAIL cmd */
@@ -290,10 +284,6 @@ static env_mail_type_t env_mail_type_list[] = {
 #ifdef SUPPORT_I18N
     { US"SMTPUTF8",ENV_MAIL_OPT_UTF8,  FALSE },        /* rfc6531 */
 #endif
-#ifdef EXPERIMENTAL_REQUIRETLS
-    /* https://tools.ietf.org/html/draft-ietf-uta-smtp-require-tls-03 */
-    { US"REQUIRETLS",ENV_MAIL_OPT_REQTLS,  FALSE },
-#endif
     /* keep this the last entry */
     { US"NULL",   ENV_MAIL_OPT_NULL,   FALSE },
   };
@@ -2476,9 +2466,6 @@ tls_in.ourcert = tls_in.peercert = NULL;
 tls_in.sni = NULL;
 tls_in.ocsp = OCSP_NOT_REQ;
 fl.tls_advertised = FALSE;
-# ifdef EXPERIMENTAL_REQUIRETLS
-fl.requiretls_advertised = FALSE;
-# endif
 #endif
 fl.dsn_advertised = FALSE;
 #ifdef SUPPORT_I18N
@@ -4237,9 +4224,6 @@ while (done <= 0)
       f.smtp_in_pipelining_advertised = FALSE;
 #ifdef SUPPORT_TLS
       fl.tls_advertised = FALSE;
-# ifdef EXPERIMENTAL_REQUIRETLS
-      fl.requiretls_advertised = FALSE;
-# endif
 #endif
       fl.dsn_advertised = FALSE;
 #ifdef SUPPORT_I18N
@@ -4439,17 +4423,6 @@ while (done <= 0)
       g = string_catn(g, US"-STARTTLS\r\n", 11);
       fl.tls_advertised = TRUE;
       }
-
-# ifdef EXPERIMENTAL_REQUIRETLS
-    /* Advertise REQUIRETLS only once we are in a secure connection */
-    if (  tls_in.active.sock >= 0
-       && verify_check_host(&tls_advertise_requiretls) != FAIL)
-      {
-      g = string_catn(g, smtp_code, 3);
-      g = string_catn(g, US"-REQUIRETLS\r\n", 13);
-      fl.requiretls_advertised = TRUE;
-      }
-# endif
 #endif


 #ifndef DISABLE_PRDR
@@ -4774,28 +4747,6 @@ while (done <= 0)
         break;
 #endif


-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-      case ENV_MAIL_OPT_REQTLS:
-        {
-        uschar * r, * t;
-
-        if (!fl.requiretls_advertised)
-          {
-          done = synprot_error(L_smtp_syntax_error, 555, NULL,
-        US"unadvertised MAIL option: REQUIRETLS");
-          goto COMMAND_LOOP;
-          }
-
-        DEBUG(D_receive) debug_printf("requiretls requested\n");
-        tls_requiretls = REQUIRETLS_MSG;
-
-        r = string_copy_malloc(received_protocol);
-        if ((t = Ustrrchr(r, 's'))) *t = 'S';
-        received_protocol = r;
-        }
-        break;
-#endif
-
       /* No valid option. Stick back the terminator characters and break
       the loop.  Do the name-terminator second as extract_option sets
       value==name when it found no equal-sign.
@@ -4813,17 +4764,6 @@ while (done <= 0)
     if (arg_error) break;
     }


-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-      if (tls_requiretls & REQUIRETLS_MSG)
-    {
-    /* Ensure headers-only bounces whether a RET option was given or not. */
-
-    DEBUG(D_receive) if (dsn_ret == dsn_ret_full)
-      debug_printf("requiretls override: dsn_ret_full -> dsn_ret_hdrs\n");
-    dsn_ret = dsn_ret_hdrs;
-    }
-#endif
-
       /* If we have passed the threshold for rate limiting, apply the current
       delay, and update it for next time, provided this is a limited host. */


diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index c9f37ab..786eb51 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -286,9 +286,6 @@ tls_free_cert(&tls_in.peercert);
tls_in.peerdn = NULL;
tls_in.sni = NULL;
tls_in.ocsp = OCSP_NOT_REQ;
-# if defined(EXPERIMENTAL_REQUIRETLS) && !defined(COMPILE_UTILITY)
-tls_requiretls = 0;
-# endif
#endif

 #ifdef WITH_CONTENT_SCAN
@@ -670,10 +667,6 @@ for (;;)
     tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
       else if (Ustrncmp(q, "ocsp", 4) == 0)
     tls_in.ocsp = big_buffer[10] - '0';
-# if defined(EXPERIMENTAL_REQUIRETLS) && !defined(COMPILE_UTILITY)
-      else if (Ustrncmp(q, "requiretls", 10) == 0)
-    tls_requiretls = strtol(CS big_buffer+16, NULL, 0);
-# endif
       }
     break;
 #endif
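Review bot: no handling for spool files already on disk, at the removed "requiretls" branch of this -tls_ key chain. A build with the feature wrote a "-tls_requiretls 0x%x" line (see the spool_out.c hunk) for every message carrying the requirement. With the branch gone the reader matches none of the remaining keys and falls through to the break, so a message queued under REQUIRETLS silently loses the flag and is then delivered under the transport's ordinary TLS policy, since smtp.c no longer clears tls_tempfail_tryclear or adds REQUIRETLS to MAIL. Consider keeping a recognise-and-log branch for one release, or documenting that the queue should be drained before upgrading.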
diff --git a/src/src/spool_out.c b/src/src/spool_out.c
index 8b227de..3970206 100644
--- a/src/src/spool_out.c
+++ b/src/src/spool_out.c
@@ -250,10 +250,6 @@ if (tls_in.ourcert)
   fprintf(fp, "-tls_ourcert %s\n", CS big_buffer);
   }
 if (tls_in.ocsp)     fprintf(fp, "-tls_ocsp %d\n",   tls_in.ocsp);
-
-# ifdef EXPERIMENTAL_REQUIRETLS
-if (tls_requiretls)     fprintf(fp, "-tls_requiretls 0x%x\n", tls_requiretls);
-# endif
 #endif


 #ifdef SUPPORT_I18N
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 5fd278e..3558fa6 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -992,7 +992,7 @@ if (pending_EHLO)
       ? &sx->ehlo_resp.cleartext_auths : &sx->ehlo_resp.crypted_auths;


   peer_offered = ehlo_response(sx->buffer,
-      (tls_out.active.sock < 0 ?  OPTION_TLS : OPTION_REQUIRETLS)
+      (tls_out.active.sock < 0 ?  OPTION_TLS : 0)
     | OPTION_CHUNKING | OPTION_PRDR | OPTION_DSN | OPTION_PIPE | OPTION_SIZE
     | OPTION_UTF8 | OPTION_EARLY_PIPE
     );
@@ -1749,12 +1749,6 @@ size_t bsize = Ustrlen(buf);
 /* debug_printf("%s: check for 0x%04x\n", __FUNCTION__, checks); */


 #ifdef SUPPORT_TLS
-# ifdef EXPERIMENTAL_REQUIRETLS
-if (  checks & OPTION_REQUIRETLS
-   && pcre_exec(regex_REQUIRETLS, NULL, CS buf,bsize, 0, PCRE_EOPT, NULL,0) < 0)
-# endif
-  checks &= ~OPTION_REQUIRETLS;
-
 if (  checks & OPTION_TLS
    && pcre_exec(regex_STARTTLS, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
 #endif
@@ -2644,17 +2638,10 @@ else if (  sx->smtps
 # ifdef SUPPORT_DANE
     || sx->conn_args.dane
 # endif
-# ifdef EXPERIMENTAL_REQUIRETLS
-    || tls_requiretls & REQUIRETLS_MSG
-# endif
     || verify_check_given_host(CUSS &ob->hosts_require_tls, sx->conn_args.host) == OK
     )
   {
-  errno =
-# ifdef EXPERIMENTAL_REQUIRETLS
-      tls_requiretls & REQUIRETLS_MSG ? ERRNO_REQUIRETLS :
-# endif
-      ERRNO_TLSREQUIRED;
+  errno = ERRNO_TLSREQUIRED;
   message = string_sprintf("a TLS session is required, but %s",
     smtp_peer_options & OPTION_TLS
     ? "an attempt to start TLS failed" : "the server did not offer TLS support");
@@ -2691,7 +2678,7 @@ if (continue_hostname == NULL
 #ifdef EXPERIMENTAL_PIPE_CONNECT
     | (sx->lmtp && ob->lmtp_ignore_quota ? OPTION_IGNQ : 0)
     | OPTION_DSN | OPTION_PIPE | OPTION_SIZE
-    | OPTION_CHUNKING | OPTION_PRDR | OPTION_UTF8 | OPTION_REQUIRETLS
+    | OPTION_CHUNKING | OPTION_PRDR | OPTION_UTF8
     | (tls_out.active.sock >= 0 ? OPTION_EARLY_PIPE : 0) /* not for lmtp */


 #else
@@ -2707,9 +2694,6 @@ if (continue_hostname == NULL
     | OPTION_DSN
     | OPTION_PIPE
     | (ob->size_addition >= 0 ? OPTION_SIZE : 0)
-# if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-    | (tls_requiretls & REQUIRETLS_MSG ? OPTION_REQUIRETLS : 0)
-# endif
 #endif
       );
 #ifdef EXPERIMENTAL_PIPE_CONNECT
@@ -2760,16 +2744,6 @@ if (continue_hostname == NULL
     DEBUG(D_transport) debug_printf("%susing DSN\n",
             sx->peer_offered & OPTION_DSN ? "" : "not ");


-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-    if (sx->peer_offered & OPTION_REQUIRETLS)
-      {
-      smtp_peer_options |= OPTION_REQUIRETLS;
-      DEBUG(D_transport) debug_printf(
-    tls_requiretls & REQUIRETLS_MSG
-    ? "using REQUIRETLS\n" : "REQUIRETLS offered\n");
-      }
-#endif
-
 #ifdef EXPERIMENTAL_PIPE_CONNECT
     if (  sx->early_pipe_ok
        && !sx->early_pipe_active
@@ -2855,22 +2829,6 @@ if (sx->utf8_needed && !(sx->peer_offered & OPTION_UTF8))
   }
 #endif    /*SUPPORT_I18N*/


-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-  /*XXX should tls_requiretls actually be per-addr? */
-
-if (  tls_requiretls & REQUIRETLS_MSG
-   && !(sx->peer_offered & OPTION_REQUIRETLS)
-   )
-  {
-  sx->setting_up = TRUE;
-  errno = ERRNO_REQUIRETLS;
-  message = US"REQUIRETLS support is required from the server"
-    " but it was not offered";
-  DEBUG(D_transport) debug_printf("%s\n", message);
-  goto TLS_FAILED;
-  }
-#endif
-
 return OK;



@@ -2907,13 +2865,7 @@ return OK;

 #ifdef SUPPORT_TLS
   TLS_FAILED:
-# ifdef EXPERIMENTAL_REQUIRETLS
-    if (errno == ERRNO_REQUIRETLS)
-      code = '5', yield = FAIL;
-      /*XXX DSN will be labelled 500; prefer 530 5.7.4 */
-    else
-# endif
-      code = '4', yield = DEFER;
+    code = '4', yield = DEFER;
     goto FAILED;
 #endif


@@ -3051,11 +3003,6 @@ if ( sx->peer_offered & OPTION_UTF8
Ustrcpy(p, " SMTPUTF8"), p += 9;
#endif

-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-if (tls_requiretls & REQUIRETLS_MSG)
-  Ustrcpy(p, " REQUIRETLS") , p += 11;
-#endif
-
 /* check if all addresses have DSN-lasthop flag; do not send RET and ENVID if so */
 for (sx->dsn_all_lasthop = TRUE, addr = addrlist, address_count = 0;
      addr && address_count < sx->max_rcpt;
@@ -4568,12 +4515,6 @@ same one in order to be passed to a single transport - or if the transport has
 a host list with hosts_override set, use the host list supplied with the
 transport. It is an error for this not to exist. */


-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-if (tls_requiretls & REQUIRETLS_MSG)
-  ob->tls_tempfail_tryclear = FALSE;    /*XXX surely we should have a local for this
-                      rather than modifying the transport? */
-#endif
-
 if (!hostlist || (ob->hosts_override && ob->hosts))
   {
   if (!ob->hosts)
diff --git a/src/src/verify.c b/src/src/verify.c
index 43caac5..7bdfa81 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -986,13 +986,6 @@ no_conn:
     }
     break;
 #endif
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-      case ERRNO_REQUIRETLS:
-        addr->user_message = US"530 5.7.4 REQUIRETLS support required";
-    yield = FAIL;
-    done = TRUE;
-    break;
-#endif
       case ECONNREFUSED:
     sx.send_quit = FALSE;
     break;
diff --git a/test/confs/5910 b/test/confs/5910
deleted file mode 100644
index 55838b3..0000000
--- a/test/confs/5910
+++ /dev/null
@@ -1,136 +0,0 @@
-# Exim test configuration 5910
-
-SERVER=
-
-# advertise REQUIRETLS unless commandline override
-SRV= *
-# set on commandline to add an extra rcpt-time acl condition
-ACL=
-
-exim_path = EXIM_PATH
-keep_environment =
-host_lookup_order = bydns
-spool_directory = DIR/spool
-
-.ifdef SERVER
-log_file_path = DIR/spool/log/SERVER%slog
-.else
-log_file_path = DIR/spool/log/%slog
-.endif
-
-gecos_pattern = ""
-gecos_name = CALLER_NAME
-chunking_advertise_hosts =
-.ifdef _HAVE_PIPE_CONNECT
-pipelining_connect_advertise_hosts =
-.endif
-
-primary_hostname = myhost.test.ex
-
-# ----- Main settings -----
-
-acl_smtp_mail = m
-acl_smtp_rcpt = r
-acl_not_smtp = n
-
-log_selector =  +tls_peerdn +received_recipients
-
-queue_only
-queue_run_in_order
-
-tls_advertise_hosts = *
-tls_advertise_requiretls = SRV
-
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-
-#tls_verify_hosts = *
-#tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}
-
-
-# ----- ACL -----
-
-begin acl
-
-m:
-  accept        senders = :
-  deny        condition = ${if eq {SERVER}{server}}
-        !sender_domains = test.ex : myhost.test.ex
-  accept
- 
-r:
-  warn        condition = ${if eq {SERVER}{server}}
-        logwrite = requiretls: $requiretls
-
-# define this to upgrade messages to REQUIRETLS
-.ifdef OPT
-  warn
-        condition = ${if !bool{$requiretls}}
-        logwrite = upgrading
-        control = requiretls
-.endif
-  accept    ACL
-
-n:
-.ifdef OPT
-  accept
-        condition = ${if !bool{$requiretls}}
-        logwrite = upgrading
-        control = requiretls
-.endif
-  accept
-# ----- Routers -----
-
-begin routers
-
-bounces:
-  driver = redirect
-  condition = ${if !def:sender_address}
-  condition = ${if first_delivery}
-  data = :defer:
-  allow_defer
-
-final:
-  driver = accept
-  condition = ${if eq {$received_ip_address}{HOSTIPV4} {yes}{no}}
-  transport = file_a_bounce
-
-client:
-  driver = accept
-  transport = send_to_server
-
-
-# ----- Transports -----
-
-begin transports
-
-file_a_bounce:
-  driver = appendfile
-  delivery_date_add
-  envelope_to_add
-  file = DIR/test-mail/$local_part
-  return_path_add
-  user = CALLER
-
-send_to_server:
-  driver = smtp
-  allow_localhost
-  hosts = HOSTIPV4
-  port = PORT_D
-  tls_certificate = DIR/aux-fixed/cert2
-  tls_privatekey = DIR/aux-fixed/cert2
-  tls_verify_certificates = DIR/aux-fixed/cert2
-  tls_try_verify_hosts = :
-
-
-# ----- Retry -----
-
-
-begin retry
-
-* * F,5d,10s
-
-
-# End
diff --git a/test/log/5910 b/test/log/5910
deleted file mode 100644
index e6357f2..0000000
--- a/test/log/5910
+++ /dev/null
@@ -1,23 +0,0 @@
-1999-03-02 09:44:33 Start queue run: pid=pppp
-1999-03-02 09:44:33 10HmaX-0005vi-00 => dump@??? R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS_proto_and_cipher CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 End queue run: pid=pppp
-1999-03-02 09:44:33 Start queue run: pid=pppp
-1999-03-02 09:44:33 10HmaY-0005vi-00 => dump <dump@???> R=final T=file_a_bounce
-1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 End queue run: pid=pppp
-1999-03-02 09:44:33 upgrading
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local-smtp S=sss for b@???
-1999-03-02 09:44:33 Start queue run: pid=pppp
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => b@??? R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS_proto_and_cipher CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 End queue run: pid=pppp
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 requiretls: yes
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= a@??? H=(test.ex) [127.0.0.1] P=esmtpS X=TLS_proto_and_cipher CV=no S=sss for dump@???
-1999-03-02 09:44:33 requiretls: yes
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= a@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtpS X=TLS_proto_and_cipher CV=no S=sss for dump@???
-1999-03-02 09:44:33 requiretls: yes
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtpS X=TLS_proto_and_cipher CV=no S=sss id=E10HmaZ-0005vi-00@??? for b@???
diff --git a/test/mail/5910.dump b/test/mail/5910.dump
deleted file mode 100644
index 08957f3..0000000
--- a/test/mail/5910.dump
+++ /dev/null
@@ -1,20 +0,0 @@
-From a@??? Tue Mar 02 09:44:33 1999
-Return-path: <a@???>
-Envelope-to: dump@???
-Delivery-date: Tue, 2 Mar 1999 09:44:33 +0000
-Received: from the.local.host.name ([ip4.ip4.ip4.ip4] helo=myhost.test.ex)
-    by myhost.test.ex with esmtpS (TLS_proto_and_cipher)
-    (Exim x.yz)
-    (envelope-from <a@???>)
-    id 10HmaY-0005vi-00
-    for dump@???; Tue, 2 Mar 1999 09:44:33 +0000
-Received: from [127.0.0.1] (helo=test.ex)
-    by myhost.test.ex with esmtpS (TLS_proto_and_cipher)
-    (Exim x.yz)
-    (envelope-from <a@???>)
-    id 10HmaX-0005vi-00
-    for dump@???; Tue, 2 Mar 1999 09:44:33 +0000
-Subject: foo
-
-content
-
diff --git a/test/scripts/5910-REQUIRETLS/5910 b/test/scripts/5910-REQUIRETLS/5910
deleted file mode 100644
index d1bbb61..0000000
--- a/test/scripts/5910-REQUIRETLS/5910
+++ /dev/null
@@ -1,64 +0,0 @@
-# REQUIRETLS basics
-#
-munge tls_anycipher
-#
-# Server advertises feature, onward transmission, observability
-exim -DSERVER=server -bd -oX PORT_D
-****
-#
-client-ssl 127.0.0.1 PORT_D
-??? 220
-EHLO test.ex
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-STARTTLS
-??? 250 HELP
-STARTTLS
-??? 220
-EHLO test.ex
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-REQUIRETLS
-??? 250 HELP
-MAIL FROM:<a@???> REQUIRETLS
-??? 250
-RCPT TO:<dump@???>
-??? 250
-DATA
-??? 354
-Subject: foo
-
-content
-.
-??? 250
-QUIT
-??? 221
-****
-#
-exim -q
-****
-exim -q
-****
-#
-#
-# upgrade in-MTA
-exim -DOPT=y -bs
-MAIL FROM:<a@???>
-RCPT TO:<b@???>
-DATA
-Subject: foo
-
-content 
-.
-QUIT
-****
-#
-exim -q
-****
-#
-killdaemon
-no_msglog_check
diff --git a/test/scripts/5910-REQUIRETLS/5911 b/test/scripts/5910-REQUIRETLS/5911
deleted file mode 100644
index c744d8a..0000000
--- a/test/scripts/5910-REQUIRETLS/5911
+++ /dev/null
@@ -1,125 +0,0 @@
-# REQUIRETLS bounce cases
-#
-munge tls_anycipher
-#
-# Server does not offer STARTTLS
-server PORT_D
-220 Hi there
-EHLO
-250 wotcher
-QUIT
-*eof
-****
-exim -DOPT=requiretls -odf -bs
-MAIL FROM:<a@???>
-RCPT TO:<a@???>
-DATA
-
-.
-QUIT
-****
-# ... the resulting bounce must be delivered with REQUIRETLS
-exim -DSERVER=server -bd -oX PORT_D
-****
-exim -qf
-****
-killdaemon
-#
-#
-# Server does not offer REQUIRETLS
-# Client message upgraded in-MTA for "require"
-exim -DSERVER=server -DSRV='' -bd -oX PORT_D
-****
-exim -DOPT=requiretls -odf -bs
-MAIL FROM:<b@???>
-RCPT TO:<b@???>
-DATA
-
-.
-QUIT
-****
-exim -qf
-****
-exim -qf
-****
-killdaemon
-#
-#
-# Server does not offer REQUIRETLS
-# Client message received with REQUIRETLS
-exim -DSERVER=server -bd -oX PORT_S
-****
-client-ssl 127.0.0.1 PORT_S
-??? 220
-EHLO test.ex
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-STARTTLS
-??? 250 HELP
-STARTTLS
-??? 220
-EHLO test.ex
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-REQUIRETLS
-??? 250 HELP
-MAIL FROM:<b@???> REQUIRETLS
-??? 250
-RCPT TO:<d@???>
-??? 250
-DATA
-??? 354
-Subject: foo
-
-content
-.
-??? 250
-QUIT
-??? 221
-****
-killdaemon
-exim -DSERVER=server -DSRV='' -bd -oX PORT_D
-****
-exim -qf
-****
-exim -qf
-****
-killdaemon
-#
-#
-# Server refuses MAIL
-exim -DSERVER=server -bd -oX PORT_D
-****
-sudo exim -DOPT=requiretls -odf -f a@??? c@???
-
-****
-exim -qf
-****
-exim -qf
-****
-killdaemon
-#
-# Server does not advertise REQUIRETLS, client tries to use it anyway
-exim -DSERVER=server -bd -oX PORT_D
-****
-client-ssl 127.0.0.1 PORT_D
-??? 220
-EHLO test.ex
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-STARTTLS
-??? 250 HELP
-MAIL FROM:<d@???> REQUIRETLS
-??? 555
-QUIT
-??? 221
-???*eof
-****
-killdaemon
-no_msglog_check
diff --git a/test/scripts/5910-REQUIRETLS/5912 b/test/scripts/5910-REQUIRETLS/5912
deleted file mode 100644
index 87fe85e..0000000
--- a/test/scripts/5910-REQUIRETLS/5912
+++ /dev/null
@@ -1,37 +0,0 @@
-# REQUIRETLS smtp-time fails
-# Test these by having the MTA do a receipient-verify callout
-#
-# Server does not offer STARTTLS
-server PORT_D
-220 Hi there
-EHLO
-250 wotcher
-QUIT
-*eof
-****
-exim -DOPT=requiretls -DACL=verify=recipient/callout -odf -bs
-MAIL FROM:<CALLER@???>
-RCPT TO:<a@???>
-QUIT
-****
-#
-# Sever does not offer REQUIRETLS
-exim -DSERVER=server -DSRV='' -bd -oX PORT_D
-****
-exim -DOPT=requiretls -DACL=verify=recipient/callout -odf -bs
-MAIL FROM:<CALLER@???>
-RCPT TO:<b@???>
-QUIT
-****
-killdaemon
-#
-# Accepted callout
-exim -DSERVER=server -bd -oX PORT_D
-****
-exim -DOPT=requiretls -DACL=verify=recipient/callout -odf -bs
-MAIL FROM:<CALLER@???>
-RCPT TO:<c@???>
-QUIT
-****
-killdaemon
-#
diff --git a/test/scripts/5910-REQUIRETLS/REQUIRES b/test/scripts/5910-REQUIRETLS/REQUIRES
deleted file mode 100644
index 9632335..0000000
--- a/test/scripts/5910-REQUIRETLS/REQUIRES
+++ /dev/null
@@ -1,2 +0,0 @@
-support Experimental_REQUIRETLS
-running IPv4
diff --git a/test/stderr/4052 b/test/stderr/4052
index 3b9772c..7f0bc34 100644
--- a/test/stderr/4052
+++ b/test/stderr/4052
@@ -19,7 +19,7 @@ no message retry record
 127.0.0.1 [127.0.0.1]:1111 retry-status = usable
 delivering 10HmbG-0005vi-00 to 127.0.0.1 [127.0.0.1] (extchange@???)
 Transport port=25 replaced by host-specific port=1225
-EHLO response bits from cache: cleartext 0x0220 crypted 0x0000
+EHLO response bits from cache: cleartext 0x0120 crypted 0x0000
 Using cached cleartext PIPE_CONNECT
   SMTP>> EHLO the.local.host.name
 using PIPELINING
@@ -38,8 +38,8 @@ smtp_reap_early_pipe expect ehlo
          250-X_PIPE_CONNECT
          250-STARTTLS
          250 ok
-EHLO cleartext extensions changed, 0x0220/0x0000 -> 0x0221/0x0000
-writing clr 0221/0000 cry 0000/0000
+EHLO cleartext extensions changed, 0x0120/0x0000 -> 0x0121/0x0000
+writing clr 0121/0000 cry 0000/0000
 sync_responses expect mail
   SMTP<< 250 mail-from accepted
 sync_responses expect rcpt
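Review bot: a persisted bit has been renumbered, as the changed expectations here show ("writing clr 0121/0000", previously 0221). The macros.h hunk moves OPTION_EARLY_PIPE from BIT(9) to BIT(8), the value OPTION_REQUIRETLS used to have, and this debug output shows the OPTION_ mask being written to and read back from the EHLO response cache. A record written by the previous build with 0x0200 set will no longer read as EARLY_PIPE, and one with 0x0100 set will now read as EARLY_PIPE instead of REQUIRETLS. Either leave BIT(8) unused and keep OPTION_EARLY_PIPE at BIT(9), or confirm that stale cache records are discarded on upgrade.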
diff --git a/test/stdout/5910 b/test/stdout/5910
deleted file mode 100644
index 278b76d..0000000
--- a/test/stdout/5910
+++ /dev/null
@@ -1,60 +0,0 @@
-Connecting to 127.0.0.1 port 1225 ... connected
-??? 220
-<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
->>> EHLO test.ex
-??? 250-
-<<< 250-myhost.test.ex Hello test.ex [127.0.0.1]
-??? 250-SIZE
-<<< 250-SIZE 52428800
-??? 250-8BITMIME
-<<< 250-8BITMIME
-??? 250-PIPELINING
-<<< 250-PIPELINING
-??? 250-STARTTLS
-<<< 250-STARTTLS
-??? 250 HELP
-<<< 250 HELP
->>> STARTTLS
-??? 220
-<<< 220 TLS go ahead
-Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHAnnn
-Succeeded in starting TLS
->>> EHLO test.ex
-??? 250-
-<<< 250-myhost.test.ex Hello test.ex [127.0.0.1]
-??? 250-SIZE
-<<< 250-SIZE 52428800
-??? 250-8BITMIME
-<<< 250-8BITMIME
-??? 250-PIPELINING
-<<< 250-PIPELINING
-??? 250-REQUIRETLS
-<<< 250-REQUIRETLS
-??? 250 HELP
-<<< 250 HELP
->>> MAIL FROM:<a@???> REQUIRETLS
-??? 250
-<<< 250 OK
->>> RCPT TO:<dump@???>
-??? 250
-<<< 250 Accepted
->>> DATA
-??? 354
-<<< 354 Enter message, ending with "." on a line by itself
->>> Subject: foo
->>> 
->>> content
->>> .
-??? 250
-<<< 250 OK id=10HmaX-0005vi-00
->>> QUIT
-??? 221
-<<< 221 myhost.test.ex closing connection
-End of script
-220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
-250 OK
-250 Accepted
-354 Enter message, ending with "." on a line by itself
-250 OK id=10HmaZ-0005vi-00
-221 myhost.test.ex closing connection