Merge branch 'dane_require_tls_ciphers'
[exim.git] / src / src / transports / smtp.c
index c4a6c028350eec39448da697281b1c7a15eb6240..2dfb5b73af4ad31e9f192db1d82d648207f70100 100644 (file)
@@ -38,6 +38,10 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, connect_timeout) },
   { "connection_max_messages", opt_int | opt_public,
       (void *)offsetof(transport_instance, connection_max_messages) },
+# ifdef SUPPORT_DANE
+  { "dane_require_tls_ciphers", opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, dane_require_tls_ciphers) },
+# endif
   { "data_timeout",         opt_time,
       (void *)offsetof(smtp_transport_options_block, data_timeout) },
   { "delay_after_cutoff", opt_bool,
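Review bot: The new `dane_require_tls_ciphers` entry, and its `NULL` default in the `smtp_transport_option_defaults` hunk, carry no comment saying what an unset value means for a DANE connection. The code that consumes the option is not part of this diff. Since this option decides which ciphers a DANE-verified session may negotiate, the fallback should be stated next to the default, for example `/* NULL: DANE sessions use the same cipher list as non-DANE ones */` if that is the intended behaviour. The entry exists only under `SUPPORT_DANE`, so a configuration that sets it will presumably be rejected as an unknown option on a build without DANE, which is worth a line in the option's documentation.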
@@ -225,6 +229,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 #ifdef SUPPORT_DANE
   .hosts_try_dane =            NULL,
   .hosts_require_dane =                NULL,
+  .dane_require_tls_ciphers =  NULL,
 #endif
   .hosts_try_fastopen =                NULL,
 #ifndef DISABLE_PRDR
@@ -2999,15 +3004,21 @@ else
     uschar * s = sx.ob->arc_sign;
     if (s)
       {
-      if (!(sx.ob->dkim.arc_signspec = expand_string(s)))
+      if (!(sx.ob->dkim.arc_signspec = s = expand_string(s)))
        {
-       message = US"failed to expand arc_sign";
-       sx.ok = FALSE;
-       goto SEND_FAILED;
+       if (!expand_string_forcedfail)
+         {
+         message = US"failed to expand arc_sign";
+         sx.ok = FALSE;
+         goto SEND_FAILED;
+         }
+       }
+      else if (*s)
+       {
+       /* Ask dkim code to hash the body for ARC */
+       (void) arc_ams_setup_sign_bodyhash();
+       sx.ob->dkim.force_bodyhash = TRUE;
        }
-      /* Ask dkim code to hash the body for ARC */
-      (void) arc_ams_setup_sign_bodyhash();
-      sx.ob->dkim.force_bodyhash = TRUE;
       }
     }
 # endif
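Review bot: When `arc_sign` expands to an empty string, `sx.ob->dkim.arc_signspec` is left pointing at that empty string while `force_bodyhash` is not set. The forced-fail path, by contrast, stores `NULL`. The code that later reads `arc_signspec` is outside this hunk; if it tests only the pointer, it would try to ARC-sign without the body hash having been requested. Normalising the two "do not sign" outcomes would remove that dependency: add `else sx.ob->dkim.arc_signspec = NULL;` after the `else if (*s)` block. A short comment such as `/* forced failure or empty expansion: send this message without ARC signing */` would also make the intentional fall-through visible. The enclosing block begins before the hunk's first line.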