Add hosts_verify_avoid_tls option to smtp transport.

[exim.git] / src / src / verify.c
diff --git a/src/src/verify.c b/src/src/verify.c

index 23eab0598f822782a4e7b783f666df26dd8ae069..eaab14dc97bd2361070d7837fa35bedbd8e744ca 100644 (file)
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -407,13 +407,6 @@ else
  
    if (smtp_out != NULL && !disable_callout_flush) mac_smtp_fflush();
  
-  /* Precompile some regex that are used to recognize parameters in response
-  to an EHLO command, if they aren't already compiled. */
-  #ifdef SUPPORT_TLS
-  if (regex_STARTTLS == NULL) regex_STARTTLS =
-    regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE);
-  #endif
-
    /* Now make connections to the hosts and do real callouts. The list of hosts
    is passed in as an argument. */
  
@@ -505,7 +498,7 @@ else
      tls_retry_connection:
  
      inblock.sock = outblock.sock =
-      smtp_connect(host, host_af, port, interface, callout_connect, TRUE);
+      smtp_connect(host, host_af, port, interface, callout_connect, TRUE, NULL);
      /* reconsider DSCP here */
      if (inblock.sock < 0)
        {
@@ -570,11 +563,11 @@ else
          goto SEND_FAILED;
        if (!smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout))
          {
-        if (errno != 0 || responsebuffer[0] == 0 || lmtp || !esmtp || tls_out.active >= 0)
-       {
-       done= FALSE;
-          goto RESPONSE_FAILED;
-       }
+       if (errno != 0 || responsebuffer[0] == 0 || lmtp || !esmtp || tls_out.active >= 0)
+         {
+         done= FALSE;
+         goto RESPONSE_FAILED;
+         }
          #ifdef SUPPORT_TLS
          tls_offered = FALSE;
          #endif
@@ -584,9 +577,16 @@ else
  
        /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
        #ifdef SUPPORT_TLS
-      tls_offered = esmtp && !suppress_tls &&  tls_out.active < 0  &&
-        pcre_exec(regex_STARTTLS, NULL, CS responsebuffer, Ustrlen(responsebuffer), 0,
-          PCRE_EOPT, NULL, 0) >= 0;
+      if (esmtp && !suppress_tls &&  tls_out.active < 0)
+        {
+          if (regex_STARTTLS == NULL) regex_STARTTLS =
+           regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE);
+
+          tls_offered = pcre_exec(regex_STARTTLS, NULL, CS responsebuffer,
+                       Ustrlen(responsebuffer), 0, PCRE_EOPT, NULL, 0) >= 0;
+       }
+      else
+        tls_offered = FALSE;
        #endif
        }
  
@@ -601,7 +601,10 @@ else
      #ifdef SUPPORT_TLS
      if (tls_offered &&
         verify_check_this_host(&(ob->hosts_avoid_tls), NULL, host->name,
-         host->address, NULL) != OK)
+         host->address, NULL) != OK &&
+       verify_check_this_host(&(ob->hosts_verify_avoid_tls), NULL, host->name,
+         host->address, NULL) != OK
+       )
        {
        uschar buffer2[4096];
        if (  !smtps
@@ -635,8 +638,7 @@ else
          ob->tls_certificate, ob->tls_privatekey,
          ob->tls_sni,
          ob->tls_verify_certificates, ob->tls_crl,
-        ob->tls_require_ciphers,
-        ob->gnutls_require_mac, ob->gnutls_require_kx, ob->gnutls_require_proto,
+        ob->tls_require_ciphers,     ob->tls_dh_min_bits,
          callout);
  
          /* TLS negotiation failed; give an error.  Try in clear on a new connection,
@@ -1711,6 +1713,9 @@ while (addr_new != NULL)
            }
          else
            {
+#ifdef SUPPORT_TLS
+         deliver_set_expansions(addr);
+#endif
            rc = do_callout(addr, host_list, &tf, callout, callout_overall,
              callout_connect, options, se_mailfrom, pm_mailfrom);
            }