X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=src%2Fsrc%2Fverify.c;h=c2ee4789288620bcee27469cc42497453cd9cfd2;hb=b50c8b8487f906a7e18580e9020783afde09d9f7;hp=b1b9f29a449ce232a7655a750aa57faa1ec9832d;hpb=00bff6f61e05faee0a5a76d3b882f6d1dd96537c;p=exim.git

diff --git a/src/src/verify.c b/src/src/verify.c
index b1b9f29a4..c2ee47892 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -644,9 +644,16 @@ else
            if the options permit it for this host. */
         if (rc != OK)
           {
-  	if (rc == DEFER && ob->tls_tempfail_tryclear && !smtps &&
-  	   verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
-  	     host->address, NULL) != OK)
+  	if (  rc == DEFER
+	   && ob->tls_tempfail_tryclear
+	   && !smtps
+	   && verify_check_this_host(&(ob->hosts_require_tls), NULL,
+	     host->name, host->address, NULL) != OK
+#ifdef EXPERIMENTAL_DANE
+	   && verify_check_this_host(&(ob->hosts_require_dane), NULL,
+	     host->name, host->address, NULL) != OK
+#endif
+	   )
   	  {
             (void)close(inblock.sock);
   	  log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted "
@@ -676,8 +683,13 @@ else
 
     /* If the host is required to use a secure channel, ensure that we have one. */
     if (tls_out.active < 0)
-      if (verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
-      	host->address, NULL) == OK)
+      if (  verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
+	      host->address, NULL) == OK
+#ifdef EXPERIMENTAL_DANE
+	 || verify_check_this_host(&(ob->hosts_require_dane), NULL, host->name,
+	      host->address, NULL) == OK
+#endif
+	 )
         {
         /*save_errno = ERRNO_TLSREQUIRED;*/
         log_write(0, LOG_MAIN, "a TLS session is required for %s [%s], but %s",