Retire EXPERIMENTAL_REQUIRETLS
authorJeremy Harris <jgh146exb@wizmail.org>
Fri, 15 Mar 2019 22:01:07 +0000 (22:01 +0000)
committerJeremy Harris <jgh146exb@wizmail.org>
Fri, 15 Mar 2019 23:11:43 +0000 (23:11 +0000)
27 files changed:
doc/doc-txt/experimental-spec.txt
src/src/EDITME
src/src/acl.c
src/src/child.c
src/src/config.h.defaults
src/src/deliver.c
src/src/exim.c
src/src/expand.c
src/src/globals.c
src/src/globals.h
src/src/macro_predef.c
src/src/macros.h
src/src/readconf.c
src/src/smtp_in.c
src/src/spool_in.c
src/src/spool_out.c
src/src/transports/smtp.c
src/src/verify.c
test/confs/5910 [deleted file]
test/log/5910 [deleted file]
test/mail/5910.dump [deleted file]
test/scripts/5910-REQUIRETLS/5910 [deleted file]
test/scripts/5910-REQUIRETLS/5911 [deleted file]
test/scripts/5910-REQUIRETLS/5912 [deleted file]
test/scripts/5910-REQUIRETLS/REQUIRES [deleted file]
test/stderr/4052
test/stdout/5910 [deleted file]

index 84fd54716c7397b70006e8f00a2bcfaeb6f2bdcb..9b472c080dbe506cb47844f5e47f0ca7915a73f1 100644 (file)
@@ -871,41 +871,6 @@ used via the transport in question.
 
 
 
-REQUIRETLS support
-------------------
-Ref: https://tools.ietf.org/html/draft-ietf-uta-smtp-require-tls-03
-
-If compiled with EXPERIMENTAL_REQUIRETLS support is included for this
-feature, where a REQUIRETLS option is added to the MAIL command.
-The client may not retry in clear if the MAIL+REQUIRETLS fails (or was never
-offered), and the server accepts an obligation that any onward transmission
-by SMTP of the messages accepted will also use REQUIRETLS - or generate a
-fail DSN.
-
-The Exim implementation includes
-- a main-part option tls_advertise_requiretls; host list, default "*"
-- an observability variable $requiretls returning yes/no
-- an ACL "control = requiretls" modifier for setting the requirement
-- Log lines and Received: headers capitalise the S in the protocol
-  element: "P=esmtpS"
-
-Differences from spec:
-- we support upgrading the requirement for REQUIRETLS, including adding
-  it from cold, within an MTA.  The spec only define the sourcing MUA
-  as being able to source the requirement, and makes no mention of upgrade.
-- No support is coded for the RequireTLS header (which can be used
-  to annul DANE and/or STS policiy). [this can _almost_ be done in
-  transport option expansions, but not quite: it requires tha DANE-present
-  but STARTTLS-failing targets fallback to cleartext, which current DANE
-  coding specifically blocks]
-
-Note that REQUIRETLS is only advertised once a TLS connection is achieved
-(in contrast to STARTTLS).  If you want to check the advertising, do something
-like "swaks -s 127.0.0.1 -tls -q HELO".
-
-
-
-
 Early pipelining support
 ------------------------
 Ref: https://datatracker.ietf.org/doc/draft-harris-early-pipe/
index a5bc8d0aa0c4699a7a2bb4d6135aaaf940c7dcd4..43cf13c8139293df0338ce772002deb5d4769406 100644 (file)
@@ -514,11 +514,6 @@ DISABLE_MAL_MKS=yes
 # Uncomment the following line to add queuefile transport support
 # EXPERIMENTAL_QUEUEFILE=yes
 
-# Uncomment the following to add REQUIRETLS support.
-# You must also have SUPPORT_TLS enabled.
-# Ref: https://datatracker.ietf.org/doc/draft-fenton-smtp-require-tls
-# EXPERIMENTAL_REQUIRETLS=yes
-
 ###############################################################################
 #                 THESE ARE THINGS YOU MIGHT WANT TO SPECIFY                  #
 ###############################################################################
index 8fbd2250f7499f08dbd003b2e653c6e4022f94db..6168187ec2efc7821ff872b7b24d9efd7d78d91f 100644 (file)
@@ -367,9 +367,6 @@ enum {
   CONTROL_NO_PIPELINING,
 
   CONTROL_QUEUE_ONLY,
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-  CONTROL_REQUIRETLS,
-#endif
   CONTROL_SUBMISSION,
   CONTROL_SUPPRESS_LOCAL_FIXUPS,
 #ifdef SUPPORT_I18N
@@ -515,16 +512,6 @@ static control_def controls_list[] = {
   },
 
 
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-[CONTROL_REQUIRETLS] =
-  { US"requiretls",             FALSE,
-         (unsigned)
-         ~(ACL_BIT_MAIL | ACL_BIT_RCPT | ACL_BIT_PREDATA |
-           ACL_BIT_DATA | ACL_BIT_MIME |
-           ACL_BIT_NOTSMTP)
-  },
-#endif
-
 [CONTROL_SUBMISSION] =
   { US"submission",              TRUE,
          (unsigned)
@@ -3168,11 +3155,6 @@ for (; cb; cb = cb->next)
        cancel_cutthrough_connection(TRUE, US"queueing forced");
        break;
 
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-       case CONTROL_REQUIRETLS:
-       tls_requiretls |= REQUIRETLS_MSG;
-       break;
-#endif
        case CONTROL_SUBMISSION:
        originator_name = US"";
        f.submission_mode = TRUE;
index 2262678eb47c5716e577ea0ecde7f86c2aca8e51..e53e448ed09539085631aad439bf878c997fa42d 100644 (file)
 
 static void (*oldsignal)(int);
 
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-static uschar tls_requiretls_copy = 0;
-#endif
-
 
 /*************************************************
 *          Ensure an fd has a given value        *
@@ -79,10 +75,6 @@ int n = 0;
 int extra = pcount ? *pcount : 0;
 uschar **argv;
 
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-if (tls_requiretls) extra++;
-#endif
-
 argv = store_get((extra + acount + MAX_CLMACROS + 18) * sizeof(char *));
 
 /* In all case, the list starts out with the path, any macros, and a changed
@@ -129,11 +121,6 @@ if (!minimal)
     }
   }
 
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-if (tls_requiretls_copy & REQUIRETLS_MSG)
-  argv[n++] = US"-MS";
-#endif
-
 /* Now add in any others that are in the call. Remember which they were,
 for more helpful diagnosis on failure. */
 
@@ -243,9 +230,6 @@ occur. */
 
 if (pid == 0)
   {
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-  tls_requiretls_copy = tls_requiretls;
-#endif
   force_fd(pfd[pipe_read], 0);
   (void)close(pfd[pipe_write]);
   if (debug_fd > 0) force_fd(debug_fd, 2);
index 55688295de20f9dc87dd70faa5b07a53c11911c8..dc69e2f8923ef7cf2e6697e5e9b585df2d0a5334 100644 (file)
@@ -201,7 +201,6 @@ Do not put spaces between # and the 'define'.
     #define DMARC_TLD_FILE "/etc/exim/opendmarc.tlds"
 #define EXPERIMENTAL_LMDB
 #define EXPERIMENTAL_PIPE_CONNECT
-#define EXPERIMENTAL_REQUIRETLS
 #define EXPERIMENTAL_QUEUEFILE
 #define EXPERIMENTAL_SRS
 
index 071187942629cdacb081480a2edc24a8fa2b2e7a..c1396a7f7d754384450924733ad8d378f9fbeb37 100644 (file)
@@ -8507,11 +8507,6 @@ if (!regex_AUTH) regex_AUTH =
 #ifdef SUPPORT_TLS
 if (!regex_STARTTLS) regex_STARTTLS =
   regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE);
-
-# ifdef EXPERIMENTAL_REQUIRETLS
-if (!regex_REQUIRETLS) regex_REQUIRETLS =
-  regex_must_compile(US"\\n250[\\s\\-]REQUIRETLS(\\s|\\n|$)", FALSE, TRUE);
-# endif
 #endif
 
 if (!regex_CHUNKING) regex_CHUNKING =
index 8e700f7114d151b20003782f75581c10d4e86c1a..7c9aa0e3fff2004a6654f3ef0a26d551c70488ca 100644 (file)
@@ -903,9 +903,6 @@ fprintf(fp, "Support for:");
 #ifdef EXPERIMENTAL_DSN_INFO
   fprintf(fp, " Experimental_DSN_info");
 #endif
-#ifdef EXPERIMENTAL_REQUIRETLS
-  fprintf(fp, " Experimental_REQUIRETLS");
-#endif
 #ifdef EXPERIMENTAL_PIPE_CONNECT
   fprintf(fp, " Experimental_PIPE_CONNECT");
 #endif
@@ -2710,16 +2707,6 @@ for (i = 1; i < argc; i++)
       break;
       }
 
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-    /* -MS   set REQUIRETLS on (new) message */
-
-    else if (*argrest == 'S')
-      {
-      tls_requiretls |= REQUIRETLS_MSG;
-      break;
-      }
-#endif
-
     /* -M[x]: various operations on the following list of message ids:
        -M    deliver the messages, ignoring next retry times and thawing
        -Mc   deliver the messages, checking next retry times, no thawing
index d395436fa8ab1410ed428fdbd87d5238ea46d954..2fc3a81f1bb337ed033d87329ab28f4fb056ca9d 100644 (file)
@@ -668,9 +668,6 @@ static var_entry var_table[] = {
   { "regex_match_string",  vtype_stringptr,   &regex_match_string },
 #endif
   { "reply_address",       vtype_reply,       NULL },
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-  { "requiretls",          vtype_bool,        &tls_requiretls },
-#endif
   { "return_path",         vtype_stringptr,   &return_path },
   { "return_size_limit",   vtype_int,         &bounce_return_size_limit },
   { "router_name",         vtype_stringptr,   &router_name },
index 94fab000d498729cb608e235de24e0aae936d005..f52ae92cec76ffe32f11fdbbad5ab51f434bd830 100644 (file)
@@ -161,11 +161,6 @@ uschar *tls_ocsp_file          = NULL;
 uschar *tls_privatekey         = NULL;
 BOOL    tls_remember_esmtp     = FALSE;
 uschar *tls_require_ciphers    = NULL;
-# ifdef EXPERIMENTAL_REQUIRETLS
-uschar  tls_requiretls         = 0;    /* REQUIRETLS_MSG etc. bit #defines */
-uschar *tls_advertise_requiretls = US"*";
-const pcre *regex_REQUIRETLS   = NULL;
-# endif
 uschar *tls_try_verify_hosts   = NULL;
 uschar *tls_verify_certificates= US"system";
 uschar *tls_verify_hosts       = NULL;
index 12cc1af568627138f884fd0382898642bd006ca3..a0c1977a2bdec9500fab9433b60b45e7943e9326 100644 (file)
@@ -122,11 +122,6 @@ extern uschar *tls_eccurve;            /* EC curve */
 extern uschar *tls_ocsp_file;          /* OCSP stapling proof file */
 # endif
 extern uschar *tls_privatekey;         /* Private key file */
-# ifdef EXPERIMENTAL_REQUIRETLS
-extern uschar  tls_requiretls;         /* REQUIRETLS active for this message */
-extern uschar *tls_advertise_requiretls; /* hosts for which REQUIRETLS adv */
-extern const pcre *regex_REQUIRETLS;   /* for recognising the command */
-# endif
 extern BOOL    tls_remember_esmtp;     /* For YAEB */
 extern uschar *tls_require_ciphers;    /* So some can be avoided */
 extern uschar *tls_try_verify_hosts;   /* Optional client verification */
index f92671ae2b85db5d96d00dfb37d517fe970bd1b4..86be52f542c0f2ee1fda557c6cacf2ace36d26f0 100644 (file)
@@ -197,9 +197,6 @@ due to conflicts with other common macros. */
 #ifdef EXPERIMENTAL_DSN_INFO
   builtin_macro_create(US"_HAVE_DSN_INFO");
 #endif
-#ifdef EXPERIMENTAL_REQUIRETLS
-  builtin_macro_create(US"_HAVE_REQTLS");
-#endif
 #ifdef EXPERIMENTAL_PIPE_CONNECT
   builtin_macro_create(US"_HAVE_PIPE_CONNECT");
 #endif
index 759955019a60a5e7cb23c966cdfc31a57b8d5331..a1dd99901ef7643f961bb6bce8405caf7c74f147 100644 (file)
@@ -559,9 +559,7 @@ table exim_errstrings[] in log.c */
 #ifdef SUPPORT_I18N
 # define ERRNO_UTF8_FWD      (-49)   /* target not supporting SMTPUTF8 */
 #endif
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-# define ERRNO_REQUIRETLS    (-50)   /* REQUIRETLS session not started */
-#endif
+                               /* -50 free for re-use */
 
 /* These must be last, so all retry deferments can easily be identified */
 
@@ -1029,12 +1027,7 @@ enum { FILTER_UNSET, FILTER_FORWARD, FILTER_EXIM, FILTER_SIEVE };
 #define OPTION_PIPE            BIT(5)
 #define OPTION_SIZE            BIT(6)
 #define OPTION_CHUNKING                BIT(7)
-#define OPTION_REQUIRETLS      BIT(8)
-#define OPTION_EARLY_PIPE      BIT(9)
-
-/* Codes for tls_requiretls requests (usually by sender) */
-
-#define REQUIRETLS_MSG         BIT(0)  /* REQUIRETLS onward use */
+#define OPTION_EARLY_PIPE      BIT(8)
 
 /* Argument for *_getc */
 
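Review bot: Moving OPTION_EARLY_PIPE from BIT(9) to BIT(8) reuses the bit value that the previous build persisted as OPTION_REQUIRETLS in the cached EHLO response bits (the test/stderr/4052 hunk in this same commit shows the cached cleartext word changing from 0x0220 to 0x0120), so a hints entry written by a pre-change binary for a server that advertised REQUIRETLS would be read after upgrade as that server supporting early pipelining. If the cache is not keyed by a format version, which is not visible here, the safer change is to keep `#define OPTION_EARLY_PIPE      BIT(9)` and leave BIT(8) marked free, in the same way the hunk above already reserves errno -50 rather than renumbering. The cache writer and reader are outside this hunk, so whether stale entries can survive an upgrade should be confirmed before the bit is reassigned.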
index eb6844222fca64de7092a58855b6ca961302a2d7..71cdae899807aaaf7312e042b838831218c85048 100644 (file)
@@ -355,9 +355,6 @@ static optionlist optionlist_config[] = {
   { "timezone",                 opt_stringptr,   &timezone_string },
   { "tls_advertise_hosts",      opt_stringptr,   &tls_advertise_hosts },
 #ifdef SUPPORT_TLS
-# ifdef EXPERIMENTAL_REQUIRETLS
-  { "tls_advertise_requiretls", opt_stringptr,   &tls_advertise_requiretls },
-# endif
   { "tls_certificate",          opt_stringptr,   &tls_certificate },
   { "tls_crl",                  opt_stringptr,   &tls_crl },
   { "tls_dh_max_bits",          opt_int,         &tls_dh_max_bits },
index b071298c73d6e79f5601a9b641f7db32caa5b6c7..b46f3e876a9141844ba40e17db60a611f135fe1d 100644 (file)
@@ -135,9 +135,6 @@ static struct {
   BOOL auth_advertised                 :1;
 #ifdef SUPPORT_TLS
   BOOL tls_advertised                  :1;
-# ifdef EXPERIMENTAL_REQUIRETLS
-  BOOL requiretls_advertised           :1;
-# endif
 #endif
   BOOL dsn_advertised                  :1;
   BOOL esmtp                           :1;
@@ -267,9 +264,6 @@ enum {
   ENV_MAIL_OPT_RET, ENV_MAIL_OPT_ENVID,
 #ifdef SUPPORT_I18N
   ENV_MAIL_OPT_UTF8,
-#endif
-#ifdef EXPERIMENTAL_REQUIRETLS
-  ENV_MAIL_OPT_REQTLS,
 #endif
   };
 typedef struct {
@@ -289,10 +283,6 @@ static env_mail_type_t env_mail_type_list[] = {
     { US"ENVID",  ENV_MAIL_OPT_ENVID,  TRUE },
 #ifdef SUPPORT_I18N
     { US"SMTPUTF8",ENV_MAIL_OPT_UTF8,  FALSE },                /* rfc6531 */
-#endif
-#ifdef EXPERIMENTAL_REQUIRETLS
-    /* https://tools.ietf.org/html/draft-ietf-uta-smtp-require-tls-03 */
-    { US"REQUIRETLS",ENV_MAIL_OPT_REQTLS,  FALSE },
 #endif
     /* keep this the last entry */
     { US"NULL",   ENV_MAIL_OPT_NULL,   FALSE },
@@ -2476,9 +2466,6 @@ tls_in.ourcert = tls_in.peercert = NULL;
 tls_in.sni = NULL;
 tls_in.ocsp = OCSP_NOT_REQ;
 fl.tls_advertised = FALSE;
-# ifdef EXPERIMENTAL_REQUIRETLS
-fl.requiretls_advertised = FALSE;
-# endif
 #endif
 fl.dsn_advertised = FALSE;
 #ifdef SUPPORT_I18N
@@ -4237,9 +4224,6 @@ while (done <= 0)
       f.smtp_in_pipelining_advertised = FALSE;
 #ifdef SUPPORT_TLS
       fl.tls_advertised = FALSE;
-# ifdef EXPERIMENTAL_REQUIRETLS
-      fl.requiretls_advertised = FALSE;
-# endif
 #endif
       fl.dsn_advertised = FALSE;
 #ifdef SUPPORT_I18N
@@ -4439,17 +4423,6 @@ while (done <= 0)
          g = string_catn(g, US"-STARTTLS\r\n", 11);
          fl.tls_advertised = TRUE;
          }
-
-# ifdef EXPERIMENTAL_REQUIRETLS
-       /* Advertise REQUIRETLS only once we are in a secure connection */
-       if (  tls_in.active.sock >= 0
-          && verify_check_host(&tls_advertise_requiretls) != FAIL)
-         {
-         g = string_catn(g, smtp_code, 3);
-         g = string_catn(g, US"-REQUIRETLS\r\n", 13);
-         fl.requiretls_advertised = TRUE;
-         }
-# endif
 #endif
 
 #ifndef DISABLE_PRDR
@@ -4774,28 +4747,6 @@ while (done <= 0)
            break;
 #endif
 
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-         case ENV_MAIL_OPT_REQTLS:
-           {
-           uschar * r, * t;
-
-           if (!fl.requiretls_advertised)
-             {
-             done = synprot_error(L_smtp_syntax_error, 555, NULL,
-               US"unadvertised MAIL option: REQUIRETLS");
-             goto COMMAND_LOOP;
-             }
-
-           DEBUG(D_receive) debug_printf("requiretls requested\n");
-           tls_requiretls = REQUIRETLS_MSG;
-
-           r = string_copy_malloc(received_protocol);
-           if ((t = Ustrrchr(r, 's'))) *t = 'S';
-           received_protocol = r;
-           }
-           break;
-#endif
-
          /* No valid option. Stick back the terminator characters and break
          the loop.  Do the name-terminator second as extract_option sets
          value==name when it found no equal-sign.
@@ -4813,17 +4764,6 @@ while (done <= 0)
        if (arg_error) break;
        }
 
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-      if (tls_requiretls & REQUIRETLS_MSG)
-       {
-       /* Ensure headers-only bounces whether a RET option was given or not. */
-
-       DEBUG(D_receive) if (dsn_ret == dsn_ret_full)
-         debug_printf("requiretls override: dsn_ret_full -> dsn_ret_hdrs\n");
-       dsn_ret = dsn_ret_hdrs;
-       }
-#endif
-
       /* If we have passed the threshold for rate limiting, apply the current
       delay, and update it for next time, provided this is a limited host. */
 
index c9f37abf1244c02f5838ee12f9288452618818c0..786eb514e9dc245b3a427a6fb1ef30eaeef75285 100644 (file)
@@ -286,9 +286,6 @@ tls_free_cert(&tls_in.peercert);
 tls_in.peerdn = NULL;
 tls_in.sni = NULL;
 tls_in.ocsp = OCSP_NOT_REQ;
-# if defined(EXPERIMENTAL_REQUIRETLS) && !defined(COMPILE_UTILITY)
-tls_requiretls = 0;
-# endif
 #endif
 
 #ifdef WITH_CONTENT_SCAN
@@ -670,10 +667,6 @@ for (;;)
        tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
       else if (Ustrncmp(q, "ocsp", 4) == 0)
        tls_in.ocsp = big_buffer[10] - '0';
-# if defined(EXPERIMENTAL_REQUIRETLS) && !defined(COMPILE_UTILITY)
-      else if (Ustrncmp(q, "requiretls", 10) == 0)
-       tls_requiretls = strtol(CS big_buffer+16, NULL, 0);
-# endif
       }
     break;
 #endif
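Review bot: Messages already on the spool when the new binary is installed may carry a `-tls_requiretls 0x1` header line that this reader no longer recognises, and the sender's requirement that they be forwarded only over TLS is silently dropped with it. Whether an unrecognised `-tls_` item is ignored or treated as a malformed spool file cannot be seen here because the surrounding loop starts and ends outside the hunk; a comment next to the ocsp branch such as `/* -tls_requiretls (retired EXPERIMENTAL_REQUIRETLS) is no longer read; spool files from older builds may still contain it */` would record the decision. If unknown items cause a hard failure, a temporary no-op match on `requiretls` would let in-flight messages be delivered rather than frozen after the upgrade.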
index 8b227dedb139f669f87e77882ccd46103855a32b..3970206cb8be5fb5e64b3fb0fa845f1cab93856b 100644 (file)
@@ -250,10 +250,6 @@ if (tls_in.ourcert)
   fprintf(fp, "-tls_ourcert %s\n", CS big_buffer);
   }
 if (tls_in.ocsp)        fprintf(fp, "-tls_ocsp %d\n",   tls_in.ocsp);
-
-# ifdef EXPERIMENTAL_REQUIRETLS
-if (tls_requiretls)     fprintf(fp, "-tls_requiretls 0x%x\n", tls_requiretls);
-# endif
 #endif
 
 #ifdef SUPPORT_I18N
index 5fd278e1d334865e3cbd06684cbbabff56453fe0..3558fa65c7c73ddf5d8e61abe33ad73bc1a5df91 100644 (file)
@@ -992,7 +992,7 @@ if (pending_EHLO)
       ? &sx->ehlo_resp.cleartext_auths : &sx->ehlo_resp.crypted_auths;
 
   peer_offered = ehlo_response(sx->buffer,
-         (tls_out.active.sock < 0 ?  OPTION_TLS : OPTION_REQUIRETLS)
+         (tls_out.active.sock < 0 ?  OPTION_TLS : 0)
        | OPTION_CHUNKING | OPTION_PRDR | OPTION_DSN | OPTION_PIPE | OPTION_SIZE
        | OPTION_UTF8 | OPTION_EARLY_PIPE
        );
@@ -1749,12 +1749,6 @@ size_t bsize = Ustrlen(buf);
 /* debug_printf("%s: check for 0x%04x\n", __FUNCTION__, checks); */
 
 #ifdef SUPPORT_TLS
-# ifdef EXPERIMENTAL_REQUIRETLS
-if (  checks & OPTION_REQUIRETLS
-   && pcre_exec(regex_REQUIRETLS, NULL, CS buf,bsize, 0, PCRE_EOPT, NULL,0) < 0)
-# endif
-  checks &= ~OPTION_REQUIRETLS;
-
 if (  checks & OPTION_TLS
    && pcre_exec(regex_STARTTLS, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
 #endif
@@ -2643,18 +2637,11 @@ have one. */
 else if (  sx->smtps
 # ifdef SUPPORT_DANE
        || sx->conn_args.dane
-# endif
-# ifdef EXPERIMENTAL_REQUIRETLS
-       || tls_requiretls & REQUIRETLS_MSG
 # endif
        || verify_check_given_host(CUSS &ob->hosts_require_tls, sx->conn_args.host) == OK
        )
   {
-  errno =
-# ifdef EXPERIMENTAL_REQUIRETLS
-      tls_requiretls & REQUIRETLS_MSG ? ERRNO_REQUIRETLS :
-# endif
-      ERRNO_TLSREQUIRED;
+  errno = ERRNO_TLSREQUIRED;
   message = string_sprintf("a TLS session is required, but %s",
     smtp_peer_options & OPTION_TLS
     ? "an attempt to start TLS failed" : "the server did not offer TLS support");
@@ -2691,7 +2678,7 @@ if (continue_hostname == NULL
 #ifdef EXPERIMENTAL_PIPE_CONNECT
        | (sx->lmtp && ob->lmtp_ignore_quota ? OPTION_IGNQ : 0)
        | OPTION_DSN | OPTION_PIPE | OPTION_SIZE
-       | OPTION_CHUNKING | OPTION_PRDR | OPTION_UTF8 | OPTION_REQUIRETLS
+       | OPTION_CHUNKING | OPTION_PRDR | OPTION_UTF8
        | (tls_out.active.sock >= 0 ? OPTION_EARLY_PIPE : 0) /* not for lmtp */
 
 #else
@@ -2707,9 +2694,6 @@ if (continue_hostname == NULL
        | OPTION_DSN
        | OPTION_PIPE
        | (ob->size_addition >= 0 ? OPTION_SIZE : 0)
-# if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-       | (tls_requiretls & REQUIRETLS_MSG ? OPTION_REQUIRETLS : 0)
-# endif
 #endif
       );
 #ifdef EXPERIMENTAL_PIPE_CONNECT
@@ -2760,16 +2744,6 @@ if (continue_hostname == NULL
     DEBUG(D_transport) debug_printf("%susing DSN\n",
                        sx->peer_offered & OPTION_DSN ? "" : "not ");
 
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-    if (sx->peer_offered & OPTION_REQUIRETLS)
-      {
-      smtp_peer_options |= OPTION_REQUIRETLS;
-      DEBUG(D_transport) debug_printf(
-       tls_requiretls & REQUIRETLS_MSG
-       ? "using REQUIRETLS\n" : "REQUIRETLS offered\n");
-      }
-#endif
-
 #ifdef EXPERIMENTAL_PIPE_CONNECT
     if (  sx->early_pipe_ok
        && !sx->early_pipe_active
@@ -2855,22 +2829,6 @@ if (sx->utf8_needed && !(sx->peer_offered & OPTION_UTF8))
   }
 #endif /*SUPPORT_I18N*/
 
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-  /*XXX should tls_requiretls actually be per-addr? */
-
-if (  tls_requiretls & REQUIRETLS_MSG
-   && !(sx->peer_offered & OPTION_REQUIRETLS)
-   )
-  {
-  sx->setting_up = TRUE;
-  errno = ERRNO_REQUIRETLS;
-  message = US"REQUIRETLS support is required from the server"
-    " but it was not offered";
-  DEBUG(D_transport) debug_printf("%s\n", message);
-  goto TLS_FAILED;
-  }
-#endif
-
 return OK;
 
 
@@ -2907,13 +2865,7 @@ return OK;
 
 #ifdef SUPPORT_TLS
   TLS_FAILED:
-# ifdef EXPERIMENTAL_REQUIRETLS
-    if (errno == ERRNO_REQUIRETLS)
-      code = '5', yield = FAIL;
-      /*XXX DSN will be labelled 500; prefer 530 5.7.4 */
-    else
-# endif
-      code = '4', yield = DEFER;
+    code = '4', yield = DEFER;
     goto FAILED;
 #endif
 
@@ -3051,11 +3003,6 @@ if (  sx->peer_offered & OPTION_UTF8
   Ustrcpy(p, " SMTPUTF8"), p += 9;
 #endif
 
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-if (tls_requiretls & REQUIRETLS_MSG)
-  Ustrcpy(p, " REQUIRETLS") , p += 11;
-#endif
-
 /* check if all addresses have DSN-lasthop flag; do not send RET and ENVID if so */
 for (sx->dsn_all_lasthop = TRUE, addr = addrlist, address_count = 0;
      addr && address_count < sx->max_rcpt;
@@ -4568,12 +4515,6 @@ same one in order to be passed to a single transport - or if the transport has
 a host list with hosts_override set, use the host list supplied with the
 transport. It is an error for this not to exist. */
 
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-if (tls_requiretls & REQUIRETLS_MSG)
-  ob->tls_tempfail_tryclear = FALSE;   /*XXX surely we should have a local for this
-                                       rather than modifying the transport? */
-#endif
-
 if (!hostlist || (ob->hosts_override && ob->hosts))
   {
   if (!ob->hosts)
index 43caac56247de0aa7efdc872f66ce9650e2fffe8..7bdfa81523166e12b38fdc5b576adf696c188822 100644 (file)
@@ -985,13 +985,6 @@ no_conn:
        done = TRUE;
        }
        break;
-#endif
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
-      case ERRNO_REQUIRETLS:
-        addr->user_message = US"530 5.7.4 REQUIRETLS support required";
-       yield = FAIL;
-       done = TRUE;
-       break;
 #endif
       case ECONNREFUSED:
        sx.send_quit = FALSE;
diff --git a/test/confs/5910 b/test/confs/5910
deleted file mode 100644 (file)
index 55838b3..0000000
+++ /dev/null
@@ -1,136 +0,0 @@
-# Exim test configuration 5910
-
-SERVER=
-
-# advertise REQUIRETLS unless commandline override
-SRV= *
-# set on commandline to add an extra rcpt-time acl condition
-ACL=
-
-exim_path = EXIM_PATH
-keep_environment =
-host_lookup_order = bydns
-spool_directory = DIR/spool
-
-.ifdef SERVER
-log_file_path = DIR/spool/log/SERVER%slog
-.else
-log_file_path = DIR/spool/log/%slog
-.endif
-
-gecos_pattern = ""
-gecos_name = CALLER_NAME
-chunking_advertise_hosts =
-.ifdef _HAVE_PIPE_CONNECT
-pipelining_connect_advertise_hosts =
-.endif
-
-primary_hostname = myhost.test.ex
-
-# ----- Main settings -----
-
-acl_smtp_mail = m
-acl_smtp_rcpt = r
-acl_not_smtp = n
-
-log_selector =  +tls_peerdn +received_recipients
-
-queue_only
-queue_run_in_order
-
-tls_advertise_hosts = *
-tls_advertise_requiretls = SRV
-
-# Set certificate only if server
-
-tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-tls_privatekey = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
-
-#tls_verify_hosts = *
-#tls_verify_certificates = ${if eq {SERVER}{server}{DIR/aux-fixed/cert2}fail}
-
-
-# ----- ACL -----
-
-begin acl
-
-m:
-  accept        senders = :
-  deny         condition = ${if eq {SERVER}{server}}
-               !sender_domains = test.ex : myhost.test.ex
-  accept
-r:
-  warn         condition = ${if eq {SERVER}{server}}
-               logwrite = requiretls: $requiretls
-
-# define this to upgrade messages to REQUIRETLS
-.ifdef OPT
-  warn
-               condition = ${if !bool{$requiretls}}
-               logwrite = upgrading
-               control = requiretls
-.endif
-  accept       ACL
-
-n:
-.ifdef OPT
-  accept
-               condition = ${if !bool{$requiretls}}
-               logwrite = upgrading
-               control = requiretls
-.endif
-  accept
-# ----- Routers -----
-
-begin routers
-
-bounces:
-  driver = redirect
-  condition = ${if !def:sender_address}
-  condition = ${if first_delivery}
-  data = :defer:
-  allow_defer
-
-final:
-  driver = accept
-  condition = ${if eq {$received_ip_address}{HOSTIPV4} {yes}{no}}
-  transport = file_a_bounce
-
-client:
-  driver = accept
-  transport = send_to_server
-
-
-# ----- Transports -----
-
-begin transports
-
-file_a_bounce:
-  driver = appendfile
-  delivery_date_add
-  envelope_to_add
-  file = DIR/test-mail/$local_part
-  return_path_add
-  user = CALLER
-
-send_to_server:
-  driver = smtp
-  allow_localhost
-  hosts = HOSTIPV4
-  port = PORT_D
-  tls_certificate = DIR/aux-fixed/cert2
-  tls_privatekey = DIR/aux-fixed/cert2
-  tls_verify_certificates = DIR/aux-fixed/cert2
-  tls_try_verify_hosts = :
-
-
-# ----- Retry -----
-
-
-begin retry
-
-* * F,5d,10s
-
-
-# End
diff --git a/test/log/5910 b/test/log/5910
deleted file mode 100644 (file)
index e6357f2..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-1999-03-02 09:44:33 Start queue run: pid=pppp
-1999-03-02 09:44:33 10HmaX-0005vi-00 => dump@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS_proto_and_cipher CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmaY-0005vi-00"
-1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 End queue run: pid=pppp
-1999-03-02 09:44:33 Start queue run: pid=pppp
-1999-03-02 09:44:33 10HmaY-0005vi-00 => dump <dump@test.ex> R=final T=file_a_bounce
-1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 End queue run: pid=pppp
-1999-03-02 09:44:33 upgrading
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-smtp S=sss for b@test.ex
-1999-03-02 09:44:33 Start queue run: pid=pppp
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => b@test.ex R=client T=send_to_server H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS_proto_and_cipher CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbA-0005vi-00"
-1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
-1999-03-02 09:44:33 End queue run: pid=pppp
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 requiretls: yes
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= a@test.ex H=(test.ex) [127.0.0.1] P=esmtpS X=TLS_proto_and_cipher CV=no S=sss for dump@test.ex
-1999-03-02 09:44:33 requiretls: yes
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= a@test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtpS X=TLS_proto_and_cipher CV=no S=sss for dump@test.ex
-1999-03-02 09:44:33 requiretls: yes
-1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtpS X=TLS_proto_and_cipher CV=no S=sss id=E10HmaZ-0005vi-00@myhost.test.ex for b@test.ex
diff --git a/test/mail/5910.dump b/test/mail/5910.dump
deleted file mode 100644 (file)
index 08957f3..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-From a@test.ex Tue Mar 02 09:44:33 1999
-Return-path: <a@test.ex>
-Envelope-to: dump@test.ex
-Delivery-date: Tue, 2 Mar 1999 09:44:33 +0000
-Received: from the.local.host.name ([ip4.ip4.ip4.ip4] helo=myhost.test.ex)
-       by myhost.test.ex with esmtpS (TLS_proto_and_cipher)
-       (Exim x.yz)
-       (envelope-from <a@test.ex>)
-       id 10HmaY-0005vi-00
-       for dump@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
-Received: from [127.0.0.1] (helo=test.ex)
-       by myhost.test.ex with esmtpS (TLS_proto_and_cipher)
-       (Exim x.yz)
-       (envelope-from <a@test.ex>)
-       id 10HmaX-0005vi-00
-       for dump@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
-Subject: foo
-
-content
-
diff --git a/test/scripts/5910-REQUIRETLS/5910 b/test/scripts/5910-REQUIRETLS/5910
deleted file mode 100644 (file)
index d1bbb61..0000000
+++ /dev/null
@@ -1,64 +0,0 @@
-# REQUIRETLS basics
-#
-munge tls_anycipher
-#
-# Server advertises feature, onward transmission, observability
-exim -DSERVER=server -bd -oX PORT_D
-****
-#
-client-ssl 127.0.0.1 PORT_D
-??? 220
-EHLO test.ex
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-STARTTLS
-??? 250 HELP
-STARTTLS
-??? 220
-EHLO test.ex
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-REQUIRETLS
-??? 250 HELP
-MAIL FROM:<a@test.ex> REQUIRETLS
-??? 250
-RCPT TO:<dump@test.ex>
-??? 250
-DATA
-??? 354
-Subject: foo
-
-content
-.
-??? 250
-QUIT
-??? 221
-****
-#
-exim -q
-****
-exim -q
-****
-#
-#
-# upgrade in-MTA
-exim -DOPT=y -bs
-MAIL FROM:<a@test.ex>
-RCPT TO:<b@test.ex>
-DATA
-Subject: foo
-
-content 
-.
-QUIT
-****
-#
-exim -q
-****
-#
-killdaemon
-no_msglog_check
diff --git a/test/scripts/5910-REQUIRETLS/5911 b/test/scripts/5910-REQUIRETLS/5911
deleted file mode 100644 (file)
index c744d8a..0000000
+++ /dev/null
@@ -1,125 +0,0 @@
-# REQUIRETLS bounce cases
-#
-munge tls_anycipher
-#
-# Server does not offer STARTTLS
-server PORT_D
-220 Hi there
-EHLO
-250 wotcher
-QUIT
-*eof
-****
-exim -DOPT=requiretls -odf -bs
-MAIL FROM:<a@test.ex>
-RCPT TO:<a@test.ex>
-DATA
-
-.
-QUIT
-****
-# ... the resulting bounce must be delivered with REQUIRETLS
-exim -DSERVER=server -bd -oX PORT_D
-****
-exim -qf
-****
-killdaemon
-#
-#
-# Server does not offer REQUIRETLS
-# Client message upgraded in-MTA for "require"
-exim -DSERVER=server -DSRV='' -bd -oX PORT_D
-****
-exim -DOPT=requiretls -odf -bs
-MAIL FROM:<b@test.ex>
-RCPT TO:<b@test.ex>
-DATA
-
-.
-QUIT
-****
-exim -qf
-****
-exim -qf
-****
-killdaemon
-#
-#
-# Server does not offer REQUIRETLS
-# Client message received with REQUIRETLS
-exim -DSERVER=server -bd -oX PORT_S
-****
-client-ssl 127.0.0.1 PORT_S
-??? 220
-EHLO test.ex
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-STARTTLS
-??? 250 HELP
-STARTTLS
-??? 220
-EHLO test.ex
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-REQUIRETLS
-??? 250 HELP
-MAIL FROM:<b@test.ex> REQUIRETLS
-??? 250
-RCPT TO:<d@test.ex>
-??? 250
-DATA
-??? 354
-Subject: foo
-
-content
-.
-??? 250
-QUIT
-??? 221
-****
-killdaemon
-exim -DSERVER=server -DSRV='' -bd -oX PORT_D
-****
-exim -qf
-****
-exim -qf
-****
-killdaemon
-#
-#
-# Server refuses MAIL
-exim -DSERVER=server -bd -oX PORT_D
-****
-sudo exim -DOPT=requiretls -odf -f a@serverrefusethis.ex c@test.ex
-
-****
-exim -qf
-****
-exim -qf
-****
-killdaemon
-#
-# Server does not advertise REQUIRETLS, client tries to use it anyway
-exim -DSERVER=server -bd -oX PORT_D
-****
-client-ssl 127.0.0.1 PORT_D
-??? 220
-EHLO test.ex
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-STARTTLS
-??? 250 HELP
-MAIL FROM:<d@test.ex> REQUIRETLS
-??? 555
-QUIT
-??? 221
-???*eof
-****
-killdaemon
-no_msglog_check
diff --git a/test/scripts/5910-REQUIRETLS/5912 b/test/scripts/5910-REQUIRETLS/5912
deleted file mode 100644 (file)
index 87fe85e..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-# REQUIRETLS smtp-time fails
-# Test these by having the MTA do a receipient-verify callout
-#
-# Server does not offer STARTTLS
-server PORT_D
-220 Hi there
-EHLO
-250 wotcher
-QUIT
-*eof
-****
-exim -DOPT=requiretls -DACL=verify=recipient/callout -odf -bs
-MAIL FROM:<CALLER@myhost.test.ex>
-RCPT TO:<a@test.ex>
-QUIT
-****
-#
-# Sever does not offer REQUIRETLS
-exim -DSERVER=server -DSRV='' -bd -oX PORT_D
-****
-exim -DOPT=requiretls -DACL=verify=recipient/callout -odf -bs
-MAIL FROM:<CALLER@myhost.test.ex>
-RCPT TO:<b@test.ex>
-QUIT
-****
-killdaemon
-#
-# Accepted callout
-exim -DSERVER=server -bd -oX PORT_D
-****
-exim -DOPT=requiretls -DACL=verify=recipient/callout -odf -bs
-MAIL FROM:<CALLER@myhost.test.ex>
-RCPT TO:<c@test.ex>
-QUIT
-****
-killdaemon
-#
diff --git a/test/scripts/5910-REQUIRETLS/REQUIRES b/test/scripts/5910-REQUIRETLS/REQUIRES
deleted file mode 100644 (file)
index 9632335..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-support Experimental_REQUIRETLS
-running IPv4
index 3b9772c5c0df36a3faf50bc15ba52b9373c8bdf6..7f0bc3474330d2649fb0a621b062b0bfa3fc2c28 100644 (file)
@@ -19,7 +19,7 @@ no message retry record
 127.0.0.1 [127.0.0.1]:1111 retry-status = usable
 delivering 10HmbG-0005vi-00 to 127.0.0.1 [127.0.0.1] (extchange@test.ex)
 Transport port=25 replaced by host-specific port=1225
-EHLO response bits from cache: cleartext 0x0220 crypted 0x0000
+EHLO response bits from cache: cleartext 0x0120 crypted 0x0000
 Using cached cleartext PIPE_CONNECT
   SMTP>> EHLO the.local.host.name
 using PIPELINING
@@ -38,8 +38,8 @@ smtp_reap_early_pipe expect ehlo
          250-X_PIPE_CONNECT
          250-STARTTLS
          250 ok
-EHLO cleartext extensions changed, 0x0220/0x0000 -> 0x0221/0x0000
-writing clr 0221/0000 cry 0000/0000
+EHLO cleartext extensions changed, 0x0120/0x0000 -> 0x0121/0x0000
+writing clr 0121/0000 cry 0000/0000
 sync_responses expect mail
   SMTP<< 250 mail-from accepted
 sync_responses expect rcpt
diff --git a/test/stdout/5910 b/test/stdout/5910
deleted file mode 100644 (file)
index 278b76d..0000000
+++ /dev/null
@@ -1,60 +0,0 @@
-Connecting to 127.0.0.1 port 1225 ... connected
-??? 220
-<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
->>> EHLO test.ex
-??? 250-
-<<< 250-myhost.test.ex Hello test.ex [127.0.0.1]
-??? 250-SIZE
-<<< 250-SIZE 52428800
-??? 250-8BITMIME
-<<< 250-8BITMIME
-??? 250-PIPELINING
-<<< 250-PIPELINING
-??? 250-STARTTLS
-<<< 250-STARTTLS
-??? 250 HELP
-<<< 250 HELP
->>> STARTTLS
-??? 220
-<<< 220 TLS go ahead
-Attempting to start TLS
-SSL connection using ke-RSA-AES256-SHAnnn
-Succeeded in starting TLS
->>> EHLO test.ex
-??? 250-
-<<< 250-myhost.test.ex Hello test.ex [127.0.0.1]
-??? 250-SIZE
-<<< 250-SIZE 52428800
-??? 250-8BITMIME
-<<< 250-8BITMIME
-??? 250-PIPELINING
-<<< 250-PIPELINING
-??? 250-REQUIRETLS
-<<< 250-REQUIRETLS
-??? 250 HELP
-<<< 250 HELP
->>> MAIL FROM:<a@test.ex> REQUIRETLS
-??? 250
-<<< 250 OK
->>> RCPT TO:<dump@test.ex>
-??? 250
-<<< 250 Accepted
->>> DATA
-??? 354
-<<< 354 Enter message, ending with "." on a line by itself
->>> Subject: foo
->>> 
->>> content
->>> .
-??? 250
-<<< 250 OK id=10HmaX-0005vi-00
->>> QUIT
-??? 221
-<<< 221 myhost.test.ex closing connection
-End of script
-220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
-250 OK\r
-250 Accepted\r
-354 Enter message, ending with "." on a line by itself\r
-250 OK id=10HmaZ-0005vi-00\r
-221 myhost.test.ex closing connection\r