From ef3a1a30b2d5edba53f1a8c8d1dc594940cb39c1 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Wed, 3 Aug 2016 11:32:32 +0100
Subject: [PATCH] DANE: treat a TLSA response having only non-TLSA records the same as a no-match response
---
 doc/doc-txt/ChangeLog | 4 ++++
 src/src/transports/smtp.c | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index e1471b627..d99370a7e 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -61,6 +61,10 @@ JH/14 Fix logging of errors under PIPELINING. Previously the log line giving
 JH/15 Fix counting of empty lines in $body_linecount and $message_linecount.
 Previously they were not counted.
+JH/16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same
+ as one having no matching records. Previously we deferred the message
+ that needed the lookup.
+
 Exim version 4.87
 -----------------
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index c84323c17..bbfef0632 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1217,7 +1217,8 @@ switch (dns_lookup(dnsa, buffer, T_TLSA, &fullname))
 case DNS_AGAIN:
 return DEFER; /* just defer this TLS'd conn */
- case DNS_NOMATCH:
+ case DNS_NODATA: /* no TLSA RR for this lookup */
+ case DNS_NOMATCH: /* no records at all for this lookup */
 return dane_required ? FAIL : FAIL_FORCED;
 default:
-- 
2.25.1
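Review bot: The new `DNS_NODATA` label shares the `dane_required ? FAIL : FAIL_FORCED` return, so when DANE is not mandatory a TLSA answer holding only non-TLSA records no longer defers (per the ChangeLog entry) but takes the `FAIL_FORCED` path, which presumably lets delivery proceed without DANE verification. Nothing visible in the hunk shows that this negative answer is checked for DNSSEC authenticity, so the fallback appears to rest on the resolver rejecting forged or bogus responses; the switch begins and ends outside the hunk, so such a check may exist elsewhere. I would record that assumption at the label, e.g. `case DNS_NODATA: /* no TLSA RR for this lookup; trusts the resolver to have validated the denial */`. It may also be worth logging when the non-required path skips DANE, so operators can notice an unexpected loss of TLSA records for a host that normally publishes them.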