author: Wolfgang Breyha <wbreyha@gmx.net> 2014-03-15 14:16:05 +0000
committer: Jeremy Harris <jgh146exb@wizmail.org> 2014-03-15 14:18:16 +0000
commit: e8793bad207763b266bedcb9d859e238b6a3a04e (patch)
tree: 4bbe25c461740cf54a672db822214bc546df9b81 /doc
parent: 6a43fca1821be6919fe0660f8ee5ef4b07b6ae37 (diff)
parent: 02bf26279e41fa715e74ea45d2a5903635ad5ee1 (diff)
Add tls_verify_hosts and tls_try_verify_hosts to smtp transport. Bug 1371
Code by Wolfgang Breyha, docs and testsuite by Jeremy Harris
Diffstat (limited to 'doc')
-rw-r--r-- doc/doc-docbook/spec.xfpt | 28
-rw-r--r-- doc/doc-txt/ChangeLog | 2
-rw-r--r-- doc/doc-txt/NewStuff | 5
3 files changed, 35 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index cab1c82dd..ae4d75ecb 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -23027,6 +23027,14 @@ unknown state), opens a new one to the same host, and then tries the delivery
in clear.
+.option tls_try_verify_hosts smtp "host list&!! unset
+.cindex "TLS" "server certificate verification"
+.cindex "certificate" "verification of server"
+For OpenSSL only, this option gives a list of hosts for which, on encrypted connections,
+certificate verification will be tried but need not succeed.
+The &%tls_verify_certificates%& option must also be set.
+
+
.option tls_verify_certificates smtp string&!! unset
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
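Review bot: the `.option` header for tls_try_verify_hosts has an unbalanced double quote (`"host list&!! unset`); the existing tls_verify_certificates header directly below uses `string&!! unset` with no quote, so either close it as `"host list"&!! unset` or drop the quote to match. It would also help the reader if the text stated the outcome for a listed host whose certificate fails verification, i.e. that the connection stays encrypted and delivery proceeds, since "need not succeed" leaves that implicit.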
@@ -23041,6 +23049,20 @@ single file if you are using GnuTLS. The values of &$host$& and
&$host_address$& are set to the name and address of the server during the
expansion of this option. See chapter &<<CHAPTLS>>& for details of TLS.
+For back-compatability, or when GnuTLS is used,
+if neither tls_verify_hosts nor tls_try_verify_hosts are set
+and certificate verification fails the TLS connection is closed.
+
+
+.option tls_verify_hosts smtp "host list&!! unset
+.cindex "TLS" "server certificate verification"
+.cindex "certificate" "verification of server"
+For OpenSSL only, this option gives a list of hosts for which. on encrypted connections,
+certificate verification must succeed.
+The &%tls_verify_certificates%& option must also be set.
+If both this option and &%tls_try_verify_hosts%& are unset
+operation is as if this option selected all hosts.
+
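Review bot: several wording slips in this hunk: "back-compatability" should be "backward compatibility"; "if neither tls_verify_hosts nor tls_try_verify_hosts are set" should read "is set" and the two option names should be marked up as `&%tls_verify_hosts%&` and `&%tls_try_verify_hosts%&` like the rest of the spec; "for which. on encrypted connections" has a stray full stop in place of a comma; and "If both this option and &%tls_try_verify_hosts%& are unset operation is as if" wants a comma before "operation". The tls_verify_hosts `.option` header repeats the unbalanced `"host list&!! unset` quote from the previous hunk.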
@@ -25942,6 +25964,12 @@ for OpenSSL only (not GnuTLS), a directory, that contains a collection of
expected server certificates. The client verifies the server's certificate
against this collection, taking into account any revoked certificates that are
in the list defined by &%tls_crl%&.
+Failure to verify fails the TLS connection unless either of the
+&%tls_verify_hosts%& or &%tls_try_verify_hosts%& options are set.
+
+The &%tls_verify_hosts%& and &%tls_try_verify_hosts%& options restrict
+certificate verification to the listed servers. Verification either must
+or need not succeed respectively.
If
&%tls_require_ciphers%& is set on the &(smtp)& transport, it must contain a
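Review bot: "Failure to verify fails the TLS connection unless either of the &%tls_verify_hosts%& or &%tls_try_verify_hosts%& options are set" is not quite what the smtp transport section above describes: with &%tls_verify_hosts%& set, a failure for a host on that list still fails the connection. Suggest rewording to say that failure fails the connection for hosts matching &%tls_verify_hosts%& (or for all hosts when neither option is set) and is tolerated only for hosts matching &%tls_try_verify_hosts%&; also "either ... are set" should be "is set".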
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 04a7ce02e..c29f21cbf 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -56,6 +56,8 @@ JH/06 Log outbound-TLS and port details, subject to log selectors, for a
JH/07 Add malware type "sock" for talking to simple daemon.
+JH/08 Bugzilla 1371: Add tls_{,try_}verify_hosts to smtp transport. OpenSSL only.
+
Exim version 4.82
-----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index c4de902c0..95b4119d1 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -27,6 +27,11 @@ Version 4.83
and a second regex to extract malware_name. The mail spoofile name can
be included in the command line.
+ 5. When built with OpenSSL the smtp transport now supports options
+ "tls_verify_hosts" and "tls_try_verify_hosts". If either is set the
+ certificate verification is split from the encryption operation. The
+ default remains that a failed verification cancels the encryption.
+
Version 4.82
------------
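Review bot: the NewStuff item should mention that these two options only take effect when "tls_verify_certificates" is also set, as the spec.xfpt text for both options states; without that, a reader enabling "tls_verify_hosts" alone may expect verification to be enforced when nothing is actually checked. "the certificate verification is split from the encryption operation" is also rather abstract; saying that a verification failure no longer cancels the encrypted session for hosts on these lists would be clearer.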