authorJeremy Harris <jgh146exb@wizmail.org>2016-12-29 20:34:10 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2016-12-29 20:39:27 +0000
commit0929ce9ca518b6987b63cf8659338ca434e07d9b (patch)
tree31095e6e3dadcb6d087d81b6fcc2faaae90dc42d /src
parent9060ccdda76399005f37c548997d437a4804e448 (diff)
parent29f678881018103cc2aec85bdb51ea5830cf2e37 (diff)
Sync 4.next from master
Diffstat (limited to 'src')
-rw-r--r--src/src/dkim.c1
-rw-r--r--src/src/exim.h8
-rw-r--r--src/src/functions.h2
-rw-r--r--src/src/globals.c2
-rw-r--r--src/src/readconf.c57
-rw-r--r--src/src/route.c6
-rw-r--r--src/src/smtp_in.c4
-rw-r--r--src/src/tls-openssl.c27
-rw-r--r--src/src/transport.c8
-rw-r--r--src/src/transports/smtp.c16
10 files changed, 80 insertions, 51 deletions
diff --git a/src/src/dkim.c b/src/src/dkim.c
index 3fa11c800..70c9547ec 100644
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -612,6 +612,7 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep,
CS dkim_private_key_expanded,
PDKIM_ALGO_RSA_SHA256,
dkim->dot_stuffed);
+ dkim_private_key_expanded[0] = '\0';
pdkim_set_optional(ctx,
CS dkim_sign_headers_expanded,
NULL,
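Review bot: The added `dkim_private_key_expanded[0] = '\0';` clears only the first byte, so the rest of the expanded private key stays readable in memory after the signing context is set up. If the aim is to scrub the key, the whole length needs wiping, with a call the compiler cannot elide. The hunk does not show where `dkim_private_key_expanded` is assigned. If the expansion can return the configured option string itself rather than a copy (not visible here, worth confirming), this write would also blank the configured key for the next domain in the enclosing `while` loop and for later messages. The loop body starts and ends outside the hunk.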
diff --git a/src/src/exim.h b/src/src/exim.h
index 9ae96b2a0..d03b48c66 100644
--- a/src/src/exim.h
+++ b/src/src/exim.h
@@ -551,10 +551,16 @@ union sockaddr_46 {
};
/* If SUPPORT_TLS is not defined, ensure that USE_GNUTLS is also not defined
-so that if USE_GNUTLS *is* set, we can assume SUPPORT_TLS is also set. */
+so that if USE_GNUTLS *is* set, we can assume SUPPORT_TLS is also set.
+Likewise, OSCP, AUTH_TLS and CERTNAMES cannot be supported. */
#ifndef SUPPORT_TLS
# undef USE_GNUTLS
+# ifndef DISABLE_OCSP
+# define DISABLE_OCSP
+# endif
+# undef EXPERIMENTAL_CERTNAMES
+# undef AUTH_TLS
#endif
/* If SPOOL_DIRECTORY, LOG_FILE_PATH or PID_FILE_PATH have not been defined,
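Review bot: The new comment line misspells OCSP as `OSCP`; it should read `Likewise, OCSP, AUTH_TLS and CERTNAMES cannot be supported. */`. Separately, `# undef AUTH_TLS` and `# undef EXPERIMENTAL_CERTNAMES` drop features the builder explicitly asked for without any diagnostic. A build made without SUPPORT_TLS therefore silently loses the TLS authenticator and the CERTNAMES feature. An `#error` for that combination would surface the misconfiguration at build time instead of leaving the operator to discover it at run time.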
diff --git a/src/src/functions.h b/src/src/functions.h
index cc4e22b2e..04d941034 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -317,7 +317,7 @@ extern void readconf_driver_init(uschar *, driver_instance **,
driver_info *, int, void *, int, optionlist *, int);
extern uschar *readconf_find_option(void *);
extern void readconf_main(BOOL);
-extern void readconf_options_from_list(optionlist *, unsigned, uschar *);
+extern void readconf_options_from_list(optionlist *, unsigned, const uschar *, uschar *);
extern void readconf_options_routers(void);
extern void readconf_options_transports(void);
extern void readconf_print(uschar *, uschar *, BOOL);
diff --git a/src/src/globals.c b/src/src/globals.c
index 23bd6900c..55d9e98ae 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -153,7 +153,7 @@ that's the interop problem which has been observed: GnuTLS suggesting a higher
bit-count as "NORMAL" (2432) and Thunderbird dropping connection. */
int tls_dh_max_bits = 2236;
uschar *tls_dhparam = NULL;
-uschar *tls_eccurve = US"prime256v1";
+uschar *tls_eccurve = US"auto";
# ifndef DISABLE_OCSP
uschar *tls_ocsp_file = NULL;
# endif
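Review bot: The default for `tls_eccurve` changes from a fixed curve to `auto`, with no comment at the declaration saying what that resolves to. Going by the tls-openssl.c hunk in this commit, `auto` means prime256v1 on OpenSSL before 1.0.2, `SSL_CTX_set_ecdh_auto` on 1.0.2, and the library's own selection on 1.1.0 and later. How a GnuTLS build treats the value is not visible here and should be confirmed. A comment above the line such as `/* "auto": curve is chosen by the TLS library; see tls-openssl.c */` would record the new behaviour.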
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 21328bd3a..c5bd41d47 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -796,76 +796,76 @@ due to conflicts with other common macros. */
#endif
#ifdef LOOKUP_LSEARCH
- macro_create(US"_HAVE_LKUP_LSEARCH", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_LSEARCH", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_CDB
- macro_create(US"_HAVE_LKUP_CDB", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_CDB", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_DBM
- macro_create(US"_HAVE_LKUP_DBM", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_DBM", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_DNSDB
- macro_create(US"_HAVE_LKUP_DNSDB", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_DNSDB", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_DSEARCH
- macro_create(US"_HAVE_LKUP_DSEARCH", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_DSEARCH", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_IBASE
- macro_create(US"_HAVE_LKUP_IBASE", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_IBASE", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_LDAP
- macro_create(US"_HAVE_LKUP_LDAP", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_LDAP", US"y", FALSE, TRUE);
#endif
#ifdef EXPERIMENTAL_LMDB
- macro_create(US"_HAVE_LKUP_LMDB", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_LMDB", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_MYSQL
- macro_create(US"_HAVE_LKUP_MYSQL", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_MYSQL", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_NIS
- macro_create(US"_HAVE_LKUP_NIS", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_NIS", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_NISPLUS
- macro_create(US"_HAVE_LKUP_NISPLUS", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_NISPLUS", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_ORACLE
- macro_create(US"_HAVE_LKUP_ORACLE", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_ORACLE", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_PASSWD
- macro_create(US"_HAVE_LKUP_PASSWD", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_PASSWD", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_PGSQL
- macro_create(US"_HAVE_LKUP_PGSQL", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_PGSQL", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_REDIS
- macro_create(US"_HAVE_LKUP_REDIS", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_REDIS", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_SQLITE
- macro_create(US"_HAVE_LKUP_SQLITE", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_SQLITE", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_TESTDB
- macro_create(US"_HAVE_LKUP_TESTDB", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_TESTDB", US"y", FALSE, TRUE);
#endif
#ifdef LOOKUP_WHOSON
- macro_create(US"_HAVE_LKUP_WHOSON", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_LOOKUP_WHOSON", US"y", FALSE, TRUE);
#endif
#ifdef TRANSPORT_APPENDFILE
# ifdef SUPPORT_MAILDIR
- macro_create(US"_HAVE_TPT_APPEND_MAILDR", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_TRANSPORT_APPEND_MAILDR", US"y", FALSE, TRUE);
# endif
# ifdef SUPPORT_MAILSTORE
- macro_create(US"_HAVE_TPT_APPEND_MAILSTORE", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_TRANSPORT_APPEND_MAILSTORE", US"y", FALSE, TRUE);
# endif
# ifdef SUPPORT_MBX
- macro_create(US"_HAVE_TPT_APPEND_MBX", US"y", FALSE, TRUE);
+ macro_create(US"_HAVE_TRANSPORT_APPEND_MBX", US"y", FALSE, TRUE);
# endif
#endif
}
void
-readconf_options_from_list(optionlist * opts, unsigned nopt, uschar * group)
+readconf_options_from_list(optionlist * opts, unsigned nopt, const uschar * section, uschar * group)
{
int i;
const uschar * s;
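Review bot: The renamed macro `_HAVE_TRANSPORT_APPEND_MAILDR` under `SUPPORT_MAILDIR` keeps the old misspelling, so a configuration that tests `_HAVE_TRANSPORT_APPEND_MAILDIR` will never see it defined. Since every macro in this list is being renamed anyway, this is the cheapest moment to fix it: `macro_create(US"_HAVE_TRANSPORT_APPEND_MAILDIR", US"y", FALSE, TRUE);`. The new `section` and `group` parameters of `readconf_options_from_list` also have no comment; one line stating that `group` may be NULL for options that belong to no driver would help callers. The function body continues in the next hunk.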
@@ -878,14 +878,17 @@ macros that have substrings are always discovered first during
expansion. */
for (i = 0; i < nopt; i++) if (*(s = opts[i].name) && *s != '*')
- macro_create(string_sprintf("_OPT_%T_%T", group, s), US"y", FALSE, TRUE);
+ if (group)
+ macro_create(string_sprintf("_OPT_%T_%T_%T", section, group, s), US"y", FALSE, TRUE);
+ else
+ macro_create(string_sprintf("_OPT_%T_%T", section, s), US"y", FALSE, TRUE);
}
static void
readconf_options(void)
{
-readconf_options_from_list(optionlist_config, nelem(optionlist_config), US"MAIN");
+readconf_options_from_list(optionlist_config, nelem(optionlist_config), US"MAIN", NULL);
readconf_options_routers();
readconf_options_transports();
readconf_options_auths();
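Review bot: The new `if (group) … else …` hangs off an unbraced `for (…) if (…)` line, so the pairing of the `else` rests on the dangling-else rule alone. It binds to `if (group)` as intended today, but a later edit that adds a statement or another `else` would change the meaning silently. Opening a brace after the outer condition, `for (i = 0; i < nopt; i++) if (*(s = opts[i].name) && *s != '*') {`, and closing it after the `else` branch makes the structure explicit. The start of the function is in the previous hunk.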
@@ -4349,12 +4352,12 @@ readconf_options_auths(void)
{
struct auth_info * ai;
-readconf_options_from_list(optionlist_auths, optionlist_auths_size, US"AU");
+readconf_options_from_list(optionlist_auths, optionlist_auths_size, US"AUTHENTICATORS", NULL);
for (ai = auths_available; ai->driver_name[0]; ai++)
{
- macro_create(string_sprintf("_DRVR_AUTH_%T", ai->driver_name), US"y", FALSE, TRUE);
- readconf_options_from_list(ai->options, (unsigned)*ai->options_count, ai->driver_name);
+ macro_create(string_sprintf("_DRIVER_AUTHENTICATOR_%T", ai->driver_name), US"y", FALSE, TRUE);
+ readconf_options_from_list(ai->options, (unsigned)*ai->options_count, US"AUTHENTICATOR", ai->driver_name);
}
}
diff --git a/src/src/route.c b/src/src/route.c
index 3ca1afbfb..bb220c69b 100644
--- a/src/src/route.c
+++ b/src/src/route.c
@@ -148,12 +148,12 @@ readconf_options_routers(void)
{
struct router_info * ri;
-readconf_options_from_list(optionlist_routers, nelem(optionlist_routers), US"RT");
+readconf_options_from_list(optionlist_routers, nelem(optionlist_routers), US"ROUTERS", NULL);
for (ri = routers_available; ri->driver_name[0]; ri++)
{
- macro_create(string_sprintf("_DRVR_RTR_%T", ri->driver_name), US"y", FALSE, TRUE);
- readconf_options_from_list(ri->options, (unsigned)*ri->options_count, ri->driver_name);
+ macro_create(string_sprintf("_DRIVER_ROUTER_%T", ri->driver_name), US"y", FALSE, TRUE);
+ readconf_options_from_list(ri->options, (unsigned)*ri->options_count, US"ROUTER", ri->driver_name);
}
}
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index d7080168a..148486161 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -3512,7 +3512,7 @@ while (done <= 0)
uschar *orcpt = NULL;
int flags;
-#if defined(SUPPORT_TLS) && defined(AUTH_TLS)
+#ifdef AUTH_TLS
/* Check once per STARTTLS or SSL-on-connect for a TLS AUTH */
if ( tls_in.active >= 0
&& tls_in.peercert
@@ -3928,7 +3928,7 @@ while (done <= 0)
them in either case in the AUTH command. */
if ( auths
-#if defined(SUPPORT_TLS) && defined(AUTH_TLS)
+#ifdef AUTH_TLS
&& !sender_host_authenticated
#endif
&& verify_check_host(&auth_advertise_hosts) == OK
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 3762c7889..2862111ab 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -83,9 +83,6 @@ functions from the OpenSSL library. */
# define EXIM_HAVE_ECDH
# endif
# if OPENSSL_VERSION_NUMBER >= 0x10002000L
-# if OPENSSL_VERSION_NUMBER < 0x10100000L
-# define EXIM_HAVE_OPENSSL_ECDH_AUTO
-# endif
# define EXIM_HAVE_OPENSSL_EC_NIST2NID
# endif
# endif
@@ -729,16 +726,32 @@ if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve))
if (!exp_curve || !*exp_curve)
return TRUE;
-# ifdef EXIM_HAVE_OPENSSL_ECDH_AUTO
-/* check if new enough library to support auto ECDH temp key parameter selection */
+/* "auto" needs to be handled carefully.
+ * OpenSSL < 1.0.2: we do not select anything, but fallback to primve256v1
+ * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto
+ * (openss/ssl.h defines SSL_CTRL_SET_ECDH_AUTO)
+ * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection
+ * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b
+ */
if (Ustrcmp(exp_curve, "auto") == 0)
{
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
DEBUG(D_tls) debug_printf(
- "ECDH temp key parameter settings: OpenSSL 1.2+ autoselection\n");
+ "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n");
+ exp_curve = "prime256v1";
+#else
+# if defined SSL_CTRL_SET_ECDH_AUTO
+ DEBUG(D_tls) debug_printf(
+ "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
SSL_CTX_set_ecdh_auto(sctx, 1);
return TRUE;
+# else
+ DEBUG(D_tls) debug_printf(
+ "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
+ return TRUE;
+# endif
+#endif
}
-# endif
DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve);
if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef
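Review bot: `exp_curve = "prime256v1";` assigns a plain `char` literal to a variable that is apparently a `uschar *` (it is cast with `CCS exp_curve` just below), whereas the rest of the tree wraps literals in `US`; `exp_curve = US"prime256v1";` avoids the pointer-signedness warning. The new block comment has three typos worth fixing while here: `primve256v1` should be `prime256v1`, `openss/ssl.h` should be `openssl/ssl.h`, and `libray` should be `library`. The result of `SSL_CTX_set_ecdh_auto(sctx, 1)` is discarded, so a failure there still returns TRUE; checking it and logging on failure would stop a misconfigured context going unnoticed. The function starts before and continues past this hunk.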
diff --git a/src/src/transport.c b/src/src/transport.c
index 8381913fc..c48f1575b 100644
--- a/src/src/transport.c
+++ b/src/src/transport.c
@@ -116,14 +116,14 @@ readconf_options_transports(void)
{
struct transport_info * ti;
-readconf_options_from_list(optionlist_transports, nelem(optionlist_transports), US"TP");
+readconf_options_from_list(optionlist_transports, nelem(optionlist_transports), US"TRANSPORTS", NULL);
for (ti = transports_available; ti->driver_name[0]; ti++)
{
- macro_create(string_sprintf("_DRVR_TPT_%T", ti->driver_name), US"y", FALSE, TRUE);
- readconf_options_from_list(ti->options, (unsigned)*ti->options_count, ti->driver_name);
+ macro_create(string_sprintf("_DRIVER_TRANSPORT_%T", ti->driver_name), US"y", FALSE, TRUE);
+ readconf_options_from_list(ti->options, (unsigned)*ti->options_count, US"TRANSPORT", ti->driver_name);
}
-}
+}
/*************************************************
* Initialize transport list *
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index d04dfc200..527142967 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -285,10 +285,11 @@ static uschar *rf_names[] = { US"NEVER", US"SUCCESS", US"FAILURE", US"DELAY" };
/* Local statics */
-static uschar *smtp_command; /* Points to last cmd for error messages */
-static uschar *mail_command; /* Points to MAIL cmd for error messages */
-static BOOL update_waiting; /* TRUE to update the "wait" database */
-static BOOL pipelining_active; /* current transaction is in pipe mode */
+static uschar *smtp_command; /* Points to last cmd for error messages */
+static uschar *mail_command; /* Points to MAIL cmd for error messages */
+static uschar *data_command = US""; /* Points to DATA cmd for error messages */
+static BOOL update_waiting; /* TRUE to update the "wait" database */
+static BOOL pipelining_active; /* current transaction is in pipe mode */
/*************************************************
@@ -1390,10 +1391,14 @@ uschar * buffer = tctx->buffer;
/* Write SMTP chunk header command */
if (chunk_size > 0)
+ {
if((cmd_count = smtp_write_command(tctx->outblock, FALSE, "BDAT %u%s\r\n",
chunk_size,
flags & tc_chunk_last ? " LAST" : "")
) < 0) return ERROR;
+ if (flags & tc_chunk_last)
+ data_command = string_copy(big_buffer); /* Save for later error message */
+ }
prev_cmd_count = cmd_count += tctx->cmd_count;
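Review bot: `data_command` is file-static and is only ever assigned, never reset. On any path that reaches the "error after %s" message without passing one of the two new `string_copy(big_buffer)` assignments in the current transaction, the log would name the command from an earlier message. Resetting it where a new message transaction begins, e.g. `data_command = US"";`, would close that gap. Both assignments (here and in the hunk at -2509) also rely on `big_buffer` still holding the command text that was just written, which is not visible in these hunks; a short comment stating that assumption would help. The enclosing function starts and ends outside the hunk.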
@@ -2509,6 +2514,7 @@ if ( !(peer_offered & PEER_OFFERED_CHUNKING)
default: goto RESPONSE_FAILED; /* I/O error, or any MAIL/DATA error */
}
pipelining_active = FALSE;
+ data_command = string_copy(big_buffer); /* Save for later error message */
}
/* If there were no good recipients (but otherwise there have been no
@@ -2732,7 +2738,7 @@ else
#else
"LMTP error after %s: %s",
#endif
- big_buffer, string_printing(buffer));
+ data_command, string_printing(buffer));
setflag(addr, af_pass_message); /* Allow message to go to user */
if (buffer[0] == '5')
addr->transport_return = FAIL;