authorJeremy Harris <jgh146exb@wizmail.org>2014-11-23 16:58:06 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2014-11-23 17:39:32 +0000
commit31a4354e12b3bfc2d724f3b521aaa529710f5865 (patch)
treec75a241a68f451dea137ed1024d0717a0ed74ffc /src
parent8c40856083f3a2e89350ab3aacfb95256fbadd9d (diff)
Make "system" location for certificate CA bundle the default
Diffstat (limited to 'src')
-rw-r--r--src/src/globals.c2
-rw-r--r--src/src/tls-gnu.c6
-rw-r--r--src/src/transports/smtp.c2
3 files changed, 7 insertions, 3 deletions
diff --git a/src/src/globals.c b/src/src/globals.c
index a7beec602..1b09008a1 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -166,7 +166,7 @@ uschar *tls_privatekey = NULL;
BOOL tls_remember_esmtp = FALSE;
uschar *tls_require_ciphers = NULL;
uschar *tls_try_verify_hosts = NULL;
-uschar *tls_verify_certificates= NULL;
+uschar *tls_verify_certificates= US"system";
uschar *tls_verify_hosts = NULL;
#endif
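Review bot: With `tls_verify_certificates` now defaulting to `US"system"`, every build hands that literal to its TLS backend, yet tls-gnu.c is the only backend file adjusted in this commit. tls-openssl.c does not appear in the diffstat, so it is worth confirming that the OpenSSL code already treats `system` as "use the library's default trust store" rather than as a file or directory path. The same question applies to the transport default changed in src/transports/smtp.c. A short comment on the initialiser would also help the next reader, e.g. `/* "system" = platform CA bundle; needs SUPPORT_SYSDEFAULT_CABUNDLE under GnuTLS */`.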
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 4943f48b7..42d04224a 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -853,7 +853,11 @@ error message is provided. However, if we just refrain from setting anything up
in that case, certificate verification fails, which seems to be the correct
behaviour. */
-if (state->tls_verify_certificates && *state->tls_verify_certificates)
+if ( state->tls_verify_certificates && *state->tls_verify_certificates
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+ && Ustrcmp(state->exp_tls_verify_certificates, "system") != 0
+#endif
+ )
{
if (!expand_check_tlsvar(tls_verify_certificates))
return DEFER;
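Review bot: The added `Ustrcmp` in the `if` condition reads `state->exp_tls_verify_certificates`, but the only expansion visible here, `expand_check_tlsvar(tls_verify_certificates)`, runs inside the body that the condition guards. Unless the expanded field is filled in earlier in the function (which starts before this hunk and continues after it), builds without SUPPORT_SYSDEFAULT_CABUNDLE compare against a NULL or stale pointer. Consider keeping the original condition and testing after the expansion, inside the same `#ifndef`: `if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0) state->exp_tls_verify_certificates = NULL;`, assuming the code below treats NULL as "no CA set". The comment above the condition could also say that on such builds the new default loads no trust anchors, so verification fails for hosts that require it.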
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index fe0e733f8..7bc0fa086 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -255,7 +255,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
NULL, /* gnutls_require_mac */
NULL, /* gnutls_require_proto */
NULL, /* tls_sni */
- NULL, /* tls_verify_certificates */
+ US"system", /* tls_verify_certificates */
EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
/* tls_dh_min_bits */
TRUE, /* tls_tempfail_tryclear */