authorJeremy Harris <jgh146exb@wizmail.org>2016-10-08 19:21:41 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2016-10-08 19:58:13 +0100
commitae5afa61184b6c9b39f58804032b32b42e3ba44e (patch)
treebd1d15db321a06edae46e9d72d379d12d8bae83b /src
parent2ef40f49c81890cd1fdac572290e1631762a03f1 (diff)
Fix callout connection fallback from TLS to cleartext. Bug 1897
Diffstat (limited to 'src')
-rw-r--r--src/src/transports/smtp.c5
-rw-r--r--src/src/verify.c34
2 files changed, 19 insertions, 20 deletions
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index ecdb8bf26..f506a75d6 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1948,12 +1948,9 @@ if ( smtp_peer_options & PEER_OFFERED_TLS
if (rc != OK)
{
# ifdef EXPERIMENTAL_DANE
- if (rc == DEFER && lflags.dane)
- {
- log_write(0, LOG_MAIN,
+ if (lflags.dane) log_write(0, LOG_MAIN,
"DANE attempt failed; no TLS connection to %s [%s]",
host->name, host->address);
- }
# endif
save_errno = ERRNO_TLSFAILURE;
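Review bot: The new `if (lflags.dane) log_write(...)` at the top of the hunk is an unbraced `if` whose body spans three lines inside `# ifdef EXPERIMENTAL_DANE`; brace it, `if (lflags.dane) { log_write(0, LOG_MAIN, ...); }`, so a later edit cannot add a second statement that silently runs outside the condition. Dropping `rc == DEFER` also means the "DANE attempt failed" line is now logged for a FAIL result as well as a DEFER, which looks intended given the commit subject but is not explained in the commit message; a short comment on the `if` would settle it. Whether a DANE-verified host is still kept off the cleartext path after this point is decided outside the hunk, since the enclosing `if (rc != OK)` block continues past `save_errno = ERRNO_TLSFAILURE;`.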
diff --git a/src/src/verify.c b/src/src/verify.c
index 1ff8cd17f..11f1e10eb 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -617,6 +617,7 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount.
addr->transport);
if (inblock.sock < 0)
{
+ HDEBUG(D_verify) debug_printf("connect: %s\n", strerror(errno));
addr->message = string_sprintf("could not connect to %s [%s]: %s",
host->name, host->address, strerror(errno));
transport_name = NULL;
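Review bot: The added `HDEBUG(D_verify) debug_printf("connect: %s\n", strerror(errno));` runs before the `string_sprintf` two lines below reads `errno` a second time, and `debug_printf` performs output that may overwrite `errno`, so the text stored in `addr->message` can describe a different error than the debug line. Capture it once before either use, `int connect_errno = errno;` immediately after the `inblock.sock < 0` test, and pass `strerror(connect_errno)` to both calls. The enclosing function continues outside the hunk.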
@@ -820,24 +821,22 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount.
connection, if the options permit it for this host. */
if (rc != OK)
{
- if (rc == DEFER)
- {
- (void)close(inblock.sock);
+ HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP(close)>>\n");
+ (void)close(inblock.sock);
# ifndef DISABLE_EVENT
- (void) event_raise(addr->transport->event_action,
- US"tcp:close", NULL);
+ (void) event_raise(addr->transport->event_action,
+ US"tcp:close", NULL);
# endif
- if ( ob->tls_tempfail_tryclear
- && !smtps
- && verify_check_given_host(&ob->hosts_require_tls, host) != OK
- )
- {
- log_write(0, LOG_MAIN, "TLS session failure:"
- " delivering unencrypted to %s [%s] (not in hosts_require_tls)",
- host->name, host->address);
- suppress_tls = TRUE;
- goto tls_retry_connection;
- }
+ if ( ob->tls_tempfail_tryclear
+ && !smtps
+ && verify_check_given_host(&ob->hosts_require_tls, host) != OK
+ )
+ {
+ log_write(0, LOG_MAIN, "TLS session failure:"
+ " callout unencrypted to %s [%s] (not in hosts_require_tls)",
+ host->name, host->address);
+ suppress_tls = TRUE;
+ goto tls_retry_connection;
}
/*save_errno = ERRNO_TLSFAILURE;*/
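Review bot: The cleartext retry condition `verify_check_given_host(&ob->hosts_require_tls, host) != OK` treats a DEFER from evaluating `hosts_require_tls` (for example a host-list lookup that could not complete) the same as "TLS not required", so the callout is retried unencrypted precisely when the policy check itself could not be answered; unless DEFER is meant to permit that, compare with `== FAIL` instead so an unanswerable check keeps the connection on TLS. This matters more after this hunk, because removing the `rc == DEFER` guard means any non-OK TLS result, not only a temporary one, now reaches this fallback; if that is the intent, a one-line comment above the `if` stating that every TLS failure is eligible for the tryclear retry would document it. The debug line `HDEBUG(D_transport|D_acl|D_v) debug_printf("  SMTP(close)>>\n");` followed by `close()` and the `tcp:close` event is now duplicated here and in the three later hunks of this file; a small static helper that emits the debug line, closes the socket and raises the event would keep the four sites in step. The enclosing block starts before the hunk and the `tls_retry_connection` label is outside it.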
@@ -1093,6 +1092,7 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount.
#ifdef SUPPORT_TLS
tls_close(FALSE, TRUE);
#endif
+ HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP(close)>>\n");
(void)close(inblock.sock);
#ifndef DISABLE_EVENT
(void) event_raise(addr->transport->event_action,
@@ -1305,6 +1305,7 @@ can do it there for the non-rcpt-verify case. For this we keep an addresscount.
#ifdef SUPPORT_TLS
tls_close(FALSE, TRUE);
#endif
+ HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP(close)>>\n");
(void)close(inblock.sock);
#ifndef DISABLE_EVENT
(void) event_raise(addr->transport->event_action, US"tcp:close", NULL);
@@ -1626,6 +1627,7 @@ if(cutthrough.fd >= 0)
#ifdef SUPPORT_TLS
tls_close(FALSE, TRUE);
#endif
+ HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP(close)>>\n");
(void)close(cutthrough.fd);
cutthrough.fd = -1;
HDEBUG(D_acl) debug_printf("----------- cutthrough shutdown (%s) ------------\n", why);