authorJeremy Harris <jgh146exb@wizmail.org>2017-03-21 15:54:00 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2017-03-21 16:01:20 +0000
commit5013d912e961203f2ab2d5f64be90255cda81b80 (patch)
treeed2dc51fe1d408ce29d7f1b6eefa94ca49491420 /src
parent0a27a8228d3ccf0730f54710781abb1185ed26b5 (diff)
Logging: make cipher info available for continued-TLS connection deliveries
Diffstat (limited to 'src')
-rw-r--r--src/src/deliver.c8
-rw-r--r--src/src/exim.c10
-rw-r--r--src/src/globals.c2
-rw-r--r--src/src/globals.h2
-rw-r--r--src/src/transport.c5
-rw-r--r--src/src/transports/smtp.c4
6 files changed, 19 insertions, 12 deletions
diff --git a/src/src/deliver.c b/src/src/deliver.c
index 7743d37c3..ccc32667e 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -4715,8 +4715,12 @@ for (delivery_count = 0; addr_remote; delivery_count++)
rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer);
}
- else if (continue_proxy) /* known TLS, but no cipher info */
- rmt_dlv_checked_write(fd, 'X', '1', US"*\0", 3);
+ else if (continue_proxy_cipher)
+ {
+ ptr = big_buffer + sprintf(CS big_buffer, "%.128s", continue_proxy_cipher) + 1;
+ *ptr++ = 0;
+ rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer);
+ }
if (addr->peercert)
{
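Review bot: The byte layout written by the new `continue_proxy_cipher` branch — cipher name, its NUL from sprintf, then a second NUL from `*ptr++ = 0` — is undocumented now that the old `/* known TLS, but no cipher info */` comment is gone, and the reader of this 'X','1' item has to know the second field is deliberately empty. The `%.128s` precision bounds the copy into big_buffer but silently truncates a longer cipher name; that is a reasonable bound, it just deserves saying. Suggested comment above the sprintf: `/* Proxied TLS: pass the cipher name and an empty second field (presumably peerdn; confirm against the 'X','1' reader). %.128s bounds the copy into big_buffer. */`. The enclosing delivery loop starts before this hunk.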
diff --git a/src/src/exim.c b/src/src/exim.c
index fd08cc780..383382072 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -2710,7 +2710,7 @@ for (i = 1; i < argc; i++)
/* Set up $sending_ip_address and $sending_port, unless proxied */
- if (!continue_proxy)
+ if (!continue_proxy_cipher)
if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
&size) == 0)
sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
@@ -2774,13 +2774,15 @@ for (i = 1; i < argc; i++)
#ifdef SUPPORT_TLS
/* -MCt: similar to -MCT below but the connection is still open
via a proxy proces which handles the TLS context and coding.
- Require two arguments for the proxied local address and port. */
+ Require three arguments for the proxied local address and port,
+ and the TLS cipher. */
- case 't': continue_proxy = TRUE;
- if (++i < argc) sending_ip_address = argv[i];
+ case 't': if (++i < argc) sending_ip_address = argv[i];
else badarg = TRUE;
if (++i < argc) sending_port = (int)(Uatol(argv[i]));
else badarg = TRUE;
+ if (++i < argc) continue_proxy_cipher = argv[i];
+ else badarg = TRUE;
/*FALLTHROUGH*/
/* -MCT: set the tls_offered flag; this is useful only when it
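Review bot: The new third -MCt argument is stored as-is, so an empty string (`""`) leaves `continue_proxy_cipher` non-NULL and thereby selects the proxied-TLS paths in exim.c, transport.c and smtp.c while carrying no cipher; the `if (continue_proxy_cipher)` checks elsewhere in this commit all treat pointer presence as "cipher known". A one-line tightening keeps the badarg convention of the surrounding lines: `if (++i < argc && *argv[i]) continue_proxy_cipher = argv[i];` with the existing `else badarg = TRUE;`. The rewritten comment at the top of the hunk also still reads `proxy proces`; `process`. The switch continues past the hunk via the marked fallthrough.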
diff --git a/src/src/globals.c b/src/src/globals.c
index f3e4bad96..9e417b0d2 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -529,11 +529,11 @@ uid_t config_uid = 0;
#endif
int connection_max_messages= -1;
+uschar *continue_proxy_cipher = NULL;
uschar *continue_hostname = NULL;
uschar *continue_host_address = NULL;
BOOL continue_more = FALSE;
int continue_sequence = 1;
-BOOL continue_proxy = FALSE;
uschar *continue_transport = NULL;
uschar *csa_status = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index 750a960eb..72be706a4 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -289,11 +289,11 @@ extern uschar *config_main_filelist; /* List of possible config files */
extern uschar *config_main_filename; /* File name actually used */
extern uschar *config_main_directory; /* Directory where the main config file was found */
extern uid_t config_uid; /* Additional owner */
+extern uschar *continue_proxy_cipher; /* TLS cipher for proxied continued delivery */
extern uschar *continue_hostname; /* Host for continued delivery */
extern uschar *continue_host_address; /* IP address for ditto */
extern BOOL continue_more; /* Flag more addresses waiting */
extern int continue_sequence; /* Sequence num for continued delivery */
-extern BOOL continue_proxy; /* Continued delivery is proxied for TLS */
extern uschar *continue_transport; /* Transport for continued delivery */
extern uschar *csa_status; /* Client SMTP Authorization result */
diff --git a/src/src/transport.c b/src/src/transport.c
index aca33762b..e6e327822 100644
--- a/src/src/transport.c
+++ b/src/src/transport.c
@@ -1959,7 +1959,7 @@ DEBUG(D_transport) debug_printf("transport_pass_socket entered\n");
if ((pid = fork()) == 0)
{
- int i = 19;
+ int i = 20;
const uschar **argv;
/* Disconnect entirely from the parent process. If we are running in the
@@ -1983,11 +1983,12 @@ if ((pid = fork()) == 0)
if (smtp_peer_options & PEER_OFFERED_SIZE) argv[i++] = US"-MCS";
#ifdef SUPPORT_TLS
if (smtp_peer_options & PEER_OFFERED_TLS)
- if (tls_out.active >= 0 || continue_proxy)
+ if (tls_out.active >= 0 || continue_proxy_cipher)
{
argv[i++] = US"-MCt";
argv[i++] = sending_ip_address;
argv[i++] = string_sprintf("%d", sending_port);
+ argv[i++] = tls_out.active >= 0 ? tls_out.cipher : continue_proxy_cipher;
}
else
argv[i++] = US"-MCT";
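Review bot: The added line `argv[i++] = tls_out.active >= 0 ? tls_out.cipher : continue_proxy_cipher;` can place a NULL inside argv if `tls_out.cipher` is unset while `tls_out.active >= 0` (whether that state is reachable is not visible here); a NULL element terminates the vector at exec time, so the child would see a truncated -MCt and hit the new `badarg` branch in exim.c rather than a clear error. The removed deliver.c branch used `"*"` as the "known TLS, no cipher info" placeholder, so the same fallback would be consistent: `uschar *c = tls_out.active >= 0 ? tls_out.cipher : continue_proxy_cipher;` then `argv[i++] = c ? c : US"*";`. The `i = 19` → `20` bump in the first hunk of this file looks like the argv sizing count for the extra element — confirm that is its role. The forked child's body continues outside the hunk.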
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 52e04b8a5..34c96dbff 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1823,7 +1823,7 @@ else
/* For a continued connection with TLS being proxied for us, nothing
more to do. */
- if (continue_proxy)
+ if (continue_proxy_cipher)
{
sx->peer_offered = smtp_peer_options;
pipelining_active = !!(smtp_peer_options & PEER_OFFERED_PIPE);
@@ -3277,7 +3277,7 @@ if (sx.completed_addr && sx.ok && sx.send_quit)
|| continue_more
|| (
#ifdef SUPPORT_TLS
- ( tls_out.active < 0 && !continue_proxy
+ ( tls_out.active < 0 && !continue_proxy_cipher
|| verify_check_given_host(&sx.ob->hosts_nopass_tls, host) != OK
)
&&
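Review bot: The changed line mixes `&&` and `||` without parentheses, `tls_out.active < 0 && !continue_proxy_cipher || verify_check_given_host(...) != OK`, which relies on precedence and is easy to misread now that the left operand is a pointer test rather than a BOOL; writing it as `( (tls_out.active < 0 && !continue_proxy_cipher)` with the closing paren before `|| verify_check_given_host` makes the intent explicit at no cost. The enclosing `if (sx.completed_addr && sx.ok && sx.send_quit)` condition continues past the hunk.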