author | Jeremy Harris <jgh146exb@wizmail.org> | 2018-02-15 21:32:30 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2018-02-15 22:09:07 +0000 |
commit | c0635b6dfe65ee24c2fb8d165beabc608d2fd1a5 (patch) | |
tree | a3e9ee10b881f1e99f073eee52214cb496669cb2 /src | |
parent | 9631be11ff85fbdfe1bd8a745d9b0de2bef1af4b (diff) |
DANE: move to mainline
Diffstat (limited to 'src')
-rw-r--r-- | src/exim_monitor/em_globals.c | 2 | ||||
-rw-r--r-- | src/src/EDITME | 13 | ||||
-rw-r--r-- | src/src/config.h.defaults | 2 | ||||
-rw-r--r-- | src/src/dane.c | 4 | ||||
-rw-r--r-- | src/src/deliver.c | 8 | ||||
-rw-r--r-- | src/src/exim.c | 6 | ||||
-rw-r--r-- | src/src/exim.h | 2 | ||||
-rw-r--r-- | src/src/expand.c | 4 | ||||
-rw-r--r-- | src/src/functions.h | 4 | ||||
-rw-r--r-- | src/src/globals.c | 6 | ||||
-rw-r--r-- | src/src/globals.h | 4 | ||||
-rw-r--r-- | src/src/macro_predef.c | 2 | ||||
-rw-r--r-- | src/src/spool_in.c | 2 | ||||
-rw-r--r-- | src/src/structs.h | 2 | ||||
-rw-r--r-- | src/src/tls-gnu.c | 20 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 28 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 20 | ||||
-rw-r--r-- | src/src/transports/smtp.h | 4 |
18 files changed, 69 insertions, 64 deletions
diff --git a/src/exim_monitor/em_globals.c b/src/exim_monitor/em_globals.c index e3e00c33b..50da58c82 100644 --- a/src/exim_monitor/em_globals.c +++ b/src/exim_monitor/em_globals.c @@ -220,7 +220,7 @@ tls_support tls_in = { -1, /* tls_active */ 0, /* bits */ FALSE, /* tls_certificate_verified */ -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE FALSE, /* dane_verified */ 0, /* tlsa_usage */ #endif diff --git a/src/src/EDITME b/src/src/EDITME index 9dcd174ca..b1b9af2c6 100644 --- a/src/src/EDITME +++ b/src/src/EDITME @@ -364,6 +364,12 @@ PCRE_CONFIG=yes #------------------------------------------------------------------------------ +# Uncomment the following line to add DANE support +# Note: Enabling this unconditionally overrides DISABLE_DNSSEC +# For DANE under GnuTLS we need an additional library. See TLS_LIBS below. +# SUPPORT_DANE=yes + +#------------------------------------------------------------------------------ # Additional libraries and include directories may be required for some # lookup styles (e.g. LDAP, MYSQL or PGSQL). LOOKUP_LIBS is included only on # the command for linking Exim itself, not on any auxiliary programs. You @@ -443,7 +449,7 @@ DISABLE_MAL_MKS=yes # By default, Exim has support for checking the AD bit in a DNS response, to # determine if DNSSEC validation was successful. If your system libraries # do not support that bit, then set DISABLE_DNSSEC to "yes" -# Note: Enabling EXPERIMENTAL_DANE unconditionally overrides this setting. +# Note: Enabling SUPPORT_DANE unconditionally overrides this setting. # DISABLE_DNSSEC=yes 
@@ -488,11 +494,6 @@ DISABLE_MAL_MKS=yes # CFLAGS += -I/opt/brightmail/bsdk-6.0/include # LDFLAGS += -lxml2_single -lbmiclient_single -L/opt/brightmail/bsdk-6.0/lib -# Uncomment the following line to add DANE support -# Note: Enabling this unconditionally overrides DISABLE_DNSSEC -# For DANE under GnuTLS we need an additional library. See TLS_LIBS below. -# EXPERIMENTAL_DANE=yes - # Uncomment the following to include extra information in fail DSN message (bounces) # EXPERIMENTAL_DSN_INFO=yes diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults index eddd02e50..2e6985aea 100644 --- a/src/src/config.h.defaults +++ b/src/src/config.h.defaults @@ -138,6 +138,7 @@ Do not put spaces between # and the 'define'. #define STRING_SPRINTF_BUFFER_SIZE (8192 * 4) #define SUPPORT_CRYPTEQ +#define SUPPORT_DANE #define SUPPORT_I18N #define SUPPORT_I18N_2008 #define SUPPORT_MAILDIR @@ -190,7 +191,6 @@ Do not put spaces between # and the 'define'. /* EXPERIMENTAL features */ #define EXPERIMENTAL_BRIGHTMAIL -#define EXPERIMENTAL_DANE #define EXPERIMENTAL_DCC #define EXPERIMENTAL_DSN_INFO #define EXPERIMENTAL_DMARC diff --git a/src/src/dane.c b/src/src/dane.c index b632d80dd..541e9cb02 100644 --- a/src/src/dane.c +++ b/src/src/dane.c @@ -24,7 +24,7 @@ reference itself to stop picky compilers complaining that it is unused, and put in a dummy argument to stop even pickier compilers complaining about infinite loops. */ -#ifndef EXPERIMENTAL_DANE +#ifndef SUPPORT_DANE static void dummy(int x) { dummy(x-1); } #else @@ -43,6 +43,6 @@ static void dummy(int x) { dummy(x-1); } # endif -#endif /* EXPERIMENTAL_DANE */ +#endif /* SUPPORT_DANE */ /* End of dane.c */ diff --git a/src/src/deliver.c b/src/src/deliver.c index 5c34b929c..255b4d9c9 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c 
@@ -817,7 +817,7 @@ if (LOGGING(tls_certificate_verified) && addr->cipher) s = string_append(s, 2, US" CV=", testflag(addr, af_cert_verified) ? -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE testflag(addr, af_dane_verified) ? "dane" : @@ -1619,7 +1619,7 @@ if (result == OK) tls_out.cipher = addr->cipher; tls_out.peerdn = addr->peerdn; tls_out.ocsp = addr->ocsp; -# ifdef EXPERIMENTAL_DANE +# ifdef SUPPORT_DANE tls_out.dane_verified = testflag(addr, af_dane_verified); # endif #endif @@ -1632,7 +1632,7 @@ if (result == OK) tls_out.cipher = NULL; tls_out.peerdn = NULL; tls_out.ocsp = OCSP_NOT_REQ; -# ifdef EXPERIMENTAL_DANE +# ifdef SUPPORT_DANE tls_out.dane_verified = FALSE; # endif #endif @@ -4785,7 +4785,7 @@ all pipes, so I do not see a reason to use non-blocking IO here /* The certificate verification status goes into the flags */ if (tls_out.certificate_verified) setflag(addr, af_cert_verified); -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE if (tls_out.dane_verified) setflag(addr, af_dane_verified); #endif diff --git a/src/src/exim.c b/src/src/exim.c index fe1b1c19d..f95c10747 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -832,6 +832,9 @@ fprintf(f, "Support for:"); #ifdef WITH_CONTENT_SCAN fprintf(f, " Content_Scanning"); #endif +#ifdef SUPPORT_DANE + fprintf(f, " DANE"); +#endif #ifndef DISABLE_DKIM fprintf(f, " DKIM"); #endif @@ -875,9 +878,6 @@ fprintf(f, "Support for:"); #ifdef EXPERIMENTAL_BRIGHTMAIL fprintf(f, " Experimental_Brightmail"); #endif -#ifdef EXPERIMENTAL_DANE - fprintf(f, " Experimental_DANE"); -#endif #ifdef EXPERIMENTAL_DCC fprintf(f, " Experimental_DCC"); #endif diff --git a/src/src/exim.h b/src/src/exim.h index c272a0147..54e8d002d 100644 --- a/src/src/exim.h +++ b/src/src/exim.h @@ -593,7 +593,7 @@ default to EDQUOT if it exists, otherwise ENOSPC. */ #endif /* DANE w/o DNSSEC is useless */ -#if defined(EXPERIMENTAL_DANE) && defined(DISABLE_DNSSEC) +#if defined(SUPPORT_DANE) && defined(DISABLE_DNSSEC) # undef DISABLE_DNSSEC #endif 
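Review bot: The guard under `/* DANE w/o DNSSEC is useless */` in exim.h enforces one dependency of `SUPPORT_DANE` but not the other: nothing visible rejects a build with `SUPPORT_DANE` set and `SUPPORT_TLS` unset. The guards elsewhere in this commit disagree. exim.c prints ` DANE`, and smtp.c/smtp.h define the `hosts_try_dane`/`hosts_require_dane` defaults and fields, under `SUPPORT_DANE` alone, while the smtp.c option table and `smtp_setup_conn` also require `SUPPORT_TLS`; such a build would at best report DANE support it cannot provide. Since this is now a documented EDITME switch, I would fail the build here with `#if defined(SUPPORT_DANE) && !defined(SUPPORT_TLS)` / `# error SUPPORT_DANE requires SUPPORT_TLS` / `#endif`. Separately, `# undef DISABLE_DNSSEC` discards an explicit setting with no build output; EDITME documents this, but a diagnostic would help on a system that set it because its resolver library lacks AD-bit support.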
diff --git a/src/src/expand.c b/src/src/expand.c index aaeec24b4..de38e3acb 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -738,7 +738,7 @@ static var_entry var_table[] = { { "tls_out_bits", vtype_int, &tls_out.bits }, { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified }, { "tls_out_cipher", vtype_stringptr, &tls_out.cipher }, -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE { "tls_out_dane", vtype_bool, &tls_out.dane_verified }, #endif { "tls_out_ocsp", vtype_int, &tls_out.ocsp }, @@ -748,7 +748,7 @@ static var_entry var_table[] = { #if defined(SUPPORT_TLS) { "tls_out_sni", vtype_stringptr, &tls_out.sni }, #endif -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE { "tls_out_tlsa_usage", vtype_int, &tls_out.tlsa_usage }, #endif diff --git a/src/src/functions.h b/src/src/functions.h index 00da0cf20..6dc3e4973 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -46,7 +46,7 @@ extern uschar * tls_cert_fprt_sha256(void *); extern int tls_client_start(int, host_item *, address_item *, transport_instance *, -# ifdef EXPERIMENTAL_DANE +# ifdef SUPPORT_DANE dns_answer *, # endif uschar **); @@ -73,7 +73,7 @@ extern BOOL tls_openssl_options_parse(uschar *, long *); extern uschar * tls_field_from_dn(uschar *, const uschar *); extern BOOL tls_is_name_for_cert(const uschar *, void *); -# ifdef EXPERIMENTAL_DANE +# ifdef SUPPORT_DANE extern int tlsa_lookup(const host_item *, dns_answer *, BOOL); # endif diff --git a/src/src/globals.c b/src/src/globals.c index bcc2a7a32..7e228d098 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -104,7 +104,7 @@ tls_support tls_in = { .active = -1, .bits = 0, .certificate_verified = FALSE, -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE .dane_verified = FALSE, .tlsa_usage = 0, #endif @@ -121,7 +121,7 @@ tls_support tls_out = { .active = -1, .bits = 0, .certificate_verified = FALSE, -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE .dane_verified = FALSE, .tlsa_usage = 0, #endif 
@@ -688,7 +688,7 @@ BOOL dmarc_enable_forensic = FALSE; uschar *dns_again_means_nonexist = NULL; int dns_csa_search_limit = 5; BOOL dns_csa_use_reverse = TRUE; -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE int dns_dane_ok = -1; #endif uschar *dns_ipv4_lookup = NULL; diff --git a/src/src/globals.h b/src/src/globals.h index d6bc96a83..b5cb6407b 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -83,7 +83,7 @@ typedef struct { int active; /* fd/socket when in a TLS session */ int bits; /* bits used in TLS session */ BOOL certificate_verified; /* Client certificate verified */ -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE BOOL dane_verified; /* ... via DANE */ int tlsa_usage; /* TLSA record(s) usage */ #endif @@ -414,7 +414,7 @@ extern uschar *dns_again_means_nonexist; /* Domains that are badly set up */ extern int dns_csa_search_limit; /* How deep to search for CSA SRV records */ extern BOOL dns_csa_use_reverse; /* Check CSA in reverse DNS? (non-standard) */ extern uschar *dns_ipv4_lookup; /* For these domains, don't look for AAAA (or A6) */ -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE extern int dns_dane_ok; /* Ok to use DANE when checking TLS authenticity */ #endif extern int dns_retrans; /* Retransmission time setting */ diff --git a/src/src/macro_predef.c b/src/src/macro_predef.c index 0d70826bb..601ceef66 100644 --- a/src/src/macro_predef.c +++ b/src/src/macro_predef.c @@ -183,7 +183,7 @@ due to conflicts with other common macros. */ #ifdef EXPERIMENTAL_BRIGHTMAIL builtin_macro_create(US"_HAVE_BRIGHTMAIL"); #endif -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE builtin_macro_create(US"_HAVE_DANE"); #endif #ifdef EXPERIMENTAL_DCC diff --git a/src/src/spool_in.c b/src/src/spool_in.c index d8272aa09..c8ddffe41 100644 --- a/src/src/spool_in.c +++ b/src/src/spool_in.c 
@@ -302,7 +302,7 @@ dkim_collect_input = FALSE; #ifdef SUPPORT_TLS tls_in.certificate_verified = FALSE; -# ifdef EXPERIMENTAL_DANE +# ifdef SUPPORT_DANE tls_in.dane_verified = FALSE; # endif tls_in.cipher = NULL; diff --git a/src/src/structs.h b/src/src/structs.h index dfe5685e6..29dee2dbe 100644 --- a/src/src/structs.h +++ b/src/src/structs.h @@ -620,7 +620,7 @@ typedef struct address_item { #endif BOOL af_chunking_used:1; /* delivery used SMTP CHUNKING */ BOOL af_force_command:1; /* force_command in pipe transport */ -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE BOOL af_dane_verified:1; /* TLS cert verify done with DANE */ #endif #ifdef SUPPORT_I18N diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index b5bf17be6..dab96974c 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -66,13 +66,17 @@ require current GnuTLS, then we'll drop support for the ancient libraries). #if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP) # define SUPPORT_SRV_OCSP_STACK #endif -#if GNUTLS_VERSION_NUMBER >= 0x030000 && defined(EXPERIMENTAL_DANE) -# define SUPPORT_DANE -# define DANESSL_USAGE_DANE_TA 2 -# define DANESSL_USAGE_DANE_EE 3 -#endif -#if GNUTLS_VERSION_NUMBER < 0x999999 && defined(EXPERIMENTAL_DANE) -# define GNUTLS_BROKEN_DANE_VALIDATION + +#ifdef SUPPORT_DANE +# if GNUTLS_VERSION_NUMBER >= 0x030000 +# define DANESSL_USAGE_DANE_TA 2 +# define DANESSL_USAGE_DANE_EE 3 +# else +# error GnuTLS version too early for DANE +# endif +# if GNUTLS_VERSION_NUMBER < 0x999999 +# define GNUTLS_BROKEN_DANE_VALIDATION +# endif #endif #ifndef DISABLE_OCSP @@ -2249,7 +2253,7 @@ int tls_client_start(int fd, host_item *host, address_item *addr ARG_UNUSED, transport_instance * tb, -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE dns_answer * tlsa_dnsa, #endif uschar ** errstr) diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 7a3ca81c2..71d748f5c 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c 
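Review bot: `# if GNUTLS_VERSION_NUMBER < 0x999999` in the new `#ifdef SUPPORT_DANE` block of tls-gnu.c is true for every real GnuTLS release, so `GNUTLS_BROKEN_DANE_VALIDATION` is always defined in a DANE build. Nothing here says what is broken or what the workaround changes in certificate verification. With DANE leaving experimental status, that deserves a comment such as `/* 0x999999 is a placeholder: the workaround applies to all GnuTLS versions until a release with working DANE validation is identified */`, plus a pointer to where the macro is consumed. The code that uses the macro is outside this hunk, so its effect on verification cannot be judged from here.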
@@ -28,7 +28,7 @@ functions from the OpenSSL library. */ #ifndef DISABLE_OCSP # include <openssl/ocsp.h> #endif -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE # include "danessl.h" #endif @@ -512,7 +512,7 @@ return verify_callback(preverify_ok, x509ctx, &tls_in, } -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE /* This gets called *by* the dane library verify callback, which interposes itself. @@ -566,7 +566,7 @@ else return preverify_ok; } -#endif /*EXPERIMENTAL_DANE*/ +#endif /*SUPPORT_DANE*/ /************************************************* @@ -1996,7 +1996,7 @@ if (expciphers) optional, set up appropriately. */ tls_in.certificate_verified = FALSE; -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE tls_in.dane_verified = FALSE; #endif server_verify_callback_called = FALSE; @@ -2155,7 +2155,7 @@ return OK; } -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE static int dane_tlsa_load(SSL * ssl, host_item * host, dns_answer * dnsa, uschar ** errstr) { @@ -2210,7 +2210,7 @@ if (found) log_write(0, LOG_MAIN, "DANE error: No usable TLSA records"); return DEFER; } -#endif /*EXPERIMENTAL_DANE*/ +#endif /*SUPPORT_DANE*/ @@ -2236,7 +2236,7 @@ Returns: OK on success int tls_client_start(int fd, host_item *host, address_item *addr, transport_instance * tb, -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE dns_answer * tlsa_dnsa, #endif uschar ** errstr) @@ -2253,13 +2253,13 @@ BOOL request_ocsp = FALSE; BOOL require_ocsp = FALSE; #endif -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE tls_out.tlsa_usage = 0; #endif #ifndef DISABLE_OCSP { -# ifdef EXPERIMENTAL_DANE +# ifdef SUPPORT_DANE if ( tlsa_dnsa && ob->hosts_request_ocsp[0] == '*' && ob->hosts_request_ocsp[1] == '\0' @@ -2277,7 +2277,7 @@ tls_out.tlsa_usage = 0; verify_check_given_host(&ob->hosts_require_ocsp, host) == OK)) request_ocsp = TRUE; else -# ifdef EXPERIMENTAL_DANE +# ifdef SUPPORT_DANE if (!request_ocsp) # endif request_ocsp = 
@@ -2313,7 +2313,7 @@ if (expciphers) return tls_error(US"SSL_CTX_set_cipher_list", host, NULL, errstr); } -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE if (tlsa_dnsa) { SSL_CTX_set_verify(client_ctx, @@ -2361,7 +2361,7 @@ if (ob->tls_sni) } } -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE if (tlsa_dnsa) if ((rc = dane_tlsa_load(client_ssl, host, tlsa_dnsa, errstr)) != OK) return rc; @@ -2370,7 +2370,7 @@ if (tlsa_dnsa) #ifndef DISABLE_OCSP /* Request certificate status at connection-time. If the server does OCSP stapling we will get the callback (set in tls_init()) */ -# ifdef EXPERIMENTAL_DANE +# ifdef SUPPORT_DANE if (request_ocsp) { const uschar * s; @@ -2407,7 +2407,7 @@ alarm(ob->command_timeout); rc = SSL_connect(client_ssl); alarm(0); -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE if (tlsa_dnsa) DANESSL_cleanup(client_ssl); #endif diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 1d78f2195..38660f797 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -105,7 +105,7 @@ optionlist smtp_transport_options[] = { { "hosts_require_auth", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_require_auth) }, #ifdef SUPPORT_TLS -# ifdef EXPERIMENTAL_DANE +# ifdef SUPPORT_DANE { "hosts_require_dane", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_require_dane) }, # endif @@ -120,7 +120,7 @@ optionlist smtp_transport_options[] = { (void *)offsetof(smtp_transport_options_block, hosts_try_auth) }, { "hosts_try_chunking", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_try_chunking) }, -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE) +#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE) { "hosts_try_dane", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_try_dane) }, #endif 
@@ -219,7 +219,7 @@ smtp_transport_options_block smtp_transport_option_defaults = { .hosts_try_auth = NULL, .hosts_require_auth = NULL, .hosts_try_chunking = US"*", -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE .hosts_try_dane = NULL, .hosts_require_dane = NULL, #endif @@ -1190,7 +1190,7 @@ return FALSE; -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE /* Lookup TLSA record for host/port. Return: OK success with dnssec; DANE mode DEFER Do not use this host now, may retry later @@ -1490,7 +1490,7 @@ Returns: OK - the connection was made and the delivery attempted; int smtp_setup_conn(smtp_context * sx, BOOL suppress_tls) { -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE) +#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE) dns_answer tlsa_dnsa; #endif BOOL pass_message = FALSE; @@ -1512,7 +1512,7 @@ sx->esmtp_sent = FALSE; sx->utf8_needed = FALSE; #endif sx->dsn_all_lasthop = TRUE; -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE) +#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE) sx->dane = FALSE; sx->dane_required = verify_check_given_host(&sx->ob->hosts_require_dane, sx->host) == OK; #endif @@ -1586,7 +1586,7 @@ if (!continue_hostname) smtp_port_for_connect(sx->host, sx->port); -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE) +#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE) /* Do TLSA lookup for DANE */ { tls_out.dane_verified = FALSE; @@ -1936,7 +1936,7 @@ if ( smtp_peer_options & OPTION_TLS address_item * addr; uschar * errstr; int rc = tls_client_start(sx->inblock.sock, sx->host, sx->addrlist, sx->tblock, -# ifdef EXPERIMENTAL_DANE +# ifdef SUPPORT_DANE sx->dane ? &tlsa_dnsa : NULL, # endif &errstr); @@ -1947,7 +1947,7 @@ if ( smtp_peer_options & OPTION_TLS if (rc != OK) { -# ifdef EXPERIMENTAL_DANE +# ifdef SUPPORT_DANE if (sx->dane) log_write(0, LOG_MAIN, "DANE attempt failed; TLS connection to %s [%s]: %s", sx->host->name, sx->host->address, errstr); 
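Review bot: In the `@@ -1512` hunk of smtp.c, `sx->dane_required` is set by comparing `verify_check_given_host(...)` with `OK`, so any other result is treated as "DANE not required", including a deferred host-list lookup if the function can return one here. For an option whose purpose is to forbid fallback, that is the permissive direction. I would keep the return code, e.g. `int rc = verify_check_given_host(&sx->ob->hosts_require_dane, sx->host);`, set `sx->dane_required = rc == OK;` and defer the host when `rc == DEFER`. smtp_setup_conn's body continues outside the hunk, so the TLSA lookup code that follows may already cover this; the same comparison is used for `hosts_require_tls` in the `@@ -2034` hunk.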
@@ -2034,7 +2034,7 @@ if (tls_out.active >= 0) have one. */ else if ( sx->smtps -# ifdef EXPERIMENTAL_DANE +# ifdef SUPPORT_DANE || sx->dane # endif || verify_check_given_host(&sx->ob->hosts_require_tls, sx->host) == OK diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h index 33c5aaf03..14c0c7556 100644 --- a/src/src/transports/smtp.h +++ b/src/src/transports/smtp.h @@ -29,7 +29,7 @@ typedef struct { uschar *hosts_try_auth; uschar *hosts_require_auth; uschar *hosts_try_chunking; -#ifdef EXPERIMENTAL_DANE +#ifdef SUPPORT_DANE uschar *hosts_try_dane; uschar *hosts_require_dane; #endif @@ -115,7 +115,7 @@ typedef struct { BOOL utf8_needed:1; #endif BOOL dsn_all_lasthop:1; -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE) +#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE) BOOL dane:1; BOOL dane_required:1; #endif |