-rw-r--r--doc/doc-docbook/spec.xfpt5
-rw-r--r--doc/doc-txt/ChangeLog2
-rw-r--r--src/src/transports/smtp.c2
-rw-r--r--test/confs/58404
-rw-r--r--test/stderr/58403
5 files changed, 7 insertions, 9 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5f0346e6a..f274db74e 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -23190,12 +23190,13 @@ that matches this list, even if the server host advertises PIPELINING support.
Exim will not try to start a TLS session when delivering to any host that
matches this list. See chapter &<<CHAPTLS>>& for details of TLS.
-.option hosts_verify_avoid_tls smtp "host list&!!" *
+.new
+.option hosts_verify_avoid_tls smtp "host list&!!" unset
.cindex "TLS" "avoiding for certain hosts"
Exim will not try to start a TLS session for a verify callout,
or when delivering in cutthrough mode,
to any host that matches this list.
-Note that the default is to not use TLS.
+.wen
.option hosts_max_try smtp integer 5
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 55af3186c..c0a965eeb 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -81,6 +81,8 @@ JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters
JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size
from 255 to 1024 chars.
+JH/24 Verification callouts now attempt to use TLS by default.
+
Exim version 4.85
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 6a8fbc439..b0fe177e9 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -224,7 +224,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
#endif
NULL, /* hosts_require_tls */
NULL, /* hosts_avoid_tls */
- US"*", /* hosts_verify_avoid_tls */
+ NULL, /* hosts_verify_avoid_tls */
NULL, /* hosts_avoid_pipelining */
NULL, /* hosts_avoid_esmtp */
NULL, /* hosts_nopass_tls */
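Review bot: The new `NULL` default for `hosts_verify_avoid_tls` changes behaviour for every existing configuration that left the option unset, and nothing in this hunk shows what a verify callout does when the STARTTLS handshake then fails. If the callout path does not retry in clear (not visible here), hosts with broken TLS would turn previously successful verifications into defers, so a test case covering a failed handshake during a callout would be worth adding alongside this change. Because the initializer is positional, I would also let the comment carry the new meaning, e.g. `NULL, /* hosts_verify_avoid_tls: unset, so callouts try STARTTLS */`. The initializer of smtp_transport_option_defaults starts and ends outside the hunk.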
diff --git a/test/confs/5840 b/test/confs/5840
index 0447ce36d..4f468a384 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -66,12 +66,8 @@ send_to_server:
allow_localhost
port = PORT_D
- hosts_verify_avoid_tls = :
hosts_try_dane = *
hosts_require_dane = !thishost.test.ex
- hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
- {= {0}{$tls_out_tlsa_usage}} } \
- {*}{}}
tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
tls_try_verify_hosts = thishost.test.ex
tls_verify_certificates = CDIR2/ca_chain.pem
diff --git a/test/stderr/5840 b/test/stderr/5840
index eeffc1103..b2097c1d8 100644
--- a/test/stderr/5840
+++ b/test/stderr/5840
@@ -33,11 +33,10 @@ MUNGED: ::1 will be omitted in what follows
>>> 250-STARTTLS
>>> 250 HELP
>>> ip4.ip4.ip4.ip4 in hosts_avoid_tls? no (option unset)
->>> ip4.ip4.ip4.ip4 in hosts_verify_avoid_tls? no (end of list)
+>>> ip4.ip4.ip4.ip4 in hosts_verify_avoid_tls? no (option unset)
>>> SMTP>> STARTTLS
>>> SMTP<< 220 TLS go ahead
>>> ip4.ip4.ip4.ip4 in hosts_require_ocsp? no (option unset)
->>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? yes (matched "*")
>>> ip4.ip4.ip4.ip4 in hosts_require_ocsp? no (option unset)
>>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? no (end of list)
>>> SMTP>> EHLO myhost.test.ex