Diffstat (limited to 'src')
-rw-r--r--src/src/deliver.c6
-rw-r--r--src/src/exim.c7
-rw-r--r--src/src/functions.h2
-rw-r--r--src/src/host.c5
-rw-r--r--src/src/route.c2
-rw-r--r--src/src/smtp_out.c4
-rw-r--r--src/src/tls-gnu.c8
-rw-r--r--src/src/tls-openssl.c45
-rw-r--r--src/src/transports/smtp.c14
-rw-r--r--src/src/verify.c6
10 files changed, 67 insertions, 32 deletions
diff --git a/src/src/deliver.c b/src/src/deliver.c
index 4cc05b4ae..27a4344c5 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -719,7 +719,7 @@ d_tlslog(uschar * s, int * sizep, int * ptrp, address_item * addr)
#ifdef EXPERIMENTAL_EVENT
-int
+uschar *
event_raise(uschar * action, uschar * event, uschar * ev_data)
{
uschar * s;
@@ -747,10 +747,10 @@ if (action)
{
DEBUG(D_deliver)
debug_printf("Event(%s): event_action returned \"%s\"\n", event, s);
- return DEFER;
+ return s;
}
}
-return OK;
+return NULL;
}
static void
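Review bot: The new contract of event_raise — NULL when the event action does not deny the operation, otherwise the expansion result for the caller to log — is not stated anywhere, yet every converted caller (smtp_out.c, tls-gnu.c, tls-openssl.c, transports/smtp.c, verify.c) now depends on it. A header comment above the definition in the preceding hunk would pin it down: `/* Returns NULL if the event action did not deny the operation; otherwise the expansion result, which the caller should log. The pointer is not copied. */`. Whether the returned string survives a later store reset cannot be seen from this hunk; if it does not, the comment should say callers must copy it before keeping it. The function's opening lines are in the previous hunk and the lines between the two hunks are not shown.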
diff --git a/src/src/exim.c b/src/src/exim.c
index 5faa6f97f..102d8504c 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -12,6 +12,13 @@ Also a few functions that don't naturally fit elsewhere. */
#include "exim.h"
+#ifdef USE_GNUTLS
+# include <gnutls/gnutls.h>
+# if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
+# define DISABLE_OCSP
+# endif
+#endif
+
extern void init_lookup_list(void);
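Review bot: The `# define DISABLE_OCSP` added here only takes effect in this translation unit, so any other file that tests DISABLE_OCSP (presumably tls-gnu.c, where the OCSP code is actually compiled) still sees the build-time value, and the two can disagree — exim.c reporting one OCSP status while the TLS code was compiled with another. Moving the GnuTLS version check into a header that every unit includes (exim.h after the configuration includes, or the header that defines USE_GNUTLS) makes all units take the same decision. If exim.h already pulls in gnutls.h the explicit include is redundant; that cannot be confirmed from this hunk.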
diff --git a/src/src/functions.h b/src/src/functions.h
index ba4760f7a..07d0eb413 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -158,7 +158,7 @@ extern BOOL dscp_lookup(const uschar *, int, int *, int *, int *);
extern void enq_end(uschar *);
extern BOOL enq_start(uschar *);
#ifdef EXPERIMENTAL_EVENT
-extern int event_raise(uschar *, uschar *, uschar *);
+extern uschar *event_raise(uschar *, uschar *, uschar *);
#endif
extern void exim_exit(int);
extern void exim_nullstd(void);
diff --git a/src/src/host.c b/src/src/host.c
index 2eef0ba70..7737704cd 100644
--- a/src/src/host.c
+++ b/src/src/host.c
@@ -3068,8 +3068,9 @@ DEBUG(D_host_lookup)
yield);
for (h = host; h != last->next; h = h->next)
{
- debug_printf(" %s %s MX=%d ", h->name,
- (h->address == NULL)? US"<null>" : h->address, h->mx);
+ debug_printf(" %s %s MX=%d %s", h->name,
+ !h->address ? US"<null>" : h->address, h->mx,
+ h->dnssec == DS_YES ? US"DNSSEC " : US"");
if (h->port != PORT_NONE) debug_printf("port=%d ", h->port);
if (h->status >= hstatus_unusable) debug_printf("*");
debug_printf("\n");
diff --git a/src/src/route.c b/src/src/route.c
index 6ba1d9f10..3834b836a 100644
--- a/src/src/route.c
+++ b/src/src/route.c
@@ -1969,7 +1969,7 @@ DEBUG(D_route)
if (h->mx >= 0) debug_printf(" MX=%d", h->mx);
else if (h->mx != MX_NONE) debug_printf(" rgroup=%d", h->mx);
if (h->port != PORT_NONE) debug_printf(" port=%d", h->port);
- /* if (h->dnssec != DS_UNK) debug_printf(" dnssec=%s", h->dnssec==DS_YES ? "yes" : "no"); */
+ if (h->dnssec != DS_UNK) debug_printf(" dnssec=%s", h->dnssec==DS_YES ? "yes" : "no");
debug_printf("\n");
}
}
diff --git a/src/src/smtp_out.c b/src/src/smtp_out.c
index e3f2588d7..530fcfec7 100644
--- a/src/src/smtp_out.c
+++ b/src/src/smtp_out.c
@@ -204,10 +204,10 @@ HDEBUG(D_transport|D_acl|D_v)
}
#ifdef EXPERIMENTAL_EVENT
- /*XXX Called from both delivery and verify. Is that status observable? */
deliver_host_address = host->address;
deliver_host_port = port;
- if (event_raise(event, US"tcp:connect", NULL) == DEFER) return -1;
+ if (event_raise(event, US"tcp:connect", NULL)) return -1;
+ /* Logging? Debug? */
#endif
/* Create the socket */
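Review bot: The string event_raise now returns on denial is discarded at the `tcp:connect` call, so a refused connection leaves no record of why, while the other converted callers (tls-gnu.c, tls-openssl.c, transports/smtp.c) log it; the new `/* Logging? Debug? */` comment is a placeholder for exactly that. Capture it and emit it at least at debug level, replacing the placeholder: `uschar * s;` / `if ((s = event_raise(event, US"tcp:connect", NULL)))` / `{ DEBUG(D_transport|D_acl) debug_printf("tcp:connect event denied connection: %s\n", s); return -1; }`. The smtp:connect call in verify.c keeps the identical placeholder and drops the string in the same way. Whether the caller interprets the -1 via errno cannot be seen here; if it does, nothing on this path sets errno, so the value reported would be stale.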
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 1966c557d..04de02d74 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1559,6 +1559,7 @@ const gnutls_datum * cert_list;
unsigned int cert_list_size = 0;
gnutls_x509_crt_t crt;
int rc;
+uschar * yield;
exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
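Review bot: `uschar * yield;` is declared unconditionally, but its only use in this commit is the event_raise call in the next hunk, and event_raise is only declared under EXPERIMENTAL_EVENT (see the functions.h hunk), so that call must sit inside such a guard; the matching tls-openssl.c hunk wraps its `yield` declaration in `#ifdef EXPERIMENTAL_EVENT`, so a non-EVENT build will warn about an unused variable here and not there. Guard it the same way: `#ifdef EXPERIMENTAL_EVENT` / `uschar * yield;` / `#endif`. The enclosing function begins before this hunk and the guard around the call is not visible, so confirm its placement before changing.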
@@ -1574,11 +1575,12 @@ if (cert_list)
}
state->tlsp->peercert = crt;
- if (event_raise(state->event_action,
- US"tls:cert", string_sprintf("%d", cert_list_size)) == DEFER)
+ if ((yield = event_raise(state->event_action,
+ US"tls:cert", string_sprintf("%d", cert_list_size))))
{
log_write(0, LOG_MAIN,
- "SSL verify denied by event-action: depth=%d", cert_list_size);
+ "SSL verify denied by event-action: depth=%d: %s",
+ cert_list_size, yield);
return 1; /* reject */
}
state->tlsp->peercert = NULL;
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index afc898ca7..63bf83b1d 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -294,8 +294,11 @@ verify_callback(int state, X509_STORE_CTX *x509ctx,
{
X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
int depth = X509_STORE_CTX_get_error_depth(x509ctx);
-uschar * ev;
static uschar txt[256];
+#ifdef EXPERIMENTAL_EVENT
+uschar * ev;
+uschar * yield;
+#endif
X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
@@ -305,7 +308,6 @@ if (state == 0)
depth,
X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
txt);
- tlsp->certificate_verified = FALSE;
*calledp = TRUE;
if (!*optionalp)
{
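Review bot: Removing `tlsp->certificate_verified = FALSE;` from the state == 0 path (and the two matching removals in the later event-action hunks) means every overridden failure — this chain-verification failure, and the new tls_try_verify_hosts overrides for certificate-name mismatch and event-action denial in the following hunks — now relies on code outside these hunks to keep certificate_verified false for a connection whose chain, name or event check did not pass. If the flag is derived from *calledp after the handshake that is fine, but if it is set TRUE on handshake completion independently of the callback, a mismatched or denied certificate would be reported as verified to logging and to anything that acts on that flag. Either cite the line that derives it from *calledp in the commit message, or keep the explicit assignment in each override path. verify_callback begins before this hunk.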
@@ -335,13 +337,15 @@ else if (depth != 0)
if (ev)
{
tlsp->peercert = X509_dup(cert);
- if (event_raise(ev, US"tls:cert", string_sprintf("%d", depth)) == DEFER)
+ if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
{
log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
- "depth=%d cert=%s", depth, txt);
- tlsp->certificate_verified = FALSE;
+ "depth=%d cert=%s: %s", depth, txt, yield);
*calledp = TRUE;
- return 0; /* reject */
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
+ "(host in tls_try_verify_hosts)\n");
}
X509_free(tlsp->peercert);
tlsp->peercert = NULL;
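Review bot: The tail `*calledp = TRUE; if (!*optionalp) return 0; DEBUG(D_tls) debug_printf("... overridden (host in tls_try_verify_hosts)\n");` now appears five times in verify_callback — four new copies (here, the two certificate-name-mismatch branches either side of `# else`, and the depth-0 event-action hunk) plus the pre-existing state == 0 one — differing only in the leading word of the message, and the two name-mismatch copies are identical. Factoring the tail into a small static helper keeps all the rejection sites in step the next time the override rule changes. verify_callback begins before this hunk.
```c
/* Record that the verify callback has fired and decide whether a failure
at this depth rejects the handshake: it does, unless the peer is in
tls_try_verify_hosts, in which case the failure is only logged.
Returns 0 to reject (the verify_callback return value) or 1 to carry on. */
static int
verify_fail_or_override(BOOL * calledp, BOOL * optionalp, const char * what)
{
*calledp = TRUE;
if (!*optionalp)
  return 0;                                     /* reject */
DEBUG(D_tls) debug_printf("%s verify failure overridden "
  "(host in tls_try_verify_hosts)\n", what);
return 1;
}

/* … unchanged: verify_callback prologue and the state == 0 case … */
    if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
      {
      log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
        "depth=%d cert=%s: %s", depth, txt, yield);
      if (!verify_fail_or_override(calledp, optionalp, "Event-action"))
        return 0;
      }
    /* … unchanged: X509_free(tlsp->peercert) and the rest of the callback … */
```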
@@ -390,7 +394,11 @@ else
{
log_write(0, LOG_MAIN,
"SSL verify error: certificate name mismatch: \"%s\"\n", txt);
- return 0; /* reject */
+ *calledp = TRUE;
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
+ "tls_try_verify_hosts)\n");
}
}
# else
@@ -398,7 +406,11 @@ else
{
log_write(0, LOG_MAIN,
"SSL verify error: certificate name mismatch: \"%s\"\n", txt);
- return 0; /* reject */
+ *calledp = TRUE;
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
+ "tls_try_verify_hosts)\n");
}
# endif
#endif /*EXPERIMENTAL_CERTNAMES*/
@@ -406,13 +418,15 @@ else
#ifdef EXPERIMENTAL_EVENT
ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
if (ev)
- if (event_raise(ev, US"tls:cert", US"0") == DEFER)
+ if ((yield = event_raise(ev, US"tls:cert", US"0")))
{
log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
- "depth=0 cert=%s", txt);
- tlsp->certificate_verified = FALSE;
+ "depth=0 cert=%s: %s", txt, yield);
*calledp = TRUE;
- return 0; /* reject */
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
+ "(host in tls_try_verify_hosts)\n");
}
#endif
@@ -450,6 +464,7 @@ X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
static uschar txt[256];
#ifdef EXPERIMENTAL_EVENT
int depth = X509_STORE_CTX_get_error_depth(x509ctx);
+uschar * yield;
#endif
X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
@@ -461,11 +476,11 @@ tls_out.peercert = X509_dup(cert);
#ifdef EXPERIMENTAL_EVENT
if (client_static_cbinfo->event_action)
{
- if (event_raise(client_static_cbinfo->event_action,
- US"tls:cert", string_sprintf("%d", depth)) == DEFER)
+ if ((yield = event_raise(client_static_cbinfo->event_action,
+ US"tls:cert", string_sprintf("%d", depth))))
{
log_write(0, LOG_MAIN, "DANE verify denied by event-action: "
- "depth=%d cert=%s", depth, txt);
+ "depth=%d cert=%s: %s", depth, txt, yield);
tls_out.certificate_verified = FALSE;
return 0; /* reject */
}
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 6886fd518..12ae6e14d 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1414,14 +1414,20 @@ if (continue_hostname == NULL)
ob->command_timeout)) goto RESPONSE_FAILED;
#ifdef EXPERIMENTAL_EVENT
- if (event_raise(tblock->event_action, US"smtp:connect", buffer)
- == DEFER)
+ {
+ uschar * s;
+ lookup_dnssec_authenticated = host->dnssec==DS_YES ? US"yes"
+ : host->dnssec==DS_NO ? US"no" : NULL;
+ s = event_raise(tblock->event_action, US"smtp:connect", buffer);
+ if (s)
{
- uschar *message = US"deferred by smtp:connect event expansion";
- set_errno(addrlist, 0, message, DEFER, FALSE, NULL);
+ set_errno(addrlist, 0,
+ string_sprintf("deferred by smtp:connect event expansion: %s", s),
+ DEFER, FALSE, NULL);
yield = DEFER;
goto SEND_QUIT;
}
+ }
#endif
/* Now check if the helo_data expansion went well, and sign off cleanly if
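Review bot: `lookup_dnssec_authenticated` is assigned before the smtp:connect event but never cleared afterwards, whereas the parallel verify.c hunk resets it to NULL on both the failure and the success path; here the value (presumably a global, given it is assigned without declaration) stays set for the rest of this transport run, so later expansions in the process see a stale per-host value. Clear it right after the call, before the test: `s = event_raise(tblock->event_action, US"smtp:connect", buffer);` / `lookup_dnssec_authenticated = NULL;` / `if (s)`. If it is intentionally left set so later transport expansions can read it, say so in a comment, because the behaviour then diverges from verify.c. The enclosing function begins before this hunk.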
diff --git a/src/src/verify.c b/src/src/verify.c
index f8e176b27..b74d6ab5e 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -584,12 +584,16 @@ else
goto RESPONSE_FAILED;
#ifdef EXPERIMENTAL_EVENT
+ lookup_dnssec_authenticated = host->dnssec==DS_YES ? US"yes"
+ : host->dnssec==DS_NO ? US"no" : NULL;
if (event_raise(addr->transport->event_action,
- US"smtp:connect", responsebuffer) == DEFER)
+ US"smtp:connect", responsebuffer))
{
+ lookup_dnssec_authenticated = NULL;
/* Logging? Debug? */
goto RESPONSE_FAILED;
}
+ lookup_dnssec_authenticated = NULL;
#endif
}
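Review bot: The reset of `lookup_dnssec_authenticated` is written twice, once inside the failure branch and once after it, which is easy to get wrong when a further exit is added; capturing the result first, as the transports/smtp.c hunk already does, needs only one reset: `uschar * s = event_raise(addr->transport->event_action, US"smtp:connect", responsebuffer);` / `lookup_dnssec_authenticated = NULL;` / `if (s) goto RESPONSE_FAILED;`. That also gives the `/* Logging? Debug? */` placeholder something to log, since `s` carries the reason the event denied the connection. The enclosing function begins before this hunk.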