From 6c9ed72eaa948d340dba0ea0a878f9570852ab35 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Tue, 24 Mar 2015 18:25:27 +0000
Subject: Use TLS by default on callouts/cutthroughs
---
 doc/doc-docbook/spec.xfpt | 5 +++--
 doc/doc-txt/ChangeLog | 2 ++
 src/src/transports/smtp.c | 2 +-
 test/confs/5840 | 4 ----
 test/stderr/5840 | 3 +--
 5 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5f0346e6a..f274db74e 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -23190,12 +23190,13 @@ that matches this list, even if the server host advertises PIPELINING support. Exim will not try to start a TLS session when delivering to any host that matches this list. See chapter &<>& for details of TLS.
-.option hosts_verify_avoid_tls smtp "host list&!!" *
+.new
+.option hosts_verify_avoid_tls smtp "host list&!!" unset
 .cindex "TLS" "avoiding for certain hosts"
 Exim will not try to start a TLS session for a verify callout, or when delivering in cutthrough mode, to any host that matches this list.
-Note that the default is to not use TLS.
+.wen
 .option hosts_max_try smtp integer 5
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 55af3186c..c0a965eeb 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -81,6 +81,8 @@ JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size from 255 to 1024 chars.
+JH/24 Verification callouts now attempt to use TLS by default.
+ Exim version 4.85
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 6a8fbc439..b0fe177e9 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -224,7 +224,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 #endif
 NULL, /* hosts_require_tls */
 NULL, /* hosts_avoid_tls */
- US"*", /* hosts_verify_avoid_tls */
+ NULL, /* hosts_verify_avoid_tls */
 NULL, /* hosts_avoid_pipelining */
 NULL, /* hosts_avoid_esmtp */
 NULL, /* hosts_nopass_tls */
diff --git a/test/confs/5840 b/test/confs/5840
index 0447ce36d..4f468a384 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -66,12 +66,8 @@ send_to_server:
 allow_localhost
 port = PORT_D
- hosts_verify_avoid_tls = :
 hosts_try_dane = *
 hosts_require_dane = !thishost.test.ex
- hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
- {= {0}{$tls_out_tlsa_usage}} } \
- {*}{}}
 tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
 tls_try_verify_hosts = thishost.test.ex
 tls_verify_certificates = CDIR2/ca_chain.pem
diff --git a/test/stderr/5840 b/test/stderr/5840
index eeffc1103..b2097c1d8 100644
--- a/test/stderr/5840
+++ b/test/stderr/5840
@@ -33,11 +33,10 @@ MUNGED: ::1 will be omitted in what follows
 >>> 250-STARTTLS
 >>> 250 HELP
 >>> ip4.ip4.ip4.ip4 in hosts_avoid_tls? no (option unset)
->>> ip4.ip4.ip4.ip4 in hosts_verify_avoid_tls? no (end of list)
+>>> ip4.ip4.ip4.ip4 in hosts_verify_avoid_tls? no (option unset)
 >>> SMTP>> STARTTLS
 >>> SMTP<< 220 TLS go ahead
 >>> ip4.ip4.ip4.ip4 in hosts_require_ocsp? no (option unset)
->>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? yes (matched "*")
 >>> ip4.ip4.ip4.ip4 in hosts_require_ocsp? no (option unset)
 >>> ip4.ip4.ip4.ip4 in hosts_request_ocsp? no (end of list)
 >>> SMTP>> EHLO myhost.test.ex
--
cgit v1.2.3
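Review bot: The changed `hosts_verify_avoid_tls` default alters observable behaviour for every existing configuration — verify callouts and cutthrough deliveries will now attempt STARTTLS whenever the peer advertises it — yet the initializer line carries only the member name and the spec hunk just says `unset`, so neither states what happens when TLS negotiation on a callout fails (retried in clear, as I understand `tls_tempfail_tryclear` arranges for ordinary deliveries, or the callout result deferred). A comment on the changed line would pin the intent, e.g. `NULL,                /* hosts_verify_avoid_tls: unset => callouts/cutthrough try TLS when offered */`, and the spec paragraph should spell out the failure-mode behaviour since it now decides whether a verify result can be downgraded. The enclosing `smtp_transport_option_defaults` positional initializer starts before and ends after this hunk, so the slot order cannot be checked from here.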
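Review bot: The removal of the `hosts_request_ocsp` setting in the test/confs/5840 hunk is not covered by the commit title or the ChangeLog entry, which only mention TLS on callouts. If the dropped expression has become the option's built-in default (the surviving `hosts_request_ocsp? no (end of list)` line in test/stderr/5840 suggests the lookup still runs against a DANE-dependent list), the commit message should say so; otherwise that cleanup belongs in a separate change so the expected-output diff stays attributable to the new default. The `hosts_verify_avoid_tls = :` removal is the part that actually exercises the new default. The `send_to_server:` transport block continues outside the hunk.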