From 6742503035564e057edc7d3eba88b108f7d3d74c Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 26 Aug 2020 23:59:28 +0100 Subject: [PATCH 36/37] Fix non-DANE build (cherry picked from commit 651946cbf8e3849687332049730e5fa23d42b4b7) --- src/smtp_out.c | 2 +- src/transport.c | 6 +++++- src/transports/smtp.c | 15 ++++++++++----- diff --git src/smtp_out.c src/smtp_out.c index 86c3e4127..c4c409677 100644 --- src/smtp_out.c +++ src/smtp_out.c @@ -375,7 +375,7 @@ smtp_port_for_connect(host_item * host, int port) { if (host->port != PORT_NONE) { - HDEBUG(D_transport|D_acl|D_v) + HDEBUG(D_transport|D_acl|D_v) if (port != host->port) debug_printf_indent("Transport port=%d replaced by host-specific port=%d\n", port, host->port); port = host->port; diff --git src/transport.c src/transport.c index b1cda55fd..609fd128c 100644 --- src/transport.c +++ src/transport.c @@ -1907,7 +1907,11 @@ if (smtp_peer_options & OPTION_TLS) if (tls_out.sni) { - argv[i++] = tls_out.dane_verified ? US"-MCr" : US"-MCs"; + argv[i++] = +#ifdef SUPPORT_DANE + tls_out.dane_verified ? US"-MCr" : +#endif + US"-MCs"; argv[i++] = tls_out.sni; } } diff --git src/transports/smtp.c src/transports/smtp.c index 7fc2a48bb..77335af09 100644 --- src/transports/smtp.c +++ src/transports/smtp.c @@ -1991,7 +1991,6 @@ if (sx->smtps) } #endif -#ifdef SUPPORT_DANE /* If we have a proxied TLS connection, check usability for this message */ if (continue_hostname && continue_proxy_cipher) @@ -1999,8 +1998,10 @@ if (continue_hostname && continue_proxy_cipher) int rc; const uschar * sni = US""; +#ifdef SUPPORT_DANE /* Check if the message will be DANE-verified; if so force its SNI */ + tls_out.dane_verified = FALSE; smtp_port_for_connect(sx->conn_args.host, sx->port); if ( sx->conn_args.host->dnssec == DS_YES && ( sx->dane_required @@ -2024,15 +2025,17 @@ if (continue_hostname && continue_proxy_cipher) # endif return rc; } +#endif - /* If the SNI required for the new message differs from the existing conn - drop the connection to force a new one. */ + /* If the SNI or the DANE status required for the new message differs from the + existing conn drop the connection to force a new one. */ if (ob->tls_sni && !(sni = expand_cstring(ob->tls_sni))) log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: failed to expand transport's tls_sni value: %s", sx->addrlist->address, expand_string_message); +#ifdef SUPPORT_DANE if ( (continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni) && continue_proxy_dane == sx->conn_args.dane) { @@ -2040,6 +2043,10 @@ if (continue_hostname && continue_proxy_cipher) if ((tls_out.dane_verified = continue_proxy_dane)) sx->conn_args.host->dnssec = DS_YES; } +#else + if ((continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni)) + tls_out.sni = US sni; +#endif else { DEBUG(D_transport) @@ -2048,7 +2055,6 @@ if (continue_hostname && continue_proxy_cipher) HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP>> QUIT\n"); write(0, "QUIT\r\n", 6); close(0); - tls_out.dane_verified = FALSE; continue_hostname = continue_proxy_cipher = NULL; f.continue_more = FALSE; continue_sequence = 1; /* Unfortunately, this process cannot affect success log @@ -2056,7 +2062,6 @@ if (continue_hostname && continue_proxy_cipher) back through reporting pipe. */ } } -#endif /* Make a connection to the host if this isn't a continued delivery, and handle -- 2.28.0