Support optional server certificate name checking. Bug 1479

[exim.git] / src / src / transports / smtp.c

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 1232965b99d401171191590978ee0a13efc4a556..c175d2ffe941ba1519befcf1bcc438be76ae2f28 100644 (file)
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -118,7 +118,7 @@ optionlist smtp_transport_options[] = {
 #endif
   { "hosts_try_auth",       opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_try_auth) },
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
   { "hosts_try_prdr",       opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_try_prdr) },
 #endif
@@ -163,6 +163,10 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, tls_tempfail_tryclear) },
   { "tls_try_verify_hosts", opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, tls_try_verify_hosts) },
+#ifdef EXPERIMENTAL_CERTNAMES
+  { "tls_verify_cert_hostnames", opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block,tls_verify_cert_hostnames)},
+#endif
   { "tls_verify_certificates", opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, tls_verify_certificates) },
   { "tls_verify_hosts",     opt_stringptr,
@@ -196,7 +200,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   NULL,                /* serialize_hosts */
   NULL,                /* hosts_try_auth */
   NULL,                /* hosts_require_auth */
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
   NULL,                /* hosts_try_prdr */
 #endif
 #ifdef EXPERIMENTAL_OCSP
@@ -245,6 +249,9 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   TRUE,                /* tls_tempfail_tryclear */
   NULL,                /* tls_verify_hosts */
   NULL                 /* tls_try_verify_hosts */
+# ifdef EXPERIMENTAL_CERTNAMES
+ ,NULL                 /* tls_verify_cert_hostnames */
+# endif
 #endif
 #ifndef DISABLE_DKIM
  ,NULL,                /* dkim_canon */
@@ -636,7 +643,7 @@ tpda_defer_errstr = addr->message
     ? string_sprintf("%s: %s", addr->message, strerror(addr->basic_errno))
     : string_copy(addr->message)
   : addr->basic_errno > 0
-    ? string_copy(strerror(addr->basic_errno))
+    ? string_copy(US strerror(addr->basic_errno))
     : NULL;
 
 DEBUG(D_transport)
@@ -1185,7 +1192,7 @@ BOOL completed_address = FALSE;
 BOOL esmtp = TRUE;
 BOOL pending_MAIL;
 BOOL pass_message = FALSE;
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
 BOOL prdr_offered = FALSE;
 BOOL prdr_active;
 #endif
@@ -1386,7 +1393,7 @@ goto SEND_QUIT;
       PCRE_EOPT, NULL, 0) >= 0;
   #endif
 
-  #ifdef EXPERIMENTAL_PRDR
+  #ifndef DISABLE_PRDR
   prdr_offered = esmtp &&
     (pcre_exec(regex_PRDR, NULL, CS buffer, Ustrlen(buffer), 0,
       PCRE_EOPT, NULL, 0) >= 0) &&
@@ -1585,7 +1592,7 @@ if (continue_hostname == NULL
   DEBUG(D_transport) debug_printf("%susing PIPELINING\n",
     smtp_use_pipelining? "" : "not ");
 
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
   prdr_offered = esmtp &&
     pcre_exec(regex_PRDR, NULL, CS buffer, Ustrlen(CS buffer), 0,
       PCRE_EOPT, NULL, 0) >= 0 &&
@@ -1673,7 +1680,7 @@ if (smtp_use_size)
   while (*p) p++;
   }
 
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
 prdr_active = FALSE;
 if (prdr_offered)
   {
@@ -1909,7 +1916,7 @@ if (!ok) ok = TRUE; else
 
   smtp_command = US"end of data";
 
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
   /* For PRDR we optionally get a partial-responses warning
    * followed by the individual responses, before going on with
    * the overall response.  If we don't get the warning then deal
@@ -2004,7 +2011,7 @@ if (!ok) ok = TRUE; else
       address. For temporary errors, add a retry item for the address so that
       it doesn't get tried again too soon. */
 
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
       if (lmtp || prdr_active)
 #else
       if (lmtp)
@@ -2015,7 +2022,7 @@ if (!ok) ok = TRUE; else
           {
           if (errno != 0 || buffer[0] == 0) goto RESPONSE_FAILED;
           addr->message = string_sprintf(
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
            "%s error after %s: %s", prdr_active ? "PRDR":"LMTP",
 #else
            "LMTP error after %s: %s",
@@ -2029,7 +2036,7 @@ if (!ok) ok = TRUE; else
             errno = ERRNO_DATA4XX;
             addr->more_errno |= ((buffer[1] - '0')*10 + buffer[2] - '0') << 8;
             addr->transport_return = DEFER;
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
             if (!prdr_active)
 #endif
               retry_add_item(addr, addr->address_retry_key, 0);
@@ -2052,12 +2059,12 @@ if (!ok) ok = TRUE; else
       addr->host_used = thost;
       addr->special_action = flag;
       addr->message = conf;
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
       if (prdr_active) addr->flags |= af_prdr_used;
 #endif
       flag = '-';
 
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
       if (!prdr_active)
 #endif
         {
@@ -2079,7 +2086,7 @@ if (!ok) ok = TRUE; else
         }
       }
 
-#ifdef EXPERIMENTAL_PRDR
+#ifndef DISABLE_PRDR
       if (prdr_active)
         {
        /* PRDR - get the final, overall response.  For any non-success
@@ -2919,6 +2926,9 @@ for (cutoff_retry = 0; expired &&
 
     deliver_host = host->name;
     deliver_host_address = host->address;
+    lookup_dnssec_authenticated = host->dnssec == DS_YES ? US"yes"
+                               : host->dnssec == DS_NO ? US"no"
+                               : US"";
 
     /* Set up a string for adding to the retry key if the port number is not
     the standard SMTP port. A host may have its own port setting that overrides