From 85f4056d71b45977bf269c7e595386647538d14b Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Tue, 13 Dec 2022 15:46:01 +0000
Subject: [PATCH] ACL: Permit the "encrypted" condition to be used in a
 HELO/EHLO ACL

---
 doc/doc-txt/ChangeLog | 6 ++++++
 src/src/acl.c         | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f8ab5da0c..db37c22bb 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -75,6 +75,12 @@ JH/16 Move running the smtp connect ACL to before, for TLS-on-connect ports,
       Also, avoid sending any SMTP fail response for either the connect ACL
       or host_reject_connection, for TLS-on-connect ports.
 
+JH/17 Permit the ACL "encrypted" condition to be used in a HELO/EHLO ACL,
+      Previously this was not permitted, but it makes reasonable sense.
+      While there, restore a restriction on using it from a connect ACL; given
+      the change JH/16 it could only return false (and before 4.91 was not
+      permitted).
+
 
 Exim version 4.96
 -----------------
diff --git a/src/src/acl.c b/src/src/acl.c
index 8e1d92457..74b59b0fe 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -223,7 +223,7 @@ static condition_def conditions[] = {
   },
   [ACLC_ENCRYPTED] =		{ US"encrypted",	FALSE, FALSE,
 				  ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START |
-				    ACL_BIT_HELO,
+				    ACL_BIT_CONNECT
   },
 
   [ACLC_ENDPASS] =		{ US"endpass",	TRUE, TRUE,	0 },
-- 
2.30.2