X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/168dec3b8f4d729ccb7e56181b8ab4c4956726d1..6ebd79ec02c66e273975e48b481714768080790b:/src/src/transports/smtp.c?ds=sidebyside
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 094353415..087b10cda 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1279,6 +1279,7 @@ BOOL prdr_active;
 BOOL dsn_all_lasthop = TRUE;
 #if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
 BOOL dane = FALSE;
+BOOL dane_required;
 dns_answer tlsa_dnsa;
 #endif
 smtp_inblock inblock;
@@ -1365,8 +1366,6 @@ if (continue_hostname == NULL)
 #if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
 {
- BOOL dane_required;
-
 tls_out.dane_verified = FALSE;
 tls_out.tlsa_usage = 0;
@@ -1605,6 +1604,17 @@ if ( tls_offered
 if (rc != OK)
 {
+# ifdef EXPERIMENTAL_DANE
+ if (rc == DEFER && dane && !dane_required)
+ {
+ log_write(0, LOG_MAIN, "DANE attempt failed;"
+ " trying CA-root TLS to %s [%s] (not in hosts_require_dane)",
+ host->name, host->address);
+ dane = FALSE;
+ goto TLS_NEGOTIATE;
+ }
+# endif
+
 save_errno = ERRNO_TLSFAILURE;
 message = US"failure while setting up TLS session";
 send_quit = FALSE;
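Review bot: `dane_required` is hoisted to function scope without an initializer, and the hunk at `@@ -1605,6 +1604,17 @@` now reads it outside the `continue_hostname == NULL` block that used to declare it. The read is guarded by `dane`, which starts FALSE, so it is only safe if `dane` is never set before `dane_required` has been assigned; that assignment is outside these hunks, so this is an inference. Because the flag decides whether a TLS downgrade is allowed, give it a defined value next to its neighbour, `BOOL dane_required = FALSE;`, and add a comment such as `/* only meaningful while dane is TRUE */`.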
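Review bot: The retry at `if (rc == DEFER && dane && !dane_required)` falls back to CA-root TLS on any DEFER from the DANE attempt. For hosts outside hosts_require_dane, a failed TLSA check is therefore handled like a transient handshake error, if the TLS start routine reports both as DEFER (it is outside the hunk). The `log_write` line is then the only record of the downgrade, so the branch deserves a comment saying so, e.g. `/* Opportunistic DANE only: downgrade to CA-root TLS; hosts_require_dane hosts never take this path */`. The branch clears `dane` but not `tls_out.tlsa_usage` or `tls_out.dane_verified`, so it is worth confirming that neither can carry a value from the failed attempt into the retried session. The `TLS_NEGOTIATE` label and the start of the `if ( tls_offered` block are outside the hunk, so whether the retry reuses the socket on which the handshake just failed cannot be checked here.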