X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/e1d04f48a45c9f8e8ff75610003048f8ead73219..2546388c27720eaaada4bb63574ba1f32e6ddf4e:/src/src/transports/smtp.c

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index c1f5ad45a..02d1e671e 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1551,7 +1551,7 @@ if (continue_hostname == NULL)
     uschar * msg = NULL;
     if (sx->verify)
       {
-      msg = strerror(errno);
+      msg = US strerror(errno);
       HDEBUG(D_verify) debug_printf("connect: %s\n", msg);
       }
     set_errno_nohost(sx->addrlist,
@@ -1863,11 +1863,12 @@ if (  smtp_peer_options & PEER_OFFERED_TLS
   TLS_NEGOTIATE:
     {
     address_item * addr;
-    int rc = tls_client_start(sx->inblock.sock, sx->host, sx->addrlist, sx->tblock
+    uschar * errstr;
+    int rc = tls_client_start(sx->inblock.sock, sx->host, sx->addrlist, sx->tblock,
 # ifdef EXPERIMENTAL_DANE
-			     , sx->dane ? &tlsa_dnsa : NULL
+			     sx->dane ? &tlsa_dnsa : NULL,
 # endif
-			     );
+			     &errstr);
 
     /* TLS negotiation failed; give an error. From outside, this function may
     be called again to try in clear on a new connection, if the options permit
@@ -1877,12 +1878,12 @@ if (  smtp_peer_options & PEER_OFFERED_TLS
       {
 # ifdef EXPERIMENTAL_DANE
       if (sx->dane) log_write(0, LOG_MAIN,
-	  "DANE attempt failed; no TLS connection to %s [%s]",
-	  sx->host->name, sx->host->address);
+	  "DANE attempt failed; TLS connection to %s [%s]: %s",
+	  sx->host->name, sx->host->address, errstr);
 # endif
 
       errno = ERRNO_TLSFAILURE;
-      message = US"failure while setting up TLS session";
+      message = string_sprintf("TLS session: %s", errstr);
       sx->send_quit = FALSE;
       goto TLS_FAILED;
       }
@@ -3717,7 +3718,7 @@ for (cutoff_retry = 0;
       commonly points to a configuration error, but the best action is still
       to carry on for the next host. */
 
-      if (rc == HOST_FIND_AGAIN || rc == HOST_FIND_FAILED)
+      if (rc == HOST_FIND_AGAIN || rc == HOST_FIND_SECURITY || rc == HOST_FIND_FAILED)
         {
         retry_add_item(addrlist, string_sprintf("R:%s", host->name), 0);
         expired = FALSE;
@@ -3730,8 +3731,11 @@ for (cutoff_retry = 0;
           {
           if (addr->transport_return != DEFER) continue;
           addr->basic_errno = ERRNO_UNKNOWNHOST;
-          addr->message =
-            string_sprintf("failed to lookup IP address for %s", host->name);
+          addr->message = string_sprintf(
+	    rc == HOST_FIND_SECURITY
+	      ? "lookup of IP address for %s was insecure"
+	      : "failed to lookup IP address for %s",
+	    host->name);
           }
         continue;
         }
@@ -3870,6 +3874,7 @@ for (cutoff_retry = 0;
 	    {
 	    case hwhy_retry: hosts_retry++; break;
 	    case hwhy_failed:  hosts_fail++; break;
+	    case hwhy_insecure:
 	    case hwhy_deferred: hosts_defer++; break;
 	    }
 
@@ -4053,8 +4058,9 @@ for (cutoff_retry = 0;
 	 && verify_check_given_host(&ob->hosts_require_tls, host) != OK
 	 )
         {
-        log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted "
-          "to %s [%s] (not in hosts_require_tls)", host->name, host->address);
+        log_write(0, LOG_MAIN,
+	  "%s: delivering unencrypted to H=%s [%s] (not in hosts_require_tls)",
+	  first_addr->message, host->name, host->address);
         first_addr = prepare_addresses(addrlist, host);
         rc = smtp_deliver(addrlist, thost, host_af, port, interface, tblock,
           &message_defer, TRUE);