X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/fd9f0b7354ffc2986f0b2e7b074117feb29b5102..1d28cc061677bd07d9bed48dd84bd5c590247043:/src/src/transports/smtp.c

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index bbff1cad8..1183fa478 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -5,6 +5,7 @@
 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
 /* Copyright (c) University of Cambridge 1995 - 2018 */
 /* See the file NOTICE for conditions of use and distribution. */
+/* SPDX-License-Identifier: GPL-2.0-or-later */
 
 #include "../exim.h"
 #include "smtp.h"
@@ -4695,7 +4696,10 @@ if (sx->completed_addr && sx->ok && sx->send_quit)
 	    open, we must shut down TLS.  Not all MTAs allow for the continuation
 	    of the SMTP session when TLS is shut down. We test for this by sending
 	    a new EHLO. If we don't get a good response, we don't attempt to pass
-	    the socket on. */
+	    the socket on.
+	    NB: TLS close is *required* per RFC 9266 when tls-exporter info has
+	    been used, which we do under TLSv1.3 for the gsasl SCRAM*PLUS methods.
+	    But we were always doing it anyway. */
 
 	  tls_close(sx->cctx.tls_ctx,
 	    sx->send_tlsclose ? TLS_SHUTDOWN_WAIT : TLS_SHUTDOWN_WONLY);