X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/fd9f0b7354ffc2986f0b2e7b074117feb29b5102..e8297f953ed9c8e42f1b406b5ecad4ccdd9d95d3:/src/src/transports/smtp.c

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index bbff1cad8..ed5f83b3e 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -5,6 +5,7 @@
 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
 /* Copyright (c) University of Cambridge 1995 - 2018 */
 /* See the file NOTICE for conditions of use and distribution. */
+/* SPDX-License-Identifier: GPL-2.0-or-later */
 
 #include "../exim.h"
 #include "smtp.h"
@@ -989,7 +990,7 @@ return FALSE;
 
 
 /* Return an auths bitmap for the set of AUTH methods offered by the server
-which match our authenticators. */
+which match our client-side authenticators. */
 
 static unsigned short
 study_ehlo_auths(smtp_context * sx)
@@ -1015,7 +1016,7 @@ for (au = auths, authnum = 0; au; au = au->next, authnum++) if (au->client)
   }
 
 DEBUG(D_transport)
-  debug_printf("server offers %s AUTH, methods '%s', bitmap 0x%04x\n",
+  debug_printf("server offers %s AUTH, methods '%s', usable-bitmap 0x%04x\n",
     tls_out.active.sock >= 0 ? "crypted" : "plaintext", names, authbits);
 
 if (tls_out.active.sock >= 0)
@@ -4695,7 +4696,10 @@ if (sx->completed_addr && sx->ok && sx->send_quit)
 	    open, we must shut down TLS.  Not all MTAs allow for the continuation
 	    of the SMTP session when TLS is shut down. We test for this by sending
 	    a new EHLO. If we don't get a good response, we don't attempt to pass
-	    the socket on. */
+	    the socket on.
+	    NB: TLS close is *required* per RFC 9266 when tls-exporter info has
+	    been used, which we do under TLSv1.3 for the gsasl SCRAM*PLUS methods.
+	    But we were always doing it anyway. */
 
 	  tls_close(sx->cctx.tls_ctx,
 	    sx->send_tlsclose ? TLS_SHUTDOWN_WAIT : TLS_SHUTDOWN_WONLY);