not do so.
JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
- default. If built with the facility, DANE will be used. The facility is
- now enabled in the prototype build Makefile "EDITME".
+ default. If built with the facility, DANE will be used. The facility
+ SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".
+
+JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
+ is replaced with DISABLE_TLS. You must still, unless you define
+ DISABLE_TLS, manage the choice of TLS library and the include-dir and
+ library-file requirements that go with that choice. Non-TLS builds
+ are still supported.
8. Expansion operator ${sha2_N:} for N=256, 384, 512.
- 9. Build options SUPPORT_DANE and SUPPORT_TLS default to yes
-
Version 4.92
--------------
AUTH_PLAINTEXT=yes
AUTH_SPA=yes
-SUPPORT_TLS=yes
+#DISABLE_TLS=yes
TLS_LIBS=-lssl -lcrypto
ROUTER_ACCEPT=yes
+###############################################################################
+# TLS #
+###############################################################################
+# Exim is built by default to support the SMTP STARTTLS command, which implements
+# Transport Layer Security using SSL (Secure Sockets Layer). This requires you
+# must install the OpenSSL library package or the GnuTLS library. Exim contains
+# no cryptographic code of its own.
+
+# If you are running Exim as a (TLS) server, just building it with TLS support
+# is all you need to do, as tls_advertise_hosts is set to '*' by
+# default. But you are advised to create a suiteable certificate, and tell
+# Exim about it by means of the tls_certificate and tls_privatekey run
+# time options, otherwise Exim will create a self signed certificate on
+# the fly. If you are running Exim only as a (TLS) client, building it with
+# TLS support is all you need to do.
+#
+# If you are using pkg-config then you should not need to worry where
+# the libraries and headers are installed, as the pkg-config .pc
+# specification should include all -L/-I information necessary.
+# Enabling the USE_*_PC options should be sufficient. If not using
+# pkg-config, then you have to specify the libraries, and you mmight
+# need to specify the locations too.
+
+# no cryptographic code of its own. Uncomment the following lines if you want
+# to build Exim without any TLS support (either OpenSSL or GnuTLS):
+# DISABLE_TLS=yes
+
+# If you are buliding with TLS, the library configuration must be done:
+
+# Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
+# and an optional location.
+# USE_OPENSSL_PC=openssl
+# TLS_LIBS=-lssl -lcrypto
+# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
+
+# Uncomment this if you are using GnuTLS
+# USE_GNUTLS=yes
+# Uncomment one of these settings if you are using GnuTLS; pkg-config vs not
+# and an optional location. If you disable SUPPORT_DANE below, you
+# can remove the gnutls-dane references here.
+# USE_GNUTLS_PC=gnutls gnutls-dane
+# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt -lgnutls-dane
+# TLS_LIBS=-L/usr/local/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
+
+# Uncomment the first and either the second or the third of these if you
+# are using GnuTLS. If you have pkg-config, then the second, else the third.
+# USE_GNUTLS=yes
+# USE_GNUTLS_PC=gnutls
+# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
+
+# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
+# build process will require libgcrypt-config to exist in your $PATH. A
+# version that old is likely to become unsupported by Exim in 2017.
+
+# The security fix we provide with the gnutls_allow_auto_pkcs11 option
+# (4.82 PP/09) introduces a compatibility regression. The symbol is
+# not available if GnuTLS is build without p11-kit (--without-p11-kit
+# configure option). In this case use AVOID_GNUTLS_PKCS11=yes when
+# building Exim.
+# AVOID_GNUTLS_PKCS11=yes
+
+# If you are running Exim as a server, note that just building it with TLS
+# support is not all you need to do. You also need to set up a suitable
+# certificate, and tell Exim about it by means of the tls_certificate
+# and tls_privatekey run time options. You also need to set tls_advertise_hosts
+# to specify the hosts to which Exim advertises TLS support. On the other hand,
+# if you are running Exim only as a client, building it with TLS support
+# is all you need to do.
+
+# If you are using pkg-config then you should not need to worry where the
+# libraries and headers are installed, as the pkg-config .pc specification
+# should include all -L/-I information necessary. If not using pkg-config
+# then you might need to specify the locations too.
+
+# Additional libraries and include files are required for both OpenSSL and
+# GnuTLS. The TLS_LIBS settings above assume that the libraries are installed
+# with all your other libraries. If they are in a special directory, you may
+# need something like
+
+# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
+
+# or
+
+# TLS_LIBS=-L/opt/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
+# If not using DANE under GnuTLS we can lose one library
+# TLS_LIBS=-L/opt/gnu/lib -lgnutls -ltasn1 -lgcrypt
+
+# TLS_LIBS is included only on the command for linking Exim itself, not on any
+# auxiliary programs. If the include files are not in a standard place, you can
+# set TLS_INCLUDE to specify where they are, for example:
+
+# TLS_INCLUDE=-I/usr/local/openssl/include/
+# or
+# TLS_INCLUDE=-I/opt/gnu/include
+
+# You don't need to set TLS_INCLUDE if the relevant directories are already
+# specified in INCLUDE.
+
+
+
###############################################################################
# THESE ARE THINGS YOU PROBABLY WANT TO SPECIFY #
###############################################################################
# *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***
-#------------------------------------------------------------------------------
-# Exim can be built to support the SMTP STARTTLS command, which implements
-# Transport Layer Security using SSL (Secure Sockets Layer). To do this, you
-# must install the OpenSSL library package or the GnuTLS library. Exim contains
-# no cryptographic code of its own.
-#
-# If you are running Exim as a (TLS) server, just building it with TLS support
-# is all you need to do, as tls_advertise_hosts is set to '*' by
-# default. But you are advised to create a suiteable certificate, and tell
-# Exim about it by means of the tls_certificate and tls_privatekey run
-# time options, otherwise Exim will create a self signed certificate on
-# the fly. If you are running Exim only as a (TLS) client, building it with
-# TLS support is all you need to do.
-#
-# If you are using pkg-config then you should not need to worry where
-# the libraries and headers are installed, as the pkg-config .pc
-# specification should include all -L/-I information necessary.
-# Enabling the USE_*_PC options should be sufficient. If not using
-# pkg-config, then you have to specify the libraries, and you mmight
-# need to specify the locations too.
-
-# This setting is required for any TLS support (either OpenSSL or GnuTLS)
-SUPPORT_TLS=yes
-
-# Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
-# and an optional location.
-# USE_OPENSSL_PC=openssl
-# TLS_LIBS=-lssl -lcrypto
-# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
-
-# Uncomment one of these settings if you are using GnuTLS; pkg-config vs not
-# and an optional location. If you disabled SUPPORT_DANE above, you
-# can remove the gnutls-dane references here.
-# USE_GNUTLS=yes
-# USE_GNUTLS_PC=gnutls gnutls-dane
-# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt -lgnutls-dane
-# TLS_LIBS=-L/usr/local/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
-
-# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
-# build process will require libgcrypt-config to exist in your $PATH. A
-# version that old is likely to become unsupported by Exim in 2017.
-
-# The security fix we provide with the gnutls_allow_auto_pkcs11 option
-# (4.82 PP/09) introduces a compatibility regression. The symbol is
-# not available if GnuTLS is build without p11-kit (--without-p11-kit
-# configure option). In this case use AVOID_GNUTLS_PKCS11=yes when
-# building Exim.
-# AVOID_GNUTLS_PKCS11=yes
-
-# If the include files for your TLS libraries are not in a standard
-# place and you didn't use the pkg-config route, you you can set
-# TLS_INCLUDE to specify where they are, for example:
-
-# TLS_INCLUDE=-I/usr/local/openssl/include/
-# or
-# TLS_INCLUDE=-I/opt/gnu/include
-
-# You don't need to set TLS_INCLUDE if the relevant directories are already
-# specified in INCLUDE.
-
-
#------------------------------------------------------------------------------
# The default distribution of Exim contains only the plain text form of the
# documentation. Other forms are available separately. If you want to install
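Review bot: The new TLS section at L24-123 carries two contradictory descriptions of what a server needs: L32-38 says building with TLS support is enough because tls_advertise_hosts defaults to '*' and Exim generates a self-signed certificate on the fly, while L85-91 says that is not enough and that tls_advertise_hosts must be set; the second paragraph looks like the pre-4.92 wording and should be dropped (L93-96 likewise repeats L40-45). L47 begins with the stray fragment `no cryptographic code of its own.` duplicated from L30, and the GnuTLS instructions appear three times (L59-60, L61-66, L68-72) with L72 omitting `-lgnutls-dane` while L65 includes it, so only one block should remain. Typos carried over from the old text: `suiteable` (L34), `mmight` (L44), `buliding` (L51). L62 says `If you disable SUPPORT_DANE below`; I cannot see from this hunk where the DANE setting now sits after the move, so check that `below` is right.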
}
/* We don't support protection layers. */
gsasl_property_set(sctx, GSASL_QOPS, "qop-auth");
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_channelbinding_b64)
{
/* Some auth mechanisms can ensure that both sides are talking withing the
continue;
}
- /* DISABLE_DKIM is special; must be forced if no SUPPORT_TLS */
+ /* DISABLE_DKIM is special; must be forced if DISABLE_TLS */
if (strcmp(name, "DISABLE_DKIM") == 0)
{
char *d_dkim = getenv("DISABLE_DKIM");
- char *tls = getenv("SUPPORT_TLS");
+ char *notls = getenv("DISABLE_TLS");
if (d_dkim)
fprintf(new, "#define DISABLE_DKIM yes\n");
- else if (!tls)
+ else if (notls)
fprintf(new, "#define DISABLE_DKIM yes /* forced by lack of TLS */\n");
else
fprintf(new, "/* DISABLE_DKIM not set */\n");
#define DISABLE_DNSSEC
#define DISABLE_DKIM
#define DISABLE_EVENT
-#define DISABLE_PRDR
#define DISABLE_OCSP
+#define DISABLE_PRDR
+#define DISABLE_TLS
#define DISABLE_D_OPTION
#define ENABLE_DISABLE_FSYNC
#define SUPPORT_PROXY
#define SUPPORT_SOCKS
#define SUPPORT_SPF
-#define SUPPORT_TLS
#define SUPPORT_TRANSLATE_IP_ADDRESS
#define SYSLOG_LOG_PID
/* Don't ever molest the parent's SSL connection, but do clean up
the data structures if necessary. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_close(NULL, TLS_NO_SHUTDOWN);
#endif
handle_ending_processes();
errno = select_errno;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
/* Create or rotate any required keys */
tls_daemon_init();
#endif
#else
/* Enabling DANE without enabling TLS cannot work. Abort the compilation. */
-# ifndef SUPPORT_TLS
+# ifdef DISABLE_TLS
# error DANE support requires that TLS support must be enabled. Abort build.
# endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
static gstring *
d_tlslog(gstring * g, address_item * addr)
{
#endif
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
g = d_tlslog(g, addr);
#endif
if (addr->host_used)
g = d_hostlog(g, addr);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
g = d_tlslog(g, addr);
#endif
}
/* Certificates for logging (via events) */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_out.ourcert = addr->ourcert;
addr->ourcert = NULL;
tls_out.peercert = addr->peercert;
delivery_log(LOG_MAIN, addr, logchar, NULL);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_free_cert(&tls_out.ourcert);
tls_free_cert(&tls_out.peercert);
tls_out.cipher = NULL;
it in with the other info, in order to keep each message short enough to
guarantee it won't be split in the pipe. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
case 'X':
if (!addr) goto ADDR_MISMATCH; /* Below, in 'A' handler */
switch (*subid)
}
while (*ptr++);
break;
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
case 'C': /* client authenticator information */
switch (*subid)
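Review bot: The trailing comment on the `#endif` at L291 says `/*DISABLE_TLS*/` although the block it closes is opened by `#ifndef DISABLE_TLS`, so it now reads as the opposite of the condition; the same trailer is used at L305, L441, L504, L552, L698, L709, L870 and L901, while L921 writes `/*!DISABLE_TLS*/`. The negated form is the accurate one and matches the existing `#endif /*!MACRO_PREDEF*/` at L922, so I'd use `#endif /*!DISABLE_TLS*/` throughout. The old `/*SUPPORT_TLS*/` trailers were right for `#ifdef`, and the polarity error appears to have come along with the search-and-replace.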
# endif
/* Use an X item only if there's something to send */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (addr->cipher)
{
ptr = big_buffer + sprintf(CS big_buffer, "%.128s", addr->cipher) + 1;
rmt_dlv_checked_write(fd, 'X', '4', big_buffer, ptr - big_buffer);
}
# endif
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
if (client_authenticator)
{
if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (cutthrough.is_tls)
tls_close(cutthrough.cctx.tls_ctx, TLS_NO_SHUTDOWN);
#endif
if (!regex_AUTH) regex_AUTH =
regex_must_compile(AUTHS_REGEX, FALSE, TRUE);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (!regex_STARTTLS) regex_STARTTLS =
regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE);
#endif
smtp_peer_options = cutthrough.peer_options;
continue_sequence = 0;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (cutthrough.is_tls)
{
int pfd[2], pid;
}
return; /* compiler quietening; control does not reach here. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
fail:
log_write(0,
LOG_MAIN | (exec_type == CEE_EXEC_EXIT ? LOG_PANIC : LOG_PANIC_DIE),
while (sread)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
wwritten = tls_out.active.sock == out_fd
? tls_write(tls_out.active.tls_ctx, p, sread, FALSE)
: write(out_fd, CS p, sread);
{
if (smtp_input)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_close(NULL, TLS_NO_SHUTDOWN); /* Shut down the TLS library */
#endif
(void)close(fileno(smtp_in));
#ifdef USE_TCP_WRAPPERS
fprintf(fp, " TCPwrappers");
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
# ifdef USE_GNUTLS
fprintf(fp, " GnuTLS");
# else
show_db_version(fp);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_version_report(fp);
#endif
#ifdef SUPPORT_I18N
case 'S': smtp_peer_options |= OPTION_SIZE; break;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
/* -MCt: similar to -MCT below but the connection is still open
via a proxy process which handles the TLS context and coding.
Require three arguments for the proxied local address and port,
/* -tls-on-connect: don't wait for STARTTLS (for old clients) */
- #ifdef SUPPORT_TLS
+ #ifndef DISABLE_TLS
else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
#endif
struct sockaddr v0;
};
-/* If SUPPORT_TLS is not defined, ensure that USE_GNUTLS is also not defined
-so that if USE_GNUTLS *is* set, we can assume SUPPORT_TLS is also set.
+/* If DISABLE_TLS is defined, ensure that USE_GNUTLS is not defined
+so that if USE_GNUTLS *is* set, we can assume DISABLE_TLS is not set.
Likewise, OSCP, AUTH_TLS and CERTNAMES cannot be supported. */
-#ifndef SUPPORT_TLS
+#ifdef DISABLE_TLS
# undef USE_GNUTLS
# ifndef DISABLE_OCSP
# define DISABLE_OCSP
#ifdef EXPERIMENTAL_TLS_RESUME
{ "tls_in_resumption", vtype_int, &tls_in.resumption },
#endif
-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS
{ "tls_in_sni", vtype_stringptr, &tls_in.sni },
#endif
{ "tls_out_bits", vtype_int, &tls_out.bits },
#ifdef EXPERIMENTAL_TLS_RESUME
{ "tls_out_resumption", vtype_int, &tls_out.resumption },
#endif
-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS
{ "tls_out_sni", vtype_stringptr, &tls_out.sni },
#endif
#ifdef SUPPORT_DANE
#endif
{ "tls_peerdn", vtype_stringptr, &tls_in.peerdn }, /* mind the alphabetical order! */
-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS
{ "tls_sni", vtype_stringptr, &tls_in.sni }, /* mind the alphabetical order! */
#endif
However, if we're stuck unable to provide this, then we'll fall back to
appallingly bad randomness.
-If SUPPORT_TLS is defined then this will not be used except as an emergency
+If DISABLE_TLS is not defined then this will not be used except as an emergency
fallback.
Arguments:
Returns a random number in range [0, max-1]
*/
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
# define vaguely_random_number vaguely_random_number_fallback
#endif
int
vaguely_random_number(int max)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
# undef vaguely_random_number
#endif
static pid_t pid = 0;
/* Certificate fields, by name. Worry about by-OID later */
/* Names are chosen to not have common prefixes */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
typedef struct
{
uschar * name;
string_sprintf("bad field selector \"%s\" for certextract", field);
return NULL;
}
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
/*************************************************
* Extract a substring from a string *
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
static gstring *
cat_file_tls(void * tls_ctx, gstring * yield, uschar * eol)
{
uschar * server_name = NULL;
host_item host;
BOOL do_shutdown = TRUE;
- BOOL do_tls = FALSE; /* Only set under SUPPORT_TLS */
+ BOOL do_tls = FALSE; /* Only set under ! DISABLE_TLS */
blob reqstr;
if (expand_forbid & RDO_READSOCK)
while ((item = string_nextinlist(&list, &sep, NULL, 0)))
if (Ustrncmp(item, US"shutdown=", 9) == 0)
{ if (Ustrcmp(item + 9, US"no") == 0) do_shutdown = FALSE; }
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
else if (Ustrncmp(item, US"tls=", 4) == 0)
{ if (Ustrcmp(item + 9, US"no") != 0) do_tls = TRUE; }
#endif
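Review bot: The `tls=` branch the commit re-guards at L462-463 still compares at `item + 9`, but the prefix it matched is only four characters long, so for `tls=no` (and `tls=yes`) the comparison starts past the item's terminating NUL and `tls=no` can never be recognised; the effect is that any `tls=` value enables TLS and the read goes beyond the item's buffer. The fix is `{ if (Ustrcmp(item + 4, US"no") != 0) do_tls = TRUE; }`; the offset 9 looks copied from the `shutdown=` branch directly above. This is a pre-existing line that the commit only re-guards, and the enclosing function starts and ends outside the hunk.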
DEBUG(D_expand) debug_printf_indent("connected to socket %s\n", sub_arg[0]);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (do_tls)
{
smtp_connect_args conn_args = {.host = &host };
DEBUG(D_expand) debug_printf_indent("writing \"%s\" to socket\n",
reqstr.data);
if ( (
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
do_tls ? tls_write(cctx.tls_ctx, reqstr.data, reqstr.len, FALSE) :
#endif
write(cctx.sock, reqstr.data, reqstr.len)) != reqstr.len)
sigalrm_seen = FALSE;
ALARM(timeout);
yield =
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
do_tls ? cat_file_tls(cctx.tls_ctx, yield, sub_arg[3]) :
#endif
cat_file(fp, yield, sub_arg[3]);
ALARM_CLR(0);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (do_tls)
{
tls_close(cctx.tls_ctx, TRUE);
continue;
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
case EITEM_CERTEXTRACT:
{
uschar *save_lookup_value = lookup_value;
save_expand_nlength);
continue;
}
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
/* Handle list operations */
int c;
uschar *arg = NULL;
uschar *sub;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
var_entry *vp = NULL;
#endif
as we do not want to do the usual expansion. For most, expand the string.*/
switch(c)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
case EOP_MD5:
case EOP_SHA1:
case EOP_SHA256:
}
case EOP_MD5:
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (vp && *(void **)vp->value)
{
uschar * cp = tls_cert_fprt_md5(*(void **)vp->value);
continue;
case EOP_SHA1:
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (vp && *(void **)vp->value)
{
uschar * cp = tls_cert_fprt_sha1(*(void **)vp->value);
case EOP_STR2B64:
case EOP_BASE64:
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
uschar * s = vp && *(void **)vp->value
? tls_cert_der_b64(*(void **)vp->value)
: b64encode(CUS sub, Ustrlen(sub));
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
extern const char *
std_dh_prime_default(void);
extern const char *
extern int tlsa_lookup(const host_item *, dns_answer *, BOOL);
# endif
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
/* Everything else... */
extern const uschar *parse_quote_2047(const uschar *, int, uschar *, uschar *, int, BOOL);
extern uschar *parse_date_time(uschar *str, time_t *t);
extern int vaguely_random_number(int);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
extern int vaguely_random_number_fallback(int);
#endif
const pcre *regex_DSN = NULL;
uschar *dsn_advertise_hosts = NULL;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
BOOL gnutls_compat_mode = FALSE;
BOOL gnutls_allow_auto_pkcs11 = FALSE;
uschar *openssl_options = NULL;
uschar *tls_try_verify_hosts = NULL;
uschar *tls_verify_certificates= US"system";
uschar *tls_verify_hosts = NULL;
-#else /*!SUPPORT_TLS*/
+#else /*DISABLE_TLS*/
uschar *tls_advertise_hosts = NULL;
#endif
.return_filename = NULL,
.self_hostname = NULL,
.shadow_message = NULL,
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
.cipher = NULL,
.ourcert = NULL,
.peercert = NULL,
"${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}"
"by $primary_hostname "
"${if def:received_protocol {with $received_protocol }}"
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
"${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}"
#endif
"(Exim $version_number)\n\t"
extern tls_support tls_in;
extern tls_support tls_out;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
extern BOOL gnutls_allow_auto_pkcs11; /* Let GnuTLS autoload PKCS11 modules */
extern uschar *openssl_options; /* OpenSSL compatibility options */
/* The socket is ready, read from it (via TLS if it's active). On EOF (i.e.
close down of the connection), set errno to zero; otherwise leave it alone. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (cctx->tls_ctx) /* client TLS */
rc = tls_read(cctx->tls_ctx, buffer, buffsize);
else if (tls_in.active.sock == cctx->sock) /* server TLS */
#ifdef USE_TCP_WRAPPERS
builtin_macro_create(US"_HAVE_TCPWRAPPERS");
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
builtin_macro_create(US"_HAVE_TLS");
# ifdef USE_GNUTLS
builtin_macro_create(US"_HAVE_GNUTLS");
options_transports();
options_auths();
options_logging();
-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS
options_tls();
#endif
}
extern void options_auths(void);
extern void options_logging(void);
extern void params_dkim(void);
-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS
extern void options_tls(void);
#endif
/* When built with TLS support, the act of flushing SMTP output becomes
a no-op once an SSL session is in progress. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
#define mac_smtp_fflush() if (tls_in.active.sock < 0) fflush(smtp_out);
#else
#define mac_smtp_fflush() fflush(smtp_out);
#ifndef DISABLE_DKIM /* entire file */
-#ifndef SUPPORT_TLS
-# error Need SUPPORT_TLS for DKIM
+#ifdef DISABLE_TLS
+# error Must not DISABLE_TLS, for DKIM
#endif
#include "crypt_ver.h"
#if !defined(HASH_H) /* entire file */
#define HASH_H
-#ifndef SUPPORT_TLS
-# error Need SUPPORT_TLS for DKIM
+#ifdef DISABLE_TLS
+# error Must not DISABLE_TLS, for DKIM
#endif
#include "crypt_ver.h"
#ifndef DISABLE_DKIM /* rest of file */
-#ifndef SUPPORT_TLS
-# error Need SUPPORT_TLS for DKIM
+#ifdef DISABLE_TLS
+# error Must no DISABLE_TLS, for DKIM
#endif
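Review bot: The `#error` text at L654 reads `Must no DISABLE_TLS, for DKIM`, which drops the `t` and differs from the two sibling guards at L639 and L647 (`Must not DISABLE_TLS, for DKIM`). Since this message is what a builder sees when DKIM is left enabled in a TLS-less build, it should at least be identical in all three headers: `# error Must not DISABLE_TLS, for DKIM`. Clearer still would be a message that names the remedy, e.g. `# error DKIM requires TLS: either unset DISABLE_TLS or set DISABLE_DKIM`, applied to all three.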
{ "acl_smtp_predata", opt_stringptr, &acl_smtp_predata },
{ "acl_smtp_quit", opt_stringptr, &acl_smtp_quit },
{ "acl_smtp_rcpt", opt_stringptr, &acl_smtp_rcpt },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "acl_smtp_starttls", opt_stringptr, &acl_smtp_starttls },
#endif
{ "acl_smtp_vrfy", opt_stringptr, &acl_smtp_vrfy },
{ "freeze_tell", opt_stringptr, &freeze_tell },
{ "gecos_name", opt_stringptr, &gecos_name },
{ "gecos_pattern", opt_stringptr, &gecos_pattern },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "gnutls_allow_auto_pkcs11", opt_bool, &gnutls_allow_auto_pkcs11 },
{ "gnutls_compat_mode", opt_bool, &gnutls_compat_mode },
#endif
{ "mysql_servers", opt_stringptr, &mysql_servers },
#endif
{ "never_users", opt_uidlist, &never_users },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "openssl_options", opt_stringptr, &openssl_options },
#endif
#ifdef LOOKUP_ORACLE
{ "timeout_frozen_after", opt_time, &timeout_frozen_after },
{ "timezone", opt_stringptr, &timezone_string },
{ "tls_advertise_hosts", opt_stringptr, &tls_advertise_hosts },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "tls_certificate", opt_stringptr, &tls_certificate },
{ "tls_crl", opt_stringptr, &tls_crl },
{ "tls_dh_max_bits", opt_int, &tls_dh_max_bits },
Returns: bool for "okay"; false will cause caller to immediately exit.
*/
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
static BOOL
tls_dropprivs_validate_require_cipher(BOOL nowarn)
{
return status == 0;
}
-#endif /* SUPPORT_TLS */
+#endif /*DISABLE_TLS*/
host_number = n;
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
/* If tls_verify_hosts is set, tls_verify_certificates must also be set */
if ((tls_verify_hosts || tls_try_verify_hosts) && !tls_verify_certificates)
"openssl_options parse error: %s", openssl_options);
# endif
}
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
if (!nowarn && !keep_environment && environ && *environ)
log_write(0, LOG_MAIN,
g = add_host_info_for_log(g);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (LOGGING(tls_cipher) && tls_in.cipher)
{
g = string_append(g, 2, US" X=", tls_in.cipher);
* and not massaging CFLAGS in Local/Makefile is fully supported.
*/
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
# define EXIM_HAVE_SHA2
static struct {
BOOL auth_advertised :1;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
BOOL tls_advertised :1;
#endif
BOOL dsn_advertised :1;
{ "helo", sizeof("helo")-1, HELO_CMD, TRUE, FALSE },
{ "ehlo", sizeof("ehlo")-1, EHLO_CMD, TRUE, FALSE },
{ "auth", sizeof("auth")-1, AUTH_CMD, TRUE, TRUE },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "starttls", sizeof("starttls")-1, STARTTLS_CMD, FALSE, FALSE },
{ "tls_auth", 0, TLS_AUTH_CMD, FALSE, FALSE },
#endif
fd_set fds;
struct timeval tzero;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_in.active.sock >= 0)
return !tls_could_read();
#endif
/* Now write the string */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_in.active.sock >= 0)
{
if (tls_write(NULL, gs.s, gs.ptr, more) < 0)
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
/* Append TLS-related information to a log line
Arguments:
if (authenticated_id) g = string_append(g, 2, US":", authenticated_id);
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
g = s_tlslog(g);
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
static BOOL
smtp_log_tls_fail(uschar * errstr)
{
sender_host_auth_pubname = sender_host_authenticated = NULL;
authenticated_by = NULL;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_in.cipher = tls_in.peerdn = NULL;
tls_in.ourcert = tls_in.peercert = NULL;
tls_in.sni = NULL;
/* Start up TLS if tls_on_connect is set. This is for supporting the legacy
smtps port for use with older style SSL MTAs. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_in.on_connect)
{
if (tls_server_start(tls_require_ciphers, &user_msg) != OK)
if (log_reject_target != 0)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
gstring * g = s_tlslog(NULL);
uschar * tls = string_from_gstring(g);
if (!tls) tls = US"";
else
smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_close(NULL, TLS_SHUTDOWN_NOWAIT);
#endif
cmd_list[CMD_LIST_RSET].is_mail_cmd = TRUE;
cmd_list[CMD_LIST_HELO].is_mail_cmd = TRUE;
cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE;
#endif
fl.auth_advertised = FALSE;
f.smtp_in_pipelining_advertised = FALSE;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
fl.tls_advertised = FALSE;
#endif
fl.dsn_advertised = FALSE;
tls_advertise_hosts. We must *not* advertise if we are already in a
secure connection. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_in.active.sock < 0 &&
verify_check_host(&tls_advertise_hosts) != FAIL)
{
/* Terminate the string (for debug), write it, and note that HELO/EHLO
has been seen. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_in.active.sock >= 0)
(void)tls_write(NULL, g->s, g->ptr,
# ifdef EXPERIMENTAL_PIPE_CONNECT
break;
- #ifdef SUPPORT_TLS
+ #ifndef DISABLE_TLS
case STARTTLS_CMD:
HAD(SCH_STARTTLS);
uschar buffer[256];
buffer[0] = 0;
Ustrcat(buffer, " AUTH");
- #ifdef SUPPORT_TLS
+ #ifndef DISABLE_TLS
if (tls_in.active.sock < 0 &&
verify_check_host(&tls_advertise_hosts) != FAIL)
Ustrcat(buffer, " STARTTLS");
HDEBUG(D_transport|D_acl) debug_printf_indent("cmd buf flush %d bytes%s\n", n,
more ? " (more expected)" : "");
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (outblock->cctx->tls_ctx)
rc = tls_write(outblock->cctx->tls_ctx, outblock->buffer, n, more);
else
dkim_collect_input = 0;
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_in.certificate_verified = FALSE;
# ifdef SUPPORT_DANE
tls_in.dane_verified = FALSE;
#endif
break;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
case 't':
if (Ustrncmp(p, "ls_", 3) == 0)
{
if (bmi_verdicts) fprintf(fp, "-bmi_verdicts %s\n", bmi_verdicts);
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_in.certificate_verified) fprintf(fp, "-tls_certificate_verified\n");
if (tls_in.cipher) fprintf(fp, "-tls_cipher %s\n", tls_in.cipher);
if (tls_in.peercert)
#include "exim.h"
-#ifndef SUPPORT_TLS
+#ifdef DISABLE_TLS
static void dummy(int x) { dummy(x-1); }
#else
return NULL;
}
-#endif /* SUPPORT_TLS */
+#endif /*DISABLE_TLS*/
/* EOF */
uschar *self_hostname; /* after self=pass */
uschar *shadow_message; /* info about shadow transporting */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
uschar *cipher; /* Cipher used for transport */
void *ourcert; /* Certificate offered to peer, binary */
void *peercert; /* Certificate from peer, binary */
int host_af;
uschar * interface;
-#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
BOOL dane:1; /* connection must do dane */
dns_answer tlsa_dnsa;
#endif
#include "exim.h"
#include "transports/smtp.h"
-#if defined(MACRO_PREDEF) && defined(SUPPORT_TLS)
+#if defined(MACRO_PREDEF) && !defined(DISABLE_TLS)
# include "macro_predef.h"
# ifdef USE_GNUTLS
# include "tls-gnu.c"
in a dummy argument to stop even pickier compilers complaining about infinite
loops. */
-#ifndef SUPPORT_TLS
+#ifdef DISABLE_TLS
static void dummy(int x) { dummy(x-1); }
#else
}
-#endif /* SUPPORT_TLS */
+#endif /*DISABLE_TLS*/
void
tls_modify_variables(tls_support * dest_tsp)
modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
modify_variable(US"tls_cipher", &dest_tsp->cipher);
modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)
modify_variable(US"tls_sni", &dest_tsp->sni);
#endif
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
/************************************************
* TLS certificate name operations *
************************************************/
}
return FALSE;
}
-#endif /*SUPPORT_TLS*/
+#endif /*!DISABLE_TLS*/
#endif /*!MACRO_PREDEF*/
/* vi: aw ai sw=2
if (transport_write_timeout <= 0) /* No timeout wanted */
{
rc =
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_out.active.sock == fd ? tls_write(tls_out.active.tls_ctx, block, len, more) :
#endif
#ifdef MSG_MORE
ALARM(local_timeout);
rc =
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_out.active.sock == fd ? tls_write(tls_out.active.tls_ctx, block, len, more) :
#endif
#ifdef MSG_MORE
if (smtp_peer_options & OPTION_DSN) argv[i++] = US"-MCD";
if (smtp_peer_options & OPTION_PIPE) argv[i++] = US"-MCP";
if (smtp_peer_options & OPTION_SIZE) argv[i++] = US"-MCS";
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (smtp_peer_options & OPTION_TLS)
if (tls_out.active.sock >= 0 || continue_proxy_cipher)
{
(void *)offsetof(smtp_transport_options_block, hosts_avoid_esmtp) },
{ "hosts_avoid_pipelining", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_avoid_pipelining) },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "hosts_avoid_tls", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_avoid_tls) },
#endif
(void *)offsetof(smtp_transport_options_block, hosts_max_try) },
{ "hosts_max_try_hardlimit", opt_int,
(void *)offsetof(smtp_transport_options_block, hosts_max_try_hardlimit) },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "hosts_nopass_tls", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_nopass_tls) },
{ "hosts_noproxy_tls", opt_stringptr,
#endif
{ "hosts_randomize", opt_bool,
(void *)offsetof(smtp_transport_options_block, hosts_randomize) },
-#if defined(SUPPORT_TLS) && !defined(DISABLE_OCSP)
+#if !defined(DISABLE_TLS) && !defined(DISABLE_OCSP)
{ "hosts_request_ocsp", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_request_ocsp) },
#endif
{ "hosts_require_auth", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_require_auth) },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
# ifdef SUPPORT_DANE
{ "hosts_require_dane", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_require_dane) },
(void *)offsetof(smtp_transport_options_block, hosts_try_auth) },
{ "hosts_try_chunking", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_try_chunking) },
-#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
{ "hosts_try_dane", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_try_dane) },
#endif
{ "hosts_try_prdr", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_try_prdr) },
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "hosts_verify_avoid_tls", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_verify_avoid_tls) },
#endif
{ "socks_proxy", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, socks_proxy) },
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "tls_certificate", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, tls_certificate) },
{ "tls_crl", opt_stringptr,
.hosts_pipe_connect = NULL,
#endif
.hosts_avoid_esmtp = NULL,
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
.hosts_nopass_tls = NULL,
.hosts_noproxy_tls = NULL,
#endif
#ifdef SUPPORT_SOCKS
.socks_proxy = NULL,
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
.tls_certificate = NULL,
.tls_crl = NULL,
.tls_privatekey = NULL,
address_item * addr1;
uschar * if1 = US"";
uschar * helo1 = US"";
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
uschar * tlsc1 = US"";
#endif
uschar * save_sender_address = sender_address;
if (ob->helo_data)
helo1 = expand_string(ob->helo_data);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (ob->tls_certificate)
tlsc1 = expand_string(ob->tls_certificate);
local_identity = string_sprintf ("%s^%s^%s", if1, helo1, tlsc1);
/* debug_printf("%s: check for 0x%04x\n", __FUNCTION__, checks); */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if ( checks & OPTION_TLS
&& pcre_exec(regex_STARTTLS, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
#endif
uschar * message = NULL;
int yield = OK;
int rc;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
uschar * tls_errstr;
#endif
sx->utf8_needed = FALSE;
#endif
sx->dsn_all_lasthop = TRUE;
-#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
sx->conn_args.dane = FALSE;
sx->dane_required =
verify_check_given_host(CUSS &ob->hosts_require_dane, sx->conn_args.host) == OK;
tls_out.ourcert = NULL;
tls_out.peercert = NULL;
tls_out.peerdn = NULL;
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)
tls_out.sni = NULL;
#endif
tls_out.ocsp = OCSP_NOT_REQ;
tls_modify_variables(&tls_out);
-#ifndef SUPPORT_TLS
+#ifdef DISABLE_TLS
if (sx->smtps)
{
set_errno_nohost(sx->addrlist, ERRNO_TLSFAILURE, US"TLS support not available",
smtp_port_for_connect(sx->conn_args.host, sx->port);
-#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
/* Do TLSA lookup for DANE */
{
tls_out.dane_verified = FALSE;
/* Alas; be careful, since this goto is not an error-out, so conceivably
we might set data between here and the target which we assume to exist
and be usable. I can see this coming back to bite us. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (sx->smtps)
{
smtp_peer_options |= OPTION_TLS;
/* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
smtp_peer_options |= sx->peer_offered & OPTION_TLS;
#endif
}
the client not be required to use TLS. If the response is bad, copy the buffer
for error analysis. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if ( smtp_peer_options & OPTION_TLS
&& !suppress_tls
&& verify_check_given_host(CUSS &ob->hosts_avoid_tls, sx->conn_args.host) != OK
# endif
goto TLS_FAILED;
}
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
/* If TLS is active, we have just started it up and re-done the EHLO command,
so its response needs to be analyzed. If TLS is not active and this is a
we skip this. */
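Review bot: The trailer comment `#endif /*DISABLE_TLS*/` on the changed line now names the opposite of the condition it closes, since the block is compiled when DISABLE_TLS is not defined; the old `/*SUPPORT_TLS*/` was accurate for `#ifdef SUPPORT_TLS`. Suggest `#endif /* !DISABLE_TLS */` here and on the matching `#endif` of the tls_tempfail_tryclear block further down, which has the same trailer. The `#ifndef DISABLE_TLS` that this `#endif` closes begins outside the hunk.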
if (continue_hostname == NULL
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
|| tls_out.active.sock >= 0
#endif
)
in message and errno, and setting_up will always be true. Treat as
a temporary error. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
TLS_FAILED:
code = '4', yield = DEFER;
goto FAILED;
if (sx->send_quit)
(void)smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n");
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (sx->cctx.tls_ctx)
{
tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
/*****************************************************
* Proxy TLS connection for another transport process *
******************************************************/
if ( sx.first_addr != NULL
|| f.continue_more
|| (
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
( tls_out.active.sock < 0 && !continue_proxy_cipher
|| verify_check_given_host(CUSS &ob->hosts_nopass_tls, host) != OK
)
if (sx.ok)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
int pfd[2];
#endif
int socket_fd = sx.cctx.sock;
transport_pass_socket). If the caller has more ready, just return with
the connection still open. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_out.active.sock >= 0)
if ( f.continue_more
|| verify_check_given_host(CUSS &ob->hosts_noproxy_tls, host) == OK)
just passed the baton to. Fork a child to to do it, and return to
get logging done asap. Which way to place the work makes assumptions
about post-fork prioritisation which may not hold on all platforms. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_out.active.sock >= 0)
{
int pid = fork();
END_OFF:
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
sx.cctx.tls_ctx = NULL;
#endif
addr->basic_errno = 0;
addr->more_errno = (host->mx >= 0)? 'M' : 'A';
addr->message = NULL;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
addr->cipher = NULL;
addr->ourcert = NULL;
addr->peercert = NULL;
session, so the in-clear transmission after those errors, if permitted,
happens inside smtp_deliver().] */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if ( rc == DEFER
&& first_addr->basic_errno == ERRNO_TLSFAILURE
&& ob->tls_tempfail_tryclear
deferred_event_raise(first_addr, host);
# endif
}
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
}
/* Delivery attempt finished */
int fd = cutthrough.cctx.sock >= 0 ? cutthrough.cctx.sock : 0;
DEBUG(D_transport) debug_printf("no hosts match already-open connection\n");
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
/* A TLS conn could be open for a cutthrough, but not for a plain continued-
transport */
/*XXX doublecheck that! */
uschar *hosts_pipe_connect;
#endif
uschar *hosts_avoid_esmtp;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
uschar *hosts_nopass_tls;
uschar *hosts_noproxy_tls;
#endif
#ifdef SUPPORT_SOCKS
uschar *socks_proxy;
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
uschar *tls_certificate;
uschar *tls_crl;
uschar *tls_privatekey;
BOOL utf8_needed:1;
#endif
BOOL dsn_all_lasthop:1;
-#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
BOOL dane_required:1;
#endif
#ifdef EXPERIMENTAL_PIPE_CONNECT
if permitted */
yield = smtp_setup_conn(&sx, FALSE);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if ( yield == DEFER
&& addr->basic_errno == ERRNO_TLSFAILURE
&& ob->tls_tempfail_tryclear
HDEBUG(D_acl|D_v)
debug_printf_indent("problem after random/rset/mfrom; reopen conn\n");
random_local_part = NULL;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
#endif
HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP(close)>>\n");
if (sx.cctx.sock >= 0)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (sx.cctx.tls_ctx)
{
tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
return TRUE;
if(
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
cutthrough.is_tls
? tls_write(cutthrough.cctx.tls_ctx, ctctx.outblock.buffer, n, FALSE)
:
/* Wait a short time for response, and discard it */
cutthrough_response(&tmp_ctx, '2', NULL, 1);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (cutthrough.is_tls)
{
tls_close(cutthrough.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
}
else
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
deliver_set_expansions(addr);
#endif
rc = do_callout(addr, host_list, &tf, callout, callout_overall,
callout_connect, options, se_mailfrom, pm_mailfrom);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
deliver_set_expansions(NULL);
#endif
}