TLS: move from SUPPORT_TLS to DISABLE_TLS macro for the build

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 789593ab3a479fa2b68606c4df701ef1a4767700..73ed33e86b37722f3f67684a128e2adeb5e57dbe 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -108,8 +108,14 @@ JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default.
       not do so.
 
 JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
       not do so.
 
 JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by

-      default.  If built with the facility, DANE will be used.  The facility is
-      now enabled in the prototype build Makefile "EDITME".
+      default.  If built with the facility, DANE will be used.  The facility
+      SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".
+
+JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
+      is replaced with DISABLE_TLS.  You must still, unless you define
+      DISABLE_TLS, manage the choice of TLS library and the include-dir and
+      library-file requirements that go with that choice.  Non-TLS builds
+      are still supported.

 
 
 
 
 
 

diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index c437b38fd384d35525ea9778e3cfd45899f0639f..b0ae9c132d44fc67349396599657d19aa2c6a106 100644 (file)
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -28,8 +28,6 @@ Version 4.93
 
  8. Expansion operator ${sha2_N:} for N=256, 384, 512.
 
 
  8. Expansion operator ${sha2_N:} for N=256, 384, 512.
 

- 9. Build options SUPPORT_DANE and SUPPORT_TLS default to yes
-

 
 Version 4.92
 --------------
 
 Version 4.92
 --------------

diff --git a/src/OS/unsupported/Makefile-CYGWIN b/src/OS/unsupported/Makefile-CYGWIN
index 006e9feff3e8826423791ee9007311d2ac5ce845..5e608fe9e8febb5bdf37c298b79fa617fbb7b824 100644 (file)
--- a/src/OS/unsupported/Makefile-CYGWIN
+++ b/src/OS/unsupported/Makefile-CYGWIN
@@ -43,7 +43,7 @@ AUTH_CRAM_MD5=yes
 AUTH_PLAINTEXT=yes
 AUTH_SPA=yes
 
 AUTH_PLAINTEXT=yes
 AUTH_SPA=yes
 

-SUPPORT_TLS=yes
+#DISABLE_TLS=yes

 TLS_LIBS=-lssl -lcrypto
 
 ROUTER_ACCEPT=yes
 TLS_LIBS=-lssl -lcrypto
 
 ROUTER_ACCEPT=yes

diff --git a/src/src/EDITME b/src/src/EDITME
index 58756e1bdb1af9b8e03dd0dd4abc06728a693995..264d2eaffc8976106c7879b0d8603196e69cb6c0 100644 (file)
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -179,6 +179,106 @@ SPOOL_DIRECTORY=/var/spool/exim
 
 
 
 
 
 

+###############################################################################
+#                            TLS                                              #
+###############################################################################
+# Exim is built by default to support the SMTP STARTTLS command, which implements
+# Transport Layer Security using SSL (Secure Sockets Layer). This requires you
+# must install the OpenSSL library package or the GnuTLS library. Exim contains
+# no cryptographic code of its own.
+
+# If you are running Exim as a (TLS) server, just building it with TLS support
+# is all you need to do, as tls_advertise_hosts is set to '*' by
+# default. But you are advised to create a suiteable certificate, and tell
+# Exim about it by means of the tls_certificate and tls_privatekey run
+# time options, otherwise Exim will create a self signed certificate on
+# the fly.  If you are running Exim only as a (TLS) client, building it with
+# TLS support is all you need to do.
+#
+# If you are using pkg-config then you should not need to worry where
+# the libraries and headers are installed, as the pkg-config .pc
+# specification should include all -L/-I information necessary.
+# Enabling the USE_*_PC options should be sufficient. If not using
+# pkg-config, then you have to specify the libraries, and you mmight
+# need to specify the locations too.
+
+# no cryptographic code of its own. Uncomment the following lines if you want
+# to build Exim without any TLS support (either OpenSSL or GnuTLS):
+# DISABLE_TLS=yes
+
+# If you are buliding with TLS, the library configuration must be done:
+
+# Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
+# and an optional location.
+# USE_OPENSSL_PC=openssl
+# TLS_LIBS=-lssl -lcrypto
+# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
+
+# Uncomment this if you are using GnuTLS
+# USE_GNUTLS=yes
+# Uncomment one of these settings if you are using GnuTLS; pkg-config vs not
+# and an optional location. If you disable SUPPORT_DANE below, you
+# can remove the gnutls-dane references here.
+# USE_GNUTLS_PC=gnutls gnutls-dane
+# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt -lgnutls-dane
+# TLS_LIBS=-L/usr/local/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
+
+# Uncomment the first and either the second or the third of these if you
+# are using GnuTLS.  If you have pkg-config, then the second, else the third.
+# USE_GNUTLS=yes
+# USE_GNUTLS_PC=gnutls
+# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
+
+# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
+# build process will require libgcrypt-config to exist in your $PATH.  A
+# version that old is likely to become unsupported by Exim in 2017.
+
+# The security fix we provide with the gnutls_allow_auto_pkcs11 option
+# (4.82 PP/09) introduces a compatibility regression.  The symbol is
+# not available if GnuTLS is build without p11-kit (--without-p11-kit
+# configure option).  In this case use AVOID_GNUTLS_PKCS11=yes when
+# building Exim.
+# AVOID_GNUTLS_PKCS11=yes
+
+# If you are running Exim as a server, note that just building it with TLS
+# support is not all you need to do. You also need to set up a suitable
+# certificate, and tell Exim about it by means of the tls_certificate
+# and tls_privatekey run time options. You also need to set tls_advertise_hosts
+# to specify the hosts to which Exim advertises TLS support. On the other hand,
+# if you are running Exim only as a client, building it with TLS support
+# is all you need to do.
+
+# If you are using pkg-config then you should not need to worry where the
+# libraries and headers are installed, as the pkg-config .pc specification
+# should include all -L/-I information necessary.  If not using pkg-config
+# then you might need to specify the locations too.
+
+# Additional libraries and include files are required for both OpenSSL and
+# GnuTLS. The TLS_LIBS settings above assume that the libraries are installed
+# with all your other libraries. If they are in a special directory, you may
+# need something like
+
+# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
+
+# or
+
+# TLS_LIBS=-L/opt/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
+# If not using DANE under GnuTLS we can lose one library
+# TLS_LIBS=-L/opt/gnu/lib -lgnutls -ltasn1 -lgcrypt
+
+# TLS_LIBS is included only on the command for linking Exim itself, not on any
+# auxiliary programs. If the include files are not in a standard place, you can
+# set TLS_INCLUDE to specify where they are, for example:
+
+# TLS_INCLUDE=-I/usr/local/openssl/include/
+# or
+# TLS_INCLUDE=-I/opt/gnu/include
+
+# You don't need to set TLS_INCLUDE if the relevant directories are already
+# specified in INCLUDE.
+
+
+

 ###############################################################################
 #           THESE ARE THINGS YOU PROBABLY WANT TO SPECIFY                     #
 ###############################################################################
 ###############################################################################
 #           THESE ARE THINGS YOU PROBABLY WANT TO SPECIFY                     #
 ###############################################################################


@@ -757,67 +857,6 @@ HEADERS_CHARSET="ISO-8859-1"
 # *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***
 
 
 # *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***
 
 

-#------------------------------------------------------------------------------
-# Exim can be built to support the SMTP STARTTLS command, which implements
-# Transport Layer Security using SSL (Secure Sockets Layer). To do this, you
-# must install the OpenSSL library package or the GnuTLS library. Exim contains
-# no cryptographic code of its own.
-#
-# If you are running Exim as a (TLS) server, just building it with TLS support
-# is all you need to do, as tls_advertise_hosts is set to '*' by
-# default. But you are advised to create a suiteable certificate, and tell
-# Exim about it by means of the tls_certificate and tls_privatekey run
-# time options, otherwise Exim will create a self signed certificate on
-# the fly.  If you are running Exim only as a (TLS) client, building it with
-# TLS support is all you need to do.
-#
-# If you are using pkg-config then you should not need to worry where
-# the libraries and headers are installed, as the pkg-config .pc
-# specification should include all -L/-I information necessary.
-# Enabling the USE_*_PC options should be sufficient. If not using
-# pkg-config, then you have to specify the libraries, and you mmight
-# need to specify the locations too.
-
-# This setting is required for any TLS support (either OpenSSL or GnuTLS)
-SUPPORT_TLS=yes
-
-# Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
-# and an optional location.
-# USE_OPENSSL_PC=openssl
-# TLS_LIBS=-lssl -lcrypto
-# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
-
-# Uncomment one of these settings if you are using GnuTLS; pkg-config vs not
-# and an optional location. If you disabled SUPPORT_DANE above, you
-# can remove the gnutls-dane references here.
-# USE_GNUTLS=yes
-# USE_GNUTLS_PC=gnutls gnutls-dane
-# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt -lgnutls-dane
-# TLS_LIBS=-L/usr/local/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
-
-# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
-# build process will require libgcrypt-config to exist in your $PATH.  A
-# version that old is likely to become unsupported by Exim in 2017.
-
-# The security fix we provide with the gnutls_allow_auto_pkcs11 option
-# (4.82 PP/09) introduces a compatibility regression.  The symbol is
-# not available if GnuTLS is build without p11-kit (--without-p11-kit
-# configure option).  In this case use AVOID_GNUTLS_PKCS11=yes when
-# building Exim.
-# AVOID_GNUTLS_PKCS11=yes
-
-# If the include files for your TLS libraries are not in a standard
-# place and you didn't use the pkg-config route, you you can set
-# TLS_INCLUDE to specify where they are, for example:
-
-# TLS_INCLUDE=-I/usr/local/openssl/include/
-# or
-# TLS_INCLUDE=-I/opt/gnu/include
-
-# You don't need to set TLS_INCLUDE if the relevant directories are already
-# specified in INCLUDE.
-
-

 #------------------------------------------------------------------------------
 # The default distribution of Exim contains only the plain text form of the
 # documentation. Other forms are available separately. If you want to install
 #------------------------------------------------------------------------------
 # The default distribution of Exim contains only the plain text form of the
 # documentation. Other forms are available separately. If you want to install

diff --git a/src/src/auths/gsasl_exim.c b/src/src/auths/gsasl_exim.c
index 1c9c77d130417ce9db87e4ef04ed45cba114edd8..faf30bb8aee924b0781f7d7333ea8c2c070f673c 100644 (file)
--- a/src/src/auths/gsasl_exim.c
+++ b/src/src/auths/gsasl_exim.c
@@ -286,7 +286,7 @@ if (ob->server_realm)
   }
 /* We don't support protection layers. */
 gsasl_property_set(sctx, GSASL_QOPS, "qop-auth");
   }
 /* We don't support protection layers. */
 gsasl_property_set(sctx, GSASL_QOPS, "qop-auth");

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 if (tls_channelbinding_b64)
   {
   /* Some auth mechanisms can ensure that both sides are talking withing the
 if (tls_channelbinding_b64)
   {
   /* Some auth mechanisms can ensure that both sides are talking withing the

diff --git a/src/src/buildconfig.c b/src/src/buildconfig.c
index 426714f9113dee0ea6e1c57d71aab8d39972b0a2..71cf97b18d34e6821022890ffae3c666a4bc94f7 100644 (file)
--- a/src/src/buildconfig.c
+++ b/src/src/buildconfig.c
@@ -753,15 +753,15 @@ else if (isgroup)
     continue;
     }
 
     continue;
     }
 

-  /* DISABLE_DKIM is special; must be forced if no SUPPORT_TLS */
+  /* DISABLE_DKIM is special; must be forced if DISABLE_TLS */

   if (strcmp(name, "DISABLE_DKIM") == 0)
     {
     char *d_dkim = getenv("DISABLE_DKIM");
   if (strcmp(name, "DISABLE_DKIM") == 0)
     {
     char *d_dkim = getenv("DISABLE_DKIM");

-    char *tls = getenv("SUPPORT_TLS");
+    char *notls = getenv("DISABLE_TLS");

 
     if (d_dkim)
       fprintf(new, "#define DISABLE_DKIM          yes\n");
 
     if (d_dkim)
       fprintf(new, "#define DISABLE_DKIM          yes\n");

-    else if (!tls)
+    else if (notls)

       fprintf(new, "#define DISABLE_DKIM          yes /* forced by lack of TLS */\n");
     else
       fprintf(new, "/* DISABLE_DKIM not set */\n");
       fprintf(new, "#define DISABLE_DKIM          yes /* forced by lack of TLS */\n");
     else
       fprintf(new, "/* DISABLE_DKIM not set */\n");

diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index c5d5389baf9fbabd15d2fab53efd260953727119..f45a61a9a96d63ef5123f0a1524b8b8b7dde7bc2 100644 (file)
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -49,8 +49,9 @@ Do not put spaces between # and the 'define'.
 #define DISABLE_DNSSEC
 #define DISABLE_DKIM
 #define DISABLE_EVENT
 #define DISABLE_DNSSEC
 #define DISABLE_DKIM
 #define DISABLE_EVENT

-#define DISABLE_PRDR

 #define DISABLE_OCSP
 #define DISABLE_OCSP

+#define DISABLE_PRDR
+#define DISABLE_TLS

 #define DISABLE_D_OPTION
 
 #define ENABLE_DISABLE_FSYNC
 #define DISABLE_D_OPTION
 
 #define ENABLE_DISABLE_FSYNC


@@ -152,7 +153,6 @@ Do not put spaces between # and the 'define'.
 #define SUPPORT_PROXY
 #define SUPPORT_SOCKS
 #define SUPPORT_SPF
 #define SUPPORT_PROXY
 #define SUPPORT_SOCKS
 #define SUPPORT_SPF

-#define SUPPORT_TLS

 #define SUPPORT_TRANSLATE_IP_ADDRESS
 
 #define SYSLOG_LOG_PID
 #define SUPPORT_TRANSLATE_IP_ADDRESS
 
 #define SYSLOG_LOG_PID

diff --git a/src/src/daemon.c b/src/src/daemon.c
index cf5e09201fb8223e514b4d542d0fdc4fb4b879fe..0b4d347b94a88687e4314b7c5af1a463d776618a 100644 (file)
--- a/src/src/daemon.c
+++ b/src/src/daemon.c
@@ -645,7 +645,7 @@ if (pid == 0)
         /* Don't ever molest the parent's SSL connection, but do clean up
         the data structures if necessary. */
 
         /* Don't ever molest the parent's SSL connection, but do clean up
         the data structures if necessary. */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

         tls_close(NULL, TLS_NO_SHUTDOWN);
 #endif
 
         tls_close(NULL, TLS_NO_SHUTDOWN);
 #endif
 


@@ -1985,7 +1985,7 @@ for (;;)
     handle_ending_processes();
     errno = select_errno;
 
     handle_ending_processes();
     errno = select_errno;
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

     /* Create or rotate any required keys */
     tls_daemon_init();
 #endif
     /* Create or rotate any required keys */
     tls_daemon_init();
 #endif

diff --git a/src/src/dane.c b/src/src/dane.c
index 541e9cb02b91141a25f265b231847da63d225d85..5284a61c3266108d8044c0977ae873adc8d7b53e 100644 (file)
--- a/src/src/dane.c
+++ b/src/src/dane.c
@@ -29,7 +29,7 @@ static void dummy(int x) { dummy(x-1); }
 #else
 
 /* Enabling DANE without enabling TLS cannot work. Abort the compilation. */
 #else
 
 /* Enabling DANE without enabling TLS cannot work. Abort the compilation. */

-# ifndef SUPPORT_TLS
+# ifdef DISABLE_TLS

 #  error DANE support requires that TLS support must be enabled. Abort build.
 # endif
 
 #  error DANE support requires that TLS support must be enabled. Abort build.
 # endif
 

diff --git a/src/src/deliver.c b/src/src/deliver.c
index f79522d8e8a948c82f81529b5111b6f949694b63..dc7a7d5fbe24cd34741eb7dfade2566745c179bc 100644 (file)
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -801,7 +801,7 @@ return g;
 
 
 
 
 
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 static gstring *
 d_tlslog(gstring * g, address_item * addr)
 {
 static gstring *
 d_tlslog(gstring * g, address_item * addr)
 {


@@ -1231,7 +1231,7 @@ else
 #endif
     }
 
 #endif
     }
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   g = d_tlslog(g, addr);
 #endif
 
   g = d_tlslog(g, addr);
 #endif
 


@@ -1435,7 +1435,7 @@ if (addr->transport)
 if (addr->host_used)
   g = d_hostlog(g, addr);
 
 if (addr->host_used)
   g = d_hostlog(g, addr);
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 g = d_tlslog(g, addr);
 #endif
 
 g = d_tlslog(g, addr);
 #endif
 


@@ -1635,7 +1635,7 @@ if (result == OK)
     }
 
   /* Certificates for logging (via events) */
     }
 
   /* Certificates for logging (via events) */

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   tls_out.ourcert = addr->ourcert;
   addr->ourcert = NULL;
   tls_out.peercert = addr->peercert;
   tls_out.ourcert = addr->ourcert;
   addr->ourcert = NULL;
   tls_out.peercert = addr->peercert;


@@ -1651,7 +1651,7 @@ if (result == OK)
 
   delivery_log(LOG_MAIN, addr, logchar, NULL);
 
 
   delivery_log(LOG_MAIN, addr, logchar, NULL);
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   tls_free_cert(&tls_out.ourcert);
   tls_free_cert(&tls_out.peercert);
   tls_out.cipher = NULL;
   tls_free_cert(&tls_out.ourcert);
   tls_free_cert(&tls_out.peercert);
   tls_out.cipher = NULL;


@@ -3505,7 +3505,7 @@ while (!done)
     it in with the other info, in order to keep each message short enough to
     guarantee it won't be split in the pipe. */
 
     it in with the other info, in order to keep each message short enough to
     guarantee it won't be split in the pipe. */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

     case 'X':
       if (!addr) goto ADDR_MISMATCH;          /* Below, in 'A' handler */
       switch (*subid)
     case 'X':
       if (!addr) goto ADDR_MISMATCH;          /* Below, in 'A' handler */
       switch (*subid)


@@ -3543,7 +3543,7 @@ while (!done)
        }
       while (*ptr++);
       break;
        }
       while (*ptr++);
       break;

-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/

 
     case 'C':  /* client authenticator information */
       switch (*subid)
 
     case 'C':  /* client authenticator information */
       switch (*subid)


@@ -4805,7 +4805,7 @@ all pipes, so I do not see a reason to use non-blocking IO here
 # endif
 
       /* Use an X item only if there's something to send */
 # endif
 
       /* Use an X item only if there's something to send */

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

       if (addr->cipher)
         {
         ptr = big_buffer + sprintf(CS big_buffer, "%.128s", addr->cipher) + 1;
       if (addr->cipher)
         {
         ptr = big_buffer + sprintf(CS big_buffer, "%.128s", addr->cipher) + 1;


@@ -4848,7 +4848,7 @@ all pipes, so I do not see a reason to use non-blocking IO here
         rmt_dlv_checked_write(fd, 'X', '4', big_buffer, ptr - big_buffer);
        }
 # endif
         rmt_dlv_checked_write(fd, 'X', '4', big_buffer, ptr - big_buffer);
        }
 # endif

-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/

 
       if (client_authenticator)
         {
 
       if (client_authenticator)
         {


@@ -5012,7 +5012,7 @@ all pipes, so I do not see a reason to use non-blocking IO here
 
   if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
     {
 
   if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
     {

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

     if (cutthrough.is_tls)
       tls_close(cutthrough.cctx.tls_ctx, TLS_NO_SHUTDOWN);
 #endif
     if (cutthrough.is_tls)
       tls_close(cutthrough.cctx.tls_ctx, TLS_NO_SHUTDOWN);
 #endif


@@ -8513,7 +8513,7 @@ if (!regex_SIZE) regex_SIZE =
 if (!regex_AUTH) regex_AUTH =
   regex_must_compile(AUTHS_REGEX, FALSE, TRUE);
 
 if (!regex_AUTH) regex_AUTH =
   regex_must_compile(AUTHS_REGEX, FALSE, TRUE);
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 if (!regex_STARTTLS) regex_STARTTLS =
   regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE);
 #endif
 if (!regex_STARTTLS) regex_STARTTLS =
   regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE);
 #endif


@@ -8603,7 +8603,7 @@ if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
   smtp_peer_options = cutthrough.peer_options;
   continue_sequence = 0;
 
   smtp_peer_options = cutthrough.peer_options;
   continue_sequence = 0;
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   if (cutthrough.is_tls)
     {
     int pfd[2], pid;
   if (cutthrough.is_tls)
     {
     int pfd[2], pid;


@@ -8646,7 +8646,7 @@ else
   }
 return;                /* compiler quietening; control does not reach here. */
 
   }
 return;                /* compiler quietening; control does not reach here. */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 fail:
   log_write(0,
     LOG_MAIN | (exec_type == CEE_EXEC_EXIT ? LOG_PANIC : LOG_PANIC_DIE),
 fail:
   log_write(0,
     LOG_MAIN | (exec_type == CEE_EXEC_EXIT ? LOG_PANIC : LOG_PANIC_DIE),

diff --git a/src/src/dkim_transport.c b/src/src/dkim_transport.c
index 8ce18c818186ce53ccd9ca12dd5adf4ad757b678..6b643927c9c1500c2feb89590240f3a515e6b451 100644 (file)
--- a/src/src/dkim_transport.c
+++ b/src/src/dkim_transport.c
@@ -83,7 +83,7 @@ else
 
     while (sread)
       {
 
     while (sread)
       {

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

       wwritten = tls_out.active.sock == out_fd
        ? tls_write(tls_out.active.tls_ctx, p, sread, FALSE)
        : write(out_fd, CS p, sread);
       wwritten = tls_out.active.sock == out_fd
        ? tls_write(tls_out.active.tls_ctx, p, sread, FALSE)
        : write(out_fd, CS p, sread);

diff --git a/src/src/exim.c b/src/src/exim.c
index 1aa32b26986a5e41718409b876767bc6305f71b0..b2894aeb9fbd7f14378906543f060281ebd0ef16 100644 (file)
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -553,7 +553,7 @@ close_unwanted(void)
 {
 if (smtp_input)
   {
 {
 if (smtp_input)
   {

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   tls_close(NULL, TLS_NO_SHUTDOWN);      /* Shut down the TLS library */
 #endif
   (void)close(fileno(smtp_in));
   tls_close(NULL, TLS_NO_SHUTDOWN);      /* Shut down the TLS library */
 #endif
   (void)close(fileno(smtp_in));


@@ -857,7 +857,7 @@ fprintf(fp, "Support for:");
 #ifdef USE_TCP_WRAPPERS
   fprintf(fp, " TCPwrappers");
 #endif
 #ifdef USE_TCP_WRAPPERS
   fprintf(fp, " TCPwrappers");
 #endif

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 # ifdef USE_GNUTLS
   fprintf(fp, " GnuTLS");
 # else
 # ifdef USE_GNUTLS
   fprintf(fp, " GnuTLS");
 # else


@@ -1049,7 +1049,7 @@ DEBUG(D_any) do {
 
 show_db_version(fp);
 
 
 show_db_version(fp);
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   tls_version_report(fp);
 #endif
 #ifdef SUPPORT_I18N
   tls_version_report(fp);
 #endif
 #ifdef SUPPORT_I18N


@@ -2712,7 +2712,7 @@ for (i = 1; i < argc; i++)
 
        case 'S': smtp_peer_options |= OPTION_SIZE; break;
 
 
        case 'S': smtp_peer_options |= OPTION_SIZE; break;
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

     /* -MCt: similar to -MCT below but the connection is still open
     via a proxy process which handles the TLS context and coding.
     Require three arguments for the proxied local address and port,
     /* -MCt: similar to -MCT below but the connection is still open
     via a proxy process which handles the TLS context and coding.
     Require three arguments for the proxied local address and port,


@@ -3313,7 +3313,7 @@ for (i = 1; i < argc; i++)
 
     /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
 
 
     /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
 

-    #ifdef SUPPORT_TLS
+    #ifndef DISABLE_TLS

     else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
     #endif
 
     else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
     #endif
 

diff --git a/src/src/exim.h b/src/src/exim.h
index 79d1acf135c19d887e3765bf8e9182fa0020efba..0638167aad2c2e69016c77f0efa5c45cd51764bd 100644 (file)
--- a/src/src/exim.h
+++ b/src/src/exim.h
@@ -539,11 +539,11 @@ union sockaddr_46 {
   struct sockaddr v0;
 };
 
   struct sockaddr v0;
 };
 

-/* If SUPPORT_TLS is not defined, ensure that USE_GNUTLS is also not defined
-so that if USE_GNUTLS *is* set, we can assume SUPPORT_TLS is also set.
+/* If DISABLE_TLS is defined, ensure that USE_GNUTLS is not defined
+so that if USE_GNUTLS *is* set, we can assume DISABLE_TLS is not set.

 Likewise, OSCP, AUTH_TLS and CERTNAMES cannot be supported. */
 
 Likewise, OSCP, AUTH_TLS and CERTNAMES cannot be supported. */
 

-#ifndef SUPPORT_TLS
+#ifdef DISABLE_TLS

 # undef USE_GNUTLS
 # ifndef DISABLE_OCSP
 #  define DISABLE_OCSP
 # undef USE_GNUTLS
 # ifndef DISABLE_OCSP
 #  define DISABLE_OCSP

diff --git a/src/src/expand.c b/src/src/expand.c
index 41eadefd00f13a6abce0ca2b7e4c22185015cd9a..31059c432af1176fd0da00119c548230bfba0e12 100644 (file)
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -756,7 +756,7 @@ static var_entry var_table[] = {
 #ifdef EXPERIMENTAL_TLS_RESUME
   { "tls_in_resumption",   vtype_int,         &tls_in.resumption },
 #endif
 #ifdef EXPERIMENTAL_TLS_RESUME
   { "tls_in_resumption",   vtype_int,         &tls_in.resumption },
 #endif

-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS

   { "tls_in_sni",          vtype_stringptr,   &tls_in.sni },
 #endif
   { "tls_out_bits",        vtype_int,         &tls_out.bits },
   { "tls_in_sni",          vtype_stringptr,   &tls_in.sni },
 #endif
   { "tls_out_bits",        vtype_int,         &tls_out.bits },


@@ -773,7 +773,7 @@ static var_entry var_table[] = {
 #ifdef EXPERIMENTAL_TLS_RESUME
   { "tls_out_resumption",  vtype_int,         &tls_out.resumption },
 #endif
 #ifdef EXPERIMENTAL_TLS_RESUME
   { "tls_out_resumption",  vtype_int,         &tls_out.resumption },
 #endif

-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS

   { "tls_out_sni",         vtype_stringptr,   &tls_out.sni },
 #endif
 #ifdef SUPPORT_DANE
   { "tls_out_sni",         vtype_stringptr,   &tls_out.sni },
 #endif
 #ifdef SUPPORT_DANE


@@ -781,7 +781,7 @@ static var_entry var_table[] = {
 #endif
 
   { "tls_peerdn",          vtype_stringptr,   &tls_in.peerdn },        /* mind the alphabetical order! */
 #endif
 
   { "tls_peerdn",          vtype_stringptr,   &tls_in.peerdn },        /* mind the alphabetical order! */

-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS

   { "tls_sni",             vtype_stringptr,   &tls_in.sni },   /* mind the alphabetical order! */
 #endif
 
   { "tls_sni",             vtype_stringptr,   &tls_in.sni },   /* mind the alphabetical order! */
 #endif
 


@@ -967,7 +967,7 @@ weirdness they'll twist this into.  The result should ideally handle fork().
 However, if we're stuck unable to provide this, then we'll fall back to
 appallingly bad randomness.
 
 However, if we're stuck unable to provide this, then we'll fall back to
 appallingly bad randomness.
 

-If SUPPORT_TLS is defined then this will not be used except as an emergency
+If DISABLE_TLS is not defined then this will not be used except as an emergency

 fallback.
 
 Arguments:
 fallback.
 
 Arguments:


@@ -975,13 +975,13 @@ Arguments:
 Returns     a random number in range [0, max-1]
 */
 
 Returns     a random number in range [0, max-1]
 */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 # define vaguely_random_number vaguely_random_number_fallback
 #endif
 int
 vaguely_random_number(int max)
 {
 # define vaguely_random_number vaguely_random_number_fallback
 #endif
 int
 vaguely_random_number(int max)
 {

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 # undef vaguely_random_number
 #endif
 static pid_t pid = 0;
 # undef vaguely_random_number
 #endif
 static pid_t pid = 0;


@@ -1289,7 +1289,7 @@ return string_nextinlist(&list, &sep, NULL, 0);
 /* Certificate fields, by name.  Worry about by-OID later */
 /* Names are chosen to not have common prefixes */
 
 /* Certificate fields, by name.  Worry about by-OID later */
 /* Names are chosen to not have common prefixes */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 typedef struct
 {
 uschar * name;
 typedef struct
 {
 uschar * name;


@@ -1350,7 +1350,7 @@ expand_string_message =
   string_sprintf("bad field selector \"%s\" for certextract", field);
 return NULL;
 }
   string_sprintf("bad field selector \"%s\" for certextract", field);
 return NULL;
 }

-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/

 
 /*************************************************
 *        Extract a substring from a string       *
 
 /*************************************************
 *        Extract a substring from a string       *


@@ -3660,7 +3660,7 @@ return yield;
 }
 
 
 }
 
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 static gstring *
 cat_file_tls(void * tls_ctx, gstring * yield, uschar * eol)
 {
 static gstring *
 cat_file_tls(void * tls_ctx, gstring * yield, uschar * eol)
 {


@@ -4947,7 +4947,7 @@ while (*s != 0)
       uschar * server_name = NULL;
       host_item host;
       BOOL do_shutdown = TRUE;
       uschar * server_name = NULL;
       host_item host;
       BOOL do_shutdown = TRUE;

-      BOOL do_tls = FALSE;     /* Only set under SUPPORT_TLS */
+      BOOL do_tls = FALSE;     /* Only set under ! DISABLE_TLS */

       blob reqstr;
 
       if (expand_forbid & RDO_READSOCK)
       blob reqstr;
 
       if (expand_forbid & RDO_READSOCK)


@@ -4991,7 +4991,7 @@ while (*s != 0)
        while ((item = string_nextinlist(&list, &sep, NULL, 0)))
          if (Ustrncmp(item, US"shutdown=", 9) == 0)
            { if (Ustrcmp(item + 9, US"no") == 0) do_shutdown = FALSE; }
        while ((item = string_nextinlist(&list, &sep, NULL, 0)))
          if (Ustrncmp(item, US"shutdown=", 9) == 0)
            { if (Ustrcmp(item + 9, US"no") == 0) do_shutdown = FALSE; }

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

          else if (Ustrncmp(item, US"tls=", 4) == 0)
            { if (Ustrcmp(item + 9, US"no") != 0) do_tls = TRUE; }
 #endif
          else if (Ustrncmp(item, US"tls=", 4) == 0)
            { if (Ustrcmp(item + 9, US"no") != 0) do_tls = TRUE; }
 #endif


@@ -5098,7 +5098,7 @@ while (*s != 0)
 
         DEBUG(D_expand) debug_printf_indent("connected to socket %s\n", sub_arg[0]);
 
 
         DEBUG(D_expand) debug_printf_indent("connected to socket %s\n", sub_arg[0]);
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

        if (do_tls)
          {
          smtp_connect_args conn_args = {.host = &host };
        if (do_tls)
          {
          smtp_connect_args conn_args = {.host = &host };


@@ -5123,7 +5123,7 @@ while (*s != 0)
           DEBUG(D_expand) debug_printf_indent("writing \"%s\" to socket\n",
             reqstr.data);
           if ( (
           DEBUG(D_expand) debug_printf_indent("writing \"%s\" to socket\n",
             reqstr.data);
           if ( (

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

              do_tls ? tls_write(cctx.tls_ctx, reqstr.data, reqstr.len, FALSE) :
 #endif
                        write(cctx.sock, reqstr.data, reqstr.len)) != reqstr.len)
              do_tls ? tls_write(cctx.tls_ctx, reqstr.data, reqstr.len, FALSE) :
 #endif
                        write(cctx.sock, reqstr.data, reqstr.len)) != reqstr.len)


@@ -5152,13 +5152,13 @@ while (*s != 0)
         sigalrm_seen = FALSE;
         ALARM(timeout);
         yield =
         sigalrm_seen = FALSE;
         ALARM(timeout);
         yield =

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

          do_tls ? cat_file_tls(cctx.tls_ctx, yield, sub_arg[3]) :
 #endif
                    cat_file(fp, yield, sub_arg[3]);
         ALARM_CLR(0);
 
          do_tls ? cat_file_tls(cctx.tls_ctx, yield, sub_arg[3]) :
 #endif
                    cat_file(fp, yield, sub_arg[3]);
         ALARM_CLR(0);
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

        if (do_tls)
          {
          tls_close(cctx.tls_ctx, TRUE);
        if (do_tls)
          {
          tls_close(cctx.tls_ctx, TRUE);


@@ -5992,7 +5992,7 @@ while (*s != 0)
       continue;
       }
 
       continue;
       }
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

     case EITEM_CERTEXTRACT:
       {
       uschar *save_lookup_value = lookup_value;
     case EITEM_CERTEXTRACT:
       {
       uschar *save_lookup_value = lookup_value;


@@ -6072,7 +6072,7 @@ while (*s != 0)
         save_expand_nlength);
       continue;
       }
         save_expand_nlength);
       continue;
       }

-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/

 
     /* Handle list operations */
 
 
     /* Handle list operations */
 


@@ -6584,7 +6584,7 @@ while (*s != 0)
     int c;
     uschar *arg = NULL;
     uschar *sub;
     int c;
     uschar *arg = NULL;
     uschar *sub;

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

     var_entry *vp = NULL;
 #endif
 
     var_entry *vp = NULL;
 #endif
 


@@ -6607,7 +6607,7 @@ while (*s != 0)
     as we do not want to do the usual expansion. For most, expand the string.*/
     switch(c)
       {
     as we do not want to do the usual expansion. For most, expand the string.*/
     switch(c)
       {

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

       case EOP_MD5:
       case EOP_SHA1:
       case EOP_SHA256:
       case EOP_MD5:
       case EOP_SHA1:
       case EOP_SHA256:


@@ -6762,7 +6762,7 @@ while (*s != 0)
         }
 
       case EOP_MD5:
         }
 
       case EOP_MD5:

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

        if (vp && *(void **)vp->value)
          {
          uschar * cp = tls_cert_fprt_md5(*(void **)vp->value);
        if (vp && *(void **)vp->value)
          {
          uschar * cp = tls_cert_fprt_md5(*(void **)vp->value);


@@ -6781,7 +6781,7 @@ while (*s != 0)
         continue;
 
       case EOP_SHA1:
         continue;
 
       case EOP_SHA1:

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

        if (vp && *(void **)vp->value)
          {
          uschar * cp = tls_cert_fprt_sha1(*(void **)vp->value);
        if (vp && *(void **)vp->value)
          {
          uschar * cp = tls_cert_fprt_sha1(*(void **)vp->value);


@@ -7564,7 +7564,7 @@ while (*s != 0)
       case EOP_STR2B64:
       case EOP_BASE64:
        {
       case EOP_STR2B64:
       case EOP_BASE64:
        {

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

        uschar * s = vp && *(void **)vp->value
          ? tls_cert_der_b64(*(void **)vp->value)
          : b64encode(CUS sub, Ustrlen(sub));
        uschar * s = vp && *(void **)vp->value
          ? tls_cert_der_b64(*(void **)vp->value)
          : b64encode(CUS sub, Ustrlen(sub));

diff --git a/src/src/functions.h b/src/src/functions.h
index 87953c413bee518a0f7fd5f117b04bc8c528a4a6..11fb8b59e7a33a098d6fde1b8364e9b4b3e654ea 100644 (file)
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -22,7 +22,7 @@ extern uschar *init_perl(uschar *);
 #endif
 
 
 #endif
 
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 extern const char *
                std_dh_prime_default(void);
 extern const char *
 extern const char *
                std_dh_prime_default(void);
 extern const char *


@@ -77,7 +77,7 @@ extern BOOL    tls_is_name_for_cert(const uschar *, void *);
 extern int     tlsa_lookup(const host_item *, dns_answer *, BOOL);
 # endif
 
 extern int     tlsa_lookup(const host_item *, dns_answer *, BOOL);
 # endif
 

-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/

 
 
 /* Everything else... */
 
 
 /* Everything else... */


@@ -350,7 +350,7 @@ extern uschar *parse_message_id(uschar *, uschar **, uschar **);
 extern const uschar *parse_quote_2047(const uschar *, int, uschar *, uschar *, int, BOOL);
 extern uschar *parse_date_time(uschar *str, time_t *t);
 extern int     vaguely_random_number(int);
 extern const uschar *parse_quote_2047(const uschar *, int, uschar *, uschar *, int, BOOL);
 extern uschar *parse_date_time(uschar *str, time_t *t);
 extern int     vaguely_random_number(int);

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 extern int     vaguely_random_number_fallback(int);
 #endif
 
 extern int     vaguely_random_number_fallback(int);
 #endif
 

diff --git a/src/src/globals.c b/src/src/globals.c
index a2fa032bc55904c4f4d6df62f2754c2518629911..5ce04a6ed16e40df8eaf1263b2ad67d156b681be 100644 (file)
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -115,7 +115,7 @@ int     dsn_ret                = 0;
 const pcre  *regex_DSN         = NULL;
 uschar *dsn_advertise_hosts    = NULL;
 
 const pcre  *regex_DSN         = NULL;
 uschar *dsn_advertise_hosts    = NULL;
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 BOOL    gnutls_compat_mode     = FALSE;
 BOOL    gnutls_allow_auto_pkcs11 = FALSE;
 uschar *openssl_options        = NULL;
 BOOL    gnutls_compat_mode     = FALSE;
 BOOL    gnutls_allow_auto_pkcs11 = FALSE;
 uschar *openssl_options        = NULL;


@@ -141,7 +141,7 @@ uschar *tls_resumption_hosts   = NULL;
 uschar *tls_try_verify_hosts   = NULL;
 uschar *tls_verify_certificates= US"system";
 uschar *tls_verify_hosts       = NULL;
 uschar *tls_try_verify_hosts   = NULL;
 uschar *tls_verify_certificates= US"system";
 uschar *tls_verify_hosts       = NULL;

-#else  /*!SUPPORT_TLS*/
+#else  /*DISABLE_TLS*/

 uschar *tls_advertise_hosts    = NULL;
 #endif
 
 uschar *tls_advertise_hosts    = NULL;
 #endif
 


@@ -548,7 +548,7 @@ address_item address_defaults = {
   .return_filename =   NULL,
   .self_hostname =     NULL,
   .shadow_message =    NULL,
   .return_filename =   NULL,
   .self_hostname =     NULL,
   .shadow_message =    NULL,

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   .cipher =            NULL,
   .ourcert =           NULL,
   .peercert =          NULL,
   .cipher =            NULL,
   .ourcert =           NULL,
   .peercert =          NULL,


@@ -1227,7 +1227,7 @@ uschar *received_header_text   = US
          "${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}"
      "by $primary_hostname "
      "${if def:received_protocol {with $received_protocol }}"
          "${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}"
      "by $primary_hostname "
      "${if def:received_protocol {with $received_protocol }}"

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

      "${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}"
 #endif
      "(Exim $version_number)\n\t"
      "${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}"
 #endif
      "(Exim $version_number)\n\t"

diff --git a/src/src/globals.h b/src/src/globals.h
index e98ff7fe1d69c99a90aaa7752fbaee263b75d8b5..d29fcc4e1b59e60b317ad93e736ad61ff2654475 100644 (file)
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -113,7 +113,7 @@ typedef struct {
 extern tls_support tls_in;
 extern tls_support tls_out;
 
 extern tls_support tls_in;
 extern tls_support tls_out;
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 extern BOOL    gnutls_compat_mode;     /* Less security, more compatibility */
 extern BOOL    gnutls_allow_auto_pkcs11; /* Let GnuTLS autoload PKCS11 modules */
 extern uschar *openssl_options;        /* OpenSSL compatibility options */
 extern BOOL    gnutls_compat_mode;     /* Less security, more compatibility */
 extern BOOL    gnutls_allow_auto_pkcs11; /* Let GnuTLS autoload PKCS11 modules */
 extern uschar *openssl_options;        /* OpenSSL compatibility options */

diff --git a/src/src/ip.c b/src/src/ip.c
index 8b506109e32a2d8082adb22cc006873a891ae40e..fb42f005107e442e92545b6bc806c1ec26024c3e 100644 (file)
--- a/src/src/ip.c
+++ b/src/src/ip.c
@@ -653,7 +653,7 @@ if (!fd_ready(cctx->sock, timeout))
 /* The socket is ready, read from it (via TLS if it's active). On EOF (i.e.
 close down of the connection), set errno to zero; otherwise leave it alone. */
 
 /* The socket is ready, read from it (via TLS if it's active). On EOF (i.e.
 close down of the connection), set errno to zero; otherwise leave it alone. */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 if (cctx->tls_ctx)                                     /* client TLS */
   rc = tls_read(cctx->tls_ctx, buffer, buffsize);
 else if (tls_in.active.sock == cctx->sock)             /* server TLS */
 if (cctx->tls_ctx)                                     /* client TLS */
   rc = tls_read(cctx->tls_ctx, buffer, buffsize);
 else if (tls_in.active.sock == cctx->sock)             /* server TLS */

diff --git a/src/src/macro_predef.c b/src/src/macro_predef.c
index 33249133ace87ef2270ca79a37b865ef1a1b6e23..ebb4cb98a689ae84f8be1eff72ccf5a721344baf 100644 (file)
--- a/src/src/macro_predef.c
+++ b/src/src/macro_predef.c
@@ -126,7 +126,7 @@ due to conflicts with other common macros. */
 #ifdef USE_TCP_WRAPPERS
   builtin_macro_create(US"_HAVE_TCPWRAPPERS");
 #endif
 #ifdef USE_TCP_WRAPPERS
   builtin_macro_create(US"_HAVE_TCPWRAPPERS");
 #endif

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   builtin_macro_create(US"_HAVE_TLS");
 # ifdef USE_GNUTLS
   builtin_macro_create(US"_HAVE_GNUTLS");
   builtin_macro_create(US"_HAVE_TLS");
 # ifdef USE_GNUTLS
   builtin_macro_create(US"_HAVE_GNUTLS");


@@ -290,7 +290,7 @@ options_routers();
 options_transports();
 options_auths();
 options_logging();
 options_transports();
 options_auths();
 options_logging();

-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS

 options_tls();
 #endif
 }
 options_tls();
 #endif
 }

diff --git a/src/src/macro_predef.h b/src/src/macro_predef.h
index 79a8d6f15bf13421cc33804bb153baef5980556f..4bc98e0df3ae9d49563bc4d2b19a37c0cb07df6f 100644 (file)
--- a/src/src/macro_predef.h
+++ b/src/src/macro_predef.h
@@ -20,7 +20,7 @@ extern void options_transports(void);
 extern void options_auths(void);
 extern void options_logging(void);
 extern void params_dkim(void);
 extern void options_auths(void);
 extern void options_logging(void);
 extern void params_dkim(void);

-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS

 extern void options_tls(void);
 #endif
 
 extern void options_tls(void);
 #endif
 

diff --git a/src/src/macros.h b/src/src/macros.h
index e3f1f4c281b77e086ab18fd4db79e1b8adc308e8..4189b6bd7e457208581e05dfbe06ac972b9a1093 100644 (file)
--- a/src/src/macros.h
+++ b/src/src/macros.h
@@ -84,7 +84,7 @@ as unsigned. */
 /* When built with TLS support, the act of flushing SMTP output becomes
 a no-op once an SSL session is in progress. */
 
 /* When built with TLS support, the act of flushing SMTP output becomes
 a no-op once an SSL session is in progress. */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 #define mac_smtp_fflush() if (tls_in.active.sock < 0) fflush(smtp_out);
 #else
 #define mac_smtp_fflush() fflush(smtp_out);
 #define mac_smtp_fflush() if (tls_in.active.sock < 0) fflush(smtp_out);
 #else
 #define mac_smtp_fflush() fflush(smtp_out);

diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c
index 6e154f5efd897803ca82e05c96c247c53121d54e..9ebcfc1b6676d8f724522d49e56e0950b302eb29 100644 (file)
--- a/src/src/pdkim/pdkim.c
+++ b/src/src/pdkim/pdkim.c
@@ -26,8 +26,8 @@
 
 #ifndef DISABLE_DKIM   /* entire file */
 
 
 #ifndef DISABLE_DKIM   /* entire file */
 

-#ifndef SUPPORT_TLS
-# error Need SUPPORT_TLS for DKIM
+#ifdef DISABLE_TLS
+# error Must not DISABLE_TLS, for DKIM

 #endif
 
 #include "crypt_ver.h"
 #endif
 
 #include "crypt_ver.h"

diff --git a/src/src/pdkim/pdkim_hash.h b/src/src/pdkim/pdkim_hash.h
index 6299ae28a2f5530f24e4226c2e4724dc06cd1865..8f9a12628086722345abe52c2d562c9a099bdc7d 100644 (file)
--- a/src/src/pdkim/pdkim_hash.h
+++ b/src/src/pdkim/pdkim_hash.h
@@ -11,8 +11,8 @@
 #if !defined(HASH_H)   /* entire file */
 #define HASH_H
 
 #if !defined(HASH_H)   /* entire file */
 #define HASH_H
 

-#ifndef SUPPORT_TLS
-# error Need SUPPORT_TLS for DKIM
+#ifdef DISABLE_TLS
+# error Must not DISABLE_TLS, for DKIM

 #endif
 
 #include "crypt_ver.h"
 #endif
 
 #include "crypt_ver.h"

diff --git a/src/src/pdkim/signing.c b/src/src/pdkim/signing.c
index a47f824b81c9e9aedff11fdc85713e517484ba8c..53a8a7b45143b1a2f6c7f49c33ba27a38d1f418e 100644 (file)
--- a/src/src/pdkim/signing.c
+++ b/src/src/pdkim/signing.c
@@ -28,8 +28,8 @@ features_crypto(void)
 
 #ifndef DISABLE_DKIM   /* rest of file */
 
 
 #ifndef DISABLE_DKIM   /* rest of file */
 

-#ifndef SUPPORT_TLS
-# error Need SUPPORT_TLS for DKIM
+#ifdef DISABLE_TLS
+# error Must no DISABLE_TLS, for DKIM

 #endif
 
 
 #endif
 
 

diff --git a/src/src/readconf.c b/src/src/readconf.c
index b6c41bc65ddf322dabb53b1921eef5cdc777218e..cffee4a0803afd437734f9443815a070da5dae3c 100644 (file)
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -60,7 +60,7 @@ static optionlist optionlist_config[] = {
   { "acl_smtp_predata",         opt_stringptr,   &acl_smtp_predata },
   { "acl_smtp_quit",            opt_stringptr,   &acl_smtp_quit },
   { "acl_smtp_rcpt",            opt_stringptr,   &acl_smtp_rcpt },
   { "acl_smtp_predata",         opt_stringptr,   &acl_smtp_predata },
   { "acl_smtp_quit",            opt_stringptr,   &acl_smtp_quit },
   { "acl_smtp_rcpt",            opt_stringptr,   &acl_smtp_rcpt },

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   { "acl_smtp_starttls",        opt_stringptr,   &acl_smtp_starttls },
 #endif
   { "acl_smtp_vrfy",            opt_stringptr,   &acl_smtp_vrfy },
   { "acl_smtp_starttls",        opt_stringptr,   &acl_smtp_starttls },
 #endif
   { "acl_smtp_vrfy",            opt_stringptr,   &acl_smtp_vrfy },


@@ -156,7 +156,7 @@ static optionlist optionlist_config[] = {
   { "freeze_tell",              opt_stringptr,   &freeze_tell },
   { "gecos_name",               opt_stringptr,   &gecos_name },
   { "gecos_pattern",            opt_stringptr,   &gecos_pattern },
   { "freeze_tell",              opt_stringptr,   &freeze_tell },
   { "gecos_name",               opt_stringptr,   &gecos_name },
   { "gecos_pattern",            opt_stringptr,   &gecos_pattern },

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   { "gnutls_allow_auto_pkcs11", opt_bool,        &gnutls_allow_auto_pkcs11 },
   { "gnutls_compat_mode",       opt_bool,        &gnutls_compat_mode },
 #endif
   { "gnutls_allow_auto_pkcs11", opt_bool,        &gnutls_allow_auto_pkcs11 },
   { "gnutls_compat_mode",       opt_bool,        &gnutls_compat_mode },
 #endif


@@ -224,7 +224,7 @@ static optionlist optionlist_config[] = {
   { "mysql_servers",            opt_stringptr,   &mysql_servers },
 #endif
   { "never_users",              opt_uidlist,     &never_users },
   { "mysql_servers",            opt_stringptr,   &mysql_servers },
 #endif
   { "never_users",              opt_uidlist,     &never_users },

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   { "openssl_options",          opt_stringptr,   &openssl_options },
 #endif
 #ifdef LOOKUP_ORACLE
   { "openssl_options",          opt_stringptr,   &openssl_options },
 #endif
 #ifdef LOOKUP_ORACLE


@@ -355,7 +355,7 @@ static optionlist optionlist_config[] = {
   { "timeout_frozen_after",     opt_time,        &timeout_frozen_after },
   { "timezone",                 opt_stringptr,   &timezone_string },
   { "tls_advertise_hosts",      opt_stringptr,   &tls_advertise_hosts },
   { "timeout_frozen_after",     opt_time,        &timeout_frozen_after },
   { "timezone",                 opt_stringptr,   &timezone_string },
   { "tls_advertise_hosts",      opt_stringptr,   &tls_advertise_hosts },

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   { "tls_certificate",          opt_stringptr,   &tls_certificate },
   { "tls_crl",                  opt_stringptr,   &tls_crl },
   { "tls_dh_max_bits",          opt_int,         &tls_dh_max_bits },
   { "tls_certificate",          opt_stringptr,   &tls_certificate },
   { "tls_crl",                  opt_stringptr,   &tls_crl },
   { "tls_dh_max_bits",          opt_int,         &tls_dh_max_bits },


@@ -3082,7 +3082,7 @@ Assumes:  tls_require_ciphers has been set, if it will be
 Returns:  bool for "okay"; false will cause caller to immediately exit.
 */
 
 Returns:  bool for "okay"; false will cause caller to immediately exit.
 */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 static BOOL
 tls_dropprivs_validate_require_cipher(BOOL nowarn)
 {
 static BOOL
 tls_dropprivs_validate_require_cipher(BOOL nowarn)
 {


@@ -3135,7 +3135,7 @@ signal(SIGCHLD, oldsignal);
 
 return status == 0;
 }
 
 return status == 0;
 }

-#endif /* SUPPORT_TLS */
+#endif /*DISABLE_TLS*/

 
 
 
 
 
 


@@ -3622,7 +3622,7 @@ if (host_number_string)
   host_number = n;
   }
 
   host_number = n;
   }
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 /* If tls_verify_hosts is set, tls_verify_certificates must also be set */
 
 if ((tls_verify_hosts || tls_try_verify_hosts) && !tls_verify_certificates)
 /* If tls_verify_hosts is set, tls_verify_certificates must also be set */
 
 if ((tls_verify_hosts || tls_try_verify_hosts) && !tls_verify_certificates)


@@ -3655,7 +3655,7 @@ if (openssl_options)
       "openssl_options parse error: %s", openssl_options);
 # endif
   }
       "openssl_options parse error: %s", openssl_options);
 # endif
   }

-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/

 
 if (!nowarn && !keep_environment && environ && *environ)
   log_write(0, LOG_MAIN,
 
 if (!nowarn && !keep_environment && environ && *environ)
   log_write(0, LOG_MAIN,

diff --git a/src/src/receive.c b/src/src/receive.c
index fbd32c8fa4e049b000135dc386079e74b84c4d58..9769e8893cd621cb6c03bc745a913233ffd440c1 100644 (file)
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -3978,7 +3978,7 @@ if (message_reference)
 
 g = add_host_info_for_log(g);
 
 
 g = add_host_info_for_log(g);
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 if (LOGGING(tls_cipher) && tls_in.cipher)
   {
   g = string_append(g, 2, US" X=", tls_in.cipher);
 if (LOGGING(tls_cipher) && tls_in.cipher)
   {
   g = string_append(g, 2, US" X=", tls_in.cipher);

diff --git a/src/src/sha_ver.h b/src/src/sha_ver.h
index 61408788b948d9c58ec03bcbc9e6d69920c0f1c7..a7e99f5068f69e628665c684344cfe186bac14ca 100644 (file)
--- a/src/src/sha_ver.h
+++ b/src/src/sha_ver.h
@@ -16,7 +16,7 @@
  * and not massaging CFLAGS in Local/Makefile is fully supported.
  */
 
  * and not massaging CFLAGS in Local/Makefile is fully supported.
  */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 
 # define EXIM_HAVE_SHA2
 
 
 # define EXIM_HAVE_SHA2
 

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 40fd3083b550cc137e519df140078eb322bace00..049f5b5428a79ba96b777bc621588faf092c60cc 100644 (file)
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -133,7 +133,7 @@ to the circular buffer that holds a list of the last n received. */
 
 static struct {
   BOOL auth_advertised                 :1;
 
 static struct {
   BOOL auth_advertised                 :1;

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   BOOL tls_advertised                  :1;
 #endif
   BOOL dsn_advertised                  :1;
   BOOL tls_advertised                  :1;
 #endif
   BOOL dsn_advertised                  :1;


@@ -194,7 +194,7 @@ static smtp_cmd_list cmd_list[] = {
   { "helo",       sizeof("helo")-1,       HELO_CMD, TRUE,  FALSE },
   { "ehlo",       sizeof("ehlo")-1,       EHLO_CMD, TRUE,  FALSE },
   { "auth",       sizeof("auth")-1,       AUTH_CMD, TRUE,  TRUE  },
   { "helo",       sizeof("helo")-1,       HELO_CMD, TRUE,  FALSE },
   { "ehlo",       sizeof("ehlo")-1,       EHLO_CMD, TRUE,  FALSE },
   { "auth",       sizeof("auth")-1,       AUTH_CMD, TRUE,  TRUE  },

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   { "starttls",   sizeof("starttls")-1,   STARTTLS_CMD, FALSE, FALSE },
   { "tls_auth",   0,                      TLS_AUTH_CMD, FALSE, FALSE },
 #endif
   { "starttls",   sizeof("starttls")-1,   STARTTLS_CMD, FALSE, FALSE },
   { "tls_auth",   0,                      TLS_AUTH_CMD, FALSE, FALSE },
 #endif


@@ -348,7 +348,7 @@ int fd, rc;
 fd_set fds;
 struct timeval tzero;
 
 fd_set fds;
 struct timeval tzero;
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 if (tls_in.active.sock >= 0)
  return !tls_could_read();
 #endif
 if (tls_in.active.sock >= 0)
  return !tls_could_read();
 #endif


@@ -945,7 +945,7 @@ if (fl.rcpt_in_progress)
 
 /* Now write the string */
 
 
 /* Now write the string */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 if (tls_in.active.sock >= 0)
   {
   if (tls_write(NULL, gs.s, gs.ptr, more) < 0)
 if (tls_in.active.sock >= 0)
   {
   if (tls_write(NULL, gs.s, gs.ptr, more) < 0)


@@ -1774,7 +1774,7 @@ return string_sprintf("SMTP connection from %s", hostname);
 
 
 
 
 
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 /* Append TLS-related information to a log line
 
 Arguments:
 /* Append TLS-related information to a log line
 
 Arguments:


@@ -1830,7 +1830,7 @@ if (sender_host_authenticated)
   if (authenticated_id) g = string_append(g, 2, US":", authenticated_id);
   }
 
   if (authenticated_id) g = string_append(g, 2, US":", authenticated_id);
   }
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 g = s_tlslog(g);
 #endif
 
 g = s_tlslog(g);
 #endif
 


@@ -2375,7 +2375,7 @@ return done - 2;  /* Convert yield values */
 
 
 
 
 
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 static BOOL
 smtp_log_tls_fail(uschar * errstr)
 {
 static BOOL
 smtp_log_tls_fail(uschar * errstr)
 {


@@ -2466,7 +2466,7 @@ if (!host_checking && !f.sender_host_notsocket)
   sender_host_auth_pubname = sender_host_authenticated = NULL;
 authenticated_by = NULL;
 
   sender_host_auth_pubname = sender_host_authenticated = NULL;
 authenticated_by = NULL;
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 tls_in.cipher = tls_in.peerdn = NULL;
 tls_in.ourcert = tls_in.peercert = NULL;
 tls_in.sni = NULL;
 tls_in.cipher = tls_in.peerdn = NULL;
 tls_in.ourcert = tls_in.peercert = NULL;
 tls_in.sni = NULL;


@@ -2903,7 +2903,7 @@ if (check_proxy_protocol_host())
   /* Start up TLS if tls_on_connect is set. This is for supporting the legacy
   smtps port for use with older style SSL MTAs. */
 
   /* Start up TLS if tls_on_connect is set. This is for supporting the legacy
   smtps port for use with older style SSL MTAs. */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   if (tls_in.on_connect)
     {
     if (tls_server_start(tls_require_ciphers, &user_msg) != OK)
   if (tls_in.on_connect)
     {
     if (tls_server_start(tls_require_ciphers, &user_msg) != OK)


@@ -3404,7 +3404,7 @@ is closing if required and return 2.  */
 
 if (log_reject_target != 0)
   {
 
 if (log_reject_target != 0)
   {

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   gstring * g = s_tlslog(NULL);
   uschar * tls = string_from_gstring(g);
   if (!tls) tls = US"";
   gstring * g = s_tlslog(NULL);
   uschar * tls = string_from_gstring(g);
   if (!tls) tls = US"";


@@ -3825,7 +3825,7 @@ if (*user_msgp)
 else
   smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname);
 
 else
   smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname);
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 tls_close(NULL, TLS_SHUTDOWN_NOWAIT);
 #endif
 
 tls_close(NULL, TLS_SHUTDOWN_NOWAIT);
 #endif
 


@@ -3896,7 +3896,7 @@ chunking_state = f.chunking_offered ? CHUNKING_OFFERED : CHUNKING_NOT_OFFERED;
 cmd_list[CMD_LIST_RSET].is_mail_cmd = TRUE;
 cmd_list[CMD_LIST_HELO].is_mail_cmd = TRUE;
 cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
 cmd_list[CMD_LIST_RSET].is_mail_cmd = TRUE;
 cmd_list[CMD_LIST_HELO].is_mail_cmd = TRUE;
 cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE;
 #endif
 
 cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE;
 #endif
 


@@ -4228,7 +4228,7 @@ while (done <= 0)
 
       fl.auth_advertised = FALSE;
       f.smtp_in_pipelining_advertised = FALSE;
 
       fl.auth_advertised = FALSE;
       f.smtp_in_pipelining_advertised = FALSE;

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

       fl.tls_advertised = FALSE;
 #endif
       fl.dsn_advertised = FALSE;
       fl.tls_advertised = FALSE;
 #endif
       fl.dsn_advertised = FALSE;


@@ -4421,7 +4421,7 @@ while (done <= 0)
        tls_advertise_hosts. We must *not* advertise if we are already in a
        secure connection. */
 
        tls_advertise_hosts. We must *not* advertise if we are already in a
        secure connection. */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

        if (tls_in.active.sock < 0 &&
            verify_check_host(&tls_advertise_hosts) != FAIL)
          {
        if (tls_in.active.sock < 0 &&
            verify_check_host(&tls_advertise_hosts) != FAIL)
          {


@@ -4459,7 +4459,7 @@ while (done <= 0)
       /* Terminate the string (for debug), write it, and note that HELO/EHLO
       has been seen. */
 
       /* Terminate the string (for debug), write it, and note that HELO/EHLO
       has been seen. */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

       if (tls_in.active.sock >= 0)
        (void)tls_write(NULL, g->s, g->ptr,
 # ifdef EXPERIMENTAL_PIPE_CONNECT
       if (tls_in.active.sock >= 0)
        (void)tls_write(NULL, g->s, g->ptr,
 # ifdef EXPERIMENTAL_PIPE_CONNECT


@@ -5395,7 +5395,7 @@ while (done <= 0)
       break;
 
 
       break;
 
 

-    #ifdef SUPPORT_TLS
+    #ifndef DISABLE_TLS

 
     case STARTTLS_CMD:
       HAD(SCH_STARTTLS);
 
     case STARTTLS_CMD:
       HAD(SCH_STARTTLS);


@@ -5586,7 +5586,7 @@ while (done <= 0)
        uschar buffer[256];
        buffer[0] = 0;
        Ustrcat(buffer, " AUTH");
        uschar buffer[256];
        buffer[0] = 0;
        Ustrcat(buffer, " AUTH");

-       #ifdef SUPPORT_TLS
+       #ifndef DISABLE_TLS

        if (tls_in.active.sock < 0 &&
            verify_check_host(&tls_advertise_hosts) != FAIL)
          Ustrcat(buffer, " STARTTLS");
        if (tls_in.active.sock < 0 &&
            verify_check_host(&tls_advertise_hosts) != FAIL)
          Ustrcat(buffer, " STARTTLS");

diff --git a/src/src/smtp_out.c b/src/src/smtp_out.c
index 4be7b9c179acb7de5dbf01973290a93de59e4316..d8cb42e01e11e8dd711d7aabe336551dba5d1c25 100644 (file)
--- a/src/src/smtp_out.c
+++ b/src/src/smtp_out.c
@@ -444,7 +444,7 @@ BOOL more = mode == SCMD_MORE;
 HDEBUG(D_transport|D_acl) debug_printf_indent("cmd buf flush %d bytes%s\n", n,
   more ? " (more expected)" : "");
 
 HDEBUG(D_transport|D_acl) debug_printf_indent("cmd buf flush %d bytes%s\n", n,
   more ? " (more expected)" : "");
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 if (outblock->cctx->tls_ctx)
   rc = tls_write(outblock->cctx->tls_ctx, outblock->buffer, n, more);
 else
 if (outblock->cctx->tls_ctx)
   rc = tls_write(outblock->cctx->tls_ctx, outblock->buffer, n, more);
 else

diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index 95004c1030961b3ca9ffb30bf25485ac8a8af1a4..c466895061660da572f444aa98480c248e6c56e0 100644 (file)
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -273,7 +273,7 @@ f.dkim_disable_verify = FALSE;
 dkim_collect_input = 0;
 #endif
 
 dkim_collect_input = 0;
 #endif
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 tls_in.certificate_verified = FALSE;
 # ifdef SUPPORT_DANE
 tls_in.dane_verified = FALSE;
 tls_in.certificate_verified = FALSE;
 # ifdef SUPPORT_DANE
 tls_in.dane_verified = FALSE;


@@ -646,7 +646,7 @@ for (;;)
 #endif
     break;
 
 #endif
     break;
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

     case 't':
     if (Ustrncmp(p, "ls_", 3) == 0)
       {
     case 't':
     if (Ustrncmp(p, "ls_", 3) == 0)
       {

diff --git a/src/src/spool_out.c b/src/src/spool_out.c
index d14914f94c2a39f093e79a4db5d284c5c593c00f..508e68cea4ce74659df47e20e0005eeb29606c5b 100644 (file)
--- a/src/src/spool_out.c
+++ b/src/src/spool_out.c
@@ -233,7 +233,7 @@ if (f.sender_set_untrusted) fprintf(fp, "-sender_set_untrusted\n");
 if (bmi_verdicts) fprintf(fp, "-bmi_verdicts %s\n", bmi_verdicts);
 #endif
 
 if (bmi_verdicts) fprintf(fp, "-bmi_verdicts %s\n", bmi_verdicts);
 #endif
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 if (tls_in.certificate_verified) fprintf(fp, "-tls_certificate_verified\n");
 if (tls_in.cipher)       fprintf(fp, "-tls_cipher %s\n", tls_in.cipher);
 if (tls_in.peercert)
 if (tls_in.certificate_verified) fprintf(fp, "-tls_certificate_verified\n");
 if (tls_in.cipher)       fprintf(fp, "-tls_cipher %s\n", tls_in.cipher);
 if (tls_in.peercert)

diff --git a/src/src/std-crypto.c b/src/src/std-crypto.c
index 161052c146d17138ae4ed6694b18ed9c5c50faa2..a045f6cc60811eff593e2c7fbb01e00992cb862c 100644 (file)
--- a/src/src/std-crypto.c
+++ b/src/src/std-crypto.c
@@ -17,7 +17,7 @@
 
 #include "exim.h"
 
 
 #include "exim.h"
 

-#ifndef SUPPORT_TLS
+#ifdef DISABLE_TLS

 static void dummy(int x) { dummy(x-1); }
 #else
 
 static void dummy(int x) { dummy(x-1); }
 #else
 


@@ -1018,5 +1018,5 @@ std_dh_prime_named(const uschar *name)
   return NULL;
 }
 
   return NULL;
 }
 

-#endif /* SUPPORT_TLS */
+#endif /*DISABLE_TLS*/

 /* EOF */
 /* EOF */

diff --git a/src/src/structs.h b/src/src/structs.h
index 349aa38e85062bf3de63abffa14da9d0cfd2d32c..da61df24f1adf79aadbf3d50a34c339ea7eae769 100644 (file)
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -567,7 +567,7 @@ typedef struct address_item {
   uschar *self_hostname;          /* after self=pass */
   uschar *shadow_message;         /* info about shadow transporting */
 
   uschar *self_hostname;          /* after self=pass */
   uschar *shadow_message;         /* info about shadow transporting */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   uschar *cipher;                 /* Cipher used for transport */
   void   *ourcert;                /* Certificate offered to peer, binary */
   void   *peercert;               /* Certificate from peer, binary */
   uschar *cipher;                 /* Cipher used for transport */
   void   *ourcert;                /* Certificate offered to peer, binary */
   void   *peercert;               /* Certificate from peer, binary */


@@ -805,7 +805,7 @@ typedef struct {
   int                   host_af;
   uschar *              interface;
 
   int                   host_af;
   uschar *              interface;
 

-#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)

   BOOL dane:1;                 /* connection must do dane */
   dns_answer           tlsa_dnsa;
 #endif
   BOOL dane:1;                 /* connection must do dane */
   dns_answer           tlsa_dnsa;
 #endif

diff --git a/src/src/tls.c b/src/src/tls.c
index 7b8d7a2a3aae1504bb19942280ce544aad198250..1fd10d52b374000a425166f90804a88482076aea 100644 (file)
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -19,7 +19,7 @@ functions from the OpenSSL or GNU TLS libraries. */
 #include "exim.h"
 #include "transports/smtp.h"
 
 #include "exim.h"
 #include "transports/smtp.h"
 

-#if defined(MACRO_PREDEF) && defined(SUPPORT_TLS)
+#if defined(MACRO_PREDEF) && !defined(DISABLE_TLS)

 # include "macro_predef.h"
 # ifdef USE_GNUTLS
 #  include "tls-gnu.c"
 # include "macro_predef.h"
 # ifdef USE_GNUTLS
 #  include "tls-gnu.c"


@@ -37,7 +37,7 @@ reference itself to stop picky compilers complaining that it is unused, and put
 in a dummy argument to stop even pickier compilers complaining about infinite
 loops. */
 
 in a dummy argument to stop even pickier compilers complaining about infinite
 loops. */
 

-#ifndef SUPPORT_TLS
+#ifdef DISABLE_TLS

 static void dummy(int x) { dummy(x-1); }
 #else
 
 static void dummy(int x) { dummy(x-1); }
 #else
 


@@ -217,7 +217,7 @@ return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
 }
 
 
 }
 
 

-#endif  /* SUPPORT_TLS */
+#endif  /*DISABLE_TLS*/

 
 void
 tls_modify_variables(tls_support * dest_tsp)
 
 void
 tls_modify_variables(tls_support * dest_tsp)


@@ -226,13 +226,13 @@ modify_variable(US"tls_bits",                 &dest_tsp->bits);
 modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
 modify_variable(US"tls_cipher",               &dest_tsp->cipher);
 modify_variable(US"tls_peerdn",               &dest_tsp->peerdn);
 modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
 modify_variable(US"tls_cipher",               &dest_tsp->cipher);
 modify_variable(US"tls_peerdn",               &dest_tsp->peerdn);

-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)

 modify_variable(US"tls_sni",                  &dest_tsp->sni);
 #endif
 }
 
 
 modify_variable(US"tls_sni",                  &dest_tsp->sni);
 #endif
 }
 
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 /************************************************
 *      TLS certificate name operations         *
 ************************************************/
 /************************************************
 *      TLS certificate name operations         *
 ************************************************/


@@ -364,7 +364,7 @@ else if ((subjdn = tls_cert_subject(cert, NULL)))
   }
 return FALSE;
 }
   }
 return FALSE;
 }

-#endif /*SUPPORT_TLS*/
+#endif /*!DISABLE_TLS*/

 #endif /*!MACRO_PREDEF*/
 
 /* vi: aw ai sw=2
 #endif /*!MACRO_PREDEF*/
 
 /* vi: aw ai sw=2

diff --git a/src/src/transport.c b/src/src/transport.c
index fb74dfdcde44919d4b99c736f025186dda4de57e..d745ef15fe7ab13bdfb46224c6e3e9246565b904 100644 (file)
--- a/src/src/transport.c
+++ b/src/src/transport.c
@@ -238,7 +238,7 @@ for (int i = 0; i < 100; i++)
   if (transport_write_timeout <= 0)   /* No timeout wanted */
     {
     rc =
   if (transport_write_timeout <= 0)   /* No timeout wanted */
     {
     rc =

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

        tls_out.active.sock == fd ? tls_write(tls_out.active.tls_ctx, block, len, more) :
 #endif
 #ifdef MSG_MORE
        tls_out.active.sock == fd ? tls_write(tls_out.active.tls_ctx, block, len, more) :
 #endif
 #ifdef MSG_MORE


@@ -256,7 +256,7 @@ for (int i = 0; i < 100; i++)
     ALARM(local_timeout);
 
     rc =
     ALARM(local_timeout);
 
     rc =

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

        tls_out.active.sock == fd ? tls_write(tls_out.active.tls_ctx, block, len, more) :
 #endif
 #ifdef MSG_MORE
        tls_out.active.sock == fd ? tls_write(tls_out.active.tls_ctx, block, len, more) :
 #endif
 #ifdef MSG_MORE


@@ -1867,7 +1867,7 @@ if (smtp_peer_options & OPTION_CHUNKING)  argv[i++] = US"-MCK";
 if (smtp_peer_options & OPTION_DSN)            argv[i++] = US"-MCD";
 if (smtp_peer_options & OPTION_PIPE)           argv[i++] = US"-MCP";
 if (smtp_peer_options & OPTION_SIZE)           argv[i++] = US"-MCS";
 if (smtp_peer_options & OPTION_DSN)            argv[i++] = US"-MCD";
 if (smtp_peer_options & OPTION_PIPE)           argv[i++] = US"-MCP";
 if (smtp_peer_options & OPTION_SIZE)           argv[i++] = US"-MCS";

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 if (smtp_peer_options & OPTION_TLS)
   if (tls_out.active.sock >= 0 || continue_proxy_cipher)
     {
 if (smtp_peer_options & OPTION_TLS)
   if (tls_out.active.sock >= 0 || continue_proxy_cipher)
     {

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 3d7aaae6b587aade512cf30b851ed334e262114d..42517400b12d90f70ff2a4afef922ce3b1bc491a 100644 (file)
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -90,7 +90,7 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, hosts_avoid_esmtp) },
   { "hosts_avoid_pipelining", opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_avoid_pipelining) },
       (void *)offsetof(smtp_transport_options_block, hosts_avoid_esmtp) },
   { "hosts_avoid_pipelining", opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_avoid_pipelining) },

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   { "hosts_avoid_tls",      opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_avoid_tls) },
 #endif
   { "hosts_avoid_tls",      opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_avoid_tls) },
 #endif


@@ -98,7 +98,7 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, hosts_max_try) },
   { "hosts_max_try_hardlimit", opt_int,
       (void *)offsetof(smtp_transport_options_block, hosts_max_try_hardlimit) },
       (void *)offsetof(smtp_transport_options_block, hosts_max_try) },
   { "hosts_max_try_hardlimit", opt_int,
       (void *)offsetof(smtp_transport_options_block, hosts_max_try_hardlimit) },

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   { "hosts_nopass_tls",     opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_nopass_tls) },
   { "hosts_noproxy_tls",    opt_stringptr,
   { "hosts_nopass_tls",     opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_nopass_tls) },
   { "hosts_noproxy_tls",    opt_stringptr,


@@ -112,13 +112,13 @@ optionlist smtp_transport_options[] = {
 #endif
   { "hosts_randomize",      opt_bool,
       (void *)offsetof(smtp_transport_options_block, hosts_randomize) },
 #endif
   { "hosts_randomize",      opt_bool,
       (void *)offsetof(smtp_transport_options_block, hosts_randomize) },

-#if defined(SUPPORT_TLS) && !defined(DISABLE_OCSP)
+#if !defined(DISABLE_TLS) && !defined(DISABLE_OCSP)

   { "hosts_request_ocsp",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_request_ocsp) },
 #endif
   { "hosts_require_auth",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_require_auth) },
   { "hosts_request_ocsp",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_request_ocsp) },
 #endif
   { "hosts_require_auth",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_require_auth) },

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 # ifdef SUPPORT_DANE
   { "hosts_require_dane",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_require_dane) },
 # ifdef SUPPORT_DANE
   { "hosts_require_dane",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_require_dane) },


@@ -134,7 +134,7 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, hosts_try_auth) },
   { "hosts_try_chunking",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_try_chunking) },
       (void *)offsetof(smtp_transport_options_block, hosts_try_auth) },
   { "hosts_try_chunking",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_try_chunking) },

-#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)

   { "hosts_try_dane",       opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_try_dane) },
 #endif
   { "hosts_try_dane",       opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_try_dane) },
 #endif


@@ -144,7 +144,7 @@ optionlist smtp_transport_options[] = {
   { "hosts_try_prdr",       opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_try_prdr) },
 #endif
   { "hosts_try_prdr",       opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_try_prdr) },
 #endif

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   { "hosts_verify_avoid_tls", opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_verify_avoid_tls) },
 #endif
   { "hosts_verify_avoid_tls", opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_verify_avoid_tls) },
 #endif


@@ -172,7 +172,7 @@ optionlist smtp_transport_options[] = {
   { "socks_proxy",          opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, socks_proxy) },
 #endif
   { "socks_proxy",          opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, socks_proxy) },
 #endif

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   { "tls_certificate",      opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, tls_certificate) },
   { "tls_crl",              opt_stringptr,
   { "tls_certificate",      opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, tls_certificate) },
   { "tls_crl",              opt_stringptr,


@@ -260,7 +260,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   .hosts_pipe_connect =                NULL,
 #endif
   .hosts_avoid_esmtp =         NULL,
   .hosts_pipe_connect =                NULL,
 #endif
   .hosts_avoid_esmtp =         NULL,

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   .hosts_nopass_tls =          NULL,
   .hosts_noproxy_tls =         NULL,
 #endif
   .hosts_nopass_tls =          NULL,
   .hosts_noproxy_tls =         NULL,
 #endif


@@ -288,7 +288,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 #ifdef SUPPORT_SOCKS
   .socks_proxy =               NULL,
 #endif
 #ifdef SUPPORT_SOCKS
   .socks_proxy =               NULL,
 #endif

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   .tls_certificate =           NULL,
   .tls_crl =                   NULL,
   .tls_privatekey =            NULL,
   .tls_certificate =           NULL,
   .tls_crl =                   NULL,
   .tls_privatekey =            NULL,


@@ -1687,7 +1687,7 @@ smtp_local_identity(uschar * sender, struct transport_instance * tblock)
 address_item * addr1;
 uschar * if1 = US"";
 uschar * helo1 = US"";
 address_item * addr1;
 uschar * if1 = US"";
 uschar * helo1 = US"";

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 uschar * tlsc1 = US"";
 #endif
 uschar * save_sender_address = sender_address;
 uschar * tlsc1 = US"";
 #endif
 uschar * save_sender_address = sender_address;


@@ -1705,7 +1705,7 @@ if (ob->interface)
 if (ob->helo_data)
   helo1 = expand_string(ob->helo_data);
 
 if (ob->helo_data)
   helo1 = expand_string(ob->helo_data);
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 if (ob->tls_certificate)
   tlsc1 = expand_string(ob->tls_certificate);
 local_identity = string_sprintf ("%s^%s^%s", if1, helo1, tlsc1);
 if (ob->tls_certificate)
   tlsc1 = expand_string(ob->tls_certificate);
 local_identity = string_sprintf ("%s^%s^%s", if1, helo1, tlsc1);


@@ -1754,7 +1754,7 @@ size_t bsize = Ustrlen(buf);
 
 /* debug_printf("%s: check for 0x%04x\n", __FUNCTION__, checks); */
 
 
 /* debug_printf("%s: check for 0x%04x\n", __FUNCTION__, checks); */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 if (  checks & OPTION_TLS
    && pcre_exec(regex_STARTTLS, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
 #endif
 if (  checks & OPTION_TLS
    && pcre_exec(regex_STARTTLS, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
 #endif


@@ -1954,7 +1954,7 @@ BOOL pass_message = FALSE;
 uschar * message = NULL;
 int yield = OK;
 int rc;
 uschar * message = NULL;
 int yield = OK;
 int rc;

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 uschar * tls_errstr;
 #endif
 
 uschar * tls_errstr;
 #endif
 


@@ -1972,7 +1972,7 @@ sx->esmtp_sent = FALSE;
 sx->utf8_needed = FALSE;
 #endif
 sx->dsn_all_lasthop = TRUE;
 sx->utf8_needed = FALSE;
 #endif
 sx->dsn_all_lasthop = TRUE;

-#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)

 sx->conn_args.dane = FALSE;
 sx->dane_required =
   verify_check_given_host(CUSS &ob->hosts_require_dane, sx->conn_args.host) == OK;
 sx->conn_args.dane = FALSE;
 sx->dane_required =
   verify_check_given_host(CUSS &ob->hosts_require_dane, sx->conn_args.host) == OK;


@@ -2019,7 +2019,7 @@ tls_out.cipher = NULL;    /* the one we may use for this transport */
 tls_out.ourcert = NULL;
 tls_out.peercert = NULL;
 tls_out.peerdn = NULL;
 tls_out.ourcert = NULL;
 tls_out.peercert = NULL;
 tls_out.peerdn = NULL;

-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)

 tls_out.sni = NULL;
 #endif
 tls_out.ocsp = OCSP_NOT_REQ;
 tls_out.sni = NULL;
 #endif
 tls_out.ocsp = OCSP_NOT_REQ;


@@ -2034,7 +2034,7 @@ For verify, unflipped once the callout is dealt with */
 
 tls_modify_variables(&tls_out);
 
 
 tls_modify_variables(&tls_out);
 

-#ifndef SUPPORT_TLS
+#ifdef DISABLE_TLS

 if (sx->smtps)
   {
   set_errno_nohost(sx->addrlist, ERRNO_TLSFAILURE, US"TLS support not available",
 if (sx->smtps)
   {
   set_errno_nohost(sx->addrlist, ERRNO_TLSFAILURE, US"TLS support not available",


@@ -2056,7 +2056,7 @@ if (!continue_hostname)
 
   smtp_port_for_connect(sx->conn_args.host, sx->port);
 
 
   smtp_port_for_connect(sx->conn_args.host, sx->port);
 

-#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)

     /* Do TLSA lookup for DANE */
     {
     tls_out.dane_verified = FALSE;
     /* Do TLSA lookup for DANE */
     {
     tls_out.dane_verified = FALSE;


@@ -2262,7 +2262,7 @@ goto SEND_QUIT;
   /* Alas; be careful, since this goto is not an error-out, so conceivably
   we might set data between here and the target which we assume to exist
   and be usable.  I can see this coming back to bite us. */
   /* Alas; be careful, since this goto is not an error-out, so conceivably
   we might set data between here and the target which we assume to exist
   and be usable.  I can see this coming back to bite us. */

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   if (sx->smtps)
     {
     smtp_peer_options |= OPTION_TLS;
   if (sx->smtps)
     {
     smtp_peer_options |= OPTION_TLS;


@@ -2388,7 +2388,7 @@ goto SEND_QUIT;
 
   /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
 
 
   /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

     smtp_peer_options |= sx->peer_offered & OPTION_TLS;
 #endif
     }
     smtp_peer_options |= sx->peer_offered & OPTION_TLS;
 #endif
     }


@@ -2450,7 +2450,7 @@ negative, the original EHLO data is available for subsequent analysis, should
 the client not be required to use TLS. If the response is bad, copy the buffer
 for error analysis. */
 
 the client not be required to use TLS. If the response is bad, copy the buffer
 for error analysis. */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 if (  smtp_peer_options & OPTION_TLS
    && !suppress_tls
    && verify_check_given_host(CUSS &ob->hosts_avoid_tls, sx->conn_args.host) != OK
 if (  smtp_peer_options & OPTION_TLS
    && !suppress_tls
    && verify_check_given_host(CUSS &ob->hosts_avoid_tls, sx->conn_args.host) != OK


@@ -2665,7 +2665,7 @@ else if (  sx->smtps
 # endif
   goto TLS_FAILED;
   }
 # endif
   goto TLS_FAILED;
   }

-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/

 
 /* If TLS is active, we have just started it up and re-done the EHLO command,
 so its response needs to be analyzed. If TLS is not active and this is a
 
 /* If TLS is active, we have just started it up and re-done the EHLO command,
 so its response needs to be analyzed. If TLS is not active and this is a


@@ -2673,7 +2673,7 @@ continued session down a previously-used socket, we haven't just done EHLO, so
 we skip this. */
 
 if (continue_hostname == NULL
 we skip this. */
 
 if (continue_hostname == NULL

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

     || tls_out.active.sock >= 0
 #endif
     )
     || tls_out.active.sock >= 0
 #endif
     )


@@ -2874,7 +2874,7 @@ return OK;
   in message and errno, and setting_up will always be true. Treat as
   a temporary error. */
 
   in message and errno, and setting_up will always be true. Treat as
   a temporary error. */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   TLS_FAILED:
     code = '4', yield = DEFER;
     goto FAILED;
   TLS_FAILED:
     code = '4', yield = DEFER;
     goto FAILED;


@@ -2917,7 +2917,7 @@ SEND_QUIT:
 if (sx->send_quit)
   (void)smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n");
 
 if (sx->send_quit)
   (void)smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n");
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 if (sx->cctx.tls_ctx)
   {
   tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
 if (sx->cctx.tls_ctx)
   {
   tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);


@@ -3261,7 +3261,7 @@ return 0;
 }
 
 
 }
 
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 /*****************************************************
 * Proxy TLS connection for another transport process *
 ******************************************************/
 /*****************************************************
 * Proxy TLS connection for another transport process *
 ******************************************************/


@@ -4148,7 +4148,7 @@ if (sx.completed_addr && sx.ok && sx.send_quit)
   if (  sx.first_addr != NULL
      || f.continue_more
      || (
   if (  sx.first_addr != NULL
      || f.continue_more
      || (

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

           (  tls_out.active.sock < 0  &&  !continue_proxy_cipher
            || verify_check_given_host(CUSS &ob->hosts_nopass_tls, host) != OK
           )
           (  tls_out.active.sock < 0  &&  !continue_proxy_cipher
            || verify_check_given_host(CUSS &ob->hosts_nopass_tls, host) != OK
           )


@@ -4186,7 +4186,7 @@ if (sx.completed_addr && sx.ok && sx.send_quit)
 
     if (sx.ok)
       {
 
     if (sx.ok)
       {

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

       int pfd[2];
 #endif
       int socket_fd = sx.cctx.sock;
       int pfd[2];
 #endif
       int socket_fd = sx.cctx.sock;


@@ -4203,7 +4203,7 @@ if (sx.completed_addr && sx.ok && sx.send_quit)
       transport_pass_socket).  If the caller has more ready, just return with
       the connection still open. */
 
       transport_pass_socket).  If the caller has more ready, just return with
       the connection still open. */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

       if (tls_out.active.sock >= 0)
        if (  f.continue_more
           || verify_check_given_host(CUSS &ob->hosts_noproxy_tls, host) == OK)
       if (tls_out.active.sock >= 0)
        if (  f.continue_more
           || verify_check_given_host(CUSS &ob->hosts_noproxy_tls, host) == OK)


@@ -4262,7 +4262,7 @@ propagate it from the initial
        just passed the baton to.  Fork a child to to do it, and return to
        get logging done asap.  Which way to place the work makes assumptions
        about post-fork prioritisation which may not hold on all platforms. */
        just passed the baton to.  Fork a child to to do it, and return to
        get logging done asap.  Which way to place the work makes assumptions
        about post-fork prioritisation which may not hold on all platforms. */

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

        if (tls_out.active.sock >= 0)
          {
          int pid = fork();
        if (tls_out.active.sock >= 0)
          {
          int pid = fork();


@@ -4330,7 +4330,7 @@ if (sx.send_quit) (void)smtp_write_command(&sx, SCMD_FLUSH, "QUIT\r\n");
 
 END_OFF:
 
 
 END_OFF:
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

 tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
 sx.cctx.tls_ctx = NULL;
 #endif
 tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
 sx.cctx.tls_ctx = NULL;
 #endif


@@ -4449,7 +4449,7 @@ for (address_item * addr = addrlist; addr; addr = addr->next)
     addr->basic_errno = 0;
     addr->more_errno = (host->mx >= 0)? 'M' : 'A';
     addr->message = NULL;
     addr->basic_errno = 0;
     addr->more_errno = (host->mx >= 0)? 'M' : 'A';
     addr->message = NULL;

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

     addr->cipher = NULL;
     addr->ourcert = NULL;
     addr->peercert = NULL;
     addr->cipher = NULL;
     addr->ourcert = NULL;
     addr->peercert = NULL;


@@ -5112,7 +5112,7 @@ retry_non_continued:
       session, so the in-clear transmission after those errors, if permitted,
       happens inside smtp_deliver().] */
 
       session, so the in-clear transmission after those errors, if permitted,
       happens inside smtp_deliver().] */
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

       if (  rc == DEFER
         && first_addr->basic_errno == ERRNO_TLSFAILURE
         && ob->tls_tempfail_tryclear
       if (  rc == DEFER
         && first_addr->basic_errno == ERRNO_TLSFAILURE
         && ob->tls_tempfail_tryclear


@@ -5132,7 +5132,7 @@ retry_non_continued:
           deferred_event_raise(first_addr, host);
 # endif
         }
           deferred_event_raise(first_addr, host);
 # endif
         }

-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/

       }
 
     /* Delivery attempt finished */
       }
 
     /* Delivery attempt finished */


@@ -5305,7 +5305,7 @@ retry_non_continued:
     int fd = cutthrough.cctx.sock >= 0 ? cutthrough.cctx.sock : 0;
 
     DEBUG(D_transport) debug_printf("no hosts match already-open connection\n");
     int fd = cutthrough.cctx.sock >= 0 ? cutthrough.cctx.sock : 0;
 
     DEBUG(D_transport) debug_printf("no hosts match already-open connection\n");

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

     /* A TLS conn could be open for a cutthrough, but not for a plain continued-
     transport */
 /*XXX doublecheck that! */
     /* A TLS conn could be open for a cutthrough, but not for a plain continued-
     transport */
 /*XXX doublecheck that! */

diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index ab0e93ff8a278b6698e6603c6fdcec4bddb2479b..5200fcb74db4e1f7c189ad4bc97d99fefeca91f0 100644 (file)
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -50,7 +50,7 @@ typedef struct {
   uschar *hosts_pipe_connect;
 #endif
   uschar *hosts_avoid_esmtp;
   uschar *hosts_pipe_connect;
 #endif
   uschar *hosts_avoid_esmtp;

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   uschar *hosts_nopass_tls;
   uschar *hosts_noproxy_tls;
 #endif
   uschar *hosts_nopass_tls;
   uschar *hosts_noproxy_tls;
 #endif


@@ -78,7 +78,7 @@ typedef struct {
 #ifdef SUPPORT_SOCKS
   uschar *socks_proxy;
 #endif
 #ifdef SUPPORT_SOCKS
   uschar *socks_proxy;
 #endif

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   uschar *tls_certificate;
   uschar *tls_crl;
   uschar *tls_privatekey;
   uschar *tls_certificate;
   uschar *tls_crl;
   uschar *tls_privatekey;


@@ -135,7 +135,7 @@ typedef struct {
   BOOL utf8_needed:1;
 #endif
   BOOL dsn_all_lasthop:1;
   BOOL utf8_needed:1;
 #endif
   BOOL dsn_all_lasthop:1;

-#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)

   BOOL dane_required:1;
 #endif
 #ifdef EXPERIMENTAL_PIPE_CONNECT
   BOOL dane_required:1;
 #endif
 #ifdef EXPERIMENTAL_PIPE_CONNECT

diff --git a/src/src/verify.c b/src/src/verify.c
index 184809fb55ab434f3e6d4387bc106f6832659258..7125a6da1a309a3fe434a89d31f182fa6cfee760 100644 (file)
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -687,7 +687,7 @@ tls_retry_connection:
     if permitted */
 
     yield = smtp_setup_conn(&sx, FALSE);
     if permitted */
 
     yield = smtp_setup_conn(&sx, FALSE);

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

     if (  yield == DEFER
        && addr->basic_errno == ERRNO_TLSFAILURE
        && ob->tls_tempfail_tryclear
     if (  yield == DEFER
        && addr->basic_errno == ERRNO_TLSFAILURE
        && ob->tls_tempfail_tryclear


@@ -819,7 +819,7 @@ tls_retry_connection:
            HDEBUG(D_acl|D_v)
              debug_printf_indent("problem after random/rset/mfrom; reopen conn\n");
            random_local_part = NULL;
            HDEBUG(D_acl|D_v)
              debug_printf_indent("problem after random/rset/mfrom; reopen conn\n");
            random_local_part = NULL;

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

            tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
 #endif
            HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP(close)>>\n");
            tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
 #endif
            HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP(close)>>\n");


@@ -1109,7 +1109,7 @@ no_conn:
 
       if (sx.cctx.sock >= 0)
        {
 
       if (sx.cctx.sock >= 0)
        {

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

        if (sx.cctx.tls_ctx)
          {
          tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
        if (sx.cctx.tls_ctx)
          {
          tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);


@@ -1215,7 +1215,7 @@ if(cutthrough.cctx.sock < 0)
   return TRUE;
 
 if(
   return TRUE;
 
 if(

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

    cutthrough.is_tls
    ? tls_write(cutthrough.cctx.tls_ctx, ctctx.outblock.buffer, n, FALSE)
    :
    cutthrough.is_tls
    ? tls_write(cutthrough.cctx.tls_ctx, ctctx.outblock.buffer, n, FALSE)
    :


@@ -1416,7 +1416,7 @@ if(fd >= 0)
   /* Wait a short time for response, and discard it */
   cutthrough_response(&tmp_ctx, '2', NULL, 1);
 
   /* Wait a short time for response, and discard it */
   cutthrough_response(&tmp_ctx, '2', NULL, 1);
 

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

   if (cutthrough.is_tls)
     {
     tls_close(cutthrough.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
   if (cutthrough.is_tls)
     {
     tls_close(cutthrough.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);


@@ -1924,12 +1924,12 @@ while (addr_new)
           }
         else
           {
           }
         else
           {

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

          deliver_set_expansions(addr);
 #endif
           rc = do_callout(addr, host_list, &tf, callout, callout_overall,
             callout_connect, options, se_mailfrom, pm_mailfrom);
          deliver_set_expansions(addr);
 #endif
           rc = do_callout(addr, host_list, &tf, callout, callout_overall,
             callout_connect, options, se_mailfrom, pm_mailfrom);

-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS

          deliver_set_expansions(NULL);
 #endif
           }
          deliver_set_expansions(NULL);
 #endif
           }