ARC: on the smtp transport option take empty or forced-fail to disable signing

diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 839200c6cd0923d63bfbb92bfd55431ea21b6a2b..3389632a2eeac6b82a990a33a36924c6b213693c 100644 (file)
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -802,6 +802,7 @@ arc_sign = <admd-identifier> : <selector> : <privkey>
 An option on the smtp transport, which constructs and prepends to the message
 an ARC set of headers.  The textually-first Authentication-Results: header
 is used as a basis (you must have added one on entry to the ADMD).
+Expanded; if unset, empty or forced-failure then no signing is done.
 
 
 

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index bd1e20d7fc3a35667af2e79d9a71a71fc09ac1a2..2dfb5b73af4ad31e9f192db1d82d648207f70100 100644 (file)
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -3004,15 +3004,21 @@ else
     uschar * s = sx.ob->arc_sign;
     if (s)
       {
-      if (!(sx.ob->dkim.arc_signspec = expand_string(s)))
+      if (!(sx.ob->dkim.arc_signspec = s = expand_string(s)))
        {
-       message = US"failed to expand arc_sign";
-       sx.ok = FALSE;
-       goto SEND_FAILED;
+       if (!expand_string_forcedfail)
+         {
+         message = US"failed to expand arc_sign";
+         sx.ok = FALSE;
+         goto SEND_FAILED;
+         }
+       }
+      else if (*s)
+       {
+       /* Ask dkim code to hash the body for ARC */
+       (void) arc_ams_setup_sign_bodyhash();
+       sx.ob->dkim.force_bodyhash = TRUE;
        }
-      /* Ask dkim code to hash the body for ARC */
-      (void) arc_ams_setup_sign_bodyhash();
-      sx.ob->dkim.force_bodyhash = TRUE;
       }
     }
 # endif