Fix non-TLS build

[users/heiko/exim.git] / src / src / transports / smtp.c

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index dfc1c767c1aea7e5731c0e88c1a69230d302273b..cdee9282284a86c6c36bffcb07a9ac4d06a3c66a 100644 (file)
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1987,10 +1987,8 @@ if (sx->smtps)
            DEFER, FALSE, &sx->delivery_start);
   return ERROR;
   }
-#endif
+#else
 
-#ifdef SUPPORT_DANE
-/*XXX new */
 /* If we have a proxied TLS connection, check usability for this message */
 
 if (continue_hostname && continue_proxy_cipher)
@@ -1998,8 +1996,10 @@ if (continue_hostname && continue_proxy_cipher)
   int rc;
   const uschar * sni = US"";
 
+# ifdef SUPPORT_DANE
   /* Check if the message will be DANE-verified; if so force its SNI */
 
+  tls_out.dane_verified = FALSE;
   smtp_port_for_connect(sx->conn_args.host, sx->port);
   if (  sx->conn_args.host->dnssec == DS_YES
      && (  sx->dane_required
@@ -2016,22 +2016,24 @@ if (continue_hostname && continue_proxy_cipher)
                              string_sprintf("DANE error: tlsa lookup %s",
                                rc_to_string(rc)),
                              rc, FALSE, &sx->delivery_start);
-# ifndef DISABLE_EVENT
+#  ifndef DISABLE_EVENT
                            (void) event_raise(sx->conn_args.tblock->event_action,
                              US"dane:fail", sx->dane_required
                                ?  US"dane-required" : US"dnssec-invalid");
-# endif
+#  endif
                            return rc;
       }
+# endif
 
-  /* If the SNI required for the new message differs from the existing conn
-  drop the connection to force a new one. */
+  /* If the SNI or the DANE status required for the new message differs from the
+  existing conn drop the connection to force a new one. */
 
   if (ob->tls_sni && !(sni = expand_cstring(ob->tls_sni)))
     log_write(0, LOG_MAIN|LOG_PANIC,
       "<%s>: failed to expand transport's tls_sni value: %s",
       sx->addrlist->address, expand_string_message);
 
+# ifdef SUPPORT_DANE
   if (  (continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni)
      && continue_proxy_dane == sx->conn_args.dane)
     {
@@ -2039,6 +2041,10 @@ if (continue_hostname && continue_proxy_cipher)
     if ((tls_out.dane_verified = continue_proxy_dane))
       sx->conn_args.host->dnssec = DS_YES;
     }
+# else
+  if ((continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni))
+    tls_out.sni = US sni;
+# endif
   else
     {
     DEBUG(D_transport)
@@ -2047,7 +2053,6 @@ if (continue_hostname && continue_proxy_cipher)
     HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("  SMTP>> QUIT\n");
     write(0, "QUIT\r\n", 6);
     close(0);
-    tls_out.dane_verified = FALSE;
     continue_hostname = continue_proxy_cipher = NULL;
     f.continue_more = FALSE;
     continue_sequence = 1;     /* Unfortunately, this process cannot affect success log
@@ -2055,8 +2060,7 @@ if (continue_hostname && continue_proxy_cipher)
                                back through reporting pipe. */
     }
   }
-#endif
-
+#endif /*!DISABLE_TLS*/
 
 /* Make a connection to the host if this isn't a continued delivery, and handle
 the initial interaction and HELO/EHLO/LHLO. Connect timeout errors are handled
@@ -4251,16 +4255,6 @@ connection to a new process. However, not all servers can handle this (Exim
 can), so we do not pass such a connection on if the host matches
 hosts_nopass_tls. */
 
-/*XXX do we have to veto all passing of DANE'd connections?
-Can we be any more intelligent?
-
-I could see that unpleasantly impacting high-vol mailinglist.
-Where many messages are queued for a single dest MX.
-
-But the wait-DB used by transport_check_waiting only records hosts, not domains.
-So we cannot look for a domain mismatch.
-*/
-
 DEBUG(D_transport)
   debug_printf("ok=%d send_quit=%d send_rset=%d continue_more=%d "
     "yield=%d first_address is %sNULL\n", sx->ok, sx->send_quit,