On Wed, Oct 15, 2014 at 02:00:35PM -0400, Wietse Venema wrote:

> This means the host announced STARTTLS, smtp_tls_ctx was non-null, and
> the TLS level was "none".

Oops, ignoring a STARTTLS offer with "level = none" misfires as a local configuration error: diff --git a/src/smtp/smtp_trouble.c b/src/smtp/smtp_trouble.c index c323a91..044ab3a 100644 --- a/src/smtp/smtp_trouble.c +++ b/src/smtp/smtp_trouble.c @@ -496,7 +496,8 @@ int smtp_tls_trouble(SMTP_STATE *state, int protocol_stage) break; case STARTTLS_FEATURE_FALLBACK: /* No recovery when skipping STARTTLS due to local problems */ - if (session->features & SMTP_FEATURE_STARTTLS) + if (session->tls_level != TLS_LEV_NONE + && session->features & SMTP_FEATURE_STARTTLS) return (-1); /* FALLTHROUGH */ case STARTTLS_COMMAND_FALLBACK: Perhaps Ralf has policy table entries with "none" as the security level for some of the sites in question. This same problem happens after cleartext retry, because the level is coerced to "none". -- Viktor.
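
Review bot: the comment above the changed condition in the STARTTLS_FEATURE_FALLBACK case still reads "No recovery when skipping STARTTLS due to local problems", which no longer explains why the test also checks `session->tls_level != TLS_LEV_NONE`. Extend it to say that a level of "none", whether set in a policy table entry or coerced after a cleartext retry as the message describes, is a deliberate skip of the STARTTLS offer and not a local problem, so the case falls through to STARTTLS_COMMAND_FALLBACK. As a style point on the added lines, consider writing the bit test as `(session->features & SMTP_FEATURE_STARTTLS)` inside the `&&` expression; precedence is already correct as written, but the parentheses make the grouping obvious to the next reader.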