If no cipher list is specified for a relay rule, fall back to
the global cipher list if defined, rather than the libtls default.
This is closer to the previous behavior.
Eric.
Index: mta.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/mta.c,v
retrieving revision 1.236
diff -u -p -r1.236 mta.c
--- mta.c 31 Mar 2021 17:47:16 -0000 1.236
+++ mta.c 31 Mar 2021 19:14:13 -0000
@@ -491,6 +491,7 @@ mta_setup_dispatcher(struct dispatcher *
struct tls_config *config;
struct pki *pki;
struct ca *ca;
+ const char *ciphers;
uint32_t protos;
if (dispatcher->type != DISPATCHER_REMOTE)
@@ -501,8 +502,10 @@ mta_setup_dispatcher(struct dispatcher *
if ((config = tls_config_new()) == NULL)
fatal("smtpd: tls_config_new");
- if (remote->tls_ciphers &&
- tls_config_set_ciphers(config, remote->tls_ciphers) == -1)
+ ciphers = env->sc_tls_ciphers;
+ if (remote->tls_ciphers)
+ ciphers = remote->tls_ciphers;
+ if (ciphers && tls_config_set_ciphers(config, ciphers) == -1)
err(1, "%s", tls_config_error(config));
if (remote->tls_protocols &&
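Review bot: The precedence between the two cipher sources is not documented where the new `ciphers` assignment happens, so a reader has to infer from the two-step assign-then-override that the relay rule wins; a one-line comment above `ciphers = env->sc_tls_ciphers;` such as `/* a relay-specific cipher list overrides the global one; NULL keeps the libtls default */` would make the fallback explicit. The same intent could also be written as `ciphers = remote->tls_ciphers ? remote->tls_ciphers : env->sc_tls_ciphers;`, which reads as a single selection rather than a default followed by an override. On the unchanged error path, `err(1, "%s", tls_config_error(config))` appends strerror(errno) to a libtls configuration error that may not have set errno, so the appended text can be stale; `errx` would report only the libtls message, though that predates this change. mta_setup_dispatcher continues outside the hunk.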