Disable TLS 1.0 only for smtp auth/submission

1 files changed, 7 insertions, 4 deletions

diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index 2a1fd71..8ae6af3 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -84,6 +84,10 @@ int tls_before_auth = 0;
 int smtputf8 = 0;
 #endif
 
+/* SMTP AUTH */
+int flagauth = 0;
+char **childargs;
+
 int safewrite(fd,buf,len) int fd; char *buf; int len;
 {
   int r;
@@ -199,8 +203,6 @@ extern void realrcptto_start();
 extern int realrcptto();
 extern int realrcptto_deny();
 
-int flagauth = 0;
-
 stralloc greeting = {0};
 
 void smtp_greet(code) char *code;
@@ -960,7 +962,6 @@ static stralloc chal = {0};     /* plain challenge */
 static stralloc slop = {0};     /* b64 challenge */
 #endif
 
-char **childargs;
 char ssauthbuf[512];
 char ssauth2buf[512];
 substdio ssauth = SUBSTDIO_FDBUF(safewrite,3,ssauthbuf,sizeof(ssauthbuf));
@@ -1432,9 +1433,11 @@ void tls_init()
   /* a new SSL context with the bare minimum of options */
   ctx = SSL_CTX_new(SSLv23_server_method());
   if (!ctx) { tls_err("unable to initialize ctx"); return; }
-  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
+  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3 |
                            SSL_OP_CIPHER_SERVER_PREFERENCE |
                            SSL_OP_PRIORITIZE_CHACHA);
+  if (*childargs)
+    SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
 
   if (!SSL_CTX_use_certificate_chain_file(ctx, servercert))
     { SSL_CTX_free(ctx); tls_err("missing certificate"); return; }