-rw-r--r--NEWS1
-rw-r--r--imap.c14
-rw-r--r--pop3.c12
3 files changed, 11 insertions, 16 deletions
diff --git a/NEWS b/NEWS
index 8c11951c..8c93aa9b 100644
--- a/NEWS
+++ b/NEWS
@@ -75,6 +75,7 @@ fetchmail-6.3.19 (not yet released):
Reported by Mihail Nechkin against FreeBSD port.
Workaround for 6.3.18: build in a separate directory, i. e:
mkdir build && cd build && ../configure --options-go-here
+* Send a NOOP only after a failed STARTTLS in IMAP. (Sunil Shetye)
# DOCUMENTATION:
* The manual page now links to IANA for GSSAPI service names.
diff --git a/imap.c b/imap.c
index b1c51043..cbaa913b 100644
--- a/imap.c
+++ b/imap.c
@@ -397,9 +397,6 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
/* apply for connection authorization */
{
int ok = 0;
-#ifdef SSL_ENABLE
- int got_tls = 0;
-#endif
(void)greeting;
/*
@@ -457,17 +454,12 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
* Now that we're confident in our TLS connection we can
* guarantee a secure capability re-probe.
*/
- got_tls = 1;
capa_probe(sock, ctl);
if (outlevel >= O_VERBOSE)
{
report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname);
}
- }
- }
-
- if (!got_tls) {
- if (must_tls(ctl)) {
+ } else if (must_tls(ctl)) {
/* Config required TLS but we couldn't guarantee it, so we must
* stop. */
report(stderr, GT_("%s: upgrade to TLS failed.\n"), commonname);
@@ -486,6 +478,10 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
}
/* Usable. Proceed with authenticating insecurely. */
}
+ } else if (must_tls(ctl)) {
+ /* Config required TLS but STARTTLS is not advertised. */
+ report(stderr, GT_("%s: cannot upgrade to TLS: no STARTTLS in CAPABILITY response.\n"), commonname);
+ return PS_SOCKET;
}
}
#endif /* SSL_ENABLE */
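Review bot: The added `else if (must_tls(ctl))` chain ends without a final `else`, so when STARTTLS is missing from the CAPABILITY response and TLS is only opportunistic, the lines visible here continue to cleartext authentication without reporting anything. That capability list is read before TLS is in place, so it is unauthenticated, and a missing STARTTLS may come from on-path tampering rather than from the server's configuration. I would close the chain with `} else if (outlevel >= O_VERBOSE) {` and `report(stdout, GT_("%s: STARTTLS not advertised, continuing without TLS.\n"), commonname);`, mirroring the "opportunistic upgrade to TLS failed, trying to continue" message that pop3.c prints on its failed-upgrade path. The same gap exists in the STLS branch added to pop3.c in `@@ -496,6 +490,10 @@`. The enclosing `if` starts outside this hunk, so check first that no earlier line already logs this case.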
diff --git a/pop3.c b/pop3.c
index fd3e5b5d..21251e59 100644
--- a/pop3.c
+++ b/pop3.c
@@ -281,7 +281,6 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
#endif /* OPIE_ENABLE */
#ifdef SSL_ENABLE
flag connection_may_have_tls_errors = FALSE;
- flag got_tls = FALSE;
#endif /* SSL_ENABLE */
done_capa = FALSE;
@@ -465,7 +464,6 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
* Now that we're confident in our TLS connection we can
* guarantee a secure capability re-probe.
*/
- got_tls = TRUE;
done_capa = FALSE;
ok = capa_probe(sock);
if (ok != PS_SUCCESS) {
@@ -475,11 +473,7 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
{
report(stdout, GT_("%s: upgrade to TLS succeeded.\n"), commonname);
}
- }
- }
-
- if (!got_tls) {
- if (must_tls(ctl)) {
+ } else if (must_tls(ctl)) {
/* Config required TLS but we couldn't guarantee it, so we must
* stop. */
report(stderr, GT_("%s: upgrade to TLS failed.\n"), commonname);
@@ -496,6 +490,10 @@ static int pop3_getauth(int sock, struct query *ctl, char *greeting)
report(stdout, GT_("%s: opportunistic upgrade to TLS failed, trying to continue.\n"), commonname);
}
}
+ } else if (must_tls(ctl)) {
+ /* Config required TLS but STLS is not advertised. */
+ report(stderr, GT_("%s: cannot upgrade to TLS: no STLS in CAPA response.\n"), commonname);
+ return PS_SOCKET;
}
} /* maybe_tls() */
#endif /* SSL_ENABLE */