authorGilles Chehade <gilles@cvs.openbsd.org>2012-07-08 15:48:01 +0000
committerGilles Chehade <gilles@cvs.openbsd.org>2012-07-08 15:48:01 +0000
commitc8b28223f84b129f5f72ef10b254b1e64b580f0c (patch)
tree32e48a6f0658c8ec2524aa55245a7d5b2206be75
parent0555be9328889f8d2630094a9a1ca7c3e299b5f0 (diff)
- plug text_to_relayhost() in parse.y to support relay URLs.
- document the new URL syntax in smtpd.conf.5 - replace starttls:// schema with tls:// Beware, "relay via" rules should now be expressed with a relay URL: accept [...] relay via "mx1.example.org" smtps port 465 becomes accept [...] relay via "smtps://mx1.example.org" This will allow using mappings of relays with different protocols and options. Make sure to update your smtpd.conf if you relay via ! ok eric, ok chl
-rw-r--r--usr.sbin/smtpd/parse.y56
-rw-r--r--usr.sbin/smtpd/smtpd.conf.545
-rw-r--r--usr.sbin/smtpd/util.c6
3 files changed, 61 insertions, 46 deletions
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 9f7c885abaa..454ea66ae60 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.88 2012/05/13 00:10:49 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.89 2012/07/08 15:48:00 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@openbsd.org>
@@ -887,48 +887,52 @@ action : DELIVER TO MAILDIR user {
rule->r_action = A_RELAY;
rule->r_as = $2;
}
- | RELAY VIA STRING port ssl certname credentials relay_as {
+ | RELAY VIA STRING certname credentials relay_as {
rule->r_action = A_RELAYVIA;
- rule->r_as = $8;
+ rule->r_as = $6;
- if ($5 == 0 && ($6 != NULL || $7)) {
- yyerror("error: must specify tls, smtps, or ssl");
- free($6);
+ if (! text_to_relayhost(&rule->r_value.relayhost, $3)) {
+ yyerror("error: invalid url: %s", $3);
free($3);
+ free($4);
+ free($5);
+ free($6);
YYERROR;
}
+ free($3);
- if (strlcpy(rule->r_value.relayhost.hostname, $3,
- sizeof(rule->r_value.relayhost.hostname))
- >= sizeof(rule->r_value.relayhost.hostname))
- fatal("hostname too long");
-
- rule->r_value.relayhost.port = $4;
- rule->r_value.relayhost.flags |= $5;
-
- if ($7) {
- rule->r_value.relayhost.flags |= F_AUTH;
- strlcpy(rule->r_value.relayhost.authmap, $7,
+ /* no worries, F_AUTH cant be set without SSL */
+ if (rule->r_value.relayhost.flags & F_AUTH) {
+ if ($5 == NULL) {
+ yyerror("error: auth without authmap");
+ free($3);
+ free($4);
+ free($5);
+ free($6);
+ YYERROR;
+ }
+ strlcpy(rule->r_value.relayhost.authmap, $5,
sizeof(rule->r_value.relayhost.authmap));
- free($7);
}
+ free($5);
+
- if ($6 != NULL) {
- if (ssl_load_certfile($6, F_CCERT) < 0) {
+ if ($4 != NULL) {
+ if (ssl_load_certfile($4, F_CCERT) < 0) {
yyerror("cannot load certificate: %s",
- $6);
- free($6);
+ $4);
free($3);
+ free($4);
+ free($5);
+ free($6);
YYERROR;
}
- if (strlcpy(rule->r_value.relayhost.cert, $6,
+ if (strlcpy(rule->r_value.relayhost.cert, $4,
sizeof(rule->r_value.relayhost.cert))
>= sizeof(rule->r_value.relayhost.cert))
fatal("certificate path too long");
}
-
- free($3);
- free($6);
+ free($4);
}
;
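Review bot: The error paths inside the new RELAY VIA action free `$3` twice: it is released unconditionally right after the successful text_to_relayhost() call, and then again in both the "auth without authmap" branch and the "cannot load certificate" branch, so a URL that requests +auth without an auth map, or a certificate that fails to load, double-frees the URL string before YYERROR; `$5` has the same problem, being freed unconditionally after the F_AUTH block and again in the certificate branch. Dropping the two later `free($3);` lines and the `free($5);` in the certificate branch fixes it, or all four frees can be deferred to a single exit label so each string is released exactly once. Separately, the old rule rejected a certificate or credentials on a relay without tls/smtps/ssl, whereas the new code only covers the auth case through the URL schema, so a `certificate` name on an `smtp://` URL is now loaded and stored without complaint and an `auth` map on a URL without +auth is silently discarded — worth re-adding those checks or documenting the new behaviour. The `action` rule's other alternatives lie outside the hunk.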
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index fdd26a421a1..2f9f302d405 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.52 2012/05/13 13:58:31 jmc Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.53 2012/07/08 15:48:00 gilles Exp $
.\"
.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
.\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\"
-.Dd $Mdocdate: May 13 2012 $
+.Dd $Mdocdate: July 8 2012 $
.Dt SMTPD.CONF 5
.Os
.Sh NAME
@@ -320,26 +320,37 @@ respectively.
.It Xo
.Ic relay via
.Ar host
-.Op Ic port Ar port
-.Op Ic tls | smtps | ssl
.Op Ic certificate Ar name
.Op Ic auth Ar map
.Op Ic as Ar address
.Xc
Mail is relayed through the specified
.Ar host
-and
-.Ar port .
+expressed as an URL.
+For example:
+.Bd -literal -offset indent
+smtp://mx1.example.org # use SMTP
+smtp://mx1.example.org:4321 # use SMTP with port 4321
+.Ed
+.Pp
+The communication channel may be secured using one of the secure
+schemas.
+For example:
+.Bd -literal -offset indent
+tls://mx1.example.org # use TLS
+smtps://mx1.example.org # use SMTPS
+ssl://mx1.example.org # try SMTPS and fallback to TLS
+.Ed
+.Pp
+In addition, credentials for authenticated relaying may be provided
+when using a secure schema.
+For example:
+.Bd -literal -offset indent
+tls+auth://mx1.example.org # AUTH over TLS
+smtps+auth://mx1.example.org # AUTH over SMTPS
+ssl+auth://mx1.example.org # AUTH over either SMTPS or TLS
+.Ed
.Pp
-The communication channel may be secured using the
-.Ic tls
-or
-.Ic smtps
-options.
-The special keyword
-.Ic ssl
-means that any of the two is acceptable:
-SMTPS is tried first, STARTTLS second.
If a certificate
.Ar name
is specified and exists in the
@@ -351,9 +362,9 @@ Creation of certificates is documented in
.Pp
If an SMTPAUTH session with
.Ar host
-is desired, use the
+is desired, the
.Ic auth
-parameter to specify the
+parameter is used to specify the
.Ar map
that holds the credentials.
.Pp
diff --git a/usr.sbin/smtpd/util.c b/usr.sbin/smtpd/util.c
index db903ff669c..a4343a11b01 100644
--- a/usr.sbin/smtpd/util.c
+++ b/usr.sbin/smtpd/util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: util.c,v 1.61 2012/07/02 10:32:28 eric Exp $ */
+/* $OpenBSD: util.c,v 1.62 2012/07/08 15:48:00 gilles Exp $ */
/*
* Copyright (c) 2000,2001 Markus Friedl. All rights reserved.
@@ -474,9 +474,9 @@ text_to_relayhost(struct relayhost *relay, char *s)
} schemas [] = {
{ "smtp://", 0 },
{ "smtps://", F_SMTPS },
- { "starttls://", F_STARTTLS },
+ { "tls://", F_STARTTLS },
{ "smtps+auth://", F_SMTPS|F_AUTH },
- { "starttls+auth://", F_STARTTLS|F_AUTH },
+ { "tls+auth://", F_STARTTLS|F_AUTH },
{ "ssl://", F_SMTPS|F_STARTTLS },
{ "ssl+auth://", F_SMTPS|F_STARTTLS|F_AUTH }
};