diff options
author | Gilles Chehade <gilles@cvs.openbsd.org> | 2012-07-08 15:48:01 +0000 |
---|---|---|
committer | Gilles Chehade <gilles@cvs.openbsd.org> | 2012-07-08 15:48:01 +0000 |
commit | c8b28223f84b129f5f72ef10b254b1e64b580f0c (patch) | |
tree | 32e48a6f0658c8ec2524aa55245a7d5b2206be75 | |
parent | 0555be9328889f8d2630094a9a1ca7c3e299b5f0 (diff) |
- plug text_to_relayhost() in parse.y to support relay URLs.
- document the new URL syntax in smtpd.conf.5
- replace starttls:// schema with tls://
Beware, "relay via" rules should now be expressed with a relay URL:
accept [...] relay via "mx1.example.org" smtps port 465
becomes accept [...] relay via "smtps://mx1.example.org"
This will allow using mappings of relays with different protocols and
options.
Make sure to update your smtpd.conf if you relay via !
ok eric, ok chl
-rw-r--r-- | usr.sbin/smtpd/parse.y | 56 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.conf.5 | 45 | ||||
-rw-r--r-- | usr.sbin/smtpd/util.c | 6 |
3 files changed, 61 insertions, 46 deletions
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y index 9f7c885abaa..454ea66ae60 100644 --- a/usr.sbin/smtpd/parse.y +++ b/usr.sbin/smtpd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.88 2012/05/13 00:10:49 gilles Exp $ */ +/* $OpenBSD: parse.y,v 1.89 2012/07/08 15:48:00 gilles Exp $ */ /* * Copyright (c) 2008 Gilles Chehade <gilles@openbsd.org> @@ -887,48 +887,52 @@ action : DELIVER TO MAILDIR user { rule->r_action = A_RELAY; rule->r_as = $2; } - | RELAY VIA STRING port ssl certname credentials relay_as { + | RELAY VIA STRING certname credentials relay_as { rule->r_action = A_RELAYVIA; - rule->r_as = $8; + rule->r_as = $6; - if ($5 == 0 && ($6 != NULL || $7)) { - yyerror("error: must specify tls, smtps, or ssl"); - free($6); + if (! text_to_relayhost(&rule->r_value.relayhost, $3)) { + yyerror("error: invalid url: %s", $3); free($3); + free($4); + free($5); + free($6); YYERROR; } + free($3); - if (strlcpy(rule->r_value.relayhost.hostname, $3, - sizeof(rule->r_value.relayhost.hostname)) - >= sizeof(rule->r_value.relayhost.hostname)) - fatal("hostname too long"); - - rule->r_value.relayhost.port = $4; - rule->r_value.relayhost.flags |= $5; - - if ($7) { - rule->r_value.relayhost.flags |= F_AUTH; - strlcpy(rule->r_value.relayhost.authmap, $7, + /* no worries, F_AUTH cant be set without SSL */ + if (rule->r_value.relayhost.flags & F_AUTH) { + if ($5 == NULL) { + yyerror("error: auth without authmap"); + free($3); + free($4); + free($5); + free($6); + YYERROR; + } + strlcpy(rule->r_value.relayhost.authmap, $5, sizeof(rule->r_value.relayhost.authmap)); - free($7); } + free($5); + - if ($6 != NULL) { - if (ssl_load_certfile($6, F_CCERT) < 0) { + if ($4 != NULL) { + if (ssl_load_certfile($4, F_CCERT) < 0) { yyerror("cannot load certificate: %s", - $6); - free($6); + $4); free($3); + free($4); + free($5); + free($6); YYERROR; } - if (strlcpy(rule->r_value.relayhost.cert, $6, + if (strlcpy(rule->r_value.relayhost.cert, $4, sizeof(rule->r_value.relayhost.cert)) >= sizeof(rule->r_value.relayhost.cert)) fatal("certificate path too long"); } - - free($3); - free($6); + free($4); } ; diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5 index fdd26a421a1..2f9f302d405 100644 --- a/usr.sbin/smtpd/smtpd.conf.5 +++ b/usr.sbin/smtpd/smtpd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: smtpd.conf.5,v 1.52 2012/05/13 13:58:31 jmc Exp $ +.\" $OpenBSD: smtpd.conf.5,v 1.53 2012/07/08 15:48:00 gilles Exp $ .\" .\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org> .\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net> @@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .\" -.Dd $Mdocdate: May 13 2012 $ +.Dd $Mdocdate: July 8 2012 $ .Dt SMTPD.CONF 5 .Os .Sh NAME @@ -320,26 +320,37 @@ respectively. .It Xo .Ic relay via .Ar host -.Op Ic port Ar port -.Op Ic tls | smtps | ssl .Op Ic certificate Ar name .Op Ic auth Ar map .Op Ic as Ar address .Xc Mail is relayed through the specified .Ar host -and -.Ar port . +expressed as an URL. +For example: +.Bd -literal -offset indent +smtp://mx1.example.org # use SMTP +smtp://mx1.example.org:4321 # use SMTP with port 4321 +.Ed +.Pp +The communication channel may be secured using one of the secure +schemas. +For example: +.Bd -literal -offset indent +tls://mx1.example.org # use TLS +smtps://mx1.example.org # use SMTPS +ssl://mx1.example.org # try SMTPS and fallback to TLS +.Ed +.Pp +In addition, credentials for authenticated relaying may be provided +when using a secure schema. +For example: +.Bd -literal -offset indent +tls+auth://mx1.example.org # AUTH over TLS +smtps+auth://mx1.example.org # AUTH over SMTPS +ssl+auth://mx1.example.org # AUTH over either SMTPS or TLS +.Ed .Pp -The communication channel may be secured using the -.Ic tls -or -.Ic smtps -options. -The special keyword -.Ic ssl -means that any of the two is acceptable: -SMTPS is tried first, STARTTLS second. If a certificate .Ar name is specified and exists in the @@ -351,9 +362,9 @@ Creation of certificates is documented in .Pp If an SMTPAUTH session with .Ar host -is desired, use the +is desired, the .Ic auth -parameter to specify the +parameter is used to specify the .Ar map that holds the credentials. .Pp diff --git a/usr.sbin/smtpd/util.c b/usr.sbin/smtpd/util.c index db903ff669c..a4343a11b01 100644 --- a/usr.sbin/smtpd/util.c +++ b/usr.sbin/smtpd/util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: util.c,v 1.61 2012/07/02 10:32:28 eric Exp $ */ +/* $OpenBSD: util.c,v 1.62 2012/07/08 15:48:00 gilles Exp $ */ /* * Copyright (c) 2000,2001 Markus Friedl. All rights reserved. @@ -474,9 +474,9 @@ text_to_relayhost(struct relayhost *relay, char *s) } schemas [] = { { "smtp://", 0 }, { "smtps://", F_SMTPS }, - { "starttls://", F_STARTTLS }, + { "tls://", F_STARTTLS }, { "smtps+auth://", F_SMTPS|F_AUTH }, - { "starttls+auth://", F_STARTTLS|F_AUTH }, + { "tls+auth://", F_STARTTLS|F_AUTH }, { "ssl://", F_SMTPS|F_STARTTLS }, { "ssl+auth://", F_SMTPS|F_STARTTLS|F_AUTH } }; |