author | Jacek Masiulaniec <jacekm@cvs.openbsd.org> | 2009-04-09 19:49:35 +0000 |
---|---|---|
committer | Jacek Masiulaniec <jacekm@cvs.openbsd.org> | 2009-04-09 19:49:35 +0000 |
commit | 2e2322d056b4c8ba1c9b7af6ee4f9dc822f05066 (patch) | |
tree | 56aa10d09172a90bab7e76383c705d9f65a9afd1 /usr.sbin/smtpd | |
parent | fbfd94f72683cc3188d39266ff0dcff9eae8f3f6 (diff) |
change syntax of the "listen on" and "relay via" directives:
1) kill the ssmtp keyword in "ssmtp listen on ...";
2) kill the use keyword in "... use certificate foo";
3) tls is no longer implicit; the user must explicitly use the tls or smtps option.
4) for "relay via", move the tls/smtps options to right after the
port specification; makes it similar to "listen on".
These directives:
ssmtp listen on fxp0 use certificate "foo"
accept for all relay via tls "mx.bar.com"
now become:
listen on fxp0 smtps certificate "foo"
accept for all relay via "mx.bar.com" tls
ok gilles@
Diffstat (limited to 'usr.sbin/smtpd')
-rw-r--r-- | usr.sbin/smtpd/lka.c | 10 | ||||
-rw-r--r-- | usr.sbin/smtpd/mta.c | 4 | ||||
-rw-r--r-- | usr.sbin/smtpd/parse.y | 99 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtp.c | 10 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtp_session.c | 4 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.h | 6 | ||||
-rw-r--r-- | usr.sbin/smtpd/ssl.c | 6 |
7 files changed, 69 insertions, 70 deletions
diff --git a/usr.sbin/smtpd/lka.c b/usr.sbin/smtpd/lka.c
index 0bd7ae83579..371abb36594 100644
--- a/usr.sbin/smtpd/lka.c
+++ b/usr.sbin/smtpd/lka.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lka.c,v 1.39 2009/04/05 16:33:12 gilles Exp $ */
+/* $OpenBSD: lka.c,v 1.40 2009/04/09 19:49:34 jacekm Exp $ */
 /*
 * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -440,7 +440,7 @@ lka_dispatch_mta(int sig, short event, void *p)
 }
 switch (mxhost.flags & F_SSL) {
- case F_SSMTP:
+ case F_SMTPS:
 ssin->sin_port = htons(465);
 mxrep.mxhost = mxhost;
 imsg_compose(ibuf, IMSG_LKA_MX, 0, 0, -1, &mxrep,
@@ -455,7 +455,7 @@ lka_dispatch_mta(int sig, short event, void *p)
 case F_STARTTLS:
 ssin->sin_port = htons(25);
 mxrep.mxhost = mxhost;
- mxrep.mxhost.flags &= ~F_SSMTP;
+ mxrep.mxhost.flags &= ~F_SMTPS;
 imsg_compose(ibuf, IMSG_LKA_MX, 0, 0, -1, &mxrep,
 sizeof(struct mxrep));
 break;
@@ -481,7 +481,7 @@ lka_dispatch_mta(int sig, short event, void *p)
 }
 switch (mxhost.flags & F_SSL) {
- case F_SSMTP:
+ case F_SMTPS:
 ssin6->sin6_port = htons(465);
 mxrep.mxhost = mxhost;
 imsg_compose(ibuf, IMSG_LKA_MX, 0, 0, -1, &mxrep,
@@ -496,7 +496,7 @@ lka_dispatch_mta(int sig, short event, void *p)
 case F_STARTTLS:
 ssin6->sin6_port = htons(25);
 mxrep.mxhost = mxhost;
- mxrep.mxhost.flags &= ~F_SSMTP;
+ mxrep.mxhost.flags &= ~F_SMTPS;
 imsg_compose(ibuf, IMSG_LKA_MX, 0, 0, -1, &mxrep,
 sizeof(struct mxrep));
 break;
diff --git a/usr.sbin/smtpd/mta.c b/usr.sbin/smtpd/mta.c
index 7d9ba336cdb..9abd62d05f9 100644
--- a/usr.sbin/smtpd/mta.c
+++ b/usr.sbin/smtpd/mta.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta.c,v 1.39 2009/03/29 14:18:20 jacekm Exp $ */
+/* $OpenBSD: mta.c,v 1.40 2009/04/09 19:49:34 jacekm Exp $ */
 /*
 * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -624,7 +624,7 @@ mta_write(int s, short event, void *arg)
 return;
 }
- if (mxhost && mxhost->flags & F_SSMTP) {
+ if (mxhost && mxhost->flags & F_SMTPS) {
 ssl_client_init(sessionp);
 return;
 }
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 5021a42cf8f..1e7473bdb77 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.30 2009/03/31 21:03:49 tobias Exp $ */
+/* $OpenBSD: parse.y,v 1.31 2009/04/09 19:49:34 jacekm Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade <gilles@openbsd.org>
@@ -113,8 +113,8 @@ typedef struct {
 %}
-%token QUEUE INTERVAL LISTEN ON ALL PORT USE
-%token MAP TYPE HASH LIST SINGLE SSL SSMTP CERTIFICATE
+%token QUEUE INTERVAL LISTEN ON ALL PORT
+%token MAP TYPE HASH LIST SINGLE SSL SMTPS CERTIFICATE
 %token DNS DB TFILE EXTERNAL DOMAIN CONFIG SOURCE
 %token RELAY VIA DELIVER TO MAILDIR MBOX HOSTNAME
 %token ACCEPT REJECT INCLUDE NETWORK ERROR MDA FROM FOR
@@ -122,7 +122,7 @@ typedef struct {
 %token <v.string> STRING
 %token <v.number> NUMBER
 %type <v.map> map
-%type <v.number> quantifier decision port ssmtp from auth ssl
+%type <v.number> quantifier decision port from auth ssl
 %type <v.cond> condition
 %type <v.tv> interval
 %type <v.object> mapref
@@ -214,19 +214,15 @@ port : PORT STRING {
 }
 ;
-certname : USE CERTIFICATE STRING {
- if (($$ = strdup($3)) == NULL)
+certname : CERTIFICATE STRING {
+ if (($$ = strdup($2)) == NULL)
 fatal(NULL);
- free($3);
+ free($2);
 }
 | /* empty */ { $$ = NULL; }
 ;
-ssmtp : SSMTP { $$ = 1; }
- | /* empty */ { $$ = 0; }
- ;
-
-ssl : SSMTP { $$ = F_SSMTP; }
+ssl : SMTPS { $$ = F_SMTPS; }
 | TLS { $$ = F_STARTTLS; }
 | SSL { $$ = F_SSL; }
 | /* empty */ { $$ = 0; }
@@ -238,19 +234,33 @@ auth : ENABLE AUTH { $$ = 1; }
 main : QUEUE INTERVAL interval {
 conf->sc_qintval = $3;
 }
- | ssmtp LISTEN ON STRING port certname auth {
+ | LISTEN ON STRING port ssl certname auth {
 char *cert;
 u_int8_t flags;
- if ($5 == 0) {
- if ($1)
- $5 = htons(465);
+ if ($5 == F_SSL) {
+ yyerror("syntax error");
+ free($6);
+ free($3);
+ YYERROR;
+ }
+
+ if ($5 == 0 && ($6 != NULL || $7)) {
+ yyerror("error: must specify tls or smtps");
+ free($6);
+ free($3);
+ YYERROR;
+ }
+
+ if ($4 == 0) {
+ if ($5 == F_SMTPS)
+ $4 = htons(465);
 else
- $5 = htons(25);
+ $4 = htons(25);
 }
- cert = ($6 != NULL) ? $6 : $4;
- flags = 0;
+ cert = ($6 != NULL) ? $6 : $3;
+ flags = $5;
 if ($7)
 flags |= F_AUTH;
@@ -258,33 +268,27 @@ main : QUEUE INTERVAL interval {
 if (ssl_load_certfile(conf, cert) < 0) {
 log_warnx("warning: could not load cert: %s, "
 "no SSL/TLS/AUTH support", cert);
- if ($1 || $6 != NULL) {
+ if ($5) {
 yyerror("cannot load certificate: %s", cert);
 free($6);
- free($4);
+ free($3);
 YYERROR;
 }
 }
- else {
- if ($1)
- flags |= F_SSMTP;
- else
- flags |= F_STARTTLS;
- }
- if (! interface($4, &conf->sc_listeners,
- MAX_LISTEN, $5, flags)) {
- if (host($4, &conf->sc_listeners,
- MAX_LISTEN, $5, flags) <= 0) {
- yyerror("invalid virtual ip or interface: %s", $4);
+ if (! interface($3, &conf->sc_listeners,
+ MAX_LISTEN, $4, flags)) {
+ if (host($3, &conf->sc_listeners,
+ MAX_LISTEN, $4, flags) <= 0) {
+ yyerror("invalid virtual ip or interface: %s", $3);
 free($6);
- free($4);
+ free($3);
 YYERROR;
 }
 }
 free($6);
- free($4);
+ free($3);
 }
 | HOSTNAME STRING {
 if (strlcpy(conf->sc_hostname, $2,
@@ -732,29 +736,27 @@ action : DELIVER TO MAILDIR STRING {
 | RELAY {
 rule->r_action = A_RELAY;
 }
- | RELAY VIA ssl STRING port auth {
+ | RELAY VIA STRING port ssl auth {
 rule->r_action = A_RELAYVIA;
- if ($3)
- rule->r_value.relayhost.flags = $3;
+ if ($5 == 0 && $6) {
+ yyerror("error: auth over insecure channel");
+ free($3);
+ YYERROR;
+ }
- if (strlcpy(rule->r_value.relayhost.hostname, $4,
+ if (strlcpy(rule->r_value.relayhost.hostname, $3,
 sizeof(rule->r_value.relayhost.hostname)) >=
 sizeof(rule->r_value.relayhost.hostname))
 fatal("hostname too long");
- if ($5 == 0)
- rule->r_value.relayhost.port = 0;
- else
- rule->r_value.relayhost.port = $5;
+ rule->r_value.relayhost.port = $4;
+ rule->r_value.relayhost.flags |= $5;
- if ($6) {
- if (! $3)
- fatalx("cannot auth over insecure channel");
+ if ($6)
 rule->r_value.relayhost.flags |= F_AUTH;
- }
- free($4);
+ free($3);
 }
 ;
@@ -939,13 +941,12 @@ lookup(char *s)
 { "reject", REJECT },
 { "relay", RELAY },
 { "single", SINGLE },
+ { "smtps", SMTPS },
 { "source", SOURCE },
 { "ssl", SSL },
- { "ssmtp", SSMTP },
 { "tls", TLS },
 { "to", TO },
 { "type", TYPE },
- { "use", USE },
 { "via", VIA },
 };
 const struct keywords *p;
diff --git a/usr.sbin/smtpd/smtp.c b/usr.sbin/smtpd/smtp.c
index 3fbf2f33f96..5d59f809169 100644
--- a/usr.sbin/smtpd/smtp.c
+++ b/usr.sbin/smtpd/smtp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtp.c,v 1.32 2009/03/29 14:18:20 jacekm Exp $ */
+/* $OpenBSD: smtp.c,v 1.33 2009/04/09 19:49:34 jacekm Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade <gilles@openbsd.org>
@@ -144,9 +144,6 @@ smtp_dispatch_parent(int sig, short event, void *p)
 if ((l->fd = imsg_get_fd(ibuf, &imsg)) == -1)
 fatal("cannot get fd");
- log_debug("smtp_dispatch_parent: "
- "got fd %d for listener: %p", l->fd, l);
-
 (void)strlcpy(key.ssl_name, l->ssl_cert_name,
 sizeof(key.ssl_name));
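Review bot: In the rewritten `LISTEN ON STRING port ssl certname auth` action (hunks @@ -238 and @@ -258), a listener declared with neither `tls` nor `smtps` and with no certname or auth still reaches `ssl_load_certfile(conf, cert)` with the interface name as the certificate name, so every plain listener logs the "could not load cert ... no SSL/TLS/AUTH support" warning at parse time, and if a cert by that name happens to exist it is presumably loaded even though `flags = $5` leaves it unused. Since this commit makes TLS explicit, gate the load on the option instead: `if ($5 && ssl_load_certfile(conf, cert) < 0) {`, which makes the inner `if ($5)` redundant and turns a failed load into the hard error unconditionally. The `ssl_load_certfile` call is a context line in the second hunk, so this guard sits just outside the commit's own edits. As a point of style, the `yyerror("syntax error")` raised for `$5 == F_SSL` could name the cause the way the next check does, e.g. `yyerror("error: listen on takes tls or smtps, not ssl");`.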
@@ -639,8 +636,9 @@ smtp_setup_events(struct smtpd *env)
 struct timeval tv;
 TAILQ_FOREACH(l, &env->sc_listeners, entry) {
- log_debug("smtp_setup_events: configuring listener: %p%s.",
- l, (l->flags & F_SSL)?" (with ssl)":"");
+ log_debug("smtp_setup_events: listen on %s port %d flags 0x%01x"
+ " cert \"%s\"", ss_to_text(&l->ss), ntohs(l->port),
+ l->flags, l->ssl_cert_name);
 session_socket_blockmode(l->fd, BM_NONBLOCK);
 if (listen(l->fd, SMTPD_BACKLOG) == -1)
diff --git a/usr.sbin/smtpd/smtp_session.c b/usr.sbin/smtpd/smtp_session.c
index 0e448304811..db558d366bd 100644
--- a/usr.sbin/smtpd/smtp_session.c
+++ b/usr.sbin/smtpd/smtp_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtp_session.c,v 1.63 2009/03/15 19:32:10 gilles Exp $ */
+/* $OpenBSD: smtp_session.c,v 1.64 2009/04/09 19:49:34 jacekm Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade <gilles@openbsd.org>
@@ -737,7 +737,7 @@ session_init(struct listener *l, struct session *s)
 session_error, s)) == NULL)
 fatalx("session_init: bufferevent_new failed");
- if (l->flags & F_SSMTP) {
+ if (l->flags & F_SMTPS) {
 log_debug("session_init: initializing ssl");
 s->s_flags |= F_EVLOCKED;
 bufferevent_disable(s->s_bev, EV_READ|EV_WRITE);
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index d02d2daa98e..7b249879512 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.96 2009/03/22 22:53:47 gilles Exp $ */
+/* $OpenBSD: smtpd.h,v 1.97 2009/04/09 19:49:34 jacekm Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade <gilles@openbsd.org>
@@ -73,9 +73,9 @@
 #define SMTP_ANYLINE_MAX SMTP_TEXTLINE_MAX
 #define F_STARTTLS 0x01
-#define F_SSMTP 0x02
+#define F_SMTPS 0x02
 #define F_AUTH 0x04
-#define F_SSL (F_SSMTP|F_STARTTLS)
+#define F_SSL (F_SMTPS|F_STARTTLS)
 struct netaddr {
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index f151a94af75..29f1aff2d2c 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.11 2009/03/15 19:32:11 gilles Exp $ */
+/* $OpenBSD: ssl.c,v 1.12 2009/04/09 19:49:34 jacekm Exp $ */
 /*
 * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -509,7 +509,7 @@ ssl_session_accept(int fd, short event, void *p)
 log_info("ssl_session_accept: accepted ssl client");
 s->s_flags |= F_SECURE;
- if (s->s_l->flags & F_SSMTP) {
+ if (s->s_l->flags & F_SMTPS) {
 s_smtp.ssmtp++;
 s_smtp.ssmtp_active++;
 }
@@ -601,7 +601,7 @@ ssl_session_destroy(struct session *s)
 return;
 }
- if (s->s_l->flags & F_SSMTP) {
+ if (s->s_l->flags & F_SMTPS) {
 if (s->s_flags & F_SECURE)
 s_smtp.ssmtp_active--;
 } |