authorEric Faurot <eric@cvs.openbsd.org>2018-09-24 16:14:35 +0000
committerEric Faurot <eric@cvs.openbsd.org>2018-09-24 16:14:35 +0000
commit681145f0d4f58f7d8231319eebb8dc4931bea169 (patch)
tree74b82629647cdea1cd0d943b04456780d5efb6be /usr.sbin
parent5e85f2b6d4d448a1b04c9c07639a4259e1d182ca (diff)
Allow the "tls" keyword to be used on any relay action to force TLS, with
strict certificate validation. The "no-verify" keyword becomes optional. ok gilles@ millert@ semarie@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/smtpd/mta.c21
-rw-r--r--usr.sbin/smtpd/parse.y16
-rw-r--r--usr.sbin/smtpd/smtpd.conf.513
-rw-r--r--usr.sbin/smtpd/smtpd.h3
4 files changed, 40 insertions, 13 deletions
diff --git a/usr.sbin/smtpd/mta.c b/usr.sbin/smtpd/mta.c
index 4da1a84c2eb..b7a841d15b0 100644
--- a/usr.sbin/smtpd/mta.c
+++ b/usr.sbin/smtpd/mta.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta.c,v 1.225 2018/09/19 05:31:12 eric Exp $ */
+/* $OpenBSD: mta.c,v 1.226 2018/09/24 16:14:34 eric Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -657,6 +657,23 @@ mta_handle_envelope(struct envelope *evp, const char *smarthost)
return;
}
+ if (dispatcher->u.remote.tls_required) {
+ /* Reject relay if smtp+notls:// is requested */
+ if (relayh.tls == RELAY_TLS_NO) {
+ log_warnx("warn: TLS required for action \"%s\"",
+ evp->dispatcher);
+ m_create(p_queue, IMSG_MTA_DELIVERY_TEMPFAIL, 0, 0, -1);
+ m_add_evpid(p_queue, evp->id);
+ m_add_string(p_queue, "TLS required for relaying");
+ m_add_int(p_queue, ESC_OTHER_STATUS);
+ m_close(p_queue);
+ return;
+ }
+ /* Update smtp:// to smtp+tls:// */
+ if (relayh.tls == RELAY_TLS_OPPORTUNISTIC)
+ relayh.tls = RELAY_TLS_STARTTLS;
+ }
+
relay = mta_relay(evp, &relayh);
/* ignore if we don't know the limits yet */
if (relay->limits &&
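Review bot: The conflict between a `tls` action and an `smtp+notls://` smarthost is only detected here at delivery time and answered with IMSG_MTA_DELIVERY_TEMPFAIL, so a statically configured smarthost that contradicts the keyword keeps every message queued and retrying until expiry instead of failing at configuration load. For a smarthost given as a literal string (the `smarthost = strdup(t->t_name)` assignment visible at the top of the parse.y hunk) the URL scheme could be checked in parse.y when the action is defined; the runtime check would still be needed if the `smarthost` argument of this function can come from a table, which this hunk does not show. A short comment on the tempfail would record that decision, e.g. `/* tempfail rather than reject: the smarthost may be table-sourced and fixable without a requeue */`. Note that a RELAY_TLS_SMTPS relayh passes through unchanged, which is correct since it is already TLS. mta_handle_envelope begins and ends outside the hunk.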
@@ -1739,7 +1756,7 @@ mta_relay(struct envelope *e, struct relayhost *relayh)
if (!key.authlabel[0])
key.authlabel = NULL;
- if (dispatcher->u.remote.smarthost &&
+ if ((key.tls == RELAY_TLS_STARTTLS || key.tls == RELAY_TLS_SMTPS) &&
dispatcher->u.remote.tls_noverify == 0)
key.flags |= RELAY_TLS_VERIFY;
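Review bot: RELAY_TLS_VERIFY is now keyed on the resolved relay mode rather than on a configured smarthost, so for a smarthost reached through a plain `smtp://` URL without the `tls` keyword (RELAY_TLS_OPPORTUNISTIC) the flag is no longer set where the old condition set it; whether verification had any effect in opportunistic mode cannot be seen from this hunk, but the change in the flag's value is real and deserves a mention in the commit message. Conversely, MX-based relaying with `tls` now sets the flag, and the name being verified is presumably the MX host obtained from an unauthenticated DNS lookup, which bounds what the certificate check proves; that caveat belongs in the smtpd.conf.5 text for the `tls` keyword. A comment above the condition, `/* verify the peer whenever TLS is mandatory (starttls or smtps) unless no-verify was given */`, would document the new intent. mta_relay's body starts and ends outside the hunk.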
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index d80fd6e9590..c3177e3f058 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.221 2018/09/07 07:35:31 miko Exp $ */
+/* $OpenBSD: parse.y,v 1.222 2018/09/24 16:14:34 eric Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -739,17 +739,21 @@ HELO STRING {
dispatcher->u.remote.smarthost = strdup(t->t_name);
}
-| TLS NO_VERIFY {
- if (dispatcher->u.remote.smarthost == NULL) {
- yyerror("tls no-verify may not be specified without host on a dispatcher");
+| TLS {
+ if (dispatcher->u.remote.tls_required == 1) {
+ yyerror("tls already specified for this dispatcher");
YYERROR;
}
- if (dispatcher->u.remote.tls_noverify == 1) {
- yyerror("tls no-verify already specified for this dispatcher");
+ dispatcher->u.remote.tls_required = 1;
+}
+| TLS NO_VERIFY {
+ if (dispatcher->u.remote.tls_required == 1) {
+ yyerror("tls already specified for this dispatcher");
YYERROR;
}
+ dispatcher->u.remote.tls_required = 1;
dispatcher->u.remote.tls_noverify = 1;
}
| AUTH tables {
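Review bot: The `TLS` and `TLS NO_VERIFY` alternatives repeat the same `tls_required == 1` guard and error text verbatim, and the second additionally sets both flags; folding the guard into one small helper would keep the message consistent if either rule changes. The removed requirement that `tls no-verify` be paired with a host is dropped deliberately, so `tls no-verify` on an MX-relaying action now forces STARTTLS with certificate verification disabled, a combination the manual page hunk only describes implicitly and that could be stated there. A comment on the rule, `/* tls_noverify is only meaningful together with tls_required; both rules set it */`, would make that invariant explicit for readers of mta_relay. The action rule enclosing these alternatives starts and ends outside the hunk.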
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index f897b9a7101..02a7b281981 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.204 2018/09/10 12:42:17 jmc Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.205 2018/09/24 16:14:34 eric Exp $
.\"
.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
.\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -17,7 +17,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\"
-.Dd $Mdocdate: September 10 2018 $
+.Dd $Mdocdate: September 24 2018 $
.Dt SMTPD.CONF 5
.Os
.Sh NAME
@@ -265,8 +265,13 @@ and
.Dq smtps
protocols for authentication.
Server certificates for those protocols are verified by default.
-.It Cm tls no-verify
-Do not require a valid certificate for the specified host.
+.It Cm tls Op no-verify
+Require TLS to be used when relaying, using mandatory STARTTLS by default.
+When used with a smarthost, the protocol must not be
+.Dq smtp+notls:// .
+If
+.Op no-verify
+is specified, do not require a valid certificate.
.It Cm auth Pf < Ar table Ns >
Use the mapping
.Ar table
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index baa224a0a80..89b01e4f118 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.561 2018/09/19 05:31:12 eric Exp $ */
+/* $OpenBSD: smtpd.h,v 1.562 2018/09/24 16:14:34 eric Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -1063,6 +1063,7 @@ struct dispatcher_remote {
char *smarthost;
char *auth;
+ int tls_required;
int tls_noverify;
int backup;