diff options
author | Eric Faurot <eric@cvs.openbsd.org> | 2018-09-24 16:14:35 +0000 |
---|---|---|
committer | Eric Faurot <eric@cvs.openbsd.org> | 2018-09-24 16:14:35 +0000 |
commit | 681145f0d4f58f7d8231319eebb8dc4931bea169 (patch) | |
tree | 74b82629647cdea1cd0d943b04456780d5efb6be /usr.sbin | |
parent | 5e85f2b6d4d448a1b04c9c07639a4259e1d182ca (diff) |
Allow to use the "tls" keyword on any relay action to force TLS, with
strict certificate validation. The "no-verify" becomes optional.
ok gilles@ millert@ semarie@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/smtpd/mta.c | 21 | ||||
-rw-r--r-- | usr.sbin/smtpd/parse.y | 16 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.conf.5 | 13 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.h | 3 |
4 files changed, 40 insertions, 13 deletions
diff --git a/usr.sbin/smtpd/mta.c b/usr.sbin/smtpd/mta.c index 4da1a84c2eb..b7a841d15b0 100644 --- a/usr.sbin/smtpd/mta.c +++ b/usr.sbin/smtpd/mta.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mta.c,v 1.225 2018/09/19 05:31:12 eric Exp $ */ +/* $OpenBSD: mta.c,v 1.226 2018/09/24 16:14:34 eric Exp $ */ /* * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org> @@ -657,6 +657,23 @@ mta_handle_envelope(struct envelope *evp, const char *smarthost) return; } + if (dispatcher->u.remote.tls_required) { + /* Reject relay if smtp+notls:// is requested */ + if (relayh.tls == RELAY_TLS_NO) { + log_warnx("warn: TLS required for action \"%s\"", + evp->dispatcher); + m_create(p_queue, IMSG_MTA_DELIVERY_TEMPFAIL, 0, 0, -1); + m_add_evpid(p_queue, evp->id); + m_add_string(p_queue, "TLS required for relaying"); + m_add_int(p_queue, ESC_OTHER_STATUS); + m_close(p_queue); + return; + } + /* Update smtp:// to smtp+tls:// */ + if (relayh.tls == RELAY_TLS_OPPORTUNISTIC) + relayh.tls = RELAY_TLS_STARTTLS; + } + relay = mta_relay(evp, &relayh); /* ignore if we don't know the limits yet */ if (relay->limits && @@ -1739,7 +1756,7 @@ mta_relay(struct envelope *e, struct relayhost *relayh) if (!key.authlabel[0]) key.authlabel = NULL; - if (dispatcher->u.remote.smarthost && + if ((key.tls == RELAY_TLS_STARTTLS || key.tls == RELAY_TLS_SMTPS) && dispatcher->u.remote.tls_noverify == 0) key.flags |= RELAY_TLS_VERIFY; diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y index d80fd6e9590..c3177e3f058 100644 --- a/usr.sbin/smtpd/parse.y +++ b/usr.sbin/smtpd/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.221 2018/09/07 07:35:31 miko Exp $ */ +/* $OpenBSD: parse.y,v 1.222 2018/09/24 16:14:34 eric Exp $ */ /* * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org> @@ -739,17 +739,21 @@ HELO STRING { dispatcher->u.remote.smarthost = strdup(t->t_name); } -| TLS NO_VERIFY { - if (dispatcher->u.remote.smarthost == NULL) { - yyerror("tls no-verify may not be specified without host on a dispatcher"); +| TLS { + if (dispatcher->u.remote.tls_required == 1) { + yyerror("tls already specified for this dispatcher"); YYERROR; } - if (dispatcher->u.remote.tls_noverify == 1) { - yyerror("tls no-verify already specified for this dispatcher"); + dispatcher->u.remote.tls_required = 1; +} +| TLS NO_VERIFY { + if (dispatcher->u.remote.tls_required == 1) { + yyerror("tls already specified for this dispatcher"); YYERROR; } + dispatcher->u.remote.tls_required = 1; dispatcher->u.remote.tls_noverify = 1; } | AUTH tables { diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5 index f897b9a7101..02a7b281981 100644 --- a/usr.sbin/smtpd/smtpd.conf.5 +++ b/usr.sbin/smtpd/smtpd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: smtpd.conf.5,v 1.204 2018/09/10 12:42:17 jmc Exp $ +.\" $OpenBSD: smtpd.conf.5,v 1.205 2018/09/24 16:14:34 eric Exp $ .\" .\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org> .\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net> @@ -17,7 +17,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" .\" -.Dd $Mdocdate: September 10 2018 $ +.Dd $Mdocdate: September 24 2018 $ .Dt SMTPD.CONF 5 .Os .Sh NAME @@ -265,8 +265,13 @@ and .Dq smtps protocols for authentication. Server certificates for those protocols are verified by default. -.It Cm tls no-verify -Do not require a valid certificate for the specified host. +.It Cm tls Op no-verify +Require TLS to be used when relaying, using mandatory STARTTLS by default. +When used with a smarthost, the protocol must not be +.Dq smtp+notls:// . +If +.Op no-verify +is specified, do not require a valid certificate. .It Cm auth Pf < Ar table Ns > Use the mapping .Ar table diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h index baa224a0a80..89b01e4f118 100644 --- a/usr.sbin/smtpd/smtpd.h +++ b/usr.sbin/smtpd/smtpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: smtpd.h,v 1.561 2018/09/19 05:31:12 eric Exp $ */ +/* $OpenBSD: smtpd.h,v 1.562 2018/09/24 16:14:34 eric Exp $ */ /* * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org> @@ -1063,6 +1063,7 @@ struct dispatcher_remote { char *smarthost; char *auth; + int tls_required; int tls_noverify; int backup; |