author | Gilles Chehade <gilles@cvs.openbsd.org> | 2010-10-29 09:16:09 +0000 |
committer | Gilles Chehade <gilles@cvs.openbsd.org> | 2010-10-29 09:16:09 +0000 |
commit | 7e76f02782ab7976338844f864eef0659b6e5393 (patch) | |
tree | bc9ef868b80c0064dce46f04de870680dc036365 /usr.sbin | |
parent | 3bbbe5b8ce319e42892d378b832ec4eb444528c1 (diff) |
smtpd no longer knows a map called "secrets" which holds credentials for
authenticated relaying. one can create many maps holding credentials and
name them however he/she wants, just like any other map.
teach smtpd how to select a credentials map at the rule level, allowing a
setup to relay through the same MX with different credentials depending
on the source.
smtpd.conf.5 updated to reflect changes with help from jmc@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/smtpd/lka.c | 5 | ||||
-rw-r--r-- | usr.sbin/smtpd/mfa.c | 3 | ||||
-rw-r--r-- | usr.sbin/smtpd/mta.c | 7 | ||||
-rw-r--r-- | usr.sbin/smtpd/parse.y | 24 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.conf.5 | 211 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.h | 9 |
6 files changed, 138 insertions, 121 deletions
diff --git a/usr.sbin/smtpd/lka.c b/usr.sbin/smtpd/lka.c
index c2376e32db2..c4849e775de 100644
--- a/usr.sbin/smtpd/lka.c
+++ b/usr.sbin/smtpd/lka.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lka.c,v 1.119 2010/10/09 22:05:35 gilles Exp $ */
+/* $OpenBSD: lka.c,v 1.120 2010/10/29 09:16:07 gilles Exp $ */
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -128,8 +128,9 @@ lka_imsg(struct smtpd *env, struct imsgev *iev, struct imsg *imsg)
 	switch (imsg->hdr.type) {
 	case IMSG_LKA_SECRET: {
 		struct map_secret *map_secret;
+
 		secret = imsg->data;
-		map = map_findbyname(env, "secrets");
+		map = map_find(env, secret->secmapid);
 		if (map == NULL)
 			fatalx("lka: secrets map not found");
 		map_secret = map_lookup(env, map->m_id, secret->host, K_SECRET);
diff --git a/usr.sbin/smtpd/mfa.c b/usr.sbin/smtpd/mfa.c
index 5b7f1677d21..9daa14d7ece 100644
--- a/usr.sbin/smtpd/mfa.c
+++ b/usr.sbin/smtpd/mfa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mfa.c,v 1.51 2010/10/28 21:15:50 gilles Exp $ */
+/* $OpenBSD: mfa.c,v 1.52 2010/10/29 09:16:07 gilles Exp $ */
 
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@openbsd.org>
@@ -275,7 +275,6 @@ mfa_test_rcpt_resume(struct smtpd *env, struct submit_status *ss)
 {
 	ss->msg.recipient = ss->u.path;
 	ss->msg.expire = ss->msg.recipient.rule.r_qexpire;
-	log_debug("EXPIRE IN %d", ss->msg.expire);
 	imsg_compose_event(env->sc_ievs[PROC_LKA], IMSG_LKA_RCPT, 0, 0, -1,
 	    ss, sizeof(*ss));
 }
diff --git a/usr.sbin/smtpd/mta.c b/usr.sbin/smtpd/mta.c
index b9119a80c91..58248b8a73a 100644
--- a/usr.sbin/smtpd/mta.c
+++ b/usr.sbin/smtpd/mta.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta.c,v 1.93 2010/10/09 22:05:35 gilles Exp $ */
+/* $OpenBSD: mta.c,v 1.94 2010/10/29 09:16:07 gilles Exp $ */
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
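Review bot: The lookup in the -128 hunk now keys on `secret->secmapid`, a per-rule id received over imsg from the mta process, but the unchanged `fatalx("lka: secrets map not found")` still reports nothing about which id missed and still takes the whole lka process down for what is one relay session's credential fetch. Map names are resolved to ids at parse time (the `credentials` rule in parse.y), so a miss here would point to a config/runtime mismatch rather than bad external input, but it is still worth logging the id before aborting, e.g. `log_warnx("lka: secrets map %u not found", secret->secmapid);` ahead of the fatalx, and worth considering a non-fatal reply path so one bad rule cannot stop all lookups. lka_imsg continues outside the hunk.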
@@ -103,8 +103,10 @@ mta_imsg(struct smtpd *env, struct imsgev *iev, struct imsg *imsg)
 
 			/* use auth? */
 			if ((b->rule.r_value.relayhost.flags & F_SSL) &&
-			    (b->rule.r_value.relayhost.flags & F_AUTH))
+			    (b->rule.r_value.relayhost.flags & F_AUTH)) {
 				s->flags |= MTA_USE_AUTH;
+				s->secmapid = b->rule.r_value.relayhost.secmapid;
+			}
 
 			/* force a particular SSL mode? */
 			switch (b->rule.r_value.relayhost.flags & F_SSL) {
@@ -352,6 +354,7 @@ mta_enter_state(struct mta_session *s, int newstate, void *p)
 		 */
 		bzero(&secret, sizeof(secret));
 		secret.id = s->id;
+		secret.secmapid = s->secmapid;
 		strlcpy(secret.host, s->host, sizeof(secret.host));
 		imsg_compose_event(s->env->sc_ievs[PROC_LKA], IMSG_LKA_SECRET,
 		    0, 0, -1, &secret, sizeof(secret));
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index eebf471f02a..38ce43c1716 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.69 2010/10/28 21:15:50 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.70 2010/10/29 09:16:08 gilles Exp $ */
 
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@openbsd.org>
@@ -126,7 +126,7 @@ typedef struct {
 %token <v.string> STRING
 %token <v.number> NUMBER
 %type <v.map> map
-%type <v.number> quantifier decision port from auth ssl size expire
+%type <v.number> quantifier decision port from auth ssl size expire credentials
 %type <v.cond> condition
 %type <v.tv> interval
 %type <v.object> mapref
@@ -280,6 +280,20 @@ expire : EXPIRE STRING {
 		| /* empty */ { $$ = conf->sc_qexpire; }
 		;
 
+credentials	: AUTH STRING {
+			struct map *m;
+
+			if ((m = map_findbyname(conf, $2)) == NULL) {
+				yyerror("no such map: %s", $2);
+				free($2);
+				YYERROR;
+			}
+			free($2);
+			$$ = m->m_id;
+		}
+		| /* empty */ { $$ = 0; }
+		;
+
 main		: QUEUE INTERVAL interval {
 			conf->sc_qintval = $3;
 		}
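Review bot: The empty alternative of the new `credentials` rule yields 0, and the action rule in the -889 hunk turns that value into the auth decision with `if ($7)`, so the grammar silently relies on no map ever being assigned id 0; if map ids come from a counter that starts at 0 (the allocation is not visible here), the first declared map could not be used for credentials and F_AUTH would never be set for it, with no error. Either confirm that ids start at 1 and record it on the empty alternative, e.g. `| /* empty */ { $$ = 0; }	/* 0: no credentials map, map ids start at 1 */`, or carry a separate "auth requested" value instead of overloading the id. The rule also accepts any map by name without checking that it is suitable as a credentials map, so a rule naming the wrong map is only noticed at relay time in lka rather than when the configuration is loaded; a parse-time check would fail earlier and with a clearer message. The `action` rule the -889 hunk belongs to begins outside that hunk.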
@@ -871,7 +885,7 @@ action : DELIVER TO MAILDIR user {
 		| RELAY {
 			rule->r_action = A_RELAY;
 		}
-		| RELAY VIA STRING port ssl certname auth {
+		| RELAY VIA STRING port ssl certname credentials {
 			rule->r_action = A_RELAYVIA;
 
 			if ($5 == 0 && ($6 != NULL || $7)) {
@@ -889,8 +903,10 @@ action : DELIVER TO MAILDIR user {
 			rule->r_value.relayhost.port = $4;
 			rule->r_value.relayhost.flags |= $5;
 
-			if ($7)
+			if ($7) {
 				rule->r_value.relayhost.flags |= F_AUTH;
+				rule->r_value.relayhost.secmapid = $7;
+			}
 
 			if ($6 != NULL) {
 				if (ssl_load_certfile(conf, $6, F_CCERT) < 0) {
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index adcb3b61821..c60e647023d 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.35 2010/10/28 21:15:50 gilles Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.36 2010/10/29 09:16:08 gilles Exp $
 .\"
 .\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
 .\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .\"
-.Dd $Mdocdate: October 28 2010 $
+.Dd $Mdocdate: October 29 2010 $
 .Dt SMTPD.CONF 5
 .Os
 .Sh NAME
@@ -76,6 +76,101 @@ The syntax of
 .Nm
 is described below.
 .Bl -tag -width Ds
+.It Ic expire Ar n {s|m|h|d}
+Specify how long a message can stay in the queue.
+The default value is 4 days.
+For example:
+.Bd -literal -offset indent
+expire 4d # expire after 4 days
+expire 10h # expire after 10 hours
+.Ed
+.It Ic hostname Ar name
+Specify the domain name of the server.
+By default the current host name is used,
+as returned by
+.Xr hostname 1 .
+.It Xo
+.Ic listen on Ar interface
+.Op Ic port Ar port
+.Op Ic tls | smtps
+.Op Ic certificate Ar name
+.Op Ic enable auth
+.Xc
+Specify an
+.Ar interface
+and
+.Ar port
+to listen on.
+An IP address or domain name may be used in place of
+.Ar interface .
+.Pp
+Secured connections are provided either using STARTTLS
+.Pq Ic tls ,
+by default on port 25,
+or SMTPS
+.Pq Ic smtps ,
+by default on port 465.
+Creation of certificates is documented in
+.Xr starttls 8 .
+If no certificate
+.Ar name
+is specified, the
+.Pa /etc/mail/certs
+directory is searched for a file named by joining
+the interface name with a .crt extension, e.g.\&
+.Pa /etc/mail/certs/fxp0.crt .
+.Pp
+If the
+.Ic enable auth
+parameter is used,
+any remote sender that passed SMTPAUTH is treated as if
+it was the server's local user that was sending the mail.
+This means that filter rules using "from local" will be matched.
+.It Xo
+.Ic map Ar map
+.No {
+.Ic source Ar type Ar source
+.No }
+.Xc
+Maps are used to provide additional configuration information for
+.Xr smtpd 8 .
+.Pp
+.Ar map
+may be named freely.
+.Pp
+.Ar type
+may be one of the following:
+.Pp
+.Bl -tag -width "fileXXX" -compact
+.It db
+Mappings are stored in a file created using
+.Xr makemap 8 .
+This is the default type if none is specified.
+.It dns
+Not implemented yet.
+.It plain
+Mappings are stored in a plain text file using the
+same format as used to generate
+.Xr makemap 8
+mappings.
+.El
+.Pp
+.Ar source
+specifies the source of the map data.
+It must be an absolute path to a file for the
+.Dq file
+and
+.Dq db
+map types,
+or a domain name for the
+.Dq dns
+map type.
+.It Ic size Ar n
+Specify a maximum message size of
+.Ar n
+bytes.
+The argument may contain a multiplier, as documented in
+.Xr scan_scaled 3 .
 .It Ic accept | reject
 .Xr smtpd 8
 accepts and rejects messages
@@ -172,7 +267,7 @@ The routing decision is based on the DNS system.
 .Op Ic port Ar port
 .Op Ic tls | smtps | ssl
 .Op Ic certificate Ar name
-.Op Ic enable auth
+.Op Ic auth Ar map
 .Xc
 Mail is relayed through the specified
 .Ar host
@@ -200,113 +295,13 @@ Creation of certificates is documented in
 If an SMTPAUTH session with
 .Ar host
 is desired, use the
-.Ic enable auth
-parameter.
+.Ic auth
+parameter to specify the
+.Ar map
+that holds the credentials.
 .It Ic expire Ar n {s|m|h|d}
 Specify how long a message that matched this rule can stay in the queue.
 .El
-.It Ic expire Ar n {s|m|h|d}
-Specify how long a message can stay in the queue.
-The default value is 4 days.
-For example:
-.Bd -literal -offset indent
-expire 4d # expire after 4 days
-expire 10h # expire after 10 hours
-.Ed
-.It Ic hostname Ar name
-Specify the domain name of the server.
-By default the current host name is used,
-as returned by
-.Xr hostname 1 .
-.It Xo
-.Ic listen on Ar interface
-.Op Ic port Ar port
-.Op Ic tls | smtps
-.Op Ic certificate Ar name
-.Op Ic enable auth
-.Xc
-Specify an
-.Ar interface
-and
-.Ar port
-to listen on.
-An IP address or domain name may be used in place of
-.Ar interface .
-.Pp
-Secured connections are provided either using STARTTLS
-.Pq Ic tls ,
-by default on port 25,
-or SMTPS
-.Pq Ic smtps ,
-by default on port 465.
-Creation of certificates is documented in
-.Xr starttls 8 .
-If no certificate
-.Ar name
-is specified, the
-.Pa /etc/mail/certs
-directory is searched for a file named by joining
-the interface name with a .crt extension, e.g.\&
-.Pa /etc/mail/certs/fxp0.crt .
-.Pp
-If the
-.Ic enable auth
-parameter is used,
-any remote sender that passed SMTPAUTH is treated as if
-it was the server's local user that was sending the mail.
-This means that filter rules using "from local" will be matched.
-.It Xo
-.Ic map Ar map
-.No {
-.Ic source Ar type Ar source
-.No }
-.Xc
-Maps are used to provide additional configuration information for
-.Xr smtpd 8 .
-.Pp
-.Ar map
-may be named freely except for the following:
-.Pp
-.Bl -tag -width "virtualXXX" -compact
-.It secrets
-Map queried for remote host credentials.
-See
-.Xr makemap 8 .
-.El
-.Pp
-.Ar type
-may be one of the following:
-.Pp
-.Bl -tag -width "fileXXX" -compact
-.It db
-Mappings are stored in a file created using
-.Xr makemap 8 .
-This is the default type if none is specified.
-.It dns
-Not implemented yet.
-.It plain
-Mappings are stored in a plain text file using the
-same format as used to generate
-.Xr makemap 8
-mappings.
-.El
-.Pp
-.Ar source
-specifies the source of the map data.
-It must be an absolute path to a file for the
-.Dq file
-and
-.Dq db
-map types,
-or a domain name for the
-.Dq dns
-map type.
-.It Ic size Ar n
-Specify a maximum message size of
-.Ar n
-bytes.
-The argument may contain a multiplier, as documented in
-.Xr scan_scaled 3 .
 .El
 .Sh FILES
 .Bl -tag -width "/etc/mail/smtpd.confXXX" -compact
@@ -345,7 +340,7 @@ listen on lo0
 map aliases { source db "/etc/mail/aliases.db" }
 map secrets { source db "/etc/mail/secrets.db" }
 accept for local deliver to mbox
-accept for all relay via smtp.gmail.com tls enable auth
+accept for all relay via smtp.gmail.com tls auth "secrets"
 .Ed
 .Pp
 In this second example,
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 3387f927d47..4d803be0267 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.196 2010/10/28 21:15:50 gilles Exp $ */
+/* $OpenBSD: smtpd.h,v 1.197 2010/10/29 09:16:08 gilles Exp $ */
 
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@openbsd.org>
@@ -103,6 +103,8 @@
 	((s)->s_l->flags & F_AUTH && (s)->s_flags & F_SECURE && \
 	    !((s)->s_flags & F_AUTHENTICATED))
 
+typedef u_int32_t objid_t;
+
 struct netaddr {
 	struct sockaddr_storage ss;
 	int bits;
@@ -113,6 +115,7 @@ struct relayhost {
 	char hostname[MAXHOSTNAMELEN];
 	u_int16_t port;
 	char cert[PATH_MAX];
+	objid_t secmapid;
 };
 
 enum imsg_type {
@@ -211,8 +214,6 @@ struct ctl_conn {
 };
 TAILQ_HEAD(ctl_connlist, ctl_conn);
 
-typedef u_int32_t objid_t;
-
 struct ctl_id {
 	objid_t id;
 	char name[MAX_NAME_SIZE];
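Review bot: The new `objid_t secmapid;` field in struct relayhost (the -113 hunk) carries a contract the header does not state: parse.y stores the credentials map's id there and leaves it 0 when a relay rule has no `auth` clause, and mta.c copies it through struct mta_session into the struct secret that crosses the imsg boundary (the -734 and -813 hunks that follow). A one-line comment on the field keeps that visible to the next reader, e.g. `objid_t secmapid;	/* credentials map id, 0 = none */`, with the same note on the mta_session and secret copies. struct relayhost begins outside the hunk.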
@@ -734,6 +735,7 @@ struct dns {
 
 struct secret {
 	u_int64_t id;
+	objid_t secmapid;
 	char host[MAXHOSTNAMELEN];
 	char secret[MAX_LINE_SIZE];
 };
@@ -813,6 +815,7 @@ struct mta_session {
 	int flags;
 	TAILQ_HEAD(,message) recipients;
 	TAILQ_HEAD(,mta_relay) relays;
+	objid_t secmapid;
 	char *secret;
 	int fd;
 	int datafd;
|