summaryrefslogtreecommitdiff
path: root/usr.sbin
diff options
context:
space:
mode:
authorGilles Chehade <gilles@cvs.openbsd.org>2010-10-29 09:16:09 +0000
committerGilles Chehade <gilles@cvs.openbsd.org>2010-10-29 09:16:09 +0000
commit7e76f02782ab7976338844f864eef0659b6e5393 (patch)
treebc9ef868b80c0064dce46f04de870680dc036365 /usr.sbin
parent3bbbe5b8ce319e42892d378b832ec4eb444528c1 (diff)
smtpd no longer knows a map called "secrets" which holds credentials for
authenticated relaying. one can create many maps holding credentials and name them however he/she wants, just like any other map. teach smtpd how to select a credentials map at the rule-level allowing a setup to relay through the same MX with different credentials depending on the source. smtpd.conf.5 updated to reflect changes with help from jmc@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/smtpd/lka.c5
-rw-r--r--usr.sbin/smtpd/mfa.c3
-rw-r--r--usr.sbin/smtpd/mta.c7
-rw-r--r--usr.sbin/smtpd/parse.y24
-rw-r--r--usr.sbin/smtpd/smtpd.conf.5211
-rw-r--r--usr.sbin/smtpd/smtpd.h9
6 files changed, 138 insertions, 121 deletions
diff --git a/usr.sbin/smtpd/lka.c b/usr.sbin/smtpd/lka.c
index c2376e32db2..c4849e775de 100644
--- a/usr.sbin/smtpd/lka.c
+++ b/usr.sbin/smtpd/lka.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lka.c,v 1.119 2010/10/09 22:05:35 gilles Exp $ */
+/* $OpenBSD: lka.c,v 1.120 2010/10/29 09:16:07 gilles Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -128,8 +128,9 @@ lka_imsg(struct smtpd *env, struct imsgev *iev, struct imsg *imsg)
switch (imsg->hdr.type) {
case IMSG_LKA_SECRET: {
struct map_secret *map_secret;
+
secret = imsg->data;
- map = map_findbyname(env, "secrets");
+ map = map_find(env, secret->secmapid);
if (map == NULL)
fatalx("lka: secrets map not found");
map_secret = map_lookup(env, map->m_id, secret->host, K_SECRET);
diff --git a/usr.sbin/smtpd/mfa.c b/usr.sbin/smtpd/mfa.c
index 5b7f1677d21..9daa14d7ece 100644
--- a/usr.sbin/smtpd/mfa.c
+++ b/usr.sbin/smtpd/mfa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mfa.c,v 1.51 2010/10/28 21:15:50 gilles Exp $ */
+/* $OpenBSD: mfa.c,v 1.52 2010/10/29 09:16:07 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@openbsd.org>
@@ -275,7 +275,6 @@ mfa_test_rcpt_resume(struct smtpd *env, struct submit_status *ss) {
ss->msg.recipient = ss->u.path;
ss->msg.expire = ss->msg.recipient.rule.r_qexpire;
- log_debug("EXPIRE IN %d", ss->msg.expire);
imsg_compose_event(env->sc_ievs[PROC_LKA], IMSG_LKA_RCPT, 0, 0, -1,
ss, sizeof(*ss));
}
diff --git a/usr.sbin/smtpd/mta.c b/usr.sbin/smtpd/mta.c
index b9119a80c91..58248b8a73a 100644
--- a/usr.sbin/smtpd/mta.c
+++ b/usr.sbin/smtpd/mta.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta.c,v 1.93 2010/10/09 22:05:35 gilles Exp $ */
+/* $OpenBSD: mta.c,v 1.94 2010/10/29 09:16:07 gilles Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -103,8 +103,10 @@ mta_imsg(struct smtpd *env, struct imsgev *iev, struct imsg *imsg)
/* use auth? */
if ((b->rule.r_value.relayhost.flags & F_SSL) &&
- (b->rule.r_value.relayhost.flags & F_AUTH))
+ (b->rule.r_value.relayhost.flags & F_AUTH)) {
s->flags |= MTA_USE_AUTH;
+ s->secmapid = b->rule.r_value.relayhost.secmapid;
+ }
/* force a particular SSL mode? */
switch (b->rule.r_value.relayhost.flags & F_SSL) {
@@ -352,6 +354,7 @@ mta_enter_state(struct mta_session *s, int newstate, void *p)
*/
bzero(&secret, sizeof(secret));
secret.id = s->id;
+ secret.secmapid = s->secmapid;
strlcpy(secret.host, s->host, sizeof(secret.host));
imsg_compose_event(s->env->sc_ievs[PROC_LKA], IMSG_LKA_SECRET,
0, 0, -1, &secret, sizeof(secret));
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index eebf471f02a..38ce43c1716 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.69 2010/10/28 21:15:50 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.70 2010/10/29 09:16:08 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@openbsd.org>
@@ -126,7 +126,7 @@ typedef struct {
%token <v.string> STRING
%token <v.number> NUMBER
%type <v.map> map
-%type <v.number> quantifier decision port from auth ssl size expire
+%type <v.number> quantifier decision port from auth ssl size expire credentials
%type <v.cond> condition
%type <v.tv> interval
%type <v.object> mapref
@@ -280,6 +280,20 @@ expire : EXPIRE STRING {
| /* empty */ { $$ = conf->sc_qexpire; }
;
+credentials : AUTH STRING {
+ struct map *m;
+
+ if ((m = map_findbyname(conf, $2)) == NULL) {
+ yyerror("no such map: %s", $2);
+ free($2);
+ YYERROR;
+ }
+ free($2);
+ $$ = m->m_id;
+ }
+ | /* empty */ { $$ = 0; }
+ ;
+
main : QUEUE INTERVAL interval {
conf->sc_qintval = $3;
}
@@ -871,7 +885,7 @@ action : DELIVER TO MAILDIR user {
| RELAY {
rule->r_action = A_RELAY;
}
- | RELAY VIA STRING port ssl certname auth {
+ | RELAY VIA STRING port ssl certname credentials {
rule->r_action = A_RELAYVIA;
if ($5 == 0 && ($6 != NULL || $7)) {
@@ -889,8 +903,10 @@ action : DELIVER TO MAILDIR user {
rule->r_value.relayhost.port = $4;
rule->r_value.relayhost.flags |= $5;
- if ($7)
+ if ($7) {
rule->r_value.relayhost.flags |= F_AUTH;
+ rule->r_value.relayhost.secmapid = $7;
+ }
if ($6 != NULL) {
if (ssl_load_certfile(conf, $6, F_CCERT) < 0) {
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index adcb3b61821..c60e647023d 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.35 2010/10/28 21:15:50 gilles Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.36 2010/10/29 09:16:08 gilles Exp $
.\"
.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
.\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\"
-.Dd $Mdocdate: October 28 2010 $
+.Dd $Mdocdate: October 29 2010 $
.Dt SMTPD.CONF 5
.Os
.Sh NAME
@@ -76,6 +76,101 @@ The syntax of
.Nm
is described below.
.Bl -tag -width Ds
+.It Ic expire Ar n {s|m|h|d}
+Specify how long a message can stay in the queue.
+The default value is 4 days.
+For example:
+.Bd -literal -offset indent
+expire 4d # expire after 4 days
+expire 10h # expire after 10 hours
+.Ed
+.It Ic hostname Ar name
+Specify the domain name of the server.
+By default the current host name is used,
+as returned by
+.Xr hostname 1 .
+.It Xo
+.Ic listen on Ar interface
+.Op Ic port Ar port
+.Op Ic tls | smtps
+.Op Ic certificate Ar name
+.Op Ic enable auth
+.Xc
+Specify an
+.Ar interface
+and
+.Ar port
+to listen on.
+An IP address or domain name may be used in place of
+.Ar interface .
+.Pp
+Secured connections are provided either using STARTTLS
+.Pq Ic tls ,
+by default on port 25,
+or SMTPS
+.Pq Ic smtps ,
+by default on port 465.
+Creation of certificates is documented in
+.Xr starttls 8 .
+If no certificate
+.Ar name
+is specified, the
+.Pa /etc/mail/certs
+directory is searched for a file named by joining
+the interface name with a .crt extension, e.g.\&
+.Pa /etc/mail/certs/fxp0.crt .
+.Pp
+If the
+.Ic enable auth
+parameter is used,
+any remote sender that passed SMTPAUTH is treated as if
+it was the server's local user that was sending the mail.
+This means that filter rules using "from local" will be matched.
+.It Xo
+.Ic map Ar map
+.No {
+.Ic source Ar type Ar source
+.No }
+.Xc
+Maps are used to provide additional configuration information for
+.Xr smtpd 8 .
+.Pp
+.Ar map
+may be named freely.
+.Pp
+.Ar type
+may be one of the following:
+.Pp
+.Bl -tag -width "fileXXX" -compact
+.It db
+Mappings are stored in a file created using
+.Xr makemap 8 .
+This is the default type if none is specified.
+.It dns
+Not implemented yet.
+.It plain
+Mappings are stored in a plain text file using the
+same format as used to generate
+.Xr makemap 8
+mappings.
+.El
+.Pp
+.Ar source
+specifies the source of the map data.
+It must be an absolute path to a file for the
+.Dq file
+and
+.Dq db
+map types,
+or a domain name for the
+.Dq dns
+map type.
+.It Ic size Ar n
+Specify a maximum message size of
+.Ar n
+bytes.
+The argument may contain a multiplier, as documented in
+.Xr scan_scaled 3 .
.It Ic accept | reject
.Xr smtpd 8
accepts and rejects messages
@@ -172,7 +267,7 @@ The routing decision is based on the DNS system.
.Op Ic port Ar port
.Op Ic tls | smtps | ssl
.Op Ic certificate Ar name
-.Op Ic enable auth
+.Op Ic auth Ar map
.Xc
Mail is relayed through the specified
.Ar host
@@ -200,113 +295,13 @@ Creation of certificates is documented in
If an SMTPAUTH session with
.Ar host
is desired, use the
-.Ic enable auth
-parameter.
+.Ic auth
+parameter to specify the
+.Ar map
+that holds the credentials.
.It Ic expire Ar n {s|m|h|d}
Specify how long a message that matched this rule can stay in the queue.
.El
-.It Ic expire Ar n {s|m|h|d}
-Specify how long a message can stay in the queue.
-The default value is 4 days.
-For example:
-.Bd -literal -offset indent
-expire 4d # expire after 4 days
-expire 10h # expire after 10 hours
-.Ed
-.It Ic hostname Ar name
-Specify the domain name of the server.
-By default the current host name is used,
-as returned by
-.Xr hostname 1 .
-.It Xo
-.Ic listen on Ar interface
-.Op Ic port Ar port
-.Op Ic tls | smtps
-.Op Ic certificate Ar name
-.Op Ic enable auth
-.Xc
-Specify an
-.Ar interface
-and
-.Ar port
-to listen on.
-An IP address or domain name may be used in place of
-.Ar interface .
-.Pp
-Secured connections are provided either using STARTTLS
-.Pq Ic tls ,
-by default on port 25,
-or SMTPS
-.Pq Ic smtps ,
-by default on port 465.
-Creation of certificates is documented in
-.Xr starttls 8 .
-If no certificate
-.Ar name
-is specified, the
-.Pa /etc/mail/certs
-directory is searched for a file named by joining
-the interface name with a .crt extension, e.g.\&
-.Pa /etc/mail/certs/fxp0.crt .
-.Pp
-If the
-.Ic enable auth
-parameter is used,
-any remote sender that passed SMTPAUTH is treated as if
-it was the server's local user that was sending the mail.
-This means that filter rules using "from local" will be matched.
-.It Xo
-.Ic map Ar map
-.No {
-.Ic source Ar type Ar source
-.No }
-.Xc
-Maps are used to provide additional configuration information for
-.Xr smtpd 8 .
-.Pp
-.Ar map
-may be named freely except for the following:
-.Pp
-.Bl -tag -width "virtualXXX" -compact
-.It secrets
-Map queried for remote host credentials.
-See
-.Xr makemap 8 .
-.El
-.Pp
-.Ar type
-may be one of the following:
-.Pp
-.Bl -tag -width "fileXXX" -compact
-.It db
-Mappings are stored in a file created using
-.Xr makemap 8 .
-This is the default type if none is specified.
-.It dns
-Not implemented yet.
-.It plain
-Mappings are stored in a plain text file using the
-same format as used to generate
-.Xr makemap 8
-mappings.
-.El
-.Pp
-.Ar source
-specifies the source of the map data.
-It must be an absolute path to a file for the
-.Dq file
-and
-.Dq db
-map types,
-or a domain name for the
-.Dq dns
-map type.
-.It Ic size Ar n
-Specify a maximum message size of
-.Ar n
-bytes.
-The argument may contain a multiplier, as documented in
-.Xr scan_scaled 3 .
.El
.Sh FILES
.Bl -tag -width "/etc/mail/smtpd.confXXX" -compact
@@ -345,7 +340,7 @@ listen on lo0
map aliases { source db "/etc/mail/aliases.db" }
map secrets { source db "/etc/mail/secrets.db" }
accept for local deliver to mbox
-accept for all relay via smtp.gmail.com tls enable auth
+accept for all relay via smtp.gmail.com tls auth "secrets"
.Ed
.Pp
In this second example,
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 3387f927d47..4d803be0267 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.196 2010/10/28 21:15:50 gilles Exp $ */
+/* $OpenBSD: smtpd.h,v 1.197 2010/10/29 09:16:08 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@openbsd.org>
@@ -103,6 +103,8 @@
((s)->s_l->flags & F_AUTH && (s)->s_flags & F_SECURE && \
!((s)->s_flags & F_AUTHENTICATED))
+typedef u_int32_t objid_t;
+
struct netaddr {
struct sockaddr_storage ss;
int bits;
@@ -113,6 +115,7 @@ struct relayhost {
char hostname[MAXHOSTNAMELEN];
u_int16_t port;
char cert[PATH_MAX];
+ objid_t secmapid;
};
enum imsg_type {
@@ -211,8 +214,6 @@ struct ctl_conn {
};
TAILQ_HEAD(ctl_connlist, ctl_conn);
-typedef u_int32_t objid_t;
-
struct ctl_id {
objid_t id;
char name[MAX_NAME_SIZE];
@@ -734,6 +735,7 @@ struct dns {
struct secret {
u_int64_t id;
+ objid_t secmapid;
char host[MAXHOSTNAMELEN];
char secret[MAX_LINE_SIZE];
};
@@ -813,6 +815,7 @@ struct mta_session {
int flags;
TAILQ_HEAD(,message) recipients;
TAILQ_HEAD(,mta_relay) relays;
+ objid_t secmapid;
char *secret;
int fd;
int datafd;