Age | Commit message | Author |
|
avoid using inet_pton(3), which doesn't support scoped IPv6 addresses, and use
getaddrinfo(3) instead.
ok millert@ florian@ kn@
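Added illustration of the point in the commit above (this is example code written for this page, not smtpd's own parser): inet_pton(3) rejects a link-local address carrying a "%scope" suffix, while getaddrinfo(3) with AI_NUMERICHOST accepts it, never touches DNS, and fills in sin6_scope_id. The sample inputs (fe80::1%1, 192.0.2.10, example.com) are constructed; the numeric scope "%1" is assumed to resolve on the host, which is the case on glibc, musl and the BSDs where a numeric scope id is accepted as-is.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Parse a numeric address string (IPv4, IPv6, or IPv6 with a "%scope"
 * suffix such as fe80::1%em0 or fe80::1%1) into a sockaddr without
 * doing any DNS lookup. Returns 0 on success, -1 on failure.
 */
int
parse_numeric_addr(const char *s, struct sockaddr_storage *ss, socklen_t *len)
{
	struct addrinfo hints, *res;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;	/* one result per address */
	hints.ai_flags = AI_NUMERICHOST;	/* reject anything that needs DNS */
	if (getaddrinfo(s, NULL, &hints, &res) != 0)
		return -1;
	memset(ss, 0, sizeof(*ss));
	memcpy(ss, res->ai_addr, res->ai_addrlen);
	*len = res->ai_addrlen;
	freeaddrinfo(res);
	return 0;
}

/* Address family getaddrinfo(3) assigned to s, or -1 if it rejected s. */
int
family_of(const char *s)
{
	struct sockaddr_storage ss;
	socklen_t len;

	if (parse_numeric_addr(s, &ss, &len) == -1)
		return -1;
	return ss.ss_family;
}

/* IPv6 scope id carried by s (0 for unscoped or non-IPv6 input). */
unsigned int
scope_of(const char *s)
{
	struct sockaddr_storage ss;
	struct sockaddr_in6 sin6;
	socklen_t len;

	if (parse_numeric_addr(s, &ss, &len) == -1 || ss.ss_family != AF_INET6)
		return 0;
	memcpy(&sin6, &ss, sizeof(sin6));
	return sin6.sin6_scope_id;
}

/* The inet_pton(3) way, for comparison: 1 if either family accepts s. */
int
inet_pton_accepts(const char *s)
{
	struct in_addr a4;
	struct in6_addr a6;

	return inet_pton(AF_INET, s, &a4) == 1 ||
	    inet_pton(AF_INET6, s, &a6) == 1;
}
```

Note that AI_NUMERICHOST is what keeps this safe to call from a privileged process or a parser: without it, a string that is not an address would trigger a resolver query.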
|
|
any parts of his diff not taken are noted on tech
|
|
If multiple recipients are specified but only one is valid, use the
first entry in the recipient list for the Received: header, not the
value from the last "RCPT TO:" command (which could be invalid).
From Chris Waddey
|
|
Found the hard way by renaud <at> allard <dot> it
OK eric@, gilles@, millert@
|
|
IPv6 addresses have been formatted as "[address]" in envelope files
for years. This was supposed to be removed after the 6.6 release
but got forgotten. Noticed by kn@, OK deraadt@ kn@
|
|
jmc@ dislikes a comma before "then" in a conditional, so leave those
untouched.
ok jmc@
|
This restores the documented behavior that was broken by the fix
for opportunistic TLS. OK semarie@.
|
|
There are bugs in the new libtls signer that can lead to a crash.
OK tb@ jsing@
|
|
ok tb@
|
|
If a relay is not explicitly configured to use TLS but the remote
side supports STARTTLS, we will try to use it. However, in this
case we should not verify the cert or CA (which may be self-signed).
This restores the relay behavior before the switch to libtls was made.
There is no change if the relay is explicitly configured to use TLS.
OK eric@
|
|
... including those inlined into print_dname(). This also fixes
-Wunused-but-set-variable warnings in smtpd and smtpctl.
The code was imported with asr and then copied around.
ok deraadt@ guenther@
|
|
macro-build a replacement for sccsid, and was done without any concern
for namespace damage. Unfortunately this practice started infecting
other code as others were unaware they didn't need the file.
ok millert guenther
|
|
and put some Xr in smtpd.conf.5 so people can find it;
from leon fischer
|
|
cleanup/push from larry hynes;
gilles agreed the page is suitable for installation;
|
|
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.
With help from millert@
ok benno@ deraadt@
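Added example of the pattern the commit above describes (written for this page; it is not parse.y code): every byte is cast to unsigned char before it reaches a ctype(3) function, so a byte >= 0x80 in a char is never passed as a negative int. The sample inputs containing UTF-8 bytes (0xC3 0xA9) and a lone 0xA0 are constructed; in the "C" locale neither is treated as whitespace, which is the behaviour the test below relies on.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/*
 * Pull the next whitespace-delimited word out of *p into buf (at most
 * buflen - 1 bytes copied, always NUL-terminated) and advance *p past it.
 * Returns the full length of the word, or 0 when the input is exhausted.
 *
 * A plain char holding a byte >= 0x80 is negative on most platforms;
 * passing such a value (other than EOF) to isspace() is undefined
 * behaviour, hence the (unsigned char) casts.
 */
size_t
next_word(const char **p, char *buf, size_t buflen)
{
	const char *s = *p;
	size_t len = 0, n = 0;

	while (*s != '\0' && isspace((unsigned char)*s))
		s++;
	while (*s != '\0' && !isspace((unsigned char)*s)) {
		if (n + 1 < buflen)
			buf[n++] = *s;
		s++;
		len++;
	}
	if (buflen > 0)
		buf[n] = '\0';
	*p = s;
	return len;
}

/* Number of words in s, as next_word() would tokenize it. */
int
count_words(const char *s)
{
	char buf[64];
	int n = 0;

	while (next_word(&s, buf, sizeof(buf)) > 0)
		n++;
	return n;
}

/*
 * Lowercase in place. tolower() gets an unsigned char too; in the "C"
 * locale only ASCII letters change, so UTF-8 bytes pass through intact.
 */
void
lower_ascii(char *s)
{
	for (; *s != '\0'; s++)
		*s = (char)tolower((unsigned char)*s);
}
```

The same cast is needed wherever a char is widened to int and compared against ctype results or EOF; without it the code may appear to work on a platform where char is unsigned and fail on one where it is signed.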
|
fixes a bug where ruleset was not evaluated with the expanded address.
reported by Stefan Haller
ok millert@
|
|
ok millert@
|
|
and formats a bit nicer;
while here, wrap lines to <80;
|
|
bounce report.
From Erik Brens
|
|
millert@ thinks it's useful.
|
|
As per the manual and lib/libtls/tls.c revision 1.79 from 2018
("Automatically handle library initialisation for libtls."), initialisation
is handled automatically by other tls_*(3) functions.
Remove explicit tls_init() calls from base to not give the impression of
it being needed.
Feedback tb
OK Tests mestre
|
|
ok millert@
|
|
ok jung@
|
|
for code that runs in the daemon.
ok florian@ millert@
|
|
ok millert@
|
- cafile=<path>: override the default root certificates
- nosni: disable SNI completely
- noverify: do not verify server certificate (replaces -C)
- servername=<name>: set server name for SNI
ok tb@
|
improvements from jmc@ schwarze@ tb@
ok tb@
|
|
going through a deferred event. It makes the code simpler and eliminates
the need to keep the listener tls context in the io structure.
ok tb@
|
|
ok tb@ millert@
|
|
ok tb@
|
|
ok tb@
|
ok tb@
|
|
belongs to the listener, and should not be freed with that session if
an error occurs before. Unlink it from the session early in the accept
callback to avoid this.
tweaks and ok millert@
|
|
cipher list if defined. Otherwise fall back to the libtls default.
ok millert@
|
|
parameters when tracing is not enabled.
ok millert@
|
|
ok espie@ sthen@ tb@
|
|
issue hit by florian@
diff by jsing@
ok tb@
|
|
dns for the peer address.
spotted by krw@
ok krw@ tb@
|
|
Note that it changes the way SNI works: The certificate to use is now
selected by looking at the names found in the certificates themselves,
rather than the names of the pki entries in the configuration file.
The set of certificates for a tls listener must be defined explicitly by
using the pki listener option multiple times.
ok tb@