summaryrefslogtreecommitdiff
path: root/usr.sbin/smtpd
AgeCommit message (Collapse)Author
2023-02-08usr.sbin: missing void to appease clang 15's -Wstrict-prototype.Theo Buehler
2023-02-06smtpd(8) could abort due to a connection from a local, scoped ipv6 address.Sebastien Marie
avoid using inet_pton(3) which doesn't support scoped ipv6 address, and use getaddrinfo(3) instead of. ok millert@ florian@ kn@
2022-12-28spelling fixes; from paul tagliamonteJason McIntyre
any parts of his diff not taken are noted on tech
2022-10-20Display the correct recipient in a Received: header with one recipient.Todd C. Miller
If multiple recipients are specified but only one is valid, use the first entry in the recipient list for the Received: header, not the value from the last "RCPT TO:" command (which could be invalid). From Chris Waddey
2022-09-26Fix a use after free in case mta_tls_init fails.Martijn van Duren
Found the hard way by renaud <at> allard <dot> it OK eric@, gilles@, millert@
2022-09-24ascii_load_sockaddr: Remove old IPv6 address parsing for envelope files.Todd C. Miller
IPv6 addresses have been formatted as "[address]" in envelope files for years. This was supposed to be removed after the 6.6 release but got forgotten. Noticed by kn@, OK deraadt@ kn@
2022-03-31man pages: add missing commas between subordinate and main clausesChristian Weisgerber
jmc@ dislikes a comma before "then" in a conditional, so leave those untouched. ok jmc@
2022-02-25Whitespace.Rob Pierce
2022-02-18Enable TLS verify by default for outbound "smtps://" and "smtp+tls://".Todd C. Miller
This restores the documented behavior that was broken by the fix for opportunistic TLS. OK semarie@.
2022-02-18Revert changes to use the new libtls signer apiTodd C. Miller
There are bugs in the new libtls signer that can lead to a crash. OK tb@ jsing@
2022-02-12use new libtls signer apiEric Faurot
ok tb@
2022-02-10Do not verify the cert or CA for a relay using opportunistic TLS.Todd C. Miller
If a relay is not explicitly configured to use TLS but the remote side supports STARTTLS, we will try to use it. However, in this case we should not verify the cert or CA (which may be self-signed). This restores the relay behavior before the switch to libtls was made. There is no change if the relay is explicitly configured to use TLS. OK eric@
2022-01-20remove unused variable from all copies of _asr_strdname()Christian Weisgerber
... including those inlined into print_dname(). This also fixes -Wunused-but-set-variable warnings warnings in smtpd and smtpctl. The code was imported with asr and then copied around. ok deraadt@ guenther@
2021-12-13including sys/cdefs.h manually started as a result of netbsd trying toTheo de Raadt
macro-build a replacement for sccsid, and was done without any concern for namespace damage. Unfortunately this practice started infecting other code as others were unaware they didn't need the file. ok millert guenther
2021-11-21smtpd-filters.7 referred to itself internally as just filters(7): fix that,Jason McIntyre
and put some Xr in smtpd.conf.5 so people can find it; from leon fischer
2021-11-20install smtpd-filters.7;Jason McIntyre
cleanup/push from larry hynes; gilles agreed the page is suitable for installation;
2021-10-15Don't declare variables as "unsigned char *" that are passed toChristian Weisgerber
functions that take "char *" arguments. Where such chars are assigned to int or passed to ctype functions, explicitly cast them to unsigned char. For OpenBSD's clang, -Wpointer-sign has been disabled by default, but when the parse.y code was built elsewhere, the compiler would complain. With help from millert@ ok benno@ deraadt@
2021-09-22remove test traces committed by mistakeEric Faurot
2021-09-22bump version to 7.0.0Eric Faurot
2021-09-22decode srs-encoded address in the right place.Eric Faurot
fixes a bug where ruleset was not evaluated with the expanded address. reported by Stefan Haller ok millert@
2021-09-22sync table_db capabilities with table_staticEric Faurot
ok millert@
2021-08-05rework the "host relay-url" text block a little so it reads better,Jason McIntyre
and formats a bit nicer; while here, wrap lines to <80;
2021-08-02Fix incorrect status code for expired mails resulting in a misleadingEric Faurot
bounce report. From Erik Brens
2021-07-28add format attribute to vaararg functions.Sebastian Benoit
millert@ thinks its useful.
2021-07-14Remove unneeded calls to tls_init(3)kn
As per the manual and lib/libtls/tls.c revision 1.79 from 2018 "Automatically handle library initialisation for libtls." initialisation is handled automatically by other tls_*(3) functions. Remove explicit tls_init() calls from base to not give the impression of it being needed. Feedback tb OK Tests mestre
2021-07-01remove useless and confusing log message when client has no certificateEric Faurot
ok millert@
2021-06-14add required headers for smtpd.h and remove unnecessary ones in other files.Eric Faurot
ok jung@
2021-05-26replaces calls to err(3)/errx(3) with fatal()/fatalx() from log.cEric Faurot
for code that runs in the daemon. ok florian@ millert@
2021-05-26remove unused codeEric Faurot
ok millert@
2021-05-25remove obsolete filesEric Faurot
2021-05-23add missing entry for cafileEric Faurot
2021-05-23add more TLS options to smtp(1):Eric Faurot
- cafile=<path>: override the default root certificates - nosni: disable SNI completely - noverify: do not verify sevrer certificate (replaces -C) - servername=<name>: set server name for SNI ok tb@
2021-05-22add semantic markup as suggested by schwarze@ and jmc@Eric Faurot
2021-05-22reorder entriesEric Faurot
2021-05-22allow to specify TLS ciphers and protocols in smtp(1)Eric Faurot
improvements from jmc@ schwarze@ tb@ ok tb@
2021-05-20Call tls_accept_socket() and tls_connect_socket() immediatly instead ofEric Faurot
going through a deferred event. It makes the code simplier and eliminates the need to keep the listener tls context in the io structure. ok tb@
2021-04-21unplug unused certificate verification code, now that this is done by libtls.Eric Faurot
ok tb@ millert@
2021-04-11do not build unused code and remove uneeded dependency on libm.Eric Faurot
ok tb@
2021-04-10remove dead code and unused dependenciesEric Faurot
ok tb@
2021-04-10bump smtpd versionEric Faurot
2021-04-09allow to specify tls ciphers and protocols on listenersEric Faurot
ok tb@
2021-04-05Until tls_accept_socket() succeeds, the tls context bound to a sessionEric Faurot
belongs to the listener, and should not be freed with that session if an error occurs before. Unlink it from the session early in the accept callback to avoid this. tweaks and ok millert@
2021-04-02if cipher list is not specified for a relay action, use the globalEric Faurot
cipher list if defined. otherwise fallback to libtls default. ok millert@
2021-03-31turn log_trace() into a macro to prevent evaluating the format stringEric Faurot
parameters when tracing is not enabled. ok millert@
2021-03-31allow to specify tls protocols and ciphers on relay actionsEric Faurot
ok espie@ sthen@ tb@
2021-03-10do not request client certificate unless requiredEric Faurot
issue hit by florian@ diff by jsing@ ok tb@
2021-03-07use the mx hostname for sni on outgoing connection, not the reverseEric Faurot
dns for the peer address. spotted by krw@ ok krw@ tb@
2021-03-05Start porting smtpd to libtls.Eric Faurot
Note that it changes the way SNI works: The certificate to use is now selected by looking at the names found in the certificates themselves, rather than the names of the pki entries in the configuration file. The set of certificates for a tls listener must be defined explicitly by using the pki listener option multiple times. ok tb@
2021-02-13-h does not display version; from larry hynesJason McIntyre
2021-02-13readability fixes; from larry hynesJason McIntyre