From 680f59a0a039eed2f0ff860a9e08e77c8ffe03f2 Mon Sep 17 00:00:00 2001
From: Eric Faurot
Date: Fri, 1 Jun 2018 12:24:17 +0000
Subject: Require a valid certificate by default when relaying through a smarthost.

Add "tls no-verify" relay option to disable it.

suggested and initial diff by semarie@.

ok gilles@
---
 usr.sbin/smtpd/parse.y | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

(limited to 'usr.sbin/smtpd/parse.y')

diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 553c3f16acd..b09fe6f48c1 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.207 2018/05/31 21:06:12 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.208 2018/06/01 12:24:16 eric Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade
@@ -182,7 +182,7 @@ typedef struct {
 %token KEY
 %token LIMIT LISTEN LMTP LOCAL
 %token MAIL_FROM MAILDIR MASK_SRC MASQUERADE MATCH MAX_MESSAGE_SIZE MAX_DEFERRED MBOX MDA MTA MX
-%token NODSN
+%token NODSN NOVERIFY
 %token ON
 %token PKI PORT
 %token QUEUE
@@ -541,6 +541,19 @@ HELO STRING {
 dispatcher->u.remote.smarthost = strdup(t->t_name);
 }
+| TLS NOVERIFY {
+ if (dispatcher->u.remote.smarthost == NULL) {
+ yyerror("tls no-verify may not be specified without host on a dispatcher");
+ YYERROR;
+ }
+
+ if (dispatcher->u.remote.tls_noverify == 1) {
+ yyerror("tls no-verify already specified for this dispatcher");
+ YYERROR;
+ }
+
+ dispatcher->u.remote.tls_noverify = 1;
+}
 | AUTH tables {
 struct table *t = $2;
@@ -1571,6 +1584,7 @@ lookup(char *s)
 { "mta", MTA },
 { "mx", MX },
 { "no-dsn", NODSN },
+ { "no-verify", NOVERIFY },
 { "on", ON },
 { "pki", PKI },
 { "port", PORT },
-- 
cgit v1.2.3
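Review bot: The `| TLS NOVERIFY` action in the third hunk records a deliberate security downgrade without a word of explanation in the grammar; since this commit makes certificate verification the default for smarthost relaying, the action should carry a comment such as `/* Opt out of smarthost certificate verification; the default is now to require a valid certificate. */` so the next reader does not mistake it for a plain toggle. The `smarthost == NULL` check means the keyword is only accepted after `host` has been given, which the error string states but nothing else in the hunk documents; if the smtpd.conf(5) update is outside this parse.y-limited view, the new keyword, that ordering constraint and the changed default need to be spelled out there. The duplicate guard `if (dispatcher->u.remote.tls_noverify == 1)` would read more naturally as `if (dispatcher->u.remote.tls_noverify)`, a purely cosmetic point. The dispatcher option rule this alternative belongs to starts and ends outside the hunk.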