Remove "listen secure" syntax from smtpd.conf. It's broken since a couple of

months and noone complained.

Users should replace existing "listen secure" directives with two separate
"tls" and "smtps" listeners. i.e. a line like

        listen on $iface tls pki $pki

has to be replaced with

        listen on $iface tls pki $pki
        listen on $iface smtps pki $pki

Relaying syntax is not affected by this change.

suggested by eric
ok gilles

diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 20736f6..b522d40 100644 (file)
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/*     $OpenBSD: parse.y,v 1.196 2017/05/22 13:43:15 gilles Exp $      */
+/*     $OpenBSD: parse.y,v 1.197 2017/07/11 06:08:40 natano Exp $      */
 
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -169,7 +169,7 @@ typedef struct {
 %}
 
 %token AS QUEUE COMPRESSION ENCRYPTION MAXMESSAGESIZE MAXMTADEFERRED LISTEN ON ANY PORT EXPIRE
-%token TABLE SECURE SMTPS CERTIFICATE DOMAIN BOUNCEWARN LIMIT INET4 INET6 NODSN SESSION
+%token TABLE SMTPS CERTIFICATE DOMAIN BOUNCEWARN LIMIT INET4 INET6 NODSN SESSION
 %token  RELAY BACKUP VIA DELIVER TO LMTP MAILDIR MBOX RCPTTO HOSTNAME HOSTNAMES
 %token ACCEPT REJECT INCLUDE ERROR MDA FROM FOR SOURCE MTA PKI SCHEDULER
 %token ARROW AUTH TLS LOCAL VIRTUAL TAG TAGGED ALIAS FILTER KEY CA DHE
@@ -515,14 +515,6 @@ opt_if_listen : INET4 {
                        listen_opts.options |= LO_SSL;
                        listen_opts.ssl = F_STARTTLS;
                }
-               | SECURE                        {
-                       if (listen_opts.options & LO_SSL) {
-                               yyerror("TLS mode already specified");
-                               YYERROR;
-                       }
-                       listen_opts.options |= LO_SSL;
-                       listen_opts.ssl = F_SSL;
-               }
                | TLS_REQUIRE                   {
                        if (listen_opts.options & LO_SSL) {
                                yyerror("TLS mode already specified");
@@ -1512,7 +1504,6 @@ lookup(char *s)
                { "reject",             REJECT },
                { "relay",              RELAY },
                { "scheduler",          SCHEDULER },
-               { "secure",             SECURE },
                { "sender",             SENDER },
                { "senders",            SENDERS },
                { "session",            SESSION },

diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index 3f3e474..c08e45e 100644 (file)
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: smtpd.conf.5,v 1.173 2017/06/07 13:25:18 jmc Exp $
+.\"    $OpenBSD: smtpd.conf.5,v 1.174 2017/07/11 06:08:40 natano Exp $
 .\"
 .\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
 .\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -17,7 +17,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .\"
-.Dd $Mdocdate: June 7 2017 $
+.Dd $Mdocdate: July 11 2017 $
 .Dt SMTPD.CONF 5
 .Os
 .Sh NAME
@@ -657,7 +657,7 @@ Changing the default value might degrade performance.
 .Ic listen on Ar interface
 .Op Ar family
 .Op Ic port Ar port
-.Op Ic tls | tls-require | tls-require verify | smtps | secure
+.Op Ic tls | tls-require | tls-require verify | smtps
 .Op Ic pki Ar pkiname
 .Op Ic ca Ar caname
 .Op Ic auth | auth-optional Op < Ns Ar authtable Ns >
@@ -701,8 +701,6 @@ If
 is specified, the client must provide a valid certificate to be
 able to establish an SMTP session.
 .Pp
-.Ic secure
-may be specified to provide both STARTTLS and SMTPS services.
 Host certificates may be used for these connections,
 and must be previously declared using the pki directive.
 If