-.\" $OpenBSD: smtpd.conf.5,v 1.199 2018/09/01 19:56:28 gilles Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.200 2018/09/03 11:30:14 eric Exp $
.\"
.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
.\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\"
-.Dd $Mdocdate: September 1 2018 $
+.Dd $Mdocdate: September 3 2018 $
.Dt SMTPD.CONF 5
.Os
.Sh NAME
.It Cm host Ar relay-url
Do not perform MX lookups but relay messages to the relay host described by
.Ar relay-url .
-If the URL uses TLS, the certificate will be verified by default.
+The format for
+.Ar relay-url
+is
+.Sm off
+.Op Ar proto No :// Op Ar label No @
+.Ar host Op : Ar port .
+.Sm on
+The following protocols are available:
+.Pp
+.Bl -tag -width "smtp+notls" -compact
+.It smtp
+Normal SMTP session with opportunistic STARTTLS.
+.It smtp+tls
+Normal SMTP session with mandatory STARTTLS.
+.It smtp+notls
+Plain text SMTP session without TLS.
+.It lmtp
+LMTP session.
+.It smtps
+SMTP session with forced TLS on connection.
+.El
+.Pp
+If not specified, the
+.Dq smtp
+protocol is used.
+.Pp
+Specifying an auth label toggles authentication.
+An auth table must also be defined for this action.
+The protocol must explicitely require TLS.
+.Pp
+If TLS is explicitely required, the server certificate
+will be verified by default.
.It Cm tls no-verify
Do not require a valid certificate for the specified host.
.It Cm auth Pf < Ar table Ns >
listen on lo0
action "local" mbox alias <aliases>
-action "relay" relay host tls+auth://label@smtp.example.com \e
+action "relay" relay host smtp+tls://label@smtp.example.com \e
auth <secrets>
match for local action "local"
-/* $OpenBSD: to.c,v 1.31 2018/06/07 11:31:51 eric Exp $ */
+/* $OpenBSD: to.c,v 1.32 2018/09/03 11:30:14 eric Exp $ */
/*
* Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
* new schemas should be *appended* otherwise the default
* schema index needs to be updated later in this function.
*/
- { "smtp://", 0 },
+ { "smtp://", RELAY_TLS_OPTIONAL },
+ { "smtp+tls://", RELAY_STARTTLS },
+ { "smtp+notls://", 0 },
{ "lmtp://", RELAY_LMTP },
- { "smtp+tls://", RELAY_TLS_OPTIONAL },
- { "smtps://", RELAY_SMTPS },
- { "tls://", RELAY_STARTTLS },
- { "smtps+auth://", RELAY_SMTPS|RELAY_AUTH },
- { "tls+auth://", RELAY_STARTTLS|RELAY_AUTH },
- { "secure://", RELAY_SMTPS|RELAY_STARTTLS },
- { "secure+auth://", RELAY_SMTPS|RELAY_STARTTLS|RELAY_AUTH }
+ { "smtps://", RELAY_SMTPS }
};
const char *errstr = NULL;
char *p, *q;
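Review bot: The meaning of `smtp+tls://` changes in this table without a comment saying so: it was `RELAY_TLS_OPTIONAL` (opportunistic, line 71) and is now `RELAY_STARTTLS` (mandatory), while plain `smtp://` picks up the opportunistic flag. Since a reader of the table cannot see that distinction, a short comment on the entries would help, e.g. `/* smtp:// = opportunistic STARTTLS, may run in clear; smtp+tls:// = STARTTLS required */`. The legacy names (`tls://`, `secure://`, the `+auth` variants) are dropped rather than aliased, so a relay-url using one presumably now fails to parse further down; a one-line comment above the table naming the removed schemes would make that intentional rather than surprising to the next maintainer. The header comment about appending still holds since the default index is now 0.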
if (strstr(buffer, "://"))
return 0;
- /* no schema, default to smtp+tls:// */
- i = 2;
+ /* no schema, default to smtp:// */
+ i = 0;
p = buffer;
}
else
return 0;
if ((relay->flags & RELAY_LMTP) && (relay->port == 0))
return 0;
- if (relay->authlabel[0] == '\0' && relay->flags & RELAY_AUTH)
- return 0;
- if (relay->authlabel[0] != '\0' && !(relay->flags & RELAY_AUTH))
- return 0;
+ if (relay->authlabel[0]) {
+ /* disallow auth on non-tls scheme. */
+ if (!(relay->flags & (RELAY_STARTTLS | RELAY_SMTPS)))
+ return 0;
+ relay->flags |= RELAY_AUTH;
+ }
+
return 1;
}
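Review bot: The comment `/* disallow auth on non-tls scheme. */` understates the rule the mask actually enforces: `RELAY_TLS_OPTIONAL` is deliberately absent from `(RELAY_STARTTLS | RELAY_SMTPS)`, so an auth label is also refused on `smtp://`, where TLS is only opportunistic. I would spell that out, e.g. `/* auth requires mandatory TLS (STARTTLS or SMTPS); opportunistic TLS is not enough, credentials must never be sent in the clear */`, so nobody later "fixes" the mask by adding the optional flag. The check also assumes `relay->flags` holds only what the schema table assigned before this point; if the caller passes a non-zeroed struct a stale `RELAY_AUTH` would survive unverified, which cannot be confirmed from this hunk since the function starts outside it.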