Do not verify the cert or CA for a relay using opportunistic TLS.

If a relay is not explicitly configured to use TLS but the remote
side supports STARTTLS, we will try to use it.  However, in this
case we should not verify the cert or CA (which may be self-signed).
This restores the relay behavior before the switch to libtls was made.
There is no change if the relay is explicitly configured to use TLS.
OK eric@

diff --git a/usr.sbin/smtpd/mta.c b/usr.sbin/smtpd/mta.c
index 5c5a652..1d48fe6 100644 (file)
--- a/usr.sbin/smtpd/mta.c
+++ b/usr.sbin/smtpd/mta.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: mta.c,v 1.240 2021/06/14 17:58:15 eric Exp $  */
+/*     $OpenBSD: mta.c,v 1.241 2022/02/10 14:59:35 millert Exp $       */
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -522,13 +522,13 @@ mta_setup_dispatcher(struct dispatcher *dispatcher)
            == -1)
                fatal("tls_config_set_ca_file");
 
-       if (remote->tls_noverify) {
+       if (remote->tls_verify) {
+               tls_config_verify(config);
+       } else {
                tls_config_insecure_noverifycert(config);
                tls_config_insecure_noverifyname(config);
                tls_config_insecure_noverifytime(config);
        }
-       else
-               tls_config_verify(config);
 
        remote->tls_config = config;
 }
@@ -1828,10 +1828,6 @@ mta_relay(struct envelope *e, struct relayhost *relayh)
        if (!key.authlabel[0])
                key.authlabel = NULL;
 
-       if ((key.tls == RELAY_TLS_STARTTLS || key.tls == RELAY_TLS_SMTPS) &&
-           dispatcher->u.remote.tls_noverify == 0)
-               key.flags |= RELAY_TLS_VERIFY;
-
        if ((r = SPLAY_FIND(mta_relay_tree, &relays, &key)) == NULL) {
                r = xcalloc(1, sizeof *r);
                TAILQ_INIT(&r->tasks);

diff --git a/usr.sbin/smtpd/mta_session.c b/usr.sbin/smtpd/mta_session.c
index 78e3490..ee5876c 100644 (file)
--- a/usr.sbin/smtpd/mta_session.c
+++ b/usr.sbin/smtpd/mta_session.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: mta_session.c,v 1.144 2021/07/28 19:39:50 benno Exp $ */
+/*     $OpenBSD: mta_session.c,v 1.145 2022/02/10 14:59:35 millert Exp $       */
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -1223,7 +1223,7 @@ mta_io(struct io *io, int evt, void *arg)
                log_info("%016"PRIx64" mta tls ciphers=%s",
                    s->id, tls_to_text(io_tls(s->io)));
                s->flags |= MTA_TLS;
-               if (!s->relay->dispatcher->u.remote.tls_noverify)
+               if (s->relay->dispatcher->u.remote.tls_verify)
                        s->flags |= MTA_TLS_VERIFIED;
 
                mta_tls_started(s);

diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 7de52a1..4915bf6 100644 (file)
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/*     $OpenBSD: parse.y,v 1.290 2021/10/15 15:01:29 naddy Exp $       */
+/*     $OpenBSD: parse.y,v 1.291 2022/02/10 14:59:35 millert Exp $     */
 
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -868,6 +868,7 @@ HELO STRING {
        }
 
        dsp->u.remote.tls_required = 1;
+       dsp->u.remote.tls_verify = 1;
 }
 | TLS NO_VERIFY {
        if (dsp->u.remote.tls_required == 1) {
@@ -876,7 +877,6 @@ HELO STRING {
        }
 
        dsp->u.remote.tls_required = 1;
-       dsp->u.remote.tls_noverify = 1;
 }
 | AUTH tables {
        struct table   *t = $2;

diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index e6fc114..7e80dcc 100644 (file)
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: smtpd.h,v 1.671 2021/09/22 17:12:34 eric Exp $        */
+/*     $OpenBSD: smtpd.h,v 1.672 2022/02/10 14:59:35 millert Exp $     */
 
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -99,7 +99,6 @@
 
 #define RELAY_AUTH             0x08
 #define RELAY_LMTP             0x80
-#define        RELAY_TLS_VERIFY        0x200
 
 #define MTA_EXT_DSN            0x400
 
@@ -1189,7 +1188,7 @@ struct dispatcher_remote {
 
        char    *auth;
        int      tls_required;
-       int      tls_noverify;
+       int      tls_verify;
        char    *tls_protocols;
        char    *tls_ciphers;