From: gilles
Date: Tue, 29 Apr 2014 17:32:42 +0000 (+0000)
Subject: when a session fails due to a TLS error in a smtp+tls:// connection, try
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=63dab8efc2ebb66a1f5415b4280bf2737a0a8f13;p=openbsd

when a session fails due to a TLS error in a smtp+tls:// connection, try
plain before giving up

ok eric@
---
diff --git a/usr.sbin/smtpd/mta_session.c b/usr.sbin/smtpd/mta_session.c
index 615ddfd8da8..0be56d71cbb 100644
--- a/usr.sbin/smtpd/mta_session.c
+++ b/usr.sbin/smtpd/mta_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta_session.c,v 1.61 2014/04/29 10:18:06 reyk Exp $ */
+/* $OpenBSD: mta_session.c,v 1.62 2014/04/29 17:32:42 gilles Exp $ */
 /*
 * Copyright (c) 2008 Pierre-Yves Ritschard
@@ -80,6 +80,7 @@ enum mta_state {
 #define MTA_WANT_SECURE 0x0010
 #define MTA_USE_AUTH 0x0020
 #define MTA_USE_CERT 0x0040
+#define MTA_DOWNGRADE_PLAIN 0x0080
 #define MTA_TLS_TRIED 0x0080
@@ -525,6 +526,10 @@ mta_connect(struct mta_session *s)
 s->use_smtps = 1; /* tls+smtps */
 break;
 }
+ else if (s->flags & MTA_DOWNGRADE_PLAIN) { /* smtp+tls, with tls failure */ break; }
 default:
 mta_free(s);
 return;
@@ -544,7 +549,6 @@ mta_connect(struct mta_session *s)
 ((struct sockaddr_in6 *)sa)->sin6_port = htons(portno);
 s->attempt += 1;
-
 if (s->use_smtp_tls)
 schema = "smtp+tls://";
 else if (s->use_starttls)
@@ -870,6 +874,11 @@ mta_response(struct mta_session *s, char *line)
 switch (s->state) {
 case MTA_BANNER:
+ if (line[0] != '2') { mta_error(s, "BANNER rejected: %s", line); s->flags |= MTA_FREE; return; }
 if (s->flags & MTA_LMTP)
 mta_enter_state(s, MTA_LHLO);
 else
@@ -1269,6 +1278,11 @@ mta_io(struct io *io, int evt)
 mta_error(s, "IO Error: %s", io->error);
 if (!s->ready)
 mta_connect(s);
+ else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_ANYSSL))) { /* error in non-strict SSL negotiation, downgrade to plain */ s->flags |= MTA_DOWNGRADE_PLAIN; mta_connect(s); }
 else
 mta_free(s);
 break;
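Review bot: The new MTA_DOWNGRADE_PLAIN is given the value 0x0080, which is the same bit as the existing MTA_TLS_TRIED defined right below it, so setting either flag makes both `s->flags & MTA_TLS_TRIED` and `s->flags & MTA_DOWNGRADE_PLAIN` true, and the new `else if (s->flags & MTA_DOWNGRADE_PLAIN)` branch in mta_connect may then fire on a session that merely tried TLS. Unless MTA_TLS_TRIED is dead (its uses are outside this diff), the new flag needs a bit of its own, e.g. `#define MTA_DOWNGRADE_PLAIN 0x0100` or whatever value is unused in the full flag list, plus a short comment that it is distinct from MTA_TLS_TRIED. The flag definitions continue outside the hunk.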
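Review bot: The downgrade condition in the new `else if` of mta_io keys on the session being `ready` and on the absence of MTA_FORCE_TLS/MTA_FORCE_ANYSSL, not on a TLS negotiation actually being in progress, so any I/O error on an established non-forced session — a plain `smtp://` relay, or an `smtp+tls://` session that completed STARTTLS earlier and later lost the connection — sets MTA_DOWNGRADE_PLAIN and reconnects in cleartext. Conversely, if `s->ready` is only set once the session reaches its READY state (not visible here), a handshake failure during STARTTLS still takes the existing `if (!s->ready) mta_connect(s);` branch without the flag, and the downgrade never happens for the case the commit targets. Gating on the session state and the opportunistic mode instead, e.g. `else if (s->state == MTA_STARTTLS && s->use_smtp_tls) {` (using whichever enum mta_state value the STARTTLS exchange runs in), limits the cleartext fallback to a failed opportunistic handshake. Because this fallback is exactly what an active attacker who breaks the handshake would exploit, the downgrade should also be reported explicitly rather than as a generic "IO Error", e.g. `mta_error(s, "Error in TLS negotiation, downgrade to plain");` before the reconnect. mta_io continues outside the hunk.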