From 1aa03b06e23475628d9c4ab3e355acda0edef6be Mon Sep 17 00:00:00 2001
From: eric
Date: Mon, 24 Sep 2018 16:14:34 +0000
Subject: [PATCH] Allow to use the "tls" keyword on any relay action to force TLS, with strict certificate validation. The "no-verify" becomes optional. ok gilles@ millert@ semarie@
---
 usr.sbin/smtpd/mta.c | 21 +++++++++++++++++++--
 usr.sbin/smtpd/parse.y | 16 ++++++++++------
 usr.sbin/smtpd/smtpd.conf.5 | 13 +++++++++----
 usr.sbin/smtpd/smtpd.h | 3 ++-
 4 files changed, 40 insertions(+), 13 deletions(-)
diff --git a/usr.sbin/smtpd/mta.c b/usr.sbin/smtpd/mta.c
index 4da1a84c2eb..b7a841d15b0 100644
--- a/usr.sbin/smtpd/mta.c
+++ b/usr.sbin/smtpd/mta.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta.c,v 1.225 2018/09/19 05:31:12 eric Exp $ */
+/* $OpenBSD: mta.c,v 1.226 2018/09/24 16:14:34 eric Exp $ */
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard
@@ -657,6 +657,23 @@ mta_handle_envelope(struct envelope *evp, const char *smarthost)
 return;
 }
+ if (dispatcher->u.remote.tls_required) {
+ /* Reject relay if smtp+notls:// is requested */
+ if (relayh.tls == RELAY_TLS_NO) {
+ log_warnx("warn: TLS required for action \"%s\"",
+ evp->dispatcher);
+ m_create(p_queue, IMSG_MTA_DELIVERY_TEMPFAIL, 0, 0, -1);
+ m_add_evpid(p_queue, evp->id);
+ m_add_string(p_queue, "TLS required for relaying");
+ m_add_int(p_queue, ESC_OTHER_STATUS);
+ m_close(p_queue);
+ return;
+ }
+ /* Update smtp:// to smtp+tls:// */
+ if (relayh.tls == RELAY_TLS_OPPORTUNISTIC)
+ relayh.tls = RELAY_TLS_STARTTLS;
+ }
+
 relay = mta_relay(evp, &relayh);
 /* ignore if we don't know the limits yet */
 if (relay->limits &&
@@ -1739,7 +1756,7 @@ mta_relay(struct envelope *e, struct relayhost *relayh)
 if (!key.authlabel[0])
 key.authlabel = NULL;
- if (dispatcher->u.remote.smarthost &&
+ if ((key.tls == RELAY_TLS_STARTTLS || key.tls == RELAY_TLS_SMTPS) &&
 dispatcher->u.remote.tls_noverify == 0)
 key.flags |= RELAY_TLS_VERIFY;
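Review bot: The `tls` versus `smtp+notls://` conflict rejected in the new block is a static configuration error, yet it is reported with IMSG_MTA_DELIVERY_TEMPFAIL, so every envelope for that action will sit in the queue and be retried until it expires, with only the `log_warnx` line to point at the cause. Since parse.y has both `tls_required` and the smarthost string in hand, the conflict could be refused at parse time; failing that, the permanent-failure variant of the delivery message would give the sender an immediate bounce instead of a delayed one. mta_handle_envelope begins and ends outside the hunk, so I cannot see whether `relayh.tls` can be RELAY_TLS_NO without a smarthost; if it can, the comment `/* Reject relay if smtp+notls:// is requested */` should name where that value comes from.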
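Review bot: The rewritten condition in mta_relay changes behavior for a smarthost configured with plain `smtp://` and no `tls` keyword: the removed line set `RELAY_TLS_VERIFY` for any smarthost with `tls_noverify == 0`, while the new one sets it only when `key.tls` is `RELAY_TLS_STARTTLS` or `RELAY_TLS_SMTPS`, so an opportunistic-TLS smarthost no longer gets the verify flag. If that is intended, a comment above the condition would spare the next reader the same question, e.g. `/* Certificate verification only applies when TLS is mandatory */`; if it is not, the old `dispatcher->u.remote.smarthost` test should be kept as an alternative. Whether the flag had any effect in opportunistic mode is not visible here, so I am only flagging the difference. mta_relay continues outside the hunk.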
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index d80fd6e9590..c3177e3f058 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.221 2018/09/07 07:35:31 miko Exp $ */
+/* $OpenBSD: parse.y,v 1.222 2018/09/24 16:14:34 eric Exp $ */
 /*
  * Copyright (c) 2008 Gilles Chehade
@@ -739,17 +739,21 @@ HELO STRING {
 dispatcher->u.remote.smarthost = strdup(t->t_name);
 }
-| TLS NO_VERIFY {
- if (dispatcher->u.remote.smarthost == NULL) {
- yyerror("tls no-verify may not be specified without host on a dispatcher");
+| TLS {
+ if (dispatcher->u.remote.tls_required == 1) {
+ yyerror("tls already specified for this dispatcher");
 YYERROR;
 }
- if (dispatcher->u.remote.tls_noverify == 1) {
- yyerror("tls no-verify already specified for this dispatcher");
+ dispatcher->u.remote.tls_required = 1;
+}
+| TLS NO_VERIFY {
+ if (dispatcher->u.remote.tls_required == 1) {
+ yyerror("tls already specified for this dispatcher");
 YYERROR;
 }
+ dispatcher->u.remote.tls_required = 1;
 dispatcher->u.remote.tls_noverify = 1;
 }
 | AUTH tables {
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index f897b9a7101..02a7b281981 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.204 2018/09/10 12:42:17 jmc Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.205 2018/09/24 16:14:34 eric Exp $
 .\"
 .\" Copyright (c) 2008 Janne Johansson
 .\" Copyright (c) 2009 Jacek Masiulaniec
@@ -17,7 +17,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .\"
-.Dd $Mdocdate: September 10 2018 $
+.Dd $Mdocdate: September 24 2018 $
 .Dt SMTPD.CONF 5
 .Os
 .Sh NAME
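Review bot: The duplicate-keyword guard `if (dispatcher->u.remote.tls_required == 1) { yyerror("tls already specified for this dispatcher"); YYERROR; }` and the following `dispatcher->u.remote.tls_required = 1;` are now repeated verbatim in the `TLS` and `TLS NO_VERIFY` alternatives; a single `TLS` rule followed by an optional no-verify production, or a small helper called from both, would keep the two copies from drifting apart. Separately, the removed rule refused `tls no-verify` when no smarthost was configured, and the new rule accepts it, so an action relaying via MX lookups can now demand TLS while accepting any certificate; that matches the commit message, but a one-line comment on the `TLS NO_VERIFY` alternative recording that this is deliberate would help the next reviewer. The enclosing grammar rule starts before the hunk.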
@@ -265,8 +265,13 @@ and
 .Dq smtps
 protocols for authentication.
 Server certificates for those protocols are verified by default.
-.It Cm tls no-verify
-Do not require a valid certificate for the specified host.
+.It Cm tls Op no-verify
+Require TLS to be used when relaying, using mandatory STARTTLS by default.
+When used with a smarthost, the protocol must not be
+.Dq smtp+notls:// .
+If
+.Op no-verify
+is specified, do not require a valid certificate.
 .It Cm auth Pf < Ar table Ns >
 Use the mapping
 .Ar table
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index baa224a0a80..89b01e4f118 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.561 2018/09/19 05:31:12 eric Exp $ */
+/* $OpenBSD: smtpd.h,v 1.562 2018/09/24 16:14:34 eric Exp $ */
 /*
  * Copyright (c) 2008 Gilles Chehade
@@ -1063,6 +1063,7 @@ struct dispatcher_remote {
 char *smarthost;
 char *auth;
+ int tls_required;
 int tls_noverify;
 int backup;
-- 
2.20.1