From 32bd51d0e8c39c927252c909ad28182ded9358e2 Mon Sep 17 00:00:00 2001
From: eric
Date: Wed, 31 Mar 2021 17:47:16 +0000
Subject: [PATCH] allow to specify tls protocols and ciphers on relay actions
ok espie@ sthen@ tb@
---
 usr.sbin/smtpd/mta.c | 15 ++++++++++-----
 usr.sbin/smtpd/parse.y | 21 +++++++++++++++++++--
 usr.sbin/smtpd/smtpd.conf.5 | 16 ++++++++++++++--
 usr.sbin/smtpd/smtpd.h | 4 +++-
 4 files changed, 46 insertions(+), 10 deletions(-)
diff --git a/usr.sbin/smtpd/mta.c b/usr.sbin/smtpd/mta.c
index 74dd7c71ba0..2da8608e3a0 100644
--- a/usr.sbin/smtpd/mta.c
+++ b/usr.sbin/smtpd/mta.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta.c,v 1.235 2021/03/05 12:37:32 eric Exp $ */
+/* $OpenBSD: mta.c,v 1.236 2021/03/31 17:47:16 eric Exp $ */
 /*
 * Copyright (c) 2008 Pierre-Yves Ritschard
@@ -491,6 +491,7 @@ mta_setup_dispatcher(struct dispatcher *dispatcher)
 struct tls_config *config;
 struct pki *pki;
 struct ca *ca;
+ uint32_t protos;
 if (dispatcher->type != DISPATCHER_REMOTE)
 return;
@@ -500,10 +501,14 @@ mta_setup_dispatcher(struct dispatcher *dispatcher)
 if ((config = tls_config_new()) == NULL)
 fatal("smtpd: tls_config_new");
- if (env->sc_tls_ciphers) {
- if (tls_config_set_ciphers(config, env->sc_tls_ciphers) == -1)
- err(1, "%s", tls_config_error(config));
- }
+ if (remote->tls_ciphers &&
+ tls_config_set_ciphers(config, remote->tls_ciphers) == -1)
+ err(1, "%s", tls_config_error(config));
+
+ if (remote->tls_protocols &&
+ (tls_config_parse_protocols(&protos, remote->tls_protocols) == -1
+ || tls_config_set_protocols(config, protos) == -1))
+ err(1, "%s", tls_config_error(config));
 if (remote->pki) {
 pki = dict_get(env->sc_pki_dict, remote->pki);
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 40f78be84f7..e813279dffb 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
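Review bot: In the new `protocols` branch of mta_setup_dispatcher, `tls_config_error(config)` is consulted after `tls_config_parse_protocols()` fails, but that function takes no config and records nothing on `config`, so an unparsable `protocols` string terminates the daemon with an empty or null message instead of naming the offending value. The two calls should be checked separately so the parse failure reports the string itself; `errx` also fits better than `err` here, since neither libtls call sets errno and `err` appends an unrelated strerror text (the same applies to the `ciphers` branch just above). Note as well that the removed code applied the global `env->sc_tls_ciphers` to outbound sessions while the new code reads only `remote->tls_ciphers`; unless the per-dispatcher field is seeded from the global setting somewhere outside this diff, a configuration that relied on the global `ciphers` to constrain relay sessions now silently falls back to the libtls defaults, which deserves a mention in the commit message or the manual. mta_setup_dispatcher begins and ends outside the hunk.

```c
	if (remote->tls_protocols) {
		/* tls_config_parse_protocols() does not set an error on config */
		if (tls_config_parse_protocols(&protos, remote->tls_protocols) == -1)
			errx(1, "invalid tls protocols \"%s\"", remote->tls_protocols);
		if (tls_config_set_protocols(config, protos) == -1)
			errx(1, "%s", tls_config_error(config));
	}
	/* … unchanged: pki / ca setup … */
```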
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.285 2021/03/05 12:37:32 eric Exp $ */
+/* $OpenBSD: parse.y,v 1.286 2021/03/31 17:47:16 eric Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade
@@ -190,7 +190,7 @@ typedef struct {
 %token MAIL_FROM MAILDIR MASK_SRC MASQUERADE MATCH MAX_MESSAGE_SIZE MAX_DEFERRED MBOX MDA MTA MX
 %token NO_DSN NO_VERIFY NOOP
 %token ON
-%token PHASE PKI PORT PROC PROC_EXEC PROXY_V2
+%token PHASE PKI PORT PROC PROC_EXEC PROTOCOLS PROXY_V2
 %token QUEUE QUIT
 %token RCPT_TO RDNS RECIPIENT RECEIVEDAUTH REGEX RELAY REJECT REPORT REWRITE RSET
 %token SCHEDULER SENDER SENDERS SMTP SMTP_IN SMTP_OUT SMTPS SOCKET SRC SRS SUB_ADDR_DELIM
@@ -768,6 +768,22 @@ HELO STRING {
 dsp->u.remote.ca = $2;
 }
+| CIPHERS STRING {
+ if (dsp->u.remote.tls_ciphers) {
+ yyerror("ciphers already specified for this dispatcher");
+ YYERROR;
+ }
+
+ dsp->u.remote.tls_ciphers = $2;
+}
+| PROTOCOLS STRING {
+ if (dsp->u.remote.tls_protocols) {
+ yyerror("protocols already specified for this dispatcher");
+ YYERROR;
+ }
+
+ dsp->u.remote.tls_protocols = $2;
+}
 | SRC tables {
 struct table *t = $2;
@@ -2682,6 +2698,7 @@ lookup(char *s)
 { "port", PORT },
 { "proc", PROC },
 { "proc-exec", PROC_EXEC },
+ { "protocols", PROTOCOLS },
 { "proxy-v2", PROXY_V2 },
 { "queue", QUEUE },
 { "quit", QUIT },
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index 6359cc8434a..74def422d02 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.258 2021/03/05 12:37:32 eric Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.259 2021/03/31 17:47:16 eric Exp $
 .\"
 .\" Copyright (c) 2008 Janne Johansson
 .\" Copyright (c) 2009 Jacek Masiulaniec
@@ -17,7 +17,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .\"
-.Dd $Mdocdate: March 5 2021 $
+.Dd $Mdocdate: March 31 2021 $
 .Dt SMTPD.CONF 5
 .Os
 .Sh NAME
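Review bot: The new `PROTOCOLS STRING` rule stores `$2` without validating it, so a mistyped protocol list is only rejected when mta.c sets up the dispatcher, not by the configuration parser where the line number is known. If parse.y can call libtls, checking the value here with `uint32_t protos; if (tls_config_parse_protocols(&protos, $2) == -1) { yyerror("invalid protocols"); YYERROR; }` would surface the mistake from a configuration check rather than at daemon start. The `CIPHERS STRING` rule can reasonably defer, since a cipher string is only validated by `tls_config_set_ciphers` against a live config; a one-line comment above it saying the string is handed to libtls verbatim at dispatcher setup would make that intent clear. The enclosing dispatcher rule starts and ends outside the hunk.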
@@ -298,6 +298,18 @@ When used with a smarthost, the protocol must not be
 If
 .Cm no-verify
 is specified, do not require a valid certificate.
+.It Cm protocols Ar protostr
+Define the protocol versions to be used for TLS sessions.
+Refer to the
+.Xr tls_config_parse_protocols 3
+manpage for the format of
+.Ar protostr .
+.It Cm ciphers Ar cipherstr
+Define the list of ciphers that may be used for TLS sessions.
+Refer to the
+.Xr tls_config_set_ciphers 3
+manpage for the format of
+.Ar cipherstr .
 .It Cm auth Pf < Ar table Ns >
 Use the mapping
 .Ar table
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index c0e4878893f..4b5da97b44e 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.662 2021/03/05 12:37:32 eric Exp $ */
+/* $OpenBSD: smtpd.h,v 1.663 2021/03/31 17:47:16 eric Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade
@@ -1192,6 +1192,8 @@ struct dispatcher_remote {
 char *auth;
 int tls_required;
 int tls_noverify;
+ char *tls_protocols;
+ char *tls_ciphers;
 int backup;
 char *backupmx;
--
2.20.1