From 8117b31e4c8190724e5913d4f6079c08969aa1d6 Mon Sep 17 00:00:00 2001
From: eric
Date: Mon, 3 Sep 2018 11:30:14 +0000
Subject: [PATCH] Update and document syntax for smarthost string in smtpd.conf:

- the +auth specifier is removed: it is implied by the presence of an auth label in the rest of the string
- secure:// is removed: use smtp+tls:// or smtps://
- tls:// is replaced by smtp+tls://
- smtp:// becomes SMTP with opportunistic STARTTLS
- smtp+tls:// becomes SMTP with mandatory STARTTLS

Adjust your config file accordingly.

ok gilles@
---
 usr.sbin/smtpd/smtpd.conf.5 | 39 +++++++++++++++++++++++++++++++++----
 usr.sbin/smtpd/to.c | 29 +++++++++++++--------------
 2 files changed, 49 insertions(+), 19 deletions(-)

diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index a11019804a5..45850b76afc 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.199 2018/09/01 19:56:28 gilles Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.200 2018/09/03 11:30:14 eric Exp $
 .\"
 .\" Copyright (c) 2008 Janne Johansson
 .\" Copyright (c) 2009 Jacek Masiulaniec
@@ -17,7 +17,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .\"
-.Dd $Mdocdate: September 1 2018 $
+.Dd $Mdocdate: September 3 2018 $
 .Dt SMTPD.CONF 5
 .Os
 .Sh NAME
@@ -228,7 +228,38 @@ to advertise during the HELO phase.
 .It Cm host Ar relay-url
 Do not perform MX lookups but relay messages to the relay host described by
 .Ar relay-url .
-If the URL uses TLS, the certificate will be verified by default.
+The format for
+.Ar relay-url
+is
+.Sm off
+.Op Ar proto No :// Op Ar label No @
+.Ar host Op : Ar port .
+.Sm on
+The following protocols are available:
+.Pp
+.Bl -tag -width "smtp+notls" -compact
+.It smtp
+Normal SMTP session with opportunistic STARTTLS.
+.It smtp+tls
+Normal SMTP session with mandatory STARTTLS.
+.It smtp+notls
+Plain text SMTP session without TLS.
+.It lmtp
+LMTP session.
+.It smtps
+SMTP session with forced TLS on connection.
+.El
+.Pp
+If not specified, the
+.Dq smtp
+protocol is used.
+.Pp
+Specifying an auth label toggles authentication.
+An auth table must also be defined for this action.
+The protocol must explicitely require TLS.
+.Pp
+If TLS is explicitely required, the server certificate
+will be verified by default.
 .It Cm tls no-verify
 Do not require a valid certificate for the specified host.
 .It Cm auth Pf < Ar table Ns >
@@ -774,7 +805,7 @@ table secrets file:/etc/mail/secrets
 listen on lo0
 
 action "local" mbox alias
-action "relay" relay host tls+auth://label@smtp.example.com \e
+action "relay" relay host smtp+tls://label@smtp.example.com \e
 auth
 
 match for local action "local"
diff --git a/usr.sbin/smtpd/to.c b/usr.sbin/smtpd/to.c
index e1d399d74f2..ed19aee62cd 100644
--- a/usr.sbin/smtpd/to.c
+++ b/usr.sbin/smtpd/to.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: to.c,v 1.31 2018/06/07 11:31:51 eric Exp $ */
+/* $OpenBSD: to.c,v 1.32 2018/09/03 11:30:14 eric Exp $ */
 
 /*
  * Copyright (c) 2009 Jacek Masiulaniec
@@ -310,15 +310,11 @@ text_to_relayhost(struct relayhost *relay, const char *s)
 * new schemas should be *appended* otherwise the default
 * schema index needs to be updated later in this function.
 */
-{ "smtp://", 0 },
+{ "smtp://", RELAY_TLS_OPTIONAL },
+{ "smtp+tls://", RELAY_STARTTLS },
+{ "smtp+notls://", 0 },
 { "lmtp://", RELAY_LMTP },
-{ "smtp+tls://", RELAY_TLS_OPTIONAL },
-{ "smtps://", RELAY_SMTPS },
-{ "tls://", RELAY_STARTTLS },
-{ "smtps+auth://", RELAY_SMTPS|RELAY_AUTH },
-{ "tls+auth://", RELAY_STARTTLS|RELAY_AUTH },
-{ "secure://", RELAY_SMTPS|RELAY_STARTTLS },
-{ "secure+auth://", RELAY_SMTPS|RELAY_STARTTLS|RELAY_AUTH }
+{ "smtps://", RELAY_SMTPS }
 };
 const char *errstr = NULL;
 char *p, *q;
@@ -341,8 +337,8 @@ text_to_relayhost(struct relayhost *relay, const char *s)
 if (strstr(buffer, "://"))
 return 0;
 
-/* no schema, default to smtp+tls:// */
-i = 2;
+/* no schema, default to smtp:// */
+i = 0;
 p = buffer;
 }
 else
@@ -397,10 +393,13 @@ text_to_relayhost(struct relayhost *relay, const char *s)
 return 0;
 if ((relay->flags & RELAY_LMTP) && (relay->port == 0))
 return 0;
-if (relay->authlabel[0] == '\0' && relay->flags & RELAY_AUTH)
-return 0;
-if (relay->authlabel[0] != '\0' && !(relay->flags & RELAY_AUTH))
-return 0;
+if (relay->authlabel[0]) {
+/* disallow auth on non-tls scheme. */
+if (!(relay->flags & (RELAY_STARTTLS | RELAY_SMTPS)))
+return 0;
+relay->flags |= RELAY_AUTH;
+}
+
 return 1;
 }
 
-- 
2.20.1
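Review bot: The default-schema index `i = 0;` in the no-schema branch is a bare literal whose meaning depends on "smtp://" staying first in the schemas table of the previous hunk, and the only thing protecting that is the table's "should be *appended*" comment. Since the default is now the first entry, make the coupling visible at the point of use, e.g. `i = 0; /* schemas[0] is "smtp://" */`, or give the index a named constant next to the table, so a future reorder cannot silently change what a bare host name means. The comment could also record that the no-schema default preserves the previous behaviour for bare hosts: the old index 2 was `{ "smtp+tls://", RELAY_TLS_OPTIONAL }` and the new index 0 is `{ "smtp://", RELAY_TLS_OPTIONAL }`, so both resolve to opportunistic STARTTLS. text_to_relayhost starts before this hunk and continues after it.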
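Review bot: The comment `/* disallow auth on non-tls scheme. */` on the new authlabel check states the rule but not the reason, and since `smtp://` now carries only RELAY_TLS_OPTIONAL a reader may wonder why opportunistic STARTTLS counts as "non-tls" here. Suggest `/* auth needs a scheme that mandates TLS (smtp+tls, smtps): with opportunistic STARTTLS the credentials could be sent in clear. */`, which also matches the manual's "The protocol must explicitely require TLS." The new code further assumes relay->flags holds no RELAY_AUTH bit before this point now that no table entry sets it; that holds for the table in this commit, but is worth a one-line note if relay->flags can be pre-populated by the caller (the struct's initialisation is outside the hunk). text_to_relayhost ends with this hunk; its start is outside it.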