From 89818320f51ce9b89c144087357e3182ba7f3dda Mon Sep 17 00:00:00 2001
From: millert
Date: Thu, 10 Feb 2022 14:59:35 +0000
Subject: [PATCH] Do not verify the cert or CA for a relay using opportunistic TLS.

If a relay is not explicitly configured to use TLS but the remote side supports STARTTLS, we will try to use it. However, in this case we should not verify the cert or CA (which may be self-signed). This restores the relay behavior before the switch to libtls was made. There is no change if the relay is explicitly configured to use TLS.

OK eric@
---
 usr.sbin/smtpd/mta.c | 12 ++++--------
 usr.sbin/smtpd/mta_session.c | 4 ++--
 usr.sbin/smtpd/parse.y | 4 ++--
 usr.sbin/smtpd/smtpd.h | 5 ++---
 4 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/usr.sbin/smtpd/mta.c b/usr.sbin/smtpd/mta.c
index 5c5a652ebc9..1d48fe69673 100644
--- a/usr.sbin/smtpd/mta.c
+++ b/usr.sbin/smtpd/mta.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta.c,v 1.240 2021/06/14 17:58:15 eric Exp $ */
+/* $OpenBSD: mta.c,v 1.241 2022/02/10 14:59:35 millert Exp $ */
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard
@@ -522,13 +522,13 @@ mta_setup_dispatcher(struct dispatcher *dispatcher)
 == -1)
 fatal("tls_config_set_ca_file");
- if (remote->tls_noverify) {
+ if (remote->tls_verify) {
+ tls_config_verify(config);
+ } else {
 tls_config_insecure_noverifycert(config);
 tls_config_insecure_noverifyname(config);
 tls_config_insecure_noverifytime(config);
 }
- else
- tls_config_verify(config);
 remote->tls_config = config;
 }
@@ -1828,10 +1828,6 @@ mta_relay(struct envelope *e, struct relayhost *relayh)
 if (!key.authlabel[0])
 key.authlabel = NULL;
- if ((key.tls == RELAY_TLS_STARTTLS || key.tls == RELAY_TLS_SMTPS) &&
- dispatcher->u.remote.tls_noverify == 0)
- key.flags |= RELAY_TLS_VERIFY;
-
 if ((r = SPLAY_FIND(mta_relay_tree, &relays, &key)) == NULL) {
 r = xcalloc(1, sizeof *r);
 TAILQ_INIT(&r->tasks);
diff --git a/usr.sbin/smtpd/mta_session.c b/usr.sbin/smtpd/mta_session.c
index 78e349019e7..ee5876c62db 100644
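Review bot: The rewritten branch in mta_setup_dispatcher makes the unverified configuration the default for any `dispatcher_remote` whose `tls_verify` was never set, where the old code fell through to `tls_config_verify()` unless `tls_noverify` was set; that is the intended behaviour for opportunistic STARTTLS, but the three `tls_config_insecure_*` calls now sit on the fail-open side of the branch with nothing saying why. A comment would keep a later reader from "fixing" it: `/* tls_verify is set only for an explicit "tls" relay; opportunistic STARTTLS accepts self-signed and otherwise unverifiable peers */`. The `tls_config_set_ca_file` call visible just above still loads the CA bundle even when the resulting config never checks it, which is harmless but easy to misread as enforcement. The function continues outside the hunk.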
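Review bot: Dropping `RELAY_TLS_VERIFY` from `key.flags` in mta_relay removes the verification policy from the relay lookup key, so two relays that differ only in `tls` versus `tls no_verify` can now share one `struct mta_relay` unless `mta_relay_cmp` (outside the hunk) also compares `dispatcher`; worth confirming, since mta_session.c now reads the policy through `s->relay->dispatcher`. If the dispatcher is part of the key the removed flag was redundant and this is fine; if it is not, a session could verify or not according to whichever dispatcher first created the tree entry. mta_relay continues outside the hunk.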
--- a/usr.sbin/smtpd/mta_session.c
+++ b/usr.sbin/smtpd/mta_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta_session.c,v 1.144 2021/07/28 19:39:50 benno Exp $ */
+/* $OpenBSD: mta_session.c,v 1.145 2022/02/10 14:59:35 millert Exp $ */
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard
@@ -1223,7 +1223,7 @@ mta_io(struct io *io, int evt, void *arg)
 log_info("%016"PRIx64" mta tls ciphers=%s", s->id, tls_to_text(io_tls(s->io)));
 s->flags |= MTA_TLS;
- if (!s->relay->dispatcher->u.remote.tls_noverify)
+ if (s->relay->dispatcher->u.remote.tls_verify)
 s->flags |= MTA_TLS_VERIFIED;
 mta_tls_started(s);
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 7de52a1c568..4915bf6002c 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.290 2021/10/15 15:01:29 naddy Exp $ */
+/* $OpenBSD: parse.y,v 1.291 2022/02/10 14:59:35 millert Exp $ */
 /*
  * Copyright (c) 2008 Gilles Chehade
@@ -868,6 +868,7 @@ HELO STRING {
 }
 dsp->u.remote.tls_required = 1;
+ dsp->u.remote.tls_verify = 1;
 }
 | TLS NO_VERIFY {
 if (dsp->u.remote.tls_required == 1) {
@@ -876,7 +877,6 @@ HELO STRING {
 }
 dsp->u.remote.tls_required = 1;
- dsp->u.remote.tls_noverify = 1;
 }
 | AUTH tables {
 struct table *t = $2;
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index e6fc114d0a6..7e80dcc2abc 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.671 2021/09/22 17:12:34 eric Exp $ */
+/* $OpenBSD: smtpd.h,v 1.672 2022/02/10 14:59:35 millert Exp $ */
 /*
  * Copyright (c) 2008 Gilles Chehade
@@ -99,7 +99,6 @@
 #define RELAY_AUTH 0x08
 #define RELAY_LMTP 0x80
-#define RELAY_TLS_VERIFY 0x200
 #define MTA_EXT_DSN 0x400
@@ -1189,7 +1188,7 @@ struct dispatcher_remote {
 char *auth;
 int tls_required;
- int tls_noverify;
+ int tls_verify;
 char *tls_protocols;
 char *tls_ciphers;
--
2.20.1
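Review bot: In mta_io the `MTA_TLS_VERIFIED` flag is now set from the configured `tls_verify` rather than from anything libtls reports about the handshake, so the flag means "verification was requested" and is only correct because libtls aborts the handshake when a requested check fails. A one-line comment makes that dependency explicit: `/* with tls_verify set, libtls has already rejected any peer failing the cert, name or time checks */`. For the opportunistic case the `mta tls ciphers=` log line just above no longer tells verified and unverified sessions apart; logging the verification state there would let operators see which deliveries were protected only against passive observation. mta_io continues outside the hunk.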
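Review bot: After the first parse.y hunk `tls_verify` is set only by the bare `TLS` rule, and the second hunk leaves it at its initial value for `TLS NO_VERIFY`, as does any dispatcher with no `tls` keyword; the parser therefore relies on the dispatcher being zero-initialised at allocation (not visible here) to make "no verify" the default. A comment on the `TLS` rule records that assumption: `/* tls_verify stays 0 for "tls no_verify" and for opportunistic STARTTLS */`. smtpd.conf(5) is not touched by the commit; if it currently states that STARTTLS peers are verified by default it should be updated to match. Both grammar rules start outside their hunks.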
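Review bot: The renamed field `tls_verify` in `struct dispatcher_remote` inverts the meaning of the old `tls_noverify` without a comment, and since both are plain `int` the compiler cannot flag a site that still treats 0 as "verify". Document the field in place: `int tls_verify; /* 1 only for an explicit "tls" relay; 0 = "tls no_verify" or opportunistic STARTTLS, peer cert not checked */`. The `RELAY_TLS_VERIFY` bit dropped in the earlier smtpd.h hunk leaves 0x200 unused between `RELAY_LMTP` and `MTA_EXT_DSN`, which is fine as long as nothing elsewhere in the tree still references the name.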