authorGilles Chehade <gilles@poolp.org>2013-09-09 11:06:45 -0600
committerGilles Chehade <gilles@poolp.org>2013-09-09 11:06:45 -0600
commit2396fe2bc300f22dd8e5325c17024c0bcf33f75e (patch)
tree61e050eebae646a6c5ffd375a8057c26cca51c85
parentmove forward with tls strict verify, works for relay rules, not (diff)
- implement listen on foo tls-require verify
- fix relay via with cert verification
-rw-r--r--smtpd/envelope.c12
-rw-r--r--smtpd/parse.y5
-rw-r--r--smtpd/smtp_session.c13
3 files changed, 27 insertions, 3 deletions
diff --git a/smtpd/envelope.c b/smtpd/envelope.c
index d5f47acc..146d7371 100644
--- a/smtpd/envelope.c
+++ b/smtpd/envelope.c
@@ -403,8 +403,15 @@ envelope_ascii_load(enum envelope_field field, struct envelope *ep, char *buf)
sizeof ep->agent.mta.relay.helotable);
case EVP_MTA_RELAY_FLAGS:
return ascii_load_mta_relay_flags(&ep->agent.mta.relay.flags, buf);
- case EVP_MTA_RELAY:
- return ascii_load_mta_relay_url(&ep->agent.mta.relay, buf);
+ case EVP_MTA_RELAY: {
+ int ret;
+ uint16_t flags = ep->agent.mta.relay.flags;
+ ret = ascii_load_mta_relay_url(&ep->agent.mta.relay, buf);
+ if (! ret)
+ break;
+ ep->agent.mta.relay.flags |= flags;
+ return ret;
+ }
case EVP_CTIME:
return ascii_load_time(&ep->creation, buf);
case EVP_EXPIRE:
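Review bot: The save/OR-back of `flags` around ascii_load_mta_relay_url() makes the loaded relay flags depend on field order in the envelope file: bits are preserved only if the mta-relay-flags field was parsed before the mta-relay field, and if that order is ever reversed the URL loader appears to reset relay.flags and F_TLS_VERIFY is silently dropped on reload, leaving the relay on unverified TLS. That assumption deserves a comment on the `uint16_t flags = ep->agent.mta.relay.flags;` line, e.g. `/* ascii_load_mta_relay_url() resets relay.flags; keep bits already loaded from mta-relay-flags (F_TLS_VERIFY) or verification is lost on reload */`. The `if (! ret) break;` also changes the failure path from a direct `return 0` to whatever follows the switch, which is outside the hunk; confirm that path still returns 0. envelope_ascii_load continues outside the hunk.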
@@ -658,6 +665,7 @@ ascii_load_mta_relay_flags(uint16_t *dest, char *buf)
else
return 0;
}
+
return 1;
}
diff --git a/smtpd/parse.y b/smtpd/parse.y
index 54699804..a722a166 100644
--- a/smtpd/parse.y
+++ b/smtpd/parse.y
@@ -240,9 +240,11 @@ pkiname : PKI STRING {
;
ssl : SMTPS { $$ = F_SMTPS; }
+ | SMTPS VERIFY { $$ = F_SMTPS|F_TLS_VERIFY; }
| TLS { $$ = F_STARTTLS; }
| SSL { $$ = F_SSL; }
| TLS_REQUIRE { $$ = F_STARTTLS|F_STARTTLS_REQUIRE; }
+ | TLS_REQUIRE VERIFY { $$ = F_STARTTLS|F_STARTTLS_REQUIRE|F_TLS_VERIFY; }
| /* Empty */ { $$ = 0; }
;
@@ -562,7 +564,7 @@ main : BOUNCEWARN {
char *ifx = $4;
int family = $5;
in_port_t port = $6;
- uint8_t ssl = $7;
+ uint16_t ssl = $7;
char *pki = $8;
uint16_t auth = $9;
char *tag = $10;
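Review bot: Widening the local `ssl` to uint16_t only fixes truncation at this point; `$7` presumably ends up in a listener flags field further down the action, and if that field or the yacc value type is still 8 bits wide F_TLS_VERIFY is truncated again and the listener silently stops requiring client-certificate verification. Worth checking that every copy of this value down to the listener struct is at least 16 bits, and adding a short comment on the `uint16_t ssl = $7;` line naming why the type was widened. The enclosing rule action starts before the hunk and continues after it.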
@@ -937,6 +939,7 @@ action : userbase DELIVER TO MAILDIR {
YYERROR;
}
}
+ log_warnx("relayhost flags: %d", rule->r_value.relayhost.flags);
}
;
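Review bot: The added `log_warnx("relayhost flags: %d", rule->r_value.relayhost.flags);` looks like leftover debugging: it fires at warning level for every relay rule on every configuration parse, carries no rule identification, and will clutter the daemon log. Either drop it or lower it to debug level with a hex format so the flag bits are readable, e.g. `log_debug("relayhost flags: %#x", rule->r_value.relayhost.flags);`. The enclosing action starts before the hunk.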
diff --git a/smtpd/smtp_session.c b/smtpd/smtp_session.c
index ac286111..1fd7b42e 100644
--- a/smtpd/smtp_session.c
+++ b/smtpd/smtp_session.c
@@ -582,6 +582,12 @@ smtp_session_imsg(struct mproc *p, struct imsg *imsg)
if (resp_ca_vrfy->status == CA_OK)
s->flags |= SF_VERIFIED;
+ else if (s->listener->flags & F_TLS_VERIFY) {
+ log_info("smtp-in: Disconnecting session %016" PRIx64
+ ": SSL certificate check failed", s->id);
+ smtp_free(s, "SSL certificate check failed");
+ return;
+ }
smtp_io(&s->io, IO_TLSVERIFIED);
io_resume(&s->io, IO_PAUSE_IN);
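Review bot: The new disconnect branch logs only "SSL certificate check failed" and discards `resp_ca_vrfy->status`, so the log cannot tell an operator why the client certificate was rejected; the only status the code distinguishes here is CA_OK. Including the status in the log_info call, e.g. `": SSL certificate check failed (status %d)", s->id, (int)resp_ca_vrfy->status`, makes a rejection triageable without a packet capture. The `return` right after smtp_free() is correct, since `s` is freed and the smtp_io()/io_resume() lines below must not run. smtp_session_imsg continues outside the hunk.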
@@ -757,6 +763,13 @@ smtp_io(struct io *io, int evt)
break;
}
+ if (s->listener->flags & F_TLS_VERIFY) {
+ log_info("smtp-in: Disconnecting session %016" PRIx64
+ ": client did not present certificate", s->id);
+ smtp_free(s, "client did not present certificate");
+ return;
+ }
+
/* No verification required, cascade */
case IO_TLSVERIFIED: