author | Gilles Chehade <gilles@poolp.org> | 2013-09-09 11:06:45 -0600 |
committer | Gilles Chehade <gilles@poolp.org> | 2013-09-09 11:06:45 -0600 |
commit | 2396fe2bc300f22dd8e5325c17024c0bcf33f75e (patch) | |
tree | 61e050eebae646a6c5ffd375a8057c26cca51c85 | |
parent | move forward with tls strict verify, works for relay rules, not (diff) | |
download | OpenSMTPD-2396fe2bc300f22dd8e5325c17024c0bcf33f75e.tar.xz OpenSMTPD-2396fe2bc300f22dd8e5325c17024c0bcf33f75e.zip |
- implement listen on foo tls-require verify
- fix relay via with cert verification
-rw-r--r-- | smtpd/envelope.c | 12 | ||||
-rw-r--r-- | smtpd/parse.y | 5 | ||||
-rw-r--r-- | smtpd/smtp_session.c | 13 |
3 files changed, 27 insertions, 3 deletions
diff --git a/smtpd/envelope.c b/smtpd/envelope.c
index d5f47acc..146d7371 100644
--- a/smtpd/envelope.c
+++ b/smtpd/envelope.c
@@ -403,8 +403,15 @@ envelope_ascii_load(enum envelope_field field, struct envelope *ep, char *buf)
sizeof ep->agent.mta.relay.helotable);
case EVP_MTA_RELAY_FLAGS:
return ascii_load_mta_relay_flags(&ep->agent.mta.relay.flags, buf);
- case EVP_MTA_RELAY:
- return ascii_load_mta_relay_url(&ep->agent.mta.relay, buf);
+ case EVP_MTA_RELAY: {
+ int ret;
+ uint16_t flags = ep->agent.mta.relay.flags;
+ ret = ascii_load_mta_relay_url(&ep->agent.mta.relay, buf);
+ if (! ret)
+ break;
+ ep->agent.mta.relay.flags |= flags;
+ return ret;
+ }
case EVP_CTIME:
return ascii_load_time(&ep->creation, buf);
case EVP_EXPIRE:
@@ -658,6 +665,7 @@ ascii_load_mta_relay_flags(uint16_t *dest, char *buf)
else
return 0;
}
+ return 1;
}
diff --git a/smtpd/parse.y b/smtpd/parse.y
index 54699804..a722a166 100644
--- a/smtpd/parse.y
+++ b/smtpd/parse.y
@@ -240,9 +240,11 @@ pkiname : PKI STRING {
;
ssl : SMTPS { $$ = F_SMTPS; }
+ | SMTPS VERIFY { $$ = F_SMTPS|F_TLS_VERIFY; }
| TLS { $$ = F_STARTTLS; }
| SSL { $$ = F_SSL; }
| TLS_REQUIRE { $$ = F_STARTTLS|F_STARTTLS_REQUIRE; }
+ | TLS_REQUIRE VERIFY { $$ = F_STARTTLS|F_STARTTLS_REQUIRE|F_TLS_VERIFY; }
| /* Empty */ { $$ = 0; }
;
@@ -562,7 +564,7 @@ main : BOUNCEWARN {
char *ifx = $4;
int family = $5;
in_port_t port = $6;
- uint8_t ssl = $7;
+ uint16_t ssl = $7;
char *pki = $8;
uint16_t auth = $9;
char *tag = $10;
@@ -937,6 +939,7 @@ action : userbase DELIVER TO MAILDIR {
YYERROR;
}
}
+ log_warnx("relayhost flags: %d", rule->r_value.relayhost.flags);
}
;
diff --git a/smtpd/smtp_session.c b/smtpd/smtp_session.c
index ac286111..1fd7b42e 100644
--- a/smtpd/smtp_session.c
+++ b/smtpd/smtp_session.c
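Review bot: The reason for saving `flags` and OR-ing it back after `ascii_load_mta_relay_url` in the new EVP_MTA_RELAY case is not stated anywhere; presumably that loader reinitialises the whole `ep->agent.mta.relay` and would otherwise wipe an EVP_MTA_RELAY_FLAGS value (the verify bit included) already read from the envelope file. I would put `/* loading the url resets the relay struct; keep flags read before it */` above the call so the next maintainer does not simplify the dance away. On a bad URL the case uses `break`, so the value returned for that failure is whatever the code after the switch produces, which is outside this hunk; `return 0;` in its place keeps the failure path explicit and local. `envelope_ascii_load` begins and ends outside the hunk.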
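Review bot: The added `return 1;` closes a real defect rather than a cosmetic gap: `ascii_load_mta_relay_flags` is non-void and, as the context lines show, previously fell off its end after the `while` loop, which is undefined behaviour and left the status seen by `envelope_ascii_load` for every EVP_MTA_RELAY_FLAGS field unspecified. The commit message does not say so; it is worth recording, since it is plausibly the actual cause behind "fix relay via with cert verification". Building with `-Werror=return-type` would have caught this at compile time and is a cheap guard to add.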
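Review bot: The new `verify` keyword on `smtps` and `tls-require` comes with no documentation change: the diffstat lists only envelope.c, parse.y and smtp_session.c, so smtpd.conf(5) still does not say that `verify` makes the listener demand a client certificate that passes CA validation and drop the connection otherwise. That belongs with the feature, because the failure mode is a silent disconnect the operator will otherwise have to reconstruct from the log. There is deliberately no `tls verify` alternative for opportunistic TLS; a grammar comment such as `/* verify is only offered where TLS itself is mandatory */` would keep someone from adding it later.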
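Review bot: Widening `ssl` from `uint8_t` to `uint16_t` suggests F_TLS_VERIFY does not fit in eight bits, which turns every other place this value flows through into a possible truncation point: the helper that presumably receives `ssl` further down this rule and the listener `flags` member it ends up in are outside the hunk and need the same width. If any of them is still 8-bit the verify bit is dropped with no error and `tls-require verify` quietly behaves as plain `tls-require`, the opposite of what an operator enabling it expects. A short comment next to the flag definitions noting the minimum width, or a `_Static_assert` on the flags type, would guard this. The `listen on` rule begins and ends outside the hunk.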
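Review bot: `log_warnx("relayhost flags: %d", rule->r_value.relayhost.flags);` reads as a debugging leftover: it fires unconditionally for every relay rule at configuration load, at warning severity, and carries nothing that identifies the rule it belongs to. If the flag value is worth keeping, it should go to a debug-level logger with context, e.g. `log_debug("relayhost flags %#x", rule->r_value.relayhost.flags)` if this file has one; otherwise drop it before the commit lands. The enclosing `action` rule starts outside the hunk.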
@@ -582,6 +582,12 @@ smtp_session_imsg(struct mproc *p, struct imsg *imsg)
if (resp_ca_vrfy->status == CA_OK)
s->flags |= SF_VERIFIED;
+ else if (s->listener->flags & F_TLS_VERIFY) {
+ log_info("smtp-in: Disconnecting session %016" PRIx64
+ ": SSL certificate check failed", s->id);
+ smtp_free(s, "SSL certificate check failed");
+ return;
+ }
smtp_io(&s->io, IO_TLSVERIFIED);
io_resume(&s->io, IO_PAUSE_IN);
@@ -757,6 +763,13 @@ smtp_io(struct io *io, int evt)
break;
}
+ if (s->listener->flags & F_TLS_VERIFY) {
+ log_info("smtp-in: Disconnecting session %016" PRIx64
+ ": client did not present certificate", s->id);
+ smtp_free(s, "client did not present certificate");
+ return;
+ }
+ /* No verification required, cascade */
case IO_TLSVERIFIED:
|
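Review bot: The disconnect on a failed certificate check logs only "SSL certificate check failed" although `resp_ca_vrfy->status` is right there; include it, `": SSL certificate check failed (status %d)", s->id, resp_ca_vrfy->status`, so an operator can tell a CA mismatch from some other failure without a debugger. The other branch also deserves a one-line comment, since a status other than CA_OK on a listener without F_TLS_VERIFY silently continues the session unverified: `/* without F_TLS_VERIFY a failed check is informational only */`. `smtp_session_imsg` begins and ends outside the hunk.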
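Review bot: The new block logs "client did not present certificate" at the point where the call just above, whose `break;` branch is visible, returned zero, but nothing here shows that zero means only "no certificate"; if that helper can also fail because the verification request could not be issued, the message points operators at the client for a server-side problem. A comment stating the assumption, `/* verification was not started: the peer sent no certificate */`, or a distinct return value from the helper would settle it. The placement itself is right, since the `/* No verification required, cascade */` fallthrough into IO_TLSVERIFIED is now reached only after the require check passes. `smtp_io` begins and ends outside the hunk.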