author | gilles <gilles@poolp.org> | 2016-05-04 10:44:50 +0200 |
---|---|---|
committer | gilles <gilles@poolp.org> | 2016-05-04 10:44:50 +0200 |
commit | f3ece8992da6138afa84ca81fe4cc829f47be10c (patch) | |
tree | b8885cea90e81ff4437696f4c8815f388c1ba217 | |
parent | Merge branch 'master' into portable (diff) | |
parent | sync with OpenBSD: (diff) | |
download | OpenSMTPD-f3ece8992da6138afa84ca81fe4cc829f47be10c.tar.xz OpenSMTPD-f3ece8992da6138afa84ca81fe4cc829f47be10c.zip |
Merge branch 'master' into portable
-rw-r--r-- | smtpd/CVS/Entries | 154 | ||||
-rw-r--r-- | smtpd/parse.y | 21 | ||||
-rw-r--r-- | smtpd/queue.c | 20 | ||||
-rw-r--r-- | smtpd/smtpctl.8 | 6 | ||||
-rw-r--r-- | smtpd/smtpctl.c | 65 | ||||
-rw-r--r-- | smtpd/smtpd.8 | 40 | ||||
-rw-r--r-- | smtpd/smtpd.c | 6 | ||||
-rw-r--r-- | smtpd/smtpd.conf.5 | 40 | ||||
-rw-r--r-- | smtpd/ssl.c | 114 | ||||
-rw-r--r-- | smtpd/ssl.h | 8 |
10 files changed, 220 insertions, 254 deletions
diff --git a/smtpd/CVS/Entries b/smtpd/CVS/Entries
index 934b3e7c..59b847e8 100644
--- a/smtpd/CVS/Entries
+++ b/smtpd/CVS/Entries
@@ -2,89 +2,89 @@ D/smtpctl//// D/smtpd//// /Makefile/1.15/Mon Mar 7 16:27:28 2016// /aliases.5/1.12/Mon Mar 7 16:27:28 2016// -/aliases.c/1.69/Sun Apr 17 08:27:42 2016// -/bounce.c/1.72/Sun Apr 17 08:27:42 2016// -/ca.c/1.21/Sun Apr 17 08:27:42 2016// -/compress_backend.c/1.9/Sun Apr 17 08:27:43 2016// -/compress_gzip.c/1.10/Sun Apr 17 08:27:43 2016// -/config.c/1.34/Sun Apr 17 08:27:45 2016// -/control.c/1.112/Sun Apr 17 08:27:45 2016// -/crypto.c/1.5/Sun Apr 17 08:27:43 2016// -/delivery.c/1.6/Sun Apr 17 08:27:43 2016// -/delivery_filename.c/1.14/Sun Apr 17 08:27:43 2016// -/delivery_lmtp.c/1.15/Sun Apr 17 08:27:43 2016// -/delivery_maildir.c/1.17/Sun Apr 17 08:27:43 2016// -/delivery_mbox.c/1.12/Sun Apr 17 08:27:43 2016// -/delivery_mda.c/1.9/Sun Apr 17 08:27:43 2016// -/dict.c/1.5/Sun Apr 17 08:27:43 2016// -/dns.c/1.83/Sun Apr 17 08:27:43 2016// -/enqueue.c/1.112/Sun Apr 17 08:27:43 2016// -/envelope.c/1.36/Sun Apr 17 08:27:43 2016// -/esc.c/1.4/Sun Apr 17 08:27:43 2016// -/expand.c/1.29/Sun Apr 17 08:27:43 2016// -/filter.c/1.17/Sun Apr 17 08:27:45 2016// /forward.5/1.9/Mon Mar 7 16:27:28 2016// -/forward.c/1.39/Sun Apr 17 08:27:43 2016// -/iobuf.c/1.9/Sun Apr 17 08:27:43 2016// /iobuf.h/1.4/Mon Mar 7 16:27:28 2016// -/ioev.c/1.25/Sun Apr 17 08:27:45 2016// -/ioev.h/1.6/Sun Apr 17 08:27:45 2016// -/limit.c/1.4/Sun Apr 17 08:27:43 2016// -/lka.c/1.192/Sun Apr 17 08:27:43 2016// -/lka_session.c/1.79/Sun Apr 17 08:27:43 2016// -/log.c/1.17/Sun Apr 17 08:27:43 2016// -/log.h/1.5/Sun Apr 17 08:27:43 2016// -/mailaddr.c/1.2/Sun Apr 17 08:27:43 2016// /makemap.8/1.29/Mon Mar 7 16:27:28 2016// -/makemap.c/1.65/Sun Apr 17 08:27:45 2016// -/mda.c/1.118/Sun Apr 17 08:27:45 2016// -/mproc.c/1.19/Sun Apr 17 08:27:45 2016// -/mta.c/1.200/Sun Apr 17 08:27:43 2016// -/mta_session.c/1.82/Sun Apr 17 08:27:43 2016// /newaliases.8/1.11/Mon Mar 7 16:27:28 2016// -/parse.y/1.183/Sun Apr 17 08:27:43 2016// -/parser.c/1.40/Sun Apr 17 08:27:43 2016// /parser.h/1.29/Mon Mar 7 
16:27:28 2016// -/pony.c/1.12/Sun Apr 17 08:27:43 2016// -/queue.c/1.176/Sun Apr 17 08:27:43 2016// -/queue_backend.c/1.62/Sun Apr 17 08:27:43 2016// -/queue_fs.c/1.14/Sun Apr 17 08:27:43 2016// -/queue_null.c/1.6/Sun Apr 17 08:27:43 2016// -/queue_proc.c/1.6/Sun Apr 17 08:27:43 2016// -/queue_ram.c/1.7/Sun Apr 17 08:27:43 2016// -/rfc2822.c/1.7/Sun Apr 17 08:27:43 2016// /rfc2822.h/1.4/Mon Mar 7 16:27:28 2016// -/ruleset.c/1.32/Sun Apr 17 08:27:43 2016// -/runq.c/1.2/Sun Apr 17 08:27:43 2016// -/scheduler.c/1.51/Sun Apr 17 08:27:43 2016// -/scheduler_backend.c/1.15/Sun Apr 17 08:27:43 2016// -/scheduler_null.c/1.9/Sun Apr 17 08:27:43 2016// -/scheduler_proc.c/1.8/Sun Apr 17 08:27:43 2016// -/scheduler_ramqueue.c/1.42/Sun Apr 17 08:27:43 2016// /sendmail.8/1.4/Mon Mar 7 16:27:28 2016// -/smtp.c/1.155/Sun Apr 17 08:27:45 2016// -/smtp_session.c/1.269/Sun Apr 17 08:27:45 2016// -/smtpctl.8/1.54/Mon Mar 7 16:27:28 2016// -/smtpctl.c/1.148/Sun Apr 17 08:27:45 2016// /smtpd-api.h/1.29/Mon Mar 7 16:27:28 2016// -/smtpd-defines.h/1.6/Sun Apr 17 08:27:43 2016// -/smtpd.8/1.28/Mon Mar 7 16:27:28 2016// -/smtpd.c/1.275/Sun Apr 17 08:27:45 2016// -/smtpd.conf.5/1.157/Sun Apr 17 08:28:17 2016// -/smtpd.h/1.514/Sun Apr 17 08:27:45 2016// -/ssl.c/1.85/Sun Apr 17 08:27:43 2016// -/ssl.h/1.19/Mon Mar 7 16:27:28 2016// -/ssl_smtpd.c/1.13/Sun Apr 17 08:27:43 2016// -/stat_backend.c/1.10/Sun Apr 17 08:27:43 2016// -/stat_ramstat.c/1.10/Sun Apr 17 08:27:43 2016// /table.5/1.5/Mon Mar 7 16:27:28 2016// -/table.c/1.23/Sun Apr 17 08:27:43 2016// -/table_api.c/1.8/Sun Apr 17 08:27:43 2016// -/table_db.c/1.9/Sun Apr 17 08:27:43 2016// -/table_getpwnam.c/1.4/Sun Apr 17 08:27:43 2016// -/table_proc.c/1.6/Sun Apr 17 08:27:43 2016// -/table_static.c/1.15/Sun Apr 17 08:27:43 2016// -/to.c/1.26/Sun Apr 17 08:27:43 2016// -/tree.c/1.5/Sun Apr 17 08:27:43 2016// -/util.c/1.126/Sun Apr 17 08:27:45 2016// -/waitq.c/1.5/Sun Apr 17 08:27:43 2016// +/aliases.c/1.69/Tue May 3 08:13:59 2016// 
+/bounce.c/1.72/Tue May 3 08:13:59 2016// +/ca.c/1.21/Tue May 3 08:13:59 2016// +/compress_backend.c/1.9/Tue May 3 08:13:59 2016// +/compress_gzip.c/1.10/Tue May 3 08:13:59 2016// +/config.c/1.34/Tue May 3 08:13:59 2016// +/control.c/1.112/Tue May 3 08:13:59 2016// +/crypto.c/1.5/Tue May 3 08:13:59 2016// +/delivery.c/1.6/Tue May 3 08:13:59 2016// +/delivery_filename.c/1.14/Tue May 3 08:13:59 2016// +/delivery_lmtp.c/1.15/Tue May 3 08:13:59 2016// +/delivery_maildir.c/1.17/Tue May 3 08:13:59 2016// +/delivery_mbox.c/1.12/Tue May 3 08:13:59 2016// +/delivery_mda.c/1.9/Tue May 3 08:13:59 2016// +/dict.c/1.5/Tue May 3 08:13:59 2016// +/dns.c/1.83/Tue May 3 08:13:59 2016// +/enqueue.c/1.112/Tue May 3 08:13:59 2016// +/envelope.c/1.36/Tue May 3 08:13:59 2016// +/esc.c/1.4/Tue May 3 08:13:59 2016// +/expand.c/1.29/Tue May 3 08:13:59 2016// +/filter.c/1.17/Tue May 3 08:13:59 2016// +/forward.c/1.39/Tue May 3 08:13:59 2016// +/iobuf.c/1.9/Tue May 3 08:13:59 2016// +/ioev.c/1.25/Tue May 3 08:13:59 2016// +/ioev.h/1.6/Sun Apr 17 08:29:30 2016// +/limit.c/1.4/Tue May 3 08:13:59 2016// +/lka.c/1.192/Tue May 3 08:13:59 2016// +/lka_session.c/1.79/Tue May 3 08:13:59 2016// +/log.c/1.17/Tue May 3 08:13:59 2016// +/log.h/1.5/Tue May 3 08:13:59 2016// +/mailaddr.c/1.2/Tue May 3 08:13:59 2016// +/makemap.c/1.65/Tue May 3 08:13:59 2016// +/mda.c/1.118/Tue May 3 08:13:59 2016// +/mproc.c/1.19/Tue May 3 08:13:59 2016// +/mta.c/1.200/Tue May 3 08:13:59 2016// +/mta_session.c/1.82/Tue May 3 08:13:59 2016// +/parse.y/1.184/Wed May 4 08:42:16 2016// +/parser.c/1.40/Tue May 3 08:13:59 2016// +/pony.c/1.12/Tue May 3 08:13:59 2016// +/queue.c/1.177/Wed May 4 08:42:17 2016// +/queue_backend.c/1.62/Tue May 3 08:13:59 2016// +/queue_fs.c/1.14/Tue May 3 08:13:59 2016// +/queue_null.c/1.6/Tue May 3 08:13:59 2016// +/queue_proc.c/1.6/Tue May 3 08:13:59 2016// +/queue_ram.c/1.7/Tue May 3 08:13:59 2016// +/rfc2822.c/1.7/Tue May 3 08:13:59 2016// +/ruleset.c/1.32/Tue May 3 08:13:59 2016// 
+/runq.c/1.2/Tue May 3 08:13:59 2016// +/scheduler.c/1.51/Tue May 3 08:13:59 2016// +/scheduler_backend.c/1.15/Tue May 3 08:13:59 2016// +/scheduler_null.c/1.9/Tue May 3 08:13:59 2016// +/scheduler_proc.c/1.8/Tue May 3 08:13:59 2016// +/scheduler_ramqueue.c/1.42/Tue May 3 08:13:59 2016// +/smtp.c/1.155/Tue May 3 08:13:59 2016// +/smtp_session.c/1.269/Tue May 3 08:13:59 2016// +/smtpctl.8/1.55/Wed May 4 08:42:17 2016// +/smtpctl.c/1.149/Wed May 4 08:42:17 2016// +/smtpd-defines.h/1.6/Tue May 3 08:13:59 2016// +/smtpd.8/1.30/Wed May 4 08:42:17 2016// +/smtpd.c/1.276/Wed May 4 08:42:18 2016// +/smtpd.conf.5/1.159/Wed May 4 08:42:18 2016// +/smtpd.h/1.514/Tue May 3 08:13:59 2016// +/ssl.c/1.86/Wed May 4 08:42:18 2016// +/ssl.h/1.20/Wed May 4 08:42:19 2016// +/ssl_smtpd.c/1.13/Tue May 3 08:13:59 2016// +/stat_backend.c/1.10/Tue May 3 08:13:59 2016// +/stat_ramstat.c/1.10/Tue May 3 08:13:59 2016// +/table.c/1.23/Tue May 3 08:13:59 2016// +/table_api.c/1.8/Tue May 3 08:13:59 2016// +/table_db.c/1.9/Tue May 3 08:13:59 2016// +/table_getpwnam.c/1.4/Tue May 3 08:13:59 2016// +/table_proc.c/1.6/Tue May 3 08:13:59 2016// +/table_static.c/1.15/Tue May 3 08:13:59 2016// +/to.c/1.26/Tue May 3 08:13:59 2016// +/tree.c/1.5/Tue May 3 08:13:59 2016// +/util.c/1.126/Tue May 3 08:13:59 2016// +/waitq.c/1.5/Tue May 3 08:13:59 2016//
diff --git a/smtpd/parse.y b/smtpd/parse.y
index 067af85f..6d9f3aa3 100644
--- a/smtpd/parse.y
+++ b/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.183 2016/02/22 16:19:05 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.184 2016/04/21 14:27:41 jsing Exp $ */
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -184,7 +184,7 @@ typedef struct {
 %token	TABLE SECURE SMTPS CERTIFICATE DOMAIN BOUNCEWARN LIMIT INET4 INET6 NODSN SESSION
 %token	RELAY BACKUP VIA DELIVER TO LMTP MAILDIR MBOX RCPTTO HOSTNAME HOSTNAMES
 %token	ACCEPT REJECT INCLUDE ERROR MDA FROM FOR SOURCE MTA PKI SCHEDULER
-%token	ARROW AUTH TLS LOCAL VIRTUAL TAG TAGGED ALIAS FILTER KEY CA DHPARAMS
+%token	ARROW AUTH TLS LOCAL VIRTUAL TAG TAGGED ALIAS FILTER KEY CA DHE
 %token	AUTH_OPTIONAL TLS_REQUIRE USERBASE SENDER SENDERS MASK_SOURCE VERIFY FORWARDONLY RECIPIENT
 %token	CIPHERS RECEIVEDAUTH MASQUERADE SOCKET
 %token	<v.string>	STRING
@@ -405,8 +405,19 @@ opt_pki		: CERTIFICATE STRING {
 		| KEY STRING {
 			pki->pki_key_file = $2;
 		}
-		| DHPARAMS STRING {
-			pki->pki_dhparams_file = $2;
+		| DHE STRING {
+			if (strcasecmp($2, "none") == 0)
+				pki->pki_dhe = 0;
+			else if (strcasecmp($2, "auto") == 0)
+				pki->pki_dhe = 1;
+			else if (strcasecmp($2, "legacy") == 0)
+				pki->pki_dhe = 2;
+			else {
+				yyerror("invalid DHE keyword: %s", $2);
+				free($2);
+				YYERROR;
+			}
+			free($2);
 		}
 		;
@@ -1468,7 +1479,7 @@ lookup(char *s)
 		{ "ciphers",		CIPHERS },
 		{ "compression",	COMPRESSION },
 		{ "deliver",		DELIVER },
-		{ "dhparams",		DHPARAMS },
+		{ "dhe",		DHE },
 		{ "domain",		DOMAIN },
 		{ "encryption",		ENCRYPTION },
 		{ "expire",		EXPIRE },
diff --git a/smtpd/queue.c b/smtpd/queue.c
index fd335eea..ccd3546b 100644
--- a/smtpd/queue.c
+++ b/smtpd/queue.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: queue.c,v 1.176 2016/01/27 12:46:03 sunil Exp $ */
+/* $OpenBSD: queue.c,v 1.177 2016/04/29 08:55:08 eric Exp $ */
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -76,9 +76,8 @@ queue_imsg(struct mproc *p, struct imsg *imsg)
 	uint64_t	 reqid, evpid, holdq;
 	uint32_t	 msgid;
 	time_t		 nexttry;
-	size_t		 buflen, id_sz, n_evp;
+	size_t		 n_evp;
 	int		 fd, mta_ext, ret, v, flags, code;
-	char		 buf[sizeof(evp)];
 	memset(&bounce, 0, sizeof(struct delivery_bounce));
 	if (p->proc == PROC_PONY) {
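Review bot: The three DHE states are bare literals in the new `DHE STRING` rule (`pki->pki_dhe = 0`, `1`, `2`) and nothing in the grammar says what they mean; the same values reappear as `int pki_dhe` in the ssl.h hunk and are handed straight through as `SSL_CTX_set_dh_auto(ctx, pki->pki_dhe)` in the ssl.c hunk, so a change at any one site silently breaks the other two. I would put a comment above the rule, `/* value is passed verbatim to SSL_CTX_set_dh_auto(): 0 = none (DHE disabled), 1 = auto, 2 = legacy (fixed 1024-bit group) */`, and the same note on the `pki_dhe` field in ssl.h. The manual page hunk says `legacy` means a fixed 1024-bit key length, which is a compatibility setting rather than a strengthening one, and the code should say so where the value is assigned. A pki block that never mentions `dhe` presumably leaves `pki_dhe` at zero from the struct's initialisation, which is not visible here; worth confirming that this matches the "default is none" smtpd.conf.5 now promises. The `opt_pki` rule continues outside the hunk.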
@@ -323,9 +322,6 @@ queue_imsg(struct mproc *p, struct imsg *imsg)
 			 * its way back to the scheduler. We need to detect
 			 * this properly and report that state.
 			 */
-			evp.flags |= flags;
-			/* In the past if running or runnable */
-			evp.nexttry = nexttry;
 			if (flags & EF_INFLIGHT) {
 				/*
 				 * Not exactly correct but pretty close: The
@@ -335,12 +331,12 @@ queue_imsg(struct mproc *p, struct imsg *imsg)
 				evp.lasttry = nexttry;
 			}
-			id_sz = sizeof evp.id;
-			(void)memcpy(buf, &evp.id, id_sz);
-			buflen = envelope_dump_buffer(&evp, buf + id_sz,
-			    sizeof(buf) - id_sz);
-			m_compose(p_control, IMSG_CTL_LIST_ENVELOPES,
-			    imsg->hdr.peerid, 0, -1, buf, id_sz + buflen + 1);
+			m_create(p_control, IMSG_CTL_LIST_ENVELOPES,
+			    imsg->hdr.peerid, 0, -1);
+			m_add_int(p_control, flags);
+			m_add_time(p_control, nexttry);
+			m_add_envelope(p_control, &evp);
+			m_close(p_control);
 			return;
 		}
 	}
diff --git a/smtpd/smtpctl.8 b/smtpd/smtpctl.8
index 05446eeb..17618ecf 100644
--- a/smtpd/smtpctl.8
+++ b/smtpd/smtpctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpctl.8,v 1.54 2015/11/05 09:14:31 sunil Exp $
+.\" $OpenBSD: smtpctl.8,v 1.55 2016/04/17 18:41:03 jung Exp $
 .\"
 .\" Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
 .\" Copyright (c) 2012 Gilles Chehade <gilles@poolp.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 5 2015 $
+.Dd $Mdocdate: April 17 2016 $
 .Dt SMTPCTL 8
 .Os
 .Sh NAME
@@ -260,7 +260,7 @@ io
 .It
 smtp (incoming sessions)
 .It
-filter
+filters
 .It
 transfer (outgoing sessions)
 .It
diff --git a/smtpd/smtpctl.c b/smtpd/smtpctl.c
index 6e0192aa..cd27143d 100644
--- a/smtpd/smtpctl.c
+++ b/smtpd/smtpctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpctl.c,v 1.148 2016/03/17 19:40:43 krw Exp $ */
+/* $OpenBSD: smtpctl.c,v 1.149 2016/04/29 08:55:08 eric Exp $ */
 /*
  * Copyright (c) 2013 Eric Faurot <eric@openbsd.org>
@@ -235,6 +235,51 @@ srv_read(void *dst, size_t sz)
 }
 static void
+srv_get_int(int *i)
+{
+	uint8_t type;
+
+	srv_read(&type, 1);
+	srv_read(i, sizeof(*i));
+}
+
+static void
+srv_get_time(time_t *t)
+{
+	uint8_t type;
+
+	srv_read(&type, 1);
+	srv_read(t, sizeof(*t));
+}
+
+static void
+srv_get_evpid(uint64_t *evpid)
+{
+	uint8_t type;
+
+	srv_read(&type, 1);
+	srv_read(evpid, sizeof(*evpid));
+}
+
+static void
+srv_get_envelope(struct envelope *evp)
+{
+	uint64_t evpid;
+	uint8_t type;
+	size_t s;
+	const void *d;
+
+	srv_get_evpid(&evpid);
+	srv_read(&type, sizeof(type));
+	srv_read(&s, sizeof(s));
+	d = rdata;
+	srv_read(NULL, s);
+
+	envelope_load_buffer(evp, d, s - 1);
+	evp->id = evpid;
+}
+
+static void
 srv_end(void)
 {
 	if (rlen)
@@ -311,9 +356,8 @@ srv_iter_envelopes(uint32_t msgid, struct envelope *evp)
 	static uint32_t currmsgid = 0;
 	static uint64_t from = 0;
 	static int done = 0, need_send = 1, found;
-	char buf[sizeof(*evp)];
-	size_t buflen;
-	uint64_t evpid;
+	int flags;
+	time_t nexttry;
 	if (currmsgid != msgid) {
 		if (currmsgid != 0 && !done)
@@ -346,13 +390,14 @@ srv_iter_envelopes(uint32_t msgid, struct envelope *evp)
 		goto again;
 	}
-	srv_read(&evpid, sizeof evpid);
-	buflen = rlen;
-	srv_read(buf, rlen);
-	envelope_load_buffer(evp, buf, buflen - 1);
-	evp->id = evpid;
-
+	srv_get_int(&flags);
+	srv_get_time(&nexttry);
+	srv_get_envelope(evp);
 	srv_end();
+
+	evp->flags |= flags;
+	evp->nexttry = nexttry;
+
 	from = evp->id + 1;
 	found++;
 	return (1);
diff --git a/smtpd/smtpd.8 b/smtpd/smtpd.8
index ecd9db26..0a5d20dd 100644
--- a/smtpd/smtpd.8
+++ b/smtpd/smtpd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.8,v 1.28 2015/10/24 11:38:39 jung Exp $
+.\" $OpenBSD: smtpd.8,v 1.30 2016/04/18 21:06:42 jmc Exp $
 .\"
 .\" Copyright (c) 2012, Eric Faurot <eric@openbsd.org>
 .\" Copyright (c) 2008, Gilles Chehade <gilles@poolp.org>
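Review bot: None of the four new readers validates the tag byte it pulls off the control socket: `srv_get_int`, `srv_get_time`, `srv_get_evpid` and `srv_get_envelope` each read `type` and then ignore it, so a reply whose fields arrive in a different order or shape (for instance a daemon and a `smtpctl` from different versions sharing the socket) is decoded into `flags`, `nexttry` and the envelope as garbage instead of being rejected, and in `srv_get_envelope` the wire length `s` is used as `s - 1` with no check, which wraps to `SIZE_MAX` when `s == 0`. The layout the readers expect (tag, then value) implies the `m_add_*` calls in the queue.c hunk write that tag precisely so it can be compared; I would check it against the expected tag and fail loudly on mismatch, and add `if (s == 0) errx(1, "srv_get_envelope: empty envelope");` before `envelope_load_buffer()`. Whether `srv_read(NULL, s)` bounds-checks `s` against `rlen` depends on `srv_read()`, whose body ends just before this hunk, so that part I cannot confirm from here. `srv_iter_envelopes()` starts and ends outside its two hunks.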
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 24 2015 $
+.Dd $Mdocdate: April 18 2016 $
 .Dt SMTPD 8
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .Op Fl D Ar macro Ns = Ns Ar value
 .Op Fl f Ar file
 .Op Fl P Ar system
+.Op Fl T Ar trace
 .Sh DESCRIPTION
 .Nm
 is a Simple Mail Transfer Protocol
@@ -86,6 +87,41 @@ Do not schedule remote transfers.
 .It smtp
 Do not listen on SMTP sockets.
 .El
+.It Fl T Ar trace
+Enables real-time tracing at startup.
+Normal operation can be resumed using
+.Xr smtpctl 8 .
+This option can be used multiple times.
+The accepted values are:
+.Pp
+.Bl -bullet -compact
+.It
+imsg
+.It
+io
+.It
+smtp (incoming sessions)
+.It
+filters
+.It
+transfer (outgoing sessions)
+.It
+bounce
+.It
+scheduler
+.It
+expand (aliases/virtual/forward expansion)
+.It
+lookup (user/credentials lookups)
+.It
+stat
+.It
+rules (matched by incoming sessions)
+.It
+mproc
+.It
+all
+.El
 .It Fl v
 Produce more verbose output.
 .El
diff --git a/smtpd/smtpd.c b/smtpd/smtpd.c
index 9fe07518..f9c9401f 100644
--- a/smtpd/smtpd.c
+++ b/smtpd/smtpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.c,v 1.275 2016/03/17 19:40:43 krw Exp $ */
+/* $OpenBSD: smtpd.c,v 1.276 2016/04/21 14:27:41 jsing Exp $ */
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -785,10 +785,6 @@ load_pki_tree(void)
 		if (!ssl_load_certificate(pki, pki->pki_cert_file))
 			fatalx("load_pki_tree: failed to load certificate file");
-
-		if (pki->pki_dhparams_file)
-			if (!ssl_load_dhparams(pki, pki->pki_dhparams_file))
-				fatalx("load_pki_tree: failed to load dhparams file");
 	}
 	log_debug("debug: init ca-tree");
diff --git a/smtpd/smtpd.conf.5 b/smtpd/smtpd.conf.5
index 2ae04414..17651804 100644
--- a/smtpd/smtpd.conf.5
+++ b/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.157 2016/04/10 06:48:07 jmc Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.159 2016/05/03 18:43:45 jung Exp $
 .\"
 .\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
 .\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -17,7 +17,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .\"
-.Dd $Mdocdate: April 10 2016 $
+.Dd $Mdocdate: May 3 2016 $
 .Dt SMTPD.CONF 5
 .Os
 .Sh NAME
@@ -851,19 +851,13 @@ Associate the key located in
 .Ar keyfile
 with
 .Ar hostname .
-.It Ic pki Ar hostname Ic dhparams Ar dhfile
-Associate the Diffie-Hellman parameters located in
-.Ar dhfile
-with
+.It Ic pki Ar hostname Ic dhe Ar params
+Specify the DHE parameters to use for DHE cipher suites with
 .Ar hostname .
-.Pp
-The parameters are used for ephemeral key exchange.
-If not specified,
-.Xr smtpd 8
-will use safely generated built-in parameters.
-.Pp
-Creation of Diffie-Hellman parameters is documented in
-.Xr openssl 1 .
+Valid parameter values are none, legacy and auto.
+For legacy a fixed key length of 1024 bits is used, whereas for auto the key
+length is determined automatically.
+The default is none, which disables DHE cipher suites.
 .It Ic queue compression
 Enable transparent compression of envelopes and messages.
 The only supported algorithm at the moment is gzip.
@@ -1055,9 +1049,11 @@ A secrets file is needed to specify a username and password:
 .Nm
 would look like this:
 .Bd -literal -offset indent
-listen on lo0
 table aliases file:/etc/mail/aliases
 table secrets file:/etc/mail/secrets
+
+listen on lo0
+
 accept for local alias <aliases> deliver to mbox
 accept for any relay via tls+auth://label@smtp.example.com \e
 	auth <secrets>
@@ -1085,11 +1081,11 @@ The configuration file would look like this:
 pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"
 pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
+table aliases file:/etc/mail/aliases
+
 listen on lo0
 listen on egress tls pki mail.example.com auth
-table aliases file:/etc/mail/aliases
-
 accept for local alias <aliases> deliver to mda "/path/to/mda \-f \-"
 accept from any for domain example.com \e
 	deliver to mda "/path/to/mda \-f \-"
@@ -1104,11 +1100,11 @@ but all outgoing mail is passed to dkimproxy_out on port 10027 for signing.
 The signed messages are received on port 10028 and tagged for relaying.
 .Bd -literal -offset indent
+table aliases file:/etc/mail/aliases
+
 listen on lo0
 listen on lo0 port 10028 tag DKIM
-table aliases file:/etc/mail/aliases
-
 accept for local alias <aliases> deliver to mbox
 accept tagged DKIM for any relay
 accept from local for any relay via smtp://127.0.0.1:10027
@@ -1122,12 +1118,12 @@ The table can be used to specify the IP addresses of relays that may
 legitimately originate mail with your domain as the sender.
 .Bd -literal -offset indent
-listen on lo0
-listen on egress
-
 table aliases file:/etc/mail/aliases
 table other-relays file:/etc/mail/other-relays
+listen on lo0
+listen on egress
+
 accept for local alias <aliases> deliver to mbox
 accept from local for any relay
 reject from ! source <other-relays> sender "@example.com" for any
diff --git a/smtpd/ssl.c b/smtpd/ssl.c
index 54b9ef86..8c4fb247 100644
--- a/smtpd/ssl.c
+++ b/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.85 2015/12/13 09:52:44 gilles Exp $ */
+/* $OpenBSD: ssl.c,v 1.86 2016/04/21 14:27:41 jsing Exp $ */
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -47,9 +47,6 @@
 #include "log.h"
 #include "ssl.h"
-static DH *get_dh2048(void);
-static DH *get_dh_from_memory(char *, size_t);
-
 void
 ssl_init(void)
 {
@@ -73,7 +70,6 @@ int
 ssl_setup(SSL_CTX **ctxp, struct pki *pki,
     int (*sni_cb)(SSL *,int *,void *), const char *ciphers)
 {
-	DH *dh;
 	SSL_CTX *ctx;
 	uint8_t sid[SSL_MAX_SID_CTX_LENGTH];
@@ -91,13 +87,7 @@ ssl_setup(SSL_CTX **ctxp, struct pki *pki,
 	if (sni_cb)
 		SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
-	if (pki->pki_dhparams_len == 0)
-		dh = get_dh2048();
-	else
-		dh = get_dh_from_memory(pki->pki_dhparams,
-		    pki->pki_dhparams_len);
-	ssl_set_ephemeral_key_exchange(ctx, dh);
-	DH_free(dh);
+	SSL_CTX_set_dh_auto(ctx, pki->pki_dhe);
 	SSL_CTX_set_ecdh_auto(ctx, 1);
@@ -335,19 +325,6 @@ ssl_load_cafile(struct ca *c, const char *pathname)
 	return 1;
 }
-int
-ssl_load_dhparams(struct pki *p, const char *pathname)
-{
-	p->pki_dhparams = ssl_load_file(pathname, &p->pki_dhparams_len, 0755);
-	if (p->pki_dhparams == NULL) {
-		if (errno == EACCES)
-			return 0;
-		log_info("info: No DH parameters found in %s: "
-		    "using built-in parameters", pathname);
-	}
-	return 1;
-}
-
 const char *
 ssl_to_text(const SSL *ssl)
 {
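Review bot: `SSL_CTX_set_dh_auto(ctx, pki->pki_dhe)` replaces a DH setup that always ran (the built-in 2048-bit group from `get_dh2048()` or the `dhparams` file) with one that is off unless the pki block says `dhe auto` or `dhe legacy`, since a block without `dhe` presumably leaves `pki_dhe` at 0; an existing configuration that had no `dhparams` line therefore loses DHE cipher suites on upgrade with no diagnostic, and forward secrecy then rests on ECDHE alone (`SSL_CTX_set_ecdh_auto(ctx, 1)` is unchanged). The smtpd.conf.5 hunk documents the new default, but I would make it visible at runtime as well, e.g. `if (pki->pki_dhe == 0) log_debug("debug: ssl_setup: DHE cipher suites disabled for this pki");` next to the new call. LibreSSL provides `SSL_CTX_set_dh_auto()` with these 0/1/2 state values; whether every OpenSSL release this portable branch is built against does is not visible in this diff and would need a compat definition if not. `ssl_setup()` continues outside the hunk.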
@@ -373,93 +350,6 @@ ssl_error(const char *where)
 	}
 }
-/* From OpenSSL's documentation:
- *
- * If "strong" primes were used to generate the DH parameters, it is
- * not strictly necessary to generate a new key for each handshake
- * but it does improve forward secrecy.
- *
- * -- gilles@
- */
-static DH *
-get_dh2048(void)
-{
-	DH *dh;
-	unsigned char dh2048_p[] = {
-		0xB2,0xE2,0x07,0x34,0x16,0xEB,0x18,0xB5,0xED,0x0F,0xD4,0xC3,
-		0xB6,0x6B,0x79,0xDF,0xA1,0x98,0x1C,0x8D,0x68,0x97,0x6C,0xDF,
-		0xFF,0x38,0x60,0xEC,0x93,0x40,0xEF,0x26,0x12,0xB8,0x1B,0x79,
-		0x68,0x72,0x47,0x8F,0x53,0x4C,0xBF,0x90,0xFF,0xE0,0x3E,0xE7,
-		0x43,0x95,0x0B,0x97,0x43,0xDA,0xB4,0xE1,0x85,0x69,0xA5,0x67,
-		0xFB,0x10,0x97,0x5A,0x0D,0x11,0xEB,0xED,0x78,0x82,0xCC,0xF5,
-		0x7A,0xCC,0x27,0x27,0x5E,0xE5,0x3D,0xBA,0x47,0x38,0xBE,0x18,
-		0xCA,0xC7,0x16,0xC7,0x7B,0x9E,0xA7,0xB0,0x80,0xAC,0x92,0x25,
-		0x36,0x16,0x8F,0x29,0xA5,0x32,0x01,0x60,0x33,0x7C,0x2C,0x2F,
-		0x49,0x7C,0x1D,0x4B,0xDA,0xBD,0xE4,0xF9,0x82,0x2B,0x71,0xCB,
-		0x07,0xE3,0xCC,0x65,0x8A,0x1A,0xAB,0x81,0x0F,0xA9,0x96,0x35,
-		0x4C,0xFD,0x42,0xFC,0xD6,0xE3,0xE8,0x2E,0x0E,0xAA,0x4D,0x75,
-		0x54,0x02,0x49,0xDD,0xC5,0x5F,0x38,0x93,0xFA,0xEF,0x7D,0xBA,
-		0x0C,0x75,0x93,0x09,0x8C,0x24,0x65,0xC6,0xF4,0xBF,0x59,0xF0,
-		0x5D,0x0A,0xA4,0x26,0x7F,0xDA,0x0F,0x41,0x3A,0x43,0x61,0xDF,
-		0x09,0x26,0xA1,0xB0,0xFE,0x8D,0xA6,0x21,0xC1,0xFD,0x41,0x65,
-		0x30,0xE7,0xE4,0xD0,0x8E,0x78,0x93,0x3C,0x3E,0x3E,0xCA,0x30,
-		0xA7,0x25,0x35,0x24,0x26,0x29,0xAC,0xCE,0x21,0x78,0x3B,0x9D,
-		0xDD,0x0B,0x44,0xD0,0x7C,0xEB,0x2F,0xDD,0xE7,0x64,0xBC,0xF7,
-		0x40,0x12,0xC8,0x35,0xFA,0x81,0xD6,0x80,0x39,0x1C,0x77,0x72,
-		0x86,0x5B,0x19,0xDC,0xCB,0xDC,0xCB,0xF6,0x54,0x6F,0xB1,0xCB,
-		0xE4,0xC3,0x05,0xD3
-	};
-	unsigned char dh2048_g[] = {
-		0x02
-	};
-
-	if ((dh = DH_new()) == NULL)
-		return NULL;
-
-	dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
-	dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
-	if (dh->p == NULL || dh->g == NULL) {
-		DH_free(dh);
-		return NULL;
-	}
-
-	return dh;
-}
-
-static DH *
-get_dh_from_memory(char *params, size_t len)
-{
-	BIO *mem;
-	DH *dh;
-
-	mem = BIO_new_mem_buf(params, len);
-	if (mem == NULL)
-		return NULL;
-	dh = PEM_read_bio_DHparams(mem, NULL, NULL, NULL);
-	if (dh == NULL)
-		goto err;
-	if (dh->p == NULL || dh->g == NULL)
-		goto err;
-	return dh;
-
-err:
-	if (mem != NULL)
-		BIO_free(mem);
-	if (dh != NULL)
-		DH_free(dh);
-	return NULL;
-}
-
-
-void
-ssl_set_ephemeral_key_exchange(SSL_CTX *ctx, DH *dh)
-{
-	if (dh == NULL || !SSL_CTX_set_tmp_dh(ctx, dh)) {
-		ssl_error("ssl_set_ephemeral_key_exchange");
-		fatal("ssl_set_ephemeral_key_exchange: cannot set tmp dh");
-	}
-}
-
 int
 ssl_load_pkey(const void *data, size_t datalen, char *buf, off_t len,
     X509 **x509ptr, EVP_PKEY **pkeyptr)
diff --git a/smtpd/ssl.h b/smtpd/ssl.h
index f86705a8..dfa6994c 100644
--- a/smtpd/ssl.h
+++ b/smtpd/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.19 2015/12/13 09:52:44 gilles Exp $ */
+/* $OpenBSD: ssl.h,v 1.20 2016/04/21 14:27:41 jsing Exp $ */
 /*
  * Copyright (c) 2013 Gilles Chehade <gilles@poolp.org>
  *
@@ -31,9 +31,7 @@ struct pki {
 	EVP_PKEY *pki_pkey;
-	char *pki_dhparams_file;
-	char *pki_dhparams;
-	off_t pki_dhparams_len;
+	int pki_dhe;
 };
 struct ca {
@@ -51,7 +49,6 @@ int ssl_setup(SSL_CTX **, struct pki *,
 	    int (*)(SSL *, int *, void *), const char *);
 SSL_CTX *ssl_ctx_create(const char *, char *, off_t, const char *);
 int ssl_cmp(struct pki *, struct pki *);
-void ssl_set_ephemeral_key_exchange(SSL_CTX *, DH *);
 char *ssl_load_file(const char *, off_t *, mode_t);
 char *ssl_load_key(const char *, off_t *, char *, mode_t, const char *);
@@ -61,7 +58,6 @@ void ssl_error(const char *);
 int ssl_load_certificate(struct pki *, const char *);
 int ssl_load_keyfile(struct pki *, const char *, const char *);
 int ssl_load_cafile(struct ca *, const char *);
-int ssl_load_dhparams(struct pki *, const char *);
 int ssl_load_pkey(const void *, size_t, char *, off_t,
 	    X509 **, EVP_PKEY **);
 int ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t,