author | 2012-10-09 20:33:02 +0000 | |
committer | 2012-10-09 20:33:02 +0000 | |
commit | c6b7d123cbc362c8490b7410829f43e39ce6b4f5 (patch) | |
tree | f38db05ea3501eb7ad15778b4c829275b6d8212e | |
parent | Reject ssl key/certs/CA/DH files if their ownership/permissions are not (diff) | |
- allow a listen statement to impose tls on its clients;
- make listen statements impose authentication if 'auth' is specified and
make it optional if 'auth-optional' is specified;
- sync documentation accordingly
with ideas and input from beck@ and halex@, ok eric@
-rw-r--r-- | usr.sbin/smtpd/parse.y | 19 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtp_session.c | 17 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.conf.5 | 27 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.h | 6 |
4 files changed, 50 insertions, 19 deletions
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 8df85213131..2ee255d3134 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.106 2012/10/08 20:35:16 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.107 2012/10/09 20:33:02 gilles Exp $ */
 
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@openbsd.org>
@@ -124,7 +124,8 @@ typedef struct {
 %token DB LDAP PLAIN DOMAIN SOURCE
 %token RELAY BACKUP VIA DELIVER TO MAILDIR MBOX HOSTNAME
 %token ACCEPT REJECT INCLUDE ERROR MDA FROM FOR
-%token ARROW ENABLE AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST
+%token ARROW AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST
+%token AUTH_OPTIONAL TLS_REQUIRE
 %token <v.string> STRING
 %token <v.number> NUMBER
 %type <v.map> map
@@ -260,10 +261,12 @@ certname : CERTIFICATE STRING {
 ssl : SMTPS { $$ = F_SMTPS; }
 | TLS { $$ = F_STARTTLS; }
 | SSL { $$ = F_SSL; }
- | /* empty */ { $$ = 0; }
+ | TLS_REQUIRE { $$ = F_STARTTLS|F_STARTTLS_REQUIRE; }
+ | /* Empty */ { $$ = 0; }
 ;
 
-auth : ENABLE AUTH { $$ = 1; }
+auth : AUTH { $$ = F_AUTH|F_AUTH_REQUIRE; }
+ | AUTH_OPTIONAL { $$ = F_AUTH; }
 | /* empty */ { $$ = 0; }
 ;
 
@@ -364,10 +367,7 @@ main : QUEUE INTERVAL interval {
 }
 cert = ($6 != NULL) ? $6 : $3;
 
- flags = $5;
-
- if ($7)
- flags |= F_AUTH;
+ flags = $5 | $7; /* ssl | auth */
 
 if ($5 && ssl_load_certfile(cert, F_SCERT) < 0) {
 yyerror("cannot load certificate: %s", cert);
@@ -940,6 +940,7 @@ lookup(char *s)
 { "all", ALL },
 { "as", AS },
 { "auth", AUTH },
+ { "auth-optional", AUTH_OPTIONAL },
 { "backup", BACKUP },
 { "certificate", CERTIFICATE },
 { "cipher", CIPHER },
@@ -948,7 +949,6 @@ lookup(char *s)
 { "deliver", DELIVER },
 { "digest", DIGEST },
 { "domain", DOMAIN },
- { "enable", ENABLE },
 { "encryption", ENCRYPTION },
 { "expire", EXPIRE },
 { "filter", FILTER },
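Review bot: In the `main` rule hunk, `flags = $5 | $7; /* ssl | auth */` accepts `auth` (F_AUTH|F_AUTH_REQUIRE) on a listener whose `ssl` alternative is empty, so a configuration can require authentication while still offering it over a cleartext connection, and nothing in this hunk ties the two together. Unless the AUTH command handler elsewhere refuses AUTH on an unsecured session, consider rejecting the combination at parse time, e.g. `if ($7 && !$5) { yyerror("auth requires tls, tls-require or smtps"); ... }` taking the same error exit the certificate-load failure just below uses, or at least spelling out the consequence in smtpd.conf.5. Separately, the new `/* Empty */` alternative in the `ssl` rule is capitalised while the matching `auth` alternative keeps `/* empty */`; pick one spelling. The `main` rule body begins and ends outside this hunk.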
@@ -980,6 +980,7 @@ lookup(char *s)
 { "ssl", SSL },
 { "tag", TAG },
 { "tls", TLS },
+ { "tls-require", TLS_REQUIRE },
 { "to", TO },
 { "via", VIA },
 { "virtual", VIRTUAL },
diff --git a/usr.sbin/smtpd/smtp_session.c b/usr.sbin/smtpd/smtp_session.c
index a7b0d304e43..19351bc2790 100644
--- a/usr.sbin/smtpd/smtp_session.c
+++ b/usr.sbin/smtpd/smtp_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtp_session.c,v 1.170 2012/10/07 15:46:38 chl Exp $ */
+/* $OpenBSD: smtp_session.c,v 1.171 2012/10/09 20:33:02 gilles Exp $ */
 
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@openbsd.org>
@@ -400,6 +400,21 @@ session_rfc5321_mail_handler(struct session *s, char *args)
 return 1;
 }
 
+
+ if (s->s_l->flags & F_STARTTLS_REQUIRE)
+ if (!(s->s_flags & F_SECURE)) {
+ session_respond(s,
+ "530 5.7.0 Must issue a STARTTLS command first");
+ return 1;
+ }
+
+ if (s->s_l->flags & F_AUTH_REQUIRE)
+ if (!(s->s_flags & F_AUTHENTICATED)) {
+ session_respond(s,
+ "530 5.7.0 Must issue an AUTH command first");
+ return 1;
+ }
+
 if (s->s_state != S_HELO) {
 session_respond(s, "503 5.5.1 Sender already specified");
 return 1;
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index 0f1d8fc2ff9..9253cb13383 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.71 2012/10/09 18:28:09 gilles Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.72 2012/10/09 20:33:02 gilles Exp $
 .\"
 .\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
 .\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -53,7 +53,7 @@ For example:
 .Bd -literal -offset indent
 lan_addr = "192.168.0.1"
 listen on $lan_addr
-listen on $lan_addr tls enable auth
+listen on $lan_addr tls auth
 .Ed
 .Pp
 Some configuration directives expect expansion of their parameters at runtime.
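Review bot: The two new checks in session_rfc5321_mail_handler each wrap a braced `if` in a brace-less outer `if`, which is easy to misread and invites a dangling-else mistake on the next edit; each pair collapses to a single condition, `if ((s->s_l->flags & F_STARTTLS_REQUIRE) && !(s->s_flags & F_SECURE)) {` and likewise `if ((s->s_l->flags & F_AUTH_REQUIRE) && !(s->s_flags & F_AUTHENTICATED)) {`. The enforcement also lives only in the MAIL FROM handler; whether the AUTH command handler (outside this hunk) already refuses AUTH on a session without F_SECURE when F_STARTTLS_REQUIRE is set is not visible here, and if it does not, a client is still able to send credentials before encryption and is only turned away at MAIL, so that path deserves the same F_SECURE guard. Checking TLS before AUTH, as done here, is the right order. The enclosing function starts and ends outside this hunk.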
@@ -99,9 +99,9 @@ as returned by
 .It Xo
 .Ic listen on Ar interface
 .Op Ic port Ar port
-.Op Ic tls | smtps
+.Op Ic tls | tls-require | smtps
 .Op Ic certificate Ar name
-.Op Ic enable auth
+.Op Ic auth | auth-optional
 .Xc
 Specify an
 .Ar interface
@@ -118,6 +118,9 @@ by default on port 25, or SMTPS .Pq Ic smtps , by default on port 465. +.Ar tls-require +may be used to force clients to establish a secure connection +before being allowed to start a SMTP transaction. Host certificates may be used for these connections, and are searched for in the .Pa /etc/mail/certs
@@ -150,11 +153,21 @@ Creation of certificates is documented in
 .Xr starttls 8 .
 .Pp
 If the
-.Ic enable auth
+.Ic auth
 parameter is used,
-any remote sender that passed SMTPAUTH is treated as if
+then a client may only start a SMTP transaction after a
+successful authentication.
+Any remote sender that passed SMTPAUTH is treated as if
 it was the server's local user that was sending the mail.
 This means that filter rules using "from local" will be matched.
+If
+.Ic auth-optional
+is specified, then SMTPAUTH is not required to establish a
+SMTP transaction.
+This is only useful to let a listener accept incoming mail from
+untrusted senders and outgoing mail from authenticated users in
+situations where it is not possible to listen on the submission
+port.
 .It Xo
 .Ic map Ar map
 .Ic source Ar type Ar source
@@ -468,7 +481,7 @@ a certificate valid for one year was created.
 The configuration file would look like this:
 .Bd -literal -offset indent
 listen on lo0
-listen on egress tls certificate mail.example.com enable auth
+listen on egress tls certificate mail.example.com auth
 map aliases source db "/etc/mail/aliases.db"
 accept for local deliver to mda "/path/to/mda -f -"
 accept from all for domain example.org \e
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 37959ed865d..fedc1b5b0f7 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.381 2012/10/08 20:35:16 gilles Exp $ */
+/* $OpenBSD: smtpd.h,v 1.382 2012/10/09 20:33:02 gilles Exp $ */
 
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@openbsd.org>
@@ -80,8 +80,10 @@
 #define F_SMTPS 0x02
 #define F_AUTH 0x04
 #define F_SSL (F_SMTPS|F_STARTTLS)
+#define F_STARTTLS_REQUIRE 0x08
+#define F_AUTH_REQUIRE 0x10
 
-#define F_BACKUP 0x10 /* XXX */
+#define F_BACKUP 0x20 /* XXX */
 
 #define F_SCERT 0x01
 #define F_CCERT 0x02
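Review bot: `F_STARTTLS_REQUIRE` is only meaningful together with `F_STARTTLS` (the `tls-require` grammar alternative in parse.y sets both) and `F_AUTH_REQUIRE` likewise presumes `F_AUTH`, but the header records neither dependency, so a future caller could set a REQUIRE bit on its own and get a listener that demands something it never offers. A short comment on each definition would pin that down, e.g. `#define F_STARTTLS_REQUIRE 0x08 /* implies F_STARTTLS */` and `#define F_AUTH_REQUIRE 0x10 /* implies F_AUTH */`. Moving `F_BACKUP` to 0x20 to avoid colliding with the new bit is correct as far as this hunk shows.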