-rw-r--r--usr.sbin/smtpd/mta.c15
-rw-r--r--usr.sbin/smtpd/parse.y21
-rw-r--r--usr.sbin/smtpd/smtpd.conf.516
-rw-r--r--usr.sbin/smtpd/smtpd.h4
4 files changed, 46 insertions, 10 deletions
diff --git a/usr.sbin/smtpd/mta.c b/usr.sbin/smtpd/mta.c
index 74dd7c71ba0..2da8608e3a0 100644
--- a/usr.sbin/smtpd/mta.c
+++ b/usr.sbin/smtpd/mta.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta.c,v 1.235 2021/03/05 12:37:32 eric Exp $ */
+/* $OpenBSD: mta.c,v 1.236 2021/03/31 17:47:16 eric Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -491,6 +491,7 @@ mta_setup_dispatcher(struct dispatcher *dispatcher)
struct tls_config *config;
struct pki *pki;
struct ca *ca;
+ uint32_t protos;
if (dispatcher->type != DISPATCHER_REMOTE)
return;
@@ -500,10 +501,14 @@ mta_setup_dispatcher(struct dispatcher *dispatcher)
if ((config = tls_config_new()) == NULL)
fatal("smtpd: tls_config_new");
- if (env->sc_tls_ciphers) {
- if (tls_config_set_ciphers(config, env->sc_tls_ciphers) == -1)
- err(1, "%s", tls_config_error(config));
- }
+ if (remote->tls_ciphers &&
+ tls_config_set_ciphers(config, remote->tls_ciphers) == -1)
+ err(1, "%s", tls_config_error(config));
+
+ if (remote->tls_protocols &&
+ (tls_config_parse_protocols(&protos, remote->tls_protocols) == -1
+ || tls_config_set_protocols(config, protos) == -1))
+ err(1, "%s", tls_config_error(config));
if (remote->pki) {
pki = dict_get(env->sc_pki_dict, remote->pki);
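Review bot: When `tls_config_parse_protocols()` fails inside the combined condition, the diagnostic is taken from `tls_config_error(config)`, but that parser does not receive `config` and records nothing in it, so the message will be empty or stale; `err()` then appends strerror(errno), which has nothing to do with a protocol-string parse error (the same errno suffix applies to the `ciphers` branch above). Splitting the two calls and naming the rejected string gives an operator a usable message when the daemon refuses to start. Dropping the `env->sc_tls_ciphers` fallback also means a remote dispatcher without its own `ciphers` now gets the libtls default, which is presumably intended but worth stating in the commit message. mta_setup_dispatcher starts and ends outside the hunk.
```c
	if (remote->tls_protocols) {
		if (tls_config_parse_protocols(&protos, remote->tls_protocols) == -1)
			errx(1, "invalid tls protocols: %s", remote->tls_protocols);
		if (tls_config_set_protocols(config, protos) == -1)
			errx(1, "%s", tls_config_error(config));
	}
```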
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 40f78be84f7..e813279dffb 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.285 2021/03/05 12:37:32 eric Exp $ */
+/* $OpenBSD: parse.y,v 1.286 2021/03/31 17:47:16 eric Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -190,7 +190,7 @@ typedef struct {
%token MAIL_FROM MAILDIR MASK_SRC MASQUERADE MATCH MAX_MESSAGE_SIZE MAX_DEFERRED MBOX MDA MTA MX
%token NO_DSN NO_VERIFY NOOP
%token ON
-%token PHASE PKI PORT PROC PROC_EXEC PROXY_V2
+%token PHASE PKI PORT PROC PROC_EXEC PROTOCOLS PROXY_V2
%token QUEUE QUIT
%token RCPT_TO RDNS RECIPIENT RECEIVEDAUTH REGEX RELAY REJECT REPORT REWRITE RSET
%token SCHEDULER SENDER SENDERS SMTP SMTP_IN SMTP_OUT SMTPS SOCKET SRC SRS SUB_ADDR_DELIM
@@ -768,6 +768,22 @@ HELO STRING {
dsp->u.remote.ca = $2;
}
+| CIPHERS STRING {
+ if (dsp->u.remote.tls_ciphers) {
+ yyerror("ciphers already specified for this dispatcher");
+ YYERROR;
+ }
+
+ dsp->u.remote.tls_ciphers = $2;
+}
+| PROTOCOLS STRING {
+ if (dsp->u.remote.tls_protocols) {
+ yyerror("protocols already specified for this dispatcher");
+ YYERROR;
+ }
+
+ dsp->u.remote.tls_protocols = $2;
+}
| SRC tables {
struct table *t = $2;
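Review bot: The `protocols` string accepted in the new `PROTOCOLS STRING` action is stored unchecked, so a mistyped value is only detected later in mta_setup_dispatcher, where it terminates the daemon via `err(1)` instead of being reported as a configuration error by the parser (and, presumably, by `smtpd -n`). Running `tls_config_parse_protocols()` on `$2` in the action and raising `yyerror` on -1 catches it where the other keyword errors are reported; parse.y would need `<tls.h>` if it does not already include it. There is no equivalent parse-only check for the cipher string in libtls, so the `CIPHERS STRING` action can stay as it is.
```c
| PROTOCOLS STRING {
	uint32_t protos;
	/* … unchanged: "protocols already specified" check … */
	if (tls_config_parse_protocols(&protos, $2) == -1) {
		yyerror("invalid protocols: %s", $2);
		YYERROR;
	}
	dsp->u.remote.tls_protocols = $2;
}
```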
@@ -2682,6 +2698,7 @@ lookup(char *s)
{ "port", PORT },
{ "proc", PROC },
{ "proc-exec", PROC_EXEC },
+ { "protocols", PROTOCOLS },
{ "proxy-v2", PROXY_V2 },
{ "queue", QUEUE },
{ "quit", QUIT },
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index 6359cc8434a..74def422d02 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.258 2021/03/05 12:37:32 eric Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.259 2021/03/31 17:47:16 eric Exp $
.\"
.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
.\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -17,7 +17,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\"
-.Dd $Mdocdate: March 5 2021 $
+.Dd $Mdocdate: March 31 2021 $
.Dt SMTPD.CONF 5
.Os
.Sh NAME
@@ -298,6 +298,18 @@ When used with a smarthost, the protocol must not be
If
.Cm no-verify
is specified, do not require a valid certificate.
+.It Cm protocols Ar protostr
+Define the protocol versions to be used for TLS sessions.
+Refer to the
+.Xr tls_config_parse_protocols 3
+manpage for the format of
+.Ar protostr .
+.It Cm ciphers Ar cipherstr
+Define the list of ciphers that may be used for TLS sessions.
+Refer to the
+.Xr tls_config_set_ciphers 3
+manpage for the format of
+.Ar cipherstr .
.It Cm auth Pf < Ar table Ns >
Use the mapping
.Ar table
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index c0e4878893f..4b5da97b44e 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.662 2021/03/05 12:37:32 eric Exp $ */
+/* $OpenBSD: smtpd.h,v 1.663 2021/03/31 17:47:16 eric Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -1192,6 +1192,8 @@ struct dispatcher_remote {
char *auth;
int tls_required;
int tls_noverify;
+ char *tls_protocols;
+ char *tls_ciphers;
int backup;
char *backupmx;