On Mon, 14 Feb 2022 17:43:47 +0100, Sebastien Marie wrote:

> It seems I need to explicitly add "tls" on the action line to enforce
> the tls verification now.
>
> - action "relay-free"     relay host "smtps://[email protected]" auth <secrets>
> + action "relay-free"     relay host "smtps://[email protected]" auth <secrets> tls
>
> I am unsure if the behaviour change was intended or not. If it
> persists it might need some documentation (a current.html entry) for
> users to update their configuration (as TLS session might not be
> checked anymore whereas it was previously).

The change is not intentional.  As you found, if there is no explicit
tls config for the dispatcher then the default is not to verify.

One way to fix this is to update the TLS config in mta_tls_init()
before calling tls_configure() for smtps:// and smtp+tls:// relays.
Can you try the following diff against -current?

 - todd

Index: usr.sbin/smtpd/mta_session.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/mta_session.c,v
retrieving revision 1.145
diff -u -p -u -r1.145 mta_session.c
--- usr.sbin/smtpd/mta_session.c        10 Feb 2022 14:59:35 -0000      1.145
+++ usr.sbin/smtpd/mta_session.c        14 Feb 2022 18:05:02 -0000
@@ -1563,7 +1563,7 @@ mta_error(struct mta_session *s, const c
 static void
 mta_tls_init(struct mta_session *s)
 {
-       struct tls_config *tls_config;
+       struct dispatcher_remote *remote;
        struct tls *tls;
 
        if ((tls = tls_client()) == NULL) {
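Review bot: the renamed local `remote` (declared here in place of `tls_config`) is a pointer into the dispatcher's shared `u.remote`, not per-session state, so any write through it in this function outlives the session; a one-line comment at the declaration saying it aliases dispatcher configuration would make that intent visible to the next reader.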
@@ -1572,8 +1572,14 @@ mta_tls_init(struct mta_session *s)
                return;
        }
 
-       tls_config = s->relay->dispatcher->u.remote.tls_config;
-       if (tls_configure(tls, tls_config) == -1) {
+       remote = &s->relay->dispatcher->u.remote;
+       if ((s->flags & MTA_WANT_SECURE) && !remote->tls_required) {
+               /* If TLS not explicitly configured, use implicit config. */
+               remote->tls_required = 1;
+               remote->tls_verify = 1;
+               tls_config_verify(remote->tls_config);
+       }
+       if (tls_configure(tls, remote->tls_config) == -1) {
                log_info("%016"PRIx64" mta closing reason=tls-failure", s->id);
                tls_free(tls);
                mta_free(s);
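Review bot: the new block mutates dispatcher-wide configuration (`remote->tls_required = 1;`, `remote->tls_verify = 1;`, `tls_config_verify(remote->tls_config);`) from inside a per-session function, so the first session on a relay changes what every later session on that dispatcher sees. It is idempotent because setting `tls_required` makes the condition false afterwards, but resolving "smtps:// and smtp+tls:// imply tls" belongs at config-parse time where the dispatcher's tls options are set, not at session setup; if it stays here, the comment should say explicitly that it is a one-time, dispatcher-level promotion to required-and-verified TLS. Also worth confirming that `MTA_WANT_SECURE` is set for both URL schemes the cover text names, and that an explicit `tls no-verify` still leaves `tls_required` set so the `!remote->tls_required` guard does not override a deliberate no-verify choice. The ordering is right: `tls_config_verify()` runs before `tls_configure()`, so the verify setting takes effect for this session too.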
