On Sat, Aug 08, 2015 at 10:07:31AM +0200, LÉVAI Dániel wrote:
> On Wed, Aug 05, 2015 at 06:49:42 +0000, David Dahlberg wrote:
> > On Wednesday, 05.08.2015, 00:31 +0100, Jason McIntyre wrote:
> >
> > > if this were the case, i'd say we want:
> > > [tls [verify]]
> >
> > Hmm, I think I have heard this proposal before ;-)
> > https://marc.info/?l=openbsd-misc&m=140196108217209
> >
> > > but the doc currently says:
> > >
> > > Note that the tls and verify options are mutually exclusive and
> > > should only be used in private networks as they will prevent
> > > proper relaying on the Internet.
> >
> > - Note that the tls and verify options are mutually exclusive and
> > + Note that the tls and tls verify options
> >
>
> Got it!
> How about this:
>
i've just committed a slightly simpler version of this.
jmc

>
> Index: smtpd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
> retrieving revision 1.126
> diff -u -p -p -u -r1.126 smtpd.conf.5
> --- smtpd.conf.5 4 Jun 2015 14:23:00 -0000 1.126
> +++ smtpd.conf.5 8 Aug 2015 08:06:19 -0000
> @@ -311,7 +311,7 @@ This parameter may use conversion specif
> .Op Ic hostname Ar name
> .Op Ic hostnames No < Ns Ar names Ns >
> .Op Ic pki Ar pkiname
> -.Op Ic tls | verify
> +.Op Ic tls Op verify
> .Ek
> .Xc
> .Pp
> @@ -389,19 +389,17 @@ is used instead.
> If
> .Ic tls
> is specified, OpenSMTPD will refuse to relay unless the remote host provides
> -STARTTLS.
> -.Pp
> -If
> +STARTTLS. If
> .Ic verify
> -is specified, OpenSMTPD will refuse to relay unless the remote host provides
> -STARTTLS and the certificate it presented has been verified.
> +is also specified, OpenSMTPD will also try to verify the certificate of the
> +host and refuses to relay if it is invalid.
> .Pp
> Note that the
> .Ic tls
> and
> -.Ic verify
> -options are mutually exclusive and should only be used in private networks
> -as they will prevent proper relaying on the Internet.
> +.Ic tls verify
> +options should only be used in private networks as they will prevent proper
> +relaying on the Internet.
> .It Xo
> .Ic relay via
> .Ar host
>
>
> --
> LÉVAI Dániel
> PGP key ID = 0x83B63A8F
> Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
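Review bot: in the first hunk (@@ -311), the new synopsis line `+.Op Ic tls Op verify` drops the `Ic` markup from `verify`, so it will render in plain font while `tls` is set as a keyword and while the body text below still refers to it as `.Ic verify`; `.Op Ic tls Op Ic verify` keeps the intended `[tls [verify]]` nesting and marks both words consistently.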
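Review bot: in the second hunk (@@ -389), the replacement `+is also specified, OpenSMTPD will also try to verify the certificate of the` / `+host and refuses to relay if it is invalid.` repeats "also", mixes "will ... try" with "refuses", and narrows the guarantee the removed lines gave (refuse to relay unless the certificate "has been verified") to "if it is invalid", which leaves open what happens when the certificate cannot be verified at all; keeping the original condition, e.g. "is also specified, OpenSMTPD will refuse to relay unless the certificate the remote host presented has been verified.", states the behaviour unambiguously. The merged `+STARTTLS. If` also starts a new sentence mid-line, where mdoc style wants each new sentence to begin on its own line as the removed `-STARTTLS.` / `-If` did.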

