On Tue, Jul 09, 2024 at 01:59:02PM +0000, [email protected] wrote:
July 9, 2024 2:32 PM, "Tassilo Philipp" <[email protected]> wrote:
Hello ML,
I tried to make use of the "tls" option of match rules, and got
confused that whenever that option is specified, the server tries to
expand the "RCPT TO", address, no matter what action is specified.
This results in a 451 Tempfail, when it cannot expand that address.
Unsure I understand, it might help to share some config.
Sorry, in hindsight, I confused myself. The logged error is:
451 Tempfail: <[email protected]>
In the verbose log, it quits on the expansion step, so I thought it
tries to expand that address (but on the server there is no such user).
In the end, ruleset_match() just returns a tempfail, hard, in that case,
so the log is simply confusing.
Would it be enough to introduce a new flag in enum envelope_flags,
and set it when the session flag SF_SECURE is set, e.g. in smtp_tx()?
E.g. some addition like (given EF_TLS would be the new envelope
flag):
if (s->flags & SF_SECURE)
tx->evp.flags |= EF_TLS;
I would be open to work on a patch, or do I risk opening a can of
worms, b/c there is something I don't foresee?
You won't be opening a can of worms, no, but this diff is not enough:
What we want is to record not only that there was TLS but also what
TLS version and ciphers were used, so just a binary flag isn't enough.
Mh... sounds like a good idea, however, smtpd.conf(5) itself would still
just be a binary option, no?
Furthermore, since this will require adding one or two fields to
envelopes, there will be a bump in envelope version and _possibly_ a
flag day unless old envelopes missing fields can be updated
transparently by a new smtpd expecting the field.
I might not follow... what would be the flag "day"?
I can look at it, but...
Back then we had just released the new action-based envelopes so I
didn't want to impose another flag day on users so soon after, it's
been years now so it's acceptable if needed. If needed, we need to
check if other features might need to ride it so we can unlock
multiple features at once even if we just provision the envelope but
don't expose the features yet.
.. I think I have to study the code a bit more thoroughly, first, and
do play around with it, to not miss anything. This might take a little
bit longer, life's unfortunately not that easy, lately. :-/
I'd suggest you move forward with your diff, including envelope
changes, and we can discuss with the full diff.
Sounds good! Will try to make it happen!
Thanks for the helpful feedback, glad I asked, first :)
