Hi, I suddenly got a flood of incoming spam, and when I could not find any trace of it in the spamdb output, I suspected it was coming in on port 587, which I had configured with tls and "enable auth".
I did not realize that that would allow anyone to send locally addressed mail to me that way, thus bypassing spamd. So, I hesitated, but quite easily came up with this diff, which I'm testing out now. This allows replacing "enable auth" with "require auth" like this: listen on bge0 port 587 tls certificate mycert require auth listen on bge0 smtps certificate mycert require auth Note the "require auth", as opposed to "enable auth" Thoughts? OK? /Alexander
Index: parse.y
===================================================================
RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/parse.y,v
retrieving revision 1.104
diff -u -p -r1.104 parse.y
--- parse.y 30 Sep 2012 17:25:09 -0000 1.104
+++ parse.y 9 Oct 2012 13:07:54 -0000
@@ -124,7 +124,7 @@ typedef struct {
 %token DB LDAP PLAIN DOMAIN SOURCE
 %token RELAY BACKUP VIA DELIVER TO MAILDIR MBOX HOSTNAME
 %token ACCEPT REJECT INCLUDE ERROR MDA FROM FOR
-%token ARROW ENABLE AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST
+%token ARROW ENABLE REQUIRE AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST
 %token <v.string> STRING
 %token <v.number> NUMBER
 %type <v.map> map
@@ -263,7 +263,9 @@ ssl : SMTPS { $$ = F_SMTPS; }
 | /* empty */ { $$ = 0; }
 ;
 
-auth : ENABLE AUTH { $$ = 1; }
+auth : ENABLE AUTH { $$ = F_AUTH; }
+ | REQUIRE AUTH { $$ = F_AUTH |
+ F_AUTH_REQUIRED; }
 | /* empty */ { $$ = 0; }
 ;
 
@@ -364,10 +366,7 @@ main : QUEUE INTERVAL interval {
 }
 cert = ($6 != NULL) ? $6 : $3;
 
- flags = $5;
-
- if ($7)
- flags |= F_AUTH;
+ flags = $5 | $7;
 
 if ($5 && ssl_load_certfile(cert, F_SCERT) < 0) {
 yyerror("cannot load certificate: %s", cert);
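Review bot: `flags = $5 | $7;` accepts `require auth` on a listener that has neither `tls` nor `smtps`, because `$7` is OR'ed in regardless of whether `$5` is zero; unless a later check in the listen action (outside this hunk) rejects that combination, such a listener would demand credentials over a plaintext connection. Consider rejecting it before the certificate check, e.g. `if (($7 & F_AUTH_REQUIRED) && !$5) { yyerror("require auth needs tls or smtps"); YYERROR; }`, or at least documenting in the grammar that `require auth` is only meaningful together with `tls`/`smtps`, as both examples in the post use. The enclosing listen action starts and ends outside the hunk.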
@@ -967,6 +966,7 @@ lookup(char *s)
 { "queue", QUEUE },
 { "reject", REJECT },
 { "relay", RELAY },
+ { "require", REQUIRE },
 { "single", SINGLE },
 { "size", SIZE },
 { "smtps", SMTPS },
Index: smtp_session.c
===================================================================
RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/smtp_session.c,v
retrieving revision 1.169
diff -u -p -r1.169 smtp_session.c
--- smtp_session.c 14 Sep 2012 19:22:04 -0000 1.169
+++ smtp_session.c 9 Oct 2012 13:21:15 -0000
@@ -400,6 +400,12 @@ session_rfc5321_mail_handler(struct sess
 return 1;
 }
 
+ if (s->s_l->flags & F_AUTH_REQUIRED &&
+ !(s->s_flags & F_AUTHENTICATED)) {
+ session_respond(s, "530 5.7.0 Authentication required");
+ return 1;
+ }
+
 if (s->s_state != S_HELO) {
 session_respond(s, "503 5.5.1 Sender already specified");
 return 1;
Index: smtpd.h
===================================================================
RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/smtpd.h,v
retrieving revision 1.378
diff -u -p -r1.378 smtpd.h
--- smtpd.h 3 Oct 2012 19:42:16 -0000 1.378
+++ smtpd.h 9 Oct 2012 13:07:54 -0000
@@ -78,6 +78,7 @@
 #define F_STARTTLS 0x01
 #define F_SMTPS 0x02
 #define F_AUTH 0x04
+#define F_AUTH_REQUIRED 0x08
 #define F_SSL (F_SMTPS|F_STARTTLS)
 #define F_BACKUP 0x10 /* XXX */
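Review bot: The new guard in session_rfc5321_mail_handler mixes `&` and `&&` without parentheses; the precedence is correct, but `if ((s->s_l->flags & F_AUTH_REQUIRED) && !(s->s_flags & F_AUTHENTICATED)) {` reads unambiguously and matches the parenthesized second operand. Enforcing at MAIL FROM is a sound single choke point, since no RCPT or DATA can be accepted without it, and 530 5.7.0 is the reply RFC 4954 prescribes for commands issued before a required AUTH; a one-line comment above the check, e.g. `/* require auth: refuse MAIL FROM until the session has authenticated (RFC 4954) */`, would record that intent. Whether F_AUTHENTICATED is set only after a successful AUTH exchange is not visible in this hunk and should be confirmed. The handler's body starts and ends outside the hunk.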
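Review bot: F_AUTH_REQUIRED is added to the listener flag block without a comment, so its meaning (the listener refuses MAIL FROM from sessions that have not authenticated) is only discoverable by reading smtp_session.c; `#define F_AUTH_REQUIRED 0x08 /* listener: MAIL FROM needs an authenticated session */` would make the flag self-describing. The value 0x08 sits between F_AUTH 0x04 and F_BACKUP 0x10 and does not overlap the F_SSL mask, so the bit assignment itself is fine.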