Hi,
I suddenly got a flood of incoming spam, and when I could not find
any trace of it in the spamdb output, I suspected it was coming in
on port 587, which I had configured with tls and "enable auth".
I did not realize that this would allow anyone to send locally
addressed mail to me that way, thus bypassing spamd.
So, I hesitated, but quite easily came up with this diff, which
I'm testing out now.
This allows replacing "enable auth" with "require auth" like this:
listen on bge0 port 587 tls certificate mycert require auth
listen on bge0 smtps certificate mycert require auth
Note the "require auth", as opposed to "enable auth".
Thoughts? OK?
/Alexander
Index: parse.y
===================================================================
RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/parse.y,v
retrieving revision 1.104
diff -u -p -r1.104 parse.y
--- parse.y 30 Sep 2012 17:25:09 -0000 1.104
+++ parse.y 9 Oct 2012 13:07:54 -0000
@@ -124,7 +124,7 @@ typedef struct {
%token DB LDAP PLAIN DOMAIN SOURCE
%token RELAY BACKUP VIA DELIVER TO MAILDIR MBOX HOSTNAME
%token ACCEPT REJECT INCLUDE ERROR MDA FROM FOR
-%token ARROW ENABLE AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST
+%token ARROW ENABLE REQUIRE AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST
%token <v.string> STRING
%token <v.number> NUMBER
%type <v.map> map
@@ -263,7 +263,9 @@ ssl : SMTPS { $$ = F_SMTPS;
}
| /* empty */ { $$ = 0; }
;
-auth : ENABLE AUTH { $$ = 1; }
+auth : ENABLE AUTH { $$ = F_AUTH; }
+ | REQUIRE AUTH { $$ = F_AUTH |
+ F_AUTH_REQUIRED; }
| /* empty */ { $$ = 0; }
;
@@ -364,10 +366,7 @@ main : QUEUE INTERVAL interval {
}
cert = ($6 != NULL) ? $6 : $3;
- flags = $5;
-
- if ($7)
- flags |= F_AUTH;
+ flags = $5 | $7;
if ($5 && ssl_load_certfile(cert, F_SCERT) < 0) {
yyerror("cannot load certificate: %s", cert);
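Review bot: `flags = $5 | $7;` accepts `require auth` on a listener that has neither `tls` nor `smtps`; if, as I believe, smtpd only offers AUTH once the session is secured, such a listener would answer every MAIL FROM with 530 and the parser gives no hint why. Consider rejecting the combination next to the certificate check, e.g. `if (($7 & F_AUTH_REQUIRED) && !$5) { yyerror("require auth needs tls or smtps"); YYERROR; }`. The action of the `main` rule begins and ends outside this hunk, so the exact placement relative to the existing `ssl_load_certfile` check is for the author to pick.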
@@ -967,6 +966,7 @@ lookup(char *s)
{ "queue", QUEUE },
{ "reject", REJECT },
{ "relay", RELAY },
+ { "require", REQUIRE },
{ "single", SINGLE },
{ "size", SIZE },
{ "smtps", SMTPS },
Index: smtp_session.c
===================================================================
RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/smtp_session.c,v
retrieving revision 1.169
diff -u -p -r1.169 smtp_session.c
--- smtp_session.c 14 Sep 2012 19:22:04 -0000 1.169
+++ smtp_session.c 9 Oct 2012 13:21:15 -0000
@@ -400,6 +400,12 @@ session_rfc5321_mail_handler(struct sess
return 1;
}
+ if (s->s_l->flags & F_AUTH_REQUIRED &&
+ !(s->s_flags & F_AUTHENTICATED)) {
+ session_respond(s, "530 5.7.0 Authentication required");
+ return 1;
+ }
+
if (s->s_state != S_HELO) {
session_respond(s, "503 5.5.1 Sender already specified");
return 1;
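Review bot: The new condition mixes `&` and `&&` without parentheses; it parses as intended because `&` binds tighter, but `if ((s->s_l->flags & F_AUTH_REQUIRED) && !(s->s_flags & F_AUTHENTICATED)) {` makes the intent explicit and is the form most readers expect. The check also runs before the existing `S_HELO` state test, so an unauthenticated client that repeats MAIL FROM gets 530 instead of 503; harmless, but placing the new block after the state check keeps protocol-state errors first. The reply `530 5.7.0 Authentication required` is the one RFC 4954 specifies for this case. session_rfc5321_mail_handler starts and ends outside this hunk.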
Index: smtpd.h
===================================================================
RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/smtpd.h,v
retrieving revision 1.378
diff -u -p -r1.378 smtpd.h
--- smtpd.h 3 Oct 2012 19:42:16 -0000 1.378
+++ smtpd.h 9 Oct 2012 13:07:54 -0000
@@ -78,6 +78,7 @@
#define F_STARTTLS 0x01
#define F_SMTPS 0x02
#define F_AUTH 0x04
+#define F_AUTH_REQUIRED 0x08
#define F_SSL (F_SMTPS|F_STARTTLS)
#define F_BACKUP 0x10 /* XXX */
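Review bot: `F_AUTH_REQUIRED` is only ever set together with `F_AUTH` by the grammar in parse.y, yet the runtime check in smtp_session.c tests `F_AUTH_REQUIRED` alone, so that pairing is an invariant worth stating at the definition, e.g. `#define F_AUTH_REQUIRED 0x08 /* MAIL FROM refused until AUTH; always set with F_AUTH */`. The bit value 0x08 does not collide with any flag visible in this hunk.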