On Thu, May 31, 2018 at 04:06:31PM +0200, Sebastien Marie wrote:
> Hi,
>
> When using smarthost ("host" option of "relay") for outgoing mails, TLS
> connections aren't verified. If it could make sense for standard MX, I
> think it would be better to verify the connection by default if the user
> specifies a TLS-aware url for the relay.
>
> The diff below changes the behaviour of:
> action "foo" relay host "smtps://example.com"
>
> Currently, smtpd will connect to example.com without verifying TLS at
> all. There is no option to force such verification (it was present in
> with previous grammar).
>
> With the following diff, the TLS connection is verified by default (and
> the connection aborted on error). Opportunistic TLS will be still possible
> with a new option: tls no-verify.
>
> So, for having the old behaviour the syntax will be:
> action "foo" relay host "smtps://example.com" tls no-verify
>
> It affects only smarthost connections. Outgoing mail using MX still uses
> opportunistic TLS.
>
> Regarding the diff, it adds the F_TLS_VERIFY option by default for each call
> of text_to_relayhost(), so also for "smtp://" or "lmtp://" urls. I checked
> that "smtp://" isn't affected by such flag (there is no TLS connection
> to verify), and I hope it will be the same for "lmtp://" (confirmation
> will be welcome). Next, the grammar is extended to permit clearing the
> flag if requested. smtpd(1) already has all the magic to check the
> connection.
>
> Thanks.
> --
> Sebastien Marie
Hello.
This makes sense, indeed.
Here is a slightly updated diff for your proposal. It makes the
documentation more accurate: the server certificate is always
verified, the flag is only meant to accept invalid certificates. It
also fixes the build (apparently the mta.c chunk was incorrect).
Eric.
Index: mta.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/mta.c,v
retrieving revision 1.212
diff -u -p -r1.212 mta.c
--- mta.c 31 May 2018 11:56:10 -0000 1.212
+++ mta.c 31 May 2018 19:56:03 -0000
@@ -677,6 +677,9 @@ mta_handle_envelope(struct envelope *evp
return;
}
+ if (dispatcher->u.remote.tls_noverify == 0)
+ evp->agent.mta.relay.flags |= F_TLS_VERIFY;
+
relay = mta_relay(evp);
/* ignore if we don't know the limits yet */
if (relay->limits &&
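Review bot: the new condition in mta_handle_envelope() checks only `tls_noverify == 0`, not whether the dispatcher actually has a smarthost, so F_TLS_VERIFY is now set on the relay for every remote dispatcher, including the MX-based ones the cover letter says must keep opportunistic TLS. If the flag is meant to apply to smarthost relays only, as the original text_to_relayhost() placement did, the check should be `if (dispatcher->u.remote.smarthost != NULL && dispatcher->u.remote.tls_noverify == 0)`; otherwise please confirm that mta_session ignores F_TLS_VERIFY on MX relays and on "lmtp://" URLs, since the earlier mail left that unconfirmed.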
Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v
retrieving revision 1.206
diff -u -p -r1.206 parse.y
--- parse.y 30 May 2018 19:01:58 -0000 1.206
+++ parse.y 31 May 2018 19:56:04 -0000
@@ -182,7 +182,7 @@ typedef struct {
%token KEY
%token LIMIT LISTEN LMTP LOCAL
%token MAIL_FROM MAILDIR MASK_SRC MASQUERADE MATCH MAX_MESSAGE_SIZE
MAX_DEFERRED MBOX MDA MTA MX
-%token NODSN
+%token NODSN NOVERIFY
%token ON
%token PKI PORT
%token QUEUE
@@ -541,6 +541,19 @@ HELO STRING {
dispatcher->u.remote.smarthost = strdup(t->t_name);
}
+| TLS NOVERIFY {
+ if (dispatcher->u.remote.smarthost == NULL) {
+ yyerror("tls no-verify may not be specified without host on a
dispatcher");
+ YYERROR;
+ }
+
+ if (dispatcher->u.remote.tls_noverify == 1) {
+ yyerror("tls no-verify already specified for this dispatcher");
+ YYERROR;
+ }
+
+ dispatcher->u.remote.tls_noverify = 1;
+}
| AUTH tables {
struct table *t = $2;
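Review bot: the `TLS NOVERIFY` rule rejects the option when `smarthost == NULL`, which makes the option order-dependent: `tls no-verify` is only accepted after `host` on the same dispatcher line, and writing it first produces a parse error rather than the intended configuration. That is fine as a design choice, but it should be stated in smtpd.conf.5 next to the option, and the yyerror text could say so explicitly ("tls no-verify must follow host"). The duplicate check `tls_noverify == 1` is consistent with the assignment below, though comparing a flag against nonzero is the more robust idiom used elsewhere in parse.y.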
@@ -1571,6 +1584,7 @@ lookup(char *s)
{ "mta", MTA },
{ "mx", MX },
{ "no-dsn", NODSN },
+ { "no-verify", NOVERIFY },
{ "on", ON },
{ "pki", PKI },
{ "port", PORT },
Index: smtpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
retrieving revision 1.183
diff -u -p -r1.183 smtpd.conf.5
--- smtpd.conf.5 31 May 2018 13:36:35 -0000 1.183
+++ smtpd.conf.5 31 May 2018 19:56:04 -0000
@@ -205,6 +205,9 @@ to advertise during the HELO phase.
.It Cm host Ar relay-url
Do not perform MX lookups but relay messages to the relay host described by
.Ar relay-url .
+If the url uses tls, the certificate will be verified by default.
+.It Cm tls Ar no-verify
+Do not require valid certificate for the specified host.
.It Cm auth Pf < Ar table Ns >
Use the mapping
.Ar table
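Review bot: the added man page text uses lowercase "url" and "tls" where the rest of the page writes "URL" and "TLS", and "Do not require valid certificate" is missing an article; suggest "If the URL uses TLS, the server certificate is verified by default." and "Do not require a valid certificate from the specified host." It would also help to say that `tls no-verify` must appear after `host`, since the grammar rejects it otherwise, and to note that the certificate is still presented and checked, only the failure is tolerated, which is the distinction the reply above says this revision is meant to make accurate.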
Index: smtpd.h
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.h,v
retrieving revision 1.545
diff -u -p -r1.545 smtpd.h
--- smtpd.h 29 May 2018 21:05:52 -0000 1.545
+++ smtpd.h 31 May 2018 19:56:05 -0000
@@ -1068,6 +1068,7 @@ struct dispatcher_remote {
char *smarthost;
char *auth;
+ int tls_noverify;
int backup;
char *backupmx;