On Thu, May 31, 2018 at 10:25:54PM +0200, Eric Faurot wrote:
> On Thu, May 31, 2018 at 04:06:31PM +0200, Sebastien Marie wrote:
> > Hi,
> >
> > When using smarthost ("host" option of "relay") for outgoing mails, TLS
> > connection aren't verified. If it could make sens for standard MX, I
> > think it would be better to verify the connection by default if the user
> > specifies a TLS-aware url for the relay.
> >
> > The diff below changes the behaviour of:
> > action "foo" relay host "smtps://example.com"
> >
> > Currently, smtpd will connect to example.com without verifying TLS at
> > all. There is no option to force such verification (it was present in
> > with previous grammar).
> >
> > With the following diff, the TLS connection is verified by default (and
> > the connection aborted on error). Opportunistic TLS will be still possible
> > with a new option: tls no-verify.
> >
> > So, for having the old behaviour the syntax will be:
> > action "foo" relay host "smtps://example.com" tls no-verify
> >
> > It affects only smarthost connection. Outgoing using MX still use
> > opportunistic TLS.
> >
> > Regarding the diff, it adds F_TLS_VERIFY option by default for each call
> > of text_to_relayhost(), so also for "smtp://" or "lmtp://" urls. I checked
> > that "smtp://" isn't affected by such flag (there is no TLS connection
> > to verify), and I hope it will be the same for "lmtp://" (confirmation
> > will be welcome). Next, the grammar is extended to permit to clear the
> > flag if requested. smtpd(1) already have all the magic to check the
> > connection.
> >
> > Thanks.
> > --
> > Sebastien Marie
>
> Hello.
>
> This makes sense, indeed.
>
> Here is a slightly updated diff for your proposal. It makes the
> documentatino more accurate: the server certificate is always
> verified, the flag is only meant to accept invalid certificates. It
> also fixes build (apparently the mta.c chunk was incorrect).
>
ok by me
> Index: mta.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/mta.c,v
> retrieving revision 1.212
> diff -u -p -r1.212 mta.c
> --- mta.c 31 May 2018 11:56:10 -0000 1.212
> +++ mta.c 31 May 2018 19:56:03 -0000
> @@ -677,6 +677,9 @@ mta_handle_envelope(struct envelope *evp
> return;
> }
>
> + if (dispatcher->u.remote.tls_noverify == 0)
> + evp->agent.mta.relay.flags |= F_TLS_VERIFY;
> +
> relay = mta_relay(evp);
> /* ignore if we don't know the limits yet */
> if (relay->limits &&
> Index: parse.y
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v
> retrieving revision 1.206
> diff -u -p -r1.206 parse.y
> --- parse.y 30 May 2018 19:01:58 -0000 1.206
> +++ parse.y 31 May 2018 19:56:04 -0000
> @@ -182,7 +182,7 @@ typedef struct {
> %token KEY
> %token LIMIT LISTEN LMTP LOCAL
> %token MAIL_FROM MAILDIR MASK_SRC MASQUERADE MATCH MAX_MESSAGE_SIZE
> MAX_DEFERRED MBOX MDA MTA MX
> -%token NODSN
> +%token NODSN NOVERIFY
> %token ON
> %token PKI PORT
> %token QUEUE
> @@ -541,6 +541,19 @@ HELO STRING {
>
> dispatcher->u.remote.smarthost = strdup(t->t_name);
> }
> +| TLS NOVERIFY {
> + if (dispatcher->u.remote.smarthost == NULL) {
> + yyerror("tls no-verify may not be specified without host on a
> dispatcher");
> + YYERROR;
> + }
> +
> + if (dispatcher->u.remote.tls_noverify == 1) {
> + yyerror("tls no-verify already specified for this dispatcher");
> + YYERROR;
> + }
> +
> + dispatcher->u.remote.tls_noverify = 1;
> +}
> | AUTH tables {
> struct table *t = $2;
>
> @@ -1571,6 +1584,7 @@ lookup(char *s)
> { "mta", MTA },
> { "mx", MX },
> { "no-dsn", NODSN },
> + { "no-verify", NOVERIFY },
> { "on", ON },
> { "pki", PKI },
> { "port", PORT },
> Index: smtpd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
> retrieving revision 1.183
> diff -u -p -r1.183 smtpd.conf.5
> --- smtpd.conf.5 31 May 2018 13:36:35 -0000 1.183
> +++ smtpd.conf.5 31 May 2018 19:56:04 -0000
> @@ -205,6 +205,9 @@ to advertise during the HELO phase.
> .It Cm host Ar relay-url
> Do not perform MX lookups but relay messages to the relay host described by
> .Ar relay-url .
> +If the url uses tls, the certificate will be verified by default.
> +.It Cm tls Ar no-verify
> +Do not require valid certificate for the specified host.
> .It Cm auth Pf < Ar table Ns >
> Use the mapping
> .Ar table
> Index: smtpd.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/smtpd.h,v
> retrieving revision 1.545
> diff -u -p -r1.545 smtpd.h
> --- smtpd.h 29 May 2018 21:05:52 -0000 1.545
> +++ smtpd.h 31 May 2018 19:56:05 -0000
> @@ -1068,6 +1068,7 @@ struct dispatcher_remote {
>
> char *smarthost;
> char *auth;
> + int tls_noverify;
>
> int backup;
> char *backupmx;
>
--
Gilles Chehade
https://www.poolp.org @poolpOrg
