On Mon, Feb 14, 2022 at 11:10:01AM -0700, Todd C. Miller wrote:
> On Mon, 14 Feb 2022 17:43:47 +0100, Sebastien Marie wrote:
>
> > It seems I need to explicitly add "tls" on the action line to enforce
> > the tls verification now.
> >
> > - action "relay-free" relay host "smtps://f...@smtp.free.fr" auth <secrets>
> > + action "relay-free" relay host "smtps://f...@smtp.free.fr" auth <secrets> tls
> >
> > I am unsure if the behaviour change was intended or not. If it
> > persists it might need some documentation (a current.html entry) for
> > users to update their configuration (as TLS session might not be
> > checked anymore whereas it was previously).
>
> The change is not intentional. As you found, if there is no explicit
> tls config for the dispatcher then the default is not to verify.
>
> One way to fix this is to update the TLS config in mta_tls_init()
> before calling tls_configure() for smtps:// and smtp+tls:// relays.
> Can you try the following diff against -current?
With the diff, the connection is verified. One aspect that I haven't
verified for now is the difference between using "tls" (early
initialisation) and not using it (late initialisation). I will try to
look at it to ensure that the connection is always used with
tls_config_verify(). But for now, the diff is good.

OK semarie@

Thanks.

>  - todd
>
> Index: usr.sbin/smtpd/mta_session.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/mta_session.c,v
> retrieving revision 1.145
> diff -u -p -u -r1.145 mta_session.c
> --- usr.sbin/smtpd/mta_session.c	10 Feb 2022 14:59:35 -0000	1.145
> +++ usr.sbin/smtpd/mta_session.c	14 Feb 2022 18:05:02 -0000
> @@ -1563,7 +1563,7 @@ mta_error(struct mta_session *s, const c
>  static void
>  mta_tls_init(struct mta_session *s)
>  {
> -	struct tls_config	*tls_config;
> +	struct dispatcher_remote	*remote;
>  	struct tls		*tls;
>
>  	if ((tls = tls_client()) == NULL) {
> @@ -1572,8 +1572,14 @@ mta_tls_init(struct mta_session *s)
>  		return;
>  	}
>
> -	tls_config = s->relay->dispatcher->u.remote.tls_config;
> -	if (tls_configure(tls, tls_config) == -1) {
> +	remote = &s->relay->dispatcher->u.remote;
> +	if ((s->flags & MTA_WANT_SECURE) && !remote->tls_required) {
> +		/* If TLS not explicitly configured, use implicit config. */
> +		remote->tls_required = 1;
> +		remote->tls_verify = 1;
> +		tls_config_verify(remote->tls_config);
> +	}
> +	if (tls_configure(tls, remote->tls_config) == -1) {
>  		log_info("%016"PRIx64" mta closing reason=tls-failure", s->id);
>  		tls_free(tls);
>  		mta_free(s);

--
Sebastien Marie
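Review bot: in the second hunk, the `if ((s->flags & MTA_WANT_SECURE) && !remote->tls_required)` block mutates dispatcher state from a per-session function: `remote` is `&s->relay->dispatcher->u.remote`, so setting `remote->tls_required = 1`, `remote->tls_verify = 1` and calling `tls_config_verify(remote->tls_config)` changes the shared dispatcher configuration for every later session that uses it, and afterwards the `!remote->tls_required` guard can no longer distinguish a user-written `tls` from the implicit default. Consider making the decision once where the dispatcher is set up (or keeping it session-local and passing the verify setting into the tls_config used for this session) rather than flipping dispatcher fields lazily in mta_tls_init(), and expand the `/* If TLS not explicitly configured, use implicit config. */` comment to state the actual rule from the cover text, that smtps:// and smtp+tls:// relays default to verified TLS, since "implicit config" does not say what is being enforced.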