On Mon, Feb 14, 2022 at 11:10:01AM -0700, Todd C. Miller wrote:
> On Mon, 14 Feb 2022 17:43:47 +0100, Sebastien Marie wrote:
> 
> > It seems I need to explicitly add "tls" on the action line to enforce
> > the tls verification now.
> >
> > - action "relay-free"     relay host "smtps://f...@smtp.free.fr" auth <secrets>
> > + action "relay-free"     relay host "smtps://f...@smtp.free.fr" auth <secrets> tls
> >
> > I am unsure if the behaviour change was intended or not. If it
> > persists it might need some documentation (a current.html entry) for
> > users to update their configuration (as TLS session might not be
> > checked anymore whereas it was previously).
> 
> The change is not intentional.  As you found, if there is no explicit
> tls config for the dispatcher then the default is not to verify.
> 
> One way to fix this is to update the TLS config in mta_tls_init()
> before calling tls_configure() for smtps:// and smtp+tls:// relays.
> Can you try the following diff against -current?

With the diff, the connection is verified.

One aspect that I haven't verified for now is the difference between
using "tls" (early initialisation) and not using it (late
initialisation). I will try to look at it to ensure that the
connection is always used with tls_config_verify().

But for now, the diff is good.

OK semarie@

Thanks.

> 
>  - todd
> 
> Index: usr.sbin/smtpd/mta_session.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/mta_session.c,v
> retrieving revision 1.145
> diff -u -p -u -r1.145 mta_session.c
> --- usr.sbin/smtpd/mta_session.c      10 Feb 2022 14:59:35 -0000      1.145
> +++ usr.sbin/smtpd/mta_session.c      14 Feb 2022 18:05:02 -0000
> @@ -1563,7 +1563,7 @@ mta_error(struct mta_session *s, const c
>  static void
>  mta_tls_init(struct mta_session *s)
>  {
> -     struct tls_config *tls_config;
> +     struct dispatcher_remote *remote;
>       struct tls *tls;
>  
>       if ((tls = tls_client()) == NULL) {
> @@ -1572,8 +1572,14 @@ mta_tls_init(struct mta_session *s)
>               return;
>       }
>  
> -     tls_config = s->relay->dispatcher->u.remote.tls_config;
> -     if (tls_configure(tls, tls_config) == -1) {
> +     remote = &s->relay->dispatcher->u.remote;
> +     if ((s->flags & MTA_WANT_SECURE) && !remote->tls_required) {
> +             /* If TLS not explicitly configured, use implicit config. */
> +             remote->tls_required = 1;
> +             remote->tls_verify = 1;
> +             tls_config_verify(remote->tls_config);
> +     }
> +     if (tls_configure(tls, remote->tls_config) == -1) {
>               log_info("%016"PRIx64" mta closing reason=tls-failure", s->id);
>               tls_free(tls);
>               mta_free(s);
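Review bot: the block guarded by `if ((s->flags & MTA_WANT_SECURE) && !remote->tls_required)` mutates the dispatcher's shared `struct dispatcher_remote` from a per-session code path, so the first session that reaches mta_tls_init() flips `tls_required` and `tls_verify` and calls tls_config_verify() on the shared `tls_config` for every later session on that dispatcher. That does give the intended verify-by-default for smtps:// and smtp+tls:// relays, but as a lazy one-shot side effect it is easy to miss when reading the configuration code; consider applying the same defaults once when the dispatcher is built from the config and leaving mta_tls_init() to only call tls_configure(). The comment `/* If TLS not explicitly configured, use implicit config. */` would also be clearer if it said that `tls_required` is being used as the "user gave explicit tls options" marker, since that is what makes the block run only once and keeps it from overriding an explicit configuration.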

-- 
Sebastien Marie
