Hi. Same diff with associated manpage update. If there is no objection, I'd like to commit this quickly.
Eric. Index: smtpd.conf.5 =================================================================== RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v retrieving revision 1.199 diff -u -p -r1.199 smtpd.conf.5 --- smtpd.conf.5 1 Sep 2018 19:56:28 -0000 1.199 +++ smtpd.conf.5 2 Sep 2018 18:56:44 -0000 @@ -228,7 +228,38 @@ to advertise during the HELO phase. .It Cm host Ar relay-url Do not perform MX lookups but relay messages to the relay host described by .Ar relay-url . -If the URL uses TLS, the certificate will be verified by default. +The format for +.Ar relay-url +is +.Sm off +.Op Ar proto No :// Op Ar label No @ +.Ar host Op : Ar port . +.Sm on +The following protocols are available: +.Pp +.Bl -tag -width "smtp+notls" -compact +.It smtp +Normal SMTP session with opportunistic STARTTLS. +.It smtp+tls +Normal SMTP session with mandatory STARTTLS. +.It smtp+notls +Plain text SMTP session without TLS. +.It lmtp +LMTP session. +.It smtps +SMTP session with forced TLS on connection. +.El +.Pp +If not specified, the +.Dq smtp +protocol is used. +.Pp +Specifying an auth label toggles authentication. +An auth table must also be defined for this action. +The protocol must explicitely require TLS. +.Pp +If TLS is explicitely required, the server certificate +will be verified by default. .It Cm tls no-verify Do not require a valid certificate for the specified host. .It Cm auth Pf < Ar table Ns > Index: to.c =================================================================== RCS file: /cvs/src/usr.sbin/smtpd/to.c,v retrieving revision 1.31 diff -u -p -r1.31 to.c --- to.c 7 Jun 2018 11:31:51 -0000 1.31 +++ to.c 2 Sep 2018 18:56:44 -0000 
@@ -310,15 +310,11 @@ text_to_relayhost(struct relayhost *rela * new schemas should be *appended* otherwise the default * schema index needs to be updated later in this function. */ - { "smtp://", 0 }, + { "smtp://", RELAY_TLS_OPTIONAL }, + { "smtp+tls://", RELAY_STARTTLS }, + { "smtp+notls://", 0 }, { "lmtp://", RELAY_LMTP }, - { "smtp+tls://", RELAY_TLS_OPTIONAL }, - { "smtps://", RELAY_SMTPS }, - { "tls://", RELAY_STARTTLS }, - { "smtps+auth://", RELAY_SMTPS|RELAY_AUTH }, - { "tls+auth://", RELAY_STARTTLS|RELAY_AUTH }, - { "secure://", RELAY_SMTPS|RELAY_STARTTLS }, - { "secure+auth://", RELAY_SMTPS|RELAY_STARTTLS|RELAY_AUTH } + { "smtps://", RELAY_SMTPS } }; const char *errstr = NULL; char *p, *q; @@ -341,8 +337,8 @@ text_to_relayhost(struct relayhost *rela if (strstr(buffer, "://")) return 0; - /* no schema, default to smtp+tls:// */ - i = 2; + /* no schema, default to smtp:// */ + i = 0; p = buffer; } else @@ -397,10 +393,13 @@ text_to_relayhost(struct relayhost *rela return 0; if ((relay->flags & RELAY_LMTP) && (relay->port == 0)) return 0; - if (relay->authlabel[0] == '\0' && relay->flags & RELAY_AUTH) - return 0; - if (relay->authlabel[0] != '\0' && !(relay->flags & RELAY_AUTH)) - return 0; + if (relay->authlabel[0]) { + /* disallow auth on non-tls scheme. */ + if (!(relay->flags & (RELAY_STARTTLS | RELAY_SMTPS))) + return 0; + relay->flags |= RELAY_AUTH; + } + return 1; }
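Review bot: two spelling errors in the added smtpd.conf.5 text: "explicitely" should be "explicitly", both in "The protocol must explicitely require TLS." and in "If TLS is explicitely required, the server certificate". It would also help to say in that paragraph which protocols count as explicitly requiring TLS (smtp+tls and smtps), since the smtp entry just above describes "opportunistic STARTTLS" and a reader could otherwise expect an auth label to work with it.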
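Review bot: the schema table hunk changes the meaning of existing configurations and removes schemes with no deprecation path. "smtp+tls://" moves from RELAY_TLS_OPTIONAL to RELAY_STARTTLS, so a relay that previously tolerated a peer without STARTTLS now refuses it (a safer default, but one that should be stated in the commit message and the manpage), and "tls://", "secure://", "secure+auth://", "smtps+auth://" and "tls+auth://" are dropped, so any smtpd.conf using them stops parsing. Consider keeping the old names as aliases onto the new flag sets for a release, or at least listing the removed schemes so the resulting parse failure is understood.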
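Review bot: the default index change from "i = 2" to "i = 0" is consistent with the reordered table (entry 0 is now "smtp://" with RELAY_TLS_OPTIONAL, the same flag the old default entry 2 carried, so the no-scheme behaviour is unchanged). The numeric coupling the table comment warns about remains, though; resolving the default by matching the "smtp://" entry, or through a named constant, would remove the need to keep this index in sync by hand.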
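Review bot: the auth hunk rejects an auth label on any scheme lacking RELAY_STARTTLS or RELAY_SMTPS, which correctly excludes the opportunistic "smtp://" (RELAY_TLS_OPTIONAL) so credentials are never sent on a session that may have negotiated no TLS; that is the right property and matches the manpage text. Two points: the bare "return 0" gives the caller no way to report why, so a user writing smtp://label@host sees the same generic failure as a malformed URL, and setting errstr (already declared in this function) for this case would make the rejection self-explanatory; and the manpage says an auth table must also be defined for the action, which this function does not check, so confirm that the caller enforces it now that the scheme no longer carries RELAY_AUTH itself.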