Hi.
Same diff with associated manpage update.
If there is no objection, I'd like to commit this quickly.
Eric.
Index: smtpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
retrieving revision 1.199
diff -u -p -r1.199 smtpd.conf.5
--- smtpd.conf.5 1 Sep 2018 19:56:28 -0000 1.199
+++ smtpd.conf.5 2 Sep 2018 18:56:44 -0000
@@ -228,7 +228,38 @@ to advertise during the HELO phase.
.It Cm host Ar relay-url
Do not perform MX lookups but relay messages to the relay host described by
.Ar relay-url .
-If the URL uses TLS, the certificate will be verified by default.
+The format for
+.Ar relay-url
+is
+.Sm off
+.Op Ar proto No :// Op Ar label No @
+.Ar host Op : Ar port .
+.Sm on
+The following protocols are available:
+.Pp
+.Bl -tag -width "smtp+notls" -compact
+.It smtp
+Normal SMTP session with opportunistic STARTTLS.
+.It smtp+tls
+Normal SMTP session with mandatory STARTTLS.
+.It smtp+notls
+Plain text SMTP session without TLS.
+.It lmtp
+LMTP session.
+.It smtps
+SMTP session with forced TLS on connection.
+.El
+.Pp
+If not specified, the
+.Dq smtp
+protocol is used.
+.Pp
+Specifying an auth label toggles authentication.
+An auth table must also be defined for this action.
+The protocol must explicitely require TLS.
+.Pp
+If TLS is explicitely required, the server certificate
+will be verified by default.
.It Cm tls no-verify
Do not require a valid certificate for the specified host.
.It Cm auth Pf < Ar table Ns >
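Review bot: "explicitely" is misspelled twice in the new auth paragraph ("The protocol must explicitely require TLS." and "If TLS is explicitely required, the server certificate"); it should read "explicitly" in both places. While there, "Specifying an auth label toggles authentication." is ambiguous, since a label can only turn authentication on, not off; "enables authentication" matches what the code does. The new text also drops the old "If the URL uses TLS, the certificate will be verified by default." wording in favour of verification only when TLS is explicitly required, so it may be worth stating that an "smtp://" relay with opportunistic STARTTLS does not get certificate verification, as that is the case an operator is most likely to assume otherwise.
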
Index: to.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/to.c,v
retrieving revision 1.31
diff -u -p -r1.31 to.c
--- to.c 7 Jun 2018 11:31:51 -0000 1.31
+++ to.c 2 Sep 2018 18:56:44 -0000
@@ -310,15 +310,11 @@ text_to_relayhost(struct relayhost *rela
* new schemas should be *appended* otherwise the default
* schema index needs to be updated later in this function.
*/
- { "smtp://", 0 },
+ { "smtp://", RELAY_TLS_OPTIONAL },
+ { "smtp+tls://", RELAY_STARTTLS },
+ { "smtp+notls://", 0 },
{ "lmtp://", RELAY_LMTP },
- { "smtp+tls://", RELAY_TLS_OPTIONAL },
- { "smtps://", RELAY_SMTPS },
- { "tls://", RELAY_STARTTLS },
- { "smtps+auth://", RELAY_SMTPS|RELAY_AUTH },
- { "tls+auth://", RELAY_STARTTLS|RELAY_AUTH },
- { "secure://", RELAY_SMTPS|RELAY_STARTTLS },
- { "secure+auth://", RELAY_SMTPS|RELAY_STARTTLS|RELAY_AUTH }
+ { "smtps://", RELAY_SMTPS }
};
const char *errstr = NULL;
char *p, *q;
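Review bot: the meaning of "smtp+tls://" changes from RELAY_TLS_OPTIONAL to RELAY_STARTTLS, so an existing configuration using that scheme now has mandatory STARTTLS and the relay fails where it previously fell back to plaintext; that is a safer default, but it is a behaviour change that should be called out when committing, along with the fact that "tls://", "secure://", "smtps+auth://", "tls+auth://" and "secure+auth://" no longer parse at all and will make such configurations fail to load. With RELAY_AUTH removed from the table entirely, please double-check that nothing else in text_to_relayhost() or its callers still expects the scheme to carry that flag.
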
@@ -341,8 +337,8 @@ text_to_relayhost(struct relayhost *rela
if (strstr(buffer, "://"))
return 0;
- /* no schema, default to smtp+tls:// */
- i = 2;
+ /* no schema, default to smtp:// */
+ i = 0;
p = buffer;
}
else
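Review bot: the default now depends on "smtp://" being entry 0 of the table, which makes the preceding comment ("new schemas should be *appended* otherwise the default schema index needs to be updated later in this function") stale in the other direction, since appending is no longer what protects the default. Suggest updating that comment to say the default scheme must stay first, or replacing the bare "i = 0;" with a named index so the dependency is visible where the table is defined.
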
@@ -397,10 +393,13 @@ text_to_relayhost(struct relayhost *rela
return 0;
if ((relay->flags & RELAY_LMTP) && (relay->port == 0))
return 0;
- if (relay->authlabel[0] == '\0' && relay->flags & RELAY_AUTH)
- return 0;
- if (relay->authlabel[0] != '\0' && !(relay->flags & RELAY_AUTH))
- return 0;
+ if (relay->authlabel[0]) {
+ /* disallow auth on non-tls scheme. */
+ if (!(relay->flags & (RELAY_STARTTLS | RELAY_SMTPS)))
+ return 0;
+ relay->flags |= RELAY_AUTH;
+ }
+
return 1;
}
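Review bot: the new check correctly refuses an auth label on a scheme without RELAY_STARTTLS or RELAY_SMTPS, which means "smtp://label@host" (RELAY_TLS_OPTIONAL only) is rejected rather than silently sending credentials over an opportunistic, unverified session; that matches the manpage text. Like the surrounding checks it returns 0 without setting errstr, so an operator only sees a generic parse failure; consider reporting that auth requires an explicit TLS scheme, since this is the one case where the rejection is a policy decision rather than a malformed URL. The trailing blank line added before "return 1;" looks like an accidental whitespace change.
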