On Wed, Sep 05, 2018 at 03:04:08PM +0200, Eric Faurot wrote: > With the recent changes in the smarthost syntax, and the removal of > the "secure" keyword, it's now possible to clarify the mta code by > changing the TLS option from a set flags to exclusive values. > This is far less confusing. > > More cleanup to come in mta_session.c after that. >
nice ! > Index: mta.c > =================================================================== > RCS file: /cvs/src/usr.sbin/smtpd/mta.c,v > retrieving revision 1.222 > diff -u -p -r1.222 mta.c > --- mta.c 22 Aug 2018 10:11:43 -0000 1.222 > +++ mta.c 5 Sep 2018 12:42:19 -0000 > @@ -635,6 +635,7 @@ mta_handle_envelope(struct envelope *evp > } > > memset(&relayh, 0, sizeof(relayh)); > + relayh.tls = RELAY_TLS_OPPORTUNISTIC; > if (smarthost && !text_to_relayhost(&relayh, smarthost)) { > log_warnx("warn: Failed to parse smarthost %s", smarthost); > m_create(p_queue, IMSG_MTA_DELIVERY_TEMPFAIL, 0, 0, -1); > @@ -1730,10 +1731,9 @@ mta_relay(struct envelope *e, struct rel > key.flags |= RELAY_MX; > } else { > key.domain = mta_domain(e->dest.domain, 0); > - if (!(relayh->flags & RELAY_STARTTLS)) > - key.flags |= RELAY_TLS_OPTIONAL; > } > > + key.tls = relayh->tls; > key.flags |= relayh->flags; > key.port = relayh->port; > key.authlabel = relayh->authlabel; > @@ -1748,6 +1748,7 @@ mta_relay(struct envelope *e, struct rel > r = xcalloc(1, sizeof *r); > TAILQ_INIT(&r->tasks); > r->id = generate_uid(); > + r->tls = key.tls; > r->flags = key.flags; > r->domain = key.domain; > r->backupname = key.backupname ? > @@ -1834,14 +1835,25 @@ mta_relay_to_text(struct mta_relay *rela > (void)strlcat(buf, tmp, sizeof buf); > } > > - if (relay->flags & RELAY_STARTTLS) { > - (void)strlcat(buf, sep, sizeof buf); > - (void)strlcat(buf, "starttls", sizeof buf); > - } > - > - if (relay->flags & RELAY_SMTPS) { > - (void)strlcat(buf, sep, sizeof buf); > + (void)strlcat(buf, sep, sizeof buf); > + switch(relay->tls) { > + case RELAY_TLS_OPPORTUNISTIC: > + (void)strlcat(buf, "smtp", sizeof buf); > + break; > + case RELAY_TLS_STARTTLS: > + (void)strlcat(buf, "smtp+tls", sizeof buf); > + break; > + case RELAY_TLS_SMTPS: > (void)strlcat(buf, "smtps", sizeof buf); > + break; > + case RELAY_TLS_NO: > + if (relay->flags & RELAY_LMTP) > + (void)strlcat(buf, "lmtp", sizeof buf); > + else > + (void)strlcat(buf, "smtp+notls", sizeof buf); > + break; > + default: > + (void)strlcat(buf, "???", sizeof buf); > } > > if (relay->flags & RELAY_AUTH) { > @@ -1993,6 +2005,11 @@ mta_relay_cmp(const struct mta_relay *a, > if (a->domain < b->domain) > return (-1); > if (a->domain > b->domain) > + return (1); > + > + if (a->tls < b->tls) > + return (-1); > + if (a->tls > b->tls) > return (1); > > if (a->flags < b->flags) > Index: mta_session.c > =================================================================== > RCS file: /cvs/src/usr.sbin/smtpd/mta_session.c,v > retrieving revision 1.109 > diff -u -p -r1.109 mta_session.c > --- mta_session.c 5 Sep 2018 10:15:41 -0000 1.109 > +++ mta_session.c 5 Sep 2018 12:42:19 -0000 > @@ -199,24 +199,23 @@ mta_session(struct mta_relay *relay, str > > if (relay->flags & RELAY_LMTP) > s->flags |= MTA_LMTP; > - switch (relay->flags & (RELAY_SSL|RELAY_TLS_OPTIONAL)) { > - case RELAY_SSL: > - s->flags |= MTA_FORCE_ANYSSL; > - s->flags |= MTA_WANT_SECURE; > - break; > - case RELAY_SMTPS: > + switch (relay->tls) { > + case RELAY_TLS_SMTPS: > s->flags |= MTA_FORCE_SMTPS; > s->flags |= MTA_WANT_SECURE; > break; > - case RELAY_STARTTLS: > + case RELAY_TLS_STARTTLS: > s->flags |= MTA_FORCE_TLS; > s->flags |= MTA_WANT_SECURE; > break; > - case RELAY_TLS_OPTIONAL: > + case RELAY_TLS_OPPORTUNISTIC: > /* do not force anything, try tls then smtp */ > break; > - default: > + case RELAY_TLS_NO: > s->flags |= MTA_FORCE_PLAIN; > + break; > + default: > + fatalx("bad value for relay->tls: %d", relay->tls); > } > > if (relay->flags & RELAY_BACKUP) > Index: smtpd.h > =================================================================== > RCS file: /cvs/src/usr.sbin/smtpd/smtpd.h,v > retrieving revision 1.558 > diff -u -p -r1.558 smtpd.h > --- smtpd.h 4 Sep 2018 13:04:42 -0000 1.558 > +++ smtpd.h 5 Sep 2018 12:42:19 -0000 > @@ -84,11 +84,11 @@ > #define F_RECEIVEDAUTH 0x800 > #define F_MASQUERADE 0x1000 > > +#define RELAY_TLS_OPPORTUNISTIC 0 > +#define RELAY_TLS_STARTTLS 1 > +#define RELAY_TLS_SMTPS 2 > +#define RELAY_TLS_NO 3 > > -#define RELAY_STARTTLS 0x01 > -#define RELAY_SMTPS 0x02 > -#define RELAY_TLS_OPTIONAL 0x04 > -#define RELAY_SSL (RELAY_STARTTLS | RELAY_SMTPS) > #define RELAY_AUTH 0x08 > #define RELAY_BACKUP 0x10 > #define RELAY_MX 0x20 > @@ -115,6 +115,7 @@ struct netaddr { > > struct relayhost { > uint16_t flags; > + int tls; > char hostname[HOST_NAME_MAX+1]; > uint16_t port; > char authlabel[PATH_MAX]; > @@ -732,6 +733,7 @@ struct mta_relay { > struct dispatcher *dispatcher; > struct mta_domain *domain; > struct mta_limits *limits; > + int tls; > int flags; > char *backupname; > int backuppref; > Index: to.c > =================================================================== > RCS file: /cvs/src/usr.sbin/smtpd/to.c,v > retrieving revision 1.32 > diff -u -p -r1.32 to.c > --- to.c 3 Sep 2018 11:30:14 -0000 1.32 > +++ to.c 5 Sep 2018 12:42:19 -0000 > @@ -304,17 +304,18 @@ text_to_relayhost(struct relayhost *rela > { > static const struct schema { > const char *name; > - uint16_t flags; > + int tls; > + uint16_t flags; > } schemas [] = { > /* > * new schemas should be *appended* otherwise the default > * schema index needs to be updated later in this function. > */ > - { "smtp://", RELAY_TLS_OPTIONAL }, > - { "smtp+tls://", RELAY_STARTTLS }, > - { "smtp+notls://", 0 }, > - { "lmtp://", RELAY_LMTP }, > - { "smtps://", RELAY_SMTPS } > + { "smtp://", RELAY_TLS_OPPORTUNISTIC, 0 > }, > + { "smtp+tls://", RELAY_TLS_STARTTLS, 0 > }, > + { "smtp+notls://", RELAY_TLS_NO, 0 > }, > + { "lmtp://", RELAY_TLS_NO, RELAY_LMTP > }, > + { "smtps://", RELAY_TLS_SMTPS, 0 > } > }; > const char *errstr = NULL; > char *p, *q; > @@ -344,6 +345,7 @@ text_to_relayhost(struct relayhost *rela > else > p = buffer + strlen(schemas[i].name); > > + relay->tls = schemas[i].tls; > relay->flags = schemas[i].flags; > > /* need to specify an explicit port for LMTP */ > @@ -395,7 +397,8 @@ text_to_relayhost(struct relayhost *rela > return 0; > if (relay->authlabel[0]) { > /* disallow auth on non-tls scheme. */ > - if (!(relay->flags & (RELAY_STARTTLS | RELAY_SMTPS))) > + if (relay->tls != RELAY_TLS_STARTTLS && > + relay->tls != RELAY_TLS_SMTPS) > return 0; > relay->flags |= RELAY_AUTH; > } > -- Gilles Chehade https://www.poolp.org @poolpOrg