On Wed, Aug 05, 2015 at 06:49:42 +0000, David Dahlberg wrote:
> On Wednesday, 05.08.2015, 00:31 +0100, Jason McIntyre wrote:
>
> > if this were the case, i'd say we want:
> > [tls [verify]]
>
> Hmm, I think I have heard this proposal before ;-)
> https://marc.info/?l=openbsd-misc&m=140196108217209
>
> > but the doc currently says:
> >
> > Note that the tls and verify options are mutually exclusive and
> > should only be used in private networks as they will prevent
> > proper relaying on the Internet.
>
> - Note that the tls and verify options are mutually exclusive and
> + Note that the tls and tls verify options
>
Got it! How about this: Index: smtpd.conf.5 =================================================================== RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v retrieving revision 1.126 diff -u -p -p -u -r1.126 smtpd.conf.5 --- smtpd.conf.5 4 Jun 2015 14:23:00 -0000 1.126 +++ smtpd.conf.5 8 Aug 2015 08:06:19 -0000 @@ -311,7 +311,7 @@ This parameter may use conversion specif .Op Ic hostname Ar name .Op Ic hostnames No < Ns Ar names Ns > .Op Ic pki Ar pkiname -.Op Ic tls | verify +.Op Ic tls Op verify .Ek .Xc .Pp @@ -389,19 +389,17 @@ is used instead. If .Ic tls is specified, OpenSMTPD will refuse to relay unless the remote host provides -STARTTLS. -.Pp -If +STARTTLS. If .Ic verify -is specified, OpenSMTPD will refuse to relay unless the remote host provides -STARTTLS and the certificate it presented has been verified. +is also specified, OpenSMTPD will also try to verify the certificate of the +host and refuses to relay if it is invalid. .Pp Note that the .Ic tls and -.Ic verify -options are mutually exclusive and should only be used in private networks -as they will prevent proper relaying on the Internet. +.Ic tls verify +options should only be used in private networks as they will prevent proper +relaying on the Internet. .It Xo .Ic relay via .Ar host -- LÉVAI Dániel PGP key ID = 0x83B63A8F Key fingerprint = DBEC C66B A47A DFA2 792D 650C C69B BE4C 83B6 3A8F
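Review bot: in the first hunk, `verify` loses its keyword markup. With the old `.Op Ic tls | verify` the whole `tls | verify` text sat inside the `Ic` macro, but in `.Op Ic tls Op verify` the callable `Op` ends the scope of `Ic`, so `tls` renders as a command keyword and `verify` renders in plain text. Suggest `.Op Ic tls Op Ic verify`, which also matches the `.Ic tls verify` used later in the same page.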
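Review bot: the new sentence in the second hunk has a grammar slip and weakens the documented guarantee. "OpenSMTPD will also try to verify the certificate of the host and refuses to relay if it is invalid" repeats "also" and mixes "will ... try" with "refuses"; more importantly, "try to verify ... if it is invalid" can be read as relaying still going ahead when verification simply cannot be completed, whereas the removed lines state the stricter rule that relaying is refused unless the certificate has been verified. Suggest keeping that meaning, e.g. "is also specified, OpenSMTPD will refuse to relay unless the certificate presented by the remote host has been verified."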

