Argh, you should have talked to me first ...
Both `require ssl` and `require auth` are already implemented; I have not
committed them yet because we are stabilizing a release and decided not to
add new features to it unless they are critical.
This feature should be committed in a few days
Gilles
On Tue, Oct 09, 2012 at 03:24:32PM +0200, Alexander Hall wrote:
> Hi,
>
> I suddenly got a flood of incoming spam, and when I could not find
> any trace of them in the spamdb output, I suspected it was coming in
> on port 587, which I had configured with tls and "enable auth"
>
> I did not realize that this would let anyone submit locally addressed
> mail through that port without authenticating, thus bypassing spamd.
>
> So, I hesitated, but quite easily came up with this diff, which
> I'm testing out now.
>
> This allows replacing "enable auth" with "require auth" like this:
>
> listen on bge0 port 587 tls certificate mycert require auth
> listen on bge0 smtps certificate mycert require auth
>
> Note the "require auth", as opposed to "enable auth"
>
> Thoughts? OK?
>
> /Alexander
>
>
> Index: parse.y
> ===================================================================
> RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/parse.y,v
> retrieving revision 1.104
> diff -u -p -r1.104 parse.y
> --- parse.y 30 Sep 2012 17:25:09 -0000 1.104
> +++ parse.y 9 Oct 2012 13:07:54 -0000
> @@ -124,7 +124,7 @@ typedef struct {
> %token DB LDAP PLAIN DOMAIN SOURCE
> %token RELAY BACKUP VIA DELIVER TO MAILDIR MBOX HOSTNAME
> %token ACCEPT REJECT INCLUDE ERROR MDA FROM FOR
> -%token ARROW ENABLE AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST
> +%token ARROW ENABLE REQUIRE AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER
> KEY DIGEST
> %token <v.string> STRING
> %token <v.number> NUMBER
> %type <v.map> map
> @@ -263,7 +263,9 @@ ssl : SMTPS { $$ =
> F_SMTPS; }
> | /* empty */ { $$ = 0; }
> ;
>
> -auth : ENABLE AUTH { $$ = 1; }
> +auth : ENABLE AUTH { $$ = F_AUTH; }
> + | REQUIRE AUTH { $$ = F_AUTH |
> + F_AUTH_REQUIRED; }
> | /* empty */ { $$ = 0; }
> ;
>
> @@ -364,10 +366,7 @@ main : QUEUE INTERVAL interval {
> }
>
> cert = ($6 != NULL) ? $6 : $3;
> - flags = $5;
> -
> - if ($7)
> - flags |= F_AUTH;
> + flags = $5 | $7;
>
> if ($5 && ssl_load_certfile(cert, F_SCERT) < 0) {
> yyerror("cannot load certificate: %s", cert);
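Review bot: The merged `flags = $5 | $7;` lets a listener carry F_AUTH_REQUIRED with no tls or smtps ($5 == 0), so `listen on bge0 port 587 require auth` parses cleanly. If the session code only offers AUTH on a TLS-protected connection, such a listener rejects every MAIL FROM with 530; if it offers AUTH in the clear, it invites plaintext credentials — either way a parse-time diagnostic beats discovering it at runtime. Add, before the certificate load, `if (($7 & F_AUTH_REQUIRED) && !$5) { yyerror("require auth needs tls or smtps"); ... }` and bail out the same way the certificate-load failure path does. The enclosing listen rule begins and ends outside this hunk.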
> @@ -967,6 +966,7 @@ lookup(char *s)
> { "queue", QUEUE },
> { "reject", REJECT },
> { "relay", RELAY },
> + { "require", REQUIRE },
> { "single", SINGLE },
> { "size", SIZE },
> { "smtps", SMTPS },
> Index: smtp_session.c
> ===================================================================
> RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/smtp_session.c,v
> retrieving revision 1.169
> diff -u -p -r1.169 smtp_session.c
> --- smtp_session.c 14 Sep 2012 19:22:04 -0000 1.169
> +++ smtp_session.c 9 Oct 2012 13:21:15 -0000
> @@ -400,6 +400,12 @@ session_rfc5321_mail_handler(struct sess
> return 1;
> }
>
> + if (s->s_l->flags & F_AUTH_REQUIRED &&
> + !(s->s_flags & F_AUTHENTICATED)) {
> + session_respond(s, "530 5.7.0 Authentication required");
> + return 1;
> + }
> +
> if (s->s_state != S_HELO) {
> session_respond(s, "503 5.5.1 Sender already specified");
> return 1;
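Review bot: The new guard at the top of session_rfc5321_mail_handler mixes `&` and `&&` without parentheses; it parses as intended, but `-Wparentheses` flags it and a reader has to stop and check, so write `if ((s->s_l->flags & F_AUTH_REQUIRED) && !(s->s_flags & F_AUTHENTICATED)) {`. Gating only MAIL FROM is sufficient as long as RCPT TO and DATA are reachable only after a successful MAIL FROM, which the state machine presumably enforces but is not visible here — worth a one-line comment above the check, e.g. `/* require auth: refuse any transaction from an unauthenticated client */`. It is also worth confirming that every session reaching this handler has s_l set, since the guard dereferences it unconditionally. The handler's body begins and ends outside this hunk.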
> Index: smtpd.h
> ===================================================================
> RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/smtpd.h,v
> retrieving revision 1.378
> diff -u -p -r1.378 smtpd.h
> --- smtpd.h 3 Oct 2012 19:42:16 -0000 1.378
> +++ smtpd.h 9 Oct 2012 13:07:54 -0000
> @@ -78,6 +78,7 @@
> #define F_STARTTLS 0x01
> #define F_SMTPS 0x02
> #define F_AUTH 0x04
> +#define F_AUTH_REQUIRED 0x08
> #define F_SSL (F_SMTPS|F_STARTTLS)
>
> #define F_BACKUP 0x10 /* XXX */
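Review bot: F_AUTH_REQUIRED takes 0x08, the one gap between F_AUTH and F_BACKUP, and nothing here says what the flag means or that it is only meaningful together with F_AUTH; a comment keeps the next person from reusing the bit, e.g. `#define F_AUTH_REQUIRED 0x08 /* listener: reject MAIL FROM from unauthenticated clients */`. Worth confirming 0x08 is not assigned to another F_ value further down the header, outside this hunk.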
>
--
Gilles Chehade
https://www.poolp.org @poolpOrg