ok, discussed with eric, not critical but still very annoying so we'll
commit the feature tonight.
On Tue, Oct 09, 2012 at 03:33:03PM +0200, Gilles Chehade wrote:
> Argh, you should have talked to me first ...
>
> Both require ssl and require auth are implemented already ... I did
> not commit yet because we stabilized a release and decided to not
> add new features to it unless they are critical.
>
> This feature should be committed in a few days
>
> Gilles
>
>
> On Tue, Oct 09, 2012 at 03:24:32PM +0200, Alexander Hall wrote:
> > Hi,
> >
> > I suddenly got a flood of incoming spam, and when I could not find
> > any trace of them in the spamdb output, I suspected it was coming in
> > on port 587, which I had configured with tls and "enable auth"
> >
> > I did not realize that that would allow anyone to send locally
> > addressed mail to me that way, thus bypassing spamd.
> >
> > So, I hesitated, but quite easily came up with this diff, which
> > I'm testing out now.
> >
> > This allows replacing "enable auth" with "require auth" like this:
> >
> > listen on bge0 port 587 tls certificate mycert require auth
> > listen on bge0 smtps certificate mycert require auth
> >
> > Note the "require auth", as opposed to "enable auth"
> >
> > Thoughts? OK?
> >
> > /Alexander
> >
> >
> > Index: parse.y
> > ===================================================================
> > RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/parse.y,v
> > retrieving revision 1.104
> > diff -u -p -r1.104 parse.y
> > --- parse.y 30 Sep 2012 17:25:09 -0000 1.104
> > +++ parse.y 9 Oct 2012 13:07:54 -0000
> > @@ -124,7 +124,7 @@ typedef struct {
> > %token DB LDAP PLAIN DOMAIN SOURCE
> > %token RELAY BACKUP VIA DELIVER TO MAILDIR MBOX HOSTNAME
> > %token ACCEPT REJECT INCLUDE ERROR MDA FROM FOR
> > -%token ARROW ENABLE AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST
> > +%token ARROW ENABLE REQUIRE AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER
> > KEY DIGEST
> > %token <v.string> STRING
> > %token <v.number> NUMBER
> > %type <v.map> map
> > @@ -263,7 +263,9 @@ ssl : SMTPS { $$ =
> > F_SMTPS; }
> > | /* empty */ { $$ = 0; }
> > ;
> >
> > -auth : ENABLE AUTH { $$ = 1; }
> > +auth : ENABLE AUTH { $$ = F_AUTH; }
> > + | REQUIRE AUTH { $$ = F_AUTH |
> > + F_AUTH_REQUIRED; }
> > | /* empty */ { $$ = 0; }
> > ;
> >
> > @@ -364,10 +366,7 @@ main : QUEUE INTERVAL interval {
> > }
> >
> > cert = ($6 != NULL) ? $6 : $3;
> > - flags = $5;
> > -
> > - if ($7)
> > - flags |= F_AUTH;
> > + flags = $5 | $7;
> >
> > if ($5 && ssl_load_certfile(cert, F_SCERT) < 0) {
> > yyerror("cannot load certificate: %s", cert);
> > @@ -967,6 +966,7 @@ lookup(char *s)
> > { "queue", QUEUE },
> > { "reject", REJECT },
> > { "relay", RELAY },
> > + { "require", REQUIRE },
> > { "single", SINGLE },
> > { "size", SIZE },
> > { "smtps", SMTPS },
> > Index: smtp_session.c
> > ===================================================================
> > RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/smtp_session.c,v
> > retrieving revision 1.169
> > diff -u -p -r1.169 smtp_session.c
> > --- smtp_session.c 14 Sep 2012 19:22:04 -0000 1.169
> > +++ smtp_session.c 9 Oct 2012 13:21:15 -0000
> > @@ -400,6 +400,12 @@ session_rfc5321_mail_handler(struct sess
> > return 1;
> > }
> >
> > + if (s->s_l->flags & F_AUTH_REQUIRED &&
> > + !(s->s_flags & F_AUTHENTICATED)) {
> > + session_respond(s, "530 5.7.0 Authentication required");
> > + return 1;
> > + }
> > +
> > if (s->s_state != S_HELO) {
> > session_respond(s, "503 5.5.1 Sender already specified");
> > return 1;
> > Index: smtpd.h
> > ===================================================================
> > RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/smtpd.h,v
> > retrieving revision 1.378
> > diff -u -p -r1.378 smtpd.h
> > --- smtpd.h 3 Oct 2012 19:42:16 -0000 1.378
> > +++ smtpd.h 9 Oct 2012 13:07:54 -0000
> > @@ -78,6 +78,7 @@
> > #define F_STARTTLS 0x01
> > #define F_SMTPS 0x02
> > #define F_AUTH 0x04
> > +#define F_AUTH_REQUIRED 0x08
> > #define F_SSL (F_SMTPS|F_STARTTLS)
> >
> > #define F_BACKUP 0x10 /* XXX */
> >
>
> --
> Gilles Chehade
>
> https://www.poolp.org @poolpOrg
>
--
Gilles Chehade
https://www.poolp.org @poolpOrg
