Hi. This diff makes it possible to specify the protocol versions and ciphers to use for outgoing TLS sessions on a per-relay basis.
Eric.
Index: mta.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/mta.c,v
retrieving revision 1.235
diff -u -p -r1.235 mta.c
--- mta.c 5 Mar 2021 12:37:32 -0000 1.235
+++ mta.c 25 Mar 2021 13:06:20 -0000
@@ -491,6 +491,7 @@ mta_setup_dispatcher(struct dispatcher *
 	struct tls_config *config;
 	struct pki *pki;
 	struct ca *ca;
+	uint32_t protos;
 
 	if (dispatcher->type != DISPATCHER_REMOTE)
 		return;
@@ -500,10 +501,14 @@ mta_setup_dispatcher(struct dispatcher *
 	if ((config = tls_config_new()) == NULL)
 		fatal("smtpd: tls_config_new");
 
-	if (env->sc_tls_ciphers) {
-		if (tls_config_set_ciphers(config, env->sc_tls_ciphers) == -1)
-			err(1, "%s", tls_config_error(config));
-	}
+	if (remote->tls_ciphers &&
+	    tls_config_set_ciphers(config, remote->tls_ciphers) == -1)
+		err(1, "%s", tls_config_error(config));
+
+	if (remote->tls_protocols &&
+	    (tls_config_parse_protocols(&protos, remote->tls_protocols) == -1
+	    || tls_config_set_protocols(config, protos) == -1))
+		err(1, "%s", tls_config_error(config));
 
 	if (remote->pki) {
 		pki = dict_get(env->sc_pki_dict, remote->pki);
Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v
retrieving revision 1.285
diff -u -p -r1.285 parse.y
--- parse.y 5 Mar 2021 12:37:32 -0000 1.285
+++ parse.y 25 Mar 2021 13:05:38 -0000
@@ -190,7 +190,7 @@ typedef struct {
 %token MAIL_FROM MAILDIR MASK_SRC MASQUERADE MATCH MAX_MESSAGE_SIZE MAX_DEFERRED MBOX MDA MTA MX
 %token NO_DSN NO_VERIFY NOOP
 %token ON
-%token PHASE PKI PORT PROC PROC_EXEC PROXY_V2
+%token PHASE PKI PORT PROC PROC_EXEC PROTOCOLS PROXY_V2
 %token QUEUE QUIT
 %token RCPT_TO RDNS RECIPIENT RECEIVEDAUTH REGEX RELAY REJECT REPORT REWRITE RSET
 %token SCHEDULER SENDER SENDERS SMTP SMTP_IN SMTP_OUT SMTPS SOCKET SRC SRS SUB_ADDR_DELIM 
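Review bot: The second mta.c hunk replaces the global `env->sc_tls_ciphers` with `remote->tls_ciphers` and adds no fallback, so a relay without its own `ciphers` keyword now runs with the libtls default cipher list even where a global cipher list is configured; if that global option is still accepted for other sessions (not visible here), this silently loosens outgoing TLS for deployments that relied on it, so either document the change or keep the fallback, e.g. `const char *ciphers = remote->tls_ciphers ? remote->tls_ciphers : env->sc_tls_ciphers;`. Both new `err(1, "%s", tls_config_error(config))` calls append strerror(errno) to the message, but tls_config_parse_protocols, tls_config_set_protocols and tls_config_set_ciphers report their reason through tls_config_error rather than errno, so `errx(1, "%s", tls_config_error(config))` gives an accurate message. A malformed `protocols` or `ciphers` string is also only rejected here, at dispatcher setup, rather than when the configuration is parsed. mta_setup_dispatcher starts and ends outside the hunk.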
@@ -768,6 +768,22 @@ HELO STRING {
 
 	dsp->u.remote.ca = $2;
 }
+| CIPHERS STRING {
+	if (dsp->u.remote.tls_ciphers) {
+		yyerror("ciphers already specified for this dispatcher");
+		YYERROR;
+	}
+
+	dsp->u.remote.tls_ciphers = $2;
+}
+| PROTOCOLS STRING {
+	if (dsp->u.remote.tls_protocols) {
+		yyerror("protocols already specified for this dispatcher");
+		YYERROR;
+	}
+
+	dsp->u.remote.tls_protocols = $2;
+}
 | SRC tables {
 	struct table *t = $2;
 
@@ -2682,6 +2698,7 @@ lookup(char *s)
 	{ "port", PORT },
 	{ "proc", PROC },
 	{ "proc-exec", PROC_EXEC },
+	{ "protocols", PROTOCOLS },
 	{ "proxy-v2", PROXY_V2 },
 	{ "queue", QUEUE },
 	{ "quit", QUIT },
Index: smtpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v
retrieving revision 1.258
diff -u -p -r1.258 smtpd.conf.5
--- smtpd.conf.5 5 Mar 2021 12:37:32 -0000 1.258
+++ smtpd.conf.5 25 Mar 2021 17:47:00 -0000
@@ -298,6 +298,18 @@ When used with a smarthost, the protocol
 If
 .Cm no-verify
 is specified, do not require a valid certificate.
+.It Cm protocols Ar protostr
+Define the protocol versions to be used for TLS sessions.
+Refer to the
+.Xr tls_config_parse_protocols 3
+manpage for the format of
+.Ar protostr .
+.It Cm ciphers Ar cipherstr
+Define the list of ciphers that may be used for TLS sessions.
+Refer to the
+.Xr tls_config_set_ciphers 3
+manpage for the format of
+.Ar cipherstr .
 .It Cm auth Pf < Ar table Ns >
 Use the mapping
 .Ar table
Index: smtpd.h
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.h,v
retrieving revision 1.662
diff -u -p -r1.662 smtpd.h
--- smtpd.h 5 Mar 2021 12:37:32 -0000 1.662
+++ smtpd.h 25 Mar 2021 13:06:36 -0000
@@ -1192,6 +1192,8 @@ struct dispatcher_remote {
 	char *auth;
 	int tls_required;
 	int tls_noverify;
+	char *tls_protocols;
+	char *tls_ciphers;
 	int backup;
 	char *backupmx;
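Review bot: The new CIPHERS and PROTOCOLS actions in the first parse.y hunk store the raw string and leave all validation to mta_setup_dispatcher, so a typo in `protocols` or `ciphers` is only reported when the dispatcher is set up, without the line number yyerror would give, and a configuration check run may not catch it at all unless that setup also happens at parse time (not visible here). The PROTOCOLS action can validate immediately with a scratch variable, along the lines of `uint32_t protos; if (tls_config_parse_protocols(&protos, $2) == -1) { yyerror("invalid protocols: %s", $2); YYERROR; }`, and the CIPHERS action can do the same by calling tls_config_set_ciphers on a temporary tls_config_new() object that is freed afterwards. The duplicate-keyword checks themselves mirror the surrounding `ca` rule and look right.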