#
e6c7c102 |
| 23-Apr-2024 |
jsg <jsg@openbsd.org> |
correct indentation; no functional change ok tb@
|
#
cd8603db |
| 03-Jan-2024 |
op <op@openbsd.org> |
relax ORCPT syntax validation
We expected the ORCPT parameter to be a valid rfc822 address. This is wrong on multiple levels:
- any other IANA-registered "addr-type" can be used - the parameter
relax ORCPT syntax validation
We expected the ORCPT parameter to be a valid rfc822 address. This is wrong on multiple levels:
- any other IANA-registered "addr-type" can be used - the parameter may be encoded and we didn't decode it prior validation - RFC3461 explicitly states that "[..] the address associated with the ORCPT keyword is NOT constrained to conform to the syntax rules for that 'addr-type'".
Instead, just validate the xtext and preserve the ORCPT value as-is.
Issue originally reported by Tim Kuijsten, Tassilo Philipp and others.
ok millert@
show more ...
|
#
2e9bd56e |
| 08-Nov-2023 |
op <op@openbsd.org> |
RFC 7505 ("Null MX") handling
mail delivery will not be attempted if a domain advertises a single MX record with preference 0 and a zero-length label.
based on an initial diff from Philipp (philipp
RFC 7505 ("Null MX") handling
mail delivery will not be attempted if a domain advertises a single MX record with preference 0 and a zero-length label.
based on an initial diff from Philipp (philipp+openbsd [at] bureaucracy [dot] de), thanks!
ok jung@
show more ...
|
#
0dcffd0d |
| 31-May-2023 |
op <op@openbsd.org> |
add missing include of time.h
spotted after a report on OpenSMTPD-portable. While here include sys/time.h in smtpd.h, as noted in event_init(3), since it includes event.h.
ok millert@
|
#
62e04d05 |
| 16-May-2023 |
op <op@openbsd.org> |
some fatal -> fatalx to improved logging
errno doesn't generally contains anything useful after libtls functions, and in most cases it's explicitly cleared to avoid misuse, so change a few fatal() c
some fatal -> fatalx to improved logging
errno doesn't generally contains anything useful after libtls functions, and in most cases it's explicitly cleared to avoid misuse, so change a few fatal() calls to fatalx() when logging libtls failures. Also, add the real error string, via tls_error() or tls_config_error(), that was missing before.
ok millert@
show more ...
|
#
41b8cf0b |
| 18-Feb-2022 |
millert <millert@openbsd.org> |
Revert changes to use the new libtls signer api There are bugs in the new libtls signer that can lead to a crash. OK tb@ jsing@
|
#
3abbdc76 |
| 12-Feb-2022 |
eric <eric@openbsd.org> |
use new libtls signer api
ok tb@
|
#
89818320 |
| 10-Feb-2022 |
millert <millert@openbsd.org> |
Do not verify the cert or CA for a relay using opportunistic TLS. If a relay is not explicitly configured to use TLS but the remote side supports STARTTLS, we will try to use it. However, in this ca
Do not verify the cert or CA for a relay using opportunistic TLS. If a relay is not explicitly configured to use TLS but the remote side supports STARTTLS, we will try to use it. However, in this case we should not verify the cert or CA (which may be self-signed). This restores the relay behavior before the switch to libtls was made. There is no change if the relay is explicitly configured to use TLS. OK eric@
show more ...
|
#
d3140113 |
| 14-Jun-2021 |
eric <eric@openbsd.org> |
add required headers for smtpd.h and remove unnecessary ones in other files.
ok jung@
|
#
ff01b044 |
| 26-May-2021 |
eric <eric@openbsd.org> |
replaces calls to err(3)/errx(3) with fatal()/fatalx() from log.c for code that runs in the daemon.
ok florian@ millert@
|
#
a040621a |
| 09-Apr-2021 |
eric <eric@openbsd.org> |
allow to specify tls ciphers and protocols on listeners
ok tb@
|
#
a2bac8cf |
| 02-Apr-2021 |
eric <eric@openbsd.org> |
if cipher list is not specified for a relay action, use the global cipher list if defined. otherwise fallback to libtls default.
ok millert@
|
#
32bd51d0 |
| 31-Mar-2021 |
eric <eric@openbsd.org> |
allow to specify tls protocols and ciphers on relay actions
ok espie@ sthen@ tb@
|
#
eed85469 |
| 05-Mar-2021 |
eric <eric@openbsd.org> |
Start porting smtpd to libtls.
Note that it changes the way SNI works: The certificate to use is now selected by looking at the names found in the certificates themselves, rather than the names of t
Start porting smtpd to libtls.
Note that it changes the way SNI works: The certificate to use is now selected by looking at the names found in the certificates themselves, rather than the names of the pki entries in the configuration file. The set of certificates for a tls listener must be defined explicitly by using the pki listener option multiple times.
ok tb@
show more ...
|
#
dd6d690a |
| 21-Dec-2019 |
gilles <gilles@openbsd.org> |
keep track of the relay action in relays, will be used for smtp-out reporting
|
#
9e7c83d3 |
| 18-Dec-2019 |
gilles <gilles@openbsd.org> |
teach relay action how to do domain-based relay host, this allows declaring a single relay action with a mapping of relay hosts per domain.
ok eric@
|
#
c78098c5 |
| 20-Sep-2019 |
gilles <gilles@openbsd.org> |
teach smtpd how to do SRS so hosts that act as forwarders don't break SPF. this basic implementation does SRS0/SRS1 encoding/decoding, validating time and checksums.
with insight from semarie@, ok e
teach smtpd how to do SRS so hosts that act as forwarders don't break SPF. this basic implementation does SRS0/SRS1 encoding/decoding, validating time and checksums.
with insight from semarie@, ok eric@ and millert@
show more ...
|
#
d6ee62d2 |
| 18-Sep-2019 |
eric <eric@openbsd.org> |
Implement server certificate validation in smtp(1). Check certificate against MX name in smtpd(8) mta.
ok gilles@
|
#
67608b6d |
| 14-Sep-2019 |
gilles <gilles@openbsd.org> |
in mta_relay_cmp() properly check that authlabel or backupname are not NULL before comparing their value with other relays
diff from Caspar Schutijser <caspar@schutijser.com>
|
#
42d9b5d3 |
| 19-Aug-2019 |
eric <eric@openbsd.org> |
use a specific and more relevant status message for failed smarthost resolution.
ok gilles@
|
#
28efdb08 |
| 14-Jun-2019 |
eric <eric@openbsd.org> |
simplify the runq interface:
- remove (unused) per-job callback - rename runq_schedule() to runq_schedule_at() and runq_delay() to runq_schedule() - remove unused runq_next()
ok sunil@ gilles@
|
#
d64dc2a5 |
| 23-Dec-2018 |
eric <eric@openbsd.org> |
remove dead code
ok gilles@
|
#
1aa03b06 |
| 24-Sep-2018 |
eric <eric@openbsd.org> |
Allow to use the "tls" keyword on any relay action to force TLS, with strict certificate validation. The "no-verify" becomes optional.
ok gilles@ millert@ semarie@
|
#
1a271186 |
| 19-Sep-2018 |
eric <eric@openbsd.org> |
rename the ill-named "flags" member to "as_host" in domain structure. remove yet another useless relay flag while there.
ok gilles@
|
#
d0a6e81f |
| 17-Sep-2018 |
eric <eric@openbsd.org> |
simplify code path for backup relay and remove useless flag
ok gilles@
|