When enqueueing from the local socket, the input address is faked as "::1".
This is confusing and even broken, as systems running with ipv6 disabled on
lo0 will not be able to enqueue mails using the

When enqueueing from the local socket, the input address is faked as "::1".
This is confusing and even broken, as systems running with ipv6 disabled on
lo0 will not be able to enqueue mails using the local socket.

So instead, use AF_LOCAL and print it as "local" in envelopes/maps. Add it
to the "localhost" and "all" maps accordingly, and fix the ruleset matching.

ok gilles@ chl@

show more ...

remove unused header

ok gilles@

- remove crypto_backend
- remove support for encrypted queue, it will be reintroduced later after
pouring more thinking into it

if you had it enabled, flush your queue before updating

- import latest aldap.[ch] and ber.[ch] from ypldap
- revive map_ldap.c by updating it to the current API

diff by Mathieu Masson who played puzzle with an oooold changeset of mine,
this import is to

- import latest aldap.[ch] and ber.[ch] from ypldap
- revive map_ldap.c by updating it to the current API

diff by Mathieu Masson who played puzzle with an oooold changeset of mine,
this import is to let us work on it in tree, it won't work as is.

idea ok eric@ and chl@

show more ...

switch the default queue encryption to AES-128
I'm committing this on behalf of gilles@

Introduce the crypto_backend API and provide support for... encrypted queue
using the new API. By default, OpenSMTPD does not provide queue encryption,
but it can be enabled with "queue encryption [a

Introduce the crypto_backend API and provide support for... encrypted queue
using the new API. By default, OpenSMTPD does not provide queue encryption,
but it can be enabled with "queue encryption [args]" and will transparently
encrypt/decrypt envelopes/messages as they hit the queue.

By default, it will use Blowfish in CBC mode with a different random IV for
each envelope and message. User provided key is expanded using sha256 but a
different cipher and digest may be specified in smtpd.conf

Queue encryption is compatible with compression and if both options are set
it will do them in correct order and transparently.

tested by chl@, a few users and myself
ok chl@ and I

show more ...

- use the same compression algorithm, gzip, for message file and envelopes
- rename compress_zlib.c to compress_gzip.c

with this commit it is possible to inspect a compressed queue with gzcat :)

Add compress_backend, allowing compression of messages and envelopes in the queue.
To use it, just add "queue compress" in smtpd.conf. For now, only zlib is used.

lots of feedback from eric@ and gil

Add compress_backend, allowing compression of messages and envelopes in the queue.
To use it, just add "queue compress" in smtpd.conf. For now, only zlib is used.

lots of feedback from eric@ and gilles@

ok eric@ gilles@

show more ...

Allow smtpd to work as a backup MX, relaying only to MXs with higher
priority in the DNS record. For example:

accept for domain "foo.org" relay backup "mx3.foo.org"

will relay mails for "foo.org

Allow smtpd to work as a backup MX, relaying only to MXs with higher
priority in the DNS record. For example:

accept for domain "foo.org" relay backup "mx3.foo.org"

will relay mails for "foo.org" using only hosts with higher priority
(i.e. lower value) than "mx3.foo.org", which is supposed to be the
current server.

If the specified backup MX is not found in the DNS record, relaying
works as normal.

ok gilles@

show more ...

coding style: replace all occurences of u_int* with uint*

ok eric@

- plug text_to_relayhost() in parse.y to support relay URLs.
- document the new URL syntax in smtpd.conf.5
- replace starttls:// schema with tls://

Beware, "relay via" rules should now be expressed

- plug text_to_relayhost() in parse.y to support relay URLs.
- document the new URL syntax in smtpd.conf.5
- replace starttls:// schema with tls://

Beware, "relay via" rules should now be expressed with a relay URL:

accept [...] relay via "mx1.example.org" smtps port 465
becomes accept [...] relay via "smtps://mx1.example.org"

This will allow using mappings of relays with different protocols and
options.

Make sure to update your smtpd.conf if you relay via !

ok eric, ok chl

show more ...

- cleanup parse.y by removing lots of code that should not have been there,
but in ruleset.c and util.c instead.

- introduce the new map_compare() map API call to allow iterating over keys
and c

- cleanup parse.y by removing lots of code that should not have been there,
but in ruleset.c and util.c instead.

- introduce the new map_compare() map API call to allow iterating over keys
and comparing them with provided key using provided function. this allows
checking a partial key in a key set, very useful for comparing an address
to a set of netmask.

- introduce new map kind K_NETADDR
- implement K_NETADDR for map_db and map_stdio
- teach ruleset checking how to use the map_compare() with K_NETADDR

we can now do the following:

map "srcaddr" source plain "/etc/mail/srcaddr.txt"

accept from map srcaddr for domain "openbsd.org" [...]

show more ...

- remove unused sources S_EXT, S_DYN and S_EXT from enum map_src
- continue simplification of parse.y
- remove "for network", if we ever need it we can reimport, probably no
one knows of that undoc

- remove unused sources S_EXT, S_DYN and S_EXT from enum map_src
- continue simplification of parse.y
- remove "for network", if we ever need it we can reimport, probably no
one knows of that undocumented strange feature ;-)
- change syntax for virtual domains configuration:

accept for virtual vmap [...] <- wrong
accept for virtual map vmap [...] <- right

the reason for this change is that we will soon implement relay rules
through maps and that keeping that syntax would make it inconsistent
with the other rules.

- update man pages for makemap and smtpd.conf to reflect changes

ok eric@, looks ok chl@

show more ...

- simplify a bit maps by removing fields which are still unused years
after the initial ambitious implementation: byebye map type & map flags

- simplify a bit parse.y by removing assignations to t

- simplify a bit maps by removing fields which are still unused years
after the initial ambitious implementation: byebye map type & map flags

- simplify a bit parse.y by removing assignations to these otherwise unused
fields

- remove the DNS map source, it may be a good idea, but we can just add it
when we plan to implement it (if we do)

- make the { } options in map declaration, it's been annoying me for a long
time now, this allows the following to work:

map "foobar" source plain "/etc/mail/foobar"

- update smtpd.conf.5 accordingly ;-)

show more ...

add missing header needed by str* and mem* functions

ok gilles@

- introduce delivery backend API (delivery.c)
- move each delivery method to it's own delivery backend
- simplify smtpd.c accordingly
- rename A_EXT -> A_MDA since that's what we really do

ok eric@

check for NULL ->ifa_addr, found the hard way by yours truly on his phone
ok chl@ & gilles@

Use PRI{x,d}64 in format strings instead of %llx, %lld or %qd to print {u_,}int64_t or time_t

While there, cast some time_t to int64_t

These will fix build warnings for portable smptd

ok gilles@ e

Use PRI{x,d}64 in format strings instead of %llx, %lld or %qd to print {u_,}int64_t or time_t

While there, cast some time_t to int64_t

These will fix build warnings for portable smptd

ok gilles@ eric@

show more ...

a few important fixes:

- use correct endianness when dumping/loading port
- use the right flag set when dumping/loading flags
- keep and use the authmap name when needed, rather than an id that
mi

a few important fixes:

- use correct endianness when dumping/loading port
- use the right flag set when dumping/loading flags
- keep and use the authmap name when needed, rather than an id that
might change when smtpd is restarted
- dump/load the authmap name with the envelope
- remove the rule struct from rq_batch as only the relay info is useful

ok gilles@

show more ...

add missing header needed by bsearch()

ok gilles@

- if no filter is setup, do not overwrite the data line with filtmsg buffer
- remove annoying debug lines
- disable back filters at smtpd.conf level

committing on behalf of gilles@

add support for per-line DATA callbacks, this allows filters to take their
decisions *while* the message is being received by the client.

initial support for a session-time filtering API

currently only HELO/EHLO, MAIL, RCPT are supported, however ... I have
voluntarily disabled filters at smtpd.conf level so people don't play with
it

initial support for a session-time filtering API

currently only HELO/EHLO, MAIL, RCPT are supported, however ... I have
voluntarily disabled filters at smtpd.conf level so people don't play with
it until the API has stabilized a bit

discussed with several people in private, no one opposed the feature

show more ...

'relay as' and 'relay via as' rules allow smtpd to rewrite the user part,
the domain part or the entire address of the sender at the SMTP sesssion
level. this is not masquerade but allows smtpd to co

'relay as' and 'relay via as' rules allow smtpd to rewrite the user part,
the domain part or the entire address of the sender at the SMTP sesssion
level. this is not masquerade but allows smtpd to communicate with hosts
that do a check of SMTP sender fqdn.

sent to tech@, a couple 'no regression' feedbacks

show more ...

teach smtpd how to listen on an interface group so that we can do:
listen on egress
listen on wlan

idea unvoluntarily suggested by Mikolaj Kucharski a few weeks ago,
unslacked after theo suggested

teach smtpd how to listen on an interface group so that we can do:
listen on egress
listen on wlan

idea unvoluntarily suggested by Mikolaj Kucharski a few weeks ago,
unslacked after theo suggested it again.

show more ...