OpenBSD CVS

CVS log for src/usr.sbin/smtpd/ssl.h




Default branch: MAIN


Revision 1.27, Sun Jun 25 08:08:03 2023 UTC (11 months, 2 weeks ago) by op
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, HEAD
Changes since 1.26: +1 -2 lines

remove ssl_init()

it's a noop; nowadays both LibreSSL and OpenSSL libcrypto and libssl
initialize themselves automatically before doing anything.

noticed by jsing, ok tb

Revision 1.26, Fri Feb 18 16:57:36 2022 UTC (2 years, 3 months ago) by millert
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.25: +1 -0 lines

Revert changes to use the new libtls signer api
There are bugs in the new libtls signer that can lead to a crash.
OK tb@ jsing@

Revision 1.25, Sat Feb 12 18:22:04 2022 UTC (2 years, 3 months ago) by eric
Branch: MAIN
Changes since 1.24: +1 -2 lines

use new libtls signer api

ok tb@

Revision 1.24, Wed May 26 07:05:50 2021 UTC (3 years ago) by eric
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.23: +6 -26 lines

remove unused code

ok millert@

Revision 1.23, Sun Apr 11 07:18:08 2021 UTC (3 years, 1 month ago) by eric
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.22: +1 -7 lines

do not build unused code and remove unneeded dependency on libm.

ok tb@

Revision 1.22, Fri Mar 5 12:37:32 2021 UTC (3 years, 3 months ago) by eric
Branch: MAIN
Changes since 1.21: +4 -1 lines

Start porting smtpd to libtls.

Note that it changes the way SNI works: The certificate to use is now
selected by looking at the names found in the certificates themselves,
rather than the names of the pki entries in the configuration file.
The set of certificates for a tls listener must be defined explicitly by
using the pki listener option multiple times.

ok tb@

Revision 1.21, Wed Sep 18 11:26:30 2019 UTC (4 years, 8 months ago) by eric
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7, OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.20: +4 -1 lines

Implement server certificate validation in smtp(1).
Check certificate against MX name in smtpd(8) mta.

ok gilles@

Revision 1.20, Thu Apr 21 14:27:41 2016 UTC (8 years, 1 month ago) by jsing
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4, OPENBSD_6_3_BASE, OPENBSD_6_3, OPENBSD_6_2_BASE, OPENBSD_6_2, OPENBSD_6_1_BASE, OPENBSD_6_1, OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.19: +2 -6 lines

Use automatic DH parameters, instead of fixed ones. Also disable DHE by
default since it is computationally expensive and a potential DoS vector.

ok gilles@

Revision 1.19, Sun Dec 13 09:52:44 2015 UTC (8 years, 5 months ago) by gilles
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.18: +3 -2 lines

refactor a bit to move the SNI handling away from smtp_session into smtp

ok sunil@, jung@

Revision 1.18, Sat Dec 12 20:02:31 2015 UTC (8 years, 5 months ago) by gilles
Branch: MAIN
Changes since 1.17: +2 -6 lines

remove CA from pki and no longer allow specifying a CA with 'pki' keyword.
introduce 'ca' keyword to allow specifying a custom CA.
making CA part of pki was a bad idea and several people hit use-cases that
plain couldn't work.

instead of:
    pki foobar.org ca "/etc/mail/CA.pem"

use now:
    ca foobar.org certificate "/etc/mail/CA.pem"


ok sunil@, jung@

Revision 1.17, Sat Dec 12 17:16:56 2015 UTC (8 years, 5 months ago) by gilles
Branch: MAIN
Changes since 1.16: +3 -3 lines

allow overriding the default cipher-suite

ok jung@, sunil@, millert@

Revision 1.16, Sat Dec 12 17:14:40 2015 UTC (8 years, 5 months ago) by gilles
Branch: MAIN
Changes since 1.15: +1 -3 lines

bump DH params to 2048, it's been part of smtpd releases for a long time
and I've been running with it since June with no side-effect

ok sunil@, jung@, millert@

Revision 1.15, Sat Dec 12 14:40:20 2015 UTC (8 years, 5 months ago) by gilles
Branch: MAIN
Changes since 1.14: +2 -2 lines

pki name is a hostname not a path

Revision 1.14, Sat Dec 12 11:04:19 2015 UTC (8 years, 5 months ago) by gilles
Branch: MAIN
Changes since 1.13: +5 -5 lines

whitespaces

Revision 1.13, Tue Dec 1 09:33:17 2015 UTC (8 years, 6 months ago) by gilles
Branch: MAIN
Changes since 1.12: +10 -1 lines

prepare the ground for the CA certificate handling refactor, this commit
adds the parse.y bit + structures & members needed but does not make use
of it yet

Revision 1.12, Wed Oct 21 16:45:13 2015 UTC (8 years, 7 months ago) by jsing
Branch: MAIN
Changes since 1.11: +1 -3 lines

Use SSL_CTX_set_ecdh_auto() instead of rolling our own version.

ok gilles@

Revision 1.11, Thu Jan 22 09:26:05 2015 UTC (9 years, 4 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8, OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.10: +1 -3 lines

LibreSSL now supports loading of CA certificates from memory, replace
the internal and long-serving ssl_ctx_load_verify_memory() function
with a call to the SSL_CTX_load_verify_mem() API function.  The
ssl_privsep.c file with hacks for using OpenSSL in privsep'ed
processes can now go away; portable versions of smtpd and relayd
should start depending on LibreSSL or they have to carry ssl_privsep.c
in openbsd-compat to work with legacy OpenSSL.  No functional change.

Based on previous discussions with gilles@ bluhm@ and many others
OK bluhm@ (as part of the libcrypto/libssl/libtls diff)

Revision 1.10, Fri Jan 16 15:08:52 2015 UTC (9 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.9: +1 -2 lines

SSL_CTX_use_certificate_chain() has been added to LibreSSL and there
is no need to keep a local copy in ssl_privsep.c.  This adds a little
burden on OpenSMTPD-portable because it will have to put it in
openbsd-compat for compatibility with legacy OpenSSL.

OK gilles@

Revision 1.9, Tue May 20 17:33:36 2014 UTC (10 years ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.8: +3 -4 lines

Unify the SSL privsep key loading functions.

ok eric@

Revision 1.8, Tue May 20 14:21:46 2014 UTC (10 years ago) by reyk
Branch: MAIN
Changes since 1.7: +5 -4 lines

Deep down inside OpenSSL, err... LibreSSL, RSA_set_ex_data attempts to
free() the external data when releasing the RSA object.  The
RSA_GET_EX_NEW_INDEX(3) manual page doesn't mention that this is the
default behaviour - it just describes the possible free_func()
callback - and the code path in libcrypto is hiding the fact behind
layers of abstraction.

Fix possible double free by allocating and copying the external data
reference that is used for RSA privsep (pkiname in smtpd's case).

ok eric@ gilles@

Revision 1.7, Tue Apr 29 19:13:14 2014 UTC (10 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.6: +10 -6 lines

Implement RSA privilege separation for OpenSMTPD, based on my previous
implementation for relayd(8).  The smtpd(8) pony processes (mta
client, smtp server) don't keep the private keys in memory but send
their private key operations as imsgs to the "lookup"/mta process.
It's worth mentioning that this prevents accidental private key leakage
as it could have been caused by "Heartbleed".

ok gilles@

Revision 1.6, Tue Apr 29 10:08:55 2014 UTC (10 years, 1 month ago) by reyk
Branch: MAIN
Changes since 1.5: +2 -2 lines

It is only required to load the keys and certs into the same SSL
context once.  Simplify the code path by moving the loading from three
different places into ssl_ctx_create():

ok gilles@

Revision 1.5, Tue Feb 4 13:44:41 2014 UTC (10 years, 4 months ago) by eric
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.4: +24 -26 lines

pki code cleanup

- rename "struct ssl" and "cert" to "struct pki" and "cert" to "pki_name"
- inherit pki conf on fork instead of passing it through imsg at startup
- implement SNI on smtp listeners

Revision 1.4, Thu Nov 28 12:50:40 2013 UTC (10 years, 6 months ago) by eric
Branch: MAIN
Changes since 1.3: +2 -2 lines

fix loading of passphrase-protected keys.

Revision 1.3, Wed Nov 6 10:01:29 2013 UTC (10 years, 7 months ago) by eric
Branch: MAIN
Changes since 1.2: +14 -3 lines

Much much improved config parser and related changes.
Simplify code and do not impose an order on conditions and rule options.

Format changes that may require smtpd.conf update for some setups:

- SSL certificates are no longer automatically loaded, but must be
  explicitly declared using the "pki" keyword.
- "certificate" option becomes "pki" in listener and accept rules.
- "ssl://" becomes "secure://" in relay via rules.
- "helo" becomes "hostnames" in relay rules

New features:

- accept rules do not need an explicit action, in which case alias table
  or .forward must provide one.
- new "forward-only" action to force relaying and reject rcpts that expand
  as local delivery.
- "!" (negation) modifier on rule matching conditions.
- new "recipient" rule matching condition.
- new "verify" option on listeners and relay rules to reject invalid
  certificates.

Other changes:

- remember the helo name advertised on incoming mail and use it for sending
  bounces.
- bump envelope version (existing envelopes are updated on-the-fly).

Revision 1.2, Fri Jul 19 09:04:07 2013 UTC (10 years, 10 months ago) by eric
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.1: +4 -2 lines

tls perfect forward secrecy with ecdhe

suggested by djm@ on hackers@, diff ok djm@

Revision 1.1, Sat Jan 26 09:37:24 2013 UTC (11 years, 4 months ago) by gilles
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3

Sync with our smtpd repo:

* first bricks of ldap and sqlite support (not finished but both working)
* new table API to replace map API, all lookups are done through tables
* improved handling of temporary errors throughout the daemon
* improved scheduler and mta logic: connection reuse, optimizes batches
* improved queue: more tolerant to admin errors, new layout, less disk-IO
* improved memory usage under high load
* SSL certs/keys isolated to lookup process to avoid facing network
* VIRTUAL support improved, fully virtual setups possible now
* runtime tracing of processes through smtpctl trace
* ssl_privsep.c sync-ed with relayd
* ssl.c no longer contains smtpd specific interfaces
* smtpd-specific ssl bits moved to ssl_smtpd.c
* update mail address in copyright

FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE.

smtpd.conf(5) simplified, it will require adaptations

ok eric@
