Add support for "require TLS"-settings

1 files changed, 38 insertions, 10 deletions

diff --git a/qmail-remote.c b/qmail-remote.c
index 125d813..a743e06 100644
--- a/qmail-remote.c
+++ b/qmail-remote.c
@@ -9,6 +9,7 @@
 #include "substdio.h"
 #include "subfd.h"
 #include "scan.h"
+#include "byte.h"
 #include "case.h"
 #include "error.h"
 #include "auto_qmail.h"
@@ -401,6 +402,7 @@ static int tls_init(struct ip_mx *current_mx)
   stralloc saciphers = {0};
   const char *ciphers, *servercert = 0;
   const char *mx_host = current_mx->fqdn;
+  const char *failure_class = "Z"; // per default we do temp failures
 
   if (mx_host) {
     struct stat st;
@@ -425,10 +427,26 @@ static int tls_init(struct ip_mx *current_mx)
     }
   }
 
-  /* DANE: lookup TLSA records */
   int tls_required = (smtps || servercert != NULL);
-  stralloc tlsa_rr = { 0 };
 
+  /* per-domain "require TLS"-settings */
+  if (!tls_required) {
+    int at = byte_rchr(sender.s, sender.len, '@') + 1;
+    if (at < sender.len) {
+      stralloc tmp = { 0 };
+      if (!stralloc_copys(&tmp, "control/tlsrequire/")
+          || !stralloc_catb(&tmp, sender.s + at, sender.len - at)
+          || !stralloc_0(&tmp)) // sender is not 0-terminated
+        temp_nomem();
+      if (control_readint(&tls_required, tmp.s) == -1) temp_control();
+      tls_required = (tls_required & 0x02) ? 1 : 0; // 2nd bit is SMTP outgoing
+      if (tls_required)
+        failure_class = "D"; // do perm failures for faster user feedback
+    }
+  }
+
+  /* DANE: lookup TLSA records */
+  stralloc tlsa_rr = { 0 };
   if (mx_host && !servercert && current_mx->validated) {
     stralloc tlsa_label = { 0 };
     char port[FMT_ULONG];
@@ -456,8 +474,10 @@ static int tls_init(struct ip_mx *current_mx)
     for ( ; len && case_diffs(sa->s, "STARTTLS"); ++sa, --len) ;
     if (!len) {
       if (!tls_required) return 0;
-      out("ZNo TLS achieved while TLS is required by configuration");
-      smtptext.len = 0; TLS_QUIT;
+      out(failure_class);
+      out("TLS is required, but was not offered by host");
+      smtptext.len = 0;
+      TLS_QUIT;
     }
   }
 
@@ -615,10 +635,12 @@ static int tls_init(struct ip_mx *current_mx)
 
   /* read the responce to STARTTLS */
   if (!smtps) {
-    if (smtpcode() != 220) {
+    unsigned int code = smtpcode();
+    if (code != 220) {
       SSL_free(myssl);
       if (!tls_required) return 0;
-      out("ZSTARTTLS rejected while TLS is required by configuration");
+      out((code >= 500) ? "D" : failure_class);
+      out("TLS is required, but host refused to start TLS");
       TLS_QUIT;
     }
     smtptext.len = 0;
@@ -626,8 +648,10 @@ static int tls_init(struct ip_mx *current_mx)
 
   ssl = myssl;
   if (ssl_timeoutconn(timeout, smtpfd, smtpfd, myssl) <= 0) {
-    if (tls_required)
-      tls_quit("ZTLS connect failed", ssl_error_str());
+    if (tls_required) {
+      out(failure_class);
+      tls_quit("TLS connect failed", ssl_error_str());
+    }
     else {
       out("lTLS connect failed");
       const char *err = ssl_error_str();
@@ -707,8 +731,12 @@ static int tls_init(struct ip_mx *current_mx)
     }
   }
 
-  if (smtps) if (smtpcode() != 220)
-    quit("ZTLS Connected to "," but greeting failed");
+  if (smtps) {
+    unsigned int code = smtpcode();
+    if (code >= 500 && code < 600) quit("DTLS connected to "," but greeting failed");
+    if (code >= 400 && code < 500) return -1; /* try next MX, see RFC-2821 */
+    if (code != 220) quit("ZTLS connected to "," but greeting failed");
+  }
 
   return 1;
 }