From ff1e0ece50986156e0b6f5f37985833ed0ae6c97 Mon Sep 17 00:00:00 2001 From: manuel Date: Tue, 26 Sep 2023 14:11:58 +0200 Subject: Add support for "require TLS"-settings --- qmail-remote.c | 48 ++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 38 insertions(+), 10 deletions(-) (limited to 'qmail-remote.c') diff --git a/qmail-remote.c b/qmail-remote.c index 125d813..a743e06 100644 --- a/qmail-remote.c +++ b/qmail-remote.c @@ -9,6 +9,7 @@ #include "substdio.h" #include "subfd.h" #include "scan.h" +#include "byte.h" #include "case.h" #include "error.h" #include "auto_qmail.h" @@ -401,6 +402,7 @@ static int tls_init(struct ip_mx *current_mx) stralloc saciphers = {0}; const char *ciphers, *servercert = 0; const char *mx_host = current_mx->fqdn; + const char *failure_class = "Z"; // per default we do temp failures if (mx_host) { struct stat st; @@ -425,10 +427,26 @@ static int tls_init(struct ip_mx *current_mx) } } - /* DANE: lookup TLSA records */ int tls_required = (smtps || servercert != NULL); - stralloc tlsa_rr = { 0 }; + /* per-domain "require TLS"-settings */ + if (!tls_required) { + int at = byte_rchr(sender.s, sender.len, '@') + 1; + if (at < sender.len) { + stralloc tmp = { 0 }; + if (!stralloc_copys(&tmp, "control/tlsrequire/") + || !stralloc_catb(&tmp, sender.s + at, sender.len - at) + || !stralloc_0(&tmp)) // sender is not 0-terminated + temp_nomem(); + if (control_readint(&tls_required, tmp.s) == -1) temp_control(); + tls_required = (tls_required & 0x02) ? 1 : 0; // 2nd bit is SMTP outgoing + if (tls_required) + failure_class = "D"; // do perm failures for faster user feedback + } + } + + /* DANE: lookup TLSA records */ + stralloc tlsa_rr = { 0 }; if (mx_host && !servercert && current_mx->validated) { stralloc tlsa_label = { 0 }; char port[FMT_ULONG]; @@ -456,8 +474,10 @@ static int tls_init(struct ip_mx *current_mx) for ( ; len && case_diffs(sa->s, "STARTTLS"); ++sa, --len) ; if (!len) { if (!tls_required) return 0; - out("ZNo TLS achieved while TLS is required by configuration"); - smtptext.len = 0; TLS_QUIT; + out(failure_class); + out("TLS is required, but was not offered by host"); + smtptext.len = 0; + TLS_QUIT; } } @@ -615,10 +635,12 @@ static int tls_init(struct ip_mx *current_mx) /* read the responce to STARTTLS */ if (!smtps) { - if (smtpcode() != 220) { + unsigned int code = smtpcode(); + if (code != 220) { SSL_free(myssl); if (!tls_required) return 0; - out("ZSTARTTLS rejected while TLS is required by configuration"); + out((code >= 500) ? "D" : failure_class); + out("TLS is required, but host refused to start TLS"); TLS_QUIT; } smtptext.len = 0; @@ -626,8 +648,10 @@ static int tls_init(struct ip_mx *current_mx) ssl = myssl; if (ssl_timeoutconn(timeout, smtpfd, smtpfd, myssl) <= 0) { - if (tls_required) - tls_quit("ZTLS connect failed", ssl_error_str()); + if (tls_required) { + out(failure_class); + tls_quit("TLS connect failed", ssl_error_str()); + } else { out("lTLS connect failed"); const char *err = ssl_error_str(); @@ -707,8 +731,12 @@ static int tls_init(struct ip_mx *current_mx) } } - if (smtps) if (smtpcode() != 220) - quit("ZTLS Connected to "," but greeting failed"); + if (smtps) { + unsigned int code = smtpcode(); + if (code >= 500 && code < 600) quit("DTLS connected to "," but greeting failed"); + if (code >= 400 && code < 500) return -1; /* try next MX, see RFC-2821 */ + if (code != 220) quit("ZTLS connected to "," but greeting failed"); + } return 1; } -- cgit v1.2.3