#
1.47 |
|
11-Jul-2023 |
op |
drop engine support
diff originally by tb@, tweaked to apply after the useless logging methods removal.
ok tb
|
#
1.46 |
|
11-Jul-2023 |
op |
remove the useless logging methods
Instead of wrapping all the methods of the RSA and ECDSA ENGINE, duplicate the default and override only the ones that are actually needed for the privsep crypto engine.
part of a larger diff that's ok tb@
|
#
1.45 |
|
18-Jun-2023 |
op |
remove ca_verify_cb(). was initially used for debugging, then the logging went away but the no-op callback remained.
noticed by tb@
|
#
1.44 |
|
18-Jun-2023 |
op |
smtpd: switch ECDSA_METHOD usage to EC_KEY_METHOD
smtpd and the bits it needs in libtls are the only consumer left of ECDSA_METHOD, which is long deprecated. This paves the way for the removal in libcrypto.
The diff is from gilles' work on OpenSMTPD-portable, with minor changes by me.
ok tb@, jsing@
|
#
1.43 |
|
26-Mar-2023 |
tb |
Another missing #include <openssl/err.h>
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE
|
#
1.42 |
|
18-Feb-2022 |
millert |
Revert changes to use the new libtls signer api
There are bugs in the new libtls signer that can lead to a crash.
OK tb@ jsing@
|
#
1.41 |
|
12-Feb-2022 |
eric |
use new libtls signer api
ok tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.40 |
|
14-Jun-2021 |
eric |
add required headers for smtpd.h and remove unnecessary ones in other files.
ok jung@
|
#
1.39 |
|
26-May-2021 |
eric |
replaces calls to err(3)/errx(3) with fatal()/fatalx() from log.c for code that runs in the daemon.
ok florian@ millert@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.38 |
|
05-Mar-2021 |
eric |
Start porting smtpd to libtls.
Note that it changes the way SNI works: The certificate to use is now selected by looking at the names found in the certificates themselves, rather than the names of the pki entries in the configuration file. The set of certificates for a tls listener must be defined explicitly by using the pki listener option multiple times.
ok tb@
|
#
1.37 |
|
31-Dec-2020 |
martijn |
Rename the pony process to dispatcher and klondike to crypto.
From gilles@ OK millert@ giovanni@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.36 |
|
21-Sep-2019 |
semarie |
properly initialize errstr before going to fail label.
ok gilles@
|
#
1.35 |
|
23-Jul-2019 |
gilles |
errstr may be uninitialized in error code path
|
#
1.34 |
|
05-Jun-2019 |
gilles |
assume RSA_METHOD is opaque and only access members through setters/getters
|
#
1.33 |
|
05-Jun-2019 |
gilles |
a long long time ago, in a galaxy quite close actually, reyk@ introduced an RSA privsep engine to isolate private keys in the ca process. ECDSA support in smtpd has become a frequent request so here's an ECDSA privsep engine and the code required for smtpd to load ECDSA certificates and use them.
|
#
1.32 |
|
24-May-2019 |
gilles |
assume X509_STORE_CTX is opaque, don't access ->error but use the X509_STORE_CTX_get_error() function instead
|
#
1.31 |
|
24-May-2019 |
gilles |
mechanical change to dynamically allocate rsae_method
|
#
1.30 |
|
24-May-2019 |
gilles |
remove useless check, it's never been and will never be hit
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.29 |
|
24-May-2018 |
gilles |
switch smtpd to new grammar
ok eric@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.28 |
|
21-Nov-2017 |
eric |
no need to check the sending process in imsg handlers when there is no ambiguity: just use a single switch.
ok gilles@ sunil@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.27 |
|
17-May-2017 |
deraadt |
Introduce more use of freezero(). Also, remove ptr conditionals before many functions which are free(NULL)-compat
ok gilles
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.26 |
|
09-Jan-2017 |
reyk |
smtpd joins the 7 other daemons that share the same log.c file.
The only major difference was the "log_trace" concept that is only used by smtpd - move it from log.c into util.c and make it a local concept. This also needed to rename the global "verbose" variable to "tracing" in a few places.
OK krw@ gilles@ eric@
|
#
1.25 |
|
08-Sep-2016 |
eric |
Streamline the daemon shutdown sequence.
Only the parent process handles SIGTERM and SIGINT. Upon receiving one of those, it closes all imsg sockets and waitpid() for the children. It fatal()s if one of the sockets is closed unexpectedly. Other processes exit() "normally" when one of the imsg sockets is closed.
ok gilles@ sunil@
|
#
1.24 |
|
04-Sep-2016 |
eric |
The smtpd processes are not expected to ever leave their event loop. So stop pretending that the *_shutdown() functions could ever be called in this context, and just fatal() if event_dispatch() returns.
ok gilles@ sunil@ giovanni@
|
#
1.23 |
|
01-Sep-2016 |
eric |
remove noop function
ok sunil@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.22 |
|
28-May-2016 |
eric |
Implement the fork+exec pattern in smtpd.
The parent process forks child processes and re-exec each of them with an additional "-x <proc>" argument. During the early setup phase, the parent process sends ipc socket pairs to interconnect the child processes as needed, and it passes the queue encryption key to the queue if necessary. When this is done, all processes have their environment set as in the fork-only case, and they can start doing their work as before.
ok gilles@ jung@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.21 |
|
02-Feb-2016 |
gilles |
in RSA privsep engine, do not provide methods for rsa_sign / rsa_verify, they are unused in OpenSMTPD and lead to crashes in -portable when we're linked to OpenSSL starting with 1.0.2f
ok reyk@
|
#
1.20 |
|
28-Dec-2015 |
jung |
remove spaces after '!'
no binary change
ok millert
|
#
1.19 |
|
05-Dec-2015 |
claudio |
EAGAIN handling for imsg_read. OK henning@ benno@
|
#
1.18 |
|
05-Nov-2015 |
jung |
replace u_char and u_int* with standard stdint.h types to ease portable version
also remove trailing whitespaces while here
no binary change
ok sunil millert gilles
|
#
1.17 |
|
17-Oct-2015 |
gilles |
KNF
|
#
1.16 |
|
14-Oct-2015 |
gilles |
remove a handful of log_warn that we should handle at a different place to make them really useful
|
#
1.15 |
|
13-Oct-2015 |
gilles |
pledge("stdio") the RSA-privsep process
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.14 |
|
20-Jan-2015 |
deraadt |
use <limits.h> comprehensively. For now try to push <> includes to each .c file, and out of the .h files. To avoid overinclude. ok gilles, in principle. If this has been done right, -portable should become easier to maintain.
|
#
1.13 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.12 |
|
24-Dec-2014 |
eric |
missing include
|
#
1.11 |
|
02-Oct-2014 |
gilles |
no need to set the same field NULL twice ;-)
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.10 |
|
10-Jul-2014 |
jsg |
add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok eric@ gilles@
|
#
1.9 |
|
10-Jul-2014 |
eric |
make the control process broadcast verbose/profile admin requests directly, rather than going through the parent process. simplify code in the meantime.
|
#
1.8 |
|
08-Jul-2014 |
eric |
fatalx(errorstr) -> fatalx("%s", errorstr)
add missing include and remove redundant debug trace while here.
|
#
1.7 |
|
04-May-2014 |
reyk |
Create a new default RSA engine instead of patching the existing one if none is available. Fixes SSL/TLS and a possible fatalx() on machines without a default RSA engine.
Thanks to Bjorn Ketelaars for reporting and testing.
ok gilles@ (for the relayd part)
|
#
1.6 |
|
01-May-2014 |
reyk |
Move RSA keys from "lka" to a new dedicated "ca" process because lka is handling some async requests and shouldn't be busy with sync RSA.
ok gilles@
|
#
1.5 |
|
30-Apr-2014 |
reyk |
The RSA engine (used by pony) has to wait for a response from the privileged process (lka) and receive the imsgs in a while loop synchronously. But the lka also sends other imsgs (DNS etc.) that can still be queued up in the buffer when waiting for the RSA response. This only happens under load with many concurrent connections. For now, we just call the pony imsg handler for non-RSA imsgs that are already in the buffer.
ok gilles@ eric@ blambert@
|
#
1.4 |
|
29-Apr-2014 |
reyk |
Implement RSA privilege separation for OpenSMTPD, based on my previous implementation for relayd(8). The smtpd(8) pony processes (mta client, smtp server) don't keep the private keys in memory but send their private key operations as imsgs to the "lookup"/mta process. It's worth mentioning that this prevents accidental private key leakage as it could have been caused by "Heartbleed".
ok gilles@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.3 |
|
21-Nov-2013 |
eric |
fail if lka can't load cert file
|
#
1.2 |
|
28-Oct-2013 |
eric |
Report the ssl certificate verification status in the mail header. Log ssl certificate validation errors. Fix several ssl-related leaks.
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.1 |
|
26-Jan-2013 |
gilles |
Sync with our smtpd repo:
* first bricks of ldap and sqlite support (not finished but both working)
* new table API to replace map API, all lookups are done through tables
* improved handling of temporary errors throughout the daemon
* improved scheduler and mta logic: connection reuse, optimizes batches
* improved queue: more tolerant to admin errors, new layout, less disk-IO
* improved memory usage under high load
* SSL certs/keys isolated to lookup process to avoid facing network
* VIRTUAL support improved, fully virtual setups possible now
* runtime tracing of processes through smtpctl trace
* ssl_privsep.c sync-ed with relayd
* ssl.c no longer contains smtpd specific interfaces
* smtpd-specific ssl bits moved to ssl_smtpd.c
* update mail address in copyright
FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE.
smtpd.conf(5) simplified, it will require adaptations
ok eric@
|
#
1.42 |
|
18-Feb-2022 |
millert |
Revert changes to use the new libtls signer api There are bugs in the new libtls signer that can lead to a crash. OK tb@ jsing@
|
#
1.41 |
|
12-Feb-2022 |
eric |
use new libtls signer api
ok tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.40 |
|
14-Jun-2021 |
eric |
add required headers for smtpd.h and remove unnecessary ones in other files.
ok jung@
|
#
1.39 |
|
26-May-2021 |
eric |
replaces calls to err(3)/errx(3) with fatal()/fatalx() from log.c for code that runs in the daemon.
ok florian@ millert@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.38 |
|
05-Mar-2021 |
eric |
Start porting smtpd to libtls.
Note that it changes the way SNI works: The certificate to use is now selected by looking at the names found in the certificates themselves, rather than the names of the pki entries in the configuration file. The set of certificates for a tls listener must be defined explicitly by using the pki listener option multiple times.
ok tb@
|
#
1.37 |
|
31-Dec-2020 |
martijn |
Rename the pony process to dispatcher and klondike to crypto.
From gilles@ OK millert@ giovanni@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.36 |
|
21-Sep-2019 |
semarie |
properly initialize errstr before going to fail label.
ok gilles@
|
#
1.35 |
|
23-Jul-2019 |
gilles |
errstr may be uninitialized in error code path
|
#
1.34 |
|
05-Jun-2019 |
gilles |
assume RSA_METHOD is opaque and only access members through setters/getters
|
#
1.33 |
|
05-Jun-2019 |
gilles |
a long long time ago, in a galaxy quite close actually, reyk@ introduced an RSA privsep engine to isolate private keys in the ca process. ECDSA support in smtpd is become a frequent request so here's an ECDSA privsep engine and the code required for smtpd to load ECDSA certificates and use them.
|
#
1.32 |
|
24-May-2019 |
gilles |
assume X509_STORE_CTX is opaque, don't access ->error but use the X509_STORE_CTX_get_error() function instead
|
#
1.31 |
|
24-May-2019 |
gilles |
mechanical change to dynamically allocate rsae_method
|
#
1.30 |
|
24-May-2019 |
gilles |
remove useless check, it's never been and will never be hit
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.29 |
|
24-May-2018 |
gilles |
switch smtpd to new grammar
ok eric@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.28 |
|
21-Nov-2017 |
eric |
no need to check the sending process in imsg handlers when there is no ambiguity: just use a single switch.
ok gilles@ sunil@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.27 |
|
17-May-2017 |
deraadt |
Introduce more use of freezero(). Also, remove ptr conditionals before many functions which are free(NULL)-compat
ok gilles
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.26 |
|
09-Jan-2017 |
reyk |
smtpd joins the 7 other daemons that share the same log.c file.
The only major difference was the "log_trace" concept that is only used by smtpd - move it from log.c into util.c and make it a local concept. This also needed to rename the global "verbose" variable to "tracing" in a few places.
OK krw@ gilles@ eric@
|
#
1.25 |
|
08-Sep-2016 |
eric |
Streamline the daemon shutdown sequence.
Only the parent process handles SIGTERM and SIGINT. Upon receiving one of those, it closes all imsg sockets and waitpid() for the children. It fatal()s if one of the sockets is closed unexpectedly. Other processes exit() "normally" when one of the imsg sockets is closed.
ok gilles@ sunil@
|
#
1.24 |
|
04-Sep-2016 |
eric |
The smtpd processes are not expected to ever leave their event loop. So stop pretending that the *_shutdown() functions could ever be called in this context, and just fatal() if event_dispatch() returns.
ok gilles@ sunil@ giovanni@
|
#
1.23 |
|
01-Sep-2016 |
eric |
remove noop function
ok sunil@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.22 |
|
28-May-2016 |
eric |
Implement the fork+exec pattern in smtpd.
The parent process forks child processes and re-exec each of them with an additional "-x <proc>" argument. During the early setup phase, the parent process sends ipc socket pairs to interconnect the child processes as needed, and it passes the queue encryption key to the queue if necessary. When this is done, all processes have their environment set as in the fork-only case, and they can start doing their work as before.
ok gilles@ jung@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.21 |
|
02-Feb-2016 |
gilles |
in RSA privsep engine, do not provide methods for rsa_sign / rsa_verify, they are unused in OpenSMTPD and lead to crashes in -portable when we're linked to OpenSSL starting with 1.0.2f
ok reyk@
|
#
1.20 |
|
28-Dec-2015 |
jung |
remove spaces after '!'
no binary change
ok millert
|
#
1.19 |
|
05-Dec-2015 |
claudio |
EAGAIN handling for imsg_read.
OK henning@ benno@
|
#
1.18 |
|
05-Nov-2015 |
jung |
replace u_char and u_int* with standard stdint.h types to ease portable version also remove trailing whitespaces while here
no binary change
ok sunil millert gilles
|
#
1.17 |
|
17-Oct-2015 |
gilles |
KNF
|
#
1.16 |
|
14-Oct-2015 |
gilles |
remove a handful of log_warn that we should handle at a different place to make them really useful
|
#
1.15 |
|
13-Oct-2015 |
gilles |
pledge("stdio") the RSA-privsep process
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.14 |
|
20-Jan-2015 |
deraadt |
use <limits.h> comprehensively. For now try to push <> includes to each .c file, and out of the .h files. To avoid overinclude. ok gilles, in principle. If this has been done right, -portable should become easier to maintain.
|
#
1.13 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.12 |
|
24-Dec-2014 |
eric |
missing include
|
#
1.11 |
|
02-Oct-2014 |
gilles |
no need to set the same field NULL twice ;-)
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.10 |
|
10-Jul-2014 |
jsg |
add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok eric@ gilles@
|
#
1.9 |
|
10-Jul-2014 |
eric |
make the control process broadcast verbose/profile admin requests directly, rather than going through the parent process. simplify code in the meantime.
|
#
1.8 |
|
08-Jul-2014 |
eric |
fatalx(errorstr) -> fatalx("%s", errorstr) add missing include and remove redundant debug trace while here.
|
#
1.7 |
|
04-May-2014 |
reyk |
Create a new default RSA engine instead of patching the existing one if none is available. Fixes SSL/TLS and a possible fatalx() on machines without a default RSA engine.
Thanks to Bjorn Ketelaars for reporting and testing.
ok gilles@ (for the relayd part)
|
#
1.6 |
|
01-May-2014 |
reyk |
Move RSA keys from "lka" to a new dedicated "ca" process because lka is handling some async requests and shouldn't be busy with sync RSA.
ok gilles@
|
#
1.5 |
|
30-Apr-2014 |
reyk |
The RSA engine (used by pony) has to wait for a response from the privileged process (lka) and receive the imsgs in a while loop synchronously. But the lka also sends other imsgs (DNS etc.) that can still be queued up in the buffer when waiting for the RSA response. This only happens under load with many concurrent connections. For now, we just call the pony imsg handler for non-RSA imsgs that are already in the buffer.
ok gilles@ eric@ blambert@
|
#
1.4 |
|
29-Apr-2014 |
reyk |
Implement RSA privilege separation for OpenSMTPD, based on my previous implementation for relayd(8). The smtpd(8) pony processes (mta client, smtp server) don't keep the private keys in memory but send their private key operations as imsgs to the "lookup"/mta process. It's worth mentioning that this prevents accidental private key leakage as it could have been caused by "Heartbleed".
ok gilles@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.3 |
|
21-Nov-2013 |
eric |
fail if lka can't load cert file
|
#
1.2 |
|
28-Oct-2013 |
eric |
Report the ssl certificate verification status in the mail header. Log ssl certificate validation errors. Fix several ssl-related leaks.
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.1 |
|
26-Jan-2013 |
gilles |
Sync with our smtpd repo:
* first bricks of ldap and sqlite support (not finished but both working)
* new table API to replace map API, all lookups are done through tables
* improved handling of temporary errors throughout the daemon
* improved scheduler and mta logic: connection reuse, optimizes batches
* improved queue: more tolerant to admin errors, new layout, less disk-IO
* improved memory usage under high load
* SSL certs/keys isolated to lookup process to avoid facing network
* VIRTUAL support improved, fully virtual setups possible now
* runtime tracing of processes through smtpctl trace
* ssl_privsep.c sync-ed with relayd
* ssl.c no longer contains smtpd specific interfaces
* smtpd-specific ssl bits moved to ssl_smtpd.c
* update mail address in copyright
FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE.
smtpd.conf(5) simplified, it will require adaptations
ok eric@
|
#
1.39 |
|
26-May-2021 |
eric |
replaces calls to err(3)/errx(3) with fatal()/fatalx() from log.c for code that runs in the daemon.
ok florian@ millert@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.38 |
|
05-Mar-2021 |
eric |
Start porting smtpd to libtls.
Note that it changes the way SNI works: The certificate to use is now selected by looking at the names found in the certificates themselves, rather than the names of the pki entries in the configuration file. The set of certificates for a tls listener must be defined explicitly by using the pki listener option multiple times.
ok tb@
|
#
1.37 |
|
31-Dec-2020 |
martijn |
Rename the pony process to dispatcher and klondike to crypto.
From gilles@ OK millert@ giovanni@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.36 |
|
21-Sep-2019 |
semarie |
properly initialize errstr before going to fail label.
ok gilles@
|
#
1.35 |
|
23-Jul-2019 |
gilles |
errstr may be uninitialized in error code path
|
#
1.34 |
|
05-Jun-2019 |
gilles |
assume RSA_METHOD is opaque and only access members through setters/getters
|
#
1.33 |
|
05-Jun-2019 |
gilles |
a long long time ago, in a galaxy quite close actually, reyk@ introduced an RSA privsep engine to isolate private keys in the ca process. ECDSA support in smtpd is become a frequent request so here's an ECDSA privsep engine and the code required for smtpd to load ECDSA certificates and use them.
|
#
1.32 |
|
24-May-2019 |
gilles |
assume X509_STORE_CTX is opaque, don't access ->error but use the X509_STORE_CTX_get_error() function instead
|
#
1.31 |
|
24-May-2019 |
gilles |
mechanical change to dynamically allocate rsae_method
|
#
1.30 |
|
24-May-2019 |
gilles |
remove useless check, it's never been and will never be hit
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.29 |
|
24-May-2018 |
gilles |
switch smtpd to new grammar
ok eric@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.28 |
|
21-Nov-2017 |
eric |
no need to check the sending process in imsg handlers when there is no ambiguity: just use a single switch.
ok gilles@ sunil@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.27 |
|
17-May-2017 |
deraadt |
Introduce more use of freezero(). Also, remove ptr conditionals before many functions which are free(NULL)-compat ok gilles
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.26 |
|
09-Jan-2017 |
reyk |
smtpd joins the 7 other daemons that share the same log.c file.
The only major difference was the "log_trace" concept that is only used by smtpd - move it from log.c into util.c and make it a local concept. This also needed to rename the global "verbose" variable to "tracing" in a few places.
OK krw@ gilles@ eric@
|
#
1.25 |
|
08-Sep-2016 |
eric |
Streamline the daemon shutdown sequence.
Only the parent process handles SIGTERM and SIGINT. Upon receiving one of those, it closes all imsg sockets and waitpid() for the children. It fatal()s if one of the sockets is closed unexpectedly. Other processes exit() "normally" when one of the imsg sockets is closed.
ok gilles@ sunil@
|
#
1.24 |
|
04-Sep-2016 |
eric |
The smtpd processes are not expected to ever leave their event loop. So stop pretending that the *_shutdown() functions could ever be called in this context, and just fatal() if event_dispatch() returns.
ok gilles@ sunil@ giovanni@
|
#
1.23 |
|
01-Sep-2016 |
eric |
remove noop function
ok sunil@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.22 |
|
28-May-2016 |
eric |
Implement the fork+exec pattern in smtpd.
The parent process forks child processes and re-exec each of them with an additional "-x <proc>" argument. During the early setup phase, the parent process sends ipc socket pairs to interconnect the child processes as needed, and it passes the queue encryption key to the queue if necessary. When this is done, all processes have their environment set as in the fork-only case, and they can start doing their work as before.
ok gilles@ jung@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.21 |
|
02-Feb-2016 |
gilles |
in RSA privsep engine, do not provide methods for rsa_sign / rsa_verify, they are unused in OpenSMTPD and lead to crashes in -portable when we're linked to OpenSSL starting with 1.0.2f
ok reyk@
|
#
1.20 |
|
28-Dec-2015 |
jung |
remove spaces after '!'
no binary change
ok millert
|
#
1.19 |
|
05-Dec-2015 |
claudio |
EAGAIN handling for imsg_read. OK henning@ benno@
|
#
1.18 |
|
05-Nov-2015 |
jung |
replace u_char and u_int* with standard stdint.h types to ease portable version also remove trailing whitespaces while here
no binary change
ok sunil millert gilles
|
#
1.17 |
|
17-Oct-2015 |
gilles |
KNF
|
#
1.16 |
|
14-Oct-2015 |
gilles |
remove a handful of log_warn that we should handle at a different place to make them really useful
|
#
1.15 |
|
13-Oct-2015 |
gilles |
pledge("stdio") the RSA-privsep process
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.14 |
|
20-Jan-2015 |
deraadt |
use <limits.h> comprehensively. For now try to push <> includes to each .c file, and out of the .h files. To avoid overinclude. ok gilles, in principle. If this has been done right, -portable should become easier to maintain.
|
#
1.13 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.12 |
|
24-Dec-2014 |
eric |
missing include
|
#
1.11 |
|
02-Oct-2014 |
gilles |
no need to set the same field NULL twice ;-)
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.10 |
|
10-Jul-2014 |
jsg |
add additional includes required to build with -DOPENSSL_NO_DEPRECATED ok eric@ gilles@
|
#
1.9 |
|
10-Jul-2014 |
eric |
make the control process broadcast verbose/profile admin requests directly, rather than going through the parent process. simplify code in the meantime.
|
#
1.8 |
|
08-Jul-2014 |
eric |
fatalx(errorstr) -> fatalx("%s", errorstr) add missing include and remove redundant debug trace while here.
|
#
1.7 |
|
04-May-2014 |
reyk |
Create a new default RSA engine instead of patching the existing one if none is available. Fixes SSL/TLS and a possible fatalx() on machines without a default RSA engine.
Thanks to Bjorn Ketelaars for reporting and testing.
ok gilles@ (for the relayd part)
|
#
1.6 |
|
01-May-2014 |
reyk |
Move RSA keys from "lka" to a new dedicated "ca" process because lka is handling some async requests and shouldn't be busy with sync RSA.
ok gilles@
|
#
1.5 |
|
30-Apr-2014 |
reyk |
The RSA engine (used by pony) has to wait for a response from the privileged process (lka) and receive the imsgs in a while loop synchronously. But the lka also sends other imsgs (DNS etc.) that can still be queued up in the buffer when waiting for the RSA response. This only happens under load with many concurrent connections. For now, we just call the pony imsg handler for non-RSA imsgs that are already in the buffer.
ok gilles@ eric@ blambert@
|
#
1.4 |
|
29-Apr-2014 |
reyk |
Implement RSA privilege separation for OpenSMTPD, based on my previous implementation for relayd(8). The smtpd(8) pony processes (mta client, smtp server) don't keep the private keys in memory but send their private key operations as imsgs to the "lookup"/mta process. It's worth mentioning that this prevents accidental private key leakage as it could have been caused by "Heartbleed".
ok gilles@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.3 |
|
21-Nov-2013 |
eric |
fail if lka can't load cert file
|
#
1.2 |
|
28-Oct-2013 |
eric |
Report the ssl certificate verification status in the mail header. Log ssl certificate validation errors. Fix several ssl-related leaks.
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.1 |
|
26-Jan-2013 |
gilles |
Sync with our smtpd repo:
* first bricks of ldap and sqlite support (not finished but both working)
* new table API to replace map API, all lookups are done through tables
* improved handling of temporary errors throughout the daemon
* improved scheduler and mta logic: connection reuse, optimizes batches
* improved queue: more tolerant to admin errors, new layout, less disk-IO
* improved memory usage under high load
* SSL certs/keys isolated to lookup process to avoid facing network
* VIRTUAL support improved, fully virtual setups possible now
* runtime tracing of processes through smtpctl trace
* ssl_privsep.c sync-ed with relayd
* ssl.c no longer contains smtpd specific interfaces
* smtpd-specific ssl bits moved to ssl_smtpd.c
* update mail address in copyright
FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE.
smtpd.conf(5) simplified, it will require adaptations
ok eric@
|
#
1.38 |
|
05-Mar-2021 |
eric |
Start porting smtpd to libtls.
Note that it changes the way SNI works: The certificate to use is now selected by looking at the names found in the certificates themselves, rather than the names of the pki entries in the configuration file. The set of certificates for a tls listener must be defined explicitly by using the pki listener option multiple times.
ok tb@
|
#
1.37 |
|
31-Dec-2020 |
martijn |
Rename the pony process to dispatcher and klondike to crypto.
From gilles@
OK millert@ giovanni@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.36 |
|
21-Sep-2019 |
semarie |
properly initialize errstr before going to fail label.
ok gilles@
|
#
1.35 |
|
23-Jul-2019 |
gilles |
errstr may be uninitialized in error code path
|
#
1.34 |
|
05-Jun-2019 |
gilles |
assume RSA_METHOD is opaque and only access members through setters/getters
|
#
1.33 |
|
05-Jun-2019 |
gilles |
a long long time ago, in a galaxy quite close actually, reyk@ introduced an RSA privsep engine to isolate private keys in the ca process. ECDSA support in smtpd has become a frequent request so here's an ECDSA privsep engine and the code required for smtpd to load ECDSA certificates and use them.
|
#
1.32 |
|
24-May-2019 |
gilles |
assume X509_STORE_CTX is opaque, don't access ->error but use the X509_STORE_CTX_get_error() function instead
|
#
1.31 |
|
24-May-2019 |
gilles |
mechanical change to dynamically allocate rsae_method
|
#
1.30 |
|
24-May-2019 |
gilles |
remove useless check, it's never been and will never be hit
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.29 |
|
24-May-2018 |
gilles |
switch smtpd to new grammar
ok eric@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.28 |
|
21-Nov-2017 |
eric |
no need to check the sending process in imsg handlers when there is no ambiguity: just use a single switch.
ok gilles@ sunil@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.27 |
|
17-May-2017 |
deraadt |
Introduce more use of freezero(). Also, remove ptr conditionals before many functions which are free(NULL)-compat
ok gilles
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.26 |
|
09-Jan-2017 |
reyk |
smtpd joins the 7 other daemons that share the same log.c file.
The only major difference was the "log_trace" concept that is only used by smtpd - move it from log.c into util.c and make it a local concept. This also needed to rename the global "verbose" variable to "tracing" in a few places.
OK krw@ gilles@ eric@
|
#
1.25 |
|
08-Sep-2016 |
eric |
Streamline the daemon shutdown sequence.
Only the parent process handles SIGTERM and SIGINT. Upon receiving one of those, it closes all imsg sockets and waitpid() for the children. It fatal()s if one of the sockets is closed unexpectedly. Other processes exit() "normally" when one of the imsg sockets is closed.
ok gilles@ sunil@
|
#
1.24 |
|
04-Sep-2016 |
eric |
The smtpd processes are not expected to ever leave their event loop. So stop pretending that the *_shutdown() functions could ever be called in this context, and just fatal() if event_dispatch() returns.
ok gilles@ sunil@ giovanni@
|
#
1.23 |
|
01-Sep-2016 |
eric |
remove noop function
ok sunil@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.22 |
|
28-May-2016 |
eric |
Implement the fork+exec pattern in smtpd.
The parent process forks child processes and re-exec each of them with an additional "-x <proc>" argument. During the early setup phase, the parent process sends ipc socket pairs to interconnect the child processes as needed, and it passes the queue encryption key to the queue if necessary. When this is done, all processes have their environment set as in the fork-only case, and they can start doing their work as before.
ok gilles@ jung@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.21 |
|
02-Feb-2016 |
gilles |
in RSA privsep engine, do not provide methods for rsa_sign / rsa_verify, they are unused in OpenSMTPD and lead to crashes in -portable when we're linked to OpenSSL starting with 1.0.2f
ok reyk@
|
#
1.20 |
|
28-Dec-2015 |
jung |
remove spaces after '!'
no binary change
ok millert
|
#
1.19 |
|
05-Dec-2015 |
claudio |
EAGAIN handling for imsg_read.
OK henning@ benno@
|
#
1.18 |
|
05-Nov-2015 |
jung |
replace u_char and u_int* with standard stdint.h types to ease portable version
also remove trailing whitespaces while here
no binary change
ok sunil millert gilles
|
#
1.17 |
|
17-Oct-2015 |
gilles |
KNF
|
#
1.16 |
|
14-Oct-2015 |
gilles |
remove a handful of log_warn that we should handle at a different place to make them really useful
|
#
1.15 |
|
13-Oct-2015 |
gilles |
pledge("stdio") the RSA-privsep process
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.14 |
|
20-Jan-2015 |
deraadt |
use <limits.h> comprehensively. For now try to push <> includes to each .c file, and out of the .h files. To avoid overinclude. ok gilles, in principle. If this has been done right, -portable should become easier to maintain.
|
#
1.13 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.12 |
|
24-Dec-2014 |
eric |
missing include
|
#
1.11 |
|
02-Oct-2014 |
gilles |
no need to set the same field NULL twice ;-)
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.10 |
|
10-Jul-2014 |
jsg |
add additional includes required to build with -DOPENSSL_NO_DEPRECATED ok eric@ gilles@
|
#
1.9 |
|
10-Jul-2014 |
eric |
make the control process broadcast verbose/profile admin requests directly, rather than going through the parent process. simplify code in the meantime.
|
#
1.8 |
|
08-Jul-2014 |
eric |
fatalx(errorstr) -> fatalx("%s", errorstr) add missing include and remove redundant debug trace while here.
|
#
1.7 |
|
04-May-2014 |
reyk |
Create a new default RSA engine instead of patching the existing one if none is available. Fixes SSL/TLS and a possible fatalx() on machines without a default RSA engine.
Thanks to Bjorn Ketelaars for reporting and testing.
ok gilles@ (for the relayd part)
|
#
1.6 |
|
01-May-2014 |
reyk |
Move RSA keys from "lka" to a new dedicated "ca" process because lka is handling some async requests and shouldn't be busy with sync RSA.
ok gilles@
|
#
1.5 |
|
30-Apr-2014 |
reyk |
The RSA engine (used by pony) has to wait for a response from the privileged process (lka) and receive the imsgs in a while loop synchronously. But the lka also sends other imsgs (DNS etc.) that can still be queued up in the buffer when waiting for the RSA response. This only happens under load with many concurrent connections. For now, we just call the pony imsg handler for non-RSA imsgs that are already in the buffer.
ok gilles@ eric@ blambert@
|
#
1.4 |
|
29-Apr-2014 |
reyk |
Implement RSA privilege separation for OpenSMTPD, based on my previous implementation for relayd(8). The smtpd(8) pony processes (mta client, smtp server) don't keep the private keys in memory but send their private key operations as imsgs to the "lookup"/mta process. It's worth mentioning that this prevents acidental private key leakage as it could have been caused by "Heartbleed".
ok gilles@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.3 |
|
21-Nov-2013 |
eric |
fail if lka can't load cert file
|
#
1.2 |
|
28-Oct-2013 |
eric |
Report the ssl certificate verification status in the mail header. Log ssl certificate validation errors. Fix several ssl-related leaks.
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.1 |
|
26-Jan-2013 |
gilles |
Sync with our smtpd repo:
* first bricks of ldap and sqlite support (not finished but both working) * new table API to replace map API, all lookups are done through tables * improved handling of temporary errors throughout the daemon * improved scheduler and mta logic: connection reuse, optimizes batches * improved queue: more tolerant to admin errors, new layout, less disk-IO * improved memory usage under high load * SSL certs/keys isolated to lookup process to avoid facing network * VIRTUAL support improved, fully virtual setups possible now * runtime tracing of processes through smtpctl trace * ssl_privsep.c sync-ed with relayd * ssl.c no longer contains smtpd specific interfaces * smtpd-specific ssl bits moved to ssl_smtpd.c * update mail address in copyright
FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE.
smtpd.conf(5) simplified, it will require adaptations
ok eric@
|
#
1.37 |
|
31-Dec-2020 |
martijn |
Rename the pony process to dispatcher and klondike to crypto.
From gilles@ OK millert@ giovanni@
|
Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
|
#
1.36 |
|
21-Sep-2019 |
semarie |
properly initialize errstr before going to fail label.
ok gilles@
|
#
1.35 |
|
23-Jul-2019 |
gilles |
errstr may be uninitialized in error code path
|
#
1.34 |
|
05-Jun-2019 |
gilles |
assume RSA_METHOD is opaque and only access members through setters/getters
|
#
1.33 |
|
05-Jun-2019 |
gilles |
a long long time ago, in a galaxy quite close actually, reyk@ introduced an RSA privsep engine to isolate private keys in the ca process. ECDSA support in smtpd is become a frequent request so here's an ECDSA privsep engine and the code required for smtpd to load ECDSA certificates and use them.
|
#
1.32 |
|
24-May-2019 |
gilles |
assume X509_STORE_CTX is opaque, don't access ->error but use the X509_STORE_CTX_get_error() function instead
|
#
1.31 |
|
24-May-2019 |
gilles |
mechanical change to dynamically allocate rsae_method
|
#
1.30 |
|
24-May-2019 |
gilles |
remove useless check, it's never been and will never be hit
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.29 |
|
24-May-2018 |
gilles |
switch smtpd to new grammar
ok eric@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.28 |
|
21-Nov-2017 |
eric |
no need to check the sending process in imsg handlers when there is no ambiguity: just use a single switch.
ok gilles@ sunil@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.27 |
|
17-May-2017 |
deraadt |
Introduce more use of freezero(). Also, remove ptr conditionals before many functions which are free(NULL)-compat ok gilles
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.26 |
|
09-Jan-2017 |
reyk |
smtpd joins the 7 other daemons that share the same log.c file.
The only major difference was the "log_trace" concept that is only used by smtpd - move it from log.c into util.c and make it a local concept. This also needed to rename the global "verbose" variable to "tracing" in a few places.
OK krw@ gilles@ eric@
|
#
1.25 |
|
08-Sep-2016 |
eric |
Streamline the daemon shutdown sequence.
Only the parent process handles SIGTERM and SIGINT. Upon receiving one of those, it closes all imsg sockets and waitpid() for the children. It fatal()s if one of the sockets is closed unexpectedly. Other processes exit() "normally" when one of the imsg sockets is closed.
ok gilles@ sunil@
|
#
1.24 |
|
04-Sep-2016 |
eric |
The smtpd processes are not expected to ever leave their event loop. So stop pretending that the *_shutdown() functions could ever be called in this context, and just fatal() if event_dispatch() returns.
ok gilles@ sunil@ giovanni@
|
#
1.23 |
|
01-Sep-2016 |
eric |
remove noop function
ok sunil@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.22 |
|
28-May-2016 |
eric |
Implement the fork+exec pattern in smtpd.
The parent process forks child processes and re-exec each of them with an additional "-x <proc>" argument. During the early setup phase, the parent process sends ipc socket pairs to interconnect the child processes as needed, and it passes the queue encryption key to the queue if necessary. When this is done, all processes have their environment set as in the fork-only case, and they can start doing their work as before.
ok gilles@ jung@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.21 |
|
02-Feb-2016 |
gilles |
in RSA privsep engine, do not provide methods for rsa_sign / rsa_verify, they are unused in OpenSMTPD and lead to crashes in -portable when we're linked to OpenSSL starting with 1.0.2f
ok reyk@
|
#
1.20 |
|
28-Dec-2015 |
jung |
remove spaces after '!'
no binary change
ok millert
|
#
1.19 |
|
05-Dec-2015 |
claudio |
EAGAIN handling for imsg_read. OK henning@ benno@
|
#
1.18 |
|
05-Nov-2015 |
jung |
replace u_char and u_int* with standard stdint.h types to ease portable version also remove trailing whitespaces while here
no binary change
ok sunil millert gilles
|
#
1.17 |
|
17-Oct-2015 |
gilles |
KNF
|
#
1.16 |
|
14-Oct-2015 |
gilles |
remove a handful of log_warn that we should handle at a different place to make them really useful
|
#
1.15 |
|
13-Oct-2015 |
gilles |
pledge("stdio") the RSA-privsep process
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.14 |
|
20-Jan-2015 |
deraadt |
use <limits.h> comprehensively. For now try to push <> includes to each .c file, and out of the .h files. To avoid overinclude. ok gilles, in principle. If this has been done right, -portable should become easier to maintain.
|
#
1.13 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.12 |
|
24-Dec-2014 |
eric |
missing include
|
#
1.11 |
|
02-Oct-2014 |
gilles |
no need to set the same field NULL twice ;-)
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.10 |
|
10-Jul-2014 |
jsg |
add additional includes required to build with -DOPENSSL_NO_DEPRECATED ok eric@ gilles@
|
#
1.9 |
|
10-Jul-2014 |
eric |
make the control process broadcast verbose/profile admin requests directly, rather than going through the parent process. simplify code in the meantime.
|
#
1.8 |
|
08-Jul-2014 |
eric |
fatalx(errorstr) -> fatalx("%s", errorstr) add missing include and remove redundant debug trace while here.
|
#
1.7 |
|
04-May-2014 |
reyk |
Create a new default RSA engine instead of patching the existing one if none is available. Fixes SSL/TLS and a possible fatalx() on machines without a default RSA engine.
Thanks to Bjorn Ketelaars for reporting and testing.
ok gilles@ (for the relayd part)
|
#
1.6 |
|
01-May-2014 |
reyk |
Move RSA keys from "lka" to a new dedicated "ca" process because lka is handling some async requests and shouldn't be busy with sync RSA.
ok gilles@
|
#
1.5 |
|
30-Apr-2014 |
reyk |
The RSA engine (used by pony) has to wait for a response from the privileged process (lka) and receive the imsgs in a while loop synchronously. But the lka also sends other imsgs (DNS etc.) that can still be queued up in the buffer when waiting for the RSA response. This only happens under load with many concurrent connections. For now, we just call the pony imsg handler for non-RSA imsgs that are already in the buffer.
ok gilles@ eric@ blambert@
|
#
1.4 |
|
29-Apr-2014 |
reyk |
Implement RSA privilege separation for OpenSMTPD, based on my previous implementation for relayd(8). The smtpd(8) pony processes (mta client, smtp server) don't keep the private keys in memory but send their private key operations as imsgs to the "lookup"/mta process. It's worth mentioning that this prevents acidental private key leakage as it could have been caused by "Heartbleed".
ok gilles@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.3 |
|
21-Nov-2013 |
eric |
fail if lka can't load cert file
|
#
1.2 |
|
28-Oct-2013 |
eric |
Report the ssl certificate verification status in the mail header. Log ssl certificate validation errors. Fix several ssl-related leaks.
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.1 |
|
26-Jan-2013 |
gilles |
Sync with our smtpd repo:
* first bricks of ldap and sqlite support (not finished but both working) * new table API to replace map API, all lookups are done through tables * improved handling of temporary errors throughout the daemon * improved scheduler and mta logic: connection reuse, optimizes batches * improved queue: more tolerant to admin errors, new layout, less disk-IO * improved memory usage under high load * SSL certs/keys isolated to lookup process to avoid facing network * VIRTUAL support improved, fully virtual setups possible now * runtime tracing of processes through smtpctl trace * ssl_privsep.c sync-ed with relayd * ssl.c no longer contains smtpd specific interfaces * smtpd-specific ssl bits moved to ssl_smtpd.c * update mail address in copyright
FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE.
smtpd.conf(5) simplified, it will require adaptations
ok eric@
|
#
1.36 |
|
21-Sep-2019 |
semarie |
properly initialize errstr before going to fail label.
ok gilles@
|
#
1.35 |
|
23-Jul-2019 |
gilles |
errstr may be uninitialized in error code path
|
#
1.34 |
|
05-Jun-2019 |
gilles |
assume RSA_METHOD is opaque and only access members through setters/getters
|
#
1.33 |
|
05-Jun-2019 |
gilles |
a long long time ago, in a galaxy quite close actually, reyk@ introduced an RSA privsep engine to isolate private keys in the ca process. ECDSA support in smtpd is become a frequent request so here's an ECDSA privsep engine and the code required for smtpd to load ECDSA certificates and use them.
|
#
1.32 |
|
24-May-2019 |
gilles |
assume X509_STORE_CTX is opaque, don't access ->error but use the X509_STORE_CTX_get_error() function instead
|
#
1.31 |
|
24-May-2019 |
gilles |
mechanical change to dynamically allocate rsae_method
|
#
1.30 |
|
24-May-2019 |
gilles |
remove useless check, it's never been and will never be hit
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.29 |
|
24-May-2018 |
gilles |
switch smtpd to new grammar
ok eric@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.28 |
|
21-Nov-2017 |
eric |
no need to check the sending process in imsg handlers when there is no ambiguity: just use a single switch.
ok gilles@ sunil@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.27 |
|
17-May-2017 |
deraadt |
Introduce more use of freezero(). Also, remove ptr conditionals before many functions which are free(NULL)-compat ok gilles
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.26 |
|
09-Jan-2017 |
reyk |
smtpd joins the 7 other daemons that share the same log.c file.
The only major difference was the "log_trace" concept that is only used by smtpd - move it from log.c into util.c and make it a local concept. This also needed to rename the global "verbose" variable to "tracing" in a few places.
OK krw@ gilles@ eric@
|
#
1.25 |
|
08-Sep-2016 |
eric |
Streamline the daemon shutdown sequence.
Only the parent process handles SIGTERM and SIGINT. Upon receiving one of those, it closes all imsg sockets and waitpid() for the children. It fatal()s if one of the sockets is closed unexpectedly. Other processes exit() "normally" when one of the imsg sockets is closed.
ok gilles@ sunil@
|
#
1.24 |
|
04-Sep-2016 |
eric |
The smtpd processes are not expected to ever leave their event loop. So stop pretending that the *_shutdown() functions could ever be called in this context, and just fatal() if event_dispatch() returns.
ok gilles@ sunil@ giovanni@
|
#
1.23 |
|
01-Sep-2016 |
eric |
remove noop function
ok sunil@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.22 |
|
28-May-2016 |
eric |
Implement the fork+exec pattern in smtpd.
The parent process forks child processes and re-exec each of them with an additional "-x <proc>" argument. During the early setup phase, the parent process sends ipc socket pairs to interconnect the child processes as needed, and it passes the queue encryption key to the queue if necessary. When this is done, all processes have their environment set as in the fork-only case, and they can start doing their work as before.
ok gilles@ jung@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.21 |
|
02-Feb-2016 |
gilles |
in RSA privsep engine, do not provide methods for rsa_sign / rsa_verify, they are unused in OpenSMTPD and lead to crashes in -portable when we're linked to OpenSSL starting with 1.0.2f
ok reyk@
|
#
1.20 |
|
28-Dec-2015 |
jung |
remove spaces after '!'
no binary change
ok millert
|
#
1.19 |
|
05-Dec-2015 |
claudio |
EAGAIN handling for imsg_read. OK henning@ benno@
|
#
1.18 |
|
05-Nov-2015 |
jung |
replace u_char and u_int* with standard stdint.h types to ease portable version also remove trailing whitespaces while here
no binary change
ok sunil millert gilles
|
#
1.17 |
|
17-Oct-2015 |
gilles |
KNF
|
#
1.16 |
|
14-Oct-2015 |
gilles |
remove a handful of log_warn that we should handle at a different place to make them really useful
|
#
1.15 |
|
13-Oct-2015 |
gilles |
pledge("stdio") the RSA-privsep process
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.14 |
|
20-Jan-2015 |
deraadt |
use <limits.h> comprehensively. For now try to push <> includes to each .c file, and out of the .h files. To avoid overinclude. ok gilles, in principle. If this has been done right, -portable should become easier to maintain.
|
#
1.13 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.12 |
|
24-Dec-2014 |
eric |
missing include
|
#
1.11 |
|
02-Oct-2014 |
gilles |
no need to set the same field NULL twice ;-)
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.10 |
|
10-Jul-2014 |
jsg |
add additional includes required to build with -DOPENSSL_NO_DEPRECATED ok eric@ gilles@
|
#
1.9 |
|
10-Jul-2014 |
eric |
make the control process broadcast verbose/profile admin requests directly, rather than going through the parent process. simplify code in the meantime.
|
#
1.8 |
|
08-Jul-2014 |
eric |
fatalx(errorstr) -> fatalx("%s", errorstr) add missing include and remove redundant debug trace while here.
|
#
1.7 |
|
04-May-2014 |
reyk |
Create a new default RSA engine instead of patching the existing one if none is available. Fixes SSL/TLS and a possible fatalx() on machines without a default RSA engine.
Thanks to Bjorn Ketelaars for reporting and testing.
ok gilles@ (for the relayd part)
|
#
1.6 |
|
01-May-2014 |
reyk |
Move RSA keys from "lka" to a new dedicated "ca" process because lka is handling some async requests and shouldn't be busy with sync RSA.
ok gilles@
|
#
1.5 |
|
30-Apr-2014 |
reyk |
The RSA engine (used by pony) has to wait for a response from the privileged process (lka) and receive the imsgs in a while loop synchronously. But the lka also sends other imsgs (DNS etc.) that can still be queued up in the buffer when waiting for the RSA response. This only happens under load with many concurrent connections. For now, we just call the pony imsg handler for non-RSA imsgs that are already in the buffer.
ok gilles@ eric@ blambert@
|
#
1.4 |
|
29-Apr-2014 |
reyk |
Implement RSA privilege separation for OpenSMTPD, based on my previous implementation for relayd(8). The smtpd(8) pony processes (mta client, smtp server) don't keep the private keys in memory but send their private key operations as imsgs to the "lookup"/mta process. It's worth mentioning that this prevents acidental private key leakage as it could have been caused by "Heartbleed".
ok gilles@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.3 |
|
21-Nov-2013 |
eric |
fail if lka can't load cert file
|
#
1.2 |
|
28-Oct-2013 |
eric |
Report the ssl certificate verification status in the mail header. Log ssl certificate validation errors. Fix several ssl-related leaks.
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.1 |
|
26-Jan-2013 |
gilles |
Sync with our smtpd repo:
* first bricks of ldap and sqlite support (not finished but both working) * new table API to replace map API, all lookups are done through tables * improved handling of temporary errors throughout the daemon * improved scheduler and mta logic: connection reuse, optimizes batches * improved queue: more tolerant to admin errors, new layout, less disk-IO * improved memory usage under high load * SSL certs/keys isolated to lookup process to avoid facing network * VIRTUAL support improved, fully virtual setups possible now * runtime tracing of processes through smtpctl trace * ssl_privsep.c sync-ed with relayd * ssl.c no longer contains smtpd specific interfaces * smtpd-specific ssl bits moved to ssl_smtpd.c * update mail address in copyright
FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE.
smtpd.conf(5) simplified, it will require adaptations
ok eric@
|
#
1.35 |
|
23-Jul-2019 |
gilles |
errstr may be uninitialized in error code path
|
#
1.34 |
|
05-Jun-2019 |
gilles |
assume RSA_METHOD is opaque and only access members through setters/getters
|
#
1.33 |
|
05-Jun-2019 |
gilles |
a long long time ago, in a galaxy quite close actually, reyk@ introduced an RSA privsep engine to isolate private keys in the ca process. ECDSA support in smtpd is become a frequent request so here's an ECDSA privsep engine and the code required for smtpd to load ECDSA certificates and use them.
|
#
1.32 |
|
24-May-2019 |
gilles |
assume X509_STORE_CTX is opaque, don't access ->error but use the X509_STORE_CTX_get_error() function instead
|
#
1.31 |
|
24-May-2019 |
gilles |
mechanical change to dynamically allocate rsae_method
|
#
1.30 |
|
24-May-2019 |
gilles |
remove useless check, it's never been and will never be hit
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.29 |
|
24-May-2018 |
gilles |
switch smtpd to new grammar
ok eric@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.28 |
|
21-Nov-2017 |
eric |
no need to check the sending process in imsg handlers when there is no ambiguity: just use a single switch.
ok gilles@ sunil@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.27 |
|
17-May-2017 |
deraadt |
Introduce more use of freezero(). Also, remove ptr conditionals before many functions which are free(NULL)-compat ok gilles
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.26 |
|
09-Jan-2017 |
reyk |
smtpd joins the 7 other daemons that share the same log.c file.
The only major difference was the "log_trace" concept that is only used by smtpd - move it from log.c into util.c and make it a local concept. This also needed to rename the global "verbose" variable to "tracing" in a few places.
OK krw@ gilles@ eric@
|
#
1.25 |
|
08-Sep-2016 |
eric |
Streamline the daemon shutdown sequence.
Only the parent process handles SIGTERM and SIGINT. Upon receiving one of those, it closes all imsg sockets and waitpid() for the children. It fatal()s if one of the sockets is closed unexpectedly. Other processes exit() "normally" when one of the imsg sockets is closed.
ok gilles@ sunil@
|
#
1.24 |
|
04-Sep-2016 |
eric |
The smtpd processes are not expected to ever leave their event loop. So stop pretending that the *_shutdown() functions could ever be called in this context, and just fatal() if event_dispatch() returns.
ok gilles@ sunil@ giovanni@
|
#
1.23 |
|
01-Sep-2016 |
eric |
remove noop function
ok sunil@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.22 |
|
28-May-2016 |
eric |
Implement the fork+exec pattern in smtpd.
The parent process forks child processes and re-exec each of them with an additional "-x <proc>" argument. During the early setup phase, the parent process sends ipc socket pairs to interconnect the child processes as needed, and it passes the queue encryption key to the queue if necessary. When this is done, all processes have their environment set as in the fork-only case, and they can start doing their work as before.
ok gilles@ jung@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.21 |
|
02-Feb-2016 |
gilles |
in RSA privsep engine, do not provide methods for rsa_sign / rsa_verify, they are unused in OpenSMTPD and lead to crashes in -portable when we're linked to OpenSSL starting with 1.0.2f
ok reyk@
|
#
1.20 |
|
28-Dec-2015 |
jung |
remove spaces after '!'
no binary change
ok millert
|
#
1.19 |
|
05-Dec-2015 |
claudio |
EAGAIN handling for imsg_read. OK henning@ benno@
|
#
1.18 |
|
05-Nov-2015 |
jung |
replace u_char and u_int* with standard stdint.h types to ease portable version also remove trailing whitespaces while here
no binary change
ok sunil millert gilles
|
#
1.17 |
|
17-Oct-2015 |
gilles |
KNF
|
#
1.16 |
|
14-Oct-2015 |
gilles |
remove a handful of log_warn that we should handle at a different place to make them really useful
|
#
1.15 |
|
13-Oct-2015 |
gilles |
pledge("stdio") the RSA-privsep process
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.14 |
|
20-Jan-2015 |
deraadt |
use <limits.h> comprehensively. For now try to push <> includes to each .c file, and out of the .h files. To avoid overinclude. ok gilles, in principle. If this has been done right, -portable should become easier to maintain.
|
#
1.13 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.12 |
|
24-Dec-2014 |
eric |
missing include
|
#
1.11 |
|
02-Oct-2014 |
gilles |
no need to set the same field NULL twice ;-)
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.10 |
|
10-Jul-2014 |
jsg |
add additional includes required to build with -DOPENSSL_NO_DEPRECATED ok eric@ gilles@
|
#
1.9 |
|
10-Jul-2014 |
eric |
make the control process broadcast verbose/profile admin requests directly, rather than going through the parent process. simplify code in the meantime.
|
#
1.8 |
|
08-Jul-2014 |
eric |
fatalx(errorstr) -> fatalx("%s", errorstr) add missing include and remove redundant debug trace while here.
|
#
1.7 |
|
04-May-2014 |
reyk |
Create a new default RSA engine instead of patching the existing one if none is available. Fixes SSL/TLS and a possible fatalx() on machines without a default RSA engine.
Thanks to Bjorn Ketelaars for reporting and testing.
ok gilles@ (for the relayd part)
|
#
1.6 |
|
01-May-2014 |
reyk |
Move RSA keys from "lka" to a new dedicated "ca" process because lka is handling some async requests and shouldn't be busy with sync RSA.
ok gilles@
|
#
1.5 |
|
30-Apr-2014 |
reyk |
The RSA engine (used by pony) has to wait for a response from the privileged process (lka) and receive the imsgs in a while loop synchronously. But the lka also sends other imsgs (DNS etc.) that can still be queued up in the buffer when waiting for the RSA response. This only happens under load with many concurrent connections. For now, we just call the pony imsg handler for non-RSA imsgs that are already in the buffer.
ok gilles@ eric@ blambert@
|
#
1.4 |
|
29-Apr-2014 |
reyk |
Implement RSA privilege separation for OpenSMTPD, based on my previous implementation for relayd(8). The smtpd(8) pony processes (mta client, smtp server) don't keep the private keys in memory but send their private key operations as imsgs to the "lookup"/mta process. It's worth mentioning that this prevents accidental private key leakage as it could have been caused by "Heartbleed".
ok gilles@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.3 |
|
21-Nov-2013 |
eric |
fail if lka can't load cert file
|
#
1.2 |
|
28-Oct-2013 |
eric |
Report the ssl certificate verification status in the mail header. Log ssl certificate validation errors. Fix several ssl-related leaks.
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.1 |
|
26-Jan-2013 |
gilles |
Sync with our smtpd repo:
* first bricks of ldap and sqlite support (not finished but both working)
* new table API to replace map API, all lookups are done through tables
* improved handling of temporary errors throughout the daemon
* improved scheduler and mta logic: connection reuse, optimizes batches
* improved queue: more tolerant to admin errors, new layout, less disk-IO
* improved memory usage under high load
* SSL certs/keys isolated to lookup process to avoid facing network
* VIRTUAL support improved, fully virtual setups possible now
* runtime tracing of processes through smtpctl trace
* ssl_privsep.c sync-ed with relayd
* ssl.c no longer contains smtpd specific interfaces
* smtpd-specific ssl bits moved to ssl_smtpd.c
* update mail address in copyright
FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE.
smtpd.conf(5) simplified, it will require adaptations
ok eric@
|
#
1.34 |
|
05-Jun-2019 |
gilles |
assume RSA_METHOD is opaque and only access members through setters/getters
|
#
1.33 |
|
05-Jun-2019 |
gilles |
a long long time ago, in a galaxy quite close actually, reyk@ introduced an RSA privsep engine to isolate private keys in the ca process. ECDSA support in smtpd has become a frequent request so here's an ECDSA privsep engine and the code required for smtpd to load ECDSA certificates and use them.
|
#
1.32 |
|
24-May-2019 |
gilles |
assume X509_STORE_CTX is opaque, don't access ->error but use the X509_STORE_CTX_get_error() function instead
|
#
1.31 |
|
24-May-2019 |
gilles |
mechanical change to dynamically allocate rsae_method
|
#
1.30 |
|
24-May-2019 |
gilles |
remove useless check, it's never been and will never be hit
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.29 |
|
24-May-2018 |
gilles |
switch smtpd to new grammar
ok eric@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.28 |
|
21-Nov-2017 |
eric |
no need to check the sending process in imsg handlers when there is no ambiguity: just use a single switch.
ok gilles@ sunil@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.27 |
|
17-May-2017 |
deraadt |
Introduce more use of freezero(). Also, remove ptr conditionals before many functions which are free(NULL)-compat ok gilles
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.26 |
|
09-Jan-2017 |
reyk |
smtpd joins the 7 other daemons that share the same log.c file.
The only major difference was the "log_trace" concept that is only used by smtpd - move it from log.c into util.c and make it a local concept. This also needed to rename the global "verbose" variable to "tracing" in a few places.
OK krw@ gilles@ eric@
|
#
1.25 |
|
08-Sep-2016 |
eric |
Streamline the daemon shutdown sequence.
Only the parent process handles SIGTERM and SIGINT. Upon receiving one of those, it closes all imsg sockets and waitpid() for the children. It fatal()s if one of the sockets is closed unexpectedly. Other processes exit() "normally" when one of the imsg sockets is closed.
ok gilles@ sunil@
|
#
1.24 |
|
04-Sep-2016 |
eric |
The smtpd processes are not expected to ever leave their event loop. So stop pretending that the *_shutdown() functions could ever be called in this context, and just fatal() if event_dispatch() returns.
ok gilles@ sunil@ giovanni@
|
#
1.23 |
|
01-Sep-2016 |
eric |
remove noop function
ok sunil@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.22 |
|
28-May-2016 |
eric |
Implement the fork+exec pattern in smtpd.
The parent process forks child processes and re-exec each of them with an additional "-x <proc>" argument. During the early setup phase, the parent process sends ipc socket pairs to interconnect the child processes as needed, and it passes the queue encryption key to the queue if necessary. When this is done, all processes have their environment set as in the fork-only case, and they can start doing their work as before.
ok gilles@ jung@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.21 |
|
02-Feb-2016 |
gilles |
in RSA privsep engine, do not provide methods for rsa_sign / rsa_verify, they are unused in OpenSMTPD and lead to crashes in -portable when we're linked to OpenSSL starting with 1.0.2f
ok reyk@
|
#
1.20 |
|
28-Dec-2015 |
jung |
remove spaces after '!'
no binary change
ok millert
|
#
1.19 |
|
05-Dec-2015 |
claudio |
EAGAIN handling for imsg_read. OK henning@ benno@
|
#
1.18 |
|
05-Nov-2015 |
jung |
replace u_char and u_int* with standard stdint.h types to ease portable version also remove trailing whitespaces while here
no binary change
ok sunil millert gilles
|
#
1.17 |
|
17-Oct-2015 |
gilles |
KNF
|
#
1.16 |
|
14-Oct-2015 |
gilles |
remove a handful of log_warn that we should handle at a different place to make them really useful
|
#
1.15 |
|
13-Oct-2015 |
gilles |
pledge("stdio") the RSA-privsep process
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.14 |
|
20-Jan-2015 |
deraadt |
use <limits.h> comprehensively. For now try to push <> includes to each .c file, and out of the .h files. To avoid overinclude. ok gilles, in principle. If this has been done right, -portable should become easier to maintain.
|
#
1.13 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.12 |
|
24-Dec-2014 |
eric |
missing include
|
#
1.11 |
|
02-Oct-2014 |
gilles |
no need to set the same field NULL twice ;-)
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.10 |
|
10-Jul-2014 |
jsg |
add additional includes required to build with -DOPENSSL_NO_DEPRECATED ok eric@ gilles@
|
#
1.9 |
|
10-Jul-2014 |
eric |
make the control process broadcast verbose/profile admin requests directly, rather than going through the parent process. simplify code in the meantime.
|
#
1.8 |
|
08-Jul-2014 |
eric |
fatalx(errorstr) -> fatalx("%s", errorstr) add missing include and remove redundant debug trace while here.
|
#
1.7 |
|
04-May-2014 |
reyk |
Create a new default RSA engine instead of patching the existing one if none is available. Fixes SSL/TLS and a possible fatalx() on machines without a default RSA engine.
Thanks to Bjorn Ketelaars for reporting and testing.
ok gilles@ (for the relayd part)
|
#
1.6 |
|
01-May-2014 |
reyk |
Move RSA keys from "lka" to a new dedicated "ca" process because lka is handling some async requests and shouldn't be busy with sync RSA.
ok gilles@
|
#
1.5 |
|
30-Apr-2014 |
reyk |
The RSA engine (used by pony) has to wait for a response from the privileged process (lka) and receive the imsgs in a while loop synchronously. But the lka also sends other imsgs (DNS etc.) that can still be queued up in the buffer when waiting for the RSA response. This only happens under load with many concurrent connections. For now, we just call the pony imsg handler for non-RSA imsgs that are already in the buffer.
ok gilles@ eric@ blambert@
|
#
1.4 |
|
29-Apr-2014 |
reyk |
Implement RSA privilege separation for OpenSMTPD, based on my previous implementation for relayd(8). The smtpd(8) pony processes (mta client, smtp server) don't keep the private keys in memory but send their private key operations as imsgs to the "lookup"/mta process. It's worth mentioning that this prevents accidental private key leakage as it could have been caused by "Heartbleed".
ok gilles@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.3 |
|
21-Nov-2013 |
eric |
fail if lka can't load cert file
|
#
1.2 |
|
28-Oct-2013 |
eric |
Report the ssl certificate verification status in the mail header. Log ssl certificate validation errors. Fix several ssl-related leaks.
|
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.1 |
|
26-Jan-2013 |
gilles |
Sync with our smtpd repo:
* first bricks of ldap and sqlite support (not finished but both working)
* new table API to replace map API, all lookups are done through tables
* improved handling of temporary errors throughout the daemon
* improved scheduler and mta logic: connection reuse, optimizes batches
* improved queue: more tolerant to admin errors, new layout, less disk-IO
* improved memory usage under high load
* SSL certs/keys isolated to lookup process to avoid facing network
* VIRTUAL support improved, fully virtual setups possible now
* runtime tracing of processes through smtpctl trace
* ssl_privsep.c sync-ed with relayd
* ssl.c no longer contains smtpd specific interfaces
* smtpd-specific ssl bits moved to ssl_smtpd.c
* update mail address in copyright
FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE. FLUSH YOUR QUEUE.
smtpd.conf(5) simplified, it will require adaptations
ok eric@
|
#
1.28 |
|
21-Nov-2017 |
eric |
no need to check the sending process in imsg handlers when there is no ambiguity: just use a single switch.
ok gilles@ sunil@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.27 |
|
17-May-2017 |
deraadt |
Introduce more use of freezero(). Also, remove ptr conditionals before many functions which are free(NULL)-compat
ok gilles
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.26 |
|
09-Jan-2017 |
reyk |
smtpd joins the 7 other daemons that share the same log.c file.
The only major difference was the "log_trace" concept that is only used by smtpd - move it from log.c into util.c and make it a local concept. This also needed to rename the global "verbose" variable to "tracing" in a few places.
OK krw@ gilles@ eric@
|
#
1.25 |
|
08-Sep-2016 |
eric |
Streamline the daemon shutdown sequence.
Only the parent process handles SIGTERM and SIGINT. Upon receiving one of those, it closes all imsg sockets and waitpid() for the children. It fatal()s if one of the sockets is closed unexpectedly. Other processes exit() "normally" when one of the imsg sockets is closed.
ok gilles@ sunil@
|
#
1.24 |
|
04-Sep-2016 |
eric |
The smtpd processes are not expected to ever leave their event loop. So stop pretending that the *_shutdown() functions could ever be called in this context, and just fatal() if event_dispatch() returns.
ok gilles@ sunil@ giovanni@
|
#
1.23 |
|
01-Sep-2016 |
eric |
remove noop function
ok sunil@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.22 |
|
28-May-2016 |
eric |
Implement the fork+exec pattern in smtpd.
The parent process forks child processes and re-exec each of them with an additional "-x <proc>" argument. During the early setup phase, the parent process sends ipc socket pairs to interconnect the child processes as needed, and it passes the queue encryption key to the queue if necessary. When this is done, all processes have their environment set as in the fork-only case, and they can start doing their work as before.
ok gilles@ jung@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.21 |
|
02-Feb-2016 |
gilles |
in RSA privsep engine, do not provide methods for rsa_sign / rsa_verify, they are unused in OpenSMTPD and lead to crashes in -portable when we're linked to OpenSSL starting with 1.0.2f
ok reyk@
|
#
1.20 |
|
28-Dec-2015 |
jung |
remove spaces after '!'
no binary change
ok millert
|
#
1.19 |
|
05-Dec-2015 |
claudio |
EAGAIN handling for imsg_read.
OK henning@ benno@
|
#
1.18 |
|
05-Nov-2015 |
jung |
replace u_char and u_int* with standard stdint.h types to ease portable version
also remove trailing whitespaces while here
no binary change
ok sunil millert gilles
|
#
1.17 |
|
17-Oct-2015 |
gilles |
KNF
|
#
1.16 |
|
14-Oct-2015 |
gilles |
remove a handful of log_warn that we should handle at a different place to make them really useful
|
#
1.15 |
|
13-Oct-2015 |
gilles |
pledge("stdio") the RSA-privsep process
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.14 |
|
20-Jan-2015 |
deraadt |
use <limits.h> comprehensively. For now try to push <> includes to each .c file, and out of the .h files. To avoid overinclude. ok gilles, in principle. If this has been done right, -portable should become easier to maintain.
|
#
1.13 |
|
16-Jan-2015 |
deraadt |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
1.12 |
|
24-Dec-2014 |
eric |
missing include
|
#
1.11 |
|
02-Oct-2014 |
gilles |
no need to set the same field NULL twice ;-)
ok reyk@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.10 |
|
10-Jul-2014 |
jsg |
add additional includes required to build with -DOPENSSL_NO_DEPRECATED
ok eric@ gilles@
|
#
1.9 |
|
10-Jul-2014 |
eric |
make the control process broadcast verbose/profile admin requests directly, rather than going through the parent process. simplify code in the meantime.
|
#
1.8 |
|
08-Jul-2014 |
eric |
fatalx(errorstr) -> fatalx("%s", errorstr)
add missing include and remove redundant debug trace while here.
|
#
1.7 |
|
04-May-2014 |
reyk |
Create a new default RSA engine instead of patching the existing one if none is available. Fixes SSL/TLS and a possible fatalx() on machines without a default RSA engine.
Thanks to Bjorn Ketelaars for reporting and testing.
ok gilles@ (for the relayd part)
|
#
1.6 |
|
01-May-2014 |
reyk |
Move RSA keys from "lka" to a new dedicated "ca" process because lka is handling some async requests and shouldn't be busy with sync RSA.
ok gilles@
|
#
1.5 |
|
30-Apr-2014 |
reyk |
The RSA engine (used by pony) has to wait for a response from the privileged process (lka) and receive the imsgs in a while loop synchronously. But the lka also sends other imsgs (DNS etc.) that can still be queued up in the buffer when waiting for the RSA response. This only happens under load with many concurrent connections. For now, we just call the pony imsg handler for non-RSA imsgs that are already in the buffer.
ok gilles@ eric@ blambert@
|