1/*++ 2/* NAME 3/* tlsproxy 8 4/* SUMMARY 5/* Postfix TLS proxy 6/* SYNOPSIS 7/* \fBtlsproxy\fR [generic Postfix daemon options] 8/* DESCRIPTION 9/* The \fBtlsproxy\fR(8) server implements a server-side TLS 10/* proxy. It is used by \fBpostscreen\fR(8) to talk SMTP-over-TLS 11/* with remote SMTP clients that are not whitelisted (including 12/* clients whose whitelist status has expired), 13/* but it should also work for non-SMTP protocols. 14/* 15/* Although one \fBtlsproxy\fR(8) process can serve multiple 16/* sessions at the same time, it is a good idea to allow the 17/* number of processes to increase with load, so that the 18/* service remains responsive. 19/* PROTOCOL EXAMPLE 20/* .ad 21/* .fi 22/* The example below concerns \fBpostscreen\fR(8). However, 23/* the \fBtlsproxy\fR(8) server is agnostic of the application 24/* protocol, and the example is easily adapted to other 25/* applications. 26/* 27/* After receiving a valid remote SMTP client STARTTLS command, 28/* the \fBpostscreen\fR(8) server sends the remote SMTP client 29/* endpoint string, the requested role (server), and the 30/* requested timeout to \fBtlsproxy\fR(8). \fBpostscreen\fR(8) 31/* then receives a "TLS available" indication from \fBtlsproxy\fR(8). 32/* If the TLS service is available, \fBpostscreen\fR(8) sends 33/* the remote SMTP client file descriptor to \fBtlsproxy\fR(8), 34/* and sends the plaintext 220 greeting to the remote SMTP 35/* client. This triggers TLS negotiations between the remote 36/* SMTP client and \fBtlsproxy\fR(8). Upon completion of the 37/* TLS-level handshake, \fBtlsproxy\fR(8) translates between 38/* plaintext from/to \fBpostscreen\fR(8) and ciphertext to/from 39/* the remote SMTP client. 40/* SECURITY 41/* .ad 42/* .fi 43/* The \fBtlsproxy\fR(8) server is moderately security-sensitive. 44/* It talks to untrusted clients on the network. The process 45/* can be run chrooted at fixed low privilege. 46/* DIAGNOSTICS 47/* Problems and transactions are logged to \fBsyslogd\fR(8). 48/* CONFIGURATION PARAMETERS 49/* .ad 50/* .fi 51/* Changes to \fBmain.cf\fR are not picked up automatically, 52/* as \fBtlsproxy\fR(8) processes may run for a long time 53/* depending on mail server load. Use the command "\fBpostfix 54/* reload\fR" to speed up a change. 55/* 56/* The text below provides only a parameter summary. See 57/* \fBpostconf\fR(5) for more details including examples. 58/* STARTTLS SUPPORT CONTROLS 59/* .ad 60/* .fi 61/* .IP "\fBtlsproxy_tls_CAfile ($smtpd_tls_CAfile)\fR" 62/* A file containing (PEM format) CA certificates of root CAs 63/* trusted to sign either remote SMTP client certificates or intermediate 64/* CA certificates. 65/* .IP "\fBtlsproxy_tls_CApath ($smtpd_tls_CApath)\fR" 66/* A directory containing (PEM format) CA certificates of root CAs 67/* trusted to sign either remote SMTP client certificates or intermediate 68/* CA certificates. 69/* .IP "\fBtlsproxy_tls_always_issue_session_ids ($smtpd_tls_always_issue_session_ids)\fR" 70/* Force the Postfix \fBtlsproxy\fR(8) server to issue a TLS session id, 71/* even when TLS session caching is turned off. 72/* .IP "\fBtlsproxy_tls_ask_ccert ($smtpd_tls_ask_ccert)\fR" 73/* Ask a remote SMTP client for a client certificate. 74/* .IP "\fBtlsproxy_tls_ccert_verifydepth ($smtpd_tls_ccert_verifydepth)\fR" 75/* The verification depth for remote SMTP client certificates. 76/* .IP "\fBtlsproxy_tls_cert_file ($smtpd_tls_cert_file)\fR" 77/* File with the Postfix \fBtlsproxy\fR(8) server RSA certificate in PEM 78/* format. 79/* .IP "\fBtlsproxy_tls_ciphers ($smtpd_tls_ciphers)\fR" 80/* The minimum TLS cipher grade that the Postfix \fBtlsproxy\fR(8) server 81/* will use with opportunistic TLS encryption. 82/* .IP "\fBtlsproxy_tls_dcert_file ($smtpd_tls_dcert_file)\fR" 83/* File with the Postfix \fBtlsproxy\fR(8) server DSA certificate in PEM 84/* format. 85/* .IP "\fBtlsproxy_tls_dh1024_param_file ($smtpd_tls_dh1024_param_file)\fR" 86/* File with DH parameters that the Postfix \fBtlsproxy\fR(8) server 87/* should use with non-export EDH ciphers. 88/* .IP "\fBtlsproxy_tls_dh512_param_file ($smtpd_tls_dh512_param_file)\fR" 89/* File with DH parameters that the Postfix \fBtlsproxy\fR(8) server 90/* should use with export-grade EDH ciphers. 91/* .IP "\fBtlsproxy_tls_dkey_file ($smtpd_tls_dkey_file)\fR" 92/* File with the Postfix \fBtlsproxy\fR(8) server DSA private key in PEM 93/* format. 94/* .IP "\fBtlsproxy_tls_eccert_file ($smtpd_tls_eccert_file)\fR" 95/* File with the Postfix \fBtlsproxy\fR(8) server ECDSA certificate in 96/* PEM format. 97/* .IP "\fBtlsproxy_tls_eckey_file ($smtpd_tls_eckey_file)\fR" 98/* File with the Postfix \fBtlsproxy\fR(8) server ECDSA private key in 99/* PEM format. 100/* .IP "\fBtlsproxy_tls_eecdh_grade ($smtpd_tls_eecdh_grade)\fR" 101/* The Postfix \fBtlsproxy\fR(8) server security grade for ephemeral 102/* elliptic-curve Diffie-Hellman (EECDH) key exchange. 103/* .IP "\fBtlsproxy_tls_exclude_ciphers ($smtpd_tls_exclude_ciphers)\fR" 104/* List of ciphers or cipher types to exclude from the \fBtlsproxy\fR(8) 105/* server cipher list at all TLS security levels. 106/* .IP "\fBtlsproxy_tls_fingerprint_digest ($smtpd_tls_fingerprint_digest)\fR" 107/* The message digest algorithm to construct remote SMTP 108/* client-certificate 109/* fingerprints. 110/* .IP "\fBtlsproxy_tls_key_file ($smtpd_tls_key_file)\fR" 111/* File with the Postfix \fBtlsproxy\fR(8) server RSA private key in PEM 112/* format. 113/* .IP "\fBtlsproxy_tls_loglevel ($smtpd_tls_loglevel)\fR" 114/* Enable additional Postfix \fBtlsproxy\fR(8) server logging of TLS 115/* activity. 116/* .IP "\fBtlsproxy_tls_mandatory_ciphers ($smtpd_tls_mandatory_ciphers)\fR" 117/* The minimum TLS cipher grade that the Postfix \fBtlsproxy\fR(8) server 118/* will use with mandatory TLS encryption. 119/* .IP "\fBtlsproxy_tls_mandatory_exclude_ciphers ($smtpd_tls_mandatory_exclude_ciphers)\fR" 120/* Additional list of ciphers or cipher types to exclude from the 121/* \fBtlsproxy\fR(8) server cipher list at mandatory TLS security levels. 122/* .IP "\fBtlsproxy_tls_mandatory_protocols ($smtpd_tls_mandatory_protocols)\fR" 123/* The SSL/TLS protocols accepted by the Postfix \fBtlsproxy\fR(8) server 124/* with mandatory TLS encryption. 125/* .IP "\fBtlsproxy_tls_protocols ($smtpd_tls_protocols)\fR" 126/* List of TLS protocols that the Postfix \fBtlsproxy\fR(8) server will 127/* exclude or include with opportunistic TLS encryption. 128/* .IP "\fBtlsproxy_tls_req_ccert ($smtpd_tls_req_ccert)\fR" 129/* With mandatory TLS encryption, require a trusted remote SMTP 130/* client certificate in order to allow TLS connections to proceed. 131/* .IP "\fBtlsproxy_tls_security_level ($smtpd_tls_security_level)\fR" 132/* The SMTP TLS security level for the Postfix \fBtlsproxy\fR(8) server; 133/* when a non-empty value is specified, this overrides the obsolete 134/* parameters smtpd_use_tls and smtpd_enforce_tls. 135/* .PP 136/* Available in Postfix version 2.11 and later: 137/* .IP "\fBtlsmgr_service_name (tlsmgr)\fR" 138/* The name of the \fBtlsmgr\fR(8) service entry in master.cf. 139/* OBSOLETE STARTTLS SUPPORT CONTROLS 140/* .ad 141/* .fi 142/* These parameters are supported for compatibility with 143/* \fBsmtpd\fR(8) legacy parameters. 144/* .IP "\fBtlsproxy_use_tls ($smtpd_use_tls)\fR" 145/* Opportunistic TLS: announce STARTTLS support to remote SMTP clients, 146/* but do not require that clients use TLS encryption. 147/* .IP "\fBtlsproxy_enforce_tls ($smtpd_enforce_tls)\fR" 148/* Mandatory TLS: announce STARTTLS support to remote SMTP clients, and 149/* require that clients use TLS encryption. 150/* RESOURCE CONTROLS 151/* .ad 152/* .fi 153/* .IP "\fBtlsproxy_watchdog_timeout (10s)\fR" 154/* How much time a \fBtlsproxy\fR(8) process may take to process local 155/* or remote I/O before it is terminated by a built-in watchdog timer. 156/* MISCELLANEOUS CONTROLS 157/* .ad 158/* .fi 159/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" 160/* The default location of the Postfix main.cf and master.cf 161/* configuration files. 162/* .IP "\fBprocess_id (read-only)\fR" 163/* The process ID of a Postfix command or daemon process. 164/* .IP "\fBprocess_name (read-only)\fR" 165/* The process name of a Postfix command or daemon process. 166/* .IP "\fBsyslog_facility (mail)\fR" 167/* The syslog facility of Postfix logging. 168/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR" 169/* The mail system name that is prepended to the process name in syslog 170/* records, so that "smtpd" becomes, for example, "postfix/smtpd". 171/* SEE ALSO 172/* postscreen(8), Postfix zombie blocker 173/* smtpd(8), Postfix SMTP server 174/* postconf(5), configuration parameters 175/* syslogd(5), system logging 176/* LICENSE 177/* .ad 178/* .fi 179/* The Secure Mailer license must be distributed with this software. 180/* HISTORY 181/* .ad 182/* .fi 183/* This service was introduced with Postfix version 2.8. 184/* AUTHOR(S) 185/* Wietse Venema 186/* IBM T.J. Watson Research 187/* P.O. Box 704 188/* Yorktown Heights, NY 10598, USA 189/*--*/ 190 191 /* 192 * System library. 193 */ 194#include <sys_defs.h> 195 196 /* 197 * Utility library. 198 */ 199#include <msg.h> 200#include <vstream.h> 201#include <iostuff.h> 202#include <nbbio.h> 203#include <mymalloc.h> 204 205 /* 206 * Global library. 207 */ 208#include <mail_proto.h> 209#include <mail_params.h> 210#include <mail_conf.h> 211#include <mail_version.h> 212 213 /* 214 * Master library. 215 */ 216#include <mail_server.h> 217 218 /* 219 * TLS library. 220 */ 221#ifdef USE_TLS 222#define TLS_INTERNAL /* XXX */ 223#include <tls.h> 224#include <tls_proxy.h> 225 226 /* 227 * Application-specific. 228 */ 229#include <tlsproxy.h> 230 231 /* 232 * Tunable parameters. We define our clones of the smtpd(8) parameters to 233 * avoid any confusion about which parameters are used by this program. 234 */ 235int var_smtpd_tls_ccert_vd; 236char *var_smtpd_tls_loglevel; 237bool var_smtpd_use_tls; 238bool var_smtpd_enforce_tls; 239bool var_smtpd_tls_ask_ccert; 240bool var_smtpd_tls_req_ccert; 241bool var_smtpd_tls_set_sessid; 242char *var_smtpd_relay_ccerts; 243char *var_smtpd_tls_cert_file; 244char *var_smtpd_tls_key_file; 245char *var_smtpd_tls_dcert_file; 246char *var_smtpd_tls_dkey_file; 247char *var_smtpd_tls_eccert_file; 248char *var_smtpd_tls_eckey_file; 249char *var_smtpd_tls_CAfile; 250char *var_smtpd_tls_CApath; 251char *var_smtpd_tls_ciph; 252char *var_smtpd_tls_mand_ciph; 253char *var_smtpd_tls_excl_ciph; 254char *var_smtpd_tls_mand_excl; 255char *var_smtpd_tls_proto; 256char *var_smtpd_tls_mand_proto; 257char *var_smtpd_tls_dh512_param_file; 258char *var_smtpd_tls_dh1024_param_file; 259char *var_smtpd_tls_eecdh; 260char *var_smtpd_tls_fpt_dgst; 261char *var_smtpd_tls_level; 262 263int var_tlsp_tls_ccert_vd; 264char *var_tlsp_tls_loglevel; 265bool var_tlsp_use_tls; 266bool var_tlsp_enforce_tls; 267bool var_tlsp_tls_ask_ccert; 268bool var_tlsp_tls_req_ccert; 269bool var_tlsp_tls_set_sessid; 270char *var_tlsp_tls_cert_file; 271char *var_tlsp_tls_key_file; 272char *var_tlsp_tls_dcert_file; 273char *var_tlsp_tls_dkey_file; 274char *var_tlsp_tls_eccert_file; 275char *var_tlsp_tls_eckey_file; 276char *var_tlsp_tls_CAfile; 277char *var_tlsp_tls_CApath; 278char *var_tlsp_tls_ciph; 279char *var_tlsp_tls_mand_ciph; 280char *var_tlsp_tls_excl_ciph; 281char *var_tlsp_tls_mand_excl; 282char *var_tlsp_tls_proto; 283char *var_tlsp_tls_mand_proto; 284char *var_tlsp_tls_dh512_param_file; 285char *var_tlsp_tls_dh1024_param_file; 286char *var_tlsp_tls_eecdh; 287char *var_tlsp_tls_fpt_dgst; 288char *var_tlsp_tls_level; 289 290int var_tlsp_watchdog; 291 292 /* 293 * TLS per-process status. 294 */ 295static TLS_APPL_STATE *tlsp_server_ctx; 296static int ask_client_cert; 297 298 /* 299 * SLMs. 300 */ 301#define STR(x) vstring_str(x) 302 303 /* 304 * This code looks simpler than expected. That is the result of a great deal 305 * of effort, mainly in design and analysis. 306 * 307 * By design, postscreen(8) is an event-driven server that must scale up to a 308 * large number of clients. This means that postscreen(8) must avoid doing 309 * CPU-intensive operations such as those in OpenSSL. 310 * 311 * tlsproxy(8) runs the OpenSSL code on behalf of postscreen(8), translating 312 * plaintext SMTP messages from postscreen(8) into SMTP-over-TLS messages to 313 * the remote SMTP client, and vice versa. As long as postscreen(8) does not 314 * receive email messages, the cost of doing TLS operations will be modest. 315 * 316 * Like postscreen(8), one tlsproxy(8) process services multiple remote SMTP 317 * clients. Unlike postscreen(8), there can be more than one tlsproxy(8) 318 * process, although their number is meant to be much smaller than the 319 * number of remote SMTP clients that talk TLS. 320 * 321 * As with postscreen(8), all I/O must be event-driven: encrypted traffic 322 * between tlsproxy(8) and remote SMTP clients, and plaintext traffic 323 * between tlsproxy(8) and postscreen(8). Event-driven plaintext I/O is 324 * straightforward enough that it could be abstracted away with the nbbio(3) 325 * module. 326 * 327 * The event-driven TLS I/O implementation is founded on on-line OpenSSL 328 * documentation, supplemented by statements from OpenSSL developers on 329 * public mailing lists. After some field experience with this code, we may 330 * be able to factor it out as a library module, like nbbio(3), that can 331 * become part of the TLS library. 332 */ 333 334static void tlsp_ciphertext_event(int, char *); 335 336#define TLSP_INIT_TIMEOUT 100 337 338/* tlsp_drain - delayed exit after "postfix reload" */ 339 340static void tlsp_drain(char *unused_service, char **unused_argv) 341{ 342 int count; 343 344 /* 345 * After "postfix reload", complete work-in-progress in the background, 346 * instead of dropping already-accepted connections on the floor. 347 * 348 * All error retry counts shall be limited. Instead of blocking here, we 349 * could retry failed fork() operations in the event call-back routines, 350 * but we don't need perfection. The host system is severely overloaded 351 * and service levels are already way down. 352 */ 353 for (count = 0; /* see below */ ; count++) { 354 if (count >= 5) { 355 msg_fatal("fork: %m"); 356 } else if (event_server_drain() != 0) { 357 msg_warn("fork: %m"); 358 sleep(1); 359 continue; 360 } else { 361 return; 362 } 363 } 364} 365 366/* tlsp_eval_tls_error - translate TLS "error" result into action */ 367 368static int tlsp_eval_tls_error(TLSP_STATE *state, int err) 369{ 370 int ciphertext_fd = state->ciphertext_fd; 371 372 /* 373 * The ciphertext file descriptor is in non-blocking mode, meaning that 374 * each SSL_accept/connect/read/write/shutdown request may return an 375 * "error" indication that it needs to read or write more ciphertext. The 376 * purpose of this routine is to translate those "error" indications into 377 * the appropriate read/write/timeout event requests. 378 */ 379 switch (err) { 380 381 /* 382 * No error from SSL_read and SSL_write means that the plaintext 383 * output buffer is full and that the plaintext input buffer is 384 * empty. Stop read/write events on the ciphertext stream. Keep the 385 * timer alive as a safety mechanism for the case that the plaintext 386 * pseudothreads get stuck. 387 */ 388 case SSL_ERROR_NONE: 389 if (state->ssl_last_err != SSL_ERROR_NONE) { 390 event_disable_readwrite(ciphertext_fd); 391 event_request_timer(tlsp_ciphertext_event, (char *) state, 392 state->timeout); 393 state->ssl_last_err = SSL_ERROR_NONE; 394 } 395 return (0); 396 397 /* 398 * The TLS engine wants to write to the network. Turn on 399 * write/timeout events on the ciphertext stream. 400 */ 401 case SSL_ERROR_WANT_WRITE: 402 if (state->ssl_last_err == SSL_ERROR_WANT_READ) 403 event_disable_readwrite(ciphertext_fd); 404 if (state->ssl_last_err != SSL_ERROR_WANT_WRITE) { 405 event_enable_write(ciphertext_fd, tlsp_ciphertext_event, 406 (char *) state); 407 state->ssl_last_err = SSL_ERROR_WANT_WRITE; 408 } 409 event_request_timer(tlsp_ciphertext_event, (char *) state, 410 state->timeout); 411 return (0); 412 413 /* 414 * The TLS engine wants to read from the network. Turn on 415 * read/timeout events on the ciphertext stream. 416 */ 417 case SSL_ERROR_WANT_READ: 418 if (state->ssl_last_err == SSL_ERROR_WANT_WRITE) 419 event_disable_readwrite(ciphertext_fd); 420 if (state->ssl_last_err != SSL_ERROR_WANT_READ) { 421 event_enable_read(ciphertext_fd, tlsp_ciphertext_event, 422 (char *) state); 423 state->ssl_last_err = SSL_ERROR_WANT_READ; 424 } 425 event_request_timer(tlsp_ciphertext_event, (char *) state, 426 state->timeout); 427 return (0); 428 429 /* 430 * Some error. Self-destruct. This automagically cleans up all 431 * pending read/write and timeout event requests, making state a 432 * dangling pointer. 433 */ 434 case SSL_ERROR_SSL: 435 tls_print_errors(); 436 /* FALLTHROUGH */ 437 default: 438 tlsp_state_free(state); 439 return (-1); 440 } 441} 442 443/* tlsp_strategy - decide what to read or write next. */ 444 445static void tlsp_strategy(TLSP_STATE *state) 446{ 447 TLS_SESS_STATE *tls_context = state->tls_context; 448 NBBIO *plaintext_buf; 449 int ssl_stat; 450 int ssl_read_err; 451 int ssl_write_err; 452 int handshake_err; 453 454 /* 455 * Be sure to complete the TLS handshake before enabling plain-text I/O. 456 * In case of an unrecoverable error, this automagically cleans up all 457 * pending read/write and timeout event requests. 458 */ 459 if (state->flags & TLSP_FLAG_DO_HANDSHAKE) { 460 ssl_stat = SSL_accept(tls_context->con); 461 if (ssl_stat != 1) { 462 handshake_err = SSL_get_error(tls_context->con, ssl_stat); 463 tlsp_eval_tls_error(state, handshake_err); 464 /* At this point, state could be a dangling pointer. */ 465 return; 466 } 467 if ((state->tls_context = tls_server_post_accept(tls_context)) == 0) { 468 tlsp_state_free(state); 469 return; 470 } 471 if ((state->req_flags & TLS_PROXY_FLAG_SEND_CONTEXT) != 0 472 && (attr_print(state->plaintext_stream, ATTR_FLAG_NONE, 473 ATTR_TYPE_FUNC, tls_proxy_context_print, 474 (char *) state->tls_context, ATTR_TYPE_END) != 0 475 || vstream_fflush(state->plaintext_stream) != 0)) { 476 msg_warn("cannot send TLS context: %m"); 477 tlsp_state_free(state); 478 return; 479 } 480 state->flags &= ~TLSP_FLAG_DO_HANDSHAKE; 481 } 482 483 /* 484 * Shutdown and self-destruct after NBBIO error. This automagically 485 * cleans up all pending read/write and timeout event requests. Before 486 * shutting down TLS, we stop all plain-text I/O events but keep the 487 * NBBIO error flags. 488 */ 489 plaintext_buf = state->plaintext_buf; 490 if (NBBIO_ERROR_FLAGS(plaintext_buf)) { 491 if (NBBIO_ACTIVE_FLAGS(plaintext_buf)) 492 nbbio_disable_readwrite(state->plaintext_buf); 493 ssl_stat = SSL_shutdown(tls_context->con); 494 /* XXX Wait for return value 1 if sessions are to be reused? */ 495 if (ssl_stat < 0) { 496 handshake_err = SSL_get_error(tls_context->con, ssl_stat); 497 tlsp_eval_tls_error(state, handshake_err); 498 /* At this point, state could be a dangling pointer. */ 499 return; 500 } 501 tlsp_state_free(state); 502 return; 503 } 504 505 /* 506 * Try to move data from the plaintext input buffer to the TLS engine. 507 * 508 * XXX We're supposed to repeat the exact same SSL_write() call arguments 509 * after an SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE result. Rumor has 510 * it that this is because each SSL_write() call reads from the buffer 511 * incrementally, and returns > 0 only after the final byte is processed. 512 * Rumor also has it that setting SSL_MODE_ENABLE_PARTIAL_WRITE and 513 * SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER voids this requirement, and that 514 * repeating the request with an increased request size is OK. 515 * Unfortunately all this is not or poorly documented, and one has to 516 * rely on statements from OpenSSL developers in public mailing archives. 517 */ 518 ssl_write_err = SSL_ERROR_NONE; 519 while (NBBIO_READ_PEND(plaintext_buf) > 0) { 520 ssl_stat = SSL_write(tls_context->con, NBBIO_READ_BUF(plaintext_buf), 521 NBBIO_READ_PEND(plaintext_buf)); 522 ssl_write_err = SSL_get_error(tls_context->con, ssl_stat); 523 if (ssl_write_err != SSL_ERROR_NONE) 524 break; 525 /* Allow the plaintext pseudothread to read more data. */ 526 NBBIO_READ_PEND(plaintext_buf) -= ssl_stat; 527 if (NBBIO_READ_PEND(plaintext_buf) > 0) 528 memmove(NBBIO_READ_BUF(plaintext_buf), 529 NBBIO_READ_BUF(plaintext_buf) + ssl_stat, 530 NBBIO_READ_PEND(plaintext_buf)); 531 } 532 533 /* 534 * Try to move data from the TLS engine to the plaintext output buffer. 535 * Note: data may arrive as a side effect of calling SSL_write(), 536 * therefore we call SSL_read() after calling SSL_write(). 537 * 538 * XXX We're supposed to repeat the exact same SSL_read() call arguments 539 * after an SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE result. This 540 * supposedly means that our plaintext writer must not memmove() the 541 * plaintext output buffer until after the SSL_read() call succeeds. For 542 * now I'll ignore this, because 1) SSL_read() is documented to return 543 * the bytes available, instead of returning > 0 only after the entire 544 * buffer is processed like SSL_write() does; and 2) there is no "read" 545 * equivalent of the SSL_R_BAD_WRITE_RETRY, SSL_MODE_ENABLE_PARTIAL_WRITE 546 * or SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER features. 547 */ 548 ssl_read_err = SSL_ERROR_NONE; 549 while (NBBIO_WRITE_PEND(state->plaintext_buf) < NBBIO_BUFSIZE(plaintext_buf)) { 550 ssl_stat = SSL_read(tls_context->con, 551 NBBIO_WRITE_BUF(plaintext_buf) 552 + NBBIO_WRITE_PEND(state->plaintext_buf), 553 NBBIO_BUFSIZE(plaintext_buf) 554 - NBBIO_WRITE_PEND(state->plaintext_buf)); 555 ssl_read_err = SSL_get_error(tls_context->con, ssl_stat); 556 if (ssl_read_err != SSL_ERROR_NONE) 557 break; 558 NBBIO_WRITE_PEND(plaintext_buf) += ssl_stat; 559 } 560 561 /* 562 * Try to enable/disable ciphertext read/write events. If SSL_write() was 563 * satisfied, see if SSL_read() wants to do some work. In case of an 564 * unrecoverable error, this automagically destroys the session state 565 * after cleaning up all pending read/write and timeout event requests. 566 */ 567 if (tlsp_eval_tls_error(state, ssl_write_err != SSL_ERROR_NONE ? 568 ssl_write_err : ssl_read_err) < 0) 569 return; 570 571 /* 572 * Try to enable/disable plaintext read/write events. Basically, if we 573 * have nothing to write to the postscreen(8) server, see if there is 574 * something to read. If the write buffer is empty and the read buffer is 575 * full, suspend plaintext I/O until conditions change (but keep the 576 * timer active, as a safety mechanism in case ciphertext I/O gets 577 * stuck). 578 * 579 * XXX In theory, if the client keeps writing fast enough then we would 580 * never read from postscreen(8), and cause postscreen(8) to block. In 581 * practice, postscreen(8) limits the number of client commands, and thus 582 * postscreen(8)'s output will fit in a kernel buffer. This may not be 583 * true in other scenarios where the tlsproxy(8) server could be used. 584 */ 585 if (NBBIO_WRITE_PEND(plaintext_buf) > 0) { 586 if (NBBIO_ACTIVE_FLAGS(plaintext_buf) & NBBIO_FLAG_READ) 587 nbbio_disable_readwrite(plaintext_buf); 588 if ((NBBIO_ACTIVE_FLAGS(plaintext_buf) & NBBIO_FLAG_WRITE) == 0) 589 nbbio_enable_write(plaintext_buf, state->timeout); 590 } else if (NBBIO_READ_PEND(plaintext_buf) < NBBIO_BUFSIZE(plaintext_buf)) { 591 if (NBBIO_ACTIVE_FLAGS(plaintext_buf) & NBBIO_FLAG_WRITE) 592 nbbio_disable_readwrite(plaintext_buf); 593 if ((NBBIO_ACTIVE_FLAGS(plaintext_buf) & NBBIO_FLAG_READ) == 0) 594 nbbio_enable_read(plaintext_buf, state->timeout); 595 } else { 596 if (NBBIO_ACTIVE_FLAGS(plaintext_buf)) 597 nbbio_slumber(plaintext_buf, state->timeout); 598 } 599} 600 601/* tlsp_plaintext_event - plaintext was read/written */ 602 603static void tlsp_plaintext_event(int event, char *context) 604{ 605 TLSP_STATE *state = (TLSP_STATE *) context; 606 607 /* 608 * Safety alert: the plaintext pseudothreads have "slumbered" for too 609 * long (see code above). This means that the ciphertext pseudothreads 610 * are stuck. 611 */ 612 if ((NBBIO_ERROR_FLAGS(state->plaintext_buf) & NBBIO_FLAG_TIMEOUT) != 0 613 && NBBIO_ACTIVE_FLAGS(state->plaintext_buf) == 0) 614 msg_warn("deadlock on ciphertext stream for %s", state->remote_endpt); 615 616 /* 617 * This is easy, because the NBBIO layer has already done the event 618 * decoding and plaintext I/O for us. All we need to do is decide if we 619 * want to read or write more plaintext. 620 */ 621 tlsp_strategy(state); 622} 623 624/* tlsp_ciphertext_event - ciphertext is ready to read/write */ 625 626static void tlsp_ciphertext_event(int event, char *context) 627{ 628 TLSP_STATE *state = (TLSP_STATE *) context; 629 630 /* 631 * Without a TLS quivalent of the NBBIO layer, we must decode the events 632 * ourselves and do the ciphertext I/O. Then, we can decide if we want to 633 * read or write more ciphertext. 634 */ 635 if (event == EVENT_READ || event == EVENT_WRITE) { 636 tlsp_strategy(state); 637 } else { 638 if (event == EVENT_TIME && state->ssl_last_err == SSL_ERROR_NONE) 639 msg_warn("deadlock on plaintext stream for %s", 640 state->remote_endpt); 641 else 642 msg_warn("ciphertext read/write %s for %s", 643 event == EVENT_TIME ? "timeout" : "error", 644 state->remote_endpt); 645 tlsp_state_free(state); 646 } 647} 648 649/* tlsp_start_tls - turn on TLS or force disconnect */ 650 651static void tlsp_start_tls(TLSP_STATE *state) 652{ 653 TLS_SERVER_START_PROPS props; 654 static char *cipher_grade; 655 static VSTRING *cipher_exclusions; 656 657 /* 658 * The code in this routine is pasted literally from smtpd(8). I am not 659 * going to sanitize this because doing so surely will break things in 660 * unexpected ways. 661 */ 662 663 /* 664 * Perform the before-handshake portion of the per-session initalization. 665 * Pass a null VSTREAM to indicate that this program, will do the 666 * ciphertext I/O, not libtls. 667 * 668 * The cipher grade and exclusions don't change between sessions. Compute 669 * just once and cache. 670 */ 671#define ADD_EXCLUDE(vstr, str) \ 672 do { \ 673 if (*(str)) \ 674 vstring_sprintf_append((vstr), "%s%s", \ 675 VSTRING_LEN(vstr) ? " " : "", (str)); \ 676 } while (0) 677 678 if (cipher_grade == 0) { 679 cipher_grade = 680 var_tlsp_enforce_tls ? var_tlsp_tls_mand_ciph : var_tlsp_tls_ciph; 681 cipher_exclusions = vstring_alloc(10); 682 ADD_EXCLUDE(cipher_exclusions, var_tlsp_tls_excl_ciph); 683 if (var_tlsp_enforce_tls) 684 ADD_EXCLUDE(cipher_exclusions, var_tlsp_tls_mand_excl); 685 if (ask_client_cert) 686 ADD_EXCLUDE(cipher_exclusions, "aNULL"); 687 } 688 state->tls_context = 689 TLS_SERVER_START(&props, 690 ctx = tlsp_server_ctx, 691 stream = (VSTREAM *) 0,/* unused */ 692 fd = state->ciphertext_fd, 693 timeout = 0, /* unused */ 694 requirecert = (var_tlsp_tls_req_ccert 695 && var_tlsp_enforce_tls), 696 serverid = state->server_id, 697 namaddr = state->remote_endpt, 698 cipher_grade = cipher_grade, 699 cipher_exclusions = STR(cipher_exclusions), 700 mdalg = var_tlsp_tls_fpt_dgst); 701 702 if (state->tls_context == 0) { 703 tlsp_state_free(state); 704 return; 705 } 706 707 /* 708 * XXX Do we care about TLS session rate limits? Good postscreen(8) 709 * clients will occasionally require the tlsproxy to renew their 710 * whitelist status, but bad clients hammering the server can suck up 711 * lots of CPU cycles. Per-client concurrency limits in postscreen(8) 712 * will divert only naive security "researchers". 713 * 714 * XXX Do we care about certificate verification results? Not as long as 715 * postscreen(8) doesn't actually receive email. 716 */ 717} 718 719/* tlsp_get_fd_event - receive final postscreen(8) hand-off information */ 720 721static void tlsp_get_fd_event(int event, char *context) 722{ 723 const char *myname = "tlsp_get_fd_event"; 724 TLSP_STATE *state = (TLSP_STATE *) context; 725 int plaintext_fd = vstream_fileno(state->plaintext_stream); 726 727 /* 728 * At this point we still manually manage plaintext read/write/timeout 729 * events. Disable I/O and timer events. Don't assume that the first 730 * plaintext request will be a read. 731 */ 732 event_disable_readwrite(plaintext_fd); 733 if (event != EVENT_TIME) 734 event_cancel_timer(tlsp_get_fd_event, (char *) state); 735 736 /* 737 * Initialize plaintext-related session state. Once we have this behind 738 * us, the TLSP_STATE destructor will automagically clean up requests for 739 * read/write/timeout events, which makes error recovery easier. 740 * 741 * Register the plaintext event handler for timer cleanup in the TLSP_STATE 742 * destructor. Insert the NBBIO event-driven I/O layer between the 743 * postscreen(8) server and the TLS engine. 744 */ 745 if (event != EVENT_READ 746 || (state->ciphertext_fd = LOCAL_RECV_FD(plaintext_fd)) < 0) { 747 msg_warn("%s: receive SMTP client file descriptor: %m", myname); 748 tlsp_state_free(state); 749 return; 750 } 751 non_blocking(state->ciphertext_fd, NON_BLOCKING); 752 state->ciphertext_timer = tlsp_ciphertext_event; 753 state->plaintext_buf = nbbio_create(plaintext_fd, 754 VSTREAM_BUFSIZE, "postscreen", 755 tlsp_plaintext_event, 756 (char *) state); 757 758 /* 759 * Perform the TLS layer before-handshake initialization. We perform the 760 * remainder after the TLS handshake completes. 761 */ 762 tlsp_start_tls(state); 763 764 /* 765 * Trigger the initial proxy server I/Os. 766 */ 767 tlsp_strategy(state); 768} 769 770/* tlsp_get_request_event - receive initial postscreen(8) hand-off info */ 771 772static void tlsp_get_request_event(int event, char *context) 773{ 774 const char *myname = "tlsp_get_request_event"; 775 TLSP_STATE *state = (TLSP_STATE *) context; 776 VSTREAM *plaintext_stream = state->plaintext_stream; 777 int plaintext_fd = vstream_fileno(plaintext_stream); 778 static VSTRING *remote_endpt; 779 static VSTRING *server_id; 780 int req_flags; 781 int timeout; 782 int ready; 783 784 /* 785 * One-time initialization. 786 */ 787 if (remote_endpt == 0) { 788 remote_endpt = vstring_alloc(10); 789 server_id = vstring_alloc(10); 790 } 791 792 /* 793 * At this point we still manually manage plaintext read/write/timeout 794 * events. Turn off timer events. Below we disable read events on error, 795 * and redefine read events on success. 796 */ 797 if (event != EVENT_TIME) 798 event_cancel_timer(tlsp_get_request_event, (char *) state); 799 800 /* 801 * We must send some data, after receiving the request attributes and 802 * before receiving the remote file descriptor. We can't assume 803 * UNIX-domain socket semantics here. 804 */ 805 if (event != EVENT_READ 806 || attr_scan(plaintext_stream, ATTR_FLAG_STRICT, 807 ATTR_TYPE_STR, MAIL_ATTR_REMOTE_ENDPT, remote_endpt, 808 ATTR_TYPE_INT, MAIL_ATTR_FLAGS, &req_flags, 809 ATTR_TYPE_INT, MAIL_ATTR_TIMEOUT, &timeout, 810 ATTR_TYPE_STR, MAIL_ATTR_SERVER_ID, server_id, 811 ATTR_TYPE_END) != 4) { 812 msg_warn("%s: receive request attributes: %m", myname); 813 event_disable_readwrite(plaintext_fd); 814 tlsp_state_free(state); 815 return; 816 } 817 818 /* 819 * If the requested TLS engine is unavailable, hang up after making sure 820 * that the plaintext peer has received our "sorry" indication. 821 */ 822 ready = ((req_flags & TLS_PROXY_FLAG_ROLE_SERVER) != 0 823 && tlsp_server_ctx != 0); 824 if (attr_print(plaintext_stream, ATTR_FLAG_NONE, 825 ATTR_TYPE_INT, MAIL_ATTR_STATUS, ready, 826 ATTR_TYPE_END) != 0 827 || vstream_fflush(plaintext_stream) != 0 828 || ready == 0) { 829 read_wait(plaintext_fd, TLSP_INIT_TIMEOUT); /* XXX */ 830 event_disable_readwrite(plaintext_fd); 831 tlsp_state_free(state); 832 return; 833 } 834 835 /* 836 * XXX We use the same fixed timeout throughout the entire session for 837 * both plaintext and ciphertext communication. This timeout is just a 838 * safety feature; the real timeout will be enforced by our plaintext 839 * peer. 840 */ 841 else { 842 state->remote_endpt = mystrdup(STR(remote_endpt)); 843 state->server_id = mystrdup(STR(server_id)); 844 msg_info("CONNECT %s %s", 845 (req_flags & TLS_PROXY_FLAG_ROLE_SERVER) ? "from" : 846 (req_flags & TLS_PROXY_FLAG_ROLE_CLIENT) ? "to" : 847 "(bogus_direction)", state->remote_endpt); 848 state->req_flags = req_flags; 849 state->timeout = timeout + 10; /* XXX */ 850 event_enable_read(plaintext_fd, tlsp_get_fd_event, (char *) state); 851 event_request_timer(tlsp_get_fd_event, (char *) state, 852 TLSP_INIT_TIMEOUT); 853 return; 854 } 855} 856 857/* tlsp_service - handle new client connection */ 858 859static void tlsp_service(VSTREAM *plaintext_stream, 860 char *service, 861 char **argv) 862{ 863 TLSP_STATE *state; 864 int plaintext_fd = vstream_fileno(plaintext_stream); 865 866 /* 867 * Sanity check. This service takes no command-line arguments. 868 */ 869 if (argv[0]) 870 msg_fatal("unexpected command-line argument: %s", argv[0]); 871 872 /* 873 * This program handles multiple connections, so it must not block. We 874 * use event-driven code for all operations that introduce latency. 875 * Except that attribute lists are sent/received synchronously, once the 876 * socket is found to be ready for transmission. 877 */ 878 non_blocking(plaintext_fd, NON_BLOCKING); 879 vstream_control(plaintext_stream, 880 VSTREAM_CTL_PATH, "plaintext", 881 VSTREAM_CTL_TIMEOUT, 5, 882 VSTREAM_CTL_END); 883 884 /* 885 * Receive postscreen's remote SMTP client address/port and socket. 886 */ 887 state = tlsp_state_create(service, plaintext_stream); 888 event_enable_read(plaintext_fd, tlsp_get_request_event, (char *) state); 889 event_request_timer(tlsp_get_request_event, (char *) state, 890 TLSP_INIT_TIMEOUT); 891} 892 893/* pre_jail_init - pre-jail initialization */ 894 895static void pre_jail_init(char *unused_name, char **unused_argv) 896{ 897 TLS_SERVER_INIT_PROPS props; 898 const char *cert_file; 899 int have_server_cert; 900 int no_server_cert_ok; 901 int require_server_cert; 902 903 /* 904 * The code in this routine is pasted literally from smtpd(8). I am not 905 * going to sanitize this because doing so surely will break things in 906 * unexpected ways. 907 */ 908 if (*var_tlsp_tls_level) { 909 switch (tls_level_lookup(var_tlsp_tls_level)) { 910 default: 911 msg_fatal("Invalid TLS level \"%s\"", var_tlsp_tls_level); 912 /* NOTREACHED */ 913 break; 914 case TLS_LEV_SECURE: 915 case TLS_LEV_VERIFY: 916 case TLS_LEV_FPRINT: 917 msg_warn("%s: unsupported TLS level \"%s\", using \"encrypt\"", 918 VAR_TLSP_TLS_LEVEL, var_tlsp_tls_level); 919 /* FALLTHROUGH */ 920 case TLS_LEV_ENCRYPT: 921 var_tlsp_enforce_tls = var_tlsp_use_tls = 1; 922 break; 923 case TLS_LEV_MAY: 924 var_tlsp_enforce_tls = 0; 925 var_tlsp_use_tls = 1; 926 break; 927 case TLS_LEV_NONE: 928 var_tlsp_enforce_tls = var_tlsp_use_tls = 0; 929 break; 930 } 931 } 932 var_tlsp_use_tls = var_tlsp_use_tls || var_tlsp_enforce_tls; 933 if (!var_tlsp_use_tls) { 934 msg_warn("TLS service is requested, but disabled with %s or %s", 935 VAR_TLSP_TLS_LEVEL, VAR_TLSP_USE_TLS); 936 return; 937 } 938 939 /* 940 * Load TLS keys before dropping privileges. 941 * 942 * Can't use anonymous ciphers if we want client certificates. Must use 943 * anonymous ciphers if we have no certificates. 944 */ 945 ask_client_cert = require_server_cert = 946 (var_tlsp_tls_ask_ccert 947 || (var_tlsp_enforce_tls && var_tlsp_tls_req_ccert)); 948 if (strcasecmp(var_tlsp_tls_cert_file, "none") == 0) { 949 no_server_cert_ok = 1; 950 cert_file = ""; 951 } else { 952 no_server_cert_ok = 0; 953 cert_file = var_tlsp_tls_cert_file; 954 } 955 have_server_cert = 956 (*cert_file || *var_tlsp_tls_dcert_file || *var_tlsp_tls_eccert_file); 957 958 /* Some TLS configuration errors are not show stoppers. */ 959 if (!have_server_cert && require_server_cert) 960 msg_warn("Need a server cert to request client certs"); 961 if (!var_tlsp_enforce_tls && var_tlsp_tls_req_ccert) 962 msg_warn("Can't require client certs unless TLS is required"); 963 /* After a show-stopper error, log a warning. */ 964 if (have_server_cert || (no_server_cert_ok && !require_server_cert)) 965 966 /* 967 * Large parameter lists are error-prone, so we emulate a language 968 * feature that C does not have natively: named parameter lists. 969 */ 970 tlsp_server_ctx = 971 TLS_SERVER_INIT(&props, 972 log_param = VAR_TLSP_TLS_LOGLEVEL, 973 log_level = var_tlsp_tls_loglevel, 974 verifydepth = var_tlsp_tls_ccert_vd, 975 cache_type = TLS_MGR_SCACHE_SMTPD, 976 set_sessid = var_tlsp_tls_set_sessid, 977 cert_file = cert_file, 978 key_file = var_tlsp_tls_key_file, 979 dcert_file = var_tlsp_tls_dcert_file, 980 dkey_file = var_tlsp_tls_dkey_file, 981 eccert_file = var_tlsp_tls_eccert_file, 982 eckey_file = var_tlsp_tls_eckey_file, 983 CAfile = var_tlsp_tls_CAfile, 984 CApath = var_tlsp_tls_CApath, 985 dh1024_param_file 986 = var_tlsp_tls_dh1024_param_file, 987 dh512_param_file 988 = var_tlsp_tls_dh512_param_file, 989 eecdh_grade = var_tlsp_tls_eecdh, 990 protocols = var_tlsp_enforce_tls ? 991 var_tlsp_tls_mand_proto : 992 var_tlsp_tls_proto, 993 ask_ccert = ask_client_cert, 994 mdalg = var_tlsp_tls_fpt_dgst); 995 else 996 msg_warn("No server certs available. TLS can't be enabled"); 997 998 /* 999 * To maintain sanity, allow partial SSL_write() operations, and allow 1000 * SSL_write() buffer pointers to change after a WANT_READ or WANT_WRITE 1001 * result. This is based on OpenSSL developers talking on a mailing list, 1002 * but is not supported by documentation. If this code stops working then 1003 * no-one can be held responsible. 1004 */ 1005 if (tlsp_server_ctx) 1006 SSL_CTX_set_mode(tlsp_server_ctx->ssl_ctx, 1007 SSL_MODE_ENABLE_PARTIAL_WRITE 1008 | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); 1009} 1010 1011/* post_jail_init - post-jail initialization */ 1012 1013static void post_jail_init(char *unused_name, char **unused_argv) 1014{ 1015 /* void */ ; 1016} 1017 1018MAIL_VERSION_STAMP_DECLARE; 1019 1020/* main - the main program */ 1021 1022int main(int argc, char **argv) 1023{ 1024 static const CONFIG_INT_TABLE int_table[] = { 1025 VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0, 1026 0, 1027 }; 1028 static const CONFIG_NINT_TABLE nint_table[] = { 1029 VAR_TLSP_TLS_CCERT_VD, DEF_TLSP_TLS_CCERT_VD, &var_tlsp_tls_ccert_vd, 0, 0, 1030 0, 1031 }; 1032 static const CONFIG_TIME_TABLE time_table[] = { 1033 VAR_TLSP_WATCHDOG, DEF_TLSP_WATCHDOG, &var_tlsp_watchdog, 10, 0, 1034 0, 1035 }; 1036 static const CONFIG_BOOL_TABLE bool_table[] = { 1037 VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls, 1038 VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls, 1039 VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert, 1040 VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert, 1041 VAR_SMTPD_TLS_SET_SESSID, DEF_SMTPD_TLS_SET_SESSID, &var_smtpd_tls_set_sessid, 1042 0, 1043 }; 1044 static const CONFIG_NBOOL_TABLE nbool_table[] = { 1045 VAR_TLSP_USE_TLS, DEF_TLSP_USE_TLS, &var_tlsp_use_tls, 1046 VAR_TLSP_ENFORCE_TLS, DEF_TLSP_ENFORCE_TLS, &var_tlsp_enforce_tls, 1047 VAR_TLSP_TLS_ACERT, DEF_TLSP_TLS_ACERT, &var_tlsp_tls_ask_ccert, 1048 VAR_TLSP_TLS_RCERT, DEF_TLSP_TLS_RCERT, &var_tlsp_tls_req_ccert, 1049 VAR_TLSP_TLS_SET_SESSID, DEF_TLSP_TLS_SET_SESSID, &var_tlsp_tls_set_sessid, 1050 0, 1051 }; 1052 static const CONFIG_STR_TABLE str_table[] = { 1053 VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0, 1054 VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0, 1055 VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0, 1056 VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0, 1057 VAR_SMTPD_TLS_ECCERT_FILE, DEF_SMTPD_TLS_ECCERT_FILE, &var_smtpd_tls_eccert_file, 0, 0, 1058 VAR_SMTPD_TLS_ECKEY_FILE, DEF_SMTPD_TLS_ECKEY_FILE, &var_smtpd_tls_eckey_file, 0, 0, 1059 VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0, 1060 VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0, 1061 VAR_SMTPD_TLS_CIPH, DEF_SMTPD_TLS_CIPH, &var_smtpd_tls_ciph, 1, 0, 1062 VAR_SMTPD_TLS_MAND_CIPH, DEF_SMTPD_TLS_MAND_CIPH, &var_smtpd_tls_mand_ciph, 1, 0, 1063 VAR_SMTPD_TLS_EXCL_CIPH, DEF_SMTPD_TLS_EXCL_CIPH, &var_smtpd_tls_excl_ciph, 0, 0, 1064 VAR_SMTPD_TLS_MAND_EXCL, DEF_SMTPD_TLS_MAND_EXCL, &var_smtpd_tls_mand_excl, 0, 0, 1065 VAR_SMTPD_TLS_PROTO, DEF_SMTPD_TLS_PROTO, &var_smtpd_tls_proto, 0, 0, 1066 VAR_SMTPD_TLS_MAND_PROTO, DEF_SMTPD_TLS_MAND_PROTO, &var_smtpd_tls_mand_proto, 0, 0, 1067 VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0, 1068 VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0, 1069 VAR_SMTPD_TLS_EECDH, DEF_SMTPD_TLS_EECDH, &var_smtpd_tls_eecdh, 1, 0, 1070 VAR_SMTPD_TLS_FPT_DGST, DEF_SMTPD_TLS_FPT_DGST, &var_smtpd_tls_fpt_dgst, 1, 0, 1071 VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0, 1072 VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0, 1073 VAR_TLSP_TLS_CERT_FILE, DEF_TLSP_TLS_CERT_FILE, &var_tlsp_tls_cert_file, 0, 0, 1074 VAR_TLSP_TLS_KEY_FILE, DEF_TLSP_TLS_KEY_FILE, &var_tlsp_tls_key_file, 0, 0, 1075 VAR_TLSP_TLS_DCERT_FILE, DEF_TLSP_TLS_DCERT_FILE, &var_tlsp_tls_dcert_file, 0, 0, 1076 VAR_TLSP_TLS_DKEY_FILE, DEF_TLSP_TLS_DKEY_FILE, &var_tlsp_tls_dkey_file, 0, 0, 1077 VAR_TLSP_TLS_ECCERT_FILE, DEF_TLSP_TLS_ECCERT_FILE, &var_tlsp_tls_eccert_file, 0, 0, 1078 VAR_TLSP_TLS_ECKEY_FILE, DEF_TLSP_TLS_ECKEY_FILE, &var_tlsp_tls_eckey_file, 0, 0, 1079 VAR_TLSP_TLS_CA_FILE, DEF_TLSP_TLS_CA_FILE, &var_tlsp_tls_CAfile, 0, 0, 1080 VAR_TLSP_TLS_CA_PATH, DEF_TLSP_TLS_CA_PATH, &var_tlsp_tls_CApath, 0, 0, 1081 VAR_TLSP_TLS_CIPH, DEF_TLSP_TLS_CIPH, &var_tlsp_tls_ciph, 1, 0, 1082 VAR_TLSP_TLS_MAND_CIPH, DEF_TLSP_TLS_MAND_CIPH, &var_tlsp_tls_mand_ciph, 1, 0, 1083 VAR_TLSP_TLS_EXCL_CIPH, DEF_TLSP_TLS_EXCL_CIPH, &var_tlsp_tls_excl_ciph, 0, 0, 1084 VAR_TLSP_TLS_MAND_EXCL, DEF_TLSP_TLS_MAND_EXCL, &var_tlsp_tls_mand_excl, 0, 0, 1085 VAR_TLSP_TLS_PROTO, DEF_TLSP_TLS_PROTO, &var_tlsp_tls_proto, 0, 0, 1086 VAR_TLSP_TLS_MAND_PROTO, DEF_TLSP_TLS_MAND_PROTO, &var_tlsp_tls_mand_proto, 0, 0, 1087 VAR_TLSP_TLS_512_FILE, DEF_TLSP_TLS_512_FILE, &var_tlsp_tls_dh512_param_file, 0, 0, 1088 VAR_TLSP_TLS_1024_FILE, DEF_TLSP_TLS_1024_FILE, &var_tlsp_tls_dh1024_param_file, 0, 0, 1089 VAR_TLSP_TLS_EECDH, DEF_TLSP_TLS_EECDH, &var_tlsp_tls_eecdh, 1, 0, 1090 VAR_TLSP_TLS_FPT_DGST, DEF_TLSP_TLS_FPT_DGST, &var_tlsp_tls_fpt_dgst, 1, 0, 1091 VAR_TLSP_TLS_LOGLEVEL, DEF_TLSP_TLS_LOGLEVEL, &var_tlsp_tls_loglevel, 0, 0, 1092 VAR_TLSP_TLS_LEVEL, DEF_TLSP_TLS_LEVEL, &var_tlsp_tls_level, 0, 0, 1093 0, 1094 }; 1095 1096 /* 1097 * Fingerprint executables and core dumps. 1098 */ 1099 MAIL_VERSION_STAMP_ALLOCATE; 1100 1101 /* 1102 * Pass control to the single-threaded service skeleton. 1103 */ 1104 event_server_main(argc, argv, tlsp_service, 1105 MAIL_SERVER_INT_TABLE, int_table, 1106 MAIL_SERVER_NINT_TABLE, nint_table, 1107 MAIL_SERVER_STR_TABLE, str_table, 1108 MAIL_SERVER_BOOL_TABLE, bool_table, 1109 MAIL_SERVER_NBOOL_TABLE, nbool_table, 1110 MAIL_SERVER_TIME_TABLE, time_table, 1111 MAIL_SERVER_PRE_INIT, pre_jail_init, 1112 MAIL_SERVER_POST_INIT, post_jail_init, 1113 MAIL_SERVER_SLOW_EXIT, tlsp_drain, 1114 MAIL_SERVER_WATCHDOG, &var_tlsp_watchdog, 1115 0); 1116} 1117 1118#else 1119 1120/* tlsp_service - respond to external trigger(s), non-TLS version */ 1121 1122static void tlsp_service(VSTREAM *stream, char *unused_service, 1123 char **unused_argv) 1124{ 1125 msg_info("TLS support is not compiled in -- exiting"); 1126 event_server_disconnect(stream); 1127} 1128 1129/* main - the main program */ 1130 1131int main(int argc, char **argv) 1132{ 1133 1134 /* 1135 * We can't simply use msg_fatal() here, because the logging hasn't been 1136 * initialized. The text would disappear because stderr is redirected to 1137 * /dev/null. 1138 * 1139 * We invoke event_server_main() to complete program initialization 1140 * (including logging) and then invoke the tlsp_service() routine to log 1141 * the message that says why this program will not run. 1142 */ 1143 event_server_main(argc, argv, tlsp_service, 1144 0); 1145} 1146 1147#endif 1148