From: Hiltjo Posthuma
Subject: opensmtpd: relay host: smarthost documentation
To: tech@openbsd.org
Date: Tue, 3 Dec 2024 19:20:02 +0100

Hi,

I have a suggestion for maybe a documentation improvement for opensmtpd relay
host.

In my config I was testing an smtpd.conf rule like:

	action "outbound" relay host smtp+notls://bob@smtp.example.com \
		auth

Of importance here is smtp+notls, so no TLS (it is in a local network).

In the maillog I saw the line:

	Dec 3 13:39:06 server smtpd[27449]: warn: Failed to parse smarthost smtp+notls://bob@smtp.example.com

It was not clear to me at the time why it failed to parse.

In the (nice to read) code I quickly found:

usr.sbin/smtpd/mta.c function mta_handle_envelope

	if (smarthost && !text_to_relayhost(&relayh, smarthost)) {

usr.sbin/smtpd/to.c function text_to_relayhost

	if (relay->authlabel[0]) {
		/* disallow auth on non-tls scheme. */
		if (relay->tls != RELAY_TLS_STARTTLS &&
		    relay->tls != RELAY_TLS_SMTPS)
			return 0;

It is documented here in its full correctness:
https://man.openbsd.org/smtpd.conf#host

"The label corresponds to an entry in a credentials table, as documented in
table(5). It is used with the “smtp+tls” and “smtps” protocols for
authentication. Server certificates for those protocols are verified by
default."

But maybe it should be documented more clearly that smtp+notls does _not_ use
labels and does not use or allow auth?

Or the warning for /var/log/maillog could be improved? Something like:

	warn: Failed to parse smarthost smtp+notls://bob@smtp.example.com: auth is not allowed for a non-TLS scheme

-- 
Kind regards,
Hiltjo
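
Added example, not part of the original message and not OpenSMTPD code: a small Python pre-flight check that scans smtpd.conf text for relay hosts carrying a credentials label on a scheme other than smtp+tls or smtps, the combination that the quoted text_to_relayhost check rejects. The function names, the sample config, the `secrets` table and the wording of the reason string are assumptions made for illustration.

```python
import re

# Per the to.c check and the smtpd.conf(5) text quoted in the message, a
# credentials label is only accepted with these two schemes.
AUTH_SCHEMES = {"smtp+tls", "smtps"}

# Matches "relay ... host scheme://[label@]host[:port]" (scheme required here).
RELAY_RE = re.compile(
    r'\brelay\b.*?\bhost\s+"?'
    r'(?P<url>(?P<scheme>[a-z+]+)://(?:(?P<label>[^@\s/]+)@)?[^\s"]+)'
)

# Constructed sample config; table and host names are placeholders.
SAMPLE_CONF = r'''
table secrets file:/etc/mail/secrets
action "outbound" relay host smtp+notls://bob@smtp.example.com \
    auth <secrets>
action "tls_ok" relay host smtp+tls://bob@smtp.example.com auth <secrets>
action "plain_ok" relay host smtp+notls://smtp.example.com  # no label
'''


def join_continuations(text):
    """Merge lines ending in a backslash, as smtpd.conf allows."""
    return re.sub(r"\\\n\s*", " ", text)


def check_smarthosts(conf_text):
    """Return (url, reason) for each relay host expected to fail parsing."""
    findings = []
    for line in join_continuations(conf_text).splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = RELAY_RE.search(line)
        if not m:
            continue
        scheme, label = m.group("scheme"), m.group("label")
        # Mirrors the quoted check: a label is refused unless TLS is mandatory.
        if label and scheme not in AUTH_SCHEMES:
            reason = (f"label '{label}' with scheme '{scheme}': "
                      "auth requires smtp+tls or smtps")
            findings.append((m.group("url"), reason))
    return findings


if __name__ == "__main__":
    for url, reason in check_smarthosts(SAMPLE_CONF):
        print(f"{url}: {reason}")
```
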