We can't set `tls_dh_min_bits' from an expansion. So set up multiple
transports for different thresholds.
## A standard transport for remote delivery. By default, try to do TLS, and
## don't worry too much if it's not very secure: the alternative is sending
## in plaintext anyway. But all of this can be overridden from the
-## `domains.conf' file.
-smtp:
- driver = smtp
+## `domains.conf' file. Annoyingly, the `tls_dh_min_bits' setting isn't
+## expanded before use, so we can't set it the obvious way. Instead, encode
+## it into the transport name. This is very unpleasant, of course.
+m4_define(<:SMTP_TRANS_DHBITS:>,
+ <:driver = smtp
hosts_try_auth = *
hosts_require_tls = DOMKV(tls-peer-ca, {*}{})
hosts_require_auth = \
{$value} \
{${expand:$value}}}} \
{CONF_acceptable_ciphers})
- ## Can't set this to an expansion. :-(
- m4_dnl tls_dh_min_bits = DOMKV(dh-min-bits, {$value}{1020})
- tls_dh_min_bits = 1020
- tls_tempfail_tryclear = true
+ tls_dh_min_bits = $1
+ tls_tempfail_tryclear = true:>)m4_dnl
+smtp:
+ SMTP_TRANS_DHBITS(1020)
+smtp_dhbits_1024:
+ SMTP_TRANS_DHBITS(1020)
+smtp_dhbits_2048:
+ SMTP_TRANS_DHBITS(2046)
## Transport to a local SMTP server; use TLS and perform client
## authentication.
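Review bot: the transport names and the thresholds they encode disagree: `smtp_dhbits_1024` is defined with `SMTP_TRANS_DHBITS(1020)` and `smtp_dhbits_2048` with `SMTP_TRANS_DHBITS(2046)`, while plain `smtp` keeps the old 1020. If the few bits of slack below the nominal size are intentional (the removed default was already 1020 rather than 1024), say so in a comment next to the three definitions, otherwise the next reader will take 2046 for a typo and "correct" it. Since a router can only ever select one of these two named sizes, the comment should also list the values a domain may ask for.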
SECTION(routers, route)m4_dnl
## If we're a front-end for some other domain, or we have special information
-## about the domain, then pass stuff along as instructed.
+## about the domain, then pass stuff along as instructed. The hack for the
+## `transport' is very nasty; see the commentary for `smtp'.
virtual_route:
driver = manualroute
self = fail
condition = DOMKV(route, {true}{false})
route_data = <;DOMKV(route)
same_domain_copy_routing = true
+ transport = DOMKV(tls-min-dh-bits, {smtp_dhbits_$value}{smtp})
no_more
SECTION(routers, virtual)m4_dnl
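Review bot: `transport = DOMKV(tls-min-dh-bits, {smtp_dhbits_$value}{smtp})` builds a transport name from whatever the domain file contains, but only `smtp_dhbits_1024` and `smtp_dhbits_2048` are defined, so any other value (1536, or a stray space after the number) names a transport that does not exist and the router fails for that domain at delivery time. That is fail-closed rather than a silent fall back to the weak default, which is the right direction, but state the accepted values in the comment above `virtual_route`, and settle on one key name: the comment removed from the `smtp` transport called it `dh-min-bits`, this router reads `tls-min-dh-bits`.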