acceptutils (https://schmonz.com/qmail/acceptutils), my TLS and AUTH
implementation, has been updated. Changes:

- reup: Delete, because retrying AUTH has been broken ever since TLS was
  added to authup.
- authup: Fix AUTH retries under TLS by inlining the retry logic.
- fixsmtpio: Fix process-management bugs in "Ensure STARTTLS resets all
  state by restarting qmail-smtpd."
- Manual pages: considerably improve clarity of authup(8) and
  fixsmtpio(8). Mention s6-ucspitlsd, a new UCSPI-TLS server
  implementation coming soon to s6-networking.

The acceptutils patch doesn't need to be integrated into your main tree,
because it only adds new programs. These programs work well with a
patched or unpatched notqmail, netqmail, or qmail.

As always, feedback welcome.

- Amitai

P.S. There is also nascent code to integrate with NetBSD and FreeBSD's
blocklist (an alternative approach to solving the same problem as
fail2ban). The blocklist API currently requires a network socket, which
UCSPI server applications are not guaranteed to have, so the code is
turned off. It might work if you're running under plain old tcpserver.