untrusted comment: signature from openbsd 5.7 base secret key
RWSvUZXnw9gUb8smQUXkRDAGHvHDTOQFniVsBdx+zL0f0wobZgQ5MJ+GmXI7mYqlrg+ZRNLfW4NqrSzaoiQmhupoxxr/Di/zPww=

OpenBSD 5.7 errata 4, Apr 19, 2015

Incorrect logic in smtpd(8) can lead to unexpected client disconnect, invalid
certificate in SNI negotiation or server crash.

Apply by doing:
   signify -Vep /etc/signify/openbsd-57-base.pub -x 004_smtpd.patch.sig \
       -m - | (cd /usr/src && patch -p0)

And then rebuild and install smtpd:
   cd /usr/src/usr.sbin/smtpd
   make clean
   make obj
   make
   make install

Index: usr.sbin/smtpd/smtp_session.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtp_session.c,v
retrieving revision 1.227
diff -u -p -r1.227 smtp_session.c
--- usr.sbin/smtpd/smtp_session.c       20 Jan 2015 17:37:54 -0000      1.227
+++ usr.sbin/smtpd/smtp_session.c       16 Apr 2015 21:53:47 -0000
@@ -191,6 +191,7 @@ static uint8_t dsn_notify_str_to_uint8(c
static void smtp_auth_failure_pause(struct smtp_session *);
static void smtp_auth_failure_resume(int, short, void *);
static int smtp_sni_callback(SSL *, int *, void *);
+static const char *smtp_sni_get_servername(struct smtp_session *);

static void smtp_filter_connect(struct smtp_session *, struct sockaddr *);
static void smtp_filter_rset(struct smtp_session *);
@@ -852,7 +853,7 @@ smtp_session_imsg(struct mproc *p, struc
                       pkiname = s->smtpname;
               ssl_ctx = dict_get(env->sc_ssl_dict, pkiname);

-               ssl = ssl_smtp_init(ssl_ctx, smtp_sni_callback, s);
+               ssl = ssl_smtp_init(ssl_ctx, smtp_sni_callback);
               io_set_read(&s->io);
               io_start_tls(&s->io, ssl);

@@ -1031,6 +1032,7 @@ smtp_io(struct io *io, int evt)
{
       struct ca_cert_req_msg  req_ca_cert;
       struct smtp_session    *s = io->arg;
+       const char             *sn;
       char                   *line;
       size_t                  len, i;
       X509                   *x;
@@ -1048,6 +1050,14 @@ smtp_io(struct io *io, int evt)
               s->kickcount = 0;
               s->phase = PHASE_INIT;

+               sn = smtp_sni_get_servername(s);
+               if (sn) {
+                       if (strlcpy(s->sni, sn, sizeof s->sni) >= sizeof s->sni) {
+                               smtp_free(s, "client SNI exceeds max hostname length");
+                               return;
+                       }
+               }
+
               if (smtp_verify_certificate(s)) {
                       io_pause(&s->io, IO_PAUSE_IN);
                       break;
@@ -2139,26 +2149,24 @@ smtp_auth_failure_pause(struct smtp_sess
       evtimer_add(&s->pause, &tv);
}

+static const char *
+smtp_sni_get_servername(struct smtp_session *s)
+{
+       return SSL_get_servername(s->io.ssl, TLSEXT_NAMETYPE_host_name);
+}
+
static int
smtp_sni_callback(SSL *ssl, int *ad, void *arg)
{
       const char              *sn;
-       struct smtp_session     *s = arg;
       void                    *ssl_ctx;

       sn = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
       if (sn == NULL)
               return SSL_TLSEXT_ERR_NOACK;
-       if (strlcpy(s->sni, sn, sizeof s->sni) >= sizeof s->sni) {
-               log_warnx("warn: client SNI exceeds max hostname length");
-               return SSL_TLSEXT_ERR_NOACK;
-       }
       ssl_ctx = dict_get(env->sc_ssl_dict, sn);
-       if (ssl_ctx == NULL) {
-               log_info("smtp-in: No PKI entry for requested SNI \"%s\""
-                   "on session %016"PRIx64, sn, s->id);
+       if (ssl_ctx == NULL)
               return SSL_TLSEXT_ERR_NOACK;
-       }
       SSL_set_SSL_CTX(ssl, ssl_ctx);
       return SSL_TLSEXT_ERR_OK;
}
Index: usr.sbin/smtpd/smtpd.h
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpd.h,v
retrieving revision 1.473
diff -u -p -r1.473 smtpd.h
--- usr.sbin/smtpd/smtpd.h      20 Jan 2015 17:37:54 -0000      1.473
+++ usr.sbin/smtpd/smtpd.h      16 Apr 2015 21:53:47 -0000
@@ -1322,7 +1322,7 @@ int fork_proc_backend(const char *, cons

/* ssl_smtpd.c */
void   *ssl_mta_init(void *, char *, off_t);
-void   *ssl_smtp_init(void *, void *, void *);
+void   *ssl_smtp_init(void *, void *);


/* stat_backend.c */
Index: usr.sbin/smtpd/ssl_smtpd.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/ssl_smtpd.c,v
retrieving revision 1.8
diff -u -p -r1.8 ssl_smtpd.c
--- usr.sbin/smtpd/ssl_smtpd.c  16 Jan 2015 06:40:21 -0000      1.8
+++ usr.sbin/smtpd/ssl_smtpd.c  16 Apr 2015 21:53:47 -0000
@@ -82,7 +82,7 @@ dummy_verify(int ok, X509_STORE_CTX *sto
}

void *
-ssl_smtp_init(void *ssl_ctx, void *sni, void *arg)
+ssl_smtp_init(void *ssl_ctx, void *sni)
{
       SSL     *ssl = NULL;
       int     (*cb)(SSL *,int *,void *) = sni;
@@ -91,10 +91,8 @@ ssl_smtp_init(void *ssl_ctx, void *sni,

       SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, dummy_verify);

-       if (cb) {
+       if (cb)
               SSL_CTX_set_tlsext_servername_callback(ssl_ctx, cb);
-               SSL_CTX_set_tlsext_servername_arg(ssl_ctx, arg);
-       }

       if ((ssl = SSL_new(ssl_ctx)) == NULL)
               goto err;