diff options
| author | Jonas Smedegaard <dr@jones.dk> | 2020-10-10 18:52:29 +0200 |
|---|---|---|
| committer | Jonas Smedegaard <dr@jones.dk> | 2020-10-10 22:15:42 +0200 |
| commit | 308a01512eb9f9484c3ed38e7e964f7c198a1055 (patch) | |
| tree | 06d209f2118895286eb0ba10278866a3ad107470 | |
| parent | 02126f4539f4559390ba0e167cb0ddf24e897367 (diff) | |
generalize overridable variables $TLS_CERT $TLS_KEY
| -rwxr-xr-x | postfix/postfix.sh | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/postfix/postfix.sh b/postfix/postfix.sh index 62b228e..5c2d5b8 100755 --- a/postfix/postfix.sh +++ b/postfix/postfix.sh @@ -29,6 +29,9 @@ exit1() { exit 1 } +TLS_CERT=${TLS_CERT:-/etc/ssl/certs/postfix.pem} +TLS_KEY=${TLS_KEY:-/etc/ssl/private/postfix.pem} + realmsdir='/etc/local-REDPILL' configdirs='/etc/local /etc/local-ORG /etc/local-REDPILL /etc/local-COMMON' confdir='/etc/postfix' @@ -59,10 +62,10 @@ else warn "Dovecot missing - (Debian package dovecot-core or dovecot)." fi tls_cert= -if [ -f /etc/ssl/certs/postfix.pem ] && [ -f /etc/ssl/private/postfix.pem ]; then +if [ -f "$TLS_CERT" ] && [ -f "$TLS_KEY" ]; then tls_cert=1 else - warn "No TLS encryption - requires SSL certificate at /etc/ssl/certs/postfix.pem and private key at /etc/ssl/private/postfix.pem." + warn "No TLS - requires certificate \"$TLS_CERT\" and key \"$TLS_KEY\"." fi # TODO: enable only on systems with user accounts submission=1 @@ -261,15 +264,15 @@ fi # outbound opportunistic encryption _postconf -e smtp_tls_security_level=may if [ -n "$tls_cert" ]; then - _postconf -e smtp_tls_cert_file=/etc/ssl/certs/postfix.pem - _postconf -e smtp_tls_key_file=/etc/ssl/private/postfix.pem + _postconf -e smtp_tls_cert_file="$TLS_CERT" + _postconf -e smtp_tls_key_file="$TLS_KEY" else _postconf -X smtp_tls_cert_file _postconf -X smtp_tls_key_file fi _postconf -e smtp_tls_loglevel=1 -# Force TLS towards peers +# enforce TLS trust path towards peers catallfilesfromotherrealms mailhost | sort | sed 's/^/[/;s/$/]:submission secure/' > "$tempdir/tls_policy" [ ! -f "$tempdir/tls_policy.addon" ] || cat "$tempdir/tls_policy.addon" >> "$tempdir/tls_policy" postmapfiles="$postmapfiles tls_policy" @@ -278,8 +281,8 @@ _postconf -e smtp_tls_policy_maps="hash:$confdir/tls_policy" # inbound opportunistic encryption if [ -n "$tls_cert" ]; then _postconf -e smtpd_tls_security_level=may - _postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem' - _postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem' + _postconf -e smtpd_tls_cert_file="$TLS_CERT" + _postconf -e smtpd_tls_key_file="$TLS_KEY" _postconf -e 'smtpd_tls_loglevel = 1' _postconf -e 'smtpd_tls_auth_only = yes' _postconf -e 'smtpd_tls_received_header = yes' |