From 308a01512eb9f9484c3ed38e7e964f7c198a1055 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Sat, 10 Oct 2020 18:52:29 +0200
Subject: generalize overridable variables $TLS_CERT $TLS_KEY

---
 postfix/postfix.sh | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/postfix/postfix.sh b/postfix/postfix.sh
index 62b228e..5c2d5b8 100755
--- a/postfix/postfix.sh
+++ b/postfix/postfix.sh
@@ -29,6 +29,9 @@ exit1() {
 	exit 1
 }
 
+TLS_CERT=${TLS_CERT:-/etc/ssl/certs/postfix.pem}
+TLS_KEY=${TLS_KEY:-/etc/ssl/private/postfix.pem}
+
 realmsdir='/etc/local-REDPILL'
 configdirs='/etc/local /etc/local-ORG /etc/local-REDPILL /etc/local-COMMON'
 confdir='/etc/postfix'
@@ -59,10 +62,10 @@ else
 	warn "Dovecot missing - (Debian package dovecot-core or dovecot)."
 fi
 tls_cert=
-if [ -f /etc/ssl/certs/postfix.pem ] && [ -f /etc/ssl/private/postfix.pem ]; then
+if [ -f "$TLS_CERT" ] && [ -f "$TLS_KEY" ]; then
 	tls_cert=1
 else
-	warn "No TLS encryption - requires SSL certificate at /etc/ssl/certs/postfix.pem and private key at /etc/ssl/private/postfix.pem."
+	warn "No TLS - requires certificate \"$TLS_CERT\" and key \"$TLS_KEY\"."
 fi
 # TODO: enable only on systems with user accounts
 submission=1
@@ -261,15 +264,15 @@ fi
 # outbound opportunistic encryption
 _postconf -e smtp_tls_security_level=may
 if [ -n "$tls_cert" ]; then
-	_postconf -e smtp_tls_cert_file=/etc/ssl/certs/postfix.pem
-	_postconf -e smtp_tls_key_file=/etc/ssl/private/postfix.pem
+	_postconf -e smtp_tls_cert_file="$TLS_CERT"
+	_postconf -e smtp_tls_key_file="$TLS_KEY"
 else
 	_postconf -X smtp_tls_cert_file
 	_postconf -X smtp_tls_key_file
 fi
 _postconf -e smtp_tls_loglevel=1
-# Force TLS towards peers
+# enforce TLS trust path towards peers
 catallfilesfromotherrealms mailhost | sort | sed 's/^/[/;s/$/]:submission secure/' > "$tempdir/tls_policy"
 [ ! -f "$tempdir/tls_policy.addon" ] || cat "$tempdir/tls_policy.addon" >> "$tempdir/tls_policy"
 postmapfiles="$postmapfiles tls_policy"
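Review bot: The two new TLS_CERT/TLS_KEY assignments take their value from the environment but carry no comment saying they are meant to be overridden or what they must point to, and nothing in the hunk constrains the value, so whatever the caller sets (including a relative path) is handed unchanged to postconf in the later hunks. I would add a short comment above the assignments, e.g. `# TLS certificate and private key handed to Postfix; override by setting TLS_CERT / TLS_KEY in the environment before running this script`. If the script documents its environment variables in a top-of-file header, the two names belong there too; that header is outside the hunk.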
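Review bot: The rewritten condition still tests only that both paths are regular files (`-f`), so a key or certificate that exists but is unreadable to the invoking user passes the gate, tls_cert is set to 1, and the configuration written in the later hunks points Postfix at a file it may not be able to open. Now that the paths are caller-supplied rather than fixed, this is more likely to happen than before; I would tighten the guard to `if [ -f "$TLS_CERT" ] && [ -r "$TLS_CERT" ] && [ -f "$TLS_KEY" ] && [ -r "$TLS_KEY" ]; then` so the else-branch warning fires instead. Whether Postfix reports the problem itself at startup is not visible from the hunk, so treat this as an early defensive check rather than a confirmed silent failure.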
@@ -278,8 +281,8 @@ _postconf -e smtp_tls_policy_maps="hash:$confdir/tls_policy"
 # inbound opportunistic encryption
 if [ -n "$tls_cert" ]; then
 	_postconf -e smtpd_tls_security_level=may
-	_postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem'
-	_postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem'
+	_postconf -e smtpd_tls_cert_file="$TLS_CERT"
+	_postconf -e smtpd_tls_key_file="$TLS_KEY"
 	_postconf -e 'smtpd_tls_loglevel = 1'
 	_postconf -e 'smtpd_tls_auth_only = yes'
 	_postconf -e 'smtpd_tls_received_header = yes'
-- 
cgit v1.2.3
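Review bot: The two replaced lines switch to the `name="$VAR"` argument form while the three lines directly below them keep the single-quoted `'name = value'` form the removed lines used, so this block now mixes both styles within one if-branch. postconf accepts either, so this is purely cosmetic, but converting the neighbours in the same commit (e.g. `_postconf -e smtpd_tls_loglevel=1`) would match the form already used for the smtp_* settings in the previous hunk. The if-block continues past the end of the hunk.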