authorJonas Smedegaard <dr@jones.dk>2020-10-10 18:52:29 +0200
committerJonas Smedegaard <dr@jones.dk>2020-10-10 22:15:42 +0200
commit308a01512eb9f9484c3ed38e7e964f7c198a1055 (patch)
tree06d209f2118895286eb0ba10278866a3ad107470
parent02126f4539f4559390ba0e167cb0ddf24e897367 (diff)
generalize overridable variables $TLS_CERT $TLS_KEY
-rwxr-xr-xpostfix/postfix.sh17
1 files changed, 10 insertions, 7 deletions
diff --git a/postfix/postfix.sh b/postfix/postfix.sh
index 62b228e..5c2d5b8 100755
--- a/postfix/postfix.sh
+++ b/postfix/postfix.sh
@@ -29,6 +29,9 @@ exit1() {
exit 1
}
+TLS_CERT=${TLS_CERT:-/etc/ssl/certs/postfix.pem}
+TLS_KEY=${TLS_KEY:-/etc/ssl/private/postfix.pem}
+
realmsdir='/etc/local-REDPILL'
configdirs='/etc/local /etc/local-ORG /etc/local-REDPILL /etc/local-COMMON'
confdir='/etc/postfix'
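Review bot: The new `TLS_CERT`/`TLS_KEY` defaults accept whatever the environment supplies without validation, and the rest of the script writes that value verbatim into main.cf; a relative override would pass the later `[ -f ]` test relative to the script's working directory while the Postfix daemons presumably resolve it relative to their own, so TLS would silently fail to come up. Since `exit1` is defined directly above this hunk, an absolute-path check next to the defaults is cheap: `case $TLS_CERT in /*) ;; *) exit1 "TLS_CERT must be an absolute path: $TLS_CERT";; esac` and the same for `$TLS_KEY`. The `${TLS_CERT:-…}` form also treats an exported-but-empty variable as unset, which is probably intended but deserves a comment such as `# overridable from the environment; empty means "use the default"`.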
@@ -59,10 +62,10 @@ else
warn "Dovecot missing - (Debian package dovecot-core or dovecot)."
fi
tls_cert=
-if [ -f /etc/ssl/certs/postfix.pem ] && [ -f /etc/ssl/private/postfix.pem ]; then
+if [ -f "$TLS_CERT" ] && [ -f "$TLS_KEY" ]; then
tls_cert=1
else
- warn "No TLS encryption - requires SSL certificate at /etc/ssl/certs/postfix.pem and private key at /etc/ssl/private/postfix.pem."
+ warn "No TLS - requires certificate \"$TLS_CERT\" and key \"$TLS_KEY\"."
fi
# TODO: enable only on systems with user accounts
submission=1
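Review bot: The `[ -f "$TLS_KEY" ]` test only confirms the private key exists; it does not catch a key that is group- or world-readable, which is exactly the condition Postfix's own guidance for smtpd_tls_key_file warns against and the mistake most likely to appear once operators can point `TLS_KEY` at a non-default location. A warning in the same branch keeps the problem visible at configuration time: `[ -z "$(find "$TLS_KEY" -prune -perm /077)" ] || warn "TLS key \"$TLS_KEY\" is readable by group or others."`. `find -perm /MODE` is GNU find syntax, which seems acceptable here given the Debian-specific Dovecot package hint in the warning just above.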
@@ -261,15 +264,15 @@ fi
# outbound opportunistic encryption
_postconf -e smtp_tls_security_level=may
if [ -n "$tls_cert" ]; then
- _postconf -e smtp_tls_cert_file=/etc/ssl/certs/postfix.pem
- _postconf -e smtp_tls_key_file=/etc/ssl/private/postfix.pem
+ _postconf -e smtp_tls_cert_file="$TLS_CERT"
+ _postconf -e smtp_tls_key_file="$TLS_KEY"
else
_postconf -X smtp_tls_cert_file
_postconf -X smtp_tls_key_file
fi
_postconf -e smtp_tls_loglevel=1
-# Force TLS towards peers
+# enforce TLS trust path towards peers
catallfilesfromotherrealms mailhost | sort | sed 's/^/[/;s/$/]:submission secure/' > "$tempdir/tls_policy"
[ ! -f "$tempdir/tls_policy.addon" ] || cat "$tempdir/tls_policy.addon" >> "$tempdir/tls_policy"
postmapfiles="$postmapfiles tls_policy"
@@ -278,8 +281,8 @@ _postconf -e smtp_tls_policy_maps="hash:$confdir/tls_policy"
# inbound opportunistic encryption
if [ -n "$tls_cert" ]; then
_postconf -e smtpd_tls_security_level=may
- _postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem'
- _postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem'
+ _postconf -e smtpd_tls_cert_file="$TLS_CERT"
+ _postconf -e smtpd_tls_key_file="$TLS_KEY"
_postconf -e 'smtpd_tls_loglevel = 1'
_postconf -e 'smtpd_tls_auth_only = yes'
_postconf -e 'smtpd_tls_received_header = yes'
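Review bot: The two rewritten `smtpd_tls_cert_file`/`smtpd_tls_key_file` lines now use the unquoted `name="$VAR"` spelling while the three `_postconf -e` calls right below them keep the older `'name = value'` spelling, so this block mixes both forms of the same call; the `smtp_` section earlier in the patch uses the unquoted form throughout, and matching it here would make the inbound and outbound TLS sections read alike. A minimal change is `_postconf -e smtpd_tls_loglevel=1`, `_postconf -e smtpd_tls_auth_only=yes`, `_postconf -e smtpd_tls_received_header=yes`. The `if [ -n "$tls_cert" ]` block opened in this hunk closes outside it.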