author | Jonas Smedegaard <dr@jones.dk> | 2002-12-29 23:24:52 +0000 |
---|---|---|
committer | Jonas Smedegaard <dr@jones.dk> | 2002-12-29 23:24:52 +0000 |
commit | b4bedfdab9bbe29831eb844e991a1423f31d8174 (patch) | |
tree | 8b8bb57a37c74ad19aad950b22006d579c7d07f4 | |
parent | dfe5a490701f3662fdd1f1e1503a4fad81fca922 (diff) |
Add TLS support to postfix script (it should probably be renamed...).
-rwxr-xr-x | postfix/anti-uce.sh | 27 | ||||
-rw-r--r-- | postfix/smtpd_recipient_restrictions | 1 |
2 files changed, 28 insertions, 0 deletions
diff --git a/postfix/anti-uce.sh b/postfix/anti-uce.sh
index 2aaf068..fc7ecf9 100755
--- a/postfix/anti-uce.sh
+++ b/postfix/anti-uce.sh
@@ -3,6 +3,8 @@ set -e
 paramdir="/etc/local-COMMON/postfix"
+confdir="/etc/postfix"
+sp='[[:space:]]'
 function getlinesfromfile() {
 param="$1"
@@ -15,6 +17,29 @@ postconf -e "`getlinesfromfile permit_mx_backup_networks`"
 postconf -e "`getlinesfromfile maps_rbl_domains`"
 postconf -e "`getlinesfromfile smtpd_recipient_restrictions`"
+# These options can be fatal if no SASL plugins are available!
+if dpkg -L libsasl-modules-plain &> /dev/null; then
+ mkdir -p $confdir/sasl
+ echo "pwcheck_method: pam" >$confdir/sasl/smtpd.conf
+ echo "auto_transition: false" >>$confdir/sasl/smtpd.conf
+ groups postfix | grep shadow &>/dev/null || adduser postfix shadow
+ cp -a $confdir/master.cf $confdir/master.cf.old
+ cat $confdir/master.cf.old | sed \
+ "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \
+ "s/^#?\(\(smtps|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \
+ > $confdir/master.cf
+ postconf -e "smtpd_use_tls = yes"
+ postconf -e "smtpd_tls_auth_only = yes"
+ postconf -e "smtpd_sasl_auth_enable = no"
+ postconf -e "broken_sasl_auth_clients = yes"
+ postconf -e "smtpd_sasl_security_options = noanonymous"
+ postconf -e "smtpd_sasl_local_domain = \$myhostname"
+ postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt"
+ postconf -e "smtpd_tls_key_file = /etc/ssl/certs/postfix.key"
+ postconf -e "tls_random_source = dev:/dev/urandom"
+ postconf -e "tls_daemon_random_source = dev:/dev/urandom"
+fi
+
 /etc/init.d/postfix reload
 # Based on this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
@@ -24,3 +49,5 @@ postconf -e "`getlinesfromfile smtpd_recipient_restrictions`"
 # Here's a convenient overview of different blackholes:
 # http://rbls.org/
+
+# smtpd_tls_CAfile
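Review bot: The `sed` call in the second hunk passes its two expressions as bare positional arguments with no `-e`, so sed takes the second `"s/^#?..."` string as an input file name, ignores the piped `master.cf.old`, and exits non-zero; since stdout is already redirected, `$confdir/master.cf` is left truncated before `set -e` aborts the script (the `cp -a` backup is the only copy left). Both expressions also use ERE tokens (`?`, `|`) inside a BRE script, where GNU sed needs `\?` and `\|`, so the smtps/587 uncomment would not match even once `-e` is added; change the call to `sed -e "s/^\(smtp$sp\+inet…smtpd_sasl_auth_enable=yes/" \` followed by `-e "s/^#\?\(\(smtps\|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \`. Separately, `smtpd_tls_key_file = /etc/ssl/certs/postfix.key` places the private key in a directory that is conventionally world-readable; keeping it under `/etc/ssl/private/` with owner-only permissions, and checking that both the cert and key exist before setting `smtpd_use_tls = yes`, avoids serving TLS with an exposed key or failing at the first STARTTLS. The `if … fi` block is entirely within this hunk.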
diff --git a/postfix/smtpd_recipient_restrictions b/postfix/smtpd_recipient_restrictions
index 890db14..d6ccc21 100644
--- a/postfix/smtpd_recipient_restrictions
+++ b/postfix/smtpd_recipient_restrictions
@@ -1,5 +1,6 @@
 reject_invalid_hostname
 permit_mynetworks # Move this below FQDN-checks on a "true mailhub" - some Debian daemons send to localhost
+permit_sasl_authenticated # Silently ignored if TLS not in use
 reject_non_fqdn_hostname
 reject_non_fqdn_sender
 reject_non_fqdn_recipient