authorJonas Smedegaard <dr@jones.dk>2002-12-30 20:18:46 +0000
committerJonas Smedegaard <dr@jones.dk>2002-12-30 20:18:46 +0000
commitd181eb2c0767717dad2b56d8af6bb062d54e89cd (patch)
tree752adcf1c871ac8a6f9b84bad2aff2320ee7852d
parent45279a6d28018e87133d243a4fcb3539bf0d6e7d (diff)
Rearrange options. Add client side TLS support and generally improve TLS options. More comments.
-rwxr-xr-xpostfix/anti-uce.sh37
1 files changed, 31 insertions, 6 deletions
diff --git a/postfix/anti-uce.sh b/postfix/anti-uce.sh
index 4913523..b80e2fe 100755
--- a/postfix/anti-uce.sh
+++ b/postfix/anti-uce.sh
@@ -12,30 +12,55 @@ function getlinesfromfile() {
cat $paramdir/$param | grep -v '^#' | sed 's/#.*//' | tr "\n" "," | sed -e 's/^[, ]*//' -e 's/[, ]\+/,/g' -e 's/,$//'
}
-postconf -e "smtpd_helo_required = yes"
+# Some badly configured setup use hostname instead of FQDN
+if postconf myhostname | grep '.' &> /dev/null; then
+ postconf -e "smtpd_helo_required = yes"
+fi
postconf -e "`getlinesfromfile permit_mx_backup_networks`"
postconf -e "`getlinesfromfile maps_rbl_domains`"
postconf -e "`getlinesfromfile smtpd_recipient_restrictions`"
-# These options can be fatal if no SASL plugins are available!
-if dpkg -L libsasl-modules-plain &> /dev/null && [ -f /etc/ssl/certs/postfix.crt -a -f /etc/ssl/certs/postfix.key; then
+# TLS breaks postfix if no SASL modules available (and doesn't make sense either)
+# (change the test if using some other modules and avoid the plain ones)
+if dpkg -L libsasl-modules-plain &> /dev/null && [ -f /etc/ssl/certs/postfix.pem]; then
mkdir -p $confdir/sasl
echo "pwcheck_method: pam" >$confdir/sasl/smtpd.conf
echo "auto_transition: false" >>$confdir/sasl/smtpd.conf
groups postfix | grep shadow &>/dev/null || adduser postfix shadow
+ # Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy)
cp -a $confdir/master.cf $confdir/master.cf.old
cat $confdir/master.cf.old | sed \
-e "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \
-e "s/^#?\(\(smtps|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \
> $confdir/master.cf
+ # Check if using a proper key or just a self-signed one
+ # (it is assumed that a CA certificate is made public if used!)
+ if [ -f /etc/ssl/certs/postfix.pem -a -f /etc/ssl/certs/cacert.pem]; then
+ postconf -e "smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem"
+ postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem"
+ postconf -e "smtpd_tls_key_file = /etc/ssl/private/postfix.pem"
+ # Client side TLS only makes sense if a publicly available certificate is available
+ # (and DON'T publish a self-signed certificate!)
+ postconf -e "smtp_tls_loglevel = 1"
+ postconf -e "smtp_use_tls = yes"
+ postconf -e "smtp_tls_CApath = /etc/ssl/certs"
+ postconf -e "smtp_tls_note_starttls_offer = yes" # Useful when collecting info for smtp_tls_per_site option
+ postconf -e "smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache"
+ # This makes Netscape ask for a certificate, so make sure it IS public!
+ postconf -e "smtpd_tls_ask_ccert = yes"
+ else
+ postconf -e "smtpd_tls_CAfile = /etc/ssl/certs/postfix.pem"
+ postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem"
+ postconf -e "smtpd_tls_key_file = /etc/ssl/certs/postfix.pem"
+ fi
+ postconf -e "smtpd_tls_loglevel = 1"
postconf -e "smtpd_use_tls = yes"
+ postconf -e "smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache"
postconf -e "smtpd_tls_auth_only = yes"
postconf -e "smtpd_sasl_auth_enable = no"
- postconf -e "broken_sasl_auth_clients = yes"
postconf -e "smtpd_sasl_security_options = noanonymous"
postconf -e "smtpd_sasl_local_domain = \$myhostname"
- postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt"
- postconf -e "smtpd_tls_key_file = /etc/ssl/certs/postfix.key"
+ postconf -e "broken_sasl_auth_clients = yes"
postconf -e "tls_random_source = dev:/dev/urandom"
postconf -e "tls_daemon_random_source = dev:/dev/urandom"
else