author | Jonas Smedegaard <dr@jones.dk> | 2012-03-25 22:51:47 +0200 |
---|---|---|
committer | Jonas Smedegaard <dr@jones.dk> | 2012-03-26 00:34:47 +0200 |
commit | e4eaf35fc83fb8b4d269067fa3b7f505480b3778 (patch) | |
tree | 0d374d3eab93c15d676ae09fbc5e92da17233a6c | |
parent | dda87f40a4db6426400507d46ccdca1cf96fbbe8 (diff) |
Fix support TLS without SASL: apparently stem from unreliable TLS implementation in Postfix <2.2. Improve warnings.
-rwxr-xr-x | postfix/postfix.sh | 32 |
1 files changed, 16 insertions, 16 deletions
diff --git a/postfix/postfix.sh b/postfix/postfix.sh
index 8ba2042..dfbc32a 100755
--- a/postfix/postfix.sh
+++ b/postfix/postfix.sh
@@ -53,21 +53,23 @@ fi
 # exit1 "ERROR: Greylisting support (Debian package postgrey) missing."
 #fi
 # FIXME: We really want to check for at least 2.1.1 but that's tricky...
-sasl2=
-if saslauthd -v 2>&1 | grep -q '^saslauthd 2.1'; then
- sasl2=1
-else
- echo >&2 "WARNING: Encryption requires sasl tools 2.1.1 (Debian package sasl2-bin)."
-fi
-saslsubdir="sasl"
-
 sslcert=
-if [ -n "$sasl2" ] && [ -f /etc/ssl/certs/postfix.pem ]; then
+if [ -f /etc/ssl/certs/postfix.pem ]; then
 sslcert=1
 else
- echo >&2 "WARNING: Encryption requires SSL certificate at /etc/ssl/certs/postfix.pem."
+ echo >&2 "WARNING: TLS encryption requires SSL certificate at /etc/ssl/certs/postfix.pem."
 fi
-
+sasl2=
+if [ -n "$sslcert" ]; then
+ if saslauthd -v 2>&1 | grep -q '^saslauthd 2.1'; then
+ sasl2=1
+ else
+ echo >&2 "WARNING: SASL authentication requires sasl tools 2.1.1 (Debian package sasl2-bin)."
+ fi
+else
+ echo >&2 "WARNING: SASL authentication requires TLS encryption."
+fi
+saslsubdir="sasl"
 amavis=
 if [ -x /usr/sbin/amavisd ] || [ -x /usr/sbin/amavisd-new ]; then
 amavis=1
@@ -209,9 +211,7 @@ $postconf -c "$tempdir" -e "unverified_sender_reject_code = 550"
 # Trust recipient verification too
 $postconf -c "$tempdir" -e "unverified_recipient_reject_code = 550"
-# TLS breaks postfix if no SASL modules available (and doesn't make sense either)
-# (change the test if using some other modules and avoid the plain ones)
-if [ -n "$sasl2" ] && [ -n "$sslcert" ]; then
+if [ -n "$sasl2" ]; then
 mkdir -p "$tempdir/$saslsubdir"
 echo 'mech_list: plain login' > "$tempdir/$saslsubdir/smtpd.conf"
 echo 'minimum_layer: 0' >> "$tempdir/$saslsubdir/smtpd.conf"
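Review bot: The certificate gate in the first hunk, `if [ -f /etc/ssl/certs/postfix.pem ]; then`, only proves that a regular file exists, yet after this change it alone decides whether TLS is configured and, through `$sslcert`, whether SASL is probed at all. An empty or unreadable file would still set `sslcert=1`, and the TLS and SASL settings further down would be written on that basis. Consider tightening the test to `if [ -s /etc/ssl/certs/postfix.pem ] && [ -r /etc/ssl/certs/postfix.pem ]; then`, so that the warning fires for a placeholder file as well.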
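Review bot: The rewritten guard `if [ -n "$sasl2" ]; then` in the second hunk (@@ -209,9 +211,7 @@) loses the comment that explained it, and the fact that `$sasl2` can only be set when `$sslcert` is set is now established solely by the detection code in the first hunk. I would add a comment above the guard such as `# $sasl2 implies $sslcert (see detection above): PLAIN/LOGIN are only configured when a TLS certificate is present`. Because the block writes `mech_list: plain login`, it is also worth confirming that AUTH is offered only inside TLS sessions (for example with `smtpd_tls_auth_only`); that setting is not visible here, and the block continues past the end of the hunk.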
@@ -226,6 +226,8 @@ if [ -n "$sasl2" ] && [ -n "$sslcert" ]; then
 "$tempdir/master.cf"
 cat $tempdir/master.cf | egrep -q "^tlsmgr$sp" || \
 echo 'tlsmgr unix - - - 300 1 tlsmgr' >> $tempdir/master.cf
+fi
+if [ -n "$sslcert" ]; then
 $postconf -c "$tempdir" -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem'
 $postconf -c "$tempdir" -e 'smtpd_tls_loglevel = 1'
 $postconf -c "$tempdir" -e 'smtpd_use_tls = yes'
@@ -266,8 +268,6 @@ if [ -n "$sasl2" ] && [ -n "$sslcert" ]; then
 $postconf -c "$tempdir" -e 'smtp_use_tls = no'
 echo >&2 "WARNING: Private certificate not found - client side TLS not enabled!"
 fi
-else
- echo >&2 'WARNING: TLS not activated due to missing requirements...'
 fi
 if [ -n "$amavis" ]; then |
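Review bot: In the @@ -226,6 +226,8 @@ hunk the added `fi` / `if [ -n "$sslcert" ]; then` pair sits after the two lines that append the `tlsmgr` service to `master.cf`, so that step stays inside the `$sasl2` block. As far as the hunk shows, a host with a certificate but without saslauthd, which is the case this commit sets out to support, would get `smtpd_use_tls = yes` without the script ensuring a `tlsmgr` entry. I would move the `egrep -q "^tlsmgr$sp"` check and its `echo ... >> $tempdir/master.cf` below the new `if [ -n "$sslcert" ]; then`, and quote `"$tempdir/master.cf"` there as the line above already does. The command that ends in `"$tempdir/master.cf"` starts outside the hunk, so whether it also belongs to the TLS part cannot be judged from here.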