authorJonas Smedegaard <dr@jones.dk>2002-12-30 21:00:51 +0000
committerJonas Smedegaard <dr@jones.dk>2002-12-30 21:00:51 +0000
commit5673d6518b97ab43c21dd423e65345b83fe890d0 (patch)
tree0146e2787efbb6638205e1fef4cbc31b4fffe9cd /postfix
parentaebb64aed4ba08d0f8c021a6282798b9200a1b2b (diff)
Disable TLS caching for now (tlsmgr seems not provided in postfix-tls).
Improve dealing with self-signed certificates and non-conformant key location. Replace double-quotes with single-quotes where possible.
Diffstat (limited to 'postfix')
-rwxr-xr-xpostfix/anti-uce.sh67
1 files changed, 35 insertions, 32 deletions
diff --git a/postfix/anti-uce.sh b/postfix/anti-uce.sh
index 48f8213..233652a 100755
--- a/postfix/anti-uce.sh
+++ b/postfix/anti-uce.sh
@@ -2,19 +2,19 @@
set -e
-paramdir="/etc/local-COMMON/postfix"
-confdir="/etc/postfix"
+paramdir='/etc/local-COMMON/postfix'
+confdir='/etc/postfix'
sp='[[:space:]]'
function getlinesfromfile() {
param="$1"
echo -n "$param = "
- cat $paramdir/$param | grep -v '^#' | sed 's/#.*//' | tr "\n" "," | sed -e 's/^[, ]*//' -e 's/[, ]\+/,/g' -e 's/,$//'
+ cat $paramdir/$param | grep -v '^#' | sed 's/#.*//' | tr '\n' ',' | sed -e 's/^[, ]*//' -e 's/[, ]\+/,/g' -e 's/,$//'
}
# Some badly configured setup use hostname instead of FQDN
if postconf myhostname | grep '.' &> /dev/null; then
- postconf -e "smtpd_helo_required = yes"
+ postconf -e 'smtpd_helo_required = yes'
fi
postconf -e "`getlinesfromfile permit_mx_backup_networks`"
postconf -e "`getlinesfromfile maps_rbl_domains`"
@@ -24,8 +24,8 @@ postconf -e "`getlinesfromfile smtpd_recipient_restrictions`"
# (change the test if using some other modules and avoid the plain ones)
if dpkg -L libsasl-modules-plain &> /dev/null && [ -f /etc/ssl/certs/postfix.pem ]; then
mkdir -p $confdir/sasl
- echo "pwcheck_method: pam" >$confdir/sasl/smtpd.conf
- echo "auto_transition: false" >>$confdir/sasl/smtpd.conf
+ echo 'pwcheck_method: pam' >$confdir/sasl/smtpd.conf
+ echo 'auto_transition: false' >>$confdir/sasl/smtpd.conf
groups postfix | grep shadow &>/dev/null || adduser postfix shadow
# Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy)
cp -a $confdir/master.cf $confdir/master.cf.old
@@ -33,38 +33,41 @@ if dpkg -L libsasl-modules-plain &> /dev/null && [ -f /etc/ssl/certs/postfix.pem
-e "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \
-e "s/^#?\(\(smtps|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \
> $confdir/master.cf
- # Check if using a proper key or just a self-signed one
+ postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem'
+ if [ -f /etc/ssl/private/postfix.pem ]; then
+ postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem'
+ fi
+ postconf -e 'smtpd_tls_loglevel = 1'
+ postconf -e 'smtpd_use_tls = yes'
+# postconf -e 'smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache'
+ postconf -e 'smtpd_tls_auth_only = yes'
+ postconf -e 'smtpd_sasl_auth_enable = no'
+ postconf -e 'smtpd_sasl_security_options = noanonymous'
+ postconf -e 'smtpd_sasl_local_domain = $myhostname'
+ postconf -e 'broken_sasl_auth_clients = yes'
+ postconf -e 'tls_random_source = dev:/dev/urandom'
+ postconf -e 'tls_daemon_random_source = dev:/dev/urandom'
+ # Check if using a proper key exists (not just a self-signed one)
# (it is assumed that a CA certificate is made public if used!)
- if [ -f /etc/ssl/certs/postfix.pem -a -f /etc/ssl/certs/cacert.pem ]; then
- postconf -e "smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem"
- postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem"
- postconf -e "smtpd_tls_key_file = /etc/ssl/private/postfix.pem"
+ if [ -f /etc/ssl/certs/cacert.pem ]; then
+ postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
+ postconf -e 'smtp_tls_CAfile = $smtpd_tls_CAfile'
+ postconf -e 'smtp_tls_cert_file = /etc/ssl/certs/postfix.pem'
# Client side TLS only makes sense if a publicly available certificate is available
# (and DON'T publish a self-signed certificate!)
- postconf -e "smtp_tls_loglevel = 1"
- postconf -e "smtp_use_tls = yes"
- postconf -e "smtp_tls_CApath = /etc/ssl/certs"
- postconf -e "smtp_tls_note_starttls_offer = yes" # Useful when collecting info for smtp_tls_per_site option
- postconf -e "smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache"
+ if [ -f /etc/ssl/private/postfix.pem ]; then
+ postconf -e 'smtp_tls_key_file = $smtpd_tls_key_file'
+ fi
+ postconf -e 'smtp_tls_loglevel = 1'
+ postconf -e 'smtp_use_tls = yes'
+ postconf -e 'smtp_tls_CApath = /etc/ssl/certs'
+ postconf -e 'smtp_tls_note_starttls_offer = yes' # Useful when collecting info for smtp_tls_per_site option
+# postconf -e 'smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache'
# This makes Netscape ask for a certificate, so make sure it IS public!
- postconf -e "smtpd_tls_ask_ccert = yes"
- else
- postconf -e "smtpd_tls_CAfile = /etc/ssl/certs/postfix.pem"
- postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem"
- postconf -e "smtpd_tls_key_file = /etc/ssl/certs/postfix.pem"
+ postconf -e 'smtpd_tls_ask_ccert = yes'
fi
- postconf -e "smtpd_tls_loglevel = 1"
- postconf -e "smtpd_use_tls = yes"
- postconf -e "smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache"
- postconf -e "smtpd_tls_auth_only = yes"
- postconf -e "smtpd_sasl_auth_enable = no"
- postconf -e "smtpd_sasl_security_options = noanonymous"
- postconf -e "smtpd_sasl_local_domain = \$myhostname"
- postconf -e "broken_sasl_auth_clients = yes"
- postconf -e "tls_random_source = dev:/dev/urandom"
- postconf -e "tls_daemon_random_source = dev:/dev/urandom"
else
- echo "TLS not activated - check the script for requirements..."
+ echo 'TLS not activated - check the script for requirements...'
fi
/etc/init.d/postfix reload
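Review bot: The inner `if [ -f /etc/ssl/certs/cacert.pem ]` branch turns on client TLS and client-certificate requests but has no else branch, and `postconf -e` only adds or changes a setting, so on a host where cacert.pem is later removed a re-run leaves `smtp_use_tls = yes` and `smtpd_tls_ask_ccert = yes` from an earlier run in main.cf. Add `else`, `postconf -e 'smtp_use_tls = no'`, `postconf -e 'smtpd_tls_ask_ccert = no'` before that `fi`. The same one-way behaviour applies to the new `smtpd_tls_key_file` and `smtp_tls_key_file` guards: when /etc/ssl/private/postfix.pem is absent a previously written value is never reverted, and if no value was ever written Postfix presumably falls back to the cert file, which means the private key lives under /etc/ssl/certs — worth a comment such as `# no separate key: Postfix uses the cert file as key, so /etc/ssl/certs/postfix.pem must not be world-readable`. The new comment `# Check if using a proper key exists (not just a self-signed one)` is garbled; `# Check whether a CA certificate exists (i.e. the key is not just self-signed)` describes the test that follows. The enclosing `if dpkg -L libsasl-modules-plain ...` block begins in the previous hunk.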