diff options
| author | Jonas Smedegaard <dr@jones.dk> | 2012-03-23 18:01:46 +0100 |
|---|---|---|
| committer | Jonas Smedegaard <dr@jones.dk> | 2012-03-23 18:01:46 +0100 |
| commit | 848ba521cc4a812aef5d194fa007a5e6c8dd14ce (patch) | |
| tree | 258702ad765b925dfe5f0f77cb25855edd603c82 /postfix | |
| parent | 23bb5f347ff95858dfd632f29266c541914b985d (diff) | |
Stop checking for cacert.pem file, and tidy when to apply which TLS settings.
Diffstat (limited to 'postfix')
| -rwxr-xr-x | postfix/postfix.sh | 34 |
1 files changed, 14 insertions, 20 deletions
diff --git a/postfix/postfix.sh b/postfix/postfix.sh index 21e6458..7d4b3ec 100755 --- a/postfix/postfix.sh +++ b/postfix/postfix.sh @@ -24,6 +24,10 @@ exit1() { exit 1 } +# Favor specific CA for our own server and client certificates +# (comment out to trust any CA) +cacert="/etc/ssl/certs/cacert.org.pem" + realmsdir='/etc/local-REDPILL' configdirs='/etc/local/postfix /etc/local-ORG/postfix /etc/local-REDPILL/postfix /etc/local-COMMON/postfix' confdir='/etc/postfix' @@ -217,15 +221,13 @@ if [ -n "$sasl2" ] && [ -n "$sslcert" ]; then cat $tempdir/master.cf | egrep -q "^tlsmgr$sp" || \ echo 'tlsmgr unix - - - 300 1 tlsmgr' >> $tempdir/master.cf $postconf -c "$tempdir" -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem' - if [ -f /etc/ssl/private/postfix.pem ]; then - $postconf -c "$tempdir" -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem' - fi $postconf -c "$tempdir" -e 'smtpd_tls_loglevel = 1' $postconf -c "$tempdir" -e 'smtpd_use_tls = yes' $postconf -c "$tempdir" -e 'smtp_tls_CApath = /etc/ssl/certs' $postconf -c "$tempdir" -e 'smtpd_tls_CApath = /etc/ssl/certs' $postconf -c "$tempdir" -e 'lmtp_tls_CApath = /etc/ssl/certs' - $postconf -c "$tempdir" -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem' + $postconf -c "$tempdir" -e smtpd_tls_CAfile="$cacert" + $postconf -c "$tempdir" -e smtp_tls_CAfile= $postconf -c "$tempdir" -e 'smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache' $postconf -c "$tempdir" -e 'smtpd_tls_session_cache_timeout = 3600s' $postconf -c "$tempdir" -e 'tls_random_exchange_name = ${data_directory}/prng_exch' @@ -237,31 +239,25 @@ if [ -n "$sasl2" ] && [ -n "$sslcert" ]; then $postconf -c "$tempdir" -e 'broken_sasl_auth_clients = yes' $postconf -c "$tempdir" -e 'tls_random_source = dev:/dev/urandom' $postconf -c "$tempdir" -e 'tls_daemon_random_source = dev:/dev/urandom' - # Check if using a proper key exists (not just a self-signed one) - # (it is assumed that a CA certificate is made public if used!) - if [ -f /etc/ssl/certs/cacert.pem ]; then - $postconf -c "$tempdir" -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem' - # Client side TLS only makes sense if a publicly available certificate is available - # (and DON'T publish a self-signed certificate!) - $postconf -c "$tempdir" -e 'smtp_tls_CAfile = /etc/ssl/certs/cacert.pem' + # Accepting client certificates breaks SMTP AUTH on OutLook Express on Mac (Classic) + $postconf -c "$tempdir" -e 'smtpd_tls_ask_ccert = no' + if [ -e /etc/ssl/private/postfix.pem ]; then + $postconf -c "$tempdir" -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem' + # Enable client side TLS only when private certificate is present $postconf -c "$tempdir" -e 'smtp_tls_cert_file = /etc/ssl/certs/postfix.pem' - if [ -f /etc/ssl/private/postfix.pem ]; then - $postconf -c "$tempdir" -e 'smtp_tls_key_file = /etc/ssl/private/postfix.pem' - fi + $postconf -c "$tempdir" -e 'smtp_tls_key_file = /etc/ssl/private/postfix.pem' $postconf -c "$tempdir" -e 'smtp_tls_loglevel = 1' $postconf -c "$tempdir" -e 'smtp_use_tls = yes' - $postconf -c "$tempdir" -e 'smtp_tls_CApath = /etc/ssl/certs' $postconf -c "$tempdir" -e 'smtp_tls_note_starttls_offer = no' # Enable to collect info for smtp_tls_per_site option $postconf -c "$tempdir" -e 'smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache' - # Accepting client certificates breaks SMTP AUTH on OutLook Express on Mac (Classic) - $postconf -c "$tempdir" -e 'smtpd_tls_ask_ccert = no' # Force using TLS for peers catallfilesfromotherrealms mailhost | sort | sed 's/^/[/;s/$/]:submission secure/' > "$tempdir/tls_policy" [ ! -f "$tempdir/tls_policy.addon" ] || cat "$tempdir/tls_policy.addon" >> "$tempdir/tls_policy" postmapfiles="$postmapfiles tls_policy" $postconf -c "$tempdir" -e "smtp_tls_policy_maps = hash:$confdir/tls_policy" else - echo >&2 "WARNING: CA certificate not found - consider using proper signed certificates!" + $postconf -c "$tempdir" -e 'smtp_use_tls = no' + echo >&2 "WARNING: Private certificate not found - client side TLS not enabled!" fi else echo >&2 'WARNING: TLS not activated due to missing requirements...' @@ -393,5 +389,3 @@ fi # Here's a convenient overview of different blackholes: # http://rbls.org/ - -# smtpd_tls_CAfile |