diff options
| author | Jonas Smedegaard <dr@jones.dk> | 2012-03-25 22:51:47 +0200 |
|---|---|---|
| committer | Jonas Smedegaard <dr@jones.dk> | 2012-03-26 00:34:47 +0200 |
| commit | e4eaf35fc83fb8b4d269067fa3b7f505480b3778 (patch) | |
| tree | 0d374d3eab93c15d676ae09fbc5e92da17233a6c /postfix | |
| parent | dda87f40a4db6426400507d46ccdca1cf96fbbe8 (diff) | |
Fix support TLS without SASL: apparently stem from unreliable TLS implementation in Postfix <2.2. Improve warnings.
Diffstat (limited to 'postfix')
| -rwxr-xr-x | postfix/postfix.sh | 32 |
1 files changed, 16 insertions, 16 deletions
diff --git a/postfix/postfix.sh b/postfix/postfix.sh index 8ba2042..dfbc32a 100755 --- a/postfix/postfix.sh +++ b/postfix/postfix.sh @@ -53,21 +53,23 @@ fi # exit1 "ERROR: Greylisting support (Debian package postgrey) missing." #fi # FIXME: We really want to check for at least 2.1.1 but that's tricky... -sasl2= -if saslauthd -v 2>&1 | grep -q '^saslauthd 2.1'; then - sasl2=1 -else - echo >&2 "WARNING: Encryption requires sasl tools 2.1.1 (Debian package sasl2-bin)." -fi -saslsubdir="sasl" - sslcert= -if [ -n "$sasl2" ] && [ -f /etc/ssl/certs/postfix.pem ]; then +if [ -f /etc/ssl/certs/postfix.pem ]; then sslcert=1 else - echo >&2 "WARNING: Encryption requires SSL certificate at /etc/ssl/certs/postfix.pem." + echo >&2 "WARNING: TLS encryption requires SSL certificate at /etc/ssl/certs/postfix.pem." fi - +sasl2= +if [ -n "$sslcert" ]; then + if saslauthd -v 2>&1 | grep -q '^saslauthd 2.1'; then + sasl2=1 + else + echo >&2 "WARNING: SASL authentication requires sasl tools 2.1.1 (Debian package sasl2-bin)." + fi +else + echo >&2 "WARNING: SASL authentication requires TLS encryption." +fi +saslsubdir="sasl" amavis= if [ -x /usr/sbin/amavisd ] || [ -x /usr/sbin/amavisd-new ]; then amavis=1 @@ -209,9 +211,7 @@ $postconf -c "$tempdir" -e "unverified_sender_reject_code = 550" # Trust recipient verification too $postconf -c "$tempdir" -e "unverified_recipient_reject_code = 550" -# TLS breaks postfix if no SASL modules available (and doesn't make sense either) -# (change the test if using some other modules and avoid the plain ones) -if [ -n "$sasl2" ] && [ -n "$sslcert" ]; then +if [ -n "$sasl2" ]; then mkdir -p "$tempdir/$saslsubdir" echo 'mech_list: plain login' > "$tempdir/$saslsubdir/smtpd.conf" echo 'minimum_layer: 0' >> "$tempdir/$saslsubdir/smtpd.conf" @@ -226,6 +226,8 @@ if [ -n "$sasl2" ] && [ -n "$sslcert" ]; then "$tempdir/master.cf" cat $tempdir/master.cf | egrep -q "^tlsmgr$sp" || \ echo 'tlsmgr unix - - - 300 1 tlsmgr' >> $tempdir/master.cf +fi +if [ -n "$sslcert" ]; then $postconf -c "$tempdir" -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem' $postconf -c "$tempdir" -e 'smtpd_tls_loglevel = 1' $postconf -c "$tempdir" -e 'smtpd_use_tls = yes' @@ -266,8 +268,6 @@ if [ -n "$sasl2" ] && [ -n "$sslcert" ]; then $postconf -c "$tempdir" -e 'smtp_use_tls = no' echo >&2 "WARNING: Private certificate not found - client side TLS not enabled!" fi -else - echo >&2 'WARNING: TLS not activated due to missing requirements...' fi if [ -n "$amavis" ]; then |