diff options
| author | Jonas Smedegaard <dr@jones.dk> | 2020-10-08 21:21:57 +0200 |
|---|---|---|
| committer | Jonas Smedegaard <dr@jones.dk> | 2020-10-08 21:21:57 +0200 |
| commit | f1a8980317b99470271f5eb5c1424f1622377637 (patch) | |
| tree | 55833ffb6010582111125fe9e190c0b818c41487 /postfix | |
| parent | 77e621049f1970fc615db7c2d997c52f837b4990 (diff) | |
modernize TLS settings
Diffstat (limited to 'postfix')
| -rwxr-xr-x | postfix/postfix.sh | 105 |
1 files changed, 54 insertions, 51 deletions
diff --git a/postfix/postfix.sh b/postfix/postfix.sh index 78eed19..1160f76 100755 --- a/postfix/postfix.sh +++ b/postfix/postfix.sh @@ -29,16 +29,6 @@ exit1() { exit 1 } -# Favor specific CA for our own server and client certificates -# (comment out to trust any CA) -#cacert_smtpd="/etc/ssl/certs/cacert.org.pem" -cacert_smtp= -cacert_lmtp= - -# File containing all trusted CA certificates -# (comment out if no chroot or it contains all individual files) -cacert_default="/etc/ssl/certs/ca-certificates.crt" - realmsdir='/etc/local-REDPILL' configdirs='/etc/local /etc/local-ORG /etc/local-REDPILL /etc/local-COMMON' confdir='/etc/postfix' @@ -70,14 +60,14 @@ if [ -x /usr/sbin/dovecot ]; then else warn "Dovecot missing - (Debian package dovecot-core or dovecot)." fi -sslcert= -if [ -f /etc/ssl/certs/postfix.pem ]; then - sslcert=1 +tls_cert= +if [ -f /etc/ssl/certs/postfix.pem ] && [ -f /etc/ssl/private/postfix.pem ]; then + tls_cert=1 else - warn "No TLS encryption - requires SSL certificate at /etc/ssl/certs/postfix.pem." + warn "No TLS encryption - requires SSL certificate at /etc/ssl/certs/postfix.pem and private key at /etc/ssl/private/postfix.pem." fi sasl= -if [ -n "$sslcert" ] && [ -n "$dovecot" ]; then +if [ -n "$tls_cert" ] && [ -n "$dovecot" ]; then sasl=1 else warn "No SASL authentication - requires TLS encryption and Dovecot." @@ -272,54 +262,66 @@ else $postconf -c "$tempdir" -X mailbox_transport $postconf -c "$tempdir" -X mailbox_command fi -if [ -n "$sasl" ]; then - $postconf -c "$tempdir" -e smtpd_sasl_type=dovecot - $postconf -c "$tempdir" -e smtpd_sasl_path=private/auth -fi -if [ -n "$sslcert" ]; then + +# outbound opportunistic encryption +$postconf -c "$tempdir" -e smtp_tls_security_level=may +$postconf -c "$tempdir" -e smtp_tls_cert_file=/etc/ssl/certs/postfix.pem +$postconf -c "$tempdir" -e smtp_tls_key_file=/etc/ssl/private/postfix.pem +$postconf -c "$tempdir" -e smtp_tls_loglevel=1 + +# Force TLS towards peers +catallfilesfromotherrealms mailhost | sort | sed 's/^/[/;s/$/]:submission secure/' > "$tempdir/tls_policy" +[ ! -f "$tempdir/tls_policy.addon" ] || cat "$tempdir/tls_policy.addon" >> "$tempdir/tls_policy" +postmapfiles="$postmapfiles tls_policy" +$postconf -c "$tempdir" -e smtp_tls_policy_maps="hash:$confdir/tls_policy" + +# inbound opportunistic encryption +if [ -n "$tls_cert" ]; then + $postconf -c "$tempdir" -e smtpd_tls_security_level=may $postconf -c "$tempdir" -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem' + $postconf -c "$tempdir" -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem' $postconf -c "$tempdir" -e 'smtpd_tls_loglevel = 1' - $postconf -c "$tempdir" -e 'smtpd_use_tls = yes' - $postconf -c "$tempdir" -e 'smtp_tls_CApath = /etc/ssl/certs' - $postconf -c "$tempdir" -e 'lmtp_tls_CApath = /etc/ssl/certs' - $postconf -c "$tempdir" -e smtp_tls_CAfile="${cacert_smtp:-$cacert_default}" - $postconf -c "$tempdir" -e lmtp_tls_CAfile="${cacert_lmtp:-$cacert_default}" - $postconf -c "$tempdir" -e 'smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache' - $postconf -c "$tempdir" -e 'smtpd_tls_session_cache_timeout = 3600s' - $postconf -c "$tempdir" -e 'tls_random_exchange_name = ${data_directory}/prng_exch' $postconf -c "$tempdir" -e 'smtpd_tls_auth_only = yes' - $postconf -c "$tempdir" -e 'smtpd_sasl_auth_enable = no' # SASL is enabled explicitly with TLS transport - $postconf -c "$tempdir" -e 'smtpd_sasl_security_options = noanonymous' $postconf -c "$tempdir" -e 'smtpd_tls_received_header = yes' - $postconf -c "$tempdir" -e 'broken_sasl_auth_clients = yes' - $postconf -c "$tempdir" -e 'tls_random_source = dev:/dev/urandom' - # Accepting client certificates breaks SMTP AUTH on OutLook Express on Mac (Classic) - $postconf -c "$tempdir" -e 'smtpd_tls_ask_ccert = no' - if [ -e /etc/ssl/private/postfix.pem ]; then - $postconf -c "$tempdir" -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem' - # Enable client side TLS only when private certificate is present - $postconf -c "$tempdir" -e 'smtp_tls_cert_file = /etc/ssl/certs/postfix.pem' - $postconf -c "$tempdir" -e 'smtp_tls_key_file = /etc/ssl/private/postfix.pem' - $postconf -c "$tempdir" -e 'smtp_tls_loglevel = 1' - $postconf -c "$tempdir" -e 'smtp_use_tls = yes' - $postconf -c "$tempdir" -e 'smtp_tls_note_starttls_offer = no' # Enable to collect info for smtp_tls_per_site option - $postconf -c "$tempdir" -e 'smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache' - # Force using TLS for peers - catallfilesfromotherrealms mailhost | sort | sed 's/^/[/;s/$/]:submission secure/' > "$tempdir/tls_policy" - [ ! -f "$tempdir/tls_policy.addon" ] || cat "$tempdir/tls_policy.addon" >> "$tempdir/tls_policy" - postmapfiles="$postmapfiles tls_policy" - $postconf -c "$tempdir" -e "smtp_tls_policy_maps = hash:$confdir/tls_policy" + if [ -n "$sasl" ]; then + $postconf -c "$tempdir" -e smtpd_sasl_type=dovecot + $postconf -c "$tempdir" -e smtpd_sasl_path=private/auth + $postconf -c "$tempdir" -e broken_sasl_auth_clients=yes else - $postconf -c "$tempdir" -e 'smtp_use_tls = no' - warn "No client-side TLS - requires private SSL certificate at /etc/ssl/private/postfix.pem." + $postconf -c "$tempdir" -X smtpd_sasl_type + $postconf -c "$tempdir" -X smtpd_sasl_path + $postconf -c "$tempdir" -X broken_sasl_auth_clients fi +else + $postconf -c "$tempdir" -e smtpd_tls_security_level=none + $postconf -c "$tempdir" -X smtpd_tls_cert_file + $postconf -c "$tempdir" -X smtpd_tls_key_file + $postconf -c "$tempdir" -X smtpd_tls_loglevel + $postconf -c "$tempdir" -X smtpd_tls_auth_only + $postconf -c "$tempdir" -X smtpd_tls_received_header fi -$postconf -c "$tempdir" -X smtpd_sasl_local_domain # Avoid smtpd_tls_CApath or smtpd_tls_CAfile to trick outlook.com # See <http://postfix.1071664.n5.nabble.com/Problems-with-incoming-mails-from-outlook-com-td78356.html> $postconf -c "$tempdir" -X smtpd_tls_CApath $postconf -c "$tempdir" -X smtpd_tls_CAfile +# obsolete TLS-related settings +$postconf -c "$tempdir" -X smtpd_use_tls +$postconf -c "$tempdir" -X smtp_tls_CApath +$postconf -c "$tempdir" -X lmtp_tls_CApath +$postconf -c "$tempdir" -X smtp_tls_CAfile +$postconf -c "$tempdir" -X lmtp_tls_CAfile +$postconf -c "$tempdir" -X smtpd_sasl_auth_enable +$postconf -c "$tempdir" -X smtpd_sasl_security_options +$postconf -c "$tempdir" -X smtpd_tls_ask_ccert +$postconf -c "$tempdir" -X smtp_tls_note_starttls_offer +$postconf -c "$tempdir" -X smtpd_sasl_local_domain +$postconf -c "$tempdir" -X smtpd_tls_session_cache_database +$postconf -c "$tempdir" -X smtpd_tls_session_cache_timeout +$postconf -c "$tempdir" -X smtp_tls_session_cache_database +$postconf -c "$tempdir" -X tls_random_exchange_name +$postconf -c "$tempdir" -X tls_random_source + if [ -n "$amavis" ]; then $postconf -c "$tempdir" -e 'max_use = 10' # Avoid too much reuse amavis_maxproc=$(getperlvarfromfile max_servers "$default_amavis_maxproc" amavisd.conf.addon amavis) @@ -454,6 +456,7 @@ fi # spam filter based on these: http://www.postfix.org/FILTER_README.html # https://www.ijs.si/software/amavisd/amavisd-new-docs.html # AUTH-SMTP based on this: http://www.postfix.org/SASL_README.html +# TLS based on this: http://www.postfix.org/TLS_README.html # Here's a convenient overview of different blackholes: # http://rbls.org/ |