1 files changed, 27 insertions, 0 deletions

diff --git a/postfix/anti-uce.sh b/postfix/anti-uce.sh
index 2aaf068..fc7ecf9 100755
--- a/postfix/anti-uce.sh
+++ b/postfix/anti-uce.sh
@@ -3,6 +3,8 @@
 set -e
 
 paramdir="/etc/local-COMMON/postfix"
+confdir="/etc/postfix"
+sp='[[:space:]]'
 
 function getlinesfromfile() {
 	param="$1"
@@ -15,6 +17,29 @@ postconf -e "`getlinesfromfile permit_mx_backup_networks`"
 postconf -e "`getlinesfromfile maps_rbl_domains`"
 postconf -e "`getlinesfromfile smtpd_recipient_restrictions`"
 
+# These options can be fatal if no SASL plugins are available!
+if dpkg -L libsasl-modules-plain &> /dev/null; then
+	mkdir -p $confdir/sasl
+	echo "pwcheck_method: pam" >$confdir/sasl/smtpd.conf
+	echo "auto_transition: false" >>$confdir/sasl/smtpd.conf
+	groups postfix | grep shadow &>/dev/null || adduser postfix shadow
+	cp -a $confdir/master.cf $confdir/master.cf.old
+	cat $confdir/master.cf.old | sed \
+		"s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \
+		"s/^#?\(\(smtps|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \
+		> $confdir/master.cf
+	postconf -e "smtpd_use_tls = yes"
+	postconf -e "smtpd_tls_auth_only = yes"
+	postconf -e "smtpd_sasl_auth_enable = no"
+	postconf -e "broken_sasl_auth_clients = yes"
+	postconf -e "smtpd_sasl_security_options = noanonymous"
+	postconf -e "smtpd_sasl_local_domain = \$myhostname"
+	postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt"
+	postconf -e "smtpd_tls_key_file = /etc/ssl/certs/postfix.key"
+	postconf -e "tls_random_source = dev:/dev/urandom"
+	postconf -e "tls_daemon_random_source = dev:/dev/urandom"
+fi
+
 /etc/init.d/postfix reload
 
 # Based on this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
@@ -24,3 +49,5 @@ postconf -e "`getlinesfromfile smtpd_recipient_restrictions`"
 
 # Here's a convenient overview of different blackholes:
 #   http://rbls.org/
+
+# smtpd_tls_CAfile