diff options
Diffstat (limited to 'postfix/anti-uce.sh')
| -rwxr-xr-x | postfix/anti-uce.sh | 37 |
1 files changed, 31 insertions, 6 deletions
diff --git a/postfix/anti-uce.sh b/postfix/anti-uce.sh index 4913523..b80e2fe 100755 --- a/postfix/anti-uce.sh +++ b/postfix/anti-uce.sh @@ -12,30 +12,55 @@ function getlinesfromfile() { cat $paramdir/$param | grep -v '^#' | sed 's/#.*//' | tr "\n" "," | sed -e 's/^[, ]*//' -e 's/[, ]\+/,/g' -e 's/,$//' } -postconf -e "smtpd_helo_required = yes" +# Some badly configured setup use hostname instead of FQDN +if postconf myhostname | grep '.' &> /dev/null; then + postconf -e "smtpd_helo_required = yes" +fi postconf -e "`getlinesfromfile permit_mx_backup_networks`" postconf -e "`getlinesfromfile maps_rbl_domains`" postconf -e "`getlinesfromfile smtpd_recipient_restrictions`" -# These options can be fatal if no SASL plugins are available! -if dpkg -L libsasl-modules-plain &> /dev/null && [ -f /etc/ssl/certs/postfix.crt -a -f /etc/ssl/certs/postfix.key; then +# TLS breaks postfix if no SASL modules available (and doesn't make sense either) +# (change the test if using some other modules and avoid the plain ones) +if dpkg -L libsasl-modules-plain &> /dev/null && [ -f /etc/ssl/certs/postfix.pem]; then mkdir -p $confdir/sasl echo "pwcheck_method: pam" >$confdir/sasl/smtpd.conf echo "auto_transition: false" >>$confdir/sasl/smtpd.conf groups postfix | grep shadow &>/dev/null || adduser postfix shadow + # Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy) cp -a $confdir/master.cf $confdir/master.cf.old cat $confdir/master.cf.old | sed \ -e "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \ -e "s/^#?\(\(smtps|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \ > $confdir/master.cf + # Check if using a proper key or just a self-signed one + # (it is assumed that a CA certificate is made public if used!) + if [ -f /etc/ssl/certs/postfix.pem -a -f /etc/ssl/certs/cacert.pem]; then + postconf -e "smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem" + postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem" + postconf -e "smtpd_tls_key_file = /etc/ssl/private/postfix.pem" + # Client side TLS only makes sense if a publicly available certificate is available + # (and DON'T publish a self-signed certificate!) + postconf -e "smtp_tls_loglevel = 1" + postconf -e "smtp_use_tls = yes" + postconf -e "smtp_tls_CApath = /etc/ssl/certs" + postconf -e "smtp_tls_note_starttls_offer = yes" # Useful when collecting info for smtp_tls_per_site option + postconf -e "smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache" + # This makes Netscape ask for a certificate, so make sure it IS public! + postconf -e "smtpd_tls_ask_ccert = yes" + else + postconf -e "smtpd_tls_CAfile = /etc/ssl/certs/postfix.pem" + postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem" + postconf -e "smtpd_tls_key_file = /etc/ssl/certs/postfix.pem" + fi + postconf -e "smtpd_tls_loglevel = 1" postconf -e "smtpd_use_tls = yes" + postconf -e "smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache" postconf -e "smtpd_tls_auth_only = yes" postconf -e "smtpd_sasl_auth_enable = no" - postconf -e "broken_sasl_auth_clients = yes" postconf -e "smtpd_sasl_security_options = noanonymous" postconf -e "smtpd_sasl_local_domain = \$myhostname" - postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt" - postconf -e "smtpd_tls_key_file = /etc/ssl/certs/postfix.key" + postconf -e "broken_sasl_auth_clients = yes" postconf -e "tls_random_source = dev:/dev/urandom" postconf -e "tls_daemon_random_source = dev:/dev/urandom" else |