From c363e24861017d92bacba3ced10545d5b7defb33 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Sun, 11 Oct 2020 02:27:03 +0200
Subject: modernize to use TLS_CHAIN_FILES (not TLS_CERT TLS_KEY)
---
 postfix/postfix.sh | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
(limited to 'postfix')
diff --git a/postfix/postfix.sh b/postfix/postfix.sh
index e3c5d54..d91d71f 100755
--- a/postfix/postfix.sh
+++ b/postfix/postfix.sh
@@ -5,6 +5,8 @@
 #
 # Auto-tweak plain installed postfix Debian package
 #
+# Depends: postfix (>= 3.4)
+#
 # TODO:
 # * Implement stuff from here: http://www.wsrcc.com/spam/
 # * Implement stuff from here: http://www.muine.org/~hoang/postfix.html
@@ -33,8 +35,7 @@ REDPILL=${REDPILL:-REDPILL}
 REALM=${REALM:-ORG}
 # superseded by redpill config mailhost
-TLS_CERT=${TLS_CERT:-/etc/ssl/certs/postfix.pem}
-TLS_KEY=${TLS_KEY:-/etc/ssl/private/postfix.pem}
+TLS_CHAIN_FILES=${TLS_CHAIN_FILES:-}
 # TODO: maybe use AMaViS default of 20 (and instead tune spamassassin)
 #
@@ -160,12 +161,11 @@ else
 warn "Dovecot missing - (Debian package dovecot-core or dovecot)."
 fi
 ENABLE_TLS=
-[ -z "$thismailhost" ] || TLS_CERT="/etc/ssl/shared/$thismailhost.pem"
-[ -z "$thismailhost" ] || TLS_KEY="/etc/ssl/private/$thismailhost.pem"
+[ -z "$thismailhost" ] || TLS_CHAIN_FILES="/etc/ssl/private/$thismailhost.chain.pem"
-if [ -f "$TLS_CERT" ] && [ -f "$TLS_KEY" ]; then
+if [ -f "$TLS_CHAIN_FILES" ]; then
 ENABLE_TLS=1
 else
- warn "No TLS - requires certificate \"$TLS_CERT\" and key \"$TLS_KEY\"."
+ warn "No TLS - requires key chain \"$TLS_CHAIN_FILES\"."
 fi
 # TODO: enable only on systems with user accounts
 ENABLE_SUBMISSION=1
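Review bot: The new guard `if [ -f "$TLS_CHAIN_FILES" ]; then` in the third hunk only accepts a single path, while the variable (and the Postfix list parameter it feeds) may hold several comma- or whitespace-separated chain files, e.g. one RSA and one ECDSA chain; any such value fails `-f` and the script silently falls back to plaintext with nothing but a warning. With the second hunk's default now empty, the same branch also prints `No TLS - requires key chain "".` when neither TLS_CHAIN_FILES nor thismailhost is set, which tells the operator nothing about where a chain was expected. Checking every listed file, and treating an empty list as "not configured", keeps the single-file case as it is and makes the multi-file case usable (word-splitting of the list is deliberate there and should be commented as such).
```sh
[ -z "$thismailhost" ] || TLS_CHAIN_FILES="/etc/ssl/private/$thismailhost.chain.pem"
# TLS is enabled only when every listed chain file exists; an empty list means no TLS.
# Unquoted expansion is intended: the value is a Postfix list (comma/space separated).
ENABLE_TLS=${TLS_CHAIN_FILES:+1}
for _chainfile in $(printf '%s' "$TLS_CHAIN_FILES" | tr ',' ' '); do
	[ -f "$_chainfile" ] || ENABLE_TLS=
done
if [ -z "$ENABLE_TLS" ]; then
	warn "No TLS - requires key chain \"${TLS_CHAIN_FILES:-(unset)}\"."
fi
# … unchanged: ENABLE_SUBMISSION …
```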
@@ -278,11 +278,9 @@ fi
 # outbound opportunistic encryption
 _postconf -e smtp_tls_security_level=may
 if [ -n "$ENABLE_TLS" ]; then
- _postconf -e smtp_tls_cert_file="$TLS_CERT"
- _postconf -e smtp_tls_key_file="$TLS_KEY"
+ _postconf -e smtp_tls_chain_files="$TLS_CHAIN_FILES"
 else
- _postconf -X smtp_tls_cert_file
- _postconf -X smtp_tls_key_file
+ _postconf -X smtp_tls_chain_files
 fi
 _postconf -e smtp_tls_loglevel=1
@@ -298,15 +296,13 @@ _postconf -e smtp_tls_policy_maps="hash:$confdir/tls_policy"
 # inbound opportunistic encryption
 if [ -n "$ENABLE_TLS" ]; then
 _postconf -e smtpd_tls_security_level=may
- _postconf -e smtpd_tls_cert_file="$TLS_CERT"
- _postconf -e smtpd_tls_key_file="$TLS_KEY"
+ _postconf -e smtpd_tls_chain_files="$TLS_CHAIN_FILES"
 _postconf -e smtpd_tls_loglevel=1
 _postconf -e smtpd_tls_auth_only=yes
 _postconf -e smtpd_tls_received_header=yes
 else
 _postconf -e smtpd_tls_security_level=none
- _postconf -X smtpd_tls_cert_file
- _postconf -X smtpd_tls_key_file
+ _postconf -X smtpd_tls_chain_files
 _postconf -X smtpd_tls_loglevel
 _postconf -X smtpd_tls_auth_only
 _postconf -X smtpd_tls_received_header
@@ -322,6 +318,10 @@ _postconf -X smtp_tls_CApath
 _postconf -X lmtp_tls_CApath
 _postconf -X smtp_tls_CAfile
 _postconf -X lmtp_tls_CAfile
+_postconf -X smtp_tls_cert_file
+_postconf -X smtp_tls_key_file
+_postconf -X smtpd_tls_cert_file
+_postconf -X smtpd_tls_key_file
 _postconf -X smtpd_tls_ask_ccert
 _postconf -X smtp_tls_note_starttls_offer
 _postconf -X smtpd_tls_session_cache_database
-- 
cgit v1.2.3
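Review bot: `_postconf -e smtp_tls_chain_files="$TLS_CHAIN_FILES"` in the fourth hunk, and its smtpd_ counterpart in the fifth, is only understood by Postfix 3.4 and later, which the first hunk records as a dependency but nothing in the script verifies. On an older installation `postconf -e` still writes the unknown parameter into main.cf, the last hunk removes the `*_tls_cert_file`/`*_tls_key_file` settings that used to work, and the daemon is left with `smtpd_tls_security_level=may` but no certificate; as far as I recall Postfix then logs a warning and stops offering STARTTLS rather than refusing to start, so the downgrade to plaintext is easy to miss. A guard before the first `_postconf` call would make that a hard error instead, e.g. `postconf -d smtp_tls_chain_files >/dev/null 2>&1 || { warn "Postfix >= 3.4 required (smtp_tls_chain_files)."; exit 1; }`, assuming postconf's exit status for an unknown parameter is non-zero on the versions you target; otherwise compare `postconf -h mail_version` explicitly.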