From d91b2a03bb2f571055c86aeb8827789a8abbae48 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Fri, 15 Apr 2005 16:16:17 +0000
Subject: Handle postfix 2.2 with slightly different official TLS support.
---
 postfix/postfix.sh | 39 ++++++++++++++++++++++++++++++---------
 1 file changed, 30 insertions(+), 9 deletions(-)
(limited to 'postfix')
diff --git a/postfix/postfix.sh b/postfix/postfix.sh
index ebcdbc5..ec70560 100755
--- a/postfix/postfix.sh
+++ b/postfix/postfix.sh
@@ -3,7 +3,7 @@
 # /etc/local-COMMON/postfix/postfix.sh
 # Copyright 2002-2004 Jonas Smedegaard
 #
-# $Id: postfix.sh,v 1.29 2004-05-09 20:23:19 jonas Exp $
+# $Id: postfix.sh,v 1.30 2005-04-15 16:16:17 jonas Exp $
 #
 # Auto-tweak plain installed postfix Debian package
 #
@@ -24,6 +24,10 @@ pf2=
 if $postconf -d mail_version | grep -q '= 2'; then
 pf2=1
 fi
+pf22=
+if $postconf -d mail_version | grep -q '= 2\.2'; then
+ pf22=1
+fi
 pftls=
 if [ -x /usr/lib/postfix/tlsmgr ]; then
 pftls=1
@@ -39,6 +43,10 @@ else
 echo "WARNING: Not enabling encryption: sasl tools 2.1.1 or greater is required."
 echo " (on Debian: install the package sasl2-bin)"
 fi
+sasldir="$confdir/sasl"
+if [ -n "$pf22" ]; then
+ sasldir="$confdir/sasl2"
+fi
 #function getlinesfromfile() {
 # param="$1"
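Review bot: The new pf22 detection, `grep -q '= 2\.2'`, matches only a 2.2.x mail_version, so any later 2.x release would silently take the pre-2.2 branches this commit introduces (fifo tlsmgr, sdbm session caches, the old sasl directory), which is presumably the opposite of what is wanted once 2.3 ships. If the flag really means "2.2 or newer", the pattern should admit later minors as well; if the exact match is deliberate, a comment on the line such as `# pf22: exact 2.2.x match; 2.3+ falls back to the pre-2.2 settings below` would keep the next maintainer from reading it as a >= check.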
@@ -102,11 +110,11 @@ fi
 # TLS breaks postfix if no SASL modules available (and doesn't make sense either)
 # (change the test if using some other modules and avoid the plain ones)
 if [ -n "$pftls" -a -n "$sasl2" -a -f /etc/ssl/certs/postfix.pem ]; then
- mkdir -p $confdir/sasl
- echo 'mech_list: plain login' >$confdir/sasl/smtpd.conf
- echo 'minimum_layer: 0' >>$confdir/sasl/smtpd.conf
- echo 'pwcheck_method: saslauthd' >>$confdir/sasl/smtpd.conf
- echo 'auto_transition: false' >>$confdir/sasl/smtpd.conf
+ mkdir -p "$sasldir"
+ echo 'mech_list: plain login' > "$sasldir/smtpd.conf"
+ echo 'minimum_layer: 0' >> "$sasldir/smtpd.conf"
+ echo 'pwcheck_method: saslauthd' >> "$sasldir/smtpd.conf"
+ echo 'auto_transition: false' >> "$sasldir/smtpd.conf"
 groups postfix | grep -q sasl || adduser postfix sasl
 # Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy)
 cp -a $confdir/master.cf $confdir/master.cf.old
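Review bot: The four `echo ... >> "$sasldir/smtpd.conf"` lines rewrite the same file piecemeal; a single here-document writes the whole SASL config in one redirection, so a partial write cannot leave a truncated file behind and the contents read as one unit. The newly added lines quote `$sasldir`, but the context lines that follow in the same hunk (`cp -a $confdir/master.cf ...`) still leave `$confdir` unquoted, so the quoting style is now mixed within one block. The enclosing `if [ -n "$pftls" ...` block continues past this hunk.
```sh
	mkdir -p "$sasldir"
	cat > "$sasldir/smtpd.conf" <<'EOF'
mech_list: plain login
minimum_layer: 0
pwcheck_method: saslauthd
auto_transition: false
EOF
	# … unchanged: groups/adduser and the chroot-release edits to master.cf …
```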
@@ -116,14 +124,23 @@ if [ -n "$pftls" -a -n "$sasl2" -a -f /etc/ssl/certs/postfix.pem ]; then
 -e "s/^#\(tlsmgr$sp\)/\1/" \
 > $confdir/master.cf
 cat $confdir/master.cf | egrep -q "^tlsmgr$sp" || \
- echo 'tlsmgr fifo - - - 300 1 tlsmgr' >> $confdir/master.cf
+ if [ -n "$pf22" ]; then
+ echo 'tlsmgr unix - - - 300 1 tlsmgr' >> $confdir/master.cf
+ else
+ echo 'tlsmgr fifo - - - 300 1 tlsmgr' >> $confdir/master.cf
+ fi
 $postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem'
 if [ -f /etc/ssl/private/postfix.pem ]; then
 $postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem'
 fi
 $postconf -e 'smtpd_tls_loglevel = 1'
 $postconf -e 'smtpd_use_tls = yes'
- $postconf -e 'smtpd_tls_session_cache_database = sdbm:/var/spool/postfix/smtpd_scache'
+ $postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem'
+ if [ -n "$pf22" ]; then
+ $postconf -e 'smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_scache'
+ else
+ $postconf -e 'smtpd_tls_session_cache_database = sdbm:/var/spool/postfix/smtpd_scache'
+ fi
 $postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
 $postconf -e 'tls_random_exchange_name = /var/spool/postfix/prng_exch'
 $postconf -e 'smtpd_tls_auth_only = yes'
@@ -149,7 +166,11 @@ if [ -n "$pftls" -a -n "$sasl2" -a -f /etc/ssl/certs/postfix.pem ]; then
 $postconf -e 'smtp_use_tls = yes'
 $postconf -e 'smtp_tls_CApath = /etc/ssl/certs'
 $postconf -e 'smtp_tls_note_starttls_offer = no' # Enable to collect info for smtp_tls_per_site option
- $postconf -e 'smtp_tls_session_cache_database = sdbm:/var/spool/postfix/smtp_scache'
+ if [ -n "$pf22" ]; then
+ $postconf -e 'smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_scache'
+ else
+ $postconf -e 'smtp_tls_session_cache_database = sdbm:/var/spool/postfix/smtp_scache'
+ fi
 # Accepting client certificates breaks SMTP AUTH on OutLook Express on Mac (Classic)
 $postconf -e 'smtpd_tls_ask_ccert = no'
 else
-- cgit v1.2.3
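Review bot: The added `$postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem'` directly after `smtpd_use_tls = yes` runs unconditionally, which defeats the `if [ -f /etc/ssl/private/postfix.pem ]` guard four lines above it and points smtpd at a key file that may not exist, so on a host that keeps cert and key in the single /etc/ssl/certs/postfix.pem the TLS listener would be left with an unusable key path. Unless something outside this hunk now guarantees that file, the unconditional line should be dropped and the guarded assignment left as the only one; the commit message does not mention the key file, so this looks accidental. Separately, the `btree:` / `sdbm:` if/else is written out once here for smtpd_scache and again in the -149 hunk for smtp_scache; setting a single `scache_type=sdbm` next to the pf22 detection and overriding it to `btree` under `[ -n "$pf22" ]` would collapse both into one line each, e.g. `$postconf -e "smtpd_tls_session_cache_database = $scache_type:/var/spool/postfix/smtpd_scache"`. The enclosing `if [ -n "$pftls" ...` block starts before and ends after both hunks.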