#!/bin/bash

set -e

paramdir="/etc/local-COMMON/postfix"
confdir="/etc/postfix"
sp='[[:space:]]'

function getlinesfromfile() {
	param="$1"
	echo -n "$param = "
	cat $paramdir/$param | grep -v '^#' | sed 's/#.*//' | tr "\n" "," | sed -e 's/^[, ]*//' -e 's/[, ]\+/,/g' -e 's/,$//'
}

# Some badly configured setup use hostname instead of FQDN
if postconf myhostname | grep '.' &> /dev/null; then
	postconf -e "smtpd_helo_required = yes"
fi
postconf -e "`getlinesfromfile permit_mx_backup_networks`"
postconf -e "`getlinesfromfile maps_rbl_domains`"
postconf -e "`getlinesfromfile smtpd_recipient_restrictions`"

# TLS breaks postfix if no SASL modules available (and doesn't make sense either)
# (change the test if using some other modules and avoid the plain ones)
if dpkg -L libsasl-modules-plain &> /dev/null && [ -f /etc/ssl/certs/postfix.pem ]; then
	mkdir -p $confdir/sasl
	echo "pwcheck_method: pam" >$confdir/sasl/smtpd.conf
	echo "auto_transition: false" >>$confdir/sasl/smtpd.conf
	groups postfix | grep shadow &>/dev/null || adduser postfix shadow
	# Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy)
	cp -a $confdir/master.cf $confdir/master.cf.old
	cat $confdir/master.cf.old | sed \
		-e "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \
		-e "s/^#?\(\(smtps|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \
		> $confdir/master.cf
	# Check if using a proper key or just a self-signed one
	# (it is assumed that a CA certificate is made public if used!)
	if [ -f /etc/ssl/certs/postfix.pem -a -f /etc/ssl/certs/cacert.pem]; then
		postconf -e "smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem"
		postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem"
		postconf -e "smtpd_tls_key_file = /etc/ssl/private/postfix.pem"
		# Client side TLS only makes sense if a publicly available certificate is available
		# (and DON'T publish a self-signed certificate!)
		postconf -e "smtp_tls_loglevel = 1"
		postconf -e "smtp_use_tls = yes"
		postconf -e "smtp_tls_CApath = /etc/ssl/certs"
		postconf -e "smtp_tls_note_starttls_offer = yes" # Useful when collecting info for smtp_tls_per_site option
		postconf -e "smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache"
		# This makes Netscape ask for a certificate, so make sure it IS public!
		postconf -e "smtpd_tls_ask_ccert = yes"
	else
		postconf -e "smtpd_tls_CAfile = /etc/ssl/certs/postfix.pem"
		postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem"
		postconf -e "smtpd_tls_key_file = /etc/ssl/certs/postfix.pem"
	fi
	postconf -e "smtpd_tls_loglevel = 1"
	postconf -e "smtpd_use_tls = yes"
	postconf -e "smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache"
	postconf -e "smtpd_tls_auth_only = yes"
	postconf -e "smtpd_sasl_auth_enable = no"
	postconf -e "smtpd_sasl_security_options = noanonymous"
	postconf -e "smtpd_sasl_local_domain = \$myhostname"
	postconf -e "broken_sasl_auth_clients = yes"
	postconf -e "tls_random_source = dev:/dev/urandom"
	postconf -e "tls_daemon_random_source = dev:/dev/urandom"
else
	echo "TLS not activated - check the script for requirements..."
fi

/etc/init.d/postfix reload

# Based on this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
# Support for trusted MX backup networks added
# PCRE stuff avoided, as PCRE is only optional on newest Debian packages
# RBLs replaced with those recommended by http://www.antispews.org/

# Here's a convenient overview of different blackholes:
#   http://rbls.org/

# smtpd_tls_CAfile