blob: e863fa24ae86cc1274851139e3bbeb9f526fae36 (
plain)
- #!/bin/bash
- set -e
- paramdir='/etc/local-COMMON/postfix'
- confdir='/etc/postfix'
- sp='[[:space:]]'
- function getlinesfromfile() {
- param="$1"
- echo -n "$param = "
- cat $paramdir/$param | grep -v '^#' | sed 's/#.*//' | tr '\n' ',' | sed -e 's/^[, ]*//' -e 's/[, ]\+/,/g' -e 's/,$//'
- }
- # Some badly configured setup use hostname instead of FQDN
- if postconf myhostname | grep '.' &> /dev/null; then
- postconf -e 'smtpd_helo_required = yes'
- fi
- postconf -e "`getlinesfromfile permit_mx_backup_networks`"
- postconf -e "`getlinesfromfile maps_rbl_domains`"
- postconf -e "`getlinesfromfile smtpd_recipient_restrictions`"
- # TLS breaks postfix if no SASL modules available (and doesn't make sense either)
- # (change the test if using some other modules and avoid the plain ones)
- if dpkg -L libsasl-modules-plain &> /dev/null && [ -f /etc/ssl/certs/postfix.pem ]; then
- mkdir -p $confdir/sasl
- echo 'pwcheck_method: pam' >$confdir/sasl/smtpd.conf
- echo 'auto_transition: false' >>$confdir/sasl/smtpd.conf
- groups postfix | grep shadow &>/dev/null || adduser postfix shadow
- # Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy)
- cp -a $confdir/master.cf $confdir/master.cf.old
- cat $confdir/master.cf.old | sed \
- -e "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \
- -e "s/^#\?\(\(smtps\|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \
- -e "s/^#\(tlsmgr$sp\)/\1/" \
- > $confdir/master.cf
- cat $confdir/master.cf | egrep "^tlsmgr$sp" > /dev/null || \
- echo 'tlsmgr fifo - - - 300 1 tlsmgr' >> $confdir/master.cf
- postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem'
- if [ -f /etc/ssl/private/postfix.pem ]; then
- postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem'
- fi
- postconf -e 'smtpd_tls_loglevel = 1'
- postconf -e 'smtpd_use_tls = yes'
- postconf -e 'smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache'
- postconf -e 'smtpd_tls_auth_only = yes'
- postconf -e 'smtpd_sasl_auth_enable = no'
- postconf -e 'smtpd_sasl_security_options = noanonymous'
- postconf -e 'smtpd_sasl_local_domain = $myhostname'
- postconf -e 'smtpd_tls_received_header = yes'
- postconf -e 'broken_sasl_auth_clients = yes'
- postconf -e 'tls_random_source = dev:/dev/urandom'
- postconf -e 'tls_daemon_random_source = dev:/dev/urandom'
- # Check if using a proper key exists (not just a self-signed one)
- # (it is assumed that a CA certificate is made public if used!)
- if [ -f /etc/ssl/certs/cacert.pem ]; then
- postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
- postconf -e 'smtp_tls_CAfile = $smtpd_tls_CAfile'
- postconf -e 'smtp_tls_cert_file = /etc/ssl/certs/postfix.pem'
- # Client side TLS only makes sense if a publicly available certificate is available
- # (and DON'T publish a self-signed certificate!)
- if [ -f /etc/ssl/private/postfix.pem ]; then
- postconf -e 'smtp_tls_key_file = $smtpd_tls_key_file'
- fi
- postconf -e 'smtp_tls_loglevel = 1'
- postconf -e 'smtp_use_tls = yes'
- postconf -e 'smtp_tls_CApath = /etc/ssl/certs'
- # postconf -e 'smtp_tls_note_starttls_offer = yes' # Useful when collecting info for smtp_tls_per_site option
- postconf -e 'smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache'
- # This makes Netscape ask for a certificate, so make sure it IS public!
- postconf -e 'smtpd_tls_ask_ccert = yes'
- fi
- else
- echo 'TLS not activated - check the script for requirements...'
- fi
- /etc/init.d/postfix reload
- # Based on this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
- # Support for trusted MX backup networks added
- # PCRE stuff avoided, as PCRE is only optional on newest Debian packages
- # RBLs replaced with those recommended by http://www.antispews.org/
- # Here's a convenient overview of different blackholes:
- # http://rbls.org/
- # smtpd_tls_CAfile
|
