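#!/bin/bash
#
# enable TLS in postfix
# and make sure that PFS can be used
#
# What happens, in order:
#   1. look up the smtp (client) and smtpd (server) cert/key files that
#      postfix is configured with; keep only those that really exist.
#      Fall back to the files under /home/*/cert, and as a last resort
#      generate a self-signed pair under /etc/postfix/ssl.
#   2. make sure Diffie-Hellman parameter files exist (needed for PFS).
#   3. write the TLS settings with postconf, enable tlsmgr in master.cf
#      and restart postfix.
#
# Must be run as root (it writes below /etc/postfix and restarts the
# service). If a certificate has to be generated, 'openssl req' prompts
# for the subject interactively, so run the script from a terminal.

set -euo pipefail
# unmatched globs (e.g. no keys under /home/*/cert) expand to nothing
shopt -s nullglob

# a sane PATH in case we were started from a minimal environment
export PATH="${PATH:-/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin}"

readonly POSTFIX_SSL_DIR='/etc/postfix/ssl'
readonly OPENSSL_CNF='/etc/ssl/openssl.cnf'
readonly MASTER_CF='/etc/postfix/master.cf'

# temporary copy of openssl.cnf, removed again on exit (see cleanup)
TMP_CNF=''

die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

warn() {
  printf '%s: warning: %s\n' "${0##*/}" "$*" >&2
}

cleanup() {
  if [[ -n "$TMP_CNF" ]]; then
    rm -f -- "$TMP_CNF"
  fi
}
trap cleanup EXIT

#######################################
# Print the value of a postfix parameter; prints nothing when postconf
# does not know the parameter (old/new releases differ in what they have).
# Arguments: $1 - parameter name
# Outputs:   the value on stdout, without trailing newline
#######################################
pf_get() {
  local value
  value=$(postconf -h "$1" 2>/dev/null) || value=''
  printf '%s' "$value"
}

#######################################
# Print $1 if it is non-empty and names an existing regular file,
# otherwise print nothing. Used to drop stale paths from the config.
#######################################
existing_file() {
  if [[ -n "$1" && -f "$1" ]]; then
    printf '%s' "$1"
  fi
}

#######################################
# Print the one file passed as argument (the caller hands in an already
# expanded glob). Prints nothing for zero matches, and also for more than
# one match: with keys of several users under /home we must not guess
# which one belongs to this host.
# Arguments: the expanded glob (0..n paths)
#######################################
single_match() {
  case $# in
    0) ;;
    1)
      if [[ -f "$1" ]]; then
        printf '%s' "$1"
      fi
      ;;
    *) warn "several candidates found, ignoring all of them: $*" ;;
  esac
}

#######################################
# Generate a 2048-bit RSA key and a self-signed certificate for postfix.
# Arguments: $1 - key file to write
#            $2 - certificate file to write
# Globals:   POSTFIX_SSL_DIR, OPENSSL_CNF (read), TMP_CNF (written)
# Outputs:   'openssl req' prompts the user for the certificate subject
# Returns:   0 on success; exits via die on failure
#######################################
make_selfsigned_pair() {
  local key=$1 cert=$2

  mkdir -p -- "$POSTFIX_SSL_DIR" || die "cannot create $POSTFIX_SSL_DIR"

  # The private key must never be world-readable: generate it with a
  # restrictive umask and pin the mode afterwards. Postfix reads the key
  # as root, so 0600 root:root is sufficient.
  (
    umask 077
    openssl genrsa -out "$key" 2048
  ) || die "cannot generate private key $key"
  chmod 600 "$key" || die "cannot set permissions on $key"

  # 'openssl req' is interactive; prefill the defaults so the prompts are
  # as comfortable as possible. We patch a private copy of openssl.cnf
  # instead of editing the system-wide file, so other users of openssl
  # on this host are not affected.
  TMP_CNF=$(mktemp) || die "mktemp failed"
  sed -e 's|^countryName_default.*$|countryName_default = DE|' \
      -e 's|^stateOrProvinceName_default.*$|stateOrProvinceName_default = Sachsen|' \
      -e 's|^0.organizationName_default.*$|0.organizationName_default = Pferdebadeanstalt|' \
      "$OPENSSL_CNF" > "$TMP_CNF" || die "cannot prepare $TMP_CNF from $OPENSSL_CNF"

  # request and self-signature in one step (no CSR file left behind)
  openssl req -new -x509 -days 3650 -config "$TMP_CNF" -key "$key" -out "$cert" \
    || die "cannot generate certificate $cert"
}

#######################################
# Write Diffie-Hellman parameters.
# 'openssl gendh' does not exist in current OpenSSL releases; dhparam is
# the supported command for this.
# Arguments: $1 - parameter size in bits
#            $2 - output file
# Returns:   openssl's exit status
#######################################
make_dh_params() {
  local bits=$1 out=$2
  openssl dhparam -2 -out "$out" "$bits"
}

main() {
  command -v postconf >/dev/null || die "postconf not found"
  command -v openssl >/dev/null || die "openssl not found"
  command -v rcpostfix >/dev/null || die "rcpostfix not found"

  # first: care about the TLS certificates and keys
  # get the current config of postfix, keeping only files that exist
  local tlscert1 tlscert2 tlskey1 tlskey2
  tlscert1=$(existing_file "$(pf_get smtp_tls_cert_file)")
  tlscert2=$(existing_file "$(pf_get smtpd_tls_cert_file)")
  tlskey1=$(existing_file "$(pf_get smtp_tls_key_file)")
  tlskey2=$(existing_file "$(pf_get smtpd_tls_key_file)")

  # maybe we got other certificates?
  # NOTE: these live in user home directories, i.e. whoever can write
  # there decides which key postfix serves - only use this on hosts where
  # those directories are trusted.
  if [[ -z "$tlskey1" ]]; then
    tlskey1=$(single_match /home/*/cert/my.corp/*key.op.pem)
  fi
  if [[ -z "$tlskey2" ]]; then
    tlskey2="$tlskey1"
  fi

  if [[ -z "$tlscert1" ]]; then
    tlscert1=$(single_match /home/*/cert/von_2013/*.intranet.my.corp.pem)
  fi
  if [[ -z "$tlscert2" ]]; then
    tlscert2="$tlscert1"
  fi

  # now make sure we have a complete cert/key pair for both sides
  if [[ -z "$tlscert1" || -z "$tlskey1" ]]; then
    # no TLS cert/key for smtp
    if [[ -z "$tlscert2" || -z "$tlskey2" ]]; then
      # no TLS cert/key available at all, we'll create them
      tlscert1="$POSTFIX_SSL_DIR/smtp.cert"
      tlskey1="$POSTFIX_SSL_DIR/smtp.key"
      make_selfsigned_pair "$tlskey1" "$tlscert1"
      tlscert2="$tlscert1"
      tlskey2="$tlskey1"
    else
      # we can use the smtpd TLS cert/key as smtp cert/key
      tlscert1="$tlscert2"
      tlskey1="$tlskey2"
    fi
  elif [[ -z "$tlscert2" || -z "$tlskey2" ]]; then
    # we can use the smtp TLS cert/key as smtpd cert/key
    tlscert2="$tlscert1"
    tlskey2="$tlskey1"
  fi
  # else: all files exist, nothing to repair here

  # second: for PFS, we need the Diffie-Hellman files
  local pfs1 pfs5
  pfs1=$(existing_file "$(pf_get smtpd_tls_dh1024_param_file)")
  pfs5=$(existing_file "$(pf_get smtpd_tls_dh512_param_file)")

  if [[ -z "$pfs1" ]]; then
    # 1024-bit DH is considered too weak today; postfix accepts 2048-bit
    # parameters in smtpd_tls_dh1024_param_file (the name is historical)
    pfs1='/etc/postfix/dh_2048.pem'
    make_dh_params 2048 "$pfs1" || die "cannot create DH parameters $pfs1"
    postconf -e "smtpd_tls_dh1024_param_file = $pfs1" || die "postconf failed"
  fi
  if [[ -z "$pfs5" ]]; then
    # 512-bit parameters are only used with export-grade ciphers, which
    # postfix does not enable by default. Kept best-effort for old
    # releases; a failure here is not fatal.
    pfs5='/etc/postfix/dh_0512.pem'
    if make_dh_params 512 "$pfs5"; then
      postconf -e "smtpd_tls_dh512_param_file = $pfs5" || die "postconf failed"
    else
      warn "cannot create 512-bit DH parameters, skipping (only needed for export ciphers)"
    fi
  fi

  # third: we set the postfix config to use the certs and enable PFS
  local -a settings=(
    "smtp_tls_cert_file = $tlscert1"
    "smtp_tls_key_file = $tlskey1"
    "smtp_tls_loglevel = 1"
    "smtp_tls_note_starttls_offer = yes"
    "smtp_tls_security_level = may"
    "smtp_use_tls = yes"
    "smtpd_enforce_tls = no"
    "smtpd_tls_auth_only = no"
    "smtpd_tls_CApath = /etc/ssl/certs"
    "smtpd_tls_cert_file = $tlscert2"
    "smtpd_tls_eecdh_grade = strong"
    "smtpd_tls_key_file = $tlskey2"
    "smtpd_tls_loglevel = 1"
    "smtpd_tls_received_header = yes"
    "smtpd_tls_security_level = may"
    "smtpd_tls_session_cache_timeout = 3600s"
    "smtpd_use_tls = yes"
    "tls_random_source = dev:/dev/urandom"
    "tls_preempt_cipherlist = yes"
  )
  postconf -e "${settings[@]}" || die "postconf failed"

  # tlsmgr must be active in master.cf for the session cache and PRNG;
  # uncomment it if it is not there yet (backup kept as master.cf.tls)
  if ! grep -q '^tlsmgr' "$MASTER_CF"; then
    sed -i.tls 's|#tlsmgr|tlsmgr|' "$MASTER_CF" || die "cannot enable tlsmgr in $MASTER_CF"
  fi

  rcpostfix restart || die "postfix restart failed"
  rcpostfix status
}

main "$@"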