From: Christian Heller Date: Sun, 14 May 2017 19:10:18 +0000 (+0200) Subject: Add STARTTLS server-side support to postfix setujp. X-Git-Url: https://plomlompom.com/repos/%7B%7B%20web_path%20%7D%7D/unset_cookie?a=commitdiff_plain;h=2045b9e2aa5b7e14f8f421047b4ead3a5f77d680;p=config Add STARTTLS server-side support to postfix setujp. --- diff --git a/bin/setup_starttls.sh b/bin/setup_starttls.sh new file mode 100755 index 0000000..3b306c2 --- /dev/null +++ b/bin/setup_starttls.sh @@ -0,0 +1,38 @@ +#!/bin/sh +set -x +set -e +key=$1 +cert=$2 + +if [ ! "$(id -u)" -eq "0" ]; then + echo "Must be run as root." + exit 1 +fi + +key_target=/etc/postfix/key.pem +if [ ! -n "$key" ]; then + if [ ! -f "${key_target}" ]; then + (umask 077; openssl genrsa -out "${key_target}" 2048) + fi +else + cp "$key" "${key_target}" +fi + +fqdn=$(postconf -h myhostname) +cert_target=/etc/postfix/cert.pem +if [ ! -n "$cert" ]; then + if [ ! -f "${cert_target}" ]; then + openssl req -new -key "${key_target}" -x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert_target}" + fi +else + cp "$cert" "${cert_target}" +fi + +cat >> /etc/postfix/main.cf << EOF + +# Enable server-side STARTTLS. +smtpd_tls_cert_file = /etc/postfix/cert.pem +smtpd_tls_key_file = /etc/postfix/key.pem +smtpd_tls_security_level = may +EOF +service postfix restart diff --git a/mails/server_postinstall_finished b/mails/server_postinstall_finished index 7e403cc..75253c9 100644 --- a/mails/server_postinstall_finished +++ b/mails/server_postinstall_finished @@ -12,6 +12,10 @@ perform the following tasks: key signing, with a second parameter $keyfile if a key already exists; without second parameter, this will generate a new key and print the DNS record to add +- run (as root) config/bin/setup_starttls.sh to set up server-side STARTTLS for + mail; optionally run with paths to 1) a key file and 2) a cert file as + arguments if those exist to re-use existing ones + - in the screen weechat/bitlbee session (run "screen -dr"), switch to the &bitlbee channel, register with a password ("register", "/oper . [password]"), and set up Jabber account with password ("account add jabber