From: Christian Heller <>
Date: Sun, 14 May 2017 19:10:18 +0000 (+0200)
Subject: Add STARTTLS server-side support to postfix setujp.

Add STARTTLS server-side support to postfix setup.

diff --git a/bin/ b/bin/
new file mode 100755
index 0000000..3b306c2
--- /dev/null
+++ b/bin/
@@ -0,0 +1,38 @@
+set -x
+set -e
+if [ ! "$(id -u)" -eq "0" ]; then
+  echo "Must be run as root."
+  exit 1
+if [ ! -n "$key" ]; then
+  if [ ! -f "${key_target}" ]; then
+    (umask 077; openssl genrsa -out "${key_target}" 2048)
+  fi
+  cp "$key" "${key_target}"
+fqdn=$(postconf -h myhostname)
+if [ ! -n "$cert" ]; then
+  if [ ! -f "${cert_target}" ]; then
+    openssl req -new -key "${key_target}" -x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert_target}"
+  fi
+  cp "$cert" "${cert_target}"
+cat >> /etc/postfix/ << EOF
+# Enable server-side STARTTLS. 
+smtpd_tls_cert_file = /etc/postfix/cert.pem
+smtpd_tls_key_file = /etc/postfix/key.pem
+smtpd_tls_security_level = may
+service postfix restart
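Review bot: The key copied from `$key` on the `cp` line keeps whatever mode the source file had, whereas the generated key is created under `umask 077`, so a world-readable input file ends up as a world-readable `${key_target}` that postfix then serves TLS with; after the key branch the script should enforce the mode explicitly, `chmod 600 -- "${key_target}"`. The hunk header announces 38 lines but only 22 are visible here (the `fi`/`else` lines, the `key_target`/`cert_target` assignments and the heredoc terminator are not shown), so the exact branch structure is inferred from the visible lines. Separately, the `cat >>` heredoc appends the three `smtpd_tls_*` settings on every run, so re-running the script duplicates them in the postfix config; `postconf -e 'smtpd_tls_security_level = may'` (one call per setting) would be idempotent. Minor style: `[ ! -n "$key" ]` reads more naturally as `[ -z "$key" ]`.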
diff --git a/mails/server_postinstall_finished b/mails/server_postinstall_finished
index 7e403cc..75253c9 100644
--- a/mails/server_postinstall_finished
+++ b/mails/server_postinstall_finished
@@ -12,6 +12,10 @@ perform the following tasks:
   key signing, with a second parameter $keyfile if a key already exists; without
   second parameter, this will generate a new key and print the DNS record to add
+- run (as root) config/bin/ to set up server-side STARTTLS for
+  mail; optionally run with paths to 1) a key file and 2) a cert file as
+  arguments if those exist to re-use existing ones
 - in the screen weechat/bitlbee session (run "screen -dr"), switch to the
   &bitlbee channel, register with a password ("register", "/oper . [password]"),
   and set up Jabber account with password ("account add jabber