Add STARTTLS server-side support to postfix setujp.

diff --git a/bin/setup_starttls.sh b/bin/setup_starttls.sh
new file mode 100755 (executable)
index 0000000..3b306c2
--- /dev/null
+++ b/bin/setup_starttls.sh
@@ -0,0 +1,38 @@
+#!/bin/sh
+set -x
+set -e
+key=$1
+cert=$2
+
+if [ ! "$(id -u)" -eq "0" ]; then
+  echo "Must be run as root."
+  exit 1
+fi
+
+key_target=/etc/postfix/key.pem
+if [ ! -n "$key" ]; then
+  if [ ! -f "${key_target}" ]; then
+    (umask 077; openssl genrsa -out "${key_target}" 2048)
+  fi
+else
+  cp "$key" "${key_target}"
+fi
+
+fqdn=$(postconf -h myhostname)
+cert_target=/etc/postfix/cert.pem
+if [ ! -n "$cert" ]; then
+  if [ ! -f "${cert_target}" ]; then
+    openssl req -new -key "${key_target}" -x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert_target}"
+  fi
+else
+  cp "$cert" "${cert_target}"
+fi
+
+cat >> /etc/postfix/main.cf << EOF
+
+# Enable server-side STARTTLS. 
+smtpd_tls_cert_file = /etc/postfix/cert.pem
+smtpd_tls_key_file = /etc/postfix/key.pem
+smtpd_tls_security_level = may
+EOF
+service postfix restart

diff --git a/mails/server_postinstall_finished b/mails/server_postinstall_finished
index 7e403cc14a16beee0c94ae935c299abb5353916d..75253c973105882122451f22b46d15a88d4f37d4 100644 (file)
--- a/mails/server_postinstall_finished
+++ b/mails/server_postinstall_finished
@@ -12,6 +12,10 @@ perform the following tasks:
   key signing, with a second parameter $keyfile if a key already exists; without
   second parameter, this will generate a new key and print the DNS record to add
 
+- run (as root) config/bin/setup_starttls.sh to set up server-side STARTTLS for
+  mail; optionally run with paths to 1) a key file and 2) a cert file as
+  arguments if those exist to re-use existing ones
+
 - in the screen weechat/bitlbee session (run "screen -dr"), switch to the
   &bitlbee channel, register with a password ("register", "/oper . [password]"),
   and set up Jabber account with password ("account add jabber