summaryrefslogtreecommitdiffstats
path: root/conf/postfix-tls-script
diff options
context:
space:
mode:
Diffstat (limited to 'conf/postfix-tls-script')
-rw-r--r--conf/postfix-tls-script1152
1 files changed, 1152 insertions, 0 deletions
diff --git a/conf/postfix-tls-script b/conf/postfix-tls-script
new file mode 100644
index 0000000..997e9c5
--- /dev/null
+++ b/conf/postfix-tls-script
@@ -0,0 +1,1152 @@
+#!/bin/sh
+
+#++
+# NAME
+# postfix-tls 1
+# SUMMARY
+# Postfix TLS management
+# SYNOPSIS
+# \fBpostfix tls\fR \fIsubcommand\fR
+# DESCRIPTION
+# The "\fBpostfix tls \fIsubcommand\fR" feature enables
+# opportunistic TLS in the Postfix SMTP client or server, and
+# manages Postfix SMTP server private keys and certificates.
+#
+# The following subcommands are available:
+# .IP "\fBenable-client\fR [\fB-r \fIrandsource\fR]"
+# Enable opportunistic TLS in the Postfix SMTP client, if all
+# SMTP client TLS settings are at their default values.
+# Otherwise, suggest parameter settings without making any
+# changes.
+# .sp
+# Specify \fIrandsource\fR to update the value of the
+# \fBtls_random_source\fR configuration parameter (typically,
+# /dev/urandom). Prepend \fBdev:\fR to device paths or
+# \fBegd:\fR to EGD socket paths.
+# .sp
+# See also the \fBall-default-client\fR subcommand.
+# .IP "\fBenable-server\fR [\fB-r \fIrandsource\fR] [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB...\fR]"
+# Create a new private key and self-signed server certificate
+# and enable opportunistic TLS in the Postfix SMTP server,
+# if all SMTP server TLS settings are at their default values.
+# Otherwise, suggest parameter settings without making any
+# changes.
+# .sp
+# The \fIrandsource\fR parameter is as with \fBenable-client\fR
+# above, and the remaining options are as with \fBnew-server-key\fR
+# below.
+# .sp
+# See also the \fBall-default-server\fR subcommand.
+# .IP "\fBnew-server-key\fR [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB...\fR]"
+# Create a new private key and self-signed server certificate,
+# but do not deploy them. Log and display commands to deploy
+# the new key and corresponding certificate. Also log and
+# display commands to output a corresponding CSR or TLSA
+# records which may be needed to obtain a CA certificate or
+# to update DNS before the new key can be deployed.
+# .sp
+# The \fIalgorithm\fR defaults to \fBrsa\fR, and \fIbits\fR
+# defaults to 2048. If you choose the \fBecdsa\fR \fIalgorithm\fR
+# then \fIbits\fR will be an EC curve name (by default
+# \fBsecp256r1\fR, also known as prime256v1). Curves other
+# than \fBsecp256r1\fR, \fBsecp384r1\fR or \fBsecp521r1\fR
+# are unlikely to be widely interoperable. When generating
+# EC keys, use one of these three. DSA keys are obsolete and
+# are not supported.
+# .sp
+# Note: ECDSA support requires OpenSSL 1.0.0 or later and may
+# not be available on your system. Not all client systems
+# will support ECDSA, so you'll generally want to deploy both
+# RSA and ECDSA certificates to make use of ECDSA with
+# compatible clients and RSA with the rest. If you want to
+# deploy certificate chains with intermediate CAs for both
+# RSA and ECDSA, you'll want at least OpenSSL 1.0.2, as earlier
+# versions may not handle multiple chain files correctly.
+# .sp
+# The first \fIhostname\fR argument will be the \fBCommonName\fR
+# of both the subject and issuer of the self-signed certificate.
+# It, and any additional \fIhostname\fR arguments, will also
+# be listed as DNS alternative names in the certificate. If
+# no \fIhostname\fR is provided the value of the \fBmyhostname\fR
+# main.cf parameter will be used.
+# .sp
+# For RSA, the generated private key and certificate files
+# are named \fBkey-\fIyyyymmdd-hhmmss\fB.pem\fR and
+# \fBcert-\fIyyyymmdd-hhmmss\fB.pem\fR, where \fIyyyymmdd\fR
+# is the calendar date and \fIhhmmss\fR is the time of day
+# in UTC. For ECDSA, the file names start with \fBeckey-\fR
+# and \fBeccert-\fR instead of \fBkey-\fR and \fBcert-\fR
+# respectively.
+# .sp
+# Before deploying the new key and certificate with DANE,
+# update the DNS with new DANE TLSA records, then wait for
+# secondary nameservers to update and then for stale records
+# in remote DNS caches to expire.
+# .sp
+# Before deploying a new CA certificate make sure to include
+# all the required intermediate issuing CA certificates in
+# the certificate chain file. The server certificate must
+# be the first certificate in the chain file. Overwrite and
+# deploy the file with the original self-signed certificate
+# that was generated together with the key.
+# .IP "\fBnew-server-cert\fR [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB...\fR]"
+# This is just like \fBnew-server-key\fR except that, rather
+# than generating a new private key, any currently deployed
+# private key is copied to the new key file. Thus if you're
+# publishing DANE TLSA "3 1 1" or "3 1 2" records, there is
+# no need to update DNS records. The \fIalgorithm\fR and
+# \fIbits\fR arguments are used only if no key of the same
+# algorithm is already configured.
+# .sp
+# This command is rarely needed, because the self-signed
+# certificates generated have a 100-year nominal expiration
+# time. The underlying public key algorithms may well be
+# obsoleted by quantum computers long before then.
+# .sp
+# The most plausible reason for using this command is when
+# the system hostname changes, and you'd like the name in the
+# certificate to match the new hostname (not required for
+# DANE "3 1 1", but some needlessly picky non-DANE opportunistic
+# TLS clients may log warnings or even refuse to communicate).
+# .IP "\fBdeploy-server-cert \fIcertfile\fB \fIkeyfile\fR"
+# This subcommand deploys the certificates in \fIcertfile\fR
+# and private key in \fIkeyfile\fR (which are typically
+# generated by the commands above, which will also log and
+# display the full command needed to deploy the generated key
+# and certificate). After the new certificate and key are
+# deployed any obsolete keys and certificates may be removed
+# by hand. The \fIkeyfile\fR and \fIcertfile\fR filenames
+# may be relative to the Postfix configuration directory.
+# .IP "\fBoutput-server-csr\fR [\fB-k \fIkeyfile\fR] [\fIhostname\fB...\fR]"
+# Write to stdout a certificate signing request (CSR) for the
+# specified \fIkeyfile\fR.
+# .sp
+# Instead of an absolute pathname or a pathname relative to
+# $config_directory, \fIkeyfile\fR may specify one of the
+# supported key algorithm names (see "\fBpostconf -T
+# public-key-algorithms\fR"). In that case, the corresponding
+# setting from main.cf is used to locate the \fIkeyfile\fR.
+# The default \fIkeyfile\fR value is \fBrsa\fR.
+# .sp
+# Zero or more \fIhostname\fR values can be specified. The
+# default \fIhostname\fR is the value of \fBmyhostname\fR
+# main.cf parameter.
+# .IP "\fBoutput-server-tlsa\fR [\fB-h \fIhostname\fR] [\fIkeyfile\fB...\fR]"
+# Write to stdout a DANE TLSA RRset suitable for a port 25
+# SMTP server on host \fIhostname\fR with keys from any of
+# the specified \fIkeyfile\fR values. The default \fIhostname\fR
+# is the value of the \fBmyhostname\fR main.cf parameter.
+# .sp
+# Instead of absolute pathnames or pathnames relative to
+# $config_directory, the \fIkeyfile\fR list may specify
+# names of supported public key algorithms (see "\fBpostconf
+# -T public-key-algorithms\fR"). In that case, the actual
+# \fIkeyfile\fR list uses the values of the corresponding
+# Postfix server TLS key file parameters. If a parameter
+# value is empty or equal to \fBnone\fR, then no TLSA record
+# is output for that algorithm.
+# .sp
+# The default \fIkeyfile\fR list consists of the two supported
+# algorithms \fBrsa\fR and \fBecdsa\fR.
+# AUXILIARY COMMANDS
+# .IP "\fBall-default-client\fR"
+# Exit with status 0 (success) if all SMTP client TLS settings are
+# at their default values. Otherwise, exit with a non-zero status.
+# This is typically used as follows:
+# .sp
+# \fBpostfix tls all-default-client &&
+# postfix tls enable-client\fR
+# .IP "\fBall-default-server\fR"
+# Exit with status 0 (success) if all SMTP server TLS settings are
+# at their default values. Otherwise, exit with a non-zero status.
+# This is typically used as follows:
+# .sp
+# \fBpostfix tls all-default-server &&
+# postfix tls enable-server\fR
+# CONFIGURATION PARAMETERS
+# .ad
+# .fi
+# The "\fBpostfix tls \fIsubcommand\fR" feature reads
+# or updates the following configuration parameters.
+# .IP "\fBcommand_directory (see 'postconf -d' output)\fR"
+# The location of all postfix administrative commands.
+# .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
+# The default location of the Postfix main.cf and master.cf
+# configuration files.
+# .IP "\fBopenssl_path (openssl)\fR"
+# The location of the OpenSSL command line program \fBopenssl\fR(1).
+# .IP "\fBsmtp_tls_loglevel (0)\fR"
+# Enable additional Postfix SMTP client logging of TLS activity.
+# .IP "\fBsmtp_tls_security_level (empty)\fR"
+# The default SMTP TLS security level for the Postfix SMTP client.
+# .IP "\fBsmtp_tls_session_cache_database (empty)\fR"
+# Name of the file containing the optional Postfix SMTP client
+# TLS session cache.
+# .IP "\fBsmtpd_tls_cert_file (empty)\fR"
+# File with the Postfix SMTP server RSA certificate in PEM format.
+# .IP "\fBsmtpd_tls_eccert_file (empty)\fR"
+# File with the Postfix SMTP server ECDSA certificate in PEM format.
+# .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR"
+# File with the Postfix SMTP server ECDSA private key in PEM format.
+# .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR"
+# File with the Postfix SMTP server RSA private key in PEM format.
+# .IP "\fBsmtpd_tls_loglevel (0)\fR"
+# Enable additional Postfix SMTP server logging of TLS activity.
+# .IP "\fBsmtpd_tls_received_header (no)\fR"
+# Request that the Postfix SMTP server produces Received: message
+# headers that include information about the protocol and cipher used,
+# as well as the remote SMTP client CommonName and client certificate issuer
+# CommonName.
+# .IP "\fBsmtpd_tls_security_level (empty)\fR"
+# The SMTP TLS security level for the Postfix SMTP server; when
+# a non-empty value is specified, this overrides the obsolete parameters
+# smtpd_use_tls and smtpd_enforce_tls.
+# .IP "\fBtls_random_source (see 'postconf -d' output)\fR"
+# The external entropy source for the in-memory \fBtlsmgr\fR(8) pseudo
+# random number generator (PRNG) pool.
+# SEE ALSO
+# master(8) Postfix master program
+# postfix(1) Postfix administrative interface
+# README FILES
+# .ad
+# .fi
+# Use "\fBpostconf readme_directory\fR" or
+# "\fBpostconf html_directory\fR" to locate this information.
+# .na
+# .nf
+# TLS_README, Postfix TLS configuration and operation
+# LICENSE
+# .ad
+# .fi
+# The Secure Mailer license must be distributed with this software.
+# HISTORY
+# The "\fBpostfix tls\fR" command was introduced with Postfix
+# version 3.1.
+# AUTHOR(S)
+# Viktor Dukhovni
+#--
+
+RSA_BITS=2048 # default
+EC_CURVE=secp256r1 # default
+
+case $daemon_directory in
+"") echo This script must be run by the postfix command. 1>&2
+ echo Do not run directly. 1>&2
+ exit 1;;
+esac
+
+umask 022
+SHELL=/bin/sh
+
+postconf=$command_directory/postconf
+LOGGER="$command_directory/postlog -t $MAIL_LOGTAG/postfix-tls-script"
+INFO="$LOGGER -p info"
+WARN="$LOGGER -p warn"
+ERROR="$LOGGER -p error"
+FATAL="$LOGGER -p fatal"
+
+# Overwrite SMTP client and server settings only when these are at defaults.
+client_settings="
+ smtp_use_tls
+ smtp_enforce_tls
+ smtp_tls_enforce_peername
+ smtp_tls_security_level
+ smtp_tls_cert_file
+ smtp_tls_dcert_file
+ smtp_tls_eccert_file
+"
+
+server_settings="
+ smtpd_use_tls
+ smtpd_enforce_tls
+ smtpd_tls_security_level
+ smtpd_tls_cert_file
+ smtpd_tls_dcert_file
+ smtpd_tls_eccert_file
+"
+
+#
+# Can't do much without these in place.
+#
+cd $command_directory || {
+ # Let's hope there's a "postlog" somewhere else on the PATH
+ FATAL="postlog -p fatal -t $MAIL_LOGTAG/postfix-tls-script"
+ msg="no Postfix command directory '${command_directory}'"
+ $FATAL "$msg" || { echo "$msg" >&2; sleep 1; }
+ exit 1
+}
+
+check_getopt() {
+ OPTIND=1
+ a=
+ b=
+ c=
+ set -- -a 1 -b 2 -c -- -pos
+ while getopts :a:b:c o
+ do
+ case $o in
+ a) a="${OPTARG}";;
+ b) b="${OPTARG}";;
+ c) c=3;;
+ *) return 1;;
+ esac
+ done
+ shift `expr ${OPTIND} - 1`
+ if [ "${a}" != "1" -o "${b}" != 2 -o "${c}" != 3 \
+ -o "${OPTIND}" -ne 7 -o "$1" != "-pos" ]; then
+ return 1
+ fi
+}
+
+check_getopt || {
+ $FATAL "/bin/sh does not implement a compatible 'getopts' built-in"
+ exit 1
+}
+
+# ----- BEGIN OpenSSL-specific -----
+
+# No need to set the location of the OpenSSL command in each Postfix instance,
+# the value from the default instance is used for all instances.
+#
+default_config_directory=`$postconf -dh config_directory`
+openssl=`$postconf -c $default_config_directory -xh openssl_path`
+"$openssl" version >/dev/null 2>&1 || {
+ $FATAL "No working openssl(1) command found with 'openssl_path = $openssl'"
+ exit 1
+}
+
+# ----- END OpenSSL-specific -----
+
+test -n "$config_directory" -a -d "$config_directory" || {
+ $FATAL no Postfix configuration directory $config_directory!
+ exit 1
+}
+
+# Do we support TLS and if so which algorithms?
+#
+$postconf -T compile-version | grep . >/dev/null || {
+ mail_version=`$postconf -dh mail_version`
+ $FATAL "Postfix $mail_version is not compiled with TLS support"
+ exit 1
+}
+rsa=
+ecdsa=
+for _algo in `$postconf -T public-key-algorithms | grep -E '^(rsa|ecdsa)$'`
+do
+ eval $_algo=$_algo
+done
+
+# ----- BEGIN OpenSSL-specific -----
+
+if [ -n "${ecdsa}" ]; then
+ $openssl ecparam -name secp256r1 >/dev/null 2>&1 || {
+ cat <<-EOM | $WARN
+ Postfix supports ECDSA, but the $openssl command does not. Consider
+ setting the openssl_path parameter to a more capable version of the
+ command-line utility than $openssl (with PATH=$PATH).
+ EOM
+ ecdsa=
+ }
+fi
+if [ -n "${rsa}" ]; then
+ DEFALG=rsa
+elif [ -n "${ecdsa}" ]; then
+ DEFALG=ecdsa
+else
+ mail_version=`$postconf -dh mail_version`
+ $FATAL "Postfix $mail_version does not support either RSA or ECDSA"
+ exit 1
+fi
+
+# Make sure stdin is open when testing
+if [ -r /dev/stdin ] < /dev/null; then
+ stdin=/dev/stdin
+elif [ -r /dev/fd/0 ] </dev/null; then
+ stdin=/dev/fd/0
+else
+ $FATAL No /dev/fd/0 or /dev/stdin found
+ exit 1
+fi
+
+hex_sha256() {
+ $openssl dgst -binary -sha256 | od -An -vtx1 | tr -d ' \012'
+}
+
+# We require SHA2-256 support from openssl(1)
+#
+null256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+tmp=`hex_sha256 </dev/null 2>/dev/null`
+if [ "${tmp}" != "${null256}" ]; then
+ cat <<EOF >&2
+Your $openssl does not support the SHA2-256 digest algorithm. To enable
+'postfix tls', install an OpenSSL that does. Install its openssl(1) command
+at /usr/local/bin/openssl or other suitable location, and set the
+'openssl_path' parameter in $default_config_directory/main.cf accordingly.
+EOF
+ $FATAL "No 'postfix tls' support when openssl(1) is obsolete"
+ exit 1
+fi
+
+read_key() {
+ [ -n "$1" -a -f "$1" ] || return 1
+
+ # Old OpenSSL versions return success even for unsupported sub-commands!
+ # So we inspect the output instead. Don't prompt if the key is password
+ # protected.
+ #
+ while read cmd key_algo key_param cert_param; do
+ $openssl $cmd -passin "pass:umask 077" -in "$1" |
+ grep . && return 0
+ done 2>/dev/null <<-EOF
+ rsa rsa smtpd_tls_key_file smtpd_tls_cert_file
+ ec ecdsa smtpd_tls_eckey_file smtpd_tls_eccert_file
+ EOF
+ return 1
+}
+
+pubkey_dgst() {
+ [ -n "$1" -a -f "$1" ] || return 1
+
+ # Old OpenSSL versions return success even for unsupported sub-commands!
+ # So we inspect the output instead.
+ #
+ for cmd in ec rsa; do
+ $openssl $cmd -passin "pass:umask 077" -in "$1" -pubout |
+ $openssl $cmd -pubin -outform DER |
+ hex_sha256 | grep -E -v "${null256}" && return 0
+ done 2>/dev/null
+ return 1
+}
+
+cert_pubkey_dgst() {
+ [ -n "$1" -a -f "$1" ] || return 1
+
+ # Old OpenSSL versions return success even for unsupported sub-commands!
+ # So we inspect the output instead.
+ #
+ for cmd in ec rsa; do
+ $openssl x509 -pubkey -noout -in "$1" |
+ $openssl $cmd -pubin -outform DER |
+ hex_sha256 | grep -E -v "${null256}" && return 0
+ done 2>/dev/null
+ return 1
+}
+
+copy_key() {
+ _algo=$1; shift
+ _bits=$1; shift
+ _fold=$1; shift
+ _fnew=$1; shift
+ _umask=`umask`
+
+ umask 077
+ read_key "${_fold}" > "${_fnew}" # sets key_algo of current key
+ _ret=$?
+ umask "${_umask}"
+
+ if [ "${_ret}" -ne 0 ]; then
+ $FATAL "Error copying private key from '${_fold}' to '${_fnew}'"
+ return 1
+ fi
+ if [ "${key_algo}" != "${_algo}" ]; then
+ $FATAL "Key algorithm '$key_algo' of '${_fold}' is not '${_algo}'"
+ return 1
+ fi
+ # XXX: We'd need C-code in postconf to portably check for compatible "bits"
+}
+
+create_key() {
+ _algo=$1
+ _bits=$2
+ _fnew=$3
+ _umask=`umask`
+
+ case $_algo in
+ "") $FATAL "Internal error: empty algorithm"; return 1;;
+ $rsa) set -- "${openssl}" genrsa -out "${_fnew}" "${_bits}";;
+ $ecdsa) set -- "${openssl}" ecparam -param_enc named_curve -genkey \
+ -out "${_fnew}" -name "${_bits}";;
+ *) $FATAL "Internal error: bad algorithm '${_algo}'"
+ return 1;;
+ esac
+
+ umask 077
+ _err=`"$@" 2>&1`
+ _ret=$?
+ umask "${_umask}"
+
+ if [ "${_ret}" -ne 0 ]; then
+ echo "${_err}" | $WARN
+ $FATAL "error generating new ${_algo} ${_bits} private key"
+ return 1
+ fi
+}
+
+create_cert() {
+ _k=$1; shift
+ _c=$1; shift
+ set_fqdn "$1"
+ if [ $# -gt 0 ]; then shift; fi
+ set -- "$fqdn" "$@"
+
+ if [ -r "${_c}" ]; then
+ $FATAL "New certificate file already exists: ${_c}"
+ return 1
+ fi
+
+ # Generate a new self-signed (~100 year) certificate
+ #
+ (
+ echo "default_md = sha256"
+ echo "x509_extensions = v3"
+ echo "prompt = yes"
+ echo "distinguished_name = dn"
+ echo "[dn]"
+ echo "[v3]"
+ echo "basicConstraints = CA:false"
+ echo "subjectKeyIdentifier = hash"
+ echo "extendedKeyUsage = serverAuth, clientAuth"
+ echo "subjectAltName = @alts"
+ echo "[alts]"
+ i=1; for dns in "$@"; do
+ # XXX map empty to $myhostname
+ echo "DNS.$i = $dns"
+ i=`expr $i + 1`
+ done
+ ) | $openssl req -x509 -config $stdin -new -key "${_k}" \
+ -subj "/CN=$fqdn" -days 36525 -out "${_c}" || {
+ rm -f "${_c}" "${_k}"
+ $FATAL "error generating self-signed SSL certificate"
+ return 1
+ }
+}
+
+output_server_csr() {
+ set_keyfile "$1" || return 1
+ shift
+ set_fqdn "$1" || return 1
+ shift
+ set -- "$fqdn" "$@"
+ (
+ echo "default_md = sha256"
+ echo "req_extensions = v3"
+ echo "prompt = yes"
+ echo "distinguished_name = dn"
+ echo "[dn]"
+ echo "[v3]"
+ echo "subjectKeyIdentifier = hash"
+ echo "extendedKeyUsage = serverAuth, clientAuth"
+ echo "subjectAltName = @alts"
+ echo "[alts]"
+ i=1; for dns in "$@"; do
+ echo "DNS.$i = $dns"
+ i=`expr $i + 1`
+ done
+ ) | $openssl req -config $stdin -new -key "$keyfile" -subj /
+}
+
+# ----- END OpenSSL-specific -----
+
+info_enable_client() {
+ cat <<-EOM
+ *** Non-default SMTP client TLS settings detected, no changes made.
+ For opportunistic TLS in the Postfix SMTP client, the below settings
+ are typical:
+ smtp_tls_security_level = may
+ smtp_tls_loglevel = 1
+ EOM
+ if get_cache_db_type dbtype
+ then
+ echo " smtp_tls_session_cache_database = ${dbtype}:\${data_directory}/smtp_scache"
+ fi
+}
+
+info_client_deployed() {
+ cat <<-EOM
+ Enabled opportunistic TLS in the Postfix SMTP client.
+ Run the command:
+ # postfix reload
+ if you want the new settings to take effect immediately.
+ EOM
+}
+
+info_enable_server() {
+ cat <<-EOM
+ *** Non-default SMTP server TLS settings detected, no changes made.
+ For opportunistic TLS in the Postfix SMTP server, the below settings
+ are typical:
+ smtpd_tls_security_level = may
+ smtpd_tls_loglevel = 1
+ You can use "postfix tls new-server-cert" to create a new certificate.
+ Or, "postfix tls new-server-key" to also force a new private key.
+ If you publish DANE TLSA records, see:
+ https://tools.ietf.org/html/rfc7671#section-8
+ https://tools.ietf.org/html/rfc7671#section-5.1
+ https://tools.ietf.org/html/rfc7671#section-5.2
+ https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
+ EOM
+}
+
+# args: certfile keyfile deploy
+info_created() {
+ cat <<-EOM
+ New private key and self-signed certificate created. To deploy run:
+ # postfix tls deploy-server-cert $1 $2
+ EOM
+}
+
+# args: certfile keyfile deploy
+info_server_deployed() {
+ if [ "$3" = "enable" ]; then
+ echo "Enabled opportunistic TLS in the Postfix SMTP server"
+ fi
+ cat <<-EOM
+ New TLS private key and certificate deployed.
+ Run the command:
+ # postfix reload
+ if you want the new settings to take effect immediately.
+ EOM
+}
+
+# args: certfile keyfile deploy
+info_csr() {
+ cat <<-EOM
+ To generate a CSR run:
+ # postfix tls output-server-csr -k $2 [<hostname> ...]
+ EOM
+ if [ -z "$3" ]; then
+ echo "Save the signed certificate chain in $1, and deploy as above."
+ else
+ echo "Save the signed certificate chain in $1."
+ fi
+}
+
+# args: certfile keyfile deploy
+info_tlsa() {
+ # If already deployed, info for how to show all the deployed keys.
+ # Otherwise, just the new keys, so that TLSA records can be updated
+ # first.
+ if [ -n "$3" ]; then shift $#; fi
+ cat <<-EOM
+ To generate TLSA records run:
+ # postfix tls output-server-tlsa [-h <hostname>] $2
+ EOM
+}
+
+# args: certfile keyfile deploy
+info_dane_dns() {
+ # If already deployed, too late to wait, otherwise advise updating TLSA
+ # RRs before deployment.
+ if [ -n "$3" ]; then
+ cat <<-EOM
+ (If you have DANE TLSA RRs, update them as soon as possible to match
+ the newly deployed keys).
+ EOM
+ else
+ cat <<-EOM
+ (deploy after updating the DNS and waiting for stale RRs to expire).
+ EOM
+ fi
+}
+
+set_fqdn() {
+ if [ -n "$1" ]; then fqdn=$1; return 0; fi
+ fqdn=`$postconf -xh myhostname` || return 1
+ case $fqdn in /*) fqdn=`cat "${fqdn}"` || return 1;; esac
+}
+
+set_keyfile() {
+ keyfile=$1
+ case $keyfile in
+ rsa) if [ -n "${rsa}" ]; then
+ keyfile=`$postconf -nxh smtpd_tls_key_file`
+ else
+ keyfile=
+ fi
+ ;;
+ ecdsa) if [ -n "${ecdsa}" ]; then
+ keyfile=`$postconf -nxh smtpd_tls_eckey_file`
+ else
+ keyfile=
+ fi
+ ;;
+ "") : empty ok;;
+ none) : see below;;
+ /*) ;;
+ *) # User-specified key pathnames are relative to the configuration
+ # directory
+ keyfile="${config_directory}/${keyfile}";;
+ esac
+ if [ "${keyfile}" = "none" ]; then keyfile= ; fi
+}
+
+check_key() {
+ read_key "$1" >/dev/null && return 0
+ $FATAL "no private key found in file: $1"
+ return 1
+}
+
+# Create new key or copy existing if specified.
+#
+ensure_key() {
+ _algo=$1; shift
+ _bits=$1; shift
+ stamp=`TZ=UTC date +%Y%m%d-%H%M%S`
+
+ case $_algo in
+ "") $FATAL "Internal error: empty algorithm "; return 1;;
+ $rsa) keyfile="${config_directory}/key-${stamp}.pem"
+ certfile="${config_directory}/cert-${stamp}.pem";;
+ $ecdsa) keyfile="${config_directory}/eckey-${stamp}.pem"
+ certfile="${config_directory}/eccert-${stamp}.pem";;
+ *) $FATAL "Internal error: bad algorithm '${_algo}'"
+ return 1;;
+ esac
+
+ if [ -r "${keyfile}" ]; then
+ $FATAL "New private key file already exists: ${keyfile}"
+ return 1
+ fi
+ if [ -r "${certfile}" ]; then
+ $FATAL "New certificate file already exists: ${certfile}"
+ return 1
+ fi
+
+ if [ -n "$1" ]; then
+ copy_key "${_algo}" "${_bits}" "$1" "${keyfile}" && return 0
+ else
+ create_key "${_algo}" "${_bits}" "${keyfile}" && return 0
+ fi
+ rm -f "${keyfile}"
+ return 1
+}
+
+init_random_source() {
+ tls_random_source=$1
+
+ if [ -z "${tls_random_source}" ]; then
+ tls_random_source=`$postconf -xh tls_random_source`
+ fi
+ if [ -n "${tls_random_source}" ]; then
+ return 0
+ fi
+ if [ -r /dev/urandom ]
+ then
+ tls_random_source=dev:/dev/urandom
+ else
+ $FATAL no default TLS random source defined and no /dev/urandom
+ return 1
+ fi
+}
+
+# Don't be too clever by half.
+all_default() {
+ for var in "$@"
+ do
+ val=`$postconf -nh "${var}"`
+ if [ -n "$val" ]; then return 1; fi
+ done
+ return 0
+}
+
+# Select read-write database type for TLS session caches.
+#
+get_cache_db_type() {
+ var=$1; shift
+ prio=0
+ ret=1
+ for _dbtype in `$postconf -m`
+ do
+ _prio=0
+ case $_dbtype in
+ lmdb) _prio=2;;
+ btree) _prio=1;;
+ esac
+ if [ "$_prio" -gt "$prio" ]
+ then
+ eval "$var=\$_dbtype"
+ prio=$_prio
+ ret=0
+ fi
+ done
+ return $ret
+}
+
+deploy_server_cert() {
+ certfile=$1; shift
+ keyfile=$1; shift
+ case $# in 0) deploy=;; *) deploy=$1; shift;; esac
+
+ # Sets key_algo, key_param and cert_param
+ check_key "$keyfile" || return 1
+
+ cd=`cert_pubkey_dgst "${certfile}"` || {
+ $FATAL "error computing certificate public key digest"
+ return 1
+ }
+ kd=`pubkey_dgst "$keyfile"` || {
+ $FATAL "error computing public key digest"
+ return 1
+ }
+
+ if [ "$cd" != "$kd" ]; then
+ $FATAL "Certificate in ${certfile} does not match key in ${keyfile}"
+ return 1
+ fi
+
+ set -- \
+ "${key_param} = ${keyfile}" \
+ "${cert_param} = ${certfile}"
+
+ if [ "${deploy}" = "enable" ]; then
+ set -- "$@" \
+ "smtpd_tls_security_level = may" \
+ "smtpd_tls_received_header = yes" \
+ "smtpd_tls_loglevel = 1"
+ fi
+
+ if [ -n "${tls_random_source}" ]; then
+ set -- "$@" "tls_random_source = ${tls_random_source}"
+ fi
+
+ # All in one shot, since postconf delays modifying "hot" main.cf files.
+ $postconf -e "$@" || return 1
+}
+
+# Prepare a new cert and perhaps re-use any existing private key.
+#
+new_server_cert() {
+ algo=$1; shift
+ bits=$1; shift
+ oldkey=$1; shift
+ deploy=$1; shift
+
+ # resets keyfile (copy or else new) and new certfile
+ ensure_key "$algo" "$bits" "${oldkey}" || return 1
+ create_cert "${keyfile}" "${certfile}" "$@" || return 1
+ if [ -n "${deploy}" ]; then
+ deploy_server_cert "${certfile}" "${keyfile}" "${deploy}" || return 1
+ fi
+
+ (
+ if [ -z "${deploy}" ]; then
+ info_created "${certfile}" "${keyfile}" "${deploy}"
+ else
+ info_server_deployed "${certfile}" "${keyfile}" "${deploy}"
+ fi
+ info_csr "${certfile}" "${keyfile}" "${deploy}"
+ info_tlsa "${certfile}" "${keyfile}" "${deploy}"
+ if [ -z "${oldkey}" ]; then
+ info_dane_dns "${certfile}" "${keyfile}" "${deploy}"
+ fi
+ ) | $INFO
+}
+
+enable_client() {
+ if all_default ${client_settings}
+ then
+ set -- \
+ "smtp_tls_security_level = may" \
+ "smtp_tls_loglevel = 1"
+
+ if get_cache_db_type dbtype
+ then
+ set -- "$@" \
+ "smtp_tls_session_cache_database = ${dbtype}:${data_directory}/smtp_scache"
+ fi
+
+ if [ -n "${tls_random_source}" ]; then
+ set -- "$@" "tls_random_source = ${tls_random_source}"
+ fi
+
+ # All in one shot, since postconf delays modifying "hot" main.cf files.
+ $postconf -e "$@" || return 1
+ info_client_deployed
+ else
+ info_enable_client
+ fi | $INFO
+}
+
+enable_server() {
+ algo=$1; shift
+ bits=$1; shift
+
+ if all_default ${server_settings}
+ then
+ # algo bits keyfile deploy [hostnames ...]
+ new_server_cert "${algo}" "${bits}" "" "enable" "$@" || return 1
+ else
+ info_enable_server | $INFO
+ fi
+}
+
+output_server_tlsa() {
+ hostname=$1
+ check_key "$2" || return 1
+ data=`pubkey_dgst "$2"` || return 1
+ if [ -z "$data" ]
+ then
+ $FATAL error computing SHA2-256 SPKI digest of "$key"
+ return 1
+ fi
+ echo "_25._tcp.$hostname. IN TLSA 3 1 1 $data"
+}
+
+#
+# Parse JCL
+#
+case $1 in
+enable-client)
+ cmd=$1; shift; OPTIND=1
+ rand=
+ while getopts :r: _opt
+ do
+ case $_opt in
+ r) rand="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-r devrandom]"
+ exit 1;;
+ esac
+ done
+
+ # No positional arguments supported with enable-client
+ if [ $# -ge "${OPTIND}" ]; then
+ $FATAL "usage: postfix tls $cmd [-r devrandom]"
+ exit 1
+ fi
+ # But, shift anyway
+ shift `expr $OPTIND - 1`
+
+ init_random_source "${rand}" || exit 1
+ enable_client || exit 1
+ ;;
+
+enable-server)
+ cmd=$1; shift; OPTIND=1
+ algo=$DEFALG
+ bits=
+ rand=
+ while getopts :a:b:r: _opt
+ do
+ case $_opt in
+ a) algo="${OPTARG}";;
+ b) bits="${OPTARG}";;
+ r) rand="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [-r devrandom] [hostname ...]"
+ exit 1;;
+ esac
+ done
+
+ # Here positional arguments are hostnames for the new certificate, as
+ # many as the user wants
+ shift `expr $OPTIND - 1`
+
+ case $algo in
+ "") $FATAL "Internal error: empty algorithm "; return 1;;
+ $rsa) : ${bits:=${RSA_BITS}};;
+ $ecdsa) : ${bits:=${EC_CURVE}};;
+ *) $FATAL "Unsupported private key algorithm: $algo"
+ exit 1;;
+ esac
+
+ init_random_source "${rand}" || exit 1
+ enable_server "${algo}" "${bits}" "$@" || exit 1
+ ;;
+
+new-server-key)
+ cmd=$1; shift; OPTIND=1
+ algo=$DEFALG
+ while getopts :a:b: _opt
+ do
+ case $_opt in
+ a) algo="${OPTARG}";;
+ b) bits="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [hostname ...]"
+ exit 1;;
+ esac
+ done
+
+ # Here positional arguments are hostnames for the new certificate, as
+ # many as the user wants
+ shift `expr $OPTIND - 1`
+
+ case $algo in
+ "") $FATAL "Internal error: empty algorithm "; return 1;;
+ $rsa) : ${bits:=${RSA_BITS}};;
+ $ecdsa) : ${bits:=${EC_CURVE}};;
+ *) $FATAL "Unsupported public key algorithm: $algo"
+ exit 1;;
+ esac
+
+ # Force new key
+ new_server_cert "${algo}" "${bits}" "" "" "$@" || exit 1
+ ;;
+
+new-server-cert)
+ cmd=$1; shift; OPTIND=1
+ algo=$DEFALG
+ while getopts :a:b: _opt
+ do
+ case $_opt in
+ a) algo="${OPTARG}";;
+ b) bits="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [hostname ...]"
+ exit 1;;
+ esac
+ done
+
+ # Here positional arguments are hostnames for the new certificate, as
+ # many as the user wants
+ shift `expr $OPTIND - 1`
+
+ case $algo in
+ "") $FATAL "Invalid empty key algorithm"; exit 1;;
+ $rsa) : ${bits:=${RSA_BITS}};;
+ $ecdsa) : ${bits:=${EC_CURVE}};;
+ *) $FATAL "Unsupported private key algorithm: $algo"
+ exit 1;;
+ esac
+
+ # Existing keyfile or empty
+ set_keyfile "${algo}"
+
+ if [ -n "${keyfile}" -a ! -f "${keyfile}" ]; then
+ echo "Key file: ${keyfile} not found, creating new keys" | $WARN
+ keyfile=
+ fi
+
+ # Try to re-use (copy) existing key.
+ new_server_cert "${algo}" "${bits}" "${keyfile}" "" "$@" || exit 1
+ ;;
+
+deploy-server-cert)
+ if [ $# -ne 3 ]; then
+ $FATAL "usage: postfix tls $1 certfile keyfile"
+ exit 1
+ fi
+ shift
+
+ # User-specified key and cert pathnames are relative to the
+ # configuration directory
+ #
+ case "${1}" in
+ /*) certfile="${1}" ;;
+ *) certfile="${config_directory}/${1}" ;;
+ esac
+ case "${2}" in
+ /*) keyfile="${2}" ;;
+ *) keyfile="${config_directory}/${2}" ;;
+ esac
+
+ deploy_server_cert "${certfile}" "${keyfile}" || exit 1
+ info_server_deployed "${certfile}" "${keyfile}" "deploy" | $INFO
+ ;;
+
+output-server-csr)
+ cmd=$1; shift; OPTIND=1
+ k=
+ while getopts :k: _opt
+ do
+ case $_opt in
+ k) k="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-k keyfile] [hostname ...]"
+ exit 1;;
+ esac
+ done
+
+ # Here positional arguments are hostnames for the new certificate, as
+ # many as the user wants
+ shift `expr $OPTIND - 1`
+
+ if [ -n "${k}" ]; then
+ set_keyfile "${k}"
+ else
+ for _algo in $rsa $ecdsa
+ do
+ set_keyfile "${_algo}"
+ if [ -n "${keyfile}" ]; then
+ break
+ fi
+ done
+ fi
+
+ if [ -z "${keyfile}" -o ! -r "${keyfile}" ]; then
+ $FATAL "No usable keyfile specified or configured"
+ exit 1
+ fi
+
+ # Default <hostname> from $myhostname
+ if [ $# -eq 0 ]; then
+ set_fqdn
+ set -- "$fqdn"
+ fi
+
+ # Output a CSR for the requested names
+ output_server_csr "$keyfile" "$@" || exit 1
+ ;;
+
+output-server-tlsa)
+ cmd=$1; shift; OPTIND=1
+ hostname=
+ while getopts :h: _opt
+ do
+ case $_opt in
+ h) hostname="${OPTARG}";;
+ *) $FATAL "usage: postfix tls $cmd [-h hostname] [keyfile ...]"
+ exit 1;;
+ esac
+ done
+ set_fqdn "${hostname}"
+
+ # Here positional arguments are keyfiles for which we output "3 1 1"
+ # TLSA RRs, as many keyfiles as the user wants. By default the live
+ # RSA and/or ECDSA keys.
+ shift `expr $OPTIND - 1`
+
+ if [ $# -eq 0 ]; then set -- $rsa $ecdsa; fi
+
+ found=
+ for _k in "$@"
+ do
+ set_keyfile "${_k}"
+ if [ -z "${keyfile}" ]; then continue; fi
+ echo "; ${keyfile}"
+ output_server_tlsa "${fqdn}" "${keyfile}" || exit 1
+ found=1
+ done
+ if [ -z "${found}" ]; then
+ $FATAL "No usable keyfiles specified or configured"
+ exit 1
+ fi
+ ;;
+
+all-default-client)
+ cmd=$1; shift; OPTIND=1
+
+ # No arguments for all-default-client
+ if [ $# -ge "${OPTIND}" ]; then
+ $FATAL "usage: postfix tls $cmd"
+ exit 1
+ fi
+
+ all_default ${client_settings} || exit 1
+ ;;
+
+all-default-server)
+ cmd=$1; shift; OPTIND=1
+
+ # No arguments for all-default-server
+ if [ $# -ge "${OPTIND}" ]; then
+ $FATAL "usage: postfix tls $cmd"
+ exit 1
+ fi
+
+ all_default ${server_settings} || exit 1
+ ;;
+
+*)
+ $ERROR "unknown tls command: '$1'"
+ $FATAL "usage: postfix tls enable-client (or enable-server, new-server-key, new-server-cert, deploy-server-cert, output-server-csr, output-server-tlsa, all-default-client, all-default-server)"
+ exit 1
+ ;;
+
+esac