| Current File : //usr/libexec/postfix/postfix-tls-script |
#!/bin/sh
#++
# NAME
# postfix-tls 1
# SUMMARY
# Postfix TLS management
# SYNOPSIS
# \fBpostfix tls\fR \fIsubcommand\fR
# DESCRIPTION
# The "\fBpostfix tls \fIsubcommand\fR" feature enables
# opportunistic TLS in the Postfix SMTP client or server, and
# manages Postfix SMTP server private keys and certificates.
#
# The following subcommands are available:
# .IP "\fBenable-client\fR [\fB-r \fIrandsource\fR]"
# Enable opportunistic TLS in the Postfix SMTP client, if all
# SMTP client TLS settings are at their default values.
# Otherwise, suggest parameter settings without making any
# changes.
# .sp
# Specify \fIrandsource\fR to update the value of the
# \fBtls_random_source\fR configuration parameter (typically,
# /dev/urandom). Prepend \fBdev:\fR to device paths or
# \fBegd:\fR to EGD socket paths.
# .sp
# See also the \fBall-default-client\fR subcommand.
# .IP "\fBenable-server\fR [\fB-r \fIrandsource\fR] [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB...\fR]"
# Create a new private key and self-signed server certificate
# and enable opportunistic TLS in the Postfix SMTP server,
# if all SMTP server TLS settings are at their default values.
# Otherwise, suggest parameter settings without making any
# changes.
# .sp
# The \fIrandsource\fR parameter is as with \fBenable-client\fR
# above, and the remaining options are as with \fBnew-server-key\fR
# below.
# .sp
# See also the \fBall-default-server\fR subcommand.
# .IP "\fBnew-server-key\fR [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB...\fR]"
# Create a new private key and self-signed server certificate,
# but do not deploy them. Log and display commands to deploy
# the new key and corresponding certificate. Also log and
# display commands to output a corresponding CSR or TLSA
# records which may be needed to obtain a CA certificate or
# to update DNS before the new key can be deployed.
# .sp
# The \fIalgorithm\fR defaults to \fBrsa\fR, and \fIbits\fR
# defaults to 2048. If you choose the \fBecdsa\fR \fIalgorithm\fR
# then \fIbits\fR will be an EC curve name (by default
# \fBsecp256r1\fR, also known as prime256v1). Curves other
# than \fBsecp256r1\fR, \fBsecp384r1\fR or \fBsecp521r1\fR
# are unlikely to be widely interoperable. When generating
# EC keys, use one of these three. DSA keys are obsolete and
# are not supported.
# .sp
# Note: ECDSA support requires OpenSSL 1.0.0 or later and may
# not be available on your system. Not all client systems
# will support ECDSA, so you'll generally want to deploy both
# RSA and ECDSA certificates to make use of ECDSA with
# compatible clients and RSA with the rest. If you want to
# deploy certificate chains with intermediate CAs for both
# RSA and ECDSA, you'll want at least OpenSSL 1.0.2, as earlier
# versions may not handle multiple chain files correctly.
# .sp
# The first \fIhostname\fR argument will be the \fBCommonName\fR
# of both the subject and issuer of the self-signed certificate.
# It, and any additional \fIhostname\fR arguments, will also
# be listed as DNS alternative names in the certificate. If
# no \fIhostname\fR is provided the value of the \fBmyhostname\fR
# main.cf parameter will be used.
# .sp
# For RSA, the generated private key and certificate files
# are named \fBkey-\fIyyyymmdd-hhmmss\fB.pem\fR and
# \fBcert-\fIyyyymmdd-hhmmss\fB.pem\fR, where \fIyyyymmdd\fR
# is the calendar date and \fIhhmmss\fR is the time of day
# in UTC. For ECDSA, the file names start with \fBeckey-\fR
# and \fBeccert-\fR instead of \fBkey-\fR and \fBcert-\fR
# respectively.
# .sp
# Before deploying the new key and certificate with DANE,
# update the DNS with new DANE TLSA records, then wait for
# secondary nameservers to update and then for stale records
# in remote DNS caches to expire.
# .sp
# Before deploying a new CA certificate make sure to include
# all the required intermediate issuing CA certificates in
# the certificate chain file. The server certificate must
# be the first certificate in the chain file. Overwrite and
# deploy the file with the original self-signed certificate
# that was generated together with the key.
# .IP "\fBnew-server-cert\fR [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB...\fR]"
# This is just like \fBnew-server-key\fR except that, rather
# than generating a new private key, any currently deployed
# private key is copied to the new key file. Thus if you're
# publishing DANE TLSA "3 1 1" or "3 1 2" records, there is
# no need to update DNS records. The \fIalgorithm\fR and
# \fIbits\fR arguments are used only if no key of the same
# algorithm is already configured.
# .sp
# This command is rarely needed, because the self-signed
# certificates generated have a 100-year nominal expiration
# time. The underlying public key algorithms may well be
# obsoleted by quantum computers long before then.
# .sp
# The most plausible reason for using this command is when
# the system hostname changes, and you'd like the name in the
# certificate to match the new hostname (not required for
# DANE "3 1 1", but some needlessly picky non-DANE opportunistic
# TLS clients may log warnings or even refuse to communicate).
# .IP "\fBdeploy-server-cert \fIcertfile\fB \fIkeyfile\fR"
# This subcommand deploys the certificates in \fIcertfile\fR
# and private key in \fIkeyfile\fR (which are typically
# generated by the commands above, which will also log and
# display the full command needed to deploy the generated key
# and certificate). After the new certificate and key are
# deployed any obsolete keys and certificates may be removed
# by hand. The \fIkeyfile\fR and \fIcertfile\fR filenames
# may be relative to the Postfix configuration directory.
# .IP "\fBoutput-server-csr\fR [\fB-k \fIkeyfile\fR] [\fIhostname\fB...\fR]"
# Write to stdout a certificate signing request (CSR) for the
# specified \fIkeyfile\fR.
# .sp
# Instead of an absolute pathname or a pathname relative to
# $config_directory, \fIkeyfile\fR may specify one of the
# supported key algorithm names (see "\fBpostconf -T
# public-key-algorithms\fR"). In that case, the corresponding
# setting from main.cf is used to locate the \fIkeyfile\fR.
# The default \fIkeyfile\fR value is \fBrsa\fR.
# .sp
# Zero or more \fIhostname\fR values can be specified. The
# default \fIhostname\fR is the value of \fBmyhostname\fR
# main.cf parameter.
# .IP "\fBoutput-server-tlsa\fR [\fB-h \fIhostname\fR] [\fIkeyfile\fB...\fR]"
# Write to stdout a DANE TLSA RRset suitable for a port 25
# SMTP server on host \fIhostname\fR with keys from any of
# the specified \fIkeyfile\fR values. The default \fIhostname\fR
# is the value of the \fBmyhostname\fR main.cf parameter.
# .sp
# Instead of absolute pathnames or pathnames relative to
# $config_directory, the \fIkeyfile\fR list may specify
# names of supported public key algorithms (see "\fBpostconf
# -T public-key-algorithms\fR"). In that case, the actual
# \fIkeyfile\fR list uses the values of the corresponding
# Postfix server TLS key file parameters. If a parameter
# value is empty or equal to \fBnone\fR, then no TLSA record
# is output for that algorithm.
# .sp
# The default \fIkeyfile\fR list consists of the two supported
# algorithms \fBrsa\fR and \fBecdsa\fR.
# AUXILIARY COMMANDS
# .IP "\fBall-default-client\fR"
# Exit with status 0 (success) if all SMTP client TLS settings are
# at their default values. Otherwise, exit with a non-zero status.
# This is typically used as follows:
# .sp
# \fBpostfix tls all-default-client &&
# postfix tls enable-client\fR
# .IP "\fBall-default-server\fR"
# Exit with status 0 (success) if all SMTP server TLS settings are
# at their default values. Otherwise, exit with a non-zero status.
# This is typically used as follows:
# .sp
# \fBpostfix tls all-default-server &&
# postfix tls enable-server\fR
# CONFIGURATION PARAMETERS
# .ad
# .fi
# The "\fBpostfix tls \fIsubcommand\fR" feature reads
# or updates the following configuration parameters.
# .IP "\fBcommand_directory (see 'postconf -d' output)\fR"
# The location of all postfix administrative commands.
# .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
# The default location of the Postfix main.cf and master.cf
# configuration files.
# .IP "\fBopenssl_path (openssl)\fR"
# The location of the OpenSSL command line program \fBopenssl\fR(1).
# .IP "\fBsmtp_tls_loglevel (0)\fR"
# Enable additional Postfix SMTP client logging of TLS activity.
# .IP "\fBsmtp_tls_security_level (empty)\fR"
# The default SMTP TLS security level for the Postfix SMTP client;
# when a non-empty value is specified, this overrides the obsolete
# parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
# .IP "\fBsmtp_tls_session_cache_database (empty)\fR"
# Name of the file containing the optional Postfix SMTP client
# TLS session cache.
# .IP "\fBsmtpd_tls_cert_file (empty)\fR"
# File with the Postfix SMTP server RSA certificate in PEM format.
# .IP "\fBsmtpd_tls_eccert_file (empty)\fR"
# File with the Postfix SMTP server ECDSA certificate in PEM format.
# .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR"
# File with the Postfix SMTP server ECDSA private key in PEM format.
# .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR"
# File with the Postfix SMTP server RSA private key in PEM format.
# .IP "\fBsmtpd_tls_loglevel (0)\fR"
# Enable additional Postfix SMTP server logging of TLS activity.
# .IP "\fBsmtpd_tls_received_header (no)\fR"
# Request that the Postfix SMTP server produces Received: message
# headers that include information about the protocol and cipher used,
# as well as the remote SMTP client CommonName and client certificate issuer
# CommonName.
# .IP "\fBsmtpd_tls_security_level (empty)\fR"
# The SMTP TLS security level for the Postfix SMTP server; when
# a non-empty value is specified, this overrides the obsolete parameters
# smtpd_use_tls and smtpd_enforce_tls.
# .IP "\fBtls_random_source (see 'postconf -d' output)\fR"
# The external entropy source for the in-memory \fBtlsmgr\fR(8) pseudo
# random number generator (PRNG) pool.
# SEE ALSO
# master(8) Postfix master program
# postfix(1) Postfix administrative interface
# README FILES
# .ad
# .fi
# Use "\fBpostconf readme_directory\fR" or
# "\fBpostconf html_directory\fR" to locate this information.
# .na
# .nf
# TLS_README, Postfix TLS configuration and operation
# LICENSE
# .ad
# .fi
# The Secure Mailer license must be distributed with this software.
# HISTORY
# The "\fBpostfix tls\fR" command was introduced with Postfix
# version 3.1.
# AUTHOR(S)
# Viktor Dukhovni
#--
RSA_BITS=2048 # default
EC_CURVE=secp256r1 # default
case $daemon_directory in
"") echo This script must be run by the postfix command. 1>&2
echo Do not run directly. 1>&2
exit 1;;
esac
umask 022
SHELL=/bin/sh
postconf=$command_directory/postconf
LOGGER="$command_directory/postlog -t $MAIL_LOGTAG/postfix-tls-script"
INFO="$LOGGER -p info"
WARN="$LOGGER -p warn"
ERROR="$LOGGER -p error"
FATAL="$LOGGER -p fatal"
# Overwrite SMTP client and server settings only when these are at defaults.
client_settings="
smtp_use_tls
smtp_enforce_tls
smtp_tls_enforce_peername
smtp_tls_security_level
smtp_tls_cert_file
smtp_tls_dcert_file
smtp_tls_eccert_file
"
server_settings="
smtpd_use_tls
smtpd_enforce_tls
smtpd_tls_security_level
smtpd_tls_cert_file
smtpd_tls_dcert_file
smtpd_tls_eccert_file
"
#
# Can't do much without these in place.
#
cd $command_directory || {
# Let's hope there's a "postlog" somewhere else on the PATH
FATAL="postlog -p fatal -t $MAIL_LOGTAG/postfix-tls-script"
msg="no Postfix command directory '${command_directory}'"
$FATAL "$msg" || { echo "$msg" >&2; sleep 1; }
exit 1
}
check_getopt() {
OPTIND=1
a=
b=
c=
set -- -a 1 -b 2 -c -- -pos
while getopts :a:b:c o
do
case $o in
a) a="${OPTARG}";;
b) b="${OPTARG}";;
c) c=3;;
*) return 1;;
esac
done
shift `expr ${OPTIND} - 1`
if [ "${a}" != "1" -o "${b}" != 2 -o "${c}" != 3 \
-o "${OPTIND}" -ne 7 -o "$1" != "-pos" ]; then
return 1
fi
}
check_getopt || {
$FATAL "/bin/sh does not implement a compatible 'getopts' built-in"
exit 1
}
# ----- BEGIN OpenSSL-specific -----
# No need to set the location of the OpenSSL command in each Postfix instance,
# the value from the default instance is used for all instances.
#
default_config_directory=`$postconf -dh config_directory`
openssl=`$postconf -c $default_config_directory -xh openssl_path`
"$openssl" version >/dev/null 2>&1 || {
$FATAL "No working openssl(1) command found with 'openssl_path = $openssl'"
exit 1
}
# ----- END OpenSSL-specific -----
test -n "$config_directory" -a -d "$config_directory" || {
$FATAL no Postfix configuration directory $config_directory!
exit 1
}
# Do we support TLS and if so which algorithms?
#
$postconf -T compile-version | grep . >/dev/null || {
mail_version=`$postconf -dh mail_version`
$FATAL "Postfix $mail_version is not compiled with TLS support"
exit 1
}
rsa=
ecdsa=
for _algo in `$postconf -T public-key-algorithms | egrep '^(rsa|ecdsa)$'`
do
eval $_algo=$_algo
done
# ----- BEGIN OpenSSL-specific -----
if [ -n "${ecdsa}" ]; then
$openssl ecparam -name secp256r1 >/dev/null 2>&1 || {
cat <<-EOM | $WARN
Postfix supports ECDSA, but the $openssl command does not. Consider
setting the openssl_path parameter to a more capable version of the
command-line utility than $openssl (with PATH=$PATH).
EOM
ecdsa=
}
fi
if [ -n "${rsa}" ]; then
DEFALG=rsa
elif [ -n "${ecdsa}" ]; then
DEFALG=ecdsa
else
mail_version=`$postconf -dh mail_version`
$FATAL "Postfix $mail_version does not support either RSA or ECDSA"
exit 1
fi
# Make sure stdin is open when testing
if [ -r /dev/stdin ] < /dev/null; then
stdin=/dev/stdin
elif [ -r /dev/fd/0 ] </dev/null; then
stdin=/dev/fd/0
else
$FATAL No /dev/fd/0 or /dev/stdin found
exit 1
fi
hex_sha256() {
$openssl dgst -binary -sha256 | od -An -vtx1 | tr -d ' \012'
}
# We require SHA2-256 support from openssl(1)
#
null256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
tmp=`hex_sha256 </dev/null 2>/dev/null`
if [ "${tmp}" != "${null256}" ]; then
cat <<EOF >&2
Your $openssl does not support the SHA2-256 digest algorithm. To enable
'postfix tls', install an OpenSSL that does. Install its openssl(1) command
at /usr/local/bin/openssl or other suitable location, and set the
'openssl_path' parameter in $default_config_directory/main.cf accordingly.
EOF
$FATAL "No 'postfix tls' support when openssl(1) is obsolete"
exit 1
fi
read_key() {
[ -n "$1" -a -f "$1" ] || return 1
# Old OpenSSL versions return success even for unsupported sub-commands!
# So we inspect the output instead. Don't prompt if the key is password
# protected.
#
while read cmd key_algo key_param cert_param; do
$openssl $cmd -passin "pass:umask 077" -in "$1" |
grep . && return 0
done 2>/dev/null <<-EOF
rsa rsa smtpd_tls_key_file smtpd_tls_cert_file
ec ecdsa smtpd_tls_eckey_file smtpd_tls_eccert_file
EOF
return 1
}
pubkey_dgst() {
[ -n "$1" -a -f "$1" ] || return 1
# Old OpenSSL versions return success even for unsupported sub-commands!
# So we inspect the output instead.
#
for cmd in ec rsa; do
$openssl $cmd -passin "pass:umask 077" -in "$1" -pubout |
$openssl $cmd -pubin -outform DER |
hex_sha256 | egrep -v "${null256}" && return 0
done 2>/dev/null
return 1
}
cert_pubkey_dgst() {
[ -n "$1" -a -f "$1" ] || return 1
# Old OpenSSL versions return success even for unsupported sub-commands!
# So we inspect the output instead.
#
for cmd in ec rsa; do
$openssl x509 -pubkey -noout -in "$1" |
$openssl $cmd -pubin -outform DER |
hex_sha256 | egrep -v "${null256}" && return 0
done 2>/dev/null
return 1
}
copy_key() {
_algo=$1; shift
_bits=$1; shift
_fold=$1; shift
_fnew=$1; shift
_umask=`umask`
umask 077
read_key "${_fold}" > "${_fnew}" # sets key_algo of current key
_ret=$?
umask "${_umask}"
if [ "${_ret}" -ne 0 ]; then
$FATAL "Error copying private key from '${_fold}' to '${_fnew}'"
return 1
fi
if [ "${key_algo}" != "${_algo}" ]; then
$FATAL "Key algorithm '$key_algo' of '${_fold}' is not '${_algo}'"
return 1
fi
# XXX: We'd need C-code in postconf to portably check for compatible "bits"
}
create_key() {
_algo=$1
_bits=$2
_fnew=$3
_umask=`umask`
case $_algo in
"") $FATAL "Internal error: empty algorithm"; return 1;;
$rsa) set -- "${openssl}" genrsa -out "${_fnew}" "${_bits}";;
$ecdsa) set -- "${openssl}" ecparam -param_enc named_curve -genkey \
-out "${_fnew}" -name "${_bits}";;
*) $FATAL "Internal error: bad algorithm '${_algo}'"
return 1;;
esac
umask 077
_err=`"$@" 2>&1`
_ret=$?
umask "${_umask}"
if [ "${_ret}" -ne 0 ]; then
echo "${_err}" | $WARN
$FATAL "error generating new ${_algo} ${_bits} private key"
return 1
fi
}
create_cert() {
_k=$1; shift
_c=$1; shift
set_fqdn "$1"
if [ $# -gt 0 ]; then shift; fi
set -- "$fqdn" "$@"
if [ -r "${_c}" ]; then
$FATAL "New certificate file already exists: ${_c}"
return 1
fi
# Generate a new self-signed (~100 year) certificate
#
(
echo "default_md = sha256"
echo "x509_extensions = v3"
echo "prompt = yes"
echo "distinguished_name = dn"
echo "[dn]"
echo "[v3]"
echo "basicConstraints = CA:false"
echo "subjectKeyIdentifier = hash"
echo "extendedKeyUsage = serverAuth, clientAuth"
echo "subjectAltName = @alts"
echo "[alts]"
i=1; for dns in "$@"; do
# XXX map empty to $myhostname
echo "DNS.$i = $dns"
i=`expr $i + 1`
done
) | $openssl req -x509 -config $stdin -new -key "${_k}" \
-subj "/CN=$fqdn" -days 36525 -out "${_c}" || {
rm -f "${_c}" "${_k}"
$FATAL "error generating self-signed SSL certificate"
return 1
}
}
output_server_csr() {
set_keyfile "$1" || return 1
shift
set_fqdn "$1" || return 1
shift
set -- "$fqdn" "$@"
(
echo "default_md = sha256"
echo "req_extensions = v3"
echo "prompt = yes"
echo "distinguished_name = dn"
echo "[dn]"
echo "[v3]"
echo "subjectKeyIdentifier = hash"
echo "extendedKeyUsage = serverAuth, clientAuth"
echo "subjectAltName = @alts"
echo "[alts]"
i=1; for dns in "$@"; do
echo "DNS.$i = $dns"
i=`expr $i + 1`
done
) | $openssl req -config $stdin -new -key "$keyfile" -subj /
}
# ----- END OpenSSL-specific -----
info_enable_client() {
cat <<-EOM
*** Non-default SMTP client TLS settings detected, no changes made.
For opportunistic TLS in the Postfix SMTP client, the below settings
are typical:
smtp_tls_security_level = may
smtp_tls_loglevel = 1
EOM
if get_cache_db_type dbtype
then
echo " smtp_tls_session_cache_database = ${dbtype}:\${data_directory}/smtp_scache"
fi
}
info_client_deployed() {
cat <<-EOM
Enabled opportunistic TLS in the Postfix SMTP client.
Run the command:
# postfix reload
if you want the new settings to take effect immediately.
EOM
}
info_enable_server() {
cat <<-EOM
*** Non-default SMTP server TLS settings detected, no changes made.
For opportunistic TLS in the Postfix SMTP server, the below settings
are typical:
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
You can use "postfix tls new-server-cert" to create a new certificate.
Or, "postfix tls new-server-key" to also force a new private key.
If you publish DANE TLSA records, see:
https://tools.ietf.org/html/rfc7671#section-8
https://tools.ietf.org/html/rfc7671#section-5.1
https://tools.ietf.org/html/rfc7671#section-5.2
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
EOM
}
# args: certfile keyfile deploy
info_created() {
cat <<-EOM
New private key and self-signed certificate created. To deploy run:
# postfix tls deploy-server-cert $1 $2
EOM
}
# args: certfile keyfile deploy
info_server_deployed() {
if [ "$3" = "enable" ]; then
echo "Enabled opportunistic TLS in the Postfix SMTP server"
fi
cat <<-EOM
New TLS private key and certificate deployed.
Run the command:
# postfix reload
if you want the new settings to take effect immediately.
EOM
}
# args: certfile keyfile deploy
info_csr() {
cat <<-EOM
To generate a CSR run:
# postfix tls output-server-csr -k $2 [<hostname> ...]
EOM
if [ -z "$3" ]; then
echo "Save the signed certificate chain in $1, and deploy as above."
else
echo "Save the signed certificate chain in $1."
fi
}
# args: certfile keyfile deploy
info_tlsa() {
# If already deployed, info for how to show all the deployed keys.
# Otherwise, just the new keys, so that TLSA records can be updated
# first.
if [ -n "$3" ]; then shift $#; fi
cat <<-EOM
To generate TLSA records run:
# postfix tls output-server-tlsa [-h <hostname>] $2
EOM
}
# args: certfile keyfile deploy
info_dane_dns() {
# If already deployed, too late to wait, otherwise advise updating TLSA
# RRs before deployment.
if [ -n "$3" ]; then
cat <<-EOM
(If you have DANE TLSA RRs, update them as soon as possible to match
the newly deployed keys).
EOM
else
cat <<-EOM
(deploy after updating the DNS and waiting for stale RRs to expire).
EOM
fi
}
set_fqdn() {
if [ -n "$1" ]; then fqdn=$1; return 0; fi
fqdn=`$postconf -xh myhostname` || return 1
case $fqdn in /*) fqdn=`cat "${fqdn}"` || return 1;; esac
}
set_keyfile() {
keyfile=$1
case $keyfile in
rsa) if [ -n "${rsa}" ]; then
keyfile=`$postconf -nxh smtpd_tls_key_file`
else
keyfile=
fi
;;
ecdsa) if [ -n "${ecdsa}" ]; then
keyfile=`$postconf -nxh smtpd_tls_eckey_file`
else
keyfile=
fi
;;
"") : empty ok;;
none) : see below;;
/*) ;;
*) # User-specified key pathnames are relative to the configuration
# directory
keyfile="${config_directory}/${keyfile}";;
esac
if [ "${keyfile}" = "none" ]; then keyfile= ; fi
}
check_key() {
read_key "$1" >/dev/null && return 0
$FATAL "no private key found in file: $1"
return 1
}
# Create new key or copy existing if specified.
#
ensure_key() {
_algo=$1; shift
_bits=$1; shift
stamp=`TZ=UTC date +%Y%m%d-%H%M%S`
case $_algo in
"") $FATAL "Internal error: empty algorithm "; return 1;;
$rsa) keyfile="${config_directory}/key-${stamp}.pem"
certfile="${config_directory}/cert-${stamp}.pem";;
$ecdsa) keyfile="${config_directory}/eckey-${stamp}.pem"
certfile="${config_directory}/eccert-${stamp}.pem";;
*) $FATAL "Internal error: bad algorithm '${_algo}'"
return 1;;
esac
if [ -r "${keyfile}" ]; then
$FATAL "New private key file already exists: ${keyfile}"
return 1
fi
if [ -r "${certfile}" ]; then
$FATAL "New certificate file already exists: ${certfile}"
return 1
fi
if [ -n "$1" ]; then
copy_key "${_algo}" "${_bits}" "$1" "${keyfile}" && return 0
else
create_key "${_algo}" "${_bits}" "${keyfile}" && return 0
fi
rm -f "${keyfile}"
return 1
}
init_random_source() {
tls_random_source=$1
if [ -z "${tls_random_source}" ]; then
tls_random_source=`$postconf -xh tls_random_source`
fi
if [ -n "${tls_random_source}" ]; then
return 0
fi
if [ -r /dev/urandom ]
then
tls_random_source=dev:/dev/urandom
else
$FATAL no default TLS random source defined and no /dev/urandom
return 1
fi
}
# Don't be too clever by half.
all_default() {
for var in "$@"
do
val=`$postconf -nh "${var}"`
if [ -n "$val" ]; then return 1; fi
done
return 0
}
# Select read-write database type for TLS session caches.
#
get_cache_db_type() {
var=$1; shift
prio=0
ret=1
for _dbtype in `$postconf -m`
do
_prio=0
case $_dbtype in
lmdb) _prio=2;;
btree) _prio=1;;
esac
if [ "$_prio" -gt "$prio" ]
then
eval "$var=\$_dbtype"
prio=$_prio
ret=0
fi
done
return $ret
}
deploy_server_cert() {
certfile=$1; shift
keyfile=$1; shift
deploy=$1; shift
# Sets key_algo, key_param and cert_param
check_key "$keyfile" || return 1
cd=`cert_pubkey_dgst "${certfile}"` || {
$FATAL "error computing certificate public key digest"
return 1
}
kd=`pubkey_dgst "$keyfile"` || {
$FATAL "error computing public key digest"
return 1
}
if [ "$cd" != "$kd" ]; then
$FATAL "Certificate in ${certfile} does not match key in ${keyfile}"
return 1
fi
set -- \
"${key_param} = ${keyfile}" \
"${cert_param} = ${certfile}"
if [ "${deploy}" = "enable" ]; then
set -- "$@" \
"smtpd_tls_security_level = may" \
"smtpd_tls_received_header = yes" \
"smtpd_tls_loglevel = 1"
fi
if [ -n "${tls_random_source}" ]; then
set -- "$@" "tls_random_source = ${tls_random_source}"
fi
# All in one shot, since postconf delays modifying "hot" main.cf files.
$postconf -e "$@" || return 1
}
# Prepare a new cert and perhaps re-use any existing private key.
#
new_server_cert() {
algo=$1; shift
bits=$1; shift
oldkey=$1; shift
deploy=$1; shift
# resets keyfile (copy or else new) and new certfile
ensure_key "$algo" "$bits" "${oldkey}" || return 1
create_cert "${keyfile}" "${certfile}" "$@" || return 1
if [ -n "${deploy}" ]; then
deploy_server_cert "${certfile}" "${keyfile}" "${deploy}" || return 1
fi
(
if [ -z "${deploy}" ]; then
info_created "${certfile}" "${keyfile}" "${deploy}"
else
info_server_deployed "${certfile}" "${keyfile}" "${deploy}"
fi
info_csr "${certfile}" "${keyfile}" "${deploy}"
info_tlsa "${certfile}" "${keyfile}" "${deploy}"
if [ -z "${oldkey}" ]; then
info_dane_dns "${certfile}" "${keyfile}" "${deploy}"
fi
) | $INFO
}
enable_client() {
if all_default ${client_settings}
then
set -- \
"smtp_tls_security_level = may" \
"smtp_tls_loglevel = 1"
if get_cache_db_type dbtype
then
set -- "$@" \
"smtp_tls_session_cache_database = ${dbtype}:${data_directory}/smtp_scache"
fi
if [ -n "${tls_random_source}" ]; then
set -- "$@" "tls_random_source = ${tls_random_source}"
fi
# All in one shot, since postconf delays modifying "hot" main.cf files.
$postconf -e "$@" || return 1
info_client_deployed
else
info_enable_client
fi | $INFO
}
enable_server() {
algo=$1; shift
bits=$1; shift
if all_default ${server_settings}
then
# algo bits keyfile deploy [hostnames ...]
new_server_cert "${algo}" "${bits}" "" "enable" "$@" || return 1
else
info_enable_server | $INFO
fi
}
output_server_tlsa() {
hostname=$1
check_key "$2" || return 1
data=`pubkey_dgst "$2"` || return 1
if [ -z "$data" ]
then
$FATAL error computing SHA2-256 SPKI digest of "$key"
return 1
fi
echo "_25._tcp.$hostname. IN TLSA 3 1 1 $data"
}
#
# Parse JCL
#
case $1 in
enable-client)
cmd=$1; shift; OPTIND=1
rand=
while getopts :r: _opt
do
case $_opt in
r) rand="${OPTARG}";;
*) $FATAL "usage: postfix tls $cmd [-r devrandom]"
exit 1;;
esac
done
# No positional arguments supported with enable-client
if [ $# -ge "${OPTIND}" ]; then
$FATAL "usage: postfix tls $cmd [-r devrandom]"
exit 1
fi
# But, shift anyway
shift `expr $OPTIND - 1`
init_random_source "${rand}" || exit 1
enable_client || exit 1
;;
enable-server)
cmd=$1; shift; OPTIND=1
algo=$DEFALG
bits=
rand=
while getopts :a:b:r: _opt
do
case $_opt in
a) algo="${OPTARG}";;
b) bits="${OPTARG}";;
r) rand="${OPTARG}";;
*) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [-r devrandom] [hostname ...]"
exit 1;;
esac
done
# Here positional arguments are hostnames for the new certificate, as
# many as the user wants
shift `expr $OPTIND - 1`
case $algo in
"") $FATAL "Internal error: empty algorithm "; return 1;;
$rsa) : ${bits:=${RSA_BITS}};;
$ecdsa) : ${bits:=${EC_CURVE}};;
*) $FATAL "Unsupported private key algorithm: $algo"
exit 1;;
esac
init_random_source "${rand}" || exit 1
enable_server "${algo}" "${bits}" "$@" || exit 1
;;
new-server-key)
cmd=$1; shift; OPTIND=1
algo=$DEFALG
while getopts :a:b: _opt
do
case $_opt in
a) algo="${OPTARG}";;
b) bits="${OPTARG}";;
*) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [hostname ...]"
exit 1;;
esac
done
# Here positional arguments are hostnames for the new certificate, as
# many as the user wants
shift `expr $OPTIND - 1`
case $algo in
"") $FATAL "Internal error: empty algorithm "; return 1;;
$rsa) : ${bits:=${RSA_BITS}};;
$ecdsa) : ${bits:=${EC_CURVE}};;
*) $FATAL "Unsupported public key algorithm: $algo"
exit 1;;
esac
# Force new key
new_server_cert "${algo}" "${bits}" "" "" "$@" || exit 1
;;
new-server-cert)
cmd=$1; shift; OPTIND=1
algo=$DEFALG
while getopts :a:b: _opt
do
case $_opt in
a) algo="${OPTARG}";;
b) bits="${OPTARG}";;
*) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [hostname ...]"
exit 1;;
esac
done
# Here positional arguments are hostnames for the new certificate, as
# many as the user wants
shift `expr $OPTIND - 1`
case $algo in
"") $FATAL "Invalid empty key algorithm"; exit 1;;
$rsa) : ${bits:=${RSA_BITS}};;
$ecdsa) : ${bits:=${EC_CURVE}};;
*) $FATAL "Unsupported private key algorithm: $algo"
exit 1;;
esac
# Existing keyfile or empty
set_keyfile "${algo}"
if [ -n "${keyfile}" -a ! -f "${keyfile}" ]; then
echo "Key file: ${keyfile} not found, creating new keys" | $WARN
keyfile=
fi
# Try to re-use (copy) existing key.
new_server_cert "${algo}" "${bits}" "${keyfile}" "" "$@" || exit 1
;;
deploy-server-cert)
if [ $# -ne 3 ]; then
$FATAL "usage: postfix tls $1 certfile keyfile"
exit 1
fi
shift
# User-specified key and cert pathnames are relative to the
# configuration directory
#
case "${1}" in
/*) certfile="${1}" ;;
*) certfile="${config_directory}/${1}" ;;
esac
case "${2}" in
/*) keyfile="${2}" ;;
*) keyfile="${config_directory}/${2}" ;;
esac
deploy_server_cert "${certfile}" "${keyfile}" || exit 1
info_server_deployed "${certfile}" "${keyfile}" "deploy" | $INFO
;;
output-server-csr)
cmd=$1; shift; OPTIND=1
k=
while getopts :k: _opt
do
case $_opt in
k) k="${OPTARG}";;
*) $FATAL "usage: postfix tls $cmd [-k keyfile] [hostname ...]"
exit 1;;
esac
done
# Here positional arguments are hostnames for the new certificate, as
# many as the user wants
shift `expr $OPTIND - 1`
if [ -n "${k}" ]; then
set_keyfile "${k}"
else
for _algo in $rsa $ecdsa
do
set_keyfile "${_algo}"
if [ -n "${keyfile}" ]; then
break
fi
done
fi
if [ -z "${keyfile}" -o ! -r "${keyfile}" ]; then
$FATAL "No usable keyfile specified or configured"
exit 1
fi
# Default <hostname> from $myhostname
if [ $# -eq 0 ]; then
set_fqdn
set -- "$fqdn"
fi
# Output a CSR for the requested names
output_server_csr "$keyfile" "$@" || exit 1
;;
output-server-tlsa)
cmd=$1; shift; OPTIND=1
hostname=
while getopts :h: _opt
do
case $_opt in
h) hostname="${OPTARG}";;
*) $FATAL "usage: postfix tls $cmd [-h hostname] [keyfile ...]"
exit 1;;
esac
done
set_fqdn "${hostname}"
# Here positional arguments are keyfiles for which we output "3 1 1"
# TLSA RRs, as many keyfiles as the user wants. By default the live
# RSA and/or ECDSA keys.
shift `expr $OPTIND - 1`
if [ $# -eq 0 ]; then set -- $rsa $ecdsa; fi
found=
for _k in "$@"
do
set_keyfile "${_k}"
if [ -z "${keyfile}" ]; then continue; fi
echo "; ${keyfile}"
output_server_tlsa "${fqdn}" "${keyfile}" || exit 1
found=1
done
if [ -z "${found}" ]; then
$FATAL "No usable keyfiles specified or configured"
exit 1
fi
;;
all-default-client)
cmd=$1; shift; OPTIND=1
# No arguments for all-default-client
if [ $# -ge "${OPTIND}" ]; then
$FATAL "usage: postfix tls $cmd"
exit 1
fi
all_default ${client_settings} || exit 1
;;
all-default-server)
cmd=$1; shift; OPTIND=1
# No arguments for all-default-server
if [ $# -ge "${OPTIND}" ]; then
$FATAL "usage: postfix tls $cmd"
exit 1
fi
all_default ${server_settings} || exit 1
;;
*)
$ERROR "unknown tls command: '$1'"
$FATAL "usage: postfix tls enable-client (or enable-server, new-server-key, new-server-cert, deploy-server-cert, output-server-csr, output-server-tlsa, all-default-client, all-default-server)"
exit 1
;;
esac