forked from pool/postfix
d737fb736c
rework tls stuff, fix post-install, update vda patch OBS-URL: https://build.opensuse.org/request/show/70284 OBS-URL: https://build.opensuse.org/package/show/server:mail/postfix?expand=0&rev=74
133 lines
5.3 KiB
Diff
133 lines
5.3 KiB
Diff
diff -ruN postfix-SuSE-orig/SuSEconfig.postfix postfix-SuSE/SuSEconfig.postfix
|
|
--- postfix-SuSE-orig/SuSEconfig.postfix 2011-05-11 10:30:56.000000000 +0200
|
|
+++ postfix-SuSE/SuSEconfig.postfix 2011-05-15 15:42:17.000000000 +0200
|
|
@@ -143,7 +143,6 @@
|
|
if [ "$CAPATH" ]
|
|
then
|
|
cpifnewer "$CAPATH/*" ./$CAPATH
|
|
- mkdir ./etc/ssl
|
|
rsync -avH /etc/ssl/certs ./etc/ssl
|
|
fi
|
|
# smtpd_tls_CAfile
|
|
@@ -162,10 +161,12 @@
|
|
fi
|
|
# smtpd_tls_key_file
|
|
smtpd_tls_key_file=`postconf -h smtpd_tls_key_file`
|
|
- if [ "$smtpd_tls_key_file" -a $smtpd_tls_key_file != '$smtpd_tls_cert_file' ]
|
|
- then
|
|
- DIR=`dirname $smtpd_tls_key_file`
|
|
- cpifnewer $smtpd_tls_key_file ./$DIR
|
|
+ if [ -n "$smtpd_tls_key_file" ]; then
|
|
+ if [ "$smtpd_tls_key_file" -a $smtpd_tls_key_file != '$smtpd_tls_cert_file' ]
|
|
+ then
|
|
+ DIR=`dirname $smtpd_tls_key_file`
|
|
+ cpifnewer $smtpd_tls_key_file ./$DIR
|
|
+ fi
|
|
fi
|
|
|
|
# PAM
|
|
@@ -263,7 +264,6 @@
|
|
|
|
# to be on the save side
|
|
$PCONF -e "daemon_directory = @daemon_directory@"
|
|
- $PCONF -e "program_directory = @daemon_directory@"
|
|
$PCONF -e "readme_directory = @readme_directory@"
|
|
$PCONF -e "html_directory = @html_directory@"
|
|
$PCONF -e "sample_directory = @sample_directory@"
|
|
@@ -557,19 +557,28 @@
|
|
fi
|
|
if test "$POSTFIX_SMTP_TLS_SERVER" == "yes" -o "$POSTFIX_SMTP_TLS_SERVER_LEGACY_SUPPORT" == "yes"; then
|
|
$PCONF -e "smtpd_use_tls = yes"
|
|
- $PCONF -e "smtpd_tls_CAfile = $POSTFIX_SSL_PATH/$POSTFIX_TLS_CAFILE"
|
|
+ if [ -n "$POSTFIX_TLS_CAFILE" -a -s "$POSTFIX_SSL_PATH/$POSTFIX_TLS_CAFILE" ]; then
|
|
+ $PCONF -e "smtpd_tls_CAfile = $POSTFIX_SSL_PATH/$POSTFIX_TLS_CAFILE"
|
|
+ else
|
|
+ $PCONF -e "smtpd_tls_CApath = $POSTFIX_SSL_PATH/cacerts"
|
|
+ fi
|
|
$PCONF -e "smtpd_tls_cert_file = $POSTFIX_SSL_PATH/$POSTFIX_TLS_CERTFILE"
|
|
$PCONF -e "smtpd_tls_key_file = $POSTFIX_SSL_PATH/$POSTFIX_TLS_KEYFILE"
|
|
- $PCONF -e "smtpd_tls_received_header = yes"
|
|
- $PCONF -e "tls_daemon_random_source = dev:/dev/urandom"
|
|
- $PCONF -e "tls_random_source = dev:/dev/urandom"
|
|
$PCONF -e "relay_clientcerts = hash:/etc/postfix/relay_ccerts"
|
|
$PCONF -e "smtpd_tls_ask_ccert = yes"
|
|
+ $PCONF -e "smtpd_tls_received_header = yes"
|
|
touch -m -d "1 minute ago" $TMPDIR/main.cf
|
|
CURRENT=$($PCONF -h smtpd_recipient_restrictions)
|
|
$PCONF -e "smtpd_recipient_restrictions = permit_tls_clientcerts, $CURRENT"
|
|
else
|
|
$PCONF -e "smtpd_use_tls = no"
|
|
+ $PCONF -e "smtpd_tls_CAfile ="
|
|
+ $PCONF -e "smtpd_tls_CApath ="
|
|
+ $PCONF -e "smtpd_tls_cert_file ="
|
|
+ $PCONF -e "smtpd_tls_key_file ="
|
|
+ $PCONF -e "relay_clientcerts ="
|
|
+ $PCONF -e "smtpd_tls_ask_ccert = no"
|
|
+ $PCONF -e "smtpd_tls_received_header = no"
|
|
fi
|
|
|
|
if test "$POSTFIX_SMTP_TLS_CLIENT" == "no"; then
|
|
@@ -585,16 +594,22 @@
|
|
$PCONF -e "smtp_enforce_tls = yes"
|
|
fi
|
|
if test "$POSTFIX_SMTP_TLS_CLIENT" = "yes" -o "$POSTFIX_SMTP_TLS_CLIENT" = "must" ; then
|
|
- test -s "$POSTFIX_SSL_PATH/$POSTFIX_TLS_CAFILE" && \
|
|
+ if [ -n "$POSTFIX_TLS_CAFILE" -a -s "$POSTFIX_SSL_PATH/$POSTFIX_TLS_CAFILE" ]; then
|
|
$PCONF -e "smtp_tls_CAfile = $POSTFIX_SSL_PATH/$POSTFIX_TLS_CAFILE"
|
|
+ else
|
|
+ $PCONF -e "smtp_tls_CApath = $POSTFIX_SSL_PATH/cacerts"
|
|
+ fi
|
|
test -s "$POSTFIX_SSL_PATH/$POSTFIX_TLS_CERTFILE" && \
|
|
$PCONF -e "smtp_tls_cert_file = $POSTFIX_SSL_PATH/$POSTFIX_TLS_CERTFILE"
|
|
test -s "$POSTFIX_SSL_PATH/$POSTFIX_TLS_KEYFILE" && \
|
|
$PCONF -e "smtp_tls_key_file = $POSTFIX_SSL_PATH/$POSTFIX_TLS_KEYFILE"
|
|
- $PCONF -e "smtp_tls_session_cache_timeout = 3600s"
|
|
$PCONF -e "smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache"
|
|
else
|
|
- $PCONF -e "smtp_use_tls = no"
|
|
+ $PCONF -e "smtp_tls_CAfile ="
|
|
+ $PCONF -e "smtp_tls_CApath ="
|
|
+ $PCONF -e "smtp_tls_cert_file ="
|
|
+ $PCONF -e "smtp_tls_key_file ="
|
|
+ $PCONF -e "smtp_tls_session_cache_database ="
|
|
fi
|
|
|
|
ALLMAPS="hash:/etc/aliases"
|
|
diff -ruN postfix-SuSE-orig/sysconfig.postfix postfix-SuSE/sysconfig.postfix
|
|
--- postfix-SuSE-orig/sysconfig.postfix 2011-05-11 10:30:56.000000000 +0200
|
|
+++ postfix-SuSE/sysconfig.postfix 2011-05-14 18:00:01.000000000 +0200
|
|
@@ -198,9 +198,8 @@
|
|
# Note: This only has effect, if POSTFIX_BASIC_SPAM_PREVENTION is set
|
|
# to either "medium" or "hard" or "custom". If left empty, no RBL checks will take place.
|
|
#
|
|
-# Example: POSTFIX_RBL_HOSTS="rbl1.example.com, rbl2.example.com"
|
|
+# Example: POSTFIX_RBL_HOSTS="cbl.abuseat.org, dnsbl.sorbs.net, dnsbl.ahbl.org"
|
|
#
|
|
-#POSTFIX_RBL_HOSTS="zen.spamhaus.org, cbl.abuseat.org, dnsbl.sorbs.net, dnsbl.ahbl.org"
|
|
POSTFIX_RBL_HOSTS=""
|
|
|
|
## Type: yesno
|
|
@@ -287,7 +286,7 @@
|
|
# Note: "if set to "medium" default is "hash:/etc/postfix/access, reject_unknown_sender_domain"
|
|
#
|
|
# Example:
|
|
-# POSTFIX_SMTPD_SENDERNT_RESTRICTIONS="reject_unauth_pipelining,
|
|
+# POSTFIX_SMTPD_SENDER_RESTRICTIONS="reject_unauth_pipelining,
|
|
# check_client_access hash:/etc/postfix/pop-before-smtp,
|
|
# check_client_access hash:/etc/postfix/relay,
|
|
# check_client_access hash:/etc/postfix/access,
|
|
@@ -414,7 +413,12 @@
|
|
## Default: "cacert.pem"
|
|
## Config: postfix
|
|
#
|
|
-# name of the CA file (below POSTFIX_SSL_PATH)
|
|
+# name of the CAfile (below POSTFIX_SSL_PATH)
|
|
+#
|
|
+# when having more than one CA you want to trust, then
|
|
+# leave it empty and CApath ( POSTFIX_SSL_PATH/cacerts )
|
|
+# is used instead. Do not forget to run c_rehash POSTFIX_SSL_PATH/cacerts
|
|
+# after storing the certs.
|
|
#
|
|
POSTFIX_TLS_CAFILE="cacert.pem"
|
|
|