Add basic postfix TLS configuration by default (#1608050)

postfix-3.2.0-config.patch

@@ -79,11 +79,49 @@ index 7af8bde..fbe5c62 100644
  #fallback_transport =
  
  # The luser_relay parameter specifies an optional destination address
-@@ -673,4 +696,3 @@ sample_directory =
+@@ -673,4 +696,41 @@ sample_directory =
  # readme_directory: The location of the Postfix README files.
  #
  readme_directory =
 -inet_protocols = ipv4
++
++# TLS CONFIGURATION
++#
++# Basic Postfix TLS configuration by default with self-signed certificate
++# for inbound SMTP and also opportunistic TLS for outbound SMTP.
++
++# The full pathname of a file with the Postfix SMTP server RSA certificate
++# in PEM format. Intermediate certificates should be included in general,
++# the server certificate first, then the issuing CA(s) (bottom-up order).
++#
++smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
++
++# The full pathname of a file with the Postfix SMTP server RSA private key
++# in PEM format. The private key must be accessible without a pass-phrase,
++# i.e. it must not be encrypted.
++#
++smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
++
++# Announce STARTTLS support to remote SMTP clients, but do not require that
++# clients use TLS encryption (opportunistic TLS inbound).
++#
++smtpd_tls_security_level = may
++
++# Directory with PEM format Certification Authority certificates that the
++# Postfix SMTP client uses to verify a remote SMTP server certificate.
++#
++smtp_tls_CApath = /etc/pki/tls/certs
++
++# The full pathname of a file containing CA certificates of root CAs
++# trusted to sign either remote SMTP server certificates or intermediate CA
++# certificates.
++#
++smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
++
++# Use TLS if this is supported by the remote SMTP server, otherwise use
++# plaintext (opportunistic TLS outbound).
++#
++smtp_tls_security_level = may
 diff --git a/conf/master.cf b/conf/master.cf
 index b67ed59..a9633ba 100644
 --- a/conf/master.cf

postfix.spec

@@ -37,6 +37,9 @@
 %define postfix_sample_dir	%{postfix_doc_dir}/samples
 %define postfix_readme_dir	%{postfix_doc_dir}/README_FILES
 
+%global sslcert %{_sysconfdir}/pki/tls/certs/postfix.pem
+%global sslkey  %{_sysconfdir}/pki/tls/private/postfix.key
+
 # Filter private libraries
 %global _privatelibs libpostfix-.+\.so.*
 %global __provides_exclude ^(%{_privatelibs})$
@@ -45,13 +48,14 @@
 Name: postfix
 Summary: Postfix Mail Transport Agent
 Version: 3.3.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 2
 Group: System Environment/Daemons
 URL: http://www.postfix.org
 License: (IBM and GPLv2+) or (EPL-2.0 and GPLv2+)
 Requires(post): systemd systemd-sysv
 Requires(post): %{_sbindir}/alternatives
+Requires(post): %{_bindir}/openssl
 Requires(pre): %{_sbindir}/groupadd
 Requires(pre): %{_sbindir}/useradd
 Requires(preun): %{_sbindir}/alternatives
@@ -478,6 +482,23 @@ if [ -f %{_libdir}/sasl2/smtpd.conf ]; then
 fi
 %endif
 
+# Create self-signed SSL certificate
+if [ ! -f %{sslkey} ]; then
+  umask 077
+  %{_bindir}/openssl genrsa 4096 > %{sslkey} 2> /dev/null
+fi
+
+if [ ! -f %{sslcert} ]; then
+  FQDN=`hostname`
+  if [ "x${FQDN}" = "x" ]; then
+    FQDN=localhost.localdomain
+  fi
+
+  %{_bindir}/openssl req -new -key %{sslkey} -x509 -sha256 -days 365 -set_serial $RANDOM -out %{sslcert} \
+    -subj "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=${FQDN}/emailAddress=root@${FQDN}"
+  chmod 644 %{sslcert}
+fi
+
 exit 0
 
 %pre
@@ -734,6 +755,9 @@ fi
 %endif
 
 %changelog
+* Tue Jul 24 2018 Robert Scheck <robert@fedoraproject.org> - 2:3.3.1-4
+- Add basic postfix TLS configuration by default (#1608050)
+
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:3.3.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild