From 1eb26ffaaec70d2ca4971b617078da8e001db55e Mon Sep 17 00:00:00 2001 From: Robert Scheck Date: Tue, 24 Jul 2018 23:02:42 +0200 Subject: [PATCH] Add basic postfix TLS configuration by default (#1608050) --- postfix-3.2.0-config.patch | 40 +++++++++++++++++++++++++++++++++++++- postfix.spec | 26 ++++++++++++++++++++++++- 2 files changed, 64 insertions(+), 2 deletions(-) diff --git a/postfix-3.2.0-config.patch b/postfix-3.2.0-config.patch index 4879c0d..fd62120 100644 --- a/postfix-3.2.0-config.patch +++ b/postfix-3.2.0-config.patch 
@@ -79,11 +79,49 @@ index 7af8bde..fbe5c62 100644 #fallback_transport = # The luser_relay parameter specifies an optional destination address -@@ -673,4 +696,3 @@ sample_directory = +@@ -673,4 +696,41 @@ sample_directory = # readme_directory: The location of the Postfix README files. # readme_directory = -inet_protocols = ipv4 ++ ++# TLS CONFIGURATION ++# ++# Basic Postfix TLS configuration by default with self-signed certificate ++# for inbound SMTP and also opportunistic TLS for outbound SMTP. ++ ++# The full pathname of a file with the Postfix SMTP server RSA certificate ++# in PEM format. Intermediate certificates should be included in general, ++# the server certificate first, then the issuing CA(s) (bottom-up order). ++# ++smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem ++ ++# The full pathname of a file with the Postfix SMTP server RSA private key ++# in PEM format. The private key must be accessible without a pass-phrase, ++# i.e. it must not be encrypted. ++# ++smtpd_tls_key_file = /etc/pki/tls/private/postfix.key ++ ++# Announce STARTTLS support to remote SMTP clients, but do not require that ++# clients use TLS encryption (opportunistic TLS inbound). ++# ++smtpd_tls_security_level = may ++ ++# Directory with PEM format Certification Authority certificates that the ++# Postfix SMTP client uses to verify a remote SMTP server certificate. ++# ++smtp_tls_CApath = /etc/pki/tls/certs ++ ++# The full pathname of a file containing CA certificates of root CAs ++# trusted to sign either remote SMTP server certificates or intermediate CA ++# certificates. ++# ++smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt ++ ++# Use TLS if this is supported by the remote SMTP server, otherwise use ++# plaintext (opportunistic TLS outbound). ++# ++smtp_tls_security_level = may diff --git a/conf/master.cf b/conf/master.cf index b67ed59..a9633ba 100644 --- a/conf/master.cf diff --git a/postfix.spec b/postfix.spec index a3eda8f..b9cd3b5 100644 --- a/postfix.spec 
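Review bot: The comments on `smtp_tls_CApath` and `smtp_tls_CAfile` say they are used to verify remote SMTP server certificates, but with `smtp_tls_security_level = may` set at the end of the same hunk the Postfix client, per its documented semantics, does not verify peers at all (an untrusted or mismatched certificate is still used for encryption), so these two settings only take effect for destinations raised to `verify`/`secure` through `smtp_tls_policy_maps`; I would state that in the comment, e.g. `# NOTE: at level "may" the server certificate is NOT verified; CAfile/CApath only matter for destinations given a stricter level via smtp_tls_policy_maps.` Whether `/etc/pki/tls/certs` is a hashed CApath directory on this distribution is not visible here; if it is not, `smtp_tls_CApath` is dead configuration and `smtp_tls_CAfile` alone is sufficient. Since inbound STARTTLS is only optional, `smtpd_tls_auth_only = yes` next to `smtpd_tls_security_level = may` would keep SASL credentials off plaintext sessions if AUTH is enabled anywhere (not visible in this hunk). Adding `smtp_tls_loglevel = 1` and `smtpd_tls_loglevel = 1` would make TLS use visible in the mail log, which operators will want when checking this new default. The nested `+@@ -673,4 +696,41 @@` hunk of the config patch is fully within this hunk.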
+++ b/postfix.spec @@ -37,6 +37,9 @@ %define postfix_sample_dir %{postfix_doc_dir}/samples %define postfix_readme_dir %{postfix_doc_dir}/README_FILES +%global sslcert %{_sysconfdir}/pki/tls/certs/postfix.pem +%global sslkey %{_sysconfdir}/pki/tls/private/postfix.key + # Filter private libraries %global _privatelibs libpostfix-.+\.so.* %global __provides_exclude ^(%{_privatelibs})$ @@ -45,13 +48,14 @@ Name: postfix Summary: Postfix Mail Transport Agent Version: 3.3.1 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 Group: System Environment/Daemons URL: http://www.postfix.org License: (IBM and GPLv2+) or (EPL-2.0 and GPLv2+) Requires(post): systemd systemd-sysv Requires(post): %{_sbindir}/alternatives +Requires(post): %{_bindir}/openssl Requires(pre): %{_sbindir}/groupadd Requires(pre): %{_sbindir}/useradd Requires(preun): %{_sbindir}/alternatives @@ -478,6 +482,23 @@ if [ -f %{_libdir}/sasl2/smtpd.conf ]; then fi %endif +# Create self-signed SSL certificate +if [ ! -f %{sslkey} ]; then + umask 077 + %{_bindir}/openssl genrsa 4096 > %{sslkey} 2> /dev/null +fi + +if [ ! -f %{sslcert} ]; then + FQDN=`hostname` + if [ "x${FQDN}" = "x" ]; then + FQDN=localhost.localdomain + fi + + %{_bindir}/openssl req -new -key %{sslkey} -x509 -sha256 -days 365 -set_serial $RANDOM -out %{sslcert} \ + -subj "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=${FQDN}/emailAddress=root@${FQDN}" + chmod 644 %{sslcert} +fi + exit 0 %pre @@ -734,6 +755,9 @@ fi %endif %changelog +* Tue Jul 24 2018 Robert Scheck - 2:3.3.1-4 +- Add basic postfix TLS configuration by default (#1608050) + * Fri Jul 13 2018 Fedora Release Engineering - 2:3.3.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
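Review bot: In the `%post` key-generation branch, `%{_bindir}/openssl genrsa 4096 > %{sslkey} 2> /dev/null` creates `%{sslkey}` through the shell redirect before openssl runs, so any failure (a missing `/etc/pki/tls/private`, or an openssl error that the redirect now hides) leaves an empty key file that the `[ ! -f %{sslkey} ]` guard accepts on every later run, after which `openssl req -new -key` fails and smtpd will most likely start with an unloadable certificate and TLS disabled. I would let openssl write the file with `-out`, remove it on failure, and only attempt the certificate when a key exists, as below. Generating the key in `%post` also means images or VM templates built from this package carry one private key into every clone; a first-start helper (for example an `ExecStartPre` running the same logic) would avoid that, though the service unit is outside this hunk. `-set_serial $RANDOM` is bash-specific and can yield 0, which RFC 5280 does not allow as a serial; to my knowledge `openssl req -x509` picks a random serial when `-set_serial` is omitted, so dropping the option is simpler. Nothing regenerates the certificate after `-days 365` because of the `[ ! -f %{sslcert} ]` guard; with `smtpd_tls_security_level = may` an expired certificate still encrypts, but the `# Create self-signed SSL certificate` comment should say operators are expected to replace it.
```shell
# Create self-signed SSL certificate (placeholder; replace with a real one)
if [ ! -f %{sslkey} ]; then
  umask 077
  # Let openssl own the file: a shell redirect would leave an empty key on failure
  if ! %{_bindir}/openssl genrsa -out %{sslkey} 4096 2> /dev/null; then
    rm -f %{sslkey}
  fi
fi

if [ -f %{sslkey} ] && [ ! -f %{sslcert} ]; then
  # … unchanged: FQDN detection …
  if %{_bindir}/openssl req -new -key %{sslkey} -x509 -sha256 -days 365 -out %{sslcert} \
    -subj "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=${FQDN}/emailAddress=root@${FQDN}"; then
    chmod 644 %{sslcert}
  else
    rm -f %{sslcert}
  fi
fi
```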