Add basic postfix TLS configuration by default (#1608050)
parent
36a66f046a
commit
1eb26ffaae
@ -79,11 +79,49 @@ index 7af8bde..fbe5c62 100644
|
|||||||
#fallback_transport =
|
#fallback_transport =
|
||||||
|
|
||||||
# The luser_relay parameter specifies an optional destination address
|
# The luser_relay parameter specifies an optional destination address
|
||||||
@@ -673,4 +696,3 @@ sample_directory =
|
@@ -673,4 +696,41 @@ sample_directory =
|
||||||
# readme_directory: The location of the Postfix README files.
|
# readme_directory: The location of the Postfix README files.
|
||||||
#
|
#
|
||||||
readme_directory =
|
readme_directory =
|
||||||
-inet_protocols = ipv4
|
-inet_protocols = ipv4
|
||||||
|
+
|
||||||
|
+# TLS CONFIGURATION
|
||||||
|
+#
|
||||||
|
+# Basic Postfix TLS configuration by default with self-signed certificate
|
||||||
|
+# for inbound SMTP and also opportunistic TLS for outbound SMTP.
|
||||||
|
+
|
||||||
|
+# The full pathname of a file with the Postfix SMTP server RSA certificate
|
||||||
|
+# in PEM format. Intermediate certificates should be included in general,
|
||||||
|
+# the server certificate first, then the issuing CA(s) (bottom-up order).
|
||||||
|
+#
|
||||||
|
+smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
|
||||||
|
+
|
||||||
|
+# The full pathname of a file with the Postfix SMTP server RSA private key
|
||||||
|
+# in PEM format. The private key must be accessible without a pass-phrase,
|
||||||
|
+# i.e. it must not be encrypted.
|
||||||
|
+#
|
||||||
|
+smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
|
||||||
|
+
|
||||||
|
+# Announce STARTTLS support to remote SMTP clients, but do not require that
|
||||||
|
+# clients use TLS encryption (opportunistic TLS inbound).
|
||||||
|
+#
|
||||||
|
+smtpd_tls_security_level = may
|
||||||
|
+
|
||||||
|
+# Directory with PEM format Certification Authority certificates that the
|
||||||
|
+# Postfix SMTP client uses to verify a remote SMTP server certificate.
|
||||||
|
+#
|
||||||
|
+smtp_tls_CApath = /etc/pki/tls/certs
|
||||||
|
+
|
||||||
|
+# The full pathname of a file containing CA certificates of root CAs
|
||||||
|
+# trusted to sign either remote SMTP server certificates or intermediate CA
|
||||||
|
+# certificates.
|
||||||
|
+#
|
||||||
|
+smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
|
||||||
|
+
|
||||||
|
+# Use TLS if this is supported by the remote SMTP server, otherwise use
|
||||||
|
+# plaintext (opportunistic TLS outbound).
|
||||||
|
+#
|
||||||
|
+smtp_tls_security_level = may
|
||||||
diff --git a/conf/master.cf b/conf/master.cf
|
diff --git a/conf/master.cf b/conf/master.cf
|
||||||
index b67ed59..a9633ba 100644
|
index b67ed59..a9633ba 100644
|
||||||
--- a/conf/master.cf
|
--- a/conf/master.cf
|
||||||
|
26
postfix.spec
26
postfix.spec
@ -37,6 +37,9 @@
|
|||||||
%define postfix_sample_dir %{postfix_doc_dir}/samples
|
%define postfix_sample_dir %{postfix_doc_dir}/samples
|
||||||
%define postfix_readme_dir %{postfix_doc_dir}/README_FILES
|
%define postfix_readme_dir %{postfix_doc_dir}/README_FILES
|
||||||
|
|
||||||
|
%global sslcert %{_sysconfdir}/pki/tls/certs/postfix.pem
|
||||||
|
%global sslkey %{_sysconfdir}/pki/tls/private/postfix.key
|
||||||
|
|
||||||
# Filter private libraries
|
# Filter private libraries
|
||||||
%global _privatelibs libpostfix-.+\.so.*
|
%global _privatelibs libpostfix-.+\.so.*
|
||||||
%global __provides_exclude ^(%{_privatelibs})$
|
%global __provides_exclude ^(%{_privatelibs})$
|
||||||
@ -45,13 +48,14 @@
|
|||||||
Name: postfix
|
Name: postfix
|
||||||
Summary: Postfix Mail Transport Agent
|
Summary: Postfix Mail Transport Agent
|
||||||
Version: 3.3.1
|
Version: 3.3.1
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
URL: http://www.postfix.org
|
URL: http://www.postfix.org
|
||||||
License: (IBM and GPLv2+) or (EPL-2.0 and GPLv2+)
|
License: (IBM and GPLv2+) or (EPL-2.0 and GPLv2+)
|
||||||
Requires(post): systemd systemd-sysv
|
Requires(post): systemd systemd-sysv
|
||||||
Requires(post): %{_sbindir}/alternatives
|
Requires(post): %{_sbindir}/alternatives
|
||||||
|
Requires(post): %{_bindir}/openssl
|
||||||
Requires(pre): %{_sbindir}/groupadd
|
Requires(pre): %{_sbindir}/groupadd
|
||||||
Requires(pre): %{_sbindir}/useradd
|
Requires(pre): %{_sbindir}/useradd
|
||||||
Requires(preun): %{_sbindir}/alternatives
|
Requires(preun): %{_sbindir}/alternatives
|
||||||
@ -478,6 +482,23 @@ if [ -f %{_libdir}/sasl2/smtpd.conf ]; then
|
|||||||
fi
|
fi
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
# Create self-signed SSL certificate
|
||||||
|
if [ ! -f %{sslkey} ]; then
|
||||||
|
umask 077
|
||||||
|
%{_bindir}/openssl genrsa 4096 > %{sslkey} 2> /dev/null
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f %{sslcert} ]; then
|
||||||
|
FQDN=`hostname`
|
||||||
|
if [ "x${FQDN}" = "x" ]; then
|
||||||
|
FQDN=localhost.localdomain
|
||||||
|
fi
|
||||||
|
|
||||||
|
%{_bindir}/openssl req -new -key %{sslkey} -x509 -sha256 -days 365 -set_serial $RANDOM -out %{sslcert} \
|
||||||
|
-subj "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=${FQDN}/emailAddress=root@${FQDN}"
|
||||||
|
chmod 644 %{sslcert}
|
||||||
|
fi
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
@ -734,6 +755,9 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 24 2018 Robert Scheck <robert@fedoraproject.org> - 2:3.3.1-4
|
||||||
|
- Add basic postfix TLS configuration by default (#1608050)
|
||||||
|
|
||||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:3.3.1-3
|
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:3.3.1-3
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
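Review bot: In the scriptlet hunk, `%{_bindir}/openssl genrsa 4096 > %{sslkey} 2> /dev/null` lets the shell create %{sslkey} before openssl runs and the stderr redirect hides any failure, so a failed genrsa leaves an empty key file that the `[ ! -f %{sslkey} ]` guard then treats as present on every later install; the following `req -new -key` presumably fails on the empty key, the scriptlet still ends with `exit 0`, and no certificate is ever produced. Let openssl write the file itself and drop it on failure, e.g. `%{_bindir}/openssl genrsa -out %{sslkey} 4096 2> /dev/null || rm -f %{sslkey}`; with the preceding `umask 077` the key still ends up mode 0600. The certificate is issued with `-days 365` and nothing regenerates it once the file exists, so the default inbound certificate silently expires after a year; a comment next to that line such as `# Self-signed, 365 days, never renewed: replace with a CA-issued cert or delete %{sslcert} to regenerate` would make that explicit. The scriptlet containing this block (presumably %post, given the new Requires(post) on openssl) begins outside the hunk.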
|