Add basic postfix TLS configuration by default (#1608050)

This commit is contained in:
Robert Scheck 2018-07-24 23:02:42 +02:00
parent 36a66f046a
commit 1eb26ffaae
2 changed files with 64 additions and 2 deletions


@ -79,11 +79,49 @@ index 7af8bde..fbe5c62 100644
#fallback_transport = #fallback_transport =
# The luser_relay parameter specifies an optional destination address # The luser_relay parameter specifies an optional destination address
@@ -673,4 +696,3 @@ sample_directory = @@ -673,4 +696,41 @@ sample_directory =
# readme_directory: The location of the Postfix README files. # readme_directory: The location of the Postfix README files.
# #
readme_directory = readme_directory =
-inet_protocols = ipv4 -inet_protocols = ipv4
+
+# TLS CONFIGURATION
+#
+# Basic Postfix TLS configuration by default with self-signed certificate
+# for inbound SMTP and also opportunistic TLS for outbound SMTP.
+
+# The full pathname of a file with the Postfix SMTP server RSA certificate
+# in PEM format. Intermediate certificates should be included in general,
+# the server certificate first, then the issuing CA(s) (bottom-up order).
+#
+smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
+
+# The full pathname of a file with the Postfix SMTP server RSA private key
+# in PEM format. The private key must be accessible without a pass-phrase,
+# i.e. it must not be encrypted.
+#
+smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
+
+# Announce STARTTLS support to remote SMTP clients, but do not require that
+# clients use TLS encryption (opportunistic TLS inbound).
+#
+smtpd_tls_security_level = may
+
+# Directory with PEM format Certification Authority certificates that the
+# Postfix SMTP client uses to verify a remote SMTP server certificate.
+#
+smtp_tls_CApath = /etc/pki/tls/certs
+
+# The full pathname of a file containing CA certificates of root CAs
+# trusted to sign either remote SMTP server certificates or intermediate CA
+# certificates.
+#
+smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
+
+# Use TLS if this is supported by the remote SMTP server, otherwise use
+# plaintext (opportunistic TLS outbound).
+#
+smtp_tls_security_level = may
diff --git a/conf/master.cf b/conf/master.cf diff --git a/conf/master.cf b/conf/master.cf
index b67ed59..a9633ba 100644 index b67ed59..a9633ba 100644
--- a/conf/master.cf --- a/conf/master.cf
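Review bot: The new TLS header comment (from `# TLS CONFIGURATION` down to `smtpd_tls_cert_file`) says the certificate is self-signed but does not tell the administrator that `/etc/pki/tls/certs/postfix.pem` and its key are placeholders created by the package's %post scriptlet with the local hostname, so any remote peer that verifies server certificates will reject this server until a CA-issued certificate is installed. I would extend the comment above `smtpd_tls_cert_file`, e.g. `# The default certificate is self-signed and generated at package installation; replace it (and the key below) with a CA-issued certificate so that remote SMTP clients can verify this server.` Because both `smtpd_tls_security_level` and `smtp_tls_security_level` are `may`, TLS stays opportunistic and a peer may still use plaintext, which the existing comments already state, so no change is needed there. This hunk only shows the main.cf part of the patch file; the master.cf part that begins at `diff --git a/conf/master.cf` continues outside the hunk.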


@ -37,6 +37,9 @@
%define postfix_sample_dir %{postfix_doc_dir}/samples %define postfix_sample_dir %{postfix_doc_dir}/samples
%define postfix_readme_dir %{postfix_doc_dir}/README_FILES %define postfix_readme_dir %{postfix_doc_dir}/README_FILES
%global sslcert %{_sysconfdir}/pki/tls/certs/postfix.pem
%global sslkey %{_sysconfdir}/pki/tls/private/postfix.key
# Filter private libraries # Filter private libraries
%global _privatelibs libpostfix-.+\.so.* %global _privatelibs libpostfix-.+\.so.*
%global __provides_exclude ^(%{_privatelibs})$ %global __provides_exclude ^(%{_privatelibs})$
@ -45,13 +48,14 @@
Name: postfix Name: postfix
Summary: Postfix Mail Transport Agent Summary: Postfix Mail Transport Agent
Version: 3.3.1 Version: 3.3.1
Release: 3%{?dist} Release: 4%{?dist}
Epoch: 2 Epoch: 2
Group: System Environment/Daemons Group: System Environment/Daemons
URL: http://www.postfix.org URL: http://www.postfix.org
License: (IBM and GPLv2+) or (EPL-2.0 and GPLv2+) License: (IBM and GPLv2+) or (EPL-2.0 and GPLv2+)
Requires(post): systemd systemd-sysv Requires(post): systemd systemd-sysv
Requires(post): %{_sbindir}/alternatives Requires(post): %{_sbindir}/alternatives
Requires(post): %{_bindir}/openssl
Requires(pre): %{_sbindir}/groupadd Requires(pre): %{_sbindir}/groupadd
Requires(pre): %{_sbindir}/useradd Requires(pre): %{_sbindir}/useradd
Requires(preun): %{_sbindir}/alternatives Requires(preun): %{_sbindir}/alternatives
@ -478,6 +482,23 @@ if [ -f %{_libdir}/sasl2/smtpd.conf ]; then
fi fi
%endif %endif
# Create self-signed SSL certificate
if [ ! -f %{sslkey} ]; then
umask 077
%{_bindir}/openssl genrsa 4096 > %{sslkey} 2> /dev/null
fi
if [ ! -f %{sslcert} ]; then
FQDN=`hostname`
if [ "x${FQDN}" = "x" ]; then
FQDN=localhost.localdomain
fi
%{_bindir}/openssl req -new -key %{sslkey} -x509 -sha256 -days 365 -set_serial $RANDOM -out %{sslcert} \
-subj "/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=${FQDN}/emailAddress=root@${FQDN}"
chmod 644 %{sslcert}
fi
exit 0 exit 0
%pre %pre
@ -734,6 +755,9 @@ fi
%endif %endif
%changelog %changelog
* Tue Jul 24 2018 Robert Scheck <robert@fedoraproject.org> - 2:3.3.1-4
- Add basic postfix TLS configuration by default (#1608050)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:3.3.1-3 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:3.3.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild