diff --git a/actions/admin/settings/131.ssl.php b/actions/admin/settings/131.ssl.php
index bde8d857..66bd44f9 100644
--- a/actions/admin/settings/131.ssl.php
+++ b/actions/admin/settings/131.ssl.php
@@ -85,7 +85,7 @@ return [
 'type' => 'text',
 'string_type' => 'file',
 'string_emptyallowed' => true,
- 'default' => '/etc/apache2/apache2.pem',
+ 'default' => '/etc/ssl/froxlor_selfsigned.pem',
 'save_method' => 'storeSettingField'
 ],
 'system_ssl_key_file' => [
@@ -95,7 +95,7 @@ return [
 'type' => 'text',
 'string_type' => 'file',
 'string_emptyallowed' => true,
- 'default' => '/etc/apache2/apache2.key',
+ 'default' => '/etc/ssl/froxlor_selfsigned.key',
 'save_method' => 'storeSettingField'
 ],
 'system_ssl_cert_chainfile' => [
diff --git a/install/froxlor.sql.php b/install/froxlor.sql.php
index fe2756b5..5d635df3 100644
--- a/install/froxlor.sql.php
+++ b/install/froxlor.sql.php
@@ -569,7 +569,7 @@ opcache.validate_timestamps'),
 ('system', 'last_archive_run', '000000'),
 ('system', 'mod_fcgid_configdir', '/var/www/php-fcgi-scripts'),
 ('system', 'mod_fcgid_tmpdir', '/var/customers/tmp'),
- ('system', 'ssl_cert_file', '/etc/apache2/apache2.pem'),
+ ('system', 'ssl_cert_file', '/etc/ssl/froxlor_selfsigned.pem'),
 ('system', 'use_ssl', '0'),
 ('system', 'default_vhostconf', ''),
 ('system', 'default_sslvhostconf', ''),
@@ -583,7 +583,7 @@ opcache.validate_timestamps'),
 ('system', 'mod_fcgid_peardir', '/usr/share/php/:/usr/share/php5/'),
 ('system', 'index_file_extension', 'html'),
 ('system', 'mod_fcgid_maxrequests', '250'),
- ('system', 'ssl_key_file','/etc/apache2/apache2.key'),
+ ('system', 'ssl_key_file','/etc/ssl/froxlor_selfsigned.key'),
 ('system', 'ssl_ca_file', ''),
 ('system', 'debug_cron', '0'),
 ('system', 'store_index_file_subs', '1'),
diff --git a/lib/Froxlor/Cli/ConfigServices.php b/lib/Froxlor/Cli/ConfigServices.php
index c4b43b5b..155c0afd 100644
--- a/lib/Froxlor/Cli/ConfigServices.php
+++ b/lib/Froxlor/Cli/ConfigServices.php
@@ -32,6 +32,7 @@ use Froxlor\Froxlor;
 use Froxlor\PhpHelper;
 use Froxlor\Settings;
 use Froxlor\SImExporter;
+use Froxlor\System\Crypt;
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Input\InputOption;
 use Symfony\Component\Console\Output\OutputInterface;
@@ -353,6 +354,14 @@ final class ConfigServices extends CliCommand
 $services = $configfiles->getServices();
 $replace_arr = $this->getReplacerArray();
 
+ // be sure the fallback certificate specified in the settings exists
+ $certFile = Settings::Get('system.ssl_cert_file');
+ $keyFile = Settings::Get('system.ssl_key_file');
+ if (empty($certFile) || empty($keyFile) || !file_exists($certFile) || !file_exists($keyFile)) {
+ $output->writeln('Creating missing certificate ' . $certFile . '');
+ Crypt::createSelfSignedCertificate();
+ }
+
 foreach ($services as $si => $service) {
 $output->writeln("--- Configuring: " . strtoupper($si) . " ---");
 if (!isset($decoded_config[$si]) || $decoded_config[$si] == 'x') {
@@ -495,7 +504,9 @@ final class ConfigServices extends CliCommand
 '' => Settings::Get('system.apachereload_command'),
 '' => FileDir::makeCorrectDir(Settings::Get('system.logfiles_directory')),
 '' => FileDir::makeCorrectDir(Settings::Get('phpfpm.fastcgi_ipcdir')),
- '' => Settings::Get('system.httpgroup')
+ '' => Settings::Get('system.httpgroup'),
+ '' => Settings::Get('system.ssl_cert_file'),
+ '' => Settings::Get('system.ssl_key_file'),
 ];
 return $replace_arr;
 }
diff --git a/lib/Froxlor/System/Crypt.php b/lib/Froxlor/System/Crypt.php
index f3122f53..425656a8 100644
--- a/lib/Froxlor/System/Crypt.php
+++ b/lib/Froxlor/System/Crypt.php
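Review bot: The new certificate check runs after `$replace_arr = $this->getReplacerArray();`, and the second hunk of this file makes that array read `system.ssl_cert_file` / `system.ssl_key_file`; when either setting is empty, `Crypt::createSelfSignedCertificate()` fills in its defaults with `Settings::Set`, but `$replace_arr` was already built from the empty values, so the very run that creates the certificate would presumably render empty paths into the templates that consume those replacer entries. Move the whole check block above the `$replace_arr = $this->getReplacerArray();` line, or call `getReplacerArray()` again after `Crypt::createSelfSignedCertificate()`. The log line `'Creating missing certificate ' . $certFile . ''` carries a dead `. ''` and names no file at all when `$certFile` is empty; `'Creating missing certificate ' . ($certFile ?: '(default path)')` would read better. The enclosing method starts and ends outside the hunk.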
@@ -242,6 +242,18 @@ class Crypt
 */
 public static function createSelfSignedCertificate()
 {
+ // validate that we have file names in the settings
+ $certFile = Settings::Get('system.ssl_cert_file');
+ $keyFile = Settings::Get('system.ssl_key_file');
+ if (empty($certFile)) {
+ $certFile = '/etc/ssl/froxlor_selfsigned.pem';
+ Settings::Set('system.ssl_cert_file', $certFile);
+ }
+ if (empty($keyFile)) {
+ $keyFile = '/etc/ssl/froxlor_selfsigned.key';
+ Settings::Set('system.ssl_key_file', $keyFile);
+ }
+
 // certificate info
 $dn = [
 "countryName" => "DE",
@@ -262,7 +274,7 @@ class Crypt
 // sign csr
 $x509 = openssl_csr_sign($csr, null, $privkey, 365, array('digest_alg' => 'sha384'));
 // export to files
- openssl_x509_export_to_file($x509, Settings::Get('system.ssl_cert_file'));
- openssl_pkey_export_to_file($privkey, Settings::Get('system.ssl_key_file'));
+ openssl_x509_export_to_file($x509, $certFile);
+ openssl_pkey_export_to_file($privkey, $keyFile);
 }
 }
diff --git a/lib/configfiles/bionic.xml b/lib/configfiles/bionic.xml
index a486a90b..68fa23c6 100644
--- a/lib/configfiles/bionic.xml
+++ b/lib/configfiles/bionic.xml
@@ -2347,15 +2347,18 @@ virtual_mailbox_limit = 0 ### TLS settings ### ## TLS for outgoing mails from the server to another server -#smtp_tls_security_level = may -#smtp_tls_note_starttls_offer = yes +smtp_tls_security_level = may +smtp_tls_note_starttls_offer = yes ## TLS for incoming connections (clients or other mail servers) -#smtpd_tls_security_level = may -#smtpd_tls_cert_file = /etc/ssl/server/.pem -#smtpd_tls_key_file = $smtpd_tls_cert_file +smtpd_tls_security_level = may +smtpd_tls_cert_file = +smtpd_tls_key_file = #smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt -#smtpd_tls_loglevel = 1 -#smtpd_tls_received_header = yes +smtpd_tls_loglevel = 1 +smtpd_tls_received_header = yes +smtp_use_tls = yes +smtpd_use_tls = yes +smtpd_tls_session_cache_timeout = 3600s ]]> 
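Review bot: `openssl_pkey_export_to_file($privkey, $keyFile)` still writes the private key with whatever mode the process umask yields, and the Postfix and Dovecot templates in this commit now point straight at that file (the Dovecot template's own comment asks for a key "unreadable by anyone but root"); add `chmod($keyFile, 0600);` directly after the export so the fallback key is never left group- or world-readable. None of `openssl_csr_sign` and the two export calls have their return value checked, so a failed write into `/etc/ssl` stays silent and ConfigServices then proceeds as if the certificate existed; at minimum `if ($x509 === false) { ... }` and the two `=== false` results should be reported in whatever way this class signals errors elsewhere. The fallback strings `/etc/ssl/froxlor_selfsigned.pem` / `.key` duplicate the defaults in 131.ssl.php and froxlor.sql.php; a single shared constant would keep them from drifting apart. `createSelfSignedCertificate()` spans both hunks here, with the key generation between them outside the view.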
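Review bot: `smtp_use_tls = yes` and `smtpd_use_tls = yes` are added next to `smtp_tls_security_level = may` and `smtpd_tls_security_level = may`; the `*_use_tls` parameters are the pre-2.3 forms that Postfix ignores whenever the corresponding `*_tls_security_level` is non-empty, so the two new lines are inert and only suggest a knob that is not what controls TLS here. Drop them; the same pair is added in the bookworm, bullseye, buster, focal, jammy and gentoo main.cf hunks of this commit. `#smtpd_tls_CAfile` staying commented is correct for a self-signed fallback certificate, but a one-line comment above `smtpd_tls_cert_file` saying that this is the bootstrap pair generated by Froxlor would stop the next reader from taking it for an oversight.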
@@ -2374,35 +2377,37 @@ virtual_mailbox_limit = 0 # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== -smtp inet n - y - - smtpd -#smtp inet n - y - 1 postscreen -#smtpd pass - - y - - smtpd -#dnsblog unix - - y - 0 dnsblog -#tlsproxy unix - - y - 0 tlsproxy -#submission inet n - y - - smtpd -# -o syslog_name=postfix/submission -# -o smtpd_tls_security_level=encrypt -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_reject_unlisted_recipient=no +#smtp inet n - y - - smtpd +smtp inet n - y - 1 postscreen +smtpd pass - - y - - smtpd +dnsblog unix - - y - 0 dnsblog +tlsproxy unix - - y - 0 tlsproxy +submission inet n - y - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING -#smtps inet n - y - - smtpd -# -o syslog_name=postfix/smtps -# -o smtpd_tls_wrappermode=yes -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_reject_unlisted_recipient=no + -o smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +smtps inet n - y - - smtpd + -o syslog_name=postfix/smtps + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING + -o 
smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING #628 inet n - y - - qmqpd pickup unix n - y 60 1 pickup + -o content_filter= + -o receive_override_options=no_header_body_checks cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr @@ -3414,14 +3419,14 @@ service dict { ## # SSL/TLS support: yes, no, required. -ssl = no +ssl = yes # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -#ssl_cert = +ssl_key = < # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often @@ -3453,8 +3458,11 @@ ssl = no # auth_ssl_username_from_cert=yes. #ssl_cert_username_field = commonName -# DH parameters length to use. -#ssl_dh_parameters_length = 1024 +# SSL DH parameters +# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096` +# Or migrate from old ssl-parameters.dat file with the command dovecot +# gives on startup when ssl_dh is unset. +ssl_dh = + diff --git a/lib/configfiles/bookworm.xml b/lib/configfiles/bookworm.xml index 1ba4d1e9..dbfe2413 100644 --- a/lib/configfiles/bookworm.xml +++ b/lib/configfiles/bookworm.xml 
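Review bot: `ssl_dh = <…` now references a DH parameters file while `ssl = yes` is switched on, yet nothing on the PHP side of this commit creates such a file — `Crypt::createSelfSignedCertificate()` writes only the certificate and key — and Dovecot treats a `<file` include it cannot open as a configuration error, so on a fresh host the service would presumably refuse to start until the file is provisioned by hand (the placeholder value is stripped in this view, so the exact path is inferred). Either generate the parameters in the same step that creates the self-signed pair, using the `openssl dhparam -out /etc/dovecot/dh.pem 4096` command the comment already quotes, or leave `ssl_dh` commented with a note on how to enable it. The same `ssl_dh` line is added in the bookworm, focal, jammy and gentoo templates and re-pointed in bullseye and buster.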
@@ -2306,15 +2306,18 @@ virtual_mailbox_limit = 0 ### TLS settings ### ## TLS for outgoing mails from the server to another server -#smtp_tls_security_level = may -#smtp_tls_note_starttls_offer = yes +smtp_tls_security_level = may +smtp_tls_note_starttls_offer = yes ## TLS for incoming connections (clients or other mail servers) -#smtpd_tls_security_level = may -#smtpd_tls_cert_file = /etc/ssl/server/.pem -#smtpd_tls_key_file = $smtpd_tls_cert_file +smtpd_tls_security_level = may +smtpd_tls_cert_file = +smtpd_tls_key_file = #smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt -#smtpd_tls_loglevel = 1 -#smtpd_tls_received_header = yes +smtpd_tls_loglevel = 1 +smtpd_tls_received_header = yes +smtp_use_tls = yes +smtpd_use_tls = yes +smtpd_tls_session_cache_timeout = 3600s ]]> 
@@ -2333,35 +2336,37 @@ virtual_mailbox_limit = 0 # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== -smtp inet n - y - - smtpd -#smtp inet n - y - 1 postscreen -#smtpd pass - - y - - smtpd -#dnsblog unix - - y - 0 dnsblog -#tlsproxy unix - - y - 0 tlsproxy -#submission inet n - y - - smtpd -# -o syslog_name=postfix/submission -# -o smtpd_tls_security_level=encrypt -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_reject_unlisted_recipient=no +#smtp inet n - y - - smtpd +smtp inet n - y - 1 postscreen +smtpd pass - - y - - smtpd +dnsblog unix - - y - 0 dnsblog +tlsproxy unix - - y - 0 tlsproxy +submission inet n - y - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING -#smtps inet n - y - - smtpd -# -o syslog_name=postfix/smtps -# -o smtpd_tls_wrappermode=yes -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_reject_unlisted_recipient=no + -o smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +smtps inet n - y - - smtpd + -o syslog_name=postfix/smtps + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING + -o 
smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING #628 inet n - y - - qmqpd pickup unix n - y 60 1 pickup + -o content_filter= + -o receive_override_options=no_header_body_checks cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr @@ -2515,8 +2520,9 @@ service stats { } ssl = yes -ssl_cert = +ssl_key = < +ssl_dh = @@ -2539,6 +2545,7 @@ plugin { + diff --git a/lib/configfiles/bullseye.xml b/lib/configfiles/bullseye.xml index dd28e465..bd293819 100644 --- a/lib/configfiles/bullseye.xml +++ b/lib/configfiles/bullseye.xml @@ -2306,15 +2306,18 @@ virtual_mailbox_limit = 0 ### TLS settings ### ## TLS for outgoing mails from the server to another server -#smtp_tls_security_level = may -#smtp_tls_note_starttls_offer = yes +smtp_tls_security_level = may +smtp_tls_note_starttls_offer = yes ## TLS for incoming connections (clients or other mail servers) -#smtpd_tls_security_level = may -#smtpd_tls_cert_file = /etc/ssl/server/.pem -#smtpd_tls_key_file = $smtpd_tls_cert_file +smtpd_tls_security_level = may +smtpd_tls_cert_file = +smtpd_tls_key_file = #smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt -#smtpd_tls_loglevel = 1 -#smtpd_tls_received_header = yes +smtpd_tls_loglevel = 1 +smtpd_tls_received_header = yes +smtp_use_tls = yes +smtpd_use_tls = yes +smtpd_tls_session_cache_timeout = 3600s ]]> 
@@ -2333,35 +2336,37 @@ virtual_mailbox_limit = 0 # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== -smtp inet n - y - - smtpd -#smtp inet n - y - 1 postscreen -#smtpd pass - - y - - smtpd -#dnsblog unix - - y - 0 dnsblog -#tlsproxy unix - - y - 0 tlsproxy -#submission inet n - y - - smtpd -# -o syslog_name=postfix/submission -# -o smtpd_tls_security_level=encrypt -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_reject_unlisted_recipient=no +#smtp inet n - y - - smtpd +smtp inet n - y - 1 postscreen +smtpd pass - - y - - smtpd +dnsblog unix - - y - 0 dnsblog +tlsproxy unix - - y - 0 tlsproxy +submission inet n - y - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING -#smtps inet n - y - - smtpd -# -o syslog_name=postfix/smtps -# -o smtpd_tls_wrappermode=yes -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_reject_unlisted_recipient=no + -o smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +smtps inet n - y - - smtpd + -o syslog_name=postfix/smtps + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING + -o 
smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING #628 inet n - y - - qmqpd pickup unix n - y 60 1 pickup + -o content_filter= + -o receive_override_options=no_header_body_checks cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr @@ -3453,8 +3458,8 @@ ssl = yes # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = +ssl_key = < # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often @@ -3495,7 +3500,7 @@ ssl_client_ca_dir = /etc/ssl/certs # Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096` # Or migrate from old ssl-parameters.dat file with the command dovecot # gives on startup when ssl_dh is unset. -ssl_dh = + diff --git a/lib/configfiles/buster.xml b/lib/configfiles/buster.xml index f9b108f1..f7aaa3a2 100644 --- a/lib/configfiles/buster.xml +++ b/lib/configfiles/buster.xml @@ -2306,15 +2306,18 @@ virtual_mailbox_limit = 0 ### TLS settings ### ## TLS for outgoing mails from the server to another server -#smtp_tls_security_level = may -#smtp_tls_note_starttls_offer = yes +smtp_tls_security_level = may +smtp_tls_note_starttls_offer = yes ## TLS for incoming connections (clients or other mail servers) -#smtpd_tls_security_level = may -#smtpd_tls_cert_file = /etc/ssl/server/.pem -#smtpd_tls_key_file = $smtpd_tls_cert_file +smtpd_tls_security_level = may +smtpd_tls_cert_file = +smtpd_tls_key_file = #smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt -#smtpd_tls_loglevel = 1 -#smtpd_tls_received_header = yes +smtpd_tls_loglevel = 1 +smtpd_tls_received_header = yes +smtp_use_tls = yes +smtpd_use_tls = yes +smtpd_tls_session_cache_timeout = 3600s ]]> 
@@ -2333,35 +2336,37 @@ virtual_mailbox_limit = 0 # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== -smtp inet n - y - - smtpd -#smtp inet n - y - 1 postscreen -#smtpd pass - - y - - smtpd -#dnsblog unix - - y - 0 dnsblog -#tlsproxy unix - - y - 0 tlsproxy -#submission inet n - y - - smtpd -# -o syslog_name=postfix/submission -# -o smtpd_tls_security_level=encrypt -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_reject_unlisted_recipient=no +#smtp inet n - y - - smtpd +smtp inet n - y - 1 postscreen +smtpd pass - - y - - smtpd +dnsblog unix - - y - 0 dnsblog +tlsproxy unix - - y - 0 tlsproxy +submission inet n - y - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING -#smtps inet n - y - - smtpd -# -o syslog_name=postfix/smtps -# -o smtpd_tls_wrappermode=yes -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_reject_unlisted_recipient=no + -o smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +smtps inet n - y - - smtpd + -o syslog_name=postfix/smtps + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING + -o 
smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING #628 inet n - y - - qmqpd pickup unix n - y 60 1 pickup + -o content_filter= + -o receive_override_options=no_header_body_checks cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr @@ -3453,8 +3458,8 @@ ssl = yes # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = +ssl_key = < # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often @@ -3491,7 +3496,7 @@ ssl_client_ca_dir = /etc/ssl/certs # Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096` # Or migrate from old ssl-parameters.dat file with the command dovecot # gives on startup when ssl_dh is unset. -ssl_dh = + diff --git a/lib/configfiles/focal.xml b/lib/configfiles/focal.xml index 5a4f80fd..d18ba959 100644 --- a/lib/configfiles/focal.xml +++ b/lib/configfiles/focal.xml @@ -1753,15 +1753,18 @@ virtual_mailbox_limit = 0 ### TLS settings ### ## TLS for outgoing mails from the server to another server -#smtp_tls_security_level = may -#smtp_tls_note_starttls_offer = yes +smtp_tls_security_level = may +smtp_tls_note_starttls_offer = yes ## TLS for incoming connections (clients or other mail servers) -#smtpd_tls_security_level = may -#smtpd_tls_cert_file = /etc/ssl/server/.pem -#smtpd_tls_key_file = $smtpd_tls_cert_file +smtpd_tls_security_level = may +smtpd_tls_cert_file = +smtpd_tls_key_file = #smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt -#smtpd_tls_loglevel = 1 -#smtpd_tls_received_header = yes +smtpd_tls_loglevel = 1 +smtpd_tls_received_header = yes +smtp_use_tls = yes +smtpd_use_tls = yes +smtpd_tls_session_cache_timeout = 3600s ]]> 
@@ -1780,36 +1783,37 @@ virtual_mailbox_limit = 0 # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (no) (never) (100) # ========================================================================== -smtp inet n - n - - smtpd -#smtp inet n - n - 1 postscreen -#smtpd pass - - n - - smtpd -#dnsblog unix - - n - 0 dnsblog -#tlsproxy unix - - n - 0 tlsproxy -#submission inet n - n - - smtpd -# -o syslog_name=postfix/submission -# -o smtpd_tls_security_level=encrypt -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_tls_auth_only=yes -# -o smtpd_reject_unlisted_recipient=no +#smtp inet n - y - - smtpd +smtp inet n - y - 1 postscreen +smtpd pass - - y - - smtpd +dnsblog unix - - y - 0 dnsblog +tlsproxy unix - - y - 0 tlsproxy +submission inet n - y - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING -#smtps inet n - n - - smtpd -# -o syslog_name=postfix/smtps -# -o smtpd_tls_wrappermode=yes -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_reject_unlisted_recipient=no + -o smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +smtps inet n - y - - smtpd + -o syslog_name=postfix/smtps + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING -#628 inet n - n - - 
qmqpd -pickup unix n - n 60 1 pickup + -o smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup + -o content_filter= + -o receive_override_options=no_header_body_checks cleanup unix n - n - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr @@ -2831,14 +2835,14 @@ service dict { ## # SSL/TLS support: yes, no, required. -ssl = no +ssl = yes # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -#ssl_cert = +ssl_key = < # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often @@ -2870,8 +2874,11 @@ ssl = no # auth_ssl_username_from_cert=yes. #ssl_cert_username_field = commonName -# DH parameters length to use. -#ssl_dh_parameters_length = 1024 +# SSL DH parameters +# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096` +# Or migrate from old ssl-parameters.dat file with the command dovecot +# gives on startup when ssl_dh is unset. +ssl_dh = + diff --git a/lib/configfiles/gentoo.xml b/lib/configfiles/gentoo.xml index b3c0f765..6dcc5259 100644 --- a/lib/configfiles/gentoo.xml +++ b/lib/configfiles/gentoo.xml 
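Review bot: The chroot column flips from `n` to `y` for `smtp`, `smtpd`, `dnsblog`, `tlsproxy`, `submission`, `smtps`, `#628` and `pickup`, while `cleanup unix n - n - 0 cleanup` and the `qmgr` lines stay unchrooted and the column header still reads `(no)`; a half-chrooted master.cf is legal but easy to misread, so either chroot consistently or keep the focal/jammy templates at `n` as they were. Inside the chroot, `smtpd` resolves socket paths relative to the queue directory, so if the Dovecot SASL socket or any milter used by the `submission`/`smtps` services is not placed under /var/spool/postfix, authentication on those ports will fail — worth confirming against the rest of the template, which lies outside this hunk. The jammy.xml hunk at the same offset makes the identical change.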
@@ -1648,17 +1648,18 @@ virtual_mailbox_limit = 0 ### TLS settings ### ## TLS for outgoing mails from the server to another server -#smtp_use_tls = yes -#smtp_tls_note_starttls_offer = yes +smtp_tls_security_level = may +smtp_tls_note_starttls_offer = yes ## TLS for incoming connections (clients or other mail servers) -#smtpd_tls_cert_file = /etc/ssl/server/server.pem -#smtpd_tls_key_file = /etc/ssl/server/server.key +smtpd_tls_security_level = may +smtpd_tls_cert_file = +smtpd_tls_key_file = #smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt -#smtpd_tls_CAfile = /etc/ssl/cacert.class3.crt # Just an example for CACert.org -#smtpd_tls_auth_only = no -#smtpd_tls_loglevel = 1 -#smtpd_tls_received_header = yes -#smtpd_tls_session_cache_timeout = 3600s +smtpd_tls_loglevel = 1 +smtpd_tls_received_header = yes +smtp_use_tls = yes +smtpd_use_tls = yes +smtpd_tls_session_cache_timeout = 3600s #tls_random_source = dev:/dev/urandom ### Quota Settings with vda useflag @@ -2002,10 +2003,10 @@ protocols = imap pop3 sieve ### SSL Settings ### After you obtained an SSL-certificate enable ssl here and ### set disable_plaintext_auth to yes (see above) -ssl = no -#ssl_cert = .pem -#ssl_key = .key - +ssl = yes +ssl_cert = < +ssl_key = < +ssl_dh = + diff --git a/lib/configfiles/jammy.xml b/lib/configfiles/jammy.xml index 0f464f96..5d86a3a5 100644 --- a/lib/configfiles/jammy.xml +++ b/lib/configfiles/jammy.xml 
@@ -1753,15 +1753,18 @@ virtual_mailbox_limit = 0 ### TLS settings ### ## TLS for outgoing mails from the server to another server -#smtp_tls_security_level = may -#smtp_tls_note_starttls_offer = yes +smtp_tls_security_level = may +smtp_tls_note_starttls_offer = yes ## TLS for incoming connections (clients or other mail servers) -#smtpd_tls_security_level = may -#smtpd_tls_cert_file = /etc/ssl/server/.pem -#smtpd_tls_key_file = $smtpd_tls_cert_file +smtpd_tls_security_level = may +smtpd_tls_cert_file = +smtpd_tls_key_file = #smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt -#smtpd_tls_loglevel = 1 -#smtpd_tls_received_header = yes +smtpd_tls_loglevel = 1 +smtpd_tls_received_header = yes +smtp_use_tls = yes +smtpd_use_tls = yes +smtpd_tls_session_cache_timeout = 3600s ]]> 
@@ -1780,36 +1783,37 @@ virtual_mailbox_limit = 0 # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (no) (never) (100) # ========================================================================== -smtp inet n - n - - smtpd -#smtp inet n - n - 1 postscreen -#smtpd pass - - n - - smtpd -#dnsblog unix - - n - 0 dnsblog -#tlsproxy unix - - n - 0 tlsproxy -#submission inet n - n - - smtpd -# -o syslog_name=postfix/submission -# -o smtpd_tls_security_level=encrypt -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_tls_auth_only=yes -# -o smtpd_reject_unlisted_recipient=no +#smtp inet n - y - - smtpd +smtp inet n - y - 1 postscreen +smtpd pass - - y - - smtpd +dnsblog unix - - y - 0 dnsblog +tlsproxy unix - - y - 0 tlsproxy +submission inet n - y - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING -#smtps inet n - n - - smtpd -# -o syslog_name=postfix/smtps -# -o smtpd_tls_wrappermode=yes -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_reject_unlisted_recipient=no + -o smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +smtps inet n - y - - smtpd + -o syslog_name=postfix/smtps + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= -# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING -#628 inet n - n - - 
qmqpd -pickup unix n - n 60 1 pickup + -o smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup + -o content_filter= + -o receive_override_options=no_header_body_checks cleanup unix n - n - 0 cleanup qmgr unix n - n 300 1 qmgr #qmgr unix n - n 300 1 oqmgr @@ -2831,14 +2835,14 @@ service dict { ## # SSL/TLS support: yes, no, required. -ssl = no +ssl = yes # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -#ssl_cert = +ssl_key = < # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often @@ -2870,8 +2874,12 @@ ssl = no # auth_ssl_username_from_cert=yes. #ssl_cert_username_field = commonName -# DH parameters length to use. -#ssl_dh_parameters_length = 1024 +# SSL DH parameters +# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096` +# Or migrate from old ssl-parameters.dat file with the command dovecot +# gives on startup when ssl_dh is unset. +ssl_dh = +