maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

enable ssl for postfix/dovecot by default using a self-signed certificate if not otherwise specified

Browse Source 
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2022-11-12 16:36:57 +01:00
parent 1d938f2a43
commit cc1d427a69
11 changed files with 275 additions and 205 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
lib/Froxlor/Cli/ConfigServices.php
View File

@@ -32,6 +32,7 @@ use Froxlor\Froxlor;
use Froxlor\PhpHelper;
use Froxlor\Settings;
use Froxlor\SImExporter;
use Froxlor\System\Crypt;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Input\InputOption;
use Symfony\Component\Console\Output\OutputInterface;
@@ -353,6 +354,14 @@ final class ConfigServices extends CliCommand
$services = $configfiles->getServices();
$replace_arr = $this->getReplacerArray();
// be sure the fallback certificate specified in the settings exists
$certFile = Settings::Get('system.ssl_cert_file');
$keyFile = Settings::Get('system.ssl_key_file');
if (empty($certFile) || empty($keyFile) || !file_exists($certFile) || !file_exists($keyFile)) {
$output->writeln('<comment>Creating missing certificate ' . $certFile . '</>');
Crypt::createSelfSignedCertificate();
}
foreach ($services as $si => $service) {
$output->writeln("--- Configuring: " . strtoupper($si) . " ---");
if (!isset($decoded_config[$si]) || $decoded_config[$si] == 'x') {
@@ -495,7 +504,9 @@ final class ConfigServices extends CliCommand
'<WEBSERVER_RELOAD_CMD>' => Settings::Get('system.apachereload_command'),
'<CUSTOMER_LOGS>' => FileDir::makeCorrectDir(Settings::Get('system.logfiles_directory')),
'<FPM_IPCDIR>' => FileDir::makeCorrectDir(Settings::Get('phpfpm.fastcgi_ipcdir')),
'<WEBSERVER_GROUP>' => Settings::Get('system.httpgroup')
'<WEBSERVER_GROUP>' => Settings::Get('system.httpgroup'),
'<SSL_CERT_FILE>' => Settings::Get('system.ssl_cert_file'),
'<SSL_KEY_FILE>' => Settings::Get('system.ssl_key_file'),
];
return $replace_arr;
}

16
lib/Froxlor/System/Crypt.php
View File

@@ -242,6 +242,18 @@ class Crypt
*/
public static function createSelfSignedCertificate()
{
// validate that we have file names in the settings
$certFile = Settings::Get('system.ssl_cert_file');
$keyFile = Settings::Get('system.ssl_key_file');
if (empty($certFile)) {
$certFile = '/etc/ssl/froxlor_selfsigned.pem';
Settings::Set('system.ssl_cert_file', $certFile);
}
if (empty($keyFile)) {
$keyFile = '/etc/ssl/froxlor_selfsigned.key';
Settings::Set('system.ssl_key_file', $keyFile);
}
// certificate info
$dn = [
"countryName" => "DE",
@@ -262,7 +274,7 @@ class Crypt
// sign csr
$x509 = openssl_csr_sign($csr, null, $privkey, 365, array('digest_alg' => 'sha384'));
// export to files
openssl_x509_export_to_file($x509, Settings::Get('system.ssl_cert_file'));
openssl_pkey_export_to_file($privkey, Settings::Get('system.ssl_key_file'));
openssl_x509_export_to_file($x509, $certFile);
openssl_pkey_export_to_file($privkey, $keyFile);
}
}

71
lib/configfiles/bionic.xml
View File

@@ -2347,15 +2347,18 @@ virtual_mailbox_limit = 0
### TLS settings
###
## TLS for outgoing mails from the server to another server
#smtp_tls_security_level = may
#smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
## TLS for incoming connections (clients or other mail servers)
#smtpd_tls_security_level = may
#smtpd_tls_cert_file = /etc/ssl/server/<SERVERNAME>.pem
#smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_tls_cert_file = <SSL_CERT_FILE>
smtpd_tls_key_file = <SSL_KEY_FILE>
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtpd_tls_loglevel = 1
#smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_session_cache_timeout = 3600s
]]>
</content>
</file>
@@ -2374,35 +2377,37 @@ virtual_mailbox_limit = 0
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
#smtp inet n - y - - smtpd
smtp inet n - y - 1 postscreen
smtpd pass - - y - - smtpd
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
-o content_filter=
-o receive_override_options=no_header_body_checks
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
@@ -3414,14 +3419,14 @@ service dict {
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = no
ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#ssl_cert = </etc/dovecot/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.pem
ssl_cert = <<SSL_CERT_FILE>
ssl_key = <<SSL_KEY_FILE>
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
@@ -3453,8 +3458,11 @@ ssl = no
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# DH parameters length to use.
#ssl_dh_parameters_length = 1024
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </etc/dovecot/dh.pem
# SSL protocols to use
#ssl_protocols = !SSLv3
@@ -3903,6 +3911,7 @@ plugin {
</file>
</files>
<commands index="1">
<command><![CDATA[openssl dhparam -out /etc/dovecot/dh.pem 4096]]></command>
<command><![CDATA[/etc/init.d/dovecot restart]]></command>
</commands>
</general>

63
lib/configfiles/bookworm.xml
View File

@@ -2306,15 +2306,18 @@ virtual_mailbox_limit = 0
### TLS settings
###
## TLS for outgoing mails from the server to another server
#smtp_tls_security_level = may
#smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
## TLS for incoming connections (clients or other mail servers)
#smtpd_tls_security_level = may
#smtpd_tls_cert_file = /etc/ssl/server/<SERVERNAME>.pem
#smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_tls_cert_file = <SSL_CERT_FILE>
smtpd_tls_key_file = <SSL_KEY_FILE>
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtpd_tls_loglevel = 1
#smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_session_cache_timeout = 3600s
]]>
</content>
</file>
@@ -2333,35 +2336,37 @@ virtual_mailbox_limit = 0
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
#smtp inet n - y - - smtpd
smtp inet n - y - 1 postscreen
smtpd pass - - y - - smtpd
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
-o content_filter=
-o receive_override_options=no_header_body_checks
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
@@ -2515,8 +2520,9 @@ service stats {
}
ssl = yes
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key
ssl_cert = <<SSL_CERT_FILE>
ssl_key = <<SSL_KEY_FILE>
ssl_dh = </etc/dovecot/dh.pem
postmaster_address = postmaster@<SERVERNAME>
@@ -2539,6 +2545,7 @@ plugin {
</file>
</files>
<commands index="1">
<command><![CDATA[openssl dhparam -out /etc/dovecot/dh.pem 4096]]></command>
<command><![CDATA[service dovecot restart]]></command>
</commands>
</general>

64
lib/configfiles/bullseye.xml
View File

@@ -2306,15 +2306,18 @@ virtual_mailbox_limit = 0
### TLS settings
###
## TLS for outgoing mails from the server to another server
#smtp_tls_security_level = may
#smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
## TLS for incoming connections (clients or other mail servers)
#smtpd_tls_security_level = may
#smtpd_tls_cert_file = /etc/ssl/server/<SERVERNAME>.pem
#smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_tls_cert_file = <SSL_CERT_FILE>
smtpd_tls_key_file = <SSL_KEY_FILE>
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtpd_tls_loglevel = 1
#smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_session_cache_timeout = 3600s
]]>
</content>
</file>
@@ -2333,35 +2336,37 @@ virtual_mailbox_limit = 0
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
#smtp inet n - y - - smtpd
smtp inet n - y - 1 postscreen
smtpd pass - - y - - smtpd
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
-o content_filter=
-o receive_override_options=no_header_body_checks
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
@@ -3453,8 +3458,8 @@ ssl = yes
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key
ssl_cert = <<SSL_CERT_FILE>
ssl_key = <<SSL_KEY_FILE>
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
@@ -3495,7 +3500,7 @@ ssl_client_ca_dir = /etc/ssl/certs
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </usr/share/dovecot/dh.pem
ssl_dh = </etc/dovecot/dh.pem
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
@@ -4110,6 +4115,7 @@ plugin {
</file>
</files>
<commands index="1">
<command><![CDATA[openssl dhparam -out /etc/dovecot/dh.pem 4096]]></command>
<command><![CDATA[service dovecot restart]]></command>
</commands>
</general>

64
lib/configfiles/buster.xml
View File

@@ -2306,15 +2306,18 @@ virtual_mailbox_limit = 0
### TLS settings
###
## TLS for outgoing mails from the server to another server
#smtp_tls_security_level = may
#smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
## TLS for incoming connections (clients or other mail servers)
#smtpd_tls_security_level = may
#smtpd_tls_cert_file = /etc/ssl/server/<SERVERNAME>.pem
#smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_tls_cert_file = <SSL_CERT_FILE>
smtpd_tls_key_file = <SSL_KEY_FILE>
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtpd_tls_loglevel = 1
#smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_session_cache_timeout = 3600s
]]>
</content>
</file>
@@ -2333,35 +2336,37 @@ virtual_mailbox_limit = 0
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
#smtp inet n - y - - smtpd
smtp inet n - y - 1 postscreen
smtpd pass - - y - - smtpd
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
-o content_filter=
-o receive_override_options=no_header_body_checks
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
@@ -3453,8 +3458,8 @@ ssl = yes
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = </etc/dovecot/private/dovecot.key
ssl_cert = <<SSL_CERT_FILE>
ssl_key = <<SSL_KEY_FILE>
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
@@ -3491,7 +3496,7 @@ ssl_client_ca_dir = /etc/ssl/certs
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </usr/share/dovecot/dh.pem
ssl_dh = </etc/dovecot/dh.pem
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
@@ -4105,6 +4110,7 @@ plugin {
</file>
</files>
<commands index="1">
<command><![CDATA[openssl dhparam -out /etc/dovecot/dh.pem 4096]]></command>
<command><![CDATA[/etc/init.d/dovecot restart]]></command>
</commands>
</general>

76
lib/configfiles/focal.xml
View File

@@ -1753,15 +1753,18 @@ virtual_mailbox_limit = 0
### TLS settings
###
## TLS for outgoing mails from the server to another server
#smtp_tls_security_level = may
#smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
## TLS for incoming connections (clients or other mail servers)
#smtpd_tls_security_level = may
#smtpd_tls_cert_file = /etc/ssl/server/<SERVERNAME>.pem
#smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_tls_cert_file = <SSL_CERT_FILE>
smtpd_tls_key_file = <SSL_KEY_FILE>
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtpd_tls_loglevel = 1
#smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_session_cache_timeout = 3600s
]]>
</content>
</file>
@@ -1780,36 +1783,37 @@ virtual_mailbox_limit = 0
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
#submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
#smtp inet n - y - - smtpd
smtp inet n - y - 1 postscreen
smtpd pass - - y - - smtpd
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
-o content_filter=
-o receive_override_options=no_header_body_checks
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
@@ -2831,14 +2835,14 @@ service dict {
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = no
ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#ssl_cert = </etc/dovecot/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.pem
ssl_cert = <<SSL_CERT_FILE>
ssl_key = <<SSL_KEY_FILE>
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
@@ -2870,8 +2874,11 @@ ssl = no
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# DH parameters length to use.
#ssl_dh_parameters_length = 1024
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </etc/dovecot/dh.pem
# SSL protocols to use
#ssl_protocols = !SSLv3
@@ -3320,6 +3327,7 @@ plugin {
</file>
</files>
<commands index="1">
<command><![CDATA[openssl dhparam -out /etc/dovecot/dh.pem 4096]]></command>
<command><![CDATA[service dovecot restart]]></command>
</commands>
</general>

28
lib/configfiles/gentoo.xml
View File

@@ -1648,17 +1648,18 @@ virtual_mailbox_limit = 0
### TLS settings
###
## TLS for outgoing mails from the server to another server
#smtp_use_tls = yes
#smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
## TLS for incoming connections (clients or other mail servers)
#smtpd_tls_cert_file = /etc/ssl/server/server.pem
#smtpd_tls_key_file = /etc/ssl/server/server.key
smtpd_tls_security_level = may
smtpd_tls_cert_file = <SSL_CERT_FILE>
smtpd_tls_key_file = <SSL_KEY_FILE>
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtpd_tls_CAfile = /etc/ssl/cacert.class3.crt # Just an example for CACert.org
#smtpd_tls_auth_only = no
#smtpd_tls_loglevel = 1
#smtpd_tls_received_header = yes
#smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_session_cache_timeout = 3600s
#tls_random_source = dev:/dev/urandom
### Quota Settings with vda useflag
@@ -2002,10 +2003,10 @@ protocols = imap pop3 sieve
### SSL Settings
### After you obtained an SSL-certificate enable ssl here and
### set disable_plaintext_auth to yes (see above)
ssl = no
#ssl_cert = </etc/ssl/server/<SERVERNAME>.pem
#ssl_key = </etc/ssl/server/<SERVERNAME>.key
ssl = yes
ssl_cert = <<SSL_CERT_FILE>
ssl_key = <<SSL_KEY_FILE>
ssl_dh = </etc/dovecot/dh.pem
passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
@@ -2340,6 +2341,7 @@ plugin {
]]>
</content>
</file>
<command><![CDATA[openssl dhparam -out /etc/dovecot/dh.pem 4096]]></command>
<command><![CDATA[rc-update add dovecot default]]></command>
<command><![CDATA[/etc/init.d/dovecot restart]]></command>
</daemon>

77
lib/configfiles/jammy.xml
View File

@@ -1753,15 +1753,18 @@ virtual_mailbox_limit = 0
### TLS settings
###
## TLS for outgoing mails from the server to another server
#smtp_tls_security_level = may
#smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
## TLS for incoming connections (clients or other mail servers)
#smtpd_tls_security_level = may
#smtpd_tls_cert_file = /etc/ssl/server/<SERVERNAME>.pem
#smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_tls_cert_file = <SSL_CERT_FILE>
smtpd_tls_key_file = <SSL_KEY_FILE>
#smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
#smtpd_tls_loglevel = 1
#smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_session_cache_timeout = 3600s
]]>
</content>
</file>
@@ -1780,36 +1783,37 @@ virtual_mailbox_limit = 0
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
#submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
#smtp inet n - y - - smtpd
smtp inet n - y - 1 postscreen
smtpd pass - - y - - smtpd
dnsblog unix - - y - 0 dnsblog
tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
-o content_filter=
-o receive_override_options=no_header_body_checks
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
@@ -2831,14 +2835,14 @@ service dict {
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = no
ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
#ssl_cert = </etc/dovecot/dovecot.pem
#ssl_key = </etc/dovecot/private/dovecot.pem
ssl_cert = <<SSL_CERT_FILE>
ssl_key = <<SSL_KEY_FILE>
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
@@ -2870,8 +2874,12 @@ ssl = no
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# DH parameters length to use.
#ssl_dh_parameters_length = 1024
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </etc/dovecot/dh.pem
# SSL protocols to use
#ssl_protocols = !SSLv3
@@ -3320,6 +3328,7 @@ plugin {
</file>
</files>
<commands index="1">
<command><![CDATA[openssl dhparam -out /etc/dovecot/dh.pem 4096]]></command>
<command><![CDATA[service dovecot restart]]></command>
</commands>
</general>