enable ssl for postfix/dovecot by default using a self-signed certificate if not otherwise specified

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
2022-11-12 16:36:57 +01:00
parent 1d938f2a43
commit cc1d427a69
11 changed files with 275 additions and 205 deletions
--- a/lib/configfiles/jammy.xml
+++ b/lib/configfiles/jammy.xml
@@ -1753,15 +1753,18 @@ virtual_mailbox_limit = 0
 ### TLS settings
 ###
 ## TLS for outgoing mails from the server to another server
-#smtp_tls_security_level = may
-#smtp_tls_note_starttls_offer = yes
+smtp_tls_security_level = may
+smtp_tls_note_starttls_offer = yes
 ## TLS for incoming connections (clients or other mail servers)
-#smtpd_tls_security_level = may
-#smtpd_tls_cert_file = /etc/ssl/server/<SERVERNAME>.pem
-#smtpd_tls_key_file = $smtpd_tls_cert_file
+smtpd_tls_security_level = may
+smtpd_tls_cert_file = <SSL_CERT_FILE>
+smtpd_tls_key_file = <SSL_KEY_FILE>
 #smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-#smtpd_tls_loglevel = 1
-#smtpd_tls_received_header = yes
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtp_use_tls = yes
+smtpd_use_tls = yes
+smtpd_tls_session_cache_timeout = 3600s
 ]]>
 						</content>
 					</file>
@@ -1780,36 +1783,37 @@ virtual_mailbox_limit = 0
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (no)    (never) (100)
 # ==========================================================================
-smtp      inet  n       -       n       -       -       smtpd
-#smtp      inet  n       -       n       -       1       postscreen
-#smtpd     pass  -       -       n       -       -       smtpd
-#dnsblog   unix  -       -       n       -       0       dnsblog
-#tlsproxy  unix  -       -       n       -       0       tlsproxy
-#submission inet n       -       n       -       -       smtpd
-#  -o syslog_name=postfix/submission
-#  -o smtpd_tls_security_level=encrypt
-#  -o smtpd_sasl_auth_enable=yes
-#  -o smtpd_tls_auth_only=yes
-#  -o smtpd_reject_unlisted_recipient=no
+#smtp      inet  n       -       y       -       -       smtpd
+smtp      inet  n       -       y       -       1       postscreen
+smtpd     pass  -       -       y       -       -       smtpd
+dnsblog   unix  -       -       y       -       0       dnsblog
+tlsproxy  unix  -       -       y       -       0       tlsproxy
+submission inet n       -       y       -       -       smtpd
+  -o syslog_name=postfix/submission
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_reject_unlisted_recipient=no
 #  -o smtpd_client_restrictions=$mua_client_restrictions
 #  -o smtpd_helo_restrictions=$mua_helo_restrictions
 #  -o smtpd_sender_restrictions=$mua_sender_restrictions
 #  -o smtpd_recipient_restrictions=
-#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-#  -o milter_macro_daemon_name=ORIGINATING
-#smtps     inet  n       -       n       -       -       smtpd
-#  -o syslog_name=postfix/smtps
-#  -o smtpd_tls_wrappermode=yes
-#  -o smtpd_sasl_auth_enable=yes
-#  -o smtpd_reject_unlisted_recipient=no
+  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
+smtps     inet  n       -       y       -       -       smtpd
+  -o syslog_name=postfix/smtps
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_reject_unlisted_recipient=no
 #  -o smtpd_client_restrictions=$mua_client_restrictions
 #  -o smtpd_helo_restrictions=$mua_helo_restrictions
 #  -o smtpd_sender_restrictions=$mua_sender_restrictions
 #  -o smtpd_recipient_restrictions=
-#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-#  -o milter_macro_daemon_name=ORIGINATING
-#628       inet  n       -       n       -       -       qmqpd
-pickup    unix  n       -       n       60      1       pickup
+  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       y       -       -       qmqpd
+pickup    unix  n       -       y       60      1       pickup
+         -o content_filter=
+         -o receive_override_options=no_header_body_checks
 cleanup   unix  n       -       n       -       0       cleanup
 qmgr      unix  n       -       n       300     1       qmgr
 #qmgr     unix  n       -       n       300     1       oqmgr
@@ -2831,14 +2835,14 @@ service dict {
 ##

 # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
-ssl = no
+ssl = yes

 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-#ssl_cert = </etc/dovecot/dovecot.pem
-#ssl_key = </etc/dovecot/private/dovecot.pem
+ssl_cert = <<SSL_CERT_FILE>
+ssl_key = <<SSL_KEY_FILE>

 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
@@ -2870,8 +2874,12 @@ ssl = no
 # auth_ssl_username_from_cert=yes.
 #ssl_cert_username_field = commonName

-# DH parameters length to use.
-#ssl_dh_parameters_length = 1024
+# SSL DH parameters
+# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
+# Or migrate from old ssl-parameters.dat file with the command dovecot
+# gives on startup when ssl_dh is unset.
+ssl_dh = </etc/dovecot/dh.pem
+

 # SSL protocols to use
 #ssl_protocols = !SSLv3
@@ -3320,6 +3328,7 @@ plugin {
 						</file>
 					</files>
 					<commands index="1">
+						<command><![CDATA[openssl dhparam -out /etc/dovecot/dh.pem 4096]]></command>
 						<command><![CDATA[service dovecot restart]]></command>
 					</commands>
 				</general>