On Mon, Mar 28, 2022 at 12:27:18AM -0400, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Mon, Mar 28, 2022 at 03:23:55PM +1100, raf wrote:
> 
> > I just tried this (debian-11, postfix-3.5.6)
> > and was surprised by the effect:
> > 
> >   postfix tls new-server-key
> >   postfix tls deploy-server-cert /etc/postfix/cert-20220328-033631.pem
> >     /etc/postfix/key-20220328-033631.pem
> > 
> > The main.cf file originally contained:
> > 
> >   smtpd_tls_chain_files =
> >     /etc/postfix/smtpd.key
> >     /etc/postfix/smtpd.cert
> > 
> > The deploy-server-cert subcommand appended the following:
> > 
> >   smtpd_tls_cert_file = /etc/postfix/cert-20220328-033631.pem
> >   smtpd_tls_key_file = /etc/postfix/key-20220328-033631.pem
> 
> Yes, the "postfix tls" script has not yet been updated to handle
> the new "chain files" syntax. Sorry about that.
> 
> Contributions of suitably robust code welcome...
> 
> -- 
>     Viktor.

Hi,

Here's a very conservative patch. It does two things. It includes smtp_tls_chain_files and smtpd_tls_chain_files in the lists of parameters that must have their default values in order for enable-client and enable-server to change main.cf. That might not be correct, but it seemed reasonable.

And it refuses to set smtpd_tls_cert_file and smtpd_tls_key_file if smtpd_tls_chain_files is currently set. Instead, it outputs instructions on what to do manually.

Ideally, it would also use smtpd_tls_chain_files by default, and even better, convert the old parameters to the new parameter when given the chance, but I haven't attempted that. That's tricky given the number of key types that could be present.

It would be easy enough to use smtpd_tls_chain_files by default, and even to replace smtpd_tls_cert_file and smtpd_tls_key_file (etc.) with smtpd_tls_chain_files, but it would be tricky to replace a subset of the files listed in smtpd_tls_chain_files with the new files (assuming the existence of other types of keys/certs). It would require identifying the type of each key/cert and only replacing the matching ones. I'm not certain how to do that.
cheers, raf --- postfix-tls-script.orig 2020-05-31 00:37:04.000000000 +1000 +++ postfix-tls-script 2022-03-28 19:42:42.885356325 +1100 @@ -256,6 +256,7 @@ smtp_tls_cert_file smtp_tls_dcert_file smtp_tls_eccert_file + smtp_tls_chain_files " server_settings=" @@ -265,6 +266,7 @@ smtpd_tls_cert_file smtpd_tls_dcert_file smtpd_tls_eccert_file + smtpd_tls_chain_files " # @@ -651,6 +653,23 @@ fi } +# args: certfile keyfile +info_deploy_server_cert() { + cat <<-EOM + *** Updating smtpd_tls_chain_files is not supported, no changes made. + Set the equivalent of this in main.cf: + smtpd_tls_cert_file = $1 + smtpd_tls_key_file = $2 + Or: + smtpd_tls_chain_files = + $2 + $1 + Then run the command: + # postfix reload + if you want the new settings to take effect immediately. + EOM +} + set_fqdn() { if [ -n "$1" ]; then fqdn=$1; return 0; fi fqdn=`$postconf -xh myhostname` || return 1 
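Review bot: in the new info_deploy_server_cert function, the `<<-EOM` here-document strips only leading tab characters, so if the body and the closing `EOM` are indented with spaces (the mail does not preserve the indentation, so this cannot be confirmed from the hunk alone) the terminator is never recognized and `cat` consumes the rest of the script; please verify the indentation is tabs, or leave `EOM` unindented. The suggested `smtpd_tls_chain_files = $2 $1` block lists the key before the certificate, which is the order chain files require (each private key followed by its certificate), but the message should say so explicitly, because the `smtpd_tls_cert_file = $1` / `smtpd_tls_key_file = $2` alternative just above it lists them the other way round and a reader may assume either order works.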
@@ -796,23 +815,29 @@ return 1 fi - set -- \ - "${key_param} = ${keyfile}" \ - "${cert_param} = ${certfile}" + # Note: updating smtpd_tls_chain_files not supported + if all_default smtpd_tls_chain_files; then + set -- \ + "${key_param} = ${keyfile}" \ + "${cert_param} = ${certfile}" - if [ "${deploy}" = "enable" ]; then - set -- "$@" \ - "smtpd_tls_security_level = may" \ - "smtpd_tls_received_header = yes" \ - "smtpd_tls_loglevel = 1" - fi + if [ "${deploy}" = "enable" ]; then + set -- "$@" \ + "smtpd_tls_security_level = may" \ + "smtpd_tls_received_header = yes" \ + "smtpd_tls_loglevel = 1" + fi - if [ -n "${tls_random_source}" ]; then - set -- "$@" "tls_random_source = ${tls_random_source}" - fi + if [ -n "${tls_random_source}" ]; then + set -- "$@" "tls_random_source = ${tls_random_source}" + fi - # All in one shot, since postconf delays modifying "hot" main.cf files. - $postconf -e "$@" || return 1 + # All in one shot, since postconf delays modifying "hot" main.cf files. + $postconf -e "$@" || return 1 + else + info_deploy_server_cert "$certfile" "$keyfile" | $INFO + return 1 + fi } # Prepare a new cert and perhaps re-use any existing private key.
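Review bot: the new else branch returns 1 for the enable-server case as well, so when `${deploy}` is "enable" and smtpd_tls_chain_files is already set, `smtpd_tls_security_level = may`, `smtpd_tls_received_header = yes`, `smtpd_tls_loglevel = 1` and any `tls_random_source` setting are silently skipped, and info_deploy_server_cert tells the user only about the cert/key parameters. Either add those settings to the printed instructions when `${deploy}` is "enable", or keep applying the non-certificate settings through `$postconf -e` in the else branch and refuse only the cert/key parameters. The comment `# Note: updating smtpd_tls_chain_files not supported` would also be more useful to the next maintainer if it said why (the list may contain several key types, so the script cannot tell which entries to replace), which is the reasoning given in the covering mail.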