From 268fb4cc6f73612b7c2a52d54c22c8bad1d9f397 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Thu, 31 Aug 2017 19:39:28 +0100 Subject: [PATCH] Improve email tls config --- src/freedombone-base-email | 46 ++++++++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/src/freedombone-base-email b/src/freedombone-base-email index 6ab7a99a..6f19f8c8 100755 --- a/src/freedombone-base-email +++ b/src/freedombone-base-email @@ -120,29 +120,41 @@ function email_create_template { } function email_install_tls { - # make a tls certificate for email + tls_config_file=/etc/exim4/conf.d/main/03_exim4-config_tlsoptions + tls_auth_config_file=/etc/exim4/conf.d/auth/30_exim4-config_examples + + if [ ! -f $tls_config_file ]; then + tls_config_file=/etc/exim4/exim4.conf.template + tls_auth_config_file=$tls_config_file + fi if [ ! -f /etc/ssl/certs/exim.dhparam ]; then ${PROJECT_NAME}-addcert -h exim --dhkey $DH_KEYLENGTH check_certificates exim + cp /etc/ssl/certs/exim.dhparam /etc/exim4 + chown root:Debian-exim /etc/exim4/exim.dhparam + chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam fi - cp /etc/ssl/private/exim.key /etc/exim4 - cp /etc/ssl/certs/exim.crt /etc/exim4 - cp /etc/ssl/certs/exim.dhparam /etc/exim4 - chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam - chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam - - sed -i '/login_saslauthd_server/,/.endif/ s/# *//' /etc/exim4/exim4.conf.template - if ! grep -q "MAIN_TLS_ENABLE = true" /etc/exim4/exim4.conf.template; then - sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\MAIN_HARDCODE_PRIMARY_HOSTNAME =\nMAIN_TLS_ENABLE = true" /etc/exim4/exim4.conf.template - else - sed -i "s|MAIN_HARDCODE_PRIMARY_HOSTNAME =.*|MAIN_HARDCODE_PRIMARY_HOSTNAME =|g" /etc/exim4/exim4.conf.template + if ! grep -q 'MAIN_TLS_ENABLE = true' $tls_config_file; then + sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\MAIN_HARDCODE_PRIMARY_HOSTNAME =\nMAIN_TLS_ENABLE = true" $tls_config_file fi - sed -i "s|SMTPLISTENEROPTIONS=''|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4 - if ! grep -q "tls_on_connect_ports=465" /etc/exim4/exim4.conf.template; then - sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' /etc/exim4/exim4.conf.template + if ! grep -q "tls_on_connect_ports=465" $tls_config_file; then + sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' $tls_config_file fi - if ! grep -q "# don't send system passwords" /etc/exim4/exim4.conf.template; then - sed -i "s|don't send system passwords.*|# don't send system passwords unencrypted|g" /etc/exim4/exim4.conf.template + if grep -q '# login_saslauthd_server' $tls_auth_config_file; then + sed -i '/login_saslauthd_server/,/.endif/ s/# *//' $tls_auth_config_file + fi + if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then + if ! grep -q "MAIN_TLS_CERTKEY = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" $tls_config_file; then + sed -i "/.ifdef MAIN_TLS_CERTKEY/i\MAIN_TLS_CERTKEY = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" $tls_config_file + fi + fi + if [ -f /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key ]; then + if ! grep -q "MAIN_TLS_PRIVATEKEY = /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" $tls_config_file; then + sed -i "/.ifdef MAIN_TLS_PRIVATEKEY/i\MAIN_TLS_PRIVATEKEY = /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" $tls_config_file + fi + fi + if ! grep -q "SMTPLISTENEROPTIONS='-oX 465:25:587" /etc/default/exim4; then + sed -i "s|SMTPLISTENEROPTIONS=.*|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4 fi }