Improve email tls config

This commit is contained in:
Bob Mottram 2017-08-31 19:39:28 +01:00
parent 8c4f835657
commit 268fb4cc6f
1 changed files with 29 additions and 17 deletions

View File

@ -120,29 +120,41 @@ function email_create_template {
} }
function email_install_tls { function email_install_tls {
# make a tls certificate for email tls_config_file=/etc/exim4/conf.d/main/03_exim4-config_tlsoptions
tls_auth_config_file=/etc/exim4/conf.d/auth/30_exim4-config_examples
if [ ! -f $tls_config_file ]; then
tls_config_file=/etc/exim4/exim4.conf.template
tls_auth_config_file=$tls_config_file
fi
if [ ! -f /etc/ssl/certs/exim.dhparam ]; then if [ ! -f /etc/ssl/certs/exim.dhparam ]; then
${PROJECT_NAME}-addcert -h exim --dhkey $DH_KEYLENGTH ${PROJECT_NAME}-addcert -h exim --dhkey $DH_KEYLENGTH
check_certificates exim check_certificates exim
cp /etc/ssl/certs/exim.dhparam /etc/exim4
chown root:Debian-exim /etc/exim4/exim.dhparam
chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
fi fi
cp /etc/ssl/private/exim.key /etc/exim4 if ! grep -q 'MAIN_TLS_ENABLE = true' $tls_config_file; then
cp /etc/ssl/certs/exim.crt /etc/exim4 sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\MAIN_HARDCODE_PRIMARY_HOSTNAME =\nMAIN_TLS_ENABLE = true" $tls_config_file
cp /etc/ssl/certs/exim.dhparam /etc/exim4
chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
sed -i '/login_saslauthd_server/,/.endif/ s/# *//' /etc/exim4/exim4.conf.template
if ! grep -q "MAIN_TLS_ENABLE = true" /etc/exim4/exim4.conf.template; then
sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\MAIN_HARDCODE_PRIMARY_HOSTNAME =\nMAIN_TLS_ENABLE = true" /etc/exim4/exim4.conf.template
else
sed -i "s|MAIN_HARDCODE_PRIMARY_HOSTNAME =.*|MAIN_HARDCODE_PRIMARY_HOSTNAME =|g" /etc/exim4/exim4.conf.template
fi fi
sed -i "s|SMTPLISTENEROPTIONS=''|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4 if ! grep -q "tls_on_connect_ports=465" $tls_config_file; then
if ! grep -q "tls_on_connect_ports=465" /etc/exim4/exim4.conf.template; then sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' $tls_config_file
sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' /etc/exim4/exim4.conf.template
fi fi
if ! grep -q "# don't send system passwords" /etc/exim4/exim4.conf.template; then if grep -q '# login_saslauthd_server' $tls_auth_config_file; then
sed -i "s|don't send system passwords.*|# don't send system passwords unencrypted|g" /etc/exim4/exim4.conf.template sed -i '/login_saslauthd_server/,/.endif/ s/# *//' $tls_auth_config_file
fi
if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
if ! grep -q "MAIN_TLS_CERTKEY = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" $tls_config_file; then
sed -i "/.ifdef MAIN_TLS_CERTKEY/i\MAIN_TLS_CERTKEY = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" $tls_config_file
fi
fi
if [ -f /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key ]; then
if ! grep -q "MAIN_TLS_PRIVATEKEY = /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" $tls_config_file; then
sed -i "/.ifdef MAIN_TLS_PRIVATEKEY/i\MAIN_TLS_PRIVATEKEY = /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" $tls_config_file
fi
fi
if ! grep -q "SMTPLISTENEROPTIONS='-oX 465:25:587" /etc/default/exim4; then
sed -i "s|SMTPLISTENEROPTIONS=.*|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4
fi fi
} }