diff --git a/update_postfix_dh_parameters.sh b/update_postfix_dh_parameters.sh
new file mode 100755
index 0000000..9318a40
--- /dev/null
+++ b/update_postfix_dh_parameters.sh
@@ -0,0 +1,286 @@
+#!/usr/bin/env bash
+
+script_dir="$(dirname $(realpath $0))"
+script_name="$(basename "$0")"
+
+conf_dir=$(dirname $0)/conf
+conf_file="${conf_dir}/install_postfix_base.conf"
+
+_TLS_CERT_DIR=/etc/postfix/ssl
+_TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt"
+_TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key"
+_TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt
+
+
+log_file=$(mktemp)
+
+
+# -------------
+# --- Some functions
+# -------------
+clean_up() {
+
+ # Perform program exit housekeeping
+ rm -f $log_file
+ exit $1
+}
+
+echononl(){
+ echo X\\c > /tmp/shprompt$$
+ if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+ echo -e -n "$*\\c" 1>&2
+ else
+ echo -e -n "$*" 1>&2
+ fi
+ rm /tmp/shprompt$$
+}
+
+fatal(){
+ echo ""
+ echo -e "fatal error: $*"
+ echo ""
+ echo -e "\t\033[31m\033[1mInstalllation will be interrupted\033[m\033[m"
+ echo ""
+ clean_up 1
+}
+
+error(){
+ echo ""
+ echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+ echo ""
+}
+
+warn (){
+ echo ""
+ echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+ echo ""
+}
+
+info (){
+ echo ""
+ echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+ echo ""
+}
+
+echo_done() {
+ echo -e "\033[80G[ \033[32mdone\033[m ]"
+}
+echo_ok() {
+ echo -e "\033[80G[ \033[32mok\033[m ]"
+}
+echo_warning() {
+ echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]"
+}
+echo_failed(){
+ echo -e "\033[80G[ \033[1;31mfailed\033[m ]"
+}
+echo_skipped() {
+ echo -e "\033[80G[ \033[33m\033[1mskipped\033[m ]"
+}
+
+blank_line() {
+ if $terminal ; then
+ echo ""
+ fi
+}
+
+
+detect_os () {
+
+ if $(which lsb_release > /dev/null 2>&1) ; then
+
+ DIST="$(lsb_release -i | awk '{print tolower($3)}')"
+ DIST_VERSION="$(lsb_release -r | awk '{print tolower($2)}')"
+ DIST_CODENAME="$(lsb_release -c | awk '{print tolower($2)}')"
+
+ if [[ "$DIST" = "debian" ]]; then
+ if $(echo "$DIST_VERSION" | grep -q '\.') ; then
+ DIST_VERSION=$(echo "$DIST_VERSION" | cut --delimiter='.' -f1)
+ fi
+ fi
+
+ elif [[ -e "/etc/os-release" ]]; then
+
+ . /etc/os-release
+
+ DIST=$ID
+ DIST_VERSION=${VERSION_ID}
+
+ fi
+
+ # remove whitespace from DIST and DIST_VERSION
+ DIST="${DIST// /}"
+ DIST_VERSION="${DIST_VERSION// /}"
+
+}
+
+
+
+# -------------
+# --- Some default settings
+# -------------
+
+DEFAULT_ADMIN_EMAIL="argus@oopen.de"
+DEFAULT_RELAY_HOST="b.mx.oopen.de"
+DEFAULT_SASL_AUTH=false
+
+
+# - Is this a systemd system?
+# -
+if [[ "X`which systemd`" = "X" ]]; then
+ systemd_exists=false
+else
+ systemd_exists=true
+fi
+
+echo ""
+
+# - Read Configuration File if exists
+# -
+if [[ -f "$conf_file" ]]; then
+ source $conf_file
+fi
+
+
+# -------------
+# --- Set default values for some non existent variables (i.e. no configuration file is present)
+# -------------
+
+[[ -z "$_ADMIN_EMAIL" ]] && _ADMIN_EMAIL="$DEFAULT_ADMIN_EMAIL"
+[[ -z "$_SASL_AUTH" ]] && _SASL_AUTH="$DEFAULT_SASL_AUTH"
+
+if [[ -z "$_HOSTNAME" ]] ; then
+ _HOSTNAME="$(hostname -f)"
+ _HOSTNAME_SHORT="$(hostname)"
+ [[ "$_HOSTNAME" = "$_HOSTNAME_SHORT" ]] && _HOSTNAME=""
+fi
+
+blank_line
+echononl "Detect distribution/release of running OS.."
+detect_os > /dev/null 2>&1
+if [[ $? -ne 0 ]]; then
+ echo_failed
+else
+ echo_ok
+fi
+blank_line
+blank_line
+
+## - create directory for certificates and copy certificates
+## - and coresponding keys to /etc/postfix/ssl/
+## -
+if [[ ! -d "/etc/postfix/ssl" ]] ; then
+ fatal "Certification directory \033[1m/etc/postfix/ssl\033[m not found!"
+fi
+
+
+## - generate DH parameters that the Postfix SMTP server should use
+## - with EDH ciphers (length 512 and 1024
+## -
+echononl " Generate DH key length=512 \"/etc/postfix/ssl/dh_512.pem\""
+if [[ ! -f /etc/postfix/ssl/dh_512.pem ]]; then
+ if [[ $DIST_VERSION -gt 11 ]] ; then
+ openssl dhparam -out /etc/postfix/ssl/dh_512.pem 512 > /dev/null 2>&1
+ else
+ openssl dhparam -dsaparam -out /etc/postfix/ssl/dh_512.pem 512 > /dev/null 2>&1
+ fi
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ fi
+else
+ if [[ $DIST_VERSION -gt 11 ]] ; then
+ if $(grep -q -E "X9.42" /etc/postfix/ssl/dh_512.pem 2> /dev/null); then
+ openssl dhparam -out /etc/postfix/ssl/dh_512.pem 512 > /dev/null 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ fi
+ else
+ echo_skipped
+ fi
+ else
+ echo_skipped
+ fi
+fi
+echononl " Generate DH key length=1024 \"/etc/postfix/ssl/dh_1024.pem\""
+if [[ ! -f /etc/postfix/ssl/dh_1024.pem ]]; then
+ if [[ $DIST_VERSION -gt 11 ]] ; then
+ openssl dhparam -out /etc/postfix/ssl/dh_1024.pem 1024 > /dev/null 2>&1
+ else
+ openssl dhparam -dsaparam -out /etc/postfix/ssl/dh_1024.pem 1024 > /dev/null 2>&1
+ fi
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ fi
+else
+ if [[ $DIST_VERSION -gt 11 ]] ; then
+ if $(grep -q -E "X9.42" /etc/postfix/ssl/dh_1024.pem 2> /dev/null); then
+ openssl dhparam -out /etc/postfix/ssl/dh_1024.pem 1024 > /dev/null 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ fi
+ else
+ echo_skipped
+ fi
+ else
+ echo_skipped
+ fi
+fi
+echononl " Generate DH key length=2048 \"/etc/postfix/ssl/dh_2048.pem\""
+if [[ ! -f /etc/postfix/ssl/dh_2048.pem ]]; then
+ if [[ $DIST_VERSION -gt 11 ]] ; then
+ openssl dhparam -out /etc/postfix/ssl/dh_2048.pem 2048 > /dev/null 2>&1
+ else
+ openssl dhparam -dsaparam -out /etc/postfix/ssl/dh_2048.pem 2048 > /dev/null 2>&1
+ fi
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ fi
+else
+ if [[ $DIST_VERSION -gt 11 ]] ; then
+ if $(grep -q -E "X9.42" /etc/postfix/ssl/dh_2048.pem 2> /dev/null); then
+ openssl dhparam -out /etc/postfix/ssl/dh_2048.pem 2048 > /dev/null 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ fi
+ else
+ echo_skipped
+ fi
+ else
+ echo_skipped
+ fi
+fi
+
+## - restart postfix
+## -
+echononl " Restart postfix"
+if $systemd_exists ; then
+ systemctl restart postfix > /dev/null 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ fi
+else
+ /etc/init.d/postfix restart > /dev/null 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ fi
+fi
+
+
+echo ""
+clean_up 0
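Review bot: `echononl` (near the top of the hunk) probes the shell's echo behaviour through the predictable path `/tmp/shprompt$$`, which another local user can pre-create in the shared /tmp before this root-run script reaches it, so the subsequent `wc` and `rm` act on a file the script does not own; the whole function can be replaced by one line with no temporary file at all, `echononl(){ printf '%b' "$*" >&2; }`, which keeps the escape-interpreting, no-trailing-newline output the callers rely on. The `log_file=$(mktemp)` created at the top is removed in `clean_up` but never written to, so the openssl and restart output now discarded with `> /dev/null 2>&1` could be captured there to make a `failed` status diagnosable, or the variable dropped. The three `[[ $DIST_VERSION -gt 11 ]]` tests fall through to the `-dsaparam` branch whenever `DIST_VERSION` is empty or non-numeric (a dotted `VERSION_ID` taken from `/etc/os-release` on a non-Debian system makes the comparison fail rather than abort), so a check right after `detect_os`, e.g. `[[ "$DIST_VERSION" =~ ^[0-9]+$ ]] || fatal "cannot determine numeric release of $DIST"`, would make that decision explicit instead of silent. The comment above the dhparam block says "length 512 and 1024" but the hunk also generates `dh_2048.pem`, so the comment should list all three.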