1#!/bin/sh
2#         $NetBSD: postfix-tls-script,v 1.5 2023/12/23 20:30:42 christos Exp $
3#
4
5#++
6# NAME
7#         postfix-tls 1
8# SUMMARY
9#         Postfix TLS management
10# SYNOPSIS
11#         \fBpostfix tls\fR \fIsubcommand\fR
12# DESCRIPTION
13#         The "\fBpostfix tls \fIsubcommand\fR" feature enables
14#         opportunistic TLS in the Postfix SMTP client or server, and
15#         manages Postfix SMTP server private keys and certificates.
16#
17#         The following subcommands are available:
18# .IP "\fBenable-client\fR [\fB-r \fIrandsource\fR]"
19#         Enable opportunistic TLS in the Postfix SMTP client, if all
20#         SMTP client TLS settings are at their default values.
21#         Otherwise, suggest parameter settings without making any
22#         changes.
23# .sp
24#         Specify \fIrandsource\fR to update the value of the
25#         \fBtls_random_source\fR configuration parameter (typically,
26#         /dev/urandom).  Prepend \fBdev:\fR to device paths or
27#         \fBegd:\fR to EGD socket paths.
28# .sp
29#         See also the \fBall-default-client\fR subcommand.
30# .IP "\fBenable-server\fR [\fB-r \fIrandsource\fR] [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB...\fR]"
31#         Create a new private key and self-signed server certificate
32#         and enable opportunistic TLS in the Postfix SMTP server,
33#         if all SMTP server TLS settings are at their default values.
34#         Otherwise, suggest parameter settings without making any
35#         changes.
36# .sp
37#         The \fIrandsource\fR parameter is as with \fBenable-client\fR
38#         above, and the remaining options are as with \fBnew-server-key\fR
39#         below.
40# .sp
41#         See also the \fBall-default-server\fR subcommand.
42# .IP "\fBnew-server-key\fR [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB...\fR]"
43#         Create a new private key and self-signed server certificate,
44#         but do not deploy them. Log and display commands to deploy
45#         the new key and corresponding certificate.  Also log and
46#         display commands to output a corresponding CSR or TLSA
47#         records which may be needed to obtain a CA certificate or
48#         to update DNS before the new key can be deployed.
49# .sp
50#         The \fIalgorithm\fR defaults to \fBrsa\fR, and \fIbits\fR
51#         defaults to 2048.  If you choose the \fBecdsa\fR  \fIalgorithm\fR
52#         then \fIbits\fR will be an EC curve name (by default
53#         \fBsecp256r1\fR, also known as prime256v1).  Curves other
54#         than \fBsecp256r1\fR, \fBsecp384r1\fR or \fBsecp521r1\fR
55#         are unlikely to be widely interoperable.  When generating
56#         EC keys, use one of these three.  DSA keys are obsolete and
57#         are not supported.
58# .sp
59#         Note: ECDSA support requires OpenSSL 1.0.0 or later and may
60#         not be available on your system.  Not all client systems
61#         will support ECDSA, so you'll generally want to deploy both
62#         RSA and ECDSA certificates to make use of ECDSA with
63#         compatible clients and RSA with the rest. If you want to
64#         deploy certificate chains with intermediate CAs for both
65#         RSA and ECDSA, you'll want at least OpenSSL 1.0.2, as earlier
66#         versions may not handle multiple chain files correctly.
67# .sp
68#         The first \fIhostname\fR argument will be the \fBCommonName\fR
69#         of both the subject and issuer of the self-signed certificate.
70#         It, and any additional \fIhostname\fR arguments, will also
71#         be listed as DNS alternative names in the certificate.  If
72#         no \fIhostname\fR is provided the value of the \fBmyhostname\fR
73#         main.cf parameter will be used.
74# .sp
75#         For RSA, the generated private key and certificate files
76#         are named \fBkey-\fIyyyymmdd-hhmmss\fB.pem\fR and
77#         \fBcert-\fIyyyymmdd-hhmmss\fB.pem\fR, where \fIyyyymmdd\fR
78#         is the calendar date and \fIhhmmss\fR is the time of day
79#         in UTC.  For ECDSA, the file names start with \fBeckey-\fR
80#         and \fBeccert-\fR instead of \fBkey-\fR and \fBcert-\fR
81#         respectively.
82# .sp
83#         Before deploying the new key and certificate with DANE,
84#         update the DNS with new DANE TLSA records, then wait for
85#         secondary nameservers to update and then for stale records
86#         in remote DNS caches to expire.
87# .sp
88#         Before deploying a new CA certificate make sure to include
89#         all the required intermediate issuing CA certificates in
90#         the certificate chain file.  The server certificate must
91#         be the first certificate in the chain file.  Overwrite and
92#         deploy the file with the original self-signed certificate
93#         that was generated together with the key.
94# .IP "\fBnew-server-cert\fR [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB...\fR]"
95#         This is just like \fBnew-server-key\fR except that, rather
96#         than generating a new private key, any currently deployed
97#         private key is copied to the new key file.  Thus if you're
98#         publishing DANE TLSA "3 1 1" or "3 1 2" records, there is
99#         no need to update DNS records.  The \fIalgorithm\fR and
100#         \fIbits\fR arguments are used only if no key of the same
101#         algorithm is already configured.
102# .sp
103#         This command is rarely needed, because the self-signed
104#         certificates generated have a 100-year nominal expiration
105#         time.  The underlying public key algorithms may well be
106#         obsoleted by quantum computers long before then.
107# .sp
108#         The most plausible reason for using this command is when
109#         the system hostname changes, and you'd like the name in the
110#         certificate to match the new hostname (not required for
111#         DANE "3 1 1", but some needlessly picky non-DANE opportunistic
112#         TLS clients may log warnings or even refuse to communicate).
113# .IP "\fBdeploy-server-cert \fIcertfile\fB \fIkeyfile\fR"
114#         This subcommand deploys the certificates in \fIcertfile\fR
115#         and private key in \fIkeyfile\fR (which are typically
116#         generated by the commands above, which will also log and
117#         display the full command needed to deploy the generated key
118#         and certificate).  After the new certificate and key are
119#         deployed any obsolete keys and certificates may be removed
120#         by hand.   The \fIkeyfile\fR and \fIcertfile\fR filenames
121#         may be relative to the Postfix configuration directory.
122# .IP "\fBoutput-server-csr\fR [\fB-k \fIkeyfile\fR] [\fIhostname\fB...\fR]"
123#         Write to stdout a certificate signing request (CSR) for the
124#         specified \fIkeyfile\fR.
125# .sp
126#         Instead of an absolute pathname or a pathname relative to
127#         $config_directory, \fIkeyfile\fR may specify one of the
128#         supported key algorithm names (see "\fBpostconf -T
129#         public-key-algorithms\fR"). In that case, the corresponding
130#         setting from main.cf is used to locate the \fIkeyfile\fR.
131#         The default \fIkeyfile\fR value is \fBrsa\fR.
132# .sp
133#         Zero or more \fIhostname\fR values can be specified.  The
134#         default \fIhostname\fR is the value of \fBmyhostname\fR
135#         main.cf parameter.
136# .IP "\fBoutput-server-tlsa\fR [\fB-h \fIhostname\fR] [\fIkeyfile\fB...\fR]"
137#         Write to stdout a DANE TLSA RRset suitable for a port 25
138#         SMTP server on host \fIhostname\fR with keys from any of
139#         the specified \fIkeyfile\fR values.  The default \fIhostname\fR
140#         is the value of the \fBmyhostname\fR main.cf parameter.
141# .sp
142#         Instead of absolute pathnames or pathnames relative to
143#         $config_directory, the \fIkeyfile\fR list may specify
144#         names of supported public key algorithms (see "\fBpostconf
145#         -T public-key-algorithms\fR").  In that case, the actual
146#         \fIkeyfile\fR list uses the values of the corresponding
147#         Postfix server TLS key file parameters.  If a parameter
148#         value is empty or equal to \fBnone\fR, then no TLSA record
149#         is output for that algorithm.
150# .sp
151#         The default \fIkeyfile\fR list consists of the two supported
152#         algorithms \fBrsa\fR and \fBecdsa\fR.
153# AUXILIARY COMMANDS
154# .IP "\fBall-default-client\fR"
155#         Exit with status 0 (success) if all SMTP client TLS settings are
156#         at their default values.  Otherwise, exit with a non-zero status.
157#         This is typically used as follows:
158# .sp
159#         \fBpostfix tls all-default-client &&
160#                   postfix tls enable-client\fR
161# .IP "\fBall-default-server\fR"
162#         Exit with status 0 (success) if all SMTP server TLS settings are
163#         at their default values.  Otherwise, exit with a non-zero status.
164#         This is typically used as follows:
165# .sp
166#         \fBpostfix tls all-default-server &&
167#                   postfix tls enable-server\fR
168# CONFIGURATION PARAMETERS
169# .ad
170# .fi
171#         The "\fBpostfix tls \fIsubcommand\fR" feature reads
172#         or updates the following configuration parameters.
173# .IP "\fBcommand_directory (see 'postconf -d' output)\fR"
174#         The location of all postfix administrative commands.
175# .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
176#         The default location of the Postfix main.cf and master.cf
177#         configuration files.
178# .IP "\fBopenssl_path (openssl)\fR"
179#         The location of the OpenSSL command line program \fBopenssl\fR(1).
180# .IP "\fBsmtp_tls_loglevel (0)\fR"
181#         Enable additional Postfix SMTP client logging of TLS activity.
182# .IP "\fBsmtp_tls_security_level (empty)\fR"
183#         The default SMTP TLS security level for the Postfix SMTP client.
184# .IP "\fBsmtp_tls_session_cache_database (empty)\fR"
185#         Name of the file containing the optional Postfix SMTP client
186#         TLS session cache.
187# .IP "\fBsmtpd_tls_cert_file (empty)\fR"
188#         File with the Postfix SMTP server RSA certificate in PEM format.
189# .IP "\fBsmtpd_tls_eccert_file (empty)\fR"
190#         File with the Postfix SMTP server ECDSA certificate in PEM format.
191# .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR"
192#         File with the Postfix SMTP server ECDSA private key in PEM format.
193# .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR"
194#         File with the Postfix SMTP server RSA private key in PEM format.
195# .IP "\fBsmtpd_tls_loglevel (0)\fR"
196#         Enable additional Postfix SMTP server logging of TLS activity.
197# .IP "\fBsmtpd_tls_received_header (no)\fR"
198#         Request that the Postfix SMTP server produces Received:  message
199#         headers that include information about the protocol and cipher used,
200#         as well as the remote SMTP client CommonName and client certificate issuer
201#         CommonName.
202# .IP "\fBsmtpd_tls_security_level (empty)\fR"
203#         The SMTP TLS security level for the Postfix SMTP server; when
204#         a non-empty value is specified, this overrides the obsolete parameters
205#         smtpd_use_tls and smtpd_enforce_tls.
206# .IP "\fBtls_random_source (see 'postconf -d' output)\fR"
207#         The external entropy source for the in-memory \fBtlsmgr\fR(8) pseudo
208#         random number generator (PRNG) pool.
209# SEE ALSO
210#         master(8) Postfix master program
211#         postfix(1) Postfix administrative interface
212# README FILES
213# .ad
214# .fi
215#         Use "\fBpostconf readme_directory\fR" or
216#         "\fBpostconf html_directory\fR" to locate this information.
217# .na
218# .nf
219#         TLS_README, Postfix TLS configuration and operation
220# LICENSE
221# .ad
222# .fi
223#         The Secure Mailer license must be distributed with this software.
224# HISTORY
225#         The "\fBpostfix tls\fR" command was introduced with Postfix
226#         version 3.1.
227# AUTHOR(S)
228#         Viktor Dukhovni
229#--
230
231RSA_BITS=2048                 # default
232EC_CURVE=secp256r1  # default
233
234case $daemon_directory in
235"") echo This script must be run by the postfix command. 1>&2
236    echo Do not run directly. 1>&2
237    exit 1;;
238esac
239
240umask 022
241SHELL=/bin/sh
242
243postconf=$command_directory/postconf
244LOGGER="$command_directory/postlog -t $MAIL_LOGTAG/postfix-tls-script"
245INFO="$LOGGER -p info"
246WARN="$LOGGER -p warn"
247ERROR="$LOGGER -p error"
248FATAL="$LOGGER -p fatal"
249
250# Overwrite SMTP client and server settings only when these are at defaults.
251client_settings="
252    smtp_use_tls
253    smtp_enforce_tls
254    smtp_tls_enforce_peername
255    smtp_tls_security_level
256    smtp_tls_cert_file
257    smtp_tls_dcert_file
258    smtp_tls_eccert_file
259"
260
261server_settings="
262    smtpd_use_tls
263    smtpd_enforce_tls
264    smtpd_tls_security_level
265    smtpd_tls_cert_file
266    smtpd_tls_dcert_file
267    smtpd_tls_eccert_file
268"
269
270#
271# Can't do much without these in place.
272#
273cd $command_directory || {
274    # Let's hope there's a "postlog" somewhere else on the PATH
275    FATAL="postlog -p fatal -t $MAIL_LOGTAG/postfix-tls-script"
276    msg="no Postfix command directory '${command_directory}'"
277    $FATAL "$msg" || { echo "$msg" >&2; sleep 1; }
278    exit 1
279}
280
281check_getopt() {
282    OPTIND=1
283    a=
284    b=
285    c=
286    set -- -a 1 -b 2 -c -- -pos
287    while getopts :a:b:c o
288    do
289          case $o in
290          a) a="${OPTARG}";;
291          b) b="${OPTARG}";;
292          c) c=3;;
293          *) return 1;;
294          esac
295    done
296    shift `expr ${OPTIND} - 1`
297    if [ "${a}" != "1" -o "${b}" != 2 -o "${c}" != 3 \
298           -o "${OPTIND}" -ne 7 -o "$1" != "-pos" ]; then
299          return 1
300    fi
301}
302
303check_getopt || {
304    $FATAL "/bin/sh does not implement a compatible 'getopts' built-in"
305    exit 1
306}
307
308# ----- BEGIN OpenSSL-specific -----
309
310# No need to set the location of the OpenSSL command in each Postfix instance,
311# the value from the default instance is used for all instances.
312#
313default_config_directory=`$postconf -dh config_directory`
314openssl=`$postconf -c $default_config_directory -xh openssl_path`
315"$openssl" version >/dev/null 2>&1 || {
316    $FATAL "No working openssl(1) command found with 'openssl_path = $openssl'"
317    exit 1
318}
319
320# ----- END OpenSSL-specific -----
321
322test -n "$config_directory" -a -d "$config_directory" || {
323    $FATAL no Postfix configuration directory $config_directory!
324    exit 1
325}
326
327# Do we support TLS and if so which algorithms?
328#
329$postconf -T compile-version | grep . >/dev/null || {
330    mail_version=`$postconf -dh mail_version`
331    $FATAL "Postfix $mail_version is not compiled with TLS support"
332    exit 1
333}
334rsa=
335ecdsa=
336for _algo in `$postconf -T public-key-algorithms | grep -E '^(rsa|ecdsa)$'`
337do
338    eval $_algo=$_algo
339done
340
341# ----- BEGIN OpenSSL-specific -----
342
343if [ -n "${ecdsa}" ]; then
344    $openssl ecparam -name secp256r1 >/dev/null 2>&1 || {
345          cat <<-EOM | $WARN
346          Postfix supports ECDSA, but the $openssl command does not. Consider
347          setting the openssl_path parameter to a more capable version of the
348          command-line utility than $openssl (with PATH=$PATH).
349          EOM
350          ecdsa=
351    }
352fi
353if [ -n "${rsa}" ]; then
354   DEFALG=rsa
355elif [ -n "${ecdsa}" ]; then
356   DEFALG=ecdsa
357else
358    mail_version=`$postconf -dh mail_version`
359    $FATAL "Postfix $mail_version does not support either RSA or ECDSA"
360    exit 1
361fi
362
363# Make sure stdin is open when testing
364if [ -r /dev/stdin ] < /dev/null; then
365    stdin=/dev/stdin
366elif [ -r /dev/fd/0 ] </dev/null; then
367    stdin=/dev/fd/0
368else
369    $FATAL No /dev/fd/0 or /dev/stdin found
370    exit 1
371fi
372
373hex_sha256() {
374    $openssl dgst -binary -sha256 | od -An -vtx1 | tr -d ' \012'
375}
376
377# We require SHA2-256 support from openssl(1)
378#
379null256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
380tmp=`hex_sha256 </dev/null 2>/dev/null`
381if [ "${tmp}" != "${null256}" ]; then
382    cat <<EOF >&2
383Your $openssl does not support the SHA2-256 digest algorithm. To enable
384'postfix tls', install an OpenSSL that does. Install its openssl(1) command
385at /usr/local/bin/openssl or other suitable location, and set the
386'openssl_path' parameter in $default_config_directory/main.cf accordingly.
387EOF
388    $FATAL "No 'postfix tls' support when openssl(1) is obsolete"
389    exit 1
390fi
391
392read_key() {
393    [ -n "$1" -a -f "$1" ] || return 1
394
395    # Old OpenSSL versions return success even for unsupported sub-commands!
396    # So we inspect the output instead.  Don't prompt if the key is password
397    # protected.
398    #
399    while read cmd key_algo key_param cert_param; do
400          $openssl $cmd -passin "pass:umask 077" -in "$1" |
401              grep . && return 0
402    done 2>/dev/null <<-EOF
403          rsa rsa smtpd_tls_key_file smtpd_tls_cert_file
404          ec ecdsa smtpd_tls_eckey_file smtpd_tls_eccert_file
405          EOF
406    return 1
407}
408
409pubkey_dgst() {
410    [ -n "$1" -a -f "$1" ] || return 1
411
412    # Old OpenSSL versions return success even for unsupported sub-commands!
413    # So we inspect the output instead.
414    #
415    for cmd in ec rsa; do
416          $openssl $cmd -passin "pass:umask 077" -in "$1" -pubout |
417          $openssl $cmd -pubin -outform DER |
418          hex_sha256 | grep -E -v "${null256}" && return 0
419    done 2>/dev/null
420    return 1
421}
422
423cert_pubkey_dgst() {
424    [ -n "$1" -a -f "$1" ] || return 1
425
426    # Old OpenSSL versions return success even for unsupported sub-commands!
427    # So we inspect the output instead.
428    #
429    for cmd in ec rsa; do
430          $openssl x509 -pubkey -noout -in "$1" |
431          $openssl $cmd -pubin -outform DER |
432          hex_sha256 | grep -E -v "${null256}" && return 0
433    done 2>/dev/null
434    return 1
435}
436
437copy_key() {
438    _algo=$1; shift
439    _bits=$1; shift
440    _fold=$1; shift
441    _fnew=$1; shift
442    _umask=`umask`
443
444    umask 077
445    read_key "${_fold}" > "${_fnew}"    # sets key_algo of current key
446    _ret=$?
447    umask "${_umask}"
448
449    if [ "${_ret}" -ne 0 ]; then
450          $FATAL "Error copying private key from '${_fold}' to '${_fnew}'"
451          return 1
452    fi
453    if [ "${key_algo}" != "${_algo}" ]; then
454          $FATAL "Key algorithm '$key_algo' of '${_fold}' is not '${_algo}'"
455          return 1
456    fi
457    # XXX: We'd need C-code in postconf to portably check for compatible "bits"
458}
459
460create_key() {
461    _algo=$1
462    _bits=$2
463    _fnew=$3
464    _umask=`umask`
465
466    case $_algo in
467        "") $FATAL "Internal error: empty algorithm"; return 1;;
468      $rsa) set -- "${openssl}" genrsa -out "${_fnew}" "${_bits}";;
469    $ecdsa) set -- "${openssl}" ecparam -param_enc named_curve -genkey \
470                    -out "${_fnew}" -name "${_bits}";;
471           *) $FATAL "Internal error: bad algorithm '${_algo}'"
472              return 1;;
473    esac
474
475    umask 077
476    _err=`"$@" 2>&1`
477    _ret=$?
478    umask "${_umask}"
479
480    if [ "${_ret}" -ne 0 ]; then
481          echo "${_err}" | $WARN
482          $FATAL "error generating new ${_algo} ${_bits} private key"
483          return 1
484    fi
485}
486
487create_cert() {
488    _k=$1; shift
489    _c=$1; shift
490    set_fqdn "$1"
491    if [ $# -gt 0 ]; then shift; fi
492    set -- "$fqdn" "$@"
493
494    if [ -r "${_c}" ]; then
495          $FATAL "New certificate file already exists: ${_c}"
496          return 1
497    fi
498
499    # Generate a new self-signed (~100 year) certificate
500    #
501    (
502          echo "default_md = sha256"
503          echo "x509_extensions = v3"
504          echo "prompt = yes"
505          echo "distinguished_name = dn"
506          echo "[dn]"
507          echo "[v3]"
508          echo "basicConstraints = CA:false"
509          echo "subjectKeyIdentifier = hash"
510          echo "extendedKeyUsage = serverAuth, clientAuth"
511          echo "subjectAltName = @alts"
512          echo "[alts]"
513          i=1; for dns in "$@"; do
514              # XXX map empty to $myhostname
515              echo "DNS.$i = $dns"
516              i=`expr $i + 1`
517          done
518    ) | $openssl req -x509 -config $stdin -new -key "${_k}" \
519              -subj "/CN=$fqdn" -days 36525 -out "${_c}" || {
520          rm -f "${_c}" "${_k}"
521          $FATAL "error generating self-signed SSL certificate"
522          return 1
523    }
524}
525
526output_server_csr() {
527    set_keyfile "$1" || return 1
528    shift
529    set_fqdn "$1" || return 1
530    shift
531    set -- "$fqdn" "$@"
532    (
533          echo "default_md = sha256"
534          echo "req_extensions = v3"
535          echo "prompt = yes"
536          echo "distinguished_name = dn"
537          echo "[dn]"
538          echo "[v3]"
539          echo "subjectKeyIdentifier = hash"
540          echo "extendedKeyUsage = serverAuth, clientAuth"
541          echo "subjectAltName = @alts"
542          echo "[alts]"
543          i=1; for dns in "$@"; do
544              echo "DNS.$i = $dns"
545              i=`expr $i + 1`
546          done
547    ) | $openssl req -config $stdin -new -key "$keyfile" -subj /
548}
549
550# ----- END OpenSSL-specific -----
551
552info_enable_client() {
553          cat <<-EOM
554          *** Non-default SMTP client TLS settings detected, no changes made.
555          For opportunistic TLS in the Postfix SMTP client, the below settings
556          are typical:
557            smtp_tls_security_level = may
558            smtp_tls_loglevel = 1
559          EOM
560          if get_cache_db_type dbtype
561          then
562              echo "  smtp_tls_session_cache_database = ${dbtype}:\${data_directory}/smtp_scache"
563          fi
564}
565
566info_client_deployed() {
567          cat <<-EOM
568          Enabled opportunistic TLS in the Postfix SMTP client.
569          Run the command:
570            # postfix reload
571          if you want the new settings to take effect immediately.
572          EOM
573}
574
575info_enable_server() {
576          cat <<-EOM
577          *** Non-default SMTP server TLS settings detected, no changes made.
578          For opportunistic TLS in the Postfix SMTP server, the below settings
579          are typical:
580            smtpd_tls_security_level = may
581            smtpd_tls_loglevel = 1
582          You can use "postfix tls new-server-cert" to create a new certificate.
583          Or, "postfix tls new-server-key" to also force a new private key.
584          If you publish DANE TLSA records, see:
585            https://tools.ietf.org/html/rfc7671#section-8
586            https://tools.ietf.org/html/rfc7671#section-5.1
587            https://tools.ietf.org/html/rfc7671#section-5.2
588            https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
589          EOM
590}
591
592# args: certfile keyfile deploy
593info_created() {
594          cat <<-EOM
595          New private key and self-signed certificate created. To deploy run:
596            # postfix tls deploy-server-cert $1 $2
597          EOM
598}
599
600# args: certfile keyfile deploy
601info_server_deployed() {
602          if [ "$3" = "enable" ]; then
603              echo "Enabled opportunistic TLS in the Postfix SMTP server"
604          fi
605          cat <<-EOM
606          New TLS private key and certificate deployed.
607          Run the command:
608            # postfix reload
609          if you want the new settings to take effect immediately.
610          EOM
611}
612
613# args: certfile keyfile deploy
614info_csr() {
615          cat <<-EOM
616          To generate a CSR run:
617            # postfix tls output-server-csr -k $2 [<hostname> ...]
618          EOM
619          if [ -z "$3" ]; then
620              echo "Save the signed certificate chain in $1, and deploy as above."
621          else
622              echo "Save the signed certificate chain in $1."
623          fi
624}
625
626# args: certfile keyfile deploy
627info_tlsa() {
628          # If already deployed, info for how to show all the deployed keys.
629          # Otherwise, just the new keys, so that TLSA records can be updated
630          # first.
631          if [ -n "$3" ]; then shift $#; fi
632          cat <<-EOM
633          To generate TLSA records run:
634            # postfix tls output-server-tlsa [-h <hostname>] $2
635          EOM
636}
637
638# args: certfile keyfile deploy
639info_dane_dns() {
640          # If already deployed, too late to wait, otherwise advise updating TLSA
641          # RRs before deployment.
642          if [ -n "$3" ]; then
643              cat <<-EOM
644          (If you have DANE TLSA RRs, update them as soon as possible to match
645          the newly deployed keys).
646          EOM
647          else
648              cat <<-EOM
649          (deploy after updating the DNS and waiting for stale RRs to expire).
650          EOM
651          fi
652}
653
654set_fqdn() {
655    if [ -n "$1" ]; then fqdn=$1; return 0; fi
656    fqdn=`$postconf -xh myhostname` || return 1
657    case $fqdn in /*) fqdn=`cat "${fqdn}"` || return 1;; esac
658}
659
660set_keyfile() {
661    keyfile=$1
662    case $keyfile in
663       rsa) if [ -n "${rsa}" ]; then
664                    keyfile=`$postconf -nxh smtpd_tls_key_file`
665              else
666                    keyfile=
667              fi
668              ;;
669     ecdsa) if [ -n "${ecdsa}" ]; then
670                    keyfile=`$postconf -nxh smtpd_tls_eckey_file`
671              else
672                    keyfile=
673              fi
674              ;;
675        "") : empty ok;;
676      none) : see below;;
677        /*) ;;
678         *) # User-specified key pathnames are relative to the configuration
679              # directory
680              keyfile="${config_directory}/${keyfile}";;
681    esac
682    if [ "${keyfile}" = "none" ]; then keyfile= ; fi
683}
684
685check_key() {
686    read_key "$1" >/dev/null && return 0
687    $FATAL "no private key found in file: $1"
688    return 1
689}
690
691# Create new key or copy existing if specified.
692#
693ensure_key() {
694    _algo=$1; shift
695    _bits=$1; shift
696    stamp=`TZ=UTC date +%Y%m%d-%H%M%S`
697
698    case $_algo in
699          "") $FATAL "Internal error: empty algorithm "; return 1;;
700      $rsa) keyfile="${config_directory}/key-${stamp}.pem"
701              certfile="${config_directory}/cert-${stamp}.pem";;
702    $ecdsa) keyfile="${config_directory}/eckey-${stamp}.pem"
703              certfile="${config_directory}/eccert-${stamp}.pem";;
704           *) $FATAL "Internal error: bad algorithm '${_algo}'"
705              return 1;;
706    esac
707
708    if [ -r "${keyfile}" ]; then
709          $FATAL "New private key file already exists: ${keyfile}"
710          return 1
711    fi
712    if [ -r "${certfile}" ]; then
713          $FATAL "New certificate file already exists: ${certfile}"
714          return 1
715    fi
716
717    if [ -n "$1" ]; then
718          copy_key "${_algo}" "${_bits}" "$1" "${keyfile}" && return 0
719    else
720          create_key "${_algo}" "${_bits}" "${keyfile}" && return 0
721    fi
722    rm -f "${keyfile}"
723    return 1
724}
725
726init_random_source() {
727    tls_random_source=$1
728
729    if [ -z "${tls_random_source}" ]; then
730          tls_random_source=`$postconf -xh tls_random_source`
731    fi
732    if [ -n "${tls_random_source}" ]; then
733          return 0
734    fi
735    if [ -r /dev/urandom ]
736    then
737          tls_random_source=dev:/dev/urandom
738    else
739          $FATAL no default TLS random source defined and no /dev/urandom
740          return 1
741    fi
742}
743
744# Don't be too clever by half.
745all_default() {
746    for var in "$@"
747    do
748          val=`$postconf -nh "${var}"`
749          if [ -n "$val" ]; then return 1; fi
750    done
751    return 0
752}
753
754# Select read-write database type for TLS session caches.
755#
756get_cache_db_type() {
757    var=$1; shift
758    prio=0
759    ret=1
760    for _dbtype in `$postconf -m`
761    do
762          _prio=0
763          case $_dbtype in
764           lmdb) _prio=2;;
765          btree) _prio=1;;
766          esac
767          if [ "$_prio" -gt "$prio" ]
768          then
769              eval "$var=\$_dbtype"
770              prio=$_prio
771              ret=0
772          fi
773    done
774    return $ret
775}
776
777deploy_server_cert() {
778    certfile=$1; shift
779    keyfile=$1; shift
780    case $# in 0) deploy=;; *) deploy=$1; shift;; esac
781
782    # Sets key_algo, key_param and cert_param
783    check_key "$keyfile" || return 1
784
785    cd=`cert_pubkey_dgst "${certfile}"` || {
786          $FATAL "error computing certificate public key digest"
787          return 1
788    }
789    kd=`pubkey_dgst "$keyfile"` || {
790          $FATAL "error computing public key digest"
791          return 1
792    }
793
794    if [ "$cd" != "$kd" ]; then
795          $FATAL "Certificate in ${certfile} does not match key in ${keyfile}"
796          return 1
797    fi
798
799    set -- \
800          "${key_param} = ${keyfile}" \
801          "${cert_param} = ${certfile}"
802
803    if [ "${deploy}" = "enable" ]; then
804          set -- "$@" \
805              "smtpd_tls_security_level = may" \
806              "smtpd_tls_received_header = yes" \
807              "smtpd_tls_loglevel = 1"
808    fi
809
810    if [ -n "${tls_random_source}" ]; then
811          set -- "$@" "tls_random_source = ${tls_random_source}"
812    fi
813
814    # All in one shot, since postconf delays modifying "hot" main.cf files.
815    $postconf -e "$@" || return 1
816}
817
818# Prepare a new cert and perhaps re-use any existing private key.
819#
820new_server_cert() {
821    algo=$1; shift
822    bits=$1; shift
823    oldkey=$1; shift
824    deploy=$1; shift
825
826    # resets keyfile (copy or else new) and new certfile
827    ensure_key "$algo" "$bits" "${oldkey}" || return 1
828    create_cert "${keyfile}" "${certfile}" "$@" || return 1
829    if [ -n "${deploy}" ]; then
830          deploy_server_cert "${certfile}" "${keyfile}" "${deploy}" || return 1
831    fi
832
833    (
834          if [ -z "${deploy}" ]; then
835              info_created "${certfile}" "${keyfile}" "${deploy}"
836          else
837              info_server_deployed "${certfile}" "${keyfile}" "${deploy}"
838          fi
839          info_csr "${certfile}" "${keyfile}" "${deploy}"
840          info_tlsa "${certfile}" "${keyfile}" "${deploy}"
841          if [ -z "${oldkey}" ]; then
842              info_dane_dns "${certfile}" "${keyfile}" "${deploy}"
843          fi
844    ) | $INFO
845}
846
847enable_client() {
848    if all_default ${client_settings}
849    then
850          set -- \
851              "smtp_tls_security_level = may" \
852              "smtp_tls_loglevel = 1"
853
854          if get_cache_db_type dbtype
855          then
856              set -- "$@" \
857                    "smtp_tls_session_cache_database = ${dbtype}:${data_directory}/smtp_scache"
858          fi
859
860          if [ -n "${tls_random_source}" ]; then
861              set -- "$@" "tls_random_source = ${tls_random_source}"
862          fi
863
864          # All in one shot, since postconf delays modifying "hot" main.cf files.
865          $postconf -e "$@" || return 1
866          info_client_deployed
867    else
868          info_enable_client
869    fi | $INFO
870}
871
872enable_server() {
873    algo=$1; shift
874    bits=$1; shift
875
876    if all_default ${server_settings}
877    then
878          # algo bits keyfile deploy [hostnames ...]
879          new_server_cert "${algo}" "${bits}" "" "enable" "$@" || return 1
880    else
881          info_enable_server | $INFO
882    fi
883}
884
885output_server_tlsa() {
886    hostname=$1
887    check_key "$2" || return 1
888    data=`pubkey_dgst "$2"` || return 1
889    if [ -z "$data" ]
890    then
891          $FATAL error computing SHA2-256 SPKI digest of "$key"
892          return 1
893    fi
894    echo "_25._tcp.$hostname. IN TLSA 3 1 1 $data"
895}
896
897#
898# Parse JCL
899#
900case $1 in
901enable-client)
902          cmd=$1; shift; OPTIND=1
903          rand=
904          while getopts :r: _opt
905          do
906              case $_opt in
907              r) rand="${OPTARG}";;
908              *) $FATAL "usage: postfix tls $cmd [-r devrandom]"
909                 exit 1;;
910              esac
911          done
912
913          # No positional arguments supported with enable-client
914          if [ $# -ge "${OPTIND}" ]; then
915              $FATAL "usage: postfix tls $cmd [-r devrandom]"
916              exit 1
917          fi
918          # But, shift anyway
919          shift `expr $OPTIND - 1`
920
921          init_random_source "${rand}" || exit 1
922          enable_client || exit 1
923          ;;
924
925enable-server)
926          cmd=$1; shift; OPTIND=1
927          algo=$DEFALG
928          bits=
929          rand=
930          while getopts :a:b:r: _opt
931          do
932              case $_opt in
933              a) algo="${OPTARG}";;
934              b) bits="${OPTARG}";;
935              r) rand="${OPTARG}";;
936              *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [-r devrandom] [hostname ...]"
937                 exit 1;;
938              esac
939          done
940
941          # Here positional arguments are hostnames for the new certificate, as
942          # many as the user wants
943          shift `expr $OPTIND - 1`
944
945          case $algo in
946              "") $FATAL "Internal error: empty algorithm "; return 1;;
947            $rsa) : ${bits:=${RSA_BITS}};;
948          $ecdsa) : ${bits:=${EC_CURVE}};;
949               *) $FATAL "Unsupported private key algorithm: $algo"
950                    exit 1;;
951          esac
952
953          init_random_source "${rand}" || exit 1
954          enable_server "${algo}" "${bits}" "$@" || exit 1
955          ;;
956
957new-server-key)
958          cmd=$1; shift; OPTIND=1
959          algo=$DEFALG
960          while getopts :a:b: _opt
961          do
962              case $_opt in
963              a) algo="${OPTARG}";;
964              b) bits="${OPTARG}";;
965              *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [hostname ...]"
966                 exit 1;;
967              esac
968          done
969
970          # Here positional arguments are hostnames for the new certificate, as
971          # many as the user wants
972          shift `expr $OPTIND - 1`
973
974          case $algo in
975              "") $FATAL "Internal error: empty algorithm "; return 1;;
976            $rsa) : ${bits:=${RSA_BITS}};;
977          $ecdsa) : ${bits:=${EC_CURVE}};;
978               *) $FATAL "Unsupported public key algorithm: $algo"
979                    exit 1;;
980          esac
981
982          # Force new key
983          new_server_cert "${algo}" "${bits}" "" "" "$@" || exit 1
984          ;;
985
986new-server-cert)
987          cmd=$1; shift; OPTIND=1
988          algo=$DEFALG
989          while getopts :a:b: _opt
990          do
991              case $_opt in
992              a) algo="${OPTARG}";;
993              b) bits="${OPTARG}";;
994              *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [hostname ...]"
995                 exit 1;;
996              esac
997          done
998
999          # Here positional arguments are hostnames for the new certificate, as
1000          # many as the user wants
1001          shift `expr $OPTIND - 1`
1002
1003          case $algo in
1004              "") $FATAL "Invalid empty key algorithm"; exit 1;;
1005            $rsa) : ${bits:=${RSA_BITS}};;
1006          $ecdsa) : ${bits:=${EC_CURVE}};;
1007               *) $FATAL "Unsupported private key algorithm: $algo"
1008                    exit 1;;
1009          esac
1010
1011          # Existing keyfile or empty
1012          set_keyfile "${algo}"
1013
1014          if [ -n "${keyfile}" -a ! -f "${keyfile}" ]; then
1015              echo "Key file: ${keyfile} not found, creating new keys" | $WARN
1016              keyfile=
1017          fi
1018
1019          # Try to re-use (copy) existing key.
1020          new_server_cert "${algo}" "${bits}" "${keyfile}" "" "$@" || exit 1
1021          ;;
1022
1023deploy-server-cert)
1024          if [ $# -ne 3 ]; then
1025              $FATAL "usage: postfix tls $1 certfile keyfile"
1026              exit 1
1027          fi
1028          shift
1029
1030          # User-specified key and cert pathnames are relative to the
1031          # configuration directory
1032          #
1033          case "${1}" in
1034          /*) certfile="${1}" ;;
1035           *) certfile="${config_directory}/${1}" ;;
1036          esac
1037          case "${2}" in
1038          /*) keyfile="${2}" ;;
1039           *) keyfile="${config_directory}/${2}" ;;
1040          esac
1041
1042          deploy_server_cert "${certfile}" "${keyfile}" || exit 1
1043          info_server_deployed "${certfile}" "${keyfile}" "deploy" | $INFO
1044          ;;
1045
1046output-server-csr)
1047          cmd=$1; shift; OPTIND=1
1048          k=
1049          while getopts :k: _opt
1050          do
1051              case $_opt in
1052              k) k="${OPTARG}";;
1053              *) $FATAL "usage: postfix tls $cmd [-k keyfile] [hostname ...]"
1054                 exit 1;;
1055              esac
1056          done
1057
1058          # Here positional arguments are hostnames for the new certificate, as
1059          # many as the user wants
1060          shift `expr $OPTIND - 1`
1061
1062          if [ -n "${k}" ]; then
1063              set_keyfile "${k}"
1064          else
1065              for _algo in $rsa $ecdsa
1066              do
1067                    set_keyfile "${_algo}"
1068                    if [ -n "${keyfile}" ]; then
1069                        break
1070                    fi
1071              done
1072          fi
1073
1074          if [ -z "${keyfile}" -o ! -r "${keyfile}" ]; then
1075              $FATAL "No usable keyfile specified or configured"
1076              exit 1
1077          fi
1078
1079          # Default <hostname> from $myhostname
1080          if [ $# -eq 0 ]; then
1081              set_fqdn
1082              set -- "$fqdn"
1083          fi
1084
1085          # Output a CSR for the requested names
1086          output_server_csr "$keyfile" "$@" || exit 1
1087          ;;
1088
1089output-server-tlsa)
1090          cmd=$1; shift; OPTIND=1
1091          hostname=
1092          while getopts :h: _opt
1093          do
1094              case $_opt in
1095              h) hostname="${OPTARG}";;
1096              *) $FATAL "usage: postfix tls $cmd [-h hostname] [keyfile ...]"
1097                 exit 1;;
1098              esac
1099          done
1100          set_fqdn "${hostname}"
1101
1102          # Here positional arguments are keyfiles for which we output "3 1 1"
1103          # TLSA RRs, as many keyfiles as the user wants.  By default the live
1104          # RSA and/or ECDSA keys.
1105          shift `expr $OPTIND - 1`
1106
1107          if [ $# -eq 0 ]; then set -- $rsa $ecdsa; fi
1108
1109          found=
1110          for _k in "$@"
1111          do
1112              set_keyfile "${_k}"
1113              if [ -z "${keyfile}" ]; then continue; fi
1114              echo "; ${keyfile}"
1115              output_server_tlsa "${fqdn}" "${keyfile}" || exit 1
1116              found=1
1117          done
1118          if [ -z "${found}" ]; then
1119              $FATAL "No usable keyfiles specified or configured"
1120              exit 1
1121          fi
1122          ;;
1123
1124all-default-client)
1125          cmd=$1; shift; OPTIND=1
1126
1127          # No arguments for all-default-client
1128          if [ $# -ge "${OPTIND}" ]; then
1129              $FATAL "usage: postfix tls $cmd"
1130              exit 1
1131          fi
1132
1133          all_default ${client_settings} || exit 1
1134          ;;
1135
1136all-default-server)
1137          cmd=$1; shift; OPTIND=1
1138
1139          # No arguments for all-default-server
1140          if [ $# -ge "${OPTIND}" ]; then
1141              $FATAL "usage: postfix tls $cmd"
1142              exit 1
1143          fi
1144
1145          all_default ${server_settings} || exit 1
1146          ;;
1147
1148*)
1149          $ERROR "unknown tls command: '$1'"
1150          $FATAL "usage: postfix tls enable-client (or enable-server, new-server-key, new-server-cert, deploy-server-cert, output-server-csr, output-server-tlsa, all-default-client, all-default-server)"
1151          exit 1
1152          ;;
1153
1154esac
1155