From 91d34bc54eae6faa6b174b98d880098eeb89af85 Mon Sep 17 00:00:00 2001
From: Johan Smits
Date: Wed, 6 Sep 2017 23:41:23 +0200
Subject: [PATCH] Generate a new dhparams file if one_dir is set. (Resolves: #530)

This improves security because each installation has it own generated dhparams file. See ticket #530 for more details.
---
 target/start-mailserver.sh | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh
index 3881e1e4..ad4e3c5b 100644
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@@ -112,6 +112,7 @@ function register_functions() {
 _register_setup_function "_setup_security_stack"
 _register_setup_function "_setup_postfix_aliases"
 _register_setup_function "_setup_postfix_vhost"
+ _register_setup_function "_setup_postfix_dhparam"
 if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then
 _register_setup_function "_setup_postfix_relay_amazon_ses"
@@ -921,6 +922,25 @@ function _setup_postfix_relay_amazon_ses() {
 "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt"
 }
+function _setup_postfix_dhparam() {
+ notify 'task' 'Setting up Postfix dhparam'
+ if [ "$ONE_DIR" = 1 ];then
+ DHPARAMS_FILE=/var/mail-state/lib-postfix/dhparams.pem
+ if [ ! -f $DHPARAMS_FILE ]; then
+ notify 'inf' "Generate new dhparams for postfix"
+ mkdir -p $(dirname "$DHPARAMS_FILE")
+ openssl dhparam -out $DHPARAMS_FILE 2048
+ else
+ notify 'inf' "Use dhparams that was generated previously"
+ fi
+
+ # Copy from the state directpry to the working location
+ rm /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem
+ else
+ notify 'inf' "No state dir, we use the dhparams generated on image creation"
+ fi
+ }
+
 function _setup_security_stack() {
 notify 'task' "Setting up Security Stack"
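Review bot: The `[ ! -f $DHPARAMS_FILE ]` test in the new `_setup_postfix_dhparam` accepts any existing file as valid parameters and the exit status of `openssl dhparam -out ... 2048` is never checked, so a container stopped or killed during the (minutes-long) 2048-bit generation may leave an empty or truncated dhparams.pem in the persistent state dir that every later start silently reuses and installs for Postfix. Generating into a temporary name and renaming it only after openssl succeeds, and testing with `-s` instead of `-f`, closes that window. The copy step `rm /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem` also skips the copy without any message whenever the image file is absent, leaving Postfix without the per-installation parameters; `cp -f` does not depend on the old file being there. Quoting `$DHPARAMS_FILE` and the `$(dirname ...)` expansion would additionally let ShellCheck pass clean; whether a non-zero `return` is surfaced by the setup-function runner is not visible in this hunk and should be confirmed.
```shell
function _setup_postfix_dhparam() {
	notify 'task' 'Setting up Postfix dhparam'
	if [ "$ONE_DIR" = 1 ]; then
		DHPARAMS_FILE=/var/mail-state/lib-postfix/dhparams.pem
		# -s: an empty file left behind by an interrupted generation must not count as valid
		if [ ! -s "$DHPARAMS_FILE" ]; then
			notify 'inf' "Generate new dhparams for postfix"
			mkdir -p "$(dirname "$DHPARAMS_FILE")"
			# generate into a temp name and rename only on success, so a partial
			# file never becomes the persistent copy reused on the next start
			if openssl dhparam -out "$DHPARAMS_FILE.tmp" 2048; then
				mv -f "$DHPARAMS_FILE.tmp" "$DHPARAMS_FILE"
			else
				rm -f "$DHPARAMS_FILE.tmp"
				return 1
			fi
		else
			notify 'inf' "Use dhparams that was generated previously"
		fi

		# Copy from the state directory to the working location
		cp -f "$DHPARAMS_FILE" /etc/postfix/dhparams.pem
	# … unchanged: else branch for the no-state-dir case …
```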