add smtp_tls_security_level and smtp_tls_loglevel

GEANT · Sep 5, 2024 · 1ff6f24 · 1ff6f24
1 parent 8636516
commit 1ff6f24
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -175,6 +175,8 @@ From a networking perspective:
 | `ENABLE_SUBMISSION_PORT`           | Enable port 587. See [documentation link](https://www.postfix.org/postconf.5.html#service_name). |
 | `ENABLE_SMTPS_PORT`                | Enable legacy port 465. See [documentation link](https://www.postfix.org/postconf.5.html#service_name). |
 | `POSTFIX_SMTP_TLS_CHAIN_FILES`     | See [documentation link](http://www.postfix.org/postconf.5.html#smtp_tls_chain_files). |
+| `POSTFIX_SMTP_TLS_LOGLEVEL`       | See [documentation link](http://www.postfix.org/postconf.5.html#smtp_tls_loglevel). |
+| `POSTFIX_SMTP_TLS_SECURITY_LEVEL` | See [documentation link](http://www.postfix.org/postconf.5.html#smtp_tls_security_level). |
 | `POSTFIX_SMTPD_MILTERS`            | Any milters given here are applied after DKIM & ClamAV. See [documentation link](http://www.postfix.org/postconf.5.html#smtpd_milters). |
 | `POSTFIX_SMTPD_RECIPIENT_RESTRICTIONS_PERMIT_SASL_AUTHENTICATED` | Set to `true` to include `permit_sasl_authenticated` in `smtpd_recipient_restrictions`. See [documentation link](http://www.postfix.org/postconf.5.html#permit_sasl_authenticated). |
 | `POSTFIX_SMTPD_RECIPIENT_RESTRICTIONS_PERMIT_MYNETWORK` | Set to `true` to include `permit_mynetwork` in `smtpd_recipient_restrictions`. See [documentation link](https://www.postfix.org/postconf.5.html#permit_mynetworks). |

diff --git a/rootfs/etc/cont-init.d/10-postfix-generate-main.cf.sh b/rootfs/etc/cont-init.d/10-postfix-generate-main.cf.sh
@@ -85,6 +85,16 @@ CHECK_RECIPIENT_ACCESS=""
     echo "smtpd_tls_loglevel = ${POSTFIX_SMTPD_TLS_LOGLEVEL}"
   fi
 
+  # http://www.postfix.org/postconf.5.html#smtp_tls_security_level
+  if [ -n "${POSTFIX_SMTP_TLS_SECURITY_LEVEL}" ]; then
+    echo "smtp_tls_security_level = ${POSTFIX_SMTP_TLS_SECURITY_LEVEL}"
+  fi
+
+  # http://www.postfix.org/postconf.5.html#smtp_tls_loglevel
+  if [ -n "${POSTFIX_SMTP_TLS_LOGLEVEL}" ]; then
+    echo "smtp_tls_loglevel = ${POSTFIX_SMTP_TLS_LOGLEVEL}"
+  fi
+
   # http://www.postfix.org/postconf.5.html#smtp_tls_chain_files
   if [ -n "${POSTFIX_SMTP_TLS_CHAIN_FILES}" ]; then
     echo "smtp_tls_chain_files = ${POSTFIX_SMTP_TLS_CHAIN_FILES}"

diff --git a/rootfs/usr/local/bin/update_tls_policy b/rootfs/usr/local/bin/update_tls_policy
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# shellcheck shell=bash
+
+SMTP_TLS_POLICY_MAPS_HASH_FILE="/etc/postfix/smtp_tls_policy.hash"
+SMTP_TLS_POLICY_MAPS_HASH_FILE_LOCAL="/etc/postfix/tables/smtp_tls_policy.hash"
+
+# Remove existing transport.hash
+rm "${TRANSPORT_MAPS_HASH_FILE}" > /dev/null 2>&1
+touch "${TRANSPORT_MAPS_HASH_FILE}"
+
+# TODO: add fail2ban file
+
+{
+  # Import local entries into transport.hash
+  if [ -f "${TRANSPORT_MAPS_HASH_FILE_LOCAL}" ]; then
+    echo ""
+    echo "## Entries from ${TRANSPORT_MAPS_HASH_FILE_LOCAL}"
+    cat "${TRANSPORT_MAPS_HASH_FILE_LOCAL}"
+    echo ""
+  fi
+} > "${TRANSPORT_MAPS_HASH_FILE}"
+
+postmap "${TRANSPORT_MAPS_HASH_FILE}"
+
+# If postfix is running, update
+if postfix status > /dev/null 2>&1; then
+  postfix reload
+fi