fix(postfix): use system-supplied default CAs #394

hardware · Aug 14, 2019 · 0bf3d72 · 0bf3d72
1 parent c0c4038
commit 0bf3d72
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 14 deletions.
diff --git a/rootfs/etc/postfix/main.cf b/rootfs/etc/postfix/main.cf
@@ -58,7 +58,7 @@ default_destination_recipient_limit = 10
 smtp_tls_loglevel            = 1
 smtp_tls_security_level      = dane
 smtp_dns_support_level       = dnssec
-smtp_tls_CAfile              = {{ .CAFILE }}
+smtp_tls_CApath              = /etc/ssl/certs
 smtp_tls_protocols           = !TLSv1, !SSLv2, !SSLv3
 smtp_tls_mandatory_protocols = !TLSv1, !SSLv2, !SSLv3
 smtp_tls_mandatory_ciphers   = medium
@@ -73,7 +73,7 @@ smtpd_tls_protocols           = !TLSv1, !SSLv2, !SSLv3
 smtpd_tls_mandatory_protocols = !TLSv1, !SSLv2, !SSLv3
 smtpd_tls_mandatory_ciphers   = medium
 smtpd_tls_exclude_ciphers     = aNULL,eNULL,EXPORT,DES,3DES,RC2,RC4,MD5,PSK,SRP,DSS,AECDH,ADH,SEED
-smtpd_tls_CAfile              = $smtp_tls_CAfile
+smtpd_tls_CApath              = /etc/ssl/certs
 smtpd_tls_cert_file           = {{ .CERTFILE }}
 smtpd_tls_key_file            = {{ .KEYFILE }}
 smtpd_tls_dh1024_param_file   = /etc/postfix/ffdhe2048.pem

diff --git a/rootfs/usr/local/bin/certs_helper.sh b/rootfs/usr/local/bin/certs_helper.sh
@@ -146,13 +146,6 @@ elif [ "$1" = "update_certs" ]; then
   rm -rf "$LIVE_CERT_PATH/*"
   cp -RT "$NORMALIZED_CERT_PATH/." "$LIVE_CERT_PATH"
 
-  # Comment CAfile directives if Let's Encrypt CA is not used
-  if [ -f "$LIVE_CERT_PATH"/chain.pem ]; then
-    sed -i '/^#\(smtp_tls_CAfile\|smtpd_tls_CAfile\)/s/^#//' /etc/postfix/main.cf
-  else
-    sed -i '/^\(smtp_tls_CAfile\|smtpd_tls_CAfile\)/s/^/#/' /etc/postfix/main.cf
-  fi
-
 elif [ "$1" = "reload" ]; then
   echo "[INFO] Updating SSL certificates and reloading"
   if "$0" update_certs -n; then

diff --git a/rootfs/usr/local/bin/setup.sh b/rootfs/usr/local/bin/setup.sh
@@ -611,6 +611,10 @@ chmod +x /usr/local/bin/*
 chown -R vmail:vmail /var/mail/dkim
 chmod 444 /var/mail/dkim/*/{private.key,public.key}
 
+# Ensure that hashes are calculated because Postfix require directory
+# to be set up like this in order to find CA certificates.
+c_rehash /etc/ssl/certs &>/dev/null
+
 # S6 WATCHDOG
 # ---------------------------------------------------------------------------------------------
 

diff --git a/test/tests.bats b/test/tests.bats
@@ -1384,7 +1384,7 @@ load 'test_helper/bats-assert/load'
 }
 
 @test "checking ssl: let's encrypt cert works correctly" {
-  run docker exec mailserver_reverse /bin/sh -c "timeout 1 openssl s_client -ign_eof -connect 0.0.0.0:587 -starttls smtp | grep 'Verify return code: 10 (certificate has expired)'"
+  run docker exec mailserver_reverse /bin/sh -c "timeout 1 openssl s_client -ign_eof -connect 0.0.0.0:587 -starttls smtp | grep 'Verify return code: 21 (unable to verify the first certificate)'"
   assert_success
 }
 
@@ -1401,9 +1401,7 @@ load 'test_helper/bats-assert/load'
 @test "checking ssl: default configuration is correct" {
   run docker exec mailserver_default /bin/sh -c "grep '/ssl' /etc/postfix/main.cf | wc -l"
   assert_success
-  assert_output 3
-  run docker exec mailserver_default /bin/sh -c "grep '#smtp_tls_CAfile' /etc/postfix/main.cf"
-  assert_success
+  assert_output 4
   run docker exec mailserver_default /bin/sh -c "grep '/ssl' /etc/dovecot/conf.d/10-ssl.conf | wc -l"
   assert_success
   assert_output 2
@@ -1412,7 +1410,7 @@ load 'test_helper/bats-assert/load'
 @test "checking ssl: let's encrypt configuration is correct" {
   run docker exec mailserver_reverse /bin/sh -c "grep '/ssl' /etc/postfix/main.cf | wc -l"
   assert_success
-  assert_output 3
+  assert_output 4
   run docker exec mailserver_reverse /bin/sh -c "grep '/ssl' /etc/dovecot/conf.d/10-ssl.conf | wc -l"
   assert_success
   assert_output 2