Fix for issue where a signed cert and self signed cert can both exist #112
Conversation
When any cert exists, do not generate self signed cert or postfix will server both/either Comment out smtpd_tls_cecert or smtpd_tls_cert config if matching cert does not exist
|
|
|
Hello @nickwest , thank you very much for your improvement of the better compatible with CA settings! I'd like to merge this PR after it gets at least one approval from the community so that we can make sure it works as expected. P.S. add an unit test will be highly appreciated. Have a great day! |
|
Hi @huan, I added a couple unit tests as requested. They verify that when both EC and RSA certs are present they share the same CN, domains, and are either both self signed or both CA signed. This ensures that regardless of which certificate is used the result will be equal. The already present TLS tests will continue to verify that connections will work regardless of certificate matching and validity. Those tests also verify that having a single cert (the case prior to PR #51) is working properly. If @czocher is available they'd probably be a good reviewer/approver since this touches their work in PR #51 where EC certs were introduced. I also see that PR #36 could introduce custom paths for certs. The unit tests in my PR do not account for that currently and would need to be changed if that PR is merged. |
| if [[ -f /etc/postfix/cert/smtp.ec.cert && -f /etc/postfix/cert/smtp.cert ]]; then | ||
| ec_cert_subject=`openssl x509 -noout -subject -in /etc/postfix/cert/smtp.ec.cert` | ||
| rsa_cert_subject=`openssl x509 -noout -subject -in /etc/postfix/cert/smtp.cert` | ||
| ec_cert_cn=`perl -e 'print join "\n", @cn = $ARGV[0] =~ /(?<=CN\s=\s).*/g;' "$ec_cert_subject" | sort -` |
There was a problem hiding this comment.
I used perl here because busy-box grep doesn't include PCRE regex and I needed Lookaround constructors to extract the domains/CN
|
Hi @nickwest I'm available but I don't have access to any proper production environment at the moment to try to deploy and test it. I can have a look at the code though. |
init-openssl.shcreates both RSA and EC self-signed certificates. When using a properly signed certificate of only one type (RSA or EC) theinit-openssl.shscript will still generate the self-signed version of the other certificate type. This results in some requests to Postfix returning the self-signed cert rather than the signed cert.This pull requests modifies
init-openssl.shto prevent the generation of self-signed certificates if either type of certificate already exists. If a certificate does exist it also checks for missing certificates and then uses sed to comment out the appropriate smtpd_tls_cert_file/key lines in main.cf.When both or neither certificates are present it functions as it currently does.