Add tls to exim config

c068d9ca · Bob Mottram · 915c1ac9 · c068d9ca · c068d9ca
Commit c068d9ca authored 6 years ago by Bob Mottram
--- a/src/freedombone-base-email
+++ b/src/freedombone-base-email
@@ -1760,6 +1760,61 @@ function populate_keyservers {
    done
 }

+function exim_enable_tls {
+    read_config_param ONION_ONLY
+
+    # TLS only applies on the clearnet
+    if [[ "$ONION_ONLY" != 'no' ]]; then
+        return
+    fi
+
+    # don't conflict with web UI
+    if [[ "$(hostname)" == *'.local' ]]; then
+        return
+    fi
+
+    # check that cert exists
+    if [ ! -f "/etc/letsencrypt/live/$(hostname)/fullchain.pem" ]; then
+        # try to create a letsencrypt cert
+        if [ ! -d "/var/www/$(hostname)/htdocs" ]; then
+            mkdir "/var/www/$(hostname)/htdocs"
+        fi
+        DH_KEYLENGTH=2048
+        LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
+        "${PROJECT_NAME}-addcert" -e "$(hostname)" -s "$LETSENCRYPT_SERVER" --dhkey "$DH_KEYLENGTH"
+        # does the cert exist ?
+        if [ ! -f "/etc/letsencrypt/live/$(hostname)/fullchain.pem" ]; then
+            return
+        fi
+    fi
+    if [ ! -f "/etc/letsencrypt/live/$(hostname)/privkey.pem" ]; then
+        return
+    fi
+
+    exim_tls_config_file=/etc/exim4/conf.d/main/03_exim4-config_tlsoptions
+
+    # enable TLS in exim
+    if ! grep -q "MAIN_TLS_ENABLE =" $exim_tls_config_file; then
+        sed -i '/.ifdef MAIN_TLS_ENABLE/i MAIN_TLS_ENABLE = yes' $exim_tls_config_file
+    else
+        sed -i 's|MAIN_TLS_ENABLE =.*|MAIN_TLS_ENABLE = yes|g' $exim_tls_config_file
+    fi
+
+    # add TLS private key in exim
+    if ! grep -q 'MAIN_TLS_PRIVATEKEY = /etc/letsencrypt' $exim_tls_config_file; then
+        sed -i "/MAIN_TLS_ENABLE =/a MAIN_TLS_PRIVATEKEY = /etc/letsencrypt/live/$(hostname)/privkey.pem" $exim_tls_config_file
+    else
+        sed -i "s|MAIN_TLS_PRIVATEKEY = /etc/letsencrypt.*|MAIN_TLS_PRIVATEKEY = /etc/letsencrypt/live/$(hostname)/privkey.pem|g" $exim_tls_config_file
+    fi
+
+    # add TLS public key in exim
+    if ! grep -q 'MAIN_TLS_CERTIFICATE = /etc/letsencrypt' $exim_tls_config_file; then
+        sed -i "/MAIN_TLS_ENABLE =/a MAIN_TLS_CERTIFICATE = /etc/letsencrypt/live/$(hostname)/fullchain.pem" $exim_tls_config_file
+    else
+        sed -i "s|MAIN_TLS_CERTIFICATE = /etc/letsencrypt.*|MAIN_TLS_CERTIFICATE = /etc/letsencrypt/live/$(hostname)/fullchain.pem|g" $exim_tls_config_file
+    fi
+}
+
 function install_email {
    if [[ $SYSTEM_TYPE == "mesh"* ]]; then
        return
@@ -1773,6 +1828,7 @@ function install_email {
    install_email_basic
    configure_email_onion
    prevent_mail_process_overrun
+    exim_enable_tls

    mark_completed "${FUNCNAME[0]}"
 }

--- a/src/freedombone-upgrade
+++ b/src/freedombone-upgrade
@@ -139,6 +139,7 @@ if [ -d "$PROJECT_DIR" ]; then
        #rebuild_exim_with_socks
        install_dynamicdns
        torrc_migrate
+        exim_enable_tls
        add_xmpp_onion_to_email
        nodejs_upgrade
        $INSTALL_PACKAGES_BACKPORTS certbot