From c068d9ca9c828e612aaa1c40cc00f9fd49065123 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Wed, 3 Oct 2018 10:48:36 +0100
Subject: [PATCH] Add tls to exim config

---
 src/freedombone-base-email | 56 ++++++++++++++++++++++++++++++++++++++
 src/freedombone-upgrade | 1 +
 2 files changed, 57 insertions(+)

diff --git a/src/freedombone-base-email b/src/freedombone-base-email
index ce43e4fa5..a102e39e5 100755
--- a/src/freedombone-base-email
+++ b/src/freedombone-base-email
@@ -1760,6 +1760,61 @@ function populate_keyservers {
 done
 }
 
+function exim_enable_tls {
+ read_config_param ONION_ONLY
+
+ # TLS only applies on the clearnet
+ if [[ "$ONION_ONLY" != 'no' ]]; then
+ return
+ fi
+
+ # don't conflict with web UI
+ if [[ "$(hostname)" == *'.local' ]]; then
+ return
+ fi
+
+ # check that cert exists
+ if [ ! -f "/etc/letsencrypt/live/$(hostname)/fullchain.pem" ]; then
+ # try to create a letsencrypt cert
+ if [ ! -d "/var/www/$(hostname)/htdocs" ]; then
+ mkdir "/var/www/$(hostname)/htdocs"
+ fi
+ DH_KEYLENGTH=2048
+ LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
+ "${PROJECT_NAME}-addcert" -e "$(hostname)" -s "$LETSENCRYPT_SERVER" --dhkey "$DH_KEYLENGTH"
+ # does the cert exist ?
+ if [ ! -f "/etc/letsencrypt/live/$(hostname)/fullchain.pem" ]; then
+ return
+ fi
+ fi
+ if [ ! -f "/etc/letsencrypt/live/$(hostname)/privkey.pem" ]; then
+ return
+ fi
+
+ exim_tls_config_file=/etc/exim4/conf.d/main/03_exim4-config_tlsoptions
+
+ # enable TLS in exim
+ if ! grep -q "MAIN_TLS_ENABLE =" $exim_tls_config_file; then
+ sed -i '/.ifdef MAIN_TLS_ENABLE/i MAIN_TLS_ENABLE = yes' $exim_tls_config_file
+ else
+ sed -i 's|MAIN_TLS_ENABLE =.*|MAIN_TLS_ENABLE = yes|g' $exim_tls_config_file
+ fi
+
+ # add TLS private key in exim
+ if ! grep -q 'MAIN_TLS_PRIVATEKEY = /etc/letsencrypt' $exim_tls_config_file; then
+ sed -i "/MAIN_TLS_ENABLE =/a MAIN_TLS_PRIVATEKEY = /etc/letsencrypt/live/$(hostname)/privkey.pem" $exim_tls_config_file
+ else
+ sed -i "s|MAIN_TLS_PRIVATEKEY = /etc/letsencrypt.*|MAIN_TLS_PRIVATEKEY = /etc/letsencrypt/live/$(hostname)/privkey.pem|g" $exim_tls_config_file
+ fi
+
+ # add TLS public key in exim
+ if ! grep -q 'MAIN_TLS_CERTIFICATE = /etc/letsencrypt' $exim_tls_config_file; then
+ sed -i "/MAIN_TLS_ENABLE =/a MAIN_TLS_CERTIFICATE = /etc/letsencrypt/live/$(hostname)/fullchain.pem" $exim_tls_config_file
+ else
+ sed -i "s|MAIN_TLS_CERTIFICATE = /etc/letsencrypt.*|MAIN_TLS_CERTIFICATE = /etc/letsencrypt/live/$(hostname)/fullchain.pem|g" $exim_tls_config_file
+ fi
+}
+
 function install_email {
 if [[ $SYSTEM_TYPE == "mesh"* ]]; then
 return
@@ -1773,6 +1828,7 @@ function install_email {
 install_email_basic
 configure_email_onion
 prevent_mail_process_overrun
+ exim_enable_tls
 mark_completed "${FUNCNAME[0]}"
 }
 
diff --git a/src/freedombone-upgrade b/src/freedombone-upgrade
index dfd4f0b15..af9fd05e8 100755
--- a/src/freedombone-upgrade
+++ b/src/freedombone-upgrade
@@ -139,6 +139,7 @@ if [ -d "$PROJECT_DIR" ]; then
 #rebuild_exim_with_socks
 install_dynamicdns
 torrc_migrate
+ exim_enable_tls
 add_xmpp_onion_to_email
 nodejs_upgrade
 $INSTALL_PACKAGES_BACKPORTS certbot
-- 
GitLab
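Review bot: The `MAIN_TLS_PRIVATEKEY` sed lines point exim at certbot's `/etc/letsencrypt/live/<host>/privkey.pem`, which certbot normally leaves readable by root only, whereas as far as I know exim4 on Debian opens its TLS key as its unprivileged run-as user; nothing in the hunk relaxes that, so TLS initialisation is likely to fail at runtime until the key (or a copy of it) is made readable by that user — worth confirming on a host before merging. The hunk also edits a `conf.d` fragment without regenerating the assembled configuration or reloading exim4, so the new settings are not live when the function returns; the caller would need something like `update-exim4.conf` followed by a service reload. On style, `exim_tls_config_file`, `DH_KEYLENGTH` and `LETSENCRYPT_SERVER` are assigned as globals inside the function and the config-file variable is expanded unquoted in every grep/sed call; `local exim_tls_config_file=/etc/exim4/conf.d/main/03_exim4-config_tlsoptions` together with `"$exim_tls_config_file"` at each use would keep it contained. The function is defined entirely within this hunk.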
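Review bot: Calling `exim_enable_tls` unconditionally from the upgrade path means that every upgrade run on a clearnet host that still lacks a certificate re-runs `-addcert`, which requests a fresh Let's Encrypt certificate and creates `/var/www/<host>/htdocs` as a side effect; if issuance keeps failing (missing DNS, port 80 unreachable) this repeats on each upgrade and can run into the CA's failed-validation rate limits for that hostname. Consider gating the call on the certificate already existing, or on a one-time marker, so the upgrade script does not retry issuance on every run. This assumes `exim_enable_tls` is sourced into freedombone-upgrade from freedombone-base-email in the same way as the neighbouring functions.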