Remove STARTTLS policy enhancement from this branch.

certbot-postfix/Dockerfile

@@ -1,32 +0,0 @@
-FROM certbot_local
-MAINTAINER Sydney Li
-
-WORKDIR /opt/certbot-postfix
-
-RUN apk add --no-cache --update postfix \
-        ca-certificates \
-        supervisor \
-        rsyslog \
-        bash \
-        git \
-        curl-dev \
-        gcc \
-        libc-dev
-
-# Postfix isn't very docker-friendly-- also need to DL rsyslog and
-# run them via supervisord.
-COPY docker-files/supervisord.conf /etc/supervisord.conf
-COPY docker-files/rsyslog.conf /etc/rsyslog.conf
-COPY certbot_postfix/ certbot_postfix/
-COPY setup.py setup.py
-COPY requirements.txt requirements.txt
-RUN pip install --no-cache-dir --editable .
-RUN pip install -r requirements.txt
-
-
-ADD tests tests
-ADD testdata testdata
-
-RUN mkdir /var/mail
-ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
-EXPOSE 25

certbot-postfix/certbot_postfix/constants.py

@@ -1,7 +1,5 @@
 """Postfix plugin constants."""
 
-POLICY_FILENAME = "starttls_everywhere_policy"
-
 CA_CERTS_PATH = "/etc/ssl/certs/"
 
 MINIMUM_VERSION = (2, 11,)
@@ -55,6 +53,5 @@ CLI_DEFAULTS = dict(
     tls_only=False,
     ignore_master_overrides=False,
     server_only=False,
-    policy_file=POLICY_FILENAME,
 )
 """CLI defaults."""

certbot-postfix/certbot_postfix/installer.py

@@ -29,11 +29,6 @@ class Installer(plugins_common.Installer):
 
     :ivar postconf: Wrapper for Postfix configuration command-line tool.
     :type postconf: :class: `certbot_postfix.postconf.ConfigMain`
-
-    :ivar policy: A STARTTLS Policy object to query per-domain TLS policies.
-    :type policy: :class: `policylist.policy.Config`
-
-    :ivar str policy_file: Path to TLS policy file in a format that Postfix expects.
     """
 
     description = "Configure TLS with the Postfix MTA"
@@ -49,8 +44,6 @@ class Installer(plugins_common.Installer):
             "default configuration paths.")
         add("config-utility", default=constants.CLI_DEFAULTS["config_utility"],
             help="Path to the 'postconf' executable.")
-        add("policy-file", default=constants.CLI_DEFAULTS["policy_file"],
-            help="Name of the policy file that we should write to in config-dir.")
         add("tls-only", default=constants.CLI_DEFAULTS["tls_only"],
             help="Only set params to enable opportunistic TLS and install certificates.")
         add("server-only", default=constants.CLI_DEFAULTS["server_only"],
@@ -74,14 +67,9 @@ class Installer(plugins_common.Installer):
         # Files to save
         self.save_notes = []
 
-        # Variables for starttls-policy enhancement
-        self.policy = None
-        self.postfix = None
-        self.policy_file = None
-        self._enhance_func = {"starttls-policy": self._enable_policy_list}
-        # Since we only need to enable TLS or the STARTTLS policy once for all domains,
+        self._enhance_func = {}
+        # Since we only need to enable TLS once for all domains,
         # keep track of whether this enhancement was already called.
-        self._starttls_policy_enabled = False
         self._tls_enabled = False
 
     def _ensure_ca_certificates_exist(self):
@@ -127,7 +115,6 @@ class Installer(plugins_common.Installer):
         # Check Postfix version
         self._check_version()
         self._lock_config_dir()
-        self.policy_file = os.path.join(self.conf('config-dir'), self.conf('policy-file'))
         self.install_ssl_dhparams()
 
     def config_test(self):
@@ -256,25 +243,6 @@ class Installer(plugins_common.Installer):
             self._set_vars(constants.DEFAULT_CLIENT_VARS)
         self._confirm_changes()
 
-    def _enable_policy_list(self, domain, options):
-        # pylint: disable=unused-argument
-        if self._starttls_policy_enabled:
-            return
-        self._starttls_policy_enabled = True
-        try:
-            from starttls_policy import policy
-        except ImportError:
-            raise errors.PluginError('STARTTLS Everywhere policy Python module not installed!')
-        if options is None:
-            policy = policy.Config()
-        else:
-            policy = policy.Config(options)
-        policy.load()
-        util.write_domainwise_tls_policies(policy, self.policy_file)
-        policy_cf_entry = "texthash:" + self.policy_file
-        self.postconf.set("smtp_tls_policy_maps", policy_cf_entry)
-        self.postconf.set("smtp_tls_CApath", constants.CA_CERTS_PATH)
-
     def enhance(self, domain, enhancement, options=None):
         """Raises an exception for request for unsupported enhancement.
         """
@@ -295,7 +263,7 @@ class Installer(plugins_common.Installer):
         :rtype: list
 
         """
-        return ['starttls-policy']
+        return []
 
     def save(self, title=None, temporary=False):
         """Creates backups and writes changes to configuration files.

certbot-postfix/certbot_postfix/tests/installer_test.py

@@ -2,7 +2,6 @@
 import functools
 import os
 import pkg_resources
-import shutil
 import unittest
 
 import mock
@@ -19,9 +18,7 @@ class InstallerTest(certbot_test_util.ConfigTestCase):
         self.config.postfix_ctl = "postfix"
         self.config.postfix_config_dir = self.tempdir
         self.config.postfix_config_utility = "postconf"
-        self.config.postfix_policy_file = os.path.join(self.tempdir, "config.json")
         self.config.config_dir = self.tempdir
-        shutil.copyfile(_config_file, self.config.postfix_policy_file)
         self.mock_postfix = MockPostfix()
         self.mock_postconf = MockPostconf(self.tempdir, {"mail_version": "3.1.4"})
 
@@ -29,7 +26,7 @@ class InstallerTest(certbot_test_util.ConfigTestCase):
         pass
 
     def test_add_parser_arguments(self):
-        options = set(('ctl', 'config-dir', 'config-utility', 'policy-file',
+        options = set(('ctl', 'config-dir', 'config-utility',
                        'tls-only', 'server-only', 'ignore-master-overrides'))
         mock_add = mock.MagicMock()
 
@@ -113,17 +110,7 @@ class InstallerTest(certbot_test_util.ConfigTestCase):
     def test_supported_enhancements(self):
         self.assertEqual(
             self._create_prepared_installer().supported_enhancements(),
-            ['starttls-policy'])
-
-    def test_enhance_starttls(self):
-        installer = self._create_prepared_installer()
-        mock_open = mock.mock_open()
-        with mock.patch('certbot_postfix.installer.util.open', mock_open):
-            installer.enhance("example.org", "starttls-policy", self.config.postfix_policy_file)
-        mock_open().write.assert_called_once_with(
-            'example-recipient.com secure '
-            'match=.example-recipient.com:example-recipient.com:mail.example.com '
-            'protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1\n')
+            [])
 
     def _create_prepared_installer(self):
         """Creates and returns a new prepared Postfix Installer.

certbot-postfix/certbot_postfix/util.py

@@ -6,8 +6,6 @@ from certbot import errors
 from certbot import util as certbot_util
 from certbot.plugins import util as plugins_util
 
-from certbot_postfix import constants
-
 logger = logging.getLogger(__name__)
 
 COMMAND = "postfix"
@@ -203,55 +201,6 @@ def verify_exe_exists(exe, message=None):
     if not (certbot_util.exe_exists(exe) or plugins_util.path_surgery(exe)):
         raise errors.NoInstallationError(message)
 
-def _get_formatted_protocols(min_tls_version, delimiter=":"):
-    """Enforces the minimum TLS version in a way that Postfix can understand. For instance,
-    if the min_tls_version is TLS1.1, then Postfix expects: "!SSLv2:!SSLv3:!TLSv1"
-
-    :param str min_tls_version: SSL/TLS version that we expect to be in ACCEPTABLE_TLS_VERSIONS.
-    :param str delimiter: delimiter for the SSL/TLS declarations.
-    :rtype str: Protocol declaration, formatted correctly in a Postfix-y way. For instance:
-        TLSv1.1 => !SSLv2:!SSLv3:!TLSv1
-        TLSv1   => !SSLv2:!SSLv3
-    """
-    if min_tls_version not in constants.ACCEPTABLE_TLS_VERSIONS:
-        return None
-    return delimiter.join(["!" + version
-        for version in constants.TLS_VERSIONS[0:constants.TLS_VERSIONS.index(min_tls_version)]])
-
-def _get_formatted_policy_for_domain(address_domain, tls_policy):
-    """Parses TLS policy specification into a format that Postfix expects. In particular:
-        <domain> <tls_security_level> protocols=<protocols>
-    For instance, let's say we have an entry for mail.example.com with a minimum TLS version of 1.1:
-        mail.example.com encrypt protocols=!SSLv2:!SSLv3:!TLSv1
-    :param address_domain str: The domain we're configuring this policy for.
-    :param tls_policy dict: TLS policy information.
-    :rtype str: Properly formatted Postfix TLS policy specification for this domain.
-    """
-    mx_list = tls_policy.mxs
-    if len(mx_list) == 0:
-        matches = ""
-    else:
-        matches = 'match=' + ':'.join(mx_list)
-    entry = address_domain + " secure " + matches
-    protocols_value = _get_formatted_protocols(tls_policy.min_tls_version)
-    if protocols_value is not None:
-        entry += " protocols=" + protocols_value
-    else:
-        logger.warn('Unknown minimum TLS version: %s', tls_policy.min_tls_version)
-    return entry
-
-def write_domainwise_tls_policies(policy, policy_file):
-    """Writes domainwise tls policies to policy_file in a format that Postfix
-    can parse.
-    :param policy: A TLSPolicy object that wraps the STARTTLS Policy List.
-    :param str policy_file: The filepath to the Postfix tls_policy file that should be written.
-    """
-    policy_lines = []
-    for address_domain, tls_policy in policy.policies_iter():
-        policy_lines.append(_get_formatted_policy_for_domain(address_domain, tls_policy))
-    with open(policy_file, "w") as f:
-        f.write("\n".join(policy_lines) + "\n")
-
 def report_master_overrides(name, overrides, acceptable_overrides=None):
     """If the value for a parameter |name| is overridden by other services,
     report a warning to notify the user.
@@ -268,7 +217,7 @@ def report_master_overrides(name, overrides, acceptable_overrides=None):
         service, value = override
         # If this override is acceptable:
         if acceptable_overrides is not None and \
-            _is_acceptable_value(name, value, acceptable_overrides):
+            is_acceptable_value(name, value, acceptable_overrides):
             continue
         error_string += "  {1}: {2}\n".format(service, value)
     if len(error_string) > 0:
@@ -276,6 +225,9 @@ def report_master_overrides(name, overrides, acceptable_overrides=None):
              "following services in master.cf:\n" + error_string)
 
 def is_acceptable_value(parameter, value, acceptable):
+    """ Returns whether the `value` for this `parameter` is acceptable,
+    given a string or tuple `acceptable`
+    """
     # If it's a tuple, there's multiple acceptable options.
     # Only set a param if it's not acceptable.
     if isinstance(acceptable, tuple):

certbot-postfix/docker-files/rsyslog.conf

@@ -1,13 +0,0 @@
-$ModLoad immark.so # provides --MARK-- message capability
-$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
-
-# default permissions for all log files.
-$FileOwner root
-$FileGroup adm
-$FileCreateMode 0640
-$DirCreateMode 0755
-$Umask 0022
-
-#*.info                                                 /dev/stdout
-#mail.*                                                 /dev/stdout
-mail.info /dev/stdout

certbot-postfix/docker-files/supervisord.conf

@@ -1,24 +0,0 @@
-[supervisord]
-user            = root
-nodaemon        = true
-logfile         = /dev/null
-logfile_maxbytes= 0
-
-[program:rsyslog]
-command         = rsyslogd -n
-autostart       = true
-autorestart     = true
-startsecs       = 2
-stopwaitsecs    = 2
-stdout_logfile  = /dev/stdout
-stderr_logfile  = /dev/stderr
-stdout_logfile_maxbytes = 0
-stderr_logfile_maxbytes = 0
-
-[program:postfix]
-process_name    = master
-autostart       = true
-autorestart     = false
-directory       = /etc/postfix
-command         = /usr/sbin/postfix -c /etc/postfix start
-startsecs = 0

certbot-postfix/testdata/certificates/ca.crt

@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID2TCCAsGgAwIBAgIJAIQpx8+nzXMdMA0GCSqGSIb3DQEBCwUAMIGCMQswCQYD
-VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j
-aXNjbzEMMAoGA1UECgwDRUZGMRYwFAYDVQQLDA1UZWNoIFByb2plY3RzMSAwHgYD
-VQQDDBdNYWlsIERlbGl2ZXJ5IE92ZXJsb3JkczAeFw0xODAzMzAyMzA0MjFaFw0y
-MTAxMTcyMzA0MjFaMIGCMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5p
-YTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEMMAoGA1UECgwDRUZGMRYwFAYDVQQL
-DA1UZWNoIFByb2plY3RzMSAwHgYDVQQDDBdNYWlsIERlbGl2ZXJ5IE92ZXJsb3Jk
-czCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL1rcXDr4/JYmcBntXOQ
-OOkHRZCrxg/iDDj1Xy5qarMCKI+l+5JjuQBTN5msve+vQpxrNatt+Pk5N7RuaqGb
-l5UDxr38SmzI0HoggMJkFv4h2MEqunVyqEMYJC4AvlpXdz1BLJJ6jJY+XJAcXfNL
-1/WAplnP5KWjoFBziiv9Fo6mNyp65o8qLnsrCMs75jU6GQVCfdxmd97elyR+p2c1
-WPJEWSVIT/+sWwIVgYigm+fOQYfccapN91aMdWwizwHbaVamCoxuIWHOdtD0QQBg
-kFKQGy3RQUb6byUszKOJyLHtsPTi5DnGNcQZFbExslisYW6wGQ5ZOf2xClIgfb+O
-RaECAwEAAaNQME4wHQYDVR0OBBYEFOB4SKwmpWzqSJd5siuLCd9bfAFAMB8GA1Ud
-IwQYMBaAFOB4SKwmpWzqSJd5siuLCd9bfAFAMAwGA1UdEwQFMAMBAf8wDQYJKoZI
-hvcNAQELBQADggEBACUF7wbiH/vuji/C0x1ugxeZh4EXh1p9UA59g7bK3HpeJX/B
-gfX8WOtGeu97q3FX0kzjRnb0BvH3BzMfTFKg4juLzruYWhvLaRGz3CtVh1mjocLh
-KR3POrdwPL/iJjxizgckTwgvwrQhYrVexeHiBWs7Ge1Wq+d+2MUpuZfeQyBk1xBP
-DMQMF6sw/mrjfYKK9M5Kkvz3BBjgihaZxDeEWgZuQCZ9s9nb35gaRUACT3iyovm4
-osajjfIiBV2xwuD4DafOiyuUsEeWw+pGo2f11et2dXsUEsEgY+IGS6qzypIGQL2y
-Ygcb8ImHxCR4A8ILUtMuZQ/Fco1V8deZvU1NPIY=
------END CERTIFICATE-----

certbot-postfix/testdata/certificates/ca.key

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAvWtxcOvj8liZwGe1c5A46QdFkKvGD+IMOPVfLmpqswIoj6X7
-kmO5AFM3may9769CnGs1q234+Tk3tG5qoZuXlQPGvfxKbMjQeiCAwmQW/iHYwSq6
-dXKoQxgkLgC+Wld3PUEsknqMlj5ckBxd80vX9YCmWc/kpaOgUHOKK/0WjqY3Knrm
-jyoueysIyzvmNToZBUJ93GZ33t6XJH6nZzVY8kRZJUhP/6xbAhWBiKCb585Bh9xx
-qk33Vox1bCLPAdtpVqYKjG4hYc520PRBAGCQUpAbLdFBRvpvJSzMo4nIse2w9OLk
-OcY1xBkVsTGyWKxhbrAZDlk5/bEKUiB9v45FoQIDAQABAoIBAQCgqhWaljrOQGCJ
-Vm4OC3J6FXTn9QsWRcHgPh/xmsnN9DK7RSpRTMyKfgtXCbJBLwLs8fKf6bOYkPOy
-00UWtoaoGn/kfa4S/3H1ZMRSHdtyyvqzPa7SF+Kopj1p16+dqTq2diV8SP4eId8Z
-TTZTOy1+SxTOcQubg2JjWt0D2rPbYaE0DmAqFcXgLOLN6fVQY/Rkr3c7pVKGXqdk
-19vKej1fNH1tdUPBEqc/mvijxHKW+HnL2+hTalBBwWsPx7nOOABb6ikvtdIDzC87
-egCv0XoQntpxPJ2kuYfczN0/pNvg8rWEk9X0tHRKSnVK8HVHAN+WrZx8JWS/YODE
-zn+nElmRAoGBAPQhL4eZeAzvIr9pd+gcf1KnLsggFyGx42+mqLjje6hxXu5jC4YC
-pfjHmCKhvd1u0yCmm8P9uQmPiCvgjqMz4iPrE+qa0Xu9faJ956Bs7i0Wky3Xqiy9
-HQNfax3F7HHXQc66i+7DQ3DEiBWmVV8LfddA6bzPTHxAtqPUERw/lG6/AoGBAMah
-QNCGSyzGZYVwz+7erax7ke7A4DWumx2/wBTIe4S6XKLqh95Qjd7WeHgzN+UDMymO
-BIOHivuch5cTILx+lphaX0bu1bn9aL6gMRm+FQBuefTVZHu/H+HS0Fr5FuKEBj84
-uxXFdAJwXY0yreciaotSr3wphm2Cl/5QAqZQfsOfAoGAXCaSrFqvyCIUObB0BHeN
-UAOvUvdaA+wD78c29ONZcBGrRcy5MtKZF7kvohLvekA1DaQWM/r397XoLrfK36vb
-9rbrg6kA3fZ/D/D6l8HGfdqBn9JCeDTCWN2Rr2FgiPA59PDRlUS7ljt5KsLogsHx
-tGjaUdzmABjlWB3af5E4VD0CgYEAv7/91RA/1Dq22Oo+IahgWslz6NvT1p736fEp
-miasb0aFlVT50xlKzBuZcthnFjNPmcca/mrENgA3ORXjHXTLJsrffZelRganrpbw
-r5w7pA4Ct+OlPH0WZyffsmMSv5uaeD/pA6x5QL1+4odRMHeeCV/KPv/LYT6YQo60
-8B93MJsCgYEAoUp8NOU0BSb2TVDmiPvhTpfFmbNua9Vqd3XwAj2TfJZFM6Sc3+Dk
-IdDy8cUEfPpf/TUO2ULGGEUM1qseng/jhiwY9w1mEA7UDjsc2r8v2Mo8vhV9Pafa
-kPSwKbAR/vfQ4gtkgk9GOEAsjxcon3rs/UbAskKcmqA8YsMW2lKXs/c=
------END RSA PRIVATE KEY-----

certbot-postfix/testdata/certificates/evil.crt

@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDcjCCAloCCQCIxODY/mB2CTANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x
-DDAKBgNVBAoMA0VGRjEWMBQGA1UECwwNVGVjaCBQcm9qZWN0czEgMB4GA1UEAwwX
-TWFpbCBEZWxpdmVyeSBPdmVybG9yZHMwHhcNMTgwMzMwMjMwNjIwWhcNMTkwODEy
-MjMwNjIwWjBzMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG
-A1UEBwwNU2FuIEZyYW5jaXNjbzEMMAoGA1UECgwDRUZGMRYwFAYDVQQLDA1UZWNo
-IFByb2plY3RzMREwDwYDVQQDDAhldmlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAL7ToAf36lkjAaiYR2N8fQLaPbyfxGE7gu+DZz42cq0iVguU
-WyldQX/KsYZUG4cjJ3XRnbuPZU5zy/aX6PdvgGZ5PkEucGrSTdDdVL5vuLLiSNU6
-hO3hDtOjPhHW701KaKbQlmhFubflVYI9JqrFGzjNgKQbEid96t50wjGKIKl3LTSx
-jJS6DhCH+sVeqnz92ejiXAcrczrx/OIjBh3J2UGm1rpR8jv9fkB8JtiLOoyHgV1D
-YfwFk4KbLS9L6uMvSaiK1XcAOPgYo20jGgLRXplVqCPvmfCc2ASpRfc8BtNxP5e0
-Jlv29KhF+76cxiNiDn1uQ7/14vsOoE5cOsWWeWsCAwEAATANBgkqhkiG9w0BAQsF
-AAOCAQEAbShtlMQ2Yr8voORJr0yeRJ0VY9L9F0RJbLwVgyFyzuOyGti8lLVOfJFA
-uT/yUGZRqoWNP+QX8IJ6GA5SlAXKHHA6JtkgFVff5k565aSUpTG93Yo9+4jbP+RH
-o/y9lUVtCL7mCoKB9P99thBaR3zSqorPvs/yIslY69tgh4py8vMKMF19Td5P6yIQ
-G2er0CC7rFTB+GSTRUQJrBGMgq/IcFUThDfgSlp661H9WBrVoYw3H6qggh0SMWJO
-aZDHYj2ztL4AZaJfrFJ3nH05P+UaW1MDSwlvBoHx0pucCCg0iTZuK462YmvpcNDL
-LrZWYR7mr4eWHH9RzSYN/5Kw1/BF9A==
------END CERTIFICATE-----

certbot-postfix/testdata/certificates/evil.key

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAvtOgB/fqWSMBqJhHY3x9Ato9vJ/EYTuC74NnPjZyrSJWC5Rb
-KV1Bf8qxhlQbhyMnddGdu49lTnPL9pfo92+AZnk+QS5watJN0N1Uvm+4suJI1TqE
-7eEO06M+EdbvTUpoptCWaEW5t+VVgj0mqsUbOM2ApBsSJ33q3nTCMYogqXctNLGM
-lLoOEIf6xV6qfP3Z6OJcBytzOvH84iMGHcnZQabWulHyO/1+QHwm2Is6jIeBXUNh
-/AWTgpstL0vq4y9JqIrVdwA4+BijbSMaAtFemVWoI++Z8JzYBKlF9zwG03E/l7Qm
-W/b0qEX7vpzGI2IOfW5Dv/Xi+w6gTlw6xZZ5awIDAQABAoIBAHJWkvizTzOBiije
-tUei+7SN15gBksU/x0CD14SrUyLyA+SES+sI+Yn8hUobczMRmT87DeuoC+dp8rga
-ZXh80s6Trv2XObyHriCLvY8tmdl1RHaeza9KvnuIwFQoGNKS1wm8yaJIxPKu8wFK
-arS/zYPHfmDV55bKF8Sa6RCN1uwydkQkSv0qNAnW/94WlyWk0Peq7X2SeUYLjj6b
-ilVyET3WxCjDsUYTAsSIw7gA1CC3xm7KobXirw4EWVFAE0HXThaTLXyXIqBBuq0U
-bu79nCUqva6ScMnHtkMSw5rJoccqw4qRw+r7WW2mL1ZgIXHz41qeQX2VGNpEJhWZ
-VLTDO4ECgYEA83lFRgz3v1SdjQYq85fM8O3vvuItOqERT21+NQKOiv/qp1SlKWOu
-DNEVxllZOMWxhjJRo9KkMusDE058e2/a2MstBMJR6tcMCl0NIrvSPFmFXfaO6fBb
-kshr/Rrr+S+QQi/qL7QqFFCeo9uPckVMF9z7SVUCMs2m7j5hsdXbsrECgYEAyKT0
-K2aHZCtS6LGgNrK7XPFGFFcWbaOFU8MSiykuK9yOMq+a1IQa6wlCLhxVQzHAyS/k
-XKfTgtphvAQOv11bK1SiqKBqMlWyYLEQ9YIBfIKu0GoIUOVduG0gomZOJV1+MRTu
-32PFBkCNQnlP+20VpFY5D1vcxspbdor2bP59XNsCgYEAxEFdmKC9V0nCkbmGB8K2
-HQL+fNRd9uN8S5UL5XkBI4Q0RttRIrLJymUDc1X0OHIKrgyDiFUzrCOJ4Bck+m7o
-blYgHLTySSU8/GGTRAs35ROYEGy9OE9Z0VCi02vPCJbRZriuwfMs9CEkLxq9XzQC
-qT2khLD0S7U/uM0p/KpRJJECgYEAlFZ/vmZ6ym/NSAOqc0YIh1pJeVg5WK2AMMET
-wJadcAgLiSWSznMsg3/A0d5Ymuj5osQpjOb21NMnVp2ZWZlngc18xDZ0zOnWiu3d
-n+SRvL/RBnyd0VEBzQvBCM+iDrXkSd00DSvxygGHbhHKNBQd3/VvEg/UVZPdsvJh
-5Yrwm+kCgYAEvXKNGvcSEmR7oEMxm8tEUMiJ5gSKSaanCv529t/1r7M7OUxXPaRb
-rscUvdDf2izGUIMcwYMQN0DpayifLsZoXHzTO4mBSepc404BH3tOGtTXdcmlAVtn
-OQKXn7eV3yrkcqr2mqxBVp1o2sbrU1AghypshxYGbBHM2rF1SS3n8g==
------END RSA PRIVATE KEY-----

certbot-postfix/testdata/certificates/self-signed.crt

@@ -1,33 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFwzCCA6ugAwIBAgIJAKUz1/36w+LgMA0GCSqGSIb3DQEBCwUAMHgxCzAJBgNV
-BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
-c2NvMQwwCgYDVQQKDANFRkYxFjAUBgNVBAsMDVRlY2ggUHJvamVjdHMxFjAUBgNV
-BAMMDXJlY2lwaWVudC5jb20wHhcNMTgwMzMxMDE0MzI2WhcNMTkwMzMxMDE0MzI2
-WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
-U2FuIEZyYW5jaXNjbzEMMAoGA1UECgwDRUZGMRYwFAYDVQQLDA1UZWNoIFByb2pl
-Y3RzMRYwFAYDVQQDDA1yZWNpcGllbnQuY29tMIICIjANBgkqhkiG9w0BAQEFAAOC
-Ag8AMIICCgKCAgEAqiR5ZLiXvu6zf2hRyKM1/uTqF1h7f+bsCwzxG0n3SGmeXMVq
-GCacBLftMR6ufN2fVvnDt9g5JYK4RKUIcgfRwcn3UXq3NWRP++N6oIF+FjDatlUY
-zzmlSmDuP0ozuaFQAGeqrsF9fCIBP8oX1vw3JPoRzb2yuAsuaYPVsrIM/Sp7ApF3
-qUp9X4FfrMFUTyuQNtaZXs/jCNaOHWi1d64qFFcHmpK3gdxPkp47OiVQY+VhoPrW
-SFs8yVuOdS6/wPj1AzPj05qzWm/cwlkZnRl4Ol25kdA1Xl1UfrG3z/g6YYOR0vs7
-BfXiAS1+JX6izk6a55SjQWNb/6cdWWnO12NAtc+gx77KxtyeAaZr+qzAmKlXaCjr
-A+tTvgGpKfF4Bhbf80LwuJmodv6hG3jJG1xhrpig82C9Q2oPwJjYRFg+N1sx6pqj
-xlqX41ymtarMpuzaeikkDzLajlF3BYya8wHJ3Yc9XD+FdIWUCbtGoqWa7uFT3tEB
-o3s5z7Cx5nPL2tRbah+PE5KDfApzN5lhoCyHe8KcZnZdfBt7VhfTt59qJP4mwf5A
-pf7bTkaNhiHVa5GQQb6RhOEPMw+hUR4700S+PuzSKZ5WTePpny4f/2eVt9w9GXby
-/EbTXzhtcQHzGBlhLp2yrGb1LYmLNwndsiBM7bciNBeV8OK7m9UwKQ92j5MCAwEA
-AaNQME4wHQYDVR0OBBYEFORjWdSitq+F9t4gK++56NQuV5TiMB8GA1UdIwQYMBaA
-FORjWdSitq+F9t4gK++56NQuV5TiMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL
-BQADggIBAAGAhmwgl7JyE1uq7TMBGXIj8umAvBB1C/rLJAuDM1lD8r/A4mmIzhF3
-nxfHpFycb3g85sVvjUUt8NmTl/c2w1coSdLzws87mLDDHXZBKTVY0jpmAESYxwIi
-UZhOC8f4N+5CEhScTHpdPwzkPCFK/ktaZVXD4hSl8ICeF31Frw+0NOj4cnofwxZv
-DCXUI245lZJMf8+acmPL/s4eEE60HsZ/XCQPrBK33TxlMGBhDxEnzriTRiVlPY/I
-0BA9cO3e7d+a2MB+F9b3eoTo7kZ+2GkFVz0QY28KiovH6jAFMqI6c5Vo5YfvesmN
-HjVi35fJ93G/fVtwvakdHNigev3FMTilu1lp/w6lwVZEfQoDJEPBunz671F9bm/m
-J4JjEfPF36wY9yu6DIAsaBSI3EgB3sCHKo0Q6huZxLdVKup2rLsEsqAEYWCsQgxO
-OEM4q4qqBI4wMkNHkMyD5SOfZPMRDNyZGjIPcztsiHxYHMzjl2b2tPQfo6paWgMn
-ZFyvjPO+7J1srZDdVwhsTxqXCd/Hp+sxiH1MmX4rYkEAkqVprHxwyK/ZTpo3q51q
-iQX3vKccXiDBR0RcasDEblLfRN2CX2CDz+BIVjRGESMSTJ8LHLJYGbaCT4a4QZBd
-bESex2aWaPHjZ46uSd2jl/sh9TlC4d+IK7r97jSSAcxYChpTHYMM
------END CERTIFICATE-----

certbot-postfix/testdata/certificates/self-signed.key

@@ -1,52 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCqJHlkuJe+7rN/
-aFHIozX+5OoXWHt/5uwLDPEbSfdIaZ5cxWoYJpwEt+0xHq583Z9W+cO32DklgrhE
-pQhyB9HByfdRerc1ZE/743qggX4WMNq2VRjPOaVKYO4/SjO5oVAAZ6quwX18IgE/
-yhfW/Dck+hHNvbK4Cy5pg9Wysgz9KnsCkXepSn1fgV+swVRPK5A21plez+MI1o4d
-aLV3rioUVweakreB3E+Snjs6JVBj5WGg+tZIWzzJW451Lr/A+PUDM+PTmrNab9zC
-WRmdGXg6XbmR0DVeXVR+sbfP+Dphg5HS+zsF9eIBLX4lfqLOTprnlKNBY1v/px1Z
-ac7XY0C1z6DHvsrG3J4Bpmv6rMCYqVdoKOsD61O+Aakp8XgGFt/zQvC4mah2/qEb
-eMkbXGGumKDzYL1Dag/AmNhEWD43WzHqmqPGWpfjXKa1qsym7Np6KSQPMtqOUXcF
-jJrzAcndhz1cP4V0hZQJu0aipZru4VPe0QGjeznPsLHmc8va1FtqH48TkoN8CnM3
-mWGgLId7wpxmdl18G3tWF9O3n2ok/ibB/kCl/ttORo2GIdVrkZBBvpGE4Q8zD6FR
-HjvTRL4+7NIpnlZN4+mfLh//Z5W33D0ZdvL8RtNfOG1xAfMYGWEunbKsZvUtiYs3
-Cd2yIEzttyI0F5Xw4rub1TApD3aPkwIDAQABAoICAFynOjhAUdqXEMa8H3Vcc+YX
-8Oa/t5liPn6SEKaks/YKFkQ8+Vanh+UF6DQMmkbDRadOomd2Z0BnHEO9f4jhezfF
-7VnAsw5vTyNDsJ7BhdE9z4zlcHpA0SNc/8EVfm+DSha+XXOHSPeVaQq82hioBrur
-NpDM0gtpg1/QfEowreQcAxrV7s0RFI8y29AvA+ONPJ6wZJr+KIvCk2eugsvm22Fy
-N2DUrvwX5nlYk7ZJZarQ2kaY8qI6lTKuGjj0OVYz/PE+i73LDAqeyiBH9yvXF+Lo
-8UpXkQiPWJkZ3JhzfA9oX7v+Nhk72lR72qs+eBhTNAYSqojMO+hPsCrl9M7UbQLx
-rTJQV76zGHB6wsrZ5tJ/mau3SOxKiJTmn0uirwFFi7MfEL/fL0X0GuY+TVMqdmuh
-pdW7N902NCW1yyQC78aRG/UZvMe077tpb69Ut/ZKfhPsGr2O6Cb48POaifIu6cYJ
-vQgBVnY4QHI6RTUuCL+CGM2avwn/7JuuZ1wBs3zuFhZ2MXBtjnG3kz6SC04P0dR3
-UQdIJPLRKTzeIRgE9ZeBAz/QC/vZyo0HwDL4PGQLdVGdGhlCdAOcdo5f36FTtHZ5
-AMelIpLyFaZ4hmvaoVGrpKoVZttEqXvhu43CktpO9EKphaIUir8/4E7oibnFf8bX
-E6c7E1wyDHRastytjuFZAoIBAQDb75HHSU5GZvIYpbGmdpfzq49Tx7i2zSGtz7lq
-UzXMWm+hdfPVnFdVHuioZ/vluatm0K82u6qiknDwJCeVH+zSQLwLAauRsCzPVNG9
-3CxKpZO6QB1g6KH3ykK2zVmWqARgyl9mbTIwBrXTFioMOn+KKHC4JAjsg4Y40CiJ
-fPL5FJMsn29Eti7iOsM4lqCnMZC3jg7r9PkF6uC1hu8gOVNHqN3naFH6APV9BOa7
-Z+AaDIU/TJx+s3eL3OIewtIARfGntJzqJOEEHDhVQgu1H3gmFVnzFcJe7jMAwkaU
-75wRZB1rkuEwFCqukKWrleUlNXfeTxKA7lQgXJXSBd5eKJkXAoIBAQDGCrAXf0wb
-j8X04rcGor7HYzeh3gbBorKDLQo5wYu0kYu7GkxfkrCMZrrzTRBJay1K+wPdPiuc
-l4eF+tGb+fLfodbFnmDs2KWqV2pPbkmftwYjCZsOnBzRb+aYvBlWRfGKyvl5WjJ9
-rGmWCG9WQjt8yHVEKjbLaAKP9FEzHIZORKmKlwzCIPHX+5UzNX0oCxf9F/pwpegd
-w0IQrYEAnDQ7EtOs1BFwp3vasKaDPys4NaZQocK6kE+I8fDVslaCikMPMY7QOVCq
-OsIuQY/Pxuwd49It0PvvE8W2bZpTL6ZllCu7BwcsQcGGk4re3iHCAR0fzH5wUyIP
-kgOWNjXx7hLlAoIBAQDP8D851dsFwQsftnix0+pyXT/TjD7dxjATbxP0rNtubAqi
-8ywoR/ph5ik+H6IPXm3pdWBTNTdtIVtaEDTETzzOxJmFJn0Z7yFOnPj4spPFt6pm
-K3wbRZbs+fP9dUVApXYONQfhhVgwBAggnRIAIca3zuhTkO5G/0sFp/jLlLD8QjGr
-vMmsgzrsdXZhqDgYG0qh4NPGzwQqThlKR1sKcmiElenHgeAPqJxxKRMlGF7PAgtw
-/3PubquWNq4rOzLlQzvovWCmF1wPUMcKBLmg8zHbf9BdfbMZocfi7cthwPEjmC4g
-qOvzUv3Psb6Q7dWKSnUcYFI0SCCNwDt+KEJHb8bdAoIBACm+Wvu481vj5EAIAbg+
-WaRBf5p46EeseaA4wC0IZOA8xY08r9h9XQVbKhDar5IqKzPg0SGzVxH8xq4w/jm4
-Z79Hp7Oj/J4v1EuhfWEcyBwIQhzki3B664Ah7CNJkrWirJUqz4cKwhXHX8ImKQGv
-mEZnIoCpvT8Gv3OEdhEl9BFPW8VArYnF0/RIrVxL7AOiwv2wLjPMZK7RV32YdNai
-FkhVYZTOZpauVubz0UVc7Uk91b6tOhSFEp61EKSaoK2HYzcypP2y9xPKqt+BJkUP
-kvmB6e2KXXA5ZLVdSOg75QEISGd1xcdIXPh25RCxFcCE55SqUARxIX7SsjrZVmmW
-WxkCggEBALIFdo3ZYFkQNOTElg613nd+YDZhR80zg74YYaHa4wkTgpHgoBYTjpso
-A+sK4omyZ59Ya7pEAOKBhufPATPMRiFH9T8fxXRMH6Nts8cmiDuTmhc3R/T4Hxt5
-A7Pb20CCdFpiTVeGr/zIqlZCjxwYpPi1BrauJLRVqqXc8ixlnmCT0H+mlRmYlGbg
-taZwuIQ63YM+U2flTCMG9jboaL8l7NT9Peg/TfYSnd0CS+90V3jR5n8/iQQDf2f9
-7PLDuNmYtYPHg5YKQBbVedKTwZuZZecFRb/teRjzLPVT2Dn/O+iSdQ4DHQQfv+zJ
-tuSRLL0KfOMMo3qJvm/UprrqRW+Oa4Q=
------END PRIVATE KEY-----

certbot-postfix/testdata/certificates/valid.crt

@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDdzCCAl8CCQCIxODY/mB2CjANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMC
-VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x
-DDAKBgNVBAoMA0VGRjEWMBQGA1UECwwNVGVjaCBQcm9qZWN0czEgMB4GA1UEAwwX
-TWFpbCBEZWxpdmVyeSBPdmVybG9yZHMwHhcNMTgwMzMwMjMwNzM0WhcNMTkwODEy
-MjMwNzM0WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQG
-A1UEBwwNU2FuIEZyYW5jaXNjbzEMMAoGA1UECgwDRUZGMRYwFAYDVQQLDA1UZWNo
-IFByb2plY3RzMRYwFAYDVQQDDA1yZWNpcGllbnQuY29tMIIBIjANBgkqhkiG9w0B
-AQEFAAOCAQ8AMIIBCgKCAQEAyDnXSD4NUHSrdsEET2wNlm/l3bxkl1dXVqiKHLVE
-aY/naUr7R9lkhb+/BNb+5fGV+Wj83UjF0uagEGQGO3gNLhEu7LSnRdH52EDOFhs8
-nGvxdyb85gi2UDXCITljq9OgrYMgmTFz3Evy6jvIetvH0Lm5KDTWifHulwZEcYRn
-Xw13qKvZ9vD6J/mHr1jcLk47nNJFdwrVeMhElZ6k2AeB9OOZS/fBfajzVSIkCBpr
-JoqV3+bHrHe2aji8cNBjAUINpL4Sy6QMAuM95ne78gIGsxbJBgt7L1IM1RkQUluN
-Wmvp7G3G4x7jKyp/Ts32vux6/1CTR85jiYNxGitJZQWitQIDAQABMA0GCSqGSIb3
-DQEBCwUAA4IBAQBuHLeiNZ+osqlZq4N6S90tj/PJip4AANiC4NHUH7AwoLdj966C
-+rx8gsKRnMbh7GffRbYHTrrpimkWab2jjhcN9JpQvLoP09/KTIsyVbA8Le7Chnb0
-HTPtSFwbjx+65urFeBrBKubGAoAKl63a/xA0/wUQtc8p0fyB15WhCCcr2ZUo+dMV
-txwcmJuyfVP4muUYrGcw2opWqH24lfD2rKDuQvtfFAtxiCl3lLbyxHgb26FADMMu
-USPs2oVU50/3wBdko2C86R4HG3UyhzqpDP3sX+b83up+Xw+RbZsa3kwLlzt14pgo
-+Zn097XnNN92tyioAEzYyCKbF0YRvxp3rUqT
------END CERTIFICATE-----

certbot-postfix/testdata/certificates/valid.key

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAyDnXSD4NUHSrdsEET2wNlm/l3bxkl1dXVqiKHLVEaY/naUr7
-R9lkhb+/BNb+5fGV+Wj83UjF0uagEGQGO3gNLhEu7LSnRdH52EDOFhs8nGvxdyb8
-5gi2UDXCITljq9OgrYMgmTFz3Evy6jvIetvH0Lm5KDTWifHulwZEcYRnXw13qKvZ
-9vD6J/mHr1jcLk47nNJFdwrVeMhElZ6k2AeB9OOZS/fBfajzVSIkCBprJoqV3+bH
-rHe2aji8cNBjAUINpL4Sy6QMAuM95ne78gIGsxbJBgt7L1IM1RkQUluNWmvp7G3G
-4x7jKyp/Ts32vux6/1CTR85jiYNxGitJZQWitQIDAQABAoIBAHKeCcrlGqIP54eX
-fmwooq6XZ7LDAaJQ8UI+QLGmYn87TXFM5wN+Qrj9xs9yc4AWB5A6tWXHHtdYBhDb
-8WVhl8njNEV0NL0XMjrE/jRRayTv9c4Ll4HnQtYvr+1s+M2H29b31VVcpcJaB7hm
-eKE75uppJsEJXjahM79oaw3AiZwzCJow5oKATz1Ttk7LD7sC23hyHHCIzM5nG+Od
-s0JbJj08xMZxlsts3WdbF14bfPgyKFIIbYm/qdeosPX26PmZvevtPLItomttO8d7
-c5HV8oYiLCmEDUSPuN13IeTRjuIEvU/zkVqRHxDTWtrzyQi74swAPW3e+SjvVALq
-26MsNRECgYEA/Py/cM80WYBsEXHT8D3TKMECxhD2OWp3wvlx8jHtCyK8DxHeUWvD
-4WlpOUSXkTsTbFfmhblHjnVIM9+kQn3tZnhTv/G4Xm+j11XakHm5GZ31YqSVwPW+
-MPCc69OkDwAZExhjkJSGvUF2WcrlJ96t34lX+3W5GJMdiRPYlHxiXZ8CgYEAypw+
-8jUlkKYBARKvGj6wzPX5xYdmNmoprVhq4jJGL8vwHgjsxlCz9eoixp3vBxhfKpgu
-jYrUv3LjiWwiR95zQQYuRTUt5ERlC7/d64lAhEvhKLkvQo8x/x9OQ5WX/0UlLd4N
-GLRjSzY/7TCdQW37OBSWyQTnXKZ5lGCfamEldysCgYB8LPMqxAnGBKsGxQBqY25K
-CrL51UmGVSQDp7yuTKM1XA9CtlqRTHwRIFRtr6VVu9GE1IBqEs90tUyDabqOiJEG
-QvmYtWTxtYqOH63wTE72q/nOOUroM7bu/quHdZKJalrkbIwyYzTfoEofON/R+hMO
-LbPp0ZbQ4SUWK4+bEpKVsQKBgFsfiIPgeUOkFYGJCK2yEkwsOKipK8Q/XP00beXL
-nJt0ikrH0s2ikD2Cjx9q+ozjXjHG/fD0xphQMJumwYg3OPi+seK4dypZxGRTZ5i+
-QwD9K4foOaQiyOaoCsgEqLbLP1xwqM06nAnAnWGs4p0BvOHNCL/h77hQuw+LoUbz
-6Ci/AoGBANZXia/sxU40a8zYsj/QlYK+51Q+h+UNqY4n4QY4MDho9hipL/SNKfbs
-5Sg9NJCL4mYQKdlh3BpASDEd2gyflGTCwbz1yiNA12hX0F8bF6gVSFW9ZnCxTCAF
-3mQKRi8QAts4yieLe7QeII7LzBIZyhn3Wr369/+oDIVHDrbEZdRr
------END RSA PRIVATE KEY-----

certbot-postfix/testdata/recipient_policy.json

@@ -1,13 +0,0 @@
-{
-  "timestamp": "2018-03-30T19:45:16+00:00",
-  "author": "Electronic Frontier Foundation https://eff.org",
-  "expires": "2018-04-30T19:45:16+00:00",
-  "version": "0.1",
-  "pinsets": {},
-  "policy-aliases": {
-    "recipient": { "mode": "enforce", "mxs": ["recipient.com"] }
-  },
-  "policies": {
-    "recipient": { "policy-alias": "recipient" }
-  }
-}

certbot-postfix/testdata/recipient_policy_keypin.json

@@ -1,19 +0,0 @@
-{
-  "timestamp": "2018-03-30T19:45:16+00:00",
-  "author": "Electronic Frontier Foundation https://eff.org",
-  "expires": "2018-04-30T19:45:16+00:00",
-  "version": "0.1",
-  "pinsets": {
-    "eff": {
-      "static-spki-hashes": [
-        "sha1/B5:68:C5:05:5E:5B:F0:03:93:9F:E1:89:10:21:A7:3E:E3:A9:B0:B9"
-      ]
-    }
-  },
-  "policy-aliases": {
-    "recipient": { "mode": "enforce", "mxs": ["recipient.com"] }
-  },
-  "policies": {
-    "recipient": { "policy-alias": "recipient" }
-  }
-}

certbot-postfix/tests/run_tests.sh

@@ -1,77 +0,0 @@
-#!/bin/sh
-
-set -e
-
-RCPTNAME=recipient
-SENDNAME=sender
-NETWORKNAME=certbot_postfix_network
-IMAGE_NAME=certbot_postfix
-BASE_IMAGE=certbot_local
-
-# Create network if it doesn't exist
-docker network create -d bridge $NETWORKNAME || true
-
-# Build with all the changes.
-docker build -t $BASE_IMAGE -f ../Dockerfile ../
-docker build -t $IMAGE_NAME .
-
-# Run sender and receipient images
-docker stop $SENDNAME || true
-docker stop $RCPTNAME || true
-
-docker run --rm --network=$NETWORKNAME \
-    -d --name $SENDNAME -h $SENDNAME $IMAGE_NAME
-    
-docker run --rm --network=$NETWORKNAME \
-    -d --name $RCPTNAME -h $RCPTNAME $IMAGE_NAME
-
-docker_do() {
-    docker exec ${1} /bin/sh -c ". ./tests/setup.sh && ${2}"
-}
-
-sender_do() {
-    docker_do $SENDNAME "$1"
-}
-
-recipient_do() {
-    docker_do $RCPTNAME "$1"
-}
-
-both_do() {
-    sender_do "$1" && recipient_do "$1"
-}
-
-both_do "setup && install_certs valid"
-
-echo "Regular mail over TLS..."
-sender_do "echo -e 'Subject: Subject\n\nbody' | sendmail root@${RCPTNAME}"
-sleep 1
-recipient_do "grep \"TLS\" /var/mail/root"
-
-echo "Mail NOT sent over TLS..."
-recipient_do "rm /var/mail/root"
-recipient_do uninstall_certs
-sender_do "echo -e 'Subject: Subject\n\nbody' | sendmail root@${RCPTNAME}"
-recipient_do "[ -f /var/mail/root ] && ! (grep \"TLS\" /var/mail/root)"
-
-echo "Mail NOT sent over TLS if policy configured poorly..."
-sender_do "install_certs valid --starttls-policy /opt/certbot-postfix/testdata/recipient_policy.json"
-sender_do "echo -e 'Subject: Subject\n\nbody' | sendmail root@${RCPTNAME}"
-sender_do "mailq | grep \"TLS is required, but was not offered\""
-
-echo "Mail NOT sent over TLS if cert name wrong..."
-recipient_do "install_certs evil"
-sender_do "echo -e 'Subject: Subject\n\nbody' | sendmail root@${RCPTNAME}"
-sender_do "mailq | grep \"Server certificate not trusted\""
-
-echo "Mail NOT sent over TLS if certs root not trusted..."
-recipient_do "install_certs self-signed"
-sender_do "echo -e 'Subject: Subject\n\nbody' | sendmail root@${RCPTNAME}"
-sender_do "mailq | grep \"Server certificate not trusted\""
-
-echo "Mail sent over TLS if policy configured properly..."
-recipient_do "install_certs valid"
-sender_do "echo -e 'Subject: Subject\n\nbody' | sendmail root@${RCPTNAME}"
-sleep 1
-recipient_do "grep \"TLS\" /var/mail/root"
-

certbot-postfix/tests/setup.sh

@@ -1,44 +0,0 @@
-#!/bin/sh
-
-DEFAULT_CONF=/etc/postfix/main.cf
-BACKUP_TLS_CONF=/etc/postfix/tls.cf.bk
-BACKUP_NO_TLS_CONF=/etc/postfix/no_tls.cf.bk
-
-setup() {
-    ### Certbot setup
-    ln -sf "/opt/certbot-postfix/testdata/certificates" /etc/certificates
-
-    # Postconf things for testing purposes.
-    postconf -e smtpd_use_tls=no
-    postconf -e smtpd_tls_received_header=yes
-    postconf -e smtputf8_enable=no
-    postconf -e disable_dns_lookups=yes
-    postconf -e myhostname=$HOSTNAME
-    newaliases
-
-    cat /etc/certificates/ca.crt >> /etc/ssl/certs/ca-certificates.crt
-}
-
-install_certs() {
-    # If certs alrady installed, restore from backup.
-    if ! [ -f $BACKUP_NO_TLS_CONF ]; then
-        cp $DEFAULT_CONF $BACKUP_NO_TLS_CONF
-    fi
-
-    # Install certs via certbot!
-    cert_name=$1
-    shift
-    certbot install --installer postfix \
-        --cert-path /etc/certificates/$cert_name.crt --key-path /etc/certificates/$cert_name.key \
-        -d recipient.com ${@}
-}
-
-uninstall_certs() {
-    # We shouldn't have to do anything other than
-    # restore the original backup version.
-    if [ -f $BACKUP_NO_TLS_CONF ]; then
-        cp $BACKUP_NO_TLS_CONF $DEFAULT_CONF
-        postfix reload
-        exit 0
-    fi
-}

certbot/cli.py

@@ -1110,9 +1110,6 @@ def prepare_and_parse_args(plugins, args, detect_defaults=False):  # pylint: dis
     helpful.add(
         "security", "--no-uir", action="store_false", dest="uir", default=flag_default("uir"),
         help=argparse.SUPPRESS)
-    helpful.add(
-        "security", "--starttls-policy", dest="starttls_policy",
-        default=flag_default("starttls_policy"), help=argparse.SUPPRESS)
     helpful.add(
         "security", "--staple-ocsp", action="store_true", dest="staple",
         default=flag_default("staple"),

certbot/client.py

@@ -472,8 +472,7 @@ class Client(object):
             ("hsts", "ensure-http-header", "Strict-Transport-Security"),
             ("redirect", "redirect", None),
             ("staple", "staple-ocsp", chain_path),
-            ("uir", "ensure-http-header", "Upgrade-Insecure-Requests"),
-            ("starttls_policy", "starttls-policy", None),)
+            ("uir", "ensure-http-header", "Upgrade-Insecure-Requests"),)
         supported = self.installer.supported_enhancements()
 
         for config_name, enhancement_name, option in enhancement_info:
@@ -481,8 +480,6 @@ class Client(object):
             if enhancement_name in supported:
                 if config_name == "redirect" and config_value is None:
                     config_value = enhancements.ask(enhancement_name)
-                if config_name == "starttls_policy" and config_value is not None:
-                    option = config_value
                 if config_value:
                     self.apply_enhancement(domains, enhancement_name, option)
                     enhanced = True

certbot/constants.py

@@ -60,7 +60,6 @@ CLI_DEFAULTS = dict(
     hsts=None,
     uir=None,
     staple=None,
-    starttls_policy=None,
     strict_permissions=False,
     pref_challs=[],
     validate_hooks=True,
@@ -136,7 +135,7 @@ RENEWER_DEFAULTS = dict(
 """Defaults for renewer script."""
 
 
-ENHANCEMENTS = ["redirect", "ensure-http-header", "ocsp-stapling", "spdy", "starttls-policy"]
+ENHANCEMENTS = ["redirect", "ensure-http-header", "ocsp-stapling", "spdy"]
 """List of possible :class:`certbot.interfaces.IInstaller`
 enhancements.