From abb793605b54a1c4b333056320cf23adeb1bdd74 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 20 Nov 2017 06:39:58 +0100
Subject: [PATCH] mail/postfix: merge recent additions from master

---
 .../OPNsense/Postfix/forms/general.xml        | 18 ++++
 .../app/models/OPNsense/Postfix/General.xml   | 17 ++++
 .../OPNsense/Postfix/generate_certs.php       | 85 +++++++++++++++++++
 .../scripts/OPNsense/Postfix/setup.sh         |  2 +
 .../templates/OPNsense/Postfix/main.cf        | 10 +++
 5 files changed, 132 insertions(+)
 create mode 100755 mail/postfix/src/opnsense/scripts/OPNsense/Postfix/generate_certs.php

diff --git a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
index 2e974c035..e6eb63bb6 100644
--- a/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
+++ b/mail/postfix/src/opnsense/mvc/app/controllers/OPNsense/Postfix/forms/general.xml
@@ -61,6 +61,24 @@
         <type>checkbox</type>
         <help>This will disable known weak ciphers like DES, RC4 or MD5.</help>
     </field>
+    <field>
+        <id>general.certificate</id>
+        <label>Server Certificate</label>
+        <type>dropdown</type>
+        <help>Choose the certificate to use when other servers want to do TLS with you.</help>
+    </field>
+    <field>
+        <id>general.ca</id>
+        <label>Root CA</label>
+        <type>dropdown</type>
+        <help>Choose the Certificate Authority which signed your certificate.</help>
+    </field>
+    <field>
+        <id>general.smtpclient_security</id>
+        <label>SMTP Client Security</label>
+        <type>dropdown</type>
+        <help>Choose "none" to disable TLS for sending mail. Set encrypt to enforce TLS security, please do not use this for Internet wide communication as not every server supports TLS yet. Default is "may" which will use TLS when offered.</help>
+    </field>
     <field>
         <id>general.reject_unauth_pipelining</id>
         <label>Reject Unauthenticated Pipelining</label>
diff --git a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
index 1bfd70ba5..208abb098 100644
--- a/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
+++ b/mail/postfix/src/opnsense/mvc/app/models/OPNsense/Postfix/General.xml
@@ -43,6 +43,23 @@
             <default>1</default>
             <Required>Y</Required>
         </disable_weak_ciphers>
+        <certificate type="CertificateField">
+            <Type>cert</Type>
+            <Required>N</Required>
+        </certificate>
+        <ca type="CertificateField">
+            <Type>ca</Type>
+            <Required>N</Required>
+        </ca>
+        <smtpclient_security type="OptionField">
+            <default>may</default>
+            <Required>Y</Required>
+            <OptionValues>
+                <none>none</none>
+                <may>may</may>
+                <encrypt>encrypt</encrypt>
+            </OptionValues>
+        </smtpclient_security>
         <check_recipient_access type="ArrayField">
         </check_recipient_access>
         <reject_unauth_pipelining type="BooleanField">
diff --git a/mail/postfix/src/opnsense/scripts/OPNsense/Postfix/generate_certs.php b/mail/postfix/src/opnsense/scripts/OPNsense/Postfix/generate_certs.php
new file mode 100755
index 000000000..a36c14953
--- /dev/null
+++ b/mail/postfix/src/opnsense/scripts/OPNsense/Postfix/generate_certs.php
@@ -0,0 +1,85 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ *    Copyright (C) 2015 Deciso B.V.
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+// use legacy code to generate certs and ca's
+// eventually we need to replace this.
+require_once("config.inc");
+require_once("certs.inc");
+require_once("legacy_bindings.inc");
+
+use OPNsense\Core\Config;
+
+$cert_pem_filename = '/usr/local/etc/postfix/cert_opn.pem';
+$cert_pem_content = '';
+
+$ca_pem_filename = '/usr/local/etc/postfix/ca_opn.pem';
+$ca_pem_content = '';
+
+// traverse Postfix plugin for certficiates
+$configObj = Config::getInstance()->object();
+if (isset($configObj->OPNsense->postfix)) {
+    foreach ($configObj->OPNsense->postfix->children() as $find_cert) {
+        $cert_refid = (string)$find_cert->certificate;
+        // if eap has a certificate attached, search for its contents
+        if ($cert_refid != "") {
+            foreach ($configObj->cert as $cert) {
+                if ($cert_refid == (string)$cert->refid) {
+                    // generate cert pem file
+                    $pem_content = trim(str_replace("\n\n", "\n", str_replace(
+                        "\r",
+                        "",
+                        base64_decode((string)$cert->crt)
+                    )));
+
+                    $pem_content .= "\n";
+                    $pem_content .= trim(str_replace(
+                        "\n\n",
+                        "\n",
+                        str_replace("\r", "", base64_decode((string)$cert->prv))
+                    ));
+                    $pem_content .= "\n";
+                    $cert_pem_content .= $pem_content;
+                    // generate ca pem file
+                    if (!empty($cert->caref)) {
+                        $cert = (array)$cert;
+                        $ca_pem_content .= ca_chain($cert);
+                    }
+                }
+            }
+        }
+    }
+}
+
+file_put_contents($cert_pem_filename, $cert_pem_content);
+chmod($cert_pem_filename, 0600);
+echo "Certificates generated $cert_pem_filename\n";
+
+file_put_contents($ca_pem_filename, $ca_pem_content);
+chmod($ca_pem_filename, 0600);
+echo "Certificates generated $ca_pem_filename\n";
diff --git a/mail/postfix/src/opnsense/scripts/OPNsense/Postfix/setup.sh b/mail/postfix/src/opnsense/scripts/OPNsense/Postfix/setup.sh
index 5a153a51e..f588dedd9 100755
--- a/mail/postfix/src/opnsense/scripts/OPNsense/Postfix/setup.sh
+++ b/mail/postfix/src/opnsense/scripts/OPNsense/Postfix/setup.sh
@@ -30,3 +30,5 @@ chown -R root:postfix /var/spool/postfix/pid
 postmap /usr/local/etc/postfix/transport
 postmap /usr/local/etc/postfix/recipient_access
 postmap /usr/local/etc/postfix/sender_access
+
+/usr/local/opnsense/scripts/OPNsense/Postfix/generate_certs.php
diff --git a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
index b9f248b5b..853266808 100644
--- a/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
+++ b/mail/postfix/src/opnsense/service/templates/OPNsense/Postfix/main.cf
@@ -75,6 +75,16 @@ smtp_tls_protocols=!SSLv2,!SSLv3
 {% if helpers.exists('OPNsense.postfix.general.disable_weak_ciphers') and OPNsense.postfix.general.disable_weak_ciphers == '1' %}
 smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
 {% endif %}
+{% if helpers.exists('OPNsense.postfix.general.smtpclient_security') and OPNsense.postfix.general.smtpclient_security != '' %}
+smtp_tls_security_level = {{ OPNsense.postfix.general.smtpclient_security }}
+{% endif %}
+{% if helpers.exists('OPNsense.postfix.general.certificate') and OPNsense.postfix.general.certificate != '' %}
+smtpd_use_tls = yes
+smtpd_tls_cert_file = /usr/local/etc/postfix/cert_opn.pem
+{% endif %}
+{% if helpers.exists('OPNsense.postfix.general.ca') and OPNsense.postfix.general.ca != '' %}
+smtpd_tls_CAfile = /usr/local/etc/postfix/ca_opn.pem
+{% endif %}
 
 {% if helpers.exists('OPNsense.postfix.antispam.enable_rspamd') and OPNsense.postfix.antispam.enable_rspamd == '1' %}
 smtpd_milters = inet:localhost:11332