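--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,89 @@
+# This file is part of acme-updater, written by Helmut Pozimski 2016-2017.
+#
+# stov is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 2 of the License.
+#
+# stov is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with stov. If not, see <http://www.gnu.org/licenses/>.
+
+
+# -*- coding: utf8 -*-
+
+""" Contains the postfix module which manages certificates for the postfix
+mail server.
+"""
+
+import logging
+import socket
+import os
+import subprocess
+
+from amulib import helpers
+import OpenSSL
+
+LOGGER = logging.getLogger("acme_tlsa_mail")
+
+
+def run(config=None, acme_dir="/var/lib/acme",
+ named_key_path="/run/named/session.key"):
+ hostname = socket.gethostname()
+ fqdn = socket.getfqdn()
+ if config:
+ certificate_path = config["certificate_path"]
+ key_path = config["key_path"]
+ tlsa = config["tlsa"]
+ tlsa_ports = config["tlsa_ports"]
+ else:
+ certificate_path = "/etc/postfix/%s.crt" % hostname
+ key_path = "/etc/postfix/%s.key" % hostname
+ tlsa = True
+ tlsa_ports = [25, 465, 587]
+ try:
+ with open(certificate_path, "r") as cert_file:
+ cert_text = cert_file.read()
+ except IOError:
+ LOGGER.error("Error while opening the postfix certificate")
+ else:
+ current_cert = OpenSSL.crypto.load_certificate(
+ OpenSSL.crypto.FILETYPE_PEM, cert_text
+ )
+ acme_cert_path = os.path.join(acme_dir, "live", fqdn,
+ "cert")
+ acme_fullchain_path = os.path.join(acme_dir, "live", fqdn,
+ "fullchain")
+ if helpers.check_renewal(current_cert, acme_cert_path):
+ try:
+ with open(acme_cert_path, "r") as acme_cert_file:
+ acme_cert_text = acme_cert_file.read()
+ except IOError:
+ LOGGER.error("Error while opening new postfix "
+ "certificate file")
+ else:
+ acme_cert = OpenSSL.crypto.load_certificate(
+ OpenSSL.crypto.FILETYPE_PEM, acme_cert_text
+ )
+ if tlsa:
+ for port in tlsa_ports:
+ helpers.create_tlsa_records(fqdn, port, acme_cert,
+ named_key_path)
+ if helpers.copy_file(acme_fullchain_path, certificate_path):
+ newkey_path = os.path.join(acme_dir, "live",
+ fqdn, "privkey")
+ if helpers.copy_file(newkey_path, key_path):
+ LOGGER.info("Certificate for postfix successfully "
+ "renewed, restarting service.")
+ subprocess.call(["/etc/init.d/postfix", "restart"])
+ else:
+ LOGGER.error("Renewal of cert for postfix failed, "
+ "please clean up manually and "
+ "check the backup files!")
+ else:
+ LOGGER.error("Renewal of cert for postfix failed, "
+ "please clean up manually and "
+ "check the backup files!")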
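Review bot: The return code of `subprocess.call(["/etc/init.d/postfix", "restart"])` near the end of the hunk is discarded, so a failed restart after the key and certificate have already been swapped is logged as a successful renewal while postfix keeps serving the old certificate; check it, e.g. `if subprocess.call(["/etc/init.d/postfix", "restart"]) != 0:` followed by `LOGGER.error("Restarting postfix after certificate renewal failed")`. The two `except IOError:` handlers cover only the file reads, and a malformed PEM makes `OpenSSL.crypto.load_certificate` in the `else:` branches raise `OpenSSL.crypto.Error` and abort `run()` with a traceback, so both `load_certificate` calls belong inside their `try:` bodies with `except (IOError, OpenSSL.crypto.Error):`. Whether `helpers.copy_file` preserves restrictive permissions on the copied private key, and whether `create_tlsa_records` keeps the old record next to the new one during rollover, cannot be seen in this file; both are worth confirming, since the TLSA records are published immediately before the certificate swap. The identical "Renewal of cert for postfix failed ..." message is repeated twice and could be a module constant, and `run()` has no docstring; a one-liner such as `"""Renew the postfix certificate from the acme live directory, publish TLSA records and restart postfix."""` would help.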