From b02ceab72f4a917cc8b543d20d31d634554dc9a9 Mon Sep 17 00:00:00 2001
From: Alexander Graf
Date: Thu, 9 Sep 2021 17:30:46 +0200
Subject: [PATCH] handle DEFER_ON_TLS_ERROR as bool
use /conf/mta-sts-daemon.yml when override is missing
---
core/postfix/Dockerfile | 1 -
core/postfix/conf/main.cf | 2 +-
core/postfix/{ => conf}/mta-sts-daemon.yml | 2 +-
core/postfix/start.py | 5 +++--
4 files changed, 5 insertions(+), 5 deletions(-)
rename core/postfix/{ => conf}/mta-sts-daemon.yml (68%)
diff --git a/core/postfix/Dockerfile b/core/postfix/Dockerfile
index e93a584c..bdf45e35 100644
--- a/core/postfix/Dockerfile
+++ b/core/postfix/Dockerfile
@@ -20,7 +20,6 @@ RUN apk add --no-cache postfix postfix-pcre cyrus-sasl-login
 COPY conf /conf
 COPY start.py /start.py
-COPY mta-sts-daemon.yml /etc/
 EXPOSE 25/tcp 10025/tcp
 VOLUME ["/queue"]
diff --git a/core/postfix/conf/main.cf b/core/postfix/conf/main.cf
index 6152388c..3f478ed5 100644
--- a/core/postfix/conf/main.cf
+++ b/core/postfix/conf/main.cf
@@ -59,7 +59,7 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
 smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
-smtp_tls_dane_insecure_mx_policy = {% if DEFER_ON_TLS_ERROR == 'false' %}may{% else %}dane{% endif %}
+smtp_tls_dane_insecure_mx_policy = {{ 'dane' if DEFER_ON_TLS_ERROR else 'may' }}
 smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy.map, ${podop}dane, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
diff --git a/core/postfix/mta-sts-daemon.yml b/core/postfix/conf/mta-sts-daemon.yml
similarity index 68%
rename from core/postfix/mta-sts-daemon.yml
rename to core/postfix/conf/mta-sts-daemon.yml
index 361bcbf9..1527b73f 100644
--- a/core/postfix/mta-sts-daemon.yml
+++ b/core/postfix/conf/mta-sts-daemon.yml
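Review bot: `smtp_tls_dane_insecure_mx_policy = {{ 'dane' if DEFER_ON_TLS_ERROR else 'may' }}` changes the default for deployments that never set the variable: the old `{% if DEFER_ON_TLS_ERROR == 'false' %}` branch fell through to `dane`, the new expression renders `may`, and the mta-sts-daemon.yml hunk drops its `|default('true')` the same way, so `strict_testing` there becomes `false` when the variable is unset. The new form also only does what the title says if the value reaches the template as a real boolean; the start.py hunk still passes `os.environ`, whose values are strings unless something outside this patch coerces them, and in Jinja the non-empty string `'false'` is truthy and would still select `dane`. If start.py already coerces and defaults the variable, a comment on this line such as `# DEFER_ON_TLS_ERROR is coerced to a bool (default true) before rendering` would record that dependency; otherwise `{{ 'dane' if DEFER_ON_TLS_ERROR|default(true) else 'may' }}` at least restores the previous default.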
@@ -6,5 +6,5 @@ cache:
 options:
 cache_size: 10000
 default_zone:
- strict_testing: {{ DEFER_ON_TLS_ERROR |default('true') }}
+ strict_testing: {{ 'true' if DEFER_ON_TLS_ERROR else 'false' }}
 timeout: 4
diff --git a/core/postfix/start.py b/core/postfix/start.py
index 3de83a63..361ef3ba 100755
--- a/core/postfix/start.py
+++ b/core/postfix/start.py
@@ -76,8 +76,9 @@ for map_file in glob.glob("/overrides/*.map"):
 os.remove(destination)
 if os.path.exists("/overrides/mta-sts-daemon.yml"):
- shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
-conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
+ conf.jinja("/overrides/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
+else:
+ conf.jinja("/conf/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 if not os.path.exists("/etc/postfix/tls_policy.map.lmdb"):
 open("/etc/postfix/tls_policy.map", "a").close()
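Review bot: The override at `/overrides/mta-sts-daemon.yml` is now passed through `conf.jinja` instead of `shutil.copyfile`, so an admin-supplied override is rendered as a Jinja template with the full `os.environ` as context; any literal `{{`, `{%` or `{#` in such a file, which was copied verbatim before, is now interpreted or fails to render, which deserves a line in the override documentation and a comment above the `if`, e.g. `# overrides are Jinja templates too: rendered with os.environ, not copied verbatim`. The two branches differ only in the source path, so they can collapse to `source = "/overrides/mta-sts-daemon.yml" if os.path.exists("/overrides/mta-sts-daemon.yml") else "/conf/mta-sts-daemon.yml"` followed by `conf.jinja(source, os.environ, "/etc/mta-sts-daemon.yml")`, writing the destination path once. This code runs at module level and the surrounding statement run continues outside the hunk.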