STARTTLS_Everywhere
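#!/usr/bin/env php
<?php
// Creative Commons CC0 (equivalent of Public Domain)
//
// Converts the EFF STARTTLS Everywhere policy.json (expected in the current
// directory; the caller is responsible for verifying its signature first)
// into a Postfix smtp_tls_policy_maps text table on stdout.
//
// Exits non-zero when the input cannot be read or parsed, so a wrapper that
// checks the exit status never installs an empty or half-built map.

// array of mailbox domains we know for sure are dane compliant
$DANEarray = array('deviant.email', 'domblogger.net', 'librelamp.com');

# load the json
$json = file_get_contents('./policy.json');
if ($json === false) {
    fwrite(STDERR, "policy.json: unable to read\n");
    exit(1);
}
$data = json_decode($json);
// json_decode() returns null on malformed input; without this check the
// rest of the script would either print nothing or fatal with an unhelpful
// message, leaving the caller to guess why.
if (!is_object($data) || !isset($data->policies) || !is_object($data->policies)) {
    fwrite(STDERR, "policy.json: malformed, or no 'policies' object\n");
    exit(1);
}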
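// Force mode 'dane' for the domains we know publish TLSA records, adding an
// entry when policy.json has none for them.
foreach ($DANEarray as $DANE) {
    if (!isset($data->policies->$DANE)) {
        // don't need to add mxs array, MX records are secured with DNSSEC
        $data->policies->$DANE = new stdClass;
    }
    $data->policies->$DANE->mode = 'dane';
    // An entry that refers to a policy alias takes its mode from the alias
    // when the table is emitted, which would silently discard the override
    // above. Drop the reference so the local 'dane' mode is what gets used.
    unset($data->policies->$DANE->{'policy-alias'});
}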
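// Map every policy entry onto one Postfix smtp_tls_policy_maps line on stdout.
// The table is whitespace separated ("<domain> <policy> [attr=value ...]"),
// so every token that is written into a line must be free of whitespace and
// must not start with '#', which Postfix reads as a comment marker.
function starttls_token_ok($value) {
    return is_string($value) && preg_match('/^[^\s#][^\s]*$/', $value) === 1;
}

// Pinned to TLSv1.2 only. NOTE(review): Postfix releases that understand the
// "protocols=>=TLSv1.2" form would also admit TLSv1.3 with that spelling;
// confirm against the installed Postfix version before changing this.
$tlsAttrs = 'protocols=TLSv1.2 ciphers=high';

$aliases = (isset($data->{'policy-aliases'}) && is_object($data->{'policy-aliases'}))
    ? $data->{'policy-aliases'}
    : new stdClass;
$policies = $data->policies;

foreach ($policies as $domain => $policy) {
    if (!starttls_token_ok($domain)) {
        // The domain is the table key; nothing sensible can be emitted for it.
        fwrite(STDERR, "skipping policy entry with unusable domain key\n");
        continue;
    }

    // Decide where mode and mxs come from: the aliased policy, or the entry
    // itself. A dangling alias degrades to 'may' rather than guessing.
    $source = $policy;
    if (is_object($policy) && isset($policy->{'policy-alias'})) {
        $alias = $policy->{'policy-alias'};
        if (is_string($alias) && isset($aliases->$alias) && is_object($aliases->$alias)) {
            $source = $aliases->$alias;
        } else {
            fwrite(STDERR, $domain . ": unknown policy-alias, falling back to may\n");
            $source = null;
        }
    }

    $mode = 'may';
    $mxs = array();
    if (is_object($source)) {
        if (isset($source->mode) && is_string($source->mode)) {
            $mode = strtolower(trim($source->mode));
        }
        if (isset($source->mxs) && is_array($source->mxs)) {
            $mxs = $source->mxs;
        }
    }
    foreach ($mxs as $mx) {
        if (!starttls_token_ok($mx)) {
            // A broken match pattern would corrupt the line; treat the entry
            // like a mode we do not understand.
            fwrite(STDERR, $domain . ": unusable mx pattern, falling back to may\n");
            $mode = 'unusable';
            break;
        }
    }
    $matchAttr = count($mxs) > 0 ? ' match=' . implode(':', $mxs) : '';

    switch ($mode) {
        case 'testing':
            // STARTTLS Everywhere currently ships every entry as 'testing',
            // i.e. not yet enforced. Promoting it to 'secure' is this script's
            // deliberate choice (otherwise the map would do nothing); the cost
            // is that mail to a listed domain is deferred if that domain's
            // certificate or TLS configuration regresses.
            // fall through
        case 'enforce':
            print $domain . ' secure ' . $tlsAttrs . $matchAttr . "\n";
            break;
        case 'dane':
            // TLSA records identify the MX hosts, so no match= list is needed.
            print $domain . ' dane-only ' . $tlsAttrs . "\n";
            break;
        default:
            // do not understand the mode: opportunistic TLS, never worse than
            // having no entry at all
            print $domain . " may\n";
            break;
    }
}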
#!/bin/bash
# Refreshes /etc/postfix/tls_policy from the EFF STARTTLS Everywhere policy
# list. Intended for cron; each invocation first decides whether this is a
# refresh run:
#   - a 1-in-8 random chance (roughly every 8 hours on average when the job
#     is invoked hourly), or
#   - the policy file does not exist yet, or
#   - the policy file is older than 35 hours, so a refresh happens about once
#     a day even when the dice never come up.
# If the converter script is not installed there is nothing to do at all.
CONVERTER=/usr/local/libexec/starttlsPolicyToPostfix.php
POLICY=/etc/postfix/tls_policy

TRIGGER=0
if [ $(( RANDOM % 8 )) -eq 0 ]; then
    TRIGGER=1
elif [ ! -f "${POLICY}" ]; then
    TRIGGER=1
else
    # age of the installed map in whole hours (GNU date: -r reads the mtime)
    AGE_SECONDS=$(( $(date +%s) - $(date +%s -r "${POLICY}") ))
    if [ $(( AGE_SECONDS / 3600 )) -gt 35 ]; then
        TRIGGER=1
    fi
fi
if [ ! -f "${CONVERTER}" ]; then
    TRIGGER=0
fi
if [ "${TRIGGER}" -eq 0 ]; then
    exit 0
fi
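# sleep a random number of seconds, up to 20 minutes, so a fleet of servers
# does not hit dl.eff.org at the same instant
sleep $(( RANDOM % 1200 ))

# Full fingerprint of the key the policy file must be signed by (the key this
# gist originally fetched by fingerprint). The verification below pins this
# fingerprint instead of relying on gpg's exit status: `gpg --verify` exits 0
# for a good signature from ANY key in the keyring, and --trusted-key only
# silences the ownertrust warning, so on a keyring holding other keys the old
# check proved nothing about who signed. The original also passed
# --trusted-key 842AEA40C5BCD6E1, which is not the long ID of this
# fingerprint (possibly a signing subkey); comparing the primary-key
# fingerprint from VALIDSIG makes that ambiguity irrelevant.
EFF_FPR="B693F33372E965D76D55368616EEA65D03326C9D"
# Dedicated keyring so the default keyring is never consulted for this check.
KEYRING="/etc/postfix/starttls-everywhere.gpg"
# NOTE(review): the sks-keyservers.net pool has since been shut down; either
# pre-seed ${KEYRING} out of band or point this at a keyserver that answers.
KEYSERVER="hkp://pool.sks-keyservers.net"

TMP=$(mktemp -d /tmp/starttls.XXXXXX) || exit 1
# remove the work dir on every exit path, not only after success
trap 'cd / ; rm -rf "${TMP}"' EXIT
/bin/cp /usr/local/libexec/starttlsPolicyToPostfix.php "${TMP}/" || exit 1
cd "${TMP}" || exit 1

# -f: an HTTP error is a failure instead of an error page saved as
# policy.json; -S: still report errors while -s hides the progress meter.
/usr/bin/curl -fsS -O https://dl.eff.org/starttls-everywhere/policy.json || exit 1
/usr/bin/curl -fsS -O https://dl.eff.org/starttls-everywhere/policy.json.asc || exit 1

GPG=(/usr/bin/gpg --batch --no-default-keyring --keyring "${KEYRING}")
# fetch the key only when the pinned keyring does not hold it yet
if ! "${GPG[@]}" --list-keys "${EFF_FPR}" > /dev/null 2>&1; then
    "${GPG[@]}" --keyserver "${KEYSERVER}" --recv-key "${EFF_FPR}" > /dev/null 2>&1
fi
if ! "${GPG[@]}" --list-keys "${EFF_FPR}" > /dev/null 2>&1; then
    echo "starttls: signing key ${EFF_FPR} is not in ${KEYRING}; import it manually" >&2
    exit 1
fi

# Require a VALIDSIG status line whose primary-key fingerprint (last field)
# is the pinned one; a good signature from any other key is rejected.
SIGNER=$("${GPG[@]}" --status-fd 1 --verify policy.json.asc policy.json 2>/dev/null \
    | awk '/^\[GNUPG:\] VALIDSIG /{print $NF}')
if [ "${SIGNER}" != "${EFF_FPR}" ]; then
    echo "starttls: policy.json signature check failed" >&2
    exit 1
fi

/usr/bin/php starttlsPolicyToPostfix.php > tls_policy || exit 1
# sanity check: a real policy file yields far more than 50 entries; anything
# smaller is treated as a broken conversion and is not installed
n=$(/bin/wc -l < tls_policy)
if [ "${n}" -gt 50 ]; then
    # write beside the target and rename so postmap never reads a
    # half-written table
    /bin/cp tls_policy /etc/postfix/tls_policy.new \
        && /bin/mv -f /etc/postfix/tls_policy.new /etc/postfix/tls_policy \
        && /usr/sbin/postmap /etc/postfix/tls_policy
fi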