SMTPD TLS Cert settings changed during upgrade

kingramon0
Posts: 27
Joined: 28 Jun 2014 19:17
Post by kingramon0 »

During the update from 3.0.2.4 to 3.0.2.5 a new self-signed TLS certificate was generated. I didn't catch this until today when one of my users told me they were no longer receiving emails from one of our external services. After troubleshooting I saw that main.cf had been altered to point to a new rsa_smtpd.pem certificate, and found the update log messages related to that change.

Code:

-- snip --
MailScanner starting ...


MailScanner started with process id 17961
Generating new, more secure, self-signed cert with common name smtp.libertypumps.com, for use with Postfix, Apache, and Webmin
Generating a 4096 bit RSA private key
................................................................................
........................................................++
......................................++
writing new private key to 'rsa_smtpd.pem'
 -- snip --
It looks like the update script assumes that the current certificate is self-signed and generates a new one.

Code:

  echo -e "Generating new, more secure, self-signed cert with common name $MyName, for use with Postfix, Apache, and Webmin"

  openssl req -new -x509 -newkey rsa:4096 -nodes -out rsa_smtpd.pem -keyout rsa_smtpd.pem -days 3650 -sha256 -subj "/C=$CountryCode/O=$OrgName/CN=$MyName"


  sed -i "/^smtp_tls_CAfile/ c\smtp_tls_CAfile = \/etc\/postfix\/ssl\/rsa_smtpd.pem" /etc/postfix/main.cf
  sed -i "/^smtpd_tls_key_file/ c\smtpd_tls_key_file = \/etc\/postfix\/ssl\/rsa_smtpd.pem" /etc/postfix/main.cf
  sed -i "/^smtpd_tls_cert_file/ c\smtpd_tls_cert_file = \/etc\/postfix\/ssl\/rsa_smtpd.pem" /etc/postfix/main.cf
  sed -i "/^smtpd_tls_CAfile/ c\smtpd_tls_CAfile = \/etc\/postfix\/ssl\/rsa_smtpd.pem" /etc/postfix/main.cf

  mkdir /etc/pki/tls/backup
  mv /etc/pki/tls/certs/localhost.crt /etc/pki/tls/backup
  mv /etc/pki/tls/private/localhost.key /etc/pki/tls/backup
  #mv /etc/pki/tls/certs/server-chain.crt /etc/pki/tls/backup

  ln -s /etc/postfix/ssl/rsa_smtpd.pem /etc/pki/tls/certs/localhost.crt
  ln -s /etc/postfix/ssl/rsa_smtpd.pem /etc/pki/tls/private/localhost.key
  ln -s /etc/postfix/ssl/rsa_smtpd.pem /etc/pki/tls/certs/server-chain.crt
It's all good now, but there probably should be a better way to address this kind of change in the future.
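The check the update script skips, written out as an added example (this is not eFa's update script and not code from the post above): before overwriting the certificate, read the cert path out of main.cf, test whether that cert is self-signed (issuer DN equals subject DN and the cert verifies against itself), and only then regenerate; a CA-issued cert is kept. The helper names (maincf_get, is_self_signed, upgrade_cert_action) are made up for this example, and it assumes openssl is on PATH and that main.cf uses plain "param = value" lines. Paths are passed in so it can be run against a copy of main.cf first.

```shell
#!/bin/sh
# Added example, not eFa's script: decide whether an upgrade may replace the
# Postfix server certificate with a freshly generated self-signed one.
# Assumes: openssl on PATH; main.cf written as "param = value" lines.

# Print the value of a main.cf parameter from a file (last definition wins,
# as in Postfix). Hypothetical helper; on a live box
# "postconf -h smtpd_tls_cert_file" gives the same answer.
maincf_get() {
    param="$1"; cf="$2"
    sed -n "s/^[[:space:]]*${param}[[:space:]]*=[[:space:]]*//p" "$cf" | tail -n 1
}

# Return 0 if the certificate in $1 is self-signed: its issuer DN equals its
# subject DN and it verifies with itself as the only trust anchor.
# Return 1 if it was issued by some other CA, 2 if the file cannot be parsed.
is_self_signed() {
    cert="$1"
    subj=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null) || return 2
    iss=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null) || return 2
    [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1
}

# Print "regenerate" only when the configured cert is missing or self-signed,
# "keep" when it was issued by a CA or cannot be inspected, so an upgrade
# never silently replaces a purchased or internal-CA certificate.
upgrade_cert_action() {
    cf="$1"
    cert=$(maincf_get smtpd_tls_cert_file "$cf")
    if [ -z "$cert" ] || [ ! -r "$cert" ]; then
        echo regenerate
        return 0
    fi
    rc=0
    is_self_signed "$cert" || rc=$?
    case "$rc" in
        0) echo regenerate ;;
        *) echo keep ;;   # CA-issued (1) or unreadable (2): do not clobber it
    esac
}

# Stand-alone use: ./check_cert.sh /etc/postfix/main.cf
if [ -n "${1:-}" ]; then
    upgrade_cert_action "$1"
fi
```

Whatever the script decides, the existing key and cert should be copied to a dated backup before anything is written, and after the upgrade the live listener is worth checking from outside with `openssl s_client -starttls smtp -connect host:25` to confirm the issuer presented is the one you expect.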