From b7235d33f0fb6bad0f8b229c444d2a45c6f9622c Mon Sep 17 00:00:00 2001
From: Benjamin Sonntag
Date: Sun, 24 Jun 2018 18:23:39 +0200
Subject: [PATCH] [enh] not using apache.pem anymore: using /etc/ssl/*/alternc-*.pem|key

---
 .../alternc/postfix/postfix-slave.cf | 30 ++++++++++---
 .../templates/alternc/postfix/postfix.cf | 45 +++++++++----------
 .../templates/dovecot/conf.d/95_alternc.conf | 2 -
 .../templates/dovecot/conf.d/96_ssl.conf | 4 +-
 etc/alternc/templates/proftpd/proftpd.conf | 4 +-
 5 files changed, 48 insertions(+), 37 deletions(-)

diff --git a/etc/alternc/templates/alternc/postfix/postfix-slave.cf b/etc/alternc/templates/alternc/postfix/postfix-slave.cf
index 3afcb183..a9677fd5 100644
--- a/etc/alternc/templates/alternc/postfix/postfix-slave.cf
+++ b/etc/alternc/templates/alternc/postfix/postfix-slave.cf
@@ -4,20 +4,36 @@ header_checks = regexp:/etc/postfix/header_checks
 body_checks = regexp:/etc/postfix/body_checks
 local_destination_concurrency_limit = 8
 default_destination_concurrency_limit = 10
+# TLS
 smtpd_use_tls = yes
-smtpd_tls_dcert_file = /etc/alternc/apache.pem
-smtpd_tls_dkey_file = $smtpd_tls_dcert_file
-smtpd_tls_CApath = /etc/ssl/certs/
-smtpd_tls_key_file = $smtpd_tls_dcert_file
+smtpd_tls_dcert_file = /etc/ssl/certs/alternc-postfix.pem
+smtpd_tls_dkey_file = /etc/ssl/private/alternc-postfix.key
+smtpd_tls_key_file = $smtpd_tls_dkey_file
 smtpd_tls_cert_file = $smtpd_tls_dcert_file
+smtp_tls_dcert_file = $smtpd_tls_dcert_file
+smtp_tls_dkey_file = $smtpd_tls_dkey_file
+smtp_tls_cert_file = $smtpd_tls_dcert_file
+smtp_tls_key_file = $smtpd_tls_dkey_file
+smtpd_tls_CApath = /etc/ssl/certs/
+smtp_tls_CApath = $smtpd_tls_CApath
 smtpd_tls_loglevel = 0
 smtpd_tls_received_header = yes
 smtpd_tls_session_cache_timeout = 3600s
 smtp_use_tls = yes
-smtp_tls_dcert_file = $smtpd_tls_dcert_file
-smtp_tls_dkey_file = $smtpd_tls_dcert_file
-smtp_tls_CApath = $smtpd_tls_CApath
 smtpd_tls_auth_only = yes
+smtp_use_tls = yes
+smtp_tls_security_level = may
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtpd_tls_protocols = TLSv1, TLSv1.1, TLSv1.2
+smtp_tls_protocols = TLSv1, TLSv1.1, TLSv1.2
+smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
+smtp_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
+tls_preempt_cipherlist = yes
+smtpd_tls_mandatory_ciphers = high
+smtp_tls_mandatory_ciphers = high
+smtpd_tls_ciphers = high
+smtp_tls_ciphers = high
+# SASL
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_local_domain = postfix
 smtpd_sasl_security_options = noanonymous
diff --git a/etc/alternc/templates/alternc/postfix/postfix.cf b/etc/alternc/templates/alternc/postfix/postfix.cf
index 991d05f5..d2a4fc72 100644
--- a/etc/alternc/templates/alternc/postfix/postfix.cf
+++ b/etc/alternc/templates/alternc/postfix/postfix.cf
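Review bot: The new side of this hunk assigns `smtp_use_tls = yes` twice — the kept context line right after `smtpd_tls_session_cache_timeout`, and the added line right after `smtpd_tls_auth_only = yes`. Postfix takes the last assignment and, as far as I recall, logs an "overriding earlier entry" warning for the duplicate on every start, which trains operators to ignore main.cf warnings. Since `smtp_tls_security_level = may` is also set in this hunk and supersedes the legacy `smtp_use_tls` parameter, I would drop the added duplicate line `smtp_use_tls = yes` rather than keep both. Separately, `smtpd_tls_protocols = TLSv1, TLSv1.1, TLSv1.2` and its `smtp_tls_protocols` twin (also added in the postfix.cf hunk) are inclusion lists, which silently exclude any newer protocol version once the OpenSSL build offers it; Postfix documents the exclusion form, `smtpd_tls_protocols = !SSLv2, !SSLv3` and `smtp_tls_protocols = !SSLv2, !SSLv3`, as the forward-compatible spelling.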
@@ -22,18 +22,32 @@ smtpd_client_connection_rate_limit=50
 smtp_mx_session_limit = 1
 #### TLS options
 smtpd_use_tls = yes
-smtpd_tls_dcert_file = /etc/alternc/apache.pem
-smtpd_tls_dkey_file = $smtpd_tls_dcert_file
-smtpd_tls_CApath = /etc/ssl/certs/
-smtpd_tls_key_file = $smtpd_tls_dcert_file
+smtpd_tls_dcert_file = /etc/ssl/certs/alternc-postfix.pem
+smtpd_tls_dkey_file = /etc/ssl/private/alternc-postfix.key
+smtpd_tls_key_file = $smtpd_tls_dkey_file
 smtpd_tls_cert_file = $smtpd_tls_dcert_file
+smtp_tls_dcert_file = $smtpd_tls_dcert_file
+smtp_tls_dkey_file = $smtpd_tls_dkey_file
+smtp_tls_cert_file = $smtpd_tls_dcert_file
+smtp_tls_key_file = $smtpd_tls_dkey_file
+smtpd_tls_CApath = /etc/ssl/certs/
+smtp_tls_CApath = $smtpd_tls_CApath
 smtpd_tls_loglevel = 0
 smtpd_tls_received_header = yes
 smtpd_tls_session_cache_timeout = 3600s
-smtp_tls_dcert_file = $smtpd_tls_dcert_file
-smtp_tls_dkey_file = $smtpd_tls_dcert_file
-smtp_tls_CApath = $smtpd_tls_CApath
 smtpd_tls_auth_only = no
+smtp_use_tls = yes
+smtp_tls_security_level = may
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtpd_tls_protocols = TLSv1, TLSv1.1, TLSv1.2
+smtp_tls_protocols = TLSv1, TLSv1.1, TLSv1.2
+smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
+smtp_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
+tls_preempt_cipherlist = yes
+smtpd_tls_mandatory_ciphers = high
+smtp_tls_mandatory_ciphers = high
+smtpd_tls_ciphers = high
+smtp_tls_ciphers = high
 #SASL options
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_local_domain = postfix
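Review bot: The new certificate is wired in through the DSA-specific parameters — `smtpd_tls_dcert_file = /etc/ssl/certs/alternc-postfix.pem` and `smtpd_tls_dkey_file = /etc/ssl/private/alternc-postfix.key` — while the RSA slots `smtpd_tls_cert_file`/`smtpd_tls_key_file` and all four `smtp_tls_*` variants are only aliases of those two; the postfix-slave.cf hunk does the same. Postfix documents `*_dcert_file`/`*_dkey_file` as the DSA certificate and key, so the same files end up loaded into both the RSA and DSA slots; I believe OpenSSL tolerates that, but it misleads the next reader about which key type is in use and doubles every path alias. I would put the paths on `smtpd_tls_cert_file` and `smtpd_tls_key_file` directly, alias only the `smtp_tls_cert_file`/`smtp_tls_key_file` pair to them, and drop the four `d`-variants, as sketched below. A one-line comment above the key path would also help operators keep its permissions right, e.g. `# private key: root-owned, mode 0600 (Postfix reads it before dropping privileges, as far as I know)`.
```ini
# … unchanged: #### TLS options / smtpd_use_tls …
# private key: root-owned, mode 0600 (Postfix reads it before dropping privileges, as far as I know)
smtpd_tls_cert_file = /etc/ssl/certs/alternc-postfix.pem
smtpd_tls_key_file = /etc/ssl/private/alternc-postfix.key
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file
# … unchanged: smtpd_tls_CApath, smtp_tls_CApath and the remaining TLS/SASL options …
```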
@@ -68,20 +82,3 @@ message_size_limit = 100000000
 virtual_mailbox_limit = 0
 mailbox_size_limit = 0
 enable_original_recipient = no
-smtp_tls_dcert_file = $smtpd_tls_dcert_file
-smtp_tls_dkey_file = $smtpd_tls_dcert_file
-smtp_tls_CAfile = $smtpd_tls_CAfile
-smtp_tls_key_file = $smtpd_tls_dcert_file
-smtp_tls_cert_file = $smtpd_tls_dcert_file
-smtp_use_tls = yes
-smtp_tls_security_level = may
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtpd_tls_protocols = TLSv1, TLSv1.1, TLSv1.2
-smtp_tls_protocols = TLSv1, TLSv1.1, TLSv1.2
-smtpd_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
-smtp_tls_exclude_ciphers = aNULL, DES, 3DES, MD5, DES+MD5, RC4
-tls_preempt_cipherlist = yes
-smtpd_tls_mandatory_ciphers = high
-smtp_tls_mandatory_ciphers = high
-smtpd_tls_ciphers = high
-smtp_tls_ciphers = high
diff --git a/etc/alternc/templates/dovecot/conf.d/95_alternc.conf b/etc/alternc/templates/dovecot/conf.d/95_alternc.conf
index dda55336..14e6c7d7 100644
--- a/etc/alternc/templates/dovecot/conf.d/95_alternc.conf
+++ b/etc/alternc/templates/dovecot/conf.d/95_alternc.conf
@@ -157,9 +157,7 @@ ssl = yes
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root.
 #ssl_cert =