fix: Enable DH parameters (ffdhe4096) by default (#2192)

This feature was originally introduced by the PR: https://github.com/docker-mailserver/docker-mailserver/pull/1463 - Assign default DH params to use via Dockerfile build instead of copy and update at runtime. - Parameterized service names and paths. - Refactor postfix and dovecot dh methods to wrap shared dh logic - I don't see any value in checking the alternative service for dh params file to copy over, so that's now dropped too. - Another conditional check is dropped and the default fallback message for existing DH params file is no longer relevant. - Improved the remaining `_notify` messages. Collapsing the warning into a single logged message also seemed relevant. - There is no apparent need for special handling with `ONE_DIR=1`. Dropped it. - Refactor DH params tests - Combine custom and default DH param tests into single test file - docs: Add instructions to use custom DH params There is no official documented support for custom DH parameters. As no guarantee is provided, this is considered an internal change, not a breaking one.
2025-06-28 11:40:23 +02:00 · 2021-09-15 20:28:04 +12:00 · 2021-09-15 20:28:04 +12:00 · 08cd4d3371
commit 08cd4d3371
parent 54ee1e7567
7 changed files with 176 additions and 286 deletions
--- a/target/scripts/startup/setup-stack.sh
+++ b/target/scripts/startup/setup-stack.sh
@ -1301,92 +1301,30 @@ function _setup_postfix_relay_hosts

 function _setup_postfix_dhparam
 {
-  _notify 'task' 'Setting up Postfix dhparam'
-
-  if [[ ${ONE_DIR} -eq 1 ]]
-  then
-    DHPARAMS_FILE=/var/mail-state/lib-shared/dhparams.pem
-
-    if [[ ! -f ${DHPARAMS_FILE} ]]
-    then
-      _notify 'inf' "Use ffdhe4096 for dhparams (postfix)"
-      cp -f /etc/postfix/shared/ffdhe4096.pem /etc/postfix/dhparams.pem
-    else
-      _notify 'inf' "Use postfix dhparams that was generated previously"
-      _notify 'warn' "Using self-generated dhparams is considered as insecure."
-      _notify 'warn' "Unless you known what you are doing, please remove /var/mail-state/lib-shared/dhparams.pem."
-
-      # Copy from the state directory to the working location
-      cp -f "${DHPARAMS_FILE}" /etc/postfix/dhparams.pem
-    fi
-  else
-    if [[ ! -f /etc/postfix/dhparams.pem ]]
-    then
-      if [[ -f /etc/dovecot/dh.pem ]]
-      then
-        _notify 'inf' "Copy dovecot dhparams to postfix"
-        cp /etc/dovecot/dh.pem /etc/postfix/dhparams.pem
-      elif [[ -f /tmp/docker-mailserver/dhparams.pem ]]
-      then
-        _notify 'inf' "Copy pre-generated dhparams to postfix"
-        _notify 'warn' "Using self-generated dhparams is considered as insecure."
-        _notify 'warn' "Unless you known what you are doing, please remove /var/mail-state/lib-shared/dhparams.pem."
-        cp /tmp/docker-mailserver/dhparams.pem /etc/postfix/dhparams.pem
-      else
-        _notify 'inf' "Use ffdhe4096 for dhparams (postfix)"
-        cp /etc/postfix/shared/ffdhe4096.pem /etc/postfix/dhparams.pem
-      fi
-    else
-      _notify 'inf' "Use existing postfix dhparams"
-      _notify 'warn' "Using self-generated dhparams is considered insecure."
-      _notify 'warn' "Unless you known what you are doing, please remove /etc/postfix/dhparams.pem."
-    fi
-  fi
+  _setup_dhparam 'postfix' '/etc/postfix/dhparams.pem'
 }

 function _setup_dovecot_dhparam
 {
-  _notify 'task' 'Setting up Dovecot dhparam'
+  _setup_dhparam 'dovecot' '/etc/dovecot/dh.pem'
+}

-  if [[ ${ONE_DIR} -eq 1 ]]
-  then
-    DHPARAMS_FILE=/var/mail-state/lib-shared/dhparams.pem
+function _setup_dhparam
+{
+  local DH_SERVICE=$1
+  local DH_DEST=$2
+  local DH_CUSTOM=/tmp/docker-mailserver/dhparams.pem

-    if [[ ! -f ${DHPARAMS_FILE} ]]
-    then
-      _notify 'inf' "Use ffdhe4096 for dhparams (dovecot)"
-      cp -f /etc/postfix/shared/ffdhe4096.pem /etc/dovecot/dh.pem
-    else
-      _notify 'inf' "Use dovecot dhparams that was generated previously"
-      _notify 'warn' "Using self-generated dhparams is considered as insecure."
-      _notify 'warn' "Unless you known what you are doing, please remove /var/mail-state/lib-shared/dhparams.pem."
+  _notify 'task' "Setting up ${DH_SERVICE} dhparam"

-      # Copy from the state directory to the working location
-      cp -f "${DHPARAMS_FILE}" /etc/dovecot/dh.pem
-    fi
-  else
-    if [[ ! -f /etc/dovecot/dh.pem ]]
-    then
-      if [[ -f /etc/postfix/dhparams.pem ]]
-      then
-        _notify 'inf' "Copy postfix dhparams to dovecot"
-        cp /etc/postfix/dhparams.pem /etc/dovecot/dh.pem
-      elif [[ -f /tmp/docker-mailserver/dhparams.pem ]]
-      then
-        _notify 'inf' "Copy pre-generated dhparams to dovecot"
-        _notify 'warn' "Using self-generated dhparams is considered as insecure."
-        _notify 'warn' "Unless you known what you are doing, please remove /tmp/docker-mailserver/dhparams.pem."
+  if [[ -f ${DH_CUSTOM} ]]
+  then # use custom supplied dh params (assumes they're probably insecure)
+    _notify 'inf' "${DH_SERVICE} will use custom provided DH paramters."
+    _notify 'warn' "Using self-generated dhparams is considered insecure. Unless you know what you are doing, please remove ${DH_CUSTOM}."

-        cp /tmp/docker-mailserver/dhparams.pem /etc/dovecot/dh.pem
-      else
-        _notify 'inf' "Use ffdhe4096 for dhparams (dovecot)"
-        cp /etc/postfix/shared/ffdhe4096.pem /etc/dovecot/dh.pem
-      fi
-    else
-      _notify 'inf' "Use existing dovecot dhparams"
-      _notify 'warn' "Using self-generated dhparams is considered as insecure."
-      _notify 'warn' "Unless you known what you are doing, please remove /etc/dovecot/dh.pem."
-    fi
+    cp -f "${DH_CUSTOM}" "${DH_DEST}"
+  else # use official standardized dh params (provided via Dockerfile)
+    _notify 'inf' "${DH_SERVICE} will use official standardized DH parameters (ffdhe4096)."
  fi
 }