From b86656243f3936b8e275fe4d94f31f8ce5d24288 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Sat, 2 Aug 2014 15:39:47 +0000
Subject: [PATCH] avoid mail.log warnings about untrusted certificates on outgoing mail, fixes #124

---
 setup/mail-postfix.sh | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
index 23c6c649..69805ea1 100755
--- a/setup/mail-postfix.sh
+++ b/setup/mail-postfix.sh
@@ -31,7 +31,7 @@ source /etc/mailinabox.conf # load global vars
 # Install packages.
-apt_install postfix postgrey postfix-pcre
+apt_install postfix postgrey postfix-pcre ca-certificates
 # Basic Settings
@@ -75,15 +75,27 @@ tools/editconf.py /etc/postfix/main.cf \
 smtpd_tls_received_header=yes
 # When connecting to remote SMTP servers, prefer TLS and use DANE if available.
-# Postfix queries for the TLSA record on the destination MX host. If no TLSA records are found,
+#
+# Prefering ("opportunistic") TLS means Postfix will accept whatever SSL certificate the remote
+# end provides, if the remote end offers STARTTLS during the connection. DANE takes this a
+# step further:
+#
+# Postfix queries DNS for the TLSA record on the destination MX host. If no TLSA records are found,
 # then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records
 # or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC
 # itself but assumes the system's nameserver does and reports DNSSEC status. Thus this also
 # relies on our local bind9 server being present and smtp_dns_support_level being set to dnssec
 # to use it.
+#
+# The smtp_tls_CAfile is superflous, but it turns warnings in the logs about untrusted certs
+# into notices about trusted certs. Since in these cases Postfix is doing opportunistic TLS,
+# it does not care about whether the remote certificate is trusted. But, looking at the logs,
+# it's nice to be able to see that the connection was in fact encrypted for the right party.
+# The CA file is provided by the package ca-certificates.
 tools/editconf.py /etc/postfix/main.cf \
 smtp_tls_security_level=dane \
 smtp_dns_support_level=dnssec \
+ smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt \
 smtp_tls_loglevel=2
 # Incoming Mail
@@ -137,4 +149,4 @@ ufw_allow submission
 # Restart services
-restart_service postfix
\ No newline at end of file
+restart_service postfix
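Review bot: The new comment block overstates what the added `smtp_tls_CAfile` line buys: as I read Postfix's TLS logging, a "Trusted TLS connection" entry only means the remote chain validated against the CA bundle, not that the certificate name matched the MX host, so it does not show the session was "encrypted for the right party". When no TLSA records exist Postfix falls back to the opportunistic level and performs no name check, so a certificate from any public CA for any name is logged as trusted as well; only "Verified" (a DANE match, or a verifying security level) says anything about who the peer is. I would reword the last two sentences of the added comment to something like `# it's nice to see that the remote presented a certificate chaining to a public CA ("Trusted"); only a DANE match (logged as "Verified") says anything about who the peer actually is.` so a future reader does not treat the log line as authentication evidence. Two typos in the new comment lines while there: `Prefering` should be `Preferring` and `superflous` should be `superfluous`.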