From 2e8bb4ae34d5d0e4541a9f28b51741e0bf13f2d2 Mon Sep 17 00:00:00 2001
From: James
Date: Thu, 8 Mar 2018 15:51:10 -0600
Subject: [PATCH] Allow configuring SRS secrets using the environment (#885)
---
 .env.dist | 15 +++++++++++++++
 README.md | 8 ++++++++
 target/postsrsd-wrapper.sh | 7 +++++--
 3 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/.env.dist b/.env.dist
index 873883d7..ca349df3 100644
--- a/.env.dist
+++ b/.env.dist
@@ -237,3 +237,18 @@ SASLAUTHD_LDAP_FILTER=
 # empty => No sasl_passwd will be created
 # string => `/etc/postfix/sasl_passwd` will be created with the string as password
 SASL_PASSWD=
+
+# -----------------------------------------------------------------------------------------------------------------------------
+# ---------------- SRS section --------------------------------------------------------------------------------------------
+# -----------------------------------------------------------------------------------------------------------------------------
+
+# empty => Envelope sender will be rewritten for all domains
+# provide comma separated list of domains to exclude from rewriting
+SRS_EXCLUDE_DOMAINS=
+
+# empty => generated when the image is built
+# provide a secret to use in base64
+# you may specify multiple keys, comma separated. the first one is used for
+# signing and the remaining will be used for verification. this is how you
+# rotate and expire keys
+SRS_SECRET=
diff --git a/README.md b/README.md
index bf04b807..c15fde22 100644
--- a/README.md
+++ b/README.md
@@ -505,3 +505,11 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1`
 - **empty** => Envelope sender will be rewritten for all domains
 - provide comma seperated list of domains to exclude from rewriting
+
+##### SRS_SECRET
+
+ - **empty** => generated when the image is built
+ - provide a secret to use in base64 **(recommended)**
+ - you may specify multiple keys, comma separated. the first one is used for signing and the remaining will be used for verification. this is how you rotate and expire keys
+ - if you have a cluster/swarm make sure the same keys are on all nodes
+ - example command to generate a key: `dd if=/dev/urandom bs=24 count=1 2>/dev/null | base64`
diff --git a/target/postsrsd-wrapper.sh b/target/postsrsd-wrapper.sh
index 93792bdc..ccd9c6a5 100644
--- a/target/postsrsd-wrapper.sh
+++ b/target/postsrsd-wrapper.sh
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash
-# postsrsd-wrapper.sh, version 0.2.0
+# postsrsd-wrapper.sh, version 0.2.1
 DOMAINNAME="$(hostname -d)"
 sed -i -e "s/localdomain/$DOMAINNAME/g" /etc/default/postsrsd
+if [ -n "$SRS_SECRET" ]; then
+ echo "$SRS_SECRET" | tr ',' '\n' > /etc/postsrsd.secret
+fi
+
 if [ -n "$SRS_EXCLUDE_DOMAINS" ]; then
 sed -i -e "s/^#\?SRS_EXCLUDE_DOMAINS=.*$/SRS_EXCLUDE_DOMAINS=$SRS_EXCLUDE_DOMAINS/g" /etc/default/postsrsd
 fi
 /etc/init.d/postsrsd start
-
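Review bot: The secret file is written by `echo "$SRS_SECRET" | tr ',' '\n' > /etc/postsrsd.secret` with whatever mode the default umask yields (and, if the build-time file already exists, whatever mode it already had), so the SRS signing keys may be readable by every process in the container; `echo` will also mangle a value that happens to start with `-n` or `-e`. I would write the line as `printf '%s\n' "$SRS_SECRET" | tr ',' '\n' > /etc/postsrsd.secret` followed by `chmod 600 /etc/postsrsd.secret`, adjusting the owner to whatever user the postsrsd init script reads the file as if it does so after dropping privileges, which cannot be confirmed from this hunk. The wrapper sets no `set -e`, so a failed write would silently start postsrsd with the build-time secret; appending `|| exit 1` to the write line surfaces that. A comment above the new `if`, such as `# SRS_SECRET: comma-separated keys, first signs, rest verify; one key per line for postsrsd`, would make the file format explicit for the next maintainer. Note that the secret also remains in the container environment regardless of how the file is written.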