STARTTLS_Everywhere

starttlsPolicyToPostfix.php

#!/usr/bin/env php
<?php
// Creative Commons CC0 (equivalent of Public Domain)

// array of mailbox domains we know for sure are dane compliant
$DANEarray = array('deviant.email', 'domblogger.net', 'librelamp.com');

# load the json
$json = file_get_contents('./policy.json');
$data = json_decode($json);

foreach($DANEarray as $DANE) {
  if(isset($data->policies->$DANE)) {
    $data->policies->$DANE->mode = 'dane';
  } else {
    // don't need to add mxs array, MX records are secured with DNSSEC
    $data->policies->$DANE = new stdClass;
    $data->policies->$DANE->mode = 'dane';
  }
}

$aliases = $data->{'policy-aliases'};
$policies = $data->policies;

foreach($policies as $domain => $policy) {
  $mode = 'may';
  $mxs = array();
  if (isset($policy->{'policy-alias'})) {
    $alias=$policy->{'policy-alias'};
    if(isset($aliases->$alias->mxs)) {
      $mxs = $aliases->$alias->mxs;
    }
    $mode = strtolower(trim($aliases->$alias->mode));
  } else {
    if(isset($policy->mxs)) {
      $mxs = $policy->mxs;
    }
    $mode = strtolower(trim($policy->mode));
  }
  switch($mode) {
    case 'testing':
      // currently starttls Everywhere does not use any modes other than testing
      //  so convert it to secure or there really is no point
      if(count($mxs) > 0) {
        print $domain . " secure protocols=TLSv1.2 ciphers=high match=" . implode(':',$mxs) . "\n";
      } else {
        print $domain . " secure protocols=TLSv1.2 ciphers=high\n";
      }
      break;
    case 'enforce':
    if(count($mxs) > 0) {
        print $domain . " secure protocols=TLSv1.2 ciphers=high match=" . implode(':',$mxs) . "\n";
      } else {
        print $domain . " secure protocols=TLSv1.2 ciphers=high\n";
      }
      break;
    case 'dane':
      print $domain . " dane-only protocols=TLSv1.2 ciphers=high\n";
      break;
    default:
      // do not understand the mode
      print $domain . " may\n";
      break;
  }
}

?>

update-postfix-tls-policy-list.sh

#!/bin/bash

# only triggers about every 8 hours on average

TRIGGER=0

MOD=$(( $RANDOM % 8 ))

if [ "x${MOD}" == "x0" ]; then
  TRIGGER=1
elif [ ! -f /etc/postfix/tls_policy ]; then
  TRIGGER=1
else
  MODDATE=`date +%s -r /etc/postfix/tls_policy`
  NOW=`date +%s`
  DIFF=$(( ${NOW} - ${MODDATE} ))
  HOURS=$(( ${DIFF} / 3600 ))
  if [ ${HOURS} -gt 35 ]; then
    TRIGGER=1
  fi
fi
if [ ! -f /usr/local/libexec/starttlsPolicyToPostfix.php ]; then
  TRIGGER=0
fi

if [ ${TRIGGER} -eq 0 ]; then
  exit 0
fi

# sleep random number of minutes up to 20
sleep $(( $RANDOM % 1200 ))

TMP=`mktemp -d /tmp/starttls.XXXXXX`
/bin/cp /usr/local/libexec/starttlsPolicyToPostfix.php ${TMP}/
pushd ${TMP} > /dev/null 2>&1
/usr/bin/curl -Os https://dl.eff.org/starttls-everywhere/policy.json
if [ $? -ne 0 ]; then
  exit 1
fi
/usr/bin/curl -Os https://dl.eff.org/starttls-everywhere/policy.json.asc
if [ $? -ne 0 ]; then
  exit 1
fi

# okay to comment out this line after first use
/usr/bin/gpg --keyserver hkp://pool.sks-keyservers.net --recv-key B693F33372E965D76D55368616EEA65D03326C9D > /dev/null 2>&1
# don't comment this out
/usr/bin/gpg --trusted-key 842AEA40C5BCD6E1 --verify policy.json.asc > /dev/null 2>&1
if [ $? -ne 0 ]; then
  exit 1
fi

/usr/bin/php starttlsPolicyToPostfix.php > tls_policy

n=`/bin/wc -l tls_policy |cut -d" " -f1`
if [ $n -gt 50 ]; then
  /bin/cat tls_policy > /etc/postfix/tls_policy
  /usr/sbin/postmap /etc/postfix/tls_policy
fi

popd > /dev/null 2>&1
rm -rf ${TMP}