emailrelay: conf: TLS split cert and private key

Since v2.3.1 --server-tls-certificate and --client-tls-certificate may be comma separated list of privkey and fullchain so users don't need to merge the both files. The privkey must be firts, the cert second. Reflect this in config samples. Alternatively instead of comma separated the emailrelay allows just pass two --server-tls-certificate options: one for a privkey and second time for a cert. So the server_tls_certificate option may be a list. But instead to make it easier to configure from UCI let's add a separate option server-tls-key which is dedicated for a privkey. Similarly, the client-tls-key is a private key part for the --client-tls-certificate Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
2025-12-21 19:14:30 +04:00 · 2023-08-30 20:00:45 +03:00
parent ccd014b247
commit 7383eb093b
1 changed files with 6 additions and 2 deletions
--- a/mail/emailrelay/files/emailrelay.init
+++ b/mail/emailrelay/files/emailrelay.init
@@ -10,8 +10,8 @@ NAME=emailrelay
 emailrelay_instance()
 {
 	local enabled mode port remote_clients  \
-		server_auth server_tls server_tls_required server_tls_certificate server_tls_verify \
-		client_auth client_tls client_tls_required client_tls_certificate client_tls_verify \
+		server_auth server_tls server_tls_required server_tls_key server_tls_certificate server_tls_verify \
+		client_auth client_tls client_tls_required client_tls_key client_tls_certificate client_tls_verify \
 		anonymous domain smarthost address_verifier \
 		extra_cmdline

@@ -22,6 +22,7 @@ emailrelay_instance()
 	config_get_bool remote_clients "$1" remote_clients
 	config_get_bool server_tls "$1" server_tls
 	config_get_bool server_tls_required "$1" server_tls_required
+	config_get server_tls_key "$1" server_tls_key
 	config_get server_tls_certificate "$1" server_tls_certificate
 	config_get server_tls_verify "$1" server_tls_verify
 	config_get server_auth "$1" server_auth
@@ -29,6 +30,7 @@ emailrelay_instance()
 	config_get smarthost "$1" smarthost
 	config_get_bool client_tls "$1" client_tls
 	config_get_bool client_tls_required "$1" client_tls_required
+	config_get client_tls_key "$1" client_tls_key
 	config_get client_tls_certificate "$1" client_tls_certificate
 	config_get client_tls_verify "$1" client_tls_verify
 	config_get client_auth "$1" client_auth
@@ -48,11 +50,13 @@ emailrelay_instance()
 			[ "$remote_clients" = 1 ] && procd_append_param command --remote-clients
 			[ "$server_tls" = 1 ] && procd_append_param command --server-tls
 			[ "$server_tls_required" = 1 ] && procd_append_param command --server-tls-required
+			[ -n "$server_tls_key" ] && procd_append_param command --server-tls-certificate "$server_tls_key"
 			[ -n "$server_tls_certificate" ] && procd_append_param command --server-tls-certificate "$server_tls_certificate"
 			[ -n "$server_tls_verify" ] && procd_append_param command --server-tls-verify "$server_tls_verify"
 			[ -n "$server_auth" ] && procd_append_param command --server-auth "$server_auth"
 			[ "$client_tls" = 1 ] && procd_append_param command --client-tls
 			[ "$client_tls_required" = 1 ] && procd_append_param command --client-tls-required
+			[ -n "$client_tls_key" ] && procd_append_param command --client-tls-certificate "$client_tls_key"
 			[ -n "$client_tls_certificate" ] && procd_append_param command --client-tls-certificate "$client_tls_certificate"
 			[ -n "$client_tls_verify" ] && procd_append_param command --client-tls-verify "$client_tls_verify"
 			[ -n "$client_auth" ] && procd_append_param command --client-auth "$client_auth"