feat(config): prefer smtpd_tls_chain_files over cert/key files

If smtpd_tls_chain_files is set in pillar, use it and suppress
smtpd_tls_cert_file/smtpd_tls_key_file (including from the arbitrary
params loop). If neither is set, default to snakeoil certs.

Author: javierbertoli

kitchen.yml

@@ -259,3 +259,19 @@ suites:
     verifier:
       inspec_tests:
         - path: test/integration/default
+  - name: chain-files
+    provisioner:
+      state_top:
+        base:
+          '*':
+            - postfix._mapdata
+            - postfix
+            - postfix.config
+      pillars:
+        top.sls:
+          base:
+            '*':
+              - chain_files
+    verifier:
+      inspec_tests:
+        - path: test/integration/chain-files

postfix/files/main.cf

@@ -73,8 +73,14 @@
 {{ set_parameter('smtpd_tls_loglevel', 1) }}
 {{ set_parameter('smtpd_tls_security_level', 'may') }}
 {{ set_parameter('smtp_tls_CApath', '/etc/ssl/certs') }}
+{%- if config.get('smtpd_tls_chain_files') %}
+{{ set_parameter('smtpd_tls_chain_files') }}
+{%- do processed_parameters.append('smtpd_tls_cert_file') %}
+{%- do processed_parameters.append('smtpd_tls_key_file') %}
+{%- else %}
 {{ set_parameter('smtpd_tls_cert_file', '/etc/ssl/certs/ssl-cert-snakeoil.pem') }}
 {{ set_parameter('smtpd_tls_key_file', '/etc/ssl/private/ssl-cert-snakeoil.key') }}
+{%- endif %}
 {{ set_parameter('smtpd_tls_session_cache_database', 'btree:${data_directory}/smtpd_scache') }}
 {{ set_parameter('smtpd_tls_mandatory_ciphers', 'high') }}
 {{ set_parameter('smtpd_tls_mandatory_exclude_ciphers', ['aNULL', 'MD5']) }}

test/integration/chain-files/controls/postfix_spec.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+control 'Postfix config - smtpd_tls_chain_files' do
+  title 'smtpd_tls_chain_files suppresses cert/key files'
+
+  describe postfix_conf do
+    # chain_files should be set
+    its('smtpd_tls_chain_files') do
+      should match '/etc/ssl/private/ssl-cert-snakeoil.key'
+    end
+    # cert_file and key_file must be absent when chain_files is set
+    its('smtpd_tls_cert_file') { should be_nil }
+    its('smtpd_tls_key_file') { should be_nil }
+  end
+end

test/integration/chain-files/inspec.yml

@@ -0,0 +1,28 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+name: chain-files
+title: postfix formula - smtpd_tls_chain_files
+maintainer: SaltStack Formulas
+license: Apache-2.0
+summary: Verify that smtpd_tls_chain_files suppresses smtpd_tls_cert_file/key_file
+depends:
+  - name: share
+    path: test/integration/share
+supports:
+  - platform-name: debian
+  - platform-name: ubuntu
+  - platform-name: centos
+  - platform-name: fedora
+  - platform-name: opensuse
+  - platform-name: suse
+  - platform-name: freebsd
+  - platform-name: openbsd
+  - platform-name: amazon
+  - platform-name: oracle
+  - platform-name: arch
+  - platform-name: gentoo
+  - platform-name: almalinux
+  - platform-name: rocky
+  - platform-name: mac_os_x
+  - platform: windows

test/integration/default/controls/postfix_spec.rb

@@ -20,6 +20,7 @@
     its('smtp_tls_CApath') { should cmp '/etc/ssl/certs' }
     its('smtpd_tls_cert_file') { should cmp '/etc/postfix/ssl/server-cert.crt' }
     its('smtpd_tls_key_file') { should cmp '/etc/postfix/ssl/server-cert.key' }
+    its('smtpd_tls_chain_files') { should be_nil }
     its('smtpd_tls_session_cache_database') do
       should cmp 'btree:${data_directory}/smtpd_scache'
     end

test/salt/pillar/chain_files.sls

@@ -0,0 +1,61 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+postfix:
+  manage_master_config: true
+  enable_service: true
+  reload_service: true
+
+  config:
+    smtpd_banner: $myhostname ESMTP $mail_name
+    smtp_tls_CApath: /etc/ssl/certs
+    biff: 'no'
+    append_dot_mydomain: 'no'
+    readme_directory: 'no'
+    myhostname: localhost
+    mydestination: localhost, localhost.localdomain
+    relayhost: ''
+    mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+    mailbox_size_limit: 0
+    recipient_delimiter: +
+    inet_interfaces: 127.0.0.1
+    inet_protocols: all
+
+    alias_maps: hash:/etc/aliases
+    alias_database: hash:/etc/aliases
+
+    smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
+    smtpd_use_tls: 'yes'
+    smtpd_sasl_auth_enable: 'yes'
+    smtpd_sasl_type: dovecot
+    smtpd_sasl_path: /var/run/dovecot/auth-client
+    smtpd_recipient_restrictions: >-
+      permit_mynetworks,
+      permit_sasl_authenticated,
+      reject_unauth_destination
+    smtpd_relay_restrictions: >-
+      permit_mynetworks,
+      permit_sasl_authenticated,
+      reject_unauth_destination
+    smtpd_sasl_security_options: noanonymous
+    smtpd_sasl_tls_security_options: $smtpd_sasl_security_options
+    smtpd_tls_auth_only: 'yes'
+    smtpd_sasl_local_domain: $mydomain
+    smtpd_tls_loglevel: 1
+    smtpd_tls_session_cache_timeout: 3600s
+
+    relay_domains: '$mydestination'
+
+    # Use chain_files instead of cert/key — formula should suppress cert/key
+    smtpd_tls_chain_files:
+      - /etc/ssl/private/ssl-cert-snakeoil.key
+      - /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+    smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
+
+  aliases:
+    use_file: false
+    present:
+      root: info@example.com
+    absent:
+      - root