emailrelay: conf: TLS split cert and private key
authorSergey Ponomarev <[email protected]>
Wed, 30 Aug 2023 17:00:45 +0000 (20:00 +0300)
committerJosef Schlehofer <[email protected]>
Wed, 21 May 2025 09:08:36 +0000 (11:08 +0200)
Since v2.3.1, --server-tls-certificate and --client-tls-certificate may be a comma-separated list of privkey and fullchain, so users don't need to merge the two files.
The privkey must be first, the cert second.
Reflect this in the config samples.

Alternatively instead of comma separated the emailrelay allows just pass two --server-tls-certificate options: one for a privkey and second time for a cert.

So the server_tls_certificate option may be a list. But instead to make it easier to configure from UCI let's add a separate option server-tls-key which is dedicated for a privkey.

Similarly, the client-tls-key is a private key part for the --client-tls-certificate

Signed-off-by: Sergey Ponomarev <[email protected]>
mail/emailrelay/files/emailrelay.init

index a9bc2b313aeb1cbccb35e44d56c05becb07ca595..93609539392dee9cd07f2a1d91063846534161df 100644 (file)
@@ -10,8 +10,8 @@ NAME=emailrelay
 emailrelay_instance()
 {
        local enabled mode port remote_clients  \
-               server_auth server_tls server_tls_required server_tls_certificate server_tls_verify \
-               client_auth client_tls client_tls_required client_tls_certificate client_tls_verify \
+               server_auth server_tls server_tls_required server_tls_key server_tls_certificate server_tls_verify \
+               client_auth client_tls client_tls_required client_tls_key client_tls_certificate client_tls_verify \
                anonymous domain smarthost address_verifier \
                extra_cmdline
 
@@ -22,6 +22,7 @@ emailrelay_instance()
        config_get_bool remote_clients "$1" remote_clients
        config_get_bool server_tls "$1" server_tls
        config_get_bool server_tls_required "$1" server_tls_required
+       config_get server_tls_key "$1" server_tls_key
        config_get server_tls_certificate "$1" server_tls_certificate
        config_get server_tls_verify "$1" server_tls_verify
        config_get server_auth "$1" server_auth
@@ -29,6 +30,7 @@ emailrelay_instance()
        config_get smarthost "$1" smarthost
        config_get_bool client_tls "$1" client_tls
        config_get_bool client_tls_required "$1" client_tls_required
+       config_get client_tls_key "$1" client_tls_key
        config_get client_tls_certificate "$1" client_tls_certificate
        config_get client_tls_verify "$1" client_tls_verify
        config_get client_auth "$1" client_auth
@@ -48,11 +50,13 @@ emailrelay_instance()
                        [ "$remote_clients" = 1 ] && procd_append_param command --remote-clients
                        [ "$server_tls" = 1 ] && procd_append_param command --server-tls
                        [ "$server_tls_required" = 1 ] && procd_append_param command --server-tls-required
+                       [ -n "$server_tls_key" ] && procd_append_param command --server-tls-certificate "$server_tls_key"
                        [ -n "$server_tls_certificate" ] && procd_append_param command --server-tls-certificate "$server_tls_certificate"
                        [ -n "$server_tls_verify" ] && procd_append_param command --server-tls-verify "$server_tls_verify"
                        [ -n "$server_auth" ] && procd_append_param command --server-auth "$server_auth"
                        [ "$client_tls" = 1 ] && procd_append_param command --client-tls
                        [ "$client_tls_required" = 1 ] && procd_append_param command --client-tls-required
+                       [ -n "$client_tls_key" ] && procd_append_param command --client-tls-certificate "$client_tls_key"
                        [ -n "$client_tls_certificate" ] && procd_append_param command --client-tls-certificate "$client_tls_certificate"
                        [ -n "$client_tls_verify" ] && procd_append_param command --client-tls-verify "$client_tls_verify"
                        [ -n "$client_auth" ] && procd_append_param command --client-auth "$client_auth"
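Review bot: The new server_tls_key line at L51 is only meaningful together with server_tls_certificate, but nothing rejects a key that is set without a certificate (the same applies to the client pair at L57); in that case the daemon is started with a single --server-tls-certificate pointing at a bare key file, which is presumably read as the old combined-PEM form, so the mistake surfaces later as a TLS failure instead of as a configuration error at startup. A guard ahead of the append, e.g. `if [ -n "$server_tls_key" ] && [ -z "$server_tls_certificate" ]; then echo "emailrelay: server_tls_key requires server_tls_certificate" >&2; return 1; fi` (mirrored for the client options), makes the misconfiguration visible where it is made. Since handing a key path to a certificate option is not self-explanatory and the two appends are order-dependent, a comment such as `# emailrelay >= 2.3.1: key and certificate may be given as two --server-tls-certificate options, key first` above L51 would help the next maintainer; the commit message also mentions updating the config samples, which I cannot see in this section, so please confirm the new options are documented there. emailrelay_instance begins and ends outside this hunk.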