postfix: Add support for ECDSA certificates

postfix/manifests/init.pp

@@ -32,6 +32,12 @@
 #   $postfix_cert:
 #       Path to SSL certificate. Defaults to puppet client certificate.
 #
+#   $postfix_ec_key:
+#       Path to ECDSA private key.
+#
+#   $postfix_ec_cert:
+#       Path to ECDSA certificate.
+#
 #   $postfix_chain:
 #       Path to intermediary CA cert.
 #
@@ -102,6 +108,27 @@ class postfix {
         notify  => Service["postfix"],
     }
 
+    if $postfix_ec_cert and $postfix_ec_key {
+        file { "${ssl::certs}/postfix-ec.crt":
+            ensure  => present,
+            source  => $postfix_ec_cert,
+            mode    => "0644",
+            owner   => "root",
+            group   => "root",
+            require => Package["postfix"],
+            notify  => Service["postfix"],
+        }
+        file { "${ssl::private}/postfix-ec.key":
+            ensure  => present,
+            source  => $postfix_ec_key,
+            mode    => "0640",
+            owner   => "root",
+            group   => "postfix",
+            require => Package["postfix"],
+            notify  => Service["postfix"],
+        }
+    }
+
     exec { "usermod-postfix-ssl-cert":
         path    => "/bin:/usr/bin:/sbin:/usr/sbin",
         command => "usermod -a -G ssl-cert postfix",

postfix/templates/main.cf.erb

@@ -736,6 +736,10 @@ smtpd_tls_CAfile = <%= scope.lookupvar('ssl::certs') %>/postfix-chain.crt
 <% end -%>
 smtpd_tls_cert_file=<%= scope.lookupvar('ssl::certs') %>/postfix.crt
 smtpd_tls_key_file=<%= scope.lookupvar('ssl::private') %>/postfix.key
+<% if @postfix_ec_cert and @postfix_ec_key -%>
+smtpd_tls_eccert_file=<%= scope.lookupvar('ssl::certs') %>/postfix-ec.crt
+smtpd_tls_eckey_file=<%= scope.lookupvar('ssl::private') %>/postfix-ec.key
+<% end -%>
 smtpd_tls_received_header = yes
 smtpd_tls_security_level = may
 smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache