From 7ca414fc9f229e5673a58e6abc5ec7e36e0c410a Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Tue, 5 Nov 2013 01:14:45 +0200
Subject: [PATCH] postfix: Add support for ECDSA certificates

---
 postfix/manifests/init.pp | 27 +++++++++++++++++++++++++++
 postfix/templates/main.cf.erb | 4 ++++
 2 files changed, 31 insertions(+)

diff --git a/postfix/manifests/init.pp b/postfix/manifests/init.pp
index 71c7ae7..beb12c3 100644
--- a/postfix/manifests/init.pp
+++ b/postfix/manifests/init.pp
@@ -32,6 +32,12 @@
 # $postfix_cert:
 # Path to SSL certificate. Defaults to puppet client certificate.
 #
+# $postfix_ec_key:
+# Path to ECDSA private key.
+#
+# $postfix_ec_cert:
+# Path to ECDSA certificate.
+#
 # $postfix_chain:
 # Path to intermediary CA cert.
 #
@@ -102,6 +108,27 @@ class postfix {
 notify => Service["postfix"],
 }
 
+ if $postfix_ec_cert and $postfix_ec_key {
+ file { "${ssl::certs}/postfix-ec.crt":
+ ensure => present,
+ source => $postfix_ec_cert,
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ require => Package["postfix"],
+ notify => Service["postfix"],
+ }
+ file { "${ssl::private}/postfix-ec.key":
+ ensure => present,
+ source => $postfix_ec_key,
+ mode => "0640",
+ owner => "root",
+ group => "postfix",
+ require => Package["postfix"],
+ notify => Service["postfix"],
+ }
+ }
+
 exec { "usermod-postfix-ssl-cert":
 path => "/bin:/usr/bin:/sbin:/usr/sbin",
 command => "usermod -a -G ssl-cert postfix",
diff --git a/postfix/templates/main.cf.erb b/postfix/templates/main.cf.erb
index 42e3681..fd5d2a3 100644
--- a/postfix/templates/main.cf.erb
+++ b/postfix/templates/main.cf.erb
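Review bot: The new `$postfix_ec_key` and `$postfix_ec_cert` entries in the header comment do not say that the two must be set together, yet the second hunk in this file and the main.cf.erb hunk only act when both are defined, so setting one alone silently deploys nothing. Suggest adding to each entry a line such as `#   Only used when both $postfix_ec_key and $postfix_ec_cert are set.`. It would also help to state the expected form of the value (a Puppet file `source`, as it is passed straight to `source =>` below) so it is not confused with a local path.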
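Review bot: The `file { "${ssl::private}/postfix-ec.key": ... }` resource leaves `backup` at its default, so each time the key is rotated Puppet copies the previous private key into the client filebucket, outside the 0640 root:postfix permissions this resource sets; add `backup => false,` to that resource (and to the certificate resource for consistency). The key is given `group => "postfix"` while the `usermod-postfix-ssl-cert` exec just below adds the postfix user to `ssl-cert`, which suggests the existing RSA key uses a different ownership convention — worth confirming both keys are readable by whichever Postfix process opens them, otherwise one of the two certificates will fail to load at startup. The enclosing `class postfix` body continues outside the hunk.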
@@ -736,6 +736,10 @@ smtpd_tls_CAfile = <%= scope.lookupvar('ssl::certs') %>/postfix-chain.crt
 <% end -%>
 smtpd_tls_cert_file=<%= scope.lookupvar('ssl::certs') %>/postfix.crt
 smtpd_tls_key_file=<%= scope.lookupvar('ssl::private') %>/postfix.key
+<% if @postfix_ec_cert and @postfix_ec_key -%>
+smtpd_tls_eccert_file=<%= scope.lookupvar('ssl::certs') %>/postfix-ec.crt
+smtpd_tls_eckey_file=<%= scope.lookupvar('ssl::private') %>/postfix-ec.key
+<% end -%>
 smtpd_tls_received_header = yes
 smtpd_tls_security_level = may
 smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
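Review bot: `smtpd_tls_eccert_file` points at a bare certificate while chain handling for the existing RSA certificate relies on `smtpd_tls_CAfile` / postfix-chain.crt from the lines above; if the ECDSA certificate is issued by a different intermediate, that chain will not cover it and clients may be unable to build a path. Postfix accepts intermediate certificates appended to the server certificate file, so either document that `$postfix_ec_cert` should carry its own issuer chain or add a matching chain variable; a comment above the `<% if` line such as `# ECDSA cert file must contain its own intermediate CA certs when they differ from postfix-chain.crt` would capture the constraint. The condition here duplicates the one in init.pp; the two must stay in sync or main.cf will reference files that were never deployed.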