From 7b990c9ff672080aac273e0be32834ff2b2116d6 Mon Sep 17 00:00:00 2001
From: Antoine Nguyen
Date: Fri, 15 Dec 2023 11:55:11 +0100
Subject: [PATCH] Replace EDH key generation by DHE group file
---
 modoboa_installer/config_dict_template.py | 4 ++++
 modoboa_installer/scripts/base.py | 2 +-
 .../scripts/files/postfix/main.cf.tpl | 2 +-
 modoboa_installer/scripts/postfix.py | 16 ++++++++++------
 4 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/modoboa_installer/config_dict_template.py b/modoboa_installer/config_dict_template.py
index 73cc2c57..bfd8f726 100644
--- a/modoboa_installer/config_dict_template.py
+++ b/modoboa_installer/config_dict_template.py
@@ -346,6 +346,10 @@ def is_email(user_input):
 "option": "message_size_limit",
 "default": "11534336",
 },
+ {
+ "option": "dhe_group",
+ "default": "4096"
+ }
 ]
 },
 {
diff --git a/modoboa_installer/scripts/base.py b/modoboa_installer/scripts/base.py
index c15cc914..43788e04 100644
--- a/modoboa_installer/scripts/base.py
+++ b/modoboa_installer/scripts/base.py
@@ -10,7 +10,7 @@
 from .. import utils
-class Installer(object):
+class Installer:
 """Simple installer for one application."""
 appname = None
diff --git a/modoboa_installer/scripts/files/postfix/main.cf.tpl b/modoboa_installer/scripts/files/postfix/main.cf.tpl
index 9bc9b446..b7d2ee45 100644
--- a/modoboa_installer/scripts/files/postfix/main.cf.tpl
+++ b/modoboa_installer/scripts/files/postfix/main.cf.tpl
@@ -41,7 +41,7 @@ smtpd_tls_auth_only = no
 smtpd_tls_CApath = /etc/ssl/certs
 smtpd_tls_key_file = %tls_key_file
 smtpd_tls_cert_file = %tls_cert_file
-smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
+smtpd_tls_dh1024_param_file = ${config_directory}/ffdhe%{dhe_group}.pem
 smtpd_tls_loglevel = 1
 smtpd_tls_session_cache_database = btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_security_level = may
diff --git a/modoboa_installer/scripts/postfix.py b/modoboa_installer/scripts/postfix.py
index a14e234c..beba9f2d 100644
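Review bot: The new `dhe_group` entry has no trailing comma after `"default": "4096"` nor after its closing `}`, unlike the `message_size_limit` entry right above it, so the next option appended to this list will produce a noisier diff; `"default": "4096",` and `},` keep the list consistent. Nothing in the entry constrains the value to the sizes that exist as `ffdhe<N>.pem` files (RFC 7919 defines 2048, 3072, 4096, 6144 and 8192), so a typo here is only discovered when the download in postfix.py fails during post_run. If the option template supports a choice list or a validator (not visible in this hunk), using it here would reject a bad value at configuration time instead.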
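Review bot: `%{dhe_group}` is the only braced placeholder in this template; the neighbouring lines use the bare `%tls_key_file` form. If the installer's substitution does not accept the braced form, the literal text `ffdhe%{dhe_group}.pem` ends up in main.cf and Postfix cannot load its DH parameters at startup, so this line deserves a rendering test or a confirmation that the braced syntax is supported. A comment above the line, `# file fetched by Postfix.check_dhe_group_file() in scripts/postfix.py`, would make the coupling between the template and the installer visible to whoever edits either side.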
--- a/modoboa_installer/scripts/postfix.py
+++ b/modoboa_installer/scripts/postfix.py
@@ -14,7 +14,6 @@ class Postfix(base.Installer):
- """Postfix installer."""
 appname = "postfix"
@@ -51,7 +50,7 @@ def install_packages(self):
 def get_template_context(self):
 """Additional variables."""
- context = super(Postfix, self).get_template_context()
+ context = super().get_template_context()
 context.update({
 "db_driver": self.db_driver,
 "dovecot_mailboxes_owner": self.config.get(
@@ -65,6 +64,13 @@ def get_template_context(self):
 })
 return context
+ def check_dhe_group_file(self):
+ group = self.config.get(self.appname, "dhe_group")
+ file_name = f"ffdhe{group}.pem"
+ if not os.path.exists(f"{self.config_dir}/{file_name}"):
+ url = f"https://raw.githubusercontent.com/internetstandards/dhe_groups/main/{file_name}"
+ utils.exec_cmd(f"wget {url}", cwd=self.config_dir)
+
 def post_run(self):
 """Additional tasks."""
 venv_path = self.config.get("modoboa", "venv_path")
@@ -86,10 +92,8 @@ def post_run(self):
 if not os.path.exists(path):
 utils.copy_file(os.path.join("/etc", f), path)
- # Generate EDH parameters
- if not os.path.exists("{}/dh2048.pem".format(self.config_dir)):
- cmd = "openssl dhparam -dsaparam -out dh2048.pem 2048"
- utils.exec_cmd(cmd, cwd=self.config_dir)
+ # Generate DHE group
+ self.check_dhe_group_file()
 # Generate /etc/aliases.db file to avoid warnings
 aliases_file = "/etc/aliases"
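Review bot: The class docstring `"""Postfix installer."""` is removed and nothing replaces it, while base.py's `Installer` keeps its own docstring in this same patch, so `Postfix` becomes the undocumented one. A one-liner such as `"""Install and configure Postfix, including the FFDHE group file its TLS setup needs."""` costs nothing and now also points at the new responsibility added below. The class body continues outside the hunk.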
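Review bot: `check_dhe_group_file` hands whatever `wget` wrote to Postfix without checking it, and the `dhe_group` value is not validated before it is spliced into both the URL and the shell command string. The RFC 7919 groups are fixed public constants, so the PEM can be pinned to a known SHA-256 (or shipped with the installer) instead of being trusted from the network at install time; as written, a 404 for an unsupported size, a truncated download or a host without `wget` leaves no usable file and, depending on whether `utils.exec_cmd` raises on a non-zero exit (not visible here), post_run may carry on while Postfix later fails to load its DH parameters. The method also has no docstring and builds the path with an f-string where the rest of post_run uses `os.path.join`. The sketch below validates the group, fetches with `urllib.request` (no shell, no `wget` dependency), verifies a pinned digest before writing, and needs `import hashlib` and `import urllib.request` at the top of postfix.py; the digest values are placeholders to be filled from a trusted copy of the groups, and the supported-size tuple should be confirmed against what the upstream repository actually publishes.
```python
    # RFC 7919 group sizes available as ffdhe<N>.pem; confirm against the upstream repository.
    SUPPORTED_DHE_GROUPS = ("2048", "3072", "4096")
    # Placeholder values: pin the SHA-256 of each PEM from a trusted copy of the groups.
    DHE_GROUP_SHA256 = {"2048": "<sha256>", "3072": "<sha256>", "4096": "<sha256>"}

    def check_dhe_group_file(self):
        """Ensure the FFDHE group file referenced by main.cf.tpl exists in config_dir.

        Downloads the pre-computed RFC 7919 group when it is missing and refuses
        to install a file whose digest does not match the pinned value.
        """
        group = self.config.get(self.appname, "dhe_group")
        if group not in self.SUPPORTED_DHE_GROUPS:
            raise ValueError(
                f"dhe_group must be one of {self.SUPPORTED_DHE_GROUPS}, got {group!r}"
            )
        file_name = f"ffdhe{group}.pem"
        path = os.path.join(self.config_dir, file_name)
        if os.path.exists(path):
            return
        url = f"https://raw.githubusercontent.com/internetstandards/dhe_groups/main/{file_name}"
        with urllib.request.urlopen(url, timeout=30) as response:
            data = response.read()
        # The groups never change, so anything that does not match the pinned
        # digest (a partial download, a changed file) must not reach Postfix.
        if hashlib.sha256(data).hexdigest() != self.DHE_GROUP_SHA256[group]:
            raise RuntimeError(f"{file_name}: downloaded content does not match the pinned digest")
        with open(path, "wb") as fp:
            fp.write(data)
```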
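Review bot: The replacement comment `# Generate DHE group` is inaccurate: `check_dhe_group_file` downloads a pre-computed group rather than generating one, which is the point of the change now that the local `openssl dhparam` generation is gone. `# Fetch the pre-computed RFC 7919 FFDHE group file if it is not already in config_dir` describes what happens, and it also tells a reader why the file name in main.cf.tpl is `ffdhe<N>.pem` rather than the old `dh2048.pem`. post_run starts and ends outside the hunk.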