add a default certificate for the fast server

.gitignore

@@ -21,6 +21,8 @@ config/smtp.cert
 config/smtp.key
 config/lets_encrypt.pem
 config/signing.key
+config/fast_server.cert
+config/fast_server.key
 
 public/assets
 vendor/bundle

config/postal.defaults.yml

@@ -25,6 +25,8 @@ fast_server:
   port: 5010
   ssl_port: 5011
   proxy_protocol: false
+  default_private_key_path: # Defaults to config/fast_server.key
+  default_tls_certificate_path: # Defaults to config/fast_server.cert
 
 main_db:
   host: 127.0.0.1

lib/postal/config.rb

@@ -103,14 +103,14 @@ def self.smtp_from_address
     config.smtp&.from_address || "postal@example.com"
   end
 
-  def self.smtp_private_key
-    @smtp_private_key ||= OpenSSL::PKey::RSA.new(File.read(smtp_private_key_path))
-  end
-
   def self.smtp_private_key_path
     config.smtp_server.tls_private_key_path || config_root.join('smtp.key')
   end
 
+  def self.smtp_private_key
+    @smtp_private_key ||= OpenSSL::PKey::RSA.new(File.read(smtp_private_key_path))
+  end
+
   def self.smtp_certificate_path
     config.smtp_server.tls_certificate_path || config_root.join('smtp.cert')
   end
@@ -128,6 +128,31 @@ def self.smtp_certificates
     end
   end
 
+  def self.fast_server_default_private_key_path
+    config.fast_server.default_private_key_path || config_root.join('fast_server.key')
+  end
+
+  def self.fast_server_default_private_key
+    @fast_server_default_private_key ||= OpenSSL::PKey::RSA.new(File.read(fast_server_default_private_key_path))
+  end
+
+  def self.fast_server_default_certificate_path
+    config.fast_server.default_tls_certificate_path || config_root.join('fast_server.cert')
+  end
+
+  def self.fast_server_default_certificate_data
+    @fast_server_default_certificate_data ||= File.read(fast_server_default_certificate_path)
+  end
+
+  def self.fast_server_default_certificates
+    @fast_server_default_certificates ||= begin
+      certs = self.fast_server_default_certificate_data.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
+      certs.map do |c|
+        OpenSSL::X509::Certificate.new(c)
+      end.freeze
+    end
+  end
+
   def self.lets_encrypt_private_key_path
     @lets_encrypt_private_key_path ||= Postal.config_root.join('lets_encrypt.pem')
   end

lib/postal/fast_server/client.rb

@@ -140,9 +140,9 @@ def self.ssl_context(domain_name = nil)
           end
 
           if ssl_context.cert.nil?
-            ssl_context.cert = Postal.smtp_certificates[0]
-            ssl_context.extra_chain_cert = Postal.smtp_certificates[1..-1]
-            ssl_context.key  = Postal.smtp_private_key
+            ssl_context.cert = Postal.fast_server_default_certificates[0]
+            ssl_context.extra_chain_cert = Postal.fast_server_default_certificates[1..-1]
+            ssl_context.key  = Postal.fast_server_default_private_key
           end
 
           ssl_context.ssl_version = "SSLv23"

script/generate_initial_config.rb

@@ -26,3 +26,22 @@
   File.open(Postal.signing_key_path, 'w') { |f| f.write(key) }
   puts "Created new signing key for DKIM & HTTP requests"
 end
+
+unless File.exists?(Postal.fast_server_default_private_key_path)
+  key = OpenSSL::PKey::RSA.new(2048).to_s
+  File.open(Postal.fast_server_default_private_key_path, 'w') { |f| f.write(key) }
+  puts "Created new private key for default fast server TLS connections"
+end
+
+unless File.exist?(Postal.fast_server_default_certificate_path)
+  cert = OpenSSL::X509::Certificate.new
+  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/C=GB/O=Default/OU=Default/CN=default")
+  cert.not_before = Time.now
+  cert.not_after = Time.now + (365 * 24 * 60 * 60) * 10
+  cert.public_key = Postal.fast_server_default_private_key.public_key
+  cert.serial = 0x0
+  cert.version = 2
+  cert.sign Postal.fast_server_default_private_key, OpenSSL::Digest::SHA256.new
+  File.open(Postal.fast_server_default_certificate_path, 'w') { |f| f.write(cert.to_pem) }
+  puts "Created new self signed certificate for default fast server TLS connections"
+end