generate a self-signed certificate for PUBLIC_HOSTNAME and change DNS MX records to PRIMARY_HOSTNAME so it matches

scripts/dns_update.sh

@@ -69,7 +69,7 @@ for fn in $STORAGE_ROOT/dns/*.txt; do
 \$ORIGIN $zone.    ; default zone domain
 \$TTL 86400           ; default time to live
 
-@ IN SOA ns1.$zone. hostmaster.$PRIMARY_HOSTNAME. (
+@ IN SOA ns1.$PRIMARY_HOSTNAME. hostmaster.$PRIMARY_HOSTNAME. (
            $serial     ; serial number
            28800       ; Refresh
            7200        ; Retry
@@ -77,19 +77,24 @@ for fn in $STORAGE_ROOT/dns/*.txt; do
            86400       ; Min TTL
            )
 
-           NS          ns1.$zone.
-           NS          ns2.$zone.
+           NS          ns1.$PRIMARY_HOSTNAME.
+           NS          ns2.$PRIMARY_HOSTNAME.
            IN     A    $PUBLIC_IP
-           MX     10   mail.$zone.
-           
+           MX     10   $PRIMARY_HOSTNAME.
+
            300    TXT  "v=spf1 mx -all"
 
-ns1        IN     A    $PUBLIC_IP
-ns2        IN     A    $PUBLIC_IP
-mail       IN     A    $PUBLIC_IP
 www        IN     A    $PUBLIC_IP
 EOF
 
+	# In PRIMARY_HOSTNAME, also define ns1 and ns2.
+	if [ "$zone" = $PRIMARY_HOSTNAME ]; then
+		cat >> /etc/nsd3/zones/$fn2 << EOF;
+ns1        IN     A    $PUBLIC_IP
+ns2        IN     A    $PUBLIC_IP
+EOF
+	fi
+
 	# If OpenDKIM is set up, append the suggested TXT record to the zone.
 	if [ -f "$STORAGE_ROOT/mail/dkim/mail.txt" ]; then
 		cat "$STORAGE_ROOT/mail/dkim/mail.txt" >> /etc/nsd3/zones/$fn2;

scripts/mail.sh

@@ -12,9 +12,12 @@
 
 # Install packages.
 
+source /etc/mailinabox.conf # load global vars
+
 DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
 	postfix postgrey \
-	dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3
+	dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3 \
+	openssl
 
 mkdir -p $STORAGE_ROOT/mail
 
@@ -26,12 +29,16 @@ sed -i "s/#submission/submission/" /etc/postfix/master.cf
 
 # Enable TLS and require it for all user authentication.
 tools/editconf.py /etc/postfix/main.cf \
-	smtpd_use_tls=yes\
+	smtpd_tls_security_level=may\
 	smtpd_tls_auth_only=yes \
-	smtp_tls_security_level=may \
-	smtp_tls_loglevel=2 \
+	smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
+	smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
 	smtpd_tls_received_header=yes
-	# note: smtpd_use_tls=yes appears to already be the default, but we can never be too sure
+
+# When connecting to remote SMTP servers, prefer TLS.
+tools/editconf.py /etc/postfix/main.cf \
+	smtp_tls_security_level=may \
+	smtp_tls_loglevel=2
 
 # Postfix will query dovecot for user authentication.
 tools/editconf.py /etc/postfix/main.cf \
@@ -187,16 +194,22 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 	ssl=required \
 	"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
 	"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
-	
-# The Dovecot installation already created a self-signed public/private key pair
-# in /etc/dovecot/dovecot.pem and /etc/dovecot/private/dovecot.pem, which we'll
-# use unless certificates already exist. We'll move them into $STORAGE_ROOT/ssl
-# unless files exist there already.
-mkdir -p $STORAGE_ROOT/ssl
-if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then cp /etc/dovecot/dovecot.pem $STORAGE_ROOT/ssl/ssl_certificate.pem; fi
-if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then cp /etc/dovecot/private/dovecot.pem $STORAGE_ROOT/ssl/ssl_private_key.pem; fi
 
-# 
+# SSL CERTIFICATE
+	
+# Create a self-signed certifiate.
+mkdir -p $STORAGE_ROOT/ssl
+if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
+	openssl genrsa -des3 -passout pass:x -out /tmp/server.key 2048 # create key, but it has a password...
+	openssl rsa -passin pass:x -in /tmp/server.key -out $STORAGE_ROOT/ssl/ssl_private_key.pem # remove password and save it to the right location
+	rm /tmp/server.key # remove temporary password-laden key
+	openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \
+	  -subj "/C=/ST=/L=/O=/CN=$PUBLIC_HOSTNAME"
+	openssl x509 -req -days 365 \
+	  -in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
+fi
+
+# PERMISSIONS / RESTART SERVICES
 
 # Ensure configuration files are owned by dovecot and not world readable.
 chown -R mail:dovecot /etc/dovecot