mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-11-22 02:17:26 +00:00
generate a self-signed certificate for PUBLIC_HOSTNAME and change DNS MX records to PRIMARY_HOSTNAME so it matches
This commit is contained in:
Joshua Tauberer
parent
0403d27712
commit
548cc8a0f6
@ -69,7 +69,7 @@ for fn in $STORAGE_ROOT/dns/*.txt; do
|
|||||||
\$ORIGIN $zone. ; default zone domain
|
\$ORIGIN $zone. ; default zone domain
|
||||||
\$TTL 86400 ; default time to live
|
\$TTL 86400 ; default time to live
|
||||||
|
|
||||||
@ IN SOA ns1.$zone. hostmaster.$PRIMARY_HOSTNAME. (
|
@ IN SOA ns1.$PRIMARY_HOSTNAME. hostmaster.$PRIMARY_HOSTNAME. (
|
||||||
$serial ; serial number
|
$serial ; serial number
|
||||||
28800 ; Refresh
|
28800 ; Refresh
|
||||||
7200 ; Retry
|
7200 ; Retry
|
||||||
@ -77,19 +77,24 @@ for fn in $STORAGE_ROOT/dns/*.txt; do
|
|||||||
86400 ; Min TTL
|
86400 ; Min TTL
|
||||||
)
|
)
|
||||||
|
|
||||||
NS ns1.$zone.
|
NS ns1.$PRIMARY_HOSTNAME.
|
||||||
NS ns2.$zone.
|
NS ns2.$PRIMARY_HOSTNAME.
|
||||||
IN A $PUBLIC_IP
|
IN A $PUBLIC_IP
|
||||||
MX 10 mail.$zone.
|
MX 10 $PRIMARY_HOSTNAME.
|
||||||
|
|
||||||
300 TXT "v=spf1 mx -all"
|
300 TXT "v=spf1 mx -all"
|
||||||
|
|
||||||
ns1 IN A $PUBLIC_IP
|
|
||||||
ns2 IN A $PUBLIC_IP
|
|
||||||
mail IN A $PUBLIC_IP
|
|
||||||
www IN A $PUBLIC_IP
|
www IN A $PUBLIC_IP
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
# In PRIMARY_HOSTNAME, also define ns1 and ns2.
|
||||||
|
if [ "$zone" = $PRIMARY_HOSTNAME ]; then
|
||||||
|
cat >> /etc/nsd3/zones/$fn2 << EOF;
|
||||||
|
ns1 IN A $PUBLIC_IP
|
||||||
|
ns2 IN A $PUBLIC_IP
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
# If OpenDKIM is set up, append the suggested TXT record to the zone.
|
# If OpenDKIM is set up, append the suggested TXT record to the zone.
|
||||||
if [ -f "$STORAGE_ROOT/mail/dkim/mail.txt" ]; then
|
if [ -f "$STORAGE_ROOT/mail/dkim/mail.txt" ]; then
|
||||||
cat "$STORAGE_ROOT/mail/dkim/mail.txt" >> /etc/nsd3/zones/$fn2;
|
cat "$STORAGE_ROOT/mail/dkim/mail.txt" >> /etc/nsd3/zones/$fn2;
|
||||||
|
|||||||
@ -12,9 +12,12 @@
|
|||||||
|
|
||||||
# Install packages.
|
# Install packages.
|
||||||
|
|
||||||
|
source /etc/mailinabox.conf # load global vars
|
||||||
|
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
|
DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
|
||||||
postfix postgrey \
|
postfix postgrey \
|
||||||
dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3
|
dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3 \
|
||||||
|
openssl
|
||||||
|
|
||||||
mkdir -p $STORAGE_ROOT/mail
|
mkdir -p $STORAGE_ROOT/mail
|
||||||
|
|
||||||
@ -26,12 +29,16 @@ sed -i "s/#submission/submission/" /etc/postfix/master.cf
|
|||||||
|
|
||||||
# Enable TLS and require it for all user authentication.
|
# Enable TLS and require it for all user authentication.
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
tools/editconf.py /etc/postfix/main.cf \
|
||||||
smtpd_use_tls=yes\
|
smtpd_tls_security_level=may\
|
||||||
smtpd_tls_auth_only=yes \
|
smtpd_tls_auth_only=yes \
|
||||||
smtp_tls_security_level=may \
|
smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
|
||||||
smtp_tls_loglevel=2 \
|
smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
|
||||||
smtpd_tls_received_header=yes
|
smtpd_tls_received_header=yes
|
||||||
# note: smtpd_use_tls=yes appears to already be the default, but we can never be too sure
|
|
||||||
|
# When connecting to remote SMTP servers, prefer TLS.
|
||||||
|
tools/editconf.py /etc/postfix/main.cf \
|
||||||
|
smtp_tls_security_level=may \
|
||||||
|
smtp_tls_loglevel=2
|
||||||
|
|
||||||
# Postfix will query dovecot for user authentication.
|
# Postfix will query dovecot for user authentication.
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
tools/editconf.py /etc/postfix/main.cf \
|
||||||
@ -188,15 +195,21 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
|
|||||||
"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
|
"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
|
||||||
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
|
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
|
||||||
|
|
||||||
# The Dovecot installation already created a self-signed public/private key pair
|
# SSL CERTIFICATE
|
||||||
# in /etc/dovecot/dovecot.pem and /etc/dovecot/private/dovecot.pem, which we'll
|
|
||||||
# use unless certificates already exist. We'll move them into $STORAGE_ROOT/ssl
|
|
||||||
# unless files exist there already.
|
|
||||||
mkdir -p $STORAGE_ROOT/ssl
|
|
||||||
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then cp /etc/dovecot/dovecot.pem $STORAGE_ROOT/ssl/ssl_certificate.pem; fi
|
|
||||||
if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then cp /etc/dovecot/private/dovecot.pem $STORAGE_ROOT/ssl/ssl_private_key.pem; fi
|
|
||||||
|
|
||||||
#
|
# Create a self-signed certifiate.
|
||||||
|
mkdir -p $STORAGE_ROOT/ssl
|
||||||
|
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
|
||||||
|
openssl genrsa -des3 -passout pass:x -out /tmp/server.key 2048 # create key, but it has a password...
|
||||||
|
openssl rsa -passin pass:x -in /tmp/server.key -out $STORAGE_ROOT/ssl/ssl_private_key.pem # remove password and save it to the right location
|
||||||
|
rm /tmp/server.key # remove temporary password-laden key
|
||||||
|
openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \
|
||||||
|
-subj "/C=/ST=/L=/O=/CN=$PUBLIC_HOSTNAME"
|
||||||
|
openssl x509 -req -days 365 \
|
||||||
|
-in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
|
||||||
|
fi
|
||||||
|
|
||||||
|
# PERMISSIONS / RESTART SERVICES
|
||||||
|
|
||||||
# Ensure configuration files are owned by dovecot and not world readable.
|
# Ensure configuration files are owned by dovecot and not world readable.
|
||||||
chown -R mail:dovecot /etc/dovecot
|
chown -R mail:dovecot /etc/dovecot
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user