move the SSL setup into its own bash script since it is used for much more than email now
This commit is contained in:
Joshua Tauberer
parent
0ab43ef4fd
commit
67d31ed998
|
|
@ -132,7 +132,7 @@ def build_zone(domain, zonefile, env, with_ns=True):
|
|||
records.append(("ns1", "A", env["PUBLIC_IP"]))
|
||||
records.append(("ns2", "A", env["PUBLIC_IP"]))
|
||||
|
||||
# Add a TLSA record for SMTP.
|
||||
# Add a DANE TLSA record for SMTP.
|
||||
records.append(("_25._tcp", "TLSA", build_tlsa_record(env)))
|
||||
|
||||
def has_rec(qname, rtype):
|
||||
|
|
@ -179,9 +179,8 @@ def build_zone(domain, zonefile, env, with_ns=True):
|
|||
########################################################################
|
||||
|
||||
def build_tlsa_record(env):
|
||||
# A TLSA record in DNS specifies that connections on a port, e.g.
|
||||
# the SMTP port, must use TLS and the certificate must match a
|
||||
# particular certificate.
|
||||
# A DANE TLSA record in DNS specifies that connections on a port
|
||||
# must use TLS and the certificate must match a particular certificate.
|
||||
#
|
||||
# Thanks to http://blog.huque.com/2012/10/dnssec-and-certificates.html
|
||||
# for explaining all of this!
|
||||
|
|
|
|||
|
|
@ -18,8 +18,7 @@ source /etc/mailinabox.conf # load global vars
|
|||
|
||||
apt_install \
|
||||
postfix postgrey postfix-pcre \
|
||||
dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3 \
|
||||
openssl
|
||||
dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3
|
||||
|
||||
mkdir -p $STORAGE_ROOT/mail
|
||||
|
||||
|
|
@ -244,29 +243,6 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
|
|||
"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
|
||||
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
|
||||
|
||||
# SSL CERTIFICATE
|
||||
|
||||
mkdir -p $STORAGE_ROOT/ssl
|
||||
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
|
||||
# Generate a new private key if one doesn't already exist.
|
||||
# Set the umask so the key file is not world-readable.
|
||||
(umask 077; openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
|
||||
fi
|
||||
if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then
|
||||
# Generate a certificate signing request if one doesn't already exist.
|
||||
openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \
|
||||
-subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PUBLIC_HOSTNAME"
|
||||
fi
|
||||
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
|
||||
# Generate a SSL certificate by self-signing if a SSL certificate doesn't yet exist.
|
||||
openssl x509 -req -days 365 \
|
||||
-in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
|
||||
fi
|
||||
echo
|
||||
echo "Your SSL certificate's fingerpint is:"
|
||||
openssl x509 -in /home/user-data/ssl/ssl_certificate.pem -noout -fingerprint
|
||||
echo
|
||||
|
||||
# PERMISSIONS / RESTART SERVICES
|
||||
|
||||
# Ensure configuration files are owned by dovecot and not world readable.
|
||||
|
|
|
|||
|
|
@ -0,0 +1,43 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# SSL Certificate
|
||||
#
|
||||
# Create a self-signed SSL certificate if one has not yet been created.
|
||||
#
|
||||
# The certificate is for PUBLIC_HOSTNAME specifically and is used for:
|
||||
#
|
||||
# * IMAP
|
||||
# * SMTP submission (port 587) and opportunistic TLS (when on the receiving end)
|
||||
# * the DNSSEC DANE TLSA record for SMTP
|
||||
# * HTTPS (for PUBLIC_HOSTNAME only)
|
||||
#
|
||||
# When other domains besides PUBLIC_HOSTNAME are served over HTTPS,
|
||||
# we generate a domain-specific self-signed certificate in the management
|
||||
# daemon (web_update.py) as needed.
|
||||
|
||||
source setup/functions.sh # load our functions
|
||||
source /etc/mailinabox.conf # load global vars
|
||||
|
||||
apt_install openssl
|
||||
|
||||
mkdir -p $STORAGE_ROOT/ssl
|
||||
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
|
||||
# Generate a new private key if one doesn't already exist.
|
||||
# Set the umask so the key file is not world-readable.
|
||||
(umask 077; openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
|
||||
fi
|
||||
if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then
|
||||
# Generate a certificate signing request if one doesn't already exist.
|
||||
openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \
|
||||
-subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PUBLIC_HOSTNAME"
|
||||
fi
|
||||
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
|
||||
# Generate a SSL certificate by self-signing if a SSL certificate doesn't yet exist.
|
||||
openssl x509 -req -days 365 \
|
||||
-in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
|
||||
fi
|
||||
|
||||
echo
|
||||
echo "Your SSL certificate's fingerpint is:"
|
||||
openssl x509 -in /home/user-data/ssl/ssl_certificate.pem -noout -fingerprint
|
||||
echo
|
||||
|
|
@ -122,6 +122,7 @@ EOF
|
|||
|
||||
# Start service configuration.
|
||||
. setup/system.sh
|
||||
. setup/ssl.sh
|
||||
. setup/dns.sh
|
||||
. setup/mail.sh
|
||||
. setup/dkim.sh
|
||||
|
|
|
|||
Loading…
Reference in New Issue