mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2025-04-03 00:07:05 +00:00
1f0d2ddb92
This commit will: 1. Change the user account database from sqlite to OpenLDAP 2. Add policyd-spf to postfix for SPF validation 3. Add a test runner with some automated test suites Notes: User account password hashes are preserved. There is a new Roundcube contact list called "Directory" that lists the users in LDAP (MiaB users), similar to what Google Suite does. Users can still change their password in Roundcube. OpenLDAP is configured with TLS, but all remote access is blocked by firewall rules. Manual changes are required to open it for remote access (eg. "ufw allow proto tcp from <HOST> to any port ldaps"). The test runner is started by executing tests/runner.sh. Be aware that it will make changes to your system, including adding new users, domains, mailboxes, start/stop services, etc. It is highly unadvised to run it on a production system! The LDAP schema that supports mail delivery with postfix and dovecot is located in conf/postfix.schema. This file is copied verbatim from the LdapAdmin project (GPL, ldapadmin.org). Instead of including the file in git, it could be referenced by URL and downloaded by the setup script if GPL is an issue or apply for a PEN from IANA. Mangement console and other services should not appear or behave any differently than before.
207 lines
7.3 KiB
Bash
Executable File
207 lines
7.3 KiB
Bash
Executable File
#!/bin/bash
|
||
#
|
||
# RSA private key, SSL certificate, Diffie-Hellman bits files
|
||
# -------------------------------------------
|
||
|
||
# Create an RSA private key, a SSL certificate signed by a generated
|
||
# CA, and some Diffie-Hellman cipher bits, if they have not yet been
|
||
# created.
|
||
#
|
||
# The RSA private key and certificate are used for:
|
||
#
|
||
# * DNSSEC DANE TLSA records
|
||
# * IMAP
|
||
# * SMTP (opportunistic TLS for port 25 and submission on port 587)
|
||
# * HTTPS
|
||
# * SLAPD (OpenLDAP server)
|
||
#
|
||
# The certificate is created with its CN set to the PRIMARY_HOSTNAME. It is
|
||
# also used for other domains served over HTTPS until the user installs a
|
||
# better certificate for those domains.
|
||
#
|
||
# The Diffie-Hellman cipher bits are used for SMTP and HTTPS, when a
|
||
# Diffie-Hellman cipher is selected during TLS negotiation. Diffie-Hellman
|
||
# provides Perfect Forward Secrecy.
|
||
|
||
source setup/functions.sh # load our functions
|
||
source /etc/mailinabox.conf # load global vars
|
||
|
||
# Show a status line if we are going to take any action in this file.
|
||
if [ ! -f /usr/bin/openssl ] \
|
||
|| [ ! -s $STORAGE_ROOT/ssl/ca_private_key.pem ] \
|
||
|| [ ! -f $STORAGE_ROOT/ssl/ca_certificate.pem ] \
|
||
|| [ ! -s $STORAGE_ROOT/ssl/ssl_private_key.pem ] \
|
||
|| [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ] \
|
||
|| [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then
|
||
echo "Creating initial SSL certificate and perfect forward secrecy Diffie-Hellman parameters..."
|
||
fi
|
||
|
||
# Install openssl.
|
||
|
||
apt_install openssl
|
||
|
||
# Create a directory to store TLS-related things like "SSL" certificates.
|
||
|
||
mkdir -p $STORAGE_ROOT/ssl
|
||
|
||
# Generate new private keys.
|
||
#
|
||
# Keys are only as good as the entropy available to openssl so that it
|
||
# can generate a random key. "OpenSSL’s built-in RSA key generator ....
|
||
# is seeded on first use with (on Linux) 32 bytes read from /dev/urandom,
|
||
# the process ID, user ID, and the current time in seconds. [During key
|
||
# generation OpenSSL] mixes into the entropy pool the current time in seconds,
|
||
# the process ID, and the possibly uninitialized contents of a ... buffer
|
||
# ... dozens to hundreds of times."
|
||
#
|
||
# A perfect storm of issues can cause the generated key to be not very random:
|
||
#
|
||
# * improperly seeded /dev/urandom, but see system.sh for how we mitigate this
|
||
# * the user ID of this process is always the same (we're root), so that seed is useless
|
||
# * zero'd memory (plausible on embedded systems, cloud VMs?)
|
||
# * a predictable process ID (likely on an embedded/virtualized system)
|
||
# * a system clock reset to a fixed time on boot
|
||
#
|
||
# Since we properly seed /dev/urandom in system.sh we should be fine, but I leave
|
||
# in the rest of the notes in case that ever changes.
|
||
if [ ! -s $STORAGE_ROOT/ssl/ca_private_key.pem ]; then
|
||
# Set the umask so the key file is never world-readable.
|
||
(umask 077; hide_output \
|
||
openssl genrsa -aes256 -passout 'pass:SECRET-PASSWORD' \
|
||
-out $STORAGE_ROOT/ssl/ca_private_key.pem 4096)
|
||
|
||
# remove the existing ca-certificate, it must be regenerated
|
||
rm -f $STORAGE_ROOT/ssl/ca_certificate.pem
|
||
|
||
# Remove the ssl_certificate.pem symbolic link to force a
|
||
# regeneration of a self-signed server certificate. Old certs need
|
||
# to be signed by the new ca.
|
||
if [ -L $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
|
||
# Get the name of the certificate issuer
|
||
issuer="$(openssl x509 -issuer -nocert -in $STORAGE_ROOT/ssl/ssl_certificate.pem)"
|
||
|
||
# Determine if the ssl cert if self-signed. If unique hashes is 1,
|
||
# the cert is self-signed (pior versions of MiaB used self-signed
|
||
# certs).
|
||
uniq_hashes="$(openssl x509 -subject_hash -issuer_hash -nocert -in $STORAGE_ROOT/ssl/ssl_certificate.pem | uniq | wc -l)"
|
||
|
||
if [ "$uniq_hashes" == "1" ] || grep "Temporary-Mail-In-A-Box-CA" <<<"$issuer" >/dev/null
|
||
then
|
||
rm -f $STORAGE_ROOT/ssl/ssl_certificate.pem
|
||
fi
|
||
fi
|
||
fi
|
||
|
||
if [ ! -s $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then
|
||
# Set the umask so the key file is never world-readable.
|
||
(umask 037; hide_output \
|
||
openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
|
||
|
||
# Give the group 'ssl-cert' read access so slapd can read it
|
||
groupadd -fr ssl-cert
|
||
chgrp ssl-cert $STORAGE_ROOT/ssl/ssl_private_key.pem
|
||
chmod g+r $STORAGE_ROOT/ssl/ssl_private_key.pem
|
||
|
||
# Remove the ssl_certificate.pem symbolic link to force a
|
||
# regeneration of the server certificate. It needs to be
|
||
# signed by the new ca.
|
||
if [ -L $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
|
||
rm -f $STORAGE_ROOT/ssl/ssl_certificate.pem
|
||
fi
|
||
fi
|
||
|
||
#
|
||
# Generate a root CA certificate
|
||
#
|
||
if [ ! -f $STORAGE_ROOT/ssl/ca_certificate.pem ]; then
|
||
# Generate the self-signed certificate.
|
||
CERT=$STORAGE_ROOT/ssl/ca_certificate.pem
|
||
hide_output \
|
||
openssl req -new -x509 \
|
||
-days 3650 -sha256 \
|
||
-key $STORAGE_ROOT/ssl/ca_private_key.pem \
|
||
-passin 'pass:SECRET-PASSWORD' \
|
||
-out $CERT \
|
||
-subj '/CN=Temporary-Mail-In-A-Box-CA'
|
||
|
||
# add the certificate to the system's trusted root ca list
|
||
# this is required for openldap's TLS implementation
|
||
hide_output \
|
||
cp $CERT /usr/local/share/ca-certificates/mailinabox.crt
|
||
hide_output \
|
||
update-ca-certificates
|
||
fi
|
||
|
||
# Generate a signed SSL certificate because things like nginx, dovecot,
|
||
# etc. won't even start without some certificate in place, and we need nginx
|
||
# so we can offer the user a control panel to install a better certificate.
|
||
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
|
||
# # Generate a certificate signing request.
|
||
CSR=/tmp/ssl_cert_sign_req-$$.csr
|
||
hide_output \
|
||
openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $CSR \
|
||
-sha256 -subj "/CN=$PRIMARY_HOSTNAME"
|
||
|
||
# create a ca database (directory) for openssl
|
||
CADIR=$STORAGE_ROOT/ssl/ca
|
||
mkdir -p $CADIR/newcerts
|
||
touch $CADIR/index.txt $CADIR/index.txt.attr
|
||
[ ! -e $CADIR/serial ] && date +%s > $CADIR/serial
|
||
|
||
# Generate the signed certificate.
|
||
CERT=$STORAGE_ROOT/ssl/$PRIMARY_HOSTNAME-cert-$(date --rfc-3339=date | sed s/-//g).pem
|
||
hide_output \
|
||
openssl ca -batch \
|
||
-keyfile $STORAGE_ROOT/ssl/ca_private_key.pem \
|
||
-cert $STORAGE_ROOT/ssl/ca_certificate.pem \
|
||
-passin 'pass:SECRET-PASSWORD' \
|
||
-in $CSR \
|
||
-out $CERT \
|
||
-days 365 \
|
||
-name miab_ca \
|
||
-config - <<< "
|
||
[ miab_ca ]
|
||
dir = $CADIR
|
||
certs = \$dir
|
||
database = \$dir/index.txt
|
||
unique_subject = no
|
||
new_certs_dir = \$dir/newcerts # default place for new certs.
|
||
serial = \$dir/serial # The current serial number
|
||
x509_extensions = server_cert # The extensions to add to the cert
|
||
name_opt = ca_default # Subject Name options
|
||
cert_opt = ca_default # Certificate field options
|
||
policy = policy_anything
|
||
default_md = default # use public key default MD
|
||
|
||
[ policy_anything ]
|
||
countryName = optional
|
||
stateOrProvinceName = optional
|
||
localityName = optional
|
||
organizationName = optional
|
||
organizationalUnitName = optional
|
||
commonName = supplied
|
||
emailAddress = optional
|
||
|
||
[ server_cert ]
|
||
basicConstraints = CA:FALSE
|
||
nsCertType = server
|
||
nsComment = \"Mail-In-A-Box Generated Certificate\"
|
||
subjectKeyIdentifier = hash
|
||
authorityKeyIdentifier = keyid,issuer
|
||
"
|
||
|
||
# Delete the certificate signing request because it has no other purpose.
|
||
rm -f $CSR
|
||
|
||
# Symlink the certificates into the system certificate path, so system services
|
||
# can find it.
|
||
ln -s $CERT $STORAGE_ROOT/ssl/ssl_certificate.pem
|
||
fi
|
||
|
||
# Generate some Diffie-Hellman cipher bits.
|
||
# openssl's default bit length for this is 1024 bits, but we'll create
|
||
# 2048 bits of bits per the latest recommendations.
|
||
if [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then
|
||
openssl dhparam -out $STORAGE_ROOT/ssl/dh2048.pem 2048
|
||
fi
|