Commit 548cc8a0 authored by Joshua Tauberer's avatar Joshua Tauberer

generate a self-signed certificate for PUBLIC_HOSTNAME and change DNS MX...

generate a self-signed certificate for PUBLIC_HOSTNAME and change DNS MX records to PRIMARY_HOSTNAME so it matches
parent 0403d277
...@@ -69,7 +69,7 @@ for fn in $STORAGE_ROOT/dns/*.txt; do ...@@ -69,7 +69,7 @@ for fn in $STORAGE_ROOT/dns/*.txt; do
\$ORIGIN $zone. ; default zone domain \$ORIGIN $zone. ; default zone domain
\$TTL 86400 ; default time to live \$TTL 86400 ; default time to live
@ IN SOA ns1.$zone. hostmaster.$PRIMARY_HOSTNAME. ( @ IN SOA ns1.$PRIMARY_HOSTNAME. hostmaster.$PRIMARY_HOSTNAME. (
$serial ; serial number $serial ; serial number
28800 ; Refresh 28800 ; Refresh
7200 ; Retry 7200 ; Retry
...@@ -77,18 +77,23 @@ for fn in $STORAGE_ROOT/dns/*.txt; do ...@@ -77,18 +77,23 @@ for fn in $STORAGE_ROOT/dns/*.txt; do
86400 ; Min TTL 86400 ; Min TTL
) )
NS ns1.$zone. NS ns1.$PRIMARY_HOSTNAME.
NS ns2.$zone. NS ns2.$PRIMARY_HOSTNAME.
IN A $PUBLIC_IP IN A $PUBLIC_IP
MX 10 mail.$zone. MX 10 $PRIMARY_HOSTNAME.
300 TXT "v=spf1 mx -all" 300 TXT "v=spf1 mx -all"
www IN A $PUBLIC_IP
EOF
# In PRIMARY_HOSTNAME, also define ns1 and ns2.
if [ "$zone" = $PRIMARY_HOSTNAME ]; then
cat >> /etc/nsd3/zones/$fn2 << EOF;
ns1 IN A $PUBLIC_IP ns1 IN A $PUBLIC_IP
ns2 IN A $PUBLIC_IP ns2 IN A $PUBLIC_IP
mail IN A $PUBLIC_IP
www IN A $PUBLIC_IP
EOF EOF
fi
# If OpenDKIM is set up, append the suggested TXT record to the zone. # If OpenDKIM is set up, append the suggested TXT record to the zone.
if [ -f "$STORAGE_ROOT/mail/dkim/mail.txt" ]; then if [ -f "$STORAGE_ROOT/mail/dkim/mail.txt" ]; then
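Review bot: The new test `if [ "$zone" = $PRIMARY_HOSTNAME ]; then` leaves `$PRIMARY_HOSTNAME` unquoted, so an empty or unset value degrades into a malformed `[` expression and the ns1/ns2 glue records are silently never appended; it should read `if [ "$zone" = "$PRIMARY_HOSTNAME" ]; then`. Because every zone's NS and MX now name hosts under `$PRIMARY_HOSTNAME`, those records only work if that zone is itself generated by this loop and delegated at the registrar, which the script cannot verify — a comment such as `# NS/MX targets live in the $PRIMARY_HOSTNAME zone; that zone must be delegated to this host` would save the next operator a debugging session. The trailing `;` on `cat >> /etc/nsd3/zones/$fn2 << EOF;` is harmless but reads as a typo. The enclosing `for fn in $STORAGE_ROOT/dns/*.txt` loop starts before this hunk.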
......
...@@ -12,9 +12,12 @@ ...@@ -12,9 +12,12 @@
# Install packages. # Install packages.
source /etc/mailinabox.conf # load global vars
DEBIAN_FRONTEND=noninteractive apt-get install -q -y \ DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
postfix postgrey \ postfix postgrey \
dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3 dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3 \
openssl
mkdir -p $STORAGE_ROOT/mail mkdir -p $STORAGE_ROOT/mail
...@@ -26,12 +29,16 @@ sed -i "s/#submission/submission/" /etc/postfix/master.cf ...@@ -26,12 +29,16 @@ sed -i "s/#submission/submission/" /etc/postfix/master.cf
# Enable TLS and require it for all user authentication. # Enable TLS and require it for all user authentication.
tools/editconf.py /etc/postfix/main.cf \ tools/editconf.py /etc/postfix/main.cf \
smtpd_use_tls=yes\ smtpd_tls_security_level=may\
smtpd_tls_auth_only=yes \ smtpd_tls_auth_only=yes \
smtp_tls_security_level=may \ smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
smtp_tls_loglevel=2 \ smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
smtpd_tls_received_header=yes smtpd_tls_received_header=yes
# note: smtpd_use_tls=yes appears to already be the default, but we can never be too sure
# When connecting to remote SMTP servers, prefer TLS.
tools/editconf.py /etc/postfix/main.cf \
smtp_tls_security_level=may \
smtp_tls_loglevel=2
# Postfix will query dovecot for user authentication. # Postfix will query dovecot for user authentication.
tools/editconf.py /etc/postfix/main.cf \ tools/editconf.py /etc/postfix/main.cf \
...@@ -187,16 +194,22 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \ ...@@ -187,16 +194,22 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
ssl=required \ ssl=required \
"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \ "ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \ "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
# SSL CERTIFICATE
# The Dovecot installation already created a self-signed public/private key pair # Create a self-signed certifiate.
# in /etc/dovecot/dovecot.pem and /etc/dovecot/private/dovecot.pem, which we'll
# use unless certificates already exist. We'll move them into $STORAGE_ROOT/ssl
# unless files exist there already.
mkdir -p $STORAGE_ROOT/ssl mkdir -p $STORAGE_ROOT/ssl
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then cp /etc/dovecot/dovecot.pem $STORAGE_ROOT/ssl/ssl_certificate.pem; fi if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then cp /etc/dovecot/private/dovecot.pem $STORAGE_ROOT/ssl/ssl_private_key.pem; fi openssl genrsa -des3 -passout pass:x -out /tmp/server.key 2048 # create key, but it has a password...
openssl rsa -passin pass:x -in /tmp/server.key -out $STORAGE_ROOT/ssl/ssl_private_key.pem # remove password and save it to the right location
rm /tmp/server.key # remove temporary password-laden key
openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \
-subj "/C=/ST=/L=/O=/CN=$PUBLIC_HOSTNAME"
openssl x509 -req -days 365 \
-in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
fi
# # PERMISSIONS / RESTART SERVICES
# Ensure configuration files are owned by dovecot and not world readable. # Ensure configuration files are owned by dovecot and not world readable.
chown -R mail:dovecot /etc/dovecot chown -R mail:dovecot /etc/dovecot
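Review bot: The key generation writes the private key to the predictable path `/tmp/server.key` and then to `$STORAGE_ROOT/ssl/ssl_private_key.pem` under the script's default umask, so the key is briefly exposed in a shared directory and may land world-readable; the `-des3 -passout pass:x` round-trip adds nothing because the passphrase is stripped on the next line. Generate the key straight into its destination with a restrictive umask, and chmod it, as below. The certificate's CN is `$PUBLIC_HOSTNAME` while the DNS hunk in this same commit points MX at `$PRIMARY_HOSTNAME`; if those variables can differ, clients that verify the MX name will see a mismatch, which I cannot confirm from these hunks. The guard now checks only for `ssl_certificate.pem`, so an operator-supplied key with no certificate beside it is overwritten; keeping the per-file check avoids that. The `tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf` invocation that precedes this block starts outside the hunk.
```shell
# … unchanged: dovecot 10-ssl.conf editconf call …
mkdir -p "$STORAGE_ROOT/ssl"
if [ ! -f "$STORAGE_ROOT/ssl/ssl_private_key.pem" ]; then
  # Write the key directly to its final location; umask 077 keeps it owner-only
  # from the first byte, and no passphrase detour through /tmp is needed.
  (umask 077; openssl genrsa -out "$STORAGE_ROOT/ssl/ssl_private_key.pem" 2048)
  chmod 600 "$STORAGE_ROOT/ssl/ssl_private_key.pem"
fi
if [ ! -f "$STORAGE_ROOT/ssl/ssl_certificate.pem" ]; then
  openssl req -new -key "$STORAGE_ROOT/ssl/ssl_private_key.pem" -out "$STORAGE_ROOT/ssl/ssl_cert_sign_req.csr" \
    -subj "/C=/ST=/L=/O=/CN=$PUBLIC_HOSTNAME"
  openssl x509 -req -days 365 \
    -in "$STORAGE_ROOT/ssl/ssl_cert_sign_req.csr" -signkey "$STORAGE_ROOT/ssl/ssl_private_key.pem" -out "$STORAGE_ROOT/ssl/ssl_certificate.pem"
fi
# … unchanged: permissions / restart services …
```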
......