Commit 67d31ed9 authored by Joshua Tauberer's avatar Joshua Tauberer

move the SSL setup into its own bash script since it is used for much more than email now

parent 0ab43ef4
......@@ -132,7 +132,7 @@ def build_zone(domain, zonefile, env, with_ns=True):
records.append(("ns1", "A", env["PUBLIC_IP"]))
records.append(("ns2", "A", env["PUBLIC_IP"]))
# Add a TLSA record for SMTP.
# Add a DANE TLSA record for SMTP.
records.append(("_25._tcp", "TLSA", build_tlsa_record(env)))
def has_rec(qname, rtype):
......@@ -179,9 +179,8 @@ def build_zone(domain, zonefile, env, with_ns=True):
########################################################################
def build_tlsa_record(env):
# A TLSA record in DNS specifies that connections on a port, e.g.
# the SMTP port, must use TLS and the certificate must match a
# particular certificate.
# A DANE TLSA record in DNS specifies that connections on a port
# must use TLS and the certificate must match a particular certificate.
#
# Thanks to http://blog.huque.com/2012/10/dnssec-and-certificates.html
# for explaining all of this!
......
......@@ -18,8 +18,7 @@ source /etc/mailinabox.conf # load global vars
apt_install \
postfix postgrey postfix-pcre \
dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3 \
openssl
dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3
mkdir -p $STORAGE_ROOT/mail
......@@ -244,29 +243,6 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
# SSL CERTIFICATE
mkdir -p $STORAGE_ROOT/ssl
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
# Generate a new private key if one doesn't already exist.
# Set the umask so the key file is not world-readable.
(umask 077; openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
fi
if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then
# Generate a certificate signing request if one doesn't already exist.
openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \
-subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PUBLIC_HOSTNAME"
fi
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
# Generate a SSL certificate by self-signing if a SSL certificate doesn't yet exist.
openssl x509 -req -days 365 \
-in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
fi
echo
echo "Your SSL certificate's fingerpint is:"
openssl x509 -in /home/user-data/ssl/ssl_certificate.pem -noout -fingerprint
echo
# PERMISSIONS / RESTART SERVICES
# Ensure configuration files are owned by dovecot and not world readable.
......
#!/bin/bash
#
# SSL Certificate
#
# Create a self-signed SSL certificate if one has not yet been created.
#
# The certificate is for PUBLIC_HOSTNAME specifically and is used for:
#
# * IMAP
# * SMTP submission (port 587) and opportunistic TLS (when on the receiving end)
# * the DNSSEC DANE TLSA record for SMTP
# * HTTPS (for PUBLIC_HOSTNAME only)
#
# When other domains besides PUBLIC_HOSTNAME are served over HTTPS,
# we generate a domain-specific self-signed certificate in the management
# daemon (web_update.py) as needed.
source setup/functions.sh # load our functions
source /etc/mailinabox.conf # load global vars
apt_install openssl
mkdir -p $STORAGE_ROOT/ssl
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
# Generate a new private key if one doesn't already exist.
# Set the umask so the key file is not world-readable.
(umask 077; openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
fi
if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then
# Generate a certificate signing request if one doesn't already exist.
openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \
-subj "/C=$CSR_COUNTRY/ST=/L=/O=/CN=$PUBLIC_HOSTNAME"
fi
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
# Generate a SSL certificate by self-signing if a SSL certificate doesn't yet exist.
openssl x509 -req -days 365 \
-in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
fi
echo
echo "Your SSL certificate's fingerpint is:"
openssl x509 -in /home/user-data/ssl/ssl_certificate.pem -noout -fingerprint
echo
......@@ -122,6 +122,7 @@ EOF
# Start service configuration.
. setup/system.sh
. setup/ssl.sh
. setup/dns.sh
. setup/mail.sh
. setup/dkim.sh
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment