Merge pull request #1220 from erik-wramner/dhparam_on_start

Generate dhparam and dovecot cert on start
Erik Wramner 2019-08-12 22:00:31 +02:00 committed by GitHub
commit 5ebb8614a2
5 changed files with 68 additions and 17 deletions


@ -117,11 +117,8 @@ RUN sed -i -e 's/include_try \/usr\/share\/dovecot\/protocols\.d/include_try \/e
# stretch-backport of dovecot needs this folder
mkdir /etc/dovecot/ssl && \
chmod 755 /etc/dovecot/ssl && \
cd /usr/share/dovecot && \
./mkcert.sh && \
mkdir -p /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global && \
chmod 755 -R /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global && \
openssl dhparam -out /etc/dovecot/dh.pem 2048
chmod 755 -R /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global
# Configures LDAP
COPY target/dovecot/dovecot-ldap.conf.ext /etc/dovecot
@ -180,10 +177,7 @@ RUN mkdir /var/run/fetchmail && chown fetchmail /var/run/fetchmail
# Configures Postfix
COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/
COPY target/postfix/header_checks.pcre target/postfix/sender_header_filter.pcre target/postfix/sender_login_maps.pcre /etc/postfix/maps/
RUN echo "" > /etc/aliases && \
openssl dhparam -out /etc/postfix/dhparams.pem 2048 && \
echo "@weekly FILE=\`mktemp\` ; openssl dhparam -out \$FILE 2048 > /dev/null 2>&1 && mv -f \$FILE /etc/postfix/dhparams.pem" > /etc/cron.d/dh2048
RUN echo "" > /etc/aliases
# Configuring Logs
RUN sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf && \


@ -511,6 +511,25 @@ function _setup_dovecot_hostname() {
function _setup_dovecot() {
notify 'task' 'Setting up Dovecot'
# Moved from docker file, copy or generate default self-signed cert
if [ -f /var/mail-state/lib-dovecot/dovecot.pem -a "$ONE_DIR" = 1 ]; then
notify 'inf' "Copying default dovecot cert"
cp /var/mail-state/lib-dovecot/dovecot.key /etc/dovecot/ssl/
cp /var/mail-state/lib-dovecot/dovecot.pem /etc/dovecot/ssl/
fi
if [ ! -f /etc/dovecot/ssl/dovecot.pem ]; then
notify 'inf' "Generating default dovecot cert"
pushd /usr/share/dovecot
./mkcert.sh
popd
if [ "$ONE_DIR" = 1 ];then
mkdir -p /var/mail-state/lib-dovecot
cp /etc/dovecot/ssl/dovecot.key /var/mail-state/lib-dovecot/
cp /etc/dovecot/ssl/dovecot.pem /var/mail-state/lib-dovecot/
fi
fi
cp -a /usr/share/dovecot/protocols.d /etc/dovecot/
# Disable pop3 (it will be eventually enabled later in the script, if requested)
mv /etc/dovecot/protocols.d/pop3d.protocol /etc/dovecot/protocols.d/pop3d.protocol.disab
@ -1012,7 +1031,6 @@ function _setup_ssl() {
;;
* )
# Unknown option, default behavior, no action is required
notify 'warn' "SSL configured by default"
;;
esac
@ -1233,28 +1251,41 @@ function _setup_postfix_relay_hosts() {
function _setup_postfix_dhparam() {
notify 'task' 'Setting up Postfix dhparam'
if [ "$ONE_DIR" = 1 ];then
DHPARAMS_FILE=/var/mail-state/lib-postfix/dhparams.pem
DHPARAMS_FILE=/var/mail-state/lib-shared/dhparams.pem
if [ ! -f $DHPARAMS_FILE ]; then
notify 'inf' "Generate new dhparams for postfix"
notify 'inf' "Generate new shared dhparams (postfix)"
mkdir -p $(dirname "$DHPARAMS_FILE")
openssl dhparam -out $DHPARAMS_FILE 2048
else
notify 'inf' "Use dhparams that was generated previously"
notify 'inf' "Use postfix dhparams that was generated previously"
fi
# Copy from the state directory to the working location
rm /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem
else
notify 'inf' "No state dir, we use the dhparams generated on image creation"
if [ ! -f /etc/postfix/dhparams.pem ]; then
if [ -f /etc/dovecot/dh.pem ]; then
notify 'inf' "Copy dovecot dhparams to postfix"
cp /etc/dovecot/dh.pem /etc/postfix/dhparams.pem
elif [ -f /tmp/docker-mailserver/dhparams.pem ]; then
notify 'inf' "Copy pre-generated dhparams to postfix"
cp /tmp/docker-mailserver/dhparams.pem /etc/postfix/dhparams.pem
else
notify 'inf' "Generate new dhparams for postfix"
openssl dhparam -out /etc/postfix/dhparams.pem 2048
fi
else
notify 'inf' "Use existing postfix dhparams"
fi
fi
}
function _setup_dovecot_dhparam() {
notify 'task' 'Setting up Dovecot dhparam'
if [ "$ONE_DIR" = 1 ];then
DHPARAMS_FILE=/var/mail-state/lib-dovecot/dh.pem
DHPARAMS_FILE=/var/mail-state/lib-shared/dhparams.pem
if [ ! -f $DHPARAMS_FILE ]; then
notify 'inf' "Generate new dhparams for dovecot"
notify 'inf' "Generate new shared dhparams (dovecot)"
mkdir -p $(dirname "$DHPARAMS_FILE")
openssl dhparam -out $DHPARAMS_FILE 2048
else
@ -1264,7 +1295,20 @@ function _setup_dovecot_dhparam() {
# Copy from the state directory to the working location
rm /etc/dovecot/dh.pem && cp $DHPARAMS_FILE /etc/dovecot/dh.pem
else
notify 'inf' "No state dir, we use the dovecot dhparams generated on image creation"
if [ ! -f /etc/dovecot/dh.pem ]; then
if [ -f /etc/postfix/dhparams.pem ]; then
notify 'inf' "Copy postfix dhparams to dovecot"
cp /etc/postfix/dhparams.pem /etc/dovecot/dh.pem
elif [ -f /tmp/docker-mailserver/dhparams.pem ]; then
notify 'inf' "Copy pre-generated dhparams to dovecot"
cp /tmp/docker-mailserver/dhparams.pem /etc/dovecot/dh.pem
else
notify 'inf' "Generate new dhparams for dovecot"
openssl dhparam -out /etc/dovecot/dh.pem 2048
fi
else
notify 'inf' "Use existing dovecot dhparams"
fi
fi
}
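Review bot: In ONE_DIR mode the copy into the working location can no longer succeed on a fresh container: `rm /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem` (and the matching `rm /etc/dovecot/dh.pem && cp …` in _setup_dovecot_dhparam) only runs the cp when the rm succeeds, yet this same commit drops the build-time `openssl dhparam` that used to create both files in the Dockerfile, so unless something outside the diff still creates them the rm fails and the freshly generated shared parameters are never installed. Replacing both lines with `cp -f "$DHPARAMS_FILE" /etc/postfix/dhparams.pem` and `cp -f "$DHPARAMS_FILE" /etc/dovecot/dh.pem` removes the dependency on a pre-existing file. The pre-generated file taken from `/tmp/docker-mailserver/dhparams.pem` comes from the user-supplied config mount and is installed without any check; an `openssl dhparam -check -noout -in /tmp/docker-mailserver/dhparams.pem` guard before that cp would reject a malformed file at startup instead of leaving Postfix or Dovecot to fail at TLS setup. Minor style: the `[ -f … -a "$ONE_DIR" = 1 ]` test in _setup_dovecot uses the deprecated `-a` (and checks only the .pem before copying the .key), and `$DHPARAMS_FILE` is unquoted throughout. _setup_dovecot and _setup_ssl continue outside their hunks, and _setup_dovecot_dhparam is split across the last two hunks.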

@ -1 +1 @@
Subproject commit 1c83a1b1d743075ed8e505ff94e548701f545b73
Subproject commit 03608115df2071fff4eaaff1605768c275e5f81f

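--- /dev/null
+++ b/test/config/dhparams.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAlYgX/PXMu60WVkgKXOqnT562wd2F3l1WDwyn7DLWDqb9rCI6SAB8
+8uDkImAeoRFQycL77fXBqO9KKVk5x569Qjltacbw4/taOhWPAq/+6Wf5bZsUEp5g
+wD+hLvgYn/0pdGkjiAJ+jlRBxarF9lJac4QPztqw3qJPtVdIKbmo58hoxERIthD2
+f/ZkGjaZXzOIvD8Ai0NQ+H4k5DK5dLlFI78XbrsH161t4Jcspq+v5VUdUyUMAvti
+4peK0RgHw47h90kkee+qIf5F+WWSw28tjkbILWx2ld/bN59eZj4itb3UUw/OZRpC
+Y0pOBOvl1wp5PS+pUJAMsg6PR50yPNYREwIBAg==
+-----END DH PARAMETERS-----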


@ -1298,6 +1298,11 @@ function count_processed_changes() {
[ "${originalChangesProcessed}" != "$(count_processed_changes mail)" ]
assert_success
# Dovecot has been restarted, but this test often fails so presumably it may not be ready
# Add a short sleep to see if that helps to make the test more stable
# Alternatively we could login with a known good user to make sure that the service is up
sleep 2
result=$(docker exec mail doveadm auth test -x service=smtp setup_email_add@example.com 'test_password' | grep 'auth succeeded')
[ "$result" = "passdb: setup_email_add@example.com auth succeeded" ]
}
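Review bot: The `sleep 2` added before the doveadm call papers over the restart race that the new comment itself describes; a fixed delay slows every run and can still fail on a slow host, which is exactly the flakiness this hunk is trying to remove. A bounded poll of `doveadm auth test` until it succeeds or a deadline passes waits only as long as needed and keeps the final assertion meaningful, and the three-line comment could then shrink to `# Dovecot was just restarted; poll (bounded) until it answers auth requests`. The `grep` in the polled command needs an `|| true` so a not-yet-ready Dovecot does not abort the test under bats' errexit before the loop can retry. The enclosing `@test` block begins before this hunk.
```shell
# … unchanged: count_processed_changes assertions …
# Dovecot was just restarted; poll (bounded) until it answers auth requests
for _ in $(seq 1 10); do
  result=$(docker exec mail doveadm auth test -x service=smtp setup_email_add@example.com 'test_password' | grep 'auth succeeded' || true)
  [ "$result" = "passdb: setup_email_add@example.com auth succeeded" ] && break
  sleep 1
done
[ "$result" = "passdb: setup_email_add@example.com auth succeeded" ]
```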