Begening configuration for Letsencrypt support

.gitignore

@@ -2,3 +2,4 @@
 docker-compose.yml
 postfix/ssl/*
 assert.sh*
+letsencrypt/

README.md

@@ -68,53 +68,21 @@ Volumes allow to:
 
 	docker-compose up -d mail
 
-# configure ssl
-
-## generate self-signed ssl certificate
-
-You can easily generate a self-signed SSL certificate by using the following command:
-
-	docker run -ti --rm -v "$(pwd)"/postfix/ssl:/ssl -h mail.my-domain.com -t tvial/docker-mailserver generate-ssl-certificate
-
-	# Press enter
-	# Enter a password when needed
-	# Fill information like Country, Organisation name
-	# Fill "my-domain.com" as FQDN for CA, and "mail.my-domain.com" for the certificate.
-	# They HAVE to be different, otherwise you'll get a `TXT_DB error number 2`
-	# Don't fill extras
-	# Enter same password when needed
-	# Sign the certificate? [y/n]:y
-	# 1 out of 1 certificate requests certified, commit? [y/n]y
-
-	# will generate:
-	# postfix/ssl/mail.my-domain.com-key.pem (used in postfix)
-	# postfix/ssl/mail.my-domain.com-req.pem (only used to generate other files)
-	# postfix/ssl/mail.my-domain.com-cert.pem (used in postfix)
-	# postfix/ssl/mail.my-domain.com-combined.pem (used in courier)
-	# postfix/ssl/demoCA/cacert.pem (certificate authority)
-
-Note that the certificate will be generate for the container `fqdn`, that is passed as `-h` argument.
-Check the following page for more information regarding [postfix and SSL/TLS configuration](http://www.mad-hacking.net/documentation/linux/applications/mail/using-ssl-tls-postfix-courier.xml).
-
-## configure ssl certificate (convention over configuration)
-
-If a matching certificate (files listed above) is found in `postfix/ssl`, it will be automatically setup in postfix and courier-imap-ssl. You just have to place them in `postfix/ssl` folder.
-
 # client configuration
 
-	# imap
-	username:  				<username1@my-domain.com>
-	password:  				<username1password>
-	server:    				<your-server-ip-or-hostname>
-	imap port: 				143 or 993 with ssl (recommended)
-	imap path prefix:		INBOX
-	auth method:			md5 challenge-response
+  # imap
+  username:         <username1@my-domain.com>
+  password:         <username1password>
+  server:           <your-server-ip-or-hostname>
+  imap port:        143 or 993 with ssl (recommended)
+  imap path prefix:   INBOX
+  auth method:      md5 challenge-response
 
-	# smtp
-	smtp port:				25 or 587 with ssl (recommended)
-	username:  				<username1@my-domain.com>
-	password:  				<username1password>
-	auth method:			md5 challenge-response
+  # smtp
+  smtp port:        25 or 587 with ssl (recommended)
+  username:         <username1@my-domain.com>
+  password:         <username1password>
+  auth method:      md5 challenge-response
 
 # todo
 

SSL.md

@@ -0,0 +1,46 @@
+# docker-mailserver with ssl
+
+There are multiple options to enable SSL:
+
+* using [letsencrypt](https://letsencrypt.org/)
+* using self-signed certificates with the provided tool
+
+## let's encrypt
+
+To enable Let's Encrypt on your mail server, you have to add en environment variable `DMS_SSL` with value `letsencrypt`.
+You also have to mount your `letsencrypt` folder to `/etc/letsencrypt`.
+
+
+
+TO BE FINISHED WHEN IT WILL BE TESTED
+
+
+
+## self signed certificates
+
+You can easily generate a self-signed SSL certificate by using the following command:
+
+  docker run -ti --rm -v "$(pwd)"/postfix/ssl:/ssl -h mail.my-domain.com -t tvial/docker-mailserver generate-ssl-certificate
+
+  # Press enter
+  # Enter a password when needed
+  # Fill information like Country, Organisation name
+  # Fill "my-domain.com" as FQDN for CA, and "mail.my-domain.com" for the certificate.
+  # They HAVE to be different, otherwise you'll get a `TXT_DB error number 2`
+  # Don't fill extras
+  # Enter same password when needed
+  # Sign the certificate? [y/n]:y
+  # 1 out of 1 certificate requests certified, commit? [y/n]y
+
+  # will generate:
+  # postfix/ssl/mail.my-domain.com-key.pem (used in postfix)
+  # postfix/ssl/mail.my-domain.com-req.pem (only used to generate other files)
+  # postfix/ssl/mail.my-domain.com-cert.pem (used in postfix)
+  # postfix/ssl/mail.my-domain.com-combined.pem (used in courier)
+  # postfix/ssl/demoCA/cacert.pem (certificate authority)
+
+Note that the certificate will be generate for the container `fqdn`, that is passed as `-h` argument.
+Check the following page for more information regarding [postfix and SSL/TLS configuration](http://www.mad-hacking.net/documentation/linux/applications/mail/using-ssl-tls-postfix-courier.xml).
+
+If a matching certificate (files listed above) is found in `postfix/ssl`, it will be automatically setup in postfix and courier-imap-ssl. You just have to place them in `postfix/ssl` folder.
+

start-mailserver.sh

@@ -54,28 +54,57 @@ echo "Postfix configurations"
 touch /etc/postfix/vmailbox && postmap /etc/postfix/vmailbox
 touch /etc/postfix/virtual && postmap /etc/postfix/virtual
 
-# Adding self-signed SSL certificate if provided in 'postfix/ssl' folder
-if [ -e "/tmp/postfix/ssl/$(hostname)-cert.pem" ] \
-&& [ -e "/tmp/postfix/ssl/$(hostname)-key.pem"  ] \
-&& [ -e "/tmp/postfix/ssl/$(hostname)-combined.pem" ] \
-&& [ -e "/tmp/postfix/ssl/demoCA/cacert.pem" ]; then
-  echo "Adding $(hostname) SSL certificate"
-  mkdir -p /etc/postfix/ssl
-  cp /tmp/postfix/ssl/$(hostname)-cert.pem /etc/postfix/ssl
-  cp /tmp/postfix/ssl/$(hostname)-key.pem /etc/postfix/ssl
-  cp /tmp/postfix/ssl/$(hostname)-combined.pem /etc/postfix/ssl
-  cp /tmp/postfix/ssl/demoCA/cacert.pem /etc/postfix/ssl
+# SSL Configuration
+case $DMS_SSL in
+  "letsencrypt" )
+    # letsencrypt folders and files mounted in /etc/letsencrypt
 
-  # Postfix configuration
-  sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/postfix\/ssl\/'$(hostname)'-cert.pem/g' /etc/postfix/main.cf
-  sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/postfix\/ssl\/'$(hostname)'-key.pem/g' /etc/postfix/main.cf
-  sed -i -r 's/#smtpd_tls_CAfile=/smtpd_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf
-  sed -i -r 's/#smtp_tls_CAfile=/smtp_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf
-  ln -s /etc/postfix/ssl/cacert.pem /etc/ssl/certs/cacert-$(hostname).pem
+      # Adding certificates from Letsencrypt and IdenTrust
+      # curl https://letsencrypt.org/certs/isrgrootx1.pem -so /etc/ssl/certs/isrgrootx1.pem
+      # curl https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem -so /etc/ssl/certs/lets-encrypt-x1-cross-signed.pem
+      # curl https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.pem -so /etc/ssl/certs/lets-encrypt-x2-cross-signed.pem
+      # curl https://letsencrypt.org/certs/letsencryptauthorityx1.pem -so /etc/ssl/certs/letsencryptauthorityx1.pem
+      # curl https://letsencrypt.org/certs/letsencryptauthorityx2.pem -so /etc/ssl/certs/letsencryptauthorityx2.pem
 
-  # Courier configuration
-  sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/'$(hostname)'-combined.pem/g' /etc/courier/imapd-ssl
-fi
+      # Postfix configuration
+      sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/letsencrypt\/live\/'$(hostname)'\/fullchain.pem/g' /etc/postfix/main.cf
+      sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/letsencrypt\/live\/'$(hostname)'\/privkey.pem/g' /etc/postfix/main.cf
+
+      # Courier configuration
+      cat /etc/letsencrypt/live/$(hostname)/privkey.pem /etc/letsencrypt/live/$(hostname)/cert.pem >> /etc/letsencrypt/live/$(hostname)/combined.pem
+      sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/letsencrypt\/live\/'$(hostname)'\/combined.pem/g' /etc/courier/imapd-ssl
+
+      echo "SSL configured with letsencrypt certificates"
+
+    ;;
+
+  "self-signed" )
+    # Adding self-signed SSL certificate if provided in 'postfix/ssl' folder
+    if [ -e "/tmp/postfix/ssl/$(hostname)-cert.pem" ] \
+    && [ -e "/tmp/postfix/ssl/$(hostname)-key.pem"  ] \
+    && [ -e "/tmp/postfix/ssl/$(hostname)-combined.pem" ] \
+    && [ -e "/tmp/postfix/ssl/demoCA/cacert.pem" ]; then
+      echo "Adding $(hostname) SSL certificate"
+      mkdir -p /etc/postfix/ssl
+      cp /tmp/postfix/ssl/$(hostname)-cert.pem /etc/postfix/ssl
+      cp /tmp/postfix/ssl/$(hostname)-key.pem /etc/postfix/ssl
+      cp /tmp/postfix/ssl/$(hostname)-combined.pem /etc/postfix/ssl
+      cp /tmp/postfix/ssl/demoCA/cacert.pem /etc/postfix/ssl
+
+      # Postfix configuration
+      sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/postfix\/ssl\/'$(hostname)'-cert.pem/g' /etc/postfix/main.cf
+      sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/postfix\/ssl\/'$(hostname)'-key.pem/g' /etc/postfix/main.cf
+      sed -i -r 's/#smtpd_tls_CAfile=/smtpd_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf
+      sed -i -r 's/#smtp_tls_CAfile=/smtp_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf
+      ln -s /etc/postfix/ssl/cacert.pem /etc/ssl/certs/cacert-$(hostname).pem
+
+      # Courier configuration
+      sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/'$(hostname)'-combined.pem/g' /etc/courier/imapd-ssl
+    fi
+
+    ;;
+
+esac
 
 echo "Fixing permissions"
 chown -R 5000:5000 /var/mail