github-com-docker-mailserver/docker-mailserver
1
0
Fork 0
mirror of https://github.com/docker-mailserver/docker-mailserver.git synced 2024-01-19 02:48:50 +00:00
Code Issues Projects Releases Wiki Activity

Begening configuration for Letsencrypt support

Browse source
This commit is contained in:
Thomas VIAL 2015-12-05 16:44:13 +01:00
parent 07177f04cd
commit e5719ceacb
4 changed files with 108 additions and 64 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -2,3 +2,4 @@
docker-compose.yml docker-compose.yml
postfix/ssl/* postfix/ssl/*
assert.sh* assert.sh*
letsencrypt/

32
README.md
View file

@ -68,38 +68,6 @@ Volumes allow to:
docker-compose up -d mail docker-compose up -d mail
# configure ssl
## generate self-signed ssl certificate
You can easily generate a self-signed SSL certificate by using the following command:
docker run -ti --rm -v "$(pwd)"/postfix/ssl:/ssl -h mail.my-domain.com -t tvial/docker-mailserver generate-ssl-certificate
# Press enter
# Enter a password when needed
# Fill information like Country, Organisation name
# Fill "my-domain.com" as FQDN for CA, and "mail.my-domain.com" for the certificate.
# They HAVE to be different, otherwise you'll get a `TXT_DB error number 2`
# Don't fill extras
# Enter same password when needed
# Sign the certificate? [y/n]:y
# 1 out of 1 certificate requests certified, commit? [y/n]y
# will generate:
# postfix/ssl/mail.my-domain.com-key.pem (used in postfix)
# postfix/ssl/mail.my-domain.com-req.pem (only used to generate other files)
# postfix/ssl/mail.my-domain.com-cert.pem (used in postfix)
# postfix/ssl/mail.my-domain.com-combined.pem (used in courier)
# postfix/ssl/demoCA/cacert.pem (certificate authority)
Note that the certificate will be generate for the container `fqdn`, that is passed as `-h` argument.
Check the following page for more information regarding [postfix and SSL/TLS configuration](http://www.mad-hacking.net/documentation/linux/applications/mail/using-ssl-tls-postfix-courier.xml).
## configure ssl certificate (convention over configuration)
If a matching certificate (files listed above) is found in `postfix/ssl`, it will be automatically setup in postfix and courier-imap-ssl. You just have to place them in `postfix/ssl` folder.
# client configuration # client configuration
# imap # imap

46
SSL.md Normal file
View file

@ -0,0 +1,46 @@
# docker-mailserver with ssl
There are multiple options to enable SSL:
* using [letsencrypt](https://letsencrypt.org/)
* using self-signed certificates with the provided tool
## let's encrypt
To enable Let's Encrypt on your mail server, you have to add en environment variable `DMS_SSL` with value `letsencrypt`.
You also have to mount your `letsencrypt` folder to `/etc/letsencrypt`.
TO BE FINISHED WHEN IT WILL BE TESTED
## self signed certificates
You can easily generate a self-signed SSL certificate by using the following command:
docker run -ti --rm -v "$(pwd)"/postfix/ssl:/ssl -h mail.my-domain.com -t tvial/docker-mailserver generate-ssl-certificate
# Press enter
# Enter a password when needed
# Fill information like Country, Organisation name
# Fill "my-domain.com" as FQDN for CA, and "mail.my-domain.com" for the certificate.
# They HAVE to be different, otherwise you'll get a `TXT_DB error number 2`
# Don't fill extras
# Enter same password when needed
# Sign the certificate? [y/n]:y
# 1 out of 1 certificate requests certified, commit? [y/n]y
# will generate:
# postfix/ssl/mail.my-domain.com-key.pem (used in postfix)
# postfix/ssl/mail.my-domain.com-req.pem (only used to generate other files)
# postfix/ssl/mail.my-domain.com-cert.pem (used in postfix)
# postfix/ssl/mail.my-domain.com-combined.pem (used in courier)
# postfix/ssl/demoCA/cacert.pem (certificate authority)
Note that the certificate will be generate for the container `fqdn`, that is passed as `-h` argument.
Check the following page for more information regarding [postfix and SSL/TLS configuration](http://www.mad-hacking.net/documentation/linux/applications/mail/using-ssl-tls-postfix-courier.xml).
If a matching certificate (files listed above) is found in `postfix/ssl`, it will be automatically setup in postfix and courier-imap-ssl. You just have to place them in `postfix/ssl` folder.

41
start-mailserver.sh
View file

@ -54,11 +54,36 @@ echo "Postfix configurations"
touch /etc/postfix/vmailbox && postmap /etc/postfix/vmailbox touch /etc/postfix/vmailbox && postmap /etc/postfix/vmailbox
touch /etc/postfix/virtual && postmap /etc/postfix/virtual touch /etc/postfix/virtual && postmap /etc/postfix/virtual
# Adding self-signed SSL certificate if provided in 'postfix/ssl' folder # SSL Configuration
if [ -e "/tmp/postfix/ssl/$(hostname)-cert.pem" ] \ case $DMS_SSL in
&& [ -e "/tmp/postfix/ssl/$(hostname)-key.pem" ] \ "letsencrypt" )
&& [ -e "/tmp/postfix/ssl/$(hostname)-combined.pem" ] \ # letsencrypt folders and files mounted in /etc/letsencrypt
&& [ -e "/tmp/postfix/ssl/demoCA/cacert.pem" ]; then
# Adding certificates from Letsencrypt and IdenTrust
# curl https://letsencrypt.org/certs/isrgrootx1.pem -so /etc/ssl/certs/isrgrootx1.pem
# curl https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem -so /etc/ssl/certs/lets-encrypt-x1-cross-signed.pem
# curl https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.pem -so /etc/ssl/certs/lets-encrypt-x2-cross-signed.pem
# curl https://letsencrypt.org/certs/letsencryptauthorityx1.pem -so /etc/ssl/certs/letsencryptauthorityx1.pem
# curl https://letsencrypt.org/certs/letsencryptauthorityx2.pem -so /etc/ssl/certs/letsencryptauthorityx2.pem
# Postfix configuration
sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/letsencrypt\/live\/'$(hostname)'\/fullchain.pem/g' /etc/postfix/main.cf
sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/letsencrypt\/live\/'$(hostname)'\/privkey.pem/g' /etc/postfix/main.cf
# Courier configuration
cat /etc/letsencrypt/live/$(hostname)/privkey.pem /etc/letsencrypt/live/$(hostname)/cert.pem >> /etc/letsencrypt/live/$(hostname)/combined.pem
sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/letsencrypt\/live\/'$(hostname)'\/combined.pem/g' /etc/courier/imapd-ssl
echo "SSL configured with letsencrypt certificates"
;;
"self-signed" )
# Adding self-signed SSL certificate if provided in 'postfix/ssl' folder
if [ -e "/tmp/postfix/ssl/$(hostname)-cert.pem" ] \
&& [ -e "/tmp/postfix/ssl/$(hostname)-key.pem" ] \
&& [ -e "/tmp/postfix/ssl/$(hostname)-combined.pem" ] \
&& [ -e "/tmp/postfix/ssl/demoCA/cacert.pem" ]; then
echo "Adding $(hostname) SSL certificate" echo "Adding $(hostname) SSL certificate"
mkdir -p /etc/postfix/ssl mkdir -p /etc/postfix/ssl
cp /tmp/postfix/ssl/$(hostname)-cert.pem /etc/postfix/ssl cp /tmp/postfix/ssl/$(hostname)-cert.pem /etc/postfix/ssl
@ -75,7 +100,11 @@ if [ -e "/tmp/postfix/ssl/$(hostname)-cert.pem" ] \
# Courier configuration # Courier configuration
sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/'$(hostname)'-combined.pem/g' /etc/courier/imapd-ssl sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/'$(hostname)'-combined.pem/g' /etc/courier/imapd-ssl
fi fi
;;
esac
echo "Fixing permissions" echo "Fixing permissions"
chown -R 5000:5000 /var/mail chown -R 5000:5000 /var/mail