diff --git a/bin/generate-ssl-certificate b/bin/generate-ssl-certificate
index c65bc445..080a2708 100644
--- a/bin/generate-ssl-certificate
+++ b/bin/generate-ssl-certificate
@@ -1,4 +1,17 @@
 #!/bin/sh
 FQDN=$(hostname)
-openssl req -new -newkey rsa:2048 -nodes -keyout /ssl/$FQDN.key -out /ssl/$FQDN.csr
\ No newline at end of file
+
+cd /ssl
+# Create CA certificate
+/usr/lib/ssl/misc/CA.pl -newca
+# Create an unpassworded private key and create an unsigned public key certificate
+openssl req -new -nodes -keyout /ssl/$FQDN-key.pem -out /ssl/$FQDN-req.pem -days 3652
+# Sign the public key certificate with CA certificate
+openssl ca -out /ssl/$FQDN-cert.pem -infiles /ssl/$FQDN-req.pem
+# Combine certificates for courier
+cat /ssl/$FQDN-key.pem /ssl/$FQDN-cert.pem >> /ssl/$FQDN-combined.pem
+
+# chmod 644 /etc/postfix/foo-cert.pem /etc/postfix/cacert.pem
+# chmod 400 /etc/postfix/foo-key.pem
+
diff --git a/postfix/main.cf b/postfix/main.cf
index 51a6b0cd..ef5ee284 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -20,6 +20,8 @@ inet_protocols = all
 # TLS parameters
 smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+#smtpd_tls_CAfile=
+#smtp_tls_CAfile=
 smtpd_tls_security_level = may
 smtpd_use_tls=yes
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
diff --git a/start-mailserver.sh b/start-mailserver.sh
index d17a7ba1..f989b25a 100644
--- a/start-mailserver.sh
+++ b/start-mailserver.sh
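Review bot: The combined file is written with `>>`, so every run of the script appends another key/certificate pair to `/ssl/$FQDN-combined.pem` instead of replacing it, and the file it produces contains the private key yet is left at whatever the default umask allows — the only chmod lines in the hunk are commented out and refer to placeholder `foo-*.pem` paths. Use `cat "/ssl/$FQDN-key.pem" "/ssl/$FQDN-cert.pem" > "/ssl/$FQDN-combined.pem"` and follow it with `chmod 400 "/ssl/$FQDN-key.pem" "/ssl/$FQDN-combined.pem"`. The `-days 3652` on the `openssl req` line has no effect when generating a CSR (it only applies together with `-x509`); the certificate lifetime comes from whatever `openssl ca` takes from its configuration, so either drop it or pass `-days` to the `openssl ca` call instead. `cd /ssl` should be `cd /ssl || exit 1`, since a failed cd would otherwise leave CA.pl creating `demoCA/` in the current directory.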
@@ -33,15 +33,17 @@ sed -i -r 's/DOCKER_MAIL_DOMAIN/'"$(hostname -d)"'/g' /etc/postfix/main.cf
 cat /tmp/vhost.tmp | sort | uniq >> /etc/postfix/vhost && rm /tmp/vhost.tmp
 
 # Adding SSL certificate if provided in 'postfix/ssl' folder
-if [ -e "/tmp/postfix/ssl/$(hostname).csr" ]; then
- echo "Adding $(hostname) csr/key SSL certificate"
+if [ -e "/tmp/postfix/ssl/$(hostname)-cert.pem" ]; then
+ echo "Adding $(hostname) SSL certificate"
 cp -r /tmp/postfix/ssl /etc/postfix/ssl
 # Postfix configuration
- sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/postfix\/ssl\/'$(hostname)'.csr/g' /etc/postfix/main.cf
- sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/postfix\/ssl\/'$(hostname)'.key/g' /etc/postfix/main.cf
- ln -s /etc/postfix/ssl/$(hostname).csr /etc/ssl/certs/$(hostname).pem
+ sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/postfix\/ssl\/'$(hostname)'-cert.pem/g' /etc/postfix/main.cf
+ sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/postfix\/ssl\/'$(hostname)'-key.pem/g' /etc/postfix/main.cf
+ sed -i -r 's/#smtpd_tls_CAfile=/smtpd_tls_CAfile=\/etc\/postfix\/ssl\/demoCA\/cacert.pem/g' /etc/postfix/main.cf
+ sed -i -r 's/#smtp_tls_CAfile=/smtp_tls_CAfile=\/etc\/postfix\/ssl\/demoCA\/cacert.pem/g' /etc/postfix/main.cf
+ ln -s /etc/postfix/ssl/demoCA/cacert.pem /etc/ssl/certs/cacert-$(hostname).pem
 # Courier configuration
- sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/ssl\/certs\/'$(hostname)'.pem/g' /etc/courier/imapd-ssl
+ sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/'$(hostname)'-combined.pem/g' /etc/courier/imapd-ssl
 fi
 
 echo "Fixing permissions"
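Review bot: The guard on the `if` line only tests for `$(hostname)-cert.pem`, but the new sed lines also commit main.cf to `$(hostname)-key.pem` and `demoCA/cacert.pem`; if either is missing from the mounted folder, Postfix is left pointing at files that do not exist with the snakeoil defaults already overwritten. Extend the check to `if [ -e "/tmp/postfix/ssl/$(hostname)-cert.pem" ] && [ -e "/tmp/postfix/ssl/$(hostname)-key.pem" ] && [ -e /tmp/postfix/ssl/demoCA/cacert.pem ]; then`. `cp -r /tmp/postfix/ssl /etc/postfix/ssl` also copies everything under `demoCA/`; if the generator's CA private key is still in there (CA.pl normally writes it under `demoCA/private/`, not visible here), it lands on the mail host although only `cacert.pem` is needed at runtime, so copying just the CA cert and the server key pair would be safer. The new `ln -s` for `cacert-$(hostname).pem` has no `-f`, so it fails with "File exists" on a restart if `/etc/ssl/certs` persists; that is harmless only if the script does not run under `set -e`, which this hunk does not show. Note also that `smtp_tls_CAfile` is the SMTP client-side trust store, so pointing it at the private demoCA certificate only helps when the remote servers this host delivers to present certificates from that CA.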