mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
Add the option of manually specifying paths to SSL certificates (#296)
* Add the option of manually specifying paths to SSL certificates * Adding tests for manual SSL changes
This commit is contained in:
parent
afb8c05cf9
commit
ee0c4244cc
9
Makefile
9
Makefile
|
@ -75,6 +75,13 @@ run:
|
||||||
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
||||||
-e DISABLE_CLAMAV=1 \
|
-e DISABLE_CLAMAV=1 \
|
||||||
-h mail.my-domain.com -t $(NAME)
|
-h mail.my-domain.com -t $(NAME)
|
||||||
|
docker run -d --name mail_manual_ssl \
|
||||||
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
||||||
|
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
||||||
|
-e SSL_TYPE=manual \
|
||||||
|
-e SSL_CERT_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem \
|
||||||
|
-e SSL_KEY_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem \
|
||||||
|
-h mail.my-domain.com -t $(NAME)
|
||||||
# Wait for containers to fully start
|
# Wait for containers to fully start
|
||||||
sleep 20
|
sleep 20
|
||||||
|
|
||||||
|
@ -104,4 +111,4 @@ tests:
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
# Remove running test containers
|
# Remove running test containers
|
||||||
docker rm -f mail mail_pop3 mail_smtponly mail_fail2ban mail_fetchmail fail-auth-mailer mail_disabled_amavis mail_disabled_spamassassin mail_disabled_clamav
|
docker rm -f mail mail_pop3 mail_smtponly mail_fail2ban mail_fetchmail fail-auth-mailer mail_disabled_amavis mail_disabled_spamassassin mail_disabled_clamav mail_manual_ssl
|
||||||
|
|
|
@ -143,6 +143,7 @@ Otherwise, `iptables` won't be able to ban IPs.
|
||||||
- **empty** => SSL disabled
|
- **empty** => SSL disabled
|
||||||
- letsencrypt => Enables Let's Encrypt certificates
|
- letsencrypt => Enables Let's Encrypt certificates
|
||||||
- custom => Enables custom certificates
|
- custom => Enables custom certificates
|
||||||
|
- manual => Let's you manually specify locations of your SSL certificates for non-standard cases
|
||||||
- self-signed => Enables self-signed certificates
|
- self-signed => Enables self-signed certificates
|
||||||
|
|
||||||
Please read [the SSL page in the wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-SSL) for more information.
|
Please read [the SSL page in the wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-SSL) for more information.
|
||||||
|
|
|
@ -165,6 +165,30 @@ case $SSL_TYPE in
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
"manual" )
|
||||||
|
# Lets you manually specify the location of the SSL Certs to use. This gives you some more control over this whole processes (like using kube-lego to generate certs)
|
||||||
|
if [ -n "$SSL_CERT_PATH" ] \
|
||||||
|
&& [ -n "$SSL_KEY_PATH" ]; then
|
||||||
|
echo "Configuring certificates using cert $SSL_CERT_PATH and key $SSL_KEY_PATH"
|
||||||
|
mkdir -p /etc/postfix/ssl
|
||||||
|
cp "$SSL_CERT_PATH" /etc/postfix/ssl/cert
|
||||||
|
cp "$SSL_KEY_PATH" /etc/postfix/ssl/key
|
||||||
|
chmod 600 /etc/postfix/ssl/cert
|
||||||
|
chmod 600 /etc/postfix/ssl/key
|
||||||
|
|
||||||
|
# Postfix configuration
|
||||||
|
sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/postfix\/ssl\/cert/g' /etc/postfix/main.cf
|
||||||
|
sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/postfix\/ssl\/key/g' /etc/postfix/main.cf
|
||||||
|
|
||||||
|
# Dovecot configuration
|
||||||
|
sed -i -e 's/ssl_cert = <\/etc\/dovecot\/dovecot\.pem/ssl_cert = <\/etc\/postfix\/ssl\/cert/g' /etc/dovecot/conf.d/10-ssl.conf
|
||||||
|
sed -i -e 's/ssl_key = <\/etc\/dovecot\/private\/dovecot\.pem/ssl_key = <\/etc\/postfix\/ssl\/key/g' /etc/dovecot/conf.d/10-ssl.conf
|
||||||
|
|
||||||
|
echo "SSL configured with 'Manual' certificates"
|
||||||
|
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
|
||||||
"self-signed" )
|
"self-signed" )
|
||||||
# Adding self-signed SSL certificate if provided in 'postfix/ssl' folder
|
# Adding self-signed SSL certificate if provided in 'postfix/ssl' folder
|
||||||
if [ -e "/tmp/docker-mailserver/ssl/$(hostname)-cert.pem" ] \
|
if [ -e "/tmp/docker-mailserver/ssl/$(hostname)-cert.pem" ] \
|
||||||
|
|
|
@ -433,6 +433,33 @@
|
||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@test "checking ssl: manual configuration is correct" {
|
||||||
|
run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/cert" /etc/postfix/main.cf | wc -l'
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
|
[ "$output" -eq 1 ]
|
||||||
|
run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/cert" /etc/dovecot/conf.d/10-ssl.conf | wc -l'
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
|
[ "$output" -eq 1 ]
|
||||||
|
run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/key" /etc/postfix/main.cf | wc -l'
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
|
[ "$output" -eq 1 ]
|
||||||
|
run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/key" /etc/dovecot/conf.d/10-ssl.conf | wc -l'
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
|
[ "$output" -eq 1 ]
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "checking ssl: manual configuration copied files correctly " {
|
||||||
|
run docker exec mail_manual_ssl /bin/sh -c 'cmp -s /etc/postfix/ssl/cert /tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem'
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
|
run docker exec mail_manual_ssl /bin/sh -c 'cmp -s /etc/postfix/ssl/key /tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem'
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "checking ssl: manual cert works correctly" {
|
||||||
|
run docker exec mail_manual_ssl /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 10 (certificate has expired)'"
|
||||||
|
[ "$status" -eq 0 ]
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# fail2ban
|
# fail2ban
|
||||||
#
|
#
|
||||||
|
|
Loading…
Reference in a new issue