Add the option of manually specifying paths to SSL certificates (#296)

* Add the option of manually specifying paths to SSL certificates

* Adding tests for manual SSL changes
This commit is contained in:
Morgan Kesler 2016-08-31 09:15:39 -04:00 committed by Thomas VIAL
parent afb8c05cf9
commit ee0c4244cc
4 changed files with 62 additions and 3 deletions

View file

@ -75,6 +75,13 @@ run:
-v "`pwd`/test":/tmp/docker-mailserver-test \ -v "`pwd`/test":/tmp/docker-mailserver-test \
-e DISABLE_CLAMAV=1 \ -e DISABLE_CLAMAV=1 \
-h mail.my-domain.com -t $(NAME) -h mail.my-domain.com -t $(NAME)
docker run -d --name mail_manual_ssl \
-v "`pwd`/test/config":/tmp/docker-mailserver \
-v "`pwd`/test":/tmp/docker-mailserver-test \
-e SSL_TYPE=manual \
-e SSL_CERT_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem \
-e SSL_KEY_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem \
-h mail.my-domain.com -t $(NAME)
# Wait for containers to fully start # Wait for containers to fully start
sleep 20 sleep 20
@ -104,4 +111,4 @@ tests:
clean: clean:
# Remove running test containers # Remove running test containers
docker rm -f mail mail_pop3 mail_smtponly mail_fail2ban mail_fetchmail fail-auth-mailer mail_disabled_amavis mail_disabled_spamassassin mail_disabled_clamav docker rm -f mail mail_pop3 mail_smtponly mail_fail2ban mail_fetchmail fail-auth-mailer mail_disabled_amavis mail_disabled_spamassassin mail_disabled_clamav mail_manual_ssl

View file

@ -29,7 +29,7 @@ Before you open an issue, please have a look this `README`, the [Wiki](https://g
## Usage ## Usage
#### Get latest image #### Get latest image
docker pull tvial/docker-mailserver:latest docker pull tvial/docker-mailserver:latest
#### Create a `docker-compose.yml` #### Create a `docker-compose.yml`
@ -70,7 +70,7 @@ Don't forget to adapt MAIL_USER and MAIL_PASS to your needs
-ti tvial/docker-mailserver:latest \ -ti tvial/docker-mailserver:latest \
/bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s SHA512-CRYPT -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s SHA512-CRYPT -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf
#### Generate DKIM keys #### Generate DKIM keys
docker run --rm \ docker run --rm \
-v "$(pwd)/config":/tmp/docker-mailserver \ -v "$(pwd)/config":/tmp/docker-mailserver \
@ -143,6 +143,7 @@ Otherwise, `iptables` won't be able to ban IPs.
- **empty** => SSL disabled - **empty** => SSL disabled
- letsencrypt => Enables Let's Encrypt certificates - letsencrypt => Enables Let's Encrypt certificates
- custom => Enables custom certificates - custom => Enables custom certificates
- manual => Let's you manually specify locations of your SSL certificates for non-standard cases
- self-signed => Enables self-signed certificates - self-signed => Enables self-signed certificates
Please read [the SSL page in the wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-SSL) for more information. Please read [the SSL page in the wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-SSL) for more information.

View file

@ -165,6 +165,30 @@ case $SSL_TYPE in
fi fi
;; ;;
"manual" )
# Lets you manually specify the location of the SSL Certs to use. This gives you some more control over this whole processes (like using kube-lego to generate certs)
if [ -n "$SSL_CERT_PATH" ] \
&& [ -n "$SSL_KEY_PATH" ]; then
echo "Configuring certificates using cert $SSL_CERT_PATH and key $SSL_KEY_PATH"
mkdir -p /etc/postfix/ssl
cp "$SSL_CERT_PATH" /etc/postfix/ssl/cert
cp "$SSL_KEY_PATH" /etc/postfix/ssl/key
chmod 600 /etc/postfix/ssl/cert
chmod 600 /etc/postfix/ssl/key
# Postfix configuration
sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/postfix\/ssl\/cert/g' /etc/postfix/main.cf
sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/postfix\/ssl\/key/g' /etc/postfix/main.cf
# Dovecot configuration
sed -i -e 's/ssl_cert = <\/etc\/dovecot\/dovecot\.pem/ssl_cert = <\/etc\/postfix\/ssl\/cert/g' /etc/dovecot/conf.d/10-ssl.conf
sed -i -e 's/ssl_key = <\/etc\/dovecot\/private\/dovecot\.pem/ssl_key = <\/etc\/postfix\/ssl\/key/g' /etc/dovecot/conf.d/10-ssl.conf
echo "SSL configured with 'Manual' certificates"
fi
;;
"self-signed" ) "self-signed" )
# Adding self-signed SSL certificate if provided in 'postfix/ssl' folder # Adding self-signed SSL certificate if provided in 'postfix/ssl' folder
if [ -e "/tmp/docker-mailserver/ssl/$(hostname)-cert.pem" ] \ if [ -e "/tmp/docker-mailserver/ssl/$(hostname)-cert.pem" ] \

View file

@ -433,6 +433,33 @@
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
} }
@test "checking ssl: manual configuration is correct" {
run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/cert" /etc/postfix/main.cf | wc -l'
[ "$status" -eq 0 ]
[ "$output" -eq 1 ]
run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/cert" /etc/dovecot/conf.d/10-ssl.conf | wc -l'
[ "$status" -eq 0 ]
[ "$output" -eq 1 ]
run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/key" /etc/postfix/main.cf | wc -l'
[ "$status" -eq 0 ]
[ "$output" -eq 1 ]
run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/key" /etc/dovecot/conf.d/10-ssl.conf | wc -l'
[ "$status" -eq 0 ]
[ "$output" -eq 1 ]
}
@test "checking ssl: manual configuration copied files correctly " {
run docker exec mail_manual_ssl /bin/sh -c 'cmp -s /etc/postfix/ssl/cert /tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem'
[ "$status" -eq 0 ]
run docker exec mail_manual_ssl /bin/sh -c 'cmp -s /etc/postfix/ssl/key /tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem'
[ "$status" -eq 0 ]
}
@test "checking ssl: manual cert works correctly" {
run docker exec mail_manual_ssl /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 10 (certificate has expired)'"
[ "$status" -eq 0 ]
}
# #
# fail2ban # fail2ban
# #