Generate dhparams at startup, not build

This commit is contained in:
Erik Wramner 2019-08-09 22:13:50 +02:00
parent 1903e98ef2
commit fc8d684994
3 changed files with 46 additions and 14 deletions

View file

@ -96,7 +96,9 @@ RUN apt-get update -q --fix-missing && \
touch /var/log/auth.log && \ touch /var/log/auth.log && \
update-locale && \ update-locale && \
rm -f /etc/cron.weekly/fstrim && \ rm -f /etc/cron.weekly/fstrim && \
rm -f /etc/postsrsd.secret rm -f /etc/postsrsd.secret && \
rm -f /etc/postfix/dhparams.pem && \
rm -f /etc/dovecot/dh.pem
RUN echo "0 */6 * * * clamav /usr/bin/freshclam --quiet" > /etc/cron.d/clamav-freshclam && \ RUN echo "0 */6 * * * clamav /usr/bin/freshclam --quiet" > /etc/cron.d/clamav-freshclam && \
chmod 644 /etc/clamav/freshclam.conf && \ chmod 644 /etc/clamav/freshclam.conf && \
@ -120,8 +122,7 @@ RUN sed -i -e 's/include_try \/usr\/share\/dovecot\/protocols\.d/include_try \/e
cd /usr/share/dovecot && \ cd /usr/share/dovecot && \
./mkcert.sh && \ ./mkcert.sh && \
mkdir -p /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global && \ mkdir -p /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global && \
chmod 755 -R /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global && \ chmod 755 -R /usr/lib/dovecot/sieve-pipe /usr/lib/dovecot/sieve-filter /usr/lib/dovecot/sieve-global
openssl dhparam -out /etc/dovecot/dh.pem 2048
# Configures LDAP # Configures LDAP
COPY target/dovecot/dovecot-ldap.conf.ext /etc/dovecot COPY target/dovecot/dovecot-ldap.conf.ext /etc/dovecot
@ -180,10 +181,7 @@ RUN mkdir /var/run/fetchmail && chown fetchmail /var/run/fetchmail
# Configures Postfix # Configures Postfix
COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/ COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/
COPY target/postfix/header_checks.pcre target/postfix/sender_header_filter.pcre target/postfix/sender_login_maps.pcre /etc/postfix/maps/ COPY target/postfix/header_checks.pcre target/postfix/sender_header_filter.pcre target/postfix/sender_login_maps.pcre /etc/postfix/maps/
RUN echo "" > /etc/aliases && \ RUN echo "" > /etc/aliases
openssl dhparam -out /etc/postfix/dhparams.pem 2048 && \
echo "@weekly FILE=\`mktemp\` ; openssl dhparam -out \$FILE 2048 > /dev/null 2>&1 && mv -f \$FILE /etc/postfix/dhparams.pem" > /etc/cron.d/dh2048
# Configuring Logs # Configuring Logs
RUN sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf && \ RUN sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf && \

View file

@ -1224,28 +1224,41 @@ function _setup_postfix_relay_hosts() {
function _setup_postfix_dhparam() { function _setup_postfix_dhparam() {
notify 'task' 'Setting up Postfix dhparam' notify 'task' 'Setting up Postfix dhparam'
if [ "$ONE_DIR" = 1 ];then if [ "$ONE_DIR" = 1 ];then
DHPARAMS_FILE=/var/mail-state/lib-postfix/dhparams.pem DHPARAMS_FILE=/var/mail-state/lib-shared/dhparams.pem
if [ ! -f $DHPARAMS_FILE ]; then if [ ! -f $DHPARAMS_FILE ]; then
notify 'inf' "Generate new dhparams for postfix" notify 'inf' "Generate new shared dhparams (postfix)"
mkdir -p $(dirname "$DHPARAMS_FILE") mkdir -p $(dirname "$DHPARAMS_FILE")
openssl dhparam -out $DHPARAMS_FILE 2048 openssl dhparam -out $DHPARAMS_FILE 2048
else else
notify 'inf' "Use dhparams that was generated previously" notify 'inf' "Use postfix dhparams that was generated previously"
fi fi
# Copy from the state directory to the working location # Copy from the state directory to the working location
rm /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem rm /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem
else else
notify 'inf' "No state dir, we use the dhparams generated on image creation" if [ ! -f /etc/postfix/dhparams.pem ]; then
if [ -f /etc/dovecot/dh.pem ]; then
notify 'inf' "Copy dovecot dhparams to postfix"
cp /etc/dovecot/dh.pem /etc/postfix/dhparams.pem
elif [ -f /tmp/docker-mailserver/dhparams.pem ]; then
notify 'inf' "Copy pre-generated dhparams to postfix"
cp /tmp/docker-mailserver/dhparams.pem /etc/postfix/dhparams.pem
else
notify 'inf' "Generate new dhparams for postfix"
openssl dhparam -out /etc/postfix/dhparams.pem 2048
fi
else
notify 'inf' "Use existing postfix dhparams"
fi
fi fi
} }
function _setup_dovecot_dhparam() { function _setup_dovecot_dhparam() {
notify 'task' 'Setting up Dovecot dhparam' notify 'task' 'Setting up Dovecot dhparam'
if [ "$ONE_DIR" = 1 ];then if [ "$ONE_DIR" = 1 ];then
DHPARAMS_FILE=/var/mail-state/lib-dovecot/dh.pem DHPARAMS_FILE=/var/mail-state/lib-shared/dhparams.pem
if [ ! -f $DHPARAMS_FILE ]; then if [ ! -f $DHPARAMS_FILE ]; then
notify 'inf' "Generate new dhparams for dovecot" notify 'inf' "Generate new shared dhparams (dovecot)"
mkdir -p $(dirname "$DHPARAMS_FILE") mkdir -p $(dirname "$DHPARAMS_FILE")
openssl dhparam -out $DHPARAMS_FILE 2048 openssl dhparam -out $DHPARAMS_FILE 2048
else else
@ -1255,7 +1268,20 @@ function _setup_dovecot_dhparam() {
# Copy from the state directory to the working location # Copy from the state directory to the working location
rm /etc/dovecot/dh.pem && cp $DHPARAMS_FILE /etc/dovecot/dh.pem rm /etc/dovecot/dh.pem && cp $DHPARAMS_FILE /etc/dovecot/dh.pem
else else
notify 'inf' "No state dir, we use the dovecot dhparams generated on image creation" if [ ! -f /etc/dovecot/dh.pem ]; then
if [ -f /etc/postfix/dhparams.pem ]; then
notify 'inf' "Copy postfix dhparams to dovecot"
cp /etc/postfix/dhparams.pem /etc/dovecot/dh.pem
elif [ -f /tmp/docker-mailserver/dhparams.pem ]; then
notify 'inf' "Copy pre-generated dhparams to dovecot"
cp /tmp/docker-mailserver/dhparams.pem /etc/dovecot/dh.pem
else
notify 'inf' "Generate new dhparams for dovecot"
openssl dhparam -out /etc/dovecot/dh.pem 2048
fi
else
notify 'inf' "Use existing dovecot dhparams"
fi
fi fi
} }

8
test/config/dhparams.pem Normal file
View file

@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAlYgX/PXMu60WVkgKXOqnT562wd2F3l1WDwyn7DLWDqb9rCI6SAB8
8uDkImAeoRFQycL77fXBqO9KKVk5x569Qjltacbw4/taOhWPAq/+6Wf5bZsUEp5g
wD+hLvgYn/0pdGkjiAJ+jlRBxarF9lJac4QPztqw3qJPtVdIKbmo58hoxERIthD2
f/ZkGjaZXzOIvD8Ai0NQ+H4k5DK5dLlFI78XbrsH161t4Jcspq+v5VUdUyUMAvti
4peK0RgHw47h90kkee+qIf5F+WWSw28tjkbILWx2ld/bN59eZj4itb3UUw/OZRpC
Y0pOBOvl1wp5PS+pUJAMsg6PR50yPNYREwIBAg==
-----END DH PARAMETERS-----