Certificate

From QmailToaster
Jump to navigation Jump to search

Security Certificate

  1. Abstract: Create Certificate
    Generate key
    Generate signing request
    Sign the key
    Create server certificate
    Set permission
    Set owner
    Copy into place
    Restart services
    Implementation
    1. Self-Signed Certificate
      # openssl genrsa -out x.key 2048
      # openssl req -new -key x.key -out x.csr
      # openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt
      # cat x.crt x.key > servercert.pem
      # chmod 644 servercert.pem
      # chown root:qmail servercert.pem
      # cp -p servercert.pem /var/qmail/control
    2. Let's Encrypt (Assumes working web server)
      # yum install python-certbot-apache
      # certbot -apache -d mydomain.com -d mail.mydomain.com
      Apache
      SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
      SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
      Dovecot
      ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
      ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem
      Qmail
      # cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
      EL 7/8
      # cat /etc/letsencrypt/live/mail.mydomain.com/privkey.pem /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem > /var/qmail/control/servercert.pem
      EL 9
      # cat /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem /etc/letsencrypt/live/mail.mydomain.com/privkey.pem > /var/qmail/control/servercert.pem
      Cron auto renew (script below)
      0 0 * * * /opt/certbot/certbot renew
    3. Application: Godaddy Signed Certificate
      # openssl genrsa -out x.key 2048
      # openssl req -new -key x.key -out x.csr
      Submit signing request (x.csr) to Godaddy; Later download signed key (crt and crt bundle)
      # cat x.key 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
      # chmod 644 servercert.pem
      # chown root:qmail servercert.pem
      # cp -p servercert.pem /var/qmail/control
  2. Restart Qmail and Dovecot
    # qmailctl stop && sleep 2 && qmailctl start
    # systemctl restart dovecot
    # systemctl restart httpd
#!/bin/bash

LOG=/usr/command/certs/certs.log
days=3

today=`date`
today=`date --date="$today" --utc +%s`
CD=/etc/letsencrypt/live
FC=fullchain.pem
PK=privkey.pem

mailcert () {
   if [[ "`cat /etc/os-release | grep VERSION_ID | sed 's/VERSION_ID=//' | sed 's/"//g'`" == *"9"* ]]
   then
      cat $CD/$1/$FC $CD/$1/$PK > ./servercert.pem
   else
      cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem
   fi
   cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
   cp ./servercert.pem  /var/qmail/control/servercert.pem
   systemctl reload dovecot  
   qmailctl stop && sleep 2 && qmailctl start
}

for CDOM in `ls $CD`
do
   [ "$CDOM" = "README" ] && continue
   exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'`
   off=`date --date="$exp" --utc +%s`
   diff=$(( (off - today)/86400 ))
   echo "Certificate Domain: $CDOM, Days to expire: $diff"
   echo ""
   if [ $diff -le $days ]
   then
      certbot renew --cert-name $CDOM
      systemctl reload httpd
      mailcert $CDOM
   fi
done

exit 0

Implementation (qmail run scripts)

Submission

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export FORCETLS="1"
export SMTPAUTH="!"

exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    $SMTPD $VCHKPW /bin/true 2>&1

SMTPS

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export SMTPS="1"
export FORCETLS="0"
export SMTPAUTH="!+cram"

exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
    $SMTPD $VCHKPW /bin/true 2>&1