Certificate: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
(89 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
[[Configuration#Certificate|Back to Configuration]]<br> | |||
[[Rocky,_Alma,_Springdale_9_QT_Install|Back to Install]]<br> | |||
= Security Certificate = | = Security Certificate = | ||
== Self-Signed == | == Self-Signed == | ||
# cd /tmp | |||
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld" | # SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld" | ||
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj $SUBJ | # openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj $SUBJ | ||
# cat cert.pem key.pem > servercert.pem | |||
# cp servercert.pem /var/qmail/control/servercert.pem | |||
# remove *.pem | |||
== Let's Encrypt == | |||
(assumes a functioning Apache web server for domain.tld) | |||
# dnf -y install certbot python3-certbot-apache | |||
# certbot --apache -d domain.tld -d mail.domain.tld <span style="color:red">--rsa-key-size 2048 --key-type rsa</span> | |||
A 2048 bit key should have been created (qmail won't run with anything less), if not, force it with RSA options <span style="color:red">(in red)</span> above.<br> | |||
Check the size of the private key with the following command | |||
# openssl rsa -in /etc/letsencrypt/live/mydomain.tld/privkey.pem -text | grep Key | |||
Move key & certificate in place | |||
# cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak | |||
# cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/mydomain.tld/fullchain.pem <nowiki>></nowiki> servercert.pem | |||
# cp ./servercert.pem /var/qmail/control/servercert.pem | |||
< | == GoDaddy == | ||
# cd /tmp | |||
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld" | |||
# openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -subj $SUBJ | |||
# openssl req -in csr.pem -noout -text <span style="color:red">(Examine your signing request)<span> | |||
Submit signing request (csr.pem) to GoDaddy, download crt and crt bundle, pack, and move in place. | |||
# cat key.pem 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem | |||
# cp servercert.pem /var/qmail/control | |||
= Implementation = | |||
== Restart Services == | |||
# | # qmailctl stop && sleep 2 && qmailctl start | ||
# systemctl reload dovecot httpd | |||
== Renew (Let's Encrypt) *with script == | |||
# crontab -e | |||
0 0 * * * /opt/certbot/renewcerts renew | |||
mailcert () { | #!/bin/bash<br> | ||
# Script: renewcerts | |||
# Function: renew certificates<br> | |||
LOG=/usr/command/certs/certs.log | |||
days=3<br> | |||
today=`date` | |||
today=`date --date="$today" --utc +%s` | |||
CD=/etc/letsencrypt/live | |||
FC=fullchain.pem | |||
PK=privkey.pem<br> | |||
mailcert () { | |||
cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem | cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem | ||
cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak | cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak | ||
cp | cp servercert.pem /var/qmail/control/servercert.pem | ||
systemctl reload dovecot | systemctl reload dovecot | ||
qmailctl stop && sleep 2 && qmailctl start | qmailctl stop && sleep 2 && qmailctl start | ||
} | }<br> | ||
for CDOM in `ls $CD` | |||
for CDOM in `ls $CD` | do | ||
do | |||
[ "$CDOM" = "README" ] && continue | [ "$CDOM" = "README" ] && continue | ||
exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'` | exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'` | ||
Line 85: | Line 76: | ||
if [ $diff -le $days ] | if [ $diff -le $days ] | ||
then | then | ||
certbot renew --cert-name $CDOM | certbot renew --cert-name $CDOM --apache <span style="color:red">--rsa-key-size 2048 --key-type rsa</span> | ||
systemctl reload httpd | systemctl reload httpd | ||
mailcert $CDOM | mailcert $CDOM | ||
fi | fi | ||
done | done<br> | ||
exit 0 | |||
== Mail server settings == | |||
</ | === Dovecot === | ||
ssl_cert = </var/qmail/control/servercert.pem | |||
ssl_key = </var/qmail/control/servercert.pem | |||
= | ===Submission=== | ||
== | |||
<pre> | <pre> | ||
#!/bin/sh | #!/bin/sh | ||
Line 115: | Line 108: | ||
</pre> | </pre> | ||
==SMTPS== | ===SMTPS=== | ||
<pre> | <pre> | ||
#!/bin/sh | #!/bin/sh |
Latest revision as of 09:26, 19 October 2024
Back to Configuration
Back to Install
Security Certificate
Self-Signed
# cd /tmp # SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld" # openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj $SUBJ # cat cert.pem key.pem > servercert.pem # cp servercert.pem /var/qmail/control/servercert.pem # remove *.pem
Let's Encrypt
(assumes a functioning Apache web server for domain.tld)
# dnf -y install certbot python3-certbot-apache
# certbot --apache -d domain.tld -d mail.domain.tld --rsa-key-size 2048 --key-type rsa
A 2048 bit key should have been created (qmail won't run with anything less), if not, force it with RSA options (in red) above.
Check the size of the private key with the following command
# openssl rsa -in /etc/letsencrypt/live/mydomain.tld/privkey.pem -text | grep Key
Move key & certificate in place
# cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak # cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/mydomain.tld/fullchain.pem > servercert.pem # cp ./servercert.pem /var/qmail/control/servercert.pem
GoDaddy
# cd /tmp
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
# openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -subj $SUBJ
# openssl req -in csr.pem -noout -text (Examine your signing request)
Submit signing request (csr.pem) to GoDaddy, download crt and crt bundle, pack, and move in place.
# cat key.pem 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem # cp servercert.pem /var/qmail/control
Implementation
Restart Services
# qmailctl stop && sleep 2 && qmailctl start # systemctl reload dovecot httpd
Renew (Let's Encrypt) *with script
# crontab -e 0 0 * * * /opt/certbot/renewcerts renew
#!/bin/bash
# Script: renewcerts # Function: renew certificates
LOG=/usr/command/certs/certs.log days=3
today=`date` today=`date --date="$today" --utc +%s` CD=/etc/letsencrypt/live FC=fullchain.pem PK=privkey.pem
mailcert () { cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak cp servercert.pem /var/qmail/control/servercert.pem systemctl reload dovecot qmailctl stop && sleep 2 && qmailctl start }
for CDOM in `ls $CD` do [ "$CDOM" = "README" ] && continue exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'` off=`date --date="$exp" --utc +%s` diff=$(( (off - today)/86400 )) echo "Certificate Domain: $CDOM, Days to expire: $diff" echo "" if [ $diff -le $days ] then certbot renew --cert-name $CDOM --apache --rsa-key-size 2048 --key-type rsa systemctl reload httpd mailcert $CDOM fi done
exit 0
Mail server settings
Dovecot
ssl_cert = </var/qmail/control/servercert.pem ssl_key = </var/qmail/control/servercert.pem
Submission
#!/bin/sh QMAILDUID=`id -u vpopmail` NOFILESGID=`id -g vpopmail` MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` SMTPD="/var/qmail/bin/qmail-smtpd" TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb" HOSTNAME=`hostname` VCHKPW="/home/vpopmail/bin/vchkpw" export FORCETLS="1" export SMTPAUTH="!" exec /usr/bin/softlimit -m 128000000 \ /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \ -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \ $SMTPD $VCHKPW /bin/true 2>&1
SMTPS
#!/bin/sh QMAILDUID=`id -u vpopmail` NOFILESGID=`id -g vpopmail` MAXSMTPD=`cat /var/qmail/control/concurrencyincoming` SMTPD="/var/qmail/bin/qmail-smtpd" TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb" HOSTNAME=`hostname` VCHKPW="/home/vpopmail/bin/vchkpw" export SMTPS="1" export FORCETLS="0" export SMTPAUTH="!+cram" exec /usr/bin/softlimit -m 128000000 \ /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \ -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \ $SMTPD $VCHKPW /bin/true 2>&1