Certificate

From QmailToaster
Revision as of 00:34, 18 October 2024 by Ebroch (talk | contribs)
Jump to navigation Jump to search

Security Certificate

Self-Signed

# cd /tmp
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj $SUBJ
# cat cert.pem key.pem > servercert.pem
# cp servercert.pem /var/qmail/control/servercert.pem
# remove *.pem

Let's Encrypt

(assumes a functioning Apache web server for domain.tld)

# dnf -y install certbot python3-certbot-apache
# certbot --apache -d domain.tld -d mail.domain.tld

A 2048 bit key should have been created, if not, force it with RSA options

# certbot --rsa-key-size 2048 --key-type rsa --apache -d domain.tld -d mail.domain.tld

Check the size of the private key with this command

# openssl rsa -in /etc/letsencrypt/live/mail.mydomain.com/privkey.pem  -text | grep Key

Move key & certificate in place

# cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
# cat /etc/letsencrypt/live/mail.mydomain.com/privkey.pem /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem > servercert.pem
# cp ./servercert.pem /var/qmail/control/servercert.pem

Go Daddy

# cd /tmp
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
# openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -subj $SUBJ
# openssl req -in csr.pem -noout -text (Examine your signing request)

Submit signing request (csr.pem) to GoDaddy and download crt and crt bundle when done.

# cat key.pem 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
# chmod 644 servercert.pem
# chown root:qmail servercert.pem
# cp -p servercert.pem /var/qmail/control

Implementation

Restart Services

# qmailctl stop && sleep 2 && qmailctl start
# systemctl restart dovecot httpd

Renew (Let's Encrypt) *with script

# crontab -e
0 0 * * * /opt/certbot/certbot renew
#!/bin/bash
# certbot: script to renew certificates

LOG=/usr/command/certs/certs.log
days=3

today=`date`
today=`date --date="$today" --utc +%s`
CD=/etc/letsencrypt/live
FC=fullchain.pem
PK=privkey.pem

mailcert () {
   cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem
   cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
   cp ./servercert.pem  /var/qmail/control/servercert.pem
   systemctl reload dovecot  
   qmailctl stop && sleep 2 && qmailctl start
}

for CDOM in `ls $CD`
do
   [ "$CDOM" = "README" ] && continue
   exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'`
   off=`date --date="$exp" --utc +%s`
   diff=$(( (off - today)/86400 ))
   echo "Certificate Domain: $CDOM, Days to expire: $diff"
   echo ""
   if [ $diff -le $days ]
   then
      certbot renew --cert-name $CDOM
      systemctl reload httpd
      mailcert $CDOM
   fi
done

exit 0

Mail server settings

Dovecot

ssl_cert = </var/qmail/control/servercert.pem
ssl_key = </var/qmail/control/servercert.pem

Submission

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export FORCETLS="1"
export SMTPAUTH="!"

exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    $SMTPD $VCHKPW /bin/true 2>&1

SMTPS

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export SMTPS="1"
export FORCETLS="0"
export SMTPAUTH="!+cram"

exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
    $SMTPD $VCHKPW /bin/true 2>&1