Certificate
Security Certificate
Self-Signed
# cd /tmp # SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld" # openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj $SUBJ # cat cert.pem key.pem > servercert.pem # cp servercert.pem /var/qmail/control/servercert.pem # remove *.pem
Let's Encrypt
# dnf -y install certbot python3-certbot-apache # certbot --apache -d domain.tld -d mail.domain.tld
This should create a 2048 bit certificate, if not
# certbot --rsa-key-size 2048 --key-type rsa --apache -d domain.tld -d mail.domain.tld # cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak # cat /etc/letsencrypt/live/mail.mydomain.com/privkey.pem /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem > servercert.pem # cp ./servercert.pem /var/qmail/control/servercert.pem
Go Daddy
# cd /tmp
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
# openssl genrsa -out key.pem 2048
# openssl req -new -key key.pem -out csr.pem -subj $SUBJ
# openssl req -in csr.pem -noout -text (Examine your signing request)
Submit signing request (csr.pem) to GoDaddy and download crt and crt bundle when done.
# cat key.pem 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem # chmod 644 servercert.pem # chown root:qmail servercert.pem # cp -p servercert.pem /var/qmail/control
Implementation
Restart Services
# qmailctl stop && sleep 2 && qmailctl start # systemctl restart dovecot httpd
Dovecot
ssl_cert = </var/qmail/control/servercert.pem ssl_key = </var/qmail/control/servercert.pem
Renew (Let's Encrypt) *with script
# crontab -e 0 0 * * * /opt/certbot/certbot renew
#!/bin/bash
# certbot: script to renew certificates
LOG=/usr/command/certs/certs.log
days=3
today=`date`
today=`date --date="$today" --utc +%s`
CD=/etc/letsencrypt/live
FC=fullchain.pem
PK=privkey.pem
mailcert () {
cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem
cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
cp ./servercert.pem /var/qmail/control/servercert.pem
systemctl reload dovecot
qmailctl stop && sleep 2 && qmailctl start
}
for CDOM in `ls $CD`
do
[ "$CDOM" = "README" ] && continue
exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'`
off=`date --date="$exp" --utc +%s`
diff=$(( (off - today)/86400 ))
echo "Certificate Domain: $CDOM, Days to expire: $diff"
echo ""
if [ $diff -le $days ]
then
certbot renew --cert-name $CDOM
systemctl reload httpd
mailcert $CDOM
fi
done
exit 0
Qmail run scripts
Submission
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export FORCETLS="1"
export SMTPAUTH="!"
exec /usr/bin/softlimit -m 128000000 \
/usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
$SMTPD $VCHKPW /bin/true 2>&1
SMTPS
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export SMTPS="1"
export FORCETLS="0"
export SMTPAUTH="!+cram"
exec /usr/bin/softlimit -m 128000000 \
/usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
$SMTPD $VCHKPW /bin/true 2>&1