diff --git a/Makefile b/Makefile index da797c21..116ed1fd 100644 --- a/Makefile +++ b/Makefile @@ -17,6 +17,7 @@ install: install -m 755 src/${APP}-config ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-sec ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-addcert ${DESTDIR}${PREFIX}/bin + install -m 755 src/${APP}-clientcert ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-addlist ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-addemail ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-renew-cert ${DESTDIR}${PREFIX}/bin @@ -35,6 +36,7 @@ install: install -m 644 man/${APP}-config.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-sec.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-addcert.1.gz ${DESTDIR}${PREFIX}/share/man/man1 + install -m 644 man/${APP}-clientcert.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-addlist.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-addemail.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-renew-cert.1.gz ${DESTDIR}${PREFIX}/share/man/man1 @@ -52,6 +54,7 @@ uninstall: rm -f ${PREFIX}/share/man/man1/${APP}-remote.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-config.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-sec.1.gz + rm -f ${PREFIX}/share/man/man1/${APP}-clientcert.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-addcert.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-addlist.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-addemail.1.gz @@ -71,6 +74,7 @@ uninstall: rm -f ${PREFIX}/bin/${APP}-config rm -f ${PREFIX}/bin/${APP}-sec rm -f ${PREFIX}/bin/${APP}-addcert + rm -f ${PREFIX}/bin/${APP}-clientcert rm -f ${PREFIX}/bin/${APP}-addlist rm -f ${PREFIX}/bin/${APP}-addemail rm -f ${PREFIX}/bin/${APP}-renew-cert diff --git a/debian/source/include-binaries b/debian/source/include-binaries index adf2df5d..087091f5 100644 --- a/debian/source/include-binaries +++ b/debian/source/include-binaries 
@@ -4,6 +4,7 @@ man/freedombone-client.1.gz man/freedombone-remote.1.gz man/freedombone-config.1.gz man/freedombone-sec.1.gz +man/freedombone-clientcert.1.gz man/freedombone-addcert.1.gz man/freedombone-addlist.1.gz man/freedombone-addemail.1.gz diff --git a/man/freedombone-addcert.1.gz b/man/freedombone-addcert.1.gz index 38d40f74..ad66eaca 100644 Binary files a/man/freedombone-addcert.1.gz and b/man/freedombone-addcert.1.gz differ diff --git a/man/freedombone-addemail.1.gz b/man/freedombone-addemail.1.gz index 7c14b2b1..84c144cd 100644 Binary files a/man/freedombone-addemail.1.gz and b/man/freedombone-addemail.1.gz differ diff --git a/man/freedombone-addlist.1.gz b/man/freedombone-addlist.1.gz index 370295f4..5bda7839 100644 Binary files a/man/freedombone-addlist.1.gz and b/man/freedombone-addlist.1.gz differ diff --git a/man/freedombone-addxmpp.1.gz b/man/freedombone-addxmpp.1.gz index 826e80d0..eded5a1a 100644 Binary files a/man/freedombone-addxmpp.1.gz and b/man/freedombone-addxmpp.1.gz differ diff --git a/man/freedombone-client.1.gz b/man/freedombone-client.1.gz index 57b94f26..45cf9036 100644 Binary files a/man/freedombone-client.1.gz and b/man/freedombone-client.1.gz differ diff --git a/man/freedombone-clientcert.1.gz b/man/freedombone-clientcert.1.gz new file mode 100644 index 00000000..db58e972 Binary files /dev/null and b/man/freedombone-clientcert.1.gz differ diff --git a/man/freedombone-config.1.gz b/man/freedombone-config.1.gz index 5fb8b1a1..38cb8a05 100644 Binary files a/man/freedombone-config.1.gz and b/man/freedombone-config.1.gz differ diff --git a/man/freedombone-ignore.1.gz b/man/freedombone-ignore.1.gz index 536d6abc..d91f67d9 100644 Binary files a/man/freedombone-ignore.1.gz and b/man/freedombone-ignore.1.gz differ diff --git a/man/freedombone-prep.1.gz b/man/freedombone-prep.1.gz index 199b4e5f..d9cfb3c8 100644 Binary files a/man/freedombone-prep.1.gz and b/man/freedombone-prep.1.gz differ 
diff --git a/man/freedombone-remote.1.gz b/man/freedombone-remote.1.gz index 150309b8..6e50ad61 100644 Binary files a/man/freedombone-remote.1.gz and b/man/freedombone-remote.1.gz differ diff --git a/man/freedombone-renew-cert.1.gz b/man/freedombone-renew-cert.1.gz index d3c1e7c5..2266bc20 100644 Binary files a/man/freedombone-renew-cert.1.gz and b/man/freedombone-renew-cert.1.gz differ diff --git a/man/freedombone-rmemail.1.gz b/man/freedombone-rmemail.1.gz index 6dfde842..37df405a 100644 Binary files a/man/freedombone-rmemail.1.gz and b/man/freedombone-rmemail.1.gz differ diff --git a/man/freedombone-rmlist.1.gz b/man/freedombone-rmlist.1.gz index f644056f..67099321 100644 Binary files a/man/freedombone-rmlist.1.gz and b/man/freedombone-rmlist.1.gz differ diff --git a/man/freedombone-rmxmpp.1.gz b/man/freedombone-rmxmpp.1.gz index 595c507c..3a0c600a 100644 Binary files a/man/freedombone-rmxmpp.1.gz and b/man/freedombone-rmxmpp.1.gz differ diff --git a/man/freedombone-sec.1.gz b/man/freedombone-sec.1.gz index e528ab14..2a3977ea 100644 Binary files a/man/freedombone-sec.1.gz and b/man/freedombone-sec.1.gz differ diff --git a/man/freedombone-unignore.1.gz b/man/freedombone-unignore.1.gz index 3913f49b..2a668e50 100644 Binary files a/man/freedombone-unignore.1.gz and b/man/freedombone-unignore.1.gz differ diff --git a/man/freedombone-xmpp-pass.1.gz b/man/freedombone-xmpp-pass.1.gz index bb014912..4e51da09 100644 Binary files a/man/freedombone-xmpp-pass.1.gz and b/man/freedombone-xmpp-pass.1.gz differ diff --git a/man/freedombone.1.gz b/man/freedombone.1.gz index cdfb8888..c50218df 100644 Binary files a/man/freedombone.1.gz and b/man/freedombone.1.gz differ diff --git a/src/freedombone b/src/freedombone index 99222970..5961e493 100755 --- a/src/freedombone +++ b/src/freedombone 
@@ -5655,28 +5655,74 @@ function configure_imap {
 sed -i 's/auth_mechanisms =.*/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf
 sed -i 's|mail_location =.*|mail_location = maildir:~/Maildir:LAYOUT=fs|g' /etc/dovecot/conf.d/10-mail.conf
 
- # enable login via client certs
- # http://strange.systems/certificate-based-auth-with-dovecot-sendmail/
- #sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
- #sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
- #sed -i 's|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/dovecot-ca.pem|g' /etc/dovecot/conf.d/10-ssl.conf
- #sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf
- #if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then
- #echo '' >> /etc/dovecot/conf.d/10-auth.conf
- #echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf
- #echo ' driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
- #echo ' args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
- #echo ' deny = no' >> /etc/dovecot/conf.d/10-auth.conf
- #echo ' master = no' >> /etc/dovecot/conf.d/10-auth.conf
- #echo ' pass = no' >> /etc/dovecot/conf.d/10-auth.conf
- #echo '}' >> /etc/dovecot/conf.d/10-auth.conf
- #fi
- #echo "$MY_USERNAME:{plain}::::::nopassword" > /etc/dovecot/passwd-file
- #freedombone-addcert -h dovecot-ca --ca
 service dovecot restart
 echo 'configure_imap' >> $COMPLETION_FILE
 }
 
+function configure_imap_client_certs {
+ if grep -Fxq "configure_imap_client_certs" $COMPLETION_FILE; then
+ return
+ fi
+ # http://strange.systems/certificate-based-auth-with-dovecot-sendmail/
+ sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
+ sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
+ sed -i 's|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/dovecot-ca.crt|g' /etc/dovecot/conf.d/10-ssl.conf
+ sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf
+ if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then
+ echo '' >> /etc/dovecot/conf.d/10-auth.conf
+ echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf
+ echo ' driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
+ echo ' args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
+ echo ' deny = no' >> /etc/dovecot/conf.d/10-auth.conf
+ echo ' master = no' >> /etc/dovecot/conf.d/10-auth.conf
+ echo ' pass = no' >> /etc/dovecot/conf.d/10-auth.conf
+ echo '}' >> /etc/dovecot/conf.d/10-auth.conf
+ fi
+ # make a CA cert
+ if [ ! -f /etc/ssl/private/dovecot-ca.key ]; then
+ freedombone-addcert -h dovecot-ca --ca
+ fi
+ # CA configuration
+ echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf
+ echo 'default_ca = dovecot-ca' >> /etc/ssl/dovecot-ca.cnf
+ echo '' >> /etc/ssl/dovecot-ca.cnf
+ echo '[ crl_ext ]' >> /etc/ssl/dovecot-ca.cnf
+ echo 'authorityKeyIdentifier=keyid:always' >> /etc/ssl/dovecot-ca.cnf
+ echo '' >> /etc/ssl/dovecot-ca.cnf
+ echo '[ dovecot-ca ]' >> /etc/ssl/dovecot-ca.cnf
+ echo 'new_certs_dir = .' >> /etc/ssl/dovecot-ca.cnf
+ echo 'unique_subject = no' >> /etc/ssl/dovecot-ca.cnf
+ echo 'certificate = /etc/ssl/certs/dovecot-ca.crt' >> /etc/ssl/dovecot-ca.cnf
+ echo 'database = ssldb' >> /etc/ssl/dovecot-ca.cnf
+ echo 'private_key = /etc/ssl/private/dovecot-ca.key' >> /etc/ssl/dovecot-ca.cnf
+ echo 'serial = sslserial' >> /etc/ssl/dovecot-ca.cnf
+ echo 'default_days = 3650' >> /etc/ssl/dovecot-ca.cnf
+ echo 'default_md = sha256' >> /etc/ssl/dovecot-ca.cnf
+ echo 'default_bits = 2048' >> /etc/ssl/dovecot-ca.cnf
+ echo 'policy = dovecot-ca_policy' >> /etc/ssl/dovecot-ca.cnf
+ echo 'x509_extensions = dovecot-ca_extensions' >> /etc/ssl/dovecot-ca.cnf
+ echo '' >> /etc/ssl/dovecot-ca.cnf
+ echo '[ dovecot-ca_policy ]' >> /etc/ssl/dovecot-ca.cnf
+ echo 'commonName = supplied' >> /etc/ssl/dovecot-ca.cnf
+ echo 'stateOrProvinceName = supplied' >> /etc/ssl/dovecot-ca.cnf
+ echo 'countryName = supplied' >> /etc/ssl/dovecot-ca.cnf
+ echo 'emailAddress = optional' >> /etc/ssl/dovecot-ca.cnf
+ echo 'organizationName = supplied' >> /etc/ssl/dovecot-ca.cnf
+ echo 'organizationalUnitName = optional' >> /etc/ssl/dovecot-ca.cnf
+ echo '' >> /etc/ssl/dovecot-ca.cnf
+ echo '[ dovecot-ca_extensions ]' >> /etc/ssl/dovecot-ca.cnf
+ echo 'basicConstraints = CA:false' >> /etc/ssl/dovecot-ca.cnf
+ echo 'subjectKeyIdentifier = hash' >> /etc/ssl/dovecot-ca.cnf
+ echo 'authorityKeyIdentifier = keyid:always' >> /etc/ssl/dovecot-ca.cnf
+ echo 'keyUsage = digitalSignature,keyEncipherment' >> /etc/ssl/dovecot-ca.cnf
+ echo 'extendedKeyUsage = clientAuth' >> /etc/ssl/dovecot-ca.cnf
+ touch /etc/ssl/ssldb
+ echo 0001 > /etc/ssl/sslserial
+ freedombone-clientcert -u $MY_USERNAME
+ service dovecot restart
+ echo 'configure_imap_client_certs' >> $COMPLETION_FILE
+}
+
 function configure_gpg {
 if grep -Fxq "configure_gpg" $COMPLETION_FILE; then
 return
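Review bot: The CA configuration written here mixes absolute and cwd-relative paths: `new_certs_dir = .`, `database = ssldb` and `serial = sslserial` are relative, while the files are created as /etc/ssl/ssldb and /etc/ssl/sslserial, and `openssl ca` resolves those entries against the process's working directory rather than the config file's location, so `freedombone-clientcert -u $MY_USERNAME` (called a few lines later without a cd) will only find its database when run from /etc/ssl. Make them absolute: `new_certs_dir = /etc/ssl/certs`, `database = /etc/ssl/ssldb`, `serial = /etc/ssl/sslserial`. Worth a comment at the top of the function as well: `auth_ssl_require_client_cert = yes` makes a certificate from this CA mandatory for every IMAP login on the host, and with `unique_subject = no`, ten-year validity and no CRL there is no way to revoke a client certificate whose key is lost; I believe Dovecot's `ssl_require_crl` also defaults to yes on some versions, in which case client verification fails until a CRL is appended to ssl_ca or that setting is disabled, so confirm on the target Dovecot release.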
@@ -9153,6 +9199,7 @@ configure_email
 create_procmail
 spam_filtering
 configure_imap
+configure_imap_client_certs
 configure_gpg
 encrypt_incoming_email
 encrypt_outgoing_email
diff --git a/src/freedombone-clientcert b/src/freedombone-clientcert
new file mode 100755
index 00000000..da65a21d
--- /dev/null
+++ b/src/freedombone-clientcert
@@ -0,0 +1,121 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Generates an email client cert for use with IMAP clients + +# See: +# http://strange.systems/certificate-based-auth-with-dovecot-sendmail +# http://help.fabasoftfolio.com/index.php?topic=doc/Installation-and-Configuration-of-Fabasoft-Folio-IMAP-Service/client-certificate-authentication.htm + +# License +# ======= +# +# Copyright (C) 2015 Bob Mottram +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +USERNAME= + +function show_help { + echo '' + echo 'freedombone-clientcert -u [username]' + echo '' + echo 'Creates email certificates for use with IMAP clients' + echo '' + echo ' --help Show help' + echo ' -u --username [name] Username' + echo '' + exit 0 +} + +while [[ $# > 1 ]] +do +key="$1" + +case $key in + --help) + show_help + ;; + -u|--username) + shift + USERNAME="$1" + ;; + *) + # unknown option + ;; +esac +shift +done + +if [ ! $USERNAME ]; then + echo 'No username specified' + exit 5748 +fi + +if [ ! -d /home/$USERNAME ]; then + echo "User $USERNAME not found" + exit 76239 +fi + +if [ -d /home/$USERNAME/emailcert ]; then + echo 'Client certs were already for created' + exit 2953 +fi + +if [ ! 
-f /etc/dovecot/passwd-file ]; then + touch /etc/dovecot/passwd-file +fi + +# Add a user password +if ! grep -q "$USERNAME:{plain}" $/etc/dovecot/passwd-file; then + echo "$USERNAME:{plain}::::::nopassword" >> /etc/dovecot/passwd-file +fi + +chmod 600 /etc/dovecot/passwd-file + +# create a user cert +freedombone-addcert -h $USERNAME + +# create a certificate request +openssl req -new -sha256 -key /etc/ssl/private/$USERNAME.key -out /etc/ssl/requests/$USERNAME.csr + +# sign the certificate request +openssl ca -config /etc/ssl/dovecot-ca.cnf -in /etc/ssl/requests/$USERNAME.csr -out /etc/ssl/certs/$USERNAME.cer + +# move the cert to the user's home +mkdir /home/$USERNAME/emailcert +mv /etc/ssl/certs/$USERNAME.cer /home/$USERNAME/emailcert +cp /etc/ssl/certs/dovecot-ca.crt /home/$USERNAME/emailcert +mv /etc/ssl/private/$USERNAME.key /home/$USERNAME/emailcert +mv /etc/ssl/certs/$USERNAME.crt /home/$USERNAME/emailcert + +# set permissions for the user +chmod -R 600 /home/$USERNAME/emailcert +chown -R $USERNAME:$USERNAME /home/$USERNAME/emailcert + +shred -zu /etc/ssl/requests/$USERNAME.csr + +echo 'Email authentication certificate created. You can obtain it on the client with:' +echo '' +echo " scp -P 2222 -r $USERNAME@mydomainname:/home/$USERNAME/emailcert ~/" +echo '' + +exit 0
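Review bot: Nothing ties the issued certificate's commonName to `$USERNAME`: the `openssl req -new` call carries no `-subj`, so the CN is whatever the operator types at the prompt, yet the CN is exactly the field the server-side configuration in this same commit maps to the mailbox account (ssl_cert_username_field = commonName), so a mistyped or deliberately different CN produces a working credential for another user — set the subject explicitly and add `-batch` to `openssl ca` so signing is non-interactive (the CA policy marks C, ST and O as "supplied", so those must either go into the -subj or become optional). Separately, `$/etc/dovecot/passwd-file` in the grep is a typo (`$/` is not an expansion), so the test always fails and the `nopassword` line is appended on every run; and `chmod -R 600` removes the execute bit from the emailcert directory itself, which will make the suggested `scp -r` fail for the user, so the directory needs 700 and the files 600. The `while [[ $# > 1 ]]` loop also never reaches `--help` when it is the only argument, and an exit code like 76239 wraps modulo 256.
```shell
# … unchanged: option parsing and /home/$USERNAME checks …
# "$/etc/..." in the original never matched, so the entry was appended on every run
if ! grep -q "^$USERNAME:{plain}" /etc/dovecot/passwd-file; then
    echo "$USERNAME:{plain}::::::nopassword" >> /etc/dovecot/passwd-file
fi
# … unchanged: chmod 600 passwd-file, freedombone-addcert -h $USERNAME …
# Dovecot maps commonName -> account, so fix the subject instead of prompting for it.
# The CA policy marks C/ST/O as "supplied": add them here or mark them optional there.
openssl req -new -sha256 -subj "/CN=$USERNAME" \
    -key /etc/ssl/private/$USERNAME.key -out /etc/ssl/requests/$USERNAME.csr
openssl ca -batch -config /etc/ssl/dovecot-ca.cnf \
    -in /etc/ssl/requests/$USERNAME.csr -out /etc/ssl/certs/$USERNAME.cer
# … unchanged: mkdir/mv/cp into /home/$USERNAME/emailcert …
chmod 700 /home/$USERNAME/emailcert   # directory needs x so the user can traverse/scp it
chmod 600 /home/$USERNAME/emailcert/*
chown -R $USERNAME:$USERNAME /home/$USERNAME/emailcert
# … unchanged: shred CSR, usage message …
```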