IMAP client authentication certificates

Makefile

@@ -17,6 +17,7 @@ install:
 	install -m 755 src/${APP}-config ${DESTDIR}${PREFIX}/bin
 	install -m 755 src/${APP}-sec ${DESTDIR}${PREFIX}/bin
 	install -m 755 src/${APP}-addcert ${DESTDIR}${PREFIX}/bin
+	install -m 755 src/${APP}-clientcert ${DESTDIR}${PREFIX}/bin
 	install -m 755 src/${APP}-addlist ${DESTDIR}${PREFIX}/bin
 	install -m 755 src/${APP}-addemail ${DESTDIR}${PREFIX}/bin
 	install -m 755 src/${APP}-renew-cert ${DESTDIR}${PREFIX}/bin
@@ -35,6 +36,7 @@ install:
 	install -m 644 man/${APP}-config.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 	install -m 644 man/${APP}-sec.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 	install -m 644 man/${APP}-addcert.1.gz ${DESTDIR}${PREFIX}/share/man/man1
+	install -m 644 man/${APP}-clientcert.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 	install -m 644 man/${APP}-addlist.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 	install -m 644 man/${APP}-addemail.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 	install -m 644 man/${APP}-renew-cert.1.gz ${DESTDIR}${PREFIX}/share/man/man1
@@ -52,6 +54,7 @@ uninstall:
 	rm -f ${PREFIX}/share/man/man1/${APP}-remote.1.gz
 	rm -f ${PREFIX}/share/man/man1/${APP}-config.1.gz
 	rm -f ${PREFIX}/share/man/man1/${APP}-sec.1.gz
+	rm -f ${PREFIX}/share/man/man1/${APP}-clientcert.1.gz
 	rm -f ${PREFIX}/share/man/man1/${APP}-addcert.1.gz
 	rm -f ${PREFIX}/share/man/man1/${APP}-addlist.1.gz
 	rm -f ${PREFIX}/share/man/man1/${APP}-addemail.1.gz
@@ -71,6 +74,7 @@ uninstall:
 	rm -f ${PREFIX}/bin/${APP}-config
 	rm -f ${PREFIX}/bin/${APP}-sec
 	rm -f ${PREFIX}/bin/${APP}-addcert
+	rm -f ${PREFIX}/bin/${APP}-clientcert
 	rm -f ${PREFIX}/bin/${APP}-addlist
 	rm -f ${PREFIX}/bin/${APP}-addemail
 	rm -f ${PREFIX}/bin/${APP}-renew-cert

debian/source/include-binaries

@@ -4,6 +4,7 @@ man/freedombone-client.1.gz
 man/freedombone-remote.1.gz
 man/freedombone-config.1.gz
 man/freedombone-sec.1.gz
+man/freedombone-clientcert.1.gz
 man/freedombone-addcert.1.gz
 man/freedombone-addlist.1.gz
 man/freedombone-addemail.1.gz

src/freedombone

@@ -5655,28 +5655,74 @@ function configure_imap {
   sed -i 's/auth_mechanisms =.*/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf
   sed -i 's|mail_location =.*|mail_location = maildir:~/Maildir:LAYOUT=fs|g' /etc/dovecot/conf.d/10-mail.conf
 
-  # enable login via client certs
-  # http://strange.systems/certificate-based-auth-with-dovecot-sendmail/
-  #sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
-  #sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
-  #sed -i 's|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/dovecot-ca.pem|g' /etc/dovecot/conf.d/10-ssl.conf
-  #sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf
-  #if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then
-    #echo '' >> /etc/dovecot/conf.d/10-auth.conf
-    #echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf
-    #echo '  driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
-    #echo '  args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
-    #echo '  deny = no' >> /etc/dovecot/conf.d/10-auth.conf
-    #echo '  master = no' >> /etc/dovecot/conf.d/10-auth.conf
-    #echo '  pass = no' >> /etc/dovecot/conf.d/10-auth.conf
-    #echo '}' >> /etc/dovecot/conf.d/10-auth.conf
-  #fi
-  #echo "$MY_USERNAME:{plain}::::::nopassword" > /etc/dovecot/passwd-file
-  #freedombone-addcert -h dovecot-ca --ca
   service dovecot restart
   echo 'configure_imap' >> $COMPLETION_FILE
 }
 
+function configure_imap_client_certs {
+  if grep -Fxq "configure_imap_client_certs" $COMPLETION_FILE; then
+      return
+  fi
+  # http://strange.systems/certificate-based-auth-with-dovecot-sendmail/
+  sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
+  sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
+  sed -i 's|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/dovecot-ca.crt|g' /etc/dovecot/conf.d/10-ssl.conf
+  sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf
+  if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then
+    echo '' >> /etc/dovecot/conf.d/10-auth.conf
+    echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf
+    echo '  driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
+    echo '  args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
+    echo '  deny = no' >> /etc/dovecot/conf.d/10-auth.conf
+    echo '  master = no' >> /etc/dovecot/conf.d/10-auth.conf
+    echo '  pass = no' >> /etc/dovecot/conf.d/10-auth.conf
+    echo '}' >> /etc/dovecot/conf.d/10-auth.conf
+  fi
+  # make a CA cert
+  if [ ! -f /etc/ssl/private/dovecot-ca.key ]; then
+	  freedombone-addcert -h dovecot-ca --ca
+  fi
+  # CA configuration
+  echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf
+  echo 'default_ca = dovecot-ca' >> /etc/ssl/dovecot-ca.cnf
+  echo '' >> /etc/ssl/dovecot-ca.cnf
+  echo '[ crl_ext ]' >> /etc/ssl/dovecot-ca.cnf
+  echo 'authorityKeyIdentifier=keyid:always' >> /etc/ssl/dovecot-ca.cnf
+  echo '' >> /etc/ssl/dovecot-ca.cnf
+  echo '[ dovecot-ca ]' >> /etc/ssl/dovecot-ca.cnf
+  echo 'new_certs_dir = .' >> /etc/ssl/dovecot-ca.cnf
+  echo 'unique_subject = no' >> /etc/ssl/dovecot-ca.cnf
+  echo 'certificate = /etc/ssl/certs/dovecot-ca.crt' >> /etc/ssl/dovecot-ca.cnf
+  echo 'database = ssldb' >> /etc/ssl/dovecot-ca.cnf
+  echo 'private_key = /etc/ssl/private/dovecot-ca.key' >> /etc/ssl/dovecot-ca.cnf
+  echo 'serial = sslserial' >> /etc/ssl/dovecot-ca.cnf
+  echo 'default_days = 3650' >> /etc/ssl/dovecot-ca.cnf
+  echo 'default_md = sha256' >> /etc/ssl/dovecot-ca.cnf
+  echo 'default_bits = 2048' >> /etc/ssl/dovecot-ca.cnf
+  echo 'policy = dovecot-ca_policy' >> /etc/ssl/dovecot-ca.cnf
+  echo 'x509_extensions = dovecot-ca_extensions' >> /etc/ssl/dovecot-ca.cnf
+  echo '' >> /etc/ssl/dovecot-ca.cnf
+  echo '[ dovecot-ca_policy ]' >> /etc/ssl/dovecot-ca.cnf
+  echo 'commonName = supplied' >> /etc/ssl/dovecot-ca.cnf
+  echo 'stateOrProvinceName = supplied' >> /etc/ssl/dovecot-ca.cnf
+  echo 'countryName = supplied' >> /etc/ssl/dovecot-ca.cnf
+  echo 'emailAddress = optional' >> /etc/ssl/dovecot-ca.cnf
+  echo 'organizationName = supplied' >> /etc/ssl/dovecot-ca.cnf
+  echo 'organizationalUnitName = optional' >> /etc/ssl/dovecot-ca.cnf
+  echo '' >> /etc/ssl/dovecot-ca.cnf
+  echo '[ dovecot-ca_extensions ]' >> /etc/ssl/dovecot-ca.cnf
+  echo 'basicConstraints = CA:false' >> /etc/ssl/dovecot-ca.cnf
+  echo 'subjectKeyIdentifier = hash' >> /etc/ssl/dovecot-ca.cnf
+  echo 'authorityKeyIdentifier = keyid:always' >> /etc/ssl/dovecot-ca.cnf
+  echo 'keyUsage = digitalSignature,keyEncipherment' >> /etc/ssl/dovecot-ca.cnf
+  echo 'extendedKeyUsage = clientAuth' >> /etc/ssl/dovecot-ca.cnf
+  touch /etc/ssl/ssldb
+  echo 0001 > /etc/ssl/sslserial
+  freedombone-clientcert -u $MY_USERNAME
+  service dovecot restart
+  echo 'configure_imap_client_certs' >> $COMPLETION_FILE
+}
+
 function configure_gpg {
   if grep -Fxq "configure_gpg" $COMPLETION_FILE; then
       return
@@ -9153,6 +9199,7 @@ configure_email
 create_procmail
 spam_filtering
 configure_imap
+configure_imap_client_certs
 configure_gpg
 encrypt_incoming_email
 encrypt_outgoing_email

src/freedombone-clientcert

@@ -0,0 +1,121 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Generates an email client cert for use with IMAP clients
+
+# See:
+#   http://strange.systems/certificate-based-auth-with-dovecot-sendmail
+#   http://help.fabasoftfolio.com/index.php?topic=doc/Installation-and-Configuration-of-Fabasoft-Folio-IMAP-Service/client-certificate-authentication.htm
+
+# License
+# =======
+#
+# Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+USERNAME=
+
+function show_help {
+    echo ''
+    echo 'freedombone-clientcert -u [username]'
+    echo ''
+    echo 'Creates email certificates for use with IMAP clients'
+    echo ''
+    echo '     --help                  Show help'
+    echo '  -u --username [name]       Username'
+    echo ''
+    exit 0
+}
+
+while [[ $# > 1 ]]
+do
+key="$1"
+
+case $key in
+    --help)
+    show_help
+    ;;
+    -u|--username)
+    shift
+    USERNAME="$1"
+    ;;
+    *)
+    # unknown option
+    ;;
+esac
+shift
+done
+
+if [ ! $USERNAME ]; then
+    echo 'No username specified'
+    exit 5748
+fi
+
+if [ ! -d /home/$USERNAME ]; then
+    echo "User $USERNAME not found"
+    exit 76239
+fi
+
+if [ -d /home/$USERNAME/emailcert ]; then
+    echo 'Client certs were already for created'
+    exit 2953
+fi
+
+if [ ! -f /etc/dovecot/passwd-file ]; then
+    touch /etc/dovecot/passwd-file
+fi
+
+# Add a user password
+if ! grep -q "$USERNAME:{plain}" $/etc/dovecot/passwd-file; then
+  echo "$USERNAME:{plain}::::::nopassword" >> /etc/dovecot/passwd-file
+fi
+
+chmod 600 /etc/dovecot/passwd-file
+
+# create a user cert
+freedombone-addcert -h $USERNAME
+
+# create a certificate request
+openssl req -new -sha256 -key /etc/ssl/private/$USERNAME.key -out /etc/ssl/requests/$USERNAME.csr
+
+# sign the certificate request
+openssl ca -config /etc/ssl/dovecot-ca.cnf -in /etc/ssl/requests/$USERNAME.csr -out /etc/ssl/certs/$USERNAME.cer
+
+# move the cert to the user's home
+mkdir /home/$USERNAME/emailcert
+mv /etc/ssl/certs/$USERNAME.cer /home/$USERNAME/emailcert
+cp /etc/ssl/certs/dovecot-ca.crt /home/$USERNAME/emailcert
+mv /etc/ssl/private/$USERNAME.key /home/$USERNAME/emailcert
+mv /etc/ssl/certs/$USERNAME.crt /home/$USERNAME/emailcert
+
+# set permissions for the user
+chmod -R 600 /home/$USERNAME/emailcert
+chown -R $USERNAME:$USERNAME /home/$USERNAME/emailcert
+
+shred -zu /etc/ssl/requests/$USERNAME.csr
+
+echo 'Email authentication certificate created. You can obtain it on the client with:'
+echo ''
+echo "      scp -P 2222 -r $USERNAME@mydomainname:/home/$USERNAME/emailcert ~/"
+echo ''
+
+exit 0