IMAP client authentication certificates

This commit is contained in:
Bob Mottram 2015-06-17 19:28:08 +01:00
parent 05c2e120fe
commit 05c8d2c2ce
22 changed files with 191 additions and 18 deletions


@ -17,6 +17,7 @@ install:
install -m 755 src/${APP}-config ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-config ${DESTDIR}${PREFIX}/bin
install -m 755 src/${APP}-sec ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-sec ${DESTDIR}${PREFIX}/bin
install -m 755 src/${APP}-addcert ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-addcert ${DESTDIR}${PREFIX}/bin
install -m 755 src/${APP}-clientcert ${DESTDIR}${PREFIX}/bin
install -m 755 src/${APP}-addlist ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-addlist ${DESTDIR}${PREFIX}/bin
install -m 755 src/${APP}-addemail ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-addemail ${DESTDIR}${PREFIX}/bin
install -m 755 src/${APP}-renew-cert ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-renew-cert ${DESTDIR}${PREFIX}/bin
@ -35,6 +36,7 @@ install:
install -m 644 man/${APP}-config.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-config.1.gz ${DESTDIR}${PREFIX}/share/man/man1
install -m 644 man/${APP}-sec.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-sec.1.gz ${DESTDIR}${PREFIX}/share/man/man1
install -m 644 man/${APP}-addcert.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-addcert.1.gz ${DESTDIR}${PREFIX}/share/man/man1
install -m 644 man/${APP}-clientcert.1.gz ${DESTDIR}${PREFIX}/share/man/man1
install -m 644 man/${APP}-addlist.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-addlist.1.gz ${DESTDIR}${PREFIX}/share/man/man1
install -m 644 man/${APP}-addemail.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-addemail.1.gz ${DESTDIR}${PREFIX}/share/man/man1
install -m 644 man/${APP}-renew-cert.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-renew-cert.1.gz ${DESTDIR}${PREFIX}/share/man/man1
@ -52,6 +54,7 @@ uninstall:
rm -f ${PREFIX}/share/man/man1/${APP}-remote.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-remote.1.gz
rm -f ${PREFIX}/share/man/man1/${APP}-config.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-config.1.gz
rm -f ${PREFIX}/share/man/man1/${APP}-sec.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-sec.1.gz
rm -f ${PREFIX}/share/man/man1/${APP}-clientcert.1.gz
rm -f ${PREFIX}/share/man/man1/${APP}-addcert.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-addcert.1.gz
rm -f ${PREFIX}/share/man/man1/${APP}-addlist.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-addlist.1.gz
rm -f ${PREFIX}/share/man/man1/${APP}-addemail.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-addemail.1.gz
@ -71,6 +74,7 @@ uninstall:
rm -f ${PREFIX}/bin/${APP}-config rm -f ${PREFIX}/bin/${APP}-config
rm -f ${PREFIX}/bin/${APP}-sec rm -f ${PREFIX}/bin/${APP}-sec
rm -f ${PREFIX}/bin/${APP}-addcert rm -f ${PREFIX}/bin/${APP}-addcert
rm -f ${PREFIX}/bin/${APP}-clientcert
rm -f ${PREFIX}/bin/${APP}-addlist rm -f ${PREFIX}/bin/${APP}-addlist
rm -f ${PREFIX}/bin/${APP}-addemail rm -f ${PREFIX}/bin/${APP}-addemail
rm -f ${PREFIX}/bin/${APP}-renew-cert rm -f ${PREFIX}/bin/${APP}-renew-cert


@ -4,6 +4,7 @@ man/freedombone-client.1.gz
man/freedombone-remote.1.gz man/freedombone-remote.1.gz
man/freedombone-config.1.gz man/freedombone-config.1.gz
man/freedombone-sec.1.gz man/freedombone-sec.1.gz
man/freedombone-clientcert.1.gz
man/freedombone-addcert.1.gz man/freedombone-addcert.1.gz
man/freedombone-addlist.1.gz man/freedombone-addlist.1.gz
man/freedombone-addemail.1.gz man/freedombone-addemail.1.gz



@ -5655,28 +5655,74 @@ function configure_imap {
sed -i 's/auth_mechanisms =.*/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf sed -i 's/auth_mechanisms =.*/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf
sed -i 's|mail_location =.*|mail_location = maildir:~/Maildir:LAYOUT=fs|g' /etc/dovecot/conf.d/10-mail.conf sed -i 's|mail_location =.*|mail_location = maildir:~/Maildir:LAYOUT=fs|g' /etc/dovecot/conf.d/10-mail.conf
# enable login via client certs
# http://strange.systems/certificate-based-auth-with-dovecot-sendmail/
#sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
#sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
#sed -i 's|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/dovecot-ca.pem|g' /etc/dovecot/conf.d/10-ssl.conf
#sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf
#if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then
#echo '' >> /etc/dovecot/conf.d/10-auth.conf
#echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf
#echo ' driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
#echo ' args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
#echo ' deny = no' >> /etc/dovecot/conf.d/10-auth.conf
#echo ' master = no' >> /etc/dovecot/conf.d/10-auth.conf
#echo ' pass = no' >> /etc/dovecot/conf.d/10-auth.conf
#echo '}' >> /etc/dovecot/conf.d/10-auth.conf
#fi
#echo "$MY_USERNAME:{plain}::::::nopassword" > /etc/dovecot/passwd-file
#freedombone-addcert -h dovecot-ca --ca
service dovecot restart service dovecot restart
echo 'configure_imap' >> $COMPLETION_FILE echo 'configure_imap' >> $COMPLETION_FILE
} }
function configure_imap_client_certs {
if grep -Fxq "configure_imap_client_certs" $COMPLETION_FILE; then
return
fi
# http://strange.systems/certificate-based-auth-with-dovecot-sendmail/
sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
sed -i 's|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/dovecot-ca.crt|g' /etc/dovecot/conf.d/10-ssl.conf
sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf
if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then
echo '' >> /etc/dovecot/conf.d/10-auth.conf
echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf
echo ' driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
echo ' args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
echo ' deny = no' >> /etc/dovecot/conf.d/10-auth.conf
echo ' master = no' >> /etc/dovecot/conf.d/10-auth.conf
echo ' pass = no' >> /etc/dovecot/conf.d/10-auth.conf
echo '}' >> /etc/dovecot/conf.d/10-auth.conf
fi
# make a CA cert
if [ ! -f /etc/ssl/private/dovecot-ca.key ]; then
freedombone-addcert -h dovecot-ca --ca
fi
# CA configuration
echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf
echo 'default_ca = dovecot-ca' >> /etc/ssl/dovecot-ca.cnf
echo '' >> /etc/ssl/dovecot-ca.cnf
echo '[ crl_ext ]' >> /etc/ssl/dovecot-ca.cnf
echo 'authorityKeyIdentifier=keyid:always' >> /etc/ssl/dovecot-ca.cnf
echo '' >> /etc/ssl/dovecot-ca.cnf
echo '[ dovecot-ca ]' >> /etc/ssl/dovecot-ca.cnf
echo 'new_certs_dir = .' >> /etc/ssl/dovecot-ca.cnf
echo 'unique_subject = no' >> /etc/ssl/dovecot-ca.cnf
echo 'certificate = /etc/ssl/certs/dovecot-ca.crt' >> /etc/ssl/dovecot-ca.cnf
echo 'database = ssldb' >> /etc/ssl/dovecot-ca.cnf
echo 'private_key = /etc/ssl/private/dovecot-ca.key' >> /etc/ssl/dovecot-ca.cnf
echo 'serial = sslserial' >> /etc/ssl/dovecot-ca.cnf
echo 'default_days = 3650' >> /etc/ssl/dovecot-ca.cnf
echo 'default_md = sha256' >> /etc/ssl/dovecot-ca.cnf
echo 'default_bits = 2048' >> /etc/ssl/dovecot-ca.cnf
echo 'policy = dovecot-ca_policy' >> /etc/ssl/dovecot-ca.cnf
echo 'x509_extensions = dovecot-ca_extensions' >> /etc/ssl/dovecot-ca.cnf
echo '' >> /etc/ssl/dovecot-ca.cnf
echo '[ dovecot-ca_policy ]' >> /etc/ssl/dovecot-ca.cnf
echo 'commonName = supplied' >> /etc/ssl/dovecot-ca.cnf
echo 'stateOrProvinceName = supplied' >> /etc/ssl/dovecot-ca.cnf
echo 'countryName = supplied' >> /etc/ssl/dovecot-ca.cnf
echo 'emailAddress = optional' >> /etc/ssl/dovecot-ca.cnf
echo 'organizationName = supplied' >> /etc/ssl/dovecot-ca.cnf
echo 'organizationalUnitName = optional' >> /etc/ssl/dovecot-ca.cnf
echo '' >> /etc/ssl/dovecot-ca.cnf
echo '[ dovecot-ca_extensions ]' >> /etc/ssl/dovecot-ca.cnf
echo 'basicConstraints = CA:false' >> /etc/ssl/dovecot-ca.cnf
echo 'subjectKeyIdentifier = hash' >> /etc/ssl/dovecot-ca.cnf
echo 'authorityKeyIdentifier = keyid:always' >> /etc/ssl/dovecot-ca.cnf
echo 'keyUsage = digitalSignature,keyEncipherment' >> /etc/ssl/dovecot-ca.cnf
echo 'extendedKeyUsage = clientAuth' >> /etc/ssl/dovecot-ca.cnf
touch /etc/ssl/ssldb
echo 0001 > /etc/ssl/sslserial
freedombone-clientcert -u $MY_USERNAME
service dovecot restart
echo 'configure_imap_client_certs' >> $COMPLETION_FILE
}
function configure_gpg { function configure_gpg {
if grep -Fxq "configure_gpg" $COMPLETION_FILE; then if grep -Fxq "configure_gpg" $COMPLETION_FILE; then
return return
@ -9153,6 +9199,7 @@ configure_email
create_procmail create_procmail
spam_filtering spam_filtering
configure_imap configure_imap
configure_imap_client_certs
configure_gpg configure_gpg
encrypt_incoming_email encrypt_incoming_email
encrypt_outgoing_email encrypt_outgoing_email
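Review bot: The CA configuration that configure_imap_client_certs writes to /etc/ssl/dovecot-ca.cnf mixes absolute and working-directory-relative paths — `new_certs_dir = .`, `database = ssldb` and `serial = sslserial` — while the database and serial files are created as /etc/ssl/ssldb and /etc/ssl/sslserial, so a later `openssl ca -config /etc/ssl/dovecot-ca.cnf` only finds its index when the caller happens to be in /etc/ssl and otherwise drops signed copies wherever it runs; write `new_certs_dir = /etc/ssl/certs`, `database = /etc/ssl/ssldb` and `serial = /etc/ssl/sslserial` instead. The `grep -q "passdb {"` guard does not distinguish a live stanza from a commented example, so if the stock 10-auth.conf already carries a `#passdb {` line the passwd-file passdb is silently never added; anchoring the pattern (`grep -q "^passdb {"`) avoids that. Because `auth_ssl_require_client_cert = yes`, `auth_ssl_username_from_cert = yes` and the `nopassword` passwd-file entries together make any certificate signed by this CA sufficient to open the mailbox named in its commonName, the key in /etc/ssl/private/dovecot-ca.key is effectively a master credential for every account; a comment to that effect on the `# make a CA cert` line, and a note that `unique_subject = no` allows several live certificates per user, would help whoever maintains this later.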

121
src/freedombone-clientcert Executable file

@ -0,0 +1,121 @@
#!/bin/bash
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
# Generates an email client cert for use with IMAP clients
# See:
# http://strange.systems/certificate-based-auth-with-dovecot-sendmail
# http://help.fabasoftfolio.com/index.php?topic=doc/Installation-and-Configuration-of-Fabasoft-Folio-IMAP-Service/client-certificate-authentication.htm
# License
# =======
#
# Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
USERNAME=
function show_help {
echo ''
echo 'freedombone-clientcert -u [username]'
echo ''
echo 'Creates email certificates for use with IMAP clients'
echo ''
echo ' --help Show help'
echo ' -u --username [name] Username'
echo ''
exit 0
}
while [[ $# > 1 ]]
do
key="$1"
case $key in
--help)
show_help
;;
-u|--username)
shift
USERNAME="$1"
;;
*)
# unknown option
;;
esac
shift
done
if [ ! $USERNAME ]; then
echo 'No username specified'
exit 5748
fi
if [ ! -d /home/$USERNAME ]; then
echo "User $USERNAME not found"
exit 76239
fi
if [ -d /home/$USERNAME/emailcert ]; then
echo 'Client certs were already for created'
exit 2953
fi
if [ ! -f /etc/dovecot/passwd-file ]; then
touch /etc/dovecot/passwd-file
fi
# Add a user password
if ! grep -q "$USERNAME:{plain}" $/etc/dovecot/passwd-file; then
echo "$USERNAME:{plain}::::::nopassword" >> /etc/dovecot/passwd-file
fi
chmod 600 /etc/dovecot/passwd-file
# create a user cert
freedombone-addcert -h $USERNAME
# create a certificate request
openssl req -new -sha256 -key /etc/ssl/private/$USERNAME.key -out /etc/ssl/requests/$USERNAME.csr
# sign the certificate request
openssl ca -config /etc/ssl/dovecot-ca.cnf -in /etc/ssl/requests/$USERNAME.csr -out /etc/ssl/certs/$USERNAME.cer
# move the cert to the user's home
mkdir /home/$USERNAME/emailcert
mv /etc/ssl/certs/$USERNAME.cer /home/$USERNAME/emailcert
cp /etc/ssl/certs/dovecot-ca.crt /home/$USERNAME/emailcert
mv /etc/ssl/private/$USERNAME.key /home/$USERNAME/emailcert
mv /etc/ssl/certs/$USERNAME.crt /home/$USERNAME/emailcert
# set permissions for the user
chmod -R 600 /home/$USERNAME/emailcert
chown -R $USERNAME:$USERNAME /home/$USERNAME/emailcert
shred -zu /etc/ssl/requests/$USERNAME.csr
echo 'Email authentication certificate created. You can obtain it on the client with:'
echo ''
echo " scp -P 2222 -r $USERNAME@mydomainname:/home/$USERNAME/emailcert ~/"
echo ''
exit 0
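Review bot: The de-duplication guard on the passwd-file entry never works: `$/etc/dovecot/passwd-file` on the `grep -q` line is not a valid path (`$/` stays literal), so grep fails, `! grep -q` is always true and another `$USERNAME:{plain}::::::nopassword` line is appended on every run; the line should read `if ! grep -q "^$USERNAME:{plain}" /etc/dovecot/passwd-file; then`. Further down, `chmod -R 600 /home/$USERNAME/emailcert` also strips the execute bit from the directory itself, so the owner cannot open the files inside it and the suggested `scp -r` will fail; use `chmod 700` on the directory and `chmod 600` on its contents. Dovecot maps the presented certificate to a mailbox by its commonName (the installer sets `ssl_cert_username_field = commonName`), yet the `openssl req` call leaves the subject to be typed interactively, so nothing ensures the CN equals `$USERNAME`; passing `-subj` with `/CN=$USERNAME` plus the fields the CA policy marks as supplied, or checking the CN before the `openssl ca` step, would close that gap. Minor points: `[[ $# > 1 ]]` means a lone `--help` never reaches show_help, and exit codes above 255 such as 76239 are truncated modulo 256 by the shell.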