From d971f4f75fbc5e5ec9a46f24289f73c26c0ed70f Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sun, 14 Jun 2015 15:56:46 +0100
Subject: [PATCH] Beginning of imap client certs

---
 src/freedombone | 19 +++++++++++++++++++
 src/freedombone-addcert | 7 ++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/src/freedombone b/src/freedombone
index 2ba0705e..0043ef70 100755
--- a/src/freedombone
+++ b/src/freedombone
@@ -5653,6 +5653,25 @@ function configure_imap {
 sed -i 's/#disable_plaintext_auth =.*/disable_plaintext_auth = no/g' /etc/dovecot/conf.d/10-auth.conf
 sed -i 's/auth_mechanisms =.*/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf
 sed -i 's|mail_location =.*|mail_location = maildir:~/Maildir:LAYOUT=fs|g' /etc/dovecot/conf.d/10-mail.conf
+
+ # enable login via client certs
+ # http://strange.systems/certificate-based-auth-with-dovecot-sendmail/
+ #sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
+ #sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
+ #sed -i 's|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/dovecot-ca.pem|g' /etc/dovecot/conf.d/10-ssl.conf
+ #sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf
+ #if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then
+ #echo '' >> /etc/dovecot/conf.d/10-auth.conf
+ #echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf
+ #echo ' driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
+ #echo ' args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
+ #echo ' deny = no' >> /etc/dovecot/conf.d/10-auth.conf
+ #echo ' master = no' >> /etc/dovecot/conf.d/10-auth.conf
+ #echo ' pass = no' >> /etc/dovecot/conf.d/10-auth.conf
+ #echo '}' >> /etc/dovecot/conf.d/10-auth.conf
+ #fi
+ #echo "$MY_USERNAME:{plain}::::::nopassword" > /etc/dovecot/passwd-file
+ #freedombone-addcert -h dovecot-ca --ca
 service dovecot restart
 echo 'configure_imap' >> $COMPLETION_FILE
 }
diff --git a/src/freedombone-addcert b/src/freedombone-addcert
index 6b514806..1874e195 100755
--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -34,6 +34,7 @@ AREA="Free Speech Zone"
 LOCATION="Freedomville"
 ORGANISATION="Freedombone"
 UNIT="Freedombone Unit"
+EXTENSIONS=""
 function show_help {
 echo ''
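Review bot: The CA path in the commented `ssl_ca = /etc/ssl/certs/dovecot-ca.pem` line does not match what `freedombone-addcert -h dovecot-ca --ca` a few lines below would write, because addcert (the second file in this patch) emits `/etc/ssl/certs/$HOSTNAME.crt`, so once this block is uncommented Dovecot would point at a file that does not exist; one of the two should change, e.g. `ssl_ca = /etc/ssl/certs/dovecot-ca.crt`. The passwd-file entry `$MY_USERNAME:{plain}::::::nopassword` makes the client certificate the only credential for that user, which is safe only while `auth_ssl_require_client_cert = yes` is applied in the same step, so a comment such as `# nopassword here is only acceptable because auth_ssl_require_client_cert=yes makes the client cert the credential` would stop someone enabling half of the block. If the target is Dovecot 2.x, `ssl_require_crl` defaults to yes and a CA file with no CRL appended will reject every client cert, which is worth checking before this is switched on; there is also no revocation story for issued client certs yet. The `configure_imap` function starts before this hunk.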
@@ -49,6 +50,7 @@ function show_help {
 echo ' -l --location [locn] Optional location name'
 echo ' -o --organisation [name] Optional organisation name'
 echo ' -u --unit [name] Optional unit name'
+ echo ' --ca Certificate authority cert'
 echo ''
 exit 0
 }
@@ -85,6 +87,9 @@ case $key in
 shift
 UNIT="$1"
 ;;
+ --ca)
+ EXTENSIONS="-extensions v3_ca"
+ ;;
 *)
 # unknown option
 ;;
@@ -102,7 +107,7 @@ if ! which openssl > /dev/null ;then
 exit 5689
 fi
-openssl req -x509 -nodes -days 3650 -sha256 -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" -newkey rsa:4096 -keyout /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/certs/$HOSTNAME.crt
+openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" -newkey rsa:4096 -keyout /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/certs/$HOSTNAME.crt
 openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam
 chmod 400 /etc/ssl/private/$HOSTNAME.key
 chmod 640 /etc/ssl/certs/$HOSTNAME.crt
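Review bot: `-extensions v3_ca` on the new openssl line is probably not what turns this into a CA: if I remember the stock Debian `/etc/ssl/openssl.cnf` correctly its `[req]` section already sets `x509_extensions = v3_ca` for `req -x509`, so the server certs this script produced before the change were already `CA:TRUE` and `--ca` changes nothing (confirm with `openssl x509 -text -noout` on a cert from each path). The useful split is the other way round: keep `v3_ca` for `--ca` and make the default path an end-entity cert, e.g. `EXTENSIONS="-extensions v3_req"` as the initial value (Debian's `v3_req` carries `basicConstraints = CA:FALSE`), because a service cert that is also a CA can mint further certs that chain to itself. The unquoted `$EXTENSIONS` relies on word-splitting; the idiomatic form is `EXTENSIONS=()` at the top, `EXTENSIONS=(-extensions v3_ca)` in the `--ca)` arm, and `"${EXTENSIONS[@]}"` on the openssl line. Note the CA key is generated with `-nodes`, so it sits unencrypted in /etc/ssl/private behind only the existing `chmod 400`, which the `--ca` help text could state. Unrelated to this commit, the `dhparam ... 1024` on the following context line is below current minimums.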