Beginning of imap client certs

Bob Mottram 2015-06-14 15:56:46 +01:00
parent 43c64a3fba
commit d971f4f75f
2 changed files with 25 additions and 1 deletions


@ -5653,6 +5653,25 @@ function configure_imap {
sed -i 's/#disable_plaintext_auth =.*/disable_plaintext_auth = no/g' /etc/dovecot/conf.d/10-auth.conf
sed -i 's/auth_mechanisms =.*/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf
sed -i 's|mail_location =.*|mail_location = maildir:~/Maildir:LAYOUT=fs|g' /etc/dovecot/conf.d/10-mail.conf
# enable login via client certs
# http://strange.systems/certificate-based-auth-with-dovecot-sendmail/
#sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
#sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
#sed -i 's|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/dovecot-ca.pem|g' /etc/dovecot/conf.d/10-ssl.conf
#sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf
#if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then
#echo '' >> /etc/dovecot/conf.d/10-auth.conf
#echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf
#echo ' driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
#echo ' args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
#echo ' deny = no' >> /etc/dovecot/conf.d/10-auth.conf
#echo ' master = no' >> /etc/dovecot/conf.d/10-auth.conf
#echo ' pass = no' >> /etc/dovecot/conf.d/10-auth.conf
#echo '}' >> /etc/dovecot/conf.d/10-auth.conf
#fi
#echo "$MY_USERNAME:{plain}::::::nopassword" > /etc/dovecot/passwd-file
#freedombone-addcert -h dovecot-ca --ca
service dovecot restart
echo 'configure_imap' >> $COMPLETION_FILE
}
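Review bot: The CA path the new (still commented-out) block hands to Dovecot does not match what the helper it calls produces: the `ssl_ca` sed line points at `/etc/ssl/certs/dovecot-ca.pem`, while `freedombone-addcert -h dovecot-ca --ca` writes `/etc/ssl/certs/$HOSTNAME.crt` per the openssl invocation in the second file, so once uncommented client-cert verification would fail to load the CA. Change that line to `sed -i 's|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/dovecot-ca.crt|g' /etc/dovecot/conf.d/10-ssl.conf` (or have the helper emit the `.pem` name) so the two stay in step. A second point for when this is enabled: the passwd-file entry carries the `nopassword` extra field, which makes that passdb accept any password, and `auth_ssl_require_client_cert` governs only TLS sessions; with `disable_plaintext_auth = no` left in place above, a non-TLS login as `$MY_USERNAME` would presumably succeed with no certificate at all, so pair this with `disable_plaintext_auth = yes` or drop the plaintext listener before it goes live. It would also help to add a comment above the block stating that it is intentionally disabled pending a client-cert signing path, since there is nothing here yet that issues client certificates under the new CA. configure_imap's body begins before this hunk.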


@ -34,6 +34,7 @@ AREA="Free Speech Zone"
LOCATION="Freedomville"
ORGANISATION="Freedombone"
UNIT="Freedombone Unit"
EXTENSIONS=""
function show_help {
echo ''
@ -49,6 +50,7 @@ function show_help {
echo ' -l --location [locn] Optional location name'
echo ' -o --organisation [name] Optional organisation name'
echo ' -u --unit [name] Optional unit name'
echo ' --ca Certificate authority cert'
echo ''
exit 0
}
@ -85,6 +87,9 @@ case $key in
shift
UNIT="$1"
;;
--ca)
EXTENSIONS="-extensions v3_ca"
;;
*)
# unknown option
;;
@ -102,7 +107,7 @@ if ! which openssl > /dev/null ;then
exit 5689
fi
openssl req -x509 -nodes -days 3650 -sha256 -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" -newkey rsa:4096 -keyout /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/certs/$HOSTNAME.crt
openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" -newkey rsa:4096 -keyout /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/certs/$HOSTNAME.crt
openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam
chmod 400 /etc/ssl/private/$HOSTNAME.key
chmod 640 /etc/ssl/certs/$HOSTNAME.crt