generate a self-signed certificate for PUBLIC_HOSTNAME and change DNS MX records to PRIMARY_HOSTNAME so it matches

This commit is contained in:
Joshua Tauberer 2013-09-08 11:25:56 +00:00
parent 0403d27712
commit 548cc8a0f6
2 changed files with 40 additions and 22 deletions

View file

@ -69,7 +69,7 @@ for fn in $STORAGE_ROOT/dns/*.txt; do
\$ORIGIN $zone. ; default zone domain
\$TTL 86400 ; default time to live
@ IN SOA ns1.$zone. hostmaster.$PRIMARY_HOSTNAME. (
@ IN SOA ns1.$PRIMARY_HOSTNAME. hostmaster.$PRIMARY_HOSTNAME. (
$serial ; serial number
28800 ; Refresh
7200 ; Retry
@ -77,19 +77,24 @@ for fn in $STORAGE_ROOT/dns/*.txt; do
86400 ; Min TTL
)
NS ns1.$zone.
NS ns2.$zone.
NS ns1.$PRIMARY_HOSTNAME.
NS ns2.$PRIMARY_HOSTNAME.
IN A $PUBLIC_IP
MX 10 mail.$zone.
MX 10 $PRIMARY_HOSTNAME.
300 TXT "v=spf1 mx -all"
ns1 IN A $PUBLIC_IP
ns2 IN A $PUBLIC_IP
mail IN A $PUBLIC_IP
www IN A $PUBLIC_IP
EOF
# In PRIMARY_HOSTNAME, also define ns1 and ns2.
if [ "$zone" = $PRIMARY_HOSTNAME ]; then
cat >> /etc/nsd3/zones/$fn2 << EOF;
ns1 IN A $PUBLIC_IP
ns2 IN A $PUBLIC_IP
EOF
fi
# If OpenDKIM is set up, append the suggested TXT record to the zone.
if [ -f "$STORAGE_ROOT/mail/dkim/mail.txt" ]; then
cat "$STORAGE_ROOT/mail/dkim/mail.txt" >> /etc/nsd3/zones/$fn2;

View file

@ -12,9 +12,12 @@
# Install packages.
source /etc/mailinabox.conf # load global vars
DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
postfix postgrey \
dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3
dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite sqlite3 \
openssl
mkdir -p $STORAGE_ROOT/mail
@ -26,12 +29,16 @@ sed -i "s/#submission/submission/" /etc/postfix/master.cf
# Enable TLS and require it for all user authentication.
tools/editconf.py /etc/postfix/main.cf \
smtpd_use_tls=yes\
smtpd_tls_security_level=may\
smtpd_tls_auth_only=yes \
smtp_tls_security_level=may \
smtp_tls_loglevel=2 \
smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
smtpd_tls_received_header=yes
# note: smtpd_use_tls=yes appears to already be the default, but we can never be too sure
# When connecting to remote SMTP servers, prefer TLS.
tools/editconf.py /etc/postfix/main.cf \
smtp_tls_security_level=may \
smtp_tls_loglevel=2
# Postfix will query dovecot for user authentication.
tools/editconf.py /etc/postfix/main.cf \
@ -187,16 +194,22 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
ssl=required \
"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
# The Dovecot installation already created a self-signed public/private key pair
# in /etc/dovecot/dovecot.pem and /etc/dovecot/private/dovecot.pem, which we'll
# use unless certificates already exist. We'll move them into $STORAGE_ROOT/ssl
# unless files exist there already.
mkdir -p $STORAGE_ROOT/ssl
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then cp /etc/dovecot/dovecot.pem $STORAGE_ROOT/ssl/ssl_certificate.pem; fi
if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then cp /etc/dovecot/private/dovecot.pem $STORAGE_ROOT/ssl/ssl_private_key.pem; fi
#
# SSL CERTIFICATE
# Create a self-signed certifiate.
mkdir -p $STORAGE_ROOT/ssl
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
openssl genrsa -des3 -passout pass:x -out /tmp/server.key 2048 # create key, but it has a password...
openssl rsa -passin pass:x -in /tmp/server.key -out $STORAGE_ROOT/ssl/ssl_private_key.pem # remove password and save it to the right location
rm /tmp/server.key # remove temporary password-laden key
openssl req -new -key $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr \
-subj "/C=/ST=/L=/O=/CN=$PUBLIC_HOSTNAME"
openssl x509 -req -days 365 \
-in $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr -signkey $STORAGE_ROOT/ssl/ssl_private_key.pem -out $STORAGE_ROOT/ssl/ssl_certificate.pem
fi
# PERMISSIONS / RESTART SERVICES
# Ensure configuration files are owned by dovecot and not world readable.
chown -R mail:dovecot /etc/dovecot