Certificate: Difference between revisions

No edit summary
No edit summary
 
(135 intermediate revisions by the same user not shown)
Line 1: Line 1:
<u>'''Security Certificate'''</u>
[[Configuration#Certificate|Back to Configuration]]<br>
[[Rocky,_Alma,_Springdale_9_QT_Install|Back to Install]]<br>


To configure a SSL certificate for TLS and/or SSL over SMTP:
= Security Certificate =


# Abstract: Create Certificate
== Self-Signed ==
#; Generate key
 
#; Generate signing request
# cd /tmp
#; Sign the key
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
#; Create server certificate
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj $SUBJ
#; Set permission
# cat cert.pem key.pem > servercert.pem
#; Set owner
# cp servercert.pem /var/qmail/control/servercert.pem
#; Copy into place
# remove *.pem
#; Restart services
 
## Self-Signed Certificate
== Let's Encrypt ==
##; <nowiki>#</nowiki> openssl genrsa -out x.key 2048
(assumes a functioning Apache web server for domain.tld)
##; <nowiki>#</nowiki> openssl req -new -key x.key -out x.csr
# dnf -y install certbot python3-certbot-apache
##; <nowiki>#</nowiki> openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt
# certbot --apache -d domain.tld -d mail.domain.tld <span style="color:red">--rsa-key-size 2048 --key-type rsa</span>
##; <nowiki>#</nowiki> cat x.crt x.key > servercert.pem
 
##; <nowiki>#</nowiki> chmod 644 servercert.pem
A 2048 bit key should have been created (qmail won't run with anything less), if not, force it with RSA options <span style="color:red">(in red)</span> above.<br>
##; <nowiki>#</nowiki> chown root<nowiki>:</nowiki>qmail servercert.pem
Check the size of the private key with the following command
##; <nowiki>#</nowiki> cp -p servercert.pem /var/qmail/control
 
## Let's Encrypt CentOS 7/8 (Automatic, assumes working web server)
# openssl rsa -in /etc/letsencrypt/live/mydomain.tld/privkey.pem -text | grep Key
##; <nowiki>#</nowiki> yum install python-certbot-apache
 
##; <nowiki>#</nowiki> certbot -apache -d mydomain.com -d mail.mydomain.com
Move key & certificate in place
##: Add to Apache Virtual
 
### SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
# cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
### SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
# cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/mydomain.tld/fullchain.pem <nowiki>></nowiki> servercert.pem
### SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
# cp ./servercert.pem /var/qmail/control/servercert.pem
##: Add to Dovecot
 
### ssl_cert = </etc/letsencrypt/live/mydomain.com/fullchain.pem
== GoDaddy ==
### ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem
# cd /tmp
##: Add to Qmail
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
### <nowiki>#</nowiki> cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
# openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -subj $SUBJ
### <nowiki>#</nowiki> cat /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/letsencrypt/live/mydomain.com/fullchain.pem > /var/qmail/control/servercert.pem
# openssl req -in csr.pem -noout -text <span style="color:red">(Examine your signing request)<span>
##: Springdale, Rocky, Alma Linux 9 may need the private key last
Submit signing request (csr.pem) to GoDaddy, download crt and crt bundle, pack, and move in place.
### <nowiki>#</nowiki> cat /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem > /var/qmail/control/servercert.pem
# cat key.pem 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
##: Let's Encrypt auto renewal
# cp servercert.pem /var/qmail/control
##: Add to cron nightly renew of certs (These certificates expire every 3 months)
 
### 0 0 * * * /opt/certbot/certbot renew
= Implementation =
## Application: Godaddy Signed Certificate
 
##;<nowiki>#</nowiki> openssl genrsa -out x.key 2048
== Restart Services ==
##;<nowiki>#</nowiki> openssl req -new -key x.key -out x.csr
# qmailctl stop && sleep 2 && qmailctl start
##: Submit signing request (x.csr) to Godaddy; Later download signed key (crt and crt bundle)
# systemctl reload dovecot httpd
##;<nowiki>#</nowiki> cat x.key 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
 
##;<nowiki>#</nowiki> chmod 644 servercert.pem
== Renew (Let's Encrypt) *with script ==
##;<nowiki>#</nowiki> chown root:qmail servercert.pem
# crontab -e
##;<nowiki>#</nowiki> cp -p servercert.pem /var/qmail/control
0 0 * * * /opt/certbot/renewcerts renew
 
 
#!/bin/bash<br>
#   Script: renewcerts
# Function: renew certificates<br>
LOG=/usr/command/certs/certs.log
days=3<br>
today=`date`
today=`date --date="$today" --utc +%s`
CD=/etc/letsencrypt/live
FC=fullchain.pem
PK=privkey.pem<br>
mailcert () {
  cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem
  cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
  cp servercert.pem  /var/qmail/control/servercert.pem
  systemctl reload dovecot 
  qmailctl stop && sleep 2 && qmailctl start
}<br>
for CDOM in `ls $CD`
do
  [ "$CDOM" = "README" ] && continue
  exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'`
  off=`date --date="$exp" --utc +%s`
  diff=$(( (off - today)/86400 ))
  echo "Certificate Domain: $CDOM, Days to expire: $diff"
  echo ""
  if [ $diff -le $days ]
  then
      certbot renew --cert-name $CDOM --apache <span style="color:red">--rsa-key-size 2048 --key-type rsa</span>
      systemctl reload httpd
      mailcert $CDOM
  fi
done<br>
exit 0
 
== Mail server settings ==
 
=== Dovecot ===
ssl_cert = </var/qmail/control/servercert.pem
ssl_key = </var/qmail/control/servercert.pem
 
===Submission===
<pre>
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export FORCETLS="1"
export SMTPAUTH="!"
 
exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    $SMTPD $VCHKPW /bin/true 2>&1
</pre>
 
===SMTPS===
<pre>
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export SMTPS="1"
export FORCETLS="0"
export SMTPAUTH="!+cram"
 
exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
    $SMTPD $VCHKPW /bin/true 2>&1
</pre>
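Review bot: mailcert in the new renewcerts script assembles the private key and chain into `./servercert.pem`, i.e. in whatever directory cron starts the job from, and the process umask decides who can read the key while it sits there; the final `cp` keeps the target's existing mode when the file already exists, so it is only this intermediate copy that is exposed. Building the bundle in a mktemp file (created mode 0600) and removing it afterwards closes that window: `tmp=$(mktemp) && cat -- "$CD/$1/$PK" "$CD/$1/$FC" > "$tmp"`, `cp -- "$tmp" /var/qmail/control/servercert.pem`, `rm -f -- "$tmp"`, with the existing backup line kept between the first two. The loop's `for CDOM in \`ls $CD\`` and the unquoted `$CD`/`$CDOM` expansions should likewise become a `"$CD"/*/` glob with quoted expansions, and `LOG` is assigned but never used. The unquoted `-subj $SUBJ` on the self-signed and GoDaddy `openssl req` lines has the same quoting problem.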

Latest revision as of 09:26, 19 October 2024

Back to Configuration
Back to Install

Security Certificate

Self-Signed

# cd /tmp
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj $SUBJ
# cat cert.pem key.pem > servercert.pem
# cp servercert.pem /var/qmail/control/servercert.pem
# rm *.pem

Let's Encrypt

(assumes a functioning Apache web server for domain.tld)

# dnf -y install certbot python3-certbot-apache
# certbot --apache -d domain.tld -d mail.domain.tld --rsa-key-size 2048 --key-type rsa

A 2048-bit RSA key should have been created (qmail won't run with anything less); if not, force it with the --rsa-key-size 2048 --key-type rsa options shown above.
Check the size of the private key with the following command:

# openssl rsa -in /etc/letsencrypt/live/domain.tld/privkey.pem -text | grep Key

Move the key and certificate into place

# cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
# cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem > servercert.pem
# cp ./servercert.pem /var/qmail/control/servercert.pem

GoDaddy

# cd /tmp
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
# openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -subj $SUBJ
# openssl req -in csr.pem -noout -text (Examine your signing request)

Submit the signing request (csr.pem) to GoDaddy, download the signed certificate (.crt) and the CA bundle, concatenate them with the key, and copy the result into place.

# cat key.pem 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
# cp servercert.pem /var/qmail/control

Implementation

Restart Services

# qmailctl stop && sleep 2 && qmailctl start
# systemctl reload dovecot httpd

Renew (Let's Encrypt) *with script

# crontab -e
0 0 * * * /opt/certbot/renewcerts renew


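#!/bin/bash
#   Script: renewcerts
# Function: renew Let's Encrypt certificates that are close to expiry and
#           install the renewed key+chain bundle for qmail and dovecot.
#
# Intended to run nightly from root's crontab. Any command-line argument
# (the cron entry passes "renew") is not inspected by this script.
# Requires GNU date, openssl, certbot, systemctl and qmailctl.

# Log file path. NOTE(review): assigned but never written to by this script;
# all output goes to stdout (i.e. the cron mail). Kept for compatibility.
readonly LOG=/usr/command/certs/certs.log
# Renew a certificate when it has this many days (or fewer) left.
readonly days=3
# Current time as UTC epoch seconds, taken directly from date(1) rather than
# re-parsing date's locale-dependent human-readable output.
today=$(date --utc +%s)
readonly today
# Certbot's live directory: one sub-directory per certificate name.
readonly CD=/etc/letsencrypt/live
# Chain file and private key file names inside each live sub-directory.
readonly FC=fullchain.pem
readonly PK=privkey.pem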
mailcert () { cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak cp servercert.pem /var/qmail/control/servercert.pem systemctl reload dovecot qmailctl stop && sleep 2 && qmailctl start }
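# Walk every certificate directory under $CD and renew those expiring soon.
# Only sub-directories are matched, so the README file certbot leaves in the
# live directory is skipped without parsing ls(1) output.
status=0
for certdir in "$CD"/*/; do
  # An unmatched glob leaves the literal pattern behind; the -f test catches
  # that as well as directories without a chain file.
  [ -f "$certdir$FC" ] || continue
  CDOM=${certdir%/}
  CDOM=${CDOM##*/}
  # notAfter of the first certificate in the chain file, printed as
  # "notAfter=<date>"; strip the label and keep the date for date(1).
  exp=$(openssl x509 -enddate -noout -in "$certdir$FC") || { status=1; continue; }
  exp=${exp#notAfter=}
  off=$(date --date="$exp" --utc +%s) || { status=1; continue; }
  remaining=$(( (off - today) / 86400 ))
  printf 'Certificate Domain: %s, Days to expire: %s\n\n' "$CDOM" "$remaining"
  if [ "$remaining" -le "$days" ]; then
    # qmail refuses keys shorter than 2048 bits, so force RSA 2048 explicitly.
    if certbot renew --cert-name "$CDOM" --apache --rsa-key-size 2048 --key-type rsa; then
      systemctl reload httpd
      mailcert "$CDOM" || status=1
    else
      printf 'renewcerts: certbot renew failed for %s\n' "$CDOM" >&2
      status=1
    fi
  fi
done
# Non-zero when any renewal or installation failed, so a failure is visible
# to whatever runs this script instead of always reporting success.
exit "$status"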

Mail server settings

Dovecot

ssl_cert = </var/qmail/control/servercert.pem
ssl_key = </var/qmail/control/servercert.pem

Submission

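#!/bin/sh
# Run file for the qmail-smtpd submission service on port 587.
# Connections are accepted by tcpserver as the vpopmail user/group and
# handed to qmail-smtpd with vchkpw as the checkpassword program.

QMAILDUID=$(id -u vpopmail)
NOFILESGID=$(id -g vpopmail)
# Maximum simultaneous connections, read from the qmail control file.
MAXSMTPD=$(cat /var/qmail/control/concurrencyincoming)
SMTPD="/var/qmail/bin/qmail-smtpd"
# Compiled tcprules(1) database selecting which peers may connect.
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=$(hostname)
VCHKPW="/home/vpopmail/bin/vchkpw"
# FORCETLS=1: presumably makes qmail-smtpd insist on STARTTLS before
# anything else — confirm against the installed smtpd patch documentation.
export FORCETLS="1"
# SMTPAUTH="!": presumably requires authentication on this port — confirm
# against the installed smtpd patch documentation.
export SMTPAUTH="!"

# -R/-H: skip IDENT and reverse DNS lookups; -l is the greeting name, -x the
# access rules, -c the concurrency limit, -u/-g the uid/gid to run as.
# Every expansion is quoted so an unexpected value cannot split into extra
# tcpserver arguments.
exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l "$HOSTNAME" -x "$TCP_CDB" -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    "$SMTPD" "$VCHKPW" /bin/true 2>&1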

SMTPS

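#!/bin/sh
# Run file for the qmail-smtpd SMTPS service on port 465.
# Connections are accepted by tcpserver as the vpopmail user/group and
# handed to qmail-smtpd with vchkpw as the checkpassword program.

QMAILDUID=$(id -u vpopmail)
NOFILESGID=$(id -g vpopmail)
# Maximum simultaneous connections, read from the qmail control file.
MAXSMTPD=$(cat /var/qmail/control/concurrencyincoming)
SMTPD="/var/qmail/bin/qmail-smtpd"
# Compiled tcprules(1) database selecting which peers may connect.
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=$(hostname)
VCHKPW="/home/vpopmail/bin/vchkpw"
# SMTPS=1 with FORCETLS=0: presumably the session is TLS-wrapped from the
# first byte, so STARTTLS is not demanded — confirm against the installed
# smtpd patch documentation.
export SMTPS="1"
export FORCETLS="0"
# SMTPAUTH="!+cram": presumably requires authentication and additionally
# offers CRAM-MD5 — confirm against the installed smtpd patch documentation.
export SMTPAUTH="!+cram"

# -R/-H: skip IDENT and reverse DNS lookups; -l is the greeting name, -x the
# access rules, -c the concurrency limit, -u/-g the uid/gid to run as.
# Every expansion is quoted so an unexpected value cannot split into extra
# tcpserver arguments.
exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l "$HOSTNAME" -x "$TCP_CDB" -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
    "$SMTPD" "$VCHKPW" /bin/true 2>&1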