Certificate: Difference between revisions

From QmailToaster
Jump to navigation Jump to search
No edit summary
 
(32 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[Configuration#Certificate|Back to Configuration]]<br>
[[Rocky,_Alma,_Springdale_9_QT_Install|Back to Install]]<br>
= Security Certificate =
= Security Certificate =


Line 10: Line 13:
  # remove *.pem
  # remove *.pem


== Let's Encrypt ==
== Let's Encrypt ==  
(assumes a functioning Apache web server for domain.tld)
# dnf -y install certbot python3-certbot-apache
# certbot --apache -d domain.tld -d mail.domain.tld <span style="color:red">--rsa-key-size 2048 --key-type rsa</span>


# dnf -y install certbot python3-certbot-apache
A 2048 bit key should have been created (qmail won't run with anything less), if not, force it with RSA options <span style="color:red">(in red)</span> above.<br>
# certbot --apache -d domain.tld -d mail.domain.tld
Check the size of the private key with the following command


This should create a 2048 bit certificate, if not
# openssl rsa -in /etc/letsencrypt/live/mydomain.tld/privkey.pem  -text | grep Key


# certbot --rsa-key-size 2048 --key-type rsa --apache -d domain.tld -d mail.domain.tld
Move key & certificate in place


  # cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
  # cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
  # cat /etc/letsencrypt/live/mail.mydomain.com/privkey.pem /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem <nowiki>></nowiki> servercert.pem
  # cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/mydomain.tld/fullchain.pem <nowiki>></nowiki> servercert.pem
  # cp ./servercert.pem /var/qmail/control/servercert.pem
  # cp ./servercert.pem /var/qmail/control/servercert.pem


== Go Daddy ==
== GoDaddy ==
  # cd /tmp
  # cd /tmp
  # SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
  # SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
  # openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -subj $SUBJ
  # openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -subj $SUBJ
  # openssl req -in csr.pem -noout -text <span style="color:red">(Examine your signing request)<span>
  # openssl req -in csr.pem -noout -text <span style="color:red">(Examine your signing request)<span>
Submit signing request (csr.pem) to GoDaddy and download crt and crt bundle when done.
Submit signing request (csr.pem) to GoDaddy, download crt and crt bundle, pack, and move in place.
  # cat key.pem 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
  # cat key.pem 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
# chmod 644 servercert.pem
  # cp servercert.pem /var/qmail/control
# chown root:qmail servercert.pem
  # cp -p servercert.pem /var/qmail/control


= Implementation =
= Implementation =
Line 38: Line 42:
== Restart Services ==
== Restart Services ==
  # qmailctl stop && sleep 2 && qmailctl start
  # qmailctl stop && sleep 2 && qmailctl start
  # systemctl restart dovecot httpd
  # systemctl reload dovecot httpd
 
== Dovecot ==
ssl_cert = </var/qmail/control/servercert.pem
ssl_key = </var/qmail/control/servercert.pem


== Renew (Let's Encrypt) *with script ==
== Renew (Let's Encrypt) *with script ==
  # crontab -e
  # crontab -e
  0 0 * * * /opt/certbot/certbot renew
  0 0 * * * /opt/certbot/renewcerts renew


<pre>
#!/bin/bash
# certbot: script to renew certificates


LOG=/usr/command/certs/certs.log
#!/bin/bash<br>
days=3
#  Script: renewcerts
 
# Function: renew certificates<br>
today=`date`
LOG=/usr/command/certs/certs.log
today=`date --date="$today" --utc +%s`
days=3<br>
CD=/etc/letsencrypt/live
today=`date`
FC=fullchain.pem
today=`date --date="$today" --utc +%s`
PK=privkey.pem
CD=/etc/letsencrypt/live
 
FC=fullchain.pem
mailcert () {
PK=privkey.pem<br>
mailcert () {
   cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem
   cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem
   cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
   cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
   cp ./servercert.pem  /var/qmail/control/servercert.pem
   cp servercert.pem  /var/qmail/control/servercert.pem
   systemctl reload dovecot   
   systemctl reload dovecot   
   qmailctl stop && sleep 2 && qmailctl start
   qmailctl stop && sleep 2 && qmailctl start
}
}<br>
 
for CDOM in `ls $CD`
for CDOM in `ls $CD`
do
do
   [ "$CDOM" = "README" ] && continue
   [ "$CDOM" = "README" ] && continue
   exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'`
   exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'`
Line 79: Line 76:
   if [ $diff -le $days ]
   if [ $diff -le $days ]
   then
   then
       certbot renew --cert-name $CDOM
       certbot renew --cert-name $CDOM --apache <span style="color:red">--rsa-key-size 2048 --key-type rsa</span>
       systemctl reload httpd
       systemctl reload httpd
       mailcert $CDOM
       mailcert $CDOM
   fi
   fi
done
done<br>
exit 0


exit 0
== Mail server settings ==


</pre>
=== Dovecot ===
ssl_cert = </var/qmail/control/servercert.pem
ssl_key = </var/qmail/control/servercert.pem


== Qmail run scripts ==
===Submission===
===Submission===
<pre>
<pre>

Latest revision as of 09:26, 19 October 2024

Back to Configuration
Back to Install

Security Certificate

Self-Signed

# cd /tmp
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj $SUBJ
# cat cert.pem key.pem > servercert.pem
# cp servercert.pem /var/qmail/control/servercert.pem
# remove *.pem

Let's Encrypt

(assumes a functioning Apache web server for domain.tld) 

# dnf -y install certbot python3-certbot-apache
# certbot --apache -d domain.tld -d mail.domain.tld --rsa-key-size 2048 --key-type rsa

A 2048 bit key should have been created (qmail won't run with anything less), if not, force it with RSA options (in red) above.
Check the size of the private key with the following command 

# openssl rsa -in /etc/letsencrypt/live/mydomain.tld/privkey.pem  -text | grep Key

Move key & certificate in place 

# cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
# cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/mydomain.tld/fullchain.pem > servercert.pem
# cp ./servercert.pem /var/qmail/control/servercert.pem

GoDaddy

# cd /tmp
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
# openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -subj $SUBJ
# openssl req -in csr.pem -noout -text (Examine your signing request)

Submit signing request (csr.pem) to GoDaddy, download crt and crt bundle, pack, and move in place. 

# cat key.pem 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
# cp servercert.pem /var/qmail/control

Implementation

Restart Services

# qmailctl stop && sleep 2 && qmailctl start
# systemctl reload dovecot httpd

Renew (Let's Encrypt) *with script

# crontab -e
0 0 * * * /opt/certbot/renewcerts renew



#!/bin/bash

#   Script: renewcerts
# Function: renew certificates

LOG=/usr/command/certs/certs.log
days=3

today=`date`
today=`date --date="$today" --utc +%s`
CD=/etc/letsencrypt/live
FC=fullchain.pem
PK=privkey.pem

mailcert () {
  cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem
  cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
  cp servercert.pem  /var/qmail/control/servercert.pem
  systemctl reload dovecot  
  qmailctl stop && sleep 2 && qmailctl start
}

for CDOM in `ls $CD`
do
  [ "$CDOM" = "README" ] && continue
  exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'`
  off=`date --date="$exp" --utc +%s`
  diff=$(( (off - today)/86400 ))
  echo "Certificate Domain: $CDOM, Days to expire: $diff"
  echo ""
  if [ $diff -le $days ]
  then
     certbot renew --cert-name $CDOM --apache --rsa-key-size 2048 --key-type rsa
     systemctl reload httpd
     mailcert $CDOM
  fi
done

exit 0

Mail server settings

Dovecot

ssl_cert = </var/qmail/control/servercert.pem
ssl_key = </var/qmail/control/servercert.pem

Submission

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export FORCETLS="1"
export SMTPAUTH="!"

exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    $SMTPD $VCHKPW /bin/true 2>&1

SMTPS

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export SMTPS="1"
export FORCETLS="0"
export SMTPAUTH="!+cram"

exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
    $SMTPD $VCHKPW /bin/true 2>&1
Retrieved from "http://wiki.qmailtoaster.org:80/index.php?title=Certificate&oldid=1352"