Certificate: Difference between revisions

From QmailToaster
(156 intermediate revisions by the same user not shown)
Previous revision:

<u>'''Security Certificate'''</u>

To configure an SSL certificate for TLS and/or SSL over SMTP:

1) Abstract: Create Certificate
  a. Generate key
  b. Generate signing request
  c. Sign the key
  d. Create server certificate
  e. Set permission
  f. Set owner
  g. Copy into place
  h. Restart services

1) Create a private key using the Triple DES encryption standard (recommended):
  # openssl genrsa -des3 -out servercert.key.enc 1024

2) Remove the pass phrase from the private key:
  # openssl rsa -in servercert.key.enc -out servercert.key

3) Generate Certificate Request
  # openssl req -new -key servercert.key -out servercert.csr

4) Go to [http://www.discountwebcerts.com/idev/idevaffiliate.php?id=135 DiscountWebCerts] and submit servercert.csr for a trusted certificate ($19.95). You will then receive a servercert.crt. Now just do the following.

5) Create standard .pem in /var/qmail/control/servercert.pem
  # cat servercert.key servercert.crt > /var/qmail/control/servercert.pem

----------------------
*NOTE - For reference, here is the command to sign the request for a self-signed certificate:
  # openssl x509 -req -days 365 -in servercert.csr -signkey servercert.key -out servercert.crt

Here is an additional resource with some good examples.
http://www.madboa.com/geek/openssl/#cert-self
----------------------

----------------------
** NOTE - Some certificate providers, like GoDaddy for example, will also give you a chain file (also sometimes called an intermediate file); dump it into the same servercert.pem like so:
  cat /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/intermediate.crt > /var/qmail/control/servercert.pem

This will join all three of them: the key, the signed certificate and the intermediate certificate. You can use the same certificate you have obtained for your Apache website.
-----------------------

  # chown root:vchkpw /var/qmail/control/servercert.pem
  # chmod 640 /var/qmail/control/servercert.pem

Note, in order to avoid verification errors in email clients (i.e. Outlook, Thunderbird, etc.), you need to use the same server name (FQDN) in your client configuration(s) for both incoming (pop/imap) and outgoing (smtp) servers that was entered as the hostname when the certificate request was created. This should also be the same name that is used on the DNS MX record.

That's all there is to it. There is no need to restart qmail.

You can also use this signed certificate for Apache by putting:
* '''servercert.key''' in '''/etc/pki/tls/private/localhost.key'''
* '''servercert.crt''' in '''/etc/pki/tls/certs/localhost.crt'''
Be sure to check your /etc/httpd/conf.d/ssl.conf file to be certain that the correct file names are specified, and that the corresponding parameters are not commented out.

You need to restart Apache to activate the modified certificate configuration.

See [http://tldp.org/HOWTO/SSL-RedHat-HOWTO.html Building a Secure Redhat Apache Server HOWTO] for guidance with securing your Apache server.

'''Self-signed ssl cert''' gleaned from the archives

Quick-n-dirty how-to for ssl certs

# cd /usr/share/ssl/certs
# make stunnel.pem
# mv stunnel.pem /var/qmail/control/servercert.pem

Then run these commands to finish:

# cd /var/qmail/control
# chown root:qmail /var/qmail/control/servercert.pem
# chmod 644 /var/qmail/control/servercert.pem
# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem

And that should take care of it for you...good till next year.

* Jake - I changed the link for the certs to [http://www.discountwebcerts.com/idev/idevaffiliate.php?id=135 DiscountWebCerts]. I've used them before and signed up for an affiliate account. When you purchase a cert from them, we earn 5% of the total sale. They offer single root certs (not chained certs like GoDaddy and others) and they're fast. I had my cert in literally 15 minutes.

* Jake - As a side note, I've used RegFly (RapidSSL) a couple times for SSL certs, and there is always an issue that requires helpdesk intervention (~24 hours). I have never had one work in the 5 minutes they advertise. Just be aware. I have been using [http://www.freessl.com/ssl-certificate-products/free-ssl/freessl.htm FreeSSL] during the wait periods. They offer a free 30-day certificate signed by a major CA that can be used until you get the other certificate straightened out, and they really do give you a cert in 5 minutes after the phone call verification.

* I recently tried this with RegFly and I have not been able to get the certificate from them, nor a response from their support desk, nor my money back. I would advise people to avoid this company.

* Jake - I second this. I purchased a cert from them and have not received the cert nor my money refunded after 30 days of fighting with their support.

----------------------
*NOTE - How to create an OUTLOOK certificate for import to avoid Outlook certificate warnings:
# openssl pkcs12 -export -in servercert.crt -inkey servercert.key -out OutlookSMTP.p12

Then import the OutlookSMTP.p12 file into the Trusted Root Certification Authorities store within Internet Explorer (Tools -> Internet Options -> Content -> Certificates, or by just double-clicking it). You will then be free to establish an SSL connection within Outlook to enforce tighter security.
----------------------

Latest revision as of 10:26, 19 October 2024


Security Certificate

Self-Signed

# cd /tmp
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj $SUBJ
# cat cert.pem key.pem > servercert.pem
# cp servercert.pem /var/qmail/control/servercert.pem
# rm *.pem

Let's Encrypt

(assumes a functioning Apache web server for domain.tld)

# dnf -y install certbot python3-certbot-apache
# certbot --apache -d domain.tld -d mail.domain.tld --rsa-key-size 2048 --key-type rsa

A 2048 bit key should have been created (qmail won't run with anything less); if not, force it with the RSA options (--rsa-key-size 2048 --key-type rsa) on the certbot command above.
Check the size of the private key with the following command:

# openssl rsa -in /etc/letsencrypt/live/domain.tld/privkey.pem -noout -text | grep Key

Move key & certificate in place

# cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
# cat /etc/letsencrypt/live/domain.tld/privkey.pem /etc/letsencrypt/live/domain.tld/fullchain.pem > servercert.pem
# cp ./servercert.pem /var/qmail/control/servercert.pem

GoDaddy

# cd /tmp
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
# openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -subj $SUBJ
# openssl req -in csr.pem -noout -text

Examine your signing request (subject, key size) before submitting it.

Submit signing request (csr.pem) to GoDaddy, download crt and crt bundle, pack, and move in place.

# cat key.pem 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
# cp servercert.pem /var/qmail/control
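Whichever of the three routes above produced servercert.pem (self-signed, Let's Encrypt, or GoDaddy), the file is a private key followed by one or more certificates, and a mistake in assembling it (wrong key in front of the certificate, a 1024-bit key, an expired chain, a world-readable file) only shows up after the services have been restarted. The checker below is an added example, not part of the QmailToaster wiki: it counts the PEM blocks, reads the key size, compares the key's public key with the first certificate's, computes days to expiry the same way the wiki's renewal script does (GNU date), and refuses a file that is readable by others. The function names, the 2048-bit and 3-day thresholds, and the temp-dir fixtures (a constructed self-signed certificate with a matching and a non-matching key) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the QmailToaster wiki: sanity-check an assembled
# servercert.pem (private key first, then certificate and any chain) before
# it is copied to /var/qmail/control and the mail services are restarted.
# Paths are arguments or constructed temp files; thresholds are assumptions.

# Print "<private-key blocks> <certificate blocks>" found in a PEM file.
pem_counts() {
    local keys certs
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    echo "$keys $certs"
}

# Print the bit length of the first private key in the file (empty if unreadable).
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed only if the private key and the first certificate carry the same public key.
key_matches_cert() {
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Print whole days until the first certificate expires (GNU date, as in the wiki's renew script).
cert_days_left() {
    local exp end now
    exp=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
    [ -n "$exp" ] || return 1
    end=$(date --date="$exp" --utc +%s) || return 1
    now=$(date --utc +%s)
    echo $(( (end - now) / 86400 ))
}

# Run every check, print one finding per line, return 0 only when all pass.
# $2 = minimum key bits (default 2048, qmail's floor per the wiki), $3 = minimum days left (default 3).
check_servercert() {
    local f=$1 min_bits=${2:-2048} min_days=${3:-3} rc=0 counts bits days
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    counts=$(pem_counts "$f")
    [ "${counts%% *}" = "1" ] || { echo "FAIL: expected 1 private key block, found ${counts%% *}"; rc=1; }
    [ "${counts##* }" -ge 1 ] || { echo "FAIL: no certificate block"; rc=1; }
    bits=$(key_bits "$f")
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-unreadable} bits, need at least $min_bits"; rc=1
    fi
    if key_matches_cert "$f"; then
        echo "ok: private key matches first certificate"
    else
        echo "FAIL: private key does not match first certificate"; rc=1
    fi
    if days=$(cert_days_left "$f"); then
        if [ "$days" -ge "$min_days" ]; then
            echo "ok: $days days until expiry"
        else
            echo "FAIL: certificate expires in $days days"; rc=1
        fi
    else
        echo "FAIL: cannot read certificate expiry"; rc=1
    fi
    # The file holds a private key: it must not be world-readable (mode bit 004).
    if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $f is world-readable"; rc=1
    fi
    return $rc
}

# Constructed fixtures in directory $1: good.pem (key + matching self-signed cert,
# mode 640) and mismatch.pem (an unrelated key in front of the same certificate).
make_fixtures() {
    local d=$1 subj="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.example.test"
    openssl req -x509 -newkey rsa:2048 -keyout "$d/key.pem" -out "$d/cert.pem" \
        -sha256 -days 30 -nodes -subj "$subj" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$d/other.pem" 2048 >/dev/null 2>&1 || return 1
    cat "$d/key.pem" "$d/cert.pem" > "$d/good.pem"
    cat "$d/other.pem" "$d/cert.pem" > "$d/mismatch.pem"
    chmod 640 "$d/good.pem" "$d/mismatch.pem"
}

# Stand-alone run: build the fixtures in a temp dir and check both files.
demo() {
    local d
    d=$(mktemp -d) || return 1
    make_fixtures "$d" || { echo "fixture generation failed (is openssl installed?)"; return 1; }
    echo "== good.pem";     check_servercert "$d/good.pem"
    echo "== mismatch.pem"; check_servercert "$d/mismatch.pem"
    rm -rf "$d"
}
demo
```

On a live system, run `check_servercert /var/qmail/control/servercert.pem` after the `cat`/`cp` steps and before `qmailctl stop`; a non-zero exit means the backup copy (`servercert.pem.bak`) should go back into place rather than the new file.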

Implementation

Restart Services

# qmailctl stop && sleep 2 && qmailctl start
# systemctl reload dovecot httpd

Renew (Let's Encrypt) with script

# crontab -e
0 0 * * * /opt/certbot/renewcerts renew


#!/bin/bash
# Script: renewcerts
# Function: renew certificates
LOG=/usr/command/certs/certs.log
days=3
today=`date`
today=`date --date="$today" --utc +%s`
CD=/etc/letsencrypt/live
FC=fullchain.pem
PK=privkey.pem

# Assemble key + full chain into servercert.pem, keep a backup, reload the mail services
mailcert () {
  cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem
  cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
  cp servercert.pem /var/qmail/control/servercert.pem
  systemctl reload dovecot
  qmailctl stop && sleep 2 && qmailctl start
}

# For every lineage under /etc/letsencrypt/live, renew when $days or fewer remain
for CDOM in `ls $CD`
do
  [ "$CDOM" = "README" ] && continue
  exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'`
  off=`date --date="$exp" --utc +%s`
  diff=$(( (off - today)/86400 ))
  echo "Certificate Domain: $CDOM, Days to expire: $diff"
  echo ""
  if [ $diff -le $days ]
  then
      certbot renew --cert-name $CDOM --apache --rsa-key-size 2048 --key-type rsa
      systemctl reload httpd
      mailcert $CDOM
  fi
done
exit 0

Mail server settings

Dovecot

ssl_cert = </var/qmail/control/servercert.pem
ssl_key = </var/qmail/control/servercert.pem

Submission

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export FORCETLS="1"
export SMTPAUTH="!"

exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    $SMTPD $VCHKPW /bin/true 2>&1

SMTPS

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export SMTPS="1"
export FORCETLS="0"
export SMTPAUTH="!+cram"

exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
    $SMTPD $VCHKPW /bin/true 2>&1
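The two run scripts above pair a port with a TLS policy: 465 carries SMTPS="1" (the session is TLS from the first byte), 587 carries FORCETLS="1" (the session must negotiate STARTTLS before the mail commands are accepted), and both require authentication. Because these are free-form environment exports in a supervise run file, nothing stops an edit from dropping one of them while the port stays the same. The lint below is an added example, not part of the QmailToaster wiki: it pulls the tcpserver port and the SMTPS/FORCETLS exports out of a run script and reports when the pairing the wiki uses is broken. The function names and the inline fixtures (constructed copies of the wiki's submission and SMTPS scripts plus a deliberately broken port-587 variant with no FORCETLS) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the QmailToaster wiki: lint a qmail-smtpd
# supervise "run" script so the tcpserver port and the TLS environment agree,
# following the pairing the wiki's own scripts use: port 465 with SMTPS="1"
# (implicit TLS), port 587 with FORCETLS="1" (STARTTLS required).
# The sample scripts below are constructed; file names are placeholders.

# Print the port handed to tcpserver: the numeric field right after the "0" bind address.
run_port() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "0" && $(i+1) ~ /^[0-9]+$/) { print $(i+1); exit } }' "$1"
}

# Print the value of "export NAME=..." from the script (quotes stripped); empty if absent.
run_env() {
    sed -n 's/^export '"$2"'="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1
}

# Exit 0 when the port/TLS pairing is sane, 1 otherwise; one finding per line.
lint_run_script() {
    local f=$1 port smtps forcetls rc=0
    port=$(run_port "$f")
    smtps=$(run_env "$f" SMTPS)
    forcetls=$(run_env "$f" FORCETLS)
    case "$port" in
        465) [ "$smtps" = "1" ] || { echo "$f: port 465 but SMTPS=\"${smtps:-unset}\": clients expect implicit TLS here"; rc=1; } ;;
        587) [ "$forcetls" = "1" ] || { echo "$f: port 587 but FORCETLS=\"${forcetls:-unset}\": STARTTLS not enforced before mail commands"; rc=1; } ;;
        "")  echo "$f: no tcpserver port found"; rc=1 ;;
        *)   echo "$f: port $port: no TLS rule defined for this port" ;;
    esac
    [ "$rc" -eq 0 ] && echo "$f: ok (port $port, SMTPS=${smtps:-unset}, FORCETLS=${forcetls:-unset})"
    return $rc
}

# Constructed fixtures in directory $1: the wiki's two run scripts (trimmed to the
# lines that matter) and a broken submission script that forgot FORCETLS.
write_fixtures() {
    cat > "$1/run.submission" <<'EOF'
#!/bin/sh
export FORCETLS="1"
export SMTPAUTH="!"
exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    $SMTPD $VCHKPW /bin/true 2>&1
EOF
    cat > "$1/run.smtps" <<'EOF'
#!/bin/sh
export SMTPS="1"
export FORCETLS="0"
export SMTPAUTH="!+cram"
exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
    $SMTPD $VCHKPW /bin/true 2>&1
EOF
    cat > "$1/run.broken" <<'EOF'
#!/bin/sh
export SMTPAUTH="!"
exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    $SMTPD $VCHKPW /bin/true 2>&1
EOF
}

# Stand-alone run: lint the three constructed scripts.
demo_lint() {
    local d r
    d=$(mktemp -d) || return 1
    write_fixtures "$d"
    for r in submission smtps broken; do lint_run_script "$d/run.$r"; done
    rm -rf "$d"
}
demo_lint
```

On a toaster host the same function can be pointed at the real files, e.g. `lint_run_script /var/qmail/supervise/submission/run`, as a quick check after editing them and before `qmailctl start`.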