Certificate: Difference between revisions

From QmailToaster
Jump to navigation Jump to search
Line 25: Line 25:
  # cd /tmp
  # cd /tmp
  # SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
  # SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
  # openssl genrsa -out key.pem 2048
  # openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -subj $SUBJ
# openssl req -new -key key.pem -out csr.pem -subj $SUBJ
  # openssl req -in csr.pem -noout -text <span style="color:red">(Examine your signing request)<span>
  # openssl req -in csr.pem -noout -text <span style="color:red">(Examine your signing request)<span>
Submit signing request (csr.pem) to GoDaddy and download crt and crt bundle when done.
Submit signing request (csr.pem) to GoDaddy and download crt and crt bundle when done.

Revision as of 23:08, 17 October 2024

Security Certificate

Self-Signed

# cd /tmp
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
# openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj $SUBJ
# cat cert.pem key.pem > servercert.pem
# cp servercert.pem /var/qmail/control/servercert.pem
# remove *.pem

Let's Encrypt

# dnf -y install certbot python3-certbot-apache
# certbot --apache -d domain.tld -d mail.domain.tld

This should create a 2048 bit certificate, if not

# certbot --rsa-key-size 2048 --key-type rsa --apache -d domain.tld -d mail.domain.tld
# cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
# cat /etc/letsencrypt/live/mail.mydomain.com/privkey.pem /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem > servercert.pem
# cp ./servercert.pem /var/qmail/control/servercert.pem

Go Daddy

# cd /tmp
# SUBJ="/C=US/ST=Indiana/L=Gary/O=COMPANY/OU=IT/CN=mail.domain.tld/emailAddress=user@domain.tld"
# openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -subj $SUBJ
# openssl req -in csr.pem -noout -text (Examine your signing request)

Submit signing request (csr.pem) to GoDaddy and download crt and crt bundle when done.

# cat key.pem 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
# chmod 644 servercert.pem
# chown root:qmail servercert.pem
# cp -p servercert.pem /var/qmail/control

Implementation

Restart Services

# qmailctl stop && sleep 2 && qmailctl start
# systemctl restart dovecot httpd

Dovecot

ssl_cert = </var/qmail/control/servercert.pem
ssl_key = </var/qmail/control/servercert.pem

Renew (Let's Encrypt) *with script

# crontab -e
0 0 * * * /opt/certbot/certbot renew
#!/bin/bash
# certbot: script to renew certificates

LOG=/usr/command/certs/certs.log
days=3

today=`date`
today=`date --date="$today" --utc +%s`
CD=/etc/letsencrypt/live
FC=fullchain.pem
PK=privkey.pem

mailcert () {
   cat $CD/$1/$PK $CD/$1/$FC > ./servercert.pem
   cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
   cp ./servercert.pem  /var/qmail/control/servercert.pem
   systemctl reload dovecot  
   qmailctl stop && sleep 2 && qmailctl start
}

for CDOM in `ls $CD`
do
   [ "$CDOM" = "README" ] && continue
   exp=`openssl x509 -dates -noout < $CD/$CDOM/$FC | grep notAfter | sed 's/notAfter=//'`
   off=`date --date="$exp" --utc +%s`
   diff=$(( (off - today)/86400 ))
   echo "Certificate Domain: $CDOM, Days to expire: $diff"
   echo ""
   if [ $diff -le $days ]
   then
      certbot renew --cert-name $CDOM
      systemctl reload httpd
      mailcert $CDOM
   fi
done

exit 0

Qmail run scripts

Submission

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export FORCETLS="1"
export SMTPAUTH="!"

exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    $SMTPD $VCHKPW /bin/true 2>&1

SMTPS

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
export SMTPS="1"
export FORCETLS="0"
export SMTPAUTH="!+cram"

exec /usr/bin/softlimit -m 128000000 \
    /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 465 \
    $SMTPD $VCHKPW /bin/true 2>&1