From e5719ceacbac682b298297219ba3375a898784a3 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sat, 5 Dec 2015 16:44:13 +0100 Subject: [PATCH] Begening configuration for Letsencrypt support --- .gitignore | 1 + README.md | 56 ++++++++---------------------------- SSL.md | 46 ++++++++++++++++++++++++++++++ start-mailserver.sh | 69 ++++++++++++++++++++++++++++++++------------- 4 files changed, 108 insertions(+), 64 deletions(-) create mode 100644 SSL.md diff --git a/.gitignore b/.gitignore index 2fc3256c..61e94224 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ docker-compose.yml postfix/ssl/* assert.sh* +letsencrypt/ \ No newline at end of file diff --git a/README.md b/README.md index 8dbb8155..c24c2fbf 100644 --- a/README.md +++ b/README.md @@ -68,53 +68,21 @@ Volumes allow to: docker-compose up -d mail -# configure ssl - -## generate self-signed ssl certificate - -You can easily generate a self-signed SSL certificate by using the following command: - - docker run -ti --rm -v "$(pwd)"/postfix/ssl:/ssl -h mail.my-domain.com -t tvial/docker-mailserver generate-ssl-certificate - - # Press enter - # Enter a password when needed - # Fill information like Country, Organisation name - # Fill "my-domain.com" as FQDN for CA, and "mail.my-domain.com" for the certificate. - # They HAVE to be different, otherwise you'll get a `TXT_DB error number 2` - # Don't fill extras - # Enter same password when needed - # Sign the certificate? [y/n]:y - # 1 out of 1 certificate requests certified, commit? [y/n]y - - # will generate: - # postfix/ssl/mail.my-domain.com-key.pem (used in postfix) - # postfix/ssl/mail.my-domain.com-req.pem (only used to generate other files) - # postfix/ssl/mail.my-domain.com-cert.pem (used in postfix) - # postfix/ssl/mail.my-domain.com-combined.pem (used in courier) - # postfix/ssl/demoCA/cacert.pem (certificate authority) - -Note that the certificate will be generate for the container `fqdn`, that is passed as `-h` argument. -Check the following page for more information regarding [postfix and SSL/TLS configuration](http://www.mad-hacking.net/documentation/linux/applications/mail/using-ssl-tls-postfix-courier.xml). - -## configure ssl certificate (convention over configuration) - -If a matching certificate (files listed above) is found in `postfix/ssl`, it will be automatically setup in postfix and courier-imap-ssl. You just have to place them in `postfix/ssl` folder. - # client configuration - # imap - username: - password: - server: - imap port: 143 or 993 with ssl (recommended) - imap path prefix: INBOX - auth method: md5 challenge-response + # imap + username: + password: + server: + imap port: 143 or 993 with ssl (recommended) + imap path prefix: INBOX + auth method: md5 challenge-response - # smtp - smtp port: 25 or 587 with ssl (recommended) - username: - password: - auth method: md5 challenge-response + # smtp + smtp port: 25 or 587 with ssl (recommended) + username: + password: + auth method: md5 challenge-response # todo diff --git a/SSL.md b/SSL.md new file mode 100644 index 00000000..0bb3e972 --- /dev/null +++ b/SSL.md @@ -0,0 +1,46 @@ +# docker-mailserver with ssl + +There are multiple options to enable SSL: + +* using [letsencrypt](https://letsencrypt.org/) +* using self-signed certificates with the provided tool + +## let's encrypt + +To enable Let's Encrypt on your mail server, you have to add en environment variable `DMS_SSL` with value `letsencrypt`. +You also have to mount your `letsencrypt` folder to `/etc/letsencrypt`. + + + +TO BE FINISHED WHEN IT WILL BE TESTED + + + +## self signed certificates + +You can easily generate a self-signed SSL certificate by using the following command: + + docker run -ti --rm -v "$(pwd)"/postfix/ssl:/ssl -h mail.my-domain.com -t tvial/docker-mailserver generate-ssl-certificate + + # Press enter + # Enter a password when needed + # Fill information like Country, Organisation name + # Fill "my-domain.com" as FQDN for CA, and "mail.my-domain.com" for the certificate. + # They HAVE to be different, otherwise you'll get a `TXT_DB error number 2` + # Don't fill extras + # Enter same password when needed + # Sign the certificate? [y/n]:y + # 1 out of 1 certificate requests certified, commit? [y/n]y + + # will generate: + # postfix/ssl/mail.my-domain.com-key.pem (used in postfix) + # postfix/ssl/mail.my-domain.com-req.pem (only used to generate other files) + # postfix/ssl/mail.my-domain.com-cert.pem (used in postfix) + # postfix/ssl/mail.my-domain.com-combined.pem (used in courier) + # postfix/ssl/demoCA/cacert.pem (certificate authority) + +Note that the certificate will be generate for the container `fqdn`, that is passed as `-h` argument. +Check the following page for more information regarding [postfix and SSL/TLS configuration](http://www.mad-hacking.net/documentation/linux/applications/mail/using-ssl-tls-postfix-courier.xml). + +If a matching certificate (files listed above) is found in `postfix/ssl`, it will be automatically setup in postfix and courier-imap-ssl. You just have to place them in `postfix/ssl` folder. + diff --git a/start-mailserver.sh b/start-mailserver.sh index 89d84238..ca5a7ecd 100644 --- a/start-mailserver.sh +++ b/start-mailserver.sh @@ -54,28 +54,57 @@ echo "Postfix configurations" touch /etc/postfix/vmailbox && postmap /etc/postfix/vmailbox touch /etc/postfix/virtual && postmap /etc/postfix/virtual -# Adding self-signed SSL certificate if provided in 'postfix/ssl' folder -if [ -e "/tmp/postfix/ssl/$(hostname)-cert.pem" ] \ -&& [ -e "/tmp/postfix/ssl/$(hostname)-key.pem" ] \ -&& [ -e "/tmp/postfix/ssl/$(hostname)-combined.pem" ] \ -&& [ -e "/tmp/postfix/ssl/demoCA/cacert.pem" ]; then - echo "Adding $(hostname) SSL certificate" - mkdir -p /etc/postfix/ssl - cp /tmp/postfix/ssl/$(hostname)-cert.pem /etc/postfix/ssl - cp /tmp/postfix/ssl/$(hostname)-key.pem /etc/postfix/ssl - cp /tmp/postfix/ssl/$(hostname)-combined.pem /etc/postfix/ssl - cp /tmp/postfix/ssl/demoCA/cacert.pem /etc/postfix/ssl +# SSL Configuration +case $DMS_SSL in + "letsencrypt" ) + # letsencrypt folders and files mounted in /etc/letsencrypt - # Postfix configuration - sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/postfix\/ssl\/'$(hostname)'-cert.pem/g' /etc/postfix/main.cf - sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/postfix\/ssl\/'$(hostname)'-key.pem/g' /etc/postfix/main.cf - sed -i -r 's/#smtpd_tls_CAfile=/smtpd_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf - sed -i -r 's/#smtp_tls_CAfile=/smtp_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf - ln -s /etc/postfix/ssl/cacert.pem /etc/ssl/certs/cacert-$(hostname).pem + # Adding certificates from Letsencrypt and IdenTrust + # curl https://letsencrypt.org/certs/isrgrootx1.pem -so /etc/ssl/certs/isrgrootx1.pem + # curl https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem -so /etc/ssl/certs/lets-encrypt-x1-cross-signed.pem + # curl https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.pem -so /etc/ssl/certs/lets-encrypt-x2-cross-signed.pem + # curl https://letsencrypt.org/certs/letsencryptauthorityx1.pem -so /etc/ssl/certs/letsencryptauthorityx1.pem + # curl https://letsencrypt.org/certs/letsencryptauthorityx2.pem -so /etc/ssl/certs/letsencryptauthorityx2.pem - # Courier configuration - sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/'$(hostname)'-combined.pem/g' /etc/courier/imapd-ssl -fi + # Postfix configuration + sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/letsencrypt\/live\/'$(hostname)'\/fullchain.pem/g' /etc/postfix/main.cf + sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/letsencrypt\/live\/'$(hostname)'\/privkey.pem/g' /etc/postfix/main.cf + + # Courier configuration + cat /etc/letsencrypt/live/$(hostname)/privkey.pem /etc/letsencrypt/live/$(hostname)/cert.pem >> /etc/letsencrypt/live/$(hostname)/combined.pem + sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/letsencrypt\/live\/'$(hostname)'\/combined.pem/g' /etc/courier/imapd-ssl + + echo "SSL configured with letsencrypt certificates" + + ;; + + "self-signed" ) + # Adding self-signed SSL certificate if provided in 'postfix/ssl' folder + if [ -e "/tmp/postfix/ssl/$(hostname)-cert.pem" ] \ + && [ -e "/tmp/postfix/ssl/$(hostname)-key.pem" ] \ + && [ -e "/tmp/postfix/ssl/$(hostname)-combined.pem" ] \ + && [ -e "/tmp/postfix/ssl/demoCA/cacert.pem" ]; then + echo "Adding $(hostname) SSL certificate" + mkdir -p /etc/postfix/ssl + cp /tmp/postfix/ssl/$(hostname)-cert.pem /etc/postfix/ssl + cp /tmp/postfix/ssl/$(hostname)-key.pem /etc/postfix/ssl + cp /tmp/postfix/ssl/$(hostname)-combined.pem /etc/postfix/ssl + cp /tmp/postfix/ssl/demoCA/cacert.pem /etc/postfix/ssl + + # Postfix configuration + sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/postfix\/ssl\/'$(hostname)'-cert.pem/g' /etc/postfix/main.cf + sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/postfix\/ssl\/'$(hostname)'-key.pem/g' /etc/postfix/main.cf + sed -i -r 's/#smtpd_tls_CAfile=/smtpd_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf + sed -i -r 's/#smtp_tls_CAfile=/smtp_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf + ln -s /etc/postfix/ssl/cacert.pem /etc/ssl/certs/cacert-$(hostname).pem + + # Courier configuration + sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/'$(hostname)'-combined.pem/g' /etc/courier/imapd-ssl + fi + + ;; + +esac echo "Fixing permissions" chown -R 5000:5000 /var/mail