added postfix certificate distribution

ssl/create-key

@@ -4,5 +4,7 @@ echo creating keys for $1
 # private key for client, public key for server sslkeys
 export CN=$1
 export SAN=DNS:$CN
-openssl req -new -out tmp/$CN.csr -nodes -keyout certs/$CN.key 
-openssl ca -batch -in tmp/$CN.csr -passin env:CA_PWD -out certs/$CN.crt -extensions server_ext
+openssl req -new -out tmp/$CN.csr -nodes -keyout certs/$CN.key
+openssl rsa -in certs/$CN.key -pubout -out certs/$CN-public-key.pem
+openssl ca -batch -in tmp/$CN.csr -passin env:CA_PWD -notext -out certs/$CN.crt -extensions server_ext
+cat certs/$CN.key certs/$CN.crt >certs/$CN-key-certs.pem

ssl/create-postfix-certs

@@ -0,0 +1,12 @@
+#!/usr/bin/bash
+export CN=$1
+./create-key $CN
+pushd certs
+# The default algorithm is sha256 with Postfix ≥ 3.6 and the compatibility_level set to 3.6 or higher. 
+# With Postfix ≤ 3.5, the default algorithm is md5.
+# https://www.postfix.org/postconf.5.html#relay_clientcerts
+openssl x509 -in $CN.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -md5 -c | ( read D FP; echo $FP $CN ) >>relay_clientcerts
+cp $CN.key ~/kopano-docker/etc-$CN/ssl/private
+cp kopano-ca.crt ~/kopano-docker/etc-$CN/ssl/certs
+cat kopano-ca.crt $CN.crt >~/kopano-docker/etc-$CN/ssl/$CN-full-chain.pem
+popd

ssl/mkcerts

@@ -3,6 +3,7 @@ export OPENSSL_CONF=./etc/kopano-ca.conf
 export CA_PWD=kopano
 export CA_SUBJ="/DC=de/DC=dts/O=Digital Trust Solutions/OU=Information Security Unit/CN=DTS Signing CA/"
 # create ssl certificates for docker network
+rm certs/*
 rm tmp/*.csr
 rm db/*.pem
 rm db/*.db
@@ -12,8 +13,9 @@ touch db/kopano-ca.db.attr
 echo 01 >db/kopano-ca.crt.srl
 echo 01 >db/kopano-ca.crl.srl
 # create signing ca (minimal pki)
+# inject distinguished_name (subj) and req_extensions (-reqexts) because -section req_ca is not yet available (section default: req)
 openssl req -new -reqexts ca_reqext -subj "$CA_SUBJ" -out tmp/kopano-ca.csr -passout pass:$CA_PWD -keyout certs/kopano-ca.key
-openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -out certs/kopano-ca.crt -extensions signing_ca_ext
+openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -notext -out certs/kopano-ca.crt -extensions signing_ca_ext
 
 # create kopano server ssl key (for encryption)
 ./create-key server
@@ -25,3 +27,13 @@ openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -out certs/
 ./create-key search
 ./create-key webapp
 ./create-key z-push
+
+# create postfix clients ssl key pair (for authentification)
+echo >certs/relay_clientcerts
+./create-postfix-certs relay
+./create-postfix-certs zntrl
+./create-postfix-certs baloghs
+
+cp certs/relay_clientcerts ~/kopano-docker/etc-relay/postfix
+cp certs/relay_clientcerts ~/kopano-docker/etc-zntrl/postfix
+cp certs/relay_clientcerts ~/kopano-docker/etc-baloghs/postfix