added postfix certificate distribution

This commit is contained in:
andreas
2023-10-24 20:57:44 +00:00
parent b17b808404
commit f20896e21c
12 changed files with 184 additions and 17 deletions

2
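--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,5 @@
 ssl/certs
 ssl/tmp
 ssl/db
+*/ssl
+*/postfix/relay_clientcerts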


@@ -88,7 +88,6 @@ services:
- 8025:25 - 8025:25
volumes: volumes:
- spool:/var/spool/postfix - spool:/var/spool/postfix
# - ./etc-zntrl/postfix:/etc/postfix
networks: networks:
traefik: traefik:
external: true external: true
@@ -98,4 +97,3 @@ volumes:
search: search:
z-push: z-push:
spool: spool:


@@ -33,8 +33,8 @@ default_transport = smtp:
# SMPTD (inbound) TLS parameters # SMPTD (inbound) TLS parameters
smtpd_tls_CApath = /etc/ssl/certs smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_CAfile = /etc/ssl/certs/balusign-signing-ca.pem smtpd_tls_CAfile = /etc/ssl/certs/kopano-ca.crt
smtpd_tls_key_file=/etc/ssl/private/relay.de.key smtpd_tls_key_file=/etc/ssl/private/pf-relay.key
smtpd_tls_cert_file=/etc/ssl/relay-full-chain.pem smtpd_tls_cert_file=/etc/ssl/relay-full-chain.pem
smtpd_tls_security_level=may smtpd_tls_security_level=may
smtpd_tls_loglevel = 1 smtpd_tls_loglevel = 1
@@ -47,7 +47,7 @@ smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
# SMTP (outbound) # SMTP (outbound)
smtp_tls_CApath=/etc/ssl/certs smtp_tls_CApath=/etc/ssl/certs
smtp_tls_key_file=/etc/ssl/private/relay.de.key smtp_tls_key_file=/etc/ssl/private/pf-relay.key
smtp_tls_cert_file=/etc/ssl/relay-full-chain.pem smtp_tls_cert_file=/etc/ssl/relay-full-chain.pem
smtp_tls_security_level=may smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
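Review bot: Nothing in this hunk makes the relay consult the client-certificate table the commit now copies into etc-relay/postfix: the context line `smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination` still grants relaying by network only, and `smtpd_tls_security_level=may` without `smtpd_tls_ask_ccert` means connecting clients are never asked for a certificate. For the zntrl/baloghs hosts to be authorised by fingerprint the relay needs `smtpd_tls_ask_ccert = yes`, `relay_clientcerts = hash:/etc/postfix/relay_clientcerts` (after postmap) and `permit_tls_clientcerts` in smtpd_relay_restrictions; these may be set further down in main.cf outside the hunk. Separately, the key moves to `pf-relay.key` while the certificate stays `relay-full-chain.pem`, and ssl/create-postfix-certs in this commit emits `relay.key` and `relay-full-chain.pem` under etc-relay/ssl, so confirm the deployed key and certificate are actually the same pair.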

60
etc-zntrl/postfix/main.cf Normal file

@@ -0,0 +1,60 @@
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
maillog_file = /dev/stdout
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on fresh installs.
compatibility_level = 2
# local domains
myhostname = mta.zntrl.de
mydestination = $mydomain, localhost.$mydomain, localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = zntrl.de
# mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# trusts all hosts in the kopano docker network
mynetworks_style = subnet
# virtual domains
virtual_mailbox_domains = zntrl.de ads64.de
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_alias_maps = hash:/etc/postfix/virtual
# virtual_transport = lmtp:unix:/var/spool/kopano/dagent.sock
virtual_transport = lmtp:dagent:2003
# default outbound transport for all domains, use one relay for all domains
# authenticates to relay.zntrl.de for authorisation to relay mail, see also: SMTP (outbound)
default_transport = smtp:[relay.zntrl.de]:465
# SMTPD (inbound) TLS parameters
smtpd_tls_key_file = /etc/postfix/ssl/private/nuc0.lan.key
smtpd_tls_cert_file = /etc/postfix/ssl/nuc0-full-chain.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_CAfile = /etc/postfix/ssl/certs/balusign-signing-ca.pem
smtpd_tls_security_level=may
smtpd_tls_loglevel = 1
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
# SMTP (outbound)
smtp_tls_key_file = /etc/postfix/ssl/private/nuc0.lan.key
smtp_tls_cert_file = /etc/postfix/ssl/nuc0-full-chain.pem
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_tls_loglevel = 1
mailbox_size_limit = 0
message_size_limit = 50000000
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
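Review bot: The TLS file names `smtpd_tls_key_file = /etc/postfix/ssl/private/nuc0.lan.key` and `smtpd_tls_cert_file = /etc/postfix/ssl/nuc0-full-chain.pem` (repeated for the smtp_ side) do not match what ssl/create-postfix-certs in this commit writes for CN=zntrl, namely `etc-zntrl/ssl/private/zntrl.key` and `etc-zntrl/ssl/zntrl-full-chain.pem`; unless the files are renamed on deployment, smtpd and smtp will fail to load their key pair. Likewise `smtpd_tls_CAfile` points at balusign-signing-ca.pem, whereas the script only distributes kopano-ca.crt into ssl/certs. Outbound delivery to the relay runs with `smtp_tls_security_level = encrypt` and no `smtp_tls_CAfile`, so the relay's certificate is never verified even though its issuing CA is available locally; `smtp_tls_CAfile = /etc/postfix/ssl/certs/kopano-ca.crt` together with `smtp_tls_security_level = verify` (or `secure`) would authenticate the relay before this host presents its own client certificate. Note also that `mynetworks_style = subnet` combined with permit_mynetworks lets every container on the same Docker subnet relay through this instance.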


@@ -0,0 +1,67 @@
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd


@@ -0,0 +1,2 @@
57:6c:b5:f6:49:0e:9d:62:cc:c5:63:80:e5:64:58:ed relay.de
d4:16:18:1e:21:37:45:fa:a9:ad:d7:7f:0c:37:8f:7c zntrl.de


@@ -0,0 +1,3 @@
postmaster@zntrl.de postmaster
abuse@zntrl.de postmaster


@@ -0,0 +1,8 @@
baloan@zntrl.de notused
blu3prince@zntrl.de notused
fafnir@zntrl.de notused
postmaster@zntrl.de notused
andreas@ads64.de notused
postmaster@ads64.de notused
# Comment out the entry below to implement a catch-all.
# @zntrl.de notused


@@ -5,4 +5,6 @@ echo creating keys for $1
export CN=$1 export CN=$1
export SAN=DNS:$CN export SAN=DNS:$CN
openssl req -new -out tmp/$CN.csr -nodes -keyout certs/$CN.key openssl req -new -out tmp/$CN.csr -nodes -keyout certs/$CN.key
openssl ca -batch -in tmp/$CN.csr -passin env:CA_PWD -out certs/$CN.crt -extensions server_ext openssl rsa -in certs/$CN.key -pubout -out certs/$CN-public-key.pem
openssl ca -batch -in tmp/$CN.csr -passin env:CA_PWD -notext -out certs/$CN.crt -extensions server_ext
cat certs/$CN.key certs/$CN.crt >certs/$CN-key-certs.pem
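Review bot: `cat certs/$CN.key certs/$CN.crt >certs/$CN-key-certs.pem` writes the unencrypted private key (the csr step uses `-nodes`) into a second file created with the caller's default umask, so the key ends up group/world-readable unless that umask is already restrictive; add `umask 077` at the top of the script or `chmod 600 certs/$CN.key certs/$CN-key-certs.pem` after the bundle is written. The script also runs without `set -e`, so when the `openssl ca` line fails the bundle is still produced from a missing or stale certificate. The script starts before this hunk, so the umask line would sit outside it.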

12
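--- a/ssl/create-postfix-certs
+++ b/ssl/create-postfix-certs
@@ -0,0 +1,12 @@
+#!/usr/bin/bash
+export CN=$1
+./create-key $CN
+pushd certs
+# The default algorithm is sha256 with Postfix ≥ 3.6 and the compatibility_level set to 3.6 or higher.
+# With Postfix ≤ 3.5, the default algorithm is md5.
+# https://www.postfix.org/postconf.5.html#relay_clientcerts
+openssl x509 -in $CN.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -md5 -c | ( read D FP; echo $FP $CN ) >>relay_clientcerts
+cp $CN.key ~/kopano-docker/etc-$CN/ssl/private
+cp kopano-ca.crt ~/kopano-docker/etc-$CN/ssl/certs
+cat kopano-ca.crt $CN.crt >~/kopano-docker/etc-$CN/ssl/$CN-full-chain.pem
+popd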
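Review bot: The fingerprint appended to relay_clientcerts is computed with `openssl dgst -md5` on the line ending in `>>relay_clientcerts`; the comment above it correctly notes this is only the Postfix default below compatibility_level 3.6, and md5 is a weak digest to base an authorisation table on. Switch to `-sha256` here and set `smtpd_tls_fingerprint_digest = sha256` explicitly on the relay so the digest does not silently change with a Postfix upgrade or compatibility_level bump. The committed relay_clientcerts carries the names `relay.de` and `zntrl.de`, but this script writes `$CN` (`relay`, `zntrl` as invoked from create-ssl), so the committed table appears to have been generated with different arguments. There is no `set -e` or check that `./create-key $CN` succeeded, so a failed key generation still appends a fingerprint and copies whatever files remain, and `cp $CN.key` carries the source permissions into the container tree; `install -m 600 $CN.key ~/kopano-docker/etc-$CN/ssl/private/` would restrict it.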


@@ -3,6 +3,7 @@ export OPENSSL_CONF=./etc/kopano-ca.conf
export CA_PWD=kopano export CA_PWD=kopano
export CA_SUBJ="/DC=de/DC=dts/O=Digital Trust Solutions/OU=Information Security Unit/CN=DTS Signing CA/" export CA_SUBJ="/DC=de/DC=dts/O=Digital Trust Solutions/OU=Information Security Unit/CN=DTS Signing CA/"
# create ssl certificates for docker network # create ssl certificates for docker network
rm certs/*
rm tmp/*.csr rm tmp/*.csr
rm db/*.pem rm db/*.pem
rm db/*.db rm db/*.db
@@ -12,8 +13,9 @@ touch db/kopano-ca.db.attr
echo 01 >db/kopano-ca.crt.srl echo 01 >db/kopano-ca.crt.srl
echo 01 >db/kopano-ca.crl.srl echo 01 >db/kopano-ca.crl.srl
# create signing ca (minimal pki) # create signing ca (minimal pki)
# inject distinguished_name (subj) and req_extensions (-reqexts) because -section req_ca is not yet available (section default: req)
openssl req -new -reqexts ca_reqext -subj "$CA_SUBJ" -out tmp/kopano-ca.csr -passout pass:$CA_PWD -keyout certs/kopano-ca.key openssl req -new -reqexts ca_reqext -subj "$CA_SUBJ" -out tmp/kopano-ca.csr -passout pass:$CA_PWD -keyout certs/kopano-ca.key
openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -out certs/kopano-ca.crt -extensions signing_ca_ext openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -notext -out certs/kopano-ca.crt -extensions signing_ca_ext
# create kopano server ssl key (for encryption) # create kopano server ssl key (for encryption)
./create-key server ./create-key server
@@ -25,3 +27,13 @@ openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -out certs/
./create-key search ./create-key search
./create-key webapp ./create-key webapp
./create-key z-push ./create-key z-push
# create postfix clients ssl key pair (for authentification)
echo >certs/relay_clientcerts
./create-postfix-certs relay
./create-postfix-certs zntrl
./create-postfix-certs baloghs
cp certs/relay_clientcerts ~/kopano-docker/etc-relay/postfix
cp certs/relay_clientcerts ~/kopano-docker/etc-zntrl/postfix
cp certs/relay_clientcerts ~/kopano-docker/etc-baloghs/postfix
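Review bot: With `rm certs/*` added in the first hunk, every run of create-ssl now discards certs/kopano-ca.key and re-issues the CA, so hosts already deployed with the previous kopano-ca.crt (copied out by create-postfix-certs) stop validating the newly issued certificates; if a full rebuild is intended, guard it behind an explicit flag or skip the CA step when certs/kopano-ca.key already exists. `echo >certs/relay_clientcerts` starts the table with a blank line; `: >certs/relay_clientcerts` truncates it cleanly. relay_clientcerts is an smtpd-side table, so the copies into etc-zntrl/postfix and etc-baloghs/postfix only matter if those hosts' smtpd is also meant to accept client-certificate relaying, and the relay still needs `postmap` run on its copy before a `hash:` lookup works.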

15
todo

@@ -1,10 +1,11 @@
complete internal SSL key generation and injection ok - complete internal SSL key generation and injection
complete relay SSL key generation and injection (manual for distribution to relay) ok - complete relay SSL key generation and injection (manual for distribution to relay)
recipe: how to add a domain (dns, postfix virtual domains, webapp, z-push) enable zntrl.de
bareos mysql backup (mysqldump, or database shutdown during backup)
remove all etc volume mounts
kopano server and database tuning
check logging for all containers
remove passwords from gitlab & docker remove passwords from gitlab & docker
add spamd add spamd
check logging for all containers
bareos mysql backup (mysqldump, or database shutdown during backup)
recipe: how to add a domain (dns, postfix virtual domains, webapp, z-push)
kopano server and database tuning
? - remove all etc volume mounts
baloghs.de migration baloghs.de migration