added postfix certificate distribution

2023-10-24 20:57:44 +00:00
parent b17b808404
commit f20896e21c
12 changed files with 184 additions and 17 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,5 @@
 ssl/certs
 ssl/tmp
 ssl/db
+*/ssl
+*/postfix/relay_clientcerts
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -88,7 +88,6 @@ services:
      - 8025:25
    volumes:
      - spool:/var/spool/postfix
-      # - ./etc-zntrl/postfix:/etc/postfix
 networks:
  traefik:
    external: true
@@ -98,4 +97,3 @@ volumes:
  search:
  z-push:
  spool:
-
--- a/etc-relay/postfix/main.cf
+++ b/etc-relay/postfix/main.cf
@@ -33,8 +33,8 @@ default_transport = smtp:

 # SMPTD (inbound) TLS parameters
 smtpd_tls_CApath = /etc/ssl/certs
-smtpd_tls_CAfile = /etc/ssl/certs/balusign-signing-ca.pem
-smtpd_tls_key_file=/etc/ssl/private/relay.de.key
+smtpd_tls_CAfile = /etc/ssl/certs/kopano-ca.crt
+smtpd_tls_key_file=/etc/ssl/private/pf-relay.key
 smtpd_tls_cert_file=/etc/ssl/relay-full-chain.pem
 smtpd_tls_security_level=may
 smtpd_tls_loglevel = 1
@@ -47,7 +47,7 @@ smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination

 # SMTP (outbound)
 smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_key_file=/etc/ssl/private/relay.de.key
+smtp_tls_key_file=/etc/ssl/private/pf-relay.key
 smtp_tls_cert_file=/etc/ssl/relay-full-chain.pem
 smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
--- a/etc-zntrl/postfix/main.cf
+++ b/etc-zntrl/postfix/main.cf
@@ -0,0 +1,60 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+maillog_file = /dev/stdout
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on fresh installs.
+compatibility_level = 2
+
+# local domains
+myhostname = mta.zntrl.de
+mydestination = $mydomain, localhost.$mydomain, localhost
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = zntrl.de
+# mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+# trusts all hosts in the kopano docker network
+mynetworks_style = subnet
+
+# virtual domains
+virtual_mailbox_domains = zntrl.de ads64.de
+virtual_mailbox_maps = hash:/etc/postfix/vmailbox
+virtual_alias_maps = hash:/etc/postfix/virtual
+# virtual_transport = lmtp:unix:/var/spool/kopano/dagent.sock
+virtual_transport = lmtp:dagent:2003
+
+# default outbound transport for all domains, use one relay for all domains
+# authenticates to relay.zntrl.de for authorisation to relay mail, see also: SMTP (outbound)
+default_transport = smtp:[relay.zntrl.de]:465
+
+# SMTPD (inbound) TLS parameters
+smtpd_tls_key_file = /etc/postfix/ssl/private/nuc0.lan.key
+smtpd_tls_cert_file = /etc/postfix/ssl/nuc0-full-chain.pem
+smtpd_tls_CApath = /etc/ssl/certs
+smtpd_tls_CAfile = /etc/postfix/ssl/certs/balusign-signing-ca.pem
+smtpd_tls_security_level=may
+smtpd_tls_loglevel = 1
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+
+# SMTP (outbound)
+smtp_tls_key_file = /etc/postfix/ssl/private/nuc0.lan.key
+smtp_tls_cert_file = /etc/postfix/ssl/nuc0-full-chain.pem
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_wrappermode = yes
+smtp_tls_security_level = encrypt
+smtp_tls_loglevel = 1
+
+mailbox_size_limit = 0
+message_size_limit = 50000000
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
--- a/etc-zntrl/postfix/master.cf
+++ b/etc-zntrl/postfix/master.cf
@@ -0,0 +1,67 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+smtp      inet  n       -       y       -       -       smtpd
+#smtp      inet  n       -       y       -       1       postscreen
+#smtpd     pass  -       -       y       -       -       smtpd
+#dnsblog   unix  -       -       y       -       0       dnsblog
+#tlsproxy  unix  -       -       y       -       0       tlsproxy
+#submission inet n       -       y       -       -       smtpd
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_tls_auth_only=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#smtps     inet  n       -       y       -       -       smtpd
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       y       -       -       qmqpd
+pickup    unix  n       -       y       60      1       pickup
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+relay     unix  -       -       y       -       -       smtp
+        -o syslog_name=postfix/$service_name
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       n       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+postlog   unix-dgram n  -       n       -       1       postlogd
--- a/etc-zntrl/postfix/relay_clientcerts
+++ b/etc-zntrl/postfix/relay_clientcerts
@@ -0,0 +1,2 @@
+57:6c:b5:f6:49:0e:9d:62:cc:c5:63:80:e5:64:58:ed relay.de
+d4:16:18:1e:21:37:45:fa:a9:ad:d7:7f:0c:37:8f:7c zntrl.de
--- a/etc-zntrl/postfix/virtual
+++ b/etc-zntrl/postfix/virtual
@@ -0,0 +1,3 @@
+postmaster@zntrl.de postmaster
+abuse@zntrl.de      postmaster
+
--- a/etc-zntrl/postfix/vmailbox
+++ b/etc-zntrl/postfix/vmailbox
@@ -0,0 +1,8 @@
+baloan@zntrl.de      notused
+blu3prince@zntrl.de  notused
+fafnir@zntrl.de      notused
+postmaster@zntrl.de  notused
+andreas@ads64.de     notused
+postmaster@ads64.de  notused
+# Comment out the entry below to implement a catch-all.
+# @zntrl.de		         notused
--- a/ssl/create-key
+++ b/ssl/create-key
@@ -5,4 +5,6 @@ echo creating keys for $1
 export CN=$1
 export SAN=DNS:$CN
 openssl req -new -out tmp/$CN.csr -nodes -keyout certs/$CN.key
-openssl ca -batch -in tmp/$CN.csr -passin env:CA_PWD -out certs/$CN.crt -extensions server_ext
+openssl rsa -in certs/$CN.key -pubout -out certs/$CN-public-key.pem
+openssl ca -batch -in tmp/$CN.csr -passin env:CA_PWD -notext -out certs/$CN.crt -extensions server_ext
+cat certs/$CN.key certs/$CN.crt >certs/$CN-key-certs.pem
--- a/ssl/create-postfix-certs
+++ b/ssl/create-postfix-certs
@@ -0,0 +1,12 @@
+#!/usr/bin/bash
+export CN=$1
+./create-key $CN
+pushd certs
+# The default algorithm is sha256 with Postfix ≥ 3.6 and the compatibility_level set to 3.6 or higher. 
+# With Postfix ≤ 3.5, the default algorithm is md5.
+# https://www.postfix.org/postconf.5.html#relay_clientcerts
+openssl x509 -in $CN.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -md5 -c | ( read D FP; echo $FP $CN ) >>relay_clientcerts
+cp $CN.key ~/kopano-docker/etc-$CN/ssl/private
+cp kopano-ca.crt ~/kopano-docker/etc-$CN/ssl/certs
+cat kopano-ca.crt $CN.crt >~/kopano-docker/etc-$CN/ssl/$CN-full-chain.pem
+popd
--- a/ssl/mkcerts
+++ b/ssl/mkcerts
@@ -3,6 +3,7 @@ export OPENSSL_CONF=./etc/kopano-ca.conf
 export CA_PWD=kopano
 export CA_SUBJ="/DC=de/DC=dts/O=Digital Trust Solutions/OU=Information Security Unit/CN=DTS Signing CA/"
 # create ssl certificates for docker network
+rm certs/*
 rm tmp/*.csr
 rm db/*.pem
 rm db/*.db
@@ -12,8 +13,9 @@ touch db/kopano-ca.db.attr
 echo 01 >db/kopano-ca.crt.srl
 echo 01 >db/kopano-ca.crl.srl
 # create signing ca (minimal pki)
+# inject distinguished_name (subj) and req_extensions (-reqexts) because -section req_ca is not yet available (section default: req)
 openssl req -new -reqexts ca_reqext -subj "$CA_SUBJ" -out tmp/kopano-ca.csr -passout pass:$CA_PWD -keyout certs/kopano-ca.key
-openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -out certs/kopano-ca.crt -extensions signing_ca_ext
+openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -notext -out certs/kopano-ca.crt -extensions signing_ca_ext

 # create kopano server ssl key (for encryption)
 ./create-key server
@@ -25,3 +27,13 @@ openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -out certs/
 ./create-key search
 ./create-key webapp
 ./create-key z-push
+
+# create postfix clients ssl key pair (for authentification)
+echo >certs/relay_clientcerts
+./create-postfix-certs relay
+./create-postfix-certs zntrl
+./create-postfix-certs baloghs
+
+cp certs/relay_clientcerts ~/kopano-docker/etc-relay/postfix
+cp certs/relay_clientcerts ~/kopano-docker/etc-zntrl/postfix
+cp certs/relay_clientcerts ~/kopano-docker/etc-baloghs/postfix
--- a/15
+++ b/15
@@ -1,10 +1,11 @@
-complete internal SSL key generation and injection
-complete relay SSL key generation and injection (manual for distribution to relay)
-recipe: how to add a domain (dns, postfix virtual domains, webapp, z-push)
-bareos mysql backup (mysqldump, or database shutdown during backup)
-remove all etc volume mounts
-kopano server and database tuning
-check logging for all containers
+ok - complete internal SSL key generation and injection
+ok - complete relay SSL key generation and injection (manual for distribution to relay)
+enable zntrl.de
 remove passwords from gitlab & docker
 add spamd
+check logging for all containers
+bareos mysql backup (mysqldump, or database shutdown during backup)
+recipe: how to add a domain (dns, postfix virtual domains, webapp, z-push)
+kopano server and database tuning
+? - remove all etc volume mounts
 baloghs.de migration