From 3e84641d4841edb5e2b700b9c0456c0cf35ac8f5 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Tue, 12 Mar 2013 17:26:13 +0100
Subject: [PATCH] Current state

---
 passwd                                 |  2 +-
 postfix/canonical                      | 13 ++++++
 postfix/main.cf                        | 13 ++++++
 postfix/postfix.pem                    | 56 ++++++++++++++++++++++++++
 postfix/smtp_auth                      |  2 +
 ssl/CA-fbrehm/postfix/mkcert           | 46 +++++++++++++++++++++
 ssl/CA-fbrehm/postfix/postfix-cert.cnf | 23 +++++++++++
 ssl/CA-fbrehm/postfix/postfix.pem      | 56 ++++++++++++++++++++++++++
 ssl/openssl.cnf                        | 19 ++++-----
 9 files changed, 220 insertions(+), 10 deletions(-)
 create mode 100644 postfix/canonical
 create mode 100644 postfix/postfix.pem
 create mode 100644 postfix/smtp_auth
 create mode 100755 ssl/CA-fbrehm/postfix/mkcert
 create mode 100644 ssl/CA-fbrehm/postfix/postfix-cert.cnf
 create mode 100644 ssl/CA-fbrehm/postfix/postfix.pem

diff --git a/passwd b/passwd
index 8d461f2..4a7c278 100644
--- a/passwd
+++ b/passwd
@@ -1,4 +1,4 @@
-root:x:0:0:root:/root:/bin/bash
+root:x:0:0:root Stralsund:/root:/bin/bash
 bin:x:1:1:bin:/bin:/bin/false
 daemon:x:2:2:daemon:/sbin:/bin/false
 adm:x:3:4:adm:/var/adm:/bin/false
diff --git a/postfix/canonical b/postfix/canonical
new file mode 100644
index 0000000..4dfc962
--- /dev/null
+++ b/postfix/canonical
@@ -0,0 +1,13 @@
+/^root@profitbricks\.com$/ frank.brehm@profitbricks.com
+/^root@profitbricks\.localdomain$/ frank.brehm@profitbricks.com
+/^root@.*dc1\.de\.profitbricks.net$/ frank.brehm@profitbricks.com
+/^ppd@.*dc1\.de\.profitbricks.net$/ frank.brehm@profitbricks.com
+/^vcb@.*dc1\.de\.profitbricks.net$/ frank.brehm@profitbricks.com
+/.*@.*dc1\.de\.profitbricks.net$/ @profitbricks.com
+/^bind@profitbricks\.com$/ frank.brehm@profitbricks.com
+/.*@localhost$/ @profitbricks.com
+/.*@.*profitbricks\.localdomain$/ @profitbricks.com
+/.*@.*\.pb.local$/ @profitbricks.com
+/.*@stralsund.profitbricks.com$/ @profitbricks.com
+/.*@samara.profitbricks.com$/ @profitbricks.com
+ 
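Review bot: The new canonical map escapes `.` inconsistently: the first entries write `profitbricks\.com`, but `/.*@.*dc1\.de\.profitbricks.net$/`, `/.*@.*\.pb.local$/`, `/.*@stralsund.profitbricks.com$/` and `/.*@samara.profitbricks.com$/` leave dots unescaped, and an unescaped `.` matches any single character, so those entries also rewrite addresses whose domain differs from the intended one in that position. For a map that only rewrites to the company domain this is probably harmless, but the intent is clearer and the match tighter with consistent escaping, e.g. `/.*@stralsund\.profitbricks\.com$/ @profitbricks.com` and `/.*@.*\.pb\.local$/ @profitbricks.com`. The file also ends with a whitespace-only line, which is easy to drop.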
diff --git a/postfix/main.cf b/postfix/main.cf
index cdbf0d0..1db1c0d 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -311,6 +311,8 @@ unknown_local_recipient_reject_code = 550
 #relayhost = [mailserver.isp.tld]
 #relayhost = uucphost
 #relayhost = [an.ip.add.ress]
+#relayhost = [mail.pb.local]
+relayhost = [smtp.googlemail.com]
 
 # REJECTING UNKNOWN RELAY USERS
 #
@@ -655,3 +657,14 @@ sample_directory = /etc/postfix
 #
 readme_directory = no
 home_mailbox = .maildir/
+mydomain = pb.local
+canonical_maps = pcre:/etc/postfix/canonical
+myorigin = profitbricks.com
+smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
+smtp_sasl_auth_enable = yes
+smtp_tls_cert_file = /etc/postfix/postfix.pem
+smtp_sasl_security_options = noanonymous
+smtp_tls_enforce_peername = no
+smtp_tls_key_file = /etc/postfix/postfix.pem
+smtp_use_tls = yes
+tls_random_source = dev:/dev/urandom
diff --git a/postfix/postfix.pem b/postfix/postfix.pem
new file mode 100644
index 0000000..ac72b5a
--- /dev/null
+++ b/postfix/postfix.pem
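Review bot: The client TLS settings added in the second hunk leave the relay connection unauthenticated: `smtp_use_tls = yes` is opportunistic STARTTLS and `smtp_tls_enforce_peername = no` switches certificate checking off, while the same hunk enables SASL with `smtp_sasl_security_options = noanonymous`, which still permits PLAIN/LOGIN, against the `relayhost = [smtp.googlemail.com]` set in the first hunk. An impersonated relay, or one that simply does not offer STARTTLS, therefore receives the account password in the clear. The modern `smtp_tls_security_level` parameter overrides both legacy lines, so they can be dropped in favour of a mandatory, verified session, and the SASL options should allow plaintext mechanisms only inside TLS, as below. `smtp_tls_cert_file`/`smtp_tls_key_file` pointing at a file that also holds the DH block is fine for Postfix and needs no change.
```ini
# … unchanged: mydomain, canonical_maps, myorigin, smtp_sasl_password_maps, smtp_sasl_auth_enable …
smtp_tls_security_level = secure
smtp_tls_CAfile = <path to the CA bundle used to verify the relay>
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
# … unchanged: smtp_tls_cert_file, smtp_tls_key_file, tls_random_source …
```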
@@ -0,0 +1,56 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDVyqLn5YIkyll4 +zLi5GBRf8cr4rWV6iUFnlSH/RdLR9XXGXFlMInsx3hc3v4jkUS6zyIOzDuxV7jlA +eKdT820lRYapZ9qd+Wsdu4o9MvsJyCvBF22LqFiz4xi6Ir5j3+ZmhHz3mS67Q+rj +VAHODJXOW6tbDzI9cODDWU2rN5I2ilGD/86Dm124pXk5WVrXULE2ovr7IYf7zoja +9rb53GHwMy5AxJ34eyyV5aKK9I7nRTtMT6zs9AiiMQuS6+/Qxhph1rWn+AHJs44W +EsQW8RIsehKY8pSHhgw1MVlq1kuCdbkAHrDDeNsqEkHUe6D2byzyVs/5QZGuMYNf +VFPxWOd/AgMBAAECggEBAIRndvS/gxZd64OQ5mZbr2KsUNQqL0rwbn1EM0XxbFtz +9XjgAL3SLRH5Rc/U42bjkFTvvgDLITsmynZPQvIPNG183aVVGGP18Iz9dOPqCudH +/TEc3U8895KQ9uNwWRFpvTuImgyN5g88ROB9SpDd4nlm9Hz0sFy0576UNDHxvK/h +YAhaoyTI5bIOQBEY2dZ4dgKc1rqzOG4G8eMiQo3ePavcsvEeo+a4I8qKoquysP+o +JfDajQogSLPRApaxgHxP+OtvtSV2pflvjCVujhdsQLnbb5CnwVf6SYWlFNFEnlbr +N4epOb+fdpVYT6wofw+8x9cStYs01L5+SxifarjDi8ECgYEA9CVqa+fDWC9vUNsy +spgqF93uCv16xNOAwOKa5de5WXZyzYf6TnOM9Djm1eiV0oSiD9761w/ok3RsWS+O +7EXAFdZOqrRYPtad3U1r5Bjr2w/NezeTgCIeuayJo/iWKrRv7ozb59XFiSZHbTLn ++tdYJ5O+PnrAPJ+H9GTg9Fc1ovkCgYEA4CvujFDwM2JIiU1eKwN4KWkjYdPcE7TI +mNqwMp4u+CoQHALtwEjvdz4Ze+/QnaQzXoj0RYX4fijjaSZb1U/VRG3Ouyt1GkRd +B1BEQd5rMMQk5mwy8PnhHoMDOXsSVvmCAO1QjRRk8dyK8aq73ntallZHjb+H6tjN +4OEA/Rs/BDcCgYEArxUd6l/8EIOD2oI3KyhAF3mJucvpfLkIPkrDNkyrmOJ+lbIL +6LKoxIMB1yjCOIPxDFylmhDIguYcxSB76ChlBcP4Cibmmbmi4A8jbiIJEcGVY+WJ +G3xceF6pHjOozNs04eeV0/3TePVAh6jX/2TqzQcAiSHSNidZggPN5qubxVECgYBd +VS0usowveJ4mvFWWpw0igKnAk0qv0bcrHPH7QSzhGfI3F2kRg8xf4zUNCt3apIDW +vUKmp468SB3Wq6fUejabFPTbrM5Gr2vkHaEto4MRfLi4TxguiHsYDwgKqJkMKTnd +VPESrAkTQfV/hMxPZyBiM237MGFQgA/HryaQOwXTpQKBgQCC1qQSJCDe2CwY5RAl +/uKu1d83HCgV8wpf6gkmIwprJXGoGOl4p27ZZC8jhWjpoe3RBCXyQUcWJTbP1WNy +1slOb2tqCjEnq31WFnuvs67cil3VWqGaBNqde+WGpcVSeBr1BjtPE23qGkifNBiJ +qV515M5fmXRyfi0ffyMxOBN5KQ== +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIID7jCCAtagAwIBAgIJAIy3wz5uAaVaMA0GCSqGSIb3DQEBBQUAMIGqMQswCQYD +VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV +BAoTBkJlcmxpbjEeMBwGA1UECxMVTG9jYWwgUG9zdGZpeCBTU0wga2V5MRswGQYD 
+VQQDExJzdHJhbHN1bmQucGIubG9jYWwxKzApBgkqhkiG9w0BCQEWHGZyYW5rLmJy +ZWhtQHByb2ZpdGJyaWNrcy5jb20wHhcNMTMwMzEyMTYxNzQxWhcNMjMwMzEwMTYx +NzQxWjCBqjELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMG +QmVybGluMQ8wDQYDVQQKEwZCZXJsaW4xHjAcBgNVBAsTFUxvY2FsIFBvc3RmaXgg +U1NMIGtleTEbMBkGA1UEAxMSc3RyYWxzdW5kLnBiLmxvY2FsMSswKQYJKoZIhvcN +AQkBFhxmcmFuay5icmVobUBwcm9maXRicmlja3MuY29tMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA1cqi5+WCJMpZeMy4uRgUX/HK+K1leolBZ5Uh/0XS +0fV1xlxZTCJ7Md4XN7+I5FEus8iDsw7sVe45QHinU/NtJUWGqWfanflrHbuKPTL7 +CcgrwRdti6hYs+MYuiK+Y9/mZoR895kuu0Pq41QBzgyVzlurWw8yPXDgw1lNqzeS +NopRg//Og5tduKV5OVla11CxNqL6+yGH+86I2va2+dxh8DMuQMSd+HssleWiivSO +50U7TE+s7PQIojELkuvv0MYaYda1p/gBybOOFhLEFvESLHoSmPKUh4YMNTFZatZL +gnW5AB6ww3jbKhJB1Hug9m8s8lbP+UGRrjGDX1RT8VjnfwIDAQABoxUwEzARBglg +hkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADggEBAKV21eXL5S6bdXW1pxdF +RbXZT2iakpO/cLjmlkcWTkgquyOnpcJRhD/wXNJmkD8ZaobxLnpemQ7ve1RjOOCb +Dvkzz28A3yyJ316k01Pa2O7yHA+XnlYdNYnYonW9NA5dur3Zc48SYp8+6RC3kqzQ +pmuK4CFi5MN6t6kNF0Sze+qRlrcArtXuW/7fxGk1SZ5rutfGzzSzYT2BVK3DvQFB +FsRJBLg3xJodZ4KO5gvbB2xraYgV5vDVr/HsbMCotF7UAcHT5gpLP5Kg23aDR90F +xmHeuemL7ZV1vOgX4EEE2lV5OHrw9lfzjTOpd9sziKsUVQyJzbI1Q7mt2xEIPxfX +YoM= +-----END CERTIFICATE----- +-----BEGIN DH PARAMETERS----- +MEYCQQDPOMC0amsMEDcf47cl1l+MbVjeXkzw1QGq2sZCuMXaysftE1ZJRcVqzreS +MyK0pOrAp4ucU6fzy75K6hbBQnJTAgEC +-----END DH PARAMETERS----- diff --git a/postfix/smtp_auth b/postfix/smtp_auth new file mode 100644 index 0000000..5975def --- /dev/null +++ b/postfix/smtp_auth @@ -0,0 +1,2 @@ +mail.brehm-online.com vmail:uhu +smtp.googlemail.com frank.brehm@profitbricks.com:EMsiWgsus diff --git a/ssl/CA-fbrehm/postfix/mkcert b/ssl/CA-fbrehm/postfix/mkcert new file mode 100755 index 0000000..e168ac9 --- /dev/null +++ b/ssl/CA-fbrehm/postfix/mkcert 
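Review bot: The postfix/postfix.pem hunk commits an unencrypted PRIVATE KEY block to the repository, and the identical blob (index ac72b5a) is committed a second time as ssl/CA-fbrehm/postfix/postfix.pem later in this patch. Once it is in history, everyone with read access to the repository holds the key, so the practical remedy is to treat this key pair as exposed, regenerate it with the mkcert script outside version control, and keep both paths out of the tree (a .gitignore entry for `*.pem` under these directories) rather than tracking generated key material. The DH PARAMETERS block at the end is the group produced by `gendh ... 512` in mkcert; a 512-bit DH group is far below current minimums and should be regenerated at 2048 bits together with the key.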
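Review bot: postfix/smtp_auth places what appear to be two live SMTP account passwords into version control in clear text, and main.cf reads them through `smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth`, so the committed file is the source of truth for those secrets. Anything already pushed should be considered compromised and rotated; going forward keep the file out of the repository and document its expected format instead, e.g. a README line `# smtp_auth: one "relayhost user:password" per line, root-owned, mode 0600`. Note also that the `hash:` table only changes after `postmap /etc/postfix/smtp_auth` is rerun, which the commit does not mention anywhere.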
@@ -0,0 +1,46 @@
+#!/bin/bash
+#
+# This is a short script to quickly generate a self-signed X.509 key for
+# Postfix over SSL. Normally this script would get called by an automatic
+# package installation routine.
+
+test -x /usr/bin/openssl || exit 0
+
+CADir="/etc/ssl/CA-fbrehm/postfix"
+prefix="/usr"
+pemfile="$CADir/postfix.pem"
+randfile="$CADir/postfix.rand"
+conffile="$CADir/postfix-cert.cnf"
+pemfile_orig="/etc/postfix/postfix.pem"
+days=3650
+
+if [ -f $pemfile ]; then
+    echo "$pemfile already exists."
+    exit 1
+fi
+
+if [ ! -f $conffile ] ; then
+    echo "$conffile does not exists!"
+    exit 2
+fi
+
+cp /dev/null $pemfile
+chmod 600 $pemfile
+chown root $pemfile
+
+cleanup() {
+    rm -f $pemfile
+    rm -f $randfile
+    exit 1
+}
+
+dd if=/dev/urandom of=$randfile count=1 2>/dev/null
+/usr/bin/openssl req -new -x509 -days $days -nodes \
+    -config $conffile -out $pemfile -keyout $pemfile || cleanup
+/usr/bin/openssl gendh -rand $randfile 512 >> $pemfile || cleanup
+/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in $pemfile || cleanup
+rm -f $randfile
+cp -pv $pemfile $pemfile_orig
+
+
+# vim: ts=4 et
diff --git a/ssl/CA-fbrehm/postfix/postfix-cert.cnf b/ssl/CA-fbrehm/postfix/postfix-cert.cnf
new file mode 100644
index 0000000..7be4e6e
--- /dev/null
+++ b/ssl/CA-fbrehm/postfix/postfix-cert.cnf
@@ -0,0 +1,23 @@
+
+RANDFILE = /usr/share/postfix.rand
+
+[ req ]
+default_bits = 2048
+encrypt_key = yes
+distinguished_name = req_dn
+x509_extensions = cert_type
+prompt = no
+
+[ req_dn ]
+C=DE
+ST=Berlin
+L=Berlin
+O=Berlin
+OU=Local Postfix SSL key
+CN=stralsund.pb.local
+emailAddress=frank.brehm@profitbricks.com
+
+
+[ cert_type ]
+nsCertType = server
+
diff --git a/ssl/CA-fbrehm/postfix/postfix.pem b/ssl/CA-fbrehm/postfix/postfix.pem
new file mode 100644
index 0000000..ac72b5a
--- /dev/null
+++ b/ssl/CA-fbrehm/postfix/postfix.pem
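Review bot: `/usr/bin/openssl gendh -rand $randfile 512 >> $pemfile || cleanup` appends a 512-bit DH group to the file that main.cf loads as its TLS key and certificate; 512-bit DH is far below current minimums and should be at least 2048 bits, e.g. `/usr/bin/openssl dhparam -rand "$randfile" 2048 >> "$pemfile" || cleanup`. The `-nodes` flag on the `req` call silently overrides `encrypt_key = yes` in postfix-cert.cnf, which is the right choice for a daemon key but deserves a line such as `# -nodes: Postfix must load the key without a passphrase` above the call. None of the `$pemfile`, `$conffile` and `$randfile` expansions are quoted, so a path containing whitespace breaks the `[ -f ... ]` tests and the `rm -f` in cleanup, and `prefix="/usr"` is assigned but never used.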
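Review bot: The `[ cert_type ]` section sets only the legacy Netscape extension `nsCertType = server` and no `subjectAltName`, so clients that require a SAN will not associate the certificate with `stralsund.pb.local`; add `subjectAltName = DNS:stralsund.pb.local` and `extendedKeyUsage = serverAuth` next to it. `encrypt_key = yes` is misleading as written because mkcert passes `-nodes`, so either drop it or annotate it with `# overridden by -nodes in mkcert`. `O=Berlin` looks like a copy of the `L=`/`ST=` values rather than an organisation name (openssl.cnf in this same patch uses `ProfitBricks GmbH`), and `RANDFILE = /usr/share/postfix.rand` points into a read-mostly share directory instead of the `$CADir` that mkcert already uses for its own rand file.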
@@ -0,0 +1,56 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDVyqLn5YIkyll4 +zLi5GBRf8cr4rWV6iUFnlSH/RdLR9XXGXFlMInsx3hc3v4jkUS6zyIOzDuxV7jlA +eKdT820lRYapZ9qd+Wsdu4o9MvsJyCvBF22LqFiz4xi6Ir5j3+ZmhHz3mS67Q+rj +VAHODJXOW6tbDzI9cODDWU2rN5I2ilGD/86Dm124pXk5WVrXULE2ovr7IYf7zoja +9rb53GHwMy5AxJ34eyyV5aKK9I7nRTtMT6zs9AiiMQuS6+/Qxhph1rWn+AHJs44W +EsQW8RIsehKY8pSHhgw1MVlq1kuCdbkAHrDDeNsqEkHUe6D2byzyVs/5QZGuMYNf +VFPxWOd/AgMBAAECggEBAIRndvS/gxZd64OQ5mZbr2KsUNQqL0rwbn1EM0XxbFtz +9XjgAL3SLRH5Rc/U42bjkFTvvgDLITsmynZPQvIPNG183aVVGGP18Iz9dOPqCudH +/TEc3U8895KQ9uNwWRFpvTuImgyN5g88ROB9SpDd4nlm9Hz0sFy0576UNDHxvK/h +YAhaoyTI5bIOQBEY2dZ4dgKc1rqzOG4G8eMiQo3ePavcsvEeo+a4I8qKoquysP+o +JfDajQogSLPRApaxgHxP+OtvtSV2pflvjCVujhdsQLnbb5CnwVf6SYWlFNFEnlbr +N4epOb+fdpVYT6wofw+8x9cStYs01L5+SxifarjDi8ECgYEA9CVqa+fDWC9vUNsy +spgqF93uCv16xNOAwOKa5de5WXZyzYf6TnOM9Djm1eiV0oSiD9761w/ok3RsWS+O +7EXAFdZOqrRYPtad3U1r5Bjr2w/NezeTgCIeuayJo/iWKrRv7ozb59XFiSZHbTLn ++tdYJ5O+PnrAPJ+H9GTg9Fc1ovkCgYEA4CvujFDwM2JIiU1eKwN4KWkjYdPcE7TI +mNqwMp4u+CoQHALtwEjvdz4Ze+/QnaQzXoj0RYX4fijjaSZb1U/VRG3Ouyt1GkRd +B1BEQd5rMMQk5mwy8PnhHoMDOXsSVvmCAO1QjRRk8dyK8aq73ntallZHjb+H6tjN +4OEA/Rs/BDcCgYEArxUd6l/8EIOD2oI3KyhAF3mJucvpfLkIPkrDNkyrmOJ+lbIL +6LKoxIMB1yjCOIPxDFylmhDIguYcxSB76ChlBcP4Cibmmbmi4A8jbiIJEcGVY+WJ +G3xceF6pHjOozNs04eeV0/3TePVAh6jX/2TqzQcAiSHSNidZggPN5qubxVECgYBd +VS0usowveJ4mvFWWpw0igKnAk0qv0bcrHPH7QSzhGfI3F2kRg8xf4zUNCt3apIDW +vUKmp468SB3Wq6fUejabFPTbrM5Gr2vkHaEto4MRfLi4TxguiHsYDwgKqJkMKTnd +VPESrAkTQfV/hMxPZyBiM237MGFQgA/HryaQOwXTpQKBgQCC1qQSJCDe2CwY5RAl +/uKu1d83HCgV8wpf6gkmIwprJXGoGOl4p27ZZC8jhWjpoe3RBCXyQUcWJTbP1WNy +1slOb2tqCjEnq31WFnuvs67cil3VWqGaBNqde+WGpcVSeBr1BjtPE23qGkifNBiJ +qV515M5fmXRyfi0ffyMxOBN5KQ== +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIID7jCCAtagAwIBAgIJAIy3wz5uAaVaMA0GCSqGSIb3DQEBBQUAMIGqMQswCQYD +VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV +BAoTBkJlcmxpbjEeMBwGA1UECxMVTG9jYWwgUG9zdGZpeCBTU0wga2V5MRswGQYD 
+VQQDExJzdHJhbHN1bmQucGIubG9jYWwxKzApBgkqhkiG9w0BCQEWHGZyYW5rLmJy +ZWhtQHByb2ZpdGJyaWNrcy5jb20wHhcNMTMwMzEyMTYxNzQxWhcNMjMwMzEwMTYx +NzQxWjCBqjELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMG +QmVybGluMQ8wDQYDVQQKEwZCZXJsaW4xHjAcBgNVBAsTFUxvY2FsIFBvc3RmaXgg +U1NMIGtleTEbMBkGA1UEAxMSc3RyYWxzdW5kLnBiLmxvY2FsMSswKQYJKoZIhvcN +AQkBFhxmcmFuay5icmVobUBwcm9maXRicmlja3MuY29tMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEA1cqi5+WCJMpZeMy4uRgUX/HK+K1leolBZ5Uh/0XS +0fV1xlxZTCJ7Md4XN7+I5FEus8iDsw7sVe45QHinU/NtJUWGqWfanflrHbuKPTL7 +CcgrwRdti6hYs+MYuiK+Y9/mZoR895kuu0Pq41QBzgyVzlurWw8yPXDgw1lNqzeS +NopRg//Og5tduKV5OVla11CxNqL6+yGH+86I2va2+dxh8DMuQMSd+HssleWiivSO +50U7TE+s7PQIojELkuvv0MYaYda1p/gBybOOFhLEFvESLHoSmPKUh4YMNTFZatZL +gnW5AB6ww3jbKhJB1Hug9m8s8lbP+UGRrjGDX1RT8VjnfwIDAQABoxUwEzARBglg +hkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADggEBAKV21eXL5S6bdXW1pxdF +RbXZT2iakpO/cLjmlkcWTkgquyOnpcJRhD/wXNJmkD8ZaobxLnpemQ7ve1RjOOCb +Dvkzz28A3yyJ316k01Pa2O7yHA+XnlYdNYnYonW9NA5dur3Zc48SYp8+6RC3kqzQ +pmuK4CFi5MN6t6kNF0Sze+qRlrcArtXuW/7fxGk1SZ5rutfGzzSzYT2BVK3DvQFB +FsRJBLg3xJodZ4KO5gvbB2xraYgV5vDVr/HsbMCotF7UAcHT5gpLP5Kg23aDR90F +xmHeuemL7ZV1vOgX4EEE2lV5OHrw9lfzjTOpd9sziKsUVQyJzbI1Q7mt2xEIPxfX +YoM= +-----END CERTIFICATE----- +-----BEGIN DH PARAMETERS----- +MEYCQQDPOMC0amsMEDcf47cl1l+MbVjeXkzw1QGq2sZCuMXaysftE1ZJRcVqzreS +MyK0pOrAp4ucU6fzy75K6hbBQnJTAgEC +-----END DH PARAMETERS----- diff --git a/ssl/openssl.cnf b/ssl/openssl.cnf index 18760c6..9333270 100644 --- a/ssl/openssl.cnf +++ b/ssl/openssl.cnf @@ -39,7 +39,7 @@ default_ca = CA_default # The default ca section #################################################################### [ CA_default ] -dir = ./demoCA # Where everything is kept +dir = /etc/ssl/CA-fbrehm # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. 
@@ -70,7 +70,7 @@ cert_opt = ca_default # Certificate field options
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions = crl_ext
 
-default_days = 365 # how long to certify for
+default_days = 3650 # how long to certify for
 default_crl_days= 30 # how long before next CRL
 default_md = default # use public key default MD
 preserve = no # keep passed DN ordering
@@ -83,8 +83,8 @@ policy = policy_match
 # For the CA policy
 [ policy_match ]
 countryName = match
-stateOrProvinceName = match
-organizationName = match
+stateOrProvinceName = optional
+organizationName = optional
 organizationalUnitName = optional
 commonName = supplied
 emailAddress = optional
@@ -103,7 +103,7 @@ emailAddress = optional
 
 ####################################################################
 [ req ]
-default_bits = 1024
+default_bits = 2048
 default_keyfile = privkey.pem
 distinguished_name = req_distinguished_name
 attributes = req_attributes
@@ -126,24 +126,25 @@ string_mask = utf8only
 
 [ req_distinguished_name ]
 countryName = Country Name (2 letter code)
-countryName_default = AU
+countryName_default = DE
 countryName_min = 2
 countryName_max = 2
 
 stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Some-State
+stateOrProvinceName_default = Berlin
 
 localityName = Locality Name (eg, city)
+localityName_default = Berlin
 
 0.organizationName = Organization Name (eg, company)
-0.organizationName_default = Internet Widgits Pty Ltd
+0.organizationName_default = ProfitBricks GmbH
 
 # we can do this but it is not needed normally :-)
 #1.organizationName = Second Organization Name (eg, company)
 #1.organizationName_default = World Wide Web Pty Ltd
 
 organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
+organizationalUnitName_default = storage department
 
 commonName = Common Name (e.g. server FQDN or YOUR name)
 commonName_max = 64
-- 
2.39.5
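Review bot: `default_days = 3650` makes every certificate this CA issues valid for ten years, while `default_crl_days= 30` on the next line still expects a fresh CRL every month for that whole period; a leaked or retired key therefore stays trusted for a very long time unless revocation is actually maintained. If ten years is a deliberate choice for an internal CA, say so in the trailing comment rather than keeping the stock text, e.g. `default_days = 3650 # 10 years: internal CA, no automated renewal`; otherwise a shorter default bounds the exposure.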
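Review bot: Relaxing `stateOrProvinceName` and `organizationName` to `optional` in `[ policy_match ]` leaves `countryName = match` as the only constraint, so the CA will now sign requests whose state and organisation differ from its own. If the aim is to accept arbitrary subjects, switching the `policy` line to the stock `policy_anything` section states that explicitly; if the aim is only to get the local Postfix certificate (`O=Berlin` in postfix-cert.cnf) past the check, fixing that organisation name would let both fields stay at `match`. A one-line comment above the section recording which of the two is intended would avoid the question being reopened later.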