
IMAP client authentication certificates

Bob Mottram 9 lat temu
rodzic
commit
05c8d2c2ce

+ 4
- 0
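--- a/Makefile
+++ b/Makefile
@@ -17,6 +17,7 @@ install:
 	install -m 755 src/${APP}-config ${DESTDIR}${PREFIX}/bin
 	install -m 755 src/${APP}-sec ${DESTDIR}${PREFIX}/bin
 	install -m 755 src/${APP}-addcert ${DESTDIR}${PREFIX}/bin
+	install -m 755 src/${APP}-clientcert ${DESTDIR}${PREFIX}/bin
 	install -m 755 src/${APP}-addlist ${DESTDIR}${PREFIX}/bin
 	install -m 755 src/${APP}-addemail ${DESTDIR}${PREFIX}/bin
 	install -m 755 src/${APP}-renew-cert ${DESTDIR}${PREFIX}/bin
@@ -35,6 +36,7 @@ install:
 	install -m 644 man/${APP}-config.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 	install -m 644 man/${APP}-sec.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 	install -m 644 man/${APP}-addcert.1.gz ${DESTDIR}${PREFIX}/share/man/man1
+	install -m 644 man/${APP}-clientcert.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 	install -m 644 man/${APP}-addlist.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 	install -m 644 man/${APP}-addemail.1.gz ${DESTDIR}${PREFIX}/share/man/man1
 	install -m 644 man/${APP}-renew-cert.1.gz ${DESTDIR}${PREFIX}/share/man/man1
@@ -52,6 +54,7 @@ uninstall:
 	rm -f ${PREFIX}/share/man/man1/${APP}-remote.1.gz
 	rm -f ${PREFIX}/share/man/man1/${APP}-config.1.gz
 	rm -f ${PREFIX}/share/man/man1/${APP}-sec.1.gz
+	rm -f ${PREFIX}/share/man/man1/${APP}-clientcert.1.gz
 	rm -f ${PREFIX}/share/man/man1/${APP}-addcert.1.gz
 	rm -f ${PREFIX}/share/man/man1/${APP}-addlist.1.gz
 	rm -f ${PREFIX}/share/man/man1/${APP}-addemail.1.gz
@@ -71,6 +74,7 @@ uninstall:
 	rm -f ${PREFIX}/bin/${APP}-config
 	rm -f ${PREFIX}/bin/${APP}-sec
 	rm -f ${PREFIX}/bin/${APP}-addcert
+	rm -f ${PREFIX}/bin/${APP}-clientcert
 	rm -f ${PREFIX}/bin/${APP}-addlist
 	rm -f ${PREFIX}/bin/${APP}-addemail
 	rm -f ${PREFIX}/bin/${APP}-renew-cert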
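Review bot: The two uninstall lines added in the `uninstall:` hunks remove `${PREFIX}/...` while the matching install lines write to `${DESTDIR}${PREFIX}/...`, so a staged (`DESTDIR`) install of the new script and man page cannot be removed by the same target. The new lines copy the asymmetry already present in the surrounding lines, so this is a pre-existing pattern rather than a regression. Keeping the pair symmetric would mean `rm -f ${DESTDIR}${PREFIX}/bin/${APP}-clientcert` and `rm -f ${DESTDIR}${PREFIX}/share/man/man1/${APP}-clientcert.1.gz`, with the neighbouring lines changed the same way.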

+ 1
- 0
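--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -4,6 +4,7 @@ man/freedombone-client.1.gz
 man/freedombone-remote.1.gz
 man/freedombone-config.1.gz
 man/freedombone-sec.1.gz
+man/freedombone-clientcert.1.gz
 man/freedombone-addcert.1.gz
 man/freedombone-addlist.1.gz
 man/freedombone-addemail.1.gz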

BIN
man/freedombone-addcert.1.gz Wyświetl plik


BIN
man/freedombone-addemail.1.gz Wyświetl plik


BIN
man/freedombone-addlist.1.gz Wyświetl plik


BIN
man/freedombone-addxmpp.1.gz Wyświetl plik


BIN
man/freedombone-client.1.gz Wyświetl plik


BIN
man/freedombone-clientcert.1.gz Wyświetl plik


BIN
man/freedombone-config.1.gz Wyświetl plik


BIN
man/freedombone-ignore.1.gz Wyświetl plik


BIN
man/freedombone-prep.1.gz Wyświetl plik


BIN
man/freedombone-remote.1.gz Wyświetl plik


BIN
man/freedombone-renew-cert.1.gz Wyświetl plik


BIN
man/freedombone-rmemail.1.gz Wyświetl plik


BIN
man/freedombone-rmlist.1.gz Wyświetl plik


BIN
man/freedombone-rmxmpp.1.gz Wyświetl plik


BIN
man/freedombone-sec.1.gz Wyświetl plik


BIN
man/freedombone-unignore.1.gz Wyświetl plik


BIN
man/freedombone-xmpp-pass.1.gz Wyświetl plik


BIN
man/freedombone.1.gz Wyświetl plik


+ 65
- 18
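--- a/src/freedombone
+++ b/src/freedombone
@@ -5655,28 +5655,74 @@ function configure_imap {
   sed -i 's/auth_mechanisms =.*/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf
   sed -i 's|mail_location =.*|mail_location = maildir:~/Maildir:LAYOUT=fs|g' /etc/dovecot/conf.d/10-mail.conf
 
-  # enable login via client certs
-  # http://strange.systems/certificate-based-auth-with-dovecot-sendmail/
-  #sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
-  #sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
-  #sed -i 's|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/dovecot-ca.pem|g' /etc/dovecot/conf.d/10-ssl.conf
-  #sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf
-  #if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then
-    #echo '' >> /etc/dovecot/conf.d/10-auth.conf
-    #echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf
-    #echo '  driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
-    #echo '  args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
-    #echo '  deny = no' >> /etc/dovecot/conf.d/10-auth.conf
-    #echo '  master = no' >> /etc/dovecot/conf.d/10-auth.conf
-    #echo '  pass = no' >> /etc/dovecot/conf.d/10-auth.conf
-    #echo '}' >> /etc/dovecot/conf.d/10-auth.conf
-  #fi
-  #echo "$MY_USERNAME:{plain}::::::nopassword" > /etc/dovecot/passwd-file
-  #freedombone-addcert -h dovecot-ca --ca
   service dovecot restart
   echo 'configure_imap' >> $COMPLETION_FILE
 }
 
+function configure_imap_client_certs {
+  if grep -Fxq "configure_imap_client_certs" $COMPLETION_FILE; then
+      return
+  fi
+  # http://strange.systems/certificate-based-auth-with-dovecot-sendmail/
+  sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
+  sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
+  sed -i 's|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/dovecot-ca.crt|g' /etc/dovecot/conf.d/10-ssl.conf
+  sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf
+  if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then
+    echo '' >> /etc/dovecot/conf.d/10-auth.conf
+    echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf
+    echo '  driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
+    echo '  args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
+    echo '  deny = no' >> /etc/dovecot/conf.d/10-auth.conf
+    echo '  master = no' >> /etc/dovecot/conf.d/10-auth.conf
+    echo '  pass = no' >> /etc/dovecot/conf.d/10-auth.conf
+    echo '}' >> /etc/dovecot/conf.d/10-auth.conf
+  fi
+  # make a CA cert
+  if [ ! -f /etc/ssl/private/dovecot-ca.key ]; then
+	  freedombone-addcert -h dovecot-ca --ca
+  fi
+  # CA configuration
+  echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf
+  echo 'default_ca = dovecot-ca' >> /etc/ssl/dovecot-ca.cnf
+  echo '' >> /etc/ssl/dovecot-ca.cnf
+  echo '[ crl_ext ]' >> /etc/ssl/dovecot-ca.cnf
+  echo 'authorityKeyIdentifier=keyid:always' >> /etc/ssl/dovecot-ca.cnf
+  echo '' >> /etc/ssl/dovecot-ca.cnf
+  echo '[ dovecot-ca ]' >> /etc/ssl/dovecot-ca.cnf
+  echo 'new_certs_dir = .' >> /etc/ssl/dovecot-ca.cnf
+  echo 'unique_subject = no' >> /etc/ssl/dovecot-ca.cnf
+  echo 'certificate = /etc/ssl/certs/dovecot-ca.crt' >> /etc/ssl/dovecot-ca.cnf
+  echo 'database = ssldb' >> /etc/ssl/dovecot-ca.cnf
+  echo 'private_key = /etc/ssl/private/dovecot-ca.key' >> /etc/ssl/dovecot-ca.cnf
+  echo 'serial = sslserial' >> /etc/ssl/dovecot-ca.cnf
+  echo 'default_days = 3650' >> /etc/ssl/dovecot-ca.cnf
+  echo 'default_md = sha256' >> /etc/ssl/dovecot-ca.cnf
+  echo 'default_bits = 2048' >> /etc/ssl/dovecot-ca.cnf
+  echo 'policy = dovecot-ca_policy' >> /etc/ssl/dovecot-ca.cnf
+  echo 'x509_extensions = dovecot-ca_extensions' >> /etc/ssl/dovecot-ca.cnf
+  echo '' >> /etc/ssl/dovecot-ca.cnf
+  echo '[ dovecot-ca_policy ]' >> /etc/ssl/dovecot-ca.cnf
+  echo 'commonName = supplied' >> /etc/ssl/dovecot-ca.cnf
+  echo 'stateOrProvinceName = supplied' >> /etc/ssl/dovecot-ca.cnf
+  echo 'countryName = supplied' >> /etc/ssl/dovecot-ca.cnf
+  echo 'emailAddress = optional' >> /etc/ssl/dovecot-ca.cnf
+  echo 'organizationName = supplied' >> /etc/ssl/dovecot-ca.cnf
+  echo 'organizationalUnitName = optional' >> /etc/ssl/dovecot-ca.cnf
+  echo '' >> /etc/ssl/dovecot-ca.cnf
+  echo '[ dovecot-ca_extensions ]' >> /etc/ssl/dovecot-ca.cnf
+  echo 'basicConstraints = CA:false' >> /etc/ssl/dovecot-ca.cnf
+  echo 'subjectKeyIdentifier = hash' >> /etc/ssl/dovecot-ca.cnf
+  echo 'authorityKeyIdentifier = keyid:always' >> /etc/ssl/dovecot-ca.cnf
+  echo 'keyUsage = digitalSignature,keyEncipherment' >> /etc/ssl/dovecot-ca.cnf
+  echo 'extendedKeyUsage = clientAuth' >> /etc/ssl/dovecot-ca.cnf
+  touch /etc/ssl/ssldb
+  echo 0001 > /etc/ssl/sslserial
+  freedombone-clientcert -u $MY_USERNAME
+  service dovecot restart
+  echo 'configure_imap_client_certs' >> $COMPLETION_FILE
+}
+
 function configure_gpg {
   if grep -Fxq "configure_gpg" $COMPLETION_FILE; then
       return
@@ -9153,6 +9199,7 @@ configure_email
 create_procmail
 spam_filtering
 configure_imap
+configure_imap_client_certs
 configure_gpg
 encrypt_incoming_email
 encrypt_outgoing_email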
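Review bot: In the `configure_imap_client_certs` hunk the CA config is written with relative paths (`new_certs_dir = .`, `database = ssldb`, `serial = sslserial`) while the files themselves are created under /etc/ssl, so `openssl ca -config /etc/ssl/dovecot-ca.cnf` in freedombone-clientcert only finds its index and serial when the caller's working directory happens to be /etc/ssl, and otherwise fails or writes copies of issued certificates into whatever directory it was run from; write them as `database = /etc/ssl/ssldb`, `serial = /etc/ssl/sslserial` and an absolute `new_certs_dir` that the function creates. Re-running the function after a partial failure also resets `sslserial` to `0001`, which would reuse serial numbers of certificates already issued, so the `touch`/`echo` pair should be guarded with `[ ! -f ... ]` the way the CA key is. The `nopassword` passwd-file entries that freedombone-clientcert adds make the client certificate the only credential for those users, so this setup is only as strong as `auth_ssl_require_client_cert` on TLS sessions; confirm that plaintext logins are disabled elsewhere (`ssl = required` / `disable_plaintext_auth = yes`, not visible here) so no non-TLS path reaches the new passdb without a certificate. With `default_days = 3650` and no CRL there is no way to revoke a lost client key; Dovecot's `ssl_ca` accepts a CRL appended to the CA file, which the `[ crl_ext ]` section already prepares for.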

+ 121
- 0
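--- a/src/freedombone-clientcert
+++ b/src/freedombone-clientcert
@@ -0,0 +1,121 @@
+#!/bin/bash
+#
+# .---.                  .              .
+# |                      |              |
+# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
+# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
+# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
+#
+#                    Freedom in the Cloud
+#
+# Generates an email client cert for use with IMAP clients
+
+# See:
+#   http://strange.systems/certificate-based-auth-with-dovecot-sendmail
+#   http://help.fabasoftfolio.com/index.php?topic=doc/Installation-and-Configuration-of-Fabasoft-Folio-IMAP-Service/client-certificate-authentication.htm
+
+# License
+# =======
+#
+# Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+USERNAME=
+
+function show_help {
+    echo ''
+    echo 'freedombone-clientcert -u [username]'
+    echo ''
+    echo 'Creates email certificates for use with IMAP clients'
+    echo ''
+    echo '     --help                  Show help'
+    echo '  -u --username [name]       Username'
+    echo ''
+    exit 0
+}
+
+while [[ $# > 1 ]]
+do
+key="$1"
+
+case $key in
+    --help)
+    show_help
+    ;;
+    -u|--username)
+    shift
+    USERNAME="$1"
+    ;;
+    *)
+    # unknown option
+    ;;
+esac
+shift
+done
+
+if [ ! $USERNAME ]; then
+    echo 'No username specified'
+    exit 5748
+fi
+
+if [ ! -d /home/$USERNAME ]; then
+    echo "User $USERNAME not found"
+    exit 76239
+fi
+
+if [ -d /home/$USERNAME/emailcert ]; then
+    echo 'Client certs were already for created'
+    exit 2953
+fi
+
+if [ ! -f /etc/dovecot/passwd-file ]; then
+    touch /etc/dovecot/passwd-file
+fi
+
+# Add a user password
+if ! grep -q "$USERNAME:{plain}" $/etc/dovecot/passwd-file; then
+  echo "$USERNAME:{plain}::::::nopassword" >> /etc/dovecot/passwd-file
+fi
+
+chmod 600 /etc/dovecot/passwd-file
+
+# create a user cert
+freedombone-addcert -h $USERNAME
+
+# create a certificate request
+openssl req -new -sha256 -key /etc/ssl/private/$USERNAME.key -out /etc/ssl/requests/$USERNAME.csr
+
+# sign the certificate request
+openssl ca -config /etc/ssl/dovecot-ca.cnf -in /etc/ssl/requests/$USERNAME.csr -out /etc/ssl/certs/$USERNAME.cer
+
+# move the cert to the user's home
+mkdir /home/$USERNAME/emailcert
+mv /etc/ssl/certs/$USERNAME.cer /home/$USERNAME/emailcert
+cp /etc/ssl/certs/dovecot-ca.crt /home/$USERNAME/emailcert
+mv /etc/ssl/private/$USERNAME.key /home/$USERNAME/emailcert
+mv /etc/ssl/certs/$USERNAME.crt /home/$USERNAME/emailcert
+
+# set permissions for the user
+chmod -R 600 /home/$USERNAME/emailcert
+chown -R $USERNAME:$USERNAME /home/$USERNAME/emailcert
+
+shred -zu /etc/ssl/requests/$USERNAME.csr
+
+echo 'Email authentication certificate created. You can obtain it on the client with:'
+echo ''
+echo "      scp -P 2222 -r $USERNAME@mydomainname:/home/$USERNAME/emailcert ~/"
+echo ''
+
+exit 0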
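Review bot: The grep at line 88 reads `$/etc/dovecot/passwd-file`; bash leaves the stray `$` literal, so the path does not exist, the test always fails and the `nopassword` entry is appended on every run — it should be `if ! grep -Fq "$USERNAME:{plain}" /etc/dovecot/passwd-file; then`. Line 111's `chmod -R 600` also strips the execute bit from the `emailcert` directory itself, so the user cannot traverse it and the `scp -r` suggested at the end fails; use `chmod 700 /home/$USERNAME/emailcert && chmod 600 /home/$USERNAME/emailcert/*`. The option loop's `[[ $# > 1 ]]` is a string comparison and is false for a lone `--help`, so help is never shown; `[[ $# -gt 0 ]]` is the intended test, and the exit statuses 5748/76239/2953 are truncated to 8 bits by the shell, so distinct small codes would be clearer. Because Dovecot maps the login name from the certificate's commonName and the passwd-file entry carries no password, the interactive `openssl req` on line 98 should pin the subject with `-subj` so that CN equals `$USERNAME` (and `openssl ca` should run with `-batch`); otherwise a mistyped CN yields a certificate that authenticates a different account than the one it was issued for. Quoting `"$USERNAME"` in the path and command expansions would also keep unexpected characters in the name from splitting arguments.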