Beginning of imap client certs

src/freedombone

   sed -i 's/#disable_plaintext_auth =.*/disable_plaintext_auth = no/g' /etc/dovecot/conf.d/10-auth.conf
   sed -i 's/auth_mechanisms =.*/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf
   sed -i 's|mail_location =.*|mail_location = maildir:~/Maildir:LAYOUT=fs|g' /etc/dovecot/conf.d/10-mail.conf
+
+  # enable login via client certs
+  # http://strange.systems/certificate-based-auth-with-dovecot-sendmail/
+  #sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
+  #sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf
+  #sed -i 's|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/dovecot-ca.pem|g' /etc/dovecot/conf.d/10-ssl.conf
+  #sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf
+  #if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then
+	#echo '' >> /etc/dovecot/conf.d/10-auth.conf
+    #echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf
+    #echo '  driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
+    #echo '  args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf
+    #echo '  deny = no' >> /etc/dovecot/conf.d/10-auth.conf
+    #echo '  master = no' >> /etc/dovecot/conf.d/10-auth.conf
+    #echo '  pass = no' >> /etc/dovecot/conf.d/10-auth.conf
+    #echo '}' >> /etc/dovecot/conf.d/10-auth.conf
+  #fi
+  #echo "$MY_USERNAME:{plain}::::::nopassword" > /etc/dovecot/passwd-file
+  #freedombone-addcert -h dovecot-ca --ca
   service dovecot restart
   echo 'configure_imap' >> $COMPLETION_FILE
 }

src/freedombone-addcert

 LOCATION="Freedomville"
 ORGANISATION="Freedombone"
 UNIT="Freedombone Unit"
+EXTENSIONS=""
 
 function show_help {
     echo ''
     echo '  -l --location [locn]       Optional location name'
     echo '  -o --organisation [name]   Optional organisation name'
     echo '  -u --unit [name]           Optional unit name'
+    echo '     --ca                    Certificate authority cert'
     echo ''
     exit 0
 }
     shift
     UNIT="$1"
     ;;
+    --ca)
+    EXTENSIONS="-extensions v3_ca"
+    ;;
     *)
     # unknown option
     ;;
     exit 5689
 fi
 
-openssl req -x509 -nodes -days 3650 -sha256 -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" -newkey rsa:4096 -keyout /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/certs/$HOSTNAME.crt
+openssl req -x509 $EXTENSIONS -nodes -days 3650 -sha256 -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" -newkey rsa:4096 -keyout /etc/ssl/private/$HOSTNAME.key -out /etc/ssl/certs/$HOSTNAME.crt
 openssl dhparam -check -text -5 1024 -out /etc/ssl/certs/$HOSTNAME.dhparam
 chmod 400 /etc/ssl/private/$HOSTNAME.key
 chmod 640 /etc/ssl/certs/$HOSTNAME.crt