From b67321f5f59edae7a5f48273e3142c791cd54627 Mon Sep 17 00:00:00 2001
From: Jakub Czajka
Date: Sat, 3 Jun 2023 10:50:06 +0200
Subject: [PATCH] [dovecot] Require client certificates for IMAP.

---
 ca/README | 13 ++++++++-----
 dovecot/10-auth.conf | 6 +++---
 dovecot/10-ssl.conf | 4 ++--
 dovecot/20-imap.conf | 3 +++
 dovecot/README | 6 ++++++
 postfix/main.cf | 4 ++--
 6 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/ca/README b/ca/README
index de645f0..3270c05 100644
--- a/ca/README
+++ b/ca/README
@@ -17,6 +17,9 @@ instance of `.crt` [1].
 ```
 $ sudo --preserve-env openssl req -x509 -config ca.cnf -new -days 3650 -sha256 \
 -newkey rsa:4096 -keyout private/ca.key -out ca.pem
+$ sudo --preserve-env openssl ca -gencrl -config ca.cnf -out crlfile
+$ sudo --preserve-env sh -c "cat ca.pem >> ca.crl"
+$ sudo --preserve-env sh -c "cat crlfile >> ca.crl"
 ```
 
 Certificate
@@ -37,11 +40,11 @@ Other output formats are also possible [4].
 If generting an email certificate, add an extensions [5].
 
 ```
-$ openssl req -config ca.cnf -new -key certs/private/.key \
- -out certs/.csr -extensions email_cert
-$ openssl x509 -req -days 365 -sha256 -CA ca.pem -CAkey private/ca.key \
- -next_serial -in certs/.csr -out certs/.crt \
- -extensions email_cert
+$ sudo --preserve-env openssl req -config ca.cnf -new \
+ -key certs/private/.key -out certs/.csr -extensions email_cert
+$ sudo --preserve-env openssl x509 -req -days 365 -sha256 -CA ca.pem \
+ -CAkey private/ca.key -next_serial -in certs/.csr \
+ -out certs/.crt -extensions email_cert
 ```
 
 Import
diff --git a/dovecot/10-auth.conf b/dovecot/10-auth.conf
index ee3adfd..84294a8 100644
--- a/dovecot/10-auth.conf
+++ b/dovecot/10-auth.conf
@@ -86,18 +86,18 @@
 #auth_failure_delay = 2 secs
 
 # Require a valid SSL client certificate or the authentication fails.
-#auth_ssl_require_client_cert = no
+auth_ssl_require_client_cert = no
 
 # Take the username from client's SSL certificate, using
 # X509_NAME_get_text_by_NID() which returns the subject's DN's
 # CommonName.
-#auth_ssl_username_from_cert = no
+auth_ssl_username_from_cert = no
 
 # Space separated list of wanted authentication mechanisms:
 # plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
 # gss-spnego
 # NOTE: See also disable_plaintext_auth setting.
-auth_mechanisms = plain
+auth_mechanisms = plain login
 
 ##
 ## Password and user databases
diff --git a/dovecot/10-ssl.conf b/dovecot/10-ssl.conf
index 4dc0566..aa19178 100644
--- a/dovecot/10-ssl.conf
+++ b/dovecot/10-ssl.conf
@@ -21,10 +21,10 @@ ssl_key = <${mail_ssl_cert_dir}/privkey.pem
 # PEM encoded trusted certificate authority. Set this only if you intend to use
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
 # followed by the matching CRL(s). (e.g. ssl_ca = Trash +``` + Administration --------------
diff --git a/postfix/main.cf b/postfix/main.cf
index 6d0fa49..f115559 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -38,8 +38,8 @@ disable_vrfy_command = yes
 smtpd_reject_unlisted_sender = yes
 
 # HELO command
-smtpd_helo_restrictions = reject_invalid_helo_hostname,
- reject_non_fqdn_helo_hostname
+smtpd_helo_restrictions = permit_sasl_authenticated,
+ reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
 smtpd_helo_required = yes
 
 # Message rewrite
-- 
2.39.5
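Review bot: The two settings this hunk uncomments are left at `no`, so on its own the global `auth_ssl_require_client_cert = no` reads as contradicting the commit title, and a comment above it saying where the IMAP requirement actually lives would stop the next reader from "fixing" it. Presumably the override sits in the `protocol imap { ... }` block of dovecot/20-imap.conf (three added lines in the diffstat, not visible here) so that the global value can stay `no` for other consumers of the auth service such as Postfix SASL, if used; I would add `# Kept at "no" globally; 20-imap.conf enables the requirement for IMAP only.` Note also that with `auth_ssl_username_from_cert = no` the certificate is not bound to the account — any certificate issued by the trusted CA plus the user's password is sufficient — which is fine as a second factor but should be stated as a deliberate choice. Finally, `login` added to `auth_mechanisms` is the legacy plaintext mechanism; both `plain` and `login` are only acceptable because `disable_plaintext_auth` (referenced in the NOTE above the line) still forces TLS, so the reason for adding it, typically older clients, deserves a one-line comment next to the setting.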
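Review bot: `permit_sasl_authenticated` placed first in `smtpd_helo_restrictions` lets any SASL-authenticated client bypass both HELO checks, which is reasonable for roaming submission clients with non-FQDN hostnames, but because this is main.cf it applies to every smtpd instance on which `smtpd_sasl_auth_enable` is on. If SASL is enabled only on the submission/smtps services in master.cf (not visible here) the relaxation is correctly scoped; if it is also on for the port 25 listener, consider setting the permit only via `-o smtpd_helo_restrictions=...` on the submission service instead so the MX keeps the strict checks. Either way a comment stating the intent would help, e.g. `# Authenticated (submission) clients may use non-FQDN HELO names; all others must present a valid FQDN.`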