diff options
Diffstat (limited to 'imap')
| -rw-r--r-- | imap/.gitignore | 5 | ||||
| -rw-r--r-- | imap/ChangeLog | 16 | ||||
| -rw-r--r-- | imap/Makefile.am | 18 | ||||
| -rw-r--r-- | imap/configure.ac | 2 | ||||
| -rw-r--r-- | imap/imapd-ssl.dist.in | 16 | ||||
| -rw-r--r-- | imap/imapd.cnf.openssl.in | 2 | ||||
| -rw-r--r-- | imap/mkdhparams.in | 44 | ||||
| -rw-r--r-- | imap/mkdhparams.sgml | 81 | ||||
| -rw-r--r-- | imap/mkimapdcert.in | 15 | ||||
| -rw-r--r-- | imap/mkpop3dcert.in | 14 | ||||
| -rw-r--r-- | imap/pop3d-ssl.dist.in | 16 | ||||
| -rw-r--r-- | imap/pop3d.cnf.openssl.in | 2 |
12 files changed, 201 insertions, 30 deletions
diff --git a/imap/.gitignore b/imap/.gitignore index 4b8bc07..3687d22 100644 --- a/imap/.gitignore +++ b/imap/.gitignore @@ -17,6 +17,11 @@ /imapd.html.in /imapd.pam /imaplogin +/mkdhparams +/mkdhparams.8 +/mkdhparams.8.in +/mkdhparams.html +/mkdhparams.html.in /mkimapdcert /mkimapdcert.8 /mkimapdcert.8.in diff --git a/imap/ChangeLog b/imap/ChangeLog index 297b0cc..a5eeb40 100644 --- a/imap/ChangeLog +++ b/imap/ChangeLog @@ -1,3 +1,19 @@ +2013-11-10 Sam Varshavchik <mrsam@courier-mta.com> + + * libs/tcpd/libcouriergnutls.c, libs/tcpd/libcouriertls.c: remove the + TLS_DHCERTFILE setting, and use TLS_CERTFILE for all functionality. + Read DH parameters from TLS_CERTFILE, or from the new TLS_DHPARAMS + environment variable. + + * mkdhparams: New script that generates DH parameters into a standalone + file. + + * Remove TLS_DHCERTFILE setting from imapd-ssl, pop3d-ssl, esmtpd and + esmtpd-ssl. Add TLS_DHPARAMS. + + * Update imapd.cnf.openssl, pop3d.cnf.openssl, esmtpd.cnf.openssl, + set default number of bits for RSA keys to 4096. + 2013-10-14 Sam Varshavchik <mrsam@courier-mta.com> * libs/tcpd/libcouriertls.c (tls_create): Add TLSv1_1_method() and diff --git a/imap/Makefile.am b/imap/Makefile.am index 46a1e41..ef36662 100644 --- a/imap/Makefile.am +++ b/imap/Makefile.am @@ -8,22 +8,25 @@ BUILT_SOURCES=README.proxy DISTCLEANFILES=imapd.pam pop3d.pam imapd.cnf pop3d.cnf CLEANFILES=imapd.8 imapd.html mkimapdcert.html mkimapdcert.8 \ + mkdhparams.html mkdhparams.8 \ courierpop3d.html courierpop3d.8 mkpop3dcert.html mkpop3dcert.8 EXTRA_DIST=testsuite testsuite.txt smaptestsuite smaptestsuite.txt \ BUGS BUGS.html README README.html imapd.authpam \ pop3d.authpam system-auth.authpam system-auth2.authpam\ imapd.html.in imapd.8.in \ + mkdhparams.html.in mkdhparams.8.in \ mkimapdcert.html.in mkimapdcert.8.in \ mkpop3dcert.html.in mkpop3dcert.8.in \ courierpop3d.html.in courierpop3d.8.in \ README.proxy README.proxy.html \ imapd.cnf.gnutls pop3d.cnf.gnutls -noinst_SCRIPTS=mkimapdcert mkpop3dcert +noinst_SCRIPTS=mkimapdcert mkpop3dcert mkdhparams noinst_PROGRAMS=imaplogin imapd pop3login pop3d noinst_DATA=imapd.8 imapd.html imapd.cnf pop3d.cnf \ + mkdhparams.html mkdhparams.8 \ mkimapdcert.html mkimapdcert.8 \ mkpop3dcert.html mkpop3dcert.8 \ courierpop3d.html courierpop3d.8 @@ -102,6 +105,12 @@ imapd.html: imapd.html.in imapd.8: imapd.8.in ./config.status --file=imapd.8 +mkdhparams.html: mkdhparams.html.in + ./config.status --file=mkdhparams.html + +mkdhparams.8: mkdhparams.8.in + ./config.status --file=mkdhparams.8 + mkimapdcert.html: mkimapdcert.html.in ./config.status --file=mkimapdcert.html @@ -128,6 +137,13 @@ imapd.8.in: imapd.sgml ../docbook/sgml2man ../docbook/sgml2man imapd.sgml imapd.8.in mv imapd.8 imapd.8.in +mkdhparams.html.in: mkdhparams.sgml ../docbook/sgml2html + ../docbook/sgml2html mkdhparams.sgml mkdhparams.html.in + +mkdhparams.8.in: mkdhparams.sgml ../docbook/sgml2man + ../docbook/sgml2man mkdhparams.sgml mkdhparams.8.in + mv mkdhparams.8 mkdhparams.8.in + mkimapdcert.html.in: mkimapdcert.sgml ../docbook/sgml2html ../docbook/sgml2html mkimapdcert.sgml mkimapdcert.html.in diff --git a/imap/configure.ac b/imap/configure.ac index 7253d96..e60a5b5 100644 --- a/imap/configure.ac +++ b/imap/configure.ac @@ -367,5 +367,5 @@ int main() AC_SUBST(cacerts) AC_OUTPUT(Makefile imapd.dist imapd-ssl.dist pop3d.dist pop3d-ssl.dist - testsuitefix.pl mkimapdcert mkpop3dcert + testsuitefix.pl mkimapdcert mkpop3dcert mkdhparams imapd.cnf.openssl pop3d.cnf.openssl) diff --git a/imap/imapd-ssl.dist.in b/imap/imapd-ssl.dist.in index ac2f468..609c5aa 100644 --- a/imap/imapd-ssl.dist.in +++ b/imap/imapd-ssl.dist.in @@ -194,16 +194,6 @@ COURIERTLS=@bindir@/couriertls # This is supposed to be an inactivity timeout, but its not yet implemented. # -##NAME: TLS_DHCERTFILE:0 -# -# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate. -# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA -# you must generate a DH pair that will be used. In most situations the -# DH pair is to be treated as confidential, and the file specified by -# TLS_DHCERTFILE must not be world-readable. -# -# TLS_DHCERTFILE= - ##NAME: TLS_CERTFILE:0 # # TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS @@ -238,6 +228,12 @@ COURIERTLS=@bindir@/couriertls TLS_CERTFILE=@certsdir@/imapd.pem +##NAME: TLS_DHPARAMS:0 +# +# TLS_DHPARAMS - DH parameter file. +# +TLS_DHPARAMS=@certsdir@/dhparams.pem + ##NAME: TLS_TRUSTCERTS:0 # # TLS_TRUSTCERTS=pathname - load trusted certificates from pathname. diff --git a/imap/imapd.cnf.openssl.in b/imap/imapd.cnf.openssl.in index 0c66526..db9c732 100644 --- a/imap/imapd.cnf.openssl.in +++ b/imap/imapd.cnf.openssl.in @@ -2,7 +2,7 @@ RANDFILE = @certsdir@/imapd.rand [ req ] -default_bits = 1024 +default_bits = 4096 encrypt_key = yes distinguished_name = req_dn x509_extensions = cert_type diff --git a/imap/mkdhparams.in b/imap/mkdhparams.in new file mode 100644 index 0000000..f5bddfa --- /dev/null +++ b/imap/mkdhparams.in @@ -0,0 +1,44 @@ +#! @SHELL@ +# +# Copyright 2013 Double Precision, Inc. See COPYING for +# distribution information. +# +# Run this script monthly to generate DH parameters. + +if test -f @certsdir@/dhparams.pem +then + if test "`find @certsdir@/dhparams.pem -mtime +25 -print `" = "" + then + # Less than 25 days old + exit 0 + fi +fi + +set -e + +cp /dev/null @certsdir@/dhparams.pem.tmp +chmod 600 @certsdir@/dhparams.pem.tmp +chown @mailuser@ @certsdir@/dhparams.pem.tmp + +BITS="$DH_BITS" +if test "@ssllib@" = "openssl" +then + if test "$BITS" = "" + then + BITS=768 + fi + + dd if=@RANDOMV@ of=@certsdir@/dhparams.rand.tmp count=1 2>/dev/null + @OPENSSL@ dhparam -rand @certsdir@/dhparams.rand.tmp -outform PEM $BITS >@certsdir@/dhparams.pem.tmp + rm -f @certsdir@/dhparams.rand.tmp + mv -f @certsdir@/dhparams.pem.tmp @certsdir@/dhparams.pem +else + if test "$BITS" = "" + then + BITS=high + fi + + @CERTTOOL@ --generate-dh-params --sec-param $BITS >@certsdir@/dhparams.pem.tmp + mv -f @certsdir@/dhparams.pem.tmp @certsdir@/dhparams.pem +fi + diff --git a/imap/mkdhparams.sgml b/imap/mkdhparams.sgml new file mode 100644 index 0000000..086a530 --- /dev/null +++ b/imap/mkdhparams.sgml @@ -0,0 +1,81 @@ +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<!-- Copyright 2013 Double Precision, Inc. See COPYING for --> +<!-- distribution information. --> +<refentry> + <info><author><firstname>Sam</firstname><surname>Varshavchik</surname><contrib>Author</contrib></author><productname>Courier Mail Server</productname></info> + + <refmeta> + <refentrytitle>mkdhparams</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo>Double Precision, Inc.</refmiscinfo> + </refmeta> + + <refnamediv> + <refname>mkdhparams</refname> + <refpurpose>create DH parameter file</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis sepchar=" "> + <command>@sbindir@/mkdhparams</command> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>DESCRIPTION</title> + + <para> + This script creates new DH parameters and saves them in + <filename>@certsdir@/dhparams.pem</filename>. If this file already exists + and it's less than 25 days old, the script returns immediately. + If this file is over 25 days old, new DH parameters get generated and + the file gets replaced. + </para> + + <para> + This script is intended to be execute when the system boots, or from + a monthly cron job. + </para> + </refsect1> + + <refsect1> + <title>FILES</title> + + <variablelist> + <varlistentry> + <term>@certsdir@/dhparams.pem</term> + <listitem> + <simpara> + DH Parameter file. + </simpara> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1> + <title>ENVIRONMENT VARIABLES</title> + + <variablelist> + <varlistentry> + <term>BITS</term> + <listitem> + <simpara> + Customize the DH parameter bit size. The default value depends on + whether this script uses OpenSSL or GnuTLS libraries. For OpenSSL + the default number of bits is 768. GnuTLS uses a security level + setting, rather than the number of bits, and the default + security level is "high". + </simpara> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1> + <title>SEE ALSO</title> + + <para> + <ulink url="courier.html"><citerefentry><refentrytitle>courier</refentrytitle><manvolnum>8</manvolnum></citerefentry></ulink></para> + </refsect1> +</refentry> diff --git a/imap/mkimapdcert.in b/imap/mkimapdcert.in index 4156975..3bc1df1 100644 --- a/imap/mkimapdcert.in +++ b/imap/mkimapdcert.in @@ -24,6 +24,9 @@ then fi umask 077 +set -e + +BITS="$BITS" cleanup() { rm -f @certsdir@/imapd.pem @@ -44,20 +47,26 @@ then dd if=@RANDOMV@ of=@certsdir@/imapd.rand count=1 2>/dev/null @OPENSSL@ req -new -x509 -days 365 -nodes \ -config @sysconfdir@/imapd.cnf -out @certsdir@/imapd.pem -keyout @certsdir@/imapd.pem || cleanup - @OPENSSL@ gendh -rand @certsdir@/imapd.rand 512 >>@certsdir@/imapd.pem || cleanup @OPENSSL@ x509 -subject -dates -fingerprint -noout -in @certsdir@/imapd.pem || cleanup rm -f @certsdir@/imapd.rand else + if test "$BITS" = "" + then + BITS="high" + fi cp /dev/null @certsdir@/imapd.key chmod 600 @certsdir@/imapd.key cp /dev/null @certsdir@/imapd.cert chmod 600 @certsdir@/imapd.cert cp /dev/null @certsdir@/imapd.pem chmod 600 @certsdir@/imapd.pem + chown @mailuser@ @certsdir@/imapd.pem + cp /dev/null @certsdir@/imapd.pem + cp /dev/null @certsdir@/imapd.cert + cp /dev/null @certsdir@/imapd.key - @CERTTOOL@ --generate-privkey --outfile imapd.key + @CERTTOOL@ --generate-privkey --sec-param=$BITS --outfile imapd.key @CERTTOOL@ --generate-self-signed --load-privkey imapd.key --outfile imapd.cert --template @sysconfdir@/imapd.cnf - @CERTTOOL@ --generate-dh-params >>imapd.cert cat imapd.key imapd.cert >imapd.pem rm -f imapd.key imapd.cert fi diff --git a/imap/mkpop3dcert.in b/imap/mkpop3dcert.in index 9a4c530..5d48a1f 100644 --- a/imap/mkpop3dcert.in +++ b/imap/mkpop3dcert.in @@ -24,6 +24,7 @@ then fi umask 077 +set -e cleanup() { rm -f @certsdir@/pop3d.pem @@ -34,6 +35,9 @@ cleanup() { } cd @certsdir@ +umask 077 +BITS="$BITS" +set -e if test "@ssllib@" = "openssl" then @@ -44,20 +48,24 @@ then dd if=@RANDOMV@ of=@certsdir@/pop3d.rand count=1 2>/dev/null @OPENSSL@ req -new -x509 -days 365 -nodes \ -config @sysconfdir@/pop3d.cnf -out @certsdir@/pop3d.pem -keyout @certsdir@/pop3d.pem || cleanup - @OPENSSL@ gendh -rand @certsdir@/pop3d.rand 512 >>@certsdir@/pop3d.pem || cleanup @OPENSSL@ x509 -subject -dates -fingerprint -noout -in @certsdir@/pop3d.pem || cleanup rm -f @certsdir@/pop3d.rand else + if test "$BITS" = "" + then + BITS="high" + fi + cp /dev/null @certsdir@/pop3d.key chmod 600 @certsdir@/pop3d.key cp /dev/null @certsdir@/pop3d.cert chmod 600 @certsdir@/pop3d.cert cp /dev/null @certsdir@/pop3d.pem chmod 600 @certsdir@/pop3d.pem + chown @mailuser@ @certsdir@/pop3d.pem - @CERTTOOL@ --generate-privkey --outfile pop3d.key + @CERTTOOL@ --generate-privkey --sec-param=$BITS --outfile pop3d.key @CERTTOOL@ --generate-self-signed --load-privkey pop3d.key --outfile pop3d.cert --template @sysconfdir@/pop3d.cnf - @CERTTOOL@ --generate-dh-params >>pop3d.cert cat pop3d.key pop3d.cert >pop3d.pem rm -f pop3d.key pop3d.cert fi diff --git a/imap/pop3d-ssl.dist.in b/imap/pop3d-ssl.dist.in index 81a395a..1164b77 100644 --- a/imap/pop3d-ssl.dist.in +++ b/imap/pop3d-ssl.dist.in @@ -158,16 +158,6 @@ COURIERTLS=@bindir@/couriertls # This is supposed to be an inactivity timeout, but its not yet implemented. # -##NAME: TLS_DHCERTFILE:0 -# -# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate. -# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA -# you must generate a DH pair that will be used. In most situations the -# DH pair is to be treated as confidential, and the file specified by -# TLS_DHCERTFILE must not be world-readable. -# -# TLS_DHCERTFILE= - ##NAME: TLS_CERTFILE:0 # # TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS @@ -202,6 +192,12 @@ COURIERTLS=@bindir@/couriertls TLS_CERTFILE=@certsdir@/pop3d.pem +##NAME: TLS_DHPARAMS:0 +# +# TLS_DHPARAMS - DH parameter file. +# +TLS_DHPARAMS=@certsdir@/dhparams.pem + ##NAME: TLS_TRUSTCERTS:0 # # TLS_TRUSTCERTS=pathname - load trusted certificates from pathname. diff --git a/imap/pop3d.cnf.openssl.in b/imap/pop3d.cnf.openssl.in index 971965e..5ef1d47 100644 --- a/imap/pop3d.cnf.openssl.in +++ b/imap/pop3d.cnf.openssl.in @@ -2,7 +2,7 @@ RANDFILE = @certsdir@/pop3d.rand [ req ] -default_bits = 1024 +default_bits = 4096 encrypt_key = yes distinguished_name = req_dn x509_extensions = cert_type |