qpsmtpd/plugins/tls_cert

150 lines
3.8 KiB
Plaintext
Raw Permalink Normal View History

#!/usr/bin/perl
use strict;
POD corrections, additional tests, plugin consistency on files in plugins dir: fixed a number of POD errors formatted some # comments into POD removed bare 1; (these are plugins, not perl modules) most instances of this were copy/pasted from a previous plugin that had it removed instances of # vim ts=N ... they weren't consistent, many didn't match .perltidyrc on modules that failed perl -c tests, added 'use Qpsmtpd::Constants;' Conflicts: plugins/async/check_earlytalker plugins/async/dns_whitelist_soft plugins/async/dnsbl plugins/async/queue/smtp-forward plugins/async/require_resolvable_fromhost plugins/async/rhsbl plugins/async/uribl plugins/auth/auth_checkpassword plugins/auth/auth_cvm_unix_local plugins/auth/auth_flat_file plugins/auth/auth_ldap_bind plugins/auth/auth_vpopmail plugins/auth/auth_vpopmail_sql plugins/auth/authdeny plugins/check_badmailfromto plugins/check_badrcptto_patterns plugins/check_bogus_bounce plugins/check_earlytalker plugins/check_norelay plugins/check_spamhelo plugins/connection_time plugins/dns_whitelist_soft plugins/dnsbl plugins/domainkeys plugins/greylisting plugins/hosts_allow plugins/http_config plugins/logging/adaptive plugins/logging/apache plugins/logging/connection_id plugins/logging/transaction_id plugins/logging/warn plugins/milter plugins/queue/exim-bsmtp plugins/queue/maildir plugins/queue/postfix-queue plugins/queue/smtp-forward plugins/quit_fortune plugins/random_error plugins/rcpt_map plugins/rcpt_regexp plugins/relay_only plugins/require_resolvable_fromhost plugins/rhsbl plugins/sender_permitted_from plugins/spamassassin plugins/tls plugins/tls_cert plugins/uribl plugins/virus/aveclient plugins/virus/bitdefender plugins/virus/clamav plugins/virus/clamdscan plugins/virus/hbedv plugins/virus/kavscanner plugins/virus/klez_filter plugins/virus/sophie plugins/virus/uvscan
2012-04-08 02:11:16 +02:00
use warnings;
# create TLS certificates for qpsmtpd
use File::Temp qw/ tempfile tempdir /;
use Getopt::Long;
use Sys::Hostname;
my %opts = ();
my $hostname = hostname();
print "Using hostname: $hostname\n";
my %defaults = (
C => 'XY',
ST => 'unknown',
L => 'unknown',
O => 'QSMTPD',
OU => 'Server',
CN => $hostname,
);
GetOptions(\%opts,
'C|Country:s',
'ST|State:s',
'L|Locality|City:s',
'O|Organization:s',
'OU|OrganizationalUnit|U:s',
'CN|CommonName|N:s',
'emailAddress|email|E:s',
'help|H',
);
usage() if $opts{help};
# initialize defaults
foreach my $key ( keys %defaults ) {
$opts{$key} = $defaults{$key} unless $opts{$key}
}
$opts{emailAddress} = 'postmaster@'.$opts{CN};
mkdir 'ssl' if ! -d 'ssl';
my $CA_key = 'ssl/qpsmtpd-ca.key';
my $CA_crt = 'ssl/qpsmtpd-ca.crt';
my $CA_serial = 'ssl/.cert.serial';
my $template;
my ($CA, $CAfilename) = tempfile( $template, DIR => "ssl", UNLINK => 1);
print ${CA} return_cfg('CA');
close ${CA};
system('openssl', 'genrsa', '-out', $CA_key, 2048) == 0
or die "Cannot create CA key: $?";
system('openssl', 'req', '-config', $CAfilename, '-new', '-x509',
'-days', (365*6), '-key', $CA_key,
'-out', $CA_crt) == 0
or die "Cannot create CA cert: $?";
my $SERVER_key = 'ssl/qpsmtpd-server.key';
my $SERVER_csr = 'ssl/qpsmtpd-server.csr';
my $SERVER_crt = 'ssl/qpsmtpd-server.crt';
my $SERVER_dhparam = 'ssl/qpsmtpd-dhparam.pem';
my ($SERVER, $SERVERfilename) = tempfile( $template, DIR => "ssl", UNLINK => 1);
print ${SERVER} return_cfg($opts{OU});
close ${SERVER};
system('openssl', 'genrsa', '-out', $SERVER_key, 1024) == 0
or die "Cannot create server key: $?";
system('openssl', 'req', '-config', $SERVERfilename, '-new',
'-key', $SERVER_key, '-out', $SERVER_csr) == 0
or die "Cannot create server cert: $?";
my ($SIGN, $SIGNfilename) = tempfile( $template, DIR => "ssl", UNLINK => 1);
print ${SIGN} <<"EOT";
extensions = x509v3
[ x509v3 ]
subjectAltName = email:copy
nsComment = tls certificate
nsCertType = server
EOT
close ${SIGN};
open my $SERIAL, '>', $CA_serial;
print ${SERIAL} "01\n";
close ${SERIAL};
system('openssl', 'x509', '-extfile', $SIGNfilename, '-days', (365*2),
'-CAserial', $CA_serial, '-CA', $CA_crt,
'-CAkey', $CA_key, '-in', $SERVER_csr,
'-req', '-out', $SERVER_crt) == 0
or die "Cannot sign cert: $?";
system('openssl', 'dhparam', '-out', $SERVER_dhparam, 2048) == 0
or die "Cannot create server dhparam: $?";
exit(0);
sub return_cfg {
my $OU = shift;
my $RANDOM = int(rand(1000)).'RAN'.int(rand(1000)).'DOM';
my $cfg = <<"EOT";
[ req ]
default_bits = 1024
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
output_password = mypass
[ req_distinguished_name ]
C = $opts{C}
ST = $opts{ST}
L = $opts{L}
O = $opts{O}
OU = $OU
CN = $opts{CN}
emailAddress = $opts{emailAddress}
[ req_attributes ]
challengePassword = $RANDOM challenge password
EOT
return $cfg;
}
sub usage {
print STDERR <<"EOT";
$0 will generate a TLS certificate "the quick way",
i.e. without interaction. You can change some defaults however.
These options are recognized: Default:
--C Country (two letters, e.g. DE) $defaults{C}
--ST State (spelled out) $defaults{ST}
--L City $defaults{L}
--O Organization $defaults{O}
--OU Organizational Unit $defaults{OU}
--CN Common name $defaults{CN}
--email Email address of postmaster postmaster\@CN
--help Show usage
EOT
exit(1);
}