qpsmtpd/plugins/tls_cert

#!perl -w
use warnings;

# Very basic script to create TLS certificates for qpsmtpd
use File::Temp qw/ tempfile tempdir /;
use Getopt::Long;

my %opts = ();
chomp (my $hostname = `hostname --fqdn`);
if ($?) {
    chomp($hostname = `hostname`);
}
print "Using hostname: $hostname\n";
my %defaults = (
    C  => 'XY',
    ST => 'unknown',
    L  => 'unknown',
    O  => 'QSMTPD',
    OU => 'Server',
    CN => $hostname,
);

GetOptions(\%opts, 
    'C|Country:s',
    'ST|State:s',
    'L|Locality|City:s',
    'O|Organization:s',
    'OU|OrganizationalUnit|U:s',
    'CN|CommonName|N:s',
    'emailAddress|email|E:s',
    'help|H',
);

usage() if $opts{help};

# initialize defaults
foreach my $key ( keys %defaults ) {
    $opts{$key} = $defaults{$key} unless $opts{$key}
}
$opts{emailAddress} = 'postmaster@'.$opts{CN};

mkdir('ssl') unless -d 'ssl';

my $CA_key = 'ssl/qpsmtpd-ca.key';
my $CA_crt = 'ssl/qpsmtpd-ca.crt';
my $CA_serial = 'ssl/.cert.serial';

my ($CA, $CAfilename) = tempfile( $template, DIR => "ssl", UNLINK => 1);

print ${CA} return_cfg('CA');
close ${CA};

system('openssl', 'genrsa', '-out', $CA_key, 2048) == 0 
    or die "Cannot create CA key: $?";

system('openssl', 'req', '-config', $CAfilename, '-new', '-x509',
	'-days', (365*6), '-key', $CA_key,
	'-out', $CA_crt) == 0
    or die "Cannot create CA cert: $?";

my $SERVER_key = 'ssl/qpsmtpd-server.key';
my $SERVER_csr = 'ssl/qpsmtpd-server.csr';
my $SERVER_crt = 'ssl/qpsmtpd-server.crt';

my ($SERVER, $SERVERfilename) = tempfile( $template, DIR => "ssl", UNLINK => 1);
print ${SERVER} return_cfg($opts{OU});
close ${SERVER};

system('openssl', 'genrsa', '-out', $SERVER_key, 1024) == 0 
    or die "Cannot create server key: $?";

system('openssl', 'req', '-config', $SERVERfilename, '-new', 
	'-key', $SERVER_key, '-out', $SERVER_csr) == 0
    or die "Cannot create server cert: $?";

my ($SIGN, $SIGNfilename) = tempfile( $template, DIR => "ssl", UNLINK => 1);
print ${SIGN} <<"EOT";
extensions = x509v3
[ x509v3 ]
subjectAltName   = email:copy
nsComment        = tls certificate
nsCertType       = server
EOT
close ${SIGN};

open my $SERIAL, '>', $CA_serial;
print ${SERIAL} "01\n";
close ${SERIAL};

system('openssl', 'x509', '-extfile', $SIGNfilename, '-days', (365*2),
	'-CAserial', $CA_serial, '-CA', $CA_crt,
	'-CAkey', $CA_key, '-in', $SERVER_csr,
	'-req', '-out', $SERVER_crt) == 0
    or die "Cannot sign cert: $?";

exit(0);
	
sub return_cfg {
    my $OU = shift;
    my $RANDOM = int(rand(1000)).'RAN'.int(rand(1000)).'DOM';
    my $cfg = <<"EOT";
[ req ]
default_bits           = 1024
default_keyfile        = keyfile.pem
distinguished_name     = req_distinguished_name
attributes             = req_attributes
prompt                 = no
output_password        = mypass

[ req_distinguished_name ]
C                      = $opts{C}
ST                     = $opts{ST}
L                      = $opts{L}
O                      = $opts{O}
OU                     = $OU
CN                     = $opts{CN}
emailAddress           = $opts{emailAddress}

[ req_attributes ]
challengePassword      = $RANDOM challenge password
EOT
    return $cfg;
}

sub usage {
    print STDERR <<"EOT";

 $0 will generate a TLS certificate "the quick way",
 i.e. without interaction.  You can change some defaults however.
    
 These options are recognized:             Default:

  --C       Country (two letters, e.g. DE) $defaults{C}
  --ST      State (spelled out)            $defaults{ST}
  --L       City                           $defaults{L}
  --O       Organization                   $defaults{O}
  --OU      Organizational Unit            $defaults{OU}
  --CN      Common name                    $defaults{CN}
  --email   Email address of postmaster    postmaster\@CN
  --help    Show usage

EOT
    exit(1);
}
Fix 01-syntax test failures Exclude some tests with dependencies. Remove -T from perl line in plugins This makes it harder to test with PERL5LIB/perlbrew etc 2012-04-29 10:35:59 +02:00			`#!perl -w`
POD corrections, additional tests, plugin consistency on files in plugins dir: fixed a number of POD errors formatted some # comments into POD removed bare 1; (these are plugins, not perl modules) most instances of this were copy/pasted from a previous plugin that had it removed instances of # vim ts=N ... they weren't consistent, many didn't match .perltidyrc on modules that failed perl -c tests, added 'use Qpsmtpd::Constants;' Conflicts: plugins/async/check_earlytalker plugins/async/dns_whitelist_soft plugins/async/dnsbl plugins/async/queue/smtp-forward plugins/async/require_resolvable_fromhost plugins/async/rhsbl plugins/async/uribl plugins/auth/auth_checkpassword plugins/auth/auth_cvm_unix_local plugins/auth/auth_flat_file plugins/auth/auth_ldap_bind plugins/auth/auth_vpopmail plugins/auth/auth_vpopmail_sql plugins/auth/authdeny plugins/check_badmailfromto plugins/check_badrcptto_patterns plugins/check_bogus_bounce plugins/check_earlytalker plugins/check_norelay plugins/check_spamhelo plugins/connection_time plugins/dns_whitelist_soft plugins/dnsbl plugins/domainkeys plugins/greylisting plugins/hosts_allow plugins/http_config plugins/logging/adaptive plugins/logging/apache plugins/logging/connection_id plugins/logging/transaction_id plugins/logging/warn plugins/milter plugins/queue/exim-bsmtp plugins/queue/maildir plugins/queue/postfix-queue plugins/queue/smtp-forward plugins/quit_fortune plugins/random_error plugins/rcpt_map plugins/rcpt_regexp plugins/relay_only plugins/require_resolvable_fromhost plugins/rhsbl plugins/sender_permitted_from plugins/spamassassin plugins/tls plugins/tls_cert plugins/uribl plugins/virus/aveclient plugins/virus/bitdefender plugins/virus/clamav plugins/virus/clamdscan plugins/virus/hbedv plugins/virus/kavscanner plugins/virus/klez_filter plugins/virus/sophie plugins/virus/uvscan 2012-04-08 02:11:16 +02:00			`use warnings;`

Fix problems with tls and relay_client. * lib/Qpsmtpd/Connection.pm Abstract out parameters which can be reused (e.g. TLS) or can be set when creating the Connection object via start(). * plugins/tls Simplify code to use $self->clone() construct and also suppress IO::Socket::SSL debug noise, now that this is working. * plugins/tls_cert New file to automate creating self-signed certificates for TLS. git-svn-id: https://svn.perl.org/qpsmtpd/branches/0.3x@597 958fd67b-6ff1-0310-b445-bb7760255be9 2006-01-05 03:12:46 +01:00			`# Very basic script to create TLS certificates for qpsmtpd`
			`use File::Temp qw/ tempfile tempdir /;`
			`use Getopt::Long;`

			`my %opts = ();`
			chomp (my $hostname = `hostname --fqdn`);
Don't pass --fqdn to hostname if it fails git-svn-id: https://svn.perl.org/qpsmtpd/trunk@855 958fd67b-6ff1-0310-b445-bb7760255be9 2008-03-13 20:51:00 +01:00			`if ($?) {`
			chomp($hostname = `hostname`);
			`}`
			`print "Using hostname: $hostname\n";`
Fix problems with tls and relay_client. * lib/Qpsmtpd/Connection.pm Abstract out parameters which can be reused (e.g. TLS) or can be set when creating the Connection object via start(). * plugins/tls Simplify code to use $self->clone() construct and also suppress IO::Socket::SSL debug noise, now that this is working. * plugins/tls_cert New file to automate creating self-signed certificates for TLS. git-svn-id: https://svn.perl.org/qpsmtpd/branches/0.3x@597 958fd67b-6ff1-0310-b445-bb7760255be9 2006-01-05 03:12:46 +01:00			`my %defaults = (`
			`C => 'XY',`
			`ST => 'unknown',`
			`L => 'unknown',`
			`O => 'QSMTPD',`
			`OU => 'Server',`
			`CN => $hostname,`
			`);`

			`GetOptions(\%opts,`
			`'C\|Country:s',`
			`'ST\|State:s',`
			`'L\|Locality\|City:s',`
			`'O\|Organization:s',`
			`'OU\|OrganizationalUnit\|U:s',`
			`'CN\|CommonName\|N:s',`
			`'emailAddress\|email\|E:s',`
			`'help\|H',`
			`);`

			`usage() if $opts{help};`

			`# initialize defaults`
			`foreach my $key ( keys %defaults ) {`
			`$opts{$key} = $defaults{$key} unless $opts{$key}`
			`}`
			`$opts{emailAddress} = 'postmaster@'.$opts{CN};`

			`mkdir('ssl') unless -d 'ssl';`

			`my $CA_key = 'ssl/qpsmtpd-ca.key';`
			`my $CA_crt = 'ssl/qpsmtpd-ca.crt';`
			`my $CA_serial = 'ssl/.cert.serial';`

			`my ($CA, $CAfilename) = tempfile( $template, DIR => "ssl", UNLINK => 1);`

			`print ${CA} return_cfg('CA');`
			`close ${CA};`

			`system('openssl', 'genrsa', '-out', $CA_key, 2048) == 0`
			`or die "Cannot create CA key: $?";`

			`system('openssl', 'req', '-config', $CAfilename, '-new', '-x509',`
			`'-days', (365*6), '-key', $CA_key,`
			`'-out', $CA_crt) == 0`
			`or die "Cannot create CA cert: $?";`

			`my $SERVER_key = 'ssl/qpsmtpd-server.key';`
			`my $SERVER_csr = 'ssl/qpsmtpd-server.csr';`
			`my $SERVER_crt = 'ssl/qpsmtpd-server.crt';`

			`my ($SERVER, $SERVERfilename) = tempfile( $template, DIR => "ssl", UNLINK => 1);`
			`print ${SERVER} return_cfg($opts{OU});`
			`close ${SERVER};`

			`system('openssl', 'genrsa', '-out', $SERVER_key, 1024) == 0`
			`or die "Cannot create server key: $?";`

			`system('openssl', 'req', '-config', $SERVERfilename, '-new',`
			`'-key', $SERVER_key, '-out', $SERVER_csr) == 0`
Correct minor cut/paste error git-svn-id: https://svn.perl.org/qpsmtpd/branches/0.3x@610 958fd67b-6ff1-0310-b445-bb7760255be9 2006-02-05 02:28:44 +01:00			`or die "Cannot create server cert: $?";`
Fix problems with tls and relay_client. * lib/Qpsmtpd/Connection.pm Abstract out parameters which can be reused (e.g. TLS) or can be set when creating the Connection object via start(). * plugins/tls Simplify code to use $self->clone() construct and also suppress IO::Socket::SSL debug noise, now that this is working. * plugins/tls_cert New file to automate creating self-signed certificates for TLS. git-svn-id: https://svn.perl.org/qpsmtpd/branches/0.3x@597 958fd67b-6ff1-0310-b445-bb7760255be9 2006-01-05 03:12:46 +01:00
			`my ($SIGN, $SIGNfilename) = tempfile( $template, DIR => "ssl", UNLINK => 1);`
			`print ${SIGN} <<"EOT";`
			`extensions = x509v3`
			`[ x509v3 ]`
			`subjectAltName = email:copy`
			`nsComment = tls certificate`
			`nsCertType = server`
			`EOT`
			`close ${SIGN};`

			`open my $SERIAL, '>', $CA_serial;`
			`print ${SERIAL} "01\n";`
			`close ${SERIAL};`

			`system('openssl', 'x509', '-extfile', $SIGNfilename, '-days', (365*2),`
			`'-CAserial', $CA_serial, '-CA', $CA_crt,`
			`'-CAkey', $CA_key, '-in', $SERVER_csr,`
			`'-req', '-out', $SERVER_crt) == 0`
			`or die "Cannot sign cert: $?";`

			`exit(0);`

			`sub return_cfg {`
			`my $OU = shift;`
			`my $RANDOM = int(rand(1000)).'RAN'.int(rand(1000)).'DOM';`
			`my $cfg = <<"EOT";`
			`[ req ]`
			`default_bits = 1024`
			`default_keyfile = keyfile.pem`
			`distinguished_name = req_distinguished_name`
			`attributes = req_attributes`
			`prompt = no`
			`output_password = mypass`

			`[ req_distinguished_name ]`
			`C = $opts{C}`
			`ST = $opts{ST}`
			`L = $opts{L}`
			`O = $opts{O}`
			`OU = $OU`
			`CN = $opts{CN}`
			`emailAddress = $opts{emailAddress}`

			`[ req_attributes ]`
			`challengePassword = $RANDOM challenge password`
			`EOT`
			`return $cfg;`
			`}`

			`sub usage {`
			`print STDERR <<"EOT";`

			`$0 will generate a TLS certificate "the quick way",`
			`i.e. without interaction. You can change some defaults however.`

			`These options are recognized: Default:`

			`--C Country (two letters, e.g. DE) $defaults{C}`
			`--ST State (spelled out) $defaults{ST}`
			`--L City $defaults{L}`
			`--O Organization $defaults{O}`
			`--OU Organizational Unit $defaults{OU}`
			`--CN Common name $defaults{CN}`
			`--email Email address of postmaster postmaster\@CN`
			`--help Show usage`

			`EOT`
			`exit(1);`
			`}`