
#1 On 24/05/2008, at 16:10

#hehedotcom'isback

Postfix-Apache configuration script with SSL (/!!\ under testing)

Hello

I am putting together a script to configure Postfix with certificates and RSA keys.

#!/bin/bash
## Secure Postfix: SASL authentication + TLS
set -e

echo "Configurer Postfix"
# Run the postconf calls one after another. The original chained them with a
# single '&', which backgrounds each command and lets several postconf
# processes edit main.cf at the same time.
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
# No backslash in the value: inside single quotes it is literal and ends up in
# main.cf as a bogus first restriction ("\ permit_sasl_authenticated,...").
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'inet_interfaces = all'
# Cyrus SASL settings read by smtpd; the directory must exist before writing into it
sudo mkdir -p /etc/postfix/sasl
echo -e '\npwcheck_method: saslauthd\nmech_list: plain login\n' | sudo tee /etc/postfix/sasl/smtpd.conf

echo "Configurer les certificats SSL"
sudo mkdir -p /etc/postfix/ssl
cd /etc/postfix/ssl/
echo "Generation des clefs smtp"
# 1024-bit RSA as in the original (2008); 2048 bits or more is the current minimum.
# -des3 protects the key with a passphrase; it is stripped again below because
# smtpd cannot prompt for one at startup.
sudo openssl genrsa -des3 -rand /etc/hosts -out /etc/postfix/ssl/smtpd.key 1024
sudo chmod 600 /etc/postfix/ssl/smtpd.key
echo "Generation du certificat smtp"
# Certificate request, self-signed certificate valid 10 years, then the passphrase-free key
sudo openssl req -new -key /etc/postfix/ssl/smtpd.key -out /etc/postfix/ssl/smtpd.csr
sudo openssl x509 -req -days 3650 -in /etc/postfix/ssl/smtpd.csr -signkey /etc/postfix/ssl/smtpd.key -out /etc/postfix/ssl/smtpd.crt
sudo openssl rsa -in /etc/postfix/ssl/smtpd.key -out /etc/postfix/ssl/smtpd.key.unencrypted
sudo mv -f /etc/postfix/ssl/smtpd.key.unencrypted /etc/postfix/ssl/smtpd.key
sudo chmod 600 /etc/postfix/ssl/smtpd.key
# Separate self-signed CA certificate. Note that smtpd.crt above is signed with
# its own key, not by this CA, so cacert.pem is not its issuer.
sudo openssl req -new -x509 -extensions v3_ca -keyout /etc/postfix/ssl/cakey.pem -out /etc/postfix/ssl/cacert.pem -days 3650

echo "Configurer Postfix avec les clefs RSA"
# smtpd_tls_auth_only = no: AUTH is also offered on unencrypted connections
sudo postconf -e 'smtpd_tls_auth_only = no'
sudo postconf -e 'smtp_use_tls = yes'
sudo postconf -e 'smtpd_use_tls = yes'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
sudo postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
sudo postconf -e 'tls_random_source = dev:/dev/urandom'

# Postfix on Debian/Ubuntu runs chrooted in /var/spool/postfix, so the
# saslauthd socket directory has to live inside the chroot.
sudo mkdir -p /var/spool/postfix/var/run/saslauthd
sudo rm -fr /var/run/saslauthd
echo "Creation du daemon /etc/init.d/saslauthd"
# The init script the original post asked the reader to paste by hand (it was
# listed as commented lines prefixed with '####'). It is written here with a
# quoted heredoc so that ${...} and $1 are not expanded by this script.
# It needs START=yes and MECHANISMS set in /etc/default/saslauthd, otherwise
# it exits quietly without starting anything.
sudo tee /etc/init.d/saslauthd >/dev/null <<'EOF'
#!/bin/sh -e
NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd
PWDIR="/var/spool/postfix/var/run/${NAME}"
PIDFILE="${PWDIR}/saslauthd.pid"
dir="root sasl 755 ${PWDIR}"
createdir() {
    # $1 = user
    # $2 = group
    # $3 = permissions (octal)
    # $4 = path to directory
    [ -d "$4" ] || mkdir -p "$4"
    chown -c -h "$1:$2" "$4"
    chmod -c "$3" "$4"
}
test -f "${DAEMON}" || exit 0
# Source defaults file; edit that file to configure this script.
if [ -e "${DEFAULTS}" ]; then
    . "${DEFAULTS}"
fi
# If we're not to start the daemon, simply exit
if [ "${START}" != "yes" ]; then
    exit 0
fi
# If we have no mechanisms defined
if [ "x${MECHANISMS}" = "x" ]; then
    echo "You need to configure ${DEFAULTS} with mechanisms to be used"
    exit 0
fi
# Add our mechanisms with the necessary flag
PARAMS="${PARAMS} -a ${MECHANISMS}"
START="--start --quiet --pidfile ${PIDFILE} --startas ${DAEMON} --name ${NAME} -- ${PARAMS}"
# Consider our options
case "${1}" in
    start)
        echo -n "Starting ${DESC}: "
        #dir=`dpkg-statoverride --list $PWDIR`
        test -z "$dir" || createdir $dir
        if start-stop-daemon ${START} >/dev/null 2>&1 ; then
            echo "${NAME}."
        else
            if start-stop-daemon --test ${START} >/dev/null 2>&1; then
                echo "(failed)."
                exit 1
            else
                echo "${DAEMON} already running."
                exit 0
            fi
        fi
        ;;
    stop)
        echo -n "Stopping ${DESC}: "
        if start-stop-daemon --stop --quiet --pidfile "${PIDFILE}" \
                --startas ${DAEMON} --retry 10 --name ${NAME} \
                >/dev/null 2>&1 ; then
            echo "${NAME}."
        else
            if start-stop-daemon --test ${START} >/dev/null 2>&1; then
                echo "(not running)."
                exit 0
            else
                echo "(failed)."
                exit 1
            fi
        fi
        ;;
    restart|force-reload)
        $0 stop
        exec $0 start
        ;;
    *)
        echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac
exit 0
EOF
sudo chmod +x /etc/init.d/saslauthd
sudo /etc/init.d/saslauthd restart
sudo /etc/init.d/postfix restart
echo "Postfix est configuré et les certificats sont opérationnels" && $SHELL

Everything seems to go through fine,

 telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 hp-linux ESMTP Postfix (mkl)
ehlo localhost
250-hp-linux
250-PIPELINING
250-SIZE 2560000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Could you tell me whether I am forgetting anything important (personal use, this is for testing)?

 postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 2560000
mydestination = localhost, localhost.localdomain hp-linux
myhostname = hp-linux
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24 192.168.0.0/24
mynetworks_style = host
readme_directory = no
recipient_delimiter = +
relay_domains = 
relayhost = smtp.free.fr
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (mkl)
smtpd_client_message_rate_limit = 100
smtpd_recipient_limit = 500
smtpd_recipient_restrictions = \ permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks,        reject_unknown_sender_domain,        warn_if_reject,        reject_unverified_sender
smtpd_timeout = 60s
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes

main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (mkl)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = yes
myhostname = hp-linux

# local delivery domains
mydestination = localhost, localhost.localdomain hp-linux

relayhost = smtp.free.fr

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

inet_interfaces = all


# add the local networks 192.168.1.0/24 & 192.168.0.0/24
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24 192.168.0.0/24
mailbox_size_limit = 0
recipient_delimiter = +
smtpd_recipient_restrictions = \ permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_recipient_limit = 500

# Limit the size of mails
message_size_limit = 2560000
smtpd_client_message_rate_limit = 100
smtpd_timeout = 60s


# Do not relay mail from other machines.
mynetworks_style = host
relay_domains = 

# access restrictions
smtpd_sender_restrictions =
        permit_mynetworks,
        reject_unknown_sender_domain,
        warn_if_reject,
        reject_unverified_sender


smtpd_sasl_local_domain = 
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Last modified by #hehedotcom'isback (26/05/2008, at 16:04)


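Added example, not part of the original post or of Postfix: a small POSIX sh audit of the `postconf -n` values pasted above. It re-reads a constructed copy of the relevant lines (the temp file, the function names and the checks are mine) and flags the points a reviewer would raise on that output: the literal backslash that the single-quoted `postconf -e` left at the start of smtpd_recipient_restrictions, AUTH being offered before STARTTLS because smtpd_tls_auth_only is not yes (visible in the EHLO reply above as `250-AUTH PLAIN LOGIN` on a plaintext session), the LAN ranges in mynetworks combined with permit_mynetworks (mynetworks_style is only consulted when mynetworks is not set explicitly, so `mynetworks_style = host` has no effect here), and the pre-2.3 `smtpd_use_tls` spelling where `smtpd_tls_security_level` is the current parameter.

```shell
#!/bin/sh
# Audit of postconf -n output (added example). The sample file below is a
# constructed excerpt of the values shown in the forum post.

SAMPLE_POSTCONF=$(mktemp)
cat > "$SAMPLE_POSTCONF" <<'EOF'
inet_interfaces = all
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24 192.168.0.0/24
mynetworks_style = host
smtpd_recipient_restrictions = \ permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
smtpd_use_tls = yes
EOF

# get_param FILE NAME: value of NAME in postconf -n output (empty if absent)
get_param() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# lan_networks FILE: entries of mynetworks other than loopback, space separated
lan_networks() {
    lan=""
    set -f   # no globbing: the IPv6 entries contain '[' and ']'
    for net in $(get_param "$1" mynetworks); do
        case "$net" in
            127.*|"[::1]"*|"[::ffff:127."*) ;;
            *) lan="${lan:+$lan }$net" ;;
        esac
    done
    set +f
    printf '%s\n' "$lan"
}

# check_postfix_conf FILE: one finding per line on stdout, always returns 0
check_postfix_conf() {
    f=$1
    restr=$(get_param "$f" smtpd_recipient_restrictions)

    # 1. A backslash inside a single-quoted postconf -e argument is literal, so the
    #    restriction list starts with the token "\", which is not a restriction name.
    case "$restr" in
        *\\*) printf '%s\n' "ERROR: smtpd_recipient_restrictions contains a literal backslash: $restr" ;;
    esac

    # 2. With smtpd_tls_auth_only != yes, AUTH PLAIN/LOGIN is advertised on the
    #    unencrypted session, so a client may send its password in clear.
    if [ "$(get_param "$f" smtpd_sasl_auth_enable)" = yes ] &&
       [ "$(get_param "$f" smtpd_tls_auth_only)" != yes ]; then
        printf '%s\n' "WARN: smtpd_tls_auth_only is not 'yes': SASL credentials may cross the wire in plaintext"
    fi

    # 3. permit_mynetworks with LAN ranges in mynetworks lets every host on those
    #    subnets relay without authenticating (mynetworks_style is ignored here).
    lan=$(lan_networks "$f")
    case "$restr" in
        *permit_mynetworks*)
            if [ -n "$lan" ]; then
                printf '%s\n' "WARN: permit_mynetworks lets these networks relay without AUTH: $lan"
            fi ;;
    esac

    # 4. smtpd_use_tls is the pre-2.3 parameter; smtpd_tls_security_level replaces it.
    if [ "$(get_param "$f" smtpd_use_tls)" = yes ] &&
       [ -z "$(get_param "$f" smtpd_tls_security_level)" ]; then
        printf '%s\n' "NOTE: smtpd_use_tls is obsolete; set smtpd_tls_security_level = may (or encrypt) instead"
    fi
    return 0
}

# count_findings FILE: number of findings, for scripting
count_findings() {
    check_postfix_conf "$1" | wc -l | tr -d ' '
}

check_postfix_conf "$SAMPLE_POSTCONF"
```

Against a live server run `sudo postconf -n > /tmp/postconf.txt` (path of your choice) and pass that file to `check_postfix_conf`; the sample above yields four findings.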

#2 On 26/05/2008, at 15:57

#hehedotcom'isback

Re: Postfix-Apache configuration script with SSL (/!!\ under testing)

Apache2 + VirtualHost configuration script, to be adapted by hand

#!/bin/sh
############################################
#SCRIPT_SSL_APACHE
##/home/mike/02-mes_scripts/01-system/
###Version 26/05/2008.MKL
############################################
set -e
# Apache directory.
rep='/etc/apache2'
printf 'Mise en place des certificats SSL %s.\nVous devez utiliser les droits administrateur\n' "$rep"

## PART I

#-- Create the directories and the keys.
# ssl.key, ssl.csr and ssl.crt directories (-p so the script can be re-run)
sudo mkdir -p "$rep/ssl.key" "$rep/ssl.csr" "$rep/ssl.crt"

# Generate the RSA private key (1024 bits as in the original; 2048 bits or more is the current minimum)
sudo openssl genrsa -out "$rep/ssl.key/server.key" 1024
sudo chmod 600 "$rep/ssl.key/server.key"

# Certificate signing request. It is only needed if a CA is to sign the key;
# the self-signed certificate below is produced directly from the key and does
# not use this file, which is why the DN questions are asked twice.
sudo openssl req -new -key "$rep/ssl.key/server.key" -out "$rep/ssl.csr/server.csr"

# x509: self-signed certificate, valid one year
# (-sha1 kept from the original; current browsers reject SHA-1 signatures, use -sha256)
sudo openssl req -new -x509 -nodes -sha1 -days 365 -key "$rep/ssl.key/server.key" -out "$rep/ssl.crt/server.crt"

# The system asks you twice in a row for the same information:
#   Mise en place des certificats SSL /etc/apache2.
#   Vous devez utilisez les droits administrateur
#   Generating RSA private key, 1024 bit long modulus
#   ........................................++++++
#   ....++++++
#   e is 65537 (0x10001)
#   You are about to be asked to enter information that will be incorporated
#   into your certificate request.
#   What you are about to enter is what is called a Distinguished Name or a DN.
#   There are quite a few fields but you can leave some blank
#   For some fields there will be a default value,
#   If you enter '.', the field will be left blank.
#   -----
#   Country Name (2 letter code) [AU]:FR
#   State or Province Name (full name) [Some-State]:FR
#   Locality Name (eg, city) []:PARIS
#   Organization Name (eg, company) [Internet Widgits Pty Ltd]:MKL
#   Organizational Unit Name (eg, section) []:MKL_ZONE
#   Common Name (eg, YOUR name) []:Mike
#   Email Address []:
#
#   Please enter the following 'extra' attributes
#   to be sent with your certificate request
#   A challenge password []:
#   An optional company name []:
#   (the same DN questions, from "You are about to be asked..." down to
#   "Email Address []:", are then asked a second time for the self-signed certificate)

## PART II

# Apache must now be told about the certificates

cd /etc/apache2/sites-available && editor default

# Add to the VirtualHost concerned:
#   SSLEngine On
#   SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
#   SSLCertificateFile /etc/apache2/ssl.crt/server.crt
#   SSLCACertificateFile /etc/apache2/ssl.crt/server.crt
#   DocumentRoot /var/www/

# Enable mod_ssl for Apache2
sudo a2enmod ssl

# Restart Apache
sudo /etc/init.d/apache2 restart && firefox https://127.0.0.1

# The file '/etc/apache2/sites-available/default' should then look like this:
#
#   NameVirtualHost *:80
#   <VirtualHost *:80>
#           DocumentRoot /var/www/http
#   </VirtualHost>
#
#   NameVirtualHost *:443
#   <VirtualHost *:443>
#   	SSLEngine On
#   	SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
#   	SSLCertificateFile /etc/apache2/ssl.crt/server.crt
#   	SSLCACertificateFile /etc/apache2/ssl.crt/server.crt
#           DocumentRoot /var/www/https
#   </VirtualHost>

And there you go, my server is on https

Example VirtualHost:
Requests on port 80 are rerouted to 443 (https)

#####################################
## VirtualHost
## Domain Virtual-1.org
#####################################

	ServerName https://virtual-1.org
	ServerAdmin admin@virtual-1.org
	ServerSignature Off

#####################################
## Redirect HTTP requests
## to the SSL-secured area
## /var/www/http/
#####################################

## ## Port 80 configuration
## ## Redirect every request to the secure domain
## (Redirect without a status sends a 302; 'Redirect permanent' sends a 301)
	<VirtualHost *:80>
		Redirect / https://virtual-1.org/
	</VirtualHost>

	<VirtualHost virtual-1.org:80>
		Redirect / https://virtual-1.org/
	</VirtualHost>

#####################################
## Handling and options for requests
## to the SSL-secured area
## /var/www/https/
#####################################
## ## Port 443 configuration

	<VirtualHost *:443>
		DirectoryIndex index.php index.html index.htm
		RewriteEngine on
		SSLEngine On
		SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
		SSLCertificateFile /etc/apache2/ssl.crt/server.crt
		SSLCACertificateFile /etc/apache2/ssl.crt/server.crt
		DocumentRoot	/var/www/https
		<Directory /var/www/https/>
			## Indexes: a directory listing is served when no index file exists
			Options Indexes
			AllowOverride All
			Order allow,deny
			allow from all
			#AddDefaultCharset UTF-8
		</Directory>

## #### #### ##
## ## Directory with login/password access control
## #### #### ##
	#	<Location /Private>
	#		AuthName "IDENTIFICATION OBLIGATOIRE"
	#		AuthType Basic
	#		AuthUserFile /opt/00-User_Apache/USERs/.users
	#		Order deny,allow
	#		require valid-user
	#	</Location>

	</VirtualHost>

	<VirtualHost virtual-1.org:443>
		DirectoryIndex index.php index.html index.htm
		RewriteEngine on
		SSLEngine On
		SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
		SSLCertificateFile /etc/apache2/ssl.crt/server.crt
		SSLCACertificateFile /etc/apache2/ssl.crt/server.crt
		DocumentRoot	/var/www/https
		<Directory /var/www/https/>
			## Indexes: a directory listing is served when no index file exists
			Options Indexes
			AllowOverride All
			Order allow,deny
			allow from all
			#AddDefaultCharset UTF-8
		</Directory>

## #### #### ##
## ## Directory with login/password access control
## #### #### ##
	#	<Location /Private>
	#		AuthName "IDENTIFICATION OBLIGATOIRE"
	#		AuthType Basic
	#		AuthUserFile /opt/00-User_Apache/USERs/.users
	#		Order deny,allow
	#		require valid-user
	#	</Location>

	</VirtualHost>

####### END OF THE CUSTOM APACHE PART ###########################

####### DEFAULT APACHE PART #####################################

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog /var/log/apache2/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog /var/log/apache2/access.log combined
	ServerSignature Off

##    Alias /doc/ "/usr/share/doc/"
##    <Directory "/usr/share/doc/">
##        Options Indexes MultiViews #FollowSymLinks
##        AllowOverride None
##        Order deny,allow
##        Deny from all
##        Allow from 127.0.0.0/255.0.0.0 ::1/128
##        Allow from 127.0.0.1            # Local
##        Allow from 192.168.1.0/24       # Network
##    </Directory>

Last modified by #hehedotcom'isback (14/11/2008, at 09:37)


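Added example, not part of the original post or of Apache: a POSIX sh audit of a sites-available file following the port-80-to-443 pattern shown above. The sample file is a constructed condensation of the post's VirtualHost (same paths and directives); the functions and the checks are mine. It extracts the port 80 and port 443 blocks and reports what a reviewer would note: a `Redirect` without a status is a temporary 302 rather than a permanent 301, `SSLCACertificateFile` pointing at the server certificate itself serves no purpose unless client certificates are verified, `Options Indexes` on the HTTPS DocumentRoot serves directory listings, and no `SSLProtocol` is pinned.

```shell
#!/bin/sh
# Audit of an Apache 2.2-style VirtualHost file (added example). The sample
# below is constructed from the directives in the forum post.

SAMPLE_SITE=$(mktemp)
cat > "$SAMPLE_SITE" <<'EOF'
<VirtualHost *:80>
    Redirect / https://virtual-1.org/
</VirtualHost>

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCACertificateFile /etc/apache2/ssl.crt/server.crt
    DocumentRoot /var/www/https
    <Directory /var/www/https/>
        Options Indexes
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
EOF

# vhost_block FILE PORT: lines of the <VirtualHost ...:PORT> block(s)
vhost_block() {
    awk -v tag=":$2>" '
        /^[[:space:]]*<VirtualHost/   { inb = index($0, tag) > 0 }
        inb                            { print }
        /^[[:space:]]*<\/VirtualHost>/ { inb = 0 }
    ' "$1"
}

# directive BLOCK NAME: arguments of the first NAME directive in BLOCK
# (directive names are case-insensitive in Apache)
directive() {
    printf '%s\n' "$1" | awk -v n="$2" '
        tolower($1) == tolower(n) { $1 = ""; sub(/^ /, ""); print; exit }
    '
}

# check_site FILE: one finding per line on stdout, always returns 0
check_site() {
    http=$(vhost_block "$1" 80)
    https=$(vhost_block "$1" 443)

    # 1. The port 80 vhost should redirect, and permanently (301) rather than 302.
    redir=$(directive "$http" Redirect)
    case "$redir" in
        "")              printf '%s\n' "ERROR: port 80 vhost does not redirect to HTTPS" ;;
        permanent*|301*) ;;
        *)               printf '%s\n' "NOTE: HTTP->HTTPS redirect is temporary (302); use 'Redirect permanent / https://...'" ;;
    esac

    # 2. TLS must actually be enabled in the port 443 vhost.
    if [ "$(directive "$https" SSLEngine | tr 'A-Z' 'a-z')" != on ]; then
        printf '%s\n' "ERROR: port 443 vhost has no 'SSLEngine On'"
    fi

    # 3. SSLCACertificateFile is used to verify client certificates; pointing it
    #    at the self-signed server certificate does nothing useful.
    ca=$(directive "$https" SSLCACertificateFile)
    if [ -n "$ca" ] && [ "$ca" = "$(directive "$https" SSLCertificateFile)" ]; then
        printf '%s\n' "NOTE: SSLCACertificateFile is the server certificate itself; drop it unless client certificates are verified"
    fi

    # 4. Options Indexes on the DocumentRoot exposes directory listings.
    case "$(directive "$https" Options)" in
        *Indexes*) printf '%s\n' "WARN: 'Options Indexes' in the HTTPS DocumentRoot enables directory listings" ;;
    esac

    # 5. Without SSLProtocol the server accepts whatever mod_ssl's default allows.
    if [ -z "$(directive "$https" SSLProtocol)" ]; then
        printf '%s\n' "NOTE: no SSLProtocol directive; pin the accepted protocol versions explicitly"
    fi
    return 0
}

# count_site_findings FILE: number of findings, for scripting
count_site_findings() {
    check_site "$1" | wc -l | tr -d ' '
}

check_site "$SAMPLE_SITE"
```

Point `check_site` at `/etc/apache2/sites-available/default` (or any site file) on the server; on the sample above it reports four findings.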

#3 On 26/05/2008, at 19:11

zonisafiyurekinaz

Re: Postfix-Apache configuration script with SSL (/!!\ under testing)

Forget it, Safe, nobody can make head or tail of it.

You're scaring us.

By the way, this thing is in yurek 2008.

#4 On 26/05/2008, at 22:08

koukouillette

Re: Postfix-Apache configuration script with SSL (/!!\ under testing)

Hi Belga,

Yes, I know, it isn't readable. It's just so I can find it again, wherever I am.

Otherwise, the first one, if I read it correctly, enables and enters the parameters for Postfix. The second one is for Apache.

It is supposed to enable SSL support. It's OK for Apache (tested).
On the other hand, Postfix spits at me (but I haven't grasped all the subtleties yet, in particular the relay host and Free...

Otherwise, how are you? It's been a long time since you paid us a little visit.

How are you getting on with your pen tests?

#5 On 15/07/2009, at 18:24

heithem44

Re: Postfix-Apache configuration script with SSL (/!!\ under testing)

Hi, nice project, especially the Postfix part. I was already around here about a month ago and tested Postfix + SSL, but it hadn't worked; I really needed it, so if you could keep me informed of the changes made since then, that would be really cool.
Well done again, and long live scripts, they make things so much easier.