Newer
Older
# _____ _ _
# | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
# | __| _| -_| -_| . | . | | . | . | | -_|
# |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___|
#
# Generates an email client cert for use with IMAP clients
# See:
# http://strange.systems/certificate-based-auth-with-dovecot-sendmail
# http://help.fabasoftfolio.com/index.php?topic=doc/Installation-and-Configuration-of-Fabasoft-Folio-IMAP-Service/client-certificate-authentication.htm
# License
# =======
#
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
COUNTRY_CODE="US"
AREA="Free Speech Zone"
LOCATION="Freedomville"
ORGANISATION="Freedombone"
UNIT="Freedombone Unit"
EXTENSIONS=""
echo $'Creates email certificates for use with IMAP clients'
echo $' --help Show help'
echo $' -u --username [name] Username'
key="$1"
case $key in
--help)
show_help
;;
-u|--username)
shift
USERNAME="$1"
;;
*)
# unknown option
;;
esac
echo $'Client certs were already for created'
fi
if [ ! -f /etc/dovecot/passwd-file ]; then
touch /etc/dovecot/passwd-file
fi
# Add a user password
if ! grep -q "$USERNAME:{plain}" /etc/dovecot/passwd-file; then
echo "$USERNAME:{plain}::::::nopassword" >> /etc/dovecot/passwd-file
fi
chmod 600 /etc/dovecot/passwd-file
# create a user cert
echo $'User certificates were not created'
openssl req -new -sha256 -subj \
"/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$USERNAME" \
-key "/etc/ssl/private/$USERNAME.key" \
-out "/etc/ssl/requests/$USERNAME.csr"
echo $'Certificate request was not created'
-in "/etc/ssl/requests/$USERNAME.csr" \
-out "/etc/ssl/certs/$USERNAME.cer"
echo $'Authentication certificate was not created'
# move the cert to the user's home
# shellcheck disable=SC2086
mv /etc/ssl/certs/$USERNAME.cer /home/$USERNAME/emailcert
cp "/etc/ssl/certs/dovecot.crt" "/home/$USERNAME/emailcert"
cp "/etc/ssl/certs/ca-$HOSTNAME.crt" "/home/$USERNAME/emailcert"
# shellcheck disable=SC2086
mv /etc/ssl/private/$USERNAME.key /home/$USERNAME/emailcert
# shellcheck disable=SC2086
mv /etc/ssl/certs/$USERNAME.crt /home/$USERNAME/emailcert
openssl pkcs12 -export -in "/home/$USERNAME/emailcert/$USERNAME.cer" \
-out "/home/$USERNAME/emailcert/$USERNAME.p12" \
-inkey "/home/$USERNAME/emailcert/$USERNAME.key" \
-certfile "/home/$USERNAME/emailcert/ca-$HOSTNAME.crt" \
{ echo '#!/bin/bash';
echo "sudo mv ca-$HOSTNAME.crt /etc/ssl/certs";
echo "sudo mv $USERNAME.crt /etc/ssl/certs";
echo "sudo mv dovecot.crt /etc/ssl/certs";
echo "sudo mv $USERNAME.key /etc/ssl/private";
echo 'exit 0'; } > "/home/$USERNAME/emailcert/install.sh"
chmod -R 755 "/home/$USERNAME/emailcert"
chown -R "$USERNAME":"$USERNAME" "/home/$USERNAME/emailcert"
chmod +x "/home/$USERNAME/emailcert/install.sh"
echo $'Email authentication certificate created. You can obtain it on the client with:'
echo " scp -P 2222 -r $USERNAME@$HOSTNAME:/home/$USERNAME/emailcert ~/"