diff --git a/Makefile b/Makefile index da797c21b64faf42039f3787d11b045a912672d4..116ed1fd03ef2b33d756f44869f72d075d5f3d23 100644 --- a/Makefile +++ b/Makefile @@ -17,6 +17,7 @@ install: install -m 755 src/${APP}-config ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-sec ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-addcert ${DESTDIR}${PREFIX}/bin + install -m 755 src/${APP}-clientcert ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-addlist ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-addemail ${DESTDIR}${PREFIX}/bin install -m 755 src/${APP}-renew-cert ${DESTDIR}${PREFIX}/bin @@ -35,6 +36,7 @@ install: install -m 644 man/${APP}-config.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-sec.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-addcert.1.gz ${DESTDIR}${PREFIX}/share/man/man1 + install -m 644 man/${APP}-clientcert.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-addlist.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-addemail.1.gz ${DESTDIR}${PREFIX}/share/man/man1 install -m 644 man/${APP}-renew-cert.1.gz ${DESTDIR}${PREFIX}/share/man/man1 @@ -52,6 +54,7 @@ uninstall: rm -f ${PREFIX}/share/man/man1/${APP}-remote.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-config.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-sec.1.gz + rm -f ${PREFIX}/share/man/man1/${APP}-clientcert.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-addcert.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-addlist.1.gz rm -f ${PREFIX}/share/man/man1/${APP}-addemail.1.gz @@ -71,6 +74,7 @@ uninstall: rm -f ${PREFIX}/bin/${APP}-config rm -f ${PREFIX}/bin/${APP}-sec rm -f ${PREFIX}/bin/${APP}-addcert + rm -f ${PREFIX}/bin/${APP}-clientcert rm -f ${PREFIX}/bin/${APP}-addlist rm -f ${PREFIX}/bin/${APP}-addemail rm -f ${PREFIX}/bin/${APP}-renew-cert diff --git a/debian/source/include-binaries b/debian/source/include-binaries index adf2df5d80157ed08fdbf370a510d3721e4ae7c6..087091f529462e8079e3e3bb8f967b1c739ade0d 100644 
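Review bot: The two new uninstall lines (`rm -f ${PREFIX}/share/man/man1/${APP}-clientcert.1.gz` and `rm -f ${PREFIX}/bin/${APP}-clientcert`) omit `${DESTDIR}`, whereas the matching install lines in the first two hunks write to `${DESTDIR}${PREFIX}/...`; this follows the surrounding uninstall recipe, so a staged (`DESTDIR=...`) uninstall already misses every file, but the new entries extend that inconsistency rather than fixing it. The man-page removal is also inserted before `${APP}-addcert.1.gz` while the install side lists it after, which makes the two lists harder to compare by eye. If the recipe is being touched anyway, `rm -f ${DESTDIR}${PREFIX}/share/man/man1/${APP}-clientcert.1.gz` and `rm -f ${DESTDIR}${PREFIX}/bin/${APP}-clientcert` would match the install side. The install and uninstall rules both start before these hunks.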
--- a/debian/source/include-binaries +++ b/debian/source/include-binaries @@ -4,6 +4,7 @@ man/freedombone-client.1.gz man/freedombone-remote.1.gz man/freedombone-config.1.gz man/freedombone-sec.1.gz +man/freedombone-clientcert.1.gz man/freedombone-addcert.1.gz man/freedombone-addlist.1.gz man/freedombone-addemail.1.gz diff --git a/man/freedombone-addcert.1.gz b/man/freedombone-addcert.1.gz index 38d40f74c421234c81155a6d4a3205cdab04cc02..ad66eaca754ade3fe8c8299a74a38f2c8a1ecacc 100644 Binary files a/man/freedombone-addcert.1.gz and b/man/freedombone-addcert.1.gz differ diff --git a/man/freedombone-addemail.1.gz b/man/freedombone-addemail.1.gz index 7c14b2b193b1831eaae5cba971fe684f2285cd5b..84c144cd0e2c5438b9337899dbdbd416b4f69bdc 100644 Binary files a/man/freedombone-addemail.1.gz and b/man/freedombone-addemail.1.gz differ diff --git a/man/freedombone-addlist.1.gz b/man/freedombone-addlist.1.gz index 370295f4fe8078c37587fb9b707826b0d6810888..5bda78393409424ba7df6e8d032ae7be864c4ae4 100644 Binary files a/man/freedombone-addlist.1.gz and b/man/freedombone-addlist.1.gz differ diff --git a/man/freedombone-addxmpp.1.gz b/man/freedombone-addxmpp.1.gz index 826e80d0cc6ae1714e43e2672f4ed97bfd099f47..eded5a1ab404e934a0ab806740a473a2d8da1bde 100644 Binary files a/man/freedombone-addxmpp.1.gz and b/man/freedombone-addxmpp.1.gz differ diff --git a/man/freedombone-client.1.gz b/man/freedombone-client.1.gz index 57b94f26996dee7ef2f948576aa31a154de8219c..45cf90369f2910fcd9f5b0eb8eb6e1688bc31624 100644 Binary files a/man/freedombone-client.1.gz and b/man/freedombone-client.1.gz differ diff --git a/man/freedombone-clientcert.1.gz b/man/freedombone-clientcert.1.gz new file mode 100644 index 0000000000000000000000000000000000000000..db58e9728d87ade10cf7f7cbd9916bae0da163e0 Binary files /dev/null and b/man/freedombone-clientcert.1.gz differ 
diff --git a/man/freedombone-config.1.gz b/man/freedombone-config.1.gz index 5fb8b1a1f24e18ebcfe9aa5f00cf252f43624585..38cb8a05301d394d23b3b63eb676bdf687c48991 100644 Binary files a/man/freedombone-config.1.gz and b/man/freedombone-config.1.gz differ diff --git a/man/freedombone-ignore.1.gz b/man/freedombone-ignore.1.gz index 536d6abc271fe8e313050f1ca98e0a3704fecdd7..d91f67d900cdea959c2f884a10b95378c341d467 100644 Binary files a/man/freedombone-ignore.1.gz and b/man/freedombone-ignore.1.gz differ diff --git a/man/freedombone-prep.1.gz b/man/freedombone-prep.1.gz index 199b4e5fe571bafe49facfdc6aad0ffc5b8b7f52..d9cfb3c88f33e08e677ea852cff5a6461f59c595 100644 Binary files a/man/freedombone-prep.1.gz and b/man/freedombone-prep.1.gz differ diff --git a/man/freedombone-remote.1.gz b/man/freedombone-remote.1.gz index 150309b85356b9bb590e69b4863250d847952ca4..6e50ad6144f782b690e58d034c77ce120127b988 100644 Binary files a/man/freedombone-remote.1.gz and b/man/freedombone-remote.1.gz differ diff --git a/man/freedombone-renew-cert.1.gz b/man/freedombone-renew-cert.1.gz index d3c1e7c5642d723b8420c2ca569dc872c61eb07b..2266bc20ca45140723a54e9b461ec1a60fa245aa 100644 Binary files a/man/freedombone-renew-cert.1.gz and b/man/freedombone-renew-cert.1.gz differ diff --git a/man/freedombone-rmemail.1.gz b/man/freedombone-rmemail.1.gz index 6dfde842b0bc6bc3de8b52ae94f73f9a761bd6ed..37df405a75de14677c6c253ac2953ae88cee1878 100644 Binary files a/man/freedombone-rmemail.1.gz and b/man/freedombone-rmemail.1.gz differ diff --git a/man/freedombone-rmlist.1.gz b/man/freedombone-rmlist.1.gz index f644056f683a6d58e57983231c06bcf8e9bb0ea8..670993214da3a508f95317fef8f03994b327f9a7 100644 Binary files a/man/freedombone-rmlist.1.gz and b/man/freedombone-rmlist.1.gz differ 
diff --git a/man/freedombone-rmxmpp.1.gz b/man/freedombone-rmxmpp.1.gz index 595c507cec0cea2826ac6ec60fac83f4fffd62c6..3a0c600a7d380578986bf9ab35c9b4fead06cfa4 100644 Binary files a/man/freedombone-rmxmpp.1.gz and b/man/freedombone-rmxmpp.1.gz differ diff --git a/man/freedombone-sec.1.gz b/man/freedombone-sec.1.gz index e528ab14700d23452cccc9802f1bbccb59685e33..2a3977ea38b8df654db49a196200e5837f9ab6e4 100644 Binary files a/man/freedombone-sec.1.gz and b/man/freedombone-sec.1.gz differ diff --git a/man/freedombone-unignore.1.gz b/man/freedombone-unignore.1.gz index 3913f49b07c11891515f2a7903da578c8a5b5dc4..2a668e506c7740d5275ed9c9dc29c8180ae10b09 100644 Binary files a/man/freedombone-unignore.1.gz and b/man/freedombone-unignore.1.gz differ diff --git a/man/freedombone-xmpp-pass.1.gz b/man/freedombone-xmpp-pass.1.gz index bb014912a33f9ecaf9637e3c1e4448d9d1d0e5a3..4e51da0979a270ef859166442b9231ab1ea0e6e3 100644 Binary files a/man/freedombone-xmpp-pass.1.gz and b/man/freedombone-xmpp-pass.1.gz differ diff --git a/man/freedombone.1.gz b/man/freedombone.1.gz index cdfb8888aea0c16278b9c96e1ad677c5e0c638ea..c50218df5d38171933611d7da9ee14fc15aba506 100644 Binary files a/man/freedombone.1.gz and b/man/freedombone.1.gz differ diff --git a/src/freedombone b/src/freedombone index 99222970bd96419b8ae6e78e2e9e744f87c7527a..5961e4930e42ea2898fd01b8a68a318b9060ff2f 100755 --- a/src/freedombone +++ b/src/freedombone 
@@ -5655,28 +5655,74 @@ function configure_imap { sed -i 's/auth_mechanisms =.*/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf sed -i 's|mail_location =.*|mail_location = maildir:~/Maildir:LAYOUT=fs|g' /etc/dovecot/conf.d/10-mail.conf - # enable login via client certs - # http://strange.systems/certificate-based-auth-with-dovecot-sendmail/ - #sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf - #sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf - #sed -i 's|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/dovecot-ca.pem|g' /etc/dovecot/conf.d/10-ssl.conf - #sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf - #if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then - #echo '' >> /etc/dovecot/conf.d/10-auth.conf - #echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf - #echo ' driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf - #echo ' args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf - #echo ' deny = no' >> /etc/dovecot/conf.d/10-auth.conf - #echo ' master = no' >> /etc/dovecot/conf.d/10-auth.conf - #echo ' pass = no' >> /etc/dovecot/conf.d/10-auth.conf - #echo '}' >> /etc/dovecot/conf.d/10-auth.conf - #fi - #echo "$MY_USERNAME:{plain}::::::nopassword" > /etc/dovecot/passwd-file - #freedombone-addcert -h dovecot-ca --ca service dovecot restart echo 'configure_imap' >> $COMPLETION_FILE } +function configure_imap_client_certs { + if grep -Fxq "configure_imap_client_certs" $COMPLETION_FILE; then + return + fi + # http://strange.systems/certificate-based-auth-with-dovecot-sendmail/ + sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf + sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf + sed -i 's|#ssl_ca =.*|ssl_ca = 
/etc/ssl/certs/dovecot-ca.crt|g' /etc/dovecot/conf.d/10-ssl.conf + sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf + if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then + echo '' >> /etc/dovecot/conf.d/10-auth.conf + echo 'passdb {' >> /etc/dovecot/conf.d/10-auth.conf + echo ' driver = passwd-file' >> /etc/dovecot/conf.d/10-auth.conf + echo ' args = /etc/dovecot/passwd-file' >> /etc/dovecot/conf.d/10-auth.conf + echo ' deny = no' >> /etc/dovecot/conf.d/10-auth.conf + echo ' master = no' >> /etc/dovecot/conf.d/10-auth.conf + echo ' pass = no' >> /etc/dovecot/conf.d/10-auth.conf + echo '}' >> /etc/dovecot/conf.d/10-auth.conf + fi + # make a CA cert + if [ ! -f /etc/ssl/private/dovecot-ca.key ]; then + freedombone-addcert -h dovecot-ca --ca + fi + # CA configuration + echo '[ ca ]' > /etc/ssl/dovecot-ca.cnf + echo 'default_ca = dovecot-ca' >> /etc/ssl/dovecot-ca.cnf + echo '' >> /etc/ssl/dovecot-ca.cnf + echo '[ crl_ext ]' >> /etc/ssl/dovecot-ca.cnf + echo 'authorityKeyIdentifier=keyid:always' >> /etc/ssl/dovecot-ca.cnf + echo '' >> /etc/ssl/dovecot-ca.cnf + echo '[ dovecot-ca ]' >> /etc/ssl/dovecot-ca.cnf + echo 'new_certs_dir = .' 
>> /etc/ssl/dovecot-ca.cnf + echo 'unique_subject = no' >> /etc/ssl/dovecot-ca.cnf + echo 'certificate = /etc/ssl/certs/dovecot-ca.crt' >> /etc/ssl/dovecot-ca.cnf + echo 'database = ssldb' >> /etc/ssl/dovecot-ca.cnf + echo 'private_key = /etc/ssl/private/dovecot-ca.key' >> /etc/ssl/dovecot-ca.cnf + echo 'serial = sslserial' >> /etc/ssl/dovecot-ca.cnf + echo 'default_days = 3650' >> /etc/ssl/dovecot-ca.cnf + echo 'default_md = sha256' >> /etc/ssl/dovecot-ca.cnf + echo 'default_bits = 2048' >> /etc/ssl/dovecot-ca.cnf + echo 'policy = dovecot-ca_policy' >> /etc/ssl/dovecot-ca.cnf + echo 'x509_extensions = dovecot-ca_extensions' >> /etc/ssl/dovecot-ca.cnf + echo '' >> /etc/ssl/dovecot-ca.cnf + echo '[ dovecot-ca_policy ]' >> /etc/ssl/dovecot-ca.cnf + echo 'commonName = supplied' >> /etc/ssl/dovecot-ca.cnf + echo 'stateOrProvinceName = supplied' >> /etc/ssl/dovecot-ca.cnf + echo 'countryName = supplied' >> /etc/ssl/dovecot-ca.cnf + echo 'emailAddress = optional' >> /etc/ssl/dovecot-ca.cnf + echo 'organizationName = supplied' >> /etc/ssl/dovecot-ca.cnf + echo 'organizationalUnitName = optional' >> /etc/ssl/dovecot-ca.cnf + echo '' >> /etc/ssl/dovecot-ca.cnf + echo '[ dovecot-ca_extensions ]' >> /etc/ssl/dovecot-ca.cnf + echo 'basicConstraints = CA:false' >> /etc/ssl/dovecot-ca.cnf + echo 'subjectKeyIdentifier = hash' >> /etc/ssl/dovecot-ca.cnf + echo 'authorityKeyIdentifier = keyid:always' >> /etc/ssl/dovecot-ca.cnf + echo 'keyUsage = digitalSignature,keyEncipherment' >> /etc/ssl/dovecot-ca.cnf + echo 'extendedKeyUsage = clientAuth' >> /etc/ssl/dovecot-ca.cnf + touch /etc/ssl/ssldb + echo 0001 > /etc/ssl/sslserial + freedombone-clientcert -u $MY_USERNAME + service dovecot restart + echo 'configure_imap_client_certs' >> $COMPLETION_FILE +} + function configure_gpg { if grep -Fxq "configure_gpg" $COMPLETION_FILE; then return 
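Review bot: The CA config written in configure_imap_client_certs uses relative paths (`new_certs_dir = .`, `database = ssldb`, `serial = sslserial`) while the state files are created as `/etc/ssl/ssldb` and `/etc/ssl/sslserial`, and the consumer (`openssl ca -config /etc/ssl/dovecot-ca.cnf` in freedombone-clientcert) is run without changing directory, so the index and serial resolve against the caller's cwd and signing fails or leaves state outside /etc/ssl; make them absolute, e.g. `echo 'new_certs_dir = /etc/ssl/certs' >> /etc/ssl/dovecot-ca.cnf`, `echo 'database = /etc/ssl/ssldb' >> /etc/ssl/dovecot-ca.cnf`, `echo 'serial = /etc/ssl/sslserial' >> /etc/ssl/dovecot-ca.cnf`. Also, `auth_ssl_require_client_cert = yes` is applied and dovecot restarted while only `$MY_USERNAME` has a cert, so every other IMAP account is locked out until freedombone-clientcert has been run for it; a comment stating that next to the `freedombone-clientcert -u $MY_USERNAME` line would spare the next maintainer the surprise. With `default_days = 3650` and no CRL generation visible in this hunk (only the `[ crl_ext ]` section is declared), a cert from a lost device stays valid for ten years, so the revocation step, or a shorter lifetime, deserves a comment here as well.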
@@ -9153,6 +9199,7 @@ configure_email create_procmail spam_filtering configure_imap +configure_imap_client_certs configure_gpg encrypt_incoming_email encrypt_outgoing_email
diff --git a/src/freedombone-clientcert b/src/freedombone-clientcert
new file mode 100755
index 0000000000000000000000000000000000000000..da65a21d54f4ee5d4ed9a99ae778f781a871658c
--- /dev/null
+++ b/src/freedombone-clientcert
@@ -0,0 +1,121 @@ +#!/bin/bash +# +# .---. . . +# | | | +# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-. +# | | (.-' (.-' ( | ( )| | | | )( )| | (.-' +# ' ' --' --' -' - -' ' ' -' -' -' ' - --' +# +# Freedom in the Cloud +# +# Generates an email client cert for use with IMAP clients + +# See: +# http://strange.systems/certificate-based-auth-with-dovecot-sendmail +# http://help.fabasoftfolio.com/index.php?topic=doc/Installation-and-Configuration-of-Fabasoft-Folio-IMAP-Service/client-certificate-authentication.htm + +# License +# ======= +# +# Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +USERNAME= + +function show_help { + echo '' + echo 'freedombone-clientcert -u [username]' + echo '' + echo 'Creates email certificates for use with IMAP clients' + echo '' + echo ' --help Show help' + echo ' -u --username [name] Username' + echo '' + exit 0 +} + +while [[ $# > 1 ]] +do +key="$1" + +case $key in + --help) + show_help + ;; + -u|--username) + shift + USERNAME="$1" + ;; + *) + # unknown option + ;; +esac +shift +done + +if [ ! $USERNAME ]; then + echo 'No username specified' + exit 5748 +fi + +if [ ! -d /home/$USERNAME ]; then + echo "User $USERNAME not found" + exit 76239 +fi + +if [ -d /home/$USERNAME/emailcert ]; then + echo 'Client certs were already for created' + exit 2953 +fi + +if [ ! 
-f /etc/dovecot/passwd-file ]; then + touch /etc/dovecot/passwd-file +fi + +# Add a user password +if ! grep -q "$USERNAME:{plain}" $/etc/dovecot/passwd-file; then + echo "$USERNAME:{plain}::::::nopassword" >> /etc/dovecot/passwd-file +fi + +chmod 600 /etc/dovecot/passwd-file + +# create a user cert +freedombone-addcert -h $USERNAME + +# create a certificate request +openssl req -new -sha256 -key /etc/ssl/private/$USERNAME.key -out /etc/ssl/requests/$USERNAME.csr + +# sign the certificate request +openssl ca -config /etc/ssl/dovecot-ca.cnf -in /etc/ssl/requests/$USERNAME.csr -out /etc/ssl/certs/$USERNAME.cer + +# move the cert to the user's home +mkdir /home/$USERNAME/emailcert +mv /etc/ssl/certs/$USERNAME.cer /home/$USERNAME/emailcert +cp /etc/ssl/certs/dovecot-ca.crt /home/$USERNAME/emailcert +mv /etc/ssl/private/$USERNAME.key /home/$USERNAME/emailcert +mv /etc/ssl/certs/$USERNAME.crt /home/$USERNAME/emailcert + +# set permissions for the user +chmod -R 600 /home/$USERNAME/emailcert +chown -R $USERNAME:$USERNAME /home/$USERNAME/emailcert + +shred -zu /etc/ssl/requests/$USERNAME.csr + +echo 'Email authentication certificate created. You can obtain it on the client with:' +echo '' +echo " scp -P 2222 -r $USERNAME@mydomainname:/home/$USERNAME/emailcert ~/" +echo '' + +exit 0
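Review bot: The passwd-file check `grep -q "$USERNAME:{plain}" $/etc/dovecot/passwd-file` has a stray `$` in the path, so grep never finds the file, the `!` branch always runs and a second invocation for the same user appends a duplicate entry; the pattern is also unanchored, so `bob` would match an existing `bobby` line. `chmod -R 600` on the emailcert directory clears the directory's execute bit, so the user it is then chowned to cannot traverse it and the advertised `scp -r` fails; the directory needs 700 and only the files 600. `while [[ $# > 1 ]]` is a string comparison that also skips the loop when exactly one argument is given, so `--help` on its own falls through to 'No username specified'. Finally, the dovecot side in this commit sets `ssl_cert_username_field = commonName`, so the CN typed at the interactive `openssl req` prompt must equal `$USERNAME` for the cert to map to the passwd-file entry; passing a `-subj` that sets CN to `$USERNAME` (together with the fields `dovecot-ca_policy` marks as `supplied`) would remove that dependence on operator input, and a comment stating the CN requirement belongs on that line either way.
```shell
while [[ $# -gt 0 ]]
# … unchanged: option parsing loop body …

# Add a user password (anchored so "bob" does not match an existing "bobby" entry)
if ! grep -q "^$USERNAME:{plain}" /etc/dovecot/passwd-file; then
    echo "$USERNAME:{plain}::::::nopassword" >> /etc/dovecot/passwd-file
fi
# … unchanged: addcert, req, ca, mv/cp of cert files …

# set permissions for the user: directory must stay traversable by its owner
chmod 700 /home/$USERNAME/emailcert
chmod 600 /home/$USERNAME/emailcert/*
chown -R $USERNAME:$USERNAME /home/$USERNAME/emailcert
```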