From: Frank Brehm
Date: Tue, 31 Jan 2012 10:00:43 +0000 (+0100)
Subject: Current state
X-Git-Url: https://git.uhu-banane.net/?a=commitdiff_plain;h=f1f25b0534fe266051e3ffa952484563a85f9e72;p=config%2Fuhu1%2Fetc.git
Current state
---
diff --git a/.etckeeper b/.etckeeper
index ce40246..17a88c1 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -12,6 +12,9 @@ mkdir -p './security/namespace.d'
 mkdir -p './sensors.d'
 mkdir -p './skel/.ssh'
 mkdir -p './ssh/ca'
+mkdir -p './ssl/CA-Brehm/certs'
+mkdir -p './ssl/CA-Brehm/crl'
+mkdir -p './ssl/CA-Brehm/newcerts'
 mkdir -p './sudoers.d'
 mkdir -p './texmf/dvipdfm/config'
 mkdir -p './texmf/dvips.d'
@@ -1086,6 +1089,35 @@ maybe chmod 0600 './ssh/ssh_host_rsa_key'
 maybe chmod 0644 './ssh/ssh_host_rsa_key.pub'
 maybe chmod 0600 './ssh/sshd_config'
 maybe chmod 0755 './ssl'
+maybe chmod 0755 './ssl/CA-Brehm'
+maybe chmod 0755 './ssl/CA-Brehm/apache2'
+maybe chmod 0755 './ssl/CA-Brehm/apache2/mkcert'
+maybe chmod 0644 './ssl/CA-Brehm/apache2/myadmin-cert.cnf'
+maybe chmod 0600 './ssl/CA-Brehm/apache2/myadmin-cert.pem'
+maybe chmod 0644 './ssl/CA-Brehm/apache2/webmail-cert.cnf'
+maybe chmod 0600 './ssl/CA-Brehm/apache2/webmail-cert.pem'
+maybe chmod 0644 './ssl/CA-Brehm/cacert.pem'
+maybe chmod 0755 './ssl/CA-Brehm/certs'
+maybe chmod 0755 './ssl/CA-Brehm/courier-imap'
+maybe chmod 0644 './ssl/CA-Brehm/courier-imap/imapd.cnf'
+maybe chmod 0600 './ssl/CA-Brehm/courier-imap/imapd.pem'
+maybe chmod 0755 './ssl/CA-Brehm/courier-imap/mkcert'
+maybe chmod 0644 './ssl/CA-Brehm/courier-imap/pop3d.cnf'
+maybe chmod 0600 './ssl/CA-Brehm/courier-imap/pop3d.pem'
+maybe chmod 0755 './ssl/CA-Brehm/crl'
+maybe chmod 0755 './ssl/CA-Brehm/newcerts'
+maybe chmod 0755 './ssl/CA-Brehm/postfix'
+maybe chmod 0755 './ssl/CA-Brehm/postfix/mkcert'
+maybe chmod 0644 './ssl/CA-Brehm/postfix/postfix-cert.cnf'
+maybe chmod 0600 './ssl/CA-Brehm/postfix/postfix.pem'
+maybe chmod 0755 './ssl/CA-Brehm/private'
+maybe chmod 0644 './ssl/CA-Brehm/private/ca.key.unsecure'
+maybe chmod 0644 './ssl/CA-Brehm/private/cakey.pem'
+maybe chmod 0755 './ssl/CA-Brehm/stunnel'
+maybe chmod 0755 './ssl/CA-Brehm/stunnel/mkcert'
+maybe chmod 0644 './ssl/CA-Brehm/stunnel/stunnel-cert.cnf'
+maybe chmod 0644 './ssl/CA-Brehm/stunnel/stunnel.rand'
+maybe chmod 0644 './ssl/CA-Brehm/uhu.txt'
 maybe chmod 0755 './ssl/apache2'
 maybe chmod 0444 './ssl/apache2/server.crt'
 maybe chmod 0444 './ssl/apache2/server.csr'
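Review bot: `maybe chmod 0755 './ssl/CA-Brehm/private'` together with `maybe chmod 0644 './ssl/CA-Brehm/private/ca.key.unsecure'` and `maybe chmod 0644 './ssl/CA-Brehm/private/cakey.pem'` records a world-readable directory and world-readable files for what, by name and by the PEM content later in this commit, are the CA's private keys; this will be restored by etckeeper on every checkout. The existing `./ssl/private` directory (tracked at 0700 in the next hunk) and the server `*.pem` files here (0600) show the intended convention, so this looks like an oversight rather than a choice. Fix the modes on the host and re-record them as `maybe chmod 0700 './ssl/CA-Brehm/private'`, `maybe chmod 0600 './ssl/CA-Brehm/private/ca.key.unsecure'`, `maybe chmod 0600 './ssl/CA-Brehm/private/cakey.pem'`. Note that etckeeper only tracks metadata; the key material itself is also committed in this change, which is a separate and larger problem.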
@@ -1103,6 +1135,7 @@ maybe chmod 0755 './ssl/misc/c_issuer' maybe chmod 0755 './ssl/misc/c_name' maybe chmod 0755 './ssl/misc/tsget' maybe chmod 0644 './ssl/openssl.cnf' +maybe chmod 0644 './ssl/openssl.cnf.default' maybe chmod 0755 './ssl/postfix' maybe chmod 0444 './ssl/postfix/server.crt' maybe chmod 0444 './ssl/postfix/server.csr' @@ -1115,7 +1148,21 @@ maybe chmod 0400 './ssl/postfix/server.pem' maybe chmod 0700 './ssl/private' maybe chmod 0644 './ssl/private/.keep_dev-libs_openssl-0' maybe chmod 0755 './stunnel' +maybe chmod 0755 './stunnel/old' +maybe chown stunnel './stunnel/old/stunnel.crt' +maybe chgrp stunnel './stunnel/old/stunnel.crt' +maybe chmod 0640 './stunnel/old/stunnel.crt' +maybe chown stunnel './stunnel/old/stunnel.csr' +maybe chgrp stunnel './stunnel/old/stunnel.csr' +maybe chmod 0640 './stunnel/old/stunnel.csr' +maybe chown stunnel './stunnel/old/stunnel.key' +maybe chgrp stunnel './stunnel/old/stunnel.key' +maybe chmod 0640 './stunnel/old/stunnel.key' +maybe chown stunnel './stunnel/old/stunnel.pem' +maybe chgrp stunnel './stunnel/old/stunnel.pem' +maybe chmod 0640 './stunnel/old/stunnel.pem' maybe chmod 0644 './stunnel/stunnel.conf' +maybe chmod 0644 './stunnel/stunnel.pem' maybe chmod 0440 './sudoers' maybe chmod 0750 './sudoers.d' maybe chmod 0644 './sysctl.conf' diff --git a/.gitignore b/.gitignore index fa8caf3..6f3c373 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,8 @@ # old versions of files *.old +motd + # mount(8) records system state here, no need to store these blkid.tab blkid.tab.old diff --git a/motd b/motd deleted file mode 100644 index f97d454..0000000 --- a/motd +++ /dev/null 
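Review bot: `maybe chmod 0644 './stunnel/stunnel.pem'` makes the new stunnel PEM world-readable while the retired copies under `stunnel/old/` in the same hunk are recorded as `stunnel:stunnel` 0640; if `stunnel.pem` bundles the private key with the certificate, as the `old/stunnel.key` sibling suggests and as stunnel normally expects, it needs the same treatment. Proposed: `maybe chown stunnel './stunnel/stunnel.pem'`, `maybe chgrp stunnel './stunnel/stunnel.pem'`, `maybe chmod 0640 './stunnel/stunnel.pem'`. Keeping `stunnel/old/stunnel.key` and `old/stunnel.pem` in version control at all is questionable — a rotated private key should be destroyed, not archived in the repository.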
@@ -1,15 +0,0 @@ -Linux uhu1 3.2.1-gentoo-r2 #1 SMP Mon Jan 30 16:49:14 CET 2012 x86_64 AMD Opteron 23xx (Gen 3 Class Opteron) AuthenticAMD GNU/Linux -Gentoo Base System release 2.0.3 - _ _ _ _ -| | | | |__ _ _ / | -| | | | '_ \| | | | | | -| |_| | | | | |_| | | | - \___/|_| |_|\__,_| |_| - - -Manche Menschen tun nichts - aber sie tun es auf eine faszinierende -Weise. - -- Curzio Malaparte (eigentlich: Kurt Erich Suckert) - -Today is Sweetmorn, the 31st day of Chaos in the YOLD 3178 - diff --git a/runlevels/default/stunnel b/runlevels/default/stunnel new file mode 120000 index 0000000..b1b3a25 --- /dev/null +++ b/runlevels/default/stunnel @@ -0,0 +1 @@ +/etc/init.d/stunnel \ No newline at end of file diff --git a/ssl/CA-Brehm/apache2/mkcert b/ssl/CA-Brehm/apache2/mkcert new file mode 100755 index 0000000..45c08f3 --- /dev/null +++ b/ssl/CA-Brehm/apache2/mkcert 
@@ -0,0 +1,73 @@
+#! /bin/sh
+#
+# This is a short script to quickly generate a self-signed X.509 key for
+# Courier-IMAP/POP3 over SSL.
+
+test -x /usr/bin/openssl || exit 0
+
+CADir="/etc/ssl/CA-Brehm/apache2"
+prefix="/usr"
+randfile="$CADir/apache2.rand"
+days=1875
+do_install=0
+
+Instances="webmail myadmin"
+
+echo
+echo "Generating Random file '$randfile' ..."
+dd if=/dev/urandom of=$randfile count=1 2>/dev/null
+
+for i in $Instances ; do
+
+ pemfile="$CADir/$i-cert.pem"
+ conffile="$CADir/$i-cert.cnf"
+
+ if [ -f $pemfile ]; then
+ echo "$pemfile already exists."
+ continue
+ fi
+ do_install=1
+
+ if [ ! -f $conffile ] ; then
+ echo "$conffile does not exists!"
+ exit 2
+ fi
+
+ cp /dev/null $pemfile
+ chmod 600 $pemfile
+ chown root $pemfile
+
+ cleanup() {
+ echo
+ echo "Emergency Cleanup ..." >&2
+ rm -f $pemfile
+ rm -f $randfile
+ exit 10
+ }
+
+ echo "Generating Cert for IMAP ..."
+ /usr/bin/openssl req -new -x509 -days $days -nodes \
+ -config $conffile -out $pemfile -keyout $pemfile || cleanup
+ /usr/bin/openssl gendh -rand $randfile 512 >> $pemfile || cleanup
+ /usr/bin/openssl x509 -subject -dates -fingerprint -noout -in $pemfile || cleanup
+
+done
+
+if [ "$do_install" = "1" ] ; then
+
+ echo
+ echo "Installing Certificates ..."
+
+ for i in $Instances ; do
+
+ pemfile="$CADir/$i-cert.pem"
+ pemfile_orig="/etc/apache2/ssl/$i-cert.pem"
+
+ cp -pv $pemfile $pemfile_orig
+
+ done
+
+fi
+
+rm -f $randfile
+
diff --git a/ssl/CA-Brehm/apache2/myadmin-cert.cnf b/ssl/CA-Brehm/apache2/myadmin-cert.cnf
new file mode 100644
index 0000000..dabb192
--- /dev/null
+++ b/ssl/CA-Brehm/apache2/myadmin-cert.cnf
@@ -0,0 +1,22 @@
+RANDFILE = /usr/share/webmail.rand
+
+[ req ]
+default_bits = 1024
+encrypt_key = yes
+distinguished_name = req_dn
+x509_extensions = cert_type
+prompt = no
+
+[ req_dn ]
+C=DE
+ST=Berlin
+L=Berlin
+O=Brehm
+OU=Frank Brehm SSL Key
+CN=myadmin.brehm-online.com
+emailAddress=frank@brehm-online.com
+
+
+[ cert_type ]
+nsCertType = server
+
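Review bot: The `openssl req ... -nodes` call writes the private key unencrypted and overrides `encrypt_key = yes` in the `.cnf` that follows, so one of the two is misleading; since Apache consumes the PEM without a passphrase, make the config honest with `encrypt_key = no`. The parameters are weak by today's standards: `default_bits = 1024` and `openssl gendh -rand $randfile 512` yield a 1024-bit RSA key and 512-bit DH parameters, the latter breakable with modest resources (the Logjam work); use `default_bits = 2048` and `openssl dhparam 2048 >> $pemfile` (`gendh` is deprecated). Despite living under `CA-Brehm`, `-x509` produces a self-signed certificate rather than one issued by the CA in `cacert.pem`, so clients that trust that CA still will not trust this host. Smaller points: the header comment and the "Generating Cert for IMAP" message are copy-pasted from the Courier script, `cleanup()` is redefined on every loop iteration, and none of the `$pemfile`/`$conffile`/`$randfile` expansions are quoted.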
diff --git a/ssl/CA-Brehm/apache2/myadmin-cert.pem b/ssl/CA-Brehm/apache2/myadmin-cert.pem new file mode 100644 index 0000000..cf5de34 --- /dev/null +++ b/ssl/CA-Brehm/apache2/myadmin-cert.pem 
@@ -0,0 +1,37 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQC0+qDrRPNPHnd/sD2Vp6ZRy87g0X22CpVMLZpjj2tEKPyf1N/t +VoiHdOHSVLJZrmBf26A5MknUENgEFHqvjO3dPFV7x/VL9OzrrGKS5QBEoaDGheAp +Qow/FKMYA93uFGiG4jcoC7gj+uA3zNeU+fUSHHbqEf9hm+cBtOKG7XVb5QIDAQAB +AoGAJrrP/ylFTHQ/rILB2yoCjNSp1DDgzzlak+/ab1383ZxL28SJm1f+ZcacoQ9h +D5Iiq8Dre/IIHKryH4Vmb/Uf3fFlLbfDcalIIZRKlLmJ43oahUI4aPRthaEN+t2X +4PgL0uQ/4BeCs32ivGz+QWjgx2tuxIkIv7B+JYjyjJ/9QoECQQDd2QCnd70OcQVT +0EYkWKOkRohjiuM4M+vtN7jiiWDmAsKGFaQwNnUCIMl1nGph00DBz2cyb9XvF0Cb +hcrjC5fFAkEA0Nb/Absi8Clz9tdjOE+hWthUIkQhdtCJ8Hdm4JdUUvsGH+GyKJfh +Fq3CyNzTsFBk8eoeEJ6zY7FKEZpmwJTVoQJBAIeC5kNlgLYxk29+6VmKS2stKmKj +k+fgz1w3jVfTUr0tMmV1ErXgjdie7nBI+zKGOCgq6H6GkcdaDLzzHNtTWYECQQCS +SKbjPYQhmcfC9ehoP08U5Uc5oWOXaEfXCqwjUZ0davxFRMCYsppWWmyAaj5V2Fp9 +IbLhjWi2wi7R2cdzyk1BAkB6cOePmPRIIggpl12rKor1Uw+PFWf94tQZRjOPAhWW +H10M7NiPZSzh1UUDlhiNsV220TKzr+XN9idDCxq1ho58 +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIC4zCCAkygAwIBAgIJAN/wUh5zk64nMA0GCSqGSIb3DQEBBQUAMIGnMQswCQYD +VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDjAMBgNV +BAoTBUJyZWhtMRwwGgYDVQQLExNGcmFuayBCcmVobSBTU0wgS2V5MSEwHwYDVQQD +ExhteWFkbWluLmJyZWhtLW9ubGluZS5jb20xJTAjBgkqhkiG9w0BCQEWFmZyYW5r +QGJyZWhtLW9ubGluZS5jb20wHhcNMDYxMjA4MjIzNjU5WhcNMTIwMTI2MjIzNjU5 +WjCBpzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVy +bGluMQ4wDAYDVQQKEwVCcmVobTEcMBoGA1UECxMTRnJhbmsgQnJlaG0gU1NMIEtl +eTEhMB8GA1UEAxMYbXlhZG1pbi5icmVobS1vbmxpbmUuY29tMSUwIwYJKoZIhvcN +AQkBFhZmcmFua0BicmVobS1vbmxpbmUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQC0+qDrRPNPHnd/sD2Vp6ZRy87g0X22CpVMLZpjj2tEKPyf1N/tVoiH +dOHSVLJZrmBf26A5MknUENgEFHqvjO3dPFV7x/VL9OzrrGKS5QBEoaDGheApQow/ +FKMYA93uFGiG4jcoC7gj+uA3zNeU+fUSHHbqEf9hm+cBtOKG7XVb5QIDAQABoxUw +EzARBglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADgYEAA+PPUJ1IWo+i +lZlDQAOfLscsjv37dJtrvZguPV9aNTSRv1RgJSFseMt/CYjrzxXD2GKhDk8wyE1D +qTy87Os2WXqBKm+6L38hheZoUcIorPwTOmh5KZXwtbyxfmKXg3lXXGDm60E6Pkf7 +O2+jRSctKlQe36TIAZxUpfumY2pVQZA= +-----END CERTIFICATE----- 
+-----BEGIN DH PARAMETERS----- +MEYCQQDYf1RIczbTmgovRnZ8SA/b9l4b+t0dPW3/CHEUJU93w20YQ3yap6xrWIQk +wVzhsgf+zmajDFpfQU2JJKc35oA7AgEC +-----END DH PARAMETERS----- diff --git a/ssl/CA-Brehm/apache2/webmail-cert.cnf b/ssl/CA-Brehm/apache2/webmail-cert.cnf new file mode 100644 index 0000000..d88f92f --- /dev/null +++ b/ssl/CA-Brehm/apache2/webmail-cert.cnf @@ -0,0 +1,22 @@ +RANDFILE = /usr/share/webmail.rand + +[ req ] +default_bits = 1024 +encrypt_key = yes +distinguished_name = req_dn +x509_extensions = cert_type +prompt = no + +[ req_dn ] +C=DE +ST=Berlin +L=Berlin +O=Brehm +OU=Brehm SSL Key +CN=webmail.brehm-online.com +emailAddress=frank@brehm-online.com + + +[ cert_type ] +nsCertType = server + diff --git a/ssl/CA-Brehm/apache2/webmail-cert.pem b/ssl/CA-Brehm/apache2/webmail-cert.pem new file mode 100644 index 0000000..fd2de1c --- /dev/null +++ b/ssl/CA-Brehm/apache2/webmail-cert.pem 
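Review bot: This hunk commits a file that begins with `-----BEGIN RSA PRIVATE KEY-----`, i.e. the unencrypted private key for the myadmin host certificate, into the etc repository. Once a private key has been pushed to a remote it must be treated as disclosed: regenerate the key pair, and keep `ssl/CA-Brehm/**` key material out of the repository with a `.gitignore` rule (`*.pem`, `*.key*`, `*.rand` under `ssl/CA-Brehm/`) rather than relying on etckeeper's mode tracking. Decoding the validity field of the embedded certificate also gives a notAfter of 2012-01-26, five days before this commit's date, so the certificate appears to be expired already — worth confirming with `openssl x509 -noout -dates -in myadmin-cert.pem`.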
@@ -0,0 +1,37 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQCsrn1fttalMjRvpAVCkc/CCtprt8ifRyXuiq0njfw5x//eNjxg +G551XNrNHOUagA3gwXFJaU9ZnjYx0nnzqhIzV3ZySbxXcDM7yDwFsygCgvLlAiO9 +hiyjGnMGx83Bm+fAYt/UgyXw1Ur7QjbbKlhZvaIFZprZL3YavjhgQg64dwIDAQAB +AoGBAKuJEgYYjJTBkJEuMAN28RjiyyKiCGsgtC+IFoXqZ5nGcQf+fG9EQF55hOio +QXXXqvGPd8fjEu4FWfSYDojccwJnizcrt8bpSQW3tEr8/wsqX4UJhV8N+gk4+HTM +8ZpATdqp6q21BkkYcnMK6fqYjt4ekhLsbJk+IR5lLzKxy/IRAkEA1+lCM3miOVmD +MMXFUKltLtuDthZQw8p4tQ4/k1u0OfwU+PQlKY4F1AgLFqtkHoWJwWvUnMvT5+9F +AB6njPi5owJBAMy+btu+jow8ix+nII09BAJQDfe+Fa1ngkFV+FRTsrpTcF4MNt+l +L2BwwFkbsAnoGWU6B83UUJZ4TparR5hUmx0CQHN94luGhLAIoZRFNfafqjeWVC3i +YfFZLJgstvUr6Ivbu5wvfHFt9tAkPUozA6sP41ADTgdRQFigNFiMDTPrF+ECQGIC +VvcCBSLEaKTCUCbMKnsg707Ew4O6pPO5v6I+XrQq9QNQPYRZgpBb6Pe+9UoIvP9k +BBBXriwZcyVU4HTfK1ECQQDV0JEKQ3r5eKPPWaefKGYUtrWHh8KpNT8oujVMSWxG +0OazqbiyHhucgmLsbi6JCrAEGhFJBYZ32chVnmLlXTpb +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIC1zCCAkCgAwIBAgIJAPNANtEQARp7MA0GCSqGSIb3DQEBBQUAMIGhMQswCQYD +VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDjAMBgNV +BAoTBUJyZWhtMRYwFAYDVQQLEw1CcmVobSBTU0wgS2V5MSEwHwYDVQQDExh3ZWJt +YWlsLmJyZWhtLW9ubGluZS5jb20xJTAjBgkqhkiG9w0BCQEWFmZyYW5rQGJyZWht +LW9ubGluZS5jb20wHhcNMDYxMjA4MjIzNjU5WhcNMTIwMTI2MjIzNjU5WjCBoTEL +MAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ4w +DAYDVQQKEwVCcmVobTEWMBQGA1UECxMNQnJlaG0gU1NMIEtleTEhMB8GA1UEAxMY +d2VibWFpbC5icmVobS1vbmxpbmUuY29tMSUwIwYJKoZIhvcNAQkBFhZmcmFua0Bi +cmVobS1vbmxpbmUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsrn1f +ttalMjRvpAVCkc/CCtprt8ifRyXuiq0njfw5x//eNjxgG551XNrNHOUagA3gwXFJ +aU9ZnjYx0nnzqhIzV3ZySbxXcDM7yDwFsygCgvLlAiO9hiyjGnMGx83Bm+fAYt/U +gyXw1Ur7QjbbKlhZvaIFZprZL3YavjhgQg64dwIDAQABoxUwEzARBglghkgBhvhC +AQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADgYEAFGM8hI3QLDFaZYuiOMUyZpf1G4Pi +OaFpA+syrqmcZXvVM+ioiRU1+Mbu0FFku0Ac9WWAwMyjIFh4ZQQYWfoEsQrH/hBJ +BkD4zNAhjjPIuJ8iDs1sUqw91yq5UUeRQAzY3/rFZHvbeswQUDVOJaCSYuOt1gOc +oZYY42gyvdmBnWc= +-----END CERTIFICATE----- +-----BEGIN DH 
PARAMETERS----- +MEYCQQCZLOhh5tHEUjvRnBolCP22LO27aCcqwCfLPtGICExFfUi6dt1uxeTWh3Od +Kr4x2UXbRAyuc7f0/akmlV2iXLNrAgEC +-----END DH PARAMETERS----- diff --git a/ssl/CA-Brehm/cacert.pem b/ssl/CA-Brehm/cacert.pem new file mode 100644 index 0000000..2acae4b --- /dev/null +++ b/ssl/CA-Brehm/cacert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEXjCCA0agAwIBAgIJANXZwUXwSSF0MA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV +BAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEOMAwGA1UE +ChMFQnJlaG0xFDASBgNVBAMTC0ZyYW5rIEJyZWhtMSUwIwYJKoZIhvcNAQkBFhZm +cmFua0BicmVobS1vbmxpbmUuY29tMB4XDTA2MTIwODIyMjUxNFoXDTA3MTIwODIy +MjUxNFowfDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMG +QmVybGluMQ4wDAYDVQQKEwVCcmVobTEUMBIGA1UEAxMLRnJhbmsgQnJlaG0xJTAj +BgkqhkiG9w0BCQEWFmZyYW5rQGJyZWhtLW9ubGluZS5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCzdA4uA7do5IV6ontPiLv+c5m3bC6YpqN9yVHd +H1E6GyGl/Z55C5+wPATJx31E+bR7bQfn1AnZu/b+BMnFU/TmTIyMvBc5IvsYgSjB +fZDRwt5y5r20EWkJDudFIisOH03MUXVYOSt55JtIdLnMo4X1E/vqySDq0dCDFWOQ +veQW7c+DdSTXSYKeQ8GSzOv2xzC4v+7VTgY93AxY/M5odrED9scyKvbidpgbZ0KR +Ki8gK6IKVmwA9yFTOl73a+p3SWKiXPLbpJ1LpB5Ou/rMmXs2/tM8upOkeaei6pem +QazMW+kDnvpVQgPbqv6REb40MOUThaaGz+YUNXQnMoJtZllFAgMBAAGjgeIwgd8w +HQYDVR0OBBYEFIaqKzY2iHMTs78X3VHgAfLFncfKMIGvBgNVHSMEgacwgaSAFIaq +KzY2iHMTs78X3VHgAfLFncfKoYGApH4wfDELMAkGA1UEBhMCREUxDzANBgNVBAgT +BkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ4wDAYDVQQKEwVCcmVobTEUMBIGA1UE +AxMLRnJhbmsgQnJlaG0xJTAjBgkqhkiG9w0BCQEWFmZyYW5rQGJyZWhtLW9ubGlu +ZS5jb22CCQDV2cFF8EkhdDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IB +AQCrSRKbFKp7/ZkBTT5zBD+LR3BRyll4dcenp+XdSsjEWCdxEg7b08GaS7NelpwC +Oj4YLZAtCqbsiOIy32FRkb2wdiGR7p1LwAyg4UOIfWjKTMRi9MNaWLMJn2tN1qcH +jzyANwXb/WCRnU8WeGAGKvHWuuGce3lpOnxoX6h3lxAnsD06xGtOQjgvz2OS9ZWF +RFKe96jWVosCFGbkZK4j3rRnW7PgbzMX8gcMISyQXEhhY52YMdLcFaoJhy25m+x3 +DROsgXG4aEVa+vrcXYYBp6PcUgpsRB7rKI41ArSWzF2thdzRPI2SjPwCVQ86373I +R6DAmCw1msB4Do0EaLCoVYTF +-----END CERTIFICATE----- 
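Review bot: `cacert.pem` is the root the other files in this directory are meant to chain to, yet decoding its validity field gives notBefore 2006-12-08 and notAfter 2007-12-08 — a one-year CA certificate that, if I read the DER correctly, expired four years before this commit; please verify with `openssl x509 -noout -dates -in cacert.pem`. The `openssl.cnf` hunk at the end of this commit now points `CA_default` at this directory, so `openssl ca` would issue certificates under an expired root. If the CA is still wanted, re-create it with a new key — the current one is published unencrypted as `private/ca.key.unsecure` in this same commit, and its leading modulus bytes decode identically to the SubjectPublicKeyInfo here — and give it a lifetime that matches the `default_days` of the leaf certificates.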
diff --git a/ssl/CA-Brehm/courier-imap/imapd.cnf b/ssl/CA-Brehm/courier-imap/imapd.cnf new file mode 100644 index 0000000..3f67d55 --- /dev/null +++ b/ssl/CA-Brehm/courier-imap/imapd.cnf @@ -0,0 +1,23 @@ + +RANDFILE = /usr/share/imapd.rand + +[ req ] +default_bits = 1024 +encrypt_key = yes +distinguished_name = req_dn +x509_extensions = cert_type +prompt = no + +[ req_dn ] +C=DE +ST=Brehm +L=Brehm +O=Brehm +OU=Courier Mail Server IMAP SSL key +CN=mail.brehm-online.com +emailAddress=postmaster@brehm-online.com + + +[ cert_type ] +nsCertType = server + diff --git a/ssl/CA-Brehm/courier-imap/imapd.pem b/ssl/CA-Brehm/courier-imap/imapd.pem new file mode 100644 index 0000000..076042e --- /dev/null +++ b/ssl/CA-Brehm/courier-imap/imapd.pem 
@@ -0,0 +1,38 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQC1qOWbPkrY1egkrFuPopaBG3+IFWUuwh9pXu6NpvNnEfuv6WBg +vctKRzYPwtFnCS/5l8UWjKmLI7QEJTfAt7y7+W0A2+YvORT8DU3x3NfppF2NOGRi +jIr3np6nJk7ALdjZQ69qyplXluv0NANNfQLXYJ4MViuKTpNNkP5Kw/uZGwIDAQAB +AoGAEA39PNskgkVlXthcvzT/WCm1+7DoYFmHrShWrO40VMeiFsnpWqNrdAUXIg11 +tEV7l/Nx16xWz5U4M6WWZ9HVPCGL/k6hCuJYuV0jhWOBsTX5bIFEIaEKIHlTlgE8 +4jMM/oh4sY9QoQUuSR51LDt2FHz+h2e04XSY9LTAEY0jIgECQQDepX5Hk6Qr6t6D +ZBHloid5UPVqdvyBw7C1Y8FyfNH0E1UGsTcFQHqSHyt1rqsgWOSUzkGoDvMIqi6x +EZtR+LpjAkEA0N+Pi91wB1j6oK5cHn/N2fXag6UjVqJvxmYQoJk0PVfVUpihvMOi +ENpLt1WTe618j5Fdf5oQfVFfVGYKy53H6QJBAIcxsJtf8FlmldTsx91LeHK3ET6j +n7JgFIYgW8/cMVTnBEM7CrDatVLTMH2WIX1T3QDquX2GDlddl1qX2VuOEAcCQQCO +vnnnZ+nL269MaFxkK4uOzUoMdar05gXlXJM4bfsZgRE0ZUMDMd9sDQN5w24LM8DQ +jNONBMkIG7g+gY4XITkhAkBCuzBIWAr781FMsf6u5IKqY6Q2x/RM7ob8E67UBdhG +C7J+p7S4zb+A7Uuyo3ibkR79bp53bt7qJl6Mpfo+EJOS +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIC/TCCAmagAwIBAgIJANY8AlrGDSx9MA0GCSqGSIb3DQEBBQUAMIG0MQswCQYD +VQQGEwJERTEOMAwGA1UECBMFQnJlaG0xDjAMBgNVBAcTBUJyZWhtMQ4wDAYDVQQK +EwVCcmVobTEpMCcGA1UECxMgQ291cmllciBNYWlsIFNlcnZlciBJTUFQIFNTTCBr +ZXkxHjAcBgNVBAMTFW1haWwuYnJlaG0tb25saW5lLmNvbTEqMCgGCSqGSIb3DQEJ +ARYbcG9zdG1hc3RlckBicmVobS1vbmxpbmUuY29tMB4XDTA2MTIwODIyNDMxOFoX +DTEyMDEyNjIyNDMxOFowgbQxCzAJBgNVBAYTAkRFMQ4wDAYDVQQIEwVCcmVobTEO +MAwGA1UEBxMFQnJlaG0xDjAMBgNVBAoTBUJyZWhtMSkwJwYDVQQLEyBDb3VyaWVy +IE1haWwgU2VydmVyIElNQVAgU1NMIGtleTEeMBwGA1UEAxMVbWFpbC5icmVobS1v +bmxpbmUuY29tMSowKAYJKoZIhvcNAQkBFhtwb3N0bWFzdGVyQGJyZWhtLW9ubGlu +ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALWo5Zs+StjV6CSsW4+i +loEbf4gVZS7CH2le7o2m82cR+6/pYGC9y0pHNg/C0WcJL/mXxRaMqYsjtAQlN8C3 +vLv5bQDb5i85FPwNTfHc1+mkXY04ZGKMiveenqcmTsAt2NlDr2rKmVeW6/Q0A019 +AtdgngxWK4pOk02Q/krD+5kbAgMBAAGjFTATMBEGCWCGSAGG+EIBAQQEAwIGQDAN +BgkqhkiG9w0BAQUFAAOBgQAJcVq4xxeH1d86DoedzsqMZyT90Y5piL4NarwQekg8 +jP0+HytRdujAJB4ahKkixsUcrFIeO3ct5ZXervdwvLK5GCcnwu3Lxa33UF7HhpOA 
+5+6bQXl4qh9+sL9UoxoRf2aMObVUsb0vEe7KTUViJ8rA7nI4Iny0icBJYKqvsxeH +5Q== +-----END CERTIFICATE----- +-----BEGIN DH PARAMETERS----- +MEYCQQCd+yD50BV7puqCKcLdensocjp8erVRJ7A5DmjUOicA2Xij9QcHfq7bvN6S +yg50QJ8JcJVV+dyKaEm1zRyRitLzAgEC +-----END DH PARAMETERS----- diff --git a/ssl/CA-Brehm/courier-imap/mkcert b/ssl/CA-Brehm/courier-imap/mkcert new file mode 100755 index 0000000..54edb90 --- /dev/null +++ b/ssl/CA-Brehm/courier-imap/mkcert 
@@ -0,0 +1,81 @@
+#! /bin/sh
+#
+# This is a short script to quickly generate a self-signed X.509 key for
+# Courier-IMAP/POP3 over SSL.
+
+test -x /usr/bin/openssl || exit 0
+
+CADir="/etc/ssl/CA-Brehm/courier-imap"
+prefix="/usr"
+randfile="$CADir/courier.rand"
+days=1875
+
+pemfile_imap="$CADir/imapd.pem"
+conffile_imap="$CADir/imapd.cnf"
+pemfile_orig_imap="/etc/courier-imap/imapd.pem"
+
+pemfile_pop3="$CADir/pop3d.pem"
+conffile_pop3="$CADir/pop3d.cnf"
+pemfile_orig_pop3="/etc/courier-imap/pop3d.pem"
+
+if [ -f $pemfile_imap ]; then
+ echo "$pemfile_imap already exists."
+ exit 1
+fi
+
+if [ -f $pemfile_pop3 ]; then
+ echo "$pemfile_pop3 already exists."
+ exit 1
+fi
+
+if [ ! -f $conffile_imap ] ; then
+ echo "$conffile_imap does not exists!"
+ exit 2
+fi
+
+if [ ! -f $conffile_pop3 ] ; then
+ echo "$conffile_pop3 does not exists!"
+ exit 2
+fi
+
+cp /dev/null $pemfile_imap
+chmod 600 $pemfile_imap
+chown root $pemfile_imap
+
+cp /dev/null $pemfile_pop3
+chmod 600 $pemfile_pop3
+chown root $pemfile_pop3
+
+cleanup() {
+ echo
+ echo "Emergency Cleanup ..." >&2
+ rm -f $pemfile_imap
+ rm -f $pemfile_pop3
+ rm -f $randfile
+ exit 10
+}
+
+echo
+echo "Generating Random file '$randfile' ..."
+dd if=/dev/urandom of=$randfile count=1 2>/dev/null
+
+echo
+echo "Generating Cert for IMAP ..."
+/usr/bin/openssl req -new -x509 -days $days -nodes \
+ -config $conffile_imap -out $pemfile_imap -keyout $pemfile_imap || cleanup
+/usr/bin/openssl gendh -rand $randfile 512 >> $pemfile_imap || cleanup
+/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in $pemfile_imap || cleanup
+
+echo
+echo "Generating Cert for POP3 ..."
+/usr/bin/openssl req -new -x509 -days $days -nodes \
+ -config $conffile_imap -out $pemfile_pop3 -keyout $pemfile_pop3 || cleanup
+/usr/bin/openssl gendh -rand $randfile 512 >> $pemfile_pop3 || cleanup
+/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in $pemfile_pop3 || cleanup
+
+echo
+echo "Installing Certificates ..."
+cp -pv $pemfile_imap $pemfile_orig_imap
+cp -pv $pemfile_pop3 $pemfile_orig_pop3
+rm -f $randfile
+
diff --git a/ssl/CA-Brehm/courier-imap/pop3d.cnf b/ssl/CA-Brehm/courier-imap/pop3d.cnf
new file mode 100644
index 0000000..75af52d
--- /dev/null
+++ b/ssl/CA-Brehm/courier-imap/pop3d.cnf
@@ -0,0 +1,23 @@
+
+RANDFILE = /usr/share/pop3d.rand
+
+[ req ]
+default_bits = 1024
+encrypt_key = yes
+distinguished_name = req_dn
+x509_extensions = cert_type
+prompt = no
+
+[ req_dn ]
+C=DE
+ST=Berlin
+L=Berlin
+O=Brehm
+OU=Courier Mail Server POP3 SSL key
+CN=mail.brehm-online.com
+emailAddress=postmaster@brehm-online.com
+
+
+[ cert_type ]
+nsCertType = server
+
diff --git a/ssl/CA-Brehm/courier-imap/pop3d.pem b/ssl/CA-Brehm/courier-imap/pop3d.pem
new file mode 100644
index 0000000..bf5575c
--- /dev/null
+++ b/ssl/CA-Brehm/courier-imap/pop3d.pem
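Review bot: The POP3 certificate is generated from the IMAP config — `-config $conffile_imap -out $pemfile_pop3 -keyout $pemfile_pop3` — so `pop3d.cnf` is checked for existence but never used, and the `pop3d.pem` committed in this change bears this out: its subject decodes to `OU=Courier Mail Server IMAP SSL key` with `ST=Brehm`/`L=Brehm`, i.e. the values from `imapd.cnf`, not the `POP3`/`Berlin` values in `pop3d.cnf`. Change the line to `-config $conffile_pop3 -out $pemfile_pop3 -keyout $pemfile_pop3 || cleanup` and regenerate. The same weak parameters as the Apache script apply (1024-bit RSA from `default_bits`, 512-bit DH from `gendh ... 512`), `-nodes` contradicts `encrypt_key = yes` in both `.cnf` files, and every `$pemfile_*`/`$conffile_*` expansion is unquoted.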
@@ -0,0 +1,38 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDeQ2lyjAA32nPw9bGNQ6cJDbgpJVTPircwIjwthdDomVOn6uEZ +s31kUeTHcV1UFYqKQbur7zeW0fl5AHV8fhTWIODuNGUduzgrkl/NMy753s3YJcro +8A4T6JlXz9rHGS0P1rWt/ZJX3zty3gwNZdDLI4tw5ThPkRDGmxYe4tUCMQIDAQAB +AoGBAIQYgIUpm7+WP64H99xDRvTkiH07yKoIgVNEJYvQqhZzefqkZ+BEgtOqsFOw +lo0wuEPvSUCoTdt/M8uscCbrMCnviwxU/DRTEIdHdhpSKK0mJoLoZBM4Ds9/kWv2 +ObkM9injHM814alaeeb9Es8vCH0AlfgZ1UWy1jV840InA3GhAkEA84xxxGygCSix +sYh/1lU6RKgIHlMhVG/2ecjS6TbhtRy4gIzBgobvRgO7Oq788FJ9W0Gl8BpXGJ9H +E4LfJL4/XQJBAOmgYu+NljdEUSRONr0DZYN85ERB39iz2L9ZJucnqrhQz+UHZtfr ++9k5z5hcyVu+joBnme1/P0GCwWfJGPMeZOUCQQDCV6fQ3f02Ucq5p/qaxZehgZQ4 +3o0SG+XKeH4Uqz6gjzKLIcaoqZP1grS8tzYPb0OotlH7rokhlLfa0evOHiHhAkAo +6ODqOczYGKpsxRVou7OG9tOx8CcWd0e5Gg9p4tROOjhtToJ/xN7xBuKHN5g67H9f +lMSrheC5w//CAMDRsbzRAkBPZjC3hnI4k2+ThAe1S9NQVpoYbyUu5qzxr3iqNvxJ +77xF+LcDPgVPCl6wwy+/oKl4SPSKLgWmRCVY1jzmLaVq +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIC/TCCAmagAwIBAgIJANqm0jsS+ZuZMA0GCSqGSIb3DQEBBQUAMIG0MQswCQYD +VQQGEwJERTEOMAwGA1UECBMFQnJlaG0xDjAMBgNVBAcTBUJyZWhtMQ4wDAYDVQQK +EwVCcmVobTEpMCcGA1UECxMgQ291cmllciBNYWlsIFNlcnZlciBJTUFQIFNTTCBr +ZXkxHjAcBgNVBAMTFW1haWwuYnJlaG0tb25saW5lLmNvbTEqMCgGCSqGSIb3DQEJ +ARYbcG9zdG1hc3RlckBicmVobS1vbmxpbmUuY29tMB4XDTA2MTIwODIyNDMyMFoX +DTEyMDEyNjIyNDMyMFowgbQxCzAJBgNVBAYTAkRFMQ4wDAYDVQQIEwVCcmVobTEO +MAwGA1UEBxMFQnJlaG0xDjAMBgNVBAoTBUJyZWhtMSkwJwYDVQQLEyBDb3VyaWVy +IE1haWwgU2VydmVyIElNQVAgU1NMIGtleTEeMBwGA1UEAxMVbWFpbC5icmVobS1v +bmxpbmUuY29tMSowKAYJKoZIhvcNAQkBFhtwb3N0bWFzdGVyQGJyZWhtLW9ubGlu +ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN5DaXKMADfac/D1sY1D +pwkNuCklVM+KtzAiPC2F0OiZU6fq4RmzfWRR5MdxXVQViopBu6vvN5bR+XkAdXx+ +FNYg4O40ZR27OCuSX80zLvnezdglyujwDhPomVfP2scZLQ/Wta39klffO3LeDA1l +0Msji3DlOE+REMabFh7i1QIxAgMBAAGjFTATMBEGCWCGSAGG+EIBAQQEAwIGQDAN +BgkqhkiG9w0BAQUFAAOBgQADISOUsK2dtfAD/Go6fGxCA91/SL1FxpkxfWSA9oG0 +9GBZRlEjrbXA5Gn8DijbZ91CArjAEJlYrNPihSD5qzFgbsbD99HDV7js3HW1TODA 
+QVcrEwQGsYUQyA0UOF0AByx3CuppglkayBNBFxoDYUHfK9SavdMLnUuo68Skd+9g
+tA==
+-----END CERTIFICATE-----
+-----BEGIN DH PARAMETERS-----
+MEYCQQChYtoCiG16r+tbnSsmbpI+AMuNv4rmN/hkoTWvAMdmy3OcWIkBuhepTkZA
+yF1zxkBIH3wW6w40eqNW0W0j0uxzAgEC
+-----END DH PARAMETERS-----
diff --git a/ssl/CA-Brehm/postfix/mkcert b/ssl/CA-Brehm/postfix/mkcert
new file mode 100755
index 0000000..d2c68c1
--- /dev/null
+++ b/ssl/CA-Brehm/postfix/mkcert
@@ -0,0 +1,44 @@
+#! /bin/sh
+#
+# This is a short script to quickly generate a self-signed X.509 key for
+# Postfix over SSL. Normally this script would get called by an automatic
+# package installation routine.
+
+test -x /usr/bin/openssl || exit 0
+
+CADir="/etc/ssl/CA-Brehm/postfix"
+prefix="/usr"
+pemfile="$CADir/postfix.pem"
+randfile="$CADir/postfix.rand"
+conffile="$CADir/postfix-cert.cnf"
+pemfile_orig="/etc/postfix/postfix.pem"
+days=1875
+
+if [ -f $pemfile ]; then
+ echo "$pemfile already exists."
+ exit 1
+fi
+
+if [ ! -f $conffile ] ; then
+ echo "$conffile does not exists!"
+ exit 2
+fi
+
+cp /dev/null $pemfile
+chmod 600 $pemfile
+chown root $pemfile
+
+cleanup() {
+ rm -f $pemfile
+ rm -f $randfile
+ exit 1
+}
+
+dd if=/dev/urandom of=$randfile count=1 2>/dev/null
+/usr/bin/openssl req -new -x509 -days $days -nodes \
+ -config $conffile -out $pemfile -keyout $pemfile || cleanup
+/usr/bin/openssl gendh -rand $randfile 512 >> $pemfile || cleanup
+/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in $pemfile || cleanup
+rm -f $randfile
+cp -pv $pemfile $pemfile_orig
+
diff --git a/ssl/CA-Brehm/postfix/postfix-cert.cnf b/ssl/CA-Brehm/postfix/postfix-cert.cnf
new file mode 100644
index 0000000..c0bf6c0
--- /dev/null
+++ b/ssl/CA-Brehm/postfix/postfix-cert.cnf
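Review bot: `cleanup()` in the Postfix script deletes `$pemfile` and exits 1 without any diagnostic, the same code the script uses for "already exists", so the automated caller the header comment mentions cannot distinguish a failed OpenSSL run from a pre-existing certificate; add `echo "Certificate generation failed, removing $pemfile" >&2` and exit with a distinct code such as `exit 10`, as the courier and apache siblings do. `dd if=/dev/urandom of=$randfile count=1` creates the seed file under the caller's umask; since it is deleted again at the end, `openssl rand -out $randfile 512` after a `umask 077` (or dropping the seed file entirely) is simpler. The 1024-bit RSA (`default_bits` in the following `.cnf`) and the 512-bit `gendh` parameters should be raised to 2048 as noted on the Apache script, and the unquoted `$pemfile`/`$randfile`/`$conffile` expansions quoted.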
@@ -0,0 +1,23 @@ + +RANDFILE = /usr/share/postfix.rand + +[ req ] +default_bits = 1024 +encrypt_key = yes +distinguished_name = req_dn +x509_extensions = cert_type +prompt = no + +[ req_dn ] +C=DE +ST=Berlin +L=Berlin +O=Berlin +OU=Mail Server Postfix SSL key +CN=mail.brehm-online.com +emailAddress=postmaster@brehm-online.com + + +[ cert_type ] +nsCertType = server + diff --git a/ssl/CA-Brehm/postfix/postfix.pem b/ssl/CA-Brehm/postfix/postfix.pem new file mode 100644 index 0000000..bd1f5cf --- /dev/null +++ b/ssl/CA-Brehm/postfix/postfix.pem 
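Review bot: `O=Berlin` in `req_dn` looks like a copy/paste slip — every other config in this commit uses `O=Brehm`, `L=Berlin` already carries the city, and the CA subject in `cacert.pem` decodes to `O=Brehm` — so the Postfix certificate's subject is inconsistent with the CA it sits next to; suggest `O=Brehm`. `imapd.cnf` in this commit has the mirror-image mistake (`ST=Brehm`, `L=Brehm`). `encrypt_key = yes` is overridden by `-nodes` in the accompanying `mkcert`, and `RANDFILE = /usr/share/postfix.rand` points into a package-owned tree; `$CADir` or a `/var/lib` path would be more appropriate.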
@@ -0,0 +1,37 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQCVlGvxjXWhKDqEUkTPZO9/9b0js236ON9tt9aKDFVSrkRBtMwM +xjkWHpc3jNT5aHtFTvalZHzr/Aa9+NTnJMKtiBTBrcyNnQUtOVQH8zbg8JrqJgj/ +MVS+gF4Aae43ofTk5juYCoh4QDXBAC//+AdhOe/FVs6jybn5G6ir/ekFBwIDAQAB +AoGBAIwKGglbRA6uaCKsFyoIOMYXHo4HFebXSi8hl2VFaLhw2QyfJQ6sopOX7kEe +w+IBNK/N3tM3wlD5cqJ3DXSeEPgR7laeOTC7F5cedC/ISHSvOXLVMYSnauo8H1Wi +oZV7Vq2tKvWBCV5n20c7Q8QEtawEdQeR5Pm2xxMAlbL86+6ZAkEAxCXYH16+luHy +LOUD5PycMu5rfbel8t5ZtKRRpD2K47/XzwSbOWG5Om6Z8mm49NeU8f6IZpiwfAyb +H9atpa/6XQJBAMM45cHZZVjBl/2YfeF1MsFlGz3I7n7yfOHhzfkM3qPQBM0Ll8J5 +RcIADMUsGv4fcZU8/HBiwzf6WvoT17TdbrMCQBhMs+yW+TeKAE2NhaD9poAsx0ZI +1Rc0cpqNbMvTD/zNDHhKEszWDXNutkWw0UgL2Rjttoo3Sk3j5efY2aRYG8UCQA0t +ohTb4AOFzgTIbnbxumNjt9sL3U2kgNmerJDLVZwpRqmwxqXSGetmpXYJ7CiLZtd0 +LnZHtHXq6IlJHZ6P9BECQQCPnAVHvkVSnjjvDdFVsl8SCZAWHLgHhqd+tm3fhZ8W +fFnqE/VQqXQhPgIvvHDvXoKpnMy6dEz2rMvJMzSBEs72 +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIC+TCCAmKgAwIBAgIJAK12Jv+IhCZ4MA0GCSqGSIb3DQEBBQUAMIGyMQswCQYD +VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV +BAoTBkJlcmxpbjEkMCIGA1UECxMbTWFpbCBTZXJ2ZXIgUG9zdGZpeCBTU0wga2V5 +MR4wHAYDVQQDExVtYWlsLmJyZWhtLW9ubGluZS5jb20xKjAoBgkqhkiG9w0BCQEW +G3Bvc3RtYXN0ZXJAYnJlaG0tb25saW5lLmNvbTAeFw0wNjEyMDgyMjQ2MjhaFw0x +MjAxMjYyMjQ2MjhaMIGyMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8w +DQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBkJlcmxpbjEkMCIGA1UECxMbTWFpbCBT +ZXJ2ZXIgUG9zdGZpeCBTU0wga2V5MR4wHAYDVQQDExVtYWlsLmJyZWhtLW9ubGlu +ZS5jb20xKjAoBgkqhkiG9w0BCQEWG3Bvc3RtYXN0ZXJAYnJlaG0tb25saW5lLmNv +bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlZRr8Y11oSg6hFJEz2Tvf/W9 +I7Nt+jjfbbfWigxVUq5EQbTMDMY5Fh6XN4zU+Wh7RU72pWR86/wGvfjU5yTCrYgU +wa3MjZ0FLTlUB/M24PCa6iYI/zFUvoBeAGnuN6H05OY7mAqIeEA1wQAv//gHYTnv +xVbOo8m5+Ruoq/3pBQcCAwEAAaMVMBMwEQYJYIZIAYb4QgEBBAQDAgZAMA0GCSqG +SIb3DQEBBQUAA4GBAGeli/w5sD8LIbhA8qcmdK1QB9w/nvI0RSGDuZtsKl97TVQj +cCAW7FS2U6gyA+7hJfIMZT/kMGVM9ygnU6VKmfuj8q7qsG29jOOleafYuFwKph2D +Ft4m/OauBW0riNbJ7IT923QwBCTgpVo/sf3Hb1HKf3VqGxaPTQU4wrLJWDsj 
+-----END CERTIFICATE----- +-----BEGIN DH PARAMETERS----- +MEYCQQDjc+Kujf6R+XMJT/3bPZhUBp/67Tano3opslrBIl0vQILYHhUB6yErvMFo +eVYwt/wMP409NZOlIBvkwYemzXz7AgEC +-----END DH PARAMETERS----- diff --git a/ssl/CA-Brehm/private/ca.key.unsecure b/ssl/CA-Brehm/private/ca.key.unsecure new file mode 100644 index 0000000..7581afd --- /dev/null +++ b/ssl/CA-Brehm/private/ca.key.unsecure 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAs3QOLgO3aOSFeqJ7T4i7/nOZt2wumKajfclR3R9ROhshpf2e +eQufsDwEycd9RPm0e20H59QJ2bv2/gTJxVP05kyMjLwXOSL7GIEowX2Q0cLecua9 +tBFpCQ7nRSIrDh9NzFF1WDkreeSbSHS5zKOF9RP76skg6tHQgxVjkL3kFu3Pg3Uk +10mCnkPBkszr9scwuL/u1U4GPdwMWPzOaHaxA/bHMir24naYG2dCkSovICuiClZs +APchUzpe92vqd0liolzy26SdS6QeTrv6zJl7Nv7TPLqTpHmnouqXpkGszFvpA576 +VUID26r+kRG+NDDlE4Wmhs/mFDV0JzKCbWZZRQIDAQABAoIBACA+BtovosF+5Zie +HuewWo6iOIkjL9APiKpuBH5lRRPakhYf1lxLQVrJvdZ/ODuvXcUbVuNJTqfHRN5o +/9OrfQHv2QTkOovyhAjoE+mH5QA7MfqVCJqU0jllaxoZxICaEUFXlWzPgMc60seW +6VciPkxFVereTkLCheM3cZcs9xFDRhEscHxGxrkZ1f2VxHysUPz+pcGnb6P/EGKW +0P6SNcgct0IrvUjxZp3aztLMW82rRgYLLDhsycWues0fllNzLJJMjx34PtLqp7s0 +jhefaJvsBDUJLMkSufOgv6iMXCxLYEiCQqiOVgJlzL3jAZoFf6M7FuAnPu2L/RcY +DUA/SvUCgYEA2Xw2HpaHwtQNtC814t62EmuleWK0FO21sDMUTN4FLaW/eGDZTqr2 +FvjIh64slkbfd0sr9IOV1OiRfdJzLw5xzpJrJnpEae/QdfBV04FYBYr3gbBbK+0N +cq5vFdR2HQ2U52mze9YBWZDe1jywMSyJ9iMUhsEkt7rEFch2cFlJYJsCgYEA0zun +FYsEsI1YkzIRvXKULipTYc8a4cfXIKaLkoin/QYGGZkj7QitwcmPTQnANY6jKMh9 +DhOWmmQs5uSF3V4+TdQh284SoiAdmz1/q8IECU7KKIswuyy50lSKZLk/y3mmnxLa +Zu8RCkjNLSQkr/H+8r/xlteaMxfq1+Z7cu2ZG58CgYEAzqFe4ezvC8JhSsJYFja3 +EgVIcG3A3umCZ+f/75A5p0cFBaAulrmDmgvAqnhnUFgB1NuM5YFnh6N3J+4dFaZJ +ppQiTap4+ZWpn4Q6ZvtK3+lKguNFnBRbZIwqarkzhyLySHN63btUCP7FWRLL68x/ +P2XRCL7U3eMKjg+px9BtEOUCgYEAsaoQxIvi6+RWxadtSFygyZuL+k5Jm/GLvciW +yC7srGJuqwUlNG8CRmYTg4ZaBjHshZbrp/VNzJnJMoKvHRvxZ2CvAcN35KkCfdni +EkLjRjjgy+0Wlbfuqzu0EzfEso2lWVJwI/eb63yEJh2qRdpSxzYuKuM4rRTGz8Tp +vCafip0CgYB04ddKSKM46RsUVsyWs09EUKXrgdOS8JRx08ytYAAZwIhPN1+BuPRS +iz790dimDGgfkmMzygpI+aGwjAv/0nl8Loe3LnJIbYkfeGa2/HXjzpnsNOa6KKLU +9tPY+b5OWejtCiayhuu7ro0yEqaGGJtsdG0JaeSxtsN80jYUUNDhOg== +-----END RSA PRIVATE KEY----- diff --git a/ssl/CA-Brehm/private/cakey.pem b/ssl/CA-Brehm/private/cakey.pem new file mode 100644 index 0000000..8726e72 --- /dev/null +++ b/ssl/CA-Brehm/private/cakey.pem 
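Review bot: This hunk adds the CA's private key in cleartext (`ca.key.unsecure`, recorded at mode 0644 in a 0755 directory by the `.etckeeper` hunk above) to a repository whose `X-Git-Url` header points at a gitweb instance; if that instance is reachable beyond the host, the key has to be treated as compromised from the moment this was pushed, and every certificate signed with it loses its value. The leading modulus bytes decode identically to the public key in `cacert.pem`, so this is the CA key, not a stray test key. Remove the file from history (`git filter-branch` or BFG, then force-push), generate a new CA key, and never keep a passphrase-less copy at rest — if automation needs one, decrypt into a tmpfs for the duration of the run and delete it. Add `ssl/CA-Brehm/private/` to `.gitignore` so etckeeper's next autocommit cannot re-add it.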
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,C9EB11CBB307A1DC + +9xwsypRNanPOrJDTAhnq291sYpHTmONc4nmigFl/fQUf4SINjBFnS/AzNXT7n9PY +mN1W9dAhdj8Mn2dJIg7qhIFzmGkXrgJ2wAoM2j9nXCpHcLyeziaILCNHcQWE71yC +8uy7bmSsVMLzuNKbuv2EPa0Jg0oEoxoUcvJ3uTV2frcTxo3dmDtKgAtTAaHCoXZR +skhwVJAn9+qN5ZzJEV1iJPDsvUyx4+PkGL2H2SEpri5WLZoMvBAE7xYD2lQNjCvT +kg0rHbK9xDs9dq0/BmpUWAX4Gt2e6LRXeaYIyGKhxa/k8nnebjgmOnEFUuNnf4dE +PWv1ccyMVmdWzFVqZQeVw4ad9XS9zoX2OoxQTVzq3P+nGUMU5D4Bu4T/z3w7SQvG +DfKldmBLDz/24HpyP5TzRZ3VEjqFos73gmnfbLaZGSWMCRSeDR5x5XnhB4ZfPAxK +qzAgXLtdcqv/j6Y9ucjdjEBOmWFa3TLlvQGFIZdKhdKRDXPT8WqOLb1DO+o2tHXY +bTGqvE6F2uL57tosAatFrn+XLYSpLS/vY9cOs+j2cSKfBe4a4qpAqWx9Tk4pR/nK +VWxyHvLKbjSdFo3Fqq+O/4k1sMd6FpD4oh5WHD1U7/Seoe6HKgi5OkJpwywZxCJC +rRRSPpwI2GKwOR1CzEZm/Z2RAQH2xbhOr95vaPXRGR4yCjQWLSxDdk6qCfPF60mE +ZEtWaDvMSkoBEs+ZHlAgZ/rXtylYdq2AvSD6eMz8zPhKdc+zlMHwl7ZlY8zQbsXZ +8ae4EqgUBczEODOfrYHfjAujDqkE6dqapcMeJlZCVHRXV1IvSItXBfvTN7XPOSAG +7nZ3oR4xdUFiOLZtcQ7okXU95B9isv1Aaix1JSj707f8MlG81qXM5eFJ/Na8fLy/ +4QMhuYazOd9MB/rPHwilUng+Mc0Ih3XChgZxcfMaCqwu87pE7t9WlmjL4KU5nXBK +OwwbaYq3IOuIwb+vYIlR1Dl3uALRTwmaeDbP9D7qPf+sLo3YpKbSaqtIoZOyM33l +zRjZu4lsLIQwHc6HrJCio+VlvzuzXdVAxQ6EHMsuZQXHbHb+qWI/tF/QQchGRvO6 +G8lhAwhiVXOZZxr42rZRfeJvePX2ERl/buAOsOcKZMUz5wWFfB2pX5up1wQpr5ew +XFz7l5LMMytiLSVzskMadZkSoA8Kta6C7eK72nRvg8A3TtL0tgu9a5BZPCngtjRj +qeBbM6ry7idy9uDkLIeX+9t0m25HWNMnFG0xkFmZyw3RSaSDCHKITbnu5xDPh5BD +qZpl9u7ihlrKMvzcy3HYkNuRsofvvE7yz2O9+/WhHjHKx1HEyGFln3OE0+5VMFOM +/fDwxvz8SWso0a/uXnJsO6qssFvGcMTh9YMkUkktwUZW06gQhSVJfq9avnqsOqIJ +BN9JLXVw71u8qqaGjao8fO9XI90X1b49SFYAfTvWHRy9BHNjj31/8rbN4/ZX9Ih/ +uSZ5bN0giKLQ+Gg12HziODsOeSkSVRY+MYeSyFR5X2vrw3ljU7focK3f2N3Uz8z0 +YtHicwrN7j9IgQze9+mrrVQSTast8eL6EK8tYlyw5Floby2NWH8D2/5kETXYaojX +-----END RSA PRIVATE KEY----- diff --git a/ssl/CA-Brehm/stunnel/mkcert b/ssl/CA-Brehm/stunnel/mkcert new file mode 100755 index 0000000..cd3ac76 --- /dev/null +++ b/ssl/CA-Brehm/stunnel/mkcert 
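Review bot: `cakey.pem` is protected only by legacy PEM encryption (`DEK-Info: DES-EDE3-CBC`), whose key is derived from the passphrase with a single MD5 pass of `EVP_BytesToKey`, so once the file is public it offers little resistance to offline guessing — and it is recorded at mode 0644 in a world-readable `private/` directory by the `.etckeeper` hunk. The encryption is moot anyway, since the commit also ships the same key unencrypted as `ca.key.unsecure`. When the CA is re-keyed, store the new key as PKCS#8 with `openssl pkcs8 -topk8 -v2 aes-256-cbc` (or at least `genrsa -aes256`) at mode 0600, outside the repository. The one-line `uhu.txt` added later in this commit (`up2UdLCE`) reads like a stored passphrase; if it is this key's, that is one more reason to consider the key disclosed.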
@@ -0,0 +1,111 @@
+#!/bin/bash
+#
+# This is a short script to quickly generate a self-signed X.509 key for
+# Courier-IMAP/POP3 over SSL.
+
+set -e
+
+test -x /usr/bin/openssl || exit 0
+
+CADir="/etc/ssl/CA-Brehm/stunnel"
+prefix="/usr"
+randfile="$CADir/stunnel.rand"
+days=1875
+do_install=0
+
+if [ "${#BASH_ARGV[@]}" == "0" ]; then
+ echo "No instances to generate certificates given." >&2
+ exit 1
+fi
+
+echo
+echo "Generating Random file '$randfile' ..."
+dd if=/dev/urandom of=$randfile count=1 2>/dev/null
+
+clear_randfile() {
+ if [ -f "${randfile}" ] ; then
+
+ fi
+}
+
+trap clear_randfile INT TERM EXIT
+
+for i in "${BASH_ARGV[@]}"; do
+ echo
+ echo " - '${i}'"
+ echo
+
+ target_dir="${CADir}/${i}"
+
+ if [ ! -d "${target_dir}" ] ; then
+ echo " Creating directory ${target_dir} ..."
+ mkdir -p "${target_dir}" || exit 3
+ fi
+
+ pemfile="${target_dir}/${i}-cert.pem"
+ conffile="${target_dir}/${i}-cert.cnf"
+
+ if [ ! -f "${conffile}" ] ; then
+ fi
+
+done
+
+exit 0
+Instances="webmail myadmin"
+
+for i in $Instances ; do
+
+ pemfile="$CADir/$i-cert.pem"
+ conffile="$CADir/$i-cert.cnf"
+
+ if [ -f $pemfile ]; then
+ echo "$pemfile already exists."
+ continue
+ fi
+ do_install=1
+
+ if [ ! -f $conffile ] ; then
+ echo "$conffile does not exists!"
+ exit 2
+ fi
+
+ cp /dev/null $pemfile
+ chmod 600 $pemfile
+ chown root $pemfile
+
+ cleanup() {
+ echo
+ echo "Emergency Cleanup ..." >&2
+ rm -f $pemfile
+ rm -f $randfile
+ exit 10
+ }
+
+ echo "Generating Cert for IMAP ..."
+ /usr/bin/openssl req -new -x509 -days $days -nodes \
+ -config $conffile -out $pemfile -keyout $pemfile || cleanup
+ /usr/bin/openssl gendh -rand $randfile 512 >> $pemfile || cleanup
+ /usr/bin/openssl x509 -subject -dates -fingerprint -noout -in $pemfile || cleanup
+
+done
+
+if [ "$do_install" = "1" ] ; then
+
+ echo
+ echo "Installing Certificates ..."
+
+ for i in $Instances ; do
+
+ pemfile="$CADir/$i-cert.pem"
+ pemfile_orig="/etc/apache2/ssl/$i-cert.pem"
+
+ cp -pv $pemfile $pemfile_orig
+
+ done
+
+fi
+
+rm -f $randfile
+
+
+# vim: ts=4 expandtab
diff --git a/ssl/CA-Brehm/stunnel/stunnel-cert.cnf b/ssl/CA-Brehm/stunnel/stunnel-cert.cnf
new file mode 100644
index 0000000..dabb192
--- /dev/null
+++ b/ssl/CA-Brehm/stunnel/stunnel-cert.cnf
@@ -0,0 +1,22 @@
+RANDFILE = /usr/share/webmail.rand
+
+[ req ]
+default_bits = 1024
+encrypt_key = yes
+distinguished_name = req_dn
+x509_extensions = cert_type
+prompt = no
+
+[ req_dn ]
+C=DE
+ST=Berlin
+L=Berlin
+O=Brehm
+OU=Frank Brehm SSL Key
+CN=myadmin.brehm-online.com
+emailAddress=frank@brehm-online.com
+
+
+[ cert_type ]
+nsCertType = server
+
diff --git a/ssl/CA-Brehm/stunnel/stunnel.rand b/ssl/CA-Brehm/stunnel/stunnel.rand
new file mode 100644
index 0000000..5f47e05
Binary files /dev/null and b/ssl/CA-Brehm/stunnel/stunnel.rand differ
diff --git a/ssl/CA-Brehm/uhu.txt b/ssl/CA-Brehm/uhu.txt
new file mode 100644
index 0000000..5c01c23
--- /dev/null
+++ b/ssl/CA-Brehm/uhu.txt
@@ -0,0 +1 @@
+up2UdLCE
diff --git a/ssl/openssl.cnf b/ssl/openssl.cnf
index 18760c6..0eda4ba 100644
--- a/ssl/openssl.cnf
+++ b/ssl/openssl.cnf
@@ -39,7 +39,7 @@ default_ca = CA_default # The default ca section
 ####################################################################
 [ CA_default ]
 
-dir = ./demoCA # Where everything is kept
+dir = /etc/ssl/CA-Brehm # Where everything is kept
 certs = $dir/certs # Where the issued certs are kept
 crl_dir = $dir/crl # Where the issued crl are kept
 database = $dir/index.txt # database index file.
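Review bot: `clear_randfile` and the `if [ ! -f "${conffile}" ]` block both have empty `then` bodies, which bash rejects as a syntax error, so the script dies right after `dd` has already written `$randfile` — which plausibly explains why `ssl/CA-Brehm/stunnel/stunnel.rand` shows up as a committed binary in this same change. Give the bodies their intended commands (`rm -f -- "${randfile}"` for the cleanup, the `openssl req` call for the loop) or use `:` as a placeholder until the port is finished; an unparseable script should not ship as mode 755. Everything after `exit 0` is dead code carried over from another instance of this script (`Instances="webmail myadmin"`, `/etc/apache2/ssl/`, and the Courier-IMAP header comment do not belong to stunnel), and if it is revived note that it produces 512-bit DH parameters (`gendh ... 512`) and unencrypted keys (`-nodes`), at odds with `encrypt_key = yes` in the new `stunnel-cert.cnf`. `BASH_ARGV` is a debugging array (reverse-ordered, and in newer bash only populated under `extdebug`); `$#` and `"$@"` are the plain way to read the instance list.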
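Review bot: `CN=myadmin.brehm-online.com` and `RANDFILE = /usr/share/webmail.rand` name nothing stunnel-related and look carried over from another service's request config; the CN has to be the host name stunnel clients connect to (the self-signed `stunnel/stunnel.pem` added later in this commit appears to use `uhu1.uhu-banane.de`), and `RANDFILE` should agree with the `stunnel.rand` path the accompanying `mkcert` writes. `default_bits = 1024` is below the 2048-bit floor generally expected for RSA today. With only `nsCertType = server` in `[ cert_type ]` the certificate carries no `subjectAltName`, which current clients require for host-name matching; add `subjectAltName = DNS:<stunnel-host>` (placeholder for the real name) next to it.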
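Review bot: A lone 8-character token with no comment, `up2UdLCE`, dropped into the CA directory reads like a credential; if it is the passphrase for `ssl/CA-Brehm/private/cakey.pem` added in the same commit, storing it beside the encrypted key removes the only protection that key has. Remove the file from the repository (and change the secret if that is what it is), or, if it is something else, say so in the file name or a comment so the next reader does not have to guess.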
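Review bot: Every `openssl ca` invocation on this host will now silently target the personal CA, because `dir` is changed in the system-wide `/etc/ssl/openssl.cnf` rather than in a CA-specific config; unrelated tooling that relies on the stock file is easy to trip up this way. A dedicated config kept under `ssl/CA-Brehm/` and passed with `openssl ca -config ...` keeps the distribution file untouched; if the global change is deliberate, a comment beside the line such as `# CA_default now targets the Brehm CA in /etc/ssl/CA-Brehm` would spare the next reader the surprise.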
@@ -52,7 +52,7 @@ serial = $dir/serial # The current serial number
 crlnumber = $dir/crlnumber # the current crl number
 # must be commented out to leave a V1 CRL
 crl = $dir/crl.pem # The current CRL
-private_key = $dir/private/cakey.pem# The private key
+private_key = $dir/private/cakey.pem # The private key
 RANDFILE = $dir/private/.rand # private random number file
 
 x509_extensions = usr_cert # The extentions to add to the cert
@@ -70,7 +70,7 @@ cert_opt = ca_default # Certificate field options
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions = crl_ext
 
-default_days = 365 # how long to certify for
+default_days = 1875 # how long to certify for
 default_crl_days= 30 # how long before next CRL
 default_md = default # use public key default MD
 preserve = no # keep passed DN ordering
@@ -83,8 +83,8 @@ policy = policy_match
 # For the CA policy
 [ policy_match ]
 countryName = match
-stateOrProvinceName = match
-organizationName = match
+stateOrProvinceName = optional
+organizationName = optional
 organizationalUnitName = optional
 commonName = supplied
 emailAddress = optional
@@ -126,12 +126,12 @@ string_mask = utf8only
 
 [ req_distinguished_name ]
 countryName = Country Name (2 letter code)
-countryName_default = AU
+countryName_default = DE
 countryName_min = 2
 countryName_max = 2
 
 stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = Some-State
+stateOrProvinceName_default = Berlin
 
 localityName = Locality Name (eg, city)
 
diff --git a/ssl/openssl.cnf.default b/ssl/openssl.cnf.default
new file mode 100644
index 0000000..18760c6
--- /dev/null
+++ b/ssl/openssl.cnf.default
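Review bot: `default_days = 1875` makes every certificate this CA issues valid for roughly five years, while the surrounding context leaves `crl_extensions` commented out, so revocation rests on a V1 CRL that clients have to fetch themselves; a leaked service key (several private keys travel in this very commit) stays usable for the whole period unless that CRL reaches every peer. Prefer a shorter lifetime — one year is a common ceiling for leaf certificates — or at least record the trade-off next to the value, `# 1875 days: ~5 years, renewal is manual and revocation is CRL-only`.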
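Review bot: Relaxing `stateOrProvinceName` and `organizationName` from `match` to `optional` means `openssl ca` now signs requests whose ST/O differ from, or omit, the CA's own values; that is a normal choice for a private CA, but nothing records the intent, so a line in `[ policy_match ]` such as `# ST/O relaxed on purpose: subjects are not vetted against the CA DN` is worth adding. Keep in mind the policy constrains only the DN; unless `copy_extensions` is enabled elsewhere in this file, a requester's `subjectAltName` is dropped rather than checked, so host names in SANs have to come from the CA-side extension section.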
@@ -0,0 +1,350 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +# Policies used by the TSA examples. +tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several ctificates with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. 
+ +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem# The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = usr_cert # The extentions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = default # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. 
+[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = AU +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Some-State + +localityName = Locality Name (eg, city) + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Internet Widgits Pty Ltd + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (e.g. 
server FQDN or YOUR name) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This is required for TSA certificates. 
+# extendedKeyUsage = critical,timeStamping + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +basicConstraints = CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. 
+# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo + +#################################################################### +[ tsa ] + +default_tsa = tsa_config1 # the default TSA section + +[ tsa_config1 ] + +# These are used by the TSA reply generation only. 
+dir = ./demoCA # TSA root directory +serial = $dir/tsaserial # The current serial number (mandatory) +crypto_device = builtin # OpenSSL engine to use for signing +signer_cert = $dir/tsacert.pem # The TSA signing certificate + # (optional) +certs = $dir/cacert.pem # Certificate chain to include in reply + # (optional) +signer_key = $dir/private/tsakey.pem # The TSA private key (optional) + +default_policy = tsa_policy1 # Policy if request did not specify it + # (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = md5, sha1 # Acceptable message digests (mandatory) +accuracy = secs:1, millisecs:500, microsecs:100 # (optional) +clock_precision_digits = 0 # number of digits after dot. (optional) +ordering = yes # Is ordering defined for timestamps? + # (optional, default: no) +tsa_name = yes # Must the TSA name be included in the reply? + # (optional, default: no) +ess_cert_id_chain = no # Must the ESS cert id chain be included? + # (optional, default: no) diff --git a/stunnel/old/stunnel.crt b/stunnel/old/stunnel.crt new file mode 100644 index 0000000..0e84f80 --- /dev/null +++ b/stunnel/old/stunnel.crt 
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxTCCAi6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbnRhIEJhcmJhcmExEzAR
+BgNVBAoTClNTTCBTZXJ2ZXIxIjAgBgNVBAsTGUZvciBUZXN0aW5nIFB1cnBvc2Vz
+IE9ubHkxFTATBgNVBAMTDGxvY2FsaG9zdCBDQTEdMBsGCSqGSIb3DQEJARYOcm9v
+dEBsb2NhbGhvc3QwHhcNMTIwMTMxMDgwODQyWhcNMTQwMTMwMDgwODQyWjCBpjEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbnRh
+IEJhcmJhcmExEzARBgNVBAoTClNTTCBTZXJ2ZXIxIjAgBgNVBAsTGUZvciBUZXN0
+aW5nIFB1cnBvc2VzIE9ubHkxEjAQBgNVBAMTCWxvY2FsaG9zdDEdMBsGCSqGSIb3
+DQEJARYOcm9vdEBsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+ALfGtvMfLVrk2M77BotkfYwFtMI7JGK8FVIxL0EmaEK/BeSvYAEvMkgrxlDvCYmF
+WrcYMJ4el+lguhtGJuD4qjsih0iX3fI5I0rFPi62Vr9KcjRo9pC6RL2Ew3XtLE5T
+Am68vS7ZleK9Vzh3eRY5ZXUlS3Dn6W6mA94RLeabu5erAgMBAAEwDQYJKoZIhvcN
+AQEFBQADgYEAs45mxYjtJiLLaI69hjlaEF+KE9mKqof9MW+yxFoX6iJothBnHZoq
+vxQizuKcb8kgjn5jq2Qpp1E0IPMcEDzsN9J7n0jSGTG5PcxWpo/lqWkSZg7mUwKc
+V0lquy4FDrJe51A8dNN+cd0JXsERKLqfKXonhFcVea9qzde+VHOBjlI=
+-----END CERTIFICATE-----
diff --git a/stunnel/old/stunnel.csr b/stunnel/old/stunnel.csr
new file mode 100644
index 0000000..68594ae
--- /dev/null
+++ b/stunnel/old/stunnel.csr
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB5zCCAVACAQAwgaYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
+MRYwFAYDVQQHEw1TYW50YSBCYXJiYXJhMRMwEQYDVQQKEwpTU0wgU2VydmVyMSIw
+IAYDVQQLExlGb3IgVGVzdGluZyBQdXJwb3NlcyBPbmx5MRIwEAYDVQQDEwlsb2Nh
+bGhvc3QxHTAbBgkqhkiG9w0BCQEWDnJvb3RAbG9jYWxob3N0MIGfMA0GCSqGSIb3
+DQEBAQUAA4GNADCBiQKBgQC3xrbzHy1a5NjO+waLZH2MBbTCOyRivBVSMS9BJmhC
+vwXkr2ABLzJIK8ZQ7wmJhVq3GDCeHpfpYLobRibg+Ko7IodIl93yOSNKxT4utla/
+SnI0aPaQukS9hMN17SxOUwJuvL0u2ZXivVc4d3kWOWV1JUtw5+lupgPeES3mm7uX
+qwIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEANZdsszYbhiDnj3c6VzFIS8Lb69YE
+c0Tg5ZVA2sV7y7ixf+tGpiELCPJHTAG7jzI0S5wj9p8S0M13miHDVE+qasRYO7S9
+pZelxcgjXqSXA9WG3lGQ+URNJJ0c94grESMNRKGFaotme6SKN+ao9K/BoGlF183N
+2xWCg0W5UYynDJc=
+-----END CERTIFICATE REQUEST-----
diff --git a/stunnel/old/stunnel.key b/stunnel/old/stunnel.key
new file mode 100644
index 0000000..d369e99
--- /dev/null
+++ b/stunnel/old/stunnel.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQC3xrbzHy1a5NjO+waLZH2MBbTCOyRivBVSMS9BJmhCvwXkr2AB
+LzJIK8ZQ7wmJhVq3GDCeHpfpYLobRibg+Ko7IodIl93yOSNKxT4utla/SnI0aPaQ
+ukS9hMN17SxOUwJuvL0u2ZXivVc4d3kWOWV1JUtw5+lupgPeES3mm7uXqwIDAQAB
+AoGAY6yCY6CAP/Eo6jHaHdY2BbC+li3vkSGDyt1kTMig+bqTXrIDtwC7G8uqNxE+
+sfjC99VF4Sykpe5RYiONSK113ctiLwRbEY7G8u1fjTK+tItE2CZsk7DbtTw38cOC
+ysmmhVuqIN5Z80Zx/gseZhpfvplfiAWSQrIWe8ZX8PnFSkECQQDiI+41os6gcIBy
+0b8iITGAgLrgOVbZyBP+pCujf5H/l+X8S28RvNTTwYL22P88VUD13oV2hoxioA++
+rRN1Sk+hAkEA0ArHPXpWo57SJ9OhlMzrS1zmGORVNoy1OIDkyOdaCPrWDuLy0ZnS
+f8iRJS8Ozvwwdf23QWdRhPTznb76GfWTywJANVQh1dY6Ag3lzK338/V99f7lkwES
+oTMUvAU9IUZxSKQqoU+strMgQXuuBcZwkmrMce7y7FuYeZ2jeOTZ5NwMYQJBAIgE
+g/9N3Rdc30nqs9n1oGDFfCsKHixsEo++tdYkbFkypoFVICypxVaGa19ERQpPF+AM
+4aOBSWsEO8MG+b2/McECQFy4QrOawU454ravKLmIRrTHvumF3P21KnXc5co/AkH6
+tBwvUB+7Dd5E5ZOF5GfbIvztiH4JzVpm570RuJNigRQ=
+-----END RSA PRIVATE KEY-----
diff --git a/stunnel/old/stunnel.pem b/stunnel/old/stunnel.pem
new file mode 100644
index 0000000..1f17529
--- /dev/null
+++ b/stunnel/old/stunnel.pem
@@ -0,0 +1,33 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQC3xrbzHy1a5NjO+waLZH2MBbTCOyRivBVSMS9BJmhCvwXkr2AB
+LzJIK8ZQ7wmJhVq3GDCeHpfpYLobRibg+Ko7IodIl93yOSNKxT4utla/SnI0aPaQ
+ukS9hMN17SxOUwJuvL0u2ZXivVc4d3kWOWV1JUtw5+lupgPeES3mm7uXqwIDAQAB
+AoGAY6yCY6CAP/Eo6jHaHdY2BbC+li3vkSGDyt1kTMig+bqTXrIDtwC7G8uqNxE+
+sfjC99VF4Sykpe5RYiONSK113ctiLwRbEY7G8u1fjTK+tItE2CZsk7DbtTw38cOC
+ysmmhVuqIN5Z80Zx/gseZhpfvplfiAWSQrIWe8ZX8PnFSkECQQDiI+41os6gcIBy
+0b8iITGAgLrgOVbZyBP+pCujf5H/l+X8S28RvNTTwYL22P88VUD13oV2hoxioA++
+rRN1Sk+hAkEA0ArHPXpWo57SJ9OhlMzrS1zmGORVNoy1OIDkyOdaCPrWDuLy0ZnS
+f8iRJS8Ozvwwdf23QWdRhPTznb76GfWTywJANVQh1dY6Ag3lzK338/V99f7lkwES
+oTMUvAU9IUZxSKQqoU+strMgQXuuBcZwkmrMce7y7FuYeZ2jeOTZ5NwMYQJBAIgE
+g/9N3Rdc30nqs9n1oGDFfCsKHixsEo++tdYkbFkypoFVICypxVaGa19ERQpPF+AM
+4aOBSWsEO8MG+b2/McECQFy4QrOawU454ravKLmIRrTHvumF3P21KnXc5co/AkH6
+tBwvUB+7Dd5E5ZOF5GfbIvztiH4JzVpm570RuJNigRQ=
+-----END RSA PRIVATE KEY-----
+
+-----BEGIN CERTIFICATE-----
+MIICxTCCAi6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbnRhIEJhcmJhcmExEzAR
+BgNVBAoTClNTTCBTZXJ2ZXIxIjAgBgNVBAsTGUZvciBUZXN0aW5nIFB1cnBvc2Vz
+IE9ubHkxFTATBgNVBAMTDGxvY2FsaG9zdCBDQTEdMBsGCSqGSIb3DQEJARYOcm9v
+dEBsb2NhbGhvc3QwHhcNMTIwMTMxMDgwODQyWhcNMTQwMTMwMDgwODQyWjCBpjEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbnRh
+IEJhcmJhcmExEzARBgNVBAoTClNTTCBTZXJ2ZXIxIjAgBgNVBAsTGUZvciBUZXN0
+aW5nIFB1cnBvc2VzIE9ubHkxEjAQBgNVBAMTCWxvY2FsaG9zdDEdMBsGCSqGSIb3
+DQEJARYOcm9vdEBsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+ALfGtvMfLVrk2M77BotkfYwFtMI7JGK8FVIxL0EmaEK/BeSvYAEvMkgrxlDvCYmF
+WrcYMJ4el+lguhtGJuD4qjsih0iX3fI5I0rFPi62Vr9KcjRo9pC6RL2Ew3XtLE5T
+Am68vS7ZleK9Vzh3eRY5ZXUlS3Dn6W6mA94RLeabu5erAgMBAAEwDQYJKoZIhvcN
+AQEFBQADgYEAs45mxYjtJiLLaI69hjlaEF+KE9mKqof9MW+yxFoX6iJothBnHZoq
+vxQizuKcb8kgjn5jq2Qpp1E0IPMcEDzsN9J7n0jSGTG5PcxWpo/lqWkSZg7mUwKc
+V0lquy4FDrJe51A8dNN+cd0JXsERKLqfKXonhFcVea9qzde+VHOBjlI=
+-----END CERTIFICATE-----
diff --git a/stunnel/stunnel.conf b/stunnel/stunnel.conf
index 4aa8b8c..20709b7 100644
--- a/stunnel/stunnel.conf
+++ b/stunnel/stunnel.conf
@@ -3,8 +3,8 @@
 # Please make sure you understand them (especially the effect of chroot jail)
 
 # Certificate/key is needed in server mode and optional in client mode
-# cert = /etc/stunnel/stunnel.pem
-# key = /etc/stunnel/stunnel.pem
+cert = /etc/stunnel/stunnel.pem
+key = /etc/stunnel/stunnel.pem
 
 # Some security enhancements for UNIX systems - comment them out on Win32
 # chroot = /chroot/stunnel/
@@ -43,6 +43,10 @@ socket = r:TCP_NODELAY=1
 
 # Service-level configuration
 
+[postgres]
+accept = 5442
+connect = 5432
+
 #[pop3s]
 #accept = 995
 #connect = 110
diff --git a/stunnel/stunnel.pem b/stunnel/stunnel.pem
new file mode 100644
index 0000000..dcd5cc9
--- /dev/null
+++ b/stunnel/stunnel.pem
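Review bot: Nothing in the new `[postgres]` service checks the client (`verify` and `CAfile` are absent), so the 5442 listener is transport encryption only: every host that can reach 5442 gets a tunnel to the local 5432 and authentication is left entirely to the database. If that is intended, say so in the section, `# no client-cert check: access control is left to pg_hba.conf`; otherwise add `verify = 2` plus a `CAfile` pointing at the CA this commit sets up and issue client certificates from it. The `cert`/`key` enabled in the first hunk resolve to `/etc/stunnel/stunnel.pem`, which is added right below with its private key unencrypted and git mode 100644 — see the note on that hunk for the permission and validity concerns.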
@@ -0,0 +1,33 @@
+-----BEGIN PRIVATE KEY-----
+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALHmMhfRrI8xbPGd
+YO5oeT+bX+tBghLR89aGEvetD37K8kvpbj/ApqUA8qFWx4dSwq5zkjlJ55/UgTZw
+JV+fsVeNmOf0v0360B92z3AXIJ41DrMPM7vVnIg1csPpa7Zmr+vgGRpnHs0BwkfR
+WhX+xDZKaf5chfWsL28zgYY3cf1dAgMBAAECgYB8ibDxucf6alhhAJKV869F1wic
+Ebz0XeQ8fpmSp6VcVsiuWdjjaoN+qZ4xUiXWVxqQs7lev50V59cY/AM94PZtMC96
+QHL2EPzIMrpjRCU59Z7PgQwOgjX0PMds9ZS6EuufzRKidh2qiys3ZcN8AeTjG2Rv
+hL+vOs6aVqZfWMrjJQJBAODqjDMZTVu2geXH/K289CaX7OB6jsAdKwfqheXRtuz1
+Rw1nbmQp6Bzr7fQyVtgbjrnnb8xZ110J85Krbz2NYG8CQQDKfDQyBVC4niXraLKA
+JZ7vxpxP0IfLekXJ1o1Me3jmzQxCXK56sHVnJsmihyiZBmFKLCFhXfa2JBwFXBXa
+iczzAkAnmAKgSDb/Cyzo14Da0OWmGZ6gkdKpbTkTBq0VnQp3wmIEsQ2U4m+zD7Fv
+CKGTH57LiTt8HOC1xzeyvS0zB71PAkA83zX5y6tGtRSFPsZay/SJ9NVNEU2hmDKe
+yQdVdNEV4ZLL6HzzmVTSG9EGMUe9KTPaToYCdXMTsqtR2SsgtciNAkBCN66SqVJB
+op3WG5wQEOeCrqpU2PEtBnVcsZlrh0a5F+3k0IDTMjShYfyhmSMpn2Q5GIYhWhWX
+eiTnGAZF+M7b
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICtDCCAh2gAwIBAgIJAOa3kpJQWr5pMA0GCSqGSIb3DQEBBQUAMHMxCzAJBgNV
+BAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjEUMBIGA1UE
+CgwLRnJhbmsgQnJlaG0xDzANBgNVBAsMBnByaXZhdDEbMBkGA1UEAwwSdWh1MS51
+aHUtYmFuYW5lLmRlMB4XDTEyMDEzMTA5MTM1OFoXDTEyMDMwMTA5MTM1OFowczEL
+MAkGA1UEBhMCREUxDzANBgNVBAgMBkJlcmxpbjEPMA0GA1UEBwwGQmVybGluMRQw
+EgYDVQQKDAtGcmFuayBCcmVobTEPMA0GA1UECwwGcHJpdmF0MRswGQYDVQQDDBJ1
+aHUxLnVodS1iYW5hbmUuZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALHm
+MhfRrI8xbPGdYO5oeT+bX+tBghLR89aGEvetD37K8kvpbj/ApqUA8qFWx4dSwq5z
+kjlJ55/UgTZwJV+fsVeNmOf0v0360B92z3AXIJ41DrMPM7vVnIg1csPpa7Zmr+vg
+GRpnHs0BwkfRWhX+xDZKaf5chfWsL28zgYY3cf1dAgMBAAGjUDBOMB0GA1UdDgQW
+BBQiJMeidpqxspkjOnX3jWPJdpvR/DAfBgNVHSMEGDAWgBQiJMeidpqxspkjOnX3
+jWPJdpvR/DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAHFSZOmOBE6F
+hh2LpwY8i9bi9T5Robg6NnFGyVTqP1ayC/LMGGUlwmu5PJt4U2y39ZKozK/FBMTa
+SX7zaQGk9HNbET1URyPysZLGpwc9djN1Qy4gfOiwkORBMi8We51IMqaowNBMag+J
+FIYREc3DNDg53HylseY8A1N9cTlUTeQ2
+-----END CERTIFICATE-----
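Review bot: The private key in this bundle is an unencrypted PKCS#8 key stored next to its certificate, and the file is created with git mode 100644; etckeeper restores on-disk permissions from `.etckeeper`, so make sure its `maybe chmod` line for `stunnel/stunnel.pem` pins `0600`, and since the key is now in git history, reissuing the stunnel certificate is the clean fix. Decoding the certificate's validity fields by hand suggests a lifetime of only one month (notBefore 2012-01-31, notAfter 2012-03-01), and the extensions appear to include `basicConstraints` CA:TRUE, which is what `openssl req -x509` emits with the stock `v3_ca` section — confirm both with `openssl x509 -noout -dates -text`. Whatever produced this file is not part of the commit, so a renewal step and an explicit `-days` (plus a non-CA extension section) should be documented wherever that command lives, or the tunnel will stop working unnoticed when the certificate expires.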