From f1f25b0534fe266051e3ffa952484563a85f9e72 Mon Sep 17 00:00:00 2001
From: Frank Brehm <frank@brehm-online.com>
Date: Tue, 31 Jan 2012 11:00:43 +0100
Subject: [PATCH] Current state

---
 .etckeeper                            |  47 ++++
 .gitignore                            |   2 +
 motd                                  |  15 --
 runlevels/default/stunnel             |   1 +
 ssl/CA-Brehm/apache2/mkcert           |  73 ++++++
 ssl/CA-Brehm/apache2/myadmin-cert.cnf |  22 ++
 ssl/CA-Brehm/apache2/myadmin-cert.pem |  37 +++
 ssl/CA-Brehm/apache2/webmail-cert.cnf |  22 ++
 ssl/CA-Brehm/apache2/webmail-cert.pem |  37 +++
 ssl/CA-Brehm/cacert.pem               |  26 ++
 ssl/CA-Brehm/courier-imap/imapd.cnf   |  23 ++
 ssl/CA-Brehm/courier-imap/imapd.pem   |  38 +++
 ssl/CA-Brehm/courier-imap/mkcert      |  81 ++++++
 ssl/CA-Brehm/courier-imap/pop3d.cnf   |  23 ++
 ssl/CA-Brehm/courier-imap/pop3d.pem   |  38 +++
 ssl/CA-Brehm/postfix/mkcert           |  44 ++++
 ssl/CA-Brehm/postfix/postfix-cert.cnf |  23 ++
 ssl/CA-Brehm/postfix/postfix.pem      |  37 +++
 ssl/CA-Brehm/private/ca.key.unsecure  |  27 ++
 ssl/CA-Brehm/private/cakey.pem        |  30 +++
 ssl/CA-Brehm/stunnel/mkcert           | 111 ++++++++
 ssl/CA-Brehm/stunnel/stunnel-cert.cnf |  22 ++
 ssl/CA-Brehm/stunnel/stunnel.rand     | Bin 0 -> 512 bytes
 ssl/CA-Brehm/uhu.txt                  |   1 +
 ssl/openssl.cnf                       |  14 +-
 ssl/openssl.cnf.default               | 350 ++++++++++++++++++++++++++
 stunnel/old/stunnel.crt               |  17 ++
 stunnel/old/stunnel.csr               |  13 +
 stunnel/old/stunnel.key               |  15 ++
 stunnel/old/stunnel.pem               |  33 +++
 stunnel/stunnel.conf                  |   8 +-
 stunnel/stunnel.pem                   |  33 +++
 32 files changed, 1239 insertions(+), 24 deletions(-)
 delete mode 100644 motd
 create mode 120000 runlevels/default/stunnel
 create mode 100755 ssl/CA-Brehm/apache2/mkcert
 create mode 100644 ssl/CA-Brehm/apache2/myadmin-cert.cnf
 create mode 100644 ssl/CA-Brehm/apache2/myadmin-cert.pem
 create mode 100644 ssl/CA-Brehm/apache2/webmail-cert.cnf
 create mode 100644 ssl/CA-Brehm/apache2/webmail-cert.pem
 create mode 100644 ssl/CA-Brehm/cacert.pem
 create mode 100644 ssl/CA-Brehm/courier-imap/imapd.cnf
 create mode 100644 ssl/CA-Brehm/courier-imap/imapd.pem
 create mode 100755 ssl/CA-Brehm/courier-imap/mkcert
 create mode 100644 ssl/CA-Brehm/courier-imap/pop3d.cnf
 create mode 100644 ssl/CA-Brehm/courier-imap/pop3d.pem
 create mode 100755 ssl/CA-Brehm/postfix/mkcert
 create mode 100644 ssl/CA-Brehm/postfix/postfix-cert.cnf
 create mode 100644 ssl/CA-Brehm/postfix/postfix.pem
 create mode 100644 ssl/CA-Brehm/private/ca.key.unsecure
 create mode 100644 ssl/CA-Brehm/private/cakey.pem
 create mode 100755 ssl/CA-Brehm/stunnel/mkcert
 create mode 100644 ssl/CA-Brehm/stunnel/stunnel-cert.cnf
 create mode 100644 ssl/CA-Brehm/stunnel/stunnel.rand
 create mode 100644 ssl/CA-Brehm/uhu.txt
 create mode 100644 ssl/openssl.cnf.default
 create mode 100644 stunnel/old/stunnel.crt
 create mode 100644 stunnel/old/stunnel.csr
 create mode 100644 stunnel/old/stunnel.key
 create mode 100644 stunnel/old/stunnel.pem
 create mode 100644 stunnel/stunnel.pem

diff --git a/.etckeeper b/.etckeeper
index ce40246..17a88c1 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -12,6 +12,9 @@ mkdir -p './security/namespace.d'
 mkdir -p './sensors.d'
 mkdir -p './skel/.ssh'
 mkdir -p './ssh/ca'
+mkdir -p './ssl/CA-Brehm/certs'
+mkdir -p './ssl/CA-Brehm/crl'
+mkdir -p './ssl/CA-Brehm/newcerts'
 mkdir -p './sudoers.d'
 mkdir -p './texmf/dvipdfm/config'
 mkdir -p './texmf/dvips.d'
@@ -1086,6 +1089,35 @@ maybe chmod 0600 './ssh/ssh_host_rsa_key'
 maybe chmod 0644 './ssh/ssh_host_rsa_key.pub'
 maybe chmod 0600 './ssh/sshd_config'
 maybe chmod 0755 './ssl'
+maybe chmod 0755 './ssl/CA-Brehm'
+maybe chmod 0755 './ssl/CA-Brehm/apache2'
+maybe chmod 0755 './ssl/CA-Brehm/apache2/mkcert'
+maybe chmod 0644 './ssl/CA-Brehm/apache2/myadmin-cert.cnf'
+maybe chmod 0600 './ssl/CA-Brehm/apache2/myadmin-cert.pem'
+maybe chmod 0644 './ssl/CA-Brehm/apache2/webmail-cert.cnf'
+maybe chmod 0600 './ssl/CA-Brehm/apache2/webmail-cert.pem'
+maybe chmod 0644 './ssl/CA-Brehm/cacert.pem'
+maybe chmod 0755 './ssl/CA-Brehm/certs'
+maybe chmod 0755 './ssl/CA-Brehm/courier-imap'
+maybe chmod 0644 './ssl/CA-Brehm/courier-imap/imapd.cnf'
+maybe chmod 0600 './ssl/CA-Brehm/courier-imap/imapd.pem'
+maybe chmod 0755 './ssl/CA-Brehm/courier-imap/mkcert'
+maybe chmod 0644 './ssl/CA-Brehm/courier-imap/pop3d.cnf'
+maybe chmod 0600 './ssl/CA-Brehm/courier-imap/pop3d.pem'
+maybe chmod 0755 './ssl/CA-Brehm/crl'
+maybe chmod 0755 './ssl/CA-Brehm/newcerts'
+maybe chmod 0755 './ssl/CA-Brehm/postfix'
+maybe chmod 0755 './ssl/CA-Brehm/postfix/mkcert'
+maybe chmod 0644 './ssl/CA-Brehm/postfix/postfix-cert.cnf'
+maybe chmod 0600 './ssl/CA-Brehm/postfix/postfix.pem'
+maybe chmod 0755 './ssl/CA-Brehm/private'
+maybe chmod 0644 './ssl/CA-Brehm/private/ca.key.unsecure'
+maybe chmod 0644 './ssl/CA-Brehm/private/cakey.pem'
+maybe chmod 0755 './ssl/CA-Brehm/stunnel'
+maybe chmod 0755 './ssl/CA-Brehm/stunnel/mkcert'
+maybe chmod 0644 './ssl/CA-Brehm/stunnel/stunnel-cert.cnf'
+maybe chmod 0644 './ssl/CA-Brehm/stunnel/stunnel.rand'
+maybe chmod 0644 './ssl/CA-Brehm/uhu.txt'
 maybe chmod 0755 './ssl/apache2'
 maybe chmod 0444 './ssl/apache2/server.crt'
 maybe chmod 0444 './ssl/apache2/server.csr'
@@ -1103,6 +1135,7 @@ maybe chmod 0755 './ssl/misc/c_issuer'
 maybe chmod 0755 './ssl/misc/c_name'
 maybe chmod 0755 './ssl/misc/tsget'
 maybe chmod 0644 './ssl/openssl.cnf'
+maybe chmod 0644 './ssl/openssl.cnf.default'
 maybe chmod 0755 './ssl/postfix'
 maybe chmod 0444 './ssl/postfix/server.crt'
 maybe chmod 0444 './ssl/postfix/server.csr'
@@ -1115,7 +1148,21 @@ maybe chmod 0400 './ssl/postfix/server.pem'
 maybe chmod 0700 './ssl/private'
 maybe chmod 0644 './ssl/private/.keep_dev-libs_openssl-0'
 maybe chmod 0755 './stunnel'
+maybe chmod 0755 './stunnel/old'
+maybe chown stunnel './stunnel/old/stunnel.crt'
+maybe chgrp stunnel './stunnel/old/stunnel.crt'
+maybe chmod 0640 './stunnel/old/stunnel.crt'
+maybe chown stunnel './stunnel/old/stunnel.csr'
+maybe chgrp stunnel './stunnel/old/stunnel.csr'
+maybe chmod 0640 './stunnel/old/stunnel.csr'
+maybe chown stunnel './stunnel/old/stunnel.key'
+maybe chgrp stunnel './stunnel/old/stunnel.key'
+maybe chmod 0640 './stunnel/old/stunnel.key'
+maybe chown stunnel './stunnel/old/stunnel.pem'
+maybe chgrp stunnel './stunnel/old/stunnel.pem'
+maybe chmod 0640 './stunnel/old/stunnel.pem'
 maybe chmod 0644 './stunnel/stunnel.conf'
+maybe chmod 0644 './stunnel/stunnel.pem'
 maybe chmod 0440 './sudoers'
 maybe chmod 0750 './sudoers.d'
 maybe chmod 0644 './sysctl.conf'
diff --git a/.gitignore b/.gitignore
index fa8caf3..6f3c373 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,8 @@
 # old versions of files
 *.old
 
+motd
+
 # mount(8) records system state here, no need to store these
 blkid.tab
 blkid.tab.old
diff --git a/motd b/motd
deleted file mode 100644
index f97d454..0000000
--- a/motd
+++ /dev/null
@@ -1,15 +0,0 @@
-Linux uhu1 3.2.1-gentoo-r2 #1 SMP Mon Jan 30 16:49:14 CET 2012 x86_64 AMD Opteron 23xx (Gen 3 Class Opteron) AuthenticAMD GNU/Linux
-Gentoo Base System release 2.0.3
- _   _ _             _ 
-| | | | |__  _   _  / |
-| | | | '_ \| | | | | |
-| |_| | | | | |_| | | |
- \___/|_| |_|\__,_| |_|
-                       
-
-Manche Menschen tun nichts - aber sie tun es auf eine faszinierende
-Weise.
-		-- Curzio Malaparte (eigentlich: Kurt Erich Suckert)
-
-Today is Sweetmorn, the 31st day of Chaos in the YOLD 3178
-
diff --git a/runlevels/default/stunnel b/runlevels/default/stunnel
new file mode 120000
index 0000000..b1b3a25
--- /dev/null
+++ b/runlevels/default/stunnel
@@ -0,0 +1 @@
+/etc/init.d/stunnel
\ No newline at end of file
diff --git a/ssl/CA-Brehm/apache2/mkcert b/ssl/CA-Brehm/apache2/mkcert
new file mode 100755
index 0000000..45c08f3
--- /dev/null
+++ b/ssl/CA-Brehm/apache2/mkcert
@@ -0,0 +1,73 @@
+#! /bin/sh
+#
+# This is a short script to quickly generate a self-signed X.509 key for
+# Courier-IMAP/POP3 over SSL.
+
+test -x /usr/bin/openssl || exit 0
+
+CADir="/etc/ssl/CA-Brehm/apache2"
+prefix="/usr"
+randfile="$CADir/apache2.rand"
+days=1875
+do_install=0
+
+Instances="webmail myadmin"
+
+echo
+echo "Generating Random file '$randfile' ..."
+dd if=/dev/urandom of=$randfile count=1 2>/dev/null
+
+for i in $Instances ; do
+
+  pemfile="$CADir/$i-cert.pem"
+  conffile="$CADir/$i-cert.cnf"
+
+  if [ -f $pemfile ]; then
+    echo "$pemfile already exists."
+    continue
+  fi
+  do_install=1
+
+  if [ ! -f $conffile ] ; then
+    echo "$conffile does not exists!"
+    exit 2
+  fi
+
+  cp /dev/null $pemfile
+  chmod 600 $pemfile
+  chown root $pemfile
+
+  cleanup() {
+    echo
+    echo "Emergency Cleanup ..." >&2
+    rm -f $pemfile
+    rm -f $randfile
+    exit 10
+  }
+
+  echo "Generating Cert for IMAP ..."
+  /usr/bin/openssl req -new -x509 -days $days -nodes \
+          -config $conffile -out $pemfile -keyout $pemfile || cleanup
+  /usr/bin/openssl gendh -rand $randfile 512 >> $pemfile || cleanup
+  /usr/bin/openssl x509 -subject -dates -fingerprint -noout -in $pemfile || cleanup
+
+done
+
+if [ "$do_install" = "1" ] ; then
+
+  echo
+  echo "Installing Certificates ..."
+
+  for i in $Instances ; do
+
+    pemfile="$CADir/$i-cert.pem"
+    pemfile_orig="/etc/apache2/ssl/$i-cert.pem"
+
+    cp -pv $pemfile $pemfile_orig
+
+  done
+
+fi
+
+rm -f $randfile
+
diff --git a/ssl/CA-Brehm/apache2/myadmin-cert.cnf b/ssl/CA-Brehm/apache2/myadmin-cert.cnf
new file mode 100644
index 0000000..dabb192
--- /dev/null
+++ b/ssl/CA-Brehm/apache2/myadmin-cert.cnf
@@ -0,0 +1,22 @@
+RANDFILE = /usr/share/webmail.rand
+
+[ req ]
+default_bits = 1024
+encrypt_key = yes
+distinguished_name = req_dn
+x509_extensions = cert_type
+prompt = no
+
+[ req_dn ]
+C=DE
+ST=Berlin
+L=Berlin
+O=Brehm
+OU=Frank Brehm SSL Key
+CN=myadmin.brehm-online.com
+emailAddress=frank@brehm-online.com
+
+
+[ cert_type ]
+nsCertType = server
+
diff --git a/ssl/CA-Brehm/apache2/myadmin-cert.pem b/ssl/CA-Brehm/apache2/myadmin-cert.pem
new file mode 100644
index 0000000..cf5de34
--- /dev/null
+++ b/ssl/CA-Brehm/apache2/myadmin-cert.pem
@@ -0,0 +1,37 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC0+qDrRPNPHnd/sD2Vp6ZRy87g0X22CpVMLZpjj2tEKPyf1N/t
+VoiHdOHSVLJZrmBf26A5MknUENgEFHqvjO3dPFV7x/VL9OzrrGKS5QBEoaDGheAp
+Qow/FKMYA93uFGiG4jcoC7gj+uA3zNeU+fUSHHbqEf9hm+cBtOKG7XVb5QIDAQAB
+AoGAJrrP/ylFTHQ/rILB2yoCjNSp1DDgzzlak+/ab1383ZxL28SJm1f+ZcacoQ9h
+D5Iiq8Dre/IIHKryH4Vmb/Uf3fFlLbfDcalIIZRKlLmJ43oahUI4aPRthaEN+t2X
+4PgL0uQ/4BeCs32ivGz+QWjgx2tuxIkIv7B+JYjyjJ/9QoECQQDd2QCnd70OcQVT
+0EYkWKOkRohjiuM4M+vtN7jiiWDmAsKGFaQwNnUCIMl1nGph00DBz2cyb9XvF0Cb
+hcrjC5fFAkEA0Nb/Absi8Clz9tdjOE+hWthUIkQhdtCJ8Hdm4JdUUvsGH+GyKJfh
+Fq3CyNzTsFBk8eoeEJ6zY7FKEZpmwJTVoQJBAIeC5kNlgLYxk29+6VmKS2stKmKj
+k+fgz1w3jVfTUr0tMmV1ErXgjdie7nBI+zKGOCgq6H6GkcdaDLzzHNtTWYECQQCS
+SKbjPYQhmcfC9ehoP08U5Uc5oWOXaEfXCqwjUZ0davxFRMCYsppWWmyAaj5V2Fp9
+IbLhjWi2wi7R2cdzyk1BAkB6cOePmPRIIggpl12rKor1Uw+PFWf94tQZRjOPAhWW
+H10M7NiPZSzh1UUDlhiNsV220TKzr+XN9idDCxq1ho58
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIC4zCCAkygAwIBAgIJAN/wUh5zk64nMA0GCSqGSIb3DQEBBQUAMIGnMQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDjAMBgNV
+BAoTBUJyZWhtMRwwGgYDVQQLExNGcmFuayBCcmVobSBTU0wgS2V5MSEwHwYDVQQD
+ExhteWFkbWluLmJyZWhtLW9ubGluZS5jb20xJTAjBgkqhkiG9w0BCQEWFmZyYW5r
+QGJyZWhtLW9ubGluZS5jb20wHhcNMDYxMjA4MjIzNjU5WhcNMTIwMTI2MjIzNjU5
+WjCBpzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVy
+bGluMQ4wDAYDVQQKEwVCcmVobTEcMBoGA1UECxMTRnJhbmsgQnJlaG0gU1NMIEtl
+eTEhMB8GA1UEAxMYbXlhZG1pbi5icmVobS1vbmxpbmUuY29tMSUwIwYJKoZIhvcN
+AQkBFhZmcmFua0BicmVobS1vbmxpbmUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQC0+qDrRPNPHnd/sD2Vp6ZRy87g0X22CpVMLZpjj2tEKPyf1N/tVoiH
+dOHSVLJZrmBf26A5MknUENgEFHqvjO3dPFV7x/VL9OzrrGKS5QBEoaDGheApQow/
+FKMYA93uFGiG4jcoC7gj+uA3zNeU+fUSHHbqEf9hm+cBtOKG7XVb5QIDAQABoxUw
+EzARBglghkgBhvhCAQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADgYEAA+PPUJ1IWo+i
+lZlDQAOfLscsjv37dJtrvZguPV9aNTSRv1RgJSFseMt/CYjrzxXD2GKhDk8wyE1D
+qTy87Os2WXqBKm+6L38hheZoUcIorPwTOmh5KZXwtbyxfmKXg3lXXGDm60E6Pkf7
+O2+jRSctKlQe36TIAZxUpfumY2pVQZA=
+-----END CERTIFICATE-----
+-----BEGIN DH PARAMETERS-----
+MEYCQQDYf1RIczbTmgovRnZ8SA/b9l4b+t0dPW3/CHEUJU93w20YQ3yap6xrWIQk
+wVzhsgf+zmajDFpfQU2JJKc35oA7AgEC
+-----END DH PARAMETERS-----
diff --git a/ssl/CA-Brehm/apache2/webmail-cert.cnf b/ssl/CA-Brehm/apache2/webmail-cert.cnf
new file mode 100644
index 0000000..d88f92f
--- /dev/null
+++ b/ssl/CA-Brehm/apache2/webmail-cert.cnf
@@ -0,0 +1,22 @@
+RANDFILE = /usr/share/webmail.rand
+
+[ req ]
+default_bits = 1024
+encrypt_key = yes
+distinguished_name = req_dn
+x509_extensions = cert_type
+prompt = no
+
+[ req_dn ]
+C=DE
+ST=Berlin
+L=Berlin
+O=Brehm
+OU=Brehm SSL Key
+CN=webmail.brehm-online.com
+emailAddress=frank@brehm-online.com
+
+
+[ cert_type ]
+nsCertType = server
+
diff --git a/ssl/CA-Brehm/apache2/webmail-cert.pem b/ssl/CA-Brehm/apache2/webmail-cert.pem
new file mode 100644
index 0000000..fd2de1c
--- /dev/null
+++ b/ssl/CA-Brehm/apache2/webmail-cert.pem
@@ -0,0 +1,37 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCsrn1fttalMjRvpAVCkc/CCtprt8ifRyXuiq0njfw5x//eNjxg
+G551XNrNHOUagA3gwXFJaU9ZnjYx0nnzqhIzV3ZySbxXcDM7yDwFsygCgvLlAiO9
+hiyjGnMGx83Bm+fAYt/UgyXw1Ur7QjbbKlhZvaIFZprZL3YavjhgQg64dwIDAQAB
+AoGBAKuJEgYYjJTBkJEuMAN28RjiyyKiCGsgtC+IFoXqZ5nGcQf+fG9EQF55hOio
+QXXXqvGPd8fjEu4FWfSYDojccwJnizcrt8bpSQW3tEr8/wsqX4UJhV8N+gk4+HTM
+8ZpATdqp6q21BkkYcnMK6fqYjt4ekhLsbJk+IR5lLzKxy/IRAkEA1+lCM3miOVmD
+MMXFUKltLtuDthZQw8p4tQ4/k1u0OfwU+PQlKY4F1AgLFqtkHoWJwWvUnMvT5+9F
+AB6njPi5owJBAMy+btu+jow8ix+nII09BAJQDfe+Fa1ngkFV+FRTsrpTcF4MNt+l
+L2BwwFkbsAnoGWU6B83UUJZ4TparR5hUmx0CQHN94luGhLAIoZRFNfafqjeWVC3i
+YfFZLJgstvUr6Ivbu5wvfHFt9tAkPUozA6sP41ADTgdRQFigNFiMDTPrF+ECQGIC
+VvcCBSLEaKTCUCbMKnsg707Ew4O6pPO5v6I+XrQq9QNQPYRZgpBb6Pe+9UoIvP9k
+BBBXriwZcyVU4HTfK1ECQQDV0JEKQ3r5eKPPWaefKGYUtrWHh8KpNT8oujVMSWxG
+0OazqbiyHhucgmLsbi6JCrAEGhFJBYZ32chVnmLlXTpb
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIC1zCCAkCgAwIBAgIJAPNANtEQARp7MA0GCSqGSIb3DQEBBQUAMIGhMQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDjAMBgNV
+BAoTBUJyZWhtMRYwFAYDVQQLEw1CcmVobSBTU0wgS2V5MSEwHwYDVQQDExh3ZWJt
+YWlsLmJyZWhtLW9ubGluZS5jb20xJTAjBgkqhkiG9w0BCQEWFmZyYW5rQGJyZWht
+LW9ubGluZS5jb20wHhcNMDYxMjA4MjIzNjU5WhcNMTIwMTI2MjIzNjU5WjCBoTEL
+MAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ4w
+DAYDVQQKEwVCcmVobTEWMBQGA1UECxMNQnJlaG0gU1NMIEtleTEhMB8GA1UEAxMY
+d2VibWFpbC5icmVobS1vbmxpbmUuY29tMSUwIwYJKoZIhvcNAQkBFhZmcmFua0Bi
+cmVobS1vbmxpbmUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsrn1f
+ttalMjRvpAVCkc/CCtprt8ifRyXuiq0njfw5x//eNjxgG551XNrNHOUagA3gwXFJ
+aU9ZnjYx0nnzqhIzV3ZySbxXcDM7yDwFsygCgvLlAiO9hiyjGnMGx83Bm+fAYt/U
+gyXw1Ur7QjbbKlhZvaIFZprZL3YavjhgQg64dwIDAQABoxUwEzARBglghkgBhvhC
+AQEEBAMCBkAwDQYJKoZIhvcNAQEFBQADgYEAFGM8hI3QLDFaZYuiOMUyZpf1G4Pi
+OaFpA+syrqmcZXvVM+ioiRU1+Mbu0FFku0Ac9WWAwMyjIFh4ZQQYWfoEsQrH/hBJ
+BkD4zNAhjjPIuJ8iDs1sUqw91yq5UUeRQAzY3/rFZHvbeswQUDVOJaCSYuOt1gOc
+oZYY42gyvdmBnWc=
+-----END CERTIFICATE-----
+-----BEGIN DH PARAMETERS-----
+MEYCQQCZLOhh5tHEUjvRnBolCP22LO27aCcqwCfLPtGICExFfUi6dt1uxeTWh3Od
+Kr4x2UXbRAyuc7f0/akmlV2iXLNrAgEC
+-----END DH PARAMETERS-----
diff --git a/ssl/CA-Brehm/cacert.pem b/ssl/CA-Brehm/cacert.pem
new file mode 100644
index 0000000..2acae4b
--- /dev/null
+++ b/ssl/CA-Brehm/cacert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEXjCCA0agAwIBAgIJANXZwUXwSSF0MA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV
+BAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEOMAwGA1UE
+ChMFQnJlaG0xFDASBgNVBAMTC0ZyYW5rIEJyZWhtMSUwIwYJKoZIhvcNAQkBFhZm
+cmFua0BicmVobS1vbmxpbmUuY29tMB4XDTA2MTIwODIyMjUxNFoXDTA3MTIwODIy
+MjUxNFowfDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMG
+QmVybGluMQ4wDAYDVQQKEwVCcmVobTEUMBIGA1UEAxMLRnJhbmsgQnJlaG0xJTAj
+BgkqhkiG9w0BCQEWFmZyYW5rQGJyZWhtLW9ubGluZS5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCzdA4uA7do5IV6ontPiLv+c5m3bC6YpqN9yVHd
+H1E6GyGl/Z55C5+wPATJx31E+bR7bQfn1AnZu/b+BMnFU/TmTIyMvBc5IvsYgSjB
+fZDRwt5y5r20EWkJDudFIisOH03MUXVYOSt55JtIdLnMo4X1E/vqySDq0dCDFWOQ
+veQW7c+DdSTXSYKeQ8GSzOv2xzC4v+7VTgY93AxY/M5odrED9scyKvbidpgbZ0KR
+Ki8gK6IKVmwA9yFTOl73a+p3SWKiXPLbpJ1LpB5Ou/rMmXs2/tM8upOkeaei6pem
+QazMW+kDnvpVQgPbqv6REb40MOUThaaGz+YUNXQnMoJtZllFAgMBAAGjgeIwgd8w
+HQYDVR0OBBYEFIaqKzY2iHMTs78X3VHgAfLFncfKMIGvBgNVHSMEgacwgaSAFIaq
+KzY2iHMTs78X3VHgAfLFncfKoYGApH4wfDELMAkGA1UEBhMCREUxDzANBgNVBAgT
+BkJlcmxpbjEPMA0GA1UEBxMGQmVybGluMQ4wDAYDVQQKEwVCcmVobTEUMBIGA1UE
+AxMLRnJhbmsgQnJlaG0xJTAjBgkqhkiG9w0BCQEWFmZyYW5rQGJyZWhtLW9ubGlu
+ZS5jb22CCQDV2cFF8EkhdDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IB
+AQCrSRKbFKp7/ZkBTT5zBD+LR3BRyll4dcenp+XdSsjEWCdxEg7b08GaS7NelpwC
+Oj4YLZAtCqbsiOIy32FRkb2wdiGR7p1LwAyg4UOIfWjKTMRi9MNaWLMJn2tN1qcH
+jzyANwXb/WCRnU8WeGAGKvHWuuGce3lpOnxoX6h3lxAnsD06xGtOQjgvz2OS9ZWF
+RFKe96jWVosCFGbkZK4j3rRnW7PgbzMX8gcMISyQXEhhY52YMdLcFaoJhy25m+x3
+DROsgXG4aEVa+vrcXYYBp6PcUgpsRB7rKI41ArSWzF2thdzRPI2SjPwCVQ86373I
+R6DAmCw1msB4Do0EaLCoVYTF
+-----END CERTIFICATE-----
diff --git a/ssl/CA-Brehm/courier-imap/imapd.cnf b/ssl/CA-Brehm/courier-imap/imapd.cnf
new file mode 100644
index 0000000..3f67d55
--- /dev/null
+++ b/ssl/CA-Brehm/courier-imap/imapd.cnf
@@ -0,0 +1,23 @@
+
+RANDFILE = /usr/share/imapd.rand
+
+[ req ]
+default_bits = 1024
+encrypt_key = yes
+distinguished_name = req_dn
+x509_extensions = cert_type
+prompt = no
+
+[ req_dn ]
+C=DE
+ST=Brehm
+L=Brehm
+O=Brehm
+OU=Courier Mail Server IMAP SSL key
+CN=mail.brehm-online.com
+emailAddress=postmaster@brehm-online.com
+
+
+[ cert_type ]
+nsCertType = server
+
diff --git a/ssl/CA-Brehm/courier-imap/imapd.pem b/ssl/CA-Brehm/courier-imap/imapd.pem
new file mode 100644
index 0000000..076042e
--- /dev/null
+++ b/ssl/CA-Brehm/courier-imap/imapd.pem
@@ -0,0 +1,38 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC1qOWbPkrY1egkrFuPopaBG3+IFWUuwh9pXu6NpvNnEfuv6WBg
+vctKRzYPwtFnCS/5l8UWjKmLI7QEJTfAt7y7+W0A2+YvORT8DU3x3NfppF2NOGRi
+jIr3np6nJk7ALdjZQ69qyplXluv0NANNfQLXYJ4MViuKTpNNkP5Kw/uZGwIDAQAB
+AoGAEA39PNskgkVlXthcvzT/WCm1+7DoYFmHrShWrO40VMeiFsnpWqNrdAUXIg11
+tEV7l/Nx16xWz5U4M6WWZ9HVPCGL/k6hCuJYuV0jhWOBsTX5bIFEIaEKIHlTlgE8
+4jMM/oh4sY9QoQUuSR51LDt2FHz+h2e04XSY9LTAEY0jIgECQQDepX5Hk6Qr6t6D
+ZBHloid5UPVqdvyBw7C1Y8FyfNH0E1UGsTcFQHqSHyt1rqsgWOSUzkGoDvMIqi6x
+EZtR+LpjAkEA0N+Pi91wB1j6oK5cHn/N2fXag6UjVqJvxmYQoJk0PVfVUpihvMOi
+ENpLt1WTe618j5Fdf5oQfVFfVGYKy53H6QJBAIcxsJtf8FlmldTsx91LeHK3ET6j
+n7JgFIYgW8/cMVTnBEM7CrDatVLTMH2WIX1T3QDquX2GDlddl1qX2VuOEAcCQQCO
+vnnnZ+nL269MaFxkK4uOzUoMdar05gXlXJM4bfsZgRE0ZUMDMd9sDQN5w24LM8DQ
+jNONBMkIG7g+gY4XITkhAkBCuzBIWAr781FMsf6u5IKqY6Q2x/RM7ob8E67UBdhG
+C7J+p7S4zb+A7Uuyo3ibkR79bp53bt7qJl6Mpfo+EJOS
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAmagAwIBAgIJANY8AlrGDSx9MA0GCSqGSIb3DQEBBQUAMIG0MQswCQYD
+VQQGEwJERTEOMAwGA1UECBMFQnJlaG0xDjAMBgNVBAcTBUJyZWhtMQ4wDAYDVQQK
+EwVCcmVobTEpMCcGA1UECxMgQ291cmllciBNYWlsIFNlcnZlciBJTUFQIFNTTCBr
+ZXkxHjAcBgNVBAMTFW1haWwuYnJlaG0tb25saW5lLmNvbTEqMCgGCSqGSIb3DQEJ
+ARYbcG9zdG1hc3RlckBicmVobS1vbmxpbmUuY29tMB4XDTA2MTIwODIyNDMxOFoX
+DTEyMDEyNjIyNDMxOFowgbQxCzAJBgNVBAYTAkRFMQ4wDAYDVQQIEwVCcmVobTEO
+MAwGA1UEBxMFQnJlaG0xDjAMBgNVBAoTBUJyZWhtMSkwJwYDVQQLEyBDb3VyaWVy
+IE1haWwgU2VydmVyIElNQVAgU1NMIGtleTEeMBwGA1UEAxMVbWFpbC5icmVobS1v
+bmxpbmUuY29tMSowKAYJKoZIhvcNAQkBFhtwb3N0bWFzdGVyQGJyZWhtLW9ubGlu
+ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALWo5Zs+StjV6CSsW4+i
+loEbf4gVZS7CH2le7o2m82cR+6/pYGC9y0pHNg/C0WcJL/mXxRaMqYsjtAQlN8C3
+vLv5bQDb5i85FPwNTfHc1+mkXY04ZGKMiveenqcmTsAt2NlDr2rKmVeW6/Q0A019
+AtdgngxWK4pOk02Q/krD+5kbAgMBAAGjFTATMBEGCWCGSAGG+EIBAQQEAwIGQDAN
+BgkqhkiG9w0BAQUFAAOBgQAJcVq4xxeH1d86DoedzsqMZyT90Y5piL4NarwQekg8
+jP0+HytRdujAJB4ahKkixsUcrFIeO3ct5ZXervdwvLK5GCcnwu3Lxa33UF7HhpOA
+5+6bQXl4qh9+sL9UoxoRf2aMObVUsb0vEe7KTUViJ8rA7nI4Iny0icBJYKqvsxeH
+5Q==
+-----END CERTIFICATE-----
+-----BEGIN DH PARAMETERS-----
+MEYCQQCd+yD50BV7puqCKcLdensocjp8erVRJ7A5DmjUOicA2Xij9QcHfq7bvN6S
+yg50QJ8JcJVV+dyKaEm1zRyRitLzAgEC
+-----END DH PARAMETERS-----
diff --git a/ssl/CA-Brehm/courier-imap/mkcert b/ssl/CA-Brehm/courier-imap/mkcert
new file mode 100755
index 0000000..54edb90
--- /dev/null
+++ b/ssl/CA-Brehm/courier-imap/mkcert
@@ -0,0 +1,81 @@
+#! /bin/sh
+#
+# This is a short script to quickly generate a self-signed X.509 key for
+# Courier-IMAP/POP3 over SSL.
+
+test -x /usr/bin/openssl || exit 0
+
+CADir="/etc/ssl/CA-Brehm/courier-imap"
+prefix="/usr"
+randfile="$CADir/courier.rand"
+days=1875
+
+pemfile_imap="$CADir/imapd.pem"
+conffile_imap="$CADir/imapd.cnf"
+pemfile_orig_imap="/etc/courier-imap/imapd.pem"
+
+pemfile_pop3="$CADir/pop3d.pem"
+conffile_pop3="$CADir/pop3d.cnf"
+pemfile_orig_pop3="/etc/courier-imap/pop3d.pem"
+
+if [ -f $pemfile_imap ]; then
+  echo "$pemfile_imap already exists."
+  exit 1
+fi
+
+if [ -f $pemfile_pop3 ]; then
+  echo "$pemfile_pop3 already exists."
+  exit 1
+fi
+
+if [ ! -f $conffile_imap ] ; then
+  echo "$conffile_imap does not exists!"
+  exit 2
+fi
+
+if [ ! -f $conffile_pop3 ] ; then
+  echo "$conffile_pop3 does not exists!"
+  exit 2
+fi
+
+cp /dev/null $pemfile_imap
+chmod 600 $pemfile_imap
+chown root $pemfile_imap
+
+cp /dev/null $pemfile_pop3
+chmod 600 $pemfile_pop3
+chown root $pemfile_pop3
+
+cleanup() {
+  echo
+  echo "Emergency Cleanup ..." >&2
+  rm -f $pemfile_imap
+  rm -f $pemfile_pop3
+  rm -f $randfile
+  exit 10
+}
+
+echo
+echo "Generating Random file '$randfile' ..."
+dd if=/dev/urandom of=$randfile count=1 2>/dev/null
+
+echo
+echo "Generating Cert for IMAP ..."
+/usr/bin/openssl req -new -x509 -days $days -nodes \
+        -config $conffile_imap -out $pemfile_imap -keyout $pemfile_imap || cleanup
+/usr/bin/openssl gendh -rand $randfile 512 >> $pemfile_imap || cleanup
+/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in $pemfile_imap || cleanup
+
+echo
+echo "Generating Cert for POP3 ..."
+/usr/bin/openssl req -new -x509 -days $days -nodes \
+        -config $conffile_imap -out $pemfile_pop3 -keyout $pemfile_pop3 || cleanup
+/usr/bin/openssl gendh -rand $randfile 512 >> $pemfile_pop3 || cleanup
+/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in $pemfile_pop3 || cleanup
+
+echo
+echo "Installing Certificates ..."
+cp -pv $pemfile_imap $pemfile_orig_imap
+cp -pv $pemfile_pop3 $pemfile_orig_pop3
+rm -f $randfile
+
diff --git a/ssl/CA-Brehm/courier-imap/pop3d.cnf b/ssl/CA-Brehm/courier-imap/pop3d.cnf
new file mode 100644
index 0000000..75af52d
--- /dev/null
+++ b/ssl/CA-Brehm/courier-imap/pop3d.cnf
@@ -0,0 +1,23 @@
+
+RANDFILE = /usr/share/pop3d.rand
+
+[ req ]
+default_bits = 1024
+encrypt_key = yes
+distinguished_name = req_dn
+x509_extensions = cert_type
+prompt = no
+
+[ req_dn ]
+C=DE
+ST=Berlin
+L=Berlin
+O=Brehm
+OU=Courier Mail Server POP3 SSL key
+CN=mail.brehm-online.com
+emailAddress=postmaster@brehm-online.com
+
+
+[ cert_type ]
+nsCertType = server
+
diff --git a/ssl/CA-Brehm/courier-imap/pop3d.pem b/ssl/CA-Brehm/courier-imap/pop3d.pem
new file mode 100644
index 0000000..bf5575c
--- /dev/null
+++ b/ssl/CA-Brehm/courier-imap/pop3d.pem
@@ -0,0 +1,38 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDeQ2lyjAA32nPw9bGNQ6cJDbgpJVTPircwIjwthdDomVOn6uEZ
+s31kUeTHcV1UFYqKQbur7zeW0fl5AHV8fhTWIODuNGUduzgrkl/NMy753s3YJcro
+8A4T6JlXz9rHGS0P1rWt/ZJX3zty3gwNZdDLI4tw5ThPkRDGmxYe4tUCMQIDAQAB
+AoGBAIQYgIUpm7+WP64H99xDRvTkiH07yKoIgVNEJYvQqhZzefqkZ+BEgtOqsFOw
+lo0wuEPvSUCoTdt/M8uscCbrMCnviwxU/DRTEIdHdhpSKK0mJoLoZBM4Ds9/kWv2
+ObkM9injHM814alaeeb9Es8vCH0AlfgZ1UWy1jV840InA3GhAkEA84xxxGygCSix
+sYh/1lU6RKgIHlMhVG/2ecjS6TbhtRy4gIzBgobvRgO7Oq788FJ9W0Gl8BpXGJ9H
+E4LfJL4/XQJBAOmgYu+NljdEUSRONr0DZYN85ERB39iz2L9ZJucnqrhQz+UHZtfr
++9k5z5hcyVu+joBnme1/P0GCwWfJGPMeZOUCQQDCV6fQ3f02Ucq5p/qaxZehgZQ4
+3o0SG+XKeH4Uqz6gjzKLIcaoqZP1grS8tzYPb0OotlH7rokhlLfa0evOHiHhAkAo
+6ODqOczYGKpsxRVou7OG9tOx8CcWd0e5Gg9p4tROOjhtToJ/xN7xBuKHN5g67H9f
+lMSrheC5w//CAMDRsbzRAkBPZjC3hnI4k2+ThAe1S9NQVpoYbyUu5qzxr3iqNvxJ
+77xF+LcDPgVPCl6wwy+/oKl4SPSKLgWmRCVY1jzmLaVq
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAmagAwIBAgIJANqm0jsS+ZuZMA0GCSqGSIb3DQEBBQUAMIG0MQswCQYD
+VQQGEwJERTEOMAwGA1UECBMFQnJlaG0xDjAMBgNVBAcTBUJyZWhtMQ4wDAYDVQQK
+EwVCcmVobTEpMCcGA1UECxMgQ291cmllciBNYWlsIFNlcnZlciBJTUFQIFNTTCBr
+ZXkxHjAcBgNVBAMTFW1haWwuYnJlaG0tb25saW5lLmNvbTEqMCgGCSqGSIb3DQEJ
+ARYbcG9zdG1hc3RlckBicmVobS1vbmxpbmUuY29tMB4XDTA2MTIwODIyNDMyMFoX
+DTEyMDEyNjIyNDMyMFowgbQxCzAJBgNVBAYTAkRFMQ4wDAYDVQQIEwVCcmVobTEO
+MAwGA1UEBxMFQnJlaG0xDjAMBgNVBAoTBUJyZWhtMSkwJwYDVQQLEyBDb3VyaWVy
+IE1haWwgU2VydmVyIElNQVAgU1NMIGtleTEeMBwGA1UEAxMVbWFpbC5icmVobS1v
+bmxpbmUuY29tMSowKAYJKoZIhvcNAQkBFhtwb3N0bWFzdGVyQGJyZWhtLW9ubGlu
+ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN5DaXKMADfac/D1sY1D
+pwkNuCklVM+KtzAiPC2F0OiZU6fq4RmzfWRR5MdxXVQViopBu6vvN5bR+XkAdXx+
+FNYg4O40ZR27OCuSX80zLvnezdglyujwDhPomVfP2scZLQ/Wta39klffO3LeDA1l
+0Msji3DlOE+REMabFh7i1QIxAgMBAAGjFTATMBEGCWCGSAGG+EIBAQQEAwIGQDAN
+BgkqhkiG9w0BAQUFAAOBgQADISOUsK2dtfAD/Go6fGxCA91/SL1FxpkxfWSA9oG0
+9GBZRlEjrbXA5Gn8DijbZ91CArjAEJlYrNPihSD5qzFgbsbD99HDV7js3HW1TODA
+QVcrEwQGsYUQyA0UOF0AByx3CuppglkayBNBFxoDYUHfK9SavdMLnUuo68Skd+9g
+tA==
+-----END CERTIFICATE-----
+-----BEGIN DH PARAMETERS-----
+MEYCQQChYtoCiG16r+tbnSsmbpI+AMuNv4rmN/hkoTWvAMdmy3OcWIkBuhepTkZA
+yF1zxkBIH3wW6w40eqNW0W0j0uxzAgEC
+-----END DH PARAMETERS-----
diff --git a/ssl/CA-Brehm/postfix/mkcert b/ssl/CA-Brehm/postfix/mkcert
new file mode 100755
index 0000000..d2c68c1
--- /dev/null
+++ b/ssl/CA-Brehm/postfix/mkcert
@@ -0,0 +1,44 @@
+#! /bin/sh
+#
+# This is a short script to quickly generate a self-signed X.509 key for
+# Postfix over SSL.  Normally this script would get called by an automatic
+# package installation routine.
+
+test -x /usr/bin/openssl || exit 0
+
+CADir="/etc/ssl/CA-Brehm/postfix"
+prefix="/usr"
+pemfile="$CADir/postfix.pem"
+randfile="$CADir/postfix.rand"
+conffile="$CADir/postfix-cert.cnf"
+pemfile_orig="/etc/postfix/postfix.pem"
+days=1875
+
+if [ -f $pemfile ]; then
+  echo "$pemfile already exists."
+  exit 1
+fi
+
+if [ ! -f $conffile ] ; then
+  echo "$conffile does not exists!"
+  exit 2
+fi
+
+cp /dev/null $pemfile
+chmod 600 $pemfile
+chown root $pemfile
+
+cleanup() {
+  rm -f $pemfile
+  rm -f $randfile
+  exit 1
+}
+
+dd if=/dev/urandom of=$randfile count=1 2>/dev/null
+/usr/bin/openssl req -new -x509 -days $days -nodes \
+        -config $conffile -out $pemfile -keyout $pemfile || cleanup
+/usr/bin/openssl gendh -rand $randfile 512 >> $pemfile || cleanup
+/usr/bin/openssl x509 -subject -dates -fingerprint -noout -in $pemfile || cleanup
+rm -f $randfile
+cp -pv $pemfile $pemfile_orig
+
diff --git a/ssl/CA-Brehm/postfix/postfix-cert.cnf b/ssl/CA-Brehm/postfix/postfix-cert.cnf
new file mode 100644
index 0000000..c0bf6c0
--- /dev/null
+++ b/ssl/CA-Brehm/postfix/postfix-cert.cnf
@@ -0,0 +1,23 @@
+
+RANDFILE = /usr/share/postfix.rand
+
+[ req ]
+default_bits = 1024
+encrypt_key = yes
+distinguished_name = req_dn
+x509_extensions = cert_type
+prompt = no
+
+[ req_dn ]
+C=DE
+ST=Berlin
+L=Berlin
+O=Berlin
+OU=Mail Server Postfix SSL key
+CN=mail.brehm-online.com
+emailAddress=postmaster@brehm-online.com
+
+
+[ cert_type ]
+nsCertType = server
+
diff --git a/ssl/CA-Brehm/postfix/postfix.pem b/ssl/CA-Brehm/postfix/postfix.pem
new file mode 100644
index 0000000..bd1f5cf
--- /dev/null
+++ b/ssl/CA-Brehm/postfix/postfix.pem
@@ -0,0 +1,37 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCVlGvxjXWhKDqEUkTPZO9/9b0js236ON9tt9aKDFVSrkRBtMwM
+xjkWHpc3jNT5aHtFTvalZHzr/Aa9+NTnJMKtiBTBrcyNnQUtOVQH8zbg8JrqJgj/
+MVS+gF4Aae43ofTk5juYCoh4QDXBAC//+AdhOe/FVs6jybn5G6ir/ekFBwIDAQAB
+AoGBAIwKGglbRA6uaCKsFyoIOMYXHo4HFebXSi8hl2VFaLhw2QyfJQ6sopOX7kEe
+w+IBNK/N3tM3wlD5cqJ3DXSeEPgR7laeOTC7F5cedC/ISHSvOXLVMYSnauo8H1Wi
+oZV7Vq2tKvWBCV5n20c7Q8QEtawEdQeR5Pm2xxMAlbL86+6ZAkEAxCXYH16+luHy
+LOUD5PycMu5rfbel8t5ZtKRRpD2K47/XzwSbOWG5Om6Z8mm49NeU8f6IZpiwfAyb
+H9atpa/6XQJBAMM45cHZZVjBl/2YfeF1MsFlGz3I7n7yfOHhzfkM3qPQBM0Ll8J5
+RcIADMUsGv4fcZU8/HBiwzf6WvoT17TdbrMCQBhMs+yW+TeKAE2NhaD9poAsx0ZI
+1Rc0cpqNbMvTD/zNDHhKEszWDXNutkWw0UgL2Rjttoo3Sk3j5efY2aRYG8UCQA0t
+ohTb4AOFzgTIbnbxumNjt9sL3U2kgNmerJDLVZwpRqmwxqXSGetmpXYJ7CiLZtd0
+LnZHtHXq6IlJHZ6P9BECQQCPnAVHvkVSnjjvDdFVsl8SCZAWHLgHhqd+tm3fhZ8W
+fFnqE/VQqXQhPgIvvHDvXoKpnMy6dEz2rMvJMzSBEs72
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIC+TCCAmKgAwIBAgIJAK12Jv+IhCZ4MA0GCSqGSIb3DQEBBQUAMIGyMQswCQYD
+VQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xDzANBgNV
+BAoTBkJlcmxpbjEkMCIGA1UECxMbTWFpbCBTZXJ2ZXIgUG9zdGZpeCBTU0wga2V5
+MR4wHAYDVQQDExVtYWlsLmJyZWhtLW9ubGluZS5jb20xKjAoBgkqhkiG9w0BCQEW
+G3Bvc3RtYXN0ZXJAYnJlaG0tb25saW5lLmNvbTAeFw0wNjEyMDgyMjQ2MjhaFw0x
+MjAxMjYyMjQ2MjhaMIGyMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmVybGluMQ8w
+DQYDVQQHEwZCZXJsaW4xDzANBgNVBAoTBkJlcmxpbjEkMCIGA1UECxMbTWFpbCBT
+ZXJ2ZXIgUG9zdGZpeCBTU0wga2V5MR4wHAYDVQQDExVtYWlsLmJyZWhtLW9ubGlu
+ZS5jb20xKjAoBgkqhkiG9w0BCQEWG3Bvc3RtYXN0ZXJAYnJlaG0tb25saW5lLmNv
+bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlZRr8Y11oSg6hFJEz2Tvf/W9
+I7Nt+jjfbbfWigxVUq5EQbTMDMY5Fh6XN4zU+Wh7RU72pWR86/wGvfjU5yTCrYgU
+wa3MjZ0FLTlUB/M24PCa6iYI/zFUvoBeAGnuN6H05OY7mAqIeEA1wQAv//gHYTnv
+xVbOo8m5+Ruoq/3pBQcCAwEAAaMVMBMwEQYJYIZIAYb4QgEBBAQDAgZAMA0GCSqG
+SIb3DQEBBQUAA4GBAGeli/w5sD8LIbhA8qcmdK1QB9w/nvI0RSGDuZtsKl97TVQj
+cCAW7FS2U6gyA+7hJfIMZT/kMGVM9ygnU6VKmfuj8q7qsG29jOOleafYuFwKph2D
+Ft4m/OauBW0riNbJ7IT923QwBCTgpVo/sf3Hb1HKf3VqGxaPTQU4wrLJWDsj
+-----END CERTIFICATE-----
+-----BEGIN DH PARAMETERS-----
+MEYCQQDjc+Kujf6R+XMJT/3bPZhUBp/67Tano3opslrBIl0vQILYHhUB6yErvMFo
+eVYwt/wMP409NZOlIBvkwYemzXz7AgEC
+-----END DH PARAMETERS-----
diff --git a/ssl/CA-Brehm/private/ca.key.unsecure b/ssl/CA-Brehm/private/ca.key.unsecure
new file mode 100644
index 0000000..7581afd
--- /dev/null
+++ b/ssl/CA-Brehm/private/ca.key.unsecure
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAs3QOLgO3aOSFeqJ7T4i7/nOZt2wumKajfclR3R9ROhshpf2e
+eQufsDwEycd9RPm0e20H59QJ2bv2/gTJxVP05kyMjLwXOSL7GIEowX2Q0cLecua9
+tBFpCQ7nRSIrDh9NzFF1WDkreeSbSHS5zKOF9RP76skg6tHQgxVjkL3kFu3Pg3Uk
+10mCnkPBkszr9scwuL/u1U4GPdwMWPzOaHaxA/bHMir24naYG2dCkSovICuiClZs
+APchUzpe92vqd0liolzy26SdS6QeTrv6zJl7Nv7TPLqTpHmnouqXpkGszFvpA576
+VUID26r+kRG+NDDlE4Wmhs/mFDV0JzKCbWZZRQIDAQABAoIBACA+BtovosF+5Zie
+HuewWo6iOIkjL9APiKpuBH5lRRPakhYf1lxLQVrJvdZ/ODuvXcUbVuNJTqfHRN5o
+/9OrfQHv2QTkOovyhAjoE+mH5QA7MfqVCJqU0jllaxoZxICaEUFXlWzPgMc60seW
+6VciPkxFVereTkLCheM3cZcs9xFDRhEscHxGxrkZ1f2VxHysUPz+pcGnb6P/EGKW
+0P6SNcgct0IrvUjxZp3aztLMW82rRgYLLDhsycWues0fllNzLJJMjx34PtLqp7s0
+jhefaJvsBDUJLMkSufOgv6iMXCxLYEiCQqiOVgJlzL3jAZoFf6M7FuAnPu2L/RcY
+DUA/SvUCgYEA2Xw2HpaHwtQNtC814t62EmuleWK0FO21sDMUTN4FLaW/eGDZTqr2
+FvjIh64slkbfd0sr9IOV1OiRfdJzLw5xzpJrJnpEae/QdfBV04FYBYr3gbBbK+0N
+cq5vFdR2HQ2U52mze9YBWZDe1jywMSyJ9iMUhsEkt7rEFch2cFlJYJsCgYEA0zun
+FYsEsI1YkzIRvXKULipTYc8a4cfXIKaLkoin/QYGGZkj7QitwcmPTQnANY6jKMh9
+DhOWmmQs5uSF3V4+TdQh284SoiAdmz1/q8IECU7KKIswuyy50lSKZLk/y3mmnxLa
+Zu8RCkjNLSQkr/H+8r/xlteaMxfq1+Z7cu2ZG58CgYEAzqFe4ezvC8JhSsJYFja3
+EgVIcG3A3umCZ+f/75A5p0cFBaAulrmDmgvAqnhnUFgB1NuM5YFnh6N3J+4dFaZJ
+ppQiTap4+ZWpn4Q6ZvtK3+lKguNFnBRbZIwqarkzhyLySHN63btUCP7FWRLL68x/
+P2XRCL7U3eMKjg+px9BtEOUCgYEAsaoQxIvi6+RWxadtSFygyZuL+k5Jm/GLvciW
+yC7srGJuqwUlNG8CRmYTg4ZaBjHshZbrp/VNzJnJMoKvHRvxZ2CvAcN35KkCfdni
+EkLjRjjgy+0Wlbfuqzu0EzfEso2lWVJwI/eb63yEJh2qRdpSxzYuKuM4rRTGz8Tp
+vCafip0CgYB04ddKSKM46RsUVsyWs09EUKXrgdOS8JRx08ytYAAZwIhPN1+BuPRS
+iz790dimDGgfkmMzygpI+aGwjAv/0nl8Loe3LnJIbYkfeGa2/HXjzpnsNOa6KKLU
+9tPY+b5OWejtCiayhuu7ro0yEqaGGJtsdG0JaeSxtsN80jYUUNDhOg==
+-----END RSA PRIVATE KEY-----
diff --git a/ssl/CA-Brehm/private/cakey.pem b/ssl/CA-Brehm/private/cakey.pem
new file mode 100644
index 0000000..8726e72
--- /dev/null
+++ b/ssl/CA-Brehm/private/cakey.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,C9EB11CBB307A1DC
+
+9xwsypRNanPOrJDTAhnq291sYpHTmONc4nmigFl/fQUf4SINjBFnS/AzNXT7n9PY
+mN1W9dAhdj8Mn2dJIg7qhIFzmGkXrgJ2wAoM2j9nXCpHcLyeziaILCNHcQWE71yC
+8uy7bmSsVMLzuNKbuv2EPa0Jg0oEoxoUcvJ3uTV2frcTxo3dmDtKgAtTAaHCoXZR
+skhwVJAn9+qN5ZzJEV1iJPDsvUyx4+PkGL2H2SEpri5WLZoMvBAE7xYD2lQNjCvT
+kg0rHbK9xDs9dq0/BmpUWAX4Gt2e6LRXeaYIyGKhxa/k8nnebjgmOnEFUuNnf4dE
+PWv1ccyMVmdWzFVqZQeVw4ad9XS9zoX2OoxQTVzq3P+nGUMU5D4Bu4T/z3w7SQvG
+DfKldmBLDz/24HpyP5TzRZ3VEjqFos73gmnfbLaZGSWMCRSeDR5x5XnhB4ZfPAxK
+qzAgXLtdcqv/j6Y9ucjdjEBOmWFa3TLlvQGFIZdKhdKRDXPT8WqOLb1DO+o2tHXY
+bTGqvE6F2uL57tosAatFrn+XLYSpLS/vY9cOs+j2cSKfBe4a4qpAqWx9Tk4pR/nK
+VWxyHvLKbjSdFo3Fqq+O/4k1sMd6FpD4oh5WHD1U7/Seoe6HKgi5OkJpwywZxCJC
+rRRSPpwI2GKwOR1CzEZm/Z2RAQH2xbhOr95vaPXRGR4yCjQWLSxDdk6qCfPF60mE
+ZEtWaDvMSkoBEs+ZHlAgZ/rXtylYdq2AvSD6eMz8zPhKdc+zlMHwl7ZlY8zQbsXZ
+8ae4EqgUBczEODOfrYHfjAujDqkE6dqapcMeJlZCVHRXV1IvSItXBfvTN7XPOSAG
+7nZ3oR4xdUFiOLZtcQ7okXU95B9isv1Aaix1JSj707f8MlG81qXM5eFJ/Na8fLy/
+4QMhuYazOd9MB/rPHwilUng+Mc0Ih3XChgZxcfMaCqwu87pE7t9WlmjL4KU5nXBK
+OwwbaYq3IOuIwb+vYIlR1Dl3uALRTwmaeDbP9D7qPf+sLo3YpKbSaqtIoZOyM33l
+zRjZu4lsLIQwHc6HrJCio+VlvzuzXdVAxQ6EHMsuZQXHbHb+qWI/tF/QQchGRvO6
+G8lhAwhiVXOZZxr42rZRfeJvePX2ERl/buAOsOcKZMUz5wWFfB2pX5up1wQpr5ew
+XFz7l5LMMytiLSVzskMadZkSoA8Kta6C7eK72nRvg8A3TtL0tgu9a5BZPCngtjRj
+qeBbM6ry7idy9uDkLIeX+9t0m25HWNMnFG0xkFmZyw3RSaSDCHKITbnu5xDPh5BD
+qZpl9u7ihlrKMvzcy3HYkNuRsofvvE7yz2O9+/WhHjHKx1HEyGFln3OE0+5VMFOM
+/fDwxvz8SWso0a/uXnJsO6qssFvGcMTh9YMkUkktwUZW06gQhSVJfq9avnqsOqIJ
+BN9JLXVw71u8qqaGjao8fO9XI90X1b49SFYAfTvWHRy9BHNjj31/8rbN4/ZX9Ih/
+uSZ5bN0giKLQ+Gg12HziODsOeSkSVRY+MYeSyFR5X2vrw3ljU7focK3f2N3Uz8z0
+YtHicwrN7j9IgQze9+mrrVQSTast8eL6EK8tYlyw5Floby2NWH8D2/5kETXYaojX
+-----END RSA PRIVATE KEY-----
diff --git a/ssl/CA-Brehm/stunnel/mkcert b/ssl/CA-Brehm/stunnel/mkcert
new file mode 100755
index 0000000..cd3ac76
--- /dev/null
+++ b/ssl/CA-Brehm/stunnel/mkcert
@@ -0,0 +1,111 @@
+#!/bin/bash
+#
+# This is a short script to quickly generate a self-signed X.509 key for
+# Courier-IMAP/POP3 over SSL.
+
+set -e
+
+test -x /usr/bin/openssl || exit 0
+
+CADir="/etc/ssl/CA-Brehm/stunnel"
+prefix="/usr"
+randfile="$CADir/stunnel.rand"
+days=1875
+do_install=0
+
+if [ "${#BASH_ARGV[@]}" == "0" ]; then
+    echo "No instances to generate certificates given." >&2
+    exit 1
+fi
+
+echo
+echo "Generating Random file '$randfile' ..."
+dd if=/dev/urandom of=$randfile count=1 2>/dev/null
+
+clear_randfile() {
+    if [ -f "${randfile}" ] ; then
+        
+    fi
+}
+
+trap clear_randfile INT TERM EXIT
+
+for i in "${BASH_ARGV[@]}"; do
+    echo
+    echo " - '${i}'"
+    echo
+
+    target_dir="${CADir}/${i}"
+
+    if [ ! -d "${target_dir}" ] ; then
+        echo "   Creating directory ${target_dir} ..."
+        mkdir -p "${target_dir}" || exit 3
+    fi
+
+    pemfile="${target_dir}/${i}-cert.pem"
+    conffile="${target_dir}/${i}-cert.cnf"
+
+    if [ ! -f "${conffile}" ] ; then
+    fi
+
+done
+
+exit 0
+Instances="webmail myadmin"
+
+for i in $Instances ; do
+
+  pemfile="$CADir/$i-cert.pem"
+  conffile="$CADir/$i-cert.cnf"
+
+  if [ -f $pemfile ]; then
+    echo "$pemfile already exists."
+    continue
+  fi
+  do_install=1
+
+  if [ ! -f $conffile ] ; then
+    echo "$conffile does not exists!"
+    exit 2
+  fi
+
+  cp /dev/null $pemfile
+  chmod 600 $pemfile
+  chown root $pemfile
+
+  cleanup() {
+    echo
+    echo "Emergency Cleanup ..." >&2
+    rm -f $pemfile
+    rm -f $randfile
+    exit 10
+  }
+
+  echo "Generating Cert for IMAP ..."
+  /usr/bin/openssl req -new -x509 -days $days -nodes \
+          -config $conffile -out $pemfile -keyout $pemfile || cleanup
+  /usr/bin/openssl gendh -rand $randfile 512 >> $pemfile || cleanup
+  /usr/bin/openssl x509 -subject -dates -fingerprint -noout -in $pemfile || cleanup
+
+done
+
+if [ "$do_install" = "1" ] ; then
+
+  echo
+  echo "Installing Certificates ..."
+
+  for i in $Instances ; do
+
+    pemfile="$CADir/$i-cert.pem"
+    pemfile_orig="/etc/apache2/ssl/$i-cert.pem"
+
+    cp -pv $pemfile $pemfile_orig
+
+  done
+
+fi
+
+rm -f $randfile
+
+
+# vim: ts=4 expandtab
diff --git a/ssl/CA-Brehm/stunnel/stunnel-cert.cnf b/ssl/CA-Brehm/stunnel/stunnel-cert.cnf
new file mode 100644
index 0000000..dabb192
--- /dev/null
+++ b/ssl/CA-Brehm/stunnel/stunnel-cert.cnf
@@ -0,0 +1,22 @@
+RANDFILE = /usr/share/webmail.rand
+
+[ req ]
+default_bits = 1024
+encrypt_key = yes
+distinguished_name = req_dn
+x509_extensions = cert_type
+prompt = no
+
+[ req_dn ]
+C=DE
+ST=Berlin
+L=Berlin
+O=Brehm
+OU=Frank Brehm SSL Key
+CN=myadmin.brehm-online.com
+emailAddress=frank@brehm-online.com
+
+
+[ cert_type ]
+nsCertType = server
+
diff --git a/ssl/CA-Brehm/stunnel/stunnel.rand b/ssl/CA-Brehm/stunnel/stunnel.rand
new file mode 100644
index 0000000000000000000000000000000000000000..5f47e0594bdac4865e398b96ba3b5a13db246b86
GIT binary patch
literal 512
zcmV+b0{{KFaBz##Li$9v5MT!6I2zVxp+alOa@ZoN9<*rFXB$C(bD22$N7Y5B`O?h&
zBq41~t_&AZ29Qy8`E!hJl$~=S(8y941GIB4cU#prjL5wEE=K7p6%-9@Kd=F!q0=+q
zAe4Tp*A9%D-oB(5BdjBa<^31PeT;v1aa~80;_Lq8sdK4BiZ*mkm2LD^!z4Y6{MXv_
zM+hZtQmaCIf>A>MdqL~KTKdy@wiU2GQW=HISenRt$eDwJND~-xlqq}am6&lSAucYI
z=Zy<MJtpf#ldHI{OLP=mpVz(VXZOwlRLivvi<(z}NmBN0WJ4eBT}ku>Rb)7S4kZOX
zDH<86*BrGW#NX71T0@BOue2$V{BMH7sNXCA8ta`=FVbX1sX5KiTH6Mep{0I_%RAj;
zm0(=g0MKFo@y;s-ddfIELLqZvAGnKR_ZOXP`5>+Jpw!OW<=nI;iFBG;X$PeuQ{Eq?
zL49n`n$f&xO3IVDkL<vEn57wmQ1aPir_RtTmSofR^XgFexdOK`Y8&D#1NrQG{F0r+
z23&b+6nvx=NF*Q4rlqf31OEgapkC^=TjUmTw7oaLkp`KHyUT-3JGfe9YI=T$F&}aT
zRi8J?XU9BAp%FXa?{9Q+cs7xI0ZZBN>>DVH_`nHY%&1(myoi;<j6U5KBFVBr6Rc~g
C(f#iL

literal 0
HcmV?d00001

diff --git a/ssl/CA-Brehm/uhu.txt b/ssl/CA-Brehm/uhu.txt
new file mode 100644
index 0000000..5c01c23
--- /dev/null
+++ b/ssl/CA-Brehm/uhu.txt
@@ -0,0 +1 @@
+up2UdLCE
diff --git a/ssl/openssl.cnf b/ssl/openssl.cnf
index 18760c6..0eda4ba 100644
--- a/ssl/openssl.cnf
+++ b/ssl/openssl.cnf
@@ -39,7 +39,7 @@ default_ca	= CA_default		# The default ca section
 ####################################################################
 [ CA_default ]
 
-dir		= ./demoCA		# Where everything is kept
+dir		= /etc/ssl/CA-Brehm	# Where everything is kept
 certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
@@ -52,7 +52,7 @@ serial		= $dir/serial 		# The current serial number
 crlnumber	= $dir/crlnumber	# the current crl number
 					# must be commented out to leave a V1 CRL
 crl		= $dir/crl.pem 		# The current CRL
-private_key	= $dir/private/cakey.pem# The private key
+private_key	= $dir/private/cakey.pem	# The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
 x509_extensions	= usr_cert		# The extentions to add to the cert
@@ -70,7 +70,7 @@ cert_opt 	= ca_default		# Certificate field options
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions	= crl_ext
 
-default_days	= 365			# how long to certify for
+default_days	= 1875			# how long to certify for
 default_crl_days= 30			# how long before next CRL
 default_md	= default		# use public key default MD
 preserve	= no			# keep passed DN ordering
@@ -83,8 +83,8 @@ policy		= policy_match
 # For the CA policy
 [ policy_match ]
 countryName		= match
-stateOrProvinceName	= match
-organizationName	= match
+stateOrProvinceName	= optional
+organizationName	= optional
 organizationalUnitName	= optional
 commonName		= supplied
 emailAddress		= optional
@@ -126,12 +126,12 @@ string_mask = utf8only
 
 [ req_distinguished_name ]
 countryName			= Country Name (2 letter code)
-countryName_default		= AU
+countryName_default		= DE
 countryName_min			= 2
 countryName_max			= 2
 
 stateOrProvinceName		= State or Province Name (full name)
-stateOrProvinceName_default	= Some-State
+stateOrProvinceName_default	= Berlin
 
 localityName			= Locality Name (eg, city)
 
diff --git a/ssl/openssl.cnf.default b/ssl/openssl.cnf.default
new file mode 100644
index 0000000..18760c6
--- /dev/null
+++ b/ssl/openssl.cnf.default
@@ -0,0 +1,350 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		= 
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem# The private key
+RANDFILE	= $dir/private/.rand	# private random number file
+
+x509_extensions	= usr_cert		# The extentions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= AU
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+
+localityName			= Locality Name (eg, city)
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (e.g. server FQDN or YOUR name)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType			= server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1	# the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir		= ./demoCA		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests		= md5, sha1		# Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
diff --git a/stunnel/old/stunnel.crt b/stunnel/old/stunnel.crt
new file mode 100644
index 0000000..0e84f80
--- /dev/null
+++ b/stunnel/old/stunnel.crt
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxTCCAi6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbnRhIEJhcmJhcmExEzAR
+BgNVBAoTClNTTCBTZXJ2ZXIxIjAgBgNVBAsTGUZvciBUZXN0aW5nIFB1cnBvc2Vz
+IE9ubHkxFTATBgNVBAMTDGxvY2FsaG9zdCBDQTEdMBsGCSqGSIb3DQEJARYOcm9v
+dEBsb2NhbGhvc3QwHhcNMTIwMTMxMDgwODQyWhcNMTQwMTMwMDgwODQyWjCBpjEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbnRh
+IEJhcmJhcmExEzARBgNVBAoTClNTTCBTZXJ2ZXIxIjAgBgNVBAsTGUZvciBUZXN0
+aW5nIFB1cnBvc2VzIE9ubHkxEjAQBgNVBAMTCWxvY2FsaG9zdDEdMBsGCSqGSIb3
+DQEJARYOcm9vdEBsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+ALfGtvMfLVrk2M77BotkfYwFtMI7JGK8FVIxL0EmaEK/BeSvYAEvMkgrxlDvCYmF
+WrcYMJ4el+lguhtGJuD4qjsih0iX3fI5I0rFPi62Vr9KcjRo9pC6RL2Ew3XtLE5T
+Am68vS7ZleK9Vzh3eRY5ZXUlS3Dn6W6mA94RLeabu5erAgMBAAEwDQYJKoZIhvcN
+AQEFBQADgYEAs45mxYjtJiLLaI69hjlaEF+KE9mKqof9MW+yxFoX6iJothBnHZoq
+vxQizuKcb8kgjn5jq2Qpp1E0IPMcEDzsN9J7n0jSGTG5PcxWpo/lqWkSZg7mUwKc
+V0lquy4FDrJe51A8dNN+cd0JXsERKLqfKXonhFcVea9qzde+VHOBjlI=
+-----END CERTIFICATE-----
diff --git a/stunnel/old/stunnel.csr b/stunnel/old/stunnel.csr
new file mode 100644
index 0000000..68594ae
--- /dev/null
+++ b/stunnel/old/stunnel.csr
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB5zCCAVACAQAwgaYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
+MRYwFAYDVQQHEw1TYW50YSBCYXJiYXJhMRMwEQYDVQQKEwpTU0wgU2VydmVyMSIw
+IAYDVQQLExlGb3IgVGVzdGluZyBQdXJwb3NlcyBPbmx5MRIwEAYDVQQDEwlsb2Nh
+bGhvc3QxHTAbBgkqhkiG9w0BCQEWDnJvb3RAbG9jYWxob3N0MIGfMA0GCSqGSIb3
+DQEBAQUAA4GNADCBiQKBgQC3xrbzHy1a5NjO+waLZH2MBbTCOyRivBVSMS9BJmhC
+vwXkr2ABLzJIK8ZQ7wmJhVq3GDCeHpfpYLobRibg+Ko7IodIl93yOSNKxT4utla/
+SnI0aPaQukS9hMN17SxOUwJuvL0u2ZXivVc4d3kWOWV1JUtw5+lupgPeES3mm7uX
+qwIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEANZdsszYbhiDnj3c6VzFIS8Lb69YE
+c0Tg5ZVA2sV7y7ixf+tGpiELCPJHTAG7jzI0S5wj9p8S0M13miHDVE+qasRYO7S9
+pZelxcgjXqSXA9WG3lGQ+URNJJ0c94grESMNRKGFaotme6SKN+ao9K/BoGlF183N
+2xWCg0W5UYynDJc=
+-----END CERTIFICATE REQUEST-----
diff --git a/stunnel/old/stunnel.key b/stunnel/old/stunnel.key
new file mode 100644
index 0000000..d369e99
--- /dev/null
+++ b/stunnel/old/stunnel.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQC3xrbzHy1a5NjO+waLZH2MBbTCOyRivBVSMS9BJmhCvwXkr2AB
+LzJIK8ZQ7wmJhVq3GDCeHpfpYLobRibg+Ko7IodIl93yOSNKxT4utla/SnI0aPaQ
+ukS9hMN17SxOUwJuvL0u2ZXivVc4d3kWOWV1JUtw5+lupgPeES3mm7uXqwIDAQAB
+AoGAY6yCY6CAP/Eo6jHaHdY2BbC+li3vkSGDyt1kTMig+bqTXrIDtwC7G8uqNxE+
+sfjC99VF4Sykpe5RYiONSK113ctiLwRbEY7G8u1fjTK+tItE2CZsk7DbtTw38cOC
+ysmmhVuqIN5Z80Zx/gseZhpfvplfiAWSQrIWe8ZX8PnFSkECQQDiI+41os6gcIBy
+0b8iITGAgLrgOVbZyBP+pCujf5H/l+X8S28RvNTTwYL22P88VUD13oV2hoxioA++
+rRN1Sk+hAkEA0ArHPXpWo57SJ9OhlMzrS1zmGORVNoy1OIDkyOdaCPrWDuLy0ZnS
+f8iRJS8Ozvwwdf23QWdRhPTznb76GfWTywJANVQh1dY6Ag3lzK338/V99f7lkwES
+oTMUvAU9IUZxSKQqoU+strMgQXuuBcZwkmrMce7y7FuYeZ2jeOTZ5NwMYQJBAIgE
+g/9N3Rdc30nqs9n1oGDFfCsKHixsEo++tdYkbFkypoFVICypxVaGa19ERQpPF+AM
+4aOBSWsEO8MG+b2/McECQFy4QrOawU454ravKLmIRrTHvumF3P21KnXc5co/AkH6
+tBwvUB+7Dd5E5ZOF5GfbIvztiH4JzVpm570RuJNigRQ=
+-----END RSA PRIVATE KEY-----
diff --git a/stunnel/old/stunnel.pem b/stunnel/old/stunnel.pem
new file mode 100644
index 0000000..1f17529
--- /dev/null
+++ b/stunnel/old/stunnel.pem
@@ -0,0 +1,33 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQC3xrbzHy1a5NjO+waLZH2MBbTCOyRivBVSMS9BJmhCvwXkr2AB
+LzJIK8ZQ7wmJhVq3GDCeHpfpYLobRibg+Ko7IodIl93yOSNKxT4utla/SnI0aPaQ
+ukS9hMN17SxOUwJuvL0u2ZXivVc4d3kWOWV1JUtw5+lupgPeES3mm7uXqwIDAQAB
+AoGAY6yCY6CAP/Eo6jHaHdY2BbC+li3vkSGDyt1kTMig+bqTXrIDtwC7G8uqNxE+
+sfjC99VF4Sykpe5RYiONSK113ctiLwRbEY7G8u1fjTK+tItE2CZsk7DbtTw38cOC
+ysmmhVuqIN5Z80Zx/gseZhpfvplfiAWSQrIWe8ZX8PnFSkECQQDiI+41os6gcIBy
+0b8iITGAgLrgOVbZyBP+pCujf5H/l+X8S28RvNTTwYL22P88VUD13oV2hoxioA++
+rRN1Sk+hAkEA0ArHPXpWo57SJ9OhlMzrS1zmGORVNoy1OIDkyOdaCPrWDuLy0ZnS
+f8iRJS8Ozvwwdf23QWdRhPTznb76GfWTywJANVQh1dY6Ag3lzK338/V99f7lkwES
+oTMUvAU9IUZxSKQqoU+strMgQXuuBcZwkmrMce7y7FuYeZ2jeOTZ5NwMYQJBAIgE
+g/9N3Rdc30nqs9n1oGDFfCsKHixsEo++tdYkbFkypoFVICypxVaGa19ERQpPF+AM
+4aOBSWsEO8MG+b2/McECQFy4QrOawU454ravKLmIRrTHvumF3P21KnXc5co/AkH6
+tBwvUB+7Dd5E5ZOF5GfbIvztiH4JzVpm570RuJNigRQ=
+-----END RSA PRIVATE KEY-----
+
+-----BEGIN CERTIFICATE-----
+MIICxTCCAi6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbnRhIEJhcmJhcmExEzAR
+BgNVBAoTClNTTCBTZXJ2ZXIxIjAgBgNVBAsTGUZvciBUZXN0aW5nIFB1cnBvc2Vz
+IE9ubHkxFTATBgNVBAMTDGxvY2FsaG9zdCBDQTEdMBsGCSqGSIb3DQEJARYOcm9v
+dEBsb2NhbGhvc3QwHhcNMTIwMTMxMDgwODQyWhcNMTQwMTMwMDgwODQyWjCBpjEL
+MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbnRh
+IEJhcmJhcmExEzARBgNVBAoTClNTTCBTZXJ2ZXIxIjAgBgNVBAsTGUZvciBUZXN0
+aW5nIFB1cnBvc2VzIE9ubHkxEjAQBgNVBAMTCWxvY2FsaG9zdDEdMBsGCSqGSIb3
+DQEJARYOcm9vdEBsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+ALfGtvMfLVrk2M77BotkfYwFtMI7JGK8FVIxL0EmaEK/BeSvYAEvMkgrxlDvCYmF
+WrcYMJ4el+lguhtGJuD4qjsih0iX3fI5I0rFPi62Vr9KcjRo9pC6RL2Ew3XtLE5T
+Am68vS7ZleK9Vzh3eRY5ZXUlS3Dn6W6mA94RLeabu5erAgMBAAEwDQYJKoZIhvcN
+AQEFBQADgYEAs45mxYjtJiLLaI69hjlaEF+KE9mKqof9MW+yxFoX6iJothBnHZoq
+vxQizuKcb8kgjn5jq2Qpp1E0IPMcEDzsN9J7n0jSGTG5PcxWpo/lqWkSZg7mUwKc
+V0lquy4FDrJe51A8dNN+cd0JXsERKLqfKXonhFcVea9qzde+VHOBjlI=
+-----END CERTIFICATE-----
diff --git a/stunnel/stunnel.conf b/stunnel/stunnel.conf
index 4aa8b8c..20709b7 100644
--- a/stunnel/stunnel.conf
+++ b/stunnel/stunnel.conf
@@ -3,8 +3,8 @@
 # Please make sure you understand them (especially the effect of chroot jail)
 
 # Certificate/key is needed in server mode and optional in client mode
-# cert = /etc/stunnel/stunnel.pem
-# key = /etc/stunnel/stunnel.pem
+cert = /etc/stunnel/stunnel.pem
+key = /etc/stunnel/stunnel.pem
 
 # Some security enhancements for UNIX systems - comment them out on Win32
 # chroot = /chroot/stunnel/
@@ -43,6 +43,10 @@ socket = r:TCP_NODELAY=1
 
 # Service-level configuration
 
+[postgres]
+accept = 5442
+connect = 5432
+
 #[pop3s]
 #accept  = 995
 #connect = 110
diff --git a/stunnel/stunnel.pem b/stunnel/stunnel.pem
new file mode 100644
index 0000000..dcd5cc9
--- /dev/null
+++ b/stunnel/stunnel.pem
@@ -0,0 +1,33 @@
+-----BEGIN PRIVATE KEY-----
+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALHmMhfRrI8xbPGd
+YO5oeT+bX+tBghLR89aGEvetD37K8kvpbj/ApqUA8qFWx4dSwq5zkjlJ55/UgTZw
+JV+fsVeNmOf0v0360B92z3AXIJ41DrMPM7vVnIg1csPpa7Zmr+vgGRpnHs0BwkfR
+WhX+xDZKaf5chfWsL28zgYY3cf1dAgMBAAECgYB8ibDxucf6alhhAJKV869F1wic
+Ebz0XeQ8fpmSp6VcVsiuWdjjaoN+qZ4xUiXWVxqQs7lev50V59cY/AM94PZtMC96
+QHL2EPzIMrpjRCU59Z7PgQwOgjX0PMds9ZS6EuufzRKidh2qiys3ZcN8AeTjG2Rv
+hL+vOs6aVqZfWMrjJQJBAODqjDMZTVu2geXH/K289CaX7OB6jsAdKwfqheXRtuz1
+Rw1nbmQp6Bzr7fQyVtgbjrnnb8xZ110J85Krbz2NYG8CQQDKfDQyBVC4niXraLKA
+JZ7vxpxP0IfLekXJ1o1Me3jmzQxCXK56sHVnJsmihyiZBmFKLCFhXfa2JBwFXBXa
+iczzAkAnmAKgSDb/Cyzo14Da0OWmGZ6gkdKpbTkTBq0VnQp3wmIEsQ2U4m+zD7Fv
+CKGTH57LiTt8HOC1xzeyvS0zB71PAkA83zX5y6tGtRSFPsZay/SJ9NVNEU2hmDKe
+yQdVdNEV4ZLL6HzzmVTSG9EGMUe9KTPaToYCdXMTsqtR2SsgtciNAkBCN66SqVJB
+op3WG5wQEOeCrqpU2PEtBnVcsZlrh0a5F+3k0IDTMjShYfyhmSMpn2Q5GIYhWhWX
+eiTnGAZF+M7b
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICtDCCAh2gAwIBAgIJAOa3kpJQWr5pMA0GCSqGSIb3DQEBBQUAMHMxCzAJBgNV
+BAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjEUMBIGA1UE
+CgwLRnJhbmsgQnJlaG0xDzANBgNVBAsMBnByaXZhdDEbMBkGA1UEAwwSdWh1MS51
+aHUtYmFuYW5lLmRlMB4XDTEyMDEzMTA5MTM1OFoXDTEyMDMwMTA5MTM1OFowczEL
+MAkGA1UEBhMCREUxDzANBgNVBAgMBkJlcmxpbjEPMA0GA1UEBwwGQmVybGluMRQw
+EgYDVQQKDAtGcmFuayBCcmVobTEPMA0GA1UECwwGcHJpdmF0MRswGQYDVQQDDBJ1
+aHUxLnVodS1iYW5hbmUuZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALHm
+MhfRrI8xbPGdYO5oeT+bX+tBghLR89aGEvetD37K8kvpbj/ApqUA8qFWx4dSwq5z
+kjlJ55/UgTZwJV+fsVeNmOf0v0360B92z3AXIJ41DrMPM7vVnIg1csPpa7Zmr+vg
+GRpnHs0BwkfRWhX+xDZKaf5chfWsL28zgYY3cf1dAgMBAAGjUDBOMB0GA1UdDgQW
+BBQiJMeidpqxspkjOnX3jWPJdpvR/DAfBgNVHSMEGDAWgBQiJMeidpqxspkjOnX3
+jWPJdpvR/DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAHFSZOmOBE6F
+hh2LpwY8i9bi9T5Robg6NnFGyVTqP1ayC/LMGGUlwmu5PJt4U2y39ZKozK/FBMTa
+SX7zaQGk9HNbET1URyPysZLGpwc9djN1Qy4gfOiwkORBMi8We51IMqaowNBMag+J
+FIYREc3DNDg53HylseY8A1N9cTlUTeQ2
+-----END CERTIFICATE-----
-- 
2.39.5