aptitude install dovecot-common dovecot-imapd 
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.ori
cat /etc/dovecot/dovecot.conf
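################## Dovecot OLI  ##################
# Dovecot v1-style configuration (auth default { ... } block syntax).
# imaps = IMAP over TLS (port 993); plain imap (port 143) also offers STARTTLS.
protocols = imap imaps
listen = *

login_greeting = Server GEZEN ready...
log_timestamp = "%Y-%m-%d %H:%M:%S "
log_path = /var/log/mail.log

# %n = user name without the domain part; one Maildir per user.
mail_location = maildir:/var/mail/%n
mail_privileged_group = mail
# Refuse plaintext (PLAIN/LOGIN) authentication until the connection is
# TLS-protected (STARTTLS on 143 or imaps on 993). This is Dovecot's default
# and keeps the LDAP passwords from crossing the network in clear; connections
# from the same host (localhost) may still authenticate in plaintext.
disable_plaintext_auth = yes

auth default {
   # Password checks and user lookups both use the same LDAP settings file.
   passdb ldap {
      args = /etc/dovecot/dovecot-ldap.conf
      }
   userdb ldap {
      args = /etc/dovecot/dovecot-ldap.conf
      }
}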
cat /etc/dovecot/dovecot-ldap.conf
# LDAP backend shared by passdb and userdb in dovecot.conf.
# Plain (unencrypted) LDAP to the local directory only; no dn/dnpass is set,
# so the user-entry search is presumably done with an anonymous bind.
hosts = localhost
# The password is verified by binding to LDAP as the user's own entry,
# not by reading a password hash out of the directory.
auth_bind = yes
base = ou=people,dc=gezen,dc=fr
scope = subtree

# %u = the user name exactly as sent by the mail client
user_filter = (&(objectClass=posixAccount)(uid=%u))
# NOTE(review): with auth_bind = yes the userPassword attribute is normally
# not needed (and usually not readable by an anonymous bind); confirm whether
# it and default_pass_scheme can be dropped.
pass_attrs = uid=user,userPassword=password
pass_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = SSHA

Génération des certificats SSL et d'une AC

# mkdir /root/ssl
# cd /root/ssl
# mkdir ca
# mkdir ca/newcerts
# mkdir conf
# mkdir csr
# mkdir key
# mkdir cert
# touch ca/index.txt
# echo '01' > ca/serial
# chmod 700 ca

Explications :

  • /root/ssl/ : répertoire de configuration général de openssl
  • /root/ssl/ca/ : répertoire qui contient les fichiers de l'AC
  • /root/ssl/ca/newcerts/ : répertoire qui contient les certificats signés par l'AC
  • /root/ssl/ca/index.txt : fichier ascii qui référence les certificats
  • /root/ssl/ca/serial : fichier ascii qui contient un n° de série. Celui-ci sera incrémenté à chaque nouveau certificat
  • /root/ssl/conf/ : répertoire qui contient les fichiers de configuration pour créer des certificats pour les différents services (smtps, https, etc.)
  • /root/ssl/csr/ : répertoire qui contient les demandes de signatures
  • /root/ssl/key/ : répertoire qui contient les clés secrètes des certificats
  • /root/ssl/cert/ : répertoire qui contient les certificats signés

Génération de l'AC

# cd /root/ssl
# vi conf/ca.cnf
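[ ca ]
default_ca = CA_default

[ CA_default ]
# All CA state lives under this directory (created by the mkdir steps above).
dir = /root/ssl
# NOTE(review): ca/certs is not created by the mkdir steps above; "openssl ca"
# does not appear to require it, but confirm before relying on it.
certs = $dir/ca/certs
new_certs_dir = $dir/ca/newcerts
database = $dir/ca/index.txt
certificate = $dir/ca/ca.pem
serial = $dir/ca/serial
private_key = $dir/ca/ca.key
# Validity of certificates signed with "openssl ca" (10 years).
default_days = 3650
# Signature digest used by "openssl ca". SHA-1 signatures are rejected by
# current TLS clients, so sign with SHA-256. The self-signed CA certificate
# created with "openssl req -x509 ... -sha1" takes its digest from that
# command-line flag instead; use -sha256 there as well.
default_md = sha256
preserve = no
policy = policy_match

[ policy_match ]
# The issued certificate's O must equal the CA's O; a CN is mandatory.
organizationName = match
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
# Prompts shown by "openssl req", with their defaults and length limits.
organizationName = Organisation (obligatoire)
organizationName_default = gezen.fr
commonName = Nom CN (obligatoire)
commonName_max = 64
emailAddress = Adresse mail (optionnel)
emailAddress_max = 40

# X.509v3 extensions for the CA certificate itself (selected by -extensions CA).
[CA]
nsComment = "CA gezen.fr"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# pathlen:0 - this CA may only issue end-entity certificates, never sub-CAs.
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = keyCertSign, cRLSign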
# openssl req -new -x509 -config ./conf/ca.cnf -extensions CA -sha1 -newkey rsa:4096 -nodes -days 3650 -keyout ca/ca.key -out ca/ca.pem
Generating a 4096 bit RSA private key
............................................................................................................................................++
..........................................................................................................................++
writing new private key to 'ca/ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organisation (obligatoire) [gezen.fr]:
Nom CN (obligatoire) []:AC gezen.fr
Adresse mail (optionnel) []:lkco@gezen.fr

Génération du certificat serveur

# cp conf/ca.cnf conf/server.cnf

Rajouter ceci à la fin du fichier :

# vi conf/server.cnf
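# X.509v3 extensions for the mail server certificate (selected by -extensions SERVEUR).
[SERVEUR]
nsComment = "Certificat Messagerie"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
# End-entity certificate: it must not be able to sign other certificates.
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
nsCertType = server
extendedKeyUsage = serverAuth
# Host names the certificate is valid for. When a subjectAltName is present,
# clients ignore the CN, so every name clients connect to must be listed here.
subjectAltName = @ALIASES
[ALIASES]
DNS.1 = lkco.gezen.fr
DNS.2 = noriah.gezen.fr
DNS.3 = www.cabsr.fr
# The CN entered for this request (mail.gezen.fr) was missing from the list,
# so connections to that name would fail hostname verification.
DNS.4 = mail.gezen.fr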
# openssl req -new -config ./conf/server.cnf -newkey rsa:4096 -nodes -keyout key/server.key -out csr/server.csr
Generating a 4096 bit RSA private key
..............................................++
.............................++
writing new private key to 'key/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organisation (obligatoire) [gezen.fr]:
Nom CN (obligatoire) []:mail.gezen.fr
Adresse mail (optionnel) []:lkco@gezen.fr

Signature du certificat par l'AC

# openssl ca -config ./conf/server.cnf -extensions SERVEUR -in csr/server.csr -out cert/server.pem
Using configuration from ./conf/server.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName      :PRINTABLE:'gezen.fr'
commonName            :PRINTABLE:'mail.gezen.fr'
emailAddress          :IA5STRING:'lkco@gezen.fr'
Certificate is to be certified until Mar 28 23:25:58 2021 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Explication des paramètres de la ligne de commande :

  • ca : Commande ca pour créer la clé publique
  • -config ./conf/server.cnf : Fichier de configuration à utiliser
  • -extensions SERVEUR : Section du fichier de configuration à utiliser
  • -in csr/server.csr : Chemin relatif du fichier de requête qui a été créé précédemment.
  • -out cert/server.pem : Chemin relatif du certificat créé