tachtler:dovecot_sicherheit
tachtler:dovecot_sicherheit [2015/07/10 15:32] – [Dovecot Sicherheit] klaus | tachtler:dovecot_sicherheit [2015/07/11 09:22] (aktuell) – [/etc/cron.weekly/ssl-parameters_update.sh] klaus | ||
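--- a/tachtler/dovecot_sicherheit.txt
+++ b/tachtler/dovecot_sicherheit.txt
@@ -100,2 +100,446 @@
 ...
 </
+
+===== SSL-Sicherheit =====
+
+[[http://
+
+Die Diffie-Hellman-Parameter werden beim ersten Start des [[http://
+  * ''/
+abgelegt.
+
+:!: **HINWEIS** - **Ab [[http://
+
+Um trotzdem eine Neuerzeugung im laufenden Betrieb durchführen zu können, gibt es unter nachfolgendem externen Link Hintergründe und die Lösung zu diesem Problem, basieren auf den Hinweisen von [[https://
+
+Dazu sind nachfolgende Schritte erforderlich:
+  - Die Erzeugung einer **Konfigurationsdatei** für die **DH-Parameter**-Datei
+  - Die Erzeugung der **DH-Parameter**-Datei mit Hilfe des Programms ''/
+    - unter der Angabe, welche **Parameter-Länge** ''
+    - in welchem Verzeichnis die **Parameter-Datei** ''
+  - Anschließend wir die so erzeugte **Parameter-Datei** gegen die standardmäßige Konfigurationsdatei von [[http://
+  - Abschließend muss dann noch das **erneute einlesen** der neuen Konfigurationsdatei''/
+
+==== /
+
+Nachfolgendes Skript erledigt alle vorhergehenden Aufgaben:
+<code bash>
+#!/bin/bash
+
+##############################################################################
+# Script-Name : ssl-parameters_update.sh
+# Description : Renew the Diffie-Hellman parameter file for Dovecot under #
+# the path /
+# #
+# #
+# Last update : 11.07.2015
+# Version
+##############################################################################
+
+##############################################################################
+# H I S T O R Y #
+##############################################################################
+# Version
+# Description : <
+# -------------------------------------------------------------------------- #
+# Version
+# Description : <
+# -------------------------------------------------------------------------- #
+##############################################################################
+
+# Source function library.
+. /
+
+# Variable declarations.
+
+##############################################################################
+# >>>
+##############################################################################
+
+# CUSTOM - Script-Name.
+SCRIPT_NAME='
+
+# CUSTOM - PATH/
+PARAM_DIR="/
+FINAL_DIR="/
+STATE_DIR="/
+
+# CUSTOM - PARAMATERS variables.
+SSL_DH_PARAMETERS_LENGTH="
+
+# CUSTOM - Binary.
+BINARY_DOVECOT_PATH="/
+BINARY_SSL_PARAMS_PATH='/
+
+# CUSTOM - Mail-Recipient.
+MAIL_RECIPIENT='
+
+# CUSTOM - Status-Mail [Y|N].
+MAIL_STATUS='
+
+##############################################################################
+# >>>
+##############################################################################
+
+# Variables.
+PARAM_FILE="
+STATE_FILE="
+TOUCH_COMMAND=`command -v touch`
+MV_COMMAND=`command -v mv`
+RM_COMMAND=`command -v rm`
+CAT_COMMAND=`command -v cat`
+DATE_COMMAND=`command -v date`
+MKDIR_COMMAND=`command -v mkdir`
+PROG_SENDMAIL=`command -v sendmail`
+TAR_COMMAND=`command -v tar`
+CHOWN_COMMAND=`command -v chown`
+CHMOD_COMMAND=`command -v chmod`
+FILE_LOCK='/
+FILE_LOG='/
+FILE_LAST_LOG='/
+FILE_MAIL='/
+VAR_HOSTNAME=`uname -n`
+VAR_SENDER='
+VAR_EMAILDATE=`$DATE_COMMAND '+%a, %d %b %Y %H:%M:%S (%Z)'`
+
+# Functions.
+function log() {
+echo $1
+echo `$DATE_COMMAND '
+}
+
+function retval() {
+if [ "
+case "
+*)
+log "
+;;
+esac
+fi
+}
+
+function movelog() {
+$CAT_COMMAND $FILE_LAST_LOG >> $FILE_LOG
+$RM_COMMAND -f $FILE_LAST_LOG
+$RM_COMMAND -f $FILE_LOCK
+}
+
+function sendmail() {
+case "
+'
+MAIL_SUBJECT='
+;;
+*)
+MAIL_SUBJECT='
+;;
+esac
+
+$CAT_COMMAND <<
+Subject: $MAIL_SUBJECT
+Date: $VAR_EMAILDATE
+From: $VAR_SENDER
+To: $MAIL_RECIPIENT
+
+
+
+$CAT_COMMAND $FILE_LAST_LOG >> $FILE_MAIL
+
+$PROG_SENDMAIL -f $VAR_SENDER -t $MAIL_RECIPIENT < $FILE_MAIL
+
+$RM_COMMAND -f $FILE_MAIL
+
+}
+
+# Main.
+log ""
+log "
+log "| Start update generating Diffie-Hellman ssl-parameters.dat file. |"
+log "
+log ""
+log "Run script with following parameter:"
+log ""
+log "
+log ""
+log "
+log "
+log "
+log ""
+log "
+log "
+log ""
+log "
+log "
+log ""
+log "
+log "
+log ""
+
+# Check if command (file) NOT exist OR IS empty.
+if [ ! -s "
+log "Check if command '
+sendmail ERROR
+movelog
+exit 10
+else
+log "Check if command '
+fi
+
+# Check if command (file) NOT exist OR IS empty.
+if [ ! -s "
+log "Check if command '
+sendmail ERROR
+movelog
+exit 11
+else
+log "Check if command '
+fi
+
+# Check if command (file) NOT exist OR IS empty.
+if [ ! -s "
+log "Check if command '
+sendmail ERROR
+movelog
+exit 12
+else
+log "Check if command '
+fi
+
+# Check if command (file) NOT exist OR IS empty.
+if [ ! -s "
+log "Check if command '
+sendmail ERROR
+movelog
+exit 13
+else
+log "Check if command '
+fi
+
+# Check if command (file) NOT exist OR IS empty.
+if [ ! -s "
+log "Check if command '
+sendmail ERROR
+movelog
+exit 14
+else
+log "Check if command '
+fi
+
+# Check if command (file) NOT exist OR IS empty.
+if [ ! -s "
+log "Check if command '
+sendmail ERROR
+movelog
+exit 15
+else
+log "Check if command '
+fi
+
+# Check if command (file) NOT exist OR IS empty.
+if [ ! -s "
+log "Check if command '
+sendmail ERROR
+movelog
+exit 16
+else
+log "Check if command '
+fi
+
+# Check if command (file) NOT exist OR IS empty.
+if [ ! -s "
+log "Check if command '
+sendmail ERROR
+movelog
+exit 17
+else
+log "Check if command '
+fi
+
+# Check if command (file) NOT exist OR IS empty.
+if [ ! -s "
+log "Check if command '
+sendmail ERROR
+movelog
+exit 18
+else
+log "Check if command '
+fi
+
+# Check if command (file) NOT exist OR IS empty.
+if [ ! -s "
+log "Check if command '
+sendmail ERROR
+movelog
+exit 19
+else
+log "Check if command '
+fi
+
+# Check if LOCK file NOT exist.
+if [ ! -e "
+log "Check if script is NOT already runnig .....................[
+
+$TOUCH_COMMAND $FILE_LOCK
+else
+log "Check if script is NOT already runnig .....................[FAILED]"
+log ""
+log "
+log ""
+sendmail ERROR
+movelog
+exit 20
+fi
+
+# Start update.
+log ""
+log "
+log "| Run update from $SCRIPT_NAME ...................... |"
+log "
+log ""
+
+# Check if Directory NOT exists.
+if [ ! -d "
+log "Check if $PARAM_DIR exists ..............................[FAILED]"
+log ""
+log " INFO: Creating --> $PARAM_DIR !"
+log ""
+
+$MKDIR_COMMAND -p $PARAM_DIR
+else
+log "Check if $PARAM_DIR exists ..............................[
+fi
+
+# Check if Directory NOT exists.
+if [ ! -d "
+log "Check if $STATE_DIR exists ......................................[FAILED]"
+log ""
+log " INFO: Creating --> $STATE_DIR !"
+log ""
+
+$MKDIR_COMMAND -p $STATE_DIR
+else
+log "Check if $STATE_DIR exists ......................................[
+log ""
+fi
+
+# Check if file exists
+if [ ! -e "
+log "Check if $PARAM_DIR/
+log ""
+else
+log "Check if $PARAM_DIR/
+log ""
+log " INFO: Deleting --> $PARAM_DIR/
+log ""
+
+$RM_COMMAND $PARAM_DIR/
+fi
+
+# Generating file.
+
+log "
+log ""
+
+echo "# Lenght of Diffie-Helmann-Parameter"
+echo "
+echo "# Save directory of temporary $STATE_FILE"
+echo "
+
+log "
+log ""
+log "
+log ""
+
+$BINARY_SSL_PARAMS_PATH -c $PARAM_DIR/
+
+# Move file.
+$MV_COMMAND $STATE_DIR/
+
+if [ "
+retval $?
+log "Move file '
+$RM_COMMAND -f $FILE_LOCK
+sendmail ERROR
+movelog
+exit 50
+else
+log ""
+log "Move file '
+fi
+
+$CHOWN_COMMAND -R root.root $FINAL_DIR/
+
+if [ "
+retval $?
+log "Owner set '
+$RM_COMMAND -f $FILE_LOCK
+sendmail ERROR
+movelog
+exit 51
+else
+log "Owner set '
+fi
+
+$CHMOD_COMMAND -R 644 $FINAL_DIR/
+
+if [ "
+retval $?
+log "
+$RM_COMMAND -f $FILE_LOCK
+sendmail ERROR
+movelog
+exit 52
+else
+log "
+fi
+
+$BINARY_DOVECOT_PATH reload
+
+if [ "
+retval $?
+log "
+$RM_COMMAND -f $FILE_LOCK
+sendmail ERROR
+movelog
+exit 53
+else
+log ""
+log "
+fi
+
+# Finish update.
+log ""
+log "
+log "| End update from $SCRIPT_NAME ...................... |"
+log "
+log ""
+
+# Status e-mail.
+if [ $MAIL_STATUS = '
+sendmail STATUS
+fi
+# Move temporary log to permanent log
+movelog
+
+exit 0
+</
+
+Das oben gezeigte Skript führt nachfolgende Aktionen aus:
+  - Erstellen einer Konfigurationsdatei ''/
+  - Erzeugen einer neuen **temporären** Diffie-Hellman Parameter-Datei
+  - Kopieren der neuen **temporären** Diffie-Hellman Parameter-Datei auf die durch [[http://
+  - Setzen der richtigen **Besitz**rechte
+  - Setzen der richtigen **Datei**rechte
+  - Neustart von [[http://
+  - Benachrichtigung im Skript-**Fehlerfall** via e-Mail
+  - Benachrichtigung via e-Mail über eine erfolgreiche Ausführung,
+  - Erstellen einer **LOG-Datei** über die Skript-Ausführung in ''/
+
+Um das Skript **einmal wöchentlich** laufen zu lassen, kann das vorhergehende Skript im Verzeichnis
+  * ''/
+erstellt werden.
+
+Anschließend müssen noch die erforderlich **Datei**rechte mit nachfolgendem Befehl gesetzt werden, damit das Skipt auch ausgeführt werden kann, hier nachfolgendes **Beispiel**:
+<
+# chmod +x /
+</
+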
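Review bot: Each `retval $?` placed directly inside the `if [ "...` test that follows `$MV_COMMAND`, `$CHOWN_COMMAND -R root.root`, `$CHMOD_COMMAND -R 644` and `$BINARY_DOVECOT_PATH reload` receives the exit status of the `[` test itself, not of the command that just ran, so whatever retval logs reflects the test rather than the failed command; capture it first, e.g. `$MV_COMMAND "$STATE_DIR/..." "$FINAL_DIR/..."; rc=$?` followed by `if [ "$rc" != "0" ]; then retval "$rc"` (the `if` lines are truncated in this rendering, so the exact test is inferred). The `$BINARY_SSL_PARAMS_PATH -c ...` generation step has no status check of its own, so a failed or interrupted parameter generation only surfaces indirectly when the subsequent mv fails, and the same error path (`sendmail ERROR`, `movelog`, a distinct exit code) should follow it directly. The lock is taken with a `[ ! -e ... ]` test followed by `$TOUCH_COMMAND $FILE_LOCK`, which two overlapping runs can both pass; `mkdir "$FILE_LOCK"` as a lock directory, or `set -o noclobber` with `> "$FILE_LOCK"`, acquires it atomically. All path and command variables are expanded unquoted and assigned via backticks (`$CAT_COMMAND $FILE_LAST_LOG >> $FILE_LOG`); quoting the expansions and using `$(command -v ...)` is the ShellCheck-clean form.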
tachtler/dovecot_sicherheit.txt · Zuletzt geändert: 2015/07/11 09:22 von klaus