
tachtler:dovecot_sicherheit

Differences

This shows the differences between two versions of the page.

tachtler:dovecot_sicherheit [2015/07/10 15:56] – [SSL-Sicherheit] klaus
tachtler:dovecot_sicherheit [2015/07/11 09:22] (current) – [/etc/cron.weekly/ssl-parameters_update.sh] klaus
Line 111: Line 111:
 :!: **HINWEIS** - **Ab [[http://dovecot.org|Dovecot]]-Version 2.2.7 wir der Schlüssel __NICHT__ mehr einmal in der Woche neu erzeugt!** :!: **HINWEIS** - **Ab [[http://dovecot.org|Dovecot]]-Version 2.2.7 wir der Schlüssel __NICHT__ mehr einmal in der Woche neu erzeugt!**
  
-Um trotzdem eine Neuerzeugung im laufenden Betrieb durchführen zu können gibt es unter nachfolgendem externen Link Hintergründe und die Lösung zu diesem Problem, basieren auf den Hinweisen von [[https://andreasschulze.de/dovecot/ssl-params|Andreas Schulze]], dem hier ausdrücklicher erwähnt werden soll und dem dafür der Dank gebührt!+Um trotzdem eine Neuerzeugung im laufenden Betrieb durchführen zu könnengibt es unter nachfolgendem externen Link Hintergründe und die Lösung zu diesem Problem, basieren auf den Hinweisen von [[https://andreasschulze.de/dovecot/ssl-params|Andreas Schulze]], der hier ausdrücklicher erwähnt werden soll und dem dafür die Anerkennung und der Dank gebührt!
  
-http://dokuwiki.nausch.org/doku.php/centos:mail_c7:dovecot_4#ssl-konfiguration+Dazu sind nachfolgende Schritte erforderlich: 
 +  - Die Erzeugung einer **Konfigurationsdatei** für die **DH-Parameter**-Datei 
 +  - Die Erzeugung der **DH-Parameter**-Datei mit Hilfe des Programms ''/usr/libexec/dovecot/ssl-params'' 
 +    - unter der Angabe, welche **Parameter-Länge** ''ssl_dh_parameters_length'' verwendet werden soll und 
 +    - in welchem Verzeichnis die **Parameter-Datei** ''state_dir'' temporär gespeichert werden soll 
 +  - Anschließend wir die so erzeugte **Parameter-Datei** gegen die standardmäßige Konfigurationsdatei von [[http://dovecot.org|Dovecot]] - ''/var/lib/dovecot/ssl-parameters.dat'' ersetzt 
 +  - Abschließend muss dann noch das **erneute einlesen** der neuen Konfigurationsdatei''/var/lib/dovecot/ssl-parameters.dat'' durch [[http://dovecot.org|Dovecot]] erfolgen 
 + 
 +==== /etc/cron.weekly/ssl-parameters_update.sh ==== 
 + 
 +Nachfolgendes Skript erledigt alle vorhergehenden Aufgaben: 
 +<code bash> 
 +#!/bin/bash 
 + 
 +############################################################################## 
 +# Script-Name ssl-parameters_update.sh                                      
 +# Description : Renew the Diffie-Hellman parameter file for Dovecot under    #  
 +#               the path /var/lib/dovecot/ssl-parameters.dat.                #  
 +#                                                                            #  
 +#                                                                            #  
 +# Last update : 11.07.2015                                                   #  
 +# Version     : 1.00                                                         #  
 +############################################################################## 
 + 
 +############################################################################## 
 +#                                H I S T O R Y                               #  
 +############################################################################## 
 +# Version     : x.xx                                                         #  
 +# Description : <Description>                                                # 
 +# -------------------------------------------------------------------------- #  
 +# Version     : x.xx                                                         #  
 +# Description : <Description>                                                # 
 +# -------------------------------------------------------------------------- #  
 +############################################################################## 
 + 
 +# Source function library. 
 +. /etc/init.d/functions 
 + 
 +# Variable declarations. 
 + 
 +############################################################################## 
 +# >>> Please edit following lines for personal command and/or configuration! # 
 +############################################################################## 
 + 
 +# CUSTOM - Script-Name. 
 +SCRIPT_NAME='ssl-parameters_update.sh' 
 + 
 +# CUSTOM - PATH/FILE/PARAMETER variables. 
 +PARAM_DIR="/etc/dovecot" 
 +FINAL_DIR="/var/lib/dovecot" 
 +STATE_DIR="/tmp" 
 + 
 +# CUSTOM - PARAMATERS variables. 
 +SSL_DH_PARAMETERS_LENGTH="2048" 
 + 
 +# CUSTOM - Binary. 
 +BINARY_DOVECOT_PATH="/usr/sbin/dovecot" 
 +BINARY_SSL_PARAMS_PATH='/usr/libexec/dovecot/ssl-params' 
 + 
 +# CUSTOM - Mail-Recipient. 
 +MAIL_RECIPIENT='your-email@your-domain.tld' 
 + 
 +# CUSTOM - Status-Mail [Y|N]. 
 +MAIL_STATUS='N' 
 + 
 +############################################################################## 
 +# >>> Normaly there is no need to change anything below this comment line. ! # 
 +############################################################################## 
 + 
 +# Variables. 
 +PARAM_FILE="ssl-parameters.conf" 
 +STATE_FILE="ssl-parameters.dat" 
 +TOUCH_COMMAND=`command -v touch` 
 +MV_COMMAND=`command -v mv` 
 +RM_COMMAND=`command -v rm` 
 +CAT_COMMAND=`command -v cat` 
 +DATE_COMMAND=`command -v date` 
 +MKDIR_COMMAND=`command -v mkdir` 
 +PROG_SENDMAIL=`command -v sendmail` 
 +TAR_COMMAND=`command -v tar` 
 +CHOWN_COMMAND=`command -v chown` 
 +CHMOD_COMMAND=`command -v chmod` 
 +FILE_LOCK='/tmp/'$SCRIPT_NAME'.lock' 
 +FILE_LOG='/var/log/'$SCRIPT_NAME'.log' 
 +FILE_LAST_LOG='/tmp/'$SCRIPT_NAME'.log' 
 +FILE_MAIL='/tmp/'$SCRIPT_NAME'.mail' 
 +VAR_HOSTNAME=`uname -n` 
 +VAR_SENDER='root@'$VAR_HOSTNAME 
 +VAR_EMAILDATE=`$DATE_COMMAND '+%a, %d %b %Y %H:%M:%S (%Z)'
 + 
 +# Functions. 
 +function log() { 
 +        echo $1 
 +        echo `$DATE_COMMAND '+%Y/%m/%d %H:%M:%S'` " INFO:" $1 >>${FILE_LAST_LOG} 
 +
 + 
 +function retval() { 
 +if [ "$?" != "0" ]; then 
 +        case "$?" in 
 +        *) 
 +                log "ERROR: Unknown error $?" 
 +        ;; 
 +        esac 
 +fi 
 +
 + 
 +function movelog() { 
 +        $CAT_COMMAND $FILE_LAST_LOG >> $FILE_LOG 
 +        $RM_COMMAND -f $FILE_LAST_LOG 
 +        $RM_COMMAND -f $FILE_LOCK 
 +
 + 
 +function sendmail() { 
 +        case "$1" in 
 +        'STATUS'
 +                MAIL_SUBJECT='Status execution '$SCRIPT_NAME' script.' 
 +        ;; 
 +        *) 
 +                MAIL_SUBJECT='ERROR while execution '$SCRIPT_NAME' script !!!' 
 +        ;; 
 +        esac 
 + 
 +$CAT_COMMAND <<MAIL >$FILE_MAIL 
 +Subject: $MAIL_SUBJECT 
 +Date: $VAR_EMAILDATE 
 +From: $VAR_SENDER 
 +To: $MAIL_RECIPIENT 
 + 
 +MAIL 
 + 
 +$CAT_COMMAND $FILE_LAST_LOG >> $FILE_MAIL 
 + 
 +$PROG_SENDMAIL -f $VAR_SENDER -t $MAIL_RECIPIENT < $FILE_MAIL 
 + 
 +$RM_COMMAND -f $FILE_MAIL 
 + 
 +
 + 
 +# Main. 
 +log "" 
 +log "+-----------------------------------------------------------------+" 
 +log "| Start update generating Diffie-Hellman ssl-parameters.dat file. |" 
 +log "+-----------------------------------------------------------------+" 
 +log "" 
 +log "Run script with following parameter:" 
 +log "" 
 +log "SCRIPT_NAME...........: $SCRIPT_NAME" 
 +log "" 
 +log "PARAM_DIR.............: $PARAM_DIR" 
 +log "FINAL_DIR.............: $FINAL_DIR" 
 +log "STATE_DIR.............: $STATE_DIR" 
 +log "" 
 +log "PARAM_FILE............: $PARAM_FILE" 
 +log "STATE_FILE............: $STATE_FILE" 
 +log "" 
 +log "BINARY_SSL_PARAMS_PATH: $BINARY_SSL_PARAMS_PATH" 
 +log "BINARY_DOVECOT_PATH...: $BINARY_DOVECOT_PATH" 
 +log "" 
 +log "MAIL_RECIPIENT........: $MAIL_RECIPIENT" 
 +log "MAIL_STATUS...........: $MAIL_STATUS" 
 +log "" 
 + 
 +# Check if command (file) NOT exist OR IS empty. 
 +if [ ! -s "$TOUCH_COMMAND" ]; then 
 +        log "Check if command '$TOUCH_COMMAND' was found....................[FAILED]" 
 +        sendmail ERROR 
 +        movelog 
 +        exit 10 
 +else 
 +        log "Check if command '$TOUCH_COMMAND' was found....................[  OK  ]" 
 +fi 
 + 
 +# Check if command (file) NOT exist OR IS empty. 
 +if [ ! -s "$MV_COMMAND" ]; then 
 +        log "Check if command '$MV_COMMAND' was found.......................[FAILED]" 
 +        sendmail ERROR 
 + movelog 
 +        exit 11 
 +else 
 +        log "Check if command '$MV_COMMAND' was found.......................[  OK  ]" 
 +fi 
 + 
 +# Check if command (file) NOT exist OR IS empty. 
 +if [ ! -s "$RM_COMMAND" ]; then 
 +        log "Check if command '$RM_COMMAND' was found.......................[FAILED]" 
 +        sendmail ERROR 
 + movelog 
 +        exit 12 
 +else 
 +        log "Check if command '$RM_COMMAND' was found.......................[  OK  ]" 
 +fi 
 + 
 +# Check if command (file) NOT exist OR IS empty. 
 +if [ ! -s "$CAT_COMMAND" ]; then 
 +        log "Check if command '$CAT_COMMAND' was found......................[FAILED]" 
 +        sendmail ERROR 
 + movelog 
 +        exit 13 
 +else 
 +        log "Check if command '$CAT_COMMAND' was found......................[  OK  ]" 
 +fi 
 + 
 +# Check if command (file) NOT exist OR IS empty. 
 +if [ ! -s "$DATE_COMMAND" ]; then 
 +        log "Check if command '$DATE_COMMAND' was found.....................[FAILED]" 
 +        sendmail ERROR 
 + movelog 
 +        exit 14 
 +else 
 +        log "Check if command '$DATE_COMMAND' was found.....................[  OK  ]" 
 +fi 
 + 
 +# Check if command (file) NOT exist OR IS empty. 
 +if [ ! -s "$MKDIR_COMMAND" ]; then 
 +        log "Check if command '$MKDIR_COMMAND' was found....................[FAILED]" 
 +        sendmail ERROR 
 + movelog 
 +        exit 15 
 +else 
 +        log "Check if command '$MKDIR_COMMAND' was found....................[  OK  ]" 
 +fi 
 + 
 +# Check if command (file) NOT exist OR IS empty. 
 +if [ ! -s "$PROG_SENDMAIL" ]; then 
 +        log "Check if command '$PROG_SENDMAIL' was found................[FAILED]" 
 +        sendmail ERROR 
 + movelog 
 +        exit 16 
 +else 
 +        log "Check if command '$PROG_SENDMAIL' was found................[  OK  ]" 
 +fi 
 + 
 +# Check if command (file) NOT exist OR IS empty. 
 +if [ ! -s "$TAR_COMMAND" ]; then 
 +        log "Check if command '$TAR_COMMAND' was found......................[FAILED]" 
 +        sendmail ERROR 
 + movelog 
 +        exit 17 
 +else 
 +        log "Check if command '$TAR_COMMAND' was found......................[  OK  ]" 
 +fi 
 + 
 +# Check if command (file) NOT exist OR IS empty. 
 +if [ ! -s "$CHOWN_COMMAND" ]; then 
 +        log "Check if command '$CHOWN_COMMAND' was found....................[FAILED]" 
 +        sendmail ERROR 
 + movelog 
 +        exit 18 
 +else 
 +        log "Check if command '$CHOWN_COMMAND' was found....................[  OK  ]" 
 +fi 
 + 
 +# Check if command (file) NOT exist OR IS empty. 
 +if [ ! -s "$CHMOD_COMMAND" ]; then 
 +        log "Check if command '$CHMOD_COMMAND' was found....................[FAILED]" 
 +        sendmail ERROR 
 + movelog 
 +        exit 19 
 +else 
 +        log "Check if command '$CHMOD_COMMAND' was found....................[  OK  ]" 
 +fi 
 + 
 +# Check if LOCK file NOT exist. 
 +if [ ! -e "$FILE_LOCK" ]; then 
 +        log "Check if script is NOT already runnig .....................[  OK  ]" 
 + 
 +        $TOUCH_COMMAND $FILE_LOCK 
 +else 
 +        log "Check if script is NOT already runnig .....................[FAILED]" 
 +        log "" 
 +        log "ERROR: The script was already running, or LOCK file already exists!" 
 +        log "" 
 +        sendmail ERROR 
 + movelog 
 +        exit 20 
 +fi 
 + 
 +# Start update. 
 +log "" 
 +log "+-----------------------------------------------------------------+" 
 +log "| Run update from $SCRIPT_NAME ...................... |" 
 +log "+-----------------------------------------------------------------+" 
 +log "" 
 + 
 +# Check if Directory NOT exists. 
 +if [ ! -d "$PARAM_DIR" ]; then 
 +        log "Check if $PARAM_DIR exists ..............................[FAILED]" 
 +        log "" 
 +        log " INFO: Creating --> $PARAM_DIR !" 
 +        log "" 
 + 
 +        $MKDIR_COMMAND -p $PARAM_DIR   
 +else 
 +        log "Check if $PARAM_DIR exists ..............................[  OK  ]" 
 +fi 
 + 
 +# Check if Directory NOT exists. 
 +if [ ! -d "$STATE_DIR" ]; then 
 +        log "Check if $STATE_DIR exists ......................................[FAILED]" 
 +        log "" 
 +        log " INFO: Creating --> $STATE_DIR !" 
 +        log "" 
 + 
 +        $MKDIR_COMMAND -p $STATE_DIR   
 +else 
 +        log "Check if $STATE_DIR exists ......................................[  OK  ]" 
 + log "" 
 +fi 
 + 
 +# Check if file exists 
 +if [ ! -e "$PARAM_DIR/$PARAM_FILE" ]; then 
 +        log "Check if $PARAM_DIR/$PARAM_FILE exists ..........[FAILED]" 
 +        log "" 
 +else 
 +        log "Check if $PARAM_DIR/$PARAM_FILE exists ..........[  OK  ]" 
 +        log "" 
 +        log " INFO: Deleting --> $PARAM_DIR/$PARAM_FILE" 
 +        log "" 
 + 
 +        $RM_COMMAND $PARAM_DIR/$PARAM_FILE 
 +fi 
 + 
 +# Generating file. 
 + 
 +log "Generating '$PARAM_DIR/$PARAM_FILE' .............[  OK  ]" 
 +log "" 
 + 
 +echo "# Lenght of Diffie-Helmann-Parameter" > $PARAM_DIR/$PARAM_FILE 
 +echo "ssl_dh_parameters_length = $SSL_DH_PARAMETERS_LENGTH" >> $PARAM_DIR/$PARAM_FILE 
 +echo "# Save directory of temporary $STATE_FILE" >> $PARAM_DIR/$PARAM_FILE 
 +echo "state_dir = $STATE_DIR" >> $PARAM_DIR/$PARAM_FILE 
 + 
 +log "Generating '$STATE_DIR/$STATE_FILE' ......................[  OK  ]" 
 +log "" 
 +log "$BINARY_SSL_PARAMS_PATH -c $PARAM_DIR/$PARAM_FILE" 
 +log "" 
 + 
 +$BINARY_SSL_PARAMS_PATH -c $PARAM_DIR/$PARAM_FILE 
 + 
 +# Move file. 
 +$MV_COMMAND $STATE_DIR/$STATE_FILE $FINAL_DIR/$STATE_FILE -f 
 + 
 +if [ "$?" != 0 ]; then 
 +        retval $? 
 +        log "Move file '$STATE_DIR/$STATE_FILE' ........................[FAILED]" 
 +        $RM_COMMAND -f $FILE_LOCK 
 +        sendmail ERROR 
 + movelog 
 +        exit 50 
 +else 
 +        log "" 
 +        log "Move file '$STATE_DIR/$STATE_FILE' ........................[  OK  ]" 
 +fi 
 + 
 +$CHOWN_COMMAND -R root.root $FINAL_DIR/$STATE_FILE 
 + 
 +if [ "$?" != 0 ]; then 
 +        retval $? 
 +        log "Owner set '$FINAL_DIR/$STATE_FILE' ............[FAILED]" 
 +        $RM_COMMAND -f $FILE_LOCK 
 +        sendmail ERROR 
 + movelog 
 +        exit 51 
 +else 
 +        log "Owner set '$FINAL_DIR/$STATE_FILE' ............[  OK  ]" 
 +fi 
 + 
 +$CHMOD_COMMAND -R 644 $FINAL_DIR/$STATE_FILE 
 + 
 +if [ "$?" != 0 ]; then 
 +        retval $? 
 +        log "Permission set '$FINAL_DIR/$STATE_FILE' .......[FAILED]" 
 +        $RM_COMMAND -f $FILE_LOCK 
 +        sendmail ERROR 
 + movelog 
 +        exit 52 
 +else 
 +        log "Permission set '$FINAL_DIR/$STATE_FILE' .......[  OK  ]" 
 +fi 
 + 
 +$BINARY_DOVECOT_PATH reload 
 + 
 +if [ "$?" != 0 ]; then 
 +        retval $? 
 +        log "Reload of '$BINARY_DOVECOT_PATH' ..............................[FAILED]" 
 +        $RM_COMMAND -f $FILE_LOCK 
 +        sendmail ERROR 
 + movelog 
 +        exit 53 
 +else 
 + log "" 
 +        log "Reload of '$BINARY_DOVECOT_PATH' ..............................[  OK  ]" 
 +fi 
 + 
 +# Finish update. 
 +log "" 
 +log "+-----------------------------------------------------------------+" 
 +log "| End update from $SCRIPT_NAME ...................... |" 
 +log "+-----------------------------------------------------------------+" 
 +log "" 
 + 
 +# Status e-mail. 
 +if [ $MAIL_STATUS = 'Y' ]; then 
 +        sendmail STATUS 
 +fi 
 +# Move temporary log to permanent log 
 +movelog 
 + 
 +exit 0 
 +</code> 
 + 
 +Das oben gezeigte Skript führt nachfolgende Aktionen aus: 
 +  - Erstellen einer Konfigurationsdatei ''/etc/dovecot/ssl-parameters.conf'' mit den Diffie-Hellman-Parametern 
 +  - Erzeugen einer neuen **temporären** Diffie-Hellman Parameter-Datei 
 +  - Kopieren der neuen **temporären** Diffie-Hellman Parameter-Datei auf die durch [[http://dovecot.org|Dovecot]] verwendete Diffie-Hellman-Parameter Datei ''/var/lib/dovecot/ssl-parameters.dat'' 
 +  - Setzen der richtigen **Besitz**rechte 
 +  - Setzen der richtigen **Datei**rechte 
 +  - Neustart von [[http://dovecot.org|Dovecot]] via ''/usr/sbin/dovecot reload'' Option (Kein Beenden der offenen Verbindungen, nur Einlesen der Konfugurationsdateien) 
 +  - Benachrichtigung im Skript-**Fehlerfall** via e-Mail 
 +  - Benachrichtigung via e-Mail über eine erfolgreiche Ausführung, auf Wunsch ein-/ausschaltbar 
 +  - Erstellen einer **LOG-Datei** über die Skript-Ausführung in ''/var/log/<SKRIPT-NAME>'' 
 + 
 +Um das Skript **einmal wöchentlich** laufen zu lassen, kann das vorhergehende Skript im Verzeichnis  
 +  * ''/etc/cron.weekly'' 
 +erstellt werden. 
 + 
 +Anschließend müssen noch die erforderlich **Datei**rechte mit nachfolgendem Befehl gesetzt werden, damit das Skipt auch ausgeführt werden kann, hier nachfolgendes **Beispiel**: 
 +<code> 
 +# chmod +x /etc/cron.weekly/ssl-parameters_update.sh 
 +</code>
  
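Review bot: the generation step `$BINARY_SSL_PARAMS_PATH -c $PARAM_DIR/$PARAM_FILE` is the one command in the main section whose exit status is never checked, so when ssl-params fails the script carries on to `$MV_COMMAND $STATE_DIR/$STATE_FILE $FINAL_DIR/$STATE_FILE -f` and either reports the problem as a failed move or, if an older file is still lying in `$STATE_DIR`, installs that stale file and reloads Dovecot with it; add an `if [ "$?" != 0 ]` block directly after the ssl-params call, like the ones that follow the mv, chown, chmod and reload calls. Related: `retval()` reads `$?` inside `if [ "$?" != "0" ]`, where the test itself has already replaced the status, and it ignores the code its callers pass as `$1`, so the logged "Unknown error" number is never the real exit code; use `local rc="$1"` and log `$rc`. Also worth raising: `STATE_DIR="/tmp"` (and the `FILE_LOCK`, `FILE_LAST_LOG` and `FILE_MAIL` paths) puts the freshly generated `ssl-parameters.dat` in a world-writable directory before root moves it into `/var/lib/dovecot` and sets mode 644, which leaves a window in which another local account could pre-create or replace that file; a root-owned working directory (for example one created with `mktemp -d` below `/var/lib/dovecot`) closes it. Finally, as rendered on this page the script is missing the closing backtick on the `VAR_EMAILDATE=` line, the `)` after `'STATUS'` in `sendmail()`, and the closing `}` of `log()`, `retval()`, `movelog()` and `sendmail()`, so a copy taken from this view will not run as shown.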
tachtler/dovecot_sicherheit.1436536603.txt.gz · Last modified: 2015/07/10 15:56 by klaus