tachtler:dovecot_sicherheit
tachtler:dovecot_sicherheit [2015/07/11 09:09] – [SSL-Sicherheit] klaus
tachtler:dovecot_sicherheit [2015/07/11 09:22] (current) – [/etc/cron.weekly/ssl-parameters_update.sh] klaus
Zeile 120: Zeile 120:
   - Anschließend wir die so erzeugte **Parameter-Datei** gegen die standardmäßige Konfigurationsdatei von [[http://dovecot.org|Dovecot]] - ''/var/lib/dovecot/ssl-parameters.dat'' ersetzt   - Anschließend wir die so erzeugte **Parameter-Datei** gegen die standardmäßige Konfigurationsdatei von [[http://dovecot.org|Dovecot]] - ''/var/lib/dovecot/ssl-parameters.dat'' ersetzt
   - Abschließend muss dann noch das **erneute einlesen** der neuen Konfigurationsdatei''/var/lib/dovecot/ssl-parameters.dat'' durch [[http://dovecot.org|Dovecot]] erfolgen   - Abschließend muss dann noch das **erneute einlesen** der neuen Konfigurationsdatei''/var/lib/dovecot/ssl-parameters.dat'' durch [[http://dovecot.org|Dovecot]] erfolgen
 +
 +==== /etc/cron.weekly/ssl-parameters_update.sh ====
  
 Nachfolgendes Skript erledigt alle vorhergehenden Aufgaben: Nachfolgendes Skript erledigt alle vorhergehenden Aufgaben:
 <code bash> <code bash>
 +#!/bin/bash
  
 +##############################################################################
 +# Script-Name : ssl-parameters_update.sh                                     # 
 +# Description : Renew the Diffie-Hellman parameter file for Dovecot under    # 
 +#               the path /var/lib/dovecot/ssl-parameters.dat.                # 
 +#                                                                            # 
 +#                                                                            # 
 +# Last update : 11.07.2015                                                   # 
 +# Version     : 1.00                                                         # 
 +##############################################################################
 +
 +##############################################################################
 +#                                H I S T O R Y                               # 
 +##############################################################################
 +# Version     : x.xx                                                         # 
 +# Description : <Description>                                                #
 +# -------------------------------------------------------------------------- # 
 +# Version     : x.xx                                                         # 
 +# Description : <Description>                                                #
 +# -------------------------------------------------------------------------- # 
 +##############################################################################
 +
 +# Source function library.
 +. /etc/init.d/functions
 +
 +# Variable declarations.
 +
 +##############################################################################
 +# >>> Please edit following lines for personal command and/or configuration! #
 +##############################################################################
 +
 +# CUSTOM - Script-Name.
 +SCRIPT_NAME='ssl-parameters_update.sh'
 +
 +# CUSTOM - PATH/FILE/PARAMETER variables.
 +PARAM_DIR="/etc/dovecot"
 +FINAL_DIR="/var/lib/dovecot"
 +STATE_DIR="/tmp"
 +
 +# CUSTOM - PARAMATERS variables.
 +SSL_DH_PARAMETERS_LENGTH="2048"
 +
 +# CUSTOM - Binary.
 +BINARY_DOVECOT_PATH="/usr/sbin/dovecot"
 +BINARY_SSL_PARAMS_PATH='/usr/libexec/dovecot/ssl-params'
 +
 +# CUSTOM - Mail-Recipient.
 +MAIL_RECIPIENT='your-email@your-domain.tld'
 +
 +# CUSTOM - Status-Mail [Y|N].
 +MAIL_STATUS='N'
 +
 +##############################################################################
 +# >>> Normaly there is no need to change anything below this comment line. ! #
 +##############################################################################
 +
 +# Variables.
 +PARAM_FILE="ssl-parameters.conf"
 +STATE_FILE="ssl-parameters.dat"
 +TOUCH_COMMAND=`command -v touch`
 +MV_COMMAND=`command -v mv`
 +RM_COMMAND=`command -v rm`
 +CAT_COMMAND=`command -v cat`
 +DATE_COMMAND=`command -v date`
 +MKDIR_COMMAND=`command -v mkdir`
 +PROG_SENDMAIL=`command -v sendmail`
 +TAR_COMMAND=`command -v tar`
 +CHOWN_COMMAND=`command -v chown`
 +CHMOD_COMMAND=`command -v chmod`
 +FILE_LOCK='/tmp/'$SCRIPT_NAME'.lock'
 +FILE_LOG='/var/log/'$SCRIPT_NAME'.log'
 +FILE_LAST_LOG='/tmp/'$SCRIPT_NAME'.log'
 +FILE_MAIL='/tmp/'$SCRIPT_NAME'.mail'
 +VAR_HOSTNAME=`uname -n`
 +VAR_SENDER='root@'$VAR_HOSTNAME
 +VAR_EMAILDATE=`$DATE_COMMAND '+%a, %d %b %Y %H:%M:%S (%Z)'`
 +
 +# Functions.
 +function log() {
 +        echo $1
 +        echo `$DATE_COMMAND '+%Y/%m/%d %H:%M:%S'` " INFO:" $1 >>${FILE_LAST_LOG}
 +}
 +
 +function retval() {
 +if [ "$?" != "0" ]; then
 +        case "$?" in
 +        *)
 +                log "ERROR: Unknown error $?"
 +        ;;
 +        esac
 +fi
 +}
 +
 +function movelog() {
 +        $CAT_COMMAND $FILE_LAST_LOG >> $FILE_LOG
 +        $RM_COMMAND -f $FILE_LAST_LOG
 +        $RM_COMMAND -f $FILE_LOCK
 +}
 +
 +function sendmail() {
 +        case "$1" in
 +        'STATUS')
 +                MAIL_SUBJECT='Status execution '$SCRIPT_NAME' script.'
 +        ;;
 +        *)
 +                MAIL_SUBJECT='ERROR while execution '$SCRIPT_NAME' script !!!'
 +        ;;
 +        esac
 +
 +$CAT_COMMAND <<MAIL >$FILE_MAIL
 +Subject: $MAIL_SUBJECT
 +Date: $VAR_EMAILDATE
 +From: $VAR_SENDER
 +To: $MAIL_RECIPIENT
 +
 +MAIL
 +
 +$CAT_COMMAND $FILE_LAST_LOG >> $FILE_MAIL
 +
 +$PROG_SENDMAIL -f $VAR_SENDER -t $MAIL_RECIPIENT < $FILE_MAIL
 +
 +$RM_COMMAND -f $FILE_MAIL
 +
 +}
 +
 +# Main.
 +log ""
 +log "+-----------------------------------------------------------------+"
 +log "| Start update generating Diffie-Hellman ssl-parameters.dat file. |"
 +log "+-----------------------------------------------------------------+"
 +log ""
 +log "Run script with following parameter:"
 +log ""
 +log "SCRIPT_NAME...........: $SCRIPT_NAME"
 +log ""
 +log "PARAM_DIR.............: $PARAM_DIR"
 +log "FINAL_DIR.............: $FINAL_DIR"
 +log "STATE_DIR.............: $STATE_DIR"
 +log ""
 +log "PARAM_FILE............: $PARAM_FILE"
 +log "STATE_FILE............: $STATE_FILE"
 +log ""
 +log "BINARY_SSL_PARAMS_PATH: $BINARY_SSL_PARAMS_PATH"
 +log "BINARY_DOVECOT_PATH...: $BINARY_DOVECOT_PATH"
 +log ""
 +log "MAIL_RECIPIENT........: $MAIL_RECIPIENT"
 +log "MAIL_STATUS...........: $MAIL_STATUS"
 +log ""
 +
 +# Check if command (file) NOT exist OR IS empty.
 +if [ ! -s "$TOUCH_COMMAND" ]; then
 +        log "Check if command '$TOUCH_COMMAND' was found....................[FAILED]"
 +        sendmail ERROR
 +        movelog
 +        exit 10
 +else
 +        log "Check if command '$TOUCH_COMMAND' was found....................[  OK  ]"
 +fi
 +
 +# Check if command (file) NOT exist OR IS empty.
 +if [ ! -s "$MV_COMMAND" ]; then
 +        log "Check if command '$MV_COMMAND' was found.......................[FAILED]"
 +        sendmail ERROR
 + movelog
 +        exit 11
 +else
 +        log "Check if command '$MV_COMMAND' was found.......................[  OK  ]"
 +fi
 +
 +# Check if command (file) NOT exist OR IS empty.
 +if [ ! -s "$RM_COMMAND" ]; then
 +        log "Check if command '$RM_COMMAND' was found.......................[FAILED]"
 +        sendmail ERROR
 + movelog
 +        exit 12
 +else
 +        log "Check if command '$RM_COMMAND' was found.......................[  OK  ]"
 +fi
 +
 +# Check if command (file) NOT exist OR IS empty.
 +if [ ! -s "$CAT_COMMAND" ]; then
 +        log "Check if command '$CAT_COMMAND' was found......................[FAILED]"
 +        sendmail ERROR
 + movelog
 +        exit 13
 +else
 +        log "Check if command '$CAT_COMMAND' was found......................[  OK  ]"
 +fi
 +
 +# Check if command (file) NOT exist OR IS empty.
 +if [ ! -s "$DATE_COMMAND" ]; then
 +        log "Check if command '$DATE_COMMAND' was found.....................[FAILED]"
 +        sendmail ERROR
 + movelog
 +        exit 14
 +else
 +        log "Check if command '$DATE_COMMAND' was found.....................[  OK  ]"
 +fi
 +
 +# Check if command (file) NOT exist OR IS empty.
 +if [ ! -s "$MKDIR_COMMAND" ]; then
 +        log "Check if command '$MKDIR_COMMAND' was found....................[FAILED]"
 +        sendmail ERROR
 + movelog
 +        exit 15
 +else
 +        log "Check if command '$MKDIR_COMMAND' was found....................[  OK  ]"
 +fi
 +
 +# Check if command (file) NOT exist OR IS empty.
 +if [ ! -s "$PROG_SENDMAIL" ]; then
 +        log "Check if command '$PROG_SENDMAIL' was found................[FAILED]"
 +        sendmail ERROR
 + movelog
 +        exit 16
 +else
 +        log "Check if command '$PROG_SENDMAIL' was found................[  OK  ]"
 +fi
 +
 +# Check if command (file) NOT exist OR IS empty.
 +if [ ! -s "$TAR_COMMAND" ]; then
 +        log "Check if command '$TAR_COMMAND' was found......................[FAILED]"
 +        sendmail ERROR
 + movelog
 +        exit 17
 +else
 +        log "Check if command '$TAR_COMMAND' was found......................[  OK  ]"
 +fi
 +
 +# Check if command (file) NOT exist OR IS empty.
 +if [ ! -s "$CHOWN_COMMAND" ]; then
 +        log "Check if command '$CHOWN_COMMAND' was found....................[FAILED]"
 +        sendmail ERROR
 + movelog
 +        exit 18
 +else
 +        log "Check if command '$CHOWN_COMMAND' was found....................[  OK  ]"
 +fi
 +
 +# Check if command (file) NOT exist OR IS empty.
 +if [ ! -s "$CHMOD_COMMAND" ]; then
 +        log "Check if command '$CHMOD_COMMAND' was found....................[FAILED]"
 +        sendmail ERROR
 + movelog
 +        exit 19
 +else
 +        log "Check if command '$CHMOD_COMMAND' was found....................[  OK  ]"
 +fi
 +
 +# Check if LOCK file NOT exist.
 +if [ ! -e "$FILE_LOCK" ]; then
 +        log "Check if script is NOT already runnig .....................[  OK  ]"
 +
 +        $TOUCH_COMMAND $FILE_LOCK
 +else
 +        log "Check if script is NOT already runnig .....................[FAILED]"
 +        log ""
 +        log "ERROR: The script was already running, or LOCK file already exists!"
 +        log ""
 +        sendmail ERROR
 + movelog
 +        exit 20
 +fi
 +
 +# Start update.
 +log ""
 +log "+-----------------------------------------------------------------+"
 +log "| Run update from $SCRIPT_NAME ...................... |"
 +log "+-----------------------------------------------------------------+"
 +log ""
 +
 +# Check if Directory NOT exists.
 +if [ ! -d "$PARAM_DIR" ]; then
 +        log "Check if $PARAM_DIR exists ..............................[FAILED]"
 +        log ""
 +        log " INFO: Creating --> $PARAM_DIR !"
 +        log ""
 +
 +        $MKDIR_COMMAND -p $PARAM_DIR  
 +else
 +        log "Check if $PARAM_DIR exists ..............................[  OK  ]"
 +fi
 +
 +# Check if Directory NOT exists.
 +if [ ! -d "$STATE_DIR" ]; then
 +        log "Check if $STATE_DIR exists ......................................[FAILED]"
 +        log ""
 +        log " INFO: Creating --> $STATE_DIR !"
 +        log ""
 +
 +        $MKDIR_COMMAND -p $STATE_DIR  
 +else
 +        log "Check if $STATE_DIR exists ......................................[  OK  ]"
 + log ""
 +fi
 +
 +# Check if file exists
 +if [ ! -e "$PARAM_DIR/$PARAM_FILE" ]; then
 +        log "Check if $PARAM_DIR/$PARAM_FILE exists ..........[FAILED]"
 +        log ""
 +else
 +        log "Check if $PARAM_DIR/$PARAM_FILE exists ..........[  OK  ]"
 +        log ""
 +        log " INFO: Deleting --> $PARAM_DIR/$PARAM_FILE"
 +        log ""
 +
 +        $RM_COMMAND $PARAM_DIR/$PARAM_FILE
 +fi
 +
 +# Generating file.
 +
 +log "Generating '$PARAM_DIR/$PARAM_FILE' .............[  OK  ]"
 +log ""
 +
 +echo "# Lenght of Diffie-Helmann-Parameter" > $PARAM_DIR/$PARAM_FILE
 +echo "ssl_dh_parameters_length = $SSL_DH_PARAMETERS_LENGTH" >> $PARAM_DIR/$PARAM_FILE
 +echo "# Save directory of temporary $STATE_FILE" >> $PARAM_DIR/$PARAM_FILE
 +echo "state_dir = $STATE_DIR" >> $PARAM_DIR/$PARAM_FILE
 +
 +log "Generating '$STATE_DIR/$STATE_FILE' ......................[  OK  ]"
 +log ""
 +log "$BINARY_SSL_PARAMS_PATH -c $PARAM_DIR/$PARAM_FILE"
 +log ""
 +
 +$BINARY_SSL_PARAMS_PATH -c $PARAM_DIR/$PARAM_FILE
 +
 +# Move file.
 +$MV_COMMAND $STATE_DIR/$STATE_FILE $FINAL_DIR/$STATE_FILE -f
 +
 +if [ "$?" != 0 ]; then
 +        retval $?
 +        log "Move file '$STATE_DIR/$STATE_FILE' ........................[FAILED]"
 +        $RM_COMMAND -f $FILE_LOCK
 +        sendmail ERROR
 + movelog
 +        exit 50
 +else
 +        log ""
 +        log "Move file '$STATE_DIR/$STATE_FILE' ........................[  OK  ]"
 +fi
 +
 +$CHOWN_COMMAND -R root.root $FINAL_DIR/$STATE_FILE
 +
 +if [ "$?" != 0 ]; then
 +        retval $?
 +        log "Owner set '$FINAL_DIR/$STATE_FILE' ............[FAILED]"
 +        $RM_COMMAND -f $FILE_LOCK
 +        sendmail ERROR
 + movelog
 +        exit 51
 +else
 +        log "Owner set '$FINAL_DIR/$STATE_FILE' ............[  OK  ]"
 +fi
 +
 +$CHMOD_COMMAND -R 644 $FINAL_DIR/$STATE_FILE
 +
 +if [ "$?" != 0 ]; then
 +        retval $?
 +        log "Permission set '$FINAL_DIR/$STATE_FILE' .......[FAILED]"
 +        $RM_COMMAND -f $FILE_LOCK
 +        sendmail ERROR
 + movelog
 +        exit 52
 +else
 +        log "Permission set '$FINAL_DIR/$STATE_FILE' .......[  OK  ]"
 +fi
 +
 +$BINARY_DOVECOT_PATH reload
 +
 +if [ "$?" != 0 ]; then
 +        retval $?
 +        log "Reload of '$BINARY_DOVECOT_PATH' ..............................[FAILED]"
 +        $RM_COMMAND -f $FILE_LOCK
 +        sendmail ERROR
 + movelog
 +        exit 53
 +else
 + log ""
 +        log "Reload of '$BINARY_DOVECOT_PATH' ..............................[  OK  ]"
 +fi
 +
 +# Finish update.
 +log ""
 +log "+-----------------------------------------------------------------+"
 +log "| End update from $SCRIPT_NAME ...................... |"
 +log "+-----------------------------------------------------------------+"
 +log ""
 +
 +# Status e-mail.
 +if [ $MAIL_STATUS = 'Y' ]; then
 +        sendmail STATUS
 +fi
 +# Move temporary log to permanent log
 +movelog
 +
 +exit 0
 </code> </code>
 +
 +Das oben gezeigte Skript führt nachfolgende Aktionen aus:
 +  - Erstellen einer Konfigurationsdatei ''/etc/dovecot/ssl-parameters.conf'' mit den Diffie-Hellman-Parametern
 +  - Erzeugen einer neuen **temporären** Diffie-Hellman Parameter-Datei
 +  - Kopieren der neuen **temporären** Diffie-Hellman Parameter-Datei auf die durch [[http://dovecot.org|Dovecot]] verwendete Diffie-Hellman-Parameter Datei ''/var/lib/dovecot/ssl-parameters.dat''
 +  - Setzen der richtigen **Besitz**rechte
 +  - Setzen der richtigen **Datei**rechte
 +  - Neustart von [[http://dovecot.org|Dovecot]] via ''/usr/sbin/dovecot reload'' Option (Kein Beenden der offenen Verbindungen, nur Einlesen der Konfugurationsdateien)
 +  - Benachrichtigung im Skript-**Fehlerfall** via e-Mail
 +  - Benachrichtigung via e-Mail über eine erfolgreiche Ausführung, auf Wunsch ein-/ausschaltbar
 +  - Erstellen einer **LOG-Datei** über die Skript-Ausführung in ''/var/log/<SKRIPT-NAME>''
  
 Um das Skript **einmal wöchentlich** laufen zu lassen, kann das vorhergehende Skript im Verzeichnis  Um das Skript **einmal wöchentlich** laufen zu lassen, kann das vorhergehende Skript im Verzeichnis 
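Review bot: the exit status of the parameter generation on the line `$BINARY_SSL_PARAMS_PATH -c $PARAM_DIR/$PARAM_FILE` is never checked, so a failed or interrupted `ssl-params` run falls straight through to the `mv`, which then either fails on a missing `$STATE_DIR/$STATE_FILE` or installs a stale file left behind in `/tmp` from an earlier run; add the same `if [ "$?" != 0 ]` block that follows `mv`, `chown`, `chmod` and `reload` directly after that call. Related: `retval` reads `$?` instead of its argument `$1`, and every call site writes `retval $?` inside the `if`, so it receives the status of the preceding `[ ... ]` test (always 0) rather than of the failing command and never logs anything; capture `RC=$?` immediately after the command and pass that. Also, `STATE_DIR="/tmp"` (like `FILE_LOCK`, `FILE_LAST_LOG` and `FILE_MAIL`) has root write and then move files out of a world-writable directory; a root-owned directory with mode 0700, for example under `/var/lib/dovecot` or `/run`, avoids pre-existing-file and symlink problems there, and `mkdir` of the lock directory is a race-free replacement for the `[ ! -e ]` then `touch` pair. Minor: `chown -R root.root` uses the deprecated dot separator, `root:root` is the documented form, and the comment written into the generated config reads "Lenght of Diffie-Helmann-Parameter" (Length, Diffie-Hellman).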
Zeile 130: Zeile 539:
 erstellt werden. erstellt werden.
  
-Anschließend ist es noch erforderlich die entsprechenden **Datei**rechte mit nachfolgendem Befehl zu setzen, damit dieses auch ausgeführt werden kann:+Anschließend müssen noch die erforderlich **Datei**rechte mit nachfolgendem Befehl gesetzt werden, damit das Skipt auch ausgeführt werden kann, hier nachfolgendes **Beispiel**:
 <code> <code>
 # chmod +x /etc/cron.weekly/ssl-parameters_update.sh # chmod +x /etc/cron.weekly/ssl-parameters_update.sh
 </code> </code>
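Review bot: the reworded sentence on the `+` line has two typos, `erforderlich` should be `erforderlichen` and `Skipt` should be `Skript`. On the command itself, since cron executes everything in `/etc/cron.weekly` as root, it is worth stating that the file must be owned by root and not writable by group or others, for example `chmod 755` rather than a bare `+x`, which only adds the execute bits to whatever mode the file was created with.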
  
tachtler/dovecot_sicherheit.1436598546.txt.gz · Last modified: 2015/07/11 09:09 by klaus