Archive-Team
/
docker-mailserver
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update ssl.sh 

Update environment.md
Update mailserver.env

Extracting certificate for multiple domain for SNI support
This commit is contained in:
vp1100 2024-08-08 23:12:12 +02:00 committed by svg
parent d61909bdea
commit f937faa678
3 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
docs/content/config/environment.md
View File

@ -191,6 +191,12 @@ In the majority of cases, you want `letsencrypt` or `manual`.
Please read [the SSL page in the documentation][docs-tls] for more information. Please read [the SSL page in the documentation][docs-tls] for more information.
##### SSL_SNI_DOMAINS
Comma separated list of domains.
Certificates will be exported for each domain from traefik `acme.json` and added to Postfix and Dovecot for SNI support.
##### TLS_LEVEL ##### TLS_LEVEL
- **empty** => modern - **empty** => modern

3
mailserver.env
View File

@ -240,6 +240,9 @@ SMTP_ONLY=
# self-signed => Enables self-signed certificates # self-signed => Enables self-signed certificates
SSL_TYPE= SSL_TYPE=
# Provide a comma separated list of domains to additionally export the certificate from acme.json
SSL_SNI_DOMAINS=
# These are only supported with `SSL_TYPE=manual`. # These are only supported with `SSL_TYPE=manual`.
# Provide the path to your cert and key files that you've mounted access to within the container. # Provide the path to your cert and key files that you've mounted access to within the container.
SSL_CERT_PATH= SSL_CERT_PATH=

38
target/scripts/helpers/ssl.sh
View File

@ -127,6 +127,44 @@ function _setup_ssl() {
fi fi
_log 'trace' "letsencrypt (acme.json) extracted certificate using ${EXTRACTED_DOMAIN[0]}: '${EXTRACTED_DOMAIN[1]}'" _log 'trace' "letsencrypt (acme.json) extracted certificate using ${EXTRACTED_DOMAIN[0]}: '${EXTRACTED_DOMAIN[1]}'"
# Extracting certificates for SNI support
if [[ -n ${SSL_SNI_DOMAINS} ]] ; then
# add empty dovecot & postfix config
echo -n "" > /etc/dovecot/conf.d/20-sni.conf
echo -n "" > /etc/postfix/sni.map
# add tls_server_sni_maps yo main.cf if not exist
local SNI_MAPS="tls_server_sni_maps = hash:/etc/postfix/sni.map"
grep -qxF -- "${SNI_MAPS}" "/etc/postfix/main.cf" || echo "${SNI_MAPS}" >> /etc/postfix/main.cf
for SNI_DOMAIN in ${SSL_SNI_DOMAINS//,/ }
do
if _extract_certs_from_acme "${SNI_DOMAIN}"; then
local PRIVATE_KEY="/etc/letsencrypt/live/${SNI_DOMAIN}/key.pem"
local CERT_CHAIN="/etc/letsencrypt/live/${SNI_DOMAIN}/fullchain.pem"
# add certificate to postfix
echo "${SNI_DOMAIN} ${PRIVATE_KEY} ${CERT_CHAIN}" >> /etc/postfix/sni.map
# add certificate to dovecot
{
echo "local_name ${SNI_DOMAIN} {"
echo " ssl_cert = <${CERT_CHAIN}"
echo " ssl_key = <${PRIVATE_KEY}"
echo "}"
} >> /etc/dovecot/conf.d/20-sni.conf
_log 'trace' "SNI: extracted domain: ${SNI_DOMAIN}"
else
_log 'warn' "SNI: letsencrypt (acme.json) failed to extract domain: ${SNI_DOMAIN}"
fi
done
# create postfix SNI table
postmap -F hash:/etc/postfix/sni.map
_log 'trace' "SNI: creating postfix db (sni.map.db)"
fi
fi fi
} }