Open jloms opened 5 months ago
Noted. Thanks!
I have a script which automatically updates the certificate to my valid Let's Encrypt certificate which I run immediately on all of my test machines, so I had not encountered this problem.
I'll generate a new, stronger, default certificate. In the meantime, here is the script that I use, if you'd like to apply your own certificate/key without web access:
#!/bin/bash
# Install a certificate chain and its private key into the MailCleaner
# configuration database (Exim stages and Apache), then restart the services.
usage() {
    echo "Usage: $0 public_chain private_key [-R]"
    echo " -R Don't restart services"
    exit 1
}
SRCDIR=$(grep 'SRCDIR' /etc/mailcleaner.conf | cut -d ' ' -f3)
RESTART=1
# Both the chain file and the key file must be given and readable.
if [ -z "$1" ] || [ -z "$2" ]; then
    echo "Missing argument"
    usage
elif [[ ! -r $1 ]]; then
    echo "Cannot read $1"
    usage
elif [[ ! -r $2 ]]; then
    echo "Cannot read $2"
    usage
fi
if [ -n "$3" ]; then
    # String comparison: -eq only compares integers.
    if [[ $3 == '-R' ]]; then
        echo "Not restarting"
        RESTART=0
    else
        echo "Invalid option '$3'"
        usage
    fi
fi
# Leaf certificate: everything up to and including the first END CERTIFICATE
# line (-B 1000 assumes no single certificate is longer than 1000 lines).
CERT=$(grep -m 1 -B 1000 'END CERTIFICATE' "$1")
# Number of certificates in the bundle, minus the leaf.
COUNT=$(grep -c 'END CERTIFICATE' "$1")
let "COUNT--"
if [ "$COUNT" -gt 0 ]; then
    # Chain: the last COUNT certificates, taken by reading the file backwards.
    CHAIN=$(tac "$1" | grep -m "$COUNT" -B 1000 'BEGIN CERTIFICATE' | tac)
else
    CHAIN=''
fi
# Exim (mta_config) gets the full chain and the key. The PEM text is embedded
# in single-quoted SQL literals; PEM data contains no quote characters.
cat << EOF | "${SRCDIR}/bin/mc_mysql" -m mc_config
UPDATE mta_config set tls_certificate_data = '$(cat "$1")';
EOF
cat << EOF | "${SRCDIR}/bin/mc_mysql" -m mc_config
UPDATE mta_config set tls_certificate_key = '$(cat "$2")';
EOF
if [[ $RESTART == 1 ]]; then
    for i in 4 2 1; do "${SRCDIR}/etc/init.d/exim_stage$i" restart; done
fi
# Apache (httpd_config) stores the leaf, the chain and the key separately.
cat << EOF | "${SRCDIR}/bin/mc_mysql" -m mc_config
UPDATE httpd_config set tls_certificate_data = '$CERT';
EOF
cat << EOF | "${SRCDIR}/bin/mc_mysql" -m mc_config
UPDATE httpd_config set tls_certificate_chain = '$CHAIN';
EOF
cat << EOF | "${SRCDIR}/bin/mc_mysql" -m mc_config
UPDATE httpd_config set tls_certificate_key = '$(cat "$2")';
EOF
if [[ $RESTART == 1 ]]; then
    "${SRCDIR}/etc/init.d/apache" restart
fi
The default certificate is updated. However, for the final release, I would like to have a unique self-signed certificate generated during the install.pl script. GitHub has a bot which is nagging me that we have an exposed private key and since some users will never update the certificate, this is justifiable.
Note: Major mail providers such as Office 365 have become more strict recently regarding TLS connections. It is now better to have no TLS than to have a self-signed certificate. So, we can generate the self-signed certificate to be used by default, but we must ensure that TLS is not enabled by default and that there are warnings in documentation or the interface to get a proper certificate.
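As an added example (written for this page; it is not MailCleaner code and not the script the maintainer posted), the following shell functions cover the two things discussed in the thread: splitting a PEM bundle into leaf and chain with awk instead of a fixed grep window, checking that the private key actually belongs to the leaf before anything is written to the database and the services restarted, and generating a per-host self-signed certificate of the kind proposed for install.pl. The function names, the file name cert_tools.sh, the example CN and the 825-day lifetime are assumptions; openssl 1.1.1 or later is required for -addext. Enabling or disabling TLS is deliberately left out, as the comment above says that must remain a separate decision.

```shell
#!/bin/sh
# Added example, not MailCleaner code. Function names, paths and the
# CN/SAN used here are assumptions for illustration.

# Count the certificates in a PEM bundle (prints 0 for an empty file).
pem_count() {
    awk '/^-----END CERTIFICATE-----/ { c++ } END { print c + 0 }' "$1"
}

# Print the N-th certificate block (1-based) of a PEM bundle; with N=0,
# print every block after the first, i.e. the intermediate/root chain.
# Text outside BEGIN/END blocks (e.g. "subject=" lines) is dropped and,
# unlike grep -B <window>, there is no fixed line-count limit.
pem_nth() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inblock = 1 }
        inblock && (n == want || (want == 0 && n > 1)) { print }
        /^-----END CERTIFICATE-----/ { inblock = 0 }
    ' "$1"
}

# Succeed only if the private key and the leaf certificate carry the same
# public key. Apache will not start on a mismatched pair, so run this before
# loading anything into the database. Usage: key_matches_cert KEY CERT
key_matches_cert() {
    certpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    keypub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# Generate a fresh private key and a self-signed certificate unique to this
# host, the kind of per-install default proposed above. openssl chooses a
# random serial; 825 days is the longest lifetime Apple clients accept;
# -addext needs OpenSSL 1.1.1+. Usage: gen_self_signed KEY CERT [CN] [KEYSPEC]
gen_self_signed() {
    cn=${3:-$(hostname -f 2>/dev/null || hostname)}
    keyspec=${4:-rsa:4096}
    # Subshell so the restrictive umask (key must not be world-readable)
    # does not leak into the caller.
    (umask 077 && openssl req -x509 -newkey "$keyspec" -sha256 -days 825 -nodes \
        -keyout "$1" -out "$2" \
        -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn")
}

# Demo: a constructed three-certificate bundle (placeholder body lines, not
# real DER) is split, then a self-signed pair is generated and checked.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-PLACEHOLDER' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'ROOT-PLACEHOLDER' '-----END CERTIFICATE-----' \
        > "$tmp/bundle.pem"
    echo "certificates in bundle: $(pem_count "$tmp/bundle.pem")"
    echo "--- leaf ---";  pem_nth "$tmp/bundle.pem" 1
    echo "--- chain ---"; pem_nth "$tmp/bundle.pem" 0
    if gen_self_signed "$tmp/key.pem" "$tmp/cert.pem" mail.example.test rsa:2048 \
       && key_matches_cert "$tmp/key.pem" "$tmp/cert.pem"; then
        echo "self-signed pair OK:"
        openssl x509 -in "$tmp/cert.pem" -noout -subject -dates
    else
        echo "self-signed generation or key check failed (openssl >= 1.1.1 required)"
    fi
    rm -rf "$tmp"
}

# Run as: sh cert_tools.sh demo
case "${1:-}" in demo) demo ;; esac
```

The splitter is what the posted script's grep/tac pipeline approximates; the key check is the step that pipeline lacks, and it is cheap enough to run every time before the UPDATE statements and the restarts.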
Default certificate in the database is too weak. Changing the certificate is needed for starting apache2.