| -rwxr-xr-x | tools/qmail | 2 | ||||
| -rwxr-xr-x | tools/qmail-tls-check_certs | 60 | 
2 files changed, 31 insertions, 31 deletions
diff --git a/tools/qmail b/tools/qmail
index f2164d7..f765a8f 100755
--- a/tools/qmail
+++ b/tools/qmail
@@ -259,7 +259,7 @@ case "$verb" in
           echo "Beware: file '$file' is missing."
         fi
       done
-      /var/qmail/bin/qmail-tls-check_certs -server
+      /var/qmail/bin/qmail-tls-check_certs -stunnel
     ;;
     *)
             echo "Usage: $0 {start|stop|reload|zap|restart|status}"
diff --git a/tools/qmail-tls-check_certs b/tools/qmail-tls-check_certs
index 0d73596..a379399 100755
--- a/tools/qmail-tls-check_certs
+++ b/tools/qmail-tls-check_certs
@@ -10,17 +10,14 @@
 # valid, non-expired certs with the appropriate KeyUsage extensions
 # required to get their jobs done.
 # This script can be run on a nightly basis to check the cert status.
-# Note that when it marked as cert as "bad" (typically because it's
-# expired), it will be renamed, a syslog event generated, and probably
-# Qmail will STOP WORKING FOR NEW TLS SESSIONS.
+# Note that when a cert is "bad" (typically because it's
+# expired), we send a warning via syslog.
+# If the cert is bad, Qmail will STOP WORKING FOR NEW TLS SESSIONS.
 #
-# That may sound bad, but the alternative is that Qmail will stop working
-# for new TLS sessions *anyway* - it's just that this script will tell
-# you why...
+# The point of this script is to tell you *why* qmail is not working.
 LOGGER="logger -i -t qmail-tls-check_certs"
-dir=''
 dirlist="/etc/qmail/control /var/qmail/control"
 for trydir in $dirlist ; do
   if test -d $trydir ; then 
@@ -28,49 +25,53 @@ for trydir in $dirlist ; do
     break
   fi
 done
-if test -z "$dir" ; then
-  1>&2 echo "Cannot find any control directory ($dirlist)"
-  exit 1
-fi
 certlist=""
 for arg in "$@" ; do
   case $arg in
-    -server) certlist="$certlist servercert.pem" ;;
-    -client) certlist="$certlist clientcert.pem" ;;
+    -stunnel) certlist=/etc/stunnel/stunnel.pem ;;
+    -starttls) 
+      if test -z "$dir" ; then
+        1>&2 echo "Sorry, can't find the control directory ($dirlist)"
+        exit1
+      fi
+      certlist="$dir/servercert.pem $dir/clientcert.pem"
+      ;;
     *) 1>&2 echo "Unrecognized verbiage: '$arg'"
        exit 1
   esac
  done
 if test -z "$certlist" ; then
-  certlist="servercert.pem clientcert.pem"
+  if test -z "$dir" ; then
+    1>&2 echo "Cannot find any control directory ($dirlist)"
+    exit 1
+  fi
+  certlist="$dir/servercert.pem $dir/clientcert.pem"
 fi
 for cert in $certlist ; do
-    if ! test -f "$dir/$cert"; then
-        echo "Certificate missing: $dir/$cert"
+    if ! test -f "$cert"; then
+        echo "Certificate missing: $cert"
     else
         #First, check that it's a valid cert for the task
-        TEMP_PURPOSE=`openssl x509 -in $dir/$cert -noout -purpose 2>/dev/null`
+        TEMP_PURPOSE=`openssl x509 -in $cert -noout -purpose 2>/dev/null`
         if [ "$?" != "0" ]; then
-                echo "$dir/$cert is a broken cert. Disabled"
-                mv -f $dir/$cert $dir/BROKEN-${cert}
-                $LOGGER "$dir/$cert is a broken cert. Disabled"
+                echo "$cert is a broken cert."
+                $LOGGER "$cert is a broken cert."
                 continue
         fi
         #Now check it hasn't expired
-        TEMP_DATE=$( openssl x509 -in $dir/$cert -noout -dates 2>/dev/null | \
+        TEMP_DATE=$( openssl x509 -in $cert -noout -dates 2>/dev/null | \
                 grep -i after|cut -d= -f2 )
         EXPIRE_IN_SECS=`date +%s --date $TEMP_DATE 2>/dev/null`
         if [ "`echo $EXPIRE_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then
             NOW_IN_SECS=`date +%s 2>/dev/null`
             if [ "`echo $NOW_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then
                 if [ $NOW_IN_SECS -gt $EXPIRE_IN_SECS ]; then
-                    echo "$dir/$cert has EXPIRED. Disabling"
-                    mv -f $dir/$cert $dir/EXPIRED-${cert}
-                    $LOGGER "$dir/$cert has EXPIRED. Disabling"
+                    echo "$cert has EXPIRED."
+                    $LOGGER "$cert has EXPIRED."
                     continue
                 fi
             fi 
@@ -79,18 +80,17 @@ for cert in $certlist ; do
         if [ "`echo $cert|grep server`" != "" ] ; then
             if [ "_$( echo $TEMP_PURPOSE | \
                     egrep -i '(any purpose|server).* yes' )" = "_" ]; then
-                echo "$dir/$cert is NOT a server cert. Disabled"
-                mv -f $dir/$cert $dir/NOT-A-SERVER-CERT-${cert}
-                $LOGGER "$dir/$cert is NOT a server cert. Disabled"
+                echo    "$cert is NOT a server cert."
+                $LOGGER "$cert is NOT a server cert."
                 continue
             fi
         fi
         if [ "`echo $cert|grep client`" != "" ] ; then
             if [ "_$( echo $TEMP_PURPOSE |
                    egrep -i '(any purpose|client).* yes' )" = "_" ]; then
-                echo "$dir/$cert is NOT a client cert. Disabled"
-                mv -f $dir/$cert $dir/NOT-A-CLIENT-CERT-${cert}
-                $LOGGER "$dir/$cert is NOT a client cert. Disabled"
+                echo "   $cert is NOT a client cert."
+                $LOGGER "$cert is NOT a client cert."
+                continue
             fi
         fi
     fi
| 
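Review bot: With `-stunnel` the `status` verb now validates only `/etc/stunnel/stunnel.pem`; the STARTTLS certs in the control directory that the old `-server` call covered are no longer checked here, which is only right if this host serves TLS exclusively through stunnel. If both are in use, note that the checker's new option parsing assigns `certlist=` for `-stunnel` rather than appending, so `-stunnel -starttls` in a single invocation keeps only the last option; call it twice instead: `/var/qmail/bin/qmail-tls-check_certs -stunnel` followed by `/var/qmail/bin/qmail-tls-check_certs -starttls`. As far as the visible hunks of the checker show, none of its bad-cert branches records a failure, so the exit status `status` discards here would carry no signal anyway; a comment such as `# reports only; exit status does not reflect cert state` would keep that from surprising the next reader.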
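Review bot: Dropping `dir=''` leaves `dir` initialised from the caller's environment, and the new `-starttls` and default paths in the next hunk decide whether a control directory was found with `test -z "$dir"`, so an exported `dir` variable (a common interactive-shell name) would be used as the control directory instead of producing the "Cannot find any control directory" error. Keep the explicit reset before the `for trydir` loop: `dir=''` (or `unset dir`), with a comment `# must start empty: the -z "$dir" checks below rely on it`. The loop body that assigns `dir` is not fully visible in this hunk.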
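Review bot: The `-starttls` arm has a typo, `exit1` instead of `exit 1`, so when no control directory exists the script prints the "Sorry" message, then a "command not found" error, and carries on with `certlist="/servercert.pem /clientcert.pem"`, reporting those as missing instead of failing; change the line to `exit 1`. Two smaller points in the same `case`: `-stunnel` assigns `certlist=/etc/stunnel/stunnel.pem` rather than appending, so combining it with `-starttls` keeps only the last option given, and because that path contains neither "server" nor "client", the purpose checks further down (`echo $cert|grep server`, `... grep client`) are skipped for the stunnel cert, leaving only the parse and expiry checks. That deserves a comment on the `-stunnel` arm, e.g. `# stunnel.pem: KeyUsage/purpose is not checked, only that it parses and has not expired`.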
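Review bot: The new client-cert message puts the alignment padding inside the string, `echo "   $cert is NOT a client cert."`, so it prints with three leading spaces, whereas the server-cert line (`echo    "$cert is NOT a server cert."`) has the padding outside the quotes; use `echo    "$cert is NOT a client cert."` to match. Separately, now that the `mv` quarantine is gone every bad-cert branch only echoes, logs and `continue`s, so the script's exit status no longer carries any signal about the cert state for callers such as `qmail status`; consider setting `rc=1` in each branch and ending with `exit "$rc"`. The end of the `for cert` loop is outside this hunk.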
