From b8caf78e0ae86118cd0659e28da919721106eadb Mon Sep 17 00:00:00 2001 From: John Denker Date: Sat, 2 Jun 2012 20:47:50 -0700 Subject: bring a few odds and ends into the repo --- tools/makefile | 2 ++ tools/qmail-tls-check_certs | 84 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 86 insertions(+) create mode 100755 tools/qmail-tls-check_certs (limited to 'tools') diff --git a/tools/makefile b/tools/makefile index f64b9c2..005b408 100644 --- a/tools/makefile +++ b/tools/makefile @@ -23,6 +23,8 @@ install: chmod u+s /var/qmail/rbin/checkpassword cp smtp.conf /etc/stunnel/ cp pop3.conf /etc/stunnel/ + chmod 640 /var/qmail/control/*.crtkey + chown qmaild /var/qmail/control/*.crtkey /etc/tcpserver/smtp.rules : install -d /etc/tcpserver diff --git a/tools/qmail-tls-check_certs b/tools/qmail-tls-check_certs new file mode 100755 index 0000000..d8f97de --- /dev/null +++ b/tools/qmail-tls-check_certs @@ -0,0 +1,84 @@ +#!/bin/sh +# +# Author: Jason Haar +# Date: 09-Nov-2004 +# Version: 1.0 +# Copyright: GPL +# +# This script simply checks the status of the certificates used by +# Qmail with Frederik Vermeulen's TLS patch - to ensure they are +# valid, non-expired certs with the appropriate KeyUsage extensions +# required to get their jobs done. +# This script can be run on a nightly basis to check the cert status. +# Note that when it marked as cert as "bad" (typically because it's +# expired), it will be renamed, a syslog event generated, and probably +# Qmail will STOP WORKING FOR NEW TLS SESSIONS. +# +# That may sound bad, but the alternative is that Qmail will stop working +# for new TLS sessions *anyway* - it's just that this script will tell +# you why... + +LOGGER="logger -i -t qmail-tls-check_certs" + +dir='' +dirlist="/etc/qmail/control /var/qmail/control" +for trydir in $dirlist ; do + if test -d $trydir ; then + dir=$trydir + break + fi +done +if test -z "$dir" ; then + 1>&2 echo "Cannot find any control director ($dirlist)" + exit 1 +fi + +for cert in servercert.pem clientcert.pem ; do + if ! test -f "$dir/$cert"; then + echo "Certificate missing: $dir/$cert" + else + #First, check that it's a valid cert for the task + TEMP_PURPOSE=`openssl x509 -in $dir/$cert -noout -purpose 2>/dev/null` + if [ "$?" != "0" ]; then + echo "$dir/$cert is a broken cert. Disabled" + mv -f $dir/$cert $dir/BROKEN-${cert} + $LOGGER "$dir/$cert is a broken cert. Disabled" + continue + fi + + #Now check it hasn't expired + TEMP_DATE=$( openssl x509 -in $dir/$cert -noout -dates 2>/dev/null | \ + grep -i after|cut -d= -f2 ) + EXPIRE_IN_SECS=`date +%s --date $TEMP_DATE 2>/dev/null` + if [ "`echo $EXPIRE_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then + NOW_IN_SECS=`date +%s 2>/dev/null` + if [ "`echo $NOW_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then + if [ $NOW_IN_SECS -gt $EXPIRE_IN_SECS ]; then + echo "$dir/$cert has EXPIRED. Disabling" + mv -f $dir/$cert $dir/EXPIRED-${cert} + $LOGGER "$dir/$cert has EXPIRED. Disabling" + continue + fi + fi + fi + + if [ "`echo $cert|grep server`" != "" ] ; then + if [ "_$( echo $TEMP_PURPOSE | \ + egrep -i '(any purpose|server).* yes' )" = "_" ]; then + echo "$dir/$cert is NOT a server cert. Disabled" + mv -f $dir/$cert $dir/NOT-A-SERVER-CERT-${cert} + $LOGGER "$dir/$cert is NOT a server cert. Disabled" + continue + fi + fi + if [ "`echo $cert|grep client`" != "" ] ; then + if [ "_$( echo $TEMP_PURPOSE | + egrep -i '(any purpose|client).* yes' )" = "_" ]; then + echo "$dir/$cert is NOT a client cert. Disabled" + mv -f $dir/$cert $dir/NOT-A-CLIENT-CERT-${cert} + $LOGGER "$dir/$cert is NOT a client cert. Disabled" + fi + fi + fi + +done -- cgit v1.2.3