wildcard instead of *
This commit is contained in:
parent
f9723b2b68
commit
ce26d864b5
|
|
@ -8,8 +8,10 @@
|
|||
# - docker-data/dms/config/postfix-main.cf
|
||||
#
|
||||
# Cert-Konvention (Caddy Wildcard):
|
||||
# /etc/mail/certs/*.domain.tld/*.domain.tld.crt
|
||||
# /etc/mail/certs/*.domain.tld/*.domain.tld.key
|
||||
# Caddy speichert *.domain.tld unter: wildcard_.domain.tld/wildcard_.domain.tld.crt
|
||||
# Im Container (gemountet unter /etc/mail/certs):
|
||||
# /etc/mail/certs/wildcard_.domain.tld/wildcard_.domain.tld.crt
|
||||
# /etc/mail/certs/wildcard_.domain.tld/wildcard_.domain.tld.key
|
||||
#
|
||||
# Usage:
|
||||
# ./setup-dms-tls.sh
|
||||
|
|
@ -50,6 +52,15 @@ fi
|
|||
echo " Gefundene Domains:"
|
||||
for d in $DOMAINS; do echo " - $d"; done
|
||||
|
||||
# --- Cert-Pfad Hilfsfunktionen ---
|
||||
# Caddy speichert Wildcard-Certs unter: wildcard_.domain.tld/wildcard_.domain.tld.crt
|
||||
wildcard_cert_path() {
|
||||
echo "$CERTS_BASE_PATH/wildcard_.${1}/wildcard_.${1}.crt"
|
||||
}
|
||||
wildcard_key_path() {
|
||||
echo "$CERTS_BASE_PATH/wildcard_.${1}/wildcard_.${1}.key"
|
||||
}
|
||||
|
||||
# --- Cert-Verfügbarkeit im Container prüfen ---
|
||||
echo ""
|
||||
echo "🔍 Prüfe Zertifikat-Verfügbarkeit..."
|
||||
|
|
@ -57,11 +68,11 @@ DOMAINS_OK=""
|
|||
DOMAINS_MISSING=""
|
||||
|
||||
for domain in $DOMAINS; do
|
||||
CERT_PATH="$CERTS_BASE_PATH/*.$domain/*.$domain.crt"
|
||||
KEY_PATH="$CERTS_BASE_PATH/*.$domain/*.$domain.key"
|
||||
CERT_PATH=$(wildcard_cert_path "$domain")
|
||||
KEY_PATH=$(wildcard_key_path "$domain")
|
||||
|
||||
if docker exec "$DMS_CONTAINER" test -f "$CERT_PATH" 2>/dev/null; then
|
||||
echo " ✅ $domain → Cert vorhanden"
|
||||
echo " ✅ $domain → $CERT_PATH"
|
||||
DOMAINS_OK="$DOMAINS_OK $domain"
|
||||
else
|
||||
echo " ⚠️ $domain → KEIN Cert unter $CERT_PATH"
|
||||
|
|
@ -72,13 +83,10 @@ done
|
|||
|
||||
# Node-Hostname Cert prüfen (direktes Cert, kein Wildcard)
|
||||
NODE_CERT_PATH="$CERTS_BASE_PATH/$NODE_HOSTNAME/$NODE_HOSTNAME.crt"
|
||||
NODE_KEY_PATH="$CERTS_BASE_PATH/$NODE_HOSTNAME/$NODE_HOSTNAME.key"
|
||||
if docker exec "$DMS_CONTAINER" test -f "$NODE_CERT_PATH" 2>/dev/null; then
|
||||
echo " ✅ $NODE_HOSTNAME → Cert vorhanden (Node Default)"
|
||||
NODE_CERT_OK=true
|
||||
else
|
||||
echo " ⚠️ $NODE_HOSTNAME → KEIN Cert! Caddy-Block im Caddyfile prüfen."
|
||||
NODE_CERT_OK=false
|
||||
fi
|
||||
|
||||
if [ -n "$DOMAINS_MISSING" ]; then
|
||||
|
|
@ -106,14 +114,17 @@ cat > "$DOVECOT_CFG" << 'HEADER'
|
|||
# Dovecot liest dieses File über den Volume-Mount in /tmp/docker-mailserver/
|
||||
# und wendet es automatisch an.
|
||||
#
|
||||
# Caddy Wildcard-Cert Pfad-Schema:
|
||||
# wildcard_.domain.tld/wildcard_.domain.tld.crt|.key
|
||||
#
|
||||
# Volume-Mount in docker-compose.yml:
|
||||
# - ./docker-data/dms/config/dovecot-sni.cf:/tmp/docker-mailserver/dovecot-sni.cf:ro
|
||||
|
||||
HEADER
|
||||
|
||||
for domain in $DOMAINS_OK; do
|
||||
CERT_PATH="$CERTS_BASE_PATH/*.$domain/*.$domain.crt"
|
||||
KEY_PATH="$CERTS_BASE_PATH/*.$domain/*.$domain.key"
|
||||
CERT_PATH=$(wildcard_cert_path "$domain")
|
||||
KEY_PATH=$(wildcard_key_path "$domain")
|
||||
|
||||
cat >> "$DOVECOT_CFG" << EOF
|
||||
# $domain
|
||||
|
|
@ -138,6 +149,10 @@ EOF
|
|||
done
|
||||
|
||||
echo " ✅ Dovecot SNI: $(echo $DOMAINS_OK | wc -w) Domain(s)"
|
||||
echo ""
|
||||
echo " --- dovecot-sni.cf Inhalt ---"
|
||||
cat "$DOVECOT_CFG"
|
||||
echo " --- Ende ---"
|
||||
|
||||
# ================================================================
|
||||
# POSTFIX SNI Konfiguration
|
||||
|
|
@ -146,18 +161,17 @@ POSTFIX_CFG="$CONFIG_DIR/postfix-main.cf"
|
|||
echo ""
|
||||
echo "📝 Generiere: $POSTFIX_CFG"
|
||||
|
||||
# Backup falls vorhanden
|
||||
if [ -f "$POSTFIX_CFG" ]; then
|
||||
cp "$POSTFIX_CFG" "${POSTFIX_CFG}.bak.$(date +%Y%m%d%H%M%S)"
|
||||
echo " ℹ️ Backup: ${POSTFIX_CFG}.bak.*"
|
||||
fi
|
||||
|
||||
# smtpd_tls_chain_files aufbauen: Key + Cert Paar pro Domain
|
||||
# smtpd_tls_chain_files: Key + Cert Paar pro Domain
|
||||
# Postfix wählt automatisch per SNI das passende Paar
|
||||
CHAIN_LINES=""
|
||||
for domain in $DOMAINS_OK; do
|
||||
KEY_PATH="$CERTS_BASE_PATH/*.$domain/*.$domain.key"
|
||||
CERT_PATH="$CERTS_BASE_PATH/*.$domain/*.$domain.crt"
|
||||
KEY_PATH=$(wildcard_key_path "$domain")
|
||||
CERT_PATH=$(wildcard_cert_path "$domain")
|
||||
if [ -z "$CHAIN_LINES" ]; then
|
||||
CHAIN_LINES=" $KEY_PATH, $CERT_PATH"
|
||||
else
|
||||
|
|
@ -170,6 +184,9 @@ cat > "$POSTFIX_CFG" << POSTFIX_EOF
|
|||
# Postfix SNI-Konfiguration: pro Kundendomain ein Key/Cert-Paar.
|
||||
# Postfix wählt beim TLS-Handshake das passende Paar per SNI.
|
||||
# DMS lädt dieses File automatisch beim Start.
|
||||
#
|
||||
# Caddy Wildcard-Cert Pfad-Schema:
|
||||
# wildcard_.domain.tld/wildcard_.domain.tld.crt|.key
|
||||
|
||||
# TLS Chain: Key + Cert Paare (Postfix >= 3.4)
|
||||
smtpd_tls_chain_files =
|
||||
|
|
@ -178,6 +195,10 @@ $(printf '%b' "$CHAIN_LINES")
|
|||
POSTFIX_EOF
|
||||
|
||||
echo " ✅ Postfix SNI: $(echo $DOMAINS_OK | wc -w) Domain(s)"
|
||||
echo ""
|
||||
echo " --- postfix-main.cf Inhalt ---"
|
||||
cat "$POSTFIX_CFG"
|
||||
echo " --- Ende ---"
|
||||
|
||||
# ================================================================
|
||||
# Zusammenfassung
|
||||
|
|
|
|||
Loading…
Reference in New Issue