#!/bin/sh
# Zertifikat für Postfix erstellen


# Debugausgabe anzeigen ?
DEBUG='NO';	# YES oder NO
# Angaben zum Zertifikat
countryName='DE'
stateOrProvinceName_default=''
localityName_default=''
organizationName_default=''
organizationalUnitName_default=''
# Schlüsselstärke
keysize=1024
# Gültichkeit für den Key
expiry=365
# Gültichkeit für das CA
expiry_ca=3653
# Arbeitsverzeichniss, Kann später wieder gelöscht werden
DIR=/home/ssl_postfix_tmp


if [ $USER != "root" ]
then
	echo "Nur root kann dieses Script ausführen!"
	exit
fi

# function prüft ob variablen leer sind
function readvar ()
{
	unset VARI TEXT
	case "$1" in
		1) TEXT="Länder Kennzeichen Z.B. DE EN .."
		     local VARI="$countryName"
		;;
		2) TEXT="Deine Staat oder Bundesland"
		    local VARI="$stateOrProvinceName_default"
		;;
		3) TEXT="Deine Stadt"
		    local VARI="$localityName_default"
		;;
		4) TEXT="Dein Organisations Name"
		    local VARI="$organizationName_default"
		;;
		5) TEXT="Organisation"
		    local VARI="$organizationalUnitName_default"
		;;
	esac

	if [  -z "$VARI" ]
	then
		read -p "$TEXT " $2
	fi

	if [ -z "$VARI" ]
	then
		readvar $1 $2
	fi
}

C=1
for V in countryName stateOrProvinceName_default localityName_default organizationName_default organizationalUnitName_default; do
readvar $C $V
((C++))
done

function makepass () {
	if [ -z "$TMPPASS" ]
	then
		read -n33 -p "Bitte ein Passwort mit 32 Stellen eigeben " TMPPASS
		ZEICHEN=$(echo $TMPPASS| wc -m)
		if [ "$ZEICHEN" -lt '33' ]
		then
			TMPPASS=''
			echo "Dein Passwort ist zu kurz es MUSS 32 Stellen haben"
			makepass
		fi
	else
		if [ "$ZEICHEN" -lt '33' ]
		then
			TMPPASS=''
			echo "Dein Passwort ist zu kurz es MUSS 32 Stellen haben"
			makepass
		fi
	fi
}
if [ -f /etc/mailname ]
then
	CA=$(cat /etc/mailname)
else
	read -p "Domainname deines Mailservers? "CA
fi

function debug ()
{
	if [ $DEBUG = "YES" ]
	then
		# Parameter $1 auswerten
		echo -e "Debug: $1\n"
	fi
}

if [ ! -d "$DIR" ]
then
	debug "Erstelle das Verzeichnis $DIR"
	mkdir $DIR
	RemoveDir=yes
fi
cd $DIR || exit 1

rm -fr $DIR/ca.db.index $DIR/ca.db.index.old $DIR/ca.db.serial $DIR/ca.db.serial.old $DIR/ca.db.certs >/dev/null 2>&1
touch $DIR/ca.db.index
echo 01 >$DIR/ca.db.serial

if [ ! -d "$DIR/ca.db.certs" ]
then
mkdir $DIR/ca.db.certs
fi

touch $DIR/ca.config

cat >$DIR/openssl.cnf <<EOT
[ ca ]
default_ca= CA_default
[ CA_default ]
dir= $DIR/
certs= $DIR
new_certs_dir= $DIR/ca.db.certs
database= $DIR/ca.db.index
serial= $DIR/ca.db.serial
RANDFILE= $DIR/ca.db.rand
certificate= $DIR/$CA.crt
private_key= $DIR/$CA.key
default_days= $expiry
default_crl_days= 30
default_md= md5
preserve= no

policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= optional
stateOrProvinceName	= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[ req ]
default_bits		= $keysize
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes

[ req_distinguished_name ]
### Hier anpassen!
countryName                     = Country Name (2 letter code)
countryName_default             = $countryName
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = $stateOrProvinceName_default
localityName                    = Locality Name (eg, city)
localityName_default            = $localityName_default
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = $organizationName_default
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = $organizationalUnitName_default
commonName                      = Common Name (enter here: www.mydomain.net, mail.mydomain.net etc.)
commonName_max                  = 64
commonName_default              = $CA
emailAddress                    = Email Address
emailAddress_max                = 64
emailAddress_default            = abuse@$CA
[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name
EOT

PWGEN=$(which pwgen)
TMPPASS=''
function makepass () {
	if [ -z "$TMPPASS" ]
	then
		read -n33 -p "Bitte ein Passwort mit 32 Stellen eigeben " TMPPASS
		ZEICHEN=$(echo $TMPPASS| wc -m)
		if [ "$ZEICHEN" -lt '33' ]
		then
			TMPPASS=''
			echo "Dein Passwort ist zu kurz es MUSS 32 Stellen haben"
			makepass
		fi
	else
		if [ "$ZEICHEN" -lt '33' ]
		then
			TMPPASS=''
			echo "Dein Passwort ist zu kurz es MUSS 32 Stellen haben"
			makepass
		fi
	fi
}
if [ -x "$PWGEN" ]
then
	TMPPASS=$($PWGEN -cns1 32 1)
else
	makepass
fi

PASSIN=" -passin pass:$TMPPASS"
PASSOUT=" -passout pass:$TMPPASS"
echo "Das Passwort für $CA lautet $PASSIN"
echo $TMPPASS > $DIR/${CA}_pass.conf



configdir=$DIR
export configdir

debug "openssl genrsa -des3 -rand /dev/urandom -out $DIR/${CA}.key${PASSOUT} 1024"
openssl genrsa -des3 -rand /dev/urandom -out $DIR/${CA}.key${PASSOUT}  $expiry_ca
chmod 600 $DIR/$CA.key
debug "openssl req -batch -new -config $DIR/openssl.cnf -key $DIR/${CA}.key -out $DIR/$CA.crt${PASSIN}"
openssl req -batch -new -config $DIR/openssl.cnf -key $DIR/${CA}.key -out $DIR/$CA.crt${PASSIN}

debug "openssl x509 -req -days $expiry -in $DIR/$CA.crt -signkey $DIR/${CA}.key -out $DIR/${CA}-crt.pem${PASSIN}"
openssl x509 -req -days $expiry -in $DIR/$CA.crt -signkey $DIR/${CA}.key -out $DIR/${CA}-crt.pem${PASSIN}

debug "openssl rsa -in $DIR/${CA}.key -out $DIR/${CA}.key.unencrypted${PASSIN}"
openssl rsa -in $DIR/${CA}.key -out $DIR/${CA}.key.unencrypted${PASSIN}

mv -f $DIR/${CA}.key.unencrypted $DIR/${CA}.key
debug "openssl req -batch -new -nodes -config $DIR/openssl.cnf -x509 -keyout $DIR/${CA}.cakey.pem -out $DIR/${CA}.cacert.pem -days $expiry${PASSIN}${PASSOUT}"
openssl req -batch -new -config $DIR/openssl.cnf -x509 -keyout $DIR/${CA}.cakey.pem -out $DIR/${CA}.cacert.pem -days $expiry${PASSIN}${PASSOUT}

openssl gendh -out $DIR/dh_1024.pem -2 -rand /dev/urandom 1024
openssl gendh -out $DIR/dh_512.pem -2 -rand /dev/urandom 512
if [ ! -d "/etc/postfix/ssl" ]
then
	mkdir -p /etc/postfix/ssl
	debug "Erstelle das Verzeichniss /etc/postfix/ssl"
fi

if [ -f '/etc/postfix/main.cf' ]
then
	debug 'Erstelle eine Sicherung von /etc/postfix/main.cf'
	cp -f /etc/postfix/main.cf /etc/postfix/main.cf-backup-$(date +"%Y-%m-%d")
fi
debug "Aktualisiere /etc/postfix/main.cf"
mv -f $DIR/$CA.key /etc/postfix/ssl/$CA.key
chmod 400  /etc/postfix/ssl/$CA.key
postconf -e "smtpd_use_tls = yes"
postconf -e "smtpd_tls_key_file = /etc/postfix/ssl/$CA.key"
postconf -e "smtp_tls_note_starttls_offer = yes"
mv -f $DIR/$CA-crt.pem /etc/postfix/ssl/$CA-crt.pem
chmod 444 /etc/postfix/ssl/$CA-crt.pem
postconf -e "smtpd_tls_cert_file = /etc/postfix/ssl/$CA-crt.pem"
mv -f $DIR/${CA}.cacert.pem /etc/postfix/ssl/${CA}.cacert.pem
chmod 444 /etc/postfix/ssl/${CA}.cacert.pem
postconf -e "smtpd_tls_CAfile = /etc/postfix/ssl/${CA}.cacert.pem"
postconf -e "smtpd_tls_loglevel = 1"
postconf -e "smtpd_tls_received_header = yes"
postconf -e "smtpd_tls_session_cache_timeout = 3600s"
postconf -e "tls_random_source = dev:/dev/urandom"
mv -f $DIR/dh_1024.pem /etc/postfix/ssl/dh_1024.pem
mv -f $DIR/dh_512.pem /etc/postfix/ssl/dh_512.pem
postconf -e 'smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem'
postconf -e 'smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem'
postconf -e 'smtpd_tls_security_level = may'
postconf -e "smtp_tls_key_file = /etc/postfix/ssl/$CA.key"
postconf -e "smtp_tls_cert_file = /etc/postfix/ssl/$CA-crt.pem"
postconf -e "smtp_tls_CAfile = /etc/postfix/ssl/${CA}.cacert.pem"

echo "Bitte Postfix neu Starten und Logdatei überprüfen!"
echo "Das Verzeichnis $DIR kann auch gelöscht werden."