
EC key support #51

Merged
merged 2 commits into from
Mar 30, 2019

Conversation

czocher
Contributor

@czocher czocher commented Mar 30, 2019

This change adds EC key support for simple-mail-forwarder.
It also fixes a little typo.
Solves #50

@czocher czocher mentioned this pull request Mar 30, 2019
@huan
Owner

huan commented Mar 30, 2019

It looks good to me, I'll merge it first.

However, please test it after the new docker image has been published and make sure it works as you expected.

Thank you very much for bringing this new feature to the SMF!

@huan huan merged commit b36d02f into huan:master Mar 30, 2019
@czocher czocher deleted the ec-key-support branch March 30, 2019 23:12
huan added a commit that referenced this pull request Jun 7, 2019
@huan
Owner

huan commented Jun 7, 2019

@czocher I have just fixed a bug introduced by this PR that broke the unit tests.

@czocher
Contributor Author

czocher commented Jul 11, 2019

@huan I'm extremely sorry, I hadn't realized there were unit tests in this project!

@huan
Owner

huan commented Jul 12, 2019

Of course we have! ;-)

@petslane
Contributor

petslane commented Sep 7, 2020

I think this PR has some problems...

I used letsencrypt to generate fullchain.pem and privkey.pem and used them as smtp.cert and smtp.key in a folder that is mounted as /etc/postfix/cert/ in the container.

When starting the latest/1.1 image, the server starts correctly with no errors in the logs, but when configuring the SMTP server in Gmail, I get this error:

Authentication failed. Please check your username/password.
Server returned error: "TLS Negotiation failed, the certificate doesn't match the host., code: 0"

Tested the certs with https://www.checktls.com/TestReceiver and the cert test fails:

Details about cert fail:

	Cert VALIDATION ERROR(S): self signed certificate
So email is encrypted but the recipient domain is not verified
Cert Hostname DOES NOT VERIFY (mail.example.com != simple-mail-forwarder.com)
So email is encrypted but the host is not verified
cert not revoked by OCSP
Data:
  Version: n/a
  Serial Number: 99:7b:00:b0:9a:d6:ff:88
  Validity:
    Not Before: Sep  7 15:05:26 2020 GMT
    Not After: Sep  5 15:05:26 2030 GMT
  Issuer:
    commonName =	simple-mail-forwarder.com
    countryName =	US
    localityName =	L
    organizationName =	O
    stateOrProvinceName =	Matrix
  Subject:
    commonName =	simple-mail-forwarder.com
    countryName =	US
    localityName =	L
    organizationName =	O
    stateOrProvinceName =	Matrix
  Subject Public Key Info:
    Public Key Algorithm: id-ecPublicKey
    Public Key Bits: (384 bit)
    Modulus:
      49:F6:54:70:FF:D0:4F:75:A9:A3:53:BE:E5:FB:74:44
[...]
      B
    Exponent: n/a
    Key:
      -----BEGIN PUBLIC KEY-----
      MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEn2VHD/0E91qaNTvuX7dET+ZcuzKLg3ZV
[...]
      -----END PUBLIC KEY-----
  X509v3 Extensions:
Digest: 8aa3ee4ff9e1a701ee47b0c17a291228b03341e5ef7076f01ebfcad1aea369a2
Signature: ecdsa-with-SHA256
  6d:61:69:6c:2d:66:6f:72:77:61:72:64:65:72:2e:63
[...]
Fingerprints:
  sha256$8aa3ee4ff9e1a701ee47b0c17a291228b03341e5ef7076f01ebfcad1aea369a2
[...]
  sha512$pub$163ac8d3d075fe6a910e956a58bbe122fc06f21d662b14ec39bacfcad18c97f370415df2fc14ef6732c2c383f439d9b4a5a7437a4280f1d7f2bbb4bc4c9ea359
Certificate:
  -----BEGIN CERTIFICATE-----
  MIIB4TCCAWcCCQCZewCwmtb/iDAKBggqhkjOPQQDAjBaMQswCQYDVQQGEwJVUzEP
[...]
  E13NIJM=
  -----END CERTIFICATE-----

After starting the container, I noticed that smtp.ec.cert and smtp.ec.key files were also generated. I do not know exactly what they are, but I think they are not needed.

Stopped the container, deleted the smtp.ec.cert and smtp.ec.key files, changed the image to 1.0.0 and started the container. Now the smtp.ec.cert and smtp.ec.key files were not created and all tests pass on https://www.checktls.com/TestReceiver. Also, Gmail now allows it to be used as an SMTP server.
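The mismatch reported above (a self-signed EC certificate for simple-mail-forwarder.com being served instead of the Let's Encrypt one, so Gmail's hostname check fails) can be caught on the host before the container is started. The script below is an added example, not code from docker-simple-mail-forwarder or from anyone in this thread; it assumes only the openssl command line (1.0.2 or newer, for -checkhost) and takes a cert path, a key path and the hostname clients will verify as arguments. Run it against both the smtp.* pair and, if present, the smtp.ec.* pair to see whether either certificate is self-signed, does not match its key, or was issued for the wrong name.

```shell
#!/bin/sh
# check_smtp_certs.sh: inspect a cert/key pair before mounting it into
# /etc/postfix/cert/. Added example; not part of docker-simple-mail-forwarder.
# Assumes the openssl CLI (1.0.2 or newer, for -checkhost) is installed.

# Print the public-key algorithm of a certificate: EC, RSA or unknown.
cert_key_algo() {
    algo=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Public Key Algorithm: *//p' | head -n 1)
    case "$algo" in
        id-ecPublicKey) echo EC ;;
        rsaEncryption)  echo RSA ;;
        *)              echo unknown ;;
    esac
}

# Succeed (exit 0) when the certificate is self-signed (issuer == subject),
# which is what the checktls output above reported for the served cert.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null)
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null)
    [ -n "$subj" ] && [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Succeed when the private key's public half equals the certificate's
# SubjectPublicKeyInfo, i.e. Postfix can actually use the pair together.
cert_matches_key() {
    certpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# Succeed when the certificate's CN or a SAN dNSName matches the hostname
# that clients such as Gmail will verify during TLS negotiation.
cert_has_hostname() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q ' does match '
}

# Human-readable report for one cert/key pair; returns 1 on any failed check.
check_pair() {
    cert=$1; key=$2; host=$3; rc=0
    echo "$cert: key algorithm $(cert_key_algo "$cert")"
    if cert_is_self_signed "$cert"; then
        echo "$cert: WARNING self-signed, clients will not trust it"; rc=1
    fi
    if ! cert_matches_key "$cert" "$key"; then
        echo "$cert: ERROR does not match private key $key"; rc=1
    fi
    if ! cert_has_hostname "$cert" "$host"; then
        echo "$cert: ERROR does not cover hostname $host"; rc=1
    fi
    return $rc
}

# Usage: check_smtp_certs.sh /path/to/smtp.cert /path/to/smtp.key mail.example.com
if [ "$#" -eq 3 ]; then
    check_pair "$1" "$2" "$3"
fi
```

Against the certificate dumped above, check_pair would flag two problems: the subject equals the issuer (self-signed) and the only name it carries is simple-mail-forwarder.com rather than the mail host Gmail was told to connect to. A Let's Encrypt fullchain.pem with its privkey.pem should pass all three checks for the host it was issued to.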

@ggilestro

The following works for me:

cp ../../archive/mydomain/fullchain2.pem smtp.cert
cp ../../archive/mydomain/fullchain2.pem smtp.ec.cert
cp ../../archive/mydomain/privkey2.pem smtp.ec.key
cp ../../archive/mydomain/privkey2.pem smtp.key

Basically, the ec files are just a copy of the non-ec files.

@petslane
Contributor

petslane commented Sep 8, 2020

I can confirm that cp smtp.cert smtp.ec.cert && cp smtp.key smtp.ec.key fixes the latest image.

If these "ec" cert/key files are required when using letsencrypt (or any other certs?), then I think the README should explicitly mention that these files must be copied there.

haratosan pushed a commit to haratosan/docker-simple-mail-forwarder that referenced this pull request Apr 5, 2021
* Fix nickname typo

* Add support for EC keys
haratosan pushed a commit to haratosan/docker-simple-mail-forwarder that referenced this pull request Apr 5, 2021
huan added a commit that referenced this pull request Jul 6, 2021
…103)

* Use alpine:latest as base image

* Roll back to sillelien/base-alpine:0.10 (#23)

* fix doc

* Update README.md

* Update README.md

* Update Base to Alpine 3.8

* Update base image to Alpine 3.8
* Install s6 process manager directly
* Upgraded BATS to 1.1.0
* Install syslog-ng for postfix logging to stdout

* syslog-ng: Disable statistic messages

These spam the console too much, so disable them.

* Fix typo in README

couse => course

* Upgrade circleci from v1 to v2

* add ide config

* fix circleci config

* fix circleci config

* fix circleci config

* fix circleci config

* fix yml

* fix yml add docker run type

* fix yml add machine run type

* fix yml

* year 2019

* Add voice from Paweł Czochański

* EC key support (#51)

* Fix nickname typo

* Add support for EC keys

* Update README.md

* Update README.md

* add ec key support

* Fix layout

* Timezone tzdata package (#57)

Add custom timezone support

* make circler yaml linter happy

* Fix leak of EC Cert/Key problem (#58)

* code clean

* only generate not existing files (#51 #58)

* one line -> one-line

* Timezone supported

* Update author & copyright

* Update master changelog

* fix Chinese character bug

* v1.1

* Update README.md timezone (#59)

Update README.md for Timezone support

* clean doc

* Fix H1 title

* Update README.md

* Update README.md

* Fix typo (#66)

* add auth for relayhost (#68)

* add auth for relayhost

* indent fix

* example for AUTH

* remove excess line

* environment var typo fix

* fix for mail log not displaying

* Enable GitHub Actions

* Add Actions Badge

* basic "proofreading" (#69)

* basic "proofreading"

fixed some grammatical and spelling errors, made the descriptions flow a little better

* PR revisions

* Update README.md

* add hall of flame

* Upgrade BATS & S6, with multiple-platform docker image published with version 1.2 (#76)

* v1.2

* Upgrade Alpine to 3.8 (#77)

* upgrade base image to alpine 3.8

* v1.3

* Deploy docker image arm platform from github action

* test

* test

* checkout before deploy

* clean

* use buildx as default build

* republish v1.2 for amd64 with s6 fix (#79)

* republish v1.3 for amd64 with s6 fix

* fix comment

* v1.2

* Add test for deleting test user (#82)

* Add makefile

* makefile

* makefile

* makefile

* 1.2.14

* add make version

* 1.2.15

* v1.3.0 for multi platforms image

* Use script to install s6 with right platforms (arm/x86) (#76)

* use aarch64 for s6 release (#76)

* v1.3.1

* Add DKIM support (#83)

* Add DKIM support

* 1.2.11

Co-authored-by: Huan (李卓桓) <zixia@zixia.net>

* generating a DKIM key for all virtualDomains

* including HOSTNAME in folder of domains for DKIM

* KeyTable, SigningTable, TrustedHosts for HOSTNAME and all virtualDomain

* Generate new DKIM data only if keys do not exist yet

* disabled opendkim.conf settings for single domain, added KeyTable,SigningTable,ExternalIgnoreList,InternalHosts

* Correct permissions of DKIM files regardless of prior creation

* Added test for multiple domains and DKIM. Ready for #88

* Updated README on DKIM for multiple domains

* Fixed indentation on entrypoint

* Fixed wrong indentation (style)

* Cleaner handling of multiple DKIM keys. No settings required. Renders #83 redundant

* Making sure we never insert the same config twice #89

* Forgot one last mention of SMF_DKIM_ALL

* Better tld naming for DKIM in README

Co-authored-by: Peeter N <petslane@users.noreply.github.com>

* DKIM test no longer changes working directory

Co-authored-by: Peeter N <petslane@users.noreply.github.com>

* More elegant generation of DKIM entries for HOSTNAME and virtual domains

* Correct switch to suppress grep complaints when files are missing

* Update VERSION

* Strips sender details (IP, client, user agent) when sending (#91)

* Strips sender's IP, client, and user agent headers

* Bumping patch version number

* Allow for setting any Postfix variables in the config file (both main.cf and master.cf) (#93)

* Strips sender's IP, client, and user agent headers

* Bumping patch version number

* SMF_POSTFIXMAIN_* to set custom postfix main.cf entries

* SMF_POSTFIXMASTER_* to set custom postfix master.cf entries

* Using sed to handle master.cf custom variables

* README.md explains env variables for custom main.cf and master.cf

* Tests for custom main.cf and master.cf

* Fixes #92

* Simplify docker run command with SMF_CONFIG

* v1.4.3 (#94)

* Add VERSION & Update README.md (#94)

* fix ignore

* 1.4.4

* add v1.4 changelog

* clean

* show version

* 1.4.5

* layout

* Update configuration after variables has been injected to the main configuration (#98)

* Add an option to override postfix's default logging configuration

* Add tests

* Update README.md

* push to build

* fix overwriting variable

* update with postfix-configuration

* delete drone for pull request

Co-authored-by: Tamaro Skaljic <49238587+tamaro-skaljic@users.noreply.github.com>

* Add an option to override postfix's default logging configuration (#97)

* Add an option to override postfix's default logging configuration

* Add tests

* Update README.md

* v1.4.6

* Change Postfix logging configuration tests behaviour (#99)

* fix default postfix logging configuration test

* Change logfile path in custom postfix logging configuration test

* Make postfix logging configuration tests restore the preconditions

* start PostSRSd and generate Secret

* start PostSRSd and generate Secret

* start PostSRSd if  is set

* start PostSRSd if  is set

* only start PostSRSd if  is set

* only start PostSRSd if  is set

* Updated README.md

* Updated README.md

* spelling...

* spelling...

* Updated the if-statement for PostSRSd

* Updated the if-statement for PostSRSd

Co-authored-by: Martijn Rondeel <martijn@rondeel.email>
Co-authored-by: Huan LI <zixia@zixia.net>
Co-authored-by: Chris Blake <chrisrblake93@gmail.com>
Co-authored-by: universeroc <universeroc@gmail.com>
Co-authored-by: Paweł Czochański <czochanski@gmail.com>
Co-authored-by: me1299 <50422731+me1299@users.noreply.github.com>
Co-authored-by: David Gonzalez <davidgg666@gmail.com>
Co-authored-by: Choon-Siang Lai <mycyberpet@yahoo.com>
Co-authored-by: Bailey <bailey.riezebos@gmail.com>
Co-authored-by: Peeter N <petslane@users.noreply.github.com>
Co-authored-by: Daniel Graziotin <daniel.graziotin@iste.uni-stuttgart.de>
Co-authored-by: Daniel Graziotin <daniel@ineed.coffee>
Co-authored-by: Cenk Kılıç <cenk1cenk2cenk3@gmail.com>
Co-authored-by: Tamaro Skaljic <49238587+tamaro-skaljic@users.noreply.github.com>
Co-authored-by: Linux User <harato@alpine.members.linode.com>