<pre style='margin:0'>
Renee Otten (reneeotten) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/34c05378fda3877a5ea9ac4610c5a547914c9140">https://github.com/macports/macports-ports/commit/34c05378fda3877a5ea9ac4610c5a547914c9140</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new 34c05378fda mail-server: Provide TLS update notes and instructions
</span>34c05378fda is described below
<span style='display:block; white-space:pre;color:#808000;'>commit 34c05378fda3877a5ea9ac4610c5a547914c9140
</span>Author: Steven Thomas Smith <s.t.smith@ieee.org>
AuthorDate: Wed Mar 31 21:22:05 2021 -0400
<span style='display:block; white-space:pre;color:#404040;'> mail-server: Provide TLS update notes and instructions
</span>---
mail/mail-server/Portfile | 66 +++++++++++++---------
.../files/prefix/etc/dovecot/conf.d/10-ssl.conf | 55 ++++++++++++++----
mail/mail-server/files/prefix/etc/postfix/main.cf | 50 ++++++++++++++--
3 files changed, 128 insertions(+), 43 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/Portfile b/mail/mail-server/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index edb35603ded..d0623a44957 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/mail/mail-server/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -4,8 +4,8 @@ PortSystem 1.0
</span> PortGroup active_variants 1.1
name mail-server
<span style='display:block; white-space:pre;background:#ffe0e0;'>-version 1.2
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-revision 3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+version 1.3
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+revision 0
</span> categories mail net
platforms darwin
supported_archs noarch
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -15,12 +15,15 @@ distfiles
</span>
description Mail server configuration
<span style='display:block; white-space:pre;background:#ffe0e0;'>-long_description Mail server working configuration that provides a basic, working,\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- easily modifiable mail server. The configuration is built using\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- postfix for the MTA, dovecot for the MDA, solr for fast search,\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- rspamd for a milter, and clamav for email virus scans. The\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- configuration includes a surrogate TLS certificate, DKIM, and\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- Apple Push Notification Service (APNS) capability for iOS devices.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+long_description Mail server working configuration that \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ provides a basic, working, easily modifiable \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ mail server. The configuration is built using \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ postfix for the MTA, dovecot for the MDA, solr \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for fast search, rspamd for a milter, and \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ clamav for email virus scans. The \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configuration includes a surrogate TLS \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ certificate, DKIM, and Apple Push Notification \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Service (APNS) capability for iOS devices.
</span>
homepage https://www.postfix.org/
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -47,10 +50,10 @@ depends_lib-append port:apache-solr8 \
</span> depends_run-append port:clamav-server
variant initialize_always \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- description {Always initialize all configuration files. Intended\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- for development and troubleshooting only. Working deployments\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- must disable this variant to prevent configuration files\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- being overwritten at the next upgrade. Existing configuration\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ description {Always initialize all configuration files. Intended \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for development and troubleshooting only. Working deployments \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ must disable this variant to prevent configuration files \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ being overwritten at the next upgrade. Existing configuration \
</span> files are not overwritten by default.} {
ui_warn \
"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -62,7 +65,7 @@ variant initialize_always \
</span>
variant logrotate \
description {Use mail-server logrotate configuration.} {
<span style='display:block; white-space:pre;background:#ffe0e0;'>- depends_lib-append port:logrotate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ depends_lib-append port:logrotate
</span> }
use_configure no
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -869,18 +872,18 @@ if { [variant_isset "logrotate"] } {
</span> executable ${prefix}/sbin/logrotate
}
<span style='display:block; white-space:pre;background:#ffe0e0;'>-notes "A mail server is a complex, interdependent set of tools that must\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+notes "A mail server is a complex, interdependent set of tools that must \
</span> all be configured correctly to provide secure, reliable email.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-Users must reconfigure this installation for their own system, network,\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-and security model specifics by editing all necessary files and checking\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Users must reconfigure this installation for their own system, network, \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+and security model specifics by editing all necessary files and checking \
</span> file permissions. A subset of these settings are visible in the files:
port contents mail-server
port file mail-server
<span style='display:block; white-space:pre;background:#ffe0e0;'>-Full deployment also requires a working DNS configuration on both the LAN\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-and the internet, including SPF and DKIM records, trusted TLS certificates,\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Full deployment also requires a working DNS configuration on both the LAN \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+and the internet, including SPF and DKIM records, trusted TLS certificates, \
</span> port forwarding, possibly a mail replay, and more.
Postfix and dovecot must be installed with these variants:
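Review bot: the retained context line `port forwarding, possibly a mail replay, and more.` reads as a typo for "mail relay"; since this paragraph of the user-facing notes is being reflowed anyway, fix it in the same hunk, and make `A subset of these settings are visible in the files:` agree in number (`is visible`).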
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -917,7 +920,7 @@ These are the locations and network settings for the default configuration:
</span> Spam/Ham training (default behavior):
Move/Copy email to the folders Spam_train or Notspam_train.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-The configuration also includes a surrogate TLS certificate and DKIM settings\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+The configuration also includes a surrogate TLS certificate and DKIM settings \
</span> that must be changed before deployment.
TLS:
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -926,17 +929,17 @@ that must be changed before deployment.
</span> DKIM:
${prefix}/var/lib/rspamd/dkim
<span style='display:block; white-space:pre;background:#ffe0e0;'>-The ports dns-server provide necessary DNS service on the LAN; variant\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+The ports dns-server provide necessary DNS service on the LAN; variant \
</span> +logrotate provides log rotation capabilities:
sudo port install dns-server
sudo port install mail-server +logrotate
<span style='display:block; white-space:pre;background:#ffe0e0;'>-This port assume indepedent installation and management of DNS and\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-log rotation; mail-server includes example logrotate configuration files\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+This port assume indepedent installation and management of DNS and \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+log rotation; mail-server includes example logrotate configuration files \
</span> and a logroate launchdaemon.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-The port's launch daemon controls launching for each of the dependendent\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+The port's launch daemon controls launching for each of the dependendent \
</span> services. These may be controlled independently, e.g.
sudo port load clamav-server
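Review bot: the reflowed lines carry existing typos into the notes that every user of the port sees on install: `This port assume indepedent installation` should read `This port assumes independent installation`, `dependendent` should be `dependent`, and the adjacent context line `and a logroate launchdaemon.` should say `logrotate`. Also `The ports dns-server provide` names a single port and should be `The port dns-server provides`.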
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -952,6 +955,15 @@ and if installed independently,
</span> sudo port load dns-server
sudo port load logrotate
<span style='display:block; white-space:pre;background:#e0ffe0;'>+TLS certificate updates must be included in mail-server dovecot's \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+conf.d/10-ssl.conf, postfix's master.cf, and, if installed, \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+calendar-contacts-server's proxy nginx.conf. Instructions are \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+included as comments in:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo vi ${prefix}/etc/dovecot/conf.d/10-ssl.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo vi ${prefix}/etc/postfix/main.cf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sudo vi ${prefix}/var/calendarserver/Library/CalendarServer/etc/nginx.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> References:
* http://www.postfix.org/documentation.html
* https://wiki.dovecot.org/
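Review bot: the new notes say certificate updates go in `postfix's master.cf`, but the command list directly below edits `${prefix}/etc/postfix/main.cf`, and main.cf is where `smtpd_tls_chain_files` is set in this same commit; change `master.cf` to `main.cf` so users are not sent to the wrong file. The nginx.conf line is listed unconditionally while the sentence says "if installed"; consider annotating that command as applying only when calendar-contacts-server is present.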
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -960,8 +972,8 @@ and if installed independently,
</span> * _The Book of Postfix_, by Patrick Koetter and Ralf Hildebrandt
Known issues:
<span style='display:block; white-space:pre;background:#ffe0e0;'>- * The Postfix service does not reliably start after reboot,\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- presumably due to an issue with launchd. A workaround\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * The Postfix service does not reliably start after reboot, \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ presumably due to an issue with launchd. A workaround \
</span> after rebooting is to issue the commands:
sudo port unload postfix ; sleep 5 ; sudo port load postfix"
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -972,8 +984,8 @@ if { [variant_isset "initialize_always"] } {
</span> notes-append ""
}
notes-append \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- "The variant +initialize_always is set, which initializes\
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- all configuration files. Please disable this variant for\
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "The variant +initialize_always is set, which initializes \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ all configuration files. Please disable this variant for \
</span> working deployments."
}
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf
</span><span style='display:block; white-space:pre;color:#808080;'>index 10922700b52..68ced75e0df 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/dovecot/conf.d/10-ssl.conf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -33,17 +33,50 @@ ssl_cert = <@PREFIX@/etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.c
</span> # Note: This key is managed by Server Admin. See above before making changes
ssl_key = <@PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.decrypted
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server v.5.8 encrypts the .key.pem files. The passwords are in
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# Keychain Access.app under the cert's SHA-1 as the Account. Save this
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# password securely for dovecot:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# sudo mkdir /etc/certificates/private
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# sudo chmod 700 /etc/certificates/private
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# sudo mv @host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.passphrase /etc/certificates/private
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# sudo chmod -R go-rwx /etc/certificates/private
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# `ssl_key_password` wasn't working on my install, so put the decrypted key in /etc/certificates/private
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# sudo openssl rsa -in /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem -out /etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.decrypted
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# sudo chmod -R go-rwx /etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To use macOS Server v5.10 generated certificates:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0. Identify the file that looks like @host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and verify its issue date and issuer "* Intermediate CA" with:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ ls /etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ openssl x509 -inform pem -in /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem -text -noout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ openssl x509 -noout -fingerprint -sha1 -inform pem -in openssl x509 -noout -fingerprint -sha1 -inform pem -in /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem | tr -d ':' | sed -e 's|^SHA1 Fingerprint=||' | tr -d ':' | sed -e 's|^SHA1 Fingerprint=||'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this SHA1 to obtain the passphraphse for this certificate's private key from:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Keychain Access.app> System> Search for this SHA1>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Double-click "Mac OS X Server certificate management"> Show password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1. Create a secure storage for this passphrase and desctrypted key:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo mkdir -p @PREFIX@/etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo chmod 0700 @PREFIX@/etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo vi @PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.passphrase /etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo chmod -R go-rwx @PREFIX@/etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# `ssl_key_password` wasn't working on my install, so put the decrypted key in @PREFIX@/etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo openssl rsa -in /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem -out @PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.decrypted -passin file:@PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.passphrase
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo chmod -R go-rwx @PREFIX@/etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2. Link to the existing TLS chain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem @PREFIX@/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem @PREFIX@/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.chain.pem @PREFIX@/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.concat.pem @PREFIX@/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3. Confirm restricted permissions:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ ls -l @PREFIX@/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo ls -l @PREFIX@/etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4. Finally, reconfigure dovecot's conf.d/10-ssl.conf, postfix's master.cf,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and, if installed, calendar-contacts-server's proxy nginx.conf:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo vi @PREFIX@/etc/dovecot/conf.d/10-ssl.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo vi @PREFIX@/etc/postfix/main.cf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo vi @PREFIX@/var/calendarserver/Library/CalendarServer/etc/nginx.conf
</span>
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
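Review bot: the fingerprint command in step 0 is garbled and cannot run as written: `# $ openssl x509 -noout -fingerprint -sha1 -inform pem -in openssl x509 -noout -fingerprint -sha1 -inform pem -in /etc/certificates/...` repeats the whole command, so `-in` receives the literal word `openssl`, and the `| tr -d ':' | sed -e 's|^SHA1 Fingerprint=||'` tail is duplicated as well; reduce it to a single `openssl x509 -noout -fingerprint -sha1 -inform pem -in <cert> | tr -d ':' | sed -e 's|^SHA1 Fingerprint=||'`. In step 1, `# $ sudo vi @PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.passphrase /etc/certificates/private` still carries the destination argument from the old `mv` command and would open two files; drop the trailing path. Step 4 says `postfix's master.cf` but the command edits `main.cf`. Typos: `passphraphse`, `desctrypted`. Since both the plaintext passphrase file and the decrypted key now persist on disk, the step 3 permission check is load-bearing; running `umask 077` before the `vi` and `openssl rsa -out` commands would avoid the brief window in which those files are created with default permissions before `chmod -R go-rwx` runs.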
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/mail/mail-server/files/prefix/etc/postfix/main.cf b/mail/mail-server/files/prefix/etc/postfix/main.cf
</span><span style='display:block; white-space:pre;color:#808080;'>index adf252fe11d..e0797539432 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/mail/mail-server/files/prefix/etc/postfix/main.cf
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/mail/mail-server/files/prefix/etc/postfix/main.cf
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -887,11 +887,51 @@ recipient_delimiter = +
</span>
# PKI for Client (smtp) and Server (smtpd)
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# macOS Server.app v.5.8 creates a symbolic link `default_certificate` to the RSA certificate
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# it creates, which will be a PEM names hostname.domainname.<SHA-1 40 hex-digit fingerprint>.cert.pem
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# Double-check the fingerprints of certificates in Keychain Access.app, and double-check the fingerprint
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# of the certificate itself with the OpenSSL command:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# openssl x509 -noout -fingerprint -sha1 -inform pem -in <cert filename>.cert.pem | tr -d ':'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# To use macOS Server v5.10 generated certificates:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 0. Identify the file that looks like @host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and verify its issue date and issuer "* Intermediate CA" with:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ ls /etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ openssl x509 -inform pem -in /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem -text -noout
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ openssl x509 -noout -fingerprint -sha1 -inform pem -in openssl x509 -noout -fingerprint -sha1 -inform pem -in /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem | tr -d ':' | sed -e 's|^SHA1 Fingerprint=||' | tr -d ':' | sed -e 's|^SHA1 Fingerprint=||'
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this SHA1 to obtain the passphraphse for this certificate's private key from:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Keychain Access.app> System> Search for this SHA1>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Double-click "Mac OS X Server certificate management"> Show password
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 1. Create a secure storage for this passphrase and desctrypted key:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo mkdir -p @PREFIX@/etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo chmod 0700 @PREFIX@/etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo vi @PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.passphrase /etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo chmod -R go-rwx @PREFIX@/etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# `ssl_key_password` wasn't working on my install, so put the decrypted key in @PREFIX@/etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo openssl rsa -in /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem -out @PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.decrypted -passin file:@PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.passphrase
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo chmod -R go-rwx @PREFIX@/etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 2. Link to the existing TLS chain.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.cert.pem @PREFIX@/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem @PREFIX@/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.chain.pem @PREFIX@/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo ln -s /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.concat.pem @PREFIX@/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 3. Confirm restricted permissions:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ ls -l @PREFIX@/etc/certificates
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo ls -l @PREFIX@/etc/certificates/private
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 4. Finally, reconfigure dovecot's conf.d/10-ssl.conf, postfix's master.cf,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and, if installed, calendar-contacts-server's proxy nginx.conf:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo vi @PREFIX@/etc/dovecot/conf.d/10-ssl.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo vi @PREFIX@/etc/postfix/main.cf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# $ sudo vi @PREFIX@/var/calendarserver/Library/CalendarServer/etc/nginx.conf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> # Enter the filenames directly (not the `default_certificate` link) because key files are also necessary
smtpd_tls_chain_files = @PREFIX@/etc/certificates/private/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.key.pem.decrypted /etc/certificates/@host@.@domain@.@tld@.@CERTIFICATE_SHA1@.chain.pem
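Review bot: this comment block is a verbatim copy of the one added to dovecot's conf.d/10-ssl.conf, so it inherits the same defects (the doubled `openssl x509 -noout -fingerprint -sha1` command in step 0, the stray `/etc/certificates/private` argument on the `sudo vi` line in step 1, `master.cf` where `main.cf` is meant in step 4, and the `passphraphse` and `desctrypted` typos), and it also keeps the line about `ssl_key_password`, which is a dovecot setting with no meaning in Postfix's main.cf. Keep one copy of the procedure in 10-ssl.conf and point to it from here, and restore a short explanation of `default_certificate`, since the retained context line `# Enter the filenames directly (not the `default_certificate` link) because key files are also necessary` now refers to a symlink that only the removed lines described.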
</pre><pre style='margin:0'>
</pre>