install/mailsystem
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: install:74702b3d4175911fdf69ec9d9dbf97e81699ac40
Branches Tags
install:master
..
compare: install:master
Branches Tags
install:master

37 Commits
74702b3d41 ... master

Author SHA1 Message Date
Christoph
b99844c1b5 install_postfixadmin.sh: remove space.. 2026-02-18 18:53:38 +01:00
Christoph
691c34fa18 Merge branch 'master' of https://git.oopen.de/install/mailsystem 2026-02-18 18:48:01 +01:00
Christoph
1ca6031fea install_postfixadmin.sh: fix error determin PFA configuration file. 2026-02-18 18:47:25 +01:00
Christoph
8234254094 Merge branch 'master' of git.oopen.de:install/mailsystem 2026-02-18 12:38:47 +01:00
Christoph
afff836253 install_postfix_advanced.sh: comment entries '127.0.0.1:10040_time_limit=3600' and 'policyd-spf_time_limit=3600'. 2026-02-18 12:38:33 +01:00
Christoph
7c05201520 install_postfix_advanced.sh: some changes of 'main.cf' in case of relay host only. 2026-02-18 01:48:45 +01:00
Christoph
0674fb1231 install_amavis.sh: fix entering procedure of variable 'SASL_AUTH_ENABLED'. 2026-02-18 01:33:55 +01:00
Christoph
32980f67de install_postfix_advanced.sh: fix handling of additional smtp port. 2026-02-18 01:32:08 +01:00
Christoph
7b9a6f52ca install_postfix_advanced.sh: add support for parameter 'smtpd_tls_eccert_file'. 2026-02-16 14:38:21 +01:00
Christoph
5a8280b767 install_amavis.sh: in any case, IS_SYMPA_LIST_SERVER must be set to false except server ist a sympa listmanager. 2026-02-16 14:01:12 +01:00
Christoph
7c99515e72 install_postfix_advanced.sh: some minor changes. 2026-02-16 13:32:21 +01:00
Christoph Kuchenbuch
ef963e89fc install_amavis.sh: separate amavis inbound (port 10024) amd outbound (10029) in case of sympa listserver or 'only relay' server. 2026-02-16 00:17:56 +01:00
Christoph Kuchenbuch
654e5738d4 install_postfix_advanced.sh: fix error - forgot 'fi'.. 2026-02-16 00:15:57 +01:00
Christoph Kuchenbuch
6356876ab6 Change some settings, if Server is a listserver. 2026-02-15 14:37:19 +01:00
Christoph Kuchenbuch
ee892a6b33 Add script 'set-policyd-spf-config-for-listserver.sh' - More relaxed settings for Listenserver. 2026-02-15 14:36:21 +01:00
Christoph
7741803f71 install_amavis.sh: fix some error writing file '50-user'. 2026-02-13 23:46:22 +01:00
Christoph
da1867ef91 install_amavis.sh: some minor changes.. 2026-02-13 22:47:16 +01:00
Christoph
8dc105be68 install_amavis.sh: port 25 (smtp/inbound) → Amavis 10024 (NOT ORIGINATING); submission/smtps (outbound) → Amavis 10026 (ORIGINATING). 2026-02-13 21:50:15 +01:00
Christoph
6bc490bfc1 add script 'set_amavis_local_domains_maps.sh'. 2026-02-13 21:43:42 +01:00
Christoph
c6c6491ce0 install_postfix_advanced.sh: remove some commented lines written to master.cf file. 2026-02-13 15:02:45 +01:00
Christoph
abb2941e4b install_postfix_advanced.sh: fix error checcking if 'policy-spf' is already present in master.cf file. 2026-02-13 14:59:58 +01:00
Christoph
6d516ed25a install_postfix_advanced.sh: remove depredated parameter 'permit_mx_backup'. 2026-02-11 21:20:00 +01:00
Christoph
c6909c937d Merge branch 'master' of git.oopen.de:install/mailsystem 2026-02-11 21:17:33 +01:00
Christoph
9708c595c4 install_update_dovecot.conf.sample: fix parameter 'cert_base_dir'. 2026-02-11 21:16:37 +01:00
Christoph
9c52e54182 install_postfixadmin.sh: configuration file at version 4.x is 'config.local.php'. 2026-02-11 00:47:05 +01:00
Christoph
849cbfa2e4 install_postfixadmin.sh: some minor changes. 2026-02-10 23:58:58 +01:00
Christoph
0a51e44b93 install_amavis.sh: some minor changes.. 2026-02-10 15:27:39 +01:00
Christoph Kuchenbuch
16618f9949 install_opendmarc.sh: no opendmarc check on non_smtpd connections. 2026-02-10 15:02:05 +01:00
Christoph
b4b47d5a79 install_amavis.sh: keine milters auf localhost:10025. install_postfix_advanced.sh: kein OpenDmarc bei non_smtpd_milters. (DMARC ist eine Inbound-Policy-Prüfung, nicht sinnvoll für lokal/originating.) 2026-02-10 14:14:53 +01:00
Christoph
d1694bf3a4 install_postfix_advanced.sh: adjust '/etc/postfix/header_checks'. 2026-02-10 00:37:03 +01:00
Christoph
ee1e2d0b7e install_amavis.sh: add spamassassin rule for Null sender ( (Return-Path: <>). 2026-02-10 00:35:10 +01:00
Christoph
96a77260c3 Merge branch 'master' of https://git.oopen.de/install/mailsystem 2026-02-04 22:23:01 +01:00
Christoph
71be7f0754 install_update_dovecot.sh: relax/defuse systemd-hardening 2026-02-04 22:22:31 +01:00
Christoph
e82b464115 install_postfixadmin.sh: add support for versions 4.x 2026-02-04 21:08:22 +01:00
Christoph
7163b2dccf install_opendmarc.sh: fix errors in adjustin main.cf file. 2026-02-02 19:44:41 +01:00
Christoph
b39e6c8f22 install_opendkim.sh fix errors in adjustin main.cf file. 2026-02-02 19:44:20 +01:00
Christoph
119f0e172f install_postfix_advanced.sh: fix OpenDKIM/OpenDMARC handling. 2026-02-02 19:43:18 +01:00
9 changed files with 1584 additions and 449 deletions
Expand all files Collapse all files

2
conf/install_update_dovecot.conf.sample
View File

@@ -145,7 +145,7 @@ dbhost=""
# - Cert/Key configurations
# ---
cert_base_dir="/etc/postfix/ssl"
cert_base_dir="/etc/dovecot/ssl"
server_cert=${cert_base_dir}/mailserver.crt
server_key=${cert_base_dir}/mailserver.key
dh_pem_file="${cert_base_dir}/dh_4096.pem"

349
install_amavis.sh
View File

@@ -110,7 +110,8 @@ detect_os_1 () {
# --- Some default settings
# -------------
DEFAULT_SASL_AUTH_ENABLED="no"
DEFAULT_SASL_AUTH_ENABLED=false
DEFAULT_IS_SYMPA_LIST_SERVER=false
DEFAULT_QUARANTINE_DIR="/var/QUARANTINE"
DEFAULT_QUARANTINE_ADMIN='postmaster\@$mydomain'
@@ -187,7 +188,9 @@ if [[ -z "$_HOSTNAME" ]] ; then
[[ "$_HOSTNAME" = "$_HOSTNAME_SHORT" ]] && _HOSTNAME=""
fi
[[ -z "$_SASL_AUTH_ENABLED" ]] && _SASL_AUTH_ENABLED="$DEFAULT_SASL_AUTH_ENABLED"
[[ -z "$_SASL_AUTH_ENABLED" ]] && _SASL_AUTH_ENABLED=${DEFAULT_SASL_AUTH_ENABLED}
[[ -z "${_IS_SYMPA_LIST_SERVER}" ]] && _IS_SYMPA_LIST_SERVER=${DEFAULT_IS_SYMPA_LIST_SERVER}
[[ -z "$_QUARANTINE_DIR" ]] && _QUARANTINE_DIR="$DEFAULT_QUARANTINE_DIR"
@@ -375,9 +378,12 @@ SASL_AUTH_ENABLED=
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Should this mail server support Cyrus SASL authentication?"
echo "Should this mail server support Cyrus SASL authentication? [true/yes/false/no]"
echo ""
while [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]];do
while [[ "$SASL_AUTH_ENABLED" != "yes" &&
"$SASL_AUTH_ENABLED" != "true" &&
"$SASL_AUTH_ENABLED" != "no" &&
"$SASL_AUTH_ENABLED" != "false" ]];do
if [[ -n "$_SASL_AUTH_ENABLED" ]]; then
echononl "Support Cyrus SASL authentication [${_SASL_AUTH_ENABLED}]: "
@@ -390,13 +396,62 @@ while [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]];do
SASL_AUTH_ENABLED=${SASL_AUTH_ENABLED,,}
fi
if [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]] ; then
_SASL_AUTH_ENABLED=""
[[ -z "${SASL_AUTH_ENABLED}" ]] && SASL_AUTH_ENABLED=${_SASL_AUTH_ENABLED}
if [[ "$SASL_AUTH_ENABLED" != "yes" &&
"$SASL_AUTH_ENABLED" != "true" &&
"$SASL_AUTH_ENABLED" != "false" &&
"$SASL_AUTH_ENABLED" != "no" ]] ; then
SASL_AUTH_ENABLED=""
echo -e "\n\t\033[33m\033[1mWrong entry!\033[m\n Type 'yes' or 'no'"
fi
done
[[ "$SASL_AUTH_ENABLED" = "yes" ]] && SASL_AUTH_ENABLED=true
[[ "$SASL_AUTH_ENABLED" = "no" ]] && SASL_AUTH_ENABLED=false
if ! ${SASL_AUTH_ENABLED} ; then
IS_SYMPA_LIST_SERVER=""
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Are Sympa List Services provided? - [true/yes/false/no]"
echo ""
echononl "Sympa List Server? [$_IS_SYMPA_LIST_SERVER]: "
read IS_SYMPA_LIST_SERVER
if [[ -z "${IS_SYMPA_LIST_SERVER}" ]] ; then
IS_SYMPA_LIST_SERVER="$_IS_SYMPA_LIST_SERVER"
fi
IS_SYMPA_LIST_SERVER=${IS_SYMPA_LIST_SERVER,,}
while [[ "$IS_SYMPA_LIST_SERVER" != "yes" && \
"$IS_SYMPA_LIST_SERVER" != "true" && \
"$IS_SYMPA_LIST_SERVER" != "no" && \
"$IS_SYMPA_LIST_SERVER" != "false" ]]; do
echo -e "\n\t\033[33m\033[1mWrong value was given!!\033[m\n"
echononl "Sympa List Server? [$_IS_SYMPA_LIST_SERVER]: "
read IS_SYMPA_LIST_SERVER
if [[ -z "${IS_SYMPA_LIST_SERVER}" ]] ; then
IS_SYMPA_LIST_SERVER=false
fi
IS_SYMPA_LIST_SERVER=${IS_SYMPA_LIST_SERVER,,}
done
if [[ "$IS_SYMPA_LIST_SERVER" = 'yes' || "$IS_SYMPA_LIST_SERVER" = 'true' ]] ; then
IS_SYMPA_LIST_SERVER=true
else
IS_SYMPA_LIST_SERVER=false
fi
else
IS_SYMPA_LIST_SERVER=false
fi
echo ""
@@ -704,7 +759,6 @@ else
fi
if ! $DB_IN_USE ; then
echo -e "[3] \033[37m\033[1mSkip (No Database in use)\033[m"
_DB_TYPE="None"
else
echo "[3] Skip (No Database in use)"
fi
@@ -855,6 +909,7 @@ echo -e "\tIPv4 address...........................: $IPV4"
echo -e "\tIPv6 address...........................: $IPV6"
echo ""
echo -e "\tSASL AUTH support......................: $SASL_AUTH_ENABLED"
echo -e "\tSupport sympa mailinglists.............: ${IS_SYMPA_LIST_SERVER}"
echo ""
echo -e "\tQuarantine Directory ..................: $QUARANTINE_DIR"
echo ""
@@ -906,6 +961,7 @@ _IPV4=$IPV4
_IPV6=$IPV6
_SASL_AUTH_ENABLED=$SASL_AUTH_ENABLED
_IS_SYMPA_LIST_SERVER=${IS_SYMPA_LIST_SERVER}
_QUARANTINE_DIR=$QUARANTINE_DIR
_QUARANTINE_ADMIN=$QUARANTINE_ADMIN
@@ -2257,6 +2313,45 @@ if ! $installation_failed ; then
fi
fi
# Create /etc/spamassassin/99_nullsender.cf
#
# Spamassassin Regeln für Nullsender (Return-Path: <>)
#
# Problem:
# echte DSNs haben ebenfalls Return-Path: <>
#
# Aber:
# Echte DSNs sind i.d.R. multipart/report (delivery-status)
#
echononl " Create file \"/etc/spamassassin/99_nullsender.cf\".."
cat <<'EOF' > /etc/spamassassin/99_nullsender.cf 2> $tmp_err_msg
########################################################################
# Null-sender (Return-Path: <>) Behandlung
# Ziel: Fake-Bounces markieren, echte DSNs nicht treffen
########################################################################
# 1) Null-Envelope-From erkannt
header LOCAL_NULL_SENDER Return-Path =~ /^<>$/i
describe LOCAL_NULL_SENDER Null envelope-from (Return-Path <>)
score LOCAL_NULL_SENDER 0.1
# 2) Echte DSNs sind i.d.R. multipart/report (delivery-status)
header LOCAL_DSN_MULTIPART Content-Type =~ /^multipart\/report\b/i
describe LOCAL_DSN_MULTIPART Looks like a real DSN (multipart/report)
score LOCAL_DSN_MULTIPART -3.0
# 3) Fake-Bounce: Null-sender, aber NICHT multipart/report
meta LOCAL_NULL_NOT_DSN LOCAL_NULL_SENDER && !LOCAL_DSN_MULTIPART
describe LOCAL_NULL_NOT_DSN Null-sender but not a DSN (likely fake bounce spam)
score LOCAL_NULL_NOT_DSN 6.0
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
# - Enable nightly cronjob for spamassassin
# -
@@ -3260,6 +3355,18 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
warn "command was:
git clone https://github.com/extremeshok/clamav-unofficial-sigs.git /tmp/clamav-unofficial-sigs"
echononl "continue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
fi
if ! $installation_failed ; then
echo_ok
@@ -4159,10 +4266,49 @@ use strict;
# !! smtpd_proxy_filter - see master.cf !!
#
#
#\$inet_socket_port = [10024, 10026];
EOF
if ${SASL_AUTH_ENABLED} ; then
cat << EOF >> "${_config_file}"
\$inet_socket_port = [10024, 10026];
#\$inet_socket_port = [10024, 10029];
#\$inet_socket_port = [10024, 10026, 10029];
\$interface_policy{'10026'} = 'ORIGINATING';
\$policy_bank{'ORIGINATING'} = {
originating => 1, # declare that mail was submitted by our smtp client
bypass_spam_checks_maps => (1),
bypass_virus_checks_maps => (0),
remove_existing_spam_headers => 1,
};
EOF
else
cat << EOF >> "${_config_file}"
#\$inet_socket_port = [10024, 10026];
\$inet_socket_port = [10024, 10029];
#\$inet_socket_port = [10024, 10026, 10029];
\$interface_policy{'10024'} = 'INBOUND';
\$interface_policy{'10029'} = 'VIRUSONLY';
# Inbound: Spam + Virus
\$policy_bank{'INBOUND'} = { };
# Outbound: nur Virus
\$policy_bank{'VIRUSONLY'} = {
bypass_spam_checks_maps => [1],
bypass_header_checks_maps => [1],
final_spam_destiny => D_PASS,
originating => 1,
};
EOF
fi
cat << EOF >> "${_config_file}"
# Bypass spam checking fro trusted networks
#
#\$interface_policy{'10026'} = 'TRUSTED';
@@ -4278,7 +4424,8 @@ read_hash(\%whitelist_sender, '/etc/postfix/sender_whitelist');
# Spam-Schwellwerte
# ----------------------------------------------------------
\$sa_tag_level_deflt = 1.9; # ab hier Info-Header
#\$sa_tag_level_deflt = 1.9; # ab hier Info-Header
\$sa_tag_level_deflt = -999; # immer header schreiben (Debug-freundlich)
\$sa_tag2_level_deflt = 5.1; # ab hier X-Spam-Flag: YES
\$sa_kill_level_deflt = 9.51; # high-spam - final destiny (DISCARD)
\$sa_dsn_cutoff_level = 20.1; # ab hier keine DSN mehr
@@ -4376,15 +4523,99 @@ if (-r \$policy_banks_file) {
## - it which domains are local using the @local_domains_maps variable,
## - which by default is set to the value of \$mydomain & its subdomains:
## -
#@local_domains_maps = ( ["."] );
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
fi
## - get rid of "Open Relay" warnings in amavis logfile.
## -
\$interface_policy{'10024'} = 'ORIGINATING';
\$policy_bank{'ORIGINATING'} = {
originating => 1, # declare that mail was submitted by our smtp client
};
if [[ "${DB_TYPE}" = "PostgreSQL" ]] || \
[[ "${DB_TYPE}" = "MySQL" ]] && \
! ${IS_SYMPA_LIST_SERVER}; then
if [[ "$DB_TYPE" = "PostgreSQL" ]]; then
_db="pgsql"
else
_db="mysql"
fi
cat >> /etc/amavis/conf.d/50-user <<EOF
@local_domains_maps = (
[qw(${HOSTNAME} localhost)],
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
fi
if [[ -f "/etc/postfix/${_db}_virtual_domains_maps.cf" ]]; then
cat >> /etc/amavis/conf.d/50-user <<EOF
# Domains, die als virtuelle Mailbox-Domains gehostet sind:
'${_db}:/etc/postfix/${_db}_virtual_domains_maps.cf',
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
fi
fi
if [[ -f "/etc/postfix/${_db}_relay-domain-maps.cf" ]]; then
cat >> /etc/amavis/conf.d/50-user <<EOF
# Domains, die als Relay Domains akzeptiert werden:
'${_db}:/etc/postfix/${_db}_relay-domain-maps.cf',
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
fi
fi
if grep -iq -E "^\s*btree:/etc/postfix/relay_domains" "/etc/postfix/main.cf" > /dev/null 2>&1 ; then
cat >> /etc/amavis/conf.d/50-user <<EOF
# weiter Domains, die als Relay Domains akzeptiert werden
'btree:/etc/postfix/relay_domains',
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
fi
fi
cat >> /etc/amavis/conf.d/50-user <<EOF
);
EOF
else
cat >> /etc/amavis/conf.d/50-user <<'EOF'
@local_domains_maps = ( ["."] );
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
fi
fi
cat >> /etc/amavis/conf.d/50-user <<EOF
## - If you get am error like:
## -
@@ -4396,6 +4627,7 @@ if (-r \$policy_banks_file) {
#\$inet_socket_bind = undef;
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
@@ -4403,33 +4635,42 @@ fi
if [[ "$DB_TYPE" = "PostgreSQL" ]]; then
cat >> /etc/amavis/conf.d/50-user <<EOF
if [[ -n "${DB_NAME}" ]] && [[ -n "${DB_HOST}" ]] && [[ -n "${DB_USER}" ]] && [[ -n "${DB_PASS}" ]] ; then
cat >> /etc/amavis/conf.d/50-user <<EOF
## - lookup for local domains in PostgreSQL database
## -
@lookup_sql_dsn = (
['DBI:Pg:database=${DB_NAME};host=${DB_HOST}', '$DB_USER', '$DB_PASS']
);
\$sql_select_policy = 'SELECT \\'Y\\' AS local FROM domain WHERE \\'@\\' || domain IN (%k);';
#@lookup_sql_dsn = (
# ['DBI:Pg:database=${DB_NAME};host=${DB_HOST}', '$DB_USER', '$DB_PASS']
#);
#\$sql_select_policy = 'SELECT \\'Y\\' AS local FROM domain WHERE \\'@\\' || domain IN (%k);';
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
fi
fi
elif [[ "$DB_TYPE" = "MySQL" ]];then
cat >> /etc/amavis/conf.d/50-user <<EOF
if [[ -n "${DB_NAME}" ]] && [[ -n "${DB_HOST}" ]] && [[ -n "${DB_USER}" ]] && [[ -n "${DB_PASS}" ]] ; then
cat >> /etc/amavis/conf.d/50-user <<EOF
## - lookup for local domains in MySQL database
## -
@lookup_sql_dsn = (
['DBI:mysql:database=${DB_NAME};host=${DB_HOST}', '$DB_USER', '$DB_PASS']
);
\$sql_select_policy = 'SELECT "Y" AS local FROM domain WHERE CONCAT("@", domain) IN (%k)';
#@lookup_sql_dsn = (
# ['DBI:mysql:database=${DB_NAME};host=${DB_HOST}', '$DB_USER', '$DB_PASS']
#);
#\$sql_select_policy = 'SELECT "Y" AS local FROM domain WHERE CONCAT("@", domain) IN (%k)';
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
fi
fi
fi
@@ -4957,6 +5198,7 @@ fi
## - localhost:10025 inet n - y - - smtpd
## - -o content_filter=
## - -o smtpd_proxy_filter=
## - -o smtpd_milters=
## - -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
## - -o smtpd_client_restrictions=
## - -o smtpd_helo_restrictions=
@@ -5020,7 +5262,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
smtp inet n - y - - smtpd
-o content_filter=amavisfeed:[127.0.0.1]:10024
EOF
if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
if ! ${SASL_AUTH_ENABLED} ; then
cat >> $postfix_master_cf << EOF
-o smtpd_sasl_auth_enable=no
EOF
@@ -5031,6 +5273,8 @@ EOF
localhost:10025 inet n - y - - smtpd
-o content_filter=
-o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
@@ -5039,15 +5283,6 @@ localhost:10025 inet n - y - - smtpd
-o smtpd_data_restrictions=
-o mynetworks=127.0.0.0/8,[::1]/128
-o receive_override_options=no_unknown_recipient_checks
EOF
if [[-n "$(which opendmarc)" ]] ; then
cat >> $postfix_master_cf << EOF
# IMPORTANT: no opendmarc here!
#-o smtpd_milters=local:/opendmarc/opendmarc.sock
EOF
fi
cat >> $postfix_master_cf << EOF
#-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32
EOF
fi
@@ -5061,7 +5296,7 @@ EOF
${additional_smtp_port} inet n - y - - smtpd
-o content_filter=amavisfeed:[127.0.0.1]:10024
EOF
if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
if ! ${SASL_AUTH_ENABLED} ; then
cat >> $postfix_master_cf << EOF
-o smtpd_sasl_auth_enable=no
EOF
@@ -5076,7 +5311,7 @@ EOF
_found=true
cat >> $postfix_master_cf << EOF
submission inet n - y - 20 smtpd
-o content_filter=amavisfeed:[127.0.0.1]:10024
-o content_filter=amavisfeed:[127.0.0.1]:10026
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
@@ -5093,6 +5328,8 @@ EOF
localhost:10025 inet n - y - - smtpd
-o content_filter=
-o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
@@ -5102,12 +5339,6 @@ localhost:10025 inet n - y - - smtpd
-o mynetworks=127.0.0.0/8,[::1]/128
-o receive_override_options=no_unknown_recipient_checks
EOF
if [[ -n "$(which opendmarc)" ]] ; then
cat >> $postfix_master_cf << EOF
# IMPORTANT: no opendmarc here!
#-o smtpd_milters=local:/opendmarc/opendmarc.sock
EOF
fi
fi
if ! $amavisfeed_present ; then
@@ -5128,7 +5359,7 @@ EOF
_found=true
cat >> $postfix_master_cf << EOF
smtps inet n - y - - smtpd
-o content_filter=amavisfeed:[127.0.0.1]:10024
-o content_filter=amavisfeed:[127.0.0.1]:10026
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
@@ -5145,6 +5376,8 @@ EOF
localhost:10025 inet n - y - - smtpd
-o content_filter=
-o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
@@ -5154,12 +5387,6 @@ localhost:10025 inet n - y - - smtpd
-o mynetworks=127.0.0.0/8,[::1]/128
-o receive_override_options=no_unknown_recipient_checks
EOF
if [[ -n "$(which opendmarc)" ]] ; then
cat >> $postfix_master_cf << EOF
# IMPORTANT: no opendmarc here!
#-o smtpd_milters=local:/opendmarc/opendmarc.sock
EOF
fi
fi
if ! $amavisfeed_present ; then
@@ -5181,6 +5408,8 @@ EOF
localhost:10025 inet n - y - - smtpd
-o content_filter=
-o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
@@ -5190,12 +5419,6 @@ localhost:10025 inet n - y - - smtpd
-o mynetworks=127.0.0.0/8,[::1]/128
-o receive_override_options=no_unknown_recipient_checks
EOF
if [[ -n "$(which opendmarc)" ]] ; then
cat >> $postfix_master_cf << EOF
# IMPORTANT: no opendmarc here!
#-o smtpd_milters=local:/opendmarc/opendmarc.sock
EOF
fi
continue
fi

136
install_opendkim.sh
View File

@@ -13,6 +13,9 @@ echo -e "\n \033[32mStart Installation of OpenDKIM..\033[m"
#conf_file="${_src_base_dir}/conf/install_opendkim.conf"
log_file="$(mktemp)"
tmp_main_cf_file="$(mktemp)"
main_cf_file="/etc/postfix/main.cf"
backup_date="$(date +%Y-%m-%d-%H%M)"
@@ -27,6 +30,8 @@ postfix_spool_dir="/var/spool/postfix"
opendkim_socket_dir="${postfix_spool_dir}/opendkim"
opendkim_socket_file="${opendkim_socket_dir}/opendkim.sock"
opendkim_socket_string="local:/opendkim/opendkim.sock"
postfix_needs_restart=false
opendkim_needs_restart=false
@@ -87,6 +92,82 @@ echo_skipped() {
echo -e "\033[80G[ \033[37mskipped\033[m ]"
}
# Funktion stellt sicher, dass in /etc/postfix/main.cf
# - smtpd_milters
# - non_smtpd_milters
# den Wert "local:/opendkim/opendkim.sock" enthalten.
#
# Logik:
# 1) Existiert eine aktive Zeile (nicht auskommentiert)? → anpassen
# 2) Sonst: existiert eine auskommentierte Zeile? → ersetzen (entkommentieren)
# 3) Sonst: Variable am Ende der Datei hinzufügen
#
ensure_dkim_var() {
local var="$1"
awk -v var="$var" -v dkim="$opendkim_socket_string" '
# trim helper
function trim(s) {
sub("^[[:space:]]+", "", s)
sub("[[:space:]]+$", "", s)
return s
}
# Normalisiert aktive Werte:
# - wenn leer -> nur dkim
# - wenn dkim schon enthalten -> unverändert
# - sonst -> dkim vorne dran
function normalize_active_value(v) {
v = trim(v)
if (v == "") return dkim
if (index(v, dkim) > 0) return v
return dkim "," v
}
BEGIN { found_active=0; replaced_commented=0 }
#################################################################
# FALL 1: Aktive Zeile (nicht auskommentiert): var =
#################################################################
$0 ~ "^[[:space:]]*"var"[[:space:]]*=" && $0 !~ "^[[:space:]]*#" {
found_active=1
# rechten Teil extrahieren (nach "=")
v=$0
sub("^[[:space:]]*"var"[[:space:]]*=[[:space:]]*", "", v)
print var" = " normalize_active_value(v)
next
}
#################################################################
# FALL 2: Auskommentierte Zeile: # var =
# Sonderregel: ersetzen mit NUR DKIM, unabhängig vom Kommentarinhalt
#################################################################
$0 ~ "^[[:space:]]*#[[:space:]]*"var"[[:space:]]*=" \
&& found_active==0 && replaced_commented==0 {
replaced_commented=1
print var" = " dkim
next
}
#################################################################
# Sonst: Zeile unverändert ausgeben
#################################################################
{ print }
#################################################################
# FALL 3: Variable nicht vorhanden → am Ende hinzufügen
#################################################################
END {
if (found_active==0 && replaced_commented==0) {
print var" = " dkim
}
}
' "$main_cf_file"
}
# -------------
# - Some pre-installation tasks
@@ -610,19 +691,15 @@ else
fi
echononl " Activate processing of e-mail through the OpenDKIM daemon.."
if grep -q -E "milter_default_action\s*=\s*accept" /etc/postfix/main.cf ; then
echo_skipped
warn "Postfix (main.cf) seems already be configured for milters"
echononl " Delete previosly saved Postfix configuration.."
rm /etc/postfix/main.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
if grep -q -E "^\s*#?\s*smtpd_milters\s*=" ${main_cf_file} ; then
ensure_dkim_var "smtpd_milters" > "${tmp_main_cf_file}"
cp "${tmp_main_cf_file}" "${main_cf_file}"
else
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
# ======= Milter configuration =======
@@ -642,8 +719,22 @@ milter_protocol = 6
# 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
# localhost:10025 section in master.cf: 'smtpd_milters='
#
#smtpd_milters = local:/opendkim/opendkim.sock
smtpd_milters = local:/opendkim/opendkim.sock
smtpd_milters = $opendkim_socket_string
EOF
fi
if grep -q -E "^\s*#?\s*non_smtpd_milters\s*=" ${main_cf_file} ; then
# In case of sympa, DKIM signatures will be added by sympa list manager
if ! which sympa ; then
ensure_dkim_var "non_smtpd_milters" > "${tmp_main_cf_file}"
cp "${tmp_main_cf_file}" "${main_cf_file}"
fi
else
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
# Was sind non_smtpd_milters?
#
@@ -673,15 +764,15 @@ smtpd_milters = local:/opendkim/opendkim.sock
#
#
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
non_smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = $opendkim_socket_string
EOF
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
@@ -816,4 +907,5 @@ fi
echo ""
rm -f "$log_file"
rm -f "$tmp_main_cf_file"
exit 0

289
install_opendmarc.sh
View File

@@ -26,8 +26,15 @@ opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
config_file_name_value_parameters="
AuthservID|HOSTNAME
TrustedAuthservIDs|HOSTNAME
PidFile|/run/opendmarc/opendmarc.pid
RejectFailures|true
PidFile|/run/opendmarc/opendmarc.pid"
if which sympa ; then
config_file_name_value_parameters="$config_file_name_value_parameters
RejectFailures|false"
else
config_file_name_value_parameters="$config_file_name_value_parameters
RejectFailures|true"
fi
config_file_name_value_parameters="$config_file_name_value_parameters
Syslog|true
SyslogFacility|mail
IgnoreHosts|${opendmarc_base_dir}/ignore.hosts
@@ -52,8 +59,15 @@ done
postfix_needs_restart=false
opendmarc_needs_restart=false
backup_date="$(date +%Y-%m-%d-%H%M)"
log_file="$(mktemp)"
tmp_main_cf_file="$(mktemp)"
main_cf_file="/etc/postfix/main.cf"
backup_date="$(date +%Y-%m-%d-%H%M)"
opendkim_socket_string="local:/opendkim/opendkim.sock"
opendmarc_socket_string="local:/opendmarc/opendmarc.sock"
# -------------
# --- Some functions
@@ -111,6 +125,116 @@ echo_skipped() {
echo -e "\033[80G[ \033[37mskipped\033[m ]"
}
# iFubction stellt sicher, dass OpenDMARC milter in main.cf gesetzt ist
# und (falls OpenDKIM vorhanden ist) OpenDMARC direkt nach OpenDKIM folgt.
#
# Ziel:
# - smtpd_milters und non_smtpd_milters enthalten: local:/opendmarc/opendmarc.sock
# - Falls local:/opendkim/opendkim.sock vorhanden ist:
# ...opendkim...,local:/opendmarc/opendmarc.sock,...
#
# Logik:
# 1) Aktive Zeile existiert? → anpassen
# 2) Sonst kommentierte Zeile existiert? → ersetzen (entkommentieren) an derselben Stelle
# 3) Sonst am Ende hinzufügen
ensure_dmarc_var() {
local var="$1"
awk -v var="$var" -v dmarc="$opendmarc_socket_string" -v dkim="$opendkim_socket_string" '
function trim(s) {
sub("^[[:space:]]+", "", s)
sub("[[:space:]]+$", "", s)
return s
}
# Normalisiert aktive Werte:
# - Entfernt vorhandenes dmarc (um Duplikate zu verhindern)
# - Fügt dmarc wieder ein:
# - direkt nach dkim, falls dkim vorhanden
# - sonst ans Ende (oder allein, wenn leer)
function normalize_active_value(v, n,i,t,has_dkim,out,newn) {
v = trim(v)
if (v == "") return dmarc
# split an Komma, trimmen, DMARC entfernen
n = split(v, a, ",")
has_dkim = 0
newn = 0
for (i=1; i<=n; i++) {
t = trim(a[i])
if (t == "") continue
if (t == dmarc) continue # Duplikate vermeiden
a[++newn] = t
if (t == dkim) has_dkim = 1
}
n = newn
out = ""
if (has_dkim) {
# Ausgabe bauen und DMARC direkt nach DKIM einfügen
for (i=1; i<=n; i++) {
if (out != "") out = out ","
out = out a[i]
if (a[i] == dkim) {
out = out "," dmarc
}
}
return out
}
# kein DKIM: DMARC ans Ende anhängen
for (i=1; i<=n; i++) {
if (out != "") out = out ","
out = out a[i]
}
if (out == "") return dmarc
return out "," dmarc
}
BEGIN { found_active=0; replaced_commented=0 }
#################################################################
# FALL 1: Aktive Zeile (nicht auskommentiert): var =
#################################################################
$0 ~ "^[[:space:]]*"var"[[:space:]]*=" && $0 !~ "^[[:space:]]*#" {
found_active=1
v=$0
sub("^[[:space:]]*"var"[[:space:]]*=[[:space:]]*", "", v)
print var" = " normalize_active_value(v)
next
}
#################################################################
# FALL 2: Auskommentierte Zeile: # var =
# Sonderregel: ersetzen mit NUR DMARC, unabhängig vom Kommentarinhalt
#################################################################
$0 ~ "^[[:space:]]*#[[:space:]]*"var"[[:space:]]*=" \
&& found_active==0 && replaced_commented==0 {
replaced_commented=1
print var" = " dmarc
next
}
#################################################################
# Sonst: Zeile unverändert ausgeben
#################################################################
{ print }
#################################################################
# FALL 3: Variable nicht vorhanden → am Ende hinzufügen
#################################################################
END {
if (found_active==0 && replaced_commented==0) {
print var" = " dmarc
}
}
' "$main_cf_file"
}
# -------------
# - Some pre-installation tasks
@@ -764,26 +888,26 @@ else
error "$(cat $log_file)"
fi
echononl " Set Variable non_smtpd_milters at '/etc/postfix/main.cf'.."
if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then
if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then
echo_skipped
else
perl -i -n -p -e "s&^\s*(non_smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \
/etc/postfix/main.cf > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
postfix_needs_restart=true
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
echo_skipped
warn "non_smtpd_milters is not adjusted. Complete Postfix configuration (main.cf) manually\!"
fi
#echononl " Set Variable non_smtpd_milters at '/etc/postfix/main.cf'.."
#if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then
# if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then
# echo_skipped
# else
# perl -i -n -p -e "s&^\s*(non_smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \
# /etc/postfix/main.cf > $log_file 2>&1
# if [[ $? -eq 0 ]] ; then
# echo_ok
# postfix_needs_restart=true
# else
# echo_failed
# error "$(cat $log_file)"
# fi
# fi
#else
#
# echo_skipped
# warn "non_smtpd_milters is not adjusted. Complete Postfix configuration (main.cf) manually\!"
#fi
echononl " Set Variable smtpd_milters at '/etc/postfix/main.cf'.."
@@ -823,30 +947,26 @@ else
error "$(cat $log_file)"
fi
echononl " Activate processing of e-mail through the OpenDKIM daemon.."
if grep -q -E "milter_default_action\s*=\s*accept" /etc/postfix/main.cf ; then
echo_skipped
info "Postfix (main.cf) was not changed - seems already be configured right."
echononl " Delete previosly saved Postfix configuration.."
rm /etc/postfix/main.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Activate processing of e-mail through the OpenDMARC daemon.."
if grep -q -E "^\s*#?\s*smtpd_milters\s*=" ${main_cf_file} ; then
ensure_dmarc_var "smtpd_milters" > "${tmp_main_cf_file}"
cp "${tmp_main_cf_file}" "${main_cf_file}"
else
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
# ======= Milter configuration =======
# OpenDKIM, OpenDMARC
# OpenDKIM
milter_default_action = accept
# Postfix ≥ 2.6 milter_protocol = 6, Postfix ≤ 2.5 milter_protocol = 2
milter_protocol = 6
milter_protocol = 6
# Note:
# We will sign AFTER sending through AmaVIS, just befor sending out. So
# set 'smtpd_milters =' to an emty string here and add to localhost:10025
@@ -855,49 +975,62 @@ milter_protocol = 6
# If you want sign mails before sending through AmaVIS, set
# 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
# localhost:10025 section in master.cf: 'smtpd_milters='
#
smtpd_milters = local:/opendkim/opendkim.sock, local:/opendmarc/opendmarc.sock
# Was sind non_smtpd_milters?
#
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
# der smtpd-Daemon sind.
#
# Das betrifft z. B.:
#
# cleanup Header/Content-Bereinigung
# qmgr Queue-Manager
# lmtp / smtp Auslieferung nach extern
# local lokale Zustellung
#
# Das sind z. B.:
#
# - interne Bounces (MAILER-DAEMON)
#
# - Cron-Mails vom Server
#
# - Weiterleitungen, die Postfix selbst generiert
#
# - Mails, die über sendmail CLI gesendet werden
#
# - Mails, die Amavis über LMTP zurückgibt
#
# - etc.
#
#
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
non_smtpd_milters = local:/opendkim/opendkim.sock, local:/opendmarc/opendmarc.sock
#
smtpd_milters = $opendmarc_socket_string
EOF
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
#if grep -q -E "^\s*#?\s*non_smtpd_milters\s*=" ${main_cf_file} ; then
#
# ensure_dmarc_var "non_smtpd_milters" > "${tmp_main_cf_file}"
# cp "${tmp_main_cf_file}" "${main_cf_file}"
#
#else
#
# cat <<EOF >> /etc/postfix/main.cf 2> $log_file
#
## Was sind non_smtpd_milters?
##
## non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
## der smtpd-Daemon sind.
##
## Das betrifft z. B.:
##
## cleanup Header/Content-Bereinigung
## qmgr Queue-Manager
## lmtp / smtp Auslieferung nach extern
## local lokale Zustellung
##
## Das sind z. B.:
##
## - interne Bounces (MAILER-DAEMON)
##
## - Cron-Mails vom Server
##
## - Weiterleitungen, die Postfix selbst generiert
##
## - Mails, die über sendmail CLI gesendet werden
##
## - Mails, die Amavis über LMTP zurückgibt
##
## - etc.
##
##
## DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
#non_smtpd_milters = $opendmarc_socket_string
#EOF
#fi
#postfix_needs_restart=true
#if [[ $? -eq 0 ]] ; then
# echo_ok
#else
# echo_failed
# error "$(cat $log_file)"
#fi
echo ""
echononl " Enable OpenDMARC Service"

306
install_postfix_advanced.sh
View File

@@ -171,8 +171,10 @@ fi
if [[ -z "$_RELAY_HOST" ]]; then
_IS_RELAY_HOST=$DEFAULT_IS_RELAY_HOST
else
_IS_RELAY_HOST="$_RELAY_HOST"
_IS_RELAY_HOST="${_RELAY_HOST,,}"
fi
[[ "${_IS_RELAY_HOST}" == "yes" ]] && _IS_RELAY_HOST=true
[[ "${_IS_RELAY_HOST}" == "no" ]] && _IS_RELAY_HOST=false
if [[ -z "$_LISTEN_ON_ADDITIONAL_RELAY_PORT" ]] ; then
_LISTEN_ON_ADDITIONAL_RELAY_PORT=${DEFAULT_LISTEN_ON_ADDITIONAL_RELAY_PORT}
@@ -466,7 +468,7 @@ if ! ${IS_RELAY_HOST} ; then
fi
if [[ "${INPUT,,}" == "yes" || "${INPUT,,}" == "true" ]]; then
INSTALL_DMARC_REPORT_SUPPORT=true
fi
fi
fi
@@ -1071,7 +1073,18 @@ debugLevel = 1
# HELO_reject = Null - Only reject HELO Fail for Null sender (SPF Classic)
# HELO_reject = False - Never reject/defer on HELO, append header only.
# HELO_reject = No_Check - Never check HELO.
EOF
if ${IS_SYMPA_LIST_SERVER} ; then
cat <<EOF >> "${_file}"
HELO_reject = False
EOF
else
cat <<EOF >> "${_file}"
HELO_reject = SPF_Not_Pass
EOF
fi
cat <<EOF >> "${_file}"
# Mail From rejection policy. Options are:
# Mail_From_reject = SPF_Not_Pass - Reject if result not Pass/None/Tempfail.
@@ -1084,7 +1097,18 @@ HELO_reject = SPF_Not_Pass
# MAIL FROM-Adresse reagiert. Ein Fehler tritt auf, wenn die IP-Adresse des sendenden
# Servers nicht den SPF-Einträgen der Domain in der MAIL FROM-Adresse entspricht.
#
EOF
if ${IS_SYMPA_LIST_SERVER} ; then
cat <<EOF >> "${_file}"
Mail_From_reject = False
EOF
else
cat <<EOF >> "${_file}"
Mail_From_reject = Fail
EOF
fi
cat <<EOF >> "${_file}"
# Policy for rejecting due to SPF PermError. Options are:
# PermError_reject = True
@@ -1096,7 +1120,18 @@ Mail_From_reject = Fail
#
# Wenn PermError_reject auf True gesetzt ist, wird die E-Mail abgewiesen (rejected),
#
EOF
if ${IS_SYMPA_LIST_SERVER} ; then
cat <<EOF >> "${_file}"
PermError_reject = False
EOF
else
cat <<EOF >> "${_file}"
PermError_reject = True
EOF
fi
cat <<EOF >> "${_file}"
# Policy for deferring messages due to SPF TempError. Options are:
# TempError_Defer = True
@@ -1109,7 +1144,7 @@ PermError_reject = True
# Wenn TempError_Defer auf True gesetzt ist, wird die E-Mail vorübergehend zurückgewiesen
# (deferred), und der empfangende Server versucht später erneut, die E-Mail zuzustelle
#
TempError_Defer = Defer
TempError_Defer = True
# Type of header to insert to document SPF result. Can be Received-SPF (SPF)
# or Authentication Results (AR). It cannot be both.
@@ -2111,9 +2146,24 @@ smtp_tls_security_level=dane
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
# TLS RSA keys path
smtpd_tls_cert_file = $_TLS_CERT_FILE
smtpd_tls_key_file = $_TLS_KEY_FILE
EOF
if [[ -f "/etc/postfix/ssl/mailserver-ecdsa.crt" &&
-f "/etc/postfix/ssl/mailserver-ecdsa.key" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# TLS ECDSA keys path
smtpd_tls_eccert_file = /etc/postfix/ssl/mailserver-ecdsa.crt
smtpd_tls_eckey_file = /etc/postfix/ssl/mailserver-ecdsa.key
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
@@ -2427,8 +2477,8 @@ virtual_alias_domains =
#======= Postfix DSN Support ============
#
# Use the smtpd_discard_ehlo_keyword_address_maps feature if you wish to allow DSN
#
# Use the smtpd_discard_ehlo_keyword_address_maps feature if you wish to allow DSN
# requests from trusted clients but not from random strangers
#
# smtpd_discard_ehlo_keyword_address_maps =
@@ -2443,15 +2493,15 @@ virtual_alias_domains =
#smtpd_discard_ehlo_keyword_address_maps =
# If you want to disallow all use of DSN requests from the network, use the
# If you want to disallow all use of DSN requests from the network, use the
# smtpd_discard_ehlo_keywords feature:
#
# /etc/postfix/main.cf:
# smtpd_discard_ehlo_keywords = silent-discard, dsn
#
#
#
# A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that
#
# A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that
# the Postfix SMTP server will not send in the EHLO response to a remote SMTP client.
#
#
@@ -2681,7 +2731,7 @@ EOF
if [[ -n "$(which postfwd)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
127.0.0.1:10040_time_limit = 3600
#127.0.0.1:10040_time_limit = 3600
EOF
else
cat <<EOF >> /etc/postfix/main.cf
@@ -2699,7 +2749,7 @@ if [[ -n "$(which policyd-spf)" ]] ; then
# policyd-spf unix - n n - 0 spawn
# user=policyd-spf argv=/usr/bin/policyd-spf
#
policyd-spf_time_limit = 3600
#policyd-spf_time_limit = 3600
EOF
fi
@@ -2876,6 +2926,16 @@ smtpd_recipient_restrictions =
# \$relay_recipient_maps, and \$relay_recipient_maps is not null.
#
reject_unlisted_recipient,
EOF
if [[ -n "$(which policyd-spf)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# Check Postfix policy service ..
#
check_policy_service unix:private/policy-spf
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
# reject_unauth_destination
#
# Reject the request unless one of the following is true:
@@ -2898,21 +2958,16 @@ smtpd_recipient_restrictions =
# managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
# for more details
reject_unverified_recipient,
EOF
if [[ -n "$(which policyd-spf)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# Check Postfix policy service ..
#
check_policy_service unix:private/policy-spf
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
# Policyd-Weight
#check_policy_service inet:127.0.0.1:12525,
# ---------------------------------------------------------------------------------
# DEPRECATED permit_mx_backup
#
# warning: support for restriction "permit_mx_backup" will be removed from Postfix;
# permit Backup MX
permit_mx_backup,
# permit_mx_backup,
# ---------------------------------------------------------------------------------
# permit, if all restrictions so far passed
permit
@@ -2953,8 +3008,13 @@ smtpd_relay_restrictions =
# managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
# for more details
reject_unverified_recipient,
# ---------------------------------------------------------------------------------
# DEPRECATED permit_mx_backup
#
# warning: support for restriction "permit_mx_backup" will be removed from Postfix;
# permit Backup MX
permit_mx_backup,
# permit_mx_backup,
# ---------------------------------------------------------------------------------
# permit, if all restrictions so far passed
permit
@@ -2989,12 +3049,22 @@ else
EOF
fi
if ${IS_SYMPA_LIST_SERVER} || ${IS_RELAY_HOST}; then
cat <<EOF >> /etc/postfix/main.cf
# Default: alles was nicht explizit überschrieben wird (pickup/local/sympa/cron/...)
content_filter = amavisfeed:[127.0.0.1]:10029
EOF
fi
if [[ -n "$(which opendkim)" ]] || [[ -n "$(which opendmarc)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# ======= Milter configuration =======
# OpenDKIM
# OpenDKIM / OpenDMARC
milter_default_action = accept
@@ -3011,10 +3081,26 @@ milter_protocol = 6
# localhost:10025 section in master.cf: 'smtpd_milters='
#
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
smtpd_milters =
EOF
if [[ -n "$(which opendkim)" ]] && [[ -n "$(which opendmarc)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
smtpd_milters = local:/opendkim/opendkim.sock,local:/opendmarc/opendmarc.sock
EOF
elif [[ -n "$(which opendkim)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
smtpd_milters = local:/opendkim/opendkim.sock
EOF
else
cat <<EOF >> /etc/postfix/main.cf
smtpd_milters = local:/opendmarc/opendmarc.sock
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
# Was sind non_smtpd_milters?
#
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
# der smtpd-Daemon sind.
#
# Das betrifft z. B.:
@@ -3038,19 +3124,82 @@ smtpd_milters =
#
# - etc.
#
#
EOF
fi
if [[ -n "$(which opendkim)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
#
non_smtpd_milters = local:/opendkim/opendkim.sock
EOF
else
cat <<EOF >> /etc/postfix/main.cf
if ${IS_SYMPA_LIST_SERVER} ; then
cat <<EOF >> /etc/postfix/main.cf
# DKIM signing takes place in the Sympa list manager.
non_smtpd_milters =
EOF
elif [[ -n "$(which opendkim)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = local:/opendkim/opendkim.sock
EOF
else
cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters =
EOF
fi
else
cat <<EOF >> /etc/postfix/main.cf
# ======= Milter configuration =======
# OpenDKIM / OpenDMARC
milter_default_action = accept
# Postfix ≥ 2.6 milter_protocol = 6, Postfix ≤ 2.5 milter_protocol = 2
milter_protocol = 6
# Note:
# We will sign AFTER sending through AmaVIS, just befor sending out. So
# set 'smtpd_milters =' to an emty string here and add to localhost:10025
# section in master.cf: 'smtpd_milters=local:/opendkim/opendkim.sock'
#
# If you want sign mails before sending through AmaVIS, set
# 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
# localhost:10025 section in master.cf: 'smtpd_milters='
#
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
#smtpd_milters =
# Was sind non_smtpd_milters?
#
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
# der smtpd-Daemon sind.
#
# Das betrifft z. B.:
#
# cleanup Header/Content-Bereinigung
# qmgr Queue-Manager
# lmtp / smtp Auslieferung nach extern
# local lokale Zustellung
#
# Das sind z. B.:
#
# - interne Bounces (MAILER-DAEMON)
#
# - Cron-Mails vom Server
#
# - Weiterleitungen, die Postfix selbst generiert
#
# - Mails, die über sendmail CLI gesendet werden
#
# - Mails, die Amavis über LMTP zurückgibt
#
# - etc.
#
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
#
#non_smtpd_milters =
EOF
fi
@@ -3541,41 +3690,58 @@ fi
_file="/etc/postfix/header_checks.pcre"
echononl " Create file '$_file' used for header replacing"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
cat << 'EOF' > "$_file"
# ---
# - Replace headers
# - Header Checks - /etc/postfix/header_checks
# ---
#
# Ziel: offensichtlich kaputte RFC-Header ablehnen (wenig False Positives)
# - Replace recieved from
#/^Received: from (.* \\([-._[:alnum:]]+ \\[[.[:digit:]]{7,15}\\]\\)).*?([[:space:]]+).*\\(Authenticated sender: ([^)]+)\\)(.*)/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])\$2(Authenticated sender: \$3)\$4
########################################
# A) Kaputter From:-Header
########################################
# 1) From: ist leer
/^From:\s*$/ REJECT Invalid From header (empty) - Spamschutzregel FROM-1001
# 2) Mehr als ein '@' im From:-Header -> syntaktisch kaputt
/^From:.*@.*@/ REJECT Invalid From header (multiple @) - Spamschutzregel FROM-1002
# ---
# - Ignore Headers
# ---
# 3) Mehrere Mailboxen durch Komma getrennt (wie: Die@..., Lions@..., ...)
# (Legitime Fälle nutzen i.d.R. Display-Namen/Group-Syntax; dieses Muster ist in Spam sehr häufig)
/^From:\s*[^<>,]+@[^,]+,\s*[^<>,]+@/ REJECT Invalid From header (multiple mailboxes) - Spamschutzregel FROM-1003
#/^\s*User-Agent/ IGNORE
#/^\s*X-Enigmail/ IGNORE
#/^\s*X-Mailer/ IGNORE
#/^\s*X-Originating-IP/ IGNORE
# 4) Typische kaputte UTF-8-Fragmente
/^From:.*\xC3\xA2/ REJECT Invalid UTF-8 in From header - Spamschutzregel FROM-1004
# ---
# - Reject / Discard headers
# ---
########################################
# B) Optional: sehr spezifische lokale Blacklist
########################################
/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001
#/^Reply-To: .+\@inx1and1\..+/ REJECT Possible spam (local pattern)
/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001
/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001
########################################
# C) Warn
########################################
/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001
# Date-Rejects sind oft zu aggressiv -> wenn nötig: lieber taggen oder loggen statt reject
/^Date: .* 19[0-9][0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1003
########################################
# Bemerkungen
########################################
# (envelope-from <>) nicht pauschal rejecten:
# echte DSNs/Bounces haben legitimerweise MAIL FROM: <>
#/\(envelope-from <>\)/ REJECT Null envelope-from
/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003
/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
@@ -3840,10 +4006,10 @@ if ${INSTALL_DMARC_REPORT_SUPPORT} ; then
cat <<EOF >> /etc/postfix/transport 2> $log_file
# - Take care your master.cf file ($postfix_master_cf) contains:
# -
# -
# - dmarc-pipe unix - n n - - pipe
# - flags=Rq user=vmail argv=/usr/local/bin/dmarc-collect.sh
# -
# -
dmarc-reports@oopen.de dmarc-pipe:
EOF
@@ -3932,7 +4098,7 @@ EOF
_failed=true
fi
if ${_failed} ; then
echo_failed
error "$(cat $log_file)"
@@ -3981,6 +4147,14 @@ else
dmarc_pipe_present=false
fi
if ${LISTEN_ON_ADDITIONAL_RELAY_PORT} ; then
if grep -iq -E "^${ADDITIONAL_RELAY_LISTEN_PORT}\s+" $postfix_master_cf > /dev/null 2>&1 ; then
additional_relay_port_present=true
else
additional_relay_port_present=false
fi
fi
_found=false
echononl " Create new file \"${postfix_master_cf}\""
if [[ -f "${postfix_master_cf}.$backup_date" ]]; then
@@ -3999,7 +4173,6 @@ submission inet n - y - 20 smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#-o milter_macro_daemon_name=ORIGINATING
EOF
fi
if ! $smtps_present ; then
@@ -4008,13 +4181,14 @@ smtps inet n - y - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#-o milter_macro_daemon_name=ORIGINATING
EOF
fi
elif $LISTEN_ON_ADDITIONAL_RELAY_PORT ; then
cat >> $postfix_master_cf << EOF
if ! ${additional_relay_port_present} ; then
cat >> $postfix_master_cf << EOF
${ADDITIONAL_RELAY_LISTEN_PORT} inet n - y - - smtpd
EOF
fi
fi
continue
fi
@@ -4027,7 +4201,6 @@ submission inet n - y - 20 smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
EOF
fi
continue
@@ -4041,7 +4214,6 @@ smtps inet n - y - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
EOF
fi
continue
@@ -4064,7 +4236,7 @@ EOF
# - Add support for policyd-spf service
# -
if ! $(grep -iq -E "^policyd-spf\s+" "$postfix_master_cf" 2> /dev/null) ; then
if ! grep -iq -E "^policy-spf\s+" "$postfix_master_cf" 2> /dev/null ; then
cat <<EOF >> $postfix_master_cf
policy-spf unix - n n - 0 spawn
@@ -4075,7 +4247,7 @@ EOF
# - Add transport definitions for only sending over IPv4/IPv6
# -
if ! $(grep -iq -E "^smtp-ipv4-only\s+" "$postfix_master_cf" 2> /dev/null) ; then
if ! grep -iq -E "^smtp-ipv4-only\s+" "$postfix_master_cf" 2> /dev/null ; then
cat <<EOF >> $postfix_master_cf
smtp-ipv4-only unix - - n - - smtp
@@ -4083,7 +4255,7 @@ smtp-ipv4-only unix - - n - - smtp
EOF
fi
if ! $(grep -iq -E "^smtp-ipv6-only\s+" "$postfix_master_cf" 2> /dev/null) ; then
if ! grep -iq -E "^smtp-ipv6-only\s+" "$postfix_master_cf" 2> /dev/null ; then
cat <<EOF >> $postfix_master_cf
smtp-ipv6-only unix - - n - - smtp

374
install_postfixadmin.sh
View File

@@ -187,10 +187,9 @@ detect_mysql_version () {
# -
systemd_supported=false
systemd=$(which systemd)
systemctl=$(which systemctl)
if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then
if [[ -n "$systemctl" ]] ; then
systemd_supported=true
fi
@@ -256,6 +255,14 @@ do
echo -e "\n\t\033[33m\033[1mA version number is required!\033[m\n"
fi
done
IFS='.' read -r PF_ADMIN_MAJOR_VERSION PF_ADMIN_MINOR_VERSION PF_ADMIN_PATCH_LEVEL <<< "$PF_ADMIN_VERSION"
#echo ""
#echo "PF_ADMIN_MAJOR_VERSION: $PF_ADMIN_MAJOR_VERSION"
#echo "PF_ADMIN_MINOR_VERSION: $PF_ADMIN_MINOR_VERSION"
#echo "PF_ADMIN_PATCH_LEVEL: $PF_ADMIN_PATCH_LEVEL"
#exit
echo ""
echo -e "\033[32m--\033[m"
echo ""
@@ -275,6 +282,9 @@ DEFAULT_APACHE_SERVER_CERT="server-bundle.crt"
DEFAULT_APACHE_SERVER_KEY="server.key"
DEFAULT_DEBIAN_APACHE_VHOST_DIR="/etc/apache2/sites-available"
DEFAULT_APACHE_VHOST_DIR="/usr/local/apache2/conf/vhosts"
DEFAULT_COMPOSER="/usr/local/bin/composer"
DEFAULT_POSTFIX_DB_HOST_PGSQL="/run/postgresql"
if [[ -S "/tmp/mysql.sock" ]] ; then
DEFAULT_POSTFIX_DB_HOST_MYSQL="unix:/tmp/mysql.sock"
@@ -379,6 +389,8 @@ if [[ -z "$APACHE_VHOST_DIR" ]] ; then
fi
fi
[[ -n "${COMPOSER}" ]] || COMPOSER=${DEFAULT_COMPOSER}
[[ -n "$POSTFIX_DB_TYPE" ]] || fatal "Database Type of Postfix Database (POSTFIX_DB_TYPE) not present!"
[[ -n "$POSTFIX_DB_HOST_MYSQL" ]] || POSTFIX_DB_HOST_MYSQL="$DEFAULT_POSTFIX_DB_HOST_MYSQL"
[[ -n "$POSTFIX_DB_HOST_PGSQL" ]] ||POSTFIX_DB_HOST_PGSQL="$DEFAULT_POSTFIX_DB_HOST_PGSQL"
@@ -418,7 +430,7 @@ if [[ "$POSTFIX_DB_TYPE" = "mysql" ]] ; then
fi
else
echononl "\tGet MySQL command.."
mysql_command="$(which mysql)"
if [[ $? -eq 0 ]]; then
@@ -441,9 +453,9 @@ if [[ "$POSTFIX_DB_TYPE" = "mysql" ]] ; then
elif [[ -f "/etc/mysql/debian.cnf" ]] ; then
MYSQL_CREDENTIALS="--defaults-file=/etc/mysql/debian.cnf"
else
fatal "Parameter 'MYSQL_CREDENTIALS' cannot be determined automated.
fatal "Parameter 'MYSQL_CREDENTIALS' cannot be determined automated.
Use configuration file "$conf_file" to set
Use configuration file "$conf_file" to set
parameter manually."
fi
fi
@@ -463,7 +475,7 @@ fi
if [[ "$ENCRYPTION_METHOD" =~ dovecot ]]; then
[[ -n "$DOVEADM_PW" ]] || DOVEADM_PW=$DEFAULT_DOVEADM_PW
fi
fi
[[ -n "$DELETED_MAILBOX_DIR" ]] || DELETED_MAILBOX_DIR=$DEFAULT_DELETED_MAILBOX_DIR
[[ -n "$DELETED_DOMAINS_DIR" ]] || DELETED_DOMAINS_DIR=$DEFAULT_DELETED_DOMAINS_DIR
@@ -755,7 +767,7 @@ fi
if ! $database_exists ; then
echononl "\tCreate Postfix Database '$POSTFIX_DB_NAME'"
if [ "$POSTFIX_DB_TYPE" = "mysql" ]; then
if [ "$POSTFIX_DB_TYPE" = "mysql" ]; then
echo -n " (MySQL).."
mysql $MYSQL_CREDENTIALS -N -s -e \
"CREATE DATABASE IF NOT EXISTS $POSTFIX_DB_NAME CHARACTER SET utf8 COLLATE utf8_general_ci" >> $log_file 2>&1
@@ -805,7 +817,7 @@ else
else
_db_backup_file_name="${POSTFIX_DB_NAME}-pfa.${backup_date}.sql"
fi
if [[ "$POSTFIX_DB_TYPE" = "mysql" ]]; then
if [[ "$POSTFIX_DB_TYPE" = "mysql" ]]; then
echo -n " (MySQL).."
mysqldump $MYSQL_CREDENTIALS --opt $POSTFIX_DB_NAME > ${WEBSITE_BASEDIR}/${_db_backup_file_name} 2> $log_file
if [[ $? -eq 0 ]]; then
@@ -926,12 +938,80 @@ done
if $_failed ; then
echo_failed
error "$(cat $log_file)"
echononl "\tcontinue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Script terminated by user input.."
else
echo_ok
fi
echo -e "\n\n\t\033[37m\033[1mInstall (global) composer..\033[m\n"
echononl "\tDownload composer from 'getcomposer.org'.."
php -r "copy('https://getcomposer.org/installer', '${_src_base_dir}/composer-setup.php');" > $log_file 2>&1
if [[ "$?" = "0" ]]; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
echononl "\tcontinue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Script terminated by user input.."
fi
echononl "\tInstall composer to ${COMPOSER}"
php ${_src_base_dir}/composer-setup.php --install-dir=$(dirname ${COMPOSER}) \
--filename=$(basename ${COMPOSER}) > $log_file 2>&1
if [[ "$?" = "0" ]]; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
echononl "\tcontinue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Script terminated by user input.."
fi
echononl "\tRemove the installer"
php -r "unlink('${_src_base_dir}/composer-setup.php');" > $log_file 2>&1
if [[ "$?" = "0" ]]; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
echononl "\tcontinue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Script terminated by user input.."
fi
echo -e "\n\n\t\033[37m\033[1mBase install Postfixadmin..\033[m\n"
@@ -1102,6 +1182,37 @@ else
echo_ok
fi
echononl "\tInstall PHP dependencies ( composer install --no-dev ... ).."
if [[ ${PF_ADMIN_MAJOR_VERSION} -gt 3 ]] ; then
if $PHP_DEBIAN_INSTALLATION ; then
su ${HTTP_USER} -c"cd ${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}
php /usr/local/bin/composer install --prefer-dist --no-interaction --no-dev" -s /bin/bash \
> $log_file 2>&1
else
su ${HTTP_USER} -c"cd ${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}
/usr/local/php-${php_latest_ver}/bin/php /usr/local/bin/composer --prefer-dist \
--no-interaction install --no-dev" -s /bin/bash > $log_file 2>&1
fi
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
echononl "\tcontinue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Script terminated by user input.."
fi
else
echo_skipped
fi
echononl "\tRemove existing symlink '${WEBSITE_BASEDIR}/htdocs'"
if [[ -h "${WEBSITE_BASEDIR}/htdocs" ]]; then
@@ -1247,13 +1358,13 @@ if [[ "$PHP_TYPE" = "fcgid" ]] ; then
#!/bin/sh
export PHPRC="${WEBSITE_BASEDIR}/conf/"
export TMPDIR="${WEBSITE_BASEDIR}/tmp"
# PHP child process management (PHP_FCGI_CHILDREN) should
# always be disabled with mod_fcgid, which will only route one
# request at a time to application processes it has spawned;
# thus, any child processes created by PHP will not be used
# effectively. (Additionally, the PHP child processes may not
# be terminated properly.) By default, and with the environment
# variable setting PHP_FCGI_CHILDREN=0, PHP child process
# PHP child process management (PHP_FCGI_CHILDREN) should
# always be disabled with mod_fcgid, which will only route one
# request at a time to application processes it has spawned;
# thus, any child processes created by PHP will not be used
# effectively. (Additionally, the PHP child processes may not
# be terminated properly.) By default, and with the environment
# variable setting PHP_FCGI_CHILDREN=0, PHP child process
# management is disabled.
PHP_FCGI_CHILDREN=0
export PHP_FCGI_CHILDREN
@@ -1586,17 +1697,17 @@ EOF
# - X-Frame-Options
# -
# - The X-Frame-Options header (RFC), or XFO header, protects your visitors
# - against clickjacking attacks. An attacker can load up an iframe on their
# - site and set your site as the source, it's quite easy:
# - The X-Frame-Options header (RFC), or XFO header, protects your visitors
# - against clickjacking attacks. An attacker can load up an iframe on their
# - site and set your site as the source, it's quite easy:
# -
# - <iframe src="https://scotthelme.co.uk"></iframe>
# -
# - Using some crafty CSS they can hide your site in the background and create some
# - genuine looking overlays. When your visitors click on what they think is a harmless
# - link, they're actually clicking on links on your website in the background. That
# - might not seem so bad until we realise that the browser will execute those requests
# - in the context of the user, which could include them being logged in and authenticated
# - Using some crafty CSS they can hide your site in the background and create some
# - genuine looking overlays. When your visitors click on what they think is a harmless
# - link, they're actually clicking on links on your website in the background. That
# - might not seem so bad until we realise that the browser will execute those requests
# - in the context of the user, which could include them being logged in and authenticated
# - to your site!
# -
# - Troy Hunt has a great blog on 'Clickjack attack the hidden threat right in front :
@@ -1604,49 +1715,49 @@ EOF
# -
# - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
# -
# - Valid values include DENY meaning your site can't be framed, SAMEORIGIN which allows
# - you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify
# - Valid values include DENY meaning your site can't be framed, SAMEORIGIN which allows
# - you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify
# -sites that are permitted to frame your own site.
# -
Header always set X-Frame-Options "SAMEORIGIN"
# - X-Xss-Protection
# -
# - This header is used to configure the built in reflective XSS protection found
# - in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header
# - are 0, which disables the protection, 1 which enables the protection
# - and 1; mode=block which tells the browser to block the response if it
# - This header is used to configure the built in reflective XSS protection found
# - in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header
# - are 0, which disables the protection, 1 which enables the protection
# - and 1; mode=block which tells the browser to block the response if it
# - detects an attack rather than sanitising the script.
# -
Header always set X-Xss-Protection "1; mode=block"
# - X-Content-Type-Options
# -
# - Nice and easy to configure, this header only has one valid value, nosniff.
# - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
# - the content-type of a response away from the one being declared by the server.
# - It reduces exposure to drive-by downloads and the risks of user uploaded content
# - that, with clever naming, could be treated as a different content-type, like
# - Nice and easy to configure, this header only has one valid value, nosniff.
# - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
# - the content-type of a response away from the one being declared by the server.
# - It reduces exposure to drive-by downloads and the risks of user uploaded content
# - that, with clever naming, could be treated as a different content-type, like
# - an executable.
# -
Header always set X-Content-Type-Options "nosniff"
# - Content Security Policy
# -
# - The CSP header allows you to define a whitelist of approved sources of content
# - for your site. By restricting the assets that a browser can load for your site,
# - like js and css, CSP can act as an effective countermeasure to XSS attacks. I
# - have covered CSP in a lot more detail in my blog Content Security Policy - An
# - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/).
# - The CSP header allows you to define a whitelist of approved sources of content
# - for your site. By restricting the assets that a browser can load for your site,
# - like js and css, CSP can act as an effective countermeasure to XSS attacks. I
# - have covered CSP in a lot more detail in my blog Content Security Policy - An
# - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/).
# -
# - Here is a basic policy to enforce TLS on all assets and prevent
# - Here is a basic policy to enforce TLS on all assets and prevent
# - mixed content warnings.
# -
# - Allow Google Analytics, Google AJAX CDN and Same Origin
# - script-src 'self' www.google-analytics.com ajax.googleapis.com;
# -
# - Emmbedding Google Fonts
# - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
# - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
# -
# - Allow YouTube Videos (iframe embedded)
# - frame-src 'self' https://www.youtube.com
@@ -1656,9 +1767,9 @@ EOF
# - Referrer-Policy
# -
# - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
# - field that identifies the address of the webpage (i.e. the URI or IRI) that
# - linked to the resource being requested. By checking the referrer, the new
# - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
# - field that identifies the address of the webpage (i.e. the URI or IRI) that
# - linked to the resource being requested. By checking the referrer, the new
# - webpage can see where the request originated.
# -
Header set Referrer-Policy "strict-origin-when-cross-origin"
@@ -1778,7 +1889,7 @@ fi
echononl "\tCreate system user '$VACATION_USER'"
if ! grep -q "$VACATION_USER" /etc/passwd > /dev/null 2>&1 ; then
adduser --system --home /var/spool/vacation --no-create-home --uid 65501 --gid 65501 --shell /usr/sbin/nologin $VACATION_USER > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat $log_file)"
@@ -1849,7 +1960,7 @@ fi
# -
#echononl "\tWorkaround, because encoding does not work as exspected."
## - Vacation script changed. Since Version 3.2 we need another perl regexp.
## - The old one was:
## - The old one was:
## - perl -i -n -p -e "s/(\s*\'ctype\'\s* =>\s*)\'text\/plain.*$/\1\'text\/plain; charset=iso-8859-1\',/" \
## -
##perl -i -n -p -e "s/(\s*\'Content-Type\'\s* =>\s*)\"text\/plain.*$/\1\"text\/plain; charset=iso-8859-1\",/" \
@@ -1884,7 +1995,7 @@ fi
# - /etc/mail/postfixadmin/vacation.conf
# - /etc/postfixadmin/vacation.conf
# -
# - Instead of changing this script, we put the needed entries
# - Instead of changing this script, we put the needed entries
# - to file /etc/postfixadmin/vacation.conf:
# -
echononl "\tCreate directory '/etc/postfixadmin' "
@@ -1990,15 +2101,15 @@ fi
# - Create an entry in /etc/hosts for the (non-existant domain)
# - $AUTOREPLY_HOSTNAME
# -
# - $AUTOREPLY_HOSTNAME
# -
# - add:
# -
# - 127.0.0.1 $AUTOREPLY_HOSTNAME
# -
echononl "\tCreate entry in /etc/hosts for '$AUTOREPLY_HOSTNAME'"
if ! grep -q "$AUTOREPLY_HOSTNAME" /etc/hosts > $log_file 2>&1 ; then
perl -i -n -p -e"s#(^\s*127.0.0.1\s+localhost.*)#\1\n\n127.0.0.1 ${AUTOREPLY_HOSTNAME}#" /etc/hosts > $log_file 2>&1
perl -i -n -p -e"s#(^\s*127.0.0.1\s+localhost.*)#\1\n\n127.0.0.1 ${AUTOREPLY_HOSTNAME}#" /etc/hosts > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
@@ -2009,7 +2120,7 @@ else
echo_skipped
fi
# - Define the transport type in the Postfix master file
# - Define the transport type in the Postfix master file
# - /etc/postfix/master.cf
# -
# - vacation unix - n n - - pipe
@@ -2097,15 +2208,18 @@ fi
echo -e "\n\n\t\033[37m\033[1mConfigure Postfix Admin\033[m\n"
if [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]]; then
if [[ $MAJOR_VERSION -gt 3 ]] ; then
pfa_conf_file="${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.local.php"
cp -a "${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.inc.php" "$pfa_conf_file"
elif [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]] ; then
pfa_conf_file="${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.local.php"
cp -a "${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.inc.php" "$pfa_conf_file"
else
pfa_conf_file="${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.inc.php"
cp -a "$pfa_conf_file" "${pfa_conf_file}.ORIG"
fi
# - Use 'Re: $SUBJECT' as the default subject template for vacation
# - in postfixadmin
@@ -2166,26 +2280,26 @@ else
fi
> $log_file
perl -i -n -p -e "s#^(\s*\\\$CONF\['default_language'\]\s*=.*)#//!\1\n\\\$CONF['default_language'] = 'de';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['database_type'\]\s*=.*)#//!\1\n\\\$CONF['database_type'] = '$_database_type';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['database_host'\]\s*=.*)#//!\1\n\\\$CONF['database_host'] = 'localhost';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['database_user'\]\s*=.*)#//!\1\n\\\$CONF['database_user'] = '$POSTFIX_DB_USER';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['database_password'\]\s*=.*)#//!\1\n\\\$CONF['database_password'] = '$POSTFIX_DB_PASS';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['database_name'\]\s*=.*)#//!\1\n\\\$CONF['database_name'] = '$POSTFIX_DB_NAME';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['database_prefix'\]\s*=.*)#//!\1\n\\\$CONF['database_prefix'] = '';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['admin_email'\]\s*=.*)#//!\1\n\\\$CONF['admin_email'] = '$WEBMASTER_EMAIL';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['encrypt'\]\s*=.*)#//!\1\n\\\$CONF['encrypt'] = '$ENCRYPTION_METHOD';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
if grep -q -E "^\\\$CONF\['dovecotpw'\]\s*=.*" "$pfa_conf_file" 2> /dev/null ; then
perl -i -n -p -e "s#^(\\\$CONF\['dovecotpw'\]\s*=.*)#//!\1\n\\\$CONF['dovecotpw'] = '$DOVEADM_PW';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
else
cat <<EOF >> $pfa_conf_file
@@ -2224,7 +2338,7 @@ echononl "\tAdjust Postfix Admin's Configuration - Part 2"
_failed=false
> $log_file
perl -i -n -p -e "s#^(\s*\\\$CONF\['default_aliases'\]\s*=.*)#//\n//! 'default_aliases' will be overridden - see end of configfile\n//\n\1#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
cat <<EOF >> $pfa_conf_file 2> $log_file
@@ -2244,10 +2358,10 @@ EOF
perl -i -n -p -e "s#^(\s*\\\$CONF\['language_hook'\]\s*=.*)#//\n//! 'language_hook' will be overridden - see end of configfile\n//\n\1#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['password_validation'\]\s*=.*)#//\n//! 'password_validation' will be overridden - see end of configfile\n//\n\1#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
cat <<EOF >> $pfa_conf_file 2> $log_file
// Password validation
@@ -2273,19 +2387,19 @@ cat <<EOF >> $pfa_conf_file 2> $log_file
);
/*
language_hook example function
language_hook example function
Called if \$CONF['language_hook'] == '<name_of_the_function>'
Allows to add or override \$PALANG interface texts.
If you add new texts, please always prefix them with 'x_' (for example
If you add new texts, please always prefix them with 'x_' (for example
\$PALANG['x_mytext'] = 'foo') to avoid they clash with texts that might be
added to languages/*.lang in future versions of PostfixAdmin.
Please also make sure that all your added texts are included in all
sections - that includes all 'case "XY":' sections and the 'default:'
section (for users that don't have any of the languages specified
in the 'case "XY":' section).
in the 'case "XY":' section).
Usually the 'default:' section should contain english text.
If you modify an existing text/translation, please consider to report it
@@ -2331,23 +2445,23 @@ EOF
perl -i -n -p -e "s#^(\s*\\\$CONF\['domain_path'\]\s*=.*)#//!\1\n\\\$CONF['domain_path'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['domain_in_mailbox'\]\s*=.*)#//!\1\n\\\$CONF['domain_in_mailbox'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['aliases'\]\s*=.*)#//!\1\n\\\$CONF['aliases'] = '100';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['mailboxes'\]\s*=.*)#//!\1\n\\\$CONF['mailboxes'] = '100';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['maxquota'\]\s*=.*)#//!\1\n\\\$CONF['maxquota'] = '0';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['domain_quota_default'\]\s*=.*)#//!\1\n\\\$CONF['domain_quota_default'] = '0';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['quota'\]\s*=.*)#//!\1\n\\\$CONF['quota'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['domain_quota'\]\s*=.*)#//!\1\n\\\$CONF['domain_quota'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['quota_multiplier'\]\s*=.*)#//!\1\n\\\$CONF['quota_multiplier'] = '1048576';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
if $_failed ; then
echo_failed
error "$(cat $log_file)"
@@ -2425,8 +2539,8 @@ cat <<EOF >> $pfa_conf_file 2> $log_file
// ReplyType options
// If you want to define additional reply options put them in array below.
// The array has the format seconds between replies => $PALANG text
// Special values for seconds are:
// 0 => only reply to the first mail while on vacation
// Special values for seconds are:
// 0 => only reply to the first mail while on vacation
// 1 => reply on every mail
// 60*60*24*7 => Reply if last autoreply was at least a week ago
//
@@ -2459,8 +2573,8 @@ fi
## - EOM;
## -
echononl "\tCreate welcome message.."
if [[ -n "$WELCOME_MESSAGE" ]] ; then
cat <<EOF >> $pfa_conf_file 2> $log_file
if [[ -n "$WELCOME_MESSAGE" ]] ; then
cat <<EOF >> $pfa_conf_file 2> $log_file
// Welcome Message
// This message is send to every newly created mailbox.
@@ -2503,35 +2617,35 @@ echononl "\tAdjust Postfix Admin's Configuration - Part 5"
_failed=false
> $log_file
perl -i -n -p -e "s#^(\s*\\\$CONF\['alias_control_admin'\]\s+=.*)#//!\1\n\\\$CONF['alias_control_admin'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['alias_control'\]\s*=.*)#//!\1\n\\\$CONF['alias_control'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['special_alias_control'\]\s*=.*)#//!\1\n\\\$CONF['special_alias_control'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['backup'\]\s*=.*)#//!\1\n\\\$CONF['backup'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['fetchmail'\]\s*=.*)#//!\1\n\\\$CONF['fetchmail'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['user_footer_link'\]\s+=.*)#//!\1\n\\\$CONF['user_footer_link'] = 'https://${WEBSITE_NAME}/main.php';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['footer_text'\]\s+=.*)#//!\1\n\\\$CONF['footer_text'] = 'Main Menu';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['footer_link'\]\s+=.*)#//!\1\n\\\$CONF['footer_link'] = 'http://${WEBSITE_NAME}/main.php';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['emailcheck_resolve_domain'\]\s*=.*)#//!\1\n\\\$CONF['emailcheck_resolve_domain'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['show_status'\]\s*=.*)#//!\1\n\\\$CONF['show_status'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['show_status_key'\]\s*=.*)#//!\1\n\\\$CONF['show_status_key'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['show_undeliverable'\]\s*=.*)#//!\1\n\\\$CONF['show_undeliverable'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['show_popimap'\]\s*=.*)#//!\1\n\\\$CONF['show_popimap'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['used_quotas'\]\s*=.*)#//!\1\n\\\$CONF['used_quotas'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['new_quota_table'\]\s*=.*)#//!\1\n\\\$CONF['new_quota_table'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
if $_failed ; then
echo_failed
error "$(cat $log_file)"
@@ -2564,7 +2678,7 @@ fi
# - $CONF['configured'] = true;
echononl "\tSet '\$CONF['configured'] = true'"
perl -i -n -p -e "s#^(\s*\\\$CONF\['configured'\]\s*=.*)#//!\1\n\\\$CONF['configured'] = true;#" \
$pfa_conf_file > $log_file 2>&1
$pfa_conf_file > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
@@ -2625,7 +2739,7 @@ echo ""
# - AFTER DELETION MAILBOX
# -
# -
# - activate script for moving a mailbox from the mailboxdirectory
# - and save it to the backupb directory /var/deleted-maildirs
# -
@@ -2634,7 +2748,7 @@ echononl "\tCreate folder '${DELETED_MAILBOX_DIR}"
if [[ ! -d "${DELETED_MAILBOX_DIR}" ]] ; then
mkdir $DELETED_MAILBOX_DIR > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
echo_ok
else
echo_failed
error "$(cat $log_file)"
@@ -2688,11 +2802,11 @@ else
fi
# - Change the posdeletion scripts to your needs:
# -
# -
# - set:
# - basedir=/var/vmail
# - trashbase=$DELETED_MAILBOX_DIR
# -
# -
# - trashdir="${trashbase}/$2/`date +%F_$H-%M`_${subdir}"
# -
echononl "\tAdjust 'postfixadmin-mailbox-postdeletion.sh'"
@@ -2714,9 +2828,9 @@ fi
# - Edit ${WEBSITE_BASEDIR}/htdocs/config.inc.php
# -
# - in section add line
# - in section add line
# - $CONF['mailbox_postdeletion_script']='sudo -u vmail /usr/local/bin/postfixadmin-mailbox-postdeletion.sh';
# -
# -
echononl "\tAdjust 'config.inc.php' to make script available"
perl -i -n -p -e "s#^(\s*[/*]?\s*\\\$CONF\['mailbox_postdeletion_script'\]\s*=.*)#//!\1\n\\\$CONF['mailbox_postdeletion_script'] = 'sudo -u vmail /usr/local/bin/postfixadmin-mailbox-postdeletion.sh';#" \
$pfa_conf_file > $log_file 2>&1
@@ -2779,7 +2893,7 @@ fi
# - AFTER DELETION MAILDOMIAN
# -
# -
# - activate script for moving a mailbox from the mailboxdirectory
# - and save it to the backupb directory $DELETED_DOMAINS_DIR
# -
@@ -2788,7 +2902,7 @@ echononl "\tCreate folder '${DELETED_DOMAINS_DIR}"
if [[ ! -d "${DELETED_DOMAINS_DIR}" ]] ; then
mkdir $DELETED_DOMAINS_DIR > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
echo_ok
else
echo_failed
error "$(cat $log_file)"
@@ -2845,11 +2959,11 @@ fi
# - Change the posdeletion scripts to your needs:
# -
# -
# - set:
# - basedir=/var/vmail
# - trashbase=$DELETED_DOMAINS_DIR
# -
# -
# - trashdir="${trashbase}/`date +%F_%H-%M`_$1"
# -
echononl "\tAdjust 'postfixadmin-domain-postdeletion.sh'"
@@ -2870,9 +2984,9 @@ fi
# - edit ${WEBSITE_BASEDIR}/htdocs/config.inc.php
# -
# - in section add line
# - in section add line
# - $CONF['domain_postdeletion_script']='sudo -u vmail /usr/local/bin/postfixadmin-domain-postdeletion.sh';
# -
# -
echononl "\tAdjust 'config.inc.php' to make script available"
perl -i -n -p -e "s#^(\s*[/*]?\s*\\\$CONF\['domain_postdeletion_script'\]\s*=.*)#//!\1\n\\\$CONF['domain_postdeletion_script'] = 'sudo -u vmail /usr/local/bin/postfixadmin-domain-postdeletion.sh';#" \
$pfa_conf_file >> $log_file 2>&1
@@ -2939,9 +3053,9 @@ fi
## - specified database.
## -
## - Now you have to setup Postfix to recognize all these entries. To do so,
## - you must specify database requests (in different files) and load them
## - you must specify database requests (in different files) and load them
## - into Postfix configuration. In particular that are the following files:
## -
## -
## - pgsql_relay-domain-maps.cf
## - pgsql_sender_login_maps.cf
## - pgsql_transport_maps.cf
@@ -3383,7 +3497,7 @@ echononl "\tCreate file '/etc/postfix/${POSTFIX_DB_TYPE}_virtual_alias_address_r
if [ "$POSTFIX_DB_TYPE" = "pgsql" ]; then
cat <<EOF > /etc/postfix/${POSTFIX_DB_TYPE}_virtual_alias_address_rewriting.cf
## - this address rewriting acts as address extension
## - this address rewriting acts as address extension
## - with delimeter "-"
## -
hosts = $POSTFIX_DB_HOST_PGSQL
@@ -3496,6 +3610,26 @@ else
error "$(cat $log_file)"
fi
echononl "\tRestart Apache Webservice.."
if [[ -n "$APACHE_SERVICE_FILE" ]] || [[ -n "$APACHE_INIT_SCRIPT" ]] ; then
if [[ -n "$APACHE_SERVICE_FILE" ]] ; then
systemctl restart $APACHE_SERVICE_FILE > $log_file 2>&1
else
$APACHE_INIT_SCRIPT restart > $log_file 2>&1
fi
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
warn "Neither an init-script nor a service file for 'apache2' webservice found!"
fi
# - Start all PHP FPM engines
# -
if [[ -n "$php_major_versions" ]]; then
@@ -3543,7 +3677,7 @@ fi
echo ""
info "Browse to \033[1mhttp://${WEBSITE_NAME}/setup.php\033[m to create a 'setup password'\n$(cat <<EOF
info "Browse to \033[1mhttps://${WEBSITE_NAME}/setup.php\033[m to create a 'setup password'\n$(cat <<EOF
\t \033[33mIn caes of updating postfix.admin browse this URL and \033[1mlogin with your
\t setup_password\033[m\033[33m, because only after that the database '${POSTFIX_DB_NAME}'
@@ -3555,14 +3689,14 @@ info "Browse to \033[1mhttp://${WEBSITE_NAME}/setup.php\033[m to create a 'setup
\t Instructions on how to do this are pointed out at the setup site, maybe like this:
\t - Generate setup_password hash and set \033[1m$CONF['setup_password']\033[m
\t - Generate setup_password hash and set \033[1m$CONF['setup_password']\033[m
\t in file \033[1mconfig.local.php\033[m as printed out.
\t - Browse to \033[1mhttp://${WEBSITE_NAME}/setup.php\033[m once again to update
\t the database
\t Browse to \033[1mhttp://${WEBSITE_NAME}\033[m and login using an existent admin account
\t Browse to \033[1mhttp://${WEBSITE_NAME}\033[m and login using an existent admin account
\t[ \033[33m\033[1mNotice\033[m ]: \033[1mScroll back to see if all seems to be fine!\033[m
@@ -3616,7 +3750,7 @@ dbname = postfix
query = SELECT quota FROM mailbox WHERE username='%s' AND active = true
EOF
## - add configuration parameter virtual_mailbox_limit_maps
## - add configuration parameter virtual_mailbox_limit_maps
## - in Postfix /etc/postfix/main.cf
## -
## - add:

252
install_update_dovecot.sh
View File

@@ -184,7 +184,7 @@ else
fi
if [[ -z "$systemd_support" ]] ; then
if $SYSTEMD_EXISTS ; then
if $SYSTEMD_EXISTS ; then
systemd_support=true
else
systemd_support=false
@@ -305,7 +305,7 @@ _version_short="${_version%-*}"
#clean_up 0
# 'expire plugin'was rRemoved in version 2.3.14: This plugin is not needed.
# 'expire plugin'was rRemoved in version 2.3.14: This plugin is not needed.
# Use mailbox { autoexpunge } Mailbox settings instead.
#
if [[ $dovecot_major_version -gt 2 ]] \
@@ -362,12 +362,12 @@ if [[ -n "$_update" ]]; then
echo -e "[1] Update"
echo -e "\033[37m\033[1m[2] New Installation\033[m"
fi
echo ""
echo ""
echononl "Choose a number or press <RETURN> for highlighted value: "
else
echo -e "[1] Update"
echo "[2] New Installation"
echo ""
echo ""
echononl "Choose a Number: "
fi
update=""
@@ -392,13 +392,13 @@ while [[ "$update" != "true" && "$update" != "false" ]] ; do
fi
;;
*) update=""
echo ""
echo ""
if [[ -n "$_IS_RELAY_HOST" ]]; then
echo -e "\tWrong entry! [ 1 = Update ; 2 = New Installation ] or type <RETURN>"
else
echo -e "\tWrong entry! [ 1 = Update ; 2 = New Installation ]"
echo -e "\tWrong entry! [ 1 = Update ; 2 = New Installation ]"
fi
echo ""
echo ""
echononl "Reentry: "
;;
esac
@@ -415,7 +415,7 @@ done
clear;
echo ""
if $update ;then
if $update ;then
echo -e "\tUpdate Dovecot................: $update"
else
echo -e "\tInstall Dovecot first time....: Yes"
@@ -507,7 +507,7 @@ export MAKEFLAGS=-j$(expr `grep "^processor" /proc/cpuinfo | sort -u | wc -l` -
echo ""
if $update ;then
if $update ;then
_new=false;
else
_new=true;
@@ -683,7 +683,7 @@ mkdir -p $_log_dir
## -----------------
## --- Download
## --- Download
cd ${_src_base_dir}
@@ -720,7 +720,7 @@ fi
## - Download Pigeonhole for Dovecot v2.2
## -
if [[ ${dovecot_major_version} -eq 2 ]] && [[ ${dovecot_minor_version} -lt 4 ]] ; then
echononl "\tDownload dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
if [ ! -f "${_src_base_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz" ]; then
wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
@@ -730,7 +730,7 @@ if [[ ${dovecot_major_version} -eq 2 ]] && [[ ${dovecot_minor_version} -lt 4 ]]
echo -e "$rc_failed"
error "Direct download of 'dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz' failed
Download \033[1mdovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz\033[m manually
Download \033[1mdovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz\033[m manually
and proceed instllation."
echononl "\tProceed instllation [yes/no]: "
@@ -1071,7 +1071,7 @@ fi
## - if [ -d $checkdir ]; then
## - PATH=$PATH:$checkdir
## - fi
## -
## -
echononl "\tAdd /usr/local/dovecot/bin to PATH variable.."
if ! grep "checkdir=\"/usr/local/dovecot/bin\"" /etc/profile > /dev/null ; then
perl -i -n -p -e "s#^(\s*)(export\ +PATH)#checkdir=\"/usr/local/dovecot/bin\"\nif [ -d \\\$checkdir ]; then\n PATH=\\\$PATH:\\\$checkdir\nfi\n\n\1\2#" /etc/profile
@@ -1166,9 +1166,9 @@ cp -r /usr/local/dovecot-${_version}/share/doc/dovecot/example-config/* \
## - base_dir =/run/dovecot/
## - state_dir = /run/dovecot
## - shutdown_clients = no
## -
## -
## - dict {
## - expire = $db_driver:/usr/local/dovecot/etc/dovecot/sql-dict.conf.ext
## - expire = $db_driver:/usr/local/dovecot/etc/dovecot/sql-dict.conf.ext
## - }
## -
echononl "\tAdjust file dovecot.conf.."
@@ -1253,7 +1253,7 @@ if $_new ; then
echononl "\tCreate table expires in database ${dbname}.."
if $plugin_expire ; then
cat << EOF | psql -U$dbuser $dbname > ${_log_dir}/error.log 2>&1
CREATE TABLE IF NOT EXISTS expires (
username varchar(100) not null,
mailbox varchar(255) not null,
@@ -1395,7 +1395,7 @@ EOF
echononl "\tCreate table expires in database ${dbname}.."
if $plugin_expire ; then
cat << EOF | mysql -u$dbuser -p$dbpassword $dbname > /dev/null 2>&1
CREATE TABLE IF NOT EXISTS expires (
username varchar(100) not null,
mailbox varchar(255) not null,
@@ -1450,7 +1450,7 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# END IF;
# END;
# \$\$ LANGUAGE plpgsql;
#
#
# CREATE TRIGGER mergeexpires BEFORE INSERT ON expires
# FOR EACH ROW EXECUTE PROCEDURE merge_expires();
@@ -1505,7 +1505,7 @@ EOF
echo -e "$rc_failed"
fatal "Creating file sql-dict.conf.ext failed"
fi
fi
fi
else
echo -e "$rc_skipped"
fi
@@ -1519,15 +1519,15 @@ fi
## - default_vsz_limit = 512M
## -
## - !! Bemerkung !!
## -
## - Das Hochsetzen des default_client_limit Parameters auf einen Wert größer
## - als 1024 geht nur dann wenn auch die Anzahl der zulässigen "open files"
## - (default = 1024) geändert wird.
## -
## - Das Hochsetzen des default_client_limit Parameters auf einen Wert größer
## - als 1024 geht nur dann wenn auch die Anzahl der zulässigen "open files"
## - (default = 1024) geändert wird.
## -
## -
## - Systemd System:
## - ===============
## -
## -
## - In der service datei (z.Bsp. /etc/systemd/system/multi-user.target.wants/dovecot.service)
## - den Wert 'LimitNOFILE' hochsetzen:
## -
@@ -1536,15 +1536,15 @@ fi
## - systemctl daemon-reload
## - systemctl restart dovecot.service
## -
## - Im Falle von LX containern muss zusätzlich auf dem hostsystem
## - in der datei '/etc/systemd/system.conf' der Wert für 'DefaultLimitNOFILE'
## - Im Falle von LX containern muss zusätzlich auf dem hostsystem
## - in der datei '/etc/systemd/system.conf' der Wert für 'DefaultLimitNOFILE'
## - hochgesetzt werden.
## -
## - System V systems:
## - =================
## - Das Hochsetzen des default_client_limit Parameters auf einen Wert größer
## - als 1024 geht nur dann wenn auch die Anzahl der zulässigen "open files"
## - (default = 1024) geändert wird. Z.Bsp. in der Datei /etc/init.d/dovecot
## - Das Hochsetzen des default_client_limit Parameters auf einen Wert größer
## - als 1024 geht nur dann wenn auch die Anzahl der zulässigen "open files"
## - (default = 1024) geändert wird. Z.Bsp. in der Datei /etc/init.d/dovecot
## - durch Einfügen der zeile:
## - ulimit -n 32768
## -
@@ -1596,10 +1596,10 @@ fi
## - address = $imaps_listener_adresses
## - ..
## - }
## -
## -
## - process_min_avail = 16
## - }
## -
## -
## - service pop3-login {
## - inet_listener pop3 {
## - address = $pop_listener_adresses
@@ -1678,7 +1678,7 @@ fi
## - permanently on filesystem. So we have to create such a file
## -
## - openssl dhparam -out /etc/postfix/ssl/dh_4096.pem`
## -
## -
if [[ $dovecot_major_version -ge 3 ]] \
|| ( [[ $dovecot_major_version -eq 2 ]] && [[ $dovecot_minor_version -ge 3 ]] ); then
@@ -1687,7 +1687,7 @@ if [[ $dovecot_major_version -ge 3 ]] \
echo -en "$rc_wait"
if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
openssl dhparam -out "$dh_pem_file" 4096 > /dev/null 2>&1
else
else
openssl dhparam -dsaparam -out "$dh_pem_file" 4096 > /dev/null 2>&1
fi
if [[ $? -eq 0 ]]; then
@@ -1784,7 +1784,7 @@ fi
## - edit /usr/local/dovecot/etc/dovecot/conf.d/10-mail.conf
## -
## -
## - mail_location = maildir:/var/vmail/%d/%n/Maildir
## -
## - mail_uid = vmail
@@ -1794,7 +1794,7 @@ fi
## - last_valid_uid = 5000
## -
## - mail_temp_dir = /var/vmail/tmp
## -
## -
## - first_valid_gid = 5000
## - last_valid_gid = 5000
## -
@@ -1842,7 +1842,7 @@ else
echo -e "$rc_failed"
fatal "Adjusting file '10-mail.conf' failed"
fi
echononl "\tCreate TEMP directory '/var/vmail/tmp' .."
@@ -1937,7 +1937,7 @@ fi
## -
## - Add namespaces type private
## -
## - Add:
## - Add:
## - namespace inbox {
## - type = private
## - separator = /
@@ -1957,7 +1957,7 @@ namespace inbox {
# Hierarchy separator to use. You should use the same separator for all
# namespaces or some clients get confused. '/' is usually a good one.
# The default however depends on the underlying mail storage format.
#separator =
#separator =
separator = /
# Prefix required to access this namespace. This needs to be different for
@@ -2007,12 +2007,12 @@ fi
## - auto = subscribe
## - special_use = \Drafts
## - }
## -
## -
## - mailbox Trash {
## - auto = subscribe
## - special_use = \Trash
## - }
## -
## -
## - mailbox Sent {
## - auto = subscribe
## - special_use = \Sent
@@ -2072,7 +2072,7 @@ fi
## -
## - disable_plaintext_auth = no
## - auth_mechanisms = $auth_mechanisms
## - !include auth-sql.conf.ext # comment all other includes
## - !include auth-sql.conf.ext # comment all other includes
## - auth_username_translation = "%@"
## -
_failed=false
@@ -2101,14 +2101,14 @@ fi
## -
## - passdb {
## - driver = sql
## -
## -
## -
## -
## - # path for sql configuration file, see example-config/dovecot-sql.conf.ext
## - args = /usr/local/dovecot/etc/dovecot/sql-connect.conf.ext
## - }
## -
## -
## - ..
## -
## -
## - userdb {
## - driver = sql
## - args = /usr/local/dovecot/etc/dovecot/sql-connect.conf.ext
@@ -2194,14 +2194,14 @@ fi
## - if running inetd-script:
## -
## - log_path = /var/log/dovecot/dovecot.log
## -
## -
## - or for example
## -
## - log_path = syslog
## - syslog_facility = local1
## - auth_verbose = yes
## - auth_verbose_passwords = plain
## -
## -
## - in conjunction with the the following entries in /etc/rsyslog.conf
## -
## - local1.* -/var/log/dovecot.log
@@ -2310,7 +2310,7 @@ fi
## - hostname = $hostname
## - sendmail_path = /usr/sbin/sendmail
## - lda_mailbox_autocreate = no
## - mail_plugins = $mail_plugins sieve
## - mail_plugins = $mail_plugins sieve
## -
_failed=false
echononl "\tAdjusting file 15-lda.conf"
@@ -2406,7 +2406,7 @@ fi
## - edit /usr/local/dovecot/etc/dovecot/conf.d/90-plugin.conf
## -
## - Note:
## - Setting "autocreate", "autosubscribe" here is depricated. Use mailbox { auto } setting instead.
## - Setting "autocreate", "autosubscribe" here is depricated. Use mailbox { auto } setting instead.
## -
## - expire = Trash
## - expire2 = Trash/*
@@ -2419,7 +2419,7 @@ fi
## - # it's better to enable it only after you've verified that the expire plugin is
## - # working as wanted. (v2.2.16+)
## - expire_cache = yes
## -
## -
_failed=false
echononl "\tAdjusting file 90-plugin.conf"
if $plugin_expire ; then
@@ -2483,7 +2483,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
cat <<EOF >> "$_tmp_file"
# Add Setting 'sieve_vacation_send_from_recipient' from (included)
# Add Setting 'sieve_vacation_send_from_recipient' from (included)
#
# Pigeonhole Sieve: Vacation Extension
# ====================================
@@ -2563,7 +2563,7 @@ else
fi
## - NOTICE: if you pre-compile your (global) scripts, you will increase
## - NOTICE: if you pre-compile your (global) scripts, you will increase
## - performance
## -
echononl "\tPrecompile global sieve script"
@@ -2597,12 +2597,14 @@ chown -R vmail:vmail /usr/local/dovecot-${_version}/etc/dovecot/sieve
if $systemd_support; then
_folder_created=false
## - # - At time, we don't use private tmp directory for divecot.
## - # -
## - echononl "\tAdjust Systemd service file, set PrivateTmp=false.."
## - if [[ -f "/etc/systemd/system/dovecot.service" ]] ; then
## -
## - if $(grep -o -E "PrivateTmp\s*=\s*[^[:blank:]]+" /etc/systemd/system/dovecot.service | grep -q true 2> /dev/null ) ; then
## -
## - if $(grep -o -E "PrivateTmp\s*=\s*[^[:blank:]]+" /etc/systemd/system/dovecot.service | grep -q true 2> /dev/null ) ; then
## - perl -i -n -p -e "s/(PrivateTmp\s*=\s*)true/\1false/" /etc/systemd/system/dovecot.service
## - if [[ $? -eq 0 ]]; then
## - echo -e "$rc_done"
@@ -2620,9 +2622,16 @@ if $systemd_support; then
## -
## - here:
## - LimitNOFILE=32768
## -
if [[ -f "/lib/systemd/system/dovecot.service" ]] \
&& $(grep -q -E "^LimitNOFILE=" /lib/systemd/system/dovecot.service) ; then
## -
## - zwei Bemerkungen:
## - - keine runden Klammern notwendig, da die bash '&&' vor '||' auswertet
## - - hier auch keine backslah '\' am ende der zeile notwendig, da statement
## - offensichtlich noch nichzt abgeschlossen ist (die bash erkennt das)
## -
if [[ -f /lib/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*LimitNOFILE=' /lib/systemd/system/dovecot.service ||
[[ -f /etc/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*LimitNOFILE=' /etc/systemd/system/dovecot.service ; then
_LimitNOFILE="$(grep -E "^LimitNOFILE=[[:digit:]]+" /lib/systemd/system/dovecot.service | cut -d'=' -f2)"
@@ -2638,6 +2647,7 @@ if $systemd_support; then
mkdir "/etc/systemd/system/dovecot.service.d" > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo -e "$rc_done"
_folder_created=true
else
echo -e "$rc_failed"
adjust_limit_nofile=false
@@ -2656,8 +2666,54 @@ LimitNOFILE=$service_limit_nofile
EOF
echo -e "$rc_done"
fi
fi
## - Adjust systemd hardening:
## -
## - Options such as ProtectSystem=full/strict make the service's mount namespace,
## - including /usr (and thus /usr/local/dovecote/..), read-only, even though it is w
## - ritable outside the service.
## -
## - However, we would like to allow dovecot to write to the directory
## - /usr/local/dovecot/etc/dovecot/sieve/.
## -
## - ProtectSystem=off
## -
## - zwei Bemerkungen:
## - - keine runden Klammern notwendig, da die bash '&&' vor '||' auswertet
## - - hier auch keine backslah '\' am ende der zeile notwendig, da statement
## - offensichtlich noch nichzt abgeschlossen ist (die bash erkennt das)
## -
if [[ -f /lib/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*ProtectSystem=' /lib/systemd/system/dovecot.service ||
[[ -f /etc/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*ProtectSystem=' /etc/systemd/system/dovecot.service ; then
if ! ${_folder_created} ; then
echononl "\tCreate Directory '/etc/systemd/system/dovecot.service.d'.."
if [[ -d "/etc/systemd/system/dovecot.service.d" ]] ; then
echo -e "$rc_skipped"
else
mkdir "/etc/systemd/system/dovecot.service.d" > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo -e "$rc_done"
else
echo -e "$rc_failed"
fi
fi
fi
echononl "\tSet 'ProtectSystem=off' for 'dovecot.service'.."
cat <<EOF > /etc/systemd/system/dovecot.service.d/systemd-hardening.conf
[Service]
ProtectSystem=off
EOF
echo -e "$rc_done"
fi
echononl "\tReload systemd .."
systemctl daemon-reload > /dev/null 2>&1
@@ -2692,7 +2748,7 @@ else
fi
fi
if $_new ; then
@@ -2707,7 +2763,7 @@ if $_new ; then
## - running dovecot service via init-script
## -
cat <<EOF > /etc/init.d/dovecot
#! /bin/sh
#! /bin/sh
### BEGIN INIT INFO
# Provides: dovecot
# Required-Start: \$syslog \$postgresql
@@ -2899,7 +2955,7 @@ EOF
echo -e "$rc_failed"
fatal "Creating init script for dovecot failed"
fi
chmod 755 /etc/init.d/dovecot
else
@@ -2910,7 +2966,7 @@ EOF
fi
## - Add a cronjob to restart dovecot after booting the system.
## -
## -
## - Notice:
## - On normal start, dovecot started its service even if ipv6 is not
## - yet present and dovecot cannot bind to ipv6 listeners.
@@ -2964,10 +3020,10 @@ EOF
## - add/uncomment:
## -
## - smtpd_tls_auth_only
## -
## -
## - smtpd_sasl_type = dovecot
## - smtpd_sasl_path = private/dovecot-auth
## -
## -
## - virtual_transport = dovecot
## - dovecot_destination_recipient_limit = 1
## -
@@ -3172,22 +3228,22 @@ echo -e "\033[1mConfigure quota support for dovecot\033[m"
## - take care quota plugins (quota,imap-quota) will
## - be loaded:
## -
## -
## - there are two quota related plugins:
## -
## -
## - * quota: implements the actual quota handling and includes also all the quota backends.
## - * imap_quota: for reporting quota information via imap.
## -
## - * imap_quota: for reporting quota information via imap.
## -
## - enable them in configuration files, e.g.:
## -
## -
## - conf.d/10-mail.conf:
## -
## -
## - # space separated list of plugins to load for all services. plugins specific to
## - # imap, lda, etc. are added to this list in their own .conf files.
## - mail_plugins = $mail_plugins quota
## -
## -
## - conf.d/20-imap.conf:
## -
## -
## - protocol imap {
## - # space separated list of plugins to load (default is global mail_plugins).
## - mail_plugins = $mail_plugins imap_quota
@@ -3222,7 +3278,7 @@ fi
## - edit /usr/local/dovecot/etc/dovecot/dovecot.conf
## -
## -
## - add:
## -
## - dict {
@@ -3369,7 +3425,7 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# END IF;
# return NEW;
# END IF;
#
#
# LOOP
# UPDATE quota2 SET bytes = bytes + NEW.bytes,
# messages = messages + NEW.messages
@@ -3377,7 +3433,7 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# IF found THEN
# RETURN NULL;
# END IF;
#
#
# BEGIN
# IF NEW.messages = 0 THEN
# INSERT INTO quota2 (bytes, messages, username) VALUES (NEW.bytes, NULL, NEW.username);
@@ -3391,10 +3447,10 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# END LOOP;
# END;
# \$\$;
#
#
#
#
# ALTER FUNCTION public.merge_quota2() OWNER TO postfix;
#
#
# CREATE TRIGGER mergequota2
# BEFORE INSERT ON quota2
# FOR EACH ROW
@@ -3444,7 +3500,7 @@ EOF
# END IF;
# END;
# \$\$ LANGUAGE plpgsql;
#
#
# CREATE TRIGGER mergeexpires BEFORE INSERT ON expires
# FOR EACH ROW EXECUTE PROCEDURE merge_expires();
@@ -3473,7 +3529,7 @@ EOF
fi
## - you also have to update the userdb's query in file
## - "/usr/local/dovecot/etc/dovecot/sql-connect.conf.ext" to
## - "/usr/local/dovecot/etc/dovecot/sql-connect.conf.ext" to
## - support extra variable "quota_rule"
## -
echononl "\tRenew file sql-connect.conf.ext"
@@ -3570,7 +3626,7 @@ EOF
fi
## - you also have to update the userdb's query in file
## - "/usr/local/dovecot/etc/dovecot/sql-connect.conf.ext" to
## - "/usr/local/dovecot/etc/dovecot/sql-connect.conf.ext" to
## - support extra variable "quota_rule"
## -
echononl "\tRenew file sql-connect.conf.ext"
@@ -3697,20 +3753,20 @@ fi
## - edit /usr/local/dovecot/etc/dovecot/conf.d/90-quota.conf
## -
## -
## - add to the end of file or in seperate plugin-blocks
## - as designed in that file:
## - plugin {
## - # sql backend:
## - quota = dict:user quota::proxy::quota
## -
## -
## - quota_rule = *:storage=1g
## - quota_rule2 = trash:storage=+100m
## -
## - quota_warning = storage=80%% quota-warning 80 %u
## - quota_warning2 = storage=95%% quota-warning 95 %u
## - }
## -
## -
## - service quota-warning {
## - executable = script /usr/local/bin/quota-warning.sh
## - user = vmail
@@ -3725,7 +3781,7 @@ cp -a /usr/local/dovecot-${_version}/etc/dovecot/conf.d/90-quota.conf \
/usr/local/dovecot-${_version}/etc/dovecot/conf.d/90-quota.conf.ORIG
cat <<EOF >>/usr/local/dovecot-${_version}/etc/dovecot/conf.d/90-quota.conf
## -
## -
plugin {
# SQL backend:
quota = dict:User quota::proxy::quota
@@ -3832,7 +3888,7 @@ fi
## - edit /usr/local/dovecot/etc/dovecot/conf.d/10-mail.conf
## -
## - Add namespaces type shared to 10-mail.conf
## - Take care to enable ACL plugin also, otherwise all users can access all the shared
## - Take care to enable ACL plugin also, otherwise all users can access all the shared
## - mailboxes, assuming they have permissions on filesystem level to do so.
## - we will do that later..
## - namespace {
@@ -3894,7 +3950,7 @@ else
fi
## - edit /usr/local/dovecot/etc/dovecot/conf.d/10-mail.conf
## -
## -
## - mail_plugins = quota expire acl
## -
_failed=false
@@ -3961,7 +4017,7 @@ fi
## -
## - plugin {
## - ## acl = vfile:/etc/dovecot/global-acls:cache_secs=300
## -
## -
## - # Without global ACLs:
## - acl = vfile
## - ..
@@ -4094,8 +4150,8 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
## - NOTE:
## -
## - All changes on database (CREATE TABLE / CREATE TRIGGER / what else..)
## - need to be done as the dbuser (here postfix) under whom dovecot
## - accesses the database. If not, you have to change the permissiond to allow
## - need to be done as the dbuser (here postfix) under whom dovecot
## - accesses the database. If not, you have to change the permissiond to allow
## - dovecot dbuser to access the createt table/trigger/...
## -
@@ -4125,7 +4181,7 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# END IF;
# return NEW;
# END IF;
#
#
# LOOP
# UPDATE quota2 SET bytes = bytes + NEW.bytes,
# messages = messages + NEW.messages
@@ -4133,7 +4189,7 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# IF found THEN
# RETURN NULL;
# END IF;
#
#
# BEGIN
# IF NEW.messages = 0 THEN
# INSERT INTO quota2 (bytes, messages, username) VALUES (NEW.bytes, NULL, NEW.username);
@@ -4147,10 +4203,10 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# END LOOP;
# END;
# \$\$;
#
#
#
#
# ALTER FUNCTION public.merge_quota2() OWNER TO postfix;
#
#
# CREATE TRIGGER mergequota2
# BEFORE INSERT ON quota2
# FOR EACH ROW
@@ -4200,7 +4256,7 @@ EOF
# END IF;
# END;
# \$\$ LANGUAGE plpgsql;
#
#
# CREATE TRIGGER mergeexpires BEFORE INSERT ON expires
# FOR EACH ROW EXECUTE PROCEDURE merge_expires();
@@ -4230,7 +4286,7 @@ EOF
# primary key (from_user, to_user)
# );
# COMMENT ON TABLE user_shares IS 'User from_user shares folders to user to_user.';
#
#
# CREATE TABLE anyone_shares (
# from_user varchar(100) not null,
# dummy char(1) DEFAULT '1', -- always '1' currently
@@ -4336,7 +4392,7 @@ EOF
# dummy char(1) DEFAULT '1', -- always '1' currently
# primary key (from_user, to_user)
# ) COMMENT = 'User from_user shares folders to user to_user.';
#
#
# CREATE TABLE anyone_shares (
# from_user varchar(100) not null,
# dummy char(1) DEFAULT '1', -- always '1' currently
@@ -4576,7 +4632,7 @@ fi
blank_line
echononl "\tSet '_update=true' in file '$(basename "$conf_file")'.."
if grep -q -E "^\s*_update=false" "$conf_file" 2> /dev/null ; then
perl -i -n -p -e "s/^\s*_update=.*/_update=true/" "$conf_file"
perl -i -n -p -e "s/^\s*_update=.*/_update=true/" "$conf_file"
if [ "$?" = 0 ]; then
echo -e "$rc_done"
else

40
set-policyd-spf-config-for-listserver.sh Executable file
View File

@@ -0,0 +1,40 @@
#!/usr/bin/env bash
set -euo pipefail
CONF="/etc/postfix-policyd-spf-python/policyd-spf.conf"
BACKUP="${CONF}.$(date +%Y%m%d-%H%M%S).bak"
if [[ ! -f "$CONF" ]]; then
echo "ERROR: Config not found: $CONF" >&2
exit 1
fi
cp -a -- "$CONF" "$BACKUP"
ensure_kv() {
local key="$1"
local value="$2"
# Prüfen ob es eine AKTIVE (nicht auskommentierte) Zeile gibt
if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$CONF"; then
# Nur erste aktive Zeile ersetzen
sed -ri "0,/^[[:space:]]*${key}[[:space:]]*=.*/s//${key} = ${value}/" "$CONF"
else
# Anfügen mit Leerzeile + Kommentar
cat >>"$CONF" <<EOF
# --- Mailinglist-friendly SPF policy (added by script) ---
${key} = ${value}
EOF
fi
}
ensure_kv "HELO_reject" "False"
ensure_kv "Mail_From_reject" "False"
ensure_kv "PermError_reject" "False"
ensure_kv "TempError_Defer" "True"
echo "Updated: $CONF"
echo "Backup : $BACKUP"
exit

285
set_amavis_local_domains_maps.sh Executable file
View File

@@ -0,0 +1,285 @@
#!/usr/bin/env bash
# amavis-local-domains-auto.sh
#
# Zweck
# -----
# Ersetzt in /etc/amavis/conf.d/50-user die lokale Domains-Definition
#
# @local_domains_maps = ( ["."] );
#
# durch eine dynamische Definition, die aus der (effektiv aktiven) Postfix-
# Konfiguration ermittelt wird (pgsql oder mysql). Damit werden Spam-Header
# nur für Domains geschrieben, die Postfix tatsächlich als "lokal/relay" kennt.
#
# WICHTIG:
# - Das Skript ändert NUR dann etwas, wenn die Zeile exakt ( ["."] ); ist.
# - Backups werden IMMER nach /etc/amavis/ geschrieben (nicht neben die Datei).
# - DB-Typ wird automatisch aus "postconf -n" erkannt (robust inkl. includes).
#
# Features
# --------
# - Auto-Detect Backend: pgsql | mysql (aus Postfix-Maps)
# - Optionaler Fallback: wenn DB nicht erkennbar, dann auf ( ["."] ); setzen
# (standardmäßig AUS, weil produktiver Betrieb)
# - Dry-run Modus
# - Optional reload/restart von amavis
# - Atomare Aktualisierung (schreibt erst tmp, dann mv)
#
# Nutzung
# -------
# sudo ./amavis-local-domains-auto.sh --dry-run
# sudo ./amavis-local-domains-auto.sh --apply --reload
# sudo ./amavis-local-domains-auto.sh --apply --restart
#
# Optional:
# sudo ./amavis-local-domains-auto.sh --apply --allow-fallback-all
#
set -euo pipefail
# ----------------------------
# Konfigurierbare Pfade
# ----------------------------
AMAVIS_50="${AMAVIS_50:-/etc/amavis/conf.d/50-user}"
# Backup-Verzeichnis (gewünscht: /etc/amavis/)
BACKUP_DIR="${BACKUP_DIR:-/etc/amavis}"
# Optional: Dateimap für relay_domains (falls vorhanden)
RELAY_BTREE_DEFAULT="/etc/postfix/relay_domains"
# ----------------------------
# Schalter / Optionen
# ----------------------------
DO_APPLY=false
DO_DRY_RUN=false
DO_RESTART=false
DO_RELOAD=false
ALLOW_FALLBACK_ALL=false
# Optional overrides
HOST_FQDN_OVERRIDE=""
RELAY_BTREE_OVERRIDE=""
usage() {
cat <<'EOF'
Usage:
amavis-local-domains-auto.sh [OPTIONS]
Options:
--dry-run Show what would change, do not modify files
--apply Apply change (only if @local_domains_maps is exactly ( ["."] );)
--restart Restart amavis after apply
--reload Reload amavis after apply (preferred if supported)
--allow-fallback-all If DB backend not detectable, replace with ( ["."] ); anyway
(default: fail safely / do nothing)
--host-fqdn FQDN Override hostname -f used in the block
--relay-btree PATH Override btree file path (default: /etc/postfix/relay_domains)
-h, --help Show this help
Examples:
sudo ./amavis-local-domains-auto.sh --dry-run
sudo ./amavis-local-domains-auto.sh --apply --reload
EOF
}
die(){ echo "ERROR: $*" >&2; exit 1; }
log(){ echo "INFO: $*" >&2; }
# ----------------------------
# Argumente parsen
# ----------------------------
while [[ $# -gt 0 ]]; do
case "$1" in
--dry-run) DO_DRY_RUN=true; shift ;;
--apply) DO_APPLY=true; shift ;;
--restart) DO_RESTART=true; shift ;;
--reload) DO_RELOAD=true; shift ;;
--allow-fallback-all) ALLOW_FALLBACK_ALL=true; shift ;;
--host-fqdn) HOST_FQDN_OVERRIDE="${2:-}"; shift 2 ;;
--relay-btree) RELAY_BTREE_OVERRIDE="${2:-}"; shift 2 ;;
-h|--help) usage; exit 0 ;;
*) die "Unknown option: $1" ;;
esac
done
if ! $DO_DRY_RUN && ! $DO_APPLY; then
die "Choose one: --dry-run or --apply"
fi
if $DO_RESTART && $DO_RELOAD; then
die "Choose only one: --restart or --reload"
fi
# ----------------------------
# Sanity Checks
# ----------------------------
command -v postconf >/dev/null || die "postconf not found"
[[ -r "$AMAVIS_50" ]] || die "Missing $AMAVIS_50"
[[ -d "$BACKUP_DIR" ]] || die "Backup dir missing: $BACKUP_DIR"
[[ -w "$BACKUP_DIR" ]] || die "Backup dir not writable: $BACKUP_DIR"
HOST_FQDN="${HOST_FQDN_OVERRIDE:-$(hostname -f 2>/dev/null || hostname)}"
RELAY_BTREE="${RELAY_BTREE_OVERRIDE:-$RELAY_BTREE_DEFAULT}"
# Regex: exakt @local_domains_maps = ( ["."] );
DOTLINE_REGEX='^[[:space:]]*@local_domains_maps[[:space:]]*=[[:space:]]*\([[:space:]]*\[[[:space:]]*"\."[[:space:]]*\][[:space:]]*\)[[:space:]]*;[[:space:]]*$'
if ! grep -qE "$DOTLINE_REGEX" "$AMAVIS_50"; then
log "No change: @local_domains_maps is not exactly ( [\".\"] );"
exit 0
fi
# ----------------------------
# DB-Typ + Map-Dateien aus Postfix ermitteln
# (postconf -n berücksichtigt includes, master.d, etc.)
# ----------------------------
VMD_LINE="$(postconf -n virtual_mailbox_domains 2>/dev/null || true)"
RD_LINE="$(postconf -n relay_domains 2>/dev/null || true)"
extract_db_map() {
# Findet den ersten Token, der :pgsql: oder :mysql: enthält
# und gibt "scheme|/path/to/map.cf" aus.
local line="$1"
for tok in $line; do
tok="${tok%,}"
if [[ "$tok" == *":pgsql:"* ]]; then
echo "pgsql|${tok##*:pgsql:}"
return 0
elif [[ "$tok" == *":mysql:"* ]]; then
echo "mysql|${tok##*:mysql:}"
return 0
fi
done
return 1
}
DB_SCHEME=""
VDOM_CF=""
RELAY_CF=""
if out="$(extract_db_map "$VMD_LINE")"; then
DB_SCHEME="${out%%|*}"
VDOM_CF="${out##*|}"
else
if $ALLOW_FALLBACK_ALL; then
DB_SCHEME="all"
else
die "Could not detect pgsql/mysql from postfix virtual_mailbox_domains. Use --allow-fallback-all to force."
fi
fi
if [[ "$DB_SCHEME" != "all" ]]; then
if out="$(extract_db_map "$RD_LINE")"; then
rd_scheme="${out%%|*}"
rd_cf="${out##*|}"
if [[ "$rd_scheme" == "$DB_SCHEME" ]]; then
RELAY_CF="$rd_cf"
fi
fi
[[ -r "$VDOM_CF" ]] || die "Detected map not readable: $VDOM_CF"
if [[ -n "$RELAY_CF" ]]; then
[[ -r "$RELAY_CF" ]] || die "Detected relay map not readable: $RELAY_CF"
fi
fi
# ----------------------------
# Replacement-Block bauen (in temp Datei)
# ----------------------------
TMPDIR="$(mktemp -d)"
trap 'rm -rf "$TMPDIR"' EXIT
BLOCKFILE="$TMPDIR/block.txt"
if [[ "$DB_SCHEME" == "all" ]]; then
cat >"$BLOCKFILE" <<'EOF'
@local_domains_maps = ( ["."] );
EOF
else
{
echo "@local_domains_maps = ("
echo " [qw(${HOST_FQDN} localhost)],"
echo ""
echo " # Domains, die als virtuelle Mailbox-Domains gehostet sind:"
echo " '${DB_SCHEME}:${VDOM_CF}',"
if [[ -n "$RELAY_CF" ]]; then
echo ""
echo " # Domains, die als relay_domains akzeptiert werden:"
echo " '${DB_SCHEME}:${RELAY_CF}',"
else
echo ""
echo " # relay_domains DB-map nicht erkannt wird übersprungen"
fi
echo " 'btree:${RELAY_BTREE}',"
echo ");"
} >"$BLOCKFILE"
fi
# ----------------------------
# Geplante Änderung anzeigen
# ----------------------------
log "Detected backend: ${DB_SCHEME}"
if [[ "$DB_SCHEME" != "all" ]]; then
log "virtual_mailbox_domains map: ${DB_SCHEME}:${VDOM_CF}"
if [[ -n "$RELAY_CF" ]]; then
log "relay_domains map: ${DB_SCHEME}:${RELAY_CF}"
else
log "relay_domains map: (not detected / not used)"
fi
log "btree relay domains: btree:${RELAY_BTREE}"
fi
if $DO_DRY_RUN; then
echo "----- Would replace this line in $AMAVIS_50 -----"
echo '@local_domains_maps = ( ["."] );'
echo "----- With this block -----"
cat "$BLOCKFILE"
exit 0
fi
# ----------------------------
# Backup in /etc/amavis/ erstellen
# ----------------------------
STAMP="$(date +%F_%H%M%S)"
BACKUP_FILE="${BACKUP_DIR}/50-user.bak.${STAMP}"
cp -a "$AMAVIS_50" "$BACKUP_FILE"
log "Backup created: $BACKUP_FILE"
# ----------------------------
# Datei neu schreiben (atomar)
# - Wir ersetzen nur die exakt passende (["."]) Zeile durch den neuen Block.
# ----------------------------
OUTFILE="$TMPDIR/50-user.new"
awk -v blockfile="$BLOCKFILE" '
BEGIN {
while ((getline line < blockfile) > 0) {
newblock = newblock line "\n"
}
close(blockfile)
}
{
if ($0 ~ /^[[:space:]]*@local_domains_maps[[:space:]]*=[[:space:]]*\([[:space:]]*\[[[:space:]]*"\."[[:space:]]*\][[:space:]]*\)[[:space:]]*;[[:space:]]*$/) {
printf "%s", newblock
} else {
print
}
}
' "$AMAVIS_50" > "$OUTFILE"
mv "$OUTFILE" "$AMAVIS_50"
log "Updated $AMAVIS_50"
# ----------------------------
# Optionaler Reload/Restart von amavis
# ----------------------------
if $DO_RELOAD; then
log "Reloading amavis..."
systemctl reload amavis || die "amavis reload failed"
elif $DO_RESTART; then
log "Restarting amavis..."
systemctl restart amavis || die "amavis restart failed"
else
log "No service action requested (--reload/--restart)."
fi
log "Done."