install/mailsystem
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: install:8dc105be6811c5da1512d17a4f91d7397e57e3c4
Branches Tags
install:master
...
compare: install:master
Branches Tags
install:master

17 Commits
8dc105be68 ... master

Author SHA1 Message Date
Christoph
b99844c1b5 install_postfixadmin.sh: remove space.. 2026-02-18 18:53:38 +01:00
Christoph
691c34fa18 Merge branch 'master' of https://git.oopen.de/install/mailsystem 2026-02-18 18:48:01 +01:00
Christoph
1ca6031fea install_postfixadmin.sh: fix error determin PFA configuration file. 2026-02-18 18:47:25 +01:00
Christoph
8234254094 Merge branch 'master' of git.oopen.de:install/mailsystem 2026-02-18 12:38:47 +01:00
Christoph
afff836253 install_postfix_advanced.sh: comment entries '127.0.0.1:10040_time_limit=3600' and 'policyd-spf_time_limit=3600'. 2026-02-18 12:38:33 +01:00
Christoph
7c05201520 install_postfix_advanced.sh: some changes of 'main.cf' in case of relay host only. 2026-02-18 01:48:45 +01:00
Christoph
0674fb1231 install_amavis.sh: fix entering procedure of variable 'SASL_AUTH_ENABLED'. 2026-02-18 01:33:55 +01:00
Christoph
32980f67de install_postfix_advanced.sh: fix handling of additional smtp port. 2026-02-18 01:32:08 +01:00
Christoph
7b9a6f52ca install_postfix_advanced.sh: add support for parameter 'smtpd_tls_eccert_file'. 2026-02-16 14:38:21 +01:00
Christoph
5a8280b767 install_amavis.sh: in any case, IS_SYMPA_LIST_SERVER must be set to false except server ist a sympa listmanager. 2026-02-16 14:01:12 +01:00
Christoph
7c99515e72 install_postfix_advanced.sh: some minor changes. 2026-02-16 13:32:21 +01:00
Christoph Kuchenbuch
ef963e89fc install_amavis.sh: separate amavis inbound (port 10024) amd outbound (10029) in case of sympa listserver or 'only relay' server. 2026-02-16 00:17:56 +01:00
Christoph Kuchenbuch
654e5738d4 install_postfix_advanced.sh: fix error - forgot 'fi'.. 2026-02-16 00:15:57 +01:00
Christoph Kuchenbuch
6356876ab6 Change some settings, if Server is a listserver. 2026-02-15 14:37:19 +01:00
Christoph Kuchenbuch
ee892a6b33 Add script 'set-policyd-spf-config-for-listserver.sh' - More relaxed settings for Listenserver. 2026-02-15 14:36:21 +01:00
Christoph
7741803f71 install_amavis.sh: fix some error writing file '50-user'. 2026-02-13 23:46:22 +01:00
Christoph
da1867ef91 install_amavis.sh: some minor changes.. 2026-02-13 22:47:16 +01:00
6 changed files with 416 additions and 193 deletions
Expand all files Collapse all files

184
install_amavis.sh
View File

@@ -110,7 +110,8 @@ detect_os_1 () {
# --- Some default settings
# -------------
DEFAULT_SASL_AUTH_ENABLED="no"
DEFAULT_SASL_AUTH_ENABLED=false
DEFAULT_IS_SYMPA_LIST_SERVER=false
DEFAULT_QUARANTINE_DIR="/var/QUARANTINE"
DEFAULT_QUARANTINE_ADMIN='postmaster\@$mydomain'
@@ -187,7 +188,9 @@ if [[ -z "$_HOSTNAME" ]] ; then
[[ "$_HOSTNAME" = "$_HOSTNAME_SHORT" ]] && _HOSTNAME=""
fi
[[ -z "$_SASL_AUTH_ENABLED" ]] && _SASL_AUTH_ENABLED="$DEFAULT_SASL_AUTH_ENABLED"
[[ -z "$_SASL_AUTH_ENABLED" ]] && _SASL_AUTH_ENABLED=${DEFAULT_SASL_AUTH_ENABLED}
[[ -z "${_IS_SYMPA_LIST_SERVER}" ]] && _IS_SYMPA_LIST_SERVER=${DEFAULT_IS_SYMPA_LIST_SERVER}
[[ -z "$_QUARANTINE_DIR" ]] && _QUARANTINE_DIR="$DEFAULT_QUARANTINE_DIR"
@@ -375,9 +378,12 @@ SASL_AUTH_ENABLED=
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Should this mail server support Cyrus SASL authentication?"
echo "Should this mail server support Cyrus SASL authentication? [true/yes/false/no]"
echo ""
while [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]];do
while [[ "$SASL_AUTH_ENABLED" != "yes" &&
"$SASL_AUTH_ENABLED" != "true" &&
"$SASL_AUTH_ENABLED" != "no" &&
"$SASL_AUTH_ENABLED" != "false" ]];do
if [[ -n "$_SASL_AUTH_ENABLED" ]]; then
echononl "Support Cyrus SASL authentication [${_SASL_AUTH_ENABLED}]: "
@@ -390,13 +396,62 @@ while [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]];do
SASL_AUTH_ENABLED=${SASL_AUTH_ENABLED,,}
fi
if [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]] ; then
_SASL_AUTH_ENABLED=""
[[ -z "${SASL_AUTH_ENABLED}" ]] && SASL_AUTH_ENABLED=${_SASL_AUTH_ENABLED}
if [[ "$SASL_AUTH_ENABLED" != "yes" &&
"$SASL_AUTH_ENABLED" != "true" &&
"$SASL_AUTH_ENABLED" != "false" &&
"$SASL_AUTH_ENABLED" != "no" ]] ; then
SASL_AUTH_ENABLED=""
echo -e "\n\t\033[33m\033[1mWrong entry!\033[m\n Type 'yes' or 'no'"
fi
done
[[ "$SASL_AUTH_ENABLED" = "yes" ]] && SASL_AUTH_ENABLED=true
[[ "$SASL_AUTH_ENABLED" = "no" ]] && SASL_AUTH_ENABLED=false
if ! ${SASL_AUTH_ENABLED} ; then
IS_SYMPA_LIST_SERVER=""
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Are Sympa List Services provided? - [true/yes/false/no]"
echo ""
echononl "Sympa List Server? [$_IS_SYMPA_LIST_SERVER]: "
read IS_SYMPA_LIST_SERVER
if [[ -z "${IS_SYMPA_LIST_SERVER}" ]] ; then
IS_SYMPA_LIST_SERVER="$_IS_SYMPA_LIST_SERVER"
fi
IS_SYMPA_LIST_SERVER=${IS_SYMPA_LIST_SERVER,,}
while [[ "$IS_SYMPA_LIST_SERVER" != "yes" && \
"$IS_SYMPA_LIST_SERVER" != "true" && \
"$IS_SYMPA_LIST_SERVER" != "no" && \
"$IS_SYMPA_LIST_SERVER" != "false" ]]; do
echo -e "\n\t\033[33m\033[1mWrong value was given!!\033[m\n"
echononl "Sympa List Server? [$_IS_SYMPA_LIST_SERVER]: "
read IS_SYMPA_LIST_SERVER
if [[ -z "${IS_SYMPA_LIST_SERVER}" ]] ; then
IS_SYMPA_LIST_SERVER=false
fi
IS_SYMPA_LIST_SERVER=${IS_SYMPA_LIST_SERVER,,}
done
if [[ "$IS_SYMPA_LIST_SERVER" = 'yes' || "$IS_SYMPA_LIST_SERVER" = 'true' ]] ; then
IS_SYMPA_LIST_SERVER=true
else
IS_SYMPA_LIST_SERVER=false
fi
else
IS_SYMPA_LIST_SERVER=false
fi
echo ""
@@ -704,7 +759,6 @@ else
fi
if ! $DB_IN_USE ; then
echo -e "[3] \033[37m\033[1mSkip (No Database in use)\033[m"
_DB_TYPE="None"
else
echo "[3] Skip (No Database in use)"
fi
@@ -855,6 +909,7 @@ echo -e "\tIPv4 address...........................: $IPV4"
echo -e "\tIPv6 address...........................: $IPV6"
echo ""
echo -e "\tSASL AUTH support......................: $SASL_AUTH_ENABLED"
echo -e "\tSupport sympa mailinglists.............: ${IS_SYMPA_LIST_SERVER}"
echo ""
echo -e "\tQuarantine Directory ..................: $QUARANTINE_DIR"
echo ""
@@ -906,6 +961,7 @@ _IPV4=$IPV4
_IPV6=$IPV6
_SASL_AUTH_ENABLED=$SASL_AUTH_ENABLED
_IS_SYMPA_LIST_SERVER=${IS_SYMPA_LIST_SERVER}
_QUARANTINE_DIR=$QUARANTINE_DIR
_QUARANTINE_ADMIN=$QUARANTINE_ADMIN
@@ -4210,10 +4266,49 @@ use strict;
# !! smtpd_proxy_filter - see master.cf !!
#
#
EOF
if ${SASL_AUTH_ENABLED} ; then
cat << EOF >> "${_config_file}"
\$inet_socket_port = [10024, 10026];
#\$inet_socket_port = [10024, 10029];
#\$inet_socket_port = [10024, 10026, 10029];
\$interface_policy{'10026'} = 'ORIGINATING';
\$policy_bank{'ORIGINATING'} = {
originating => 1, # declare that mail was submitted by our smtp client
bypass_spam_checks_maps => (1),
bypass_virus_checks_maps => (0),
remove_existing_spam_headers => 1,
};
EOF
else
cat << EOF >> "${_config_file}"
#\$inet_socket_port = [10024, 10026];
\$inet_socket_port = [10024, 10029];
#\$inet_socket_port = [10024, 10026, 10029];
\$interface_policy{'10024'} = 'INBOUND';
\$interface_policy{'10029'} = 'VIRUSONLY';
# Inbound: Spam + Virus
\$policy_bank{'INBOUND'} = { };
# Outbound: nur Virus
\$policy_bank{'VIRUSONLY'} = {
bypass_spam_checks_maps => [1],
bypass_header_checks_maps => [1],
final_spam_destiny => D_PASS,
originating => 1,
};
EOF
fi
cat << EOF >> "${_config_file}"
# Bypass spam checking fro trusted networks
#
#\$interface_policy{'10026'} = 'TRUSTED';
@@ -4432,14 +4527,15 @@ EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
fi
if [[ "${DB_TYPE}" = "PostgreSQL" ]] || [[ "${DB_TYPE}" = "MySQL" ]]; then
if [[ "${DB_TYPE}" = "PostgreSQL" ]] || \
[[ "${DB_TYPE}" = "MySQL" ]] && \
! ${IS_SYMPA_LIST_SERVER}; then
if [[ "$DB_TYPE" = "PostgreSQL" ]]; then
_db="psql"
_db="pgsql"
else
_db="mysql"
fi
@@ -4451,7 +4547,6 @@ EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
fi
@@ -4465,39 +4560,38 @@ EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
fi
fi
if [[ -f "/etc/postfix/${_db}_relay-domain-maps.cf" ]]; then
cat >> /etc/amavis/conf.d/50-user <<EOF
# Domains, die als relay_domains akzeptiert werden:
# Domains, die als Relay Domains akzeptiert werden:
'${_db}:/etc/postfix/${_db}_relay-domain-maps.cf',
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
fi
fi
if grep -iq -E "^\s*btree:/etc/postfix/relay_domains" $postfix_main_cf > /dev/null 2>&1 ; then
if grep -iq -E "^\s*btree:/etc/postfix/relay_domains" "/etc/postfix/main.cf" > /dev/null 2>&1 ; then
cat >> /etc/amavis/conf.d/50-user <<EOF
# Domains, die als virtuelle Mailbox-Domains gehostet sind:
'${_db}:/etc/postfix/${_db}_relay-domain-maps.cf',
# weiter Domains, die als Relay Domains akzeptiert werden
'btree:/etc/postfix/relay_domains',
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
fi
@@ -4522,15 +4616,6 @@ fi
cat >> /etc/amavis/conf.d/50-user <<EOF
## - get rid of "Open Relay" warnings in amavis logfile.
## -
\$interface_policy{'10026'} = 'ORIGINATING';
\$policy_bank{'ORIGINATING'} = {
originating => 1, # declare that mail was submitted by our smtp client
bypass_spam_checks_maps => (1),
bypass_virus_checks_maps => (0),
remove_existing_spam_headers => 1,
};
## - If you get am error like:
## -
@@ -4550,33 +4635,42 @@ fi
if [[ "$DB_TYPE" = "PostgreSQL" ]]; then
cat >> /etc/amavis/conf.d/50-user <<EOF
if [[ -n "${DB_NAME}" ]] && [[ -n "${DB_HOST}" ]] && [[ -n "${DB_USER}" ]] && [[ -n "${DB_PASS}" ]] ; then
cat >> /etc/amavis/conf.d/50-user <<EOF
## - lookup for local domains in PostgreSQL database
## -
@lookup_sql_dsn = (
['DBI:Pg:database=${DB_NAME};host=${DB_HOST}', '$DB_USER', '$DB_PASS']
);
\$sql_select_policy = 'SELECT \\'Y\\' AS local FROM domain WHERE \\'@\\' || domain IN (%k);';
#@lookup_sql_dsn = (
# ['DBI:Pg:database=${DB_NAME};host=${DB_HOST}', '$DB_USER', '$DB_PASS']
#);
#\$sql_select_policy = 'SELECT \\'Y\\' AS local FROM domain WHERE \\'@\\' || domain IN (%k);';
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
fi
fi
elif [[ "$DB_TYPE" = "MySQL" ]];then
cat >> /etc/amavis/conf.d/50-user <<EOF
if [[ -n "${DB_NAME}" ]] && [[ -n "${DB_HOST}" ]] && [[ -n "${DB_USER}" ]] && [[ -n "${DB_PASS}" ]] ; then
cat >> /etc/amavis/conf.d/50-user <<EOF
## - lookup for local domains in MySQL database
## -
@lookup_sql_dsn = (
['DBI:mysql:database=${DB_NAME};host=${DB_HOST}', '$DB_USER', '$DB_PASS']
);
\$sql_select_policy = 'SELECT "Y" AS local FROM domain WHERE CONCAT("@", domain) IN (%k)';
#@lookup_sql_dsn = (
# ['DBI:mysql:database=${DB_NAME};host=${DB_HOST}', '$DB_USER', '$DB_PASS']
#);
#\$sql_select_policy = 'SELECT "Y" AS local FROM domain WHERE CONCAT("@", domain) IN (%k)';
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
fi
fi
fi
@@ -5168,7 +5262,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
smtp inet n - y - - smtpd
-o content_filter=amavisfeed:[127.0.0.1]:10024
EOF
if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
if ! ${SASL_AUTH_ENABLED} ; then
cat >> $postfix_master_cf << EOF
-o smtpd_sasl_auth_enable=no
EOF
@@ -5202,7 +5296,7 @@ EOF
${additional_smtp_port} inet n - y - - smtpd
-o content_filter=amavisfeed:[127.0.0.1]:10024
EOF
if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
if ! ${SASL_AUTH_ENABLED} ; then
cat >> $postfix_master_cf << EOF
-o smtpd_sasl_auth_enable=no
EOF

7
install_opendkim.sh
View File

@@ -726,8 +726,11 @@ fi
if grep -q -E "^\s*#?\s*non_smtpd_milters\s*=" ${main_cf_file} ; then
ensure_dkim_var "non_smtpd_milters" > "${tmp_main_cf_file}"
cp "${tmp_main_cf_file}" "${main_cf_file}"
# In case of sympa, DKIM signatures will be added by sympa list manager
if ! which sympa ; then
ensure_dkim_var "non_smtpd_milters" > "${tmp_main_cf_file}"
cp "${tmp_main_cf_file}" "${main_cf_file}"
fi
else

11
install_opendmarc.sh
View File

@@ -26,8 +26,15 @@ opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
config_file_name_value_parameters="
AuthservID|HOSTNAME
TrustedAuthservIDs|HOSTNAME
PidFile|/run/opendmarc/opendmarc.pid
RejectFailures|true
PidFile|/run/opendmarc/opendmarc.pid"
if which sympa ; then
config_file_name_value_parameters="$config_file_name_value_parameters
RejectFailures|false"
else
config_file_name_value_parameters="$config_file_name_value_parameters
RejectFailures|true"
fi
config_file_name_value_parameters="$config_file_name_value_parameters
Syslog|true
SyslogFacility|mail
IgnoreHosts|${opendmarc_base_dir}/ignore.hosts

128
install_postfix_advanced.sh
View File

@@ -171,8 +171,10 @@ fi
if [[ -z "$_RELAY_HOST" ]]; then
_IS_RELAY_HOST=$DEFAULT_IS_RELAY_HOST
else
_IS_RELAY_HOST="$_RELAY_HOST"
_IS_RELAY_HOST="${_RELAY_HOST,,}"
fi
[[ "${_IS_RELAY_HOST}" == "yes" ]] && _IS_RELAY_HOST=true
[[ "${_IS_RELAY_HOST}" == "no" ]] && _IS_RELAY_HOST=false
if [[ -z "$_LISTEN_ON_ADDITIONAL_RELAY_PORT" ]] ; then
_LISTEN_ON_ADDITIONAL_RELAY_PORT=${DEFAULT_LISTEN_ON_ADDITIONAL_RELAY_PORT}
@@ -466,7 +468,7 @@ if ! ${IS_RELAY_HOST} ; then
fi
if [[ "${INPUT,,}" == "yes" || "${INPUT,,}" == "true" ]]; then
INSTALL_DMARC_REPORT_SUPPORT=true
fi
fi
fi
@@ -1071,7 +1073,18 @@ debugLevel = 1
# HELO_reject = Null - Only reject HELO Fail for Null sender (SPF Classic)
# HELO_reject = False - Never reject/defer on HELO, append header only.
# HELO_reject = No_Check - Never check HELO.
EOF
if ${IS_SYMPA_LIST_SERVER} ; then
cat <<EOF >> "${_file}"
HELO_reject = False
EOF
else
cat <<EOF >> "${_file}"
HELO_reject = SPF_Not_Pass
EOF
fi
cat <<EOF >> "${_file}"
# Mail From rejection policy. Options are:
# Mail_From_reject = SPF_Not_Pass - Reject if result not Pass/None/Tempfail.
@@ -1084,7 +1097,18 @@ HELO_reject = SPF_Not_Pass
# MAIL FROM-Adresse reagiert. Ein Fehler tritt auf, wenn die IP-Adresse des sendenden
# Servers nicht den SPF-Einträgen der Domain in der MAIL FROM-Adresse entspricht.
#
EOF
if ${IS_SYMPA_LIST_SERVER} ; then
cat <<EOF >> "${_file}"
Mail_From_reject = False
EOF
else
cat <<EOF >> "${_file}"
Mail_From_reject = Fail
EOF
fi
cat <<EOF >> "${_file}"
# Policy for rejecting due to SPF PermError. Options are:
# PermError_reject = True
@@ -1096,7 +1120,18 @@ Mail_From_reject = Fail
#
# Wenn PermError_reject auf True gesetzt ist, wird die E-Mail abgewiesen (rejected),
#
EOF
if ${IS_SYMPA_LIST_SERVER} ; then
cat <<EOF >> "${_file}"
PermError_reject = False
EOF
else
cat <<EOF >> "${_file}"
PermError_reject = True
EOF
fi
cat <<EOF >> "${_file}"
# Policy for deferring messages due to SPF TempError. Options are:
# TempError_Defer = True
@@ -1109,7 +1144,7 @@ PermError_reject = True
# Wenn TempError_Defer auf True gesetzt ist, wird die E-Mail vorübergehend zurückgewiesen
# (deferred), und der empfangende Server versucht später erneut, die E-Mail zuzustelle
#
TempError_Defer = Defer
TempError_Defer = True
# Type of header to insert to document SPF result. Can be Received-SPF (SPF)
# or Authentication Results (AR). It cannot be both.
@@ -2111,9 +2146,24 @@ smtp_tls_security_level=dane
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
# TLS RSA keys path
smtpd_tls_cert_file = $_TLS_CERT_FILE
smtpd_tls_key_file = $_TLS_KEY_FILE
EOF
if [[ -f "/etc/postfix/ssl/mailserver-ecdsa.crt" &&
-f "/etc/postfix/ssl/mailserver-ecdsa.key" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# TLS ECDSA keys path
smtpd_tls_eccert_file = /etc/postfix/ssl/mailserver-ecdsa.crt
smtpd_tls_eckey_file = /etc/postfix/ssl/mailserver-ecdsa.key
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
@@ -2427,8 +2477,8 @@ virtual_alias_domains =
#======= Postfix DSN Support ============
#
# Use the smtpd_discard_ehlo_keyword_address_maps feature if you wish to allow DSN
#
# Use the smtpd_discard_ehlo_keyword_address_maps feature if you wish to allow DSN
# requests from trusted clients but not from random strangers
#
# smtpd_discard_ehlo_keyword_address_maps =
@@ -2443,15 +2493,15 @@ virtual_alias_domains =
#smtpd_discard_ehlo_keyword_address_maps =
# If you want to disallow all use of DSN requests from the network, use the
# If you want to disallow all use of DSN requests from the network, use the
# smtpd_discard_ehlo_keywords feature:
#
# /etc/postfix/main.cf:
# smtpd_discard_ehlo_keywords = silent-discard, dsn
#
#
#
# A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that
#
# A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that
# the Postfix SMTP server will not send in the EHLO response to a remote SMTP client.
#
#
@@ -2681,7 +2731,7 @@ EOF
if [[ -n "$(which postfwd)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
127.0.0.1:10040_time_limit = 3600
#127.0.0.1:10040_time_limit = 3600
EOF
else
cat <<EOF >> /etc/postfix/main.cf
@@ -2699,7 +2749,7 @@ if [[ -n "$(which policyd-spf)" ]] ; then
# policyd-spf unix - n n - 0 spawn
# user=policyd-spf argv=/usr/bin/policyd-spf
#
policyd-spf_time_limit = 3600
#policyd-spf_time_limit = 3600
EOF
fi
@@ -2876,6 +2926,16 @@ smtpd_recipient_restrictions =
# \$relay_recipient_maps, and \$relay_recipient_maps is not null.
#
reject_unlisted_recipient,
EOF
if [[ -n "$(which policyd-spf)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# Check Postfix policy service ..
#
check_policy_service unix:private/policy-spf
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
# reject_unauth_destination
#
# Reject the request unless one of the following is true:
@@ -2898,17 +2958,7 @@ smtpd_recipient_restrictions =
# managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
# for more details
reject_unverified_recipient,
EOF
if [[ -n "$(which policyd-spf)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# Check Postfix policy service ..
#
check_policy_service unix:private/policy-spf
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
# Policyd-Weight
#check_policy_service inet:127.0.0.1:12525,
# ---------------------------------------------------------------------------------
@@ -2999,6 +3049,16 @@ else
EOF
fi
if ${IS_SYMPA_LIST_SERVER} || ${IS_RELAY_HOST}; then
cat <<EOF >> /etc/postfix/main.cf
# Default: alles was nicht explizit überschrieben wird (pickup/local/sympa/cron/...)
content_filter = amavisfeed:[127.0.0.1]:10029
EOF
fi
if [[ -n "$(which opendkim)" ]] || [[ -n "$(which opendmarc)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
@@ -3040,7 +3100,7 @@ EOF
# Was sind non_smtpd_milters?
#
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
# der smtpd-Daemon sind.
#
# Das betrifft z. B.:
@@ -3068,7 +3128,13 @@ EOF
#
EOF
if [[ -n "$(which opendkim)" ]] ; then
if ${IS_SYMPA_LIST_SERVER} ; then
cat <<EOF >> /etc/postfix/main.cf
# DKIM signing takes place in the Sympa list manager.
non_smtpd_milters =
EOF
elif [[ -n "$(which opendkim)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = local:/opendkim/opendkim.sock
EOF
@@ -3940,10 +4006,10 @@ if ${INSTALL_DMARC_REPORT_SUPPORT} ; then
cat <<EOF >> /etc/postfix/transport 2> $log_file
# - Take care your master.cf file ($postfix_master_cf) contains:
# -
# -
# - dmarc-pipe unix - n n - - pipe
# - flags=Rq user=vmail argv=/usr/local/bin/dmarc-collect.sh
# -
# -
dmarc-reports@oopen.de dmarc-pipe:
EOF
@@ -4032,7 +4098,7 @@ EOF
_failed=true
fi
if ${_failed} ; then
echo_failed
error "$(cat $log_file)"
@@ -4081,6 +4147,14 @@ else
dmarc_pipe_present=false
fi
if ${LISTEN_ON_ADDITIONAL_RELAY_PORT} ; then
if grep -iq -E "^${ADDITIONAL_RELAY_LISTEN_PORT}\s+" $postfix_master_cf > /dev/null 2>&1 ; then
additional_relay_port_present=true
else
additional_relay_port_present=false
fi
fi
_found=false
echononl " Create new file \"${postfix_master_cf}\""
if [[ -f "${postfix_master_cf}.$backup_date" ]]; then
@@ -4110,9 +4184,11 @@ smtps inet n - y - - smtpd
EOF
fi
elif $LISTEN_ON_ADDITIONAL_RELAY_PORT ; then
cat >> $postfix_master_cf << EOF
if ! ${additional_relay_port_present} ; then
cat >> $postfix_master_cf << EOF
${ADDITIONAL_RELAY_LISTEN_PORT} inet n - y - - smtpd
EOF
fi
fi
continue
fi

239
install_postfixadmin.sh
View File

@@ -389,7 +389,7 @@ if [[ -z "$APACHE_VHOST_DIR" ]] ; then
fi
fi
[[ -n "${COMPOSER}" ]] || COMPOSER=${DEFAULT_COMPOSER}
[[ -n "${COMPOSER}" ]] || COMPOSER=${DEFAULT_COMPOSER}
[[ -n "$POSTFIX_DB_TYPE" ]] || fatal "Database Type of Postfix Database (POSTFIX_DB_TYPE) not present!"
[[ -n "$POSTFIX_DB_HOST_MYSQL" ]] || POSTFIX_DB_HOST_MYSQL="$DEFAULT_POSTFIX_DB_HOST_MYSQL"
@@ -430,7 +430,7 @@ if [[ "$POSTFIX_DB_TYPE" = "mysql" ]] ; then
fi
else
echononl "\tGet MySQL command.."
mysql_command="$(which mysql)"
if [[ $? -eq 0 ]]; then
@@ -453,9 +453,9 @@ if [[ "$POSTFIX_DB_TYPE" = "mysql" ]] ; then
elif [[ -f "/etc/mysql/debian.cnf" ]] ; then
MYSQL_CREDENTIALS="--defaults-file=/etc/mysql/debian.cnf"
else
fatal "Parameter 'MYSQL_CREDENTIALS' cannot be determined automated.
fatal "Parameter 'MYSQL_CREDENTIALS' cannot be determined automated.
Use configuration file "$conf_file" to set
Use configuration file "$conf_file" to set
parameter manually."
fi
fi
@@ -475,7 +475,7 @@ fi
if [[ "$ENCRYPTION_METHOD" =~ dovecot ]]; then
[[ -n "$DOVEADM_PW" ]] || DOVEADM_PW=$DEFAULT_DOVEADM_PW
fi
fi
[[ -n "$DELETED_MAILBOX_DIR" ]] || DELETED_MAILBOX_DIR=$DEFAULT_DELETED_MAILBOX_DIR
[[ -n "$DELETED_DOMAINS_DIR" ]] || DELETED_DOMAINS_DIR=$DEFAULT_DELETED_DOMAINS_DIR
@@ -767,7 +767,7 @@ fi
if ! $database_exists ; then
echononl "\tCreate Postfix Database '$POSTFIX_DB_NAME'"
if [ "$POSTFIX_DB_TYPE" = "mysql" ]; then
if [ "$POSTFIX_DB_TYPE" = "mysql" ]; then
echo -n " (MySQL).."
mysql $MYSQL_CREDENTIALS -N -s -e \
"CREATE DATABASE IF NOT EXISTS $POSTFIX_DB_NAME CHARACTER SET utf8 COLLATE utf8_general_ci" >> $log_file 2>&1
@@ -817,7 +817,7 @@ else
else
_db_backup_file_name="${POSTFIX_DB_NAME}-pfa.${backup_date}.sql"
fi
if [[ "$POSTFIX_DB_TYPE" = "mysql" ]]; then
if [[ "$POSTFIX_DB_TYPE" = "mysql" ]]; then
echo -n " (MySQL).."
mysqldump $MYSQL_CREDENTIALS --opt $POSTFIX_DB_NAME > ${WEBSITE_BASEDIR}/${_db_backup_file_name} 2> $log_file
if [[ $? -eq 0 ]]; then
@@ -1011,7 +1011,7 @@ else
fi
echo -e "\n\n\t\033[37m\033[1mBase install Postfixadmin..\033[m\n"
@@ -1358,13 +1358,13 @@ if [[ "$PHP_TYPE" = "fcgid" ]] ; then
#!/bin/sh
export PHPRC="${WEBSITE_BASEDIR}/conf/"
export TMPDIR="${WEBSITE_BASEDIR}/tmp"
# PHP child process management (PHP_FCGI_CHILDREN) should
# always be disabled with mod_fcgid, which will only route one
# request at a time to application processes it has spawned;
# thus, any child processes created by PHP will not be used
# effectively. (Additionally, the PHP child processes may not
# be terminated properly.) By default, and with the environment
# variable setting PHP_FCGI_CHILDREN=0, PHP child process
# PHP child process management (PHP_FCGI_CHILDREN) should
# always be disabled with mod_fcgid, which will only route one
# request at a time to application processes it has spawned;
# thus, any child processes created by PHP will not be used
# effectively. (Additionally, the PHP child processes may not
# be terminated properly.) By default, and with the environment
# variable setting PHP_FCGI_CHILDREN=0, PHP child process
# management is disabled.
PHP_FCGI_CHILDREN=0
export PHP_FCGI_CHILDREN
@@ -1697,17 +1697,17 @@ EOF
# - X-Frame-Options
# -
# - The X-Frame-Options header (RFC), or XFO header, protects your visitors
# - against clickjacking attacks. An attacker can load up an iframe on their
# - site and set your site as the source, it's quite easy:
# - The X-Frame-Options header (RFC), or XFO header, protects your visitors
# - against clickjacking attacks. An attacker can load up an iframe on their
# - site and set your site as the source, it's quite easy:
# -
# - <iframe src="https://scotthelme.co.uk"></iframe>
# -
# - Using some crafty CSS they can hide your site in the background and create some
# - genuine looking overlays. When your visitors click on what they think is a harmless
# - link, they're actually clicking on links on your website in the background. That
# - might not seem so bad until we realise that the browser will execute those requests
# - in the context of the user, which could include them being logged in and authenticated
# - Using some crafty CSS they can hide your site in the background and create some
# - genuine looking overlays. When your visitors click on what they think is a harmless
# - link, they're actually clicking on links on your website in the background. That
# - might not seem so bad until we realise that the browser will execute those requests
# - in the context of the user, which could include them being logged in and authenticated
# - to your site!
# -
# - Troy Hunt has a great blog on 'Clickjack attack the hidden threat right in front :
@@ -1715,49 +1715,49 @@ EOF
# -
# - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
# -
# - Valid values include DENY meaning your site can't be framed, SAMEORIGIN which allows
# - you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify
# - Valid values include DENY meaning your site can't be framed, SAMEORIGIN which allows
# - you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify
# -sites that are permitted to frame your own site.
# -
Header always set X-Frame-Options "SAMEORIGIN"
# - X-Xss-Protection
# -
# - This header is used to configure the built in reflective XSS protection found
# - in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header
# - are 0, which disables the protection, 1 which enables the protection
# - and 1; mode=block which tells the browser to block the response if it
# - This header is used to configure the built in reflective XSS protection found
# - in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header
# - are 0, which disables the protection, 1 which enables the protection
# - and 1; mode=block which tells the browser to block the response if it
# - detects an attack rather than sanitising the script.
# -
Header always set X-Xss-Protection "1; mode=block"
# - X-Content-Type-Options
# -
# - Nice and easy to configure, this header only has one valid value, nosniff.
# - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
# - the content-type of a response away from the one being declared by the server.
# - It reduces exposure to drive-by downloads and the risks of user uploaded content
# - that, with clever naming, could be treated as a different content-type, like
# - Nice and easy to configure, this header only has one valid value, nosniff.
# - It prevents Google Chrome and Internet Explorer from trying to mime-sniff
# - the content-type of a response away from the one being declared by the server.
# - It reduces exposure to drive-by downloads and the risks of user uploaded content
# - that, with clever naming, could be treated as a different content-type, like
# - an executable.
# -
Header always set X-Content-Type-Options "nosniff"
# - Content Security Policy
# -
# - The CSP header allows you to define a whitelist of approved sources of content
# - for your site. By restricting the assets that a browser can load for your site,
# - like js and css, CSP can act as an effective countermeasure to XSS attacks. I
# - have covered CSP in a lot more detail in my blog Content Security Policy - An
# - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/).
# - The CSP header allows you to define a whitelist of approved sources of content
# - for your site. By restricting the assets that a browser can load for your site,
# - like js and css, CSP can act as an effective countermeasure to XSS attacks. I
# - have covered CSP in a lot more detail in my blog Content Security Policy - An
# - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/).
# -
# - Here is a basic policy to enforce TLS on all assets and prevent
# - Here is a basic policy to enforce TLS on all assets and prevent
# - mixed content warnings.
# -
# - Allow Google Analytics, Google AJAX CDN and Same Origin
# - script-src 'self' www.google-analytics.com ajax.googleapis.com;
# -
# - Emmbedding Google Fonts
# - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
# - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
# -
# - Allow YouTube Videos (iframe embedded)
# - frame-src 'self' https://www.youtube.com
@@ -1767,9 +1767,9 @@ EOF
# - Referrer-Policy
# -
# - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
# - field that identifies the address of the webpage (i.e. the URI or IRI) that
# - linked to the resource being requested. By checking the referrer, the new
# - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header
# - field that identifies the address of the webpage (i.e. the URI or IRI) that
# - linked to the resource being requested. By checking the referrer, the new
# - webpage can see where the request originated.
# -
Header set Referrer-Policy "strict-origin-when-cross-origin"
@@ -1889,7 +1889,7 @@ fi
echononl "\tCreate system user '$VACATION_USER'"
if ! grep -q "$VACATION_USER" /etc/passwd > /dev/null 2>&1 ; then
adduser --system --home /var/spool/vacation --no-create-home --uid 65501 --gid 65501 --shell /usr/sbin/nologin $VACATION_USER > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
echo_failed
error "$(cat $log_file)"
@@ -1960,7 +1960,7 @@ fi
# -
#echononl "\tWorkaround, because encoding does not work as exspected."
## - Vacation script changed. Since Version 3.2 we need another perl regexp.
## - The old one was:
## - The old one was:
## - perl -i -n -p -e "s/(\s*\'ctype\'\s* =>\s*)\'text\/plain.*$/\1\'text\/plain; charset=iso-8859-1\',/" \
## -
##perl -i -n -p -e "s/(\s*\'Content-Type\'\s* =>\s*)\"text\/plain.*$/\1\"text\/plain; charset=iso-8859-1\",/" \
@@ -1995,7 +1995,7 @@ fi
# - /etc/mail/postfixadmin/vacation.conf
# - /etc/postfixadmin/vacation.conf
# -
# - Instead of changing this script, we put the needed entries
# - Instead of changing this script, we put the needed entries
# - to file /etc/postfixadmin/vacation.conf:
# -
echononl "\tCreate directory '/etc/postfixadmin' "
@@ -2101,15 +2101,15 @@ fi
# - Create an entry in /etc/hosts for the (non-existant domain)
# - $AUTOREPLY_HOSTNAME
# -
# - $AUTOREPLY_HOSTNAME
# -
# - add:
# -
# - 127.0.0.1 $AUTOREPLY_HOSTNAME
# -
echononl "\tCreate entry in /etc/hosts for '$AUTOREPLY_HOSTNAME'"
if ! grep -q "$AUTOREPLY_HOSTNAME" /etc/hosts > $log_file 2>&1 ; then
perl -i -n -p -e"s#(^\s*127.0.0.1\s+localhost.*)#\1\n\n127.0.0.1 ${AUTOREPLY_HOSTNAME}#" /etc/hosts > $log_file 2>&1
perl -i -n -p -e"s#(^\s*127.0.0.1\s+localhost.*)#\1\n\n127.0.0.1 ${AUTOREPLY_HOSTNAME}#" /etc/hosts > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
@@ -2120,7 +2120,7 @@ else
echo_skipped
fi
# - Define the transport type in the Postfix master file
# - Define the transport type in the Postfix master file
# - /etc/postfix/master.cf
# -
# - vacation unix - n n - - pipe
@@ -2208,15 +2208,18 @@ fi
echo -e "\n\n\t\033[37m\033[1mConfigure Postfix Admin\033[m\n"
if [[ $MAJOR_VERSION -gt 3 ]] || [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]]; then
if [[ $MAJOR_VERSION -gt 3 ]] ; then
pfa_conf_file="${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.local.php"
cp -a "${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.inc.php" "$pfa_conf_file"
elif [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]] ; then
pfa_conf_file="${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.local.php"
cp -a "${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.inc.php" "$pfa_conf_file"
else
pfa_conf_file="${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.inc.php"
cp -a "$pfa_conf_file" "${pfa_conf_file}.ORIG"
fi
# - Use 'Re: $SUBJECT' as the default subject template for vacation
# - in postfixadmin
@@ -2277,26 +2280,26 @@ else
fi
> $log_file
perl -i -n -p -e "s#^(\s*\\\$CONF\['default_language'\]\s*=.*)#//!\1\n\\\$CONF['default_language'] = 'de';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['database_type'\]\s*=.*)#//!\1\n\\\$CONF['database_type'] = '$_database_type';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['database_host'\]\s*=.*)#//!\1\n\\\$CONF['database_host'] = 'localhost';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['database_user'\]\s*=.*)#//!\1\n\\\$CONF['database_user'] = '$POSTFIX_DB_USER';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['database_password'\]\s*=.*)#//!\1\n\\\$CONF['database_password'] = '$POSTFIX_DB_PASS';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['database_name'\]\s*=.*)#//!\1\n\\\$CONF['database_name'] = '$POSTFIX_DB_NAME';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['database_prefix'\]\s*=.*)#//!\1\n\\\$CONF['database_prefix'] = '';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['admin_email'\]\s*=.*)#//!\1\n\\\$CONF['admin_email'] = '$WEBMASTER_EMAIL';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['encrypt'\]\s*=.*)#//!\1\n\\\$CONF['encrypt'] = '$ENCRYPTION_METHOD';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
if grep -q -E "^\\\$CONF\['dovecotpw'\]\s*=.*" "$pfa_conf_file" 2> /dev/null ; then
perl -i -n -p -e "s#^(\\\$CONF\['dovecotpw'\]\s*=.*)#//!\1\n\\\$CONF['dovecotpw'] = '$DOVEADM_PW';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
else
cat <<EOF >> $pfa_conf_file
@@ -2335,7 +2338,7 @@ echononl "\tAdjust Postfix Admin's Configuration - Part 2"
_failed=false
> $log_file
perl -i -n -p -e "s#^(\s*\\\$CONF\['default_aliases'\]\s*=.*)#//\n//! 'default_aliases' will be overridden - see end of configfile\n//\n\1#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
cat <<EOF >> $pfa_conf_file 2> $log_file
@@ -2355,10 +2358,10 @@ EOF
perl -i -n -p -e "s#^(\s*\\\$CONF\['language_hook'\]\s*=.*)#//\n//! 'language_hook' will be overridden - see end of configfile\n//\n\1#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['password_validation'\]\s*=.*)#//\n//! 'password_validation' will be overridden - see end of configfile\n//\n\1#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
cat <<EOF >> $pfa_conf_file 2> $log_file
// Password validation
@@ -2384,19 +2387,19 @@ cat <<EOF >> $pfa_conf_file 2> $log_file
);
/*
language_hook example function
language_hook example function
Called if \$CONF['language_hook'] == '<name_of_the_function>'
Allows to add or override \$PALANG interface texts.
If you add new texts, please always prefix them with 'x_' (for example
If you add new texts, please always prefix them with 'x_' (for example
\$PALANG['x_mytext'] = 'foo') to avoid they clash with texts that might be
added to languages/*.lang in future versions of PostfixAdmin.
Please also make sure that all your added texts are included in all
sections - that includes all 'case "XY":' sections and the 'default:'
section (for users that don't have any of the languages specified
in the 'case "XY":' section).
in the 'case "XY":' section).
Usually the 'default:' section should contain english text.
If you modify an existing text/translation, please consider to report it
@@ -2442,23 +2445,23 @@ EOF
perl -i -n -p -e "s#^(\s*\\\$CONF\['domain_path'\]\s*=.*)#//!\1\n\\\$CONF['domain_path'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['domain_in_mailbox'\]\s*=.*)#//!\1\n\\\$CONF['domain_in_mailbox'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['aliases'\]\s*=.*)#//!\1\n\\\$CONF['aliases'] = '100';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['mailboxes'\]\s*=.*)#//!\1\n\\\$CONF['mailboxes'] = '100';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['maxquota'\]\s*=.*)#//!\1\n\\\$CONF['maxquota'] = '0';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['domain_quota_default'\]\s*=.*)#//!\1\n\\\$CONF['domain_quota_default'] = '0';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['quota'\]\s*=.*)#//!\1\n\\\$CONF['quota'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['domain_quota'\]\s*=.*)#//!\1\n\\\$CONF['domain_quota'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['quota_multiplier'\]\s*=.*)#//!\1\n\\\$CONF['quota_multiplier'] = '1048576';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
if $_failed ; then
echo_failed
error "$(cat $log_file)"
@@ -2536,8 +2539,8 @@ cat <<EOF >> $pfa_conf_file 2> $log_file
// ReplyType options
// If you want to define additional reply options put them in array below.
// The array has the format seconds between replies => $PALANG text
// Special values for seconds are:
// 0 => only reply to the first mail while on vacation
// Special values for seconds are:
// 0 => only reply to the first mail while on vacation
// 1 => reply on every mail
// 60*60*24*7 => Reply if last autoreply was at least a week ago
//
@@ -2570,8 +2573,8 @@ fi
## - EOM;
## -
echononl "\tCreate welcome message.."
if [[ -n "$WELCOME_MESSAGE" ]] ; then
cat <<EOF >> $pfa_conf_file 2> $log_file
if [[ -n "$WELCOME_MESSAGE" ]] ; then
cat <<EOF >> $pfa_conf_file 2> $log_file
// Welcome Message
// This message is send to every newly created mailbox.
@@ -2614,35 +2617,35 @@ echononl "\tAdjust Postfix Admin's Configuration - Part 5"
_failed=false
> $log_file
perl -i -n -p -e "s#^(\s*\\\$CONF\['alias_control_admin'\]\s+=.*)#//!\1\n\\\$CONF['alias_control_admin'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['alias_control'\]\s*=.*)#//!\1\n\\\$CONF['alias_control'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['special_alias_control'\]\s*=.*)#//!\1\n\\\$CONF['special_alias_control'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['backup'\]\s*=.*)#//!\1\n\\\$CONF['backup'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['fetchmail'\]\s*=.*)#//!\1\n\\\$CONF['fetchmail'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['user_footer_link'\]\s+=.*)#//!\1\n\\\$CONF['user_footer_link'] = 'https://${WEBSITE_NAME}/main.php';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['footer_text'\]\s+=.*)#//!\1\n\\\$CONF['footer_text'] = 'Main Menu';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['footer_link'\]\s+=.*)#//!\1\n\\\$CONF['footer_link'] = 'http://${WEBSITE_NAME}/main.php';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['emailcheck_resolve_domain'\]\s*=.*)#//!\1\n\\\$CONF['emailcheck_resolve_domain'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['show_status'\]\s*=.*)#//!\1\n\\\$CONF['show_status'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['show_status_key'\]\s*=.*)#//!\1\n\\\$CONF['show_status_key'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['show_undeliverable'\]\s*=.*)#//!\1\n\\\$CONF['show_undeliverable'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['show_popimap'\]\s*=.*)#//!\1\n\\\$CONF['show_popimap'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['used_quotas'\]\s*=.*)#//!\1\n\\\$CONF['used_quotas'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['new_quota_table'\]\s*=.*)#//!\1\n\\\$CONF['new_quota_table'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true
$pfa_conf_file >> $log_file 2>&1 || _failed=true
if $_failed ; then
echo_failed
error "$(cat $log_file)"
@@ -2675,7 +2678,7 @@ fi
# - $CONF['configured'] = true;
echononl "\tSet '\$CONF['configured'] = true'"
perl -i -n -p -e "s#^(\s*\\\$CONF\['configured'\]\s*=.*)#//!\1\n\\\$CONF['configured'] = true;#" \
$pfa_conf_file > $log_file 2>&1
$pfa_conf_file > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
@@ -2736,7 +2739,7 @@ echo ""
# - AFTER DELETION MAILBOX
# -
# -
# - activate script for moving a mailbox from the mailboxdirectory
# - and save it to the backupb directory /var/deleted-maildirs
# -
@@ -2745,7 +2748,7 @@ echononl "\tCreate folder '${DELETED_MAILBOX_DIR}"
if [[ ! -d "${DELETED_MAILBOX_DIR}" ]] ; then
mkdir $DELETED_MAILBOX_DIR > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
echo_ok
else
echo_failed
error "$(cat $log_file)"
@@ -2799,11 +2802,11 @@ else
fi
# - Change the posdeletion scripts to your needs:
# -
# -
# - set:
# - basedir=/var/vmail
# - trashbase=$DELETED_MAILBOX_DIR
# -
# -
# - trashdir="${trashbase}/$2/`date +%F_$H-%M`_${subdir}"
# -
echononl "\tAdjust 'postfixadmin-mailbox-postdeletion.sh'"
@@ -2825,9 +2828,9 @@ fi
# - Edit ${WEBSITE_BASEDIR}/htdocs/config.inc.php
# -
# - in section add line
# - in section add line
# - $CONF['mailbox_postdeletion_script']='sudo -u vmail /usr/local/bin/postfixadmin-mailbox-postdeletion.sh';
# -
# -
echononl "\tAdjust 'config.inc.php' to make script available"
perl -i -n -p -e "s#^(\s*[/*]?\s*\\\$CONF\['mailbox_postdeletion_script'\]\s*=.*)#//!\1\n\\\$CONF['mailbox_postdeletion_script'] = 'sudo -u vmail /usr/local/bin/postfixadmin-mailbox-postdeletion.sh';#" \
$pfa_conf_file > $log_file 2>&1
@@ -2890,7 +2893,7 @@ fi
# - AFTER DELETION MAILDOMIAN
# -
# -
# - activate script for moving a mailbox from the mailboxdirectory
# - and save it to the backupb directory $DELETED_DOMAINS_DIR
# -
@@ -2899,7 +2902,7 @@ echononl "\tCreate folder '${DELETED_DOMAINS_DIR}"
if [[ ! -d "${DELETED_DOMAINS_DIR}" ]] ; then
mkdir $DELETED_DOMAINS_DIR > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
echo_ok
else
echo_failed
error "$(cat $log_file)"
@@ -2956,11 +2959,11 @@ fi
# - Change the posdeletion scripts to your needs:
# -
# -
# - set:
# - basedir=/var/vmail
# - trashbase=$DELETED_DOMAINS_DIR
# -
# -
# - trashdir="${trashbase}/`date +%F_%H-%M`_$1"
# -
echononl "\tAdjust 'postfixadmin-domain-postdeletion.sh'"
@@ -2981,9 +2984,9 @@ fi
# - edit ${WEBSITE_BASEDIR}/htdocs/config.inc.php
# -
# - in section add line
# - in section add line
# - $CONF['domain_postdeletion_script']='sudo -u vmail /usr/local/bin/postfixadmin-domain-postdeletion.sh';
# -
# -
echononl "\tAdjust 'config.inc.php' to make script available"
perl -i -n -p -e "s#^(\s*[/*]?\s*\\\$CONF\['domain_postdeletion_script'\]\s*=.*)#//!\1\n\\\$CONF['domain_postdeletion_script'] = 'sudo -u vmail /usr/local/bin/postfixadmin-domain-postdeletion.sh';#" \
$pfa_conf_file >> $log_file 2>&1
@@ -3050,9 +3053,9 @@ fi
## - specified database.
## -
## - Now you have to setup Postfix to recognize all these entries. To do so,
## - you must specify database requests (in different files) and load them
## - you must specify database requests (in different files) and load them
## - into Postfix configuration. In particular that are the following files:
## -
## -
## - pgsql_relay-domain-maps.cf
## - pgsql_sender_login_maps.cf
## - pgsql_transport_maps.cf
@@ -3494,7 +3497,7 @@ echononl "\tCreate file '/etc/postfix/${POSTFIX_DB_TYPE}_virtual_alias_address_r
if [ "$POSTFIX_DB_TYPE" = "pgsql" ]; then
cat <<EOF > /etc/postfix/${POSTFIX_DB_TYPE}_virtual_alias_address_rewriting.cf
## - this address rewriting acts as address extension
## - this address rewriting acts as address extension
## - with delimeter "-"
## -
hosts = $POSTFIX_DB_HOST_PGSQL
@@ -3686,14 +3689,14 @@ info "Browse to \033[1mhttps://${WEBSITE_NAME}/setup.php\033[m to create a 'setu
\t Instructions on how to do this are pointed out at the setup site, maybe like this:
\t - Generate setup_password hash and set \033[1m$CONF['setup_password']\033[m
\t - Generate setup_password hash and set \033[1m$CONF['setup_password']\033[m
\t in file \033[1mconfig.local.php\033[m as printed out.
\t - Browse to \033[1mhttp://${WEBSITE_NAME}/setup.php\033[m once again to update
\t the database
\t Browse to \033[1mhttp://${WEBSITE_NAME}\033[m and login using an existent admin account
\t Browse to \033[1mhttp://${WEBSITE_NAME}\033[m and login using an existent admin account
\t[ \033[33m\033[1mNotice\033[m ]: \033[1mScroll back to see if all seems to be fine!\033[m
@@ -3747,7 +3750,7 @@ dbname = postfix
query = SELECT quota FROM mailbox WHERE username='%s' AND active = true
EOF
## - add configuration parameter virtual_mailbox_limit_maps
## - add configuration parameter virtual_mailbox_limit_maps
## - in Postfix /etc/postfix/main.cf
## -
## - add:

40
set-policyd-spf-config-for-listserver.sh Executable file
View File

@@ -0,0 +1,40 @@
#!/usr/bin/env bash
set -euo pipefail
CONF="/etc/postfix-policyd-spf-python/policyd-spf.conf"
BACKUP="${CONF}.$(date +%Y%m%d-%H%M%S).bak"
if [[ ! -f "$CONF" ]]; then
echo "ERROR: Config not found: $CONF" >&2
exit 1
fi
cp -a -- "$CONF" "$BACKUP"
ensure_kv() {
local key="$1"
local value="$2"
# Prüfen ob es eine AKTIVE (nicht auskommentierte) Zeile gibt
if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$CONF"; then
# Nur erste aktive Zeile ersetzen
sed -ri "0,/^[[:space:]]*${key}[[:space:]]*=.*/s//${key} = ${value}/" "$CONF"
else
# Anfügen mit Leerzeile + Kommentar
cat >>"$CONF" <<EOF
# --- Mailinglist-friendly SPF policy (added by script) ---
${key} = ${value}
EOF
fi
}
ensure_kv "HELO_reject" "False"
ensure_kv "Mail_From_reject" "False"
ensure_kv "PermError_reject" "False"
ensure_kv "TempError_Defer" "True"
echo "Updated: $CONF"
echo "Backup : $BACKUP"
exit