install/mailsystem
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of git.oopen.de:install/mailsystem

Browse Source
This commit is contained in:
Christoph
2026-01-08 13:50:07 +01:00
parent 6a827cba44 0ec563bb3c
commit 14fc0b0578
7 changed files with 7311 additions and 219 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5297
BAK/install_amavis.sh.Pre-Queue.00 Executable file
View File

File diff suppressed because it is too large Load Diff

684
BAK/install_opendkim.sh.Pre-Queue.00 Executable file
View File

@@ -0,0 +1,684 @@
#!/usr/bin/env bash
clear
echo -e "\n \033[32mStart Installation of OpenDKIM..\033[m"
# -------------
# - Settings
# -------------
#_src_base_dir="$(realpath $(dirname $0))"
#conf_file="${_src_base_dir}/conf/install_opendkim.conf"
log_file="$(mktemp)"
backup_date="$(date +%Y-%m-%d-%H%M)"
_opendkim_packages="opendkim opendkim-tools"
opendkim_base_dir="/etc/opendkim"
opendkim_key_dir="${opendkim_base_dir}/keys"
opendkim_conf_file="/etc/opendkim.conf"
postfix_spool_dir="/var/spool/postfix"
opendkim_socket_dir="${postfix_spool_dir}/opendkim"
opendkim_socket_file="${opendkim_socket_dir}/opendkim.sock"
postfix_needs_restart=false
opendkim_needs_restart=false
# -------------
# --- Some functions
# -------------
echononl(){
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
}
fatal(){
echo ""
echo -e "fatal error: $*"
echo ""
echo -e "\t\033[31m\033[1mInstalllation will be interrupted\033[m\033[m"
echo ""
exit 1
}
error(){
echo ""
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
echo ""
}
warn (){
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
echo ""
}
info (){
echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
echo ""
}
echo_done() {
echo -e "\033[80G[ \033[32mdone\033[m ]"
}
echo_ok() {
echo -e "\033[80G[ \033[32mok\033[m ]"
}
echo_warning() {
echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
echo -e "\033[80G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
echo -e "\033[80G[ \033[37mskipped\033[m ]"
}
# -------------
# - Some pre-installation tasks
# -------------
# - Is 'systemd' supported on this system
# -
SYSTEMD_EXISTS=false
systemd=$(which systemd)
systemctl=$(which systemctl)
if [[ -n "$systemd" ]] || [[ -n "$systemctl" ]] ; then
SYSTEMD_EXISTS=true
fi
# =============
# - Start Installation
# =============
echo ""
# - Synchronise package index files with the repository
# -
echononl " Synchronise package index files with the repository.."
apt-get update > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
# - Install OpenDKIM
# -
echononl " Install needed debian packages.."
opendkim_packages=""
packages_installed=false
for _pkg in $_opendkim_packages ; do
if aptitude search "$_pkg" | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
continue
else
opendkim_packages="$opendkim_packages $_pkg"
fi
done
if [[ -n "$opendkim_packages" ]]; then
DEBIAN_FRONTEND=noninteractive apt-get -y install $opendkim_packages > /dev/null 2> "$log_file"
packages_installed=true
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add user 'postfix' to group 'opendkim'
# -
echononl " Add user 'postfix' to group 'opendkim'.."
if grep opendkim /etc/group | grep -q postfix 2> /dev/null ; then
echo_skipped
else
adduser postfix opendkim > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Save configuration file from distribution
# -
echononl " Save configuration file from distribution"
if $packages_installed ; then
cp -a $opendkim_conf_file $opendkim_conf_file.ORIG 2> "$log_file"
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
echononl " Backup existing file '${opendkim_conf_file}'.."
if [[ -f "${opendkim_conf_file}" ]] ; then
mv "${opendkim_conf_file}" "${opendkim_conf_file}.${backup_date}"
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Create OpenDKIM configuration
# -
echononl " Create OpenDKIM configuration"
if [[ -f "$opendkim_conf_file" ]] \
&& grep -i -q -E "^\s*Socket\s+local:$opendkim_socket_file" "$opendkim_conf_file" \
&& grep -i -q -E "^\s*SigningTable.*${opendkim_base_dir}/signing.table" "$opendkim_conf_file" \
&& grep -i -q -E "^\s*KeyTable.*${opendkim_base_dir}/key.table" "$opendkim_conf_file" ; then
echo_skipped
warn "OpenDKIM seems already be configured."
else
cat <<EOF > $opendkim_conf_file 2> $log_file
# Datei $opendkim_conf_file
# Sets the "authserv-id" to use when generating the Authentication-Results:
# header field after verifying a message. The default is to use the name of
# the MTA processing the message. If the string "HOSTNAME" is provided, the
# name of the host running the filter (as returned by the gethostname(3)
# function) will be used.
AuthservID "DKIM check $(hostname -f)"
# OpenDKIM agiert als Mail Filter (= Milter) in den
# Modi signer (s) und verifier (v) und verwendet eine
# Socket-Datei zur Kommunikation (alternativ: lokaler Port)
Mode sv
# Socket local:/var/run/opendkim/opendkim.sock
# Socket local:$opendkim_socket_file
# Socket inet:12345@localhost
Socket local:$opendkim_socket_file
# OpenDKIM verwendet diesen Benutzer bzw.
# diese Gruppe
UserID opendkim:opendkim
UMask 002
PidFile /var/run/opendkim/opendkim.pid
# OpenDKIM bei Problemen neustarten,
# aber max. 10 mal pro Stunde
AutoRestart yes
AutoRestartRate 10/1h
# Logging (wenn alles funktioniert eventuell reduzieren)
Syslog yes
SyslogSuccess yes
LogWhy yes
# Verfahren, wie Header und Body durch
# OpenDKIM verarbeitet werden sollen.
Canonicalization relaxed/simple
# interne Mails nicht mit OpenDKIM verarbeiten
ExternalIgnoreList refile:${opendkim_base_dir}/trusted
InternalHosts refile:${opendkim_base_dir}/trusted
# welche Verschlüsselungs-Keys sollen für welche
# Domains verwendet werden
# (refile: für Dateien mit regulären Ausdrücke)
SigningTable refile:${opendkim_base_dir}/signing.table
KeyTable ${opendkim_base_dir}/key.table
# diesen Signatur-Algorithmus verwenden
SignatureAlgorithm rsa-sha256
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
# Add an "Authentication-Results:" header field even to unsigned messages
# from domains with no "signs all" policy. The reported DKIM result will be
# "none" in such cases. Normally unsigned mail from non-strict domains does
# not cause the results header field to be added.
AlwaysAddARHeader yes
# Causes opendkim to fork and exits immediately, leaving the service running
# in the background. The default is "true".
Background yes
# Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
# default is 5. Ignored if not using an asynchronous resolver package. See
# also the NOTES section below.
DNSTimeout 5
EOF
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Assign ownership to the opendkim user and restrict tthe
# - file permissions:
# -
echononl " Assign ownership and file permissions.."
chmod u=rw,go=r $opendkim_conf_file 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
# - Create the directories to hold OpenDKIMs data files, assign
# - ownership to the opendkim user, and restrict the file
# - permissions:
# -
echononl " Create directory '$opendkim_base_dir'"
if [[ -d "$opendkim_base_dir" ]] ; then
echo_skipped
else
opendkim_needs_restart=true
mkdir ${opendkim_base_dir} 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
echononl " Create directory '$opendkim_key_dir'"
if [[ -d "$opendkim_key_dir" ]] ; then
echo_skipped
else
opendkim_needs_restart=true
mkdir $opendkim_key_dir 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
echononl " Set ownership on directory '${opendkim_base_dir}' (recursive).."
chown -R opendkim:opendkim ${opendkim_base_dir} 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Set file-permission on $opendkim_key_dir"
chmod go-rw $opendkim_key_dir 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
# - Create empty files
# - ${opendkim_base_dir}/signing.table
# - ${opendkim_base_dir}/key.table
# -
echononl " Create empty file '${opendkim_base_dir}/signing.table'.."
if [[ -f "${opendkim_base_dir}/signing.table" ]] ; then
echo_skipped
else
touch ${opendkim_base_dir}/signing.table 2> $log_file
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
echononl " Create empty file '${opendkim_base_dir}/key.table'.."
if [[ -f "${opendkim_base_dir}/key.table" ]] ; then
echo_skipped
else
touch ${opendkim_base_dir}/key.table 2> $log_file
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Create the trusted hosts file ${opendkim_base_dir}/trusted.hosts.
# -
echononl " Create trusted hosts file '${opendkim_base_dir}/trusted'.."
if [[ -f "${opendkim_base_dir}/trusted" ]] ; then
echo_skipped
else
cat <<EOF > ${opendkim_base_dir}/trusted 2> $log_file
127.0.0.1
::1
localhost
$(hostname -f)
EOF
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Create the OpenDKIM socket directory in Postfixs work area
# - and make sure it has the correct ownership:
# -
echononl " Create the OpenDKIM socket directory in Postfixs work area.."
if [[ -d "${postfix_spool_dir}/opendkim" ]] ; then
echo_skipped
else
mkdir ${postfix_spool_dir}/opendkim 2> $log_file
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Set ownership on directory '${postfix_spool_dir}/opendkim'.."
chown opendkim:postfix ${postfix_spool_dir}/opendkim 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Edit /etc/default/opendkim
# -
# - Set:
# - SOCKET="local:${postfix_spool_dir}/opendkim/opendkim.sock"
# -
echononl " Set 'SOCKET' at file /etc/default/opendkim.."
if grep -q -E "^\s*SOCKET" /etc/default/opendkim 2>/dev/null ; then
if grep -q -E "^\s*SOCKET.*local:$opendkim_socket_file" /etc/default/opendkim 2>/dev/null ; then
echo_skipped
else
perl -i -n -p -e "s#^\s*SOCKET=.*#SOCKET=\"local:$opendkim_socket_file\"#" /etc/default/opendkim 2> $log_file
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
cat <<EOF >>/etc/default/opendkim 2> $log_file
SOCKET="local:$opendkim_socket_file"
EOF
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Edit /etc/postfix/main.cf and add a section to activate
# - processing of e-mail through the OpenDKIM daemon:
# -
backup_date="$(date +%Y-%m-%d-%H%M)"
echononl " Backup existing postfix configuration (main.cf).."
cp -a /etc/postfix/main.cf /etc/postfix/main.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Activate processing of e-mail through the OpenDKIM daemon.."
if grep -q -E "milter_default_action\s*=\s*accept" /etc/postfix/main.cf ; then
echo_skipped
warn "Postfix (main.cf) seems already be configured for milters"
echononl " Delete previosly saved Postfix configuration.."
rm /etc/postfix/main.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
# ======= Milter configuration =======
# OpenDKIM
milter_default_action = accept
# Postfix ≥ 2.6 milter_protocol = 6, Postfix ≤ 2.5 milter_protocol = 2
milter_protocol = 6
# Note:
# We will sign AFTER sending through AmaVIS, just befor sending out. So
# set 'smtpd_milters =' to an emty string here and add to localhost:10025
# section in master.cf: 'smtpd_milters=local:/opendkim/opendkim.sock'
#
# If you want sign mails before sending through AmaVIS, set
# 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
# localhost:10025 section in master.cf: 'smtpd_milters='
#
#smtpd_milters = local:/opendkim/opendkim.sock
smtpd_milters =
# Was sind non_smtpd_milters?
#
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
# der smtpd-Daemon sind.
#
# Das betrifft z. B.:
#
# cleanup Header/Content-Bereinigung
# qmgr Queue-Manager
# lmtp / smtp Auslieferung nach extern
# local lokale Zustellung
#
# Das sind z. B.:
#
# - interne Bounces (MAILER-DAEMON)
#
# - Cron-Mails vom Server
#
# - Weiterleitungen, die Postfix selbst generiert
#
# - Mails, die über sendmail CLI gesendet werden
#
# - Mails, die Amavis über LMTP zurückgibt
#
# - etc.
#
#
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
non_smtpd_milters = local:/opendkim/opendkim.sock
EOF
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Prevent Postfix from setting the DKIM Header twice (one befor
# - and one after processing amavis
# -
# - To disable milter processing after amavis, add to your master.cf in
# - the after-amavis section:
# - 127.0.0.1:10025 inet n - - - - smtpd
# - [...]
# - -o smtpd_milters=
# -
# - If you want to run the milter after amavis, set in main.cf
# - smtpd_milters=
# - to an empty string and add the smtpd_milters configuration to master.cf
# - (after-section amavis) instead:
# - -o smtpd_milters=local:/opendkim/opendkim.sock
# -
echononl " Backup file '/etc/postfix/master.cf'.."
cp -a /etc/postfix/master.cf /etc/postfix/master.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Adjust /etc/postfix/master.cf. Set DKIM after sending throuh AmaVIS.."
_found=false
_changed=false
tmp_master_file="/tmp/postfix_master.cf"
> $tmp_master_file
while IFS='' read -r _line || [[ -n $_line ]] ; do
if $_found && ! echo "$_line" | grep -i -q -E "^\s*-o" 2> /dev/null ; then
echo " -o smtpd_milters=local:/opendkim/opendkim.sock" >> "$tmp_master_file"
_changed=true
_found=false
fi
if $_found && echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*" ; then
_found=false
if ! echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*local:/opendkim/opendkim.sock\s*$" ; then
echo " -o smtpd_milters=local:/opendkim/opendkim.sock" >> "$tmp_master_file"
_changed=true
continue
fi
fi
if echo "$_line" | grep -i -q -E "^\s*(submission|smtps)\s+inet\s+" 2> /dev/null ; then
_found=true
fi
echo "$_line" >> "$tmp_master_file"
done < "/etc/postfix/master.cf"
if $_changed ; then
cp $tmp_master_file /etc/postfix/master.cf 2> $log_file
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
info "Postfix (master.cf) was not changed - seems already be configured right."
echononl " Delete previosly saved file '/etc/postfix/master.cf'.."
rm /etc/postfix/master.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
rm -f $tmp_master_file
echo ""
# - Restart OpenDKIM
# -
echononl " Restart OpenDKIM.."
if $opendkim_needs_restart ; then
if $SYSTEMD_EXISTS ; then
systemctl restart opendkim > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
/etc/init.d/opendkim restart > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
echo_skipped
fi
# - Restart Postfix so it starts using OpenDKIM when processing mail:
# -
echononl " Restart Postfix.."
if $postfix_needs_restart ; then
if $SYSTEMD_EXISTS ; then
systemctl restart postfix > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
/etc/init.d/postfix restart > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
echo_skipped
fi
echo ""
rm -f "$log_file"
exit 0

936
BAK/install_opendmarc.sh.Pre-Queue.00 Executable file
View File

@@ -0,0 +1,936 @@
#!/usr/bin/env bash
clear
echo -e "\n \033[32mStart Installation of OpenDMARC..\033[m"
overwrite_config_files=true
# -------------
# - Settings
# -------------
#_src_base_dir="$(realpath $(dirname $0))"
#conf_file="${_src_base_dir}/conf/install_opendmarc.conf"
_opendmarc_packages="opendmarc"
opendmarc_base_dir="/etc/opendmarc"
opendmarc_conf_file="/etc/opendmarc.conf"
postfix_spool_dir="/var/spool/postfix"
opendmarc_socket_dir="${postfix_spool_dir}/opendmarc"
opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
config_file_name_value_parameters="
AuthservID|$(hostname -f)
TrustedAuthservIDs|$(hostname -f)
PidFile|/run/opendmarc/opendmarc.pid
RejectFailures|true
Syslog|true
SyslogFacility|mail
IgnoreHosts|${opendmarc_base_dir}/ignore.hosts
IgnoreMailFrom|${opendmarc_base_dir}/ignore.mailfrom
IgnoreAuthenticatedClients|true
RequiredHeaders|false
UMask|002
FailureReports|false
AutoRestart|true
HistoryFile|/run/opendmarc/opendmarc.dat
SPFIgnoreResults|false
SPFSelfValidate|true
Socket|${opendmarc_socket_file}
"
declare -a config_file_name_value_parameter_arr=()
for _conf in $config_file_name_value_parameters ; do
config_file_name_value_parameter_arr+=("$_conf")
done
postfix_needs_restart=false
opendmarc_needs_restart=false
backup_date="$(date +%Y-%m-%d-%H%M)"
log_file="$(mktemp)"
# -------------
# --- Some functions
# -------------
echononl(){
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
}
fatal(){
echo ""
echo -e "fatal error: $*"
echo ""
echo -e "\t\033[31m\033[1mInstalllation will be interrupted\033[m\033[m"
echo ""
exit 1
}
error(){
echo ""
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
echo ""
}
warn (){
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
echo ""
}
info (){
echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
echo ""
}
echo_done() {
echo -e "\033[80G[ \033[32mdone\033[m ]"
}
echo_ok() {
echo -e "\033[80G[ \033[32mok\033[m ]"
}
echo_warning() {
echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
echo -e "\033[80G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
echo -e "\033[80G[ \033[37mskipped\033[m ]"
}
# -------------
# - Some pre-installation tasks
# -------------
# - Is 'systemd' supported on this system
# -
SYSTEMD_EXISTS=false
systemd=$(which systemd)
systemctl=$(which systemctl)
if [[ -n "$systemd" ]] || [[ -n "$systemctl" ]] ; then
SYSTEMD_EXISTS=true
fi
# =============
# - Start Installation
# =============
echo ""
# - Synchronise package index files with the repository
# -
echononl " Synchronise package index files with the repository.."
apt-get update > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
# - Install opendmarc
# -
echononl " Install needed debian packages.."
opendmarc_packages=""
packages_installed=false
for _pkg in $_opendmarc_packages ; do
if aptitude search "$_pkg" | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
continue
else
opendmarc_packages="$opendmarc_packages $_pkg"
fi
done
if [[ -n "$opendmarc_packages" ]]; then
DEBIAN_FRONTEND=noninteractive apt-get -y install $opendmarc_packages > /dev/null 2> "$log_file"
packages_installed=true
opendmarc_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add user 'postfix' to group 'opendmarc'
# -
echononl " Add user 'postfix' to group 'opendmarc'.."
if grep -E "^opendmarc" /etc/group | grep -q postfix 2> /dev/null ; then
echo_skipped
else
usermod -a -G opendmarc postfix > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Add 'IgnoreHosts' with default value to the original opendmarc.conf file
#
echononl " Add 'IgnoreHosts' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^IgnoreHosts\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Specifies the path to a file that contains a list of hostnames, IP addresses,
## and/or CIDR expressions identifying hosts whose SMTP connections are to be
## ignored by the filter. If not specified, defaults to "127.0.0.1" only.
#
IgnoreHosts 127.0.0.1
# Optional - auch nach Absender-Domain ignorieren:
IgnoreMailFrom ${opendmarc_base_dir}/ignore.mailfrom
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'IgnoreAuthenticatedClients' with default value to the original opendmarc.conf file
#
_param="IgnoreAuthenticatedClients"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter. The default is "false".
#
IgnoreAuthenticatedClients false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'TrustedAuthservIDs' with default value to the original opendmarc.conf file
#
_param="TrustedAuthservIDs"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
# Provides a list of authserv-ids that are to be used to identify Authentication-Results
# header fields whose contents are to be assumed as valid input for the DMARC assessment.
# To provide a list, separate values by commas. If the string "HOSTNAME" is provided,
# the name of the host running the filter (as returned by the gethostname(3) function)
# will be used. Matching against this list is case-insensitive. The default is to use the
# value of AuthservID.
#
TrustedAuthservIDs OpenDMARC
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
#
_param="IgnoreAuthenticatedClients"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter. The default is "false".
#
IgnoreAuthenticatedClients false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
#
_param="RequiredHeaders"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, the filter will ensure the header of the message conforms to the basic
## header field count restrictions laid out in RFC5322, Section 3.6. Messages
## failing this test are rejected without further processing. A From: field from
## which no domain name could be extracted will also be rejected.
#
RequiredHeaders false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'AutoRestart' with default value to the original opendmarc.conf file
#
_param="AutoRestart"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Automatically re-start on failures. Use with caution; if the filter fails
## instantly after it starts, this can cause a tight fork(2) loop.
#
AutoRestart false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'HistoryFile' with default value to the original opendmarc.conf file
#
_param="HistoryFile"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, specifies the location of a text file to which records are written
## that can be used to generate DMARC aggregate reports. Records are batches of
## rows containing information about a single received message, and include all
## relevant information needed to generate a DMARC aggregate report. It is
## expected that this will not be used in its raw form, but rather periodically
## imported into a relational database from which the aggregate reports can be
## extracted using opendmarc-importstats(8).
#
HistoryFile /run/opendmarc/opendmarc.dat
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'SPFIgnoreResults' with default value to the original opendmarc.conf file
#
_param="SPFIgnoreResults"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Causes the filter to ignore any SPF results in the header of the message. This
## is useful if you want the filter to perform SPF checks itself, or because you
## don't trust the arriving header. The default is "false".
#
SPFIgnoreResults false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'SPFSelfValidate' with default value to the original opendmarc.conf file
#
_param="SPFSelfValidate"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Causes the filter to perform a fallback SPF check itself when it can find no
## SPF results in the message header. If SPFIgnoreResults is also set, it never
## looks for SPF results in headers and always performs the SPF check itself when
## this is set. The default is "false".
#
SPFSelfValidate false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Save configuration file from distribution
# -
echononl " Save configuration file from distribution"
if [[ -f "${opendmarc_conf_file}.ORIG" ]] ; then
echo_skipped
else
cp -a $opendmarc_conf_file $opendmarc_conf_file.ORIG 2> "$log_file"
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
for _val in "${config_file_name_value_parameter_arr[@]}" ; do
IFS='|' read -a _val_arr <<< "${_val}"
echononl " $opendmarc_conf_file: ${_val_arr[0]} -> ${_val_arr[1]}.."
if $(grep -E -q "^\s*${_val_arr[0]}\s+${_val_arr[1]}\s*$" $opendmarc_conf_file 2> /dev/null) ; then
echo_skipped
elif $(grep -E -q "^\s*#\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null); then
perl -i -n -p -e "s&^(\s*#\s*${_val_arr[0]}.*)&\1\n${_val_arr[0]} ${_val_arr[1]}&" $opendmarc_conf_file > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
opendmarc_needs_restart=true
else
echo_failed
error "$(cat $log_file)"
fi
elif $(grep -E -q "^\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null) ; then
perl -i -n -p -e "s#^(\s*${_val_arr[0]}.*)#\#\1\n${_val_arr[0]} ${_val_arr[1]}#" $opendmarc_conf_file > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
opendmarc_needs_restart=true
else
echo_failed
error "$(cat $log_file)"
fi
else
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
${_val_arr[0]} ${_val_arr[1]}
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
opendmarc_needs_restart=true
else
echo_failed
error "$(cat $log_file)"
fi
fi
done
# - Assign ownership to the opendmarc user and restrict tthe
# - file permissions:
# -
echononl " Assign file permissions to '$opendmarc_conf_file'.."
chmod u=rw,go=r $opendmarc_conf_file 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
# - Create the directories to hold opendmarc's data files, assign
# - ownership to the opendmarc user, and restrict the file
# - permissions:
# -
echononl " Create directory '$opendmarc_base_dir'"
if [[ -d "$opendmarc_base_dir" ]] ; then
echo_skipped
else
opendmarc_needs_restart=true
mkdir ${opendmarc_base_dir} 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
echononl " Set ownership on directory '${opendmarc_base_dir}' (recursive).."
chown -R opendmarc:opendmarc ${opendmarc_base_dir} 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Backup existing file '${opendmarc_base_dir}/ignore.hosts'.."
if [[ -f "${opendmarc_base_dir}/ignore.hosts" ]] ; then
mv "${opendmarc_base_dir}/ignore.hosts" "${opendmarc_base_dir}/ignore.hosts.${backup_date}"
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Create the file ${opendmarc_base_dir}/ignore.hosts
# -
echononl " Create file '${opendmarc_base_dir}/ignore.hosts'.."
if [[ -f "${opendmarc_base_dir}/ignore.hosts" ]] ; then
echo_skipped
else
cat <<EOF > ${opendmarc_base_dir}/ignore.hosts 2> $log_file
# /etc/opendmarc/ignore.hosts
#
# Aktuell hat OpenDMARC seinen Milter nur am Dienst
# 'localhost:10025' hängen. Dort ist der Client
# immer 127.0.0.1, nicht die externe Gegenstelle.
#
# Deshalb macht es in diesem Setup keinen Sinn,
# hier IP-Adressen von externen Diensten (CRSend etc.)
# einzutragen sie würden nie matchen.
#
# WICHTIG:
# - KEIN 127.0.0.1
# - KEIN localhost
# - KEIN ::1
#
# Eintrag dieser Adressen würde DMARC komplett deaktivieren.
#
# ==> Datei bleibt absichtlich leer.
EOF
opendmarc_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Create the file ${opendmarc_base_dir}/ignore.hosts
# -
echononl " Backup existing file '${opendmarc_base_dir}/ignore.mailfrom'.."
if [[ -f "${opendmarc_base_dir}/ignore.mailfrom" ]] ; then
mv "${opendmarc_base_dir}/ignore.mailfrom" "${opendmarc_base_dir}/ignore.mailfrom.${backup_date}"
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
echononl " Create file '${opendmarc_base_dir}/ignore.mailfrom'.."
if [[ -f "${opendmarc_base_dir}/ignore.mailfrom" ]] ; then
echo_skipped
else
cat <<EOF > ${opendmarc_base_dir}/ignore.mailfrom 2> $log_file
# /etc/opendmarc/ignore.mailfrom
#
# Hier könnte man Absender-Domains von der DMARC-Prüfung
# ausnehmen (z. B. problematische Partner-Domains).
#
# Aktuell ist das für dein Setup nicht notwendig.
#
# Beispiele (NICHT aktiv!):
# @example.org
# example.org
#
# ==> Datei bleibt absichtlich leer.
EOF
opendmarc_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Edit /etc/default/opendmarc
# -
# - Set:
# - SOCKET="local:${postfix_spool_dir}/opendmarc/opendmarc.sock"
# -
echononl " Set 'SOCKET' at file /etc/default/opendmarc.."
if grep -q -E "^\s*SOCKET" /etc/default/opendmarc 2>/dev/null ; then
if grep -q -E "^\s*SOCKET\s*=\s*\"*local:$opendmarc_socket_file" /etc/default/opendmarc 2>/dev/null ; then
echo_skipped
else
perl -i -n -p -e "s#^\s*SOCKET=.*#SOCKET=\"local:$opendmarc_socket_file\"#" /etc/default/opendmarc 2> $log_file
opendmarc_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
cat <<EOF >>/etc/default/opendmarc 2> $log_file
SOCKET="local:$opendmarc_socket_file"
EOF
opendmarc_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Create the opendmarc socket directory in Postfixs work area
# - and make sure it has the correct ownership:
# -
echononl " Create the opendmarc socket directory in Postfix's work area.."
if [[ -d "${postfix_spool_dir}/opendmarc" ]] ; then
echo_skipped
else
mkdir ${postfix_spool_dir}/opendmarc 2> $log_file
opendmarc_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Set ownership on directory '${postfix_spool_dir}/opendmarc'.."
chown opendmarc:postfix ${postfix_spool_dir}/opendmarc 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Edit /etc/postfix/main.cf and add a section to activate
# - processing of e-mail through the opendmarc daemon:
# -
echononl " Backup existing postfix configuration (main.cf).."
cp -a /etc/postfix/main.cf /etc/postfix/main.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Set Variable non_smtpd_milters at '/etc/postfix/main.cf'.."
if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then
if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then
echo_skipped
else
perl -i -n -p -e "s&^\s*(non_smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \
/etc/postfix/main.cf > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
postfix_needs_restart=true
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
echo_skipped
warn "Postfix is not adjusted. Complete Postfix configuration (main.cf) manually\!"
fi
echo ""
# - Edit /etc/postfix/main.cf and add a section to activate
# - processing of e-mail through the OpenDKIM daemon:
# -
backup_date="$(date +%Y-%m-%d-%H%M)"
echononl " Backup existing postfix configuration (main.cf).."
cp -a /etc/postfix/main.cf /etc/postfix/main.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Activate processing of e-mail through the OpenDKIM daemon.."
if grep -q -E "milter_default_action\s*=\s*accept" /etc/postfix/main.cf ; then
echo_skipped
info "Postfix (main.cf) was not changed - seems already be configured right."
echononl " Delete previosly saved Postfix configuration.."
rm /etc/postfix/main.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
# ======= Milter configuration =======
# OpenDKIM
milter_default_action = accept
# Postfix ≥ 2.6 milter_protocol = 6, Postfix ≤ 2.5 milter_protocol = 2
milter_protocol = 6
# Note:
# We will sign AFTER sending through AmaVIS, just befor sending out. So
# set 'smtpd_milters =' to an emty string here and add to localhost:10025
# section in master.cf: 'smtpd_milters=local:/opendkim/opendkim.sock'
#
# If you want sign mails before sending through AmaVIS, set
# 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
# localhost:10025 section in master.cf: 'smtpd_milters='
#
#smtpd_milters = local:/opendkim/opendkim.sock
smtpd_milters =
# Was sind non_smtpd_milters?
#
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
# der smtpd-Daemon sind.
#
# Das betrifft z. B.:
#
# cleanup Header/Content-Bereinigung
# qmgr Queue-Manager
# lmtp / smtp Auslieferung nach extern
# local lokale Zustellung
#
# Das sind z. B.:
#
# - interne Bounces (MAILER-DAEMON)
#
# - Cron-Mails vom Server
#
# - Weiterleitungen, die Postfix selbst generiert
#
# - Mails, die über sendmail CLI gesendet werden
#
# - Mails, die Amavis über LMTP zurückgibt
#
# - etc.
#
#
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
non_smtpd_milters = local:/opendkim/opendkim.sock
EOF
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
echo ""
# - Prevent Postfix from setting the DMARC Header twice (one befor
# - and one after processing amavis
# -
# - To disable milter processing after amavis, add to your master.cf in
# - the after-amavis section:
# - 127.0.0.1:10025 inet n - - - - smtpd
# - [...]
# - -o smtpd_milters=
# -
# - If you want to run the milter after amavis, set in main.cf
# - smtpd_milters=
# - to an empty string and add the smtpd_milters configuration to master.cf
# - (after-section amavis) instead:
# - -o smtpd_milters=local:/opendmarc/opendmarc.sock
# -
echononl " Backup file '/etc/postfix/master.cf'.."
cp -a /etc/postfix/master.cf /etc/postfix/master.cf.${backup_date} 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Adjust /etc/postfix/master.cf. Set DMARC after sending throuh AmaVIS.."
_found=false
_changed=false
tmp_master_file="/tmp/postfix_master.cf"
> $tmp_master_file
while IFS='' read -r _line || [[ -n $_line ]] ; do
if $_found && ! echo "$_line" | grep -i -q -E "^\s*-o" 2> /dev/null ; then
echo " -o smtpd_milters=local:/opendmarc/opendmarc.sock" >> "$tmp_master_file"
_changed=true
_found=false
fi
if $_found && echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*" ; then
_found=false
if ! echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*local:/opendmarc/opendmarc.sock\s*$" ; then
echo " -o smtpd_milters=local:/opendmarc/opendmarc.sock" >> "$tmp_master_file"
_changed=true
continue
fi
fi
if echo "$_line" | grep -i -q -E "^\s*(localhost|127.0.0.1):10025\s+inet\s+" 2> /dev/null ; then
_found=true
fi
echo "$_line" >> "$tmp_master_file"
done < "/etc/postfix/master.cf"
if $_changed ; then
cp $tmp_master_file /etc/postfix/master.cf 2> $log_file
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
info "Postfix (master.cf) was not changed - seems already be configured right."
echononl " Delete previosly saved file '/etc/postfix/master.cf'.."
rm /etc/postfix/master.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
rm -f $tmp_master_file
echo ""
echononl " Enable OpenDMARC Service"
if $SYSTEMD_EXISTS ; then
systemctl enable opendmarc > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
warn "Maybe OpenDMARC Service is not enabled, because its an old non-systemd os.."
fi
# - Restart opendmarc
# -
echononl " Restart opendmarc.."
if $opendmarc_needs_restart ; then
if $SYSTEMD_EXISTS ; then
systemctl restart opendmarc > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
/etc/init.d/opendmarc restart > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
echo_skipped
fi
# - Restart Postfix so it starts using opendmarc when processing mail:
# -
echononl " Restart Postfix.."
if $postfix_needs_restart ; then
if $SYSTEMD_EXISTS ; then
systemctl restart postfix > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
/etc/init.d/postfix restart > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
echo_skipped
fi
echo ""
rm -f "$log_file"
exit 0

88
install_amavis.sh
View File

@@ -218,6 +218,9 @@ elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -eq 11 ]] ; then
elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -eq 12 ]] ; then
_needed_packages_clamav="$_needed_packages_clamav \
libclamunrar11"
elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -eq 13 ]] ; then
_needed_packages_clamav="$_needed_packages_clamav \
libclamunrar12"
else
_needed_packages_clamav="$_needed_packages_clamav \
libclamunrar13"
@@ -233,7 +236,6 @@ _needed_decoders_amavis="
cpio\
lhasa \
lzop \
liblz4-tool \
lrzip \
melt \
nomarch \
@@ -250,6 +252,11 @@ _needed_decoders_amavis="
unzip \
zip "
if [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 12 ]] ; then
_needed_decoders_amavis="$_needed_decoders_amavis \
liblz4-tool"
fi
if [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 10 ]] ; then
_needed_decoders_amavis="$_needed_decoders_amavis \
ripole \
@@ -3934,7 +3941,7 @@ installation_failed=false
_needed_cpan_modules="
Digest::SHA1
Digest::SHA2
Digest::SHA256
Digest::SHA
Encode::Detect
Net::Patricia"
for _module in $_needed_cpan_modules ; do
@@ -4916,25 +4923,38 @@ else
fi
## - Provide an 'After-queue filter' (classic content filter):
## -
## - - The external sender communicates with port 25.
## - - Postfix accepts the email and initially places it in the queue.
## - - Postfix then forwards the email to Amavis (10024).
## - - Amavis returns it to Postfix (typically on 10025).
## -
## - Advantage:
## - Port 25 is 'normal Postfix SMTP'
## - -> Milters (OpenDMARC/OpenDKIM verify) access port 25 cleanly
## - -> DMARC reject happens in the SMTP dialog (if you set it up that way
## - and the checks pass 'pre-queue')
## -
## - Disadvantage:
## - Some types of rejections may no longer happen 'before queue', but only later
## - (depending on the type of check)
## -
## -
## - Set up /etc/postfix/master
## -
## - Forward emails to amavis using "Pre-Queue" Option smtpd_proxy_filter
## - Forward emails to amavis using "After-Queue-Filter" Option content_filter
## -
## - edit /etc/postfix/master.cf and add flags for "smtpd_proxy_filter" (to
## - forward to amavis service on localhost port 10024) and for "content_filter"
## - (to avoid rechecking by "Post-Queue" content_filter) to smtp service
## - edit /etc/postfix/master.cf and add flags for "content_filter" (to
## - forward to amavis service on localhost port 10024)
## -
## - smtp inet n - - - - smtpd
## - -o smtpd_proxy_filter=127.0.0.1:10024
## - -o content_filter=
## - -o content_filter=amavisfeed:[127.0.0.1]:10024
## -
## - take care, that, in case NOT to reject, amavis fowards the mail to the
## - MTA (Postfix) for delivering. To avoid loops in checking, install a
## - (Postfix) smtpd service on a local Port (10025) without checking anymore
## - !! Noticw !!
## - - take care localhost:10025 has empty 'content_filter'
## -
## - to do this edit /etc/postfix/master.cf and add service:
## -
## - localhost:10025 inet n - - - - smtpd
## - localhost:10025 inet n - y - - smtpd
## - -o content_filter=
## - -o smtpd_proxy_filter=
## - -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
@@ -4943,9 +4963,10 @@ fi
## - -o smtpd_sender_restrictions=
## - -o smtpd_recipient_restrictions=permit_mynetworks,reject
## - -o smtpd_data_restrictions=
## - -o mynetworks=127.0.0.0/8,[::1]/128,<$_ipv4_address/32>
## - -o mynetworks=127.0.0.0/8,[::1]/128
## - -o receive_override_options=no_unknown_recipient_checks
## -
## - - take care not to have 'content_filter' set im main.cf
postfix_master_cf="/etc/postfix/master.cf"
echo ""
echononl " Backup file \"${postfix_master_cf}\""
@@ -4997,10 +5018,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
_found=true
cat >> $postfix_master_cf << EOF
smtp inet n - y - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o content_filter=
-o smtpd_milters=
-o non_smtpd_milters=
-o content_filter=amavisfeed:[127.0.0.1]:10024
EOF
if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
cat >> $postfix_master_cf << EOF
@@ -5024,7 +5042,8 @@ localhost:10025 inet n - y - - smtpd
EOF
if [[-n "$(which opendmarc)" ]] ; then
cat >> $postfix_master_cf << EOF
-o smtpd_milters=local:/opendmarc/opendmarc.sock
# IMPORTANT: no opendmarc here!
#-o smtpd_milters=local:/opendmarc/opendmarc.sock
EOF
fi
cat >> $postfix_master_cf << EOF
@@ -5040,8 +5059,7 @@ EOF
_found=true
cat >> $postfix_master_cf << EOF
${additional_smtp_port} inet n - y - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o content_filter=
-o content_filter=amavisfeed:[127.0.0.1]:10024
EOF
if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
cat >> $postfix_master_cf << EOF
@@ -5066,11 +5084,9 @@ EOF
if [[ -n "$(which opendkim)" ]] ; then
cat >> $postfix_master_cf << EOF
-o smtpd_milters=local:/opendkim/opendkim.sock
-o milter_macro_daemon_name=ORIGINATING
EOF
fi
cat >> $postfix_master_cf << EOF
#-o milter_macro_daemon_name=ORIGINATING
EOF
if ! $smtps_present ; then
if ! $localhost_10025_present ; then
cat >> $postfix_master_cf << EOF
@@ -5088,12 +5104,10 @@ localhost:10025 inet n - y - - smtpd
EOF
if [[ -n "$(which opendmarc)" ]] ; then
cat >> $postfix_master_cf << EOF
-o smtpd_milters=local:/opendmarc/opendmarc.sock
# IMPORTANT: no opendmarc here!
#-o smtpd_milters=local:/opendmarc/opendmarc.sock
EOF
fi
cat >> $postfix_master_cf << EOF
#-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32
EOF
fi
if ! $amavisfeed_present ; then
@@ -5123,11 +5137,9 @@ EOF
if [[ -n "$(which opendkim)" ]] ; then
cat >> $postfix_master_cf << EOF
-o smtpd_milters=local:/opendkim/opendkim.sock
-o milter_macro_daemon_name=ORIGINATING
EOF
fi
cat >> $postfix_master_cf << EOF
#-o milter_macro_daemon_name=ORIGINATING
EOF
if ! $localhost_10025_present ; then
cat >> $postfix_master_cf << EOF
@@ -5145,12 +5157,10 @@ localhost:10025 inet n - y - - smtpd
EOF
if [[ -n "$(which opendmarc)" ]] ; then
cat >> $postfix_master_cf << EOF
-o smtpd_milters=local:/opendmarc/opendmarc.sock
# IMPORTANT: no opendmarc here!
#-o smtpd_milters=local:/opendmarc/opendmarc.sock
EOF
fi
cat >> $postfix_master_cf << EOF
#-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32
EOF
fi
if ! $amavisfeed_present ; then
@@ -5184,12 +5194,10 @@ localhost:10025 inet n - y - - smtpd
EOF
if [[ -n "$(which opendmarc)" ]] ; then
cat >> $postfix_master_cf << EOF
-o smtpd_milters=local:/opendmarc/opendmarc.sock
# IMPORTANT: no opendmarc here!
#-o smtpd_milters=local:/opendmarc/opendmarc.sock
EOF
fi
cat >> $postfix_master_cf << EOF
#-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32
EOF
continue
fi

171
install_opendkim.sh
View File

@@ -206,73 +206,208 @@ else
cat <<EOF > $opendkim_conf_file 2> $log_file
# Datei $opendkim_conf_file
# AuthservID (string)
#
# Sets the "authserv-id" to use when generating the Authentication-Results:
# header field after verifying a message. The default is to use the name of
# the MTA processing the message. If the string "HOSTNAME" is provided, the
# name of the host running the filter (as returned by the gethostname(3)
# function) will be used.
AuthservID "DKIM check $(hostname -f)"
AuthservID HOSTNAME
# Mode (string)
#
# OpenDKIM agiert als Mail Filter (= Milter) in den
# Modi signer (s) und verifier (v) und verwendet eine
# Socket-Datei zur Kommunikation (alternativ: lokaler Port)
Mode sv
# Socket (string)
#
# Specifies the socket that should be established by the filter to receive
# connections from sendmail(8) in order to provide service. socketspec is
# in one of two forms: local:path, which creates a UNIX domain socket at
# the specified path, or inet:port[@host] or inet6:port[@host] which
# creates a TCP socket on the specified port and in the specified protocol
# family. If the host is not given as either a hostname or an IP address,
# the socket will be listening on all interfaces. A literal IP address must
# be enclosed in square brackets. This option is mandatory either in the
# configuration file or on the command line.
#
# Socket local:/var/run/opendkim/opendkim.sock
# Socket local:$opendkim_socket_file
# Socket inet:12345@localhost
Socket local:$opendkim_socket_file
# OpenDKIM verwendet diesen Benutzer bzw.
# diese Gruppe
# UserID (string)
#
# Attempts to become the specified userid before starting operations. The
# value is of the form userid[:group]. The process will be assigned all of
# the groups and primary group ID of the named userid unless an alternate
# group is specified.
UserID opendkim:opendkim
# UMask (integer)
#
#Requests a specific permissions mask to be used for file creation. This
# only really applies to creation of the socket when Socket specifies a UNIX
# domain socket, and to the PidFile (if any); temporary files are created by
# the mkstemp(3) function that enforces a specific file mode on creation
# regardless of the process umask. See umask(2) for more information.
#
UMask 002
# PidFile (string)
#
# Specifies the path to a file that should be created at process start
# containing the process ID.
PidFile /var/run/opendkim/opendkim.pid
# OpenDKIM bei Problemen neustarten,
# aber max. 10 mal pro Stunde
# AutoRestart (Boolean)
#
# Automatically re-start on failures. Use with caution; if the filter fails
# instantly after it starts, this can cause a tight fork(2) loop.
AutoRestart yes
# AutoRestartRate (string)
#
# Sets the maximum automatic restart rate. If the filter begins restarting
# faster than the rate defined here, it will give up and terminate. This is
# a string of the form n/t[u] where n is an integer limiting the count of
# restarts in the given interval and t[u] defines the time interval through
# which the rate is calculated; t is an integer and u defines the units thus
# represented ("s" or "S" for seconds, the default; "m" or "M" for minutes;
# "h" or "H" for hours; "d" or "D" for days). For example, a value of "10/1h"
# limits the restarts to 10 in one hour. There is no default, meaning restart
# rate is not limited.
AutoRestartRate 10/1h
# Logging (wenn alles funktioniert eventuell reduzieren)
# Syslog (Boolean)
#
# Log via calls to syslog(3) any interesting activity.
Syslog yes
# SyslogSuccess (Boolean)
#
# Log via calls to syslog(3) additional entries indicating successful signing
# or verification of messages.
SyslogSuccess yes
# LogWhy (boolean)
#
# If logging is enabled (see Syslog below), issues very detailed logging
# about the logic behind the filters decision to either sign a message or
# verify it. The logic behind the decision is non-trivial and can be confusing
# to administrators not familiar with its operation. A description of how the
# decision is made can be found in the OPERATIONS section of the opendkim(8)
# man page. This causes a large increase in the amount of log data generated
# for each message, so it should be limited to debugging use and not enabled
# for general operation.
LogWhy yes
# Verfahren, wie Header und Body durch
# OpenDKIM verarbeitet werden sollen.
Canonicalization relaxed/simple
# interne Mails nicht mit OpenDKIM verarbeiten
# ExternalIgnoreList (dataset)
#
# Identifies a set of "external" hosts that may send mail through the server
# as one of the signing domains without credentials as such. This has the
# effect of suppressing the "external host (hostname) tried to send mail as
# (domain)" log messages. Entries in the data set should be of the same form
# as those of the PeerList option below. The set is empty by default.
ExternalIgnoreList refile:${opendkim_base_dir}/trusted
# InternalHosts (dataset)
#
# Identifies a set internal hosts whose mail should be signed rather than
# verified. Entries in this data set follow the same form as those of the
# PeerList option below. If not specified, the default of "127.0.0.1" is applied.
# Naturally, providing a value here overrides the default, so if mail from
# 127.0.0.1 should be signed, the list provided here should include that address
# explicitly.
InternalHosts refile:${opendkim_base_dir}/trusted
# welche Verschlüsselungs-Keys sollen für welche
# Domains verwendet werden
# (refile: für Dateien mit regulären Ausdrücke)
# SigningTable (dataset)
#
# Defines a table used to select one or more signatures to apply to a message
# based on the address found in the From: header field. Keys in this table vary
# depending on the type of table used; values in this data set should include
# one field that contains a name found in the KeyTable (see above) that
# identifies which key should be used in generating the signature, and an
# optional second field naming the signer of the message that will be included
# in the "i=" tag in the generated signature. Note that the "i=" value will not
# be included in the signature if it conflicts with the signing domain
# (the "d=" value).
#
# If the first field contains only a "%" character, it will be replaced by the
# domain found in the From: header field. Similarly, within the optional second
# field, any "%" character will be replaced by the domain found in the From:
# header field.
#
# If this table specifies a regular expression file ("refile"), then the keys are
# wildcard patterns that are matched against the address found in the From:
# header field. Entries are checked in the order in which they appear in the file.
#
# For all other database types, the full user@host is checked first, then simply
# host, then user@.domain (with all superdomains checked in sequence, so
# "foo.example.com" would first check "user@foo.example.com", then "user@.example.com",
# then "user@.com"), then .domain, then user@*, and finally *.
SigningTable refile:${opendkim_base_dir}/signing.table
# KeyTable (dataset)
#
# Gives the location of a file mapping key names to signing keys. If present,
# overrides any KeyFile setting in the configuration file. The data set named here
# maps each key name to three values: (a) the name of the domain to use in the
# signature's "d=" value; (b) the name of the selector to use in the signature's
# "s=" value; and (c) either a private key or a path to a file containing a private
# key. If the first value consists solely of a percent sign ("%") character, it
# will be replaced by the apparent domain of the sender when generating a signature.
# If the third value starts with a slash ("/") character, or "./" or "../", then it
# is presumed to refer to a file from which the private key should be read, otherwise
# it is itself a PEM-encoded private key or a base64-encoded DER private key; a "%"
# in the third value in this case will be replaced by the apparent domain name of
# the sender. The SigningTable (see below) is used to select records from this table
# to be used to add signatures based on the message sender.
KeyTable ${opendkim_base_dir}/key.table
# diesen Signatur-Algorithmus verwenden
# SignatureAlgorithm (string)
#
# Selects the signing algorithm to use when generating signatures. Use 'opendkim -V'
# to see the list of supported algorithms. The default is rsa-sha256 if it is
# available, otherwise it will be rsa-sha1.
SignatureAlgorithm rsa-sha256
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
# OversignHeaders (dataset)
#
# Specifies a set of header fields that should be included in all signature header
# lists (the "h=" tag) once more than the number of times they were actually present
# in the signed message. The set is empty by default. The purpose of this, and
# especially of listing an absent header field, is to prevent the addition of
# important fields between the signer and the verifier. Since the verifier would
# include that header field when performing verification if it had been added by an
# intermediary, the signed message and the verified message were different and the
# verification would fail. Note that listing a field name here and not listing it in
# the SignHeaders list is likely to generate invalid signatures.
OversignHeaders From
# AlwaysAddARHeader (Boolean)
#
# Add an "Authentication-Results:" header field even to unsigned messages
# from domains with no "signs all" policy. The reported DKIM result will be
# "none" in such cases. Normally unsigned mail from non-strict domains does
# not cause the results header field to be added.
AlwaysAddARHeader yes
# Background (Boolean)
#
# Causes opendkim to fork and exits immediately, leaving the service running
# in the background. The default is "true".
Background yes
# DNSTimeout (integer)
#
# Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
# default is 5. Ignored if not using an asynchronous resolver package. See
# also the NOTES section below.
@@ -391,7 +526,6 @@ else
127.0.0.1
::1
localhost
$(hostname -f)
EOF
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
@@ -509,7 +643,7 @@ milter_protocol = 6
# localhost:10025 section in master.cf: 'smtpd_milters='
#
#smtpd_milters = local:/opendkim/opendkim.sock
smtpd_milters =
smtpd_milters = local:/opendkim/opendkim.sock
# Was sind non_smtpd_milters?
#
@@ -591,6 +725,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
_found=false
if ! echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*local:/opendkim/opendkim.sock\s*$" ; then
echo " -o smtpd_milters=local:/opendkim/opendkim.sock" >> "$tmp_master_file"
echo " -o milter_macro_daemon_name=ORIGINATING" >> "$tmp_master_file"
_changed=true
continue
fi

290
install_opendmarc.sh
View File

@@ -24,8 +24,8 @@ opendmarc_socket_dir="${postfix_spool_dir}/opendmarc"
opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
config_file_name_value_parameters="
AuthservID|$(hostname -f)
TrustedAuthservIDs|$(hostname -f)
AuthservID|HOSTNAME
TrustedAuthservIDs|HOSTNAME
PidFile|/run/opendmarc/opendmarc.pid
RejectFailures|true
Syslog|true
@@ -42,6 +42,8 @@ config_file_name_value_parameters="
SPFSelfValidate|true
Socket|${opendmarc_socket_file}
"
declare -a config_file_name_value_parameter_arr=()
for _conf in $config_file_name_value_parameters ; do
config_file_name_value_parameter_arr+=("$_conf")
@@ -193,14 +195,39 @@ echononl " Add 'IgnoreHosts' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^IgnoreHosts\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## IgnoreHosts (string)
##
## Specifies the path to a file that contains a list of hostnames, IP addresses,
## and/or CIDR expressions identifying hosts whose SMTP connections are to be
## ignored by the filter. If not specified, defaults to "127.0.0.1" only.
#
IgnoreHosts 127.0.0.1
IgnoreHosts /etc/opendmarc/ignore.hosts
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# Optional - auch nach Absender-Domain ignorieren:
IgnoreMailFrom ${opendmarc_base_dir}/ignore.mailfrom
# - Add 'IgnoreMailFrom' with default value to the original opendmarc.conf file
#
echononl " Add 'IgnoreMailFrom' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^IgnoreMailFrom\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## IgnoreMailFrom (string)
##
## Gives a list of domain names whose mail (based on the From: domain)
## is to be ignored by the filter. The list should be comma-separated.
## Matching against this list is case-insensitive. The default is an
## empty list, meaning no mail is ignored.
#
IgnoreMailFrom /etc/opendmarc/ignore.mailfrom
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
@@ -220,10 +247,12 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## IgnoreAuthenticatedClients (Boolean)
##
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter. The default is "false".
#
IgnoreAuthenticatedClients false
IgnoreAuthenticatedClients true
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
@@ -250,30 +279,7 @@ if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
# will be used. Matching against this list is case-insensitive. The default is to use the
# value of AuthservID.
#
TrustedAuthservIDs OpenDMARC
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
#
_param="IgnoreAuthenticatedClients"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter. The default is "false".
#
IgnoreAuthenticatedClients false
TrustedAuthservIDs HOSTNAME
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
@@ -293,6 +299,8 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## RequiredHeaders (Boolean)
##
## If set, the filter will ensure the header of the message conforms to the basic
## header field count restrictions laid out in RFC5322, Section 3.6. Messages
## failing this test are rejected without further processing. A From: field from
@@ -318,10 +326,12 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## AutoRestart (Boolean)
##
## Automatically re-start on failures. Use with caution; if the filter fails
## instantly after it starts, this can cause a tight fork(2) loop.
#
AutoRestart false
AutoRestart true
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
@@ -341,6 +351,8 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## HistoryFile (string)
##
## If set, specifies the location of a text file to which records are written
## that can be used to generate DMARC aggregate reports. Records are batches of
## rows containing information about a single received message, and include all
@@ -349,7 +361,7 @@ if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
## imported into a relational database from which the aggregate reports can be
## extracted using opendmarc-importstats(8).
#
HistoryFile /run/opendmarc/opendmarc.dat
#HistoryFile /run/opendmarc/opendmarc.dat
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
@@ -398,7 +410,7 @@ if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
## looks for SPF results in headers and always performs the SPF check itself when
## this is set. The default is "false".
#
SPFSelfValidate false
SPFSelfValidate true
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
@@ -432,15 +444,6 @@ for _val in "${config_file_name_value_parameter_arr[@]}" ; do
echononl " $opendmarc_conf_file: ${_val_arr[0]} -> ${_val_arr[1]}.."
if $(grep -E -q "^\s*${_val_arr[0]}\s+${_val_arr[1]}\s*$" $opendmarc_conf_file 2> /dev/null) ; then
echo_skipped
elif $(grep -E -q "^\s*#\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null); then
perl -i -n -p -e "s&^(\s*#\s*${_val_arr[0]}.*)&\1\n${_val_arr[0]} ${_val_arr[1]}&" $opendmarc_conf_file > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
opendmarc_needs_restart=true
else
echo_failed
error "$(cat $log_file)"
fi
elif $(grep -E -q "^\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null) ; then
perl -i -n -p -e "s#^(\s*${_val_arr[0]}.*)#\#\1\n${_val_arr[0]} ${_val_arr[1]}#" $opendmarc_conf_file > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
@@ -450,6 +453,96 @@ for _val in "${config_file_name_value_parameter_arr[@]}" ; do
echo_failed
error "$(cat $log_file)"
fi
elif $(grep -E -q "^\s*#\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null); then
perl -i -n -p -e "s&^(\s*#\s*${_val_arr[0]}.*)&\1\n${_val_arr[0]} ${_val_arr[1]}&" $opendmarc_conf_file > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
opendmarc_needs_restart=true
else
echo_failed
error "$(cat $log_file)"
fi
else
if [[ "${_val_arr[0]}" == "IgnoreHosts" ]]; then
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
## IgnoreHosts (string)
##
## Specifies the path to a file that contains a list of hostnames, IP
## addresses, and/or CIDR expressions identifying hosts whose SMTP
## connections are to be ignored by the filter. If not specified,
## defaults to "127.0.0.1" only.
#
${_val_arr[0]} ${_val_arr[1]}
EOF
elif [[ "${_val_arr[0]}" == "IgnoreMailFrom" ]]; then
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
## IgnoreMailFrom (string)
##
## Gives a list of domain names whose mail (based on the From: domain)
## is to be ignored by the filter. The list should be comma-separated.
## Matching against this list is case-insensitive. The default is an
## empty list, meaning no mail is ignored.
#
${_val_arr[0]} ${_val_arr[1]}
EOF
elif [[ "${_val_arr[0]}" == "IgnoreAuthenticatedClients" ]]; then
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
## IgnoreAuthenticatedClients (Boolean)
##
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter. The default is "false".
#
${_val_arr[0]} ${_val_arr[1]}
EOF
elif [[ "${_val_arr[0]}" == "AutoRestart" ]]; then
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
## AutoRestart (Boolean)
##
## Automatically re-start on failures. Use with caution; if the filter
## fails instantly after it starts, this can cause a tight fork(2)
## loop.
#
${_val_arr[0]} ${_val_arr[1]}
EOF
elif [[ "${_val_arr[0]}" == "RequiredHeaders" ]]; then
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
## RequiredHeaders (Boolean)
##
## If set, the filter will ensure the header of the message conforms to
## the basic header field count restrictions laid out in RFC5322,
## Section 3.6. Messages failing this test are rejected without further
## processing. A From: field from which no domain name could be
## extracted will also be rejected.
#
${_val_arr[0]} ${_val_arr[1]}
EOF
elif [[ "${_val_arr[0]}" == "SPFSelfValidate" ]]; then
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
## SPFSelfValidate (Boolean)
##
## Causes the filter to perform a fallback SPF check itself when it can
## find no SPF results in the message header. If SPFIgnoreResults is
## also set, it never looks for SPF results in headers and always
## performs the SPF check itself when this is set. The default is
## "false".
#
${_val_arr[0]} ${_val_arr[1]}
EOF
elif [[ "${_val_arr[0]}" == "SPFIgnoreResults" ]]; then
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
## SPFIgnoreResults (Boolean)
##
## Causes the filter to ignore any SPF results in the header of the
## message. This is useful if you want the filter to perform SPF checks
## itself, or because you don't trust the arriving header. The default
## is "false".
#
${_val_arr[0]} ${_val_arr[1]}
EOF
else
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
@@ -463,6 +556,7 @@ EOF
error "$(cat $log_file)"
fi
fi
fi
done
@@ -686,8 +780,30 @@ if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.
fi
fi
else
echo_skipped
warn "Postfix is not adjusted. Complete Postfix configuration (main.cf) manually\!"
warn "non_smtpd_milters is not adjusted. Complete Postfix configuration (main.cf) manually\!"
fi
echononl " Set Variable smtpd_milters at '/etc/postfix/main.cf'.."
if $(grep -q -E "^\s*smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then
if $(grep -q -E "^\s*smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then
echo_skipped
else
perl -i -n -p -e "s&^\s*(smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \
/etc/postfix/main.cf > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
postfix_needs_restart=true
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
echo_skipped
warn "smtpd_milters was not adjusted. Complete Postfix configuration (main.cf) manually\!"
fi
@@ -724,7 +840,7 @@ else
# ======= Milter configuration =======
# OpenDKIM
# OpenDKIM, OpenDMARC
milter_default_action = accept
@@ -740,8 +856,7 @@ milter_protocol = 6
# 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
# localhost:10025 section in master.cf: 'smtpd_milters='
#
#smtpd_milters = local:/opendkim/opendkim.sock
smtpd_milters =
smtpd_milters = local:/opendkim/opendkim.sock, local:/opendmarc/opendmarc.sock
# Was sind non_smtpd_milters?
#
@@ -771,7 +886,7 @@ smtpd_milters =
#
#
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
non_smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = local:/opendkim/opendkim.sock, local:/opendmarc/opendmarc.sock
EOF
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
@@ -783,87 +898,6 @@ EOF
fi
echo ""
# - Prevent Postfix from setting the DMARC Header twice (one befor
# - and one after processing amavis
# -
# - To disable milter processing after amavis, add to your master.cf in
# - the after-amavis section:
# - 127.0.0.1:10025 inet n - - - - smtpd
# - [...]
# - -o smtpd_milters=
# -
# - If you want to run the milter after amavis, set in main.cf
# - smtpd_milters=
# - to an empty string and add the smtpd_milters configuration to master.cf
# - (after-section amavis) instead:
# - -o smtpd_milters=local:/opendmarc/opendmarc.sock
# -
echononl " Backup file '/etc/postfix/master.cf'.."
cp -a /etc/postfix/master.cf /etc/postfix/master.cf.${backup_date} 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Adjust /etc/postfix/master.cf. Set DMARC after sending throuh AmaVIS.."
_found=false
_changed=false
tmp_master_file="/tmp/postfix_master.cf"
> $tmp_master_file
while IFS='' read -r _line || [[ -n $_line ]] ; do
if $_found && ! echo "$_line" | grep -i -q -E "^\s*-o" 2> /dev/null ; then
echo " -o smtpd_milters=local:/opendmarc/opendmarc.sock" >> "$tmp_master_file"
_changed=true
_found=false
fi
if $_found && echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*" ; then
_found=false
if ! echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*local:/opendmarc/opendmarc.sock\s*$" ; then
echo " -o smtpd_milters=local:/opendmarc/opendmarc.sock" >> "$tmp_master_file"
_changed=true
continue
fi
fi
if echo "$_line" | grep -i -q -E "^\s*(localhost|127.0.0.1):10025\s+inet\s+" 2> /dev/null ; then
_found=true
fi
echo "$_line" >> "$tmp_master_file"
done < "/etc/postfix/master.cf"
if $_changed ; then
cp $tmp_master_file /etc/postfix/master.cf 2> $log_file
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
info "Postfix (master.cf) was not changed - seems already be configured right."
echononl " Delete previosly saved file '/etc/postfix/master.cf'.."
rm /etc/postfix/master.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
rm -f $tmp_master_file
echo ""
echononl " Enable OpenDMARC Service"

16
install_postfix_advanced.sh
View File

@@ -452,8 +452,8 @@ else
fi
INSTALL_DMARC_REPORT_SUPPORT=false
if ! ${IS_RELAY_HOST} ; then
INSTALL_DMARC_REPORT_SUPPORT=false
echo ""
echo -e "\033[32m--\033[m"
echo ""
@@ -580,9 +580,6 @@ fi
[[ "$IPV6" = "disabled" ]] && IPV6=""
exit
clean_up 1
# - Synchronise package index files with the repository
# -
@@ -3829,7 +3826,8 @@ if ${INSTALL_DMARC_REPORT_SUPPORT} ; then
# - ├── processed/ # Originalmails (Archiv)
# - ├── exports/ # CSV- und Top-Auswertungen
# - └── logs/ # Logdateien
echononl "Add directory Structure for collecting and analysing DMARC reports.."
echo ""
echononl " Add directory Structure for collecting and analysing DMARC reports.."
install -d -o vmail -g vmail -m 750 /var/lib/dmarc/{reports,processed,exports,logs} > /dev/null 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
@@ -3838,7 +3836,7 @@ if ${INSTALL_DMARC_REPORT_SUPPORT} ; then
error "$(cat $log_file)"
fi
echononl "Add 'dmarc-pipe' entry to $postfix_master_cf .."
echononl " Add 'dmarc-pipe' entry to $postfix_master_cf .."
cat <<EOF >> /etc/postfix/transport 2> $log_file
# - Take care your master.cf file ($postfix_master_cf) contains:
@@ -3856,7 +3854,7 @@ EOF
error "$(cat $log_file)"
fi
echononl "Create Postfix lookup table '/etc/postfix/transport'.."
echononl " Create Postfix lookup table '/etc/postfix/transport'.."
postmap btree:/etc/postfix/transport > /dev/null 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
@@ -3865,7 +3863,7 @@ EOF
error "$(cat $log_file)"
fi
echononl "Create script '/usr/local/bin/dmarc-collect.sh'.."
echononl " Create script '/usr/local/bin/dmarc-collect.sh'.."
tee /usr/local/bin/dmarc-collect.sh > /dev/null 2> $log_file <<'EOF'
#!/usr/bin/env bash
set -euo pipefail
@@ -3923,7 +3921,7 @@ EOF
fi
_failed=false
echononl "Set permissions for '/usr/local/bin/dmarc-collect.sh'.."
echononl " Set permissions for '/usr/local/bin/dmarc-collect.sh'.."
chown vmail:vmail /usr/local/bin/dmarc-collect.sh > /dev/null 2> $log_file
if [[ $? -ne 0 ]] ; then
_failed=true