From 1617fd32c4e33a6693247a5316218deb7010f367 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sat, 15 Jun 2019 19:48:38 +0200
Subject: [PATCH] install_postfix_advanced.sh: add support for 'tumgreyspf'in case of debian 10 (buster) an above.
---
 install_postfix_advanced.sh | 388 +++++++++++++++++++++++++++++++-----
 1 file changed, 342 insertions(+), 46 deletions(-)
diff --git a/install_postfix_advanced.sh b/install_postfix_advanced.sh
index d02d4e4..a8e78d3 100755
--- a/install_postfix_advanced.sh
+++ b/install_postfix_advanced.sh
@@ -11,6 +11,8 @@ _TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key"
 _TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt
+postfix_master_cf="/etc/postfix/master.cf"
+
 tmp_err_msg=$(mktemp)
 backup_date="$(date +%Y-%m-%d-%H%M)"
@@ -77,6 +79,34 @@ echo_failed(){
 echo_skipped() {
 echo -e "\033[80G[ \033[33m\033[1mskipped\033[m ]"
 }
+detect_os_1 () {
+
+ if $(which lsb_release > /dev/null 2>&1) ; then
+
+ os_dist="$(lsb_release -i | awk '{print tolower($3)}')"
+ os_version="$(lsb_release -r | awk '{print tolower($2)}')"
+ os_codename="$(lsb_release -c | awk '{print tolower($2)}')"
+
+ if [[ "$os_dist" = "debian" ]]; then
+ if $(echo "$os_version" | grep -q '\.') ; then
+ os_version=$(echo "$os_version" | cut --delimiter='.' -f1)
+ fi
+ fi
+
+ elif [[ -e "/etc/os-release" ]]; then
+
+ . /etc/os-release
+
+ os_dist=$ID
+ os_version=${VERSION_ID}
+
+ fi
+
+ # remove whitespace from os_dist and os_version
+ os_dist="${os_dist// /}"
+ os_version="${os_version// /}"
+
+}
 trap clean_up SIGHUP SIGINT SIGTERM
@@ -99,6 +129,14 @@ fi
 echo ""
+
+# - Detect OS - Set variable
+# - os_dist
+# - os_version
+# - os_codename
+# -
+detect_os_1
+
 # - Default Values
 # -
 #_IS_RELAY_HOST=false
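Review bot: detect_os_1 leaves os_version in a shape that the later `[[ $os_version -lt 10 ]]` test cannot rely on: the lsb_release path strips the minor version only for Debian, the /etc/os-release path never strips it (a VERSION_ID such as `18.04` would then reach the arithmetic comparison unchanged), and when neither probe succeeds the variable is simply never assigned, so the comparison presumably runs against an empty value. Normalising once after both branches, `os_version="${os_version%%.*}"`, and failing early when `os_dist` or `os_version` is still empty would make the branch selection deterministic. The os-release branch could also set `os_codename="${VERSION_CODENAME:-}"` so that variable exists on both paths, as the comment at the call site promises. As a point of style, `if $(which lsb_release > /dev/null 2>&1) ; then` executes the (empty) output of the substitution rather than the command itself; `if command -v lsb_release > /dev/null 2>&1 ; then` says what is meant, and the same `if ! $(grep -q …)` form recurs throughout the tumgreyspf hunk and in the smtp-ipv4-only/ipv6-only hunk.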
@@ -454,66 +492,308 @@ else
 fi
-## - Install Postgrey from debian packages system
-## -
-echononl " Install Postgrey from debian packages system"
-_pkg="postgrey"
-if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
- echo_skipped
-else
- DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $tmp_err_msg
+if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then
+ ## - Install Postgrey from debian packages system
+ ## -
+ echononl " Install Postgrey from debian packages system"
+ _pkg="postgrey"
+ if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
+ echo_skipped
+ else
+ DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $tmp_err_msg
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $tmp_err_msg)"
+ fi
+ fi
+
+ echononl " Adjust /etc/default/postgrey"
+ perl -i -n -p -e "s#^(\s*)(POSTGREY_OPTS=.*)#\#\1\2\nPOSTGREY_OPTS=\"--inet=10023 --delay=149 --auto-whitelist-clients=3 --lookup-by-subnet\"#" \
+ /etc/default/postgrey > $tmp_err_msg 2>&1
 if [[ $? -eq 0 ]] ; then
 echo_ok
 else
 echo_failed
 error "$(cat $tmp_err_msg)"
 fi
-fi
-echononl " Adjust /etc/default/postgrey"
-perl -i -n -p -e "s#^(\s*)(POSTGREY_OPTS=.*)#\#\1\2\nPOSTGREY_OPTS=\"--inet=10023 --delay=149 --auto-whitelist-clients=3 --lookup-by-subnet\"#" \
- /etc/default/postgrey > $tmp_err_msg 2>&1
-if [[ $?
-eq 0 ]] ; then
- echo_ok
-else
- echo_failed
- error "$(cat $tmp_err_msg)"
-fi
-
-echononl " Create /etc/postgrey/whitelist_clients.local (additional whitelist entries)"
-cat << EOF > /etc/postgrey/whitelist_clients.local
-# For Office 365 - servers:
-##/.*outbound.protection.outlook.com\$/
-/^mail-.*\\.outbound\\.protection\\.outlook\\.com\$/
-# facebookmail.com - big pool
-/.*\\.mail-mail\\.facebook\\.com\$/
-# tor hidde service
-127.0.0.25
+ echononl " Create /etc/postgrey/whitelist_clients.local (additional whitelist entries)"
+ cat << EOF > /etc/postgrey/whitelist_clients.local
+ # For Office 365 - servers:
+ ##/.*outbound.protection.outlook.com\$/
+ /^mail-.*\\.outbound\\.protection\\.outlook\\.com\$/
+ # facebookmail.com - big pool
+ /.*\\.mail-mail\\.facebook\\.com\$/
+ # tor hidde service
+ 127.0.0.25
 EOF
-if [[ $? -eq 0 ]] ; then
- echo_ok
-else
- echo_failed
-fi
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ fi
-echononl " Restart postrey daemon"
-if $systemd_exists ; then
- systemctl restart postgrey > /dev/null 2> $tmp_err_msg
- if [[ $? -eq 0 ]] ; then
- echo_ok
+ echononl " Restart postrey daemon"
+ if $systemd_exists ; then
+ systemctl restart postgrey > /dev/null 2> $tmp_err_msg
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $tmp_err_msg)"
+ fi
 else
- echo_failed
- error "$(cat $tmp_err_msg)"
+ /etc/init.d/postgrey restart > /dev/null 2> $tmp_err_msg
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $tmp_err_msg)"
+ fi
 fi
+
+ postgrey_socket=""
+ postgrey_additional_options=""
+
 else
- /etc/init.d/postgrey restart > /dev/null 2> $tmp_err_msg
- if [[ $?
-eq 0 ]] ; then
- echo_ok
+ ## - Install tumgreyspf from debian packages system
+ echononl " Install tumgreyspf from debian packages system"
+ _pkg="tumgreyspf"
+ if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
+ echo_skipped
 else
+ DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $tmp_err_msg
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $tmp_err_msg)"
+ fi
+ fi
+
+ echononl " Add entry for 'tumgreyspf' at end of file '$postfix_master_cf"
+ if ! $(grep -iq -E "^\s*tumgreyspf\s+" 2>/dev/null $postfix_master_cf) ; then
+ cat <> /etc/postfix/master.cf 2> $tmp_err_msg
+
+# This is tumgreyspf, an external policy checker for the postfix mail server.
+# It can optionally greylist and/or use spfquery to check SPF records to
+# determine if email should be accepted by your server.
+#
+tumgreyspf unix - n n - - spawn
+ user=tumgreyspf argv=/usr/bin/tumgreyspf
+EOF
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ fi
+ else
+ echo_skipped
+ fi
+
+ echononl " Create configuration file for whitelisting: /etc/tumgreyspf/disable.conf"
+ if [[ ! -f /etc/tumgreyspf/disable.conf ]] ; then
+ cat < "/etc/tumgreyspf/disable.conf" 2> $tmp_err_msg
+SPFSEEDONLY=0
+GREYLISTTIME=300
+CHECKERS=
+OTHERCONFIGS=
+EOF
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $tmp_err_msg)"
+ fi
+ else
+ echo_skipped
+ fi
+
+ _failed=false
+ echononl " Whitelist tor hidde service '127.0.0.25'.."
+ if [[ ! -d "/var/lib/tumgreyspf/config/client_address/127/0/0/" ]] ; then
+ mkdir -p /var/lib/tumgreyspf/config/client_address/127/0/0/ 2> $tmp_err_msg
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+ fi
+
+ if [[ ! -L /var/lib/tumgreyspf/config/client_address/127/0/0/25 ]]; then
+ ln -s /etc/tumgreyspf/disable.conf /var/lib/tumgreyspf/config/client_address/127/0/0/25 2>> $tmp_err_msg
+ fi
+ if [[ $?
-ne 0 ]]; then
+ _failed=true
+ fi
+ if $_failed ; then
 echo_failed
 error "$(cat $tmp_err_msg)"
 fi
+
+
+ # ---
+ # Configure parameters of tumgreyspf service
+ # ---
+
+ _setup_key="SPFSEEDONLY"
+ _setup_val="0"
+ _setup_file="/etc/tumgreyspf/default.conf"
+ echononl " Setup defaults for tumgreyspf: $_setup_key .."
+ if ! $(grep -iq -E "^\s*${_setup_key}\s*=" "$_setup_file") ; then
+ cat <> "$_setup_file" 2> $tmp_err_msg
+
+# Added by script $(basename $0) at $(date +%Y-%m-%d)
+$_setup_key = $_setup_val
+EOF
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $tmp_err_msg)"
+ fi
+
+ else
+ if ! $(grep -iq -E "^\s*${_setup_key}\s*=\s*0$" "$_setup_file") ; then
+ perl -i -n -p -e "s/(\s*${_setup_key}.*)/#\1\n${_setup_key} = $_setup_val/" "$_setup_file" 2> $tmp_err_msg
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $tmp_err_msg)"
+ fi
+ else
+ echo_skipped
+ fi
+ fi
+
+ _setup_key="GREYLISTTIME"
+ _setup_val="180"
+ _setup_file="/etc/tumgreyspf/default.conf"
+ echononl " Setup defaults for tumgreyspf: $_setup_key .."
+ if ! $(grep -iq -E "^\s*${_setup_key}\s*=" "$_setup_file") ; then
+ cat <> "$_setup_file" 2> $tmp_err_msg
+
+# Added by script $(basename $0) at $(date +%Y-%m-%d)
+$_setup_key = $_setup_val
+EOF
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $tmp_err_msg)"
+ fi
+
+ else
+ if ! $(grep -iq -E "^\s*${_setup_key}\s*=\s*${_setup_val/}$" "$_setup_file") ; then
+ perl -i -n -p -e "s/(\s*${_setup_key}.*)/#\1\n${_setup_key} = $_setup_val/" "$_setup_file" 2> $tmp_err_msg
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $tmp_err_msg)"
+ fi
+ else
+ echo_skipped
+ fi
+ fi
+
+ _setup_key="CHECKERS"
+ _setup_val="spf,greylist"
+ _setup_file="/etc/tumgreyspf/default.conf"
+ echononl " Setup defaults for tumgreyspf: $_setup_key .."
+ if !
$(grep -iq -E "^\s*${_setup_key}\s*=" "$_setup_file") ; then
+ cat <> "$_setup_file" 2> $tmp_err_msg
+
+# Added by script $(basename $0) at $(date +%Y-%m-%d)
+$_setup_key = $_setup_val
+EOF
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $tmp_err_msg)"
+ fi
+
+ else
+ if ! $(grep -iq -E "^\s*${_setup_key}\s*=\s*${_setup_val/}$" "$_setup_file") ; then
+ perl -i -n -p -e "s/(\s*${_setup_key}.*)/#\1\n${_setup_key} = $_setup_val/" "$_setup_file" 2> $tmp_err_msg
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $tmp_err_msg)"
+ fi
+ else
+ echo_skipped
+ fi
+ fi
+
+ _setup_key="OTHERCONFIGS"
+ _setup_val="client_address,envelope_sender,envelope_recipient"
+ _setup_file="/etc/tumgreyspf/default.conf"
+ echononl " Setup defaults for tumgreyspf: $_setup_key .."
+ if ! $(grep -iq -E "^\s*${_setup_key}\s*=" "$_setup_file") ; then
+ cat <> "$_setup_file" 2> $tmp_err_msg
+
+# Added by script $(basename $0) at $(date +%Y-%m-%d)
+$_setup_key = $_setup_val
+EOF
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $tmp_err_msg)"
+ fi
+
+ else
+ if ! $(grep -iq -E "^\s*${_setup_key}\s*=\s*${_setup_val/}$" "$_setup_file") ; then
+ perl -i -n -p -e "s/(\s*${_setup_key}.*)/#\1\n${_setup_key} = $_setup_val/" "$_setup_file" 2> $tmp_err_msg
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $tmp_err_msg)"
+ fi
+ else
+ echo_skipped
+ fi
+ fi
+
+ _setup_key="GREYLISTEXPIREDAYS"
+ _setup_val="10.0"
+ _setup_file="/etc/tumgreyspf/default.conf"
+ echononl " Setup defaults for tumgreyspf: $_setup_key .."
+ if ! $(grep -iq -E "^\s*${_setup_key}\s*=" "$_setup_file") ; then
+ cat <> "$_setup_file" 2> $tmp_err_msg
+
+# Added by script $(basename $0) at $(date +%Y-%m-%d)
+$_setup_key = $_setup_val
+EOF
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $tmp_err_msg)"
+ fi
+
+ else
+ if !
$(grep -iq -E "^\s*${_setup_key}\s*=\s*${_setup_val/}$" "$_setup_file") ; then
+ perl -i -n -p -e "s/(\s*${_setup_key}.*)/#\1\n${_setup_key} = $_setup_val/" "$_setup_file" 2> $tmp_err_msg
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $tmp_err_msg)"
+ fi
+ else
+ echo_skipped
+ fi
+ fi
+
+ postgrey_socket="unix:private/tumgreyspf"
+ postgrey_additional_options="tumgreyspf_time_limit = 3600"
 fi
@@ -1266,7 +1546,17 @@ virtual_alias_domains =
 ## ---
 smtpd_restriction_classes = check_greylist
-check_greylist = check_policy_service inet:127.0.0.1:10023
+check_greylist = check_policy_service $postgrey_socket
+EOF
+
+if [[ -n "$postgrey_additional_options" ]]; then
+ cat <> /etc/postfix/main.cf
+$postgrey_additional_options
+EOF
+fi
+
+
+cat <> /etc/postfix/main.cf
 # The time limit for delivery to 'postfwd'
 #
@@ -1960,7 +2250,6 @@ fi
 ## - Create Listener for user authenticated smtp connection port 587 (submission)
 ## - and port 465 (smtps)
 ## -
-postfix_master_cf="/etc/postfix/master.cf"
 echononl " Backup file \"${postfix_master_cf}\""
 cp -a $postfix_master_cf "${postfix_master_cf}.$backup_date" > /dev/null 2> $tmp_err_msg
 if [[ $? -eq 0 ]] ; then
@@ -2061,14 +2350,21 @@ EOF
 # - Add transport definitions for only sending over IPv4/IPv6
 # -
- cat <> $postfix_master_cf
+ if ! $(grep -iq -E "^smtp-ipv4-only\s+" "$postfix_master_cf" 2> /dev/null) ; then
+ cat <> $postfix_master_cf
 smtp-ipv4-only unix - - n - - smtp -o inet_protocols=ipv4
+EOF
+ fi
+
+ if ! $(grep -iq -E "^smtp-ipv6-only\s+" "$postfix_master_cf" 2> /dev/null) ; then
+ cat <> $postfix_master_cf
 smtp-ipv6-only unix - - n - - smtp -o inet_protocols=ipv6
 EOF
+ fi
 echo_done
 warn "Please check file \"$postfix_master_cf\" !"
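Review bot: The Debian-before-10 branch sets `postgrey_socket=""` just before the `else` that opens the tumgreyspf branch, yet the main.cf hunk at -1266 now writes `check_greylist = check_policy_service $postgrey_socket`, so on those systems the policy line is emitted with no service target where the removed line had `inet:127.0.0.1:10023`; the postgrey branch should set `postgrey_socket="inet:127.0.0.1:10023"` to match the `--inet=10023` it writes into /etc/default/postgrey. Separately, the five default.conf rewrites use an unanchored `perl … "s/(\s*${_setup_key}.*)/#\1\n${_setup_key} = $_setup_val/"` while the grep check just before each one is anchored with `^\s*${_setup_key}\s*=`, so any other line containing the key name (a comment mentioning it, for instance) would be commented out and followed by a new assignment; `s/^(\s*${_setup_key}\s*=.*)/#\1\n${_setup_key} = $_setup_val/` keeps both checks consistent. Those five blocks differ only in key and value and would be shorter and easier to keep correct as one helper taking the key, value and file as arguments. The whitelist step for 127.0.0.25 only ever reports `echo_failed`; an `else echo_ok` after its `if $_failed ; then` would complete the `echononl` line on success.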