diff --git a/install_amavis.sh b/install_amavis.sh index b5e8d5c..e94c472 100755 --- a/install_amavis.sh +++ b/install_amavis.sh @@ -131,7 +131,7 @@ DEFAULT_SI_AUTHORISATION_SIGNATURE_OOPEN=abb4ec6b194639f3d123154f1b971843a3b8751 # SecuriteInfo signatur databases # SI_SIGNATUR_DATABASES=" - securiteinfo.hdb + securiteinfo.hdb securiteinfo.ign2 javascript.ndb spam_marketing.ndb @@ -210,7 +210,7 @@ _needed_packages_clamav="clamav \ if [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 10 ]] ; then _needed_packages_clamav="$_needed_packages_clamav \ libclamunrar7" -elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 11 ]] ; then +elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 11 ]] ; then _needed_packages_clamav="$_needed_packages_clamav \ libclamunrar9" elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 12 ]] ; then @@ -355,7 +355,7 @@ else fi done fi -if [ "X$IPV6" = "Xnone" -o "X$IPV6" = "XNone" ]; then +if [ "X$IPV6" = "Xnone" -o "X$IPV6" = "XNone" ]; then IPV6=disabled fi @@ -384,7 +384,7 @@ while [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]];do fi done - + echo "" 
@@ -413,11 +413,90 @@ else done fi -echo "" -echo -e "\033[32m--\033[m" -echo "" -echo "Should ClamAV unofficial Singatures be installed?" -echo "" + +echo "" +echo -e "\033[32m--\033[m" +echo "" +echo "Use SecuriteInfo Signatures (https://www.securiteinfo.com)?" +echo "" +echo "Note: You have to sign up for an account. For a free account thats here:" +echo " https://www.securiteinfo.com/clients/customers/signup" +echo "" +if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then + echononl "Load SecuriteInfo Singatures (yes/no): " +else + if $_SECURITE_INFO_IN_USE ; then + echononl "Load SecuriteInfo Singatures [yes]: " + else + echononl "Load SecuriteInfo Singatures [no]: " + fi +fi +read _TMP_LOAD_SI +_TMP_LOAD_SI=${_TMP_LOAD_SI,,} +while [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; do + if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then + echononl "Wrong entry! (yes/no): " + read _TMP_LOAD_SI + _TMP_LOAD_SI=${_TMP_LOAD_SI,,} + else + if [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; then + if [[ "X$_TMP_LOAD_SI" = "X" ]]; then + if $_SECURITE_INFO_IN_USE ; then + _TMP_LOAD_SI=yes + else + _TMP_LOAD_SI=no + fi + else + if $_SECURITE_INFO_IN_USE ; then + echononl "Wrong entry! [yes]: " + else + echononl "Wrong entry! 
[no]: " + fi + read _TMP_LOAD_SI + fi + fi + fi +done +if [[ "$_TMP_LOAD_SI" = "yes" ]] ; then + SECURITE_INFO_IN_USE=true +else + SECURITE_INFO_IN_USE=false +fi + +if $SECURITE_INFO_IN_USE ; then + echo "" + echo -e "\033[32m--\033[m" + echo "" + echo "Insert SecuriteInfo Authorisation Signature" + echo "" + echo "" + SI_AUTHORISATION_SIGNATURE= + if [[ -n "$_SI_AUTHORISATION_SIGNATURE" ]] ; then + while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do + echononl "SecuriteInfo Authorisation Signature [$(echo ${_SI_AUTHORISATION_SIGNATURE:0:4})..$(echo ${_SI_AUTHORISATION_SIGNATURE: -4})]: " + read SI_AUTHORISATION_SIGNATURE + if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then + SI_AUTHORISATION_SIGNATURE=$_SI_AUTHORISATION_SIGNATURE + fi + done + else + + while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do + echononl "SecuriteInfo Authorisation Signature: " + read SI_AUTHORISATION_SIGNATURE + if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then + echo -e "\n\t\033[33m\033[1mSecuriteInfo Authorisation Signature is reqired\033[m\n" + fi + done + fi +fi + + +echo "" +echo -e "\033[32m--\033[m" +echo "" +echo "Should ClamAV unofficial Singatures be installed?" +echo "" if [[ -z "$_INSTALL_CLAMAV_UNOFFICIAL_SIGS" ]]; then echononl "Install ClamAV unofficial Singatures (yes/no): " else @@ -451,14 +530,14 @@ else fi if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then - echo "" - echo -e "\033[32m--\033[m" - echo "" - echo "Load MalwarePatrol Signatures (https://www.malwarepatrol.net)?" - echo "" + echo "" + echo -e "\033[32m--\033[m" + echo "" + echo "Load MalwarePatrol Signatures (https://www.malwarepatrol.net)?" + echo "" echo "Note: You have to sign up for an account. For a free account thats here:" echo " https://www.malwarepatrol.net/signup-free.shtml" - echo "" + echo "" if [[ -z "$_MALWARE_PATROL_IN_USE" ]]; then echononl "Load MalwarePatrol Singatures (yes/no): " else @@ -491,7 +570,7 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then fi read _TMP_LOAD_MP fi - + fi fi done 
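Review bot: `read SI_AUTHORISATION_SIGNATURE` in both loops of the new SecuriteInfo block reads a secret token with terminal echo on and without `-r`, so the value is shown on screen and backslashes are mangled; `read -r -s SI_AUTHORISATION_SIGNATURE; echo` for both prompts and `read -r _TMP_LOAD_SI` for the yes/no reads would fix that. The hint in the prompt, `$(echo ${_SI_AUTHORISATION_SIGNATURE:0:4})..$(echo ${_SI_AUTHORISATION_SIGNATURE: -4})`, spawns two subshells for nothing and leaves the expansions unquoted; `${_SI_AUTHORISATION_SIGNATURE:0:4}..${_SI_AUTHORISATION_SIGNATURE: -4}` inside the existing double quotes gives the same output. The header of this file's first hunk shows a literal value in `DEFAULT_SI_AUTHORISATION_SIGNATURE_OOPEN=…`; if `_SI_AUTHORISATION_SIGNATURE` is seeded from it, that token lives in the committed script and would better be read from an untracked config file. The user-facing strings still say "Singatures" and "reqired". The `if [[ -z "$_INSTALL_CLAMAV_UNOFFICIAL_SIGS" ]]` block at the end of the hunk continues outside it.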
@@ -501,14 +580,14 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then MALWARE_PATROL_IN_USE=false fi - + if $MALWARE_PATROL_IN_USE ; then - echo "" - echo "" - echo "Are you using a free account from MalwarePatrol?" - echo "" - echo "" + echo "" + echo "" + echo "Are you using a free account from MalwarePatrol?" + echo "" + echo "" if [[ -z "$_MALWERE_PATROL_FREE" ]] ; then echononl " Using fgree acount from MalwarePatrol? (yes/no): " 
@@ -583,85 +662,7 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then done fi - - fi - - echo "" - echo -e "\033[32m--\033[m" - echo "" - echo "Load SecuriteInfo Signatures (https://www.securiteinfo.com)?" - echo "" - echo "Note: You have to sign up for an account. For a free account thats here:" - echo " https://www.securiteinfo.com/clients/customers/signup" - echo "" - if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then - echononl "Load SecuriteInfo Singatures (yes/no): " - else - if $_SECURITE_INFO_IN_USE ; then - echononl "Load SecuriteInfo Singatures [yes]: " - else - echononl "Load SecuriteInfo Singatures [no]: " - fi - fi - read _TMP_LOAD_SI - _TMP_LOAD_SI=${_TMP_LOAD_SI,,} - while [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; do - if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then - echononl "Wrong entry! (yes/no): " - read _TMP_LOAD_SI - _TMP_LOAD_SI=${_TMP_LOAD_SI,,} - else - if [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; then - if [[ "X$_TMP_LOAD_SI" = "X" ]]; then - if $_SECURITE_INFO_IN_USE ; then - _TMP_LOAD_SI=yes - else - _TMP_LOAD_SI=no - fi - else - if $_SECURITE_INFO_IN_USE ; then - echononl "Wrong entry! [yes]: " - else - echononl "Wrong entry! 
[no]: " - fi - read _TMP_LOAD_SI - fi - fi - fi - done - if [[ "$_TMP_LOAD_SI" = "yes" ]] ; then - SECURITE_INFO_IN_USE=true - else - SECURITE_INFO_IN_USE=false - fi - - if $SECURITE_INFO_IN_USE ; then - echo "" - echo -e "\033[32m--\033[m" - echo "" - echo "Insert SecuriteInfo Authorisation Signature" - echo "" - echo "" - SI_AUTHORISATION_SIGNATURE= - if [[ -n "$_SI_AUTHORISATION_SIGNATURE" ]] ; then - while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do - echononl "SecuriteInfo Authorisation Signature [$(echo ${_SI_AUTHORISATION_SIGNATURE:0:4})..$(echo ${_SI_AUTHORISATION_SIGNATURE: -4})]: " - read SI_AUTHORISATION_SIGNATURE - if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then - SI_AUTHORISATION_SIGNATURE=$_SI_AUTHORISATION_SIGNATURE - fi - done - else - - while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do - echononl "SecuriteInfo Authorisation Signature: " - read SI_AUTHORISATION_SIGNATURE - if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then - echo -e "\n\t\033[33m\033[1mSecuriteInfo Authorisation Signature is reqired\033[m\n" - fi - done - fi fi fi @@ -674,28 +675,28 @@ else DB_IN_USE=false fi DB_TYPE="" -echo "" -echo -e "\033[32m--\033[m" -echo "" -echo "Are a database lookups for local domains in use?" -echo "" +echo "" +echo -e "\033[32m--\033[m" +echo "" +echo "Are a database lookups for local domains in use?" +echo "" if [[ "$_DB_TYPE" = "MySQL" ]] ; then echo -e "\033[37m\033[1m[1] MySQL\033[m" else - echo "[1] MySQL" + echo "[1] MySQL" fi if [[ "$_DB_TYPE" = "PostgreSQL" ]] ; then echo -e "[2] \033[37m\033[1mPostgeSQL\033[m" else - echo "[2] PostgeSQL" + echo "[2] PostgeSQL" fi if ! $DB_IN_USE ; then - echo -e "[3] \033[37m\033[1mSkip (No Database in use)\033[m" + echo -e "[3] \033[37m\033[1mSkip (No Database in use)\033[m" _DB_TYPE="None" else - echo "[3] Skip (No Database in use)" + echo "[3] Skip (No Database in use)" fi -echo "" +echo "" echo "Type a number or press to choose highlighted value" echo "" echononl "Eingabe: " 
@@ -714,12 +715,12 @@ while [ "$DB_TYPE" != "MySQL" -a "$DB_TYPE" != "PostgreSQL" -a "$DB_TYPE" != "No DB_TYPE="None" DB_IN_USE=false ;; - '') DB_TYPE=$_DB_TYPE + '') DB_TYPE=$_DB_TYPE ;; *) - echo "" - echo -e "\tFalsche Eingabe ! [ 1 = MySQL ; 2 = PostgreSQL , 3 = Skip] or type " - echo "" + echo "" + echo -e "\tFalsche Eingabe ! [ 1 = MySQL ; 2 = PostgreSQL , 3 = Skip] or type " + echo "" echononl "Eingabe: " ;; esac @@ -1018,7 +1019,7 @@ if [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 12 ]] ; then installation_failed=true error "$(cat $tmp_err_msg) - command was: + command was: cpanm -q --skip-installed $_module" echononl "\tcontinue anyway [yes/no]: " @@ -1080,7 +1081,7 @@ echo ## - Install package amavisd-new NOW, because we need at least the existence -## - of the AmaViS user (amavis) befor finally installation and configuration +## - of the AmaViS user (amavis) befor finally installation and configuration ## - of AmaViS itself. ## - echononl " Install packages \"amavisd-new\"" @@ -1159,7 +1160,7 @@ fi ## - # cp /root/sample-spam.txt /tmp ## - # cd /tmp ## - # su amavis -c 'spamassassin -D $tmp_err_msg 2>&1 @@ -1365,7 +1366,7 @@ fi ## - Copy root's .razor directory and files to the amavis user's home directory ## - -echononl " Copy root's razor configuration to user \"amavis\" (${_home_amavais}/.razor)" +echononl " Copy root's razor configuration to user \"amavis\" (${_home_amavais}/.razor)" installation_failed=false cp -r /root/.razor ${_home_amavais}/ > $tmp_err_msg 2>&1 if [[ "$?" -ne 0 ]] ; then @@ -1867,7 +1868,7 @@ report_safe 0 # # # Our own IP's -# +# # Notice: i decided not to trust our own ip's, because i want # to filter also mails from local users out @@ -1879,7 +1880,7 @@ fi echo "$_msg_trusted" >> /etc/spamassassin/local.cf echo "" >> /etc/spamassassin/local.cf -echo "$_msg_internal" >> /etc/spamassassin/local.cf +echo "$_msg_internal" >> /etc/spamassassin/local.cf cat << EOF >> /etc/spamassassin/local.cf 2>$tmp_err_msg 
@@ -1910,8 +1911,8 @@ bayes_auto_learn_threshold_spam 10.0 bayes_auto_learn_threshold_nonspam -0.5 -# NOTE: Since there is a script that runs each day to --force-expire old -# Bayes tokens "/etc/cron.daily/amavisd-new" (make sure there is if +# NOTE: Since there is a script that runs each day to --force-expire old +# Bayes tokens "/etc/cron.daily/amavisd-new" (make sure there is if # you use this setting!), we can set: # bayes_auto_expire 0 @@ -1983,14 +1984,14 @@ ok_locales all # Local delivery uses this flag to distinguish between possible spam # and ham -# +# # Again: in our setup wee NEED to set the spam flag -# +# add_header spam Flag _YESNOCAPS_ # Some shortcircuiting, if the plugin is enabled -# +# ifplugin Mail::SpamAssassin::Plugin::Shortcircuit # # default: strongly-whitelisted mails are *really* whitelisted now, if the @@ -2289,11 +2290,11 @@ EOF fi # - !! Notice !! -# - if su clamav -c 'spamassassin --lint' failed ( with warn +# - if su clamav -c 'spamassassin --lint' failed ( with warn # - message "warn: Use of uninitialized value $type in numeric..") # - reading "/etc/spamassassin/local.cf": razor_timeout 8, have a look # - at SpamAssassin/Plugin/Razor2.pm line 118: -# - +# - # - type => $Mail::SpamAssassin::Conf::CONF_TYPE_DURATIION, # - # - Should be: @@ -2536,7 +2537,7 @@ if [[ \`expr \$code1 + \$code2 + \$code3\` < 4 ]]; then fi fi -# Fixup perms -- group and other should be able to read and execute, +# Fixup perms -- group and other should be able to read and execute, # but never write. Works around sa-compile's failure to obey umask. if [ -d /var/lib/spamassassin ]; then chown -R debian-spamd:debian-spamd /var/lib/spamassassin 
@@ -2661,7 +2662,7 @@ else /etc/init.d/amavis restart >/dev/null fi -# Fixup perms -- group and other should be able to read and execute, +# Fixup perms -- group and other should be able to read and execute, # but never write. Works around sa-compile's failure to obey umask. if [ -d /var/lib/spamassassin ]; then chown -R debian-spamd:debian-spamd /var/lib/spamassassin @@ -3143,10 +3144,10 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then ## - ## - Use ClamAV Unofficial Signatures Updater: ## - https://github.com/extremeshok/clamav-unofficial-sigs/releases - ## - + ## - ## - See readme file: ## - https://github.com/extremeshok/clamav-unofficial-sigs - ## - + ## - echo "" echo -e " \033[37m\033[1mClamAV Unofficial Signatures..\033[m" @@ -3183,7 +3184,7 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then echo_failed error "$(cat $tmp_err_msg) - command was: + command was: cpanm -q --skip-installed $_module" echononl "continue anyway [yes/no]: " @@ -3257,7 +3258,7 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then if ! $(grep -q -E "^\s*xshok_mkdir_ownership\s+\"\\\$work_dir_urlhaus\"" "${_clamav_script}" 2> /dev/null) ; then if $(grep -q -E "^\s*xshok_mkdir_ownership\s+\"\\\$work_dir\"" "${_clamav_script}" 2> /dev/null) ; then - + perl -i -n -p \ -e "s#(\s*xshok_mkdir_ownership\s+)(\"\\\$work_dir\")#\1\2\n\1\"\\\$work_dir_urlhaus\"#" \ "${_clamav_script}" > $tmp_err_msg 2>&1 @@ -3395,7 +3396,7 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then fi - + if [[ "${os_dist,,}" = "debian" ]] ; then ## - For Debian Jessie (Debian 8) // Stretch (Debian 9) // Buster (Debian 10) // Bullseye (Debian 11) 
@@ -3550,65 +3551,66 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then # -------------------------------------- # --- Begin: User specific modifications # --- Inserted by install-script "$(basename "$0")" at $(date +"%Y-%m-%d %H:%M") + +# - SecuriteInfo +# - +# - SecuriteInfo signatures are now directly integrated into ClamAV's Freshclam. +# - +# - We therefore disable them here. +# - +securiteinfo_enabled="no" EOF - if $MALWARE_PATROL_IN_USE || $SECURITE_INFO_IN_USE ; then - if $MALWARE_PATROL_IN_USE ; then - - cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg + if $MALWARE_PATROL_IN_USE ; then + + cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg malwarepatrol_receipt_code="$MP_RECEIPT_NUMBER" malwarepatrol_list="clamav_basic" EOF - if [[ "$?" -ne 0 ]] ; then - installation_failed=true - error "$(cat $tmp_err_msg)" - fi + if [[ "$?" -ne 0 ]] ; then + installation_failed=true + error "$(cat $tmp_err_msg)" + fi - if $MALWERE_PATROL_FREE ; then - cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg + if $MALWERE_PATROL_FREE ; then + cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg malwarepatrol_product_code="8" malwarepatrol_free="yes" EOF - if [[ "$?" -ne 0 ]] ; then - installation_failed=true - error "$(cat $tmp_err_msg)" - fi - else - cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg + if [[ "$?" -ne 0 ]] ; then + installation_failed=true + error "$(cat $tmp_err_msg)" + fi + else + cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg malwarepatrol_product_code="15" malwarepatrol_free="no" -EOF - if [[ "$?" 
-ne 0 ]] ; then - installation_failed=true - error "$(cat $tmp_err_msg)" - fi - fi - fi # if $MALWARE_PATROL_IN_USE - - if $SECURITE_INFO_IN_USE ; then - cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg -# - SecuriteInfo -# - -# - type: Gold -# - account: ckubu@oopen.de -# - signatur: abb4ec6..46b59a4e -# - -# - - ALT - -# - type: professional -# - account: oo@oopen.de -# - signatur: b0b7e94d..0c2e3a89 -# - -securiteinfo_authorisation_signature="$SI_AUTHORISATION_SIGNATURE" EOF if [[ "$?" -ne 0 ]] ; then installation_failed=true error "$(cat $tmp_err_msg)" fi - fi # if $SECURITE_INFO_IN_USE - fi #if $MALWARE_PATROL_IN_USE || $SECURITE_INFO_IN_USE + fi + + else + cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg + +# - MalwarePatrol +# - +# - Not in use +# - +malwarepatrol_enabled="no" +EOF + if [[ "$?" -ne 0 ]] ; then + installation_failed=true + error "$(cat $tmp_err_msg)" + fi + + fi #if $MALWARE_PATROL_IN_USE + cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg # - Disable Yara-Rule set, because (some?) pgp mails where blocked. @@ -3687,7 +3689,7 @@ EOF error " $(cat $tmp_err_msg) - command was: + command was: /usr/local/sbin/clamav-unofficial-sigs.sh --install-cron" echononl "continue anyway [yes/no]: " @@ -3888,7 +3890,7 @@ fi echononl " Install CPAN Modules mostly needed for decoding" installation_failed=false _needed_cpan_modules=" - Digest::SHA1 + Digest::SHA1 Digest::SHA2 Digest::SHA256 Encode::Detect @@ -3899,7 +3901,7 @@ for _module in $_needed_cpan_modules ; do installation_failed=true error "$(cat $tmp_err_msg) - command was: + command was: cpanm -q --skip-installed $_module" echononl "continue anyway [yes/no]: " 
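Review bot: The rewritten block writes `securiteinfo_enabled="no"` and no longer emits `securiteinfo_authorisation_signature` into user.conf, yet the script still prompts for and stores `SI_AUTHORISATION_SIGNATURE` (hunk at line 413); wherever that value is now consumed (presumably the freshclam configuration) is not in this diff, so confirm it is still written somewhere or the prompt has become dead code. `malwarepatrol_receipt_code="$MP_RECEIPT_NUMBER"` still lands in `/etc/clamav-unofficial-sigs/user.conf`, which makes that file hold a secret; the hunk sets no mode on it, so check that it is not world-readable or add `chmod 640 /etc/clamav-unofficial-sigs/user.conf` after the first write. `$tmp_err_msg` is unquoted in every `2> $tmp_err_msg` and `$(cat $tmp_err_msg)` here; `"$tmp_err_msg"` is the safer form. The enclosing `if $INSTALL_CLAMAV_UNOFFICIAL_SIGS` block starts and ends outside the hunk.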
@@ -3954,7 +3956,7 @@ fi echononl " Create file '/etc/postfix/sender_whitelist'" if [[ ! -f "/etc/postfix/sender_whitelist" ]]; then cat << EOF > /etc/postfix/sender_whitelist 2> '$tmp_err_msg' -# - Example '/etc/postfix/sender_whitelist' +# - Example '/etc/postfix/sender_whitelist' # - # - Used by Amavis Configuration 'whitelist_sender_maps' / '%whitelist_sender' # - @@ -3984,7 +3986,7 @@ fi echononl " Create file '/etc/postfix/spam_lovers'" if [[ ! -f "/etc/postfix/spam_lovers" ]]; then cat << EOF > /etc/postfix/spam_lovers 2> '$tmp_err_msg' -# - Example '/etc/postfix/spam_lovers' +# - Example '/etc/postfix/spam_lovers' # - # - # Adresses # - adress@domain1.com 1 @@ -4012,7 +4014,7 @@ fi echononl " Create file '/etc/postfix/virus_lovers'" if [[ ! -f "/etc/postfix/virus_lovers" ]]; then cat << EOF > /etc/postfix/virus_lovers 2> '$tmp_err_msg' -# - Example '/etc/postfix/virus_lovers' +# - Example '/etc/postfix/virus_lovers' # - # - # Adresses # - adress@domain1.com 1 @@ -4041,7 +4043,7 @@ fi ## - Configure amavis in /etc/amavis/conf.d ## - ## - write all changes and customization to a seperate -## - file named "50-user", which will load at end of +## - file named "50-user", which will load at end of ## - configuration and overwrites the (debian)-default values ## - @@ -4081,7 +4083,7 @@ use strict; # # Ports to listen on -# +# # 10024: default listening port # 10026: used for whitelisting IP's (trusted networks) # @@ -4121,7 +4123,7 @@ use strict; #}; -# Bypass spam checking for whitelisted senders +# Bypass spam checking for whitelisted senders # #\$interface_policy{'10029'} = 'VIRUSONLY'; #\$policy_bank{'VIRUSONLY'} = { # mail from the pickup daemon 
@@ -4162,10 +4164,10 @@ use strict; ## - .domain3.com => '1', ## - ); ## - -## - But we will use the read_hash function to read in a list +## - But we will use the read_hash function to read in a list ## - of senders from the external file '/etc/postfix/sender_whitelist' ## - -## - Example '/etc/postfix/sender_whitelist' +## - Example '/etc/postfix/sender_whitelist' ## - ## - some.trustworthy@doma.in #full email address ## - some.trustworthy@ #full local part @@ -4192,18 +4194,18 @@ read_hash(\%whitelist_sender, '/etc/postfix/sender_whitelist'); ## - ## - !! Notice !! ## - -## - Virus checks are bypassed only if all of the recipients of a message have -## - been added to one of these variables. If even one recipient is not listed, -## - virus-checking will still be performed. To ensure that virus is still delivered -## - to whitelisted recipients in such cases, use the "virus_lovers" features -## - see below. +## - Virus checks are bypassed only if all of the recipients of a message have +## - been added to one of these variables. If even one recipient is not listed, +## - virus-checking will still be performed. To ensure that virus is still delivered +## - to whitelisted recipients in such cases, use the "virus_lovers" features +## - see below. ## - @bypass_virus_checks_maps = ( \%bypass_virus_checks, \@bypass_virus_checks_acl, \\\$bypass_virus_checks_re); ## - We will use '%bypass_virus_checks_maps'. So we could set: -## - +## - ## - %bypass_virus_checks = ( ## - # Adresses ## - adress@domain1.com => '1', @@ -4216,10 +4218,10 @@ read_hash(\%whitelist_sender, '/etc/postfix/sender_whitelist'); ## - domain3.com => '1', ## - ); ## - -## - But we will use the read_hash function to read in a list +## - But we will use the read_hash function to read in a list ## - of recipients from the external file '/etc/postfix/spam_lovers' ## - -## - Example '/etc/postfix/virus_lovers' +## - Example '/etc/postfix/virus_lovers' ## - ## - # Adresses ## - adress@domain1.com 1 
@@ -4248,7 +4250,7 @@ read_hash(\%bypass_virus_checks, '/etc/postfix/virus_lovers'); ## - from the external file '/etc/postfix/spam_lovers' into '%spam_lovers'. ## - ## - For more explanations see above -## - +## - read_hash(\%virus_lovers, '/etc/postfix/virus_lovers'); @@ -4262,17 +4264,17 @@ read_hash(\%virus_lovers, '/etc/postfix/virus_lovers'); ## - ## - !! Notice !! ## - -## - Spam checks are bypassed only if all of the recipients of a message have -## - been added to one of these variables. If even one recipient is not listed, -## - spam-checking will still be performed. To ensure that spam is still delivered -## - to whitelisted recipients in such cases, use the "spam_lovers" features -## - see below. +## - Spam checks are bypassed only if all of the recipients of a message have +## - been added to one of these variables. If even one recipient is not listed, +## - spam-checking will still be performed. To ensure that spam is still delivered +## - to whitelisted recipients in such cases, use the "spam_lovers" features +## - see below. ## - @bypass_spam_checks_maps = ( \%bypass_spam_checks, \@bypass_spam_checks_acl, \\\$bypass_spam_checks_re); ## - We will use '%bypass_spam_checks'. So we could set: -## - +## - ## - %bypass_spam_checks = ( ## - # Adresses ## - adress@domain1.com => '1', @@ -4285,10 +4287,10 @@ read_hash(\%virus_lovers, '/etc/postfix/virus_lovers'); ## - domain3.com => '1', ## - ); ## - -## - But we will use the read_hash function to read in a list +## - But we will use the read_hash function to read in a list ## - of recipients from the external file '/etc/postfix/spam_lovers' ## - -## - Example '/etc/postfix/spam_lovers' +## - Example '/etc/postfix/spam_lovers' ## - ## - # Adresses ## - adress@domain1.com 1 
@@ -4357,7 +4359,7 @@ read_hash(\%spam_lovers, '/etc/postfix/spam_lovers'); ## - ## - default: @spam_tag2_level_maps = (\\\$sa_tag2_level_deflt); ## - -## - Example file '/etc/postfix/tag2_level_maps.dat' +## - Example file '/etc/postfix/tag2_level_maps.dat' ## - ## - # oopen.de ## - oopen.de 2.1 @@ -4387,7 +4389,7 @@ read_hash(\%spam_lovers, '/etc/postfix/spam_lovers'); ## - ## - default: @spam_kill_level_maps = (\\\$sa_kill_level_deflt); ## - -## - Example file '/etc/postfix/kill_level_maps.dat' +## - Example file '/etc/postfix/kill_level_maps.dat' ## - ## - # oopen.de ## - ckubu@oopen.de 1500.0 @@ -4400,7 +4402,7 @@ read_hash(\%spam_lovers, '/etc/postfix/spam_lovers'); ## - We will inform the sender about bouncing his mail with a DSN (Delivery -## - StatusNotification). That DSN message will no be send, if the spamvalue +## - StatusNotification). That DSN message will no be send, if the spamvalue ## - exceeds the value of sa_dsn_cutoff_level ## - #\$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent @@ -4419,7 +4421,7 @@ read_hash(\%spam_lovers, '/etc/postfix/spam_lovers'); ); \$sa_spam_subject_tag = undef; -#\$sa_spam_subject_tag = '***SPAM*** '; +#\$sa_spam_subject_tag = '***SPAM*** '; ## - QUARANTINE 
@@ -4491,15 +4493,15 @@ read_hash(\%spam_lovers, '/etc/postfix/spam_lovers'); #}; -## - Amavisd-New scans all mail passing through it for viruses, but will -## - only hand mail for local delivery off to SA for checking - you tell -## - it which domains are local using the @local_domains_maps variable, -## - which by default is set to the value of \$mydomain & its subdomains: +## - Amavisd-New scans all mail passing through it for viruses, but will +## - only hand mail for local delivery off to SA for checking - you tell +## - it which domains are local using the @local_domains_maps variable, +## - which by default is set to the value of \$mydomain & its subdomains: ## - #@local_domains_maps = ( ["."] ); -## - get rid of "Open Relay" warnings in amavis logfile. +## - get rid of "Open Relay" warnings in amavis logfile. ## - \$interface_policy{'10024'} = 'ORIGINATING'; \$policy_bank{'ORIGINATING'} = { @@ -4622,8 +4624,8 @@ delete \$admin_maps_by_ccat{&CC_UNCHECKED}; ## - ## - zur Signierung der e-Mail mit herangezogen werden. ## - -## - Dies hat jedoch den Nachteil, dass bei einer Veränderung der Received: from-Zeilen -## - im Nachhinein, wie es z.B. bei der Einlieferung durch Postfix via smtpd_proxy_filter +## - Dies hat jedoch den Nachteil, dass bei einer Veränderung der Received: from-Zeilen +## - im Nachhinein, wie es z.B. bei der Einlieferung durch Postfix via smtpd_proxy_filter ## - (Pre-Queue) bei AMaViS der Fall sein könnte, die DKIM-Sigantur sprichwörtlich „ ## - kaputt“ geht. ## - 
@@ -4632,8 +4634,8 @@ delete \$admin_maps_by_ccat{&CC_UNCHECKED}; ## - ## - \$signed_header_fields{'received'} = 0; # turn off signing of Received ## - -## - verhindert werden, indem die Received: from-Zeilen nicht mehr mit in die -## - Berechnung der DKIM-Signatur mit einfließen. +## - verhindert werden, indem die Received: from-Zeilen nicht mehr mit in die +## - Berechnung der DKIM-Signatur mit einfließen. ## - \$signed_header_fields{'received'} = 0; # turn off signing of Received @@ -4915,7 +4917,7 @@ EOF error "$(cat $tmp_err_msg)" fi fi - + if $installed ; then crontab /tmp/tmp_crontab > /dev/null 2> $tmp_err_msg if [[ "$?" -ne 0 ]] ; then @@ -4967,7 +4969,7 @@ fi ## - Forward emails to amavis using "Pre-Queue" Option smtpd_proxy_filter ## - ## - edit /etc/postfix/master.cf and add flags for "smtpd_proxy_filter" (to -## - forward to amavis service on localhost port 10024) and for "content_filter" +## - forward to amavis service on localhost port 10024) and for "content_filter" ## - (to avoid rechecking by "Post-Queue" content_filter) to smtp service ## - ## - smtp inet n - - - - smtpd @@ -5089,7 +5091,7 @@ submission inet n - y - 20 smtpd #-o milter_macro_daemon_name=ORIGINATING EOF if ! $smtps_present ; then - if ! $localhost_10025_present ; then + if ! $localhost_10025_present ; then cat >> $postfix_master_cf << EOF localhost:10025 inet n - y - - smtpd -o content_filter= @@ -5116,7 +5118,7 @@ EOF #-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32 EOF fi - + if ! $amavisfeed_present ; then cat >> $postfix_master_cf << EOF amavisfeed unix - - n - 20 lmtp @@ -5143,7 +5145,7 @@ smtps inet n - y - - smtpd #-o milter_macro_daemon_name=ORIGINATING EOF - if ! $localhost_10025_present ; then + if ! $localhost_10025_present ; then cat >> $postfix_master_cf << EOF localhost:10025 inet n - y - - smtpd -o content_filter= 
@@ -5227,7 +5229,7 @@ EOF fi # - [[:blank:]] means space and tab. This makes it similar to: [ \t] - # - [[:space;]] in addition to space and tab, includes newline, linefeed, formfeed, + # - [[:space;]] in addition to space and tab, includes newline, linefeed, formfeed, # - and vertical tab. This makes it similar to: [ \t\n\r\f\v] # - #if [[ $_line =~ ^[[:space:]]+[^[:space:]]+ ]] && $_smtp_found ; then diff --git a/install_postfix_advanced.sh b/install_postfix_advanced.sh index 9dc03cf..5a8a445 100755 --- a/install_postfix_advanced.sh +++ b/install_postfix_advanced.sh 
@@ -1830,64 +1830,109 @@ smtp_tls_CAfile = $_TLS_CA_FILE #smtpd_tls_CApath = /etc/postfix/certs -# Disable SSLv2 SSLv3 - Postfix SMTP server +# TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption. +# If the list is empty, the server supports all available TLS protocol versions. # -# List of TLS protocols that the Postfix SMTP server will exclude or -# include with opportunistic TLS encryption. -smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 +# default: see 'postconf -d' output +# +smtpd_tls_protocols = >=TLSv1.1 + +# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. +# +smtpd_tls_mandatory_protocols = >=TLSv1.1 + + +# TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption. +# +# default: see 'postconf -d' output +# +smtp_tls_protocols = >=TLSv1.2 + +# TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. # -# The SSL/TLS protocols accepted by the Postfix SMTP server -# with mandatory TLS encryption. -smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 +# default: see 'postconf -d' output +# +smtp_tls_mandatory_protocols = >=TLSv1.2 -# Disable SSLv2 SSLv3 - Postfix SMTP client -# -# List of TLS protocols that the Postfix SMTP client will exclude or -# include with opportunistic TLS encryption. -smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -# -# List of SSL/TLS protocols that the Postfix SMTP client will use -# with mandatory TLS encryption -smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 +# The Postfix SMTP server security grade for ephemeral elliptic-curve +# Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this +# parameter is always ignored, and Postfix behaves as though the auto value +# (described below) was chosen. +# +# auto +# Use the most preferred curve that is supported by both the client and the server. +# This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. 
This +# is the default setting under the above conditions (and the only setting used with +# Postfix ≥ 3.6). +# +# none +# Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the +# default in Postfix versions 2.6 and 2.7. +# +# strong +# Use EECDH with approximately 128 bits of security at a reasonable computational cost. +# This is the default in Postfix versions 2.8-3.5. +# +# ultra +# Use EECDH with approximately 192 bits of security at computational cost that is +# approximately twice as high as 128 bit strength ECC. +# +smtpd_tls_eecdh_grade = auto -## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange -## - openssl > 1.0 -## - -smtpd_tls_eecdh_grade = strong - -# standard list cryptographic algorithm +# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead +# of the remote client's cipher preference order. +# +# By default, the OpenSSL server selects the client's most preferred cipher that the +# server supports. With SSLv3 and later, the server may choose its own most preferred +# cipher that is supported (offered) by the client. +# +# Setting "tls_preempt_cipherlist = yes" enables server cipher preferences. +# +# default: no +# tls_preempt_cipherlist = yes -# Disable ciphers which are less than 256-bit: + +# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory +# TLS encryption. The default grade ("medium") is sufficiently strong that any benefit +# from globally restricting TLS sessions to a more stringent grade is likely negligible, +# especially given the fact that many implementations still do not offer any stronger +# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers. +# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export" +# or "low" ciphers is typically not a good idea, as systems limited to just these are +# limited to obsolete browsers. 
No known SMTP clients fail to support at least one +# "medium" or "high" grade cipher. # -#smtpd_tls_mandatory_ciphers = high +# default: medium +# +#smtpd_tls_mandatory_ciphers = medium + +# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic +# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the +# base definition of the selected cipher grade. +# +# default: medium # -# opportunistic smtpd_tls_ciphers = high -# Exclude ciphers +# List of ciphers or cipher types to exclude from the SMTP server cipher list at all +# TLS security levels. +# +# DO NOT exclude ciphers unless it is essential to do so. This is not an OpenSSL cipherlist; +# it is a simple list separated by whitespace and/or commas. The elements are a single cipher, +# or one or more "+" separated cipher properties, in which case only ciphers matching all the +# properties are excluded. +# #smtpd_tls_exclude_ciphers = -# RC4 -# aNULL -# SEED-SHA -# EXP -# MD5 -smtpd_tls_exclude_ciphers = - aNULL - eNULL - EXPORT - DES - RC4 - MD5 - PSK - aECDH - EDH-DSS-DES-CBC3-SHA - EDH-RSA-DES-CDC3-SHA - KRB5-DE5 - CBC3-SHA + +# Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher +# list at mandatory TLS security levels. This list works in addition to the exclusions listed +# with smtp_tls_exclude_ciphers +# +#smtp_tls_mandatory_exclude_ciphers = smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache diff --git a/install_postfix_base.sh b/install_postfix_base.sh index cbbc02d..38617d4 100755 --- a/install_postfix_base.sh +++ b/install_postfix_base.sh 
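Review bot: `smtpd_tls_protocols = >=TLSv1.1` and `smtpd_tls_mandatory_protocols = >=TLSv1.1` keep TLS 1.1 enabled on the server side while the client lines require `>=TLSv1.2`; TLS 1.0 and 1.1 are deprecated (RFC 8996), so `>=TLSv1.2` on all four lines would be consistent unless specific legacy submission clients are known. The `>=` protocol syntax exists only from Postfix 3.6, and install_amavis.sh in this same diff still branches on Debian releases before 12 (`os_version -lt 12`) whose Postfix is older; as far as I recall those versions treat the list as invalid and disable TLS for the service with a warning, so either gate the new syntax on `postconf -h mail_version` or keep the `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1` exclusion form for them. The same applies to `smtp_tls_mandatory_protocols = >=TLSv1.2` in the install_postfix_base.sh hunk, which runs past the end of this excerpt. The old explicit `aNULL`/`eNULL`/`EXPORT`/`RC4`/`MD5` exclusion list is gone and `#smtpd_tls_exclude_ciphers =` is now empty; Postfix's own documentation (quoted in the new comment) discourages excluding ciphers, but a one-line comment such as `# exclusions dropped on purpose: the cipher grade lists cover them` would tell the next reader the removal is deliberate. The heredoc that writes this main.cf fragment appears to start and end outside the hunk.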
@@ -905,63 +905,107 @@ smtp_tls_CAfile = $_TLS_CA_FILE #smtpd_tls_CApath = /etc/postfix/certs -# Disable SSLv2 SSLv3 - Postfix SMTP server -# -# List of TLS protocols that the Postfix SMTP server will exclude or -# include with opportunistic TLS encryption. -smtpd_tls_protocols = !SSLv2, !SSLv3 -# -# The SSL/TLS protocols accepted by the Postfix SMTP server -# with mandatory TLS encryption. -smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 - - -# Disable SSLv2 SSLv3 - Postfix SMTP client -# -# List of TLS protocols that the Postfix SMTP client will exclude or -# include with opportunistic TLS encryption. -smtp_tls_protocols = !SSLv2, !SSLv3 -# -# List of SSL/TLS protocols that the Postfix SMTP client will use -# with mandatory TLS encryption -smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 - - -## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange -## - openssl > 1.0 -## - -smtpd_tls_eecdh_grade = strong - -# standard list cryptographic algorithm -tls_preempt_cipherlist = yes - -# Disable ciphers which are less than 256-bit: +# Disable SSLv2 SSLv3 - Postfix SMTP server # -#smtpd_tls_mandatory_ciphers = high +# List of TLS protocols that the Postfix SMTP server will exclude or +# include with opportunistic TLS encryption. +#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 + +# TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption. # -# opportunistic -smtpd_tls_ciphers = high +#smtpd_tls_protocols = >=TLSv1 + +# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. +# +#smtpd_tls_mandatory_protocols = >=TLSv1 + +# TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption. +# +#smtp_tls_protocols = >=TLSv1 + +# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption. 
+# +smtp_tls_mandatory_protocols = >=TLSv1.2 -# Exclude ciphers +# The Postfix SMTP server security grade for ephemeral elliptic-curve +# Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this +# parameter is always ignored, and Postfix behaves as though the auto value +# (described below) was chosen. +# +# auto +# Use the most preferred curve that is supported by both the client and the server. +# This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This +# is the default setting under the above conditions (and the only setting used with +# Postfix ≥ 3.6). +# +# none +# Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the +# default in Postfix versions 2.6 and 2.7. +# +# strong +# Use EECDH with approximately 128 bits of security at a reasonable computational cost. +# This is the default in Postfix versions 2.8-3.5. +# +# ultra +# Use EECDH with approximately 192 bits of security at computational cost that is +# approximately twice as high as 128 bit strength ECC. +# +smtpd_tls_eecdh_grade = auto + + +# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead +# of the remote client's cipher preference order. +# +# By default, the OpenSSL server selects the client's most preferred cipher that the +# server supports. With SSLv3 and later, the server may choose its own most preferred +# cipher that is supported (offered) by the client. +# +# Setting "tls_preempt_cipherlist = yes" enables server cipher preferences. +# +# default: no +# +#tls_preempt_cipherlist = no + + +# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory +# TLS encryption. 
The default grade ("medium") is sufficiently strong that any benefit +# from globally restricting TLS sessions to a more stringent grade is likely negligible, +# especially given the fact that many implementations still do not offer any stronger +# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers. +# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export" +# or "low" ciphers is typically not a good idea, as systems limited to just these are +# limited to obsolete browsers. No known SMTP clients fail to support at least one +# "medium" or "high" grade cipher. +# +# default: medium +# +#smtpd_tls_mandatory_ciphers = medium + +# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic +# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the +# base definition of the selected cipher grade. +# +# default: medium +# +#smtpd_tls_ciphers = medium + + +# List of ciphers or cipher types to exclude from the SMTP server cipher list at all +# TLS security levels. +# +# DO NOT exclude ciphers unless it is essential to do so. This is not an OpenSSL cipherlist; +# it is a simple list separated by whitespace and/or commas. The elements are a single cipher, +# or one or more "+" separated cipher properties, in which case only ciphers matching all the +# properties are excluded. +# #smtpd_tls_exclude_ciphers = -# RC4 -# aNULL -# SEED-SHA -# EXP -# MD5 -smtpd_tls_exclude_ciphers = - aNULL - eNULL - EXPORT - DES - RC4 - MD5 - PSK - aECDH - EDH-DSS-DES-CBC3-SHA - EDH-RSA-DES-CDC3-SHA - KRB5-DE5, CBC3-SHA + +# Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher +# list at mandatory TLS security levels. This list works in addition to the exclusions listed +# with smtp_tls_exclude_ciphers +# +#smtp_tls_mandatory_exclude_ciphers = smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
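Review bot: The comment block directly above the new active line `smtp_tls_mandatory_protocols = >=TLSv1.2` reads "The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption", which is the smtpd_tls_mandatory_ciphers text and does not describe the client protocol list it now heads; suggest `# TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.` followed by `# default: see "postconf -d smtp_tls_mandatory_protocols"`. That line is also the only protocol setting left active on the new side: `smtpd_tls_protocols`, `smtpd_tls_mandatory_protocols` and `smtp_tls_protocols`, which the old side pinned to `!SSLv2, !SSLv3`, are all commented out, so the inbound side of the generated main.cf now depends entirely on the installed Postfix's compiled-in defaults, and a one-line comment stating that this is deliberate would save the next reader from re-adding them. If the script is still expected to run against Postfix releases older than 3.6, note that the `>=TLSv1.2` range syntax was, to my knowledge, only introduced in 3.6, so on older releases this line would presumably need the legacy `!SSLv2, !SSLv3, !TLSv1, !TLSv1.1` form. `tls_preempt_cipherlist` goes from an active `yes` to a commented-out `no` (the documented default), which silently drops the server-side cipher ordering the old configuration enforced; if that loosening is intended it deserves a comment as well. The escaped `\${data_directory}` suggests these lines sit inside a heredoc whose start and end lie outside the hunk.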