install/mailsystem
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of https://git.oopen.de/install/mailsystem

Browse Source
This commit is contained in:
Christoph 2024-09-18 19:38:15 +02:00
commit 1d78a7e4b3
3 changed files with 416 additions and 325 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

188
install_amavis.sh
View File

@ -413,6 +413,85 @@ else
done done
fi fi
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Use SecuriteInfo Signatures (https://www.securiteinfo.com)?"
echo ""
echo "Note: You have to sign up for an account. For a free account thats here:"
echo " https://www.securiteinfo.com/clients/customers/signup"
echo ""
if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
echononl "Load SecuriteInfo Singatures (yes/no): "
else
if $_SECURITE_INFO_IN_USE ; then
echononl "Load SecuriteInfo Singatures [yes]: "
else
echononl "Load SecuriteInfo Singatures [no]: "
fi
fi
read _TMP_LOAD_SI
_TMP_LOAD_SI=${_TMP_LOAD_SI,,}
while [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; do
if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
echononl "Wrong entry! (yes/no): "
read _TMP_LOAD_SI
_TMP_LOAD_SI=${_TMP_LOAD_SI,,}
else
if [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; then
if [[ "X$_TMP_LOAD_SI" = "X" ]]; then
if $_SECURITE_INFO_IN_USE ; then
_TMP_LOAD_SI=yes
else
_TMP_LOAD_SI=no
fi
else
if $_SECURITE_INFO_IN_USE ; then
echononl "Wrong entry! [yes]: "
else
echononl "Wrong entry! [no]: "
fi
read _TMP_LOAD_SI
fi
fi
fi
done
if [[ "$_TMP_LOAD_SI" = "yes" ]] ; then
SECURITE_INFO_IN_USE=true
else
SECURITE_INFO_IN_USE=false
fi
if $SECURITE_INFO_IN_USE ; then
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert SecuriteInfo Authorisation Signature"
echo ""
echo ""
SI_AUTHORISATION_SIGNATURE=
if [[ -n "$_SI_AUTHORISATION_SIGNATURE" ]] ; then
while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
echononl "SecuriteInfo Authorisation Signature [$(echo ${_SI_AUTHORISATION_SIGNATURE:0:4})..$(echo ${_SI_AUTHORISATION_SIGNATURE: -4})]: "
read SI_AUTHORISATION_SIGNATURE
if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
SI_AUTHORISATION_SIGNATURE=$_SI_AUTHORISATION_SIGNATURE
fi
done
else
while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
echononl "SecuriteInfo Authorisation Signature: "
read SI_AUTHORISATION_SIGNATURE
if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mSecuriteInfo Authorisation Signature is reqired\033[m\n"
fi
done
fi
fi
echo "" echo ""
echo -e "\033[32m--\033[m" echo -e "\033[32m--\033[m"
echo "" echo ""
@ -586,84 +665,6 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
fi fi
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Load SecuriteInfo Signatures (https://www.securiteinfo.com)?"
echo ""
echo "Note: You have to sign up for an account. For a free account thats here:"
echo " https://www.securiteinfo.com/clients/customers/signup"
echo ""
if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
echononl "Load SecuriteInfo Singatures (yes/no): "
else
if $_SECURITE_INFO_IN_USE ; then
echononl "Load SecuriteInfo Singatures [yes]: "
else
echononl "Load SecuriteInfo Singatures [no]: "
fi
fi
read _TMP_LOAD_SI
_TMP_LOAD_SI=${_TMP_LOAD_SI,,}
while [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; do
if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
echononl "Wrong entry! (yes/no): "
read _TMP_LOAD_SI
_TMP_LOAD_SI=${_TMP_LOAD_SI,,}
else
if [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; then
if [[ "X$_TMP_LOAD_SI" = "X" ]]; then
if $_SECURITE_INFO_IN_USE ; then
_TMP_LOAD_SI=yes
else
_TMP_LOAD_SI=no
fi
else
if $_SECURITE_INFO_IN_USE ; then
echononl "Wrong entry! [yes]: "
else
echononl "Wrong entry! [no]: "
fi
read _TMP_LOAD_SI
fi
fi
fi
done
if [[ "$_TMP_LOAD_SI" = "yes" ]] ; then
SECURITE_INFO_IN_USE=true
else
SECURITE_INFO_IN_USE=false
fi
if $SECURITE_INFO_IN_USE ; then
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert SecuriteInfo Authorisation Signature"
echo ""
echo ""
SI_AUTHORISATION_SIGNATURE=
if [[ -n "$_SI_AUTHORISATION_SIGNATURE" ]] ; then
while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
echononl "SecuriteInfo Authorisation Signature [$(echo ${_SI_AUTHORISATION_SIGNATURE:0:4})..$(echo ${_SI_AUTHORISATION_SIGNATURE: -4})]: "
read SI_AUTHORISATION_SIGNATURE
if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
SI_AUTHORISATION_SIGNATURE=$_SI_AUTHORISATION_SIGNATURE
fi
done
else
while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
echononl "SecuriteInfo Authorisation Signature: "
read SI_AUTHORISATION_SIGNATURE
if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mSecuriteInfo Authorisation Signature is reqired\033[m\n"
fi
done
fi
fi
fi fi
@ -3550,9 +3551,16 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
# -------------------------------------- # --------------------------------------
# --- Begin: User specific modifications # --- Begin: User specific modifications
# --- Inserted by install-script "$(basename "$0")" at $(date +"%Y-%m-%d %H:%M") # --- Inserted by install-script "$(basename "$0")" at $(date +"%Y-%m-%d %H:%M")
# - SecuriteInfo
# -
# - SecuriteInfo signatures are now directly integrated into ClamAV's Freshclam.
# -
# - We therefore disable them here.
# -
securiteinfo_enabled="no"
EOF EOF
if $MALWARE_PATROL_IN_USE || $SECURITE_INFO_IN_USE ; then
if $MALWARE_PATROL_IN_USE ; then if $MALWARE_PATROL_IN_USE ; then
@ -3586,29 +3594,23 @@ EOF
error "$(cat $tmp_err_msg)" error "$(cat $tmp_err_msg)"
fi fi
fi fi
fi # if $MALWARE_PATROL_IN_USE
if $SECURITE_INFO_IN_USE ; then else
cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
# - SecuriteInfo
# - MalwarePatrol
# - # -
# - type: Gold # - Not in use
# - account: ckubu@oopen.de
# - signatur: abb4ec6..46b59a4e
# - # -
# - - ALT - malwarepatrol_enabled="no"
# - type: professional
# - account: oo@oopen.de
# - signatur: b0b7e94d..0c2e3a89
# -
securiteinfo_authorisation_signature="$SI_AUTHORISATION_SIGNATURE"
EOF EOF
if [[ "$?" -ne 0 ]] ; then if [[ "$?" -ne 0 ]] ; then
installation_failed=true installation_failed=true
error "$(cat $tmp_err_msg)" error "$(cat $tmp_err_msg)"
fi fi
fi # if $SECURITE_INFO_IN_USE
fi #if $MALWARE_PATROL_IN_USE || $SECURITE_INFO_IN_USE fi #if $MALWARE_PATROL_IN_USE
cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
# - Disable Yara-Rule set, because (some?) pgp mails where blocked. # - Disable Yara-Rule set, because (some?) pgp mails where blocked.

129
install_postfix_advanced.sh
View File

@ -1830,64 +1830,109 @@ smtp_tls_CAfile = $_TLS_CA_FILE
#smtpd_tls_CApath = /etc/postfix/certs #smtpd_tls_CApath = /etc/postfix/certs
# Disable SSLv2 SSLv3 - Postfix SMTP server # TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption.
# If the list is empty, the server supports all available TLS protocol versions.
# #
# List of TLS protocols that the Postfix SMTP server will exclude or # default: see 'postconf -d' output
# include with opportunistic TLS encryption.
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
# #
# The SSL/TLS protocols accepted by the Postfix SMTP server smtpd_tls_protocols = >=TLSv1.1
# with mandatory TLS encryption.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption.
# Disable SSLv2 SSLv3 - Postfix SMTP client
# #
# List of TLS protocols that the Postfix SMTP client will exclude or smtpd_tls_mandatory_protocols = >=TLSv1.1
# include with opportunistic TLS encryption.
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption.
# #
# List of SSL/TLS protocols that the Postfix SMTP client will use # default: see 'postconf -d' output
# with mandatory TLS encryption #
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtp_tls_protocols = >=TLSv1.2
# TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.
#
# default: see 'postconf -d' output
#
smtp_tls_mandatory_protocols = >=TLSv1.2
## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange # The Postfix SMTP server security grade for ephemeral elliptic-curve
## - openssl > 1.0 # Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this
## - # parameter is always ignored, and Postfix behaves as though the auto value
smtpd_tls_eecdh_grade = strong # (described below) was chosen.
#
# auto
# Use the most preferred curve that is supported by both the client and the server.
# This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This
# is the default setting under the above conditions (and the only setting used with
# Postfix ≥ 3.6).
#
# none
# Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the
# default in Postfix versions 2.6 and 2.7.
#
# strong
# Use EECDH with approximately 128 bits of security at a reasonable computational cost.
# This is the default in Postfix versions 2.8-3.5.
#
# ultra
# Use EECDH with approximately 192 bits of security at computational cost that is
# approximately twice as high as 128 bit strength ECC.
#
smtpd_tls_eecdh_grade = auto
# standard list cryptographic algorithm
# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead
# of the remote client's cipher preference order.
#
# By default, the OpenSSL server selects the client's most preferred cipher that the
# server supports. With SSLv3 and later, the server may choose its own most preferred
# cipher that is supported (offered) by the client.
#
# Setting "tls_preempt_cipherlist = yes" enables server cipher preferences.
#
# default: no
#
tls_preempt_cipherlist = yes tls_preempt_cipherlist = yes
# Disable ciphers which are less than 256-bit:
# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory
# TLS encryption. The default grade ("medium") is sufficiently strong that any benefit
# from globally restricting TLS sessions to a more stringent grade is likely negligible,
# especially given the fact that many implementations still do not offer any stronger
# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers.
# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export"
# or "low" ciphers is typically not a good idea, as systems limited to just these are
# limited to obsolete browsers. No known SMTP clients fail to support at least one
# "medium" or "high" grade cipher.
# #
#smtpd_tls_mandatory_ciphers = high # default: medium
#
#smtpd_tls_mandatory_ciphers = medium
# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic
# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the
# base definition of the selected cipher grade.
#
# default: medium
# #
# opportunistic
smtpd_tls_ciphers = high smtpd_tls_ciphers = high
# Exclude ciphers # List of ciphers or cipher types to exclude from the SMTP server cipher list at all
# TLS security levels.
#
# DO NOT exclude ciphers unless it is essential to do so. This is not an OpenSSL cipherlist;
# it is a simple list separated by whitespace and/or commas. The elements are a single cipher,
# or one or more "+" separated cipher properties, in which case only ciphers matching all the
# properties are excluded.
#
#smtpd_tls_exclude_ciphers = #smtpd_tls_exclude_ciphers =
# RC4
# aNULL # Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher
# SEED-SHA # list at mandatory TLS security levels. This list works in addition to the exclusions listed
# EXP # with smtp_tls_exclude_ciphers
# MD5 #
smtpd_tls_exclude_ciphers = #smtp_tls_mandatory_exclude_ciphers =
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CDC3-SHA
KRB5-DE5
CBC3-SHA
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache

130
install_postfix_base.sh
View File

@ -909,59 +909,103 @@ smtp_tls_CAfile = $_TLS_CA_FILE
# #
# List of TLS protocols that the Postfix SMTP server will exclude or # List of TLS protocols that the Postfix SMTP server will exclude or
# include with opportunistic TLS encryption. # include with opportunistic TLS encryption.
smtpd_tls_protocols = !SSLv2, !SSLv3 #smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
# TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption.
# #
# The SSL/TLS protocols accepted by the Postfix SMTP server #smtpd_tls_protocols = >=TLSv1
# with mandatory TLS encryption.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption.
# Disable SSLv2 SSLv3 - Postfix SMTP client
# #
# List of TLS protocols that the Postfix SMTP client will exclude or #smtpd_tls_mandatory_protocols = >=TLSv1
# include with opportunistic TLS encryption.
smtp_tls_protocols = !SSLv2, !SSLv3 # TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption.
# #
# List of SSL/TLS protocols that the Postfix SMTP client will use #smtp_tls_protocols = >=TLSv1
# with mandatory TLS encryption
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption.
## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange
## - openssl > 1.0
## -
smtpd_tls_eecdh_grade = strong
# standard list cryptographic algorithm
tls_preempt_cipherlist = yes
# Disable ciphers which are less than 256-bit:
# #
#smtpd_tls_mandatory_ciphers = high smtp_tls_mandatory_protocols = >=TLSv1.2
# The Postfix SMTP server security grade for ephemeral elliptic-curve
# Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this
# parameter is always ignored, and Postfix behaves as though the auto value
# (described below) was chosen.
# #
# opportunistic # auto
smtpd_tls_ciphers = high # Use the most preferred curve that is supported by both the client and the server.
# This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This
# is the default setting under the above conditions (and the only setting used with
# Postfix ≥ 3.6).
#
# none
# Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the
# default in Postfix versions 2.6 and 2.7.
#
# strong
# Use EECDH with approximately 128 bits of security at a reasonable computational cost.
# This is the default in Postfix versions 2.8-3.5.
#
# ultra
# Use EECDH with approximately 192 bits of security at computational cost that is
# approximately twice as high as 128 bit strength ECC.
#
smtpd_tls_eecdh_grade = auto
# Exclude ciphers # With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead
# of the remote client's cipher preference order.
#
# By default, the OpenSSL server selects the client's most preferred cipher that the
# server supports. With SSLv3 and later, the server may choose its own most preferred
# cipher that is supported (offered) by the client.
#
# Setting "tls_preempt_cipherlist = yes" enables server cipher preferences.
#
# default: no
#
#tls_preempt_cipherlist = no
# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory
# TLS encryption. The default grade ("medium") is sufficiently strong that any benefit
# from globally restricting TLS sessions to a more stringent grade is likely negligible,
# especially given the fact that many implementations still do not offer any stronger
# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers.
# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export"
# or "low" ciphers is typically not a good idea, as systems limited to just these are
# limited to obsolete browsers. No known SMTP clients fail to support at least one
# "medium" or "high" grade cipher.
#
# default: medium
#
#smtpd_tls_mandatory_ciphers = medium
# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic
# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the
# base definition of the selected cipher grade.
#
# default: medium
#
#smtpd_tls_ciphers = medium
# List of ciphers or cipher types to exclude from the SMTP server cipher list at all
# TLS security levels.
#
# DO NOT exclude ciphers unless it is essential to do so. This is not an OpenSSL cipherlist;
# it is a simple list separated by whitespace and/or commas. The elements are a single cipher,
# or one or more "+" separated cipher properties, in which case only ciphers matching all the
# properties are excluded.
#
#smtpd_tls_exclude_ciphers = #smtpd_tls_exclude_ciphers =
# RC4
# aNULL # Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher
# SEED-SHA # list at mandatory TLS security levels. This list works in addition to the exclusions listed
# EXP # with smtp_tls_exclude_ciphers
# MD5 #
smtpd_tls_exclude_ciphers = #smtp_tls_mandatory_exclude_ciphers =
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CDC3-SHA
KRB5-DE5, CBC3-SHA
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache