install/mailsystem
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of https://git.oopen.de/install/mailsystem

Browse Source
This commit is contained in:
Christoph 2024-09-18 19:38:15 +02:00
commit 1d78a7e4b3
3 changed files with 416 additions and 325 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

460
install_amavis.sh
View File

@ -131,7 +131,7 @@ DEFAULT_SI_AUTHORISATION_SIGNATURE_OOPEN=abb4ec6b194639f3d123154f1b971843a3b8751
# SecuriteInfo signatur databases # SecuriteInfo signatur databases
# #
SI_SIGNATUR_DATABASES=" SI_SIGNATUR_DATABASES="
securiteinfo.hdb securiteinfo.hdb
securiteinfo.ign2 securiteinfo.ign2
javascript.ndb javascript.ndb
spam_marketing.ndb spam_marketing.ndb
@ -210,7 +210,7 @@ _needed_packages_clamav="clamav \
if [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 10 ]] ; then if [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 10 ]] ; then
_needed_packages_clamav="$_needed_packages_clamav \ _needed_packages_clamav="$_needed_packages_clamav \
libclamunrar7" libclamunrar7"
elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 11 ]] ; then elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 11 ]] ; then
_needed_packages_clamav="$_needed_packages_clamav \ _needed_packages_clamav="$_needed_packages_clamav \
libclamunrar9" libclamunrar9"
elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 12 ]] ; then elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 12 ]] ; then
@ -355,7 +355,7 @@ else
fi fi
done done
fi fi
if [ "X$IPV6" = "Xnone" -o "X$IPV6" = "XNone" ]; then if [ "X$IPV6" = "Xnone" -o "X$IPV6" = "XNone" ]; then
IPV6=disabled IPV6=disabled
fi fi
@ -384,7 +384,7 @@ while [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]];do
fi fi
done done
echo "" echo ""
@ -413,11 +413,90 @@ else
done done
fi fi
echo ""
echo -e "\033[32m--\033[m" echo ""
echo "" echo -e "\033[32m--\033[m"
echo "Should ClamAV unofficial Singatures be installed?" echo ""
echo "" echo "Use SecuriteInfo Signatures (https://www.securiteinfo.com)?"
echo ""
echo "Note: You have to sign up for an account. For a free account thats here:"
echo " https://www.securiteinfo.com/clients/customers/signup"
echo ""
if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
echononl "Load SecuriteInfo Singatures (yes/no): "
else
if $_SECURITE_INFO_IN_USE ; then
echononl "Load SecuriteInfo Singatures [yes]: "
else
echononl "Load SecuriteInfo Singatures [no]: "
fi
fi
read _TMP_LOAD_SI
_TMP_LOAD_SI=${_TMP_LOAD_SI,,}
while [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; do
if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
echononl "Wrong entry! (yes/no): "
read _TMP_LOAD_SI
_TMP_LOAD_SI=${_TMP_LOAD_SI,,}
else
if [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; then
if [[ "X$_TMP_LOAD_SI" = "X" ]]; then
if $_SECURITE_INFO_IN_USE ; then
_TMP_LOAD_SI=yes
else
_TMP_LOAD_SI=no
fi
else
if $_SECURITE_INFO_IN_USE ; then
echononl "Wrong entry! [yes]: "
else
echononl "Wrong entry! [no]: "
fi
read _TMP_LOAD_SI
fi
fi
fi
done
if [[ "$_TMP_LOAD_SI" = "yes" ]] ; then
SECURITE_INFO_IN_USE=true
else
SECURITE_INFO_IN_USE=false
fi
if $SECURITE_INFO_IN_USE ; then
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert SecuriteInfo Authorisation Signature"
echo ""
echo ""
SI_AUTHORISATION_SIGNATURE=
if [[ -n "$_SI_AUTHORISATION_SIGNATURE" ]] ; then
while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
echononl "SecuriteInfo Authorisation Signature [$(echo ${_SI_AUTHORISATION_SIGNATURE:0:4})..$(echo ${_SI_AUTHORISATION_SIGNATURE: -4})]: "
read SI_AUTHORISATION_SIGNATURE
if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
SI_AUTHORISATION_SIGNATURE=$_SI_AUTHORISATION_SIGNATURE
fi
done
else
while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
echononl "SecuriteInfo Authorisation Signature: "
read SI_AUTHORISATION_SIGNATURE
if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mSecuriteInfo Authorisation Signature is reqired\033[m\n"
fi
done
fi
fi
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Should ClamAV unofficial Singatures be installed?"
echo ""
if [[ -z "$_INSTALL_CLAMAV_UNOFFICIAL_SIGS" ]]; then if [[ -z "$_INSTALL_CLAMAV_UNOFFICIAL_SIGS" ]]; then
echononl "Install ClamAV unofficial Singatures (yes/no): " echononl "Install ClamAV unofficial Singatures (yes/no): "
else else
@ -451,14 +530,14 @@ else
fi fi
if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
echo "" echo ""
echo -e "\033[32m--\033[m" echo -e "\033[32m--\033[m"
echo "" echo ""
echo "Load MalwarePatrol Signatures (https://www.malwarepatrol.net)?" echo "Load MalwarePatrol Signatures (https://www.malwarepatrol.net)?"
echo "" echo ""
echo "Note: You have to sign up for an account. For a free account thats here:" echo "Note: You have to sign up for an account. For a free account thats here:"
echo " https://www.malwarepatrol.net/signup-free.shtml" echo " https://www.malwarepatrol.net/signup-free.shtml"
echo "" echo ""
if [[ -z "$_MALWARE_PATROL_IN_USE" ]]; then if [[ -z "$_MALWARE_PATROL_IN_USE" ]]; then
echononl "Load MalwarePatrol Singatures (yes/no): " echononl "Load MalwarePatrol Singatures (yes/no): "
else else
@ -491,7 +570,7 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
fi fi
read _TMP_LOAD_MP read _TMP_LOAD_MP
fi fi
fi fi
fi fi
done done
@ -501,14 +580,14 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
MALWARE_PATROL_IN_USE=false MALWARE_PATROL_IN_USE=false
fi fi
if $MALWARE_PATROL_IN_USE ; then if $MALWARE_PATROL_IN_USE ; then
echo "" echo ""
echo "" echo ""
echo "Are you using a free account from MalwarePatrol?" echo "Are you using a free account from MalwarePatrol?"
echo "" echo ""
echo "" echo ""
if [[ -z "$_MALWERE_PATROL_FREE" ]] ; then if [[ -z "$_MALWERE_PATROL_FREE" ]] ; then
echononl " Using fgree acount from MalwarePatrol? (yes/no): " echononl " Using fgree acount from MalwarePatrol? (yes/no): "
@ -583,85 +662,7 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
done done
fi fi
fi
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Load SecuriteInfo Signatures (https://www.securiteinfo.com)?"
echo ""
echo "Note: You have to sign up for an account. For a free account thats here:"
echo " https://www.securiteinfo.com/clients/customers/signup"
echo ""
if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
echononl "Load SecuriteInfo Singatures (yes/no): "
else
if $_SECURITE_INFO_IN_USE ; then
echononl "Load SecuriteInfo Singatures [yes]: "
else
echononl "Load SecuriteInfo Singatures [no]: "
fi
fi
read _TMP_LOAD_SI
_TMP_LOAD_SI=${_TMP_LOAD_SI,,}
while [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; do
if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
echononl "Wrong entry! (yes/no): "
read _TMP_LOAD_SI
_TMP_LOAD_SI=${_TMP_LOAD_SI,,}
else
if [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; then
if [[ "X$_TMP_LOAD_SI" = "X" ]]; then
if $_SECURITE_INFO_IN_USE ; then
_TMP_LOAD_SI=yes
else
_TMP_LOAD_SI=no
fi
else
if $_SECURITE_INFO_IN_USE ; then
echononl "Wrong entry! [yes]: "
else
echononl "Wrong entry! [no]: "
fi
read _TMP_LOAD_SI
fi
fi
fi
done
if [[ "$_TMP_LOAD_SI" = "yes" ]] ; then
SECURITE_INFO_IN_USE=true
else
SECURITE_INFO_IN_USE=false
fi
if $SECURITE_INFO_IN_USE ; then
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert SecuriteInfo Authorisation Signature"
echo ""
echo ""
SI_AUTHORISATION_SIGNATURE=
if [[ -n "$_SI_AUTHORISATION_SIGNATURE" ]] ; then
while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
echononl "SecuriteInfo Authorisation Signature [$(echo ${_SI_AUTHORISATION_SIGNATURE:0:4})..$(echo ${_SI_AUTHORISATION_SIGNATURE: -4})]: "
read SI_AUTHORISATION_SIGNATURE
if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
SI_AUTHORISATION_SIGNATURE=$_SI_AUTHORISATION_SIGNATURE
fi
done
else
while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
echononl "SecuriteInfo Authorisation Signature: "
read SI_AUTHORISATION_SIGNATURE
if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mSecuriteInfo Authorisation Signature is reqired\033[m\n"
fi
done
fi
fi fi
fi fi
@ -674,28 +675,28 @@ else
DB_IN_USE=false DB_IN_USE=false
fi fi
DB_TYPE="" DB_TYPE=""
echo "" echo ""
echo -e "\033[32m--\033[m" echo -e "\033[32m--\033[m"
echo "" echo ""
echo "Are a database lookups for local domains in use?" echo "Are a database lookups for local domains in use?"
echo "" echo ""
if [[ "$_DB_TYPE" = "MySQL" ]] ; then if [[ "$_DB_TYPE" = "MySQL" ]] ; then
echo -e "\033[37m\033[1m[1] MySQL\033[m" echo -e "\033[37m\033[1m[1] MySQL\033[m"
else else
echo "[1] MySQL" echo "[1] MySQL"
fi fi
if [[ "$_DB_TYPE" = "PostgreSQL" ]] ; then if [[ "$_DB_TYPE" = "PostgreSQL" ]] ; then
echo -e "[2] \033[37m\033[1mPostgeSQL\033[m" echo -e "[2] \033[37m\033[1mPostgeSQL\033[m"
else else
echo "[2] PostgeSQL" echo "[2] PostgeSQL"
fi fi
if ! $DB_IN_USE ; then if ! $DB_IN_USE ; then
echo -e "[3] \033[37m\033[1mSkip (No Database in use)\033[m" echo -e "[3] \033[37m\033[1mSkip (No Database in use)\033[m"
_DB_TYPE="None" _DB_TYPE="None"
else else
echo "[3] Skip (No Database in use)" echo "[3] Skip (No Database in use)"
fi fi
echo "" echo ""
echo "Type a number or press <RETURN> to choose highlighted value" echo "Type a number or press <RETURN> to choose highlighted value"
echo "" echo ""
echononl "Eingabe: " echononl "Eingabe: "
@ -714,12 +715,12 @@ while [ "$DB_TYPE" != "MySQL" -a "$DB_TYPE" != "PostgreSQL" -a "$DB_TYPE" != "No
DB_TYPE="None" DB_TYPE="None"
DB_IN_USE=false DB_IN_USE=false
;; ;;
'') DB_TYPE=$_DB_TYPE '') DB_TYPE=$_DB_TYPE
;; ;;
*) *)
echo "" echo ""
echo -e "\tFalsche Eingabe ! [ 1 = MySQL ; 2 = PostgreSQL , 3 = Skip] or type <RETURN>" echo -e "\tFalsche Eingabe ! [ 1 = MySQL ; 2 = PostgreSQL , 3 = Skip] or type <RETURN>"
echo "" echo ""
echononl "Eingabe: " echononl "Eingabe: "
;; ;;
esac esac
@ -1018,7 +1019,7 @@ if [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 12 ]] ; then
installation_failed=true installation_failed=true
error "$(cat $tmp_err_msg) error "$(cat $tmp_err_msg)
command was: command was:
cpanm -q --skip-installed $_module" cpanm -q --skip-installed $_module"
echononl "\tcontinue anyway [yes/no]: " echononl "\tcontinue anyway [yes/no]: "
@ -1080,7 +1081,7 @@ echo
## - Install package amavisd-new NOW, because we need at least the existence ## - Install package amavisd-new NOW, because we need at least the existence
## - of the AmaViS user (amavis) befor finally installation and configuration ## - of the AmaViS user (amavis) befor finally installation and configuration
## - of AmaViS itself. ## - of AmaViS itself.
## - ## -
echononl " Install packages \"amavisd-new\"" echononl " Install packages \"amavisd-new\""
@ -1159,7 +1160,7 @@ fi
## - # cp /root/sample-spam.txt /tmp ## - # cp /root/sample-spam.txt /tmp
## - # cd /tmp ## - # cd /tmp
## - # su amavis -c 'spamassassin -D </tmp/sample-spam.txt' ## - # su amavis -c 'spamassassin -D </tmp/sample-spam.txt'
## - ## -
## - Notice: ## - Notice:
## - If not testing as user roor, you need to change int a directora, where the testing ## - If not testing as user roor, you need to change int a directora, where the testing
## - user has read/write? access, even if the sample spam file is located at /tmp ## - user has read/write? access, even if the sample spam file is located at /tmp
@ -1232,27 +1233,27 @@ echo -e " \033[37m\033[1mConfigure Razor2..\033[m"
info "Open firewall outgoing port 2703 for Razor2" info "Open firewall outgoing port 2703 for Razor2"
## - This next section gets Razor2 up and running and copies its files where ## - This next section gets Razor2 up and running and copies its files where
## - both root and amavis expect to find them. ## - both root and amavis expect to find them.
## - ## -
## - SpamAssassin is designed to enable each user to have their own settings and ## - SpamAssassin is designed to enable each user to have their own settings and
## - data. This section will make both users happy. ## - data. This section will make both users happy.
## - ## -
## - This is because if we are debugging SpamAssassin or Razor or Pyzor or DCC, ## - This is because if we are debugging SpamAssassin or Razor or Pyzor or DCC,
## - we want to be able to do so with spamassassin -D </tmp/sample-spam.txt ## - we want to be able to do so with spamassassin -D </tmp/sample-spam.txt
## - rather than amavisd-new -d 5 debug-sa , because we don't want to shut ## - rather than amavisd-new -d 5 debug-sa , because we don't want to shut
## - amavisd-new down every time we need to debug one of those programs. A better ## - amavisd-new down every time we need to debug one of those programs. A better
## - A way to debug SpamAssassin is to run the program as the AmaViS user amavis ## - A way to debug SpamAssassin is to run the program as the AmaViS user amavis
## - like so: ## - like so:
## - su clamav -c 'spamassassin -D </root/sample-spam.txt' ## - su clamav -c 'spamassassin -D </root/sample-spam.txt'
## - ## -
## - First: ## - First:
## - To create a new razor-agent.conf file in /root/.razor/razor-agent.conf, we ## - To create a new razor-agent.conf file in /root/.razor/razor-agent.conf, we
## - must 'razor-admin -create' prevent from using the defaut one in directory ## - must 'razor-admin -create' prevent from using the defaut one in directory
## - /etc/razor/ ## - /etc/razor/
## - ## -
echononl " Rename /etc/razor/razor-agent.conf to /etc/razor/razor-agent.conf.ORIG" echononl " Rename /etc/razor/razor-agent.conf to /etc/razor/razor-agent.conf.ORIG"
if [[ -f /etc/razor/razor-agent.conf ]]; then if [[ -f /etc/razor/razor-agent.conf ]]; then
mv /etc/razor/razor-agent.conf /etc/razor/razor-agent.conf.ORIG > $tmp_err_msg 2>&1 mv /etc/razor/razor-agent.conf /etc/razor/razor-agent.conf.ORIG > $tmp_err_msg 2>&1
@ -1365,7 +1366,7 @@ fi
## - Copy root's .razor directory and files to the amavis user's home directory ## - Copy root's .razor directory and files to the amavis user's home directory
## - ## -
echononl " Copy root's razor configuration to user \"amavis\" (${_home_amavais}/.razor)" echononl " Copy root's razor configuration to user \"amavis\" (${_home_amavais}/.razor)"
installation_failed=false installation_failed=false
cp -r /root/.razor ${_home_amavais}/ > $tmp_err_msg 2>&1 cp -r /root/.razor ${_home_amavais}/ > $tmp_err_msg 2>&1
if [[ "$?" -ne 0 ]] ; then if [[ "$?" -ne 0 ]] ; then
@ -1867,7 +1868,7 @@ report_safe 0
# #
# #
# Our own IP's # Our own IP's
# #
# Notice: i decided not to trust our own ip's, because i want # Notice: i decided not to trust our own ip's, because i want
# to filter also mails from local users out # to filter also mails from local users out
@ -1879,7 +1880,7 @@ fi
echo "$_msg_trusted" >> /etc/spamassassin/local.cf echo "$_msg_trusted" >> /etc/spamassassin/local.cf
echo "" >> /etc/spamassassin/local.cf echo "" >> /etc/spamassassin/local.cf
echo "$_msg_internal" >> /etc/spamassassin/local.cf echo "$_msg_internal" >> /etc/spamassassin/local.cf
cat << EOF >> /etc/spamassassin/local.cf 2>$tmp_err_msg cat << EOF >> /etc/spamassassin/local.cf 2>$tmp_err_msg
@ -1910,8 +1911,8 @@ bayes_auto_learn_threshold_spam 10.0
bayes_auto_learn_threshold_nonspam -0.5 bayes_auto_learn_threshold_nonspam -0.5
# NOTE: Since there is a script that runs each day to --force-expire old # NOTE: Since there is a script that runs each day to --force-expire old
# Bayes tokens "/etc/cron.daily/amavisd-new" (make sure there is if # Bayes tokens "/etc/cron.daily/amavisd-new" (make sure there is if
# you use this setting!), we can set: # you use this setting!), we can set:
# #
bayes_auto_expire 0 bayes_auto_expire 0
@ -1983,14 +1984,14 @@ ok_locales all
# Local delivery uses this flag to distinguish between possible spam # Local delivery uses this flag to distinguish between possible spam
# and ham # and ham
# #
# Again: in our setup wee NEED to set the spam flag # Again: in our setup wee NEED to set the spam flag
# #
add_header spam Flag _YESNOCAPS_ add_header spam Flag _YESNOCAPS_
# Some shortcircuiting, if the plugin is enabled # Some shortcircuiting, if the plugin is enabled
# #
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
# #
# default: strongly-whitelisted mails are *really* whitelisted now, if the # default: strongly-whitelisted mails are *really* whitelisted now, if the
@ -2289,11 +2290,11 @@ EOF
fi fi
# - !! Notice !! # - !! Notice !!
# - if su clamav -c 'spamassassin --lint' failed ( with warn # - if su clamav -c 'spamassassin --lint' failed ( with warn
# - message "warn: Use of uninitialized value $type in numeric..") # - message "warn: Use of uninitialized value $type in numeric..")
# - reading "/etc/spamassassin/local.cf": razor_timeout 8, have a look # - reading "/etc/spamassassin/local.cf": razor_timeout 8, have a look
# - at SpamAssassin/Plugin/Razor2.pm line 118: # - at SpamAssassin/Plugin/Razor2.pm line 118:
# - # -
# - type => $Mail::SpamAssassin::Conf::CONF_TYPE_DURATIION, # - type => $Mail::SpamAssassin::Conf::CONF_TYPE_DURATIION,
# - # -
# - Should be: # - Should be:
@ -2536,7 +2537,7 @@ if [[ \`expr \$code1 + \$code2 + \$code3\` < 4 ]]; then
fi fi
fi fi
# Fixup perms -- group and other should be able to read and execute, # Fixup perms -- group and other should be able to read and execute,
# but never write. Works around sa-compile's failure to obey umask. # but never write. Works around sa-compile's failure to obey umask.
if [ -d /var/lib/spamassassin ]; then if [ -d /var/lib/spamassassin ]; then
chown -R debian-spamd:debian-spamd /var/lib/spamassassin chown -R debian-spamd:debian-spamd /var/lib/spamassassin
@ -2661,7 +2662,7 @@ else
/etc/init.d/amavis restart >/dev/null /etc/init.d/amavis restart >/dev/null
fi fi
# Fixup perms -- group and other should be able to read and execute, # Fixup perms -- group and other should be able to read and execute,
# but never write. Works around sa-compile's failure to obey umask. # but never write. Works around sa-compile's failure to obey umask.
if [ -d /var/lib/spamassassin ]; then if [ -d /var/lib/spamassassin ]; then
chown -R debian-spamd:debian-spamd /var/lib/spamassassin chown -R debian-spamd:debian-spamd /var/lib/spamassassin
@ -3143,10 +3144,10 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
## - ## -
## - Use ClamAV Unofficial Signatures Updater: ## - Use ClamAV Unofficial Signatures Updater:
## - https://github.com/extremeshok/clamav-unofficial-sigs/releases ## - https://github.com/extremeshok/clamav-unofficial-sigs/releases
## - ## -
## - See readme file: ## - See readme file:
## - https://github.com/extremeshok/clamav-unofficial-sigs ## - https://github.com/extremeshok/clamav-unofficial-sigs
## - ## -
echo "" echo ""
echo -e " \033[37m\033[1mClamAV Unofficial Signatures..\033[m" echo -e " \033[37m\033[1mClamAV Unofficial Signatures..\033[m"
@ -3183,7 +3184,7 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
echo_failed echo_failed
error "$(cat $tmp_err_msg) error "$(cat $tmp_err_msg)
command was: command was:
cpanm -q --skip-installed $_module" cpanm -q --skip-installed $_module"
echononl "continue anyway [yes/no]: " echononl "continue anyway [yes/no]: "
@ -3257,7 +3258,7 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
if ! $(grep -q -E "^\s*xshok_mkdir_ownership\s+\"\\\$work_dir_urlhaus\"" "${_clamav_script}" 2> /dev/null) ; then if ! $(grep -q -E "^\s*xshok_mkdir_ownership\s+\"\\\$work_dir_urlhaus\"" "${_clamav_script}" 2> /dev/null) ; then
if $(grep -q -E "^\s*xshok_mkdir_ownership\s+\"\\\$work_dir\"" "${_clamav_script}" 2> /dev/null) ; then if $(grep -q -E "^\s*xshok_mkdir_ownership\s+\"\\\$work_dir\"" "${_clamav_script}" 2> /dev/null) ; then
perl -i -n -p \ perl -i -n -p \
-e "s#(\s*xshok_mkdir_ownership\s+)(\"\\\$work_dir\")#\1\2\n\1\"\\\$work_dir_urlhaus\"#" \ -e "s#(\s*xshok_mkdir_ownership\s+)(\"\\\$work_dir\")#\1\2\n\1\"\\\$work_dir_urlhaus\"#" \
"${_clamav_script}" > $tmp_err_msg 2>&1 "${_clamav_script}" > $tmp_err_msg 2>&1
@ -3395,7 +3396,7 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
fi fi
if [[ "${os_dist,,}" = "debian" ]] ; then if [[ "${os_dist,,}" = "debian" ]] ; then
## - For Debian Jessie (Debian 8) // Stretch (Debian 9) // Buster (Debian 10) // Bullseye (Debian 11) ## - For Debian Jessie (Debian 8) // Stretch (Debian 9) // Buster (Debian 10) // Bullseye (Debian 11)
@ -3550,65 +3551,66 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
# -------------------------------------- # --------------------------------------
# --- Begin: User specific modifications # --- Begin: User specific modifications
# --- Inserted by install-script "$(basename "$0")" at $(date +"%Y-%m-%d %H:%M") # --- Inserted by install-script "$(basename "$0")" at $(date +"%Y-%m-%d %H:%M")
# - SecuriteInfo
# -
# - SecuriteInfo signatures are now directly integrated into ClamAV's Freshclam.
# -
# - We therefore disable them here.
# -
securiteinfo_enabled="no"
EOF EOF
if $MALWARE_PATROL_IN_USE || $SECURITE_INFO_IN_USE ; then
if $MALWARE_PATROL_IN_USE ; then if $MALWARE_PATROL_IN_USE ; then
cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
malwarepatrol_receipt_code="$MP_RECEIPT_NUMBER" malwarepatrol_receipt_code="$MP_RECEIPT_NUMBER"
malwarepatrol_list="clamav_basic" malwarepatrol_list="clamav_basic"
EOF EOF
if [[ "$?" -ne 0 ]] ; then if [[ "$?" -ne 0 ]] ; then
installation_failed=true installation_failed=true
error "$(cat $tmp_err_msg)" error "$(cat $tmp_err_msg)"
fi fi
if $MALWERE_PATROL_FREE ; then if $MALWERE_PATROL_FREE ; then
cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
malwarepatrol_product_code="8" malwarepatrol_product_code="8"
malwarepatrol_free="yes" malwarepatrol_free="yes"
EOF EOF
if [[ "$?" -ne 0 ]] ; then if [[ "$?" -ne 0 ]] ; then
installation_failed=true installation_failed=true
error "$(cat $tmp_err_msg)" error "$(cat $tmp_err_msg)"
fi fi
else else
cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
malwarepatrol_product_code="15" malwarepatrol_product_code="15"
malwarepatrol_free="no" malwarepatrol_free="no"
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
fi
fi
fi # if $MALWARE_PATROL_IN_USE
if $SECURITE_INFO_IN_USE ; then
cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
# - SecuriteInfo
# -
# - type: Gold
# - account: ckubu@oopen.de
# - signatur: abb4ec6..46b59a4e
# -
# - - ALT -
# - type: professional
# - account: oo@oopen.de
# - signatur: b0b7e94d..0c2e3a89
# -
securiteinfo_authorisation_signature="$SI_AUTHORISATION_SIGNATURE"
EOF EOF
if [[ "$?" -ne 0 ]] ; then if [[ "$?" -ne 0 ]] ; then
installation_failed=true installation_failed=true
error "$(cat $tmp_err_msg)" error "$(cat $tmp_err_msg)"
fi fi
fi # if $SECURITE_INFO_IN_USE fi
fi #if $MALWARE_PATROL_IN_USE || $SECURITE_INFO_IN_USE
else
cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
# - MalwarePatrol
# -
# - Not in use
# -
malwarepatrol_enabled="no"
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
fi
fi #if $MALWARE_PATROL_IN_USE
cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
# - Disable Yara-Rule set, because (some?) pgp mails where blocked. # - Disable Yara-Rule set, because (some?) pgp mails where blocked.
@ -3687,7 +3689,7 @@ EOF
error " error "
$(cat $tmp_err_msg) $(cat $tmp_err_msg)
command was: command was:
/usr/local/sbin/clamav-unofficial-sigs.sh --install-cron" /usr/local/sbin/clamav-unofficial-sigs.sh --install-cron"
echononl "continue anyway [yes/no]: " echononl "continue anyway [yes/no]: "
@ -3888,7 +3890,7 @@ fi
echononl " Install CPAN Modules mostly needed for decoding" echononl " Install CPAN Modules mostly needed for decoding"
installation_failed=false installation_failed=false
_needed_cpan_modules=" _needed_cpan_modules="
Digest::SHA1 Digest::SHA1
Digest::SHA2 Digest::SHA2
Digest::SHA256 Digest::SHA256
Encode::Detect Encode::Detect
@ -3899,7 +3901,7 @@ for _module in $_needed_cpan_modules ; do
installation_failed=true installation_failed=true
error "$(cat $tmp_err_msg) error "$(cat $tmp_err_msg)
command was: command was:
cpanm -q --skip-installed $_module" cpanm -q --skip-installed $_module"
echononl "continue anyway [yes/no]: " echononl "continue anyway [yes/no]: "
@ -3954,7 +3956,7 @@ fi
echononl " Create file '/etc/postfix/sender_whitelist'" echononl " Create file '/etc/postfix/sender_whitelist'"
if [[ ! -f "/etc/postfix/sender_whitelist" ]]; then if [[ ! -f "/etc/postfix/sender_whitelist" ]]; then
cat << EOF > /etc/postfix/sender_whitelist 2> '$tmp_err_msg' cat << EOF > /etc/postfix/sender_whitelist 2> '$tmp_err_msg'
# - Example '/etc/postfix/sender_whitelist' # - Example '/etc/postfix/sender_whitelist'
# - # -
# - Used by Amavis Configuration 'whitelist_sender_maps' / '%whitelist_sender' # - Used by Amavis Configuration 'whitelist_sender_maps' / '%whitelist_sender'
# - # -
@ -3984,7 +3986,7 @@ fi
echononl " Create file '/etc/postfix/spam_lovers'" echononl " Create file '/etc/postfix/spam_lovers'"
if [[ ! -f "/etc/postfix/spam_lovers" ]]; then if [[ ! -f "/etc/postfix/spam_lovers" ]]; then
cat << EOF > /etc/postfix/spam_lovers 2> '$tmp_err_msg' cat << EOF > /etc/postfix/spam_lovers 2> '$tmp_err_msg'
# - Example '/etc/postfix/spam_lovers' # - Example '/etc/postfix/spam_lovers'
# - # -
# - # Adresses # - # Adresses
# - adress@domain1.com 1 # - adress@domain1.com 1
@ -4012,7 +4014,7 @@ fi
echononl " Create file '/etc/postfix/virus_lovers'" echononl " Create file '/etc/postfix/virus_lovers'"
if [[ ! -f "/etc/postfix/virus_lovers" ]]; then if [[ ! -f "/etc/postfix/virus_lovers" ]]; then
cat << EOF > /etc/postfix/virus_lovers 2> '$tmp_err_msg' cat << EOF > /etc/postfix/virus_lovers 2> '$tmp_err_msg'
# - Example '/etc/postfix/virus_lovers' # - Example '/etc/postfix/virus_lovers'
# - # -
# - # Adresses # - # Adresses
# - adress@domain1.com 1 # - adress@domain1.com 1
@ -4041,7 +4043,7 @@ fi
## - Configure amavis in /etc/amavis/conf.d ## - Configure amavis in /etc/amavis/conf.d
## - ## -
## - write all changes and customization to a seperate ## - write all changes and customization to a seperate
## - file named "50-user", which will load at end of ## - file named "50-user", which will load at end of
## - configuration and overwrites the (debian)-default values ## - configuration and overwrites the (debian)-default values
## - ## -
@ -4081,7 +4083,7 @@ use strict;
# #
# Ports to listen on # Ports to listen on
# #
# 10024: default listening port # 10024: default listening port
# 10026: used for whitelisting IP's (trusted networks) # 10026: used for whitelisting IP's (trusted networks)
# #
@ -4121,7 +4123,7 @@ use strict;
#}; #};
# Bypass spam checking for whitelisted senders # Bypass spam checking for whitelisted senders
# #
#\$interface_policy{'10029'} = 'VIRUSONLY'; #\$interface_policy{'10029'} = 'VIRUSONLY';
#\$policy_bank{'VIRUSONLY'} = { # mail from the pickup daemon #\$policy_bank{'VIRUSONLY'} = { # mail from the pickup daemon
@ -4162,10 +4164,10 @@ use strict;
## - .domain3.com => '1', ## - .domain3.com => '1',
## - ); ## - );
## - ## -
## - But we will use the read_hash function to read in a list ## - But we will use the read_hash function to read in a list
## - of senders from the external file '/etc/postfix/sender_whitelist' ## - of senders from the external file '/etc/postfix/sender_whitelist'
## - ## -
## - Example '/etc/postfix/sender_whitelist' ## - Example '/etc/postfix/sender_whitelist'
## - ## -
## - some.trustworthy@doma.in #full email address ## - some.trustworthy@doma.in #full email address
## - some.trustworthy@ #full local part ## - some.trustworthy@ #full local part
@ -4192,18 +4194,18 @@ read_hash(\%whitelist_sender, '/etc/postfix/sender_whitelist');
## - ## -
## - !! Notice !! ## - !! Notice !!
## - ## -
## - Virus checks are bypassed only if all of the recipients of a message have ## - Virus checks are bypassed only if all of the recipients of a message have
## - been added to one of these variables. If even one recipient is not listed, ## - been added to one of these variables. If even one recipient is not listed,
## - virus-checking will still be performed. To ensure that virus is still delivered ## - virus-checking will still be performed. To ensure that virus is still delivered
## - to whitelisted recipients in such cases, use the "virus_lovers" features ## - to whitelisted recipients in such cases, use the "virus_lovers" features
## - see below. ## - see below.
## - ## -
@bypass_virus_checks_maps = ( @bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \\\$bypass_virus_checks_re); \%bypass_virus_checks, \@bypass_virus_checks_acl, \\\$bypass_virus_checks_re);
## - We will use '%bypass_virus_checks_maps'. So we could set: ## - We will use '%bypass_virus_checks_maps'. So we could set:
## - ## -
## - %bypass_virus_checks = ( ## - %bypass_virus_checks = (
## - # Adresses ## - # Adresses
## - adress@domain1.com => '1', ## - adress@domain1.com => '1',
@ -4216,10 +4218,10 @@ read_hash(\%whitelist_sender, '/etc/postfix/sender_whitelist');
## - domain3.com => '1', ## - domain3.com => '1',
## - ); ## - );
## - ## -
## - But we will use the read_hash function to read in a list ## - But we will use the read_hash function to read in a list
## - of recipients from the external file '/etc/postfix/spam_lovers' ## - of recipients from the external file '/etc/postfix/spam_lovers'
## - ## -
## - Example '/etc/postfix/virus_lovers' ## - Example '/etc/postfix/virus_lovers'
## - ## -
## - # Adresses ## - # Adresses
## - adress@domain1.com 1 ## - adress@domain1.com 1
@ -4248,7 +4250,7 @@ read_hash(\%bypass_virus_checks, '/etc/postfix/virus_lovers');
## - from the external file '/etc/postfix/spam_lovers' into '%spam_lovers'. ## - from the external file '/etc/postfix/spam_lovers' into '%spam_lovers'.
## - ## -
## - For more explanations see above ## - For more explanations see above
## - ## -
read_hash(\%virus_lovers, '/etc/postfix/virus_lovers'); read_hash(\%virus_lovers, '/etc/postfix/virus_lovers');
@ -4262,17 +4264,17 @@ read_hash(\%virus_lovers, '/etc/postfix/virus_lovers');
## - ## -
## - !! Notice !! ## - !! Notice !!
## - ## -
## - Spam checks are bypassed only if all of the recipients of a message have ## - Spam checks are bypassed only if all of the recipients of a message have
## - been added to one of these variables. If even one recipient is not listed, ## - been added to one of these variables. If even one recipient is not listed,
## - spam-checking will still be performed. To ensure that spam is still delivered ## - spam-checking will still be performed. To ensure that spam is still delivered
## - to whitelisted recipients in such cases, use the "spam_lovers" features ## - to whitelisted recipients in such cases, use the "spam_lovers" features
## - see below. ## - see below.
## - ## -
@bypass_spam_checks_maps = ( @bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \\\$bypass_spam_checks_re); \%bypass_spam_checks, \@bypass_spam_checks_acl, \\\$bypass_spam_checks_re);
## - We will use '%bypass_spam_checks'. So we could set: ## - We will use '%bypass_spam_checks'. So we could set:
## - ## -
## - %bypass_spam_checks = ( ## - %bypass_spam_checks = (
## - # Adresses ## - # Adresses
## - adress@domain1.com => '1', ## - adress@domain1.com => '1',
@ -4285,10 +4287,10 @@ read_hash(\%virus_lovers, '/etc/postfix/virus_lovers');
## - domain3.com => '1', ## - domain3.com => '1',
## - ); ## - );
## - ## -
## - But we will use the read_hash function to read in a list ## - But we will use the read_hash function to read in a list
## - of recipients from the external file '/etc/postfix/spam_lovers' ## - of recipients from the external file '/etc/postfix/spam_lovers'
## - ## -
## - Example '/etc/postfix/spam_lovers' ## - Example '/etc/postfix/spam_lovers'
## - ## -
## - # Adresses ## - # Adresses
## - adress@domain1.com 1 ## - adress@domain1.com 1
@ -4357,7 +4359,7 @@ read_hash(\%spam_lovers, '/etc/postfix/spam_lovers');
## - ## -
## - default: @spam_tag2_level_maps = (\\\$sa_tag2_level_deflt); ## - default: @spam_tag2_level_maps = (\\\$sa_tag2_level_deflt);
## - ## -
## - Example file '/etc/postfix/tag2_level_maps.dat' ## - Example file '/etc/postfix/tag2_level_maps.dat'
## - ## -
## - # oopen.de ## - # oopen.de
## - oopen.de 2.1 ## - oopen.de 2.1
@ -4387,7 +4389,7 @@ read_hash(\%spam_lovers, '/etc/postfix/spam_lovers');
## - ## -
## - default: @spam_kill_level_maps = (\\\$sa_kill_level_deflt); ## - default: @spam_kill_level_maps = (\\\$sa_kill_level_deflt);
## - ## -
## - Example file '/etc/postfix/kill_level_maps.dat' ## - Example file '/etc/postfix/kill_level_maps.dat'
## - ## -
## - # oopen.de ## - # oopen.de
## - ckubu@oopen.de 1500.0 ## - ckubu@oopen.de 1500.0
@ -4400,7 +4402,7 @@ read_hash(\%spam_lovers, '/etc/postfix/spam_lovers');
## - We will inform the sender about bouncing his mail with a DSN (Delivery ## - We will inform the sender about bouncing his mail with a DSN (Delivery
## - StatusNotification). That DSN message will no be send, if the spamvalue ## - StatusNotification). That DSN message will no be send, if the spamvalue
## - exceeds the value of sa_dsn_cutoff_level ## - exceeds the value of sa_dsn_cutoff_level
## - ## -
#\$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent #\$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
@ -4419,7 +4421,7 @@ read_hash(\%spam_lovers, '/etc/postfix/spam_lovers');
); );
\$sa_spam_subject_tag = undef; \$sa_spam_subject_tag = undef;
#\$sa_spam_subject_tag = '***SPAM*** '; #\$sa_spam_subject_tag = '***SPAM*** ';
## - QUARANTINE ## - QUARANTINE
@ -4491,15 +4493,15 @@ read_hash(\%spam_lovers, '/etc/postfix/spam_lovers');
#}; #};
## - Amavisd-New scans all mail passing through it for viruses, but will ## - Amavisd-New scans all mail passing through it for viruses, but will
## - only hand mail for local delivery off to SA for checking - you tell ## - only hand mail for local delivery off to SA for checking - you tell
## - it which domains are local using the @local_domains_maps variable, ## - it which domains are local using the @local_domains_maps variable,
## - which by default is set to the value of \$mydomain & its subdomains: ## - which by default is set to the value of \$mydomain & its subdomains:
## - ## -
#@local_domains_maps = ( ["."] ); #@local_domains_maps = ( ["."] );
## - get rid of "Open Relay" warnings in amavis logfile. ## - get rid of "Open Relay" warnings in amavis logfile.
## - ## -
\$interface_policy{'10024'} = 'ORIGINATING'; \$interface_policy{'10024'} = 'ORIGINATING';
\$policy_bank{'ORIGINATING'} = { \$policy_bank{'ORIGINATING'} = {
@ -4622,8 +4624,8 @@ delete \$admin_maps_by_ccat{&CC_UNCHECKED};
## - ## -
## - zur Signierung der e-Mail mit herangezogen werden. ## - zur Signierung der e-Mail mit herangezogen werden.
## - ## -
## - Dies hat jedoch den Nachteil, dass bei einer Veränderung der Received: from-Zeilen ## - Dies hat jedoch den Nachteil, dass bei einer Veränderung der Received: from-Zeilen
## - im Nachhinein, wie es z.B. bei der Einlieferung durch Postfix via smtpd_proxy_filter ## - im Nachhinein, wie es z.B. bei der Einlieferung durch Postfix via smtpd_proxy_filter
## - (Pre-Queue) bei AMaViS der Fall sein könnte, die DKIM-Sigantur sprichwörtlich „ ## - (Pre-Queue) bei AMaViS der Fall sein könnte, die DKIM-Sigantur sprichwörtlich „
## - kaputt“ geht. ## - kaputt“ geht.
## - ## -
@ -4632,8 +4634,8 @@ delete \$admin_maps_by_ccat{&CC_UNCHECKED};
## - ## -
## - \$signed_header_fields{'received'} = 0; # turn off signing of Received ## - \$signed_header_fields{'received'} = 0; # turn off signing of Received
## - ## -
## - verhindert werden, indem die Received: from-Zeilen nicht mehr mit in die ## - verhindert werden, indem die Received: from-Zeilen nicht mehr mit in die
## - Berechnung der DKIM-Signatur mit einfließen. ## - Berechnung der DKIM-Signatur mit einfließen.
## - ## -
\$signed_header_fields{'received'} = 0; # turn off signing of Received \$signed_header_fields{'received'} = 0; # turn off signing of Received
@ -4915,7 +4917,7 @@ EOF
error "$(cat $tmp_err_msg)" error "$(cat $tmp_err_msg)"
fi fi
fi fi
if $installed ; then if $installed ; then
crontab /tmp/tmp_crontab > /dev/null 2> $tmp_err_msg crontab /tmp/tmp_crontab > /dev/null 2> $tmp_err_msg
if [[ "$?" -ne 0 ]] ; then if [[ "$?" -ne 0 ]] ; then
@ -4967,7 +4969,7 @@ fi
## - Forward emails to amavis using "Pre-Queue" Option smtpd_proxy_filter ## - Forward emails to amavis using "Pre-Queue" Option smtpd_proxy_filter
## - ## -
## - edit /etc/postfix/master.cf and add flags for "smtpd_proxy_filter" (to ## - edit /etc/postfix/master.cf and add flags for "smtpd_proxy_filter" (to
## - forward to amavis service on localhost port 10024) and for "content_filter" ## - forward to amavis service on localhost port 10024) and for "content_filter"
## - (to avoid rechecking by "Post-Queue" content_filter) to smtp service ## - (to avoid rechecking by "Post-Queue" content_filter) to smtp service
## - ## -
## - smtp inet n - - - - smtpd ## - smtp inet n - - - - smtpd
@ -5089,7 +5091,7 @@ submission inet n - y - 20 smtpd
#-o milter_macro_daemon_name=ORIGINATING #-o milter_macro_daemon_name=ORIGINATING
EOF EOF
if ! $smtps_present ; then if ! $smtps_present ; then
if ! $localhost_10025_present ; then if ! $localhost_10025_present ; then
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
localhost:10025 inet n - y - - smtpd localhost:10025 inet n - y - - smtpd
-o content_filter= -o content_filter=
@ -5116,7 +5118,7 @@ EOF
#-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32 #-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32
EOF EOF
fi fi
if ! $amavisfeed_present ; then if ! $amavisfeed_present ; then
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
amavisfeed unix - - n - 20 lmtp amavisfeed unix - - n - 20 lmtp
@ -5143,7 +5145,7 @@ smtps inet n - y - - smtpd
#-o milter_macro_daemon_name=ORIGINATING #-o milter_macro_daemon_name=ORIGINATING
EOF EOF
if ! $localhost_10025_present ; then if ! $localhost_10025_present ; then
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
localhost:10025 inet n - y - - smtpd localhost:10025 inet n - y - - smtpd
-o content_filter= -o content_filter=
@ -5227,7 +5229,7 @@ EOF
fi fi
# - [[:blank:]] means space and tab. This makes it similar to: [ \t] # - [[:blank:]] means space and tab. This makes it similar to: [ \t]
# - [[:space;]] in addition to space and tab, includes newline, linefeed, formfeed, # - [[:space;]] in addition to space and tab, includes newline, linefeed, formfeed,
# - and vertical tab. This makes it similar to: [ \t\n\r\f\v] # - and vertical tab. This makes it similar to: [ \t\n\r\f\v]
# - # -
#if [[ $_line =~ ^[[:space:]]+[^[:space:]]+ ]] && $_smtp_found ; then #if [[ $_line =~ ^[[:space:]]+[^[:space:]]+ ]] && $_smtp_found ; then

133
install_postfix_advanced.sh
View File

@ -1830,64 +1830,109 @@ smtp_tls_CAfile = $_TLS_CA_FILE
#smtpd_tls_CApath = /etc/postfix/certs #smtpd_tls_CApath = /etc/postfix/certs
# Disable SSLv2 SSLv3 - Postfix SMTP server # TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption.
# If the list is empty, the server supports all available TLS protocol versions.
# #
# List of TLS protocols that the Postfix SMTP server will exclude or # default: see 'postconf -d' output
# include with opportunistic TLS encryption. #
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 smtpd_tls_protocols = >=TLSv1.1
# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption.
#
smtpd_tls_mandatory_protocols = >=TLSv1.1
# TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption.
#
# default: see 'postconf -d' output
#
smtp_tls_protocols = >=TLSv1.2
# TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.
# #
# The SSL/TLS protocols accepted by the Postfix SMTP server # default: see 'postconf -d' output
# with mandatory TLS encryption. #
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 smtp_tls_mandatory_protocols = >=TLSv1.2
# Disable SSLv2 SSLv3 - Postfix SMTP client # The Postfix SMTP server security grade for ephemeral elliptic-curve
# # Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this
# List of TLS protocols that the Postfix SMTP client will exclude or # parameter is always ignored, and Postfix behaves as though the auto value
# include with opportunistic TLS encryption. # (described below) was chosen.
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 #
# # auto
# List of SSL/TLS protocols that the Postfix SMTP client will use # Use the most preferred curve that is supported by both the client and the server.
# with mandatory TLS encryption # This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 # is the default setting under the above conditions (and the only setting used with
# Postfix ≥ 3.6).
#
# none
# Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the
# default in Postfix versions 2.6 and 2.7.
#
# strong
# Use EECDH with approximately 128 bits of security at a reasonable computational cost.
# This is the default in Postfix versions 2.8-3.5.
#
# ultra
# Use EECDH with approximately 192 bits of security at computational cost that is
# approximately twice as high as 128 bit strength ECC.
#
smtpd_tls_eecdh_grade = auto
## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange # With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead
## - openssl > 1.0 # of the remote client's cipher preference order.
## - #
smtpd_tls_eecdh_grade = strong # By default, the OpenSSL server selects the client's most preferred cipher that the
# server supports. With SSLv3 and later, the server may choose its own most preferred
# standard list cryptographic algorithm # cipher that is supported (offered) by the client.
#
# Setting "tls_preempt_cipherlist = yes" enables server cipher preferences.
#
# default: no
#
tls_preempt_cipherlist = yes tls_preempt_cipherlist = yes
# Disable ciphers which are less than 256-bit:
# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory
# TLS encryption. The default grade ("medium") is sufficiently strong that any benefit
# from globally restricting TLS sessions to a more stringent grade is likely negligible,
# especially given the fact that many implementations still do not offer any stronger
# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers.
# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export"
# or "low" ciphers is typically not a good idea, as systems limited to just these are
# limited to obsolete browsers. No known SMTP clients fail to support at least one
# "medium" or "high" grade cipher.
# #
#smtpd_tls_mandatory_ciphers = high # default: medium
#
#smtpd_tls_mandatory_ciphers = medium
# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic
# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the
# base definition of the selected cipher grade.
#
# default: medium
# #
# opportunistic
smtpd_tls_ciphers = high smtpd_tls_ciphers = high
# Exclude ciphers # List of ciphers or cipher types to exclude from the SMTP server cipher list at all
# TLS security levels.
#
# DO NOT exclude ciphers unless it is essential to do so. This is not an OpenSSL cipherlist;
# it is a simple list separated by whitespace and/or commas. The elements are a single cipher,
# or one or more "+" separated cipher properties, in which case only ciphers matching all the
# properties are excluded.
#
#smtpd_tls_exclude_ciphers = #smtpd_tls_exclude_ciphers =
# RC4
# aNULL # Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher
# SEED-SHA # list at mandatory TLS security levels. This list works in addition to the exclusions listed
# EXP # with smtp_tls_exclude_ciphers
# MD5 #
smtpd_tls_exclude_ciphers = #smtp_tls_mandatory_exclude_ciphers =
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CDC3-SHA
KRB5-DE5
CBC3-SHA
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache

148
install_postfix_base.sh
View File

@ -905,63 +905,107 @@ smtp_tls_CAfile = $_TLS_CA_FILE
#smtpd_tls_CApath = /etc/postfix/certs #smtpd_tls_CApath = /etc/postfix/certs
# Disable SSLv2 SSLv3 - Postfix SMTP server # Disable SSLv2 SSLv3 - Postfix SMTP server
#
# List of TLS protocols that the Postfix SMTP server will exclude or
# include with opportunistic TLS encryption.
smtpd_tls_protocols = !SSLv2, !SSLv3
#
# The SSL/TLS protocols accepted by the Postfix SMTP server
# with mandatory TLS encryption.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Disable SSLv2 SSLv3 - Postfix SMTP client
#
# List of TLS protocols that the Postfix SMTP client will exclude or
# include with opportunistic TLS encryption.
smtp_tls_protocols = !SSLv2, !SSLv3
#
# List of SSL/TLS protocols that the Postfix SMTP client will use
# with mandatory TLS encryption
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange
## - openssl > 1.0
## -
smtpd_tls_eecdh_grade = strong
# standard list cryptographic algorithm
tls_preempt_cipherlist = yes
# Disable ciphers which are less than 256-bit:
# #
#smtpd_tls_mandatory_ciphers = high # List of TLS protocols that the Postfix SMTP server will exclude or
# include with opportunistic TLS encryption.
#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
# TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption.
# #
# opportunistic #smtpd_tls_protocols = >=TLSv1
smtpd_tls_ciphers = high
# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption.
#
#smtpd_tls_mandatory_protocols = >=TLSv1
# TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption.
#
#smtp_tls_protocols = >=TLSv1
# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption.
#
smtp_tls_mandatory_protocols = >=TLSv1.2
# Exclude ciphers # The Postfix SMTP server security grade for ephemeral elliptic-curve
# Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this
# parameter is always ignored, and Postfix behaves as though the auto value
# (described below) was chosen.
#
# auto
# Use the most preferred curve that is supported by both the client and the server.
# This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This
# is the default setting under the above conditions (and the only setting used with
# Postfix ≥ 3.6).
#
# none
# Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the
# default in Postfix versions 2.6 and 2.7.
#
# strong
# Use EECDH with approximately 128 bits of security at a reasonable computational cost.
# This is the default in Postfix versions 2.8-3.5.
#
# ultra
# Use EECDH with approximately 192 bits of security at computational cost that is
# approximately twice as high as 128 bit strength ECC.
#
smtpd_tls_eecdh_grade = auto
# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead
# of the remote client's cipher preference order.
#
# By default, the OpenSSL server selects the client's most preferred cipher that the
# server supports. With SSLv3 and later, the server may choose its own most preferred
# cipher that is supported (offered) by the client.
#
# Setting "tls_preempt_cipherlist = yes" enables server cipher preferences.
#
# default: no
#
#tls_preempt_cipherlist = no
# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory
# TLS encryption. The default grade ("medium") is sufficiently strong that any benefit
# from globally restricting TLS sessions to a more stringent grade is likely negligible,
# especially given the fact that many implementations still do not offer any stronger
# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers.
# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export"
# or "low" ciphers is typically not a good idea, as systems limited to just these are
# limited to obsolete browsers. No known SMTP clients fail to support at least one
# "medium" or "high" grade cipher.
#
# default: medium
#
#smtpd_tls_mandatory_ciphers = medium
# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic
# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the
# base definition of the selected cipher grade.
#
# default: medium
#
#smtpd_tls_ciphers = medium
# List of ciphers or cipher types to exclude from the SMTP server cipher list at all
# TLS security levels.
#
# DO NOT exclude ciphers unless it is essential to do so. This is not an OpenSSL cipherlist;
# it is a simple list separated by whitespace and/or commas. The elements are a single cipher,
# or one or more "+" separated cipher properties, in which case only ciphers matching all the
# properties are excluded.
#
#smtpd_tls_exclude_ciphers = #smtpd_tls_exclude_ciphers =
# RC4
# aNULL # Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher
# SEED-SHA # list at mandatory TLS security levels. This list works in addition to the exclusions listed
# EXP # with smtp_tls_exclude_ciphers
# MD5 #
smtpd_tls_exclude_ciphers = #smtp_tls_mandatory_exclude_ciphers =
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CDC3-SHA
KRB5-DE5, CBC3-SHA
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache