From 6356876ab6278b7b33f8a43ab4af8040d1a18627 Mon Sep 17 00:00:00 2001 From: Christoph Kuchenbuch Date: Sun, 15 Feb 2026 14:37:19 +0100 Subject: [PATCH] Change some settings, if Server is a listserver. --- install_opendkim.sh | 7 ++- install_opendmarc.sh | 11 ++++- install_postfix_advanced.sh | 92 ++++++++++++++++++++++++++++--------- 3 files changed, 84 insertions(+), 26 deletions(-) diff --git a/install_opendkim.sh b/install_opendkim.sh index ec6eaba..0e4e603 100755 --- a/install_opendkim.sh +++ b/install_opendkim.sh @@ -726,8 +726,11 @@ fi if grep -q -E "^\s*#?\s*non_smtpd_milters\s*=" ${main_cf_file} ; then - ensure_dkim_var "non_smtpd_milters" > "${tmp_main_cf_file}" - cp "${tmp_main_cf_file}" "${main_cf_file}" + # In case of sympa, DKIM signatures will be added by sympa list manager + if ! which sympa ; then + ensure_dkim_var "non_smtpd_milters" > "${tmp_main_cf_file}" + cp "${tmp_main_cf_file}" "${main_cf_file}" + fi else diff --git a/install_opendmarc.sh b/install_opendmarc.sh index 06eb347..b59bc45 100755 --- a/install_opendmarc.sh +++ b/install_opendmarc.sh @@ -26,8 +26,15 @@ opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock" config_file_name_value_parameters=" AuthservID|HOSTNAME TrustedAuthservIDs|HOSTNAME - PidFile|/run/opendmarc/opendmarc.pid - RejectFailures|true + PidFile|/run/opendmarc/opendmarc.pid" +if which sympa ; then + config_file_name_value_parameters="$config_file_name_value_parameters + RejectFailures|false" +else + config_file_name_value_parameters="$config_file_name_value_parameters + RejectFailures|true" +fi +config_file_name_value_parameters="$config_file_name_value_parameters Syslog|true SyslogFacility|mail IgnoreHosts|${opendmarc_base_dir}/ignore.hosts diff --git a/install_postfix_advanced.sh b/install_postfix_advanced.sh index b716dd8..f88abe5 100755 --- a/install_postfix_advanced.sh +++ b/install_postfix_advanced.sh 
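Review bot: The new `if ! which sympa ; then` guard in install_opendkim.sh decides on a PATH lookup, while install_postfix_advanced.sh in this same patch decides on `${IS_SYMPA_LIST_SERVER}`, so the two scripts can disagree about whether the host is a list server. `which` also prints the resolved path on a hit, which lands in the installer output; `if ! command -v sympa >/dev/null 2>&1 ; then` avoids that. The same test is used in the install_opendmarc.sh hunk. When the branch is skipped, the existing `non_smtpd_milters` line is left exactly as found, so the outcome depends on what main.cf already contained, and a short comment saying so would help. The enclosing if/else continues outside the hunk.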
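Review bot: `RejectFailures|false` is selected purely because a `sympa` binary is found, and from then on OpenDMARC only records the result and no longer rejects mail that fails the sender's DMARC policy. On a list server such mail can be accepted as a posting and redistributed, so enforcement has to happen somewhere downstream, and the patch does not show where. I would add a comment above the branch, e.g. `# Sympa host: DMARC failures are only recorded in Authentication-Results; enforcement must happen in Sympa or the content filter`. Consider making this an explicit installer option rather than a side effect of the binary being present.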
@@ -466,7 +466,7 @@ if ! ${IS_RELAY_HOST} ; then fi if [[ "${INPUT,,}" == "yes" || "${INPUT,,}" == "true" ]]; then INSTALL_DMARC_REPORT_SUPPORT=true - fi + fi fi @@ -1071,7 +1071,17 @@ debugLevel = 1 # HELO_reject = Null - Only reject HELO Fail for Null sender (SPF Classic) # HELO_reject = False - Never reject/defer on HELO, append header only. # HELO_reject = No_Check - Never check HELO. +EOF +if ${IS_SYMPA_LIST_SERVER} ; then + cat <> "${_file}" +HELO_reject = False +EOF +else + cat <> "${_file}" HELO_reject = SPF_Not_Pass +EOF + +cat <> "${_file}" # Mail From rejection policy. Options are: # Mail_From_reject = SPF_Not_Pass - Reject if result not Pass/None/Tempfail. @@ -1084,7 +1094,18 @@ HELO_reject = SPF_Not_Pass # MAIL FROM-Adresse reagiert. Ein Fehler tritt auf, wenn die IP-Adresse des sendenden # Servers nicht den SPF-Einträgen der Domain in der MAIL FROM-Adresse entspricht. # +EOF +if ${IS_SYMPA_LIST_SERVER} ; then + cat <> "${_file}" +Mail_From_reject = False +EOF +else + cat <> "${_file}" Mail_From_reject = Fail +EOF +fi + +cat <> "${_file}" # Policy for rejecting due to SPF PermError. Options are: # PermError_reject = True @@ -1096,7 +1117,18 @@ Mail_From_reject = Fail # # Wenn PermError_reject auf True gesetzt ist, wird die E-Mail abgewiesen (rejected), # +EOF +if ${IS_SYMPA_LIST_SERVER} ; then + cat <> "${_file}" +PermError_reject = False +EOF +else + cat <> "${_file}" PermError_reject = True +EOF +fi + +cat <> "${_file}" # Policy for deferring messages due to SPF TempError. Options are: # TempError_Defer = True @@ -1109,7 +1141,7 @@ PermError_reject = True # Wenn TempError_Defer auf True gesetzt ist, wird die E-Mail vorübergehend zurückgewiesen # (deferred), und der empfangende Server versucht später erneut, die E-Mail zuzustelle # -TempError_Defer = Defer +TempError_Defer = True # Type of header to insert to document SPF result. Can be Received-SPF (SPF) # or Authentication Results (AR). It cannot be both. 
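Review bot: The `if ${IS_SYMPA_LIST_SERVER} ; then … else …` block added around `HELO_reject` is never closed: after the `EOF` that ends the `else` here-document the hunk goes straight to the next `cat`, whereas the matching blocks for `Mail_From_reject` and `PermError_reject` both end with `fi`. The counts in the hunk header (7 old, 17 new lines) are consistent with the ten added lines shown, so the `fi` appears to be missing from the commit itself. Bash would then treat everything that follows as part of the `else` branch and, unless a stray `fi` exists later, stop with a syntax error at end of file after the earlier parts of the installer have already run. Add `fi` after the `EOF` that follows `HELO_reject = SPF_Not_Pass`.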
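Review bot: `if ${IS_SYMPA_LIST_SERVER} ; then` in the `Mail_From_reject` hunk runs the variable's value as a command, and an unset or empty value expands to nothing, which the shell treats as success, so the relaxed branch (`Mail_From_reject = False`) is what gets written if the variable was never initialised. Its assignment is not visible in this patch, so this may already be guaranteed elsewhere. Because the Sympa branch is the weaker policy, an explicit comparison fails closed: `if [[ "${IS_SYMPA_LIST_SERVER:-false}" == "true" ]] ; then`. The same test appears in the `HELO_reject`, `PermError_reject`, `content_filter` and `non_smtpd_milters` hunks.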
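Review bot: The Sympa here-documents write `HELO_reject`, `Mail_From_reject` and `PermError_reject` as `False` without any explanation in the generated file, while the surrounding generated comments still describe rejection. policyd-spf on a list server then no longer rejects on any of these results. A one-line comment in each Sympa here-document would make the intent visible, e.g. `# Sympa list server: SPF result is recorded in the header only, nothing is rejected at SMTP time`. It would also help to name the component that is expected to act on that header.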
@@ -2427,8 +2459,8 @@ virtual_alias_domains = #======= Postfix DSN Support ============ -# -# Use the smtpd_discard_ehlo_keyword_address_maps feature if you wish to allow DSN +# +# Use the smtpd_discard_ehlo_keyword_address_maps feature if you wish to allow DSN # requests from trusted clients but not from random strangers # # smtpd_discard_ehlo_keyword_address_maps = @@ -2443,15 +2475,15 @@ virtual_alias_domains = #smtpd_discard_ehlo_keyword_address_maps = -# If you want to disallow all use of DSN requests from the network, use the +# If you want to disallow all use of DSN requests from the network, use the # smtpd_discard_ehlo_keywords feature: # # /etc/postfix/main.cf: # smtpd_discard_ehlo_keywords = silent-discard, dsn # -# # -# A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that +# +# A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that # the Postfix SMTP server will not send in the EHLO response to a remote SMTP client. # # @@ -2876,6 +2908,16 @@ smtpd_recipient_restrictions = # \$relay_recipient_maps, and \$relay_recipient_maps is not null. # reject_unlisted_recipient, +EOF + +if [[ -n "$(which policyd-spf)" ]] ; then + cat <> /etc/postfix/main.cf +# Check Postfix policy service .. +# + check_policy_service unix:private/policy-spf +EOF +fi +cat <> /etc/postfix/main.cf # reject_unauth_destination # # Reject the request unless one of the following is true: @@ -2898,17 +2940,7 @@ smtpd_recipient_restrictions = # managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html # for more details reject_unverified_recipient, -EOF -if [[ -n "$(which policyd-spf)" ]] ; then - cat <> /etc/postfix/main.cf -# Check Postfix policy service .. -# - check_policy_service unix:private/policy-spf -EOF -fi - -cat <> /etc/postfix/main.cf # Policyd-Weight #check_policy_service inet:127.0.0.1:12525, # --------------------------------------------------------------------------------- 
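Review bot: After this move `check_policy_service unix:private/policy-spf` is written between `reject_unlisted_recipient,` and the `reject_unauth_destination` entry, so, as far as the hunk shows, the policy service is consulted before the relay check. The policyd-spf documentation asks for the opposite order, because an unexpected permit-style answer from the policy service ends the restriction list before `reject_unauth_destination` is reached, and the host could then relay for third parties. Unless relay control is already enforced earlier (for example in `smtpd_relay_restrictions`, which is not visible here), keep the block after `reject_unauth_destination,`. The restriction list starts before and continues after the hunk.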
@@ -2999,6 +3031,16 @@ else EOF fi +if ${IS_SYMPA_LIST_SERVER} ; then + + cat <> /etc/postfix/main.cf + +# Default: alles was nicht explizit überschrieben wird (pickup/local/sympa/cron/...) +content_filter = amavisfeed:[127.0.0.1]:10029 + +EOF +fi + if [[ -n "$(which opendkim)" ]] || [[ -n "$(which opendmarc)" ]] ; then cat <> /etc/postfix/main.cf @@ -3040,7 +3082,7 @@ EOF # Was sind non_smtpd_milters? # -# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT +# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT # der smtpd-Daemon sind. # # Das betrifft z. B.: @@ -3068,7 +3110,13 @@ EOF # EOF - if [[ -n "$(which opendkim)" ]] ; then + if ${IS_SYMPA_LIST_SERVER} ; then + + cat <> /etc/postfix/main.cf +# DKIM signing takes place in the Sympa list manager. +non_smtpd_milters = +EOF + elif [[ -n "$(which opendkim)" ]] ; then cat <> /etc/postfix/main.cf non_smtpd_milters = local:/opendkim/opendkim.sock EOF @@ -3940,10 +3988,10 @@ if ${INSTALL_DMARC_REPORT_SUPPORT} ; then cat <> /etc/postfix/transport 2> $log_file # - Take care your master.cf file ($postfix_master_cf) contains: -# - +# - # - dmarc-pipe unix - n n - - pipe # - flags=Rq user=vmail argv=/usr/local/bin/dmarc-collect.sh -# - +# - dmarc-reports@oopen.de dmarc-pipe: EOF @@ -4032,7 +4080,7 @@ EOF _failed=true fi - + if ${_failed} ; then echo_failed error "$(cat $log_file)"
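Review bot: `content_filter = amavisfeed:[127.0.0.1]:10029` is appended to main.cf without any check that an `amavisfeed` transport exists in master.cf or that a filter listens on port 10029, unlike the neighbouring blocks that test for `policyd-spf`, `opendkim` or `opendmarc` first. If either is missing, every message not covered by a per-service override would be deferred. The `if`/`else` block that ends just above may already write a `content_filter` line (not visible in the hunk), in which case main.cf would carry two entries. A guard, or at least a comment naming the required master.cf entry, would help. The added comment is also in German while the other comments added by this patch are in English.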
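Review bot: Writing an empty `non_smtpd_milters =` on a Sympa host turns off milter processing for everything that enters through non-SMTP paths, not only for list traffic. The generated comment block just above describes those paths, so locally submitted mail such as cron output or bounces would leave without a DKIM signature unless Sympa's own signing or a later hop covers it, which this patch does not show. Extend the generated comment to say so, e.g. `# Only list mail is signed by Sympa; other locally submitted mail is not DKIM-signed here`.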