install_postfix_advanced.sh: add support for postfix-policyd-spf-python .

2025-03-02 02:17:25 +01:00 · 2025-03-02 02:17:25 +01:00 · ae2b6540af
commit ae2b6540af
parent 6cc1848e45
1 changed files with 185 additions and 6 deletions
--- a/install_postfix_advanced.sh
+++ b/install_postfix_advanced.sh
@ -984,6 +984,116 @@ EOF
 fi


+# - Install SPF-Policy-Tools
+# -
+echononl "   Install Postfix SPF-Policy-Tools 'postfix-policyd-spf-python'"
+_pkg=postfix-policyd-spf-python
+if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
+   echo_skipped
+else
+   DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $log_file
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+fi
+
+
+# - Backup existing configuration file for policyd-spf daemon
+# -
+_file="/etc/postfix-policyd-spf-python/policyd-spf.conf"
+echononl "   Backup configuration file '${_file}'."
+if [[ -f "${_file}" ]]; then
+   cp -a "${_file}" "${_file}.${backup_date}" > /dev/null 2> $log_file
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+echononl "   Creeate new configuration '${_file}'.."
+cat <<EOF > "${_file}"
+#  For a fully commented sample config file see policyd-spf.conf.commented
+
+#  Reject and deferred reason
+Reason_Message = Message {rejectdefer} due to: {spf}.
+
+#  Amount of debugging information logged.  0 logs no debugging messages
+#  5 includes all debug messages.
+debugLevel = 1
+
+#  HELO check rejection policy. Options are:
+#  HELO_reject = SPF_Not_Pass (default) - Reject if result not Pass/None/Tempfail.
+#  HELO_reject = Softfail - Reject if result Softfail and Fail
+#  HELO_reject = Fail - Reject on HELO Fail
+#  HELO_reject = Null - Only reject HELO Fail for Null sender (SPF Classic)
+#  HELO_reject = False - Never reject/defer on HELO, append header only.
+#  HELO_reject = No_Check - Never check HELO.
+HELO_reject = SPF_Not_Pass
+
+#  Mail From rejection policy.  Options are:
+#  Mail_From_reject = SPF_Not_Pass - Reject if result not Pass/None/Tempfail.
+#  Mail_From_reject = Softfail - Reject if result Softfail and Fail
+#  Mail_From_reject = Fail - Reject on Mail From Fail (default)
+#  Mail_From_reject = False - Never reject/defer on Mail From, append header only
+#  Mail_From_reject = No_Check - Never check Mail From/Return Path.
+#
+# Dieser Parameter steuert, wie der SPF-Check auf Fehler bei der Überprüfung der
+# MAIL FROM-Adresse reagiert. Ein Fehler tritt auf, wenn die IP-Adresse des sendenden
+# Servers nicht den SPF-Einträgen der Domain in der MAIL FROM-Adresse entspricht.
+#
+Mail_From_reject = Fail
+
+#  Policy for rejecting due to SPF PermError.  Options are:
+#  PermError_reject = True
+#  PermError_reject = False
+#
+# Wirkung: Dieser Parameter bestimmt, wie der SPF-Check auf permanente Fehler (PermError)
+# reagiert. Ein permanenter Fehler tritt auf, wenn die SPF-DNS-Einträge ungültig oder
+# fehlerhaft sind (z. B. syntaktische Fehler oder ungültige Mechanismen).
+#
+# Wenn PermError_reject auf True gesetzt ist, wird die E-Mail abgewiesen (rejected),
+#
+PermError_reject = True
+
+#  Policy for deferring messages due to SPF TempError.  Options are:
+#  TempError_Defer = True
+#  TempError_Defer = False
+#
+# Wirkung: Dieser Parameter bestimmt das Verhalten bei temporären SPF-Fehlern (TempError).
+# Ein temporärer Fehler tritt auf, wenn der SPF-Check aufgrund von vorübergehenden
+# Problemen (z. B. DNS-Auflösungsfehler oder Netzwerkprobleme) nicht durchgeführt werden kann.
+#
+# Wenn TempError_Defer auf True gesetzt ist, wird die E-Mail vorübergehend zurückgewiesen
+# (deferred), und der empfangende Server versucht später erneut, die E-Mail zuzustelle
+#
+TempError_Defer = Defer
+
+# Type of header to insert to document SPF result. Can be Received-SPF (SPF)
+# or Authentication Results (AR). It cannot be both.
+# Examples: (default is Received-SPF):
+# Header_Type = AR
+# Header_Type = SPF
+Header_Type = SPF
+
+#  Do not check SPF for localhost addresses - add to skip addresses to
+#  skip SPF for internal networks if desired. Defaults are standard IPv4 and
+#  IPv6 localhost addresses.
+skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
+EOF
+if [[ $? -eq 0 ]] ; then
+   echo_ok
+else
+   echo_failed
+fi
+
+
 ## - Install Postfix Firewall Daemon from debian packages system
 ## -
 echononl "   Install Postfix Firewall Daemon from debian packages system"
@ -2498,6 +2608,20 @@ else
 EOF
 fi

+if [[ -n "$(which policyd-spf)" ]]  ; then
+   cat <<EOF >> /etc/postfix/main.cf
+
+# The time limit for delivery to '/usr/bin/policyd-spf'
+#
+# An entry in '/etc/postfix/master.cf' is needed:
+#
+#  policyd-spf  unix  -       n       n       -       0       spawn
+#     user=policyd-spf argv=/usr/bin/policyd-spf
+#
+policyd-spf_time_limit = 3600
+EOF
+fi
+
 cat <<EOF >> /etc/postfix/main.cf


@ -2688,6 +2812,17 @@ smtpd_recipient_restrictions =
 # managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
 # for more details
   reject_unverified_recipient,
+EOF
+
+if [[ -n "$(which policyd-spf)" ]]  ; then
+   cat <<EOF >> /etc/postfix/main.cf   
+# Check Postfix policy service ..
+#
+   check_policy_service unix:private/policy-spf
+EOF
+fi
+
+cat <<EOF >> /etc/postfix/main.cf
 # Policyd-Weight
   #check_policy_service inet:127.0.0.1:12525,
 # permit Backup MX
@ -2747,14 +2882,28 @@ smtpd_data_restrictions =
 #
   reject_unauth_pipelining

+
+## ---
+## - smtpd END OF ATA Restrictions
+## ---
+
 smtpd_end_of_data_restrictions =
+EOF
+
+if [[ -n "$(which postfwd)" ]]  ; then
+   cat <<EOF >> /etc/postfix/main.cf
 # Check Postfix Firewall Daemon
 #
   check_policy_service inet:127.0.0.1:10040

 EOF
+else
+   cat <<EOF >> /etc/postfix/main.cf

-if [[ -n "$(which opendkim)" ]]  ; then
+EOF
+fi
+
+if [[ -n "$(which opendkim)" ]]  || [[ -n "$(which opendmarc)" ]] ; then
   cat <<EOF >> /etc/postfix/main.cf

 # ======= Milter configuration =======
@ -2775,12 +2924,25 @@ milter_protocol = 6
 #    'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
 #    localhost:10025 section in master.cf: 'smtpd_milters='
 #
-#smtpd_milters = local:/opendkim/opendkim.sock
 smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
 smtpd_milters =
+EOF
+fi
+if [[ -n "$(which opendkim)" ]] ; then
+   if [[ -n "$(which opendmarc)" ]] ; then
+      cat <<EOF >> /etc/postfix/main.cf
+non_smtpd_milters = local:/opendkim/opendkim.sock,local:/opendmarc/opendmarc.sock
+EOF
+   else
+      cat <<EOF >> /etc/postfix/main.cf
 non_smtpd_milters = local:/opendkim/opendkim.sock
 EOF
   fi
+elif [[ -n "$(which opendmarc)" ]] ; then
+   cat <<EOF >> /etc/postfix/main.cf
+non_smtpd_milters = local:/opendmarc/opendmarc.sock
+EOF
+fi


 echo_ok
@ -3568,6 +3730,12 @@ else
 	smtps_present=false
 fi

+if grep -iq -E "^policyd-spf\s+" $postfix_master_cf > /dev/null 2>&1 ; then
+	policyd_spf_present=true
+else
+	policyd_spf_present=false
+fi
+
 _found=false
 echononl "   Create new file \"${postfix_master_cf}\""
 if [[ -f "${postfix_master_cf}.$backup_date" ]]; then
@ -3649,6 +3817,17 @@ EOF

 	done < "${postfix_master_cf}.$backup_date"

+   # - Add support for policyd-spf service
+   # -
+   if ! $(grep -iq -E "^policyd-spf\s+" "$postfix_master_cf" 2> /dev/null) ; then
+      cat <<EOF >> $postfix_master_cf
+
+policyd-spf  unix  -       n       n       -       0       spawn
+   user=policyd-spf argv=/usr/bin/policyd-spf
+EOF
+   fi
+
+
   # - Add transport definitions for only sending over IPv4/IPv6
   # -
   if ! $(grep -iq -E "^smtp-ipv4-only\s+" "$postfix_master_cf" 2> /dev/null) ; then