install/mailsystem
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of git.oopen.de:install/mailsystem

Browse Source
This commit is contained in:
Christoph
2026-02-11 21:17:33 +01:00
parent 9708c595c4 9c52e54182
commit c6909c937d
4 changed files with 178 additions and 93 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
install_amavis.sh
View File

@@ -2257,6 +2257,45 @@ if ! $installation_failed ; then
fi fi
fi fi
# Create /etc/spamassassin/99_nullsender.cf
#
# Spamassassin Regeln für Nullsender (Return-Path: <>)
#
# Problem:
# echte DSNs haben ebenfalls Return-Path: <>
#
# Aber:
# Echte DSNs sind i.d.R. multipart/report (delivery-status)
#
echononl " Create file \"/etc/spamassassin/99_nullsender.cf\".."
cat <<'EOF' > /etc/spamassassin/99_nullsender.cf 2> $tmp_err_msg
########################################################################
# Null-sender (Return-Path: <>) Behandlung
# Ziel: Fake-Bounces markieren, echte DSNs nicht treffen
########################################################################
# 1) Null-Envelope-From erkannt
header LOCAL_NULL_SENDER Return-Path =~ /^<>$/i
describe LOCAL_NULL_SENDER Null envelope-from (Return-Path <>)
score LOCAL_NULL_SENDER 0.1
# 2) Echte DSNs sind i.d.R. multipart/report (delivery-status)
header LOCAL_DSN_MULTIPART Content-Type =~ /^multipart\/report\b/i
describe LOCAL_DSN_MULTIPART Looks like a real DSN (multipart/report)
score LOCAL_DSN_MULTIPART -3.0
# 3) Fake-Bounce: Null-sender, aber NICHT multipart/report
meta LOCAL_NULL_NOT_DSN LOCAL_NULL_SENDER && !LOCAL_DSN_MULTIPART
describe LOCAL_NULL_NOT_DSN Null-sender but not a DSN (likely fake bounce spam)
score LOCAL_NULL_NOT_DSN 6.0
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
# - Enable nightly cronjob for spamassassin # - Enable nightly cronjob for spamassassin
# - # -
@@ -3260,6 +3299,18 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
if [[ "$?" -ne 0 ]] ; then if [[ "$?" -ne 0 ]] ; then
installation_failed=true installation_failed=true
error "$(cat $tmp_err_msg)" error "$(cat $tmp_err_msg)"
warn "command was:
git clone https://github.com/extremeshok/clamav-unofficial-sigs.git /tmp/clamav-unofficial-sigs"
echononl "continue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
fi fi
if ! $installation_failed ; then if ! $installation_failed ; then
echo_ok echo_ok
@@ -4957,6 +5008,7 @@ fi
## - localhost:10025 inet n - y - - smtpd ## - localhost:10025 inet n - y - - smtpd
## - -o content_filter= ## - -o content_filter=
## - -o smtpd_proxy_filter= ## - -o smtpd_proxy_filter=
## - -o smtpd_milters=
## - -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128 ## - -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
## - -o smtpd_client_restrictions= ## - -o smtpd_client_restrictions=
## - -o smtpd_helo_restrictions= ## - -o smtpd_helo_restrictions=
@@ -5031,6 +5083,8 @@ EOF
localhost:10025 inet n - y - - smtpd localhost:10025 inet n - y - - smtpd
-o content_filter= -o content_filter=
-o smtpd_proxy_filter= -o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128 -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions= -o smtpd_client_restrictions=
-o smtpd_helo_restrictions= -o smtpd_helo_restrictions=
@@ -5093,6 +5147,8 @@ EOF
localhost:10025 inet n - y - - smtpd localhost:10025 inet n - y - - smtpd
-o content_filter= -o content_filter=
-o smtpd_proxy_filter= -o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128 -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions= -o smtpd_client_restrictions=
-o smtpd_helo_restrictions= -o smtpd_helo_restrictions=
@@ -5145,6 +5201,8 @@ EOF
localhost:10025 inet n - y - - smtpd localhost:10025 inet n - y - - smtpd
-o content_filter= -o content_filter=
-o smtpd_proxy_filter= -o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128 -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions= -o smtpd_client_restrictions=
-o smtpd_helo_restrictions= -o smtpd_helo_restrictions=
@@ -5181,6 +5239,8 @@ EOF
localhost:10025 inet n - y - - smtpd localhost:10025 inet n - y - - smtpd
-o content_filter= -o content_filter=
-o smtpd_proxy_filter= -o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128 -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions= -o smtpd_client_restrictions=
-o smtpd_helo_restrictions= -o smtpd_helo_restrictions=

126
install_opendmarc.sh
View File

@@ -881,26 +881,26 @@ else
error "$(cat $log_file)" error "$(cat $log_file)"
fi fi
echononl " Set Variable non_smtpd_milters at '/etc/postfix/main.cf'.." #echononl " Set Variable non_smtpd_milters at '/etc/postfix/main.cf'.."
if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then #if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then
if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then # if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then
echo_skipped # echo_skipped
else # else
perl -i -n -p -e "s&^\s*(non_smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \ # perl -i -n -p -e "s&^\s*(non_smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \
/etc/postfix/main.cf > $log_file 2>&1 # /etc/postfix/main.cf > $log_file 2>&1
if [[ $? -eq 0 ]] ; then # if [[ $? -eq 0 ]] ; then
echo_ok # echo_ok
postfix_needs_restart=true # postfix_needs_restart=true
else # else
echo_failed # echo_failed
error "$(cat $log_file)" # error "$(cat $log_file)"
fi # fi
fi # fi
else #else
#
echo_skipped # echo_skipped
warn "non_smtpd_milters is not adjusted. Complete Postfix configuration (main.cf) manually\!" # warn "non_smtpd_milters is not adjusted. Complete Postfix configuration (main.cf) manually\!"
fi #fi
echononl " Set Variable smtpd_milters at '/etc/postfix/main.cf'.." echononl " Set Variable smtpd_milters at '/etc/postfix/main.cf'.."
@@ -975,53 +975,53 @@ EOF
fi fi
if grep -q -E "^\s*#?\s*non_smtpd_milters\s*=" ${main_cf_file} ; then #if grep -q -E "^\s*#?\s*non_smtpd_milters\s*=" ${main_cf_file} ; then
ensure_dmarc_var "non_smtpd_milters" > "${tmp_main_cf_file}"
cp "${tmp_main_cf_file}" "${main_cf_file}"
else
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
# Was sind non_smtpd_milters?
# #
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT # ensure_dmarc_var "non_smtpd_milters" > "${tmp_main_cf_file}"
# der smtpd-Daemon sind. # cp "${tmp_main_cf_file}" "${main_cf_file}"
# #
# Das betrifft z. B.: #else
# #
# cleanup Header/Content-Bereinigung # cat <<EOF >> /etc/postfix/main.cf 2> $log_file
# qmgr Queue-Manager
# lmtp / smtp Auslieferung nach extern
# local lokale Zustellung
# #
# Das sind z. B.: ## Was sind non_smtpd_milters?
# ##
# - interne Bounces (MAILER-DAEMON) ## non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
# ## der smtpd-Daemon sind.
# - Cron-Mails vom Server ##
# ## Das betrifft z. B.:
# - Weiterleitungen, die Postfix selbst generiert ##
# ## cleanup Header/Content-Bereinigung
# - Mails, die über sendmail CLI gesendet werden ## qmgr Queue-Manager
# ## lmtp / smtp Auslieferung nach extern
# - Mails, die Amavis über LMTP zurückgibt ## local lokale Zustellung
# ##
# - etc. ## Das sind z. B.:
# ##
# ## - interne Bounces (MAILER-DAEMON)
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden. ##
non_smtpd_milters = $opendmarc_socket_string ## - Cron-Mails vom Server
EOF ##
fi ## - Weiterleitungen, die Postfix selbst generiert
postfix_needs_restart=true ##
if [[ $? -eq 0 ]] ; then ## - Mails, die über sendmail CLI gesendet werden
echo_ok ##
else ## - Mails, die Amavis über LMTP zurückgibt
echo_failed ##
error "$(cat $log_file)" ## - etc.
fi ##
##
## DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
#non_smtpd_milters = $opendmarc_socket_string
#EOF
#fi
#postfix_needs_restart=true
#if [[ $? -eq 0 ]] ; then
# echo_ok
#else
# echo_failed
# error "$(cat $log_file)"
#fi
echo "" echo ""

73
install_postfix_advanced.sh
View File

@@ -3058,20 +3058,18 @@ EOF
# #
EOF EOF
if [[ -n "$(which opendkim)" ]] && [[ -n "$(which opendmarc)" ]] ; then if [[ -n "$(which opendkim)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = local:/opendkim/opendkim.sock,local:/opendmarc/opendmarc.sock non_smtpd_milters = local:/opendkim/opendkim.sock
EOF
elif [[ -n "$(which opendkim)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = local:/opendkim/opendkim.sock
EOF EOF
else else
cat <<EOF >> /etc/postfix/main.cf cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = local:/opendmarc/opendmarc.sock non_smtpd_milters =
EOF EOF
fi fi
else else
cat <<EOF >> /etc/postfix/main.cf cat <<EOF >> /etc/postfix/main.cf
@@ -3616,41 +3614,58 @@ fi
_file="/etc/postfix/header_checks.pcre" _file="/etc/postfix/header_checks.pcre"
echononl " Create file '$_file' used for header replacing" echononl " Create file '$_file' used for header replacing"
if [[ ! -f "$_file" ]]; then if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file" cat << 'EOF' > "$_file"
# --- # ---
# - Replace headers # - Header Checks - /etc/postfix/header_checks
# --- # ---
#
# Ziel: offensichtlich kaputte RFC-Header ablehnen (wenig False Positives)
# - Replace recieved from ########################################
#/^Received: from (.* \\([-._[:alnum:]]+ \\[[.[:digit:]]{7,15}\\]\\)).*?([[:space:]]+).*\\(Authenticated sender: ([^)]+)\\)(.*)/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])\$2(Authenticated sender: \$3)\$4 # A) Kaputter From:-Header
########################################
# 1) From: ist leer
/^From:\s*$/ REJECT Invalid From header (empty) - Spamschutzregel FROM-1001
# 2) Mehr als ein '@' im From:-Header -> syntaktisch kaputt
/^From:.*@.*@/ REJECT Invalid From header (multiple @) - Spamschutzregel FROM-1002
# --- # 3) Mehrere Mailboxen durch Komma getrennt (wie: Die@..., Lions@..., ...)
# - Ignore Headers # (Legitime Fälle nutzen i.d.R. Display-Namen/Group-Syntax; dieses Muster ist in Spam sehr häufig)
# --- /^From:\s*[^<>,]+@[^,]+,\s*[^<>,]+@/ REJECT Invalid From header (multiple mailboxes) - Spamschutzregel FROM-1003
#/^\s*User-Agent/ IGNORE # 4) Typische kaputte UTF-8-Fragmente
#/^\s*X-Enigmail/ IGNORE /^From:.*\xC3\xA2/ REJECT Invalid UTF-8 in From header - Spamschutzregel FROM-1004
#/^\s*X-Mailer/ IGNORE
#/^\s*X-Originating-IP/ IGNORE
# --- ########################################
# - Reject / Discard headers # B) Optional: sehr spezifische lokale Blacklist
# --- ########################################
/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001 #/^Reply-To: .+\@inx1and1\..+/ REJECT Possible spam (local pattern)
/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001
/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001 ########################################
# C) Warn
########################################
/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001 # Date-Rejects sind oft zu aggressiv -> wenn nötig: lieber taggen oder loggen statt reject
/^Date: .* 19[0-9][0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1003
########################################
# Bemerkungen
########################################
# (envelope-from <>) nicht pauschal rejecten:
# echte DSNs/Bounces haben legitimerweise MAIL FROM: <>
#/\(envelope-from <>\)/ REJECT Null envelope-from
/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003
/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004
EOF EOF
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok

12
install_postfixadmin.sh
View File

@@ -938,6 +938,16 @@ done
if $_failed ; then if $_failed ; then
echo_failed echo_failed
error "$(cat $log_file)" error "$(cat $log_file)"
echononl "\tcontinue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Script terminated by user input.."
else else
echo_ok echo_ok
fi fi
@@ -2198,7 +2208,7 @@ fi
echo -e "\n\n\t\033[37m\033[1mConfigure Postfix Admin\033[m\n" echo -e "\n\n\t\033[37m\033[1mConfigure Postfix Admin\033[m\n"
if [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]]; then if [[ $MAJOR_VERSION -gt 3 ]] || [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]]; then
pfa_conf_file="${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.local.php" pfa_conf_file="${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.local.php"
cp -a "${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.inc.php" "$pfa_conf_file" cp -a "${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.inc.php" "$pfa_conf_file"
else else