install/mailsystem
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

install_postfix_advanced.sh: get rid of trailling blanks.

Browse Source
This commit is contained in:
Christoph
2024-09-28 22:53:45 +02:00
parent 361ccefd9a
commit f6482795c4
1 changed files with 195 additions and 215 deletions
Download Patch File Download Diff File Expand all files Collapse all files

410
install_postfix_advanced.sh
View File

@@ -161,7 +161,7 @@ else
_IS_SYMPA_LIST_SERVER="$_SYMPA_LIST_SERVER"
fi
if [[ -z "$_RELAY_HOST" ]]; then
if [[ -z "$_RELAY_HOST" ]]; then
_IS_RELAY_HOST=$DEFAULT_IS_RELAY_HOST
else
_IS_RELAY_HOST="$_RELAY_HOST"
@@ -272,7 +272,7 @@ else
fi
done
fi
if [ "X$IPV6" = "Xnone" -o "X$IPV6" = "XNone" ]; then
if [ "X$IPV6" = "Xnone" -o "X$IPV6" = "XNone" ]; then
IPV6=disabled
fi
@@ -285,18 +285,18 @@ echo "How will this Mailserver be used?"
echo ""
if [[ -n "$_IS_RELAY_HOST" ]]; then
if $_IS_RELAY_HOST ; then
echo "[1] Complete Mailserver (with mailboxes)"
echo "[1] Complete Mailserver (with mailboxes)"
echo -e "\033[37m\033[1m[2] Mailrelay Host\033[m"
else
echo -e "\033[37m\033[1m[1] complete Mailserver (with mailboxes)\033[m"
echo -e "\033[37m\033[1m[1] complete Mailserver (with mailboxes)\033[m"
echo "[2] Mailrelay Host"
fi
echo ""
echo ""
echononl "Choose a number or press <RETURN> for highlighted value: "
else
echo "[1] Complete Mailserver (with mailboxes)"
echo "[2] Mailrelay Host"
echo ""
echo ""
echononl "Choose a Number: "
fi
while [[ "$IS_RELAY_HOST" != "true" && "$IS_RELAY_HOST" != "false" ]];do
@@ -316,13 +316,13 @@ while [[ "$IS_RELAY_HOST" != "true" && "$IS_RELAY_HOST" != "false" ]];do
fi
;;
*) IS_RELAY_HOST=
echo ""
echo ""
if [[ -n "$_IS_RELAY_HOST" ]]; then
echo -e "\tWrong entry! [ 1 = Complete Mailserver ; 2 = Mailrelay Host] or type <RETURN>"
else
echo -e "\tWrong entry! [ 1 = Complete Mailserver ; 2 = Mailrelay Host]"
echo -e "\tWrong entry! [ 1 = Complete Mailserver ; 2 = Mailrelay Host]"
fi
echo ""
echo ""
echononl "Reentry: "
;;
esac
@@ -409,7 +409,7 @@ echo "Insert e-mail address where messages to local root should be forwarded"
echo ""
echo ""
if [[ -n "$_ADMIN_EMAIL" ]]; then
echononl "Admin e-mail address [$_ADMIN_EMAIL]: "
echononl "Admin e-mail address [$_ADMIN_EMAIL]: "
read ADMIN_EMAIL
if [[ "X${ADMIN_EMAIL}" = "X" ]]; then
ADMIN_EMAIL=$_ADMIN_EMAIL
@@ -491,7 +491,7 @@ else
echo_ok
fi
[[ "$IPV6" = "disabled" ]] && IPV6=""
[[ "$IPV6" = "disabled" ]] && IPV6=""
# - Synchronise package index files with the repository
@@ -580,7 +580,7 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -ne 10 ]] ; then
#
#perl -i -n -p -e "s#^(\s*)(POSTGREY_OPTS=.*)#\#\1\2\nPOSTGREY_OPTS=\"--inet=127.0.0.1:10023 --delay=149 --auto-whitelist-clients=3 --lookup-by-subnet\"#" \
# /etc/default/postgrey > $log_file 2>&1
# postgrey as unix socket
#
perl -i -n -p -e "s#^(\s*)(POSTGREY_OPTS=.*)#\#\1\2\nPOSTGREY_OPTS=\"--unix=/var/spool/postfix/postgrey/postgrey.sock --delay=149 --auto-whitelist-clients=3 --lookup-by-subnet\"#" \
@@ -709,8 +709,8 @@ else
if ! $(grep -iq -E "^\s*tumgreyspf\s+" 2>/dev/null $postfix_master_cf) ; then
cat <<EOF >> $postfix_master_cf 2> $log_file
# This is tumgreyspf, an external policy checker for the postfix mail server.
# It can optionally greylist and/or use spfquery to check SPF records to
# This is tumgreyspf, an external policy checker for the postfix mail server.
# It can optionally greylist and/or use spfquery to check SPF records to
# determine if email should be accepted by your server.
#
tumgreyspf unix - n n - - spawn
@@ -728,10 +728,10 @@ EOF
echononl " Create configuration file for whitelisting: /etc/tumgreyspf/disable.conf"
if [[ ! -f /etc/tumgreyspf/disable.conf ]] ; then
cat <<EOF > "/etc/tumgreyspf/disable.conf" 2> $log_file
SPFSEEDONLY=0
GREYLISTTIME=300
CHECKERS=
OTHERCONFIGS=
SPFSEEDONLY=0
GREYLISTTIME=300
CHECKERS=
OTHERCONFIGS=
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
@@ -1449,10 +1449,10 @@ cat <<EOF > /etc/postfix/main.cf
compatibility_level = 2
# With "smtputf8_enable = yes", Postfix requires that non-ASCII address information
# is encoded in UTF-8 and will reject other encodings such as ISO-8859. It is not
# practical for Postfix to support multiple encodings at the same time. There is no
# problem with RFC 2047 encodings such as "=?ISO-8859-1?Q?text?=", because those use
# only characters from the ASCII characterset.
# is encoded in UTF-8 and will reject other encodings such as ISO-8859. It is not
# practical for Postfix to support multiple encodings at the same time. There is no
# problem with RFC 2047 encodings such as "=?ISO-8859-1?Q?text?=", because those use
# only characters from the ASCII characterset.
#smtputf8_enable = no
EOF
if $IS_SYMPA_LIST_SERVER ; then
@@ -1482,7 +1482,7 @@ append_dot_mydomain = no
readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
## - The Internet protocols Postfix will attempt to use when making
## - The Internet protocols Postfix will attempt to use when making
## - or accepting connections.
## - DEFAULT: ipv4
EOF
@@ -1499,19 +1499,19 @@ inet_interfaces = all
myhostname = $HOSTNAME
mydestination =
mydestination =
$HOSTNAME
localhost
## - The list of "trusted" SMTP clients that have more
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
mynetworks =
# +++++++++++++++++++++++++++++++++++++
# replace 127.0.0.1/8 with 127.0.0.1/32
# +++++++++++++++++++++++++++++++++++++
# So we can use i.e 127.0.0.25 (or any other 127.x.x.x address)
# to bind to hidden tor service on port 25 without having an
# to bind to hidden tor service on port 25 without having an
# open relay
#
# see also: https://github.com/ehloonion/onionmx/blob/master/open-relay.md
@@ -1556,19 +1556,19 @@ inet_interfaces =
myhostname = $HOSTNAME
mydestination =
mydestination =
$HOSTNAME
localhost
## - The list of "trusted" SMTP clients that have more
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
mynetworks =
# +++++++++++++++++++++++++++++++++++++
# replace 127.0.0.1/8 with 127.0.0.1/32
# +++++++++++++++++++++++++++++++++++++
# So we can use i.e 127.0.0.25 (or any other 127.x.x.x address)
# to bind to hidden tor service on port 25 without having an
# to bind to hidden tor service on port 25 without having an
# open relay
#
# see also: https://github.com/ehloonion/onionmx/blob/master/open-relay.md
@@ -1596,18 +1596,18 @@ cat <<EOF >> /etc/postfix/main.cf
## - The method to generate the default value for the mynetworks parameter.
## -
## - mynetworks_style = host" when Postfix should "trust" only the local machine
## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP
## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP
## - clients in the same IP subnetworks as the local machine.
## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same
## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same
## - IP class A/B/C networks as the local machine.
## -
#mynetworks_style = host
## - The maximal size of any local(8) individual mailbox or maildir file,
## - or zero (no limit). In fact, this limits the size of any file that is
## - written to upon local delivery, including files written by external
## - commands that are executed by the local(8) delivery agent.
## - The maximal size of any local(8) individual mailbox or maildir file,
## - or zero (no limit). In fact, this limits the size of any file that is
## - written to upon local delivery, including files written by external
## - commands that are executed by the local(8) delivery agent.
## -
mailbox_size_limit = 0
@@ -1631,17 +1631,17 @@ recipient_delimiter = +
alias_maps =
hash:/etc/aliases
## - The alias databases for local(8) delivery that are updated
## - with "newaliases" or with "sendmail -bi".
## - The alias databases for local(8) delivery that are updated
## - with "newaliases" or with "sendmail -bi".
## -
alias_database =
hash:/etc/aliases
## - Optional address mapping lookup tables for envelope and header sender
## - Optional address mapping lookup tables for envelope and header sender
## - addresses. The table format and lookups are documented in canonical(5).
## -
## - Example: you want to rewrite the SENDER address "user@ugly.domain"
## - to "user@pretty.domain", while still being able to send mail to the
## - Example: you want to rewrite the SENDER address "user@ugly.domain"
## - to "user@pretty.domain", while still being able to send mail to the
## - RECIPIENT address "user@ugly.domain".
## -
## - Note: \$sender_canonical_maps is processed before \$canonical_maps.
@@ -1660,10 +1660,10 @@ smtp_generic_maps =
btree:/etc/postfix/generic
## - Optional lookup tables with mappings from recipient address
## - to (message delivery transport, next-hop destination).
## - See transport(5) for details.
## -
## - Optional lookup tables with mappings from recipient address
## - to (message delivery transport, next-hop destination).
## - See transport(5) for details.
## -
transport_maps =
btree:/etc/postfix/transport
btree:/etc/postfix/relay_domains
@@ -1677,21 +1677,21 @@ fi
cat <<EOF >> /etc/postfix/main.cf
## - The maximal time a message is queued before it is sent back as
## - The maximal time a message is queued before it is sent back as
## - undeliverable. Defaults to 5d (5 days)
## - Specify 0 when mail delivery should be tried only once.
## -
## -
maximal_queue_lifetime = 12h
bounce_queue_lifetime = \$maximal_queue_lifetime
## - delay_warning_time (default: 0h)
## -
## - The time after which the sender receives a copy of the message
## - headers of mail that is still queued. To enable this feature,
## - specify a non-zero time value (an integral value plus an optional
## - one-letter suffix that specifies the time unit).
## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
## - The default time unit is h (hours).
## - The time after which the sender receives a copy of the message
## - headers of mail that is still queued. To enable this feature,
## - specify a non-zero time value (an integral value plus an optional
## - one-letter suffix that specifies the time unit).
## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
## - The default time unit is h (hours).
delay_warning_time = 4h
@@ -1709,9 +1709,9 @@ prepend_delivered_header =
## - proxy_read_maps
## -
## - The lookup tables that the proxymap(8) server is allowed to access for the read-only service.
## -
## - Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Table
## - references that don't begin with proxy: are ignored.
## -
## - Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Table
## - references that don't begin with proxy: are ignored.
## -
#proxy_read_maps = \$local_recipient_maps \$mydestination \$virtual_alias_maps \$virtual_alias_domains \$virtual_mailbox_maps \$virtual_mailbox_domains \$relay_recipient_maps \$relay_domains \$canonical_maps \$sender_canonical_maps \$recipient_canonical_maps \$relocated_maps \$transport_maps \$mynetworks \$sender_bcc_maps \$recipient_bcc_maps \$smtp_generic_maps \$lmtp_generic_maps \$smtpd_sender_login_maps
@@ -1811,23 +1811,10 @@ smtp_host_lookup = dns
#
smtp_dns_support_level = dnssec
## - Aktiviert TLS für den Mailempfang
## -
# By default, TLS is disabled in the Postfix SMTP server, so no difference to plain Postfix
# is visible. Explicitly switch it on using "smtpd_use_tls = yes".
#
# Example:
#
# /etc/postfix/main.cf:
# smtpd_use_tls = yes
#
# With this, Postfix SMTP server announces STARTTLS support to SMTP clients, but does
# not require that clients use TLS encryption.
#
smtpd_use_tls=yes
# The SMTP TLS security level for the Postfix SMTP server; when a non-empty value is
# specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls.
# This parameter is ignored with "smtpd_tls_wrappermode = yes".
@@ -1850,23 +1837,16 @@ smtpd_use_tls=yes
#
smtpd_tls_security_level=may
## - Aktiviert TLS für den Mailversand
## -
# Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support,
# otherwise send the mail in the clear. Beware: some SMTP servers offer STARTTLS even if /
# it is not configured.
# The default SMTP TLS security level for the Postfix SMTP client. When a non-empty value
# is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls,
# and smtp_tls_enforce_peername; when no value is specified for smtp_tls_enforce_peername
# or the obsolete parameters, the default SMTP TLS security level is none.
#
# default: no
#
smtp_use_tls=yes
# The default SMTP TLS security level for the Postfix SMTP client. When a non-empty value
# is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls,
# and smtp_tls_enforce_peername; when no value is specified for smtp_tls_enforce_peername
# or the obsolete parameters, the default SMTP TLS security level is none.
#
# Specify one of the following security levels:
# Specify one of the following security levels:
#
# none
# No TLS. TLS will not be used unless enabled for specific destinations
@@ -1919,11 +1899,11 @@ smtp_use_tls=yes
smtp_tls_security_level=dane
## - 0 Disable logging of TLS activity.
## - 1 Log TLS handshake and certificate information.
## - 2 Log levels during TLS negotiation.
## - 3 Log hexadecimal and ASCII dump of TLS negotiation process.
## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS.
## - 0 Disable logging of TLS activity.
## - 1 Log TLS handshake and certificate information.
## - 2 Log levels during TLS negotiation.
## - 3 Log hexadecimal and ASCII dump of TLS negotiation process.
## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS.
## -
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
@@ -1932,7 +1912,7 @@ smtpd_tls_cert_file = $_TLS_CERT_FILE
smtpd_tls_key_file = $_TLS_KEY_FILE
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl dhparam -out /etc/postfix/ssl/dh_1024.pem -2 1024
## -
@@ -1941,38 +1921,38 @@ smtpd_tls_key_file = $_TLS_KEY_FILE
## -
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl dhparam -out /etc/postfix/ssl/dh_512.pem -2 512
## -
smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
## - File containing CA certificates of root CAs trusted to sign either remote SMTP
## - server certificates or intermediate CA certificates. These are loaded into
## - File containing CA certificates of root CAs trusted to sign either remote SMTP
## - server certificates or intermediate CA certificates. These are loaded into
## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
## -
## -
smtp_tls_CAfile = $_TLS_CA_FILE
## - Directory with PEM format certificate authority certificates that the Postfix SMTP
## - client uses to verify a remote SMTP server certificate. Don't forget to create the
## - Directory with PEM format certificate authority certificates that the Postfix SMTP
## - client uses to verify a remote SMTP server certificate. Don't forget to create the
## - necessary "hash" links with, for example, "
## - /usr/bin/c_rehash /etc/postfix/certs".
## - /usr/bin/c_rehash /etc/postfix/certs".
## -
## - !! Note !!
## - To use this option in chroot mode, this directory (or a copy) must be inside
## - the chroot jail.
## - To use this option in chroot mode, this directory (or a copy) must be inside
## - the chroot jail.
## -
## - Note that a chrooted daemon resolves all filenames relative to the Postfix
## - Note that a chrooted daemon resolves all filenames relative to the Postfix
## - queue directory (/var/spool/postfix)
## -
#smtpd_tls_CApath = /etc/postfix/certs
# TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption.
# If the list is empty, the server supports all available TLS protocol versions.
#
# TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption.
# If the list is empty, the server supports all available TLS protocol versions.
#
# default: see 'postconf -d' output
#
smtpd_tls_protocols = >=TLSv1.1
@@ -1988,45 +1968,45 @@ smtpd_tls_mandatory_protocols = >=TLSv1.1
#
smtp_tls_protocols = >=TLSv1.2
# TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.
#
# TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.
#
# default: see 'postconf -d' output
#
smtp_tls_mandatory_protocols = >=TLSv1.2
# The Postfix SMTP server security grade for ephemeral elliptic-curve
# Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this
# parameter is always ignored, and Postfix behaves as though the auto value
# (described below) was chosen.
# The Postfix SMTP server security grade for ephemeral elliptic-curve
# Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this
# parameter is always ignored, and Postfix behaves as though the auto value
# (described below) was chosen.
#
# auto
# Use the most preferred curve that is supported by both the client and the server.
# This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This
# is the default setting under the above conditions (and the only setting used with
# Use the most preferred curve that is supported by both the client and the server.
# This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This
# is the default setting under the above conditions (and the only setting used with
# Postfix ≥ 3.6).
#
# none
# Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the
# Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the
# default in Postfix versions 2.6 and 2.7.
#
# strong
# Use EECDH with approximately 128 bits of security at a reasonable computational cost.
# Use EECDH with approximately 128 bits of security at a reasonable computational cost.
# This is the default in Postfix versions 2.8-3.5.
#
# ultra
# Use EECDH with approximately 192 bits of security at computational cost that is
# Use EECDH with approximately 192 bits of security at computational cost that is
# approximately twice as high as 128 bit strength ECC.
#
smtpd_tls_eecdh_grade = auto
# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead
# of the remote client's cipher preference order.
# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead
# of the remote client's cipher preference order.
#
# By default, the OpenSSL server selects the client's most preferred cipher that the
# server supports. With SSLv3 and later, the server may choose its own most preferred
# cipher that is supported (offered) by the client.
# By default, the OpenSSL server selects the client's most preferred cipher that the
# server supports. With SSLv3 and later, the server may choose its own most preferred
# cipher that is supported (offered) by the client.
#
# Setting "tls_preempt_cipherlist = yes" enables server cipher preferences.
#
@@ -2035,23 +2015,23 @@ smtpd_tls_eecdh_grade = auto
tls_preempt_cipherlist = yes
# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory
# TLS encryption. The default grade ("medium") is sufficiently strong that any benefit
# from globally restricting TLS sessions to a more stringent grade is likely negligible,
# especially given the fact that many implementations still do not offer any stronger
# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers.
# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export"
# or "low" ciphers is typically not a good idea, as systems limited to just these are
# limited to obsolete browsers. No known SMTP clients fail to support at least one
# "medium" or "high" grade cipher.
# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory
# TLS encryption. The default grade ("medium") is sufficiently strong that any benefit
# from globally restricting TLS sessions to a more stringent grade is likely negligible,
# especially given the fact that many implementations still do not offer any stronger
# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers.
# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export"
# or "low" ciphers is typically not a good idea, as systems limited to just these are
# limited to obsolete browsers. No known SMTP clients fail to support at least one
# "medium" or "high" grade cipher.
#
# default: medium
#
#smtpd_tls_mandatory_ciphers = medium
# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic
# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the
# base definition of the selected cipher grade.
# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic
# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the
# base definition of the selected cipher grade.
#
# default: medium
#
@@ -2104,16 +2084,16 @@ smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options
# Report the SASL authenticated user name in the smtpd(8) Received message header.
smtpd_sasl_authenticated_header = yes
# Enable interoperability with remote SMTP clients that implement an obsolete version
# of the AUTH command (RFC 4954). Examples of such clients are MicroSoft Outlook
# Enable interoperability with remote SMTP clients that implement an obsolete version
# of the AUTH command (RFC 4954). Examples of such clients are MicroSoft Outlook
# Express version 4 and MicroSoft Exchange version 5.0.
#
# Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support
# Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support
# in a non-standard way.
#
broken_sasl_auth_clients = yes
## - Optional lookup table with the SASL login names that own
## - Optional lookup table with the SASL login names that own
## - sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
@@ -2133,7 +2113,7 @@ else
#======= SASL Authentification ============
## - Enable SASL authentication in the Postfix SMTP server. By default,
## - Enable SASL authentication in the Postfix SMTP server. By default,
## - the Postfix SMTP server does not use authentication.
## -
smtpd_sasl_auth_enable = no
@@ -2142,16 +2122,16 @@ smtpd_sasl_auth_enable = no
## -
smtpd_tls_auth_only = yes
## - The SASL plug-in type that the Postfix SMTP server should use for authentication.
## - The available types are listed with the "postconf -a" command.
## - The SASL plug-in type that the Postfix SMTP server should use for authentication.
## - The available types are listed with the "postconf -a" command.
## -
## - Available values are at least: cyrus, dovecot
## -
## -
smtpd_sasl_type = dovecot
## - Implementation-specific information that the Postfix SMTP server passes
## - through to the SASL plug-in implementation that is selected with smtpd_sasl_type.
## - through to the SASL plug-in implementation that is selected with smtpd_sasl_type.
## - Typically this specifies the name of a configuration file or rendezvous point.
## -
smtpd_sasl_path = private/dovecot-auth
@@ -2163,17 +2143,17 @@ smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options
# Report the SASL authenticated user name in the smtpd(8) Received message header.
smtpd_sasl_authenticated_header = no
# Enable interoperability with remote SMTP clients that implement an obsolete version
# of the AUTH command (RFC 4954). Examples of such clients are MicroSoft Outlook
# Enable interoperability with remote SMTP clients that implement an obsolete version
# of the AUTH command (RFC 4954). Examples of such clients are MicroSoft Outlook
# Express version 4 and MicroSoft Exchange version 5.0.
#
# Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support
# Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support
# in a non-standard way.
#
broken_sasl_auth_clients = yes
## - Optional lookup table with the SASL login names that own
## - Optional lookup table with the SASL login names that own
## - sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
@@ -2210,10 +2190,10 @@ virtual_mailbox_maps =
virtual_mailbox_domains =
## - Optional lookup tables that alias specific mail addresses or domains
## - to other local or remote address. The table format and lookups are
## - documented in virtual(5). For an overview of Postfix address
## - manipulations see the ADDRESS_REWRITING_README document.
## - Optional lookup tables that alias specific mail addresses or domains
## - to other local or remote address. The table format and lookups are
## - documented in virtual(5). For an overview of Postfix address
## - manipulations see the ADDRESS_REWRITING_README document.
## -
virtual_alias_maps =
btree:/etc/postfix/virtual_alias_maps
@@ -2229,11 +2209,11 @@ cat <<EOF >> /etc/postfix/main.cf
## - mailman
#hash:/var/lib/mailman/data/virtual-mailman
## - Postfix is final destination for the specified list of virtual alias
## - domains, that is, domains for which all addresses are aliased to addresses
## - in other local or remote domains. The SMTP server validates recipient
## - addresses with \$virtual_alias_maps and rejects non-existent recipients.
## - See also the virtual alias domain class in the ADDRESS_CLASS_README file
## - Postfix is final destination for the specified list of virtual alias
## - domains, that is, domains for which all addresses are aliased to addresses
## - in other local or remote domains. The SMTP server validates recipient
## - addresses with \$virtual_alias_maps and rejects non-existent recipients.
## - See also the virtual alias domain class in the ADDRESS_CLASS_README file
## -
virtual_alias_domains =
btree:/etc/postfix/virtual_alias_domains
@@ -2420,7 +2400,7 @@ virtual_alias_domains =
# - smtpd_end_of_data_restrictions
# -
# - Note:
# - all smtpd restrictions are evaluated until one of them
# - all smtpd restrictions are evaluated until one of them
# - results in 'REJECT'
## ---
@@ -2441,13 +2421,13 @@ fi
cat <<EOF >> /etc/postfix/main.cf
# The time limit for delivery to 'postfwd'
#
#
# Note
# This Parameter is used only if you've defined a 127.0.0.1:10040 spawn service
# in master.cf to have postfix control starting/stopping of the service.
# This Parameter is used only if you've defined a 127.0.0.1:10040 spawn service
# in master.cf to have postfix control starting/stopping of the service.
#
# If the service is started externally, such as by an init script, I
# don't believe it's used or needed.
# don't believe it's used or needed.
#
# The time limit for all external commands is controlled by command_time_limit
#
@@ -2468,16 +2448,16 @@ cat <<EOF >> /etc/postfix/main.cf
# smtpd_delay_reject (default: yes)
#
# Wait until the RCPT TO command before evaluating \$smtpd_client_restrictions,
# \$smtpd_helo_restrictions and \$smtpd_sender_restrictions, or wait until the
#
# Wait until the RCPT TO command before evaluating \$smtpd_client_restrictions,
# \$smtpd_helo_restrictions and \$smtpd_sender_restrictions, or wait until the
# ETRN command before evaluating \$smtpd_client_restrictions and \$smtpd_helo_restrictions.
#
# This feature is turned on by default because some clients apparently mis-behave
# This feature is turned on by default because some clients apparently mis-behave
# when the Postfix SMTP server rejects commands before RCPT TO.
#
# The default setting has one major benefit: it allows Postfix to log recipient address
# information when rejecting a client name/address or sender address, so that it is
# The default setting has one major benefit: it allows Postfix to log recipient address
# information when rejecting a client name/address or sender address, so that it is
# possible to find out whose mail is being rejected.
smtpd_delay_reject = yes
@@ -2502,18 +2482,18 @@ smtpd_client_restrictions =
#
permit_dnswl_client dnswl.oopen.de,
# Blacklists
#
#
# - rhs stands for right hand side, i.e, the domain name.
#
# - reject_rhsbl_helo makes Postfix reject email when the client HELO or EHLO hostname is blacklisted.
#
# - reject_rhsbl_reverse_client: reject the email when the unverified reverse client hostname is
# blacklisted. Postfix will fetch the client hostname from PTR record. If the hostname is
# - reject_rhsbl_reverse_client: reject the email when the unverified reverse client hostname is
# blacklisted. Postfix will fetch the client hostname from PTR record. If the hostname is
# blacklisted, reject the email.
#
# - reject_rhsbl_sender makes Postfix reject email when the MAIL FROM domain is blacklisted.
#
# - reject_rbl_client: This is an IP-based blacklist. When the client IP address is backlisted,
# - reject_rbl_client: This is an IP-based blacklist. When the client IP address is backlisted,
# reject the email.
#
reject_rhsbl_helo dbl.spamhaus.org,
@@ -2523,7 +2503,7 @@ smtpd_client_restrictions =
reject_rbl_client ix.dnsbl.manitu.net,
# Greylisting check
#
# check_policy_service inet:127.0.0.1:10023,
# check_policy_service inet:127.0.0.1:10023,
#
#
# Using defined restriction class (see smtpd_restriction_classes):
@@ -2537,14 +2517,14 @@ smtpd_client_restrictions =
#warn_if_reject,
check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
#reject_rbl_client bl.spamcop.net,
# Reject the request when
# Reject the request when
# 1) the client IP address->name mapping fails
# 2) the name->address mapping fails
# 3) the name->address mapping does not match the client IP address.
# 3) the name->address mapping does not match the client IP address.
#
# Note:
# This is a stronger restriction than the reject_unknown_reverse_client_hostname
# feature, which triggers only under condition 1) above.
# This is a stronger restriction than the reject_unknown_reverse_client_hostname
# feature, which triggers only under condition 1) above.
#
#reject_unknown_client
@@ -2560,16 +2540,16 @@ smtpd_helo_restrictions =
# Whitelist clients
#
check_client_access btree:/etc/postfix/client_whitelist
# Reject the request when the HELO or EHLO hostname is malformed.
# Reject the request when the HELO or EHLO hostname is malformed.
#
# Note
# specify "smtpd_helo_required = yes" to fully enforce this restriction
# (without "smtpd_helo_required = yes", a client can simply skip
# reject_invalid_helo_hostname by not sending HELO or EHLO).
# (without "smtpd_helo_required = yes", a client can simply skip
# reject_invalid_helo_hostname by not sending HELO or EHLO).
#
reject_invalid_helo_hostname,
# Reject the request when the HELO or EHLO hostname is not in fully-qualified
# domain or address literal form, as required by the RFC.
# Reject the request when the HELO or EHLO hostname is not in fully-qualified
# domain or address literal form, as required by the RFC.
#
reject_non_fqdn_helo_hostname
# Don't talk to mail systems that don't know their own hostname.
@@ -2609,26 +2589,26 @@ smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
# don't accept misconfigured recipients
reject_unknown_recipient_domain,
# Reject the request when the RCPT TO address is not listed in the list of valid
# recipients for its domain class. See the smtpd_reject_unlisted_recipient
# parameter description for details.
# Reject the request when the RCPT TO address is not listed in the list of valid
# recipients for its domain class. See the smtpd_reject_unlisted_recipient
# parameter description for details.
#
# smtpd_reject_unlisted_recipient (default: yes)
#
# Request that the Postfix SMTP server rejects mail for unknown recipient addresses,
# even when no explicit reject_unlisted_recipient access restriction is specified.
# This prevents the Postfix queue from filling up with undeliverable MAILER-DAEMON messages.
# Request that the Postfix SMTP server rejects mail for unknown recipient addresses,
# even when no explicit reject_unlisted_recipient access restriction is specified.
# This prevents the Postfix queue from filling up with undeliverable MAILER-DAEMON messages.
#
# An address is always considered "known" when it matches a virtual(5) alias or
# a canonical(5) mapping.
# - The recipient domain matches \$mydestination, \$inet_interfaces or \$proxy_interfaces,
# but the recipient is not listed in \$local_recipient_maps, and \$local_recipient_maps
# An address is always considered "known" when it matches a virtual(5) alias or
# a canonical(5) mapping.
# - The recipient domain matches \$mydestination, \$inet_interfaces or \$proxy_interfaces,
# but the recipient is not listed in \$local_recipient_maps, and \$local_recipient_maps
# is not null.
# - The recipient domain matches \$virtual_alias_domains but the recipient is not listed
# - The recipient domain matches \$virtual_alias_domains but the recipient is not listed
# in \$virtual_alias_maps.
# - The recipient domain matches \$virtual_mailbox_domains but the recipient is not
# listed in \$virtual_mailbox_maps, and \$virtual_mailbox_maps is not null.
# - The recipient domain matches \$relay_domains but the recipient is not listed in
# - The recipient domain matches \$virtual_mailbox_domains but the recipient is not
# listed in \$virtual_mailbox_maps, and \$virtual_mailbox_maps is not null.
# - The recipient domain matches \$relay_domains but the recipient is not listed in
# \$relay_recipient_maps, and \$relay_recipient_maps is not null.
#
reject_unlisted_recipient,
@@ -2636,12 +2616,12 @@ smtpd_recipient_restrictions =
#
# Reject the request unless one of the following is true:
#
# - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains
# - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains
# or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
#
#
# - Postfix is the final destination: the resolved RCPT TO domain matches
# \$mydestination, \$inet_interfaces, \$proxy_interfaces, \$virtual_alias_domains,
# - Postfix is the final destination: the resolved RCPT TO domain matches
# \$mydestination, \$inet_interfaces, \$proxy_interfaces, \$virtual_alias_domains,
# or \$virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).
#
# Note:
@@ -2649,8 +2629,8 @@ smtpd_recipient_restrictions =
# relay policy is specified under smtpd_relay_restrictions
# (available with Postfix 2.10 and later).
#reject_unauth_destination,
# Reject the request when mail to the RCPT TO address is known to bounce, or when the
# recipient address destination is not reachable. Address verification information is
# Reject the request when mail to the RCPT TO address is known to bounce, or when the
# recipient address destination is not reachable. Address verification information is
# managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
# for more details
reject_unverified_recipient,
@@ -2666,8 +2646,8 @@ smtpd_recipient_restrictions =
## - smtpd Relay Restrictions (since version 2.11)
## ---
# Access restrictions for mail relay control applied in the context of
# the RCPT TO command, before smtpd_recipient_restrictions.
# Access restrictions for mail relay control applied in the context of
# the RCPT TO command, before smtpd_recipient_restrictions.
#
smtpd_relay_restrictions =
# only special accounts (postmaster, abuse and other rolr accounts)
@@ -2686,15 +2666,15 @@ smtpd_relay_restrictions =
reject_unknown_recipient_domain,
# Reject the request unless one of the following is true:
#
# - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains
# - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains
# or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
#
# - Postfix is the final destination: the resolved RCPT TO domain matches
# \$mydestination, \$inet_interfaces, \$proxy_interfaces, \$virtual_alias_domains,
# - Postfix is the final destination: the resolved RCPT TO domain matches
# \$mydestination, \$inet_interfaces, \$proxy_interfaces, \$virtual_alias_domains,
# or \$virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).
reject_unauth_destination,
# Reject the request when mail to the RCPT TO address is known to bounce, or when the
# recipient address destination is not reachable. Address verification information is
# Reject the request when mail to the RCPT TO address is known to bounce, or when the
# recipient address destination is not reachable. Address verification information is
# managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
# for more details
reject_unverified_recipient,
@@ -2740,7 +2720,7 @@ milter_protocol = 6
# If you want sign mails before sending through AmaVIS, set
# 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
# localhost:10025 section in master.cf: 'smtpd_milters='
#
#
#smtpd_milters = local:/opendkim/opendkim.sock
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
smtpd_milters =
@@ -2805,7 +2785,7 @@ else
fi
## - create directory for certificates and copy certificates
## - create directory for certificates and copy certificates
## - and coresponding keys to /etc/postfix/ssl/
## -
echononl " Create directory for certificates \"/etc/postfix/ssl\""
@@ -2821,7 +2801,7 @@ else
fi
## - generate DH parameters that the Postfix SMTP server should use
## - generate DH parameters that the Postfix SMTP server should use
## - with EDH ciphers (length 512 and 1024
## -
echononl " Generate DH key length=512 \"/etc/postfix/ssl/dh_512.pem\""
@@ -2978,8 +2958,8 @@ if [[ ! -f /etc/postfix/access_sender ]]; then
#
# Restricts sender addresses this system accepts in MAIL FROM commands.
#
# Define the whitelist or blacklist with and OK or REJECT,
# followed by an optional answer text.
# Define the whitelist or blacklist with and OK or REJECT,
# followed by an optional answer text.
#
#
# Note:
@@ -3187,8 +3167,8 @@ if [[ ! -f /etc/postfix/greylist_client_access_pcre ]]; then
#
# - Note:
# -
# - Action 'check_greylist' must be defined by 'smtpd_restriction_classes'
# - and also set with an action (check_policy_service inet:127.0.0.1:10023)
# - Action 'check_greylist' must be defined by 'smtpd_restriction_classes'
# - and also set with an action (check_policy_service inet:127.0.0.1:10023)
# - in file /etc/postfix/ main.cf.
# -
# - Your main.cf may looks like:
@@ -3450,7 +3430,7 @@ if ! $IS_RELAY_HOST ; then
else
echo_failed
fi
## - Change permissions for dir '/var/vmail'
## -
@@ -3597,7 +3577,7 @@ EOF
fi
# - [[:blank:]] means space and tab. This makes it similar to: [ \t]
# - [[:space;]] in addition to space and tab, includes newline, linefeed, formfeed,
# - [[:space;]] in addition to space and tab, includes newline, linefeed, formfeed,
# - and vertical tab. This makes it similar to: [ \t\n\r\f\v]
# -
#if [[ $_line =~ ^[[:space:]]+[^[:space:]]+ ]] && $_smtp_found ; then