Add initial not yet running installscript for dovecot version 2.4.x

DOC/README.test_mailprotocolls

@@ -14,3 +14,10 @@ openssl s_client -crlf -starttls pop3 -connect localhost:110
 openssl s_client -crlf -connect localhost:993
 openssl s_client -crlf -starttls imap -connect localhost:143
 
+
+# Test RSA based TLS connection
+#
+echo "quit" | openssl s_client -connect a.mx.oopen.de:25 -starttls smtp -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384
+
+echo "quit" | openssl s_client -connect a.mx.oopen.de:25 -starttls smtp -tls1_2
+echo "quit" | openssl s_client -connect a.mx.oopen.de:25 -starttls smtp

install_opendkim.sh

@@ -189,6 +189,13 @@ else
    cat <<EOF > $opendkim_conf_file 2> $log_file
 # Datei $opendkim_conf_file
 
+# Sets the "authserv-id" to use when generating the Authentication-Results:
+# header field after verifying a message. The default is to use the name of
+# the MTA processing the message. If the string "HOSTNAME" is provided, the
+# name of the host running the filter (as returned by the gethostname(3)
+# function) will be used.
+AuthservID              "DKIM check $(hostname -f)"
+
 # OpenDKIM agiert als Mail Filter (= Milter) in den
 # Modi signer (s) und verifier (v) und verwendet eine
 # Socket-Datei zur Kommunikation (alternativ: lokaler Port)
@@ -237,6 +244,21 @@ SignatureAlgorithm      rsa-sha256
 # because it is often the identity key used by reputation systems and thus
 # somewhat security sensitive.
 OversignHeaders         From
+
+# Add an "Authentication-Results:" header field even to unsigned messages
+# from domains with no "signs all" policy. The reported DKIM result will be
+# "none" in such cases. Normally unsigned mail from non-strict domains does
+# not cause the results header field to be added.
+AlwaysAddARHeader       yes
+
+# Causes opendkim to fork and exits immediately, leaving the service running
+# in the background. The default is "true".
+Background              yes
+
+# Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
+# default is 5. Ignored if not using an asynchronous resolver package. See
+# also the NOTES section below.
+DNSTimeout              5
 EOF
    opendkim_needs_restart=true
    if [[ $? -eq 0 ]] ; then

install_opendmarc.sh

@@ -23,7 +23,7 @@ opendmarc_socket_dir="${postfix_spool_dir}/opendmarc"
 opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
 
 config_file_name_value_parameters="
-   AuthservID|OpenDMARC
+   AuthservID|DMARC check $(hostname -f)
    PidFile|/run/opendmarc/opendmarc.pid
    RejectFailures|true
    Syslog|true
@@ -36,6 +36,7 @@ config_file_name_value_parameters="
    FailureReports|false
    AutoRestart|true
    HistoryFile|/run/opendmarc/opendmarc.dat
+   SPFIgnoreResults|false
    SPFSelfValidate|true
    Socket|${opendmarc_socket_file}
 "
@@ -182,6 +183,200 @@ else
 fi
 
 
+# - Add 'IgnoreHosts' with default value to the original opendmarc.conf file
+#
+echononl " Add 'IgnoreHosts' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^IgnoreHosts\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Specifies the path to a file that contains a list of hostnames, IP addresses,
+## and/or CIDR expressions identifying hosts whose SMTP connections are to be
+## ignored by the filter. If not specified, defaults to "127.0.0.1" only.
+#
+IgnoreHosts 127.0.0.1
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'IgnoreAuthenticatedClients' with default value to the original opendmarc.conf file
+#
+_param="IgnoreAuthenticatedClients"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, causes mail from authenticated clients (i.e., those that used 
+## SMTP AUTH) to be ignored by the filter. The default is "false".
+#
+IgnoreAuthenticatedClients false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
+#
+_param="IgnoreAuthenticatedClients"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, causes mail from authenticated clients (i.e., those that used
+## SMTP AUTH) to be ignored by the filter. The default is "false".
+#
+IgnoreAuthenticatedClients false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
+#
+_param="RequiredHeaders"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, the filter will ensure the header of the message conforms to the basic 
+## header field count restrictions laid out in RFC5322, Section 3.6. Messages 
+## failing this test are rejected without further processing. A From: field from 
+## which no domain name could be extracted will also be rejected.
+#
+RequiredHeaders false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'AutoRestart' with default value to the original opendmarc.conf file
+#
+_param="AutoRestart"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Automatically re-start on failures. Use with caution; if the filter fails
+## instantly after it starts, this can cause a tight fork(2) loop.
+#
+AutoRestart false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'HistoryFile' with default value to the original opendmarc.conf file
+#
+_param="HistoryFile"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, specifies the location of a text file to which records are written
+## that can be used to generate DMARC aggregate reports. Records are batches of
+## rows containing information about a single received message, and include all
+## relevant information needed to generate a DMARC aggregate report. It is
+## expected that this will not be used in its raw form, but rather periodically
+## imported into a relational database from which the aggregate reports can be
+## extracted using opendmarc-importstats(8).
+#
+HistoryFile /run/opendmarc/opendmarc.dat
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'SPFIgnoreResults' with default value to the original opendmarc.conf file
+#
+_param="SPFIgnoreResults"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Causes the filter to ignore any SPF results in the header of the message. This
+## is useful if you want the filter to perform SPF checks itself, or because you
+## don't trust the arriving header. The default is "false".
+#
+SPFIgnoreResults false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'SPFSelfValidate' with default value to the original opendmarc.conf file
+#
+_param="SPFSelfValidate"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Causes the filter to perform a fallback SPF check itself when it can find no
+## SPF results in the message header. If SPFIgnoreResults is also set, it never
+## looks for SPF results in headers and always performs the SPF check itself when
+## this is set. The default is "false".
+#
+SPFSelfValidate false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
 # - Save configuration file from distribution
 # -
 echononl "   Save configuration file from distribution"

install_postfix_base.sh

@@ -129,6 +129,7 @@ detect_os_1 () {
 
 DEFAULT_ADMIN_EMAIL="argus@oopen.de"
 DEFAULT_RELAY_HOST="b.mx.oopen.de"
+DEFAULT_RELAY_PORT=25
 DEFAULT_SASL_AUTH=false
 DEFAULT_REWRITE_SENDER_DOMAIN=None
 
@@ -264,7 +265,7 @@ else
       fi
    done
 fi
-if [ "X$IPV6" = "Xnone" -o "X$IPV6" = "XNone" ]; then 
+if [ "X$IPV6" = "Xnone" -o "X$IPV6" = "XNone" ]; then
    IPV6=disabled
 fi
 
@@ -277,7 +278,7 @@ echo "Insert e-mail address where messages to local root should be forwarded"
 echo ""
 echo ""
 if [[ -n "$_ADMIN_EMAIL" ]]; then
-   echononl "Admin e-mail address [$_ADMIN_EMAIL]: "  
+   echononl "Admin e-mail address [$_ADMIN_EMAIL]: "
    read ADMIN_EMAIL
    if [[ "X${ADMIN_EMAIL}" = "X" ]]; then
       ADMIN_EMAIL=$_ADMIN_EMAIL
@@ -340,11 +341,12 @@ fi
 # --- Some further default values depending on sasl authentification
 # -------------
 
-# - Set default value for relay host if sasl authentification should be
+# - Set default value for relay host / relay port if sasl authentification should be
-# - supported and value for _RELAY_HOST not given
+# - supported and value for _RELAY_HOST / _RELAY_PORT not given
 # -
 if [[ "$SASL_AUTH" = "yes" ]] || $SASL_AUTH ; then
    [[ -z "$_RELAY_HOST" ]] && _RELAY_HOST="$DEFAULT_RELAY_HOST"
+   [[ -z "$_RELAY_PORT" ]] && _RELAY_PORT="$DEFAULT_RELAY_PORT"
 fi
 
 if [[ -z ${_REWRITE_SENDER_DOMAIN} ]] ; then
@@ -415,6 +417,27 @@ if [[ "$SASL_AUTH" = "yes" ]] || $SASL_AUTH ; then
       done
    fi
 
+
+   RELAY_PORT=
+   echo ""
+   echo "Insert the target port to connect to ${RELAY_HOST}"
+   echo ""
+   if [[ -n "$_RELAY_PORT" ]];then
+      echononl "(target) Port on ${RELAY_HOST} [$_RELAY_PORT]: "
+      read RELAY_PORT
+      if [[ "X${RELAY_PORT}" = "X" ]]; then
+         RELAY_PORT=$_RELAY_PORT
+      fi
+   else
+      while [[ "X${RELAY_PORT}" = "X" ]]; do
+         echononl "(target) Port on ${RELAY_HOST}: "
+         read RELAY_PORT
+         if [[ "X${RELAY_PORT}" = "X" ]]; then
+            echo -e "\n\t\033[33m\033[1mi(target) Port of ${RELAY_HOST} is reqired\033[m\n"
+         fi
+      done
+   fi
+
 else
    SASL_AUTH=false
 fi
@@ -467,6 +490,7 @@ if $SASL_AUTH ; then
    echo -e "\t   sasl user.............: $SASL_USER"
    echo -e "\t   sasl password.........: $SASL_PASS"
    echo -e "\t   Relayhost.............: $RELAY_HOST"
+   echo -e "\t   Port on Relayhost.....: $RELAY_PORT"
 fi
 echo ""
 echononl "einverstanden (yes/no): "
@@ -487,7 +511,7 @@ cat << EOF > $conf_file
 # ---
 # - Parameter Settings Postfix Bases System
 # -
-# -    - automated generated config file - 
+# -    - automated generated config file -
 # ---
 
 _HOSTNAME=$HOSTNAME
@@ -498,6 +522,7 @@ _SASL_AUTH=$SASL_AUTH
 _SASL_USER=$SASL_USER
 _SASL_PASS=$SASL_PASS
 _RELAY_HOST=$RELAY_HOST
+_RELAY_PORT=$RELAY_PORT
 _REWRITE_SENDER_DOMAIN=$REWRITE_SENDER_DOMAIN
 EOF
 if [[ $? -eq 0 ]] ; then
@@ -506,7 +531,7 @@ else
    echo_failed
 fi
 
-[[ "$IPV6" = "disabled" ]] && IPV6="" 
+[[ "$IPV6" = "disabled" ]] && IPV6=""
 
 
 # - Synchronise package index files with the repository
@@ -611,7 +636,7 @@ append_dot_mydomain = no
 readme_directory = /usr/share/doc/postfix
 html_directory = /usr/share/doc/postfix/html
 
-## - The Internet protocols Postfix will attempt to use when making 
+## - The Internet protocols Postfix will attempt to use when making
 ## - or accepting connections.
 ## - DEFAULT: ipv4
 EOF
@@ -622,7 +647,7 @@ inet_protocols = ipv4, ipv6
 
 #inet_interfaces = all
 
-inet_interfaces = 
+inet_interfaces =
    127.0.0.1
    ::1
    #$IPV4
@@ -630,14 +655,14 @@ inet_interfaces =
 
 myhostname = $HOSTNAME
 
-mydestination = 
+mydestination =
    $HOSTNAME
    localhost
 
-## - The list of "trusted" SMTP clients that have more 
+## - The list of "trusted" SMTP clients that have more
 ## - privileges than "strangers"
 ## -
-mynetworks = 
+mynetworks =
    127.0.0.0/8
    [::ffff:127.0.0.0]/104
    [::1]/128
@@ -665,21 +690,34 @@ inet_interfaces =
 
 myhostname = $HOSTNAME
 
-mydestination = 
+mydestination =
    $HOSTNAME
    localhost
 
-## - The list of "trusted" SMTP clients that have more 
+## - The list of "trusted" SMTP clients that have more
 ## - privileges than "strangers"
 ## -
-mynetworks = 
+mynetworks =
    127.0.0.0/8
-   ${IPV4}/32
+EOF
 
-smtp_bind_address = $IPV4
+   if [[ ${IPV4} =~ ^127 ]] ; then
-smtp_bind_address6 = $IPV6
+
+      cat <<EOF >> /etc/postfix/main.cf
+
+smtp_bind_address =
+smtp_bind_address6 =
 
 EOF
+   else
+      cat <<EOF >> /etc/postfix/main.cf
+      ${IPV4}/32
+
+smtp_bind_address = $IPV4
+#smtp_bind_address6 =
+
+EOF
+   fi
 fi
 
 cat <<EOF >> /etc/postfix/main.cf
@@ -687,18 +725,18 @@ cat <<EOF >> /etc/postfix/main.cf
 ## - The method to generate the default value for the mynetworks parameter.
 ## -
 ## -   mynetworks_style = host" when Postfix should "trust" only the local machine
-## -   mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP 
+## -   mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP
 ## -                       clients in the same IP subnetworks as the local machine.
-## -   mynetworks_style = class" when Postfix should "trust" SMTP clients in the same 
+## -   mynetworks_style = class" when Postfix should "trust" SMTP clients in the same
 ## -                      IP class A/B/C networks as the local machine.
 ## -
 #mynetworks_style = host
 
 
-## - The maximal size of any local(8) individual mailbox or maildir file, 
+## - The maximal size of any local(8) individual mailbox or maildir file,
-## - or zero (no limit). In fact, this limits the size of any file that is 
+## - or zero (no limit). In fact, this limits the size of any file that is
-## - written to upon local delivery, including files written by external 
+## - written to upon local delivery, including files written by external
-## - commands that are executed by the local(8) delivery agent. 
+## - commands that are executed by the local(8) delivery agent.
 ## -
 mailbox_size_limit = 0
 
@@ -717,51 +755,51 @@ recipient_delimiter = +
 alias_maps =
    hash:/etc/aliases
 
-## - The alias databases for local(8) delivery that are updated 
+## - The alias databases for local(8) delivery that are updated
-## - with "newaliases" or with "sendmail -bi". 
+## - with "newaliases" or with "sendmail -bi".
 ## -
 alias_database =
    hash:/etc/aliases
 
-## - Optional address mapping lookup tables for envelope and header sender 
+## - Optional address mapping lookup tables for envelope and header sender
 ## - addresses. The table format and lookups are documented in canonical(5).
 ## -
-## - Example: you want to rewrite the SENDER address "user@ugly.domain" 
+## - Example: you want to rewrite the SENDER address "user@ugly.domain"
-## - to "user@pretty.domain", while still being able to send mail to the 
+## - to "user@pretty.domain", while still being able to send mail to the
 ## - RECIPIENT address "user@ugly.domain".
 ## -
 ## - Note: \$sender_canonical_maps is processed before \$canonical_maps.
 ## -
-sender_canonical_maps = 
+sender_canonical_maps =
    btree:/etc/postfix/sender_canonical
 
 
 ## - smtp_generic_maps (default: empty)
 ## -
-## - Optional lookup tables that perform address rewriting in the Postfix 
+## - Optional lookup tables that perform address rewriting in the Postfix
-## - SMTP client, typically to transform a locally valid address into a 
+## - SMTP client, typically to transform a locally valid address into a
-## - globally valid address when sending mail across the Internet. This is 
+## - globally valid address when sending mail across the Internet. This is
-## - needed when the local machine does not have its own Internet domain name, 
+## - needed when the local machine does not have its own Internet domain name,
-## -but uses something like localdomain.local instead. 
+## -but uses something like localdomain.local instead.
 ## -
 smtp_generic_maps =
    btree:/etc/postfix/generic
 
-## - The maximal time a message is queued before it is sent back as 
+## - The maximal time a message is queued before it is sent back as
 ## - undeliverable. Defaults to 5d (5 days)
 ## - Specify 0 when mail delivery should be tried only once.
-## - 
+## -
 maximal_queue_lifetime = 3d
 bounce_queue_lifetime = \$maximal_queue_lifetime
 
 ## - delay_warning_time (default: 0h)
 ## -
-## - The time after which the sender receives a copy of the message 
+## - The time after which the sender receives a copy of the message
-## - headers of mail that is still queued. To enable this feature, 
+## - headers of mail that is still queued. To enable this feature,
-## - specify a non-zero time value (an integral value plus an optional 
+## - specify a non-zero time value (an integral value plus an optional
-## - one-letter suffix that specifies the time unit). 
+## - one-letter suffix that specifies the time unit).
-## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). 
+## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-## - The default time unit is h (hours). 
+## - The default time unit is h (hours).
 delay_warning_time = 1d
 
 
@@ -788,9 +826,24 @@ smtp_sasl_auth_enable = yes
 
 # Only offer SMTP AUTH when talking over an encrypted connection
 smtpd_tls_auth_only = yes
+EOF
+
+   if [[ ${RELAY_PORT} -ne 25 ]] ; then
+      cat <<EOF >> /etc/postfix/main.cf
+
+# Forwarding to the ip-adress of host b.mx.oopen.de
+relayhost = [${RELAY_HOST}]:${RELAY_PORT}
+EOF
+   else
+      cat <<EOF >> /etc/postfix/main.cf
 
 # Forwarding to the ip-adress of host b.mx.oopen.de
 relayhost = [${RELAY_HOST}]
+EOF
+
+   fi
+
+   cat <<EOF >> /etc/postfix/main.cf
 
 # File including login data
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
@@ -799,7 +852,7 @@ smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 smtp_sasl_security_options = noanonymous
 smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options
 
-# Report the SASL authenticated user name in the smtpd(8) Received message header. 
+# Report the SASL authenticated user name in the smtpd(8) Received message header.
 smtpd_sasl_authenticated_header = no
 
 
@@ -809,11 +862,11 @@ smtpd_sasl_authenticated_header = no
 ## - Aktiviert TLS für den Mailempfang
 ## -
 ## - may:
-## - Opportunistic TLS. Use TLS if this is supported by the remote 
+## - Opportunistic TLS. Use TLS if this is supported by the remote
 ## - SMTP server, otherwise use plaintext
 ## -
-## - This overrides the obsolete parameters smtpd_use_tls and 
+## - This overrides the obsolete parameters smtpd_use_tls and
-## - smtpd_enforce_tls. This parameter is ignored with 
+## - smtpd_enforce_tls. This parameter is ignored with
 ## - "smtpd_tls_wrappermode = yes".
 #smtpd_use_tls=yes
 smtp_tls_security_level=encrypt
@@ -833,11 +886,11 @@ relayhost =
 ## - Aktiviert TLS für den Mailempfang
 ## -
 ## - may:
-## - Opportunistic TLS. Use TLS if this is supported by the remote 
+## - Opportunistic TLS. Use TLS if this is supported by the remote
 ## - SMTP server, otherwise use plaintext
 ## -
-## - This overrides the obsolete parameters smtpd_use_tls and 
+## - This overrides the obsolete parameters smtpd_use_tls and
-## - smtpd_enforce_tls. This parameter is ignored with 
+## - smtpd_enforce_tls. This parameter is ignored with
 ## - "smtpd_tls_wrappermode = yes".
 #smtpd_use_tls=yes
 smtp_tls_security_level=may
@@ -849,16 +902,16 @@ cat <<EOF >> /etc/postfix/main.cf
 ## - Aktiviert TLS für den Mailversand
 ## -
 ## - may:
-## - Opportunistic TLS: announce STARTTLS support to SMTP clients, 
+## - Opportunistic TLS: announce STARTTLS support to SMTP clients,
 ## - but do not require that clients use TLS encryption.
 # smtp_use_tls=yes
 smtpd_tls_security_level=may
 
-## -    0 Disable logging of TLS activity. 
+## -    0 Disable logging of TLS activity.
-## -    1 Log TLS handshake and certificate information. 
+## -    1 Log TLS handshake and certificate information.
-## -    2 Log levels during TLS negotiation. 
+## -    2 Log levels during TLS negotiation.
-## -    3 Log hexadecimal and ASCII dump of TLS negotiation process. 
+## -    3 Log hexadecimal and ASCII dump of TLS negotiation process.
-## -    4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS. 
+## -    4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS.
 ## -
 smtpd_tls_loglevel = 1
 smtp_tls_loglevel = 1
@@ -867,7 +920,7 @@ smtpd_tls_cert_file = $_TLS_CERT_FILE
 smtpd_tls_key_file = $_TLS_KEY_FILE
 
 ## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
-## - 
+## -
 ## - Dont't forget to create it, e.g with openssl:
 ## -    openssl dhparam -out /etc/postfix/ssl/dh_1024.pem -2 1024
 ## -
@@ -876,92 +929,136 @@ smtpd_tls_key_file = $_TLS_KEY_FILE
 ## -
 smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
 
-## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. 
+## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
-## - 
+## -
 ## - Dont't forget to create it, e.g with openssl:
 ## -    openssl dhparam -out /etc/postfix/ssl/dh_512.pem -2 512
 ## -
 smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
 
 
-## - File containing CA certificates of root CAs trusted to sign either remote SMTP 
+## - File containing CA certificates of root CAs trusted to sign either remote SMTP
-## - server certificates or intermediate CA certificates. These are loaded into 
+## - server certificates or intermediate CA certificates. These are loaded into
 ## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
-## - 
+## -
 smtp_tls_CAfile = $_TLS_CA_FILE
 
-## - Directory with PEM format certificate authority certificates that the Postfix SMTP 
+## - Directory with PEM format certificate authority certificates that the Postfix SMTP
-## - client uses to verify a remote SMTP server certificate. Don't forget to create the 
+## - client uses to verify a remote SMTP server certificate. Don't forget to create the
 ## - necessary "hash" links with, for example, "
-## - $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". 
+## - $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
 ## -
 ## - !! Note !!
-## - To use this option in chroot mode, this directory (or a copy) must be inside 
+## - To use this option in chroot mode, this directory (or a copy) must be inside
-## - the chroot jail. 
+## - the chroot jail.
 ## -
-## - Note that a chrooted daemon resolves all filenames relative to the Postfix 
+## - Note that a chrooted daemon resolves all filenames relative to the Postfix
 ## - queue directory (/var/spool/postfix)
 ## -
 #smtpd_tls_CApath = /etc/postfix/certs
 
 
-# Disable SSLv2 SSLv3 - Postfix SMTP server 
+# Disable SSLv2 SSLv3 - Postfix SMTP server
-# 
-# List of TLS protocols that the Postfix SMTP server will exclude or  
-# include with opportunistic TLS encryption.  
-smtpd_tls_protocols = !SSLv2, !SSLv3
-# 
-# The SSL/TLS protocols accepted by the Postfix SMTP server  
-# with mandatory TLS encryption. 
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
-
-
-# Disable SSLv2 SSLv3 - Postfix SMTP client 
-#  
-# List of TLS protocols that the Postfix SMTP client will exclude or  
-# include with opportunistic TLS encryption.  
-smtp_tls_protocols = !SSLv2, !SSLv3
-# 
-# List of SSL/TLS protocols that the Postfix SMTP client will use  
-# with mandatory TLS encryption 
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
-
-
-## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange 
-## -    openssl > 1.0
-## -
-smtpd_tls_eecdh_grade = strong
-
-# standard list cryptographic algorithm
-tls_preempt_cipherlist = yes
-
-# Disable ciphers which are less than 256-bit:
 #
-#smtpd_tls_mandatory_ciphers = high
+# List of TLS protocols that the Postfix SMTP server will exclude or
+# include with opportunistic TLS encryption.
+#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
+
+# TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption.
 #
-# opportunistic
+#smtpd_tls_protocols = >=TLSv1
-smtpd_tls_ciphers = high
+
+# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption.
+#
+#smtpd_tls_mandatory_protocols = >=TLSv1
+
+# TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption.
+#
+#smtp_tls_protocols = >=TLSv1
+
+# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption.
+#
+smtp_tls_mandatory_protocols = >=TLSv1.2
 
 
-# Exclude ciphers
+# The Postfix SMTP server security grade for ephemeral elliptic-curve
+# Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this
+# parameter is always ignored, and Postfix behaves as though the auto value
+# (described below) was chosen.
+#
+# auto
+#    Use the most preferred curve that is supported by both the client and the server.
+#    This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This
+#    is the default setting under the above conditions (and the only setting used with
+#    Postfix ≥ 3.6).
+#
+# none
+#    Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the
+#    default in Postfix versions 2.6 and 2.7.
+#
+# strong
+#    Use EECDH with approximately 128 bits of security at a reasonable computational cost.
+#    This is the default in Postfix versions 2.8-3.5.
+#
+# ultra
+#    Use EECDH with approximately 192 bits of security at computational cost that is
+#    approximately twice as high as 128 bit strength ECC.
+#
+smtpd_tls_eecdh_grade = auto
+
+
+# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead
+# of the remote client's cipher preference order.
+#
+# By default, the OpenSSL server selects the client's most preferred cipher that the
+# server supports. With SSLv3 and later, the server may choose its own most preferred
+# cipher that is supported (offered) by the client.
+#
+# Setting "tls_preempt_cipherlist = yes" enables server cipher preferences.
+#
+# default: no
+#
+#tls_preempt_cipherlist = no
+
+
+# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory
+# TLS encryption. The default grade ("medium") is sufficiently strong that any benefit
+# from globally restricting TLS sessions to a more stringent grade is likely negligible,
+# especially given the fact that many implementations still do not offer any stronger
+# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers.
+# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export"
+# or "low" ciphers is typically not a good idea, as systems limited to just these are
+# limited to obsolete browsers. No known SMTP clients fail to support at least one
+# "medium" or "high" grade cipher.
+#
+# default: medium
+#
+#smtpd_tls_mandatory_ciphers = medium
+
+# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic
+# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the
+# base definition of the selected cipher grade.
+#
+# default: medium
+#
+#smtpd_tls_ciphers = medium
+
+
+# List of ciphers or cipher types to exclude from the SMTP server cipher list at all
+# TLS security levels.
+#
+# DO NOT exclude ciphers unless it is essential to do so. This is not an OpenSSL cipherlist;
+# it is a simple list separated by whitespace and/or commas. The elements are a single cipher,
+# or one or more "+" separated cipher properties, in which case only ciphers matching all the
+# properties are excluded.
+#
 #smtpd_tls_exclude_ciphers =
-#   RC4
+
-#   aNULL
+# Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher
-#   SEED-SHA
+# list at mandatory TLS security levels. This list works in addition to the exclusions listed
-#   EXP
+# with smtp_tls_exclude_ciphers
-#   MD5
+#
-smtpd_tls_exclude_ciphers =
+#smtp_tls_mandatory_exclude_ciphers =
-   aNULL
-   eNULL
-   EXPORT
-   DES
-   RC4
-   MD5
-   PSK
-   aECDH
-   EDH-DSS-DES-CBC3-SHA
-   EDH-RSA-DES-CDC3-SHA
-   KRB5-DE5, CBC3-SHA
 
 
 smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
@@ -973,8 +1070,8 @@ smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
 
 # smtpd_relay_restrictions
 #
-# IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipient_restrictions 
+# IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipient_restrictions
-# parameter must specify at least one of the following restrictions. Otherwise Postfix 
+# parameter must specify at least one of the following restrictions. Otherwise Postfix
 # will refuse to receive mail:
 #
 #        reject, reject_unauth_destination
@@ -984,20 +1081,20 @@ smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
 #
 # The upstream default is:
 #
-#    smtpd_relay_restrictions = \${{\$compatibility_level} < {1} ? {} : 
+#    smtpd_relay_restrictions = \${{\$compatibility_level} < {1} ? {} :
 #       {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}
 #
-# AGAIN, that means: if parameter compatibility_level is not set or compatibility_level is 
+# AGAIN, that means: if parameter compatibility_level is not set or compatibility_level is
 # set to '0', you MUST specify this value. Otherwise Postfix will refuse to receive mail
 # and you get the following error message:
 #
-#     fatal: in parameter smtpd_relay_restrictions or smtpd_recipient_restrictions, specify 
+#     fatal: in parameter smtpd_relay_restrictions or smtpd_recipient_restrictions, specify
-#     at least one working instance of: reject_unauth_destination, defer_unauth_destination, 
+#     at least one working instance of: reject_unauth_destination, defer_unauth_destination,
 #     reject, defer, defer_if_permit or check_relay_domains
 #
-#smtpd_relay_restrictions = 
+#smtpd_relay_restrictions =
-#   permit_mynetworks, 
+#   permit_mynetworks,
-#   permit_sasl_authenticated, 
+#   permit_sasl_authenticated,
 #   defer_unauth_destination
 
 EOF
@@ -1006,8 +1103,21 @@ echo_ok
 echononl "   Configure SASL authentification"
 if $SASL_AUTH ; then
 
+   _sasl_pw_file="/etc/postfix/sasl_passwd"
+   if [[ -f "${_sasl_pw_file}" ]] && $(grep -q -E "^\[${RELAY_HOST}\]" ${_sasl_pw_file} 2> /dev/null); then
+      sed -i "/^\[${RELAY_HOST}/d" ${_sasl_pw_file}
+      if [[ "$?" != "0" ]]; then
+         error "Setting \"/etc/postfix/sasl_passwd\" failed! "
+         _failed=true
+      fi
+   fi
+
    _failed=false
-   echo "[$RELAY_HOST] ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" > /etc/postfix/sasl_passwd
+   if [[ ${RELAY_PORT} -ne 25 ]] ; then
+      echo "[$RELAY_HOST]:${RELAY_PORT} ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" >> /etc/postfix/sasl_passwd
+   else
+      echo "[$RELAY_HOST] ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" >> /etc/postfix/sasl_passwd
+   fi
    if [[ "$?" != "0" ]]; then
       error "Setting \"/etc/postfix/sasl_passwd\" failed! "
       _failed=true
@@ -1081,7 +1191,7 @@ else
 fi
 
 
-## - create directory for certificates and copy certificates 
+## - create directory for certificates and copy certificates
 ## - and coresponding keys to /etc/postfix/ssl/
 ## -
 echononl "   Create directory for certificates \"/etc/postfix/ssl\""
@@ -1097,7 +1207,7 @@ else
 fi
 
 
-## - generate DH parameters that the Postfix SMTP server should use 
+## - generate DH parameters that the Postfix SMTP server should use
 ## - with EDH ciphers (length 512 and 1024
 ## -
 echononl "   Generate DH key length=512 \"/etc/postfix/ssl/dh_512.pem\""
@@ -1353,6 +1463,12 @@ else
    fi
 fi
 
+if [[ ${RELAY_PORT} -ne 25 ]] ; then
+
+   echo ""
+   warn "Please do not forget to allow port \033[1m${RELAY_PORT}\033[m on both sides, outgoing
+                     on this host here and incoming on the relay host '${RELAY_HOST}'."
+fi
 
 echo ""
 clean_up 0

install_postfixadmin.sh

@@ -1842,23 +1842,25 @@ fi
 
 # - Encoding does not work as exspected.
 # -
+# - Update: Encoding seems to works now
+# -
 # - NOTE:
 # -    this IS NOT a fix, but a workaround
 # -
-echononl "\tWorkaround, because encoding does not work as exspected."
+#echononl "\tWorkaround, because encoding does not work as exspected."
-# - Vacation script changed. Since Version 3.2 we need another perl regexp.
+## - Vacation script changed. Since Version 3.2 we need another perl regexp.
-# - The old one was: 
+## - The old one was: 
-# -    perl -i -n -p -e "s/(\s*\'ctype\'\s* =>\s*)\'text\/plain.*$/\1\'text\/plain; charset=iso-8859-1\',/" \
+## -    perl -i -n -p -e "s/(\s*\'ctype\'\s* =>\s*)\'text\/plain.*$/\1\'text\/plain; charset=iso-8859-1\',/" \
-# -
+## -
-perl -i -n -p -e "s/(\s*\'Content-Type\'\s* =>\s*)\"text\/plain.*$/\1\"text\/plain; charset=iso-8859-1\",/" \
+##perl -i -n -p -e "s/(\s*\'Content-Type\'\s* =>\s*)\"text\/plain.*$/\1\"text\/plain; charset=iso-8859-1\",/" \
-   /var/spool/vacation/vacation.pl > "$log_file" 2>&1
+##   /var/spool/vacation/vacation.pl > "$log_file" 2>&1
-if [[ $? -eq 0 ]];then
+#if [[ $? -eq 0 ]];then
-   echo_ok
+#   echo_ok
-   info "This IS NOT a fix, but a workaround."
+#   info "This IS NOT a fix, but a workaround."
-else
+#else
-   echo_failed
+#   echo_failed
-   error "$(cat $log_file)"
+#   error "$(cat $log_file)"
-fi
+#fi
 
 echononl "\tSet Permission on vacation script"
 _failed=false

install_update_dovecot.sh

@@ -287,14 +287,21 @@ dovecot_main_version="$(echo $_version | cut -d '.' -f1,2)"
 dovecot_major_version="$(echo $_version | cut -d '.' -f1)"
 dovecot_minor_version="$(echo $_version | cut -d '.' -f2)"
 dovecot_patch_level="$(echo $_version | cut -d '.' -f3)"
+dovecot_minor_patch_level="$(echo $_version | cut -d '.' -f4)"
+
+_version_short="${_version%-*}"
 
 #echo ""
-#echo "_version:              $_version"
+#echo "_version:                  $_version"
-#echo "dovecot_main_version   $dovecot_main_version"
+#echo "dovecot_main_version       $dovecot_main_version"
-#echo "dovecot_major_version  $dovecot_major_version"
+#echo "dovecot_major_version      $dovecot_major_version"
-#echo "dovecot_minor_version  $dovecot_minor_version"
+#echo "dovecot_minor_version      $dovecot_minor_version"
-#echo "dovecot_patch_level    $dovecot_patch_level"
+#echo "dovecot_patch_level        $dovecot_patch_level"
+#echo "dovecot_minor_patch_level  $dovecot_minor_patch_level"
 #echo ""
+#
+#clean_up 0
+
 
 # 'expire plugin'was rRemoved in version 2.3.14: This plugin is not needed. 
 # Use mailbox { autoexpunge } Mailbox settings instead.
@@ -710,32 +717,72 @@ fi
 
 ## - Download Pigeonhole for Dovecot v2.2
 ## -
-echononl "\tDownload dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
+if [[ ${dovecot_major_version} -eq 2 ]] && [[ ${dovecot_minor_version} -lt 4 ]] ; then
-if [ ! -f "${_src_base_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz" ]; then
+   
-   wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
+   echononl "\tDownload dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
-   if [ "$?" = 0 ]; then
+   if [ ! -f "${_src_base_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz" ]; then
-      echo -e "$rc_done"
+      wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
+      if [ "$?" = 0 ]; then
+         echo -e "$rc_done"
+      else
+         echo -e "$rc_failed"
+         error "Direct download of 'dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz' failed
+
+                     Download \033[1mdovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz\033[m manually 
+                     and proceed instllation."
+
+         echononl "\tProceed instllation [yes/no]: "
+         read OK
+         OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+         while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
+            echononl "Wrong entry! - repeat [yes/no]: "
+            read OK
+         done
+         [[ $OK = "yes" ]] || fatal "Abbruch durch User"
+
+      fi
    else
-      echo -e "$rc_failed"
+      echo -e "$rc_skipped"
-      error "Direct download of 'dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz' failed
-
-                   Download \033[1mdovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz\033[m manually 
-                   and proceed instllation."
-
-		echononl "\tProceed instllation [yes/no]: "
-		read OK
-		OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
-		while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
-			echononl "Wrong entry! - repeat [yes/no]: "
-			read OK
-		done
-		[[ $OK = "yes" ]] || fatal "Abbruch durch User"
-
    fi
+
+   dovecot_pigeonhole_archiv="dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz"
+
 else
-   echo -e "$rc_skipped"
+
+   echononl "\tDownload dovecot-pigeonhole-${_pigeonhole}.tar.gz.."
+   if [ ! -f "${_src_base_dir}/dovecot-pigeonhole-${_pigeonhole}.tar.gz" ]; then
+      wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
+      if [ "$?" = 0 ]; then
+         echo -e "$rc_done"
+         dovecot_pigeonhole_archiv="dovecot-pigeonhole-${_pigeonhole}.tar.gz"
+      else
+         echo -e "$rc_failed"
+
+         error "Direct download of 'Pigeonhole Sieve and ManageSieve' source archiv  failed
+
+                  Download Pigeonhole Sieve and ManageSieve manually and name it to
+
+                  \033[1mdovecot-pigeonhole-${_pigeonhole}.tar.gz\033[m\n"
+
+
+         echononl "\tProceed instllation [yes/no]: "
+         read OK
+         OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+         while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
+            echononl "Wrong entry! - repeat [yes/no]: "
+            read OK
+         done
+         [[ $OK = "yes" ]] || fatal "Abbruch durch User"
+      fi
+   else
+      echo -e "$rc_skipped"
+   fi
+
+   dovecot_pigeonhole_archiv="dovecot-pigeonhole-${_pigeonhole}.tar.gz"
 fi
 
+dovecot_pigeonhole_archiv_prefix="${dovecot_pigeonhole_archiv%.tar.gz}"
+dovecot_pigeonhole_archiv_dir="${dovecot_pigeonhole_archiv%.tar.gz}"
 
 
 if $_new ; then
@@ -901,6 +948,7 @@ config_params="
    --prefix=/usr/local/dovecot-${_version} \
    --with-${db_driver} \
    --with-gssapi=yes
+   --with-ldap=yes
    --with-rundir=/run/dovecot"
 if $systemd_support ; then
    config_params="$config_params \
@@ -1055,20 +1103,20 @@ fi
 cd ${_src_base_dir}
 echo ""
 echononl "\tExtracting dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
-gunzip < dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz | tar -xf -
+gunzip < ${_src_base_dir}/${dovecot_pigeonhole_archiv} | tar -C ${_src_base_dir} -xf -
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
    echo -e "$rc_failed"
-   fatal Extracting dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz failed
+   fatal Extracting ${dovecot_pigeonhole_archiv} failed
 fi
-cd dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}
+cd ${dovecot_pigeonhole_archiv_dir}
 
 
 echononl "\tConfigure Pigeonhole ManageSieve.."
 ./configure \
 	--prefix=/usr/local/dovecot-${_version} \
-   --with-dovecot=/usr/local/dovecot-${_version}/lib/dovecot > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-configure.log 2<&1
+   --with-dovecot=/usr/local/dovecot-${_version}/lib/dovecot > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-configure.log 2<&1
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
@@ -1077,7 +1125,7 @@ else
 fi
 
 echononl "\tCompile Pigeonhole ManageSieve.."
-make > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-make.log 2<&1
+make > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-make.log 2<&1
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
@@ -1086,7 +1134,7 @@ else
 fi
 
 echononl "\tInstall Pigeonhole ManageSieve.."
-make install > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-install.log 2<&1
+make install > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-install.log 2<&1
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
@@ -1095,6 +1143,7 @@ else
 fi
 
 
+
 ## -----------------
 ## --- Configure dovecot services