install/mailsystem
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: install:3eb53b54635f88f84864097f58bd10ab58a94c61
Branches Tags
install:master
..
compare: install:master
Branches Tags
install:master

35 Commits
3eb53b5463 ... master

Author SHA1 Message Date
Christoph
ba20cb36fe Add initial not yet running installscript for dovecot version 2.4.x 2025-07-12 12:55:16 +02:00
Christoph
83ad91f77d install_update_dovecot.sh:cleanup fron debug code.. 2025-07-12 12:54:08 +02:00
Christoph
3a98ac15f7 Merge branch 'master' of https://git.oopen.de/install/mailsystem 2025-07-12 11:10:26 +02:00
Christoph
d811cbfbd1 Backup 'BAK/install_update_dovecot.sh' bevor uploading a new one. 2025-07-12 11:10:17 +02:00
Christoph
5eebd200f4 install_update_dovecot.sh: some minor changes. 2025-07-12 11:07:57 +02:00
Christoph
14ae5a3ebf install_postfix_advanced.sh: workarround for error: the query to zen.spamhaus.org was blocked due to usage of an open resolver. 2025-05-15 02:59:51 +02:00
Christoph
e24fb4cad3 install_postfix_advanced.sh: fix error in creating master.cf (+policy-spf). 2025-05-14 11:18:56 +02:00
Christoph
cc06fe5cfa install_amavis.sh: fix errors in if statements: replace ':' with ';'. 2025-05-14 10:26:50 +02:00
Christoph
4442c6230e install_postfix_advanced.s - policyd-spf h: increase 'void lookup limit'fro '2' to '5'. 2025-04-29 17:09:27 +02:00
Christoph
3f141499dc install_postfix_base.sh: update file 'sasl_passwd' instead ao renewing it. 2025-03-12 14:43:41 +01:00
Christoph
9b12e32853 install_amavis.sh: Moving SPAM policies into an external file. 2025-03-03 17:57:22 +01:00
Christoph
894ff4eced install_opendmarc.sh: adjust configuration file. 2025-03-03 15:42:04 +01:00
Christoph
99b1205d1b install_opendkim.sh: adjust configuration file. 2025-03-03 15:41:40 +01:00
Christoph
ae2b6540af install_postfix_advanced.sh: add support for postfix-policyd-spf-python . 2025-03-02 02:17:25 +01:00
Christoph
6cc1848e45 install_opendkim.sh: Add an Authentication-Results: header field. 2025-02-26 12:26:19 +01:00
Christoph
07231ac1c7 install_postfix_advanced.sh: ix.dnsbl.manitu.net (also known as NixSpam) has been shutdown on 2025-01-16. 2025-02-14 14:29:14 +01:00
Christoph
7b6e4c36d0 install_amavis.sh,install_postfix_advanced.sh: support additional smtp port in case of relay host. 2025-01-27 18:50:01 +01:00
Christoph
ee41a335b1 install_postfix_base.sh: some really minor changes.. 2025-01-27 17:48:36 +01:00
Christoph
0b410ad6d8 install_postfix_base.sh: support relaying to non standard port (other than 25). 2025-01-27 17:02:08 +01:00
Christoph
aa092ea841 install_postfixadmin.sh: orioginal script now has the right charset (utf8). 2025-01-05 01:15:39 +01:00
Christoph
da6c7fca0e install_postfix_base.sh: fix error if IPv4 address is a loopback address (127.x). 2024-12-18 12:04:04 +01:00
root
f1f56f48f6 install_amavis.sh: fix error in if statement. 2024-10-01 17:27:21 +02:00
Christoph
765b16fd59 Merge branch 'master' of git.oopen.de:install/mailsystem 2024-10-01 00:21:35 +02:00
Christoph
6a34a5b74c README.test_mailprotocolls: add test of RSA based TLS connection. 2024-10-01 00:21:16 +02:00
Christoph
ad1d844b54 install_postfix_advanced.sh: some minor changes in writing 'main.cf'. 2024-10-01 00:20:04 +02:00
Christoph
aa38ae7d76 install_postfix_advanced.sh: some realy minor changes. 2024-09-30 17:55:26 +02:00
Christoph
f6482795c4 install_postfix_advanced.sh: get rid of trailling blanks. 2024-09-28 22:53:45 +02:00
root
361ccefd9a install_postfix_advanced.sh: adjust defaulr 'main.cf' file. 2024-09-26 17:44:21 +02:00
root
307c47d4a5 install_amavis.sh: adjust '_needed_packages_clamav'. 2024-09-26 16:19:25 +02:00
Christoph
8670eb3dba Merge branch 'master' of https://git.oopen.de/install/mailsystem 2024-09-18 23:10:34 +02:00
Christoph
8a66f11f49 install_postfix_advanced.sh: change comments for some tls parameters. 2024-09-18 23:05:30 +02:00
Christoph
1d78a7e4b3 Merge branch 'master' of https://git.oopen.de/install/mailsystem 2024-09-18 19:38:15 +02:00
Christoph
6c3c0c596b install_amavis.sh: fix error in adding SecuriteInfo signatures to freshclam.conf. 2024-09-18 19:37:54 +02:00
Christoph
b069fdac30 install_amavis.sh: SecuriteInfo was moved to ClamAV's Freshclam. Also get rid of trailling spaces. 2024-09-18 16:46:38 +02:00
Christoph
240dfbb54a install_postfix_advanced.sh, install_postfix_base.sh: adjust tls parameters of 'main.cf'. 2024-09-17 16:28:25 +02:00
10 changed files with 10811 additions and 729 deletions
Expand all files Collapse all files

4554
BAK/install_update_dovecot.sh.00 Executable file
View File

File diff suppressed because it is too large Load Diff

7
DOC/README.test_mailprotocolls
View File

@ -14,3 +14,10 @@ openssl s_client -crlf -starttls pop3 -connect localhost:110
openssl s_client -crlf -connect localhost:993
openssl s_client -crlf -starttls imap -connect localhost:143
# Test RSA based TLS connection
#
echo "quit" | openssl s_client -connect a.mx.oopen.de:25 -starttls smtp -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384
echo "quit" | openssl s_client -connect a.mx.oopen.de:25 -starttls smtp -tls1_2
echo "quit" | openssl s_client -connect a.mx.oopen.de:25 -starttls smtp

465
install_amavis.sh
View File

@ -118,7 +118,7 @@ DEFAULT_DB_IN_USE=false
DEFAULT_INSTALL_CLAMAV_UNOFFICIAL_SIGS=true
DEFAULT_MALWARE_PATROL_IN_USE=true
DEFAULT_MALWARE_PATROL_IN_USE=false
DEFAULT_MALWERE_PATROL_FREE=false
DEFAULT_MP_RECEIPT_NUMBER=106015125438
@ -207,15 +207,18 @@ _needed_packages_clamav="clamav \
clamav-freshclam \
libgmp-dev \
libgmp10"
if [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 10 ]] ; then
if [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -eq 10 ]] ; then
_needed_packages_clamav="$_needed_packages_clamav \
libclamunrar7"
elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 11 ]] ; then
elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -eq 11 ]] ; then
_needed_packages_clamav="$_needed_packages_clamav \
libclamunrar9"
elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 12 ]] ; then
elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -eq 12 ]] ; then
_needed_packages_clamav="$_needed_packages_clamav \
libclamunrar11"
else
_needed_packages_clamav="$_needed_packages_clamav \
libclamunrar13"
fi
_needed_decoders_amavis="
@ -413,6 +416,85 @@ else
done
fi
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Use SecuriteInfo Signatures (https://www.securiteinfo.com)?"
echo ""
echo "Note: You have to sign up for an account. For a free account thats here:"
echo " https://www.securiteinfo.com/clients/customers/signup"
echo ""
if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
echononl "Load SecuriteInfo Singatures (yes/no): "
else
if $_SECURITE_INFO_IN_USE ; then
echononl "Load SecuriteInfo Singatures [yes]: "
else
echononl "Load SecuriteInfo Singatures [no]: "
fi
fi
read _TMP_LOAD_SI
_TMP_LOAD_SI=${_TMP_LOAD_SI,,}
while [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; do
if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
echononl "Wrong entry! (yes/no): "
read _TMP_LOAD_SI
_TMP_LOAD_SI=${_TMP_LOAD_SI,,}
else
if [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; then
if [[ "X$_TMP_LOAD_SI" = "X" ]]; then
if $_SECURITE_INFO_IN_USE ; then
_TMP_LOAD_SI=yes
else
_TMP_LOAD_SI=no
fi
else
if $_SECURITE_INFO_IN_USE ; then
echononl "Wrong entry! [yes]: "
else
echononl "Wrong entry! [no]: "
fi
read _TMP_LOAD_SI
fi
fi
fi
done
if [[ "$_TMP_LOAD_SI" = "yes" ]] ; then
SECURITE_INFO_IN_USE=true
else
SECURITE_INFO_IN_USE=false
fi
if $SECURITE_INFO_IN_USE ; then
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert SecuriteInfo Authorisation Signature"
echo ""
echo ""
SI_AUTHORISATION_SIGNATURE=
if [[ -n "$_SI_AUTHORISATION_SIGNATURE" ]] ; then
while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
echononl "SecuriteInfo Authorisation Signature [$(echo ${_SI_AUTHORISATION_SIGNATURE:0:4})..$(echo ${_SI_AUTHORISATION_SIGNATURE: -4})]: "
read SI_AUTHORISATION_SIGNATURE
if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
SI_AUTHORISATION_SIGNATURE=$_SI_AUTHORISATION_SIGNATURE
fi
done
else
while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
echononl "SecuriteInfo Authorisation Signature: "
read SI_AUTHORISATION_SIGNATURE
if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mSecuriteInfo Authorisation Signature is reqired\033[m\n"
fi
done
fi
fi
echo ""
echo -e "\033[32m--\033[m"
echo ""
@ -586,84 +668,6 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
fi
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Load SecuriteInfo Signatures (https://www.securiteinfo.com)?"
echo ""
echo "Note: You have to sign up for an account. For a free account thats here:"
echo " https://www.securiteinfo.com/clients/customers/signup"
echo ""
if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
echononl "Load SecuriteInfo Singatures (yes/no): "
else
if $_SECURITE_INFO_IN_USE ; then
echononl "Load SecuriteInfo Singatures [yes]: "
else
echononl "Load SecuriteInfo Singatures [no]: "
fi
fi
read _TMP_LOAD_SI
_TMP_LOAD_SI=${_TMP_LOAD_SI,,}
while [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; do
if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
echononl "Wrong entry! (yes/no): "
read _TMP_LOAD_SI
_TMP_LOAD_SI=${_TMP_LOAD_SI,,}
else
if [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; then
if [[ "X$_TMP_LOAD_SI" = "X" ]]; then
if $_SECURITE_INFO_IN_USE ; then
_TMP_LOAD_SI=yes
else
_TMP_LOAD_SI=no
fi
else
if $_SECURITE_INFO_IN_USE ; then
echononl "Wrong entry! [yes]: "
else
echononl "Wrong entry! [no]: "
fi
read _TMP_LOAD_SI
fi
fi
fi
done
if [[ "$_TMP_LOAD_SI" = "yes" ]] ; then
SECURITE_INFO_IN_USE=true
else
SECURITE_INFO_IN_USE=false
fi
if $SECURITE_INFO_IN_USE ; then
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert SecuriteInfo Authorisation Signature"
echo ""
echo ""
SI_AUTHORISATION_SIGNATURE=
if [[ -n "$_SI_AUTHORISATION_SIGNATURE" ]] ; then
while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
echononl "SecuriteInfo Authorisation Signature [$(echo ${_SI_AUTHORISATION_SIGNATURE:0:4})..$(echo ${_SI_AUTHORISATION_SIGNATURE: -4})]: "
read SI_AUTHORISATION_SIGNATURE
if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
SI_AUTHORISATION_SIGNATURE=$_SI_AUTHORISATION_SIGNATURE
fi
done
else
while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
echononl "SecuriteInfo Authorisation Signature: "
read SI_AUTHORISATION_SIGNATURE
if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mSecuriteInfo Authorisation Signature is reqired\033[m\n"
fi
done
fi
fi
fi
@ -2961,7 +2965,7 @@ if $SECURITE_INFO_IN_USE ; then
if [[ -f "/etc/clamav/freshclam.conf" ]] ; then
_done=false
for signatur_database in $SI_SIGNATUR_DATABASES do
for signatur_database in $SI_SIGNATUR_DATABASES ; do
if ! $(grep -q -E "DatabaseCustomURL\s+https://www.securiteinfo.com.*${signatur_database}" "/etc/clamav/freshclam.conf" 2>/dev/null) ; then
@ -3550,9 +3554,16 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
# --------------------------------------
# --- Begin: User specific modifications
# --- Inserted by install-script "$(basename "$0")" at $(date +"%Y-%m-%d %H:%M")
# - SecuriteInfo
# -
# - SecuriteInfo signatures are now directly integrated into ClamAV's Freshclam.
# -
# - We therefore disable them here.
# -
securiteinfo_enabled="no"
EOF
if $MALWARE_PATROL_IN_USE || $SECURITE_INFO_IN_USE ; then
if $MALWARE_PATROL_IN_USE ; then
@ -3586,29 +3597,23 @@ EOF
error "$(cat $tmp_err_msg)"
fi
fi
fi # if $MALWARE_PATROL_IN_USE
if $SECURITE_INFO_IN_USE ; then
else
cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
# - SecuriteInfo
# - MalwarePatrol
# -
# - type: Gold
# - account: ckubu@oopen.de
# - signatur: abb4ec6..46b59a4e
# - Not in use
# -
# - - ALT -
# - type: professional
# - account: oo@oopen.de
# - signatur: b0b7e94d..0c2e3a89
# -
securiteinfo_authorisation_signature="$SI_AUTHORISATION_SIGNATURE"
malwarepatrol_enabled="no"
EOF
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
fi
fi # if $SECURITE_INFO_IN_USE
fi #if $MALWARE_PATROL_IN_USE || $SECURITE_INFO_IN_USE
fi #if $MALWARE_PATROL_IN_USE
cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
# - Disable Yara-Rule set, because (some?) pgp mails where blocked.
@ -4330,96 +4335,15 @@ read_hash(\%spam_lovers, '/etc/postfix/spam_lovers');
\$final_spam_destiny = D_BOUNCE;
#\$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)
\$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
\$sa_tag2_level_deflt = 5.1; # add 'spam detected' headers at that level
\$sa_kill_level_deflt = 10.31; # reject/bounce/discard/pass
##- Moved to file '/etc/amavis/policy_banks.conf'
## -
## - User / Domain specific settings
## - \$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
## - \$sa_tag2_level_deflt = 5.1; # add 'spam detected' headers at that level
## - \$sa_kill_level_deflt = 10.31; # reject/bounce/discard/pass
## -
do "/etc/amavis/policy_banks.conf"; # Externe Datei einbinden
## - Per-recipient mapping of tag2 levels to email addresses (tag2 level):
## -
## - Set directly:
## -
#\$sa_tag2_level_deflt = {
# # oopen.de
# 'oopen.de'=>'2.1',
# 'ckubu@oopen.de'=>'2.2',
# 'argus@oopen.de'=>'2.3',
# # k8h.de
# 'k8h.de'=>'6.5',
# # default
# '.'=>'5.1'
#};
## -
## - Read from file using @spam_tag2_level_maps
## -
## - default: @spam_tag2_level_maps = (\\\$sa_tag2_level_deflt);
## -
## - Example file '/etc/postfix/tag2_level_maps.dat'
## -
## - # oopen.de
## - oopen.de 2.1
## - ckubu@oopen.de 2.2
## - argus@oopen.de 2.3
## - [..]
## - # k8h.de
## - k8h.de 6.5
## - [..]
## - # default
## - . 5.1
## -
#@spam_tag2_level_maps = ( read_hash('/etc/postfix/tag2_level_maps.dat') );
## - Per-recipient mapping of kill levels to email addresses (kill level):
## -
## - Set directly
## -
#\$sa_kill_level_deflt = {
# 'ckubu@oopen.de'=>'1500.0',
# 'ckubu-adm@oopen.de'=>'1500.0',
# # default
# '.'=>'10.31'
#};
## -
## - Read from file using @spam_kill_level_maps
## -
## - default: @spam_kill_level_maps = (\\\$sa_kill_level_deflt);
## -
## - Example file '/etc/postfix/kill_level_maps.dat'
## -
## - # oopen.de
## - ckubu@oopen.de 1500.0
## - ckubu-adm@oopen.de 1500.0
## - [..]
## - # default
## - . 10.31
## -
#@spam_kill_level_maps = ( read_hash('/etc/postfix/kill_level_maps.dat') );
## - We will inform the sender about bouncing his mail with a DSN (Delivery
## - StatusNotification). That DSN message will no be send, if the spamvalue
## - exceeds the value of sa_dsn_cutoff_level
## -
#\$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
\$sa_dsn_cutoff_level = 20;
## - change the default server response if mail was blocked
## - because of spam.
## -
## - results in (is an example):
## - <ckubu@so36.net>: host 127.0.0.1[127.0.0.1] said: 554 5.7.0 Reject, Mailserver
## - at a.mx.oopen.de: identified as SPAM - (in reply to end of DATA command)
## -
%smtp_reason_by_ccat = (
CC_SPAM, "Mailserver at \$myhostname: identified as SPAM - %x"
);
\$sa_spam_subject_tag = undef;
#\$sa_spam_subject_tag = '***SPAM*** ';
## - QUARANTINE
@ -4667,6 +4591,153 @@ else
fi
## - Create File containing policy settings
## -
_config_policy_banks_file=/etc/amavis/policy_banks.conf
echononl " Create File \"${_config_policy_banks_file}\""
if [[ -f "${_config_policy_banks_file}" ]]; then
echo_skipped
else
cat << EOF > ${_config_policy_banks_file}
# Externe Richtliniendatei für amavisd
use strict;
# ---
# add spam info headers if at, or above that level
# ---
## - All recipients with identical the same setting:
## -
#\$sa_tag_level_deflt = 2.0;
## - Per-recipient mapping of tag2 levels to email addresses (tag2 level):
## -
## - Set directly:
## -
\$sa_tag_level_deflt = {
'oopen.de' => '-4.5',
# default
'.'=>'2.0'
};
## - Read from file using @spam_tag2_level_maps
## -
## - default: @spam_tag2_level_maps = (\$sa_tag2_level_deflt);
## -
## - Example file '/etc/postfix/tag2_level_maps.dat'
## -
## - # oopen.de
## - oopen.de 2.1
## - ckubu@oopen.de 2.2
## - argus@oopen.de 2.3
## - [..]
## - # k8h.de
## - k8h.de 6.5
## - [..]
## - # default
## - . 5.1
## -
#@spam_tag2_level_maps = ( read_hash('/etc/postfix/tag2_level_maps.dat') );
#\$sa_spam_subject_tag = '***SPAM*** '; # Spam-Betreff-Tag
\$sa_spam_subject_tag = undef;
# ---
# add 'spam detected' headers at that level
# ---
## - All recipients with identical the same setting:
## -
#\$sa_tag2_level_deflt = 5.1; # add 'spam detected' headers at that level
## - Per-recipient mapping of kill levels to email addresses (kill level):
## -
## - Set directly
## -
\$sa_tag2_level_deflt = {
'oopen.de' => '3.1',
'123comics.net' => '4.1',
'info@123comics.net' => '3.1',
# default
'.' => '5.1',
};
## - Read from file using @spam_kill_level_maps
## -
## - default: @spam_kill_level_maps = (\$sa_kill_level_deflt);
## -
## - Example file '/etc/postfix/kill_level_maps.dat'
## -
## - # oopen.de
## - ckubu@oopen.de 1500.0
## - ckubu-adm@oopen.de 1500.0
## - [..]
## - # default
## - . 10.31
## -
#@spam_kill_level_maps = ( read_hash('/etc/postfix/kill_level_maps.dat') );
# ---
# adding more detailed spam-related headers.
# ---
## - All recipients with identical the same setting:
## -
\$sa_tag3_level_deflt = 7.0; # threshold for sa_tag3_level_deflt
## - Note
## - Like 'sa_tag2_level_deflt' above per-recipient also possible
@sa_tag3_level_maps = (
['^Subject:', '\[HIGH-SPAM\] $&'], # Modify subject
['HEADER', 'X-High-Spam-Flag', 'YES'], # Add a custom header
);
# ---
# spam score threshold at which amavisd-new will reject (kill) an email.
# ---
## - All recipients with identical the same setting:
## -
\$sa_kill_level_deflt = 10.31; # reject/bounce/discard/pass
## - Note
## - Like 'sa_tag2_level_deflt' above per-recipient also possible
# ---
# The threshold for sending a delivery status notification (DSN) to the sender
# ---
## - We will inform the sender about bouncing his mail with a DSN (Delivery
## - StatusNotification). That DSN message will no be send, if the spamvalue
## - exceeds the value of sa_dsn_cutoff_level
## -
#\$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
\$sa_dsn_cutoff_level = 20;
#------------ Do not modify anything below this line -------------
1; # ensure a defined return
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
## - Configure syslogd matching the configuration od amavisd
## -
echononl " Configure syslogd matching the configuration of amavis"
@ -5029,6 +5100,12 @@ if grep -iq -E "^amavisfeed\s+" $postfix_master_cf > /dev/null 2>&1 ; then
else
amavisfeed_present=false
fi
if grep -iq -E "^[0-9]{2,5}\s+inet.*smtpd" $postfix_master_cf > /dev/null 2>&1 ; then
listen_on_additional_smtp_port=true
additional_smtp_port="$(grep -E "^[0-9]{2,5}\s+inet.*smtpd" /etc/postfix/master.cf | grep -o -E "^[0-9]{2,5}")"
else
listen_on_additional_smtp_port=false
fi
> $postfix_master_cf
while IFS='' read -r _line || [[ -n $_line ]] ; do
@ -5046,6 +5123,19 @@ EOF
EOF
fi
if ${listen_on_additional_smtp_port} ; then
cat >> $postfix_master_cf << EOF
${additional_smtp_port} inet n - y - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o content_filter=
EOF
if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
cat >> $postfix_master_cf << EOF
-o smtpd_sasl_auth_enable=no
EOF
fi
fi
if ! $submission_present && ! $smtps_present && ! $localhost_10025_present ; then
cat >> $postfix_master_cf << EOF
localhost:10025 inet n - y - - smtpd
@ -5300,6 +5390,13 @@ else
fi
fi
if ${listen_on_additional_smtp_port}; then
echo ""
warn "Please do not forget to allow incomming traffic on port \033[1m${additional_smtp_port}\033[m.
Check your firewall settings.."
fi
#fi # if $ommit ; then
# -------------------------------

22
install_opendkim.sh
View File

@ -189,6 +189,13 @@ else
cat <<EOF > $opendkim_conf_file 2> $log_file
# Datei $opendkim_conf_file
# Sets the "authserv-id" to use when generating the Authentication-Results:
# header field after verifying a message. The default is to use the name of
# the MTA processing the message. If the string "HOSTNAME" is provided, the
# name of the host running the filter (as returned by the gethostname(3)
# function) will be used.
AuthservID "DKIM check $(hostname -f)"
# OpenDKIM agiert als Mail Filter (= Milter) in den
# Modi signer (s) und verifier (v) und verwendet eine
# Socket-Datei zur Kommunikation (alternativ: lokaler Port)
@ -237,6 +244,21 @@ SignatureAlgorithm rsa-sha256
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
# Add an "Authentication-Results:" header field even to unsigned messages
# from domains with no "signs all" policy. The reported DKIM result will be
# "none" in such cases. Normally unsigned mail from non-strict domains does
# not cause the results header field to be added.
AlwaysAddARHeader yes
# Causes opendkim to fork and exits immediately, leaving the service running
# in the background. The default is "true".
Background yes
# Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
# default is 5. Ignored if not using an asynchronous resolver package. See
# also the NOTES section below.
DNSTimeout 5
EOF
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then

197
install_opendmarc.sh
View File

@ -23,7 +23,7 @@ opendmarc_socket_dir="${postfix_spool_dir}/opendmarc"
opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
config_file_name_value_parameters="
AuthservID|OpenDMARC
AuthservID|DMARC check $(hostname -f)
PidFile|/run/opendmarc/opendmarc.pid
RejectFailures|true
Syslog|true
@ -36,6 +36,7 @@ config_file_name_value_parameters="
FailureReports|false
AutoRestart|true
HistoryFile|/run/opendmarc/opendmarc.dat
SPFIgnoreResults|false
SPFSelfValidate|true
Socket|${opendmarc_socket_file}
"
@ -182,6 +183,200 @@ else
fi
# - Add 'IgnoreHosts' with default value to the original opendmarc.conf file
#
echononl " Add 'IgnoreHosts' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^IgnoreHosts\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Specifies the path to a file that contains a list of hostnames, IP addresses,
## and/or CIDR expressions identifying hosts whose SMTP connections are to be
## ignored by the filter. If not specified, defaults to "127.0.0.1" only.
#
IgnoreHosts 127.0.0.1
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'IgnoreAuthenticatedClients' with default value to the original opendmarc.conf file
#
_param="IgnoreAuthenticatedClients"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter. The default is "false".
#
IgnoreAuthenticatedClients false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
#
_param="IgnoreAuthenticatedClients"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter. The default is "false".
#
IgnoreAuthenticatedClients false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
#
_param="RequiredHeaders"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, the filter will ensure the header of the message conforms to the basic
## header field count restrictions laid out in RFC5322, Section 3.6. Messages
## failing this test are rejected without further processing. A From: field from
## which no domain name could be extracted will also be rejected.
#
RequiredHeaders false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'AutoRestart' with default value to the original opendmarc.conf file
#
_param="AutoRestart"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Automatically re-start on failures. Use with caution; if the filter fails
## instantly after it starts, this can cause a tight fork(2) loop.
#
AutoRestart false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'HistoryFile' with default value to the original opendmarc.conf file
#
_param="HistoryFile"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, specifies the location of a text file to which records are written
## that can be used to generate DMARC aggregate reports. Records are batches of
## rows containing information about a single received message, and include all
## relevant information needed to generate a DMARC aggregate report. It is
## expected that this will not be used in its raw form, but rather periodically
## imported into a relational database from which the aggregate reports can be
## extracted using opendmarc-importstats(8).
#
HistoryFile /run/opendmarc/opendmarc.dat
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'SPFIgnoreResults' with default value to the original opendmarc.conf file
#
_param="SPFIgnoreResults"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Causes the filter to ignore any SPF results in the header of the message. This
## is useful if you want the filter to perform SPF checks itself, or because you
## don't trust the arriving header. The default is "false".
#
SPFIgnoreResults false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'SPFSelfValidate' with default value to the original opendmarc.conf file
#
_param="SPFSelfValidate"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Causes the filter to perform a fallback SPF check itself when it can find no
## SPF results in the message header. If SPFIgnoreResults is also set, it never
## looks for SPF results in headers and always performs the SPF check itself when
## this is set. The default is "false".
#
SPFSelfValidate false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Save configuration file from distribution
# -
echononl " Save configuration file from distribution"

563
install_postfix_advanced.sh
View File

@ -125,9 +125,12 @@ trap clean_up SIGHUP SIGINT SIGTERM
# -
DEFAULT_ADMIN_EMAIL="argus@oopen.de"
DEFAULT_IS_RELAY_HOST=false
DEFAULT_ADDITIONAL_RELAY_PORT=2525
DEFAULT_IS_SYMPA_LIST_SERVER=no
DEFAULT_SASL_AUTH_ENABLED=no
DEFAULT_LISTEN_ON_ADDITIONAL_RELAY_PORT=false
# - Is this a systemd system?
# -
@ -167,6 +170,10 @@ else
_IS_RELAY_HOST="$_RELAY_HOST"
fi
if [[ -z "$_LISTEN_ON_ADDITIONAL_RELAY_PORT" ]] ; then
_LISTEN_ON_ADDITIONAL_RELAY_PORT=${DEFAULT_LISTEN_ON_ADDITIONAL_RELAY_PORT}
fi
echo ""
echo ""
echo ""
@ -394,6 +401,42 @@ if $IS_RELAY_HOST ; then
done
fi
ADDITIONAL_RELAY_LISTEN_PORT=
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Should this mail relay server listen on an additional port?"
echo ""
if [[ -n "$_ADDITIONAL_RELAY_LISTEN_PORT" ]]; then
echo "Type:"
echo -e "\t\033[33mNone\033[m for no additional listen port."
else
echo "Type:"
echo -e "\t\033[33mNone\033[m or lrave empty for no additional listen port."
fi
echo ""
if [[ -n "$_ADDITIONAL_RELAY_LISTEN_PORT" ]]; then
echononl "additional listen port [${_ADDITIONAL_RELAY_LISTEN_PORT}]: "
read ADDITIONAL_RELAY_LISTEN_PORT
if [[ "X${ADDITIONAL_RELAY_LISTEN_PORT}" = "X" ]]; then
ADDITIONAL_RELAY_LISTEN_PORT=$_ADDITIONAL_RELAY_LISTEN_PORT
LISTEN_ON_ADDITIONAL_RELAY_PORT=true
fi
if [[ "${ADDITIONAL_RELAY_LISTEN_PORT,,}" = "none" ]] ; then
ADDITIONAL_RELAY_LISTEN_PORT=""
LISTEN_ON_ADDITIONAL_RELAY_PORT=false
fi
else
echononl "additional listen port: "
read ADDITIONAL_RELAY_LISTEN_PORT
if [[ "X${ADDITIONAL_RELAY_LISTEN_PORT}" = "X" ]] || [[ "${ADDITIONAL_RELAY_LISTEN_PORT,,}" = "none" ]]; then
ADDITIONAL_RELAY_LISTEN_PORT=""
LISTEN_ON_ADDITIONAL_RELAY_PORT=false
else
LISTEN_ON_ADDITIONAL_RELAY_PORT=true
fi
fi
else
IS_SYMPA_LIST_SERVER=false
@ -441,6 +484,11 @@ if $IS_RELAY_HOST ; then
echo -e "\tConfigure as sympa list server?...: \033[33m\033[1m$IS_SYMPA_LIST_SERVER\033[m"
echo ""
echo -e "\tSupport Cyrus SASL authentication.: $SASL_AUTH_ENABLED"
echo ""
echo -e "\tListen on an additional port?.......: \033[33m\033[1m${LISTEN_ON_ADDITIONAL_RELAY_PORT}\033[m"
if ${LISTEN_ON_ADDITIONAL_RELAY_PORT}; then
echo -e "\tAdditional Listen Port..............: ${ADDITIONAL_RELAY_LISTEN_PORT}"
fi
else
echo -e "\tConfigure as relay host?..........: $IS_RELAY_HOST"
echo -e "\tConfigure as complete mailserver..: \033[33m\033[1mtrue\033[m"
@ -464,7 +512,7 @@ _failed=false
echononl " Save Configuration"
cat << EOF > $conf_file
# ---
# - Parameter Settins Postfix Relay System
# - Parameter Settings Postfix Relay System
# ---
_HOSTNAME=$HOSTNAME
@ -480,7 +528,13 @@ if $IS_RELAY_HOST ; then
cat << EOF >> $conf_file
_SASL_AUTH_ENABLED=$SASL_AUTH_ENABLED
_SYMPA_LIST_SERVER=$IS_SYMPA_LIST_SERVER
_LISTEN_ON_ADDITIONAL_RELAY_PORT=${LISTEN_ON_ADDITIONAL_RELAY_PORT}
EOF
if ${LISTEN_ON_ADDITIONAL_RELAY_PORT} ; then
cat << EOF >> $conf_file
_ADDITIONAL_RELAY_LISTEN_PORT=${ADDITIONAL_RELAY_LISTEN_PORT}
EOF
fi
fi
if [[ $? -ne 0 ]]; then
_failed=true
@ -930,6 +984,120 @@ EOF
fi
# - Install SPF-Policy-Tools
# -
echononl " Install Postfix SPF-Policy-Tools 'postfix-policyd-spf-python'"
_pkg=postfix-policyd-spf-python
if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
echo_skipped
else
DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Backup existing configuration file for policyd-spf daemon
# -
_file="/etc/postfix-policyd-spf-python/policyd-spf.conf"
echononl " Backup configuration file '${_file}'."
if [[ -f "${_file}" ]]; then
cp -a "${_file}" "${_file}.${backup_date}" > /dev/null 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
echononl " Creeate new configuration '${_file}'.."
cat <<EOF > "${_file}"
# For a fully commented sample config file see policyd-spf.conf.commented
# Reject and deferred reason
Reason_Message = Message {rejectdefer} due to: {spf}.
# Amount of debugging information logged. 0 logs no debugging messages
# 5 includes all debug messages.
debugLevel = 1
# HELO check rejection policy. Options are:
# HELO_reject = SPF_Not_Pass (default) - Reject if result not Pass/None/Tempfail.
# HELO_reject = Softfail - Reject if result Softfail and Fail
# HELO_reject = Fail - Reject on HELO Fail
# HELO_reject = Null - Only reject HELO Fail for Null sender (SPF Classic)
# HELO_reject = False - Never reject/defer on HELO, append header only.
# HELO_reject = No_Check - Never check HELO.
HELO_reject = SPF_Not_Pass
# Mail From rejection policy. Options are:
# Mail_From_reject = SPF_Not_Pass - Reject if result not Pass/None/Tempfail.
# Mail_From_reject = Softfail - Reject if result Softfail and Fail
# Mail_From_reject = Fail - Reject on Mail From Fail (default)
# Mail_From_reject = False - Never reject/defer on Mail From, append header only
# Mail_From_reject = No_Check - Never check Mail From/Return Path.
#
# Dieser Parameter steuert, wie der SPF-Check auf Fehler bei der Überprüfung der
# MAIL FROM-Adresse reagiert. Ein Fehler tritt auf, wenn die IP-Adresse des sendenden
# Servers nicht den SPF-Einträgen der Domain in der MAIL FROM-Adresse entspricht.
#
Mail_From_reject = Fail
# Policy for rejecting due to SPF PermError. Options are:
# PermError_reject = True
# PermError_reject = False
#
# Wirkung: Dieser Parameter bestimmt, wie der SPF-Check auf permanente Fehler (PermError)
# reagiert. Ein permanenter Fehler tritt auf, wenn die SPF-DNS-Einträge ungültig oder
# fehlerhaft sind (z. B. syntaktische Fehler oder ungültige Mechanismen).
#
# Wenn PermError_reject auf True gesetzt ist, wird die E-Mail abgewiesen (rejected),
#
PermError_reject = True
# Policy for deferring messages due to SPF TempError. Options are:
# TempError_Defer = True
# TempError_Defer = False
#
# Wirkung: Dieser Parameter bestimmt das Verhalten bei temporären SPF-Fehlern (TempError).
# Ein temporärer Fehler tritt auf, wenn der SPF-Check aufgrund von vorübergehenden
# Problemen (z. B. DNS-Auflösungsfehler oder Netzwerkprobleme) nicht durchgeführt werden kann.
#
# Wenn TempError_Defer auf True gesetzt ist, wird die E-Mail vorübergehend zurückgewiesen
# (deferred), und der empfangende Server versucht später erneut, die E-Mail zuzustelle
#
TempError_Defer = Defer
# Type of header to insert to document SPF result. Can be Received-SPF (SPF)
# or Authentication Results (AR). It cannot be both.
# Examples: (default is Received-SPF):
# Header_Type = AR
# Header_Type = SPF
Header_Type = SPF
# Do not check SPF for localhost addresses - add to skip addresses to
# skip SPF for internal networks if desired. Defaults are standard IPv4 and
# IPv6 localhost addresses.
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
# RFC 7208 adds a new processing limit called "void lookup limit" (See section
# 4.6.4). Default is 2, but it can be adjusted.
Void_Limit = 5
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - Install Postfix Firewall Daemon from debian packages system
## -
echononl " Install Postfix Firewall Daemon from debian packages system"
@ -1747,38 +1915,157 @@ cat <<EOF >> /etc/postfix/main.cf
# ============ TLS parameters ============
## - supports DNSSEC
## -
## - !! Notice !!
## - In order to support DNSSEC and DANE your resolver MUST support
## - DNSSEC too.
## -
## - If your resolver does not support DNSSEC, install "unbound".
## -
# What mechanisms the Postfix SMTP client uses to look up a host's IP address.
# This parameter is ignored when DNS lookups are disabled (see: disable_dns_lookups
# and smtp_dns_support_level). The "dns" mechanism is always tried before "native"
# if both are listed.
#
# Specify one of the following:
#
# dns
# Hosts can be found in the DNS (preferred).
#
# native
# Use the native naming service only (nsswitch.conf, or equivalent mechanism).
#
# dns, native
# Use the native service for hosts not found in the DNS.
#
smtp_host_lookup = dns
# Level of DNS support in the Postfix SMTP client. With "smtp_dns_support_level"
# left at its empty default value, the legacy "disable_dns_lookups" parameter c
# ontrols whether DNS is enabled in the Postfix SMTP client, otherwise the l
# egacy parameter is ignored.
#
# Specify one of the following:
#
# disabled
# Disable DNS lookups. No MX lookups are performed and hostname to address lookups
# are unconditionally "native". This setting is not appropriate for hosts that
# deliver mail to the public Internet. Some obsolete how-to documents recommend
# disabling DNS lookups in some configurations with content_filters. This is no
# longer required and strongly discouraged.
#
# enabled
# Enable DNS lookups. Nexthop destination domains not enclosed in "[]" will be
# subject to MX lookups. If "dns" and "native" are included in the "smtp_host_lookup"
# parameter value, DNS will be queried first to resolve MX-host A records, followed by
# "native" lookups if no answer is found in DNS.
#
# dnssec
# Enable DNSSEC lookups. The "dnssec" setting differs from the "enabled" setting above
# in the following ways:
#
# - Any MX lookups will set RES_USE_DNSSEC and RES_USE_EDNS0 to request DNSSEC-validated
# responses. If the MX response is DNSSEC-validated the corresponding hostnames are
# considered validated.
#
# - The address lookups of validated hostnames are also validated, (provided of course
# "smtp_host_lookup" includes "dns", see below).
#
# - Temporary failures in DNSSEC-enabled hostname-to-address resolution block any
# "native" lookups. Additional "native" lookups only happen when DNSSEC lookups
# hard-fail (NODATA or NXDOMAIN).
#
# default: empty
#
# !! Notice !!
# In order to support DNSSEC and DANE your resolver MUST support
# DNSSEC too.
#
# If your resolver does not support DNSSEC, install "unbound".
#
smtp_dns_support_level = dnssec
## - Aktiviert TLS für den Mailempfang
## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - SMTP server, otherwise use plaintext
## -
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - "smtpd_tls_wrappermode = yes".
#smtpd_use_tls=yes
# The SMTP TLS security level for the Postfix SMTP server; when a non-empty value is
# specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls.
# This parameter is ignored with "smtpd_tls_wrappermode = yes".
#
# Specify one of the following security levels:
#
# none
# TLS will not be used.
#
# may
# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not
# require that clients use TLS encryption.
#
# encrypt
# Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and
# reject all plaintext commands except HELO, EHLO, XCLIENT, STARTTLS, NOOP, QUIT,
# and (Postfix ≥ 3.9) HELP. According to RFC 2487 this MUST NOT be applied in case
# of a publicly-referenced SMTP server. Instead, this should be used on dedicated
# servers, for example submission (port 587).
#
smtpd_tls_security_level=may
## - Aktiviert TLS für den Mailversand
## -
## - may:
## - Opportunistic TLS: announce STARTTLS support to SMTP clients,
## - but do not require that clients use TLS encryption.
# smtp_use_tls=yes
#smtp_tls_security_level=may
# The default SMTP TLS security level for the Postfix SMTP client. When a non-empty value
# is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls,
# and smtp_tls_enforce_peername; when no value is specified for smtp_tls_enforce_peername
# or the obsolete parameters, the default SMTP TLS security level is none.
#
# Specify one of the following security levels:
#
# none
# No TLS. TLS will not be used unless enabled for specific destinations
# via smtp_tls_policy_maps.
#
# may
# Opportunistic TLS. Use TLS if this is supported by the remote SMTP server, otherwise
# use plaintext; after a failed TLS handshake or TLS session, fall back to plaintext
# if the message has spent minimal_backoff_time in the mail queue. Since sending in the
# clear is acceptable, demanding stronger than default TLS security merely reduces
# interoperability. The "smtp_tls_ciphers" and "smtp_tls_protocols" (Postfix ≥ 2.6)
# configuration parameters provide control over the protocols and cipher grade used
# with opportunistic TLS. With earlier releases the opportunistic TLS cipher grade is
# always "export" and no protocols are disabled. When TLS handshakes fail, the
# connection is retried with TLS disabled. This allows mail delivery to sites with
# non-interoperable TLS implementations.
#
# encrypt
# Mandatory TLS encryption. Since a minimum level of security is intended, it is
# reasonable to be specific about sufficiently secure protocol versions and ciphers.
# At this security level and higher, the main.cf parameters smtp_tls_mandatory_protocols
# and smtp_tls_mandatory_ciphers specify the TLS protocols and minimum cipher grade
# which the administrator considers secure enough for mandatory encrypted sessions.
# This security level is not an appropriate default for systems delivering mail to the
# Internet.
#
# dane
# Opportunistic DANE TLS. At this security level, the TLS policy for the destination
# is obtained via DNSSEC. For TLSA policy to be in effect, the destination domain's
# containing DNS zone must be signed and the Postfix SMTP client's operating system
# must be configured to send its DNS queries to a recursive DNS nameserver that is
# able to validate the signed records. Each MX host's DNS zone should also be signed,
# and should publish DANE TLSA (RFC 7672) records that specify how that MX host's TLS
# certificate is to be verified. TLSA records do not preempt the normal SMTP MX host
# selection algorithm, if some MX hosts support TLSA and others do not, TLS security
# will vary from delivery to delivery.
#
# dane-only
# ...
#
# fingerprint
# ...
#
# verify
# ...
#
# secure
# ...
#
smtp_tls_security_level=dane
## - 0 Disable logging of TLS activity.
## - 1 Log TLS handshake and certificate information.
## - 2 Log levels during TLS negotiation.
@ -1791,6 +2078,7 @@ smtp_tls_loglevel = 1
smtpd_tls_cert_file = $_TLS_CERT_FILE
smtpd_tls_key_file = $_TLS_KEY_FILE
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
@ -1830,64 +2118,109 @@ smtp_tls_CAfile = $_TLS_CA_FILE
#smtpd_tls_CApath = /etc/postfix/certs
# Disable SSLv2 SSLv3 - Postfix SMTP server
# TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption.
# If the list is empty, the server supports all available TLS protocol versions.
#
# List of TLS protocols that the Postfix SMTP server will exclude or
# include with opportunistic TLS encryption.
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
# default: see 'postconf -d' output
#
# The SSL/TLS protocols accepted by the Postfix SMTP server
# with mandatory TLS encryption.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_protocols = >=TLSv1.1
# Disable SSLv2 SSLv3 - Postfix SMTP client
# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption.
#
# List of TLS protocols that the Postfix SMTP client will exclude or
# include with opportunistic TLS encryption.
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = >=TLSv1.1
# TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption.
#
# List of SSL/TLS protocols that the Postfix SMTP client will use
# with mandatory TLS encryption
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# default: see 'postconf -d' output
#
smtp_tls_protocols = >=TLSv1.2
# TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.
#
# default: see 'postconf -d' output
#
smtp_tls_mandatory_protocols = >=TLSv1.2
## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange
## - openssl > 1.0
## -
smtpd_tls_eecdh_grade = strong
# The Postfix SMTP server security grade for ephemeral elliptic-curve
# Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this
# parameter is always ignored, and Postfix behaves as though the auto value
# (described below) was chosen.
#
# auto
# Use the most preferred curve that is supported by both the client and the server.
# This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This
# is the default setting under the above conditions (and the only setting used with
# Postfix ≥ 3.6).
#
# none
# Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the
# default in Postfix versions 2.6 and 2.7.
#
# strong
# Use EECDH with approximately 128 bits of security at a reasonable computational cost.
# This is the default in Postfix versions 2.8-3.5.
#
# ultra
# Use EECDH with approximately 192 bits of security at computational cost that is
# approximately twice as high as 128 bit strength ECC.
#
#smtpd_tls_eecdh_grade = auto
# standard list cryptographic algorithm
# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead
# of the remote client's cipher preference order.
#
# By default, the OpenSSL server selects the client's most preferred cipher that the
# server supports. With SSLv3 and later, the server may choose its own most preferred
# cipher that is supported (offered) by the client.
#
# Setting "tls_preempt_cipherlist = yes" enables server cipher preferences.
#
# default: no
#
tls_preempt_cipherlist = yes
# Disable ciphers which are less than 256-bit:
# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory
# TLS encryption. The default grade ("medium") is sufficiently strong that any benefit
# from globally restricting TLS sessions to a more stringent grade is likely negligible,
# especially given the fact that many implementations still do not offer any stronger
# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers.
# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export"
# or "low" ciphers is typically not a good idea, as systems limited to just these are
# limited to obsolete browsers. No known SMTP clients fail to support at least one
# "medium" or "high" grade cipher.
#
#smtpd_tls_mandatory_ciphers = high
# default: medium
#
#smtpd_tls_mandatory_ciphers = medium
# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic
# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the
# base definition of the selected cipher grade.
#
# default: medium
#
# opportunistic
smtpd_tls_ciphers = high
# Exclude ciphers
# List of ciphers or cipher types to exclude from the SMTP server cipher list at all
# TLS security levels.
#
# DO NOT exclude ciphers unless it is essential to do so. This is not an OpenSSL cipherlist;
# it is a simple list separated by whitespace and/or commas. The elements are a single cipher,
# or one or more "+" separated cipher properties, in which case only ciphers matching all the
# properties are excluded.
#
#smtpd_tls_exclude_ciphers =
# RC4
# aNULL
# SEED-SHA
# EXP
# MD5
smtpd_tls_exclude_ciphers =
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CDC3-SHA
KRB5-DE5
CBC3-SHA
# Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher
# list at mandatory TLS security levels. This list works in addition to the exclusions listed
# with smtp_tls_exclude_ciphers
#
#smtp_tls_mandatory_exclude_ciphers =
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
@ -2279,6 +2612,20 @@ else
EOF
fi
if [[ -n "$(which policyd-spf)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# The time limit for delivery to '/usr/bin/policyd-spf'
#
# An entry in '/etc/postfix/master.cf' is needed:
#
# policyd-spf unix - n n - 0 spawn
# user=policyd-spf argv=/usr/bin/policyd-spf
#
policyd-spf_time_limit = 3600
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
@ -2307,7 +2654,7 @@ smtpd_client_restrictions =
permit_mynetworks,
# Whitelist clients
#
check_client_access btree:/etc/postfix/client_whitelist
check_client_access btree:/etc/postfix/client_whitelist,
# White- / Blacklisting
#
check_sender_access btree:/etc/postfix/access_sender,
@ -2331,11 +2678,16 @@ smtpd_client_restrictions =
# - reject_rbl_client: This is an IP-based blacklist. When the client IP address is backlisted,
# reject the email.
#
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client ix.dnsbl.manitu.net,
# reject_rhsbl_helo dbl.spamhaus.org,
# reject_rhsbl_reverse_client dbl.spamhaus.org,
# reject_rhsbl_sender dbl.spamhaus.org,
# reject_rbl_client zen.spamhaus.org,
#
reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99],
reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
reject_rbl_client zen.spamhaus.org=127.0.1.[2..99],
# Greylisting check
#
# check_policy_service inet:127.0.0.1:10023,
@ -2469,6 +2821,17 @@ smtpd_recipient_restrictions =
# managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
# for more details
reject_unverified_recipient,
EOF
if [[ -n "$(which policyd-spf)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# Check Postfix policy service ..
#
check_policy_service unix:private/policy-spf
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
# Policyd-Weight
#check_policy_service inet:127.0.0.1:12525,
# permit Backup MX
@ -2528,14 +2891,28 @@ smtpd_data_restrictions =
#
reject_unauth_pipelining
## ---
## - smtpd END OF ATA Restrictions
## ---
smtpd_end_of_data_restrictions =
EOF
if [[ -n "$(which postfwd)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# Check Postfix Firewall Daemon
#
check_policy_service inet:127.0.0.1:10040
EOF
else
cat <<EOF >> /etc/postfix/main.cf
if [[ -n "$(which opendkim)" ]] ; then
EOF
fi
if [[ -n "$(which opendkim)" ]] || [[ -n "$(which opendmarc)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# ======= Milter configuration =======
@ -2556,12 +2933,25 @@ milter_protocol = 6
# 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
# localhost:10025 section in master.cf: 'smtpd_milters='
#
#smtpd_milters = local:/opendkim/opendkim.sock
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
smtpd_milters =
EOF
fi
if [[ -n "$(which opendkim)" ]] ; then
if [[ -n "$(which opendmarc)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = local:/opendkim/opendkim.sock,local:/opendmarc/opendmarc.sock
EOF
else
cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = local:/opendkim/opendkim.sock
EOF
fi
elif [[ -n "$(which opendmarc)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = local:/opendmarc/opendmarc.sock
EOF
fi
echo_ok
@ -3349,6 +3739,12 @@ else
smtps_present=false
fi
if grep -iq -E "^policyd-spf\s+" $postfix_master_cf > /dev/null 2>&1 ; then
policyd_spf_present=true
else
policyd_spf_present=false
fi
_found=false
echononl " Create new file \"${postfix_master_cf}\""
if [[ -f "${postfix_master_cf}.$backup_date" ]]; then
@ -3379,6 +3775,10 @@ smtps inet n - y - - smtpd
#-o milter_macro_daemon_name=ORIGINATING
EOF
fi
elif $LISTEN_ON_ADDITIONAL_RELAY_PORT ; then
cat >> $postfix_master_cf << EOF
${ADDITIONAL_RELAY_LISTEN_PORT} inet n - y - - smtpd
EOF
fi
continue
fi
@ -3426,6 +3826,17 @@ EOF
done < "${postfix_master_cf}.$backup_date"
# - Add support for policyd-spf service
# -
if ! $(grep -iq -E "^policyd-spf\s+" "$postfix_master_cf" 2> /dev/null) ; then
cat <<EOF >> $postfix_master_cf
policy-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
EOF
fi
# - Add transport definitions for only sending over IPv4/IPv6
# -
if ! $(grep -iq -E "^smtp-ipv4-only\s+" "$postfix_master_cf" 2> /dev/null) ; then
@ -3673,6 +4084,14 @@ else
fi
fi
if ${LISTEN_ON_ADDITIONAL_RELAY_PORT} ; then
echo ""
warn "Please do not forget to allow incomming traffic on port \033[1m${ADDITIONAL_RELAY_LISTEN_PORT}\033[m.
Check your firewall settings.."
fi
if [[ -n "$(which amavisd-new)" ]] ; then
warn "You have to run \033[1minstall_amavis.sh\033[m script to continue the configuration."

210
install_postfix_base.sh
View File

@ -129,6 +129,7 @@ detect_os_1 () {
DEFAULT_ADMIN_EMAIL="argus@oopen.de"
DEFAULT_RELAY_HOST="b.mx.oopen.de"
DEFAULT_RELAY_PORT=25
DEFAULT_SASL_AUTH=false
DEFAULT_REWRITE_SENDER_DOMAIN=None
@ -340,11 +341,12 @@ fi
# --- Some further default values depending on sasl authentification
# -------------
# - Set default value for relay host if sasl authentification should be
# - supported and value for _RELAY_HOST not given
# - Set default value for relay host / relay port if sasl authentification should be
# - supported and value for _RELAY_HOST / _RELAY_PORT not given
# -
if [[ "$SASL_AUTH" = "yes" ]] || $SASL_AUTH ; then
[[ -z "$_RELAY_HOST" ]] && _RELAY_HOST="$DEFAULT_RELAY_HOST"
[[ -z "$_RELAY_PORT" ]] && _RELAY_PORT="$DEFAULT_RELAY_PORT"
fi
if [[ -z ${_REWRITE_SENDER_DOMAIN} ]] ; then
@ -415,6 +417,27 @@ if [[ "$SASL_AUTH" = "yes" ]] || $SASL_AUTH ; then
done
fi
RELAY_PORT=
echo ""
echo "Insert the target port to connect to ${RELAY_HOST}"
echo ""
if [[ -n "$_RELAY_PORT" ]];then
echononl "(target) Port on ${RELAY_HOST} [$_RELAY_PORT]: "
read RELAY_PORT
if [[ "X${RELAY_PORT}" = "X" ]]; then
RELAY_PORT=$_RELAY_PORT
fi
else
while [[ "X${RELAY_PORT}" = "X" ]]; do
echononl "(target) Port on ${RELAY_HOST}: "
read RELAY_PORT
if [[ "X${RELAY_PORT}" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mi(target) Port of ${RELAY_HOST} is reqired\033[m\n"
fi
done
fi
else
SASL_AUTH=false
fi
@ -467,6 +490,7 @@ if $SASL_AUTH ; then
echo -e "\t sasl user.............: $SASL_USER"
echo -e "\t sasl password.........: $SASL_PASS"
echo -e "\t Relayhost.............: $RELAY_HOST"
echo -e "\t Port on Relayhost.....: $RELAY_PORT"
fi
echo ""
echononl "einverstanden (yes/no): "
@ -498,6 +522,7 @@ _SASL_AUTH=$SASL_AUTH
_SASL_USER=$SASL_USER
_SASL_PASS=$SASL_PASS
_RELAY_HOST=$RELAY_HOST
_RELAY_PORT=$RELAY_PORT
_REWRITE_SENDER_DOMAIN=$REWRITE_SENDER_DOMAIN
EOF
if [[ $? -eq 0 ]] ; then
@ -674,13 +699,26 @@ mydestination =
## -
mynetworks =
127.0.0.0/8
EOF
if [[ ${IPV4} =~ ^127 ]] ; then
cat <<EOF >> /etc/postfix/main.cf
smtp_bind_address =
smtp_bind_address6 =
EOF
else
cat <<EOF >> /etc/postfix/main.cf
${IPV4}/32
smtp_bind_address = $IPV4
smtp_bind_address6 = $IPV6
#smtp_bind_address6 =
EOF
fi
fi
cat <<EOF >> /etc/postfix/main.cf
@ -788,9 +826,24 @@ smtp_sasl_auth_enable = yes
# Only offer SMTP AUTH when talking over an encrypted connection
smtpd_tls_auth_only = yes
EOF
if [[ ${RELAY_PORT} -ne 25 ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# Forwarding to the ip-adress of host b.mx.oopen.de
relayhost = [${RELAY_HOST}]:${RELAY_PORT}
EOF
else
cat <<EOF >> /etc/postfix/main.cf
# Forwarding to the ip-adress of host b.mx.oopen.de
relayhost = [${RELAY_HOST}]
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
# File including login data
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
@ -909,59 +962,103 @@ smtp_tls_CAfile = $_TLS_CA_FILE
#
# List of TLS protocols that the Postfix SMTP server will exclude or
# include with opportunistic TLS encryption.
smtpd_tls_protocols = !SSLv2, !SSLv3
#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
# TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption.
#
# The SSL/TLS protocols accepted by the Postfix SMTP server
# with mandatory TLS encryption.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
#smtpd_tls_protocols = >=TLSv1
# Disable SSLv2 SSLv3 - Postfix SMTP client
# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption.
#
# List of TLS protocols that the Postfix SMTP client will exclude or
# include with opportunistic TLS encryption.
smtp_tls_protocols = !SSLv2, !SSLv3
#smtpd_tls_mandatory_protocols = >=TLSv1
# TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption.
#
# List of SSL/TLS protocols that the Postfix SMTP client will use
# with mandatory TLS encryption
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
#smtp_tls_protocols = >=TLSv1
## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange
## - openssl > 1.0
## -
smtpd_tls_eecdh_grade = strong
# standard list cryptographic algorithm
tls_preempt_cipherlist = yes
# Disable ciphers which are less than 256-bit:
# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption.
#
#smtpd_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = >=TLSv1.2
# The Postfix SMTP server security grade for ephemeral elliptic-curve
# Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this
# parameter is always ignored, and Postfix behaves as though the auto value
# (described below) was chosen.
#
# opportunistic
smtpd_tls_ciphers = high
# auto
# Use the most preferred curve that is supported by both the client and the server.
# This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This
# is the default setting under the above conditions (and the only setting used with
# Postfix ≥ 3.6).
#
# none
# Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the
# default in Postfix versions 2.6 and 2.7.
#
# strong
# Use EECDH with approximately 128 bits of security at a reasonable computational cost.
# This is the default in Postfix versions 2.8-3.5.
#
# ultra
# Use EECDH with approximately 192 bits of security at computational cost that is
# approximately twice as high as 128 bit strength ECC.
#
smtpd_tls_eecdh_grade = auto
# Exclude ciphers
# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead
# of the remote client's cipher preference order.
#
# By default, the OpenSSL server selects the client's most preferred cipher that the
# server supports. With SSLv3 and later, the server may choose its own most preferred
# cipher that is supported (offered) by the client.
#
# Setting "tls_preempt_cipherlist = yes" enables server cipher preferences.
#
# default: no
#
#tls_preempt_cipherlist = no
# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory
# TLS encryption. The default grade ("medium") is sufficiently strong that any benefit
# from globally restricting TLS sessions to a more stringent grade is likely negligible,
# especially given the fact that many implementations still do not offer any stronger
# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers.
# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export"
# or "low" ciphers is typically not a good idea, as systems limited to just these are
# limited to obsolete browsers. No known SMTP clients fail to support at least one
# "medium" or "high" grade cipher.
#
# default: medium
#
#smtpd_tls_mandatory_ciphers = medium
# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic
# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the
# base definition of the selected cipher grade.
#
# default: medium
#
#smtpd_tls_ciphers = medium
# List of ciphers or cipher types to exclude from the SMTP server cipher list at all
# TLS security levels.
#
# DO NOT exclude ciphers unless it is essential to do so. This is not an OpenSSL cipherlist;
# it is a simple list separated by whitespace and/or commas. The elements are a single cipher,
# or one or more "+" separated cipher properties, in which case only ciphers matching all the
# properties are excluded.
#
#smtpd_tls_exclude_ciphers =
# RC4
# aNULL
# SEED-SHA
# EXP
# MD5
smtpd_tls_exclude_ciphers =
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CDC3-SHA
KRB5-DE5, CBC3-SHA
# Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher
# list at mandatory TLS security levels. This list works in addition to the exclusions listed
# with smtp_tls_exclude_ciphers
#
#smtp_tls_mandatory_exclude_ciphers =
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
@ -1006,8 +1103,21 @@ echo_ok
echononl " Configure SASL authentification"
if $SASL_AUTH ; then
_sasl_pw_file="/etc/postfix/sasl_passwd"
if [[ -f "${_sasl_pw_file}" ]] && $(grep -q -E "^\[${RELAY_HOST}\]" ${_sasl_pw_file} 2> /dev/null); then
sed -i "/^\[${RELAY_HOST}/d" ${_sasl_pw_file}
if [[ "$?" != "0" ]]; then
error "Setting \"/etc/postfix/sasl_passwd\" failed! "
_failed=true
fi
fi
_failed=false
echo "[$RELAY_HOST] ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" > /etc/postfix/sasl_passwd
if [[ ${RELAY_PORT} -ne 25 ]] ; then
echo "[$RELAY_HOST]:${RELAY_PORT} ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" >> /etc/postfix/sasl_passwd
else
echo "[$RELAY_HOST] ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" >> /etc/postfix/sasl_passwd
fi
if [[ "$?" != "0" ]]; then
error "Setting \"/etc/postfix/sasl_passwd\" failed! "
_failed=true
@ -1353,6 +1463,12 @@ else
fi
fi
if [[ ${RELAY_PORT} -ne 25 ]] ; then
echo ""
warn "Please do not forget to allow port \033[1m${RELAY_PORT}\033[m on both sides, outgoing
on this host here and incoming on the relay host '${RELAY_HOST}'."
fi
echo ""
clean_up 0

30
install_postfixadmin.sh
View File

@ -1842,23 +1842,25 @@ fi
# - Encoding does not work as exspected.
# -
# - Update: Encoding seems to works now
# -
# - NOTE:
# - this IS NOT a fix, but a workaround
# -
echononl "\tWorkaround, because encoding does not work as exspected."
# - Vacation script changed. Since Version 3.2 we need another perl regexp.
# - The old one was:
# - perl -i -n -p -e "s/(\s*\'ctype\'\s* =>\s*)\'text\/plain.*$/\1\'text\/plain; charset=iso-8859-1\',/" \
# -
perl -i -n -p -e "s/(\s*\'Content-Type\'\s* =>\s*)\"text\/plain.*$/\1\"text\/plain; charset=iso-8859-1\",/" \
/var/spool/vacation/vacation.pl > "$log_file" 2>&1
if [[ $? -eq 0 ]];then
echo_ok
info "This IS NOT a fix, but a workaround."
else
echo_failed
error "$(cat $log_file)"
fi
#echononl "\tWorkaround, because encoding does not work as exspected."
## - Vacation script changed. Since Version 3.2 we need another perl regexp.
## - The old one was:
## - perl -i -n -p -e "s/(\s*\'ctype\'\s* =>\s*)\'text\/plain.*$/\1\'text\/plain; charset=iso-8859-1\',/" \
## -
##perl -i -n -p -e "s/(\s*\'Content-Type\'\s* =>\s*)\"text\/plain.*$/\1\"text\/plain; charset=iso-8859-1\",/" \
## /var/spool/vacation/vacation.pl > "$log_file" 2>&1
#if [[ $? -eq 0 ]];then
# echo_ok
# info "This IS NOT a fix, but a workaround."
#else
# echo_failed
# error "$(cat $log_file)"
#fi
echononl "\tSet Permission on vacation script"
_failed=false

4621
install_update_dovecot-2.4.sh Executable file
View File

File diff suppressed because it is too large Load Diff

61
install_update_dovecot.sh
View File

@ -287,6 +287,9 @@ dovecot_main_version="$(echo $_version | cut -d '.' -f1,2)"
dovecot_major_version="$(echo $_version | cut -d '.' -f1)"
dovecot_minor_version="$(echo $_version | cut -d '.' -f2)"
dovecot_patch_level="$(echo $_version | cut -d '.' -f3)"
dovecot_minor_patch_level="$(echo $_version | cut -d '.' -f4)"
_version_short="${_version%-*}"
#echo ""
#echo "_version: $_version"
@ -294,7 +297,11 @@ dovecot_patch_level="$(echo $_version | cut -d '.' -f3)"
#echo "dovecot_major_version $dovecot_major_version"
#echo "dovecot_minor_version $dovecot_minor_version"
#echo "dovecot_patch_level $dovecot_patch_level"
#echo "dovecot_minor_patch_level $dovecot_minor_patch_level"
#echo ""
#
#clean_up 0
# 'expire plugin'was rRemoved in version 2.3.14: This plugin is not needed.
# Use mailbox { autoexpunge } Mailbox settings instead.
@ -710,6 +717,8 @@ fi
## - Download Pigeonhole for Dovecot v2.2
## -
if [[ ${dovecot_major_version} -eq 2 ]] && [[ ${dovecot_minor_version} -lt 4 ]] ; then
echononl "\tDownload dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
if [ ! -f "${_src_base_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz" ]; then
wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
@ -736,6 +745,44 @@ else
echo -e "$rc_skipped"
fi
dovecot_pigeonhole_archiv="dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz"
else
echononl "\tDownload dovecot-pigeonhole-${_pigeonhole}.tar.gz.."
if [ ! -f "${_src_base_dir}/dovecot-pigeonhole-${_pigeonhole}.tar.gz" ]; then
wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
if [ "$?" = 0 ]; then
echo -e "$rc_done"
dovecot_pigeonhole_archiv="dovecot-pigeonhole-${_pigeonhole}.tar.gz"
else
echo -e "$rc_failed"
error "Direct download of 'Pigeonhole Sieve and ManageSieve' source archiv failed
Download Pigeonhole Sieve and ManageSieve manually and name it to
\033[1mdovecot-pigeonhole-${_pigeonhole}.tar.gz\033[m\n"
echononl "\tProceed instllation [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/no]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
fi
else
echo -e "$rc_skipped"
fi
dovecot_pigeonhole_archiv="dovecot-pigeonhole-${_pigeonhole}.tar.gz"
fi
dovecot_pigeonhole_archiv_prefix="${dovecot_pigeonhole_archiv%.tar.gz}"
dovecot_pigeonhole_archiv_dir="${dovecot_pigeonhole_archiv%.tar.gz}"
if $_new ; then
@ -901,6 +948,7 @@ config_params="
--prefix=/usr/local/dovecot-${_version} \
--with-${db_driver} \
--with-gssapi=yes
--with-ldap=yes
--with-rundir=/run/dovecot"
if $systemd_support ; then
config_params="$config_params \
@ -1055,20 +1103,20 @@ fi
cd ${_src_base_dir}
echo ""
echononl "\tExtracting dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
gunzip < dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz | tar -xf -
gunzip < ${_src_base_dir}/${dovecot_pigeonhole_archiv} | tar -C ${_src_base_dir} -xf -
if [ "$?" = 0 ]; then
echo -e "$rc_done"
else
echo -e "$rc_failed"
fatal Extracting dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz failed
fatal Extracting ${dovecot_pigeonhole_archiv} failed
fi
cd dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}
cd ${dovecot_pigeonhole_archiv_dir}
echononl "\tConfigure Pigeonhole ManageSieve.."
./configure \
--prefix=/usr/local/dovecot-${_version} \
--with-dovecot=/usr/local/dovecot-${_version}/lib/dovecot > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-configure.log 2<&1
--with-dovecot=/usr/local/dovecot-${_version}/lib/dovecot > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-configure.log 2<&1
if [ "$?" = 0 ]; then
echo -e "$rc_done"
else
@ -1077,7 +1125,7 @@ else
fi
echononl "\tCompile Pigeonhole ManageSieve.."
make > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-make.log 2<&1
make > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-make.log 2<&1
if [ "$?" = 0 ]; then
echo -e "$rc_done"
else
@ -1086,7 +1134,7 @@ else
fi
echononl "\tInstall Pigeonhole ManageSieve.."
make install > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-install.log 2<&1
make install > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-install.log 2<&1
if [ "$?" = 0 ]; then
echo -e "$rc_done"
else
@ -1095,6 +1143,7 @@ else
fi
## -----------------
## --- Configure dovecot services