install/mailsystem
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: install:4360717cfe148014cbb62107a8a420d0681955fb
Branches Tags
install:master
...
compare: install:master
Branches Tags
install:master

36 Commits
4360717cfe ... master

Author SHA1 Message Date
Christoph
6d516ed25a install_postfix_advanced.sh: remove depredated parameter 'permit_mx_backup'. 2026-02-11 21:20:00 +01:00
Christoph
c6909c937d Merge branch 'master' of git.oopen.de:install/mailsystem 2026-02-11 21:17:33 +01:00
Christoph
9708c595c4 install_update_dovecot.conf.sample: fix parameter 'cert_base_dir'. 2026-02-11 21:16:37 +01:00
Christoph
9c52e54182 install_postfixadmin.sh: configuration file at version 4.x is 'config.local.php'. 2026-02-11 00:47:05 +01:00
Christoph
849cbfa2e4 install_postfixadmin.sh: some minor changes. 2026-02-10 23:58:58 +01:00
Christoph
0a51e44b93 install_amavis.sh: some minor changes.. 2026-02-10 15:27:39 +01:00
Christoph Kuchenbuch
16618f9949 install_opendmarc.sh: no opendmarc check on non_smtpd connections. 2026-02-10 15:02:05 +01:00
Christoph
b4b47d5a79 install_amavis.sh: keine milters auf localhost:10025. install_postfix_advanced.sh: kein OpenDmarc bei non_smtpd_milters. (DMARC ist eine Inbound-Policy-Prüfung, nicht sinnvoll für lokal/originating.) 2026-02-10 14:14:53 +01:00
Christoph
d1694bf3a4 install_postfix_advanced.sh: adjust '/etc/postfix/header_checks'. 2026-02-10 00:37:03 +01:00
Christoph
ee1e2d0b7e install_amavis.sh: add spamassassin rule for Null sender ( (Return-Path: <>). 2026-02-10 00:35:10 +01:00
Christoph
96a77260c3 Merge branch 'master' of https://git.oopen.de/install/mailsystem 2026-02-04 22:23:01 +01:00
Christoph
71be7f0754 install_update_dovecot.sh: relax/defuse systemd-hardening 2026-02-04 22:22:31 +01:00
Christoph
e82b464115 install_postfixadmin.sh: add support for versions 4.x 2026-02-04 21:08:22 +01:00
Christoph
7163b2dccf install_opendmarc.sh: fix errors in adjustin main.cf file. 2026-02-02 19:44:41 +01:00
Christoph
b39e6c8f22 install_opendkim.sh fix errors in adjustin main.cf file. 2026-02-02 19:44:20 +01:00
Christoph
119f0e172f install_postfix_advanced.sh: fix OpenDKIM/OpenDMARC handling. 2026-02-02 19:43:18 +01:00
Christoph
74702b3d41 install_update_dovecot-2.4.sh: change calculation of numbers of cpus. 2026-02-02 11:47:33 +01:00
Christoph
b32555f66c install_update_dovecot-2.4.sh: fix error writing (mysql) 'auth-sql.conf.ext' file. 2026-01-21 01:43:01 +01:00
Christoph
e3c2df0f3b README.install: a minor change. 2026-01-11 00:42:08 +01:00
Christoph
2f3e513f04 Merge branch 'master' of https://git.oopen.de/install/mailsystem 2026-01-10 14:46:44 +01:00
Christoph
876fae3364 install_postfixadmin.sh: dovecot changed quota: ist now determined directly from filesystem. this isn't supported ba postfixadmin - so disable quota view for mailboxes. 2026-01-10 14:46:11 +01:00
Christoph
3032337c7d Provide systemd.pc wrapper so pkg-config exposes systemdsystemunitdir. 2026-01-09 21:46:13 +01:00
Christoph
4240bc3b14 install_amavis.sh: remoce deprecated parameter disable_dns_lookups for transport 'amavisfeed'. 2026-01-08 13:55:22 +01:00
Christoph
14fc0b0578 Merge branch 'master' of git.oopen.de:install/mailsystem 2026-01-08 13:50:07 +01:00
Christoph
6a827cba44 install_postfix_advanced.sh,install_postfix_base.sh: comment deprecated parameter 'smtpd_tls_dh1024_param_file'. 2026-01-08 13:49:40 +01:00
Christoph
0ec563bb3c Merge branch 'master' of https://git.oopen.de/install/mailsystem 2026-01-07 01:59:52 +01:00
Christoph
027930ae6e install_opendmarc.sh: adjust writing milter directives to postfix's main.cf. 2026-01-07 01:59:36 +01:00
Christoph
20da412413 install_opendkim.sh: adjust writing milter directives to postfix's main.cf. 2026-01-07 01:59:22 +01:00
Christoph
e829868645 install_opendkim.sh: move FQHN from '/etc/opendkim/trusted'. 2026-01-07 01:53:46 +01:00
Christoph
5b853a26cb Backup old (Post-Queue setting) installation scripts. 2026-01-07 00:14:36 +01:00
Christoph
cd39cb98b8 install_amavis.sh: change to 'Post-Queue' setting. 2026-01-07 00:13:13 +01:00
Christoph
b09baa144c install_opendmarc.sh: forgot changing also master.cf. 2026-01-07 00:12:17 +01:00
Christoph
f0921f8669 install_opendkim.sh: forgot changing also master.cf. 2026-01-07 00:12:02 +01:00
Christoph
548c4015e8 Merge branch 'master' of https://git.oopen.de/install/mailsystem 2026-01-06 23:22:30 +01:00
Christoph
e91c9f1b04 install_opendmarc.sh: adjust konfiguration. 2026-01-06 23:21:58 +01:00
Christoph
4bb27992d8 install_opendkim.sh: adjust konfiguration. 2026-01-06 23:21:08 +01:00
15 changed files with 8204 additions and 455 deletions
Expand all files Collapse all files

5297
BAK/install_amavis.sh.Pre-Queue.00 Executable file
View File

File diff suppressed because it is too large Load Diff

684
BAK/install_opendkim.sh.Pre-Queue.00 Executable file
View File

@@ -0,0 +1,684 @@
#!/usr/bin/env bash
clear
echo -e "\n \033[32mStart Installation of OpenDKIM..\033[m"
# -------------
# - Settings
# -------------
#_src_base_dir="$(realpath $(dirname $0))"
#conf_file="${_src_base_dir}/conf/install_opendkim.conf"
log_file="$(mktemp)"
backup_date="$(date +%Y-%m-%d-%H%M)"
_opendkim_packages="opendkim opendkim-tools"
opendkim_base_dir="/etc/opendkim"
opendkim_key_dir="${opendkim_base_dir}/keys"
opendkim_conf_file="/etc/opendkim.conf"
postfix_spool_dir="/var/spool/postfix"
opendkim_socket_dir="${postfix_spool_dir}/opendkim"
opendkim_socket_file="${opendkim_socket_dir}/opendkim.sock"
postfix_needs_restart=false
opendkim_needs_restart=false
# -------------
# --- Some functions
# -------------
echononl(){
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
}
fatal(){
echo ""
echo -e "fatal error: $*"
echo ""
echo -e "\t\033[31m\033[1mInstalllation will be interrupted\033[m\033[m"
echo ""
exit 1
}
error(){
echo ""
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
echo ""
}
warn (){
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
echo ""
}
info (){
echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
echo ""
}
echo_done() {
echo -e "\033[80G[ \033[32mdone\033[m ]"
}
echo_ok() {
echo -e "\033[80G[ \033[32mok\033[m ]"
}
echo_warning() {
echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
echo -e "\033[80G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
echo -e "\033[80G[ \033[37mskipped\033[m ]"
}
# -------------
# - Some pre-installation tasks
# -------------
# - Is 'systemd' supported on this system
# -
SYSTEMD_EXISTS=false
systemd=$(which systemd)
systemctl=$(which systemctl)
if [[ -n "$systemd" ]] || [[ -n "$systemctl" ]] ; then
SYSTEMD_EXISTS=true
fi
# =============
# - Start Installation
# =============
echo ""
# - Synchronise package index files with the repository
# -
echononl " Synchronise package index files with the repository.."
apt-get update > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
# - Install OpenDKIM
# -
echononl " Install needed debian packages.."
opendkim_packages=""
packages_installed=false
for _pkg in $_opendkim_packages ; do
if aptitude search "$_pkg" | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
continue
else
opendkim_packages="$opendkim_packages $_pkg"
fi
done
if [[ -n "$opendkim_packages" ]]; then
DEBIAN_FRONTEND=noninteractive apt-get -y install $opendkim_packages > /dev/null 2> "$log_file"
packages_installed=true
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add user 'postfix' to group 'opendkim'
# -
echononl " Add user 'postfix' to group 'opendkim'.."
if grep opendkim /etc/group | grep -q postfix 2> /dev/null ; then
echo_skipped
else
adduser postfix opendkim > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Save configuration file from distribution
# -
echononl " Save configuration file from distribution"
if $packages_installed ; then
cp -a $opendkim_conf_file $opendkim_conf_file.ORIG 2> "$log_file"
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
echononl " Backup existing file '${opendkim_conf_file}'.."
if [[ -f "${opendkim_conf_file}" ]] ; then
mv "${opendkim_conf_file}" "${opendkim_conf_file}.${backup_date}"
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Create OpenDKIM configuration
# -
echononl " Create OpenDKIM configuration"
if [[ -f "$opendkim_conf_file" ]] \
&& grep -i -q -E "^\s*Socket\s+local:$opendkim_socket_file" "$opendkim_conf_file" \
&& grep -i -q -E "^\s*SigningTable.*${opendkim_base_dir}/signing.table" "$opendkim_conf_file" \
&& grep -i -q -E "^\s*KeyTable.*${opendkim_base_dir}/key.table" "$opendkim_conf_file" ; then
echo_skipped
warn "OpenDKIM seems already be configured."
else
cat <<EOF > $opendkim_conf_file 2> $log_file
# Datei $opendkim_conf_file
# Sets the "authserv-id" to use when generating the Authentication-Results:
# header field after verifying a message. The default is to use the name of
# the MTA processing the message. If the string "HOSTNAME" is provided, the
# name of the host running the filter (as returned by the gethostname(3)
# function) will be used.
AuthservID "DKIM check $(hostname -f)"
# OpenDKIM agiert als Mail Filter (= Milter) in den
# Modi signer (s) und verifier (v) und verwendet eine
# Socket-Datei zur Kommunikation (alternativ: lokaler Port)
Mode sv
# Socket local:/var/run/opendkim/opendkim.sock
# Socket local:$opendkim_socket_file
# Socket inet:12345@localhost
Socket local:$opendkim_socket_file
# OpenDKIM verwendet diesen Benutzer bzw.
# diese Gruppe
UserID opendkim:opendkim
UMask 002
PidFile /var/run/opendkim/opendkim.pid
# OpenDKIM bei Problemen neustarten,
# aber max. 10 mal pro Stunde
AutoRestart yes
AutoRestartRate 10/1h
# Logging (wenn alles funktioniert eventuell reduzieren)
Syslog yes
SyslogSuccess yes
LogWhy yes
# Verfahren, wie Header und Body durch
# OpenDKIM verarbeitet werden sollen.
Canonicalization relaxed/simple
# interne Mails nicht mit OpenDKIM verarbeiten
ExternalIgnoreList refile:${opendkim_base_dir}/trusted
InternalHosts refile:${opendkim_base_dir}/trusted
# welche Verschlüsselungs-Keys sollen für welche
# Domains verwendet werden
# (refile: für Dateien mit regulären Ausdrücke)
SigningTable refile:${opendkim_base_dir}/signing.table
KeyTable ${opendkim_base_dir}/key.table
# diesen Signatur-Algorithmus verwenden
SignatureAlgorithm rsa-sha256
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
# Add an "Authentication-Results:" header field even to unsigned messages
# from domains with no "signs all" policy. The reported DKIM result will be
# "none" in such cases. Normally unsigned mail from non-strict domains does
# not cause the results header field to be added.
AlwaysAddARHeader yes
# Causes opendkim to fork and exits immediately, leaving the service running
# in the background. The default is "true".
Background yes
# Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
# default is 5. Ignored if not using an asynchronous resolver package. See
# also the NOTES section below.
DNSTimeout 5
EOF
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Assign ownership to the opendkim user and restrict tthe
# - file permissions:
# -
echononl " Assign ownership and file permissions.."
chmod u=rw,go=r $opendkim_conf_file 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
# - Create the directories to hold OpenDKIMs data files, assign
# - ownership to the opendkim user, and restrict the file
# - permissions:
# -
echononl " Create directory '$opendkim_base_dir'"
if [[ -d "$opendkim_base_dir" ]] ; then
echo_skipped
else
opendkim_needs_restart=true
mkdir ${opendkim_base_dir} 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
echononl " Create directory '$opendkim_key_dir'"
if [[ -d "$opendkim_key_dir" ]] ; then
echo_skipped
else
opendkim_needs_restart=true
mkdir $opendkim_key_dir 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
echononl " Set ownership on directory '${opendkim_base_dir}' (recursive).."
chown -R opendkim:opendkim ${opendkim_base_dir} 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Set file-permission on $opendkim_key_dir"
chmod go-rw $opendkim_key_dir 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
# - Create empty files
# - ${opendkim_base_dir}/signing.table
# - ${opendkim_base_dir}/key.table
# -
echononl " Create empty file '${opendkim_base_dir}/signing.table'.."
if [[ -f "${opendkim_base_dir}/signing.table" ]] ; then
echo_skipped
else
touch ${opendkim_base_dir}/signing.table 2> $log_file
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
echononl " Create empty file '${opendkim_base_dir}/key.table'.."
if [[ -f "${opendkim_base_dir}/key.table" ]] ; then
echo_skipped
else
touch ${opendkim_base_dir}/key.table 2> $log_file
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Create the trusted hosts file ${opendkim_base_dir}/trusted.hosts.
# -
echononl " Create trusted hosts file '${opendkim_base_dir}/trusted'.."
if [[ -f "${opendkim_base_dir}/trusted" ]] ; then
echo_skipped
else
cat <<EOF > ${opendkim_base_dir}/trusted 2> $log_file
127.0.0.1
::1
localhost
$(hostname -f)
EOF
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Create the OpenDKIM socket directory in Postfixs work area
# - and make sure it has the correct ownership:
# -
echononl " Create the OpenDKIM socket directory in Postfixs work area.."
if [[ -d "${postfix_spool_dir}/opendkim" ]] ; then
echo_skipped
else
mkdir ${postfix_spool_dir}/opendkim 2> $log_file
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Set ownership on directory '${postfix_spool_dir}/opendkim'.."
chown opendkim:postfix ${postfix_spool_dir}/opendkim 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Edit /etc/default/opendkim
# -
# - Set:
# - SOCKET="local:${postfix_spool_dir}/opendkim/opendkim.sock"
# -
echononl " Set 'SOCKET' at file /etc/default/opendkim.."
if grep -q -E "^\s*SOCKET" /etc/default/opendkim 2>/dev/null ; then
if grep -q -E "^\s*SOCKET.*local:$opendkim_socket_file" /etc/default/opendkim 2>/dev/null ; then
echo_skipped
else
perl -i -n -p -e "s#^\s*SOCKET=.*#SOCKET=\"local:$opendkim_socket_file\"#" /etc/default/opendkim 2> $log_file
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
cat <<EOF >>/etc/default/opendkim 2> $log_file
SOCKET="local:$opendkim_socket_file"
EOF
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Edit /etc/postfix/main.cf and add a section to activate
# - processing of e-mail through the OpenDKIM daemon:
# -
backup_date="$(date +%Y-%m-%d-%H%M)"
echononl " Backup existing postfix configuration (main.cf).."
cp -a /etc/postfix/main.cf /etc/postfix/main.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Activate processing of e-mail through the OpenDKIM daemon.."
if grep -q -E "milter_default_action\s*=\s*accept" /etc/postfix/main.cf ; then
echo_skipped
warn "Postfix (main.cf) seems already be configured for milters"
echononl " Delete previosly saved Postfix configuration.."
rm /etc/postfix/main.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
# ======= Milter configuration =======
# OpenDKIM
milter_default_action = accept
# Postfix ≥ 2.6 milter_protocol = 6, Postfix ≤ 2.5 milter_protocol = 2
milter_protocol = 6
# Note:
# We will sign AFTER sending through AmaVIS, just befor sending out. So
# set 'smtpd_milters =' to an emty string here and add to localhost:10025
# section in master.cf: 'smtpd_milters=local:/opendkim/opendkim.sock'
#
# If you want sign mails before sending through AmaVIS, set
# 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
# localhost:10025 section in master.cf: 'smtpd_milters='
#
#smtpd_milters = local:/opendkim/opendkim.sock
smtpd_milters =
# Was sind non_smtpd_milters?
#
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
# der smtpd-Daemon sind.
#
# Das betrifft z. B.:
#
# cleanup Header/Content-Bereinigung
# qmgr Queue-Manager
# lmtp / smtp Auslieferung nach extern
# local lokale Zustellung
#
# Das sind z. B.:
#
# - interne Bounces (MAILER-DAEMON)
#
# - Cron-Mails vom Server
#
# - Weiterleitungen, die Postfix selbst generiert
#
# - Mails, die über sendmail CLI gesendet werden
#
# - Mails, die Amavis über LMTP zurückgibt
#
# - etc.
#
#
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
non_smtpd_milters = local:/opendkim/opendkim.sock
EOF
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Prevent Postfix from setting the DKIM Header twice (one befor
# - and one after processing amavis
# -
# - To disable milter processing after amavis, add to your master.cf in
# - the after-amavis section:
# - 127.0.0.1:10025 inet n - - - - smtpd
# - [...]
# - -o smtpd_milters=
# -
# - If you want to run the milter after amavis, set in main.cf
# - smtpd_milters=
# - to an empty string and add the smtpd_milters configuration to master.cf
# - (after-section amavis) instead:
# - -o smtpd_milters=local:/opendkim/opendkim.sock
# -
echononl " Backup file '/etc/postfix/master.cf'.."
cp -a /etc/postfix/master.cf /etc/postfix/master.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Adjust /etc/postfix/master.cf. Set DKIM after sending throuh AmaVIS.."
_found=false
_changed=false
tmp_master_file="/tmp/postfix_master.cf"
> $tmp_master_file
while IFS='' read -r _line || [[ -n $_line ]] ; do
if $_found && ! echo "$_line" | grep -i -q -E "^\s*-o" 2> /dev/null ; then
echo " -o smtpd_milters=local:/opendkim/opendkim.sock" >> "$tmp_master_file"
_changed=true
_found=false
fi
if $_found && echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*" ; then
_found=false
if ! echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*local:/opendkim/opendkim.sock\s*$" ; then
echo " -o smtpd_milters=local:/opendkim/opendkim.sock" >> "$tmp_master_file"
_changed=true
continue
fi
fi
if echo "$_line" | grep -i -q -E "^\s*(submission|smtps)\s+inet\s+" 2> /dev/null ; then
_found=true
fi
echo "$_line" >> "$tmp_master_file"
done < "/etc/postfix/master.cf"
if $_changed ; then
cp $tmp_master_file /etc/postfix/master.cf 2> $log_file
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
info "Postfix (master.cf) was not changed - seems already be configured right."
echononl " Delete previosly saved file '/etc/postfix/master.cf'.."
rm /etc/postfix/master.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
rm -f $tmp_master_file
echo ""
# - Restart OpenDKIM
# -
echononl " Restart OpenDKIM.."
if $opendkim_needs_restart ; then
if $SYSTEMD_EXISTS ; then
systemctl restart opendkim > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
/etc/init.d/opendkim restart > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
echo_skipped
fi
# - Restart Postfix so it starts using OpenDKIM when processing mail:
# -
echononl " Restart Postfix.."
if $postfix_needs_restart ; then
if $SYSTEMD_EXISTS ; then
systemctl restart postfix > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
/etc/init.d/postfix restart > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
echo_skipped
fi
echo ""
rm -f "$log_file"
exit 0

936
BAK/install_opendmarc.sh.Pre-Queue.00 Executable file
View File

@@ -0,0 +1,936 @@
#!/usr/bin/env bash
clear
echo -e "\n \033[32mStart Installation of OpenDMARC..\033[m"
overwrite_config_files=true
# -------------
# - Settings
# -------------
#_src_base_dir="$(realpath $(dirname $0))"
#conf_file="${_src_base_dir}/conf/install_opendmarc.conf"
_opendmarc_packages="opendmarc"
opendmarc_base_dir="/etc/opendmarc"
opendmarc_conf_file="/etc/opendmarc.conf"
postfix_spool_dir="/var/spool/postfix"
opendmarc_socket_dir="${postfix_spool_dir}/opendmarc"
opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
config_file_name_value_parameters="
AuthservID|$(hostname -f)
TrustedAuthservIDs|$(hostname -f)
PidFile|/run/opendmarc/opendmarc.pid
RejectFailures|true
Syslog|true
SyslogFacility|mail
IgnoreHosts|${opendmarc_base_dir}/ignore.hosts
IgnoreMailFrom|${opendmarc_base_dir}/ignore.mailfrom
IgnoreAuthenticatedClients|true
RequiredHeaders|false
UMask|002
FailureReports|false
AutoRestart|true
HistoryFile|/run/opendmarc/opendmarc.dat
SPFIgnoreResults|false
SPFSelfValidate|true
Socket|${opendmarc_socket_file}
"
declare -a config_file_name_value_parameter_arr=()
for _conf in $config_file_name_value_parameters ; do
config_file_name_value_parameter_arr+=("$_conf")
done
postfix_needs_restart=false
opendmarc_needs_restart=false
backup_date="$(date +%Y-%m-%d-%H%M)"
log_file="$(mktemp)"
# -------------
# --- Some functions
# -------------
echononl(){
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
}
fatal(){
echo ""
echo -e "fatal error: $*"
echo ""
echo -e "\t\033[31m\033[1mInstalllation will be interrupted\033[m\033[m"
echo ""
exit 1
}
error(){
echo ""
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
echo ""
}
warn (){
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
echo ""
}
info (){
echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
echo ""
}
echo_done() {
echo -e "\033[80G[ \033[32mdone\033[m ]"
}
echo_ok() {
echo -e "\033[80G[ \033[32mok\033[m ]"
}
echo_warning() {
echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
echo -e "\033[80G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
echo -e "\033[80G[ \033[37mskipped\033[m ]"
}
# -------------
# - Some pre-installation tasks
# -------------
# - Is 'systemd' supported on this system
# -
SYSTEMD_EXISTS=false
systemd=$(which systemd)
systemctl=$(which systemctl)
if [[ -n "$systemd" ]] || [[ -n "$systemctl" ]] ; then
SYSTEMD_EXISTS=true
fi
# =============
# - Start Installation
# =============
echo ""
# - Synchronise package index files with the repository
# -
echononl " Synchronise package index files with the repository.."
apt-get update > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
# - Install opendmarc
# -
echononl " Install needed debian packages.."
opendmarc_packages=""
packages_installed=false
for _pkg in $_opendmarc_packages ; do
if aptitude search "$_pkg" | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
continue
else
opendmarc_packages="$opendmarc_packages $_pkg"
fi
done
if [[ -n "$opendmarc_packages" ]]; then
DEBIAN_FRONTEND=noninteractive apt-get -y install $opendmarc_packages > /dev/null 2> "$log_file"
packages_installed=true
opendmarc_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add user 'postfix' to group 'opendmarc'
# -
echononl " Add user 'postfix' to group 'opendmarc'.."
if grep -E "^opendmarc" /etc/group | grep -q postfix 2> /dev/null ; then
echo_skipped
else
usermod -a -G opendmarc postfix > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Add 'IgnoreHosts' with default value to the original opendmarc.conf file
#
echononl " Add 'IgnoreHosts' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^IgnoreHosts\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Specifies the path to a file that contains a list of hostnames, IP addresses,
## and/or CIDR expressions identifying hosts whose SMTP connections are to be
## ignored by the filter. If not specified, defaults to "127.0.0.1" only.
#
IgnoreHosts 127.0.0.1
# Optional - auch nach Absender-Domain ignorieren:
IgnoreMailFrom ${opendmarc_base_dir}/ignore.mailfrom
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'IgnoreAuthenticatedClients' with default value to the original opendmarc.conf file
#
_param="IgnoreAuthenticatedClients"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter. The default is "false".
#
IgnoreAuthenticatedClients false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'TrustedAuthservIDs' with default value to the original opendmarc.conf file
#
_param="TrustedAuthservIDs"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
# Provides a list of authserv-ids that are to be used to identify Authentication-Results
# header fields whose contents are to be assumed as valid input for the DMARC assessment.
# To provide a list, separate values by commas. If the string "HOSTNAME" is provided,
# the name of the host running the filter (as returned by the gethostname(3) function)
# will be used. Matching against this list is case-insensitive. The default is to use the
# value of AuthservID.
#
TrustedAuthservIDs OpenDMARC
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
#
_param="IgnoreAuthenticatedClients"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter. The default is "false".
#
IgnoreAuthenticatedClients false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
#
_param="RequiredHeaders"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, the filter will ensure the header of the message conforms to the basic
## header field count restrictions laid out in RFC5322, Section 3.6. Messages
## failing this test are rejected without further processing. A From: field from
## which no domain name could be extracted will also be rejected.
#
RequiredHeaders false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'AutoRestart' with default value to the original opendmarc.conf file
#
_param="AutoRestart"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Automatically re-start on failures. Use with caution; if the filter fails
## instantly after it starts, this can cause a tight fork(2) loop.
#
AutoRestart false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'HistoryFile' with default value to the original opendmarc.conf file
#
_param="HistoryFile"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, specifies the location of a text file to which records are written
## that can be used to generate DMARC aggregate reports. Records are batches of
## rows containing information about a single received message, and include all
## relevant information needed to generate a DMARC aggregate report. It is
## expected that this will not be used in its raw form, but rather periodically
## imported into a relational database from which the aggregate reports can be
## extracted using opendmarc-importstats(8).
#
HistoryFile /run/opendmarc/opendmarc.dat
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'SPFIgnoreResults' with default value to the original opendmarc.conf file
#
_param="SPFIgnoreResults"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Causes the filter to ignore any SPF results in the header of the message. This
## is useful if you want the filter to perform SPF checks itself, or because you
## don't trust the arriving header. The default is "false".
#
SPFIgnoreResults false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'SPFSelfValidate' with default value to the original opendmarc.conf file
#
_param="SPFSelfValidate"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Causes the filter to perform a fallback SPF check itself when it can find no
## SPF results in the message header. If SPFIgnoreResults is also set, it never
## looks for SPF results in headers and always performs the SPF check itself when
## this is set. The default is "false".
#
SPFSelfValidate false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Save configuration file from distribution
# -
echononl " Save configuration file from distribution"
if [[ -f "${opendmarc_conf_file}.ORIG" ]] ; then
echo_skipped
else
cp -a $opendmarc_conf_file $opendmarc_conf_file.ORIG 2> "$log_file"
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
for _val in "${config_file_name_value_parameter_arr[@]}" ; do
IFS='|' read -a _val_arr <<< "${_val}"
echononl " $opendmarc_conf_file: ${_val_arr[0]} -> ${_val_arr[1]}.."
if $(grep -E -q "^\s*${_val_arr[0]}\s+${_val_arr[1]}\s*$" $opendmarc_conf_file 2> /dev/null) ; then
echo_skipped
elif $(grep -E -q "^\s*#\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null); then
perl -i -n -p -e "s&^(\s*#\s*${_val_arr[0]}.*)&\1\n${_val_arr[0]} ${_val_arr[1]}&" $opendmarc_conf_file > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
opendmarc_needs_restart=true
else
echo_failed
error "$(cat $log_file)"
fi
elif $(grep -E -q "^\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null) ; then
perl -i -n -p -e "s#^(\s*${_val_arr[0]}.*)#\#\1\n${_val_arr[0]} ${_val_arr[1]}#" $opendmarc_conf_file > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
opendmarc_needs_restart=true
else
echo_failed
error "$(cat $log_file)"
fi
else
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
${_val_arr[0]} ${_val_arr[1]}
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
opendmarc_needs_restart=true
else
echo_failed
error "$(cat $log_file)"
fi
fi
done
# - Assign ownership to the opendmarc user and restrict tthe
# - file permissions:
# -
echononl " Assign file permissions to '$opendmarc_conf_file'.."
chmod u=rw,go=r $opendmarc_conf_file 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
# - Create the directories to hold opendmarc's data files, assign
# - ownership to the opendmarc user, and restrict the file
# - permissions:
# -
echononl " Create directory '$opendmarc_base_dir'"
if [[ -d "$opendmarc_base_dir" ]] ; then
echo_skipped
else
opendmarc_needs_restart=true
mkdir ${opendmarc_base_dir} 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
echononl " Set ownership on directory '${opendmarc_base_dir}' (recursive).."
chown -R opendmarc:opendmarc ${opendmarc_base_dir} 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Backup existing file '${opendmarc_base_dir}/ignore.hosts'.."
if [[ -f "${opendmarc_base_dir}/ignore.hosts" ]] ; then
mv "${opendmarc_base_dir}/ignore.hosts" "${opendmarc_base_dir}/ignore.hosts.${backup_date}"
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Create the file ${opendmarc_base_dir}/ignore.hosts
# -
echononl " Create file '${opendmarc_base_dir}/ignore.hosts'.."
if [[ -f "${opendmarc_base_dir}/ignore.hosts" ]] ; then
echo_skipped
else
cat <<EOF > ${opendmarc_base_dir}/ignore.hosts 2> $log_file
# /etc/opendmarc/ignore.hosts
#
# Aktuell hat OpenDMARC seinen Milter nur am Dienst
# 'localhost:10025' hängen. Dort ist der Client
# immer 127.0.0.1, nicht die externe Gegenstelle.
#
# Deshalb macht es in diesem Setup keinen Sinn,
# hier IP-Adressen von externen Diensten (CRSend etc.)
# einzutragen sie würden nie matchen.
#
# WICHTIG:
# - KEIN 127.0.0.1
# - KEIN localhost
# - KEIN ::1
#
# Eintrag dieser Adressen würde DMARC komplett deaktivieren.
#
# ==> Datei bleibt absichtlich leer.
EOF
opendmarc_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Create the file ${opendmarc_base_dir}/ignore.hosts
# -
echononl " Backup existing file '${opendmarc_base_dir}/ignore.mailfrom'.."
if [[ -f "${opendmarc_base_dir}/ignore.mailfrom" ]] ; then
mv "${opendmarc_base_dir}/ignore.mailfrom" "${opendmarc_base_dir}/ignore.mailfrom.${backup_date}"
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
echononl " Create file '${opendmarc_base_dir}/ignore.mailfrom'.."
if [[ -f "${opendmarc_base_dir}/ignore.mailfrom" ]] ; then
echo_skipped
else
cat <<EOF > ${opendmarc_base_dir}/ignore.mailfrom 2> $log_file
# /etc/opendmarc/ignore.mailfrom
#
# Hier könnte man Absender-Domains von der DMARC-Prüfung
# ausnehmen (z. B. problematische Partner-Domains).
#
# Aktuell ist das für dein Setup nicht notwendig.
#
# Beispiele (NICHT aktiv!):
# @example.org
# example.org
#
# ==> Datei bleibt absichtlich leer.
EOF
opendmarc_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Edit /etc/default/opendmarc
# -
# - Set:
# - SOCKET="local:${postfix_spool_dir}/opendmarc/opendmarc.sock"
# -
echononl " Set 'SOCKET' at file /etc/default/opendmarc.."
if grep -q -E "^\s*SOCKET" /etc/default/opendmarc 2>/dev/null ; then
if grep -q -E "^\s*SOCKET\s*=\s*\"*local:$opendmarc_socket_file" /etc/default/opendmarc 2>/dev/null ; then
echo_skipped
else
perl -i -n -p -e "s#^\s*SOCKET=.*#SOCKET=\"local:$opendmarc_socket_file\"#" /etc/default/opendmarc 2> $log_file
opendmarc_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
cat <<EOF >>/etc/default/opendmarc 2> $log_file
SOCKET="local:$opendmarc_socket_file"
EOF
opendmarc_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Create the opendmarc socket directory in Postfixs work area
# - and make sure it has the correct ownership:
# -
echononl " Create the opendmarc socket directory in Postfix's work area.."
if [[ -d "${postfix_spool_dir}/opendmarc" ]] ; then
echo_skipped
else
mkdir ${postfix_spool_dir}/opendmarc 2> $log_file
opendmarc_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Set ownership on directory '${postfix_spool_dir}/opendmarc'.."
chown opendmarc:postfix ${postfix_spool_dir}/opendmarc 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Edit /etc/postfix/main.cf and add a section to activate
# - processing of e-mail through the opendmarc daemon:
# -
echononl " Backup existing postfix configuration (main.cf).."
cp -a /etc/postfix/main.cf /etc/postfix/main.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Set Variable non_smtpd_milters at '/etc/postfix/main.cf'.."
if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then
if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then
echo_skipped
else
perl -i -n -p -e "s&^\s*(non_smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \
/etc/postfix/main.cf > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
postfix_needs_restart=true
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
echo_skipped
warn "Postfix is not adjusted. Complete Postfix configuration (main.cf) manually\!"
fi
echo ""
# - Edit /etc/postfix/main.cf and add a section to activate
# - processing of e-mail through the OpenDKIM daemon:
# -
backup_date="$(date +%Y-%m-%d-%H%M)"
echononl " Backup existing postfix configuration (main.cf).."
cp -a /etc/postfix/main.cf /etc/postfix/main.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Activate processing of e-mail through the OpenDKIM daemon.."
if grep -q -E "milter_default_action\s*=\s*accept" /etc/postfix/main.cf ; then
echo_skipped
info "Postfix (main.cf) was not changed - seems already be configured right."
echononl " Delete previosly saved Postfix configuration.."
rm /etc/postfix/main.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
# ======= Milter configuration =======
# OpenDKIM
milter_default_action = accept
# Postfix ≥ 2.6 milter_protocol = 6, Postfix ≤ 2.5 milter_protocol = 2
milter_protocol = 6
# Note:
# We will sign AFTER sending through AmaVIS, just befor sending out. So
# set 'smtpd_milters =' to an emty string here and add to localhost:10025
# section in master.cf: 'smtpd_milters=local:/opendkim/opendkim.sock'
#
# If you want sign mails before sending through AmaVIS, set
# 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
# localhost:10025 section in master.cf: 'smtpd_milters='
#
#smtpd_milters = local:/opendkim/opendkim.sock
smtpd_milters =
# Was sind non_smtpd_milters?
#
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
# der smtpd-Daemon sind.
#
# Das betrifft z. B.:
#
# cleanup Header/Content-Bereinigung
# qmgr Queue-Manager
# lmtp / smtp Auslieferung nach extern
# local lokale Zustellung
#
# Das sind z. B.:
#
# - interne Bounces (MAILER-DAEMON)
#
# - Cron-Mails vom Server
#
# - Weiterleitungen, die Postfix selbst generiert
#
# - Mails, die über sendmail CLI gesendet werden
#
# - Mails, die Amavis über LMTP zurückgibt
#
# - etc.
#
#
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
non_smtpd_milters = local:/opendkim/opendkim.sock
EOF
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
echo ""
# - Prevent Postfix from setting the DMARC Header twice (one befor
# - and one after processing amavis
# -
# - To disable milter processing after amavis, add to your master.cf in
# - the after-amavis section:
# - 127.0.0.1:10025 inet n - - - - smtpd
# - [...]
# - -o smtpd_milters=
# -
# - If you want to run the milter after amavis, set in main.cf
# - smtpd_milters=
# - to an empty string and add the smtpd_milters configuration to master.cf
# - (after-section amavis) instead:
# - -o smtpd_milters=local:/opendmarc/opendmarc.sock
# -
echononl " Backup file '/etc/postfix/master.cf'.."
cp -a /etc/postfix/master.cf /etc/postfix/master.cf.${backup_date} 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Adjust /etc/postfix/master.cf. Set DMARC after sending throuh AmaVIS.."
_found=false
_changed=false
tmp_master_file="/tmp/postfix_master.cf"
> $tmp_master_file
while IFS='' read -r _line || [[ -n $_line ]] ; do
if $_found && ! echo "$_line" | grep -i -q -E "^\s*-o" 2> /dev/null ; then
echo " -o smtpd_milters=local:/opendmarc/opendmarc.sock" >> "$tmp_master_file"
_changed=true
_found=false
fi
if $_found && echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*" ; then
_found=false
if ! echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*local:/opendmarc/opendmarc.sock\s*$" ; then
echo " -o smtpd_milters=local:/opendmarc/opendmarc.sock" >> "$tmp_master_file"
_changed=true
continue
fi
fi
if echo "$_line" | grep -i -q -E "^\s*(localhost|127.0.0.1):10025\s+inet\s+" 2> /dev/null ; then
_found=true
fi
echo "$_line" >> "$tmp_master_file"
done < "/etc/postfix/master.cf"
if $_changed ; then
cp $tmp_master_file /etc/postfix/master.cf 2> $log_file
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
info "Postfix (master.cf) was not changed - seems already be configured right."
echononl " Delete previosly saved file '/etc/postfix/master.cf'.."
rm /etc/postfix/master.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
rm -f $tmp_master_file
echo ""
echononl " Enable OpenDMARC Service"
if $SYSTEMD_EXISTS ; then
systemctl enable opendmarc > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
warn "Maybe OpenDMARC Service is not enabled, because its an old non-systemd os.."
fi
# - Restart opendmarc
# -
echononl " Restart opendmarc.."
if $opendmarc_needs_restart ; then
if $SYSTEMD_EXISTS ; then
systemctl restart opendmarc > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
/etc/init.d/opendmarc restart > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
echo_skipped
fi
# - Restart Postfix so it starts using opendmarc when processing mail:
# -
echononl " Restart Postfix.."
if $postfix_needs_restart ; then
if $SYSTEMD_EXISTS ; then
systemctl restart postfix > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
/etc/init.d/postfix restart > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
echo_skipped
fi
echo ""
rm -f "$log_file"
exit 0

36
DOC/DMARC_Rejections_SOP.md Normal file
View File

@@ -0,0 +1,36 @@
# Analyse und Begründung von DMARC-Rejects
## (Postfix + OpenDMARC 1.4.2)
### 1. Zweck
Diese SOP beschreibt, wie DMARC-Rejects auf dem Mailserver revisionssicher analysiert und begründet werden, ohne die betroffene E-Mail anzunehmen oder erneut senden zu lassen.
### 2. Systemkontext
- MTA: Postfix
- DMARC-Filter: OpenDMARC 1.4.2
- SPF-Prüfung: policyd-spf
- DKIM-Prüfung: OpenDKIM
- Entscheidungspunkt: SMTP END-OF-MESSAGE
### 3. Grundprinzip
OpenDMARC loggt nur das Endergebnis der DMARC-Evaluation, nicht die Detailursachen. Die Ursache eines Rejects wird durch Log-Korrelation ermittelt.
### 4. Relevante Logquellen
- Postfix (SMTP-Rejects)
- policyd-spf (SPF-Ergebnis, identity)
- OpenDMARC (pass/fail/none pro Domain)
### 5. Entscheidungslogik
DMARC besteht nur, wenn mindestens ein Mechanismus DMARC-konform erfolgreich ist:
- SPF(mailfrom) aligned
- DKIM valid + aligned
SPF über HELO ist für DMARC nicht verwertbar.
### 6. Ableitungsregel
Wenn SPF nur über HELO erfolgreich war und DMARC fail meldet, muss DKIM fehlgeschlagen sein.
### 7. Revisionssichere Begründung
Die E-Mail wurde gemäß der DMARC-Policy der Absenderdomain abgelehnt, da keine DMARC-konforme Authentifizierung vorlag.
### 8. Referenzen
RFC 7489 (DMARC), RFC 7208 (SPF), RFC 6376 (DKIM)

BIN
DOC/DMARC_Rejections_SOP.pdf Normal file
View File

Binary file not shown.

2
README.install
View File

@@ -58,7 +58,7 @@
- create configuration file 'install_update_dovecot.conf' - create configuration file 'install_update_dovecot.conf'
cp -a conf install_update_dovecot.conf.sample install_update_dovecot.conf cp -a conf install_update_dovecot.conf.sample install_update_dovecot.conf
- adjust configuration file 'install_update_dovecot.conf' to your needs - adjust configuration file 'install_update_dovecot.conf' to your needs
- run script 'install_update_dovecot.sh' - run script 'install_update_dovecot-2.4.sh' # the old one was: 'install_update_dovecot.sh'
Note: Note:
Maybe you have to finish installing postfixadmin, i.e creating admin account(s). Maybe you have to finish installing postfixadmin, i.e creating admin account(s).

2
conf/install_update_dovecot.conf.sample
View File

@@ -145,7 +145,7 @@ dbhost=""
# - Cert/Key configurations # - Cert/Key configurations
# --- # ---
cert_base_dir="/etc/postfix/ssl" cert_base_dir="/etc/dovecot/ssl"
server_cert=${cert_base_dir}/mailserver.crt server_cert=${cert_base_dir}/mailserver.crt
server_key=${cert_base_dir}/mailserver.key server_key=${cert_base_dir}/mailserver.key
dh_pem_file="${cert_base_dir}/dh_4096.pem" dh_pem_file="${cert_base_dir}/dh_4096.pem"

158
install_amavis.sh
View File

@@ -2257,6 +2257,45 @@ if ! $installation_failed ; then
fi fi
fi fi
# Create /etc/spamassassin/99_nullsender.cf
#
# Spamassassin Regeln für Nullsender (Return-Path: <>)
#
# Problem:
# echte DSNs haben ebenfalls Return-Path: <>
#
# Aber:
# Echte DSNs sind i.d.R. multipart/report (delivery-status)
#
echononl " Create file \"/etc/spamassassin/99_nullsender.cf\".."
cat <<'EOF' > /etc/spamassassin/99_nullsender.cf 2> $tmp_err_msg
########################################################################
# Null-sender (Return-Path: <>) Behandlung
# Ziel: Fake-Bounces markieren, echte DSNs nicht treffen
########################################################################
# 1) Null-Envelope-From erkannt
header LOCAL_NULL_SENDER Return-Path =~ /^<>$/i
describe LOCAL_NULL_SENDER Null envelope-from (Return-Path <>)
score LOCAL_NULL_SENDER 0.1
# 2) Echte DSNs sind i.d.R. multipart/report (delivery-status)
header LOCAL_DSN_MULTIPART Content-Type =~ /^multipart\/report\b/i
describe LOCAL_DSN_MULTIPART Looks like a real DSN (multipart/report)
score LOCAL_DSN_MULTIPART -3.0
# 3) Fake-Bounce: Null-sender, aber NICHT multipart/report
meta LOCAL_NULL_NOT_DSN LOCAL_NULL_SENDER && !LOCAL_DSN_MULTIPART
describe LOCAL_NULL_NOT_DSN Null-sender but not a DSN (likely fake bounce spam)
score LOCAL_NULL_NOT_DSN 6.0
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
# - Enable nightly cronjob for spamassassin # - Enable nightly cronjob for spamassassin
# - # -
@@ -3260,6 +3299,18 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
if [[ "$?" -ne 0 ]] ; then if [[ "$?" -ne 0 ]] ; then
installation_failed=true installation_failed=true
error "$(cat $tmp_err_msg)" error "$(cat $tmp_err_msg)"
warn "command was:
git clone https://github.com/extremeshok/clamav-unofficial-sigs.git /tmp/clamav-unofficial-sigs"
echononl "continue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
fi fi
if ! $installation_failed ; then if ! $installation_failed ; then
echo_ok echo_ok
@@ -4923,36 +4974,51 @@ else
fi fi
## - Provide an 'After-queue filter' (classic content filter):
## -
## - - The external sender communicates with port 25.
## - - Postfix accepts the email and initially places it in the queue.
## - - Postfix then forwards the email to Amavis (10024).
## - - Amavis returns it to Postfix (typically on 10025).
## -
## - Advantage:
## - Port 25 is 'normal Postfix SMTP'
## - -> Milters (OpenDMARC/OpenDKIM verify) access port 25 cleanly
## - -> DMARC reject happens in the SMTP dialog (if you set it up that way
## - and the checks pass 'pre-queue')
## -
## - Disadvantage:
## - Some types of rejections may no longer happen 'before queue', but only later
## - (depending on the type of check)
## -
## -
## - Set up /etc/postfix/master ## - Set up /etc/postfix/master
## - ## -
## - Forward emails to amavis using "Pre-Queue" Option smtpd_proxy_filter ## - Forward emails to amavis using "After-Queue-Filter" Option content_filter
## - ## -
## - edit /etc/postfix/master.cf and add flags for "smtpd_proxy_filter" (to ## - edit /etc/postfix/master.cf and add flags for "content_filter" (to
## - forward to amavis service on localhost port 10024) and for "content_filter" ## - forward to amavis service on localhost port 10024)
## - (to avoid rechecking by "Post-Queue" content_filter) to smtp service
## - ## -
## - smtp inet n - - - - smtpd ## - smtp inet n - - - - smtpd
## - -o smtpd_proxy_filter=127.0.0.1:10024 ## - -o content_filter=amavisfeed:[127.0.0.1]:10024
## - -o content_filter=
## - ## -
## - take care, that, in case NOT to reject, amavis fowards the mail to the ## - !! Noticw !!
## - MTA (Postfix) for delivering. To avoid loops in checking, install a ## - - take care localhost:10025 has empty 'content_filter'
## - (Postfix) smtpd service on a local Port (10025) without checking anymore
## - ## -
## - to do this edit /etc/postfix/master.cf and add service: ## - localhost:10025 inet n - y - - smtpd
## - ## - -o content_filter=
## - localhost:10025 inet n - - - - smtpd ## - -o smtpd_proxy_filter=
## - -o content_filter= ## - -o smtpd_milters=
## - -o smtpd_proxy_filter= ## - -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
## - -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128 ## - -o smtpd_client_restrictions=
## - -o smtpd_client_restrictions= ## - -o smtpd_helo_restrictions=
## - -o smtpd_helo_restrictions= ## - -o smtpd_sender_restrictions=
## - -o smtpd_sender_restrictions= ## - -o smtpd_recipient_restrictions=permit_mynetworks,reject
## - -o smtpd_recipient_restrictions=permit_mynetworks,reject ## - -o smtpd_data_restrictions=
## - -o smtpd_data_restrictions= ## - -o mynetworks=127.0.0.0/8,[::1]/128
## - -o mynetworks=127.0.0.0/8,[::1]/128,<$_ipv4_address/32> ## - -o receive_override_options=no_unknown_recipient_checks
## - -o receive_override_options=no_unknown_recipient_checks
## - ## -
## - - take care not to have 'content_filter' set im main.cf
postfix_master_cf="/etc/postfix/master.cf" postfix_master_cf="/etc/postfix/master.cf"
echo "" echo ""
echononl " Backup file \"${postfix_master_cf}\"" echononl " Backup file \"${postfix_master_cf}\""
@@ -5004,10 +5070,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
_found=true _found=true
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
smtp inet n - y - - smtpd smtp inet n - y - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10024 -o content_filter=amavisfeed:[127.0.0.1]:10024
-o content_filter=
-o smtpd_milters=
-o non_smtpd_milters=
EOF EOF
if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
@@ -5020,6 +5083,8 @@ EOF
localhost:10025 inet n - y - - smtpd localhost:10025 inet n - y - - smtpd
-o content_filter= -o content_filter=
-o smtpd_proxy_filter= -o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128 -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions= -o smtpd_client_restrictions=
-o smtpd_helo_restrictions= -o smtpd_helo_restrictions=
@@ -5031,7 +5096,8 @@ localhost:10025 inet n - y - - smtpd
EOF EOF
if [[-n "$(which opendmarc)" ]] ; then if [[-n "$(which opendmarc)" ]] ; then
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
-o smtpd_milters=local:/opendmarc/opendmarc.sock # IMPORTANT: no opendmarc here!
#-o smtpd_milters=local:/opendmarc/opendmarc.sock
EOF EOF
fi fi
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
@@ -5047,8 +5113,7 @@ EOF
_found=true _found=true
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
${additional_smtp_port} inet n - y - - smtpd ${additional_smtp_port} inet n - y - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10024 -o content_filter=amavisfeed:[127.0.0.1]:10024
-o content_filter=
EOF EOF
if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
@@ -5073,17 +5138,17 @@ EOF
if [[ -n "$(which opendkim)" ]] ; then if [[ -n "$(which opendkim)" ]] ; then
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
-o smtpd_milters=local:/opendkim/opendkim.sock -o smtpd_milters=local:/opendkim/opendkim.sock
-o milter_macro_daemon_name=ORIGINATING
EOF EOF
fi fi
cat >> $postfix_master_cf << EOF
#-o milter_macro_daemon_name=ORIGINATING
EOF
if ! $smtps_present ; then if ! $smtps_present ; then
if ! $localhost_10025_present ; then if ! $localhost_10025_present ; then
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
localhost:10025 inet n - y - - smtpd localhost:10025 inet n - y - - smtpd
-o content_filter= -o content_filter=
-o smtpd_proxy_filter= -o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128 -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions= -o smtpd_client_restrictions=
-o smtpd_helo_restrictions= -o smtpd_helo_restrictions=
@@ -5095,12 +5160,10 @@ localhost:10025 inet n - y - - smtpd
EOF EOF
if [[ -n "$(which opendmarc)" ]] ; then if [[ -n "$(which opendmarc)" ]] ; then
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
-o smtpd_milters=local:/opendmarc/opendmarc.sock # IMPORTANT: no opendmarc here!
#-o smtpd_milters=local:/opendmarc/opendmarc.sock
EOF EOF
fi fi
cat >> $postfix_master_cf << EOF
#-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32
EOF
fi fi
if ! $amavisfeed_present ; then if ! $amavisfeed_present ; then
@@ -5108,7 +5171,6 @@ EOF
amavisfeed unix - - n - 20 lmtp amavisfeed unix - - n - 20 lmtp
-o smtp_data_done_timeout=1200 -o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes -o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
EOF EOF
fi fi
fi # if ! $smtps_present fi # if ! $smtps_present
@@ -5130,17 +5192,17 @@ EOF
if [[ -n "$(which opendkim)" ]] ; then if [[ -n "$(which opendkim)" ]] ; then
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
-o smtpd_milters=local:/opendkim/opendkim.sock -o smtpd_milters=local:/opendkim/opendkim.sock
-o milter_macro_daemon_name=ORIGINATING
EOF EOF
fi fi
cat >> $postfix_master_cf << EOF
#-o milter_macro_daemon_name=ORIGINATING
EOF
if ! $localhost_10025_present ; then if ! $localhost_10025_present ; then
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
localhost:10025 inet n - y - - smtpd localhost:10025 inet n - y - - smtpd
-o content_filter= -o content_filter=
-o smtpd_proxy_filter= -o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128 -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions= -o smtpd_client_restrictions=
-o smtpd_helo_restrictions= -o smtpd_helo_restrictions=
@@ -5152,12 +5214,10 @@ localhost:10025 inet n - y - - smtpd
EOF EOF
if [[ -n "$(which opendmarc)" ]] ; then if [[ -n "$(which opendmarc)" ]] ; then
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
-o smtpd_milters=local:/opendmarc/opendmarc.sock # IMPORTANT: no opendmarc here!
#-o smtpd_milters=local:/opendmarc/opendmarc.sock
EOF EOF
fi fi
cat >> $postfix_master_cf << EOF
#-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32
EOF
fi fi
if ! $amavisfeed_present ; then if ! $amavisfeed_present ; then
@@ -5165,7 +5225,6 @@ EOF
amavisfeed unix - - n - 20 lmtp amavisfeed unix - - n - 20 lmtp
-o smtp_data_done_timeout=1200 -o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes -o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
EOF EOF
fi fi
@@ -5180,6 +5239,8 @@ EOF
localhost:10025 inet n - y - - smtpd localhost:10025 inet n - y - - smtpd
-o content_filter= -o content_filter=
-o smtpd_proxy_filter= -o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128 -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions= -o smtpd_client_restrictions=
-o smtpd_helo_restrictions= -o smtpd_helo_restrictions=
@@ -5191,12 +5252,10 @@ localhost:10025 inet n - y - - smtpd
EOF EOF
if [[ -n "$(which opendmarc)" ]] ; then if [[ -n "$(which opendmarc)" ]] ; then
cat >> $postfix_master_cf << EOF cat >> $postfix_master_cf << EOF
-o smtpd_milters=local:/opendmarc/opendmarc.sock # IMPORTANT: no opendmarc here!
#-o smtpd_milters=local:/opendmarc/opendmarc.sock
EOF EOF
fi fi
cat >> $postfix_master_cf << EOF
#-o mynetworks=127.0.0.0/8,[::1]/128,${IPV4}/32
EOF
continue continue
fi fi
@@ -5206,7 +5265,6 @@ EOF
amavisfeed unix - - n - 20 lmtp amavisfeed unix - - n - 20 lmtp
-o smtp_data_done_timeout=1200 -o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes -o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
EOF EOF
continue continue
fi fi

318
install_opendkim.sh
View File

@@ -13,6 +13,9 @@ echo -e "\n \033[32mStart Installation of OpenDKIM..\033[m"
#conf_file="${_src_base_dir}/conf/install_opendkim.conf" #conf_file="${_src_base_dir}/conf/install_opendkim.conf"
log_file="$(mktemp)" log_file="$(mktemp)"
tmp_main_cf_file="$(mktemp)"
main_cf_file="/etc/postfix/main.cf"
backup_date="$(date +%Y-%m-%d-%H%M)" backup_date="$(date +%Y-%m-%d-%H%M)"
@@ -27,6 +30,8 @@ postfix_spool_dir="/var/spool/postfix"
opendkim_socket_dir="${postfix_spool_dir}/opendkim" opendkim_socket_dir="${postfix_spool_dir}/opendkim"
opendkim_socket_file="${opendkim_socket_dir}/opendkim.sock" opendkim_socket_file="${opendkim_socket_dir}/opendkim.sock"
opendkim_socket_string="local:/opendkim/opendkim.sock"
postfix_needs_restart=false postfix_needs_restart=false
opendkim_needs_restart=false opendkim_needs_restart=false
@@ -87,6 +92,82 @@ echo_skipped() {
echo -e "\033[80G[ \033[37mskipped\033[m ]" echo -e "\033[80G[ \033[37mskipped\033[m ]"
} }
# Funktion stellt sicher, dass in /etc/postfix/main.cf
# - smtpd_milters
# - non_smtpd_milters
# den Wert "local:/opendkim/opendkim.sock" enthalten.
#
# Logik:
# 1) Existiert eine aktive Zeile (nicht auskommentiert)? → anpassen
# 2) Sonst: existiert eine auskommentierte Zeile? → ersetzen (entkommentieren)
# 3) Sonst: Variable am Ende der Datei hinzufügen
#
ensure_dkim_var() {
local var="$1"
awk -v var="$var" -v dkim="$opendkim_socket_string" '
# trim helper
function trim(s) {
sub("^[[:space:]]+", "", s)
sub("[[:space:]]+$", "", s)
return s
}
# Normalisiert aktive Werte:
# - wenn leer -> nur dkim
# - wenn dkim schon enthalten -> unverändert
# - sonst -> dkim vorne dran
function normalize_active_value(v) {
v = trim(v)
if (v == "") return dkim
if (index(v, dkim) > 0) return v
return dkim "," v
}
BEGIN { found_active=0; replaced_commented=0 }
#################################################################
# FALL 1: Aktive Zeile (nicht auskommentiert): var =
#################################################################
$0 ~ "^[[:space:]]*"var"[[:space:]]*=" && $0 !~ "^[[:space:]]*#" {
found_active=1
# rechten Teil extrahieren (nach "=")
v=$0
sub("^[[:space:]]*"var"[[:space:]]*=[[:space:]]*", "", v)
print var" = " normalize_active_value(v)
next
}
#################################################################
# FALL 2: Auskommentierte Zeile: # var =
# Sonderregel: ersetzen mit NUR DKIM, unabhängig vom Kommentarinhalt
#################################################################
$0 ~ "^[[:space:]]*#[[:space:]]*"var"[[:space:]]*=" \
&& found_active==0 && replaced_commented==0 {
replaced_commented=1
print var" = " dkim
next
}
#################################################################
# Sonst: Zeile unverändert ausgeben
#################################################################
{ print }
#################################################################
# FALL 3: Variable nicht vorhanden → am Ende hinzufügen
#################################################################
END {
if (found_active==0 && replaced_commented==0) {
print var" = " dkim
}
}
' "$main_cf_file"
}
# ------------- # -------------
# - Some pre-installation tasks # - Some pre-installation tasks
@@ -206,73 +287,208 @@ else
cat <<EOF > $opendkim_conf_file 2> $log_file cat <<EOF > $opendkim_conf_file 2> $log_file
# Datei $opendkim_conf_file # Datei $opendkim_conf_file
# AuthservID (string)
#
# Sets the "authserv-id" to use when generating the Authentication-Results: # Sets the "authserv-id" to use when generating the Authentication-Results:
# header field after verifying a message. The default is to use the name of # header field after verifying a message. The default is to use the name of
# the MTA processing the message. If the string "HOSTNAME" is provided, the # the MTA processing the message. If the string "HOSTNAME" is provided, the
# name of the host running the filter (as returned by the gethostname(3) # name of the host running the filter (as returned by the gethostname(3)
# function) will be used. # function) will be used.
AuthservID "DKIM check $(hostname -f)" AuthservID HOSTNAME
# Mode (string)
#
# OpenDKIM agiert als Mail Filter (= Milter) in den # OpenDKIM agiert als Mail Filter (= Milter) in den
# Modi signer (s) und verifier (v) und verwendet eine # Modi signer (s) und verifier (v) und verwendet eine
# Socket-Datei zur Kommunikation (alternativ: lokaler Port) # Socket-Datei zur Kommunikation (alternativ: lokaler Port)
Mode sv Mode sv
# Socket (string)
#
# Specifies the socket that should be established by the filter to receive
# connections from sendmail(8) in order to provide service. socketspec is
# in one of two forms: local:path, which creates a UNIX domain socket at
# the specified path, or inet:port[@host] or inet6:port[@host] which
# creates a TCP socket on the specified port and in the specified protocol
# family. If the host is not given as either a hostname or an IP address,
# the socket will be listening on all interfaces. A literal IP address must
# be enclosed in square brackets. This option is mandatory either in the
# configuration file or on the command line.
#
# Socket local:/var/run/opendkim/opendkim.sock # Socket local:/var/run/opendkim/opendkim.sock
# Socket local:$opendkim_socket_file # Socket local:$opendkim_socket_file
# Socket inet:12345@localhost # Socket inet:12345@localhost
Socket local:$opendkim_socket_file Socket local:$opendkim_socket_file
# OpenDKIM verwendet diesen Benutzer bzw. # UserID (string)
# diese Gruppe #
# Attempts to become the specified userid before starting operations. The
# value is of the form userid[:group]. The process will be assigned all of
# the groups and primary group ID of the named userid unless an alternate
# group is specified.
UserID opendkim:opendkim UserID opendkim:opendkim
# UMask (integer)
#
#Requests a specific permissions mask to be used for file creation. This
# only really applies to creation of the socket when Socket specifies a UNIX
# domain socket, and to the PidFile (if any); temporary files are created by
# the mkstemp(3) function that enforces a specific file mode on creation
# regardless of the process umask. See umask(2) for more information.
#
UMask 002 UMask 002
# PidFile (string)
#
# Specifies the path to a file that should be created at process start
# containing the process ID.
PidFile /var/run/opendkim/opendkim.pid PidFile /var/run/opendkim/opendkim.pid
# OpenDKIM bei Problemen neustarten, # AutoRestart (Boolean)
# aber max. 10 mal pro Stunde #
# Automatically re-start on failures. Use with caution; if the filter fails
# instantly after it starts, this can cause a tight fork(2) loop.
AutoRestart yes AutoRestart yes
# AutoRestartRate (string)
#
# Sets the maximum automatic restart rate. If the filter begins restarting
# faster than the rate defined here, it will give up and terminate. This is
# a string of the form n/t[u] where n is an integer limiting the count of
# restarts in the given interval and t[u] defines the time interval through
# which the rate is calculated; t is an integer and u defines the units thus
# represented ("s" or "S" for seconds, the default; "m" or "M" for minutes;
# "h" or "H" for hours; "d" or "D" for days). For example, a value of "10/1h"
# limits the restarts to 10 in one hour. There is no default, meaning restart
# rate is not limited.
AutoRestartRate 10/1h AutoRestartRate 10/1h
# Logging (wenn alles funktioniert eventuell reduzieren) # Syslog (Boolean)
#
# Log via calls to syslog(3) any interesting activity.
Syslog yes Syslog yes
# SyslogSuccess (Boolean)
#
# Log via calls to syslog(3) additional entries indicating successful signing
# or verification of messages.
SyslogSuccess yes SyslogSuccess yes
# LogWhy (boolean)
#
# If logging is enabled (see Syslog below), issues very detailed logging
# about the logic behind the filters decision to either sign a message or
# verify it. The logic behind the decision is non-trivial and can be confusing
# to administrators not familiar with its operation. A description of how the
# decision is made can be found in the OPERATIONS section of the opendkim(8)
# man page. This causes a large increase in the amount of log data generated
# for each message, so it should be limited to debugging use and not enabled
# for general operation.
LogWhy yes LogWhy yes
# Verfahren, wie Header und Body durch # Verfahren, wie Header und Body durch
# OpenDKIM verarbeitet werden sollen. # OpenDKIM verarbeitet werden sollen.
Canonicalization relaxed/simple Canonicalization relaxed/simple
# interne Mails nicht mit OpenDKIM verarbeiten # ExternalIgnoreList (dataset)
#
# Identifies a set of "external" hosts that may send mail through the server
# as one of the signing domains without credentials as such. This has the
# effect of suppressing the "external host (hostname) tried to send mail as
# (domain)" log messages. Entries in the data set should be of the same form
# as those of the PeerList option below. The set is empty by default.
ExternalIgnoreList refile:${opendkim_base_dir}/trusted ExternalIgnoreList refile:${opendkim_base_dir}/trusted
# InternalHosts (dataset)
#
# Identifies a set internal hosts whose mail should be signed rather than
# verified. Entries in this data set follow the same form as those of the
# PeerList option below. If not specified, the default of "127.0.0.1" is applied.
# Naturally, providing a value here overrides the default, so if mail from
# 127.0.0.1 should be signed, the list provided here should include that address
# explicitly.
InternalHosts refile:${opendkim_base_dir}/trusted InternalHosts refile:${opendkim_base_dir}/trusted
# welche Verschlüsselungs-Keys sollen für welche # SigningTable (dataset)
# Domains verwendet werden #
# (refile: für Dateien mit regulären Ausdrücke) # Defines a table used to select one or more signatures to apply to a message
# based on the address found in the From: header field. Keys in this table vary
# depending on the type of table used; values in this data set should include
# one field that contains a name found in the KeyTable (see above) that
# identifies which key should be used in generating the signature, and an
# optional second field naming the signer of the message that will be included
# in the "i=" tag in the generated signature. Note that the "i=" value will not
# be included in the signature if it conflicts with the signing domain
# (the "d=" value).
#
# If the first field contains only a "%" character, it will be replaced by the
# domain found in the From: header field. Similarly, within the optional second
# field, any "%" character will be replaced by the domain found in the From:
# header field.
#
# If this table specifies a regular expression file ("refile"), then the keys are
# wildcard patterns that are matched against the address found in the From:
# header field. Entries are checked in the order in which they appear in the file.
#
# For all other database types, the full user@host is checked first, then simply
# host, then user@.domain (with all superdomains checked in sequence, so
# "foo.example.com" would first check "user@foo.example.com", then "user@.example.com",
# then "user@.com"), then .domain, then user@*, and finally *.
SigningTable refile:${opendkim_base_dir}/signing.table SigningTable refile:${opendkim_base_dir}/signing.table
# KeyTable (dataset)
#
# Gives the location of a file mapping key names to signing keys. If present,
# overrides any KeyFile setting in the configuration file. The data set named here
# maps each key name to three values: (a) the name of the domain to use in the
# signature's "d=" value; (b) the name of the selector to use in the signature's
# "s=" value; and (c) either a private key or a path to a file containing a private
# key. If the first value consists solely of a percent sign ("%") character, it
# will be replaced by the apparent domain of the sender when generating a signature.
# If the third value starts with a slash ("/") character, or "./" or "../", then it
# is presumed to refer to a file from which the private key should be read, otherwise
# it is itself a PEM-encoded private key or a base64-encoded DER private key; a "%"
# in the third value in this case will be replaced by the apparent domain name of
# the sender. The SigningTable (see below) is used to select records from this table
# to be used to add signatures based on the message sender.
KeyTable ${opendkim_base_dir}/key.table KeyTable ${opendkim_base_dir}/key.table
# diesen Signatur-Algorithmus verwenden # SignatureAlgorithm (string)
#
# Selects the signing algorithm to use when generating signatures. Use 'opendkim -V'
# to see the list of supported algorithms. The default is rsa-sha256 if it is
# available, otherwise it will be rsa-sha1.
SignatureAlgorithm rsa-sha256 SignatureAlgorithm rsa-sha256
# Always oversign From (sign using actual From and a null From to prevent # OversignHeaders (dataset)
# malicious signatures header fields (From and/or others) between the signer #
# and the verifier. From is oversigned by default in the Debian pacakge # Specifies a set of header fields that should be included in all signature header
# because it is often the identity key used by reputation systems and thus # lists (the "h=" tag) once more than the number of times they were actually present
# somewhat security sensitive. # in the signed message. The set is empty by default. The purpose of this, and
# especially of listing an absent header field, is to prevent the addition of
# important fields between the signer and the verifier. Since the verifier would
# include that header field when performing verification if it had been added by an
# intermediary, the signed message and the verified message were different and the
# verification would fail. Note that listing a field name here and not listing it in
# the SignHeaders list is likely to generate invalid signatures.
OversignHeaders From OversignHeaders From
# AlwaysAddARHeader (Boolean)
#
# Add an "Authentication-Results:" header field even to unsigned messages # Add an "Authentication-Results:" header field even to unsigned messages
# from domains with no "signs all" policy. The reported DKIM result will be # from domains with no "signs all" policy. The reported DKIM result will be
# "none" in such cases. Normally unsigned mail from non-strict domains does # "none" in such cases. Normally unsigned mail from non-strict domains does
# not cause the results header field to be added. # not cause the results header field to be added.
AlwaysAddARHeader yes AlwaysAddARHeader yes
# Background (Boolean)
#
# Causes opendkim to fork and exits immediately, leaving the service running # Causes opendkim to fork and exits immediately, leaving the service running
# in the background. The default is "true". # in the background. The default is "true".
Background yes Background yes
# DNSTimeout (integer)
#
# Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The # Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
# default is 5. Ignored if not using an asynchronous resolver package. See # default is 5. Ignored if not using an asynchronous resolver package. See
# also the NOTES section below. # also the NOTES section below.
@@ -301,8 +517,8 @@ else
fi fi
# - Create the directories to hold OpenDKIMs data files, assign # - Create the directories to hold OpenDKIMs data files, assign
# - ownership to the opendkim user, and restrict the file # - ownership to the opendkim user, and restrict the file
# - permissions: # - permissions:
# - # -
echononl " Create directory '$opendkim_base_dir'" echononl " Create directory '$opendkim_base_dir'"
@@ -391,7 +607,6 @@ else
127.0.0.1 127.0.0.1
::1 ::1
localhost localhost
$(hostname -f)
EOF EOF
opendkim_needs_restart=true opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
@@ -403,7 +618,7 @@ EOF
fi fi
# - Create the OpenDKIM socket directory in Postfixs work area # - Create the OpenDKIM socket directory in Postfixs work area
# - and make sure it has the correct ownership: # - and make sure it has the correct ownership:
# - # -
echononl " Create the OpenDKIM socket directory in Postfixs work area.." echononl " Create the OpenDKIM socket directory in Postfixs work area.."
@@ -462,7 +677,7 @@ EOF
fi fi
# - Edit /etc/postfix/main.cf and add a section to activate # - Edit /etc/postfix/main.cf and add a section to activate
# - processing of e-mail through the OpenDKIM daemon: # - processing of e-mail through the OpenDKIM daemon:
# - # -
backup_date="$(date +%Y-%m-%d-%H%M)" backup_date="$(date +%Y-%m-%d-%H%M)"
@@ -476,19 +691,15 @@ else
fi fi
echononl " Activate processing of e-mail through the OpenDKIM daemon.." echononl " Activate processing of e-mail through the OpenDKIM daemon.."
if grep -q -E "milter_default_action\s*=\s*accept" /etc/postfix/main.cf ; then if grep -q -E "^\s*#?\s*smtpd_milters\s*=" ${main_cf_file} ; then
echo_skipped
warn "Postfix (main.cf) seems already be configured for milters" ensure_dkim_var "smtpd_milters" > "${tmp_main_cf_file}"
echononl " Delete previosly saved Postfix configuration.." cp "${tmp_main_cf_file}" "${main_cf_file}"
rm /etc/postfix/main.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else else
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
# ======= Milter configuration ======= # ======= Milter configuration =======
@@ -508,8 +719,19 @@ milter_protocol = 6
# 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to # 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
# localhost:10025 section in master.cf: 'smtpd_milters=' # localhost:10025 section in master.cf: 'smtpd_milters='
# #
#smtpd_milters = local:/opendkim/opendkim.sock smtpd_milters = $opendkim_socket_string
smtpd_milters = EOF
fi
if grep -q -E "^\s*#?\s*non_smtpd_milters\s*=" ${main_cf_file} ; then
ensure_dkim_var "non_smtpd_milters" > "${tmp_main_cf_file}"
cp "${tmp_main_cf_file}" "${main_cf_file}"
else
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
# Was sind non_smtpd_milters? # Was sind non_smtpd_milters?
# #
@@ -539,30 +761,30 @@ smtpd_milters =
# #
# #
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden. # DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
non_smtpd_milters = local:/opendkim/opendkim.sock non_smtpd_milters = $opendkim_socket_string
EOF EOF
postfix_needs_restart=true fi
if [[ $? -eq 0 ]] ; then postfix_needs_restart=true
echo_ok if [[ $? -eq 0 ]] ; then
else echo_ok
echo_failed else
error "$(cat $log_file)" echo_failed
fi error "$(cat $log_file)"
fi fi
# - Prevent Postfix from setting the DKIM Header twice (one befor # - Prevent Postfix from setting the DKIM Header twice (one befor
# - and one after processing amavis # - and one after processing amavis
# - # -
# - To disable milter processing after amavis, add to your master.cf in # - To disable milter processing after amavis, add to your master.cf in
# - the after-amavis section: # - the after-amavis section:
# - 127.0.0.1:10025 inet n - - - - smtpd # - 127.0.0.1:10025 inet n - - - - smtpd
# - [...] # - [...]
# - -o smtpd_milters= # - -o smtpd_milters=
# - # -
# - If you want to run the milter after amavis, set in main.cf # - If you want to run the milter after amavis, set in main.cf
# - smtpd_milters= # - smtpd_milters=
# - to an empty string and add the smtpd_milters configuration to master.cf # - to an empty string and add the smtpd_milters configuration to master.cf
# - (after-section amavis) instead: # - (after-section amavis) instead:
# - -o smtpd_milters=local:/opendkim/opendkim.sock # - -o smtpd_milters=local:/opendkim/opendkim.sock
# - # -
@@ -591,6 +813,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
_found=false _found=false
if ! echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*local:/opendkim/opendkim.sock\s*$" ; then if ! echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*local:/opendkim/opendkim.sock\s*$" ; then
echo " -o smtpd_milters=local:/opendkim/opendkim.sock" >> "$tmp_master_file" echo " -o smtpd_milters=local:/opendkim/opendkim.sock" >> "$tmp_master_file"
echo " -o milter_macro_daemon_name=ORIGINATING" >> "$tmp_master_file"
_changed=true _changed=true
continue continue
fi fi
@@ -629,7 +852,7 @@ rm -f $tmp_master_file
echo "" echo ""
# - Restart OpenDKIM # - Restart OpenDKIM
# - # -
echononl " Restart OpenDKIM.." echononl " Restart OpenDKIM.."
if $opendkim_needs_restart ; then if $opendkim_needs_restart ; then
if $SYSTEMD_EXISTS ; then if $SYSTEMD_EXISTS ; then
@@ -681,4 +904,5 @@ fi
echo "" echo ""
rm -f "$log_file" rm -f "$log_file"
rm -f "$tmp_main_cf_file"
exit 0 exit 0

538
install_opendmarc.sh
View File

@@ -24,8 +24,8 @@ opendmarc_socket_dir="${postfix_spool_dir}/opendmarc"
opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock" opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
config_file_name_value_parameters=" config_file_name_value_parameters="
AuthservID|$(hostname -f) AuthservID|HOSTNAME
TrustedAuthservIDs|$(hostname -f) TrustedAuthservIDs|HOSTNAME
PidFile|/run/opendmarc/opendmarc.pid PidFile|/run/opendmarc/opendmarc.pid
RejectFailures|true RejectFailures|true
Syslog|true Syslog|true
@@ -37,11 +37,13 @@ config_file_name_value_parameters="
UMask|002 UMask|002
FailureReports|false FailureReports|false
AutoRestart|true AutoRestart|true
HistoryFile|/run/opendmarc/opendmarc.dat HistoryFile|/run/opendmarc/opendmarc.dat
SPFIgnoreResults|false SPFIgnoreResults|false
SPFSelfValidate|true SPFSelfValidate|true
Socket|${opendmarc_socket_file} Socket|${opendmarc_socket_file}
" "
declare -a config_file_name_value_parameter_arr=() declare -a config_file_name_value_parameter_arr=()
for _conf in $config_file_name_value_parameters ; do for _conf in $config_file_name_value_parameters ; do
config_file_name_value_parameter_arr+=("$_conf") config_file_name_value_parameter_arr+=("$_conf")
@@ -50,8 +52,15 @@ done
postfix_needs_restart=false postfix_needs_restart=false
opendmarc_needs_restart=false opendmarc_needs_restart=false
backup_date="$(date +%Y-%m-%d-%H%M)"
log_file="$(mktemp)" log_file="$(mktemp)"
tmp_main_cf_file="$(mktemp)"
main_cf_file="/etc/postfix/main.cf"
backup_date="$(date +%Y-%m-%d-%H%M)"
opendkim_socket_string="local:/opendkim/opendkim.sock"
opendmarc_socket_string="local:/opendmarc/opendmarc.sock"
# ------------- # -------------
# --- Some functions # --- Some functions
@@ -109,6 +118,116 @@ echo_skipped() {
echo -e "\033[80G[ \033[37mskipped\033[m ]" echo -e "\033[80G[ \033[37mskipped\033[m ]"
} }
# iFubction stellt sicher, dass OpenDMARC milter in main.cf gesetzt ist
# und (falls OpenDKIM vorhanden ist) OpenDMARC direkt nach OpenDKIM folgt.
#
# Ziel:
# - smtpd_milters und non_smtpd_milters enthalten: local:/opendmarc/opendmarc.sock
# - Falls local:/opendkim/opendkim.sock vorhanden ist:
# ...opendkim...,local:/opendmarc/opendmarc.sock,...
#
# Logik:
# 1) Aktive Zeile existiert? → anpassen
# 2) Sonst kommentierte Zeile existiert? → ersetzen (entkommentieren) an derselben Stelle
# 3) Sonst am Ende hinzufügen
ensure_dmarc_var() {
local var="$1"
awk -v var="$var" -v dmarc="$opendmarc_socket_string" -v dkim="$opendkim_socket_string" '
function trim(s) {
sub("^[[:space:]]+", "", s)
sub("[[:space:]]+$", "", s)
return s
}
# Normalisiert aktive Werte:
# - Entfernt vorhandenes dmarc (um Duplikate zu verhindern)
# - Fügt dmarc wieder ein:
# - direkt nach dkim, falls dkim vorhanden
# - sonst ans Ende (oder allein, wenn leer)
function normalize_active_value(v, n,i,t,has_dkim,out,newn) {
v = trim(v)
if (v == "") return dmarc
# split an Komma, trimmen, DMARC entfernen
n = split(v, a, ",")
has_dkim = 0
newn = 0
for (i=1; i<=n; i++) {
t = trim(a[i])
if (t == "") continue
if (t == dmarc) continue # Duplikate vermeiden
a[++newn] = t
if (t == dkim) has_dkim = 1
}
n = newn
out = ""
if (has_dkim) {
# Ausgabe bauen und DMARC direkt nach DKIM einfügen
for (i=1; i<=n; i++) {
if (out != "") out = out ","
out = out a[i]
if (a[i] == dkim) {
out = out "," dmarc
}
}
return out
}
# kein DKIM: DMARC ans Ende anhängen
for (i=1; i<=n; i++) {
if (out != "") out = out ","
out = out a[i]
}
if (out == "") return dmarc
return out "," dmarc
}
BEGIN { found_active=0; replaced_commented=0 }
#################################################################
# FALL 1: Aktive Zeile (nicht auskommentiert): var =
#################################################################
$0 ~ "^[[:space:]]*"var"[[:space:]]*=" && $0 !~ "^[[:space:]]*#" {
found_active=1
v=$0
sub("^[[:space:]]*"var"[[:space:]]*=[[:space:]]*", "", v)
print var" = " normalize_active_value(v)
next
}
#################################################################
# FALL 2: Auskommentierte Zeile: # var =
# Sonderregel: ersetzen mit NUR DMARC, unabhängig vom Kommentarinhalt
#################################################################
$0 ~ "^[[:space:]]*#[[:space:]]*"var"[[:space:]]*=" \
&& found_active==0 && replaced_commented==0 {
replaced_commented=1
print var" = " dmarc
next
}
#################################################################
# Sonst: Zeile unverändert ausgeben
#################################################################
{ print }
#################################################################
# FALL 3: Variable nicht vorhanden → am Ende hinzufügen
#################################################################
END {
if (found_active==0 && replaced_commented==0) {
print var" = " dmarc
}
}
' "$main_cf_file"
}
# ------------- # -------------
# - Some pre-installation tasks # - Some pre-installation tasks
@@ -193,14 +312,39 @@ echononl " Add 'IgnoreHosts' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^IgnoreHosts\s+" ${opendmarc_conf_file} 2> /dev/null) ; then if ! $(grep -q -E "^IgnoreHosts\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file} cat << EOF >> ${opendmarc_conf_file}
## IgnoreHosts (string)
##
## Specifies the path to a file that contains a list of hostnames, IP addresses, ## Specifies the path to a file that contains a list of hostnames, IP addresses,
## and/or CIDR expressions identifying hosts whose SMTP connections are to be ## and/or CIDR expressions identifying hosts whose SMTP connections are to be
## ignored by the filter. If not specified, defaults to "127.0.0.1" only. ## ignored by the filter. If not specified, defaults to "127.0.0.1" only.
# #
IgnoreHosts 127.0.0.1 IgnoreHosts /etc/opendmarc/ignore.hosts
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# Optional - auch nach Absender-Domain ignorieren:
IgnoreMailFrom ${opendmarc_base_dir}/ignore.mailfrom # - Add 'IgnoreMailFrom' with default value to the original opendmarc.conf file
#
echononl " Add 'IgnoreMailFrom' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^IgnoreMailFrom\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## IgnoreMailFrom (string)
##
## Gives a list of domain names whose mail (based on the From: domain)
## is to be ignored by the filter. The list should be comma-separated.
## Matching against this list is case-insensitive. The default is an
## empty list, meaning no mail is ignored.
#
IgnoreMailFrom /etc/opendmarc/ignore.mailfrom
EOF EOF
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok
@@ -220,10 +364,12 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file} cat << EOF >> ${opendmarc_conf_file}
## IgnoreAuthenticatedClients (Boolean)
##
## If set, causes mail from authenticated clients (i.e., those that used ## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter. The default is "false". ## SMTP AUTH) to be ignored by the filter. The default is "false".
# #
IgnoreAuthenticatedClients false IgnoreAuthenticatedClients true
EOF EOF
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok
@@ -250,30 +396,7 @@ if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
# will be used. Matching against this list is case-insensitive. The default is to use the # will be used. Matching against this list is case-insensitive. The default is to use the
# value of AuthservID. # value of AuthservID.
# #
TrustedAuthservIDs OpenDMARC TrustedAuthservIDs HOSTNAME
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
#
_param="IgnoreAuthenticatedClients"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter. The default is "false".
#
IgnoreAuthenticatedClients false
EOF EOF
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok
@@ -293,6 +416,8 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file} cat << EOF >> ${opendmarc_conf_file}
## RequiredHeaders (Boolean)
##
## If set, the filter will ensure the header of the message conforms to the basic ## If set, the filter will ensure the header of the message conforms to the basic
## header field count restrictions laid out in RFC5322, Section 3.6. Messages ## header field count restrictions laid out in RFC5322, Section 3.6. Messages
## failing this test are rejected without further processing. A From: field from ## failing this test are rejected without further processing. A From: field from
@@ -318,10 +443,12 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file} cat << EOF >> ${opendmarc_conf_file}
## AutoRestart (Boolean)
##
## Automatically re-start on failures. Use with caution; if the filter fails ## Automatically re-start on failures. Use with caution; if the filter fails
## instantly after it starts, this can cause a tight fork(2) loop. ## instantly after it starts, this can cause a tight fork(2) loop.
# #
AutoRestart false AutoRestart true
EOF EOF
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok
@@ -341,6 +468,8 @@ echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file} cat << EOF >> ${opendmarc_conf_file}
## HistoryFile (string)
##
## If set, specifies the location of a text file to which records are written ## If set, specifies the location of a text file to which records are written
## that can be used to generate DMARC aggregate reports. Records are batches of ## that can be used to generate DMARC aggregate reports. Records are batches of
## rows containing information about a single received message, and include all ## rows containing information about a single received message, and include all
@@ -349,7 +478,7 @@ if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
## imported into a relational database from which the aggregate reports can be ## imported into a relational database from which the aggregate reports can be
## extracted using opendmarc-importstats(8). ## extracted using opendmarc-importstats(8).
# #
HistoryFile /run/opendmarc/opendmarc.dat #HistoryFile /run/opendmarc/opendmarc.dat
EOF EOF
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok
@@ -398,7 +527,7 @@ if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
## looks for SPF results in headers and always performs the SPF check itself when ## looks for SPF results in headers and always performs the SPF check itself when
## this is set. The default is "false". ## this is set. The default is "false".
# #
SPFSelfValidate false SPFSelfValidate true
EOF EOF
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok
@@ -432,15 +561,6 @@ for _val in "${config_file_name_value_parameter_arr[@]}" ; do
echononl " $opendmarc_conf_file: ${_val_arr[0]} -> ${_val_arr[1]}.." echononl " $opendmarc_conf_file: ${_val_arr[0]} -> ${_val_arr[1]}.."
if $(grep -E -q "^\s*${_val_arr[0]}\s+${_val_arr[1]}\s*$" $opendmarc_conf_file 2> /dev/null) ; then if $(grep -E -q "^\s*${_val_arr[0]}\s+${_val_arr[1]}\s*$" $opendmarc_conf_file 2> /dev/null) ; then
echo_skipped echo_skipped
elif $(grep -E -q "^\s*#\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null); then
perl -i -n -p -e "s&^(\s*#\s*${_val_arr[0]}.*)&\1\n${_val_arr[0]} ${_val_arr[1]}&" $opendmarc_conf_file > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
opendmarc_needs_restart=true
else
echo_failed
error "$(cat $log_file)"
fi
elif $(grep -E -q "^\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null) ; then elif $(grep -E -q "^\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null) ; then
perl -i -n -p -e "s#^(\s*${_val_arr[0]}.*)#\#\1\n${_val_arr[0]} ${_val_arr[1]}#" $opendmarc_conf_file > "$log_file" 2>&1 perl -i -n -p -e "s#^(\s*${_val_arr[0]}.*)#\#\1\n${_val_arr[0]} ${_val_arr[1]}#" $opendmarc_conf_file > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
@@ -450,11 +570,8 @@ for _val in "${config_file_name_value_parameter_arr[@]}" ; do
echo_failed echo_failed
error "$(cat $log_file)" error "$(cat $log_file)"
fi fi
else elif $(grep -E -q "^\s*#\s*${_val_arr[0]}\s+" $opendmarc_conf_file 2> /dev/null); then
cat <<EOF >> $opendmarc_conf_file 2> "$log_file" perl -i -n -p -e "s&^(\s*#\s*${_val_arr[0]}.*)&\1\n${_val_arr[0]} ${_val_arr[1]}&" $opendmarc_conf_file > "$log_file" 2>&1
${_val_arr[0]} ${_val_arr[1]}
EOF
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok
opendmarc_needs_restart=true opendmarc_needs_restart=true
@@ -462,6 +579,100 @@ EOF
echo_failed echo_failed
error "$(cat $log_file)" error "$(cat $log_file)"
fi fi
else
if [[ "${_val_arr[0]}" == "IgnoreHosts" ]]; then
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
## IgnoreHosts (string)
##
## Specifies the path to a file that contains a list of hostnames, IP
## addresses, and/or CIDR expressions identifying hosts whose SMTP
## connections are to be ignored by the filter. If not specified,
## defaults to "127.0.0.1" only.
#
${_val_arr[0]} ${_val_arr[1]}
EOF
elif [[ "${_val_arr[0]}" == "IgnoreMailFrom" ]]; then
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
## IgnoreMailFrom (string)
##
## Gives a list of domain names whose mail (based on the From: domain)
## is to be ignored by the filter. The list should be comma-separated.
## Matching against this list is case-insensitive. The default is an
## empty list, meaning no mail is ignored.
#
${_val_arr[0]} ${_val_arr[1]}
EOF
elif [[ "${_val_arr[0]}" == "IgnoreAuthenticatedClients" ]]; then
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
## IgnoreAuthenticatedClients (Boolean)
##
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter. The default is "false".
#
${_val_arr[0]} ${_val_arr[1]}
EOF
elif [[ "${_val_arr[0]}" == "AutoRestart" ]]; then
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
## AutoRestart (Boolean)
##
## Automatically re-start on failures. Use with caution; if the filter
## fails instantly after it starts, this can cause a tight fork(2)
## loop.
#
${_val_arr[0]} ${_val_arr[1]}
EOF
elif [[ "${_val_arr[0]}" == "RequiredHeaders" ]]; then
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
## RequiredHeaders (Boolean)
##
## If set, the filter will ensure the header of the message conforms to
## the basic header field count restrictions laid out in RFC5322,
## Section 3.6. Messages failing this test are rejected without further
## processing. A From: field from which no domain name could be
## extracted will also be rejected.
#
${_val_arr[0]} ${_val_arr[1]}
EOF
elif [[ "${_val_arr[0]}" == "SPFSelfValidate" ]]; then
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
## SPFSelfValidate (Boolean)
##
## Causes the filter to perform a fallback SPF check itself when it can
## find no SPF results in the message header. If SPFIgnoreResults is
## also set, it never looks for SPF results in headers and always
## performs the SPF check itself when this is set. The default is
## "false".
#
${_val_arr[0]} ${_val_arr[1]}
EOF
elif [[ "${_val_arr[0]}" == "SPFIgnoreResults" ]]; then
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
## SPFIgnoreResults (Boolean)
##
## Causes the filter to ignore any SPF results in the header of the
## message. This is useful if you want the filter to perform SPF checks
## itself, or because you don't trust the arriving header. The default
## is "false".
#
${_val_arr[0]} ${_val_arr[1]}
EOF
else
cat <<EOF >> $opendmarc_conf_file 2> "$log_file"
${_val_arr[0]} ${_val_arr[1]}
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
opendmarc_needs_restart=true
else
echo_failed
error "$(cat $log_file)"
fi
fi
fi fi
done done
@@ -670,12 +881,34 @@ else
error "$(cat $log_file)" error "$(cat $log_file)"
fi fi
echononl " Set Variable non_smtpd_milters at '/etc/postfix/main.cf'.." #echononl " Set Variable non_smtpd_milters at '/etc/postfix/main.cf'.."
if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then #if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then
if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then # if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then
# echo_skipped
# else
# perl -i -n -p -e "s&^\s*(non_smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \
# /etc/postfix/main.cf > $log_file 2>&1
# if [[ $? -eq 0 ]] ; then
# echo_ok
# postfix_needs_restart=true
# else
# echo_failed
# error "$(cat $log_file)"
# fi
# fi
#else
#
# echo_skipped
# warn "non_smtpd_milters is not adjusted. Complete Postfix configuration (main.cf) manually\!"
#fi
echononl " Set Variable smtpd_milters at '/etc/postfix/main.cf'.."
if $(grep -q -E "^\s*smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then
if $(grep -q -E "^\s*smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then
echo_skipped echo_skipped
else else
perl -i -n -p -e "s&^\s*(non_smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \ perl -i -n -p -e "s&^\s*(smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \
/etc/postfix/main.cf > $log_file 2>&1 /etc/postfix/main.cf > $log_file 2>&1
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok
@@ -687,14 +920,14 @@ if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.
fi fi
else else
echo_skipped echo_skipped
warn "Postfix is not adjusted. Complete Postfix configuration (main.cf) manually\!" warn "smtpd_milters was not adjusted. Complete Postfix configuration (main.cf) manually\!"
fi fi
echo "" echo ""
# - Edit /etc/postfix/main.cf and add a section to activate # - Edit /etc/postfix/main.cf and add a section to activate
# - processing of e-mail through the OpenDKIM daemon: # - processing of e-mail through the OpenDKIM daemon:
# - # -
backup_date="$(date +%Y-%m-%d-%H%M)" backup_date="$(date +%Y-%m-%d-%H%M)"
@@ -707,20 +940,16 @@ else
error "$(cat $log_file)" error "$(cat $log_file)"
fi fi
echononl " Activate processing of e-mail through the OpenDKIM daemon.." echononl " Activate processing of e-mail through the OpenDMARC daemon.."
if grep -q -E "milter_default_action\s*=\s*accept" /etc/postfix/main.cf ; then if grep -q -E "^\s*#?\s*smtpd_milters\s*=" ${main_cf_file} ; then
echo_skipped
info "Postfix (main.cf) was not changed - seems already be configured right." ensure_dmarc_var "smtpd_milters" > "${tmp_main_cf_file}"
echononl " Delete previosly saved Postfix configuration.." cp "${tmp_main_cf_file}" "${main_cf_file}"
rm /etc/postfix/main.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else else
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
# ======= Milter configuration ======= # ======= Milter configuration =======
@@ -729,8 +958,8 @@ else
milter_default_action = accept milter_default_action = accept
# Postfix ≥ 2.6 milter_protocol = 6, Postfix ≤ 2.5 milter_protocol = 2 # Postfix ≥ 2.6 milter_protocol = 6, Postfix ≤ 2.5 milter_protocol = 2
milter_protocol = 6 milter_protocol = 6
# Note: # Note:
# We will sign AFTER sending through AmaVIS, just befor sending out. So # We will sign AFTER sending through AmaVIS, just befor sending out. So
# set 'smtpd_milters =' to an emty string here and add to localhost:10025 # set 'smtpd_milters =' to an emty string here and add to localhost:10025
@@ -739,131 +968,62 @@ milter_protocol = 6
# If you want sign mails before sending through AmaVIS, set # If you want sign mails before sending through AmaVIS, set
# 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to # 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
# localhost:10025 section in master.cf: 'smtpd_milters=' # localhost:10025 section in master.cf: 'smtpd_milters='
# #
#smtpd_milters = local:/opendkim/opendkim.sock smtpd_milters = $opendmarc_socket_string
smtpd_milters =
# Was sind non_smtpd_milters?
#
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
# der smtpd-Daemon sind.
#
# Das betrifft z. B.:
#
# cleanup Header/Content-Bereinigung
# qmgr Queue-Manager
# lmtp / smtp Auslieferung nach extern
# local lokale Zustellung
#
# Das sind z. B.:
#
# - interne Bounces (MAILER-DAEMON)
#
# - Cron-Mails vom Server
#
# - Weiterleitungen, die Postfix selbst generiert
#
# - Mails, die über sendmail CLI gesendet werden
#
# - Mails, die Amavis über LMTP zurückgibt
#
# - etc.
#
#
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
non_smtpd_milters = local:/opendkim/opendkim.sock
EOF EOF
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi fi
echo "" #if grep -q -E "^\s*#?\s*non_smtpd_milters\s*=" ${main_cf_file} ; then
#
# ensure_dmarc_var "non_smtpd_milters" > "${tmp_main_cf_file}"
# cp "${tmp_main_cf_file}" "${main_cf_file}"
#
#else
#
# cat <<EOF >> /etc/postfix/main.cf 2> $log_file
#
## Was sind non_smtpd_milters?
##
## non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
## der smtpd-Daemon sind.
##
## Das betrifft z. B.:
##
## cleanup Header/Content-Bereinigung
## qmgr Queue-Manager
## lmtp / smtp Auslieferung nach extern
## local lokale Zustellung
##
## Das sind z. B.:
##
## - interne Bounces (MAILER-DAEMON)
##
## - Cron-Mails vom Server
##
## - Weiterleitungen, die Postfix selbst generiert
##
## - Mails, die über sendmail CLI gesendet werden
##
## - Mails, die Amavis über LMTP zurückgibt
##
## - etc.
##
##
## DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
#non_smtpd_milters = $opendmarc_socket_string
#EOF
#fi
#postfix_needs_restart=true
#if [[ $? -eq 0 ]] ; then
# echo_ok
#else
# echo_failed
# error "$(cat $log_file)"
#fi
# - Prevent Postfix from setting the DMARC Header twice (one befor
# - and one after processing amavis
# -
# - To disable milter processing after amavis, add to your master.cf in
# - the after-amavis section:
# - 127.0.0.1:10025 inet n - - - - smtpd
# - [...]
# - -o smtpd_milters=
# -
# - If you want to run the milter after amavis, set in main.cf
# - smtpd_milters=
# - to an empty string and add the smtpd_milters configuration to master.cf
# - (after-section amavis) instead:
# - -o smtpd_milters=local:/opendmarc/opendmarc.sock
# -
echononl " Backup file '/etc/postfix/master.cf'.."
cp -a /etc/postfix/master.cf /etc/postfix/master.cf.${backup_date} 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
echononl " Adjust /etc/postfix/master.cf. Set DMARC after sending throuh AmaVIS.."
_found=false
_changed=false
tmp_master_file="/tmp/postfix_master.cf"
> $tmp_master_file
while IFS='' read -r _line || [[ -n $_line ]] ; do
if $_found && ! echo "$_line" | grep -i -q -E "^\s*-o" 2> /dev/null ; then
echo " -o smtpd_milters=local:/opendmarc/opendmarc.sock" >> "$tmp_master_file"
_changed=true
_found=false
fi
if $_found && echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*" ; then
_found=false
if ! echo "$_line" | grep -i -q -E "^\s*-o\s+smtpd_milters=\s*local:/opendmarc/opendmarc.sock\s*$" ; then
echo " -o smtpd_milters=local:/opendmarc/opendmarc.sock" >> "$tmp_master_file"
_changed=true
continue
fi
fi
if echo "$_line" | grep -i -q -E "^\s*(localhost|127.0.0.1):10025\s+inet\s+" 2> /dev/null ; then
_found=true
fi
echo "$_line" >> "$tmp_master_file"
done < "/etc/postfix/master.cf"
if $_changed ; then
cp $tmp_master_file /etc/postfix/master.cf 2> $log_file
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
info "Postfix (master.cf) was not changed - seems already be configured right."
echononl " Delete previosly saved file '/etc/postfix/master.cf'.."
rm /etc/postfix/master.cf.$backup_date 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
rm -f $tmp_master_file
echo "" echo ""
echononl " Enable OpenDMARC Service" echononl " Enable OpenDMARC Service"

174
install_postfix_advanced.sh
View File

@@ -2123,7 +2123,9 @@ smtpd_tls_key_file = $_TLS_KEY_FILE
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem #smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
## - also possible to use 2048 key with that parameter ## - also possible to use 2048 key with that parameter
## - ## -
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem ## - DEPRECATED parameter-
## -
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. ## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## - ## -
@@ -2909,8 +2911,13 @@ fi
cat <<EOF >> /etc/postfix/main.cf cat <<EOF >> /etc/postfix/main.cf
# Policyd-Weight # Policyd-Weight
#check_policy_service inet:127.0.0.1:12525, #check_policy_service inet:127.0.0.1:12525,
# ---------------------------------------------------------------------------------
# DEPRECATED permit_mx_backup
#
# warning: support for restriction "permit_mx_backup" will be removed from Postfix;
# permit Backup MX # permit Backup MX
permit_mx_backup, # permit_mx_backup,
# ---------------------------------------------------------------------------------
# permit, if all restrictions so far passed # permit, if all restrictions so far passed
permit permit
@@ -2951,8 +2958,13 @@ smtpd_relay_restrictions =
# managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html # managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
# for more details # for more details
reject_unverified_recipient, reject_unverified_recipient,
# ---------------------------------------------------------------------------------
# DEPRECATED permit_mx_backup
#
# warning: support for restriction "permit_mx_backup" will be removed from Postfix;
# permit Backup MX # permit Backup MX
permit_mx_backup, # permit_mx_backup,
# ---------------------------------------------------------------------------------
# permit, if all restrictions so far passed # permit, if all restrictions so far passed
permit permit
@@ -2992,7 +3004,7 @@ if [[ -n "$(which opendkim)" ]] || [[ -n "$(which opendmarc)" ]] ; then
# ======= Milter configuration ======= # ======= Milter configuration =======
# OpenDKIM # OpenDKIM / OpenDMARC
milter_default_action = accept milter_default_action = accept
@@ -3009,7 +3021,23 @@ milter_protocol = 6
# localhost:10025 section in master.cf: 'smtpd_milters=' # localhost:10025 section in master.cf: 'smtpd_milters='
# #
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
smtpd_milters = EOF
if [[ -n "$(which opendkim)" ]] && [[ -n "$(which opendmarc)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
smtpd_milters = local:/opendkim/opendkim.sock,local:/opendmarc/opendmarc.sock
EOF
elif [[ -n "$(which opendkim)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
smtpd_milters = local:/opendkim/opendkim.sock
EOF
else
cat <<EOF >> /etc/postfix/main.cf
smtpd_milters = local:/opendmarc/opendmarc.sock
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
# Was sind non_smtpd_milters? # Was sind non_smtpd_milters?
# #
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT # non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
@@ -3036,19 +3064,76 @@ smtpd_milters =
# #
# - etc. # - etc.
# #
#
EOF
fi
if [[ -n "$(which opendkim)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden. # DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
# #
non_smtpd_milters = local:/opendkim/opendkim.sock
EOF EOF
else
cat <<EOF >> /etc/postfix/main.cf if [[ -n "$(which opendkim)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = local:/opendkim/opendkim.sock
EOF
else
cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = non_smtpd_milters =
EOF
fi
else
cat <<EOF >> /etc/postfix/main.cf
# ======= Milter configuration =======
# OpenDKIM / OpenDMARC
milter_default_action = accept
# Postfix ≥ 2.6 milter_protocol = 6, Postfix ≤ 2.5 milter_protocol = 2
milter_protocol = 6
# Note:
# We will sign AFTER sending through AmaVIS, just befor sending out. So
# set 'smtpd_milters =' to an emty string here and add to localhost:10025
# section in master.cf: 'smtpd_milters=local:/opendkim/opendkim.sock'
#
# If you want sign mails before sending through AmaVIS, set
# 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
# localhost:10025 section in master.cf: 'smtpd_milters='
#
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
#smtpd_milters =
# Was sind non_smtpd_milters?
#
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
# der smtpd-Daemon sind.
#
# Das betrifft z. B.:
#
# cleanup Header/Content-Bereinigung
# qmgr Queue-Manager
# lmtp / smtp Auslieferung nach extern
# local lokale Zustellung
#
# Das sind z. B.:
#
# - interne Bounces (MAILER-DAEMON)
#
# - Cron-Mails vom Server
#
# - Weiterleitungen, die Postfix selbst generiert
#
# - Mails, die über sendmail CLI gesendet werden
#
# - Mails, die Amavis über LMTP zurückgibt
#
# - etc.
#
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
#
#non_smtpd_milters =
EOF EOF
fi fi
@@ -3539,41 +3624,58 @@ fi
_file="/etc/postfix/header_checks.pcre" _file="/etc/postfix/header_checks.pcre"
echononl " Create file '$_file' used for header replacing" echononl " Create file '$_file' used for header replacing"
if [[ ! -f "$_file" ]]; then if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file" cat << 'EOF' > "$_file"
# --- # ---
# - Replace headers # - Header Checks - /etc/postfix/header_checks
# --- # ---
#
# Ziel: offensichtlich kaputte RFC-Header ablehnen (wenig False Positives)
# - Replace recieved from ########################################
#/^Received: from (.* \\([-._[:alnum:]]+ \\[[.[:digit:]]{7,15}\\]\\)).*?([[:space:]]+).*\\(Authenticated sender: ([^)]+)\\)(.*)/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])\$2(Authenticated sender: \$3)\$4 # A) Kaputter From:-Header
########################################
# 1) From: ist leer
/^From:\s*$/ REJECT Invalid From header (empty) - Spamschutzregel FROM-1001
# 2) Mehr als ein '@' im From:-Header -> syntaktisch kaputt
/^From:.*@.*@/ REJECT Invalid From header (multiple @) - Spamschutzregel FROM-1002
# --- # 3) Mehrere Mailboxen durch Komma getrennt (wie: Die@..., Lions@..., ...)
# - Ignore Headers # (Legitime Fälle nutzen i.d.R. Display-Namen/Group-Syntax; dieses Muster ist in Spam sehr häufig)
# --- /^From:\s*[^<>,]+@[^,]+,\s*[^<>,]+@/ REJECT Invalid From header (multiple mailboxes) - Spamschutzregel FROM-1003
#/^\s*User-Agent/ IGNORE # 4) Typische kaputte UTF-8-Fragmente
#/^\s*X-Enigmail/ IGNORE /^From:.*\xC3\xA2/ REJECT Invalid UTF-8 in From header - Spamschutzregel FROM-1004
#/^\s*X-Mailer/ IGNORE
#/^\s*X-Originating-IP/ IGNORE
# --- ########################################
# - Reject / Discard headers # B) Optional: sehr spezifische lokale Blacklist
# --- ########################################
/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001 #/^Reply-To: .+\@inx1and1\..+/ REJECT Possible spam (local pattern)
/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001
/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001 ########################################
# C) Warn
########################################
/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001 # Date-Rejects sind oft zu aggressiv -> wenn nötig: lieber taggen oder loggen statt reject
/^Date: .* 19[0-9][0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1003
########################################
# Bemerkungen
########################################
# (envelope-from <>) nicht pauschal rejecten:
# echte DSNs/Bounces haben legitimerweise MAIL FROM: <>
#/\(envelope-from <>\)/ REJECT Null envelope-from
/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003
/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004
EOF EOF
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok

4
install_postfix_base.sh
View File

@@ -929,7 +929,9 @@ smtpd_tls_key_file = $_TLS_KEY_FILE
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem #smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
## - also possible to use 2048 key with that parameter ## - also possible to use 2048 key with that parameter
## - ## -
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem ## - DEPRECATED parameter-
## -
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. ## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## - ## -

143
install_postfixadmin.sh
View File

@@ -187,10 +187,9 @@ detect_mysql_version () {
# - # -
systemd_supported=false systemd_supported=false
systemd=$(which systemd)
systemctl=$(which systemctl) systemctl=$(which systemctl)
if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then if [[ -n "$systemctl" ]] ; then
systemd_supported=true systemd_supported=true
fi fi
@@ -256,6 +255,14 @@ do
echo -e "\n\t\033[33m\033[1mA version number is required!\033[m\n" echo -e "\n\t\033[33m\033[1mA version number is required!\033[m\n"
fi fi
done done
IFS='.' read -r PF_ADMIN_MAJOR_VERSION PF_ADMIN_MINOR_VERSION PF_ADMIN_PATCH_LEVEL <<< "$PF_ADMIN_VERSION"
#echo ""
#echo "PF_ADMIN_MAJOR_VERSION: $PF_ADMIN_MAJOR_VERSION"
#echo "PF_ADMIN_MINOR_VERSION: $PF_ADMIN_MINOR_VERSION"
#echo "PF_ADMIN_PATCH_LEVEL: $PF_ADMIN_PATCH_LEVEL"
#exit
echo "" echo ""
echo -e "\033[32m--\033[m" echo -e "\033[32m--\033[m"
echo "" echo ""
@@ -275,6 +282,9 @@ DEFAULT_APACHE_SERVER_CERT="server-bundle.crt"
DEFAULT_APACHE_SERVER_KEY="server.key" DEFAULT_APACHE_SERVER_KEY="server.key"
DEFAULT_DEBIAN_APACHE_VHOST_DIR="/etc/apache2/sites-available" DEFAULT_DEBIAN_APACHE_VHOST_DIR="/etc/apache2/sites-available"
DEFAULT_APACHE_VHOST_DIR="/usr/local/apache2/conf/vhosts" DEFAULT_APACHE_VHOST_DIR="/usr/local/apache2/conf/vhosts"
DEFAULT_COMPOSER="/usr/local/bin/composer"
DEFAULT_POSTFIX_DB_HOST_PGSQL="/run/postgresql" DEFAULT_POSTFIX_DB_HOST_PGSQL="/run/postgresql"
if [[ -S "/tmp/mysql.sock" ]] ; then if [[ -S "/tmp/mysql.sock" ]] ; then
DEFAULT_POSTFIX_DB_HOST_MYSQL="unix:/tmp/mysql.sock" DEFAULT_POSTFIX_DB_HOST_MYSQL="unix:/tmp/mysql.sock"
@@ -379,6 +389,8 @@ if [[ -z "$APACHE_VHOST_DIR" ]] ; then
fi fi
fi fi
[[ -n "${COMPOSER}" ]] || COMPOSER=${DEFAULT_COMPOSER}
[[ -n "$POSTFIX_DB_TYPE" ]] || fatal "Database Type of Postfix Database (POSTFIX_DB_TYPE) not present!" [[ -n "$POSTFIX_DB_TYPE" ]] || fatal "Database Type of Postfix Database (POSTFIX_DB_TYPE) not present!"
[[ -n "$POSTFIX_DB_HOST_MYSQL" ]] || POSTFIX_DB_HOST_MYSQL="$DEFAULT_POSTFIX_DB_HOST_MYSQL" [[ -n "$POSTFIX_DB_HOST_MYSQL" ]] || POSTFIX_DB_HOST_MYSQL="$DEFAULT_POSTFIX_DB_HOST_MYSQL"
[[ -n "$POSTFIX_DB_HOST_PGSQL" ]] ||POSTFIX_DB_HOST_PGSQL="$DEFAULT_POSTFIX_DB_HOST_PGSQL" [[ -n "$POSTFIX_DB_HOST_PGSQL" ]] ||POSTFIX_DB_HOST_PGSQL="$DEFAULT_POSTFIX_DB_HOST_PGSQL"
@@ -926,11 +938,79 @@ done
if $_failed ; then if $_failed ; then
echo_failed echo_failed
error "$(cat $log_file)" error "$(cat $log_file)"
echononl "\tcontinue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Script terminated by user input.."
else else
echo_ok echo_ok
fi fi
echo -e "\n\n\t\033[37m\033[1mInstall (global) composer..\033[m\n"
echononl "\tDownload composer from 'getcomposer.org'.."
php -r "copy('https://getcomposer.org/installer', '${_src_base_dir}/composer-setup.php');" > $log_file 2>&1
if [[ "$?" = "0" ]]; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
echononl "\tcontinue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Script terminated by user input.."
fi
echononl "\tInstall composer to ${COMPOSER}"
php ${_src_base_dir}/composer-setup.php --install-dir=$(dirname ${COMPOSER}) \
--filename=$(basename ${COMPOSER}) > $log_file 2>&1
if [[ "$?" = "0" ]]; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
echononl "\tcontinue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Script terminated by user input.."
fi
echononl "\tRemove the installer"
php -r "unlink('${_src_base_dir}/composer-setup.php');" > $log_file 2>&1
if [[ "$?" = "0" ]]; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
echononl "\tcontinue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Script terminated by user input.."
fi
echo -e "\n\n\t\033[37m\033[1mBase install Postfixadmin..\033[m\n" echo -e "\n\n\t\033[37m\033[1mBase install Postfixadmin..\033[m\n"
@@ -1102,6 +1182,37 @@ else
echo_ok echo_ok
fi fi
echononl "\tInstall PHP dependencies ( composer install --no-dev ... ).."
if [[ ${PF_ADMIN_MAJOR_VERSION} -gt 3 ]] ; then
if $PHP_DEBIAN_INSTALLATION ; then
su ${HTTP_USER} -c"cd ${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}
php /usr/local/bin/composer install --prefer-dist --no-interaction --no-dev" -s /bin/bash \
> $log_file 2>&1
else
su ${HTTP_USER} -c"cd ${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}
/usr/local/php-${php_latest_ver}/bin/php /usr/local/bin/composer --prefer-dist \
--no-interaction install --no-dev" -s /bin/bash > $log_file 2>&1
fi
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
echononl "\tcontinue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Script terminated by user input.."
fi
else
echo_skipped
fi
echononl "\tRemove existing symlink '${WEBSITE_BASEDIR}/htdocs'" echononl "\tRemove existing symlink '${WEBSITE_BASEDIR}/htdocs'"
if [[ -h "${WEBSITE_BASEDIR}/htdocs" ]]; then if [[ -h "${WEBSITE_BASEDIR}/htdocs" ]]; then
@@ -2097,7 +2208,7 @@ fi
echo -e "\n\n\t\033[37m\033[1mConfigure Postfix Admin\033[m\n" echo -e "\n\n\t\033[37m\033[1mConfigure Postfix Admin\033[m\n"
if [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]]; then if [[ $MAJOR_VERSION -gt 3 ]] || [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]]; then
pfa_conf_file="${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.local.php" pfa_conf_file="${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.local.php"
cp -a "${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.inc.php" "$pfa_conf_file" cp -a "${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.inc.php" "$pfa_conf_file"
else else
@@ -2496,7 +2607,7 @@ fi
## - $CONF['show_undeliverable']='NO'; ## - $CONF['show_undeliverable']='NO';
## - $CONF['show_popimap']='NO'; ## - $CONF['show_popimap']='NO';
## - ## -
## - $CONF['used_quotas'] = 'YES'; ## - $CONF['used_quotas'] = 'NO';
## - $CONF['new_quota_table'] = 'YES'; ## - $CONF['new_quota_table'] = 'YES';
## - ## -
echononl "\tAdjust Postfix Admin's Configuration - Part 5" echononl "\tAdjust Postfix Admin's Configuration - Part 5"
@@ -2528,7 +2639,7 @@ perl -i -n -p -e "s#^(\s*\\\$CONF\['show_undeliverable'\]\s*=.*)#//!\1\n\\\$CONF
$pfa_conf_file >> $log_file 2>&1 || _failed=true $pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['show_popimap'\]\s*=.*)#//!\1\n\\\$CONF['show_popimap'] = 'NO';#" \ perl -i -n -p -e "s#^(\s*\\\$CONF\['show_popimap'\]\s*=.*)#//!\1\n\\\$CONF['show_popimap'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true $pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['used_quotas'\]\s*=.*)#//!\1\n\\\$CONF['used_quotas'] = 'YES';#" \ perl -i -n -p -e "s#^(\s*\\\$CONF\['used_quotas'\]\s*=.*)#//!\1\n\\\$CONF['used_quotas'] = 'NO';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true $pfa_conf_file >> $log_file 2>&1 || _failed=true
perl -i -n -p -e "s#^(\s*\\\$CONF\['new_quota_table'\]\s*=.*)#//!\1\n\\\$CONF['new_quota_table'] = 'YES';#" \ perl -i -n -p -e "s#^(\s*\\\$CONF\['new_quota_table'\]\s*=.*)#//!\1\n\\\$CONF['new_quota_table'] = 'YES';#" \
$pfa_conf_file >> $log_file 2>&1 || _failed=true $pfa_conf_file >> $log_file 2>&1 || _failed=true
@@ -3496,6 +3607,26 @@ else
error "$(cat $log_file)" error "$(cat $log_file)"
fi fi
echononl "\tRestart Apache Webservice.."
if [[ -n "$APACHE_SERVICE_FILE" ]] || [[ -n "$APACHE_INIT_SCRIPT" ]] ; then
if [[ -n "$APACHE_SERVICE_FILE" ]] ; then
systemctl restart $APACHE_SERVICE_FILE > $log_file 2>&1
else
$APACHE_INIT_SCRIPT restart > $log_file 2>&1
fi
if [[ $? -eq 0 ]]; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
warn "Neither an init-script nor a service file for 'apache2' webservice found!"
fi
# - Start all PHP FPM engines # - Start all PHP FPM engines
# - # -
if [[ -n "$php_major_versions" ]]; then if [[ -n "$php_major_versions" ]]; then
@@ -3543,7 +3674,7 @@ fi
echo "" echo ""
info "Browse to \033[1mhttp://${WEBSITE_NAME}/setup.php\033[m to create a 'setup password'\n$(cat <<EOF info "Browse to \033[1mhttps://${WEBSITE_NAME}/setup.php\033[m to create a 'setup password'\n$(cat <<EOF
\t \033[33mIn caes of updating postfix.admin browse this URL and \033[1mlogin with your \t \033[33mIn caes of updating postfix.admin browse this URL and \033[1mlogin with your
\t setup_password\033[m\033[33m, because only after that the database '${POSTFIX_DB_NAME}' \t setup_password\033[m\033[33m, because only after that the database '${POSTFIX_DB_NAME}'

115
install_update_dovecot-2.4.sh
View File

@@ -2361,7 +2361,13 @@ done
## - Let make use multiple cores (-j<number of cores +1>) ## - Let make use multiple cores (-j<number of cores +1>)
## - ## -
export MAKEFLAGS=-j$(expr `grep "^processor" /proc/cpuinfo | sort -u | wc -l` - 1) #export MAKEFLAGS=-j$(expr `grep "^processor" /proc/cpuinfo | sort -u | wc -l` - 1)
CPUS=$(nproc)
if (( CPUS > 1 )); then
export MAKEFLAGS="-j$((CPUS - 1))"
else
export MAKEFLAGS="-j1"
fi
# ------------- # -------------
@@ -2639,6 +2645,58 @@ if $_new ; then
fi fi
# Dovecot's configure script queries pkg-config for "systemd" and expects
# the variable "systemdsystemunitdir" to be defined.
# On minimal Debian(13)-based systems, only libsystemd.pc is provided and
# no systemd.pc (and often no systemd binary) exists.
# This pkg-config wrapper provides the missing metadata so configure
# can auto-detect the correct systemd unit installation directory.
#
if [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -ge 13 ]] ; then
echononl " Create '/usr/lib/x86_64-linux-gnu/pkgconfig/systemd.pc'."
if [[ ! -f "/usr/lib/x86_64-linux-gnu/pkgconfig/systemd.pc" ]] ; then
cat <<'EOF' > /usr/lib/x86_64-linux-gnu/pkgconfig/systemd.pc 2>>${_log_dir}/debian-install.log
prefix=/usr
exec_prefix=${prefix}
libdir=/usr/lib/x86_64-linux-gnu
includedir=/usr/include
# Some build systems (incl. Dovecot's configure) query this to decide where
# to install systemd service/unit files:
systemdsystemunitdir=/usr/lib/systemd/system
Name: systemd
Description: systemd (pkg-config compatibility wrapper)
Version: 0
Requires: libsystemd
EOF
if [[ $? -gt 0 ]] ; then
echo -e "$rc_failed"
error "$(cat $log_file)"
echo ""
echo " command was:"
echo " ln -s libsystemd.pc /usr/lib/x86_64-linux-gnu/pkgconfig/systemd.pc"
echo ""
echononl " continue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/no]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
else
echo -e "$rc_done"
fi
else
echo -e "$rc_skipped"
fi
fi
## ----------------- ## -----------------
## - Create Users/groups needed for dovecot ## - Create Users/groups needed for dovecot
@@ -2778,6 +2836,11 @@ if $systemd_support ; then
fi fi
#--with-systemdsystemunitdir=/etc/systemd/system/" #--with-systemdsystemunitdir=/etc/systemd/system/"
#if [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -ge 13 ]] ; then
# config_params="$config_params systemdsystemunitdir=/lib/systemd/system"
#fi
echononl " Configure Dovecot.." echononl " Configure Dovecot.."
#./configure \ #./configure \
# --prefix=/usr/local/dovecot-${_version} \ # --prefix=/usr/local/dovecot-${_version} \
@@ -3151,12 +3214,12 @@ EOF
echononl " Create empty file '$(basename "${_conf_file}")'.." echononl " Create empty file '$(basename "${_conf_file}")'.."
if [[ ! -f "${_conf_file}" ]] ; then if [[ ! -f "${_conf_file}" ]] ; then
_failed=false _failed=false
cat <<'EOF' > "${_conf_file}" 2> "${log_file}" cat <<EOF > "${_conf_file}" 2> "${log_file}"
## ##
## Settings for the Sieve interpreter ## Settings for the Sieve interpreter
## ##
# see also: https://doc.dovecot.org/2.4.1/core/plugins/sieve.html # see also: https://doc.dovecot.org/${_version}/core/plugins/sieve.html
# To use Sieve, you will first need to make sure you are using Dovecot LDA or LMTP Server # To use Sieve, you will first need to make sure you are using Dovecot LDA or LMTP Server
# for delivering incoming mail to users' mailboxes. # for delivering incoming mail to users' mailboxes.
@@ -3221,12 +3284,12 @@ EOF
echononl " Create empty file '$(basename "${_conf_file}")'.." echononl " Create empty file '$(basename "${_conf_file}")'.."
if [[ ! -f "${_conf_file}" ]] ; then if [[ ! -f "${_conf_file}" ]] ; then
_failed=false _failed=false
cat <<'EOF' > "${_conf_file}" 2> "${log_file}" cat <<EOF > "${_conf_file}" 2> "${log_file}"
## ##
## Settings for the Sieve Vacation Extension ## Settings for the Sieve Vacation Extension
## ##
# see also: https://doc.dovecot.org/2.4.1/core/config/sieve/extensions/vacation.html # see also: https://doc.dovecot.org/${_version}/core/config/sieve/extensions/vacation.html
# The Sieve vacation extension (RFC 5230) defines a mechanism to generate automatic # The Sieve vacation extension (RFC 5230) defines a mechanism to generate automatic
# replies to incoming email messages. It takes various precautions to make sure replies # replies to incoming email messages. It takes various precautions to make sure replies
@@ -6291,7 +6354,7 @@ EOF
# same as IMAP's LOGIN command. The LOGIN command is internally handled using PLAIN # same as IMAP's LOGIN command. The LOGIN command is internally handled using PLAIN
# mechanism. # mechanism.
# #
# see https://doc.dovecot.org/2.4.1/core/config/auth/mechanisms/overview.html for # see https://doc.dovecot.org/${_version}/core/config/auth/mechanisms/overview.html for
# further (non-rcCleartext) Authentication. # further (non-rcCleartext) Authentication.
auth_mechanisms = ${auth_mechanisms} auth_mechanisms = ${auth_mechanisms}
EOF EOF
@@ -6417,11 +6480,11 @@ if [[ $dovecot_major_version -gt 2 ]] \
if [[ "$db_driver" = "pgsql" ]]; then if [[ "$db_driver" = "pgsql" ]]; then
read -r -d '' NEW_BLOCK <<'EOF' read -r -d '' NEW_BLOCK <<EOF
passdb sql { passdb sql {
# Load SQL connection data # Load SQL connection data
!include /usr/local/dovecot-2.4.1-4/etc/dovecot/sql-connect.conf.ext !include /usr/local/dovecot-${_version}/etc/dovecot/sql-connect.conf.ext
query = SELECT username AS user, password \\ query = SELECT username AS user, password \\
FROM mailbox \\ FROM mailbox \\
@@ -6449,18 +6512,18 @@ EOF
# LMTP mail delivery YES YES # LMTP mail delivery YES YES
# doveadm commands YES YES # doveadm commands YES YES
# #
# see also: https://doc.dovecot.org/2.4.1/core/config/auth/passdb.html # see also: https://doc.dovecot.org/${_version}/core/config/auth/passdb.html
# #
$(echo -e "${NEW_BLOCK}") $(echo -e "${NEW_BLOCK}")
EOF EOF
fi fi
read -r -d '' NEW_BLOCK <<'EOF' read -r -d '' NEW_BLOCK <<EOF
userdb sql { userdb sql {
# Load SQL connection data # Load SQL connection data
!include /usr/local/dovecot-2.4.1-4/etc/dovecot/sql-connect.conf.ext !include /usr/local/dovecot-${_version}/etc/dovecot/sql-connect.conf.ext
query = SELECT '/var/vmail/' || maildir AS home, \\ query = SELECT '/var/vmail/' || maildir AS home, \\
'5000' AS uid, '5000' AS gid \\ '5000' AS uid, '5000' AS gid \\
@@ -6497,7 +6560,7 @@ EOF
# The userdb and passdb may be the same or they may be different depending on your needs. # The userdb and passdb may be the same or they may be different depending on your needs.
# You can also have multiple authentication databases. # You can also have multiple authentication databases.
# #
# see: https://doc.dovecot.org/2.4.1/core/config/auth/userdb.html # see: https://doc.dovecot.org/${_version}/core/config/auth/userdb.html
# #
$(echo -e "${NEW_BLOCK}") $(echo -e "${NEW_BLOCK}")
EOF EOF
@@ -6505,11 +6568,11 @@ EOF
elif [[ "$db_driver" = "mysql" ]]; then elif [[ "$db_driver" = "mysql" ]]; then
read -r -d '' NEW_BLOCK <<'EOF' read -r -d '' NEW_BLOCK <<EOF
passdb sql { passdb sql {
# Load SQL connection data # Load SQL connection data
!include /usr/local/dovecot-2.4.1-4/etc/dovecot/sql-connect.conf.ext !include /usr/local/dovecot-${_version}/etc/dovecot/sql-connect.conf.ext
query = SELECT username AS user, password \\ query = SELECT username AS user, password \\
FROM mailbox \\ FROM mailbox \\
@@ -6537,17 +6600,17 @@ EOF
# LMTP mail delivery YES YES # LMTP mail delivery YES YES
# doveadm commands YES YES # doveadm commands YES YES
# #
# see also: https://doc.dovecot.org/2.4.1/core/config/auth/passdb.html # see also: https://doc.dovecot.org/${_version}/core/config/auth/passdb.html
# #
$(echo -e "${NEW_BLOCK}") $(echo -e "${NEW_BLOCK}")
EOF EOF
fi fi
read -r -d '' NEW_BLOCK <<'EOF' read -r -d '' NEW_BLOCK <<EOF
userdb sql { userdb sql {
# Load SQL connection data # Load SQL connection data
!include /usr/local/dovecot-2.4.1-4/etc/dovecot/sql-connect.conf.ext !include /usr/local/dovecot-${_version}/etc/dovecot/sql-connect.conf.ext
query = SELECT CONCAT('/var/vmail/',maildir) AS home, \\ query = SELECT CONCAT('/var/vmail/',maildir) AS home, \\
'5000' AS uid, '5000' AS gid \\ '5000' AS uid, '5000' AS gid \\
@@ -6584,7 +6647,7 @@ EOF
# The userdb and passdb may be the same or they may be different depending on your needs. # The userdb and passdb may be the same or they may be different depending on your needs.
# You can also have multiple authentication databases. # You can also have multiple authentication databases.
# #
# see: https://doc.dovecot.org/2.4.1/core/config/auth/userdb.html # see: https://doc.dovecot.org/${_version}/core/config/auth/userdb.html
# #
$(echo -e "${NEW_BLOCK}") $(echo -e "${NEW_BLOCK}")
EOF EOF
@@ -7081,7 +7144,7 @@ if [[ $dovecot_major_version -gt 2 ]] \
# #
# As used here, %{user | domain} expands to the domain of the local user. Other Mail user # As used here, %{user | domain} expands to the domain of the local user. Other Mail user
# variables can be used as well. # variables can be used as well.
# see: https://doc.dovecot.org/2.4.1/core/settings/variables.html#mail-user-variables # see: https://doc.dovecot.org/${_version}/core/settings/variables.html#mail-user-variables
postmaster_address = ${postmaster_address} postmaster_address = ${postmaster_address}
EOF EOF
fi fi
@@ -7231,7 +7294,7 @@ protocol lmtp {
# #
# As used here, %{user | domain} expands to the domain of the local user. Other Mail user # As used here, %{user | domain} expands to the domain of the local user. Other Mail user
# variables can be used as well. # variables can be used as well.
# see: https://doc.dovecot.org/2.4.1/core/settings/variables.html#mail-user-variables # see: https://doc.dovecot.org/${_version}/core/settings/variables.html#mail-user-variables
postmaster_address = ${postmaster_address} postmaster_address = ${postmaster_address}
mail_plugins { mail_plugins {
@@ -9180,11 +9243,11 @@ if [[ $dovecot_major_version -gt 2 ]] \
if [[ "$db_driver" = "pgsql" ]]; then if [[ "$db_driver" = "pgsql" ]]; then
read -r -d '' NEW_BLOCK <<'EOF' read -r -d '' NEW_BLOCK <<EOF
userdb sql { userdb sql {
# Load SQL connection data # Load SQL connection data
!include /usr/local/dovecot-2.4.1-4/etc/dovecot/sql-connect.conf.ext !include /usr/local/dovecot-${_version}/etc/dovecot/sql-connect.conf.ext
query = SELECT '/var/vmail/' || maildir AS home, \\ query = SELECT '/var/vmail/' || maildir AS home, \\
'5000' AS uid, '5000' AS gid, \\ '5000' AS uid, '5000' AS gid, \\
@@ -9222,7 +9285,7 @@ EOF
# The userdb and passdb may be the same or they may be different depending on your needs. # The userdb and passdb may be the same or they may be different depending on your needs.
# You can also have multiple authentication databases. # You can also have multiple authentication databases.
# #
# see: https://doc.dovecot.org/2.4.1/core/config/auth/userdb.html # see: https://doc.dovecot.org/${_version}/core/config/auth/userdb.html
# #
${NEW_BLOCK} ${NEW_BLOCK}
EOF EOF
@@ -9234,11 +9297,11 @@ EOF
elif [[ "$db_driver" = "mysql" ]]; then elif [[ "$db_driver" = "mysql" ]]; then
read -r -d '' NEW_BLOCK <<'EOF' read -r -d '' NEW_BLOCK <<EOF
userdb sql { userdb sql {
# Load SQL connection data # Load SQL connection data
!include /usr/local/dovecot-2.4.1-4/etc/dovecot/sql-connect.conf.ext !include /usr/local/dovecot-${_version}/etc/dovecot/sql-connect.conf.ext
query = SELECT CONCAT('/var/vmail/',maildir) AS home, \ query = SELECT CONCAT('/var/vmail/',maildir) AS home, \
'5000' AS uid, '5000' AS gid, \ '5000' AS uid, '5000' AS gid, \
@@ -9276,7 +9339,7 @@ EOF
# The userdb and passdb may be the same or they may be different depending on your needs. # The userdb and passdb may be the same or they may be different depending on your needs.
# You can also have multiple authentication databases. # You can also have multiple authentication databases.
# #
# see: https://doc.dovecot.org/2.4.1/core/config/auth/userdb.html # see: https://doc.dovecot.org/${_version}/core/config/auth/userdb.html
# #
$(echo -e "${NEW_BLOCK}") $(echo -e "${NEW_BLOCK}")
EOF EOF

252
install_update_dovecot.sh
View File

@@ -184,7 +184,7 @@ else
fi fi
if [[ -z "$systemd_support" ]] ; then if [[ -z "$systemd_support" ]] ; then
if $SYSTEMD_EXISTS ; then if $SYSTEMD_EXISTS ; then
systemd_support=true systemd_support=true
else else
systemd_support=false systemd_support=false
@@ -305,7 +305,7 @@ _version_short="${_version%-*}"
#clean_up 0 #clean_up 0
# 'expire plugin'was rRemoved in version 2.3.14: This plugin is not needed. # 'expire plugin'was rRemoved in version 2.3.14: This plugin is not needed.
# Use mailbox { autoexpunge } Mailbox settings instead. # Use mailbox { autoexpunge } Mailbox settings instead.
# #
if [[ $dovecot_major_version -gt 2 ]] \ if [[ $dovecot_major_version -gt 2 ]] \
@@ -362,12 +362,12 @@ if [[ -n "$_update" ]]; then
echo -e "[1] Update" echo -e "[1] Update"
echo -e "\033[37m\033[1m[2] New Installation\033[m" echo -e "\033[37m\033[1m[2] New Installation\033[m"
fi fi
echo "" echo ""
echononl "Choose a number or press <RETURN> for highlighted value: " echononl "Choose a number or press <RETURN> for highlighted value: "
else else
echo -e "[1] Update" echo -e "[1] Update"
echo "[2] New Installation" echo "[2] New Installation"
echo "" echo ""
echononl "Choose a Number: " echononl "Choose a Number: "
fi fi
update="" update=""
@@ -392,13 +392,13 @@ while [[ "$update" != "true" && "$update" != "false" ]] ; do
fi fi
;; ;;
*) update="" *) update=""
echo "" echo ""
if [[ -n "$_IS_RELAY_HOST" ]]; then if [[ -n "$_IS_RELAY_HOST" ]]; then
echo -e "\tWrong entry! [ 1 = Update ; 2 = New Installation ] or type <RETURN>" echo -e "\tWrong entry! [ 1 = Update ; 2 = New Installation ] or type <RETURN>"
else else
echo -e "\tWrong entry! [ 1 = Update ; 2 = New Installation ]" echo -e "\tWrong entry! [ 1 = Update ; 2 = New Installation ]"
fi fi
echo "" echo ""
echononl "Reentry: " echononl "Reentry: "
;; ;;
esac esac
@@ -415,7 +415,7 @@ done
clear; clear;
echo "" echo ""
if $update ;then if $update ;then
echo -e "\tUpdate Dovecot................: $update" echo -e "\tUpdate Dovecot................: $update"
else else
echo -e "\tInstall Dovecot first time....: Yes" echo -e "\tInstall Dovecot first time....: Yes"
@@ -507,7 +507,7 @@ export MAKEFLAGS=-j$(expr `grep "^processor" /proc/cpuinfo | sort -u | wc -l` -
echo "" echo ""
if $update ;then if $update ;then
_new=false; _new=false;
else else
_new=true; _new=true;
@@ -683,7 +683,7 @@ mkdir -p $_log_dir
## ----------------- ## -----------------
## --- Download ## --- Download
cd ${_src_base_dir} cd ${_src_base_dir}
@@ -720,7 +720,7 @@ fi
## - Download Pigeonhole for Dovecot v2.2 ## - Download Pigeonhole for Dovecot v2.2
## - ## -
if [[ ${dovecot_major_version} -eq 2 ]] && [[ ${dovecot_minor_version} -lt 4 ]] ; then if [[ ${dovecot_major_version} -eq 2 ]] && [[ ${dovecot_minor_version} -lt 4 ]] ; then
echononl "\tDownload dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.." echononl "\tDownload dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
if [ ! -f "${_src_base_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz" ]; then if [ ! -f "${_src_base_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz" ]; then
wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1 wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
@@ -730,7 +730,7 @@ if [[ ${dovecot_major_version} -eq 2 ]] && [[ ${dovecot_minor_version} -lt 4 ]]
echo -e "$rc_failed" echo -e "$rc_failed"
error "Direct download of 'dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz' failed error "Direct download of 'dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz' failed
Download \033[1mdovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz\033[m manually Download \033[1mdovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz\033[m manually
and proceed instllation." and proceed instllation."
echononl "\tProceed instllation [yes/no]: " echononl "\tProceed instllation [yes/no]: "
@@ -1071,7 +1071,7 @@ fi
## - if [ -d $checkdir ]; then ## - if [ -d $checkdir ]; then
## - PATH=$PATH:$checkdir ## - PATH=$PATH:$checkdir
## - fi ## - fi
## - ## -
echononl "\tAdd /usr/local/dovecot/bin to PATH variable.." echononl "\tAdd /usr/local/dovecot/bin to PATH variable.."
if ! grep "checkdir=\"/usr/local/dovecot/bin\"" /etc/profile > /dev/null ; then if ! grep "checkdir=\"/usr/local/dovecot/bin\"" /etc/profile > /dev/null ; then
perl -i -n -p -e "s#^(\s*)(export\ +PATH)#checkdir=\"/usr/local/dovecot/bin\"\nif [ -d \\\$checkdir ]; then\n PATH=\\\$PATH:\\\$checkdir\nfi\n\n\1\2#" /etc/profile perl -i -n -p -e "s#^(\s*)(export\ +PATH)#checkdir=\"/usr/local/dovecot/bin\"\nif [ -d \\\$checkdir ]; then\n PATH=\\\$PATH:\\\$checkdir\nfi\n\n\1\2#" /etc/profile
@@ -1166,9 +1166,9 @@ cp -r /usr/local/dovecot-${_version}/share/doc/dovecot/example-config/* \
## - base_dir =/run/dovecot/ ## - base_dir =/run/dovecot/
## - state_dir = /run/dovecot ## - state_dir = /run/dovecot
## - shutdown_clients = no ## - shutdown_clients = no
## - ## -
## - dict { ## - dict {
## - expire = $db_driver:/usr/local/dovecot/etc/dovecot/sql-dict.conf.ext ## - expire = $db_driver:/usr/local/dovecot/etc/dovecot/sql-dict.conf.ext
## - } ## - }
## - ## -
echononl "\tAdjust file dovecot.conf.." echononl "\tAdjust file dovecot.conf.."
@@ -1253,7 +1253,7 @@ if $_new ; then
echononl "\tCreate table expires in database ${dbname}.." echononl "\tCreate table expires in database ${dbname}.."
if $plugin_expire ; then if $plugin_expire ; then
cat << EOF | psql -U$dbuser $dbname > ${_log_dir}/error.log 2>&1 cat << EOF | psql -U$dbuser $dbname > ${_log_dir}/error.log 2>&1
CREATE TABLE IF NOT EXISTS expires ( CREATE TABLE IF NOT EXISTS expires (
username varchar(100) not null, username varchar(100) not null,
mailbox varchar(255) not null, mailbox varchar(255) not null,
@@ -1395,7 +1395,7 @@ EOF
echononl "\tCreate table expires in database ${dbname}.." echononl "\tCreate table expires in database ${dbname}.."
if $plugin_expire ; then if $plugin_expire ; then
cat << EOF | mysql -u$dbuser -p$dbpassword $dbname > /dev/null 2>&1 cat << EOF | mysql -u$dbuser -p$dbpassword $dbname > /dev/null 2>&1
CREATE TABLE IF NOT EXISTS expires ( CREATE TABLE IF NOT EXISTS expires (
username varchar(100) not null, username varchar(100) not null,
mailbox varchar(255) not null, mailbox varchar(255) not null,
@@ -1450,7 +1450,7 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# END IF; # END IF;
# END; # END;
# \$\$ LANGUAGE plpgsql; # \$\$ LANGUAGE plpgsql;
# #
# CREATE TRIGGER mergeexpires BEFORE INSERT ON expires # CREATE TRIGGER mergeexpires BEFORE INSERT ON expires
# FOR EACH ROW EXECUTE PROCEDURE merge_expires(); # FOR EACH ROW EXECUTE PROCEDURE merge_expires();
@@ -1505,7 +1505,7 @@ EOF
echo -e "$rc_failed" echo -e "$rc_failed"
fatal "Creating file sql-dict.conf.ext failed" fatal "Creating file sql-dict.conf.ext failed"
fi fi
fi fi
else else
echo -e "$rc_skipped" echo -e "$rc_skipped"
fi fi
@@ -1519,15 +1519,15 @@ fi
## - default_vsz_limit = 512M ## - default_vsz_limit = 512M
## - ## -
## - !! Bemerkung !! ## - !! Bemerkung !!
## - ## -
## - Das Hochsetzen des default_client_limit Parameters auf einen Wert größer ## - Das Hochsetzen des default_client_limit Parameters auf einen Wert größer
## - als 1024 geht nur dann wenn auch die Anzahl der zulässigen "open files" ## - als 1024 geht nur dann wenn auch die Anzahl der zulässigen "open files"
## - (default = 1024) geändert wird. ## - (default = 1024) geändert wird.
## - ## -
## - ## -
## - Systemd System: ## - Systemd System:
## - =============== ## - ===============
## - ## -
## - In der service datei (z.Bsp. /etc/systemd/system/multi-user.target.wants/dovecot.service) ## - In der service datei (z.Bsp. /etc/systemd/system/multi-user.target.wants/dovecot.service)
## - den Wert 'LimitNOFILE' hochsetzen: ## - den Wert 'LimitNOFILE' hochsetzen:
## - ## -
@@ -1536,15 +1536,15 @@ fi
## - systemctl daemon-reload ## - systemctl daemon-reload
## - systemctl restart dovecot.service ## - systemctl restart dovecot.service
## - ## -
## - Im Falle von LX containern muss zusätzlich auf dem hostsystem ## - Im Falle von LX containern muss zusätzlich auf dem hostsystem
## - in der datei '/etc/systemd/system.conf' der Wert für 'DefaultLimitNOFILE' ## - in der datei '/etc/systemd/system.conf' der Wert für 'DefaultLimitNOFILE'
## - hochgesetzt werden. ## - hochgesetzt werden.
## - ## -
## - System V systems: ## - System V systems:
## - ================= ## - =================
## - Das Hochsetzen des default_client_limit Parameters auf einen Wert größer ## - Das Hochsetzen des default_client_limit Parameters auf einen Wert größer
## - als 1024 geht nur dann wenn auch die Anzahl der zulässigen "open files" ## - als 1024 geht nur dann wenn auch die Anzahl der zulässigen "open files"
## - (default = 1024) geändert wird. Z.Bsp. in der Datei /etc/init.d/dovecot ## - (default = 1024) geändert wird. Z.Bsp. in der Datei /etc/init.d/dovecot
## - durch Einfügen der zeile: ## - durch Einfügen der zeile:
## - ulimit -n 32768 ## - ulimit -n 32768
## - ## -
@@ -1596,10 +1596,10 @@ fi
## - address = $imaps_listener_adresses ## - address = $imaps_listener_adresses
## - .. ## - ..
## - } ## - }
## - ## -
## - process_min_avail = 16 ## - process_min_avail = 16
## - } ## - }
## - ## -
## - service pop3-login { ## - service pop3-login {
## - inet_listener pop3 { ## - inet_listener pop3 {
## - address = $pop_listener_adresses ## - address = $pop_listener_adresses
@@ -1678,7 +1678,7 @@ fi
## - permanently on filesystem. So we have to create such a file ## - permanently on filesystem. So we have to create such a file
## - ## -
## - openssl dhparam -out /etc/postfix/ssl/dh_4096.pem` ## - openssl dhparam -out /etc/postfix/ssl/dh_4096.pem`
## - ## -
if [[ $dovecot_major_version -ge 3 ]] \ if [[ $dovecot_major_version -ge 3 ]] \
|| ( [[ $dovecot_major_version -eq 2 ]] && [[ $dovecot_minor_version -ge 3 ]] ); then || ( [[ $dovecot_major_version -eq 2 ]] && [[ $dovecot_minor_version -ge 3 ]] ); then
@@ -1687,7 +1687,7 @@ if [[ $dovecot_major_version -ge 3 ]] \
echo -en "$rc_wait" echo -en "$rc_wait"
if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
openssl dhparam -out "$dh_pem_file" 4096 > /dev/null 2>&1 openssl dhparam -out "$dh_pem_file" 4096 > /dev/null 2>&1
else else
openssl dhparam -dsaparam -out "$dh_pem_file" 4096 > /dev/null 2>&1 openssl dhparam -dsaparam -out "$dh_pem_file" 4096 > /dev/null 2>&1
fi fi
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
@@ -1784,7 +1784,7 @@ fi
## - edit /usr/local/dovecot/etc/dovecot/conf.d/10-mail.conf ## - edit /usr/local/dovecot/etc/dovecot/conf.d/10-mail.conf
## - ## -
## - mail_location = maildir:/var/vmail/%d/%n/Maildir ## - mail_location = maildir:/var/vmail/%d/%n/Maildir
## - ## -
## - mail_uid = vmail ## - mail_uid = vmail
@@ -1794,7 +1794,7 @@ fi
## - last_valid_uid = 5000 ## - last_valid_uid = 5000
## - ## -
## - mail_temp_dir = /var/vmail/tmp ## - mail_temp_dir = /var/vmail/tmp
## - ## -
## - first_valid_gid = 5000 ## - first_valid_gid = 5000
## - last_valid_gid = 5000 ## - last_valid_gid = 5000
## - ## -
@@ -1842,7 +1842,7 @@ else
echo -e "$rc_failed" echo -e "$rc_failed"
fatal "Adjusting file '10-mail.conf' failed" fatal "Adjusting file '10-mail.conf' failed"
fi fi
echononl "\tCreate TEMP directory '/var/vmail/tmp' .." echononl "\tCreate TEMP directory '/var/vmail/tmp' .."
@@ -1937,7 +1937,7 @@ fi
## - ## -
## - Add namespaces type private ## - Add namespaces type private
## - ## -
## - Add: ## - Add:
## - namespace inbox { ## - namespace inbox {
## - type = private ## - type = private
## - separator = / ## - separator = /
@@ -1957,7 +1957,7 @@ namespace inbox {
# Hierarchy separator to use. You should use the same separator for all # Hierarchy separator to use. You should use the same separator for all
# namespaces or some clients get confused. '/' is usually a good one. # namespaces or some clients get confused. '/' is usually a good one.
# The default however depends on the underlying mail storage format. # The default however depends on the underlying mail storage format.
#separator = #separator =
separator = / separator = /
# Prefix required to access this namespace. This needs to be different for # Prefix required to access this namespace. This needs to be different for
@@ -2007,12 +2007,12 @@ fi
## - auto = subscribe ## - auto = subscribe
## - special_use = \Drafts ## - special_use = \Drafts
## - } ## - }
## - ## -
## - mailbox Trash { ## - mailbox Trash {
## - auto = subscribe ## - auto = subscribe
## - special_use = \Trash ## - special_use = \Trash
## - } ## - }
## - ## -
## - mailbox Sent { ## - mailbox Sent {
## - auto = subscribe ## - auto = subscribe
## - special_use = \Sent ## - special_use = \Sent
@@ -2072,7 +2072,7 @@ fi
## - ## -
## - disable_plaintext_auth = no ## - disable_plaintext_auth = no
## - auth_mechanisms = $auth_mechanisms ## - auth_mechanisms = $auth_mechanisms
## - !include auth-sql.conf.ext # comment all other includes ## - !include auth-sql.conf.ext # comment all other includes
## - auth_username_translation = "%@" ## - auth_username_translation = "%@"
## - ## -
_failed=false _failed=false
@@ -2101,14 +2101,14 @@ fi
## - ## -
## - passdb { ## - passdb {
## - driver = sql ## - driver = sql
## - ## -
## - ## -
## - # path for sql configuration file, see example-config/dovecot-sql.conf.ext ## - # path for sql configuration file, see example-config/dovecot-sql.conf.ext
## - args = /usr/local/dovecot/etc/dovecot/sql-connect.conf.ext ## - args = /usr/local/dovecot/etc/dovecot/sql-connect.conf.ext
## - } ## - }
## - ## -
## - .. ## - ..
## - ## -
## - userdb { ## - userdb {
## - driver = sql ## - driver = sql
## - args = /usr/local/dovecot/etc/dovecot/sql-connect.conf.ext ## - args = /usr/local/dovecot/etc/dovecot/sql-connect.conf.ext
@@ -2194,14 +2194,14 @@ fi
## - if running inetd-script: ## - if running inetd-script:
## - ## -
## - log_path = /var/log/dovecot/dovecot.log ## - log_path = /var/log/dovecot/dovecot.log
## - ## -
## - or for example ## - or for example
## - ## -
## - log_path = syslog ## - log_path = syslog
## - syslog_facility = local1 ## - syslog_facility = local1
## - auth_verbose = yes ## - auth_verbose = yes
## - auth_verbose_passwords = plain ## - auth_verbose_passwords = plain
## - ## -
## - in conjunction with the the following entries in /etc/rsyslog.conf ## - in conjunction with the the following entries in /etc/rsyslog.conf
## - ## -
## - local1.* -/var/log/dovecot.log ## - local1.* -/var/log/dovecot.log
@@ -2310,7 +2310,7 @@ fi
## - hostname = $hostname ## - hostname = $hostname
## - sendmail_path = /usr/sbin/sendmail ## - sendmail_path = /usr/sbin/sendmail
## - lda_mailbox_autocreate = no ## - lda_mailbox_autocreate = no
## - mail_plugins = $mail_plugins sieve ## - mail_plugins = $mail_plugins sieve
## - ## -
_failed=false _failed=false
echononl "\tAdjusting file 15-lda.conf" echononl "\tAdjusting file 15-lda.conf"
@@ -2406,7 +2406,7 @@ fi
## - edit /usr/local/dovecot/etc/dovecot/conf.d/90-plugin.conf ## - edit /usr/local/dovecot/etc/dovecot/conf.d/90-plugin.conf
## - ## -
## - Note: ## - Note:
## - Setting "autocreate", "autosubscribe" here is depricated. Use mailbox { auto } setting instead. ## - Setting "autocreate", "autosubscribe" here is depricated. Use mailbox { auto } setting instead.
## - ## -
## - expire = Trash ## - expire = Trash
## - expire2 = Trash/* ## - expire2 = Trash/*
@@ -2419,7 +2419,7 @@ fi
## - # it's better to enable it only after you've verified that the expire plugin is ## - # it's better to enable it only after you've verified that the expire plugin is
## - # working as wanted. (v2.2.16+) ## - # working as wanted. (v2.2.16+)
## - expire_cache = yes ## - expire_cache = yes
## - ## -
_failed=false _failed=false
echononl "\tAdjusting file 90-plugin.conf" echononl "\tAdjusting file 90-plugin.conf"
if $plugin_expire ; then if $plugin_expire ; then
@@ -2483,7 +2483,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
cat <<EOF >> "$_tmp_file" cat <<EOF >> "$_tmp_file"
# Add Setting 'sieve_vacation_send_from_recipient' from (included) # Add Setting 'sieve_vacation_send_from_recipient' from (included)
# #
# Pigeonhole Sieve: Vacation Extension # Pigeonhole Sieve: Vacation Extension
# ==================================== # ====================================
@@ -2563,7 +2563,7 @@ else
fi fi
## - NOTICE: if you pre-compile your (global) scripts, you will increase ## - NOTICE: if you pre-compile your (global) scripts, you will increase
## - performance ## - performance
## - ## -
echononl "\tPrecompile global sieve script" echononl "\tPrecompile global sieve script"
@@ -2597,12 +2597,14 @@ chown -R vmail:vmail /usr/local/dovecot-${_version}/etc/dovecot/sieve
if $systemd_support; then if $systemd_support; then
_folder_created=false
## - # - At time, we don't use private tmp directory for divecot. ## - # - At time, we don't use private tmp directory for divecot.
## - # - ## - # -
## - echononl "\tAdjust Systemd service file, set PrivateTmp=false.." ## - echononl "\tAdjust Systemd service file, set PrivateTmp=false.."
## - if [[ -f "/etc/systemd/system/dovecot.service" ]] ; then ## - if [[ -f "/etc/systemd/system/dovecot.service" ]] ; then
## - ## -
## - if $(grep -o -E "PrivateTmp\s*=\s*[^[:blank:]]+" /etc/systemd/system/dovecot.service | grep -q true 2> /dev/null ) ; then ## - if $(grep -o -E "PrivateTmp\s*=\s*[^[:blank:]]+" /etc/systemd/system/dovecot.service | grep -q true 2> /dev/null ) ; then
## - perl -i -n -p -e "s/(PrivateTmp\s*=\s*)true/\1false/" /etc/systemd/system/dovecot.service ## - perl -i -n -p -e "s/(PrivateTmp\s*=\s*)true/\1false/" /etc/systemd/system/dovecot.service
## - if [[ $? -eq 0 ]]; then ## - if [[ $? -eq 0 ]]; then
## - echo -e "$rc_done" ## - echo -e "$rc_done"
@@ -2620,9 +2622,16 @@ if $systemd_support; then
## - ## -
## - here: ## - here:
## - LimitNOFILE=32768 ## - LimitNOFILE=32768
## - ## -
if [[ -f "/lib/systemd/system/dovecot.service" ]] \ ## - zwei Bemerkungen:
&& $(grep -q -E "^LimitNOFILE=" /lib/systemd/system/dovecot.service) ; then ## - - keine runden Klammern notwendig, da die bash '&&' vor '||' auswertet
## - - hier auch keine backslah '\' am ende der zeile notwendig, da statement
## - offensichtlich noch nichzt abgeschlossen ist (die bash erkennt das)
## -
if [[ -f /lib/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*LimitNOFILE=' /lib/systemd/system/dovecot.service ||
[[ -f /etc/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*LimitNOFILE=' /etc/systemd/system/dovecot.service ; then
_LimitNOFILE="$(grep -E "^LimitNOFILE=[[:digit:]]+" /lib/systemd/system/dovecot.service | cut -d'=' -f2)" _LimitNOFILE="$(grep -E "^LimitNOFILE=[[:digit:]]+" /lib/systemd/system/dovecot.service | cut -d'=' -f2)"
@@ -2638,6 +2647,7 @@ if $systemd_support; then
mkdir "/etc/systemd/system/dovecot.service.d" > /dev/null 2>&1 mkdir "/etc/systemd/system/dovecot.service.d" > /dev/null 2>&1
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
echo -e "$rc_done" echo -e "$rc_done"
_folder_created=true
else else
echo -e "$rc_failed" echo -e "$rc_failed"
adjust_limit_nofile=false adjust_limit_nofile=false
@@ -2656,8 +2666,54 @@ LimitNOFILE=$service_limit_nofile
EOF EOF
echo -e "$rc_done" echo -e "$rc_done"
fi fi
fi fi
## - Adjust systemd hardening:
## -
## - Options such as ProtectSystem=full/strict make the service's mount namespace,
## - including /usr (and thus /usr/local/dovecote/..), read-only, even though it is w
## - ritable outside the service.
## -
## - However, we would like to allow dovecot to write to the directory
## - /usr/local/dovecot/etc/dovecot/sieve/.
## -
## - ProtectSystem=off
## -
## - zwei Bemerkungen:
## - - keine runden Klammern notwendig, da die bash '&&' vor '||' auswertet
## - - hier auch keine backslah '\' am ende der zeile notwendig, da statement
## - offensichtlich noch nichzt abgeschlossen ist (die bash erkennt das)
## -
if [[ -f /lib/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*ProtectSystem=' /lib/systemd/system/dovecot.service ||
[[ -f /etc/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*ProtectSystem=' /etc/systemd/system/dovecot.service ; then
if ! ${_folder_created} ; then
echononl "\tCreate Directory '/etc/systemd/system/dovecot.service.d'.."
if [[ -d "/etc/systemd/system/dovecot.service.d" ]] ; then
echo -e "$rc_skipped"
else
mkdir "/etc/systemd/system/dovecot.service.d" > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo -e "$rc_done"
else
echo -e "$rc_failed"
fi
fi
fi
echononl "\tSet 'ProtectSystem=off' for 'dovecot.service'.."
cat <<EOF > /etc/systemd/system/dovecot.service.d/systemd-hardening.conf
[Service]
ProtectSystem=off
EOF
echo -e "$rc_done"
fi
echononl "\tReload systemd .." echononl "\tReload systemd .."
systemctl daemon-reload > /dev/null 2>&1 systemctl daemon-reload > /dev/null 2>&1
@@ -2692,7 +2748,7 @@ else
fi fi
fi fi
if $_new ; then if $_new ; then
@@ -2707,7 +2763,7 @@ if $_new ; then
## - running dovecot service via init-script ## - running dovecot service via init-script
## - ## -
cat <<EOF > /etc/init.d/dovecot cat <<EOF > /etc/init.d/dovecot
#! /bin/sh #! /bin/sh
### BEGIN INIT INFO ### BEGIN INIT INFO
# Provides: dovecot # Provides: dovecot
# Required-Start: \$syslog \$postgresql # Required-Start: \$syslog \$postgresql
@@ -2899,7 +2955,7 @@ EOF
echo -e "$rc_failed" echo -e "$rc_failed"
fatal "Creating init script for dovecot failed" fatal "Creating init script for dovecot failed"
fi fi
chmod 755 /etc/init.d/dovecot chmod 755 /etc/init.d/dovecot
else else
@@ -2910,7 +2966,7 @@ EOF
fi fi
## - Add a cronjob to restart dovecot after booting the system. ## - Add a cronjob to restart dovecot after booting the system.
## - ## -
## - Notice: ## - Notice:
## - On normal start, dovecot started its service even if ipv6 is not ## - On normal start, dovecot started its service even if ipv6 is not
## - yet present and dovecot cannot bind to ipv6 listeners. ## - yet present and dovecot cannot bind to ipv6 listeners.
@@ -2964,10 +3020,10 @@ EOF
## - add/uncomment: ## - add/uncomment:
## - ## -
## - smtpd_tls_auth_only ## - smtpd_tls_auth_only
## - ## -
## - smtpd_sasl_type = dovecot ## - smtpd_sasl_type = dovecot
## - smtpd_sasl_path = private/dovecot-auth ## - smtpd_sasl_path = private/dovecot-auth
## - ## -
## - virtual_transport = dovecot ## - virtual_transport = dovecot
## - dovecot_destination_recipient_limit = 1 ## - dovecot_destination_recipient_limit = 1
## - ## -
@@ -3172,22 +3228,22 @@ echo -e "\033[1mConfigure quota support for dovecot\033[m"
## - take care quota plugins (quota,imap-quota) will ## - take care quota plugins (quota,imap-quota) will
## - be loaded: ## - be loaded:
## - ## -
## - there are two quota related plugins: ## - there are two quota related plugins:
## - ## -
## - * quota: implements the actual quota handling and includes also all the quota backends. ## - * quota: implements the actual quota handling and includes also all the quota backends.
## - * imap_quota: for reporting quota information via imap. ## - * imap_quota: for reporting quota information via imap.
## - ## -
## - enable them in configuration files, e.g.: ## - enable them in configuration files, e.g.:
## - ## -
## - conf.d/10-mail.conf: ## - conf.d/10-mail.conf:
## - ## -
## - # space separated list of plugins to load for all services. plugins specific to ## - # space separated list of plugins to load for all services. plugins specific to
## - # imap, lda, etc. are added to this list in their own .conf files. ## - # imap, lda, etc. are added to this list in their own .conf files.
## - mail_plugins = $mail_plugins quota ## - mail_plugins = $mail_plugins quota
## - ## -
## - conf.d/20-imap.conf: ## - conf.d/20-imap.conf:
## - ## -
## - protocol imap { ## - protocol imap {
## - # space separated list of plugins to load (default is global mail_plugins). ## - # space separated list of plugins to load (default is global mail_plugins).
## - mail_plugins = $mail_plugins imap_quota ## - mail_plugins = $mail_plugins imap_quota
@@ -3222,7 +3278,7 @@ fi
## - edit /usr/local/dovecot/etc/dovecot/dovecot.conf ## - edit /usr/local/dovecot/etc/dovecot/dovecot.conf
## - ## -
## - add: ## - add:
## - ## -
## - dict { ## - dict {
@@ -3369,7 +3425,7 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# END IF; # END IF;
# return NEW; # return NEW;
# END IF; # END IF;
# #
# LOOP # LOOP
# UPDATE quota2 SET bytes = bytes + NEW.bytes, # UPDATE quota2 SET bytes = bytes + NEW.bytes,
# messages = messages + NEW.messages # messages = messages + NEW.messages
@@ -3377,7 +3433,7 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# IF found THEN # IF found THEN
# RETURN NULL; # RETURN NULL;
# END IF; # END IF;
# #
# BEGIN # BEGIN
# IF NEW.messages = 0 THEN # IF NEW.messages = 0 THEN
# INSERT INTO quota2 (bytes, messages, username) VALUES (NEW.bytes, NULL, NEW.username); # INSERT INTO quota2 (bytes, messages, username) VALUES (NEW.bytes, NULL, NEW.username);
@@ -3391,10 +3447,10 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# END LOOP; # END LOOP;
# END; # END;
# \$\$; # \$\$;
# #
# #
# ALTER FUNCTION public.merge_quota2() OWNER TO postfix; # ALTER FUNCTION public.merge_quota2() OWNER TO postfix;
# #
# CREATE TRIGGER mergequota2 # CREATE TRIGGER mergequota2
# BEFORE INSERT ON quota2 # BEFORE INSERT ON quota2
# FOR EACH ROW # FOR EACH ROW
@@ -3444,7 +3500,7 @@ EOF
# END IF; # END IF;
# END; # END;
# \$\$ LANGUAGE plpgsql; # \$\$ LANGUAGE plpgsql;
# #
# CREATE TRIGGER mergeexpires BEFORE INSERT ON expires # CREATE TRIGGER mergeexpires BEFORE INSERT ON expires
# FOR EACH ROW EXECUTE PROCEDURE merge_expires(); # FOR EACH ROW EXECUTE PROCEDURE merge_expires();
@@ -3473,7 +3529,7 @@ EOF
fi fi
## - you also have to update the userdb's query in file ## - you also have to update the userdb's query in file
## - "/usr/local/dovecot/etc/dovecot/sql-connect.conf.ext" to ## - "/usr/local/dovecot/etc/dovecot/sql-connect.conf.ext" to
## - support extra variable "quota_rule" ## - support extra variable "quota_rule"
## - ## -
echononl "\tRenew file sql-connect.conf.ext" echononl "\tRenew file sql-connect.conf.ext"
@@ -3570,7 +3626,7 @@ EOF
fi fi
## - you also have to update the userdb's query in file ## - you also have to update the userdb's query in file
## - "/usr/local/dovecot/etc/dovecot/sql-connect.conf.ext" to ## - "/usr/local/dovecot/etc/dovecot/sql-connect.conf.ext" to
## - support extra variable "quota_rule" ## - support extra variable "quota_rule"
## - ## -
echononl "\tRenew file sql-connect.conf.ext" echononl "\tRenew file sql-connect.conf.ext"
@@ -3697,20 +3753,20 @@ fi
## - edit /usr/local/dovecot/etc/dovecot/conf.d/90-quota.conf ## - edit /usr/local/dovecot/etc/dovecot/conf.d/90-quota.conf
## - ## -
## - add to the end of file or in seperate plugin-blocks ## - add to the end of file or in seperate plugin-blocks
## - as designed in that file: ## - as designed in that file:
## - plugin { ## - plugin {
## - # sql backend: ## - # sql backend:
## - quota = dict:user quota::proxy::quota ## - quota = dict:user quota::proxy::quota
## - ## -
## - quota_rule = *:storage=1g ## - quota_rule = *:storage=1g
## - quota_rule2 = trash:storage=+100m ## - quota_rule2 = trash:storage=+100m
## - ## -
## - quota_warning = storage=80%% quota-warning 80 %u ## - quota_warning = storage=80%% quota-warning 80 %u
## - quota_warning2 = storage=95%% quota-warning 95 %u ## - quota_warning2 = storage=95%% quota-warning 95 %u
## - } ## - }
## - ## -
## - service quota-warning { ## - service quota-warning {
## - executable = script /usr/local/bin/quota-warning.sh ## - executable = script /usr/local/bin/quota-warning.sh
## - user = vmail ## - user = vmail
@@ -3725,7 +3781,7 @@ cp -a /usr/local/dovecot-${_version}/etc/dovecot/conf.d/90-quota.conf \
/usr/local/dovecot-${_version}/etc/dovecot/conf.d/90-quota.conf.ORIG /usr/local/dovecot-${_version}/etc/dovecot/conf.d/90-quota.conf.ORIG
cat <<EOF >>/usr/local/dovecot-${_version}/etc/dovecot/conf.d/90-quota.conf cat <<EOF >>/usr/local/dovecot-${_version}/etc/dovecot/conf.d/90-quota.conf
## - ## -
plugin { plugin {
# SQL backend: # SQL backend:
quota = dict:User quota::proxy::quota quota = dict:User quota::proxy::quota
@@ -3832,7 +3888,7 @@ fi
## - edit /usr/local/dovecot/etc/dovecot/conf.d/10-mail.conf ## - edit /usr/local/dovecot/etc/dovecot/conf.d/10-mail.conf
## - ## -
## - Add namespaces type shared to 10-mail.conf ## - Add namespaces type shared to 10-mail.conf
## - Take care to enable ACL plugin also, otherwise all users can access all the shared ## - Take care to enable ACL plugin also, otherwise all users can access all the shared
## - mailboxes, assuming they have permissions on filesystem level to do so. ## - mailboxes, assuming they have permissions on filesystem level to do so.
## - we will do that later.. ## - we will do that later..
## - namespace { ## - namespace {
@@ -3894,7 +3950,7 @@ else
fi fi
## - edit /usr/local/dovecot/etc/dovecot/conf.d/10-mail.conf ## - edit /usr/local/dovecot/etc/dovecot/conf.d/10-mail.conf
## - ## -
## - mail_plugins = quota expire acl ## - mail_plugins = quota expire acl
## - ## -
_failed=false _failed=false
@@ -3961,7 +4017,7 @@ fi
## - ## -
## - plugin { ## - plugin {
## - ## acl = vfile:/etc/dovecot/global-acls:cache_secs=300 ## - ## acl = vfile:/etc/dovecot/global-acls:cache_secs=300
## - ## -
## - # Without global ACLs: ## - # Without global ACLs:
## - acl = vfile ## - acl = vfile
## - .. ## - ..
@@ -4094,8 +4150,8 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
## - NOTE: ## - NOTE:
## - ## -
## - All changes on database (CREATE TABLE / CREATE TRIGGER / what else..) ## - All changes on database (CREATE TABLE / CREATE TRIGGER / what else..)
## - need to be done as the dbuser (here postfix) under whom dovecot ## - need to be done as the dbuser (here postfix) under whom dovecot
## - accesses the database. If not, you have to change the permissiond to allow ## - accesses the database. If not, you have to change the permissiond to allow
## - dovecot dbuser to access the createt table/trigger/... ## - dovecot dbuser to access the createt table/trigger/...
## - ## -
@@ -4125,7 +4181,7 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# END IF; # END IF;
# return NEW; # return NEW;
# END IF; # END IF;
# #
# LOOP # LOOP
# UPDATE quota2 SET bytes = bytes + NEW.bytes, # UPDATE quota2 SET bytes = bytes + NEW.bytes,
# messages = messages + NEW.messages # messages = messages + NEW.messages
@@ -4133,7 +4189,7 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# IF found THEN # IF found THEN
# RETURN NULL; # RETURN NULL;
# END IF; # END IF;
# #
# BEGIN # BEGIN
# IF NEW.messages = 0 THEN # IF NEW.messages = 0 THEN
# INSERT INTO quota2 (bytes, messages, username) VALUES (NEW.bytes, NULL, NEW.username); # INSERT INTO quota2 (bytes, messages, username) VALUES (NEW.bytes, NULL, NEW.username);
@@ -4147,10 +4203,10 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# END LOOP; # END LOOP;
# END; # END;
# \$\$; # \$\$;
# #
# #
# ALTER FUNCTION public.merge_quota2() OWNER TO postfix; # ALTER FUNCTION public.merge_quota2() OWNER TO postfix;
# #
# CREATE TRIGGER mergequota2 # CREATE TRIGGER mergequota2
# BEFORE INSERT ON quota2 # BEFORE INSERT ON quota2
# FOR EACH ROW # FOR EACH ROW
@@ -4200,7 +4256,7 @@ EOF
# END IF; # END IF;
# END; # END;
# \$\$ LANGUAGE plpgsql; # \$\$ LANGUAGE plpgsql;
# #
# CREATE TRIGGER mergeexpires BEFORE INSERT ON expires # CREATE TRIGGER mergeexpires BEFORE INSERT ON expires
# FOR EACH ROW EXECUTE PROCEDURE merge_expires(); # FOR EACH ROW EXECUTE PROCEDURE merge_expires();
@@ -4230,7 +4286,7 @@ EOF
# primary key (from_user, to_user) # primary key (from_user, to_user)
# ); # );
# COMMENT ON TABLE user_shares IS 'User from_user shares folders to user to_user.'; # COMMENT ON TABLE user_shares IS 'User from_user shares folders to user to_user.';
# #
# CREATE TABLE anyone_shares ( # CREATE TABLE anyone_shares (
# from_user varchar(100) not null, # from_user varchar(100) not null,
# dummy char(1) DEFAULT '1', -- always '1' currently # dummy char(1) DEFAULT '1', -- always '1' currently
@@ -4336,7 +4392,7 @@ EOF
# dummy char(1) DEFAULT '1', -- always '1' currently # dummy char(1) DEFAULT '1', -- always '1' currently
# primary key (from_user, to_user) # primary key (from_user, to_user)
# ) COMMENT = 'User from_user shares folders to user to_user.'; # ) COMMENT = 'User from_user shares folders to user to_user.';
# #
# CREATE TABLE anyone_shares ( # CREATE TABLE anyone_shares (
# from_user varchar(100) not null, # from_user varchar(100) not null,
# dummy char(1) DEFAULT '1', -- always '1' currently # dummy char(1) DEFAULT '1', -- always '1' currently
@@ -4576,7 +4632,7 @@ fi
blank_line blank_line
echononl "\tSet '_update=true' in file '$(basename "$conf_file")'.." echononl "\tSet '_update=true' in file '$(basename "$conf_file")'.."
if grep -q -E "^\s*_update=false" "$conf_file" 2> /dev/null ; then if grep -q -E "^\s*_update=false" "$conf_file" 2> /dev/null ; then
perl -i -n -p -e "s/^\s*_update=.*/_update=true/" "$conf_file" perl -i -n -p -e "s/^\s*_update=.*/_update=true/" "$conf_file"
if [ "$?" = 0 ]; then if [ "$?" = 0 ]; then
echo -e "$rc_done" echo -e "$rc_done"
else else