install_postfixadmin.sh: remove space..

install_amavis.sh

@@ -110,7 +110,8 @@ detect_os_1 () {
 # --- Some default settings
 # -------------
 
-DEFAULT_SASL_AUTH_ENABLED="no"
+DEFAULT_SASL_AUTH_ENABLED=false
+DEFAULT_IS_SYMPA_LIST_SERVER=false
 
 DEFAULT_QUARANTINE_DIR="/var/QUARANTINE"
 DEFAULT_QUARANTINE_ADMIN='postmaster\@$mydomain'
@@ -187,7 +188,9 @@ if [[ -z "$_HOSTNAME" ]] ; then
    [[ "$_HOSTNAME" = "$_HOSTNAME_SHORT" ]] && _HOSTNAME=""
 fi
 
-[[ -z "$_SASL_AUTH_ENABLED" ]] && _SASL_AUTH_ENABLED="$DEFAULT_SASL_AUTH_ENABLED"
+[[ -z "$_SASL_AUTH_ENABLED" ]] && _SASL_AUTH_ENABLED=${DEFAULT_SASL_AUTH_ENABLED}
+
+[[ -z "${_IS_SYMPA_LIST_SERVER}" ]] && _IS_SYMPA_LIST_SERVER=${DEFAULT_IS_SYMPA_LIST_SERVER}
 
 
 [[ -z "$_QUARANTINE_DIR" ]] && _QUARANTINE_DIR="$DEFAULT_QUARANTINE_DIR"
@@ -375,9 +378,12 @@ SASL_AUTH_ENABLED=
 echo ""
 echo -e "\033[32m--\033[m"
 echo ""
-echo "Should this mail server support Cyrus SASL authentication?"
+echo "Should this mail server support Cyrus SASL authentication? [true/yes/false/no]"
 echo ""
-while [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]];do
+while [[ "$SASL_AUTH_ENABLED" != "yes" && 
+         "$SASL_AUTH_ENABLED" != "true" && 
+         "$SASL_AUTH_ENABLED" != "no" &&
+         "$SASL_AUTH_ENABLED" != "false" ]];do
 
    if [[ -n "$_SASL_AUTH_ENABLED" ]]; then
       echononl "Support Cyrus SASL authentication [${_SASL_AUTH_ENABLED}]: "
@@ -390,13 +396,62 @@ while [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]];do
       SASL_AUTH_ENABLED=${SASL_AUTH_ENABLED,,}
    fi
 
-   if [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]] ; then
+   [[ -z "${SASL_AUTH_ENABLED}" ]] && SASL_AUTH_ENABLED=${_SASL_AUTH_ENABLED}
-      _SASL_AUTH_ENABLED=""
+
+   if [[ "$SASL_AUTH_ENABLED" != "yes" &&
+         "$SASL_AUTH_ENABLED" != "true" &&
+         "$SASL_AUTH_ENABLED" != "false" &&
+         "$SASL_AUTH_ENABLED" != "no" ]] ; then
+      SASL_AUTH_ENABLED=""
       echo -e  "\n\t\033[33m\033[1mWrong entry!\033[m\n Type 'yes' or 'no'"
    fi
 
 done
 
+[[ "$SASL_AUTH_ENABLED" = "yes" ]] && SASL_AUTH_ENABLED=true
+[[ "$SASL_AUTH_ENABLED" = "no" ]] && SASL_AUTH_ENABLED=false
+
+
+if  ! ${SASL_AUTH_ENABLED} ; then
+
+   IS_SYMPA_LIST_SERVER=""
+   echo ""
+   echo -e "\033[32m--\033[m"
+   echo ""
+   echo "Are Sympa List Services provided? - [true/yes/false/no]"
+   echo ""
+   echononl "Sympa List Server? [$_IS_SYMPA_LIST_SERVER]: "
+
+   read IS_SYMPA_LIST_SERVER
+   if [[ -z "${IS_SYMPA_LIST_SERVER}" ]] ; then
+      IS_SYMPA_LIST_SERVER="$_IS_SYMPA_LIST_SERVER"
+   fi
+   IS_SYMPA_LIST_SERVER=${IS_SYMPA_LIST_SERVER,,}
+
+   while [[ "$IS_SYMPA_LIST_SERVER" != "yes" && \
+            "$IS_SYMPA_LIST_SERVER" != "true" && \
+            "$IS_SYMPA_LIST_SERVER" != "no" && \
+            "$IS_SYMPA_LIST_SERVER" != "false" ]]; do
+
+      echo -e "\n\t\033[33m\033[1mWrong value was given!!\033[m\n"
+
+      echononl "Sympa List Server? [$_IS_SYMPA_LIST_SERVER]: "
+      read IS_SYMPA_LIST_SERVER
+      if [[ -z "${IS_SYMPA_LIST_SERVER}" ]] ; then
+         IS_SYMPA_LIST_SERVER=false
+      fi
+      IS_SYMPA_LIST_SERVER=${IS_SYMPA_LIST_SERVER,,}
+
+   done
+
+   if [[ "$IS_SYMPA_LIST_SERVER" = 'yes' || "$IS_SYMPA_LIST_SERVER" = 'true' ]] ; then
+      IS_SYMPA_LIST_SERVER=true
+   else
+      IS_SYMPA_LIST_SERVER=false
+   fi
+else
+   IS_SYMPA_LIST_SERVER=false
+fi
 
 
 echo ""
@@ -854,6 +909,7 @@ echo -e "\tIPv4 address...........................: $IPV4"
 echo -e "\tIPv6 address...........................: $IPV6"
 echo ""
 echo -e "\tSASL AUTH support......................: $SASL_AUTH_ENABLED"
+echo -e "\tSupport sympa mailinglists.............: ${IS_SYMPA_LIST_SERVER}"
 echo ""
 echo -e "\tQuarantine Directory ..................: $QUARANTINE_DIR"
 echo ""
@@ -905,6 +961,7 @@ _IPV4=$IPV4
 _IPV6=$IPV6
 
 _SASL_AUTH_ENABLED=$SASL_AUTH_ENABLED
+_IS_SYMPA_LIST_SERVER=${IS_SYMPA_LIST_SERVER}
 
 _QUARANTINE_DIR=$QUARANTINE_DIR
 _QUARANTINE_ADMIN=$QUARANTINE_ADMIN
@@ -4209,10 +4266,49 @@ use strict;
 # !! smtpd_proxy_filter - see master.cf                           !!
 #
 #
+EOF
+
+if ${SASL_AUTH_ENABLED} ; then
+   cat << EOF >> "${_config_file}"
 \$inet_socket_port = [10024, 10026];
 #\$inet_socket_port = [10024, 10029];
 #\$inet_socket_port = [10024, 10026, 10029];
 
+\$interface_policy{'10026'} = 'ORIGINATING';
+\$policy_bank{'ORIGINATING'} = {
+  originating => 1,  # declare that mail was submitted by our smtp client
+  bypass_spam_checks_maps  => (1),
+  bypass_virus_checks_maps => (0),
+  remove_existing_spam_headers => 1,
+};
+EOF
+
+else
+
+   cat << EOF >> "${_config_file}"
+#\$inet_socket_port = [10024, 10026];
+\$inet_socket_port = [10024, 10029];
+#\$inet_socket_port = [10024, 10026, 10029];
+
+\$interface_policy{'10024'} = 'INBOUND';
+\$interface_policy{'10029'} = 'VIRUSONLY';
+
+# Inbound: Spam + Virus
+\$policy_bank{'INBOUND'} = { };
+
+# Outbound: nur Virus
+\$policy_bank{'VIRUSONLY'} = {
+  bypass_spam_checks_maps   => [1],
+  bypass_header_checks_maps => [1],
+  final_spam_destiny        => D_PASS,
+  originating               => 1,
+};
+EOF
+
+fi
+
+cat << EOF >> "${_config_file}"
+
 # Bypass spam checking fro trusted networks
 #
 #\$interface_policy{'10026'} = 'TRUSTED';
@@ -4434,7 +4530,9 @@ if [[ "$?" -ne 0 ]] ; then
 fi
 
 
-if [[ "${DB_TYPE}" = "PostgreSQL" ]] || [[ "${DB_TYPE}" = "MySQL" ]]; then
+if [[ "${DB_TYPE}" = "PostgreSQL" ]] || \
+   [[ "${DB_TYPE}" = "MySQL" ]] && \
+   ! ${IS_SYMPA_LIST_SERVER}; then
 
    if [[ "$DB_TYPE" = "PostgreSQL" ]]; then
       _db="pgsql"
@@ -4503,10 +4601,6 @@ EOF
 );
 EOF
 
-echo ""
-echo "hallo 9"
-echo ""
-
 else
    cat >> /etc/amavis/conf.d/50-user <<'EOF'
 @local_domains_maps = ( ["."] );
@@ -4522,15 +4616,6 @@ fi
 
 cat >> /etc/amavis/conf.d/50-user <<EOF
 
-## - get rid of "Open Relay" warnings in amavis logfile.
-## -
-\$interface_policy{'10026'} = 'ORIGINATING';
-\$policy_bank{'ORIGINATING'} = {
-    originating => 1,  # declare that mail was submitted by our smtp client
-    bypass_spam_checks_maps  => (1),
-    bypass_virus_checks_maps => (0),
-    remove_existing_spam_headers => 1,
-};
 
 ## - If you get am error like:
 ## -
@@ -5177,7 +5262,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
 smtp      inet  n       -       y       -       -       smtpd
    -o content_filter=amavisfeed:[127.0.0.1]:10024
 EOF
-      if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
+      if ! ${SASL_AUTH_ENABLED} ; then
          cat >> $postfix_master_cf << EOF
    -o smtpd_sasl_auth_enable=no
 EOF
@@ -5211,7 +5296,7 @@ EOF
 ${additional_smtp_port}      inet  n       -       y       -       -       smtpd
    -o content_filter=amavisfeed:[127.0.0.1]:10024
 EOF
-      if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
+      if ! ${SASL_AUTH_ENABLED} ; then
          cat >> $postfix_master_cf << EOF
    -o smtpd_sasl_auth_enable=no
 EOF

install_opendkim.sh

@@ -726,8 +726,11 @@ fi
 
 if grep -q -E "^\s*#?\s*non_smtpd_milters\s*=" ${main_cf_file} ; then
 
-   ensure_dkim_var "non_smtpd_milters"     > "${tmp_main_cf_file}"
+   # In case of sympa, DKIM signatures will be added by sympa list manager
-   cp "${tmp_main_cf_file}" "${main_cf_file}"
+   if ! which sympa ; then
+      ensure_dkim_var "non_smtpd_milters"     > "${tmp_main_cf_file}"
+      cp "${tmp_main_cf_file}" "${main_cf_file}"
+   fi
 
 else
 

install_opendmarc.sh

@@ -26,8 +26,15 @@ opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
 config_file_name_value_parameters="
    AuthservID|HOSTNAME
    TrustedAuthservIDs|HOSTNAME
-   PidFile|/run/opendmarc/opendmarc.pid
+   PidFile|/run/opendmarc/opendmarc.pid"
-   RejectFailures|true
+if which sympa ; then
+   config_file_name_value_parameters="$config_file_name_value_parameters
+   RejectFailures|false"
+else
+   config_file_name_value_parameters="$config_file_name_value_parameters
+   RejectFailures|true"
+fi
+config_file_name_value_parameters="$config_file_name_value_parameters
    Syslog|true
    SyslogFacility|mail
    IgnoreHosts|${opendmarc_base_dir}/ignore.hosts

install_postfix_advanced.sh

@@ -171,8 +171,10 @@ fi
 if [[ -z "$_RELAY_HOST" ]]; then
    _IS_RELAY_HOST=$DEFAULT_IS_RELAY_HOST
 else
-   _IS_RELAY_HOST="$_RELAY_HOST"
+   _IS_RELAY_HOST="${_RELAY_HOST,,}"
 fi
+[[ "${_IS_RELAY_HOST}" == "yes" ]] && _IS_RELAY_HOST=true
+[[ "${_IS_RELAY_HOST}" == "no" ]] && _IS_RELAY_HOST=false
 
 if [[ -z "$_LISTEN_ON_ADDITIONAL_RELAY_PORT" ]] ; then
    _LISTEN_ON_ADDITIONAL_RELAY_PORT=${DEFAULT_LISTEN_ON_ADDITIONAL_RELAY_PORT}
@@ -1071,7 +1073,18 @@ debugLevel = 1
 #  HELO_reject = Null - Only reject HELO Fail for Null sender (SPF Classic)
 #  HELO_reject = False - Never reject/defer on HELO, append header only.
 #  HELO_reject = No_Check - Never check HELO.
+EOF
+if ${IS_SYMPA_LIST_SERVER} ; then
+   cat <<EOF >> "${_file}"
+HELO_reject = False
+EOF
+else
+   cat <<EOF >> "${_file}"
 HELO_reject = SPF_Not_Pass
+EOF
+fi
+
+cat <<EOF >> "${_file}"
 
 #  Mail From rejection policy.  Options are:
 #  Mail_From_reject = SPF_Not_Pass - Reject if result not Pass/None/Tempfail.
@@ -1084,7 +1097,18 @@ HELO_reject = SPF_Not_Pass
 # MAIL FROM-Adresse reagiert. Ein Fehler tritt auf, wenn die IP-Adresse des sendenden
 # Servers nicht den SPF-Einträgen der Domain in der MAIL FROM-Adresse entspricht.
 #
+EOF
+if ${IS_SYMPA_LIST_SERVER} ; then
+   cat <<EOF >> "${_file}"
+Mail_From_reject = False
+EOF
+else
+   cat <<EOF >> "${_file}"
 Mail_From_reject = Fail
+EOF
+fi
+
+cat <<EOF >> "${_file}"
 
 #  Policy for rejecting due to SPF PermError.  Options are:
 #  PermError_reject = True
@@ -1096,7 +1120,18 @@ Mail_From_reject = Fail
 #
 # Wenn PermError_reject auf True gesetzt ist, wird die E-Mail abgewiesen (rejected),
 #
+EOF
+if ${IS_SYMPA_LIST_SERVER} ; then
+   cat <<EOF >> "${_file}"
+PermError_reject = False
+EOF
+else
+   cat <<EOF >> "${_file}"
 PermError_reject = True
+EOF
+fi
+
+cat <<EOF >> "${_file}"
 
 #  Policy for deferring messages due to SPF TempError.  Options are:
 #  TempError_Defer = True
@@ -1109,7 +1144,7 @@ PermError_reject = True
 # Wenn TempError_Defer auf True gesetzt ist, wird die E-Mail vorübergehend zurückgewiesen
 # (deferred), und der empfangende Server versucht später erneut, die E-Mail zuzustelle
 #
-TempError_Defer = Defer
+TempError_Defer = True
 
 # Type of header to insert to document SPF result. Can be Received-SPF (SPF)
 # or Authentication Results (AR). It cannot be both.
@@ -2111,9 +2146,24 @@ smtp_tls_security_level=dane
 smtpd_tls_loglevel = 1
 smtp_tls_loglevel = 1
 
+
+# TLS RSA keys path
 smtpd_tls_cert_file = $_TLS_CERT_FILE
 smtpd_tls_key_file = $_TLS_KEY_FILE
 
+EOF
+
+if [[ -f "/etc/postfix/ssl/mailserver-ecdsa.crt" &&
+      -f "/etc/postfix/ssl/mailserver-ecdsa.key" ]] ; then
+   cat <<EOF >> /etc/postfix/main.cf
+# TLS ECDSA keys path
+smtpd_tls_eccert_file = /etc/postfix/ssl/mailserver-ecdsa.crt
+smtpd_tls_eckey_file = /etc/postfix/ssl/mailserver-ecdsa.key
+
+EOF
+fi
+
+cat <<EOF >> /etc/postfix/main.cf
 
 ## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
 ## -
@@ -2681,7 +2731,7 @@ EOF
 
 if [[ -n "$(which postfwd)" ]]  ; then
    cat <<EOF >> /etc/postfix/main.cf
-127.0.0.1:10040_time_limit = 3600
+#127.0.0.1:10040_time_limit = 3600
 EOF
 else
    cat <<EOF >> /etc/postfix/main.cf
@@ -2699,7 +2749,7 @@ if [[ -n "$(which policyd-spf)" ]]  ; then
 #  policyd-spf  unix  -       n       n       -       0       spawn
 #     user=policyd-spf argv=/usr/bin/policyd-spf
 #
-policyd-spf_time_limit = 3600
+#policyd-spf_time_limit = 3600
 EOF
 fi
 
@@ -2876,6 +2926,16 @@ smtpd_recipient_restrictions =
 #        \$relay_recipient_maps, and \$relay_recipient_maps is not null.
 #
    reject_unlisted_recipient,
+EOF
+
+if [[ -n "$(which policyd-spf)" ]]  ; then
+   cat <<EOF >> /etc/postfix/main.cf
+# Check Postfix policy service ..
+#
+   check_policy_service unix:private/policy-spf
+EOF
+fi
+cat <<EOF >> /etc/postfix/main.cf
 # reject_unauth_destination
 #
 # Reject the request unless one of the following is true:
@@ -2898,17 +2958,7 @@ smtpd_recipient_restrictions =
 # managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
 # for more details
    reject_unverified_recipient,
-EOF
 
-if [[ -n "$(which policyd-spf)" ]]  ; then
-   cat <<EOF >> /etc/postfix/main.cf   
-# Check Postfix policy service ..
-#
-   check_policy_service unix:private/policy-spf
-EOF
-fi
-
-cat <<EOF >> /etc/postfix/main.cf
 # Policyd-Weight
    #check_policy_service inet:127.0.0.1:12525,
 # ---------------------------------------------------------------------------------
@@ -2999,6 +3049,16 @@ else
 EOF
 fi
 
+if ${IS_SYMPA_LIST_SERVER} || ${IS_RELAY_HOST}; then
+
+   cat <<EOF >> /etc/postfix/main.cf
+
+# Default: alles was nicht explizit überschrieben wird (pickup/local/sympa/cron/...)
+content_filter = amavisfeed:[127.0.0.1]:10029
+
+EOF
+fi
+
 if [[ -n "$(which opendkim)" ]]  || [[ -n "$(which opendmarc)" ]] ; then
    cat <<EOF >> /etc/postfix/main.cf
 
@@ -3068,7 +3128,13 @@ EOF
 #
 EOF
 
-   if [[ -n "$(which opendkim)" ]]  ; then
+   if ${IS_SYMPA_LIST_SERVER} ; then
+
+      cat <<EOF >> /etc/postfix/main.cf
+# DKIM signing takes place in the Sympa list manager.
+non_smtpd_milters =
+EOF
+   elif [[ -n "$(which opendkim)" ]]  ; then
       cat <<EOF >> /etc/postfix/main.cf
 non_smtpd_milters =  local:/opendkim/opendkim.sock
 EOF
@@ -4081,6 +4147,14 @@ else
    dmarc_pipe_present=false
 fi
 
+if ${LISTEN_ON_ADDITIONAL_RELAY_PORT} ; then
+   if grep -iq -E "^${ADDITIONAL_RELAY_LISTEN_PORT}\s+" $postfix_master_cf > /dev/null 2>&1 ; then
+      additional_relay_port_present=true
+   else
+      additional_relay_port_present=false
+   fi
+fi
+
 _found=false
 echononl "   Create new file \"${postfix_master_cf}\""
 if [[ -f "${postfix_master_cf}.$backup_date" ]]; then
@@ -4110,9 +4184,11 @@ smtps     inet  n       -       y       -       -       smtpd
 EOF
 				fi
          elif $LISTEN_ON_ADDITIONAL_RELAY_PORT ; then
-            cat >> $postfix_master_cf << EOF
+            if ! ${additional_relay_port_present} ; then
+               cat >> $postfix_master_cf << EOF
 ${ADDITIONAL_RELAY_LISTEN_PORT}      inet  n       -       y       -       -       smtpd
 EOF
+            fi
 			fi
 			continue
 		fi

install_postfixadmin.sh

@@ -2208,7 +2208,11 @@ fi
 
 echo -e "\n\n\t\033[37m\033[1mConfigure Postfix Admin\033[m\n"
 
-if [[ $MAJOR_VERSION -gt 3 ]] || [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]]; then
+if [[ $MAJOR_VERSION -gt 3 ]] ; then
+   pfa_conf_file="${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.local.php"
+   cp -a "${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.inc.php"  "$pfa_conf_file"
+
+elif [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]] ; then
    pfa_conf_file="${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.local.php"
    cp -a "${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.inc.php"  "$pfa_conf_file"
 else
@@ -2217,7 +2221,6 @@ else
 fi
 
 
-
 # - Use 'Re: $SUBJECT' as the default subject template for vacation
 # - in postfixadmin
 # -

set-policyd-spf-config-for-listserver.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+CONF="/etc/postfix-policyd-spf-python/policyd-spf.conf"
+BACKUP="${CONF}.$(date +%Y%m%d-%H%M%S).bak"
+
+if [[ ! -f "$CONF" ]]; then
+  echo "ERROR: Config not found: $CONF" >&2
+  exit 1
+fi
+
+cp -a -- "$CONF" "$BACKUP"
+
+ensure_kv() {
+  local key="$1"
+  local value="$2"
+
+  # Prüfen ob es eine AKTIVE (nicht auskommentierte) Zeile gibt
+  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$CONF"; then
+    # Nur erste aktive Zeile ersetzen
+    sed -ri "0,/^[[:space:]]*${key}[[:space:]]*=.*/s//${key} = ${value}/" "$CONF"
+  else
+    # Anfügen mit Leerzeile + Kommentar
+    cat >>"$CONF" <<EOF
+
+# --- Mailinglist-friendly SPF policy (added by script) ---
+${key} = ${value}
+EOF
+  fi
+}
+
+ensure_kv "HELO_reject" "False"
+ensure_kv "Mail_From_reject" "False"
+ensure_kv "PermError_reject" "False"
+ensure_kv "TempError_Defer" "True"
+
+echo "Updated: $CONF"
+echo "Backup : $BACKUP"
+
+exit