Compare commits
10 Commits
96a77260c3
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
| 6d516ed25a | |||
| c6909c937d | |||
| 9708c595c4 | |||
| 9c52e54182 | |||
| 849cbfa2e4 | |||
| 0a51e44b93 | |||
| 16618f9949 | |||
| b4b47d5a79 | |||
| d1694bf3a4 | |||
| ee1e2d0b7e |
@@ -145,7 +145,7 @@ dbhost=""
|
||||
# - Cert/Key configurations
|
||||
# ---
|
||||
|
||||
cert_base_dir="/etc/postfix/ssl"
|
||||
cert_base_dir="/etc/dovecot/ssl"
|
||||
server_cert=${cert_base_dir}/mailserver.crt
|
||||
server_key=${cert_base_dir}/mailserver.key
|
||||
dh_pem_file="${cert_base_dir}/dh_4096.pem"
|
||||
|
||||
@@ -2257,6 +2257,45 @@ if ! $installation_failed ; then
|
||||
fi
|
||||
fi
|
||||
|
||||
# Create /etc/spamassassin/99_nullsender.cf
|
||||
#
|
||||
# Spamassassin Regeln für Nullsender (Return-Path: <>)
|
||||
#
|
||||
# Problem:
|
||||
# echte DSNs haben ebenfalls Return-Path: <>
|
||||
#
|
||||
# Aber:
|
||||
# Echte DSNs sind i.d.R. multipart/report (delivery-status)
|
||||
#
|
||||
echononl " Create file \"/etc/spamassassin/99_nullsender.cf\".."
|
||||
cat <<'EOF' > /etc/spamassassin/99_nullsender.cf 2> $tmp_err_msg
|
||||
########################################################################
|
||||
# Null-sender (Return-Path: <>) Behandlung
|
||||
# Ziel: Fake-Bounces markieren, echte DSNs nicht treffen
|
||||
########################################################################
|
||||
|
||||
# 1) Null-Envelope-From erkannt
|
||||
header LOCAL_NULL_SENDER Return-Path =~ /^<>$/i
|
||||
describe LOCAL_NULL_SENDER Null envelope-from (Return-Path <>)
|
||||
score LOCAL_NULL_SENDER 0.1
|
||||
|
||||
# 2) Echte DSNs sind i.d.R. multipart/report (delivery-status)
|
||||
header LOCAL_DSN_MULTIPART Content-Type =~ /^multipart\/report\b/i
|
||||
describe LOCAL_DSN_MULTIPART Looks like a real DSN (multipart/report)
|
||||
score LOCAL_DSN_MULTIPART -3.0
|
||||
|
||||
# 3) Fake-Bounce: Null-sender, aber NICHT multipart/report
|
||||
meta LOCAL_NULL_NOT_DSN LOCAL_NULL_SENDER && !LOCAL_DSN_MULTIPART
|
||||
describe LOCAL_NULL_NOT_DSN Null-sender but not a DSN (likely fake bounce spam)
|
||||
score LOCAL_NULL_NOT_DSN 6.0
|
||||
EOF
|
||||
if [[ $? -eq 0 ]] ; then
|
||||
echo_ok
|
||||
else
|
||||
echo_failed
|
||||
error "$(cat $tmp_err_msg)"
|
||||
fi
|
||||
|
||||
|
||||
# - Enable nightly cronjob for spamassassin
|
||||
# -
|
||||
@@ -3260,6 +3299,18 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
|
||||
if [[ "$?" -ne 0 ]] ; then
|
||||
installation_failed=true
|
||||
error "$(cat $tmp_err_msg)"
|
||||
|
||||
warn "command was:
|
||||
|
||||
git clone https://github.com/extremeshok/clamav-unofficial-sigs.git /tmp/clamav-unofficial-sigs"
|
||||
echononl "continue anyway [yes/no]: "
|
||||
read OK
|
||||
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
|
||||
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
|
||||
echononl "Wrong entry! - repeat [yes/nno]: "
|
||||
read OK
|
||||
done
|
||||
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
|
||||
fi
|
||||
if ! $installation_failed ; then
|
||||
echo_ok
|
||||
@@ -4957,6 +5008,7 @@ fi
|
||||
## - localhost:10025 inet n - y - - smtpd
|
||||
## - -o content_filter=
|
||||
## - -o smtpd_proxy_filter=
|
||||
## - -o smtpd_milters=
|
||||
## - -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
|
||||
## - -o smtpd_client_restrictions=
|
||||
## - -o smtpd_helo_restrictions=
|
||||
@@ -5031,6 +5083,8 @@ EOF
|
||||
localhost:10025 inet n - y - - smtpd
|
||||
-o content_filter=
|
||||
-o smtpd_proxy_filter=
|
||||
-o smtpd_milters=
|
||||
-o milter_macro_daemon_name=ORIGINATING
|
||||
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
|
||||
-o smtpd_client_restrictions=
|
||||
-o smtpd_helo_restrictions=
|
||||
@@ -5093,6 +5147,8 @@ EOF
|
||||
localhost:10025 inet n - y - - smtpd
|
||||
-o content_filter=
|
||||
-o smtpd_proxy_filter=
|
||||
-o smtpd_milters=
|
||||
-o milter_macro_daemon_name=ORIGINATING
|
||||
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
|
||||
-o smtpd_client_restrictions=
|
||||
-o smtpd_helo_restrictions=
|
||||
@@ -5145,6 +5201,8 @@ EOF
|
||||
localhost:10025 inet n - y - - smtpd
|
||||
-o content_filter=
|
||||
-o smtpd_proxy_filter=
|
||||
-o smtpd_milters=
|
||||
-o milter_macro_daemon_name=ORIGINATING
|
||||
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
|
||||
-o smtpd_client_restrictions=
|
||||
-o smtpd_helo_restrictions=
|
||||
@@ -5181,6 +5239,8 @@ EOF
|
||||
localhost:10025 inet n - y - - smtpd
|
||||
-o content_filter=
|
||||
-o smtpd_proxy_filter=
|
||||
-o smtpd_milters=
|
||||
-o milter_macro_daemon_name=ORIGINATING
|
||||
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
|
||||
-o smtpd_client_restrictions=
|
||||
-o smtpd_helo_restrictions=
|
||||
|
||||
@@ -881,26 +881,26 @@ else
|
||||
error "$(cat $log_file)"
|
||||
fi
|
||||
|
||||
echononl " Set Variable non_smtpd_milters at '/etc/postfix/main.cf'.."
|
||||
if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then
|
||||
if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then
|
||||
echo_skipped
|
||||
else
|
||||
perl -i -n -p -e "s&^\s*(non_smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \
|
||||
/etc/postfix/main.cf > $log_file 2>&1
|
||||
if [[ $? -eq 0 ]] ; then
|
||||
echo_ok
|
||||
postfix_needs_restart=true
|
||||
else
|
||||
echo_failed
|
||||
error "$(cat $log_file)"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
|
||||
echo_skipped
|
||||
warn "non_smtpd_milters is not adjusted. Complete Postfix configuration (main.cf) manually\!"
|
||||
fi
|
||||
#echononl " Set Variable non_smtpd_milters at '/etc/postfix/main.cf'.."
|
||||
#if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then
|
||||
# if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then
|
||||
# echo_skipped
|
||||
# else
|
||||
# perl -i -n -p -e "s&^\s*(non_smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \
|
||||
# /etc/postfix/main.cf > $log_file 2>&1
|
||||
# if [[ $? -eq 0 ]] ; then
|
||||
# echo_ok
|
||||
# postfix_needs_restart=true
|
||||
# else
|
||||
# echo_failed
|
||||
# error "$(cat $log_file)"
|
||||
# fi
|
||||
# fi
|
||||
#else
|
||||
#
|
||||
# echo_skipped
|
||||
# warn "non_smtpd_milters is not adjusted. Complete Postfix configuration (main.cf) manually\!"
|
||||
#fi
|
||||
|
||||
|
||||
echononl " Set Variable smtpd_milters at '/etc/postfix/main.cf'.."
|
||||
@@ -975,53 +975,53 @@ EOF
|
||||
fi
|
||||
|
||||
|
||||
if grep -q -E "^\s*#?\s*non_smtpd_milters\s*=" ${main_cf_file} ; then
|
||||
|
||||
ensure_dmarc_var "non_smtpd_milters" > "${tmp_main_cf_file}"
|
||||
cp "${tmp_main_cf_file}" "${main_cf_file}"
|
||||
|
||||
else
|
||||
|
||||
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
|
||||
|
||||
# Was sind non_smtpd_milters?
|
||||
#if grep -q -E "^\s*#?\s*non_smtpd_milters\s*=" ${main_cf_file} ; then
|
||||
#
|
||||
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
|
||||
# der smtpd-Daemon sind.
|
||||
# ensure_dmarc_var "non_smtpd_milters" > "${tmp_main_cf_file}"
|
||||
# cp "${tmp_main_cf_file}" "${main_cf_file}"
|
||||
#
|
||||
# Das betrifft z. B.:
|
||||
#else
|
||||
#
|
||||
# cleanup Header/Content-Bereinigung
|
||||
# qmgr Queue-Manager
|
||||
# lmtp / smtp Auslieferung nach extern
|
||||
# local lokale Zustellung
|
||||
# cat <<EOF >> /etc/postfix/main.cf 2> $log_file
|
||||
#
|
||||
# Das sind z. B.:
|
||||
#
|
||||
# - interne Bounces (MAILER-DAEMON)
|
||||
#
|
||||
# - Cron-Mails vom Server
|
||||
#
|
||||
# - Weiterleitungen, die Postfix selbst generiert
|
||||
#
|
||||
# - Mails, die über sendmail CLI gesendet werden
|
||||
#
|
||||
# - Mails, die Amavis über LMTP zurückgibt
|
||||
#
|
||||
# - etc.
|
||||
#
|
||||
#
|
||||
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
|
||||
non_smtpd_milters = $opendmarc_socket_string
|
||||
EOF
|
||||
fi
|
||||
postfix_needs_restart=true
|
||||
if [[ $? -eq 0 ]] ; then
|
||||
echo_ok
|
||||
else
|
||||
echo_failed
|
||||
error "$(cat $log_file)"
|
||||
fi
|
||||
## Was sind non_smtpd_milters?
|
||||
##
|
||||
## non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
|
||||
## der smtpd-Daemon sind.
|
||||
##
|
||||
## Das betrifft z. B.:
|
||||
##
|
||||
## cleanup Header/Content-Bereinigung
|
||||
## qmgr Queue-Manager
|
||||
## lmtp / smtp Auslieferung nach extern
|
||||
## local lokale Zustellung
|
||||
##
|
||||
## Das sind z. B.:
|
||||
##
|
||||
## - interne Bounces (MAILER-DAEMON)
|
||||
##
|
||||
## - Cron-Mails vom Server
|
||||
##
|
||||
## - Weiterleitungen, die Postfix selbst generiert
|
||||
##
|
||||
## - Mails, die über sendmail CLI gesendet werden
|
||||
##
|
||||
## - Mails, die Amavis über LMTP zurückgibt
|
||||
##
|
||||
## - etc.
|
||||
##
|
||||
##
|
||||
## DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
|
||||
#non_smtpd_milters = $opendmarc_socket_string
|
||||
#EOF
|
||||
#fi
|
||||
#postfix_needs_restart=true
|
||||
#if [[ $? -eq 0 ]] ; then
|
||||
# echo_ok
|
||||
#else
|
||||
# echo_failed
|
||||
# error "$(cat $log_file)"
|
||||
#fi
|
||||
|
||||
|
||||
echo ""
|
||||
|
||||
@@ -2911,8 +2911,13 @@ fi
|
||||
cat <<EOF >> /etc/postfix/main.cf
|
||||
# Policyd-Weight
|
||||
#check_policy_service inet:127.0.0.1:12525,
|
||||
# ---------------------------------------------------------------------------------
|
||||
# DEPRECATED permit_mx_backup
|
||||
#
|
||||
# warning: support for restriction "permit_mx_backup" will be removed from Postfix;
|
||||
# permit Backup MX
|
||||
permit_mx_backup,
|
||||
# permit_mx_backup,
|
||||
# ---------------------------------------------------------------------------------
|
||||
# permit, if all restrictions so far passed
|
||||
permit
|
||||
|
||||
@@ -2953,8 +2958,13 @@ smtpd_relay_restrictions =
|
||||
# managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
|
||||
# for more details
|
||||
reject_unverified_recipient,
|
||||
# ---------------------------------------------------------------------------------
|
||||
# DEPRECATED permit_mx_backup
|
||||
#
|
||||
# warning: support for restriction "permit_mx_backup" will be removed from Postfix;
|
||||
# permit Backup MX
|
||||
permit_mx_backup,
|
||||
# permit_mx_backup,
|
||||
# ---------------------------------------------------------------------------------
|
||||
# permit, if all restrictions so far passed
|
||||
permit
|
||||
|
||||
@@ -3058,20 +3068,18 @@ EOF
|
||||
#
|
||||
EOF
|
||||
|
||||
if [[ -n "$(which opendkim)" ]] && [[ -n "$(which opendmarc)" ]] ; then
|
||||
cat <<EOF >> /etc/postfix/main.cf
|
||||
non_smtpd_milters = local:/opendkim/opendkim.sock,local:/opendmarc/opendmarc.sock
|
||||
EOF
|
||||
elif [[ -n "$(which opendkim)" ]] ; then
|
||||
if [[ -n "$(which opendkim)" ]] ; then
|
||||
cat <<EOF >> /etc/postfix/main.cf
|
||||
non_smtpd_milters = local:/opendkim/opendkim.sock
|
||||
EOF
|
||||
else
|
||||
cat <<EOF >> /etc/postfix/main.cf
|
||||
non_smtpd_milters = local:/opendmarc/opendmarc.sock
|
||||
non_smtpd_milters =
|
||||
EOF
|
||||
fi
|
||||
|
||||
else
|
||||
|
||||
cat <<EOF >> /etc/postfix/main.cf
|
||||
|
||||
|
||||
@@ -3616,41 +3624,58 @@ fi
|
||||
_file="/etc/postfix/header_checks.pcre"
|
||||
echononl " Create file '$_file' used for header replacing"
|
||||
if [[ ! -f "$_file" ]]; then
|
||||
cat << EOF > "$_file"
|
||||
cat << 'EOF' > "$_file"
|
||||
# ---
|
||||
# - Replace headers
|
||||
# - Header Checks - /etc/postfix/header_checks
|
||||
# ---
|
||||
#
|
||||
# Ziel: offensichtlich kaputte RFC-Header ablehnen (wenig False Positives)
|
||||
|
||||
# - Replace recieved from
|
||||
#/^Received: from (.* \\([-._[:alnum:]]+ \\[[.[:digit:]]{7,15}\\]\\)).*?([[:space:]]+).*\\(Authenticated sender: ([^)]+)\\)(.*)/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])\$2(Authenticated sender: \$3)\$4
|
||||
########################################
|
||||
# A) Kaputter From:-Header
|
||||
########################################
|
||||
|
||||
# 1) From: ist leer
|
||||
/^From:\s*$/ REJECT Invalid From header (empty) - Spamschutzregel FROM-1001
|
||||
|
||||
# 2) Mehr als ein '@' im From:-Header -> syntaktisch kaputt
|
||||
/^From:.*@.*@/ REJECT Invalid From header (multiple @) - Spamschutzregel FROM-1002
|
||||
|
||||
|
||||
# ---
|
||||
# - Ignore Headers
|
||||
# ---
|
||||
# 3) Mehrere Mailboxen durch Komma getrennt (wie: Die@..., Lions@..., ...)
|
||||
# (Legitime Fälle nutzen i.d.R. Display-Namen/Group-Syntax; dieses Muster ist in Spam sehr häufig)
|
||||
/^From:\s*[^<>,]+@[^,]+,\s*[^<>,]+@/ REJECT Invalid From header (multiple mailboxes) - Spamschutzregel FROM-1003
|
||||
|
||||
#/^\s*User-Agent/ IGNORE
|
||||
#/^\s*X-Enigmail/ IGNORE
|
||||
#/^\s*X-Mailer/ IGNORE
|
||||
#/^\s*X-Originating-IP/ IGNORE
|
||||
# 4) Typische kaputte UTF-8-Fragmente
|
||||
/^From:.*\xC3\xA2/ REJECT Invalid UTF-8 in From header - Spamschutzregel FROM-1004
|
||||
|
||||
|
||||
# ---
|
||||
# - Reject / Discard headers
|
||||
# ---
|
||||
########################################
|
||||
# B) Optional: sehr spezifische lokale Blacklist
|
||||
########################################
|
||||
|
||||
/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001
|
||||
#/^Reply-To: .+\@inx1and1\..+/ REJECT Possible spam (local pattern)
|
||||
|
||||
/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001
|
||||
|
||||
/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001
|
||||
########################################
|
||||
# C) Warn
|
||||
########################################
|
||||
|
||||
/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001
|
||||
# Date-Rejects sind oft zu aggressiv -> wenn nötig: lieber taggen oder loggen statt reject
|
||||
/^Date: .* 19[0-9][0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1001
|
||||
/^Date: .* 200[0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1002
|
||||
/^Date: .* 201[0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1003
|
||||
|
||||
|
||||
|
||||
########################################
|
||||
# Bemerkungen
|
||||
########################################
|
||||
|
||||
# (envelope-from <>) nicht pauschal rejecten:
|
||||
# echte DSNs/Bounces haben legitimerweise MAIL FROM: <>
|
||||
#/\(envelope-from <>\)/ REJECT Null envelope-from
|
||||
|
||||
/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001
|
||||
/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002
|
||||
/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003
|
||||
/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004
|
||||
EOF
|
||||
if [[ $? -eq 0 ]] ; then
|
||||
echo_ok
|
||||
|
||||
@@ -938,6 +938,16 @@ done
|
||||
if $_failed ; then
|
||||
echo_failed
|
||||
error "$(cat $log_file)"
|
||||
|
||||
echononl "\tcontinue anyway [yes/no]: "
|
||||
read OK
|
||||
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
|
||||
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
|
||||
echononl "Wrong entry! - repeat [yes/nno]: "
|
||||
read OK
|
||||
done
|
||||
[[ $OK = "yes" ]] || fatal "Script terminated by user input.."
|
||||
|
||||
else
|
||||
echo_ok
|
||||
fi
|
||||
@@ -2198,7 +2208,7 @@ fi
|
||||
|
||||
echo -e "\n\n\t\033[37m\033[1mConfigure Postfix Admin\033[m\n"
|
||||
|
||||
if [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]]; then
|
||||
if [[ $MAJOR_VERSION -gt 3 ]] || [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]]; then
|
||||
pfa_conf_file="${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.local.php"
|
||||
cp -a "${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.inc.php" "$pfa_conf_file"
|
||||
else
|
||||
|
||||
Reference in New Issue
Block a user