Compare commits

..

25 Commits

Author SHA1 Message Date
ba20cb36fe Add initial not yet running installscript for dovecot version 2.4.x 2025-07-12 12:55:16 +02:00
83ad91f77d install_update_dovecot.sh:cleanup fron debug code.. 2025-07-12 12:54:08 +02:00
3a98ac15f7 Merge branch 'master' of https://git.oopen.de/install/mailsystem 2025-07-12 11:10:26 +02:00
d811cbfbd1 Backup 'BAK/install_update_dovecot.sh' bevor uploading a new one. 2025-07-12 11:10:17 +02:00
5eebd200f4 install_update_dovecot.sh: some minor changes. 2025-07-12 11:07:57 +02:00
14ae5a3ebf install_postfix_advanced.sh: workarround for error: the query to zen.spamhaus.org was blocked due to usage of an open resolver. 2025-05-15 02:59:51 +02:00
e24fb4cad3 install_postfix_advanced.sh: fix error in creating master.cf (+policy-spf). 2025-05-14 11:18:56 +02:00
cc06fe5cfa install_amavis.sh: fix errors in if statements: replace ':' with ';'. 2025-05-14 10:26:50 +02:00
4442c6230e install_postfix_advanced.s - policyd-spf h: increase 'void lookup limit'fro '2' to '5'. 2025-04-29 17:09:27 +02:00
3f141499dc install_postfix_base.sh: update file 'sasl_passwd' instead ao renewing it. 2025-03-12 14:43:41 +01:00
9b12e32853 install_amavis.sh: Moving SPAM policies into an external file. 2025-03-03 17:57:22 +01:00
894ff4eced install_opendmarc.sh: adjust configuration file. 2025-03-03 15:42:04 +01:00
99b1205d1b install_opendkim.sh: adjust configuration file. 2025-03-03 15:41:40 +01:00
ae2b6540af install_postfix_advanced.sh: add support for postfix-policyd-spf-python . 2025-03-02 02:17:25 +01:00
6cc1848e45 install_opendkim.sh: Add an Authentication-Results: header field. 2025-02-26 12:26:19 +01:00
07231ac1c7 install_postfix_advanced.sh: ix.dnsbl.manitu.net (also known as NixSpam) has been shutdown on 2025-01-16. 2025-02-14 14:29:14 +01:00
7b6e4c36d0 install_amavis.sh,install_postfix_advanced.sh: support additional smtp port in case of relay host. 2025-01-27 18:50:01 +01:00
ee41a335b1 install_postfix_base.sh: some really minor changes.. 2025-01-27 17:48:36 +01:00
0b410ad6d8 install_postfix_base.sh: support relaying to non standard port (other than 25). 2025-01-27 17:02:08 +01:00
aa092ea841 install_postfixadmin.sh: orioginal script now has the right charset (utf8). 2025-01-05 01:15:39 +01:00
da6c7fca0e install_postfix_base.sh: fix error if IPv4 address is a loopback address (127.x). 2024-12-18 12:04:04 +01:00
f1f56f48f6 install_amavis.sh: fix error in if statement. 2024-10-01 17:27:21 +02:00
765b16fd59 Merge branch 'master' of git.oopen.de:install/mailsystem 2024-10-01 00:21:35 +02:00
6a34a5b74c README.test_mailprotocolls: add test of RSA based TLS connection. 2024-10-01 00:21:16 +02:00
ad1d844b54 install_postfix_advanced.sh: some minor changes in writing 'main.cf'. 2024-10-01 00:20:04 +02:00
10 changed files with 10096 additions and 228 deletions

4554
BAK/install_update_dovecot.sh.00 Executable file

File diff suppressed because it is too large Load Diff

View File

@ -14,3 +14,10 @@ openssl s_client -crlf -starttls pop3 -connect localhost:110
openssl s_client -crlf -connect localhost:993
openssl s_client -crlf -starttls imap -connect localhost:143
# Test RSA based TLS connection
#
echo "quit" | openssl s_client -connect a.mx.oopen.de:25 -starttls smtp -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384
echo "quit" | openssl s_client -connect a.mx.oopen.de:25 -starttls smtp -tls1_2
echo "quit" | openssl s_client -connect a.mx.oopen.de:25 -starttls smtp

View File

@ -216,7 +216,7 @@ elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -eq 11 ]] ; then
elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -eq 12 ]] ; then
_needed_packages_clamav="$_needed_packages_clamav \
libclamunrar11"
elif
else
_needed_packages_clamav="$_needed_packages_clamav \
libclamunrar13"
fi
@ -4335,96 +4335,15 @@ read_hash(\%spam_lovers, '/etc/postfix/spam_lovers');
\$final_spam_destiny = D_BOUNCE;
#\$final_bad_header_destiny = D_PASS; # False-positive prone (for spam)
\$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
\$sa_tag2_level_deflt = 5.1; # add 'spam detected' headers at that level
\$sa_kill_level_deflt = 10.31; # reject/bounce/discard/pass
##- Moved to file '/etc/amavis/policy_banks.conf'
## -
## - User / Domain specific settings
## - \$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level
## - \$sa_tag2_level_deflt = 5.1; # add 'spam detected' headers at that level
## - \$sa_kill_level_deflt = 10.31; # reject/bounce/discard/pass
## -
do "/etc/amavis/policy_banks.conf"; # Externe Datei einbinden
## - Per-recipient mapping of tag2 levels to email addresses (tag2 level):
## -
## - Set directly:
## -
#\$sa_tag2_level_deflt = {
# # oopen.de
# 'oopen.de'=>'2.1',
# 'ckubu@oopen.de'=>'2.2',
# 'argus@oopen.de'=>'2.3',
# # k8h.de
# 'k8h.de'=>'6.5',
# # default
# '.'=>'5.1'
#};
## -
## - Read from file using @spam_tag2_level_maps
## -
## - default: @spam_tag2_level_maps = (\\\$sa_tag2_level_deflt);
## -
## - Example file '/etc/postfix/tag2_level_maps.dat'
## -
## - # oopen.de
## - oopen.de 2.1
## - ckubu@oopen.de 2.2
## - argus@oopen.de 2.3
## - [..]
## - # k8h.de
## - k8h.de 6.5
## - [..]
## - # default
## - . 5.1
## -
#@spam_tag2_level_maps = ( read_hash('/etc/postfix/tag2_level_maps.dat') );
## - Per-recipient mapping of kill levels to email addresses (kill level):
## -
## - Set directly
## -
#\$sa_kill_level_deflt = {
# 'ckubu@oopen.de'=>'1500.0',
# 'ckubu-adm@oopen.de'=>'1500.0',
# # default
# '.'=>'10.31'
#};
## -
## - Read from file using @spam_kill_level_maps
## -
## - default: @spam_kill_level_maps = (\\\$sa_kill_level_deflt);
## -
## - Example file '/etc/postfix/kill_level_maps.dat'
## -
## - # oopen.de
## - ckubu@oopen.de 1500.0
## - ckubu-adm@oopen.de 1500.0
## - [..]
## - # default
## - . 10.31
## -
#@spam_kill_level_maps = ( read_hash('/etc/postfix/kill_level_maps.dat') );
## - We will inform the sender about bouncing his mail with a DSN (Delivery
## - StatusNotification). That DSN message will no be send, if the spamvalue
## - exceeds the value of sa_dsn_cutoff_level
## -
#\$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
\$sa_dsn_cutoff_level = 20;
## - change the default server response if mail was blocked
## - because of spam.
## -
## - results in (is an example):
## - <ckubu@so36.net>: host 127.0.0.1[127.0.0.1] said: 554 5.7.0 Reject, Mailserver
## - at a.mx.oopen.de: identified as SPAM - (in reply to end of DATA command)
## -
%smtp_reason_by_ccat = (
CC_SPAM, "Mailserver at \$myhostname: identified as SPAM - %x"
);
\$sa_spam_subject_tag = undef;
#\$sa_spam_subject_tag = '***SPAM*** ';
## - QUARANTINE
@ -4672,6 +4591,153 @@ else
fi
## - Create File containing policy settings
## -
_config_policy_banks_file=/etc/amavis/policy_banks.conf
echononl " Create File \"${_config_policy_banks_file}\""
if [[ -f "${_config_policy_banks_file}" ]]; then
echo_skipped
else
cat << EOF > ${_config_policy_banks_file}
# Externe Richtliniendatei für amavisd
use strict;
# ---
# add spam info headers if at, or above that level
# ---
## - All recipients with identical the same setting:
## -
#\$sa_tag_level_deflt = 2.0;
## - Per-recipient mapping of tag2 levels to email addresses (tag2 level):
## -
## - Set directly:
## -
\$sa_tag_level_deflt = {
'oopen.de' => '-4.5',
# default
'.'=>'2.0'
};
## - Read from file using @spam_tag2_level_maps
## -
## - default: @spam_tag2_level_maps = (\$sa_tag2_level_deflt);
## -
## - Example file '/etc/postfix/tag2_level_maps.dat'
## -
## - # oopen.de
## - oopen.de 2.1
## - ckubu@oopen.de 2.2
## - argus@oopen.de 2.3
## - [..]
## - # k8h.de
## - k8h.de 6.5
## - [..]
## - # default
## - . 5.1
## -
#@spam_tag2_level_maps = ( read_hash('/etc/postfix/tag2_level_maps.dat') );
#\$sa_spam_subject_tag = '***SPAM*** '; # Spam-Betreff-Tag
\$sa_spam_subject_tag = undef;
# ---
# add 'spam detected' headers at that level
# ---
## - All recipients with identical the same setting:
## -
#\$sa_tag2_level_deflt = 5.1; # add 'spam detected' headers at that level
## - Per-recipient mapping of kill levels to email addresses (kill level):
## -
## - Set directly
## -
\$sa_tag2_level_deflt = {
'oopen.de' => '3.1',
'123comics.net' => '4.1',
'info@123comics.net' => '3.1',
# default
'.' => '5.1',
};
## - Read from file using @spam_kill_level_maps
## -
## - default: @spam_kill_level_maps = (\$sa_kill_level_deflt);
## -
## - Example file '/etc/postfix/kill_level_maps.dat'
## -
## - # oopen.de
## - ckubu@oopen.de 1500.0
## - ckubu-adm@oopen.de 1500.0
## - [..]
## - # default
## - . 10.31
## -
#@spam_kill_level_maps = ( read_hash('/etc/postfix/kill_level_maps.dat') );
# ---
# adding more detailed spam-related headers.
# ---
## - All recipients with identical the same setting:
## -
\$sa_tag3_level_deflt = 7.0; # threshold for sa_tag3_level_deflt
## - Note
## - Like 'sa_tag2_level_deflt' above per-recipient also possible
@sa_tag3_level_maps = (
['^Subject:', '\[HIGH-SPAM\] $&'], # Modify subject
['HEADER', 'X-High-Spam-Flag', 'YES'], # Add a custom header
);
# ---
# spam score threshold at which amavisd-new will reject (kill) an email.
# ---
## - All recipients with identical the same setting:
## -
\$sa_kill_level_deflt = 10.31; # reject/bounce/discard/pass
## - Note
## - Like 'sa_tag2_level_deflt' above per-recipient also possible
# ---
# The threshold for sending a delivery status notification (DSN) to the sender
# ---
## - We will inform the sender about bouncing his mail with a DSN (Delivery
## - StatusNotification). That DSN message will no be send, if the spamvalue
## - exceeds the value of sa_dsn_cutoff_level
## -
#\$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent
\$sa_dsn_cutoff_level = 20;
#------------ Do not modify anything below this line -------------
1; # ensure a defined return
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
## - Configure syslogd matching the configuration od amavisd
## -
echononl " Configure syslogd matching the configuration of amavis"
@ -5034,6 +5100,12 @@ if grep -iq -E "^amavisfeed\s+" $postfix_master_cf > /dev/null 2>&1 ; then
else
amavisfeed_present=false
fi
if grep -iq -E "^[0-9]{2,5}\s+inet.*smtpd" $postfix_master_cf > /dev/null 2>&1 ; then
listen_on_additional_smtp_port=true
additional_smtp_port="$(grep -E "^[0-9]{2,5}\s+inet.*smtpd" /etc/postfix/master.cf | grep -o -E "^[0-9]{2,5}")"
else
listen_on_additional_smtp_port=false
fi
> $postfix_master_cf
while IFS='' read -r _line || [[ -n $_line ]] ; do
@ -5051,6 +5123,19 @@ EOF
EOF
fi
if ${listen_on_additional_smtp_port} ; then
cat >> $postfix_master_cf << EOF
${additional_smtp_port} inet n - y - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o content_filter=
EOF
if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
cat >> $postfix_master_cf << EOF
-o smtpd_sasl_auth_enable=no
EOF
fi
fi
if ! $submission_present && ! $smtps_present && ! $localhost_10025_present ; then
cat >> $postfix_master_cf << EOF
localhost:10025 inet n - y - - smtpd
@ -5305,6 +5390,13 @@ else
fi
fi
if ${listen_on_additional_smtp_port}; then
echo ""
warn "Please do not forget to allow incomming traffic on port \033[1m${additional_smtp_port}\033[m.
Check your firewall settings.."
fi
#fi # if $ommit ; then
# -------------------------------

View File

@ -189,6 +189,13 @@ else
cat <<EOF > $opendkim_conf_file 2> $log_file
# Datei $opendkim_conf_file
# Sets the "authserv-id" to use when generating the Authentication-Results:
# header field after verifying a message. The default is to use the name of
# the MTA processing the message. If the string "HOSTNAME" is provided, the
# name of the host running the filter (as returned by the gethostname(3)
# function) will be used.
AuthservID "DKIM check $(hostname -f)"
# OpenDKIM agiert als Mail Filter (= Milter) in den
# Modi signer (s) und verifier (v) und verwendet eine
# Socket-Datei zur Kommunikation (alternativ: lokaler Port)
@ -237,6 +244,21 @@ SignatureAlgorithm rsa-sha256
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
# Add an "Authentication-Results:" header field even to unsigned messages
# from domains with no "signs all" policy. The reported DKIM result will be
# "none" in such cases. Normally unsigned mail from non-strict domains does
# not cause the results header field to be added.
AlwaysAddARHeader yes
# Causes opendkim to fork and exits immediately, leaving the service running
# in the background. The default is "true".
Background yes
# Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
# default is 5. Ignored if not using an asynchronous resolver package. See
# also the NOTES section below.
DNSTimeout 5
EOF
opendkim_needs_restart=true
if [[ $? -eq 0 ]] ; then

View File

@ -23,7 +23,7 @@ opendmarc_socket_dir="${postfix_spool_dir}/opendmarc"
opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
config_file_name_value_parameters="
AuthservID|OpenDMARC
AuthservID|DMARC check $(hostname -f)
PidFile|/run/opendmarc/opendmarc.pid
RejectFailures|true
Syslog|true
@ -36,6 +36,7 @@ config_file_name_value_parameters="
FailureReports|false
AutoRestart|true
HistoryFile|/run/opendmarc/opendmarc.dat
SPFIgnoreResults|false
SPFSelfValidate|true
Socket|${opendmarc_socket_file}
"
@ -182,6 +183,200 @@ else
fi
# - Add 'IgnoreHosts' with default value to the original opendmarc.conf file
#
echononl " Add 'IgnoreHosts' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^IgnoreHosts\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Specifies the path to a file that contains a list of hostnames, IP addresses,
## and/or CIDR expressions identifying hosts whose SMTP connections are to be
## ignored by the filter. If not specified, defaults to "127.0.0.1" only.
#
IgnoreHosts 127.0.0.1
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'IgnoreAuthenticatedClients' with default value to the original opendmarc.conf file
#
_param="IgnoreAuthenticatedClients"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter. The default is "false".
#
IgnoreAuthenticatedClients false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
#
_param="IgnoreAuthenticatedClients"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter. The default is "false".
#
IgnoreAuthenticatedClients false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
#
_param="RequiredHeaders"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, the filter will ensure the header of the message conforms to the basic
## header field count restrictions laid out in RFC5322, Section 3.6. Messages
## failing this test are rejected without further processing. A From: field from
## which no domain name could be extracted will also be rejected.
#
RequiredHeaders false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'AutoRestart' with default value to the original opendmarc.conf file
#
_param="AutoRestart"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Automatically re-start on failures. Use with caution; if the filter fails
## instantly after it starts, this can cause a tight fork(2) loop.
#
AutoRestart false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'HistoryFile' with default value to the original opendmarc.conf file
#
_param="HistoryFile"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## If set, specifies the location of a text file to which records are written
## that can be used to generate DMARC aggregate reports. Records are batches of
## rows containing information about a single received message, and include all
## relevant information needed to generate a DMARC aggregate report. It is
## expected that this will not be used in its raw form, but rather periodically
## imported into a relational database from which the aggregate reports can be
## extracted using opendmarc-importstats(8).
#
HistoryFile /run/opendmarc/opendmarc.dat
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'SPFIgnoreResults' with default value to the original opendmarc.conf file
#
_param="SPFIgnoreResults"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Causes the filter to ignore any SPF results in the header of the message. This
## is useful if you want the filter to perform SPF checks itself, or because you
## don't trust the arriving header. The default is "false".
#
SPFIgnoreResults false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Add 'SPFSelfValidate' with default value to the original opendmarc.conf file
#
_param="SPFSelfValidate"
echononl " Add '${_param}' with default value to the opendmarc.conf file.."
if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
cat << EOF >> ${opendmarc_conf_file}
## Causes the filter to perform a fallback SPF check itself when it can find no
## SPF results in the message header. If SPFIgnoreResults is also set, it never
## looks for SPF results in headers and always performs the SPF check itself when
## this is set. The default is "false".
#
SPFSelfValidate false
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
# - Save configuration file from distribution
# -
echononl " Save configuration file from distribution"

View File

@ -125,9 +125,12 @@ trap clean_up SIGHUP SIGINT SIGTERM
# -
DEFAULT_ADMIN_EMAIL="argus@oopen.de"
DEFAULT_IS_RELAY_HOST=false
DEFAULT_ADDITIONAL_RELAY_PORT=2525
DEFAULT_IS_SYMPA_LIST_SERVER=no
DEFAULT_SASL_AUTH_ENABLED=no
DEFAULT_LISTEN_ON_ADDITIONAL_RELAY_PORT=false
# - Is this a systemd system?
# -
@ -167,6 +170,10 @@ else
_IS_RELAY_HOST="$_RELAY_HOST"
fi
if [[ -z "$_LISTEN_ON_ADDITIONAL_RELAY_PORT" ]] ; then
_LISTEN_ON_ADDITIONAL_RELAY_PORT=${DEFAULT_LISTEN_ON_ADDITIONAL_RELAY_PORT}
fi
echo ""
echo ""
echo ""
@ -394,6 +401,42 @@ if $IS_RELAY_HOST ; then
done
fi
ADDITIONAL_RELAY_LISTEN_PORT=
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Should this mail relay server listen on an additional port?"
echo ""
if [[ -n "$_ADDITIONAL_RELAY_LISTEN_PORT" ]]; then
echo "Type:"
echo -e "\t\033[33mNone\033[m for no additional listen port."
else
echo "Type:"
echo -e "\t\033[33mNone\033[m or lrave empty for no additional listen port."
fi
echo ""
if [[ -n "$_ADDITIONAL_RELAY_LISTEN_PORT" ]]; then
echononl "additional listen port [${_ADDITIONAL_RELAY_LISTEN_PORT}]: "
read ADDITIONAL_RELAY_LISTEN_PORT
if [[ "X${ADDITIONAL_RELAY_LISTEN_PORT}" = "X" ]]; then
ADDITIONAL_RELAY_LISTEN_PORT=$_ADDITIONAL_RELAY_LISTEN_PORT
LISTEN_ON_ADDITIONAL_RELAY_PORT=true
fi
if [[ "${ADDITIONAL_RELAY_LISTEN_PORT,,}" = "none" ]] ; then
ADDITIONAL_RELAY_LISTEN_PORT=""
LISTEN_ON_ADDITIONAL_RELAY_PORT=false
fi
else
echononl "additional listen port: "
read ADDITIONAL_RELAY_LISTEN_PORT
if [[ "X${ADDITIONAL_RELAY_LISTEN_PORT}" = "X" ]] || [[ "${ADDITIONAL_RELAY_LISTEN_PORT,,}" = "none" ]]; then
ADDITIONAL_RELAY_LISTEN_PORT=""
LISTEN_ON_ADDITIONAL_RELAY_PORT=false
else
LISTEN_ON_ADDITIONAL_RELAY_PORT=true
fi
fi
else
IS_SYMPA_LIST_SERVER=false
@ -441,6 +484,11 @@ if $IS_RELAY_HOST ; then
echo -e "\tConfigure as sympa list server?...: \033[33m\033[1m$IS_SYMPA_LIST_SERVER\033[m"
echo ""
echo -e "\tSupport Cyrus SASL authentication.: $SASL_AUTH_ENABLED"
echo ""
echo -e "\tListen on an additional port?.......: \033[33m\033[1m${LISTEN_ON_ADDITIONAL_RELAY_PORT}\033[m"
if ${LISTEN_ON_ADDITIONAL_RELAY_PORT}; then
echo -e "\tAdditional Listen Port..............: ${ADDITIONAL_RELAY_LISTEN_PORT}"
fi
else
echo -e "\tConfigure as relay host?..........: $IS_RELAY_HOST"
echo -e "\tConfigure as complete mailserver..: \033[33m\033[1mtrue\033[m"
@ -464,7 +512,7 @@ _failed=false
echononl " Save Configuration"
cat << EOF > $conf_file
# ---
# - Parameter Settins Postfix Relay System
# - Parameter Settings Postfix Relay System
# ---
_HOSTNAME=$HOSTNAME
@ -480,7 +528,13 @@ if $IS_RELAY_HOST ; then
cat << EOF >> $conf_file
_SASL_AUTH_ENABLED=$SASL_AUTH_ENABLED
_SYMPA_LIST_SERVER=$IS_SYMPA_LIST_SERVER
_LISTEN_ON_ADDITIONAL_RELAY_PORT=${LISTEN_ON_ADDITIONAL_RELAY_PORT}
EOF
if ${LISTEN_ON_ADDITIONAL_RELAY_PORT} ; then
cat << EOF >> $conf_file
_ADDITIONAL_RELAY_LISTEN_PORT=${ADDITIONAL_RELAY_LISTEN_PORT}
EOF
fi
fi
if [[ $? -ne 0 ]]; then
_failed=true
@ -930,6 +984,120 @@ EOF
fi
# - Install SPF-Policy-Tools
# -
echononl " Install Postfix SPF-Policy-Tools 'postfix-policyd-spf-python'"
_pkg=postfix-policyd-spf-python
if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
echo_skipped
else
DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
# - Backup existing configuration file for policyd-spf daemon
# -
_file="/etc/postfix-policyd-spf-python/policyd-spf.conf"
echononl " Backup configuration file '${_file}'."
if [[ -f "${_file}" ]]; then
cp -a "${_file}" "${_file}.${backup_date}" > /dev/null 2> $log_file
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
echononl " Creeate new configuration '${_file}'.."
cat <<EOF > "${_file}"
# For a fully commented sample config file see policyd-spf.conf.commented
# Reject and deferred reason
Reason_Message = Message {rejectdefer} due to: {spf}.
# Amount of debugging information logged. 0 logs no debugging messages
# 5 includes all debug messages.
debugLevel = 1
# HELO check rejection policy. Options are:
# HELO_reject = SPF_Not_Pass (default) - Reject if result not Pass/None/Tempfail.
# HELO_reject = Softfail - Reject if result Softfail and Fail
# HELO_reject = Fail - Reject on HELO Fail
# HELO_reject = Null - Only reject HELO Fail for Null sender (SPF Classic)
# HELO_reject = False - Never reject/defer on HELO, append header only.
# HELO_reject = No_Check - Never check HELO.
HELO_reject = SPF_Not_Pass
# Mail From rejection policy. Options are:
# Mail_From_reject = SPF_Not_Pass - Reject if result not Pass/None/Tempfail.
# Mail_From_reject = Softfail - Reject if result Softfail and Fail
# Mail_From_reject = Fail - Reject on Mail From Fail (default)
# Mail_From_reject = False - Never reject/defer on Mail From, append header only
# Mail_From_reject = No_Check - Never check Mail From/Return Path.
#
# Dieser Parameter steuert, wie der SPF-Check auf Fehler bei der Überprüfung der
# MAIL FROM-Adresse reagiert. Ein Fehler tritt auf, wenn die IP-Adresse des sendenden
# Servers nicht den SPF-Einträgen der Domain in der MAIL FROM-Adresse entspricht.
#
Mail_From_reject = Fail
# Policy for rejecting due to SPF PermError. Options are:
# PermError_reject = True
# PermError_reject = False
#
# Wirkung: Dieser Parameter bestimmt, wie der SPF-Check auf permanente Fehler (PermError)
# reagiert. Ein permanenter Fehler tritt auf, wenn die SPF-DNS-Einträge ungültig oder
# fehlerhaft sind (z. B. syntaktische Fehler oder ungültige Mechanismen).
#
# Wenn PermError_reject auf True gesetzt ist, wird die E-Mail abgewiesen (rejected),
#
PermError_reject = True
# Policy for deferring messages due to SPF TempError. Options are:
# TempError_Defer = True
# TempError_Defer = False
#
# Wirkung: Dieser Parameter bestimmt das Verhalten bei temporären SPF-Fehlern (TempError).
# Ein temporärer Fehler tritt auf, wenn der SPF-Check aufgrund von vorübergehenden
# Problemen (z. B. DNS-Auflösungsfehler oder Netzwerkprobleme) nicht durchgeführt werden kann.
#
# Wenn TempError_Defer auf True gesetzt ist, wird die E-Mail vorübergehend zurückgewiesen
# (deferred), und der empfangende Server versucht später erneut, die E-Mail zuzustelle
#
TempError_Defer = Defer
# Type of header to insert to document SPF result. Can be Received-SPF (SPF)
# or Authentication Results (AR). It cannot be both.
# Examples: (default is Received-SPF):
# Header_Type = AR
# Header_Type = SPF
Header_Type = SPF
# Do not check SPF for localhost addresses - add to skip addresses to
# skip SPF for internal networks if desired. Defaults are standard IPv4 and
# IPv6 localhost addresses.
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
# RFC 7208 adds a new processing limit called "void lookup limit" (See section
# 4.6.4). Default is 2, but it can be adjusted.
Void_Limit = 5
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - Install Postfix Firewall Daemon from debian packages system
## -
echononl " Install Postfix Firewall Daemon from debian packages system"
@ -1998,7 +2166,7 @@ smtp_tls_mandatory_protocols = >=TLSv1.2
# Use EECDH with approximately 192 bits of security at computational cost that is
# approximately twice as high as 128 bit strength ECC.
#
smtpd_tls_eecdh_grade = auto
#smtpd_tls_eecdh_grade = auto
# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead
@ -2444,6 +2612,20 @@ else
EOF
fi
if [[ -n "$(which policyd-spf)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# The time limit for delivery to '/usr/bin/policyd-spf'
#
# An entry in '/etc/postfix/master.cf' is needed:
#
# policyd-spf unix - n n - 0 spawn
# user=policyd-spf argv=/usr/bin/policyd-spf
#
policyd-spf_time_limit = 3600
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
@ -2472,7 +2654,7 @@ smtpd_client_restrictions =
permit_mynetworks,
# Whitelist clients
#
check_client_access btree:/etc/postfix/client_whitelist
check_client_access btree:/etc/postfix/client_whitelist,
# White- / Blacklisting
#
check_sender_access btree:/etc/postfix/access_sender,
@ -2491,16 +2673,21 @@ smtpd_client_restrictions =
# blacklisted. Postfix will fetch the client hostname from PTR record. If the hostname is
# blacklisted, reject the email.
#
# - reject_rhsbl_sender makes Postfix reject email when the MAIL FROM domain is blacklisted.
# - reject_rhsbl_sender makes Postfix reject email when the MAIL FROM domain is blacklisted.
#
# - reject_rbl_client: This is an IP-based blacklist. When the client IP address is backlisted,
# reject the email.
#
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client ix.dnsbl.manitu.net,
# reject_rhsbl_helo dbl.spamhaus.org,
# reject_rhsbl_reverse_client dbl.spamhaus.org,
# reject_rhsbl_sender dbl.spamhaus.org,
# reject_rbl_client zen.spamhaus.org,
#
reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99],
reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
reject_rbl_client zen.spamhaus.org=127.0.1.[2..99],
# Greylisting check
#
# check_policy_service inet:127.0.0.1:10023,
@ -2634,6 +2821,17 @@ smtpd_recipient_restrictions =
# managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
# for more details
reject_unverified_recipient,
EOF
if [[ -n "$(which policyd-spf)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# Check Postfix policy service ..
#
check_policy_service unix:private/policy-spf
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
# Policyd-Weight
#check_policy_service inet:127.0.0.1:12525,
# permit Backup MX
@ -2689,18 +2887,32 @@ smtpd_relay_restrictions =
## ---
smtpd_data_restrictions =
# Block clients that speak too early.
#
# Block clients that speak too early.
#
reject_unauth_pipelining
## ---
## - smtpd END OF ATA Restrictions
## ---
smtpd_end_of_data_restrictions =
# Check Postfix Firewall Daemon
#
EOF
if [[ -n "$(which postfwd)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# Check Postfix Firewall Daemon
#
check_policy_service inet:127.0.0.1:10040
EOF
else
cat <<EOF >> /etc/postfix/main.cf
if [[ -n "$(which opendkim)" ]] ; then
EOF
fi
if [[ -n "$(which opendkim)" ]] || [[ -n "$(which opendmarc)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# ======= Milter configuration =======
@ -2721,10 +2933,23 @@ milter_protocol = 6
# 'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
# localhost:10025 section in master.cf: 'smtpd_milters='
#
#smtpd_milters = local:/opendkim/opendkim.sock
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
smtpd_milters =
EOF
fi
if [[ -n "$(which opendkim)" ]] ; then
if [[ -n "$(which opendmarc)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = local:/opendkim/opendkim.sock,local:/opendmarc/opendmarc.sock
EOF
else
cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = local:/opendkim/opendkim.sock
EOF
fi
elif [[ -n "$(which opendmarc)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = local:/opendmarc/opendmarc.sock
EOF
fi
@ -3514,6 +3739,12 @@ else
smtps_present=false
fi
if grep -iq -E "^policyd-spf\s+" $postfix_master_cf > /dev/null 2>&1 ; then
policyd_spf_present=true
else
policyd_spf_present=false
fi
_found=false
echononl " Create new file \"${postfix_master_cf}\""
if [[ -f "${postfix_master_cf}.$backup_date" ]]; then
@ -3544,6 +3775,10 @@ smtps inet n - y - - smtpd
#-o milter_macro_daemon_name=ORIGINATING
EOF
fi
elif $LISTEN_ON_ADDITIONAL_RELAY_PORT ; then
cat >> $postfix_master_cf << EOF
${ADDITIONAL_RELAY_LISTEN_PORT} inet n - y - - smtpd
EOF
fi
continue
fi
@ -3591,6 +3826,17 @@ EOF
done < "${postfix_master_cf}.$backup_date"
# - Add support for policyd-spf service
# -
if ! $(grep -iq -E "^policyd-spf\s+" "$postfix_master_cf" 2> /dev/null) ; then
cat <<EOF >> $postfix_master_cf
policy-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
EOF
fi
# - Add transport definitions for only sending over IPv4/IPv6
# -
if ! $(grep -iq -E "^smtp-ipv4-only\s+" "$postfix_master_cf" 2> /dev/null) ; then
@ -3838,6 +4084,14 @@ else
fi
fi
if ${LISTEN_ON_ADDITIONAL_RELAY_PORT} ; then
echo ""
warn "Please do not forget to allow incomming traffic on port \033[1m${ADDITIONAL_RELAY_LISTEN_PORT}\033[m.
Check your firewall settings.."
fi
if [[ -n "$(which amavisd-new)" ]] ; then
warn "You have to run \033[1minstall_amavis.sh\033[m script to continue the configuration."

View File

@ -129,6 +129,7 @@ detect_os_1 () {
DEFAULT_ADMIN_EMAIL="argus@oopen.de"
DEFAULT_RELAY_HOST="b.mx.oopen.de"
DEFAULT_RELAY_PORT=25
DEFAULT_SASL_AUTH=false
DEFAULT_REWRITE_SENDER_DOMAIN=None
@ -264,7 +265,7 @@ else
fi
done
fi
if [ "X$IPV6" = "Xnone" -o "X$IPV6" = "XNone" ]; then
if [ "X$IPV6" = "Xnone" -o "X$IPV6" = "XNone" ]; then
IPV6=disabled
fi
@ -277,7 +278,7 @@ echo "Insert e-mail address where messages to local root should be forwarded"
echo ""
echo ""
if [[ -n "$_ADMIN_EMAIL" ]]; then
echononl "Admin e-mail address [$_ADMIN_EMAIL]: "
echononl "Admin e-mail address [$_ADMIN_EMAIL]: "
read ADMIN_EMAIL
if [[ "X${ADMIN_EMAIL}" = "X" ]]; then
ADMIN_EMAIL=$_ADMIN_EMAIL
@ -340,11 +341,12 @@ fi
# --- Some further default values depending on sasl authentification
# -------------
# - Set default value for relay host if sasl authentification should be
# - supported and value for _RELAY_HOST not given
# - Set default value for relay host / relay port if sasl authentification should be
# - supported and value for _RELAY_HOST / _RELAY_PORT not given
# -
if [[ "$SASL_AUTH" = "yes" ]] || $SASL_AUTH ; then
[[ -z "$_RELAY_HOST" ]] && _RELAY_HOST="$DEFAULT_RELAY_HOST"
[[ -z "$_RELAY_PORT" ]] && _RELAY_PORT="$DEFAULT_RELAY_PORT"
fi
if [[ -z ${_REWRITE_SENDER_DOMAIN} ]] ; then
@ -415,6 +417,27 @@ if [[ "$SASL_AUTH" = "yes" ]] || $SASL_AUTH ; then
done
fi
RELAY_PORT=
echo ""
echo "Insert the target port to connect to ${RELAY_HOST}"
echo ""
if [[ -n "$_RELAY_PORT" ]];then
echononl "(target) Port on ${RELAY_HOST} [$_RELAY_PORT]: "
read RELAY_PORT
if [[ "X${RELAY_PORT}" = "X" ]]; then
RELAY_PORT=$_RELAY_PORT
fi
else
while [[ "X${RELAY_PORT}" = "X" ]]; do
echononl "(target) Port on ${RELAY_HOST}: "
read RELAY_PORT
if [[ "X${RELAY_PORT}" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mi(target) Port of ${RELAY_HOST} is reqired\033[m\n"
fi
done
fi
else
SASL_AUTH=false
fi
@ -467,6 +490,7 @@ if $SASL_AUTH ; then
echo -e "\t sasl user.............: $SASL_USER"
echo -e "\t sasl password.........: $SASL_PASS"
echo -e "\t Relayhost.............: $RELAY_HOST"
echo -e "\t Port on Relayhost.....: $RELAY_PORT"
fi
echo ""
echononl "einverstanden (yes/no): "
@ -487,7 +511,7 @@ cat << EOF > $conf_file
# ---
# - Parameter Settings Postfix Bases System
# -
# - - automated generated config file -
# - - automated generated config file -
# ---
_HOSTNAME=$HOSTNAME
@ -498,6 +522,7 @@ _SASL_AUTH=$SASL_AUTH
_SASL_USER=$SASL_USER
_SASL_PASS=$SASL_PASS
_RELAY_HOST=$RELAY_HOST
_RELAY_PORT=$RELAY_PORT
_REWRITE_SENDER_DOMAIN=$REWRITE_SENDER_DOMAIN
EOF
if [[ $? -eq 0 ]] ; then
@ -506,7 +531,7 @@ else
echo_failed
fi
[[ "$IPV6" = "disabled" ]] && IPV6=""
[[ "$IPV6" = "disabled" ]] && IPV6=""
# - Synchronise package index files with the repository
@ -611,7 +636,7 @@ append_dot_mydomain = no
readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
## - The Internet protocols Postfix will attempt to use when making
## - The Internet protocols Postfix will attempt to use when making
## - or accepting connections.
## - DEFAULT: ipv4
EOF
@ -622,7 +647,7 @@ inet_protocols = ipv4, ipv6
#inet_interfaces = all
inet_interfaces =
inet_interfaces =
127.0.0.1
::1
#$IPV4
@ -630,14 +655,14 @@ inet_interfaces =
myhostname = $HOSTNAME
mydestination =
mydestination =
$HOSTNAME
localhost
## - The list of "trusted" SMTP clients that have more
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
mynetworks =
127.0.0.0/8
[::ffff:127.0.0.0]/104
[::1]/128
@ -665,21 +690,34 @@ inet_interfaces =
myhostname = $HOSTNAME
mydestination =
mydestination =
$HOSTNAME
localhost
## - The list of "trusted" SMTP clients that have more
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
mynetworks =
127.0.0.0/8
${IPV4}/32
EOF
smtp_bind_address = $IPV4
smtp_bind_address6 = $IPV6
if [[ ${IPV4} =~ ^127 ]] ; then
cat <<EOF >> /etc/postfix/main.cf
smtp_bind_address =
smtp_bind_address6 =
EOF
else
cat <<EOF >> /etc/postfix/main.cf
${IPV4}/32
smtp_bind_address = $IPV4
#smtp_bind_address6 =
EOF
fi
fi
cat <<EOF >> /etc/postfix/main.cf
@ -687,18 +725,18 @@ cat <<EOF >> /etc/postfix/main.cf
## - The method to generate the default value for the mynetworks parameter.
## -
## - mynetworks_style = host" when Postfix should "trust" only the local machine
## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP
## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP
## - clients in the same IP subnetworks as the local machine.
## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same
## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same
## - IP class A/B/C networks as the local machine.
## -
#mynetworks_style = host
## - The maximal size of any local(8) individual mailbox or maildir file,
## - or zero (no limit). In fact, this limits the size of any file that is
## - written to upon local delivery, including files written by external
## - commands that are executed by the local(8) delivery agent.
## - The maximal size of any local(8) individual mailbox or maildir file,
## - or zero (no limit). In fact, this limits the size of any file that is
## - written to upon local delivery, including files written by external
## - commands that are executed by the local(8) delivery agent.
## -
mailbox_size_limit = 0
@ -717,51 +755,51 @@ recipient_delimiter = +
alias_maps =
hash:/etc/aliases
## - The alias databases for local(8) delivery that are updated
## - with "newaliases" or with "sendmail -bi".
## - The alias databases for local(8) delivery that are updated
## - with "newaliases" or with "sendmail -bi".
## -
alias_database =
hash:/etc/aliases
## - Optional address mapping lookup tables for envelope and header sender
## - Optional address mapping lookup tables for envelope and header sender
## - addresses. The table format and lookups are documented in canonical(5).
## -
## - Example: you want to rewrite the SENDER address "user@ugly.domain"
## - to "user@pretty.domain", while still being able to send mail to the
## - Example: you want to rewrite the SENDER address "user@ugly.domain"
## - to "user@pretty.domain", while still being able to send mail to the
## - RECIPIENT address "user@ugly.domain".
## -
## - Note: \$sender_canonical_maps is processed before \$canonical_maps.
## -
sender_canonical_maps =
sender_canonical_maps =
btree:/etc/postfix/sender_canonical
## - smtp_generic_maps (default: empty)
## -
## - Optional lookup tables that perform address rewriting in the Postfix
## - SMTP client, typically to transform a locally valid address into a
## - globally valid address when sending mail across the Internet. This is
## - needed when the local machine does not have its own Internet domain name,
## -but uses something like localdomain.local instead.
## - Optional lookup tables that perform address rewriting in the Postfix
## - SMTP client, typically to transform a locally valid address into a
## - globally valid address when sending mail across the Internet. This is
## - needed when the local machine does not have its own Internet domain name,
## -but uses something like localdomain.local instead.
## -
smtp_generic_maps =
btree:/etc/postfix/generic
## - The maximal time a message is queued before it is sent back as
## - The maximal time a message is queued before it is sent back as
## - undeliverable. Defaults to 5d (5 days)
## - Specify 0 when mail delivery should be tried only once.
## -
## -
maximal_queue_lifetime = 3d
bounce_queue_lifetime = \$maximal_queue_lifetime
## - delay_warning_time (default: 0h)
## -
## - The time after which the sender receives a copy of the message
## - headers of mail that is still queued. To enable this feature,
## - specify a non-zero time value (an integral value plus an optional
## - one-letter suffix that specifies the time unit).
## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
## - The default time unit is h (hours).
## - The time after which the sender receives a copy of the message
## - headers of mail that is still queued. To enable this feature,
## - specify a non-zero time value (an integral value plus an optional
## - one-letter suffix that specifies the time unit).
## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
## - The default time unit is h (hours).
delay_warning_time = 1d
@ -788,9 +826,24 @@ smtp_sasl_auth_enable = yes
# Only offer SMTP AUTH when talking over an encrypted connection
smtpd_tls_auth_only = yes
EOF
if [[ ${RELAY_PORT} -ne 25 ]] ; then
cat <<EOF >> /etc/postfix/main.cf
# Forwarding to the ip-adress of host b.mx.oopen.de
relayhost = [${RELAY_HOST}]:${RELAY_PORT}
EOF
else
cat <<EOF >> /etc/postfix/main.cf
# Forwarding to the ip-adress of host b.mx.oopen.de
relayhost = [${RELAY_HOST}]
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
# File including login data
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
@ -799,7 +852,7 @@ smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options
# Report the SASL authenticated user name in the smtpd(8) Received message header.
# Report the SASL authenticated user name in the smtpd(8) Received message header.
smtpd_sasl_authenticated_header = no
@ -809,11 +862,11 @@ smtpd_sasl_authenticated_header = no
## - Aktiviert TLS für den Mailempfang
## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - SMTP server, otherwise use plaintext
## -
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - "smtpd_tls_wrappermode = yes".
#smtpd_use_tls=yes
smtp_tls_security_level=encrypt
@ -833,11 +886,11 @@ relayhost =
## - Aktiviert TLS für den Mailempfang
## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - SMTP server, otherwise use plaintext
## -
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - "smtpd_tls_wrappermode = yes".
#smtpd_use_tls=yes
smtp_tls_security_level=may
@ -849,16 +902,16 @@ cat <<EOF >> /etc/postfix/main.cf
## - Aktiviert TLS für den Mailversand
## -
## - may:
## - Opportunistic TLS: announce STARTTLS support to SMTP clients,
## - Opportunistic TLS: announce STARTTLS support to SMTP clients,
## - but do not require that clients use TLS encryption.
# smtp_use_tls=yes
smtpd_tls_security_level=may
## - 0 Disable logging of TLS activity.
## - 1 Log TLS handshake and certificate information.
## - 2 Log levels during TLS negotiation.
## - 3 Log hexadecimal and ASCII dump of TLS negotiation process.
## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS.
## - 0 Disable logging of TLS activity.
## - 1 Log TLS handshake and certificate information.
## - 2 Log levels during TLS negotiation.
## - 3 Log hexadecimal and ASCII dump of TLS negotiation process.
## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS.
## -
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
@ -867,7 +920,7 @@ smtpd_tls_cert_file = $_TLS_CERT_FILE
smtpd_tls_key_file = $_TLS_KEY_FILE
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl dhparam -out /etc/postfix/ssl/dh_1024.pem -2 1024
## -
@ -876,30 +929,30 @@ smtpd_tls_key_file = $_TLS_KEY_FILE
## -
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl dhparam -out /etc/postfix/ssl/dh_512.pem -2 512
## -
smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
## - File containing CA certificates of root CAs trusted to sign either remote SMTP
## - server certificates or intermediate CA certificates. These are loaded into
## - File containing CA certificates of root CAs trusted to sign either remote SMTP
## - server certificates or intermediate CA certificates. These are loaded into
## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
## -
## -
smtp_tls_CAfile = $_TLS_CA_FILE
## - Directory with PEM format certificate authority certificates that the Postfix SMTP
## - client uses to verify a remote SMTP server certificate. Don't forget to create the
## - Directory with PEM format certificate authority certificates that the Postfix SMTP
## - client uses to verify a remote SMTP server certificate. Don't forget to create the
## - necessary "hash" links with, for example, "
## - $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
## - $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
## -
## - !! Note !!
## - To use this option in chroot mode, this directory (or a copy) must be inside
## - the chroot jail.
## - To use this option in chroot mode, this directory (or a copy) must be inside
## - the chroot jail.
## -
## - Note that a chrooted daemon resolves all filenames relative to the Postfix
## - Note that a chrooted daemon resolves all filenames relative to the Postfix
## - queue directory (/var/spool/postfix)
## -
#smtpd_tls_CApath = /etc/postfix/certs
@ -1017,8 +1070,8 @@ smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
# smtpd_relay_restrictions
#
# IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipient_restrictions
# parameter must specify at least one of the following restrictions. Otherwise Postfix
# IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipient_restrictions
# parameter must specify at least one of the following restrictions. Otherwise Postfix
# will refuse to receive mail:
#
# reject, reject_unauth_destination
@ -1028,20 +1081,20 @@ smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
#
# The upstream default is:
#
# smtpd_relay_restrictions = \${{\$compatibility_level} < {1} ? {} :
# smtpd_relay_restrictions = \${{\$compatibility_level} < {1} ? {} :
# {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}
#
# AGAIN, that means: if parameter compatibility_level is not set or compatibility_level is
# AGAIN, that means: if parameter compatibility_level is not set or compatibility_level is
# set to '0', you MUST specify this value. Otherwise Postfix will refuse to receive mail
# and you get the following error message:
#
# fatal: in parameter smtpd_relay_restrictions or smtpd_recipient_restrictions, specify
# at least one working instance of: reject_unauth_destination, defer_unauth_destination,
# fatal: in parameter smtpd_relay_restrictions or smtpd_recipient_restrictions, specify
# at least one working instance of: reject_unauth_destination, defer_unauth_destination,
# reject, defer, defer_if_permit or check_relay_domains
#
#smtpd_relay_restrictions =
# permit_mynetworks,
# permit_sasl_authenticated,
#smtpd_relay_restrictions =
# permit_mynetworks,
# permit_sasl_authenticated,
# defer_unauth_destination
EOF
@ -1050,8 +1103,21 @@ echo_ok
echononl " Configure SASL authentification"
if $SASL_AUTH ; then
_sasl_pw_file="/etc/postfix/sasl_passwd"
if [[ -f "${_sasl_pw_file}" ]] && $(grep -q -E "^\[${RELAY_HOST}\]" ${_sasl_pw_file} 2> /dev/null); then
sed -i "/^\[${RELAY_HOST}/d" ${_sasl_pw_file}
if [[ "$?" != "0" ]]; then
error "Setting \"/etc/postfix/sasl_passwd\" failed! "
_failed=true
fi
fi
_failed=false
echo "[$RELAY_HOST] ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" > /etc/postfix/sasl_passwd
if [[ ${RELAY_PORT} -ne 25 ]] ; then
echo "[$RELAY_HOST]:${RELAY_PORT} ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" >> /etc/postfix/sasl_passwd
else
echo "[$RELAY_HOST] ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" >> /etc/postfix/sasl_passwd
fi
if [[ "$?" != "0" ]]; then
error "Setting \"/etc/postfix/sasl_passwd\" failed! "
_failed=true
@ -1125,7 +1191,7 @@ else
fi
## - create directory for certificates and copy certificates
## - create directory for certificates and copy certificates
## - and coresponding keys to /etc/postfix/ssl/
## -
echononl " Create directory for certificates \"/etc/postfix/ssl\""
@ -1141,7 +1207,7 @@ else
fi
## - generate DH parameters that the Postfix SMTP server should use
## - generate DH parameters that the Postfix SMTP server should use
## - with EDH ciphers (length 512 and 1024
## -
echononl " Generate DH key length=512 \"/etc/postfix/ssl/dh_512.pem\""
@ -1397,6 +1463,12 @@ else
fi
fi
if [[ ${RELAY_PORT} -ne 25 ]] ; then
echo ""
warn "Please do not forget to allow port \033[1m${RELAY_PORT}\033[m on both sides, outgoing
on this host here and incoming on the relay host '${RELAY_HOST}'."
fi
echo ""
clean_up 0

View File

@ -1842,23 +1842,25 @@ fi
# - Encoding does not work as exspected.
# -
# - Update: Encoding seems to works now
# -
# - NOTE:
# - this IS NOT a fix, but a workaround
# -
echononl "\tWorkaround, because encoding does not work as exspected."
# - Vacation script changed. Since Version 3.2 we need another perl regexp.
# - The old one was:
# - perl -i -n -p -e "s/(\s*\'ctype\'\s* =>\s*)\'text\/plain.*$/\1\'text\/plain; charset=iso-8859-1\',/" \
# -
perl -i -n -p -e "s/(\s*\'Content-Type\'\s* =>\s*)\"text\/plain.*$/\1\"text\/plain; charset=iso-8859-1\",/" \
/var/spool/vacation/vacation.pl > "$log_file" 2>&1
if [[ $? -eq 0 ]];then
echo_ok
info "This IS NOT a fix, but a workaround."
else
echo_failed
error "$(cat $log_file)"
fi
#echononl "\tWorkaround, because encoding does not work as exspected."
## - Vacation script changed. Since Version 3.2 we need another perl regexp.
## - The old one was:
## - perl -i -n -p -e "s/(\s*\'ctype\'\s* =>\s*)\'text\/plain.*$/\1\'text\/plain; charset=iso-8859-1\',/" \
## -
##perl -i -n -p -e "s/(\s*\'Content-Type\'\s* =>\s*)\"text\/plain.*$/\1\"text\/plain; charset=iso-8859-1\",/" \
## /var/spool/vacation/vacation.pl > "$log_file" 2>&1
#if [[ $? -eq 0 ]];then
# echo_ok
# info "This IS NOT a fix, but a workaround."
#else
# echo_failed
# error "$(cat $log_file)"
#fi
echononl "\tSet Permission on vacation script"
_failed=false

4621
install_update_dovecot-2.4.sh Executable file

File diff suppressed because it is too large Load Diff

View File

@ -287,14 +287,21 @@ dovecot_main_version="$(echo $_version | cut -d '.' -f1,2)"
dovecot_major_version="$(echo $_version | cut -d '.' -f1)"
dovecot_minor_version="$(echo $_version | cut -d '.' -f2)"
dovecot_patch_level="$(echo $_version | cut -d '.' -f3)"
dovecot_minor_patch_level="$(echo $_version | cut -d '.' -f4)"
_version_short="${_version%-*}"
#echo ""
#echo "_version: $_version"
#echo "dovecot_main_version $dovecot_main_version"
#echo "dovecot_major_version $dovecot_major_version"
#echo "dovecot_minor_version $dovecot_minor_version"
#echo "dovecot_patch_level $dovecot_patch_level"
#echo "_version: $_version"
#echo "dovecot_main_version $dovecot_main_version"
#echo "dovecot_major_version $dovecot_major_version"
#echo "dovecot_minor_version $dovecot_minor_version"
#echo "dovecot_patch_level $dovecot_patch_level"
#echo "dovecot_minor_patch_level $dovecot_minor_patch_level"
#echo ""
#
#clean_up 0
# 'expire plugin'was rRemoved in version 2.3.14: This plugin is not needed.
# Use mailbox { autoexpunge } Mailbox settings instead.
@ -710,32 +717,72 @@ fi
## - Download Pigeonhole for Dovecot v2.2
## -
echononl "\tDownload dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
if [ ! -f "${_src_base_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz" ]; then
wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
if [ "$?" = 0 ]; then
echo -e "$rc_done"
if [[ ${dovecot_major_version} -eq 2 ]] && [[ ${dovecot_minor_version} -lt 4 ]] ; then
echononl "\tDownload dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
if [ ! -f "${_src_base_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz" ]; then
wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
if [ "$?" = 0 ]; then
echo -e "$rc_done"
else
echo -e "$rc_failed"
error "Direct download of 'dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz' failed
Download \033[1mdovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz\033[m manually
and proceed instllation."
echononl "\tProceed instllation [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/no]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
fi
else
echo -e "$rc_failed"
error "Direct download of 'dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz' failed
Download \033[1mdovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz\033[m manually
and proceed instllation."
echononl "\tProceed instllation [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/no]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
echo -e "$rc_skipped"
fi
dovecot_pigeonhole_archiv="dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz"
else
echo -e "$rc_skipped"
echononl "\tDownload dovecot-pigeonhole-${_pigeonhole}.tar.gz.."
if [ ! -f "${_src_base_dir}/dovecot-pigeonhole-${_pigeonhole}.tar.gz" ]; then
wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
if [ "$?" = 0 ]; then
echo -e "$rc_done"
dovecot_pigeonhole_archiv="dovecot-pigeonhole-${_pigeonhole}.tar.gz"
else
echo -e "$rc_failed"
error "Direct download of 'Pigeonhole Sieve and ManageSieve' source archiv failed
Download Pigeonhole Sieve and ManageSieve manually and name it to
\033[1mdovecot-pigeonhole-${_pigeonhole}.tar.gz\033[m\n"
echononl "\tProceed instllation [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/no]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
fi
else
echo -e "$rc_skipped"
fi
dovecot_pigeonhole_archiv="dovecot-pigeonhole-${_pigeonhole}.tar.gz"
fi
dovecot_pigeonhole_archiv_prefix="${dovecot_pigeonhole_archiv%.tar.gz}"
dovecot_pigeonhole_archiv_dir="${dovecot_pigeonhole_archiv%.tar.gz}"
if $_new ; then
@ -901,6 +948,7 @@ config_params="
--prefix=/usr/local/dovecot-${_version} \
--with-${db_driver} \
--with-gssapi=yes
--with-ldap=yes
--with-rundir=/run/dovecot"
if $systemd_support ; then
config_params="$config_params \
@ -1055,20 +1103,20 @@ fi
cd ${_src_base_dir}
echo ""
echononl "\tExtracting dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
gunzip < dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz | tar -xf -
gunzip < ${_src_base_dir}/${dovecot_pigeonhole_archiv} | tar -C ${_src_base_dir} -xf -
if [ "$?" = 0 ]; then
echo -e "$rc_done"
else
echo -e "$rc_failed"
fatal Extracting dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz failed
fatal Extracting ${dovecot_pigeonhole_archiv} failed
fi
cd dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}
cd ${dovecot_pigeonhole_archiv_dir}
echononl "\tConfigure Pigeonhole ManageSieve.."
./configure \
--prefix=/usr/local/dovecot-${_version} \
--with-dovecot=/usr/local/dovecot-${_version}/lib/dovecot > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-configure.log 2<&1
--with-dovecot=/usr/local/dovecot-${_version}/lib/dovecot > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-configure.log 2<&1
if [ "$?" = 0 ]; then
echo -e "$rc_done"
else
@ -1077,7 +1125,7 @@ else
fi
echononl "\tCompile Pigeonhole ManageSieve.."
make > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-make.log 2<&1
make > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-make.log 2<&1
if [ "$?" = 0 ]; then
echo -e "$rc_done"
else
@ -1086,7 +1134,7 @@ else
fi
echononl "\tInstall Pigeonhole ManageSieve.."
make install > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-install.log 2<&1
make install > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-install.log 2<&1
if [ "$?" = 0 ]; then
echo -e "$rc_done"
else
@ -1095,6 +1143,7 @@ else
fi
## -----------------
## --- Configure dovecot services