install_update_dovecot-2.4.sh: fix errors Correct errors relating to database access.

.gitignore

@@ -3,6 +3,7 @@
 *.log
 *.swp
 conf/*.conf
+conf/*.env
 
 # - Postfixadmin
 postfixadmin-*

DOC/README.test_mailprotocols

@@ -3,9 +3,15 @@
 ## -          some litle tests            ##
 ## -------------------------------------- ##
 
+## -
 ## - test smtp (STARTTLS), submission (587) (STARTTLS), smtp (SSL),
 ## - pop3 (SSL), pop3 (STARTTLS), imap (SSL) and imap (STARTTLS)
 ## -
+
+# ---
+# test - localhost
+# ---
+
 openssl s_client -crlf -starttls smtp -connect localhost:25 [-state -debug]
 openssl s_client -crlf -starttls smtp -connect localhost:587
 openssl s_client -crlf -connect localhost:465
@@ -15,9 +21,24 @@ openssl s_client -crlf -connect localhost:993
 openssl s_client -crlf -starttls imap -connect localhost:143
 
 
+# ---
+# tests -  remote mailserver
+# ---
+
+mailserver="mx.gemeinschaft-altenschlirf.de"
+
+openssl s_client -crlf -starttls smtp -connect ${mailserver}:25 [-state -debug]
+openssl s_client -crlf -starttls smtp -connect ${mailserver}:587
+openssl s_client -crlf -connect ${mailserver}:465
+openssl s_client -crlf -connect ${mailserver}:995
+openssl s_client -crlf -starttls pop3 -connect ${mailserver}:110
+openssl s_client -crlf -connect ${mailserver}:993
+openssl s_client -crlf -starttls imap -connect ${mailserver}:143
+
+
 # Test RSA based TLS connection
 #
-echo "quit" | openssl s_client -connect a.mx.oopen.de:25 -starttls smtp -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384
+echo "quit" | openssl s_client -connect ${mailserver}:25 -starttls smtp -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384
 
-echo "quit" | openssl s_client -connect a.mx.oopen.de:25 -starttls smtp -tls1_2
+echo "quit" | openssl s_client -connect ${mailserver}:25 -starttls smtp -tls1_2
-echo "quit" | openssl s_client -connect a.mx.oopen.de:25 -starttls smtp
+echo "quit" | openssl s_client -connect ${mailserver}:25 -starttls smtp

DOC/dovecot/README.maildir-size-fix.pl

@@ -0,0 +1,61 @@
+# ----------
+# Fix Maildir Size
+#
+#     falls sich die tatsächliche Größe einer E-mail im Maildir Format 
+#     von der Größenangabe im Dateinamen unterscheidet, dann läuft
+#     dovecot auf fehler.
+#
+# Es gibt 2 Möglichekeiten das zu verhindern:
+#
+#     1. in der dovecot.conf (z.Bsp. in 10-mail.conf deb Parameter
+#        'maildir_broken_filename_sizes' auf 'yes' setzen
+#
+#              maildir_broken_filename_sizes = yes
+#
+#
+#     2. Die Größenangaben im Dateinamen korrigieren. Dafür gint es ein Skript
+#        namens 'maildir-size-fix.pl'. Dieses Skript steht bei Githup's
+#        'dovecot/tools' zur Verfügung:
+#
+#              https://github.com/dovecot/tools
+#
+# Das Perl-Skript maildir-size-fix.pl ist ein Werkzeug, das im Dovecot-Projekt 
+# verwendet wird, um Probleme mit der Größe von Maildir-Dateien zu beheben.
+#
+# Nützliche Optionen 
+#
+#     - add_missing_size: Fügt die Größeninformation hinzu, wenn sie fehlt.
+#
+#     - fix_existing_size: Überprüft und korrigiert bestehende Größeninformationen.
+#
+#     - recursive: Scannt das Maildir rekursiv, um auch Unterordner zu berücksichtigen.
+#
+#     - verbose: Ermöglicht detaillierte Protokollierung der Vorgänge.
+#
+#
+# ---------------------------------------------------------------------------------------
+#
+# Jede E.Mail in einem Maildir Ordner ist eine eigene Datei, dess dateiname üblicherweise
+# die Größe der datei selbst enthält (..,S=<dateigrösse>,W=..)
+#
+# ein typische Datei innerhalb eines Maildirordners sieht so aus:
+#
+#     1755713024.M837247P2624513.rage,S=38568,W=39101:2,Sc
+#          |            |          |
+#     Zeitstempel       |       Hostname  
+#                    eind. ID 
+#
+#     S= und ,W=: Dateigröße und "Weighted size" (für IMAP/Quota).
+#
+# wobei die flags folgende bedeitung haben:
+#
+#            +-------+-----------------------------+
+#            | Flag  | Bedeutung                   |
+#            +-------+-----------------------------+
+#            | S     | Seen (gelesen)              |
+#            | R     | Replied (beantwortet)       |
+#            | F     | Flagged (markiert / wichtig)|
+#            | T     | Trashed (zum Löschen mark.) |
+#            | D     | Draft (Entwurf)             |
+#            | P     | Passed (weitergeleitet)     |
+#            +-------+-----------------------------+

install_amavis.sh

@@ -4335,96 +4335,15 @@ read_hash(\%spam_lovers, '/etc/postfix/spam_lovers');
 \$final_spam_destiny       = D_BOUNCE;
 #\$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
 
-\$sa_tag_level_deflt  = 2.0;    # add spam info headers if at, or above that level
-\$sa_tag2_level_deflt = 5.1;    # add 'spam detected' headers at that level
-\$sa_kill_level_deflt = 10.31;  # reject/bounce/discard/pass
 
+##- Moved to file '/etc/amavis/policy_banks.conf'
 ## -
-## - User / Domain specific settings
+## -  \$sa_tag_level_deflt  = 2.0;    # add spam info headers if at, or above that level
+## -  \$sa_tag2_level_deflt = 5.1;    # add 'spam detected' headers at that level
+## -  \$sa_kill_level_deflt = 10.31;  # reject/bounce/discard/pass
 ## -
+do "/etc/amavis/policy_banks.conf";  # Externe Datei einbinden
 
-## - Per-recipient mapping of tag2 levels to email addresses (tag2 level):
-## -
-## - Set directly:
-## -
-#\$sa_tag2_level_deflt = {
-#   # oopen.de
-#   'oopen.de'=>'2.1',
-#   'ckubu@oopen.de'=>'2.2',
-#   'argus@oopen.de'=>'2.3',
-#   # k8h.de
-#   'k8h.de'=>'6.5',
-#   # default
-#   '.'=>'5.1'
-#};
-## -
-## - Read from file using @spam_tag2_level_maps
-## -
-## -    default: @spam_tag2_level_maps = (\\\$sa_tag2_level_deflt);
-## -
-## - Example file '/etc/postfix/tag2_level_maps.dat'
-## -
-## -    # oopen.de
-## -    oopen.de           2.1
-## -    ckubu@oopen.de     2.2
-## -    argus@oopen.de     2.3
-## -    [..]
-## -    # k8h.de
-## -    k8h.de             6.5
-## -    [..]
-## -    # default
-## -    .                  5.1
-## -
-#@spam_tag2_level_maps = ( read_hash('/etc/postfix/tag2_level_maps.dat') );
-
-## - Per-recipient mapping of kill levels to email addresses (kill level):
-## -
-## - Set directly
-## -
-#\$sa_kill_level_deflt = {
-#   'ckubu@oopen.de'=>'1500.0',
-#   'ckubu-adm@oopen.de'=>'1500.0',
-#   # default
-#   '.'=>'10.31'
-#};
-## -
-## - Read from file using @spam_kill_level_maps
-## -
-## -    default: @spam_kill_level_maps = (\\\$sa_kill_level_deflt);
-## -
-## - Example file '/etc/postfix/kill_level_maps.dat'
-## -
-## -    # oopen.de
-## -    ckubu@oopen.de     1500.0
-## -    ckubu-adm@oopen.de 1500.0
-## -    [..]
-## -    # default
-## -    .                  10.31
-## -
-#@spam_kill_level_maps = ( read_hash('/etc/postfix/kill_level_maps.dat') );
-
-
-## - We will inform the sender about bouncing his mail with a DSN (Delivery
-## - StatusNotification). That DSN message will no be send, if the spamvalue
-## - exceeds the value of sa_dsn_cutoff_level
-## -
-#\$sa_dsn_cutoff_level = 10;     # spam level beyond which a DSN is not sent
-\$sa_dsn_cutoff_level = 20;
-
-
-## - change the default server response if mail was blocked
-## - because of spam.
-## -
-## - results in (is an example):
-## -    <ckubu@so36.net>: host 127.0.0.1[127.0.0.1] said: 554 5.7.0 Reject, Mailserver
-## -    at a.mx.oopen.de: identified as SPAM -  (in reply to end of DATA command)
-## -
-%smtp_reason_by_ccat = (
-  CC_SPAM, "Mailserver at \$myhostname: identified as SPAM - %x"
-);
-
-\$sa_spam_subject_tag = undef;
-#\$sa_spam_subject_tag = '***SPAM*** ';
 
 
 ## - QUARANTINE
@@ -4672,6 +4591,153 @@ else
 fi
 
 
+## - Create File containing policy settings
+## -
+_config_policy_banks_file=/etc/amavis/policy_banks.conf
+echononl "    Create File \"${_config_policy_banks_file}\""
+if [[ -f "${_config_policy_banks_file}" ]]; then
+   echo_skipped
+else
+   cat << EOF > ${_config_policy_banks_file}
+# Externe Richtliniendatei für amavisd
+
+use strict;
+
+
+# ---
+# add spam info headers if at, or above that level
+# ---
+
+## - All recipients with identical the same setting:
+## -
+#\$sa_tag_level_deflt  = 2.0;
+
+## - Per-recipient mapping of tag2 levels to email addresses (tag2 level):
+## -
+## - Set directly:
+## -
+\$sa_tag_level_deflt = {
+   'oopen.de'           => '-4.5',
+   # default
+   '.'=>'2.0'
+};
+
+## - Read from file using @spam_tag2_level_maps
+## -
+## -    default: @spam_tag2_level_maps = (\$sa_tag2_level_deflt);
+## -
+## - Example file '/etc/postfix/tag2_level_maps.dat'
+## -
+## -    # oopen.de
+## -    oopen.de           2.1
+## -    ckubu@oopen.de     2.2
+## -    argus@oopen.de     2.3
+## -    [..]
+## -    # k8h.de
+## -    k8h.de             6.5
+## -    [..]
+## -    # default
+## -    .                  5.1
+## -
+#@spam_tag2_level_maps = ( read_hash('/etc/postfix/tag2_level_maps.dat') );
+
+
+#\$sa_spam_subject_tag = '***SPAM*** ';    # Spam-Betreff-Tag
+\$sa_spam_subject_tag = undef;
+
+
+
+# ---
+# add 'spam detected' headers at that level
+# ---
+
+## - All recipients with identical the same setting:
+## -
+#\$sa_tag2_level_deflt = 5.1;               # add 'spam detected' headers at that level
+
+## - Per-recipient mapping of kill levels to email addresses (kill level):
+## -
+## - Set directly
+## -
+\$sa_tag2_level_deflt = {
+   'oopen.de'           => '3.1',
+   '123comics.net'      => '4.1',
+   'info@123comics.net' => '3.1',
+   # default
+   '.'                  => '5.1',
+};
+
+## - Read from file using @spam_kill_level_maps
+## -
+## -    default: @spam_kill_level_maps = (\$sa_kill_level_deflt);
+## -
+## - Example file '/etc/postfix/kill_level_maps.dat'
+## -
+## -    # oopen.de
+## -    ckubu@oopen.de     1500.0
+## -    ckubu-adm@oopen.de 1500.0
+## -    [..]
+## -    # default
+## -    .                  10.31
+## -
+#@spam_kill_level_maps = ( read_hash('/etc/postfix/kill_level_maps.dat') );
+
+
+
+# ---
+# adding more detailed spam-related headers.
+# ---
+
+## - All recipients with identical the same setting:
+## -
+\$sa_tag3_level_deflt = 7.0;               # threshold for sa_tag3_level_deflt
+
+## - Note
+## -  Like 'sa_tag2_level_deflt' above per-recipient also possible
+
+
+@sa_tag3_level_maps = (
+  ['^Subject:', '\[HIGH-SPAM\] $&'],      # Modify subject
+  ['HEADER', 'X-High-Spam-Flag', 'YES'],  # Add a custom header
+);
+
+
+# ---
+# spam score threshold at which amavisd-new will reject (kill) an email.
+# ---
+
+## - All recipients with identical the same setting:
+## -
+\$sa_kill_level_deflt = 10.31;             # reject/bounce/discard/pass
+
+## - Note
+## -  Like 'sa_tag2_level_deflt' above per-recipient also possible
+
+
+
+# ---
+# The threshold for sending a delivery status notification (DSN) to the sender
+# ---
+
+## - We will inform the sender about bouncing his mail with a DSN (Delivery
+## - StatusNotification). That DSN message will no be send, if the spamvalue
+## - exceeds the value of sa_dsn_cutoff_level
+## -
+#\$sa_dsn_cutoff_level = 10;     # spam level beyond which a DSN is not sent
+\$sa_dsn_cutoff_level = 20;
+
+
+#------------ Do not modify anything below this line -------------
+1;  # ensure a defined return
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+   fi
+fi
+
+
 ## - Configure syslogd matching the configuration od amavisd
 ## -
 echononl "   Configure syslogd matching the configuration of amavis"
@@ -5324,7 +5390,7 @@ else
    fi
 fi
 
-if ${listen_on_additional_smtp_port}: then
+if ${listen_on_additional_smtp_port}; then
 
    echo ""
    warn "Please do not forget to allow incomming traffic on port \033[1m${additional_smtp_port}\033[m.

install_opendkim.sh

@@ -189,6 +189,13 @@ else
    cat <<EOF > $opendkim_conf_file 2> $log_file
 # Datei $opendkim_conf_file
 
+# Sets the "authserv-id" to use when generating the Authentication-Results:
+# header field after verifying a message. The default is to use the name of
+# the MTA processing the message. If the string "HOSTNAME" is provided, the
+# name of the host running the filter (as returned by the gethostname(3)
+# function) will be used.
+AuthservID              "DKIM check $(hostname -f)"
+
 # OpenDKIM agiert als Mail Filter (= Milter) in den
 # Modi signer (s) und verifier (v) und verwendet eine
 # Socket-Datei zur Kommunikation (alternativ: lokaler Port)
@@ -243,6 +250,15 @@ OversignHeaders         From
 # "none" in such cases. Normally unsigned mail from non-strict domains does
 # not cause the results header field to be added.
 AlwaysAddARHeader       yes
+
+# Causes opendkim to fork and exits immediately, leaving the service running
+# in the background. The default is "true".
+Background              yes
+
+# Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
+# default is 5. Ignored if not using an asynchronous resolver package. See
+# also the NOTES section below.
+DNSTimeout              5
 EOF
    opendkim_needs_restart=true
    if [[ $? -eq 0 ]] ; then

install_opendmarc.sh

@@ -23,7 +23,7 @@ opendmarc_socket_dir="${postfix_spool_dir}/opendmarc"
 opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
 
 config_file_name_value_parameters="
-   AuthservID|OpenDMARC
+   AuthservID|DMARC check $(hostname -f)
    PidFile|/run/opendmarc/opendmarc.pid
    RejectFailures|true
    Syslog|true
@@ -36,6 +36,7 @@ config_file_name_value_parameters="
    FailureReports|false
    AutoRestart|true
    HistoryFile|/run/opendmarc/opendmarc.dat
+   SPFIgnoreResults|false
    SPFSelfValidate|true
    Socket|${opendmarc_socket_file}
 "
@@ -182,6 +183,200 @@ else
 fi
 
 
+# - Add 'IgnoreHosts' with default value to the original opendmarc.conf file
+#
+echononl " Add 'IgnoreHosts' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^IgnoreHosts\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Specifies the path to a file that contains a list of hostnames, IP addresses,
+## and/or CIDR expressions identifying hosts whose SMTP connections are to be
+## ignored by the filter. If not specified, defaults to "127.0.0.1" only.
+#
+IgnoreHosts 127.0.0.1
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'IgnoreAuthenticatedClients' with default value to the original opendmarc.conf file
+#
+_param="IgnoreAuthenticatedClients"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, causes mail from authenticated clients (i.e., those that used 
+## SMTP AUTH) to be ignored by the filter. The default is "false".
+#
+IgnoreAuthenticatedClients false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
+#
+_param="IgnoreAuthenticatedClients"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, causes mail from authenticated clients (i.e., those that used
+## SMTP AUTH) to be ignored by the filter. The default is "false".
+#
+IgnoreAuthenticatedClients false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
+#
+_param="RequiredHeaders"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, the filter will ensure the header of the message conforms to the basic 
+## header field count restrictions laid out in RFC5322, Section 3.6. Messages 
+## failing this test are rejected without further processing. A From: field from 
+## which no domain name could be extracted will also be rejected.
+#
+RequiredHeaders false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'AutoRestart' with default value to the original opendmarc.conf file
+#
+_param="AutoRestart"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Automatically re-start on failures. Use with caution; if the filter fails
+## instantly after it starts, this can cause a tight fork(2) loop.
+#
+AutoRestart false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'HistoryFile' with default value to the original opendmarc.conf file
+#
+_param="HistoryFile"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, specifies the location of a text file to which records are written
+## that can be used to generate DMARC aggregate reports. Records are batches of
+## rows containing information about a single received message, and include all
+## relevant information needed to generate a DMARC aggregate report. It is
+## expected that this will not be used in its raw form, but rather periodically
+## imported into a relational database from which the aggregate reports can be
+## extracted using opendmarc-importstats(8).
+#
+HistoryFile /run/opendmarc/opendmarc.dat
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'SPFIgnoreResults' with default value to the original opendmarc.conf file
+#
+_param="SPFIgnoreResults"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Causes the filter to ignore any SPF results in the header of the message. This
+## is useful if you want the filter to perform SPF checks itself, or because you
+## don't trust the arriving header. The default is "false".
+#
+SPFIgnoreResults false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'SPFSelfValidate' with default value to the original opendmarc.conf file
+#
+_param="SPFSelfValidate"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Causes the filter to perform a fallback SPF check itself when it can find no
+## SPF results in the message header. If SPFIgnoreResults is also set, it never
+## looks for SPF results in headers and always performs the SPF check itself when
+## this is set. The default is "false".
+#
+SPFSelfValidate false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
 # - Save configuration file from distribution
 # -
 echononl "   Save configuration file from distribution"

install_postfix_advanced.sh

@@ -530,7 +530,7 @@ _SASL_AUTH_ENABLED=$SASL_AUTH_ENABLED
 _SYMPA_LIST_SERVER=$IS_SYMPA_LIST_SERVER
 _LISTEN_ON_ADDITIONAL_RELAY_PORT=${LISTEN_ON_ADDITIONAL_RELAY_PORT}
 EOF
-   if ${LISTEN_ON_ADDITIONAL_RELAY_PORT} : then
+   if ${LISTEN_ON_ADDITIONAL_RELAY_PORT} ; then
       cat << EOF >> $conf_file
 _ADDITIONAL_RELAY_LISTEN_PORT=${ADDITIONAL_RELAY_LISTEN_PORT}
 EOF
@@ -1086,6 +1086,10 @@ Header_Type = SPF
 #  skip SPF for internal networks if desired. Defaults are standard IPv4 and
 #  IPv6 localhost addresses.
 skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
+
+# RFC 7208 adds a new processing limit called "void lookup limit" (See section
+# 4.6.4).  Default is 2, but it can be adjusted.
+Void_Limit = 5
 EOF
 if [[ $? -eq 0 ]] ; then
    echo_ok
@@ -2383,6 +2387,45 @@ virtual_alias_domains =
    btree:/etc/postfix/virtual_alias_domains
 
 
+#======= Postfix DSN Support ============
+
+# 
+# Use the smtpd_discard_ehlo_keyword_address_maps feature if you wish to allow DSN 
+# requests from trusted clients but not from random strangers
+#
+#     smtpd_discard_ehlo_keyword_address_maps =
+#        cidr:/etc/postfix/esmtp_access
+#
+#     /etc/postfix/esmtp_access:
+#         # Allow DSN requests from local subnet only
+#         192.168.0.0/28      silent-discard
+#         0.0.0.0/0           silent-discard, dsn
+#         ::/0                silent-discard, dsn
+#
+#smtpd_discard_ehlo_keyword_address_maps =
+
+
+# If you want to disallow all use of DSN requests from the network, use the 
+# smtpd_discard_ehlo_keywords feature:
+#
+#    /etc/postfix/main.cf:
+#        smtpd_discard_ehlo_keywords = silent-discard, dsn
+#
+# 
+#
+# A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that 
+# the Postfix SMTP server will not send in the EHLO response to a remote SMTP client.
+#
+#
+#    Notes:
+#
+#        Specify the silent-discard pseudo keyword to prevent this action from being logged.
+#
+#        Use the smtpd_discard_ehlo_keyword_address_maps feature to discard EHLO keywords selectively.
+#
+#smtpd_discard_ehlo_keywords = silent-discard, dsn
+
+
 #======= Rate Limiting ============
 
 # anvil_rate_time_unit (default: 60s)
@@ -2650,7 +2693,7 @@ smtpd_client_restrictions =
    permit_mynetworks,
    # Whitelist clients
    #
-   check_client_access btree:/etc/postfix/client_whitelist
+   check_client_access btree:/etc/postfix/client_whitelist,
    # White- / Blacklisting
    #
    check_sender_access btree:/etc/postfix/access_sender,
@@ -2669,15 +2712,20 @@ smtpd_client_restrictions =
    #     blacklisted. Postfix will fetch the client hostname from PTR record. If the hostname is
    #     blacklisted, reject the email.
    #
-   #   -  reject_rhsbl_sender makes Postfix reject email when the MAIL FROM domain is blacklisted.
+   #   - reject_rhsbl_sender makes Postfix reject email when the MAIL FROM domain is blacklisted.
    #
    #   - reject_rbl_client: This is an IP-based blacklist. When the client IP address is backlisted,
    #     reject the email.
    #
-   reject_rhsbl_helo dbl.spamhaus.org,
+   #  reject_rhsbl_helo dbl.spamhaus.org,
-   reject_rhsbl_reverse_client dbl.spamhaus.org,
+   #  reject_rhsbl_reverse_client dbl.spamhaus.org,
-   reject_rhsbl_sender dbl.spamhaus.org,
+   #  reject_rhsbl_sender dbl.spamhaus.org,
-   reject_rbl_client zen.spamhaus.org,
+   #  reject_rbl_client zen.spamhaus.org,
+   #
+   reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
+   reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99],
+   reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
+   reject_rbl_client zen.spamhaus.org=127.0.1.[2..99],
 
    # Greylisting check
    #
@@ -3822,7 +3870,7 @@ EOF
    if ! $(grep -iq -E "^policyd-spf\s+" "$postfix_master_cf" 2> /dev/null) ; then
       cat <<EOF >> $postfix_master_cf
 
-policyd-spf  unix  -       n       n       -       0       spawn
+policy-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf
 EOF
    fi

install_postfix_base.sh

@@ -1103,11 +1103,20 @@ echo_ok
 echononl "   Configure SASL authentification"
 if $SASL_AUTH ; then
 
+   _sasl_pw_file="/etc/postfix/sasl_passwd"
+   if [[ -f "${_sasl_pw_file}" ]] && $(grep -q -E "^\[${RELAY_HOST}\]" ${_sasl_pw_file} 2> /dev/null); then
+      sed -i "/^\[${RELAY_HOST}/d" ${_sasl_pw_file}
+      if [[ "$?" != "0" ]]; then
+         error "Setting \"/etc/postfix/sasl_passwd\" failed! "
+         _failed=true
+      fi
+   fi
+
    _failed=false
    if [[ ${RELAY_PORT} -ne 25 ]] ; then
-      echo "[$RELAY_HOST]:${RELAY_PORT} ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" > /etc/postfix/sasl_passwd
+      echo "[$RELAY_HOST]:${RELAY_PORT} ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" >> /etc/postfix/sasl_passwd
    else
-      echo "[$RELAY_HOST] ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" > /etc/postfix/sasl_passwd
+      echo "[$RELAY_HOST] ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" >> /etc/postfix/sasl_passwd
    fi
    if [[ "$?" != "0" ]]; then
       error "Setting \"/etc/postfix/sasl_passwd\" failed! "

install_update_dovecot.sh

@@ -287,14 +287,21 @@ dovecot_main_version="$(echo $_version | cut -d '.' -f1,2)"
 dovecot_major_version="$(echo $_version | cut -d '.' -f1)"
 dovecot_minor_version="$(echo $_version | cut -d '.' -f2)"
 dovecot_patch_level="$(echo $_version | cut -d '.' -f3)"
+dovecot_minor_patch_level="$(echo $_version | cut -d '.' -f4)"
+
+_version_short="${_version%-*}"
 
 #echo ""
-#echo "_version:              $_version"
+#echo "_version:                  $_version"
-#echo "dovecot_main_version   $dovecot_main_version"
+#echo "dovecot_main_version       $dovecot_main_version"
-#echo "dovecot_major_version  $dovecot_major_version"
+#echo "dovecot_major_version      $dovecot_major_version"
-#echo "dovecot_minor_version  $dovecot_minor_version"
+#echo "dovecot_minor_version      $dovecot_minor_version"
-#echo "dovecot_patch_level    $dovecot_patch_level"
+#echo "dovecot_patch_level        $dovecot_patch_level"
+#echo "dovecot_minor_patch_level  $dovecot_minor_patch_level"
 #echo ""
+#
+#clean_up 0
+
 
 # 'expire plugin'was rRemoved in version 2.3.14: This plugin is not needed. 
 # Use mailbox { autoexpunge } Mailbox settings instead.
@@ -710,32 +717,72 @@ fi
 
 ## - Download Pigeonhole for Dovecot v2.2
 ## -
-echononl "\tDownload dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
+if [[ ${dovecot_major_version} -eq 2 ]] && [[ ${dovecot_minor_version} -lt 4 ]] ; then
-if [ ! -f "${_src_base_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz" ]; then
+   
-   wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
+   echononl "\tDownload dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
-   if [ "$?" = 0 ]; then
+   if [ ! -f "${_src_base_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz" ]; then
-      echo -e "$rc_done"
+      wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
+      if [ "$?" = 0 ]; then
+         echo -e "$rc_done"
+      else
+         echo -e "$rc_failed"
+         error "Direct download of 'dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz' failed
+
+                     Download \033[1mdovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz\033[m manually 
+                     and proceed instllation."
+
+         echononl "\tProceed instllation [yes/no]: "
+         read OK
+         OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+         while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
+            echononl "Wrong entry! - repeat [yes/no]: "
+            read OK
+         done
+         [[ $OK = "yes" ]] || fatal "Abbruch durch User"
+
+      fi
    else
-      echo -e "$rc_failed"
+      echo -e "$rc_skipped"
-      error "Direct download of 'dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz' failed
-
-                   Download \033[1mdovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz\033[m manually 
-                   and proceed instllation."
-
-		echononl "\tProceed instllation [yes/no]: "
-		read OK
-		OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
-		while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
-			echononl "Wrong entry! - repeat [yes/no]: "
-			read OK
-		done
-		[[ $OK = "yes" ]] || fatal "Abbruch durch User"
-
    fi
+
+   dovecot_pigeonhole_archiv="dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz"
+
 else
-   echo -e "$rc_skipped"
+
+   echononl "\tDownload dovecot-pigeonhole-${_pigeonhole}.tar.gz.."
+   if [ ! -f "${_src_base_dir}/dovecot-pigeonhole-${_pigeonhole}.tar.gz" ]; then
+      wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
+      if [ "$?" = 0 ]; then
+         echo -e "$rc_done"
+         dovecot_pigeonhole_archiv="dovecot-pigeonhole-${_pigeonhole}.tar.gz"
+      else
+         echo -e "$rc_failed"
+
+         error "Direct download of 'Pigeonhole Sieve and ManageSieve' source archiv  failed
+
+                  Download Pigeonhole Sieve and ManageSieve manually and name it to
+
+                  \033[1mdovecot-pigeonhole-${_pigeonhole}.tar.gz\033[m\n"
+
+
+         echononl "\tProceed instllation [yes/no]: "
+         read OK
+         OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+         while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
+            echononl "Wrong entry! - repeat [yes/no]: "
+            read OK
+         done
+         [[ $OK = "yes" ]] || fatal "Abbruch durch User"
+      fi
+   else
+      echo -e "$rc_skipped"
+   fi
+
+   dovecot_pigeonhole_archiv="dovecot-pigeonhole-${_pigeonhole}.tar.gz"
 fi
 
+dovecot_pigeonhole_archiv_prefix="${dovecot_pigeonhole_archiv%.tar.gz}"
+dovecot_pigeonhole_archiv_dir="${dovecot_pigeonhole_archiv%.tar.gz}"
 
 
 if $_new ; then
@@ -901,6 +948,7 @@ config_params="
    --prefix=/usr/local/dovecot-${_version} \
    --with-${db_driver} \
    --with-gssapi=yes
+   --with-ldap=yes
    --with-rundir=/run/dovecot"
 if $systemd_support ; then
    config_params="$config_params \
@@ -1055,20 +1103,20 @@ fi
 cd ${_src_base_dir}
 echo ""
 echononl "\tExtracting dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
-gunzip < dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz | tar -xf -
+gunzip < ${_src_base_dir}/${dovecot_pigeonhole_archiv} | tar -C ${_src_base_dir} -xf -
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
    echo -e "$rc_failed"
-   fatal Extracting dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz failed
+   fatal Extracting ${dovecot_pigeonhole_archiv} failed
 fi
-cd dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}
+cd ${dovecot_pigeonhole_archiv_dir}
 
 
 echononl "\tConfigure Pigeonhole ManageSieve.."
 ./configure \
 	--prefix=/usr/local/dovecot-${_version} \
-   --with-dovecot=/usr/local/dovecot-${_version}/lib/dovecot > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-configure.log 2<&1
+   --with-dovecot=/usr/local/dovecot-${_version}/lib/dovecot > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-configure.log 2<&1
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
@@ -1077,7 +1125,7 @@ else
 fi
 
 echononl "\tCompile Pigeonhole ManageSieve.."
-make > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-make.log 2<&1
+make > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-make.log 2<&1
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
@@ -1086,7 +1134,7 @@ else
 fi
 
 echononl "\tInstall Pigeonhole ManageSieve.."
-make install > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-install.log 2<&1
+make install > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-install.log 2<&1
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
@@ -1095,6 +1143,7 @@ else
 fi
 
 
+
 ## -----------------
 ## --- Configure dovecot services