install_update_dovecot-2.4.sh: fix errors Correct errors relating to database access.

.gitignore

@@ -3,6 +3,7 @@
 *.log
 *.swp
 conf/*.conf
+conf/*.env
 
 # - Postfixadmin
 postfixadmin-*

DOC/README.test_mailprotocolls

@@ -1,16 +0,0 @@
-
-## -------------------------------------- ##
-## -          some litle tests            ##
-## -------------------------------------- ##
-
-## - test smtp (STARTTLS), submission (587) (STARTTLS), smtp (SSL),
-## - pop3 (SSL), pop3 (STARTTLS), imap (SSL) and imap (STARTTLS)
-## -
-openssl s_client -crlf -starttls smtp -connect localhost:25 [-state -debug]
-openssl s_client -crlf -starttls smtp -connect localhost:587
-openssl s_client -crlf -connect localhost:465
-openssl s_client -crlf -connect localhost:995
-openssl s_client -crlf -starttls pop3 -connect localhost:110
-openssl s_client -crlf -connect localhost:993
-openssl s_client -crlf -starttls imap -connect localhost:143
-

DOC/README.test_mailprotocols

@@ -0,0 +1,44 @@
+
+## -------------------------------------- ##
+## -          some litle tests            ##
+## -------------------------------------- ##
+
+## -
+## - test smtp (STARTTLS), submission (587) (STARTTLS), smtp (SSL),
+## - pop3 (SSL), pop3 (STARTTLS), imap (SSL) and imap (STARTTLS)
+## -
+
+# ---
+# test - localhost
+# ---
+
+openssl s_client -crlf -starttls smtp -connect localhost:25 [-state -debug]
+openssl s_client -crlf -starttls smtp -connect localhost:587
+openssl s_client -crlf -connect localhost:465
+openssl s_client -crlf -connect localhost:995
+openssl s_client -crlf -starttls pop3 -connect localhost:110
+openssl s_client -crlf -connect localhost:993
+openssl s_client -crlf -starttls imap -connect localhost:143
+
+
+# ---
+# tests -  remote mailserver
+# ---
+
+mailserver="mx.gemeinschaft-altenschlirf.de"
+
+openssl s_client -crlf -starttls smtp -connect ${mailserver}:25 [-state -debug]
+openssl s_client -crlf -starttls smtp -connect ${mailserver}:587
+openssl s_client -crlf -connect ${mailserver}:465
+openssl s_client -crlf -connect ${mailserver}:995
+openssl s_client -crlf -starttls pop3 -connect ${mailserver}:110
+openssl s_client -crlf -connect ${mailserver}:993
+openssl s_client -crlf -starttls imap -connect ${mailserver}:143
+
+
+# Test RSA based TLS connection
+#
+echo "quit" | openssl s_client -connect ${mailserver}:25 -starttls smtp -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384
+
+echo "quit" | openssl s_client -connect ${mailserver}:25 -starttls smtp -tls1_2
+echo "quit" | openssl s_client -connect ${mailserver}:25 -starttls smtp

DOC/dovecot/README.maildir-size-fix.pl

@@ -0,0 +1,61 @@
+# ----------
+# Fix Maildir Size
+#
+#     falls sich die tatsächliche Größe einer E-mail im Maildir Format 
+#     von der Größenangabe im Dateinamen unterscheidet, dann läuft
+#     dovecot auf fehler.
+#
+# Es gibt 2 Möglichekeiten das zu verhindern:
+#
+#     1. in der dovecot.conf (z.Bsp. in 10-mail.conf deb Parameter
+#        'maildir_broken_filename_sizes' auf 'yes' setzen
+#
+#              maildir_broken_filename_sizes = yes
+#
+#
+#     2. Die Größenangaben im Dateinamen korrigieren. Dafür gint es ein Skript
+#        namens 'maildir-size-fix.pl'. Dieses Skript steht bei Githup's
+#        'dovecot/tools' zur Verfügung:
+#
+#              https://github.com/dovecot/tools
+#
+# Das Perl-Skript maildir-size-fix.pl ist ein Werkzeug, das im Dovecot-Projekt 
+# verwendet wird, um Probleme mit der Größe von Maildir-Dateien zu beheben.
+#
+# Nützliche Optionen 
+#
+#     - add_missing_size: Fügt die Größeninformation hinzu, wenn sie fehlt.
+#
+#     - fix_existing_size: Überprüft und korrigiert bestehende Größeninformationen.
+#
+#     - recursive: Scannt das Maildir rekursiv, um auch Unterordner zu berücksichtigen.
+#
+#     - verbose: Ermöglicht detaillierte Protokollierung der Vorgänge.
+#
+#
+# ---------------------------------------------------------------------------------------
+#
+# Jede E.Mail in einem Maildir Ordner ist eine eigene Datei, dess dateiname üblicherweise
+# die Größe der datei selbst enthält (..,S=<dateigrösse>,W=..)
+#
+# ein typische Datei innerhalb eines Maildirordners sieht so aus:
+#
+#     1755713024.M837247P2624513.rage,S=38568,W=39101:2,Sc
+#          |            |          |
+#     Zeitstempel       |       Hostname  
+#                    eind. ID 
+#
+#     S= und ,W=: Dateigröße und "Weighted size" (für IMAP/Quota).
+#
+# wobei die flags folgende bedeitung haben:
+#
+#            +-------+-----------------------------+
+#            | Flag  | Bedeutung                   |
+#            +-------+-----------------------------+
+#            | S     | Seen (gelesen)              |
+#            | R     | Replied (beantwortet)       |
+#            | F     | Flagged (markiert / wichtig)|
+#            | T     | Trashed (zum Löschen mark.) |
+#            | D     | Draft (Entwurf)             |
+#            | P     | Passed (weitergeleitet)     |
+#            +-------+-----------------------------+

DOC/postfwd/README.default-rate-limits

@@ -0,0 +1,18 @@
+default rate limits
+===================
+
+- von unbekannten Server 5 Empfänger pro 5 Minuten
+  Message: only 5 recipients per 5 minutes allowed
+
+- von einer IP-Adresse nicht mehr als 50 Nachrichten pro Minute
+  Message: Too many connections from <IP-Adress>
+
+- Pro Nachricht nicht mehr als 50 Empfänger
+  Message: Too many recipients, please reduce to less than 50 or consider using a mailing list
+
+- von einem User (also z.Bsp. cloud@oopen.de) nicht mehr 50 Nachrichten/Stunde
+  Message: Number messages per hour exceeded
+
+- von einem User (also z.Bsp. cloud@oopen.de) nicht mehr 250 Empfänger/Stunde
+  Message: Number recipients per hour exceeded
+

README.disable-milter-mail-filter

@@ -0,0 +1,10 @@
+# ----------
+# Disable Milter (mail filter) for (remote) SMTP client IP address(es).
+
+# see: 
+#     https://www.postfix.org/MILTER_README.html
+#     https://www.postfix.org/MILTER_README.html#per-client
+#
+#     https://www.postfix.org/postconf.5.html#smtpd_milter_maps
+
+

README.virtual-do-not-reply

@@ -0,0 +1,159 @@
+# ====================
+# Forward E-Mails to 'do-not-reply@..' address to (file) /dev/null
+# ====================
+
+# ---
+# Example for this readme:
+#
+# Create a forwarding to /dev/null for the address no-reply@cloud-01.oopen.de
+# ---
+
+DOMAIN=""cloud-01.oopen.de
+E_MAIL="no-reply@cloud-01.oopen.de"
+
+# see also:
+#     https://www.postfix.org/VIRTUAL_README.html
+#
+#     https://think.unblog.ch/weiterleiten-von-postfix-alias-an-dev-null/
+#     https://think.unblog.ch/en/forward-postfix-alias-to-dev-null/
+#
+#     https://www.serverwatch.com/guides/forwarding-a-postfix-virtual-alias-to-dev-null/
+
+
+# Notice:
+#     the usual solution is to forward to (file) /dev/null. In a local-only setup you could do 
+#     that in /etc/aliases.
+#
+#     However, if your're using Postfix virtual domains, it gets a little more complicated. With 
+#     virtual domains/users, you can't forward mail to a file (like /dev/null). 
+
+
+# ---
+# 1. Set up an alias user 'do-not-reply'that forwards incoming e-mails to /dev/null.
+# ---
+
+# Add to file '/etc/aliases' a line like:
+#     do-not-reply: /dev/null
+
+if ! $(grep -q -E "^\s*do-not-reply:" /etc/aliases 2>/devnull) ; then
+   cat <<EOF >> /etc/aliases
+
+do-not-reply: /dev/null
+EOF
+fi
+
+# Renew alias database:
+#
+newaliases
+
+
+# ---
+# 2. Set up the domain (domain part of not-reply address)
+# ---
+
+# Create file '/etc/postfix/virtual_alias_domains' and add your domain '@cloud-01.oopen.de'
+#
+#  ${DOMAIN}         OK
+#
+if [[ ! -f "/etc/postfix/virtual_alias_domains" ]] ; then
+
+   cat <<EOF >> /etc/postfix/virtual_alias_domains
+# - File: /etc/postfix/virtual_alias_domains
+# -
+# - Note:
+# -  a mapping file always has two columns. In such a 'one-dimensional' mapping (list of domains) 
+# -  Postfix does not care about your second column. It does not even have to be 'OK', it can be
+# -  anything.
+# -
+# - Example:
+# -      <domain>            OK
+
+${DOMAIN}    OK
+EOF
+else
+   if ! $(grep -q -E "^\s*${DOMAIN}" /etc/postfix/virtual_alias_domains 2> /dev/null) ; then
+      cat <<EOF >> /etc/postfix/virtual_alias_domains
+
+${DOMAIN}    OK
+EOF
+   fi
+fi
+
+
+# Create Postfix lookup table (database file) from '/etc/postfix/virtual_alias_domains'
+#
+postmap btree:/etc/postfix/virtual_alias_domains
+
+
+# Add virtual_alias_domains to Postfix main Configuration
+#
+#  ...
+#  virtual_alias_domains =
+#     btree:/etc/postfix/virtual_alias_domains
+#  ...
+#
+if ! $(grep -q -E "^\s*virtual_alias_domains\s*=\s*btree:/etc/postfix/virtual_alias_domains" /etc/postfix/main.cf) \
+      && ! $(grep -q -E "^\s*btree:/etc/postfix/virtual_alias_domains" /etc/postfix/main.cf); then
+   perl -i -n -p -e "s#^(\s*virtual_alias_domains\s*=.*)#\1\n   btree:/etc/postfix/virtual_alias_domains#" /etc/postfix/main.cf
+fi
+
+
+
+# ---
+# 3. Set up adress mapping
+# ---
+
+# - Create file '/etc/postfix/virtual_alias_maps' and add your address mapping
+# -
+# -      ${E_MAIL}         do-not-reply
+# -
+if [[ ! -f "/etc/postfix/virtual_alias_maps" ]] ; then
+
+   cat <<EOF >> /etc/postfix/virtual_alias_maps
+# - File: /etc/postfix/virtual_alias_maps
+# -
+# - Redirect mail for one address to one or more addresses.
+# -
+# - Example:
+# -   # incomming address 'no-reply@cloud-01.oopen.de' to local 'do-not-reply' address
+# -   no-reply@cloud-01.oopen.de    do-not-reply
+# -
+
+${E_MAIL}      do-not-reply
+EOF
+else
+   if ! $(grep -q -E "^\s*${E_MAIL}" /etc/postfix/virtual_alias_maps 2> /dev/null) ; then
+      cat <<EOF >> /etc/postfix/virtual_alias_maps
+
+${E_MAIL}      do-not-reply
+EOF
+   fi
+fi
+
+
+# Create Postfix lookup table (database file) from '/etc/postfix/virtual_alias_maps'
+#
+postmap btree:/etc/postfix/virtual_alias_maps
+
+
+
+
+# Add virtual_alias_maps to Postfix main Configuration
+#
+#  ...
+#  virtual_alias_maps =
+#     btree:/etc/postfix/virtual_alias_maps
+#  ...
+#
+if ! $(grep -q -E "^\s*virtual_alias_maps\s*=\s*btree:/etc/postfix/virtual_alias_maps" /etc/postfix/main.cf) \
+      && ! $(grep -q -E "^\s*btree:/etc/postfix/virtual_alias_maps" /etc/postfix/main.cf); then
+   perl -i -n -p -e "s#^(\s*virtual_alias_maps\s*=.*)#\1\n   btree:/etc/postfix/virtual_alias_maps#" /etc/postfix/main.cf
+fi
+
+
+# ---
+# 4. Reload Postfix
+# ---
+
+systemctl reload postfix
+

conf/install_amavis.conf.sample

@@ -6,6 +6,8 @@ _HOSTNAME=
 _IPV4=
 _IPV6=
 
+_SASL_AUTH_ENABLED=no
+
 _QUARANTINE_DIR=/var/QUARANTINE
 _QUARANTINE_ADMIN=postmaster\@$mydomain
 

install_amavis.sh

@@ -110,19 +110,42 @@ detect_os_1 () {
 # --- Some default settings
 # -------------
 
+DEFAULT_SASL_AUTH_ENABLED="no"
+
 DEFAULT_QUARANTINE_DIR="/var/QUARANTINE"
 DEFAULT_QUARANTINE_ADMIN='postmaster\@$mydomain'
 DEFAULT_DB_IN_USE=false
 
 DEFAULT_INSTALL_CLAMAV_UNOFFICIAL_SIGS=true
 
-DEFAULT_MALWARE_PATROL_IN_USE=true
+DEFAULT_MALWARE_PATROL_IN_USE=false
 DEFAULT_MALWERE_PATROL_FREE=false
 DEFAULT_MP_RECEIPT_NUMBER=106015125438
 
 DEFAULT_SECURITE_INFO_IN_USE=true
 DEFAULT_SI_AUTHORISATION_SIGNATURE_WF=76ed7ca6670dbee497e1a0397a7e178c4caa25888bc26d7327d1eab0195342a4cfa522dcf10382623d57dbc2a79bd37627b9a52def4d4bfe617d26e35405ce3b
-DEFAULT_SI_AUTHORISATION_SIGNATURE_OOPEN=b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89
+
+#DEFAULT_SI_AUTHORISATION_SIGNATURE_OOPEN=b0b7e94d3fcc8f3b1f128edd5830392361868cf0174723a9924ac25bf8b1b588cb974b50234e1bc1d9839dfe0ca6e1627733d90daf1399347b1046d20c2e3a89
+DEFAULT_SI_AUTHORISATION_SIGNATURE_OOPEN=abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07ed6db26621b11bca0e23d2a42b60aef3f7b7803a1466a964d90c7b1e82d67c7680c8f46b59a4e
+
+# SecuriteInfo signatur databases
+#
+SI_SIGNATUR_DATABASES="
+   securiteinfo.hdb
+   securiteinfo.ign2
+   javascript.ndb
+   spam_marketing.ndb
+   securiteinfohtml.hdb
+   securiteinfoascii.hdb
+   securiteinfoandroid.hdb
+   securiteinfoold.hdb
+   securiteinfopdf.hdb
+   securiteinfo0hour.hdb
+   securiteinfo.mdb
+   securiteinfo.yara
+   securiteinfo.pdb
+   securiteinfo.wdb
+"
 
 # - This parameter will be not asked, so setting it here
 # -
@@ -162,6 +185,8 @@ if [[ -z "$_HOSTNAME" ]] ; then
    [[ "$_HOSTNAME" = "$_HOSTNAME_SHORT" ]] && _HOSTNAME=""
 fi
 
+[[ -z "$_SASL_AUTH_ENABLED" ]] && _SASL_AUTH_ENABLED="$DEFAULT_SASL_AUTH_ENABLED"
+
 
 [[ -z "$_QUARANTINE_DIR" ]] && _QUARANTINE_DIR="$DEFAULT_QUARANTINE_DIR"
 
@@ -182,15 +207,18 @@ _needed_packages_clamav="clamav \
    clamav-freshclam \
    libgmp-dev \
    libgmp10"
-if [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 10 ]] ; then
+if [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -eq 10 ]] ; then
 	_needed_packages_clamav="$_needed_packages_clamav \
    libclamunrar7"
-elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 11 ]] ; then 
+elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -eq 11 ]] ; then
 	_needed_packages_clamav="$_needed_packages_clamav \
    libclamunrar9"
-elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 12 ]] ; then
+elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -eq 12 ]] ; then
 	_needed_packages_clamav="$_needed_packages_clamav \
    libclamunrar11"
+else
+   _needed_packages_clamav="$_needed_packages_clamav \
+   libclamunrar13"
 fi
 
 _needed_decoders_amavis="
@@ -334,6 +362,33 @@ if [ "X$IPV6" = "Xnone" -o "X$IPV6" = "XNone" ]; then
    IPV6=disabled
 fi
 
+SASL_AUTH_ENABLED=
+echo ""
+echo -e "\033[32m--\033[m"
+echo ""
+echo "Should this mail server support Cyrus SASL authentication?"
+echo ""
+while [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]];do
+
+   if [[ -n "$_SASL_AUTH_ENABLED" ]]; then
+      echononl "Support Cyrus SASL authentication [${_SASL_AUTH_ENABLED}]: "
+      read SASL_AUTH_ENABLED
+      SASL_AUTH_ENABLED=${SASL_AUTH_ENABLED,,}
+      [[ -z "$SASL_AUTH_ENABLED" ]] && SASL_AUTH_ENABLED="$_SASL_AUTH_ENABLED"
+   else
+      echononl "Support Cyrus SASL authentication [yes/no]: "
+      read SASL_AUTH_ENABLED
+      SASL_AUTH_ENABLED=${SASL_AUTH_ENABLED,,}
+   fi
+
+   if [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]] ; then
+      _SASL_AUTH_ENABLED=""
+      echo -e  "\n\t\033[33m\033[1mWrong entry!\033[m\n Type 'yes' or 'no'"
+   fi
+
+done
+
+
 
 echo ""
 echo -e "\033[32m--\033[m"
@@ -361,6 +416,85 @@ else
    done
 fi
 
+
+echo ""
+echo -e "\033[32m--\033[m"
+echo ""
+echo "Use SecuriteInfo Signatures (https://www.securiteinfo.com)?"
+echo ""
+echo "Note: You have to sign up for an account. For a free account thats here:"
+echo "      https://www.securiteinfo.com/clients/customers/signup"
+echo ""
+if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
+   echononl "Load SecuriteInfo Singatures (yes/no): "
+else
+   if $_SECURITE_INFO_IN_USE ; then
+      echononl "Load SecuriteInfo Singatures [yes]: "
+   else
+      echononl "Load SecuriteInfo Singatures [no]: "
+   fi
+fi
+read _TMP_LOAD_SI
+_TMP_LOAD_SI=${_TMP_LOAD_SI,,}
+while [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; do
+   if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
+      echononl "Wrong entry! (yes/no): "
+      read _TMP_LOAD_SI
+      _TMP_LOAD_SI=${_TMP_LOAD_SI,,}
+   else
+      if [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; then
+         if [[ "X$_TMP_LOAD_SI" = "X" ]]; then
+            if $_SECURITE_INFO_IN_USE ; then
+               _TMP_LOAD_SI=yes
+            else
+               _TMP_LOAD_SI=no
+            fi
+         else
+            if $_SECURITE_INFO_IN_USE ; then
+               echononl "Wrong entry! [yes]: "
+            else
+               echononl "Wrong entry! [no]: "
+            fi
+            read _TMP_LOAD_SI
+         fi
+      fi
+   fi
+done
+if [[ "$_TMP_LOAD_SI" = "yes" ]] ; then
+   SECURITE_INFO_IN_USE=true
+else
+   SECURITE_INFO_IN_USE=false
+fi
+
+if $SECURITE_INFO_IN_USE ; then
+   echo ""
+   echo -e "\033[32m--\033[m"
+   echo ""
+   echo "Insert SecuriteInfo Authorisation Signature"
+   echo ""
+   echo ""
+   SI_AUTHORISATION_SIGNATURE=
+   if [[ -n "$_SI_AUTHORISATION_SIGNATURE" ]] ; then
+      while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
+         echononl "SecuriteInfo Authorisation Signature [$(echo ${_SI_AUTHORISATION_SIGNATURE:0:4})..$(echo ${_SI_AUTHORISATION_SIGNATURE: -4})]: "
+         read SI_AUTHORISATION_SIGNATURE
+         if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
+               SI_AUTHORISATION_SIGNATURE=$_SI_AUTHORISATION_SIGNATURE
+            fi
+      done
+   else
+
+      while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
+         echononl "SecuriteInfo Authorisation Signature: "
+         read SI_AUTHORISATION_SIGNATURE
+         if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
+            echo -e "\n\t\033[33m\033[1mSecuriteInfo Authorisation Signature is reqired\033[m\n"
+         fi
+      done
+   fi
+fi
+
+
 echo ""
 echo -e "\033[32m--\033[m"
 echo ""
@@ -534,84 +668,6 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
 
    fi
 
-
-   echo "" 
-   echo -e "\033[32m--\033[m" 
-   echo "" 
-   echo "Load SecuriteInfo Signatures (https://www.securiteinfo.com)?" 
-   echo "" 
-   echo "Note: You have to sign up for an account. For a free account thats here:"
-   echo "      https://www.securiteinfo.com/clients/customers/signup"
-   echo "" 
-   if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
-      echononl "Load SecuriteInfo Singatures (yes/no): "
-   else
-      if $_SECURITE_INFO_IN_USE ; then
-         echononl "Load SecuriteInfo Singatures [yes]: "
-      else
-         echononl "Load SecuriteInfo Singatures [no]: "
-      fi
-   fi
-   read _TMP_LOAD_SI
-   _TMP_LOAD_SI=${_TMP_LOAD_SI,,}
-   while [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; do
-      if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
-         echononl "Wrong entry! (yes/no): "
-         read _TMP_LOAD_SI
-         _TMP_LOAD_SI=${_TMP_LOAD_SI,,}
-      else
-         if [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; then
-            if [[ "X$_TMP_LOAD_SI" = "X" ]]; then
-               if $_SECURITE_INFO_IN_USE ; then
-                  _TMP_LOAD_SI=yes
-               else
-                  _TMP_LOAD_SI=no
-               fi
-            else
-               if $_SECURITE_INFO_IN_USE ; then
-                  echononl "Wrong entry! [yes]: "
-               else
-                  echononl "Wrong entry! [no]: "
-               fi
-               read _TMP_LOAD_SI
-            fi
-         fi
-      fi
-   done
-   if [[ "$_TMP_LOAD_SI" = "yes" ]] ; then
-      SECURITE_INFO_IN_USE=true
-   else
-      SECURITE_INFO_IN_USE=false
-   fi
-
-   if $SECURITE_INFO_IN_USE ; then
-      echo ""
-      echo -e "\033[32m--\033[m"
-      echo ""
-      echo "Insert SecuriteInfo Authorisation Signature"
-      echo ""
-      echo ""
-      SI_AUTHORISATION_SIGNATURE=
-      if [[ -n "$_SI_AUTHORISATION_SIGNATURE" ]] ; then
-         while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
-            echononl "SecuriteInfo Authorisation Signature [$(echo ${_SI_AUTHORISATION_SIGNATURE:0:4})..$(echo ${_SI_AUTHORISATION_SIGNATURE: -4})]: "
-            read SI_AUTHORISATION_SIGNATURE
-            if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
-                  SI_AUTHORISATION_SIGNATURE=$_SI_AUTHORISATION_SIGNATURE
-               fi
-         done
-      else
-
-         while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
-            echononl "SecuriteInfo Authorisation Signature: "
-            read SI_AUTHORISATION_SIGNATURE
-            if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
-               echo -e "\n\t\033[33m\033[1mSecuriteInfo Authorisation Signature is reqired\033[m\n"
-            fi
-         done
-      fi
-   fi
-
 fi
 
 
@@ -788,6 +844,9 @@ echo ""
 echo -e "\tHostname...............................: $HOSTNAME"
 echo -e "\tIPv4 address...........................: $IPV4"
 echo -e "\tIPv6 address...........................: $IPV6"
+echo ""
+echo -e "\tSASL AUTH support......................: $SASL_AUTH_ENABLED"
+echo ""
 echo -e "\tQuarantine Directory ..................: $QUARANTINE_DIR"
 echo ""
 echo -e "\tInstall ClamAv Unoffical Sigs .........: $INSTALL_CLAMAV_UNOFFICIAL_SIGS"
@@ -837,6 +896,8 @@ _HOSTNAME=$HOSTNAME
 _IPV4=$IPV4
 _IPV6=$IPV6
 
+_SASL_AUTH_ENABLED=$SASL_AUTH_ENABLED
+
 _QUARANTINE_DIR=$QUARANTINE_DIR
 _QUARANTINE_ADMIN=$QUARANTINE_ADMIN
 
@@ -2898,6 +2959,50 @@ else
 	[[ $OK = "yes" ]] || fatal "Abbruch durch User"
 fi
 
+echononl "   Add SecuriteInfo signatur databases to freshclam.conf"
+if $SECURITE_INFO_IN_USE ; then
+
+   if [[ -f "/etc/clamav/freshclam.conf" ]] ; then
+
+      _done=false
+      for signatur_database in $SI_SIGNATUR_DATABASES ; do
+
+         if ! $(grep -q -E "DatabaseCustomURL\s+https://www.securiteinfo.com.*${signatur_database}" "/etc/clamav/freshclam.conf" 2>/dev/null) ; then
+
+            echo "DatabaseCustomURL https://www.securiteinfo.com/get/signatures/${SI_AUTHORISATION_SIGNATURE}/${signatur_database}" >> /etc/clamav/freshclam.conf
+
+            _done=true
+
+         fi
+
+      done
+
+      if $_done ; then
+         echo_ok
+      else
+         echo_skipped
+      fi
+
+   else
+
+      echo_failed
+      error "Cannot find freshclam configuration file '/etc/clamav/freshclam.conf'!"
+
+      echononl "continue anyway [yes/no]: "
+      read OK
+      OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+      while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
+         echononl "Wrong entry! - repeat [yes/nno]: "
+         read OK
+      done
+      [[ $OK = "yes" ]] || fatal "Abbruch durch User"
+
+   fi # if [[ -f "/etc/clamav/freshclam.conf" ]] ; then
+
+else
+   echo_skipped
+fi
+
 echononl "   Start ClamAv daemon.."
 if $systemd_exists ; then
    systemctl start clamav-daemon > /dev/null 2> $tmp_err_msg
@@ -3449,64 +3554,66 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
 # --------------------------------------
 # --- Begin: User specific modifications
 # --- Inserted by install-script "$(basename "$0")" at $(date +"%Y-%m-%d %H:%M")
+
+# - SecuriteInfo
+# -
+# - SecuriteInfo signatures are now directly integrated into ClamAV's Freshclam.
+# -
+# - We therefore disable them here.
+# -
+securiteinfo_enabled="no"
 EOF
 
-   if $MALWARE_PATROL_IN_USE || $SECURITE_INFO_IN_USE ; then
 
-      if $MALWARE_PATROL_IN_USE ; then
+   if $MALWARE_PATROL_IN_USE ; then
 
-         cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
+      cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
 
 malwarepatrol_receipt_code="$MP_RECEIPT_NUMBER"
 malwarepatrol_list="clamav_basic"
 EOF
-         if [[ "$?" -ne 0 ]] ; then
+      if [[ "$?" -ne 0 ]] ; then
-            installation_failed=true
+         installation_failed=true
-            error "$(cat $tmp_err_msg)"
+         error "$(cat $tmp_err_msg)"
-         fi
+      fi
 
 
-         if $MALWERE_PATROL_FREE ; then
+      if $MALWERE_PATROL_FREE ; then
-            cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
+         cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
 malwarepatrol_product_code="8"
 malwarepatrol_free="yes"
 EOF
-            if [[ "$?" -ne 0 ]] ; then
+         if [[ "$?" -ne 0 ]] ; then
-               installation_failed=true
+            installation_failed=true
-               error "$(cat $tmp_err_msg)"
+            error "$(cat $tmp_err_msg)"
-            fi
+         fi
-         else
+      else
-            cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
+         cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
 malwarepatrol_product_code="15"
 malwarepatrol_free="no"
-EOF
-            if [[ "$?" -ne 0 ]] ; then
-               installation_failed=true
-               error "$(cat $tmp_err_msg)"
-            fi
-         fi
-      fi # if $MALWARE_PATROL_IN_USE
-
-      if $SECURITE_INFO_IN_USE ; then
-         cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
-# - SecuriteInfo
-# -
-# -    type:     basic
-# -    account:  ckubu@oopen.de
-# -    signatur: abb4ec6b..46b59a4e
-# -
-# -    type:     professional
-# -    account:  oo@oopen.de
-# -    signatur: b0b7e94d..0c2e3a89
-# -
-securiteinfo_authorisation_signature="$SI_AUTHORISATION_SIGNATURE"
 EOF
          if [[ "$?" -ne 0 ]] ; then
             installation_failed=true
             error "$(cat $tmp_err_msg)"
          fi
-      fi # if $SECURITE_INFO_IN_USE
+      fi
-   fi #if $MALWARE_PATROL_IN_USE || $SECURITE_INFO_IN_USE
+
+   else
+      cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
+
+# - MalwarePatrol
+# -
+# - Not in use
+# -
+malwarepatrol_enabled="no"
+EOF
+      if [[ "$?" -ne 0 ]] ; then
+         installation_failed=true
+         error "$(cat $tmp_err_msg)"
+      fi
+
+   fi #if $MALWARE_PATROL_IN_USE
+
    cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
 
 # - Disable  Yara-Rule set, because (some?) pgp mails where blocked.
@@ -4228,96 +4335,15 @@ read_hash(\%spam_lovers, '/etc/postfix/spam_lovers');
 \$final_spam_destiny       = D_BOUNCE;
 #\$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
 
-\$sa_tag_level_deflt  = 2.0;    # add spam info headers if at, or above that level
-\$sa_tag2_level_deflt = 5.1;    # add 'spam detected' headers at that level
-\$sa_kill_level_deflt = 10.31;  # reject/bounce/discard/pass
 
+##- Moved to file '/etc/amavis/policy_banks.conf'
 ## -
-## - User / Domain specific settings
+## -  \$sa_tag_level_deflt  = 2.0;    # add spam info headers if at, or above that level
+## -  \$sa_tag2_level_deflt = 5.1;    # add 'spam detected' headers at that level
+## -  \$sa_kill_level_deflt = 10.31;  # reject/bounce/discard/pass
 ## -
+do "/etc/amavis/policy_banks.conf";  # Externe Datei einbinden
 
-## - Per-recipient mapping of tag2 levels to email addresses (tag2 level):
-## -
-## - Set directly:
-## -
-#\$sa_tag2_level_deflt = {
-#   # oopen.de
-#   'oopen.de'=>'2.1',
-#   'ckubu@oopen.de'=>'2.2',
-#   'argus@oopen.de'=>'2.3',
-#   # k8h.de
-#   'k8h.de'=>'6.5',
-#   # default
-#   '.'=>'5.1'
-#};
-## -
-## - Read from file using @spam_tag2_level_maps
-## -
-## -    default: @spam_tag2_level_maps = (\\\$sa_tag2_level_deflt);
-## -
-## - Example file '/etc/postfix/tag2_level_maps.dat' 
-## -
-## -    # oopen.de
-## -    oopen.de           2.1
-## -    ckubu@oopen.de     2.2
-## -    argus@oopen.de     2.3
-## -    [..]
-## -    # k8h.de
-## -    k8h.de             6.5
-## -    [..]
-## -    # default
-## -    .                  5.1
-## -
-#@spam_tag2_level_maps = ( read_hash('/etc/postfix/tag2_level_maps.dat') );
-
-## - Per-recipient mapping of kill levels to email addresses (kill level):
-## -
-## - Set directly
-## -
-#\$sa_kill_level_deflt = {
-#   'ckubu@oopen.de'=>'1500.0',
-#   'ckubu-adm@oopen.de'=>'1500.0',
-#   # default
-#   '.'=>'10.31'
-#};
-## -
-## - Read from file using @spam_kill_level_maps
-## -
-## -    default: @spam_kill_level_maps = (\\\$sa_kill_level_deflt);
-## -
-## - Example file '/etc/postfix/kill_level_maps.dat' 
-## -
-## -    # oopen.de
-## -    ckubu@oopen.de     1500.0
-## -    ckubu-adm@oopen.de 1500.0
-## -    [..]
-## -    # default
-## -    .                  10.31
-## -
-#@spam_kill_level_maps = ( read_hash('/etc/postfix/kill_level_maps.dat') );
-
-
-## - We will inform the sender about bouncing his mail with a DSN (Delivery
-## - StatusNotification). That DSN message will no be send, if the spamvalue 
-## - exceeds the value of sa_dsn_cutoff_level
-## -
-#\$sa_dsn_cutoff_level = 10;     # spam level beyond which a DSN is not sent
-\$sa_dsn_cutoff_level = 20;
-
-
-## - change the default server response if mail was blocked
-## - because of spam.
-## -
-## - results in (is an example):
-## -    <ckubu@so36.net>: host 127.0.0.1[127.0.0.1] said: 554 5.7.0 Reject, Mailserver
-## -    at a.mx.oopen.de: identified as SPAM -  (in reply to end of DATA command)
-## -
-%smtp_reason_by_ccat = (
-  CC_SPAM, "Mailserver at \$myhostname: identified as SPAM - %x"
-);
-
-\$sa_spam_subject_tag = undef;
-#\$sa_spam_subject_tag = '***SPAM*** '; 
 
 
 ## - QUARANTINE
@@ -4565,6 +4591,153 @@ else
 fi
 
 
+## - Create File containing policy settings
+## -
+_config_policy_banks_file=/etc/amavis/policy_banks.conf
+echononl "    Create File \"${_config_policy_banks_file}\""
+if [[ -f "${_config_policy_banks_file}" ]]; then
+   echo_skipped
+else
+   cat << EOF > ${_config_policy_banks_file}
+# Externe Richtliniendatei für amavisd
+
+use strict;
+
+
+# ---
+# add spam info headers if at, or above that level
+# ---
+
+## - All recipients with identical the same setting:
+## -
+#\$sa_tag_level_deflt  = 2.0;
+
+## - Per-recipient mapping of tag2 levels to email addresses (tag2 level):
+## -
+## - Set directly:
+## -
+\$sa_tag_level_deflt = {
+   'oopen.de'           => '-4.5',
+   # default
+   '.'=>'2.0'
+};
+
+## - Read from file using @spam_tag2_level_maps
+## -
+## -    default: @spam_tag2_level_maps = (\$sa_tag2_level_deflt);
+## -
+## - Example file '/etc/postfix/tag2_level_maps.dat'
+## -
+## -    # oopen.de
+## -    oopen.de           2.1
+## -    ckubu@oopen.de     2.2
+## -    argus@oopen.de     2.3
+## -    [..]
+## -    # k8h.de
+## -    k8h.de             6.5
+## -    [..]
+## -    # default
+## -    .                  5.1
+## -
+#@spam_tag2_level_maps = ( read_hash('/etc/postfix/tag2_level_maps.dat') );
+
+
+#\$sa_spam_subject_tag = '***SPAM*** ';    # Spam-Betreff-Tag
+\$sa_spam_subject_tag = undef;
+
+
+
+# ---
+# add 'spam detected' headers at that level
+# ---
+
+## - All recipients with identical the same setting:
+## -
+#\$sa_tag2_level_deflt = 5.1;               # add 'spam detected' headers at that level
+
+## - Per-recipient mapping of kill levels to email addresses (kill level):
+## -
+## - Set directly
+## -
+\$sa_tag2_level_deflt = {
+   'oopen.de'           => '3.1',
+   '123comics.net'      => '4.1',
+   'info@123comics.net' => '3.1',
+   # default
+   '.'                  => '5.1',
+};
+
+## - Read from file using @spam_kill_level_maps
+## -
+## -    default: @spam_kill_level_maps = (\$sa_kill_level_deflt);
+## -
+## - Example file '/etc/postfix/kill_level_maps.dat'
+## -
+## -    # oopen.de
+## -    ckubu@oopen.de     1500.0
+## -    ckubu-adm@oopen.de 1500.0
+## -    [..]
+## -    # default
+## -    .                  10.31
+## -
+#@spam_kill_level_maps = ( read_hash('/etc/postfix/kill_level_maps.dat') );
+
+
+
+# ---
+# adding more detailed spam-related headers.
+# ---
+
+## - All recipients with identical the same setting:
+## -
+\$sa_tag3_level_deflt = 7.0;               # threshold for sa_tag3_level_deflt
+
+## - Note
+## -  Like 'sa_tag2_level_deflt' above per-recipient also possible
+
+
+@sa_tag3_level_maps = (
+  ['^Subject:', '\[HIGH-SPAM\] $&'],      # Modify subject
+  ['HEADER', 'X-High-Spam-Flag', 'YES'],  # Add a custom header
+);
+
+
+# ---
+# spam score threshold at which amavisd-new will reject (kill) an email.
+# ---
+
+## - All recipients with identical the same setting:
+## -
+\$sa_kill_level_deflt = 10.31;             # reject/bounce/discard/pass
+
+## - Note
+## -  Like 'sa_tag2_level_deflt' above per-recipient also possible
+
+
+
+# ---
+# The threshold for sending a delivery status notification (DSN) to the sender
+# ---
+
+## - We will inform the sender about bouncing his mail with a DSN (Delivery
+## - StatusNotification). That DSN message will no be send, if the spamvalue
+## - exceeds the value of sa_dsn_cutoff_level
+## -
+#\$sa_dsn_cutoff_level = 10;     # spam level beyond which a DSN is not sent
+\$sa_dsn_cutoff_level = 20;
+
+
+#------------ Do not modify anything below this line -------------
+1;  # ensure a defined return
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+   fi
+fi
+
+
 ## - Configure syslogd matching the configuration od amavisd
 ## -
 echononl "   Configure syslogd matching the configuration of amavis"
@@ -4927,6 +5100,12 @@ if grep -iq -E "^amavisfeed\s+" $postfix_master_cf > /dev/null 2>&1 ; then
 else
    amavisfeed_present=false
 fi
+if grep -iq -E "^[0-9]{2,5}\s+inet.*smtpd" $postfix_master_cf > /dev/null 2>&1 ; then
+   listen_on_additional_smtp_port=true
+   additional_smtp_port="$(grep -E "^[0-9]{2,5}\s+inet.*smtpd" /etc/postfix/master.cf | grep -o -E "^[0-9]{2,5}")"
+else
+   listen_on_additional_smtp_port=false
+fi
 
 > $postfix_master_cf
 while IFS='' read -r _line || [[ -n $_line ]] ; do
@@ -4937,8 +5116,26 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
 smtp      inet  n       -       y       -       -       smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o content_filter=
+EOF
+      if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
+         cat >> $postfix_master_cf << EOF
    -o smtpd_sasl_auth_enable=no
 EOF
+      fi
+
+      if ${listen_on_additional_smtp_port} ; then
+         cat >> $postfix_master_cf << EOF
+${additional_smtp_port}      inet  n       -       y       -       -       smtpd
+   -o smtpd_proxy_filter=127.0.0.1:10024
+   -o content_filter=
+EOF
+         if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
+            cat >> $postfix_master_cf << EOF
+   -o smtpd_sasl_auth_enable=no
+EOF
+         fi
+      fi
+
 		if ! $submission_present && ! $smtps_present && ! $localhost_10025_present ; then
 					cat >> $postfix_master_cf << EOF
 localhost:10025  inet  n       -       y       -       -       smtpd
@@ -5193,6 +5390,13 @@ else
    fi
 fi
 
+if ${listen_on_additional_smtp_port}; then
+
+   echo ""
+   warn "Please do not forget to allow incomming traffic on port \033[1m${additional_smtp_port}\033[m.
+                     Check your firewall settings.."
+fi
+
 
 #fi # if $ommit ; then
 # -------------------------------

install_opendkim.sh

@@ -189,6 +189,13 @@ else
    cat <<EOF > $opendkim_conf_file 2> $log_file
 # Datei $opendkim_conf_file
 
+# Sets the "authserv-id" to use when generating the Authentication-Results:
+# header field after verifying a message. The default is to use the name of
+# the MTA processing the message. If the string "HOSTNAME" is provided, the
+# name of the host running the filter (as returned by the gethostname(3)
+# function) will be used.
+AuthservID              "DKIM check $(hostname -f)"
+
 # OpenDKIM agiert als Mail Filter (= Milter) in den
 # Modi signer (s) und verifier (v) und verwendet eine
 # Socket-Datei zur Kommunikation (alternativ: lokaler Port)
@@ -237,6 +244,21 @@ SignatureAlgorithm      rsa-sha256
 # because it is often the identity key used by reputation systems and thus
 # somewhat security sensitive.
 OversignHeaders         From
+
+# Add an "Authentication-Results:" header field even to unsigned messages
+# from domains with no "signs all" policy. The reported DKIM result will be
+# "none" in such cases. Normally unsigned mail from non-strict domains does
+# not cause the results header field to be added.
+AlwaysAddARHeader       yes
+
+# Causes opendkim to fork and exits immediately, leaving the service running
+# in the background. The default is "true".
+Background              yes
+
+# Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
+# default is 5. Ignored if not using an asynchronous resolver package. See
+# also the NOTES section below.
+DNSTimeout              5
 EOF
    opendkim_needs_restart=true
    if [[ $? -eq 0 ]] ; then

install_opendmarc.sh

@@ -23,7 +23,7 @@ opendmarc_socket_dir="${postfix_spool_dir}/opendmarc"
 opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
 
 config_file_name_value_parameters="
-   AuthservID|OpenDMARC
+   AuthservID|DMARC check $(hostname -f)
    PidFile|/run/opendmarc/opendmarc.pid
    RejectFailures|true
    Syslog|true
@@ -31,11 +31,12 @@ config_file_name_value_parameters="
    TrustedAuthservIDs|$(hostname -f)
    IgnoreHosts|/etc/opendmarc/ignore.hosts
    IgnoreAuthenticatedClients|true
-   RequiredHeaders|true
+   RequiredHeaders|false
    UMask|002
    FailureReports|false
    AutoRestart|true
    HistoryFile|/run/opendmarc/opendmarc.dat
+   SPFIgnoreResults|false
    SPFSelfValidate|true
    Socket|${opendmarc_socket_file}
 "
@@ -182,6 +183,200 @@ else
 fi
 
 
+# - Add 'IgnoreHosts' with default value to the original opendmarc.conf file
+#
+echononl " Add 'IgnoreHosts' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^IgnoreHosts\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Specifies the path to a file that contains a list of hostnames, IP addresses,
+## and/or CIDR expressions identifying hosts whose SMTP connections are to be
+## ignored by the filter. If not specified, defaults to "127.0.0.1" only.
+#
+IgnoreHosts 127.0.0.1
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'IgnoreAuthenticatedClients' with default value to the original opendmarc.conf file
+#
+_param="IgnoreAuthenticatedClients"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, causes mail from authenticated clients (i.e., those that used 
+## SMTP AUTH) to be ignored by the filter. The default is "false".
+#
+IgnoreAuthenticatedClients false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
+#
+_param="IgnoreAuthenticatedClients"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, causes mail from authenticated clients (i.e., those that used
+## SMTP AUTH) to be ignored by the filter. The default is "false".
+#
+IgnoreAuthenticatedClients false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
+#
+_param="RequiredHeaders"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, the filter will ensure the header of the message conforms to the basic 
+## header field count restrictions laid out in RFC5322, Section 3.6. Messages 
+## failing this test are rejected without further processing. A From: field from 
+## which no domain name could be extracted will also be rejected.
+#
+RequiredHeaders false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'AutoRestart' with default value to the original opendmarc.conf file
+#
+_param="AutoRestart"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Automatically re-start on failures. Use with caution; if the filter fails
+## instantly after it starts, this can cause a tight fork(2) loop.
+#
+AutoRestart false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'HistoryFile' with default value to the original opendmarc.conf file
+#
+_param="HistoryFile"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, specifies the location of a text file to which records are written
+## that can be used to generate DMARC aggregate reports. Records are batches of
+## rows containing information about a single received message, and include all
+## relevant information needed to generate a DMARC aggregate report. It is
+## expected that this will not be used in its raw form, but rather periodically
+## imported into a relational database from which the aggregate reports can be
+## extracted using opendmarc-importstats(8).
+#
+HistoryFile /run/opendmarc/opendmarc.dat
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'SPFIgnoreResults' with default value to the original opendmarc.conf file
+#
+_param="SPFIgnoreResults"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Causes the filter to ignore any SPF results in the header of the message. This
+## is useful if you want the filter to perform SPF checks itself, or because you
+## don't trust the arriving header. The default is "false".
+#
+SPFIgnoreResults false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'SPFSelfValidate' with default value to the original opendmarc.conf file
+#
+_param="SPFSelfValidate"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Causes the filter to perform a fallback SPF check itself when it can find no
+## SPF results in the message header. If SPFIgnoreResults is also set, it never
+## looks for SPF results in headers and always performs the SPF check itself when
+## this is set. The default is "false".
+#
+SPFSelfValidate false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
 # - Save configuration file from distribution
 # -
 echononl "   Save configuration file from distribution"

install_postfix_base.sh

@@ -84,18 +84,25 @@ blank_line() {
    fi
 }
 
+trim() {
+    local var="$*"
+    var="${var#"${var%%[![:space:]]*}"}"   # remove leading whitespace characters
+    var="${var%"${var##*[![:space:]]}"}"   # remove trailing whitespace characters
+    echo -n "$var"
+}
 
-detect_os () {
+
+detect_os_1 () {
 
    if $(which lsb_release > /dev/null 2>&1) ; then
 
-      DIST="$(lsb_release -i | awk '{print tolower($3)}')"
+      os_dist="$(lsb_release -i | awk '{print tolower($3)}')"
-      DIST_VERSION="$(lsb_release -r | awk '{print tolower($2)}')"
+      os_version="$(lsb_release -r | awk '{print tolower($2)}')"
-      DIST_CODENAME="$(lsb_release -c | awk '{print tolower($2)}')"
+      os_codename="$(lsb_release -c | awk '{print tolower($2)}')"
 
-      if [[ "$DIST" = "debian" ]]; then
+      if [[ "$os_dist" = "debian" ]]; then
-         if $(echo "$DIST_VERSION" | grep -q '\.') ; then
+         if $(echo "$os_version" | grep -q '\.') ; then
-            DIST_VERSION=$(echo "$DIST_VERSION" | cut --delimiter='.' -f1)
+            os_version=$(echo "$os_version" | cut --delimiter='.' -f1)
          fi
       fi
 
@@ -103,14 +110,14 @@ detect_os () {
 
       . /etc/os-release
 
-      DIST=$ID
+      os_dist=$ID
-      DIST_VERSION=${VERSION_ID}
+      os_version=${VERSION_ID}
 
    fi
 
-   # remove whitespace from DIST and DIST_VERSION
+   # remove whitespace from os_dist and os_version
-   DIST="${DIST// /}"
+   os_dist="${os_dist// /}"
-   DIST_VERSION="${DIST_VERSION// /}"
+   os_version="${os_version// /}"
 
 }
 
@@ -122,7 +129,9 @@ detect_os () {
 
 DEFAULT_ADMIN_EMAIL="argus@oopen.de"
 DEFAULT_RELAY_HOST="b.mx.oopen.de"
+DEFAULT_RELAY_PORT=25
 DEFAULT_SASL_AUTH=false
+DEFAULT_REWRITE_SENDER_DOMAIN=None
 
 
 # - Is this a systemd system?
@@ -157,7 +166,7 @@ fi
 
 blank_line
 echononl "Detect distribution/release of running OS.."
-detect_os  > /dev/null 2>&1
+detect_os_1  > /dev/null 2>&1
 if [[ $? -ne 0 ]]; then
    echo_failed
 else
@@ -332,13 +341,17 @@ fi
 # --- Some further default values depending on sasl authentification
 # -------------
 
-# - Set default value for relay host if sasl authentification should be
+# - Set default value for relay host / relay port if sasl authentification should be
-# - supported and value for _RELAY_HOST not given
+# - supported and value for _RELAY_HOST / _RELAY_PORT not given
 # -
 if [[ "$SASL_AUTH" = "yes" ]] || $SASL_AUTH ; then
    [[ -z "$_RELAY_HOST" ]] && _RELAY_HOST="$DEFAULT_RELAY_HOST"
+   [[ -z "$_RELAY_PORT" ]] && _RELAY_PORT="$DEFAULT_RELAY_PORT"
 fi
 
+if [[ -z ${_REWRITE_SENDER_DOMAIN} ]] ; then
+   _REWRITE_SENDER_DOMAIN="${DEFAULT_REWRITE_SENDER_DOMAIN}"
+fi
 
 
 if [[ "$SASL_AUTH" = "yes" ]] || $SASL_AUTH ; then
@@ -405,11 +418,57 @@ if [[ "$SASL_AUTH" = "yes" ]] || $SASL_AUTH ; then
    fi
 
 
+   RELAY_PORT=
+   echo ""
+   echo "Insert the target port to connect to ${RELAY_HOST}"
+   echo ""
+   if [[ -n "$_RELAY_PORT" ]];then
+      echononl "(target) Port on ${RELAY_HOST} [$_RELAY_PORT]: "
+      read RELAY_PORT
+      if [[ "X${RELAY_PORT}" = "X" ]]; then
+         RELAY_PORT=$_RELAY_PORT
+      fi
+   else
+      while [[ "X${RELAY_PORT}" = "X" ]]; do
+         echononl "(target) Port on ${RELAY_HOST}: "
+         read RELAY_PORT
+         if [[ "X${RELAY_PORT}" = "X" ]]; then
+            echo -e "\n\t\033[33m\033[1mi(target) Port of ${RELAY_HOST} is reqired\033[m\n"
+         fi
+      done
+   fi
 
 else
    SASL_AUTH=false
 fi
 
+REWRITE_SENDER_DOMAIN=
+echo ""
+echo ""
+echo -e "\033[33m** \033[32m-- \033[33m**\033[m"
+echo ""
+echo "Change the sender domain"
+echo ""
+echo -e "\t'\033[33mNone\033[m' if no change is desired"
+echo ""
+if [[ -n "${_REWRITE_SENDER_DOMAIN}" ]] ; then
+   echononl "New sender domain [${_REWRITE_SENDER_DOMAIN}]: "
+   read REWRITE_SENDER_DOMAIN
+   if [[ "X${REWRITE_SENDER_DOMAIN}" = "X" ]]; then
+      REWRITE_SENDER_DOMAIN="${_REWRITE_SENDER_DOMAIN}"
+   fi
+else
+   while [[ "X${IPV6}" = "X" ]]; do
+      echononl "New sender domain: "
+      read REWRITE_SENDER_DOMAIN
+      if [[ "X${REWRITE_SENDER_DOMAIN}" = "X" ]]; then
+         REWRITE_SENDER_DOMAIN="None"
+      fi
+   done
+fi
+
+echo ""
+echo -e "\033[33m** \033[32m-- \033[33m**\033[m"
 
 echo ""
 echo ""
@@ -420,11 +479,18 @@ echo -e "\tIPv4 address.............: $IPV4"
 echo -e "\tIPv6 address.............: $IPV6"
 echo -e "\tAdmin e-mail.............: $ADMIN_EMAIL"
 echo ""
+if [[ "$(trim ${REWRITE_SENDER_DOMAIN,,})" = 'none' ]] ; then
+   echo -e "\trewrite sender domain....: \033[33mNone\033[m"
+else
+   echo -e "\trewrite sender domain....: $REWRITE_SENDER_DOMAIN"
+fi
+echo ""
 echo -e "\tRelay using sasl auth....: $SASL_AUTH"
 if $SASL_AUTH ; then
    echo -e "\t   sasl user.............: $SASL_USER"
    echo -e "\t   sasl password.........: $SASL_PASS"
    echo -e "\t   Relayhost.............: $RELAY_HOST"
+   echo -e "\t   Port on Relayhost.....: $RELAY_PORT"
 fi
 echo ""
 echononl "einverstanden (yes/no): "
@@ -456,6 +522,8 @@ _SASL_AUTH=$SASL_AUTH
 _SASL_USER=$SASL_USER
 _SASL_PASS=$SASL_PASS
 _RELAY_HOST=$RELAY_HOST
+_RELAY_PORT=$RELAY_PORT
+_REWRITE_SENDER_DOMAIN=$REWRITE_SENDER_DOMAIN
 EOF
 if [[ $? -eq 0 ]] ; then
    echo_ok
@@ -631,12 +699,25 @@ mydestination =
 ## -
 mynetworks =
    127.0.0.0/8
-   ${IPV4}/32
+EOF
 
-smtp_bind_address = $IPV4
+   if [[ ${IPV4} =~ ^127 ]] ; then
-smtp_bind_address6 = $IPV6
+
+      cat <<EOF >> /etc/postfix/main.cf
+
+smtp_bind_address =
+smtp_bind_address6 =
 
 EOF
+   else
+      cat <<EOF >> /etc/postfix/main.cf
+      ${IPV4}/32
+
+smtp_bind_address = $IPV4
+#smtp_bind_address6 =
+
+EOF
+   fi
 fi
 
 cat <<EOF >> /etc/postfix/main.cf
@@ -689,9 +770,21 @@ alias_database =
 ## -
 ## - Note: \$sender_canonical_maps is processed before \$canonical_maps.
 ## -
-sender_canonical_maps = btree:/etc/postfix/sender_canonical
+sender_canonical_maps =
+   btree:/etc/postfix/sender_canonical
 
 
+## - smtp_generic_maps (default: empty)
+## -
+## - Optional lookup tables that perform address rewriting in the Postfix
+## - SMTP client, typically to transform a locally valid address into a
+## - globally valid address when sending mail across the Internet. This is
+## - needed when the local machine does not have its own Internet domain name,
+## -but uses something like localdomain.local instead.
+## -
+smtp_generic_maps =
+   btree:/etc/postfix/generic
+
 ## - The maximal time a message is queued before it is sent back as
 ## - undeliverable. Defaults to 5d (5 days)
 ## - Specify 0 when mail delivery should be tried only once.
@@ -733,9 +826,24 @@ smtp_sasl_auth_enable = yes
 
 # Only offer SMTP AUTH when talking over an encrypted connection
 smtpd_tls_auth_only = yes
+EOF
+
+   if [[ ${RELAY_PORT} -ne 25 ]] ; then
+      cat <<EOF >> /etc/postfix/main.cf
+
+# Forwarding to the ip-adress of host b.mx.oopen.de
+relayhost = [${RELAY_HOST}]:${RELAY_PORT}
+EOF
+   else
+      cat <<EOF >> /etc/postfix/main.cf
 
 # Forwarding to the ip-adress of host b.mx.oopen.de
 relayhost = [${RELAY_HOST}]
+EOF
+
+   fi
+
+   cat <<EOF >> /etc/postfix/main.cf
 
 # File including login data
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
@@ -854,59 +962,103 @@ smtp_tls_CAfile = $_TLS_CA_FILE
 #
 # List of TLS protocols that the Postfix SMTP server will exclude or
 # include with opportunistic TLS encryption.
-smtpd_tls_protocols = !SSLv2, !SSLv3
+#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
+
+# TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption.
 #
-# The SSL/TLS protocols accepted by the Postfix SMTP server  
+#smtpd_tls_protocols = >=TLSv1
-# with mandatory TLS encryption. 
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
 
-
+# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption.
-# Disable SSLv2 SSLv3 - Postfix SMTP client 
 #
-# List of TLS protocols that the Postfix SMTP client will exclude or  
+#smtpd_tls_mandatory_protocols = >=TLSv1
-# include with opportunistic TLS encryption.  
+
-smtp_tls_protocols = !SSLv2, !SSLv3
+# TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption.
 #
-# List of SSL/TLS protocols that the Postfix SMTP client will use  
+#smtp_tls_protocols = >=TLSv1
-# with mandatory TLS encryption 
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 
-
+# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption.
-## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange 
-## -    openssl > 1.0
-## -
-smtpd_tls_eecdh_grade = strong
-
-# standard list cryptographic algorithm
-tls_preempt_cipherlist = yes
-
-# Disable ciphers which are less than 256-bit:
 #
-#smtpd_tls_mandatory_ciphers = high
+smtp_tls_mandatory_protocols = >=TLSv1.2
+
+
+# The Postfix SMTP server security grade for ephemeral elliptic-curve
+# Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this
+# parameter is always ignored, and Postfix behaves as though the auto value
+# (described below) was chosen.
 #
-# opportunistic
+# auto
-smtpd_tls_ciphers = high
+#    Use the most preferred curve that is supported by both the client and the server.
+#    This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This
+#    is the default setting under the above conditions (and the only setting used with
+#    Postfix ≥ 3.6).
+#
+# none
+#    Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the
+#    default in Postfix versions 2.6 and 2.7.
+#
+# strong
+#    Use EECDH with approximately 128 bits of security at a reasonable computational cost.
+#    This is the default in Postfix versions 2.8-3.5.
+#
+# ultra
+#    Use EECDH with approximately 192 bits of security at computational cost that is
+#    approximately twice as high as 128 bit strength ECC.
+#
+smtpd_tls_eecdh_grade = auto
 
 
-# Exclude ciphers
+# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead
+# of the remote client's cipher preference order.
+#
+# By default, the OpenSSL server selects the client's most preferred cipher that the
+# server supports. With SSLv3 and later, the server may choose its own most preferred
+# cipher that is supported (offered) by the client.
+#
+# Setting "tls_preempt_cipherlist = yes" enables server cipher preferences.
+#
+# default: no
+#
+#tls_preempt_cipherlist = no
+
+
+# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory
+# TLS encryption. The default grade ("medium") is sufficiently strong that any benefit
+# from globally restricting TLS sessions to a more stringent grade is likely negligible,
+# especially given the fact that many implementations still do not offer any stronger
+# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers.
+# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export"
+# or "low" ciphers is typically not a good idea, as systems limited to just these are
+# limited to obsolete browsers. No known SMTP clients fail to support at least one
+# "medium" or "high" grade cipher.
+#
+# default: medium
+#
+#smtpd_tls_mandatory_ciphers = medium
+
+# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic
+# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the
+# base definition of the selected cipher grade.
+#
+# default: medium
+#
+#smtpd_tls_ciphers = medium
+
+
+# List of ciphers or cipher types to exclude from the SMTP server cipher list at all
+# TLS security levels.
+#
+# DO NOT exclude ciphers unless it is essential to do so. This is not an OpenSSL cipherlist;
+# it is a simple list separated by whitespace and/or commas. The elements are a single cipher,
+# or one or more "+" separated cipher properties, in which case only ciphers matching all the
+# properties are excluded.
+#
 #smtpd_tls_exclude_ciphers =
-#   RC4
+
-#   aNULL
+# Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher
-#   SEED-SHA
+# list at mandatory TLS security levels. This list works in addition to the exclusions listed
-#   EXP
+# with smtp_tls_exclude_ciphers
-#   MD5
+#
-smtpd_tls_exclude_ciphers =
+#smtp_tls_mandatory_exclude_ciphers =
-   aNULL
-   eNULL
-   EXPORT
-   DES
-   RC4
-   MD5
-   PSK
-   aECDH
-   EDH-DSS-DES-CBC3-SHA
-   EDH-RSA-DES-CDC3-SHA
-   KRB5-DE5, CBC3-SHA
 
 
 smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
@@ -951,8 +1103,21 @@ echo_ok
 echononl "   Configure SASL authentification"
 if $SASL_AUTH ; then
 
+   _sasl_pw_file="/etc/postfix/sasl_passwd"
+   if [[ -f "${_sasl_pw_file}" ]] && $(grep -q -E "^\[${RELAY_HOST}\]" ${_sasl_pw_file} 2> /dev/null); then
+      sed -i "/^\[${RELAY_HOST}/d" ${_sasl_pw_file}
+      if [[ "$?" != "0" ]]; then
+         error "Setting \"/etc/postfix/sasl_passwd\" failed! "
+         _failed=true
+      fi
+   fi
+
    _failed=false
-   echo "[$RELAY_HOST] ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" > /etc/postfix/sasl_passwd
+   if [[ ${RELAY_PORT} -ne 25 ]] ; then
+      echo "[$RELAY_HOST]:${RELAY_PORT} ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" >> /etc/postfix/sasl_passwd
+   else
+      echo "[$RELAY_HOST] ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" >> /etc/postfix/sasl_passwd
+   fi
    if [[ "$?" != "0" ]]; then
       error "Setting \"/etc/postfix/sasl_passwd\" failed! "
       _failed=true
@@ -1047,7 +1212,7 @@ fi
 ## -
 echononl "   Generate DH key length=512 \"/etc/postfix/ssl/dh_512.pem\""
 if [[ ! -f /etc/postfix/ssl/dh_512.pem ]]; then
-   if [[ $DIST_VERSION -gt 11 ]] ; then
+   if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
       openssl dhparam -out /etc/postfix/ssl/dh_512.pem 512 > /dev/null 2>&1
    else
       openssl dhparam -dsaparam -out /etc/postfix/ssl/dh_512.pem 512 > /dev/null 2>&1
@@ -1058,7 +1223,7 @@ if [[ ! -f /etc/postfix/ssl/dh_512.pem ]]; then
       echo_failed
    fi
 else
-   if [[ $DIST_VERSION -gt 11 ]] ; then
+   if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
       if $(grep -q -E "X9.42" /etc/postfix/ssl/dh_512.pem 2> /dev/null); then
          openssl dhparam -out /etc/postfix/ssl/dh_512.pem 512 > /dev/null 2>&1
          if [[ $? -eq 0 ]] ; then
@@ -1075,7 +1240,7 @@ else
 fi
 echononl "   Generate DH key length=1024 \"/etc/postfix/ssl/dh_1024.pem\""
 if [[ ! -f /etc/postfix/ssl/dh_1024.pem ]]; then
-   if [[ $DIST_VERSION -gt 11 ]] ; then
+   if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
       openssl dhparam -out /etc/postfix/ssl/dh_1024.pem 1024 > /dev/null 2>&1
    else
       openssl dhparam -dsaparam -out /etc/postfix/ssl/dh_1024.pem 1024 > /dev/null 2>&1
@@ -1086,7 +1251,7 @@ if [[ ! -f /etc/postfix/ssl/dh_1024.pem ]]; then
       echo_failed
    fi
 else
-   if [[ $DIST_VERSION -gt 11 ]] ; then
+   if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
       if $(grep -q -E "X9.42" /etc/postfix/ssl/dh_1024.pem 2> /dev/null); then
          openssl dhparam -out /etc/postfix/ssl/dh_1024.pem 1024 > /dev/null 2>&1
          if [[ $? -eq 0 ]] ; then
@@ -1103,7 +1268,7 @@ else
 fi
 echononl "   Generate DH key length=2048 \"/etc/postfix/ssl/dh_2048.pem\""
 if [[ ! -f /etc/postfix/ssl/dh_2048.pem ]]; then
-   if [[ $DIST_VERSION -gt 11 ]] ; then
+   if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
       openssl dhparam -out /etc/postfix/ssl/dh_2048.pem 2048 > /dev/null 2>&1
    else
       openssl dhparam -dsaparam -out /etc/postfix/ssl/dh_2048.pem 2048 > /dev/null 2>&1
@@ -1114,7 +1279,7 @@ if [[ ! -f /etc/postfix/ssl/dh_2048.pem ]]; then
       echo_failed
    fi
 else
-   if [[ $DIST_VERSION -gt 11 ]] ; then
+   if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
       if $(grep -q -E "X9.42" /etc/postfix/ssl/dh_2048.pem 2> /dev/null); then
          openssl dhparam -out /etc/postfix/ssl/dh_2048.pem 2048 > /dev/null 2>&1
          if [[ $? -eq 0 ]] ; then
@@ -1129,6 +1294,8 @@ else
       echo_skipped
    fi
 fi
+
+
 echononl "   Create Symlink \"$_TLS_CERT_FILE\""
 if [ ! -h "$_TLS_CERT_FILE" ]; then
    ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem  $_TLS_CERT_FILE
@@ -1217,6 +1384,21 @@ else
    echo_failed
 fi
 
+echononl "   Create file \"generic\""
+if [[ "$(trim ${REWRITE_SENDER_DOMAIN,,})" = 'none' ]] ; then
+   touch /etc/postfix/generic
+else
+   cat <<EOF > /etc/postfix/generic
+@$(cat cat /etc/mailname) $(hostname)@$(trim ${REWRITE_SENDER_DOMAIN,,})
+EOF
+fi
+postmap btree:/etc/postfix/generic
+if [[ $? -eq 0 ]] ; then
+   echo_ok
+else
+   echo_failed
+fi
+
 
 ## - restart postfix
 ## -
@@ -1241,15 +1423,19 @@ fi
 ## - Omitt logging into system.log
 ## -
 echononl "   Create \"/etc/rsyslog.d/postfix.conf\""
-cat << EOF >> /etc/rsyslog.d/postfix.conf
+cat << EOF > /etc/rsyslog.d/postfix.conf
+# Create an additional socket in postfix's chroot in order not to break
+# mail logging when rsyslog is restarted.  If the directory is missing,
+# rsyslog will silently skip creating the socket.
+\$AddUnixListenSocket /var/spool/postfix/dev/log
 
 #
 # Logging for the mail system.  Split it up so that
 # it is easy to write scripts to parse these files.
 #
-mail.info                       -/var/log/mail.info
+#mail.info                       -/var/log/mail.info
-mail.warn                       -/var/log/mail.warn
+#mail.warn                       -/var/log/mail.warn
-mail.err                        /var/log/mail.err
+#mail.err                        /var/log/mail.err
 
 mail.*                          -/var/log/mail.log
 & stop
@@ -1277,6 +1463,12 @@ else
    fi
 fi
 
+if [[ ${RELAY_PORT} -ne 25 ]] ; then
+
+   echo ""
+   warn "Please do not forget to allow port \033[1m${RELAY_PORT}\033[m on both sides, outgoing
+                     on this host here and incoming on the relay host '${RELAY_HOST}'."
+fi
 
 echo ""
 clean_up 0

install_postfixadmin.sh

@@ -126,6 +126,61 @@ detect_os_1 () {
 
 }
 
+detect_mysql_version () {
+
+   _MYSQLD_VERSION="$(mysqld -V 2>/dev/null)"
+
+   if [[ -z "$_MYSQLD_VERSION" ]]; then
+      fatal "No installed MySQL server or distribution found!"
+   elif [[ -d "/usr/local/mysql" ]] && [[ "$(basename "$(realpath "/usr/local/mysql")")" =~ percona- ]]; then
+      MYSQL_CUR_DISTRIBUTION="Percona"
+   elif [[ "$_MYSQLD_VERSION" =~ MariaDB ]]; then
+      MYSQL_CUR_DISTRIBUTION="MariaDB"
+   elif [[ "$_MYSQLD_VERSION" =~ MySQL ]]; then
+      MYSQL_CUR_DISTRIBUTION="MySQL"
+   elif [[ -d "/usr/local/mysql" ]] && [[ "$(basename "$(realpath "/usr/local/mysql")")" =~ mysql- ]]; then
+      MYSQL_CUR_DISTRIBUTION="MySQL"
+   elif [[ -d "/usr/local/mysql" ]] && [[ "$(basename "$(realpath "/usr/local/mysql")")" =~ mariadb- ]]; then
+      MYSQL_CUR_DISTRIBUTION="MariaDB"
+   else
+      error "MySQL Instalation found, but cannot determin the distribution!"
+
+      MYSQL_CUR_DISTRIBUTION=
+      echo ""
+      echo "   Select the installed MySQL distribution."
+      echo ""
+      echo "   [1] MySQL (the original community edition)"
+      echo "   [2] Percona Server for MySQL"
+      echo "   [3] MariaDB"
+      echo ""
+      echononl "   Eingabe [1/2/3]: "
+
+      while [ "$MYSQL_CUR_DISTRIBUTION" != "MySQL" -a "$MYSQL_CUR_DISTRIBUTION" != "MariaDB" -a "$MYSQL_CUR_DISTRIBUTION" != "Percona" ];do
+         read OPTION
+         case $OPTION in
+               1)      MYSQL_CUR_DISTRIBUTION="MySQL"
+               ;;
+               2)      MYSQL_CUR_DISTRIBUTION="Percona"
+               ;;
+               3)      MYSQL_CUR_DISTRIBUTION="MariaDB"
+               ;;
+               *)    echo ""
+                     echo -e "\tFalsche Eingabe ! [ 1 = MySQL ; 2 = Percona ; 3 = MariaDB ]"
+                     echo ""
+                     echononl "   Eingabe:"
+               ;;
+         esac
+      done
+   fi
+
+   MYSQL_VERSION="$(echo $_MYSQLD_VERSION | grep -o -E "[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?" | head -n 1)"
+   MYSQL_MAJOR_VERSION="$(echo $MYSQL_VERSION | cut -d '.' -f1)"
+   MYSQL_MINOR_VERSION="$(echo $MYSQL_VERSION | cut -d '.' -f2)"
+   MYSQL_PATCH_LEVEL="$(echo $MYSQL_VERSION | cut -d '.' -f3)"
+   MYSQL_MAIN_VERSION="$(echo $MYSQL_VERSION | cut -d '.' -f1,2)"
+
+}
+
 
 
 # - Is 'systemd' supported on this system
@@ -228,14 +283,14 @@ else
 fi
 DEFAULT_POSTFIX_DB_NAME="postfix"
 DEFAULT_POSTFIX_DB_USER="postfix"
-if [[ -f "/usr/local/mysql/sys-maint.cnf" ]] ; then
+#if [[ -f "/usr/local/mysql/sys-maint.cnf" ]] ; then
-   DEFAULT_MYSQL_CREDENTIALS="--defaults-file=/usr/local/mysql/sys-maint.cnf"
+#   DEFAULT_MYSQL_CREDENTIALS="--defaults-file=/usr/local/mysql/sys-maint.cnf"
-elif [[ -f "/etc/mysql/debian.cnf" ]] ; then
+#elif [[ -f "/etc/mysql/debian.cnf" ]] ; then
-   DEFAULT_MYSQL_CREDENTIALS="--defaults-file=/etc/mysql/debian.cnf"
+#   DEFAULT_MYSQL_CREDENTIALS="--defaults-file=/etc/mysql/debian.cnf"
-else
+#else
-   DEFAULT_MYSQL_CREDENTIALS=""
+#   DEFAULT_MYSQL_CREDENTIALS=""
-fi
+#fi
-DEFAULT_DEBIAN_MYSQL_CREDENTIALS="/etc/mysql/debian.cnf"
+#DEFAULT_DEBIAN_MYSQL_CREDENTIALS="/etc/mysql/debian.cnf"
 
 DEFAULT_DOVEADM_PW="/usr/local/dovecot/bin/doveadm pw"
 DEFAULT_DELETED_MAILBOX_DIR="/var/deleted-maildirs"
@@ -341,11 +396,64 @@ fi
 
 [[ -n "$MYSQL_DEBIAN_INSTALLATION" ]] || MYSQL_DEBIAN_INSTALLATION=false
 
-if [[ "$POSTFIX_DB_TYPE" = "mysql" ]]; then
+if [[ "$POSTFIX_DB_TYPE" = "mysql" ]] ; then
-   if $MYSQL_DEBIAN_INSTALLATION ; then
+
-      [[ -n "$MYSQL_CREDENTIALS" ]] || MYSQL_CREDENTIALS="$DEFAULT_DEBIAN_MYSQL_CREDENTIALS"
+   if [[ -z ${MYSQL_CREDENTIALS} ]] ; then
-   else
+
-      [[ -n "$MYSQL_CREDENTIALS" ]] || MYSQL_CREDENTIALS="$DEFAULT_MYSQL_CREDENTIALS"
+      detect_mysql_version
+
+      if [[ "$MYSQL_CUR_DISTRIBUTION" = "MariaDB" ]] && ([[ $MYSQL_MAJOR_VERSION -gt 10 ]] \
+            || ( [[ $MYSQL_MAJOR_VERSION -eq 10 ]] && [[ $MYSQL_MINOR_VERSION -gt 3 ]] )) ; then
+         if [[ -S "/tmp/mysql.sock" ]]; then
+            MYSQL_CREDENTIALS="-u root -S /tmp/mysql.sock"
+         elif [[ -S "/run/mysqld/mysqld.sock" ]]; then
+            MYSQL_CREDENTIALS="-u root -S /run/mysqld/mysqld.sock"
+         elif [[ -S "/var/run/mysqld/mysqld.sock" ]]; then
+            MYSQL_CREDENTIALS="-u root -S /var/run/mysqld/mysqld.sock"
+         else
+            fatal "Parameter 'MYSQL_CREDENTIALS' cannot be determined automated.
+
+               Use configuration file "$conf_file" to set
+               parameter manually."
+         fi
+
+      else
+      
+         echononl "\tGet MySQL command.."
+         mysql_command="$(which mysql)"
+         if [[ $? -eq 0 ]]; then
+            echo_ok
+         else
+
+            if [[ -x "/usr/local/mysql/bin/mysql" ]]; then
+               mysql_command="/usr/local/mysql/bin/mysql"
+               echo_ok
+            else
+               echo_failed
+               fatal "$(cat $tmp_log_file)"
+            fi
+         fi
+
+         if $(${mysql_command} --login-path=local  -e ";" > /dev/null 2>&1) ; then
+            MYSQL_CREDENTIALS="--login-path=local"
+         elif [[ -f "/usr/local/mysql/sys-maint.cnf" ]] ; then
+            MYSQL_CREDENTIALS="--defaults-file=/usr/local/mysql/sys-maint.cnf"
+         elif [[ -f "/etc/mysql/debian.cnf" ]] ; then
+            MYSQL_CREDENTIALS="--defaults-file=/etc/mysql/debian.cnf"
+         else
+            fatal "Parameter 'MYSQL_CREDENTIALS' cannot be determined automated. 
+
+               Use configuration file "$conf_file" to set 
+               parameter manually."
+         fi
+      fi
+
+      #if $MYSQL_DEBIAN_INSTALLATION ; then
+      #   [[ -n "$MYSQL_CREDENTIALS" ]] || MYSQL_CREDENTIALS="$DEFAULT_DEBIAN_MYSQL_CREDENTIALS"
+      #else
+      #   [[ -n "$MYSQL_CREDENTIALS" ]] || MYSQL_CREDENTIALS="$DEFAULT_MYSQL_CREDENTIALS"
+      #fi
+
    fi
 else
    [[ "$POSTFIX_DB_TYPE" = "pgsql" ]] || fatal "Unknown Database Type '$POSTFIX_DB_TYPE' (POSTFIX_DB_TYPE)"
@@ -1734,23 +1842,25 @@ fi
 
 # - Encoding does not work as exspected.
 # -
+# - Update: Encoding seems to works now
+# -
 # - NOTE:
 # -    this IS NOT a fix, but a workaround
 # -
-echononl "\tWorkaround, because encoding does not work as exspected."
+#echononl "\tWorkaround, because encoding does not work as exspected."
-# - Vacation script changed. Since Version 3.2 we need another perl regexp.
+## - Vacation script changed. Since Version 3.2 we need another perl regexp.
-# - The old one was: 
+## - The old one was: 
-# -    perl -i -n -p -e "s/(\s*\'ctype\'\s* =>\s*)\'text\/plain.*$/\1\'text\/plain; charset=iso-8859-1\',/" \
+## -    perl -i -n -p -e "s/(\s*\'ctype\'\s* =>\s*)\'text\/plain.*$/\1\'text\/plain; charset=iso-8859-1\',/" \
-# -
+## -
-perl -i -n -p -e "s/(\s*\'Content-Type\'\s* =>\s*)\"text\/plain.*$/\1\"text\/plain; charset=iso-8859-1\",/" \
+##perl -i -n -p -e "s/(\s*\'Content-Type\'\s* =>\s*)\"text\/plain.*$/\1\"text\/plain; charset=iso-8859-1\",/" \
-   /var/spool/vacation/vacation.pl > "$log_file" 2>&1
+##   /var/spool/vacation/vacation.pl > "$log_file" 2>&1
-if [[ $? -eq 0 ]];then
+#if [[ $? -eq 0 ]];then
-   echo_ok
+#   echo_ok
-   info "This IS NOT a fix, but a workaround."
+#   info "This IS NOT a fix, but a workaround."
-else
+#else
-   echo_failed
+#   echo_failed
-   error "$(cat $log_file)"
+#   error "$(cat $log_file)"
-fi
+#fi
 
 echononl "\tSet Permission on vacation script"
 _failed=false
@@ -2256,6 +2366,7 @@ fi
 ## -    $CONF['transport_default'] = 'lmtp:unix:private/dovecot-lmtp';
 ## -    $CONF['vacation'] = 'NO';
 ## -    $CONF['vacation_domain'] = '$AUTOREPLY_HOSTNAME';
+## -    $CONF['password_expiration'] = 'NO';
 ## -
 echononl "\tAdjust Postfix Admin's Configuration - Part 3"
 _failed=false
@@ -2284,6 +2395,8 @@ perl -i -n -p -e "s#^(\s*\\\$CONF\['vacation'\]\s*=.*)#//!\1\n\\\$CONF['vacation
   $pfa_conf_file >> $log_file 2>&1 || _failed=true
 perl -i -n -p -e "s#^(\s*\\\$CONF\['vacation_domain'\]\s*=.*)#//!\1\n\\\$CONF['vacation_domain'] = '$AUTOREPLY_HOSTNAME';#" \
   $pfa_conf_file >> $log_file 2>&1 || _failed=true
+perl -i -n -p -e "s#^(\s*\\\$CONF\['password_expiration'\]\s*=.*)#//!\1\n\\\$CONF['password_expiration'] = 'NO';#" \
+  $pfa_conf_file >> $log_file 2>&1 || _failed=true
 if $_failed ; then
    echo_failed
    error "$(cat $log_file)"

install_roundcube.sh

@@ -108,6 +108,62 @@ is_number() {
    #return $([[ ! -z "${1##*[!0-9]*}" ]])
 }
 
+detect_mysql_version () {
+
+   _MYSQLD_VERSION="$(mysqld -V 2>/dev/null)"
+
+   if [[ -z "$_MYSQLD_VERSION" ]]; then
+      fatal "No installed MySQL server or distribution found!"
+   elif [[ -d "/usr/local/mysql" ]] && [[ "$(basename "$(realpath "/usr/local/mysql")")" =~ percona- ]]; then
+      MYSQL_CUR_DISTRIBUTION="Percona"
+   elif [[ "$_MYSQLD_VERSION" =~ MariaDB ]]; then
+      MYSQL_CUR_DISTRIBUTION="MariaDB"
+   elif [[ "$_MYSQLD_VERSION" =~ MySQL ]]; then
+      MYSQL_CUR_DISTRIBUTION="MySQL"
+   elif [[ -d "/usr/local/mysql" ]] && [[ "$(basename "$(realpath "/usr/local/mysql")")" =~ mysql- ]]; then
+      MYSQL_CUR_DISTRIBUTION="MySQL"
+   elif [[ -d "/usr/local/mysql" ]] && [[ "$(basename "$(realpath "/usr/local/mysql")")" =~ mariadb- ]]; then
+      MYSQL_CUR_DISTRIBUTION="MariaDB"
+   else
+      error "MySQL Instalation found, but cannot determin the distribution!"
+
+      MYSQL_CUR_DISTRIBUTION=
+      echo ""
+      echo "   Select the installed MySQL distribution."
+      echo ""
+      echo "   [1] MySQL (the original community edition)"
+      echo "   [2] Percona Server for MySQL"
+      echo "   [3] MariaDB"
+      echo ""
+      echononl "   Eingabe [1/2/3]: "
+
+      while [ "$MYSQL_CUR_DISTRIBUTION" != "MySQL" -a "$MYSQL_CUR_DISTRIBUTION" != "MariaDB" -a "$MYSQL_CUR_DISTRIBUTION" != "Percona" ];do
+         read OPTION
+         case $OPTION in
+               1)      MYSQL_CUR_DISTRIBUTION="MySQL"
+               ;;
+               2)      MYSQL_CUR_DISTRIBUTION="Percona"
+               ;;
+               3)      MYSQL_CUR_DISTRIBUTION="MariaDB"
+               ;;
+               *)    echo ""
+                     echo -e "\tFalsche Eingabe ! [ 1 = MySQL ; 2 = Percona ; 3 = MariaDB ]"
+                     echo ""
+                     echononl "   Eingabe:"
+               ;;
+         esac
+      done
+   fi
+
+   MYSQL_VERSION="$(echo $_MYSQLD_VERSION | grep -o -E "[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?" | head -n 1)"
+   MYSQL_MAJOR_VERSION="$(echo $MYSQL_VERSION | cut -d '.' -f1)"
+   MYSQL_MINOR_VERSION="$(echo $MYSQL_VERSION | cut -d '.' -f2)"
+   MYSQL_PATCH_LEVEL="$(echo $MYSQL_VERSION | cut -d '.' -f3)"
+   MYSQL_MAIN_VERSION="$(echo $MYSQL_VERSION | cut -d '.' -f1,2)"
+
+}
+
+
 trim() {
     local var="$*"
     var="${var#"${var%%[![:space:]]*}"}"   # remove leading whitespace characters
@@ -296,14 +352,6 @@ DEFAULT_APACHE_VHOST_DIR="/usr/local/apache2/conf/vhosts"
 DEFAULT_DB_HOST="localhost"
 DEFAULT_DB_NAME="roundcubemail"
 DEFAULT_DB_USER="roundcube"
-if [[ -f "/usr/local/mysql/sys-maint.cnf" ]] ; then
-   DEFAULT_MYSQL_CREDENTIALS="--defaults-file=/usr/local/mysql/sys-maint.cnf"
-elif [[ -f "/etc/mysql/debian.cnf" ]] ; then
-   DEFAULT_MYSQL_CREDENTIALS="--defaults-file=/etc/mysql/debian.cnf"
-else
-   DEFAULT_MYSQL_CREDENTIALS=""
-fi
-DEFAULT_DEBIAN_MYSQL_CREDENTIALS="--defaults-file=/etc/mysql/debian.cnf"
 
 [[ -n "$ROUNDCUBE_VERSION" ]] || fatal "Roundcube Version (ROUNDCUBE_VERSION) not present!"
 [[ -n "$WEBSITE_NAME" ]] || fatal "Website's name (WEBSITE_NAME) not present!"
@@ -401,16 +449,76 @@ fi
 
 [[ -n "$MYSQL_DEBIAN_INSTALLATION" ]] || MYSQL_DEBIAN_INSTALLATION=false
 
-if [[ "$DB_TYPE" = "mysql" ]]; then
+
-   if $MYSQL_DEBIAN_INSTALLATION ; then
+if [ "$DB_TYPE" = "postgres" -o  "$DB_TYPE" = "postgresql" -o "$DB_TYPE" = "pgsql" -o "$DB_TYPE" = "psql" ];then
-      [[ -n "$MYSQL_CREDENTIALS" ]] || MYSQL_CREDENTIALS="$DEFAULT_DEBIAN_MYSQL_CREDENTIALS"
+   DB_TYPE="pgsql"
-   else
+fi
-      [[ -n "$MYSQL_CREDENTIALS" ]] || MYSQL_CREDENTIALS="$DEFAULT_MYSQL_CREDENTIALS"
+
+
+if [[ "$DB_TYPE" = "mysql" ]] ; then
+
+   if [[ -z ${MYSQL_CREDENTIALS} ]] ; then
+
+      detect_mysql_version
+
+      if [[ "$MYSQL_CUR_DISTRIBUTION" = "MariaDB" ]] && ([[ $MYSQL_MAJOR_VERSION -gt 10 ]] \
+            || ( [[ $MYSQL_MAJOR_VERSION -eq 10 ]] && [[ $MYSQL_MINOR_VERSION -gt 3 ]] )) ; then
+         if [[ -S "/tmp/mysql.sock" ]]; then
+            MYSQL_CREDENTIALS="-u root -S /tmp/mysql.sock"
+         elif [[ -S "/run/mysqld/mysqld.sock" ]]; then
+            MYSQL_CREDENTIALS="-u root -S /run/mysqld/mysqld.sock"
+         elif [[ -S "/var/run/mysqld/mysqld.sock" ]]; then
+            MYSQL_CREDENTIALS="-u root -S /var/run/mysqld/mysqld.sock"
+         else
+            fatal "Parameter 'MYSQL_CREDENTIALS' cannot be determined automated.
+
+               Use configuration file "$conf_file" to set
+               parameter manually."
+         fi
+
+      else
+
+         echononl "\tGet MySQL command.."
+         mysql_command="$(which mysql)"
+         if [[ $? -eq 0 ]]; then
+            echo_ok
+         else
+
+            if [[ -x "/usr/local/mysql/bin/mysql" ]]; then
+               mysql_command="/usr/local/mysql/bin/mysql"
+               echo_ok
+            else
+               echo_failed
+               fatal "$(cat $tmp_log_file)"
+            fi
+         fi
+
+         if $(${mysql_command} --login-path=local  -e ";" > /dev/null 2>&1) ; then
+            MYSQL_CREDENTIALS="--login-path=local"
+         elif [[ -f "/usr/local/mysql/sys-maint.cnf" ]] ; then
+            MYSQL_CREDENTIALS="--defaults-file=/usr/local/mysql/sys-maint.cnf"
+         elif [[ -f "/etc/mysql/debian.cnf" ]] ; then
+            MYSQL_CREDENTIALS="--defaults-file=/etc/mysql/debian.cnf"
+         else
+            fatal "Parameter 'MYSQL_CREDENTIALS' cannot be determined automated.
+
+               Use configuration file "$conf_file" to set
+               parameter manually."
+         fi
+      fi
+
+      #if $MYSQL_DEBIAN_INSTALLATION ; then
+      #   [[ -n "$MYSQL_CREDENTIALS" ]] || MYSQL_CREDENTIALS="$DEFAULT_DEBIAN_MYSQL_CREDENTIALS"
+      #else
+      #   [[ -n "$MYSQL_CREDENTIALS" ]] || MYSQL_CREDENTIALS="$DEFAULT_MYSQL_CREDENTIALS"
+      #fi
+
    fi
 else
    [[ "$DB_TYPE" = "pgsql" ]] || fatal "Unknown Database Type '$DB_TYPE' (DB_TYPE)"
 fi
 
+
 [[ -n "$SPAM_FOLDER_NAME" ]] || SPAM_FOLDER_NAME=$DEFAULT_SPAM_FOLDER_NAME
 
 [[ -n "$SUPPORT_URL" ]] || SUPPORT_URL="http://www.${MAIN_DOMAIN}.$TLD"
@@ -1480,7 +1588,7 @@ EOF
 EOF
       else
          cat <<EOF >> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file
-      SetHandler "proxy:unix:/tmp/php-${php_latest_ver}-fpm.www.sock|fcgi://127.0.0.1"
+      SetHandler "proxy:unix:/run/php/php-${php_latest_ver}-fpm.www.sock|fcgi://127.0.0.1"
 EOF
       fi
       cat <<EOF >> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file

install_update_dovecot.sh

@@ -115,6 +115,35 @@ echo_skipped() {
    echo -e "\033[71G[ \033[33m\033[1mskipped\033[m ]"
 }
 
+detect_os_1 () {
+
+   if $(which lsb_release > /dev/null 2>&1) ; then
+
+      os_dist="$(lsb_release -i | awk '{print tolower($3)}')"
+      os_version="$(lsb_release -r | awk '{print tolower($2)}')"
+      os_codename="$(lsb_release -c | awk '{print tolower($2)}')"
+
+      if [[ "$os_dist" = "debian" ]]; then
+         if $(echo "$os_version" | grep -q '\.') ; then
+            os_version=$(echo "$os_version" | cut --delimiter='.' -f1)
+         fi
+      fi
+
+   elif [[ -e "/etc/os-release" ]]; then
+
+      . /etc/os-release
+
+      os_dist=$ID
+      os_version=${VERSION_ID}
+
+   fi
+
+   # remove whitespace from os_dist and os_version
+   os_dist="${os_dist// /}"
+   os_version="${os_version// /}"
+
+}
+
 
 
 # - Support systemd ?
@@ -134,6 +163,14 @@ else
 fi
 
 
+# - Detect OS - Set variable
+# -    os_dist
+# -    os_version
+# -    os_codename
+# -
+detect_os_1
+
+
 echo
 echononl "\tInclude Configuration file.."
 if [[ ! -f $conf_file ]]; then
@@ -250,14 +287,21 @@ dovecot_main_version="$(echo $_version | cut -d '.' -f1,2)"
 dovecot_major_version="$(echo $_version | cut -d '.' -f1)"
 dovecot_minor_version="$(echo $_version | cut -d '.' -f2)"
 dovecot_patch_level="$(echo $_version | cut -d '.' -f3)"
+dovecot_minor_patch_level="$(echo $_version | cut -d '.' -f4)"
+
+_version_short="${_version%-*}"
 
 #echo ""
-#echo "_version:              $_version"
+#echo "_version:                  $_version"
-#echo "dovecot_main_version   $dovecot_main_version"
+#echo "dovecot_main_version       $dovecot_main_version"
-#echo "dovecot_major_version  $dovecot_major_version"
+#echo "dovecot_major_version      $dovecot_major_version"
-#echo "dovecot_minor_version  $dovecot_minor_version"
+#echo "dovecot_minor_version      $dovecot_minor_version"
-#echo "dovecot_patch_level    $dovecot_patch_level"
+#echo "dovecot_patch_level        $dovecot_patch_level"
+#echo "dovecot_minor_patch_level  $dovecot_minor_patch_level"
 #echo ""
+#
+#clean_up 0
+
 
 # 'expire plugin'was rRemoved in version 2.3.14: This plugin is not needed. 
 # Use mailbox { autoexpunge } Mailbox settings instead.
@@ -673,32 +717,72 @@ fi
 
 ## - Download Pigeonhole for Dovecot v2.2
 ## -
-echononl "\tDownload dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
+if [[ ${dovecot_major_version} -eq 2 ]] && [[ ${dovecot_minor_version} -lt 4 ]] ; then
-if [ ! -f "${_src_base_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz" ]; then
+   
-   wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
+   echononl "\tDownload dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
-   if [ "$?" = 0 ]; then
+   if [ ! -f "${_src_base_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz" ]; then
-      echo -e "$rc_done"
+      wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
+      if [ "$?" = 0 ]; then
+         echo -e "$rc_done"
+      else
+         echo -e "$rc_failed"
+         error "Direct download of 'dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz' failed
+
+                     Download \033[1mdovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz\033[m manually 
+                     and proceed instllation."
+
+         echononl "\tProceed instllation [yes/no]: "
+         read OK
+         OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+         while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
+            echononl "Wrong entry! - repeat [yes/no]: "
+            read OK
+         done
+         [[ $OK = "yes" ]] || fatal "Abbruch durch User"
+
+      fi
    else
-      echo -e "$rc_failed"
+      echo -e "$rc_skipped"
-      error "Direct download of 'dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz' failed
-
-                   Download \033[1mdovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz\033[m manually 
-                   and proceed instllation."
-
-		echononl "\tProceed instllation [yes/no]: "
-		read OK
-		OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
-		while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
-			echononl "Wrong entry! - repeat [yes/no]: "
-			read OK
-		done
-		[[ $OK = "yes" ]] || fatal "Abbruch durch User"
-
    fi
+
+   dovecot_pigeonhole_archiv="dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz"
+
 else
-   echo -e "$rc_skipped"
+
+   echononl "\tDownload dovecot-pigeonhole-${_pigeonhole}.tar.gz.."
+   if [ ! -f "${_src_base_dir}/dovecot-pigeonhole-${_pigeonhole}.tar.gz" ]; then
+      wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
+      if [ "$?" = 0 ]; then
+         echo -e "$rc_done"
+         dovecot_pigeonhole_archiv="dovecot-pigeonhole-${_pigeonhole}.tar.gz"
+      else
+         echo -e "$rc_failed"
+
+         error "Direct download of 'Pigeonhole Sieve and ManageSieve' source archiv  failed
+
+                  Download Pigeonhole Sieve and ManageSieve manually and name it to
+
+                  \033[1mdovecot-pigeonhole-${_pigeonhole}.tar.gz\033[m\n"
+
+
+         echononl "\tProceed instllation [yes/no]: "
+         read OK
+         OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+         while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
+            echononl "Wrong entry! - repeat [yes/no]: "
+            read OK
+         done
+         [[ $OK = "yes" ]] || fatal "Abbruch durch User"
+      fi
+   else
+      echo -e "$rc_skipped"
+   fi
+
+   dovecot_pigeonhole_archiv="dovecot-pigeonhole-${_pigeonhole}.tar.gz"
 fi
 
+dovecot_pigeonhole_archiv_prefix="${dovecot_pigeonhole_archiv%.tar.gz}"
+dovecot_pigeonhole_archiv_dir="${dovecot_pigeonhole_archiv%.tar.gz}"
 
 
 if $_new ; then
@@ -864,6 +948,7 @@ config_params="
    --prefix=/usr/local/dovecot-${_version} \
    --with-${db_driver} \
    --with-gssapi=yes
+   --with-ldap=yes
    --with-rundir=/run/dovecot"
 if $systemd_support ; then
    config_params="$config_params \
@@ -1018,20 +1103,20 @@ fi
 cd ${_src_base_dir}
 echo ""
 echononl "\tExtracting dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
-gunzip < dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz | tar -xf -
+gunzip < ${_src_base_dir}/${dovecot_pigeonhole_archiv} | tar -C ${_src_base_dir} -xf -
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
    echo -e "$rc_failed"
-   fatal Extracting dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz failed
+   fatal Extracting ${dovecot_pigeonhole_archiv} failed
 fi
-cd dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}
+cd ${dovecot_pigeonhole_archiv_dir}
 
 
 echononl "\tConfigure Pigeonhole ManageSieve.."
 ./configure \
 	--prefix=/usr/local/dovecot-${_version} \
-   --with-dovecot=/usr/local/dovecot-${_version}/lib/dovecot > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-configure.log 2<&1
+   --with-dovecot=/usr/local/dovecot-${_version}/lib/dovecot > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-configure.log 2<&1
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
@@ -1040,7 +1125,7 @@ else
 fi
 
 echononl "\tCompile Pigeonhole ManageSieve.."
-make > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-make.log 2<&1
+make > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-make.log 2<&1
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
@@ -1049,7 +1134,7 @@ else
 fi
 
 echononl "\tInstall Pigeonhole ManageSieve.."
-make install > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-install.log 2<&1
+make install > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-install.log 2<&1
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
@@ -1058,6 +1143,7 @@ else
 fi
 
 
+
 ## -----------------
 ## --- Configure dovecot services
 
@@ -1597,7 +1683,11 @@ if [[ $dovecot_major_version -ge 3 ]] \
    if [[ ! -f "$dh_pem_file" ]] ; then
       echononl "\tCreate SSL DH parameters '$dh_pem_file'.."
       echo -en "$rc_wait"
-      openssl dhparam -dsaparam -out "$dh_pem_file" 4096 > /dev/null 2>&1
+      if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
+         openssl dhparam -out "$dh_pem_file" 4096 > /dev/null 2>&1
+      else 
+         openssl dhparam -dsaparam -out "$dh_pem_file" 4096 > /dev/null 2>&1
+      fi
 		if [[ $? -eq 0 ]]; then
 			echo -e "$rc_done"
 		else
@@ -2164,7 +2254,12 @@ EOF
       fatal "Creating file /etc/rsyslog.d/dovecot.conf failed"
    fi
 
-   /etc/init.d/rsyslog restart > /dev/null 2>&1
+   echononl "\tRestart rsyslog Servive"
+   if $systemd_support ; then
+      systemctl restart rsyslog.service > /dev/null 2>&1
+   else
+      /etc/init.d/rsyslog restart > /dev/null 2>&1
+   fi
    if [ "$?" = 0 ]; then
       echo -e "$rc_done"
    else
@@ -3610,8 +3705,8 @@ fi
 ## -      quota_rule = *:storage=1g
 ## -      quota_rule2 = trash:storage=+100m
 ## -
-## -      quota_warning = storage=95%% quota-warning 95 %u
+## -      quota_warning = storage=80%% quota-warning 80 %u
-## -      quota_warning2 = storage=80%% quota-warning 80 %u
+## -      quota_warning2 = storage=95%% quota-warning 95 %u
 ## -    }
 ## -    
 ## -    service quota-warning {
@@ -3636,8 +3731,8 @@ plugin {
   quota_rule = *:storage=1G
   quota_rule2 = Trash:storage=+200M
 
-  quota_warning = storage=95%% quota-warning 95 %u
+  quota_warning = storage=80%% quota-warning 80 %u
-  quota_warning2 = storage=80%% quota-warning 80 %u
+  quota_warning2 = storage=95%% quota-warning 95 %u
 }
 
 service quota-warning {
@@ -4393,6 +4488,16 @@ if [[ -x "/root/bin/monitoring/check_cert_for_dovecot.sh" ]] ; then
    else
       echo -e "$rc_failed"
       error "$(cat "$log_file")"
+
+      echononl "\tcontinue anyway [yes/no]: "
+      read OK
+      OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+      while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
+         echononl "Wrong entry! - repeat [yes/no]: "
+         read OK
+      done
+      [[ $OK = "yes" ]] || fatal "Abbruch durch User"
+
    fi
 else
    echo -e "$rc_skipped"

update_postfix_dh_parameters.sh

@@ -0,0 +1,285 @@
+#!/usr/bin/env bash
+
+script_dir="$(dirname $(realpath $0))"
+script_name="$(basename "$0")"
+
+conf_dir=$(dirname $0)/conf
+conf_file="${conf_dir}/install_postfix_base.conf"
+
+_TLS_CERT_DIR=/etc/postfix/ssl
+_TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt"
+_TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key"
+_TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt
+
+
+log_file=$(mktemp)
+
+
+# -------------
+# --- Some functions
+# -------------
+clean_up() {
+
+   # Perform program exit housekeeping
+   rm -f $log_file
+   exit $1
+}
+
+echononl(){
+   echo X\\c > /tmp/shprompt$$
+   if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+      echo -e -n "$*\\c" 1>&2
+   else
+       echo -e -n "$*" 1>&2
+   fi
+   rm /tmp/shprompt$$
+}
+
+fatal(){
+   echo ""
+   echo -e "fatal error: $*"
+   echo ""
+   echo -e "\t\033[31m\033[1mInstalllation will be interrupted\033[m\033[m"
+   echo ""
+   clean_up 1
+}
+
+error(){
+   echo ""
+   echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+   echo ""
+}
+
+warn (){
+   echo ""
+   echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+   echo ""
+}
+
+info (){
+   echo ""
+   echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+   echo ""
+}
+
+echo_done() {
+   echo -e "\033[80G[ \033[32mdone\033[m ]"
+}
+echo_ok() {
+   echo -e "\033[80G[ \033[32mok\033[m ]"
+}
+echo_warning() {
+   echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]"
+}
+echo_failed(){
+   echo -e "\033[80G[ \033[1;31mfailed\033[m ]"
+}
+echo_skipped() {
+   echo -e "\033[80G[ \033[33m\033[1mskipped\033[m ]"
+}
+
+blank_line() {
+   if $terminal ; then
+      echo ""
+   fi
+}
+
+detect_os_1 () {
+
+   if $(which lsb_release > /dev/null 2>&1) ; then
+
+      os_dist="$(lsb_release -i | awk '{print tolower($3)}')"
+      os_version="$(lsb_release -r | awk '{print tolower($2)}')"
+      os_codename="$(lsb_release -c | awk '{print tolower($2)}')"
+
+      if [[ "$os_dist" = "debian" ]]; then
+         if $(echo "$os_version" | grep -q '\.') ; then
+            os_version=$(echo "$os_version" | cut --delimiter='.' -f1)
+         fi
+      fi
+
+   elif [[ -e "/etc/os-release" ]]; then
+
+      . /etc/os-release
+
+      os_dist=$ID
+      os_version=${VERSION_ID}
+
+   fi
+
+   # remove whitespace from os_dist and os_version
+   os_dist="${os_dist// /}"
+   os_version="${os_version// /}"
+
+}
+
+
+
+# -------------
+# --- Some default settings
+# -------------
+
+DEFAULT_ADMIN_EMAIL="argus@oopen.de"
+DEFAULT_RELAY_HOST="b.mx.oopen.de"
+DEFAULT_SASL_AUTH=false
+
+
+# - Is this a systemd system?
+# -
+if [[ "X`which systemd`" = "X" ]]; then
+   systemd_exists=false
+else
+   systemd_exists=true
+fi
+
+echo ""
+
+# - Read Configuration File if exists
+# -
+if [[ -f "$conf_file" ]]; then
+   source $conf_file
+fi
+
+
+# -------------
+# --- Set default values for some non existent variables (i.e. no configuration file is present)
+# -------------
+
+[[ -z "$_ADMIN_EMAIL" ]] && _ADMIN_EMAIL="$DEFAULT_ADMIN_EMAIL"
+[[ -z "$_SASL_AUTH" ]] && _SASL_AUTH="$DEFAULT_SASL_AUTH"
+
+if [[ -z "$_HOSTNAME" ]] ; then
+   _HOSTNAME="$(hostname -f)"
+   _HOSTNAME_SHORT="$(hostname)"
+   [[ "$_HOSTNAME" = "$_HOSTNAME_SHORT" ]] && _HOSTNAME=""
+fi
+
+blank_line
+echononl "Detect distribution/release of running OS.."
+detect_os_1  > /dev/null 2>&1
+if [[ $? -ne 0 ]]; then
+   echo_failed
+else
+   echo_ok
+fi
+blank_line
+blank_line
+
+## - create directory for certificates and copy certificates 
+## - and coresponding keys to /etc/postfix/ssl/
+## -
+if [[ ! -d "/etc/postfix/ssl" ]] ; then
+   fatal "Certification directory \033[1m/etc/postfix/ssl\033[m not found!"
+fi
+
+
+## - generate DH parameters that the Postfix SMTP server should use 
+## - with EDH ciphers (length 512 and 1024
+## -
+echononl "   Generate DH key length=512 \"/etc/postfix/ssl/dh_512.pem\""
+if [[ ! -f /etc/postfix/ssl/dh_512.pem ]]; then
+   if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
+      openssl dhparam -out /etc/postfix/ssl/dh_512.pem 512 > /dev/null 2>&1
+   else
+      openssl dhparam -dsaparam -out /etc/postfix/ssl/dh_512.pem 512 > /dev/null 2>&1
+   fi
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+   fi
+else
+   if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
+      if $(grep -q -E "X9.42" /etc/postfix/ssl/dh_512.pem 2> /dev/null); then
+         openssl dhparam -out /etc/postfix/ssl/dh_512.pem 512 > /dev/null 2>&1
+         if [[ $? -eq 0 ]] ; then
+            echo_ok
+         else
+            echo_failed
+         fi
+      else
+         echo_skipped
+      fi
+   else
+      echo_skipped
+   fi
+fi
+echononl "   Generate DH key length=1024 \"/etc/postfix/ssl/dh_1024.pem\""
+if [[ ! -f /etc/postfix/ssl/dh_1024.pem ]]; then
+   if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
+      openssl dhparam -out /etc/postfix/ssl/dh_1024.pem 1024 > /dev/null 2>&1
+   else
+      openssl dhparam -dsaparam -out /etc/postfix/ssl/dh_1024.pem 1024 > /dev/null 2>&1
+   fi
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+   fi
+else
+   if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
+      if $(grep -q -E "X9.42" /etc/postfix/ssl/dh_1024.pem 2> /dev/null); then
+         openssl dhparam -out /etc/postfix/ssl/dh_1024.pem 1024 > /dev/null 2>&1
+         if [[ $? -eq 0 ]] ; then
+            echo_ok
+         else
+            echo_failed
+         fi
+      else
+         echo_skipped
+      fi
+   else
+      echo_skipped
+   fi
+fi
+echononl "   Generate DH key length=2048 \"/etc/postfix/ssl/dh_2048.pem\""
+if [[ ! -f /etc/postfix/ssl/dh_2048.pem ]]; then
+   if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
+      openssl dhparam -out /etc/postfix/ssl/dh_2048.pem 2048 > /dev/null 2>&1
+   else
+      openssl dhparam -dsaparam -out /etc/postfix/ssl/dh_2048.pem 2048 > /dev/null 2>&1
+   fi
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+   fi
+else
+   if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
+      if $(grep -q -E "X9.42" /etc/postfix/ssl/dh_2048.pem 2> /dev/null); then
+         openssl dhparam -out /etc/postfix/ssl/dh_2048.pem 2048 > /dev/null 2>&1
+         if [[ $? -eq 0 ]] ; then
+            echo_ok
+         else
+            echo_failed
+         fi
+      else
+         echo_skipped
+      fi
+   else
+      echo_skipped
+   fi
+fi
+
+## - restart postfix
+## -
+echononl "   Restart postfix"
+if $systemd_exists ; then
+   systemctl restart postfix > /dev/null 2>&1
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+   fi
+else
+   /etc/init.d/postfix restart > /dev/null 2>&1
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+   fi
+fi
+
+
+echo ""
+clean_up 0

upgrade_roundcube.sh

@@ -3,6 +3,8 @@
 clear
 echo -e "\n   \033[32mStart script for upgrading Roundcube Webmailer..\033[m"
 
+CUR_IFS="$IFS"
+
 ## -----------------------------------------------------------------
 ## ----------------------------------------------------------------
 ## ---
@@ -110,6 +112,62 @@ echo_not_yet_implemented(){
    echo -e "\033[85G[ \033[30m\033[1mnot yet implemented\033[m ]"
 }
 
+detect_mysql_version () {
+
+   _MYSQLD_VERSION="$(mysqld -V 2>/dev/null)"
+
+   if [[ -z "$_MYSQLD_VERSION" ]]; then
+      fatal "No installed MySQL server or distribution found!"
+   elif [[ -d "/usr/local/mysql" ]] && [[ "$(basename "$(realpath "/usr/local/mysql")")" =~ percona- ]]; then
+      MYSQL_CUR_DISTRIBUTION="Percona"
+   elif [[ "$_MYSQLD_VERSION" =~ MariaDB ]]; then
+      MYSQL_CUR_DISTRIBUTION="MariaDB"
+   elif [[ "$_MYSQLD_VERSION" =~ MySQL ]]; then
+      MYSQL_CUR_DISTRIBUTION="MySQL"
+   elif [[ -d "/usr/local/mysql" ]] && [[ "$(basename "$(realpath "/usr/local/mysql")")" =~ mysql- ]]; then
+      MYSQL_CUR_DISTRIBUTION="MySQL"
+   elif [[ -d "/usr/local/mysql" ]] && [[ "$(basename "$(realpath "/usr/local/mysql")")" =~ mariadb- ]]; then
+      MYSQL_CUR_DISTRIBUTION="MariaDB"
+   else
+      error "MySQL Instalation found, but cannot determin the distribution!"
+
+      MYSQL_CUR_DISTRIBUTION=
+      echo ""
+      echo "   Select the installed MySQL distribution."
+      echo ""
+      echo "   [1] MySQL (the original community edition)"
+      echo "   [2] Percona Server for MySQL"
+      echo "   [3] MariaDB"
+      echo ""
+      echononl "   Eingabe [1/2/3]: "
+
+      while [ "$MYSQL_CUR_DISTRIBUTION" != "MySQL" -a "$MYSQL_CUR_DISTRIBUTION" != "MariaDB" -a "$MYSQL_CUR_DISTRIBUTION" != "Percona" ];do
+         read OPTION
+         case $OPTION in
+               1)      MYSQL_CUR_DISTRIBUTION="MySQL"
+               ;;
+               2)      MYSQL_CUR_DISTRIBUTION="Percona"
+               ;;
+               3)      MYSQL_CUR_DISTRIBUTION="MariaDB"
+               ;;
+               *)    echo ""
+                     echo -e "\tFalsche Eingabe ! [ 1 = MySQL ; 2 = Percona ; 3 = MariaDB ]"
+                     echo ""
+                     echononl "   Eingabe:"
+               ;;
+         esac
+      done
+   fi
+
+   MYSQL_VERSION="$(echo $_MYSQLD_VERSION | grep -o -E "[0-9]+\.[0-9]+\.[0-9]+(-[0-9]+)?" | head -n 1)"
+   MYSQL_MAJOR_VERSION="$(echo $MYSQL_VERSION | cut -d '.' -f1)"
+   MYSQL_MINOR_VERSION="$(echo $MYSQL_VERSION | cut -d '.' -f2)"
+   MYSQL_PATCH_LEVEL="$(echo $MYSQL_VERSION | cut -d '.' -f3)"
+   MYSQL_MAIN_VERSION="$(echo $MYSQL_VERSION | cut -d '.' -f1,2)"
+
+}
+
+
 trap clean_up SIGHUP SIGINT SIGTERM
 
 
@@ -154,15 +212,6 @@ fi
 DEFAULT_DB_HOST="localhost"
 DEFAULT_DB_NAME="roundcubemail"
 DEFAULT_DB_USER="roundcube"
-if [[ -f "/usr/local/mysql/sys-maint.cnf" ]] ; then
-   DEFAULT_MYSQL_CREDENTIALS="--defaults-file=/usr/local/mysql/sys-maint.cnf"
-elif [[ -f "/etc/mysql/debian.cnf" ]] ; then
-   DEFAULT_MYSQL_CREDENTIALS="--defaults-file=/etc/mysql/debian.cnf"
-else
-   DEFAULT_MYSQL_CREDENTIALS=""
-fi
-DEFAULT_DEBIAN_MYSQL_CREDENTIALS="--defaults-file=/etc/mysql/debian.cnf"
-DEFAULT_MYSQL_CREDENTIALS="--defaults-file=/usr/local/mysql/sys-maint.cnf"
 
 
 while IFS='' read -r -d '' _conf_file ; do
@@ -186,6 +235,7 @@ while IFS='' read -r -d '' _conf_file ; do
    fi
    WEBSITE_NAME=""
 done  < <(find "${conf_dir}" -maxdepth 1 -type f -name "install_upgrade_roundcube*.conf" -print0)
+IFS="$CUR_IFS"
 
 if [[ ${#unsorted_website_arr} -eq 0 ]]; then
    fatal "No configuration files found in '${script_dir}/conf' or no website configured!"
@@ -194,7 +244,7 @@ fi
 # - Sort array
 # -
 IFS=$'\n' website_arr=($(sort <<<"${unsorted_website_arr[*]}"))
-IFS=' '
+IFS="$CUR_IFS"
 
 
 WEBSITE_NAME=
@@ -208,6 +258,8 @@ for _site in ${website_arr[@]} ; do
    echo "   [$i] ${_arr[0]}"
    ((i++))
 done
+IFS="$CUR_IFS"
+
 echo
 echononl "   Eingabe: "
 while ! $_OK ; do
@@ -223,6 +275,7 @@ read _IN
       echononl "   Eingabe: "
    fi
 done
+IFS="$CUR_IFS"
 
 echo ""
 echononl "   Include Configuration file.."
@@ -234,6 +287,7 @@ else
    echo_ok
 fi
 
+
 [[ -n "$WEBSITE_NAME" ]] || fatal "Website's name (WEBSITE_NAME) not present!"
 
 DEFAULT_WEBSITE_BASEDIR="/var/www/${WEBSITE_NAME}"
@@ -269,17 +323,98 @@ if [ "$DB_TYPE" = "postgres" -o  "$DB_TYPE" = "postgresql" -o "$DB_TYPE" = "pgsq
 fi
 
 
-if [[ "$DB_TYPE" = "mysql" ]]; then
+if [[ "$DB_TYPE" = "mysql" ]] ; then
-   if $MYSQL_DEBIAN_INSTALLATION ; then
+
-      [[ -n "$MYSQL_CREDENTIALS" ]] || MYSQL_CREDENTIALS="$DEFAULT_DEBIAN_MYSQL_CREDENTIALS"
+   if [[ -z ${MYSQL_CREDENTIALS} ]] ; then
-   else
+
-      [[ -n "$MYSQL_CREDENTIALS" ]] || MYSQL_CREDENTIALS="$DEFAULT_MYSQL_CREDENTIALS"
+      detect_mysql_version
+
+      if [[ "$MYSQL_CUR_DISTRIBUTION" = "MariaDB" ]] && ([[ $MYSQL_MAJOR_VERSION -gt 10 ]] \
+            || ( [[ $MYSQL_MAJOR_VERSION -eq 10 ]] && [[ $MYSQL_MINOR_VERSION -gt 3 ]] )) ; then
+         if [[ -S "/tmp/mysql.sock" ]]; then
+            MYSQL_CREDENTIALS="-u root -S /tmp/mysql.sock"
+         elif [[ -S "/run/mysqld/mysqld.sock" ]]; then
+            MYSQL_CREDENTIALS="-u root -S /run/mysqld/mysqld.sock"
+         elif [[ -S "/var/run/mysqld/mysqld.sock" ]]; then
+            MYSQL_CREDENTIALS="-u root -S /var/run/mysqld/mysqld.sock"
+         else
+            fatal "Parameter 'MYSQL_CREDENTIALS' cannot be determined automated.
+
+               Use configuration file "$conf_file" to set
+               parameter manually."
+         fi
+
+      else
+      
+         echononl "\tGet MySQL command.."
+         mysql_command="$(which mysql)"
+         if [[ $? -eq 0 ]]; then
+            echo_ok
+         else
+
+            if [[ -x "/usr/local/mysql/bin/mysql" ]]; then
+               mysql_command="/usr/local/mysql/bin/mysql"
+               echo_ok
+            else
+               echo_failed
+               fatal "$(cat $tmp_log_file)"
+            fi
+         fi
+
+         if $(${mysql_command} --login-path=local  -e ";" > /dev/null 2>&1) ; then
+            MYSQL_CREDENTIALS="--login-path=local"
+         elif [[ -f "/usr/local/mysql/sys-maint.cnf" ]] ; then
+            MYSQL_CREDENTIALS="--defaults-file=/usr/local/mysql/sys-maint.cnf"
+         elif [[ -f "/etc/mysql/debian.cnf" ]] ; then
+            MYSQL_CREDENTIALS="--defaults-file=/etc/mysql/debian.cnf"
+         else
+            fatal "Parameter 'MYSQL_CREDENTIALS' cannot be determined automated. 
+
+               Use configuration file "$conf_file" to set 
+               parameter manually."
+         fi
+      fi
+
+      #if $MYSQL_DEBIAN_INSTALLATION ; then
+      #   [[ -n "$MYSQL_CREDENTIALS" ]] || MYSQL_CREDENTIALS="$DEFAULT_DEBIAN_MYSQL_CREDENTIALS"
+      #else
+      #   [[ -n "$MYSQL_CREDENTIALS" ]] || MYSQL_CREDENTIALS="$DEFAULT_MYSQL_CREDENTIALS"
+      #fi
+
    fi
 else
+   #[[ "$POSTFIX_DB_TYPE" = "pgsql" ]] || fatal "Unknown Database Type '$POSTFIX_DB_TYPE' (POSTFIX_DB_TYPE)"
    [[ "$DB_TYPE" = "pgsql" ]] || fatal "Unknown Database Type '$DB_TYPE' (DB_TYPE)"
 fi
 
 
+if [[ "$DB_TYPE" = "mysql" ]]; then
+   echononl "   Get MySQL command.."
+   mysql_command="$(which mysql)"
+   if [[ $? -eq 0 ]]; then
+      echo_ok
+   else
+
+      if [[ -x "/usr/local/mysql/bin/mysql" ]]; then
+         mysql_command="/usr/local/mysql/bin/mysql"
+         echo_ok
+      else
+         echo_failed
+         fatal "$(cat $tmp_log_file)"
+      fi
+   fi
+elif [[ "$DB_TYPE" = "pgsql" ]] ; then
+   echononl "   Get PostgreSQL command.."
+   psql_command="$(which psql)"
+   if [[ $? -eq 0 ]]; then
+      echo_ok
+   else
+      echo_failed
+   fi
+
+fi
+
+
 echo -e "\033[32m--\033[m"
 echo ""
 echo "Version of the Roundcube Webmailer to install"
@@ -330,6 +465,7 @@ else
    else
       echo_ok
    fi
+   IFS="$CUR_IFS"
 fi
 
 # - Get the latest PHP version
@@ -447,16 +583,44 @@ else
    fatal "Abort by user request - Answer as not 'YES'"
 fi
 
+echononl "\tCheck Database connection .."
 if [[ "$DB_TYPE" = "mysql" ]]; then
-   if ! mysql $MYSQL_CREDENTIALS -N -s -e \
+   ${mysql_command} $MYSQL_CREDENTIALS -N -s -e \
       "SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = '$DB_NAME'" 2>> $log_file \
-      | grep $DB_NAME >> $log_file 2>&1 ; then
+      | grep $DB_NAME >> $log_file 2>&1
-		fatal "MySQL Database '$DB_NAME' does not exit. (See Parameter 'DB_NAME')"
+
+   if [[ "$?" = "0" ]]; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+
+      echononl "continue anyway [yes/no]: "
+      read OK
+      OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+      while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
+         echononl "Wrong entry! - repeat [yes/no]: "
+         read OK
+      done
+      [[ $OK = "yes" ]] || fatal "Abbruch durch User"
    fi
+ 
 elif [[ "$DB_TYPE" = "pgsql" ]]; then
-   count=$(su - postgres -c "psql -q -A -t -l" | grep -c -e "^$DB_NAME")
+   count=$(su - postgres -c "${psql_command} -q -A -t -l" | grep -c -e "^$DB_NAME")
    if [[ $count -eq 0 ]];then
-		fatal "PostgreSQL Database '$DB_NAME' does not exit. (See Parameter 'DB_NAME')"
+      echo_failed
+      error "$(cat $log_file)"
+
+      echononl "continue anyway [yes/no]: "
+      read OK
+      OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+      while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
+         echononl "Wrong entry! - repeat [yes/no]: "
+         read OK
+      done
+      [[ $OK = "yes" ]] || fatal "Abbruch durch User"
+   else
+      echo_ok
    fi
 else
    fatal "Cannot detect database type (value of  DB_TYPE is neither 'mysql' nor 'pgsql')"