Add initial not yet running installscript for dovecot version 2.4.x

DOC/README.test_mailprotocolls

@@ -14,3 +14,10 @@ openssl s_client -crlf -starttls pop3 -connect localhost:110
 openssl s_client -crlf -connect localhost:993
 openssl s_client -crlf -starttls imap -connect localhost:143
 
+
+# Test RSA based TLS connection
+#
+echo "quit" | openssl s_client -connect a.mx.oopen.de:25 -starttls smtp -tls1_2 -cipher ECDHE-RSA-AES256-GCM-SHA384
+
+echo "quit" | openssl s_client -connect a.mx.oopen.de:25 -starttls smtp -tls1_2
+echo "quit" | openssl s_client -connect a.mx.oopen.de:25 -starttls smtp

install_amavis.sh

@@ -118,7 +118,7 @@ DEFAULT_DB_IN_USE=false
 
 DEFAULT_INSTALL_CLAMAV_UNOFFICIAL_SIGS=true
 
-DEFAULT_MALWARE_PATROL_IN_USE=true
+DEFAULT_MALWARE_PATROL_IN_USE=false
 DEFAULT_MALWERE_PATROL_FREE=false
 DEFAULT_MP_RECEIPT_NUMBER=106015125438
 
@@ -207,15 +207,18 @@ _needed_packages_clamav="clamav \
    clamav-freshclam \
    libgmp-dev \
    libgmp10"
-if [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 10 ]] ; then
+if [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -eq 10 ]] ; then
 	_needed_packages_clamav="$_needed_packages_clamav \
    libclamunrar7"
-elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 11 ]] ; then 
+elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -eq 11 ]] ; then
 	_needed_packages_clamav="$_needed_packages_clamav \
    libclamunrar9"
-elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -lt 12 ]] ; then
+elif [[ "${os_dist,,}" = "debian" ]] && [[ "$os_version" -eq 12 ]] ; then
 	_needed_packages_clamav="$_needed_packages_clamav \
    libclamunrar11"
+else
+   _needed_packages_clamav="$_needed_packages_clamav \
+   libclamunrar13"
 fi
 
 _needed_decoders_amavis="
@@ -413,6 +416,85 @@ else
    done
 fi
 
+
+echo ""
+echo -e "\033[32m--\033[m"
+echo ""
+echo "Use SecuriteInfo Signatures (https://www.securiteinfo.com)?"
+echo ""
+echo "Note: You have to sign up for an account. For a free account thats here:"
+echo "      https://www.securiteinfo.com/clients/customers/signup"
+echo ""
+if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
+   echononl "Load SecuriteInfo Singatures (yes/no): "
+else
+   if $_SECURITE_INFO_IN_USE ; then
+      echononl "Load SecuriteInfo Singatures [yes]: "
+   else
+      echononl "Load SecuriteInfo Singatures [no]: "
+   fi
+fi
+read _TMP_LOAD_SI
+_TMP_LOAD_SI=${_TMP_LOAD_SI,,}
+while [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; do
+   if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
+      echononl "Wrong entry! (yes/no): "
+      read _TMP_LOAD_SI
+      _TMP_LOAD_SI=${_TMP_LOAD_SI,,}
+   else
+      if [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; then
+         if [[ "X$_TMP_LOAD_SI" = "X" ]]; then
+            if $_SECURITE_INFO_IN_USE ; then
+               _TMP_LOAD_SI=yes
+            else
+               _TMP_LOAD_SI=no
+            fi
+         else
+            if $_SECURITE_INFO_IN_USE ; then
+               echononl "Wrong entry! [yes]: "
+            else
+               echononl "Wrong entry! [no]: "
+            fi
+            read _TMP_LOAD_SI
+         fi
+      fi
+   fi
+done
+if [[ "$_TMP_LOAD_SI" = "yes" ]] ; then
+   SECURITE_INFO_IN_USE=true
+else
+   SECURITE_INFO_IN_USE=false
+fi
+
+if $SECURITE_INFO_IN_USE ; then
+   echo ""
+   echo -e "\033[32m--\033[m"
+   echo ""
+   echo "Insert SecuriteInfo Authorisation Signature"
+   echo ""
+   echo ""
+   SI_AUTHORISATION_SIGNATURE=
+   if [[ -n "$_SI_AUTHORISATION_SIGNATURE" ]] ; then
+      while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
+         echononl "SecuriteInfo Authorisation Signature [$(echo ${_SI_AUTHORISATION_SIGNATURE:0:4})..$(echo ${_SI_AUTHORISATION_SIGNATURE: -4})]: "
+         read SI_AUTHORISATION_SIGNATURE
+         if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
+               SI_AUTHORISATION_SIGNATURE=$_SI_AUTHORISATION_SIGNATURE
+            fi
+      done
+   else
+
+      while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
+         echononl "SecuriteInfo Authorisation Signature: "
+         read SI_AUTHORISATION_SIGNATURE
+         if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
+            echo -e "\n\t\033[33m\033[1mSecuriteInfo Authorisation Signature is reqired\033[m\n"
+         fi
+      done
+   fi
+fi
+
+
 echo ""
 echo -e "\033[32m--\033[m"
 echo ""
@@ -586,84 +668,6 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
 
    fi
 
-
-   echo "" 
-   echo -e "\033[32m--\033[m" 
-   echo "" 
-   echo "Load SecuriteInfo Signatures (https://www.securiteinfo.com)?" 
-   echo "" 
-   echo "Note: You have to sign up for an account. For a free account thats here:"
-   echo "      https://www.securiteinfo.com/clients/customers/signup"
-   echo "" 
-   if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
-      echononl "Load SecuriteInfo Singatures (yes/no): "
-   else
-      if $_SECURITE_INFO_IN_USE ; then
-         echononl "Load SecuriteInfo Singatures [yes]: "
-      else
-         echononl "Load SecuriteInfo Singatures [no]: "
-      fi
-   fi
-   read _TMP_LOAD_SI
-   _TMP_LOAD_SI=${_TMP_LOAD_SI,,}
-   while [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; do
-      if [[ -z "$_SECURITE_INFO_IN_USE" ]]; then
-         echononl "Wrong entry! (yes/no): "
-         read _TMP_LOAD_SI
-         _TMP_LOAD_SI=${_TMP_LOAD_SI,,}
-      else
-         if [ "X$_TMP_LOAD_SI" != "Xyes" -a "X$_TMP_LOAD_SI" != "Xno" ]; then
-            if [[ "X$_TMP_LOAD_SI" = "X" ]]; then
-               if $_SECURITE_INFO_IN_USE ; then
-                  _TMP_LOAD_SI=yes
-               else
-                  _TMP_LOAD_SI=no
-               fi
-            else
-               if $_SECURITE_INFO_IN_USE ; then
-                  echononl "Wrong entry! [yes]: "
-               else
-                  echononl "Wrong entry! [no]: "
-               fi
-               read _TMP_LOAD_SI
-            fi
-         fi
-      fi
-   done
-   if [[ "$_TMP_LOAD_SI" = "yes" ]] ; then
-      SECURITE_INFO_IN_USE=true
-   else
-      SECURITE_INFO_IN_USE=false
-   fi
-
-   if $SECURITE_INFO_IN_USE ; then
-      echo ""
-      echo -e "\033[32m--\033[m"
-      echo ""
-      echo "Insert SecuriteInfo Authorisation Signature"
-      echo ""
-      echo ""
-      SI_AUTHORISATION_SIGNATURE=
-      if [[ -n "$_SI_AUTHORISATION_SIGNATURE" ]] ; then
-         while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
-            echononl "SecuriteInfo Authorisation Signature [$(echo ${_SI_AUTHORISATION_SIGNATURE:0:4})..$(echo ${_SI_AUTHORISATION_SIGNATURE: -4})]: "
-            read SI_AUTHORISATION_SIGNATURE
-            if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
-                  SI_AUTHORISATION_SIGNATURE=$_SI_AUTHORISATION_SIGNATURE
-               fi
-         done
-      else
-
-         while [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; do
-            echononl "SecuriteInfo Authorisation Signature: "
-            read SI_AUTHORISATION_SIGNATURE
-            if [[ "X$SI_AUTHORISATION_SIGNATURE" = "X" ]]; then
-               echo -e "\n\t\033[33m\033[1mSecuriteInfo Authorisation Signature is reqired\033[m\n"
-            fi
-         done
-      fi
-   fi
-
 fi
 
 
@@ -2961,7 +2965,7 @@ if $SECURITE_INFO_IN_USE ; then
    if [[ -f "/etc/clamav/freshclam.conf" ]] ; then
 
       _done=false
-      for signatur_database in $SI_SIGNATUR_DATABASES do
+      for signatur_database in $SI_SIGNATUR_DATABASES ; do
 
          if ! $(grep -q -E "DatabaseCustomURL\s+https://www.securiteinfo.com.*${signatur_database}" "/etc/clamav/freshclam.conf" 2>/dev/null) ; then
 
@@ -3550,9 +3554,16 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
 # --------------------------------------
 # --- Begin: User specific modifications
 # --- Inserted by install-script "$(basename "$0")" at $(date +"%Y-%m-%d %H:%M")
+
+# - SecuriteInfo
+# -
+# - SecuriteInfo signatures are now directly integrated into ClamAV's Freshclam.
+# -
+# - We therefore disable them here.
+# -
+securiteinfo_enabled="no"
 EOF
 
-   if $MALWARE_PATROL_IN_USE || $SECURITE_INFO_IN_USE ; then
 
    if $MALWARE_PATROL_IN_USE ; then
 
@@ -3586,29 +3597,23 @@ EOF
             error "$(cat $tmp_err_msg)"
          fi
       fi
-      fi # if $MALWARE_PATROL_IN_USE
 
-      if $SECURITE_INFO_IN_USE ; then
+   else
       cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
-# - SecuriteInfo
+
+# - MalwarePatrol
 # -
-# -    type:     Gold
+# - Not in use
-# -    account:  ckubu@oopen.de
-# -    signatur: abb4ec6..46b59a4e
 # -
-# -    - ALT -
+malwarepatrol_enabled="no"
-# -    type:     professional
-# -    account:  oo@oopen.de
-# -    signatur: b0b7e94d..0c2e3a89
-# -
-securiteinfo_authorisation_signature="$SI_AUTHORISATION_SIGNATURE"
 EOF
       if [[ "$?" -ne 0 ]] ; then
          installation_failed=true
          error "$(cat $tmp_err_msg)"
       fi
-      fi # if $SECURITE_INFO_IN_USE
+
-   fi #if $MALWARE_PATROL_IN_USE || $SECURITE_INFO_IN_USE
+   fi #if $MALWARE_PATROL_IN_USE
+
    cat << EOF >> /etc/clamav-unofficial-sigs/user.conf 2> $tmp_err_msg
 
 # - Disable  Yara-Rule set, because (some?) pgp mails where blocked.
@@ -4330,96 +4335,15 @@ read_hash(\%spam_lovers, '/etc/postfix/spam_lovers');
 \$final_spam_destiny       = D_BOUNCE;
 #\$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
 
-\$sa_tag_level_deflt  = 2.0;    # add spam info headers if at, or above that level
-\$sa_tag2_level_deflt = 5.1;    # add 'spam detected' headers at that level
-\$sa_kill_level_deflt = 10.31;  # reject/bounce/discard/pass
 
+##- Moved to file '/etc/amavis/policy_banks.conf'
 ## -
-## - User / Domain specific settings
+## -  \$sa_tag_level_deflt  = 2.0;    # add spam info headers if at, or above that level
+## -  \$sa_tag2_level_deflt = 5.1;    # add 'spam detected' headers at that level
+## -  \$sa_kill_level_deflt = 10.31;  # reject/bounce/discard/pass
 ## -
+do "/etc/amavis/policy_banks.conf";  # Externe Datei einbinden
 
-## - Per-recipient mapping of tag2 levels to email addresses (tag2 level):
-## -
-## - Set directly:
-## -
-#\$sa_tag2_level_deflt = {
-#   # oopen.de
-#   'oopen.de'=>'2.1',
-#   'ckubu@oopen.de'=>'2.2',
-#   'argus@oopen.de'=>'2.3',
-#   # k8h.de
-#   'k8h.de'=>'6.5',
-#   # default
-#   '.'=>'5.1'
-#};
-## -
-## - Read from file using @spam_tag2_level_maps
-## -
-## -    default: @spam_tag2_level_maps = (\\\$sa_tag2_level_deflt);
-## -
-## - Example file '/etc/postfix/tag2_level_maps.dat' 
-## -
-## -    # oopen.de
-## -    oopen.de           2.1
-## -    ckubu@oopen.de     2.2
-## -    argus@oopen.de     2.3
-## -    [..]
-## -    # k8h.de
-## -    k8h.de             6.5
-## -    [..]
-## -    # default
-## -    .                  5.1
-## -
-#@spam_tag2_level_maps = ( read_hash('/etc/postfix/tag2_level_maps.dat') );
-
-## - Per-recipient mapping of kill levels to email addresses (kill level):
-## -
-## - Set directly
-## -
-#\$sa_kill_level_deflt = {
-#   'ckubu@oopen.de'=>'1500.0',
-#   'ckubu-adm@oopen.de'=>'1500.0',
-#   # default
-#   '.'=>'10.31'
-#};
-## -
-## - Read from file using @spam_kill_level_maps
-## -
-## -    default: @spam_kill_level_maps = (\\\$sa_kill_level_deflt);
-## -
-## - Example file '/etc/postfix/kill_level_maps.dat' 
-## -
-## -    # oopen.de
-## -    ckubu@oopen.de     1500.0
-## -    ckubu-adm@oopen.de 1500.0
-## -    [..]
-## -    # default
-## -    .                  10.31
-## -
-#@spam_kill_level_maps = ( read_hash('/etc/postfix/kill_level_maps.dat') );
-
-
-## - We will inform the sender about bouncing his mail with a DSN (Delivery
-## - StatusNotification). That DSN message will no be send, if the spamvalue 
-## - exceeds the value of sa_dsn_cutoff_level
-## -
-#\$sa_dsn_cutoff_level = 10;     # spam level beyond which a DSN is not sent
-\$sa_dsn_cutoff_level = 20;
-
-
-## - change the default server response if mail was blocked
-## - because of spam.
-## -
-## - results in (is an example):
-## -    <ckubu@so36.net>: host 127.0.0.1[127.0.0.1] said: 554 5.7.0 Reject, Mailserver
-## -    at a.mx.oopen.de: identified as SPAM -  (in reply to end of DATA command)
-## -
-%smtp_reason_by_ccat = (
-  CC_SPAM, "Mailserver at \$myhostname: identified as SPAM - %x"
-);
-
-\$sa_spam_subject_tag = undef;
-#\$sa_spam_subject_tag = '***SPAM*** '; 
 
 
 ## - QUARANTINE
@@ -4667,6 +4591,153 @@ else
 fi
 
 
+## - Create File containing policy settings
+## -
+_config_policy_banks_file=/etc/amavis/policy_banks.conf
+echononl "    Create File \"${_config_policy_banks_file}\""
+if [[ -f "${_config_policy_banks_file}" ]]; then
+   echo_skipped
+else
+   cat << EOF > ${_config_policy_banks_file}
+# Externe Richtliniendatei für amavisd
+
+use strict;
+
+
+# ---
+# add spam info headers if at, or above that level
+# ---
+
+## - All recipients with identical the same setting:
+## -
+#\$sa_tag_level_deflt  = 2.0;
+
+## - Per-recipient mapping of tag2 levels to email addresses (tag2 level):
+## -
+## - Set directly:
+## -
+\$sa_tag_level_deflt = {
+   'oopen.de'           => '-4.5',
+   # default
+   '.'=>'2.0'
+};
+
+## - Read from file using @spam_tag2_level_maps
+## -
+## -    default: @spam_tag2_level_maps = (\$sa_tag2_level_deflt);
+## -
+## - Example file '/etc/postfix/tag2_level_maps.dat'
+## -
+## -    # oopen.de
+## -    oopen.de           2.1
+## -    ckubu@oopen.de     2.2
+## -    argus@oopen.de     2.3
+## -    [..]
+## -    # k8h.de
+## -    k8h.de             6.5
+## -    [..]
+## -    # default
+## -    .                  5.1
+## -
+#@spam_tag2_level_maps = ( read_hash('/etc/postfix/tag2_level_maps.dat') );
+
+
+#\$sa_spam_subject_tag = '***SPAM*** ';    # Spam-Betreff-Tag
+\$sa_spam_subject_tag = undef;
+
+
+
+# ---
+# add 'spam detected' headers at that level
+# ---
+
+## - All recipients with identical the same setting:
+## -
+#\$sa_tag2_level_deflt = 5.1;               # add 'spam detected' headers at that level
+
+## - Per-recipient mapping of kill levels to email addresses (kill level):
+## -
+## - Set directly
+## -
+\$sa_tag2_level_deflt = {
+   'oopen.de'           => '3.1',
+   '123comics.net'      => '4.1',
+   'info@123comics.net' => '3.1',
+   # default
+   '.'                  => '5.1',
+};
+
+## - Read from file using @spam_kill_level_maps
+## -
+## -    default: @spam_kill_level_maps = (\$sa_kill_level_deflt);
+## -
+## - Example file '/etc/postfix/kill_level_maps.dat'
+## -
+## -    # oopen.de
+## -    ckubu@oopen.de     1500.0
+## -    ckubu-adm@oopen.de 1500.0
+## -    [..]
+## -    # default
+## -    .                  10.31
+## -
+#@spam_kill_level_maps = ( read_hash('/etc/postfix/kill_level_maps.dat') );
+
+
+
+# ---
+# adding more detailed spam-related headers.
+# ---
+
+## - All recipients with identical the same setting:
+## -
+\$sa_tag3_level_deflt = 7.0;               # threshold for sa_tag3_level_deflt
+
+## - Note
+## -  Like 'sa_tag2_level_deflt' above per-recipient also possible
+
+
+@sa_tag3_level_maps = (
+  ['^Subject:', '\[HIGH-SPAM\] $&'],      # Modify subject
+  ['HEADER', 'X-High-Spam-Flag', 'YES'],  # Add a custom header
+);
+
+
+# ---
+# spam score threshold at which amavisd-new will reject (kill) an email.
+# ---
+
+## - All recipients with identical the same setting:
+## -
+\$sa_kill_level_deflt = 10.31;             # reject/bounce/discard/pass
+
+## - Note
+## -  Like 'sa_tag2_level_deflt' above per-recipient also possible
+
+
+
+# ---
+# The threshold for sending a delivery status notification (DSN) to the sender
+# ---
+
+## - We will inform the sender about bouncing his mail with a DSN (Delivery
+## - StatusNotification). That DSN message will no be send, if the spamvalue
+## - exceeds the value of sa_dsn_cutoff_level
+## -
+#\$sa_dsn_cutoff_level = 10;     # spam level beyond which a DSN is not sent
+\$sa_dsn_cutoff_level = 20;
+
+
+#------------ Do not modify anything below this line -------------
+1;  # ensure a defined return
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+   fi
+fi
+
+
 ## - Configure syslogd matching the configuration od amavisd
 ## -
 echononl "   Configure syslogd matching the configuration of amavis"
@@ -5029,6 +5100,12 @@ if grep -iq -E "^amavisfeed\s+" $postfix_master_cf > /dev/null 2>&1 ; then
 else
    amavisfeed_present=false
 fi
+if grep -iq -E "^[0-9]{2,5}\s+inet.*smtpd" $postfix_master_cf > /dev/null 2>&1 ; then
+   listen_on_additional_smtp_port=true
+   additional_smtp_port="$(grep -E "^[0-9]{2,5}\s+inet.*smtpd" /etc/postfix/master.cf | grep -o -E "^[0-9]{2,5}")"
+else
+   listen_on_additional_smtp_port=false
+fi
 
 > $postfix_master_cf
 while IFS='' read -r _line || [[ -n $_line ]] ; do
@@ -5046,6 +5123,19 @@ EOF
 EOF
       fi
 
+      if ${listen_on_additional_smtp_port} ; then
+         cat >> $postfix_master_cf << EOF
+${additional_smtp_port}      inet  n       -       y       -       -       smtpd
+   -o smtpd_proxy_filter=127.0.0.1:10024
+   -o content_filter=
+EOF
+         if [[ "$SASL_AUTH_ENABLED" = "no" ]] ; then
+            cat >> $postfix_master_cf << EOF
+   -o smtpd_sasl_auth_enable=no
+EOF
+         fi
+      fi
+
 		if ! $submission_present && ! $smtps_present && ! $localhost_10025_present ; then
 					cat >> $postfix_master_cf << EOF
 localhost:10025  inet  n       -       y       -       -       smtpd
@@ -5300,6 +5390,13 @@ else
    fi
 fi
 
+if ${listen_on_additional_smtp_port}; then
+
+   echo ""
+   warn "Please do not forget to allow incomming traffic on port \033[1m${additional_smtp_port}\033[m.
+                     Check your firewall settings.."
+fi
+
 
 #fi # if $ommit ; then
 # -------------------------------

install_opendkim.sh

@@ -189,6 +189,13 @@ else
    cat <<EOF > $opendkim_conf_file 2> $log_file
 # Datei $opendkim_conf_file
 
+# Sets the "authserv-id" to use when generating the Authentication-Results:
+# header field after verifying a message. The default is to use the name of
+# the MTA processing the message. If the string "HOSTNAME" is provided, the
+# name of the host running the filter (as returned by the gethostname(3)
+# function) will be used.
+AuthservID              "DKIM check $(hostname -f)"
+
 # OpenDKIM agiert als Mail Filter (= Milter) in den
 # Modi signer (s) und verifier (v) und verwendet eine
 # Socket-Datei zur Kommunikation (alternativ: lokaler Port)
@@ -237,6 +244,21 @@ SignatureAlgorithm      rsa-sha256
 # because it is often the identity key used by reputation systems and thus
 # somewhat security sensitive.
 OversignHeaders         From
+
+# Add an "Authentication-Results:" header field even to unsigned messages
+# from domains with no "signs all" policy. The reported DKIM result will be
+# "none" in such cases. Normally unsigned mail from non-strict domains does
+# not cause the results header field to be added.
+AlwaysAddARHeader       yes
+
+# Causes opendkim to fork and exits immediately, leaving the service running
+# in the background. The default is "true".
+Background              yes
+
+# Sets the DNS timeout in seconds. A value of 0 causes an infinite wait. The
+# default is 5. Ignored if not using an asynchronous resolver package. See
+# also the NOTES section below.
+DNSTimeout              5
 EOF
    opendkim_needs_restart=true
    if [[ $? -eq 0 ]] ; then

install_opendmarc.sh

@@ -23,7 +23,7 @@ opendmarc_socket_dir="${postfix_spool_dir}/opendmarc"
 opendmarc_socket_file="${opendmarc_socket_dir}/opendmarc.sock"
 
 config_file_name_value_parameters="
-   AuthservID|OpenDMARC
+   AuthservID|DMARC check $(hostname -f)
    PidFile|/run/opendmarc/opendmarc.pid
    RejectFailures|true
    Syslog|true
@@ -36,6 +36,7 @@ config_file_name_value_parameters="
    FailureReports|false
    AutoRestart|true
    HistoryFile|/run/opendmarc/opendmarc.dat
+   SPFIgnoreResults|false
    SPFSelfValidate|true
    Socket|${opendmarc_socket_file}
 "
@@ -182,6 +183,200 @@ else
 fi
 
 
+# - Add 'IgnoreHosts' with default value to the original opendmarc.conf file
+#
+echononl " Add 'IgnoreHosts' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^IgnoreHosts\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Specifies the path to a file that contains a list of hostnames, IP addresses,
+## and/or CIDR expressions identifying hosts whose SMTP connections are to be
+## ignored by the filter. If not specified, defaults to "127.0.0.1" only.
+#
+IgnoreHosts 127.0.0.1
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'IgnoreAuthenticatedClients' with default value to the original opendmarc.conf file
+#
+_param="IgnoreAuthenticatedClients"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, causes mail from authenticated clients (i.e., those that used 
+## SMTP AUTH) to be ignored by the filter. The default is "false".
+#
+IgnoreAuthenticatedClients false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
+#
+_param="IgnoreAuthenticatedClients"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, causes mail from authenticated clients (i.e., those that used
+## SMTP AUTH) to be ignored by the filter. The default is "false".
+#
+IgnoreAuthenticatedClients false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'RequiredHeaders' with default value to the original opendmarc.conf file
+#
+_param="RequiredHeaders"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, the filter will ensure the header of the message conforms to the basic 
+## header field count restrictions laid out in RFC5322, Section 3.6. Messages 
+## failing this test are rejected without further processing. A From: field from 
+## which no domain name could be extracted will also be rejected.
+#
+RequiredHeaders false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'AutoRestart' with default value to the original opendmarc.conf file
+#
+_param="AutoRestart"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Automatically re-start on failures. Use with caution; if the filter fails
+## instantly after it starts, this can cause a tight fork(2) loop.
+#
+AutoRestart false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'HistoryFile' with default value to the original opendmarc.conf file
+#
+_param="HistoryFile"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## If set, specifies the location of a text file to which records are written
+## that can be used to generate DMARC aggregate reports. Records are batches of
+## rows containing information about a single received message, and include all
+## relevant information needed to generate a DMARC aggregate report. It is
+## expected that this will not be used in its raw form, but rather periodically
+## imported into a relational database from which the aggregate reports can be
+## extracted using opendmarc-importstats(8).
+#
+HistoryFile /run/opendmarc/opendmarc.dat
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'SPFIgnoreResults' with default value to the original opendmarc.conf file
+#
+_param="SPFIgnoreResults"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Causes the filter to ignore any SPF results in the header of the message. This
+## is useful if you want the filter to perform SPF checks itself, or because you
+## don't trust the arriving header. The default is "false".
+#
+SPFIgnoreResults false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
+# - Add 'SPFSelfValidate' with default value to the original opendmarc.conf file
+#
+_param="SPFSelfValidate"
+echononl " Add '${_param}' with default value to the opendmarc.conf file.."
+if ! $(grep -q -E "^${_param}\s+" ${opendmarc_conf_file} 2> /dev/null) ; then
+   cat << EOF >> ${opendmarc_conf_file}
+
+## Causes the filter to perform a fallback SPF check itself when it can find no
+## SPF results in the message header. If SPFIgnoreResults is also set, it never
+## looks for SPF results in headers and always performs the SPF check itself when
+## this is set. The default is "false".
+#
+SPFSelfValidate false
+EOF
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+
 # - Save configuration file from distribution
 # -
 echononl "   Save configuration file from distribution"

install_postfix_advanced.sh

@@ -125,9 +125,12 @@ trap clean_up SIGHUP SIGINT SIGTERM
 # -
 DEFAULT_ADMIN_EMAIL="argus@oopen.de"
 DEFAULT_IS_RELAY_HOST=false
+DEFAULT_ADDITIONAL_RELAY_PORT=2525
 DEFAULT_IS_SYMPA_LIST_SERVER=no
 DEFAULT_SASL_AUTH_ENABLED=no
 
+DEFAULT_LISTEN_ON_ADDITIONAL_RELAY_PORT=false
+
 
 # - Is this a systemd system?
 # -
@@ -167,6 +170,10 @@ else
    _IS_RELAY_HOST="$_RELAY_HOST"
 fi
 
+if [[ -z "$_LISTEN_ON_ADDITIONAL_RELAY_PORT" ]] ; then
+   _LISTEN_ON_ADDITIONAL_RELAY_PORT=${DEFAULT_LISTEN_ON_ADDITIONAL_RELAY_PORT}
+fi
+
 echo ""
 echo ""
 echo ""
@@ -394,6 +401,42 @@ if $IS_RELAY_HOST ; then
       done
    fi
 
+   ADDITIONAL_RELAY_LISTEN_PORT=
+   echo ""
+   echo -e "\033[32m--\033[m"
+   echo ""
+   echo "Should this mail relay server listen on an additional port?"
+   echo ""
+   if [[ -n "$_ADDITIONAL_RELAY_LISTEN_PORT" ]]; then
+      echo "Type:"
+      echo -e "\t\033[33mNone\033[m for no additional listen port."
+   else
+      echo "Type:"
+      echo -e "\t\033[33mNone\033[m or lrave empty for no additional listen port."
+   fi
+   echo ""
+   if [[ -n "$_ADDITIONAL_RELAY_LISTEN_PORT" ]]; then
+      echononl "additional listen port [${_ADDITIONAL_RELAY_LISTEN_PORT}]: "
+      read ADDITIONAL_RELAY_LISTEN_PORT
+      if [[ "X${ADDITIONAL_RELAY_LISTEN_PORT}" = "X" ]]; then
+         ADDITIONAL_RELAY_LISTEN_PORT=$_ADDITIONAL_RELAY_LISTEN_PORT
+         LISTEN_ON_ADDITIONAL_RELAY_PORT=true
+      fi
+      if [[ "${ADDITIONAL_RELAY_LISTEN_PORT,,}" = "none" ]] ; then
+         ADDITIONAL_RELAY_LISTEN_PORT=""
+         LISTEN_ON_ADDITIONAL_RELAY_PORT=false
+      fi
+   else
+      echononl "additional listen port: "
+      read ADDITIONAL_RELAY_LISTEN_PORT
+      if [[ "X${ADDITIONAL_RELAY_LISTEN_PORT}" = "X" ]] || [[ "${ADDITIONAL_RELAY_LISTEN_PORT,,}" = "none" ]]; then
+         ADDITIONAL_RELAY_LISTEN_PORT=""
+         LISTEN_ON_ADDITIONAL_RELAY_PORT=false
+      else
+         LISTEN_ON_ADDITIONAL_RELAY_PORT=true
+      fi
+   fi
+
 
 else
    IS_SYMPA_LIST_SERVER=false
@@ -441,6 +484,11 @@ if $IS_RELAY_HOST ; then
    echo -e "\tConfigure as sympa list server?...: \033[33m\033[1m$IS_SYMPA_LIST_SERVER\033[m"
    echo ""
    echo -e "\tSupport Cyrus SASL authentication.: $SASL_AUTH_ENABLED"
+   echo ""
+   echo -e "\tListen on an additional port?.......: \033[33m\033[1m${LISTEN_ON_ADDITIONAL_RELAY_PORT}\033[m"
+   if ${LISTEN_ON_ADDITIONAL_RELAY_PORT}; then
+      echo -e "\tAdditional Listen Port..............: ${ADDITIONAL_RELAY_LISTEN_PORT}"
+   fi
 else
    echo -e "\tConfigure as relay host?..........: $IS_RELAY_HOST"
    echo -e "\tConfigure as complete mailserver..: \033[33m\033[1mtrue\033[m"
@@ -464,7 +512,7 @@ _failed=false
 echononl "   Save Configuration"
 cat << EOF > $conf_file
 # ---
-# - Parameter Settins Postfix Relay System
+# - Parameter Settings Postfix Relay System
 # ---
 
 _HOSTNAME=$HOSTNAME
@@ -480,7 +528,13 @@ if $IS_RELAY_HOST ; then
    cat << EOF >> $conf_file
 _SASL_AUTH_ENABLED=$SASL_AUTH_ENABLED
 _SYMPA_LIST_SERVER=$IS_SYMPA_LIST_SERVER
+_LISTEN_ON_ADDITIONAL_RELAY_PORT=${LISTEN_ON_ADDITIONAL_RELAY_PORT}
 EOF
+   if ${LISTEN_ON_ADDITIONAL_RELAY_PORT} ; then
+      cat << EOF >> $conf_file
+_ADDITIONAL_RELAY_LISTEN_PORT=${ADDITIONAL_RELAY_LISTEN_PORT}
+EOF
+   fi
 fi
 if [[ $? -ne 0 ]]; then
    _failed=true
@@ -930,6 +984,120 @@ EOF
 fi
 
 
+# - Install SPF-Policy-Tools
+# -
+echononl "   Install Postfix SPF-Policy-Tools 'postfix-policyd-spf-python'"
+_pkg=postfix-policyd-spf-python
+if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
+   echo_skipped
+else
+   DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $log_file
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+fi
+
+
+# - Backup existing configuration file for policyd-spf daemon
+# -
+_file="/etc/postfix-policyd-spf-python/policyd-spf.conf"
+echononl "   Backup configuration file '${_file}'."
+if [[ -f "${_file}" ]]; then
+   cp -a "${_file}" "${_file}.${backup_date}" > /dev/null 2> $log_file
+   if [[ $? -eq 0 ]] ; then
+      echo_ok
+   else
+      echo_failed
+      error "$(cat $log_file)"
+   fi
+else
+   echo_skipped
+fi
+
+echononl "   Creeate new configuration '${_file}'.."
+cat <<EOF > "${_file}"
+#  For a fully commented sample config file see policyd-spf.conf.commented
+
+#  Reject and deferred reason
+Reason_Message = Message {rejectdefer} due to: {spf}.
+
+#  Amount of debugging information logged.  0 logs no debugging messages
+#  5 includes all debug messages.
+debugLevel = 1
+
+#  HELO check rejection policy. Options are:
+#  HELO_reject = SPF_Not_Pass (default) - Reject if result not Pass/None/Tempfail.
+#  HELO_reject = Softfail - Reject if result Softfail and Fail
+#  HELO_reject = Fail - Reject on HELO Fail
+#  HELO_reject = Null - Only reject HELO Fail for Null sender (SPF Classic)
+#  HELO_reject = False - Never reject/defer on HELO, append header only.
+#  HELO_reject = No_Check - Never check HELO.
+HELO_reject = SPF_Not_Pass
+
+#  Mail From rejection policy.  Options are:
+#  Mail_From_reject = SPF_Not_Pass - Reject if result not Pass/None/Tempfail.
+#  Mail_From_reject = Softfail - Reject if result Softfail and Fail
+#  Mail_From_reject = Fail - Reject on Mail From Fail (default)
+#  Mail_From_reject = False - Never reject/defer on Mail From, append header only
+#  Mail_From_reject = No_Check - Never check Mail From/Return Path.
+#
+# Dieser Parameter steuert, wie der SPF-Check auf Fehler bei der Überprüfung der
+# MAIL FROM-Adresse reagiert. Ein Fehler tritt auf, wenn die IP-Adresse des sendenden
+# Servers nicht den SPF-Einträgen der Domain in der MAIL FROM-Adresse entspricht.
+#
+Mail_From_reject = Fail
+
+#  Policy for rejecting due to SPF PermError.  Options are:
+#  PermError_reject = True
+#  PermError_reject = False
+#
+# Wirkung: Dieser Parameter bestimmt, wie der SPF-Check auf permanente Fehler (PermError)
+# reagiert. Ein permanenter Fehler tritt auf, wenn die SPF-DNS-Einträge ungültig oder
+# fehlerhaft sind (z. B. syntaktische Fehler oder ungültige Mechanismen).
+#
+# Wenn PermError_reject auf True gesetzt ist, wird die E-Mail abgewiesen (rejected),
+#
+PermError_reject = True
+
+#  Policy for deferring messages due to SPF TempError.  Options are:
+#  TempError_Defer = True
+#  TempError_Defer = False
+#
+# Wirkung: Dieser Parameter bestimmt das Verhalten bei temporären SPF-Fehlern (TempError).
+# Ein temporärer Fehler tritt auf, wenn der SPF-Check aufgrund von vorübergehenden
+# Problemen (z. B. DNS-Auflösungsfehler oder Netzwerkprobleme) nicht durchgeführt werden kann.
+#
+# Wenn TempError_Defer auf True gesetzt ist, wird die E-Mail vorübergehend zurückgewiesen
+# (deferred), und der empfangende Server versucht später erneut, die E-Mail zuzustelle
+#
+TempError_Defer = Defer
+
+# Type of header to insert to document SPF result. Can be Received-SPF (SPF)
+# or Authentication Results (AR). It cannot be both.
+# Examples: (default is Received-SPF):
+# Header_Type = AR
+# Header_Type = SPF
+Header_Type = SPF
+
+#  Do not check SPF for localhost addresses - add to skip addresses to
+#  skip SPF for internal networks if desired. Defaults are standard IPv4 and
+#  IPv6 localhost addresses.
+skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1
+
+# RFC 7208 adds a new processing limit called "void lookup limit" (See section
+# 4.6.4).  Default is 2, but it can be adjusted.
+Void_Limit = 5
+EOF
+if [[ $? -eq 0 ]] ; then
+   echo_ok
+else
+   echo_failed
+fi
+
+
 ## - Install Postfix Firewall Daemon from debian packages system
 ## -
 echononl "   Install Postfix Firewall Daemon from debian packages system"
@@ -1747,38 +1915,157 @@ cat <<EOF >> /etc/postfix/main.cf
 
 # ============ TLS parameters ============
 
-## - supports DNSSEC
+# What mechanisms the Postfix SMTP client uses to look up a host's IP address.
-## -
+# This parameter is ignored when DNS lookups are disabled (see: disable_dns_lookups
-## - !! Notice !!
+# and smtp_dns_support_level). The "dns" mechanism is always tried before "native"
-## - In order to support DNSSEC and DANE your resolver MUST support
+# if both are listed.
-## - DNSSEC too.
+#
-## -
+# Specify one of the following:
-## - If your resolver does not support DNSSEC, install "unbound".
+#
-## -
+#  dns
+#     Hosts can be found in the DNS (preferred).
+#
+#  native
+#     Use the native naming service only (nsswitch.conf, or equivalent mechanism).
+#
+#  dns, native
+#     Use the native service for hosts not found in the DNS.
+#
 smtp_host_lookup = dns
+
+# Level of DNS support in the Postfix SMTP client. With "smtp_dns_support_level"
+# left at its empty default value, the legacy "disable_dns_lookups" parameter c
+# ontrols whether DNS is enabled in the Postfix SMTP client, otherwise the l
+# egacy parameter is ignored.
+#
+#  Specify one of the following:
+#
+#  disabled
+#     Disable DNS lookups. No MX lookups are performed and hostname to address lookups
+#     are unconditionally "native". This setting is not appropriate for hosts that
+#     deliver mail to the public Internet. Some obsolete how-to documents recommend
+#     disabling DNS lookups in some configurations with content_filters. This is no
+#     longer required and strongly discouraged.
+#
+#  enabled
+#     Enable DNS lookups. Nexthop destination domains not enclosed in "[]" will be
+#     subject to MX lookups. If "dns" and "native" are included in the "smtp_host_lookup"
+#     parameter value, DNS will be queried first to resolve MX-host A records, followed by
+#     "native" lookups if no answer is found in DNS.
+#
+#  dnssec
+#     Enable DNSSEC lookups. The "dnssec" setting differs from the "enabled" setting above
+#     in the following ways:
+#
+#        - Any MX lookups will set RES_USE_DNSSEC and RES_USE_EDNS0 to request DNSSEC-validated
+#          responses. If the MX response is DNSSEC-validated the corresponding hostnames are
+#          considered validated.
+#
+#        - The address lookups of validated hostnames are also validated, (provided of course
+#          "smtp_host_lookup" includes "dns", see below).
+#
+#        - Temporary failures in DNSSEC-enabled hostname-to-address resolution block any
+#          "native" lookups. Additional "native" lookups only happen when DNSSEC lookups
+#          hard-fail (NODATA or NXDOMAIN).
+#
+# default: empty
+#
+# !! Notice !!
+# In order to support DNSSEC and DANE your resolver MUST support
+# DNSSEC too.
+#
+# If your resolver does not support DNSSEC, install "unbound".
+#
 smtp_dns_support_level = dnssec
 
+
 ## - Aktiviert TLS für den Mailempfang
 ## -
-## - may:
+
-## - Opportunistic TLS. Use TLS if this is supported by the remote 
+# The SMTP TLS security level for the Postfix SMTP server; when a non-empty value is
-## - SMTP server, otherwise use plaintext
+# specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls.
-## -
+# This parameter is ignored with "smtpd_tls_wrappermode = yes".
-## - This overrides the obsolete parameters smtpd_use_tls and 
+#
-## - smtpd_enforce_tls. This parameter is ignored with 
+# Specify one of the following security levels:
-## - "smtpd_tls_wrappermode = yes".
+#
-#smtpd_use_tls=yes
+#  none
+#     TLS will not be used.
+#
+#  may
+#     Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not
+#     require that clients use TLS encryption.
+#
+#  encrypt
+#     Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and
+#     reject all plaintext commands except HELO, EHLO, XCLIENT, STARTTLS, NOOP, QUIT,
+#     and (Postfix ≥ 3.9) HELP. According to RFC 2487 this MUST NOT be applied in case
+#     of a publicly-referenced SMTP server. Instead, this should be used on dedicated
+#     servers, for example submission (port 587).
+#
 smtpd_tls_security_level=may
 
+
 ## - Aktiviert TLS für den Mailversand
 ## -
-## - may:
+
-## - Opportunistic TLS: announce STARTTLS support to SMTP clients, 
+# The default SMTP TLS security level for the Postfix SMTP client. When a non-empty value
-## - but do not require that clients use TLS encryption.
+# is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls,
-# smtp_use_tls=yes
+# and smtp_tls_enforce_peername; when no value is specified for smtp_tls_enforce_peername
-#smtp_tls_security_level=may
+# or the obsolete parameters, the default SMTP TLS security level is none.
+#
+# Specify one of the following security levels:
+#
+#  none
+#     No TLS. TLS will not be used unless enabled for specific destinations
+#     via smtp_tls_policy_maps.
+#
+#  may
+#     Opportunistic TLS. Use TLS if this is supported by the remote SMTP server, otherwise
+#     use plaintext; after a failed TLS handshake or TLS session, fall back to plaintext
+#     if the message has spent minimal_backoff_time in the mail queue. Since sending in the
+#     clear is acceptable, demanding stronger than default TLS security merely reduces
+#     interoperability. The "smtp_tls_ciphers" and "smtp_tls_protocols" (Postfix ≥ 2.6)
+#     configuration parameters provide control over the protocols and cipher grade used
+#     with opportunistic TLS. With earlier releases the opportunistic TLS cipher grade is
+#     always "export" and no protocols are disabled. When TLS handshakes fail, the
+#     connection is retried with TLS disabled. This allows mail delivery to sites with
+#     non-interoperable TLS implementations.
+#
+#  encrypt
+#     Mandatory TLS encryption. Since a minimum level of security is intended, it is
+#     reasonable to be specific about sufficiently secure protocol versions and ciphers.
+#     At this security level and higher, the main.cf parameters smtp_tls_mandatory_protocols
+#     and smtp_tls_mandatory_ciphers specify the TLS protocols and minimum cipher grade
+#     which the administrator considers secure enough for mandatory encrypted sessions.
+#     This security level is not an appropriate default for systems delivering mail to the
+#     Internet.
+#
+#  dane
+#     Opportunistic DANE TLS. At this security level, the TLS policy for the destination
+#     is obtained via DNSSEC. For TLSA policy to be in effect, the destination domain's
+#     containing DNS zone must be signed and the Postfix SMTP client's operating system
+#     must be configured to send its DNS queries to a recursive DNS nameserver that is
+#     able to validate the signed records. Each MX host's DNS zone should also be signed,
+#     and should publish DANE TLSA (RFC 7672) records that specify how that MX host's TLS
+#     certificate is to be verified. TLSA records do not preempt the normal SMTP MX host
+#     selection algorithm, if some MX hosts support TLSA and others do not, TLS security
+#     will vary from delivery to delivery.
+#
+#  dane-only
+#     ...
+#
+#  fingerprint
+#     ...
+#
+#  verify
+#     ...
+#
+#  secure
+#     ...
+#
 smtp_tls_security_level=dane
 
+
 ## -    0 Disable logging of TLS activity.
 ## -    1 Log TLS handshake and certificate information.
 ## -    2 Log levels during TLS negotiation.
@@ -1791,6 +2078,7 @@ smtp_tls_loglevel = 1
 smtpd_tls_cert_file = $_TLS_CERT_FILE
 smtpd_tls_key_file = $_TLS_KEY_FILE
 
+
 ## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
 ## -
 ## - Dont't forget to create it, e.g with openssl:
@@ -1830,64 +2118,109 @@ smtp_tls_CAfile = $_TLS_CA_FILE
 #smtpd_tls_CApath = /etc/postfix/certs
 
 
-# Disable SSLv2 SSLv3 - Postfix SMTP server 
+# TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption.
+# If the list is empty, the server supports all available TLS protocol versions.
 #
-# List of TLS protocols that the Postfix SMTP server will exclude or  
+# default: see 'postconf -d' output
-# include with opportunistic TLS encryption.  
-smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
 #
-# The SSL/TLS protocols accepted by the Postfix SMTP server  
+smtpd_tls_protocols = >=TLSv1.1
-# with mandatory TLS encryption. 
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
 
-
+# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption.
-# Disable SSLv2 SSLv3 - Postfix SMTP client 
 #
-# List of TLS protocols that the Postfix SMTP client will exclude or  
+smtpd_tls_mandatory_protocols = >=TLSv1.1
-# include with opportunistic TLS encryption.  
+
-smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+
+# TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption.
 #
-# List of SSL/TLS protocols that the Postfix SMTP client will use  
+# default: see 'postconf -d' output
-# with mandatory TLS encryption 
+#
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_protocols = >=TLSv1.2
+
+# TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption.
+#
+# default: see 'postconf -d' output
+#
+smtp_tls_mandatory_protocols = >=TLSv1.2
 
 
-## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange 
+# The Postfix SMTP server security grade for ephemeral elliptic-curve
-## -    openssl > 1.0
+# Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this
-## -
+# parameter is always ignored, and Postfix behaves as though the auto value
-smtpd_tls_eecdh_grade = strong
+# (described below) was chosen.
+#
+# auto
+#    Use the most preferred curve that is supported by both the client and the server.
+#    This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This
+#    is the default setting under the above conditions (and the only setting used with
+#    Postfix ≥ 3.6).
+#
+# none
+#    Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the
+#    default in Postfix versions 2.6 and 2.7.
+#
+# strong
+#    Use EECDH with approximately 128 bits of security at a reasonable computational cost.
+#    This is the default in Postfix versions 2.8-3.5.
+#
+# ultra
+#    Use EECDH with approximately 192 bits of security at computational cost that is
+#    approximately twice as high as 128 bit strength ECC.
+#
+#smtpd_tls_eecdh_grade = auto
 
-# standard list cryptographic algorithm
+
+# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead
+# of the remote client's cipher preference order.
+#
+# By default, the OpenSSL server selects the client's most preferred cipher that the
+# server supports. With SSLv3 and later, the server may choose its own most preferred
+# cipher that is supported (offered) by the client.
+#
+# Setting "tls_preempt_cipherlist = yes" enables server cipher preferences.
+#
+# default: no
+#
 tls_preempt_cipherlist = yes
 
-# Disable ciphers which are less than 256-bit:
+
+# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory
+# TLS encryption. The default grade ("medium") is sufficiently strong that any benefit
+# from globally restricting TLS sessions to a more stringent grade is likely negligible,
+# especially given the fact that many implementations still do not offer any stronger
+# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers.
+# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export"
+# or "low" ciphers is typically not a good idea, as systems limited to just these are
+# limited to obsolete browsers. No known SMTP clients fail to support at least one
+# "medium" or "high" grade cipher.
 #
-#smtpd_tls_mandatory_ciphers = high
+# default: medium
+#
+#smtpd_tls_mandatory_ciphers = medium
+
+# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic
+# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the
+# base definition of the selected cipher grade.
+#
+# default: medium
 #
-# opportunistic
 smtpd_tls_ciphers = high
 
 
-# Exclude ciphers
+# List of ciphers or cipher types to exclude from the SMTP server cipher list at all
+# TLS security levels.
+#
+# DO NOT exclude ciphers unless it is essential to do so. This is not an OpenSSL cipherlist;
+# it is a simple list separated by whitespace and/or commas. The elements are a single cipher,
+# or one or more "+" separated cipher properties, in which case only ciphers matching all the
+# properties are excluded.
+#
 #smtpd_tls_exclude_ciphers =
-#   RC4
+
-#   aNULL
+# Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher
-#   SEED-SHA
+# list at mandatory TLS security levels. This list works in addition to the exclusions listed
-#   EXP
+# with smtp_tls_exclude_ciphers
-#   MD5
+#
-smtpd_tls_exclude_ciphers =
+#smtp_tls_mandatory_exclude_ciphers =
-   aNULL
-   eNULL
-   EXPORT
-   DES
-   RC4
-   MD5
-   PSK
-   aECDH
-   EDH-DSS-DES-CBC3-SHA
-   EDH-RSA-DES-CDC3-SHA
-   KRB5-DE5
-   CBC3-SHA
 
 
 smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
@@ -2279,6 +2612,20 @@ else
 EOF
 fi
 
+if [[ -n "$(which policyd-spf)" ]]  ; then
+   cat <<EOF >> /etc/postfix/main.cf
+
+# The time limit for delivery to '/usr/bin/policyd-spf'
+#
+# An entry in '/etc/postfix/master.cf' is needed:
+#
+#  policyd-spf  unix  -       n       n       -       0       spawn
+#     user=policyd-spf argv=/usr/bin/policyd-spf
+#
+policyd-spf_time_limit = 3600
+EOF
+fi
+
 cat <<EOF >> /etc/postfix/main.cf
 
 
@@ -2307,7 +2654,7 @@ smtpd_client_restrictions =
    permit_mynetworks,
    # Whitelist clients
    #
-   check_client_access btree:/etc/postfix/client_whitelist
+   check_client_access btree:/etc/postfix/client_whitelist,
    # White- / Blacklisting
    #
    check_sender_access btree:/etc/postfix/access_sender,
@@ -2331,11 +2678,16 @@ smtpd_client_restrictions =
    #   - reject_rbl_client: This is an IP-based blacklist. When the client IP address is backlisted,
    #     reject the email.
    #
-   reject_rhsbl_helo dbl.spamhaus.org,
+   #  reject_rhsbl_helo dbl.spamhaus.org,
-   reject_rhsbl_reverse_client dbl.spamhaus.org,
+   #  reject_rhsbl_reverse_client dbl.spamhaus.org,
-   reject_rhsbl_sender dbl.spamhaus.org,
+   #  reject_rhsbl_sender dbl.spamhaus.org,
-   reject_rbl_client zen.spamhaus.org,
+   #  reject_rbl_client zen.spamhaus.org,
-   reject_rbl_client ix.dnsbl.manitu.net,
+   #
+   reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
+   reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99],
+   reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
+   reject_rbl_client zen.spamhaus.org=127.0.1.[2..99],
+
    # Greylisting check
    #
    #     check_policy_service inet:127.0.0.1:10023,
@@ -2469,6 +2821,17 @@ smtpd_recipient_restrictions =
 # managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
 # for more details
    reject_unverified_recipient,
+EOF
+
+if [[ -n "$(which policyd-spf)" ]]  ; then
+   cat <<EOF >> /etc/postfix/main.cf   
+# Check Postfix policy service ..
+#
+   check_policy_service unix:private/policy-spf
+EOF
+fi
+
+cat <<EOF >> /etc/postfix/main.cf
 # Policyd-Weight
    #check_policy_service inet:127.0.0.1:12525,
 # permit Backup MX
@@ -2528,14 +2891,28 @@ smtpd_data_restrictions =
 #
    reject_unauth_pipelining
 
+
+## ---
+## - smtpd END OF ATA Restrictions
+## ---
+
 smtpd_end_of_data_restrictions =
+EOF
+
+if [[ -n "$(which postfwd)" ]]  ; then
+   cat <<EOF >> /etc/postfix/main.cf
 # Check Postfix Firewall Daemon
 #
    check_policy_service inet:127.0.0.1:10040
 
 EOF
+else
+   cat <<EOF >> /etc/postfix/main.cf
 
-if [[ -n "$(which opendkim)" ]]  ; then
+EOF
+fi
+
+if [[ -n "$(which opendkim)" ]]  || [[ -n "$(which opendmarc)" ]] ; then
    cat <<EOF >> /etc/postfix/main.cf
 
 # ======= Milter configuration =======
@@ -2556,12 +2933,25 @@ milter_protocol = 6
 #    'smtpd_milters = local:/opendkim/opendkim.sock' here and add to
 #    localhost:10025 section in master.cf: 'smtpd_milters='
 #
-#smtpd_milters = local:/opendkim/opendkim.sock
 smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
 smtpd_milters =
+EOF
+fi
+if [[ -n "$(which opendkim)" ]] ; then
+   if [[ -n "$(which opendmarc)" ]] ; then
+      cat <<EOF >> /etc/postfix/main.cf
+non_smtpd_milters = local:/opendkim/opendkim.sock,local:/opendmarc/opendmarc.sock
+EOF
+   else
+      cat <<EOF >> /etc/postfix/main.cf
 non_smtpd_milters = local:/opendkim/opendkim.sock
 EOF
    fi
+elif [[ -n "$(which opendmarc)" ]] ; then
+   cat <<EOF >> /etc/postfix/main.cf
+non_smtpd_milters = local:/opendmarc/opendmarc.sock
+EOF
+fi
 
 
 echo_ok
@@ -3349,6 +3739,12 @@ else
 	smtps_present=false
 fi
 
+if grep -iq -E "^policyd-spf\s+" $postfix_master_cf > /dev/null 2>&1 ; then
+	policyd_spf_present=true
+else
+	policyd_spf_present=false
+fi
+
 _found=false
 echononl "   Create new file \"${postfix_master_cf}\""
 if [[ -f "${postfix_master_cf}.$backup_date" ]]; then
@@ -3379,6 +3775,10 @@ smtps     inet  n       -       y       -       -       smtpd
    #-o milter_macro_daemon_name=ORIGINATING
 EOF
 				fi
+         elif $LISTEN_ON_ADDITIONAL_RELAY_PORT ; then
+            cat >> $postfix_master_cf << EOF
+${ADDITIONAL_RELAY_LISTEN_PORT}      inet  n       -       y       -       -       smtpd
+EOF
 			fi
 			continue
 		fi
@@ -3426,6 +3826,17 @@ EOF
 
 	done < "${postfix_master_cf}.$backup_date"
 
+   # - Add support for policyd-spf service
+   # -
+   if ! $(grep -iq -E "^policyd-spf\s+" "$postfix_master_cf" 2> /dev/null) ; then
+      cat <<EOF >> $postfix_master_cf
+
+policy-spf  unix  -       n       n       -       0       spawn
+   user=policyd-spf argv=/usr/bin/policyd-spf
+EOF
+   fi
+
+
    # - Add transport definitions for only sending over IPv4/IPv6
    # -
    if ! $(grep -iq -E "^smtp-ipv4-only\s+" "$postfix_master_cf" 2> /dev/null) ; then
@@ -3633,15 +4044,19 @@ fi
 ## - Omitt logging into system.log
 ## -
 echononl "   Create \"/etc/rsyslog.d/postfix.conf\""
-cat << EOF >> /etc/rsyslog.d/postfix.conf
+cat << EOF > /etc/rsyslog.d/postfix.conf
+# Create an additional socket in postfix's chroot in order not to break
+# mail logging when rsyslog is restarted.  If the directory is missing,
+# rsyslog will silently skip creating the socket.
+\$AddUnixListenSocket /var/spool/postfix/dev/log
 
 #
 # Logging for the mail system.  Split it up so that
 # it is easy to write scripts to parse these files.
 #
-mail.info                       -/var/log/mail.info
+#mail.info                       -/var/log/mail.info
-mail.warn                       -/var/log/mail.warn
+#mail.warn                       -/var/log/mail.warn
-mail.err                        /var/log/mail.err
+#mail.err                        /var/log/mail.err
 
 mail.*                          -/var/log/mail.log
 & stop
@@ -3669,6 +4084,14 @@ else
    fi
 fi
 
+if ${LISTEN_ON_ADDITIONAL_RELAY_PORT} ; then
+
+   echo ""
+   warn "Please do not forget to allow incomming traffic on port \033[1m${ADDITIONAL_RELAY_LISTEN_PORT}\033[m.
+                     Check your firewall settings.."
+fi
+
+
 if [[ -n "$(which amavisd-new)" ]] ; then
 
    warn "You have to run \033[1minstall_amavis.sh\033[m script to continue the configuration."

install_postfix_base.sh

@@ -129,6 +129,7 @@ detect_os_1 () {
 
 DEFAULT_ADMIN_EMAIL="argus@oopen.de"
 DEFAULT_RELAY_HOST="b.mx.oopen.de"
+DEFAULT_RELAY_PORT=25
 DEFAULT_SASL_AUTH=false
 DEFAULT_REWRITE_SENDER_DOMAIN=None
 
@@ -340,11 +341,12 @@ fi
 # --- Some further default values depending on sasl authentification
 # -------------
 
-# - Set default value for relay host if sasl authentification should be
+# - Set default value for relay host / relay port if sasl authentification should be
-# - supported and value for _RELAY_HOST not given
+# - supported and value for _RELAY_HOST / _RELAY_PORT not given
 # -
 if [[ "$SASL_AUTH" = "yes" ]] || $SASL_AUTH ; then
    [[ -z "$_RELAY_HOST" ]] && _RELAY_HOST="$DEFAULT_RELAY_HOST"
+   [[ -z "$_RELAY_PORT" ]] && _RELAY_PORT="$DEFAULT_RELAY_PORT"
 fi
 
 if [[ -z ${_REWRITE_SENDER_DOMAIN} ]] ; then
@@ -415,6 +417,27 @@ if [[ "$SASL_AUTH" = "yes" ]] || $SASL_AUTH ; then
       done
    fi
 
+
+   RELAY_PORT=
+   echo ""
+   echo "Insert the target port to connect to ${RELAY_HOST}"
+   echo ""
+   if [[ -n "$_RELAY_PORT" ]];then
+      echononl "(target) Port on ${RELAY_HOST} [$_RELAY_PORT]: "
+      read RELAY_PORT
+      if [[ "X${RELAY_PORT}" = "X" ]]; then
+         RELAY_PORT=$_RELAY_PORT
+      fi
+   else
+      while [[ "X${RELAY_PORT}" = "X" ]]; do
+         echononl "(target) Port on ${RELAY_HOST}: "
+         read RELAY_PORT
+         if [[ "X${RELAY_PORT}" = "X" ]]; then
+            echo -e "\n\t\033[33m\033[1mi(target) Port of ${RELAY_HOST} is reqired\033[m\n"
+         fi
+      done
+   fi
+
 else
    SASL_AUTH=false
 fi
@@ -467,6 +490,7 @@ if $SASL_AUTH ; then
    echo -e "\t   sasl user.............: $SASL_USER"
    echo -e "\t   sasl password.........: $SASL_PASS"
    echo -e "\t   Relayhost.............: $RELAY_HOST"
+   echo -e "\t   Port on Relayhost.....: $RELAY_PORT"
 fi
 echo ""
 echononl "einverstanden (yes/no): "
@@ -498,6 +522,7 @@ _SASL_AUTH=$SASL_AUTH
 _SASL_USER=$SASL_USER
 _SASL_PASS=$SASL_PASS
 _RELAY_HOST=$RELAY_HOST
+_RELAY_PORT=$RELAY_PORT
 _REWRITE_SENDER_DOMAIN=$REWRITE_SENDER_DOMAIN
 EOF
 if [[ $? -eq 0 ]] ; then
@@ -674,13 +699,26 @@ mydestination =
 ## -
 mynetworks =
    127.0.0.0/8
+EOF
+
+   if [[ ${IPV4} =~ ^127 ]] ; then
+
+      cat <<EOF >> /etc/postfix/main.cf
+
+smtp_bind_address =
+smtp_bind_address6 =
+
+EOF
+   else
+      cat <<EOF >> /etc/postfix/main.cf
       ${IPV4}/32
 
 smtp_bind_address = $IPV4
-smtp_bind_address6 = $IPV6
+#smtp_bind_address6 =
 
 EOF
    fi
+fi
 
 cat <<EOF >> /etc/postfix/main.cf
 
@@ -788,9 +826,24 @@ smtp_sasl_auth_enable = yes
 
 # Only offer SMTP AUTH when talking over an encrypted connection
 smtpd_tls_auth_only = yes
+EOF
+
+   if [[ ${RELAY_PORT} -ne 25 ]] ; then
+      cat <<EOF >> /etc/postfix/main.cf
+
+# Forwarding to the ip-adress of host b.mx.oopen.de
+relayhost = [${RELAY_HOST}]:${RELAY_PORT}
+EOF
+   else
+      cat <<EOF >> /etc/postfix/main.cf
 
 # Forwarding to the ip-adress of host b.mx.oopen.de
 relayhost = [${RELAY_HOST}]
+EOF
+
+   fi
+
+   cat <<EOF >> /etc/postfix/main.cf
 
 # File including login data
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
@@ -909,59 +962,103 @@ smtp_tls_CAfile = $_TLS_CA_FILE
 #
 # List of TLS protocols that the Postfix SMTP server will exclude or
 # include with opportunistic TLS encryption.
-smtpd_tls_protocols = !SSLv2, !SSLv3
+#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
+
+# TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption.
 #
-# The SSL/TLS protocols accepted by the Postfix SMTP server  
+#smtpd_tls_protocols = >=TLSv1
-# with mandatory TLS encryption. 
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
 
-
+# TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption.
-# Disable SSLv2 SSLv3 - Postfix SMTP client 
 #
-# List of TLS protocols that the Postfix SMTP client will exclude or  
+#smtpd_tls_mandatory_protocols = >=TLSv1
-# include with opportunistic TLS encryption.  
+
-smtp_tls_protocols = !SSLv2, !SSLv3
+# TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption.
 #
-# List of SSL/TLS protocols that the Postfix SMTP client will use  
+#smtp_tls_protocols = >=TLSv1
-# with mandatory TLS encryption 
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 
-
+# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption.
-## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange 
-## -    openssl > 1.0
-## -
-smtpd_tls_eecdh_grade = strong
-
-# standard list cryptographic algorithm
-tls_preempt_cipherlist = yes
-
-# Disable ciphers which are less than 256-bit:
 #
-#smtpd_tls_mandatory_ciphers = high
+smtp_tls_mandatory_protocols = >=TLSv1.2
+
+
+# The Postfix SMTP server security grade for ephemeral elliptic-curve
+# Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of this
+# parameter is always ignored, and Postfix behaves as though the auto value
+# (described below) was chosen.
 #
-# opportunistic
+# auto
-smtpd_tls_ciphers = high
+#    Use the most preferred curve that is supported by both the client and the server.
+#    This setting requires Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This
+#    is the default setting under the above conditions (and the only setting used with
+#    Postfix ≥ 3.6).
+#
+# none
+#    Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the
+#    default in Postfix versions 2.6 and 2.7.
+#
+# strong
+#    Use EECDH with approximately 128 bits of security at a reasonable computational cost.
+#    This is the default in Postfix versions 2.8-3.5.
+#
+# ultra
+#    Use EECDH with approximately 192 bits of security at computational cost that is
+#    approximately twice as high as 128 bit strength ECC.
+#
+smtpd_tls_eecdh_grade = auto
 
 
-# Exclude ciphers
+# With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead
+# of the remote client's cipher preference order.
+#
+# By default, the OpenSSL server selects the client's most preferred cipher that the
+# server supports. With SSLv3 and later, the server may choose its own most preferred
+# cipher that is supported (offered) by the client.
+#
+# Setting "tls_preempt_cipherlist = yes" enables server cipher preferences.
+#
+# default: no
+#
+#tls_preempt_cipherlist = no
+
+
+# The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory
+# TLS encryption. The default grade ("medium") is sufficiently strong that any benefit
+# from globally restricting TLS sessions to a more stringent grade is likely negligible,
+# especially given the fact that many implementations still do not offer any stronger
+# ("high" grade) ciphers, while those that do, will always use "high" grade ciphers.
+# So insisting on "high" grade ciphers is generally counter-productive. Allowing "export"
+# or "low" ciphers is typically not a good idea, as systems limited to just these are
+# limited to obsolete browsers. No known SMTP clients fail to support at least one
+# "medium" or "high" grade cipher.
+#
+# default: medium
+#
+#smtpd_tls_mandatory_ciphers = medium
+
+# The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic
+# TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the
+# base definition of the selected cipher grade.
+#
+# default: medium
+#
+#smtpd_tls_ciphers = medium
+
+
+# List of ciphers or cipher types to exclude from the SMTP server cipher list at all
+# TLS security levels.
+#
+# DO NOT exclude ciphers unless it is essential to do so. This is not an OpenSSL cipherlist;
+# it is a simple list separated by whitespace and/or commas. The elements are a single cipher,
+# or one or more "+" separated cipher properties, in which case only ciphers matching all the
+# properties are excluded.
+#
 #smtpd_tls_exclude_ciphers =
-#   RC4
+
-#   aNULL
+# Additional list of ciphers or cipher types to exclude from the Postfix SMTP client cipher
-#   SEED-SHA
+# list at mandatory TLS security levels. This list works in addition to the exclusions listed
-#   EXP
+# with smtp_tls_exclude_ciphers
-#   MD5
+#
-smtpd_tls_exclude_ciphers =
+#smtp_tls_mandatory_exclude_ciphers =
-   aNULL
-   eNULL
-   EXPORT
-   DES
-   RC4
-   MD5
-   PSK
-   aECDH
-   EDH-DSS-DES-CBC3-SHA
-   EDH-RSA-DES-CDC3-SHA
-   KRB5-DE5, CBC3-SHA
 
 
 smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
@@ -1006,8 +1103,21 @@ echo_ok
 echononl "   Configure SASL authentification"
 if $SASL_AUTH ; then
 
+   _sasl_pw_file="/etc/postfix/sasl_passwd"
+   if [[ -f "${_sasl_pw_file}" ]] && $(grep -q -E "^\[${RELAY_HOST}\]" ${_sasl_pw_file} 2> /dev/null); then
+      sed -i "/^\[${RELAY_HOST}/d" ${_sasl_pw_file}
+      if [[ "$?" != "0" ]]; then
+         error "Setting \"/etc/postfix/sasl_passwd\" failed! "
+         _failed=true
+      fi
+   fi
+
    _failed=false
-   echo "[$RELAY_HOST] ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" > /etc/postfix/sasl_passwd
+   if [[ ${RELAY_PORT} -ne 25 ]] ; then
+      echo "[$RELAY_HOST]:${RELAY_PORT} ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" >> /etc/postfix/sasl_passwd
+   else
+      echo "[$RELAY_HOST] ${SASL_USER}@${RELAY_HOST}:$SASL_PASS" >> /etc/postfix/sasl_passwd
+   fi
    if [[ "$?" != "0" ]]; then
       error "Setting \"/etc/postfix/sasl_passwd\" failed! "
       _failed=true
@@ -1313,15 +1423,19 @@ fi
 ## - Omitt logging into system.log
 ## -
 echononl "   Create \"/etc/rsyslog.d/postfix.conf\""
-cat << EOF >> /etc/rsyslog.d/postfix.conf
+cat << EOF > /etc/rsyslog.d/postfix.conf
+# Create an additional socket in postfix's chroot in order not to break
+# mail logging when rsyslog is restarted.  If the directory is missing,
+# rsyslog will silently skip creating the socket.
+\$AddUnixListenSocket /var/spool/postfix/dev/log
 
 #
 # Logging for the mail system.  Split it up so that
 # it is easy to write scripts to parse these files.
 #
-mail.info                       -/var/log/mail.info
+#mail.info                       -/var/log/mail.info
-mail.warn                       -/var/log/mail.warn
+#mail.warn                       -/var/log/mail.warn
-mail.err                        /var/log/mail.err
+#mail.err                        /var/log/mail.err
 
 mail.*                          -/var/log/mail.log
 & stop
@@ -1349,6 +1463,12 @@ else
    fi
 fi
 
+if [[ ${RELAY_PORT} -ne 25 ]] ; then
+
+   echo ""
+   warn "Please do not forget to allow port \033[1m${RELAY_PORT}\033[m on both sides, outgoing
+                     on this host here and incoming on the relay host '${RELAY_HOST}'."
+fi
 
 echo ""
 clean_up 0

install_postfixadmin.sh

@@ -1842,23 +1842,25 @@ fi
 
 # - Encoding does not work as exspected.
 # -
+# - Update: Encoding seems to works now
+# -
 # - NOTE:
 # -    this IS NOT a fix, but a workaround
 # -
-echononl "\tWorkaround, because encoding does not work as exspected."
+#echononl "\tWorkaround, because encoding does not work as exspected."
-# - Vacation script changed. Since Version 3.2 we need another perl regexp.
+## - Vacation script changed. Since Version 3.2 we need another perl regexp.
-# - The old one was: 
+## - The old one was: 
-# -    perl -i -n -p -e "s/(\s*\'ctype\'\s* =>\s*)\'text\/plain.*$/\1\'text\/plain; charset=iso-8859-1\',/" \
+## -    perl -i -n -p -e "s/(\s*\'ctype\'\s* =>\s*)\'text\/plain.*$/\1\'text\/plain; charset=iso-8859-1\',/" \
-# -
+## -
-perl -i -n -p -e "s/(\s*\'Content-Type\'\s* =>\s*)\"text\/plain.*$/\1\"text\/plain; charset=iso-8859-1\",/" \
+##perl -i -n -p -e "s/(\s*\'Content-Type\'\s* =>\s*)\"text\/plain.*$/\1\"text\/plain; charset=iso-8859-1\",/" \
-   /var/spool/vacation/vacation.pl > "$log_file" 2>&1
+##   /var/spool/vacation/vacation.pl > "$log_file" 2>&1
-if [[ $? -eq 0 ]];then
+#if [[ $? -eq 0 ]];then
-   echo_ok
+#   echo_ok
-   info "This IS NOT a fix, but a workaround."
+#   info "This IS NOT a fix, but a workaround."
-else
+#else
-   echo_failed
+#   echo_failed
-   error "$(cat $log_file)"
+#   error "$(cat $log_file)"
-fi
+#fi
 
 echononl "\tSet Permission on vacation script"
 _failed=false

install_update_dovecot.sh

@@ -287,6 +287,9 @@ dovecot_main_version="$(echo $_version | cut -d '.' -f1,2)"
 dovecot_major_version="$(echo $_version | cut -d '.' -f1)"
 dovecot_minor_version="$(echo $_version | cut -d '.' -f2)"
 dovecot_patch_level="$(echo $_version | cut -d '.' -f3)"
+dovecot_minor_patch_level="$(echo $_version | cut -d '.' -f4)"
+
+_version_short="${_version%-*}"
 
 #echo ""
 #echo "_version:                  $_version"
@@ -294,7 +297,11 @@ dovecot_patch_level="$(echo $_version | cut -d '.' -f3)"
 #echo "dovecot_major_version      $dovecot_major_version"
 #echo "dovecot_minor_version      $dovecot_minor_version"
 #echo "dovecot_patch_level        $dovecot_patch_level"
+#echo "dovecot_minor_patch_level  $dovecot_minor_patch_level"
 #echo ""
+#
+#clean_up 0
+
 
 # 'expire plugin'was rRemoved in version 2.3.14: This plugin is not needed. 
 # Use mailbox { autoexpunge } Mailbox settings instead.
@@ -710,6 +717,8 @@ fi
 
 ## - Download Pigeonhole for Dovecot v2.2
 ## -
+if [[ ${dovecot_major_version} -eq 2 ]] && [[ ${dovecot_minor_version} -lt 4 ]] ; then
+   
    echononl "\tDownload dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
    if [ ! -f "${_src_base_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz" ]; then
       wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
@@ -736,6 +745,44 @@ else
       echo -e "$rc_skipped"
    fi
 
+   dovecot_pigeonhole_archiv="dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz"
+
+else
+
+   echononl "\tDownload dovecot-pigeonhole-${_pigeonhole}.tar.gz.."
+   if [ ! -f "${_src_base_dir}/dovecot-pigeonhole-${_pigeonhole}.tar.gz" ]; then
+      wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
+      if [ "$?" = 0 ]; then
+         echo -e "$rc_done"
+         dovecot_pigeonhole_archiv="dovecot-pigeonhole-${_pigeonhole}.tar.gz"
+      else
+         echo -e "$rc_failed"
+
+         error "Direct download of 'Pigeonhole Sieve and ManageSieve' source archiv  failed
+
+                  Download Pigeonhole Sieve and ManageSieve manually and name it to
+
+                  \033[1mdovecot-pigeonhole-${_pigeonhole}.tar.gz\033[m\n"
+
+
+         echononl "\tProceed instllation [yes/no]: "
+         read OK
+         OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+         while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
+            echononl "Wrong entry! - repeat [yes/no]: "
+            read OK
+         done
+         [[ $OK = "yes" ]] || fatal "Abbruch durch User"
+      fi
+   else
+      echo -e "$rc_skipped"
+   fi
+
+   dovecot_pigeonhole_archiv="dovecot-pigeonhole-${_pigeonhole}.tar.gz"
+fi
+
+dovecot_pigeonhole_archiv_prefix="${dovecot_pigeonhole_archiv%.tar.gz}"
+dovecot_pigeonhole_archiv_dir="${dovecot_pigeonhole_archiv%.tar.gz}"
 
 
 if $_new ; then
@@ -901,6 +948,7 @@ config_params="
    --prefix=/usr/local/dovecot-${_version} \
    --with-${db_driver} \
    --with-gssapi=yes
+   --with-ldap=yes
    --with-rundir=/run/dovecot"
 if $systemd_support ; then
    config_params="$config_params \
@@ -1055,20 +1103,20 @@ fi
 cd ${_src_base_dir}
 echo ""
 echononl "\tExtracting dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
-gunzip < dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz | tar -xf -
+gunzip < ${_src_base_dir}/${dovecot_pigeonhole_archiv} | tar -C ${_src_base_dir} -xf -
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
    echo -e "$rc_failed"
-   fatal Extracting dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz failed
+   fatal Extracting ${dovecot_pigeonhole_archiv} failed
 fi
-cd dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}
+cd ${dovecot_pigeonhole_archiv_dir}
 
 
 echononl "\tConfigure Pigeonhole ManageSieve.."
 ./configure \
 	--prefix=/usr/local/dovecot-${_version} \
-   --with-dovecot=/usr/local/dovecot-${_version}/lib/dovecot > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-configure.log 2<&1
+   --with-dovecot=/usr/local/dovecot-${_version}/lib/dovecot > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-configure.log 2<&1
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
@@ -1077,7 +1125,7 @@ else
 fi
 
 echononl "\tCompile Pigeonhole ManageSieve.."
-make > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-make.log 2<&1
+make > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-make.log 2<&1
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
@@ -1086,7 +1134,7 @@ else
 fi
 
 echononl "\tInstall Pigeonhole ManageSieve.."
-make install > ${_log_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}-install.log 2<&1
+make install > ${_log_dir}/${dovecot_pigeonhole_archiv_prefix}-install.log 2<&1
 if [ "$?" = 0 ]; then
    echo -e "$rc_done"
 else
@@ -1095,6 +1143,7 @@ else
 fi
 
 
+
 ## -----------------
 ## --- Configure dovecot services