install/mailsystem
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: install:e82b464115a78a8d0792a3fb21af6e1917a189ba
Branches Tags
install:master
...
compare: install:master
Branches Tags
install:master

12 Commits
e82b464115 ... master

Author SHA1 Message Date
Christoph
6d516ed25a install_postfix_advanced.sh: remove depredated parameter 'permit_mx_backup'. 2026-02-11 21:20:00 +01:00
Christoph
c6909c937d Merge branch 'master' of git.oopen.de:install/mailsystem 2026-02-11 21:17:33 +01:00
Christoph
9708c595c4 install_update_dovecot.conf.sample: fix parameter 'cert_base_dir'. 2026-02-11 21:16:37 +01:00
Christoph
9c52e54182 install_postfixadmin.sh: configuration file at version 4.x is 'config.local.php'. 2026-02-11 00:47:05 +01:00
Christoph
849cbfa2e4 install_postfixadmin.sh: some minor changes. 2026-02-10 23:58:58 +01:00
Christoph
0a51e44b93 install_amavis.sh: some minor changes.. 2026-02-10 15:27:39 +01:00
Christoph Kuchenbuch
16618f9949 install_opendmarc.sh: no opendmarc check on non_smtpd connections. 2026-02-10 15:02:05 +01:00
Christoph
b4b47d5a79 install_amavis.sh: keine milters auf localhost:10025. install_postfix_advanced.sh: kein OpenDmarc bei non_smtpd_milters. (DMARC ist eine Inbound-Policy-Prüfung, nicht sinnvoll für lokal/originating.) 2026-02-10 14:14:53 +01:00
Christoph
d1694bf3a4 install_postfix_advanced.sh: adjust '/etc/postfix/header_checks'. 2026-02-10 00:37:03 +01:00
Christoph
ee1e2d0b7e install_amavis.sh: add spamassassin rule for Null sender ( (Return-Path: <>). 2026-02-10 00:35:10 +01:00
Christoph
96a77260c3 Merge branch 'master' of https://git.oopen.de/install/mailsystem 2026-02-04 22:23:01 +01:00
Christoph
71be7f0754 install_update_dovecot.sh: relax/defuse systemd-hardening 2026-02-04 22:22:31 +01:00
6 changed files with 345 additions and 194 deletions
Expand all files Collapse all files

2
conf/install_update_dovecot.conf.sample
View File

@@ -145,7 +145,7 @@ dbhost=""
# - Cert/Key configurations
# ---
cert_base_dir="/etc/postfix/ssl"
cert_base_dir="/etc/dovecot/ssl"
server_cert=${cert_base_dir}/mailserver.crt
server_key=${cert_base_dir}/mailserver.key
dh_pem_file="${cert_base_dir}/dh_4096.pem"

60
install_amavis.sh
View File

@@ -2257,6 +2257,45 @@ if ! $installation_failed ; then
fi
fi
# Create /etc/spamassassin/99_nullsender.cf
#
# Spamassassin Regeln für Nullsender (Return-Path: <>)
#
# Problem:
# echte DSNs haben ebenfalls Return-Path: <>
#
# Aber:
# Echte DSNs sind i.d.R. multipart/report (delivery-status)
#
echononl " Create file \"/etc/spamassassin/99_nullsender.cf\".."
cat <<'EOF' > /etc/spamassassin/99_nullsender.cf 2> $tmp_err_msg
########################################################################
# Null-sender (Return-Path: <>) Behandlung
# Ziel: Fake-Bounces markieren, echte DSNs nicht treffen
########################################################################
# 1) Null-Envelope-From erkannt
header LOCAL_NULL_SENDER Return-Path =~ /^<>$/i
describe LOCAL_NULL_SENDER Null envelope-from (Return-Path <>)
score LOCAL_NULL_SENDER 0.1
# 2) Echte DSNs sind i.d.R. multipart/report (delivery-status)
header LOCAL_DSN_MULTIPART Content-Type =~ /^multipart\/report\b/i
describe LOCAL_DSN_MULTIPART Looks like a real DSN (multipart/report)
score LOCAL_DSN_MULTIPART -3.0
# 3) Fake-Bounce: Null-sender, aber NICHT multipart/report
meta LOCAL_NULL_NOT_DSN LOCAL_NULL_SENDER && !LOCAL_DSN_MULTIPART
describe LOCAL_NULL_NOT_DSN Null-sender but not a DSN (likely fake bounce spam)
score LOCAL_NULL_NOT_DSN 6.0
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
# - Enable nightly cronjob for spamassassin
# -
@@ -3260,6 +3299,18 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
if [[ "$?" -ne 0 ]] ; then
installation_failed=true
error "$(cat $tmp_err_msg)"
warn "command was:
git clone https://github.com/extremeshok/clamav-unofficial-sigs.git /tmp/clamav-unofficial-sigs"
echononl "continue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
fi
if ! $installation_failed ; then
echo_ok
@@ -4957,6 +5008,7 @@ fi
## - localhost:10025 inet n - y - - smtpd
## - -o content_filter=
## - -o smtpd_proxy_filter=
## - -o smtpd_milters=
## - -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
## - -o smtpd_client_restrictions=
## - -o smtpd_helo_restrictions=
@@ -5031,6 +5083,8 @@ EOF
localhost:10025 inet n - y - - smtpd
-o content_filter=
-o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
@@ -5093,6 +5147,8 @@ EOF
localhost:10025 inet n - y - - smtpd
-o content_filter=
-o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
@@ -5145,6 +5201,8 @@ EOF
localhost:10025 inet n - y - - smtpd
-o content_filter=
-o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
@@ -5181,6 +5239,8 @@ EOF
localhost:10025 inet n - y - - smtpd
-o content_filter=
-o smtpd_proxy_filter=
-o smtpd_milters=
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=

126
install_opendmarc.sh
View File

@@ -881,26 +881,26 @@ else
error "$(cat $log_file)"
fi
echononl " Set Variable non_smtpd_milters at '/etc/postfix/main.cf'.."
if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then
if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then
echo_skipped
else
perl -i -n -p -e "s&^\s*(non_smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \
/etc/postfix/main.cf > $log_file 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
postfix_needs_restart=true
else
echo_failed
error "$(cat $log_file)"
fi
fi
else
echo_skipped
warn "non_smtpd_milters is not adjusted. Complete Postfix configuration (main.cf) manually\!"
fi
#echononl " Set Variable non_smtpd_milters at '/etc/postfix/main.cf'.."
#if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then
# if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then
# echo_skipped
# else
# perl -i -n -p -e "s&^\s*(non_smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \
# /etc/postfix/main.cf > $log_file 2>&1
# if [[ $? -eq 0 ]] ; then
# echo_ok
# postfix_needs_restart=true
# else
# echo_failed
# error "$(cat $log_file)"
# fi
# fi
#else
#
# echo_skipped
# warn "non_smtpd_milters is not adjusted. Complete Postfix configuration (main.cf) manually\!"
#fi
echononl " Set Variable smtpd_milters at '/etc/postfix/main.cf'.."
@@ -975,53 +975,53 @@ EOF
fi
if grep -q -E "^\s*#?\s*non_smtpd_milters\s*=" ${main_cf_file} ; then
ensure_dmarc_var "non_smtpd_milters" > "${tmp_main_cf_file}"
cp "${tmp_main_cf_file}" "${main_cf_file}"
else
cat <<EOF >> /etc/postfix/main.cf 2> $log_file
# Was sind non_smtpd_milters?
#if grep -q -E "^\s*#?\s*non_smtpd_milters\s*=" ${main_cf_file} ; then
#
# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
# der smtpd-Daemon sind.
# ensure_dmarc_var "non_smtpd_milters" > "${tmp_main_cf_file}"
# cp "${tmp_main_cf_file}" "${main_cf_file}"
#
# Das betrifft z. B.:
#else
#
# cleanup Header/Content-Bereinigung
# qmgr Queue-Manager
# lmtp / smtp Auslieferung nach extern
# local lokale Zustellung
# cat <<EOF >> /etc/postfix/main.cf 2> $log_file
#
# Das sind z. B.:
#
# - interne Bounces (MAILER-DAEMON)
#
# - Cron-Mails vom Server
#
# - Weiterleitungen, die Postfix selbst generiert
#
# - Mails, die über sendmail CLI gesendet werden
#
# - Mails, die Amavis über LMTP zurückgibt
#
# - etc.
#
#
# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
non_smtpd_milters = $opendmarc_socket_string
EOF
fi
postfix_needs_restart=true
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
## Was sind non_smtpd_milters?
##
## non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
## der smtpd-Daemon sind.
##
## Das betrifft z. B.:
##
## cleanup Header/Content-Bereinigung
## qmgr Queue-Manager
## lmtp / smtp Auslieferung nach extern
## local lokale Zustellung
##
## Das sind z. B.:
##
## - interne Bounces (MAILER-DAEMON)
##
## - Cron-Mails vom Server
##
## - Weiterleitungen, die Postfix selbst generiert
##
## - Mails, die über sendmail CLI gesendet werden
##
## - Mails, die Amavis über LMTP zurückgibt
##
## - etc.
##
##
## DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
#non_smtpd_milters = $opendmarc_socket_string
#EOF
#fi
#postfix_needs_restart=true
#if [[ $? -eq 0 ]] ; then
# echo_ok
#else
# echo_failed
# error "$(cat $log_file)"
#fi
echo ""

87
install_postfix_advanced.sh
View File

@@ -2911,8 +2911,13 @@ fi
cat <<EOF >> /etc/postfix/main.cf
# Policyd-Weight
#check_policy_service inet:127.0.0.1:12525,
# ---------------------------------------------------------------------------------
# DEPRECATED permit_mx_backup
#
# warning: support for restriction "permit_mx_backup" will be removed from Postfix;
# permit Backup MX
permit_mx_backup,
# permit_mx_backup,
# ---------------------------------------------------------------------------------
# permit, if all restrictions so far passed
permit
@@ -2953,8 +2958,13 @@ smtpd_relay_restrictions =
# managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
# for more details
reject_unverified_recipient,
# ---------------------------------------------------------------------------------
# DEPRECATED permit_mx_backup
#
# warning: support for restriction "permit_mx_backup" will be removed from Postfix;
# permit Backup MX
permit_mx_backup,
# permit_mx_backup,
# ---------------------------------------------------------------------------------
# permit, if all restrictions so far passed
permit
@@ -3058,20 +3068,18 @@ EOF
#
EOF
if [[ -n "$(which opendkim)" ]] && [[ -n "$(which opendmarc)" ]] ; then
if [[ -n "$(which opendkim)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = local:/opendkim/opendkim.sock,local:/opendmarc/opendmarc.sock
EOF
elif [[ -n "$(which opendkim)" ]] ; then
cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = local:/opendkim/opendkim.sock
EOF
else
cat <<EOF >> /etc/postfix/main.cf
non_smtpd_milters = local:/opendmarc/opendmarc.sock
non_smtpd_milters =
EOF
fi
else
cat <<EOF >> /etc/postfix/main.cf
@@ -3616,41 +3624,58 @@ fi
_file="/etc/postfix/header_checks.pcre"
echononl " Create file '$_file' used for header replacing"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
cat << 'EOF' > "$_file"
# ---
# - Replace headers
# - Header Checks - /etc/postfix/header_checks
# ---
#
# Ziel: offensichtlich kaputte RFC-Header ablehnen (wenig False Positives)
# - Replace recieved from
#/^Received: from (.* \\([-._[:alnum:]]+ \\[[.[:digit:]]{7,15}\\]\\)).*?([[:space:]]+).*\\(Authenticated sender: ([^)]+)\\)(.*)/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])\$2(Authenticated sender: \$3)\$4
########################################
# A) Kaputter From:-Header
########################################
# 1) From: ist leer
/^From:\s*$/ REJECT Invalid From header (empty) - Spamschutzregel FROM-1001
# 2) Mehr als ein '@' im From:-Header -> syntaktisch kaputt
/^From:.*@.*@/ REJECT Invalid From header (multiple @) - Spamschutzregel FROM-1002
# ---
# - Ignore Headers
# ---
# 3) Mehrere Mailboxen durch Komma getrennt (wie: Die@..., Lions@..., ...)
# (Legitime Fälle nutzen i.d.R. Display-Namen/Group-Syntax; dieses Muster ist in Spam sehr häufig)
/^From:\s*[^<>,]+@[^,]+,\s*[^<>,]+@/ REJECT Invalid From header (multiple mailboxes) - Spamschutzregel FROM-1003
#/^\s*User-Agent/ IGNORE
#/^\s*X-Enigmail/ IGNORE
#/^\s*X-Mailer/ IGNORE
#/^\s*X-Originating-IP/ IGNORE
# 4) Typische kaputte UTF-8-Fragmente
/^From:.*\xC3\xA2/ REJECT Invalid UTF-8 in From header - Spamschutzregel FROM-1004
# ---
# - Reject / Discard headers
# ---
########################################
# B) Optional: sehr spezifische lokale Blacklist
########################################
/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001
#/^Reply-To: .+\@inx1and1\..+/ REJECT Possible spam (local pattern)
/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001
/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001
########################################
# C) Warn
########################################
/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001
# Date-Rejects sind oft zu aggressiv -> wenn nötig: lieber taggen oder loggen statt reject
/^Date: .* 19[0-9][0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1003
########################################
# Bemerkungen
########################################
# (envelope-from <>) nicht pauschal rejecten:
# echte DSNs/Bounces haben legitimerweise MAIL FROM: <>
#/\(envelope-from <>\)/ REJECT Null envelope-from
/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003
/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004
EOF
if [[ $? -eq 0 ]] ; then
echo_ok

12
install_postfixadmin.sh
View File

@@ -938,6 +938,16 @@ done
if $_failed ; then
echo_failed
error "$(cat $log_file)"
echononl "\tcontinue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Script terminated by user input.."
else
echo_ok
fi
@@ -2198,7 +2208,7 @@ fi
echo -e "\n\n\t\033[37m\033[1mConfigure Postfix Admin\033[m\n"
if [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]]; then
if [[ $MAJOR_VERSION -gt 3 ]] || [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]]; then
pfa_conf_file="${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.local.php"
cp -a "${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.inc.php" "$pfa_conf_file"
else

252
install_update_dovecot.sh
View File

@@ -184,7 +184,7 @@ else
fi
if [[ -z "$systemd_support" ]] ; then
if $SYSTEMD_EXISTS ; then
if $SYSTEMD_EXISTS ; then
systemd_support=true
else
systemd_support=false
@@ -305,7 +305,7 @@ _version_short="${_version%-*}"
#clean_up 0
# 'expire plugin'was rRemoved in version 2.3.14: This plugin is not needed.
# 'expire plugin'was rRemoved in version 2.3.14: This plugin is not needed.
# Use mailbox { autoexpunge } Mailbox settings instead.
#
if [[ $dovecot_major_version -gt 2 ]] \
@@ -362,12 +362,12 @@ if [[ -n "$_update" ]]; then
echo -e "[1] Update"
echo -e "\033[37m\033[1m[2] New Installation\033[m"
fi
echo ""
echo ""
echononl "Choose a number or press <RETURN> for highlighted value: "
else
echo -e "[1] Update"
echo "[2] New Installation"
echo ""
echo ""
echononl "Choose a Number: "
fi
update=""
@@ -392,13 +392,13 @@ while [[ "$update" != "true" && "$update" != "false" ]] ; do
fi
;;
*) update=""
echo ""
echo ""
if [[ -n "$_IS_RELAY_HOST" ]]; then
echo -e "\tWrong entry! [ 1 = Update ; 2 = New Installation ] or type <RETURN>"
else
echo -e "\tWrong entry! [ 1 = Update ; 2 = New Installation ]"
echo -e "\tWrong entry! [ 1 = Update ; 2 = New Installation ]"
fi
echo ""
echo ""
echononl "Reentry: "
;;
esac
@@ -415,7 +415,7 @@ done
clear;
echo ""
if $update ;then
if $update ;then
echo -e "\tUpdate Dovecot................: $update"
else
echo -e "\tInstall Dovecot first time....: Yes"
@@ -507,7 +507,7 @@ export MAKEFLAGS=-j$(expr `grep "^processor" /proc/cpuinfo | sort -u | wc -l` -
echo ""
if $update ;then
if $update ;then
_new=false;
else
_new=true;
@@ -683,7 +683,7 @@ mkdir -p $_log_dir
## -----------------
## --- Download
## --- Download
cd ${_src_base_dir}
@@ -720,7 +720,7 @@ fi
## - Download Pigeonhole for Dovecot v2.2
## -
if [[ ${dovecot_major_version} -eq 2 ]] && [[ ${dovecot_minor_version} -lt 4 ]] ; then
echononl "\tDownload dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz.."
if [ ! -f "${_src_base_dir}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz" ]; then
wget --no-check-certificate https://pigeonhole.dovecot.org/releases/${dovecot_main_version}/dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz > /dev/null 2>&1
@@ -730,7 +730,7 @@ if [[ ${dovecot_major_version} -eq 2 ]] && [[ ${dovecot_minor_version} -lt 4 ]]
echo -e "$rc_failed"
error "Direct download of 'dovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz' failed
Download \033[1mdovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz\033[m manually
Download \033[1mdovecot-${dovecot_main_version}-pigeonhole-${_pigeonhole}.tar.gz\033[m manually
and proceed instllation."
echononl "\tProceed instllation [yes/no]: "
@@ -1071,7 +1071,7 @@ fi
## - if [ -d $checkdir ]; then
## - PATH=$PATH:$checkdir
## - fi
## -
## -
echononl "\tAdd /usr/local/dovecot/bin to PATH variable.."
if ! grep "checkdir=\"/usr/local/dovecot/bin\"" /etc/profile > /dev/null ; then
perl -i -n -p -e "s#^(\s*)(export\ +PATH)#checkdir=\"/usr/local/dovecot/bin\"\nif [ -d \\\$checkdir ]; then\n PATH=\\\$PATH:\\\$checkdir\nfi\n\n\1\2#" /etc/profile
@@ -1166,9 +1166,9 @@ cp -r /usr/local/dovecot-${_version}/share/doc/dovecot/example-config/* \
## - base_dir =/run/dovecot/
## - state_dir = /run/dovecot
## - shutdown_clients = no
## -
## -
## - dict {
## - expire = $db_driver:/usr/local/dovecot/etc/dovecot/sql-dict.conf.ext
## - expire = $db_driver:/usr/local/dovecot/etc/dovecot/sql-dict.conf.ext
## - }
## -
echononl "\tAdjust file dovecot.conf.."
@@ -1253,7 +1253,7 @@ if $_new ; then
echononl "\tCreate table expires in database ${dbname}.."
if $plugin_expire ; then
cat << EOF | psql -U$dbuser $dbname > ${_log_dir}/error.log 2>&1
CREATE TABLE IF NOT EXISTS expires (
username varchar(100) not null,
mailbox varchar(255) not null,
@@ -1395,7 +1395,7 @@ EOF
echononl "\tCreate table expires in database ${dbname}.."
if $plugin_expire ; then
cat << EOF | mysql -u$dbuser -p$dbpassword $dbname > /dev/null 2>&1
CREATE TABLE IF NOT EXISTS expires (
username varchar(100) not null,
mailbox varchar(255) not null,
@@ -1450,7 +1450,7 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# END IF;
# END;
# \$\$ LANGUAGE plpgsql;
#
#
# CREATE TRIGGER mergeexpires BEFORE INSERT ON expires
# FOR EACH ROW EXECUTE PROCEDURE merge_expires();
@@ -1505,7 +1505,7 @@ EOF
echo -e "$rc_failed"
fatal "Creating file sql-dict.conf.ext failed"
fi
fi
fi
else
echo -e "$rc_skipped"
fi
@@ -1519,15 +1519,15 @@ fi
## - default_vsz_limit = 512M
## -
## - !! Bemerkung !!
## -
## - Das Hochsetzen des default_client_limit Parameters auf einen Wert größer
## - als 1024 geht nur dann wenn auch die Anzahl der zulässigen "open files"
## - (default = 1024) geändert wird.
## -
## - Das Hochsetzen des default_client_limit Parameters auf einen Wert größer
## - als 1024 geht nur dann wenn auch die Anzahl der zulässigen "open files"
## - (default = 1024) geändert wird.
## -
## -
## - Systemd System:
## - ===============
## -
## -
## - In der service datei (z.Bsp. /etc/systemd/system/multi-user.target.wants/dovecot.service)
## - den Wert 'LimitNOFILE' hochsetzen:
## -
@@ -1536,15 +1536,15 @@ fi
## - systemctl daemon-reload
## - systemctl restart dovecot.service
## -
## - Im Falle von LX containern muss zusätzlich auf dem hostsystem
## - in der datei '/etc/systemd/system.conf' der Wert für 'DefaultLimitNOFILE'
## - Im Falle von LX containern muss zusätzlich auf dem hostsystem
## - in der datei '/etc/systemd/system.conf' der Wert für 'DefaultLimitNOFILE'
## - hochgesetzt werden.
## -
## - System V systems:
## - =================
## - Das Hochsetzen des default_client_limit Parameters auf einen Wert größer
## - als 1024 geht nur dann wenn auch die Anzahl der zulässigen "open files"
## - (default = 1024) geändert wird. Z.Bsp. in der Datei /etc/init.d/dovecot
## - Das Hochsetzen des default_client_limit Parameters auf einen Wert größer
## - als 1024 geht nur dann wenn auch die Anzahl der zulässigen "open files"
## - (default = 1024) geändert wird. Z.Bsp. in der Datei /etc/init.d/dovecot
## - durch Einfügen der zeile:
## - ulimit -n 32768
## -
@@ -1596,10 +1596,10 @@ fi
## - address = $imaps_listener_adresses
## - ..
## - }
## -
## -
## - process_min_avail = 16
## - }
## -
## -
## - service pop3-login {
## - inet_listener pop3 {
## - address = $pop_listener_adresses
@@ -1678,7 +1678,7 @@ fi
## - permanently on filesystem. So we have to create such a file
## -
## - openssl dhparam -out /etc/postfix/ssl/dh_4096.pem`
## -
## -
if [[ $dovecot_major_version -ge 3 ]] \
|| ( [[ $dovecot_major_version -eq 2 ]] && [[ $dovecot_minor_version -ge 3 ]] ); then
@@ -1687,7 +1687,7 @@ if [[ $dovecot_major_version -ge 3 ]] \
echo -en "$rc_wait"
if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 11 ]] ; then
openssl dhparam -out "$dh_pem_file" 4096 > /dev/null 2>&1
else
else
openssl dhparam -dsaparam -out "$dh_pem_file" 4096 > /dev/null 2>&1
fi
if [[ $? -eq 0 ]]; then
@@ -1784,7 +1784,7 @@ fi
## - edit /usr/local/dovecot/etc/dovecot/conf.d/10-mail.conf
## -
## -
## - mail_location = maildir:/var/vmail/%d/%n/Maildir
## -
## - mail_uid = vmail
@@ -1794,7 +1794,7 @@ fi
## - last_valid_uid = 5000
## -
## - mail_temp_dir = /var/vmail/tmp
## -
## -
## - first_valid_gid = 5000
## - last_valid_gid = 5000
## -
@@ -1842,7 +1842,7 @@ else
echo -e "$rc_failed"
fatal "Adjusting file '10-mail.conf' failed"
fi
echononl "\tCreate TEMP directory '/var/vmail/tmp' .."
@@ -1937,7 +1937,7 @@ fi
## -
## - Add namespaces type private
## -
## - Add:
## - Add:
## - namespace inbox {
## - type = private
## - separator = /
@@ -1957,7 +1957,7 @@ namespace inbox {
# Hierarchy separator to use. You should use the same separator for all
# namespaces or some clients get confused. '/' is usually a good one.
# The default however depends on the underlying mail storage format.
#separator =
#separator =
separator = /
# Prefix required to access this namespace. This needs to be different for
@@ -2007,12 +2007,12 @@ fi
## - auto = subscribe
## - special_use = \Drafts
## - }
## -
## -
## - mailbox Trash {
## - auto = subscribe
## - special_use = \Trash
## - }
## -
## -
## - mailbox Sent {
## - auto = subscribe
## - special_use = \Sent
@@ -2072,7 +2072,7 @@ fi
## -
## - disable_plaintext_auth = no
## - auth_mechanisms = $auth_mechanisms
## - !include auth-sql.conf.ext # comment all other includes
## - !include auth-sql.conf.ext # comment all other includes
## - auth_username_translation = "%@"
## -
_failed=false
@@ -2101,14 +2101,14 @@ fi
## -
## - passdb {
## - driver = sql
## -
## -
## -
## -
## - # path for sql configuration file, see example-config/dovecot-sql.conf.ext
## - args = /usr/local/dovecot/etc/dovecot/sql-connect.conf.ext
## - }
## -
## -
## - ..
## -
## -
## - userdb {
## - driver = sql
## - args = /usr/local/dovecot/etc/dovecot/sql-connect.conf.ext
@@ -2194,14 +2194,14 @@ fi
## - if running inetd-script:
## -
## - log_path = /var/log/dovecot/dovecot.log
## -
## -
## - or for example
## -
## - log_path = syslog
## - syslog_facility = local1
## - auth_verbose = yes
## - auth_verbose_passwords = plain
## -
## -
## - in conjunction with the the following entries in /etc/rsyslog.conf
## -
## - local1.* -/var/log/dovecot.log
@@ -2310,7 +2310,7 @@ fi
## - hostname = $hostname
## - sendmail_path = /usr/sbin/sendmail
## - lda_mailbox_autocreate = no
## - mail_plugins = $mail_plugins sieve
## - mail_plugins = $mail_plugins sieve
## -
_failed=false
echononl "\tAdjusting file 15-lda.conf"
@@ -2406,7 +2406,7 @@ fi
## - edit /usr/local/dovecot/etc/dovecot/conf.d/90-plugin.conf
## -
## - Note:
## - Setting "autocreate", "autosubscribe" here is depricated. Use mailbox { auto } setting instead.
## - Setting "autocreate", "autosubscribe" here is depricated. Use mailbox { auto } setting instead.
## -
## - expire = Trash
## - expire2 = Trash/*
@@ -2419,7 +2419,7 @@ fi
## - # it's better to enable it only after you've verified that the expire plugin is
## - # working as wanted. (v2.2.16+)
## - expire_cache = yes
## -
## -
_failed=false
echononl "\tAdjusting file 90-plugin.conf"
if $plugin_expire ; then
@@ -2483,7 +2483,7 @@ while IFS='' read -r _line || [[ -n $_line ]] ; do
cat <<EOF >> "$_tmp_file"
# Add Setting 'sieve_vacation_send_from_recipient' from (included)
# Add Setting 'sieve_vacation_send_from_recipient' from (included)
#
# Pigeonhole Sieve: Vacation Extension
# ====================================
@@ -2563,7 +2563,7 @@ else
fi
## - NOTICE: if you pre-compile your (global) scripts, you will increase
## - NOTICE: if you pre-compile your (global) scripts, you will increase
## - performance
## -
echononl "\tPrecompile global sieve script"
@@ -2597,12 +2597,14 @@ chown -R vmail:vmail /usr/local/dovecot-${_version}/etc/dovecot/sieve
if $systemd_support; then
_folder_created=false
## - # - At time, we don't use private tmp directory for divecot.
## - # -
## - echononl "\tAdjust Systemd service file, set PrivateTmp=false.."
## - if [[ -f "/etc/systemd/system/dovecot.service" ]] ; then
## -
## - if $(grep -o -E "PrivateTmp\s*=\s*[^[:blank:]]+" /etc/systemd/system/dovecot.service | grep -q true 2> /dev/null ) ; then
## -
## - if $(grep -o -E "PrivateTmp\s*=\s*[^[:blank:]]+" /etc/systemd/system/dovecot.service | grep -q true 2> /dev/null ) ; then
## - perl -i -n -p -e "s/(PrivateTmp\s*=\s*)true/\1false/" /etc/systemd/system/dovecot.service
## - if [[ $? -eq 0 ]]; then
## - echo -e "$rc_done"
@@ -2620,9 +2622,16 @@ if $systemd_support; then
## -
## - here:
## - LimitNOFILE=32768
## -
if [[ -f "/lib/systemd/system/dovecot.service" ]] \
&& $(grep -q -E "^LimitNOFILE=" /lib/systemd/system/dovecot.service) ; then
## -
## - zwei Bemerkungen:
## - - keine runden Klammern notwendig, da die bash '&&' vor '||' auswertet
## - - hier auch keine backslah '\' am ende der zeile notwendig, da statement
## - offensichtlich noch nichzt abgeschlossen ist (die bash erkennt das)
## -
if [[ -f /lib/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*LimitNOFILE=' /lib/systemd/system/dovecot.service ||
[[ -f /etc/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*LimitNOFILE=' /etc/systemd/system/dovecot.service ; then
_LimitNOFILE="$(grep -E "^LimitNOFILE=[[:digit:]]+" /lib/systemd/system/dovecot.service | cut -d'=' -f2)"
@@ -2638,6 +2647,7 @@ if $systemd_support; then
mkdir "/etc/systemd/system/dovecot.service.d" > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo -e "$rc_done"
_folder_created=true
else
echo -e "$rc_failed"
adjust_limit_nofile=false
@@ -2656,8 +2666,54 @@ LimitNOFILE=$service_limit_nofile
EOF
echo -e "$rc_done"
fi
fi
## - Adjust systemd hardening:
## -
## - Options such as ProtectSystem=full/strict make the service's mount namespace,
## - including /usr (and thus /usr/local/dovecote/..), read-only, even though it is w
## - ritable outside the service.
## -
## - However, we would like to allow dovecot to write to the directory
## - /usr/local/dovecot/etc/dovecot/sieve/.
## -
## - ProtectSystem=off
## -
## - zwei Bemerkungen:
## - - keine runden Klammern notwendig, da die bash '&&' vor '||' auswertet
## - - hier auch keine backslah '\' am ende der zeile notwendig, da statement
## - offensichtlich noch nichzt abgeschlossen ist (die bash erkennt das)
## -
if [[ -f /lib/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*ProtectSystem=' /lib/systemd/system/dovecot.service ||
[[ -f /etc/systemd/system/dovecot.service ]] &&
grep -qE '^[[:space:]]*ProtectSystem=' /etc/systemd/system/dovecot.service ; then
if ! ${_folder_created} ; then
echononl "\tCreate Directory '/etc/systemd/system/dovecot.service.d'.."
if [[ -d "/etc/systemd/system/dovecot.service.d" ]] ; then
echo -e "$rc_skipped"
else
mkdir "/etc/systemd/system/dovecot.service.d" > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo -e "$rc_done"
else
echo -e "$rc_failed"
fi
fi
fi
echononl "\tSet 'ProtectSystem=off' for 'dovecot.service'.."
cat <<EOF > /etc/systemd/system/dovecot.service.d/systemd-hardening.conf
[Service]
ProtectSystem=off
EOF
echo -e "$rc_done"
fi
echononl "\tReload systemd .."
systemctl daemon-reload > /dev/null 2>&1
@@ -2692,7 +2748,7 @@ else
fi
fi
if $_new ; then
@@ -2707,7 +2763,7 @@ if $_new ; then
## - running dovecot service via init-script
## -
cat <<EOF > /etc/init.d/dovecot
#! /bin/sh
#! /bin/sh
### BEGIN INIT INFO
# Provides: dovecot
# Required-Start: \$syslog \$postgresql
@@ -2899,7 +2955,7 @@ EOF
echo -e "$rc_failed"
fatal "Creating init script for dovecot failed"
fi
chmod 755 /etc/init.d/dovecot
else
@@ -2910,7 +2966,7 @@ EOF
fi
## - Add a cronjob to restart dovecot after booting the system.
## -
## -
## - Notice:
## - On normal start, dovecot started its service even if ipv6 is not
## - yet present and dovecot cannot bind to ipv6 listeners.
@@ -2964,10 +3020,10 @@ EOF
## - add/uncomment:
## -
## - smtpd_tls_auth_only
## -
## -
## - smtpd_sasl_type = dovecot
## - smtpd_sasl_path = private/dovecot-auth
## -
## -
## - virtual_transport = dovecot
## - dovecot_destination_recipient_limit = 1
## -
@@ -3172,22 +3228,22 @@ echo -e "\033[1mConfigure quota support for dovecot\033[m"
## - take care quota plugins (quota,imap-quota) will
## - be loaded:
## -
## -
## - there are two quota related plugins:
## -
## -
## - * quota: implements the actual quota handling and includes also all the quota backends.
## - * imap_quota: for reporting quota information via imap.
## -
## - * imap_quota: for reporting quota information via imap.
## -
## - enable them in configuration files, e.g.:
## -
## -
## - conf.d/10-mail.conf:
## -
## -
## - # space separated list of plugins to load for all services. plugins specific to
## - # imap, lda, etc. are added to this list in their own .conf files.
## - mail_plugins = $mail_plugins quota
## -
## -
## - conf.d/20-imap.conf:
## -
## -
## - protocol imap {
## - # space separated list of plugins to load (default is global mail_plugins).
## - mail_plugins = $mail_plugins imap_quota
@@ -3222,7 +3278,7 @@ fi
## - edit /usr/local/dovecot/etc/dovecot/dovecot.conf
## -
## -
## - add:
## -
## - dict {
@@ -3369,7 +3425,7 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# END IF;
# return NEW;
# END IF;
#
#
# LOOP
# UPDATE quota2 SET bytes = bytes + NEW.bytes,
# messages = messages + NEW.messages
@@ -3377,7 +3433,7 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# IF found THEN
# RETURN NULL;
# END IF;
#
#
# BEGIN
# IF NEW.messages = 0 THEN
# INSERT INTO quota2 (bytes, messages, username) VALUES (NEW.bytes, NULL, NEW.username);
@@ -3391,10 +3447,10 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# END LOOP;
# END;
# \$\$;
#
#
#
#
# ALTER FUNCTION public.merge_quota2() OWNER TO postfix;
#
#
# CREATE TRIGGER mergequota2
# BEFORE INSERT ON quota2
# FOR EACH ROW
@@ -3444,7 +3500,7 @@ EOF
# END IF;
# END;
# \$\$ LANGUAGE plpgsql;
#
#
# CREATE TRIGGER mergeexpires BEFORE INSERT ON expires
# FOR EACH ROW EXECUTE PROCEDURE merge_expires();
@@ -3473,7 +3529,7 @@ EOF
fi
## - you also have to update the userdb's query in file
## - "/usr/local/dovecot/etc/dovecot/sql-connect.conf.ext" to
## - "/usr/local/dovecot/etc/dovecot/sql-connect.conf.ext" to
## - support extra variable "quota_rule"
## -
echononl "\tRenew file sql-connect.conf.ext"
@@ -3570,7 +3626,7 @@ EOF
fi
## - you also have to update the userdb's query in file
## - "/usr/local/dovecot/etc/dovecot/sql-connect.conf.ext" to
## - "/usr/local/dovecot/etc/dovecot/sql-connect.conf.ext" to
## - support extra variable "quota_rule"
## -
echononl "\tRenew file sql-connect.conf.ext"
@@ -3697,20 +3753,20 @@ fi
## - edit /usr/local/dovecot/etc/dovecot/conf.d/90-quota.conf
## -
## -
## - add to the end of file or in seperate plugin-blocks
## - as designed in that file:
## - plugin {
## - # sql backend:
## - quota = dict:user quota::proxy::quota
## -
## -
## - quota_rule = *:storage=1g
## - quota_rule2 = trash:storage=+100m
## -
## - quota_warning = storage=80%% quota-warning 80 %u
## - quota_warning2 = storage=95%% quota-warning 95 %u
## - }
## -
## -
## - service quota-warning {
## - executable = script /usr/local/bin/quota-warning.sh
## - user = vmail
@@ -3725,7 +3781,7 @@ cp -a /usr/local/dovecot-${_version}/etc/dovecot/conf.d/90-quota.conf \
/usr/local/dovecot-${_version}/etc/dovecot/conf.d/90-quota.conf.ORIG
cat <<EOF >>/usr/local/dovecot-${_version}/etc/dovecot/conf.d/90-quota.conf
## -
## -
plugin {
# SQL backend:
quota = dict:User quota::proxy::quota
@@ -3832,7 +3888,7 @@ fi
## - edit /usr/local/dovecot/etc/dovecot/conf.d/10-mail.conf
## -
## - Add namespaces type shared to 10-mail.conf
## - Take care to enable ACL plugin also, otherwise all users can access all the shared
## - Take care to enable ACL plugin also, otherwise all users can access all the shared
## - mailboxes, assuming they have permissions on filesystem level to do so.
## - we will do that later..
## - namespace {
@@ -3894,7 +3950,7 @@ else
fi
## - edit /usr/local/dovecot/etc/dovecot/conf.d/10-mail.conf
## -
## -
## - mail_plugins = quota expire acl
## -
_failed=false
@@ -3961,7 +4017,7 @@ fi
## -
## - plugin {
## - ## acl = vfile:/etc/dovecot/global-acls:cache_secs=300
## -
## -
## - # Without global ACLs:
## - acl = vfile
## - ..
@@ -4094,8 +4150,8 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
## - NOTE:
## -
## - All changes on database (CREATE TABLE / CREATE TRIGGER / what else..)
## - need to be done as the dbuser (here postfix) under whom dovecot
## - accesses the database. If not, you have to change the permissiond to allow
## - need to be done as the dbuser (here postfix) under whom dovecot
## - accesses the database. If not, you have to change the permissiond to allow
## - dovecot dbuser to access the createt table/trigger/...
## -
@@ -4125,7 +4181,7 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# END IF;
# return NEW;
# END IF;
#
#
# LOOP
# UPDATE quota2 SET bytes = bytes + NEW.bytes,
# messages = messages + NEW.messages
@@ -4133,7 +4189,7 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# IF found THEN
# RETURN NULL;
# END IF;
#
#
# BEGIN
# IF NEW.messages = 0 THEN
# INSERT INTO quota2 (bytes, messages, username) VALUES (NEW.bytes, NULL, NEW.username);
@@ -4147,10 +4203,10 @@ connect = host=$dbhost user=$dbuser password=$dbpassword dbname=$dbname
# END LOOP;
# END;
# \$\$;
#
#
#
#
# ALTER FUNCTION public.merge_quota2() OWNER TO postfix;
#
#
# CREATE TRIGGER mergequota2
# BEFORE INSERT ON quota2
# FOR EACH ROW
@@ -4200,7 +4256,7 @@ EOF
# END IF;
# END;
# \$\$ LANGUAGE plpgsql;
#
#
# CREATE TRIGGER mergeexpires BEFORE INSERT ON expires
# FOR EACH ROW EXECUTE PROCEDURE merge_expires();
@@ -4230,7 +4286,7 @@ EOF
# primary key (from_user, to_user)
# );
# COMMENT ON TABLE user_shares IS 'User from_user shares folders to user to_user.';
#
#
# CREATE TABLE anyone_shares (
# from_user varchar(100) not null,
# dummy char(1) DEFAULT '1', -- always '1' currently
@@ -4336,7 +4392,7 @@ EOF
# dummy char(1) DEFAULT '1', -- always '1' currently
# primary key (from_user, to_user)
# ) COMMENT = 'User from_user shares folders to user to_user.';
#
#
# CREATE TABLE anyone_shares (
# from_user varchar(100) not null,
# dummy char(1) DEFAULT '1', -- always '1' currently
@@ -4576,7 +4632,7 @@ fi
blank_line
echononl "\tSet '_update=true' in file '$(basename "$conf_file")'.."
if grep -q -E "^\s*_update=false" "$conf_file" 2> /dev/null ; then
perl -i -n -p -e "s/^\s*_update=.*/_update=true/" "$conf_file"
perl -i -n -p -e "s/^\s*_update=.*/_update=true/" "$conf_file"
if [ "$?" = 0 ]; then
echo -e "$rc_done"
else