install_postfix_advanced.sh: remove depredated parameter 'permit_mx_backup'.

conf/install_update_dovecot.conf.sample

@@ -145,7 +145,7 @@ dbhost=""
 # - Cert/Key configurations
 # ---
 
-cert_base_dir="/etc/postfix/ssl"
+cert_base_dir="/etc/dovecot/ssl"
 server_cert=${cert_base_dir}/mailserver.crt
 server_key=${cert_base_dir}/mailserver.key
 dh_pem_file="${cert_base_dir}/dh_4096.pem"

install_amavis.sh

@@ -2257,6 +2257,45 @@ if ! $installation_failed ; then
    fi
 fi
 
+# Create /etc/spamassassin/99_nullsender.cf
+#
+# Spamassassin Regeln für Nullsender (Return-Path: <>)
+#
+# Problem:
+#     echte DSNs haben ebenfalls Return-Path: <>
+#
+# Aber:
+#     Echte DSNs sind i.d.R. multipart/report (delivery-status)
+#
+echononl "   Create file \"/etc/spamassassin/99_nullsender.cf\".."
+cat <<'EOF' > /etc/spamassassin/99_nullsender.cf 2> $tmp_err_msg
+########################################################################
+# Null-sender (Return-Path: <>) Behandlung
+# Ziel: Fake-Bounces markieren, echte DSNs nicht treffen
+########################################################################
+
+# 1) Null-Envelope-From erkannt
+header  LOCAL_NULL_SENDER      Return-Path =~ /^<>$/i
+describe LOCAL_NULL_SENDER     Null envelope-from (Return-Path <>)
+score   LOCAL_NULL_SENDER      0.1
+
+# 2) Echte DSNs sind i.d.R. multipart/report (delivery-status)
+header  LOCAL_DSN_MULTIPART    Content-Type =~ /^multipart\/report\b/i
+describe LOCAL_DSN_MULTIPART   Looks like a real DSN (multipart/report)
+score   LOCAL_DSN_MULTIPART    -3.0
+
+# 3) Fake-Bounce: Null-sender, aber NICHT multipart/report
+meta    LOCAL_NULL_NOT_DSN     LOCAL_NULL_SENDER && !LOCAL_DSN_MULTIPART
+describe LOCAL_NULL_NOT_DSN    Null-sender but not a DSN (likely fake bounce spam)
+score   LOCAL_NULL_NOT_DSN     6.0
+EOF
+if [[ $? -eq 0 ]] ; then
+   echo_ok
+else
+   echo_failed
+   error "$(cat $tmp_err_msg)"
+fi
+
 
 # - Enable nightly cronjob for spamassassin
 # -
@@ -3260,6 +3299,18 @@ if $INSTALL_CLAMAV_UNOFFICIAL_SIGS ; then
    if [[ "$?" -ne 0 ]] ; then
       installation_failed=true
       error "$(cat $tmp_err_msg)"
+
+      warn "command was:
+
+                     git clone https://github.com/extremeshok/clamav-unofficial-sigs.git /tmp/clamav-unofficial-sigs"
+		echononl "continue anyway [yes/no]: "
+		read OK
+		OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+		while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
+			echononl "Wrong entry! - repeat [yes/nno]: "
+			read OK
+		done
+		[[ $OK = "yes" ]] || fatal "Abbruch durch User"
    fi
    if ! $installation_failed ; then
       echo_ok
@@ -4957,6 +5008,7 @@ fi
 ## -  localhost:10025  inet  n       -       y       -       -       smtpd
 ## -     -o content_filter=
 ## -     -o smtpd_proxy_filter=
+## -     -o smtpd_milters=
 ## -     -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
 ## -     -o smtpd_client_restrictions=
 ## -     -o smtpd_helo_restrictions=
@@ -5031,6 +5083,8 @@ EOF
 localhost:10025  inet  n       -       y       -       -       smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
+   -o smtpd_milters=
+   -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
@@ -5093,6 +5147,8 @@ EOF
 localhost:10025  inet  n       -       y       -       -       smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
+   -o smtpd_milters=
+   -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
@@ -5145,6 +5201,8 @@ EOF
 localhost:10025  inet  n       -       y       -       -       smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
+   -o smtpd_milters=
+   -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
@@ -5181,6 +5239,8 @@ EOF
 localhost:10025  inet  n       -       y       -       -       smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
+   -o smtpd_milters=
+   -o milter_macro_daemon_name=ORIGINATING
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8,[::1]/128
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=

install_opendmarc.sh

@@ -881,26 +881,26 @@ else
    error "$(cat $log_file)"
 fi
 
-echononl "   Set Variable non_smtpd_milters at '/etc/postfix/main.cf'.."
-if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then
-   if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then
-      echo_skipped
-   else
-      perl -i -n -p -e "s&^\s*(non_smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \
-         /etc/postfix/main.cf > $log_file 2>&1
-      if [[ $? -eq 0 ]] ; then
-         echo_ok
-         postfix_needs_restart=true
-      else
-         echo_failed
-         error "$(cat $log_file)"
-      fi
-   fi
-else
-
-   echo_skipped
-   warn "non_smtpd_milters is not adjusted. Complete Postfix configuration (main.cf) manually\!"
-fi
+#echononl "   Set Variable non_smtpd_milters at '/etc/postfix/main.cf'.."
+#if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*opendkim.sock" /etc/postfix/main.cf 2> /dev/null) ; then
+#   if $(grep -q -E "^\s*non_smtpd_milters\s*=\s*.*$(basename "${opendmarc_socket_file}")" /etc/postfix/main.cf); then
+#      echo_skipped
+#   else
+#      perl -i -n -p -e "s&^\s*(non_smtpd_milters\s*=.*opendkim.sock)&\1,local:/$(basename "${opendmarc_socket_dir}")/$(basename "${opendmarc_socket_file}")&" \
+#         /etc/postfix/main.cf > $log_file 2>&1
+#      if [[ $? -eq 0 ]] ; then
+#         echo_ok
+#         postfix_needs_restart=true
+#      else
+#         echo_failed
+#         error "$(cat $log_file)"
+#      fi
+#   fi
+#else
+#
+#   echo_skipped
+#   warn "non_smtpd_milters is not adjusted. Complete Postfix configuration (main.cf) manually\!"
+#fi
 
 
 echononl "   Set Variable smtpd_milters at '/etc/postfix/main.cf'.."
@@ -975,53 +975,53 @@ EOF
 fi
 
 
-if grep -q -E "^\s*#?\s*non_smtpd_milters\s*=" ${main_cf_file} ; then
-
-   ensure_dmarc_var "non_smtpd_milters"     > "${tmp_main_cf_file}"
-   cp "${tmp_main_cf_file}" "${main_cf_file}"
-
-else
-
-      cat <<EOF >> /etc/postfix/main.cf 2> $log_file
-
-# Was sind non_smtpd_milters?
+#if grep -q -E "^\s*#?\s*non_smtpd_milters\s*=" ${main_cf_file} ; then
 #
-# non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
-# der smtpd-Daemon sind.
+#   ensure_dmarc_var "non_smtpd_milters"     > "${tmp_main_cf_file}"
+#   cp "${tmp_main_cf_file}" "${main_cf_file}"
 #
-# Das betrifft z. B.:
+#else
 #
-#     cleanup        Header/Content-Bereinigung
-#     qmgr           Queue-Manager
-#     lmtp / smtp    Auslieferung nach extern
-#     local          lokale Zustellung
+#      cat <<EOF >> /etc/postfix/main.cf 2> $log_file
 #
-# Das sind z. B.:
-#
-#     -  interne Bounces (MAILER-DAEMON)
-#
-#     -  Cron-Mails vom Server
-#
-#     -  Weiterleitungen, die Postfix selbst generiert
-#
-#     -  Mails, die über sendmail CLI gesendet werden
-#
-#     -  Mails, die Amavis über LMTP zurückgibt
-#
-#     -  etc.
-#
-#
-# DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
-non_smtpd_milters = $opendmarc_socket_string
-EOF
-fi
-postfix_needs_restart=true
-if [[ $? -eq 0 ]] ; then
-   echo_ok
-else
-   echo_failed
-   error "$(cat $log_file)"
-fi
+## Was sind non_smtpd_milters?
+##
+## non_smtpd_milters gilt für alle Postfix-Prozesse, die Mails verarbeiten, aber NICHT
+## der smtpd-Daemon sind.
+##
+## Das betrifft z. B.:
+##
+##     cleanup        Header/Content-Bereinigung
+##     qmgr           Queue-Manager
+##     lmtp / smtp    Auslieferung nach extern
+##     local          lokale Zustellung
+##
+## Das sind z. B.:
+##
+##     -  interne Bounces (MAILER-DAEMON)
+##
+##     -  Cron-Mails vom Server
+##
+##     -  Weiterleitungen, die Postfix selbst generiert
+##
+##     -  Mails, die über sendmail CLI gesendet werden
+##
+##     -  Mails, die Amavis über LMTP zurückgibt
+##
+##     -  etc.
+##
+##
+## DKIM soll auch die ausgehenden Mails signieren, die nicht über smtpd daemon versendet werden.
+#non_smtpd_milters = $opendmarc_socket_string
+#EOF
+#fi
+#postfix_needs_restart=true
+#if [[ $? -eq 0 ]] ; then
+#   echo_ok
+#else
+#   echo_failed
+#   error "$(cat $log_file)"
+#fi
 
 
 echo ""

install_postfix_advanced.sh

@@ -2911,8 +2911,13 @@ fi
 cat <<EOF >> /etc/postfix/main.cf
 # Policyd-Weight
    #check_policy_service inet:127.0.0.1:12525,
+# ---------------------------------------------------------------------------------
+# DEPRECATED permit_mx_backup
+#
+# warning: support for restriction "permit_mx_backup" will be removed from Postfix;
 # permit Backup MX
-   permit_mx_backup,
+#   permit_mx_backup,
+# ---------------------------------------------------------------------------------
 # permit, if all restrictions so far passed
    permit
 
@@ -2953,8 +2958,13 @@ smtpd_relay_restrictions =
 # managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
 # for more details
    reject_unverified_recipient,
+# ---------------------------------------------------------------------------------
+# DEPRECATED permit_mx_backup
+#
+# warning: support for restriction "permit_mx_backup" will be removed from Postfix;
 # permit Backup MX
-   permit_mx_backup,
+#   permit_mx_backup,
+# ---------------------------------------------------------------------------------
 # permit, if all restrictions so far passed
    permit
 
@@ -3058,20 +3068,18 @@ EOF
 #
 EOF
 
-   if [[ -n "$(which opendkim)" ]]  && [[ -n "$(which opendmarc)" ]] ; then
-      cat <<EOF >> /etc/postfix/main.cf
-non_smtpd_milters =  local:/opendkim/opendkim.sock,local:/opendmarc/opendmarc.sock
-EOF
-   elif [[ -n "$(which opendkim)" ]] ; then
+   if [[ -n "$(which opendkim)" ]]  ; then
       cat <<EOF >> /etc/postfix/main.cf
 non_smtpd_milters =  local:/opendkim/opendkim.sock
 EOF
    else
       cat <<EOF >> /etc/postfix/main.cf
-non_smtpd_milters = local:/opendmarc/opendmarc.sock
+non_smtpd_milters =
 EOF
    fi
+
 else
+
    cat <<EOF >> /etc/postfix/main.cf
 
 
@@ -3616,41 +3624,58 @@ fi
 _file="/etc/postfix/header_checks.pcre"
 echononl "   Create file '$_file' used for header replacing"
 if [[ ! -f "$_file" ]]; then
-	cat << EOF > "$_file"
+	cat << 'EOF' > "$_file"
 # ---
-# - Replace headers
+# - Header Checks - /etc/postfix/header_checks
 # ---
+#
+#     Ziel: offensichtlich kaputte RFC-Header ablehnen (wenig False Positives)
 
-# - Replace recieved from
-#/^Received: from (.* \\([-._[:alnum:]]+ \\[[.[:digit:]]{7,15}\\]\\)).*?([[:space:]]+).*\\(Authenticated sender: ([^)]+)\\)(.*)/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])\$2(Authenticated sender: \$3)\$4
+########################################
+# A) Kaputter From:-Header
+########################################
+
+# 1) From: ist leer
+/^From:\s*$/                           REJECT Invalid From header (empty) - Spamschutzregel FROM-1001
+
+# 2) Mehr als ein '@' im From:-Header -> syntaktisch kaputt
+/^From:.*@.*@/                         REJECT Invalid From header (multiple @) - Spamschutzregel FROM-1002
 
 
-# ---
-# - Ignore Headers
-# ---
+# 3) Mehrere Mailboxen durch Komma getrennt (wie: Die@..., Lions@..., ...)
+#    (Legitime Fälle nutzen i.d.R. Display-Namen/Group-Syntax; dieses Muster ist in Spam sehr häufig)
+/^From:\s*[^<>,]+@[^,]+,\s*[^<>,]+@/   REJECT Invalid From header (multiple mailboxes) - Spamschutzregel FROM-1003
 
-#/^\s*User-Agent/        IGNORE
-#/^\s*X-Enigmail/        IGNORE
-#/^\s*X-Mailer/          IGNORE
-#/^\s*X-Originating-IP/  IGNORE
+# 4) Typische kaputte UTF-8-Fragmente
+/^From:.*\xC3\xA2/                     REJECT Invalid UTF-8 in From header - Spamschutzregel FROM-1004
 
 
-# ---
-# - Reject / Discard headers
-# ---
+########################################
+# B) Optional: sehr spezifische lokale Blacklist
+########################################
 
-/^To:.*<>/                    REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001
+#/^Reply-To: .+\@inx1and1\..+/         REJECT Possible spam (local pattern)
 
-/\(envelope-from <>\)/        REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001
 
-/^Reply-To: .+\@inx1and1\..+/                REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001
+########################################
+# C) Warn
+########################################
 
-/^From:.*<>/                             REJECT Possible SPAM - Header-Spamschutzregel FROM-1001
+# Date-Rejects sind oft zu aggressiv -> wenn nötig: lieber taggen oder loggen statt reject
+/^Date: .* 19[0-9][0-9]/               WARN Date far in the past Header-Spamschutzregel DATE-1001
+/^Date: .* 200[0-9]/                   WARN Date far in the past Header-Spamschutzregel DATE-1002
+/^Date: .* 201[0-9]/                   WARN Date far in the past Header-Spamschutzregel DATE-1003
+
+
+
+########################################
+# Bemerkungen
+########################################
+
+# (envelope-from <>) nicht pauschal rejecten:
+# echte DSNs/Bounces haben legitimerweise MAIL FROM: <>
+#/\(envelope-from <>\)/                REJECT Null envelope-from
 
-/^Date: .* 19[0-9][0-9]/      REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001
-/^Date: .* 200[0-9]/          REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002
-/^Date: .* 201[0-9]/          REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003
-/^Date: .* 2020/              REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004
 EOF
 	if [[ $? -eq 0 ]] ; then
 		echo_ok

install_postfixadmin.sh

@@ -938,6 +938,16 @@ done
 if $_failed ; then
    echo_failed
    error "$(cat $log_file)"
+
+   echononl "\tcontinue anyway [yes/no]: "
+   read OK
+   OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+   while [[ "$OK" != "yes" ]] && [[  "$OK" != "no" ]] ; do
+      echononl "Wrong entry! - repeat [yes/nno]: "
+      read OK
+   done
+   [[ $OK = "yes" ]] || fatal "Script terminated by user input.."
+
 else
    echo_ok
 fi
@@ -2198,7 +2208,7 @@ fi
 
 echo -e "\n\n\t\033[37m\033[1mConfigure Postfix Admin\033[m\n"
 
-if [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]]; then
+if [[ $MAJOR_VERSION -gt 3 ]] || [[ $MAJOR_VERSION -eq 3 ]] && [[ $MINOR_VERSION -gt 0 ]]; then
    pfa_conf_file="${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.local.php"
    cp -a "${WEBSITE_BASEDIR}/postfixadmin-${PF_ADMIN_VERSION}/config.inc.php"  "$pfa_conf_file"
 else

install_update_dovecot.sh

@@ -2597,6 +2597,8 @@ chown -R vmail:vmail /usr/local/dovecot-${_version}/etc/dovecot/sieve
 
 if $systemd_support; then
 
+   _folder_created=false
+
    ## - # - At time, we don't use private tmp directory for divecot.
    ## - # -
    ## - echononl "\tAdjust Systemd service file, set PrivateTmp=false.."
@@ -2621,8 +2623,15 @@ if $systemd_support; then
    ## - here:
    ## -    LimitNOFILE=32768
    ## -
-   if [[ -f "/lib/systemd/system/dovecot.service" ]] \
-      && $(grep -q -E "^LimitNOFILE=" /lib/systemd/system/dovecot.service) ; then 
+   ## - zwei Bemerkungen:
+   ## -     - keine runden Klammern notwendig, da die bash '&&' vor '||' auswertet
+   ## -     - hier auch keine backslah '\' am ende der zeile notwendig, da statement
+   ## -       offensichtlich noch nichzt abgeschlossen ist (die bash erkennt das)
+   ## -
+   if [[ -f /lib/systemd/system/dovecot.service ]] &&
+      grep -qE '^[[:space:]]*LimitNOFILE=' /lib/systemd/system/dovecot.service ||
+      [[ -f /etc/systemd/system/dovecot.service ]] &&
+      grep -qE '^[[:space:]]*LimitNOFILE=' /etc/systemd/system/dovecot.service ; then
 
       _LimitNOFILE="$(grep -E "^LimitNOFILE=[[:digit:]]+" /lib/systemd/system/dovecot.service | cut -d'=' -f2)"
 
@@ -2638,6 +2647,7 @@ if $systemd_support; then
             mkdir "/etc/systemd/system/dovecot.service.d" > /dev/null 2>&1
             if [[ $? -eq 0 ]]; then
                echo -e "$rc_done"
+               _folder_created=true
             else
                echo -e "$rc_failed"
                adjust_limit_nofile=false
@@ -2656,8 +2666,54 @@ LimitNOFILE=$service_limit_nofile
 EOF
          echo -e "$rc_done"
       fi
+
    fi
 
+   ## - Adjust systemd hardening:
+   ## -
+   ## - Options such as ProtectSystem=full/strict make the service's mount namespace,
+   ## - including /usr (and thus /usr/local/dovecote/..), read-only, even though it is w
+   ## - ritable outside the service.
+   ## -
+   ## - However, we would like to allow dovecot to write to the directory
+   ## - /usr/local/dovecot/etc/dovecot/sieve/.
+   ## -
+   ## -    ProtectSystem=off
+   ## -
+   ## - zwei Bemerkungen:
+   ## -     - keine runden Klammern notwendig, da die bash '&&' vor '||' auswertet
+   ## -     - hier auch keine backslah '\' am ende der zeile notwendig, da statement
+   ## -       offensichtlich noch nichzt abgeschlossen ist (die bash erkennt das)
+   ## -
+   if [[ -f /lib/systemd/system/dovecot.service ]] &&
+      grep -qE '^[[:space:]]*ProtectSystem=' /lib/systemd/system/dovecot.service ||
+      [[ -f /etc/systemd/system/dovecot.service ]] &&
+      grep -qE '^[[:space:]]*ProtectSystem=' /etc/systemd/system/dovecot.service ; then
+
+      if ! ${_folder_created} ; then
+
+         echononl "\tCreate Directory '/etc/systemd/system/dovecot.service.d'.."
+         if [[ -d "/etc/systemd/system/dovecot.service.d" ]] ; then
+            echo -e "$rc_skipped"
+         else
+            mkdir "/etc/systemd/system/dovecot.service.d" > /dev/null 2>&1
+            if [[ $? -eq 0 ]]; then
+               echo -e "$rc_done"
+            else
+               echo -e "$rc_failed"
+            fi
+         fi
+
+      fi
+
+      echononl "\tSet 'ProtectSystem=off' for 'dovecot.service'.."
+      cat <<EOF > /etc/systemd/system/dovecot.service.d/systemd-hardening.conf
+[Service]
+ProtectSystem=off
+EOF
+         echo -e "$rc_done"
+
+   fi
 
    echononl "\tReload systemd .."
    systemctl daemon-reload > /dev/null 2>&1