#!/usr/bin/env bash working_dir="$(dirname $(realpath $0))" conf_file="${working_dir}/conf//install_postfix_advanced.conf" _TLS_CERT_DIR=/etc/postfix/ssl _TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt" _TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key" _TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt tmp_err_msg=$(mktemp) backup_date="$(date +%Y-%m-%d-%H%M)" # ------------- # --- Some functions # ------------- clean_up() { # Perform program exit housekeeping rm -f $tmp_err_msg exit $1 } echononl(){ echo X\\c > /tmp/shprompt$$ if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then echo -e -n "$*\\c" 1>&2 else echo -e -n "$*" 1>&2 fi rm /tmp/shprompt$$ } fatal(){ echo "" echo -e "fatal error: $*" echo "" echo -e "\t\033[31m\033[1mInstalllation will be interrupted\033[m\033[m" echo "" clean_up 1 } error(){ echo "" echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*" echo "" } warn (){ echo "" echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*" echo "" } info (){ echo "" echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*" echo "" } echo_done() { echo -e "\033[80G[ \033[32mdone\033[m ]" } echo_ok() { echo -e "\033[80G[ \033[32mok\033[m ]" } echo_warning() { echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]" } echo_failed(){ echo -e "\033[80G[ \033[1;31mfailed\033[m ]" } echo_skipped() { echo -e "\033[80G[ \033[33m\033[1mskipped\033[m ]" } trap clean_up SIGHUP SIGINT SIGTERM # - Is this a systemd system? # - if [[ "X`which systemd`" = "X" ]]; then systemd_exists=false else systemd_exists=true fi echo "" # - Default Values # - #_IS_RELAY_HOST=false # - Read Configuration File if exists # - if [[ -f "$conf_file" ]]; then source $conf_file fi clear echo -e "\033[21G\033[32mInstallation script for Postfix basic mailsystem \033[m" echo HOSTNAME= echo "" echo -e "\033[32m--\033[m" echo "" echo "Insert hostname" echo "" if [[ -n "$_HOSTNAME" ]]; then echononl "hostname [${_HOSTNAME}]: " read HOSTNAME if [[ "X${HOSTNAME}" = "X" ]]; then HOSTNAME=$_HOSTNAME fi else while [[ "X${HOSTNAME}" = "X" ]]; do echononl "hostname: " read HOSTNAME if [[ "X${HOSTNAME}" = "X" ]]; then echo -e "\n\t\033[33m\033[1mHostname is reqired\033[m\n" fi done fi IPV4= echo "" echo -e "\033[32m--\033[m" echo "" echo "Insert IPv4 address" echo "" if [[ -n "$_IPV4" ]]; then echononl "IPv4 address [${_IPV4}]: " read IPV4 if [[ "X${IPV4}" = "X" ]]; then IPV4=$_IPV4 fi else while [[ "X${IPV4}" = "X" ]]; do echononl "IPv4 address: " read IPV4 if [[ "X${IPV4}" = "X" ]]; then echo -e "\n\t\033[33m\033[1mIPv4 address is reqired\033[m\n" fi done fi IPV6= echo "" echo -e "\033[32m--\033[m" echo "" echo "Insert IPv6 address" echo "Type:" echo -e "\t\033[33mNone\033[m if IPv6 is not suppoerted" echo "" if [[ -n "$_IPV6" ]]; then [[ "X$_IPV6" = "Xdisabled" ]] && _IPV6=None echononl "IPv6 address [${_IPV6}]: " read IPV6 if [[ "X${IPV6}" = "X" ]]; then IPV6=$_IPV6 fi else while [[ "X${IPV6}" = "X" ]]; do echononl "IPv6 address: " read IPV6 if [[ "X${IPV6}" = "X" ]]; then echo -e "\n\t\033[33m\033[1mIPv4 address is reqired\033[m\n" fi done fi if [ "X$IPV6" = "Xnone" -o "X$IPV6" = "XNone" ]; then IPV6=disabled fi IS_RELAY_HOST= echo "" echo -e "\033[32m--\033[m" echo "" echo "How will this Mailserver be used?" echo "" if [[ -n "$_IS_RELAY_HOST" ]]; then if $_IS_RELAY_HOST ; then echo "[1] Complete Mailserver (with mailboxes)" echo -e "\033[37m\033[1m[2] Mailrelay Host\033[m" else echo -e "\033[37m\033[1m[1] complete Mailserver (with mailboxes)\033[m" echo "[2] Mailrelay Host" fi echo "" echononl "Choose a number or press for highlighted value: " else echo "[1] Complete Mailserver (with mailboxes)" echo "[2] Mailrelay Host" echo "" echononl "Choose a Number: " fi while [[ "$IS_RELAY_HOST" != "true" && "$IS_RELAY_HOST" != "false" ]];do read OPTION case $OPTION in 1) IS_RELAY_HOST=false ;; 2) IS_RELAY_HOST=true ;; '') if [[ -n "$_IS_RELAY_HOST" ]] ; then IS_RELAY_HOST=$_IS_RELAY_HOST else echo "" echo -e "\tWrong entry! [ 1 = Complete Mailserver ; 2 = Mailrelay Host]" echo "" echononl "Reentry: " fi ;; *) IS_RELAY_HOST= echo "" if [[ -n "$_IS_RELAY_HOST" ]]; then echo -e "\tWrong entry! [ 1 = Complete Mailserver ; 2 = Mailrelay Host] or type " else echo -e "\tWrong entry! [ 1 = Complete Mailserver ; 2 = Mailrelay Host]" fi echo "" echononl "Reentry: " ;; esac done SASL_AUTH_ENABLED="no" if $IS_RELAY_HOST ; then SASL_AUTH_ENABLED="" echo "" echo -e "\033[32m--\033[m" echo "" echo "Should this mail relay server support Cyrus SASL authentication?" echo "" while [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]];do if [[ -n "$_SASL_AUTH_ENABLED" ]]; then echononl "Support Cyrus SASL authentication [${_SASL_AUTH_ENABLED}]: " read SASL_AUTH_ENABLED SASL_AUTH_ENABLED=${SASL_AUTH_ENABLED,,} [[ -z "$SASL_AUTH_ENABLED" ]] && SASL_AUTH_ENABLED="$_SASL_AUTH_ENABLED" else echononl "Support Cyrus SASL authentication [yes/no]: " read SASL_AUTH_ENABLED SASL_AUTH_ENABLED=${SASL_AUTH_ENABLED,,} fi if [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]] ; then _SASL_AUTH_ENABLED="" echo -e "\n\t\033[33m\033[1mWrong entry!\033[m\n Type 'yes' or 'no'" fi done fi ADMIN_EMAIL= echo "" echo "" echo -e "\033[32m--\033[m" echo "" echo "Insert e-mail address where messages to local root should be forwarded" echo "" echo "" if [[ -n "$_ADMIN_EMAIL" ]]; then echononl "Admin e-mail address [$_ADMIN_EMAIL]: " read ADMIN_EMAIL if [[ "X${ADMIN_EMAIL}" = "X" ]]; then ADMIN_EMAIL=$_ADMIN_EMAIL fi else while [[ "X${ADMIN_EMAIL}" = "X" ]]; do echononl "Admin e-mail address: " read ADMIN_EMAIL if [[ "X${ADMIN_EMAIL}" = "X" ]]; then echo -e "\n\t\033[33m\033[1mAdmin e-mail address is reqired\033[m\n" fi done fi echo "" echo "" echo -e "\033[21G\033[32mStart installation/configuration with the following parameters\033[m" echo "" echo -e "\tHostname..........................: $HOSTNAME" echo -e "\tIPv4 address......................: $IPV4" echo -e "\tIPv6 address......................: $IPV6" echo -e "\tAdmin e-mail......................: $ADMIN_EMAIL" echo "" if $IS_RELAY_HOST ; then echo -e "\tConfigure as relay host?..........: \033[33m\033[1m$IS_RELAY_HOST\033[m" echo -e "\tConfigure as complete mailserver..: false" echo "" echo -e "\tSupport Cyrus SASL authentication.: $SASL_AUTH_ENABLED" else echo -e "\tConfigure as relay host?..........: $IS_RELAY_HOST" echo -e "\tConfigure as complete mailserver..: \033[33m\033[1mtrue\033[m" fi echo "" echononl "einverstanden (yes/no): " read OK OK=${OK,,} while [ "X$OK" != "Xyes" -a "X$OK" != "Xno" ]; do echononl "Wrong entry! [yes/no]: " read OK OK=${OK,,} done [ $OK = "yes" ] || fatal Repeat with other settings.. echo "" echo "" _failed=false echononl " Save Configuration" cat << EOF > $conf_file # --- # - Parameter Settins Postfix Relay System # --- _HOSTNAME=$HOSTNAME _IPV4=$IPV4 _IPV6=$IPV6 _ADMIN_EMAIL=$ADMIN_EMAIL _IS_RELAY_HOST=$IS_RELAY_HOST EOF if [[ $? -ne 0 ]]; then _failed=true fi if $IS_RELAY_HOST ; then cat << EOF >> $conf_file _SASL_AUTH_ENABLED=$SASL_AUTH_ENABLED EOF if [[ $? -ne 0 ]]; then _failed=true fi if $_failed ; then echo_failed else echo_ok fi [[ "$IPV6" = "disabled" ]] && IPV6="" # - Deinstall debian exim4 packages # - echononl " Deinstall debian exim4 packages" _installed_exim_packages=`dpkg -l | grep exim4 | grep -e "^i" | awk '{print$2}'` for _pkg in $_installed_exim_packages ; do installed_exim_packages="$installed_exim_packages $_pkg" done if [[ -n "$installed_exim_packages" ]] ; then if `dpkg -l | grep bsd-mailx | grep -e "^i" > /dev/null 2>&1` ; then installed_exim_packages="$installed_exim_packages bsd-mailx" fi apt-get remove --purge -qq -y $installed_exim_packages > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi else echo_skipped fi # - Install Postfix from debian packages system # - echononl " Install Postfix from debian packages system" _needed_packages="postfix postfix-pgsql postfix-mysql postfix-pcre libsasl2-modules bsd-mailx haveged" if [[ "$SASL_AUTH_ENABLED" = "yes" ]]; then _needed_packages="$_needed_packages sasl2-bin" fi for _pkg in $_needed_packages ; do if `dpkg -l | grep $_pkg | grep -e "^i" > /dev/null 2>&1` ; then continue else needed_packages="$needed_packages $_pkg" fi done if [[ -n "$needed_packages" ]]; then DEBIAN_FRONTEND=noninteractive apt-get -y install $needed_packages > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi else echo_skipped fi ## - Install Postgrey from debian packages system ## - echononl " Install Postgrey from debian packages system" _pkg="postgrey" if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then echo_skipped else DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $tmp_err_msg if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $tmp_err_msg)" fi fi echononl " Adjust /etc/default/postgrey" perl -i -n -p -e "s#^(\s*)(POSTGREY_OPTS=.*)#\#\1\2\nPOSTGREY_OPTS=\"--inet=10023 --delay=149 --auto-whitelist-clients=3 --lookup-by-subnet\"#" \ /etc/default/postgrey > $tmp_err_msg 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $tmp_err_msg)" fi echononl " Create /etc/postgrey/whitelist_clients.local (additional whitelist entries)" cat << EOF > /etc/postgrey/whitelist_clients.local # For Office 365 - servers: ##/.*outbound.protection.outlook.com\$/ /^mail-.*\.outbound\.protection\.outlook\.com\$/ EOF if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi echononl " Restart postrey daemon" if $systemd_exists ; then systemctl restart postgrey > /dev/null 2> $tmp_err_msg if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $tmp_err_msg)" fi else /etc/init.d/postgrey restart > /dev/null 2> $tmp_err_msg if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $tmp_err_msg)" fi fi # - Backup existing postfix configuration file # - echononl " Backup existing postfix configuration file" if [[ -f "/etc/postfix/main.cf" ]]; then cp -a /etc/postfix/main.cf /etc/postfix/main.cf.$backup_date if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi else echo_skipped fi # - Creeate new postfix configuration file # - echononl " Creeate new postfix configuration file" cat < /etc/postfix/main.cf # ============ Basic settings ============ # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname myorigin = /etc/mailname smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = /usr/share/doc/postfix html_directory = /usr/share/doc/postfix/html ## - The Internet protocols Postfix will attempt to use when making ## - or accepting connections. ## - DEFAULT: ipv4 EOF if [ -n "$IPV6" ]; then cat <> /etc/postfix/main.cf inet_protocols = ipv4, ipv6 #inet_interfaces = all inet_interfaces = 127.0.0.1 $IPV4 $IPV6 myhostname = $HOSTNAME mydestination = $HOSTNAME localhost ## - The list of "trusted" SMTP clients that have more ## - privileges than "strangers" ## - mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 ${IPV4}/32 [${IPV6}]/128 # a.mx.oopen.de #83.223.86.91 #[2a01:30:0:13:2f7:50ff:fed2:cef7]/128 # b.mx.oopen.de #83.223.86.97 #[2a01:30:0:13:21f:92ff:fe00:538b] # d.mx.oopen.de #83.223.86.92/32 #[2a01:30:0:13:254:9eff:fed5:e7fd]/128 smtp_bind_address = $IPV4 smtp_bind_address6 = $IPV6 EOF else cat <> /etc/postfix/main.cf inet_protocols = ipv4 #inet_interfaces = all inet_interfaces = 127.0.0.1 $IPV4 myhostname = $HOSTNAME mydestination = $HOSTNAME localhost ## - The list of "trusted" SMTP clients that have more ## - privileges than "strangers" ## - mynetworks = 127.0.0.0/8 ${IPV4}/32 #smtp_bind_address = $IPV4 #smtp_bind_address6 = $IPV6 EOF fi cat <> /etc/postfix/main.cf ## - The method to generate the default value for the mynetworks parameter. ## - ## - mynetworks_style = host" when Postfix should "trust" only the local machine ## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP ## - clients in the same IP subnetworks as the local machine. ## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same ## - IP class A/B/C networks as the local machine. ## - #mynetworks_style = host ## - The maximal size of any local(8) individual mailbox or maildir file, ## - or zero (no limit). In fact, this limits the size of any file that is ## - written to upon local delivery, including files written by external ## - commands that are executed by the local(8) delivery agent. ## - mailbox_size_limit = 0 ## - The maximal size in bytes of an individual virtual(8) mailbox or ## - maildir file, or zero (no limit). ## - virtual_mailbox_limit = 0 ## - The maximal size in bytes of a message, including envelope information. ## - ## - we user 50MB ## - message_size_limit = 52480000 ## - The system-wide recipient address extension delimiter ## - recipient_delimiter = + ## - The alias databases that are used for local(8) delivery. ## - alias_maps = hash:/etc/aliases ## - The alias databases for local(8) delivery that are updated ## - with "newaliases" or with "sendmail -bi". ## - alias_database = hash:/etc/aliases ## - Optional lookup tables with mappings from recipient address ## - to (message delivery transport, next-hop destination). ## - See transport(5) for details. ## - transport_maps = btree:/etc/postfix/transport btree:/etc/postfix/relay_domains ## - The maximal time a message is queued before it is sent back as ## - undeliverable. Defaults to 5d (5 days) ## - Specify 0 when mail delivery should be tried only once. ## - maximal_queue_lifetime = 3d bounce_queue_lifetime = \$maximal_queue_lifetime ## - delay_warning_time (default: 0h) ## - ## - The time after which the sender receives a copy of the message ## - headers of mail that is still queued. To enable this feature, ## - specify a non-zero time value (an integral value plus an optional ## - one-letter suffix that specifies the time unit). ## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). ## - The default time unit is h (hours). delay_warning_time = 1d #header_checks = pcre:/etc/postfix/header_checks prepend_delivered_header = forward file ## - proxy_read_maps ## - ## - The lookup tables that the proxymap(8) server is allowed to access for the read-only service. ## - ## - Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Table ## - references that don't begin with proxy: are ignored. ## - #proxy_read_maps = \$local_recipient_maps \$mydestination \$virtual_alias_maps \$virtual_alias_domains \$virtual_mailbox_maps \$virtual_mailbox_domains \$relay_recipient_maps \$relay_domains \$canonical_maps \$sender_canonical_maps \$recipient_canonical_maps \$relocated_maps \$transport_maps \$mynetworks \$sender_bcc_maps \$recipient_bcc_maps \$smtp_generic_maps \$lmtp_generic_maps \$smtpd_sender_login_maps # ============ Relay parameters ============ relayhost = relay_domains = \$mydestination btree:/etc/postfix/relay_domains # ============ TLS parameters ============ ## - supports DNSSEC ## - ## - !! Notice !! ## - In order to support DNSSEC and DANE your resolver MUST support ## - DNSSEC too. ## - ## - If your resolver does not support DNSSEC, install "unbound". ## - smtp_host_lookup = dns smtp_dns_support_level = dnssec ## - Aktiviert TLS für den Mailempfang ## - ## - may: ## - Opportunistic TLS. Use TLS if this is supported by the remote ## - SMTP server, otherwise use plaintext ## - ## - This overrides the obsolete parameters smtpd_use_tls and ## - smtpd_enforce_tls. This parameter is ignored with ## - "smtpd_tls_wrappermode = yes". #smtpd_use_tls=yes smtpd_tls_security_level=may ## - Aktiviert TLS für den Mailversand ## - ## - may: ## - Opportunistic TLS: announce STARTTLS support to SMTP clients, ## - but do not require that clients use TLS encryption. # smtp_use_tls=yes #smtp_tls_security_level=may smtp_tls_security_level=dane ## - 0 Disable logging of TLS activity. ## - 1 Log TLS handshake and certificate information. ## - 2 Log levels during TLS negotiation. ## - 3 Log hexadecimal and ASCII dump of TLS negotiation process. ## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS. ## - smtpd_tls_loglevel = 1 smtp_tls_loglevel = 1 smtpd_tls_cert_file = $_TLS_CERT_FILE smtpd_tls_key_file = $_TLS_KEY_FILE ## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. ## - ## - Dont't forget to create it, e.g with openssl: ## - openssl dhparam -out /etc/postfix/ssl/dh_1024.pem -2 1024 ## - #smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem ## - also possible to use 2048 key with that parameter ## - smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem ## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. ## - ## - Dont't forget to create it, e.g with openssl: ## - openssl dhparam -out /etc/postfix/ssl/dh_512.pem -2 512 ## - smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem ## - File containing CA certificates of root CAs trusted to sign either remote SMTP ## - server certificates or intermediate CA certificates. These are loaded into ## - memory !! BEFORE !! the smtp(8) client enters the chroot jail. ## - smtp_tls_CAfile = $_TLS_CA_FILE ## - Directory with PEM format certificate authority certificates that the Postfix SMTP ## - client uses to verify a remote SMTP server certificate. Don't forget to create the ## - necessary "hash" links with, for example, " ## - $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". ## - ## - !! Note !! ## - To use this option in chroot mode, this directory (or a copy) must be inside ## - the chroot jail. ## - ## - Note that a chrooted daemon resolves all filenames relative to the Postfix ## - queue directory (/var/spool/postfix) ## - #smtpd_tls_CApath = /etc/postfix/certs # Disable SSLv2 SSLv3 - Postfix SMTP server # # List of TLS protocols that the Postfix SMTP server will exclude or # include with opportunistic TLS encryption. smtpd_tls_protocols = !SSLv2, !SSLv3 # # The SSL/TLS protocols accepted by the Postfix SMTP server # with mandatory TLS encryption. smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 # Disable SSLv2 SSLv3 - Postfix SMTP client # # List of TLS protocols that the Postfix SMTP client will exclude or # include with opportunistic TLS encryption. smtp_tls_protocols = !SSLv2, !SSLv3 # # List of SSL/TLS protocols that the Postfix SMTP client will use # with mandatory TLS encryption smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 ## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange ## - openssl > 1.0 ## - smtpd_tls_eecdh_grade = strong # standard list cryptographic algorithm tls_preempt_cipherlist = yes # Disable ciphers which are less than 256-bit: # #smtpd_tls_mandatory_ciphers = high # # opportunistic smtpd_tls_ciphers = high # Exclude ciphers #smtpd_tls_exclude_ciphers = # RC4 # aNULL # SEED-SHA # EXP # MD5 smtpd_tls_exclude_ciphers = aNULL eNULL EXPORT DES RC4 MD5 PSK aECDH EDH-DSS-DES-CBC3-SHA EDH-RSA-DES-CDC3-SHA KRB5-DE5 CBC3-SHA smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache EOF if $IS_RELAY_HOST ; then cat <> /etc/postfix/main.cf #======= SASL Authentification ============ smtpd_sasl_auth_enable = \$SASL_AUTH_ENABLED smtpd_sasl_type = cyrus smtpd_sasl_path = smtpd smtpd_sasl_security_options = noanonymous smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options smtpd_sasl_authenticated_header = yes broken_sasl_auth_clients = yes ## - Optional lookup table with the SASL login names that own ## - sender (MAIL FROM) addresses. smtpd_sender_login_maps = #======= Virtual mailboxes ============ ## - Local Mailboxes ## - virtual_mailbox_base = virtual_uid_maps = virtual_gid_maps = EOF else cat <> /etc/postfix/main.cf #======= SASL Authentification ============ ## - Enable SASL authentication in the Postfix SMTP server. By default, ## - the Postfix SMTP server does not use authentication. ## - smtpd_sasl_auth_enable = no ## - The SASL plug-in type that the Postfix SMTP server should use for authentication. ## - The available types are listed with the "postconf -a" command. ## - ## - Available values are at least: cyrus, dovecot ## - smtpd_sasl_type = dovecot ## - Implementation-specific information that the Postfix SMTP server passes ## - through to the SASL plug-in implementation that is selected with smtpd_sasl_type. ## - Typically this specifies the name of a configuration file or rendezvous point. ## - smtpd_sasl_path = private/dovecot-auth smtpd_sasl_security_options = noanonymous smtpd_sasl_authenticated_header = yes broken_sasl_auth_clients = yes ## - Optional lookup table with the SASL login names that own ## - sender (MAIL FROM) addresses. smtpd_sender_login_maps = #======= Virtual mailboxes ============ ## - Local Mailboxes ## - virtual_mailbox_base = /var/vmail virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 EOF fi cat <> /etc/postfix/main.cf ## - virtual_transport ## - ================= ## - ## - using postfix ## - virtual_transport = virtual ## - ## - using dovecot lda ## - virtual_transport = dovecot ## - ## - using dovecot's lmtp service ## - virtual_transport = lmtp:unix:private/dovecot-lmtp ## - virtual_transport = virtual virtual_mailbox_maps = virtual_mailbox_domains = ## - Optional lookup tables that alias specific mail addresses or domains ## - to other local or remote address. The table format and lookups are ## - documented in virtual(5). For an overview of Postfix address ## - manipulations see the ADDRESS_REWRITING_README document. ## - virtual_alias_maps = ## - mailman #hash:/var/lib/mailman/data/virtual-mailman ## - Postfix is final destination for the specified list of virtual alias ## - domains, that is, domains for which all addresses are aliased to addresses ## - in other local or remote domains. The SMTP server validates recipient ## - addresses with \$virtual_alias_maps and rejects non-existent recipients. ## - See also the virtual alias domain class in the ADDRESS_CLASS_README file ## - virtual_alias_domains = #======= Restrictions ============ smtpd_recipient_restrictions = # only special accounts (postmaster, abuse and other rolr accounts) check_recipient_access btree:/etc/postfix/access_recipient-rfc, # White- / Blacklisting check_sender_access btree:/etc/postfix/access_sender, check_recipient_access btree:/etc/postfix/access_recipient, # permit trusted network (mynetwork) permit_mynetworks, # permit our users permit_sasl_authenticated, # dont' accept misconfigured Mail reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unlisted_recipient, # don't accept misconfigured recipients # RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use # Whitelist (configured on a.ns.oopen.de # in /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone ) permit_dnswl_client dnswl.oopen.de, # Blacklists reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, #reject_rbl_client bl.spamcop.net, # March 1, 2013: NJABL is in the process of being shut down #reject_rbl_client dnsbl.njabl.org, # Policyd-Weight #check_policy_service inet:127.0.0.1:12525, # Greylisting check warn_if_reject, check_policy_service inet:127.0.0.1:10023, # Reject the request unless one of the following is true: # # - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains # or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain), # # # - Postfix is the final destination: the resolved RCPT TO domain matches # \$mydestination, \$inet_interfaces, \$proxy_interfaces, \$virtual_alias_domains, # or \$virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain). reject_unverified_recipient, # permit Backup MX permit_mx_backup, # forbid all other relaying reject_unauth_destination, # permit, if all restrictions so far passed permit ## - Sinve version 2.11 ## - smtpd_relay_restrictions = # only special accounts (postmaster, abuse and other rolr accounts) check_recipient_access btree:/etc/postfix/access_recipient-rfc, # White- / Blacklisting check_sender_access btree:/etc/postfix/access_sender, check_recipient_access btree:/etc/postfix/access_recipient, # permit trusted network (mynetwork) permit_mynetworks, # permit our users permit_sasl_authenticated, # dont' accept misconfigured Mail reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unlisted_recipient, # don't accept misconfigured recipients # RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use # Whitelist (configured on a.ns.oopen.de # in /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone ) permit_dnswl_client dnswl.oopen.de, # Blacklists reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, #reject_rbl_client bl.spamcop.net, # March 1, 2013: NJABL is in the process of being shut down #reject_rbl_client dnsbl.njabl.org, # Policyd-Weight #check_policy_service inet:127.0.0.1:12525, # Greylisting check warn_if_reject, check_policy_service inet:127.0.0.1:10023, # Reject the request unless one of the following is true: # # - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains # or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain), # # # - Postfix is the final destination: the resolved RCPT TO domain matches # \$mydestination, \$inet_interfaces, \$proxy_interfaces, \$virtual_alias_domains, # or \$virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain). reject_unverified_recipient, # permit Backup MX permit_mx_backup, # forbid all other relaying reject_unauth_destination, # permit, if all restrictions so far passed permit EOF echo_ok ## - /etc/mailname ## - echononl " Set \"/etc/mailname\"" echo $HOSTNAME > /etc/mailname if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi ## - /etc/aliases ## - echononl " Adjust \"/etc/aliases\"" cat << EOF > /etc/aliases # See man 5 aliases for format mailer-daemon: postmaster postmaster: root nobody: root hostmaster: root usenet: root news: root webmaster: root www: root ftp: root abuse: root noc: root security: root do-not-reply: /dev/null root: $ADMIN_EMAIL EOF if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi ## - create directory for certificates and copy certificates ## - and coresponding keys to /etc/postfix/ssl/ ## - echononl " Create directory for certificates \"/etc/postfix/ssl\"" if [[ -d "/etc/postfix/ssl" ]] ; then echo_skipped else mkdir -p /etc/postfix/ssl if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi fi ## - generate DH parameters that the Postfix SMTP server should use ## - with EDH ciphers (length 512 and 1024 ## - echononl " Generate DH key length=512 \"/etc/postfix/ssl/dh_512.pem\"" if [ ! -f /etc/postfix/ssl/dh_512.pem ]; then openssl dhparam -out /etc/postfix/ssl/dh_512.pem -2 512 > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi else echo_skipped fi echononl " Generate DH key length=1024 \"/etc/postfix/ssl/dh_1024.pem\"" if [ ! -f /etc/postfix/ssl/dh_1024.pem ]; then openssl dhparam -out /etc/postfix/ssl/dh_1024.pem -2 1024 > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi else echo_skipped fi echononl " Generate DH key length=2048 \"/etc/postfix/ssl/dh_2048.pem\"" if [ ! -f /etc/postfix/ssl/dh_2048.pem ]; then openssl dhparam -out /etc/postfix/ssl/dh_2048.pem -2 2048 > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi else echo_skipped fi echononl " Create Symlink \"$_TLS_CERT_FILE\"" if [ ! -h "$_TLS_CERT_FILE" ]; then ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem $_TLS_CERT_FILE if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi else echo_skipped fi echononl " Create Symlink \"$_TLS_KEY_FILE\"" if [ ! -h "$_TLS_KEY_FILE" ]; then ln -s /etc/ssl/private/ssl-cert-snakeoil.key $_TLS_KEY_FILE if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi else echo_skipped fi ## - rebuld alias database ## - echononl " Rebuld alias database" newaliases > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi ## - create files ## - echononl " Create file \"access_recipient-rfc\"" cat < /etc/postfix/access_recipient-rfc # if destination is ok, permit /^postmaster\@/ permit_auth_destination /^abuse\@/ permit_auth_destination EOF postmap btree:/etc/postfix/access_recipient-rfc if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi ## - Notice: ## - The access_sender list can also be used as white list: ## - backup@b3-bornim.de OK ## - backup_file-ah@oopen.de OK ## - backup_file-spr@oopen.de OK ## - root_file_spr@oopen.de OK ## - backup_anw-urban@oopen.de OK ## - anonymous@bbb-server.b3-bornim.de OK echononl " Create file \"access_sender\"" cat < /etc/postfix/access_sender # - bekannte Virus/Spam Absener blocken # - error@mailfrom.com REJECT EOF postmap btree:/etc/postfix/access_sender if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi echononl " Create file \"access_recipient\"" echo > /etc/postfix/access_recipient postmap btree:/etc/postfix/access_recipient if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi echononl " Create file \"transport\"" echo > /etc/postfix/transport postmap btree:/etc/postfix/transport if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi echononl " Create file \"relay_domains\"" echo > /etc/postfix/relay_domains postmap btree:/etc/postfix/relay_domains if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi if ! $_IS_RELAY_HOST ; then ## - Create Directory '/var/vmail' for virtual mailboxes ## - echononl " Create directory '/var/vmail'" if [[ ! -d "/var/vmail" ]]; then mkdir /var/vmail > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi else echo_skipped fi ## - Create user (vmail) for virtual mailboxes ## - echononl " Create user 'vmail' for virtual mailboxes" if id -u vmail > /dev/null 2>&1; then echo_skipped else useradd -s /bin/false -d /var/vmail -M -u 5000 vmail > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi fi ## - Change ownership 'vmail:vmail' for dir '/var/vmail' ## - echononl " Change ownership 'vmail:vmail' for dir '/var/vmail'" chown vmail:vmail /var/vmail > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi ## - Change permissions for dir '/var/vmail' ## - echononl " Change permissions for dir '/var/vmail'" chmod 700 /var/vmail > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi else if [[ "$SASL_AUTH_ENABLED" = "yes" ]]; then echononl " Create directory '/etc/postfix/sasl'.." if [[ ! -d "/etc/postfix/sasl" ]] ; then mkdir "/etc/postfix/sasl" > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi else echo_skipped fi echononl " Create file '/etc/postfix/sasl/smtpd.conf'.." cat < /etc/postfix/sasl/smtpd.conf # - Take care only using provided login mechanisms. You can check this, by # - running command # - # - saslpluginviewer -x AUXPROP_MECHS # - pwcheck_method: auxprop auxprop_plugin: sasldb mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM EOF if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi fi fi ## - /etc/postfix/master.cf ## - ## - Create Listener for user authenticated smtp connection port 587 (submission) ## - and port 465 (smtps) ## - postfix_master_cf="/etc/postfix/master.cf" echononl " Backup file \"${postfix_master_cf}\"" cp -a $postfix_master_cf "${postfix_master_cf}.$backup_date" > /dev/null 2> $tmp_err_msg if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $tmp_err_msg)" fi if grep -iq -E "^submission\s+" $postfix_master_cf > /dev/null 2>&1 ; then submission_present=true else submission_present=false fi if grep -iq -E "^smtps\s+" $postfix_master_cf > /dev/null 2>&1 ; then smtps_present=true else smtps_present=false fi _found=false echononl " Create new file \"${postfix_master_cf}\"" if [[ -f "${postfix_master_cf}.$backup_date" ]]; then > $postfix_master_cf while IFS='' read -r _line || [[ -n $_line ]] ; do if echo "$_line" | grep -i -E "^\s*smtp\s+inet\s+" > /dev/null 2>&1 ; then _found=true cat >> $postfix_master_cf << EOF smtp inet n - y - - smtpd EOF if ! $IS_RELAY_HOST ; then if ! $submission_present ; then cat >> $postfix_master_cf << EOF submission inet n - y - 20 smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject #-o milter_macro_daemon_name=ORIGINATING EOF fi if ! $smtps_present ; then cat >> $postfix_master_cf << EOF smtps inet n - y - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject #-o milter_macro_daemon_name=ORIGINATING EOF fi fi continue fi if $submission_present && echo "$_line" | grep -iq -E "^submission\s+" 2> /dev/null ; then _found=true if ! $IS_RELAY_HOST ; then cat >> $postfix_master_cf << EOF submission inet n - y - 20 smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING EOF fi continue fi if $smtps_present && echo "$_line" | grep -iq -E "^smtps\s+" 2> /dev/null ; then _found=true if ! $IS_RELAY_HOST ; then cat >> $postfix_master_cf << EOF smtps inet n - y - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING EOF fi continue fi # - [[:blank:]] means space and tab. This makes it similar to: [ \t] # - [[:space;]] in addition to space and tab, includes newline, linefeed, formfeed, # - and vertical tab. This makes it similar to: [ \t\n\r\f\v] # - #if [[ $_line =~ ^[[:space:]]+[^[:space:]]+ ]] && $_smtp_found ; then # - if [[ $_line =~ ^[[:blank:]]+[^[:space:]]+ ]] && $_found ; then continue fi _found=false echo "$_line" >> $postfix_master_cf done < "${postfix_master_cf}.$backup_date" echo_done warn "Please check file \"$postfix_master_cf\" !" else echo_failed error "File \"${postfix_master_cf}.$backup_date\" not found!" fi ## - restart postfix ## - echononl " Restart postfix" if $systemd_exists ; then systemctl restart postfix > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi else /etc/init.d/postfix restart > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi fi ## - Omitt logging into system.log ## - echononl " Create \"/etc/rsyslog.d/postfix.conf\"" cat << EOF >> /etc/rsyslog.d/postfix.conf # # Logging for the mail system. Split it up so that # it is easy to write scripts to parse these files. # mail.info -/var/log/mail.info mail.warn -/var/log/mail.warn mail.err /var/log/mail.err mail.* -/var/log/mail.log & ~ EOF if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi echononl " Restart rsyslog daemon" if $systemd_exists ; then systemctl restart rsyslog > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi else /etc/init.d/rsyslog restart > /dev/null 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fi fi rm $tmp_err_msg echo "" clean_up 0