install/mailsystem
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
6f3ae84cac
mailsystem/install_postfix_advanced.sh

2651 lines
71 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
working_dir="$(dirname $(realpath $0))"
conf_file="${working_dir}/conf//install_postfix_advanced.conf"
_TLS_CERT_DIR=/etc/postfix/ssl
_TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt"
_TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key"
_TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt
postfix_master_cf="/etc/postfix/master.cf"
postfix_spool_dir="/var/spool/postfix"
postgrey_socket_dir="${postfix_spool_dir}/postgrey"
postgrey_socket_file="${postgrey_socket_dir}/postgrey.sock"
tmp_err_msg=$(mktemp)
backup_date="$(date +%Y-%m-%d-%H%M)"
# -------------
# --- Some functions
# -------------
clean_up() {
# Perform program exit housekeeping
rm -f $tmp_err_msg
exit $1
}
echononl(){
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
}
fatal(){
echo ""
echo -e "fatal error: $*"
echo ""
echo -e "\t\033[31m\033[1mInstalllation will be interrupted\033[m\033[m"
echo ""
clean_up 1
}
error(){
echo ""
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
echo ""
}
warn (){
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
echo ""
}
info (){
echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
echo ""
}
echo_done() {
echo -e "\033[80G[ \033[32mdone\033[m ]"
}
echo_ok() {
echo -e "\033[80G[ \033[32mok\033[m ]"
}
echo_warning() {
echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
echo -e "\033[80G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
echo -e "\033[80G[ \033[33m\033[1mskipped\033[m ]"
}
detect_os_1 () {
if $(which lsb_release > /dev/null 2>&1) ; then
os_dist="$(lsb_release -i | awk '{print tolower($3)}')"
os_version="$(lsb_release -r | awk '{print tolower($2)}')"
os_codename="$(lsb_release -c | awk '{print tolower($2)}')"
if [[ "$os_dist" = "debian" ]]; then
if $(echo "$os_version" | grep -q '\.') ; then
os_version=$(echo "$os_version" | cut --delimiter='.' -f1)
fi
fi
elif [[ -e "/etc/os-release" ]]; then
. /etc/os-release
os_dist=$ID
os_version=${VERSION_ID}
fi
# remove whitespace from os_dist and os_version
os_dist="${os_dist// /}"
os_version="${os_version// /}"
}
trap clean_up SIGHUP SIGINT SIGTERM
# -------------
# --- Some default settings
# -------------
DEFAULT_ADMIN_EMAIL="argus@oopen.de"
# - Is this a systemd system?
# -
if [[ "X`which systemd`" = "X" ]]; then
systemd_exists=false
else
systemd_exists=true
fi
echo ""
# - Detect OS - Set variable
# - os_dist
# - os_version
# - os_codename
# -
detect_os_1
# - Default Values
# -
#_IS_RELAY_HOST=false
# - Read Configuration File if exists
# -
if [[ -f "$conf_file" ]]; then
source $conf_file
fi
[[ -z "$_ADMIN_EMAIL" ]] && _ADMIN_EMAIL="$DEFAULT_ADMIN_EMAIL"
# -------------
# --- Set default values for some non existent variables (i.e. no configuration file is present)
# -------------
if [[ -z "$_HOSTNAME" ]] ; then
_HOSTNAME="$(hostname -f)"
_HOSTNAME_SHORT="$(hostname)"
[[ "$_HOSTNAME" = "$_HOSTNAME_SHORT" ]] && _HOSTNAME=""
fi
clear
echo -e "\033[21G\033[32mInstallation script for Postfix basic mailsystem \033[m"
echo
HOSTNAME=
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert hostname"
echo ""
if [[ -n "$_HOSTNAME" ]]; then
echononl "hostname [${_HOSTNAME}]: "
read HOSTNAME
if [[ "X${HOSTNAME}" = "X" ]]; then
HOSTNAME=$_HOSTNAME
fi
else
while [[ "X${HOSTNAME}" = "X" ]]; do
echononl "hostname: "
read HOSTNAME
if [[ "X${HOSTNAME}" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mHostname is reqired\033[m\n"
fi
done
fi
# -------------
# --- Some further default values depending on Hostname
# -------------
# - Set default values for ipv4- and ipv6-address
# -
if [[ -z $_IPV4 ]] && [[ -n "$_HOSTNAME" ]] && [[ -x "$(which dig)" ]]; then
_IPV4="$(dig +short "$_HOSTNAME" A)"
fi
if [[ -z $_IPV6 ]] && [[ -n "$_HOSTNAME" ]] && [[ -x "$(which dig)" ]]; then
_IPV6="$(dig +short "$_HOSTNAME" AAAA)"
fi
IPV4=
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert IPv4 address"
echo ""
if [[ -n "$_IPV4" ]]; then
echononl "IPv4 address [${_IPV4}]: "
read IPV4
if [[ "X${IPV4}" = "X" ]]; then
IPV4=$_IPV4
fi
else
while [[ "X${IPV4}" = "X" ]]; do
echononl "IPv4 address: "
read IPV4
if [[ "X${IPV4}" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mIPv4 address is reqired\033[m\n"
fi
done
fi
IPV6=
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert IPv6 address"
echo "Type:"
echo -e "\t\033[33mNone\033[m if IPv6 is not suppoerted"
echo ""
if [[ -n "$_IPV6" ]]; then
[[ "X$_IPV6" = "Xdisabled" ]] && _IPV6=None
echononl "IPv6 address [${_IPV6}]: "
read IPV6
if [[ "X${IPV6}" = "X" ]]; then
IPV6=$_IPV6
fi
else
while [[ "X${IPV6}" = "X" ]]; do
echononl "IPv6 address: "
read IPV6
if [[ "X${IPV6}" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mIPv4 address is reqired\033[m\n"
fi
done
fi
if [ "X$IPV6" = "Xnone" -o "X$IPV6" = "XNone" ]; then
IPV6=disabled
fi
IS_RELAY_HOST=
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "How will this Mailserver be used?"
echo ""
if [[ -n "$_IS_RELAY_HOST" ]]; then
if $_IS_RELAY_HOST ; then
echo "[1] Complete Mailserver (with mailboxes)"
echo -e "\033[37m\033[1m[2] Mailrelay Host\033[m"
else
echo -e "\033[37m\033[1m[1] complete Mailserver (with mailboxes)\033[m"
echo "[2] Mailrelay Host"
fi
echo ""
echononl "Choose a number or press <RETURN> for highlighted value: "
else
echo "[1] Complete Mailserver (with mailboxes)"
echo "[2] Mailrelay Host"
echo ""
echononl "Choose a Number: "
fi
while [[ "$IS_RELAY_HOST" != "true" && "$IS_RELAY_HOST" != "false" ]];do
read OPTION
case $OPTION in
1) IS_RELAY_HOST=false
;;
2) IS_RELAY_HOST=true
;;
'') if [[ -n "$_IS_RELAY_HOST" ]] ; then
IS_RELAY_HOST=$_IS_RELAY_HOST
else
echo ""
echo -e "\tWrong entry! [ 1 = Complete Mailserver ; 2 = Mailrelay Host]"
echo ""
echononl "Reentry: "
fi
;;
*) IS_RELAY_HOST=
echo ""
if [[ -n "$_IS_RELAY_HOST" ]]; then
echo -e "\tWrong entry! [ 1 = Complete Mailserver ; 2 = Mailrelay Host] or type <RETURN>"
else
echo -e "\tWrong entry! [ 1 = Complete Mailserver ; 2 = Mailrelay Host]"
fi
echo ""
echononl "Reentry: "
;;
esac
done
SASL_AUTH_ENABLED="no"
if $IS_RELAY_HOST ; then
SASL_AUTH_ENABLED=""
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Should this mail relay server support Cyrus SASL authentication?"
echo ""
while [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]];do
if [[ -n "$_SASL_AUTH_ENABLED" ]]; then
echononl "Support Cyrus SASL authentication [${_SASL_AUTH_ENABLED}]: "
read SASL_AUTH_ENABLED
SASL_AUTH_ENABLED=${SASL_AUTH_ENABLED,,}
[[ -z "$SASL_AUTH_ENABLED" ]] && SASL_AUTH_ENABLED="$_SASL_AUTH_ENABLED"
else
echononl "Support Cyrus SASL authentication [yes/no]: "
read SASL_AUTH_ENABLED
SASL_AUTH_ENABLED=${SASL_AUTH_ENABLED,,}
fi
if [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]] ; then
_SASL_AUTH_ENABLED=""
echo -e "\n\t\033[33m\033[1mWrong entry!\033[m\n Type 'yes' or 'no'"
fi
done
fi
ADMIN_EMAIL=
echo ""
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert e-mail address where messages to local root should be forwarded"
echo ""
echo ""
if [[ -n "$_ADMIN_EMAIL" ]]; then
echononl "Admin e-mail address [$_ADMIN_EMAIL]: "
read ADMIN_EMAIL
if [[ "X${ADMIN_EMAIL}" = "X" ]]; then
ADMIN_EMAIL=$_ADMIN_EMAIL
fi
else
while [[ "X${ADMIN_EMAIL}" = "X" ]]; do
echononl "Admin e-mail address: "
read ADMIN_EMAIL
if [[ "X${ADMIN_EMAIL}" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mAdmin e-mail address is reqired\033[m\n"
fi
done
fi
echo ""
echo ""
echo -e "\033[21G\033[32mStart installation/configuration with the following parameters\033[m"
echo ""
echo -e "\tHostname..........................: $HOSTNAME"
echo -e "\tIPv4 address......................: $IPV4"
echo -e "\tIPv6 address......................: $IPV6"
echo -e "\tAdmin e-mail......................: $ADMIN_EMAIL"
echo ""
if $IS_RELAY_HOST ; then
echo -e "\tConfigure as relay host?..........: \033[33m\033[1m$IS_RELAY_HOST\033[m"
echo -e "\tConfigure as complete mailserver..: false"
echo ""
echo -e "\tSupport Cyrus SASL authentication.: $SASL_AUTH_ENABLED"
else
echo -e "\tConfigure as relay host?..........: $IS_RELAY_HOST"
echo -e "\tConfigure as complete mailserver..: \033[33m\033[1mtrue\033[m"
fi
echo ""
echononl "einverstanden (yes/no): "
read OK
OK=${OK,,}
while [ "X$OK" != "Xyes" -a "X$OK" != "Xno" ]; do
echononl "Wrong entry! [yes/no]: "
read OK
OK=${OK,,}
done
[ $OK = "yes" ] || fatal Repeat with other settings..
echo ""
echo ""
_failed=false
echononl " Save Configuration"
cat << EOF > $conf_file
# ---
# - Parameter Settins Postfix Relay System
# ---
_HOSTNAME=$HOSTNAME
_IPV4=$IPV4
_IPV6=$IPV6
_ADMIN_EMAIL=$ADMIN_EMAIL
_IS_RELAY_HOST=$IS_RELAY_HOST
EOF
if [[ $? -ne 0 ]]; then
_failed=true
fi
if $IS_RELAY_HOST ; then
cat << EOF >> $conf_file
_SASL_AUTH_ENABLED=$SASL_AUTH_ENABLED
EOF
fi
if [[ $? -ne 0 ]]; then
_failed=true
fi
if $_failed ; then
echo_failed
else
echo_ok
fi
[[ "$IPV6" = "disabled" ]] && IPV6=""
# - Synchronise package index files with the repository
# -
echononl " Synchronise package index files with the repository.."
apt-get update > "$tmp_err_msg" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
# - Deinstall debian exim4 packages
# -
echononl " Deinstall debian exim4 packages"
_installed_exim_packages=`dpkg -l | grep exim4 | grep -e "^i" | awk '{print$2}'`
for _pkg in $_installed_exim_packages ; do
installed_exim_packages="$installed_exim_packages $_pkg"
done
if [[ -n "$installed_exim_packages" ]] ; then
if `dpkg -l | grep bsd-mailx | grep -e "^i" > /dev/null 2>&1` ; then
installed_exim_packages="$installed_exim_packages bsd-mailx"
fi
apt-get remove --purge -qq -y $installed_exim_packages > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
# - Install Postfix from debian packages system
# -
echononl " Install Postfix from debian packages system"
_needed_packages="postfix postfix-pgsql postfix-mysql postfix-pcre libsasl2-modules bsd-mailx haveged"
if [[ "$SASL_AUTH_ENABLED" = "yes" ]]; then
_needed_packages="$_needed_packages sasl2-bin"
fi
for _pkg in $_needed_packages ; do
if `dpkg -l | grep $_pkg | grep -e "^i" > /dev/null 2>&1` ; then
continue
else
needed_packages="$needed_packages $_pkg"
fi
done
if [[ -n "$needed_packages" ]]; then
DEBIAN_FRONTEND=noninteractive apt-get -y install $needed_packages > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
if [[ "$os_dist" = "debian" ]] && [[ $os_version -ne 10 ]] ; then
## - Install Postgrey from debian packages system
## -
echononl " Install Postgrey from debian packages system"
_pkg="postgrey"
if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
echo_skipped
else
DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
fi
echononl " Adjust /etc/default/postgrey"
# postgrey as tcp/ip socket
#
#perl -i -n -p -e "s#^(\s*)(POSTGREY_OPTS=.*)#\#\1\2\nPOSTGREY_OPTS=\"--inet=127.0.0.1:10023 --delay=149 --auto-whitelist-clients=3 --lookup-by-subnet\"#" \
# /etc/default/postgrey > $tmp_err_msg 2>&1
# postgrey as unix socket
#
perl -i -n -p -e "s#^(\s*)(POSTGREY_OPTS=.*)#\#\1\2\nPOSTGREY_OPTS=\"--unix=/var/spool/postfix/postgrey/postgrey.sock --delay=149 --auto-whitelist-clients=3 --lookup-by-subnet\"#" \
/etc/default/postgrey > $tmp_err_msg 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
echononl " Create /etc/postgrey/whitelist_clients.local (additional whitelist entries)"
cat << EOF > /etc/postgrey/whitelist_clients.local
# For Office 365 - servers:
##/.*outbound.protection.outlook.com\$/
/^mail-.*\\.outbound\\.protection\\.outlook\\.com\$/
# facebookmail.com - big pool
/.*\\.mail-mail\\.facebook\\.com\$/
# tor hidde service
127.0.0.25
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Create the Postgrey socket directory in Postfix's work aerea.."
if [[ -d "${postgrey_socket_dir}" ]]; then
echo_skipped
else
mkdir "${postgrey_socket_dir}" > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
echononl "\tcontinue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
fi
fi
echononl " Enable Postgrey service at boot time.."
if $systemd_exists ; then
systemctl enable networking >/dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
echo_skipped
warn "Skipped this step because systemd service was not found."
fi
echononl " Restart postrey daemon"
if $systemd_exists ; then
systemctl restart postgrey > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
/etc/init.d/postgrey restart > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
fi
postgrey_socket="postgrey/postgrey.sock"
#postgrey_additional_options="postgrey_time_limit = 3600"
postgrey_additional_options=""
else
## - Install tumgreyspf from debian packages system
echononl " Install tumgreyspf from debian packages system"
_pkg="tumgreyspf"
if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
echo_skipped
else
DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
fi
echononl " Add entry for 'tumgreyspf' at end of file '$postfix_master_cf"
if ! $(grep -iq -E "^\s*tumgreyspf\s+" 2>/dev/null $postfix_master_cf) ; then
cat <<EOF >> /etc/postfix/master.cf 2> $tmp_err_msg
# This is tumgreyspf, an external policy checker for the postfix mail server.
# It can optionally greylist and/or use spfquery to check SPF records to
# determine if email should be accepted by your server.
#
tumgreyspf unix - n n - - spawn
user=tumgreyspf argv=/usr/bin/tumgreyspf
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Create configuration file for whitelisting: /etc/tumgreyspf/disable.conf"
if [[ ! -f /etc/tumgreyspf/disable.conf ]] ; then
cat <<EOF > "/etc/tumgreyspf/disable.conf" 2> $tmp_err_msg
SPFSEEDONLY=0
GREYLISTTIME=300
CHECKERS=
OTHERCONFIGS=
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
echo_skipped
fi
_failed=false
echononl " Whitelist tor hidde service '127.0.0.25'.."
if [[ ! -d "/var/lib/tumgreyspf/config/client_address/127/0/0/" ]] ; then
mkdir -p /var/lib/tumgreyspf/config/client_address/127/0/0/ 2> $tmp_err_msg
if [[ $? -ne 0 ]]; then
_failed=true
fi
fi
if [[ ! -L /var/lib/tumgreyspf/config/client_address/127/0/0/25 ]]; then
ln -s /etc/tumgreyspf/disable.conf /var/lib/tumgreyspf/config/client_address/127/0/0/25 2>> $tmp_err_msg
fi
if [[ $? -ne 0 ]]; then
_failed=true
fi
if $_failed ; then
echo_failed
error "$(cat $tmp_err_msg)"
else
echo_ok
fi
# ---
# Configure parameters of tumgreyspf service
# ---
_setup_key="SPFSEEDONLY"
_setup_val="0"
_setup_file="/etc/tumgreyspf/default.conf"
echononl " Setup defaults for tumgreyspf: $_setup_key .."
if ! $(grep -iq -E "^\s*${_setup_key}\s*=" "$_setup_file") ; then
cat <<EOF >> "$_setup_file" 2> $tmp_err_msg
# Added by script $(basename $0) at $(date +%Y-%m-%d)
$_setup_key = $_setup_val
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
if ! $(grep -iq -E "^\s*${_setup_key}\s*=\s*0$" "$_setup_file") ; then
perl -i -n -p -e "s/(\s*${_setup_key}.*)/#\1\n${_setup_key} = $_setup_val/" "$_setup_file" 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
echo_skipped
fi
fi
_setup_key="GREYLISTTIME"
_setup_val="180"
_setup_file="/etc/tumgreyspf/default.conf"
echononl " Setup defaults for tumgreyspf: $_setup_key .."
if ! $(grep -iq -E "^\s*${_setup_key}\s*=" "$_setup_file") ; then
cat <<EOF >> "$_setup_file" 2> $tmp_err_msg
# Added by script $(basename $0) at $(date +%Y-%m-%d)
$_setup_key = $_setup_val
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
if ! $(grep -iq -E "^\s*${_setup_key}\s*=\s*${_setup_val/}$" "$_setup_file") ; then
perl -i -n -p -e "s/(\s*${_setup_key}.*)/#\1\n${_setup_key} = $_setup_val/" "$_setup_file" 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
echo_skipped
fi
fi
_setup_key="CHECKERS"
_setup_val="spf,greylist"
_setup_file="/etc/tumgreyspf/default.conf"
echononl " Setup defaults for tumgreyspf: $_setup_key .."
if ! $(grep -iq -E "^\s*${_setup_key}\s*=" "$_setup_file") ; then
cat <<EOF >> "$_setup_file" 2> $tmp_err_msg
# Added by script $(basename $0) at $(date +%Y-%m-%d)
$_setup_key = $_setup_val
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
if ! $(grep -iq -E "^\s*${_setup_key}\s*=\s*${_setup_val/}$" "$_setup_file") ; then
perl -i -n -p -e "s/(\s*${_setup_key}.*)/#\1\n${_setup_key} = $_setup_val/" "$_setup_file" 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
echo_skipped
fi
fi
_setup_key="OTHERCONFIGS"
_setup_val="client_address,envelope_sender,envelope_recipient"
_setup_file="/etc/tumgreyspf/default.conf"
echononl " Setup defaults for tumgreyspf: $_setup_key .."
if ! $(grep -iq -E "^\s*${_setup_key}\s*=" "$_setup_file") ; then
cat <<EOF >> "$_setup_file" 2> $tmp_err_msg
# Added by script $(basename $0) at $(date +%Y-%m-%d)
$_setup_key = $_setup_val
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
if ! $(grep -iq -E "^\s*${_setup_key}\s*=\s*${_setup_val/}$" "$_setup_file") ; then
perl -i -n -p -e "s/(\s*${_setup_key}.*)/#\1\n${_setup_key} = $_setup_val/" "$_setup_file" 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
echo_skipped
fi
fi
_setup_key="GREYLISTEXPIREDAYS"
_setup_val="10.0"
_setup_file="/etc/tumgreyspf/default.conf"
echononl " Setup defaults for tumgreyspf: $_setup_key .."
if ! $(grep -iq -E "^\s*${_setup_key}\s*=" "$_setup_file") ; then
cat <<EOF >> "$_setup_file" 2> $tmp_err_msg
# Added by script $(basename $0) at $(date +%Y-%m-%d)
$_setup_key = $_setup_val
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
if ! $(grep -iq -E "^\s*${_setup_key}\s*=\s*${_setup_val/}$" "$_setup_file") ; then
perl -i -n -p -e "s/(\s*${_setup_key}.*)/#\1\n${_setup_key} = $_setup_val/" "$_setup_file" 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
echo_skipped
fi
fi
postgrey_socket="unix:private/tumgreyspf"
postgrey_additional_options="tumgreyspf_time_limit = 3600"
fi
## - Install Postfix Firewall Daemon from debian packages system
## -
echononl " Install Postfix Firewall Daemon from debian packages system"
_pkg="postfwd"
if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
echo_skipped
else
DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
fi
echononl " Adjust /etc/default/postfwd"
perl -i -n -p -e "s#^(\s*)(STARTUP=.*)#\#\1\2\nSTARTUP=1#" \
/etc/default/postfwd > $tmp_err_msg 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
_file="/etc/postfix/postfwd.wl-user"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# SASL Users whitelisted by postfwd
# ---
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/postfwd.bl-user"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# SASL Users blocked by postfwd
# ---
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/postfwd.bl-sender"
echononl " Create whitelist file '$_file' for postfwd"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# Sender addresses blocked by postfwd
# ---
# annoying spammer domains
@acieu.co.uk
# annoying spammer addresses
error@mailfrom.com
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Create configuration file '/etc/postfix/postfwd.cf'.."
if [[ ! -f "/etc/postfix/postfwd.cf" ]]; then
cat << EOF > /etc/postfix/postfwd.cf
#======= Definitions ============
# Match messages with an associated SASL username
&&SASL_AUTH {
sasl_username!~^\$
}
# Whitelist users
&&TRUSTED_USERS {
sasl_username==file:/etc/postfix/postfwd.wl-user
}
# Blacklist users
&&BLOCK_USERS {
sasl_username==file:/etc/postfix/postfwd.bl-user
}
# Blacklist sender adresses
&&BLOCK_SENDER {
# =~
# using '=~' allows also matching entries for domains (i.e. @acieu.co.uk)
sender=~file:/etc/postfix/postfwd.bl-sender
}
# Inbound emails only
&&INCOMING {
client_address!=127.0.0.1
}
#======= Rule Sets ============
# Whitelists
# Whitelist sasl users
id=WHL_USERS
&&TRUSTED_USERS
action=DUNNO
# Blacklist users
id=BL_USERS
&&BLOCK_USERS
action=REJECT User is blocked by so36.NET admins. Error: BL_USERS
# Blacklist sender
#
# Claim successful delivery and silently discard the message.
#
id=BL_SENDER
&&BLOCK_SENDER
action=DISCARD
#action=REJECT Sender address is blocked by so36.NET admins. Error: BL_SENDER
# Rate Limits
# Block messages with more than 50 recipients
id=BLOCK_MSG_RCPT
&&INCOMING
&&SASL_AUTH
recipient_count=50
action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT
# Block users sending more than 50 messages/hour
id=RATE_MSG
&&INCOMING
&&SASL_AUTH
action=rate(\$\$sasl_username/50/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG)
# Block users sending more than 250 recipients total/hour
id=RATE_RCPT
&&INCOMING
&&SASL_AUTH
action=rcpt(\$\$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT)
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Enable Postfix firewall daemon at boot time .."
if $systemd_exists ; then
systemctl enable postfwd > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
update-rc.d postfwd defaults > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
fi
echononl " Restart Postfix firewall daemon 'postfwd'.."
if $systemd_exists ; then
systemctl restart postfwd > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
/etc/init.d/postfwd restart > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
fi
# - Backup existing postfix configuration file
# -
echononl " Backup existing postfix configuration file"
if [[ -f "/etc/postfix/main.cf" ]]; then
cp -a /etc/postfix/main.cf /etc/postfix/main.cf.$backup_date
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
# - Creeate new postfix configuration file
# -
echononl " Creeate new postfix configuration file"
cat <<EOF > /etc/postfix/main.cf
# ============ Basic settings ============
# Disable backwards compatibility
compatibility_level = 2
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
myorigin = /etc/mailname
smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
## - The Internet protocols Postfix will attempt to use when making
## - or accepting connections.
## - DEFAULT: ipv4
EOF
if [ -n "$IPV6" ]; then
cat <<EOF >> /etc/postfix/main.cf
inet_protocols = ipv4, ipv6
#inet_interfaces = all
inet_interfaces =
127.0.0.1
$IPV4
$IPV6
myhostname = $HOSTNAME
mydestination =
$HOSTNAME
localhost
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
# +++++++++++++++++++++++++++++++++++++
# replace 127.0.0.1/8 with 127.0.0.1/32
# +++++++++++++++++++++++++++++++++++++
# So we can use i.e 127.0.0.25 (or any other 127.x.x.x address)
# to bind to hidden tor service on port 25 without having an
# open relay
#
# see also: https://github.com/ehloonion/onionmx/blob/master/open-relay.md
#
#127.0.0.0/8
127.0.0.1/32
[::ffff:127.0.0.0]/104
[::1]/128
${IPV4}/32
[${IPV6}]/128
# a.mx.oopen.de
#95.217.204.247/32
#[2a01:4f9:4a:47e5::247]/128
# b.mx.oopen.de
#162.55.82.73/32
#[2a01:4f8:271:1266::73]/128
# d.mx.oopen.de
#95.217.204.227/32
#[2a01:4f9:4a:47e5::227]/128
# e.mx.oopen.de
#95.217.204.205/32
#[2a01:4f9:4a:47e5::205]/128
smtp_bind_address = $IPV4
smtp_bind_address6 = $IPV6
EOF
else
cat <<EOF >> /etc/postfix/main.cf
inet_protocols = ipv4
#inet_interfaces = all
inet_interfaces =
127.0.0.1
$IPV4
myhostname = $HOSTNAME
mydestination =
$HOSTNAME
localhost
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
# +++++++++++++++++++++++++++++++++++++
# replace 127.0.0.1/8 with 127.0.0.1/32
# +++++++++++++++++++++++++++++++++++++
# So we can use i.e 127.0.0.25 (or any other 127.x.x.x address)
# to bind to hidden tor service on port 25 without having an
# open relay
#
# see also: https://github.com/ehloonion/onionmx/blob/master/open-relay.md
#
#127.0.0.0/8
127.0.0.1/32
${IPV4}/32
# a.mx.oopen.de
#95.217.204.247
# b.mx.oopen.de
#162.55.82.73
# d.mx.oopen.de
#95.217.204.227/32
smtp_bind_address = $IPV4
#smtp_bind_address6 = $IPV6
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
## - The method to generate the default value for the mynetworks parameter.
## -
## - mynetworks_style = host" when Postfix should "trust" only the local machine
## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP
## - clients in the same IP subnetworks as the local machine.
## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same
## - IP class A/B/C networks as the local machine.
## -
#mynetworks_style = host
## - The maximal size of any local(8) individual mailbox or maildir file,
## - or zero (no limit). In fact, this limits the size of any file that is
## - written to upon local delivery, including files written by external
## - commands that are executed by the local(8) delivery agent.
## -
mailbox_size_limit = 0
## - The maximal size in bytes of an individual virtual(8) mailbox or
## - maildir file, or zero (no limit).
## -
virtual_mailbox_limit = 0
## - The maximal size in bytes of a message, including envelope information.
## -
## - we user 50MB
## -
message_size_limit = 52480000
## - The system-wide recipient address extension delimiter
## -
recipient_delimiter = +
## - The alias databases that are used for local(8) delivery.
## -
alias_maps =
hash:/etc/aliases
## - The alias databases for local(8) delivery that are updated
## - with "newaliases" or with "sendmail -bi".
## -
alias_database =
hash:/etc/aliases
## - Optional address mapping lookup tables for envelope and header sender
## - addresses. The table format and lookups are documented in canonical(5).
## -
## - Example: you want to rewrite the SENDER address "user@ugly.domain"
## - to "user@pretty.domain", while still being able to send mail to the
## - RECIPIENT address "user@ugly.domain".
## -
## - Note: \$sender_canonical_maps is processed before \$canonical_maps.
## -
sender_canonical_maps = btree:/etc/postfix/sender_canonical
## - Optional lookup tables with mappings from recipient address
## - to (message delivery transport, next-hop destination).
## - See transport(5) for details.
## -
transport_maps =
btree:/etc/postfix/transport
btree:/etc/postfix/relay_domains
## - The maximal time a message is queued before it is sent back as
## - undeliverable. Defaults to 5d (5 days)
## - Specify 0 when mail delivery should be tried only once.
## -
maximal_queue_lifetime = 3d
bounce_queue_lifetime = \$maximal_queue_lifetime
## - delay_warning_time (default: 0h)
## -
## - The time after which the sender receives a copy of the message
## - headers of mail that is still queued. To enable this feature,
## - specify a non-zero time value (an integral value plus an optional
## - one-letter suffix that specifies the time unit).
## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
## - The default time unit is h (hours).
delay_warning_time = 1d
# ============ header/mime-header/body checks ============
header_checks = pcre:/etc/postfix/header_checks.pcre
mime_header_checks = pcre:/etc/postfix/mime_header_check.pcre
body_checks = pcre:/etc/postfix/body_check.pcre
prepend_delivered_header =
forward
file
## - proxy_read_maps
## -
## - The lookup tables that the proxymap(8) server is allowed to access for the read-only service.
## -
## - Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Table
## - references that don't begin with proxy: are ignored.
## -
#proxy_read_maps = \$local_recipient_maps \$mydestination \$virtual_alias_maps \$virtual_alias_domains \$virtual_mailbox_maps \$virtual_mailbox_domains \$relay_recipient_maps \$relay_domains \$canonical_maps \$sender_canonical_maps \$recipient_canonical_maps \$relocated_maps \$transport_maps \$mynetworks \$sender_bcc_maps \$recipient_bcc_maps \$smtp_generic_maps \$lmtp_generic_maps \$smtpd_sender_login_maps
# ============ Relay parameters ============
relayhost =
relay_domains =
\$mydestination
btree:/etc/postfix/relay_domains
# ============ TLS parameters ============
## - supports DNSSEC
## -
## - !! Notice !!
## - In order to support DNSSEC and DANE your resolver MUST support
## - DNSSEC too.
## -
## - If your resolver does not support DNSSEC, install "unbound".
## -
smtp_host_lookup = dns
smtp_dns_support_level = dnssec
## - Aktiviert TLS für den Mailempfang
## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - SMTP server, otherwise use plaintext
## -
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - "smtpd_tls_wrappermode = yes".
#smtpd_use_tls=yes
smtpd_tls_security_level=may
## - Aktiviert TLS für den Mailversand
## -
## - may:
## - Opportunistic TLS: announce STARTTLS support to SMTP clients,
## - but do not require that clients use TLS encryption.
# smtp_use_tls=yes
#smtp_tls_security_level=may
smtp_tls_security_level=dane
## - 0 Disable logging of TLS activity.
## - 1 Log TLS handshake and certificate information.
## - 2 Log levels during TLS negotiation.
## - 3 Log hexadecimal and ASCII dump of TLS negotiation process.
## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS.
## -
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtpd_tls_cert_file = $_TLS_CERT_FILE
smtpd_tls_key_file = $_TLS_KEY_FILE
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl dhparam -out /etc/postfix/ssl/dh_1024.pem -2 1024
## -
## - or using '-dsaparam' to avoid long creation time:
## - openssl dhparam -dsaparam -out /etc/postfix/ssl/dh_1024.pem 1024
## -
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
## - also possible to use 2048 key with that parameter
## -
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl dhparam -out /etc/postfix/ssl/dh_512.pem -2 512
## -
## - or using '-dsaparam' to avoid long creation time:
## - openssl dhparam -dsaparam -out /etc/postfix/ssl/dh_512.pem 512
## -
smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
## - File containing CA certificates of root CAs trusted to sign either remote SMTP
## - server certificates or intermediate CA certificates. These are loaded into
## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
## -
smtp_tls_CAfile = $_TLS_CA_FILE
## - Directory with PEM format certificate authority certificates that the Postfix SMTP
## - client uses to verify a remote SMTP server certificate. Don't forget to create the
## - necessary "hash" links with, for example, "
## - /usr/bin/c_rehash /etc/postfix/certs".
## -
## - !! Note !!
## - To use this option in chroot mode, this directory (or a copy) must be inside
## - the chroot jail.
## -
## - Note that a chrooted daemon resolves all filenames relative to the Postfix
## - queue directory (/var/spool/postfix)
## -
#smtpd_tls_CApath = /etc/postfix/certs
# Disable SSLv2 SSLv3 - Postfix SMTP server
#
# List of TLS protocols that the Postfix SMTP server will exclude or
# include with opportunistic TLS encryption.
smtpd_tls_protocols = !SSLv2, !SSLv3
#
# The SSL/TLS protocols accepted by the Postfix SMTP server
# with mandatory TLS encryption.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Disable SSLv2 SSLv3 - Postfix SMTP client
#
# List of TLS protocols that the Postfix SMTP client will exclude or
# include with opportunistic TLS encryption.
smtp_tls_protocols = !SSLv2, !SSLv3
#
# List of SSL/TLS protocols that the Postfix SMTP client will use
# with mandatory TLS encryption
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange
## - openssl > 1.0
## -
smtpd_tls_eecdh_grade = strong
# standard list cryptographic algorithm
tls_preempt_cipherlist = yes
# Disable ciphers which are less than 256-bit:
#
#smtpd_tls_mandatory_ciphers = high
#
# opportunistic
smtpd_tls_ciphers = high
# Exclude ciphers
#smtpd_tls_exclude_ciphers =
# RC4
# aNULL
# SEED-SHA
# EXP
# MD5
smtpd_tls_exclude_ciphers =
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CDC3-SHA
KRB5-DE5
CBC3-SHA
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
EOF
if $IS_RELAY_HOST ; then
cat <<EOF >> /etc/postfix/main.cf
#======= SASL Authentification ============
# Enable SASL authentication
smtpd_sasl_auth_enable = $SASL_AUTH_ENABLED
# Only offer SMTP AUTH when talking over an encrypted connection
smtpd_tls_auth_only = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
# Disallow methods that allow anonymous authentication.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options
# Report the SASL authenticated user name in the smtpd(8) Received message header.
smtpd_sasl_authenticated_header = yes
# Enable interoperability with remote SMTP clients that implement an obsolete version
# of the AUTH command (RFC 4954). Examples of such clients are MicroSoft Outlook
# Express version 4 and MicroSoft Exchange version 5.0.
#
# Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support
# in a non-standard way.
#
broken_sasl_auth_clients = yes
## - Optional lookup table with the SASL login names that own
## - sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
#======= Virtual mailboxes ============
## - Local Mailboxes
## -
virtual_mailbox_base =
virtual_uid_maps =
virtual_gid_maps =
EOF
else
cat <<EOF >> /etc/postfix/main.cf
#======= SASL Authentification ============
## - Enable SASL authentication in the Postfix SMTP server. By default,
## - the Postfix SMTP server does not use authentication.
## -
smtpd_sasl_auth_enable = no
## - Only offer SMTP AUTH when talking over an encrypted connection
## -
smtpd_tls_auth_only = yes
## - The SASL plug-in type that the Postfix SMTP server should use for authentication.
## - The available types are listed with the "postconf -a" command.
## -
## - Available values are at least: cyrus, dovecot
## -
smtpd_sasl_type = dovecot
## - Implementation-specific information that the Postfix SMTP server passes
## - through to the SASL plug-in implementation that is selected with smtpd_sasl_type.
## - Typically this specifies the name of a configuration file or rendezvous point.
## -
smtpd_sasl_path = private/dovecot-auth
# Disallow methods that allow anonymous authentication.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options
# Report the SASL authenticated user name in the smtpd(8) Received message header.
smtpd_sasl_authenticated_header = no
# Enable interoperability with remote SMTP clients that implement an obsolete version
# of the AUTH command (RFC 4954). Examples of such clients are MicroSoft Outlook
# Express version 4 and MicroSoft Exchange version 5.0.
#
# Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support
# in a non-standard way.
#
broken_sasl_auth_clients = yes
## - Optional lookup table with the SASL login names that own
## - sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
#======= Virtual mailboxes ============
## - Local Mailboxes
## -
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
## - virtual_transport
## - =================
## -
## - using postfix
## - virtual_transport = virtual
## -
## - using dovecot lda
## - virtual_transport = dovecot
## - dovecot_destination_recipient_limit = 1
## -
## - using dovecot's lmtp service
## - virtual_transport = lmtp:unix:private/dovecot-lmtp
## -
virtual_transport = virtual
virtual_mailbox_maps =
virtual_mailbox_domains =
## - Optional lookup tables that alias specific mail addresses or domains
## - to other local or remote address. The table format and lookups are
## - documented in virtual(5). For an overview of Postfix address
## - manipulations see the ADDRESS_REWRITING_README document.
## -
virtual_alias_maps =
## - mailman
#hash:/var/lib/mailman/data/virtual-mailman
## - Postfix is final destination for the specified list of virtual alias
## - domains, that is, domains for which all addresses are aliased to addresses
## - in other local or remote domains. The SMTP server validates recipient
## - addresses with \$virtual_alias_maps and rejects non-existent recipients.
## - See also the virtual alias domain class in the ADDRESS_CLASS_README file
## -
virtual_alias_domains =
#======= smtpd Restrictions ============
# - Order of evaluating smtpd restriction lists:
# -
# - smtpd_client_restrictions
# - smtpd_helo_restrictions
# - smtpd_sender_restrictions
# - smtpd_relay_restrictions
# - smtpd_recipient_restrictions
# - smtpd_data_restrictions
# - smtpd_end_of_data_restrictions
# -
# - Note:
# - all smtpd restrictions are evaluated until one of them
# - results in 'REJECT'
## ---
## - Define smtpd Restrictions
## ---
smtpd_restriction_classes = check_greylist
check_greylist = check_policy_service $postgrey_socket
EOF
if [[ -n "$postgrey_additional_options" ]]; then
cat <<EOF >> /etc/postfix/main.cf
$postgrey_additional_options
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
# The time limit for delivery to 'postfwd'
#
# Note
# This Parameter is used only if you've defined a 127.0.0.1:10040 spawn service
# in master.cf to have postfix control starting/stopping of the service.
#
# If the service is started externally, such as by an init script, I
# don't believe it's used or needed.
#
# The time limit for all external commands is controlled by command_time_limit
#
#
#127.0.0.1:10040_time_limit = 3600
# smtpd_delay_reject (default: yes)
#
# Wait until the RCPT TO command before evaluating \$smtpd_client_restrictions,
# \$smtpd_helo_restrictions and \$smtpd_sender_restrictions, or wait until the
# ETRN command before evaluating \$smtpd_client_restrictions and \$smtpd_helo_restrictions.
#
# This feature is turned on by default because some clients apparently mis-behave
# when the Postfix SMTP server rejects commands before RCPT TO.
#
# The default setting has one major benefit: it allows Postfix to log recipient address
# information when rejecting a client name/address or sender address, so that it is
# possible to find out whose mail is being rejected.
smtpd_delay_reject = yes
## ---
## smtpd Client Restrictions
## ---
smtpd_client_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
# Whitelist clients
#
check_client_access btree:/etc/postfix/client_whitelist
# RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
# Whitelist (configured at a.ns.oopen.de)
#
permit_dnswl_client dnswl.oopen.de,
# Blacklists
#
# - rhs stands for right hand side, i.e, the domain name.
#
# - reject_rhsbl_helo makes Postfix reject email when the client HELO or EHLO hostname is blacklisted.
#
# - reject_rhsbl_reverse_client: reject the email when the unverified reverse client hostname is
# blacklisted. Postfix will fetch the client hostname from PTR record. If the hostname is
# blacklisted, reject the email.
#
# - reject_rhsbl_sender makes Postfix reject email when the MAIL FROM domain is blacklisted.
#
# - reject_rbl_client: This is an IP-based blacklist. When the client IP address is backlisted,
# reject the email.
#
reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org,
reject_rhsbl_sender dbl.spamhaus.org,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client ix.dnsbl.manitu.net,
# Greylisting check
#
# check_policy_service inet:127.0.0.1:10023,
#
#
# Using defined restriction class (see smtpd_restriction_classes):
#
# greylist all connections:
# check_greylist,
#
# selctive greylisting:
# check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
#
#warn_if_reject,
check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
#reject_rbl_client bl.spamcop.net,
# Reject the request when
# 1) the client IP address->name mapping fails
# 2) the name->address mapping fails
# 3) the name->address mapping does not match the client IP address.
#
# Note:
# This is a stronger restriction than the reject_unknown_reverse_client_hostname
# feature, which triggers only under condition 1) above.
#
#reject_unknown_client
## ---
## smtpd HELO Restrictions
## ---
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
# Whitelist clients
#
check_client_access btree:/etc/postfix/client_whitelist
# Reject the request when the HELO or EHLO hostname is malformed.
#
# Note
# specify "smtpd_helo_required = yes" to fully enforce this restriction
# (without "smtpd_helo_required = yes", a client can simply skip
# reject_invalid_helo_hostname by not sending HELO or EHLO).
#
reject_invalid_helo_hostname,
# Reject the request when the HELO or EHLO hostname is not in fully-qualified
# domain or address literal form, as required by the RFC.
#
reject_non_fqdn_helo_hostname
# Don't talk to mail systems that don't know their own hostname.
#
reject_unknown_helo_hostname
## ---
## - smtpd Sender Restrictions
## ---
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_sender_domain,
reject_non_fqdn_sender
reject_unknown_reverse_client_hostname
## ---
## - smtpd Recipient Restrictions
## ---
# Applied in the context of a client RCPT TO command, after smtpd_relay_restrictions
#
smtpd_recipient_restrictions =
# only special accounts (postmaster, abuse and other rolr accounts)
check_recipient_access btree:/etc/postfix/access_recipient-rfc,
# White- / Blacklisting
check_sender_access btree:/etc/postfix/access_sender,
check_recipient_access btree:/etc/postfix/access_recipient,
# permit trusted network (mynetwork)
permit_mynetworks,
# permit our users
permit_sasl_authenticated,
# dont' accept misconfigured Mail
reject_non_fqdn_recipient,
# don't accept misconfigured recipients
reject_unknown_recipient_domain,
# Reject the request when the RCPT TO address is not listed in the list of valid
# recipients for its domain class. See the smtpd_reject_unlisted_recipient
# parameter description for details.
#
# smtpd_reject_unlisted_recipient (default: yes)
#
# Request that the Postfix SMTP server rejects mail for unknown recipient addresses,
# even when no explicit reject_unlisted_recipient access restriction is specified.
# This prevents the Postfix queue from filling up with undeliverable MAILER-DAEMON messages.
#
# An address is always considered "known" when it matches a virtual(5) alias or
# a canonical(5) mapping.
# - The recipient domain matches \$mydestination, \$inet_interfaces or \$proxy_interfaces,
# but the recipient is not listed in \$local_recipient_maps, and \$local_recipient_maps
# is not null.
# - The recipient domain matches \$virtual_alias_domains but the recipient is not listed
# in \$virtual_alias_maps.
# - The recipient domain matches \$virtual_mailbox_domains but the recipient is not
# listed in \$virtual_mailbox_maps, and \$virtual_mailbox_maps is not null.
# - The recipient domain matches \$relay_domains but the recipient is not listed in
# \$relay_recipient_maps, and \$relay_recipient_maps is not null.
#
reject_unlisted_recipient,
# reject_unauth_destination
#
# Reject the request unless one of the following is true:
#
# - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains
# or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
#
#
# - Postfix is the final destination: the resolved RCPT TO domain matches
# \$mydestination, \$inet_interfaces, \$proxy_interfaces, \$virtual_alias_domains,
# or \$virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).
#
# Note:
# reject_unauth_destination is not needed here if the mail
# relay policy is specified under smtpd_relay_restrictions
# (available with Postfix 2.10 and later).
#reject_unauth_destination,
# Reject the request when mail to the RCPT TO address is known to bounce, or when the
# recipient address destination is not reachable. Address verification information is
# managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
# for more details
reject_unverified_recipient,
# Policyd-Weight
#check_policy_service inet:127.0.0.1:12525,
# permit Backup MX
permit_mx_backup,
# permit, if all restrictions so far passed
permit
## ---
## - smtpd Relay Restrictions (since version 2.11)
## ---
# Access restrictions for mail relay control applied in the context of
# the RCPT TO command, before smtpd_recipient_restrictions.
#
smtpd_relay_restrictions =
# only special accounts (postmaster, abuse and other rolr accounts)
check_recipient_access btree:/etc/postfix/access_recipient-rfc,
# White- / Blacklisting
check_sender_access btree:/etc/postfix/access_sender,
check_recipient_access btree:/etc/postfix/access_recipient,
# permit trusted network (mynetwork)
permit_mynetworks,
# permit our users
permit_sasl_authenticated,
# dont' accept misconfigured Mail
reject_non_fqdn_recipient,
# don't accept misconfigured recipients
reject_unknown_recipient_domain,
# Reject the request unless one of the following is true:
#
# - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains
# or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
#
# - Postfix is the final destination: the resolved RCPT TO domain matches
# \$mydestination, \$inet_interfaces, \$proxy_interfaces, \$virtual_alias_domains,
# or \$virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).
reject_unauth_destination,
# Reject the request when mail to the RCPT TO address is known to bounce, or when the
# recipient address destination is not reachable. Address verification information is
# managed by the verify(8) server; see http://www.postfix.org/ADDRESS_VERIFICATION_README.html
# for more details
reject_unverified_recipient,
# permit Backup MX
permit_mx_backup,
# permit, if all restrictions so far passed
permit
## ---
## - smtpd DATA Restrictions
## ---
smtpd_data_restrictions =
# Block clients that speak too early.
#
reject_unauth_pipelining
smtpd_end_of_data_restrictions =
# Check Postfix Firewall Daemon
#
check_policy_service inet:127.0.0.1:10040
EOF
echo_ok
## - /etc/mailname
## -
echononl " Set \"/etc/mailname\""
echo $HOSTNAME > /etc/mailname
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - /etc/aliases
## -
echononl " Backup existing file '/etc/aliases'"
if [[ -f /etc/aliases ]] ; then
mv /etc/aliases "/etc/aliases.$backup_date" > $tmp_err_msg 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
echo_skipped
fi
echononl " Adjust \"/etc/aliases\""
cat << EOF > /etc/aliases
# See man 5 aliases for format
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
do-not-reply: /dev/null
root: $ADMIN_EMAIL
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - create directory for certificates and copy certificates
## - and coresponding keys to /etc/postfix/ssl/
## -
echononl " Create directory for certificates \"/etc/postfix/ssl\""
if [[ -d "/etc/postfix/ssl" ]] ; then
echo_skipped
else
mkdir -p /etc/postfix/ssl
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
## - generate DH parameters that the Postfix SMTP server should use
## - with EDH ciphers (length 512 and 1024
## -
echononl " Generate DH key length=512 \"/etc/postfix/ssl/dh_512.pem\""
if [ ! -f /etc/postfix/ssl/dh_512.pem ]; then
#openssl dhparam -out /etc/postfix/ssl/dh_512.pem -2 512 > /dev/null 2>&1
openssl dhparam -dsaparam -out /etc/postfix/ssl/dh_512.pem 512 > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Generate DH key length=1024 \"/etc/postfix/ssl/dh_1024.pem\""
if [ ! -f /etc/postfix/ssl/dh_1024.pem ]; then
#openssl dhparam -out /etc/postfix/ssl/dh_1024.pem -2 1024 > /dev/null 2>&1
openssl dhparam -dsaparam -out /etc/postfix/ssl/dh_1024.pem 1024 > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Generate DH key length=2048 \"/etc/postfix/ssl/dh_2048.pem\""
if [ ! -f /etc/postfix/ssl/dh_2048.pem ]; then
#openssl dhparam -out /etc/postfix/ssl/dh_2048.pem -2 2048 > /dev/null 2>&1
openssl dhparam -dsaparam -out /etc/postfix/ssl/dh_2048.pem 2048 > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Create Symlink \"$_TLS_CERT_FILE\""
if [ ! -h "$_TLS_CERT_FILE" ]; then
ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem $_TLS_CERT_FILE
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Create Symlink \"$_TLS_KEY_FILE\""
if [ ! -h "$_TLS_KEY_FILE" ]; then
ln -s /etc/ssl/private/ssl-cert-snakeoil.key $_TLS_KEY_FILE
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
## - rebuld alias database
## -
echononl " Rebuld alias database"
newaliases > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - create files
## -
echononl " Create file \"access_recipient-rfc\""
if [[ ! -f /etc/postfix/access_recipient-rfc ]]; then
cat <<EOF > /etc/postfix/access_recipient-rfc
# if destination is ok, permit
/^postmaster\@/ permit_auth_destination
/^abuse\@/ permit_auth_destination
EOF
fi
postmap btree:/etc/postfix/access_recipient-rfc
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - Notice:
## - The access_sender list can also be used as white list:
## - backup@b3-bornim.de OK
## - backup_file-ah@oopen.de OK
## - backup_file-spr@oopen.de OK
## - root_file_spr@oopen.de OK
## - backup_anw-urban@oopen.de OK
## - anonymous@bbb-server.b3-bornim.de OK
echononl " Create file \"access_sender\""
if [[ ! -f /etc/postfix/access_sender ]]; then
cat <<EOF > /etc/postfix/access_sender
# - bekannte Virus/Spam Absener blocken
# -
# annoying spammer domains
acieu.co.uk REJECT
# annoying spammer addresses
error@mailfrom.com REJECT
EOF
fi
postmap btree:/etc/postfix/access_sender
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Create file \"access_recipient\""
if [[ ! -f /etc/postfix/access_recipient ]]; then
touch /etc/postfix/access_recipient
fi
postmap btree:/etc/postfix/access_recipient
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Create file \"client_whitelist\""
if [[ ! -f "/etc/postfix/client_whitelist" ]]; then
cat <<EOF > /etc/postfix/client_whitelist
# onion - tor hidden service
127.0.0.25 OK
EOF
fi
postmap btree:/etc/postfix/client_whitelist
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Create file \"sender_canonical\""
if [[ ! -f /etc/postfix/sender_canonical ]]; then
cat <<EOF > /etc/postfix/sender_canonical
@localhost @$(hostname -f)
EOF
fi
postmap btree:/etc/postfix/sender_canonical
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Create file \"transport\""
if [[ ! -f /etc/postfix/transport ]]; then
cat <<EOF > /etc/postfix/transport
# - Force sending through IPv4
# -
# - Take care your master.cf file (/etc/postfix/master.cf) contains:
# -
# - smtp-ipv4-only unix - - n - - smtp
# - -o inet_protocols=ipv4
# -
#example.com smtp-ipv4-only:
# - Force sending through IPv6
# -
# - Take care your master.cf file (/etc/postfix/master.cf) contains:
# -
# - smtp-ipv6-only unix - - n - - smtp
# - -o inet_protocols=ipv6
# -
#example.net smtp-ipv6-only:
EOF
fi
postmap btree:/etc/postfix/transport
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Create file \"relay_domains\""
if [[ ! -f /etc/postfix/relay_domains ]] ; then
touch /etc/postfix/relay_domains
fi
postmap btree:/etc/postfix/relay_domains
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Create file \"greylist_client_access_pcre\""
if [[ ! -f /etc/postfix/greylist_client_access_pcre ]]; then
cat <<EOF > /etc/postfix/greylist_client_access_pcre
# ---
# Check Client Access for greylisting (selective greylisting)
# ---
#
# - Note:
# -
# - Action 'check_greylist' must be defined by 'smtpd_restriction_classes'
# - and also set with an action (check_policy_service inet:127.0.0.1:10023)
# - in file /etc/postfix/ main.cf.
# -
# - Your main.cf may looks like:
# -
# - smtpd_restriction_classes = check_greylist
# - check_greylist = check_policy_service inet:127.0.0.1:10023
# -
# - smtpd_recipient_restrictions =
# - ...
# - check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
# - ...
# -
# - smtpd_relay_restrictions =
# - ...
# - check_client_access pcre:/etc/postfix/greylist_client_access_pcre,
# - ...
# ---
# - For clients matching the following rules greylisting check is applied.
# ---
# unkown clients
/^unknown$/ check_greylist
# everything with 3 or more hyphens in the hostname
/(\\-.+){3}$/ check_greylist
# everything with 4 or more dots in the hostname
/(\\..+){4}$/ check_greylist
# dialups
/(^|[0-9.x_-])(abo|br(e|oa)dband|cabel|(hk)?cablep?|catv|cbl|cidr|d?client2?|cust(omer)?s?|dhcp|dial?(in|up)?|d[iu]p|[asx]?dsld?|dyn(a(dsl|mic)?)?|home|in-addr|modem(cable)?|(di)?pool|ppp|ptr|rev|static|user|YahooBB[0-9]{12}|c[[:alnum:]]{6,}(\\.[a-z]{3})?\\.virtua|[1-9]Cust[0-9]+|AC[A-Z][0-9A-F]{5}\\.ipt|pcp[0-9]{6,}pcs|S0106[[:alnum:]]{12,}\\.[a-z]{2})[0-9.x_-]/ check_greylist
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/header_checks.pcre"
echononl " Create file '$_file' used for header replacing"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# - Replace headers
# ---
# - Replace recieved from
#/^Received: from (.* \\([-._[:alnum:]]+ \\[[.[:digit:]]{7,15}\\]\\)).*?([[:space:]]+).*\\(Authenticated sender: ([^)]+)\\)(.*)/ REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1])\$2(Authenticated sender: \$3)\$4
# ---
# - Ignore Headers
# ---
#/^\s*User-Agent/ IGNORE
#/^\s*X-Enigmail/ IGNORE
#/^\s*X-Mailer/ IGNORE
#/^\s*X-Originating-IP/ IGNORE
# ---
# - Reject / Discard headers
# ---
/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001
/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001
/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001
/^Reply-To: .+\@ppe-healthcare-europe\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1002
/^Reply-To: .+\@testbedarf.shop/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1003
/^Reply-To: .+\@acieu\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1004
/^Reply-To: .+\@acievents\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1005
/^Reply-To: .+\@dokpotenz\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1006
/^Reply-To: .+\@doktorapo\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1007
/^Reply-To: .+\@sendelope.eu/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1008
/^Reply-To: .+\@team-de-luxe\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1009
/^Reply-To: .+\@klickensiejetzt\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1010
/^Reply-To: .+\@podiumskate\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1011
/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001
/^From: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1002
/^From: .+\@ppe-healthcare-europe\..+/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1003
/^From: .+\@testbedarf.shop/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1004
/^From: .+\@acieu\..+/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1005
/^From: .+\@acievents\..+/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1006
/^From: .+\@dokpotenz\..+/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1007
/^From: .+\@doktorapo\..+/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1008
/^From: .+\@sendelope.eu/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1009
/^From: .+\@team-de-luxe\..+/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1010
/^From: .+\@klickensiejetzt\..+/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1011
/^From: .+\@podiumskate\..+/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1012
/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003
/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/mime_header_check.pcre"
echononl " Create file '$_file' used for header replacing"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# - MIME-Header Checks
# ---
/name=[^>]*\.exe/ REJECT No .exe files allowed - Mime--Spamschutzregel EXE-1001
/name=[^>]*\.bat/ REJECT No .bat files allowed - Mime--Spamschutzregel BAT-1002
/name=[^>](screensaver|movie)\.zip/ REJECT Sobig Virus found - Mime-Spamschutzregel VIR-1003
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
_file="/etc/postfix/body_check.pcre"
echononl " Create file '$_file' used for header replacing"
if [[ ! -f "$_file" ]]; then
cat << EOF > "$_file"
# ---
# - Body Checks
# ---
/See the attached file for details/ REJECT Sobig Virus found. - Body-Spamschutzregel TEXT-1001
/.*https?:\/\/click2eat.shop\/Installer\/updatedwebmails/ REJECT Maype fishing E-Mail credentials - Body-Spamschutzregel TEXT-1002
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
if ! $IS_RELAY_HOST ; then
## - Create Directory '/var/vmail' for virtual mailboxes
## -
echononl " Create directory '/var/vmail'"
if [[ ! -d "/var/vmail" ]]; then
mkdir /var/vmail > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
## - Create user (vmail) for virtual mailboxes
## -
echononl " Create user 'vmail' for virtual mailboxes"
if id -u vmail > /dev/null 2>&1; then
echo_skipped
else
useradd -s /bin/false -d /var/vmail -M -u 5000 vmail > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
## - Change ownership 'vmail:vmail' for dir '/var/vmail'
## -
echononl " Change ownership 'vmail:vmail' for dir '/var/vmail'"
chown vmail:vmail /var/vmail > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - Change permissions for dir '/var/vmail'
## -
echononl " Change permissions for dir '/var/vmail'"
chmod 700 /var/vmail > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
if [[ "$SASL_AUTH_ENABLED" = "yes" ]]; then
echononl " Create directory '/etc/postfix/sasl'.."
if [[ ! -d "/etc/postfix/sasl" ]] ; then
mkdir "/etc/postfix/sasl" > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Backup existing file '/etc/postfix/sasl/smtpd.conf'"
if [[ -f /etc/postfix/sasl/smtpd.conf ]] ; then
mv /etc/postfix/sasl/smtpd.conf "/etc/postfix/sasl/smtpd.conf.$backup_date" > $tmp_err_msg 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
echo_skipped
fi
echononl " Create file '/etc/postfix/sasl/smtpd.conf'.."
cat <<EOF > /etc/postfix/sasl/smtpd.conf
# - Take care only using provided login mechanisms. You can check this, by
# - running command
# -
# - saslpluginviewer -x AUXPROP_MECHS
# -
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
fi
## - /etc/postfix/master.cf
## -
## - Create Listener for user authenticated smtp connection port 587 (submission)
## - and port 465 (smtps)
## -
echononl " Backup file \"${postfix_master_cf}\""
cp -a $postfix_master_cf "${postfix_master_cf}.$backup_date" > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
if grep -iq -E "^submission\s+" $postfix_master_cf > /dev/null 2>&1 ; then
submission_present=true
else
submission_present=false
fi
if grep -iq -E "^smtps\s+" $postfix_master_cf > /dev/null 2>&1 ; then
smtps_present=true
else
smtps_present=false
fi
_found=false
echononl " Create new file \"${postfix_master_cf}\""
if [[ -f "${postfix_master_cf}.$backup_date" ]]; then
> $postfix_master_cf
while IFS='' read -r _line || [[ -n $_line ]] ; do
if echo "$_line" | grep -i -E "^\s*smtp\s+inet\s+" > /dev/null 2>&1 ; then
_found=true
cat >> $postfix_master_cf << EOF
smtp inet n - y - - smtpd
EOF
if ! $IS_RELAY_HOST ; then
if ! $submission_present ; then
cat >> $postfix_master_cf << EOF
submission inet n - y - 20 smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#-o milter_macro_daemon_name=ORIGINATING
EOF
fi
if ! $smtps_present ; then
cat >> $postfix_master_cf << EOF
smtps inet n - y - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#-o milter_macro_daemon_name=ORIGINATING
EOF
fi
fi
continue
fi
if $submission_present && echo "$_line" | grep -iq -E "^submission\s+" 2> /dev/null ; then
_found=true
if ! $IS_RELAY_HOST ; then
cat >> $postfix_master_cf << EOF
submission inet n - y - 20 smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
EOF
fi
continue
fi
if $smtps_present && echo "$_line" | grep -iq -E "^smtps\s+" 2> /dev/null ; then
_found=true
if ! $IS_RELAY_HOST ; then
cat >> $postfix_master_cf << EOF
smtps inet n - y - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
EOF
fi
continue
fi
# - [[:blank:]] means space and tab. This makes it similar to: [ \t]
# - [[:space;]] in addition to space and tab, includes newline, linefeed, formfeed,
# - and vertical tab. This makes it similar to: [ \t\n\r\f\v]
# -
#if [[ $_line =~ ^[[:space:]]+[^[:space:]]+ ]] && $_smtp_found ; then
# -
if [[ $_line =~ ^[[:blank:]]+[^[:space:]]+ ]] && $_found ; then
continue
fi
_found=false
echo "$_line" >> $postfix_master_cf
done < "${postfix_master_cf}.$backup_date"
# - Add transport definitions for only sending over IPv4/IPv6
# -
if ! $(grep -iq -E "^smtp-ipv4-only\s+" "$postfix_master_cf" 2> /dev/null) ; then
cat <<EOF >> $postfix_master_cf
smtp-ipv4-only unix - - n - - smtp
-o inet_protocols=ipv4
EOF
fi
if ! $(grep -iq -E "^smtp-ipv6-only\s+" "$postfix_master_cf" 2> /dev/null) ; then
cat <<EOF >> $postfix_master_cf
smtp-ipv6-only unix - - n - - smtp
-o inet_protocols=ipv6
EOF
fi
echo_done
warn "Please check file \"$postfix_master_cf\" !"
else
echo_failed
error "File \"${postfix_master_cf}.$backup_date\" not found!"
fi
## - restart postfix
## -
echononl " Restart postfix"
if $systemd_exists ; then
systemctl restart postfix > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
/etc/init.d/postfix restart > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
## - Omitt logging into system.log
## -
echononl " Create \"/etc/rsyslog.d/postfix.conf\""
cat << EOF >> /etc/rsyslog.d/postfix.conf
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
mail.* -/var/log/mail.log
& ~
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Restart rsyslog daemon"
if $systemd_exists ; then
systemctl restart rsyslog > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
/etc/init.d/rsyslog restart > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
rm $tmp_err_msg
echo ""
clean_up 0
Reference in New Issue View Git Blame Copy Permalink