install/mailsystem
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
cc193c7339
mailsystem/install_postfix_advanced.sh

1566 lines
39 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
working_dir="$(dirname $(realpath $0))"
conf_file="${working_dir}/conf//install_postfix_advanced.conf"
_TLS_CERT_DIR=/etc/postfix/ssl
_TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt"
_TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key"
_TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt
tmp_err_msg=$(mktemp)
backup_date="$(date +%Y-%m-%d-%H%M)"
# -------------
# --- Some functions
# -------------
clean_up() {
# Perform program exit housekeeping
rm -f $tmp_err_msg
exit $1
}
echononl(){
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
}
fatal(){
echo ""
echo -e "fatal error: $*"
echo ""
echo -e "\t\033[31m\033[1mInstalllation will be interrupted\033[m\033[m"
echo ""
clean_up 1
}
error(){
echo ""
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
echo ""
}
warn (){
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
echo ""
}
info (){
echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
echo ""
}
echo_done() {
echo -e "\033[80G[ \033[32mdone\033[m ]"
}
echo_ok() {
echo -e "\033[80G[ \033[32mok\033[m ]"
}
echo_warning() {
echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
echo -e "\033[80G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
echo -e "\033[80G[ \033[33m\033[1mskipped\033[m ]"
}
trap clean_up SIGHUP SIGINT SIGTERM
# - Is this a systemd system?
# -
if [[ "X`which systemd`" = "X" ]]; then
systemd_exists=false
else
systemd_exists=true
fi
echo ""
# - Default Values
# -
#_IS_RELAY_HOST=false
# - Read Configuration File if exists
# -
if [[ -f "$conf_file" ]]; then
source $conf_file
fi
clear
echo -e "\033[21G\033[32mInstallation script for Postfix basic mailsystem \033[m"
echo
HOSTNAME=
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert hostname"
echo ""
if [[ -n "$_HOSTNAME" ]]; then
echononl "hostname [${_HOSTNAME}]: "
read HOSTNAME
if [[ "X${HOSTNAME}" = "X" ]]; then
HOSTNAME=$_HOSTNAME
fi
else
while [[ "X${HOSTNAME}" = "X" ]]; do
echononl "hostname: "
read HOSTNAME
if [[ "X${HOSTNAME}" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mHostname is reqired\033[m\n"
fi
done
fi
IPV4=
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert IPv4 address"
echo ""
if [[ -n "$_IPV4" ]]; then
echononl "IPv4 address [${_IPV4}]: "
read IPV4
if [[ "X${IPV4}" = "X" ]]; then
IPV4=$_IPV4
fi
else
while [[ "X${IPV4}" = "X" ]]; do
echononl "IPv4 address: "
read IPV4
if [[ "X${IPV4}" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mIPv4 address is reqired\033[m\n"
fi
done
fi
IPV6=
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert IPv6 address"
echo "Type:"
echo -e "\t\033[33mNone\033[m if IPv6 is not suppoerted"
echo ""
if [[ -n "$_IPV6" ]]; then
[[ "X$_IPV6" = "Xdisabled" ]] && _IPV6=None
echononl "IPv6 address [${_IPV6}]: "
read IPV6
if [[ "X${IPV6}" = "X" ]]; then
IPV6=$_IPV6
fi
else
while [[ "X${IPV6}" = "X" ]]; do
echononl "IPv6 address: "
read IPV6
if [[ "X${IPV6}" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mIPv4 address is reqired\033[m\n"
fi
done
fi
if [ "X$IPV6" = "Xnone" -o "X$IPV6" = "XNone" ]; then
IPV6=disabled
fi
IS_RELAY_HOST=
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "How will this Mailserver be used?"
echo ""
if [[ -n "$_IS_RELAY_HOST" ]]; then
if $_IS_RELAY_HOST ; then
echo "[1] Complete Mailserver (with mailboxes)"
echo -e "\033[37m\033[1m[2] Mailrelay Host\033[m"
else
echo -e "\033[37m\033[1m[1] complete Mailserver (with mailboxes)\033[m"
echo "[2] Mailrelay Host"
fi
echo ""
echononl "Choose a number or press <RETURN> for highlighted value: "
else
echo "[1] Complete Mailserver (with mailboxes)"
echo "[2] Mailrelay Host"
echo ""
echononl "Choose a Number: "
fi
while [[ "$IS_RELAY_HOST" != "true" && "$IS_RELAY_HOST" != "false" ]];do
read OPTION
case $OPTION in
1) IS_RELAY_HOST=false
;;
2) IS_RELAY_HOST=true
;;
'') if [[ -n "$_IS_RELAY_HOST" ]] ; then
IS_RELAY_HOST=$_IS_RELAY_HOST
else
echo ""
echo -e "\tWrong entry! [ 1 = Complete Mailserver ; 2 = Mailrelay Host]"
echo ""
echononl "Reentry: "
fi
;;
*) IS_RELAY_HOST=
echo ""
if [[ -n "$_IS_RELAY_HOST" ]]; then
echo -e "\tWrong entry! [ 1 = Complete Mailserver ; 2 = Mailrelay Host] or type <RETURN>"
else
echo -e "\tWrong entry! [ 1 = Complete Mailserver ; 2 = Mailrelay Host]"
fi
echo ""
echononl "Reentry: "
;;
esac
done
SASL_AUTH_ENABLED="no"
if $IS_RELAY_HOST ; then
SASL_AUTH_ENABLED=""
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Should this mail relay server support Cyrus SASL authentication?"
echo ""
while [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]];do
if [[ -n "$_SASL_AUTH_ENABLED" ]]; then
echononl "Support Cyrus SASL authentication [${_SASL_AUTH_ENABLED}]: "
read SASL_AUTH_ENABLED
SASL_AUTH_ENABLED=${SASL_AUTH_ENABLED,,}
[[ -z "$SASL_AUTH_ENABLED" ]] && SASL_AUTH_ENABLED="$_SASL_AUTH_ENABLED"
else
echononl "Support Cyrus SASL authentication [yes/no]: "
read SASL_AUTH_ENABLED
SASL_AUTH_ENABLED=${SASL_AUTH_ENABLED,,}
fi
if [[ "$SASL_AUTH_ENABLED" != "yes" && "$SASL_AUTH_ENABLED" != "no" ]] ; then
_SASL_AUTH_ENABLED=""
echo -e "\n\t\033[33m\033[1mWrong entry!\033[m\n Type 'yes' or 'no'"
fi
done
fi
ADMIN_EMAIL=
echo ""
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert e-mail address where messages to local root should be forwarded"
echo ""
echo ""
if [[ -n "$_ADMIN_EMAIL" ]]; then
echononl "Admin e-mail address [$_ADMIN_EMAIL]: "
read ADMIN_EMAIL
if [[ "X${ADMIN_EMAIL}" = "X" ]]; then
ADMIN_EMAIL=$_ADMIN_EMAIL
fi
else
while [[ "X${ADMIN_EMAIL}" = "X" ]]; do
echononl "Admin e-mail address: "
read ADMIN_EMAIL
if [[ "X${ADMIN_EMAIL}" = "X" ]]; then
echo -e "\n\t\033[33m\033[1mAdmin e-mail address is reqired\033[m\n"
fi
done
fi
echo ""
echo ""
echo -e "\033[21G\033[32mStart installation/configuration with the following parameters\033[m"
echo ""
echo -e "\tHostname..........................: $HOSTNAME"
echo -e "\tIPv4 address......................: $IPV4"
echo -e "\tIPv6 address......................: $IPV6"
echo -e "\tAdmin e-mail......................: $ADMIN_EMAIL"
echo ""
if $IS_RELAY_HOST ; then
echo -e "\tConfigure as relay host?..........: \033[33m\033[1m$IS_RELAY_HOST\033[m"
echo -e "\tConfigure as complete mailserver..: false"
echo ""
echo -e "\tSupport Cyrus SASL authentication.: $SASL_AUTH_ENABLED"
else
echo -e "\tConfigure as relay host?..........: $IS_RELAY_HOST"
echo -e "\tConfigure as complete mailserver..: \033[33m\033[1mtrue\033[m"
fi
echo ""
echononl "einverstanden (yes/no): "
read OK
OK=${OK,,}
while [ "X$OK" != "Xyes" -a "X$OK" != "Xno" ]; do
echononl "Wrong entry! [yes/no]: "
read OK
OK=${OK,,}
done
[ $OK = "yes" ] || fatal Repeat with other settings..
echo ""
echo ""
_failed=false
echononl " Save Configuration"
cat << EOF > $conf_file
# ---
# - Parameter Settins Postfix Relay System
# ---
_HOSTNAME=$HOSTNAME
_IPV4=$IPV4
_IPV6=$IPV6
_ADMIN_EMAIL=$ADMIN_EMAIL
_IS_RELAY_HOST=$IS_RELAY_HOST
EOF
if [[ $? -ne 0 ]]; then
_failed=true
fi
if $IS_RELAY_HOST ; then
cat << EOF >> $conf_file
_SASL_AUTH_ENABLED=$SASL_AUTH_ENABLED
EOF
fi
if [[ $? -ne 0 ]]; then
_failed=true
fi
if $_failed ; then
echo_failed
else
echo_ok
fi
[[ "$IPV6" = "disabled" ]] && IPV6=""
# - Synchronise package index files with the repository
# -
echononl " Synchronise package index files with the repository.."
apt-get update > "$tmp_err_msg" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
# - Deinstall debian exim4 packages
# -
echononl " Deinstall debian exim4 packages"
_installed_exim_packages=`dpkg -l | grep exim4 | grep -e "^i" | awk '{print$2}'`
for _pkg in $_installed_exim_packages ; do
installed_exim_packages="$installed_exim_packages $_pkg"
done
if [[ -n "$installed_exim_packages" ]] ; then
if `dpkg -l | grep bsd-mailx | grep -e "^i" > /dev/null 2>&1` ; then
installed_exim_packages="$installed_exim_packages bsd-mailx"
fi
apt-get remove --purge -qq -y $installed_exim_packages > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
# - Install Postfix from debian packages system
# -
echononl " Install Postfix from debian packages system"
_needed_packages="postfix postfix-pgsql postfix-mysql postfix-pcre libsasl2-modules bsd-mailx haveged"
if [[ "$SASL_AUTH_ENABLED" = "yes" ]]; then
_needed_packages="$_needed_packages sasl2-bin"
fi
for _pkg in $_needed_packages ; do
if `dpkg -l | grep $_pkg | grep -e "^i" > /dev/null 2>&1` ; then
continue
else
needed_packages="$needed_packages $_pkg"
fi
done
if [[ -n "$needed_packages" ]]; then
DEBIAN_FRONTEND=noninteractive apt-get -y install $needed_packages > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
## - Install Postgrey from debian packages system
## -
echononl " Install Postgrey from debian packages system"
_pkg="postgrey"
if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
echo_skipped
else
DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
fi
echononl " Adjust /etc/default/postgrey"
perl -i -n -p -e "s#^(\s*)(POSTGREY_OPTS=.*)#\#\1\2\nPOSTGREY_OPTS=\"--inet=10023 --delay=149 --auto-whitelist-clients=3 --lookup-by-subnet\"#" \
/etc/default/postgrey > $tmp_err_msg 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
echononl " Create /etc/postgrey/whitelist_clients.local (additional whitelist entries)"
cat << EOF > /etc/postgrey/whitelist_clients.local
# For Office 365 - servers:
##/.*outbound.protection.outlook.com\$/
/^mail-.*\.outbound\.protection\.outlook\.com\$/
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Restart postrey daemon"
if $systemd_exists ; then
systemctl restart postgrey > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
/etc/init.d/postgrey restart > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
fi
# - Backup existing postfix configuration file
# -
echononl " Backup existing postfix configuration file"
if [[ -f "/etc/postfix/main.cf" ]]; then
cp -a /etc/postfix/main.cf /etc/postfix/main.cf.$backup_date
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
# - Creeate new postfix configuration file
# -
echononl " Creeate new postfix configuration file"
cat <<EOF > /etc/postfix/main.cf
# ============ Basic settings ============
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
myorigin = /etc/mailname
smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
## - The Internet protocols Postfix will attempt to use when making
## - or accepting connections.
## - DEFAULT: ipv4
EOF
if [ -n "$IPV6" ]; then
cat <<EOF >> /etc/postfix/main.cf
inet_protocols = ipv4, ipv6
#inet_interfaces = all
inet_interfaces =
127.0.0.1
$IPV4
$IPV6
myhostname = $HOSTNAME
mydestination =
$HOSTNAME
localhost
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
127.0.0.0/8
[::ffff:127.0.0.0]/104
[::1]/128
${IPV4}/32
[${IPV6}]/128
# a.mx.oopen.de
#83.223.86.91
#[2a01:30:0:13:2f7:50ff:fed2:cef7]/128
# b.mx.oopen.de
#83.223.86.97
#[2a01:30:0:13:21f:92ff:fe00:538b]
# d.mx.oopen.de
#83.223.86.92/32
#[2a01:30:0:13:254:9eff:fed5:e7fd]/128
smtp_bind_address = $IPV4
smtp_bind_address6 = $IPV6
EOF
else
cat <<EOF >> /etc/postfix/main.cf
inet_protocols = ipv4
#inet_interfaces = all
inet_interfaces =
127.0.0.1
$IPV4
myhostname = $HOSTNAME
mydestination =
$HOSTNAME
localhost
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
127.0.0.0/8
${IPV4}/32
#smtp_bind_address = $IPV4
#smtp_bind_address6 = $IPV6
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
## - The method to generate the default value for the mynetworks parameter.
## -
## - mynetworks_style = host" when Postfix should "trust" only the local machine
## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP
## - clients in the same IP subnetworks as the local machine.
## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same
## - IP class A/B/C networks as the local machine.
## -
#mynetworks_style = host
## - The maximal size of any local(8) individual mailbox or maildir file,
## - or zero (no limit). In fact, this limits the size of any file that is
## - written to upon local delivery, including files written by external
## - commands that are executed by the local(8) delivery agent.
## -
mailbox_size_limit = 0
## - The maximal size in bytes of an individual virtual(8) mailbox or
## - maildir file, or zero (no limit).
## -
virtual_mailbox_limit = 0
## - The maximal size in bytes of a message, including envelope information.
## -
## - we user 50MB
## -
message_size_limit = 52480000
## - The system-wide recipient address extension delimiter
## -
recipient_delimiter = +
## - The alias databases that are used for local(8) delivery.
## -
alias_maps =
hash:/etc/aliases
## - The alias databases for local(8) delivery that are updated
## - with "newaliases" or with "sendmail -bi".
## -
alias_database =
hash:/etc/aliases
## - Optional lookup tables with mappings from recipient address
## - to (message delivery transport, next-hop destination).
## - See transport(5) for details.
## -
transport_maps =
btree:/etc/postfix/transport
btree:/etc/postfix/relay_domains
## - The maximal time a message is queued before it is sent back as
## - undeliverable. Defaults to 5d (5 days)
## - Specify 0 when mail delivery should be tried only once.
## -
maximal_queue_lifetime = 3d
bounce_queue_lifetime = \$maximal_queue_lifetime
## - delay_warning_time (default: 0h)
## -
## - The time after which the sender receives a copy of the message
## - headers of mail that is still queued. To enable this feature,
## - specify a non-zero time value (an integral value plus an optional
## - one-letter suffix that specifies the time unit).
## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
## - The default time unit is h (hours).
delay_warning_time = 1d
#header_checks = pcre:/etc/postfix/header_checks
prepend_delivered_header =
forward
file
## - proxy_read_maps
## -
## - The lookup tables that the proxymap(8) server is allowed to access for the read-only service.
## -
## - Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Table
## - references that don't begin with proxy: are ignored.
## -
#proxy_read_maps = \$local_recipient_maps \$mydestination \$virtual_alias_maps \$virtual_alias_domains \$virtual_mailbox_maps \$virtual_mailbox_domains \$relay_recipient_maps \$relay_domains \$canonical_maps \$sender_canonical_maps \$recipient_canonical_maps \$relocated_maps \$transport_maps \$mynetworks \$sender_bcc_maps \$recipient_bcc_maps \$smtp_generic_maps \$lmtp_generic_maps \$smtpd_sender_login_maps
# ============ Relay parameters ============
relayhost =
relay_domains =
\$mydestination
btree:/etc/postfix/relay_domains
# ============ TLS parameters ============
## - supports DNSSEC
## -
## - !! Notice !!
## - In order to support DNSSEC and DANE your resolver MUST support
## - DNSSEC too.
## -
## - If your resolver does not support DNSSEC, install "unbound".
## -
smtp_host_lookup = dns
smtp_dns_support_level = dnssec
## - Aktiviert TLS für den Mailempfang
## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - SMTP server, otherwise use plaintext
## -
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - "smtpd_tls_wrappermode = yes".
#smtpd_use_tls=yes
smtpd_tls_security_level=may
## - Aktiviert TLS für den Mailversand
## -
## - may:
## - Opportunistic TLS: announce STARTTLS support to SMTP clients,
## - but do not require that clients use TLS encryption.
# smtp_use_tls=yes
#smtp_tls_security_level=may
smtp_tls_security_level=dane
## - 0 Disable logging of TLS activity.
## - 1 Log TLS handshake and certificate information.
## - 2 Log levels during TLS negotiation.
## - 3 Log hexadecimal and ASCII dump of TLS negotiation process.
## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS.
## -
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtpd_tls_cert_file = $_TLS_CERT_FILE
smtpd_tls_key_file = $_TLS_KEY_FILE
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl dhparam -out /etc/postfix/ssl/dh_1024.pem -2 1024
## -
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
## - also possible to use 2048 key with that parameter
## -
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl dhparam -out /etc/postfix/ssl/dh_512.pem -2 512
## -
smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
## - File containing CA certificates of root CAs trusted to sign either remote SMTP
## - server certificates or intermediate CA certificates. These are loaded into
## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
## -
smtp_tls_CAfile = $_TLS_CA_FILE
## - Directory with PEM format certificate authority certificates that the Postfix SMTP
## - client uses to verify a remote SMTP server certificate. Don't forget to create the
## - necessary "hash" links with, for example, "
## - $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
## -
## - !! Note !!
## - To use this option in chroot mode, this directory (or a copy) must be inside
## - the chroot jail.
## -
## - Note that a chrooted daemon resolves all filenames relative to the Postfix
## - queue directory (/var/spool/postfix)
## -
#smtpd_tls_CApath = /etc/postfix/certs
# Disable SSLv2 SSLv3 - Postfix SMTP server
#
# List of TLS protocols that the Postfix SMTP server will exclude or
# include with opportunistic TLS encryption.
smtpd_tls_protocols = !SSLv2, !SSLv3
#
# The SSL/TLS protocols accepted by the Postfix SMTP server
# with mandatory TLS encryption.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Disable SSLv2 SSLv3 - Postfix SMTP client
#
# List of TLS protocols that the Postfix SMTP client will exclude or
# include with opportunistic TLS encryption.
smtp_tls_protocols = !SSLv2, !SSLv3
#
# List of SSL/TLS protocols that the Postfix SMTP client will use
# with mandatory TLS encryption
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange
## - openssl > 1.0
## -
smtpd_tls_eecdh_grade = strong
# standard list cryptographic algorithm
tls_preempt_cipherlist = yes
# Disable ciphers which are less than 256-bit:
#
#smtpd_tls_mandatory_ciphers = high
#
# opportunistic
smtpd_tls_ciphers = high
# Exclude ciphers
#smtpd_tls_exclude_ciphers =
# RC4
# aNULL
# SEED-SHA
# EXP
# MD5
smtpd_tls_exclude_ciphers =
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CDC3-SHA
KRB5-DE5
CBC3-SHA
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
EOF
if $IS_RELAY_HOST ; then
cat <<EOF >> /etc/postfix/main.cf
#======= SASL Authentification ============
smtpd_sasl_auth_enable = $SASL_AUTH_ENABLED
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
## - Optional lookup table with the SASL login names that own
## - sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
#======= Virtual mailboxes ============
## - Local Mailboxes
## -
virtual_mailbox_base =
virtual_uid_maps =
virtual_gid_maps =
EOF
else
cat <<EOF >> /etc/postfix/main.cf
#======= SASL Authentification ============
## - Enable SASL authentication in the Postfix SMTP server. By default,
## - the Postfix SMTP server does not use authentication.
## -
smtpd_sasl_auth_enable = no
## - The SASL plug-in type that the Postfix SMTP server should use for authentication.
## - The available types are listed with the "postconf -a" command.
## -
## - Available values are at least: cyrus, dovecot
## -
smtpd_sasl_type = dovecot
## - Implementation-specific information that the Postfix SMTP server passes
## - through to the SASL plug-in implementation that is selected with smtpd_sasl_type.
## - Typically this specifies the name of a configuration file or rendezvous point.
## -
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
## - Optional lookup table with the SASL login names that own
## - sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
#======= Virtual mailboxes ============
## - Local Mailboxes
## -
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
## - virtual_transport
## - =================
## -
## - using postfix
## - virtual_transport = virtual
## -
## - using dovecot lda
## - virtual_transport = dovecot
## -
## - using dovecot's lmtp service
## - virtual_transport = lmtp:unix:private/dovecot-lmtp
## -
virtual_transport = virtual
virtual_mailbox_maps =
virtual_mailbox_domains =
## - Optional lookup tables that alias specific mail addresses or domains
## - to other local or remote address. The table format and lookups are
## - documented in virtual(5). For an overview of Postfix address
## - manipulations see the ADDRESS_REWRITING_README document.
## -
virtual_alias_maps =
## - mailman
#hash:/var/lib/mailman/data/virtual-mailman
## - Postfix is final destination for the specified list of virtual alias
## - domains, that is, domains for which all addresses are aliased to addresses
## - in other local or remote domains. The SMTP server validates recipient
## - addresses with \$virtual_alias_maps and rejects non-existent recipients.
## - See also the virtual alias domain class in the ADDRESS_CLASS_README file
## -
virtual_alias_domains =
#======= Restrictions ============
smtpd_recipient_restrictions =
# only special accounts (postmaster, abuse and other rolr accounts)
check_recipient_access btree:/etc/postfix/access_recipient-rfc,
# White- / Blacklisting
check_sender_access btree:/etc/postfix/access_sender,
check_recipient_access btree:/etc/postfix/access_recipient,
# permit trusted network (mynetwork)
permit_mynetworks,
# permit our users
permit_sasl_authenticated,
# dont' accept misconfigured Mail
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unlisted_recipient,
# don't accept misconfigured recipients
# RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
# Whitelist (configured on a.ns.oopen.de
# in /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone )
permit_dnswl_client dnswl.oopen.de,
# Blacklists
reject_rbl_client zen.spamhaus.org,
reject_rbl_client ix.dnsbl.manitu.net,
#reject_rbl_client bl.spamcop.net,
# March 1, 2013: NJABL is in the process of being shut down
#reject_rbl_client dnsbl.njabl.org,
# Policyd-Weight
#check_policy_service inet:127.0.0.1:12525,
# Greylisting check
warn_if_reject,
check_policy_service inet:127.0.0.1:10023,
# Reject the request unless one of the following is true:
#
# - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains
# or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
#
#
# - Postfix is the final destination: the resolved RCPT TO domain matches
# \$mydestination, \$inet_interfaces, \$proxy_interfaces, \$virtual_alias_domains,
# or \$virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).
reject_unverified_recipient,
# permit Backup MX
permit_mx_backup,
# forbid all other relaying
reject_unauth_destination,
# permit, if all restrictions so far passed
permit
## - Sinve version 2.11
## -
smtpd_relay_restrictions =
# only special accounts (postmaster, abuse and other rolr accounts)
check_recipient_access btree:/etc/postfix/access_recipient-rfc,
# White- / Blacklisting
check_sender_access btree:/etc/postfix/access_sender,
check_recipient_access btree:/etc/postfix/access_recipient,
# permit trusted network (mynetwork)
permit_mynetworks,
# permit our users
permit_sasl_authenticated,
# dont' accept misconfigured Mail
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unlisted_recipient,
# don't accept misconfigured recipients
# RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
# Whitelist (configured on a.ns.oopen.de
# in /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone )
permit_dnswl_client dnswl.oopen.de,
# Blacklists
reject_rbl_client zen.spamhaus.org,
reject_rbl_client ix.dnsbl.manitu.net,
#reject_rbl_client bl.spamcop.net,
# March 1, 2013: NJABL is in the process of being shut down
#reject_rbl_client dnsbl.njabl.org,
# Policyd-Weight
#check_policy_service inet:127.0.0.1:12525,
# Greylisting check
warn_if_reject,
check_policy_service inet:127.0.0.1:10023,
# Reject the request unless one of the following is true:
#
# - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains
# or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain),
#
#
# - Postfix is the final destination: the resolved RCPT TO domain matches
# \$mydestination, \$inet_interfaces, \$proxy_interfaces, \$virtual_alias_domains,
# or \$virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain).
reject_unverified_recipient,
# permit Backup MX
permit_mx_backup,
# forbid all other relaying
reject_unauth_destination,
# permit, if all restrictions so far passed
permit
EOF
echo_ok
## - /etc/mailname
## -
echononl " Set \"/etc/mailname\""
echo $HOSTNAME > /etc/mailname
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - /etc/aliases
## -
echononl " Backup existing file '/etc/aliases'"
if [[ -f /etc/aliases ]] ; then
mv /etc/aliases "/etc/aliases.$backup_date" > $tmp_err_msg 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
echo_skipped
fi
echononl " Adjust \"/etc/aliases\""
cat << EOF > /etc/aliases
# See man 5 aliases for format
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
do-not-reply: /dev/null
root: $ADMIN_EMAIL
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - create directory for certificates and copy certificates
## - and coresponding keys to /etc/postfix/ssl/
## -
echononl " Create directory for certificates \"/etc/postfix/ssl\""
if [[ -d "/etc/postfix/ssl" ]] ; then
echo_skipped
else
mkdir -p /etc/postfix/ssl
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
## - generate DH parameters that the Postfix SMTP server should use
## - with EDH ciphers (length 512 and 1024
## -
echononl " Generate DH key length=512 \"/etc/postfix/ssl/dh_512.pem\""
if [ ! -f /etc/postfix/ssl/dh_512.pem ]; then
openssl dhparam -out /etc/postfix/ssl/dh_512.pem -2 512 > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Generate DH key length=1024 \"/etc/postfix/ssl/dh_1024.pem\""
if [ ! -f /etc/postfix/ssl/dh_1024.pem ]; then
openssl dhparam -out /etc/postfix/ssl/dh_1024.pem -2 1024 > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Generate DH key length=2048 \"/etc/postfix/ssl/dh_2048.pem\""
if [ ! -f /etc/postfix/ssl/dh_2048.pem ]; then
openssl dhparam -out /etc/postfix/ssl/dh_2048.pem -2 2048 > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Create Symlink \"$_TLS_CERT_FILE\""
if [ ! -h "$_TLS_CERT_FILE" ]; then
ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem $_TLS_CERT_FILE
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Create Symlink \"$_TLS_KEY_FILE\""
if [ ! -h "$_TLS_KEY_FILE" ]; then
ln -s /etc/ssl/private/ssl-cert-snakeoil.key $_TLS_KEY_FILE
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
## - rebuld alias database
## -
echononl " Rebuld alias database"
newaliases > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - create files
## -
echononl " Create file \"access_recipient-rfc\""
if [[ ! -f /etc/postfix/access_recipient-rfc ]]; then
cat <<EOF > /etc/postfix/access_recipient-rfc
# if destination is ok, permit
/^postmaster\@/ permit_auth_destination
/^abuse\@/ permit_auth_destination
EOF
fi
postmap btree:/etc/postfix/access_recipient-rfc
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - Notice:
## - The access_sender list can also be used as white list:
## - backup@b3-bornim.de OK
## - backup_file-ah@oopen.de OK
## - backup_file-spr@oopen.de OK
## - root_file_spr@oopen.de OK
## - backup_anw-urban@oopen.de OK
## - anonymous@bbb-server.b3-bornim.de OK
echononl " Create file \"access_sender\""
if [[ ! -f /etc/postfix/access_sender ]]; then
cat <<EOF > /etc/postfix/access_sender
# - bekannte Virus/Spam Absener blocken
# -
error@mailfrom.com REJECT
EOF
fi
postmap btree:/etc/postfix/access_sender
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Create file \"access_recipient\""
if [[ ! -f /etc/postfix/access_recipient ]]; then
touch /etc/postfix/access_recipient
fi
postmap btree:/etc/postfix/access_recipient
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Create file \"transport\""
if [[ ! -f /etc/postfix/transport ]]; then
cat <<EOF > /etc/postfix/transport
# - Force sending through IPv4
# -
# - Take care your master.cf file (/etc/postfix/master.cf) contains:
# -
# - smtp-ipv4-only unix - - n - - smtp
# - -o inet_protocols=ipv4
# -
#example.com smtp-ipv4-only:
# - Force sending through IPv6
# -
# - Take care your master.cf file (/etc/postfix/master.cf) contains:
# -
# - smtp-ipv6-only unix - - n - - smtp
# - -o inet_protocols=ipv6
# -
#example.net smtp-ipv6-only:
EOF
fi
postmap btree:/etc/postfix/transport
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Create file \"relay_domains\""
if [[ ! -f /etc/postfix/relay_domains ]] ; then
touch /etc/postfix/relay_domains
fi
postmap btree:/etc/postfix/relay_domains
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
if ! $_IS_RELAY_HOST ; then
## - Create Directory '/var/vmail' for virtual mailboxes
## -
echononl " Create directory '/var/vmail'"
if [[ ! -d "/var/vmail" ]]; then
mkdir /var/vmail > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
## - Create user (vmail) for virtual mailboxes
## -
echononl " Create user 'vmail' for virtual mailboxes"
if id -u vmail > /dev/null 2>&1; then
echo_skipped
else
useradd -s /bin/false -d /var/vmail -M -u 5000 vmail > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
## - Change ownership 'vmail:vmail' for dir '/var/vmail'
## -
echononl " Change ownership 'vmail:vmail' for dir '/var/vmail'"
chown vmail:vmail /var/vmail > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - Change permissions for dir '/var/vmail'
## -
echononl " Change permissions for dir '/var/vmail'"
chmod 700 /var/vmail > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
if [[ "$SASL_AUTH_ENABLED" = "yes" ]]; then
echononl " Create directory '/etc/postfix/sasl'.."
if [[ ! -d "/etc/postfix/sasl" ]] ; then
mkdir "/etc/postfix/sasl" > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Backup existing file '/etc/postfix/sasl/smtpd.conf'"
if [[ -f /etc/postfix/sasl/smtpd.conf ]] ; then
mv /etc/postfix/sasl/smtpd.conf "/etc/postfix/sasl/smtpd.conf.$backup_date" > $tmp_err_msg 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
else
echo_skipped
fi
echononl " Create file '/etc/postfix/sasl/smtpd.conf'.."
cat <<EOF > /etc/postfix/sasl/smtpd.conf
# - Take care only using provided login mechanisms. You can check this, by
# - running command
# -
# - saslpluginviewer -x AUXPROP_MECHS
# -
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
fi
## - /etc/postfix/master.cf
## -
## - Create Listener for user authenticated smtp connection port 587 (submission)
## - and port 465 (smtps)
## -
postfix_master_cf="/etc/postfix/master.cf"
echononl " Backup file \"${postfix_master_cf}\""
cp -a $postfix_master_cf "${postfix_master_cf}.$backup_date" > /dev/null 2> $tmp_err_msg
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $tmp_err_msg)"
fi
if grep -iq -E "^submission\s+" $postfix_master_cf > /dev/null 2>&1 ; then
submission_present=true
else
submission_present=false
fi
if grep -iq -E "^smtps\s+" $postfix_master_cf > /dev/null 2>&1 ; then
smtps_present=true
else
smtps_present=false
fi
_found=false
echononl " Create new file \"${postfix_master_cf}\""
if [[ -f "${postfix_master_cf}.$backup_date" ]]; then
> $postfix_master_cf
while IFS='' read -r _line || [[ -n $_line ]] ; do
if echo "$_line" | grep -i -E "^\s*smtp\s+inet\s+" > /dev/null 2>&1 ; then
_found=true
cat >> $postfix_master_cf << EOF
smtp inet n - y - - smtpd
EOF
if ! $IS_RELAY_HOST ; then
if ! $submission_present ; then
cat >> $postfix_master_cf << EOF
submission inet n - y - 20 smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#-o milter_macro_daemon_name=ORIGINATING
EOF
fi
if ! $smtps_present ; then
cat >> $postfix_master_cf << EOF
smtps inet n - y - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#-o milter_macro_daemon_name=ORIGINATING
EOF
fi
fi
continue
fi
if $submission_present && echo "$_line" | grep -iq -E "^submission\s+" 2> /dev/null ; then
_found=true
if ! $IS_RELAY_HOST ; then
cat >> $postfix_master_cf << EOF
submission inet n - y - 20 smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
EOF
fi
continue
fi
if $smtps_present && echo "$_line" | grep -iq -E "^smtps\s+" 2> /dev/null ; then
_found=true
if ! $IS_RELAY_HOST ; then
cat >> $postfix_master_cf << EOF
smtps inet n - y - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
EOF
fi
continue
fi
# - [[:blank:]] means space and tab. This makes it similar to: [ \t]
# - [[:space;]] in addition to space and tab, includes newline, linefeed, formfeed,
# - and vertical tab. This makes it similar to: [ \t\n\r\f\v]
# -
#if [[ $_line =~ ^[[:space:]]+[^[:space:]]+ ]] && $_smtp_found ; then
# -
if [[ $_line =~ ^[[:blank:]]+[^[:space:]]+ ]] && $_found ; then
continue
fi
_found=false
echo "$_line" >> $postfix_master_cf
done < "${postfix_master_cf}.$backup_date"
# - Add transport definitions for only sending over IPv4/IPv6
# -
cat <<EOF >> $postfix_master_cf
smtp-ipv4-only unix - - n - - smtp
-o inet_protocols=ipv4
smtp-ipv6-only unix - - n - - smtp
-o inet_protocols=ipv6
EOF
echo_done
warn "Please check file \"$postfix_master_cf\" !"
else
echo_failed
error "File \"${postfix_master_cf}.$backup_date\" not found!"
fi
## - restart postfix
## -
echononl " Restart postfix"
if $systemd_exists ; then
systemctl restart postfix > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
/etc/init.d/postfix restart > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
## - Omitt logging into system.log
## -
echononl " Create \"/etc/rsyslog.d/postfix.conf\""
cat << EOF >> /etc/rsyslog.d/postfix.conf
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
mail.* -/var/log/mail.log
& ~
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Restart rsyslog daemon"
if $systemd_exists ; then
systemctl restart rsyslog > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
/etc/init.d/rsyslog restart > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
rm $tmp_err_msg
echo ""
clean_up 0
Reference in New Issue View Git Blame Copy Permalink