From 19f87a3d1a28de213bca6afd91adf03c5ea61072 Mon Sep 17 00:00:00 2001 From: Christoph Date: Mon, 9 Oct 2017 03:15:07 +0200 Subject: [PATCH] Add script 'install_postfix_advanced.sh'. --- .gitignore | 3 +- install_postfix_advanced.sh | 1403 +++++++++++++++++++++++++++++++++++ 2 files changed, 1404 insertions(+), 2 deletions(-) create mode 100755 install_postfix_advanced.sh diff --git a/.gitignore b/.gitignore index 92d49c9..158f41c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,4 @@ /hosts/BAK/* *.log *.swp -conf/install_postfix_base.conf -conf/install_postfix_relay.conf +conf/*.conf diff --git a/install_postfix_advanced.sh b/install_postfix_advanced.sh new file mode 100755 index 0000000..33f0d1e --- /dev/null +++ b/install_postfix_advanced.sh @@ -0,0 +1,1403 @@ +#!/usr/bin/env bash + + +working_dir="$(dirname $(realpath $0))" +conf_file="${working_dir}/conf//install_postfix_advanced.conf" + +_TLS_CERT_DIR=/etc/postfix/ssl +_TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt" +_TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key" + +_TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt + + +tmp_err_msg=$(mktemp) +backup_date="$(date +%Y-%m-%d-%H%M)" + +# ------------- +# --- Some functions +# ------------- +clean_up() { + + # Perform program exit housekeeping + rm -f $tmp_err_msg + exit $1 +} + +echononl(){ + echo X\\c > /tmp/shprompt$$ + if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then + echo -e -n "$*\\c" 1>&2 + else + echo -e -n "$*" 1>&2 + fi + rm /tmp/shprompt$$ +} + +fatal(){ + echo "" + echo -e "fatal error: $*" + echo "" + echo -e "\t\033[31m\033[1mInstalllation will be interrupted\033[m\033[m" + echo "" + clean_up 1 +} + +error(){ + echo "" + echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*" + echo "" +} + +warn (){ + echo "" + echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*" + echo "" +} + +info (){ + echo "" + echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*" + echo "" +} + +echo_done() { + echo -e "\033[80G[ \033[32mdone\033[m ]" +} +echo_ok() { + echo -e "\033[80G[ \033[32mok\033[m ]" +} +echo_warning() { + echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]" +} +echo_failed(){ + echo -e "\033[80G[ \033[1;31mfailed\033[m ]" +} +echo_skipped() { + echo -e "\033[80G[ \033[33m\033[1mskipped\033[m ]" +} + + +trap clean_up SIGHUP SIGINT SIGTERM + + +# - Is this a systemd system? +# - +if [[ "X`which systemd`" = "X" ]]; then + systemd_exists=false +else + systemd_exists=true +fi + +echo "" + +# - Default Values +# - +#_IS_RELAY_HOST=false + +# - Read Configuration File if exists +# - +if [[ -f "$conf_file" ]]; then + source $conf_file +fi + +clear +echo -e "\033[21G\033[32mInstallation script for Postfix basic mailsystem \033[m" +echo + +HOSTNAME= +echo "" +echo -e "\033[32m--\033[m" +echo "" +echo "Insert hostname" +echo "" +if [[ -n "$_HOSTNAME" ]]; then + echononl "hostname [${_HOSTNAME}]: " + read HOSTNAME + if [[ "X${HOSTNAME}" = "X" ]]; then + HOSTNAME=$_HOSTNAME + fi +else + while [[ "X${HOSTNAME}" = "X" ]]; do + echononl "hostname: " + read HOSTNAME + if [[ "X${HOSTNAME}" = "X" ]]; then + echo -e "\n\t\033[33m\033[1mHostname is reqired\033[m\n" + fi + done +fi + +IPV4= +echo "" +echo -e "\033[32m--\033[m" +echo "" +echo "Insert IPv4 address" +echo "" +if [[ -n "$_IPV4" ]]; then + echononl "IPv4 address [${_IPV4}]: " + read IPV4 + if [[ "X${IPV4}" = "X" ]]; then + IPV4=$_IPV4 + fi +else + while [[ "X${IPV4}" = "X" ]]; do + echononl "IPv4 address: " + read IPV4 + if [[ "X${IPV4}" = "X" ]]; then + echo -e "\n\t\033[33m\033[1mIPv4 address is reqired\033[m\n" + fi + done +fi +IPV6= +echo "" +echo -e "\033[32m--\033[m" +echo "" +echo "Insert IPv6 address" +echo "Type:" +echo -e "\t\033[33mNone\033[m if IPv6 is not suppoerted" +echo "" +if [[ -n "$_IPV6" ]]; then + [[ "X$_IPV6" = "Xdisabled" ]] && _IPV6=None + echononl "IPv6 address [${_IPV6}]: " + read IPV6 + if [[ "X${IPV6}" = "X" ]]; then + IPV6=$_IPV6 + fi +else + while [[ "X${IPV6}" = "X" ]]; do + echononl "IPv6 address: " + read IPV6 + if [[ "X${IPV6}" = "X" ]]; then + echo -e "\n\t\033[33m\033[1mIPv4 address is reqired\033[m\n" + fi + done +fi +if [ "X$IPV6" = "Xnone" -o "X$IPV6" = "XNone" ]; then + IPV6=disabled +fi + + +IS_RELAY_HOST= +echo "" +echo -e "\033[32m--\033[m" +echo "" +echo "How will this Mailserver be used?" +echo "" +if [[ -n "$_IS_RELAY_HOST" ]]; then + if $_IS_RELAY_HOST ; then + echo "[1] Complete Mailserver (with mailboxes)" + echo -e "\033[37m\033[1m[2] Mailrelay Host\033[m" + else + echo -e "\033[37m\033[1m[1] complete Mailserver (with mailboxes)\033[m" + echo "[2] Mailrelay Host" + fi + echo "" + echononl "Choose a number or press for highlighted value: " +else + echo "[1] Complete Mailserver (with mailboxes)" + echo "[2] Mailrelay Host" + echo "" + echononl "Choose a Number: " +fi +while [[ "$IS_RELAY_HOST" != "true" && "$IS_RELAY_HOST" != "false" ]];do + read OPTION + case $OPTION in + 1) IS_RELAY_HOST=false + ;; + 2) IS_RELAY_HOST=true + ;; + '') if [[ -n "$_IS_RELAY_HOST" ]] ; then + IS_RELAY_HOST=$_IS_RELAY_HOST + else + echo "" + echo -e "\tWrong entry! [ 1 = Complete Mailserver ; 2 = Mailrelay Host]" + echo "" + echononl "Reentry: " + fi + ;; + *) IS_RELAY_HOST= + echo "" + if [[ -n "$_IS_RELAY_HOST" ]]; then + echo -e "\tWrong entry! [ 1 = Complete Mailserver ; 2 = Mailrelay Host] or type " + else + echo -e "\tWrong entry! [ 1 = Complete Mailserver ; 2 = Mailrelay Host]" + fi + echo "" + echononl "Reentry: " + ;; + esac +done + + +ADMIN_EMAIL= +echo "" +echo "" +echo -e "\033[32m--\033[m" +echo "" +echo "Insert e-mail address where messages to local root should be forwarded" +echo "" +echo "" +if [[ -n "$_ADMIN_EMAIL" ]]; then + echononl "Admin e-mail address [$_ADMIN_EMAIL]: " + read ADMIN_EMAIL + if [[ "X${ADMIN_EMAIL}" = "X" ]]; then + ADMIN_EMAIL=$_ADMIN_EMAIL + fi +else + while [[ "X${ADMIN_EMAIL}" = "X" ]]; do + echononl "Admin e-mail address: " + read ADMIN_EMAIL + if [[ "X${ADMIN_EMAIL}" = "X" ]]; then + echo -e "\n\t\033[33m\033[1mAdmin e-mail address is reqired\033[m\n" + fi + done +fi + + +echo "" +echo "" +echo -e "\033[21G\033[32mStart installation/configuration with the following parameters\033[m" +echo "" +echo -e "\tHostname..........................: $HOSTNAME" +echo -e "\tIPv4 address......................: $IPV4" +echo -e "\tIPv6 address......................: $IPV6" +echo -e "\tAdmin e-mail......................: $ADMIN_EMAIL" +echo "" +if $IS_RELAY_HOST ; then + echo -e "\tConfigure as relay host?..........: \033[33m\033[1m$IS_RELAY_HOST\033[m" + echo -e "\tConfigure as complete mailserver..: false" +else + echo -e "\tConfigure as relay host?..........: $IS_RELAY_HOST" + echo -e "\tConfigure as complete mailserver..: \033[33m\033[1mtrue\033[m" +fi +echo "" +echononl "einverstanden (yes/no): " +read OK +OK=${OK,,} +while [ "X$OK" != "Xyes" -a "X$OK" != "Xno" ]; do + echononl "Wrong entry! [yes/no]: " + read OK + OK=${OK,,} +done +[ $OK = "yes" ] || fatal Repeat with other settings.. + +echo "" +echo "" + + +echononl " Save Configuration" +cat << EOF > $conf_file +# --- +# - Parameter Settins Postfix Relay System +# --- + +_HOSTNAME=$HOSTNAME +_IPV4=$IPV4 +_IPV6=$IPV6 +_ADMIN_EMAIL=$ADMIN_EMAIL +_IS_RELAY_HOST=$IS_RELAY_HOST +EOF +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed +fi + +[[ "$IPV6" = "disabled" ]] && IPV6="" + + +# - Deinstall debian exim4 packages +# - +echononl " Deinstall debian exim4 packages" +_installed_exim_packages=`dpkg -l | grep exim4 | grep -e "^i" | awk '{print$2}'` +for _pkg in $_installed_exim_packages ; do + installed_exim_packages="$installed_exim_packages $_pkg" +done +if [[ -n "$installed_exim_packages" ]] ; then + + if `dpkg -l | grep bsd-mailx | grep -e "^i" > /dev/null 2>&1` ; then + installed_exim_packages="$installed_exim_packages bsd-mailx" + fi + + apt-get remove --purge -qq -y $installed_exim_packages > /dev/null 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + + + +# - Install Postfix from debian packages system +# - +echononl " Install Postfix from debian packages system" +_needed_packages="postfix postfix-pgsql postfix-mysql postfix-pcre libsasl2-modules bsd-mailx haveged" +for _pkg in $_needed_packages ; do + if `dpkg -l | grep $_pkg | grep -e "^i" > /dev/null 2>&1` ; then + continue + else + needed_packages="$needed_packages $_pkg" + fi +done +if [[ -n "$needed_packages" ]]; then + DEBIAN_FRONTEND=noninteractive apt-get -y install $needed_packages > /dev/null 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + + +## - Install Postgrey from debian packages system +## - +echononl " Install Postgrey from debian packages system" +_pkg="postgrey" +if aptitude search $_pkg | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then + echo_skipped +else + DEBIAN_FRONTEND=noninteractive apt-get -y install $_pkg > /dev/null 2> $tmp_err_msg + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $tmp_err_msg)" + fi +fi + +echononl " Adjust /etc/default/postgrey" +perl -i -n -p -e "s#^(\s*)(POSTGREY_OPTS=.*)#\#\1\2\nPOSTGREY_OPTS=\"--inet=10023 --delay=149 --auto-whitelist-clients=3 --lookup-by-subnet\"#" \ + /etc/default/postgrey > $tmp_err_msg 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $tmp_err_msg)" +fi + +echononl " Create /etc/postgrey/whitelist_clients.local (additional whitelist entries)" +cat << EOF > /etc/postgrey/whitelist_clients.local +# For Office 365 - servers: +##/.*outbound.protection.outlook.com\$/ +/^mail-.*\.outbound\.protection\.outlook\.com\$/ +EOF +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed +fi + +echononl " Restart postrey daemon" +if $systemd_exists ; then + systemctl restart postgrey > /dev/null 2> $tmp_err_msg + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $tmp_err_msg)" + fi +else + /etc/init.d/postgrey restart > /dev/null 2> $tmp_err_msg + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $tmp_err_msg)" + fi +fi + + +# - Backup existing postfix configuration file +# - +echononl " Backup existing postfix configuration file" +if [[ -f "/etc/postfix/main.cf" ]]; then + cp -a /etc/postfix/main.cf /etc/postfix/main.cf.$backup_date + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + + +# - Creeate new postfix configuration file +# - +echononl " Creeate new postfix configuration file" +cat < /etc/postfix/main.cf +# ============ Basic settings ============ + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. +#myorigin = /etc/mailname +myorigin = /etc/mailname + +smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU) +biff = no + +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = /usr/share/doc/postfix +html_directory = /usr/share/doc/postfix/html + +## - The Internet protocols Postfix will attempt to use when making +## - or accepting connections. +## - DEFAULT: ipv4 +EOF + +if [ -n "$IPV6" ]; then + cat <> /etc/postfix/main.cf +inet_protocols = ipv4, ipv6 + +#inet_interfaces = all +inet_interfaces = + 127.0.0.1 + $IPV4 + $IPV6 + +myhostname = $HOSTNAME + +mydestination = + $HOSTNAME + localhost + +## - The list of "trusted" SMTP clients that have more +## - privileges than "strangers" +## - +mynetworks = + 127.0.0.0/8 + [::ffff:127.0.0.0]/104 + [::1]/128 + ${IPV4}/32 + [${IPV6}]/128 + # a.mx.oopen.de + #83.223.86.91 + #[2a01:30:0:13:2f7:50ff:fed2:cef7]/128 + # b.mx.oopen.de + #83.223.86.97 + #[2a01:30:0:13:21f:92ff:fe00:538b] + # d.mx.oopen.de + #83.223.86.92/32 + #[2a01:30:0:13:254:9eff:fed5:e7fd]/128 + +smtp_bind_address = $IPV4 +smtp_bind_address6 = $IPV6 + +EOF +else + cat <> /etc/postfix/main.cf +inet_protocols = ipv4 + +#inet_interfaces = all +inet_interfaces = + 127.0.0.1 + $IPV4 + +myhostname = $HOSTNAME + +mydestination = + $HOSTNAME + localhost + +## - The list of "trusted" SMTP clients that have more +## - privileges than "strangers" +## - +mynetworks = + 127.0.0.0/8 + ${IPV4}/32 + +#smtp_bind_address = $IPV4 +#smtp_bind_address6 = $IPV6 + +EOF +fi + +cat <> /etc/postfix/main.cf + +## - The method to generate the default value for the mynetworks parameter. +## - +## - mynetworks_style = host" when Postfix should "trust" only the local machine +## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP +## - clients in the same IP subnetworks as the local machine. +## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same +## - IP class A/B/C networks as the local machine. +## - +#mynetworks_style = host + + +## - The maximal size of any local(8) individual mailbox or maildir file, +## - or zero (no limit). In fact, this limits the size of any file that is +## - written to upon local delivery, including files written by external +## - commands that are executed by the local(8) delivery agent. +## - +mailbox_size_limit = 0 + +## - The maximal size in bytes of an individual virtual(8) mailbox or +## - maildir file, or zero (no limit). +## - +virtual_mailbox_limit = 0 + +## - The maximal size in bytes of a message, including envelope information. +## - +## - we user 50MB +## - +message_size_limit = 52480000 + +## - The system-wide recipient address extension delimiter +## - +recipient_delimiter = + + +## - The alias databases that are used for local(8) delivery. +## - +alias_maps = + hash:/etc/aliases + +## - The alias databases for local(8) delivery that are updated +## - with "newaliases" or with "sendmail -bi". +## - +alias_database = + hash:/etc/aliases + +## - Optional lookup tables with mappings from recipient address +## - to (message delivery transport, next-hop destination). +## - See transport(5) for details. +## - +transport_maps = + btree:/etc/postfix/transport + btree:/etc/postfix/relay_domains + +## - The maximal time a message is queued before it is sent back as +## - undeliverable. Defaults to 5d (5 days) +## - Specify 0 when mail delivery should be tried only once. +## - +maximal_queue_lifetime = 3d +bounce_queue_lifetime = \$maximal_queue_lifetime + +## - delay_warning_time (default: 0h) +## - +## - The time after which the sender receives a copy of the message +## - headers of mail that is still queued. To enable this feature, +## - specify a non-zero time value (an integral value plus an optional +## - one-letter suffix that specifies the time unit). +## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). +## - The default time unit is h (hours). +delay_warning_time = 1d + +#header_checks = pcre:/etc/postfix/header_checks +prepend_delivered_header = + forward + file + + +## - proxy_read_maps +## - +## - The lookup tables that the proxymap(8) server is allowed to access for the read-only service. +## - +## - Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Table +## - references that don't begin with proxy: are ignored. +## - +#proxy_read_maps = \$local_recipient_maps \$mydestination \$virtual_alias_maps \$virtual_alias_domains \$virtual_mailbox_maps \$virtual_mailbox_domains \$relay_recipient_maps \$relay_domains \$canonical_maps \$sender_canonical_maps \$recipient_canonical_maps \$relocated_maps \$transport_maps \$mynetworks \$sender_bcc_maps \$recipient_bcc_maps \$smtp_generic_maps \$lmtp_generic_maps \$smtpd_sender_login_maps + + +# ============ Relay parameters ============ + +relayhost = +relay_domains = + \$mydestination + btree:/etc/postfix/relay_domains + + +# ============ TLS parameters ============ + +## - supports DNSSEC +## - +## - !! Notice !! +## - In order to support DNSSEC and DANE your resolver MUST support +## - DNSSEC too. +## - +## - If your resolver does not support DNSSEC, install "unbound". +## - +smtp_host_lookup = dns +smtp_dns_support_level = dnssec + +## - Aktiviert TLS für den Mailempfang +## - +## - may: +## - Opportunistic TLS. Use TLS if this is supported by the remote +## - SMTP server, otherwise use plaintext +## - +## - This overrides the obsolete parameters smtpd_use_tls and +## - smtpd_enforce_tls. This parameter is ignored with +## - "smtpd_tls_wrappermode = yes". +#smtpd_use_tls=yes +smtpd_tls_security_level=may + +## - Aktiviert TLS für den Mailversand +## - +## - may: +## - Opportunistic TLS: announce STARTTLS support to SMTP clients, +## - but do not require that clients use TLS encryption. +# smtp_use_tls=yes +#smtp_tls_security_level=may +smtp_tls_security_level=dane + +## - 0 Disable logging of TLS activity. +## - 1 Log TLS handshake and certificate information. +## - 2 Log levels during TLS negotiation. +## - 3 Log hexadecimal and ASCII dump of TLS negotiation process. +## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS. +## - +smtpd_tls_loglevel = 1 +smtp_tls_loglevel = 1 + +smtpd_tls_cert_file = $_TLS_CERT_FILE +smtpd_tls_key_file = $_TLS_KEY_FILE + +## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. +## - +## - Dont't forget to create it, e.g with openssl: +## - openssl dhparam -out /etc/postfix/ssl/dh_1024.pem -2 1024 +## - +#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem +## - also possible to use 2048 key with that parameter +## - +smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem + +## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers. +## - +## - Dont't forget to create it, e.g with openssl: +## - openssl dhparam -out /etc/postfix/ssl/dh_512.pem -2 512 +## - +smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem + + +## - File containing CA certificates of root CAs trusted to sign either remote SMTP +## - server certificates or intermediate CA certificates. These are loaded into +## - memory !! BEFORE !! the smtp(8) client enters the chroot jail. +## - +smtp_tls_CAfile = $_TLS_CA_FILE + +## - Directory with PEM format certificate authority certificates that the Postfix SMTP +## - client uses to verify a remote SMTP server certificate. Don't forget to create the +## - necessary "hash" links with, for example, " +## - $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". +## - +## - !! Note !! +## - To use this option in chroot mode, this directory (or a copy) must be inside +## - the chroot jail. +## - +## - Note that a chrooted daemon resolves all filenames relative to the Postfix +## - queue directory (/var/spool/postfix) +## - +#smtpd_tls_CApath = /etc/postfix/certs + + +# Disable SSLv2 SSLv3 - Postfix SMTP server +# +# List of TLS protocols that the Postfix SMTP server will exclude or +# include with opportunistic TLS encryption. +smtpd_tls_protocols = !SSLv2, !SSLv3 +# +# The SSL/TLS protocols accepted by the Postfix SMTP server +# with mandatory TLS encryption. +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 + + +# Disable SSLv2 SSLv3 - Postfix SMTP client +# +# List of TLS protocols that the Postfix SMTP client will exclude or +# include with opportunistic TLS encryption. +smtp_tls_protocols = !SSLv2, !SSLv3 +# +# List of SSL/TLS protocols that the Postfix SMTP client will use +# with mandatory TLS encryption +smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 + + +## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange +## - openssl > 1.0 +## - +smtpd_tls_eecdh_grade = strong + +# standard list cryptographic algorithm +tls_preempt_cipherlist = yes + +# Disable ciphers which are less than 256-bit: +# +#smtpd_tls_mandatory_ciphers = high +# +# opportunistic +smtpd_tls_ciphers = high + + +# Exclude ciphers +#smtpd_tls_exclude_ciphers = +# RC4 +# aNULL +# SEED-SHA +# EXP +# MD5 +smtpd_tls_exclude_ciphers = + aNULL + eNULL + EXPORT + DES + RC4 + MD5 + PSK + aECDH + EDH-DSS-DES-CBC3-SHA + EDH-RSA-DES-CDC3-SHA + KRB5-DE5 + CBC3-SHA + + +smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache + +EOF +if $IS_RELAY_HOST ; then + cat <> /etc/postfix/main.cf + +#======= SASL Authentification ============ +smtpd_sasl_auth_enable = no +smtpd_sasl_type = cyrus +smtpd_sasl_path = smtpd + +smtpd_sasl_security_options = noanonymous +smtpd_sasl_authenticated_header = yes +broken_sasl_auth_clients = yes + + +## - Optional lookup table with the SASL login names that own +## - sender (MAIL FROM) addresses. +smtpd_sender_login_maps = + + +#======= Virtual mailboxes ============ + +## - Local Mailboxes +## - +virtual_mailbox_base = +virtual_uid_maps = +virtual_gid_maps = +EOF + +else + + cat <> /etc/postfix/main.cf + +#======= SASL Authentification ============ + +## - Enable SASL authentication in the Postfix SMTP server. By default, +## - the Postfix SMTP server does not use authentication. +## - +smtpd_sasl_auth_enable = no + +## - The SASL plug-in type that the Postfix SMTP server should use for authentication. +## - The available types are listed with the "postconf -a" command. +## - +## - Available values are at least: cyrus, dovecot +## - +smtpd_sasl_type = dovecot + + +## - Implementation-specific information that the Postfix SMTP server passes +## - through to the SASL plug-in implementation that is selected with smtpd_sasl_type. +## - Typically this specifies the name of a configuration file or rendezvous point. +## - +smtpd_sasl_path = private/dovecot-auth + +smtpd_sasl_security_options = noanonymous +smtpd_sasl_authenticated_header = yes +broken_sasl_auth_clients = yes + + +## - Optional lookup table with the SASL login names that own +## - sender (MAIL FROM) addresses. +smtpd_sender_login_maps = + + +#======= Virtual mailboxes ============ + +## - Local Mailboxes +## - +virtual_mailbox_base = /var/vmail +virtual_uid_maps = static:5000 +virtual_gid_maps = static:5000 +EOF + +fi + +cat <> /etc/postfix/main.cf + +## - virtual_transport +## - ================= +## - +## - using postfix +## - virtual_transport = virtual +## - +## - using dovecot lda +## - virtual_transport = dovecot +## - +## - using dovecot's lmtp service +## - virtual_transport = lmtp:unix:private/dovecot-lmtp +## - +virtual_transport = virtual + +virtual_mailbox_maps = + +virtual_mailbox_domains = + +## - Optional lookup tables that alias specific mail addresses or domains +## - to other local or remote address. The table format and lookups are +## - documented in virtual(5). For an overview of Postfix address +## - manipulations see the ADDRESS_REWRITING_README document. +## - +virtual_alias_maps = + ## - mailman + #hash:/var/lib/mailman/data/virtual-mailman + +## - Postfix is final destination for the specified list of virtual alias +## - domains, that is, domains for which all addresses are aliased to addresses +## - in other local or remote domains. The SMTP server validates recipient +## - addresses with \$virtual_alias_maps and rejects non-existent recipients. +## - See also the virtual alias domain class in the ADDRESS_CLASS_README file +## - +virtual_alias_domains = + + +#======= Restrictions ============ +smtpd_recipient_restrictions = +# only special accounts (postmaster, abuse and other rolr accounts) + check_recipient_access btree:/etc/postfix/access_recipient-rfc, +# White- / Blacklisting + check_sender_access btree:/etc/postfix/access_sender, + check_recipient_access btree:/etc/postfix/access_recipient, +# permit trusted network (mynetwork) + permit_mynetworks, +# permit our users + permit_sasl_authenticated, +# dont' accept misconfigured Mail + reject_non_fqdn_sender, + reject_non_fqdn_recipient, + reject_unknown_sender_domain, + reject_unknown_recipient_domain, + reject_unlisted_recipient, +# don't accept misconfigured recipients +# RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use + # Whitelist (configured on a.ns.oopen.de + # in /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone ) + permit_dnswl_client dnswl.oopen.de, + # Blacklists + reject_rbl_client zen.spamhaus.org, + reject_rbl_client ix.dnsbl.manitu.net, + #reject_rbl_client bl.spamcop.net, + # March 1, 2013: NJABL is in the process of being shut down + #reject_rbl_client dnsbl.njabl.org, +# Policyd-Weight + #check_policy_service inet:127.0.0.1:12525, +# Greylisting check + warn_if_reject, + check_policy_service inet:127.0.0.1:10023, +# Reject the request unless one of the following is true: +# +# - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains +# or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain), +# +# +# - Postfix is the final destination: the resolved RCPT TO domain matches +# \$mydestination, \$inet_interfaces, \$proxy_interfaces, \$virtual_alias_domains, +# or \$virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain). + reject_unverified_recipient, +# permit Backup MX + permit_mx_backup, +# forbid all other relaying + reject_unauth_destination, +# permit, if all restrictions so far passed + permit + + +## - Sinve version 2.11 +## - +smtpd_relay_restrictions = +# only special accounts (postmaster, abuse and other rolr accounts) + check_recipient_access btree:/etc/postfix/access_recipient-rfc, +# White- / Blacklisting + check_sender_access btree:/etc/postfix/access_sender, + check_recipient_access btree:/etc/postfix/access_recipient, +# permit trusted network (mynetwork) + permit_mynetworks, +# permit our users + permit_sasl_authenticated, +# dont' accept misconfigured Mail + reject_non_fqdn_sender, + reject_non_fqdn_recipient, + reject_unknown_sender_domain, + reject_unknown_recipient_domain, + reject_unlisted_recipient, +# don't accept misconfigured recipients +# RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use + # Whitelist (configured on a.ns.oopen.de + # in /opt/tinydns/root/zonefiles/dnswl.oopen.de.zone ) + permit_dnswl_client dnswl.oopen.de, + # Blacklists + reject_rbl_client zen.spamhaus.org, + reject_rbl_client ix.dnsbl.manitu.net, + #reject_rbl_client bl.spamcop.net, + # March 1, 2013: NJABL is in the process of being shut down + #reject_rbl_client dnsbl.njabl.org, +# Policyd-Weight + #check_policy_service inet:127.0.0.1:12525, +# Greylisting check + warn_if_reject, + check_policy_service inet:127.0.0.1:10023, +# Reject the request unless one of the following is true: +# +# - Postfix is mail forwarder: the resolved RCPT TO domain matches \$relay_domains +# or a subdomain thereof, and contains no sender-specified routing (user@elsewhere@domain), +# +# +# - Postfix is the final destination: the resolved RCPT TO domain matches +# \$mydestination, \$inet_interfaces, \$proxy_interfaces, \$virtual_alias_domains, +# or \$virtual_mailbox_domains, and contains no sender-specified routing (user@elsewhere@domain). + reject_unverified_recipient, +# permit Backup MX + permit_mx_backup, +# forbid all other relaying + reject_unauth_destination, +# permit, if all restrictions so far passed + permit + +EOF +echo_ok + + +## - /etc/mailname +## - +echononl " Set \"/etc/mailname\"" +echo $HOSTNAME > /etc/mailname +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed +fi + +## - /etc/aliases +## - +echononl " Adjust \"/etc/aliases\"" +cat << EOF > /etc/aliases +# See man 5 aliases for format +mailer-daemon: postmaster +postmaster: root +nobody: root +hostmaster: root +usenet: root +news: root +webmaster: root +www: root +ftp: root +abuse: root +noc: root +security: root + +do-not-reply: /dev/null + +root: $ADMIN_EMAIL +EOF +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed +fi + + +## - create directory for certificates and copy certificates +## - and coresponding keys to /etc/postfix/ssl/ +## - +echononl " Create directory for certificates \"/etc/postfix/ssl\"" +if [[ -d "/etc/postfix/ssl" ]] ; then + echo_skipped +else + mkdir -p /etc/postfix/ssl + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +fi + + +## - generate DH parameters that the Postfix SMTP server should use +## - with EDH ciphers (length 512 and 1024 +## - +echononl " Generate DH key length=512 \"/etc/postfix/ssl/dh_512.pem\"" +if [ ! -f /etc/postfix/ssl/dh_512.pem ]; then + openssl dhparam -out /etc/postfix/ssl/dh_512.pem -2 512 > /dev/null 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi +echononl " Generate DH key length=1024 \"/etc/postfix/ssl/dh_1024.pem\"" +if [ ! -f /etc/postfix/ssl/dh_1024.pem ]; then + openssl dhparam -out /etc/postfix/ssl/dh_1024.pem -2 1024 > /dev/null 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi +echononl " Generate DH key length=2048 \"/etc/postfix/ssl/dh_2048.pem\"" +if [ ! -f /etc/postfix/ssl/dh_2048.pem ]; then + openssl dhparam -out /etc/postfix/ssl/dh_2048.pem -2 2048 > /dev/null 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi +echononl " Create Symlink \"$_TLS_CERT_FILE\"" +if [ ! -h "$_TLS_CERT_FILE" ]; then + ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem $_TLS_CERT_FILE + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi +echononl " Create Symlink \"$_TLS_KEY_FILE\"" +if [ ! -h "$_TLS_KEY_FILE" ]; then + ln -s /etc/ssl/private/ssl-cert-snakeoil.key $_TLS_KEY_FILE + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + echo_skipped +fi + +## - rebuld alias database +## - +echononl " Rebuld alias database" +newaliases > /dev/null 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed +fi + + +## - create files +## - +echononl " Create file \"access_recipient-rfc\"" +cat < /etc/postfix/access_recipient-rfc +# if destination is ok, permit +/^postmaster\@/ permit_auth_destination +/^abuse\@/ permit_auth_destination +EOF +postmap btree:/etc/postfix/access_recipient-rfc +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed +fi + + +## - Notice: +## - The access_sender list can also be used as white list: +## - backup@b3-bornim.de OK +## - backup_file-ah@oopen.de OK +## - backup_file-spr@oopen.de OK +## - root_file_spr@oopen.de OK +## - backup_anw-urban@oopen.de OK +## - anonymous@bbb-server.b3-bornim.de OK +echononl " Create file \"access_sender\"" +cat < /etc/postfix/access_sender +# - bekannte Virus/Spam Absener blocken +# - +error@mailfrom.com REJECT +EOF +postmap btree:/etc/postfix/access_sender +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed +fi + +echononl " Create file \"access_recipient\"" +echo > /etc/postfix/access_recipient +postmap btree:/etc/postfix/access_recipient +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed +fi + +echononl " Create file \"transport\"" +echo > /etc/postfix/transport +postmap btree:/etc/postfix/transport +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed +fi + +echononl " Create file \"relay_domains\"" +echo > /etc/postfix/relay_domains +postmap btree:/etc/postfix/relay_domains +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed +fi + +if ! $_IS_RELAY_HOST ; then + ## - Create Directory '/var/vmail' for virtual mailboxes + ## - + echononl " Create directory '/var/vmail'" + if [[ ! -d "/var/vmail" ]]; then + mkdir /var/vmail > /dev/null 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi + else + echo_skipped + fi + + + ## - Create user (vmail) for virtual mailboxes + ## - + echononl " Create user 'vmail' for virtual mailboxes" + if id -u vmail > /dev/null 2>&1; then + echo_skipped + else + useradd -s /bin/false -d /var/vmail -M -u 5000 vmail > /dev/null 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi + fi + + ## - Change ownership 'vmail:vmail' for dir '/var/vmail' + ## - + echononl " Change ownership 'vmail:vmail' for dir '/var/vmail'" + chown vmail:vmail /var/vmail > /dev/null 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi + + + ## - Change permissions for dir '/var/vmail' + ## - + echononl " Change permissions for dir '/var/vmail'" + chmod 700 /var/vmail > /dev/null 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +fi + + +## - /etc/postfix/master.cf +## - +## - Create Listener for user authenticated smtp connection port 587 (submission) +## - and port 465 (smtps) +## - +postfix_master_cf="/etc/postfix/master.cf" +echononl " Backup file \"${postfix_master_cf}\"" +cp -a $postfix_master_cf "${postfix_master_cf}.$backup_date" > /dev/null 2> $tmp_err_msg +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $tmp_err_msg)" +fi + +if grep -iq -E "^submission\s+" $postfix_master_cf > /dev/null 2>&1 ; then + submission_present=true +else + submission_present=false +fi + +if grep -iq -E "^smtps\s+" $postfix_master_cf > /dev/null 2>&1 ; then + smtps_present=true +else + smtps_present=false +fi + +_found=false +echononl " Create new file \"${postfix_master_cf}\"" +if [[ -f "${postfix_master_cf}.$backup_date" ]]; then + > $postfix_master_cf + while IFS='' read -r _line || [[ -n $_line ]] ; do + + if echo "$_line" | grep -i -E "^\s*smtp\s+inet\s+" > /dev/null 2>&1 ; then + _found=true + cat >> $postfix_master_cf << EOF +smtp inet n - y - - smtpd +EOF + if ! $IS_RELAY_HOST ; then + if ! $submission_present ; then + cat >> $postfix_master_cf << EOF +submission inet n - y - 20 smtpd + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + #-o milter_macro_daemon_name=ORIGINATING +EOF + fi + if ! $smtps_present ; then + cat >> $postfix_master_cf << EOF +smtps inet n - y - - smtpd + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + #-o milter_macro_daemon_name=ORIGINATING +EOF + fi + fi + continue + fi + + if $submission_present && echo "$_line" | grep -iq -E "^submission\s+" 2> /dev/null ; then + _found=true + if ! $IS_RELAY_HOST ; then + cat >> $postfix_master_cf << EOF +submission inet n - y - 20 smtpd + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +EOF + fi + continue + fi + + if $smtps_present && echo "$_line" | grep -iq -E "^smtps\s+" 2> /dev/null ; then + _found=true + if ! $IS_RELAY_HOST ; then + cat >> $postfix_master_cf << EOF +smtps inet n - y - - smtpd + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +EOF + fi + continue + fi + + # - [[:blank:]] means space and tab. This makes it similar to: [ \t] + # - [[:space;]] in addition to space and tab, includes newline, linefeed, formfeed, + # - and vertical tab. This makes it similar to: [ \t\n\r\f\v] + # - + #if [[ $_line =~ ^[[:space:]]+[^[:space:]]+ ]] && $_smtp_found ; then + # - + if [[ $_line =~ ^[[:blank:]]+[^[:space:]]+ ]] && $_found ; then + continue + fi + _found=false + + echo "$_line" >> $postfix_master_cf + + done < "${postfix_master_cf}.$backup_date" + + echo_done + warn "Please check file \"$postfix_master_cf\" !" +else + echo_failed + error "File \"${postfix_master_cf}.$backup_date\" not found!" +fi + + +## - restart postfix +## - +echononl " Restart postfix" +if $systemd_exists ; then + systemctl restart postfix > /dev/null 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + /etc/init.d/postfix restart > /dev/null 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +fi + + +## - Omitt logging into system.log +## - +echononl " Create \"/etc/rsyslog.d/postfix.conf\"" +cat << EOF >> /etc/rsyslog.d/postfix.conf + +# +# Logging for the mail system. Split it up so that +# it is easy to write scripts to parse these files. +# +mail.info -/var/log/mail.info +mail.warn -/var/log/mail.warn +mail.err /var/log/mail.err + +mail.* -/var/log/mail.log +& ~ +EOF +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed +fi + +echononl " Restart rsyslog daemon" +if $systemd_exists ; then + systemctl restart rsyslog > /dev/null 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +else + /etc/init.d/rsyslog restart > /dev/null 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fi +fi + + +rm $tmp_err_msg +echo "" +clean_up 0