install/postfix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial import

Browse Source
This commit is contained in:
Christoph
2017-02-19 11:35:16 +01:00
commit 27a0b0a2bf
7 changed files with 4356 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

502
BAK/install_postfix_base.sh.00 Executable file
View File

@@ -0,0 +1,502 @@
#!/usr/bin/env bash
_TLS_CERT_DIR=/etc/postfix/ssl
_TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt"
_TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key"
_TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt
_HOSTNAME=<hostname>
_IPV4=<IPv4-address>
_EXT_IF_IP=<extern interface IPv4>
## - Leave empty, if no IPv6 should be supported
## -
_IPV6=<IPv6 Address>
#_IPV6=
_ADMIN_EMAIL=<admin email>
_SASL_AUTH=<true|false>
_RELAY_HOST=b.mx.oopen.de
_SASL_USER=anw-urb
_SASL_PASS='OhPie2aethei'
## ---
# - Is this a systemd system?
# -
if [[ "X`which systemd`" = "X" ]]; then
systemd_exists=true
else
systemd_exists=false
fi
# - Deinstall debian exim4 packages
# -
_installed_exim_packages=`dpkg -l | grep exim4 | grep -e "^i" | awk '{print$2}'`
installed_exim_packages="bsd-mailx"
for _pkg in $_installed_exim_packages ; do
installed_exim_packages="$_installed_exim_packages $_pkg"
done
apt-get remove --purge -q -y $installed_exim_packages > /dev/null 2>&1
# - Install Postfix from debian packages system
# -
needed_packages="postfix postfix-pcre libsasl2-modules bsd-mailx haveged"
apt-get install -q -y $needed_packages > /dev/null 2>&1
# - Backup existing postfix configuration file
# -
if [[ -f "/etc/postfix/main.cf" ]]; then
cp -a /etc/postfix/main.cf /etc/postfix/main.cf.`date +%Y%m%d-%H%M`
fi
# - Creeate nes postfix configuration filr
## -
cat <<EOF > /etc/postfix/main.cf
# ============ Basic settings ============
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
myorigin = /etc/mailname
smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
## - The Internet protocols Postfix will attempt to use when making
## - or accepting connections.
## - DEFAULT: ipv4
EOF
if [ -n "$_IPV6" ]; then
cat <<EOF >> /etc/postfix/main.cf
inet_protocols = ipv4, ipv6
#inet_interfaces = all
inet_interfaces = 127.0.0.1
$_IPV4
$_IPV6
myhostname = $_HOSTNAME
mydestination =
$_HOSTNAME
localhost
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
127.0.0.0/8
[::ffff:127.0.0.0]/104
[::1]/128
${_IPV4}/32
[${_IPV6}]/128
smtp_bind_address = $_IPV4
smtp_bind_address6 = $_IPV6
EOF
else
cat <<EOF >> /etc/postfix/main.cf
inet_protocols = ipv4
#inet_interfaces = all
inet_interfaces =
127.0.0.1
$_IPV4
myhostname = $_HOSTNAME
mydestination =
$_HOSTNAME
localhost
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
127.0.0.0/8
${_IPV4}/32
smtp_bind_address = $_IPV4
#smtp_bind_address6 = $_IPV6
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
## - The method to generate the default value for the mynetworks parameter.
## -
## - mynetworks_style = host" when Postfix should "trust" only the local machine
## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP
## - clients in the same IP subnetworks as the local machine.
## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same
## - IP class A/B/C networks as the local machine.
## -
#mynetworks_style = host
## - The maximal size of any local(8) individual mailbox or maildir file,
## - or zero (no limit). In fact, this limits the size of any file that is
## - written to upon local delivery, including files written by external
## - commands that are executed by the local(8) delivery agent.
## -
mailbox_size_limit = 0
## - The maximal size in bytes of a message, including envelope information.
## -
## - we user 50MB
## -
message_size_limit = 52480000
## - The system-wide recipient address extension delimiter
## -
recipient_delimiter = +
## - The alias databases that are used for local(8) delivery.
## -
alias_maps =
hash:/etc/aliases
## - The alias databases for local(8) delivery that are updated
## - with "newaliases" or with "sendmail -bi".
## -
alias_database =
hash:/etc/aliases
## - The maximal time a message is queued before it is sent back as
## - undeliverable. Defaults to 5d (5 days)
## - Specify 0 when mail delivery should be tried only once.
## -
maximal_queue_lifetime = 3d
bounce_queue_lifetime = \$maximal_queue_lifetime
## - delay_warning_time (default: 0h)
## -
## - The time after which the sender receives a copy of the message
## - headers of mail that is still queued. To enable this feature,
## - specify a non-zero time value (an integral value plus an optional
## - one-letter suffix that specifies the time unit).
## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
## - The default time unit is h (hours).
delay_warning_time = 1d
EOF
if $_SASL_AUTH ; then
cat <<EOF >> /etc/postfix/main.cf
# ============ Relay parameters ============
#relayhost =
# ============ SASL authentication ============
# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Forwarding to the ip-adress of host b.mx.oopen.de
relayhost = [b.mx.oopen.de]
# File including login data
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Force using a (TLS) security connection
# obsulete - use smtp_tls_security_level instead
#smtp_use_tls = yes
#smtp_tls_enforce_peername = no
smtp_tls_security_level = encrypt
# Disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# ============ TLS parameters ============
## - Aktiviert TLS für den Mailempfang
## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - SMTP server, otherwise use plaintext
## -
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - "smtpd_tls_wrappermode = yes".
#smtpd_use_tls=yes
smtp_tls_security_level=encrypt
EOF
else
cat <<EOF >> /etc/postfix/main.cf
# ============ Relay parameters ============
relayhost =
# ============ TLS parameters ============
## - Aktiviert TLS für den Mailempfang
## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - SMTP server, otherwise use plaintext
## -
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - "smtpd_tls_wrappermode = yes".
#smtpd_use_tls=yes
smtp_tls_security_level=may
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
## - Aktiviert TLS für den Mailversand
## -
## - may:
## - Opportunistic TLS: announce STARTTLS support to SMTP clients,
## - but do not require that clients use TLS encryption.
# smtp_use_tls=yes
smtpd_tls_security_level=may
## - 0 Disable logging of TLS activity.
## - 1 Log TLS handshake and certificate information.
## - 2 Log levels during TLS negotiation.
## - 3 Log hexadecimal and ASCII dump of TLS negotiation process.
## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS.
## -
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtpd_tls_cert_file = $_TLS_CERT_FILE
smtpd_tls_key_file = $_TLS_KEY_FILE
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024
## -
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
## - also possible to use 2048 key with that parameter
## -
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512
## -
smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
## - File containing CA certificates of root CAs trusted to sign either remote SMTP
## - server certificates or intermediate CA certificates. These are loaded into
## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
## -
smtp_tls_CAfile = $_TLS_CA_FILE
## - Directory with PEM format certificate authority certificates that the Postfix SMTP
## - client uses to verify a remote SMTP server certificate. Don't forget to create the
## - necessary "hash" links with, for example, "
## - $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
## -
## - !! Note !!
## - To use this option in chroot mode, this directory (or a copy) must be inside
## - the chroot jail.
## -
## - Note that a chrooted daemon resolves all filenames relative to the Postfix
## - queue directory (/var/spool/postfix)
## -
#smtpd_tls_CApath = /etc/postfix/certs
# Disable SSLv2 SSLv3 - Postfix SMTP server
#
# List of TLS protocols that the Postfix SMTP server will exclude or
# include with opportunistic TLS encryption.
smtpd_tls_protocols = !SSLv2, !SSLv3
#
# The SSL/TLS protocols accepted by the Postfix SMTP server
# with mandatory TLS encryption.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Disable SSLv2 SSLv3 - Postfix SMTP client
#
# List of TLS protocols that the Postfix SMTP client will exclude or
# include with opportunistic TLS encryption.
smtp_tls_protocols = !SSLv2, !SSLv3
#
# List of SSL/TLS protocols that the Postfix SMTP client will use
# with mandatory TLS encryption
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange
## - openssl > 1.0
## -
smtpd_tls_eecdh_grade = strong
# standard list cryptographic algorithm
tls_preempt_cipherlist = yes
# Disable ciphers which are less than 256-bit:
#
#smtpd_tls_mandatory_ciphers = high
#
# opportunistic
smtpd_tls_ciphers = high
# Exclude ciphers
#smtpd_tls_exclude_ciphers =
# RC4
# aNULL
# SEED-SHA
# EXP
# MD5
smtpd_tls_exclude_ciphers =
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CDC3-SHA
KRB5-DE5, CBC3-SHA
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
EOF
if $_SASL_AUTH ; then
echo "[$_RELAY_HOST] ${_SASL_USER}@${_RELAY_HOST}:$_SASL_PASS" > /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd.db
fi
## - /etc/mailname
## -
echo $_HOSTNAME > /etc/mailname
## - /etc/aliases
## -
cat << EOF > /etc/aliases
# See man 5 aliases for format
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: $_ADMIN_EMAIL
EOF
## - create directory for certificates and copy certificates
## - and coresponding keys to /etc/postfix/ssl/
## -
mkdir -p /etc/postfix/ssl
## - generate DH parameters that the Postfix SMTP server should use
## - with EDH ciphers (length 512 and 1024
## -
if [ ! -f /etc/postfix/ssl/dh_512.pem ]; then
openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512
fi
if [ ! -f /etc/postfix/ssl/dh_1024.pem ]; then
openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024
fi
if [ ! -f /etc/postfix/ssl/dh_2048.pem ]; then
openssl gendh -out /etc/postfix/ssl/dh_2048.pem -2 2048
fi
if [ ! -h "$_TLS_CERT_FILE" ]; then
ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem $_TLS_CERT_FILE
fi
if [ ! -h "$_TLS_KEY_FILE" ]; then
ln -s /etc/ssl/private/ssl-cert-snakeoil.key $_TLS_KEY_FILE
fi
## - rebuld alias database
## -
newaliases
## - restart postfix
## -
if $systemd_exists ; then
systemctl restart postfix
else
/etc/init.d/postfix restart
fi
## - Omitt logging into system.log
## -
cat << EOF >> /etc/rsyslog.d/postfix.conf
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
mail.* -/var/log/mail.log
& ~
EOF
if $systemd_exists ; then
systemctl restart rsyslog
else
/etc/init.d/rsyslog restart
fi
exit

725
BAK/install_postfix_base.sh.01 Executable file
View File

@@ -0,0 +1,725 @@
#!/usr/bin/env bash
_TLS_CERT_DIR=/etc/postfix/ssl
_TLS_CERT_FILE="${_TLS_CERT_DIR}/mailserver.crt"
_TLS_KEY_FILE="${_TLS_CERT_DIR}/mailserver.key"
_TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt
_HOSTNAME=o15.oopen.de
_IPV4=83.223.86.96
_EXT_IF_IP=83.223.86.96
## - Leave empty, if no IPv6 should be supported
## -
_IPV6=2a01:30:0:13:5054:ff:fe09:2318
#_IPV6=
_ADMIN_EMAIL=admin@oopen.de
_SASL_AUTH=false
_RELAY_HOST=b.mx.oopen.de
_SASL_USER=anw-urb
_SASL_PASS='OhPie2aethei'
# -------------
# --- Some functions
# -------------
echononl(){
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
}
fatal(){
echo ""
echo -e "fataler Fehler: $*"
echo ""
echo -e "\t\033[31m\033[1mInstalllation wird abgebrochen\033[m\033[m"
echo ""
exit 1
}
error(){
echo ""
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
echo ""
}
warn (){
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
echo ""
}
info (){
echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
echo ""
}
echo_done() {
echo -e "\033[80G[ \033[32mdone\033[m ]"
}
echo_ok() {
echo -e "\033[80G[ \033[32mok\033[m ]"
}
echo_warning() {
echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
echo -e "\033[80G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
echo -e "\033[80G[ \033[33m\033[1mskipped\033[m ]"
}
# - Is this a systemd system?
# -
if [[ "X`which systemd`" = "X" ]]; then
systemd_exists=false
else
systemd_exists=true
fi
echo ""
# - Deinstall debian exim4 packages
# -
echononl " Deinstall debian exim4 packages"
_installed_exim_packages=`dpkg -l | grep exim4 | grep -e "^i" | awk '{print$2}'`
for _pkg in $_installed_exim_packages ; do
installed_exim_packages="$installed_exim_packages $_pkg"
done
if [[ -n "$installed_exim_packages" ]] ; then
if `dpkg -l | grep bsd-mailx | grep -e "^i" > /dev/null 2>&1` ; then
installed_exim_packages="$installed_exim_packages bsd-mailx"
fi
apt-get remove --purge -qq -y $installed_exim_packages > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
# - Install Postfix from debian packages system
# -
echononl " Install Postfix from debian packages system"
_needed_packages="postfix postfix-pcre libsasl2-modules bsd-mailx haveged"
for _pkg in $_needed_packages ; do
if `dpkg -l | grep $_pkg | grep -e "^i" > /dev/null 2>&1` ; then
continue
else
needed_packages="$needed_packages $_pkg"
fi
done
if [[ -n "$needed_packages" ]]; then
DEBIAN_FRONTEND=noninteractive apt-get -y install $needed_packages > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
# - Backup existing postfix configuration file
# -
echononl " Backup existing postfix configuration file"
if [[ -f "/etc/postfix/main.cf" ]]; then
cp -a /etc/postfix/main.cf /etc/postfix/main.cf.`date +%Y%m%d-%H%M`
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
# - Creeate new postfix configuration file
# -
echononl " Creeate new postfix configuration file"
cat <<EOF > /etc/postfix/main.cf
# ============ Basic settings ============
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
myorigin = /etc/mailname
smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
## - The Internet protocols Postfix will attempt to use when making
## - or accepting connections.
## - DEFAULT: ipv4
EOF
if [ -n "$_IPV6" ]; then
cat <<EOF >> /etc/postfix/main.cf
inet_protocols = ipv4, ipv6
#inet_interfaces = all
inet_interfaces = 127.0.0.1
$_IPV4
$_IPV6
myhostname = $_HOSTNAME
mydestination =
$_HOSTNAME
localhost
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
127.0.0.0/8
[::ffff:127.0.0.0]/104
[::1]/128
${_IPV4}/32
[${_IPV6}]/128
smtp_bind_address = $_IPV4
smtp_bind_address6 = $_IPV6
EOF
else
cat <<EOF >> /etc/postfix/main.cf
inet_protocols = ipv4
#inet_interfaces = all
inet_interfaces =
127.0.0.1
$_IPV4
myhostname = $_HOSTNAME
mydestination =
$_HOSTNAME
localhost
## - The list of "trusted" SMTP clients that have more
## - privileges than "strangers"
## -
mynetworks =
127.0.0.0/8
${_IPV4}/32
smtp_bind_address = $_IPV4
#smtp_bind_address6 = $_IPV6
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
## - The method to generate the default value for the mynetworks parameter.
## -
## - mynetworks_style = host" when Postfix should "trust" only the local machine
## - mynetworks_style = subnet (default value) "when Postfix should "trust" SMTP
## - clients in the same IP subnetworks as the local machine.
## - mynetworks_style = class" when Postfix should "trust" SMTP clients in the same
## - IP class A/B/C networks as the local machine.
## -
#mynetworks_style = host
## - The maximal size of any local(8) individual mailbox or maildir file,
## - or zero (no limit). In fact, this limits the size of any file that is
## - written to upon local delivery, including files written by external
## - commands that are executed by the local(8) delivery agent.
## -
mailbox_size_limit = 0
## - The maximal size in bytes of a message, including envelope information.
## -
## - we user 50MB
## -
message_size_limit = 52480000
## - The system-wide recipient address extension delimiter
## -
recipient_delimiter = +
## - The alias databases that are used for local(8) delivery.
## -
alias_maps =
hash:/etc/aliases
## - The alias databases for local(8) delivery that are updated
## - with "newaliases" or with "sendmail -bi".
## -
alias_database =
hash:/etc/aliases
## - The maximal time a message is queued before it is sent back as
## - undeliverable. Defaults to 5d (5 days)
## - Specify 0 when mail delivery should be tried only once.
## -
maximal_queue_lifetime = 3d
bounce_queue_lifetime = \$maximal_queue_lifetime
## - delay_warning_time (default: 0h)
## -
## - The time after which the sender receives a copy of the message
## - headers of mail that is still queued. To enable this feature,
## - specify a non-zero time value (an integral value plus an optional
## - one-letter suffix that specifies the time unit).
## - Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
## - The default time unit is h (hours).
delay_warning_time = 1d
EOF
if $_SASL_AUTH ; then
cat <<EOF >> /etc/postfix/main.cf
# ============ Relay parameters ============
#relayhost =
# ============ SASL authentication ============
# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Forwarding to the ip-adress of host b.mx.oopen.de
relayhost = [b.mx.oopen.de]
# File including login data
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Force using a (TLS) security connection
# obsulete - use smtp_tls_security_level instead
#smtp_use_tls = yes
#smtp_tls_enforce_peername = no
smtp_tls_security_level = encrypt
# Disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# ============ TLS parameters ============
## - Aktiviert TLS für den Mailempfang
## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - SMTP server, otherwise use plaintext
## -
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - "smtpd_tls_wrappermode = yes".
#smtpd_use_tls=yes
smtp_tls_security_level=encrypt
EOF
else
cat <<EOF >> /etc/postfix/main.cf
# ============ Relay parameters ============
relayhost =
# ============ TLS parameters ============
## - Aktiviert TLS für den Mailempfang
## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote
## - SMTP server, otherwise use plaintext
## -
## - This overrides the obsolete parameters smtpd_use_tls and
## - smtpd_enforce_tls. This parameter is ignored with
## - "smtpd_tls_wrappermode = yes".
#smtpd_use_tls=yes
smtp_tls_security_level=may
EOF
fi
cat <<EOF >> /etc/postfix/main.cf
## - Aktiviert TLS für den Mailversand
## -
## - may:
## - Opportunistic TLS: announce STARTTLS support to SMTP clients,
## - but do not require that clients use TLS encryption.
# smtp_use_tls=yes
smtpd_tls_security_level=may
## - 0 Disable logging of TLS activity.
## - 1 Log TLS handshake and certificate information.
## - 2 Log levels during TLS negotiation.
## - 3 Log hexadecimal and ASCII dump of TLS negotiation process.
## - 4 Also log hexadecimal and ASCII dump of complete transmission after STARTTLS.
## -
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtpd_tls_cert_file = $_TLS_CERT_FILE
smtpd_tls_key_file = $_TLS_KEY_FILE
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024
## -
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_1024.pem
## - also possible to use 2048 key with that parameter
## -
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dh_2048.pem
## - File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
## -
## - Dont't forget to create it, e.g with openssl:
## - openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512
## -
smtpd_tls_dh512_param_file = /etc/postfix/ssl/dh_512.pem
## - File containing CA certificates of root CAs trusted to sign either remote SMTP
## - server certificates or intermediate CA certificates. These are loaded into
## - memory !! BEFORE !! the smtp(8) client enters the chroot jail.
## -
smtp_tls_CAfile = $_TLS_CA_FILE
## - Directory with PEM format certificate authority certificates that the Postfix SMTP
## - client uses to verify a remote SMTP server certificate. Don't forget to create the
## - necessary "hash" links with, for example, "
## - $OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
## -
## - !! Note !!
## - To use this option in chroot mode, this directory (or a copy) must be inside
## - the chroot jail.
## -
## - Note that a chrooted daemon resolves all filenames relative to the Postfix
## - queue directory (/var/spool/postfix)
## -
#smtpd_tls_CApath = /etc/postfix/certs
# Disable SSLv2 SSLv3 - Postfix SMTP server
#
# List of TLS protocols that the Postfix SMTP server will exclude or
# include with opportunistic TLS encryption.
smtpd_tls_protocols = !SSLv2, !SSLv3
#
# The SSL/TLS protocols accepted by the Postfix SMTP server
# with mandatory TLS encryption.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Disable SSLv2 SSLv3 - Postfix SMTP client
#
# List of TLS protocols that the Postfix SMTP client will exclude or
# include with opportunistic TLS encryption.
smtp_tls_protocols = !SSLv2, !SSLv3
#
# List of SSL/TLS protocols that the Postfix SMTP client will use
# with mandatory TLS encryption
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
## - Activate des "Ephemeral Elliptic Curve Diffie-Hellman" (EECDH) key exchange
## - openssl > 1.0
## -
smtpd_tls_eecdh_grade = strong
# standard list cryptographic algorithm
tls_preempt_cipherlist = yes
# Disable ciphers which are less than 256-bit:
#
#smtpd_tls_mandatory_ciphers = high
#
# opportunistic
smtpd_tls_ciphers = high
# Exclude ciphers
#smtpd_tls_exclude_ciphers =
# RC4
# aNULL
# SEED-SHA
# EXP
# MD5
smtpd_tls_exclude_ciphers =
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
EDH-RSA-DES-CDC3-SHA
KRB5-DE5, CBC3-SHA
smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
EOF
echo_ok
echononl " Configure SASL authentification"
if $_SASL_AUTH ; then
_failed=false
echo "[$_RELAY_HOST] ${_SASL_USER}@${_RELAY_HOST}:$_SASL_PASS" > /etc/postfix/sasl_passwd
if [[ "$?" != "0" ]]; then
error "Setting \"/etc/postfix/sasl_passwd\" failed! "
_failed=true
fi
chown root:root /etc/postfix/sasl_passwd
if [[ "$?" != "0" ]]; then
error "Setting ownership of \"/etc/postfix/sasl_passwd\" failed! "
_failed=true
fi
chmod 600 /etc/postfix/sasl_passwd
if [[ "$?" != "0" ]]; then
error "Setting permissions on \"/etc/postfix/sasl_passwd\" failed! "
_failed=true
fi
postmap /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd.db
if [[ "$?" != "0" ]]; then
error "Creating \"/etc/postfix/sasl_passwd\" failed! "
_failed=true
fi
chown root:root /etc/postfix/sasl_passwd.db
if [[ "$?" != "0" ]]; then
error "Setting ownership of \"/etc/postfix/sasl_passwd.db\" failed! "
_failed=true
fi
if $_failed ; then
echo_failed
else
echo_ok
fi
else
echo_skipped
fi
## - /etc/mailname
## -
echononl " Set \"/etc/mailname\""
echo $_HOSTNAME > /etc/mailname
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - /etc/aliases
## -
echononl " Adjust \"/etc/aliases\""
cat << EOF > /etc/aliases
# See man 5 aliases for format
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: $_ADMIN_EMAIL
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - create directory for certificates and copy certificates
## - and coresponding keys to /etc/postfix/ssl/
## -
echononl " Create directory for certificates \"/etc/postfix/ssl\""
if [[ -d "/etc/postfix/ssl" ]] ; then
echo_skipped
else
mkdir -p /etc/postfix/ssl
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
## - generate DH parameters that the Postfix SMTP server should use
## - with EDH ciphers (length 512 and 1024
## -
echononl " Generate DH key length=512 \"/etc/postfix/ssl/dh_512.pem\""
if [ ! -f /etc/postfix/ssl/dh_512.pem ]; then
openssl gendh -out /etc/postfix/ssl/dh_512.pem -2 512 > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Generate DH key length=1024 \"/etc/postfix/ssl/dh_1024.pem\""
if [ ! -f /etc/postfix/ssl/dh_1024.pem ]; then
openssl gendh -out /etc/postfix/ssl/dh_1024.pem -2 1024 > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Generate DH key length=2048 \"/etc/postfix/ssl/dh_2048.pem\""
if [ ! -f /etc/postfix/ssl/dh_2048.pem ]; then
openssl gendh -out /etc/postfix/ssl/dh_2048.pem -2 2048 > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Create Symlink \"$_TLS_CERT_FILE\""
if [ ! -h "$_TLS_CERT_FILE" ]; then
ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem $_TLS_CERT_FILE
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
echononl " Create Symlink \"$_TLS_KEY_FILE\""
if [ ! -h "$_TLS_KEY_FILE" ]; then
ln -s /etc/ssl/private/ssl-cert-snakeoil.key $_TLS_KEY_FILE
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
echo_skipped
fi
## - rebuld alias database
## -
echononl " Rebuld alias database"
newaliases > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
## - restart postfix
## -
echononl " Restart postfix"
if $systemd_exists ; then
systemctl restart postfix > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
/etc/init.d/postfix restart > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
## - Omitt logging into system.log
## -
echononl " Create \"/etc/rsyslog.d/postfix.conf\""
cat << EOF >> /etc/rsyslog.d/postfix.conf
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
mail.* -/var/log/mail.log
& ~
EOF
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
echononl " Restart rsyslog daemon"
if $systemd_exists ; then
systemctl restart rsyslog > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
else
/etc/init.d/rsyslog restart > /dev/null 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
fi
fi
echo ""
exit

1011
BAK/install_postfix_relay.sh.00 Executable file
View File

File diff suppressed because it is too large Load Diff