diff --git a/README.md b/README.md index 56abdc1..5bd6b40 100644 --- a/README.md +++ b/README.md @@ -34,10 +34,10 @@ give your full domain without any subdomain, i.e. `lukesmith.xyz`. have an offline mirror of my email setup and I recommend the same. There are other ways of doing it though, like Thunderbird, etc. -## Requirements +## Before you run this script you need... 1. A **Debian or Ubuntu server**. I've tested this on a - [Vultr](https://www.vultr.com/?ref=8384069-6G) Debian server and one running + [Vultr](https://www.vultr.com/?ref=8940911-8H) Debian server and one running Ubuntu and their setup works, but I suspect other VPS hosts will have similar/possibly identical default settings which will let you run this on them. Note that the affiliate link there to Vultr gives you a $100 credit @@ -65,6 +65,9 @@ give your full domain without any subdomain, i.e. `lukesmith.xyz`. You may need to request these ports be opened to send mail successfully. Vultr and most other VPS providers will respond immediately and open the ports for you if you open a support ticket. +7. If you have a firewall, you'll need to open ports on your side as well. For + example, with `ufw`, just run: `ufw allow 587` on ports 587, 993 and 25 (you + will need port 80 for Certbot too). ## Post-install requirement! @@ -135,3 +138,8 @@ support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html). [Vultr](https://www.vultr.com/docs/what-ports-are-blocked) for instance blocks this by default, you need to open a support ticket with them to open it. You can't send mail if 25 is blocked + +## TODO + +- Fail2ban for security. +- Scripts for easier spam prevention. diff --git a/emailwiz.sh b/emailwiz.sh index 818cb3d..faa1a6d 100755 --- a/emailwiz.sh +++ b/emailwiz.sh @@ -37,21 +37,21 @@ echo "Setting umask to 0022..." umask 0022 echo "Installing programs..." -apt install postfix postfix-pcre dovecot-imapd dovecot-sieve opendkim spamassassin spamc +apt-get install postfix postfix-pcre dovecot-imapd dovecot-sieve opendkim spamassassin spamc # Check if OpenDKIM is installed and install it if not. -which opendkim-genkey >/dev/null 2>&1 || apt install opendkim-tools +which opendkim-genkey >/dev/null 2>&1 || apt-get install opendkim-tools domain="$(cat /etc/mailname)" subdom=${MAIL_SUBDOM:-mail} maildomain="$subdom.$domain" certdir="/etc/letsencrypt/live/$maildomain" -[ ! -d "$certdir" ] && certdir="$(dirname "$(certbot certificates 2>/dev/null | grep "$maildomain\|*.$domain" -A 2 | awk '/Certificate Path/ {print $3}' | head -n1)")" +[ ! -d "$certdir" ] && + possiblecert="$(certbot certificates 2>/dev/null | grep "$maildomain\|*\.$domain" -A 2 | awk '/Certificate Path/ {print $3}' | head -n1)" && + certdir="${possiblecert%/*}" [ ! -d "$certdir" ] && echo "Note! You must first have a Let's Encrypt Certbot HTTPS/SSL Certificate for $maildomain. -Use Let's Encrypt's Certbot to get that and then rerun this script. - -You may need to set up a dummy $maildomain site in nginx or Apache for that to work." && exit 1 +Use Let's Encrypt's Certbot to get that and then rerun this script." && exit 1 # NOTE ON POSTCONF COMMANDS @@ -311,18 +311,23 @@ systemctl daemon-reload for x in spamassassin opendkim dovecot postfix; do printf "Restarting %s..." "$x" service "$x" restart && printf " ...done\\n" + systemctl enable "$x" done # If ufw is used, enable the mail ports. pgrep ufw >/dev/null && { ufw allow 993; ufw allow 465 ; ufw allow 587; ufw allow 25 ;} -pval="$(tr -d '\n' <"/etc/postfix/dkim/$domain/$subdom.txt" | sed 's/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//' | grep -o 'p=.*')" +pval="$(tr -d '\n' <"/etc/postfix/dkim/$domain/$subdom.txt" | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o 'p=.*')" dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval" dmarcentry="_dmarc.$domain TXT v=DMARC1; p=reject; rua=mailto:dmarc@$domain; fo=1" spfentry="$domain TXT v=spf1 mx a:$maildomain -all" useradd -m -G mail dmarc +grep -q '^deploy-hook = echo "$RENEWED_DOMAINS" | grep -q' /etc/letsencrypt/cli.ini || + echo " +deploy-hook = echo \"\$RENEWED_DOMAINS\" | grep -q '$maildomain' && service postfix reload && service dovecot reload" >> /etc/letsencrypt/cli.ini + echo "$dkimentry $dmarcentry $spfentry" > "$HOME/dns_emailwizard"