Merge branch 'master' of github.com:LukeSmithxyz/emailwiz

Luke Smith 2022-09-28 11:20:49 -04:00
commit ae2ee398f6
2 changed files with 22 additions and 9 deletions

View File

@ -34,10 +34,10 @@ give your full domain without any subdomain, i.e. `lukesmith.xyz`.
have an offline mirror of my email setup and I recommend the same. There are have an offline mirror of my email setup and I recommend the same. There are
other ways of doing it though, like Thunderbird, etc. other ways of doing it though, like Thunderbird, etc.
## Requirements ## Before you run this script you need...
1. A **Debian or Ubuntu server**. I've tested this on a 1. A **Debian or Ubuntu server**. I've tested this on a
[Vultr](https://www.vultr.com/?ref=8384069-6G) Debian server and one running [Vultr](https://www.vultr.com/?ref=8940911-8H) Debian server and one running
Ubuntu and their setup works, but I suspect other VPS hosts will have Ubuntu and their setup works, but I suspect other VPS hosts will have
similar/possibly identical default settings which will let you run this on similar/possibly identical default settings which will let you run this on
them. Note that the affiliate link there to Vultr gives you a $100 credit them. Note that the affiliate link there to Vultr gives you a $100 credit
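Review bot: the merge carries a changed Vultr referral code (8384069-6G to 8940911-8H) in the same hunk as the heading rename; confirm the new code is the intended one, and check that the "$100 credit" claim in the same paragraph still holds for that referral, since the README states it as fact.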
@ -65,6 +65,9 @@ give your full domain without any subdomain, i.e. `lukesmith.xyz`.
You may need to request these ports be opened to send mail successfully. You may need to request these ports be opened to send mail successfully.
Vultr and most other VPS providers will respond immediately and open the Vultr and most other VPS providers will respond immediately and open the
ports for you if you open a support ticket. ports for you if you open a support ticket.
7. If you have a firewall, you'll need to open ports on your side as well. For
example, with `ufw`, just run: `ufw allow 587` on ports 587, 993 and 25 (you
will need port 80 for Certbot too).
## Post-install requirement! ## Post-install requirement!
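Review bot: in the new item 7 the example command `ufw allow 587` covers only one of the four ports the sentence lists (587, 993, 25 and 80 for Certbot), and the phrase "just run: `ufw allow 587` on ports 587, 993 and 25" reads as if one command opens them all. Spell the commands out, e.g. `ufw allow 25`, `ufw allow 587`, `ufw allow 993` and `ufw allow 80`, and mention 465 as well, since the script's own ufw block opens 465 but the README never says so.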
@ -135,3 +138,8 @@ support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html).
[Vultr](https://www.vultr.com/docs/what-ports-are-blocked) for instance [Vultr](https://www.vultr.com/docs/what-ports-are-blocked) for instance
blocks this by default, you need to open a support ticket with them to open blocks this by default, you need to open a support ticket with them to open
it. You can't send mail if 25 is blocked it. You can't send mail if 25 is blocked
## TODO
- Fail2ban for security.
- Scripts for easier spam prevention.
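Review bot: the new TODO entries are too vague to act on; "Fail2ban for security" should at least name the services whose logs the jails are meant to cover (postfix and dovecot, given the rest of the script), and the spam item should say whether it means SpamAssassin tuning or sieve rules. While here, the preceding sentence "You can't send mail if 25 is blocked" is missing its full stop.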

View File

@ -37,21 +37,21 @@ echo "Setting umask to 0022..."
umask 0022 umask 0022
echo "Installing programs..." echo "Installing programs..."
apt install postfix postfix-pcre dovecot-imapd dovecot-sieve opendkim spamassassin spamc apt-get install postfix postfix-pcre dovecot-imapd dovecot-sieve opendkim spamassassin spamc
# Check if OpenDKIM is installed and install it if not. # Check if OpenDKIM is installed and install it if not.
which opendkim-genkey >/dev/null 2>&1 || apt install opendkim-tools which opendkim-genkey >/dev/null 2>&1 || apt-get install opendkim-tools
domain="$(cat /etc/mailname)" domain="$(cat /etc/mailname)"
subdom=${MAIL_SUBDOM:-mail} subdom=${MAIL_SUBDOM:-mail}
maildomain="$subdom.$domain" maildomain="$subdom.$domain"
certdir="/etc/letsencrypt/live/$maildomain" certdir="/etc/letsencrypt/live/$maildomain"
[ ! -d "$certdir" ] && certdir="$(dirname "$(certbot certificates 2>/dev/null | grep "$maildomain\|*.$domain" -A 2 | awk '/Certificate Path/ {print $3}' | head -n1)")" [ ! -d "$certdir" ] &&
possiblecert="$(certbot certificates 2>/dev/null | grep "$maildomain\|*\.$domain" -A 2 | awk '/Certificate Path/ {print $3}' | head -n1)" &&
certdir="${possiblecert%/*}"
[ ! -d "$certdir" ] && echo "Note! You must first have a Let's Encrypt Certbot HTTPS/SSL Certificate for $maildomain. [ ! -d "$certdir" ] && echo "Note! You must first have a Let's Encrypt Certbot HTTPS/SSL Certificate for $maildomain.
Use Let's Encrypt's Certbot to get that and then rerun this script. Use Let's Encrypt's Certbot to get that and then rerun this script." && exit 1
You may need to set up a dummy $maildomain site in nginx or Apache for that to work." && exit 1
# NOTE ON POSTCONF COMMANDS # NOTE ON POSTCONF COMMANDS
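Review bot: the certificate check still runs after `apt-get install`, so a user without a certificate gets packages installed and then an `exit 1`; move the `certdir` lookup and the "You must first have a Let's Encrypt ..." message above the install so a failed run leaves no side effects. Two smaller points in the same hunk: `apt-get install` has no `-y`, so the script blocks on a prompt, and the new error text tells users to set up a dummy `$maildomain` site even though the lookup now also accepts a wildcard `*.$domain` certificate, which the message could mention.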
@ -311,18 +311,23 @@ systemctl daemon-reload
for x in spamassassin opendkim dovecot postfix; do for x in spamassassin opendkim dovecot postfix; do
printf "Restarting %s..." "$x" printf "Restarting %s..." "$x"
service "$x" restart && printf " ...done\\n" service "$x" restart && printf " ...done\\n"
systemctl enable "$x"
done done
# If ufw is used, enable the mail ports. # If ufw is used, enable the mail ports.
pgrep ufw >/dev/null && { ufw allow 993; ufw allow 465 ; ufw allow 587; ufw allow 25 ;} pgrep ufw >/dev/null && { ufw allow 993; ufw allow 465 ; ufw allow 587; ufw allow 25 ;}
pval="$(tr -d '\n' <"/etc/postfix/dkim/$domain/$subdom.txt" | sed 's/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//' | grep -o 'p=.*')" pval="$(tr -d '\n' <"/etc/postfix/dkim/$domain/$subdom.txt" | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o 'p=.*')"
dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval" dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval"
dmarcentry="_dmarc.$domain TXT v=DMARC1; p=reject; rua=mailto:dmarc@$domain; fo=1" dmarcentry="_dmarc.$domain TXT v=DMARC1; p=reject; rua=mailto:dmarc@$domain; fo=1"
spfentry="$domain TXT v=spf1 mx a:$maildomain -all" spfentry="$domain TXT v=spf1 mx a:$maildomain -all"
useradd -m -G mail dmarc useradd -m -G mail dmarc
grep -q '^deploy-hook = echo "$RENEWED_DOMAINS" | grep -q' /etc/letsencrypt/cli.ini ||
echo "
deploy-hook = echo \"\$RENEWED_DOMAINS\" | grep -q '$maildomain' && service postfix reload && service dovecot reload" >> /etc/letsencrypt/cli.ini
echo "$dkimentry echo "$dkimentry
$dmarcentry $dmarcentry
$spfentry" > "$HOME/dns_emailwizard" $spfentry" > "$HOME/dns_emailwizard"
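Review bot: the new deploy-hook only reloads postfix and dovecot when `$RENEWED_DOMAINS` contains `$maildomain`, but the certificate lookup earlier in this commit also accepts a wildcard `*.$domain` certificate, and for that certificate the renewed name is `*.domain`, so the hook never fires and the services keep serving the expired certificate until the next restart; match on `$domain` as well, or derive the pattern from the certificate actually found. The guard `grep -q '^deploy-hook = echo "$RENEWED_DOMAINS" | grep -q'` is not tied to `$maildomain`, which is fine given that cli.ini honours a single `deploy-hook` line, but that also means a pre-existing hook for another domain silently prevents this one from being added. Separately, the unchanged `pgrep ufw` line above is unlikely to ever match, since ufw is not a long-running process; `ufw status` or `command -v ufw` would be a more reliable test, and that matters because the README now tells users to open these ports themselves.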