From c518fb042889a1e81331405237bd5bdd52f9708c Mon Sep 17 00:00:00 2001
From: mqr10
Date: Sat, 4 Jul 2020 16:14:30 +0200
Subject: [PATCH 1/3] force minimum TLS1.2 connections, disable weak ciphersuites

---
 emailwiz.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/emailwiz.sh b/emailwiz.sh
index a4750e4..725dfab 100755
--- a/emailwiz.sh
+++ b/emailwiz.sh
@@ -65,6 +65,14 @@ postconf -e "smtpd_tls_auth_only = yes"
 postconf -e "smtp_tls_security_level = may"
 postconf -e "smtp_tls_loglevel = 1"
 postconf -e "smtp_tls_CAfile=$certdir/cert.pem"
+postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "tls_preempt_cipherlist = yes"
+postconf -e "smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
+ DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,
+ RSA+AES, eNULL"
 
 # Here we tell Postfix to look to Dovecot for authenticating users/passwords.
 # Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
@@ -126,6 +134,9 @@ echo "# Dovecot config
 ssl = required
 ssl_cert = <$certdir/fullchain.pem
 ssl_key = <$certdir/privkey.pem
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH
+ssl_prefer_server_ciphers = yes
 
 # Plaintext login. This is safe and easy thanks to SSL.
 auth_mechanisms = plain login

From 30fd2d5d8d71825fb1bbbe4fc9ca01aebcd0f093 Mon Sep 17 00:00:00 2001
From: Darnell Andries
Date: Tue, 21 Jul 2020 14:23:38 -0700
Subject: [PATCH 2/3] Fixes for custom subdomain names

---
 emailwiz.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/emailwiz.sh b/emailwiz.sh
index af3ff66..f05d8ef 100755
--- a/emailwiz.sh
+++ b/emailwiz.sh
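Review bot: The `RSA+AES` entry in the new `smtpd_tls_exclude_ciphers` value excludes more than static-RSA key exchange: in OpenSSL's ciphers(1) syntax `RSA` matches suites that use RSA for key exchange or for authentication, so `RSA+AES` also removes the ECDHE-RSA AES-GCM suites, and with `ECDSA` excluded on the same line a server presenting the certificate this script loads from `$certdir` (a Let's Encrypt RSA key, if certbot's default key type was used — confirm) is left with only the CHACHA20 suites for TLS 1.2, while TLS 1.3 suites are selected separately and are unaffected. If the goal is forward secrecy, `kRSA` is the alias that names static-RSA key exchange alone. The exclusion list and the two non-mandatory `smtpd_tls_protocols`/`smtp_tls_protocols` lines also govern opportunistic MTA-to-MTA TLS, where Postfix's documentation cautions that a peer which cannot negotiate falls back to cleartext rather than failing, so tightening them can lower the share of encrypted mail instead of raising it. I would keep the two `*_mandatory_protocols` lines, drop the two opportunistic ones, replace `RSA+AES` with `kRSA`, and add above the block `# Mandatory (authenticated/submission) sessions require TLS 1.2+; opportunistic MTA-to-MTA TLS stays permissive because the fallback is cleartext.`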
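Review bot: `!RSA` in the new `ssl_cipher_list` line removes every suite authenticated with an RSA key, not just static-RSA key exchange, so with the RSA certificate read from `$certdir/fullchain.pem` no TLS 1.2 suite would remain and only clients that reach TLS 1.3 (whose suites this list does not control under OpenSSL 1.1.1, as far as I can tell) could still log in — `!kRSA` is the narrower exclusion if non-forward-secret key exchange is the target. `!LOW` appears twice, and `!SHA256:!SHA384` only match the CBC/HMAC suites (the AES-GCM suites carry SHA256/SHA384 in their names but are matched as AEAD), which is fine but deserves a comment so the next reader does not assume AES-GCM was dropped. `ssl_min_protocol` exists from Dovecot 2.3 onward, I believe; 2.2 packages use `ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1` instead, so a comment stating the targeted Dovecot version would avoid a silent config error on older distributions. A suggested replacement line: `ssl_cipher_list = ALL:!kRSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384@STRENGTH`.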
@@ -38,7 +38,7 @@ apt install postfix dovecot-imapd dovecot-sieve opendkim spamassassin spamc # Check if OpenDKIM is installed and install it if not. which opendkim-genkey >/dev/null 2>&1 || apt install opendkim-tools domain="$(cat /etc/mailname)" -subdom="mail" +subdom=${MAIL_SUBDOM:-mail} maildomain="$subdom.$domain" certdir="/etc/letsencrypt/live/$maildomain" @@ -232,7 +232,7 @@ chmod g+r /etc/postfix/dkim/* # Generate the OpenDKIM info: echo "Configuring OpenDKIM..." grep -q "$domain" /etc/postfix/dkim/keytable 2>/dev/null || -echo "$subdom._domainkey.$domain $domain:mail:/etc/postfix/dkim/mail.private" >> /etc/postfix/dkim/keytable +echo "$subdom._domainkey.$domain $domain:$subdom:/etc/postfix/dkim/$subdom.private" >> /etc/postfix/dkim/keytable grep -q "$domain" /etc/postfix/dkim/signingtable 2>/dev/null || echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable @@ -272,7 +272,7 @@ for x in dovecot postfix opendkim spamassassin; do service "$x" restart && printf " ...done\\n" done -pval="$(tr -d "\n" Date: Sun, 27 Sep 2020 11:47:39 +0100 Subject: [PATCH 3/3] Add extra troubleshooting, readability changes --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 31846d6..d7deb5f 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ same setup time and time again. I've linked this file on Github to a shorter, more memorable address on my website so you can get it on your machine with this short command: -``` +```sh curl -LO lukesmith.xyz/emailwiz.sh ``` 
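Review bot: `subdom=${MAIL_SUBDOM:-mail}` accepts an operator-supplied value without validation, and that value is then spliced into `maildomain`, `certdir`, the DKIM keytable entry and the key path `/etc/postfix/dkim/$subdom.private` in the `@@ -232` hunk, so a value with whitespace, a slash or `..` yields a broken hostname and an unexpected filesystem path in a script that presumably runs as root. A guard after the assignment keeps it to a single DNS label: `case "$subdom" in ""|*[!A-Za-z0-9-]*|-*|*-) printf 'MAIL_SUBDOM must be a single DNS label\n' >&2; exit 1 ;; esac` (written with `case` since the script uses `which` and `sh`-style constructs rather than `[[`). The new variable is also undocumented — neither the script nor the README change in the later patch mentions `MAIL_SUBDOM` — so a comment such as `# MAIL_SUBDOM overrides the host label, e.g. MAIL_SUBDOM=mx ./emailwiz.sh` belongs on that line. Whether the key-generation step (outside these hunks) writes the key as `$subdom.private` to match the new keytable path cannot be seen here and should be confirmed.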
@@ -22,7 +22,7 @@ actually works perfectly. - **Postfix** to send and receive mail. - **Dovecot** to get mail to your email client (mutt, Thunderbird, etc). -- Config files that unique the two above securely with native log-ins. +- Config files that link the two above securely with native log-ins. - **Spamassassin** to prevent spam and allow you to make custom filters. - **OpenDKIM** to validate you so you can send to Gmail and other big sites. @@ -104,7 +104,7 @@ email program. For my domain, the server information will be as follows: - SMTP port: 587 - IMAP server: `mail.lukesmith.xyz` - IMAP port: 993 -- Username `luke` (I.e. *not* `luke@lukesmith.xyz`) +- Username `luke` (i.e. *not* `luke@lukesmith.xyz`) The last point is important. Many email systems use a full email address on login. Since we just simply use local PAM logins, only the user's name is used @@ -115,8 +115,6 @@ login. Since we just simply use local PAM logins, only the user's name is used You're a big boy now if you have your own mail server! -You can tweak Postfix (sending mail - ## Benefited from this? If this script or documentation has saved you some frustration, you can donate @@ -135,3 +133,5 @@ to support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html). worry if you are: sometimes especially new domains are automatically assumed to be spam temporaily. If you are blacklisted by one of these, look into it and it will explain why and how to remove yourself. +- Check your DNS settings using [this site](https://intodns.com/), it'll report any issues with your MX records +- Ensure that port 25 is open on your server. [Vultr](https://www.vultr.com/docs/what-ports-are-blocked) for instance blocks this by default, you need to open a support ticket with them to open it. You can't send mail if 25 is blocked