get cert if absent fix #253. ufw fix #256.

This commit is contained in:
Luke Smith 2023-01-26 19:06:37 -05:00
parent eb5b6743f3
commit bf982255aa

View File

@ -43,20 +43,33 @@ subdom=${MAIL_SUBDOM:-mail}
maildomain="$subdom.$domain" maildomain="$subdom.$domain"
certdir="/etc/letsencrypt/live/$maildomain" certdir="/etc/letsencrypt/live/$maildomain"
# Open required mail ports, and 80, for Certbot.
for port in 80 993 465 25 587; do
ufw allow "$port" 2>/dev/null
done
[ ! -d "$certdir" ] && [ ! -d "$certdir" ] &&
possiblecert="$(certbot certificates 2>/dev/null | grep "$maildomain\|*\.$domain" -A 2 | awk '/Certificate Path/ {print $3}' | head -n1)" && possiblecert="$(certbot certificates 2>/dev/null | grep "Domains:\.* $maildomain\(\s\|$\)" -A 2 | awk '/Certificate Path/ {print $3}' | head -n1)" &&
certdir="${possiblecert%/*}" certdir="${possiblecert%/*}"
[ ! -d "$certdir" ] && case "$(netstat -tulpn | grep ":80\s")" in
*nginx*)
apt install -y python3-certbot-nginx
certbot -d "$maildomain" certonly --nginx --register-unsafely-without-email --agree-tos
;;
*apache*)
apt install -y python3-certbot-apache
certbot -d "$maildomain" certonly --apache --register-unsafely-without-email --agree-tos
;;
*)
apt install -y python3-certbot
certbot -d "$maildomain" certonly --standalone --register-unsafely-without-email --agree-tos
;;
esac
[ ! -d "$certdir" ] && echo "Note! You must first have a Let's Encrypt Certbot HTTPS/SSL Certificate for $maildomain. [ ! -d "$certdir" ] && echo "Note! You must first have a Let's Encrypt Certbot HTTPS/SSL Certificate for $maildomain.
Use Let's Encrypt's Certbot to get that and then rerun this script." && exit 1 Use Let's Encrypt's Certbot to get that and then rerun this script. It failed to run automatically here." && exit 1
# NOTE ON POSTCONF COMMANDS
# The `postconf` command literally just adds the line in question to
# /etc/postfix/main.cf so if you need to debug something, go there. It replaces
# any other line that sets the same setting, otherwise it is appended to the
# end of the file.
echo "Configuring Postfix's main.cf..." echo "Configuring Postfix's main.cf..."
@ -314,9 +327,6 @@ for x in spamassassin opendkim dovecot postfix; do
systemctl enable "$x" systemctl enable "$x"
done done
# If ufw is used, enable the mail ports.
pgrep ufw >/dev/null && { ufw allow 993; ufw allow 465 ; ufw allow 587; ufw allow 25 ;}
pval="$(tr -d '\n' <"/etc/postfix/dkim/$domain/$subdom.txt" | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o 'p=.*')" pval="$(tr -d '\n' <"/etc/postfix/dkim/$domain/$subdom.txt" | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o 'p=.*')"
dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval" dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval"
dmarcentry="_dmarc.$domain TXT v=DMARC1; p=reject; rua=mailto:dmarc@$domain; fo=1" dmarcentry="_dmarc.$domain TXT v=DMARC1; p=reject; rua=mailto:dmarc@$domain; fo=1"