Compare commits
6 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
24b3e2f5b9 | ||
|
98d45df08e | ||
|
7044cbcc5f | ||
|
39d9b9adb2 | ||
|
3358b0123a | ||
|
aa0f635a2e |
71
emailwiz.sh
71
emailwiz.sh
@ -17,9 +17,22 @@
|
|||||||
|
|
||||||
umask 0022
|
umask 0022
|
||||||
|
|
||||||
apt-get install -y postfix postfix-pcre dovecot-imapd dovecot-sieve opendkim opendkim-tools spamassassin spamc net-tools fail2ban
|
#A apt-get install -y postfix postfix-pcre dovecot-imapd dovecot-sieve opendkim opendkim-tools spamassassin spamc net-tools fail2ban
|
||||||
domain="$(cat /etc/mailname)"
|
pacman -Syu postfix postfix-pcre dovecot pigeonhole opendkim spamassassin net-tools fail2ban cronie
|
||||||
subdom=${MAIL_SUBDOM:-mail}
|
|
||||||
|
mkdir -p /etc/dovecot
|
||||||
|
cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot/dovecot.conf
|
||||||
|
cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot
|
||||||
|
|
||||||
|
mkdir -p /var/lib/dovecot/sieve
|
||||||
|
|
||||||
|
mkdir -p /etc/mail/spamassassin/sa-update-keys
|
||||||
|
chown spamd:spamd /etc/mail/spamassassin/sa-update-keys
|
||||||
|
chmod 700 /etc/mail/spamassassin/sa-update-keys
|
||||||
|
|
||||||
|
#A domain="$(cat /etc/mailname)"
|
||||||
|
domain="0124816.xyz"
|
||||||
|
subdom="mail"
|
||||||
maildomain="$subdom.$domain"
|
maildomain="$subdom.$domain"
|
||||||
certdir="/etc/letsencrypt/live/$maildomain"
|
certdir="/etc/letsencrypt/live/$maildomain"
|
||||||
|
|
||||||
@ -36,15 +49,15 @@ done
|
|||||||
certdir="/etc/letsencrypt/live/$maildomain" &&
|
certdir="/etc/letsencrypt/live/$maildomain" &&
|
||||||
case "$(netstat -tulpn | grep ":80\s")" in
|
case "$(netstat -tulpn | grep ":80\s")" in
|
||||||
*nginx*)
|
*nginx*)
|
||||||
apt install -y python3-certbot-nginx
|
pacman -S certbot-nginx
|
||||||
certbot -d "$maildomain" certonly --nginx --register-unsafely-without-email --agree-tos
|
certbot -d "$maildomain" certonly --nginx --register-unsafely-without-email --agree-tos
|
||||||
;;
|
;;
|
||||||
*apache*)
|
*apache*)
|
||||||
apt install -y python3-certbot-apache
|
pacman -S certbot-apache
|
||||||
certbot -d "$maildomain" certonly --apache --register-unsafely-without-email --agree-tos
|
certbot -d "$maildomain" certonly --apache --register-unsafely-without-email --agree-tos
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
apt install -y python3-certbot
|
pacman -S certbot
|
||||||
certbot -d "$maildomain" certonly --standalone --register-unsafely-without-email --agree-tos
|
certbot -d "$maildomain" certonly --standalone --register-unsafely-without-email --agree-tos
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -95,7 +108,7 @@ postconf -e 'smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authentica
|
|||||||
# command, is necessary as it distinguishes a maildir (which is the actual
|
# command, is necessary as it distinguishes a maildir (which is the actual
|
||||||
# directories that what we want) from a spoolfile (which is what old unix
|
# directories that what we want) from a spoolfile (which is what old unix
|
||||||
# boomers want and no one else).
|
# boomers want and no one else).
|
||||||
postconf -e 'home_mailbox = Mail/Inbox/'
|
postconf -e 'home_mailbox = mail/inbox/'
|
||||||
|
|
||||||
# Prevent "Received From:" header in sent emails in order to prevent leakage of public ip addresses
|
# Prevent "Received From:" header in sent emails in order to prevent leakage of public ip addresses
|
||||||
postconf -e "header_checks = regexp:/etc/postfix/header_checks"
|
postconf -e "header_checks = regexp:/etc/postfix/header_checks"
|
||||||
@ -137,6 +150,8 @@ mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.backup.conf
|
|||||||
|
|
||||||
echo "Creating Dovecot config..."
|
echo "Creating Dovecot config..."
|
||||||
|
|
||||||
|
[ -f "/etc/dovecot/dh.pem" ] || openssl dhparam -out /etc/dovecot/dh.pem 4096
|
||||||
|
|
||||||
echo "# Dovecot config
|
echo "# Dovecot config
|
||||||
# Note that in the dovecot conf, you can use:
|
# Note that in the dovecot conf, you can use:
|
||||||
# %u for username
|
# %u for username
|
||||||
@ -150,7 +165,7 @@ ssl_key = <$certdir/privkey.pem
|
|||||||
ssl_min_protocol = TLSv1.2
|
ssl_min_protocol = TLSv1.2
|
||||||
ssl_cipher_list = "'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED'"
|
ssl_cipher_list = "'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED'"
|
||||||
ssl_prefer_server_ciphers = yes
|
ssl_prefer_server_ciphers = yes
|
||||||
ssl_dh = </usr/share/dovecot/dh.pem
|
ssl_dh = </etc/dovecot/dh.pem
|
||||||
auth_mechanisms = plain login
|
auth_mechanisms = plain login
|
||||||
auth_username_format = %n
|
auth_username_format = %n
|
||||||
|
|
||||||
@ -165,28 +180,28 @@ passdb {
|
|||||||
driver = pam
|
driver = pam
|
||||||
}
|
}
|
||||||
|
|
||||||
# Our mail for each user will be in ~/Mail, and the inbox will be ~/Mail/Inbox
|
# Our mail for each user will be in ~/mail, and the inbox will be ~/mail/inbox
|
||||||
# The LAYOUT option is also important because otherwise, the boxes will be \`.Sent\` instead of \`Sent\`.
|
# The LAYOUT option is also important because otherwise, the boxes will be \`.Sent\` instead of \`Sent\`.
|
||||||
mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
|
mail_location = maildir:~/mail:INBOX=~/mail/inbox:LAYOUT=fs
|
||||||
namespace inbox {
|
namespace inbox {
|
||||||
inbox = yes
|
inbox = yes
|
||||||
mailbox Drafts {
|
mailbox drafts {
|
||||||
special_use = \\Drafts
|
special_use = \\Drafts
|
||||||
auto = subscribe
|
auto = subscribe
|
||||||
}
|
}
|
||||||
mailbox Junk {
|
mailbox junk {
|
||||||
special_use = \\Junk
|
special_use = \\Junk
|
||||||
auto = subscribe
|
auto = subscribe
|
||||||
autoexpunge = 30d
|
autoexpunge = 60d
|
||||||
}
|
}
|
||||||
mailbox Sent {
|
mailbox sent {
|
||||||
special_use = \\Sent
|
special_use = \\Sent
|
||||||
auto = subscribe
|
auto = subscribe
|
||||||
}
|
}
|
||||||
mailbox Trash {
|
mailbox trash {
|
||||||
special_use = \\Trash
|
special_use = \\Trash
|
||||||
}
|
}
|
||||||
mailbox Archive {
|
mailbox archive {
|
||||||
special_use = \\Archive
|
special_use = \\Archive
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -227,7 +242,7 @@ mkdir /var/lib/dovecot/sieve/
|
|||||||
echo "require [\"fileinto\", \"mailbox\"];
|
echo "require [\"fileinto\", \"mailbox\"];
|
||||||
if header :contains \"X-Spam-Flag\" \"YES\"
|
if header :contains \"X-Spam-Flag\" \"YES\"
|
||||||
{
|
{
|
||||||
fileinto \"Junk\";
|
fileinto \"junk\";
|
||||||
}" > /var/lib/dovecot/sieve/default.sieve
|
}" > /var/lib/dovecot/sieve/default.sieve
|
||||||
|
|
||||||
grep -q '^vmail:' /etc/passwd || useradd vmail
|
grep -q '^vmail:' /etc/passwd || useradd vmail
|
||||||
@ -269,15 +284,15 @@ grep -q '127.0.0.1' /etc/postfix/dkim/trustedhosts 2>/dev/null ||
|
|||||||
10.1.0.0/16' >> /etc/postfix/dkim/trustedhosts
|
10.1.0.0/16' >> /etc/postfix/dkim/trustedhosts
|
||||||
|
|
||||||
# ...and source it from opendkim.conf
|
# ...and source it from opendkim.conf
|
||||||
grep -q '^KeyTable' /etc/opendkim.conf 2>/dev/null || echo 'KeyTable file:/etc/postfix/dkim/keytable
|
grep -q '^KeyTable' /etc/opendkim/opendkim.conf 2>/dev/null || echo 'KeyTable file:/etc/postfix/dkim/keytable
|
||||||
SigningTable refile:/etc/postfix/dkim/signingtable
|
SigningTable refile:/etc/postfix/dkim/signingtable
|
||||||
InternalHosts refile:/etc/postfix/dkim/trustedhosts' >> /etc/opendkim.conf
|
InternalHosts refile:/etc/postfix/dkim/trustedhosts' >> /etc/opendkim/opendkim.conf
|
||||||
|
|
||||||
sed -i '/^#Canonicalization/s/simple/relaxed\/simple/' /etc/opendkim.conf
|
sed -i '/^#Canonicalization/s/simple/relaxed\/simple/' /etc/opendkim/opendkim.conf
|
||||||
sed -i '/^#Canonicalization/s/^#//' /etc/opendkim.conf
|
sed -i '/^#Canonicalization/s/^#//' /etc/opendkim/opendkim.conf
|
||||||
|
|
||||||
sed -i '/Socket/s/^#*/#/' /etc/opendkim.conf
|
sed -i '/Socket/s/^#*/#/' /etc/opendkim/opendkim.conf
|
||||||
grep -q '^Socket\s*inet:12301@localhost' /etc/opendkim.conf || echo 'Socket inet:12301@localhost' >> /etc/opendkim.conf
|
grep -q '^Socket\s*inet:12301@localhost' /etc/opendkim/opendkim.conf || echo 'Socket inet:12301@localhost' >> /etc/opendkim/opendkim.conf
|
||||||
|
|
||||||
# OpenDKIM daemon settings, removing previously activated socket.
|
# OpenDKIM daemon settings, removing previously activated socket.
|
||||||
sed -i '/^SOCKET/d' /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim
|
sed -i '/^SOCKET/d' /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim
|
||||||
@ -294,8 +309,8 @@ postconf -e 'non_smtpd_milters = inet:localhost:12301'
|
|||||||
postconf -e 'mailbox_command = /usr/lib/dovecot/deliver'
|
postconf -e 'mailbox_command = /usr/lib/dovecot/deliver'
|
||||||
|
|
||||||
# A fix for "Opendkim won't start: can't open PID file?", as specified here: https://serverfault.com/a/847442
|
# A fix for "Opendkim won't start: can't open PID file?", as specified here: https://serverfault.com/a/847442
|
||||||
/lib/opendkim/opendkim.service.generate
|
# /lib/opendkim/opendkim.service.generate
|
||||||
systemctl daemon-reload
|
# systemctl daemon-reload
|
||||||
|
|
||||||
# Enable fail2ban security for dovecot and postfix.
|
# Enable fail2ban security for dovecot and postfix.
|
||||||
[ ! -f /etc/fail2ban/jail.d/emailwiz.local ] && echo "[postfix]
|
[ ! -f /etc/fail2ban/jail.d/emailwiz.local ] && echo "[postfix]
|
||||||
@ -308,11 +323,11 @@ enabled = true
|
|||||||
enabled = true" > /etc/fail2ban/jail.d/emailwiz.local
|
enabled = true" > /etc/fail2ban/jail.d/emailwiz.local
|
||||||
|
|
||||||
# Enable SpamAssassin update cronjob.
|
# Enable SpamAssassin update cronjob.
|
||||||
sed -i "s|^CRON=0|CRON=1|" /etc/default/spamassassin
|
sed -i "s|^CRON=0|CRON=1|" /etc/spamassassin
|
||||||
|
|
||||||
for x in spamassassin opendkim dovecot postfix fail2ban; do
|
for x in spamassassin opendkim dovecot postfix fail2ban; do
|
||||||
printf "Restarting %s..." "$x"
|
printf "Restarting %s..." "$x"
|
||||||
service "$x" restart && printf " ...done\\n"
|
systemctl restart "$x" && printf " ...done\\n"
|
||||||
systemctl enable "$x"
|
systemctl enable "$x"
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -335,7 +350,7 @@ chmod 755 /etc/cron.weekly/dmarc-clean
|
|||||||
|
|
||||||
grep -q '^deploy-hook = echo "$RENEWED_DOMAINS" | grep -q' /etc/letsencrypt/cli.ini ||
|
grep -q '^deploy-hook = echo "$RENEWED_DOMAINS" | grep -q' /etc/letsencrypt/cli.ini ||
|
||||||
echo "
|
echo "
|
||||||
deploy-hook = echo \"\$RENEWED_DOMAINS\" | grep -q '$maildomain' && service postfix reload && service dovecot reload" >> /etc/letsencrypt/cli.ini
|
deploy-hook = echo \"\$RENEWED_DOMAINS\" | grep -q '$maildomain' && systemctl reload postfix && systemctl reload dovecot" >> /etc/letsencrypt/cli.ini
|
||||||
|
|
||||||
echo "NOTE: Elements in the entries might appear in a different order in your registrar's DNS settings.
|
echo "NOTE: Elements in the entries might appear in a different order in your registrar's DNS settings.
|
||||||
$dkimentry
|
$dkimentry
|
||||||
|
Loading…
Reference in New Issue
Block a user