6 Commits
master ... arch

juvilius
24b3e2f5b9
dh.pem in /etc/dovecot/ 2023-04-07 17:59:31 +02:00
juvilius
98d45df08e
Generate dh.pem for dovecot 2023-04-07 17:29:45 +02:00
juvilius
7044cbcc5f
SpamAssassin also needs a directory created 2023-04-07 17:22:54 +02:00
juvilius
39d9b9adb2
special_use wants capital letters; file location changes 2023-04-07 17:11:58 +02:00
juvilius
3358b0123a
2nd try: mkdir of config directories 2023-04-07 17:03:06 +02:00
juvilius
aa0f635a2e
Change obvious stuff (1st read)
before trying it out
2023-04-07 16:46:28 +02:00


@ -17,9 +17,22 @@
umask 0022 umask 0022
apt-get install -y postfix postfix-pcre dovecot-imapd dovecot-sieve opendkim opendkim-tools spamassassin spamc net-tools fail2ban #A apt-get install -y postfix postfix-pcre dovecot-imapd dovecot-sieve opendkim opendkim-tools spamassassin spamc net-tools fail2ban
domain="$(cat /etc/mailname)" pacman -Syu postfix postfix-pcre dovecot pigeonhole opendkim spamassassin net-tools fail2ban cronie
subdom=${MAIL_SUBDOM:-mail}
mkdir -p /etc/dovecot
cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot/dovecot.conf
cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot
mkdir -p /var/lib/dovecot/sieve
mkdir -p /etc/mail/spamassassin/sa-update-keys
chown spamd:spamd /etc/mail/spamassassin/sa-update-keys
chmod 700 /etc/mail/spamassassin/sa-update-keys
#A domain="$(cat /etc/mailname)"
domain="0124816.xyz"
subdom="mail"
maildomain="$subdom.$domain" maildomain="$subdom.$domain"
certdir="/etc/letsencrypt/live/$maildomain" certdir="/etc/letsencrypt/live/$maildomain"
@ -36,15 +49,15 @@ done
certdir="/etc/letsencrypt/live/$maildomain" && certdir="/etc/letsencrypt/live/$maildomain" &&
case "$(netstat -tulpn | grep ":80\s")" in case "$(netstat -tulpn | grep ":80\s")" in
*nginx*) *nginx*)
apt install -y python3-certbot-nginx pacman -S certbot-nginx
certbot -d "$maildomain" certonly --nginx --register-unsafely-without-email --agree-tos certbot -d "$maildomain" certonly --nginx --register-unsafely-without-email --agree-tos
;; ;;
*apache*) *apache*)
apt install -y python3-certbot-apache pacman -S certbot-apache
certbot -d "$maildomain" certonly --apache --register-unsafely-without-email --agree-tos certbot -d "$maildomain" certonly --apache --register-unsafely-without-email --agree-tos
;; ;;
*) *)
apt install -y python3-certbot pacman -S certbot
certbot -d "$maildomain" certonly --standalone --register-unsafely-without-email --agree-tos certbot -d "$maildomain" certonly --standalone --register-unsafely-without-email --agree-tos
;; ;;
esac esac
@ -95,7 +108,7 @@ postconf -e 'smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authentica
# command, is necessary as it distinguishes a maildir (which is the actual # command, is necessary as it distinguishes a maildir (which is the actual
# directories that what we want) from a spoolfile (which is what old unix # directories that what we want) from a spoolfile (which is what old unix
# boomers want and no one else). # boomers want and no one else).
postconf -e 'home_mailbox = Mail/Inbox/' postconf -e 'home_mailbox = mail/inbox/'
# Prevent "Received From:" header in sent emails in order to prevent leakage of public ip addresses # Prevent "Received From:" header in sent emails in order to prevent leakage of public ip addresses
postconf -e "header_checks = regexp:/etc/postfix/header_checks" postconf -e "header_checks = regexp:/etc/postfix/header_checks"
@ -137,6 +150,8 @@ mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.backup.conf
echo "Creating Dovecot config..." echo "Creating Dovecot config..."
[ -f "/etc/dovecot/dh.pem" ] || openssl dhparam -out /etc/dovecot/dh.pem 4096
echo "# Dovecot config echo "# Dovecot config
# Note that in the dovecot conf, you can use: # Note that in the dovecot conf, you can use:
# %u for username # %u for username
@ -150,7 +165,7 @@ ssl_key = <$certdir/privkey.pem
ssl_min_protocol = TLSv1.2 ssl_min_protocol = TLSv1.2
ssl_cipher_list = "'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED'" ssl_cipher_list = "'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED'"
ssl_prefer_server_ciphers = yes ssl_prefer_server_ciphers = yes
ssl_dh = </usr/share/dovecot/dh.pem ssl_dh = </etc/dovecot/dh.pem
auth_mechanisms = plain login auth_mechanisms = plain login
auth_username_format = %n auth_username_format = %n
@ -165,28 +180,28 @@ passdb {
driver = pam driver = pam
} }
# Our mail for each user will be in ~/Mail, and the inbox will be ~/Mail/Inbox # Our mail for each user will be in ~/mail, and the inbox will be ~/mail/inbox
# The LAYOUT option is also important because otherwise, the boxes will be \`.Sent\` instead of \`Sent\`. # The LAYOUT option is also important because otherwise, the boxes will be \`.Sent\` instead of \`Sent\`.
mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs mail_location = maildir:~/mail:INBOX=~/mail/inbox:LAYOUT=fs
namespace inbox { namespace inbox {
inbox = yes inbox = yes
mailbox Drafts { mailbox drafts {
special_use = \\Drafts special_use = \\Drafts
auto = subscribe auto = subscribe
} }
mailbox Junk { mailbox junk {
special_use = \\Junk special_use = \\Junk
auto = subscribe auto = subscribe
autoexpunge = 30d autoexpunge = 60d
} }
mailbox Sent { mailbox sent {
special_use = \\Sent special_use = \\Sent
auto = subscribe auto = subscribe
} }
mailbox Trash { mailbox trash {
special_use = \\Trash special_use = \\Trash
} }
mailbox Archive { mailbox archive {
special_use = \\Archive special_use = \\Archive
} }
} }
@ -227,7 +242,7 @@ mkdir /var/lib/dovecot/sieve/
echo "require [\"fileinto\", \"mailbox\"]; echo "require [\"fileinto\", \"mailbox\"];
if header :contains \"X-Spam-Flag\" \"YES\" if header :contains \"X-Spam-Flag\" \"YES\"
{ {
fileinto \"Junk\"; fileinto \"junk\";
}" > /var/lib/dovecot/sieve/default.sieve }" > /var/lib/dovecot/sieve/default.sieve
grep -q '^vmail:' /etc/passwd || useradd vmail grep -q '^vmail:' /etc/passwd || useradd vmail
@ -269,15 +284,15 @@ grep -q '127.0.0.1' /etc/postfix/dkim/trustedhosts 2>/dev/null ||
10.1.0.0/16' >> /etc/postfix/dkim/trustedhosts 10.1.0.0/16' >> /etc/postfix/dkim/trustedhosts
# ...and source it from opendkim.conf # ...and source it from opendkim.conf
grep -q '^KeyTable' /etc/opendkim.conf 2>/dev/null || echo 'KeyTable file:/etc/postfix/dkim/keytable grep -q '^KeyTable' /etc/opendkim/opendkim.conf 2>/dev/null || echo 'KeyTable file:/etc/postfix/dkim/keytable
SigningTable refile:/etc/postfix/dkim/signingtable SigningTable refile:/etc/postfix/dkim/signingtable
InternalHosts refile:/etc/postfix/dkim/trustedhosts' >> /etc/opendkim.conf InternalHosts refile:/etc/postfix/dkim/trustedhosts' >> /etc/opendkim/opendkim.conf
sed -i '/^#Canonicalization/s/simple/relaxed\/simple/' /etc/opendkim.conf sed -i '/^#Canonicalization/s/simple/relaxed\/simple/' /etc/opendkim/opendkim.conf
sed -i '/^#Canonicalization/s/^#//' /etc/opendkim.conf sed -i '/^#Canonicalization/s/^#//' /etc/opendkim/opendkim.conf
sed -i '/Socket/s/^#*/#/' /etc/opendkim.conf sed -i '/Socket/s/^#*/#/' /etc/opendkim/opendkim.conf
grep -q '^Socket\s*inet:12301@localhost' /etc/opendkim.conf || echo 'Socket inet:12301@localhost' >> /etc/opendkim.conf grep -q '^Socket\s*inet:12301@localhost' /etc/opendkim/opendkim.conf || echo 'Socket inet:12301@localhost' >> /etc/opendkim/opendkim.conf
# OpenDKIM daemon settings, removing previously activated socket. # OpenDKIM daemon settings, removing previously activated socket.
sed -i '/^SOCKET/d' /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim sed -i '/^SOCKET/d' /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim
@ -294,8 +309,8 @@ postconf -e 'non_smtpd_milters = inet:localhost:12301'
postconf -e 'mailbox_command = /usr/lib/dovecot/deliver' postconf -e 'mailbox_command = /usr/lib/dovecot/deliver'
# A fix for "Opendkim won't start: can't open PID file?", as specified here: https://serverfault.com/a/847442 # A fix for "Opendkim won't start: can't open PID file?", as specified here: https://serverfault.com/a/847442
/lib/opendkim/opendkim.service.generate # /lib/opendkim/opendkim.service.generate
systemctl daemon-reload # systemctl daemon-reload
# Enable fail2ban security for dovecot and postfix. # Enable fail2ban security for dovecot and postfix.
[ ! -f /etc/fail2ban/jail.d/emailwiz.local ] && echo "[postfix] [ ! -f /etc/fail2ban/jail.d/emailwiz.local ] && echo "[postfix]
@ -308,11 +323,11 @@ enabled = true
enabled = true" > /etc/fail2ban/jail.d/emailwiz.local enabled = true" > /etc/fail2ban/jail.d/emailwiz.local
# Enable SpamAssassin update cronjob. # Enable SpamAssassin update cronjob.
sed -i "s|^CRON=0|CRON=1|" /etc/default/spamassassin sed -i "s|^CRON=0|CRON=1|" /etc/spamassassin
for x in spamassassin opendkim dovecot postfix fail2ban; do for x in spamassassin opendkim dovecot postfix fail2ban; do
printf "Restarting %s..." "$x" printf "Restarting %s..." "$x"
service "$x" restart && printf " ...done\\n" systemctl restart "$x" && printf " ...done\\n"
systemctl enable "$x" systemctl enable "$x"
done done
@ -335,7 +350,7 @@ chmod 755 /etc/cron.weekly/dmarc-clean
grep -q '^deploy-hook = echo "$RENEWED_DOMAINS" | grep -q' /etc/letsencrypt/cli.ini || grep -q '^deploy-hook = echo "$RENEWED_DOMAINS" | grep -q' /etc/letsencrypt/cli.ini ||
echo " echo "
deploy-hook = echo \"\$RENEWED_DOMAINS\" | grep -q '$maildomain' && service postfix reload && service dovecot reload" >> /etc/letsencrypt/cli.ini deploy-hook = echo \"\$RENEWED_DOMAINS\" | grep -q '$maildomain' && systemctl reload postfix && systemctl reload dovecot" >> /etc/letsencrypt/cli.ini
echo "NOTE: Elements in the entries might appear in a different order in your registrar's DNS settings. echo "NOTE: Elements in the entries might appear in a different order in your registrar's DNS settings.
$dkimentry $dkimentry
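Review bot: The SpamAssassin rule-update job is never enabled on the new side: in the hunk at `@ -308,11 +323,11 @@`, `sed -i "s|^CRON=0|CRON=1|" /etc/spamassassin` now targets what on Arch is the directory holding local.cf rather than a defaults file, so the sed fails (the script does not run under `set -e`, so the failure is silent) and sa-update is left disabled, which lets the spam-scoring rules go stale on a host whose Sieve rule files mail into junk based on `X-Spam-Flag`. As far as I recall the Arch spamassassin package ships a `spamassassin-update.timer`; `systemctl enable --now spamassassin-update.timer || printf 'warning: could not enable sa-update timer\n' >&2` is the equivalent of Debian's CRON=1 and is worth verifying on the target box. The fail2ban jail file written just above (`/etc/fail2ban/jail.d/emailwiz.local`) is carried over unchanged and its body is outside the hunk, but if it still relies on the default `/var/log/mail.log` log paths the postfix and dovecot jails are unlikely to start on a journald-only Arch host, so confirm that each stanza carries `backend = systemd` before trusting the "Enable fail2ban security" comment.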