2016-01-20 16:41:34 +01:00
#!/bin/bash
2015-03-28 15:59:15 +01:00
2015-08-26 10:04:07 +02:00
die ( ) {
echo >& 2 " $@ "
exit 1
}
2015-08-18 13:13:08 +02:00
2015-08-26 10:04:07 +02:00
if [ -f /tmp/postfix/accounts.cf ] ; then
echo "Regenerating postfix 'vmailbox' and 'virtual' for given users"
echo "# WARNING: this file is auto-generated. Modify accounts.cf in postfix directory on host" > /etc/postfix/vmailbox
2015-08-18 13:13:08 +02:00
2015-08-26 10:04:07 +02:00
# Checking that /tmp/postfix/accounts.cf ends with a newline
sed -i -e '$a\' /tmp/postfix/accounts.cf
# Creating users
while IFS = $'|' read login pass
do
# Setting variables for better readability
user = $( echo ${ login } | cut -d @ -f1)
domain = $( echo ${ login } | cut -d @ -f2)
# Let's go!
echo " user ' ${ user } ' for domain ' ${ domain } ' with password '********' "
echo " ${ login } ${ domain } / ${ user } / " >> /etc/postfix/vmailbox
/usr/sbin/userdb ${ login } set uid = 5000 gid = 5000 home = /var/mail/${ domain } /${ user } mail = /var/mail/${ domain } /${ user }
echo " ${ pass } " | userdbpw -md5 | userdb ${ login } set systempw
echo " ${ pass } " | saslpasswd2 -p -c -u ${ domain } ${ login }
mkdir -p /var/mail/${ domain }
2016-01-16 00:54:51 +01:00
if [ ! -d " /var/mail/ ${ domain } / ${ user } " ] ; then
2015-12-08 01:59:45 +01:00
maildirmake " /var/mail/ ${ domain } / ${ user } "
2016-02-11 14:00:59 +01:00
maildirmake " /var/mail/ ${ domain } / ${ user } /.Sent "
maildirmake " /var/mail/ ${ domain } / ${ user } /.Trash "
maildirmake " /var/mail/ ${ domain } / ${ user } /.Drafts "
echo -e "INBOX\nINBOX.Sent\nINBOX.Trash\nInbox.Drafts" >> " /var/mail/ ${ domain } / ${ user } /courierimapsubscribed "
touch " /var/mail/ ${ domain } / ${ user } /.Sent/maildirfolder "
2015-12-08 01:59:45 +01:00
fi
2015-08-26 10:04:07 +02:00
echo ${ domain } >> /tmp/vhost.tmp
done < /tmp/postfix/accounts.cf
makeuserdb
else
echo "==> Warning: '/tmp/postfix/accounts.cf' is not provided. No mail account created."
fi
if [ -f /tmp/postfix/virtual ] ; then
# Copying virtual file
cp /tmp/postfix/virtual /etc/postfix/virtual
2015-10-14 16:50:57 +02:00
while IFS = $' ' read from to
do
# Setting variables for better readability
domain = $( echo ${ from } | cut -d @ -f2)
echo ${ domain } >> /tmp/vhost.tmp
done < /tmp/postfix/virtual
2015-08-26 10:04:07 +02:00
else
echo "==> Warning: '/tmp/postfix/virtual' is not provided. No mail alias created."
fi
2015-08-07 09:19:38 +02:00
2015-10-14 16:50:57 +02:00
if [ -f /tmp/vhost.tmp ] ; then
cat /tmp/vhost.tmp | sort | uniq > /etc/postfix/vhost && rm /tmp/vhost.tmp
fi
2015-03-31 17:28:13 +02:00
echo "Postfix configurations"
2015-08-26 10:04:07 +02:00
touch /etc/postfix/vmailbox && postmap /etc/postfix/vmailbox
touch /etc/postfix/virtual && postmap /etc/postfix/virtual
2015-03-28 15:59:15 +01:00
2016-01-23 18:38:21 +01:00
# DKIM
grep -vE '^(\s*$|#)' /etc/postfix/vhost | while read domainname; do
mkdir -p /etc/opendkim/keys/$domainname
if [ ! -f " /etc/opendkim/keys/ $domainname /mail.private " ] ; then
echo " Creating DKIM private key /etc/opendkim/keys/ $domainname /mail.private "
pushd /etc/opendkim/keys/$domainname
opendkim-genkey --subdomains --domain= $domainname --selector= mail
popd
echo ""
echo "DKIM PUBLIC KEY ################################################################"
cat /etc/opendkim/keys/$domainname /mail.txt
echo "################################################################################"
fi
# Write to KeyTable if necessary
keytableentry = " mail._domainkey. $domainname $domainname :mail:/etc/opendkim/keys/ $domainname /mail.private "
if [ ! -f "/etc/opendkim/KeyTable" ] ; then
echo "Creating DKIM KeyTable"
echo " mail._domainkey. $domainname $domainname :mail:/etc/opendkim/keys/ $domainname /mail.private " > /etc/opendkim/KeyTable
else
if ! grep -q " $keytableentry " "/etc/opendkim/KeyTable" ; then
echo $keytableentry >> /etc/opendkim/KeyTable
fi
fi
# Write to SigningTable if necessary
signingtableentry = " *@ $domainname mail._domainkey. $domainname "
if [ ! -f "/etc/opendkim/SigningTable" ] ; then
echo "Creating DKIM SigningTable"
echo " *@ $domainname mail._domainkey. $domainname " > /etc/opendkim/SigningTable
else
if ! grep -q " $signingtableentry " "/etc/opendkim/SigningTable" ; then
echo $signingtableentry >> /etc/opendkim/SigningTable
fi
fi
done
echo "Changing permissions on /etc/opendkim"
# chown entire directory
chown -R opendkim:opendkim /etc/opendkim/
# And make sure permissions are right
chmod -R 0700 /etc/opendkim/keys/
2016-01-26 18:26:50 +01:00
# DMARC
# if ther is no AuthservID create it
2016-01-26 19:03:12 +01:00
if [ ` cat /etc/opendmarc.conf | grep -w AuthservID | wc -l` -eq 0 ] ; then
2016-01-28 12:00:31 +01:00
echo " AuthservID $( hostname) " >> /etc/opendmarc.conf
2016-01-26 18:26:50 +01:00
fi
2016-01-26 19:03:12 +01:00
if [ ` cat /etc/opendmarc.conf | grep -w TrustedAuthservIDs | wc -l` -eq 0 ] ; then
2016-01-28 12:00:31 +01:00
echo " TrustedAuthservIDs $( hostname) " >> /etc/opendmarc.conf
2016-01-26 18:26:50 +01:00
fi
if [ ! -f "/etc/opendmarc/ignore.hosts" ] ; then
mkdir -p /etc/opendmarc/
echo "localhost" >> /etc/opendmarc/ignore.hosts
fi
2015-12-05 16:44:13 +01:00
# SSL Configuration
case $DMS_SSL in
"letsencrypt" )
# letsencrypt folders and files mounted in /etc/letsencrypt
# Postfix configuration
sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/letsencrypt\/live\/' $( hostname) '\/fullchain.pem/g' /etc/postfix/main.cf
sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/letsencrypt\/live\/' $( hostname) '\/privkey.pem/g' /etc/postfix/main.cf
# Courier configuration
2016-02-09 13:13:52 +01:00
cat " /etc/letsencrypt/live/ $( hostname) /cert.pem " " /etc/letsencrypt/live/ $( hostname) /chain.pem " " /etc/letsencrypt/live/ $( hostname) /privkey.pem " > " /etc/letsencrypt/live/ $( hostname) /combined.pem "
2015-12-05 16:44:13 +01:00
sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/letsencrypt\/live\/' $( hostname) '\/combined.pem/g' /etc/courier/imapd-ssl
2016-01-23 23:51:09 +01:00
# POP3 courier configuration
sed -i -r 's/POP3_TLS_REQUIRED=0/POP3_TLS_REQUIRED=1/g' /etc/courier/pop3d-ssl
2016-02-18 22:16:50 +01:00
sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/pop3d.pem/TLS_CERTFILE=\/etc\/letsencrypt\/live\/' $( hostname) '\/combined.pem/g' /etc/courier/pop3d-ssl
2016-01-23 23:51:09 +01:00
# needed to support gmail
2016-02-18 22:16:50 +01:00
sed -i -r 's/TLS_TRUSTCERTS=\/etc\/ssl\/certs/TLS_TRUSTCERTS=\/etc\/letsencrypt\/live\/' $( hostname) '\/fullchain.pem/g' /etc/courier/pop3d-ssl
2016-01-23 23:51:09 +01:00
2015-12-05 16:44:13 +01:00
echo "SSL configured with letsencrypt certificates"
; ;
2016-02-27 17:16:28 +01:00
"custom" )
# Adding CA signed SSL certificate if provided in 'postfix/ssl' folder
if [ -e " /tmp/postfix/ssl/ $( hostname) -full.pem " ] ; then
echo " Adding $( hostname) SSL certificate "
mkdir -p /etc/postfix/ssl
cp " /tmp/postfix/ssl/ $( hostname) -full.pem " /etc/postfix/ssl
# Postfix configuration
sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/postfix\/ssl\/' $( hostname) '-full.pem/g' /etc/postfix/main.cf
sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/postfix\/ssl\/' $( hostname) '-full.pem/g' /etc/postfix/main.cf
# Courier configuration
sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/' $( hostname) '-full.pem/g' /etc/courier/imapd-ssl
# POP3 courier configuration
sed -i -r 's/POP3_TLS_REQUIRED=0/POP3_TLS_REQUIRED=1/g' /etc/courier/pop3d-ssl
sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/pop3d.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/' $( hostname) '-full.pem/g' /etc/courier/pop3d-ssl
echo "SSL configured with CA signed/custom certificates"
fi
; ;
2015-12-05 16:44:13 +01:00
"self-signed" )
# Adding self-signed SSL certificate if provided in 'postfix/ssl' folder
2016-01-20 16:41:34 +01:00
if [ -e " /tmp/postfix/ssl/ $( hostname) -cert.pem " ] \
2015-12-05 16:44:13 +01:00
&& [ -e " /tmp/postfix/ssl/ $( hostname) -key.pem " ] \
&& [ -e " /tmp/postfix/ssl/ $( hostname) -combined.pem " ] \
&& [ -e "/tmp/postfix/ssl/demoCA/cacert.pem" ] ; then
echo " Adding $( hostname) SSL certificate "
mkdir -p /etc/postfix/ssl
2016-01-20 16:41:34 +01:00
cp " /tmp/postfix/ssl/ $( hostname) -cert.pem " /etc/postfix/ssl
cp " /tmp/postfix/ssl/ $( hostname) -key.pem " /etc/postfix/ssl
cp " /tmp/postfix/ssl/ $( hostname) -combined.pem " /etc/postfix/ssl
2015-12-05 16:44:13 +01:00
cp /tmp/postfix/ssl/demoCA/cacert.pem /etc/postfix/ssl
# Postfix configuration
sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/postfix\/ssl\/' $( hostname) '-cert.pem/g' /etc/postfix/main.cf
sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/postfix\/ssl\/' $( hostname) '-key.pem/g' /etc/postfix/main.cf
sed -i -r 's/#smtpd_tls_CAfile=/smtpd_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf
sed -i -r 's/#smtp_tls_CAfile=/smtp_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf
2016-01-20 16:41:34 +01:00
ln -s /etc/postfix/ssl/cacert.pem " /etc/ssl/certs/cacert- $( hostname) .pem "
2015-12-05 16:44:13 +01:00
# Courier configuration
sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/' $( hostname) '-combined.pem/g' /etc/courier/imapd-ssl
2016-01-20 16:41:34 +01:00
2016-01-23 23:51:09 +01:00
# POP3 courier configuration
sed -i -r 's/POP3_TLS_REQUIRED=0/POP3_TLS_REQUIRED=1/g' /etc/courier/pop3d-ssl
sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/pop3d.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/' $( hostname) '-combined.pem/g' /etc/courier/pop3d-ssl
2015-12-05 16:44:13 +01:00
2016-01-20 16:41:34 +01:00
echo "SSL configured with self-signed/custom certificates"
2015-12-05 16:44:13 +01:00
2016-01-26 12:56:26 +01:00
fi
2015-12-05 16:44:13 +01:00
; ;
esac
2015-08-18 13:13:08 +02:00
2016-02-20 03:16:54 +01:00
if [ -f /tmp/postfix/main.cf ] ; then
while read line; do
postconf -e " $line "
done < /tmp/postfix/main.cf
echo "Loaded '/tmp/postfix/main.cf'"
else
2016-03-18 20:10:05 +01:00
echo "'/tmp/postfix/main.cf' not provided. No extra postfix settings loaded."
2016-02-20 03:16:54 +01:00
fi
2016-02-20 03:17:14 +01:00
if [ ! -z " $SASL_PASSWD " ] ; then
echo " $SASL_PASSWD " > /etc/postfix/sasl_passwd
postmap hash:/etc/postfix/sasl_passwd
rm /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd.db
echo "Loaded SASL_PASSWORD"
else
echo "==> Warning: 'SASL_PASSWORD' is not provided. /etc/postfix/sasl_passwd not created."
fi
2015-03-28 15:59:15 +01:00
echo "Fixing permissions"
chown -R 5000:5000 /var/mail
2015-03-29 14:07:56 +02:00
mkdir -p /var/log/clamav && chown -R clamav:root /var/log/clamav
2016-01-12 01:02:47 +01:00
chown postfix.sasl /etc/sasldb2
2015-03-28 15:59:15 +01:00
echo "Creating /etc/mailname"
2015-08-17 22:16:08 +02:00
echo $( hostname -d) > /etc/mailname
2015-03-28 15:59:15 +01:00
2015-07-04 15:54:40 +02:00
echo "Configuring Spamassassin"
2016-02-18 22:11:24 +01:00
SA_TAG = ${ SA_TAG : = "2.0" } && sed -i -r 's/^\$sa_tag_level_deflt (.*);/\$sa_tag_level_deflt = ' $SA_TAG ';/g' /etc/amavis/conf.d/20-debian_defaults
SA_TAG2 = ${ SA_TAG2 : = "6.31" } && sed -i -r 's/^\$sa_tag2_level_deflt (.*);/\$sa_tag2_level_deflt = ' $SA_TAG2 ';/g' /etc/amavis/conf.d/20-debian_defaults
SA_KILL = ${ SA_KILL : = "6.31" } && sed -i -r 's/^\$sa_kill_level_deflt (.*);/\$sa_kill_level_deflt = ' $SA_KILL ';/g' /etc/amavis/conf.d/20-debian_defaults
2015-07-16 19:35:11 +02:00
cp /tmp/spamassassin/rules.cf /etc/spamassassin/
2015-07-04 15:54:40 +02:00
2016-02-12 00:19:21 +01:00
echo "Configuring fail2ban"
# enable filters
perl -i -0pe 's/(\[postfix\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
perl -i -0pe 's/(\[couriersmtp\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
perl -i -0pe 's/(\[courierauth\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
perl -i -0pe 's/(\[sasl\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
# increase ban time and find time to 3h
sed -i "/^bantime *=/c\bantime = 10800" /etc/fail2ban/jail.conf
sed -i "/^findtime *=/c\findtime = 10800" /etc/fail2ban/jail.conf
# avoid warning on startup
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
2015-03-28 15:59:15 +01:00
echo "Starting daemons"
2015-08-19 15:52:50 +02:00
cron
2015-03-29 14:07:56 +02:00
/etc/init.d/rsyslog start
2015-03-28 15:59:15 +01:00
/etc/init.d/saslauthd start
2016-02-29 23:52:10 +01:00
if [ " $SMTP_ONLY " != 1 ] ; then
2015-03-28 15:59:15 +01:00
/etc/init.d/courier-authdaemon start
/etc/init.d/courier-imap start
2015-03-31 19:31:18 +02:00
/etc/init.d/courier-imap-ssl start
2016-01-23 23:51:09 +01:00
2016-02-29 23:52:10 +01:00
fi
if [ " $ENABLE_POP3 " = 1 -a " $SMTP_ONLY " != 1 ] ; then
2016-01-23 23:51:09 +01:00
echo "Starting POP3 services"
/etc/init.d/courier-pop start
/etc/init.d/courier-pop-ssl start
fi
2015-03-28 15:59:15 +01:00
/etc/init.d/spamassassin start
/etc/init.d/clamav-daemon start
/etc/init.d/amavis start
2016-01-20 16:41:34 +01:00
/etc/init.d/opendkim start
2016-01-26 18:26:50 +01:00
/etc/init.d/opendmarc start
2015-03-28 15:59:15 +01:00
/etc/init.d/postfix start
2016-02-12 00:19:21 +01:00
/etc/init.d/fail2ban start
2015-03-28 15:59:15 +01:00
echo "Listing SASL users"
sasldblistusers2
2015-03-29 14:07:56 +02:00
echo "Starting..."
2015-03-31 16:36:53 +02:00
tail -f /var/log/mail.log
