#!/bin/bash
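# Print the arguments (space-joined) to stderr and abort start-up with status 1.
# printf instead of echo: a message that happens to start with "-n"/"-e" would
# otherwise be swallowed as an echo option.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}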
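# Build Postfix's virtual mailbox map (vmailbox), alias map (virtual) and the
# list of hosted domains (vhost) from the files the host mounts under
# /tmp/postfix. accounts.cf holds "login|password" lines; the password only
# ever reaches userdbpw/saslpasswd2 through stdin, never as an argument.
# The domain list is collected in a mktemp file rather than a fixed /tmp name.
vhost_tmp=$(mktemp) || die "Could not create a temporary file for the vhost list"

# True when $1 cannot be used as one path component of /var/mail/<domain>/<user>
# (empty, '.', '..', contains '/' or whitespace) — such a login would create
# directories outside the mail store.
unsafe_path_component() {
  case "$1" in
    ''|.|..|*/*|*[[:space:]]*) return 0 ;;
    *) return 1 ;;
  esac
}

if [[ -f /tmp/postfix/accounts.cf ]]; then
  echo "Regenerating postfix 'vmailbox' and 'virtual' for given users"
  echo "# WARNING: this file is auto-generated. Modify accounts.cf in postfix directory on host" > /etc/postfix/vmailbox

  # "|| [[ -n $login ]]" still processes a final line that lacks a trailing
  # newline, so the host's accounts.cf no longer has to be rewritten with sed.
  # -r keeps backslashes in passwords intact.
  while IFS='|' read -r login pass || [[ -n "$login" ]]; do
    # blank lines and '#' comments are not accounts
    [[ -z "$login" || "$login" == \#* ]] && continue
    if [[ "$login" != *@* ]]; then
      echo "==> Warning: skipping '${login}': expected user@domain" >&2
      continue
    fi
    user=${login%%@*}
    domain=${login#*@}
    # both parts become directory names below /var/mail
    if unsafe_path_component "$user" || unsafe_path_component "$domain"; then
      echo "==> Warning: skipping '${login}': user or domain cannot be used as a mailbox path" >&2
      continue
    fi
    maildir="/var/mail/${domain}/${user}"
    echo "user '${user}' for domain '${domain}' with password '********'"
    echo "${login} ${domain}/${user}/" >> /etc/postfix/vmailbox
    /usr/sbin/userdb "${login}" set uid=5000 gid=5000 home="${maildir}" mail="${maildir}"
    # printf, not echo: a password such as "-n" or "-e" must not be eaten as an option.
    # NOTE(review): -md5 stores an MD5-crypt hash in the Courier userdb; kept as-is
    # for compatibility, but prefer a stronger scheme if the installed userdbpw offers one.
    printf '%s\n' "${pass}" | userdbpw -md5 | userdb "${login}" set systempw
    printf '%s\n' "${pass}" | saslpasswd2 -p -c -u "${domain}" "${login}"
    mkdir -p "/var/mail/${domain}"
    if [[ ! -d "${maildir}" ]]; then
      maildirmake "${maildir}"
      maildirmake "${maildir}/.Sent"
      maildirmake "${maildir}/.Trash"
      maildirmake "${maildir}/.Drafts"
      # was "Inbox.Drafts"; the other subscriptions (and the folders made above) use the INBOX. prefix
      printf '%s\n' INBOX INBOX.Sent INBOX.Trash INBOX.Drafts >> "${maildir}/courierimapsubscribed"
      touch "${maildir}/.Sent/maildirfolder"
    fi
    echo "${domain}" >> "${vhost_tmp}"
  done < /tmp/postfix/accounts.cf
  makeuserdb
else
  echo "==> Warning: '/tmp/postfix/accounts.cf' is not provided. No mail account created."
fi

if [[ -f /tmp/postfix/virtual ]]; then
  # Copying virtual file
  cp /tmp/postfix/virtual /etc/postfix/virtual
  # the domain of each alias' left-hand side is also a hosted domain
  while read -r from _ || [[ -n "$from" ]]; do
    [[ -z "$from" || "$from" == \#* ]] && continue
    echo "${from#*@}" >> "${vhost_tmp}"
  done < /tmp/postfix/virtual
else
  echo "==> Warning: '/tmp/postfix/virtual' is not provided. No mail alias created."
fi

# one line per distinct domain; /etc/postfix/vhost is left alone when nothing was collected
if [[ -s "${vhost_tmp}" ]]; then
  sort -u "${vhost_tmp}" > /etc/postfix/vhost
fi
rm -f "${vhost_tmp}"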
echo "Postfix configurations"
# (Re)compile both lookup tables. touch first so postmap always has a file to
# work on, even when no accounts or aliases were provided above.
for table in vmailbox virtual; do
  touch "/etc/postfix/${table}" && postmap "/etc/postfix/${table}"
done
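# DKIM: one signing key per hosted domain, registered in opendkim's KeyTable
# and SigningTable. Domains come from /etc/postfix/vhost (blank and '#' lines
# are skipped), i.e. from the accounts/virtual files written above.
if [[ -f /etc/postfix/vhost ]]; then
  while read -r domainname; do
    # the domain becomes a directory name under /etc/opendkim/keys; refuse
    # anything that could step outside it
    case "$domainname" in
      ''|.|..|*/*|*[[:space:]]*)
        echo "==> Warning: skipping DKIM setup for unusable domain '${domainname}'" >&2
        continue
        ;;
    esac
    keydir="/etc/opendkim/keys/${domainname}"
    mkdir -p "${keydir}"
    if [[ ! -f "${keydir}/mail.private" ]]; then
      echo "Creating DKIM private key ${keydir}/mail.private"
      # --directory replaces the pushd/popd dance: mail.private/mail.txt land in keydir
      opendkim-genkey --subdomains --domain="${domainname}" --selector=mail --directory="${keydir}"
      echo ""
      echo "DKIM PUBLIC KEY ################################################################"
      cat "${keydir}/mail.txt"
      echo "################################################################################"
    fi
    # Append each table entry only once. grep -F: the entries contain '.' and
    # '*', which a regex match would misread. The echo is quoted: unquoted, the
    # leading '*@' of the SigningTable entry is a glob and could expand against
    # files in the current directory.
    keytableentry="mail._domainkey.${domainname} ${domainname}:mail:${keydir}/mail.private"
    if [[ ! -f /etc/opendkim/KeyTable ]]; then
      echo "Creating DKIM KeyTable"
      : > /etc/opendkim/KeyTable
    fi
    grep -qF -- "${keytableentry}" /etc/opendkim/KeyTable || echo "${keytableentry}" >> /etc/opendkim/KeyTable
    signingtableentry="*@${domainname} mail._domainkey.${domainname}"
    if [[ ! -f /etc/opendkim/SigningTable ]]; then
      echo "Creating DKIM SigningTable"
      : > /etc/opendkim/SigningTable
    fi
    grep -qF -- "${signingtableentry}" /etc/opendkim/SigningTable || echo "${signingtableentry}" >> /etc/opendkim/SigningTable
  done < <(grep -vE '^(\s*$|#)' /etc/postfix/vhost)
fi
echo "Changing permissions on /etc/opendkim"
# chown entire directory
chown -R opendkim:opendkim /etc/opendkim/
# And make sure the private keys are readable by opendkim only
chmod -R 0700 /etc/opendkim/keys/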
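# DMARC: opendmarc must know which Authentication-Results identifier is ours.
# Only an uncommented "AuthservID"/"TrustedAuthservIDs" line counts as present;
# the previous `grep -w | wc -l` test also matched a commented-out line, which
# the packaged opendmarc.conf may well contain, and then never added ours.
for key in AuthservID TrustedAuthservIDs; do
  if ! grep -qE "^[[:space:]]*${key}"'([[:space:]]|$)' /etc/opendmarc.conf; then
    echo "${key} $(hostname)" >> /etc/opendmarc.conf
  fi
done
# hosts whose mail is never subjected to DMARC checks
if [[ ! -f /etc/opendmarc/ignore.hosts ]]; then
  mkdir -p /etc/opendmarc/
  echo "localhost" >> /etc/opendmarc/ignore.hosts
fi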
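# TLS material for Postfix and Courier, selected by DMS_SSL
# (letsencrypt | custom | self-signed | empty = package defaults).
# Every file that contains a private key is forced to mode 0600 — cat/cp create
# it with the default umask, which would leave the key world-readable — the same
# root-only mode used for sasl_passwd.db further down.
# Postfix settings are written with postconf -e instead of editing main.cf with
# sed: that works whatever the current value is and never leaves the tail of a
# commented-out line glued onto the new one.
fqdn=$(hostname)

# Point a Courier *-ssl config at a certificate file.
#   $1 = courier config file, $2 = PEM path
# The whole TLS_CERTFILE= line is replaced, whatever the packaged default was.
set_courier_certfile() {
  sed -i "s|^TLS_CERTFILE=.*|TLS_CERTFILE=$2|" "$1"
}

case "$DMS_SSL" in
  letsencrypt)
    # letsencrypt folders and files mounted in /etc/letsencrypt
    le_dir="/etc/letsencrypt/live/${fqdn}"
    # add eol to all files before concatenation (-i processes each file separately)
    sed -i -e '$a\' "${le_dir}/cert.pem" "${le_dir}/chain.pem" "${le_dir}/privkey.pem"
    # Postfix configuration
    postconf -e "smtpd_tls_cert_file=${le_dir}/fullchain.pem"
    postconf -e "smtpd_tls_key_file=${le_dir}/privkey.pem"
    # Courier wants cert, chain and key in one file; it holds the private key, so 0600
    ( umask 077; cat "${le_dir}/cert.pem" "${le_dir}/chain.pem" "${le_dir}/privkey.pem" > "${le_dir}/combined.pem" )
    chmod 0600 "${le_dir}/combined.pem"
    set_courier_certfile /etc/courier/imapd-ssl "${le_dir}/combined.pem"
    # POP3 courier configuration
    sed -i -r 's/POP3_TLS_REQUIRED=0/POP3_TLS_REQUIRED=1/g' /etc/courier/pop3d-ssl
    set_courier_certfile /etc/courier/pop3d-ssl "${le_dir}/combined.pem"
    # needed to support gmail
    sed -i "s|^TLS_TRUSTCERTS=.*|TLS_TRUSTCERTS=${le_dir}/fullchain.pem|" /etc/courier/pop3d-ssl
    echo "SSL configured with letsencrypt certificates"
    ;;

  custom)
    # CA signed certificate bundle provided in the 'postfix/ssl' folder; it is
    # used as both cert and key file, so it carries the private key.
    full_src="/tmp/postfix/ssl/${fqdn}-full.pem"
    full_dst="/etc/postfix/ssl/${fqdn}-full.pem"
    if [[ -e "${full_src}" ]]; then
      echo "Adding ${fqdn} SSL certificate"
      mkdir -p /etc/postfix/ssl
      install -m 0600 "${full_src}" "${full_dst}"
      # Postfix configuration
      postconf -e "smtpd_tls_cert_file=${full_dst}"
      postconf -e "smtpd_tls_key_file=${full_dst}"
      # Courier configuration
      set_courier_certfile /etc/courier/imapd-ssl "${full_dst}"
      # POP3 courier configuration
      sed -i -r 's/POP3_TLS_REQUIRED=0/POP3_TLS_REQUIRED=1/g' /etc/courier/pop3d-ssl
      set_courier_certfile /etc/courier/pop3d-ssl "${full_dst}"
      echo "SSL configured with CA signed/custom certificates"
    else
      echo "==> Warning: DMS_SSL=custom but '${full_src}' is missing. TLS left at the package defaults." >&2
    fi
    ;;

  self-signed)
    # Self-signed certificate, key, combined file and CA cert from the 'postfix/ssl' folder
    ssl_src=/tmp/postfix/ssl
    if [[ -e "${ssl_src}/${fqdn}-cert.pem" && -e "${ssl_src}/${fqdn}-key.pem" \
          && -e "${ssl_src}/${fqdn}-combined.pem" && -e "${ssl_src}/demoCA/cacert.pem" ]]; then
      echo "Adding ${fqdn} SSL certificate"
      mkdir -p /etc/postfix/ssl
      cp "${ssl_src}/${fqdn}-cert.pem" /etc/postfix/ssl
      # key and combined file contain the private key: root-only
      install -m 0600 "${ssl_src}/${fqdn}-key.pem" "/etc/postfix/ssl/${fqdn}-key.pem"
      install -m 0600 "${ssl_src}/${fqdn}-combined.pem" "/etc/postfix/ssl/${fqdn}-combined.pem"
      cp "${ssl_src}/demoCA/cacert.pem" /etc/postfix/ssl
      # Postfix configuration
      postconf -e "smtpd_tls_cert_file=/etc/postfix/ssl/${fqdn}-cert.pem"
      postconf -e "smtpd_tls_key_file=/etc/postfix/ssl/${fqdn}-key.pem"
      postconf -e "smtpd_tls_CAfile=/etc/postfix/ssl/cacert.pem"
      postconf -e "smtp_tls_CAfile=/etc/postfix/ssl/cacert.pem"
      # -f: a restarted container already has the link
      ln -sf /etc/postfix/ssl/cacert.pem "/etc/ssl/certs/cacert-${fqdn}.pem"
      # Courier configuration
      set_courier_certfile /etc/courier/imapd-ssl "/etc/postfix/ssl/${fqdn}-combined.pem"
      # POP3 courier configuration
      sed -i -r 's/POP3_TLS_REQUIRED=0/POP3_TLS_REQUIRED=1/g' /etc/courier/pop3d-ssl
      set_courier_certfile /etc/courier/pop3d-ssl "/etc/postfix/ssl/${fqdn}-combined.pem"
      echo "SSL configured with self-signed/custom certificates"
    else
      echo "==> Warning: DMS_SSL=self-signed but cert/key/combined/demoCA files for '${fqdn}' are missing in ${ssl_src}. TLS left at the package defaults." >&2
    fi
    ;;

  "")
    # TLS not requested: keep the package defaults
    ;;

  *)
    echo "==> Warning: unknown DMS_SSL value '${DMS_SSL}'. TLS left at the package defaults." >&2
    ;;
esac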
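# Extra Postfix settings supplied by the host, one "name = value" per line.
# -r keeps backslashes (regexp-valued settings) intact; blank and '#' lines are
# skipped because they are not name=value pairs postconf could apply; a final
# line without a trailing newline is still processed.
if [[ -f /tmp/postfix/main.cf ]]; then
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ -z "${line// }" || "$line" == \#* ]] && continue
    postconf -e "$line"
  done < /tmp/postfix/main.cf
  echo "Loaded '/tmp/postfix/main.cf'"
else
  echo "'/tmp/postfix/main.cf' not provided. No extra postfix settings loaded."
fi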
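# Relay credentials for Postfix's SMTP client, taken from $SASL_PASSWD.
# The plaintext map is written and compiled under umask 077 so that neither it
# nor the resulting .db is world-readable at any point (the old code created
# both with the default umask and only tightened the .db afterwards); the
# plaintext copy is removed once postmap has compiled it.
# NOTE(review): the secret still lives in the container's environment
# (visible via the process environment); that is outside this script's reach.
if [[ -n "$SASL_PASSWD" ]]; then
  (
    umask 077
    printf '%s\n' "$SASL_PASSWD" > /etc/postfix/sasl_passwd
    postmap hash:/etc/postfix/sasl_passwd
  )
  rm -f /etc/postfix/sasl_passwd
  chown root:root /etc/postfix/sasl_passwd.db
  chmod 0600 /etc/postfix/sasl_passwd.db
  echo "Loaded SASL_PASSWD"
else
  # the variable actually consulted is SASL_PASSWD (the old message named SASL_PASSWORD)
  echo "==> Warning: 'SASL_PASSWD' is not provided. /etc/postfix/sasl_passwd not created."
fi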
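echo "Fixing permissions"
# uid/gid 5000 is what the userdb entries above were created with
chown -R 5000:5000 /var/mail
# "user:group" — the "user.group" spelling is the deprecated chown form
chown postfix:sasl /etc/sasldb2
echo "Creating /etc/mailname"
echo "$(hostname -d)" > /etc/mailname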
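echo "Configuring Spamassassin"
# The amavis/SpamAssassin thresholds come from the environment and are spliced
# into a sed script that edits a Perl config file, so only a plain decimal
# number is accepted; anything else leaves the packaged default in place.

# True when $1 is an optionally negative decimal number (e.g. 2, -1, 6.31).
is_number() {
  [[ "$1" =~ ^-?[0-9]+(\.[0-9]+)?$ ]]
}

# Set "$<name> = <value>;" in the Debian amavis defaults.
#   $1 = amavis variable name (without the leading $), $2 = value
set_sa_level() {
  local name=$1 value=$2
  if ! is_number "$value"; then
    echo "==> Warning: ignoring non-numeric value '${value}' for \$${name}; keeping the packaged default" >&2
    return 1
  fi
  sed -i -r "s/^\\\$${name} (.*);/\\\$${name} = ${value};/g" /etc/amavis/conf.d/20-debian_defaults
}

set_sa_level sa_tag_level_deflt "${SA_TAG:=2.0}"
set_sa_level sa_tag2_level_deflt "${SA_TAG2:=6.31}"
set_sa_level sa_kill_level_deflt "${SA_KILL:=6.31}"
# optional extra SpamAssassin rules from the host
test -e /tmp/spamassassin/rules.cf && cp /tmp/spamassassin/rules.cf /etc/spamassassin/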
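echo "Configuring fail2ban"

# Print $1 (a fail2ban jail.conf) on stdout with the [postfix], [couriersmtp],
# [courierauth] and [sasl] jails enabled and their logpath set to the unified
# mail log. "unit" is 1 while inside one of those sections and is reset on the
# next section header (checked after printing, so the header itself is kept).
enable_mail_jails() {
  awk '
    BEGIN { unit = 0 }
    {
      if ($1 == "[postfix]" || $1 == "[couriersmtp]" || $1 == "[courierauth]" || $1 == "[sasl]") { unit = 1; }
      if ($1 == "enabled" && unit == 1) $3 = "true";
      else if ($1 == "logpath" && unit == 1) $3 = "/var/log/mail/mail.log";
      print;
      if (unit == 1 && $1 ~ /\[/ && $1 !~ /postfix|couriersmtp|courierauth|sasl/) unit = 0;
    }' "$1"
}

# enable filters: rewrite into a mktemp file (not a fixed /tmp name) and swap it
# in; the mode is copied from the original since mktemp creates files 0600
jail_new=$(mktemp) || die "Could not create a temporary file for jail.conf"
if enable_mail_jails /etc/fail2ban/jail.conf > "${jail_new}" \
   && chmod --reference=/etc/fail2ban/jail.conf "${jail_new}"; then
  mv "${jail_new}" /etc/fail2ban/jail.conf
else
  rm -f "${jail_new}"
fi

# increase ban time and find time to 3h
sed -i "/^bantime *=/c\bantime = 10800" /etc/fail2ban/jail.conf
sed -i "/^findtime *=/c\findtime = 10800" /etc/fail2ban/jail.conf
# avoid warning on startup; append only once so a restarted container does not
# accumulate duplicate lines
grep -q '^ignoreregex *=' /etc/fail2ban/filter.d/postfix-sasl.conf \
  || echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
# continue to write the log information in the newly created file after rotating the old log file
sed -i -r "/^#?compress/c\compress\ncopytruncate" /etc/logrotate.conf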
# Setup logging: everything mail-related (rsyslog, clamd, freshclam) goes under
# /var/log/mail, which is also what fail2ban and the final tail -f read.
# The rsyslog substitution is not idempotent (a second run would nest the path).
log_dir=/var/log/mail
mkdir -p "${log_dir}" && chown syslog:root "${log_dir}"
for logfile in clamav.log freshclam.log; do
  touch "${log_dir}/${logfile}" && chown clamav:root "${log_dir}/${logfile}"
done
sed -i -r 's|/var/log/mail|/var/log/mail/mail|g' /etc/rsyslog.d/50-default.conf
sed -i -r 's|LogFile /var/log/clamav/|LogFile /var/log/mail/|g' /etc/clamav/clamd.conf
sed -i -r 's|UpdateLogFile /var/log/clamav/|UpdateLogFile /var/log/mail/|g' /etc/clamav/freshclam.conf
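echo "Starting daemons"
cron
/etc/init.d/rsyslog start
/etc/init.d/saslauthd start
# IMAP (and optionally POP3) only when not running as a pure SMTP relay
if [[ "$SMTP_ONLY" != 1 ]]; then
  /etc/init.d/courier-authdaemon start
  /etc/init.d/courier-imap start
  /etc/init.d/courier-imap-ssl start
  if [[ "$ENABLE_POP3" = 1 ]]; then
    echo "Starting POP3 services"
    /etc/init.d/courier-pop start
    /etc/init.d/courier-pop-ssl start
  fi
fi
/etc/init.d/spamassassin start
/etc/init.d/clamav-daemon start
/etc/init.d/amavis start
/etc/init.d/opendkim start
/etc/init.d/opendmarc start
/etc/init.d/postfix start
if [[ "$ENABLE_FAIL2BAN" = 1 ]]; then
  echo "Starting fail2ban service"
  /etc/init.d/fail2ban start
fi
echo "Listing SASL users"
sasldblistusers2
echo "Starting..."
# This is the container's foreground process. -F (follow by name, retry) keeps
# it alive if rsyslog has not created mail.log yet or the file is replaced,
# where plain -f would exit and take the container down with it.
tail -F /var/log/mail/mail.log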