2016-01-20 15:41:34 +00:00
#!/bin/bash
2015-03-28 14:59:15 +00:00
2015-08-26 08:04:07 +00:00
die ( ) {
echo >& 2 " $@ "
exit 1
}
2015-08-18 11:13:08 +00:00
2015-08-26 08:04:07 +00:00
if [ -f /tmp/postfix/accounts.cf ] ; then
echo "Regenerating postfix 'vmailbox' and 'virtual' for given users"
echo "# WARNING: this file is auto-generated. Modify accounts.cf in postfix directory on host" > /etc/postfix/vmailbox
2015-08-18 11:13:08 +00:00
2015-08-26 08:04:07 +00:00
# Checking that /tmp/postfix/accounts.cf ends with a newline
sed -i -e '$a\' /tmp/postfix/accounts.cf
# Creating users
while IFS = $'|' read login pass
do
# Setting variables for better readability
user = $( echo ${ login } | cut -d @ -f1)
domain = $( echo ${ login } | cut -d @ -f2)
# Let's go!
echo " user ' ${ user } ' for domain ' ${ domain } ' with password '********' "
echo " ${ login } ${ domain } / ${ user } / " >> /etc/postfix/vmailbox
/usr/sbin/userdb ${ login } set uid = 5000 gid = 5000 home = /var/mail/${ domain } /${ user } mail = /var/mail/${ domain } /${ user }
echo " ${ pass } " | userdbpw -md5 | userdb ${ login } set systempw
echo " ${ pass } " | saslpasswd2 -p -c -u ${ domain } ${ login }
mkdir -p /var/mail/${ domain }
2016-01-15 23:54:51 +00:00
if [ ! -d " /var/mail/ ${ domain } / ${ user } " ] ; then
2015-12-08 00:59:45 +00:00
maildirmake " /var/mail/ ${ domain } / ${ user } "
2016-02-11 13:00:59 +00:00
maildirmake " /var/mail/ ${ domain } / ${ user } /.Sent "
maildirmake " /var/mail/ ${ domain } / ${ user } /.Trash "
maildirmake " /var/mail/ ${ domain } / ${ user } /.Drafts "
echo -e "INBOX\nINBOX.Sent\nINBOX.Trash\nInbox.Drafts" >> " /var/mail/ ${ domain } / ${ user } /courierimapsubscribed "
touch " /var/mail/ ${ domain } / ${ user } /.Sent/maildirfolder "
2015-12-08 00:59:45 +00:00
fi
2015-08-26 08:04:07 +00:00
echo ${ domain } >> /tmp/vhost.tmp
done < /tmp/postfix/accounts.cf
makeuserdb
else
echo "==> Warning: '/tmp/postfix/accounts.cf' is not provided. No mail account created."
fi
if [ -f /tmp/postfix/virtual ] ; then
# Copying virtual file
cp /tmp/postfix/virtual /etc/postfix/virtual
2015-10-14 14:50:57 +00:00
while IFS = $' ' read from to
do
# Setting variables for better readability
domain = $( echo ${ from } | cut -d @ -f2)
echo ${ domain } >> /tmp/vhost.tmp
done < /tmp/postfix/virtual
2015-08-26 08:04:07 +00:00
else
echo "==> Warning: '/tmp/postfix/virtual' is not provided. No mail alias created."
fi
2015-08-07 07:19:38 +00:00
2015-10-14 14:50:57 +00:00
if [ -f /tmp/vhost.tmp ] ; then
cat /tmp/vhost.tmp | sort | uniq > /etc/postfix/vhost && rm /tmp/vhost.tmp
fi
2015-03-31 15:28:13 +00:00
echo "Postfix configurations"
2015-08-26 08:04:07 +00:00
touch /etc/postfix/vmailbox && postmap /etc/postfix/vmailbox
touch /etc/postfix/virtual && postmap /etc/postfix/virtual
2015-03-28 14:59:15 +00:00
2016-01-23 17:38:21 +00:00
# DKIM
grep -vE '^(\s*$|#)' /etc/postfix/vhost | while read domainname; do
mkdir -p /etc/opendkim/keys/$domainname
if [ ! -f " /etc/opendkim/keys/ $domainname /mail.private " ] ; then
echo " Creating DKIM private key /etc/opendkim/keys/ $domainname /mail.private "
pushd /etc/opendkim/keys/$domainname
opendkim-genkey --subdomains --domain= $domainname --selector= mail
popd
echo ""
echo "DKIM PUBLIC KEY ################################################################"
cat /etc/opendkim/keys/$domainname /mail.txt
echo "################################################################################"
fi
# Write to KeyTable if necessary
keytableentry = " mail._domainkey. $domainname $domainname :mail:/etc/opendkim/keys/ $domainname /mail.private "
if [ ! -f "/etc/opendkim/KeyTable" ] ; then
echo "Creating DKIM KeyTable"
echo " mail._domainkey. $domainname $domainname :mail:/etc/opendkim/keys/ $domainname /mail.private " > /etc/opendkim/KeyTable
else
if ! grep -q " $keytableentry " "/etc/opendkim/KeyTable" ; then
echo $keytableentry >> /etc/opendkim/KeyTable
fi
fi
# Write to SigningTable if necessary
signingtableentry = " *@ $domainname mail._domainkey. $domainname "
if [ ! -f "/etc/opendkim/SigningTable" ] ; then
echo "Creating DKIM SigningTable"
echo " *@ $domainname mail._domainkey. $domainname " > /etc/opendkim/SigningTable
else
if ! grep -q " $signingtableentry " "/etc/opendkim/SigningTable" ; then
echo $signingtableentry >> /etc/opendkim/SigningTable
fi
fi
done
echo "Changing permissions on /etc/opendkim"
# chown entire directory
chown -R opendkim:opendkim /etc/opendkim/
# And make sure permissions are right
chmod -R 0700 /etc/opendkim/keys/
2016-01-26 17:26:50 +00:00
# DMARC
# if ther is no AuthservID create it
2016-01-26 18:03:12 +00:00
if [ ` cat /etc/opendmarc.conf | grep -w AuthservID | wc -l` -eq 0 ] ; then
2016-01-28 11:00:31 +00:00
echo " AuthservID $( hostname) " >> /etc/opendmarc.conf
2016-01-26 17:26:50 +00:00
fi
2016-01-26 18:03:12 +00:00
if [ ` cat /etc/opendmarc.conf | grep -w TrustedAuthservIDs | wc -l` -eq 0 ] ; then
2016-01-28 11:00:31 +00:00
echo " TrustedAuthservIDs $( hostname) " >> /etc/opendmarc.conf
2016-01-26 17:26:50 +00:00
fi
if [ ! -f "/etc/opendmarc/ignore.hosts" ] ; then
mkdir -p /etc/opendmarc/
echo "localhost" >> /etc/opendmarc/ignore.hosts
fi
2015-12-05 15:44:13 +00:00
# SSL Configuration
case $DMS_SSL in
"letsencrypt" )
# letsencrypt folders and files mounted in /etc/letsencrypt
# Postfix configuration
sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/letsencrypt\/live\/' $( hostname) '\/fullchain.pem/g' /etc/postfix/main.cf
sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/letsencrypt\/live\/' $( hostname) '\/privkey.pem/g' /etc/postfix/main.cf
# Courier configuration
2016-02-09 12:13:52 +00:00
cat " /etc/letsencrypt/live/ $( hostname) /cert.pem " " /etc/letsencrypt/live/ $( hostname) /chain.pem " " /etc/letsencrypt/live/ $( hostname) /privkey.pem " > " /etc/letsencrypt/live/ $( hostname) /combined.pem "
2015-12-05 15:44:13 +00:00
sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/letsencrypt\/live\/' $( hostname) '\/combined.pem/g' /etc/courier/imapd-ssl
2016-01-23 22:51:09 +00:00
# POP3 courier configuration
sed -i -r 's/POP3_TLS_REQUIRED=0/POP3_TLS_REQUIRED=1/g' /etc/courier/pop3d-ssl
2016-02-18 21:16:50 +00:00
sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/pop3d.pem/TLS_CERTFILE=\/etc\/letsencrypt\/live\/' $( hostname) '\/combined.pem/g' /etc/courier/pop3d-ssl
2016-01-23 22:51:09 +00:00
# needed to support gmail
2016-02-18 21:16:50 +00:00
sed -i -r 's/TLS_TRUSTCERTS=\/etc\/ssl\/certs/TLS_TRUSTCERTS=\/etc\/letsencrypt\/live\/' $( hostname) '\/fullchain.pem/g' /etc/courier/pop3d-ssl
2016-01-23 22:51:09 +00:00
2015-12-05 15:44:13 +00:00
echo "SSL configured with letsencrypt certificates"
; ;
"self-signed" )
# Adding self-signed SSL certificate if provided in 'postfix/ssl' folder
2016-01-20 15:41:34 +00:00
if [ -e " /tmp/postfix/ssl/ $( hostname) -cert.pem " ] \
2015-12-05 15:44:13 +00:00
&& [ -e " /tmp/postfix/ssl/ $( hostname) -key.pem " ] \
&& [ -e " /tmp/postfix/ssl/ $( hostname) -combined.pem " ] \
&& [ -e "/tmp/postfix/ssl/demoCA/cacert.pem" ] ; then
echo " Adding $( hostname) SSL certificate "
mkdir -p /etc/postfix/ssl
2016-01-20 15:41:34 +00:00
cp " /tmp/postfix/ssl/ $( hostname) -cert.pem " /etc/postfix/ssl
cp " /tmp/postfix/ssl/ $( hostname) -key.pem " /etc/postfix/ssl
cp " /tmp/postfix/ssl/ $( hostname) -combined.pem " /etc/postfix/ssl
2015-12-05 15:44:13 +00:00
cp /tmp/postfix/ssl/demoCA/cacert.pem /etc/postfix/ssl
# Postfix configuration
sed -i -r 's/smtpd_tls_cert_file=\/etc\/ssl\/certs\/ssl-cert-snakeoil.pem/smtpd_tls_cert_file=\/etc\/postfix\/ssl\/' $( hostname) '-cert.pem/g' /etc/postfix/main.cf
sed -i -r 's/smtpd_tls_key_file=\/etc\/ssl\/private\/ssl-cert-snakeoil.key/smtpd_tls_key_file=\/etc\/postfix\/ssl\/' $( hostname) '-key.pem/g' /etc/postfix/main.cf
sed -i -r 's/#smtpd_tls_CAfile=/smtpd_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf
sed -i -r 's/#smtp_tls_CAfile=/smtp_tls_CAfile=\/etc\/postfix\/ssl\/cacert.pem/g' /etc/postfix/main.cf
2016-01-20 15:41:34 +00:00
ln -s /etc/postfix/ssl/cacert.pem " /etc/ssl/certs/cacert- $( hostname) .pem "
2015-12-05 15:44:13 +00:00
# Courier configuration
sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/imapd.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/' $( hostname) '-combined.pem/g' /etc/courier/imapd-ssl
2016-01-20 15:41:34 +00:00
2016-01-23 22:51:09 +00:00
# POP3 courier configuration
sed -i -r 's/POP3_TLS_REQUIRED=0/POP3_TLS_REQUIRED=1/g' /etc/courier/pop3d-ssl
sed -i -r 's/TLS_CERTFILE=\/etc\/courier\/pop3d.pem/TLS_CERTFILE=\/etc\/postfix\/ssl\/' $( hostname) '-combined.pem/g' /etc/courier/pop3d-ssl
2015-12-05 15:44:13 +00:00
2016-01-20 15:41:34 +00:00
echo "SSL configured with self-signed/custom certificates"
2015-12-05 15:44:13 +00:00
2016-01-26 11:56:26 +00:00
fi
2015-12-05 15:44:13 +00:00
; ;
esac
2015-08-18 11:13:08 +00:00
2015-03-28 14:59:15 +00:00
echo "Fixing permissions"
chown -R 5000:5000 /var/mail
2015-03-29 12:07:56 +00:00
mkdir -p /var/log/clamav && chown -R clamav:root /var/log/clamav
2016-01-12 00:02:47 +00:00
chown postfix.sasl /etc/sasldb2
2015-03-28 14:59:15 +00:00
echo "Creating /etc/mailname"
2015-08-17 20:16:08 +00:00
echo $( hostname -d) > /etc/mailname
2015-03-28 14:59:15 +00:00
2015-07-04 13:54:40 +00:00
echo "Configuring Spamassassin"
echo "required_hits 5.0" >> /etc/mail/spamassassin/local.cf
echo "report_safe 0" >> /etc/mail/spamassassin/local.cf
echo "required_score 5" >> /etc/mail/spamassassin/local.cf
echo "rewrite_header Subject ***SPAM***" >> /etc/mail/spamassassin/local.cf
2015-07-16 17:35:11 +00:00
cp /tmp/spamassassin/rules.cf /etc/spamassassin/
2015-07-04 13:54:40 +00:00
2016-02-11 23:19:21 +00:00
echo "Configuring fail2ban"
# enable filters
perl -i -0pe 's/(\[postfix\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
perl -i -0pe 's/(\[couriersmtp\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
perl -i -0pe 's/(\[courierauth\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
perl -i -0pe 's/(\[sasl\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
# increase ban time and find time to 3h
sed -i "/^bantime *=/c\bantime = 10800" /etc/fail2ban/jail.conf
sed -i "/^findtime *=/c\findtime = 10800" /etc/fail2ban/jail.conf
# avoid warning on startup
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
2015-03-28 14:59:15 +00:00
echo "Starting daemons"
2015-08-19 13:52:50 +00:00
cron
2015-03-29 12:07:56 +00:00
/etc/init.d/rsyslog start
2015-03-28 14:59:15 +00:00
/etc/init.d/saslauthd start
/etc/init.d/courier-authdaemon start
/etc/init.d/courier-imap start
2015-03-31 17:31:18 +00:00
/etc/init.d/courier-imap-ssl start
2016-01-23 22:51:09 +00:00
if [ " $ENABLE_POP3 " = 1 ] ; then
echo "Starting POP3 services"
/etc/init.d/courier-pop start
/etc/init.d/courier-pop-ssl start
fi
2015-03-28 14:59:15 +00:00
/etc/init.d/spamassassin start
/etc/init.d/clamav-daemon start
/etc/init.d/amavis start
2016-01-20 15:41:34 +00:00
/etc/init.d/opendkim start
2016-01-26 17:26:50 +00:00
/etc/init.d/opendmarc start
2015-03-28 14:59:15 +00:00
/etc/init.d/postfix start
2016-02-11 23:19:21 +00:00
/etc/init.d/fail2ban start
2015-03-28 14:59:15 +00:00
echo "Listing SASL users"
sasldblistusers2
2015-03-29 12:07:56 +00:00
echo "Starting..."
2015-03-31 14:36:53 +00:00
tail -f /var/log/mail.log