Dovecot Systax Problem

2025-10-19 11:34:37 +02:00 · 2025-10-19 11:34:37 +02:00 · a126204bb3
parent 80fb2d9d9f
commit a126204bb3
4 changed files with 22 additions and 332 deletions
--- a/scripts/20-ssl.sh
+++ b/scripts/20-ssl.sh
@ -39,4 +39,22 @@ fi
 install -d -m 0755 "$UI_SSL_DIR" "$WEBMAIL_SSL_DIR" "$MAIL_SSL_DIR"
 ln -sf "$CERT" "$UI_CERT";     ln -sf "$KEY" "$UI_KEY"
 ln -sf "$CERT" "$WEBMAIL_CERT";ln -sf "$KEY" "$WEBMAIL_KEY"
-ln -sf "$CERT" "$MAIL_CERT";   ln -sf "$KEY" "$MAIL_KEY"
+ln -sf "$CERT" "$MAIL_CERT";   ln -sf "$KEY" "$MAIL_KEY"
+
+# --- Mail-Zertifikate: Rechte für Postfix & Dovecot -------------------------
+# WICHTIG: Rechte am *Target* (KEY/CERT im $CERT_DIR) setzen, nicht an den Symlinks.
+if [[ -f "$KEY" && -f "$CERT" ]]; then
+  echo "[+] Setze Berechtigungen für Mail-Zertifikate …"
+  # Key: nur root + Gruppe lesen. Gruppe → postfix
+  chgrp postfix "$KEY" || true
+  chmod 640     "$KEY" || true
+  # Dovecot zusätzlich Leserechte via ACL
+  setfacl -m u:dovecot:r "$KEY" || true
+  # Zertifikat darf weltweit lesbar sein
+  chmod 644     "$CERT" || true
+else
+  echo "[!] Zertifikatsdateien fehlen: $KEY oder $CERT" >&2
+fi
+
+# Optional: kurze Info, wohin verlinkt wurde
+echo "[i] Mail TLS: $MAIL_CERT -> $CERT ; $MAIL_KEY -> $KEY"
--- a/scripts/40-postfix.sh
+++ b/scripts/40-postfix.sh
@ -27,11 +27,12 @@ fi
 /usr/sbin/postconf -e "smtpd_tls_cert_file = ${MAIL_CERT}"
 /usr/sbin/postconf -e "smtpd_tls_key_file  = ${MAIL_KEY}"
 /usr/sbin/postconf -e "smtpd_tls_security_level = may"
-/usr/sbin/postconf -e "smtp_tls_security_level  = may"
+/usr/sbin/postconf -e "smtpd_use_tls = yes"
 /usr/sbin/postconf -e "smtpd_tls_received_header = yes"
 /usr/sbin/postconf -e "smtpd_tls_protocols = !SSLv2,!SSLv3"
 /usr/sbin/postconf -e "smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3"
 /usr/sbin/postconf -e "smtpd_tls_loglevel = 1"
+/usr/sbin/postconf -e "smtp_tls_security_level  = may"
 /usr/sbin/postconf -e "smtp_tls_loglevel = 1"

 # --- SMTP Sicherheit ----------------------------------------------------------
@ -106,102 +107,3 @@ chmod 640 /etc/postfix/sql/mysql-virtual-alias-maps.cf

 # --- Dienst aktivieren & neu laden --------------------------------------------
 systemctl enable postfix >/dev/null 2>&1 || true
-
-#systemctl reload postfix || systemctl restart postfix
-##!/usr/bin/env bash
-#set -euo pipefail
-#source ./lib.sh
-#
-#MAIL_SSL_DIR="/etc/ssl/mail"
-#MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem"
-#MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"
-#
-#log "Postfix konfigurieren …"
-#
-## --- Sicherheit & TLS-Rechte ---------------------------------------------------
-#if [[ -e "${MAIL_KEY}" ]]; then
-#  chgrp -R postfix /etc/mailwolt/ssl || true
-#  chmod 750 /etc/mailwolt/ssl || true
-#  chmod 640 /etc/mailwolt/ssl/key.pem /etc/mailwolt/ssl/cert.pem || true
-#fi
-#
-## --- Basiskonfiguration --------------------------------------------------------
-#/usr/sbin/postconf -e "myhostname = ${MAIL_HOSTNAME}"
-#/usr/sbin/postconf -e "myorigin = \$myhostname"
-#/usr/sbin/postconf -e "mydestination = "
-#/usr/sbin/postconf -e "inet_interfaces = all"
-#/usr/sbin/postconf -e "inet_protocols = ipv4"
-#/usr/sbin/postconf -e "smtpd_banner = \$myhostname ESMTP"
-#
-## --- TLS ----------------------------------------------------------------------
-#/usr/sbin/postconf -e "smtpd_tls_cert_file = ${MAIL_CERT}"
-#/usr/sbin/postconf -e "smtpd_tls_key_file  = ${MAIL_KEY}"
-#/usr/sbin/postconf -e "smtpd_tls_security_level = may"
-#/usr/sbin/postconf -e "smtp_tls_security_level  = may"
-#/usr/sbin/postconf -e "smtpd_tls_received_header = yes"
-#/usr/sbin/postconf -e "smtpd_tls_protocols = !SSLv2,!SSLv3"
-#/usr/sbin/postconf -e "smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3"
-#/usr/sbin/postconf -e "smtpd_tls_loglevel = 1"
-#/usr/sbin/postconf -e "smtp_tls_loglevel = 1"
-#
-## --- SMTP Sicherheit ----------------------------------------------------------
-#/usr/sbin/postconf -e "disable_vrfy_command = yes"
-#/usr/sbin/postconf -e "smtpd_helo_required = yes"
-#
-## --- Milter -------------------------------------------------------------------
-#/usr/sbin/postconf -e "milter_default_action = accept"
-#/usr/sbin/postconf -e "milter_protocol = 6"
-#/usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
-#/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
-#
-## --- SASL Auth via Dovecot ----------------------------------------------------
-#/usr/sbin/postconf -e "smtpd_sasl_type = dovecot"
-#/usr/sbin/postconf -e "smtpd_sasl_path = private/auth"
-#/usr/sbin/postconf -e "smtpd_sasl_auth_enable = yes"
-#/usr/sbin/postconf -e "smtpd_sasl_security_options = noanonymous"
-#
-## --- Recipient & Relay Restriction --------------------------------------------
-#/usr/sbin/postconf -e "smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"
-#/usr/sbin/postconf -e "smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination"
-#
-## --- Listener / Master.cf Definition ------------------------------------------
-#/usr/sbin/postconf -M "smtp/inet=smtp inet n - n - - smtpd -o smtpd_peername_lookup=no -o smtpd_timeout=30s"
-#/usr/sbin/postconf -M "submission/inet=submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_peername_lookup=no -o smtpd_tls_security_level=encrypt -o smtpd_tls_auth_only=yes -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject"
-#/usr/sbin/postconf -M "smtps/inet=smtps inet n - n - - smtpd -o syslog_name=postfix/smtps -o smtpd_peername_lookup=no -o smtpd_tls_wrappermode=yes -o smtpd_tls_auth_only=yes -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject"
-#
-## postscreen ggf. deaktivieren (verhindert Port-Konflikte)
-#sed -i 's/^[[:space:]]*smtp[[:space:]]\+inet[[:space:]]\+.*postscreen/# &/' /etc/postfix/master.cf || true
-#
-## --- SQL Maps -----------------------------------------------------------------
-#install -d -o root -g postfix -m 750 /etc/postfix/sql
-#
-#cat > /etc/postfix/sql/mysql-virtual-mailbox-maps.cf <<CONF
-#hosts = 127.0.0.1
-#user = ${DB_USER}
-#password = ${DB_PASS}
-#dbname = ${DB_NAME}
-#query = SELECT 1
-#        FROM mail_users u
-#        JOIN domains d ON d.id = u.domain_id
-#        WHERE u.email = '%s' AND u.is_active = 1 AND d.is_active = 1
-#        LIMIT 1;
-#CONF
-#chown root:postfix /etc/postfix/sql/mysql-virtual-mailbox-maps.cf
-#chmod 640 /etc/postfix/sql/mysql-virtual-mailbox-maps.cf
-#
-#cat > /etc/postfix/sql/mysql-virtual-alias-maps.cf <<CONF
-#hosts = 127.0.0.1
-#user = ${DB_USER}
-#password = ${DB_PASS}
-#dbname = ${DB_NAME}
-#query = SELECT destination
-#        FROM mail_aliases a
-#        JOIN domains d ON d.id = a.domain_id
-#        WHERE a.source = '%s' AND a.is_active = 1 AND d.is_active = 1
-#        LIMIT 1;
-#CONF
-#chown root:postfix /etc/postfix/sql/mysql-virtual-alias-maps.cf
-#chmod 640 /etc/postfix/sql/mysql-virtual-alias-maps.cf
-#
-## --- Aktivieren, Start erfolgt später durch 90-services.sh --------------------
-#systemctl enable postfix >/dev/null 2>&1 || true
--- a/scripts/50-dovecot.sh
+++ b/scripts/50-dovecot.sh
@ -97,15 +97,7 @@ cat > /etc/dovecot/dovecot-sql.conf.ext <<CONF
 driver = mysql
 connect = host=127.0.0.1 dbname=${DB_NAME} user=${DB_USER} password=${DB_PASS}
 default_pass_scheme = BLF-CRYPT
-password_query = SELECT u.email AS user, u.password_hash AS password
-                 FROM mail_users u
-                 JOIN domains d ON d.id = u.domain_id
-                 WHERE u.email = '%u'
-                   AND u.is_active = 1
-                   AND u.can_login = 1
-                   AND u.password_hash IS NOT NULL
-                   AND d.is_active = 1
-                 LIMIT 1;
+password_query = SELECT u.email AS user, u.password_hash AS password FROM mail_users u JOIN domains d ON d.id = u.domain_id WHERE u.email = '%u' AND u.is_active = 1 AND u.can_login = 1 AND u.password_hash IS NOT NULL AND d.is_active = 1 LIMIT 1;
 CONF
 chown root:dovecot /etc/dovecot/dovecot-sql.conf.ext
 chmod 640 /etc/dovecot/dovecot-sql.conf.ext
--- a/scripts/80-app.sh
+++ b/scripts/80-app.sh
@ -264,225 +264,3 @@ install -d -m 0775 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR/storage" "$APP_DIR/b

 relink_and_reload
 systemctl restart php*-fpm || true
-
-##!/usr/bin/env bash
-#set -euo pipefail
-#source ./lib.sh
-#
-#relink_and_reload() {
-#  if [[ -d /etc/letsencrypt/renewal-hooks/deploy ]]; then
-#    run-parts /etc/letsencrypt/renewal-hooks/deploy || true
-#  fi
-#  # Nur reloaden, wenn nginx läuft (während Erstinstallation evtl. noch nicht aktiv)
-#  if systemctl is-active --quiet nginx; then
-#    systemctl reload nginx || true
-#  fi
-#}
-#
-#log "App bereitstellen …"
-#mkdir -p "$(dirname "$APP_DIR")"
-#chown -R "$APP_USER":"$APP_GROUP" "$(dirname "$APP_DIR")"
-#
-## Repo holen oder Laravel anlegen – passe GIT_REPO/GIT_BRANCH bei Bedarf an
-#GIT_REPO="${GIT_REPO:-https://git.nexlab.at/boban/mailwolt.git}"
-#GIT_BRANCH="${GIT_BRANCH:-main}"
-#
-#if [[ "${GIT_REPO}" == "https://example.com/your-repo-placeholder.git" ]]; then
-#  [[ -d "$APP_DIR" && -n "$(ls -A "$APP_DIR" 2>/dev/null || true)" ]] || \
-#    sudo -u "$APP_USER" -H bash -lc "cd /var/www && composer create-project laravel/laravel ${APP_USER} --no-interaction"
-#else
-#  if [[ ! -d "${APP_DIR}/.git" ]]; then
-#    sudo -u "$APP_USER" -H bash -lc "git clone --depth=1 -b ${GIT_BRANCH} ${GIT_REPO} ${APP_DIR}"
-#  else
-#    sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && git fetch --depth=1 origin ${GIT_BRANCH} && git reset --hard origin/${GIT_BRANCH}"
-#  fi
-#  [[ -f "${APP_DIR}/composer.json" ]] && sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && composer install --no-interaction --prefer-dist"
-#fi
-#
-#ENV_FILE="${APP_DIR}/.env"
-#sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && cp -n .env.example .env || true"
-#grep -q '^APP_KEY=' "$ENV_FILE" || echo "APP_KEY=" >> "$ENV_FILE"
-#sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan key:generate --force || true"
-#
-## --- Hilfen -----------------------------------------------------------------
-## DNS-Check (A/AAAA zeigt auf SERVER_PUBLIC_IPV4) – kommt aus lib.sh
-## resolve_ok "$host" -> 0/1
-#
-## APP_HOST und APP_URL bestimmen
-#SERVER_PUBLIC_IPV4="${SERVER_PUBLIC_IPV4:-}"
-#if [[ -z "$SERVER_PUBLIC_IPV4" ]] && command -v curl >/dev/null 2>&1; then
-#  SERVER_PUBLIC_IPV4="$(curl -fsS --max-time 2 https://ifconfig.me 2>/dev/null || true)"
-#  [[ "$SERVER_PUBLIC_IPV4" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || SERVER_PUBLIC_IPV4=""
-#fi
-#[[ -n "$SERVER_PUBLIC_IPV4" ]] || SERVER_PUBLIC_IPV4="$(detect_ip)"
-#
-## 2) Domain bevorzugen, wenn UI_HOST gesetzt (z.B. hinter Nginx Proxy Manager)
-#UI_CERT="/etc/ssl/ui/fullchain.pem"
-#UI_KEY="/etc/ssl/ui/privkey.pem"
-#
-#if [[ -n "${UI_HOST:-}" ]]; then
-#  APP_HOST_VAL="$UI_HOST"
-#  APP_URL_VAL="https://${UI_HOST}"   # TLS terminiert am Proxy
-#else
-#  APP_HOST_VAL="$SERVER_PUBLIC_IPV4"
-#  SCHEME="http"
-#  [[ -s "$UI_CERT" && -s "$UI_KEY" ]] && SCHEME="https"
-#  APP_URL_VAL="${SCHEME}://${SERVER_PUBLIC_IPV4}"
-#fi
-#
-## --- .env schreiben (vollständig wie vorher) --------------------------------
-#upsert_env APP_URL             "${APP_URL_VAL}"
-#
-#if [[ "$PROXY_MODE" -eq 1 ]]; then
-#  TP_LIST="127.0.0.1,::1"
-#  [[ -n "$NPM_IP" ]] && TP_LIST="${TP_LIST},${NPM_IP}"
-#  upsert_env TRUSTED_PROXIES "$TP_LIST"
-#  upsert_env TRUSTED_HEADERS "x-forwarded-all"
-#else
-#  upsert_env TRUSTED_PROXIES ""
-#  upsert_env TRUSTED_HEADERS "x-forwarded-all"
-#fi
-#
-#upsert_env APP_HOST            "${APP_HOST_VAL}"
-#upsert_env APP_NAME            "${APP_NAME}"
-#upsert_env APP_ENV             "${APP_ENV:-production}"
-#upsert_env APP_DEBUG           "${APP_DEBUG:-false}"
-#
-## Locale
-#upsert_env APP_LOCALE          "${APP_LOCALE:-de}"
-#upsert_env APP_FALLBACK_LOCALE "en"
-#
-## Server IPs
-#upsert_env SERVER_PUBLIC_IPV4 "${SERVER_PUBLIC_IPV4}"
-#if [[ -n "${SERVER_PUBLIC_IPV6:-}" ]]; then
-#  upsert_env SERVER_PUBLIC_IPV6 "${SERVER_PUBLIC_IPV6}"
-#else
-#  upsert_env SERVER_PUBLIC_IPV6 ""
-#fi
-#
-## Hosts & LE
-#upsert_env BASE_DOMAIN "${BASE_DOMAIN}"
-#upsert_env UI_SUB      "${UI_SUB}"
-#upsert_env WEBMAIL_SUB "${WEBMAIL_SUB}"
-#upsert_env MTA_SUB     "${MTA_SUB}"
-#upsert_env LE_EMAIL    "${LE_EMAIL:-admin@${BASE_DOMAIN}}"
-#
-## DB
-#upsert_env DB_CONNECTION "mysql"
-#upsert_env DB_HOST       "127.0.0.1"
-#upsert_env DB_PORT       "3306"
-#upsert_env DB_DATABASE   "${DB_NAME}"
-#upsert_env DB_USERNAME   "${DB_USER}"
-#upsert_env DB_PASSWORD   "${DB_PASS}"
-#
-## Cache/Session/Redis
-#upsert_env CACHE_SETTINGS_STORE         "redis"
-#upsert_env CACHE_STORE                  "redis"
-#upsert_env CACHE_DRIVER                 "redis"
-#upsert_env CACHE_PREFIX                 "${APP_USER_PREFIX}_cache:"
-#upsert_env SESSION_DRIVER               "redis"
-#upsert_env SESSION_SECURE_COOKIE        "true"
-#upsert_env SESSION_SAMESITE             "lax"
-#upsert_env REDIS_CLIENT                 "phpredis"
-#upsert_env REDIS_HOST                   "127.0.0.1"
-#upsert_env REDIS_PORT                   "6379"
-#upsert_env REDIS_PASSWORD               "${REDIS_PASS}"
-#upsert_env REDIS_DB                     "0"
-#upsert_env REDIS_CACHE_DB               "1"
-#upsert_env REDIS_CACHE_CONNECTION       "cache"
-#upsert_env REDIS_CACHE_LOCK_CONNECTION  "default"
-#
-## Reverb / Queue / Logs
-#upsert_env BROADCAST_DRIVER      "reverb"
-#upsert_env QUEUE_CONNECTION      "redis"
-#upsert_env LOG_CHANNEL           "daily"
-#
-## Reverb Credentials/Host
-#upsert_env REVERB_APP_ID         "${APP_USER_PREFIX}"
-## nur Generieren, wenn leer – sonst vorhandene Werte erhalten
-#grep -q '^REVERB_APP_KEY=' "$ENV_FILE"  || upsert_env REVERB_APP_KEY    "${APP_USER_PREFIX}_$(openssl rand -hex 16)"
-#grep -q '^REVERB_APP_SECRET=' "$ENV_FILE" || upsert_env REVERB_APP_SECRET "${APP_USER_PREFIX}_$(openssl rand -hex 32)"
-#upsert_env REVERB_HOST           "\${APP_HOST}"
-#upsert_env REVERB_PORT           "443"
-#upsert_env REVERB_SCHEME         "https"
-#upsert_env REVERB_PATH           "/ws"
-#upsert_env REVERB_SCALING_ENABLED "true"
-#upsert_env REVERB_SCALING_CHANNEL "reverb"
-#
-## Vite Expose
-#upsert_env VITE_REVERB_APP_KEY   "\${REVERB_APP_KEY}"
-#upsert_env VITE_REVERB_HOST      "\${REVERB_HOST}"
-#upsert_env VITE_REVERB_PORT      "\${REVERB_PORT}"
-#upsert_env VITE_REVERB_SCHEME    "\${REVERB_SCHEME}"
-#upsert_env VITE_REVERB_PATH      "\${REVERB_PATH}"
-#
-## Reverb Server (Backend)
-#upsert_env REVERB_SERVER_APP_KEY "\${REVERB_APP_KEY}"
-#upsert_env REVERB_SERVER_HOST    "127.0.0.1"
-#upsert_env REVERB_SERVER_PORT    "8080"
-#upsert_env REVERB_SERVER_PATH    ""
-#upsert_env REVERB_SERVER_SCHEME  "http"
-#
-## DEV-Block (optional per DEV_MODE=1)
-#DEV_MODE="${DEV_MODE:-0}"
-#if [[ "$DEV_MODE" = "1" ]]; then
-#  # vor doppelten Blöcken schützen
-#  sed -i '/^# --- MailWolt DEV/,/^# --- \/MailWolt DEV/d' "${ENV_FILE}"
-#  cat >> "${ENV_FILE}" <<CONF
-## --- MailWolt DEV ---
-#VITE_DEV_HOST=127.0.0.1
-#VITE_DEV_PORT=5173
-#VITE_HMR_PROTOCOL=wss
-#VITE_HMR_CLIENT_PORT=443
-#VITE_HMR_HOST=${SERVER_PUBLIC_IPV4}
-#VITE_DEV_ORIGIN=$(grep '^APP_URL=' "${ENV_FILE}" | cut -d= -f2-)
-## --- /MailWolt DEV ---
-#CONF
-#fi
-#
-## --- LE-Symlinks & Nginx (vor Seeder), damit UI/Webmail schon LE-Zert nutzen ---
-#relink_and_reload
-#
-## Laravel Caches säubern und migrieren
-#sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan optimize:clear"
-#
-## Migration erzwingen (damit 'settings' & Co. existieren)
-#sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan migrate --force"
-#
-#
-#
-## System-Domain seeden, wenn eine echte Domain gesetzt wurde
-#if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
-#  sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan db:seed --class=SystemDomainSeeder --force"
-#fi
-#
-#sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan config:cache"
-#
-## --- Frontend / Vite: einmaliger Build, wenn kein manifest.json vorhanden ---
-#if [[ -f "${APP_DIR}/package.json" && ! -f "${APP_DIR}/public/build/manifest.json" ]]; then
-#  # Node nur installieren, wenn nicht vorhanden
-#  if ! command -v node >/dev/null 2>&1; then
-#    curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
-#    apt-get install -y nodejs
-#  fi
-#
-#  # Dependencies installieren (bevorzugt ci, Fallback auf install)
-#  sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && (npm ci --no-audit --no-fund || npm install)"
-#
-#  # Build ausführen (wenn kein "build"-Script, nutze npx vite)
-#  sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && (npm run build || npx --yes vite build)"
-#fi
-#
-#sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan optimize:clear && php artisan config:cache"
-#
-#
-## Rechte & Laravel Cache
-#chown -R "$APP_USER":"$APP_GROUP" "$APP_DIR"
-#chmod -R u=rwX,g=rwX,o=rX "$APP_DIR"
-#install -d -m 0775 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR/storage" "$APP_DIR/bootstrap/cache"
-#
-#sudo -u "$APP_USER" -H bash -lc "cd ${APP_DIR} && php artisan optimize:clear && php artisan config:cache"
-#
-#relink_and_reload
-#
-#sudo systemctl restart php*-fpm || true