diff --git a/scripts/50-dovecot.sh b/scripts/50-dovecot.sh
index 6a0381f..99bac03 100644
--- a/scripts/50-dovecot.sh
+++ b/scripts/50-dovecot.sh
@@ -8,13 +8,40 @@ MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"
 log "Dovecot konfigurieren …"
+# ──────────────────────────────────────────────────────────────────────────────
+# 1) vmail-Benutzer/Gruppe & Mailspool vorbereiten (DYNAMIC UID!)
+# ──────────────────────────────────────────────────────────────────────────────
+
+# Sicherstellen, dass die Gruppe 'mail' existiert (auf Debian/Ubuntu idR vorhanden)
+getent group mail >/dev/null || groupadd -g 8 mail || true
+
+# vmail anlegen, wenn er fehlt. Bevorzugt UID 109, falls frei – sonst automatisch.
+if ! getent passwd vmail >/dev/null; then
+ if ! getent passwd 109 >/dev/null; then
+ useradd -u 109 -g mail -d /var/mail -M -s /usr/sbin/nologin vmail
+ else
+ useradd -g mail -d /var/mail -M -s /usr/sbin/nologin vmail
+ fi
+fi
+
+# Tatsächliche vmail-UID ermitteln (wird unten in die Dovecot-Config geschrieben)
+VMAIL_UID="$(id -u vmail)"
+
+# Mailspool-Basis
+install -d -m 0770 -o vmail -g mail /var/mail/vhosts
+
+# ──────────────────────────────────────────────────────────────────────────────
+# 2) Dovecot Grundgerüst
+# ──────────────────────────────────────────────────────────────────────────────
+
 # Hauptdatei
+install -d -m 0755 /etc/dovecot/conf.d
 cat > /etc/dovecot/dovecot.conf <<'CONF'
 !include_try /etc/dovecot/conf.d/*.conf
 CONF
-# Mail-Location & Namespace
-cat > /etc/dovecot/conf.d/10-mail.conf <<'CONF'
+# Mail-Location & Namespace + UID-Grenzen
+cat > /etc/dovecot/conf.d/10-mail.conf < /etc/dovecot/dovecot-sql.conf.ext < /etc/dovecot/conf.d/auth-sql.conf.ext <<'CONF' passdb { driver = sql
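Review bot: `install -d -m 0770 -o vmail -g mail /var/mail/vhosts` hands the whole virtual mail store to the shared system group `mail`, which on Debian-style systems is typically also the group of /var/mail and of setgid local-delivery helpers, and to any account later added to that group — a wider audience than the single Dovecot identity that should own this tree. A dedicated group is the usual isolation boundary: `getent group vmail >/dev/null || groupadd -r vmail`, `useradd … -g vmail …`, `install -d -m 0750 -o vmail -g vmail /var/mail/vhosts` (the static `userdb` args further down would then read `gid=vmail` again). The `|| true` after `groupadd -g 8 mail` also swallows a GID collision, after which the following `useradd -g mail` fails under `set -e` with a less obvious error; dropping the fixed `-g 8` or checking groupadd's result would make that explicit. The tail of this hunk (the 10-mail.conf, 10-auth.conf and dovecot-sql.conf.ext heredocs) is not legible in this view, so whether `VMAIL_UID` actually ends up in `first_valid_uid`/`last_valid_uid` cannot be confirmed here.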
@@ -50,13 +83,13 @@ passdb {
 }
 userdb {
 driver = static
- args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
+ args = uid=vmail gid=mail home=/var/mail/vhosts/%d/%n
 }
 CONF
 chown root:dovecot /etc/dovecot/conf.d/auth-sql.conf.ext
 chmod 640 /etc/dovecot/conf.d/auth-sql.conf.ext
-# Master-Services (LMTP + AUTH + Listener)
+# Master-Services (LMTP + AUTH + IMAP/POP3 Listener)
 cat > /etc/dovecot/conf.d/10-master.conf <<'CONF'
 service lmtp {
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
@@ -73,27 +106,18 @@ service auth {
 }
 }
 service imap-login {
- inet_listener imap {
- port = 143
- }
- inet_listener imaps {
- port = 993
- ssl = yes
- }
+ inet_listener imap { port = 143 }
+ inet_listener imaps { port = 993 ssl = yes }
 }
 service pop3-login {
- inet_listener pop3 {
- port = 110
- }
- inet_listener pop3s {
- port = 995
- ssl = yes
- }
+ inet_listener pop3 { port = 110 }
+ inet_listener pop3s { port = 995 ssl = yes }
 }
 CONF
-# SSL – stabile Mail-Pfade
+# SSL – auf stabile Mail-Pfade zeigen
 DOVECOT_SSL_CONF="/etc/dovecot/conf.d/10-ssl.conf"
+touch "$DOVECOT_SSL_CONF"
 grep -q '^ssl\s*=' "$DOVECOT_SSL_CONF" 2>/dev/null || echo "ssl = required" >> "$DOVECOT_SSL_CONF"
 if grep -q '^\s*ssl_cert\s*=' "$DOVECOT_SSL_CONF"; then
 sed -i "s|^\s*ssl_cert\s*=.*|ssl_cert = <${MAIL_CERT}|" "$DOVECOT_SSL_CONF"
@@ -105,6 +129,7 @@ if grep -q '^\s*ssl_key\s*=' "$DOVECOT_SSL_CONF"; then
 else
 echo "ssl_key = <${MAIL_KEY}" >> "$DOVECOT_SSL_CONF"
 fi
+grep -q '^ssl_min_protocol' "$DOVECOT_SSL_CONF" || echo "ssl_min_protocol = TLSv1.2" >> "$DOVECOT_SSL_CONF"
 # Postfix-Socket-Verzeichnis sicherstellen
 mkdir -p /var/spool/postfix/private
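Review bot: The collapsed listener lines `inet_listener imaps { port = 993 ssl = yes }` and `inet_listener pop3s { port = 995 ssl = yes }` put two settings after the `{` on a single line, which Dovecot's config parser does not accept as far as I know — it reads one `key = value` per line and rejects trailing text after a section opener — so the whole 10-master.conf is likely refused and Dovecot fails to come up when it is started later. Keep the multi-line form this commit removes (`inet_listener imaps {` / `port = 993` / `ssl = yes` / `}`), and add a `doveconf -n >/dev/null` check at the end of the script so a broken file is caught here rather than at service start. The single-line form for `imap`/`pop3` (one setting inside the braces) has the same problem.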
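Review bot: The new `grep -q '^ssl_min_protocol' … || echo "ssl_min_protocol = TLSv1.2" >> …` only appends when no such line exists, so a pre-existing weaker value (an active `ssl_min_protocol = TLSv1` left in a packaged or previously edited 10-ssl.conf) is kept silently. The `ssl_cert`/`ssl_key` handling directly above already uses a replace-if-present branch; the same two-branch form — `sed -i 's|^\s*ssl_min_protocol\s*=.*|ssl_min_protocol = TLSv1.2|'` when the line exists, append otherwise — keeps the three settings consistent. The older `ssl = required` line in this file has the same weakness: a packaged file that already contains `ssl = yes` satisfies `^ssl\s*=`, and `required` is never written.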
@@ -113,5 +138,125 @@ chmod 0755 /var/spool/postfix
 chown postfix:postfix /var/spool/postfix/private
 chmod 0755 /var/spool/postfix/private
-# Nur aktivieren – Start/Reload erst nach App/DB in 90-services.sh
-systemctl enable dovecot >/dev/null 2>&1 || true
\ No newline at end of file
+# Nur aktivieren – Start/Reload später
+systemctl enable dovecot >/dev/null 2>&1 || true
+
+##!/usr/bin/env bash
+#set -euo pipefail
+#source ./lib.sh
+#
+#MAIL_SSL_DIR="/etc/ssl/mail"
+#MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem"
+#MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"
+#
+#log "Dovecot konfigurieren …"
+#
+## Hauptdatei
+#cat > /etc/dovecot/dovecot.conf <<'CONF'
+#!include_try /etc/dovecot/conf.d/*.conf
+#CONF
+#
+## Mail-Location & Namespace
+#cat > /etc/dovecot/conf.d/10-mail.conf <<'CONF'
+#protocols = imap pop3 lmtp
+#mail_location = maildir:/var/mail/vhosts/%d/%n
+#
+#namespace inbox {
+# inbox = yes
+#}
+#
+#mail_privileged_group = mail
+#first_valid_uid = 109
+#last_valid_uid = 109
+#CONF
+#
+## Auth
+#cat > /etc/dovecot/conf.d/10-auth.conf <<'CONF'
+#disable_plaintext_auth = yes
+#auth_mechanisms = plain login
+#!include_try auth-sql.conf.ext
+#CONF
+#
+## SQL-Anbindung
+#cat > /etc/dovecot/dovecot-sql.conf.ext < /etc/dovecot/conf.d/auth-sql.conf.ext <<'CONF'
+#passdb {
+# driver = sql
+# args = /etc/dovecot/dovecot-sql.conf.ext
+#}
+#userdb {
+# driver = static
+# args = uid=vmail gid=mail home=/var/mail/vhosts/%d/%n
+#}
+#CONF
+#chown root:dovecot /etc/dovecot/conf.d/auth-sql.conf.ext
+#chmod 640 /etc/dovecot/conf.d/auth-sql.conf.ext
+#
+## Master-Services (LMTP + AUTH + Listener)
+#cat > /etc/dovecot/conf.d/10-master.conf <<'CONF'
+#service lmtp {
+# unix_listener /var/spool/postfix/private/dovecot-lmtp {
+# mode = 0600
+# user = postfix
+# group = postfix
+# }
+#}
+#service auth {
+# unix_listener /var/spool/postfix/private/auth {
+# mode = 0660
+# user = postfix
+# group = postfix
+# }
+#}
+#service imap-login {
+# inet_listener imap {
+# port = 143
+# }
+# inet_listener 
imaps {
+# port = 993
+# ssl = yes
+# }
+#}
+#service pop3-login {
+# inet_listener pop3 {
+# port = 110
+# }
+# inet_listener pop3s {
+# port = 995
+# ssl = yes
+# }
+#}
+#CONF
+#
+## SSL – stabile Mail-Pfade
+#DOVECOT_SSL_CONF="/etc/dovecot/conf.d/10-ssl.conf"
+#grep -q '^ssl\s*=' "$DOVECOT_SSL_CONF" 2>/dev/null || echo "ssl = required" >> "$DOVECOT_SSL_CONF"
+#if grep -q '^\s*ssl_cert\s*=' "$DOVECOT_SSL_CONF"; then
+# sed -i "s|^\s*ssl_cert\s*=.*|ssl_cert = <${MAIL_CERT}|" "$DOVECOT_SSL_CONF"
+#else
+# echo "ssl_cert = <${MAIL_CERT}" >> "$DOVECOT_SSL_CONF"
+#fi
+#if grep -q '^\s*ssl_key\s*=' "$DOVECOT_SSL_CONF"; then
+# sed -i "s|^\s*ssl_key\s*=.*|ssl_key = <${MAIL_KEY}|" "$DOVECOT_SSL_CONF"
+#else
+# echo "ssl_key = <${MAIL_KEY}" >> "$DOVECOT_SSL_CONF"
+#fi
+#
+## Postfix-Socket-Verzeichnis sicherstellen
+#mkdir -p /var/spool/postfix/private
+#chown root:root /var/spool/postfix
+#chmod 0755 /var/spool/postfix
+#chown postfix:postfix /var/spool/postfix/private
+#chmod 0755 /var/spool/postfix/private
+#
+## Nur aktivieren – Start/Reload erst nach App/DB in 90-services.sh
+#systemctl enable dovecot >/dev/null 2>&1 || true
\ No newline at end of file
diff --git a/scripts/60-rspamd-opendkim.sh b/scripts/60-rspamd-opendkim.sh
index 62562ce..05f3c83 100644
--- a/scripts/60-rspamd-opendkim.sh
+++ b/scripts/60-rspamd-opendkim.sh
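Review bot: The roughly 120 lines from `##!/usr/bin/env bash` to `#systemctl enable dovecot …` append the entire previous version of the script as a comment block; git already keeps that history, and the copy is not even the text the hunks above replace (its `userdb` line already reads `gid=mail`, while the earlier hunk changes it from `gid=vmail`), so it will only drift and mislead the next reader. Delete the block and keep the file to live code. The rewritten comment `# Nur aktivieren – Start/Reload später` also dropped the one useful fact of the old line; I would keep `# Nur aktivieren – Start/Reload erst nach App/DB in 90-services.sh` so the ordering dependency stays documented.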
@@ -2,25 +2,191 @@ set -euo pipefail
 source ./lib.sh
-log "Rspamd + OpenDKIM …"
+log "Rspamd + OpenDKIM einrichten …"
-cat > /etc/rspamd/local.d/worker-controller.inc <<'CONF'
-password = "admin";
+# ---------------------------
+# Variablen / Defaults
+# ---------------------------
+# Installer-Variablen laden, falls vorhanden
+set +u
+[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
+set -u
+
+BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
+DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"
+DKIM_GENERATE="${DKIM_GENERATE:-0}" # 1 = Key erzeugen, falls fehlt
+RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
+
+# ---------------------------
+# Rspamd: Controller + Milter
+# ---------------------------
+install -d -m 0755 /etc/rspamd/local.d
+
+# Controller-Passwort gehasht schreiben
+if command -v rspamadm >/dev/null 2>&1; then
+ RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
+else
+ # Fallback: falls rspamadm noch nicht verfügbar ist (sollte selten sein)
+ # schreibe Klartext, damit Rspamd danach startbar ist; Hashen kann im nächsten Lauf erfolgen. 
+ RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
+fi
+
+cat >/etc/rspamd/local.d/worker-controller.inc </etc/rspamd/local.d/worker-normal.inc <<'CONF'
+bind_socket = "127.0.0.1:11332";
+CONF
+
+# Authentication-Results Header schreiben (praktisch zum Debuggen)
+cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
+use = ["authentication-results"];
+header = "Authentication-Results";
+CONF
+
 systemctl enable --now rspamd || true
-cat > /etc/opendkim.conf <<'CONF'
-Syslog yes
-UMask 002
-Mode sv
-Socket inet:8891@127.0.0.1
-Canonicalization relaxed/simple
-On-BadSignature accept
-On-Default accept
-On-KeyNotFound accept
-On-NoSignature accept
-LogWhy yes
-OversignHeaders From
+# ---------------------------
+# OpenDKIM Grund-Setup
+# ---------------------------
+install -d -m 0755 /etc/opendkim
+install -d -m 0750 /etc/opendkim/keys
+chown -R opendkim:opendkim /etc/opendkim
+chmod 750 /etc/opendkim/keys
+
+# TrustedHosts (wer signieren darf)
+cat >/etc/opendkim/TrustedHosts <<'CONF'
+127.0.0.1
+::1
+localhost
 CONF
+chown opendkim:opendkim /etc/opendkim/TrustedHosts
+chmod 640 /etc/opendkim/TrustedHosts
+
+# Key-/Signing-Tabellen vorbereiten
+KEY_DIR="/etc/opendkim/keys/${BASE_DOMAIN}"
+KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
+
+install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
+
+# Falls gewünscht: fehlenden Key erzeugen
+if [[ "${DKIM_GENERATE}" = "1" && ! 
-s "${KEY_PRIV}" ]]; then
+ if command -v opendkim-genkey >/dev/null 2>&1; then
+ opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${BASE_DOMAIN}" -D "${KEY_DIR}"
+ # opendkim legt .private und .txt an (Selector.*)
+ chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
+ chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
+ fi
+fi
+
+# KeyTable (Selector → Keydatei)
+cat >/etc/opendkim/KeyTable </etc/opendkim/SigningTable </etc/opendkim.conf <<'CONF'
+Syslog yes
+UMask 002
+Mode sv
+Socket inet:8891@127.0.0.1
+Canonicalization relaxed/simple
+
+# Nicht blockieren, wenn mal was fehlt
+On-BadSignature accept
+On-Default accept
+On-KeyNotFound accept
+On-NoSignature accept
+
+LogWhy yes
+OversignHeaders From
+
+# Tabellen/Listen
+KeyTable /etc/opendkim/KeyTable
+SigningTable refile:/etc/opendkim/SigningTable
+ExternalIgnoreList /etc/opendkim/TrustedHosts
+InternalHosts /etc/opendkim/TrustedHosts
+
+UserID opendkim:opendkim
+AutoRestart yes
+AutoRestartRate 10/1h
+Background yes
+DNSTimeout 5
+SignatureAlgorithm rsa-sha256
+CONF
+
 systemctl enable --now opendkim || true
+systemctl restart opendkim || true
+systemctl restart rspamd || true
+
+# ---------------------------
+# Postfix: Milter-Anbindung prüfen/setzen (nur ergänzen, nicht zerstören)
+# ---------------------------
+# Diese Werte setzt dein Postfix-Skript normalerweise bereits.
+# Hier nur als Absicherung, falls noch leer.
+need_set() {
+ local key="$1"
+ local cur
+ cur="$(postconf -h "$key" 2>/dev/null || true)"
+ [[ -z "$cur" ]]
+}
+
+if need_set smtpd_milters; then
+ /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
+fi
+if need_set non_smtpd_milters; then
+ /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
+fi
+
+systemctl reload postfix || true
+
+# ---------------------------
+# Hinweise (einmalig, nicht kritisch)
+# ---------------------------
+if [[ ! -s "${KEY_PRIV}" ]]; then
+ echo "[!] 
OpenDKIM: Kein Private Key gefunden unter: ${KEY_PRIV}"
+ echo " - Wenn deine App die Keys verwaltet, lege die Private-Key-Datei genau dort ab"
+ echo " (Owner: opendkim:opendkim, Mode: 600) und passe ggf. DKIM_SELECTOR/BASIS_DOMAIN an."
+ echo " - Oder setze DKIM_GENERATE=1 und starte dieses Skript erneut, um einen Key zu erzeugen."
+fi
+
+echo "[✓] Rspamd + OpenDKIM fertig. Postfix ist an Rspamd (11332) und OpenDKIM (8891) angebunden."
+
+##!/usr/bin/env bash
+#set -euo pipefail
+#source ./lib.sh
+#
+#log "Rspamd + OpenDKIM …"
+#
+#cat > /etc/rspamd/local.d/worker-controller.inc <<'CONF'
+#password = "admin";
+#bind_socket = "127.0.0.1:11334";
+#CONF
+#systemctl enable --now rspamd || true
+#
+#cat > /etc/opendkim.conf <<'CONF'
+#Syslog yes
+#UMask 002
+#Mode sv
+#Socket inet:8891@127.0.0.1
+#Canonicalization relaxed/simple
+#On-BadSignature accept
+#On-Default accept
+#On-KeyNotFound accept
+#On-NoSignature accept
+#LogWhy yes
+#OversignHeaders From
+#CONF
+#systemctl enable --now opendkim || true
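Review bot: `RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"` keeps `admin` as the controller password whenever installer.env does not provide one, and the `else` branch then stores that value in worker-controller.inc in clear text, so a fresh install can end up with a well-known credential on the controller worker (the heredoc that writes the file is not legible in this view, so I cannot confirm its bind address). Fail instead of defaulting — `: "${RSPAMD_CONTROLLER_PASSWORD:?set RSPAMD_CONTROLLER_PASSWORD in /etc/mailwolt/installer.env}"` — and make the missing-`rspamadm` case abort (`echo "rspamadm not found; cannot hash controller password" >&2; exit 1`) rather than fall back to plaintext; `rspamadm pw -p "$PW"` additionally exposes the password in the process list, which a stdin-based invocation avoids if the installed rspamadm supports it. The same defaulting pattern in `BASE_DOMAIN="${BASE_DOMAIN:-example.com}"` silently writes a KeyTable/SigningTable for example.com that never matches real outgoing mail and still prints `fertig`; `: "${BASE_DOMAIN:?…}"` would catch it. The hint text also says `BASIS_DOMAIN` while the variable is `BASE_DOMAIN`.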