boban
/
mailwolt-installer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Laudende Default seite entfernen

main
boksbc 2025-10-17 17:32:33 +02:00
parent 0fe9f1d5ac
commit a2714c3072
2 changed files with 350 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

193
scripts/50-dovecot.sh
View File

@ -8,13 +8,40 @@ MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"
log "Dovecot konfigurieren …" log "Dovecot konfigurieren …"
# ──────────────────────────────────────────────────────────────────────────────
# 1) vmail-Benutzer/Gruppe & Mailspool vorbereiten (DYNAMIC UID!)
# ──────────────────────────────────────────────────────────────────────────────
# Sicherstellen, dass die Gruppe 'mail' existiert (auf Debian/Ubuntu idR vorhanden)
getent group mail >/dev/null || groupadd -g 8 mail || true
# vmail anlegen, wenn er fehlt. Bevorzugt UID 109, falls frei sonst automatisch.
if ! getent passwd vmail >/dev/null; then
if ! getent passwd 109 >/dev/null; then
useradd -u 109 -g mail -d /var/mail -M -s /usr/sbin/nologin vmail
else
useradd -g mail -d /var/mail -M -s /usr/sbin/nologin vmail
fi
fi
# Tatsächliche vmail-UID ermitteln (wird unten in die Dovecot-Config geschrieben)
VMAIL_UID="$(id -u vmail)"
# Mailspool-Basis
install -d -m 0770 -o vmail -g mail /var/mail/vhosts
# ──────────────────────────────────────────────────────────────────────────────
# 2) Dovecot Grundgerüst
# ──────────────────────────────────────────────────────────────────────────────
# Hauptdatei # Hauptdatei
install -d -m 0755 /etc/dovecot/conf.d
cat > /etc/dovecot/dovecot.conf <<'CONF' cat > /etc/dovecot/dovecot.conf <<'CONF'
!include_try /etc/dovecot/conf.d/*.conf !include_try /etc/dovecot/conf.d/*.conf
CONF CONF
# Mail-Location & Namespace # Mail-Location & Namespace + UID-Grenzen
cat > /etc/dovecot/conf.d/10-mail.conf <<'CONF' cat > /etc/dovecot/conf.d/10-mail.conf <<CONF
protocols = imap pop3 lmtp protocols = imap pop3 lmtp
mail_location = maildir:/var/mail/vhosts/%d/%n mail_location = maildir:/var/mail/vhosts/%d/%n
@ -23,6 +50,9 @@ namespace inbox {
} }
mail_privileged_group = mail mail_privileged_group = mail
mail_access_groups = mail
first_valid_uid = ${VMAIL_UID}
last_valid_uid = ${VMAIL_UID}
CONF CONF
# Auth # Auth
@ -32,17 +62,20 @@ auth_mechanisms = plain login
!include_try auth-sql.conf.ext !include_try auth-sql.conf.ext
CONF CONF
# SQL-Anbindung # SQL-Anbindung (Passwörter aus App-DB)
cat > /etc/dovecot/dovecot-sql.conf.ext <<CONF cat > /etc/dovecot/dovecot-sql.conf.ext <<CONF
driver = mysql driver = mysql
connect = host=127.0.0.1 dbname=${DB_NAME} user=${DB_USER} password=${DB_PASS} connect = host=127.0.0.1 dbname=${DB_NAME} user=${DB_USER} password=${DB_PASS}
default_pass_scheme = BLF-CRYPT default_pass_scheme = BLF-CRYPT
password_query = SELECT email AS user, password_hash AS password FROM mail_users WHERE email = '%u' AND is_active = 1 LIMIT 1; password_query = SELECT email AS user, password_hash AS password
FROM mail_users
WHERE email = '%u' AND is_active = 1
LIMIT 1;
CONF CONF
chown root:dovecot /etc/dovecot/dovecot-sql.conf.ext chown root:dovecot /etc/dovecot/dovecot-sql.conf.ext
chmod 640 /etc/dovecot/dovecot-sql.conf.ext chmod 640 /etc/dovecot/dovecot-sql.conf.ext
# Auth-SQL Einbindung # Auth-SQL → userdb static auf vmail:mail (Home unter /var/mail/vhosts/%d/%n)
cat > /etc/dovecot/conf.d/auth-sql.conf.ext <<'CONF' cat > /etc/dovecot/conf.d/auth-sql.conf.ext <<'CONF'
passdb { passdb {
driver = sql driver = sql
@ -50,13 +83,13 @@ passdb {
} }
userdb { userdb {
driver = static driver = static
args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n args = uid=vmail gid=mail home=/var/mail/vhosts/%d/%n
} }
CONF CONF
chown root:dovecot /etc/dovecot/conf.d/auth-sql.conf.ext chown root:dovecot /etc/dovecot/conf.d/auth-sql.conf.ext
chmod 640 /etc/dovecot/conf.d/auth-sql.conf.ext chmod 640 /etc/dovecot/conf.d/auth-sql.conf.ext
# Master-Services (LMTP + AUTH + Listener) # Master-Services (LMTP + AUTH + IMAP/POP3 Listener)
cat > /etc/dovecot/conf.d/10-master.conf <<'CONF' cat > /etc/dovecot/conf.d/10-master.conf <<'CONF'
service lmtp { service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp {
@ -73,27 +106,18 @@ service auth {
} }
} }
service imap-login { service imap-login {
inet_listener imap { inet_listener imap { port = 143 }
port = 143 inet_listener imaps { port = 993 ssl = yes }
}
inet_listener imaps {
port = 993
ssl = yes
}
} }
service pop3-login { service pop3-login {
inet_listener pop3 { inet_listener pop3 { port = 110 }
port = 110 inet_listener pop3s { port = 995 ssl = yes }
}
inet_listener pop3s {
port = 995
ssl = yes
}
} }
CONF CONF
# SSL stabile Mail-Pfade # SSL auf stabile Mail-Pfade zeigen
DOVECOT_SSL_CONF="/etc/dovecot/conf.d/10-ssl.conf" DOVECOT_SSL_CONF="/etc/dovecot/conf.d/10-ssl.conf"
touch "$DOVECOT_SSL_CONF"
grep -q '^ssl\s*=' "$DOVECOT_SSL_CONF" 2>/dev/null || echo "ssl = required" >> "$DOVECOT_SSL_CONF" grep -q '^ssl\s*=' "$DOVECOT_SSL_CONF" 2>/dev/null || echo "ssl = required" >> "$DOVECOT_SSL_CONF"
if grep -q '^\s*ssl_cert\s*=' "$DOVECOT_SSL_CONF"; then if grep -q '^\s*ssl_cert\s*=' "$DOVECOT_SSL_CONF"; then
sed -i "s|^\s*ssl_cert\s*=.*|ssl_cert = <${MAIL_CERT}|" "$DOVECOT_SSL_CONF" sed -i "s|^\s*ssl_cert\s*=.*|ssl_cert = <${MAIL_CERT}|" "$DOVECOT_SSL_CONF"
@ -105,6 +129,7 @@ if grep -q '^\s*ssl_key\s*=' "$DOVECOT_SSL_CONF"; then
else else
echo "ssl_key = <${MAIL_KEY}" >> "$DOVECOT_SSL_CONF" echo "ssl_key = <${MAIL_KEY}" >> "$DOVECOT_SSL_CONF"
fi fi
grep -q '^ssl_min_protocol' "$DOVECOT_SSL_CONF" || echo "ssl_min_protocol = TLSv1.2" >> "$DOVECOT_SSL_CONF"
# Postfix-Socket-Verzeichnis sicherstellen # Postfix-Socket-Verzeichnis sicherstellen
mkdir -p /var/spool/postfix/private mkdir -p /var/spool/postfix/private
@ -113,5 +138,125 @@ chmod 0755 /var/spool/postfix
chown postfix:postfix /var/spool/postfix/private chown postfix:postfix /var/spool/postfix/private
chmod 0755 /var/spool/postfix/private chmod 0755 /var/spool/postfix/private
# Nur aktivieren Start/Reload erst nach App/DB in 90-services.sh # Nur aktivieren Start/Reload später
systemctl enable dovecot >/dev/null 2>&1 || true systemctl enable dovecot >/dev/null 2>&1 || true
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#MAIL_SSL_DIR="/etc/ssl/mail"
#MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem"
#MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"
#
#log "Dovecot konfigurieren …"
#
## Hauptdatei
#cat > /etc/dovecot/dovecot.conf <<'CONF'
#!include_try /etc/dovecot/conf.d/*.conf
#CONF
#
## Mail-Location & Namespace
#cat > /etc/dovecot/conf.d/10-mail.conf <<'CONF'
#protocols = imap pop3 lmtp
#mail_location = maildir:/var/mail/vhosts/%d/%n
#
#namespace inbox {
# inbox = yes
#}
#
#mail_privileged_group = mail
#first_valid_uid = 109
#last_valid_uid = 109
#CONF
#
## Auth
#cat > /etc/dovecot/conf.d/10-auth.conf <<'CONF'
#disable_plaintext_auth = yes
#auth_mechanisms = plain login
#!include_try auth-sql.conf.ext
#CONF
#
## SQL-Anbindung
#cat > /etc/dovecot/dovecot-sql.conf.ext <<CONF
#driver = mysql
#connect = host=127.0.0.1 dbname=${DB_NAME} user=${DB_USER} password=${DB_PASS}
#default_pass_scheme = BLF-CRYPT
#password_query = SELECT email AS user, password_hash AS password FROM mail_users WHERE email = '%u' AND is_active = 1 LIMIT 1;
#CONF
#chown root:dovecot /etc/dovecot/dovecot-sql.conf.ext
#chmod 640 /etc/dovecot/dovecot-sql.conf.ext
#
## Auth-SQL Einbindung
#cat > /etc/dovecot/conf.d/auth-sql.conf.ext <<'CONF'
#passdb {
# driver = sql
# args = /etc/dovecot/dovecot-sql.conf.ext
#}
#userdb {
# driver = static
# args = uid=vmail gid=mail home=/var/mail/vhosts/%d/%n
#}
#CONF
#chown root:dovecot /etc/dovecot/conf.d/auth-sql.conf.ext
#chmod 640 /etc/dovecot/conf.d/auth-sql.conf.ext
#
## Master-Services (LMTP + AUTH + Listener)
#cat > /etc/dovecot/conf.d/10-master.conf <<'CONF'
#service lmtp {
# unix_listener /var/spool/postfix/private/dovecot-lmtp {
# mode = 0600
# user = postfix
# group = postfix
# }
#}
#service auth {
# unix_listener /var/spool/postfix/private/auth {
# mode = 0660
# user = postfix
# group = postfix
# }
#}
#service imap-login {
# inet_listener imap {
# port = 143
# }
# inet_listener imaps {
# port = 993
# ssl = yes
# }
#}
#service pop3-login {
# inet_listener pop3 {
# port = 110
# }
# inet_listener pop3s {
# port = 995
# ssl = yes
# }
#}
#CONF
#
## SSL stabile Mail-Pfade
#DOVECOT_SSL_CONF="/etc/dovecot/conf.d/10-ssl.conf"
#grep -q '^ssl\s*=' "$DOVECOT_SSL_CONF" 2>/dev/null || echo "ssl = required" >> "$DOVECOT_SSL_CONF"
#if grep -q '^\s*ssl_cert\s*=' "$DOVECOT_SSL_CONF"; then
# sed -i "s|^\s*ssl_cert\s*=.*|ssl_cert = <${MAIL_CERT}|" "$DOVECOT_SSL_CONF"
#else
# echo "ssl_cert = <${MAIL_CERT}" >> "$DOVECOT_SSL_CONF"
#fi
#if grep -q '^\s*ssl_key\s*=' "$DOVECOT_SSL_CONF"; then
# sed -i "s|^\s*ssl_key\s*=.*|ssl_key = <${MAIL_KEY}|" "$DOVECOT_SSL_CONF"
#else
# echo "ssl_key = <${MAIL_KEY}" >> "$DOVECOT_SSL_CONF"
#fi
#
## Postfix-Socket-Verzeichnis sicherstellen
#mkdir -p /var/spool/postfix/private
#chown root:root /var/spool/postfix
#chmod 0755 /var/spool/postfix
#chown postfix:postfix /var/spool/postfix/private
#chmod 0755 /var/spool/postfix/private
#
## Nur aktivieren Start/Reload erst nach App/DB in 90-services.sh
#systemctl enable dovecot >/dev/null 2>&1 || true

196
scripts/60-rspamd-opendkim.sh
View File

@ -2,25 +2,191 @@
set -euo pipefail set -euo pipefail
source ./lib.sh source ./lib.sh
log "Rspamd + OpenDKIM …" log "Rspamd + OpenDKIM einrichten …"
cat > /etc/rspamd/local.d/worker-controller.inc <<'CONF' # ---------------------------
password = "admin"; # Variablen / Defaults
# ---------------------------
# Installer-Variablen laden, falls vorhanden
set +u
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
set -u
BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"
DKIM_GENERATE="${DKIM_GENERATE:-0}" # 1 = Key erzeugen, falls fehlt
RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
# ---------------------------
# Rspamd: Controller + Milter
# ---------------------------
install -d -m 0755 /etc/rspamd/local.d
# Controller-Passwort gehasht schreiben
if command -v rspamadm >/dev/null 2>&1; then
RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
else
# Fallback: falls rspamadm noch nicht verfügbar ist (sollte selten sein)
# schreibe Klartext, damit Rspamd danach startbar ist; Hashen kann im nächsten Lauf erfolgen.
RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
fi
cat >/etc/rspamd/local.d/worker-controller.inc <<CONF
password = "${RSPAMD_HASH}";
bind_socket = "127.0.0.1:11334"; bind_socket = "127.0.0.1:11334";
CONF CONF
# Normal-Worker (Milter-Port für Postfix)
cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
bind_socket = "127.0.0.1:11332";
CONF
# Authentication-Results Header schreiben (praktisch zum Debuggen)
cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
use = ["authentication-results"];
header = "Authentication-Results";
CONF
systemctl enable --now rspamd || true systemctl enable --now rspamd || true
cat > /etc/opendkim.conf <<'CONF' # ---------------------------
Syslog yes # OpenDKIM Grund-Setup
UMask 002 # ---------------------------
Mode sv install -d -m 0755 /etc/opendkim
Socket inet:8891@127.0.0.1 install -d -m 0750 /etc/opendkim/keys
Canonicalization relaxed/simple chown -R opendkim:opendkim /etc/opendkim
On-BadSignature accept chmod 750 /etc/opendkim/keys
On-Default accept
On-KeyNotFound accept # TrustedHosts (wer signieren darf)
On-NoSignature accept cat >/etc/opendkim/TrustedHosts <<'CONF'
LogWhy yes 127.0.0.1
OversignHeaders From ::1
localhost
CONF CONF
chown opendkim:opendkim /etc/opendkim/TrustedHosts
chmod 640 /etc/opendkim/TrustedHosts
# Key-/Signing-Tabellen vorbereiten
KEY_DIR="/etc/opendkim/keys/${BASE_DOMAIN}"
KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
# Falls gewünscht: fehlenden Key erzeugen
if [[ "${DKIM_GENERATE}" = "1" && ! -s "${KEY_PRIV}" ]]; then
if command -v opendkim-genkey >/dev/null 2>&1; then
opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${BASE_DOMAIN}" -D "${KEY_DIR}"
# opendkim legt .private und .txt an (Selector.*)
chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
fi
fi
# KeyTable (Selector → Keydatei)
cat >/etc/opendkim/KeyTable <<CONF
${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN} ${BASE_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}
CONF
chown opendkim:opendkim /etc/opendkim/KeyTable
chmod 640 /etc/opendkim/KeyTable
# SigningTable (welche From:-Domains werden womit signiert)
cat >/etc/opendkim/SigningTable <<CONF
*@${BASE_DOMAIN} ${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN}
CONF
chown opendkim:opendkim /etc/opendkim/SigningTable
chmod 640 /etc/opendkim/SigningTable
# Hauptkonfiguration
cat >/etc/opendkim.conf <<'CONF'
Syslog yes
UMask 002
Mode sv
Socket inet:8891@127.0.0.1
Canonicalization relaxed/simple
# Nicht blockieren, wenn mal was fehlt
On-BadSignature accept
On-Default accept
On-KeyNotFound accept
On-NoSignature accept
LogWhy yes
OversignHeaders From
# Tabellen/Listen
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
UserID opendkim:opendkim
AutoRestart yes
AutoRestartRate 10/1h
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
CONF
systemctl enable --now opendkim || true systemctl enable --now opendkim || true
systemctl restart opendkim || true
systemctl restart rspamd || true
# ---------------------------
# Postfix: Milter-Anbindung prüfen/setzen (nur ergänzen, nicht zerstören)
# ---------------------------
# Diese Werte setzt dein Postfix-Skript normalerweise bereits.
# Hier nur als Absicherung, falls noch leer.
need_set() {
local key="$1"
local cur
cur="$(postconf -h "$key" 2>/dev/null || true)"
[[ -z "$cur" ]]
}
if need_set smtpd_milters; then
/usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
fi
if need_set non_smtpd_milters; then
/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
fi
systemctl reload postfix || true
# ---------------------------
# Hinweise (einmalig, nicht kritisch)
# ---------------------------
if [[ ! -s "${KEY_PRIV}" ]]; then
echo "[!] OpenDKIM: Kein Private Key gefunden unter: ${KEY_PRIV}"
echo " - Wenn deine App die Keys verwaltet, lege die Private-Key-Datei genau dort ab"
echo " (Owner: opendkim:opendkim, Mode: 600) und passe ggf. DKIM_SELECTOR/BASIS_DOMAIN an."
echo " - Oder setze DKIM_GENERATE=1 und starte dieses Skript erneut, um einen Key zu erzeugen."
fi
echo "[✓] Rspamd + OpenDKIM fertig. Postfix ist an Rspamd (11332) und OpenDKIM (8891) angebunden."
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#log "Rspamd + OpenDKIM …"
#
#cat > /etc/rspamd/local.d/worker-controller.inc <<'CONF'
#password = "admin";
#bind_socket = "127.0.0.1:11334";
#CONF
#systemctl enable --now rspamd || true
#
#cat > /etc/opendkim.conf <<'CONF'
#Syslog yes
#UMask 002
#Mode sv
#Socket inet:8891@127.0.0.1
#Canonicalization relaxed/simple
#On-BadSignature accept
#On-Default accept
#On-KeyNotFound accept
#On-NoSignature accept
#LogWhy yes
#OversignHeaders From
#CONF
#systemctl enable --now opendkim || true