Laudende Default seite entfernen

2025-10-17 17:32:33 +02:00 · 2025-10-17 17:32:33 +02:00 · a2714c3072
parent 0fe9f1d5ac
commit a2714c3072
2 changed files with 350 additions and 39 deletions
--- a/scripts/50-dovecot.sh
+++ b/scripts/50-dovecot.sh
@ -8,13 +8,40 @@ MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"

 log "Dovecot konfigurieren …"

+# ──────────────────────────────────────────────────────────────────────────────
+# 1) vmail-Benutzer/Gruppe & Mailspool vorbereiten (DYNAMIC UID!)
+# ──────────────────────────────────────────────────────────────────────────────
+
+# Sicherstellen, dass die Gruppe 'mail' existiert (auf Debian/Ubuntu idR vorhanden)
+getent group mail >/dev/null || groupadd -g 8 mail || true
+
+# vmail anlegen, wenn er fehlt. Bevorzugt UID 109, falls frei – sonst automatisch.
+if ! getent passwd vmail >/dev/null; then
+  if ! getent passwd 109 >/dev/null; then
+    useradd -u 109 -g mail -d /var/mail -M -s /usr/sbin/nologin vmail
+  else
+    useradd -g mail -d /var/mail -M -s /usr/sbin/nologin vmail
+  fi
+fi
+
+# Tatsächliche vmail-UID ermitteln (wird unten in die Dovecot-Config geschrieben)
+VMAIL_UID="$(id -u vmail)"
+
+# Mailspool-Basis
+install -d -m 0770 -o vmail -g mail /var/mail/vhosts
+
+# ──────────────────────────────────────────────────────────────────────────────
+# 2) Dovecot Grundgerüst
+# ──────────────────────────────────────────────────────────────────────────────
+
 # Hauptdatei
+install -d -m 0755 /etc/dovecot/conf.d
 cat > /etc/dovecot/dovecot.conf <<'CONF'
 !include_try /etc/dovecot/conf.d/*.conf
 CONF

-# Mail-Location & Namespace
-cat > /etc/dovecot/conf.d/10-mail.conf <<'CONF'
+# Mail-Location & Namespace + UID-Grenzen
+cat > /etc/dovecot/conf.d/10-mail.conf <<CONF
 protocols = imap pop3 lmtp
 mail_location = maildir:/var/mail/vhosts/%d/%n

@ -23,6 +50,9 @@ namespace inbox {
 }

 mail_privileged_group = mail
+mail_access_groups = mail
+first_valid_uid = ${VMAIL_UID}
+last_valid_uid  = ${VMAIL_UID}
 CONF

 # Auth
@ -32,17 +62,20 @@ auth_mechanisms = plain login
 !include_try auth-sql.conf.ext
 CONF

-# SQL-Anbindung
+# SQL-Anbindung (Passwörter aus App-DB)
 cat > /etc/dovecot/dovecot-sql.conf.ext <<CONF
 driver = mysql
 connect = host=127.0.0.1 dbname=${DB_NAME} user=${DB_USER} password=${DB_PASS}
 default_pass_scheme = BLF-CRYPT
-password_query = SELECT email AS user, password_hash AS password FROM mail_users WHERE email = '%u' AND is_active = 1 LIMIT 1;
+password_query = SELECT email AS user, password_hash AS password
+                 FROM mail_users
+                 WHERE email = '%u' AND is_active = 1
+                 LIMIT 1;
 CONF
 chown root:dovecot /etc/dovecot/dovecot-sql.conf.ext
 chmod 640 /etc/dovecot/dovecot-sql.conf.ext

-# Auth-SQL Einbindung
+# Auth-SQL → userdb static auf vmail:mail (Home unter /var/mail/vhosts/%d/%n)
 cat > /etc/dovecot/conf.d/auth-sql.conf.ext <<'CONF'
 passdb {
  driver = sql
@ -50,13 +83,13 @@ passdb {
 }
 userdb {
  driver = static
-  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
+  args = uid=vmail gid=mail home=/var/mail/vhosts/%d/%n
 }
 CONF
 chown root:dovecot /etc/dovecot/conf.d/auth-sql.conf.ext
 chmod 640 /etc/dovecot/conf.d/auth-sql.conf.ext

-# Master-Services (LMTP + AUTH + Listener)
+# Master-Services (LMTP + AUTH + IMAP/POP3 Listener)
 cat > /etc/dovecot/conf.d/10-master.conf <<'CONF'
 service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
@ -73,27 +106,18 @@ service auth {
  }
 }
 service imap-login {
-  inet_listener imap  {
-    port = 143
-  }
-  inet_listener imaps {
-    port = 993
-    ssl = yes
-  }
+  inet_listener imap  { port = 143 }
+  inet_listener imaps { port = 993  ssl = yes }
 }
 service pop3-login {
-  inet_listener pop3  {
-    port = 110
-  }
-  inet_listener pop3s {
-    port = 995
-    ssl = yes
-  }
+  inet_listener pop3  { port = 110 }
+  inet_listener pop3s { port = 995  ssl = yes }
 }
 CONF

-# SSL – stabile Mail-Pfade
+# SSL – auf stabile Mail-Pfade zeigen
 DOVECOT_SSL_CONF="/etc/dovecot/conf.d/10-ssl.conf"
+touch "$DOVECOT_SSL_CONF"
 grep -q '^ssl\s*=' "$DOVECOT_SSL_CONF" 2>/dev/null || echo "ssl = required" >> "$DOVECOT_SSL_CONF"
 if grep -q '^\s*ssl_cert\s*=' "$DOVECOT_SSL_CONF"; then
  sed -i "s|^\s*ssl_cert\s*=.*|ssl_cert = <${MAIL_CERT}|" "$DOVECOT_SSL_CONF"
@ -105,6 +129,7 @@ if grep -q '^\s*ssl_key\s*=' "$DOVECOT_SSL_CONF"; then
 else
  echo "ssl_key  = <${MAIL_KEY}" >> "$DOVECOT_SSL_CONF"
 fi
+grep -q '^ssl_min_protocol' "$DOVECOT_SSL_CONF" || echo "ssl_min_protocol = TLSv1.2" >> "$DOVECOT_SSL_CONF"

 # Postfix-Socket-Verzeichnis sicherstellen
 mkdir -p /var/spool/postfix/private
@ -113,5 +138,125 @@ chmod 0755     /var/spool/postfix
 chown postfix:postfix /var/spool/postfix/private
 chmod 0755            /var/spool/postfix/private

-# Nur aktivieren – Start/Reload erst nach App/DB in 90-services.sh
+# Nur aktivieren – Start/Reload später
 systemctl enable dovecot >/dev/null 2>&1 || true
+
+##!/usr/bin/env bash
+#set -euo pipefail
+#source ./lib.sh
+#
+#MAIL_SSL_DIR="/etc/ssl/mail"
+#MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem"
+#MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"
+#
+#log "Dovecot konfigurieren …"
+#
+## Hauptdatei
+#cat > /etc/dovecot/dovecot.conf <<'CONF'
+#!include_try /etc/dovecot/conf.d/*.conf
+#CONF
+#
+## Mail-Location & Namespace
+#cat > /etc/dovecot/conf.d/10-mail.conf <<'CONF'
+#protocols = imap pop3 lmtp
+#mail_location = maildir:/var/mail/vhosts/%d/%n
+#
+#namespace inbox {
+#  inbox = yes
+#}
+#
+#mail_privileged_group = mail
+#first_valid_uid = 109
+#last_valid_uid  = 109
+#CONF
+#
+## Auth
+#cat > /etc/dovecot/conf.d/10-auth.conf <<'CONF'
+#disable_plaintext_auth = yes
+#auth_mechanisms = plain login
+#!include_try auth-sql.conf.ext
+#CONF
+#
+## SQL-Anbindung
+#cat > /etc/dovecot/dovecot-sql.conf.ext <<CONF
+#driver = mysql
+#connect = host=127.0.0.1 dbname=${DB_NAME} user=${DB_USER} password=${DB_PASS}
+#default_pass_scheme = BLF-CRYPT
+#password_query = SELECT email AS user, password_hash AS password FROM mail_users WHERE email = '%u' AND is_active = 1 LIMIT 1;
+#CONF
+#chown root:dovecot /etc/dovecot/dovecot-sql.conf.ext
+#chmod 640 /etc/dovecot/dovecot-sql.conf.ext
+#
+## Auth-SQL Einbindung
+#cat > /etc/dovecot/conf.d/auth-sql.conf.ext <<'CONF'
+#passdb {
+#  driver = sql
+#  args = /etc/dovecot/dovecot-sql.conf.ext
+#}
+#userdb {
+#  driver = static
+#  args = uid=vmail gid=mail home=/var/mail/vhosts/%d/%n
+#}
+#CONF
+#chown root:dovecot /etc/dovecot/conf.d/auth-sql.conf.ext
+#chmod 640 /etc/dovecot/conf.d/auth-sql.conf.ext
+#
+## Master-Services (LMTP + AUTH + Listener)
+#cat > /etc/dovecot/conf.d/10-master.conf <<'CONF'
+#service lmtp {
+#  unix_listener /var/spool/postfix/private/dovecot-lmtp {
+#    mode = 0600
+#    user = postfix
+#    group = postfix
+#  }
+#}
+#service auth {
+#  unix_listener /var/spool/postfix/private/auth {
+#    mode = 0660
+#    user = postfix
+#    group = postfix
+#  }
+#}
+#service imap-login {
+#  inet_listener imap  {
+#    port = 143
+#  }
+#  inet_listener imaps {
+#    port = 993
+#    ssl = yes
+#  }
+#}
+#service pop3-login {
+#  inet_listener pop3  {
+#    port = 110
+#  }
+#  inet_listener pop3s {
+#    port = 995
+#    ssl = yes
+#  }
+#}
+#CONF
+#
+## SSL – stabile Mail-Pfade
+#DOVECOT_SSL_CONF="/etc/dovecot/conf.d/10-ssl.conf"
+#grep -q '^ssl\s*=' "$DOVECOT_SSL_CONF" 2>/dev/null || echo "ssl = required" >> "$DOVECOT_SSL_CONF"
+#if grep -q '^\s*ssl_cert\s*=' "$DOVECOT_SSL_CONF"; then
+#  sed -i "s|^\s*ssl_cert\s*=.*|ssl_cert = <${MAIL_CERT}|" "$DOVECOT_SSL_CONF"
+#else
+#  echo "ssl_cert = <${MAIL_CERT}" >> "$DOVECOT_SSL_CONF"
+#fi
+#if grep -q '^\s*ssl_key\s*=' "$DOVECOT_SSL_CONF"; then
+#  sed -i "s|^\s*ssl_key\s*=.*|ssl_key  = <${MAIL_KEY}|" "$DOVECOT_SSL_CONF"
+#else
+#  echo "ssl_key  = <${MAIL_KEY}" >> "$DOVECOT_SSL_CONF"
+#fi
+#
+## Postfix-Socket-Verzeichnis sicherstellen
+#mkdir -p /var/spool/postfix/private
+#chown root:root /var/spool/postfix
+#chmod 0755     /var/spool/postfix
+#chown postfix:postfix /var/spool/postfix/private
+#chmod 0755            /var/spool/postfix/private
+#
+## Nur aktivieren – Start/Reload erst nach App/DB in 90-services.sh
+#systemctl enable dovecot >/dev/null 2>&1 || true
--- a/scripts/60-rspamd-opendkim.sh
+++ b/scripts/60-rspamd-opendkim.sh
@ -2,25 +2,191 @@
 set -euo pipefail
 source ./lib.sh

-log "Rspamd + OpenDKIM …"
+log "Rspamd + OpenDKIM einrichten …"

-cat > /etc/rspamd/local.d/worker-controller.inc <<'CONF'
-password = "admin";
+# ---------------------------
+# Variablen / Defaults
+# ---------------------------
+# Installer-Variablen laden, falls vorhanden
+set +u
+[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
+set -u
+
+BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
+DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"
+DKIM_GENERATE="${DKIM_GENERATE:-0}"             # 1 = Key erzeugen, falls fehlt
+RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
+
+# ---------------------------
+# Rspamd: Controller + Milter
+# ---------------------------
+install -d -m 0755 /etc/rspamd/local.d
+
+# Controller-Passwort gehasht schreiben
+if command -v rspamadm >/dev/null 2>&1; then
+  RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
+else
+  # Fallback: falls rspamadm noch nicht verfügbar ist (sollte selten sein)
+  # schreibe Klartext, damit Rspamd danach startbar ist; Hashen kann im nächsten Lauf erfolgen.
+  RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
+fi
+
+cat >/etc/rspamd/local.d/worker-controller.inc <<CONF
+password = "${RSPAMD_HASH}";
 bind_socket = "127.0.0.1:11334";
 CONF
+
+# Normal-Worker (Milter-Port für Postfix)
+cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
+bind_socket = "127.0.0.1:11332";
+CONF
+
+# Authentication-Results Header schreiben (praktisch zum Debuggen)
+cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
+use = ["authentication-results"];
+header = "Authentication-Results";
+CONF
+
 systemctl enable --now rspamd || true

-cat > /etc/opendkim.conf <<'CONF'
+# ---------------------------
+# OpenDKIM Grund-Setup
+# ---------------------------
+install -d -m 0755 /etc/opendkim
+install -d -m 0750 /etc/opendkim/keys
+chown -R opendkim:opendkim /etc/opendkim
+chmod 750 /etc/opendkim/keys
+
+# TrustedHosts (wer signieren darf)
+cat >/etc/opendkim/TrustedHosts <<'CONF'
+127.0.0.1
+::1
+localhost
+CONF
+chown opendkim:opendkim /etc/opendkim/TrustedHosts
+chmod 640 /etc/opendkim/TrustedHosts
+
+# Key-/Signing-Tabellen vorbereiten
+KEY_DIR="/etc/opendkim/keys/${BASE_DOMAIN}"
+KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
+
+install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
+
+# Falls gewünscht: fehlenden Key erzeugen
+if [[ "${DKIM_GENERATE}" = "1" && ! -s "${KEY_PRIV}" ]]; then
+  if command -v opendkim-genkey >/dev/null 2>&1; then
+    opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${BASE_DOMAIN}" -D "${KEY_DIR}"
+    # opendkim legt .private und .txt an (Selector.*)
+    chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
+    chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
+  fi
+fi
+
+# KeyTable (Selector → Keydatei)
+cat >/etc/opendkim/KeyTable <<CONF
+${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN} ${BASE_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}
+CONF
+chown opendkim:opendkim /etc/opendkim/KeyTable
+chmod 640 /etc/opendkim/KeyTable
+
+# SigningTable (welche From:-Domains werden womit signiert)
+cat >/etc/opendkim/SigningTable <<CONF
+*@${BASE_DOMAIN} ${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN}
+CONF
+chown opendkim:opendkim /etc/opendkim/SigningTable
+chmod 640 /etc/opendkim/SigningTable
+
+# Hauptkonfiguration
+cat >/etc/opendkim.conf <<'CONF'
 Syslog            yes
 UMask             002
 Mode              sv
 Socket            inet:8891@127.0.0.1
 Canonicalization  relaxed/simple
+
+# Nicht blockieren, wenn mal was fehlt
 On-BadSignature   accept
 On-Default        accept
 On-KeyNotFound    accept
 On-NoSignature    accept
+
 LogWhy            yes
 OversignHeaders   From
+
+# Tabellen/Listen
+KeyTable          /etc/opendkim/KeyTable
+SigningTable      refile:/etc/opendkim/SigningTable
+ExternalIgnoreList /etc/opendkim/TrustedHosts
+InternalHosts       /etc/opendkim/TrustedHosts
+
+UserID            opendkim:opendkim
+AutoRestart       yes
+AutoRestartRate   10/1h
+Background        yes
+DNSTimeout        5
+SignatureAlgorithm rsa-sha256
 CONF
+
 systemctl enable --now opendkim || true
+systemctl restart opendkim || true
+systemctl restart rspamd   || true
+
+# ---------------------------
+# Postfix: Milter-Anbindung prüfen/setzen (nur ergänzen, nicht zerstören)
+# ---------------------------
+# Diese Werte setzt dein Postfix-Skript normalerweise bereits.
+# Hier nur als Absicherung, falls noch leer.
+need_set() {
+  local key="$1"
+  local cur
+  cur="$(postconf -h "$key" 2>/dev/null || true)"
+  [[ -z "$cur" ]]
+}
+
+if need_set smtpd_milters; then
+  /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
+fi
+if need_set non_smtpd_milters; then
+  /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
+fi
+
+systemctl reload postfix || true
+
+# ---------------------------
+# Hinweise (einmalig, nicht kritisch)
+# ---------------------------
+if [[ ! -s "${KEY_PRIV}" ]]; then
+  echo "[!] OpenDKIM: Kein Private Key gefunden unter: ${KEY_PRIV}"
+  echo "    - Wenn deine App die Keys verwaltet, lege die Private-Key-Datei genau dort ab"
+  echo "      (Owner: opendkim:opendkim, Mode: 600) und passe ggf. DKIM_SELECTOR/BASIS_DOMAIN an."
+  echo "    - Oder setze DKIM_GENERATE=1 und starte dieses Skript erneut, um einen Key zu erzeugen."
+fi
+
+echo "[✓] Rspamd + OpenDKIM fertig. Postfix ist an Rspamd (11332) und OpenDKIM (8891) angebunden."
+
+##!/usr/bin/env bash
+#set -euo pipefail
+#source ./lib.sh
+#
+#log "Rspamd + OpenDKIM …"
+#
+#cat > /etc/rspamd/local.d/worker-controller.inc <<'CONF'
+#password = "admin";
+#bind_socket = "127.0.0.1:11334";
+#CONF
+#systemctl enable --now rspamd || true
+#
+#cat > /etc/opendkim.conf <<'CONF'
+#Syslog           yes
+#UMask            002
+#Mode             sv
+#Socket           inet:8891@127.0.0.1
+#Canonicalization relaxed/simple
+#On-BadSignature  accept
+#On-Default       accept
+#On-KeyNotFound   accept
+#On-NoSignature   accept
+#LogWhy           yes
+#OversignHeaders  From
+#CONF
+#systemctl enable --now opendkim || true