diff --git a/scripts/40-postfix.sh b/scripts/40-postfix.sh
index 0445a2a..a8a5b39 100644
--- a/scripts/40-postfix.sh
+++ b/scripts/40-postfix.sh
@@ -35,14 +35,15 @@ fi
 /usr/sbin/postconf -e "smtp_tls_security_level = may"
 /usr/sbin/postconf -e "smtp_tls_loglevel = 1"
-# ++ HÄRTUNG: DH-Parameter + ECDHE bevorzugen ++
-DH_FILE="/etc/ssl/private/dhparams.pem"
+DH_FILE="/etc/ssl/private/dhparam.pem"
 if [[ ! -s "$DH_FILE" ]]; then
- openssl dhparam -out "$DH_FILE" 4096
+ log "Generiere 2048-Bit DH-Parameter …"
+ openssl dhparam -out "$DH_FILE" 2048
 chmod 600 "$DH_FILE"
 chown root:root "$DH_FILE"
 fi
 /usr/sbin/postconf -e "smtpd_tls_dh1024_param_file = ${DH_FILE}"
+/usr/sbin/postconf -e "smtpd_tls_dh1024_param_file = ${DH_FILE}"
 /usr/sbin/postconf -e "smtpd_tls_eecdh_grade = strong"
 /usr/sbin/postconf -e "tls_preempt_cipherlist = yes"
diff --git a/scripts/50-dovecot.sh b/scripts/50-dovecot.sh
index 0122e42..bd2922f 100644
--- a/scripts/50-dovecot.sh
+++ b/scripts/50-dovecot.sh
@@ -55,7 +55,6 @@ first_valid_uid = ${VMAIL_UID}
 last_valid_uid = ${VMAIL_UID}
 CONF
-# Standard-Mailboxen automatisch erstellen/abonnieren
 cat > /etc/dovecot/conf.d/15-mailboxes.conf <<'CONF'
 namespace inbox {
 inbox = yes
@@ -76,8 +75,6 @@ namespace inbox {
 special_use = \Sent
 auto = subscribe
 }
-
- # optional: Archive mailbox
 Archive {
 special_use = \Archive
 auto = create
@@ -90,6 +87,9 @@ cat > /etc/dovecot/conf.d/10-auth.conf <<'CONF'
 disable_plaintext_auth = yes
 auth_mechanisms = plain login
 !include_try auth-sql.conf.ext
+
+auth_cache_size = 10M
+auth_cache_ttl = 1 hour
 CONF
 # SQL-Anbindung (Passwörter aus App-DB)
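Review bot: The added `/usr/sbin/postconf -e "smtpd_tls_dh1024_param_file = ${DH_FILE}"` line repeats the unchanged line directly above it, so the new side sets the same parameter twice; drop the duplicate, or correct it if a different parameter was meant. With the old `# ++ HÄRTUNG …` comment gone the DH block carries no explanation any more; a header such as `# DH group for DHE fallback; the "1024" in the Postfix parameter name is historical, the file holds the 2048-bit group generated above` would keep the intent visible. The rename from dhparams.pem to dhparam.pem means a host set up by the previous version regenerates the file and keeps an orphaned dhparams.pem, and every other script that references the old name must move in the same commit — the ssl_dh line in 50-dovecot.sh appears to be touched for that reason, but its path is not legible on this page. `log` is presumably a helper sourced before this point; confirm it is defined when 40-postfix.sh runs on its own.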
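Review bot: Enabling the auth cache with `auth_cache_size = 10M` and `auth_cache_ttl = 1 hour` means a password changed or an account disabled in the application database can keep authenticating with the old credentials for up to an hour, and the hunk does not say so; per the `!include_try auth-sql.conf.ext` line above, the SQL passdb is the only source of truth here. A comment next to the two new lines such as `# passdb/userdb results are cached for auth_cache_ttl; run 'doveadm auth cache flush' after credential changes in the app DB` would record the trade-off, and the application flow that changes passwords or locks accounts should trigger that flush. If a shorter staleness window is acceptable, lowering `auth_cache_ttl` and setting `auth_cache_negative_ttl` explicitly is the simpler knob.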
@@ -116,7 +116,26 @@ CONF
 chown root:dovecot /etc/dovecot/conf.d/auth-sql.conf.ext
 chmod 640 /etc/dovecot/conf.d/auth-sql.conf.ext
-# Master-Services (LMTP + AUTH + IMAP/POP3 Listener v)
+# ──────────────────────────────────────────────────────────────────────────────
+# 3) IMAP Optimierung (iOS/IDLE-freundlich)
+# ──────────────────────────────────────────────────────────────────────────────
+
+cat > /etc/dovecot/conf.d/20-imap.conf <<'CONF'
+# IMAP-spezifische Einstellungen
+
+imap_idle_notify_interval = 2 mins
+imap_hibernate_timeout = 0
+
+protocol imap {
+ mail_max_userip_connections = 20
+ imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged}
+}
+CONF
+
+# ──────────────────────────────────────────────────────────────────────────────
+# 4) Master Services (LMTP, AUTH, IMAP, POP3, STATS)
+# ──────────────────────────────────────────────────────────────────────────────
+
 cat > /etc/dovecot/conf.d/10-master.conf <<'CONF'
 service lmtp {
 unix_listener /var/spool/postfix/private/dovecot-lmtp {
@@ -131,6 +150,12 @@ service auth {
 user = postfix
 group = postfix
 }
+ unix_listener auth-userdb {
+ mode = 0660
+ user = vmail
+ group = mail
+ }
+ process_limit = 1
 }
 service imap-login {
 inet_listener imap {
@@ -140,6 +165,10 @@ service imap-login {
 port = 993
 ssl = yes
 }
+ process_limit = 128
+ process_min_avail = 10
+ service_count = 0
+ vsz_limit = 512M
 }
 service pop3-login {
 inet_listener pop3 {
@@ -149,6 +178,8 @@ service pop3-login {
 port = 995
 ssl = yes
 }
+ process_limit = 50
+ service_count = 0
 }
 CONF
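Review bot: The new `unix_listener auth-userdb` block hands userdb lookups (uid, gid and home per account, and therefore account-existence answers) to anything running as `vmail` or in group `mail` via mode 0660, but nothing states which consumer needs the socket; a comment such as `# userdb lookups for dovecot-lda/doveadm running as vmail; keep 0660 so only vmail:mail can query` would make the grant reviewable and discourage loosening the mode later. Confirm that group `mail` contains no other service accounts on these hosts. `process_limit = 1` sits at service scope rather than inside the listener block, which is where it belongs; the enclosing `service auth {` block starts before the hunk.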
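Review bot: `service_count = 0` switches imap-login (and, in the following pop3-login hunk, pop3-login) to reused login processes, where one process keeps serving new connections instead of exiting after each one; as I read the Dovecot login-process documentation, this is the high-performance mode that gives up the per-connection process isolation of the default, so a compromised login process would expose the other sessions handled by that process. That is a defensible choice for a busy server, but it should be recorded next to the setting in both hunks, e.g. `# service_count = 0: reuse login processes (high-performance mode); weaker per-connection isolation than the default, accepted for load`. `process_limit`, `process_min_avail` and `vsz_limit` are plain tuning and need no change. The enclosing `service imap-login {` block starts before the hunk.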
@@ -176,7 +207,10 @@ service stats {
 }
 CONF
-# SSL – auf stabile Mail-Pfade zeigen
+# ──────────────────────────────────────────────────────────────────────────────
+# 5) SSL-Konfiguration (ohne DH-Param-Erzeugung)
+# ──────────────────────────────────────────────────────────────────────────────
+
 DOVECOT_SSL_CONF="/etc/dovecot/conf.d/10-ssl.conf"
 touch "$DOVECOT_SSL_CONF"
 grep -q '^ssl\s*=' "$DOVECOT_SSL_CONF" 2>/dev/null || echo "ssl = required" >> "$DOVECOT_SSL_CONF"
@@ -191,17 +225,23 @@ else
 echo "ssl_key = <${MAIL_KEY}" >> "$DOVECOT_SSL_CONF"
 fi
 grep -q '^ssl_min_protocol' "$DOVECOT_SSL_CONF" || echo "ssl_min_protocol = TLSv1.2" >> "$DOVECOT_SSL_CONF"
-
-# Starke Cipher + DH-Params für DHE-Fallback
 grep -q '^ssl_prefer_server_ciphers' "$DOVECOT_SSL_CONF" || echo "ssl_prefer_server_ciphers = yes" >> "$DOVECOT_SSL_CONF"
-grep -q '^ssl_dh' "$DOVECOT_SSL_CONF" || echo "ssl_dh = > "$DOVECOT_SSL_CONF"
-# Postfix-Socket-Verzeichnis sicherstellen
+grep -q '^ssl_dh' "$DOVECOT_SSL_CONF" || echo "ssl_dh = > "$DOVECOT_SSL_CONF"
+
+# ──────────────────────────────────────────────────────────────────────────────
+# 6) Verzeichnisse & Rechte prüfen
+# ──────────────────────────────────────────────────────────────────────────────
+
 mkdir -p /var/spool/postfix/private
 chown root:root /var/spool/postfix
 chmod 0755 /var/spool/postfix
 chown postfix:postfix /var/spool/postfix/private
 chmod 0755 /var/spool/postfix/private
-# Nur aktivieren – Start/Reload später
-#systemctl enable dovecot >/dev/null 2>&1 || true
\ No newline at end of file
+
+# ──────────────────────────────────────────────────────────────────────────────
+# 7) Abschluss
+# ──────────────────────────────────────────────────────────────────────────────
+
+log "Dovecot-Konfiguration abgeschlossen."
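Review bot: The `grep -q '^ssl_dh' "$DOVECOT_SSL_CONF" || echo "ssl_dh = …" >> …` line only appends when no `ssl_dh` key exists, so on a host configured by the previous version the existing line is never rewritten and Dovecot keeps pointing at the DH file name that 40-postfix.sh renames in this same commit, a file that is no longer generated (the value after `ssl_dh =` is not legible on this page, so the rename dependency is inferred). The unchanged `ssl_min_protocol` and `ssl_prefer_server_ciphers` lines have the same append-only behaviour, but they are not what changes here. Replace the ssl_dh line with an update-or-append step that takes the path from one variable kept in sync with 40-postfix.sh, and since the section header says DH generation happens elsewhere, fail early when that file is missing rather than letting Dovecot refuse to start later. `log` on the last line is presumably a helper sourced earlier; confirm it is defined when this script runs standalone.
```shell
# … unchanged: ssl_prefer_server_ciphers line …
# DH group is generated by 40-postfix.sh; keep the path identical to DH_FILE there.
DH_FILE="/etc/ssl/private/dhparam.pem"
[[ -s "$DH_FILE" ]] || { printf 'missing DH parameter file: %s\n' "$DH_FILE" >&2; exit 1; }
if grep -q '^ssl_dh' "$DOVECOT_SSL_CONF"; then
  sed -i "s|^ssl_dh.*|ssl_dh = <${DH_FILE}|" "$DOVECOT_SSL_CONF"
else
  printf 'ssl_dh = <%s\n' "$DH_FILE" >> "$DOVECOT_SSL_CONF"
fi
# … unchanged: directory and permission section …
```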