diff --git a/scripts/10-provision.sh b/scripts/10-provision.sh
index fd28ec8..d58aea6 100644
--- a/scripts/10-provision.sh
+++ b/scripts/10-provision.sh
@@ -25,6 +25,25 @@ apt-get -y autoremove >/dev/null 2>&1 || true
 log "Systemuser/Dirs …"
 id vmail >/dev/null 2>&1 || adduser --system --group --home /var/mail vmail
 id "$APP_USER" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$APP_USER"
+# Systemuser/Dirs …
+id vmail >/dev/null 2>&1 || adduser --system --group --home /var/mail vmail
+id "$APP_USER" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$APP_USER"
+
+# --- FIX: Gruppen und Berechtigungen für Maildir und Dovecot-Zugriff ---
+# vmail soll primär der Gruppe "mail" angehören, zusätzlich dovecot
+usermod -g mail -a -G dovecot vmail || true
+
+# App-User in relevante Gruppen
+usermod -a -G "$APP_GROUP" "$APP_USER" || true
+usermod -a -G mail,dovecot "$APP_USER" || true
+
+# Maildir-Baum für Gruppe mail lesbar
+chgrp -R mail /var/mail/vhosts || true
+chmod -R g+rx /var/mail/vhosts || true
+
+# ACLs setzen, damit neue Verzeichnisse automatisch passende Rechte bekommen
+setfacl -R -m g:mail:rx /var/mail/vhosts || true
+setfacl -dR -m g:mail:rx /var/mail/vhosts || true
 usermod -a -G "$APP_GROUP" "$APP_USER" || true
 install -d -m 0755 -o root -g root /var/www
 install -d -m 0775 -o "$APP_USER" -g "$APP_GROUP" "$APP_DIR"
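Review bot: `chmod -R g+rx /var/mail/vhosts` and the two `setfacl … g:mail:rx` calls set the execute bit on every regular mail file under the tree, not only on directories; the capital-X form, `chmod -R g+rX /var/mail/vhosts || true`, `setfacl -R -m g:mail:rX /var/mail/vhosts || true` and `setfacl -dR -m g:mail:rX /var/mail/vhosts || true`, applies x only to directories (and to files that already carry it). Combined with `usermod -a -G mail,dovecot "$APP_USER"` this gives the application user read access to every mailbox under /var/mail/vhosts plus membership in the dovecot group; if the app only needs message counts (the sudoers alias added later in this same file is limited to `doveadm mailbox status`), the group memberships and the recursive chmod/ACL grant more than the feature requires and are worth narrowing. Every step ends in `|| true`, so a missing `acl` package, an absent `mail`/`dovecot` group or a not-yet-existing /var/mail/vhosts at this point leaves the tree half-configured without a log line; at least the `usermod -g mail` and the setfacl steps should report failure. The added `# Systemuser/Dirs …`, `id vmail …` and `id "$APP_USER" …` lines repeat the three context lines directly above them, and `usermod -a -G "$APP_GROUP" "$APP_USER"` is repeated by the context line immediately after the insertion, so the duplicates can be dropped.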
@@ -54,6 +73,17 @@ if ! visudo -c -f "${SUDOERS_DKIM}" >/dev/null 2>&1; then
 rm -f "${SUDOERS_DKIM}"
 fi
+SUDOERS_DOVEADM="/etc/sudoers.d/mailwolt-doveadm"
+cat > "${SUDOERS_DOVEADM}" <<'EOF'
+Cmnd_Alias MW_DOVEADM_STATUS = /usr/bin/doveadm -f tab mailbox status -u * messages INBOX, \
+ /usr/bin/doveadm mailbox status -u * messages INBOX
+www-data ALL=(vmail) NOPASSWD: MW_DOVEADM_STATUS
+mailwolt ALL=(vmail) NOPASSWD: MW_DOVEADM_STATUS
+EOF
+chown root:root "${SUDOERS_DOVEADM}"
+chmod 440 "${SUDOERS_DOVEADM}"
+visudo -c -f "${SUDOERS_DOVEADM}" || rm -f "${SUDOERS_DOVEADM}"
+
 log "MariaDB include-fix …"
 mkdir -p /etc/mysql/mariadb.conf.d
 [[ -f /etc/mysql/mariadb.cnf ]] || echo '!include /etc/mysql/mariadb.conf.d/*.cnf' > /etc/mysql/mariadb.cnf
diff --git a/scripts/50-dovecot.sh b/scripts/50-dovecot.sh
index 0892cfb..0122e42 100644
--- a/scripts/50-dovecot.sh
+++ b/scripts/50-dovecot.sh
@@ -152,6 +152,30 @@ service pop3-login {
 }
 CONF
+# --- Dovecot: doveadm-server für App-Zugriff ---
+cat >/etc/dovecot/conf.d/99-mailwolt-perms.conf <<'CONF'
+service auth {
+ unix_listener auth-userdb {
+ mode = 0660
+ user = vmail
+ group = mail
+ }
+}
+
+service stats {
+ unix_listener stats-reader {
+ mode = 0660
+ user = vmail
+ group = mail
+ }
+ unix_listener stats-writer {
+ mode = 0660
+ user = vmail
+ group = mail
+ }
+}
+CONF
+
 # SSL – auf stabile Mail-Pfade zeigen
 DOVECOT_SSL_CONF="/etc/dovecot/conf.d/10-ssl.conf"
 touch "$DOVECOT_SSL_CONF"
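Review bot: sudo matches command-line arguments as one space-separated string, so the `*` in `-u * messages INBOX` also matches a run of several words, which means the alias accepts additional doveadm options placed between `-u` and `messages` rather than only a single user name; if the user name reaching this sudo call originates from request data, the application should validate it against a strict character allow-list before invoking sudo, and a small wrapper script as the sudoers target would let the pattern contain no wildcard at all. The heredoc hardcodes `www-data` and `mailwolt` as principals while the rest of this script works with `$APP_USER`; because the delimiter is quoted (`<<'EOF'`) nothing expands, so the file drifts if `$APP_USER` is ever changed. The file is created by `cat >` under the process umask and only afterwards narrowed to 0440, and a failed `visudo -c` removes it without any message; creating it first with `install -m 0440 -o root -g root /dev/null "${SUDOERS_DOVEADM}"` and logging the removal would make both cases explicit.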
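Review bot: `mode = 0660` with `group = mail` on `auth-userdb`, `stats-reader` and `stats-writer` opens these sockets to every member of group mail, which after the provisioning change in this commit includes the application user, so a process running as that user can perform userdb lookups directly and not only through the sudo-restricted `doveadm mailbox status`; if the intent is that doveadm, running as vmail via sudo, reaches the sockets, then `user = vmail` with `mode = 0600` (or a dedicated group containing only vmail) is sufficient and keeps direct userdb access out of the web application's reach. The generated file carries no explanation of why these listeners are redefined; a header comment such as `# doveadm is run as vmail via sudo (scripts/10-provision.sh) and needs the auth-userdb and stats sockets` would document the dependency for the next maintainer. Since the file sorts as `99-…`, it presumably overrides whatever `10-master.conf` sets for the same listeners, which is worth stating in that comment as well.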