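#!/usr/bin/env bash
#
# Configure Dovecot for the mail stack: create the vmail user and mail spool,
# write the conf.d fragments (mail location, mailboxes, auth/SQL, IMAP, master
# services, app-access permissions), set up TLS and fix the Postfix socket
# directory permissions.
#
# Must run as root. Requires lib.sh (provides `log`) next to this script and an
# installed Dovecot package (the `dovecot` group must exist).
set -euo pipefail

# Resolve lib.sh relative to the script, not to the caller's working directory.
script_dir="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=./lib.sh
source "${script_dir}/lib.sh"

# Fail loudly; defined here only when lib.sh does not already provide it.
if ! declare -F die >/dev/null; then
  die() { printf '%s\n' "$*" >&2; exit 1; }
fi

MAIL_SSL_DIR="/etc/ssl/mail"
MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem"
MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"
DOVECOT_SSL_CONF="/etc/dovecot/conf.d/10-ssl.conf"

# FIXME(review): three spans of this script were lost in extraction — the
# heredoc bodies of conf.d/10-mail.conf and dovecot-sql.conf.ext, and the file
# name in the ssl_dh line. Until they are restored from version control the
# script refuses to run *before* touching the system (sections 2 and 5 mark the
# exact spots) instead of overwriting dovecot.conf and then failing half-way.
die "Dovecot-Templates (10-mail.conf, dovecot-sql.conf.ext) fehlen in dieser Skriptkopie – bitte wiederherstellen."

log "Dovecot konfigurieren …"

#######################################
# Replace an existing "key = …" line in the SSL config, or append one.
# Globals:   DOVECOT_SSL_CONF (written)
# Arguments: $1 - setting name, $2 - value (Dovecot's "<file" form allowed)
#######################################
ssl_set() {
  local key=$1 value=$2
  if grep -q "^\s*${key}\s*=" "$DOVECOT_SSL_CONF"; then
    sed -i "s|^\s*${key}\s*=.*|${key} = ${value}|" "$DOVECOT_SSL_CONF"
  else
    printf '%s = %s\n' "$key" "$value" >> "$DOVECOT_SSL_CONF"
  fi
}

#######################################
# Append "key = …" only when the key is not configured yet, so an operator's
# own value survives re-runs.
# Globals:   DOVECOT_SSL_CONF (written)
# Arguments: $1 - setting name, $2 - value
#######################################
ssl_default() {
  local key=$1 value=$2
  grep -q "^${key}\s*=" "$DOVECOT_SSL_CONF" \
    || printf '%s = %s\n' "$key" "$value" >> "$DOVECOT_SSL_CONF"
}

# ──────────────────────────────────────────────────────────────────────────────
# 1) vmail user/group & mail spool (DYNAMIC UID!)
# ──────────────────────────────────────────────────────────────────────────────
# Make sure the 'mail' group exists (normally present on Debian/Ubuntu).
if ! getent group mail >/dev/null; then
  # Prefer the conventional GID 8; if it is taken fall back to an automatic GID
  # instead of swallowing the error (useradd -g mail would fail later anyway).
  groupadd -g 8 mail 2>/dev/null || groupadd mail
fi

# Create vmail if missing. Prefer UID 109 when free, otherwise automatic.
if ! getent passwd vmail >/dev/null; then
  useradd_args=(-g mail -d /var/mail -M -s /usr/sbin/nologin)
  getent passwd 109 >/dev/null || useradd_args+=(-u 109)
  useradd "${useradd_args[@]}" vmail
fi

# Resolve the actual vmail UID; it belongs in the 10-mail.conf template below.
# shellcheck disable=SC2034 — consumed by the (currently missing) template
VMAIL_UID="$(id -u vmail)"

# Mail spool base: vmail/mail only, nothing for others.
install -d -m 0770 -o vmail -g mail /var/mail/vhosts

# ──────────────────────────────────────────────────────────────────────────────
# 2) Dovecot skeleton
# ──────────────────────────────────────────────────────────────────────────────
install -d -m 0755 /etc/dovecot/conf.d
cat > /etc/dovecot/dovecot.conf <<'CONF'
!include_try /etc/dovecot/conf.d/*.conf
CONF

# Mail location & namespace + UID limits.
# FIXME(review): the heredoc body of conf.d/10-mail.conf is missing from this
# copy (it is where VMAIL_UID gets written). In the garbled text the command had
# collapsed into `cat > 10-mail.conf < 15-mailboxes.conf <<'CONF'`, which would
# silently write the mailbox namespace into 10-mail.conf and never write
# 15-mailboxes.conf at all — restore the template before removing the
# preflight abort above.

# Mailboxes / namespace
cat > /etc/dovecot/conf.d/15-mailboxes.conf <<'CONF'
namespace inbox {
  inbox = yes
  mailbox Drafts {
    special_use = \Drafts
    auto = subscribe
  }
  mailbox Junk {
    special_use = \Junk
    auto = subscribe
  }
  mailbox Trash {
    special_use = \Trash
    auto = subscribe
  }
  mailbox Sent {
    special_use = \Sent
    auto = subscribe
  }
  mailbox Archive {
    special_use = \Archive
    auto = create
  }
}
CONF

# Auth: plaintext mechanisms are only accepted inside TLS
# (disable_plaintext_auth = yes), credentials come from SQL.
cat > /etc/dovecot/conf.d/10-auth.conf <<'CONF'
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include_try auth-sql.conf.ext
auth_cache_size = 10M
auth_cache_ttl = 1 hour
CONF

# SQL binding (passwords from the app DB).
# This file carries the database credentials: create it 0640 root:dovecot
# *before* it is written so there is no window in which it is world-readable.
install -m 0640 -o root -g dovecot /dev/null /etc/dovecot/dovecot-sql.conf.ext
# FIXME(review): the heredoc body of dovecot-sql.conf.ext is missing from this
# copy (lost together with the `cat >` of auth-sql.conf.ext below); restore it
# before removing the preflight abort above.

# passdb/userdb wiring; created with its final mode instead of chmod-ing later.
install -m 0640 -o root -g dovecot /dev/null /etc/dovecot/conf.d/auth-sql.conf.ext
cat > /etc/dovecot/conf.d/auth-sql.conf.ext <<'CONF'
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=mail home=/var/mail/vhosts/%d/%n
}
CONF

# ──────────────────────────────────────────────────────────────────────────────
# 3) IMAP tuning (iOS/IDLE friendly)
# ──────────────────────────────────────────────────────────────────────────────
cat > /etc/dovecot/conf.d/20-imap.conf <<'CONF'
# IMAP-spezifische Einstellungen
imap_idle_notify_interval = 2 mins
imap_hibernate_timeout = 0
protocol imap {
  mail_max_userip_connections = 20
  imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged}
}
CONF

# ──────────────────────────────────────────────────────────────────────────────
# 4) Master services (LMTP, AUTH, IMAP, POP3, STATS)
# ──────────────────────────────────────────────────────────────────────────────
# Ports 143/110 stay open for STARTTLS; logins on them without TLS are refused
# by disable_plaintext_auth in 10-auth.conf. The Postfix-facing sockets are
# restricted to the postfix user.
cat > /etc/dovecot/conf.d/10-master.conf <<'CONF'
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  unix_listener auth-userdb {
    mode = 0660
    user = vmail
    group = mail
  }
  process_limit = 1
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_limit = 128
  process_min_avail = 10
  service_count = 0
  vsz_limit = 512M
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
  process_limit = 50
  service_count = 0
}
CONF

# --- Dovecot: doveadm/stats sockets for app access ---
# Grants the vmail user (presumably the identity the app runs as — confirm)
# read/write on auth-userdb and both stats sockets.
cat >/etc/dovecot/conf.d/99-mailwolt-perms.conf <<'CONF'
service auth {
  unix_listener auth-userdb {
    mode = 0660
    user = vmail
    group = mail
  }
}
service stats {
  unix_listener stats-reader {
    mode = 0660
    user = vmail
    group = mail
  }
  unix_listener stats-writer {
    mode = 0660
    user = vmail
    group = mail
  }
}
CONF

# ──────────────────────────────────────────────────────────────────────────────
# 5) TLS configuration (no DH parameter generation here)
# ──────────────────────────────────────────────────────────────────────────────
# Unlike the other fragments this file is edited in place so operator overrides
# survive re-runs: cert/key are always pointed at MAIL_CERT/MAIL_KEY, the
# remaining keys are only added when absent.
for f in "$MAIL_CERT" "$MAIL_KEY"; do
  [[ -e "$f" ]] || log "WARNUNG: ${f} fehlt – Dovecot kann ohne Zertifikat nicht starten."
done
touch "$DOVECOT_SSL_CONF"
ssl_default ssl required
ssl_set ssl_cert "<${MAIL_CERT}"
ssl_set ssl_key "<${MAIL_KEY}"
ssl_default ssl_min_protocol TLSv1.2
ssl_default ssl_prefer_server_ciphers yes
# FIXME(review): the file name in the original `ssl_dh = <…` line was cut off in
# this copy. DOVECOT_DH_PARAM is introduced here as a stop-gap; point it at the
# pre-generated DH parameter file the original referenced.
if [[ -n "${DOVECOT_DH_PARAM:-}" ]]; then
  [[ -r "$DOVECOT_DH_PARAM" ]] || die "DH-Parameterdatei nicht lesbar: ${DOVECOT_DH_PARAM}"
  ssl_default ssl_dh "<${DOVECOT_DH_PARAM}"
else
  log "WARNUNG: DOVECOT_DH_PARAM nicht gesetzt – ssl_dh wird nicht konfiguriert."
fi

# ──────────────────────────────────────────────────────────────────────────────
# 6) Directories & permissions
# ──────────────────────────────────────────────────────────────────────────────
mkdir -p /var/spool/postfix/private
chown root:root /var/spool/postfix
chmod 0755 /var/spool/postfix
chown postfix:postfix /var/spool/postfix/private
# NOTE(review): Postfix itself ships `private` as 0700 postfix:postfix; the
# sockets Dovecot creates inside are 0600/0660 (10-master.conf), so 0755 exposes
# nothing directly, but `postfix check` may well reset the mode — confirm
# whether 0700 was intended.
chmod 0755 /var/spool/postfix/private

# ──────────────────────────────────────────────────────────────────────────────
# 7) Done
# ──────────────────────────────────────────────────────────────────────────────
log "Dovecot-Konfiguration abgeschlossen."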