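#!/usr/bin/env bash
#
# Configure Postfix for the mailwolt stack: main.cf parameters, master.cf
# listeners (smtp/submission/smtps), the MySQL virtual maps under
# /etc/postfix/sql, and enabling the service (start/reload is left to a later
# step, see the end of this file).
#
# Required environment (provided by ./lib.sh or the caller):
#   MAIL_HOSTNAME      FQDN used for myhostname and the SMTP banner
#   DB_USER, DB_PASS, DB_NAME
#                      MySQL credentials written into the map files
# Optional:
#   MAIL_TLS_PROTOCOLS Postfix protocol list for smtpd_tls_protocols /
#                      smtpd_tls_mandatory_protocols. Defaults to the previous
#                      hard-coded "!SSLv2,!SSLv3" (TLS 1.0/1.1 still enabled);
#                      "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" is the value to use on
#                      new deployments.
#
# Must run as root (postconf, chown, systemctl).
set -euo pipefail

source ./lib.sh

readonly MAIL_SSL_DIR="/etc/ssl/mail"
readonly MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem"
readonly MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"
# Optional mirror of the TLS material consumed by other mailwolt components.
readonly MIRROR_SSL_DIR="/etc/mailwolt/ssl"
readonly SQL_DIR="/etc/postfix/sql"
readonly POSTCONF="/usr/sbin/postconf"
MAIL_TLS_PROTOCOLS="${MAIL_TLS_PROTOCOLS:-!SSLv2,!SSLv3}"
readonly MAIL_TLS_PROTOCOLS

# Fail up front with a readable message rather than an "unbound variable"
# error halfway through, once half of main.cf has already been rewritten.
: "${MAIL_HOSTNAME:?MAIL_HOSTNAME must be set}"
: "${DB_USER:?DB_USER must be set}"
: "${DB_PASS:?DB_PASS must be set}"
: "${DB_NAME:?DB_NAME must be set}"

#######################################
# Set a single main.cf parameter.
# Arguments: $1 - "name = value" as accepted by postconf -e
#######################################
pc() {
  "${POSTCONF}" -e "$1"
}

#######################################
# Write a Postfix MySQL map file from stdin.
# The file contains DB_PASS, so it must never be readable by "other", not even
# briefly: the content goes into a mktemp file (created 0600), ownership and
# mode are fixed on the temp file, and it is then moved into place atomically.
# (The previous "cat > file; chmod 640" sequence created the file with the
# default umask first, i.e. world-readable for a moment, and also left an
# already-existing 0644 file at 0644 until the chmod ran.)
# Arguments: $1 - destination path
# Outputs:   none; reads the map body from stdin
# Returns:   non-zero if the file could not be written
#######################################
write_sql_map() {
  local path=$1
  local tmp
  tmp=$(mktemp -- "${path}.XXXXXX") || return 1
  if ! cat > "${tmp}"; then
    rm -f -- "${tmp}"
    return 1
  fi
  chown root:postfix -- "${tmp}"
  chmod 640 -- "${tmp}"
  mv -f -- "${tmp}" "${path}"
}

log "Postfix konfigurieren …"

# --- TLS file permissions (only if the material is mirrored) ------------------
# The original checked for MAIL_KEY but then touched MIRROR_SSL_DIR; test the
# directory that is actually being modified.
if [[ -d "${MIRROR_SSL_DIR}" ]]; then
  chgrp -R postfix -- "${MIRROR_SSL_DIR}" || true
  chmod 750 -- "${MIRROR_SSL_DIR}" || true
  # Private key must stay group-readable at most; the cert gets the same
  # treatment for simplicity. Missing files are not an error here.
  for f in "${MIRROR_SSL_DIR}/key.pem" "${MIRROR_SSL_DIR}/cert.pem"; do
    [[ -e "${f}" ]] && chmod 640 -- "${f}"
  done
fi

if [[ ! -e "${MAIL_CERT}" || ! -e "${MAIL_KEY}" ]]; then
  # Postfix will still start but log TLS errors; make that visible now.
  log "Warnung: ${MAIL_CERT} oder ${MAIL_KEY} fehlt – TLS wird nicht funktionieren"
fi

# --- Base configuration -------------------------------------------------------
pc "myhostname = ${MAIL_HOSTNAME}"
pc "myorigin = \$myhostname"
# No local delivery at all: every domain is virtual (SQL maps below).
pc "mydestination = "
pc "inet_interfaces = all"
pc "inet_protocols = ipv4"
pc "smtpd_banner = \$myhostname ESMTP"

# --- TLS ----------------------------------------------------------------------
pc "smtpd_tls_cert_file = ${MAIL_CERT}"
pc "smtpd_tls_key_file = ${MAIL_KEY}"
# Opportunistic TLS on port 25 in both directions; submission/smtps below
# enforce encryption per listener.
pc "smtpd_tls_security_level = may"
pc "smtp_tls_security_level = may"
pc "smtpd_tls_received_header = yes"
pc "smtpd_tls_protocols = ${MAIL_TLS_PROTOCOLS}"
pc "smtpd_tls_mandatory_protocols = ${MAIL_TLS_PROTOCOLS}"
pc "smtpd_tls_loglevel = 1"
pc "smtp_tls_loglevel = 1"
# smtpd_sasl_auth_enable is set globally below, so port 25 also offers AUTH.
# Without this, clients could send credentials in clear text on port 25
# (smtpd_tls_security_level=may does not force STARTTLS); the submission and
# smtps listeners already set smtpd_tls_auth_only per service.
pc "smtpd_tls_auth_only = yes"

# --- SMTP hardening -----------------------------------------------------------
pc "disable_vrfy_command = yes"
pc "smtpd_helo_required = yes"

# --- Milter -------------------------------------------------------------------
# NOTE: "accept" means fail-open – if a milter is down, mail is accepted
# unfiltered/unsigned. Change to "tempfail" if that is not acceptable.
pc "milter_default_action = accept"
pc "milter_protocol = 6"
# presumably the rspamd proxy (11332) and OpenDKIM (8891) – confirm against
# their configuration.
pc "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
pc "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"

# --- SASL auth via Dovecot ----------------------------------------------------
pc "smtpd_sasl_type = dovecot"
pc "smtpd_sasl_path = private/auth"
pc "smtpd_sasl_auth_enable = yes"
pc "smtpd_sasl_security_options = noanonymous"

# --- Recipient & relay restrictions -------------------------------------------
pc "smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"
pc "smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination"

# --- Listeners / master.cf ----------------------------------------------------
# postconf -M replaces the whole service entry, so an existing postscreen
# entry for smtp/inet is overwritten here.
"${POSTCONF}" -M "smtp/inet=smtp inet n - n - - smtpd -o smtpd_peername_lookup=no -o smtpd_timeout=30s"
"${POSTCONF}" -M "submission/inet=submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_peername_lookup=no -o smtpd_tls_security_level=encrypt -o smtpd_tls_auth_only=yes -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject"
"${POSTCONF}" -M "smtps/inet=smtps inet n - n - - smtpd -o syslog_name=postfix/smtps -o smtpd_peername_lookup=no -o smtpd_tls_wrappermode=yes -o smtpd_tls_auth_only=yes -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject"

# Belt and braces: comment out any leftover postscreen line for the smtp
# service so it cannot conflict with the smtpd entry above. Idempotent – once
# prefixed with "# " the pattern no longer matches. Errors are ignored on
# purpose (e.g. master.cf not yet present).
sed -i 's/^[[:space:]]*smtp[[:space:]]\+inet[[:space:]]\+.*postscreen/# &/' /etc/postfix/master.cf || true

# --- SQL maps (directory first!) ----------------------------------------------
install -d -o root -g postfix -m 750 -- "${SQL_DIR}"

# Postfix applies SQL quoting to the '%s' lookup key itself (mysql_table(5)),
# so the queries below are not injectable via the mail address.

# Domains
write_sql_map "${SQL_DIR}/mysql-virtual-domains.cf" <<CONF
hosts = 127.0.0.1
user = ${DB_USER}
password = ${DB_PASS}
dbname = ${DB_NAME}
query = SELECT 1 FROM domains WHERE domain = '%s' AND is_active = 1 LIMIT 1;
CONF

# Mailboxes
write_sql_map "${SQL_DIR}/mysql-virtual-mailbox-maps.cf" <<CONF
hosts = 127.0.0.1
user = ${DB_USER}
password = ${DB_PASS}
dbname = ${DB_NAME}
query = SELECT 1
FROM mail_users u
JOIN domains d ON d.id = u.domain_id
WHERE u.email = '%s'
AND u.is_active = 1
AND u.can_login = 1
AND u.password_hash IS NOT NULL
AND d.is_active = 1
LIMIT 1;
CONF

# Aliases
write_sql_map "${SQL_DIR}/mysql-virtual-alias-maps.cf" <<CONF
hosts = 127.0.0.1
user = ${DB_USER}
password = ${DB_PASS}
dbname = ${DB_NAME}

query = SELECT COALESCE(mu.email, r.email) AS destination
FROM mail_aliases a
JOIN domains d ON d.id = a.domain_id
JOIN mail_alias_recipients r ON r.alias_id = a.id
LEFT JOIN mail_users mu ON mu.id = r.mail_user_id
WHERE d.domain = SUBSTRING_INDEX('%s','@',-1)
AND a.local = SUBSTRING_INDEX('%s','@', 1)
AND a.is_active = 1
AND d.is_active = 1
AND (mu.email IS NOT NULL OR r.email IS NOT NULL)
ORDER BY r.position ASC;
CONF

# Activate the maps
pc "virtual_mailbox_domains = proxy:mysql:${SQL_DIR}/mysql-virtual-domains.cf"
pc "virtual_mailbox_maps = proxy:mysql:${SQL_DIR}/mysql-virtual-mailbox-maps.cf"
pc "virtual_alias_maps = proxy:mysql:${SQL_DIR}/mysql-virtual-alias-maps.cf"
pc "virtual_transport = lmtp:unix:private/dovecot-lmtp"

# --- Enable service -----------------------------------------------------------
# Enable only; the start/reload happens later (a services step runs it after
# all components are configured). Failure here is deliberately non-fatal, e.g.
# inside a container without systemd.
systemctl enable postfix >/dev/null 2>&1 || true

# (An older, fully commented-out copy of this script used to follow here; it
# was removed as dead code.)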