183 lines
5.8 KiB
Bash
183 lines
5.8 KiB
Bash
#!/usr/bin/env bash
|
||
set -euo pipefail
|
||
source ./lib.sh
|
||
|
||
MAIL_SSL_DIR="/etc/ssl/mail"
|
||
MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem"
|
||
MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"
|
||
|
||
log "Dovecot konfigurieren …"
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# 1) vmail-Benutzer/Gruppe & Mailspool vorbereiten (DYNAMIC UID!)
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
|
||
# Sicherstellen, dass die Gruppe 'mail' existiert (auf Debian/Ubuntu idR vorhanden)
|
||
getent group mail >/dev/null || groupadd -g 8 mail || true
|
||
|
||
# vmail anlegen, wenn er fehlt. Bevorzugt UID 109, falls frei – sonst automatisch.
|
||
if ! getent passwd vmail >/dev/null; then
|
||
if ! getent passwd 109 >/dev/null; then
|
||
useradd -u 109 -g mail -d /var/mail -M -s /usr/sbin/nologin vmail
|
||
else
|
||
useradd -g mail -d /var/mail -M -s /usr/sbin/nologin vmail
|
||
fi
|
||
fi
|
||
|
||
# Tatsächliche vmail-UID ermitteln (wird unten in die Dovecot-Config geschrieben)
|
||
VMAIL_UID="$(id -u vmail)"
|
||
|
||
# Mailspool-Basis
|
||
install -d -m 0770 -o vmail -g mail /var/mail/vhosts
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# 2) Dovecot Grundgerüst
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
|
||
# Hauptdatei
|
||
install -d -m 0755 /etc/dovecot/conf.d
|
||
cat > /etc/dovecot/dovecot.conf <<'CONF'
|
||
!include_try /etc/dovecot/conf.d/*.conf
|
||
CONF
|
||
|
||
# Mail-Location & Namespace + UID-Grenzen
|
||
cat > /etc/dovecot/conf.d/10-mail.conf <<CONF
|
||
protocols = imap pop3 lmtp
|
||
mail_location = maildir:/var/mail/vhosts/%d/%n
|
||
|
||
namespace inbox {
|
||
inbox = yes
|
||
}
|
||
|
||
mail_privileged_group = mail
|
||
mail_access_groups = mail
|
||
first_valid_uid = ${VMAIL_UID}
|
||
last_valid_uid = ${VMAIL_UID}
|
||
CONF
|
||
|
||
# Standard-Mailboxen automatisch erstellen/abonnieren
|
||
cat > /etc/dovecot/conf.d/15-mailboxes.conf <<'CONF'
|
||
namespace inbox {
|
||
inbox = yes
|
||
|
||
mailbox Drafts {
|
||
special_use = \Drafts
|
||
auto = subscribe
|
||
}
|
||
mailbox Junk {
|
||
special_use = \Junk
|
||
auto = subscribe
|
||
}
|
||
mailbox Trash {
|
||
special_use = \Trash
|
||
auto = subscribe
|
||
}
|
||
mailbox Sent {
|
||
special_use = \Sent
|
||
auto = subscribe
|
||
}
|
||
|
||
# optional: Archive
|
||
mailbox Archive {
|
||
special_use = \Archive
|
||
auto = create
|
||
}
|
||
}
|
||
CONF
|
||
|
||
# Auth
|
||
cat > /etc/dovecot/conf.d/10-auth.conf <<'CONF'
|
||
disable_plaintext_auth = yes
|
||
auth_mechanisms = plain login
|
||
!include_try auth-sql.conf.ext
|
||
CONF
|
||
|
||
# SQL-Anbindung (Passwörter aus App-DB)
|
||
cat > /etc/dovecot/dovecot-sql.conf.ext <<CONF
|
||
driver = mysql
|
||
connect = host=127.0.0.1 dbname=${DB_NAME} user=${DB_USER} password=${DB_PASS}
|
||
default_pass_scheme = BLF-CRYPT
|
||
password_query = SELECT u.email AS user, u.password_hash AS password FROM mail_users u JOIN domains d ON d.id = u.domain_id WHERE u.email = '%u' AND u.is_active = 1 AND u.can_login = 1 AND u.password_hash IS NOT NULL AND d.is_active = 1 LIMIT 1;
|
||
CONF
|
||
chown root:dovecot /etc/dovecot/dovecot-sql.conf.ext
|
||
chmod 640 /etc/dovecot/dovecot-sql.conf.ext
|
||
|
||
# Auth-SQL → userdb static auf vmail:mail (Home unter /var/mail/vhosts/%d/%n)
|
||
cat > /etc/dovecot/conf.d/auth-sql.conf.ext <<'CONF'
|
||
passdb {
|
||
driver = sql
|
||
args = /etc/dovecot/dovecot-sql.conf.ext
|
||
}
|
||
userdb {
|
||
driver = static
|
||
args = uid=vmail gid=mail home=/var/mail/vhosts/%d/%n
|
||
}
|
||
CONF
|
||
chown root:dovecot /etc/dovecot/conf.d/auth-sql.conf.ext
|
||
chmod 640 /etc/dovecot/conf.d/auth-sql.conf.ext
|
||
|
||
# Master-Services (LMTP + AUTH + IMAP/POP3 Listener v)
|
||
cat > /etc/dovecot/conf.d/10-master.conf <<'CONF'
|
||
service lmtp {
|
||
unix_listener /var/spool/postfix/private/dovecot-lmtp {
|
||
mode = 0600
|
||
user = postfix
|
||
group = postfix
|
||
}
|
||
}
|
||
service auth {
|
||
unix_listener /var/spool/postfix/private/auth {
|
||
mode = 0660
|
||
user = postfix
|
||
group = postfix
|
||
}
|
||
}
|
||
service imap-login {
|
||
inet_listener imap {
|
||
port = 143
|
||
}
|
||
inet_listener imaps {
|
||
port = 993
|
||
ssl = yes
|
||
}
|
||
}
|
||
service pop3-login {
|
||
inet_listener pop3 {
|
||
port = 110
|
||
}
|
||
inet_listener pop3s {
|
||
port = 995
|
||
ssl = yes
|
||
}
|
||
}
|
||
CONF
|
||
|
||
# SSL – auf stabile Mail-Pfade zeigen
|
||
DOVECOT_SSL_CONF="/etc/dovecot/conf.d/10-ssl.conf"
|
||
touch "$DOVECOT_SSL_CONF"
|
||
grep -q '^ssl\s*=' "$DOVECOT_SSL_CONF" 2>/dev/null || echo "ssl = required" >> "$DOVECOT_SSL_CONF"
|
||
if grep -q '^\s*ssl_cert\s*=' "$DOVECOT_SSL_CONF"; then
|
||
sed -i "s|^\s*ssl_cert\s*=.*|ssl_cert = <${MAIL_CERT}|" "$DOVECOT_SSL_CONF"
|
||
else
|
||
echo "ssl_cert = <${MAIL_CERT}" >> "$DOVECOT_SSL_CONF"
|
||
fi
|
||
if grep -q '^\s*ssl_key\s*=' "$DOVECOT_SSL_CONF"; then
|
||
sed -i "s|^\s*ssl_key\s*=.*|ssl_key = <${MAIL_KEY}|" "$DOVECOT_SSL_CONF"
|
||
else
|
||
echo "ssl_key = <${MAIL_KEY}" >> "$DOVECOT_SSL_CONF"
|
||
fi
|
||
grep -q '^ssl_min_protocol' "$DOVECOT_SSL_CONF" || echo "ssl_min_protocol = TLSv1.2" >> "$DOVECOT_SSL_CONF"
|
||
|
||
# Starke Cipher + DH-Params für DHE-Fallback
|
||
grep -q '^ssl_prefer_server_ciphers' "$DOVECOT_SSL_CONF" || echo "ssl_prefer_server_ciphers = yes" >> "$DOVECOT_SSL_CONF"
|
||
grep -q '^ssl_dh' "$DOVECOT_SSL_CONF" || echo "ssl_dh = </etc/ssl/private/dhparams.pem" >> "$DOVECOT_SSL_CONF"
|
||
|
||
# Postfix-Socket-Verzeichnis sicherstellen
|
||
mkdir -p /var/spool/postfix/private
|
||
chown root:root /var/spool/postfix
|
||
chmod 0755 /var/spool/postfix
|
||
chown postfix:postfix /var/spool/postfix/private
|
||
chmod 0755 /var/spool/postfix/private
|
||
|
||
# Nur aktivieren – Start/Reload später
|
||
#systemctl enable dovecot >/dev/null 2>&1 || true |