248 lines
8.9 KiB
Bash
248 lines
8.9 KiB
Bash
#!/usr/bin/env bash
|
||
set -euo pipefail
|
||
source ./lib.sh
|
||
|
||
MAIL_SSL_DIR="/etc/ssl/mail"
|
||
MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem"
|
||
MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"
|
||
|
||
log "Dovecot konfigurieren …"
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# 1) vmail-Benutzer/Gruppe & Mailspool vorbereiten (DYNAMIC UID!)
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
|
||
# Sicherstellen, dass die Gruppe 'mail' existiert (auf Debian/Ubuntu idR vorhanden)
|
||
getent group mail >/dev/null || groupadd -g 8 mail || true
|
||
|
||
# vmail anlegen, wenn er fehlt. Bevorzugt UID 109, falls frei – sonst automatisch.
|
||
if ! getent passwd vmail >/dev/null; then
|
||
if ! getent passwd 109 >/dev/null; then
|
||
useradd -u 109 -g mail -d /var/mail -M -s /usr/sbin/nologin vmail
|
||
else
|
||
useradd -g mail -d /var/mail -M -s /usr/sbin/nologin vmail
|
||
fi
|
||
fi
|
||
|
||
# Tatsächliche vmail-UID ermitteln (wird unten in die Dovecot-Config geschrieben)
|
||
VMAIL_UID="$(id -u vmail)"
|
||
|
||
# Mailspool-Basis
|
||
install -d -m 0770 -o vmail -g mail /var/mail/vhosts
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# 2) Dovecot Grundgerüst
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
|
||
# Hauptdatei
|
||
install -d -m 0755 /etc/dovecot/conf.d
|
||
cat > /etc/dovecot/dovecot.conf <<'CONF'
|
||
!include_try /etc/dovecot/conf.d/*.conf
|
||
CONF
|
||
|
||
# Mail-Location & Namespace + UID-Grenzen
|
||
cat > /etc/dovecot/conf.d/10-mail.conf <<CONF
|
||
protocols = imap pop3 lmtp
|
||
mail_location = maildir:/var/mail/vhosts/%d/%n
|
||
|
||
namespace inbox {
|
||
inbox = yes
|
||
}
|
||
|
||
mail_privileged_group = mail
|
||
mail_access_groups = mail
|
||
first_valid_uid = ${VMAIL_UID}
|
||
last_valid_uid = ${VMAIL_UID}
|
||
CONF
|
||
|
||
cat > /etc/dovecot/conf.d/15-mailboxes.conf <<'CONF'
|
||
namespace inbox {
|
||
inbox = yes
|
||
|
||
mailbox Drafts {
|
||
special_use = \Drafts
|
||
auto = subscribe
|
||
}
|
||
mailbox Junk {
|
||
special_use = \Junk
|
||
auto = subscribe
|
||
}
|
||
mailbox Trash {
|
||
special_use = \Trash
|
||
auto = subscribe
|
||
}
|
||
mailbox Sent {
|
||
special_use = \Sent
|
||
auto = subscribe
|
||
}
|
||
mailbox Archive {
|
||
special_use = \Archive
|
||
auto = create
|
||
}
|
||
}
|
||
CONF
|
||
|
||
# Auth
|
||
cat > /etc/dovecot/conf.d/10-auth.conf <<'CONF'
|
||
disable_plaintext_auth = yes
|
||
auth_mechanisms = plain login
|
||
!include_try auth-sql.conf.ext
|
||
|
||
auth_cache_size = 10M
|
||
auth_cache_ttl = 1 hour
|
||
CONF
|
||
|
||
# SQL-Anbindung (Passwörter aus App-DB)
|
||
cat > /etc/dovecot/dovecot-sql.conf.ext <<CONF
|
||
driver = mysql
|
||
connect = host=127.0.0.1 dbname=${DB_NAME} user=${DB_USER} password=${DB_PASS}
|
||
default_pass_scheme = BLF-CRYPT
|
||
password_query = SELECT u.email AS user, u.password_hash AS password FROM mail_users u JOIN domains d ON d.id = u.domain_id WHERE u.email = '%u' AND u.is_active = 1 AND u.can_login = 1 AND u.password_hash IS NOT NULL AND d.is_active = 1 LIMIT 1;
|
||
CONF
|
||
chown root:dovecot /etc/dovecot/dovecot-sql.conf.ext
|
||
chmod 640 /etc/dovecot/dovecot-sql.conf.ext
|
||
|
||
# Auth-SQL → userdb static auf vmail:mail (Home unter /var/mail/vhosts/%d/%n)
|
||
cat > /etc/dovecot/conf.d/auth-sql.conf.ext <<'CONF'
|
||
passdb {
|
||
driver = sql
|
||
args = /etc/dovecot/dovecot-sql.conf.ext
|
||
}
|
||
userdb {
|
||
driver = static
|
||
args = uid=vmail gid=mail home=/var/mail/vhosts/%d/%n
|
||
}
|
||
CONF
|
||
chown root:dovecot /etc/dovecot/conf.d/auth-sql.conf.ext
|
||
chmod 640 /etc/dovecot/conf.d/auth-sql.conf.ext
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# 3) IMAP Optimierung (iOS/IDLE-freundlich)
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
|
||
cat > /etc/dovecot/conf.d/20-imap.conf <<'CONF'
|
||
# IMAP-spezifische Einstellungen
|
||
|
||
imap_idle_notify_interval = 2 mins
|
||
imap_hibernate_timeout = 0
|
||
|
||
protocol imap {
|
||
mail_max_userip_connections = 20
|
||
imap_logout_format = in=%i out=%o deleted=%{deleted} expunged=%{expunged}
|
||
}
|
||
CONF
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# 4) Master Services (LMTP, AUTH, IMAP, POP3, STATS)
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
|
||
cat > /etc/dovecot/conf.d/10-master.conf <<'CONF'
|
||
service lmtp {
|
||
unix_listener /var/spool/postfix/private/dovecot-lmtp {
|
||
mode = 0600
|
||
user = postfix
|
||
group = postfix
|
||
}
|
||
}
|
||
service auth {
|
||
unix_listener /var/spool/postfix/private/auth {
|
||
mode = 0660
|
||
user = postfix
|
||
group = postfix
|
||
}
|
||
unix_listener auth-userdb {
|
||
mode = 0660
|
||
user = vmail
|
||
group = mail
|
||
}
|
||
process_limit = 1
|
||
}
|
||
service imap-login {
|
||
inet_listener imap {
|
||
port = 143
|
||
}
|
||
inet_listener imaps {
|
||
port = 993
|
||
ssl = yes
|
||
}
|
||
process_limit = 128
|
||
process_min_avail = 10
|
||
service_count = 0
|
||
vsz_limit = 512M
|
||
}
|
||
service pop3-login {
|
||
inet_listener pop3 {
|
||
port = 110
|
||
}
|
||
inet_listener pop3s {
|
||
port = 995
|
||
ssl = yes
|
||
}
|
||
process_limit = 50
|
||
service_count = 0
|
||
}
|
||
CONF
|
||
|
||
# --- Dovecot: doveadm-server für App-Zugriff ---
|
||
cat >/etc/dovecot/conf.d/99-mailwolt-perms.conf <<'CONF'
|
||
service auth {
|
||
unix_listener auth-userdb {
|
||
mode = 0660
|
||
user = vmail
|
||
group = mail
|
||
}
|
||
}
|
||
|
||
service stats {
|
||
unix_listener stats-reader {
|
||
mode = 0660
|
||
user = vmail
|
||
group = mail
|
||
}
|
||
unix_listener stats-writer {
|
||
mode = 0660
|
||
user = vmail
|
||
group = mail
|
||
}
|
||
}
|
||
CONF
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# 5) SSL-Konfiguration (ohne DH-Param-Erzeugung)
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
|
||
DOVECOT_SSL_CONF="/etc/dovecot/conf.d/10-ssl.conf"
|
||
touch "$DOVECOT_SSL_CONF"
|
||
grep -q '^ssl\s*=' "$DOVECOT_SSL_CONF" 2>/dev/null || echo "ssl = required" >> "$DOVECOT_SSL_CONF"
|
||
if grep -q '^\s*ssl_cert\s*=' "$DOVECOT_SSL_CONF"; then
|
||
sed -i "s|^\s*ssl_cert\s*=.*|ssl_cert = <${MAIL_CERT}|" "$DOVECOT_SSL_CONF"
|
||
else
|
||
echo "ssl_cert = <${MAIL_CERT}" >> "$DOVECOT_SSL_CONF"
|
||
fi
|
||
if grep -q '^\s*ssl_key\s*=' "$DOVECOT_SSL_CONF"; then
|
||
sed -i "s|^\s*ssl_key\s*=.*|ssl_key = <${MAIL_KEY}|" "$DOVECOT_SSL_CONF"
|
||
else
|
||
echo "ssl_key = <${MAIL_KEY}" >> "$DOVECOT_SSL_CONF"
|
||
fi
|
||
grep -q '^ssl_min_protocol' "$DOVECOT_SSL_CONF" || echo "ssl_min_protocol = TLSv1.2" >> "$DOVECOT_SSL_CONF"
|
||
grep -q '^ssl_prefer_server_ciphers' "$DOVECOT_SSL_CONF" || echo "ssl_prefer_server_ciphers = yes" >> "$DOVECOT_SSL_CONF"
|
||
|
||
grep -q '^ssl_dh' "$DOVECOT_SSL_CONF" || echo "ssl_dh = </etc/ssl/private/dhparam.pem" >> "$DOVECOT_SSL_CONF"
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# 6) Verzeichnisse & Rechte prüfen
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
|
||
mkdir -p /var/spool/postfix/private
|
||
chown root:root /var/spool/postfix
|
||
chmod 0755 /var/spool/postfix
|
||
chown postfix:postfix /var/spool/postfix/private
|
||
chmod 0755 /var/spool/postfix/private
|
||
|
||
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
# 7) Abschluss
|
||
# ──────────────────────────────────────────────────────────────────────────────
|
||
|
||
log "Dovecot-Konfiguration abgeschlossen."
|