From: Christian Heller
Date: Tue, 27 Nov 2018 02:25:29 +0000 (+0100)
Subject: WIP.
X-Git-Url: https://plomlompom.com/repos/%7B%7Bdb.prefix%7D%7D/%7B%7B%20web_path%20%7D%7D/decks/pick_tasks?a=commitdiff_plain;h=6d6eb420342c2962063f92f8fc5e8b23e5cb1dbf;p=config

WIP.
---
diff --git a/all_new_2018/linkable_etc_files/mail/etc/dovecot/conf.d/99-master.conf b/all_new_2018/linkable_etc_files/mail/etc/dovecot/conf.d/99-master.conf
new file mode 100644
index 0000000..0871740
--- /dev/null
+++ b/all_new_2018/linkable_etc_files/mail/etc/dovecot/conf.d/99-master.conf
@@ -0,0 +1,10 @@
+service auth {
+ unix_listener auth-userdb {
+ }
+
+ unix_listener /var/spool/postfix/private/auth {
+ mode = 0660
+ user = postfix
+ group = postfix
+ }
+}
diff --git a/all_new_2018/linkable_etc_files/mail/etc/dovecot/conf.d/99-ssl.conf b/all_new_2018/linkable_etc_files/mail/etc/dovecot/conf.d/99-ssl.conf
new file mode 100644
index 0000000..7fa2f5f
--- /dev/null
+++ b/all_new_2018/linkable_etc_files/mail/etc/dovecot/conf.d/99-ssl.conf
@@ -0,0 +1 @@
+ssl = required
diff --git a/all_new_2018/linkable_etc_files/mail/etc/opendkim.conf b/all_new_2018/linkable_etc_files/mail/etc/opendkim.conf
new file mode 100644
index 0000000..c7691ea
--- /dev/null
+++ b/all_new_2018/linkable_etc_files/mail/etc/opendkim.conf
@@ -0,0 +1,86 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask 002
+
+# Sign for example.com with key in /etc/dkimkeys/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain example.com
+#KeyFile /etc/dkimkeys/dkim.key
+#Selector 2007
+Domain REPLACE_Domain_ECALPER
+KeyFile /etc/dkimkeys/REPLACE_Selector_ECALPER.private
+Selector REPLACE_Selector_ECALPER
+
+# Commonly-used options; the commented-out versions show the defaults.
+#Canonicalization simple
+#Mode sv
+#SubDomains no
+#SubDomains yes
+Canonicalization relaxed/simple
+
+# Socket smtp://localhost
+#
+# ## Socket socketspec
+# ##
+# ## Names the socket where this filter should listen for milter connections
+# ## from the MTA. Required. Should be in one of these forms:
+# ##
+# ## inet:port@address to listen on a specific interface
+# ## inet:port to listen on all interfaces
+# ## local:/path/to/socket to listen on a UNIX domain socket
+#
+#Socket inet:8892@localhost
+#Socket local:/var/run/opendkim/opendkim.sock
+Socket inet:12301@localhost
+
+## PidFile filename
+### default (none)
+###
+### Name of the file where the filter should write its pid before beginning
+### normal operations.
+#
+PidFile /var/run/opendkim/opendkim.pid
+
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+## ResolverConfiguration filename
+## default (none)
+##
+## Specifies a configuration file to be passed to the Unbound library that
+## performs DNS queries applying the DNSSEC protocol. See the Unbound
+## documentation at http://unbound.net for the expected content of this file.
+## The results of using this and the TrustAnchorFile setting at the same
+## time are undefined.
+## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
+## unbound package
+
+# ResolverConfiguration /etc/unbound/unbound.conf
+
+## TrustAnchorFile filename
+## default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile /usr/share/dns/root.key
+
+## Userid userid
+### default (none)
+###
+### Change to user "userid" before starting normal operation? May include
+### a group ID as well, separated from the userid by a colon.
+#
+UserID opendkim
\ No newline at end of file
diff --git a/all_new_2018/linkable_etc_files/mail/etc/postfix/main.cf b/all_new_2018/linkable_etc_files/mail/etc/postfix/main.cf
new file mode 100644
index 0000000..dbb2b5d
--- /dev/null
+++ b/all_new_2018/linkable_etc_files/mail/etc/postfix/main.cf
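Review bot: `KeyFile /etc/dkimkeys/REPLACE_Selector_ECALPER.private` is read after the daemon drops to `UserID opendkim`, so the private key has to be owned by that user and unreadable by anyone else, and nothing in this file records that requirement next to the setting; a comment such as `# key must be owned by the UserID below (mode 0600); nobody else may read it` would save the next reader a trip to the logs. The `REPLACE_Domain_ECALPER` / `REPLACE_Selector_ECALPER` placeholders are only meaningful because setup_mail.sh rewrites them with sed, which also deserves a one-line comment at the `Domain` line so a hand-edited copy is not mistaken for a finished configuration. `TrustAnchorFile /usr/share/dns/root.key` expects Debian's dns-root-data package, which the apt line in setup_mail.sh does not install explicitly; unless apt pulls it in as a dependency, DNSSEC-validated key lookups will not work — worth confirming on a fresh install. The file also ends without a trailing newline.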
@@ -0,0 +1,53 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# TLS parameters (excluding smtpd_tls_(cert|key)_file for own adaption below)
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myorigin = /etc/mailname
+myhostname = $myorigin
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = $myhostname, localhost.plomlompom.com, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+
+# plomlompom-specific adaptions to allow TLS and SASL via LetsEncrypt/Dovecot.
+smtpd_tls_cert_file=/etc/letsencrypt/live/${myhostname}/fullchain.pem
+smtpd_tls_key_file=/etc/letsencrypt/live/${myhostname}/privkey.pem
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+
+# connect to opendkim
+smtpd_milters = inet:localhost:12301
+non_smtpd_milters = inet:localhost:12301
\ No newline at end of file
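Review bot: The new milter lines at the end of the hunk (`smtpd_milters` / `non_smtpd_milters = inet:localhost:12301`) leave Postfix's default `milter_default_action = tempfail` in place, so whenever opendkim is not running every inbound and locally submitted message is deferred instead of delivered unsigned; that trade-off should be made explicitly and documented, e.g. `milter_default_action = accept` if availability matters more than guaranteed signing. `smtpd_use_tls=yes` is the legacy switch; with `compatibility_level = 2` the current spelling is `smtpd_tls_security_level = may`, and nothing is set for the client side, so outbound delivery to other MTAs stays cleartext and the `smtp_tls_session_cache_database` line is effectively unused — `smtp_tls_security_level = may` is the minimum for opportunistic TLS. `mydestination` hard-codes `localhost.plomlompom.com` while every other name is derived from `/etc/mailname`; a comment explaining the exception would help the next reader.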
diff --git a/all_new_2018/linkable_etc_files/mail/etc/postfix/master.cf b/all_new_2018/linkable_etc_files/mail/etc/postfix/master.cf
new file mode 100644
index 0000000..bce1262
--- /dev/null
+++ b/all_new_2018/linkable_etc_files/mail/etc/postfix/master.cf
@@ -0,0 +1,124 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - - smtpd
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+#submission inet n - y - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+smtps inet n - y - - smtpd
+ -o syslog_name=postfix/smtps
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
+
diff --git a/all_new_2018/linkable_etc_files/server/etc/dovecot/conf.d/99-master.conf b/all_new_2018/linkable_etc_files/server/etc/dovecot/conf.d/99-master.conf
deleted file mode 100644
index 0871740..0000000
--- a/all_new_2018/linkable_etc_files/server/etc/dovecot/conf.d/99-master.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-service auth {
- unix_listener auth-userdb {
- }
-
- unix_listener /var/spool/postfix/private/auth {
- mode = 0660
- user = postfix
- group = postfix
- }
-}
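Review bot: The `smtps` service enables `-o smtpd_sasl_auth_enable=yes` but keeps `# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject` commented out, so that listener inherits main.cf's `permit_mynetworks permit_sasl_authenticated defer_unauth_destination`; for a submission-only port the commented line is the stricter policy and should be enabled, `-o smtpd_relay_restrictions=permit_sasl_authenticated,reject`. `# -o milter_macro_daemon_name=ORIGINATING` is likewise left commented; it is the Debian sample's hook for milters that treat submitted mail differently from inbound mail, so confirm whether the opendkim setup added in this commit needs it before leaving it off. This file is byte-identical to the `server/etc/postfix/master.cf` removed further down (both at index bce1262), so it is a move rather than new content and both remarks applied to the old copy as well.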
diff --git a/all_new_2018/linkable_etc_files/server/etc/dovecot/conf.d/99-ssl.conf b/all_new_2018/linkable_etc_files/server/etc/dovecot/conf.d/99-ssl.conf
deleted file mode 100644
index 7fa2f5f..0000000
--- a/all_new_2018/linkable_etc_files/server/etc/dovecot/conf.d/99-ssl.conf
+++ /dev/null
@@ -1 +0,0 @@
-ssl = required
diff --git a/all_new_2018/linkable_etc_files/server/etc/postfix/main.cf b/all_new_2018/linkable_etc_files/server/etc/postfix/main.cf
deleted file mode 100644
index 7e38957..0000000
--- a/all_new_2018/linkable_etc_files/server/etc/postfix/main.cf
+++ /dev/null
@@ -1,49 +0,0 @@
-# See /usr/share/postfix/main.cf.dist for a commented, more complete version
-
-
-# Debian specific: Specifying a file name will cause the first
-# line of that file to be used as the name. The Debian default
-# is /etc/mailname.
-#myorigin = /etc/mailname
-
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
-biff = no
-
-# appending .domain is the MUA's job.
-append_dot_mydomain = no
-
-# Uncomment the next line to generate "delayed mail" warnings
-#delay_warning_time = 4h
-
-readme_directory = no
-
-# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
-# fresh installs.
-compatibility_level = 2
-
-# TLS parameters (excluding smtpd_tls_(cert|key)_file for own adaption below)
-smtpd_use_tls=yes
-smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-
-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
-# information on enabling SSL in the smtp client.
-
-smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-myorigin = /etc/mailname
-myhostname = $myorigin
-alias_maps = hash:/etc/aliases
-alias_database = hash:/etc/aliases
-mydestination = $myhostname, localhost.plomlompom.com, localhost
-relayhost =
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-mailbox_size_limit = 0
-recipient_delimiter = +
-inet_interfaces = all
-inet_protocols = all
-
-# plomlompom-specific adaptions to allow TLS and SASL via LetsEncrypt/Dovecot.
-smtpd_tls_cert_file=/etc/letsencrypt/live/${myhostname}/fullchain.pem
-smtpd_tls_key_file=/etc/letsencrypt/live/${myhostname}/privkey.pem
-smtpd_sasl_type = dovecot
-smtpd_sasl_path = private/auth
diff --git a/all_new_2018/linkable_etc_files/server/etc/postfix/master.cf b/all_new_2018/linkable_etc_files/server/etc/postfix/master.cf
deleted file mode 100644
index bce1262..0000000
--- a/all_new_2018/linkable_etc_files/server/etc/postfix/master.cf
+++ /dev/null
@@ -1,124 +0,0 @@
-#
-# Postfix master process configuration file. For details on the format
-# of the file, see the master(5) manual page (command: "man 5 master" or
-# on-line: http://www.postfix.org/master.5.html).
-#
-# Do not forget to execute "postfix reload" after editing this file.
-#
-# ==========================================================================
-# service type private unpriv chroot wakeup maxproc command + args
-# (yes) (yes) (no) (never) (100)
-# ==========================================================================
-smtp inet n - y - - smtpd
-#smtp inet n - y - 1 postscreen
-#smtpd pass - - y - - smtpd
-#dnsblog unix - - y - 0 dnsblog
-#tlsproxy unix - - y - 0 tlsproxy
-#submission inet n - y - - smtpd
-# -o syslog_name=postfix/submission
-# -o smtpd_tls_security_level=encrypt
-# -o smtpd_sasl_auth_enable=yes
-# -o smtpd_reject_unlisted_recipient=no
-# -o smtpd_client_restrictions=$mua_client_restrictions
-# -o smtpd_helo_restrictions=$mua_helo_restrictions
-# -o smtpd_sender_restrictions=$mua_sender_restrictions
-# -o smtpd_recipient_restrictions=
-# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-# -o milter_macro_daemon_name=ORIGINATING
-smtps inet n - y - - smtpd
- -o syslog_name=postfix/smtps
- -o smtpd_tls_wrappermode=yes
- -o smtpd_sasl_auth_enable=yes
- -o smtpd_reject_unlisted_recipient=no
-# -o smtpd_client_restrictions=$mua_client_restrictions
-# -o smtpd_helo_restrictions=$mua_helo_restrictions
-# -o smtpd_sender_restrictions=$mua_sender_restrictions
-# -o smtpd_recipient_restrictions=
-# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-# -o milter_macro_daemon_name=ORIGINATING
-#628 inet n - y - - qmqpd
-pickup unix n - y 60 1 pickup
-cleanup unix n - y - 0 cleanup
-qmgr unix n - n 300 1 qmgr
-#qmgr unix n - n 300 1 oqmgr
-tlsmgr unix - - y 1000? 1 tlsmgr
-rewrite unix - - y - - trivial-rewrite
-bounce unix - - y - 0 bounce
-defer unix - - y - 0 bounce
-trace unix - - y - 0 bounce
-verify unix - - y - 1 verify
-flush unix n - y 1000? 0 flush
-proxymap unix - - n - - proxymap
-proxywrite unix - - n - 1 proxymap
-smtp unix - - y - - smtp
-relay unix - - y - - smtp
-# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
-showq unix n - y - - showq
-error unix - - y - - error
-retry unix - - y - - error
-discard unix - - y - - discard
-local unix - n n - - local
-virtual unix - n n - - virtual
-lmtp unix - - y - - lmtp
-anvil unix - - y - 1 anvil
-scache unix - - y - 1 scache
-#
-# ====================================================================
-# Interfaces to non-Postfix software. Be sure to examine the manual
-# pages of the non-Postfix software to find out what options it wants.
-#
-# Many of the following services use the Postfix pipe(8) delivery
-# agent. See the pipe(8) man page for information about ${recipient}
-# and other message envelope options.
-# ====================================================================
-#
-# maildrop. See the Postfix MAILDROP_README file for details.
-# Also specify in main.cf: maildrop_destination_recipient_limit=1
-#
-maildrop unix - n n - - pipe
- flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
-#
-# ====================================================================
-#
-# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
-#
-# Specify in cyrus.conf:
-# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
-#
-# Specify in main.cf one or more of the following:
-# mailbox_transport = lmtp:inet:localhost
-# virtual_transport = lmtp:inet:localhost
-#
-# ====================================================================
-#
-# Cyrus 2.1.5 (Amos Gouaux)
-# Also specify in main.cf: cyrus_destination_recipient_limit=1
-#
-#cyrus unix - n n - - pipe
-# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
-#
-# ====================================================================
-# Old example of delivery via Cyrus.
-#
-#old-cyrus unix - n n - - pipe
-# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
-#
-# ====================================================================
-#
-# See the Postfix UUCP_README file for configuration details.
-#
-uucp unix - n n - - pipe
- flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
-#
-# Other external delivery methods.
-#
-ifmail unix - n n - - pipe
- flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
-bsmtp unix - n n - - pipe
- flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
-scalemail-backend unix - n n - 2 pipe
- flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
-mailman unix - n n - - pipe
- flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
- ${nexthop} ${user}
-
diff --git a/all_new_2018/setup_mail.sh b/all_new_2018/setup_mail.sh
index a3045e6..285ecb6 100755
--- a/all_new_2018/setup_mail.sh
+++ b/all_new_2018/setup_mail.sh
@@ -1,11 +1,48 @@
 #/bin/sh
 set -e
+selector=$1
+if [ ! -n "${selector}" ]; then
+ echo "Give DKIM selector argument."
+ false
+fi
+
+# Set up DKIM key if necessary.
+mkdir -p /etc/dkimkeys/
+add_dkim_record=0
+if [ ! -f "/etc/dkimkeys/${dkim_selector}.private" ]; then
+ add_dkim_record=1
+ dpkg -s opendkim-tools &> /dev/null
+ preinstalled="$?"
+ if [ ! "${preinstalled}" -eq "0" ]; then
+ apt install -y opendkim-tools
+ fi
+ opendkim-genkey -s "${dkim_selector}"
+ if [ ! "${preinstalled}" -eq "0" ]; then
+ apt --purge autoremove opendkim-tools
+ fi
+fi
+
+# Link and adapt mail-server-specific /etc/ files.
+./hardlink_etc.sh mail
+sed -i "s/REPLACE_Domain_ECALPER/$(hostname -f)/g" /etc/opendkim.conf
+sed -i "s/REPLACE_Selector_ECALPER/${dkim_selector}/g" /etc/opendkim.conf
+
+# Some useful debconf selections.
 echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
-echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
-echo "$(hostname -f)" > /etc/mailname
-apt install -y postfix
-mkdir -p /etc/dovecot/conf.d/
 echo "ssl_cert = /etc/dovecot/conf.d/99-ssl-certs.conf
 echo "ssl_key = > /etc/dovecot/conf.d/99-ssl-certs.conf
-apt install -y dovecot-imapd
+
+# The second line should not be necessary due to the first line, but for
+# some reason the installation forgets to set up /etc/mailname early
+# enough to not (when running newaliases) stumble over its absence.
+echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
+echo "$(hostname -f)" > /etc/mailname
+
+# Everything should now be ready for installations.
+apt install -y postfix dovecot-imapd opendkim
+echo "TODO: Ensure a proper SPF entry for this system in your DNS configuration."
+if [ "${add_dkim_record}" -eq "1" ]; then
+ echo "TODO: Add the following DKIM entry to your DNS configuration (possibly with slightly changed host entry – if your mail domain includes a subdomain, append that with a dot):"
+ cat "${dkim_selector}.txt"
+fi
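Review bot: `selector=$1` is the only assignment, but every later use reads `${dkim_selector}` (the `-f` key test, `opendkim-genkey -s`, the second `sed`, the final `cat`), which is never set, so with `set -e` but no `set -u` the script silently generates a key with an empty selector and writes an empty `Selector` into /etc/opendkim.conf; change the assignment to `dkim_selector=$1` and the guard to `if [ -z "${dkim_selector}" ]; then`. `opendkim-genkey -s` writes `<selector>.private` and `<selector>.txt` into the current directory, so the `-f /etc/dkimkeys/...private` guard never sees the generated key on the next run and `KeyFile /etc/dkimkeys/<selector>.private` in the new opendkim.conf points at a file that does not exist; pass the target directory, `opendkim-genkey -D /etc/dkimkeys -s "${dkim_selector}"`, read `cat "/etc/dkimkeys/${dkim_selector}.txt"` at the end, and once `apt install ... opendkim` has created the `opendkim` user give the key to it with mode 0600 so the daemon can read it and no other account can. `dpkg -s opendkim-tools &> /dev/null` is a bashism under the unchanged `#/bin/sh` header (which is also missing its `!`): dash parses `&>` as backgrounding dpkg, so `preinstalled` is always 0, opendkim-tools is never installed and `opendkim-genkey` then fails; use `dpkg -s opendkim-tools >/dev/null 2>&1`. `apt --purge autoremove opendkim-tools` also lacks `-y`, so a non-interactive run stalls on the confirmation prompt.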