X-Git-Url: https://plomlompom.com/repos/?p=config;a=blobdiff_plain;f=buster%2Fsetup_scripts%2Fsetup_mail.sh;h=dd8f80f8e63e3f60d03b3e39a76617cd90f05102;hp=9406bee16fd461f670f34117565221eb1cf9194a;hb=decb103a10c87150712da651e9c5b99ac35dab26;hpb=b427e539c34c181ee681c249d8ba564f0c0d1d87
diff --git a/buster/setup_scripts/setup_mail.sh b/buster/setup_scripts/setup_mail.sh
index 9406bee..dd8f80f 100755
--- a/buster/setup_scripts/setup_mail.sh
+++ b/buster/setup_scripts/setup_mail.sh
@@ -1,114 +1,118 @@ #!/bin/sh set -e -if [ "$#" -ne 1 ]; then - echo 'Need mail for letsencrypt.' +# Check we have the necessary arguments. +if [ "$#" -lt 1 ]; then + echo 'Need mail for letsencrypt, mail domain, and optionally old server IP.' false fi mail="$1" +mail_domain="$2" +old_server="$3" config_tree_prefix="${HOME}/config/buster" echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections -echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections +echo "postfix postfix/mailname string ${mail_domain}" | debconf-set-selections ./install_for_target.sh mail ./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" mail nft -f /etc/nftables.conf -# Set up letsencrypt certificate. +# Rebuild aliases DB from /etc/aliases +newaliases + +# Update config files without overwriting defaults. +cat "${config_tree_prefix}/other_files/append_postfix_main.cf" >> /etc/postfix/main.cf +cat "${config_tree_prefix}/other_files/append_postfix_master.cf" >> /etc/postfix/master.cf +cat "${config_tree_prefix}/other_files/append_opendkim.conf" >> /etc/opendkim.conf + +# Set up letsencrypt certificate. We need this for STARTTLS on port +# 25/SMTP (some mail servers refuse delivering mails here if no +# STARTTLS available) and transport-layer TLS on port 465 (for +# user-to-server SMTPS) # TODO: Is it auto-renewed? -# TODO: Find out if/why this works despite firewall? certbot certonly --standalone --agree-tos --no-eff-email -m "${mail}" -d "$(hostname -f)" -# generate opendkim selector +# For if FQDN != mail domain name. +sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/mailutils.conf +sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/postfix/main.cf + +# OpenDKIM setup. 
selector=$(hostname)$(date +%Y%m%d) -#opendkim-genkey -D /etc/dkimkeys -s "${selector}" -opendkim-genkey -d "$(hostname -f)" -D /etc/dkimkeys -s "${selector}" - -# customize /etc/opendkim.conf -echo '' >> /etc/opendkim.conf -echo '# plomlompom customizations' >> /etc/opendkim.conf -echo "Domain $(hostname -f)" >> /etc/opendkim.conf -echo "KeyFile /etc/dkimkeys/${selector}.private" >> /etc/opendkim.conf -echo "Selector ${selector}" >> /etc/opendkim.conf -echo 'Socket inet:8892@localhost' >> /etc/opendkim.conf - -# customize /etc/postfix/main.cf -echo '' >> /etc/postfix/main.cf -echo '# opendkim milter' >> /etc/postfix/main.cf -echo 'non_smtpd_milters = inet:localhost:8892' >> /etc/postfix/main.cf -echo '' >> /etc/postfix/main.cf -echo '# TLS certs' -echo 'smtpd_tls_cert_file=/etc/letsencrypt/live/${myhostname}/fullchain.pem' >> /etc/postfix/main.cf -echo 'smtpd_tls_key_file=/etc/letsencrypt/live/${myhostname}/privkey.pem' >> /etc/postfix/main.cf - -# TODO: consider - -# Dovecot sieve filtering via LMTP -echo '' >> /etc/postfix/main.cf -echo '# transport mail to dovecot; not strictly needed, as even without this' >> /etc/postfix/main.cf -echo '# postfix will throw mail to /var/mail/USER to be found by dovecot for' >> /etc/postfix/main.cf -echo "# serving via IMAP etc.; but using dovecot's LMTP server for delivery" >> /etc/postfix/main.cf -echo '# allows us to do stuff like dovecot-side sieve filtering.' >> /etc/postfix/main.cf -echo 'mailbox_transport = lmtp:inet:127.0.0.1:2424' >> /etc/postfix/main.cf +opendkim-genkey -d "${mail_domain}" -D /etc/dkimkeys -s "${selector}" +sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/opendkim.conf +sed -i "s/REPLACE_selector_ECALPER/${selector}/g" /etc/opendkim.conf + +# Dovecot sieve filtering via LMTP. Without this, mail only gets +# delivered to /var/mail/…, with it /var/mail/… remains the fallback +# inbox, but all else is sieve-filtered to ~/mail/. 
cp "${config_tree_prefix}/other_files/dovecot.sieve" /home/plom/.dovecot.sieve chown plom:plom /home/plom/.dovecot.sieve -# To allow IMAPS access +# In addition to our postfix server receiving mails, we funnel mails from a +# POP3 account into dovecot via fetchmail. It might make sense to adapt the +# ~/.dovecot.sieve to move mails targeted to the fetched mail account to their +# own mbox. +cp "${config_tree_prefix}/other_files/fetchmailrc" /home/plom/.fetchmailrc +chown plom:plom /home/plom/.fetchmailrc +chmod 0700 /home/plom/.fetchmailrc + +# Pingmail setup. +cp "${config_tree_prefix}/other_files/pingmailrc" /home/plom/.pingmailrc +chown plom:plom /home/plom/.pingmailrc +su -lc "cd && git clone https://plomlompom.com/repos/clone/pingmail" plom + +# To allow IMAPS access. echo "ssl_cert = /etc/dovecot/conf.d/99-ssl-certs.conf echo "ssl_key = > /etc/dovecot/conf.d/99-ssl-certs.conf password=$(pwgen -s 100 1) -#echo 'mail_privileged_group = mail' >> /etc/dovecot/conf.d/99-mail.conf echo "plom:${password}" | chpasswd -# To use Dovecot SASL for SMTP access. -echo '' >> /etc/postfix/main.cf -echo '# use dovecot SASL for SMTP access' >> /etc/postfix/main.cf -echo 'smtpd_sasl_type = dovecot' >> /etc/postfix/main.cf -echo 'smtpd_sasl_path = private/auth' >> /etc/postfix/main.cf -echo 'smtpd_sasl_auth_enable = yes' >> /etc/postfix/main.cf +# Get old mail data, shutdown old postfix server. +if [ "${old_server}" != "" ]; then + cp "${config_tree_prefix}/setup_scripts/prepare_to_meet_server.sh" /home/plom/ + #chown plom:plom /home/plom/prepare_to_meet_server.sh + su -lc "./prepare_to_meet_server.sh ${old_server}" plom + read -p'Hit Enter when you are done.' 
ignore + rm /home/plom/prepare_to_meet_server.sh + su -lc "scp plom@${old_server}:.dovecot.sieve ~" plom + su -lc "scp plom@${old_server}:.fetchmailrc ~" plom + su -lc "scp plom@${old_server}:.pingmailrc ~" plom + su -lc "ssh -t plom@${old_server} \"su -lc 'service postfix stop'\"" plom + #su -lc "ssh plom@${old_server} \"su -lc 'service fetchmail_old_account stop'\"" plom + su -lc "ssh -t plom@${old_server} \"su -lc 'service fetchmail stop'\"" plom + cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/ + su -lc "./mirror_dir.sh ${old_server} /home/plom/mail" plom + rm /home/plom/mirror_dir.sh + touch /var/mail/plom + chown plom:mail /var/mail/plom + chmod 0600 /var/mail/plom + su -lc "scp plom@${old_server}:/var/mail/plom /var/mail/plom" plom +fi +# Start everything anew to ensure new configurations. service opendkim restart service postfix restart service dovecot restart +# Pingmail and fetchmail have some systemd timers waiting. To let systemd +# know about them, do this. +systemctl daemon-reload +systemctl enable --now fetchmail_old_account.timer +systemctl enable --now pingmail.timer + +# Final advice to user. echo "To put into DNS:" cat "/etc/dkimkeys/${selector}.txt" echo "If subdomain, append .subdomain to _domainkeys!" echo "Also ensure DMARC record of 'v=DMARC1; p=none; rua=mailto:plom+dmarc@plomlompom.com;' as TXT entry at _dmarc or, if subdomain, _dmarc.subdomain" -echo "Also ensure SPF record of 'v=spf1 mx -all' at @ or subdomain" +echo "Also ensure SPF record of 'v=spf1 mx -all' as TXT entry at @ or subdomain" echo "Also ensure reverse DNS lookup for our IP points to $(hostname -f)" echo "Also ensure MX record of priority 10 for @ or subdomain pointing to $(hostname -f)" echo "IMAPS password for user plom is: ${password}" # todo just for proper mail /sending/: -# * figure out /etc/mailname ("used by the Mail Transfer Agent (i.e. 
mail server) to know its own hostname", "will contain the portion after the username and @ (at) sign for email addresses of users on the machine", "Postfix sets myorigin=/etc/mailname. Myorigin is appended (with an @) to any bare name in any address field. During (re)configure, if /etc/mailname exists, it is used as the default value for myorigin in debconf dialogs. Changing it from the default results in postinst rewriting /etc/mailname to the new value.") – figure out if it is actually used? -# * figure out /etc/postfix/main.cf -# - myorigin ("specifies the domain that appears in mail that is posted on this machine. The default is to use the local machine name, $myhostname, which defaults to the name of the machine. Unless you are running a really small site, you probably want to change that into $mydomain, which defaults to the parent domain of the machine name") -# - myhostname ("The internet hostname of this mail system. The default is to use the fully-qualified domain name (FQDN) from gethostname(), or to use the non-FQDN result from gethostname() and append ".$mydomain". $myhostname is used as a default value for many other configuration parameters.") -# - mydomain ("The internet domain name of this mail system. The default is to use $myhostname minus the first component, or "localdomain" (Postfix 2.3 and later). $mydomain is used as a default value for many other configuration parameters.") -# - relay_domains ("What destination domains (and subdomains thereof) this system will relay mail to") -# - mydestination ("The list of domains that are delivered via the $local_transport mail delivery transport.") -# * figure out /etc/postfix/master.cf (configures what postfix daemons run in what way?) # * how to check IP safety # https://talosintelligence.com/reputation_center/lookup?search=$IP # http://www.anti-abuse.org/multi-rbl-check-results/?host= # https://www.dnsbl.info/dnsbl-database-check.php # note that none of these catch the IPs that gmx etc. 
reject - -# other stuff: -# * figure out /etc/aliases (maps whom what is sent to – just re-use old core.plomlompom.com one? – also, run newaliases to generate /etc/aliases.db) -# * more /etc/postfix/main.cf -# - smtpd_recipient_restrictions -# - smtpd_helo_restrictions -# - smtpd_client_restrictions -# -# for using SMTP server remotely: -# - SASL mechanism, may use dovecot for that (smtpd_sasl_type, smtpd_sasl_path) -# - see https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL -# - SASL is not a protocol but an abstraction layer to some auth mechanism -# - SSL works on transport layer -# - wild guess: TLS/SSL is used to authenticate /the server/ to the client, while SASL is used to identify /the client/ to the server -# - then it should be possible to do SASL without TLS/STARTTLS first? (experiment) -# - the telnet test should offer AUTH then without doing STARTTLS first -# -# for receiving mails: make sure firewall opens SMTP port 25, and for STARTTLS to work need certificate installed (set in postfix/main.cf) – some providers only deliver via STARTTLS, i.e. GMail – this all only delivers mails to /var/mail/…, dovecot should do more then
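Review bot: The argument check at the top of the hunk still passes with a single argument (`[ "$#" -lt 1 ]`), although the new usage message and the code below treat the mail domain as required; with only the letsencrypt address given, `mail_domain` is empty and is written as such into the debconf mailname, the three `sed -i` replacements and `opendkim-genkey -d`. The test should read `if [ "$#" -lt 2 ]; then`. `mail_domain` and `old_server` are also spliced unescaped into the `sed` expressions and into the command strings handed to `su -lc`, so a `/` or a shell metacharacter in either value changes the expression or the command that runs; a guard before first use such as `case "${mail_domain}${old_server}" in *[!A-Za-z0-9.:-]*) echo 'Bad domain or IP.'; false;; esac` would reject such values. Separately, `.fetchmailrc` (which presumably holds the POP3 credentials) is copied with the default umask and only afterwards restricted by `chmod 0700`, and `.pingmailrc` gets no mode at all; `install -m 0600 -o plom -g plom "${config_tree_prefix}/other_files/fetchmailrc" /home/plom/.fetchmailrc` creates the file with its final owner and mode in one step, and the same form fits `.pingmailrc`.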