Refactor mail setup.

diff --git a/buster/other_files/append_opendkim.conf b/buster/other_files/append_opendkim.conf
new file mode 100644 (file)
index 0000000..67bd960
--- /dev/null
+++ b/buster/other_files/append_opendkim.conf
@@ -0,0 +1,6 @@
+
+# plomlompom customizations
+Domain REPLACE_hostname_ECALPER
+KeyFile /etc/dkimkeys/REPLACE_selector_ECALPER.private
+Selector REPLACE_selector_ECALPER
+Socket inet:8892@localhost

diff --git a/buster/other_files/append_postfix_main.cf b/buster/other_files/append_postfix_main.cf
new file mode 100644 (file)
index 0000000..b5b29f2
--- /dev/null
+++ b/buster/other_files/append_postfix_main.cf
@@ -0,0 +1,18 @@
+
+# TLS certs
+smtpd_tls_cert_file=/etc/letsencrypt/live/${myhostname}/fullchain.pem
+smtpd_tls_key_file=/etc/letsencrypt/live/${myhostname}/privkey.pem
+
+# OpenDKIM milter
+non_smtpd_milters = inet:localhost:8892
+
+# transport mail to dovecot; not strictly needed, as even without this
+# postfix will throw mail to /var/mail/USER to be found by dovecot for
+# serving via IMAP etc.; but using dovecot's LMTP server for delivery
+# allows us to do stuff like dovecot-side sieve filtering.
+mailbox_transport = lmtp:inet:127.0.0.1:2424
+
+# use dovecot SASL for SMTP access
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes

diff --git a/buster/other_files/append_postfix_master.cf b/buster/other_files/append_postfix_master.cf
new file mode 100644 (file)
index 0000000..5d1aa3c
--- /dev/null
+++ b/buster/other_files/append_postfix_master.cf
@@ -0,0 +1,4 @@
+
+# Run SMTPS on port 465, enforce TLS there.
+smtps     inet  n       -       y       -       -       smtpd
+  -o smtpd_tls_wrappermode=yes

diff --git a/buster/setup_scripts/setup_mail.sh b/buster/setup_scripts/setup_mail.sh
index 9406bee16fd461f670f34117565221eb1cf9194a..925d433beb601a2d337be96c178b66fa67ae2ee8 100755 (executable)
--- a/buster/setup_scripts/setup_mail.sh
+++ b/buster/setup_scripts/setup_mail.sh
@@ -14,59 +14,36 @@ echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
 ./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" mail
 nft -f /etc/nftables.conf
 
 ./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" mail
 nft -f /etc/nftables.conf
 

-# Set up letsencrypt certificate.
+cat "${config_tree_prefix}/other_files/append_postfix_main.cf" >> /etc/postfix/main.cf
+cat "${config_tree_prefix}/other_files/append_postfix_master.cf" >> /etc/postfix/main.cf
+cat "${config_tree_prefix}/other_files/append_opendkim.conf" >> /etc/opendkim.conf
+
+# Set up letsencrypt certificate.  We need this for STARTTLS on port
+# 25/SMTP (some mail servers refuse delivering mails here if no
+# STARTTLS available) and transport-layer TLS on port 465 (for
+# user-to-server SMTPS)

 # TODO: Is it auto-renewed?
 # TODO: Is it auto-renewed?

-# TODO: Find out if/why this works despite firewall?

 certbot certonly --standalone --agree-tos --no-eff-email -m "${mail}" -d "$(hostname -f)"
 
 certbot certonly --standalone --agree-tos --no-eff-email -m "${mail}" -d "$(hostname -f)"
 

-# generate opendkim selector
+# OpenDKIM setup.

 selector=$(hostname)$(date +%Y%m%d)
 #opendkim-genkey -D /etc/dkimkeys -s "${selector}"
 opendkim-genkey -d "$(hostname -f)" -D /etc/dkimkeys -s "${selector}"
 selector=$(hostname)$(date +%Y%m%d)
 #opendkim-genkey -D /etc/dkimkeys -s "${selector}"
 opendkim-genkey -d "$(hostname -f)" -D /etc/dkimkeys -s "${selector}"

+sed -i "s/REPLACE_hostname_ECALPER/$(hostname -f)/g" /etc/opendkim.conf
+sed -i "s/REPLACE_selector_ECALPER/${selector}/g" /etc/opendkim.conf

 
 

-# customize /etc/opendkim.conf
-echo '' >> /etc/opendkim.conf
-echo '# plomlompom customizations' >> /etc/opendkim.conf
-echo "Domain $(hostname -f)" >> /etc/opendkim.conf
-echo "KeyFile /etc/dkimkeys/${selector}.private" >> /etc/opendkim.conf
-echo "Selector ${selector}" >> /etc/opendkim.conf
-echo 'Socket inet:8892@localhost' >> /etc/opendkim.conf
-
-# customize /etc/postfix/main.cf
-echo '' >> /etc/postfix/main.cf
-echo '# opendkim milter' >> /etc/postfix/main.cf
-echo 'non_smtpd_milters = inet:localhost:8892' >> /etc/postfix/main.cf
-echo '' >> /etc/postfix/main.cf
-echo '# TLS certs'
-echo 'smtpd_tls_cert_file=/etc/letsencrypt/live/${myhostname}/fullchain.pem' >> /etc/postfix/main.cf
-echo 'smtpd_tls_key_file=/etc/letsencrypt/live/${myhostname}/privkey.pem' >> /etc/postfix/main.cf
-
-# TODO: consider <https://wiki.debian.org/opendkim#Postfix_integration>
-
-# Dovecot sieve filtering via LMTP
-echo '' >> /etc/postfix/main.cf
-echo '# transport mail to dovecot; not strictly needed, as even without this' >> /etc/postfix/main.cf
-echo '# postfix will throw mail to /var/mail/USER to be found by dovecot for' >> /etc/postfix/main.cf
-echo "# serving via IMAP etc.; but using dovecot's LMTP server for delivery" >> /etc/postfix/main.cf
-echo '# allows us to do stuff like dovecot-side sieve filtering.' >> /etc/postfix/main.cf
-echo 'mailbox_transport = lmtp:inet:127.0.0.1:2424' >> /etc/postfix/main.cf
+# Dovecot sieve filtering via LMTP.  Without this, mail only gets
+# delivered to /var/mail/….

 cp "${config_tree_prefix}/other_files/dovecot.sieve" /home/plom/.dovecot.sieve
 chown plom:plom /home/plom/.dovecot.sieve
 
 cp "${config_tree_prefix}/other_files/dovecot.sieve" /home/plom/.dovecot.sieve
 chown plom:plom /home/plom/.dovecot.sieve
 

-# To allow IMAPS access
+# To allow IMAPS access.

 echo "ssl_cert = </etc/letsencrypt/live/$(hostname -f)/fullchain.pem" > /etc/dovecot/conf.d/99-ssl-certs.conf
 echo "ssl_key = </etc/letsencrypt/live/$(hostname -f)/privkey.pem" >> /etc/dovecot/conf.d/99-ssl-certs.conf
 password=$(pwgen -s 100 1)
 #echo 'mail_privileged_group = mail' >> /etc/dovecot/conf.d/99-mail.conf
 echo "plom:${password}" | chpasswd
 
 echo "ssl_cert = </etc/letsencrypt/live/$(hostname -f)/fullchain.pem" > /etc/dovecot/conf.d/99-ssl-certs.conf
 echo "ssl_key = </etc/letsencrypt/live/$(hostname -f)/privkey.pem" >> /etc/dovecot/conf.d/99-ssl-certs.conf
 password=$(pwgen -s 100 1)
 #echo 'mail_privileged_group = mail' >> /etc/dovecot/conf.d/99-mail.conf
 echo "plom:${password}" | chpasswd
 

-# To use Dovecot SASL for SMTP access.
-echo '' >> /etc/postfix/main.cf
-echo '# use dovecot SASL for SMTP access' >> /etc/postfix/main.cf
-echo 'smtpd_sasl_type = dovecot' >> /etc/postfix/main.cf
-echo 'smtpd_sasl_path = private/auth' >> /etc/postfix/main.cf
-echo 'smtpd_sasl_auth_enable = yes' >> /etc/postfix/main.cf
-

 service opendkim restart
 service postfix restart
 service dovecot restart
 service opendkim restart
 service postfix restart
 service dovecot restart


@@ -110,5 +87,3 @@ echo "IMAPS password for user plom is: ${password}"
 # - wild guess: TLS/SSL is used to authenticate /the server/ to the client, while SASL is used to identify /the client/ to the server
 #   - then it should be possible to do SASL without TLS/STARTTLS first? (experiment)
 #   - the telnet test should offer AUTH then without doing STARTTLS first
 # - wild guess: TLS/SSL is used to authenticate /the server/ to the client, while SASL is used to identify /the client/ to the server
 #   - then it should be possible to do SASL without TLS/STARTTLS first? (experiment)
 #   - the telnet test should offer AUTH then without doing STARTTLS first

-#
-# for receiving mails: make sure firewall opens SMTP port 25, and for STARTTLS to work need certificate installed (set in postfix/main.cf) – some providers only deliver via STARTTLS, i.e. GMail – this all only delivers mails to /var/mail/…, dovecot should do more then