4 if [ "$#" -lt 1 ]; then
5 echo 'Need mail for letsencrypt (and optionally old server IP).'
11 config_tree_prefix="${HOME}/config/buster"
12 echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
13 echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
14 ./install_for_target.sh mail
15 ./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" mail
16 nft -f /etc/nftables.conf
19 cat "${config_tree_prefix}/other_files/append_postfix_main.cf" >> /etc/postfix/main.cf
20 cat "${config_tree_prefix}/other_files/append_postfix_master.cf" >> /etc/postfix/master.cf
21 cat "${config_tree_prefix}/other_files/append_opendkim.conf" >> /etc/opendkim.conf
23 # Set up letsencrypt certificate. We need this for STARTTLS on port
24 # 25/SMTP (some mail servers refuse delivering mails here if no
25 # STARTTLS available) and transport-layer TLS on port 465 (for
26 # user-to-server SMTPS)
27 # TODO: Is it auto-renewed?
28 certbot certonly --standalone --agree-tos --no-eff-email -m "${mail}" -d "$(hostname -f)"
31 selector=$(hostname)$(date +%Y%m%d)
32 #opendkim-genkey -D /etc/dkimkeys -s "${selector}"
33 opendkim-genkey -d "$(hostname -f)" -D /etc/dkimkeys -s "${selector}"
34 sed -i "s/REPLACE_hostname_ECALPER/$(hostname -f)/g" /etc/opendkim.conf
35 sed -i "s/REPLACE_selector_ECALPER/${selector}/g" /etc/opendkim.conf
37 # Dovecot sieve filtering via LMTP. Without this, mail only gets
38 # delivered to /var/mail/….
39 cp "${config_tree_prefix}/other_files/dovecot.sieve" /home/plom/.dovecot.sieve
40 chown plom:plom /home/plom/.dovecot.sieve
42 cp "${config_tree_prefix}/other_files/fetchmailrc" /home/plom/.fetchmailrc
43 chown plom:plom /home/plom/.fetchmailrc
44 chmod 0700 /home/plom/.fetchmailrc
45 cp "${config_tree_prefix}/other_files/pingmailrc" /home/plom/.pingmailrc
46 chown plom:plom /home/plom/.pingmailrc
47 su -lc "cd && git clone https://plomlompom.com/repos/clone/pingmail" plom
48 systemctl daemon-reload
50 # To allow IMAPS access.
51 echo "ssl_cert = </etc/letsencrypt/live/$(hostname -f)/fullchain.pem" > /etc/dovecot/conf.d/99-ssl-certs.conf
52 echo "ssl_key = </etc/letsencrypt/live/$(hostname -f)/privkey.pem" >> /etc/dovecot/conf.d/99-ssl-certs.conf
53 password=$(pwgen -s 100 1)
54 #echo 'mail_privileged_group = mail' >> /etc/dovecot/conf.d/99-mail.conf
55 echo "plom:${password}" | chpasswd
57 # Get old mail data, shutdown old postfix server.
58 if [ "${old_server}" != "" ]; then
59 cp "${config_tree_prefix}/setup_scripts/prepare_to_meet_server.sh" /home/plom/
60 #chown plom:plom /home/plom/prepare_to_meet_server.sh
61 su -lc "./prepare_to_meet_server.sh ${old_server}" plom
62 read -p'Hit Enter when you are done.' ignore
63 rm /home/plom/prepare_to_meet_server.sh
64 su -lc "scp plom@${old_server}:.dovecot.sieve ~" plom
65 su -lc "scp plom@${old_server}:.fetchmailrc ~" plom
66 su -lc "scp plom@${old_server}:.pingmailrc ~" plom
67 su -lc "ssh plom@${old_server} \"su -lc 'service postfix stop'\"" plom
68 cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
69 su -lc "./mirror_dir.sh ${old_server} /home/plom/mail" plom
70 rm /home/plom/mirror_dir.sh
72 chown plom:mail /var/mail/plom
73 chmod 0600 /var/mail/plom
74 su -lc "scp plom@${old_server}:/var/mail/plom /var/mail/plom" plom
77 service opendkim restart
78 service postfix restart
79 service dovecot restart
81 echo "To put into DNS:"
82 cat "/etc/dkimkeys/${selector}.txt"
83 echo "If subdomain, append .subdomain to _domainkeys!"
84 echo "Also ensure DMARC record of 'v=DMARC1; p=none; rua=mailto:plom+dmarc@plomlompom.com;' as TXT entry at _dmarc or, if subdomain, _dmarc.subdomain"
85 echo "Also ensure SPF record of 'v=spf1 mx -all' as TXT entry at @ or subdomain"
86 echo "Also ensure reverse DNS lookup for our IP points to $(hostname -f)"
87 echo "Also ensure MX record of priority 10 for @ or subdomain pointing to $(hostname -f)"
88 echo "IMAPS password for user plom is: ${password}"
90 # todo just for proper mail /sending/:
91 # * figure out /etc/mailname ("used by the Mail Transfer Agent (i.e. mail server) to know its own hostname", "will contain the portion after the username and @ (at) sign for email addresses of users on the machine", "Postfix sets myorigin=/etc/mailname. Myorigin is appended (with an @) to any bare name in any address field. During (re)configure, if /etc/mailname exists, it is used as the default value for myorigin in debconf dialogs. Changing it from the default results in postinst rewriting /etc/mailname to the new value.") – figure out if it is actually used?
92 # * figure out /etc/postfix/main.cf
93 # - myorigin ("specifies the domain that appears in mail that is posted on this machine. The default is to use the local machine name, $myhostname, which defaults to the name of the machine. Unless you are running a really small site, you probably want to change that into $mydomain, which defaults to the parent domain of the machine name")
94 # - myhostname ("The internet hostname of this mail system. The default is to use the fully-qualified domain name (FQDN) from gethostname(), or to use the non-FQDN result from gethostname() and append ".$mydomain". $myhostname is used as a default value for many other configuration parameters.")
95 # - mydomain ("The internet domain name of this mail system. The default is to use $myhostname minus the first component, or "localdomain" (Postfix 2.3 and later). $mydomain is used as a default value for many other configuration parameters.")
96 # - relay_domains ("What destination domains (and subdomains thereof) this system will relay mail to")
97 # - mydestination ("The list of domains that are delivered via the $local_transport mail delivery transport.")
98 # * figure out /etc/postfix/master.cf (configures what postfix daemons run in what way?)
99 # * how to check IP safety
100 # https://talosintelligence.com/reputation_center/lookup?search=$IP
101 # http://www.anti-abuse.org/multi-rbl-check-results/?host=
102 # https://www.dnsbl.info/dnsbl-database-check.php
103 # note that none of these catch the IPs that gmx etc. reject
106 # * figure out /etc/aliases (maps whom what is sent to – just re-use old core.plomlompom.com one? – also, run newaliases to generate /etc/aliases.db)
107 # * more /etc/postfix/main.cf
108 # - smtpd_recipient_restrictions
109 # - smtpd_helo_restrictions
110 # - smtpd_client_restrictions
112 # for using SMTP server remotely:
113 # - SASL mechanism, may use dovecot for that (smtpd_sasl_type, smtpd_sasl_path)
114 # - see https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
115 # - SASL is not a protocol but an abstraction layer to some auth mechanism
116 # - SSL works on transport layer
117 # - wild guess: TLS/SSL is used to authenticate /the server/ to the client, while SASL is used to identify /the client/ to the server
118 # - then it should be possible to do SASL without TLS/STARTTLS first? (experiment)
119 # - the telnet test should offer AUTH then without doing STARTTLS first