#!/bin/sh
set -e
-if [ "$#" -ne 1 ]; then
- echo 'Need mail for letsencrypt.'
+if [ "$#" -lt 1 ]; then
+ echo 'Need mail for letsencrypt (and optionally old server IP).'
false
fi
mail="$1"
+old_server="$2"
config_tree_prefix="${HOME}/config/buster"
echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
./install_for_target.sh mail
./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" mail
nft -f /etc/nftables.conf
+newaliases
-# Set up letsencrypt certificate.
+cat "${config_tree_prefix}/other_files/append_postfix_main.cf" >> /etc/postfix/main.cf
+cat "${config_tree_prefix}/other_files/append_postfix_master.cf" >> /etc/postfix/master.cf
+cat "${config_tree_prefix}/other_files/append_opendkim.conf" >> /etc/opendkim.conf
+
+# Set up letsencrypt certificate. We need this for STARTTLS on port
+# 25/SMTP (some mail servers refuse delivering mails here if no
+# STARTTLS available) and transport-layer TLS on port 465 (for
+# user-to-server SMTPS)
# TODO: Is it auto-renewed?
-# TODO: Find out if/why this works despite firewall?
certbot certonly --standalone --agree-tos --no-eff-email -m "${mail}" -d "$(hostname -f)"
-# generate opendkim selector
+# OpenDKIM setup.
selector=$(hostname)$(date +%Y%m%d)
#opendkim-genkey -D /etc/dkimkeys -s "${selector}"
opendkim-genkey -d "$(hostname -f)" -D /etc/dkimkeys -s "${selector}"
+sed -i "s/REPLACE_hostname_ECALPER/$(hostname -f)/g" /etc/opendkim.conf
+sed -i "s/REPLACE_selector_ECALPER/${selector}/g" /etc/opendkim.conf
-# customize /etc/opendkim.conf
-echo '' >> /etc/opendkim.conf
-echo '# plomlompom customizations' >> /etc/opendkim.conf
-echo "Domain $(hostname -f)" >> /etc/opendkim.conf
-echo "KeyFile /etc/dkimkeys/${selector}.private" >> /etc/opendkim.conf
-echo "Selector ${selector}" >> /etc/opendkim.conf
-echo 'Socket inet:8892@localhost' >> /etc/opendkim.conf
-
-# customize /etc/postfix/main.cf
-echo '' >> /etc/postfix/main.cf
-echo '# opendkim milter' >> /etc/postfix/main.cf
-echo 'non_smtpd_milters = inet:localhost:8892' >> /etc/postfix/main.cf
-echo '' >> /etc/postfix/main.cf
-echo '# TLS certs'
-echo 'smtpd_tls_cert_file=/etc/letsencrypt/live/${myhostname}/fullchain.pem' >> /etc/postfix/main.cf
-echo 'smtpd_tls_key_file=/etc/letsencrypt/live/${myhostname}/privkey.pem' >> /etc/postfix/main.cf
-
-# TODO: consider <https://wiki.debian.org/opendkim#Postfix_integration>
-
-# Dovecot sieve filtering via LMTP
-echo '' >> /etc/postfix/main.cf
-echo '# transport mail to dovecot; not strictly needed, as even without this' >> /etc/postfix/main.cf
-echo '# postfix will throw mail to /var/mail/USER to be found by dovecot for' >> /etc/postfix/main.cf
-echo "# serving via IMAP etc.; but using dovecot's LMTP server for delivery" >> /etc/postfix/main.cf
-echo '# allows us to do stuff like dovecot-side sieve filtering.' >> /etc/postfix/main.cf
-echo 'mailbox_transport = lmtp:inet:127.0.0.1:2424' >> /etc/postfix/main.cf
+# Dovecot sieve filtering via LMTP. Without this, mail only gets
+# delivered to /var/mail/….
cp "${config_tree_prefix}/other_files/dovecot.sieve" /home/plom/.dovecot.sieve
chown plom:plom /home/plom/.dovecot.sieve
-# To allow IMAPS access
+cp "${config_tree_prefix}/other_files/fetchmailrc" /home/plom/.fetchmailrc
+chown plom:plom /home/plom/.fetchmailrc
+chmod 0700 /home/plom/.fetchmailrc
+cp "${config_tree_prefix}/other_files/pingmailrc" /home/plom/.pingmailrc
+chown plom:plom /home/plom/.pingmailrc
+su -lc "cd && git clone https://plomlompom.com/repos/clone/pingmail" plom
+systemctl daemon-reload
+systemctl enable --now fetchmail_old_account.timer
+systemctl enable --now pingmail.timer
+
+# To allow IMAPS access.
echo "ssl_cert = </etc/letsencrypt/live/$(hostname -f)/fullchain.pem" > /etc/dovecot/conf.d/99-ssl-certs.conf
echo "ssl_key = </etc/letsencrypt/live/$(hostname -f)/privkey.pem" >> /etc/dovecot/conf.d/99-ssl-certs.conf
password=$(pwgen -s 100 1)
#echo 'mail_privileged_group = mail' >> /etc/dovecot/conf.d/99-mail.conf
echo "plom:${password}" | chpasswd
-# To use Dovecot SASL for SMTP access.
-echo '' >> /etc/postfix/main.cf
-echo '# use dovecot SASL for SMTP access' >> /etc/postfix/main.cf
-echo 'smtpd_sasl_type = dovecot' >> /etc/postfix/main.cf
-echo 'smtpd_sasl_path = private/auth' >> /etc/postfix/main.cf
-echo 'smtpd_sasl_auth_enable = yes' >> /etc/postfix/main.cf
+# Get old mail data, shutdown old postfix server.
+if [ "${old_server}" != "" ]; then
+ cp "${config_tree_prefix}/setup_scripts/prepare_to_meet_server.sh" /home/plom/
+ #chown plom:plom /home/plom/prepare_to_meet_server.sh
+ su -lc "./prepare_to_meet_server.sh ${old_server}" plom
+ read -p'Hit Enter when you are done.' ignore
+ rm /home/plom/prepare_to_meet_server.sh
+ su -lc "scp plom@${old_server}:.dovecot.sieve ~" plom
+ su -lc "scp plom@${old_server}:.fetchmailrc ~" plom
+ su -lc "scp plom@${old_server}:.pingmailrc ~" plom
+ su -lc "ssh plom@${old_server} \"su -lc 'service postfix stop'\"" plom
+ cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
+ su -lc "./mirror_dir.sh ${old_server} /home/plom/mail" plom
+ rm /home/plom/mirror_dir.sh
+ touch /var/mail/plom
+ chown plom:mail /var/mail/plom
+ chmod 0600 /var/mail/plom
+ su -lc "scp plom@${old_server}:/var/mail/plom /var/mail/plom" plom
+fi
service opendkim restart
service postfix restart
cat "/etc/dkimkeys/${selector}.txt"
echo "If subdomain, append .subdomain to _domainkeys!"
echo "Also ensure DMARC record of 'v=DMARC1; p=none; rua=mailto:plom+dmarc@plomlompom.com;' as TXT entry at _dmarc or, if subdomain, _dmarc.subdomain"
-echo "Also ensure SPF record of 'v=spf1 mx -all' at @ or subdomain"
+echo "Also ensure SPF record of 'v=spf1 mx -all' as TXT entry at @ or subdomain"
echo "Also ensure reverse DNS lookup for our IP points to $(hostname -f)"
echo "Also ensure MX record of priority 10 for @ or subdomain pointing to $(hostname -f)"
echo "IMAPS password for user plom is: ${password}"
# - wild guess: TLS/SSL is used to authenticate /the server/ to the client, while SASL is used to identify /the client/ to the server
# - then it should be possible to do SASL without TLS/STARTTLS first? (experiment)
# - the telnet test should offer AUTH then without doing STARTTLS first
-#
-# for receiving mails: make sure firewall opens SMTP port 25, and for STARTTLS to work need certificate installed (set in postfix/main.cf) – some providers only deliver via STARTTLS, i.e. GMail – this all only delivers mails to /var/mail/…, dovecot should do more then