From 1e122e234af3af5a644fa85c03690101618f5313 Mon Sep 17 00:00:00 2001 From: Christian Heller Date: Fri, 15 May 2020 23:40:35 +0200 Subject: [PATCH] Refactor mail setup. --- buster/other_files/append_opendkim.conf | 6 +++ buster/other_files/append_postfix_main.cf | 18 +++++++ buster/other_files/append_postfix_master.cf | 4 ++ buster/setup_scripts/setup_mail.sh | 53 ++++++--------------- 4 files changed, 42 insertions(+), 39 deletions(-) create mode 100644 buster/other_files/append_opendkim.conf create mode 100644 buster/other_files/append_postfix_main.cf create mode 100644 buster/other_files/append_postfix_master.cf diff --git a/buster/other_files/append_opendkim.conf b/buster/other_files/append_opendkim.conf new file mode 100644 index 0000000..67bd960 --- /dev/null +++ b/buster/other_files/append_opendkim.conf @@ -0,0 +1,6 @@ + +# plomlompom customizations +Domain REPLACE_hostname_ECALPER +KeyFile /etc/dkimkeys/REPLACE_selector_ECALPER.private +Selector REPLACE_selector_ECALPER +Socket inet:8892@localhost diff --git a/buster/other_files/append_postfix_main.cf b/buster/other_files/append_postfix_main.cf new file mode 100644 index 0000000..b5b29f2 --- /dev/null +++ b/buster/other_files/append_postfix_main.cf @@ -0,0 +1,18 @@ + +# TLS certs +smtpd_tls_cert_file=/etc/letsencrypt/live/${myhostname}/fullchain.pem +smtpd_tls_key_file=/etc/letsencrypt/live/${myhostname}/privkey.pem + +# OpenDKIM milter +non_smtpd_milters = inet:localhost:8892 + +# transport mail to dovecot; not strictly needed, as even without this +# postfix will throw mail to /var/mail/USER to be found by dovecot for +# serving via IMAP etc.; but using dovecot's LMTP server for delivery +# allows us to do stuff like dovecot-side sieve filtering. +mailbox_transport = lmtp:inet:127.0.0.1:2424 + +# use dovecot SASL for SMTP access +smtpd_sasl_type = dovecot +smtpd_sasl_path = private/auth +smtpd_sasl_auth_enable = yes diff --git a/buster/other_files/append_postfix_master.cf b/buster/other_files/append_postfix_master.cf new file mode 100644 index 0000000..5d1aa3c --- /dev/null +++ b/buster/other_files/append_postfix_master.cf @@ -0,0 +1,4 @@ + +# Run SMTPS on port 465, enforce TLS there. +smtps inet n - y - - smtpd + -o smtpd_tls_wrappermode=yes diff --git a/buster/setup_scripts/setup_mail.sh b/buster/setup_scripts/setup_mail.sh index 9406bee..925d433 100755 --- a/buster/setup_scripts/setup_mail.sh +++ b/buster/setup_scripts/setup_mail.sh @@ -14,59 +14,36 @@ echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections ./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" mail nft -f /etc/nftables.conf -# Set up letsencrypt certificate. +cat "${config_tree_prefix}/other_files/append_postfix_main.cf" >> /etc/postfix/main.cf +cat "${config_tree_prefix}/other_files/append_postfix_master.cf" >> /etc/postfix/main.cf +cat "${config_tree_prefix}/other_files/append_opendkim.conf" >> /etc/opendkim.conf + +# Set up letsencrypt certificate. We need this for STARTTLS on port +# 25/SMTP (some mail servers refuse delivering mails here if no +# STARTTLS available) and transport-layer TLS on port 465 (for +# user-to-server SMTPS) # TODO: Is it auto-renewed? -# TODO: Find out if/why this works despite firewall? certbot certonly --standalone --agree-tos --no-eff-email -m "${mail}" -d "$(hostname -f)" -# generate opendkim selector +# OpenDKIM setup. selector=$(hostname)$(date +%Y%m%d) #opendkim-genkey -D /etc/dkimkeys -s "${selector}" opendkim-genkey -d "$(hostname -f)" -D /etc/dkimkeys -s "${selector}" +sed -i "s/REPLACE_hostname_ECALPER/$(hostname -f)/g" /etc/opendkim.conf +sed -i "s/REPLACE_selector_ECALPER/${selector}/g" /etc/opendkim.conf -# customize /etc/opendkim.conf -echo '' >> /etc/opendkim.conf -echo '# plomlompom customizations' >> /etc/opendkim.conf -echo "Domain $(hostname -f)" >> /etc/opendkim.conf -echo "KeyFile /etc/dkimkeys/${selector}.private" >> /etc/opendkim.conf -echo "Selector ${selector}" >> /etc/opendkim.conf -echo 'Socket inet:8892@localhost' >> /etc/opendkim.conf - -# customize /etc/postfix/main.cf -echo '' >> /etc/postfix/main.cf -echo '# opendkim milter' >> /etc/postfix/main.cf -echo 'non_smtpd_milters = inet:localhost:8892' >> /etc/postfix/main.cf -echo '' >> /etc/postfix/main.cf -echo '# TLS certs' -echo 'smtpd_tls_cert_file=/etc/letsencrypt/live/${myhostname}/fullchain.pem' >> /etc/postfix/main.cf -echo 'smtpd_tls_key_file=/etc/letsencrypt/live/${myhostname}/privkey.pem' >> /etc/postfix/main.cf - -# TODO: consider - -# Dovecot sieve filtering via LMTP -echo '' >> /etc/postfix/main.cf -echo '# transport mail to dovecot; not strictly needed, as even without this' >> /etc/postfix/main.cf -echo '# postfix will throw mail to /var/mail/USER to be found by dovecot for' >> /etc/postfix/main.cf -echo "# serving via IMAP etc.; but using dovecot's LMTP server for delivery" >> /etc/postfix/main.cf -echo '# allows us to do stuff like dovecot-side sieve filtering.' >> /etc/postfix/main.cf -echo 'mailbox_transport = lmtp:inet:127.0.0.1:2424' >> /etc/postfix/main.cf +# Dovecot sieve filtering via LMTP. Without this, mail only gets +# delivered to /var/mail/…. cp "${config_tree_prefix}/other_files/dovecot.sieve" /home/plom/.dovecot.sieve chown plom:plom /home/plom/.dovecot.sieve -# To allow IMAPS access +# To allow IMAPS access. echo "ssl_cert = /etc/dovecot/conf.d/99-ssl-certs.conf echo "ssl_key = > /etc/dovecot/conf.d/99-ssl-certs.conf password=$(pwgen -s 100 1) #echo 'mail_privileged_group = mail' >> /etc/dovecot/conf.d/99-mail.conf echo "plom:${password}" | chpasswd -# To use Dovecot SASL for SMTP access. -echo '' >> /etc/postfix/main.cf -echo '# use dovecot SASL for SMTP access' >> /etc/postfix/main.cf -echo 'smtpd_sasl_type = dovecot' >> /etc/postfix/main.cf -echo 'smtpd_sasl_path = private/auth' >> /etc/postfix/main.cf -echo 'smtpd_sasl_auth_enable = yes' >> /etc/postfix/main.cf - service opendkim restart service postfix restart service dovecot restart @@ -110,5 +87,3 @@ echo "IMAPS password for user plom is: ${password}" # - wild guess: TLS/SSL is used to authenticate /the server/ to the client, while SASL is used to identify /the client/ to the server # - then it should be possible to do SASL without TLS/STARTTLS first? (experiment) # - the telnet test should offer AUTH then without doing STARTTLS first -# -# for receiving mails: make sure firewall opens SMTP port 25, and for STARTTLS to work need certificate installed (set in postfix/main.cf) – some providers only deliver via STARTTLS, i.e. GMail – this all only delivers mails to /var/mail/…, dovecot should do more then -- 2.30.2