選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。

emailwiz.sh 12 KiB

5年前
5年前
5年前
5年前
5年前
5年前
5年前
4年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
3年前
5年前
4年前
4年前
4年前
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326
  1. #!/bin/sh
  2. # THE SETUP
  3. # Mail will be stored in non-retarded Maildirs because it's $currentyear. This
  4. # makes it easier for use with isync, which is what I care about so I can have
  5. # an offline repo of mail.
  6. # The mailbox names are: Inbox, Sent, Drafts, Archive, Junk, Trash
  7. # Use the typical unix login system for mail users. Users will log into their
  8. # email with their passnames on the server. No usage of a redundant mySQL
  9. # database to do this.
  10. # DEPENDENCIES BEFORE RUNNING
  11. # 1. Have a Debian system with a static IP and all that. Pretty much any
  12. # default VPS offered by a company will have all the basic stuff you need. This
  13. # script might run on Ubuntu as well. Haven't tried it. If you have, tell me
  14. # what happens.
  15. # 2. Have a Let's Encrypt SSL certificate for $maildomain. You might need one
  16. # for $domain as well, but they're free with Let's Encypt so you should have
  17. # them anyway.
  18. # 3. If you've been toying around with your server settings trying to get
  19. # postfix/dovecot/etc. working before running this, I recommend you `apt purge`
  20. # everything first because this script is build on top of only the defaults.
  21. # Clear out /etc/postfix and /etc/dovecot yourself if needbe.
  22. # NOTE WHILE INSTALLING
  23. # On installation of Postfix, select "Internet Site" and put in TLD (without
  24. # `mail.` before it).
  25. echo "Installing programs..."
  26. apt install postfix dovecot-imapd dovecot-sieve opendkim spamassassin spamc
  27. # Check if OpenDKIM is installed and install it if not.
  28. which opendkim-genkey >/dev/null 2>&1 || apt install opendkim-tools
  29. domain="$(cat /etc/mailname)"
  30. subdom=${MAIL_SUBDOM:-mail}
  31. maildomain="$subdom.$domain"
  32. certdir="/etc/letsencrypt/live/$maildomain"
  33. [ ! -d "$certdir" ] && certdir="$(dirname "$(certbot certificates 2>/dev/null | grep "$maildomain\|*.$domain" -A 2 | awk '/Certificate Path/ {print $3}' | head -n1)")"
  34. [ ! -d "$certdir" ] && echo "Note! You must first have a Let's Encrypt Certbot HTTPS/SSL Certificate for $maildomain.
  35. Use Let's Encrypt's Certbot to get that and then rerun this script.
  36. You may need to set up a dummy $maildomain site in nginx or Apache for that to work." && exit
  37. # NOTE ON POSTCONF COMMANDS
  38. # The `postconf` command literally just adds the line in question to
  39. # /etc/postfix/main.cf so if you need to debug something, go there. It replaces
  40. # any other line that sets the same setting, otherwise it is appended to the
  41. # end of the file.
  42. echo "Configuring Postfix's main.cf..."
  43. # Change the cert/key files to the default locations of the Let's Encrypt cert/key
  44. postconf -e "smtpd_tls_key_file=$certdir/privkey.pem"
  45. postconf -e "smtpd_tls_cert_file=$certdir/fullchain.pem"
  46. postconf -e "smtpd_tls_security_level = may"
  47. postconf -e "smtpd_tls_auth_only = yes"
  48. postconf -e "smtp_tls_security_level = may"
  49. postconf -e "smtp_tls_loglevel = 1"
  50. postconf -e "smtp_tls_CAfile=$certdir/cert.pem"
  51. postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
  52. postconf -e "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
  53. postconf -e "smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
  54. postconf -e "smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
  55. postconf -e "tls_preempt_cipherlist = yes"
  56. postconf -e "smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL"
  57. # Here we tell Postfix to look to Dovecot for authenticating users/passwords.
  58. # Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
  59. postconf -e "smtpd_sasl_auth_enable = yes"
  60. postconf -e "smtpd_sasl_type = dovecot"
  61. postconf -e "smtpd_sasl_path = private/auth"
  62. # Sender and recipient restrictions
  63. postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination"
  64. # NOTE: the trailing slash here, or for any directory name in the home_mailbox
  65. # command, is necessary as it distinguishes a maildir (which is the actual
  66. # directories that what we want) from a spoolfile (which is what old unix
  67. # boomers want and no one else).
  68. postconf -e "home_mailbox = Mail/Inbox/"
  69. # master.cf
  70. echo "Configuring Postfix's master.cf..."
  71. sed -i "/^\s*-o/d;/^\s*submission/d;/^\s*smtp/d" /etc/postfix/master.cf
  72. echo "smtp unix - - n - - smtp
  73. smtp inet n - y - - smtpd
  74. -o content_filter=spamassassin
  75. submission inet n - y - - smtpd
  76. -o syslog_name=postfix/submission
  77. -o smtpd_tls_security_level=encrypt
  78. -o smtpd_sasl_auth_enable=yes
  79. -o smtpd_tls_auth_only=yes
  80. smtps inet n - y - - smtpd
  81. -o syslog_name=postfix/smtps
  82. -o smtpd_tls_wrappermode=yes
  83. -o smtpd_sasl_auth_enable=yes
  84. spamassassin unix - n n - - pipe
  85. user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f \${sender} \${recipient}" >> /etc/postfix/master.cf
  86. # By default, dovecot has a bunch of configs in /etc/dovecot/conf.d/ These
  87. # files have nice documentation if you want to read it, but it's a huge pain to
  88. # go through them to organize. Instead, we simply overwrite
  89. # /etc/dovecot/dovecot.conf because it's easier to manage. You can get a backup
  90. # of the original in /usr/share/dovecot if you want.
  91. echo "Creating Dovecot config..."
  92. echo "# Dovecot config
  93. # Note that in the dovecot conf, you can use:
  94. # %u for username
  95. # %n for the name in name@domain.tld
  96. # %d for the domain
  97. # %h the user's home directory
  98. # If you're not a brainlet, SSL must be set to required.
  99. ssl = required
  100. ssl_cert = <$certdir/fullchain.pem
  101. ssl_key = <$certdir/privkey.pem
  102. ssl_min_protocol = TLSv1.2
  103. ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED
  104. ssl_prefer_server_ciphers = yes
  105. ssl_dh = </usr/share/dovecot/dh.pem
  106. # Plaintext login. This is safe and easy thanks to SSL.
  107. auth_mechanisms = plain login
  108. auth_username_format = %n
  109. protocols = \$protocols imap
  110. # Search for valid users in /etc/passwd
  111. userdb {
  112. driver = passwd
  113. }
  114. #Fallback: Use plain old PAM to find user passwords
  115. passdb {
  116. driver = pam
  117. }
  118. # Our mail for each user will be in ~/Mail, and the inbox will be ~/Mail/Inbox
  119. # The LAYOUT option is also important because otherwise, the boxes will be \`.Sent\` instead of \`Sent\`.
  120. mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
  121. namespace inbox {
  122. inbox = yes
  123. mailbox Drafts {
  124. special_use = \\Drafts
  125. auto = subscribe
  126. }
  127. mailbox Junk {
  128. special_use = \\Junk
  129. auto = subscribe
  130. autoexpunge = 30d
  131. }
  132. mailbox Sent {
  133. special_use = \\Sent
  134. auto = subscribe
  135. }
  136. mailbox Trash {
  137. special_use = \\Trash
  138. }
  139. mailbox Archive {
  140. special_use = \\Archive
  141. }
  142. }
  143. # Here we let Postfix use Dovecot's authetication system.
  144. service auth {
  145. unix_listener /var/spool/postfix/private/auth {
  146. mode = 0660
  147. user = postfix
  148. group = postfix
  149. }
  150. }
  151. protocol lda {
  152. mail_plugins = \$mail_plugins sieve
  153. }
  154. protocol lmtp {
  155. mail_plugins = \$mail_plugins sieve
  156. }
  157. plugin {
  158. sieve = ~/.dovecot.sieve
  159. sieve_default = /var/lib/dovecot/sieve/default.sieve
  160. #sieve_global_path = /var/lib/dovecot/sieve/default.sieve
  161. sieve_dir = ~/.sieve
  162. sieve_global_dir = /var/lib/dovecot/sieve/
  163. }
  164. " > /etc/dovecot/dovecot.conf
  165. # If using an old version of Dovecot, remove the ssl_dl line.
  166. case "$(dovecot --version)" in
  167. 1|2.1*|2.2*) sed -i "/^ssl_dh/d" /etc/dovecot/dovecot.conf ;;
  168. esac
  169. mkdir /var/lib/dovecot/sieve/
  170. echo "require [\"fileinto\", \"mailbox\"];
  171. if header :contains \"X-Spam-Flag\" \"YES\"
  172. {
  173. fileinto \"Junk\";
  174. }" > /var/lib/dovecot/sieve/default.sieve
  175. grep -q "^vmail:" /etc/passwd || useradd vmail
  176. chown -R vmail:vmail /var/lib/dovecot
  177. sievec /var/lib/dovecot/sieve/default.sieve
  178. echo "Preparing user authentication..."
  179. grep -q nullok /etc/pam.d/dovecot ||
  180. echo "auth required pam_unix.so nullok
  181. account required pam_unix.so" >> /etc/pam.d/dovecot
  182. # OpenDKIM
  183. # A lot of the big name email services, like Google, will automatically reject
  184. # as spam unfamiliar and unauthenticated email addresses. As in, the server
  185. # will flatly reject the email, not even delivering it to someone's Spam
  186. # folder.
  187. # OpenDKIM is a way to authenticate your email so you can send to such services
  188. # without a problem.
  189. # Create an OpenDKIM key in the proper place with proper permissions.
  190. echo "Generating OpenDKIM keys..."
  191. mkdir -p /etc/postfix/dkim
  192. opendkim-genkey -D /etc/postfix/dkim/ -d "$domain" -s "$subdom"
  193. chgrp opendkim /etc/postfix/dkim/*
  194. chmod g+r /etc/postfix/dkim/*
  195. # Generate the OpenDKIM info:
  196. echo "Configuring OpenDKIM..."
  197. grep -q "$domain" /etc/postfix/dkim/keytable 2>/dev/null ||
  198. echo "$subdom._domainkey.$domain $domain:$subdom:/etc/postfix/dkim/$subdom.private" >> /etc/postfix/dkim/keytable
  199. grep -q "$domain" /etc/postfix/dkim/signingtable 2>/dev/null ||
  200. echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable
  201. grep -q "127.0.0.1" /etc/postfix/dkim/trustedhosts 2>/dev/null ||
  202. echo "127.0.0.1
  203. 10.1.0.0/16
  204. 1.2.3.4/24" >> /etc/postfix/dkim/trustedhosts
  205. # ...and source it from opendkim.conf
  206. grep -q "^KeyTable" /etc/opendkim.conf 2>/dev/null || echo "KeyTable file:/etc/postfix/dkim/keytable
  207. SigningTable refile:/etc/postfix/dkim/signingtable
  208. InternalHosts refile:/etc/postfix/dkim/trustedhosts" >> /etc/opendkim.conf
  209. sed -i '/^#Canonicalization/s/simple/relaxed\/simple/' /etc/opendkim.conf
  210. sed -i '/^#Canonicalization/s/^#//' /etc/opendkim.conf
  211. sed -e '/Socket/s/^#*/#/' -i /etc/opendkim.conf
  212. grep -q "^Socket\s*inet:12301@localhost" /etc/opendkim.conf || echo "Socket inet:12301@localhost" >> /etc/opendkim.conf
  213. # OpenDKIM daemon settings, removing previously activated socket.
  214. sed -i "/^SOCKET/d" /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim
  215. # Here we add to postconf the needed settings for working with OpenDKIM
  216. echo "Configuring Postfix with OpenDKIM settings..."
  217. postconf -e "smtpd_sasl_security_options = noanonymous, noplaintext"
  218. postconf -e "smtpd_sasl_tls_security_options = noanonymous"
  219. postconf -e "myhostname = $maildomain"
  220. postconf -e "milter_default_action = accept"
  221. postconf -e "milter_protocol = 6"
  222. postconf -e "smtpd_milters = inet:localhost:12301"
  223. postconf -e "non_smtpd_milters = inet:localhost:12301"
  224. postconf -e "mailbox_command = /usr/lib/dovecot/deliver"
  225. # A fix for "Opendkim won't start: can't open PID file?", as specified here: https://serverfault.com/a/847442
  226. /lib/opendkim/opendkim.service.generate
  227. systemctl daemon-reload
  228. for x in spamassassin opendkim dovecot postfix; do
  229. printf "Restarting %s..." "$x"
  230. service "$x" restart && printf " ...done\\n"
  231. done
  232. service ufw disable
  233. service ufw stop
  234. pval="$(tr -d "\n" </etc/postfix/dkim/$subdom.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o "p=.*")"
  235. dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval"
  236. dmarcentry="_dmarc.$domain TXT v=DMARC1; p=reject; rua=mailto:dmarc@$domain; fo=1"
  237. spfentry="@ TXT v=spf1 mx a:$maildomain -all"
  238. useradd -m -G mail dmarc
  239. echo "$dkimentry
  240. $dmarcentry
  241. $spfentry" > "$HOME/dns_emailwizard"
  242. printf "\033[31m
  243. _ _
  244. | \ | | _____ ___
  245. | \| |/ _ \ \ /\ / (_)
  246. | |\ | (_) \ V V / _
  247. |_| \_|\___/ \_/\_/ (_)\033[0m
  248. Add these three records to your DNS TXT records on either your registrar's site
  249. or your DNS server:
  250. \033[32m
  251. $dkimentry
  252. $dmarcentry
  253. $spfentry
  254. \033[0m
  255. NOTE: You may need to omit the \`.$domain\` portion at the beginning if
  256. inputting them in a registrar's web interface.
  257. Also, these are now saved to \033[34m~/dns_emailwizard\033[0m in case you want them in a file.
  258. Once you do that, you're done! Check the README for how to add users/accounts
  259. and how to log in."