選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。

emailwiz.sh 10 KiB

5年前
5年前
5年前
5年前
5年前
5年前
5年前
4年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
4年前
4年前
4年前
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309
  1. #!/bin/sh
  2. # THE SETUP
  3. # Mail will be stored in non-retarded Maildirs because it's $currentyear. This
  4. # makes it easier for use with isync, which is what I care about so I can have
  5. # an offline repo of mail.
  6. # The mailbox names are: Inbox, Sent, Drafts, Archive, Junk, Trash
  7. # Use the typical unix login system for mail users. Users will log into their
  8. # email with their passnames on the server. No usage of a redundant mySQL
  9. # database to do this.
  10. # DEPENDENCIES BEFORE RUNNING
  11. # 1. Have a Debian system with a static IP and all that. Pretty much any
  12. # default VPS offered by a company will have all the basic stuff you need. This
  13. # script might run on Ubuntu as well. Haven't tried it. If you have, tell me
  14. # what happens.
  15. # 2. Have a Let's Encrypt SSL certificate for $maildomain. You might need one
  16. # for $domain as well, but they're free with Let's Encypt so you should have
  17. # them anyway.
  18. # 3. If you've been toying around with your server settings trying to get
  19. # postfix/dovecot/etc. working before running this, I recommend you `apt purge`
  20. # everything first because this script is build on top of only the defaults.
  21. # Clear out /etc/postfix and /etc/dovecot yourself if needbe.
  22. # NOTE WHILE INSTALLING
  23. # On installation of Postfix, select "Internet Site" and put in TLD (without
  24. # `mail.` before it).
  25. echo "Installing programs..."
  26. apt install postfix dovecot-imapd dovecot-sieve opendkim spamassassin spamc
  27. # Check if OpenDKIM is installed and install it if not.
  28. which opendkim-genkey >/dev/null 2>&1 || apt install opendkim-tools
  29. domain="$(cat /etc/mailname)"
  30. subdom="mail"
  31. maildomain="$subdom.$domain"
  32. certdir="/etc/letsencrypt/live/$maildomain"
  33. [ ! -d "$certdir" ] && echo "Note! You must first have a HTTPS/SSL Certificate for $maildomain.
  34. Use Let's Encrypt's Certbot to get that and then rerun this script.
  35. You may need to set up a dummy $maildomain site in nginx or Apache for that to work." && exit
  36. # NOTE ON POSTCONF COMMANDS
  37. # The `postconf` command literally just adds the line in question to
  38. # /etc/postfix/main.cf so if you need to debug something, go there. It replaces
  39. # any other line that sets the same setting, otherwise it is appended to the
  40. # end of the file.
  41. echo "Configuring Postfix's main.cf..."
  42. # Change the cert/key files to the default locations of the Let's Encrypt cert/key
  43. postconf -e "smtpd_tls_key_file=$certdir/privkey.pem"
  44. postconf -e "smtpd_tls_cert_file=$certdir/fullchain.pem"
  45. postconf -e "smtpd_use_tls = yes"
  46. postconf -e "smtpd_tls_auth_only = yes"
  47. postconf -e "smtp_tls_security_level = may"
  48. postconf -e "smtp_tls_loglevel = 1"
  49. postconf -e "smtp_tls_CAfile=$certdir/cert.pem"
  50. # Here we tell Postfix to look to Dovecot for authenticating users/passwords.
  51. # Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
  52. postconf -e "smtpd_sasl_auth_enable = yes"
  53. postconf -e "smtpd_sasl_type = dovecot"
  54. postconf -e "smtpd_sasl_path = private/auth"
  55. #postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination"
  56. # NOTE: the trailing slash here, or for any directory name in the home_mailbox
  57. # command, is necessary as it distinguishes a maildir (which is the actual
  58. # directories that what we want) from a spoolfile (which is what old unix
  59. # boomers want and no one else).
  60. postconf -e "home_mailbox = Mail/Inbox/"
  61. # Research this one:
  62. #postconf -e "mailbox_command ="
  63. # master.cf
  64. echo "Configuring Postfix's master.cf..."
  65. sed -i "/^\s*-o/d;/^\s*submission/d;/^\s*smtp/d" /etc/postfix/master.cf
  66. echo "smtp unix - - n - - smtp
  67. smtp inet n - y - - smtpd
  68. -o content_filter=spamassassin
  69. submission inet n - y - - smtpd
  70. -o syslog_name=postfix/submission
  71. -o smtpd_tls_security_level=encrypt
  72. -o smtpd_sasl_auth_enable=yes
  73. -o smtpd_tls_auth_only=yes
  74. smtps inet n - y - - smtpd
  75. -o syslog_name=postfix/smtps
  76. -o smtpd_tls_wrappermode=yes
  77. -o smtpd_sasl_auth_enable=yes
  78. spamassassin unix - n n - - pipe
  79. user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f \${sender} \${recipient}" >> /etc/postfix/master.cf
  80. # By default, dovecot has a bunch of configs in /etc/dovecot/conf.d/ These
  81. # files have nice documentation if you want to read it, but it's a huge pain to
  82. # go through them to organize. Instead, we simply overwrite
  83. # /etc/dovecot/dovecot.conf because it's easier to manage. You can get a backup
  84. # of the original in /usr/share/dovecot if you want.
  85. echo "Creating Dovecot config..."
  86. echo "# Dovecot config
  87. # Note that in the dovecot conf, you can use:
  88. # %u for username
  89. # %n for the name in name@domain.tld
  90. # %d for the domain
  91. # %h the user's home directory
  92. # If you're not a brainlet, SSL must be set to required.
  93. ssl = required
  94. ssl_cert = <$certdir/fullchain.pem
  95. ssl_key = <$certdir/privkey.pem
  96. # Plaintext login. This is safe and easy thanks to SSL.
  97. auth_mechanisms = plain login
  98. protocols = \$protocols imap
  99. # Search for valid users in /etc/passwd
  100. userdb {
  101. driver = passwd
  102. }
  103. #Fallback: Use plain old PAM to find user passwords
  104. passdb {
  105. driver = pam
  106. }
  107. # Our mail for each user will be in ~/Mail, and the inbox will be ~/Mail/Inbox
  108. # The LAYOUT option is also important because otherwise, the boxes will be \`.Sent\` instead of \`Sent\`.
  109. mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
  110. namespace inbox {
  111. inbox = yes
  112. mailbox Drafts {
  113. special_use = \\Drafts
  114. auto = subscribe
  115. }
  116. mailbox Junk {
  117. special_use = \\Junk
  118. auto = subscribe
  119. autoexpunge = 30d
  120. }
  121. mailbox Sent {
  122. special_use = \\Sent
  123. auto = subscribe
  124. }
  125. mailbox Trash {
  126. special_use = \\Trash
  127. }
  128. mailbox Archive {
  129. special_use = \\Archive
  130. }
  131. }
  132. # Here we let Postfix use Dovecot's authetication system.
  133. service auth {
  134. unix_listener /var/spool/postfix/private/auth {
  135. mode = 0660
  136. user = postfix
  137. group = postfix
  138. }
  139. }
  140. protocol lda {
  141. mail_plugins = \$mail_plugins sieve
  142. }
  143. protocol lmtp {
  144. mail_plugins = \$mail_plugins sieve
  145. }
  146. plugin {
  147. sieve = ~/.dovecot.sieve
  148. sieve_default = /var/lib/dovecot/sieve/default.sieve
  149. #sieve_global_path = /var/lib/dovecot/sieve/default.sieve
  150. sieve_dir = ~/.sieve
  151. sieve_global_dir = /var/lib/dovecot/sieve/
  152. }
  153. " > /etc/dovecot/dovecot.conf
  154. mkdir /var/lib/dovecot/sieve/
  155. echo "require [\"fileinto\", \"mailbox\"];
  156. if header :contains \"X-Spam-Flag\" \"YES\"
  157. {
  158. fileinto \"Junk\";
  159. }" > /var/lib/dovecot/sieve/default.sieve
  160. cut -d: -f1 /etc/passwd | grep -q "^vmail" || useradd vmail
  161. chown -R vmail:vmail /var/lib/dovecot
  162. sievec /var/lib/dovecot/sieve/default.sieve
  163. echo "Preparing user authetication..."
  164. grep -q nullok /etc/pam.d/dovecot ||
  165. echo "auth required pam_unix.so nullok
  166. account required pam_unix.so" >> /etc/pam.d/dovecot
  167. # OpenDKIM
  168. # A lot of the big name email services, like Google, will automatically
  169. # rejectmark as spam unfamiliar and unauthenticated email addresses. As in, the
  170. # server will flattly reject the email, not even deliverring it to someone's
  171. # Spam folder.
  172. # OpenDKIM is a way to authenticate your email so you can send to such services
  173. # without a problem.
  174. # TODO: add opendkim-tools ?
  175. # Create an OpenDKIM key in the proper place with proper permissions.
  176. echo "Generating OpenDKIM keys..."
  177. mkdir -p /etc/postfix/dkim
  178. opendkim-genkey -D /etc/postfix/dkim/ -d $ "$domain" -s "$subdom"
  179. chgrp opendkim /etc/postfix/dkim/*
  180. chmod g+r /etc/postfix/dkim/*
  181. # Generate the OpenDKIM info:
  182. echo "Configuring OpenDKIM..."
  183. grep -q "$domain" /etc/postfix/dkim/keytable 2>/dev/null ||
  184. echo "$subdom._domainkey.$domain $domain:mail:/etc/postfix/dkim/mail.private" >> /etc/postfix/dkim/keytable
  185. grep -q "$domain" /etc/postfix/dkim/signingtable 2>/dev/null ||
  186. echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable
  187. grep -q "127.0.0.1" /etc/postfix/dkim/trustedhosts 2>/dev/null ||
  188. echo "127.0.0.1
  189. 10.1.0.0/16
  190. 1.2.3.4/24" >> /etc/postfix/dkim/trustedhosts
  191. # ...and source it from opendkim.conf
  192. grep -q "^KeyTable" /etc/opendkim.conf 2>/dev/null || echo "KeyTable file:/etc/postfix/dkim/keytable
  193. SigningTable refile:/etc/postfix/dkim/signingtable
  194. InternalHosts refile:/etc/postfix/dkim/trustedhosts" >> /etc/opendkim.conf
  195. sed -i '/^#Canonicalization/s/simple/relaxed\/simple/' /etc/opendkim.conf
  196. sed -i '/^#Canonicalization/s/^#//' /etc/opendkim.conf
  197. sed -e '/Socket/s/^#*/#/' -i /etc/opendkim.conf
  198. sed -i '/\local:\/var\/run\/opendkim\/opendkim.sock/a \Socket\t\t\tinet:12301@localhost' /etc/opendkim.conf
  199. # OpenDKIM daemon settings, removing previously activated socket.
  200. sed -i "/^SOCKET/d" /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim
  201. # Here we add to postconf the needed settings for working with OpenDKIM
  202. echo "Configuring Postfix with OpenDKIM settings..."
  203. postconf -e "smtpd_sasl_security_options = noanonymous, noplaintext"
  204. postconf -e "smtpd_sasl_tls_security_options = noanonymous"
  205. postconf -e "myhostname = $maildomain"
  206. postconf -e "milter_default_action = accept"
  207. postconf -e "milter_protocol = 6"
  208. postconf -e "smtpd_milters = inet:localhost:12301"
  209. postconf -e "non_smtpd_milters = inet:localhost:12301"
  210. postconf -e "mailbox_command = /usr/lib/dovecot/deliver"
  211. for x in dovecot postfix opendkim spamassassin; do
  212. printf "Restarting %s..." "$x"
  213. service "$x" restart && printf " ...done\\n"
  214. done
  215. pval="$(tr -d "\n" </etc/postfix/dkim/mail.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o "p=.*")"
  216. dkimentry="$subdom._domainkey.$domain\\tTXT\\tv=DKIM1; k=rsa; $pval"
  217. dmarcentry="_dmarc.$domain\\tTXT\\tv=DMARC1; p=none; rua=mailto:dmarc@$domain; fo=1"
  218. spfentry="@\\tTXT\\tv=spf1 mx a:$maildomain -all"
  219. useradd -m -G mail dmarc
  220. echo -e "$dkimentry
  221. $dmarcentry
  222. $spfentry" > "$HOME/dns_emailwizard"
  223. echo -e "
  224. _ _
  225. | \ | | _____ ___
  226. | \| |/ _ \ \ /\ / (_)
  227. | |\ | (_) \ V V / _
  228. |_| \_|\___/ \_/\_/ (_)
  229. Add these three records to your DNS TXT records on either your registrar's site
  230. or your DNS server:
  231. $dkimentry
  232. $dmarcentry
  233. $spfentry
  234. NOTE: You may need to omit the \`.$domain\` portion at the beginning if
  235. inputting them in a registrar's web interface.
  236. Also saving these to ~/dns_emailwizard in case you want them in a file.
  237. Once you do that, you're done! Check the README for how to add users/accounts
  238. and how to log in."