選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。

emailwiz.sh 13 KiB

5年前
5年前
5年前
5年前
5年前
5年前
5年前
2年前
2年前
1年前
5年前
3年前
3年前
3年前
3年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
3年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
3年前
5年前
5年前
3年前
5年前
3年前
5年前
2年前
2年前
2年前
4年前
4年前
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365
  1. #!/bin/sh
  2. # THE SETUP
  3. # Mail will be stored in non-retarded Maildirs because it's $currentyear. This
  4. # makes it easier for use with isync, which is what I care about so I can have
  5. # an offline repo of mail.
  6. # The mailbox names are: Inbox, Sent, Drafts, Archive, Junk, Trash
  7. # Use the typical unix login system for mail users. Users will log into their
  8. # email with their passnames on the server. No usage of a redundant mySQL
  9. # database to do this.
  10. # DEPENDENCIES BEFORE RUNNING
  11. # 1. Have a Debian system with a static IP and all that. Pretty much any
  12. # default VPS offered by a company will have all the basic stuff you need. This
  13. # script might run on Ubuntu as well. Haven't tried it. If you have, tell me
  14. # what happens.
  15. # 2. Have a Let's Encrypt SSL certificate for $maildomain. You might need one
  16. # for $domain as well, but they're free with Let's Encypt so you should have
  17. # them anyway.
  18. # 3. If you've been toying around with your server settings trying to get
  19. # postfix/dovecot/etc. working before running this, I recommend you `apt purge`
  20. # everything first because this script is build on top of only the defaults.
  21. # Clear out /etc/postfix and /etc/dovecot yourself if needbe.
  22. # NOTE WHILE INSTALLING
  23. # On installation of Postfix, select "Internet Site" and put in TLD (without
  24. # `mail.` before it).
  25. umask 0022
  26. apt-get install -y postfix postfix-pcre dovecot-imapd dovecot-sieve opendkim spamassassin spamc net-tools
  27. # Check if OpenDKIM is installed and install it if not.
  28. which opendkim-genkey >/dev/null 2>&1 || apt-get install opendkim-tools
  29. domain="$(cat /etc/mailname)"
  30. subdom=${MAIL_SUBDOM:-mail}
  31. maildomain="$subdom.$domain"
  32. certdir="/etc/letsencrypt/live/$maildomain"
  33. # Open required mail ports, and 80, for Certbot.
  34. for port in 80 993 465 25 587; do
  35. ufw allow "$port" 2>/dev/null
  36. done
  37. [ ! -d "$certdir" ] &&
  38. possiblecert="$(certbot certificates 2>/dev/null | grep "Domains:\.* \(\*\.$domain\|$maildomain\)\(\s\|$\)" -A 2 | awk '/Certificate Path/ {print $3}' | head -n1)" &&
  39. certdir="${possiblecert%/*}"
  40. [ ! -d "$certdir" ] &&
  41. certdir="/etc/letsencrypt/live/$maildomain" &&
  42. case "$(netstat -tulpn | grep ":80\s")" in
  43. *nginx*)
  44. apt install -y python3-certbot-nginx
  45. certbot -d "$maildomain" certonly --nginx --register-unsafely-without-email --agree-tos
  46. ;;
  47. *apache*)
  48. apt install -y python3-certbot-apache
  49. certbot -d "$maildomain" certonly --apache --register-unsafely-without-email --agree-tos
  50. ;;
  51. *)
  52. apt install -y python3-certbot
  53. certbot -d "$maildomain" certonly --standalone --register-unsafely-without-email --agree-tos
  54. ;;
  55. esac || exit $1
  56. echo "Configuring Postfix's main.cf..."
  57. # Change the cert/key files to the default locations of the Let's Encrypt cert/key
  58. postconf -e "smtpd_tls_key_file=$certdir/privkey.pem"
  59. postconf -e "smtpd_tls_cert_file=$certdir/fullchain.pem"
  60. postconf -e "smtp_tls_CAfile=$certdir/cert.pem"
  61. # Enable, but do not require TLS. Requiring it with other server would cause
  62. # mail delivery problems and requiring it locally would cause many other
  63. # issues.
  64. postconf -e 'smtpd_tls_security_level = may'
  65. postconf -e 'smtp_tls_security_level = may'
  66. # TLS required for authentication.
  67. postconf -e 'smtpd_tls_auth_only = yes'
  68. # Exclude obsolete, insecure and obsolete encryption protocols.
  69. postconf -e 'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  70. postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  71. postconf -e 'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  72. postconf -e 'smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  73. # Exclude suboptimal ciphers.
  74. postconf -e 'tls_preempt_cipherlist = yes'
  75. postconf -e 'smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL'
  76. # Here we tell Postfix to look to Dovecot for authenticating users/passwords.
  77. # Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
  78. postconf -e 'smtpd_sasl_auth_enable = yes'
  79. postconf -e 'smtpd_sasl_type = dovecot'
  80. postconf -e 'smtpd_sasl_path = private/auth'
  81. # Sender, relay and recipient restrictions
  82. postconf -e "smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre"
  83. postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain'
  84. postconf -e 'smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination'
  85. # NOTE: the trailing slash here, or for any directory name in the home_mailbox
  86. # command, is necessary as it distinguishes a maildir (which is the actual
  87. # directories that what we want) from a spoolfile (which is what old unix
  88. # boomers want and no one else).
  89. postconf -e 'home_mailbox = Mail/Inbox/'
  90. # Prevent "Received From:" header in sent emails in order to prevent leakage of public ip addresses
  91. postconf -e "header_checks = regexp:/etc/postfix/header_checks"
  92. # strips "Received From:" in sent emails
  93. echo "/^Received:.*/ IGNORE
  94. /^X-Originating-IP:/ IGNORE" >> /etc/postfix/header_checks
  95. # Create a login map file that ensures that if a sender wants to send a mail from a user at our local
  96. # domain, they must be authenticated as that user
  97. echo "/^(.*)@$(sh -c "echo $domain | sed 's/\./\\\./'")$/ \${1}" > /etc/postfix/login_maps.pcre
  98. # master.cf
  99. echo "Configuring Postfix's master.cf..."
  100. sed -i '/^\s*-o/d;/^\s*submission/d;/^\s*smtp/d' /etc/postfix/master.cf
  101. echo "smtp unix - - n - - smtp
  102. smtp inet n - y - - smtpd
  103. -o content_filter=spamassassin
  104. submission inet n - y - - smtpd
  105. -o syslog_name=postfix/submission
  106. -o smtpd_tls_security_level=encrypt
  107. -o smtpd_sasl_auth_enable=yes
  108. -o smtpd_tls_auth_only=yes
  109. smtps inet n - y - - smtpd
  110. -o syslog_name=postfix/smtps
  111. -o smtpd_tls_wrappermode=yes
  112. -o smtpd_sasl_auth_enable=yes
  113. spamassassin unix - n n - - pipe
  114. user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f \${sender} \${recipient}" >> /etc/postfix/master.cf
  115. # By default, dovecot has a bunch of configs in /etc/dovecot/conf.d/ These
  116. # files have nice documentation if you want to read it, but it's a huge pain to
  117. # go through them to organize. Instead, we simply overwrite
  118. # /etc/dovecot/dovecot.conf because it's easier to manage. You can get a backup
  119. # of the original in /usr/share/dovecot if you want.
  120. mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.backup.conf
  121. echo "Creating Dovecot config..."
  122. echo "# Dovecot config
  123. # Note that in the dovecot conf, you can use:
  124. # %u for username
  125. # %n for the name in name@domain.tld
  126. # %d for the domain
  127. # %h the user's home directory
  128. # If you're not a brainlet, SSL must be set to required.
  129. ssl = required
  130. ssl_cert = <$certdir/fullchain.pem
  131. ssl_key = <$certdir/privkey.pem
  132. ssl_min_protocol = TLSv1.2
  133. ssl_cipher_list = "'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED'"
  134. ssl_prefer_server_ciphers = yes
  135. ssl_dh = </usr/share/dovecot/dh.pem
  136. # Plaintext login. This is safe and easy thanks to SSL.
  137. auth_mechanisms = plain login
  138. auth_username_format = %n
  139. protocols = \$protocols imap
  140. # Search for valid users in /etc/passwd
  141. userdb {
  142. driver = passwd
  143. }
  144. #Fallback: Use plain old PAM to find user passwords
  145. passdb {
  146. driver = pam
  147. }
  148. # Our mail for each user will be in ~/Mail, and the inbox will be ~/Mail/Inbox
  149. # The LAYOUT option is also important because otherwise, the boxes will be \`.Sent\` instead of \`Sent\`.
  150. mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
  151. namespace inbox {
  152. inbox = yes
  153. mailbox Drafts {
  154. special_use = \\Drafts
  155. auto = subscribe
  156. }
  157. mailbox Junk {
  158. special_use = \\Junk
  159. auto = subscribe
  160. autoexpunge = 30d
  161. }
  162. mailbox Sent {
  163. special_use = \\Sent
  164. auto = subscribe
  165. }
  166. mailbox Trash {
  167. special_use = \\Trash
  168. }
  169. mailbox Archive {
  170. special_use = \\Archive
  171. }
  172. }
  173. # Here we let Postfix use Dovecot's authetication system.
  174. service auth {
  175. unix_listener /var/spool/postfix/private/auth {
  176. mode = 0660
  177. user = postfix
  178. group = postfix
  179. }
  180. }
  181. protocol lda {
  182. mail_plugins = \$mail_plugins sieve
  183. }
  184. protocol lmtp {
  185. mail_plugins = \$mail_plugins sieve
  186. }
  187. plugin {
  188. sieve = ~/.dovecot.sieve
  189. sieve_default = /var/lib/dovecot/sieve/default.sieve
  190. #sieve_global_path = /var/lib/dovecot/sieve/default.sieve
  191. sieve_dir = ~/.sieve
  192. sieve_global_dir = /var/lib/dovecot/sieve/
  193. }
  194. " > /etc/dovecot/dovecot.conf
  195. # If using an old version of Dovecot, remove the ssl_dl line.
  196. case "$(dovecot --version)" in
  197. 1|2.1*|2.2*) sed -i '/^ssl_dh/d' /etc/dovecot/dovecot.conf ;;
  198. esac
  199. mkdir /var/lib/dovecot/sieve/
  200. echo "require [\"fileinto\", \"mailbox\"];
  201. if header :contains \"X-Spam-Flag\" \"YES\"
  202. {
  203. fileinto \"Junk\";
  204. }" > /var/lib/dovecot/sieve/default.sieve
  205. grep -q '^vmail:' /etc/passwd || useradd vmail
  206. chown -R vmail:vmail /var/lib/dovecot
  207. sievec /var/lib/dovecot/sieve/default.sieve
  208. echo 'Preparing user authentication...'
  209. grep -q nullok /etc/pam.d/dovecot ||
  210. echo 'auth required pam_unix.so nullok
  211. account required pam_unix.so' >> /etc/pam.d/dovecot
  212. # OpenDKIM
  213. # A lot of the big name email services, like Google, will automatically reject
  214. # as spam unfamiliar and unauthenticated email addresses. As in, the server
  215. # will flatly reject the email, not even delivering it to someone's Spam
  216. # folder.
  217. # OpenDKIM is a way to authenticate your email so you can send to such services
  218. # without a problem.
  219. # Create an OpenDKIM key in the proper place with proper permissions.
  220. echo 'Generating OpenDKIM keys...'
  221. mkdir -p "/etc/postfix/dkim/$domain"
  222. opendkim-genkey -D "/etc/postfix/dkim/$domain" -d "$domain" -s "$subdom"
  223. chgrp -R opendkim /etc/postfix/dkim/*
  224. chmod -R g+r /etc/postfix/dkim/*
  225. # Generate the OpenDKIM info:
  226. echo 'Configuring OpenDKIM...'
  227. grep -q "$domain" /etc/postfix/dkim/keytable 2>/dev/null ||
  228. echo "$subdom._domainkey.$domain $domain:$subdom:/etc/postfix/dkim/$domain/$subdom.private" >> /etc/postfix/dkim/keytable
  229. grep -q "$domain" /etc/postfix/dkim/signingtable 2>/dev/null ||
  230. echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable
  231. grep -q '127.0.0.1' /etc/postfix/dkim/trustedhosts 2>/dev/null ||
  232. echo '127.0.0.1
  233. 10.1.0.0/16' >> /etc/postfix/dkim/trustedhosts
  234. # ...and source it from opendkim.conf
  235. grep -q '^KeyTable' /etc/opendkim.conf 2>/dev/null || echo 'KeyTable file:/etc/postfix/dkim/keytable
  236. SigningTable refile:/etc/postfix/dkim/signingtable
  237. InternalHosts refile:/etc/postfix/dkim/trustedhosts' >> /etc/opendkim.conf
  238. sed -i '/^#Canonicalization/s/simple/relaxed\/simple/' /etc/opendkim.conf
  239. sed -i '/^#Canonicalization/s/^#//' /etc/opendkim.conf
  240. sed -i '/Socket/s/^#*/#/' /etc/opendkim.conf
  241. grep -q '^Socket\s*inet:12301@localhost' /etc/opendkim.conf || echo 'Socket inet:12301@localhost' >> /etc/opendkim.conf
  242. # OpenDKIM daemon settings, removing previously activated socket.
  243. sed -i '/^SOCKET/d' /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim
  244. # Here we add to postconf the needed settings for working with OpenDKIM
  245. echo 'Configuring Postfix with OpenDKIM settings...'
  246. postconf -e 'smtpd_sasl_security_options = noanonymous, noplaintext'
  247. postconf -e 'smtpd_sasl_tls_security_options = noanonymous'
  248. postconf -e "myhostname = $domain"
  249. postconf -e 'milter_default_action = accept'
  250. postconf -e 'milter_protocol = 6'
  251. postconf -e 'smtpd_milters = inet:localhost:12301'
  252. postconf -e 'non_smtpd_milters = inet:localhost:12301'
  253. postconf -e 'mailbox_command = /usr/lib/dovecot/deliver'
  254. postconf -e 'smtpd_helo_required = yes'
  255. postconf -e 'smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname'
  256. postconf -e 'smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain'
  257. # A fix for "Opendkim won't start: can't open PID file?", as specified here: https://serverfault.com/a/847442
  258. /lib/opendkim/opendkim.service.generate
  259. systemctl daemon-reload
  260. for x in spamassassin opendkim dovecot postfix; do
  261. printf "Restarting %s..." "$x"
  262. service "$x" restart && printf " ...done\\n"
  263. systemctl enable "$x"
  264. done
  265. pval="$(tr -d '\n' <"/etc/postfix/dkim/$domain/$subdom.txt" | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o 'p=.*')"
  266. dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval"
  267. dmarcentry="_dmarc.$domain TXT v=DMARC1; p=reject; rua=mailto:dmarc@$domain; fo=1"
  268. spfentry="$domain TXT v=spf1 mx a:$maildomain -all"
  269. useradd -m -G mail dmarc
  270. grep -q '^deploy-hook = echo "$RENEWED_DOMAINS" | grep -q' /etc/letsencrypt/cli.ini ||
  271. echo "
  272. deploy-hook = echo \"\$RENEWED_DOMAINS\" | grep -q '$maildomain' && service postfix reload && service dovecot reload" >> /etc/letsencrypt/cli.ini
  273. echo "$dkimentry
  274. $dmarcentry
  275. $spfentry" > "$HOME/dns_emailwizard"
  276. printf "\033[31m
  277. _ _
  278. | \ | | _____ ___
  279. | \| |/ _ \ \ /\ / (_)
  280. | |\ | (_) \ V V / _
  281. |_| \_|\___/ \_/\_/ (_)\033[0m
  282. Add these three records to your DNS TXT records on either your registrar's site
  283. or your DNS server:
  284. \033[32m
  285. $dkimentry
  286. $dmarcentry
  287. $spfentry
  288. \033[0m
  289. NOTE: You may need to omit the \`.$domain\` portion at the beginning if
  290. inputting them in a registrar's web interface.
  291. Also, these are now saved to \033[34m~/dns_emailwizard\033[0m in case you want them in a file.
  292. Once you do that, you're done! Check the README for how to add users/accounts
  293. and how to log in.\n"