選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。

emailwiz.sh 14 KiB

5年前
5年前
5年前
5年前
2年前
2年前
5年前
5年前
3年前
3年前
3年前
3年前
3年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
1年前
5年前
3年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
3年前
5年前
5年前
5年前
2年前
2年前
2年前
4年前
4年前
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405
  1. #!/bin/sh
  2. # BEFORE INSTALLING
  3. # Have a Debian or Ubuntu server with a static IP and DNS records (usually
  4. # A/AAAA) that point your domain name to it.
  5. # NOTE WHILE INSTALLING
  6. # On installation of Postfix, select "Internet Site" and put in TLD (without
  7. # `mail.` before it).
  8. # AFTER INSTALLING
  9. # More DNS records will be given to you to install. One of them will be
  10. # different for every installation and is uniquely generated on your machine.
  11. umask 0022
  12. apt-get install -y postfix postfix-pcre dovecot-imapd dovecot-pop3d dovecot-sieve opendkim opendkim-tools spamassassin spamc net-tools fail2ban
  13. domain="$(cat /etc/mailname)"
  14. subdom=${MAIL_SUBDOM:-mail}
  15. maildomain="$subdom.$domain"
  16. certdir="/etc/letsencrypt/live/$maildomain"
  17. # Open required mail ports, and 80, for Certbot.
  18. for port in 80 993 465 25 587; do
  19. ufw allow "$port" 2>/dev/null
  20. done
  21. [ ! -d "$certdir" ] &&
  22. possiblecert="$(certbot certificates 2>/dev/null | grep "Domains:\.* \(\*\.$domain\|$maildomain\)\(\s\|$\)" -A 2 | awk '/Certificate Path/ {print $3}' | head -n1)" &&
  23. certdir="${possiblecert%/*}"
  24. [ ! -d "$certdir" ] &&
  25. certdir="/etc/letsencrypt/live/$maildomain" &&
  26. case "$(netstat -tulpn | grep ":80\s")" in
  27. *nginx*)
  28. apt install -y python3-certbot-nginx
  29. certbot -d "$maildomain" certonly --nginx --register-unsafely-without-email --agree-tos
  30. ;;
  31. *apache*)
  32. apt install -y python3-certbot-apache
  33. certbot -d "$maildomain" certonly --apache --register-unsafely-without-email --agree-tos
  34. ;;
  35. *)
  36. apt install -y python3-certbot
  37. certbot -d "$maildomain" certonly --standalone --register-unsafely-without-email --agree-tos
  38. ;;
  39. esac
  40. [ ! -d "$certdir" ] && echo "Error locating or installing SSL certificate." && exit 1
  41. echo "Configuring Postfix's main.cf..."
  42. # Adding additional vars to fix an issue with receiving emails (relay access denied) and adding it to mydestination.
  43. postconf -e "myhostname = $maildomain"
  44. postconf -e "mail_name = $domain" #This is for the smtpd_banner
  45. postconf -e "mydomain = $domain"
  46. postconf -e 'mydestination = $myhostname, $mydomain, mail, localhost.localdomain, localhost, localhost.$mydomain'
  47. # Change the cert/key files to the default locations of the Let's Encrypt cert/key
  48. postconf -e "smtpd_tls_key_file=$certdir/privkey.pem"
  49. postconf -e "smtpd_tls_cert_file=$certdir/fullchain.pem"
  50. postconf -e "smtp_tls_CAfile=$certdir/cert.pem"
  51. # Enable, but do not require TLS. Requiring it with other servers would cause
  52. # mail delivery problems and requiring it locally would cause many other
  53. # issues.
  54. postconf -e 'smtpd_tls_security_level = may'
  55. postconf -e 'smtp_tls_security_level = may'
  56. # TLS required for authentication.
  57. postconf -e 'smtpd_tls_auth_only = yes'
  58. # Exclude insecure and obsolete encryption protocols.
  59. postconf -e 'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  60. postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  61. postconf -e 'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  62. postconf -e 'smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  63. # Exclude suboptimal ciphers.
  64. # postconf -e 'tls_preempt_cipherlist = yes'
  65. # postconf -e 'smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL'
  66. # Here we tell Postfix to look to Dovecot for authenticating users/passwords.
  67. # Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
  68. postconf -e 'smtpd_sasl_auth_enable = yes'
  69. postconf -e 'smtpd_sasl_type = dovecot'
  70. postconf -e 'smtpd_sasl_path = private/auth'
  71. # helo, sender, relay and recipient restrictions
  72. postconf -e "smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre"
  73. postconf -e 'smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain'
  74. postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain'
  75. postconf -e 'smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination'
  76. postconf -e 'smtpd_helo_required = yes'
  77. postconf -e 'smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname'
  78. # NOTE: the trailing slash here, or for any directory name in the home_mailbox
  79. # command, is necessary as it distinguishes a maildir (which is the actual
  80. # directory that we want) from a spoolfile (which is what old unix boomers want
  81. # and no one else).
  82. postconf -e 'home_mailbox = Mail/Inbox/'
  83. # Prevent "Received From:" header in sent emails in order to prevent leakage of public ip addresses
  84. postconf -e "header_checks = regexp:/etc/postfix/header_checks"
  85. # strips "Received From:" in sent emails
  86. echo "/^Received:.*/ IGNORE
  87. /^X-Originating-IP:/ IGNORE" >> /etc/postfix/header_checks
  88. # Create a login map file that ensures that if a sender wants to send a mail from a user at our local
  89. # domain, they must be authenticated as that user
  90. echo "/^(.*)@$(sh -c "echo $domain | sed 's/\./\\\./'")$/ \${1}" > /etc/postfix/login_maps.pcre
  91. # master.cf
  92. echo "Configuring Postfix's master.cf..."
  93. sed -i '/^\s*-o/d;/^\s*submission/d;/^\s*smtp/d' /etc/postfix/master.cf
  94. echo "smtp unix - - n - - smtp
  95. smtp inet n - y - - smtpd
  96. -o content_filter=spamassassin
  97. submission inet n - y - - smtpd
  98. -o syslog_name=postfix/submission
  99. -o smtpd_tls_security_level=encrypt
  100. -o smtpd_tls_auth_only=yes
  101. -o smtpd_enforce_tls=yes
  102. -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  103. -o smtpd_sender_restrictions=reject_sender_login_mismatch
  104. -o smtpd_sender_login_maps=pcre:/etc/postfix/login_maps.pcre
  105. -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
  106. smtps inet n - y - - smtpd
  107. -o syslog_name=postfix/smtps
  108. -o smtpd_tls_wrappermode=yes
  109. -o smtpd_sasl_auth_enable=yes
  110. spamassassin unix - n n - - pipe
  111. user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f \${sender} \${recipient}" >> /etc/postfix/master.cf
  112. # By default, dovecot has a bunch of configs in /etc/dovecot/conf.d/ These
  113. # files have nice documentation if you want to read it, but it's a huge pain to
  114. # go through them to organize. Instead, we simply overwrite
  115. # /etc/dovecot/dovecot.conf because it's easier to manage. You can get a backup
  116. # of the original in /usr/share/dovecot if you want.
  117. mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.backup.conf
  118. echo "Creating Dovecot config..."
  119. echo "# Dovecot config
  120. # Note that in the dovecot conf, you can use:
  121. # %u for username
  122. # %n for the name in name@domain.tld
  123. # %d for the domain
  124. # %h the user's home directory
  125. ssl = required
  126. ssl_cert = <$certdir/fullchain.pem
  127. ssl_key = <$certdir/privkey.pem
  128. ssl_min_protocol = TLSv1.2
  129. ssl_cipher_list = "'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED'"
  130. ssl_prefer_server_ciphers = yes
  131. ssl_dh = </usr/share/dovecot/dh.pem
  132. auth_mechanisms = plain login
  133. auth_username_format = %n
  134. protocols = \$protocols imap pop3
  135. # Search for valid users in /etc/passwd
  136. userdb {
  137. driver = passwd
  138. }
  139. #Fallback: Use plain old PAM to find user passwords
  140. passdb {
  141. driver = pam
  142. }
  143. # Our mail for each user will be in ~/Mail, and the inbox will be ~/Mail/Inbox
  144. # The LAYOUT option is also important because otherwise, the boxes will be \`.Sent\` instead of \`Sent\`.
  145. mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
  146. namespace inbox {
  147. inbox = yes
  148. mailbox Drafts {
  149. special_use = \\Drafts
  150. auto = subscribe
  151. }
  152. mailbox Junk {
  153. special_use = \\Junk
  154. auto = subscribe
  155. autoexpunge = 30d
  156. }
  157. mailbox Sent {
  158. special_use = \\Sent
  159. auto = subscribe
  160. }
  161. mailbox Trash {
  162. special_use = \\Trash
  163. }
  164. mailbox Archive {
  165. special_use = \\Archive
  166. }
  167. }
  168. # Here we let Postfix use Dovecot's authentication system.
  169. service auth {
  170. unix_listener /var/spool/postfix/private/auth {
  171. mode = 0660
  172. user = postfix
  173. group = postfix
  174. }
  175. }
  176. protocol lda {
  177. mail_plugins = \$mail_plugins sieve
  178. }
  179. protocol lmtp {
  180. mail_plugins = \$mail_plugins sieve
  181. }
  182. protocol pop3 {
  183. pop3_uidl_format = %08Xu%08Xv
  184. pop3_no_flag_updates = yes
  185. }
  186. plugin {
  187. sieve = ~/.dovecot.sieve
  188. sieve_default = /var/lib/dovecot/sieve/default.sieve
  189. #sieve_global_path = /var/lib/dovecot/sieve/default.sieve
  190. sieve_dir = ~/.sieve
  191. sieve_global_dir = /var/lib/dovecot/sieve/
  192. }
  193. " > /etc/dovecot/dovecot.conf
  194. # If using an old version of Dovecot, remove the ssl_dl line.
  195. case "$(dovecot --version)" in
  196. 1|2.1*|2.2*) sed -i '/^ssl_dh/d' /etc/dovecot/dovecot.conf ;;
  197. esac
  198. mkdir /var/lib/dovecot/sieve/
  199. echo "require [\"fileinto\", \"mailbox\"];
  200. if header :contains \"X-Spam-Flag\" \"YES\"
  201. {
  202. fileinto \"Junk\";
  203. }" > /var/lib/dovecot/sieve/default.sieve
  204. grep -q '^vmail:' /etc/passwd || useradd vmail
  205. chown -R vmail:vmail /var/lib/dovecot
  206. sievec /var/lib/dovecot/sieve/default.sieve
  207. echo 'Preparing user authentication...'
  208. grep -q nullok /etc/pam.d/dovecot ||
  209. echo 'auth required pam_unix.so nullok
  210. account required pam_unix.so' >> /etc/pam.d/dovecot
  211. # OpenDKIM
  212. # A lot of the big name email services, like Google, will automatically reject
  213. # as spam unfamiliar and unauthenticated email addresses. As in, the server
  214. # will flatly reject the email, not even delivering it to someone's Spam
  215. # folder.
  216. # OpenDKIM is a way to authenticate your email so you can send to such services
  217. # without a problem.
  218. # Create an OpenDKIM key in the proper place with proper permissions.
  219. echo 'Generating OpenDKIM keys...'
  220. mkdir -p "/etc/postfix/dkim/$domain"
  221. opendkim-genkey -D "/etc/postfix/dkim/$domain" -d "$domain" -s "$subdom"
  222. chgrp -R opendkim /etc/postfix/dkim/*
  223. chmod -R g+r /etc/postfix/dkim/*
  224. # Generate the OpenDKIM info:
  225. echo 'Configuring OpenDKIM...'
  226. grep -q "$domain" /etc/postfix/dkim/keytable 2>/dev/null ||
  227. echo "$subdom._domainkey.$domain $domain:$subdom:/etc/postfix/dkim/$domain/$subdom.private" >> /etc/postfix/dkim/keytable
  228. grep -q "$domain" /etc/postfix/dkim/signingtable 2>/dev/null ||
  229. echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable
  230. grep -q '127.0.0.1' /etc/postfix/dkim/trustedhosts 2>/dev/null ||
  231. echo '127.0.0.1
  232. 10.1.0.0/16' >> /etc/postfix/dkim/trustedhosts
  233. # ...and source it from opendkim.conf
  234. grep -q '^KeyTable' /etc/opendkim.conf 2>/dev/null || echo 'KeyTable file:/etc/postfix/dkim/keytable
  235. SigningTable refile:/etc/postfix/dkim/signingtable
  236. InternalHosts refile:/etc/postfix/dkim/trustedhosts' >> /etc/opendkim.conf
  237. sed -i '/^#Canonicalization/s/simple/relaxed\/simple/' /etc/opendkim.conf
  238. sed -i '/^#Canonicalization/s/^#//' /etc/opendkim.conf
  239. sed -i '/Socket/s/^#*/#/' /etc/opendkim.conf
  240. grep -q '^Socket\s*inet:12301@localhost' /etc/opendkim.conf || echo 'Socket inet:12301@localhost' >> /etc/opendkim.conf
  241. # OpenDKIM daemon settings, removing previously activated socket.
  242. sed -i '/^SOCKET/d' /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim
  243. # Here we add to postconf the needed settings for working with OpenDKIM
  244. echo 'Configuring Postfix with OpenDKIM settings...'
  245. postconf -e 'smtpd_sasl_security_options = noanonymous, noplaintext'
  246. postconf -e 'smtpd_sasl_tls_security_options = noanonymous'
  247. postconf -e "myhostname = $maildomain"
  248. postconf -e 'milter_default_action = accept'
  249. postconf -e 'milter_protocol = 6'
  250. postconf -e 'smtpd_milters = inet:localhost:12301'
  251. postconf -e 'non_smtpd_milters = inet:localhost:12301'
  252. postconf -e 'mailbox_command = /usr/lib/dovecot/deliver'
  253. # A fix for "Opendkim won't start: can't open PID file?", as specified here: https://serverfault.com/a/847442
  254. /lib/opendkim/opendkim.service.generate
  255. systemctl daemon-reload
  256. # Enable fail2ban security for dovecot and postfix.
  257. [ ! -f /etc/fail2ban/jail.d/emailwiz.local ] && echo "[postfix]
  258. enabled = true
  259. [postfix-sasl]
  260. enabled = true
  261. [sieve]
  262. enabled = true
  263. [dovecot]
  264. enabled = true" > /etc/fail2ban/jail.d/emailwiz.local
  265. sed -i "s|^backend = auto$|backend = systemd|" /etc/fail2ban/jail.conf
  266. # Enable SpamAssassin update cronjob.
  267. if [ -f /etc/default/spamassassin ]
  268. then
  269. sed -i "s|^CRON=0|CRON=1|" /etc/default/spamassassin
  270. printf "Restarting spamassassin..."
  271. service spamassassin restart && printf " ...done\\n"
  272. systemctl enable spamassassin
  273. elif [ -f /etc/default/spamd ]
  274. then
  275. sed -i "s|^CRON=0|CRON=1|" /etc/default/spamd
  276. printf "Restarting spamd..."
  277. service spamd restart && printf " ...done\\n"
  278. systemctl enable spamd
  279. else
  280. printf "!!! Neither /etc/default/spamassassin or /etc/default/spamd exists, this is unexpected and needs to be investigated"
  281. fi
  282. for x in opendkim dovecot postfix fail2ban; do
  283. printf "Restarting %s..." "$x"
  284. service "$x" restart && printf " ...done\\n"
  285. systemctl enable "$x"
  286. done
  287. # Generate spf mechanisms
  288. mailip4=$(host "$domain" | grep -m1 -Eo '([0-9]+\.){3}[0-9]+')
  289. mailip6=$(host "$domain" | grep "IPv6" | awk '{print $NF}')
  290. pval="$(tr -d '\n' <"/etc/postfix/dkim/$domain/$subdom.txt" | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o 'p=.*')"
  291. dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval"
  292. dmarcentry="_dmarc.$domain TXT v=DMARC1; p=reject; rua=mailto:dmarc@$domain; fo=1"
  293. spfentry="$domain TXT v=spf1 mx a:$maildomain ip4:$mailip4 ip6:$mailip6 -all"
  294. mxentry="$domain MX 10 $maildomain 300"
  295. useradd -m -G mail dmarc
  296. # Create a cronjob that deletes month-old dmarc feedback:
  297. cat <<EOF > /etc/cron.weekly/dmarc-clean
  298. #!/bin/sh
  299. find /home/dmarc/Mail -type f -mtime +30 -name '*.mail*' -delete >/dev/null 2>&1
  300. exit 0
  301. EOF
  302. chmod 755 /etc/cron.weekly/dmarc-clean
  303. grep -q '^deploy-hook = echo "$RENEWED_DOMAINS" | grep -q' /etc/letsencrypt/cli.ini ||
  304. echo "
  305. deploy-hook = echo \"\$RENEWED_DOMAINS\" | grep -q '$maildomain' && service postfix reload && service dovecot reload" >> /etc/letsencrypt/cli.ini
  306. echo "NOTE: Elements in the entries might appear in a different order in your registrar's DNS settings.
  307. $dkimentry
  308. $dmarcentry
  309. $spfentry
  310. $mxentry" > "$HOME/dns_emailwizard"
  311. printf "\033[31m
  312. _ _
  313. | \ | | _____ ___
  314. | \| |/ _ \ \ /\ / (_)
  315. | |\ | (_) \ V V / _
  316. |_| \_|\___/ \_/\_/ (_)\033[0m
  317. Add these three records to your DNS TXT records on either your registrar's site
  318. or your DNS server:
  319. \033[32m
  320. $dkimentry
  321. $dmarcentry
  322. $spfentry
  323. $mxentry
  324. \033[0m
  325. NOTE: You may need to omit the \`.$domain\` portion at the beginning if
  326. inputting them in a registrar's web interface.
  327. Also, these are now saved to \033[34m~/dns_emailwizard\033[0m in case you want them in a file.
  328. Once you do that, you're done! Check the README for how to add users/accounts
  329. and how to log in.\n"