選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。

emailwiz.sh 12 KiB

5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
2年前
2年前
5年前
5年前
3年前
3年前
3年前
3年前
5年前
3年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
3年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
5年前
3年前
5年前
5年前
3年前
5年前
3年前
5年前
3年前
4年前
4年前
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348
  1. #!/bin/sh
  2. # THE SETUP
  3. # Mail will be stored in non-retarded Maildirs because it's $currentyear. This
  4. # makes it easier for use with isync, which is what I care about so I can have
  5. # an offline repo of mail.
  6. # The mailbox names are: Inbox, Sent, Drafts, Archive, Junk, Trash
  7. # Use the typical unix login system for mail users. Users will log into their
  8. # email with their passnames on the server. No usage of a redundant mySQL
  9. # database to do this.
  10. # DEPENDENCIES BEFORE RUNNING
  11. # 1. Have a Debian system with a static IP and all that. Pretty much any
  12. # default VPS offered by a company will have all the basic stuff you need. This
  13. # script might run on Ubuntu as well. Haven't tried it. If you have, tell me
  14. # what happens.
  15. # 2. Have a Let's Encrypt SSL certificate for $maildomain. You might need one
  16. # for $domain as well, but they're free with Let's Encypt so you should have
  17. # them anyway.
  18. # 3. If you've been toying around with your server settings trying to get
  19. # postfix/dovecot/etc. working before running this, I recommend you `apt purge`
  20. # everything first because this script is build on top of only the defaults.
  21. # Clear out /etc/postfix and /etc/dovecot yourself if needbe.
  22. # NOTE WHILE INSTALLING
  23. # On installation of Postfix, select "Internet Site" and put in TLD (without
  24. # `mail.` before it).
  25. echo "Setting umask to 0022..."
  26. umask 0022
  27. echo "Installing programs..."
  28. apt install postfix postfix-pcre dovecot-imapd dovecot-sieve opendkim spamassassin spamc
  29. # Check if OpenDKIM is installed and install it if not.
  30. which opendkim-genkey >/dev/null 2>&1 || apt install opendkim-tools
  31. domain="$(cat /etc/mailname)"
  32. subdom=${MAIL_SUBDOM:-mail}
  33. maildomain="$subdom.$domain"
  34. certdir="/etc/letsencrypt/live/$maildomain"
  35. [ ! -d "$certdir" ] &&
  36. possiblecert="$(certbot certificates 2>/dev/null | grep "$maildomain\|*\.$domain" -A 2 | awk '/Certificate Path/ {print $3}' | head -n1)" &&
  37. certdir="${possiblecert%/*}"
  38. [ ! -d "$certdir" ] && echo "Note! You must first have a Let's Encrypt Certbot HTTPS/SSL Certificate for $maildomain.
  39. Use Let's Encrypt's Certbot to get that and then rerun this script." && exit 1
  40. # NOTE ON POSTCONF COMMANDS
  41. # The `postconf` command literally just adds the line in question to
  42. # /etc/postfix/main.cf so if you need to debug something, go there. It replaces
  43. # any other line that sets the same setting, otherwise it is appended to the
  44. # end of the file.
  45. echo "Configuring Postfix's main.cf..."
  46. # Change the cert/key files to the default locations of the Let's Encrypt cert/key
  47. postconf -e "smtpd_tls_key_file=$certdir/privkey.pem"
  48. postconf -e "smtpd_tls_cert_file=$certdir/fullchain.pem"
  49. postconf -e "smtp_tls_CAfile=$certdir/cert.pem"
  50. # Enable, but do not require TLS. Requiring it with other server would cause
  51. # mail delivery problems and requiring it locally would cause many other
  52. # issues.
  53. postconf -e 'smtpd_tls_security_level = may'
  54. postconf -e 'smtp_tls_security_level = may'
  55. # TLS required for authentication.
  56. postconf -e 'smtpd_tls_auth_only = yes'
  57. # Exclude obsolete, insecure and obsolete encryption protocols.
  58. postconf -e 'smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  59. postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  60. postconf -e 'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  61. postconf -e 'smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
  62. # Exclude suboptimal ciphers.
  63. postconf -e 'tls_preempt_cipherlist = yes'
  64. postconf -e 'smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL'
  65. # Here we tell Postfix to look to Dovecot for authenticating users/passwords.
  66. # Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
  67. postconf -e 'smtpd_sasl_auth_enable = yes'
  68. postconf -e 'smtpd_sasl_type = dovecot'
  69. postconf -e 'smtpd_sasl_path = private/auth'
  70. # Sender and recipient restrictions
  71. postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
  72. # NOTE: the trailing slash here, or for any directory name in the home_mailbox
  73. # command, is necessary as it distinguishes a maildir (which is the actual
  74. # directories that what we want) from a spoolfile (which is what old unix
  75. # boomers want and no one else).
  76. postconf -e 'home_mailbox = Mail/Inbox/'
  77. # A fix referenced in issue #178 - Postfix configuration leaks ip addresses (https://github.com/LukeSmithxyz/emailwiz/issues/178)
  78. # Prevent "Received From:" header in sent emails in order to prevent leakage of public ip addresses
  79. postconf -e "header_checks = regexp:/etc/postfix/header_checks"
  80. # strips "Received From:" in sent emails
  81. echo "/^Received:.*/ IGNORE
  82. /^X-Originating-IP:/ IGNORE" >> /etc/postfix/header_checks
  83. # master.cf
  84. echo "Configuring Postfix's master.cf..."
  85. sed -i '/^\s*-o/d;/^\s*submission/d;/^\s*smtp/d' /etc/postfix/master.cf
  86. echo "smtp unix - - n - - smtp
  87. smtp inet n - y - - smtpd
  88. -o content_filter=spamassassin
  89. submission inet n - y - - smtpd
  90. -o syslog_name=postfix/submission
  91. -o smtpd_tls_security_level=encrypt
  92. -o smtpd_sasl_auth_enable=yes
  93. -o smtpd_tls_auth_only=yes
  94. smtps inet n - y - - smtpd
  95. -o syslog_name=postfix/smtps
  96. -o smtpd_tls_wrappermode=yes
  97. -o smtpd_sasl_auth_enable=yes
  98. spamassassin unix - n n - - pipe
  99. user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f \${sender} \${recipient}" >> /etc/postfix/master.cf
  100. # By default, dovecot has a bunch of configs in /etc/dovecot/conf.d/ These
  101. # files have nice documentation if you want to read it, but it's a huge pain to
  102. # go through them to organize. Instead, we simply overwrite
  103. # /etc/dovecot/dovecot.conf because it's easier to manage. You can get a backup
  104. # of the original in /usr/share/dovecot if you want.
  105. mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.backup.conf
  106. echo "Creating Dovecot config..."
  107. echo "# Dovecot config
  108. # Note that in the dovecot conf, you can use:
  109. # %u for username
  110. # %n for the name in name@domain.tld
  111. # %d for the domain
  112. # %h the user's home directory
  113. # If you're not a brainlet, SSL must be set to required.
  114. ssl = required
  115. ssl_cert = <$certdir/fullchain.pem
  116. ssl_key = <$certdir/privkey.pem
  117. ssl_min_protocol = TLSv1.2
  118. ssl_cipher_list = "'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED'"
  119. ssl_prefer_server_ciphers = yes
  120. ssl_dh = </usr/share/dovecot/dh.pem
  121. # Plaintext login. This is safe and easy thanks to SSL.
  122. auth_mechanisms = plain login
  123. auth_username_format = %n
  124. protocols = \$protocols imap
  125. # Search for valid users in /etc/passwd
  126. userdb {
  127. driver = passwd
  128. }
  129. #Fallback: Use plain old PAM to find user passwords
  130. passdb {
  131. driver = pam
  132. }
  133. # Our mail for each user will be in ~/Mail, and the inbox will be ~/Mail/Inbox
  134. # The LAYOUT option is also important because otherwise, the boxes will be \`.Sent\` instead of \`Sent\`.
  135. mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
  136. namespace inbox {
  137. inbox = yes
  138. mailbox Drafts {
  139. special_use = \\Drafts
  140. auto = subscribe
  141. }
  142. mailbox Junk {
  143. special_use = \\Junk
  144. auto = subscribe
  145. autoexpunge = 30d
  146. }
  147. mailbox Sent {
  148. special_use = \\Sent
  149. auto = subscribe
  150. }
  151. mailbox Trash {
  152. special_use = \\Trash
  153. }
  154. mailbox Archive {
  155. special_use = \\Archive
  156. }
  157. }
  158. # Here we let Postfix use Dovecot's authetication system.
  159. service auth {
  160. unix_listener /var/spool/postfix/private/auth {
  161. mode = 0660
  162. user = postfix
  163. group = postfix
  164. }
  165. }
  166. protocol lda {
  167. mail_plugins = \$mail_plugins sieve
  168. }
  169. protocol lmtp {
  170. mail_plugins = \$mail_plugins sieve
  171. }
  172. plugin {
  173. sieve = ~/.dovecot.sieve
  174. sieve_default = /var/lib/dovecot/sieve/default.sieve
  175. #sieve_global_path = /var/lib/dovecot/sieve/default.sieve
  176. sieve_dir = ~/.sieve
  177. sieve_global_dir = /var/lib/dovecot/sieve/
  178. }
  179. " > /etc/dovecot/dovecot.conf
  180. # If using an old version of Dovecot, remove the ssl_dl line.
  181. case "$(dovecot --version)" in
  182. 1|2.1*|2.2*) sed -i '/^ssl_dh/d' /etc/dovecot/dovecot.conf ;;
  183. esac
  184. mkdir /var/lib/dovecot/sieve/
  185. echo "require [\"fileinto\", \"mailbox\"];
  186. if header :contains \"X-Spam-Flag\" \"YES\"
  187. {
  188. fileinto \"Junk\";
  189. }" > /var/lib/dovecot/sieve/default.sieve
  190. grep -q '^vmail:' /etc/passwd || useradd vmail
  191. chown -R vmail:vmail /var/lib/dovecot
  192. sievec /var/lib/dovecot/sieve/default.sieve
  193. echo 'Preparing user authentication...'
  194. grep -q nullok /etc/pam.d/dovecot ||
  195. echo 'auth required pam_unix.so nullok
  196. account required pam_unix.so' >> /etc/pam.d/dovecot
  197. # OpenDKIM
  198. # A lot of the big name email services, like Google, will automatically reject
  199. # as spam unfamiliar and unauthenticated email addresses. As in, the server
  200. # will flatly reject the email, not even delivering it to someone's Spam
  201. # folder.
  202. # OpenDKIM is a way to authenticate your email so you can send to such services
  203. # without a problem.
  204. # Create an OpenDKIM key in the proper place with proper permissions.
  205. echo 'Generating OpenDKIM keys...'
  206. mkdir -p /etc/postfix/dkim
  207. opendkim-genkey -D /etc/postfix/dkim/ -d "$domain" -s "$subdom"
  208. chgrp opendkim /etc/postfix/dkim/*
  209. chmod g+r /etc/postfix/dkim/*
  210. # Generate the OpenDKIM info:
  211. echo 'Configuring OpenDKIM...'
  212. grep -q "$domain" /etc/postfix/dkim/keytable 2>/dev/null ||
  213. echo "$subdom._domainkey.$domain $domain:$subdom:/etc/postfix/dkim/$subdom.private" >> /etc/postfix/dkim/keytable
  214. grep -q "$domain" /etc/postfix/dkim/signingtable 2>/dev/null ||
  215. echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable
  216. grep -q '127.0.0.1' /etc/postfix/dkim/trustedhosts 2>/dev/null ||
  217. echo '127.0.0.1
  218. 10.1.0.0/16' >> /etc/postfix/dkim/trustedhosts
  219. # ...and source it from opendkim.conf
  220. grep -q '^KeyTable' /etc/opendkim.conf 2>/dev/null || echo 'KeyTable file:/etc/postfix/dkim/keytable
  221. SigningTable refile:/etc/postfix/dkim/signingtable
  222. InternalHosts refile:/etc/postfix/dkim/trustedhosts' >> /etc/opendkim.conf
  223. sed -i '/^#Canonicalization/s/simple/relaxed\/simple/' /etc/opendkim.conf
  224. sed -i '/^#Canonicalization/s/^#//' /etc/opendkim.conf
  225. sed -i '/Socket/s/^#*/#/' /etc/opendkim.conf
  226. grep -q '^Socket\s*inet:12301@localhost' /etc/opendkim.conf || echo 'Socket inet:12301@localhost' >> /etc/opendkim.conf
  227. # OpenDKIM daemon settings, removing previously activated socket.
  228. sed -i '/^SOCKET/d' /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim
  229. # Here we add to postconf the needed settings for working with OpenDKIM
  230. echo 'Configuring Postfix with OpenDKIM settings...'
  231. postconf -e 'smtpd_sasl_security_options = noanonymous, noplaintext'
  232. postconf -e 'smtpd_sasl_tls_security_options = noanonymous'
  233. postconf -e "myhostname = $domain"
  234. postconf -e 'milter_default_action = accept'
  235. postconf -e 'milter_protocol = 6'
  236. postconf -e 'smtpd_milters = inet:localhost:12301'
  237. postconf -e 'non_smtpd_milters = inet:localhost:12301'
  238. postconf -e 'mailbox_command = /usr/lib/dovecot/deliver'
  239. # A fix for "Opendkim won't start: can't open PID file?", as specified here: https://serverfault.com/a/847442
  240. /lib/opendkim/opendkim.service.generate
  241. systemctl daemon-reload
  242. for x in spamassassin opendkim dovecot postfix; do
  243. printf "Restarting %s..." "$x"
  244. service "$x" restart && printf " ...done\\n"
  245. done
  246. # If ufw is used, enable the mail ports.
  247. pgrep ufw >/dev/null && { ufw allow 993; ufw allow 465 ; ufw allow 587; ufw allow 25 ;}
  248. pval="$(tr -d '\n' </etc/postfix/dkim/"$subdom".txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o 'p=.*')"
  249. dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval"
  250. dmarcentry="_dmarc.$domain TXT v=DMARC1; p=reject; rua=mailto:dmarc@$domain; fo=1"
  251. spfentry="$domain TXT v=spf1 mx a:$maildomain -all"
  252. useradd -m -G mail dmarc
  253. echo "$dkimentry
  254. $dmarcentry
  255. $spfentry" > "$HOME/dns_emailwizard"
  256. printf "\033[31m
  257. _ _
  258. | \ | | _____ ___
  259. | \| |/ _ \ \ /\ / (_)
  260. | |\ | (_) \ V V / _
  261. |_| \_|\___/ \_/\_/ (_)\033[0m
  262. Add these three records to your DNS TXT records on either your registrar's site
  263. or your DNS server:
  264. \033[32m
  265. $dkimentry
  266. $dmarcentry
  267. $spfentry
  268. \033[0m
  269. NOTE: You may need to omit the \`.$domain\` portion at the beginning if
  270. inputting them in a registrar's web interface.
  271. Also, these are now saved to \033[34m~/dns_emailwizard\033[0m in case you want them in a file.
  272. Once you do that, you're done! Check the README for how to add users/accounts
  273. and how to log in.\n"