From c518fb042889a1e81331405237bd5bdd52f9708c Mon Sep 17 00:00:00 2001
From: mqr10 <unknown@example.com>
Date: Sat, 4 Jul 2020 16:14:30 +0200
Subject: [PATCH 1/3] force minimum TLS1.2 connections, disable weak
 ciphersuites

---
 emailwiz.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/emailwiz.sh b/emailwiz.sh
index a4750e4..725dfab 100755
--- a/emailwiz.sh
+++ b/emailwiz.sh
@@ -65,6 +65,14 @@ postconf -e "smtpd_tls_auth_only = yes"
 postconf -e "smtp_tls_security_level = may"
 postconf -e "smtp_tls_loglevel = 1"
 postconf -e "smtp_tls_CAfile=$certdir/cert.pem"
+postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "tls_preempt_cipherlist = yes"
+postconf -e "smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
+                            DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,
+                            RSA+AES, eNULL"
 
 # Here we tell Postfix to look to Dovecot for authenticating users/passwords.
 # Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
@@ -126,6 +134,9 @@ echo "# Dovecot config
 ssl = required
 ssl_cert = <$certdir/fullchain.pem
 ssl_key = <$certdir/privkey.pem
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH
+ssl_prefer_server_ciphers = yes
 # Plaintext login. This is safe and easy thanks to SSL.
 auth_mechanisms = plain login
 

From 30fd2d5d8d71825fb1bbbe4fc9ca01aebcd0f093 Mon Sep 17 00:00:00 2001
From: Darnell Andries <darnell@andries.ca>
Date: Tue, 21 Jul 2020 14:23:38 -0700
Subject: [PATCH 2/3] Fixes for custom subdomain names

---
 emailwiz.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/emailwiz.sh b/emailwiz.sh
index af3ff66..f05d8ef 100755
--- a/emailwiz.sh
+++ b/emailwiz.sh
@@ -38,7 +38,7 @@ apt install postfix dovecot-imapd dovecot-sieve opendkim spamassassin spamc
 # Check if OpenDKIM is installed and install it if not.
 which opendkim-genkey >/dev/null 2>&1 || apt install opendkim-tools
 domain="$(cat /etc/mailname)"
-subdom="mail"
+subdom=${MAIL_SUBDOM:-mail}
 maildomain="$subdom.$domain"
 certdir="/etc/letsencrypt/live/$maildomain"
 
@@ -232,7 +232,7 @@ chmod g+r /etc/postfix/dkim/*
 # Generate the OpenDKIM info:
 echo "Configuring OpenDKIM..."
 grep -q "$domain" /etc/postfix/dkim/keytable 2>/dev/null ||
-echo "$subdom._domainkey.$domain $domain:mail:/etc/postfix/dkim/mail.private" >> /etc/postfix/dkim/keytable
+echo "$subdom._domainkey.$domain $domain:$subdom:/etc/postfix/dkim/$subdom.private" >> /etc/postfix/dkim/keytable
 
 grep -q "$domain" /etc/postfix/dkim/signingtable 2>/dev/null ||
 echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable
@@ -272,7 +272,7 @@ for x in dovecot postfix opendkim spamassassin; do
 	service "$x" restart && printf " ...done\\n"
 done
 
-pval="$(tr -d "\n" </etc/postfix/dkim/mail.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o "p=.*")"
+pval="$(tr -d "\n" </etc/postfix/dkim/$subdom.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o "p=.*")"
 dkimentry="$subdom._domainkey.$domain	TXT	v=DKIM1; k=rsa; $pval"
 dmarcentry="_dmarc.$domain	TXT	v=DMARC1; p=none; rua=mailto:dmarc@$domain; fo=1"
 spfentry="@	TXT	v=spf1 mx a:$maildomain -all"

From 591d356dd200eca3ec6a976c7046cdb181cdb130 Mon Sep 17 00:00:00 2001
From: alpha-tango-kilo <atk@aaathats3as.com>
Date: Sun, 27 Sep 2020 11:47:39 +0100
Subject: [PATCH 3/3] Add extra troubleshooting, readability changes

---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 31846d6..d7deb5f 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@ same setup time and time again.
 I've linked this file on Github to a shorter, more memorable address on my
 website so you can get it on your machine with this short command:
 
-```
+```sh
 curl -LO lukesmith.xyz/emailwiz.sh
 ```
 
@@ -22,7 +22,7 @@ actually works perfectly.
 
 - **Postfix** to send and receive mail.
 - **Dovecot** to get mail to your email client (mutt, Thunderbird, etc).
-- Config files that unique the two above securely with native log-ins.
+- Config files that link the two above securely with native log-ins.
 - **Spamassassin** to prevent spam and allow you to make custom filters.
 - **OpenDKIM** to validate you so you can send to Gmail and other big sites.
 
@@ -104,7 +104,7 @@ email program. For my domain, the server information will be as follows:
 - SMTP port: 587
 - IMAP server: `mail.lukesmith.xyz`
 - IMAP port: 993
-- Username `luke` (I.e. *not* `luke@lukesmith.xyz`)
+- Username `luke` (i.e. *not* `luke@lukesmith.xyz`)
 
 The last point is important. Many email systems use a full email address on
 login. Since we just simply use local PAM logins, only the user's name is used
@@ -115,8 +115,6 @@ login. Since we just simply use local PAM logins, only the user's name is used
 
 You're a big boy now if you have your own mail server!
 
-You can tweak Postfix (sending mail
-
 ## Benefited from this?
 
 If this script or documentation has saved you some frustration, you can donate
@@ -135,3 +133,5 @@ to support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html).
   worry if you are: sometimes especially new domains are automatically assumed
   to be spam temporaily. If you are blacklisted by one of these, look into it
   and it will explain why and how to remove yourself.
+- Check your DNS settings using [this site](https://intodns.com/), it'll report any issues with your MX records
+- Ensure that port 25 is open on your server. [Vultr](https://www.vultr.com/docs/what-ports-are-blocked) for instance blocks this by default, you need to open a support ticket with them to open it. You can't send mail if 25 is blocked