From c518fb042889a1e81331405237bd5bdd52f9708c Mon Sep 17 00:00:00 2001
From: mqr10 <unknown@example.com>
Date: Sat, 4 Jul 2020 16:14:30 +0200
Subject: [PATCH 1/4] force minimum TLS1.2 connections, disable weak
 ciphersuites

---
 emailwiz.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/emailwiz.sh b/emailwiz.sh
index a4750e4..725dfab 100755
--- a/emailwiz.sh
+++ b/emailwiz.sh
@@ -65,6 +65,14 @@ postconf -e "smtpd_tls_auth_only = yes"
 postconf -e "smtp_tls_security_level = may"
 postconf -e "smtp_tls_loglevel = 1"
 postconf -e "smtp_tls_CAfile=$certdir/cert.pem"
+postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "tls_preempt_cipherlist = yes"
+postconf -e "smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
+                            DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,
+                            RSA+AES, eNULL"
 
 # Here we tell Postfix to look to Dovecot for authenticating users/passwords.
 # Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
@@ -126,6 +134,9 @@ echo "# Dovecot config
 ssl = required
 ssl_cert = <$certdir/fullchain.pem
 ssl_key = <$certdir/privkey.pem
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH
+ssl_prefer_server_ciphers = yes
 # Plaintext login. This is safe and easy thanks to SSL.
 auth_mechanisms = plain login
 

From 30fd2d5d8d71825fb1bbbe4fc9ca01aebcd0f093 Mon Sep 17 00:00:00 2001
From: Darnell Andries <darnell@andries.ca>
Date: Tue, 21 Jul 2020 14:23:38 -0700
Subject: [PATCH 2/4] Fixes for custom subdomain names

---
 emailwiz.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/emailwiz.sh b/emailwiz.sh
index af3ff66..f05d8ef 100755
--- a/emailwiz.sh
+++ b/emailwiz.sh
@@ -38,7 +38,7 @@ apt install postfix dovecot-imapd dovecot-sieve opendkim spamassassin spamc
 # Check if OpenDKIM is installed and install it if not.
 which opendkim-genkey >/dev/null 2>&1 || apt install opendkim-tools
 domain="$(cat /etc/mailname)"
-subdom="mail"
+subdom=${MAIL_SUBDOM:-mail}
 maildomain="$subdom.$domain"
 certdir="/etc/letsencrypt/live/$maildomain"
 
@@ -232,7 +232,7 @@ chmod g+r /etc/postfix/dkim/*
 # Generate the OpenDKIM info:
 echo "Configuring OpenDKIM..."
 grep -q "$domain" /etc/postfix/dkim/keytable 2>/dev/null ||
-echo "$subdom._domainkey.$domain $domain:mail:/etc/postfix/dkim/mail.private" >> /etc/postfix/dkim/keytable
+echo "$subdom._domainkey.$domain $domain:$subdom:/etc/postfix/dkim/$subdom.private" >> /etc/postfix/dkim/keytable
 
 grep -q "$domain" /etc/postfix/dkim/signingtable 2>/dev/null ||
 echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable
@@ -272,7 +272,7 @@ for x in dovecot postfix opendkim spamassassin; do
 	service "$x" restart && printf " ...done\\n"
 done
 
-pval="$(tr -d "\n" </etc/postfix/dkim/mail.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o "p=.*")"
+pval="$(tr -d "\n" </etc/postfix/dkim/$subdom.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o "p=.*")"
 dkimentry="$subdom._domainkey.$domain	TXT	v=DKIM1; k=rsa; $pval"
 dmarcentry="_dmarc.$domain	TXT	v=DMARC1; p=none; rua=mailto:dmarc@$domain; fo=1"
 spfentry="@	TXT	v=spf1 mx a:$maildomain -all"

From 591d356dd200eca3ec6a976c7046cdb181cdb130 Mon Sep 17 00:00:00 2001
From: alpha-tango-kilo <atk@aaathats3as.com>
Date: Sun, 27 Sep 2020 11:47:39 +0100
Subject: [PATCH 3/4] Add extra troubleshooting, readability changes

---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 31846d6..d7deb5f 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@ same setup time and time again.
 I've linked this file on Github to a shorter, more memorable address on my
 website so you can get it on your machine with this short command:
 
-```
+```sh
 curl -LO lukesmith.xyz/emailwiz.sh
 ```
 
@@ -22,7 +22,7 @@ actually works perfectly.
 
 - **Postfix** to send and receive mail.
 - **Dovecot** to get mail to your email client (mutt, Thunderbird, etc).
-- Config files that unique the two above securely with native log-ins.
+- Config files that link the two above securely with native log-ins.
 - **Spamassassin** to prevent spam and allow you to make custom filters.
 - **OpenDKIM** to validate you so you can send to Gmail and other big sites.
 
@@ -104,7 +104,7 @@ email program. For my domain, the server information will be as follows:
 - SMTP port: 587
 - IMAP server: `mail.lukesmith.xyz`
 - IMAP port: 993
-- Username `luke` (I.e. *not* `luke@lukesmith.xyz`)
+- Username `luke` (i.e. *not* `luke@lukesmith.xyz`)
 
 The last point is important. Many email systems use a full email address on
 login. Since we just simply use local PAM logins, only the user's name is used
@@ -115,8 +115,6 @@ login. Since we just simply use local PAM logins, only the user's name is used
 
 You're a big boy now if you have your own mail server!
 
-You can tweak Postfix (sending mail
-
 ## Benefited from this?
 
 If this script or documentation has saved you some frustration, you can donate
@@ -135,3 +133,5 @@ to support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html).
   worry if you are: sometimes especially new domains are automatically assumed
   to be spam temporaily. If you are blacklisted by one of these, look into it
   and it will explain why and how to remove yourself.
+- Check your DNS settings using [this site](https://intodns.com/), it'll report any issues with your MX records
+- Ensure that port 25 is open on your server. [Vultr](https://www.vultr.com/docs/what-ports-are-blocked) for instance blocks this by default, you need to open a support ticket with them to open it. You can't send mail if 25 is blocked

From 1ab9f432df8912e26677935e4d4a26cf278f6a6c Mon Sep 17 00:00:00 2001
From: Luke Smith <luke@lukesmith.xyz>
Date: Sat, 14 Nov 2020 14:18:50 -0500
Subject: [PATCH 4/4] log in with full email addr instead of username
 documentation changes

---
 README.md   | 42 +++++++++++++++++-------------------------
 emailwiz.sh |  2 +-
 2 files changed, 18 insertions(+), 26 deletions(-)

diff --git a/README.md b/README.md
index 228430c..191588a 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # Email server setup script
 
-I wrote this script during the gruelling process of installing and setting up
+I wrote this script during the grueling process of installing and setting up
 an email server.  It perfectly reproduces my successful steps to ensure the
 same setup time and time again.
 
@@ -14,14 +14,10 @@ curl -LO lukesmith.xyz/emailwiz.sh
 When prompted by a dialog menu at the beginning, select "Internet Site", then
 give your full domain without any subdomain, i.e. `lukesmith.xyz`.
 
-Read this readme and peruse the script's comments before running it.  Expect it
-to fail and you have to do bug testing and you will be very happy when it
-actually works perfectly.
-
 ## This script installs
 
 - **Postfix** to send and receive mail.
-- **Dovecot** to get mail to your email client (mutt, Thunderbird, etc).
+- **Dovecot** to get mail to your email client (mutt, Thunderbird, etc.).
 - Config files that unique the two above securely with native log-ins.
 - **Spamassassin** to prevent spam and allow you to make custom filters.
 - **OpenDKIM** to validate you so you can send to Gmail and other big sites.
@@ -50,19 +46,19 @@ actually works perfectly.
    server: (1) an **MX record** pointing to your own main domain/IP and (2) a
    **CNAME record** for your `mail.` subdomain.
 4. **A Reverse DNS entry for your site.** Go to your VPS settings and add an
-   entry for your IPV4 Reverse DNS that goes from your IP address to
-   `<yourdomain.com>` (not mail subdomain). If you would like IPV6, you can do 
+   entry for your IPv4 Reverse DNS that goes from your IP address to
+   `<yourdomain.com>` (not mail subdomain). If you would like IPv6, you can do
    the same for that. This has been tested on Vultr, and all decent VPS hosts
-   will have a section on their instance settings page to add a reverse DNS PTR 
+   will have a section on their instance settings page to add a reverse DNS PTR
    entry.
    You can use the 'Test Email Server' or ':smtp' tool on
    [mxtoolbox](https://mxtoolbox.com/SuperTool.aspx) to test if you set up
    a reverse DNS correctly. This step is not required for everyone, but some
-   big email services like gmail will stop emails coming from mail servers
+   big email services like Gmail will stop emails coming from mail servers
    with no/invalid rDNS lookups. This means your email will fail to even
-   make it to the receipients spam folder; it will never make it to them.
+   make it to the recipients spam folder; it will never make it to them.
 5. `apt purge` all your previous (failed) attempts to install and configure a
-   mailserver. Get rid of _all_ your system settings for Postfix, Dovecot,
+   mail server. Get rid of _all_ your system settings for Postfix, Dovecot,
    OpenDKIM and everything else. This script builds off of a fresh install.
 6. Some VPS providers block port 25 (used to send mail). You may need to
    request that this port be opened to send mail successfully. Although I have
@@ -105,27 +101,23 @@ email program. For my domain, the server information will be as follows:
 - SMTP port: 587
 - IMAP server: `mail.lukesmith.xyz`
 - IMAP port: 993
-- Username `luke` (I.e. *not* `luke@lukesmith.xyz`)
-
-The last point is important. Many email systems use a full email address on
-login. Since we just simply use local PAM logins, only the user's name is used
-(this makes a difference if you're using my
-[mutt-wizard](https://github.com/lukesmithxyz/mutt-wizard), etc.).
-
-## Tweaking things
-
-You're a big boy now if you have your own mail server!
 
-You can tweak Postfix (sending mail
+In previous versions of emailwiz, you also had to log on with *only* your
+username (i.e. `luke`) rather than your whole email address (i.e.
+`luke@lukesmith.xyz`), which caused some confusion.  This is no longer the
+case.
 
 ## Benefited from this?
 
-If this script or documentation has saved you some frustration, you can donate
-to support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html).
+I am always glad to hear this script is still making life easy for people!  If
+this script or documentation has saved you some frustration, you can donate to
+support me at [lukesmith.xyz/donate](https://lukesmith.xyz/donate.html).
 
 ## Troubleshooting -- Can't send mail?
 
 - Always check `journalctl -xe` to see the specific problem.
+- Check with your VPS host and ask them to enable mail ports. Some providers
+  disable them by default. It shouldn't take any time.
 - Go to [this site](https://appmaildev.com/en/dkim) to test your TXT records.
   If your DKIM, SPF or DMARC tests fail you probably copied in the TXT records
   incorrectly.
diff --git a/emailwiz.sh b/emailwiz.sh
index 837ea1c..20685ea 100755
--- a/emailwiz.sh
+++ b/emailwiz.sh
@@ -130,6 +130,7 @@ ssl_key = <$certdir/privkey.pem
 ssl_dh = </usr/share/dovecot/dh.pem
 # Plaintext login. This is safe and easy thanks to SSL.
 auth_mechanisms = plain login
+auth_username_format = %n
 
 protocols = \$protocols imap
 
@@ -286,7 +287,6 @@ $dmarcentry
 $spfentry" > "$HOME/dns_emailwizard"
 
 echo "
-
  _   _
 | \ | | _____      ___
 |  \| |/ _ \ \ /\ / (_)