7 Commits

Author | SHA1 | Message | Date
Luke Smith | 905ac6c7d4 | Merge pull request #344 from goatsrcool/emailwiz_update | 11 months ago
Goats! | 668aef1c73 | Reversed order of reject_sender_login_mismatch and permit_sasl_authenticated in sender restrictions (main.cf) | 11 months ago
Luke Smith | c0f20647d5 | Merge pull request #327 from bobafetthotmail/patch-2 | 1 year ago
Luke Smith | 3998323db0 | close #329, fix #337, close #326 | 1 year ago
Luke Smith | 8ce112c4d8 | Merge pull request #334 from alpernae/patch-2 | 1 year ago
Alperen | 770fe178d2 | fix: sanitize domain input to prevent command injection | 1 year ago
Alberto Bursi | d483bd46a1 | Add instructions for self-signed certs | 1 year ago
3 changed files with 44 additions and 8 deletions
  1. README.md (+31 -0)
  2. adddomain.sh (+12 -7)
  3. emailwiz.sh (+1 -1)

+31 -0 README.md

@@ -26,6 +26,7 @@ sizeable network of people with email servers thanks to this script.
- **Certbot** SSL certificates, if not already present.
- **fail2ban** to increase server security, with enabled modules for the above
programs.
- (optionally) **a self-signed certificate** instead of OpenDKIM and Certbot. This allows to quickly set up an isolated mail server that collects email notifications from devices in the same local network(s) or serves as secure/private messaging system over VPN.

## This script does _not_...
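Review bot: the new bullet says self-signed mode replaces OpenDKIM as well as Certbot but does not state the consequence: with OpenDKIM skipped, nothing the server sends carries a DKIM signature, which is part of why the later section warns that it cannot deliver to Gmail or Outlook. Suggest saying so in the bullet, e.g. "(no DKIM signing; only hosts that trust the certificate can exchange mail with it)". Minor grammar: "This allows to quickly set up" should read "This allows you to quickly set up".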

@@ -107,6 +108,36 @@ in the server, you could just install mutt, add `set spoolfile="+Inbox"` to
your `~/.muttrc` and use mutt to view and reply to mail. You'll probably want
to log in remotely though:

## Installing with self-signed certificate, in "isolated" mode

This mode skips the setup of OpenDKIM and Certbot, and will instead create a self-signed cert that lasts 100 years. It also allows to customize the logic country name, state/province name and organization name to generate the certificate automatically. An example usecase is for an isolated server that collects notifications from devices in the same local network(s) or serves as secure/private messaging system over VPN (wireguard or whatever).
This server with self-signed certificate as configured will NOT be able to send anything to public mail servers (Gmail, Outlook and so on), at least not directly.

open the script and change the following line
```
selfsigned="no" # yes no
```
to become
```
selfsigned="yes" # yes no
```
it's also possible to customize and automate the self-signed certificate creation
by changing the following lines in the script
```
use_cert_config="no"
```
to
```
use_cert_config="yes"
```

and then write country name, state/province name and organization name in the following lines
```
country_name="" # IT US UK IN etc etc
state_or_province_name=""
organization_name=""
```

## Logging in from email clients (Thunderbird/mutt/etc)

Let's say you want to access your mail with Thunderbird or mutt or another
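Review bot: in the first paragraph of the new "Installing with self-signed certificate" section, "customize the logic country name" is unclear (probably just "the country name"), and the section should say up front that a certificate valid for 100 years is never rotated and that every client on the LAN or VPN must be configured to trust it explicitly, since no public CA vouches for it. The `country_name` comment lists `UK` as an example, but the ISO 3166-1 alpha-2 code used in the certificate C= field is `GB`; a reader copying the example verbatim ends up with a nonstandard subject. Smaller points: "allows to customize" -> "allows you to customize", "usecase" -> "use case", "wireguard" -> "WireGuard", and the five code fences in this section have no language tag (`sh` would do).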


+12 -7 adddomain.sh

@@ -1,28 +1,33 @@
#!/bin/sh

domain="$1"
[ -z "$1" ] && exit

domain="$1"
# Input validation to allow only valid domain characters
if ! [[ "$domain" =~ ^[a-zA-Z0-9.-]+$ ]]; then
echo "Give a valid domain as an argument to add mail server for it. Only alphanumeric characters, dashes, and dots are allowed."
exit 1
fi

subdom="mail"
maildomain="mail.$(cat /etc/mailname)"

# Add the domain to the valid postfix addresses.
# Add the domain to the valid postfix addresses
grep -q "^mydestination.*$domain" /etc/postfix/main.cf ||
sed -i "s/^mydestination.*/&, $domain/" /etc/postfix/main.cf
sed -i "s/^mydestination.*/&, $domain/" /etc/postfix/main.cf

# Create DKIM for new domain.
# Create DKIM for the new domain
mkdir -p "/etc/postfix/dkim/$domain"
opendkim-genkey -D "/etc/postfix/dkim/$domain" -d "$domain" -s "$subdom"
chgrp -R opendkim /etc/postfix/dkim/*
chmod -R g+r /etc/postfix/dkim/*

# Add entries to keytable and signing table.
# Add entries to keytable and signing table
echo "$subdom._domainkey.$domain $domain:$subdom:/etc/postfix/dkim/$domain/$subdom.private" >> /etc/postfix/dkim/keytable
echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable

systemctl reload opendkim postfix

# Print out DKIM TXT entry.
# Print out DKIM TXT entry
pval="$(tr -d '\n' <"/etc/postfix/dkim/$domain/$subdom.txt" | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o 'p=.*')"

dkimentry="$subdom._domainkey.$domain TXT v=DKIM1; k=rsa; $pval"
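Review bot: the new validation at the top of adddomain.sh, `[[ "$domain" =~ ^[a-zA-Z0-9.-]+$ ]]`, is a bash extension but the script keeps its `#!/bin/sh` shebang; where /bin/sh is dash (Debian and Ubuntu, which this script targets) `[[` is not a builtin, the test fails for every input, and the script always prints the error and exits 1. Either change the shebang to `#!/bin/bash` or use a POSIX check such as
case "$domain" in ""|*[!A-Za-z0-9.-]*) echo "Give a valid domain as an argument..."; exit 1;; esac
The character class is the right fix for the `sed` and `echo` interpolations below, since it excludes `/`, `&`, `;`, quotes and whitespace, but it still admits `..` and leading dots or dashes, so `mkdir -p "/etc/postfix/dkim/$domain"` and `opendkim-genkey -D` would operate on a path outside the dkim directory for an argument like `..`; requiring at least one alphanumeric between dots and rejecting a leading `.` or `-` closes that. Also note that `[ -z "$1" ] && exit` still exits 0 on a missing argument while the new check exits 1; the two should agree.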


+1 -1 emailwiz.sh

@@ -160,7 +160,7 @@ postconf -e 'smtpd_sasl_path = private/auth'

# helo, sender, relay and recipient restrictions
postconf -e "smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre"
postconf -e 'smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain'
postconf -e 'smtpd_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, permit_mynetworks, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain'
postconf -e 'smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination'
postconf -e 'smtpd_helo_required = yes'
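Review bot: moving `reject_sender_login_mismatch` ahead of `permit_sasl_authenticated` in `smtpd_sender_restrictions` is the right fix: Postfix stops evaluating the list at the first permit, so with the old order any authenticated account could put another user's address in MAIL FROM and never reach the mismatch check. Two things to verify before merging: the check only applies to sender addresses that resolve through `smtpd_sender_login_maps` (`/etc/postfix/login_maps.pcre`), and adddomain.sh in this same change does not touch that file, so confirm the pcre pattern covers domains added later or authenticated users can still spoof addresses in them; and after `systemctl reload postfix`, authenticate as one user and send with another user's address, expecting `553 5.7.1 ... Sender address rejected: not owned by user`. The commit message could state the attack this closes, since "reversed order" alone does not tell a reader why the ordering matters.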

