Merge pull request #344 from goatsrcool/emailwiz_update

Swap restriction order in main.cf to catch sender login mismatch

README.md

@@ -26,6 +26,7 @@ sizeable network of people with email servers thanks to this script.
 - **Certbot** SSL certificates, if not already present.
 - **fail2ban** to increase server security, with enabled modules for the above
   programs.
+- (optionally) **a self-signed certificate** instead of OpenDKIM and Certbot. This allows to quickly set up an isolated mail server that collects email notifications from devices in the same local network(s) or serves as secure/private messaging system over VPN.
 
 ## This script does _not_...
 
@@ -107,6 +108,36 @@ in the server, you could just install mutt, add `set spoolfile="+Inbox"` to
 your `~/.muttrc` and use mutt to view and reply to mail. You'll probably want
 to log in remotely though:
 
+## Installing with self-signed certificate, in "isolated" mode
+
+This mode skips the setup of OpenDKIM and Certbot, and will instead create a self-signed cert that lasts 100 years. It also allows to customize the logic country name, state/province name and organization name to generate the certificate automatically. An example usecase is for an isolated server that collects notifications from devices in the same local network(s) or serves as secure/private messaging system over VPN (wireguard or whatever).
+This server with self-signed certificate as configured will NOT be able to send anything to public mail servers (Gmail, Outlook and so on), at least not directly.
+
+open the script and change the following line 
+```
+selfsigned="no" # yes no
+```
+to become 
+```
+selfsigned="yes" # yes no
+```
+it's also possible to customize and automate the self-signed certificate creation
+by changing the following lines in the script 
+```
+use_cert_config="no"
+```
+to
+```
+use_cert_config="yes"
+```
+
+and then write country name, state/province name and organization name in the following lines
+```
+country_name="" # IT US UK IN etc etc
+state_or_province_name=""
+organization_name=""
+```
+
 ## Logging in from email clients (Thunderbird/mutt/etc)
 
 Let's say you want to access your mail with Thunderbird or mutt or another

adddomain.sh

@@ -1,28 +1,33 @@
 #!/bin/sh
 
 domain="$1"
-[ -z "$1" ] && exit
 
-domain="$1"
+# Input validation to allow only valid domain characters
+if ! [[ "$domain" =~ ^[a-zA-Z0-9.-]+$ ]]; then
+    echo "Give a valid domain as an argument to add mail server for it. Only alphanumeric characters, dashes, and dots are allowed."
+    exit 1
+fi
+
 subdom="mail"
+maildomain="mail.$(cat /etc/mailname)"
 
-# Add the domain to the valid postfix addresses.
+# Add the domain to the valid postfix addresses
 grep -q "^mydestination.*$domain" /etc/postfix/main.cf ||
-	sed -i "s/^mydestination.*/&, $domain/" /etc/postfix/main.cf
+    sed -i "s/^mydestination.*/&, $domain/" /etc/postfix/main.cf
 
-# Create DKIM for new domain.
+# Create DKIM for the new domain
 mkdir -p "/etc/postfix/dkim/$domain"
 opendkim-genkey -D "/etc/postfix/dkim/$domain" -d "$domain" -s "$subdom"
 chgrp -R opendkim /etc/postfix/dkim/*
 chmod -R g+r /etc/postfix/dkim/*
 
-# Add entries to keytable and signing table.
+# Add entries to keytable and signing table
 echo "$subdom._domainkey.$domain $domain:$subdom:/etc/postfix/dkim/$domain/$subdom.private" >> /etc/postfix/dkim/keytable
 echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable
 
 systemctl reload opendkim postfix
 
-# Print out DKIM TXT entry.
+# Print out DKIM TXT entry
 pval="$(tr -d '\n' <"/etc/postfix/dkim/$domain/$subdom.txt" | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o 'p=.*')"
 
 dkimentry="$subdom._domainkey.$domain	TXT	v=DKIM1; k=rsa; $pval"

emailwiz.sh

@@ -160,7 +160,7 @@ postconf -e 'smtpd_sasl_path = private/auth'
 
 # helo, sender, relay and recipient restrictions
 postconf -e "smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre"
-postconf -e 'smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain'
+postconf -e 'smtpd_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, permit_mynetworks, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain'
 postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain'
 postconf -e 'smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination'
 postconf -e 'smtpd_helo_required = yes'