264 lines
9.7 KiB

  1. #!/bin/sh
  2. # THE SETUP
  3. # - Mail will be stored in non-retarded Maildirs because it's $currentyear. This makes it easier for use with isync, which is what I care about so I can have an offline repo of mail.
  4. # - Mail boxes will be sensible: Inbox, Sent, Drafts, Archive, Junk, Trash
  5. # - Use the typical unix login system for mail users. Users will log into their email with their passnames on the server. No usage of a redundant mySQL database to do this.
  6. # BEFORE YOU RUN THIS
  7. # - Have a Debian system with a static IP and all that. Pretty much any default VPS offered by a company will have all the basic stuff you need. This script might run on Ubuntu as well. Haven't tried it.
  8. # - Have a Let's Encrypt SSL certificate for $maildomain. You might need one for $domain as well, but they're free with Let's Encypt so you should have them anyway.
  9. # - If you've been toying around with your server settings trying to get postfix/dovecot/etc. working before running this, I recommend you `apt purge` everything first because this script is build on top of only the defaults. Clearr out /etc/postfix and /etc/dovecot yourself if needbe.
  10. # On installation of Postfix, select "Internet Site" and put in TLD (without before it mail.)
  11. echo "Installing programs..."
  12. apt install postfix dovecot-imapd dovecot-sieve opendkim spamassassin spamc
  13. # Install another requirement for opendikm only if the above command didn't get it already
  14. [ which opendkim-genkey > /dev/null 2>&1 ] || apt install opendkim-tools
  15. domain="$(cat /etc/mailname)"
  16. subdom="mail"
  17. maildomain="$subdom.$domain"
  18. # NOTE ON POSTCONF COMMANDS
  19. # The `postconf` command literally just adds the line in question to /etc/postfix/main.cf so if you need to debug something, go there.
  20. # It replaces any other line that sets the same setting, otherwise it is appended to the end of the file.
  21. echo "Configuring Postfix's main.cf..."
  22. # Change the cert/key files to the default locations of the Let's Encrypt cert/key
  23. postconf -e "smtpd_tls_key_file=/etc/letsencrypt/live/$maildomain/privkey.pem"
  24. postconf -e "smtpd_tls_cert_file=/etc/letsencrypt/live/$maildomain/fullchain.pem"
  25. postconf -e "smtpd_use_tls = yes"
  26. postconf -e "smtpd_tls_auth_only = yes"
  27. postconf -e "smtp_tls_security_level = may"
  28. postconf -e "smtp_tls_loglevel = 1"
  29. postconf -e "smtp_tls_CAfile = /etc/letsencrypt/live/$maildomain/cert.pem"
  30. # Here we tell Postfix to look to Dovecot for authenticating users/passwords.
  31. # Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
  32. postconf -e "smtpd_sasl_auth_enable = yes"
  33. postconf -e "smtpd_sasl_type = dovecot"
  34. postconf -e "smtpd_sasl_path = private/auth"
  35. #postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination"
  36. # NOTE: the trailing slash here, or for any directory name in the home_mailbox command, is necessary as it distinguishes a maildir (which is the actual directories that what we want) from a spoolfile (which is what old unix boomers want and no one else).
  37. postconf -e "home_mailbox = Mail/Inbox/"
  38. # Research this one:
  39. #postconf -e "mailbox_command ="
  40. # master.cf
  41. echo "Configuring Postfix's master.cf..."
  42. sed -i "/^\s*-o/d;/^\s*submission/d;/^\s*smtp/d" /etc/postfix/master.cf
  43. echo "smtp unix - - n - - smtp
  44. smtp inet n - y - - smtpd
  45. -o content_filter=spamassassin
  46. submission inet n - y - - smtpd
  47. -o syslog_name=postfix/submission
  48. -o smtpd_tls_security_level=encrypt
  49. -o smtpd_sasl_auth_enable=yes
  50. -o smtpd_tls_auth_only=yes
  51. smtps inet n - y - - smtpd
  52. -o syslog_name=postfix/smtps
  53. -o smtpd_tls_wrappermode=yes
  54. -o smtpd_sasl_auth_enable=yes
  55. spamassassin unix - n n - - pipe
  56. user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f \${sender} \${recipient}" >> /etc/postfix/master.cf
  57. # By default, dovecot has a bunch of configs in /etc/dovecot/conf.d/
  58. # These files have nice documentation if you want to read it, but it's a huge pain to go through them to organize.
  59. # Instead, we simply overwrite /etc/dovecot/dovecot.conf because it's easier to manage. You can get a backup of the original in /usr/share/dovecot if you want.
  60. echo "Creating Dovecot config..."
  61. echo "# Dovecot config
  62. # Note that in the dovecot conf, you can use:
  63. # %u for username
  64. # %n for the name in name@domain.tld
  65. # %d for the domain
  66. # %h the user's home directory
  67. # If you're not a brainlet, SSL must be set to required.
  68. ssl = required
  69. ssl_cert = </etc/letsencrypt/live/$maildomain/fullchain.pem
  70. ssl_key = </etc/letsencrypt/live/$maildomain/privkey.pem
  71. # Plaintext login. This is safe and easy thanks to SSL.
  72. auth_mechanisms = plain login cram-md5
  73. protocols = \$protocols imap
  74. # Search for valid users in /etc/passwd
  75. userdb {
  76. driver = passwd
  77. }
  78. # Use file with cram-md5 hashed passwords to find user passwords
  79. passdb {
  80. driver = passwd-file
  81. args = scheme=cram-md5 /etc/cram-md5.pwd
  82. }
  83. #Fallback: Use plain old PAM to find user passwords
  84. passdb {
  85. driver = pam
  86. }
  87. # Our mail for each user will be in ~/Mail, and the inbox will be ~/Mail/Inbox
  88. # The LAYOUT option is also important because otherwise, the boxes will be \`.Sent\` instead of \`Sent\`.
  89. mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
  90. namespace inbox {
  91. inbox = yes
  92. mailbox Drafts {
  93. special_use = \\Drafts
  94. auto = subscribe
  95. }
  96. mailbox Junk {
  97. special_use = \\Junk
  98. auto = subscribe
  99. autoexpunge = 30d
  100. }
  101. mailbox Sent {
  102. special_use = \\Sent
  103. auto = subscribe
  104. }
  105. mailbox Trash {
  106. special_use = \\Trash
  107. }
  108. mailbox Archive {
  109. special_use = \\Archive
  110. }
  111. }
  112. # Here we let Postfix use Dovecot's authetication system.
  113. service auth {
  114. unix_listener /var/spool/postfix/private/auth {
  115. mode = 0660
  116. user = postfix
  117. group = postfix
  118. }
  119. }
  120. protocol lda {
  121. mail_plugins = \$mail_plugins sieve
  122. }
  123. protocol lmtp {
  124. mail_plugins = \$mail_plugins sieve
  125. }
  126. plugin {
  127. sieve = ~/.dovecot.sieve
  128. sieve_default = /var/lib/dovecot/sieve/default.sieve
  129. #sieve_global_path = /var/lib/dovecot/sieve/default.sieve
  130. sieve_dir = ~/.sieve
  131. sieve_global_dir = /var/lib/dovecot/sieve/
  132. }
  133. " > /etc/dovecot/dovecot.conf
  134. mkdir /var/lib/dovecot/sieve/
  135. echo "require [\"fileinto\", \"mailbox\"];
  136. if header :contains \"X-Spam-Flag\" \"YES\"
  137. {
  138. fileinto \"Junk\";
  139. }" > /var/lib/dovecot/sieve/default.sieve
  140. cut -d: -f1 /etc/passwd | grep ^vmail > /dev/null 2&>1 || useradd vmail
  141. chown -R vmail:vmail /var/lib/dovecot
  142. sievec /var/lib/dovecot/sieve/default.sieve
  143. echo "Preparing user authetication..."
  144. grep nullok /etc/pam.d/dovecot >/dev/null ||
  145. echo "auth required pam_unix.so nullok
  146. account required pam_unix.so" >> /etc/pam.d/dovecot
  147. # OpenDKIM
  148. # A lot of the big name email services, like Google, will automatically rejectmark as spam unfamiliar and unauthenticated email addresses. As in, the server will flattly reject the email, not even deliverring it to someone's Spam folder.
  149. # OpenDKIM is a way to authenticate your email so you can send to such services without a problem.
  150. # add opendkim-tools ?
  151. # Create an OpenDKIM key and put in in the proper place with proper permissions.
  152. echo "Generating OpenDKIM keys..."
  153. mkdir -p /etc/postfix/dkim
  154. opendkim-genkey -D /etc/postfix/dkim/ -d $ "$domain" -s "$subdom"
  155. chgrp opendkim /etc/postfix/dkim/*
  156. chmod g+r /etc/postfix/dkim/*
  157. # Generate the OpenDKIM info:
  158. echo "Configuring OpenDKIM..."
  159. grep "$domain" >/dev/null 2>&1 /etc/postfix/dkim/keytable ||
  160. echo "$subdom._domainkey.$domain $domain:mail:/etc/postfix/dkim/mail.private" >> /etc/postfix/dkim/keytable
  161. grep "$domain" >/dev/null 2>&1 /etc/postfix/dkim/signingtable ||
  162. echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable
  163. grep "127.0.0.1" >/dev/null 2>&1 /etc/postfix/dkim/trustedhosts ||
  164. echo "127.0.0.1
  165. 10.1.0.0/16
  166. 1.2.3.4/24" >> /etc/postfix/dkim/trustedhosts
  167. # ...and source it from opendkim.conf
  168. grep ^KeyTable /etc/opendkim.conf >/dev/null || echo "KeyTable file:/etc/postfix/dkim/keytable
  169. SigningTable refile:/etc/postfix/dkim/signingtable
  170. InternalHosts refile:/etc/postfix/dkim/trustedhosts" >> /etc/opendkim.conf
  171. sed -i '/^#Canonicalization/s/simple/relaxed\/simple/' /etc/opendkim.conf
  172. sed -i '/^#Canonicalization/s/^#//' /etc/opendkim.conf
  173. sed -e '/Socket/s/^#*/#/' -i /etc/opendkim.conf
  174. sed -i '/\local:\/var\/run\/opendkim\/opendkim.sock/a \Socket\t\t\tinet:12301@localhost' /etc/opendkim.conf
  175. # OpenDKIM daemon settings, removing previously activated socket.
  176. sed -i "/^SOCKET/d" /etc/default/opendkim && echo "SOCKET=\"inet:12301@localhost\"" >> /etc/default/opendkim
  177. # Here we add to postconf the needed settings for working with OpenDKIM
  178. echo "Configuring Postfix with OpenDKIM settings..."
  179. postconf -e "smtpd_sasl_security_options = noanonymous, noplaintext"
  180. postconf -e "smtpd_sasl_tls_security_options = noanonymous"
  181. postconf -e "myhostname = $maildomain"
  182. postconf -e "milter_default_action = accept"
  183. postconf -e "milter_protocol = 6"
  184. postconf -e "smtpd_milters = inet:localhost:12301"
  185. postconf -e "non_smtpd_milters = inet:localhost:12301"
  186. postconf -e "mailbox_command = /usr/lib/dovecot/deliver"
  187. echo "Restarting Dovecot..."
  188. service dovecot restart && echo "Dovecot restarted."
  189. echo "Restarting Postfix..."
  190. service postfix restart && echo "Postfix restarted."
  191. echo "Restarting OpenDKIM..."
  192. service opendkim restart && echo "OpenDKIM restarted."
  193. echo "Restarting Spam Assassin..."
  194. service spamassassin restart && echo "Spamassassin restarted."
  195. pval="$(tr -d "\n" </etc/postfix/dkim/mail.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o p=.*)"
  196. echo "Here is your TXT entry:"
  197. echo
  198. echo
  199. echo
  200. printf "Record Name\\tRecord Type\\tText of entry\\n"
  201. # the DKIM record is this one
  202. printf "%s._domainkey\\tTXT\\t\\tv=DKIM1; k=rsa; %s\\n" "$subdom" "$pval"
  203. # the SPF record is this one
  204. printf "%s\\tTXT\\t\\tv=spf1 mx a:%s -all\\n" "@" "$maildomain"
  205. echo
  206. echo
  207. echo "$pval"