path: root/postfix/postfix.sh

#!/bin/sh
#
# /etc/local-COMMON/postfix/postfix.sh
# Copyright 2002-2007 Jonas Smedegaard <dr@jones.dk>
#
# $Id: postfix.sh,v 1.76 2008-05-25 19:00:16 jonas Exp $
#
# Auto-tweak plain installed postfix Debian package
#
# TODO:
#  * Implement stuff from here: http://www.wsrcc.com/spam/
#  * Implement stuff from here: http://www.muine.org/~hoang/postfix.html
#  * Implement stuff from here: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
#  * Figure out a way to use chroot jail for TLS stuff.
#  * Use https://www.dnswl.org/

set -e

# Let's standardize sort
export LC_ALL=C

warn()  {
    echo >&2 "Warning: $1"
}

exit1() {
    echo >&2 "Error: $1"
    echo >&2 "Exiting..."
    exit 1
}

# Favor specific CA for our own server and client certificates
# (comment out to trust any CA)
#cacert_smtpd="/etc/ssl/certs/cacert.org.pem"
cacert_smtp=
cacert_lmtp=

# File containing all trusted CA certificates
# (comment out if no chroot or it contains all individual files)
cacert_default="/etc/ssl/certs/ca-certificates.crt"

realmsdir='/etc/local-REDPILL'
configdirs='/etc/local /etc/local-ORG /etc/local-REDPILL /etc/local-COMMON'
confdir='/etc/postfix'
postconf=/usr/sbin/postconf
sp='[[:space:]]'
pf23="$($postconf -d mail_version | grep -Po '= \K([3-9]|2\.([3-9]|1\d+))(\.[0-9])*$')"
if ! [ -d "$realmsdir" ]; then
    warn "Realms directory \"$realmsdir\" does not exist."
fi
#postgrey=
#if [ -x /usr/sbin/postgrey ]; then
#   # FIXME: Use this somehow, and only warn below
#   postgrey=1
#else
#   exit1 "ERROR: Greylisting support (Debian package postgrey) missing."
#fi
cyrus=
if [ -x /usr/sbin/saslauthd ]; then
    if saslauthd -v 2>&1 | grep -q '^saslauthd 2.1'; then
        cyrus=1
    else
        warn "Cyrus SASL too old - requires >= 2.1.1)."
    fi
else
    warn "Cyrus SASL missing - (Debian package sasl2-bin)."
fi
dovecot=
dovecot_deliver=
if [ -x /usr/sbin/dovecot ]; then
    dovecot=1
    if [ -x /usr/lib/dovecot/deliver ]; then
        dovecot_deliver=1
    else
        warn "Dovecot deliver missing."
    fi
else
    warn "Dovecot missing - (Debian package dovecot-core or dovecot)."
fi
sslcert=
if [ -f /etc/ssl/certs/postfix.pem ]; then
    sslcert=1
else
    warn "No TLS encryption - requires SSL certificate at /etc/ssl/certs/postfix.pem."
fi
sasl_main_type=
sasl_dovecot=
sasl_cyrus=
if [ -n "$sslcert" ]; then
    # FIXME: We really want to check for at least 2.1.1 but that's tricky...
    if [ -n "$cyrus" ]; then
        sasl_cyrus=1
        sasl_main_type=cyrus
    fi
    if [ -n "$dovecot" ]; then
        if [ -n "$pf23" ]; then
            sasl_dovecot=1
            sasl_main_type=dovecot
        else
            warn "No Dovecot SASL - requires postfix >= 2.3."
        fi
    fi
    if [ -z "$sasl_main_type" ]; then
        warn "No SASL authentication - requires Cyrus SASL or Dovecot."
    fi
else
    warn "No SASL authentication - requires TLS encryption."
fi
amavis=
default_amavis_maxproc=2
if [ -x /usr/sbin/amavisd ] || [ -x /usr/sbin/amavisd-new ]; then
    amavis=1
else
    warn "AMaViS missing (Debian package amavisd-new)."
fi
dkimproxy=
#dkimproxy_maxproc_in=5
# FIXME: update actual outgoing maxproc from /etc/default/dkimproxy (and /etc/dkimproxy/dkimproxy_out.conf too?)
dkimproxy_maxproc_out=5
if [ -x /usr/sbin/dkimproxy.in ]; then
    if [ "1" = "$amavis" ]; then
        dkimproxy=1
    else
        warn "No DKIM/Domainkey - requires DKIMproxy and AMaViS."
    fi
else
    warn "DKIMproxy missing (Debian package dkimproxy)."
fi

catfilefromownrealm() {
    set -e
    file="$1"
    [ -d "$realmsdir" ] || exit 0

    thisrealm="$(cat /etc/local-ORG/realm || dnsdomainname | tr '[a-z]' '[A-Z]')"

    cat "$realmsdir/$thisrealm/$file"
}

catallfilesfromotherrealms() {
    set -e
    file="$1"
    [ -d "$realmsdir" ] || exit 0
    [ -f "$realmsdir/realms" ] || exit 0

    realms="$(cat "$realmsdir/realms" | sed 's/#.*//')"
    thisrealm="$(cat /etc/local-ORG/realm || dnsdomainname | tr '[a-z]' '[A-Z]')"

    for realm in $realms; do
        if [ "$thisrealm" != "$realm" ]; then
            cat "$realmsdir/$realm/$file"
        fi
    done
}

catfirstfile() {
    set -e
    file="$1"
    context="${2:-postfix}"
    configdir=''
    for dir in $configdirs; do
        if [ -d "$dir/$context" ] && [ -f "$dir/$context/$file" ]; then
            configdir="$dir/$context"
            break
        fi
    done
    if [ -z "$configdir" ]; then
        exit1 "ERROR: file \"$file\" not found."
    fi
    cat "$configdir/$file"
}

# TODO: support quoted string, and trailing comment.
getperlvarfromfile() {
    set -e
    export var="$1"
    export default="$2"
    file="$3"
    context="${4:-postfix}"
    catfirstfile "$file" "$context" \
        | perl -nE'/^\$$ENV{"var"}\h*=\h*(\d+)/ and $s=$1; END {print length($s) ? $s : $ENV{'default'}}'
}

getlinesfromfile() {
    set -e
    param="$1"
    shift
    replacements=
    for subparam in $@; do
        case "$subparam" in
            *=)
            oldparam="`echo $subparam | awk -F= '{print $1}'`"
            replacements="$replacements;s/,*[^,]*$oldparam[^,]*,*/,/"
            continue
            ;;
            *=*=*)
            oldparam="`echo $subparam | awk -F= '{print $1}'`"
            newparam="`echo $subparam | awk -F= '{print $2}'`"
            newparamfile="`echo $subparam | awk -F= '{print $3}'`"
            ;;
            *)
            oldparam=$subparam
            newparam=$subparam
            newparamfile=$subparam
            ;;
        esac
        newparamvalues="`getlinesfromfile $newparamfile | sed -e 's/.*=[ ]*//' -e 's/,/ /g'`"
        newstring=
        for newparamvalue in $newparamvalues; do
            newstring="${newstring}$newparam $newparamvalue,"
        done
        replacements="$replacements;s/$oldparam/$newstring/"
    done
    echo -n "$param = "
    catfirstfile "$param" | sed 's/#.*//' | tr '\n' ',' | sed -e 's/^[,     ]*//;s/[,   ]\+/,/g' -e 's/\^/ /g' -e "s/,\$//$replacements"
}

addoroverwritewithindents() {
    set -e
    file="$1"
    export token="$2"
    # provide replacement as STDIN
    perl -0777 -pi \
        -E 'BEGIN{ $s=<STDIN>; chomp $s }'\
        -E 's/$ENV{"token"}.*(?:\n\h.*)+\n/$s/m and $seen=1;'\
        -E 'END{ unless ($seen) { print $s } }'\
        "$file"
}

postmapfiles=

tempdir="$(mktemp -td postfix.XXXXXX)"
cp -a -t "$tempdir" "$confdir"/*

# Inspired by D. J. Bernstein: http://cr.yp.to/smtp/greeting.html
$postconf -c "$tempdir" -e 'smtpd_banner = $myhostname NO UCE ESMTP $mail_name (Debian/GNU)'

# Some badly configured setup use hostname instead of FQDN
# Disable completely: Effective, but hurts executive type guys using windows servers... :-(
#if $postconf -c "$tempdir" myhostname | grep -q '\.'; then
#   $postconf -c "$tempdir" -e 'smtpd_helo_required = yes'
#fi
$postconf -c "$tempdir" -e 'smtpd_helo_required = no'
$postconf -c "$tempdir" -e "`getlinesfromfile permit_mx_backup_networks`"
$postconf -c "$tempdir" -e "maps_rbl_domains ="
$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_client_restrictions reject_rhsbl_client`"
$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_helo_restrictions`"
$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_sender_restrictions reject_rhsbl_sender ${dkimproxy:-sender_access_regex=}`"
$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_recipient_restrictions reject_maps_rbl=reject_rbl_client=maps_rbl_domains`"
$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_data_restrictions`"

# FIXME: clear only specific line (not whole file) when dkimproxy unused
if [ -f "$tempdir/sender_access_regex" ]; then
    if [ -n "$dkimproxy" ]; then
        grep -q -F '/^/  FILTER dkimsign:[127.0.0.1]:10026' "$tempdir/sender_access_regex" \
        || echo '/^/  FILTER dkimsign:[127.0.0.1]:10026' >> "$tempdir/sender_access_regex"
    else
        if grep -q -F '/^/  FILTER dkimsign:[127.0.0.1]:10026' "$tempdir/sender_access_regex"; then
            echo "echo '' > \"$confdir/sender_access_regex\"" >> "$tempdir/COMMANDS"
            rm "$tempdir/sender_access_regex"
        fi
    fi
    postmapfiles="$postmapfiles sender_access_regex"
fi

# Support exceptions to default response
# (Day Old Bread (dob) lists need to reject only temporarily)
$postconf -c "$tempdir" -e "rbl_reply_maps = hash:$confdir/rbl_reply_map"
cat /etc/local-COMMON/postfix/rbl_reply_map \
    | sed 's/#.*//' \
    > "$tempdir/rbl_reply_map"
postmapfiles="$postmapfiles rbl_reply_map"

# Verify senders of common suspicious and known verifiable domains
# (exclude verification of postmaster@ to not verify verification probes)
# (add own domains before peers for (rare) cases of duplicates)
# FIXME: somehow do this step only if enabled in smtpd_sender_restrictions
# TODO: Properly implement exception exclusion like yahoo (which does not want to be checked any longer!)
cat /etc/local-COMMON/postfix/maildomains | grep -v yahoo | sort | sed 's/$/    reject_unverified_sender/' > "$tempdir/sender_access"
( catfilefromownrealm maildomains | sort; catallfilesfromotherrealms maildomains | sort ) \
    | sed 's/\(.*\)$/postmaster@\1  permit\n\1  reject_unverified_sender/' >> "$tempdir/sender_access"
[ ! -f "$tempdir/sender_access.addon" ] || cat "$tempdir/sender_access.addon" >> "$tempdir/sender_access"
postmapfiles="$postmapfiles sender_access"
$postconf -c "$tempdir" -e "unverified_sender_reject_code = 550"

# Trust recipient verification too
$postconf -c "$tempdir" -e "unverified_recipient_reject_code = 550"

if [ -n "$dovecot_deliver" ]; then
    $postconf -c "$tempdir" -e mailbox_command=/usr/lib/dovecot/deliver
fi
if [ -n "$sasl_cyrus" ]; then
    saslsubdir="sasl"
    mkdir -p "$tempdir/$saslsubdir"
    echo 'mech_list: plain login' > "$tempdir/$saslsubdir/smtpd.conf"
    echo 'minimum_layer: 0' >> "$tempdir/$saslsubdir/smtpd.conf"
    echo 'sasl_pwcheck_method: saslauthd' >> "$tempdir/$saslsubdir/smtpd.conf"
    echo 'auto_transition: false' >> "$tempdir/$saslsubdir/smtpd.conf"
    groups postfix | grep -q sasl || echo "adduser postfix sasl" >> "$tempdir/COMMANDS"
    # Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy)
    sed --in-place \
        -e "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \
        -e "s/^#\?\(\(smtps\|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \
        -e "s/^#\(tlsmgr$sp\)/\1/" \
        "$tempdir/master.cf"
    addoroverwritewithindents $tempdir/master.cf '^tlsmgr\h' << EOF
tlsmgr  unix    -   -   -   300 1   tlsmgr
EOF
fi
case "$sasl_main_type" in
  '')   ;;
  dovecot)
    $postconf -c "$tempdir" -e smtpd_sasl_type=dovecot
    $postconf -c "$tempdir" -e smtpd_sasl_path=private/auth
    ;;
  cyrus)
    $postconf -c "$tempdir" -e smtpd_sasl_type=cyrus
    [ -z "$pf23" ] || $postconf -c "$tempdir" -e smtpd_sasl_path=smtpd
    [ -n "$pf23" ] || $postconf -c "$tempdir" -e smtpd_sasl_application_name=smtpd
    ;;
  *) exit1 "ERROR: Wrong SASL type \"$sasl_main_type\"!";;
esac
# Avoid smtpd_tls_CApath or smtpd_tls_CAfile to trick outlook.com
# See <http://postfix.1071664.n5.nabble.com/Problems-with-incoming-mails-from-outlook-com-td78356.html>
if [ -n "$sslcert" ]; then
    $postconf -c "$tempdir" -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem'
    $postconf -c "$tempdir" -e 'smtpd_tls_loglevel = 1'
    $postconf -c "$tempdir" -e 'smtpd_use_tls = yes'
    $postconf -c "$tempdir" -e 'smtp_tls_CApath = /etc/ssl/certs'
    $postconf -c "$tempdir" -e 'smtpd_tls_CApath = '
    $postconf -c "$tempdir" -e 'lmtp_tls_CApath = /etc/ssl/certs'
    $postconf -c "$tempdir" -e 'smtpd_tls_CAfile = '
    $postconf -c "$tempdir" -e smtp_tls_CAfile="${cacert_smtp:-$cacert_default}"
    $postconf -c "$tempdir" -e lmtp_tls_CAfile="${cacert_lmtp:-$cacert_default}"
    $postconf -c "$tempdir" -e 'smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache'
    $postconf -c "$tempdir" -e 'smtpd_tls_session_cache_timeout = 3600s'
    $postconf -c "$tempdir" -e 'tls_random_exchange_name = ${data_directory}/prng_exch'
    $postconf -c "$tempdir" -e 'smtpd_tls_auth_only = yes'
    $postconf -c "$tempdir" -e 'smtpd_sasl_auth_enable = no' # SASL is enabled explicitly with TLS transport
    $postconf -c "$tempdir" -e 'smtpd_sasl_security_options = noanonymous'
    $postconf -c "$tempdir" -e 'smtpd_sasl_local_domain = '
    $postconf -c "$tempdir" -e 'smtpd_tls_received_header = yes'
    $postconf -c "$tempdir" -e 'broken_sasl_auth_clients = yes'
    $postconf -c "$tempdir" -e 'tls_random_source = dev:/dev/urandom'
    # Accepting client certificates breaks SMTP AUTH on OutLook Express on Mac (Classic)
    $postconf -c "$tempdir" -e 'smtpd_tls_ask_ccert = no'
    if [ -e /etc/ssl/private/postfix.pem ]; then
        $postconf -c "$tempdir" -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem'
        # Enable client side TLS only when private certificate is present
        $postconf -c "$tempdir" -e 'smtp_tls_cert_file = /etc/ssl/certs/postfix.pem'
        $postconf -c "$tempdir" -e 'smtp_tls_key_file = /etc/ssl/private/postfix.pem'
        $postconf -c "$tempdir" -e 'smtp_tls_loglevel = 1'
        $postconf -c "$tempdir" -e 'smtp_use_tls = yes'
        $postconf -c "$tempdir" -e 'smtp_tls_note_starttls_offer = no' # Enable to collect info for smtp_tls_per_site option
        $postconf -c "$tempdir" -e 'smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache'
        # Force using TLS for peers
        catallfilesfromotherrealms mailhost | sort | sed 's/^/[/;s/$/]:submission   secure/' > "$tempdir/tls_policy"
        [ ! -f "$tempdir/tls_policy.addon" ] || cat "$tempdir/tls_policy.addon" >> "$tempdir/tls_policy"
        postmapfiles="$postmapfiles tls_policy"
        $postconf -c "$tempdir" -e "smtp_tls_policy_maps = hash:$confdir/tls_policy"
    else
        $postconf -c "$tempdir" -e 'smtp_use_tls = no'
        warn "No client-side TLS - requires private SSL certificate at /etc/ssl/private/postfix.pem."
    fi
fi

if [ -n "$amavis" ]; then
    $postconf -c "$tempdir" -e 'max_use = 10' # Avoid too much reuse
    amavis_maxproc=$(getperlvarfromfile max_servers "$default_amavis_maxproc" amavisd.conf.addon amavis)
    addoroverwritewithindents $tempdir/master.cf '^smtp-amavis\h' << EOF
smtp-amavis unix -  -   n   -   $amavis_maxproc smtp
    -o smtp_data_done_timeout=1200s
    -o smtp_never_send_ehlo=yes
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
EOF
    addoroverwritewithindents $tempdir/master.cf '^127.0.0.1:10025\h' << EOF
127.0.0.1:10025 inet n  -   n   -   -   smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
EOF
    if [ -n "$dkimproxy" ]; then
        $postconf -c "$tempdir" -e 'content_filter = smtp-amavis:[127.0.0.1]:10028'
        addoroverwritewithindents $tempdir/master.cf '^submission\h' << EOF
submission inet n   -   n   -   -   smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o content_filter=dkimsign:[127.0.0.1]:10028
EOF
        addoroverwritewithindents $tempdir/master.cf '^pickup\h' << EOF
pickup  fifo    n   -   -   60  1   pickup
    -o content_filter=dkimsign:127.0.0.1:10028
EOF
        addoroverwritewithindents $tempdir/master.cf '^dkimsign\h' << EOF
dkimsign unix   -   -   n   -   $dkimproxy_maxproc_out  smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls
EOF
        addoroverwritewithindents $tempdir/master.cf '^127\.0\.0\.1:10029\h' << EOF
127.0.0.1:10029 inet n  -   n   -   -   smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
EOF
    else
        $postconf -c "$tempdir" -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'
        addoroverwritewithindents $tempdir/master.cf '^submission\h' << EOF
submission inet n   -   n   -   -   smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_local_domain=\$mydomain
EOF
        addoroverwritewithindents $tempdir/master.cf '^pickup\h' << EOF
pickup  fifo    n   -   -   60  1   pickup
EOF
    fi
fi

diff -ruN "$confdir" "$tempdir" || if [ $? -gt 1 ]; then exit $?; else needs_reload="1"; fi

if [ "$force" = "1" ]; then
    do_update="y"
elif [ "1" = "$needs_reload" ]; then
    echo -n "Above is the intended changes. OK to update (y/N)? "
    read do_update
fi
case $do_update in
    y|Y)
    if [ -f "$tempdir/COMMANDS" ]; then
        cat "$tempdir/COMMANDS" | sh -s
    fi
    rm -f "$tempdir/COMMANDS"

    diff -q "$confdir/master.cf" "$tempdir/master.cf" || if [ $? -gt 1 ]; then exit $?; else needs_restart="1"; fi

    cp -a -f -t "$confdir" "$tempdir"/*
    rm -rf "$tempdir"

    for file in $postmapfiles; do
        postmap "$confdir/$file"
    done

    if [ "1" = "$needs_restart" ]; then
        invoke-rc.d postfix restart
    else
        invoke-rc.d postfix force-reload
    fi

    if [ "1" = "$needs_reload" ]; then
        echo >&2 "Changes applied!"
    fi
    ;;
    *)
    if [ "1" = "$needs_reload" ]; then
        exit1 "Aborted!"
    fi
    ;;
esac

if [ "1" != "$needs_reload" ]; then
    echo >&2 "No changes needed!"
fi

# Based on this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
# Support for trusted MX backup networks added
# PCRE stuff avoided, as PCRE is only optional on newest Debian packages
# RBLs replaced with those recommended by http://www.antispews.org/
# AMaViS tweaks as documented in amavisd-new package
# AUTH-SMTP based on these:
#   http://lists.q-linux.com/pipermail/plug/2003-July/029503.html
#   http://www.porcupine.org/postfix-mirror/newdoc/SASL_README.html

# Here's a convenient overview of different blackholes:
#   http://rbls.org/