diff options
| author | Jonas Smedegaard <dr@jones.dk> | 2002-12-31 05:27:24 +0000 |
|---|---|---|
| committer | Jonas Smedegaard <dr@jones.dk> | 2002-12-31 05:27:24 +0000 |
| commit | 733e3991ac90d4e036027047ac7cc1a33770ef76 (patch) | |
| tree | 650b08418d826187db4fbb65f5e8d12fd33ce6dc /postfix/anti-uce.sh | |
| parent | 88309022fae1c882328552313e71135b3af29940 (diff) | |
Rename anti-uce.sh to the more general postfix.sh.
Diffstat (limited to 'postfix/anti-uce.sh')
| -rwxr-xr-x | postfix/anti-uce.sh | 87 |
1 files changed, 0 insertions, 87 deletions
diff --git a/postfix/anti-uce.sh b/postfix/anti-uce.sh deleted file mode 100755 index d7fab85..0000000 --- a/postfix/anti-uce.sh +++ /dev/null @@ -1,87 +0,0 @@ -#!/bin/bash - -set -e - -paramdir='/etc/local-COMMON/postfix' -confdir='/etc/postfix' -sp='[[:space:]]' - -function getlinesfromfile() { - param="$1" - echo -n "$param = " - cat $paramdir/$param | grep -v '^#' | sed 's/#.*//' | tr '\n' ',' | sed -e 's/^[, ]*//' -e 's/[, ]\+/,/g' -e 's/,$//' -} - -# Some badly configured setup use hostname instead of FQDN -if postconf myhostname | grep '.' &> /dev/null; then - postconf -e 'smtpd_helo_required = yes' -fi -postconf -e "`getlinesfromfile permit_mx_backup_networks`" -postconf -e "`getlinesfromfile maps_rbl_domains`" -postconf -e "`getlinesfromfile smtpd_recipient_restrictions`" - -# TLS breaks postfix if no SASL modules available (and doesn't make sense either) -# (change the test if using some other modules and avoid the plain ones) -if dpkg -L libsasl-modules-plain &> /dev/null && [ -f /etc/ssl/certs/postfix.pem ]; then - mkdir -p $confdir/sasl - echo 'pwcheck_method: pam' >$confdir/sasl/smtpd.conf - echo 'auto_transition: false' >>$confdir/sasl/smtpd.conf - groups postfix | grep shadow &>/dev/null || adduser postfix shadow - # Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy) - cp -a $confdir/master.cf $confdir/master.cf.old - cat $confdir/master.cf.old | sed \ - -e "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \ - -e "s/^#\?\(\(smtps\|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \ - -e "s/^#\(tlsmgr$sp\)/\1/" \ - > $confdir/master.cf - cat $confdir/master.cf | egrep "^tlsmgr$sp" > /dev/null || \ - echo 'tlsmgr fifo - - - 300 1 tlsmgr' >> $confdir/master.cf - postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem' - if [ -f /etc/ssl/private/postfix.pem ]; then - postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem' - fi - postconf -e 'smtpd_tls_loglevel = 1' - postconf -e 'smtpd_use_tls = yes' - postconf -e 'smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache' - postconf -e 'smtpd_tls_auth_only = yes' - postconf -e 'smtpd_sasl_auth_enable = no' - postconf -e 'smtpd_sasl_security_options = noanonymous' - postconf -e 'smtpd_sasl_local_domain = $myhostname' - postconf -e 'smtpd_tls_received_header = yes' - postconf -e 'broken_sasl_auth_clients = yes' - postconf -e 'tls_random_source = dev:/dev/urandom' - postconf -e 'tls_daemon_random_source = dev:/dev/urandom' - # Check if using a proper key exists (not just a self-signed one) - # (it is assumed that a CA certificate is made public if used!) - if [ -f /etc/ssl/certs/cacert.pem ]; then - postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem' - postconf -e 'smtp_tls_CAfile = $smtpd_tls_CAfile' - postconf -e 'smtp_tls_cert_file = /etc/ssl/certs/postfix.pem' - # Client side TLS only makes sense if a publicly available certificate is available - # (and DON'T publish a self-signed certificate!) - if [ -f /etc/ssl/private/postfix.pem ]; then - postconf -e 'smtp_tls_key_file = $smtpd_tls_key_file' - fi - postconf -e 'smtp_tls_loglevel = 1' - postconf -e 'smtp_use_tls = yes' - postconf -e 'smtp_tls_CApath = /etc/ssl/certs' - postconf -e 'smtp_tls_note_starttls_offer = yes' # Useful when collecting info for smtp_tls_per_site option - postconf -e 'smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache' - # This makes Netscape ask for a certificate, so make sure it IS public! - postconf -e 'smtpd_tls_ask_ccert = yes' - fi -else - echo 'TLS not activated - check the script for requirements...' -fi - -/etc/init.d/postfix reload - -# Based on this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt -# Support for trusted MX backup networks added -# PCRE stuff avoided, as PCRE is only optional on newest Debian packages -# RBLs replaced with those recommended by http://www.antispews.org/ - -# Here's a convenient overview of different blackholes: -# http://rbls.org/ - -# smtpd_tls_CAfile |