diff options
| author | Jonas Smedegaard <dr@jones.dk> | 2007-12-05 09:53:38 +0000 |
|---|---|---|
| committer | Jonas Smedegaard <dr@jones.dk> | 2007-12-05 09:53:38 +0000 |
| commit | a85d338459d6aaed71ed0a7efdfe95b9cfc995d5 (patch) | |
| tree | bdff711b235db337a5ac77cdc957fdb8c2fabeec /postfix | |
| parent | 5b28da9b5c2b61b46e8fbf2cf0feb2ec9de246d8 (diff) | |
Major rewrite to prepare in tempdir and show diff before applying.
Diffstat (limited to 'postfix')
| -rwxr-xr-x | postfix/postfix.sh | 211 |
1 files changed, 115 insertions, 96 deletions
diff --git a/postfix/postfix.sh b/postfix/postfix.sh index 66b5a66..3685a04 100755 --- a/postfix/postfix.sh +++ b/postfix/postfix.sh @@ -3,7 +3,7 @@ # /etc/local-COMMON/postfix/postfix.sh # Copyright 2002-2007 Jonas Smedegaard <dr@jones.dk> # -# $Id: postfix.sh,v 1.60 2007-09-24 23:15:08 jonas Exp $ +# $Id: postfix.sh,v 1.61 2007-12-05 09:53:38 jonas Exp $ # # Auto-tweak plain installed postfix Debian package # @@ -18,36 +18,38 @@ set -e # Let's standardize sort export LC_ALL=C +exit1() { + echo >&2 "Error: $1" + echo >&2 "Exiting..." + exit 1 +} + realmsdir='/etc/local-REDPILL' configdirs='/etc/local/postfix /etc/local-ORG/postfix /etc/local-REDPILL/postfix /etc/local-COMMON/postfix' confdir='/etc/postfix' postconf=/usr/sbin/postconf sp='[[:space:]]' if ! $postconf -d mail_version | egrep -q '= 2\.[2-9]'; then - echo "ERROR: Bad postfix version - this script is known to work only for postfix 2.2 and later" - exit 1 + exit1 "ERROR: Bad postfix version - this script is known to work only for postfix 2.2 and later" fi if ! [ -d "$realmsdir" ]; then - echo "WARNING: Realms directory \"$realmsdir\" does not exist." + echo >&2 "WARNING: Realms directory \"$realmsdir\" does not exist." fi #postgrey= #if [ -x /usr/sbin/postgrey ]; then # # FIXME: Use this somehow, and only warn below # postgrey=1 #else -# echo "ERROR: Greylisting support missing." -# echo " (on Debian: install the package postgrey)" -# exit 1 +# exit1 "ERROR: Greylisting support (Debian package postgrey) missing." #fi # FIXME: We really want to check for at least 2.1.1 but that's tricky... sasl2= if saslauthd -v 2>&1 | grep -q '^saslauthd 2.1'; then sasl2=1 else - echo "WARNING: Not enabling encryption: sasl tools 2.1.1 or greater is required." - echo " (on Debian: install the package sasl2-bin)" + echo >&2 "WARNING: Encryption requires sasl tools 2.1.1 (Debian package sasl2-bin)." fi -sasldir="$confdir/sasl" +saslsubdir="sasl" catfilefromownrealm() { file="$1" @@ -83,8 +85,7 @@ catfirstfile() { fi done if [ -z "$configdir" ]; then - echo "ERROR: file \"$file\" not found." - exit 1 + exit1 "ERROR: file \"$file\" not found." fi cat "$configdir/$file" } @@ -119,131 +120,149 @@ getlinesfromfile() { catfirstfile "$param" | sed 's/#.*//' | tr '\n' ',' | sed -e 's/^[, ]*//;s/[, ]\+/,/g' -e 's/\^/ /g' -e "s/,\$//$replacements" } +postmapfiles= + +tempdir="$(mktemp -td postfix.XXXXXX)" +cp -a -t "$tempdir" "$confdir"/* + # Inspired by D. J. Bernstein: http://cr.yp.to/smtp/greeting.html -$postconf -e 'smtpd_banner = $myhostname NO UCE ESMTP $mail_name (Debian/GNU)' +$postconf -c "$tempdir" -e 'smtpd_banner = $myhostname NO UCE ESMTP $mail_name (Debian/GNU)' # Some badly configured setup use hostname instead of FQDN # Disable completely: Effective, but hurts executive type guys using windows servers... :-( -#if $postconf myhostname | grep -q '\.'; then -# $postconf -e 'smtpd_helo_required = yes' +#if $postconf -c "$tempdir" myhostname | grep -q '\.'; then +# $postconf -c "$tempdir" -e 'smtpd_helo_required = yes' #fi -$postconf -e 'smtpd_helo_required = no' -$postconf -e "`getlinesfromfile permit_mx_backup_networks`" -$postconf -e "maps_rbl_domains =" -$postconf -e "`getlinesfromfile smtpd_client_restrictions reject_rhsbl_client`" -$postconf -e "`getlinesfromfile smtpd_helo_restrictions`" -$postconf -e "`getlinesfromfile smtpd_sender_restrictions reject_rhsbl_sender`" -$postconf -e "`getlinesfromfile smtpd_recipient_restrictions reject_maps_rbl=reject_rbl_client=maps_rbl_domains`" -$postconf -e "`getlinesfromfile smtpd_data_restrictions`" +$postconf -c "$tempdir" -e 'smtpd_helo_required = no' +$postconf -c "$tempdir" -e "`getlinesfromfile permit_mx_backup_networks`" +$postconf -c "$tempdir" -e "maps_rbl_domains =" +$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_client_restrictions reject_rhsbl_client`" +$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_helo_restrictions`" +$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_sender_restrictions reject_rhsbl_sender`" +$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_recipient_restrictions reject_maps_rbl=reject_rbl_client=maps_rbl_domains`" +$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_data_restrictions`" # Verify senders of common suspicious and known verifiable domains # (exclude verification of postmaster@ to not verify verification probes) # (add own domains before peers for (rare) cases of duplicates) # FIXME: somehow do this step only if enabled in smtpd_sender_restrictions # TODO: Properly implement exception exclusion like yahoo (which does not want to be checked any longer!) -cat /etc/local-COMMON/postfix/maildomains | grep -v yahoo | sort | sed 's/$/ reject_unverified_sender/' > "$confdir/sender_access" +cat /etc/local-COMMON/postfix/maildomains | grep -v yahoo | sort | sed 's/$/ reject_unverified_sender/' > "$tempdir/sender_access" ( catfilefromownrealm maildomains | sort; catallfilesfromotherrealms maildomains | sort ) \ - | sed 's/\(.*\)$/postmaster@\1 permit\n\1 reject_unverified_sender/' >> "$confdir/sender_access" -postmap "$confdir/sender_access" -$postconf -e "unverified_sender_reject_code = 550" + | sed 's/\(.*\)$/postmaster@\1 permit\n\1 reject_unverified_sender/' >> "$tempdir/sender_access" +postmapfiles="$postmapfiles sender_access" +$postconf -c "$tempdir" -e "unverified_sender_reject_code = 550" # Trust recipient verification too -$postconf -e "unverified_recipient_reject_code = 550" +$postconf -c "$tempdir" -e "unverified_recipient_reject_code = 550" # TLS breaks postfix if no SASL modules available (and doesn't make sense either) # (change the test if using some other modules and avoid the plain ones) if [ -n "$sasl2" ] && [ -f /etc/ssl/certs/postfix.pem ]; then - mkdir -p "$sasldir" - echo 'mech_list: plain login' > "$sasldir/smtpd.conf" - echo 'minimum_layer: 0' >> "$sasldir/smtpd.conf" - echo 'sasl_pwcheck_method: saslauthd' >> "$sasldir/smtpd.conf" - echo 'auto_transition: false' >> "$sasldir/smtpd.conf" - groups postfix | grep -q sasl || adduser postfix sasl + mkdir -p "$tempdir/$saslsubdir" + echo 'mech_list: plain login' > "$tempdir/$saslsubdir/smtpd.conf" + echo 'minimum_layer: 0' >> "$tempdir/$saslsubdir/smtpd.conf" + echo 'sasl_pwcheck_method: saslauthd' >> "$tempdir/$saslsubdir/smtpd.conf" + echo 'auto_transition: false' >> "$tempdir/$saslsubdir/smtpd.conf" + groups postfix | grep -q sasl || echo "adduser postfix sasl" >> "$tempdir/COMMANDS" # Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy) - cp -a $confdir/master.cf $confdir/master.cf.old - cat $confdir/master.cf.old | sed \ + sed --in-place \ -e "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \ -e "s/^#\?\(\(smtps\|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \ -e "s/^#\(tlsmgr$sp\)/\1/" \ - > $confdir/master.cf - cat $confdir/master.cf | egrep -q "^tlsmgr$sp" || \ - echo 'tlsmgr unix - - - 300 1 tlsmgr' >> $confdir/master.cf - $postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem' + "$tempdir/master.cf" + cat $tempdir/master.cf | egrep -q "^tlsmgr$sp" || \ + echo 'tlsmgr unix - - - 300 1 tlsmgr' >> $tempdir/master.cf + $postconf -c "$tempdir" -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem' if [ -f /etc/ssl/private/postfix.pem ]; then - $postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem' + $postconf -c "$tempdir" -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem' fi - $postconf -e 'smtpd_tls_loglevel = 1' - $postconf -e 'smtpd_use_tls = yes' - $postconf -e 'smtp_tls_CApath = /etc/ssl/certs' - $postconf -e 'smtpd_tls_CApath = /etc/ssl/certs' - $postconf -e 'lmtp_tls_CApath = /etc/ssl/certs' - $postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem' - $postconf -e 'smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_scache' - $postconf -e 'smtpd_tls_session_cache_timeout = 3600s' - $postconf -e 'tls_random_exchange_name = /var/spool/postfix/prng_exch' - $postconf -e 'smtpd_tls_auth_only = yes' - $postconf -e 'smtpd_sasl_auth_enable = no' # SASL is enabled explicitly with TLS transport - $postconf -e 'smtpd_sasl_security_options = noanonymous' - $postconf -e 'smtpd_sasl_local_domain = ' - $postconf -e 'smtpd_tls_received_header = yes' - $postconf -e 'broken_sasl_auth_clients = yes' - $postconf -e 'tls_random_source = dev:/dev/urandom' - $postconf -e 'tls_daemon_random_source = dev:/dev/urandom' + $postconf -c "$tempdir" -e 'smtpd_tls_loglevel = 1' + $postconf -c "$tempdir" -e 'smtpd_use_tls = yes' + $postconf -c "$tempdir" -e 'smtp_tls_CApath = /etc/ssl/certs' + $postconf -c "$tempdir" -e 'smtpd_tls_CApath = /etc/ssl/certs' + $postconf -c "$tempdir" -e 'lmtp_tls_CApath = /etc/ssl/certs' + $postconf -c "$tempdir" -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem' + $postconf -c "$tempdir" -e 'smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_scache' + $postconf -c "$tempdir" -e 'smtpd_tls_session_cache_timeout = 3600s' + $postconf -c "$tempdir" -e 'tls_random_exchange_name = /var/spool/postfix/prng_exch' + $postconf -c "$tempdir" -e 'smtpd_tls_auth_only = yes' + $postconf -c "$tempdir" -e 'smtpd_sasl_auth_enable = no' # SASL is enabled explicitly with TLS transport + $postconf -c "$tempdir" -e 'smtpd_sasl_security_options = noanonymous' + $postconf -c "$tempdir" -e 'smtpd_sasl_local_domain = ' + $postconf -c "$tempdir" -e 'smtpd_tls_received_header = yes' + $postconf -c "$tempdir" -e 'broken_sasl_auth_clients = yes' + $postconf -c "$tempdir" -e 'tls_random_source = dev:/dev/urandom' + $postconf -c "$tempdir" -e 'tls_daemon_random_source = dev:/dev/urandom' # Check if using a proper key exists (not just a self-signed one) # (it is assumed that a CA certificate is made public if used!) if [ -f /etc/ssl/certs/cacert.pem ]; then - $postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem' + $postconf -c "$tempdir" -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem' # Client side TLS only makes sense if a publicly available certificate is available # (and DON'T publish a self-signed certificate!) - $postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/cacert.pem' - $postconf -e 'smtp_tls_cert_file = /etc/ssl/certs/postfix.pem' + $postconf -c "$tempdir" -e 'smtp_tls_CAfile = /etc/ssl/certs/cacert.pem' + $postconf -c "$tempdir" -e 'smtp_tls_cert_file = /etc/ssl/certs/postfix.pem' if [ -f /etc/ssl/private/postfix.pem ]; then - $postconf -e 'smtp_tls_key_file = /etc/ssl/private/postfix.pem' + $postconf -c "$tempdir" -e 'smtp_tls_key_file = /etc/ssl/private/postfix.pem' fi - $postconf -e 'smtp_tls_loglevel = 1' - $postconf -e 'smtp_use_tls = yes' - $postconf -e 'smtp_tls_CApath = /etc/ssl/certs' - $postconf -e 'smtp_tls_note_starttls_offer = no' # Enable to collect info for smtp_tls_per_site option - $postconf -e 'smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_scache' + $postconf -c "$tempdir" -e 'smtp_tls_loglevel = 1' + $postconf -c "$tempdir" -e 'smtp_use_tls = yes' + $postconf -c "$tempdir" -e 'smtp_tls_CApath = /etc/ssl/certs' + $postconf -c "$tempdir" -e 'smtp_tls_note_starttls_offer = no' # Enable to collect info for smtp_tls_per_site option + $postconf -c "$tempdir" -e 'smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_scache' # Accepting client certificates breaks SMTP AUTH on OutLook Express on Mac (Classic) - $postconf -e 'smtpd_tls_ask_ccert = no' + $postconf -c "$tempdir" -e 'smtpd_tls_ask_ccert = no' # Force using TLS for peers - catallfilesfromotherrealms mailhost | sort | sed 's/^/[/;s/$/]:submission secure/' > "$confdir/tls_policy" - postmap "$confdir/tls_policy" - $postconf -e 'smtp_tls_policy_maps = hash:/etc/postfix/tls_policy' + catallfilesfromotherrealms mailhost | sort | sed 's/^/[/;s/$/]:submission secure/' > "$tempdir/tls_policy" + postmapfiles="$postmapfiles tls_policy" + $postconf -c "$tempdir" -e 'smtp_tls_policy_maps = hash:/etc/postfix/tls_policy' else - echo "WARNING: CA certificate not found - consider using proper signed certificates!" + echo >&2 "WARNING: CA certificate not found - consider using proper signed certificates!" fi else - echo 'WARNING: TLS not activated - check the script for requirements...' + echo >&2 'WARNING: TLS not activated - check the script for requirements...' fi if [ -x /usr/sbin/amavisd ] || [ -x /usr/sbin/amavisd-new ]; then - $postconf -e 'max_use = 10' # Avoid too much reuse - cat $confdir/master.cf | egrep -q "^smtp-amavis$sp" || \ - echo "smtp-amavis unix - - n - 2 lmtp -o smtp_data_done_timeout=1200s -o smtp_never_send_ehlo=yes -o disable_dns_lookups=yes" >> $confdir/master.cf - cat $confdir/master.cf | egrep -q "^127.0.0.1:10025$sp" || \ - echo '127.0.0.1:10025 inet n - n - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes' >> $confdir/master.cf - $postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024' - $postconf -e 'allow_mail_to_file = yes' - mkdir -p /var/lib/amavis/mboxes - chown nobody.nogroup /var/lib/amavis/mboxes - for mail in virus-quarantine virusalert spam-quarantine spamalert; do - touch /var/lib/amavis/mboxes/$mail - chown nobody.nogroup /var/lib/amavis/mboxes/$mail - if ! grep -q "^$mail:" /etc/aliases; then - echo "$mail: /var/lib/amavis/mboxes/$mail" >> /etc/aliases - newaliases - fi - done - if ! grep -q "^spam.police:" /etc/aliases; then - echo "spam.police: root" >> /etc/aliases - newaliases - fi + $postconf -c "$tempdir" -e 'max_use = 10' # Avoid too much reuse + cat $tempdir/master.cf | egrep -q "^smtp-amavis$sp" || \ + echo "smtp-amavis unix - - n - 2 lmtp -o smtp_data_done_timeout=1200s -o smtp_never_send_ehlo=yes -o disable_dns_lookups=yes" >> $tempdir/master.cf + cat $tempdir/master.cf | egrep -q "^127.0.0.1:10025$sp" || \ + echo '127.0.0.1:10025 inet n - n - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes' >> $tempdir/master.cf + $postconf -c "$tempdir" -e 'content_filter = smtp-amavis:[127.0.0.1]:10024' fi -# FIXME: restart if master.conf has been edited -/etc/init.d/postfix reload +diff -ruN "$confdir" "$tempdir" || if [ $? -gt 1 ]; then exit $?; fi + +if [ "$force" = "1" ]; then + do_update="y" +else + echo -n "Above is the intended changes. OK to update (y/N)? " + read do_update +fi +case $do_update in + y|Y) + if [ -f "$tempdir/COMMANDS" ]; then + sh -c "$tempdir/COMMANDS" + fi + rm -f "$tempdir/COMMANDS" + + cp -a -f -t "$confdir" "$tempdir"/* + rm -rf "$tempdir" + + for file in $postmapfiles; do + postmap "$confdir/$file" + done + + # FIXME: restart if master.conf has been edited + invoke-rc.d postfix reload + + echo >&2 "Changes applied!" + ;; + *) + exit1 "Aborted!" + ;; +esac # Based on this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt # Support for trusted MX backup networks added |