diff options
-rwxr-xr-x | postfix/postfix.sh | 183 |
1 files changed, 87 insertions, 96 deletions
diff --git a/postfix/postfix.sh b/postfix/postfix.sh index 1160f76..735d599 100755 --- a/postfix/postfix.sh +++ b/postfix/postfix.sh @@ -32,7 +32,6 @@ exit1() { realmsdir='/etc/local-REDPILL' configdirs='/etc/local /etc/local-ORG /etc/local-REDPILL /etc/local-COMMON' confdir='/etc/postfix' -postconf=/usr/sbin/postconf sp='[[:space:]]' if ! [ -d "$realmsdir" ]; then warn "Realms directory \"$realmsdir\" does not exist." @@ -181,16 +180,8 @@ getlinesfromfile() { catfirstfile "$param" | sed 's/#.*//' | tr '\n' ',' | sed -e 's/^[, ]*//;s/[, ]\+/,/g' -e 's/\^/ /g' -e "s/,\$//$replacements" } -addoroverwritewithindents() { - set -e - file="$1" - export token="$2" - # provide replacement as STDIN - perl -0777 -pi \ - -E 'BEGIN{ $s=<STDIN>; chomp $s }'\ - -E 's/$ENV{"token"}.*(?:\n\h.*)+\n/$s/m and $seen=1;'\ - -E 'END{ unless ($seen) { print $s } }'\ - "$file" +_postconf() { + postconf -c "$tempdir" "$1" "$(echo "$2" | tr '\n' ' ')" } postmapfiles= @@ -199,21 +190,21 @@ tempdir="$(mktemp -td postfix.XXXXXX)" cp -a -t "$tempdir" "$confdir"/* # Inspired by D. J. Bernstein: http://cr.yp.to/smtp/greeting.html -$postconf -c "$tempdir" -e 'smtpd_banner = $myhostname NO UCE ESMTP $mail_name (Debian/GNU)' +_postconf -e 'smtpd_banner = $myhostname NO UCE ESMTP $mail_name (Debian/GNU)' # Some badly configured setup use hostname instead of FQDN # Disable completely: Effective, but hurts executive type guys using windows servers... :-( -#if $postconf -c "$tempdir" myhostname | grep -q '\.'; then -# $postconf -c "$tempdir" -e 'smtpd_helo_required = yes' +#if _postconf myhostname | grep -q '\.'; then +# _postconf -e 'smtpd_helo_required = yes' #fi -$postconf -c "$tempdir" -e 'smtpd_helo_required = no' -$postconf -c "$tempdir" -e "`getlinesfromfile permit_mx_backup_networks`" -$postconf -c "$tempdir" -e "maps_rbl_domains =" -$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_client_restrictions reject_rhsbl_client`" -$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_helo_restrictions`" -$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_sender_restrictions reject_rhsbl_sender ${dkimproxy:-sender_access_regex=}`" -$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_recipient_restrictions reject_maps_rbl=reject_rbl_client=maps_rbl_domains`" -$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_data_restrictions`" +_postconf -e 'smtpd_helo_required = no' +_postconf -e "`getlinesfromfile permit_mx_backup_networks`" +_postconf -e "maps_rbl_domains =" +_postconf -e "`getlinesfromfile smtpd_client_restrictions reject_rhsbl_client`" +_postconf -e "`getlinesfromfile smtpd_helo_restrictions`" +_postconf -e "`getlinesfromfile smtpd_sender_restrictions reject_rhsbl_sender ${dkimproxy:-sender_access_regex=}`" +_postconf -e "`getlinesfromfile smtpd_recipient_restrictions reject_maps_rbl=reject_rbl_client=maps_rbl_domains`" +_postconf -e "`getlinesfromfile smtpd_data_restrictions`" # FIXME: clear only specific line (not whole file) when dkimproxy unused if [ -f "$tempdir/sender_access_regex" ]; then @@ -231,7 +222,7 @@ fi # Support exceptions to default response # (Day Old Bread (dob) lists need to reject only temporarily) -$postconf -c "$tempdir" -e "rbl_reply_maps = hash:$confdir/rbl_reply_map" +_postconf -e "rbl_reply_maps = hash:$confdir/rbl_reply_map" cat /etc/local-COMMON/postfix/rbl_reply_map \ | sed 's/#.*//' \ > "$tempdir/rbl_reply_map" @@ -247,93 +238,93 @@ cat /etc/local-COMMON/postfix/maildomains | grep -v yahoo | sort | sed 's/$/ rej | sed 's/\(.*\)$/postmaster@\1 permit\n\1 reject_unverified_sender/' >> "$tempdir/sender_access" [ ! -f "$tempdir/sender_access.addon" ] || cat "$tempdir/sender_access.addon" >> "$tempdir/sender_access" postmapfiles="$postmapfiles sender_access" -$postconf -c "$tempdir" -e "unverified_sender_reject_code = 550" +_postconf -e "unverified_sender_reject_code = 550" # Trust recipient verification too -$postconf -c "$tempdir" -e "unverified_recipient_reject_code = 550" +_postconf -e "unverified_recipient_reject_code = 550" if [ -n "$dovecot_lmtp" ]; then - $postconf -c "$tempdir" -e mailbox_transport=lmtp:unix:private/dovecot-lmtp - $postconf -c "$tempdir" -X mailbox_command + _postconf -e mailbox_transport=lmtp:unix:private/dovecot-lmtp + _postconf -X mailbox_command elif [ -n "$dovecot_deliver" ]; then - $postconf -c "$tempdir" -X mailbox_transport - $postconf -c "$tempdir" -e mailbox_command=/usr/lib/dovecot/deliver + _postconf -X mailbox_transport + _postconf -e mailbox_command=/usr/lib/dovecot/deliver else - $postconf -c "$tempdir" -X mailbox_transport - $postconf -c "$tempdir" -X mailbox_command + _postconf -X mailbox_transport + _postconf -X mailbox_command fi # outbound opportunistic encryption -$postconf -c "$tempdir" -e smtp_tls_security_level=may -$postconf -c "$tempdir" -e smtp_tls_cert_file=/etc/ssl/certs/postfix.pem -$postconf -c "$tempdir" -e smtp_tls_key_file=/etc/ssl/private/postfix.pem -$postconf -c "$tempdir" -e smtp_tls_loglevel=1 +_postconf -e smtp_tls_security_level=may +_postconf -e smtp_tls_cert_file=/etc/ssl/certs/postfix.pem +_postconf -e smtp_tls_key_file=/etc/ssl/private/postfix.pem +_postconf -e smtp_tls_loglevel=1 # Force TLS towards peers catallfilesfromotherrealms mailhost | sort | sed 's/^/[/;s/$/]:submission secure/' > "$tempdir/tls_policy" [ ! -f "$tempdir/tls_policy.addon" ] || cat "$tempdir/tls_policy.addon" >> "$tempdir/tls_policy" postmapfiles="$postmapfiles tls_policy" -$postconf -c "$tempdir" -e smtp_tls_policy_maps="hash:$confdir/tls_policy" +_postconf -e smtp_tls_policy_maps="hash:$confdir/tls_policy" # inbound opportunistic encryption if [ -n "$tls_cert" ]; then - $postconf -c "$tempdir" -e smtpd_tls_security_level=may - $postconf -c "$tempdir" -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem' - $postconf -c "$tempdir" -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem' - $postconf -c "$tempdir" -e 'smtpd_tls_loglevel = 1' - $postconf -c "$tempdir" -e 'smtpd_tls_auth_only = yes' - $postconf -c "$tempdir" -e 'smtpd_tls_received_header = yes' + _postconf -e smtpd_tls_security_level=may + _postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem' + _postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem' + _postconf -e 'smtpd_tls_loglevel = 1' + _postconf -e 'smtpd_tls_auth_only = yes' + _postconf -e 'smtpd_tls_received_header = yes' if [ -n "$sasl" ]; then - $postconf -c "$tempdir" -e smtpd_sasl_type=dovecot - $postconf -c "$tempdir" -e smtpd_sasl_path=private/auth - $postconf -c "$tempdir" -e broken_sasl_auth_clients=yes + _postconf -e smtpd_sasl_type=dovecot + _postconf -e smtpd_sasl_path=private/auth + _postconf -e broken_sasl_auth_clients=yes else - $postconf -c "$tempdir" -X smtpd_sasl_type - $postconf -c "$tempdir" -X smtpd_sasl_path - $postconf -c "$tempdir" -X broken_sasl_auth_clients + _postconf -X smtpd_sasl_type + _postconf -X smtpd_sasl_path + _postconf -X broken_sasl_auth_clients fi else - $postconf -c "$tempdir" -e smtpd_tls_security_level=none - $postconf -c "$tempdir" -X smtpd_tls_cert_file - $postconf -c "$tempdir" -X smtpd_tls_key_file - $postconf -c "$tempdir" -X smtpd_tls_loglevel - $postconf -c "$tempdir" -X smtpd_tls_auth_only - $postconf -c "$tempdir" -X smtpd_tls_received_header + _postconf -e smtpd_tls_security_level=none + _postconf -X smtpd_tls_cert_file + _postconf -X smtpd_tls_key_file + _postconf -X smtpd_tls_loglevel + _postconf -X smtpd_tls_auth_only + _postconf -X smtpd_tls_received_header fi # Avoid smtpd_tls_CApath or smtpd_tls_CAfile to trick outlook.com # See <http://postfix.1071664.n5.nabble.com/Problems-with-incoming-mails-from-outlook-com-td78356.html> -$postconf -c "$tempdir" -X smtpd_tls_CApath -$postconf -c "$tempdir" -X smtpd_tls_CAfile +_postconf -X smtpd_tls_CApath +_postconf -X smtpd_tls_CAfile # obsolete TLS-related settings -$postconf -c "$tempdir" -X smtpd_use_tls -$postconf -c "$tempdir" -X smtp_tls_CApath -$postconf -c "$tempdir" -X lmtp_tls_CApath -$postconf -c "$tempdir" -X smtp_tls_CAfile -$postconf -c "$tempdir" -X lmtp_tls_CAfile -$postconf -c "$tempdir" -X smtpd_sasl_auth_enable -$postconf -c "$tempdir" -X smtpd_sasl_security_options -$postconf -c "$tempdir" -X smtpd_tls_ask_ccert -$postconf -c "$tempdir" -X smtp_tls_note_starttls_offer -$postconf -c "$tempdir" -X smtpd_sasl_local_domain -$postconf -c "$tempdir" -X smtpd_tls_session_cache_database -$postconf -c "$tempdir" -X smtpd_tls_session_cache_timeout -$postconf -c "$tempdir" -X smtp_tls_session_cache_database -$postconf -c "$tempdir" -X tls_random_exchange_name -$postconf -c "$tempdir" -X tls_random_source +_postconf -X smtpd_use_tls +_postconf -X smtp_tls_CApath +_postconf -X lmtp_tls_CApath +_postconf -X smtp_tls_CAfile +_postconf -X lmtp_tls_CAfile +_postconf -X smtpd_sasl_auth_enable +_postconf -X smtpd_sasl_security_options +_postconf -X smtpd_tls_ask_ccert +_postconf -X smtp_tls_note_starttls_offer +_postconf -X smtpd_sasl_local_domain +_postconf -X smtpd_tls_session_cache_database +_postconf -X smtpd_tls_session_cache_timeout +_postconf -X smtp_tls_session_cache_database +_postconf -X tls_random_exchange_name +_postconf -X tls_random_source if [ -n "$amavis" ]; then - $postconf -c "$tempdir" -e 'max_use = 10' # Avoid too much reuse + _postconf -e 'max_use = 10' # Avoid too much reuse amavis_maxproc=$(getperlvarfromfile max_servers "$default_amavis_maxproc" amavisd.conf.addon amavis) - addoroverwritewithindents $tempdir/master.cf '^amavisfeed\h' << EOF + _postconf -Me amavisfeed/unix=" amavisfeed unix - - n - $amavis_maxproc lmtp -o lmtp_data_done_timeout=1200s -o lmtp_never_send_ehlo=yes -o lmtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 -EOF - addoroverwritewithindents $tempdir/master.cf '^127.0.0.1:10025\h' << EOF +" + _postconf -Me 127.0.0.1:10025/inet=' 127.0.0.1:10025 inet n - n - - smtpd -o content_filter= -o local_recipient_maps= @@ -353,28 +344,28 @@ EOF -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters -EOF +' if [ -n "$dkimproxy" ]; then - $postconf -c "$tempdir" -e 'content_filter = amavisfeed:[127.0.0.1]:10028' - $postconf -c "$tempdir" -e receive_override_options=no_address_mappings - addoroverwritewithindents $tempdir/master.cf '^submission\h' << EOF + _postconf -e 'content_filter = amavisfeed:[127.0.0.1]:10028' + _postconf -e receive_override_options=no_address_mappings + _postconf -Me submission/inet=' submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o content_filter=dkimsign:[127.0.0.1]:10028 -EOF - addoroverwritewithindents $tempdir/master.cf '^pickup\h' << EOF -pickup fifo n - - 60 1 pickup +' + _postconf -Me pickup/fifo=' +pickup fifo n - - 60 1 pickup -o content_filter=dkimsign:127.0.0.1:10028 -EOF - addoroverwritewithindents $tempdir/master.cf '^dkimsign\h' << EOF +' + _postconf -Me dkimsign/unix=" dkimsign unix - - n - $dkimproxy_maxproc_out smtp -o smtp_send_xforward_command=yes -o smtp_discard_ehlo_keywords=8bitmime,starttls -EOF - addoroverwritewithindents $tempdir/master.cf '^127\.0\.0\.1:10029\h' << EOF +" + _postconf -Me 127.0.0.1:10029/inet=' 127.0.0.1:10029 inet n - n - - smtpd -o content_filter= -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters @@ -384,24 +375,24 @@ EOF -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o smtpd_authorized_xforward_hosts=127.0.0.0/8 -EOF +' else - $postconf -c "$tempdir" -e 'content_filter = amavisfeed:[127.0.0.1]:10024' - $postconf -c "$tempdir" -e 'receive_override_options = no_address_mappings' - addoroverwritewithindents $tempdir/master.cf '^submission\h' << EOF + _postconf -e 'content_filter = amavisfeed:[127.0.0.1]:10024' + _postconf -e 'receive_override_options = no_address_mappings' + _postconf -Me submission/inet=' submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes - -o smtpd_sasl_local_domain=\$mydomain -EOF - addoroverwritewithindents $tempdir/master.cf '^pickup\h' << EOF + -o smtpd_sasl_local_domain=$mydomain +' + _postconf -Me pickup/fifo=' pickup fifo n - - 60 1 pickup -EOF +' fi else - $postconf -c "$tempdir" -X content_filter - $postconf -c "$tempdir" -X receive_override_options + _postconf -X content_filter + _postconf -X receive_override_options fi diff -ruN "$confdir" "$tempdir" || if [ $? -gt 1 ]; then exit $?; else needs_reload="1"; fi |