diff options
Diffstat (limited to 'postfix/postfix.sh')
-rwxr-xr-x | postfix/postfix.sh | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/postfix/postfix.sh b/postfix/postfix.sh new file mode 100755 index 0000000..d7fab85 --- /dev/null +++ b/postfix/postfix.sh @@ -0,0 +1,87 @@ +#!/bin/bash + +set -e + +paramdir='/etc/local-COMMON/postfix' +confdir='/etc/postfix' +sp='[[:space:]]' + +function getlinesfromfile() { + param="$1" + echo -n "$param = " + cat $paramdir/$param | grep -v '^#' | sed 's/#.*//' | tr '\n' ',' | sed -e 's/^[, ]*//' -e 's/[, ]\+/,/g' -e 's/,$//' +} + +# Some badly configured setup use hostname instead of FQDN +if postconf myhostname | grep '.' &> /dev/null; then + postconf -e 'smtpd_helo_required = yes' +fi +postconf -e "`getlinesfromfile permit_mx_backup_networks`" +postconf -e "`getlinesfromfile maps_rbl_domains`" +postconf -e "`getlinesfromfile smtpd_recipient_restrictions`" + +# TLS breaks postfix if no SASL modules available (and doesn't make sense either) +# (change the test if using some other modules and avoid the plain ones) +if dpkg -L libsasl-modules-plain &> /dev/null && [ -f /etc/ssl/certs/postfix.pem ]; then + mkdir -p $confdir/sasl + echo 'pwcheck_method: pam' >$confdir/sasl/smtpd.conf + echo 'auto_transition: false' >>$confdir/sasl/smtpd.conf + groups postfix | grep shadow &>/dev/null || adduser postfix shadow + # Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy) + cp -a $confdir/master.cf $confdir/master.cf.old + cat $confdir/master.cf.old | sed \ + -e "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \ + -e "s/^#\?\(\(smtps\|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \ + -e "s/^#\(tlsmgr$sp\)/\1/" \ + > $confdir/master.cf + cat $confdir/master.cf | egrep "^tlsmgr$sp" > /dev/null || \ + echo 'tlsmgr fifo - - - 300 1 tlsmgr' >> $confdir/master.cf + postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem' + if [ -f /etc/ssl/private/postfix.pem ]; then + postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem' + fi + postconf -e 'smtpd_tls_loglevel = 1' + postconf -e 'smtpd_use_tls = yes' + postconf -e 'smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache' + postconf -e 'smtpd_tls_auth_only = yes' + postconf -e 'smtpd_sasl_auth_enable = no' + postconf -e 'smtpd_sasl_security_options = noanonymous' + postconf -e 'smtpd_sasl_local_domain = $myhostname' + postconf -e 'smtpd_tls_received_header = yes' + postconf -e 'broken_sasl_auth_clients = yes' + postconf -e 'tls_random_source = dev:/dev/urandom' + postconf -e 'tls_daemon_random_source = dev:/dev/urandom' + # Check if using a proper key exists (not just a self-signed one) + # (it is assumed that a CA certificate is made public if used!) + if [ -f /etc/ssl/certs/cacert.pem ]; then + postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem' + postconf -e 'smtp_tls_CAfile = $smtpd_tls_CAfile' + postconf -e 'smtp_tls_cert_file = /etc/ssl/certs/postfix.pem' + # Client side TLS only makes sense if a publicly available certificate is available + # (and DON'T publish a self-signed certificate!) + if [ -f /etc/ssl/private/postfix.pem ]; then + postconf -e 'smtp_tls_key_file = $smtpd_tls_key_file' + fi + postconf -e 'smtp_tls_loglevel = 1' + postconf -e 'smtp_use_tls = yes' + postconf -e 'smtp_tls_CApath = /etc/ssl/certs' + postconf -e 'smtp_tls_note_starttls_offer = yes' # Useful when collecting info for smtp_tls_per_site option + postconf -e 'smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache' + # This makes Netscape ask for a certificate, so make sure it IS public! + postconf -e 'smtpd_tls_ask_ccert = yes' + fi +else + echo 'TLS not activated - check the script for requirements...' +fi + +/etc/init.d/postfix reload + +# Based on this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt +# Support for trusted MX backup networks added +# PCRE stuff avoided, as PCRE is only optional on newest Debian packages +# RBLs replaced with those recommended by http://www.antispews.org/ + +# Here's a convenient overview of different blackholes: +# http://rbls.org/ + +# smtpd_tls_CAfile |