#!/bin/sh
#
# /etc/local-COMMON/postfix/postfix.sh
# Copyright 2002-2007 Jonas Smedegaard <dr@jones.dk>
#
# $Id: postfix.sh,v 1.76 2008-05-25 19:00:16 jonas Exp $
#
# Auto-tweak plain installed postfix Debian package
#
# TODO:
#  * Implement stuff from here: http://www.wsrcc.com/spam/
#  * Implement stuff from here: http://www.muine.org/~hoang/postfix.html
#  * Implement stuff from here: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
#  * Figure out a way to use chroot jail for TLS stuff.

set -e

# Let's standardize sort
export LC_ALL=C

exit1()	{
	echo >&2 "Error: $1"
	echo >&2 "Exiting..."
	exit 1
}

realmsdir='/etc/local-REDPILL'
configdirs='/etc/local/postfix /etc/local-ORG/postfix /etc/local-REDPILL/postfix /etc/local-COMMON/postfix'
confdir='/etc/postfix'
postconf=/usr/sbin/postconf
sp='[[:space:]]'
if ! $postconf -d mail_version | egrep -q '= 2\.[2-9]'; then
	exit1 "ERROR: Bad postfix version - this script is known to work only for postfix 2.2 and later"
fi
if ! [ -d "$realmsdir" ]; then
	echo >&2 "WARNING: Realms directory \"$realmsdir\" does not exist."
fi
#postgrey=
#if [ -x /usr/sbin/postgrey ]; then
#	# FIXME: Use this somehow, and only warn below
#	postgrey=1
#else
#	exit1 "ERROR: Greylisting support (Debian package postgrey) missing."
#fi
# FIXME: We really want to check for at least 2.1.1 but that's tricky...
sasl2=
if saslauthd -v 2>&1 | grep -q '^saslauthd 2.1'; then
	sasl2=1
else
	echo >&2 "WARNING: Encryption requires sasl tools 2.1.1 (Debian package sasl2-bin)."
fi
saslsubdir="sasl"

sslcert=
if [ -n "$sasl2" ] && [ -f /etc/ssl/certs/postfix.pem ]; then
	sslcert=1
else
	echo >&2 "WARNING: Encryption requires SSL certificate at /etc/ssl/certs/postfix.pem."
fi

amavis=
if [ -x /usr/sbin/amavisd ] || [ -x /usr/sbin/amavisd-new ]; then
	amavis=1
else
	echo >&2 "WARNING: Avoiding AMaViS setup: not installed."
fi

dkimproxy=
if [ "1" = "$amavis" ] && [ -x /usr/bin/dkimsign ] && grep -q :10024 /etc/init.d/dkimproxy; then
	dkimproxy=1
else
	echo >&2 "WARNING: Avoiding/disabling DKIMproxy setup: not installed or fully configured."
fi

catfilefromownrealm() {
	file="$1"
	[ -d "$realmsdir" ] || exit 0

	thisrealm="$(cat /etc/local-ORG/realm || dnsdomainname | tr '[a-z]' '[A-Z]')"

	cat "$realmsdir/$thisrealm/$file"
}

catallfilesfromotherrealms() {
	file="$1"
	[ -d "$realmsdir" ] || exit 0
	[ -f "$realmsdir/realms" ] || exit 0

	realms="$(cat "$realmsdir/realms" | sed 's/#.*//')"
	thisrealm="$(cat /etc/local-ORG/realm || dnsdomainname | tr '[a-z]' '[A-Z]')"

	for realm in $realms; do
		if [ "$thisrealm" != "$realm" ]; then
			cat "$realmsdir/$realm/$file"
		fi
	done
}

catfirstfile() {
	file="$1"
	configdir=''
	for dir in $configdirs; do
		if [ -d "$dir" ] && [ -f "$dir/$file" ]; then
			configdir="$dir"
			break
		fi
	done
	if [ -z "$configdir" ]; then
		exit1 "ERROR: file \"$file\" not found."
	fi
	cat "$configdir/$file"
}

getlinesfromfile() {
	param="$1"
	shift
	replacements=
	for subparam in $@; do
		case "$subparam" in
		    *=*=*)
			oldparam="`echo $subparam | awk -F= '{print $1}'`"
			newparam="`echo $subparam | awk -F= '{print $2}'`"
			newparamfile="`echo $subparam | awk -F= '{print $3}'`"
			shift
			;;
		    *)
			oldparam=$subparam
			newparam=$subparam
			newparamfile=$subparam
			shift
			;;
		esac
		newparamvalues="`getlinesfromfile $newparamfile | sed -e 's/.*=[ ]*//' -e 's/,/ /g'`"
		newstring=
		for newparamvalue in $newparamvalues; do
			newstring="${newstring}$newparam $newparamvalue,"
		done
		replacements="$replacements;s/$oldparam/$newstring/"
	done
	echo -n "$param = "
	catfirstfile "$param" | sed 's/#.*//' | tr '\n' ',' | sed -e 's/^[, 	]*//;s/[, 	]\+/,/g' -e 's/\^/ /g' -e "s/,\$//$replacements"
}

postmapfiles=

tempdir="$(mktemp -td postfix.XXXXXX)"
cp -a -t "$tempdir" "$confdir"/*

# Inspired by D. J. Bernstein: http://cr.yp.to/smtp/greeting.html
$postconf -c "$tempdir" -e 'smtpd_banner = $myhostname NO UCE ESMTP $mail_name (Debian/GNU)'

# Some badly configured setup use hostname instead of FQDN
# Disable completely: Effective, but hurts executive type guys using windows servers... :-(
#if $postconf -c "$tempdir" myhostname | grep -q '\.'; then
#	$postconf -c "$tempdir" -e 'smtpd_helo_required = yes'
#fi
$postconf -c "$tempdir" -e 'smtpd_helo_required = no'
$postconf -c "$tempdir" -e "`getlinesfromfile permit_mx_backup_networks`"
$postconf -c "$tempdir" -e "maps_rbl_domains ="
$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_client_restrictions reject_rhsbl_client`"
$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_helo_restrictions`"
$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_sender_restrictions reject_rhsbl_sender`"
$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_recipient_restrictions reject_maps_rbl=reject_rbl_client=maps_rbl_domains`"
$postconf -c "$tempdir" -e "`getlinesfromfile smtpd_data_restrictions`"

if [ -n "$dkimproxy" ]; then
	[ -f "$tempdir/sender_access_regex" ] \
		&& grep -q -F '/^/  FILTER dkimsign:[127.0.0.1]:10026' "$tempdir/sender_access_regex" \
		|| echo '/^/  FILTER dkimsign:[127.0.0.1]:10026' >> "$tempdir/sender_access_regex"
else
	[ -f "$tempdir/sender_access_regex" ] \
		|| echo "touch \"$confdir/sender_access_regex\"" >> "$tempdir/COMMANDS"
fi

# Support exceptions to default response
# (Day Old Bread (dob) lists need to reject only temporarily)
$postconf -c "$tempdir" -e "rbl_reply_maps = hash:$confdir/rbl_reply_map"
cat /etc/local-COMMON/postfix/rbl_reply_map \
	| sed 's/#.*//' \
	> "$tempdir/rbl_reply_map"
postmapfiles="$postmapfiles rbl_reply_map"

# Verify senders of common suspicious and known verifiable domains
# (exclude verification of postmaster@ to not verify verification probes)
# (add own domains before peers for (rare) cases of duplicates)
# FIXME: somehow do this step only if enabled in smtpd_sender_restrictions
# TODO: Properly implement exception exclusion like yahoo (which does not want to be checked any longer!)
cat /etc/local-COMMON/postfix/maildomains | grep -v yahoo | sort | sed 's/$/	reject_unverified_sender/' > "$tempdir/sender_access"
( catfilefromownrealm maildomains | sort; catallfilesfromotherrealms maildomains | sort ) \
	| sed 's/\(.*\)$/postmaster@\1	permit\n\1	reject_unverified_sender/' >> "$tempdir/sender_access"
[ ! -f "$tempdir/sender_access.addon" ] || cat "$tempdir/sender_access.addon" >> "$tempdir/sender_access"
postmapfiles="$postmapfiles sender_access"
$postconf -c "$tempdir" -e "unverified_sender_reject_code = 550"

# Trust recipient verification too
$postconf -c "$tempdir" -e "unverified_recipient_reject_code = 550"

# TLS breaks postfix if no SASL modules available (and doesn't make sense either)
# (change the test if using some other modules and avoid the plain ones)
if [ -n "$sasl2" ] && [ -n "$sslcert" ]; then
	mkdir -p "$tempdir/$saslsubdir"
	echo 'mech_list: plain login' > "$tempdir/$saslsubdir/smtpd.conf"
	echo 'minimum_layer: 0' >> "$tempdir/$saslsubdir/smtpd.conf"
	echo 'sasl_pwcheck_method: saslauthd' >> "$tempdir/$saslsubdir/smtpd.conf"
	echo 'auto_transition: false' >> "$tempdir/$saslsubdir/smtpd.conf"
	groups postfix | grep -q sasl || echo "adduser postfix sasl" >> "$tempdir/COMMANDS"
	# Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy)
	sed --in-place \
		-e "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \
		-e "s/^#\?\(\(smtps\|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \
		-e "s/^#\(tlsmgr$sp\)/\1/" \
		"$tempdir/master.cf"
	cat $tempdir/master.cf | egrep -q "^tlsmgr$sp" || \
		echo 'tlsmgr	  unix	-	-	-	300	1	tlsmgr' >> $tempdir/master.cf
	$postconf -c "$tempdir" -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem'
	if [ -f /etc/ssl/private/postfix.pem ]; then
		$postconf -c "$tempdir" -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem'
	fi
	$postconf -c "$tempdir" -e 'smtpd_tls_loglevel = 1'
	$postconf -c "$tempdir" -e 'smtpd_use_tls = yes'
	$postconf -c "$tempdir" -e 'smtp_tls_CApath = /etc/ssl/certs'
	$postconf -c "$tempdir" -e 'smtpd_tls_CApath = /etc/ssl/certs'
	$postconf -c "$tempdir" -e 'lmtp_tls_CApath = /etc/ssl/certs'
	$postconf -c "$tempdir" -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem'
	$postconf -c "$tempdir" -e 'smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache'
	$postconf -c "$tempdir" -e 'smtpd_tls_session_cache_timeout = 3600s'
	$postconf -c "$tempdir" -e 'tls_random_exchange_name = ${queue_directory}/prng_exch'
	$postconf -c "$tempdir" -e 'smtpd_tls_auth_only = yes'
	$postconf -c "$tempdir" -e 'smtpd_sasl_auth_enable = no' # SASL is enabled explicitly with TLS transport
	$postconf -c "$tempdir" -e 'smtpd_sasl_security_options = noanonymous'
	$postconf -c "$tempdir" -e 'smtpd_sasl_local_domain = '
	$postconf -c "$tempdir" -e 'smtpd_tls_received_header = yes'
	$postconf -c "$tempdir" -e 'broken_sasl_auth_clients = yes'
	$postconf -c "$tempdir" -e 'tls_random_source = dev:/dev/urandom'
	$postconf -c "$tempdir" -e 'tls_daemon_random_source = dev:/dev/urandom'
	# Check if using a proper key exists (not just a self-signed one)
	# (it is assumed that a CA certificate is made public if used!)
	if [ -f /etc/ssl/certs/cacert.pem ]; then
		$postconf -c "$tempdir" -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
		# Client side TLS only makes sense if a publicly available certificate is available
		# (and DON'T publish a self-signed certificate!)
		$postconf -c "$tempdir" -e 'smtp_tls_CAfile = /etc/ssl/certs/cacert.pem'
		$postconf -c "$tempdir" -e 'smtp_tls_cert_file = /etc/ssl/certs/postfix.pem'
		if [ -f /etc/ssl/private/postfix.pem ]; then
			$postconf -c "$tempdir" -e 'smtp_tls_key_file = /etc/ssl/private/postfix.pem'
		fi
		$postconf -c "$tempdir" -e 'smtp_tls_loglevel = 1'
		$postconf -c "$tempdir" -e 'smtp_use_tls = yes'
		$postconf -c "$tempdir" -e 'smtp_tls_CApath = /etc/ssl/certs'
		$postconf -c "$tempdir" -e 'smtp_tls_note_starttls_offer = no' # Enable to collect info for smtp_tls_per_site option
		$postconf -c "$tempdir" -e 'smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache'
		# Accepting client certificates breaks SMTP AUTH on OutLook Express on Mac (Classic)
		$postconf -c "$tempdir" -e 'smtpd_tls_ask_ccert = no'
		# Force using TLS for peers
		catallfilesfromotherrealms mailhost | sort | sed 's/^/[/;s/$/]:submission	secure/' > "$tempdir/tls_policy"
		[ ! -f "$tempdir/tls_policy.addon" ] || cat "$tempdir/tls_policy.addon" >> "$tempdir/tls_policy"
		postmapfiles="$postmapfiles tls_policy"
		$postconf -c "$tempdir" -e "smtp_tls_policy_maps = hash:$confdir/tls_policy"
	else
		echo >&2 "WARNING: CA certificate not found - consider using proper signed certificates!"
	fi
else
	echo >&2 'WARNING: TLS not activated due to missing requirements...'
fi

if [ -n "$amavis" ]; then
	$postconf -c "$tempdir" -e 'max_use = 10' # Avoid too much reuse
	cat $tempdir/master.cf | egrep -q "^smtp-amavis$sp" || \
		cat >> $tempdir/master.cf << EOF
smtp-amavis unix -	-	n	-	5	smtp
	-o smtp_data_done_timeout=1200s
	-o smtp_never_send_ehlo=yes
	-o smtp_send_xforward_command=yes
	-o disable_dns_lookups=yes
	-o max_use=20
EOF
	cat $tempdir/master.cf | egrep -q "^127.0.0.1:10025$sp" || \
		cat >> $tempdir/master.cf << EOF
127.0.0.1:10025 inet n	-	n	-	-	smtpd
	-o content_filter=
	-o local_recipient_maps=
	-o relay_recipient_maps=
	-o smtpd_restriction_classes=
	-o smtpd_delay_reject=no
	-o smtpd_client_restrictions=permit_mynetworks,reject
	-o smtpd_helo_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o mynetworks_style=host
	-o mynetworks=127.0.0.0/8
	-o strict_rfc821_envelopes=yes
	-o smtpd_error_sleep_time=0
	-o smtpd_soft_error_limit=1001
EOF
	if [ -n "$dkimproxy" ]; then
		$postconf -c "$tempdir" -e 'content_filter = smtp-amavis:[127.0.0.1]:10028'
# FIXME: needs multiline replacementroutine (using perl?)
#		cat $tempdir/master.cf | egrep -q "^submission$sp" || \
#			cat >> $tempdir/master.cf << EOF
#submission  inet  n     -       n       -       -       smtpd
#	-o smtpd_etrn_restrictions=reject
#	-o smtpd_enforce_tls=yes
#	-o smtpd_sasl_auth_enable=yes
#	-o content_filter=dkimsign:[127.0.0.1]:10028
#	-o receive_override_options=no_address_mappings
#	-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#EOF
#		cat $tempdir/master.cf | egrep -q "^pickup$sp" || \
#			cat >> $tempdir/master.cf << EOF
#pickup    fifo  n       -       -       60      1       pickup
#	-o content_filter=dkimsign:127.0.0.1:10028
#EOF
		cat $tempdir/master.cf | egrep -q "^dkimsign$sp" || \
			cat >> $tempdir/master.cf << EOF
dkimsign  unix  -       -       n       -       10      smtp
	-o smtp_send_xforward_command=yes
	-o smtp_discard_ehlo_keywords=8bitmime
EOF
		cat $tempdir/master.cf | egrep -q "^127\.0\.0\.1:10029$sp" || \
			cat >> $tempdir/master.cf << EOF
127.0.0.1:10029 inet  n  -      n       -       10      smtpd
	-o content_filter=
	-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
	-o smtpd_helo_restrictions=
	-o smtpd_client_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o mynetworks=127.0.0.0/8
	-o smtpd_authorized_xforward_hosts=127.0.0.0/8
EOF
	else
		$postconf -c "$tempdir" -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'
	fi
fi

diff -ruN "$confdir" "$tempdir" || if [ $? -gt 1 ]; then exit $?; else needs_reload="1"; fi

if [ "$force" = "1" ]; then
	do_update="y"
elif [ "1" = "$needs_reload" ]; then
	echo -n "Above is the intended changes. OK to update (y/N)? "
	read do_update
fi
case $do_update in
    y|Y)
	if [ -f "$tempdir/COMMANDS" ]; then
		cat "$tempdir/COMMANDS" | sh -r -s
	fi
	rm -f "$tempdir/COMMANDS"

	diff -q "$confdir/master.cf" "$tempdir/master.cf" || if [ $? -gt 1 ]; then exit $?; else needs_restart="1"; fi

	cp -a -f -t "$confdir" "$tempdir"/*
	rm -rf "$tempdir"

	for file in $postmapfiles; do
		postmap "$confdir/$file"
	done

	if [ "1" = "$needs_restart" ]; then
		invoke-rc.d postfix restart
	else
		invoke-rc.d postfix force-reload
	fi

	if [ "1" = "$needs_reload" ]; then
		echo >&2 "Changes applied!"
	fi
	;;
    *)
	if [ "1" = "$needs_reload" ]; then
		exit1 "Aborted!"
	fi
	;;
esac

if [ "1" != "$needs_reload" ]; then
	echo >&2 "No changes needed!"
fi

# Based on this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
# Support for trusted MX backup networks added
# PCRE stuff avoided, as PCRE is only optional on newest Debian packages
# RBLs replaced with those recommended by http://www.antispews.org/
# AMaViS tweaks as documented in amavisd-new package
# AUTH-SMTP based on these:
#   http://lists.q-linux.com/pipermail/plug/2003-July/029503.html
#   http://www.porcupine.org/postfix-mirror/newdoc/SASL_README.html

# Here's a convenient overview of different blackholes:
#   http://rbls.org/

# smtpd_tls_CAfile