#!/bin/bash # # /etc/local-COMMON/postfix/postfix.sh # Copyright 2002 Jonas Smedegaard # # $Id: postfix.sh,v 1.7 2003-01-04 02:46:14 jonas Exp $ # # Auto-tweak plain installed postfix Debian package # # TODO: Check for postfix 2.0 and include improve RBL logic with new # options reject_rhsbl_sender and default_rbl_reply # # TODO: Figure out a way to use chroot jail for TLS stuff. set -e paramdir='/etc/local-COMMON/postfix' confdir='/etc/postfix' sp='[[:space:]]' function getlinesfromfile() { param="$1" echo -n "$param = " cat $paramdir/$param | grep -v '^#' | sed 's/#.*//' | tr '\n' ',' | sed -e 's/^[, ]*//' -e 's/[, ]\+/,/g' -e 's/,$//' } # Some badly configured setup use hostname instead of FQDN if /usr/sbin/postconf myhostname | grep '.' &> /dev/null; then /usr/sbin/postconf -e 'smtpd_helo_required = yes' fi /usr/sbin/postconf -e "`getlinesfromfile permit_mx_backup_networks`" /usr/sbin/postconf -e "`getlinesfromfile maps_rbl_domains`" /usr/sbin/postconf -e "`getlinesfromfile smtpd_recipient_restrictions`" # TLS breaks postfix if no SASL modules available (and doesn't make sense either) # (change the test if using some other modules and avoid the plain ones) if [ -f /usr/lib/postfix/tlsmgr -a -f /usr/lib/sasl/libplain.so -a -f /etc/ssl/certs/postfix.pem ]; then mkdir -p $confdir/sasl echo 'pwcheck_method: pam' >$confdir/sasl/smtpd.conf echo 'auto_transition: false' >>$confdir/sasl/smtpd.conf groups postfix | grep shadow &>/dev/null || adduser postfix shadow # Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy) cp -a $confdir/master.cf $confdir/master.cf.old cat $confdir/master.cf.old | sed \ -e "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \ -e "s/^#\?\(\(smtps\|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \ -e "s/^#\(tlsmgr$sp\)/\1/" \ > $confdir/master.cf cat $confdir/master.cf | egrep "^tlsmgr$sp" > /dev/null || \ echo 'tlsmgr fifo - - - 300 1 tlsmgr' >> $confdir/master.cf /usr/sbin/postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem' if [ -f /etc/ssl/private/postfix.pem ]; then /usr/sbin/postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem' fi /usr/sbin/postconf -e 'smtpd_tls_loglevel = 1' /usr/sbin/postconf -e 'smtpd_use_tls = yes' /usr/sbin/postconf -e 'smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache' /usr/sbin/postconf -e 'smtpd_tls_auth_only = yes' /usr/sbin/postconf -e 'smtpd_sasl_auth_enable = no' /usr/sbin/postconf -e 'smtpd_sasl_security_options = noanonymous' /usr/sbin/postconf -e 'smtpd_sasl_local_domain = $myhostname' /usr/sbin/postconf -e 'smtpd_tls_received_header = yes' /usr/sbin/postconf -e 'broken_sasl_auth_clients = yes' /usr/sbin/postconf -e 'tls_random_source = dev:/dev/urandom' /usr/sbin/postconf -e 'tls_daemon_random_source = dev:/dev/urandom' # Check if using a proper key exists (not just a self-signed one) # (it is assumed that a CA certificate is made public if used!) if [ -f /etc/ssl/certs/cacert.pem ]; then /usr/sbin/postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem' # Client side TLS only makes sense if a publicly available certificate is available # (and DON'T publish a self-signed certificate!) /usr/sbin/postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/cacert.pem' /usr/sbin/postconf -e 'smtp_tls_cert_file = /etc/ssl/certs/postfix.pem' if [ -f /etc/ssl/private/postfix.pem ]; then /usr/sbin/postconf -e 'smtp_tls_key_file = /etc/ssl/private/postfix.pem' fi /usr/sbin/postconf -e 'smtp_tls_loglevel = 1' /usr/sbin/postconf -e 'smtp_use_tls = yes' /usr/sbin/postconf -e 'smtp_tls_CApath = /etc/ssl/certs' /usr/sbin/postconf -e 'smtp_tls_note_starttls_offer = no' # Enable to collect info for smtp_tls_per_site option /usr/sbin/postconf -e 'smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache' # This makes Netscape ask for a certificate, so make sure it IS public! /usr/sbin/postconf -e 'smtpd_tls_ask_ccert = yes' fi else echo 'TLS not activated - check the script for requirements...' fi /etc/init.d/postfix reload # Based on this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt # Support for trusted MX backup networks added # PCRE stuff avoided, as PCRE is only optional on newest Debian packages # RBLs replaced with those recommended by http://www.antispews.org/ # Here's a convenient overview of different blackholes: # http://rbls.org/ # smtpd_tls_CAfile