summaryrefslogtreecommitdiff
path: root/postfix/anti-uce.sh
blob: fc7ecf9e42a9312f41a558b56f85d9cfd905c359 (plain) 
    

  1. #!/bin/bash
    2. 

  2. 

  3. set -e
    4. 

  4. 

  5. paramdir="/etc/local-COMMON/postfix"
    6. 

  6. confdir="/etc/postfix"
    7. 

  7. sp='[[:space:]]'
    8. 

  8. 

  9. function getlinesfromfile() {
    10. 

  10.     param="$1"
    11. 

  11.     echo -n "$param = "
    12. 

  12.     cat $paramdir/$param | grep -v '^#' | sed 's/#.*//' | tr "\n" "," | sed -e 's/^[, ]*//' -e 's/[, ]\+/,/g' -e 's/,$//'
    13. 

  13. }
    14. 

  14. 

  15. postconf -e "smtpd_helo_required = yes"
    16. 

  16. postconf -e "`getlinesfromfile permit_mx_backup_networks`"
    17. 

  17. postconf -e "`getlinesfromfile maps_rbl_domains`"
    18. 

  18. postconf -e "`getlinesfromfile smtpd_recipient_restrictions`"
    19. 

  19. 

  20. # These options can be fatal if no SASL plugins are available!
    21. 

  21. if dpkg -L libsasl-modules-plain &> /dev/null; then
    22. 

  22.     mkdir -p $confdir/sasl
    23. 

  23.     echo "pwcheck_method: pam" >$confdir/sasl/smtpd.conf
    24. 

  24.     echo "auto_transition: false" >>$confdir/sasl/smtpd.conf
    25. 

  25.     groups postfix | grep shadow &>/dev/null || adduser postfix shadow
    26. 

  26.     cp -a $confdir/master.cf $confdir/master.cf.old
    27. 

  27.     cat $confdir/master.cf.old | sed \
    28. 

  28.         "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \
    29. 

  29.         "s/^#?\(\(smtps|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \
    30. 

  30.         > $confdir/master.cf
    31. 

  31.     postconf -e "smtpd_use_tls = yes"
    32. 

  32.     postconf -e "smtpd_tls_auth_only = yes"
    33. 

  33.     postconf -e "smtpd_sasl_auth_enable = no"
    34. 

  34.     postconf -e "broken_sasl_auth_clients = yes"
    35. 

  35.     postconf -e "smtpd_sasl_security_options = noanonymous"
    36. 

  36.     postconf -e "smtpd_sasl_local_domain = \$myhostname"
    37. 

  37.     postconf -e "smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt"
    38. 

  38.     postconf -e "smtpd_tls_key_file = /etc/ssl/certs/postfix.key"
    39. 

  39.     postconf -e "tls_random_source = dev:/dev/urandom"
    40. 

  40.     postconf -e "tls_daemon_random_source = dev:/dev/urandom"
    41. 

  41. fi
    42. 

  42. 

  43. /etc/init.d/postfix reload
    44. 

  44. 

  45. # Based on this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
    46. 

  46. # Support for trusted MX backup networks added
    47. 

  47. # PCRE stuff avoided, as PCRE is only optional on newest Debian packages
    48. 

  48. # RBLs replaced with those recommended by http://www.antispews.org/
    49. 

  49. 

  50. # Here's a convenient overview of different blackholes:
    51. 

  51. #   http://rbls.org/
    52. 

  52. 

  53. # smtpd_tls_CAfile
    54.
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-30 19:46:44 +0000