summaryrefslogtreecommitdiff
path: root/postfix/postfix.sh
blob: 5dc460676bb4aa72380e3ee28f315149eb6b70b8 (plain)
  1. #!/bin/sh
  2. #
  3. # /etc/local-COMMON/postfix/postfix.sh
  4. # Copyright 2002-2007 Jonas Smedegaard <dr@jones.dk>
  5. #
  6. # $Id: postfix.sh,v 1.76 2008-05-25 19:00:16 jonas Exp $
  7. #
  8. # Auto-tweak plain installed postfix Debian package
  9. #
  10. # TODO:
  11. # * Implement stuff from here: http://www.wsrcc.com/spam/
  12. # * Implement stuff from here: http://www.muine.org/~hoang/postfix.html
  13. # * Implement stuff from here: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
  14. # * Figure out a way to use chroot jail for TLS stuff.
  15. # * Use https://www.dnswl.org/
  16. set -e
  17. # Let's standardize sort
  18. export LC_ALL=C
  19. warn() {
  20. echo >&2 "Warning: $1"
  21. }
  22. exit1() {
  23. echo >&2 "Error: $1"
  24. echo >&2 "Exiting..."
  25. exit 1
  26. }
  27. REDPILL=${REDPILL:-REDPILL}
  28. REALM=${REALM:-ORG}
  29. TLS_CERT=${TLS_CERT:-/etc/ssl/certs/postfix.pem}
  30. TLS_KEY=${TLS_KEY:-/etc/ssl/private/postfix.pem}
  31. realmsdir="/etc/local-$REDPILL"
  32. confdir="/etc/postfix"
  33. if ! [ -d "$realmsdir" ]; then
  34. warn "Realms directory \"$realmsdir\" does not exist."
  35. fi
  36. #postgrey=
  37. #if [ -x /usr/sbin/postgrey ]; then
  38. # # FIXME: Use this somehow, and only warn below
  39. # postgrey=1
  40. #else
  41. # exit1 "ERROR: Greylisting support (Debian package postgrey) missing."
  42. #fi
  43. dovecot=
  44. dovecot_lmtp=
  45. dovecot_deliver=
  46. if [ -x /usr/sbin/dovecot ]; then
  47. dovecot=1
  48. if [ -x /usr/lib/dovecot/lmtp ]; then
  49. dovecot_lmtp=1
  50. elif [ -x /usr/lib/dovecot/deliver ]; then
  51. warn "Dovecot LMTP missing - (Debian package dovecot-lmtp)."
  52. dovecot_deliver=1
  53. else
  54. warn "Dovecot deliver missing."
  55. fi
  56. else
  57. warn "Dovecot missing - (Debian package dovecot-core or dovecot)."
  58. fi
  59. tls_cert=
  60. if [ -f "$TLS_CERT" ] && [ -f "$TLS_KEY" ]; then
  61. tls_cert=1
  62. else
  63. warn "No TLS - requires certificate \"$TLS_CERT\" and key \"$TLS_KEY\"."
  64. fi
  65. # TODO: enable only on systems with user accounts
  66. submission=1
  67. # TODO: check that dovecot SASL is configured
  68. sasl_inbound=
  69. if [ -n "$tls_cert" ] && [ -n "$dovecot" ] && [ -n "$submission" ]; then
  70. sasl_inbound=1
  71. else
  72. warn "No inbound SASL authentication - requires TLS encryption and Dovecot."
  73. fi
  74. amavis=
  75. # TODO: maybe use AMaViS default of 20 (instead tuning spamassassin)
  76. # <https://www.ijs.si/software/amavisd/amavisd-new-docs.html#max_requests>
  77. default_amavis_maxproc=2
  78. if [ -x /usr/sbin/amavisd ] || [ -x /usr/sbin/amavisd-new ]; then
  79. amavis=1
  80. else
  81. warn "AMaViS missing (Debian package amavisd-new)."
  82. fi
  83. dkimproxy=
  84. #dkimproxy_maxproc_in=5
  85. # FIXME: update actual outgoing maxproc from /etc/default/dkimproxy (and /etc/dkimproxy/dkimproxy_out.conf too?)
  86. dkimproxy_maxproc_out=5
  87. if [ -x /usr/sbin/dkimproxy.in ]; then
  88. if [ "1" = "$amavis" ]; then
  89. dkimproxy=1
  90. else
  91. warn "No DKIM/Domainkey - requires DKIMproxy and AMaViS."
  92. fi
  93. else
  94. warn "DKIMproxy missing (Debian package dkimproxy)."
  95. fi
  96. catfilefromownrealm() {
  97. set -e
  98. file="$1"
  99. [ -d "$realmsdir" ] || exit 0
  100. thisrealm="$(cat "/etc/local-$REALM/realm" || dnsdomainname | tr '[a-z]' '[A-Z]')"
  101. cat "$realmsdir/$thisrealm/$file"
  102. }
  103. catallfilesfromotherrealms() {
  104. set -e
  105. file="$1"
  106. [ -d "$realmsdir" ] || exit 0
  107. [ -f "$realmsdir/realms" ] || exit 0
  108. realms="$(cat "$realmsdir/realms" | sed 's/#.*//')"
  109. thisrealm="$(cat "/etc/local-$REALM/realm" || dnsdomainname | tr '[a-z]' '[A-Z]')"
  110. for realm in $realms; do
  111. if [ "$thisrealm" != "$realm" ]; then
  112. cat "$realmsdir/$realm/$file"
  113. fi
  114. done
  115. }
  116. catfirstfile() {
  117. set -e
  118. file="$1"
  119. context="${2:-postfix}"
  120. configdir=''
  121. for dir in /etc/local "/etc/local-$REALM" "/etc/local-$REDPILL" /etc/local-COMMON; do
  122. if [ -d "$dir/$context" ] && [ -f "$dir/$context/$file" ]; then
  123. configdir="$dir/$context"
  124. break
  125. fi
  126. done
  127. if [ -z "$configdir" ]; then
  128. exit1 "ERROR: file \"$file\" not found."
  129. fi
  130. cat "$configdir/$file"
  131. }
  132. # TODO: support quoted string, and trailing comment.
  133. getperlvarfromfile() {
  134. set -e
  135. export var="$1"
  136. export default="$2"
  137. file="$3"
  138. context="${4:-postfix}"
  139. catfirstfile "$file" "$context" \
  140. | perl -nE'/^\$$ENV{"var"}\h*=\h*(\d+)/ and $s=$1; END {print length($s) ? $s : $ENV{'default'}}'
  141. }
  142. getlinesfromfile() {
  143. set -e
  144. param="$1"
  145. shift
  146. replacements=
  147. for subparam in $@; do
  148. case "$subparam" in
  149. *=)
  150. oldparam="`echo $subparam | awk -F= '{print $1}'`"
  151. replacements="$replacements;s/,*[^,]*$oldparam[^,]*,*/,/"
  152. continue
  153. ;;
  154. *=*=*)
  155. oldparam="`echo $subparam | awk -F= '{print $1}'`"
  156. newparam="`echo $subparam | awk -F= '{print $2}'`"
  157. newparamfile="`echo $subparam | awk -F= '{print $3}'`"
  158. ;;
  159. *)
  160. oldparam=$subparam
  161. newparam=$subparam
  162. newparamfile=$subparam
  163. ;;
  164. esac
  165. newparamvalues="`getlinesfromfile $newparamfile | sed -e 's/.*=[ ]*//' -e 's/,/ /g'`"
  166. newstring=
  167. for newparamvalue in $newparamvalues; do
  168. newstring="${newstring}$newparam $newparamvalue,"
  169. done
  170. replacements="$replacements;s/$oldparam/$newstring/"
  171. done
  172. echo -n "$param = "
  173. catfirstfile "$param" | sed 's/#.*//' | tr '\n' ',' | sed -e 's/^[, ]*//;s/[, ]\+/,/g' -e 's/\^/ /g' -e "s/,\$//$replacements"
  174. }
  175. _postconf() {
  176. postconf -c "$tempdir" "$1" "$(echo "$2" | tr '\n' ' ')"
  177. }
  178. postmapfiles=
  179. tempdir="$(mktemp -td postfix.XXXXXX)"
  180. cp -a -t "$tempdir" "$confdir"/*
  181. # Inspired by D. J. Bernstein: http://cr.yp.to/smtp/greeting.html
  182. _postconf -e 'smtpd_banner = $myhostname NO UCE ESMTP $mail_name (Debian/GNU)'
  183. # Some badly configured setup use hostname instead of FQDN
  184. # Disable completely: Effective, but hurts executive type guys using windows servers... :-(
  185. #if _postconf myhostname | grep -q '\.'; then
  186. # _postconf -e 'smtpd_helo_required = yes'
  187. #fi
  188. _postconf -e 'smtpd_helo_required = no'
  189. _postconf -e "`getlinesfromfile permit_mx_backup_networks`"
  190. _postconf -e "maps_rbl_domains ="
  191. _postconf -e "`getlinesfromfile smtpd_client_restrictions reject_rhsbl_client`"
  192. _postconf -e "`getlinesfromfile smtpd_helo_restrictions`"
  193. _postconf -e "`getlinesfromfile smtpd_sender_restrictions reject_rhsbl_sender ${dkimproxy:-sender_access_regex=}`"
  194. _postconf -e "`getlinesfromfile smtpd_recipient_restrictions reject_maps_rbl=reject_rbl_client=maps_rbl_domains`"
  195. _postconf -e "`getlinesfromfile smtpd_data_restrictions`"
  196. # FIXME: clear only specific line (not whole file) when dkimproxy unused
  197. if [ -f "$tempdir/sender_access_regex" ]; then
  198. if [ -n "$dkimproxy" ]; then
  199. grep -q -F '/^/ FILTER dkimsign:[127.0.0.1]:10026' "$tempdir/sender_access_regex" \
  200. || echo '/^/ FILTER dkimsign:[127.0.0.1]:10026' >> "$tempdir/sender_access_regex"
  201. else
  202. if grep -q -F '/^/ FILTER dkimsign:[127.0.0.1]:10026' "$tempdir/sender_access_regex"; then
  203. echo "echo '' > \"$confdir/sender_access_regex\"" >> "$tempdir/COMMANDS"
  204. rm "$tempdir/sender_access_regex"
  205. fi
  206. fi
  207. postmapfiles="$postmapfiles sender_access_regex"
  208. fi
  209. # Support exceptions to default response
  210. # (Day Old Bread (dob) lists need to reject only temporarily)
  211. _postconf -e "rbl_reply_maps = hash:$confdir/rbl_reply_map"
  212. cat /etc/local-COMMON/postfix/rbl_reply_map \
  213. | sed 's/#.*//' \
  214. > "$tempdir/rbl_reply_map"
  215. postmapfiles="$postmapfiles rbl_reply_map"
  216. # Verify senders of common suspicious and known verifiable domains
  217. # (exclude verification of postmaster@ to not verify verification probes)
  218. # (add own domains before peers for (rare) cases of duplicates)
  219. # FIXME: somehow do this step only if enabled in smtpd_sender_restrictions
  220. # TODO: Properly implement exception exclusion like yahoo (which does not want to be checked any longer!)
  221. cat /etc/local-COMMON/postfix/maildomains | grep -v yahoo | sort | sed 's/$/ reject_unverified_sender/' > "$tempdir/sender_access"
  222. ( catfilefromownrealm maildomains | sort; catallfilesfromotherrealms maildomains | sort ) \
  223. | sed 's/\(.*\)$/postmaster@\1 permit\n\1 reject_unverified_sender/' >> "$tempdir/sender_access"
  224. [ ! -f "$tempdir/sender_access.addon" ] || cat "$tempdir/sender_access.addon" >> "$tempdir/sender_access"
  225. postmapfiles="$postmapfiles sender_access"
  226. _postconf -e "unverified_sender_reject_code = 550"
  227. # Trust recipient verification too
  228. _postconf -e "unverified_recipient_reject_code = 550"
  229. if [ -n "$dovecot_lmtp" ]; then
  230. _postconf -e mailbox_transport=lmtp:unix:private/dovecot-lmtp
  231. _postconf -X mailbox_command
  232. elif [ -n "$dovecot_deliver" ]; then
  233. _postconf -X mailbox_transport
  234. _postconf -e mailbox_command=/usr/lib/dovecot/deliver
  235. else
  236. _postconf -X mailbox_transport
  237. _postconf -X mailbox_command
  238. fi
  239. # outbound opportunistic encryption
  240. _postconf -e smtp_tls_security_level=may
  241. if [ -n "$tls_cert" ]; then
  242. _postconf -e smtp_tls_cert_file="$TLS_CERT"
  243. _postconf -e smtp_tls_key_file="$TLS_KEY"
  244. else
  245. _postconf -X smtp_tls_cert_file
  246. _postconf -X smtp_tls_key_file
  247. fi
  248. _postconf -e smtp_tls_loglevel=1
  249. # enforce TLS trust path towards peers
  250. catallfilesfromotherrealms mailhost | sort | sed 's/^/[/;s/$/]:submission secure/' > "$tempdir/tls_policy"
  251. [ ! -f "$tempdir/tls_policy.addon" ] || cat "$tempdir/tls_policy.addon" >> "$tempdir/tls_policy"
  252. postmapfiles="$postmapfiles tls_policy"
  253. _postconf -e smtp_tls_policy_maps="hash:$confdir/tls_policy"
  254. # inbound opportunistic encryption
  255. if [ -n "$tls_cert" ]; then
  256. _postconf -e smtpd_tls_security_level=may
  257. _postconf -e smtpd_tls_cert_file="$TLS_CERT"
  258. _postconf -e smtpd_tls_key_file="$TLS_KEY"
  259. _postconf -e 'smtpd_tls_loglevel = 1'
  260. _postconf -e 'smtpd_tls_auth_only = yes'
  261. _postconf -e 'smtpd_tls_received_header = yes'
  262. else
  263. _postconf -e smtpd_tls_security_level=none
  264. _postconf -X smtpd_tls_cert_file
  265. _postconf -X smtpd_tls_key_file
  266. _postconf -X smtpd_tls_loglevel
  267. _postconf -X smtpd_tls_auth_only
  268. _postconf -X smtpd_tls_received_header
  269. fi
  270. # Avoid smtpd_tls_CApath or smtpd_tls_CAfile to trick outlook.com
  271. # See <http://postfix.1071664.n5.nabble.com/Problems-with-incoming-mails-from-outlook-com-td78356.html>
  272. _postconf -X smtpd_tls_CApath
  273. _postconf -X smtpd_tls_CAfile
  274. # obsolete TLS-related settings
  275. _postconf -X smtpd_use_tls
  276. _postconf -X smtp_tls_CApath
  277. _postconf -X lmtp_tls_CApath
  278. _postconf -X smtp_tls_CAfile
  279. _postconf -X lmtp_tls_CAfile
  280. _postconf -X smtpd_tls_ask_ccert
  281. _postconf -X smtp_tls_note_starttls_offer
  282. _postconf -X smtpd_tls_session_cache_database
  283. _postconf -X smtpd_tls_session_cache_timeout
  284. _postconf -X smtp_tls_session_cache_database
  285. _postconf -X tls_random_exchange_name
  286. _postconf -X tls_random_source
  287. # submission
  288. # <http://www.postfix.org/SASL_README.html>
  289. # <https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/#using-sasl-with-postfix-submission-port>
  290. if [ -n "$submission" ]; then
  291. _postconf -Me submission/inet='
  292. submission inet n - y - - smtpd
  293. -o syslog_name=postfix/$service_name
  294. -o smtpd_tls_security_level=encrypt
  295. '
  296. _postconf -Me smtps/inet='
  297. smtps inet n - y - - smtpd
  298. -o syslog_name=postfix/$service_name
  299. -o smtpd_tls_wrappermode=yes
  300. -o smtpd_sasl_auth_enable=yes
  301. '
  302. if [ -n "$sasl_inbound" ]; then
  303. _postconf -Pe submission/inet/smtpd_sasl_auth_enable=yes
  304. _postconf -Pe smtps/inet/smtpd_sasl_auth_enable=yes
  305. else
  306. _postconf -PX submission/inet/smtpd_sasl_auth_enable
  307. _postconf -PX smtps/inet/smtpd_sasl_auth_enable
  308. fi
  309. else
  310. _postconf -MX submission/inet
  311. _postconf -MX smtps/inet
  312. fi
  313. if [ -n "$sasl_inbound" ]; then
  314. _postconf -e smtpd_sasl_local_domain='$mydomain'
  315. _postconf -e smtpd_sasl_type=dovecot
  316. _postconf -e smtpd_sasl_path=private/auth
  317. _postconf -e broken_sasl_auth_clients=yes
  318. else
  319. _postconf -X smtpd_sasl_local_domain
  320. _postconf -X smtpd_sasl_type
  321. _postconf -X smtpd_sasl_path
  322. _postconf -X broken_sasl_auth_clients
  323. fi
  324. # obsolete SASL-related settings
  325. _postconf -X smtpd_sasl_auth_enable
  326. _postconf -X smtpd_sasl_security_options
  327. if [ -n "$amavis" ]; then
  328. amavis_maxproc=$(getperlvarfromfile max_servers "$default_amavis_maxproc" amavisd.conf.addon amavis)
  329. _postconf -Me amavisfeed/unix="
  330. amavisfeed unix - - n - $amavis_maxproc lmtp
  331. -o lmtp_data_done_timeout=1200s
  332. -o lmtp_send_xforward_command=yes
  333. -o disable_dns_lookups=yes
  334. -o max_use=$amavis_maxproc
  335. "
  336. _postconf -Me 127.0.0.1:10025/inet='
  337. 127.0.0.1:10025 inet n - n - - smtpd
  338. -o content_filter=
  339. -o local_recipient_maps=
  340. -o relay_recipient_maps=
  341. -o smtpd_restriction_classes=
  342. -o smtpd_delay_reject=no
  343. -o smtpd_client_restrictions=permit_mynetworks,reject
  344. -o smtpd_helo_restrictions=
  345. -o smtpd_sender_restrictions=
  346. -o smtpd_recipient_restrictions=permit_mynetworks,reject
  347. -o smtpd_data_restrictions=reject_unauth_pipelining
  348. -o smtpd_end_of_data_restrictions=
  349. -o mynetworks=127.0.0.0/8
  350. -o smtpd_error_sleep_time=0
  351. -o smtpd_soft_error_limit=1001
  352. -o smtpd_hard_error_limit=1000
  353. -o smtpd_client_connection_count_limit=0
  354. -o smtpd_client_connection_rate_limit=0
  355. -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
  356. '
  357. _postconf -e receive_override_options=no_address_mappings
  358. if [ -n "$dkimproxy" ]; then
  359. _postconf -e 'content_filter = amavisfeed:[127.0.0.1]:10028'
  360. _postconf -Pe pickup/fifo/content_filter=dkimsign:127.0.0.1:10028
  361. if [ -n "$submission" ]; then
  362. _postconf -Pe submission/inet/content_filter='dkimsign:[127.0.0.1]:10028'
  363. _postconf -Pe smtps/inet/content_filter='dkimsign:[127.0.0.1]:10028'
  364. fi
  365. _postconf -Me dkimsign/unix="
  366. dkimsign unix - - n - $dkimproxy_maxproc_out smtp
  367. -o smtp_send_xforward_command=yes
  368. -o smtp_discard_ehlo_keywords=8bitmime,starttls
  369. "
  370. _postconf -Me 127.0.0.1:10029/inet='
  371. 127.0.0.1:10029 inet n - n - - smtpd
  372. -o content_filter=
  373. -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
  374. -o smtpd_helo_restrictions=
  375. -o smtpd_client_restrictions=
  376. -o smtpd_sender_restrictions=
  377. -o smtpd_recipient_restrictions=permit_mynetworks,reject
  378. -o mynetworks=127.0.0.0/8
  379. -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  380. '
  381. else
  382. _postconf -MX dkimsign/unix
  383. _postconf -MX 127.0.0.1:10029/inet
  384. _postconf -e 'content_filter = amavisfeed:[127.0.0.1]:10024'
  385. _postconf -PX pickup/fifo/content_filter
  386. if [ -n "$submission" ]; then
  387. _postconf -PX submission/inet/content_filter
  388. _postconf -PX smtps/inet/content_filter
  389. fi
  390. fi
  391. else
  392. _postconf -MX amavisfeed/unix
  393. _postconf -MX 127.0.0.1:10025/inet
  394. _postconf -X content_filter
  395. _postconf -X receive_override_options
  396. fi
  397. # obsolete settings
  398. _postconf -X max_use
  399. _postconf -MX smtp-amavis/unix
  400. diff -ruNw "$confdir" "$tempdir" || if [ $? -gt 1 ]; then exit $?; else needs_reload="1"; fi
  401. if [ "$force" = "1" ]; then
  402. do_update="y"
  403. elif [ "1" = "$needs_reload" ]; then
  404. echo -n "Above is the intended changes. OK to update (y/N)? "
  405. read do_update
  406. fi
  407. case $do_update in
  408. y|Y)
  409. if [ -f "$tempdir/COMMANDS" ]; then
  410. cat "$tempdir/COMMANDS" | sh -s
  411. fi
  412. rm -f "$tempdir/COMMANDS"
  413. diff -q "$confdir/master.cf" "$tempdir/master.cf" || if [ $? -gt 1 ]; then exit $?; else needs_restart="1"; fi
  414. cp -a -f -t "$confdir" "$tempdir"/*
  415. rm -rf "$tempdir"
  416. for file in $postmapfiles; do
  417. postmap "$confdir/$file"
  418. done
  419. if [ "1" = "$needs_restart" ]; then
  420. service postfix restart
  421. else
  422. service postfix force-reload
  423. fi
  424. if [ "1" = "$needs_reload" ]; then
  425. echo >&2 "Changes applied!"
  426. fi
  427. ;;
  428. *)
  429. if [ "1" = "$needs_reload" ]; then
  430. exit1 "Aborted!"
  431. fi
  432. ;;
  433. esac
  434. if [ "1" != "$needs_reload" ]; then
  435. echo >&2 "No changes needed!"
  436. fi
  437. # Based on this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
  438. # Support for trusted MX backup networks added
  439. # PCRE stuff avoided, as PCRE is only optional on newest Debian packages
  440. # RBLs replaced with those recommended by http://www.antispews.org/
  441. # spam filter based on these: http://www.postfix.org/FILTER_README.html
  442. # https://www.ijs.si/software/amavisd/amavisd-new-docs.html
  443. # TLS based on this: http://www.postfix.org/TLS_README.html
  444. # Here's a convenient overview of different blackholes:
  445. # http://rbls.org/