postfix/postfix.sh



#!/bin/bash
#
# /etc/local-COMMON/postfix/postfix.sh
# Copyright 2002 Jonas Smedegaard <dr@jones.dk>
#
# $Id: postfix.sh,v 1.13 2003-03-18 11:14:29 jonas Exp $
#
# Auto-tweak plain installed postfix Debian package
#
# TODO: Check for postfix 2.0 and include improve RBL logic with new
# options reject_rhsbl_sender and default_rbl_reply
#
# TODO: Implement stuff from here: http://www.wsrcc.com/spam/
#
# TODO: Figure out a way to use chroot jail for TLS stuff.

set -e

paramdir='/etc/local-COMMON/postfix'
confdir='/etc/postfix'
postconf=/usr/sbin/postconf
sp='[[:space:]]'
pf2=
if $postconf -d mail_version | grep -q '= 2'; then
    pf2=1
fi

function getlinesfromfile() {
    param="$1"
    echo -n "$param = "
    cat $paramdir/$param | grep -v '^#' | sed 's/#.*//' | tr '\n' ',' | sed -e 's/^[, ]*//' -e 's/[, ]\+/,/g' -e 's/,$//'
}

# Some badly configured setup use hostname instead of FQDN
if $postconf myhostname | grep -q '\.'; then
    $postconf -e 'smtpd_helo_required = yes'
fi
$postconf -e "`getlinesfromfile permit_mx_backup_networks`"
if [ "$pf2" ]; then
    rbl_domains="`getlinesfromfile maps_rbl_domains | sed -e 's/.*=[ ]*//' -e 's/,/ /g'`"
    rbl_domain_line=
    for rbl_domain in $rbl_domains; do
        rbl_domain_line="${rbl_domain_line}reject_rbl_client $rbl_domain,"
    done
    recipient_restrictions="`getlinesfromfile smtpd_recipient_restrictions | sed 's/.*=[ ]*//' | sed \"s/reject_maps_rbl/$rbl_domain_line/\"`"
    $postconf -e "maps_rbl_domains ="
    $postconf -e "smtpd_recipient_restrictions = $recipient_restrictions"
else
    $postconf -e "`getlinesfromfile maps_rbl_domains`"
    $postconf -e "`getlinesfromfile smtpd_recipient_restrictions`"
fi

# TLS breaks postfix if no SASL modules available (and doesn't make sense either)
# (change the test if using some other modules and avoid the plain ones)
if [ -f /usr/lib/postfix/tlsmgr -a -f /usr/lib/sasl/libplain.so -a -f /etc/ssl/certs/postfix.pem ]; then
    mkdir -p $confdir/sasl
    echo 'pwcheck_method: pam' >$confdir/sasl/smtpd.conf
    echo 'auto_transition: false' >>$confdir/sasl/smtpd.conf
    groups postfix | grep -q shadow || adduser postfix shadow
    # Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy)
    cp -a $confdir/master.cf $confdir/master.cf.old
    cat $confdir/master.cf.old | sed \
        -e "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \
        -e "s/^#\?\(\(smtps\|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \
        -e "s/^#\(tlsmgr$sp\)/\1/" \
        > $confdir/master.cf
    cat $confdir/master.cf | egrep -q "^tlsmgr$sp" || \
        echo 'tlsmgr      fifo  -   -   -   300 1   tlsmgr' >> $confdir/master.cf
    $postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem'
    if [ -f /etc/ssl/private/postfix.pem ]; then
        $postconf -e 'smtpd_tls_key_file = /etc/ssl/private/postfix.pem'
    fi
    $postconf -e 'smtpd_tls_loglevel = 1'
    $postconf -e 'smtpd_use_tls = yes'
    $postconf -e 'smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache'
    $postconf -e 'smtpd_tls_auth_only = yes'
    $postconf -e 'smtpd_sasl_auth_enable = no'
    $postconf -e 'smtpd_sasl_security_options = noanonymous'
    $postconf -e 'smtpd_sasl_local_domain = $myhostname'
    $postconf -e 'smtpd_tls_received_header = yes'
    $postconf -e 'broken_sasl_auth_clients = yes'
    $postconf -e 'tls_random_source = dev:/dev/urandom'
    $postconf -e 'tls_daemon_random_source = dev:/dev/urandom'
    # Check if using a proper key exists (not just a self-signed one)
    # (it is assumed that a CA certificate is made public if used!)
    if [ -f /etc/ssl/certs/cacert.pem ]; then
        $postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
        # Client side TLS only makes sense if a publicly available certificate is available
        # (and DON'T publish a self-signed certificate!)
        $postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/cacert.pem'
        $postconf -e 'smtp_tls_cert_file = /etc/ssl/certs/postfix.pem'
        if [ -f /etc/ssl/private/postfix.pem ]; then
            $postconf -e 'smtp_tls_key_file = /etc/ssl/private/postfix.pem'
        fi
        $postconf -e 'smtp_tls_loglevel = 1'
        $postconf -e 'smtp_use_tls = yes'
        $postconf -e 'smtp_tls_CApath = /etc/ssl/certs'
        $postconf -e 'smtp_tls_note_starttls_offer = no' # Enable to collect info for smtp_tls_per_site option
        $postconf -e 'smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache'
        # This makes Netscape ask for a certificate, so make sure it IS public!
        $postconf -e 'smtpd_tls_ask_ccert = yes'
    fi
else
    echo 'TLS not activated - check the script for requirements...'
fi

if [ -x /usr/sbin/amavisd ]; then
    cat $confdir/master.cf | egrep -q "^smtp-amavis$sp" || \
        echo 'smtp-amavis unix -    -   n   -   2   smtp -o smtp_data_done_timeout=1200s -o smtp_never_send_ehlo=yes -o disable_dns_lookups=yes' >> $confdir/master.cf
    cat $confdir/master.cf | egrep -q "^127.0.0.1:10025$sp" || \
        echo '127.0.0.1:10025 inet n    -   n   -   -   smtpd -o content_filter= -o local_recipient_maps= -o smtpd_helo_restrictions= -o smtpd_client_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8' >> $confdir/master.cf
    $postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'
fi

/etc/init.d/postfix reload

# Based on this: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
# Support for trusted MX backup networks added
# PCRE stuff avoided, as PCRE is only optional on newest Debian packages
# RBLs replaced with those recommended by http://www.antispews.org/

# Here's a convenient overview of different blackholes:
#   http://rbls.org/

# smtpd_tls_CAfile