Add step to restrict client access

seqs/mailserver.sh

@@ -34,8 +34,9 @@ step_config() {
     echo "     Domain: $MAS_DOMAIN"
   elif [ $? -eq 1 ] ; then
     # Config $CONFIG_FILE_NAME created. Needs modification first
-    [ $DRY -eq 0 ] && return 1
+    [ $DRY -eq 0 ] && return -1
   fi
+  return 0
 }
 
 step_1_info() { echo "Update apt repositories"; }
@@ -73,11 +74,11 @@ step_4() {
 
 step_5_info() { echo "$mtaName enable submission service"; }
 step_5() {
-  echo -e " [I] Copy following lines...\n"
+  echoseq -e " [I] Copy following lines...\n"
   exe cat "$mtaConfSubmission"
   exe read -rep $'\nPress Enter to open the '$mtaConfLoc'/master.cf'
   exe vi $mtaConfLoc/master.cf
-  exe echo
+  exe echoseq
   exe cat "$mtaConfSmtps"
   exe read -rep $'\nPress Enter to open the '$mtaConfLoc'/master.cf'
   exe vi $mtaConfLoc/master.cf
@@ -96,97 +97,108 @@ step_6() {
   exe postconf "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
   exe postconf "smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
 
-  echo " [I] Restarting $mtaName"
+  echoseq " [I] Restarting $mtaName"
   exe service $mtaName restart
 }
 
-step_7_info() { echo "Install $mdaName"; }
+step_7_info() {
+  echo "Restrict client access"
+  echoinfo "Mainly PTR record check"
+}
 step_7() {
-  exe apt install $mdaDeps
-  echo -e "\n [I] Installed version: $(dovecot --version)"
+  exe postconf -e "smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname"
 }
 
-step_8_info() {
+step_8_info() { echo "Install $mdaName"; }
+step_8() {
+  exe apt install $mdaDeps
+  echoseq -e "\n [I] Installed version: $(dovecot --version)"
+}
+
+step_9_info() {
   echo "Configure $mdaName"
 }
-step_8() {
-  echo "# Configuring Mailbox Location"
-  echo "  [/etc/dovecot/conf.d/10-mail.conf]"
-  echo "   mail_location = maildir:~/Maildir"
-  echo "   mail_privileged_group = mail"
-  echo
-  echo "  usermod -aG mail dovecot"
-  echo
-  echo "# Configuring Authentication Mechanism"
-  echo "  [/etc/dovecot/conf.d/10-auth.conf]"
-  echo "   disable_plaintext_auth = yes"
-  echo "   # Login with full mail address"
-  echo "   auth_username_format = %n"
-  echo "   # "login" to support older mail clients"
-  echo "   auth_mechanisms = plain login"
-  echo
-  echo "# Configure SSL/TLS Encryption"
-  echo "  [/etc/dovecot/conf.d/10-ssl.conf]"
-  echo "   ssl = required"
-  echo "   ssl_cert = </etc/letsencrypt/live/$MAS_DOMAIN/fullchain.pem"
-  echo "   ssl_key = </etc/letsencrypt/live/$MAS_DOMAIN/privkey.pem"
-  echo "   ssl_min_protocol = TLSv1.2"
-  echo "   ssl_prefer_server_ciphers = yes"
-  echo "   ssl_dh = </etc/dovecot/dh.pem"
-  echo
-  echo "   openssl dhparam -out /etc/dovecot/dh.pem 4096"
-  echo
-  echo "# SASL Authentication Between Postfix and Dovecot"
-  echo "  [/etc/dovecot/conf.d/10-master.conf]"
-  echo "   # Add to service auth {"
-  echo "   service auth {"
-  echo "     unix_listener /var/spool/postfix/private/auth {"
-  echo "       mode = 0600"
-  echo "       user = postfix"
-  echo "       group = postfix"
-  echo "     }"
-  echo "   }"
-  echo
-  echo "# Auto-subscribe Drafts, Sent, Junk and Trash Folder"
-  echo "  and auto delete after 30 days"
-  echo "  [/etc/dovecot/conf.d/15-mailboxes.conf]"
-  echo "   # Add \"auto = create\" to folder e.g.:"
-  echo "   mailbox Trash {"
-  echo "     auto = subscribe"
-  echo "     autoexpunge = 30d"
-  echo "     special_use = \\Trash"
-  echo "   }"
-  echo
-  echo "# Using Dovecot to Deliver Email to Message Store"
-  echo "  Make sure lmtp protocol is installed with dovecot-lmtp"
-  echo "  [/etc/dovecot/conf.d/10-master.conf]"
-  echo "   # Change lmtp service definition to:"
-  echo "   service lmtp {"
-  echo "     unix_listener /var/spool/postfix/private/dovecot-lmtp {"
-  echo "       mode = 0600"
-  echo "       user = postfix"
-  echo "       group = postfix"
-  echo "     }"
-  echo "   }"
-  echo
-  echo "  postconf -e \"mailbox_transport = lmtp:unix:private/dovecot-lmtp\""
-  echo "  postconf -e \"smtputf8_enable = no\""
-  echo
-  echo "# Clean outgoing mail header from sensitiv information"
-  echo "  [/etc/postfix/master.cf]"
-  echo "   smtps     inet  n       -       y       -       -       smtpd"
-  echo "   [...]"
-  echo "    -o cleanup_service_name=headclean"
-  echo "   #add below \"cleanup\""
-  echo "   headclean unix n    -       -       -       0       cleanup"
-  echo "    -o header_checks=regexp:/etc/postfix/sender_header_checks"
-  echo
-  echo "  [/etc/postfix/sender_header_checks]"
-  echo "   /^Received:/                  IGNORE"
-  echo "   /^X-PHP-Originating-Script:/  IGNORE"
-  echo "   /^X-Originating-IP:/          IGNORE"
-  echo "   /^X-Mailer:/                  IGNORE"
-  echo "   /^User-Agent:/                IGNORE"
+step_9() {
+  outColor green
+  cat <<MDA_EOF
+# Configuring Mailbox Location
+  [/etc/dovecot/conf.d/10-mail.conf]
+   mail_location = maildir:~/Maildir
+   mail_privileged_group = mail
+
+  usermod -aG mail dovecot
+
+# Configuring Authentication Mechanism
+  [/etc/dovecot/conf.d/10-auth.conf]
+   disable_plaintext_auth = yes
+   # Login with full mail address
+   auth_username_format = %n
+   # "login" to support older mail clients
+   auth_mechanisms = plain login
+
+# Configure SSL/TLS Encryption
+  [/etc/dovecot/conf.d/10-ssl.conf]
+   ssl = required
+   ssl_cert = </etc/letsencrypt/live/$MAS_DOMAIN/fullchain.pem
+   ssl_key = </etc/letsencrypt/live/$MAS_DOMAIN/privkey.pem
+   ssl_min_protocol = TLSv1.2
+   ssl_prefer_server_ciphers = yes
+   ssl_dh = </etc/dovecot/dh.pem
+
+   openssl dhparam -out /etc/dovecot/dh.pem 4096
+
+# SASL Authentication Between Postfix and Dovecot
+  [/etc/dovecot/conf.d/10-master.conf]
+   # Add to service auth {
+   service auth {
+     unix_listener /var/spool/postfix/private/auth {
+       mode = 0600
+       user = postfix
+       group = postfix
+     }
+   }
+
+# Auto-subscribe Drafts, Sent, Junk and Trash Folder
+  and auto delete after 30 days
+  [/etc/dovecot/conf.d/15-mailboxes.conf]
+   # Add "auto = create" to folder e.g.:
+   mailbox Trash {
+     auto = subscribe
+     autoexpunge = 30d
+     special_use = \\Trash
+   }
+
+# Using Dovecot to Deliver Email to Message Store
+  Make sure lmtp protocol is installed with dovecot-lmtp
+  [/etc/dovecot/conf.d/10-master.conf]
+   # Change lmtp service definition to:
+   service lmtp {
+     unix_listener /var/spool/postfix/private/dovecot-lmtp {
+       mode = 0600
+       user = postfix
+       group = postfix
+     }
+   }
+
+  postconf -e "mailbox_transport = lmtp:unix:private/dovecot-lmtp"
+  postconf -e "smtputf8_enable = no"
+
+# Clean outgoing mail header from sensitiv information
+  [/etc/postfix/master.cf]
+   smtps     inet  n       -       y       -       -       smtpd
+   [...]
+    -o cleanup_service_name=headclean
+   #add below "cleanup"
+   headclean unix n    -       -       -       0       cleanup
+    -o header_checks=regexp:/etc/postfix/sender_header_checks
+
+  [/etc/postfix/sender_header_checks]
+   /^Received:/                  IGNORE
+   /^X-PHP-Originating-Script:/  IGNORE
+   /^X-Originating-IP:/          IGNORE
+   /^X-Mailer:/                  IGNORE
+   /^User-Agent:/                IGNORE
+MDA_EOF
 }
 
 step_20_info() { 
@@ -223,7 +235,7 @@ step_21() {
   for mtaFile in ${mtaMysqlFiles[@]}
   do
     eval 'mtaVar=$MAS_'${mtaFile}
-    echo " [I] creating ${mtaFile}.cf"
+    echoseq " [I] creating ${mtaFile}.cf"
     exe echo -e "$localMysqlUser\n$mtaVar" > "$mtaMysqlConfLoc/${mtaFile}.cf"
   done
   
@@ -255,7 +267,7 @@ step_23() {
   exe chown -R ${MAS_VIRTUAL_USER}: "$MAS_VIRTUAL_FOLDER_BASE"
   exe chmod -R 770 "$MAS_VIRTUAL_FOLDER_BASE"
 
-  echo " [I] Restarting $mtaName"
+  echoseq " [I] Restarting $mtaName"
   exe service $mtaName restart
 }
 
@@ -331,7 +343,7 @@ step_50() {
     exe postconf -e "smtp_sasl_password_maps = hash:$saslPassFile"
     addConf -s "$MAS_RELAYHOST $MAS_RELAYUSER:$MAS_RELAYPASS" "$saslPassFile"
   fi
-  echo " [I] Updating $saslPassFile"
+  echoseq " [I] Updating $saslPassFile"
   exe postmap "$saslPassFile"
 }
 saslPassFile="$mtaConfLoc/sasl_password"
@@ -350,7 +362,7 @@ step_52() {
     echo "      smtpd_relay_restrictions ="
     echo "          check_client_access hash:$mtaClientAccessLoc"
   fi
-  echo " [I] Updating $mtaClientAccessLoc"
+  echoseq " [I] Updating $mtaClientAccessLoc"
   exe postmap "$mtaClientAccessLoc"
 }
 mtaClientAccessLoc="$mtaConfLoc/client_access"
@@ -361,14 +373,14 @@ step_54_info() {
 step_54_alias() { ALIAS="recipient_access"; }
 step_54() {
   if [ ! -f "$mtaRecipientAccessLoc" ] ; then
-    echo " [I] Generating $mtaRecipientAccessLoc"
+    echoseq " [I] Generating $mtaRecipientAccessLoc"
     exep "echo \"# unwanted@${MAS_DOMAIN} 550 No mailbox. Nothing to see here.\" > \"$mtaRecipientAccessLoc\""
     echo " [I] Don't forget to add the following"
     echo "     [$mtaConfLoc/main.cf]"
     echo "      smtpd_recipient_restrictions ="
     echo "          check_recipient_access hash:$mtaRecipientAccessLoc"
   fi
-  echo " [I] Updating $mtaRecipientAccessLoc"
+  echoseq " [I] Updating $mtaRecipientAccessLoc"
   exe postmap "$mtaRecipientAccessLoc"
 }
 mtaRecipientAccessLoc="$mtaConfLoc/recipient_access"
@@ -377,7 +389,7 @@ step_56_info() { echo "Add sender dependant relay with authentication"; }
 step_56_alias() { ALIAS="sender_relay"; }
 step_56() {
   if [ ! -f "$mtaSenderRelayLoc" ] ; then
-    echo " [I] Generating $mtaSenderRelayLoc"
+    echoseq " [I] Generating $mtaSenderRelayLoc"
     exep "echo \"# user@extern.com smtp:[mail.extern.com]:587\" > \"$mtaSenderRelayLoc\""
     exe postconf -e "smtp_sender_dependent_authentication = yes"
     exe postconf -e "sender_dependent_relayhost_maps = hash:$mtaSenderRelayLoc"
@@ -390,7 +402,7 @@ step_56() {
     echo "      user@extern.com username:passwort"
     echo "     postmap $saslPassFile"
   fi
-  echo " [I] Updating $mtaSenderRelayLoc"
+  echoseq " [I] Updating $mtaSenderRelayLoc"
   exe postmap "$mtaSenderRelayLoc"
   exe postmap "$saslPassFile"
 }
@@ -450,5 +462,5 @@ step_104() {
   exe postsuper -d "$msgId"
 }
 
-VERSION_SEQREV=11
+VERSION_SEQREV=12
 . /usr/local/bin/sequencer.sh