Add step to restrict client access

2021-03-20 21:53:12 +01:00
parent 936e58c72b
commit b88a69e68b


@@ -34,8 +34,9 @@ step_config() {
echo " Domain: $MAS_DOMAIN" echo " Domain: $MAS_DOMAIN"
elif [ $? -eq 1 ] ; then elif [ $? -eq 1 ] ; then
# Config $CONFIG_FILE_NAME created. Needs modification first # Config $CONFIG_FILE_NAME created. Needs modification first
[ $DRY -eq 0 ] && return 1 [ $DRY -eq 0 ] && return -1
fi fi
return 0
} }
step_1_info() { echo "Update apt repositories"; } step_1_info() { echo "Update apt repositories"; }
@@ -73,11 +74,11 @@ step_4() {
step_5_info() { echo "$mtaName enable submission service"; } step_5_info() { echo "$mtaName enable submission service"; }
step_5() { step_5() {
echo -e " [I] Copy following lines...\n" echoseq -e " [I] Copy following lines...\n"
exe cat "$mtaConfSubmission" exe cat "$mtaConfSubmission"
exe read -rep $'\nPress Enter to open the '$mtaConfLoc'/master.cf' exe read -rep $'\nPress Enter to open the '$mtaConfLoc'/master.cf'
exe vi $mtaConfLoc/master.cf exe vi $mtaConfLoc/master.cf
exe echo exe echoseq
exe cat "$mtaConfSmtps" exe cat "$mtaConfSmtps"
exe read -rep $'\nPress Enter to open the '$mtaConfLoc'/master.cf' exe read -rep $'\nPress Enter to open the '$mtaConfLoc'/master.cf'
exe vi $mtaConfLoc/master.cf exe vi $mtaConfLoc/master.cf
@@ -96,97 +97,108 @@ step_6() {
exe postconf "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" exe postconf "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
exe postconf "smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1" exe postconf "smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
echo " [I] Restarting $mtaName" echoseq " [I] Restarting $mtaName"
exe service $mtaName restart exe service $mtaName restart
} }
step_7_info() { echo "Install $mdaName"; } step_7_info() {
echo "Restrict client access"
echoinfo "Mainly PTR record check"
}
step_7() { step_7() {
exe apt install $mdaDeps exe postconf -e "smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname"
echo -e "\n [I] Installed version: $(dovecot --version)"
} }
step_8_info() { step_8_info() { echo "Install $mdaName"; }
step_8() {
exe apt install $mdaDeps
echoseq -e "\n [I] Installed version: $(dovecot --version)"
}
step_9_info() {
echo "Configure $mdaName" echo "Configure $mdaName"
} }
step_8() { step_9() {
echo "# Configuring Mailbox Location" outColor green
echo " [/etc/dovecot/conf.d/10-mail.conf]" cat <<MDA_EOF
echo " mail_location = maildir:~/Maildir" # Configuring Mailbox Location
echo " mail_privileged_group = mail" [/etc/dovecot/conf.d/10-mail.conf]
echo mail_location = maildir:~/Maildir
echo " usermod -aG mail dovecot" mail_privileged_group = mail
echo
echo "# Configuring Authentication Mechanism" usermod -aG mail dovecot
echo " [/etc/dovecot/conf.d/10-auth.conf]"
echo " disable_plaintext_auth = yes" # Configuring Authentication Mechanism
echo " # Login with full mail address" [/etc/dovecot/conf.d/10-auth.conf]
echo " auth_username_format = %n" disable_plaintext_auth = yes
echo " # "login" to support older mail clients" # Login with full mail address
echo " auth_mechanisms = plain login" auth_username_format = %n
echo # "login" to support older mail clients
echo "# Configure SSL/TLS Encryption" auth_mechanisms = plain login
echo " [/etc/dovecot/conf.d/10-ssl.conf]"
echo " ssl = required" # Configure SSL/TLS Encryption
echo " ssl_cert = </etc/letsencrypt/live/$MAS_DOMAIN/fullchain.pem" [/etc/dovecot/conf.d/10-ssl.conf]
echo " ssl_key = </etc/letsencrypt/live/$MAS_DOMAIN/privkey.pem" ssl = required
echo " ssl_min_protocol = TLSv1.2" ssl_cert = </etc/letsencrypt/live/$MAS_DOMAIN/fullchain.pem
echo " ssl_prefer_server_ciphers = yes" ssl_key = </etc/letsencrypt/live/$MAS_DOMAIN/privkey.pem
echo " ssl_dh = </etc/dovecot/dh.pem" ssl_min_protocol = TLSv1.2
echo ssl_prefer_server_ciphers = yes
echo " openssl dhparam -out /etc/dovecot/dh.pem 4096" ssl_dh = </etc/dovecot/dh.pem
echo
echo "# SASL Authentication Between Postfix and Dovecot" openssl dhparam -out /etc/dovecot/dh.pem 4096
echo " [/etc/dovecot/conf.d/10-master.conf]"
echo " # Add to service auth {" # SASL Authentication Between Postfix and Dovecot
echo " service auth {" [/etc/dovecot/conf.d/10-master.conf]
echo " unix_listener /var/spool/postfix/private/auth {" # Add to service auth {
echo " mode = 0600" service auth {
echo " user = postfix" unix_listener /var/spool/postfix/private/auth {
echo " group = postfix" mode = 0600
echo " }" user = postfix
echo " }" group = postfix
echo }
echo "# Auto-subscribe Drafts, Sent, Junk and Trash Folder" }
echo " and auto delete after 30 days"
echo " [/etc/dovecot/conf.d/15-mailboxes.conf]" # Auto-subscribe Drafts, Sent, Junk and Trash Folder
echo " # Add \"auto = create\" to folder e.g.:" and auto delete after 30 days
echo " mailbox Trash {" [/etc/dovecot/conf.d/15-mailboxes.conf]
echo " auto = subscribe" # Add "auto = create" to folder e.g.:
echo " autoexpunge = 30d" mailbox Trash {
echo " special_use = \\Trash" auto = subscribe
echo " }" autoexpunge = 30d
echo special_use = \\Trash
echo "# Using Dovecot to Deliver Email to Message Store" }
echo " Make sure lmtp protocol is installed with dovecot-lmtp"
echo " [/etc/dovecot/conf.d/10-master.conf]" # Using Dovecot to Deliver Email to Message Store
echo " # Change lmtp service definition to:" Make sure lmtp protocol is installed with dovecot-lmtp
echo " service lmtp {" [/etc/dovecot/conf.d/10-master.conf]
echo " unix_listener /var/spool/postfix/private/dovecot-lmtp {" # Change lmtp service definition to:
echo " mode = 0600" service lmtp {
echo " user = postfix" unix_listener /var/spool/postfix/private/dovecot-lmtp {
echo " group = postfix" mode = 0600
echo " }" user = postfix
echo " }" group = postfix
echo }
echo " postconf -e \"mailbox_transport = lmtp:unix:private/dovecot-lmtp\"" }
echo " postconf -e \"smtputf8_enable = no\""
echo postconf -e "mailbox_transport = lmtp:unix:private/dovecot-lmtp"
echo "# Clean outgoing mail header from sensitiv information" postconf -e "smtputf8_enable = no"
echo " [/etc/postfix/master.cf]"
echo " smtps inet n - y - - smtpd" # Clean outgoing mail header from sensitiv information
echo " [...]" [/etc/postfix/master.cf]
echo " -o cleanup_service_name=headclean" smtps inet n - y - - smtpd
echo " #add below \"cleanup\"" [...]
echo " headclean unix n - - - 0 cleanup" -o cleanup_service_name=headclean
echo " -o header_checks=regexp:/etc/postfix/sender_header_checks" #add below "cleanup"
echo headclean unix n - - - 0 cleanup
echo " [/etc/postfix/sender_header_checks]" -o header_checks=regexp:/etc/postfix/sender_header_checks
echo " /^Received:/ IGNORE"
echo " /^X-PHP-Originating-Script:/ IGNORE" [/etc/postfix/sender_header_checks]
echo " /^X-Originating-IP:/ IGNORE" /^Received:/ IGNORE
echo " /^X-Mailer:/ IGNORE" /^X-PHP-Originating-Script:/ IGNORE
echo " /^User-Agent:/ IGNORE" /^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^User-Agent:/ IGNORE
MDA_EOF
} }
step_20_info() { step_20_info() {
@@ -223,7 +235,7 @@ step_21() {
for mtaFile in ${mtaMysqlFiles[@]} for mtaFile in ${mtaMysqlFiles[@]}
do do
eval 'mtaVar=$MAS_'${mtaFile} eval 'mtaVar=$MAS_'${mtaFile}
echo " [I] creating ${mtaFile}.cf" echoseq " [I] creating ${mtaFile}.cf"
exe echo -e "$localMysqlUser\n$mtaVar" > "$mtaMysqlConfLoc/${mtaFile}.cf" exe echo -e "$localMysqlUser\n$mtaVar" > "$mtaMysqlConfLoc/${mtaFile}.cf"
done done
@@ -255,7 +267,7 @@ step_23() {
exe chown -R ${MAS_VIRTUAL_USER}: "$MAS_VIRTUAL_FOLDER_BASE" exe chown -R ${MAS_VIRTUAL_USER}: "$MAS_VIRTUAL_FOLDER_BASE"
exe chmod -R 770 "$MAS_VIRTUAL_FOLDER_BASE" exe chmod -R 770 "$MAS_VIRTUAL_FOLDER_BASE"
echo " [I] Restarting $mtaName" echoseq " [I] Restarting $mtaName"
exe service $mtaName restart exe service $mtaName restart
} }
@@ -331,7 +343,7 @@ step_50() {
exe postconf -e "smtp_sasl_password_maps = hash:$saslPassFile" exe postconf -e "smtp_sasl_password_maps = hash:$saslPassFile"
addConf -s "$MAS_RELAYHOST $MAS_RELAYUSER:$MAS_RELAYPASS" "$saslPassFile" addConf -s "$MAS_RELAYHOST $MAS_RELAYUSER:$MAS_RELAYPASS" "$saslPassFile"
fi fi
echo " [I] Updating $saslPassFile" echoseq " [I] Updating $saslPassFile"
exe postmap "$saslPassFile" exe postmap "$saslPassFile"
} }
saslPassFile="$mtaConfLoc/sasl_password" saslPassFile="$mtaConfLoc/sasl_password"
@@ -350,7 +362,7 @@ step_52() {
echo " smtpd_relay_restrictions =" echo " smtpd_relay_restrictions ="
echo " check_client_access hash:$mtaClientAccessLoc" echo " check_client_access hash:$mtaClientAccessLoc"
fi fi
echo " [I] Updating $mtaClientAccessLoc" echoseq " [I] Updating $mtaClientAccessLoc"
exe postmap "$mtaClientAccessLoc" exe postmap "$mtaClientAccessLoc"
} }
mtaClientAccessLoc="$mtaConfLoc/client_access" mtaClientAccessLoc="$mtaConfLoc/client_access"
@@ -361,14 +373,14 @@ step_54_info() {
step_54_alias() { ALIAS="recipient_access"; } step_54_alias() { ALIAS="recipient_access"; }
step_54() { step_54() {
if [ ! -f "$mtaRecipientAccessLoc" ] ; then if [ ! -f "$mtaRecipientAccessLoc" ] ; then
echo " [I] Generating $mtaRecipientAccessLoc" echoseq " [I] Generating $mtaRecipientAccessLoc"
exep "echo \"# unwanted@${MAS_DOMAIN} 550 No mailbox. Nothing to see here.\" > \"$mtaRecipientAccessLoc\"" exep "echo \"# unwanted@${MAS_DOMAIN} 550 No mailbox. Nothing to see here.\" > \"$mtaRecipientAccessLoc\""
echo " [I] Don't forget to add the following" echo " [I] Don't forget to add the following"
echo " [$mtaConfLoc/main.cf]" echo " [$mtaConfLoc/main.cf]"
echo " smtpd_recipient_restrictions =" echo " smtpd_recipient_restrictions ="
echo " check_recipient_access hash:$mtaRecipientAccessLoc" echo " check_recipient_access hash:$mtaRecipientAccessLoc"
fi fi
echo " [I] Updating $mtaRecipientAccessLoc" echoseq " [I] Updating $mtaRecipientAccessLoc"
exe postmap "$mtaRecipientAccessLoc" exe postmap "$mtaRecipientAccessLoc"
} }
mtaRecipientAccessLoc="$mtaConfLoc/recipient_access" mtaRecipientAccessLoc="$mtaConfLoc/recipient_access"
@@ -377,7 +389,7 @@ step_56_info() { echo "Add sender dependant relay with authentication"; }
step_56_alias() { ALIAS="sender_relay"; } step_56_alias() { ALIAS="sender_relay"; }
step_56() { step_56() {
if [ ! -f "$mtaSenderRelayLoc" ] ; then if [ ! -f "$mtaSenderRelayLoc" ] ; then
echo " [I] Generating $mtaSenderRelayLoc" echoseq " [I] Generating $mtaSenderRelayLoc"
exep "echo \"# user@extern.com smtp:[mail.extern.com]:587\" > \"$mtaSenderRelayLoc\"" exep "echo \"# user@extern.com smtp:[mail.extern.com]:587\" > \"$mtaSenderRelayLoc\""
exe postconf -e "smtp_sender_dependent_authentication = yes" exe postconf -e "smtp_sender_dependent_authentication = yes"
exe postconf -e "sender_dependent_relayhost_maps = hash:$mtaSenderRelayLoc" exe postconf -e "sender_dependent_relayhost_maps = hash:$mtaSenderRelayLoc"
@@ -390,7 +402,7 @@ step_56() {
echo " user@extern.com username:passwort" echo " user@extern.com username:passwort"
echo " postmap $saslPassFile" echo " postmap $saslPassFile"
fi fi
echo " [I] Updating $mtaSenderRelayLoc" echoseq " [I] Updating $mtaSenderRelayLoc"
exe postmap "$mtaSenderRelayLoc" exe postmap "$mtaSenderRelayLoc"
exe postmap "$saslPassFile" exe postmap "$saslPassFile"
} }
@@ -450,5 +462,5 @@ step_104() {
exe postsuper -d "$msgId" exe postsuper -d "$msgId"
} }
VERSION_SEQREV=11 VERSION_SEQREV=12
. /usr/local/bin/sequencer.sh . /usr/local/bin/sequencer.sh
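Review bot: The new `step_7` in hunk `@@ -96,97 +97,108 @@` sets `smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname` with no `permit_sasl_authenticated` entry, so with Postfix's default (delayed) evaluation an authenticated client connecting from an address without forward-confirmed reverse DNS — a typical residential or mobile connection — is rejected too, unless the submission/smtps entries copied into master.cf in step_5 override the list; the page does not show what `$mtaConfSubmission` contains, so this may or may not be covered. Consider `exe postconf -e "smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname"`, and have the step's info text say that `reject_unknown_client_hostname` requires the PTR name to resolve back to the connecting IP (stricter than `reject_unknown_reverse_client_hostname`) and answers with a temporary 450 when the DNS lookup itself fails, so mail from senders with broken DNS is deferred rather than accepted. `postconf -e` also replaces any `smtpd_client_restrictions` value already present in main.cf rather than merging it; if the script's other steps or an operator have set that parameter, a comment above the line should say the list is overwritten. Separately, in hunk `@@ -34,8 +34,9 @@` the change `[ $DRY -eq 0 ] && return -1` makes `step_config` return 255 (exit status is truncated to 8 bits) and some shells reject a negative `return` argument as an invalid option; a positive code such as `return 2` is safer if the caller (outside this hunk) needs to tell this case apart from `return 1`.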