SimpleMailserver/install.sh
2022-07-18 00:37:16 -05:00

355 lines
No EOL
13 KiB
Bash
Executable file

#!/bin/bash
if [[ $(id -u) -ne 0 ]]; then
echo "This script requires root (sudo) to install packages"
exit 1
fi
while :
do
# Read variables before starting
read -ep "Enter domain name: " DOMAIN_NAME
if [[ -z "$DOMAIN_NAME" ]]; then
echo "Please enter domain name"
continue
fi
read -ep "Enter mail subdomain (mail.${DOMAIN_NAME}): " MAIL_SUBDOMAIN \
&& [[ -z "$MAIL_SUBDOMAIN" ]] && MAIL_SUBDOMAIN="mail.${DOMAIN_NAME}"
read -ep "Enter admin user, must be existing user: " ADMIN_USER
if [[ -z "$ADMIN_USER" || $(id -u $ADMIN_USER > /dev/null 2>&1 ; echo $?) -ne 0 ]]; then
echo "Please enter valid user"
continue
fi
read -ep "Enter certbot email (${ADMIN_USER}@${DOMAIN_NAME}): " CERTBOT_EMAIL \
&& [[ -z "$CERTBOT_EMAIL" ]] && CERTBOT_EMAIL="${ADMIN_USER}@${DOMAIN_NAME}"
read -ep "Enter Gmail email for relay: " GOOGLE_EMAIL
if [[ -z "$GOOGLE_EMAIL" ]]; then
echo "Please enter Gmail email"
continue
fi
read -ep "Enter Google app password for relay: " APP_PASSWORD
if [[ -z "$APP_PASSWORD" ]]; then
echo "Please enter Google app password"
continue
fi
SETTINGS_CONFIRM="Chosen settings:
Domain: ${DOMAIN_NAME},
Mail subdomain: ${MAIL_SUBDOMAIN},
Admin email: ${ADMIN_USER}@${DOMAIN_NAME}
Certbot email: ${CERTBOT_EMAIL}
Gmail email: ${GOOGLE_EMAIL}
App password: ${APP_PASSWORD}
Is this ok [y/n]? "
# Prompt user for these settings and continue if ok
read -ep "$SETTINGS_CONFIRM" SETTINGS_OK
if [[ $SETTINGS_OK == "y" || $SETTINGS_OK == "Y" ]]; then
break
fi
done
# Update package repositories
echo "----- Updating package repositories -----"
apt-get update > /dev/null
apt-get upgrade > /dev/null
# Install UFW (firewall)
echo "----- Installing UFW -----"
apt-get install ufw -y > /dev/null
# Install certbot, involved configuration
echo "----- Installing certbot -----"
apt-get install snapd -y > /dev/null
snap install core > /dev/null
snap install --classic certbot > /dev/null
ln -s /snap/bin/certbot /usr/bin/certbot > /dev/null
# Create certificate
echo "----- Creating SSL certificate -----"
sudo certbot certonly --standalone --non-interactive \
--domains $MAIL_SUBDOMAIN --agree-tos -m $CERTBOT_EMAIL > /dev/null
if [[ $? -ne 0 ]]; then
echo "Certbot failed, check that you have AAAA records for ${MAIL_SUBDOMAIN}"
exit 1
fi
# Install postfix
echo "----- Installing postfix -----"
apt-get remove exim4 > /dev/null
debconf-set-selections <<< "postfix postfix/mailname string ${DOMAIN_NAME}"
debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
apt-get install postfix libsasl2-modules -y > /dev/null
systemctl stop postfix > /dev/null
# Change postfix master.cf and main.cf configurations
echo "----- Creating configuration files -----"
MASTER_CF_CONTENTS="#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: \"man 5 master\" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute \"postfix reload\" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=\$mua_client_restrictions
-o smtpd_helo_restrictions=\$mua_helo_restrictions
-o smtpd_sender_restrictions=\$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=\$mua_client_restrictions
-o smtpd_helo_restrictions=\$mua_helo_restrictions
-o smtpd_sender_restrictions=\$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/\$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about \${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRXhu user=vmail argv=/usr/bin/maildrop -d \${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing \"lmtp\" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd=\"lmtpd -a\" listen=\"localhost:lmtp\" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r \${sender} -m \${extension} \${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m \${extension} \${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a\$sender - \$nexthop!rmail (\$recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r \$nexthop (\$recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t\$nexthop -f\$sender \$recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store \${nexthop} \${user} \${extension}
mailman unix - n n - - pipe
flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py \${nexthop} \${user}
"
echo "$MASTER_CF_CONTENTS" > /etc/postfix/master.cf
MAIN_CF_CONTENTS="
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = \$myhostname ESMTP \$mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate \"delayed mail\" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/$MAIL_SUBDOMAIN/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/$MAIL_SUBDOMAIN/privkey.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = $MAIL_SUBDOMAIN
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = \$myhostname, $DOMAIN_NAME, localhost, localhost.localdomain, localhost
relayhost = [smtp.gmail.com]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
smtpd_restriction_classes = mua_sender_restrictions, mua_client_restrictions, mua_helo_restrictions
mua_client_restrictions = permit_sasl_authenticated, reject
mua_sender_restrictions = permit_sasl_authenticated, reject
mua_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
"
echo "$MAIN_CF_CONTENTS" > /etc/postfix/main.cf
# Add aliases
ETC_ALIASES_CONTENTS="
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
root: $ADMIN_USER
"
echo "$ETC_ALIASES_CONTENTS" > /etc/aliases
newaliases
# Add Google app password to access relay
SASL_PASSWORD_CONTENTS="
[smtp.gmail.com]:587 $GOOGLE_EMAIL:$APP_PASSWORD
"
echo "$SASL_PASSWORD_CONTENTS" > /etc/postfix/sasl/sasl_passwd
postmap /etc/postfix/sasl/sasl_passwd
chown root:root /etc/postfix/sasl/sasl_passwd /etc/postfix/sasl/sasl_passwd.db
chmod 0600 /etc/postfix/sasl/sasl_passwd /etc/postfix/sasl/sasl_passwd.db
rm /etc/postfix/sasl/sasl_passwd
# Install dovecot
echo "----- Installing dovecot -----"
apt-get install dovecot-core dovecot-imapd dovecot-pop3d > /dev/null
DOVECOT_CONF_CONTENTS="
disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = mbox:~/mail:INBOX=/var/mail/%u
userdb {
driver = passwd
}
passdb {
args = %s
driver = pam
}
protocols = \"imap pop3\"
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
ssl=required
ssl_cert = </etc/letsencrypt/live/$MAIL_SUBDOMAIN/fullchain.pem
ssl_key = </etc/letsencrypt/live/$MAIL_SUBDOMAIN/privkey.pem
"
echo "$DOVECOT_CONF_CONTENTS" > /etc/dovecot/dovecot.conf
# Verify hostname is set correctly, can default to localhost otherwise, breaking mail
hostnamectl set-hostname $DOMAIN_NAME
# Open firewall
echo "----- Opening firewall -----"
ufw allow Postfix > /dev/null
ufw allow "Postfix SMTPS" > /dev/null
ufw allow "Postfix Submission" > /dev/null
ufw allow "Dovecot IMAP" > /dev/null
ufw allow "Dovecot Secure IMAP" > /dev/null
# Start services
echo "----- Starting services -----"
postfix start > /dev/null
service dovecot restart > /dev/null