Just use the script directly
parent
c96c04b39d
commit
52e9afcf2f
11 changed files with 47 additions and 54 deletions
|
@ -60,7 +60,7 @@ fi
|
||||||
chown -R opendkim:opendkim $STORAGE_ROOT/mail/dkim
|
chown -R opendkim:opendkim $STORAGE_ROOT/mail/dkim
|
||||||
chmod go-rwx $STORAGE_ROOT/mail/dkim
|
chmod go-rwx $STORAGE_ROOT/mail/dkim
|
||||||
|
|
||||||
tools/editconf.py /etc/opendmarc.conf -s \
|
management/editconf.py /etc/opendmarc.conf -s \
|
||||||
"Syslog=true" \
|
"Syslog=true" \
|
||||||
"Socket=inet:8893@[127.0.0.1]"
|
"Socket=inet:8893@[127.0.0.1]"
|
||||||
|
|
||||||
|
@ -76,7 +76,7 @@ tools/editconf.py /etc/opendmarc.conf -s \
|
||||||
# The OpenDMARC milter is skipped in the SMTP submission listener by
|
# The OpenDMARC milter is skipped in the SMTP submission listener by
|
||||||
# configuring smtpd_milters there to only list the OpenDKIM milter
|
# configuring smtpd_milters there to only list the OpenDKIM milter
|
||||||
# (see mail-postfix.sh).
|
# (see mail-postfix.sh).
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
management/editconf.py /etc/postfix/main.cf \
|
||||||
"smtpd_milters=inet:127.0.0.1:8891 inet:127.0.0.1:8893"\
|
"smtpd_milters=inet:127.0.0.1:8891 inet:127.0.0.1:8893"\
|
||||||
non_smtpd_milters=\$smtpd_milters \
|
non_smtpd_milters=\$smtpd_milters \
|
||||||
milter_default_action=accept
|
milter_default_action=accept
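Review bot: The description should record that calling `management/editconf.py` directly changes what the script receives, not only the path. The wrapper deleted in the last section (presumably `tools/editconf.py`) rebuilt the command with `' '.join(argv[1:])` and ran it through `os.system`, so every argument was parsed a second time by a shell and the exit status was dropped. In this section that affects `"smtpd_milters=inet:127.0.0.1:8891 inet:127.0.0.1:8893"` (split at the space) and `non_smtpd_milters=\$smtpd_milters` (expanded by the second shell); the `-c ';'` calls and the `"128;"` and `"TLSv1.2 TLSv1.3;"` values in setup/web.sh would have been cut at the `;`. Hosts provisioned while the wrapper was in place may therefore carry incomplete milter, TLS and PHP settings, so I would add a line such as `Fixes argument re-splitting by the tools/ wrapper; re-run setup and re-check the edited config files` to the message. Each call still depends on the working directory being the repository root, as it did before.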
|
||||||
|
|
|
@ -44,7 +44,7 @@ apt_install \
|
||||||
# See here for discussion:
|
# See here for discussion:
|
||||||
# - https://www.dovecot.org/list/dovecot/2012-August/137569.html
|
# - https://www.dovecot.org/list/dovecot/2012-August/137569.html
|
||||||
# - https://www.dovecot.org/list/dovecot/2011-December/132455.html
|
# - https://www.dovecot.org/list/dovecot/2011-December/132455.html
|
||||||
tools/editconf.py /etc/dovecot/conf.d/10-master.conf \
|
management/editconf.py /etc/dovecot/conf.d/10-master.conf \
|
||||||
default_process_limit=$(echo "`nproc` * 250" | bc) \
|
default_process_limit=$(echo "`nproc` * 250" | bc) \
|
||||||
default_vsz_limit=$(echo "`free -tm | tail -1 | awk '{print $2}'` / 3" | bc)M \
|
default_vsz_limit=$(echo "`free -tm | tail -1 | awk '{print $2}'` / 3" | bc)M \
|
||||||
log_path=/var/log/mail.log
|
log_path=/var/log/mail.log
|
||||||
|
@ -54,13 +54,13 @@ tools/editconf.py /etc/dovecot/conf.d/10-master.conf \
|
||||||
# See http://www.dovecot.org/pipermail/dovecot/2013-March/088834.html.
|
# See http://www.dovecot.org/pipermail/dovecot/2013-March/088834.html.
|
||||||
# A reboot is required for this to take effect (which we don't do as
|
# A reboot is required for this to take effect (which we don't do as
|
||||||
# as a part of setup). Test with `cat /proc/sys/fs/inotify/max_user_instances`.
|
# as a part of setup). Test with `cat /proc/sys/fs/inotify/max_user_instances`.
|
||||||
tools/editconf.py /etc/sysctl.conf \
|
management/editconf.py /etc/sysctl.conf \
|
||||||
fs.inotify.max_user_instances=1024
|
fs.inotify.max_user_instances=1024
|
||||||
|
|
||||||
# Set the location where we'll store user mailboxes. '%d' is the domain name and '%n' is the
|
# Set the location where we'll store user mailboxes. '%d' is the domain name and '%n' is the
|
||||||
# username part of the user's email address. We'll ensure that no bad domains or email addresses
|
# username part of the user's email address. We'll ensure that no bad domains or email addresses
|
||||||
# are created within the management daemon.
|
# are created within the management daemon.
|
||||||
tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \
|
management/editconf.py /etc/dovecot/conf.d/10-mail.conf \
|
||||||
mail_location=maildir:$STORAGE_ROOT/mail/mailboxes/%d/%n \
|
mail_location=maildir:$STORAGE_ROOT/mail/mailboxes/%d/%n \
|
||||||
mail_privileged_group=mail \
|
mail_privileged_group=mail \
|
||||||
first_valid_uid=0
|
first_valid_uid=0
|
||||||
|
@ -73,14 +73,14 @@ cp conf/dovecot-mailboxes.conf /etc/dovecot/conf.d/15-mailboxes.conf
|
||||||
# Require that passwords are sent over SSL only, and allow the usual IMAP authentication mechanisms.
|
# Require that passwords are sent over SSL only, and allow the usual IMAP authentication mechanisms.
|
||||||
# The LOGIN mechanism is supposedly for Microsoft products like Outlook to do SMTP login (I guess
|
# The LOGIN mechanism is supposedly for Microsoft products like Outlook to do SMTP login (I guess
|
||||||
# since we're using Dovecot to handle SMTP authentication?).
|
# since we're using Dovecot to handle SMTP authentication?).
|
||||||
tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
|
management/editconf.py /etc/dovecot/conf.d/10-auth.conf \
|
||||||
disable_plaintext_auth=yes \
|
disable_plaintext_auth=yes \
|
||||||
"auth_mechanisms=plain login"
|
"auth_mechanisms=plain login"
|
||||||
|
|
||||||
# Enable SSL, specify the location of the SSL certificate and private key files.
|
# Enable SSL, specify the location of the SSL certificate and private key files.
|
||||||
# Use Mozilla's "Intermediate" recommendations at https://ssl-config.mozilla.org/#server=dovecot&server-version=2.2.33&config=intermediate&openssl-version=1.1.1,
|
# Use Mozilla's "Intermediate" recommendations at https://ssl-config.mozilla.org/#server=dovecot&server-version=2.2.33&config=intermediate&openssl-version=1.1.1,
|
||||||
# except that the current version of Dovecot does not have a TLSv1.3 setting, so we only use TLSv1.2.
|
# except that the current version of Dovecot does not have a TLSv1.3 setting, so we only use TLSv1.2.
|
||||||
tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
|
management/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
|
||||||
ssl=required \
|
ssl=required \
|
||||||
"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
|
"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
|
||||||
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
|
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
|
||||||
|
@ -102,14 +102,14 @@ sed -i "s/#port = 110/port = 0/" /etc/dovecot/conf.d/10-master.conf
|
||||||
# The risk is that if the connection is silent for too long it might be reset
|
# The risk is that if the connection is silent for too long it might be reset
|
||||||
# by a peer. See [#129](https://github.com/mail-in-a-box/mailinabox/issues/129)
|
# by a peer. See [#129](https://github.com/mail-in-a-box/mailinabox/issues/129)
|
||||||
# and [How bad is IMAP IDLE](http://razor.occams.info/blog/2014/08/09/how-bad-is-imap-idle/).
|
# and [How bad is IMAP IDLE](http://razor.occams.info/blog/2014/08/09/how-bad-is-imap-idle/).
|
||||||
tools/editconf.py /etc/dovecot/conf.d/20-imap.conf \
|
management/editconf.py /etc/dovecot/conf.d/20-imap.conf \
|
||||||
imap_idle_notify_interval="4 mins"
|
imap_idle_notify_interval="4 mins"
|
||||||
|
|
||||||
# Set POP3 UIDL.
|
# Set POP3 UIDL.
|
||||||
# UIDLs are used by POP3 clients to keep track of what messages they've downloaded.
|
# UIDLs are used by POP3 clients to keep track of what messages they've downloaded.
|
||||||
# For new POP3 servers, the easiest way to set up UIDLs is to use IMAP's UIDVALIDITY
|
# For new POP3 servers, the easiest way to set up UIDLs is to use IMAP's UIDVALIDITY
|
||||||
# and UID values, the default in Dovecot.
|
# and UID values, the default in Dovecot.
|
||||||
tools/editconf.py /etc/dovecot/conf.d/20-pop3.conf \
|
management/editconf.py /etc/dovecot/conf.d/20-pop3.conf \
|
||||||
pop3_uidl_format="%08Xu%08Xv"
|
pop3_uidl_format="%08Xu%08Xv"
|
||||||
|
|
||||||
# ### LDA (LMTP)
|
# ### LDA (LMTP)
|
||||||
|
@ -150,7 +150,7 @@ EOF
|
||||||
|
|
||||||
# Setting a `postmaster_address` is required or LMTP won't start. An alias
|
# Setting a `postmaster_address` is required or LMTP won't start. An alias
|
||||||
# will be created automatically by our management daemon.
|
# will be created automatically by our management daemon.
|
||||||
tools/editconf.py /etc/dovecot/conf.d/15-lda.conf \
|
management/editconf.py /etc/dovecot/conf.d/15-lda.conf \
|
||||||
postmaster_address=postmaster@$PRIMARY_HOSTNAME
|
postmaster_address=postmaster@$PRIMARY_HOSTNAME
|
||||||
|
|
||||||
# ### Sieve
|
# ### Sieve
|
||||||
|
|
|
@ -53,7 +53,7 @@ apt_install postfix postfix-sqlite postfix-pcre postgrey ca-certificates
|
||||||
# * Set our name (the Debian default seems to be "localhost" but make it our hostname).
|
# * Set our name (the Debian default seems to be "localhost" but make it our hostname).
|
||||||
# * Set the name of the local machine to localhost, which means xxx@localhost is delivered locally, although we don't use it.
|
# * Set the name of the local machine to localhost, which means xxx@localhost is delivered locally, although we don't use it.
|
||||||
# * Set the SMTP banner (which must have the hostname first, then anything).
|
# * Set the SMTP banner (which must have the hostname first, then anything).
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
management/editconf.py /etc/postfix/main.cf \
|
||||||
inet_interfaces=all \
|
inet_interfaces=all \
|
||||||
smtp_bind_address=$PRIVATE_IP \
|
smtp_bind_address=$PRIVATE_IP \
|
||||||
smtp_bind_address6=$PRIVATE_IPV6 \
|
smtp_bind_address6=$PRIVATE_IPV6 \
|
||||||
|
@ -64,7 +64,7 @@ tools/editconf.py /etc/postfix/main.cf \
|
||||||
# Tweak some queue settings:
|
# Tweak some queue settings:
|
||||||
# * Inform users when their e-mail delivery is delayed more than 3 hours (default is not to warn).
|
# * Inform users when their e-mail delivery is delayed more than 3 hours (default is not to warn).
|
||||||
# * Stop trying to send an undeliverable e-mail after 2 days (instead of 5), and for bounce messages just try for 1 day.
|
# * Stop trying to send an undeliverable e-mail after 2 days (instead of 5), and for bounce messages just try for 1 day.
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
management/editconf.py /etc/postfix/main.cf \
|
||||||
delay_warning_time=3h \
|
delay_warning_time=3h \
|
||||||
maximal_queue_lifetime=2d \
|
maximal_queue_lifetime=2d \
|
||||||
bounce_queue_lifetime=1d
|
bounce_queue_lifetime=1d
|
||||||
|
@ -86,7 +86,7 @@ tools/editconf.py /etc/postfix/main.cf \
|
||||||
# that filters out privacy-sensitive headers on mail being sent out by
|
# that filters out privacy-sensitive headers on mail being sent out by
|
||||||
# authenticated users. By default Postfix also applies this to attached
|
# authenticated users. By default Postfix also applies this to attached
|
||||||
# emails but we turn this off by setting nested_header_checks empty.
|
# emails but we turn this off by setting nested_header_checks empty.
|
||||||
tools/editconf.py /etc/postfix/master.cf -s -w \
|
management/editconf.py /etc/postfix/master.cf -s -w \
|
||||||
"submission=inet n - - - - smtpd
|
"submission=inet n - - - - smtpd
|
||||||
-o smtpd_sasl_auth_enable=yes
|
-o smtpd_sasl_auth_enable=yes
|
||||||
-o syslog_name=postfix/submission
|
-o syslog_name=postfix/submission
|
||||||
|
@ -120,7 +120,7 @@ sed -i "s/PUBLIC_IP/$PUBLIC_IP/" /etc/postfix/outgoing_mail_header_filters
|
||||||
# For port 587 (via the 'mandatory' settings):
|
# For port 587 (via the 'mandatory' settings):
|
||||||
# * Use Mozilla's "Intermediate" TLS recommendations from https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=intermediate&openssl-version=1.1.1
|
# * Use Mozilla's "Intermediate" TLS recommendations from https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=intermediate&openssl-version=1.1.1
|
||||||
# using and overriding the "high" cipher list so we don't conflict with the more permissive settings for port 25.
|
# using and overriding the "high" cipher list so we don't conflict with the more permissive settings for port 25.
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
management/editconf.py /etc/postfix/main.cf \
|
||||||
smtpd_tls_security_level=may\
|
smtpd_tls_security_level=may\
|
||||||
smtpd_tls_auth_only=yes \
|
smtpd_tls_auth_only=yes \
|
||||||
smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
|
smtpd_tls_cert_file=$STORAGE_ROOT/ssl/ssl_certificate.pem \
|
||||||
|
@ -144,7 +144,7 @@ tools/editconf.py /etc/postfix/main.cf \
|
||||||
# * `permit_sasl_authenticated`: Authenticated users (i.e. on port 587).
|
# * `permit_sasl_authenticated`: Authenticated users (i.e. on port 587).
|
||||||
# * `permit_mynetworks`: Mail that originates locally.
|
# * `permit_mynetworks`: Mail that originates locally.
|
||||||
# * `reject_unauth_destination`: No one else. (Permits mail whose destination is local and rejects other mail.)
|
# * `reject_unauth_destination`: No one else. (Permits mail whose destination is local and rejects other mail.)
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
management/editconf.py /etc/postfix/main.cf \
|
||||||
smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
|
smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
|
||||||
|
|
||||||
|
|
||||||
|
@ -172,7 +172,7 @@ tools/editconf.py /etc/postfix/main.cf \
|
||||||
# which we don't care about seeing because Postfix is doing opportunistic TLS anyway. Better to encrypt,
|
# which we don't care about seeing because Postfix is doing opportunistic TLS anyway. Better to encrypt,
|
||||||
# even if we don't know if it's to the right party, than to not encrypt at all. Instead we'll
|
# even if we don't know if it's to the right party, than to not encrypt at all. Instead we'll
|
||||||
# now see notices about trusted certs. The CA file is provided by the package `ca-certificates`.
|
# now see notices about trusted certs. The CA file is provided by the package `ca-certificates`.
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
management/editconf.py /etc/postfix/main.cf \
|
||||||
smtp_tls_protocols=\!SSLv2,\!SSLv3 \
|
smtp_tls_protocols=\!SSLv2,\!SSLv3 \
|
||||||
smtp_tls_ciphers=medium \
|
smtp_tls_ciphers=medium \
|
||||||
smtp_tls_exclude_ciphers=aNULL,RC4 \
|
smtp_tls_exclude_ciphers=aNULL,RC4 \
|
||||||
|
@ -191,10 +191,10 @@ tools/editconf.py /etc/postfix/main.cf \
|
||||||
#
|
#
|
||||||
# In a basic setup we would pass mail directly to Dovecot by setting
|
# In a basic setup we would pass mail directly to Dovecot by setting
|
||||||
# virtual_transport to `lmtp:unix:private/dovecot-lmtp`.
|
# virtual_transport to `lmtp:unix:private/dovecot-lmtp`.
|
||||||
tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:[127.0.0.1]:10025
|
management/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:[127.0.0.1]:10025
|
||||||
# Because of a spampd bug, limit the number of recipients in each connection.
|
# Because of a spampd bug, limit the number of recipients in each connection.
|
||||||
# See https://github.com/mail-in-a-box/mailinabox/issues/1523.
|
# See https://github.com/mail-in-a-box/mailinabox/issues/1523.
|
||||||
tools/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit=1
|
management/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit=1
|
||||||
|
|
||||||
|
|
||||||
# Who can send mail to us? Some basic filters.
|
# Who can send mail to us? Some basic filters.
|
||||||
|
@ -214,7 +214,7 @@ tools/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit=1
|
||||||
# so these IPs get mail delivered quickly. But when an IP is not listed in the permit_dnswl_client list (i.e. it is not #NODOC
|
# so these IPs get mail delivered quickly. But when an IP is not listed in the permit_dnswl_client list (i.e. it is not #NODOC
|
||||||
# whitelisted) then postfix does a DEFER_IF_REJECT, which results in all "unknown user" sorts of messages turning into #NODOC
|
# whitelisted) then postfix does a DEFER_IF_REJECT, which results in all "unknown user" sorts of messages turning into #NODOC
|
||||||
# "450 4.7.1 Client host rejected: Service unavailable". This is a retry code, so the mail doesn't properly bounce. #NODOC
|
# "450 4.7.1 Client host rejected: Service unavailable". This is a retry code, so the mail doesn't properly bounce. #NODOC
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
management/editconf.py /etc/postfix/main.cf \
|
||||||
smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" \
|
smtpd_sender_restrictions="reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" \
|
||||||
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,"reject_rbl_client zen.spamhaus.org",reject_unlisted_recipient,"check_policy_service inet:127.0.0.1:10023"
|
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,"reject_rbl_client zen.spamhaus.org",reject_unlisted_recipient,"check_policy_service inet:127.0.0.1:10023"
|
||||||
|
|
||||||
|
@ -225,7 +225,7 @@ tools/editconf.py /etc/postfix/main.cf \
|
||||||
# other MTA have their own intervals. To fix the problem of receiving
|
# other MTA have their own intervals. To fix the problem of receiving
|
||||||
# e-mails really latter, delay of greylisting has been set to
|
# e-mails really latter, delay of greylisting has been set to
|
||||||
# 180 seconds (default is 300 seconds).
|
# 180 seconds (default is 300 seconds).
|
||||||
tools/editconf.py /etc/default/postgrey \
|
management/editconf.py /etc/default/postgrey \
|
||||||
POSTGREY_OPTS=\"'--inet=127.0.0.1:10023 --delay=180'\"
|
POSTGREY_OPTS=\"'--inet=127.0.0.1:10023 --delay=180'\"
|
||||||
|
|
||||||
|
|
||||||
|
@ -257,11 +257,11 @@ chmod +x /etc/cron.daily/mailinabox-postgrey-whitelist
|
||||||
|
|
||||||
# Increase the message size limit from 10MB to 128MB.
|
# Increase the message size limit from 10MB to 128MB.
|
||||||
# The same limit is specified in nginx.conf for mail submitted via webmail and Z-Push.
|
# The same limit is specified in nginx.conf for mail submitted via webmail and Z-Push.
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
management/editconf.py /etc/postfix/main.cf \
|
||||||
message_size_limit=134217728
|
message_size_limit=134217728
|
||||||
|
|
||||||
# Store default configurations for SMTP relays:
|
# Store default configurations for SMTP relays:
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
management/editconf.py /etc/postfix/main.cf \
|
||||||
smtp_sasl_auth_enable=no \
|
smtp_sasl_auth_enable=no \
|
||||||
smtp_sasl_password_maps="hash:/etc/postfix/sasl_passwd" \
|
smtp_sasl_password_maps="hash:/etc/postfix/sasl_passwd" \
|
||||||
smtp_sasl_security_options=anonymous \
|
smtp_sasl_security_options=anonymous \
|
||||||
|
|
|
@ -70,7 +70,7 @@ EOF
|
||||||
# does not run DKIM on relayed mail, so outbound mail isn't
|
# does not run DKIM on relayed mail, so outbound mail isn't
|
||||||
# correct, see #830), but we enable it specifically for the
|
# correct, see #830), but we enable it specifically for the
|
||||||
# submission port.
|
# submission port.
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
management/editconf.py /etc/postfix/main.cf \
|
||||||
smtpd_sasl_type=dovecot \
|
smtpd_sasl_type=dovecot \
|
||||||
smtpd_sasl_path=private/auth \
|
smtpd_sasl_path=private/auth \
|
||||||
smtpd_sasl_auth_enable=no
|
smtpd_sasl_auth_enable=no
|
||||||
|
@ -83,7 +83,7 @@ tools/editconf.py /etc/postfix/main.cf \
|
||||||
# address (aka envelope or return path address) must be "owned" by the user
|
# address (aka envelope or return path address) must be "owned" by the user
|
||||||
# who authenticated. An SQL query will find who are the owners of any given
|
# who authenticated. An SQL query will find who are the owners of any given
|
||||||
# address.
|
# address.
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
management/editconf.py /etc/postfix/main.cf \
|
||||||
smtpd_sender_login_maps=sqlite:/etc/postfix/sender-login-maps.cf
|
smtpd_sender_login_maps=sqlite:/etc/postfix/sender-login-maps.cf
|
||||||
|
|
||||||
# Postfix will query the exact address first, where the priority will be alias
|
# Postfix will query the exact address first, where the priority will be alias
|
||||||
|
@ -100,7 +100,7 @@ EOF
|
||||||
|
|
||||||
# Use a Sqlite3 database to check whether a destination email address exists,
|
# Use a Sqlite3 database to check whether a destination email address exists,
|
||||||
# and to perform any email alias rewrites in Postfix.
|
# and to perform any email alias rewrites in Postfix.
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
management/editconf.py /etc/postfix/main.cf \
|
||||||
virtual_mailbox_domains=sqlite:/etc/postfix/virtual-mailbox-domains.cf \
|
virtual_mailbox_domains=sqlite:/etc/postfix/virtual-mailbox-domains.cf \
|
||||||
virtual_mailbox_maps=sqlite:/etc/postfix/virtual-mailbox-maps.cf \
|
virtual_mailbox_maps=sqlite:/etc/postfix/virtual-mailbox-maps.cf \
|
||||||
virtual_alias_maps=sqlite:/etc/postfix/virtual-alias-maps.cf \
|
virtual_alias_maps=sqlite:/etc/postfix/virtual-alias-maps.cf \
|
||||||
|
|
|
@ -39,7 +39,7 @@ chown munin. /var/log/munin/munin-cgi-graph.log
|
||||||
|
|
||||||
# ensure munin-node knows the name of this machine
|
# ensure munin-node knows the name of this machine
|
||||||
# and reduce logging level to warning
|
# and reduce logging level to warning
|
||||||
tools/editconf.py /etc/munin/munin-node.conf -s \
|
management/editconf.py /etc/munin/munin-node.conf -s \
|
||||||
host_name=$PRIMARY_HOSTNAME \
|
host_name=$PRIMARY_HOSTNAME \
|
||||||
log_level=1
|
log_level=1
|
||||||
|
|
||||||
|
|
|
@ -285,7 +285,7 @@ if [ \( $? -ne 0 \) -a \( $? -ne 3 \) ]; then exit 1; fi
|
||||||
|
|
||||||
# Set PHP FPM values to support large file uploads
|
# Set PHP FPM values to support large file uploads
|
||||||
# (semicolon is the comment character in this file, hashes produce deprecation warnings)
|
# (semicolon is the comment character in this file, hashes produce deprecation warnings)
|
||||||
tools/editconf.py /etc/php/$PHP_VERSION/fpm/php.ini -c ';' \
|
management/editconf.py /etc/php/$PHP_VERSION/fpm/php.ini -c ';' \
|
||||||
upload_max_filesize=16G \
|
upload_max_filesize=16G \
|
||||||
post_max_size=16G \
|
post_max_size=16G \
|
||||||
output_buffering=16384 \
|
output_buffering=16384 \
|
||||||
|
@ -294,7 +294,7 @@ tools/editconf.py /etc/php/$PHP_VERSION/fpm/php.ini -c ';' \
|
||||||
short_open_tag=On
|
short_open_tag=On
|
||||||
|
|
||||||
# Set Nextcloud recommended opcache settings
|
# Set Nextcloud recommended opcache settings
|
||||||
tools/editconf.py /etc/php/$PHP_VERSION/cli/conf.d/10-opcache.ini -c ';' \
|
management/editconf.py /etc/php/$PHP_VERSION/cli/conf.d/10-opcache.ini -c ';' \
|
||||||
opcache.enable=1 \
|
opcache.enable=1 \
|
||||||
opcache.enable_cli=1 \
|
opcache.enable_cli=1 \
|
||||||
opcache.interned_strings_buffer=8 \
|
opcache.interned_strings_buffer=8 \
|
||||||
|
@ -305,7 +305,7 @@ tools/editconf.py /etc/php/$PHP_VERSION/cli/conf.d/10-opcache.ini -c ';' \
|
||||||
|
|
||||||
# If apc is explicitly disabled we need to enable it
|
# If apc is explicitly disabled we need to enable it
|
||||||
if grep -q apc.enabled=0 /etc/php/$PHP_VERSION/mods-available/apcu.ini; then
|
if grep -q apc.enabled=0 /etc/php/$PHP_VERSION/mods-available/apcu.ini; then
|
||||||
tools/editconf.py /etc/php/$PHP_VERSION/mods-available/apcu.ini -c ';' \
|
management/editconf.py /etc/php/$PHP_VERSION/mods-available/apcu.ini -c ';' \
|
||||||
apc.enabled=1
|
apc.enabled=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
@ -23,7 +23,7 @@ echo "Installing SpamAssassin..."
|
||||||
apt_install spampd razor pyzor dovecot-antispam libmail-dkim-perl
|
apt_install spampd razor pyzor dovecot-antispam libmail-dkim-perl
|
||||||
|
|
||||||
# Allow spamassassin to download new rules.
|
# Allow spamassassin to download new rules.
|
||||||
tools/editconf.py /etc/default/spamassassin \
|
management/editconf.py /etc/default/spamassassin \
|
||||||
CRON=1
|
CRON=1
|
||||||
|
|
||||||
# Configure pyzor, which is a client to a live database of hashes of
|
# Configure pyzor, which is a client to a live database of hashes of
|
||||||
|
@ -34,7 +34,7 @@ tools/editconf.py /etc/default/spamassassin \
|
||||||
# we can skip 'pyzor discover', both of which are currently broken by
|
# we can skip 'pyzor discover', both of which are currently broken by
|
||||||
# something happening on Sourceforge (#496).
|
# something happening on Sourceforge (#496).
|
||||||
rm -rf ~/.pyzor
|
rm -rf ~/.pyzor
|
||||||
tools/editconf.py /etc/spamassassin/local.cf -s \
|
management/editconf.py /etc/spamassassin/local.cf -s \
|
||||||
pyzor_options="--homedir /etc/spamassassin/pyzor"
|
pyzor_options="--homedir /etc/spamassassin/pyzor"
|
||||||
mkdir -p /etc/spamassassin/pyzor
|
mkdir -p /etc/spamassassin/pyzor
|
||||||
echo "public.pyzor.org:24441" > /etc/spamassassin/pyzor/servers
|
echo "public.pyzor.org:24441" > /etc/spamassassin/pyzor/servers
|
||||||
|
@ -46,7 +46,7 @@ echo "public.pyzor.org:24441" > /etc/spamassassin/pyzor/servers
|
||||||
# * Increase the maximum message size of scanned messages from the default of 64KB to 500KB, which
|
# * Increase the maximum message size of scanned messages from the default of 64KB to 500KB, which
|
||||||
# is Spamassassin (spamc)'s own default. Specified in KBytes.
|
# is Spamassassin (spamc)'s own default. Specified in KBytes.
|
||||||
# * Disable localmode so Pyzor, DKIM and DNS checks can be used.
|
# * Disable localmode so Pyzor, DKIM and DNS checks can be used.
|
||||||
tools/editconf.py /etc/default/spampd \
|
management/editconf.py /etc/default/spampd \
|
||||||
DESTPORT=10026 \
|
DESTPORT=10026 \
|
||||||
ADDOPTS="\"--maxsize=2000\"" \
|
ADDOPTS="\"--maxsize=2000\"" \
|
||||||
LOCALONLY=0
|
LOCALONLY=0
|
||||||
|
@ -62,7 +62,7 @@ tools/editconf.py /etc/default/spampd \
|
||||||
#
|
#
|
||||||
# Tell Spamassassin not to modify the original message except for adding
|
# Tell Spamassassin not to modify the original message except for adding
|
||||||
# the X-Spam-Status & X-Spam-Score mail headers and related headers.
|
# the X-Spam-Status & X-Spam-Score mail headers and related headers.
|
||||||
tools/editconf.py /etc/spamassassin/local.cf -s \
|
management/editconf.py /etc/spamassassin/local.cf -s \
|
||||||
report_safe=0 \
|
report_safe=0 \
|
||||||
"add_header all Report"=_REPORT_ \
|
"add_header all Report"=_REPORT_ \
|
||||||
"add_header all Score"=_SCORE_
|
"add_header all Score"=_SCORE_
|
||||||
|
@ -84,7 +84,7 @@ tools/editconf.py /etc/spamassassin/local.cf -s \
|
||||||
# Spamassassin will change the access rights back to the defaults, so we must also configure
|
# Spamassassin will change the access rights back to the defaults, so we must also configure
|
||||||
# the filemode in the config file.
|
# the filemode in the config file.
|
||||||
|
|
||||||
tools/editconf.py /etc/spamassassin/local.cf -s \
|
management/editconf.py /etc/spamassassin/local.cf -s \
|
||||||
bayes_path=$STORAGE_ROOT/mail/spamassassin/bayes \
|
bayes_path=$STORAGE_ROOT/mail/spamassassin/bayes \
|
||||||
bayes_file_mode=0666
|
bayes_file_mode=0666
|
||||||
|
|
||||||
|
@ -116,7 +116,7 @@ EOF
|
||||||
# Have Dovecot run its mail process with a supplementary group (the spampd group)
|
# Have Dovecot run its mail process with a supplementary group (the spampd group)
|
||||||
# so that it can access the learning files.
|
# so that it can access the learning files.
|
||||||
|
|
||||||
tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \
|
management/editconf.py /etc/dovecot/conf.d/10-mail.conf \
|
||||||
mail_access_groups=spampd
|
mail_access_groups=spampd
|
||||||
|
|
||||||
# Here's the script that the antispam plugin executes. It spools the message into
|
# Here's the script that the antispam plugin executes. It spools the message into
|
||||||
|
|
|
@ -134,7 +134,7 @@ apt_install python3 python3-dev python3-pip \
|
||||||
# When Ubuntu 20 comes out, we don't want users to be prompted to upgrade,
|
# When Ubuntu 20 comes out, we don't want users to be prompted to upgrade,
|
||||||
# because we don't yet support it.
|
# because we don't yet support it.
|
||||||
if [ -f /etc/update-manager/release-upgrades ]; then
|
if [ -f /etc/update-manager/release-upgrades ]; then
|
||||||
tools/editconf.py /etc/update-manager/release-upgrades Prompt=never
|
management/editconf.py /etc/update-manager/release-upgrades Prompt=never
|
||||||
rm -f /var/lib/ubuntu-release-upgrader/release-upgrade-available
|
rm -f /var/lib/ubuntu-release-upgrader/release-upgrade-available
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -315,7 +315,7 @@ fi #NODOC
|
||||||
# * The listen-on directive in named.conf.options restricts `bind9` to
|
# * The listen-on directive in named.conf.options restricts `bind9` to
|
||||||
# binding to the loopback interface instead of all interfaces.
|
# binding to the loopback interface instead of all interfaces.
|
||||||
apt_install bind9
|
apt_install bind9
|
||||||
tools/editconf.py /etc/default/bind9 \
|
management/editconf.py /etc/default/bind9 \
|
||||||
"OPTIONS=\"-u bind -4\""
|
"OPTIONS=\"-u bind -4\""
|
||||||
if ! grep -q "listen-on " /etc/bind/named.conf.options; then
|
if ! grep -q "listen-on " /etc/bind/named.conf.options; then
|
||||||
# Add a listen-on directive if it doesn't exist inside the options block.
|
# Add a listen-on directive if it doesn't exist inside the options block.
|
||||||
|
@ -329,7 +329,7 @@ fi
|
||||||
# installing bind9 or else apt won't be able to resolve a server to
|
# installing bind9 or else apt won't be able to resolve a server to
|
||||||
# download bind9 from.
|
# download bind9 from.
|
||||||
rm -f /etc/resolv.conf
|
rm -f /etc/resolv.conf
|
||||||
tools/editconf.py /etc/systemd/resolved.conf DNSStubListener=no
|
management/editconf.py /etc/systemd/resolved.conf DNSStubListener=no
|
||||||
echo "nameserver 127.0.0.1" > /etc/resolv.conf
|
echo "nameserver 127.0.0.1" > /etc/resolv.conf
|
||||||
|
|
||||||
# Restart the DNS services.
|
# Restart the DNS services.
|
||||||
|
|
16
setup/web.sh
16
setup/web.sh
|
@ -41,20 +41,20 @@ sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
|
||||||
#
|
#
|
||||||
# Drop TLSv1.0, TLSv1.1, following the Mozilla "Intermediate" recommendations
|
# Drop TLSv1.0, TLSv1.1, following the Mozilla "Intermediate" recommendations
|
||||||
# at https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=intermediate&openssl-version=1.1.1.
|
# at https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.0&config=intermediate&openssl-version=1.1.1.
|
||||||
tools/editconf.py /etc/nginx/nginx.conf -s \
|
management/editconf.py /etc/nginx/nginx.conf -s \
|
||||||
server_names_hash_bucket_size="128;" \
|
server_names_hash_bucket_size="128;" \
|
||||||
ssl_protocols="TLSv1.2 TLSv1.3;"
|
ssl_protocols="TLSv1.2 TLSv1.3;"
|
||||||
|
|
||||||
# Tell PHP not to expose its version number in the X-Powered-By header.
|
# Tell PHP not to expose its version number in the X-Powered-By header.
|
||||||
tools/editconf.py /etc/php/$PHP_VERSION/fpm/php.ini -c ';' \
|
management/editconf.py /etc/php/$PHP_VERSION/fpm/php.ini -c ';' \
|
||||||
expose_php=Off
|
expose_php=Off
|
||||||
|
|
||||||
# Set PHPs default charset to UTF-8, since we use it. See #367.
|
# Set PHPs default charset to UTF-8, since we use it. See #367.
|
||||||
tools/editconf.py /etc/php/$PHP_VERSION/fpm/php.ini -c ';' \
|
management/editconf.py /etc/php/$PHP_VERSION/fpm/php.ini -c ';' \
|
||||||
default_charset="UTF-8"
|
default_charset="UTF-8"
|
||||||
|
|
||||||
# Configure the path environment for php-fpm
|
# Configure the path environment for php-fpm
|
||||||
tools/editconf.py /etc/php/$PHP_VERSION/fpm/pool.d/www.conf -c ';' \
|
management/editconf.py /etc/php/$PHP_VERSION/fpm/pool.d/www.conf -c ';' \
|
||||||
env[PATH]=/usr/local/bin:/usr/bin:/bin \
|
env[PATH]=/usr/local/bin:/usr/bin:/bin \
|
||||||
|
|
||||||
# Configure php-fpm based on the amount of memory the machine has
|
# Configure php-fpm based on the amount of memory the machine has
|
||||||
|
@ -64,7 +64,7 @@ tools/editconf.py /etc/php/$PHP_VERSION/fpm/pool.d/www.conf -c ';' \
|
||||||
TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true)
|
TOTAL_PHYSICAL_MEM=$(head -n 1 /proc/meminfo | awk '{print $2}' || /bin/true)
|
||||||
if [ $TOTAL_PHYSICAL_MEM -lt 1000000 ]
|
if [ $TOTAL_PHYSICAL_MEM -lt 1000000 ]
|
||||||
then
|
then
|
||||||
tools/editconf.py /etc/php/$PHP_VERSION/fpm/pool.d/www.conf -c ';' \
|
management/editconf.py /etc/php/$PHP_VERSION/fpm/pool.d/www.conf -c ';' \
|
||||||
pm=ondemand \
|
pm=ondemand \
|
||||||
pm.max_children=8 \
|
pm.max_children=8 \
|
||||||
pm.start_servers=2 \
|
pm.start_servers=2 \
|
||||||
|
@ -72,7 +72,7 @@ then
|
||||||
pm.max_spare_servers=3
|
pm.max_spare_servers=3
|
||||||
elif [ $TOTAL_PHYSICAL_MEM -lt 2000000 ]
|
elif [ $TOTAL_PHYSICAL_MEM -lt 2000000 ]
|
||||||
then
|
then
|
||||||
tools/editconf.py /etc/php/$PHP_VERSION/fpm/pool.d/www.conf -c ';' \
|
management/editconf.py /etc/php/$PHP_VERSION/fpm/pool.d/www.conf -c ';' \
|
||||||
pm=ondemand \
|
pm=ondemand \
|
||||||
pm.max_children=16 \
|
pm.max_children=16 \
|
||||||
pm.start_servers=4 \
|
pm.start_servers=4 \
|
||||||
|
@ -80,14 +80,14 @@ then
|
||||||
pm.max_spare_servers=6
|
pm.max_spare_servers=6
|
||||||
elif [ $TOTAL_PHYSICAL_MEM -lt 3000000 ]
|
elif [ $TOTAL_PHYSICAL_MEM -lt 3000000 ]
|
||||||
then
|
then
|
||||||
tools/editconf.py /etc/php/$PHP_VERSION/fpm/pool.d/www.conf -c ';' \
|
management/editconf.py /etc/php/$PHP_VERSION/fpm/pool.d/www.conf -c ';' \
|
||||||
pm=dynamic \
|
pm=dynamic \
|
||||||
pm.max_children=60 \
|
pm.max_children=60 \
|
||||||
pm.start_servers=6 \
|
pm.start_servers=6 \
|
||||||
pm.min_spare_servers=3 \
|
pm.min_spare_servers=3 \
|
||||||
pm.max_spare_servers=9
|
pm.max_spare_servers=9
|
||||||
else
|
else
|
||||||
tools/editconf.py /etc/php/$PHP_VERSION/fpm/pool.d/www.conf -c ';' \
|
management/editconf.py /etc/php/$PHP_VERSION/fpm/pool.d/www.conf -c ';' \
|
||||||
pm=dynamic \
|
pm=dynamic \
|
||||||
pm.max_children=120 \
|
pm.max_children=120 \
|
||||||
pm.start_servers=12 \
|
pm.start_servers=12 \
|
||||||
|
|
|
@ -168,7 +168,7 @@ sudo -u www-data touch /var/log/roundcubemail/errors
|
||||||
cp ${RCM_PLUGIN_DIR}/password/config.inc.php.dist \
|
cp ${RCM_PLUGIN_DIR}/password/config.inc.php.dist \
|
||||||
${RCM_PLUGIN_DIR}/password/config.inc.php
|
${RCM_PLUGIN_DIR}/password/config.inc.php
|
||||||
|
|
||||||
tools/editconf.py ${RCM_PLUGIN_DIR}/password/config.inc.php \
|
management/editconf.py ${RCM_PLUGIN_DIR}/password/config.inc.php \
|
||||||
"\$config['password_minimum_length']=8;" \
|
"\$config['password_minimum_length']=8;" \
|
||||||
"\$config['password_db_dsn']='sqlite:///$STORAGE_ROOT/mail/users.sqlite';" \
|
"\$config['password_db_dsn']='sqlite:///$STORAGE_ROOT/mail/users.sqlite';" \
|
||||||
"\$config['password_query']='UPDATE users SET password=%D WHERE email=%u';" \
|
"\$config['password_query']='UPDATE users SET password=%D WHERE email=%u';" \
|
||||||
|
|
|
@ -1,7 +0,0 @@
|
||||||
#!/usr/bin/python3
|
|
||||||
|
|
||||||
from os import system
|
|
||||||
from sys import argv
|
|
||||||
|
|
||||||
# Pass control to the actual script
|
|
||||||
system(f"management/editconf.py {' '.join(str(x) for x in argv[1:])}")
|
|