Skip to content

M
mailinabox
Commit e06b4f5c authored by Joshua Tauberer's avatar Joshua Tauberer
Browse files
Options

assume scripts are running as root, dont sudo everything

parent eb47a147
Hide whitespace changes
Inline Side-by-side
Showing with 41 additions and 41 deletions
scripts/mail.sh
View file @ e06b4f5c
...@@ -5,7 +5,7 @@ ...@@ -5,7 +5,7 @@
# Install packages. # Install packages.
sudo DEBIAN_FRONTEND=noninteractive apt-get install -q -y \ DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
postfix postgrey dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite postfix postgrey dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite
# POSTFIX # POSTFIX
...@@ -13,8 +13,8 @@ sudo DEBIAN_FRONTEND=noninteractive apt-get install -q -y \ ...@@ -13,8 +13,8 @@ sudo DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
mkdir -p $STORAGE_ROOT/mail mkdir -p $STORAGE_ROOT/mail
# TLS configuration # TLS configuration
sudo sed -i "s/#submission/submission/" /etc/postfix/master.cf # enable submission port (not in Drew Crawford's instructions) sed -i "s/#submission/submission/" /etc/postfix/master.cf # enable submission port (not in Drew Crawford's instructions)
sudo tools/editconf.py /etc/postfix/main.cf \ tools/editconf.py /etc/postfix/main.cf \
smtpd_use_tls=yes\ smtpd_use_tls=yes\
smtpd_tls_auth_only=yes \ smtpd_tls_auth_only=yes \
smtp_tls_security_level=may \ smtp_tls_security_level=may \
...@@ -24,19 +24,19 @@ sudo tools/editconf.py /etc/postfix/main.cf \ ...@@ -24,19 +24,19 @@ sudo tools/editconf.py /etc/postfix/main.cf \
# note: smtpd_use_tls=yes appears to already be the default, but we can never be too sure # note: smtpd_use_tls=yes appears to already be the default, but we can never be too sure
# authorization via dovecot # authorization via dovecot
sudo tools/editconf.py /etc/postfix/main.cf \ tools/editconf.py /etc/postfix/main.cf \
smtpd_sasl_type=dovecot \ smtpd_sasl_type=dovecot \
smtpd_sasl_path=private/auth \ smtpd_sasl_path=private/auth \
smtpd_sasl_auth_enable=yes \ smtpd_sasl_auth_enable=yes \
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
sudo tools/editconf.py /etc/postfix/main.cf mydestination=localhost tools/editconf.py /etc/postfix/main.cf mydestination=localhost
# message delivery is directly to dovecot # message delivery is directly to dovecot
sudo tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:unix:private/dovecot-lmtp tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:unix:private/dovecot-lmtp
# domain and user table is configured in a Sqlite3 database # domain and user table is configured in a Sqlite3 database
sudo tools/editconf.py /etc/postfix/main.cf \ tools/editconf.py /etc/postfix/main.cf \
virtual_mailbox_domains=sqlite:/etc/postfix/virtual-mailbox-domains.cf \ virtual_mailbox_domains=sqlite:/etc/postfix/virtual-mailbox-domains.cf \
virtual_mailbox_maps=sqlite:/etc/postfix/virtual-mailbox-maps.cf \ virtual_mailbox_maps=sqlite:/etc/postfix/virtual-mailbox-maps.cf \
virtual_alias_maps=sqlite:/etc/postfix/virtual-alias-maps.cf \ virtual_alias_maps=sqlite:/etc/postfix/virtual-alias-maps.cf \
...@@ -44,17 +44,17 @@ sudo tools/editconf.py /etc/postfix/main.cf \ ...@@ -44,17 +44,17 @@ sudo tools/editconf.py /etc/postfix/main.cf \
db_path=$STORAGE_ROOT/mail/users.sqlite db_path=$STORAGE_ROOT/mail/users.sqlite
sudo su root -c "cat > /etc/postfix/virtual-mailbox-domains.cf" << EOF; cat > /etc/postfix/virtual-mailbox-domains.cf << EOF;
dbpath=$db_path dbpath=$db_path
query = SELECT 1 FROM users WHERE email LIKE '%%@%s' query = SELECT 1 FROM users WHERE email LIKE '%%@%s'
EOF EOF
sudo su root -c "cat > /etc/postfix/virtual-mailbox-maps.cf" << EOF; cat > /etc/postfix/virtual-mailbox-maps.cf << EOF;
dbpath=$db_path dbpath=$db_path
query = SELECT 1 FROM users WHERE email='%s' query = SELECT 1 FROM users WHERE email='%s'
EOF EOF
sudo su root -c "cat > /etc/postfix/virtual-alias-maps.cf" << EOF; cat > /etc/postfix/virtual-alias-maps.cf << EOF;
dbpath=$db_path dbpath=$db_path
query = SELECT destination FROM aliases WHERE source='%s' query = SELECT destination FROM aliases WHERE source='%s'
EOF EOF
...@@ -72,22 +72,22 @@ fi ...@@ -72,22 +72,22 @@ fi
# The dovecot-imapd dovecot-lmtpd packages automatically enable those protocols. # The dovecot-imapd dovecot-lmtpd packages automatically enable those protocols.
# mail storage location # mail storage location
sudo tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \ tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \
mail_location=maildir:$STORAGE_ROOT/mail/mailboxes/%d/%n \ mail_location=maildir:$STORAGE_ROOT/mail/mailboxes/%d/%n \
mail_privileged_group=mail \ mail_privileged_group=mail \
first_valid_uid=0 first_valid_uid=0
# authentication mechanisms # authentication mechanisms
sudo tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \ tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
disable_plaintext_auth=yes \ disable_plaintext_auth=yes \
"auth_mechanisms=plain login" "auth_mechanisms=plain login"
# use SQL-based authentication, not the system users # use SQL-based authentication, not the system users
sudo sed -i "s/\(\!include auth-system.conf.ext\)/#\1/" /etc/dovecot/conf.d/10-auth.conf sed -i "s/\(\!include auth-system.conf.ext\)/#\1/" /etc/dovecot/conf.d/10-auth.conf
sudo sed -i "s/#\(\!include auth-sql.conf.ext\)/\1/" /etc/dovecot/conf.d/10-auth.conf sed -i "s/#\(\!include auth-sql.conf.ext\)/\1/" /etc/dovecot/conf.d/10-auth.conf
# how to access SQL # how to access SQL
sudo su root -c "cat > /etc/dovecot/conf.d/auth-sql.conf.ext" << EOF; cat > /etc/dovecot/conf.d/auth-sql.conf.ext << EOF;
passdb { passdb {
driver = sql driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext args = /etc/dovecot/dovecot-sql.conf.ext
...@@ -97,7 +97,7 @@ userdb { ...@@ -97,7 +97,7 @@ userdb {
args = uid=mail gid=mail home=$STORAGE_ROOT/mail/mailboxes/%d/%n args = uid=mail gid=mail home=$STORAGE_ROOT/mail/mailboxes/%d/%n
} }
EOF EOF
sudo su root -c "cat > /etc/dovecot/dovecot-sql.conf.ext" << EOF; cat > /etc/dovecot/dovecot-sql.conf.ext << EOF;
driver = sqlite driver = sqlite
connect = $db_path connect = $db_path
default_pass_scheme = SHA512-CRYPT default_pass_scheme = SHA512-CRYPT
...@@ -106,25 +106,25 @@ EOF ...@@ -106,25 +106,25 @@ EOF
# disable in-the-clear IMAP and POP because we're paranoid (we haven't even # disable in-the-clear IMAP and POP because we're paranoid (we haven't even
# enabled POP). # enabled POP).
sudo sed -i "s/#port = 143/port = 0/" /etc/dovecot/conf.d/10-master.conf sed -i "s/#port = 143/port = 0/" /etc/dovecot/conf.d/10-master.conf
sudo sed -i "s/#port = 110/port = 0/" /etc/dovecot/conf.d/10-master.conf sed -i "s/#port = 110/port = 0/" /etc/dovecot/conf.d/10-master.conf
# Modify the unix socket for LMTP. # Modify the unix socket for LMTP.
sudo sed -i "s/unix_listener lmtp \(.*\)/unix_listener \/var\/spool\/postfix\/private\/dovecot-lmtp \1\n user = postfix\n group = postfix\n/" /etc/dovecot/conf.d/10-master.conf sed -i "s/unix_listener lmtp \(.*\)/unix_listener \/var\/spool\/postfix\/private\/dovecot-lmtp \1\n user = postfix\n group = postfix\n/" /etc/dovecot/conf.d/10-master.conf
# Add an additional auth socket for postfix. Check if it already is # Add an additional auth socket for postfix. Check if it already is
# set to make sure this is idempotent. # set to make sure this is idempotent.
if sudo grep -q "mailinabox-postfix-private-auth" /etc/dovecot/conf.d/10-master.conf; then if grep -q "mailinabox-postfix-private-auth" /etc/dovecot/conf.d/10-master.conf; then
# already done # already done
true; true;
else else
sudo sed -i "s/\(\s*unix_listener auth-userdb\)/ unix_listener \/var\/spool\/postfix\/private\/auth \{ # mailinabox-postfix-private-auth\n mode = 0666\n user = postfix\n group = postfix\n \}\n\1/" /etc/dovecot/conf.d/10-master.conf sed -i "s/\(\s*unix_listener auth-userdb\)/ unix_listener \/var\/spool\/postfix\/private\/auth \{ # mailinabox-postfix-private-auth\n mode = 0666\n user = postfix\n group = postfix\n \}\n\1/" /etc/dovecot/conf.d/10-master.conf
fi fi
# Drew Crawford sets the auth-worker process to run as the mail user, but we don't care if it runs as root. # Drew Crawford sets the auth-worker process to run as the mail user, but we don't care if it runs as root.
# Enable SSL. # Enable SSL.
sudo tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
ssl=required \ ssl=required \
"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \ "ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \ "ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
...@@ -133,22 +133,22 @@ sudo tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \ ...@@ -133,22 +133,22 @@ sudo tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
# in /etc/dovecot/dovecot.pem and /etc/dovecot/private/dovecot.pem, which we'll # in /etc/dovecot/dovecot.pem and /etc/dovecot/private/dovecot.pem, which we'll
# use unless certificates already exist. # use unless certificates already exist.
mkdir -p $STORAGE_ROOT/ssl mkdir -p $STORAGE_ROOT/ssl
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then sudo cp /etc/dovecot/dovecot.pem $STORAGE_ROOT/ssl/ssl_certificate.pem; fi if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then cp /etc/dovecot/dovecot.pem $STORAGE_ROOT/ssl/ssl_certificate.pem; fi
if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then sudo cp /etc/dovecot/private/dovecot.pem $STORAGE_ROOT/ssl/ssl_private_key.pem; fi if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then cp /etc/dovecot/private/dovecot.pem $STORAGE_ROOT/ssl/ssl_private_key.pem; fi
sudo chown -R mail:dovecot /etc/dovecot chown -R mail:dovecot /etc/dovecot
sudo chmod -R o-rwx /etc/dovecot chmod -R o-rwx /etc/dovecot
mkdir -p $STORAGE_ROOT/mail/mailboxes mkdir -p $STORAGE_ROOT/mail/mailboxes
sudo chown -R mail.mail $STORAGE_ROOT/mail/mailboxes chown -R mail.mail $STORAGE_ROOT/mail/mailboxes
# restart services # restart services
sudo service postfix restart service postfix restart
sudo service dovecot restart service dovecot restart
# allow mail-related ports in the firewall # allow mail-related ports in the firewall
sudo ufw allow smtp ufw allow smtp
sudo ufw allow submission ufw allow submission
sudo ufw allow imaps ufw allow imaps
scripts/system.sh
View file @ e06b4f5c
# Base system configuration. # Base system configuration.
sudo apt-get -q update apt-get -q update
sudo apt-get -q -y upgrade apt-get -q -y upgrade
# Basic packages. # Basic packages.
sudo apt-get -q -y install sqlite3 apt-get -q -y install sqlite3
# Turn on basic services: # Turn on basic services:
# #
...@@ -15,15 +15,15 @@ sudo apt-get -q -y install sqlite3 ...@@ -15,15 +15,15 @@ sudo apt-get -q -y install sqlite3
# #
# These services don't need further configuration and are started immediately after installation. # These services don't need further configuration and are started immediately after installation.
sudo apt-get install -q -y ntp fail2ban apt-get install -q -y ntp fail2ban
# Turn on the firewall. First allow incoming SSH, then turn on the firewall. Additional open # Turn on the firewall. First allow incoming SSH, then turn on the firewall. Additional open
# ports will be set up in the scripts that set up those services. # ports will be set up in the scripts that set up those services.
sudo ufw allow ssh ufw allow ssh
#sudo ufw allow domain #ufw allow domain
#sudo ufw allow http #ufw allow http
#sudo ufw allow https #ufw allow https
sudo ufw --force enable ufw --force enable
# Mount the storage volume. # Mount the storage volume.
export STORAGE_ROOT=/home/ubuntu/storage export STORAGE_ROOT=/home/ubuntu/storage
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023