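#!/bin/bash
#
# Install and configure the "boss mail" stack on a Debian/Ubuntu host:
# Postfix (SMTP on 25, submission on 587, smtps on 465) and Dovecot (IMAP)
# serving a single local mailbox account, plus a systemd timer that keeps
# the TLS certificate in sync (sync-caddy-mail-cert.sh shipped next to
# this script).
#
# Must run as root. Tunables (environment variables):
#   BOSS_MAIL_DOMAIN       mail hostname            (default: boss.hyzq.net)
#   BOSS_MAILBOX_USER      local mailbox account    (default: bossmail)
#   BOSS_MAILBOX_PASSWORD  mailbox password; when unset the value recorded
#                          in the state file is reused, else one is generated
#
# Re-running is safe: the password is kept in the state file and the managed
# /etc/aliases block is replaced rather than appended.

set -euo pipefail

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[[ "${EUID}" -eq 0 ]] || die "Please run with sudo."

export DEBIAN_FRONTEND=noninteractive

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
MAIL_DOMAIN="${BOSS_MAIL_DOMAIN:-boss.hyzq.net}"
MAILBOX_USER="${BOSS_MAILBOX_USER:-bossmail}"
STATE_DIR="/etc/boss-mail"
TLS_DIR="${STATE_DIR}/tls"
TLS_CERT_TARGET="${TLS_DIR}/fullchain.pem"
TLS_KEY_TARGET="${TLS_DIR}/privkey.pem"
MAILBOX_ENV_FILE="${STATE_DIR}/mailbox.env"
readonly SCRIPT_DIR MAIL_DOMAIN MAILBOX_USER STATE_DIR TLS_DIR \
  TLS_CERT_TARGET TLS_KEY_TARGET MAILBOX_ENV_FILE

# Pre-seed the Postfix debconf questions so the install is non-interactive.
printf 'postfix postfix/mailname string %s\n' "${MAIL_DOMAIN}" | debconf-set-selections
printf "postfix postfix/main_mailer_type string 'Internet Site'\n" | debconf-set-selections

apt-get update
apt-get install -y postfix dovecot-core dovecot-imapd mailutils swaks

# State and TLS material are root-only; the key lives under TLS_DIR.
install -d -m 700 "${STATE_DIR}"
install -d -m 700 "${TLS_DIR}"

if ! id "${MAILBOX_USER}" >/dev/null 2>&1; then
  useradd -m -s /usr/sbin/nologin "${MAILBOX_USER}"
fi

# Resolve the account's real home rather than assuming /home/<user>, so a
# pre-existing account with a different home still gets its Maildir.
MAILBOX_HOME="$(getent passwd "${MAILBOX_USER}" | cut -d: -f6)"
[[ -n "${MAILBOX_HOME}" ]] || die "cannot determine home directory for ${MAILBOX_USER}"

# Password precedence: explicit env var > previous run's state file > random.
MAILBOX_PASSWORD="${BOSS_MAILBOX_PASSWORD:-}"
if [[ -z "${MAILBOX_PASSWORD}" && -f "${MAILBOX_ENV_FILE}" ]]; then
  # The state file is shell syntax written by this script (root-owned, 0600),
  # but it is still executed: source it in a subshell so nothing in it can
  # redefine this script's own variables.
  # shellcheck disable=SC1090
  MAILBOX_PASSWORD="$(. "${MAILBOX_ENV_FILE}"; printf '%s' "${BOSS_MAILBOX_PASSWORD:-}")"
fi

if [[ -z "${MAILBOX_PASSWORD}" ]]; then
  # 24 random bytes -> base64, padding/newlines stripped, truncated to 20
  # chars (~120 bits); the alphabet [A-Za-z0-9+/] is safe for chpasswd.
  MAILBOX_PASSWORD="$(openssl rand -base64 24 | tr -d '\n=' | cut -c1-20)"
fi

# Create the state file with a restrictive umask so the password is never
# briefly world-readable before chmod; %q shell-quotes each value so the
# file stays sourceable even when a user-supplied password contains spaces
# or shell metacharacters.
(
  umask 077
  {
    printf 'BOSS_MAIL_DOMAIN=%q\n' "${MAIL_DOMAIN}"
    printf 'BOSS_MAILBOX_USER=%q\n' "${MAILBOX_USER}"
    printf 'BOSS_MAILBOX_PASSWORD=%q\n' "${MAILBOX_PASSWORD}"
  } >"${MAILBOX_ENV_FILE}"
)
chmod 600 "${MAILBOX_ENV_FILE}"

# Password goes over stdin, never argv, so it does not show up in ps/set -x.
printf '%s:%s\n' "${MAILBOX_USER}" "${MAILBOX_PASSWORD}" | chpasswd

# Certificate sync helper and its systemd units (explicit modes, not umask).
install -m 755 "${SCRIPT_DIR}/sync-caddy-mail-cert.sh" /usr/local/bin/boss-mail-cert-sync.sh
install -m 644 "${SCRIPT_DIR}/systemd/boss-mail-cert-sync.service" /etc/systemd/system/boss-mail-cert-sync.service
install -m 644 "${SCRIPT_DIR}/systemd/boss-mail-cert-sync.timer" /etc/systemd/system/boss-mail-cert-sync.timer

# Dovecot: IMAP only, TLS mandatory, plaintext mechanisms refused on
# unencrypted connections, and an auth socket Postfix uses for SASL.
cat >/etc/dovecot/conf.d/99-boss-mail.conf <<EOF
protocols = imap
mail_location = maildir:~/Maildir
disable_plaintext_auth = yes
auth_mechanisms = plain login
ssl = required
ssl_cert = <${TLS_CERT_TARGET}
ssl_key = <${TLS_KEY_TARGET}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
EOF

# Postfix main.cf. Port 25 keeps opportunistic TLS ("may") for inbound MX
# traffic; authenticated submission is forced to TLS in master.cf below.
postconf -e "myhostname = ${MAIL_DOMAIN}"
postconf -e "myorigin = /etc/mailname"
postconf -e "mydestination = \$myhostname, localhost.\$mydomain, localhost, ${MAIL_DOMAIN}"
postconf -e "inet_interfaces = all"
postconf -e "inet_protocols = all"
postconf -e "home_mailbox = Maildir/"
postconf -e "mailbox_size_limit = 0"
postconf -e "recipient_delimiter = +"
postconf -e "alias_maps = hash:/etc/aliases"
postconf -e "alias_database = hash:/etc/aliases"
postconf -e "smtpd_tls_cert_file = ${TLS_CERT_TARGET}"
postconf -e "smtpd_tls_key_file = ${TLS_KEY_TARGET}"
postconf -e "smtpd_tls_security_level = may"
postconf -e "smtp_tls_security_level = may"
postconf -e "smtpd_sasl_auth_enable = yes"
postconf -e "smtpd_sasl_type = dovecot"
postconf -e "smtpd_sasl_path = private/auth"
# SASL is enabled globally, so do not even offer AUTH until TLS is up;
# otherwise port 25 would accept credentials in the clear.
postconf -e "smtpd_tls_auth_only = yes"
postconf -e "broken_sasl_auth_clients = yes"
postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination"

# /etc/aliases: strip the entries this script manages (and the markers) so a
# re-run replaces them, then append the current set. grep exits 1 when no
# line survives the filter (e.g. empty file), which is not an error here;
# any other non-zero status still aborts.
touch /etc/aliases
ALIASES_TMP="$(mktemp)"
readonly ALIASES_TMP
trap 'rm -f -- "${ALIASES_TMP}"' EXIT
grep -Ev '^(verify|no-reply|noreply|root|postmaster):|^# BOSS MAIL ALIASES (START|END)$' /etc/aliases >"${ALIASES_TMP}" \
  || [[ $? -eq 1 ]]
cat >>"${ALIASES_TMP}" <<EOF
postmaster: root
root: ${MAILBOX_USER}
# BOSS MAIL ALIASES START
verify: ${MAILBOX_USER}
no-reply: ${MAILBOX_USER}
noreply: ${MAILBOX_USER}
# BOSS MAIL ALIASES END
EOF
install -m 644 "${ALIASES_TMP}" /etc/aliases
newaliases

# Submission (587, STARTTLS required) and smtps (465, TLS wrapper mode);
# both accept only authenticated clients. Appended once, keyed on the
# submission service line.
if ! grep -q "^submission inet" /etc/postfix/master.cf; then
  cat >>/etc/postfix/master.cf <<'EOF'
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
fi

# Maildir skeleton, owned by the mailbox user and private to it.
touch "${MAILBOX_HOME}/.hushlogin"
for maildir_sub in Maildir Maildir/cur Maildir/new Maildir/tmp; do
  install -d -m 700 -o "${MAILBOX_USER}" -g "${MAILBOX_USER}" "${MAILBOX_HOME}/${maildir_sub}"
done

# Pull the certificate into TLS_DIR before the daemons (which require it)
# are restarted.
/usr/local/bin/boss-mail-cert-sync.sh

systemctl daemon-reload
systemctl enable postfix dovecot boss-mail-cert-sync.timer
systemctl restart postfix dovecot
systemctl restart boss-mail-cert-sync.timer

# Deliberately do not print the password; point at the 0600 state file.
printf 'Boss mail stack installed for %s\n' "${MAIL_DOMAIN}"
printf 'Mailbox user: %s\n' "${MAILBOX_USER}"
printf 'Mailbox password file: %s\n' "${MAILBOX_ENV_FILE}"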