2014-07-10 07:18:01 +00:00
#!/bin/bash
#
# Postfix (SMTP)
2014-09-21 17:43:21 +00:00
# --------------
2014-07-10 07:18:01 +00:00
#
# Postfix handles the transmission of email between servers
# using the SMTP protocol. It is a Mail Transfer Agent (MTA).
#
# Postfix listens on port 25 (SMTP) for incoming mail from
# other servers on the Internet. It is responsible for very
# basic email filtering such as by IP address and greylisting,
# it checks that the destination address is valid, rewrites
# destinations according to aliases, and passses email on to
# another service for local mail delivery.
#
# The first hop in local mail delivery is to Spamassassin via
# LMTP. Spamassassin then passes mail over to Dovecot for
# storage in the user's mailbox.
#
# Postfix also listens on port 587 (SMTP+STARTLS) for
# connections from users who can authenticate and then sends
# their email out to the outside world. Postfix queries Dovecot
# to authenticate users.
#
# Address validation, alias rewriting, and user authentication
# is configured in a separate setup script mail-users.sh
# because of the overlap of this part with the Dovecot
# configuration.
source setup/functions.sh # load our functions
source /etc/mailinabox.conf # load global vars
2014-09-21 17:43:21 +00:00
# ### Install packages.
2014-07-10 07:18:01 +00:00
2014-10-04 21:57:26 +00:00
# Install postfix's packages.
#
# * `postfix`: The SMTP server.
# * `postfix-pcre`: Enables header filtering.
# * `postgrey`: A mail policy service that soft-rejects mail the first time
# it is received. Spammers don't usually try agian. Legitimate mail
# always will.
# * `ca-certificates`: A trust store used to squelch postfix warnings about
# untrusted opportunistically-encrypted connections.
2015-08-19 19:58:35 +00:00
echo "Installing Postfix (SMTP server)..."
2018-07-07 18:41:41 +00:00
apt_install postfix postfix-sqlite postfix-pcre postgrey ca-certificates
2014-07-10 07:18:01 +00:00
2014-09-21 17:43:21 +00:00
# ### Basic Settings
2014-07-10 07:18:01 +00:00
2014-10-04 21:57:26 +00:00
# Set some basic settings...
#
# * Have postfix listen on all network interfaces.
2016-02-01 17:36:52 +00:00
# * Make outgoing connections on a particular interface (if multihomed) so that SPF passes on the receiving side.
2014-10-04 21:57:26 +00:00
# * Set our name (the Debian default seems to be "localhost" but make it our hostname).
# * Set the name of the local machine to localhost, which means xxx@localhost is delivered locally, although we don't use it.
# * Set the SMTP banner (which must have the hostname first, then anything).
2014-07-10 07:18:01 +00:00
tools/editconf.py /etc/postfix/main.cf \
inet_interfaces = all \
2016-02-01 17:36:52 +00:00
smtp_bind_address = $PRIVATE_IP \
smtp_bind_address6 = $PRIVATE_IPV6 \
2014-07-10 07:18:01 +00:00
myhostname = $PRIMARY_HOSTNAME \
2014-08-16 13:16:01 +00:00
smtpd_banner = "\$myhostname ESMTP Hi, I'm a Mail-in-a-Box (Ubuntu/Postfix; see https://mailinabox.email/)" \
2014-07-10 07:18:01 +00:00
mydestination = localhost
2016-02-15 23:42:03 +00:00
# Tweak some queue settings:
# * Inform users when their e-mail delivery is delayed more than 3 hours (default is not to warn).
# * Stop trying to send an undeliverable e-mail after 2 days (instead of 5), and for bounce messages just try for 1 day.
tools/editconf.py /etc/postfix/main.cf \
2016-01-21 15:05:43 +00:00
delay_warning_time = 3h \
maximal_queue_lifetime = 2d \
2016-01-21 07:38:39 +00:00
bounce_queue_lifetime = 1d
2014-07-10 07:18:01 +00:00
2014-09-21 17:43:21 +00:00
# ### Outgoing Mail
2014-07-10 07:18:01 +00:00
# Enable the 'submission' port 587 smtpd server and tweak its settings.
2014-09-21 17:43:21 +00:00
#
2018-11-30 14:49:00 +00:00
# * Enable authentication. It's disabled globally so that it is disabled on port 25,
# so we need to explicitly enable it here.
2015-03-21 16:14:01 +00:00
# * Do not add the OpenDMAC Authentication-Results header. That should only be added
# on incoming mail. Omit the OpenDMARC milter by re-setting smtpd_milters to the
# OpenDKIM milter only. See dkim.sh.
2015-05-06 00:25:03 +00:00
# * Even though we dont allow auth over non-TLS connections (smtpd_tls_auth_only below, and without auth the client cant
# send outbound mail), don't allow non-TLS mail submission on this port anyway to prevent accidental misconfiguration.
2020-01-20 10:50:52 +00:00
# Setting smtpd_tls_security_level=encrypt also triggers the use of the 'mandatory' settings below.
2014-09-21 17:43:21 +00:00
# * Give it a different name in syslog to distinguish it from the port 25 smtpd server.
# * Add a new cleanup service specific to the submission service ('authclean')
# that filters out privacy-sensitive headers on mail being sent out by
2016-10-18 18:15:33 +00:00
# authenticated users. By default Postfix also applies this to attached
# emails but we turn this off by setting nested_header_checks empty.
2014-07-10 07:18:01 +00:00
tools/editconf.py /etc/postfix/master.cf -s -w \
" submission=inet n - - - - smtpd
2018-11-30 14:49:00 +00:00
-o smtpd_sasl_auth_enable = yes
2014-07-10 07:18:01 +00:00
-o syslog_name = postfix/submission
2015-03-21 16:14:01 +00:00
-o smtpd_milters = inet:127.0.0.1:8891
2015-05-06 00:25:03 +00:00
-o smtpd_tls_security_level = encrypt
2014-07-10 07:18:01 +00:00
-o cleanup_service_name = authclean" \
" authclean=unix n - - - 0 cleanup
2016-10-18 18:15:33 +00:00
-o header_checks = pcre:/etc/postfix/outgoing_mail_header_filters
-o nested_header_checks = "
2014-07-10 07:18:01 +00:00
# Install the `outgoing_mail_header_filters` file required by the new 'authclean' service.
cp conf/postfix_outgoing_mail_header_filters /etc/postfix/outgoing_mail_header_filters
2015-06-28 19:06:05 +00:00
# Modify the `outgoing_mail_header_filters` file to use the local machine name and ip
# on the first received header line. This may help reduce the spam score of email by
# removing the 127.0.0.1 reference.
sed -i " s/PRIMARY_HOSTNAME/ $PRIMARY_HOSTNAME / " /etc/postfix/outgoing_mail_header_filters
sed -i " s/PUBLIC_IP/ $PUBLIC_IP / " /etc/postfix/outgoing_mail_header_filters
2020-01-20 10:50:52 +00:00
# Enable TLS on incoming connections. It is not required on port 25, allowing for opportunistic
# encryption. On port 587 it is mandatory (see above). Shared and non-shared settings are
# given here. Shared settings include:
# * Require TLS before a user is allowed to authenticate.
# * Set the path to the server TLS certificate and 2048-bit DH parameters for old DH ciphers.
# For port 25 only:
# * Disable extremely old versions of TLS and extremely unsafe ciphers, but some mail servers out in
# the world are very far behind and if we disable too much, they may not be able to use TLS and
# won't fall back to cleartext. So we don't disable too much. smtpd_tls_exclude_ciphers applies to
# both port 25 and port 587, but because we override the cipher list for both, it probably isn't used.
# Use Mozilla's "Old" recommendations at https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=old&openssl-version=1.1.1
# For port 587 (via the 'mandatory' settings):
# * Use Mozilla's "Intermediate" TLS recommendations from https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=intermediate&openssl-version=1.1.1
# using and overriding the "high" cipher list so we don't conflict with the more permissive settings for port 25.
2014-07-10 07:18:01 +00:00
tools/editconf.py /etc/postfix/main.cf \
smtpd_tls_security_level = may\
smtpd_tls_auth_only = yes \
smtpd_tls_cert_file = $STORAGE_ROOT /ssl/ssl_certificate.pem \
smtpd_tls_key_file = $STORAGE_ROOT /ssl/ssl_private_key.pem \
2014-09-26 22:01:38 +00:00
smtpd_tls_dh1024_param_file = $STORAGE_ROOT /ssl/dh2048.pem \
2020-01-20 10:50:52 +00:00
smtpd_tls_protocols = "!SSLv2,!SSLv3" \
smtpd_tls_ciphers = medium \
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA \
smtpd_tls_exclude_ciphers = aNULL,RC4 \
2019-12-01 22:49:36 +00:00
smtpd_tls_mandatory_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
smtpd_tls_mandatory_ciphers = high \
tls_high_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 \
2020-01-20 10:50:52 +00:00
smtpd_tls_mandatory_exclude_ciphers = aNULL,DES,3DES,MD5,DES+MD5,RC4 \
2019-12-01 22:49:36 +00:00
tls_preempt_cipherlist = no \
2014-07-10 07:18:01 +00:00
smtpd_tls_received_header = yes
2014-09-21 17:43:21 +00:00
# Prevent non-authenticated users from sending mail that requires being
# relayed elsewhere. We don't want to be an "open relay". On outbound
# mail, require one of:
#
2014-10-13 14:00:26 +00:00
# * `permit_sasl_authenticated`: Authenticated users (i.e. on port 587).
# * `permit_mynetworks`: Mail that originates locally.
# * `reject_unauth_destination`: No one else. (Permits mail whose destination is local and rejects other mail.)
2014-09-21 17:43:21 +00:00
tools/editconf.py /etc/postfix/main.cf \
smtpd_relay_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
# ### DANE
2014-10-04 21:57:26 +00:00
2014-07-10 07:18:01 +00:00
# When connecting to remote SMTP servers, prefer TLS and use DANE if available.
2014-08-02 15:39:47 +00:00
#
2014-10-04 21:57:26 +00:00
# Prefering ("opportunistic") TLS means Postfix will use TLS if the remote end
# offers it, otherwise it will transmit the message in the clear. Postfix will
# accept whatever SSL certificate the remote end provides. Opportunistic TLS
# protects against passive easvesdropping (but not man-in-the-middle attacks).
2019-12-01 22:49:36 +00:00
# Since we'd rather have poor encryption than none at all, we use Mozilla's
# "Old" recommendations at https://ssl-config.mozilla.org/#server=postfix&server-version=3.3.0&config=old&openssl-version=1.1.1
# for opportunistic encryption but "Intermediate" recommendations when DANE
2020-01-20 10:50:52 +00:00
# is used (see next and above). The cipher lists are set above.
2019-12-01 22:49:36 +00:00
2014-10-04 21:57:26 +00:00
# DANE takes this a step further:
2014-08-02 15:39:47 +00:00
# Postfix queries DNS for the TLSA record on the destination MX host. If no TLSA records are found,
2014-07-10 07:18:01 +00:00
# then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records
# or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC
# itself but assumes the system's nameserver does and reports DNSSEC status. Thus this also
2018-10-03 18:28:43 +00:00
# relies on our local DNS server (see system.sh) and `smtp_dns_support_level=dnssec`.
2014-08-02 15:39:47 +00:00
#
2014-10-04 21:57:26 +00:00
# The `smtp_tls_CAfile` is superflous, but it eliminates warnings in the logs about untrusted certs,
# which we don't care about seeing because Postfix is doing opportunistic TLS anyway. Better to encrypt,
# even if we don't know if it's to the right party, than to not encrypt at all. Instead we'll
# now see notices about trusted certs. The CA file is provided by the package `ca-certificates`.
2014-07-10 07:18:01 +00:00
tools/editconf.py /etc/postfix/main.cf \
2016-06-12 12:59:53 +00:00
smtp_tls_protocols = \! SSLv2,\! SSLv3 \
smtp_tls_ciphers = medium \
2020-01-20 10:50:52 +00:00
smtp_tls_exclude_ciphers = aNULL,RC4 \
2014-07-10 07:18:01 +00:00
smtp_tls_security_level = dane \
smtp_dns_support_level = dnssec \
2019-12-01 22:49:36 +00:00
smtp_tls_mandatory_protocols = "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" \
smtp_tls_mandatory_ciphers = high \
2014-08-02 15:39:47 +00:00
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt \
2014-07-10 07:18:01 +00:00
smtp_tls_loglevel = 2
2014-09-21 17:43:21 +00:00
# ### Incoming Mail
2014-07-10 07:18:01 +00:00
# Pass any incoming mail over to a local delivery agent. Spamassassin
# will act as the LDA agent at first. It is listening on port 10025
# with LMTP. Spamassassin will pass the mail over to Dovecot after.
#
2014-09-21 17:43:21 +00:00
# In a basic setup we would pass mail directly to Dovecot by setting
# virtual_transport to `lmtp:unix:private/dovecot-lmtp`.
2014-07-10 07:18:01 +00:00
tools/editconf.py /etc/postfix/main.cf virtual_transport = lmtp:[ 127.0.0.1] :10025
2019-02-25 18:18:30 +00:00
# Because of a spampd bug, limit the number of recipients in each connection.
# See https://github.com/mail-in-a-box/mailinabox/issues/1523.
tools/editconf.py /etc/postfix/main.cf lmtp_destination_recipient_limit = 1
2014-07-10 07:18:01 +00:00
# Who can send mail to us? Some basic filters.
#
2014-10-13 14:00:26 +00:00
# * `reject_non_fqdn_sender`: Reject not-nice-looking return paths.
# * `reject_unknown_sender_domain`: Reject return paths with invalid domains.
2015-06-20 10:27:18 +00:00
# * `reject_authenticated_sender_login_mismatch`: Reject if mail FROM address does not match the client SASL login
2014-10-13 14:00:26 +00:00
# * `reject_rhsbl_sender`: Reject return paths that use blacklisted domains.
# * `permit_sasl_authenticated`: Authenticated users (i.e. on port 587) can skip further checks.
# * `permit_mynetworks`: Mail that originates locally can skip further checks.
# * `reject_rbl_client`: Reject connections from IP addresses blacklisted in zen.spamhaus.org
# * `reject_unlisted_recipient`: Although Postfix will reject mail to unknown recipients, it's nicer to reject such mail ahead of greylisting rather than after.
# * `check_policy_service`: Apply greylisting using postgrey.
#
# Notes: #NODOC
# permit_dnswl_client can pass through mail from whitelisted IP addresses, which would be good to put before greylisting #NODOC
# so these IPs get mail delivered quickly. But when an IP is not listed in the permit_dnswl_client list (i.e. it is not #NODOC
# whitelisted) then postfix does a DEFER_IF_REJECT, which results in all "unknown user" sorts of messages turning into #NODOC
# "450 4.7.1 Client host rejected: Service unavailable". This is a retry code, so the mail doesn't properly bounce. #NODOC
2014-07-10 07:18:01 +00:00
tools/editconf.py /etc/postfix/main.cf \
2015-06-20 10:27:18 +00:00
smtpd_sender_restrictions = "reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,reject_rhsbl_sender dbl.spamhaus.org" \
2014-08-03 00:06:54 +00:00
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,"reject_rbl_client zen.spamhaus.org" ,reject_unlisted_recipient,"check_policy_service inet:127.0.0.1:10023"
2014-07-10 07:18:01 +00:00
2015-01-02 23:37:14 +00:00
# Postfix connects to Postgrey on the 127.0.0.1 interface specifically. Ensure that
# Postgrey listens on the same interface (and not IPv6, for instance).
2015-05-19 09:53:10 +00:00
# A lot of legit mail servers try to resend before 300 seconds.
# As a matter of fact RFC is not strict about retry timer so postfix and
# other MTA have their own intervals. To fix the problem of receiving
# e-mails really latter, delay of greylisting has been set to
# 180 seconds (default is 300 seconds).
2015-01-02 23:37:14 +00:00
tools/editconf.py /etc/default/postgrey \
2019-11-23 12:58:29 +00:00
POSTGREY_OPTS = \" '--inet=127.0.0.1:10023 --delay=180' \"
2019-08-31 12:38:41 +00:00
# We are going to setup a newer whitelist for postgrey, the version included in the distribution is old
cat > /etc/cron.daily/mailinabox-postgrey-whitelist << EOF;
#!/bin/bash
# Mail-in-a-Box
# check we have a postgrey_whitelist_clients file and that it is not older than 28 days
2019-09-06 19:59:30 +00:00
if [ ! -f /etc/postgrey/whitelist_clients ] || find /etc/postgrey/whitelist_clients -mtime +28 | grep -q '.' ; then
2019-08-31 12:38:41 +00:00
# ok we need to update the file, so lets try to fetch it
if curl https://postgrey.schweikert.ch/pub/postgrey_whitelist_clients --output /tmp/postgrey_whitelist_clients -sS --fail > /dev/null 2>& 1 ; then
# if fetching hasn't failed yet then check it is a plain text file
# curl manual states that --fail sometimes still produces output
# this final check will at least check the output is not html
# before moving it into place
if [ "\$(file -b --mime-type /tmp/postgrey_whitelist_clients)" = = "text/plain" ] ; then
mv /tmp/postgrey_whitelist_clients /etc/postgrey/whitelist_clients
service postgrey restart
else
rm /tmp/postgrey_whitelist_clients
fi
fi
fi
EOF
chmod +x /etc/cron.daily/mailinabox-postgrey-whitelist
/etc/cron.daily/mailinabox-postgrey-whitelist
2015-01-02 23:37:14 +00:00
2014-07-10 07:18:01 +00:00
# Increase the message size limit from 10MB to 128MB.
2014-10-16 21:49:28 +00:00
# The same limit is specified in nginx.conf for mail submitted via webmail and Z-Push.
2014-07-10 07:18:01 +00:00
tools/editconf.py /etc/postfix/main.cf \
message_size_limit = 134217728
2020-05-30 14:17:11 +00:00
# install the postfix MTA-STS resolver. the MTA-STS resolver service is
# used by Postfix to ensure outgoing mail uses TLS when the recipient
# announces MTA-STS.
hide_output /usr/bin/pip3 install --upgrade postfix-mta-sts-resolver aiosqlite
# add a user to use solely for MTA-STS resolution
id -u mta-sts & >/dev/null || useradd -c "Daemon for MTA-STS policy checks" mta-sts -s /usr/sbin/nologin
# create systemd services for MTA-STS
cat > /etc/systemd/system/postfix-mta-sts-daemon@.service << EOF
[ Unit]
Description = Postfix MTA STS daemon instance
After = syslog.target network.target
[ Service]
Type = notify
User = mta-sts
Group = mta-sts
ExecStart = /usr/local/bin/mta-sts-daemon
Restart = always
KillMode = process
TimeoutStartSec = 10
TimeoutStopSec = 30
[ Install]
WantedBy = multi-user.target
EOF
cat > /etc/systemd/system/postfix-mta-sts.service << EOF
[ Unit]
Description = Postfix MTA STS daemon
After = syslog.target network.target
[ Service]
Type = oneshot
RemainAfterExit = yes
ExecStart = /bin/systemctl start postfix-mta-sts-daemon@main.service
ExecReload = /bin/systemctl start postfix-mta-sts-daemon@backup.service ; /bin/systemctl restart postfix-mta-sts-daemon@main.service ; /bin/systemctl stop postfix-mta-sts-daemon@backup.service
ExecStop = /bin/systemctl stop postfix-mta-sts-daemon@main.service
[ Install]
WantedBy = multi-user.target
EOF
# create the cache directory for the MTA-STS daemon
mkdir -p $STORAGE_ROOT /mta-sts
chown -R mta-sts:mta-sts $STORAGE_ROOT /mta-sts
# configure the MTA-STS daemon for postfix
cat > /etc/mta-sts-daemon.yml << EOF
host: 127.0.0.1
port: 8461
reuse_port: true
shutdown_timeout: 20
cache:
type: sqlite
options:
filename: " $STORAGE_ROOT /mta-sts/mta-sts-cache.db "
default_zone:
strict_testing: false
timeout: 4
zones:
myzone:
strict_testing: false
timeout: 4
EOF
# add postfix configuration
tools/editconf.py /etc/postfix/main.cf \
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
# enable and start the MTA-STS service
hide_output /bin/systemctl enable postfix-mta-sts.service
restart_service postfix-mta-sts
2014-07-10 07:18:01 +00:00
# Allow the two SMTP ports in the firewall.
ufw_allow smtp
ufw_allow submission
# Restart services
2014-08-02 15:39:47 +00:00
restart_service postfix
2015-05-29 12:59:24 +00:00
restart_service postgrey