mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-12-22 07:17:05 +00:00
assume scripts are running as root, dont sudo everything
This commit is contained in:
parent
eb47a1471b
commit
e06b4f5ccf
@ -5,7 +5,7 @@
|
||||
|
||||
# Install packages.
|
||||
|
||||
sudo DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
|
||||
postfix postgrey dovecot-core dovecot-imapd dovecot-lmtpd dovecot-sqlite
|
||||
|
||||
# POSTFIX
|
||||
@ -13,8 +13,8 @@ sudo DEBIAN_FRONTEND=noninteractive apt-get install -q -y \
|
||||
mkdir -p $STORAGE_ROOT/mail
|
||||
|
||||
# TLS configuration
|
||||
sudo sed -i "s/#submission/submission/" /etc/postfix/master.cf # enable submission port (not in Drew Crawford's instructions)
|
||||
sudo tools/editconf.py /etc/postfix/main.cf \
|
||||
sed -i "s/#submission/submission/" /etc/postfix/master.cf # enable submission port (not in Drew Crawford's instructions)
|
||||
tools/editconf.py /etc/postfix/main.cf \
|
||||
smtpd_use_tls=yes\
|
||||
smtpd_tls_auth_only=yes \
|
||||
smtp_tls_security_level=may \
|
||||
@ -24,19 +24,19 @@ sudo tools/editconf.py /etc/postfix/main.cf \
|
||||
# note: smtpd_use_tls=yes appears to already be the default, but we can never be too sure
|
||||
|
||||
# authorization via dovecot
|
||||
sudo tools/editconf.py /etc/postfix/main.cf \
|
||||
tools/editconf.py /etc/postfix/main.cf \
|
||||
smtpd_sasl_type=dovecot \
|
||||
smtpd_sasl_path=private/auth \
|
||||
smtpd_sasl_auth_enable=yes \
|
||||
smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
|
||||
|
||||
sudo tools/editconf.py /etc/postfix/main.cf mydestination=localhost
|
||||
tools/editconf.py /etc/postfix/main.cf mydestination=localhost
|
||||
|
||||
# message delivery is directly to dovecot
|
||||
sudo tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:unix:private/dovecot-lmtp
|
||||
tools/editconf.py /etc/postfix/main.cf virtual_transport=lmtp:unix:private/dovecot-lmtp
|
||||
|
||||
# domain and user table is configured in a Sqlite3 database
|
||||
sudo tools/editconf.py /etc/postfix/main.cf \
|
||||
tools/editconf.py /etc/postfix/main.cf \
|
||||
virtual_mailbox_domains=sqlite:/etc/postfix/virtual-mailbox-domains.cf \
|
||||
virtual_mailbox_maps=sqlite:/etc/postfix/virtual-mailbox-maps.cf \
|
||||
virtual_alias_maps=sqlite:/etc/postfix/virtual-alias-maps.cf \
|
||||
@ -44,17 +44,17 @@ sudo tools/editconf.py /etc/postfix/main.cf \
|
||||
|
||||
db_path=$STORAGE_ROOT/mail/users.sqlite
|
||||
|
||||
sudo su root -c "cat > /etc/postfix/virtual-mailbox-domains.cf" << EOF;
|
||||
cat > /etc/postfix/virtual-mailbox-domains.cf << EOF;
|
||||
dbpath=$db_path
|
||||
query = SELECT 1 FROM users WHERE email LIKE '%%@%s'
|
||||
EOF
|
||||
|
||||
sudo su root -c "cat > /etc/postfix/virtual-mailbox-maps.cf" << EOF;
|
||||
cat > /etc/postfix/virtual-mailbox-maps.cf << EOF;
|
||||
dbpath=$db_path
|
||||
query = SELECT 1 FROM users WHERE email='%s'
|
||||
EOF
|
||||
|
||||
sudo su root -c "cat > /etc/postfix/virtual-alias-maps.cf" << EOF;
|
||||
cat > /etc/postfix/virtual-alias-maps.cf << EOF;
|
||||
dbpath=$db_path
|
||||
query = SELECT destination FROM aliases WHERE source='%s'
|
||||
EOF
|
||||
@ -72,22 +72,22 @@ fi
|
||||
# The dovecot-imapd dovecot-lmtpd packages automatically enable those protocols.
|
||||
|
||||
# mail storage location
|
||||
sudo tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \
|
||||
tools/editconf.py /etc/dovecot/conf.d/10-mail.conf \
|
||||
mail_location=maildir:$STORAGE_ROOT/mail/mailboxes/%d/%n \
|
||||
mail_privileged_group=mail \
|
||||
first_valid_uid=0
|
||||
|
||||
# authentication mechanisms
|
||||
sudo tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
|
||||
tools/editconf.py /etc/dovecot/conf.d/10-auth.conf \
|
||||
disable_plaintext_auth=yes \
|
||||
"auth_mechanisms=plain login"
|
||||
|
||||
# use SQL-based authentication, not the system users
|
||||
sudo sed -i "s/\(\!include auth-system.conf.ext\)/#\1/" /etc/dovecot/conf.d/10-auth.conf
|
||||
sudo sed -i "s/#\(\!include auth-sql.conf.ext\)/\1/" /etc/dovecot/conf.d/10-auth.conf
|
||||
sed -i "s/\(\!include auth-system.conf.ext\)/#\1/" /etc/dovecot/conf.d/10-auth.conf
|
||||
sed -i "s/#\(\!include auth-sql.conf.ext\)/\1/" /etc/dovecot/conf.d/10-auth.conf
|
||||
|
||||
# how to access SQL
|
||||
sudo su root -c "cat > /etc/dovecot/conf.d/auth-sql.conf.ext" << EOF;
|
||||
cat > /etc/dovecot/conf.d/auth-sql.conf.ext << EOF;
|
||||
passdb {
|
||||
driver = sql
|
||||
args = /etc/dovecot/dovecot-sql.conf.ext
|
||||
@ -97,7 +97,7 @@ userdb {
|
||||
args = uid=mail gid=mail home=$STORAGE_ROOT/mail/mailboxes/%d/%n
|
||||
}
|
||||
EOF
|
||||
sudo su root -c "cat > /etc/dovecot/dovecot-sql.conf.ext" << EOF;
|
||||
cat > /etc/dovecot/dovecot-sql.conf.ext << EOF;
|
||||
driver = sqlite
|
||||
connect = $db_path
|
||||
default_pass_scheme = SHA512-CRYPT
|
||||
@ -106,25 +106,25 @@ EOF
|
||||
|
||||
# disable in-the-clear IMAP and POP because we're paranoid (we haven't even
|
||||
# enabled POP).
|
||||
sudo sed -i "s/#port = 143/port = 0/" /etc/dovecot/conf.d/10-master.conf
|
||||
sudo sed -i "s/#port = 110/port = 0/" /etc/dovecot/conf.d/10-master.conf
|
||||
sed -i "s/#port = 143/port = 0/" /etc/dovecot/conf.d/10-master.conf
|
||||
sed -i "s/#port = 110/port = 0/" /etc/dovecot/conf.d/10-master.conf
|
||||
|
||||
# Modify the unix socket for LMTP.
|
||||
sudo sed -i "s/unix_listener lmtp \(.*\)/unix_listener \/var\/spool\/postfix\/private\/dovecot-lmtp \1\n user = postfix\n group = postfix\n/" /etc/dovecot/conf.d/10-master.conf
|
||||
sed -i "s/unix_listener lmtp \(.*\)/unix_listener \/var\/spool\/postfix\/private\/dovecot-lmtp \1\n user = postfix\n group = postfix\n/" /etc/dovecot/conf.d/10-master.conf
|
||||
|
||||
# Add an additional auth socket for postfix. Check if it already is
|
||||
# set to make sure this is idempotent.
|
||||
if sudo grep -q "mailinabox-postfix-private-auth" /etc/dovecot/conf.d/10-master.conf; then
|
||||
if grep -q "mailinabox-postfix-private-auth" /etc/dovecot/conf.d/10-master.conf; then
|
||||
# already done
|
||||
true;
|
||||
else
|
||||
sudo sed -i "s/\(\s*unix_listener auth-userdb\)/ unix_listener \/var\/spool\/postfix\/private\/auth \{ # mailinabox-postfix-private-auth\n mode = 0666\n user = postfix\n group = postfix\n \}\n\1/" /etc/dovecot/conf.d/10-master.conf
|
||||
sed -i "s/\(\s*unix_listener auth-userdb\)/ unix_listener \/var\/spool\/postfix\/private\/auth \{ # mailinabox-postfix-private-auth\n mode = 0666\n user = postfix\n group = postfix\n \}\n\1/" /etc/dovecot/conf.d/10-master.conf
|
||||
fi
|
||||
|
||||
# Drew Crawford sets the auth-worker process to run as the mail user, but we don't care if it runs as root.
|
||||
|
||||
# Enable SSL.
|
||||
sudo tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
|
||||
tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
|
||||
ssl=required \
|
||||
"ssl_cert=<$STORAGE_ROOT/ssl/ssl_certificate.pem" \
|
||||
"ssl_key=<$STORAGE_ROOT/ssl/ssl_private_key.pem" \
|
||||
@ -133,22 +133,22 @@ sudo tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
|
||||
# in /etc/dovecot/dovecot.pem and /etc/dovecot/private/dovecot.pem, which we'll
|
||||
# use unless certificates already exist.
|
||||
mkdir -p $STORAGE_ROOT/ssl
|
||||
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then sudo cp /etc/dovecot/dovecot.pem $STORAGE_ROOT/ssl/ssl_certificate.pem; fi
|
||||
if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then sudo cp /etc/dovecot/private/dovecot.pem $STORAGE_ROOT/ssl/ssl_private_key.pem; fi
|
||||
if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then cp /etc/dovecot/dovecot.pem $STORAGE_ROOT/ssl/ssl_certificate.pem; fi
|
||||
if [ ! -f $STORAGE_ROOT/ssl/ssl_private_key.pem ]; then cp /etc/dovecot/private/dovecot.pem $STORAGE_ROOT/ssl/ssl_private_key.pem; fi
|
||||
|
||||
sudo chown -R mail:dovecot /etc/dovecot
|
||||
sudo chmod -R o-rwx /etc/dovecot
|
||||
chown -R mail:dovecot /etc/dovecot
|
||||
chmod -R o-rwx /etc/dovecot
|
||||
|
||||
mkdir -p $STORAGE_ROOT/mail/mailboxes
|
||||
sudo chown -R mail.mail $STORAGE_ROOT/mail/mailboxes
|
||||
chown -R mail.mail $STORAGE_ROOT/mail/mailboxes
|
||||
|
||||
# restart services
|
||||
sudo service postfix restart
|
||||
sudo service dovecot restart
|
||||
service postfix restart
|
||||
service dovecot restart
|
||||
|
||||
# allow mail-related ports in the firewall
|
||||
sudo ufw allow smtp
|
||||
sudo ufw allow submission
|
||||
sudo ufw allow imaps
|
||||
ufw allow smtp
|
||||
ufw allow submission
|
||||
ufw allow imaps
|
||||
|
||||
|
||||
|
@ -1,11 +1,11 @@
|
||||
# Base system configuration.
|
||||
|
||||
sudo apt-get -q update
|
||||
sudo apt-get -q -y upgrade
|
||||
apt-get -q update
|
||||
apt-get -q -y upgrade
|
||||
|
||||
# Basic packages.
|
||||
|
||||
sudo apt-get -q -y install sqlite3
|
||||
apt-get -q -y install sqlite3
|
||||
|
||||
# Turn on basic services:
|
||||
#
|
||||
@ -15,15 +15,15 @@ sudo apt-get -q -y install sqlite3
|
||||
#
|
||||
# These services don't need further configuration and are started immediately after installation.
|
||||
|
||||
sudo apt-get install -q -y ntp fail2ban
|
||||
apt-get install -q -y ntp fail2ban
|
||||
|
||||
# Turn on the firewall. First allow incoming SSH, then turn on the firewall. Additional open
|
||||
# ports will be set up in the scripts that set up those services.
|
||||
sudo ufw allow ssh
|
||||
#sudo ufw allow domain
|
||||
#sudo ufw allow http
|
||||
#sudo ufw allow https
|
||||
sudo ufw --force enable
|
||||
ufw allow ssh
|
||||
#ufw allow domain
|
||||
#ufw allow http
|
||||
#ufw allow https
|
||||
ufw --force enable
|
||||
|
||||
# Mount the storage volume.
|
||||
export STORAGE_ROOT=/home/ubuntu/storage
|
||||
|
Loading…
Reference in New Issue
Block a user