Merge branch 'master' into patch-1

2 files changed, 66 insertions, 13 deletions

diff --git a/adddomain.sh b/adddomain.sh
new file mode 100755
index 0000000..d44b567
--- /dev/null
+++ b/adddomain.sh
@@ -0,0 +1,43 @@
+#!/bin/sh
+
+domain="$1"
+[ -z "$1" ] && exit
+
+domain="$1"
+subdom="mail"
+
+# Add the domain to the valid postfix addresses.
+grep -q "^mydestination.*$domain" /etc/postfix/main.cf ||
+	sed -i "s/^mydestination.*/&, $domain/" /etc/postfix/main.cf
+
+# Create DKIM for new domain.
+mkdir -p "/etc/postfix/dkim/$domain"
+opendkim-genkey -D "/etc/postfix/dkim/$domain" -d "$domain" -s "$subdom"
+chgrp -R opendkim /etc/postfix/dkim/*
+chmod -R g+r /etc/postfix/dkim/*
+
+# Add entries to keytable and signing table.
+echo "$subdom._domainkey.$domain $domain:$subdom:/etc/postfix/dkim/$domain/$subdom.private" >> /etc/postfix/dkim/keytable
+echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable
+
+systemctl reload opendkim postfix
+
+# Print out DKIM TXT entry.
+pval="$(tr -d '\n' <"/etc/postfix/dkim/$domain/$subdom.txt" | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o 'p=.*')"
+
+dkimentry="$subdom._domainkey.$domain	TXT	v=DKIM1; k=rsa; $pval"
+dmarcentry="_dmarc.$domain	TXT	v=DMARC1; p=reject; rua=mailto:dmarc@$domain; fo=1"
+spfentry="$domain	TXT	v=spf1 mx a:$maildomain -all"
+mxentry="$domain	MX	10	$maildomain	300"
+
+echo "$dkimentry
+$dmarcentry
+$spfentry
+$mxentry" >> "$HOME/dns_emailwizard_added"
+
+echo "=== ADD THE FOLLOWING TO YOUR DNS TXT RECORDS ==="
+echo "$dkimentry
+$dmarcentry
+$spfentry
+$mxentry"
+echo "They have also been stored in ~/dns_emailwizard_added"
diff --git a/emailwiz.sh b/emailwiz.sh
index d4018b4..56e57bd 100644
--- a/emailwiz.sh
+++ b/emailwiz.sh
@@ -17,7 +17,7 @@
 
 umask 0022
 
-install_packages="postfix postfix-pcre dovecot-imapd dovecot-pop3d dovecot-sieve opendkim opendkim-tools spamassassin spamc net-tools fail2ban"
+install_packages="postfix postfix-pcre dovecot-imapd dovecot-pop3d dovecot-sieve opendkim opendkim-tools spamassassin spamc net-tools fail2ban bind9-host"
 
 systemctl -q stop dovecot
 systemctl -q stop postfix
@@ -54,8 +54,14 @@ if [ "$use_cert_config" = "yes" ]; then
 
 fi
 
+# Preliminary record checks
+ipv4=$(host "$domain" | grep -m1 -Eo '([0-9]+\.){3}[0-9]+')
+[ -z "$ipv4" ] && echo "\033[0;31mPlease point your domain ("$domain") to your server's ipv4 address." && exit 1
+ipv6=$(host "$domain" | grep "IPv6" | awk '{print $NF}')
+[ -z "$ipv6" ] && echo "\033[0;31mPlease point your domain ("$domain") to your server's ipv6 address." && exit 1
+
 # Open required mail ports
-for port in 993 465 25 587; do
+for port in 80 993 465 25 587 110 995; do
 	ufw allow "$port" 2>/dev/null
 done
 
@@ -125,7 +131,7 @@ if [ "$selfsigned" != "yes" ]; then
 	postconf -e "smtp_tls_CAfile=$certdir/cert.pem"
 fi
 
-# Enable, but do not require TLS. Requiring it with other server would cause
+# Enable, but do not require TLS. Requiring it with other servers would cause
 # mail delivery problems and requiring it locally would cause many other
 # issues.
 postconf -e 'smtpd_tls_security_level = may'
@@ -162,8 +168,8 @@ postconf -e 'smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authentica
 
 # NOTE: the trailing slash here, or for any directory name in the home_mailbox
 # command, is necessary as it distinguishes a maildir (which is the actual
-# directories that what we want) from a spoolfile (which is what old unix
-# boomers want and no one else).
+# directory that we want) from a spoolfile (which is what old unix boomers want
+# and no one else).
 postconf -e 'home_mailbox = Mail/Inbox/'
 
 # Prevent "Received From:" header in sent emails in order to prevent leakage of public ip addresses
@@ -264,7 +270,7 @@ namespace inbox {
 }
 }
 
-# Here we let Postfix use Dovecot's authetication system.
+# Here we let Postfix use Dovecot's authentication system.
 service auth {
   unix_listener /var/spool/postfix/private/auth {
 	mode = 0660
@@ -371,6 +377,10 @@ postconf -e 'smtpd_milters = inet:localhost:12301'
 postconf -e 'non_smtpd_milters = inet:localhost:12301'
 postconf -e 'mailbox_command = /usr/lib/dovecot/deliver'
 
+# Long-term fix to prevent SMTP smuggling
+postconf -e 'smtpd_forbid_bare_newline = normalize'
+postconf -e 'smtpd_forbid_bare_newline_exclusions = $mynetworks'
+
 # A fix for "Opendkim won't start: can't open PID file?", as specified here: https://serverfault.com/a/847442
 /lib/opendkim/opendkim.service.generate
 systemctl daemon-reload
@@ -412,20 +422,20 @@ done
 
 pval="$(tr -d '\n' <"/etc/postfix/dkim/$domain/$subdom.txt" | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o 'p=.*')"
 dkimentry="$subdom._domainkey.$domain	TXT	v=DKIM1; k=rsa; $pval"
-dmarcentry="_dmarc.$domain	TXT	v=DMARC1; p=reject; rua=mailto:dmarc@$domain; fo=1"
-spfentry="$domain	TXT	v=spf1 mx a:$maildomain -all"
+dmarcentry="_dmarc.$domain	TXT	v=DMARC1; p=reject; rua=mailto:postmaster@$domain; fo=1"
+spfentry="$domain	TXT	v=spf1 mx a:$maildomain ip4:$ipv4 ip6:$ipv6 -all"
 mxentry="$domain	MX	10	$maildomain	300"
 
-useradd -m -G mail dmarc
+useradd -m -G mail postmaster
 
-# Create a cronjob that deletes month-old dmarc feedback:
-cat <<EOF > /etc/cron.weekly/dmarc-clean
+# Create a cronjob that deletes month-old postmaster mails:
+cat <<EOF > /etc/cron.weekly/postmaster-clean
 #!/bin/sh
 
-find /home/dmarc/Mail -type f -mtime +30 -name '*.mail*' -delete >/dev/null 2>&1
+find /home/postmaster/Mail -type f -mtime +30 -name '*.mail*' -delete >/dev/null 2>&1
 exit 0
 EOF
-chmod 755 /etc/cron.weekly/dmarc-clean
+chmod 755 /etc/cron.weekly/postmaster-clean
 
 grep -q '^deploy-hook = echo "$RENEWED_DOMAINS" | grep -q' /etc/letsencrypt/cli.ini ||
 	echo "