[ "$1" = "configure" ] || exit 0
[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
-# Load CARNet Tools
+# Load CARNET Tools
. /usr/share/carnet-tools/functions.sh
+
# Load Debconf
. /usr/share/debconf/confmodule
db_set postfix-cn/rbl "$rbl" || true
fi
+# Wed, 12 Jun 2013 15:15:28 +0200
+# dnsbl.njabl.org je ugasen 2013-03
+if echo $rbl | grep -q dnsbl.njabl.org; then
+ rbl="`echo $rbl | sed 's/dnsbl.njabl.org, //g'`"
+ # za svaki slucaj, ako je na kraju
+ rbl="`echo $rbl | sed 's/dnsbl.njabl.org//g'`"
+ db_set postfix-cn/rbl "$rbl" || true
+fi
+
db_get postfix-cn/matchgecos || true
matchgecos="$RET"
cp -pf /etc/postfix/master.cf /etc/postfix/master.cf.dpkg-tmp.$$
cp -pf /etc/postfix/main.cf /etc/postfix/main.cf.dpkg-tmp.$$
-# srediti master.cf za TLS
+# srediti master.cf za TLS & submission & retry
if [ -f /etc/postfix/master.cf ]; then
cp_check_and_sed '^#tlsmgr' \
's/^#tlsmgr/tlsmgr/g' \
/etc/postfix/master.cf || true
+ cp_check_and_sed '^#submission' \
+ 's/^#submission/submission/g' \
+ /etc/postfix/master.cf || true
+
+ cp_check_and_sed '^#retry' \
+ 's/^#retry/retry/g' \
+ /etc/postfix/master.cf || true
+
cp_check_and_sed '^#smtps' \
's/^#smtps/smtps/g' \
/etc/postfix/master.cf || true
+
+ cp_check_and_sed '^# -o' \
+ 's/^# -o/ -o/g' \
+ /etc/postfix/master.cf || true
+
+ for option in "-o milter_macro_daemon_name=ORIGINATING" \
+ "-o smtpd_recipient_restrictions=" \
+ "-o smtpd_reject_unlisted_recipient=no" \
+ "-o smtpd_relay_restrictions=permit_sasl_authenticated,reject" \
+ "-o smtpd_sasl_auth_enable=yes" \
+ "-o smtpd_tls_security_level=encrypt" \
+ "-o smtpd_tls_wrappermode=yes" \
+ "-o syslog_name=postfix/smtps" \
+ "-o syslog_name=postfix/submission"; do
+ cp_check_and_sed "^# $option" \
+ "s/# $option/$option/g" \
+ /etc/postfix/master.cf || true
+ done
+
+ for option in "o smtpd_client_restrictions=" \
+ "o smtpd_helo_restrictions=" \
+ "o smtpd_sender_restrictions="; do
+ cp_check_and_sed "$option" \
+ "s/.*$option/# -$option/g" \
+ /etc/postfix/master.cf || true
+ done
fi
# ovo manje/vise uzima kao default, ali u slucaju da je multihomed stroj,
postconf -e append_dot_mydomain="yes"
postconf -e append_at_myorigin="yes"
-# dodaj 127.0.0.0/8 i netaddr
+# dodaj 127.0.0.0/8, netaddr i ipv6-localhost
+# dodaje izlazne servere za webmail --zelja
mynetworks="`postconf -h mynetworks`"
-for i in "127.0.0.0/8" "$netaddr"; do
+for i in "127.0.0.0/8" "\[::1\]/128" "$netaddr" "193.198.233.95" "193.198.233.96"; do
if ! echo $mynetworks | grep -q $i; then
mynetworks="$mynetworks, $i"
fi
reject_unauth_pipelining, \
permit_sasl_authenticated, \
permit_mynetworks, \
- reject_unauth_destination"
+ reject_unauth_destination, \
+ check_client_access hash:/etc/postfix/access_client_cn, \
+ check_helo_access hash:/etc/postfix/access_helo_cn, \
+ check_sender_access hash:/etc/postfix/access_sender_cn, \
+ check_recipient_access hash:/etc/postfix/access_recipient_cn, \
+ check_header_access regexp:/etc/postfix/access_header_cn, \
+ check_mime_header_access regexp:/etc/postfix/access_mime_header_cn, \
+ check_body_access regexp:/etc/postfix/access_body_cn"
# dodaj samo rbl-ove iz debconfa
if [ "$rbl" ]; then
# restart saslauthd
if [ "$restart_saslauthd" = "yes" ]; then
- if [ -x /usr/sbin/invoke-rc.d ]; then
- [ -x /etc/init.d/saslauthd ] && invoke-rc.d saslauthd restart
- else
- [ -x /etc/init.d/saslauthd ] && /etc/init.d/saslauthd restart
- fi
-fi
-
-# izgenerirati certifikate
-cert="postfix" # basename of certificate
-description="Postfix SMTP daemon" # descriptive text
-cd /etc/ssl/certs
-PATH=$PATH:/usr/bin/ssl
-if [ -f "$cert.pem" ]; then
- echo "CN: You already have /etc/ssl/certs/$cert.pem"
-else
- echo "CN: Creating generic self-signed certificate: /etc/ssl/certs/$cert.pem"
- echo "CN: (replace with hand-crafted or authorized one if needed)."
- HOSTNAME=`hostname -s`
- FQDN=`hostname -f`
- openssl req -new -x509 -days 365 -nodes -out "$cert.pem" -keyout "$cert.pem" > /dev/null 2>&1 <<+
-.
-.
-.
-$description
-$hostname
-$fqdn
-root@$mailname
-+
- ln -sf "$cert.pem" `openssl x509 -noout -hash < "$cert.pem"`.0
- chown root:root "/etc/ssl/certs/$cert.pem"
- chmod 0640 "/etc/ssl/certs/$cert.pem"
+ service saslauthd restart
fi
# TLS stuff
-postconf -e smtp_use_tls="yes"
-postconf -e smtp_tls_session_cache_database="sdbm:/var/lib/postfix/smtp_scache"
+postconf -e smtp_tls_security_level="may"
+postconf -e smtp_tls_session_cache_database="btree:/var/lib/postfix/smtp_scache"
postconf -e smtp_tls_session_cache_timeout="3600s"
-postconf -e smtpd_use_tls="yes"
-postconf -e smtpd_tls_session_cache_database="sdbm:/var/lib/postfix/smtpd_scache"
+postconf -e smtpd_tls_security_level="may"
+postconf -e smtpd_tls_session_cache_database="btree:/var/lib/postfix/smtpd_scache"
postconf -e smtpd_tls_session_cache_timeout="3600s"
postconf -e tls_random_source="dev:/dev/urandom"
postconf -e smtpd_tls_exclude_ciphers="aNULL"
postconf -e smtpd_tls_mandatory_exclude_ciphers="aNULL"
-# ako je postavljen neki drugi certifikat, ne diraj
-smtp_tls_cert_file="`postconf -h smtp_tls_cert_file`"
-if [ -z "$smtp_tls_cert_file" ]; then
- postconf -e smtp_tls_cert_file="/etc/ssl/certs/$cert.pem"
+
+# nije potrebno generiranje certifikata jer postfix koristi paket ssl-cert
+# ako je postavljen snakeoil certifikat za smtpd_tls_* postavi isti za smtp_tls_*
+smtpd_tls_cert_file="`postconf -h smtpd_tls_cert_file`"
+if [ "$smtpd_tls_cert_file" = "/etc/ssl/certs/ssl-cert-snakeoil.pem" ]; then
+ postconf -e smtp_tls_cert_file="/etc/ssl/certs/ssl-cert-snakeoil.pem"
+ postconf -e smtp_tls_key_file="/etc/ssl/private/ssl-cert-snakeoil.key"
fi
+
+# ako je prazan, postavi na defaultni iz paketa ssl-cert
smtpd_tls_cert_file="`postconf -h smtpd_tls_cert_file`"
if [ -z "$smtpd_tls_cert_file" ]; then
- postconf -e smtpd_tls_cert_file="/etc/ssl/certs/$cert.pem"
-fi
-smtp_tls_key_file="`postconf -h smtp_tls_key_file`"
-if [ -z "$smtp_tls_key_file" ]; then
- postconf -e smtp_tls_key_file="\$smtp_tls_cert_file"
+ postconf -e smtpd_tls_cert_file="/etc/ssl/certs/ssl-cert-snakeoil.pem"
+ postconf -e smtpd_tls_key_file="/etc/ssl/private/ssl-cert-snakeoil.key"
fi
-smtpd_tls_key_file="`postconf -h smtpd_tls_key_file`"
-if [ -z "$smtpd_tls_key_file" ]; then
- postconf -e smtpd_tls_key_file="\$smtpd_tls_cert_file"
+smtp_tls_cert_file="`postconf -h smtp_tls_cert_file`"
+if [ -z "$smtp_tls_cert_file" ]; then
+ postconf -e smtp_tls_cert_file="/etc/ssl/certs/ssl-cert-snakeoil.pem"
+ postconf -e smtp_tls_key_file="/etc/ssl/private/ssl-cert-snakeoil.key"
fi
# prije bilo u /etc/postfix/, od verzije 2.1.5-2 je u /var/spool/postfix
fi
rm -f /etc/postfix/main.cf.dpkg-tmp.$$
-if ! grep -q "retry unix - - - - - error" /etc/postfix/master.cf; then
- echo "CN: Please, add this line in /etc/postfix/master.cf and restart Postfix."
- echo "retry unix - - - - - error"
- echo
-fi
+#if ! grep -q "retry unix - - y - - error" /etc/postfix/master.cf; then
+# echo "CN: Please, add this line in /etc/postfix/master.cf and restart Postfix."
+# echo "retry unix - - y - - error"
+# echo
+#fi
# kreiraj aliases_gecos
-if [ -x /usr/share/postfix-cn/make-aliases-gecos.sh ]; then
+if [ -x /usr/sbin/newaliases-gecos ]; then
if [ "$matchgecos" = "true" ]; then
echo "CN: Creating GECOS alias map..."
- /usr/share/postfix-cn/make-aliases-gecos.sh
+ /usr/sbin/newaliases-gecos
fi
fi
+# rjesava gresku using backwards-compatible default setting chroot=y
+
+for service in smtp/inet smtp/unix submission/inet pickup/fifo cleanup/unix qmgr/fifo rewrite/unix bounce/unix defer/unix trace/unix verify/unix flush/unix relay/unix showq/unix error/unix scache/unix discard/unix retry/unix
+do
+ postconf -F $service/chroot=y
+done
+restart_postfix="yes"
+
+
+# obavijest za webmail
+
+cp-update -t postfix-cn /etc/postfix/main.cf <<EOF
+
+# Posluzitelji "193.198.233.95" "193.198.233.96" su odlazni posluzitelji za webmail.carnet.hr
+# Ukoliko koristite uslugu CARNET-ovog Webmaila, nemojte ih brisati iz "mynetworks"!
+
+EOF
+
+test -f /etc/postfix/access_client_cn && /usr/sbin/postmap /etc/postfix/access_client_cn
+test -f /etc/postfix/access_recipient_cn && /usr/sbin/postmap /etc/postfix/access_recipient_cn
+test -f /etc/postfix/access_sender_cn && /usr/sbin/postmap /etc/postfix/access_sender_cn
+test -f /etc/postfix/access_helo_cn && /usr/sbin/postmap /etc/postfix/access_helo_cn
+
+
# restart
if [ "$restart_postfix" = "yes" ]; then
- if [ -x /usr/sbin/invoke-rc.d ]; then
- [ -x /etc/init.d/postfix ] && invoke-rc.d postfix restart
- else
- [ -x /etc/init.d/postfix ] && /etc/init.d/postfix restart
- fi
+ service postfix restart
fi
cp_mail postfix-cn
+
+#DEBHELPER#
projects / postfix-cn.git / blobdiff