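#!/bin/bash
# Everything below rewrites files under /etc, generates key material and
# manages services, so refuse to continue as a non-root user instead of
# printing a warning and then failing half-way through.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s\n' "Error, can only be executed by root" >&2
  exit 1
fi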
# SOFTWARE="opensmtpd opensmtpd-extras dovecot-imapd spamassassin spampd dkimproxy"
# Space-separated package list consumed by INSTALLER (passed to apt-get unquoted
# on purpose so it splits into one argument per package).
SOFTWARE='opensmtpd opensmtpd-extras dovecot-imapd dkimproxy'
#######################################
# Prints the warning/disclaimer banner and aborts the script.
# Arguments: none
# Outputs:   banner on stdout
# Returns:   never returns; exits with status 1
#######################################
HELP() {
  printf '\n\n\t!! WARNING !! \t\t***\t\t !! WARNING !!\n\n'
  printf '%s\n' \
    "* Please kept private this code." \
    "* This was written solely for educational purposes." \
    "* Use it at your own risk."
  printf '* The author will be not responsible for any damage.\n\n'
  exit 1
}
#######################################
# Prints the version history to stdout and aborts the script.
# Arguments: none
# Outputs:   one changelog entry per line
# Returns:   never returns; exits with status 1
#######################################
VERSION() {
  printf '%s\n' \
    "v0.1 - ZmEu <zmeu@whitehat.ro>" \
    "v0.2 - ZmEu <zmeu@whitehat.ro>" \
    " - Fixed" \
    " - Upgrade from smtpd 6.x to 6.7.x" \
    "v0.3 - ZmEu <zmeu@whitehat.ro> 20082020" \
    " - Added: process/user/ram limit on dovecot" \
    " - Removed: spamassasin" \
    " - Moved: dovecot logs to /dev/null due annoying service client_limit"
  exit 1
}
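#######################################
# Generates a random alphanumeric password.
# Arguments: $1 - password length, a non-negative integer (default 8)
# Outputs:   the password followed by a newline on stdout
# Returns:   0 on success, 1 when the length argument is not a number
#######################################
PASS() {
  local length=${1:-8}
  local -r matrix="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
  local result

  case "$length" in
    ''|*[!0-9]*)
      printf 'PASS: length must be a non-negative integer, got %s\n' "$length" >&2
      return 1
      ;;
  esac

  # Draw from the kernel CSPRNG instead of $RANDOM: $RANDOM is a 15-bit,
  # non-cryptographic generator and not suitable for secrets. LC_ALL=C keeps
  # tr byte-oriented so the alphabet is matched literally. All state is local,
  # so repeated calls in the same shell do not accumulate (the previous version
  # kept a global counter and a global PASS string between calls).
  result=$(LC_ALL=C tr -dc "$matrix" </dev/urandom | head -c "$length")
  printf '%s\n' "$result"
}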
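#######################################
# Installs and configures the OpenSMTPD + Dovecot + dkimproxy stack.
# Globals:   SOFTWARE (read) - package list handed to apt-get
# Arguments: none
# Outputs:   the DKIM DNS record value and the generated mailbox password
#            on stdout; both are also written to ./.pw (owner-only mode)
# Returns:   0 on success, 1 when package installation fails
# Side effects: wipes /etc/mail/* and /etc/dovecot/*, generates keys and
#            a certificate under /etc/ssl, rewrites several system config
#            files and (re)starts the services.
#######################################
INSTALLER() {
  local fw smtp_pass queue_enc dkim_pub

  # $SOFTWARE is a space-separated package list; word splitting is intended.
  # Abort before wiping /etc/mail if the packages could not be installed.
  # shellcheck disable=SC2086
  apt-get -y -f install $SOFTWARE || {
    printf '%s\n' "Error: package installation failed, nothing was changed." >&2
    return 1
  }

  systemctl stop dovecot
  # systemctl stop spamassassin
  systemctl stop spampd   # leftover from the spam setup; harmless if the unit is absent
  systemctl stop opensmtpd
  systemctl stop dkimproxy

  mkdir -p /etc/mail
  # Existing mail configuration is replaced wholesale by the templates below.
  rm -rf /etc/mail/* /etc/dovecot/*

  fw=$(PASS)
  smtp_pass=$(smtpctl encrypt "$fw")
  queue_enc=$(openssl rand -hex 16)

  gpasswd -a dovecot mail
  # gpasswd -a spampd debian-spamd
  gpasswd -a opensmtpd mail
  # update-rc.d spamassassin defaults
  update-rc.d dovecot defaults
  # update-rc.d spampd defaults
  update-rc.d opensmtpd defaults
  update-rc.d dkimproxy defaults

  # 4096-bit DH parameters take several minutes to generate.
  openssl dhparam -out /etc/ssl/dh.pem 4096
  openssl genrsa -out /etc/ssl/private/mail.hat.cx.key 4096
  openssl req -new -x509 -key /etc/ssl/private/mail.hat.cx.key \
    -subj "/C=UK/L=London/OU=WhiteHat/O=WhiteHat/CN=mail.hat.cx" \
    -out /etc/ssl/certs/mail.hat.cx.crt -days 730
  openssl genrsa -out /etc/ssl/private/dkim.key 4096
  # openssl rsa -in /etc/ssl/private/dkim.key -pubout -out /etc/ssl/dkim.pub
  # DER-encoded public key as single-line base64: the p= value of the DKIM TXT record.
  dkim_pub=$(openssl rsa -in /etc/ssl/private/dkim.key -pubout -outform der 2>/dev/null | openssl base64 -A)

  printf '\nDKIM DNS este: %s\nParola este: %s\n\n' "$dkim_pub" "$fw"

  # The password and the DNS record are also kept in ./.pw (current directory).
  # Recreate it under umask 077 so the secret is not readable by other local users.
  rm -f -- .pw
  (
    umask 077
    printf '%s\n' "$fw" > .pw
    printf '"v=DKIM1;k=rsa;p=%s"\n' "$dkim_pub" >> .pw
  )

  # The credentials table holds the encrypted mailbox password; create it
  # owner-only from the start (final mode/owner are set further down).
  (
    umask 077
    printf '%s\n' "zmeu@whitehat.ro:$smtp_pass" > /etc/mail/credentials
  )
  printf '%s\n' "zmeu@whitehat.ro:mail" > /etc/mail/virtuals
  printf '%s\n' "mail:/dev/null" > /etc/mail/aliases
  printf '%s\n' "whitehat.ro" > /etc/mail/domains
  printf '%s\n' 'include "/etc/mail/smtpd.conf"' > /etc/smtpd.conf
  printf '%s\n' "whitehat.ro" > /etc/mailname

  # The delimiter is quoted: nothing inside the templates is expanded by the shell.
  cat <<"END" > /etc/mail/smtpd.conf
filter check_dyndns phase connect match rdns regex { ".*\.dyn\..*", ".*\.dsl\..*", ".*\.shodan\.io", ".*\.censys\.io", ".*\.stretchoid\.com", ".*\.ipip\.net", ".*\.censys-scanner\.com" } disconnect "550 Error: I can break rules, too. Goodbye."
filter check_rdns phase connect match !rdns disconnect "550 Error: I can break rules, too. Goodbye."
filter check_fcrdns phase connect match !fcrdns disconnect "550 Error: I can break rules, too. Goodbye."
filter all_filters chain { check_dyndns, check_rdns, check_fcrdns }
mta limit
smtp limit max-rcpt 1000
smtp limit max-mails 100
smtp max-message-size 100M
bounce warn-interval 60s
queue compression
queue encryption 342f7804b6f3c3fb246f0b7d4d11bda7
pki "mail.hat.cx" key "/etc/ssl/private/mail.hat.cx.key"
pki "mail.hat.cx" cert "/etc/ssl/certs/mail.hat.cx.crt"
table aliases file:/etc/mail/aliases
table credentials file:/etc/mail/credentials
table virtuals file:/etc/mail/virtuals
table domains file:/etc/mail/domains
# listen on 127.0.0.1 port 10026 tag SPAM_IN
listen on 127.0.0.1 port 10028 tag DKIM_OUT
listen on 8.9.5.28 tls pki "mail.hat.cx" filter all_filters
listen on 8.9.5.28 smtps pki "mail.hat.cx"
listen on 8.9.5.28 port submission tls-require pki "mail.hat.cx" auth <credentials>
listen on :: tls pki "mail.hat.cx" filter all_filters
listen on :: smtps pki "mail.hat.cx"
listen on :: port submission tls-require pki "mail.hat.cx" auth <credentials>
action MAIL_IN maildir "/var/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}" virtual <virtuals>
action LOCAL_IN mbox alias <aliases>
# action RELAY_SPAM_IN relay host "smtp://127.0.0.1:10025"
action RELAY relay
action RELAY_OUT relay host smtp://127.0.0.1:10027
match tag DKIM_OUT for any action RELAY
# match tag SPAM_IN for domain <domains> action MAIL_IN
# match from any for domain <domains> action RELAY_SPAM_IN
match for domain <domains> action MAIL_IN
match from any for domain <domains> action RELAY
match auth from any for any action RELAY_OUT
match from local for local action LOCAL_IN
### from smtpd 6.x
# limit mta
# limit session max-rcpt 1000
# limit session max-mails 100
# queue compression
# queue encryption key 342f7804b6f3c3fb246f0b7d4d11bda7
# max-message-size 100M
# bounce-warn 1h
# expire 1h
# pki "mail.hat.cx" key "/etc/ssl/private/mail.hat.cx.key"
# pki "mail.hat.cx" certificate "/etc/ssl/certs/mail.hat.cx.crt"
# table aliases file:/etc/mail/aliases
# table credentials file:/etc/mail/credentials
# table virtuals file:/etc/mail/virtuals
# table domains file:/etc/mail/domains
# listen on lo port 10026 tag SPAM_IN
# listen on lo port 10028 tag DKIM_OUT
# listen on ens3 tls pki "mail.hat.cx"
# listen on ens3 smtps pki "mail.hat.cx"
# listen on ens3 port submission tls-require pki "mail.hat.cx" auth <credentials>
# accept tagged SPAM_IN for domain <domains> virtual <virtuals> deliver to maildir "/var/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}"
# accept from any for domain <domains> relay via "smtp://127.0.0.1:10025"
# accept for local alias <aliases> deliver to mbox
# accept tagged DKIM_OUT for any relay
# accept from local for any relay via smtp://127.0.0.1:10027
END

  cat <<"END" > /etc/dovecot/dovecot.conf
listen = *, [::]
auth_mechanisms = plain
protocols = imap lmtp
ssl = required
ssl_key = </etc/ssl/private/mail.hat.cx.key
ssl_cert = </etc/ssl/certs/mail.hat.cx.crt
ssl_dh = </etc/ssl/dh.pem
mail_location = maildir:/var/mail/%Ld/%Ln
mbox_write_locks = fcntl
mmap_disable = yes
first_valid_uid = 8
first_valid_gid = 8
mail_privileged_group = mail
default_process_limit = 40
default_client_limit = 20
default_vsz_limit = 64M
default_idle_kill = 1M
mail_max_userip_connections = 10
login_greeting = "Error: I can break rules, too. Goodbye."
info_log_path = /dev/null
log_path = /dev/null
passdb {
args = scheme=sha512-crypt username_format=%Lu /etc/mail/credentials
driver = passwd-file
}
userdb {
args = uid=mail gid=mail home=/var/mail/%d/%n
driver = static
}
service imap-login {
service_count = 1
vsz_limit = 64M
inet_listener imaps {
port = 993
ssl = yes
}
inet_listener imap {
port = 0
}
}
END

  cat <<"END" > /etc/dkimproxy/dkimproxy_out.conf
listen 127.0.0.1:10027
relay 127.0.0.1:10028
domain whitehat.ro
signature dkim(c=relaxed)
signature domainkeys(c=nofws)
keyfile /etc/ssl/private/dkim.key
selector default
END

  cat <<"END" > /etc/default/dkimproxy
RUN_DKIMPROXY_OUT="1"
RUN_DKIMPROXY_IN="0"
DKIMPROXY_IN_CONF="/etc/dkimproxy/dkimproxy_in.conf"
DKIMPROXY_OUT_CONF="/etc/dkimproxy/dkimproxy_out.conf"
DKIMPROXYUSER="dkimproxy"
DKIMPROXYGROUP="ssl-cert"
DKIMPROXY_OUT_PRIVKEY="/etc/ssl/private/dkim.key"
DKIM_HOSTNAME="whitehat.ro"
DOMAIN="whitehat.ro"
DKIMPROXY_IN_MIN_SERVERS="1"
DKIMPROXY_OUT_MIN_SERVERS="1"
END

  # Swap the placeholder queue key in the template for the freshly generated
  # one ($queue_enc is hex only, so it is safe inside the sed expression).
  sed -i "s/342f7804b6f3c3fb246f0b7d4d11bda7/$queue_enc/" /etc/mail/smtpd.conf
  # sed -i "s/# rewrite_header Subject \*\*\*\*\*SPAM\*\*\*\*\*/rewrite_header Subject \[SPAM\]/" /etc/spamassassin/local.cf
  # sed -i "s/#RUN_DKIMPROXY_OUT/RUN_DKIMPROXY_OUT/" /etc/default/dkimproxy
  # sed -i "s/#RUN_DKIMPROXY_IN=1/RUN_DKIMPROXY_IN=0/" /etc/default/dkimproxy
  # sed -i "s/#DKIMPROXY_IN_MIN_SERVERS=5/DKIMPROXY_IN_MIN_SERVERS=1/" /etc/default/dkimproxy
  # sed -i "s/#DKIMPROXY_OUT_MIN_SERVERS=5/DKIMPROXY_OUT_MIN_SERVERS=1/" /etc/default/dkimproxy
  # sed -i "s/#DKIMPROXY_OUT_CONF/DKIMPROXY_OUT_CONF/" /etc/default/dkimproxy

  # NOTE(review): an empty executable named lmtp is created here and the whole
  # dovecot lib dir is handed to the dovecot user; the script does not record
  # why (presumably tied to "protocols = imap lmtp" above) — confirm before changing.
  touch /usr/lib/dovecot/lmtp
  chmod a+x /usr/lib/dovecot/lmtp
  chown -R dovecot:dovecot /usr/lib/dovecot

  chmod 0440 /etc/mail/credentials
  chown dovecot /etc/mail/credentials
  chown dkimproxy:ssl-cert /etc/ssl/private/dkim.key
  # Make sure the signing key is not world-readable whatever umask genrsa ran
  # under; dkimproxy reads it as owner (see DKIMPROXYUSER above).
  chmod 640 /etc/ssl/private/dkim.key
  # chown spampd:spampd /var/cache/spampd
  # Private key and certificate are plain files, so owner read/write is enough
  # (no execute bit needed).
  chmod 600 /etc/ssl/private/mail.hat.cx.key
  chmod 600 /etc/ssl/certs/mail.hat.cx.crt

  systemctl start dovecot
  # systemctl start spamassassin
  # systemctl start spampd
  systemctl start opensmtpd
  systemctl start dkimproxy
  printf '%s\n' "DONE."
}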
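# Command-line dispatch: -i runs the installer, -v prints the changelog,
# -h (or any unrecognised flag) prints the banner. Invoking the script with
# no option at all also shows the banner instead of exiting silently.
if [ $# -eq 0 ]; then
  HELP
fi
while getopts "ivh" Option; do
  case "$Option" in
    i) INSTALLER ;;
    v) VERSION ;;
    h) HELP ;;
    *) HELP ;;
  esac
done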