#!/bin/bash
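# Refuse to run as anything but root. Everything below installs packages,
# wipes and rewrites /etc/mail and /etc/dovecot and restarts services, so a
# non-root run would fail part-way and leave a half-configured host; the
# original printed this message but (with the exit commented out) carried on.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "Error, can only be executed by root" >&2
  exit 1
fi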
# Debian packages that INSTALLER hands to apt-get. Space-separated on purpose:
# INSTALLER expands it unquoted so apt-get sees one argument per package.
# spamassassin and spampd were part of this list until v0.3 (see VERSION).
SOFTWARE='opensmtpd opensmtpd-extras dovecot-imapd dkimproxy'
HELP() {
  # Disclaimer banner printed for -h and for any unknown flag. Always exits 1
  # so a run that only showed the banner is never mistaken for a successful one.
  # Output text is kept byte-for-byte with the original.
  printf '\n\n\t!! WARNING !! \t\t***\t\t !! WARNING !!\n\n'
  printf '%s\n' \
    "* Please kept private this code." \
    "* This was written solely for educational purposes." \
    "* Use it at your own risk."
  printf '* The author will be not responsible for any damage.\n\n'
  exit 1
}
VERSION() {
  # Changelog shown for -v. Exits 1 like HELP, so "-v" cannot be chained as a
  # successful step. Heredoc is quoted: nothing inside is expanded.
  cat <<'EOF'
v0.1 - ZmEu <zmeu@whitehat.ro>
v0.2 - ZmEu <zmeu@whitehat.ro>
 - Fixed
 - Upgrade from smtpd 6.x to 6.7.x
v0.3 - ZmEu <zmeu@whitehat.ro> 20082020
 - Added: process/user/ram limit on dovecot
 - Removed: spamassasin
 - Moved: dovecot logs to /dev/null due annoying service client_limit
EOF
  exit 1
}
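#######################################
# Print a random alphanumeric password.
# Arguments: $1 - length in characters (default 8, the original fixed size)
# Outputs:   the password followed by a newline on stdout
# Returns:   0
#######################################
PASS() {
  local length=${1:-8}
  local -r matrix='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
  local pass
  # Draw from /dev/urandom instead of $RANDOM: this value becomes the SMTP
  # submission credential and bash's $RANDOM is a small, guessable PRNG.
  # All state is local; the original kept its counter and buffer in globals,
  # so a second call skipped the loop and printed the first password again.
  pass=$(LC_ALL=C tr -dc "$matrix" </dev/urandom | head -c "$length")
  printf '%s\n' "$pass"
}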
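#######################################
# Install and configure the mail stack (OpenSMTPD, Dovecot IMAP, dkimproxy)
# on a Debian-style host with systemd.
# DESTRUCTIVE: empties /etc/mail and /etc/dovecot, regenerates the TLS and
# DKIM keys and restarts the services. The hostname, domain and listen
# address (mail.hat.cx / whitehat.ro / 8.9.5.28) are hard-coded below.
# Globals:   SOFTWARE (read) - space-separated package list for apt-get
# Outputs:   generated password and DKIM DNS record on stdout, and in ./.pw
#            (created mode 0600 in the current working directory)
# Returns:   0 on success, 1 if smtpctl could not hash the password
#######################################
INSTALLER() {
  local fw smtp_pass queue_enc dkim_pub
  # shellcheck disable=SC2086 -- SOFTWARE is a deliberately unquoted word list
  apt-get -y -f install $SOFTWARE
  systemctl stop dovecot
  # systemctl stop spamassassin
  systemctl stop spampd
  systemctl stop opensmtpd
  systemctl stop dkimproxy
  mkdir -p /etc/mail
  # Intentional wipe of any previous configuration; nothing is backed up.
  rm -rf /etc/mail/* /etc/dovecot/*
  fw=$(PASS)
  # Hash the password via stdin rather than argv so the clear text never
  # shows up in the process list while smtpctl runs.
  smtp_pass=$(printf '%s\n' "$fw" | smtpctl encrypt)
  if [[ -z "$smtp_pass" ]]; then
    echo "Error, smtpctl encrypt returned nothing; credentials not written" >&2
    return 1
  fi
  # Per-install queue encryption key; substituted into smtpd.conf further down.
  queue_enc=$(openssl rand -hex 16)
  gpasswd -a dovecot mail
  # gpasswd -a spampd debian-spamd
  gpasswd -a opensmtpd mail
  # update-rc.d spamassassin defaults
  update-rc.d dovecot defaults
  # update-rc.d spampd defaults
  update-rc.d opensmtpd defaults
  update-rc.d dkimproxy defaults
  # 4096-bit DH parameters take a long time to generate; this is expected.
  openssl dhparam -out /etc/ssl/dh.pem 4096
  openssl genrsa -out /etc/ssl/private/mail.hat.cx.key 4096
  openssl req -new -x509 -key /etc/ssl/private/mail.hat.cx.key -subj "/C=UK/L=London/OU=WhiteHat/O=WhiteHat/CN=mail.hat.cx" -out /etc/ssl/certs/mail.hat.cx.crt -days 730
  openssl genrsa -out /etc/ssl/private/dkim.key 4096
  # openssl rsa -in /etc/ssl/private/dkim.key -pubout -out /etc/ssl/dkim.pub
  # DER-encoded public key, base64 on a single line, as used in the DKIM TXT record.
  dkim_pub=$(openssl rsa -in /etc/ssl/private/dkim.key -pubout -outform der 2>/dev/null | openssl base64 -A)
  echo ""
  echo "DKIM DNS este: $dkim_pub"
  echo "Parola este: $fw"
  echo ""
  # ./.pw holds the clear-text password: recreate it under umask 077 so it is
  # never readable by other users, not even between the two writes.
  rm -f -- .pw
  (
    umask 077
    echo "$fw" > .pw
    echo "\"v=DKIM1;k=rsa;p=$dkim_pub\"" >> .pw
  )
  echo "zmeu@whitehat.ro:$smtp_pass" > /etc/mail/credentials
  echo "zmeu@whitehat.ro:mail" > /etc/mail/virtuals
  echo "mail:/dev/null" > /etc/mail/aliases
  echo "whitehat.ro" > /etc/mail/domains
  echo "include \"/etc/mail/smtpd.conf\"" > /etc/smtpd.conf
  echo "whitehat.ro" > /etc/mailname
  # Quoted heredoc: nothing is expanded. The queue encryption key below is a
  # placeholder that sed replaces with $queue_enc once the file is written.
  cat <<"END" > /etc/mail/smtpd.conf
filter check_dyndns phase connect match rdns regex { ".*\.dyn\..*", ".*\.dsl\..*", ".*\.shodan\.io", ".*\.censys\.io", ".*\.stretchoid\.com", ".*\.ipip\.net", ".*\.censys-scanner\.com" } disconnect "550 Error: I can break rules, too. Goodbye."
filter check_rdns phase connect match !rdns disconnect "550 Error: I can break rules, too. Goodbye."
filter check_fcrdns phase connect match !fcrdns disconnect "550 Error: I can break rules, too. Goodbye."
filter all_filters chain { check_dyndns, check_rdns, check_fcrdns }
mta limit
smtp limit max-rcpt 1000
smtp limit max-mails 100
smtp max-message-size 100M
bounce warn-interval 60s
queue compression
queue encryption 342f7804b6f3c3fb246f0b7d4d11bda7
pki "mail.hat.cx" key "/etc/ssl/private/mail.hat.cx.key"
pki "mail.hat.cx" cert "/etc/ssl/certs/mail.hat.cx.crt"
table aliases file:/etc/mail/aliases
table credentials file:/etc/mail/credentials
table virtuals file:/etc/mail/virtuals
table domains file:/etc/mail/domains
# listen on 127.0.0.1 port 10026 tag SPAM_IN
listen on 127.0.0.1 port 10028 tag DKIM_OUT
listen on 8.9.5.28 tls pki "mail.hat.cx" filter all_filters
listen on 8.9.5.28 smtps pki "mail.hat.cx"
listen on 8.9.5.28 port submission tls-require pki "mail.hat.cx" auth <credentials>
listen on :: tls pki "mail.hat.cx" filter all_filters
listen on :: smtps pki "mail.hat.cx"
listen on :: port submission tls-require pki "mail.hat.cx" auth <credentials>
action MAIL_IN maildir "/var/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}" virtual <virtuals>
action LOCAL_IN mbox alias <aliases>
# action RELAY_SPAM_IN relay host "smtp://127.0.0.1:10025"
action RELAY relay
action RELAY_OUT relay host smtp://127.0.0.1:10027
match tag DKIM_OUT for any action RELAY
# match tag SPAM_IN for domain <domains> action MAIL_IN
# match from any for domain <domains> action RELAY_SPAM_IN
match for domain <domains> action MAIL_IN
match from any for domain <domains> action RELAY
match auth from any for any action RELAY_OUT
match from local for local action LOCAL_IN
### from smtpd 6.x
# limit mta
# limit session max-rcpt 1000
# limit session max-mails 100
# queue compression
# queue encryption key 342f7804b6f3c3fb246f0b7d4d11bda7
# max-message-size 100M
# bounce-warn 1h
# expire 1h
# pki "mail.hat.cx" key "/etc/ssl/private/mail.hat.cx.key"
# pki "mail.hat.cx" certificate "/etc/ssl/certs/mail.hat.cx.crt"
# table aliases file:/etc/mail/aliases
# table credentials file:/etc/mail/credentials
# table virtuals file:/etc/mail/virtuals
# table domains file:/etc/mail/domains
# listen on lo port 10026 tag SPAM_IN
# listen on lo port 10028 tag DKIM_OUT
# listen on ens3 tls pki "mail.hat.cx"
# listen on ens3 smtps pki "mail.hat.cx"
# listen on ens3 port submission tls-require pki "mail.hat.cx" auth <credentials>
# accept tagged SPAM_IN for domain <domains> virtual <virtuals> deliver to maildir "/var/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}"
# accept from any for domain <domains> relay via "smtp://127.0.0.1:10025"
# accept for local alias <aliases> deliver to mbox
# accept tagged DKIM_OUT for any relay
# accept from local for any relay via smtp://127.0.0.1:10027
END
  # NOTE(review): log_path/info_log_path are /dev/null (see VERSION v0.3), so
  # failed logins and other auth events leave no trace on this host; point
  # them at a file or syslog if you need any detection on the IMAP side.
  cat <<"END" > /etc/dovecot/dovecot.conf
listen = *, [::]
auth_mechanisms = plain
protocols = imap lmtp
ssl = required
ssl_key = </etc/ssl/private/mail.hat.cx.key
ssl_cert = </etc/ssl/certs/mail.hat.cx.crt
ssl_dh = </etc/ssl/dh.pem
mail_location = maildir:/var/mail/%Ld/%Ln
mbox_write_locks = fcntl
mmap_disable = yes
first_valid_uid = 8
first_valid_gid = 8
mail_privileged_group = mail
default_process_limit = 40
default_client_limit = 20
default_vsz_limit = 64M
default_idle_kill = 1M
mail_max_userip_connections = 10
login_greeting = "Error: I can break rules, too. Goodbye."
info_log_path = /dev/null
log_path = /dev/null
passdb {
args = scheme=sha512-crypt username_format=%Lu /etc/mail/credentials
driver = passwd-file
}
userdb {
args = uid=mail gid=mail home=/var/mail/%d/%n
driver = static
}
service imap-login {
service_count = 1
vsz_limit = 64M
inet_listener imaps {
port = 993
ssl = yes
}
inet_listener imap {
port = 0
}
}
END
  # Outbound signing proxy: smtpd relays to 10027, dkimproxy signs and hands
  # the mail back on 10028 (tagged DKIM_OUT in smtpd.conf).
  cat <<"END" > /etc/dkimproxy/dkimproxy_out.conf
listen 127.0.0.1:10027
relay 127.0.0.1:10028
domain whitehat.ro
signature dkim(c=relaxed)
signature domainkeys(c=nofws)
keyfile /etc/ssl/private/dkim.key
selector default
END
  cat <<"END" > /etc/default/dkimproxy
RUN_DKIMPROXY_OUT="1"
RUN_DKIMPROXY_IN="0"
DKIMPROXY_IN_CONF="/etc/dkimproxy/dkimproxy_in.conf"
DKIMPROXY_OUT_CONF="/etc/dkimproxy/dkimproxy_out.conf"
DKIMPROXYUSER="dkimproxy"
DKIMPROXYGROUP="ssl-cert"
DKIMPROXY_OUT_PRIVKEY="/etc/ssl/private/dkim.key"
DKIM_HOSTNAME="whitehat.ro"
DOMAIN="whitehat.ro"
DKIMPROXY_IN_MIN_SERVERS="1"
DKIMPROXY_OUT_MIN_SERVERS="1"
END
  # queue_enc is hex from openssl rand, so it is safe inside the sed pattern.
  sed -i "s/342f7804b6f3c3fb246f0b7d4d11bda7/$queue_enc/" /etc/mail/smtpd.conf
  # sed -i "s/# rewrite_header Subject \*\*\*\*\*SPAM\*\*\*\*\*/rewrite_header Subject \[SPAM\]/" /etc/spamassassin/local.cf
  # sed -i "s/#RUN_DKIMPROXY_OUT/RUN_DKIMPROXY_OUT/" /etc/default/dkimproxy
  # sed -i "s/#RUN_DKIMPROXY_IN=1/RUN_DKIMPROXY_IN=0/" /etc/default/dkimproxy
  # sed -i "s/#DKIMPROXY_IN_MIN_SERVERS=5/DKIMPROXY_IN_MIN_SERVERS=1/" /etc/default/dkimproxy
  # sed -i "s/#DKIMPROXY_OUT_MIN_SERVERS=5/DKIMPROXY_OUT_MIN_SERVERS=1/" /etc/default/dkimproxy
  # sed -i "s/#DKIMPROXY_OUT_CONF/DKIMPROXY_OUT_CONF/" /etc/default/dkimproxy
  # Empty executable placeholder for lmtp; presumably satisfies a Dovecot
  # path check for the lmtp protocol enabled above -- TODO confirm still needed.
  touch /usr/lib/dovecot/lmtp
  chmod a+x /usr/lib/dovecot/lmtp
  # NOTE(review): making the dovecot user own its own binaries means a
  # compromised dovecot process can rewrite them; kept as authored.
  chown -R dovecot:dovecot /usr/lib/dovecot
  chmod 0440 /etc/mail/credentials
  chown dovecot /etc/mail/credentials
  chown dkimproxy:ssl-cert /etc/ssl/private/dkim.key
  # chown spampd:spampd /var/cache/spampd
  # 600 rather than 700: regular files need no execute bit; both are read by
  # root at service start.
  chmod 600 /etc/ssl/private/mail.hat.cx.key
  chmod 600 /etc/ssl/certs/mail.hat.cx.crt
  systemctl start dovecot
  # systemctl start spamassassin
  # systemctl start spampd
  systemctl start opensmtpd
  systemctl start dkimproxy
  echo "DONE."
}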
# Flag dispatch. HELP and VERSION exit on their own; INSTALLER returns, so
# further flags keep being processed. With no flags at all nothing runs.
while getopts "ivh" Option; do
  case "$Option" in
    i) INSTALLER ;;
    v) VERSION ;;
    *) HELP ;;
  esac
done