diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 3c45c1d..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,11 +0,0 @@
-FROM ubuntu:20.04
-RUN apt update -y && apt install -y \
- apt-transport-https
- postfix \
- apache2 \
- libapache2-mod-php7.4
-# https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#configure-kopano-dagent-for-delivery-via-unix-socket
-RUN mkdir -p /var/spool/kopano \
- chown kopano:kopano /var/spool/kopano \
- chmod go= /var/spool/kopano \
- setfacl -m u:postfix:rwx /var/spool/kopano
\ No newline at end of file
diff --git a/build b/build
deleted file mode 100644
index 28f5b34..0000000
--- a/build
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/usr/bin/bash
-docker build .
diff --git a/build.sh b/build.sh
new file mode 100644
index 0000000..dd76eb3
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/bash
+docker build -f kopano.dockerfile -t kopano:1 .
diff --git a/deploy-kopano.sh b/deploy-kopano.sh
new file mode 100644
index 0000000..386a2c3
--- /dev/null
+++ b/deploy-kopano.sh
@@ -0,0 +1,2 @@
+tar xzf core-11.0.2.50.507cbae-Ubuntu_20.04-amd64.tar.gz
+tar xzf webapp-6.0.0.57.1049268-Ubuntu_20.04-all.tar.gz
diff --git a/etc/kopano/admin.cfg b/etc/kopano/admin.cfg
new file mode 100644
index 0000000..935a65d
--- /dev/null
+++ b/etc/kopano/admin.cfg
@@ -0,0 +1,7 @@
+# The language for folders in newly-created stores, specified as a
+# locale identifier ("en_US", "de_DE", etc.)
+#default_store_locale =
+
+#server_socket = default:
+#sslkey_file = some.pem
+#sslkey_pass = magic
diff --git a/etc/kopano/autorespond.cfg b/etc/kopano/autorespond.cfg
new file mode 100644
index 0000000..cba6d83
--- /dev/null
+++ b/etc/kopano/autorespond.cfg
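Review bot: `deploy-kopano.sh` unpacks the two release tarballs with no shebang, no error handling and no integrity check, so a truncated or tampered archive is extracted silently and the second `tar` still runs after the first one fails. Start the script with `#!/usr/bin/bash` and `set -euo pipefail`, and verify the archives before extracting, e.g. `sha256sum -c <checksums-file>` against digests recorded in the repository (a placeholder until those are captured). `build.sh` in the same commit would also benefit from `set -euo pipefail`, and the `kopano.dockerfile` it now builds does not appear in the visible part of this diff, so it is not clear whether the removed `Dockerfile` steps (the `/var/spool/kopano` ownership and ACL setup that `dagent.cfg` still relies on via its unix socket) were carried over.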
@@ -0,0 +1,22 @@
+##############################################################
+# AUTORESPOND SETTINGS
+
+# Autorespond if the recipient is in the Cc field
+#autorespond_cc = no
+
+# Autorespond if the recipient is in the Bcc field
+#autorespond_bcc = no
+
+# Autorespond if the recipient is not in any of To, Cc or Bcc
+# (i.e. received the message through a distribution list)
+#autorespond_norecip = no
+
+# Only send reply to same e-mail address once per 24 hours
+#timelimit = 86400
+
+# File which contains when vacation message was sent
+#senddb = /var/lib/kopano/autorespond.db
+
+# Copy to sentmail - whether responses should be saved in the
+# users sentmail folder or not
+#copy_to_sentmail = yes
diff --git a/etc/kopano/backup.cfg b/etc/kopano/backup.cfg
new file mode 100644
index 0000000..446a394
--- /dev/null
+++ b/etc/kopano/backup.cfg
@@ -0,0 +1,31 @@
+##############################################################
+# SERVER SETTINGS
+
+# Socket to find the connection to the storage server.
+# Use https to reach servers over the network
+#server_socket = file:///var/run/kopano/server.sock
+
+# Login to the storage server using this SSL Key
+#sslkey_file = /etc/kopano/ssl/search.pem
+
+# The password of the SSL Key
+#sslkey_pass = replace-with-server-cert-password
+
+##############################################################
+# LOG SETTINGS
+
+# Logging method (syslog, file)
+#log_method = file
+
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+#log_level = 3
+
+# Logfile for log_method = file, use '-' for stderr
+# Default: -
+#log_file = /var/log/kopano/backup.log
+
+##############################################################
+# BACKUP SETTINGS
+
+# maximum number of stores to backup in parallel
+#worker_processes = 1
diff --git a/etc/kopano/dagent.cfg b/etc/kopano/dagent.cfg
new file mode 100644
index 0000000..556cbba
--- /dev/null
+++ b/etc/kopano/dagent.cfg
@@ -0,0 +1,92 @@
+# See the kopano-dagent.cfg(5) manpage for details and more directives.
+
+# Space-separated list of address:port specifiers with optional %interface
+# infix for where the server should listen for LMTP connections.
+#
+# "unix:/var/spool/kopano/dagent.sock" — local socket
+# "*:236" — port 2003, all protocols
+# "[::]:236" — port 2003 on IPv6 only
+# "[2001:db8::1]:236" — port 2003 on specific address only
+#
+#lmtp_listen = *%lo:2003
+lmtp_listen = unix:/var/spool/kopano/dagent.sock
+
+# connection to the storage server
+#server_socket = file:///var/run/kopano/server.sock
+# Login to the storage server using this SSL Key
+#sslkey_file = /etc/kopano/ssl/dagent.pem
+# The password of the SSL Key
+#sslkey_pass = replace-with-dagent-cert-password
+
+#log_method = auto
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+log_level = 5
+log_file = /var/log/kopano/dagent.log
+log_timestamp = yes
+
+# Log raw message to a file. Can be "no", "all", or a list of usernames
+# for which messages should be saved.
+#log_raw_message = no
+#log_raw_message_path = /var/lib/kopano
+
+# Maximum LMTP threads that can be running simultaneously
+# This is also limited by your SMTP server. (20 is the postfix default concurrency limit)
+#lmtp_max_threads = 20
+
+# The following e-mail header will mark the mail as spam, so the mail
+# is placed in the Junk Mail folder, and not the Inbox.
+# The name is case insensitive.
+# set to empty to not use this detection scheme.
+#spam_header_name = X-Spam-Status
+
+# If the above header is found, and contains the following value
+# the mail will be considered as spam.
+# Notes:
+# - The value is case insensitive.
+# - Leading and trailing spaces are stripped.
+# - The word 'bayes' also contains the word 'yes'.
+#spam_header_value = Yes,
+
+# Enable archive_on_delivery to automatically archive all incoming
+# messages on delivery.
+# This will do nothing if no archive is attached to the target mailbox.
+#archive_on_delivery = no
+
+# Enable the dagent Python plugin framework. Disables threading.
+#plugin_enabled = yes
+
+# Path to the activated dagent plugins.
+# This folder contains symlinks to the kopano plugins and custom scripts. The plugins are
+# installed in '/usr/share/kopano-dagent/python/plugins/'. To activate a plugin create a symbolic
+# link in the 'plugin_path' directory.
+#
+# Example:
+# $ ln -s /usr/share/kopano-dagent/python/plugins/BMP2PNG.py /var/lib/kopano/dagent/plugins/BMP2PNG.py
+#plugin_path = /var/lib/kopano/dagent/plugins
+
+##############################################################
+# DAGENT RULE SETTINGS
+
+# Enable the addition of X-Kopano-Rule-Action headers on messages
+# that have been forwarded or replied by a rule.
+#set_rule_headers = yes
+
+# Enable this option to prevent rules from potentially causing a loop. An
+# e-mail can only be forwarded once when this option is enabled. Requires the
+# set_rule_headers option to also be enabled.
+#no_double_forward = yes
+
+# Domain list to which forwarding is allowed. (Cuts off after 1000 characters,
+# and knows no escape chars, so use the _file variants if needed.)
+#forward_whitelist_domains = *
+#forward_whitelist_domains_file =
+#forward_whitelist_domain_subject = REJECT: %subject not forwarded (administratively blocked)
+#forward_whitelist_domain_message = The Kopano mail system has rejected your request to forward your e-mail with subject %subject (via mail filters) to %sender: the operation is not permitted.\n\nRemove the rule or contact your administrator about the forward_whitelist_domains setting.
+#forward_whitelist_domain_message_file =
+
+# When multiple HTML MIME parts are found, they can be joined to form a
+# continuous e-mail. (If not, they will become attachments.) Joining them
+# however can compromise the document integrity, as stylesheets and JavaScripts
+# affect the entire joined document.
+#
+#insecure_html_join = no
diff --git a/etc/kopano/gateway.cfg b/etc/kopano/gateway.cfg
new file mode 100644
index 0000000..9a326d3
--- /dev/null
+++ b/etc/kopano/gateway.cfg
@@ -0,0 +1,47 @@
+# See the kopano-gateway.cfg(5) manpage for details and more directives.
+
+# Space-separated list of address:port specifiers with optional %interface
+# infix for where the server should listen for connections.
+# imaps is normally on 993, pop3s on 995.
+#
+#pop3_listen = *%lo:110
+#pop3s_listen =
+#imap_listen = *%lo:143
+#imaps_listen =
+# File with RSA key for SSL
+#ssl_private_key_file = /etc/kopano/gateway/privkey.pem
+#File with certificate for SSL
+#ssl_certificate_file = /etc/kopano/gateway/cert.pem
+
+# Disable all plaintext authentications unless SSL/TLS is used
+#disable_plaintext_auth = no
+# Verify client certificate
+#ssl_verify_client = no
+# Client verify file and/or path
+#ssl_verify_file =
+#ssl_verify_path =
+#tls_min_proto = tls1.2
+
+# Connection to the storage server.
+# Please refer to the administrator manual or manpage why HTTP is used rather than the UNIX socket.
+#server_socket = http://localhost:236/
+# Bypass authentification when connecting as an administrator to the UNIX socket.
+#bypass_auth = no
+
+# Whether to show the hostname in the logon greeting to clients.
+#server_hostname_greeting = no
+# Override own DNS name for presentation in the protocol greeting line.
+#server_hostname =
+
+#log_method = auto
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+log_level = 5
+log_file = /var/log/kopano/gateway.log
+#log_timestamp = yes
+
+# Only mail folder for IMAP or all subfolders (calendar, contacts, tasks, etc. too)
+#imap_only_mailfolders = yes
+# Show Public folders for IMAP
+#imap_public_folders = yes
+# The maximum size of an email that can be uploaded to the gateway
+#imap_max_messagesize = 128M
diff --git a/etc/kopano/grapi.cfg b/etc/kopano/grapi.cfg
new file mode 100644
index 0000000..303e640
--- /dev/null
+++ b/etc/kopano/grapi.cfg
@@ -0,0 +1,38 @@
+##############################################################
+# Groupware REST API SETTINGS
+
+# Number of worker processes.
+num_workers = 2
+
+# Disable TLS validation for all client request.
+# When set to yes, TLS certificate validation is turned off. This is insecure
+# and should not be used in production setups.
+#insecure = no
+
+# Path where to create the gc-rest sockets.
+#socket_path = /var/run/kopano-grapi
+
+# Socket to find the connection to the storage server.
+# Use https to reach servers over the network.
+#server_socket = file:///var/run/kopano/server.sock
+
+# Path where to store persistent runtime data.
+#persistency_path = /var/lib/kopano-grapi
+
+# Path where to find translation catalogs.
+#translations_path = /usr/share/kopano-grapi/i18n
+
+# The API includes experimental endpoints which are not yet recommended to run
+# in production setups and are thus disabled by default. When set to yes, all
+# endpoints marked experimental are made available. Defaults to no.
+#enable_experimental_endpoints = yes
+
+###############################################################
+# Log settings
+
+# Log level controls the verbosity of the output log. It can be one of
+# `critical`, `error`, `warning`, `info` or `debug`. Defaults to `info`.
+log_level = info
+log_method = file
+log_file = /var/log/kopano/server.log
+
diff --git a/etc/kopano/ical.cfg b/etc/kopano/ical.cfg
new file mode 100644
index 0000000..f61e2ff
--- /dev/null
+++ b/etc/kopano/ical.cfg
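Review bot: `log_file = /var/log/kopano/server.log` sends grapi's log into what, by the naming every other file in this commit uses (`dagent.log`, `gateway.log`, `backup.log`, `ical.log`), is presumably the storage server's own log file, so two daemons would interleave lines in one file and make log review and any alerting on it unreliable. Use a per-component file, `log_file = /var/log/kopano/grapi.log`, and make sure the account grapi runs as can write there. Since `log_method = file` is set explicitly here while the other components keep `auto`, a one-line comment on why grapi is different would help the next reader.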
@@ -0,0 +1,34 @@
+# See the kopano-ical.cfg(5) manpage for details and more directives.
+
+# Space-separated list of address:port specifiers with optional %interface
+# infix for where the server should listen for connections.
+# ical has often been placed on 8080 and icals on 8443.
+#
+#ical_listen = *%lo:8080
+#icals_listen =
+#tls_min_proto = tls1.2
+# File with RSA key for SSL
+#ssl_private_key_file = /etc/kopano/ical/privkey.pem
+# File with certificate for SSL
+#ssl_certificate_file = /etc/kopano/ical/cert.pem
+
+# Verify client certificate
+#ssl_verify_client = no
+# Client verify file and/or path
+#ssl_verify_file =
+#ssl_verify_path =
+
+# default connection to the storage server
+# Please refer to the administrator manual or manpage why HTTP is used rather than the UNIX socket.
+#server_socket = http://localhost:236/
+
+#log_method = auto
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+#log_level = 3
+#log_file = /var/log/kopano/ical.log
+#log_timestamp = yes
+
+# The timezone of the system clock
+#server_timezone = Europe/Amsterdam
+# Enable the iCalendar GET method for downloading calendars
+#enable_ical_get = yes
diff --git a/etc/kopano/kapid-pubs-secret.key b/etc/kopano/kapid-pubs-secret.key
new file mode 100644
index 0000000..656700f
--- /dev/null
+++ b/etc/kopano/kapid-pubs-secret.key
@@ -0,0 +1 @@
+3be77a9c8294eb60dadf05399576a9048582bb77f8fc86af40660f931d743b65
\ No newline at end of file
diff --git a/etc/kopano/kapid.cfg b/etc/kopano/kapid.cfg
new file mode 100644
index 0000000..9052a5a
--- /dev/null
+++ b/etc/kopano/kapid.cfg
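Review bot: `etc/kopano/kapid-pubs-secret.key` commits the live Pubs HMAC secret to the repository, and the same applies to `etc/kopano/konnectd-encryption-secret.key` and to the RSA private key `etc/kopano/konnectkeys/konnect-20210314-0ae1.pem` that the `konnectd-signing-private-key.pem` symlink points at. Once the repository is shared, anyone with read access can mint tokens Konnect and kapid will accept, so all three must be regenerated, and deleting the files in a later commit is not enough because they remain in history. Generate them on the target host at deploy time (kapid.cfg's own comment already quotes the `openssl rand` command and konnectd.cfg the `openssl genpkey` one) or inject them from the deployment's secret store, and add `*.key` and `konnectkeys/` to `.gitignore` so they cannot be re-added by accident.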
@@ -0,0 +1,66 @@
+##############################################################
+# Kopano API SETTINGS
+
+# OpenID Connect Issuer Identifier.
+#oidc_issuer_identifier=
+
+# Address:port specifier for where kapid should listen for
+# incoming connections.
+#listen = 127.0.0.1:8039
+
+# Disable TLS validation for all client request.
+# When set to yes, TLS certificate validation is turned off. This is insecure
+# and should not be used in production setups.
+#insecure = no
+
+# Comman separated list of plugin names which should be loaded.
+# If this is not set or the value is empty, kapid scans the plugins_path
+# on startup and loads all plugins found.
+#plugins =
+
+# Path to the location of kapi plugins.
+#plugins_path = /usr/lib/kopano/kapi-plugins
+
+###############################################################
+# Log settings
+
+# Log level controls the verbosity of the output log. It can be one of
+# `panic`, `fatal`, `error`, `warn`, `info` or `debug`. Defaults to `info`.
+#log_level = info
+
+###############################################################
+# Groupware REST API (grapi) Plugin settings
+
+# Path where to find Kopano Groupware REST (grapi) sockets.
+#plugin_grapi_socket_path = /var/run/kopano-grapi
+
+###############################################################
+# Pubs API (pubs) Plugin settings
+
+# Path to a key file to be used as secret for Pubs HMAC tokens.
+# If no secret_key file is set, a random value will be generated on
+# startup (not suitable for production use, since it changes on
+# restart). A suitable key file can be generated with
+# `openssl rand -out /etc/kopano/kapid-pubs-secret.key -hex 64`.
+#plugin_pubs_secret_key = /etc/kopano/kapid-pubs-secret.key
+
+###############################################################
+# Key value store API (kvs) Plugin settings
+
+# Database backend to use for persistent storage of kvs data. A supported
+# backend must be set (sqlite3, mysql). Defaults to `sqlite3` if not set.
+#plugin_kvs_db_drivername = sqlite3
+
+# Database backend data source name. This setting depends on the storage
+# backend (plugin_kvs_db_drivername). A DNS is required to use the kvs plugin.
+# - For `sqlite3` the value should be the full path to the database file.
+# - For `mysql`, us a MySQL DSN in the following format:
+# [username[:password]@][protocol[(address)]]/dbname[?param1=value1&...¶mN=valueN]
+# See https://github.com/go-sql-driver/mysql#dsn-data-source-name for a
+# full list of supported MySQL DSN params with examples.
+# If not set and plugin_kvs_db_drivername is also not set a default value will
+# be used which uses SQLite3.
+#plugin_kvs_db_datasource = /var/lib/kopano/kapi-kvs/kvs.db
+
+# Path where to find the database migration scripts.
+#plugin_kvs_db_migrations = /usr/lib/kopano/kapi-kvs/db/migrations
diff --git a/etc/kopano/konnectd-encryption-secret.key b/etc/kopano/konnectd-encryption-secret.key
new file mode 100644
index 0000000..1dd1515
--- /dev/null
+++ b/etc/kopano/konnectd-encryption-secret.key
@@ -0,0 +1 @@
+rL(k"u$ԟ+oF3 8k
\ No newline at end of file
diff --git a/etc/kopano/konnectd-identifier-scopes.yaml b/etc/kopano/konnectd-identifier-scopes.yaml
new file mode 100644
index 0000000..f9b4b6e
--- /dev/null
+++ b/etc/kopano/konnectd-identifier-scopes.yaml
@@ -0,0 +1,14 @@
+# This file contains additional scopes for Konnect. All of the scopes listed
+# here are made available to clients upon request if not limited by other means.
+
+---
+scopes:
+ kopano/kwm:
+ description: "Access Kopano Meet"
+
+ kopano/kvs:
+ description: "Access Kopano Key Value Store"
+
+ kopano/pubs:
+ description: "Access Kopano Pub/Sub"
+
diff --git a/etc/kopano/konnectd-signing-private-key.pem b/etc/kopano/konnectd-signing-private-key.pem
new file mode 120000
index 0000000..45ad0b8
--- /dev/null
+++ b/etc/kopano/konnectd-signing-private-key.pem
@@ -0,0 +1 @@
+konnectkeys/konnect-20210314-0ae1.pem
\ No newline at end of file
diff --git a/etc/kopano/konnectd.cfg b/etc/kopano/konnectd.cfg
new file mode 100644
index 0000000..e9bf222
--- /dev/null
+++ b/etc/kopano/konnectd.cfg
@@ -0,0 +1,146 @@
+##############################################################
+# Kopano Konnect SETTINGS
+
+# OpenID Connect Issuer Identifier.
+# This setting defines the OpenID Connect Issuer Identifier to be provided by
+# this Konnect server. Setting this is mandatory and the setting must be a
+# https URL which can be accessed by all applications and users which are to
+# use this Konnect for sign-in or validation. Defaults to "https://localhost" to
+# allow unconfigured startup.
+#oidc_issuer_identifier=https://localhost
+
+# Address:port specifier for where konnectd should listen for
+# incoming connections. Defaults to `127.0.0.1:8777`.
+#listen = 127.0.0.1:8777
+
+# Disable TLS validation for all client request.
+# When set to yes, TLS certificate validation is turned off. This is insecure
+# and should not be used in production setups. Defaults to `no`.
+#insecure = no
+
+# Identity manager which provides the user backend Konnect should use. This is
+# one of `kc` or `ldap`. Defaults to `kc`, which means Konnect will use a
+# Kopano Groupware Storage server as backend.
+#identity_manager = kc
+
+# Full file path to a PEM encoded PKCS#1 or PKCS#5 private key which is used to
+# sign tokens. This file must exist and be valid to be able to start the
+# service. A suitable key can be generated with:
+# `openssl genpkey -algorithm RSA \
+# -out konnectd-signing-private-key.pem.pem \
+# -pkeyopt rsa_keygen_bits:4096`
+# If this is not set, Konnect will try to load
+# /etc/kopano/konnectd-signing-private-key.pem
+# and if not found, fall back to a random key on every startup. Not set by
+# default. If set, the file must be there.
+#signing_private_key = /etc/kopano/konnectd-signing-private-key.pem
+
+# Key ID to use in created JWT. This setting is useful once private keys need
+# to be changed because they expire. It should be a unique value identiying
+# the signing_private_key. Example: `k20180912-1`.
Not set by default, which
+# means that Konnect uses the file name of the key file (dereferencing symlinks)
+# without extension.
+#signing_kid =
+
+# JWT signing method. This must match the private key type as defined in
+# signing_private_key and defaults to `PS256`.
+#signing_method = PS256
+
+# Full path to a directory containing pem encoded keys for validation. Konnect
+# loads all `*.pem` files in that directory and adds the public key parts (if
+# found) to the validator for received tokens using the file name without
+# extension as key ID.
+#validation_keys_path =
+
+# Full file path to a encryption secret key file containing random bytes. This
+# file must exist to be able to start the service. A suitable file can be
+# generated with:
+# `openssl rand -out konnectd-encryption-secret.key 32`
+# If this is not set, Konnect will try to load
+# /etc/kopano/konnectd-encryption-secret.key
+# and if not found, fall back to a random key on every startup. Not set by
+# default. If set, the file must be there.
+#encryption_secret_key = /etc/kopano/konnectd-encryption-secret.key
+
+# Full file path to the identifier registration configuration file. This file
+# must exist to be able to start the service. An example file is shipped with
+# the documentation / sources. If not set, Konnect will try to load
+# /etc/kopano/konnectd-identifier-registration.yaml
+# without failing when the file is not there. If set, the file must be there.
+#identifier_registration_conf = /etc/kopano/konnectd-identifier-registration.yaml
+
+# Full file path to the identifier scopes configuration file. An example file is
+# shipped with the documentation / sources. If not set, Konnect will try to
+# load /etc/kopano/konnectd-identifier-scopes.yaml without failing if the file
+# is not there. If set, the file must be there.
+#identifier_scopes_conf = /etc/kopano/konnectd-identifier-scopes.yaml
+
+# Path to the location of konnectd web resources.
This is a mandatory setting
+# since Konnect needs to find its web resources to start.
+#web_resources_path = /usr/share/kopano-konnect
+
+# Custom base path for URI endpoints for Konnect API and the identifier web
+# application. This needs to be changed when Konnect is served from a path
+# instead of the root of the domain.
+#uri_base_path = /
+
+# Space separated list of scopes to be accepted by this Konnect server. By
+# default this is not set, which means that all scopes which are known by the
+# Konnect server and its configured identifier backend are allowed.
+#allowed_scopes =
+
+# Space separated list of IP address or CIDR network ranges of remote addresses
+# which are to be trusted. This is used to allow special behavior if Konnect
+# runs behind a trusted proxy which injects authentication credentials into
+# HTTP requests. Not set by default.
+#trusted_proxies =
+
+# Flag to enable client controlled guest support. When set to `yes`, a registered
+# client can send authorize guests, by sending signed requests. Defaults to `no`.
+#allow_client_guests = no
+
+# Flag to enable dynamic client registration API. When set to `yes`, clients
+# can register themselves and make authorized calls to the token endpoint.
+# Defaults to `no`.
+#allow_dynamic_client_registration = no
+
+# Additional arguments to be passed to the identity manager.
+#identity_manager_args =
+
+###############################################################
+# Log settings
+
+# Log level controls the verbosity of the output log. It can be one of
+# `panic`, `fatal`, `error`, `warn`, `info` or `debug`. Defaults to `info`.
+#log_level = info
+
+###############################################################
+# Kopano Groupware Storage Server Identity Manager (kc)
+
+# URI for connecting to the Kopano Groupware Storage server. This can either be
+# a http(s):// URL for remote systems or a file:// URI to a socket for local
+# connection.
Defaults to `file:///run/kopano/server.sock` and is only used
+# when the identity_manager is `kc`.
+#kc_server_uri = file:///run/kopano/server.sock
+
+# Session timeout for sessions of the Kopano Groupware Storage server in
+# seconds. Access token valid duration is limited to this value and Konnect
+# will expire sessions if they are inactive for the timeout duration. This value
+# needs to be lower or same as the corresponding value used in the Kopano
+# Groupware Storage server's configuration to avoid constant session expiration
+# and recreation.
+#kc_session_timeout = 300
+
+###############################################################
+# LDAP Identity Manager (ldap)
+
+# Below are the settings for the LDAP identity manager. They are only used when
+# the identity_manager is `ldap`.
+#ldap_uri =
+#ldap_binddn =
+#ldap_bindpw =
+#ldap_basedn =
+#ldap_scope = sub
+#ldap_login_attribute = uid
+#ldap_uuid_attribute = uidNumber
+#ldap_filter = (objectClass=inetOrgPerson)
diff --git a/etc/kopano/konnectkeys/konnect-20210314-0ae1.pem b/etc/kopano/konnectkeys/konnect-20210314-0ae1.pem
new file mode 100644
index 0000000..3d0c625
--- /dev/null
+++ b/etc/kopano/konnectkeys/konnect-20210314-0ae1.pem
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDKeeORq+iJ/Rzp +Q9Jhqldvx0jEprZkTz30DWQrxgzr3lgpowY4sPT9P4uu73Y+czMv8CvMX9gacBv8 +ctbhPL2unmYpRX1Vpgw25E768CyX4etn+LCkZy4KvevuPB8Z6Hx1BseM3tu/nWYP +Uf9TczHN48vjLKrsu6zeEXy3TsUpmEqgIQN9DxdMCVlzh9wl7+gx/9JrpM24slFA +4S/ieeaOtlzv8nIWWUB+qeWM35b5ZEtejsiqDaBGHhNhj2z6igUfRrmEkL3V0lkd +nwaMIWYg0mhiZrX1fQy2wsEpWwDjhy6GQp15IIySv9NgjN5P/PqnCjhPQAxwznt8 +KwZucCAh52g/rwykPoMW14SlfVe97zxjEw1MfFmjwi/7jFHh8AGTNl+BVIbZZ/O/ +YgxLurKbNEeNcyl/aaZFlNL11RYRa5QOwrc65+ChRhO4rbvsenstpQbky/vvbZ8v +9BbvcuC/I0TTWJxFBpGHuK2iTFiViAE9bLfKAxsXuZofw74pwltTXU2wyTm/weih +HVTs4DlUtUefsltZRFHVBDDTcUc9WwVtKjvCNKUbE5ZXHRkiZuWxLgjci/4UvrRj +WstQVzbGfGWgi710ZovvKqn1gRJoakJTrdYk9YQMnKuLWuq9DNby4N/jdlbAs7NM +8jEe9TTnJW8z7HX6NQPT/ugoqfnPFQIDAQABAoICAFVU8VefP62IAvs8HhoTFC6D +qmNWb1/vFYkZa7IXEbMGTdmeXyzdRyLD+TaMrSS8oEH/0jWb3xOlU+Yc7/qVAsvo +7d1O7/d8t4Eazz5qoiCQkgmLgcaHxZu5VwlcRS9CD9GyPb9c3PfweebTA+xDjCXd +bzwawx5qKfydGhaXF/jjue+qejHmfkcJWa2bAGjspssLqb68Agdo/118ihXEkipr +KNfnMbXBf7DiIWAxiwsn/auoOWGRxI5IdpqTO7aLHIWF5QG9joPi1rPpJXVBTi1e +/6cY6m6/ePA9O/MV61X4zt6+jGdUFGp0db0nITpMv8ZORFUCBTw1iU1XRKqejqt6 +/dYb1BTSy5vSUUkjV5isrvXsZd4ZEXzC8xvdu4PyXfIUXDJrCR4N/bLCup6C0r82 +7goPw1Lxlr1nPN5A8rzABFrRgcWiiQNs0s82qbE+bf/ZLDXkjK62dDg9ziKE5mQ6 +sXQOBZYIYrdAXLs7SRHcPXyWgCZKlps02jA1w0jWRJPXooeq34ce7N0BlkS6oSde +nH/m+EiYf3EFJtgIRcp+Wp3uXc2Se87fSs6GFK6FkHt496yZLY8UuFdXky1XQQJB +FsrPNJr9vuYz38AwACm7mylw7G1zn9WvIbBP83lA/TmlO/dhQiX/zgcILhA4lYod +ackLcmQlJCY1Oa9tVUIBAoIBAQDx5oJ/99xq0PC9zNBew9NTMqsDhLjNwEq6xdIe +RcXRlXubZVA7yTnQ6xRQsEyRU2538hq8ErVCngNMOrgS3iTiADIWhRLr0VBEe4rj +IGJGIXbrXNUE3tZvnn/OljNz08grzqsCRJSk2OYvCk/9W7v5gXNIkTXIpUO4TXys +s78BSGkg5k4AWv8i16PUrVblOTJgjCD2EkYrBWD4BazjlkbKNwGnbpEAjfgjuKmT +DyK4fJ+vHc1pjR+2QZyEy94CyVsSi+n9al90ydTzf6kzIPBaYTjbp8edp8Z3dZKL +fyUaQoZ1a+bEBxBQp0qVsFeOCUhMSq65cwt4je2W4TLLmyOhAoIBAQDWRx0nkmIa +zQpsyr7ebpUJ7i973gw4qynnMrWQYlRq7TgGNoYBKmPe/3d+PBBjTsTWT7q8AdFD 
+KAENEaWM+FzGErR3bu3sR1Flo1aF02mA6p4BEcSVX25PDsBdzBEg5CwVn+pHf1u4 +4GpXlmLhd3HiSzXOUPKrRRhzJHm3GKqoCRIW00eFllPI4vr/4kpgh8V/l4JpKZow +/Sx882EjtxeGC14xKm9y9MF56oajxrPqxu574tBlfTn4eXyTiW4BsTcLcuf+s/lz +R39Ky/FTY9P42QNHIlSX1tlXTe1gRc2qE3QlQYXcc2+P+yasiXNeEiAQFo63TH4I +pWYKmaiTxPb1AoIBAQChr76YhHbK2t+fLbA1N1UgLiTKlELmG9qXXrRkUaS4wt68 +7oojfAvuDcMlb8Gt/YNAHw4pmaOYZH+1yyXQTrV+bj0MemQ8RUsOizk5OSMW1zVi +eklUGRJhxyKMVi8MA4mvZlM9j9N/IA8zcAQpR9CsJA+HeK/nbjeGkBx+XyKTW/AQ +8n8+k5QnmNVDyZzkWEfI6sD5WRuXk9/NyBVYhdDJRt0PKcM4CKzMS5jk1+AQShR9 ++0CahZ6lttNEm/PIDwiVq/l5zkkBigqRu0nACAs/je5wO4QcZ9ErdeW+4fxNwhuX +jsjPTB1mm3sp9JWBNckiXWTORgxrxwoAqIPIPekhAoIBAQCt5TSR4shfO7uUIs3X +siKd1oEOo1uDudTd3lde/43G4REwaZtC4uX+GZEeDxy1mz0/N6Ex5r+vIo4HzyRt +TTntPUzcCFhqAk7ajz4uiS38A2uLLqI9Hx9kZXJULMJR0Rq9yfPVZlRHq0hiIJfK +pqbzoVnfP+5QdFitSRLGNux4RjQ59ej7Ts5cH2jXtQvrXwQ20fxx3+NUkoJCPTm+ +RF6A2ETu3aNoxZ0mleAClcV5aUwtmhrJ4mDjd6RUD5oJIYqsbeo82E4+8e0qBGyq +4j8qmuOAHSpNt3zWz1UvZjbMKdF+UriR+dS2Inp2V24bD9aZd9UGiLtXxPMU8zLO +CXDpAoIBAEycsfTcArULdH9q8mDEM+PiTr49kNL9X7UYDLziNTuU363jcYQ/iXDp +gAdL21caMhcV3C+iAjSb70HwXu6NKEO7Lb703OtgTWHZE9kFssRlA91VSw3X5fCT +I88MqRzFDsdrE9tUlDbQ2S3GP18PuMhLFJdPuZ4whdqiQMfnQxD25rG/Gi8eypz9 +J/t/LhciIJxaaBaT5YU/t0KGEAlsSrpuPN3sSq7iQYrrUKQY2Mghy4wKP1qwLhLX +DEr1HZ3gfTZcdvk5ftkGvy4QP6rNRMNo/74l1yp+vAUf/4uA1Wu9QWOJfFOVvfV3 +bPlsxOijJGo9JSDH/en3wE654P52ygY= +-----END PRIVATE KEY----- diff --git a/etc/kopano/kweb/.kweb/.setup-done b/etc/kopano/kweb/.kweb/.setup-done new file mode 100644 index 0000000..e69de29 diff --git a/etc/kopano/kwebd.cfg b/etc/kopano/kwebd.cfg new file mode 100644 index 0000000..4b8c0fa --- /dev/null +++ b/etc/kopano/kwebd.cfg 
@@ -0,0 +1,137 @@
+##############################################################
+# Kopano Web SETTINGS
+
+# Site's host name.
+# Full qualified host name. If set, kweb provides HTTP/HTTPS for this host
+# including automatic ACME CA TLS and Content Security Policy generation. If not
+# set (the default), kweb is available under all names and does not try to
+# obtain a certificate via ACME.
+#hostname=
+
+# ACME CA email.
+# To allow automatic TLS via ACME, the CA needs an email address. Provide your
+# email address here to enable automatic TLS via ACME. If tls_acme_email and
+# hostname are set, kweb will automatically manage TLS certificates unless
+# explictly disabled by other settings.
+#tls_acme_email =
+
+# ACME CA subscriber agreement.
+# Set to `yes` to accept the CA's subscriber agreement. If this is `no` or
+# not set and kweb is otherwise configured to use ACME, kweb will log the link
+# to the CA's subscriber agreement and then exit. You have to change this
+# setting to `yes` to use automatic TLS via ACME.
+#tls_acme_agree = no
+
+# ACME CA server directory.
+# URL to the certificate authority's ACME server directory. Default is to use
+# Let's Encrypt (https://acme-v02.api.letsencrypt.org/directory).
+#tls_acme_ca = https://acme-v02.api.letsencrypt.org/directory
+
+# HTTP Strict Transport Security.
+# Value for HTTP Strict Transport Security response header. Default to
+# `max-age=31536000;` and is only used if hostname is set. Set explicitly to
+# empty to disable.
+#hsts=max-age=31536000;
+
+# Bind address to bind the listeners.
+# This setting defines where to bind kweb http listeners. By default kweb binds
+# to all interfaces/ips since it needs to be available from external.
+#bind=0.0.0.0
+
+# Web root folder.
+# Full path to the web root. All files below that folder are served by kweb and
+# the path is used as base for otherwise relative paths.
+# Default: `/usr/share/kopano-kweb/www`
+#web_root = /usr/share/kopano-kweb/www
+
+# Port for HTTPS listener.
+# When TLS is enabled, kweb will serve the TLS listener on this port. Defaults
+# to 9443 if `hostname` is not set and `443` otherwise.
+#https_port = 443
+
+# Port for HTTP listener.
+# When TLS is disabled, kweb will serve the listener on this port. Defaults to
+# 9080 if `hostname` is not set and `80` otherwise.
+#http_port = 80
+
+# HTTP/2 support.
+# Set to `yes` to enable HTTP/2 support on all TLS listeners. HTTP/2 is enabled
+# by default. Set to `no` to disable.
+#http2 = yes
+
+# QUIC support.
+# Experimental support for QUIC. Set to `true` to enable. Default is `no`.
+#quic = no
+
+###############################################################
+# Log settings
+
+# HTTP request log file (access log in combined format).
+# Full path to log file where to log HTTP requests. Not set by default which
+# means requests are not logged.
+#request_log_file = /var/log/kopano-kweb/access.log
+
+###############################################################
+# TLS settings
+
+# TLS support.
+# Support encrypted listeners and automatic TLS certificate creation when set
+# to `yes`. Set to `no` to disable all TLS and listen on plain HTTP.
+#tls = yes
+
+# TLS certificate bundle.
+# Path to a TLS certificate bundle (concatenation of the server's certificate
+# followed by the CA's certificate chain). If set, the TLS listener will use
+# that certificate instead of trying automatic TLS.
+#tls_cert =
+
+# TLS private key.
+# Path to the server's private key file which matches the certificate bundle. It
+# must match the certificate in tls_cert.
+#tls_key =
+
+# TLS protocols.
+# Minimal and maximal TLS protocol versions to be offered. Defaults to TLS 1.2
+# and TLS 1.3 (`tls1.2 tls1.3`).
+#tls_protocols = tls1.2 tls1.3
+
+# TLS self sign.
+# By default kweb creates self signed TLS certificates on startup on if ACME is
+# not possible due to missing settings.
If set to `yes`, ACME is disabled and a
+# self signed certificate will always be created. Default: `no`.
+#tls_always_self_sign = no
+
+# TLS must stable.
+# Enables must stable for certificates managed by kweb. If this is set to `yes`
+# and kweb requests certificates via ACME, those certificates will require that
+# the OSCP information is stapled with the response. Defaults to `no`.
+#tls_must_staple = no
+
+###############################################################
+# App settings
+
+# Default top level redirect.
+# When set, top level requests `/` will redirect to the configured value.
+# Not set by default.
+#default_redirect =
+
+# Legacy support.
+# To make integration into existing environments easier kwebd can act as a
+# reverse proxy to allow serving requests Kopano WebApp and Z-Push running e.g.
+# in Apache or Nginx. Set the address to the legacy web server here. Not set by
+# default.
+#legacy_reverse_proxy = 127.0.0.1:8000
+
+###############################################################
+# Limiting settings
+
+# Rate limit tate.
+# Limits Excessive access to services. Requests will be terminated with an error
+# 429 (Too Many Requests) and X-RateLimit-RetryAfter is added.
+# Format "rate burst unit", Defaults to "100 200 minute".
+#ratelimit_rate = "100 200 minute"
+
+# Rate limit whitelist.
+# Your trusted IPs (comma separated). Defines the CIDR IP range you don't want
+# to perform rate limit. Defaults to `127.0.0.1/8`.
+#ratelimit_whitelist = 127.0.0.1/8
diff --git a/etc/kopano/ldap.cfg b/etc/kopano/ldap.cfg
new file mode 100644
index 0000000..9064409
--- /dev/null
+++ b/etc/kopano/ldap.cfg
@@ -0,0 +1,36 @@
+# See the kopano-ldap.cfg(5) manpage for details and more directives
+
+# Select implementation.
+# If you have any reason to override settings from /usr/share/kopano/*.cfg,
+# do so at the end of this (/etc-resident) config file.
+#
+!include /usr/share/kopano/ldap.openldap.cfg
+#!include /usr/share/kopano/ldap.active-directory.cfg
+
+# List of URIs of LDAP servers to use. Make sure that etc/ldap/ldap.conf is
+# /configured correctly with TLS_CACERT when using "ldaps".
+ldap_uri =
+#ldap_starttls = no
+
+# The DN of the user to bind as for normal operations.
+# When empty, uses anonymous binding.
+ldap_bind_user =
+ldap_bind_passwd =
+
+# Top level search base, every object should be available under this tree
+ldap_search_base =
+
+# The timeout for network operations in seconds
+#ldap_network_timeout = 30
+
+# ldap_page_size limits the number of results from a query that will be downloaded at a time.
+# Default ADS MaxPageSize is 1000.
+#ldap_page_size = 1000
+
+#ldap_membership_cache_size = 256k
+#ldap_membership_cache_lifetime = 5
+
+# Use custom defined LDAP property mappings
+# This is not a requirement for most environments but allows custom mappings of
+# special LDAP properties to custom MAPI attributes
+#!propmap /etc/kopano/ldap.propmap.cfg
diff --git a/etc/kopano/monitor.cfg b/etc/kopano/monitor.cfg
new file mode 100644
index 0000000..010b342
--- /dev/null
+++ b/etc/kopano/monitor.cfg
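Review bot: `ldap_bind_passwd =` keeps the LDAP bind credential inline in a file that is committed to the repository; once it is filled in, the secret lands in git history and in every image layer that copies /etc/kopano. Keep the populated value out of the repo (mount the real ldap.cfg, or the credential alone, at container start) and leave only the empty placeholder here. `#ldap_starttls = no` also stays at its default, so if a plain `ldap://` URI is configured later the bind password would cross the network in clear; either use `ldaps://` as the header comment suggests or set `ldap_starttls = yes`.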
@@ -0,0 +1,28 @@ +# See the kopano-monitor.cfg(5) manpage for details and more directives. + +#server_socket = file:///var/run/kopano/server.sock +# Login to the storage server using this SSL Key +#sslkey_file = /etc/kopano/ssl/monitor.pem +# The password of the SSL Key +#sslkey_pass = replace-with-monitor-cert-password +# in a multi-server environment, which servers to monitor (default all) +#servers = + +#log_method = auto +# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug)) +#log_level = 3 +#log_file = - +#log_timestamp = yes + +# Quota check interval (in minutes) +#quota_check_interval = 15 +# Quota mail interval in days +#mailquota_resend_interval = 1 + +# Template to be used for quota emails which are sent to the user +# when the various user quota levels have been exceeded. +#userquota_warning_template = /etc/kopano/quotamail/userwarning.mail + +# Templates to be used for quota emails which are sent to the company administrators +# when the company quota level has been exceeded. +#companyquota_warning_template = /etc/kopano/quotamail/companywarning.mail diff --git a/etc/kopano/php-mapi.cfg b/etc/kopano/php-mapi.cfg new file mode 100644 index 0000000..f36b4d4 --- /dev/null +++ b/etc/kopano/php-mapi.cfg 
@@ -0,0 +1,30 @@ +############################################################## +# LOG SETTINGS + +# Logging method (syslog, file), syslog facility is 'mail' +#log_method = syslog + +# Logfile (for log_method = file, '-' for stderr) +#log_file = /var/log/kopano/php-mapi.log + +# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug)) +#log_level = 3 + +# Log timestamp - prefix each log line with timestamp in 'file' +# logging mode +#log_timestamp = yes + +# Buffer logging in what sized blocks. 0 for line-buffered (syslog-style). +#log_buffer_size = 0 + +# This setting will make php-mapi trace how long each MAPI-call +# took into the selected logfile. +# Make sure that the file exists and/or can be written to by the +# apache user. +# php_mapi_performance_trace_file = /var/log/kopano/php-mapi-perf-trace.log + +# Enable debug output for the mapi extension +# Bitmask: +# 1 = Log start of a function +# 2 = Log end of a function +#php_mapi_debug = 0 diff --git a/etc/kopano/quotamail/companywarning.mail b/etc/kopano/quotamail/companywarning.mail new file mode 100644 index 0000000..fd22f6c --- /dev/null +++ b/etc/kopano/quotamail/companywarning.mail @@ -0,0 +1,11 @@ +Subject: Quota of company ${KOPANO_QUOTA_COMPANY} has been exceeded + +The size of the public store for company ${KOPANO_QUOTA_COMPANY} has exceeded +the size limits set by the administrator. +The public store size is ${KOPANO_QUOTA_STORE_SIZE}. + +Mailbox size limit: + * Warninglevel (${KOPANO_QUOTA_WARN_SIZE}) + - When this limit is exceeded this warning message will be sent + +See client Help for more information. diff --git a/etc/kopano/quotamail/userhard.mail b/etc/kopano/quotamail/userhard.mail new file mode 100644 index 0000000..2c499cb --- /dev/null +++ b/etc/kopano/quotamail/userhard.mail 
@@ -0,0 +1,17 @@
+Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
+
+Your mailbox has exceeded one or more size limits set by your administrator.
+Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limits:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded a warning message will be sent
+ * Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
+ - When this limit is exceeded you will not be able to send new email
+ * Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
+ - When this limit is exceeded you will not be able to send and receive new email
+
+To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
+Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
+You must empty the Deleted Items folder after deleting items or the space will not be freed.
+See client Help for more information.
diff --git a/etc/kopano/quotamail/usersoft.mail b/etc/kopano/quotamail/usersoft.mail
new file mode 100644
index 0000000..2c499cb
--- /dev/null
+++ b/etc/kopano/quotamail/usersoft.mail
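Review bot: usersoft.mail and userwarning.mail are byte-identical copies of userhard.mail (all three index lines carry blob 2c499cb), so a user who has only crossed the warning level receives a subject saying the quota "has been exceeded" and a body that describes the hard-level consequences. Each template should describe only the level that was actually crossed, e.g. for userwarning.mail `Subject: Quota warning for user ${KOPANO_QUOTA_NAME}` with a body that says sending is still possible, and for usersoft.mail a body that stops at the soft-level line. The same point applies to the usersoft.mail and userwarning.mail hunks that follow.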
@@ -0,0 +1,17 @@
+Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
+
+Your mailbox has exceeded one or more size limits set by your administrator.
+Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limits:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded a warning message will be sent
+ * Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
+ - When this limit is exceeded you will not be able to send new email
+ * Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
+ - When this limit is exceeded you will not be able to send and receive new email
+
+To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
+Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
+You must empty the Deleted Items folder after deleting items or the space will not be freed.
+See client Help for more information.
diff --git a/etc/kopano/quotamail/userwarning.mail b/etc/kopano/quotamail/userwarning.mail
new file mode 100644
index 0000000..2c499cb
--- /dev/null
+++ b/etc/kopano/quotamail/userwarning.mail
@@ -0,0 +1,17 @@
+Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
+
+Your mailbox has exceeded one or more size limits set by your administrator.
+Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limits:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded a warning message will be sent
+ * Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
+ - When this limit is exceeded you will not be able to send new email
+ * Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
+ - When this limit is exceeded you will not be able to send and receive new email
+
+To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
+Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
+You must empty the Deleted Items folder after deleting items or the space will not be freed.
+See client Help for more information.
diff --git a/etc/kopano/search.cfg b/etc/kopano/search.cfg
new file mode 100644
index 0000000..f14439f
--- /dev/null
+++ b/etc/kopano/search.cfg
@@ -0,0 +1,40 @@ +# See kopano-search.cfg(5) for more details and directives. + +# Location of the index files +#index_path = /var/lib/kopano/search/ +# Limit the number of results returned (0 = no limit) +#limit_results = 1000 + +# Socket to the storage server. +# Use https to reach servers over the network +#server_socket = file:///var/run/kopano/server.sock +# Login to the storage server using this SSL Key +#sslkey_file = /etc/kopano/ssl/search.pem +# The password of the SSL Key +#sslkey_pass = replace-with-server-cert-password + +# To setup for multi-server, use: http://0.0.0.0:port or https://0.0.0.0:port +#server_bind_name = file:///var/run/kopano/search.sock +# File with certificate for SSL, used when server_bind_name uses https://... +#ssl_certificate_file = /etc/kopano/search/cert.pem +# File with RSA key for SSL, used when server_bind_name uses https://... +#ssl_private_key_file = /etc/kopano/search/privkey.pem + +#log_method = file +# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug)) +log_level = 5 +log_file = /var/log/kopano/search.log +#log_timestamp = yes + +# Number of indexing processes used during initial indexing +#index_processes = 1 +#index_drafts = yes +#index_junk = yes +# Prepare search suggestions ("did-you-mean?") during indexing +# This takes up a large percentage of the used disk space +#suggestions = yes + +# Should attachments be indexed +#index_attachments = no +# Maximum file size for attachments +#index_attachment_max_size = 5M diff --git a/etc/kopano/server.cfg b/etc/kopano/server.cfg new file mode 100644 index 0000000..5d0cd7c --- /dev/null +++ b/etc/kopano/server.cfg 
@@ -0,0 +1,120 @@
+# See the kopano-server.cfg(5) manpage for details and more directives.
+
+# If a directive is not used (i.e. commented out), the built-in server default
+# is used, so to disable certain features, the empty string value must explicitly be
+# set on them.
+
+# Space-separated list of address:port specifiers with optional %interface
+# infix for where the server should listen for connections.
+server_listen = 0.0.0.0:236
+#server_listen_tls =
+#server_ssl_key_file = /etc/kopano/ssl/server.pem
+#server_ssl_key_pass =
+#server_ssl_ca_file = /etc/kopano/ssl/cacert.pem
+#server_ssl_ca_path =
+#server_tls_min_proto = tls1.2
+# Path of SSL Public keys of clients
+#sslkeys_path = /etc/kopano/sslkeys
+
+# Name for identifying the server in a multi-server environment. Need
+# not be a DNS name, but this name needs to be present on a LDAP
+# kopano-server object's cn value.
+server_name = mail.zntrl.de
+# Multi-server
+#enable_distributed_kopano = false
+
+database_engine = mysql
+mysql_host = localhost
+mysql_port = 3306
+mysql_user = kopano
+mysql_password = zAKt(85&
+mysql_database = kopano
+
+# Allow connections from normal users through the Unix socket
+#allow_local_users = yes
+
+# Space-separated list of users that are considered Kopano admins.
+local_admin_users = root kopano
+
+log_method = file
+log_file = /var/log/kopano/server.log
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+log_level = 5
+log_timestamp = yes
+
+# Attachment backend driver type: "database", "files", "files_v2", "s3"
+#attachment_storage = files
+#attachment_path = /var/lib/kopano/attachments
+
+#attachment_s3_hostname = s3-eu-west-1.amazonaws.com
+# The region where the bucket is located, e.g. "eu-west-1"
+#attachment_s3_region =
+# The protocol that should be used to connect to S3, 'http' or 'https' (preferred)
+#attachment_s3_protocol =
+# The URL style of the bucket, "virtualhost" or "path"
+#attachment_s3_uristyle =
+# The access key id of your S3 account
+#attachment_s3_accesskeyid =
+# The secret access key of your S3 account
+#attachment_s3_secretaccesskey =
+# The bucket name in which the files will be stored
+#attachment_s3_bucketname =
+
+# User backend driver type: "db", "unix", "ldap"
+#user_plugin = db
+#user_plugin_config = /etc/kopano/ldap.cfg
+#enable_sso = false
+# Hostname override for Kerberos SSO
+#server_hostname =
+
+# OpenID Connect Issuer Identifier. When set, the server attempts OIDC discovery
+# and initialization on startup, using the configured issuer identifier.
+#kcoidc_issuer_identifier =
+#kcoidc_initialize_timeout = 60
+
+# Skip creation/deletion of users for testing purposes, instead log it.
+#user_safe_mode = no
+
+# Multi-tenancy
+#enable_hosted_kopano = false
+# Display format of store name
+# Allowed variables:
+# %u Username
+# %f Full name
+# %c Tenant's name
+#storename_format = %f
+
+# Loginname format for multi-tenancy installations
+# When the user does not login through a system-wide unique
+# username (like the email address) a unique name is created
+# by combining the username and the tenantname.
+# With this configuration option you can set how the
+# loginname should be built up.
+#
+# Note: Do not use the = character in the format.
+#
+# Allowed variables:
+# %u Username
+# %c Teantname
+#
+#loginname_format = %u
+
+#enable_gab = yes
+# Whether to hide/show the special GAB "Everyone" group that contains
+# every user and group for non-admins.
+#hide_everyone = no
+# Whether to hide/show the special GAB "SYSTEM" user for non-admins.
+#hide_system = yes
+# Synchronize GAB users on every open of the GAB (otherwise, only on
+# kopano-admin --sync)
+#sync_gab_realtime = yes
+
+# Use indexing service for faster searching.
+# Enabling this option requires kopano-indexd or kopano-search to be active.
+#search_enabled = yes
+#search_socket = file:///var/run/kopano/search.sock
+#search_timeout = 10
+
+# Disable features for users. This list is space separated.
+# Currently valid values: imap pop3 mobile outlook webapp
+disabled_features = pop3
diff --git a/etc/kopano/spamd.cfg b/etc/kopano/spamd.cfg
new file mode 100644
index 0000000..c51812b
--- /dev/null
+++ b/etc/kopano/spamd.cfg
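Review bot: `mysql_password = …` commits a live database credential in plaintext, so it has to be treated as exposed: rotate it, remove it from this file and from git history, and have the real value written into /etc/kopano/server.cfg at container start (e.g. by an entrypoint reading a mounted secret) rather than baked into the image. `server_listen = 0.0.0.0:236` binds the unencrypted server protocol on every interface while `#server_listen_tls =` and the `server_ssl_*` keys stay commented out; if anything beyond the local containers is meant to reach port 236, enable the TLS listener or narrow the bind address. `log_level = 5` (info) is verbose for a long-running service and will grow /var/log/kopano/server.log quickly; `log_level = 3` is the documented warning level in the comment above it.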
@@ -0,0 +1,53 @@ +############################################################## +# SPAMD SERVICE SETTINGS + +# run as specific user +#run_as_user = kopano + +# run as specific group +#run_as_group = kopano + +# control pid file +#pid_file = /var/run/kopano/spamd.pid + +# run server in this path (when not using the -F switch) +#running_path = /var/lib/kopano + +############################################################## +# LOG SETTINGS + +# Logging method (syslog, file) +#log_method = file + +# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug)) +#log_level = 3 + +# Logfile for log_method = file, use '-' for stderr +#log_file = /var/log/kopano/spamd.log + +# Log timestamp - prefix each log line with timestamp in 'file' logging mode +#log_timestamp = 1 + +############################################################### +# SPAMD Specific settings + +# The dir where spam mails are written to which are later picked up +# by the sa-learn program +#spam_dir = /var/lib/kopano/spamd/spam + +# Location for the database containing metadata on learned spam +#spam_db = /var/lib/kopano/spamd/spam.db + +# Learn ham, when the user moves emails from junk to inbox, +# enabled by default. +#learn_ham = yes + +# The dir where ham mails are written to which are later picked up +# by the sa-learn program +#ham_dir = /var/lib/kopano/spamd/ham + +# Spamassassin group +#sa_group = amavis + +# Header tag for spam emails +#header_tag = X-Spam-Flag diff --git a/etc/kopano/spooler.cfg b/etc/kopano/spooler.cfg new file mode 100644 index 0000000..6956516 --- /dev/null +++ b/etc/kopano/spooler.cfg 
@@ -0,0 +1,30 @@ +# See the kopano-spooler.cfg(5) manpage for details and more directives. + +# Outgoing mailserver +#smtp_server = localhost +#smtp_port = 25 + +# Server Unix socket location +#server_socket = default: +# Login to the storage server using this SSL Key +#sslkey_file = /etc/kopano/ssl/spooler.pem +# The password of the SSL Key +#sslkey_pass = replace-with-server-cert-password + +#log_method = auto +# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug)) +#log_level = 3 +#log_file = - +#log_timestamp = yes + +# Dump raw messages into specified directory before sending via SMTP. +#log_raw_message_path = /var/lib/kopano +#log_raw_message_stage1 = no + +# Maximum number of threads used to send outgoing messages +#max_threads = 5 + +# spooler Python plugin framework. Disables threading. +#plugin_enabled = no +# Path to the activated spooler plugins. +#plugin_path = /var/lib/kopano/spooler/plugins diff --git a/etc/kopano/statsd.cfg b/etc/kopano/statsd.cfg new file mode 100644 index 0000000..26050b8 --- /dev/null +++ b/etc/kopano/statsd.cfg @@ -0,0 +1,8 @@ +# One address:port specifier for where to listen for HTTP connections. +#statsd_listen = unix:/var/run/kopano/statsd.sock + +# Location for keeping RRD files +#statsd_rrd = /var/lib/kopano/rrd + +#run_as_user = kopano +#run_as_group = kopano diff --git a/etc/kopano/unix.cfg b/etc/kopano/unix.cfg new file mode 100644 index 0000000..b1d807f --- /dev/null +++ b/etc/kopano/unix.cfg 
@@ -0,0 +1,42 @@ +############################################################## +# UNIX USER PLUGIN SETTINGS +# +# Any of these directives that are required, are only required if the +# userplugin parameter is set to unix. + +# Charset used in /etc/passwd for the fullname of a user. Normally this +# is us-ascii, but this can differ according to your setup. +# The charset specified here must be supported by your iconv(1) +# setup. See iconv -l for all charsets. +fullname_charset = iso-8859-15 + +# Default email domain for constructing new users +# Required, no default +default_domain = kopano.com + +# The lowest user id that is considered a regular user +# Optional, default = 1000 +min_user_uid = 1000 + +# The highest user id that is considered a regular user +# Optional, default = 10000 +max_user_uid = 10000 + +# A list of user ids that are not considered to be regular users +# Optional, default = empty +# except_user_uids = + +# The lowest group id that is considered a regular group +# Optional, default = 1000 +min_group_gid = 1000 + +# The highest group id that is considered a regular group +# Optional, default = 10000 +max_group_gid = 10000 + +# A list of group ids that are not considered to be regular groups +# Optional, default = empty +# except_group_gids = + +# Create a user as non-active when it has this Unix shell +non_login_shell = /sbin/nologin /bin/false diff --git a/etc/kopano/webapp/.htaccess b/etc/kopano/webapp/.htaccess new file mode 100644 index 0000000..a6c4a4f --- /dev/null +++ b/etc/kopano/webapp/.htaccess 
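Review bot: `default_domain = kopano.com` is left at the vendor placeholder, so if the unix user plugin is ever selected (`user_plugin = unix` in server.cfg) every new user would be created with an address under a domain this deployment does not route (main.cf delivers `zntrl.de`), and mail for them would be misdirected. Set it to the deployment's own domain, `default_domain = zntrl.de`, or add a comment stating that this file is unused because the db plugin is in effect.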
@@ -0,0 +1,28 @@ +# some apache settings +Options -Indexes + +# The maximum POST limit. To upload large files, this value must be larger than upload_max_filesize. + + php_value post_max_size 31M + php_value upload_max_filesize 30M + + + + php_value post_max_size 31M + php_value upload_max_filesize 30M + + +# Deny access to config.php, config.php.dist, debug.php, debug.php.dist, defaults.php +# because they could become a security vulnerability when accessible +# Better safe then sorry + + + Deny from all + + + = 2.4> + + Require all denied + + + diff --git a/etc/kopano/webapp/config-contactfax.php b/etc/kopano/webapp/config-contactfax.php new file mode 100644 index 0000000..06f2da4 --- /dev/null +++ b/etc/kopano/webapp/config-contactfax.php @@ -0,0 +1,4 @@ + diff --git a/etc/kopano/webapp/config-gmaps.php b/etc/kopano/webapp/config-gmaps.php new file mode 100644 index 0000000..9f2acd1 --- /dev/null +++ b/etc/kopano/webapp/config-gmaps.php @@ -0,0 +1,13 @@ + diff --git a/etc/kopano/webapp/config-intranet.php b/etc/kopano/webapp/config-intranet.php new file mode 100644 index 0000000..6682ac0 --- /dev/null +++ b/etc/kopano/webapp/config-intranet.php @@ -0,0 +1,17 @@ +'); + +// This setting can be changed by the user in his settings. +// Here you can define the default behaviour. +define('PLUGIN_MATTERMOST_AUTOSTART', true); diff --git a/etc/kopano/webapp/config-meet.php b/etc/kopano/webapp/config-meet.php new file mode 100644 index 0000000..44dc00b --- /dev/null +++ b/etc/kopano/webapp/config-meet.php @@ -0,0 +1,19 @@ + + * + *******************************************************************************/ + +// This file contains the configuration options of the Meet plugin + +// This disables the plugin by default +define('PLUGIN_MEET_USER_DEFAULT_ENABLE', false); + +// The URL of the Meet PWA +//define('PLUGIN_MEET_MEET_URL', 'https://'); + +// The URL of the Meet join flow +//define('PLUGIN_MEET_MEET_JOIN_URL' '/meet/r/join/group/'); 
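Review bot: The `Deny from all` / `Require all denied` block that is meant to keep config.php and debug.php off the web only takes effect if the Apache vhost serving the webapp allows overrides for this directory (Limit/AuthConfig for the deny block, Options for `Options -Indexes` and the `php_value` lines); nothing in the commit shows that setting, so the guard may silently be a no-op. Either carry the same restriction in the vhost configuration shipped with the image or document the prerequisite at the top of the file, e.g. `# Requires AllowOverride All (or Limit AuthConfig Options) for this directory in the vhost`. The `<IfModule>`/`<Files>` wrappers appear to have been lost in rendering, so the directive grouping itself cannot be checked here.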
diff --git a/etc/kopano/webapp/config-pimfolder.php b/etc/kopano/webapp/config-pimfolder.php new file mode 100644 index 0000000..261104f --- /dev/null +++ b/etc/kopano/webapp/config-pimfolder.php @@ -0,0 +1,4 @@ + diff --git a/etc/kopano/webapp/config-threema4deskapp.php b/etc/kopano/webapp/config-threema4deskapp.php new file mode 100644 index 0000000..4bd35a7 --- /dev/null +++ b/etc/kopano/webapp/config-threema4deskapp.php 
@@ -0,0 +1,6 @@ + 'pink', + // 'displayName' => _('Pink'), + // 'base' => '#ff0099' + // ) + // ))); + + // Additional categories can be added by uncommenting and editing the following define. + // The format is the same as the format of DEFAULT_CATEGORIES which is defined in default.php + // To change the default categories, DEFAULT_CATEGORIES can also be defined here. + // Note: Every category should have a unique name, because it is used to identify the category + // define("ADDITIONAL_CATEGORIES", json_encode(array( + // array( + // 'name' => _('Family'), + // 'color' => '#000000', + // 'quickAccess' => true, + // 'sortIndex' => 10 + // ) + // ))); + + // Additional Prefix for the Contact name can be added by uncommenting and editing the following define. + // define("CONTACT_PREFIX", json_encode(array( + // array(_('Er.')), + // array(_('Gr.')) + // ))); + + // Additional Suffix for the Contact name can be added by uncommenting and editing the following define. + // define("CONTACT_SUFFIX", json_encode(array( + // array(_('A')), + // array(_('B')) + // ))); + + // Define the polling interval in minutes for unread mail in shared stores. + define("SHARED_STORE_POLLING_INTERVAL", 15); + + // Define the amount of emails to load in the background, in batches of 10 emails per request every x seconds + // defined by PREFETCH_EMAIL_INTERVAL until the defined amount of items is loaded. Setting this value to zero + // disables this feature. + define("PREFETCH_EMAIL_COUNT", 10); + + // Define the interval between loading of new emails in the background. + define("PREFETCH_EMAIL_INTERVAL", 30); + + /**************************************\ + * Memory usage and timeouts * + \**************************************/ + + // This sets the maximum time in seconds that is allowed to run before it is terminated by the parser. 
+ ini_set("max_execution_time", 300); // 5 minutes + + // BLOCK_SIZE (in bytes) is used for attachments by mapi_stream_read/mapi_stream_write + define("BLOCK_SIZE", 1048576); + + // Time that static files may exist in the client's cache (13 weeks) + define("EXPIRES_TIME", 60*60*24*7*13); + + // Time that the state files are allowed to survive (in seconds) + // For filesystems on which relatime is used, this value should be larger then the relatime_interval + // for kernels 2.6.30 and above relatime is enabled by default, and the relatime_interval is set to + // 24 hours. + define("STATE_FILE_MAX_LIFETIME", 28*60*60); + + // Time that attachments are allowed to survive (in seconds) + define("UPLOADED_ATTACHMENT_MAX_LIFETIME", 6*60*60); + + /********************************************************************************** + * Logging settings + * + * Possible LOG_USER_LEVEL values are: + * LOGLEVEL_OFF - no logging + * LOGLEVEL_FATAL - log only critical errors + * LOGLEVEL_ERROR - logs events which might require corrective actions + * LOGLEVEL_WARN - might lead to an error or require corrective actions in the future + * LOGLEVEL_INFO - usually completed actions + * LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers + * + * The verbosity increases from top to bottom. More verbose levels include less verbose + * ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR, + * LOGLEVEL_WARN and LOGLEVEL_INFO level entries. + * + **************************************************************************************/ + define("LOG_USER_LEVEL", LOGLEVEL_OFF); + + // To save e.g. user activity data only for selected users, provide the username followed by semicolon. 
+ // The data will be saved into a dedicated file per user in the LOG_FILE_DIR + // Users have to be encapsulated in quotes, several users are semicolon separated, like: + // define('LOG_USERS', 'user1;user2;user3'); + define("LOG_USERS", ""); + + // Location of the log directory + // e.g /var/log/webapp-userslog/users/ + // The directory will be created when it does not exist. + // Webserver user should have permissions to write in this folder + define("LOG_FILE_DIR", ""); + + /**************************************\ + * Languages * + \**************************************/ + + // Location to the translations + define("LANGUAGE_DIR", "server/language/"); + + // Defines the default interface language. This can be overridden by the user. + if (isset($_ENV['LANG']) && $_ENV['LANG']!="C") { + define('LANG', $_ENV["LANG"]); // This means the server environment language determines the web client language. + } else { + define('LANG', 'en_US.UTF-8'); // default fallback language + } + + // List of languages that should be enabled in the logon + // screen's language drop down. Languages should be specified + // using _[.UTF-8], and separated with + // semicolon. A list of available languages can be found in + // the manual or by looking at the list of directories in + // /usr/share/kopano-webapp/server/language . + define("ENABLED_LANGUAGES", "cs_CZ;da_DK;de_DE;en_GB;en_US;es_CA;es_ES;fi_FI;fr_FR;hu_HU;it_IT;ja_JP;nb_NO;nl_NL;pl_PL;pt_BR;ru_RU;sl_SI;tr_TR;zh_CN"); + + // Defines the default time zone + if (!ini_get('date.timezone')) { + date_default_timezone_set('Europe/Amsterdam'); + } + + /**************************************\ + * Powerpaste * + \**************************************/ + + // Options for TinyMCE's powerpaste plugin, see https://www.tiny.cloud/docs/plugins/powerpaste/#configurationoptions + // for more details. 
+ define("POWERPASTE_WORD_IMPORT", "merge"); + define("POWERPASTE_HTML_IMPORT", "merge"); + define("POWERPASTE_ALLOW_LOCAL_IMAGES", true); + + /**************************************\ + * Debugging * + \**************************************/ + + // Do not log errors into stdout, since this generates faulty JSON responses. + ini_set("display_errors", false); + + ini_set("log_errors", true); + error_reporting(E_ERROR); + + // Log successful logins + define("LOG_SUCCESSFUL_LOGINS", false); + + if (file_exists('debug.php')) { + include_once('debug.php'); + } else { + // define empty dump function in case we still use it somewhere + function dump(){} + } +?> diff --git a/etc/postfix/dynamicmaps.cf b/etc/postfix/dynamicmaps.cf new file mode 100644 index 0000000..1b6c95a --- /dev/null +++ b/etc/postfix/dynamicmaps.cf @@ -0,0 +1 @@ +# dict-type so-name (pathname) dict-function mkmap-function diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf new file mode 100644 index 0000000..92af7c5 --- /dev/null +++ b/etc/postfix/main.cf 
@@ -0,0 +1,57 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# local domains
+myhostname = nuc0.fritz.box
+mydestination = $myhostname, localhost.fritz.box, localhost
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+
+# virtual domains
+virtual_mailbox_domains = zntrl.de
+virtual_mailbox_maps = hash:/etc/postfix/vmailbox
+virtual_alias_maps = hash:/etc/postfix/virtual
+virtual_transport = lmtp:unix:/var/spool/kopano/dagent.sock
+
+# default domains
+default_transport = smtp:[relay.zntrl.de]:465
+
+# SMPTD (inbound) TLS parameters
+smtpd_tls_CApath = /etc/ssl/certs
+smtpd_tls_CAfile = /etc/ssl/certs/balusign-signing-ca.pem
+smtpd_tls_cert_file = /etc/ssl/nuc0-full-chain.pem
+smtpd_tls_key_file = /etc/ssl/private/nuc0.lan.key
+smtpd_tls_security_level=may
+smtpd_tls_loglevel = 1
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+
+# SMTP (outbound)
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_key_file = /etc/ssl/private/nuc0.lan.key
+smtp_tls_cert_file = /etc/ssl/nuc0-full-chain.pem
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_wrappermode = yes
+smtp_tls_security_level = encrypt
+smtp_tls_loglevel = 1
+
+mailbox_size_limit = 0
+message_size_limit = 50000000
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+
diff --git a/etc/postfix/main.cf.proto b/etc/postfix/main.cf.proto
new file mode 100644
index 0000000..5c0aa11
--- /dev/null
+++ b/etc/postfix/main.cf.proto
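Review bot: `smtp_tls_security_level = encrypt` makes TLS to the relay mandatory but performs no certificate verification, so the session to `[relay.zntrl.de]:465` is encrypted yet the relay itself is not authenticated; since `smtp_tls_CApath` is already configured, `smtp_tls_security_level = secure` (or `verify`) would check the relay's certificate against its name. `smtpd_tls_key_file` and `smtp_tls_key_file` both point at `/etc/ssl/private/nuc0.lan.key`; if that key is in the build context and copied into the image it becomes part of a layer, so it should be mounted at runtime instead. The relay policy `permit_mynetworks permit_sasl_authenticated defer_unauth_destination` is sound as written because `mynetworks` is loopback-only, but `inet_interfaces = all` means that property is what keeps the container from relaying for the outside, so it deserves a comment saying so.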
@@ -0,0 +1,684 @@ +# Global Postfix configuration file. This file lists only a subset +# of all parameters. For the syntax, and for a complete parameter +# list, see the postconf(5) manual page (command: "man 5 postconf"). +# +# For common configuration examples, see BASIC_CONFIGURATION_README +# and STANDARD_CONFIGURATION_README. To find these documents, use +# the command "postconf html_directory readme_directory", or go to +# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc. +# +# For best results, change no more than 2-3 parameters at a time, +# and test if Postfix still works after every change. + +# COMPATIBILITY +# +# The compatibility_level determines what default settings Postfix +# will use for main.cf and master.cf settings. These defaults will +# change over time. +# +# To avoid breaking things, Postfix will use backwards-compatible +# default settings and log where it uses those old backwards-compatible +# default settings, until the system administrator has determined +# if any backwards-compatible default settings need to be made +# permanent in main.cf or master.cf. +# +# When this review is complete, update the compatibility_level setting +# below as recommended in the RELEASE_NOTES file. +# +# The level below is what should be used with new (not upgrade) installs. +# +compatibility_level = 2 + +# SOFT BOUNCE +# +# The soft_bounce parameter provides a limited safety net for +# testing. When soft_bounce is enabled, mail will remain queued that +# would otherwise bounce. This parameter disables locally-generated +# bounces, and prevents the SMTP server from rejecting mail permanently +# (by changing 5xx replies into 4xx replies). However, soft_bounce +# is no cure for address rewriting mistakes or mail routing mistakes. +# +#soft_bounce = no + +# LOCAL PATHNAME INFORMATION +# +# The queue_directory specifies the location of the Postfix queue. +# This is also the root directory of Postfix daemons that run chrooted. 
+# See the files in examples/chroot-setup for setting up Postfix chroot +# environments on different UNIX systems. +# +#queue_directory = /var/spool/postfix + +# The command_directory parameter specifies the location of all +# postXXX commands. +# +command_directory = /usr/sbin + +# The daemon_directory parameter specifies the location of all Postfix +# daemon programs (i.e. programs listed in the master.cf file). This +# directory must be owned by root. +# +daemon_directory = /usr/lib/postfix/sbin + +# The data_directory parameter specifies the location of Postfix-writable +# data files (caches, random numbers). This directory must be owned +# by the mail_owner account (see below). +# +data_directory = /var/lib/postfix + +# QUEUE AND PROCESS OWNERSHIP +# +# The mail_owner parameter specifies the owner of the Postfix queue +# and of most Postfix daemon processes. Specify the name of a user +# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS +# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In +# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED +# USER. +# +#mail_owner = postfix + +# The default_privs parameter specifies the default rights used by +# the local delivery agent for delivery to external file or command. +# These rights are used in the absence of a recipient user context. +# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER. +# +#default_privs = nobody + +# INTERNET HOST AND DOMAIN NAMES +# +# The myhostname parameter specifies the internet hostname of this +# mail system. The default is to use the fully-qualified domain name +# from gethostname(). $myhostname is used as a default value for many +# other configuration parameters. +# +#myhostname = host.domain.tld +#myhostname = virtual.domain.tld + +# The mydomain parameter specifies the local internet domain name. +# The default is to use $myhostname minus the first component. 
+# $mydomain is used as a default value for many other configuration +# parameters. +# +#mydomain = domain.tld + +# SENDING MAIL +# +# The myorigin parameter specifies the domain that locally-posted +# mail appears to come from. The default is to append $myhostname, +# which is fine for small sites. If you run a domain with multiple +# machines, you should (1) change this to $mydomain and (2) set up +# a domain-wide alias database that aliases each user to +# user@that.users.mailhost. +# +# For the sake of consistency between sender and recipient addresses, +# myorigin also specifies the default domain name that is appended +# to recipient addresses that have no @domain part. +# +# Debian GNU/Linux specific: Specifying a file name will cause the +# first line of that file to be used as the name. The Debian default +# is /etc/mailname. +# +#myorigin = /etc/mailname +#myorigin = $myhostname +#myorigin = $mydomain + +# RECEIVING MAIL + +# The inet_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on. By default, +# the software claims all active interfaces on the machine. The +# parameter also controls delivery of mail to user@[ip.address]. +# +# See also the proxy_interfaces parameter, for network addresses that +# are forwarded to us via a proxy or network address translator. +# +# Note: you need to stop/start Postfix when this parameter changes. +# +#inet_interfaces = all +#inet_interfaces = $myhostname +#inet_interfaces = $myhostname, localhost + +# The proxy_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on by way of a +# proxy or network address translation unit. This setting extends +# the address list specified with the inet_interfaces parameter. +# +# You must specify your proxy/NAT addresses when your system is a +# backup MX host for other domains, otherwise mail delivery loops +# will happen when the primary MX host is down. 
+# +#proxy_interfaces = +#proxy_interfaces = 1.2.3.4 + +# The mydestination parameter specifies the list of domains that this +# machine considers itself the final destination for. +# +# These domains are routed to the delivery agent specified with the +# local_transport parameter setting. By default, that is the UNIX +# compatible delivery agent that lookups all recipients in /etc/passwd +# and /etc/aliases or their equivalent. +# +# The default is $myhostname + localhost.$mydomain + localhost. On +# a mail domain gateway, you should also include $mydomain. +# +# Do not specify the names of virtual domains - those domains are +# specified elsewhere (see VIRTUAL_README). +# +# Do not specify the names of domains that this machine is backup MX +# host for. Specify those names via the relay_domains settings for +# the SMTP server, or use permit_mx_backup if you are lazy (see +# STANDARD_CONFIGURATION_README). +# +# The local machine is always the final destination for mail addressed +# to user@[the.net.work.address] of an interface that the mail system +# receives mail on (see the inet_interfaces parameter). +# +# Specify a list of host or domain names, /file/name or type:table +# patterns, separated by commas and/or whitespace. A /file/name +# pattern is replaced by its contents; a type:table is matched when +# a name matches a lookup key (the right-hand side is ignored). +# Continue long lines by starting the next line with whitespace. +# +# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". 
+# +#mydestination = $myhostname, localhost.$mydomain, localhost +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, +# mail.$mydomain, www.$mydomain, ftp.$mydomain + +# REJECTING MAIL FOR UNKNOWN LOCAL USERS +# +# The local_recipient_maps parameter specifies optional lookup tables +# with all names or addresses of users that are local with respect +# to $mydestination, $inet_interfaces or $proxy_interfaces. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown local users. This parameter is defined by default. +# +# To turn off local recipient checking in the SMTP server, specify +# local_recipient_maps = (i.e. empty). +# +# The default setting assumes that you use the default Postfix local +# delivery agent for local delivery. You need to update the +# local_recipient_maps setting if: +# +# - You define $mydestination domain recipients in files other than +# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. +# For example, you define $mydestination domain recipients in +# the $virtual_mailbox_maps files. +# +# - You redefine the local delivery agent in master.cf. +# +# - You redefine the "local_transport" setting in main.cf. +# +# - You use the "luser_relay", "mailbox_transport", or "fallback_transport" +# feature of the Postfix local delivery agent (see local(8)). +# +# Details are described in the LOCAL_RECIPIENT_README file. +# +# Beware: if the Postfix SMTP server runs chrooted, you probably have +# to access the passwd file via the proxymap service, in order to +# overcome chroot restrictions. The alternative, having a copy of +# the system passwd file in the chroot jail is just not practical. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify a bare username, an @domain.tld +# wild-card, or specify a user@domain.tld address. 
+# +#local_recipient_maps = unix:passwd.byname $alias_maps +#local_recipient_maps = proxy:unix:passwd.byname $alias_maps +#local_recipient_maps = + +# The unknown_local_recipient_reject_code specifies the SMTP server +# response code when a recipient domain matches $mydestination or +# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty +# and the recipient address or address local-part is not found. +# +# The default setting is 550 (reject mail) but it is safer to start +# with 450 (try again later) until you are certain that your +# local_recipient_maps settings are OK. +# +unknown_local_recipient_reject_code = 550 + +# TRUST AND RELAY CONTROL + +# The mynetworks parameter specifies the list of "trusted" SMTP +# clients that have more privileges than "strangers". +# +# In particular, "trusted" SMTP clients are allowed to relay mail +# through Postfix. See the smtpd_recipient_restrictions parameter +# in postconf(5). +# +# You can specify the list of "trusted" network addresses by hand +# or you can let Postfix do it for you (which is the default). +# +# By default (mynetworks_style = subnet), Postfix "trusts" SMTP +# clients in the same IP subnetworks as the local machine. +# On Linux, this works correctly only with interfaces specified +# with the "ifconfig" command. +# +# Specify "mynetworks_style = class" when Postfix should "trust" SMTP +# clients in the same IP class A/B/C networks as the local machine. +# Don't do this with a dialup site - it would cause Postfix to "trust" +# your entire provider's network. Instead, specify an explicit +# mynetworks list by hand, as described below. +# +# Specify "mynetworks_style = host" when Postfix should "trust" +# only the local machine. +# +#mynetworks_style = class +#mynetworks_style = subnet +#mynetworks_style = host + +# Alternatively, you can specify the mynetworks list by hand, in +# which case Postfix ignores the mynetworks_style setting. 
+# +# Specify an explicit list of network/netmask patterns, where the +# mask specifies the number of bits in the network part of a host +# address. +# +# You can also specify the absolute pathname of a pattern file instead +# of listing the patterns here. Specify type:table for table-based lookups +# (the value on the table right-hand side is not used). +# +#mynetworks = 168.100.189.0/28, 127.0.0.0/8 +#mynetworks = $config_directory/mynetworks +#mynetworks = hash:/etc/postfix/network_table +mynetworks = 127.0.0.0/8 + +# The relay_domains parameter restricts what destinations this system will +# relay mail to. See the smtpd_recipient_restrictions description in +# postconf(5) for detailed information. +# +# By default, Postfix relays mail +# - from "trusted" clients (IP address matches $mynetworks) to any destination, +# - from "untrusted" clients to destinations that match $relay_domains or +# subdomains thereof, except addresses with sender-specified routing. +# The default relay_domains value is $mydestination. +# +# In addition to the above, the Postfix SMTP server by default accepts mail +# that Postfix is final destination for: +# - destinations that match $inet_interfaces or $proxy_interfaces, +# - destinations that match $mydestination +# - destinations that match $virtual_alias_domains, +# - destinations that match $virtual_mailbox_domains. +# These destinations do not need to be listed in $relay_domains. +# +# Specify a list of hosts or domains, /file/name patterns or type:name +# lookup tables, separated by commas and/or whitespace. Continue +# long lines by starting the next line with whitespace. A file name +# is replaced by its contents; a type:name table is matched when a +# (parent) domain appears as lookup key. +# +# NOTE: Postfix will not automatically forward mail for domains that +# list this system as their primary or backup MX host. See the +# permit_mx_backup restriction description in postconf(5). 
+# +#relay_domains = $mydestination + +# INTERNET OR INTRANET + +# The relayhost parameter specifies the default host to send mail to +# when no entry is matched in the optional transport(5) table. When +# no relayhost is given, mail is routed directly to the destination. +# +# On an intranet, specify the organizational domain name. If your +# internal DNS uses no MX records, specify the name of the intranet +# gateway host instead. +# +# In the case of SMTP, specify a domain, host, host:port, [host]:port, +# [address] or [address]:port; the form [host] turns off MX lookups. +# +# If you're connected via UUCP, see also the default_transport parameter. +# +#relayhost = $mydomain +#relayhost = [gateway.my.domain] +#relayhost = [mailserver.isp.tld] +#relayhost = uucphost +#relayhost = [an.ip.add.ress] + +# REJECTING UNKNOWN RELAY USERS +# +# The relay_recipient_maps parameter specifies optional lookup tables +# with all addresses in the domains that match $relay_domains. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown relay users. This feature is off by default. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify an @domain.tld wild-card, or specify +# a user@domain.tld address. +# +#relay_recipient_maps = hash:/etc/postfix/relay_recipients + +# INPUT RATE CONTROL +# +# The in_flow_delay configuration parameter implements mail input +# flow control. This feature is turned on by default, although it +# still needs further development (it's disabled on SCO UNIX due +# to an SCO bug). +# +# A Postfix process will pause for $in_flow_delay seconds before +# accepting a new message, when the message arrival rate exceeds the +# message delivery rate. With the default 100 SMTP server process +# limit, this limits the mail inflow to 100 messages a second more +# than the number of messages delivered per second. +# +# Specify 0 to disable the feature. Valid delays are 0..10. 
+# +#in_flow_delay = 1s + +# ADDRESS REWRITING +# +# The ADDRESS_REWRITING_README document gives information about +# address masquerading or other forms of address rewriting including +# username->Firstname.Lastname mapping. + +# ADDRESS REDIRECTION (VIRTUAL DOMAIN) +# +# The VIRTUAL_README document gives information about the many forms +# of domain hosting that Postfix supports. + +# "USER HAS MOVED" BOUNCE MESSAGES +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# TRANSPORT MAP +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# ALIAS DATABASE +# +# The alias_maps parameter specifies the list of alias databases used +# by the local delivery agent. The default list is system dependent. +# +# On systems with NIS, the default is to search the local alias +# database, then the NIS alias database. See aliases(5) for syntax +# details. +# +# If you change the alias database, run "postalias /etc/aliases" (or +# wherever your system stores the mail alias file), or simply run +# "newaliases" to build the necessary DBM or DB file. +# +# It will take a minute or so before changes become visible. Use +# "postfix reload" to eliminate the delay. +# +#alias_maps = dbm:/etc/aliases +#alias_maps = hash:/etc/aliases +#alias_maps = hash:/etc/aliases, nis:mail.aliases +#alias_maps = netinfo:/aliases + +# The alias_database parameter specifies the alias database(s) that +# are built with "newaliases" or "sendmail -bi". This is a separate +# configuration parameter, because alias_maps (see above) may specify +# tables that are not necessarily all under control by Postfix. +# +#alias_database = dbm:/etc/aliases +#alias_database = dbm:/etc/mail/aliases +#alias_database = hash:/etc/aliases +#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases + +# ADDRESS EXTENSIONS (e.g., user+foo) +# +# The recipient_delimiter parameter specifies the separator between +# user names and address extensions (user+foo). 
See canonical(5), +# local(8), relocated(5) and virtual(5) for the effects this has on +# aliases, canonical, virtual, relocated and .forward file lookups. +# Basically, the software tries user+foo and .forward+foo before +# trying user and .forward. +# +#recipient_delimiter = + + +# DELIVERY TO MAILBOX +# +# The home_mailbox parameter specifies the optional pathname of a +# mailbox file relative to a user's home directory. The default +# mailbox file is /var/spool/mail/user or /var/mail/user. Specify +# "Maildir/" for qmail-style delivery (the / is required). +# +#home_mailbox = Mailbox +#home_mailbox = Maildir/ + +# The mail_spool_directory parameter specifies the directory where +# UNIX-style mailboxes are kept. The default setting depends on the +# system type. +# +#mail_spool_directory = /var/mail +#mail_spool_directory = /var/spool/mail + +# The mailbox_command parameter specifies the optional external +# command to use instead of mailbox delivery. The command is run as +# the recipient with proper HOME, SHELL and LOGNAME environment settings. +# Exception: delivery for root is done as $default_user. +# +# Other environment variables of interest: USER (recipient username), +# EXTENSION (address extension), DOMAIN (domain part of address), +# and LOCAL (the address localpart). +# +# Unlike other Postfix configuration parameters, the mailbox_command +# parameter is not subjected to $parameter substitutions. This is to +# make it easier to specify shell syntax (see example below). +# +# Avoid shell meta characters because they will force Postfix to run +# an expensive shell process. Procmail alone is expensive enough. +# +# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN +# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. +# +#mailbox_command = /usr/bin/procmail +#mailbox_command = /usr/bin/procmail -a "$EXTENSION" + +# The mailbox_transport specifies the optional transport in master.cf +# to use after processing aliases and .forward files. 
This parameter +# has precedence over the mailbox_command, fallback_transport and +# luser_relay parameters. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" +# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf. +#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp +# +# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and +# subsequent line in master.cf. +#mailbox_transport = cyrus + +# The fallback_transport specifies the optional transport in master.cf +# to use for recipients that are not found in the UNIX passwd database. +# This parameter has precedence over the luser_relay parameter. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#fallback_transport = lmtp:unix:/file/name +#fallback_transport = cyrus +#fallback_transport = + +# The luser_relay parameter specifies an optional destination address +# for unknown recipients. By default, mail for unknown@$mydestination, +# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned +# as undeliverable. 
+# +# The following expansions are done on luser_relay: $user (recipient +# username), $shell (recipient shell), $home (recipient home directory), +# $recipient (full recipient address), $extension (recipient address +# extension), $domain (recipient domain), $local (entire recipient +# localpart), $recipient_delimiter. Specify ${name?value} or +# ${name:value} to expand value only when $name does (does not) exist. +# +# luser_relay works only for the default Postfix local delivery agent. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must specify "local_recipient_maps =" (i.e. empty) in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#luser_relay = $user@other.host +#luser_relay = $local@other.host +#luser_relay = admin+$local + +# JUNK MAIL CONTROLS +# +# The controls listed here are only a very small subset. The file +# SMTPD_ACCESS_README provides an overview. + +# The header_checks parameter specifies an optional table with patterns +# that each logical message header is matched against, including +# headers that span multiple physical lines. +# +# By default, these patterns also apply to MIME headers and to the +# headers of attached messages. With older Postfix versions, MIME and +# attached message headers were treated as body text. +# +# For details, see "man header_checks". +# +#header_checks = regexp:/etc/postfix/header_checks + +# FAST ETRN SERVICE +# +# Postfix maintains per-destination logfiles with information about +# deferred mail, so that mail can be flushed quickly with the SMTP +# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". +# See the ETRN_README document for a detailed description. +# +# The fast_flush_domains parameter controls what destinations are +# eligible for this service. By default, they are all domains that +# this server is willing to relay mail to. 
+# +#fast_flush_domains = $relay_domains + +# SHOW SOFTWARE VERSION OR NOT +# +# The smtpd_banner parameter specifies the text that follows the 220 +# code in the SMTP server's greeting banner. Some people like to see +# the mail version advertised. By default, Postfix shows no version. +# +# You MUST specify $myhostname at the start of the text. That is an +# RFC requirement. Postfix itself does not care. +# +#smtpd_banner = $myhostname ESMTP $mail_name +#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) +smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) + + +# PARALLEL DELIVERY TO THE SAME DESTINATION +# +# How many parallel deliveries to the same user or domain? With local +# delivery, it does not make sense to do massively parallel delivery +# to the same user, because mailbox updates must happen sequentially, +# and expensive pipelines in .forward files can cause disasters when +# too many are run at the same time. With SMTP deliveries, 10 +# simultaneous connections to the same domain could be sufficient to +# raise eyebrows. +# +# Each message delivery transport has its XXX_destination_concurrency_limit +# parameter. The default is $default_destination_concurrency_limit for +# most delivery transports. For the local delivery agent the default is 2. + +#local_destination_concurrency_limit = 2 +#default_destination_concurrency_limit = 20 + +# DEBUGGING CONTROL +# +# The debug_peer_level parameter specifies the increment in verbose +# logging level when an SMTP client or server host name or address +# matches a pattern in the debug_peer_list parameter. +# +#debug_peer_level = 2 + +# The debug_peer_list parameter specifies an optional list of domain +# or network patterns, /file/name patterns or type:name tables. When +# an SMTP client or server host name or address matches a pattern, +# increase the verbose logging level by the amount specified in the +# debug_peer_level parameter. 
+# +#debug_peer_list = 127.0.0.1 +#debug_peer_list = some.domain + +# The debugger_command specifies the external command that is executed +# when a Postfix daemon program is run with the -D option. +# +# Use "command .. & sleep 5" so that the debugger can attach before +# the process marches on. If you use an X-based debugger, be sure to +# set up your XAUTHORITY environment variable before starting Postfix. +# +debugger_command = + PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin + ddd $daemon_directory/$process_name $process_id & sleep 5 + +# If you can't use X, use this to capture the call stack when a +# daemon crashes. The result is in a file in the configuration +# directory, and is named after the process name and the process ID. +# +# debugger_command = +# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; +# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 +# >$config_directory/$process_name.$process_id.log & sleep 5 +# +# Another possibility is to run gdb under a detached screen session. +# To attach to the screen session, su root and run "screen -r +# " where uniquely matches one of the detached +# sessions (from "screen -list"). +# +# debugger_command = +# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen +# -dmS $process_name gdb $daemon_directory/$process_name +# $process_id & sleep 1 + +# INSTALL-TIME CONFIGURATION INFORMATION +# +# The following parameters are used when installing a new Postfix version. +# +# sendmail_path: The full pathname of the Postfix sendmail command. +# This is the Sendmail-compatible mail posting interface. +# +sendmail_path = + +# newaliases_path: The full pathname of the Postfix newaliases command. +# This is the Sendmail-compatible command to build alias databases. +# +newaliases_path = + +# mailq_path: The full pathname of the Postfix mailq command. This +# is the Sendmail-compatible mail queue listing command. 
+# +mailq_path = + +# setgid_group: The group for mail submission and queue management +# commands. This must be a group name with a numerical group ID that +# is not shared with other accounts, not even with the Postfix account. +# +setgid_group = + +# html_directory: The location of the Postfix HTML documentation. +# +html_directory = + +# manpage_directory: The location of the Postfix on-line manual pages. +# +manpage_directory = + +# sample_directory: The location of the Postfix sample configuration files. +# This parameter is obsolete as of Postfix 2.1. +# +sample_directory = + +# readme_directory: The location of the Postfix README files. +# +readme_directory = +inet_protocols = ipv4 diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf new file mode 100644 index 0000000..26f51e5 --- /dev/null +++ b/etc/postfix/master.cf 
@@ -0,0 +1,67 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - - smtpd
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+#submission inet n - y - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#smtps inet n - y - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+postlog unix-dgram n - n - 1 postlogd
diff --git a/etc/postfix/master.cf.proto b/etc/postfix/master.cf.proto
new file mode 100644
index 0000000..ea53632
--- /dev/null
+++ b/etc/postfix/master.cf.proto
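Review bot: The `lmtp` service is defined with chroot `n`, whereas the `master.cf.proto` template added in this same commit keeps it at `y`, and nothing in the file records why the client is taken out of the chroot. Presumably it is so the lmtp client can open `/var/spool/kopano/dagent.sock`, the `virtual_transport` target in main.cf, which does not exist inside the `/var/spool/postfix` chroot; a comment above the entry should say so, e.g. `# lmtp runs unchrooted: dagent.sock lives in /var/spool/kopano, outside $queue_directory`. If kopano-dagent can bind its socket under `/var/spool/postfix/` instead, the chroot can be kept and the exception goes away. Also, the public `smtp inet` listener is the only enabled service and `submission`/`smtps` stay commented out, so `permit_sasl_authenticated` in main.cf has no client it can ever match; that is fine for an MX-only host but worth a one-line note so nobody assumes authenticated submission is available.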
@@ -0,0 +1,127 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +#submission inet n - y - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#smtps inet n - y - - smtpd +# -o syslog_name=postfix/smtps +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - y 1000? 
1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +relay unix - - y - - smtp + -o syslog_name=postfix/$service_name +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +postlog unix-dgram n - n - 1 postlogd +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. 
+# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} + diff --git a/etc/postfix/post-install b/etc/postfix/post-install new file mode 100644 index 0000000..975266b --- /dev/null +++ b/etc/postfix/post-install 
@@ -0,0 +1,925 @@ +#!/bin/sh + +# To view the formatted manual page of this file, type: +# POSTFIXSOURCE/mantools/srctoman - post-install | nroff -man + +#++ +# NAME +# post-install +# SUMMARY +# Postfix post-installation script +# SYNOPSIS +# postfix post-install [name=value] command ... +# DESCRIPTION +# The post-install script performs the finishing touch of a Postfix +# installation, after the executable programs and configuration +# files are installed. Usage is one of the following: +# .IP o +# While installing Postfix from source code on the local machine, the +# script is run by the postfix-install script to update selected file +# or directory permissions and to update Postfix configuration files. +# .IP o +# While installing Postfix from a pre-built package, the script is run +# by the package management procedure to set all file or directory +# permissions and to update Postfix configuration files. +# .IP o +# The script can be used to change installation parameter settings such +# as mail_owner or setgid_group after Postfix is already installed. +# .IP o +# The script can be used to upgrade configuration files and to upgrade +# file/directory permissions of a secondary Postfix instance. +# .IP o +# At Postfix start-up time, the script is run from "postfix check" to +# create missing queue directories. +# .PP +# The post-install script is controlled by installation parameters. +# Specific parameters are described at the end of this document. +# All installation parameters must be specified ahead of time via +# one of the methods described below. +# +# Arguments +# .IP create-missing +# Create missing queue directories with ownerships and permissions +# according to the contents of $meta_directory/postfix-files +# and optionally in $meta_directory/postfix-files.d/*, using +# the mail_owner and setgid_group parameter settings from the +# command line, process environment or from the installed +# main.cf file. 
+# +# This is required at Postfix start-up time. +# .IP set-permissions +# Set all file/directory ownerships and permissions according to the +# contents of $meta_directory/postfix-files and optionally +# in $meta_directory/postfix-files.d/*, using the mail_owner +# and setgid_group parameter settings from the command line, +# process environment or from the installed main.cf file. +# Implies create-missing. +# +# This is required when installing Postfix from a pre-built package, +# or when changing the mail_owner or setgid_group installation parameter +# settings after Postfix is already installed. +# .IP upgrade-permissions +# Update ownership and permission of existing files/directories as +# specified in $meta_directory/postfix-files and optionally +# in $meta_directory/postfix-files.d/*, using the mail_owner +# and setgid_group parameter settings from the command line, +# process environment or from the installed main.cf file. +# Implies create-missing. +# +# This is required when upgrading an existing Postfix instance. +# .IP upgrade-configuration +# Edit the installed main.cf and master.cf files, in order to account +# for missing services and to fix deprecated parameter settings. +# +# This is required when upgrading an existing Postfix instance. +# .IP upgrade-source +# Short-hand for: upgrade-permissions upgrade-configuration. +# +# This is recommended when upgrading Postfix from source code. +# .IP upgrade-package +# Short-hand for: set-permissions upgrade-configuration. +# +# This is recommended when upgrading Postfix from a pre-built package. +# .IP first-install-reminder +# Remind the user that they still need to configure main.cf and the +# aliases file, and that newaliases still needs to be run. +# +# This is recommended when Postfix is installed for the first time. 
+# MULTIPLE POSTFIX INSTANCES +# .ad +# .fi +# Multiple Postfix instances on the same machine can share command and +# daemon program files but must have separate configuration and queue +# directories. +# +# To create a secondary Postfix installation on the same machine, +# copy the configuration files from the primary Postfix instance to +# a secondary configuration directory and execute: +# +# postfix post-install config_directory=secondary-config-directory \e +# .in +4 +# queue_directory=secondary-queue-directory \e +# .br +# create-missing +# .PP +# This creates secondary Postfix queue directories, sets their access +# permissions, and saves the specified installation parameters to the +# secondary main.cf file. +# +# Be sure to list the secondary configuration directory in the +# alternate_config_directories parameter in the primary main.cf file. +# +# To upgrade a secondary Postfix installation on the same machine, +# execute: +# +# postfix post-install config_directory=secondary-config-directory \e +# .in +4 +# upgrade-permissions upgrade-configuration +# INSTALLATION PARAMETER INPUT METHODS +# .ad +# .fi +# Parameter settings can be specified through a variety of +# mechanisms. In order of decreasing precedence these are: +# .IP "command line" +# Parameter settings can be given as name=value arguments on +# the post-install command line. These have the highest precedence. +# Settings that override the installed main.cf file are saved. +# .IP "process environment" +# Parameter settings can be given as name=value environment +# variables. +# Settings that override the installed main.cf file are saved. +# .IP "installed configuration files" +# If a parameter is not specified via the command line or via the +# process environment, post-install will attempt to extract its +# value from the already installed Postfix main.cf configuration file. +# These settings have the lowest precedence. 
+# INSTALLATION PARAMETER DESCRIPTION +# .ad +# .fi +# The description of installation parameters is as follows: +# .IP config_directory +# The directory for Postfix configuration files. +# .IP daemon_directory +# The directory for Postfix daemon programs. This directory +# should not be in the command search path of any users. +# .IP command_directory +# The directory for Postfix administrative commands. This +# directory should be in the command search path of adminstrative users. +# .IP queue_directory +# The directory for Postfix queues. +# .IP data_directory +# The directory for Postfix writable data files (caches, etc.). +# .IP sendmail_path +# The full pathname for the Postfix sendmail command. +# This is the Sendmail-compatible mail posting interface. +# .IP newaliases_path +# The full pathname for the Postfix newaliases command. +# This is the Sendmail-compatible command to build alias databases +# for the Postfix local delivery agent. +# .IP mailq_path +# The full pathname for the Postfix mailq command. +# This is the Sendmail-compatible command to list the mail queue. +# .IP mail_owner +# The owner of the Postfix queue. Its numerical user ID and group ID +# must not be used by any other accounts on the system. +# .IP setgid_group +# The group for mail submission and for queue management commands. +# Its numerical group ID must not be used by any other accounts on the +# system, not even by the mail_owner account. +# .IP html_directory +# The directory for the Postfix HTML files. +# .IP manpage_directory +# The directory for the Postfix on-line manual pages. +# .IP sample_directory +# The directory for the Postfix sample configuration files. +# This feature is obsolete as of Postfix 2.1. +# .IP readme_directory +# The directory for the Postfix README files. +# .IP shlib_directory +# The directory for the Postfix shared-library files, and for +# the Postfix dabatase plugin files with a relative pathname +# in the file dynamicmaps.cf. 
+# .IP meta_directory +# The directory for non-executable files that are shared +# among multiple Postfix instances, such as postfix-files, +# dynamicmaps.cf, as well as the multi-instance template files +# main.cf.proto and master.cf.proto. +# SEE ALSO +# postfix-install(1) Postfix primary installation script. +# FILES +# $config_directory/main.cf, Postfix installation parameters. +# $meta_directory/postfix-files, installation control file. +# $meta_directory/postfix-files.d/*, optional control files. +# $config_directory/install.cf, obsolete configuration file. +# LICENSE +# .ad +# .fi +# The Secure Mailer license must be distributed with this software. +# AUTHOR(S) +# Wietse Venema +# IBM T.J. Watson Research +# P.O. Box 704 +# Yorktown Heights, NY 10598, USA +# +# Wietse Venema +# Google, Inc. +# 111 8th Avenue +# New York, NY 10011, USA +#-- + +umask 022 + +PATH=/bin:/usr/bin:/usr/sbin:/usr/etc:/sbin:/etc:/usr/contrib/bin:/usr/gnu/bin:/usr/ucb:/usr/bsd +SHELL=/bin/sh +IFS=" +" +BACKUP_IFS="$IFS" +debug=: +#debug=echo +MOST_PARAMETERS="command_directory daemon_directory data_directory + html_directory mail_owner mailq_path manpage_directory + newaliases_path queue_directory readme_directory sample_directory + sendmail_path setgid_group shlib_directory meta_directory" +NON_SHARED="config_directory queue_directory data_directory" + +USAGE="Usage: $0 [name=value] command + create-missing Create missing queue directories. + upgrade-source When installing or upgrading from source code. + upgrade-package When installing or upgrading from pre-built package. + first-install-reminder Remind of mandatory first-time configuration steps. + name=value Specify an installation parameter". + +# Process command-line options and parameter settings. Work around +# brain damaged shells. "IFS=value command" should not make the +# IFS=value setting permanent. But some broken standard allows it. 
+ +create=; set_perms=; upgrade_perms=; upgrade_conf=; first_install_reminder= +obsolete=; keep_list=; + +for arg +do + case $arg in + *[" "]*) echo $0: "Error: argument contains whitespace: '$arg'" + exit 1;; + *=*) IFS= eval $arg; IFS="$BACKUP_IFS";; + create-missing) create=1;; + set-perm*) create=1; set_perms=1;; + upgrade-perm*) create=1; upgrade_perms=1;; + upgrade-conf*) upgrade_conf=1;; + upgrade-source) create=1; upgrade_conf=1; upgrade_perms=1;; + upgrade-package) create=1; upgrade_conf=1; set_perms=1;; + first-install*) first_install_reminder=1;; + *) echo "$0: Error: $USAGE" 1>&2; exit 1;; + esac + shift +done + +# Sanity checks. + +test -n "$create$upgrade_conf$first_install_reminder" || { + echo "$0: Error: $USAGE" 1>&2 + exit 1 +} + +# Bootstrapping problem. + +if [ -n "$command_directory" ] +then + POSTCONF="$command_directory/postconf" +else + POSTCONF="postconf" +fi + +$POSTCONF -d mail_version >/dev/null 2>/dev/null || { + echo $0: Error: no $POSTCONF command found. 1>&2 + echo Re-run this command as $0 command_directory=/some/where. 1>&2 + exit 1 +} + +# Also used to require license etc. files only in the default instance. + +def_config_directory=`$POSTCONF -d -h config_directory` || exit 1 +test -n "$config_directory" || + config_directory="$def_config_directory" + +test -d "$config_directory" || { + echo $0: Error: $config_directory is not a directory. 1>&2 + exit 1 +} + +# If this is a secondary instance, don't touch shared files. +# XXX Solaris does not have "test -e". + +instances=`test ! -f $def_config_directory/main.cf || + $POSTCONF -c $def_config_directory -h multi_instance_directories | + sed 's/,/ /'` || exit 1 + +update_shared_files=1 +for name in $instances +do + case "$name" in + "$def_config_directory") ;; + "$config_directory") update_shared_files=; break;; + esac +done + +test -f $meta_directory/postfix-files || { + echo $0: Error: $meta_directory/postfix-files is not a file. 
1>&2 + exit 1 +} + +# SunOS5 fmt(1) truncates lines > 1000 characters. + +fake_fmt() { + sed ' + :top + /^\( *\)\([^ ][^ ]*\) */{ + s//\1\2\ +\1/ + P + D + b top + } + ' | fmt +} + +case `uname -s` in +HP-UX*) FMT=cat;; +SunOS*) FMT=fake_fmt;; + *) FMT=fmt;; +esac + +# If a parameter is not set via the command line or environment, +# try to use settings from installed configuration files. + +# Extract parameter settings from the obsolete install.cf file, as +# a transitional aid. + +grep setgid_group $config_directory/main.cf >/dev/null 2>&1 || { + test -f $config_directory/install.cf && { + for name in sendmail_path newaliases_path mailq_path setgid manpages + do + eval junk=\$$name + case "$junk" in + "") eval unset $name;; + esac + eval : \${$name="\`. $config_directory/install.cf; echo \$$name\`"} \ + || exit 1 + done + : ${setgid_group=$setgid} + : ${manpage_directory=$manpages} + } +} + +# Extract parameter settings from the installed main.cf file. + +test -f $config_directory/main.cf && { + for name in $MOST_PARAMETERS + do + eval junk=\$$name + case "$junk" in + "") eval unset $name;; + esac + eval : \${$name=\`$POSTCONF -c $config_directory -h $name\`} || exit 1 + done +} + +# Sanity checks + +case $manpage_directory in + no) echo $0: Error: manpage_directory no longer accepts \"no\" values. 1>&2 + echo Try again with \"$0 manpage_directory=/pathname ...\". 1>&2; exit 1;; +esac + +case $setgid_group in + no) echo $0: Error: setgid_group no longer accepts \"no\" values. 1>&2 + echo Try again with \"$0 setgid_group=groupname ...\" 1>&2; exit 1;; +esac + +for path in "$daemon_directory" "$command_directory" "$queue_directory" \ + "$sendmail_path" "$newaliases_path" "$mailq_path" "$manpage_directory" \ + "$meta_directory" +do + case "$path" in + /*) ;; + *) echo $0: Error: \"$path\" should be an absolute path name. 
1>&2; exit 1;; + esac +done + +for path in "$html_directory" "$readme_directory" "$shlib_directory" +do + case "$path" in + /*) ;; + no) ;; + *) echo $0: Error: \"$path\" should be \"no\" or an absolute path name. 1>&2; exit 1;; + esac +done + +# Find out what parameters were not specified via command line, +# via environment, or via installed configuration files. + +missing= +for name in $MOST_PARAMETERS +do + eval test -n \"\$$name\" || missing="$missing $name" +done + +# All parameters must be specified at this point. + +test -n "$non_interactive" -a -n "$missing" && { + cat <&2 +$0: Error: some required installation parameters are not defined. + +- Either the parameters need to be given in the $config_directory/main.cf +file from a recent Postfix installation, + +- Or the parameters need to be specified through the process +environment. + +- Or the parameters need to be specified as name=value arguments +on the $0 command line, + +The following parameters were missing: + + $missing + +EOF + exit 1 +} + +POSTCONF="$command_directory/postconf" + +# Save settings, allowing command line/environment override. + +# Undo MAIL_VERSION expansion at the end of a parameter value. If +# someone really wants the expanded mail version in main.cf, then +# we're sorry. + +# Confine side effects from mail_version unexpansion within a subshell. + +(case "$mail_version" in +"") mail_version="`$POSTCONF -dhx mail_version`" || exit 1 +esac + +for name in $MOST_PARAMETERS +do + eval junk=\$$name + case "$junk" in + *"$mail_version"*) + case "$pattern" in + "") pattern=`echo "$mail_version" | sed 's/\./\\\\./g'` || exit 1 + esac + val=`echo "$junk" | sed "s/$pattern"'$/${mail_version}/g'` || exit 1 + eval ${name}='"$val"' + esac +done + +# XXX Maybe update main.cf only with first install, upgrade, set +# permissions, and what else? Should there be a warning otherwise? 
+ +override= +for name in $MOST_PARAMETERS +do + eval junk=\"\$$name\" + test "$junk" = "`$POSTCONF -c $config_directory -h $name`" || { + override=1 + break + } +done + +test -n "$override" && { + $POSTCONF -c $config_directory -e \ + "daemon_directory = $daemon_directory" \ + "command_directory = $command_directory" \ + "queue_directory = $queue_directory" \ + "data_directory = $data_directory" \ + "mail_owner = $mail_owner" \ + "setgid_group = $setgid_group" \ + "sendmail_path = $sendmail_path" \ + "mailq_path = $mailq_path" \ + "newaliases_path = $newaliases_path" \ + "html_directory = $html_directory" \ + "manpage_directory = $manpage_directory" \ + "sample_directory = $sample_directory" \ + "readme_directory = $readme_directory" \ + "shlib_directory = $shlib_directory" \ + "meta_directory = $meta_directory" \ + || exit 1 +} || exit 0) || exit 1 + +# Use file/directory status information in $meta_directory/postfix-files. + +test -n "$create" && { + postfix_files_d=$meta_directory/postfix-files.d + for postfix_file in $meta_directory/postfix-files \ + `test -d $postfix_files_d && { find $postfix_files_d -type f | sort; }` + do + exec <$postfix_file || exit 1 + while IFS=: read path type owner group mode flags junk + do + IFS="$BACKUP_IFS" + set_permission= + # Skip comments. Skip shared files, if updating a secondary instance. + case $path in + [$]*) case "$update_shared_files" in + 1) $debug keep non-shared or shared $path;; + *) non_shared= + for name in $NON_SHARED + do + case $path in + "\$$name"*) non_shared=1; break;; + esac + done + case "$non_shared" in + 1) $debug keep non-shared $path;; + *) $debug skip shared $path; continue;; + esac;; + esac;; + *) continue;; + esac + # Skip hard links and symbolic links. + case $type in + [hl]) continue;; + [df]) ;; + *) echo unknown type $type for $path in $postfix_file 1>&2; exit 1;; + esac + # Expand $name, and canonicalize null fields. 
+ for name in path owner group flags + do + eval junk=\${$name} + case $junk in + [$]*) eval $name=$junk;; + -) eval $name=;; + *) ;; + esac + done + # Skip uninstalled files. + case $path in + no|no/*) continue;; + esac + # Pick up the flags. + case $flags in *u*) upgrade_flag=1;; *) upgrade_flag=;; esac + case $flags in *c*) create_flag=1;; *) create_flag=;; esac + case $flags in *r*) recursive="-R";; *) recursive=;; esac + case $flags in *o*) obsolete_flag=1;; *) obsolete_flag=;; esac + case $flags in *[1i]*) test ! -r "$path" -a "$config_directory" != \ + "$def_config_directory" && continue;; esac + # Flag obsolete objects. XXX Solaris 2..9 does not have "test -e". + if [ -n "$obsolete_flag" ] + then + test -r $path -a "$type" != "d" && obsolete="$obsolete $path" + continue; + else + keep_list="$keep_list $path" + fi + # Create missing directories with proper owner/group/mode settings. + if [ -n "$create" -a "$type" = "d" -a -n "$create_flag" -a ! -d "$path" ] + then + mkdir $path || exit 1 + set_permission=1 + # Update all owner/group/mode settings. + elif [ -n "$set_perms" ] + then + set_permission=1 + # Update obsolete owner/group/mode settings. + elif [ -n "$upgrade_perms" -a -n "$upgrade_flag" ] + then + set_permission=1 + fi + test -n "$set_permission" && { + chown $recursive $owner $path || exit 1 + test -z "$group" || chgrp $recursive $group $path || exit 1 + # Don't "chmod -R"; queue file status is encoded in mode bits. + if [ "$type" = "d" -a -n "$recursive" ] + then + find $path -type d -exec chmod $mode "{}" ";" + else + chmod $mode $path + fi || exit 1 + } + done + IFS="$BACKUP_IFS" + done +} + +# Upgrade existing Postfix configuration files if necessary. + +test -n "$upgrade_conf" && { + + # Postfix 2.0. + # Add missing relay service to master.cf. 
+ + grep '^relay' $config_directory/master.cf >/dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for relay service + cat >>$config_directory/master.cf </dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for flush service + cat >>$config_directory/master.cf </dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for trace service + cat >>$config_directory/master.cf </dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for verify service + cat >>$config_directory/master.cf </dev/null && { + echo Editing $config_directory/master.cf, setting verify process limit to 1 + ed $config_directory/master.cf </dev/null && { + echo Editing $config_directory/master.cf, making the pickup service unprivileged + ed $config_directory/master.cf </dev/null && { + echo Editing $config_directory/master.cf, making the $name service public + ed $config_directory/master.cf </dev/null) || missing="$missing defer" + (echo "$found" | grep deferred>/dev/null)|| missing="$missing deferred" + test -n "$missing" && { + echo fixing main.cf hash_queue_names for missing $missing + $POSTCONF -c $config_directory -e hash_queue_names="$found$missing" || + exit 1 + } + + # Turn on safety nets for new features that could bounce mail that + # would be accepted by a previous Postfix version. + + # [The "unknown_local_recipient_reject_code = 450" safety net, + # introduced with Postfix 2.0 and deleted after Postfix 2.3.] + + # Postfix 2.0. + # Add missing proxymap service to master.cf. 
+ + grep '^proxymap.*proxymap' $config_directory/master.cf >/dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for proxymap service + cat >>$config_directory/master.cf </dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for anvil service + cat >>$config_directory/master.cf </dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for scache service + cat >>$config_directory/master.cf </dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for discard service + cat >>$config_directory/master.cf <unix service. + + grep "^tlsmgr[ ]*fifo[ ]" \ + $config_directory/master.cf >/dev/null && { + echo Editing $config_directory/master.cf, updating the tlsmgr from fifo to unix service + ed $config_directory/master.cf </dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for tlsmgr service + cat >>$config_directory/master.cf </dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for retry service + cat >>$config_directory/master.cf </dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for proxywrite service + cat >>$config_directory/master.cf </dev/null && { + echo Editing $config_directory/master.cf, setting proxywrite process limit to 1 + ed $config_directory/master.cf </dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for postscreen TCP service + cat >>$config_directory/master.cf </dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for smtpd unix-domain service + cat >>$config_directory/master.cf </dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for dnsblog unix-domain service + cat >>$config_directory/master.cf </dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for tlsproxy unix-domain service + cat >>$config_directory/master.cf </dev/null || { + echo Editing 
$config_directory/master.cf, adding missing entry for postlog unix-domain datagram service + cat >>$config_directory/master.cf <&2 + echo Do not run directly. 1>&2 + exit 1 +esac + +LOGGER="$command_directory/postlog -t $MAIL_LOGTAG/postfix-script" +INFO="$LOGGER -p info" +WARN="$LOGGER -p warn" +ERROR="$LOGGER -p error" +FATAL="$LOGGER -p fatal" +PANIC="$LOGGER -p panic" + +if [ "X${1#quiet-}" != "X${1}" ]; then + INFO=: + x=${1#quiet-} + shift + set -- $x "$@" +fi + +umask 022 +SHELL=/bin/sh + +# +# Can't do much without these in place. +# +cd $command_directory || { + $FATAL no Postfix command directory $command_directory! + exit 1 +} +cd $daemon_directory || { + $FATAL no Postfix daemon directory $daemon_directory! + exit 1 +} +test -f master || { + $FATAL no Postfix master program $daemon_directory/master! + exit 1 +} +cd $config_directory || { + $FATAL no Postfix configuration directory $config_directory! + exit 1 +} +case $shlib_directory in +no) ;; + *) cd $shlib_directory || { + $FATAL no Postfix shared-library directory $shlib_directory! + exit 1 + } +esac +cd $meta_directory || { + $FATAL no Postfix meta directory $meta_directory! + exit 1 +} +cd $queue_directory || { + $FATAL no Postfix queue directory $queue_directory! + exit 1 +} +def_config_directory=`$command_directory/postconf -dh config_directory` || { + $FATAL cannot execute $command_directory/postconf! + exit 1 +} + +# If this is a secondary instance, don't touch shared files. + +instances=`test ! -f $def_config_directory/main.cf || + $command_directory/postconf -c $def_config_directory \ + -h multi_instance_directories | sed 's/,/ /'` || { + $FATAL cannot execute $command_directory/postconf! 
+ exit 1
+}
+
+check_shared_files=1
+for name in $instances
+do
+ case "$name" in
+ "$def_config_directory") ;;
+ "$config_directory") check_shared_files=; break;;
+ esac
+done
+
+#
+# Parse JCL
+#
+case $1 in
+
+start_msg)
+
+ echo "Start postfix"
+ ;;
+
+stop_msg)
+
+ echo "Stop postfix"
+ ;;
+
+quick-start)
+
+ $daemon_directory/master -t 2>/dev/null || {
+ $FATAL the Postfix mail system is already running
+ exit 1
+ }
+ $daemon_directory/postfix-script quick-check || {
+ $FATAL Postfix integrity check failed!
+ exit 1
+ }
+ $INFO starting the Postfix mail system
+ $daemon_directory/master &
+ ;;
+
+start|start-fg)
+
+ $daemon_directory/master -t 2>/dev/null || {
+ $FATAL the Postfix mail system is already running
+ exit 1
+ }
+ if [ -f $queue_directory/quick-start ]
+ then
+ rm -f $queue_directory/quick-start
+ else
+ $daemon_directory/postfix-script check-fatal || {
+ $FATAL Postfix integrity check failed!
+ exit 1
+ }
+ # Foreground this so it can be stopped. All inodes are cached.
+ $daemon_directory/postfix-script check-warn
+ fi
+ $INFO starting the Postfix mail system || exit 1
+ case $1 in
+ start)
+ # NOTE: wait in foreground process to get the initialization status.
+ $daemon_directory/master -w || {
+ $FATAL "mail system startup failed"
+ exit 1
+ }
+ ;;
+ start-fg)
+ # Foreground start-up is incompatible with multi-instance mode.
+ # Use "exec $daemon_directory/master" only if PID == 1.
+ # Otherwise, doing so would break process group management,
+ # and "postfix stop" would kill too many processes.
+ case $instances in
+ "") case $$ in
+ 1) exec $daemon_directory/master -i
+ $FATAL "cannot start-fg the master daemon"
+ exit 1;;
+ *) $daemon_directory/master -s;;
+ esac
+ ;;
+ *) $FATAL "start-fg does not support multi_instance_directories"
+ exit 1
+ ;;
+ esac
+ ;;
+ esac
+ ;;
+
+drain)
+
+ $daemon_directory/master -t 2>/dev/null && {
+ $FATAL the Postfix mail system is not running
+ exit 1
+ }
+ $INFO stopping the Postfix mail system
+ kill -9 `sed 1q pid/master.pid`
+ ;;
+
+quick-stop)
+
+ $daemon_directory/postfix-script stop
+ touch $queue_directory/quick-start
+ ;;
+
+stop)
+
+ $daemon_directory/master -t 2>/dev/null && {
+ $FATAL the Postfix mail system is not running
+ exit 0
+ }
+ $INFO stopping the Postfix mail system
+ kill `sed 1q pid/master.pid`
+ for i in 5 4 3 2 1
+ do
+ $daemon_directory/master -t && exit 0
+ $INFO waiting for the Postfix mail system to terminate
+ sleep 1
+ done
+ $WARN stopping the Postfix mail system with force
+ pid=`awk '{ print $1; exit 0 } END { exit 1 }' pid/master.pid` &&
+ kill -9 -$pid
+ ;;
+
+abort)
+
+ $daemon_directory/master -t 2>/dev/null && {
+ $FATAL the Postfix mail system is not running
+ exit 0
+ }
+ $INFO aborting the Postfix mail system
+ kill `sed 1q pid/master.pid`
+ ;;
+
+reload)
+
+ $daemon_directory/master -t 2>/dev/null && {
+ $FATAL the Postfix mail system is not running
+ exit 1
+ }
+ $INFO refreshing the Postfix mail system
+ $command_directory/postsuper active || exit 1
+ kill -HUP `sed 1q pid/master.pid`
+ $command_directory/postsuper &
+ ;;
+
+flush)
+
+ cd $queue_directory || {
+ $FATAL no Postfix queue directory $queue_directory!
+ exit 1
+ }
+ $command_directory/postqueue -f
+ ;;
+
+check)
+
+ $daemon_directory/postfix-script check-fatal || exit 1
+ $daemon_directory/postfix-script check-warn
+ exit 0
+ ;;
+
+status)
+
+ $daemon_directory/master -t 2>/dev/null && {
+ $INFO the Postfix mail system is not running
+ exit 1
+ }
+ $INFO the Postfix mail system is running: PID: `sed 1q pid/master.pid`
+ exit 0
+ ;;
+
+quick-check)
+ # This command is NOT part of the public interface.
+
+ $SHELL $daemon_directory/post-install create-missing || {
+ $WARN unable to create missing queue directories
+ exit 1
+ }
+
+ # Look for incomplete installations.
+
+ test -f $config_directory/master.cf || {
+ $FATAL no $config_directory/master.cf file found
+ exit 1
+ }
+ exit 0
+ ;;
+
+check-fatal)
+ # This command is NOT part of the public interface.
+
+ $daemon_directory/postfix-script quick-check
+
+ maillog_file=`$command_directory/postconf -h maillog_file` || {
+ $FATAL cannot execute $command_directory/postconf!
+ exit 1
+ }
+ test -n "$maillog_file" && {
+ $command_directory/postconf -M postlog/unix-dgram 2>/dev/null \
+ | grep . >/dev/null || {
+ $FATAL "missing 'postlog' service in master.cf - run 'postfix upgrade-configuration'"
+ exit 1
+ }
+ }
+
+ # See if all queue files are in the right place. This is slow.
+ # We must scan all queues for mis-named queue files before the
+ # mail system can run.
+
+ $command_directory/postsuper || exit 1
+ exit 0
+ ;;
+
+check-warn)
+ # This command is NOT part of the public interface.
+
+ # Check Postfix root-owned directory owner/permissions.
+
+ find $queue_directory/. $queue_directory/pid \
+ -prune ! -user root \
+ -exec $WARN not owned by root: {} \;
+
+ find $queue_directory/. $queue_directory/pid \
+ -prune \( -perm -020 -o -perm -002 \) \
+ -exec $WARN group or other writable: {} \;
+
+ # Check Postfix root-owned directory tree owner/permissions.
+
+ todo="$config_directory/."
+ test -n "$check_shared_files" && {
+ todo="$daemon_directory/. $meta_directory/. $todo"
+ test "$shlib_directory" = "no" ||
+ todo="$shlib_directory/. $todo"
+ }
+ todo=`echo "$todo" | tr ' ' '\12' | sort -u`
+
+ find $todo ! -user root \
+ -exec $WARN not owned by root: {} \;
+
+ # Handle symlinks separately
+ find -L $todo \( -perm -020 -o -perm -002 \) \
+ -exec $WARN group or other writable: {} \;
+
+ find $todo -type l | while read f; do \
+ readlink "$f" | grep -q / && $WARN symlink leaves directory: "$f"; \
+ done; \
+
+ # Check Postfix mail_owner-owned directory tree owner/permissions.
+
+ find $data_directory/. ! -user $mail_owner \
+ -exec $WARN not owned by $mail_owner: {} \;
+
+ find $data_directory/. \( -perm -020 -o -perm -002 \) \
+ -exec $WARN group or other writable: {} \;
+
+ # Check Postfix mail_owner-owned directory tree owner.
+
+ find `ls -d $queue_directory/* | \
+ egrep '/(saved|incoming|active|defer|deferred|bounce|hold|trace|corrupt|public|private|flush)$'` \
+ ! \( -type p -o -type s \) ! -user $mail_owner \
+ -exec $WARN not owned by $mail_owner: {} \;
+
+ # WARNING: this should not descend into the maildrop directory.
+ # maildrop is the least trusted Postfix directory.
+
+ find $queue_directory/maildrop -prune ! -user $mail_owner \
+ -exec $WARN not owned by $mail_owner: $queue_directory/maildrop \;
+
+ # Check Postfix setgid_group-owned directory and file group/permissions.
+
+ todo="$queue_directory/public $queue_directory/maildrop"
+ test -n "$check_shared_files" &&
+ todo="$command_directory/postqueue $command_directory/postdrop $todo"
+
+ find $todo \
+ -prune ! -group $setgid_group \
+ -exec $WARN not owned by group $setgid_group: {} \;
+
+ test -n "$check_shared_files" &&
+ find $command_directory/postqueue $command_directory/postdrop \
+ -prune ! -perm -02111 \
+ -exec $WARN not set-gid or not owner+group+world executable: {} \;
+
+ # Check non-Postfix root-owned directory tree owner/content.
+
+ for dir in bin etc lib sbin usr
+ do
+ test -d $dir && {
+ find $dir ! -user root \
+ -exec $WARN not owned by root: $queue_directory/{} \;
+
+ find $dir -type f -print | while read path
+ do
+ test -f /$path && {
+ cmp -s $path /$path ||
+ $WARN $queue_directory/$path and /$path differ
+ }
+ done
+ }
+ done
+
+ find corrupt -type f -exec $WARN damaged message: {} \;
+
+ # Check for non-Postfix MTA remnants.
+
+ test -n "$check_shared_files" -a -f /usr/sbin/sendmail -a \
+ -f /usr/lib/sendmail && {
+ cmp -s /usr/sbin/sendmail /usr/lib/sendmail || {
+ $WARN /usr/lib/sendmail and /usr/sbin/sendmail differ
+ $WARN Replace one by a symbolic link to the other
+ }
+ }
+ exit 0
+ ;;
+
+set-permissions|upgrade-configuration)
+ $daemon_directory/post-install create-missing "$@"
+ ;;
+
+post-install)
+ # Currently not part of the public interface.
+ shift
+ $daemon_directory/post-install "$@"
+ ;;
+
+tls)
+ shift
+ $daemon_directory/postfix-tls-script "$@"
+ ;;
+
+/*)
+ # Currently not part of the public interface.
+ "$@"
+ ;;
+
+logrotate)
+ case $# in
+ 1) ;;
+ *) $FATAL "usage postfix $1 (no arguments)"; exit 1;;
+ esac
+ for name in maillog_file maillog_file_compressor \
+ maillog_file_rotate_suffix
+ do
+ value="`$command_directory/postconf -h $name`"
+ case "$value" in
+ "") $FATAL "empty '$name' parameter value - logfile rotation failed"
+ exit 1;;
+ esac
+ eval $name='"$value"';
+ done
+
+ case "$maillog_file" in
+ /dev/*) $FATAL "not rotating '$maillog_file'"; exit 1;;
+ esac
+
+ errors=`(
+ suffix="\`date +$maillog_file_rotate_suffix\`" || exit 1
+ mv "$maillog_file" "$maillog_file.$suffix" || exit 1
+ $daemon_directory/master -t 2>/dev/null ||
+ kill -HUP \`sed 1q pid/master.pid\` || exit 1
+ sleep 1
+ "$maillog_file_compressor" "$maillog_file.$suffix" || exit 1
+ ) 2>&1` || {
+ $FATAL "logfile '$maillog_file' rotation failed: $errors"
+ exit 1
+ }
+ ;;
+
+*)
+ $FATAL "unknown command: '$1'. Usage: postfix start (or stop, reload, abort, flush, check, status, set-permissions, upgrade-configuration, logrotate)"
+ exit 1
+ ;;
+
+esac
diff --git a/etc/postfix/virtual b/etc/postfix/virtual
new file mode 100644
index 0000000..96bcbd2
--- /dev/null
+++ b/etc/postfix/virtual
@@ -0,0 +1,3 @@
+postmaster@zntrl.de baloan
+abuse@zntrl.de baloan
+
diff --git a/etc/postfix/virtual.db b/etc/postfix/virtual.db
new file mode 100644
index 0000000..4ee150b
Binary files /dev/null and b/etc/postfix/virtual.db differ
diff --git a/etc/postfix/vmailbox b/etc/postfix/vmailbox
new file mode 100644
index 0000000..b79eb6e
--- /dev/null
+++ b/etc/postfix/vmailbox
@@ -0,0 +1,4 @@
+baloan@zntrl.de notused
+# Comment out the entry below to implement a catch-all.
+# @zntrl.de notused
+
diff --git a/etc/postfix/vmailbox.db b/etc/postfix/vmailbox.db
new file mode 100644
index 0000000..fd501d7
Binary files /dev/null and b/etc/postfix/vmailbox.db differ
diff --git a/kopano.dockerfile b/kopano.dockerfile
new file mode 100644
index 0000000..4ba9980
--- /dev/null
+++ b/kopano.dockerfile
@@ -0,0 +1,18 @@
+# FROM ubuntu:20.04
+FROM tozd/runit:ubuntu-focal
+# declaration section
+ARG MAIL_DOMAIN=zntrl.de
+EXPOSE 80 2003
+# build section
+RUN apt update -y
+RUN DEBIAN_FRONTEND=noninteractive TZ=Europe/Berlin apt-get install -y tzdata
+# kopano
+WORKDIR /root
+COPY dist/core-11.0.2.50.507cbae-Ubuntu_20.04-amd64.tar.gz .
+COPY dist/webapp-6.0.0.57.1049268-Ubuntu_20.04-all.tar.gz .
+COPY deploy-kopano.sh .
+RUN ./deploy-kopano.sh
+# https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#configure-kopano-dagent-for-delivery-via-unix-socket
+# create run scripts in etc/service
+COPY ./etc etc
+# CMD ["/usr/sbin/kopano-server", "-F", "-c", "/etc/kopano/server.cfg"]
\ No newline at end of file
diff --git a/postfix.dockerfile b/postfix.dockerfile
new file mode 100644
index 0000000..6a26c84
--- /dev/null
+++ b/postfix.dockerfile
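Review bot: `COPY ./etc etc` near the end of the kopano.dockerfile hunk copies the tree relative to the preceding `WORKDIR /root`, so the files land in /root/etc rather than /etc; the comment above it says the run scripts belong in etc/service, which the runit base image presumably reads from /etc/service, so this should read `COPY ./etc /etc`. Earlier in the hunk, `RUN apt update -y` sits in its own layer, so the following `apt-get install` can run against a stale package index once that layer is cached; combine them as `RUN apt-get update && DEBIAN_FRONTEND=noninteractive TZ=Europe/Berlin apt-get install -y --no-install-recommends tzdata && rm -rf /var/lib/apt/lists/*`. The two Kopano archives copied into /root remain in the image's layers after `RUN ./deploy-kopano.sh` extracts them; a bind mount (`RUN --mount=type=bind,source=dist,target=/root/dist ...`) or a separate build stage would keep them out of the final image. The base image is referenced by a mutable tag rather than a digest, and no `USER` is set, so everything the run scripts start will run as root unless those scripts drop privileges themselves.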
@@ -0,0 +1,8 @@
+FROM ubuntu:20.04
+# declaration section
+ARG MAIL_DOMAIN=zntrl.de
+EXPOSE 25/tcp 465/tcp 587/tcp
+# build section
+RUN apt update -y
+VOLUME ["/var/lib/postfix"]
+CMD ["postfix"]
\ No newline at end of file
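Review bot: `CMD ["postfix"]` on the last line of the hunk cannot work as written: nothing in this file installs Postfix (the only `RUN` is `apt update -y`, which refreshes the index and installs nothing), and the postfix-script added in the same commit routes an empty subcommand to its `*)` branch, which prints "unknown command" and exits 1, so the container would stop immediately even with the package present. Install the package in the same layer as the index refresh, `RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends postfix && rm -rf /var/lib/apt/lists/*`, and use the foreground mode that script provides, `CMD ["postfix", "start-fg"]`, whose PID-1 path execs master directly so it receives the container's stop signal. The `virtual.db` and `vmailbox.db` binaries committed under etc/postfix in this commit are postmap output and will drift from their text sources; once the maps are copied into this image, regenerate them with `postmap` during the build instead of committing the binaries. `ARG MAIL_DOMAIN=zntrl.de` is declared but never referenced in this file.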