From c518fb042889a1e81331405237bd5bdd52f9708c Mon Sep 17 00:00:00 2001
From: mqr10 <unknown@example.com>
Date: Sat, 4 Jul 2020 16:14:30 +0200
Subject: force minimum TLS1.2 connections, disable weak ciphersuites

---
 emailwiz.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'emailwiz.sh')

diff --git a/emailwiz.sh b/emailwiz.sh
index a4750e4..725dfab 100755
--- a/emailwiz.sh
+++ b/emailwiz.sh
@@ -65,6 +65,14 @@ postconf -e "smtpd_tls_auth_only = yes"
 postconf -e "smtp_tls_security_level = may"
 postconf -e "smtp_tls_loglevel = 1"
 postconf -e "smtp_tls_CAfile=$certdir/cert.pem"
+postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
+postconf -e "tls_preempt_cipherlist = yes"
+postconf -e "smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
+                            DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,
+                            RSA+AES, eNULL"
 
 # Here we tell Postfix to look to Dovecot for authenticating users/passwords.
 # Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
@@ -126,6 +134,9 @@ echo "# Dovecot config
 ssl = required
 ssl_cert = <$certdir/fullchain.pem
 ssl_key = <$certdir/privkey.pem
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH
+ssl_prefer_server_ciphers = yes
 # Plaintext login. This is safe and easy thanks to SSL.
 auth_mechanisms = plain login
 
-- 
cgit v1.2.3-70-g09d2


From 30fd2d5d8d71825fb1bbbe4fc9ca01aebcd0f093 Mon Sep 17 00:00:00 2001
From: Darnell Andries <darnell@andries.ca>
Date: Tue, 21 Jul 2020 14:23:38 -0700
Subject: Fixes for custom subdomain names

---
 emailwiz.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'emailwiz.sh')

diff --git a/emailwiz.sh b/emailwiz.sh
index af3ff66..f05d8ef 100755
--- a/emailwiz.sh
+++ b/emailwiz.sh
@@ -38,7 +38,7 @@ apt install postfix dovecot-imapd dovecot-sieve opendkim spamassassin spamc
 # Check if OpenDKIM is installed and install it if not.
 which opendkim-genkey >/dev/null 2>&1 || apt install opendkim-tools
 domain="$(cat /etc/mailname)"
-subdom="mail"
+subdom=${MAIL_SUBDOM:-mail}
 maildomain="$subdom.$domain"
 certdir="/etc/letsencrypt/live/$maildomain"
 
@@ -232,7 +232,7 @@ chmod g+r /etc/postfix/dkim/*
 # Generate the OpenDKIM info:
 echo "Configuring OpenDKIM..."
 grep -q "$domain" /etc/postfix/dkim/keytable 2>/dev/null ||
-echo "$subdom._domainkey.$domain $domain:mail:/etc/postfix/dkim/mail.private" >> /etc/postfix/dkim/keytable
+echo "$subdom._domainkey.$domain $domain:$subdom:/etc/postfix/dkim/$subdom.private" >> /etc/postfix/dkim/keytable
 
 grep -q "$domain" /etc/postfix/dkim/signingtable 2>/dev/null ||
 echo "*@$domain $subdom._domainkey.$domain" >> /etc/postfix/dkim/signingtable
@@ -272,7 +272,7 @@ for x in dovecot postfix opendkim spamassassin; do
 	service "$x" restart && printf " ...done\\n"
 done
 
-pval="$(tr -d "\n" </etc/postfix/dkim/mail.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o "p=.*")"
+pval="$(tr -d "\n" </etc/postfix/dkim/$subdom.txt | sed "s/k=rsa.* \"p=/k=rsa; p=/;s/\"\s*\"//;s/\"\s*).*//" | grep -o "p=.*")"
 dkimentry="$subdom._domainkey.$domain	TXT	v=DKIM1; k=rsa; $pval"
 dmarcentry="_dmarc.$domain	TXT	v=DMARC1; p=none; rua=mailto:dmarc@$domain; fo=1"
 spfentry="@	TXT	v=spf1 mx a:$maildomain -all"
-- 
cgit v1.2.3-70-g09d2