Install script for full install of mailwatch including all dependencies #512

Closed
wants to merge 20 commits into from

Skywalker-11
Member

@Skywalker-11 Skywalker-11 commented Feb 11, 2017

Install script that installs all necessary dependencies and basic configuration of mta, webserver and MailScanner for use with MailWatch.

The current version installs postfix, apache, MailScanner and MailWatch for Debian (tested with Debian 8.7 netinstall) and configures them. Should also work with Ubuntu >= 14.0

TODO:

  • nginx install instead of apache 2.4/2.2
  • sendmail instead of postfix (help needed)
  • exim instead of postfix (help needed)
  • ability to use different paths, users/groups, commands for different os
    • find the needed paths, users/groups, commands for RedHat + tests (help needed)
    • find the needed paths, users/groups, commands for Suse + tests (help needed)
    • find the needed paths, users/groups, commands for CentOS + tests (help needed)
  • (optional) auto detect os
  • (optional) detect old install and perform needed updates while keeping old data
  • test if db exists

…es (apache, mariadb, postfix) on debian. nginx, sendmail, exim and other os still to be done (fixes #453 partly)
@asuweb
Member

asuweb commented Feb 11, 2017

Great work on this @Skywalker-11 - your script looks very similar to mine, but neater :)

If you need / want any help with it let me know.

@stefaweb

Maybe install.sh will be better than setup.sh.

I will send you details and files for exim4 later.

@asuweb
Member

asuweb commented Feb 11, 2017

@Skywalker-11 - my unfinished version is here, there might be bits you want to use. It's nowhere near finished, but it implements checks for existing installs of apache / nginx / php / mysql etc and autodetects the OS.

I'll do any testing of redhat/centos/fedora (and any other OSes that need testing).

https://github.com/asuweb/Mailwatch-1.2.0-asuantispam/blob/install-script/tools/install.sh

@stefaweb

stefaweb commented Feb 11, 2017

Sorry, I made a mistake. Again.

For Exim4 on Debian 8.
Files, hierarchy, rights.

With all this, you just need to do dpkg-reconfigure exim4-config and the Exim config will work.

I also have the default MailScanner config to post and one file missing for Exim4.

@stefaweb

New version with MailScanner file and missing Exim file in /etc/default/exim4.

installv2.zip

@asuweb
Member

asuweb commented Feb 11, 2017

nginx install instead of apache 2.4

Must also support apache 2.2

@Skywalker-11
Member Author

Skywalker-11 commented Feb 11, 2017

@stefaweb can you tell which settings in the mailscanner conf file are necessary for mailscanner install and which are optional?

EDIT: It would be nice if you can tell what configuration changes are needed, especially to get mailscanner to work. The changes that have nothing to do with mailscanner/mailwatch but with getting "default" exim without mailscanner to work shouldn't be part of this configuration process.

@stefaweb

stefaweb commented Feb 11, 2017

@stefaweb can you tell which settings in the mailscanner conf file are necessary for mailscanner install and which are optional?

The basic idea is to not modify anything in MailScanner.conf. For this reason, I inserted in conf.d all the most needed variables. If the user wants to use other variables not included, he can add them afterwards.

I would suggest using all the variables that I placed in conf.d/mailwatch.conf (was server.conf).
Variables are read in order. First, MailScanner reads MailScanner.conf and afterwards the file inside conf.d.

Example: If you set up %org-name% in conf.d/mailwatch.conf but forget to include all the variables which contain %org-name%, you will not initialise them, as they are read earlier in MailScanner.conf.

For exim, when you install it with apt-get (installed by default in Debian), all is fine out of the box. You just have to run dpkg-reconfigure exim4-config to select "direct distribution", give the server name and use split config. That's all. Exim is working.

When this is done, if you copy all the files I placed in install.zip to the right place, the system will work after an exim restart. You just have to place domains and relay host in relay_domains and hubbed_hosts. You should also create output spool and log folders for exim, copy /etc/default/exim4 and apply rights.

@stefaweb

stefaweb commented Feb 11, 2017

Another point.
I would suggest that you do not put everything inside setup.php. Use external "default" files with placeholders to be parsed by setup.sh during install. Easy maintenance.
Look at how Debian does it to build a .deb.
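
The suggestion above (packaged "default" files with placeholders that setup.sh fills in) sketched as an added example; it is not code from this PR or from MailWatch. `render_template`, `escape_sed_replacement`, `render_demo` and the `.in` suffix are hypothetical names, WEBFOLDER and ALLGRANTED are the placeholders the PR's hunks use, and the sample template is constructed.

```sh
#!/bin/sh
# Added example: fill PLACEHOLDER tokens in a packaged "default" file and
# write the result elsewhere, leaving the template itself untouched.

# Escape a value for the replacement side of sed's s|...|...| command.
# Backslash, '&' and the '|' delimiter are special there; an embedded
# newline must be preceded by a backslash, which the second expression adds.
escape_sed_replacement() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g' -e '$!s/$/\\/'
}

# render_template TEMPLATE OUTPUT NAME=value [NAME=value ...]
# The body runs in a subshell, so its variables do not leak into the caller.
render_template() (
    template=$1
    output=$2
    shift 2
    nl='
'
    [ -r "$template" ] || { echo "cannot read template: $template" >&2; return 1; }
    script=
    for pair in "$@"; do
        case $pair in
            *=*) name=${pair%%=*}; value=${pair#*=} ;;
            *) echo "expected NAME=value, got: $pair" >&2; return 1 ;;
        esac
        # Placeholder names are limited to A-Z, 0-9 and _ so they contain
        # nothing that is special in a regular expression.
        case $name in
            ''|*[!A-Z0-9_]*) echo "bad placeholder name: $name" >&2; return 1 ;;
        esac
        # A trailing newline would be lost in the command substitution below.
        case $value in
            *"$nl") echo "value for $name ends with a newline" >&2; return 1 ;;
        esac
        # A missing placeholder usually means the template was already edited
        # in place by an earlier run; fail instead of silently doing nothing.
        grep -q -F -e "$name" "$template" ||
            { echo "placeholder $name not found in $template" >&2; return 1; }
        script="${script}s|${name}|$(escape_sed_replacement "$value")|g
"
    done
    # Render next to the destination, then rename, so a failed run never
    # leaves a half-written config file behind.
    tmp=$(mktemp "${output}.XXXXXX") || return 1
    if sed -e "$script" "$template" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$output"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
)

# Constructed sample: an Apache snippet with the two placeholders, rendered
# with the web folder in $1 and the access directive in $2, then printed.
render_demo() (
    dir=$(mktemp -d) || return 1
    printf '%s\n' '<Directory WEBFOLDER>' '    ALLGRANTED' '</Directory>' \
        > "$dir/mailwatch.conf.in"
    render_template "$dir/mailwatch.conf.in" "$dir/mailwatch.conf" \
        "WEBFOLDER=$1" "ALLGRANTED=$2" && cat "$dir/mailwatch.conf"
    status=$?
    rm -rf "$dir"
    return "$status"
)
```

Substitutions are applied in the order given, so a value that itself contains a later placeholder name would be rewritten by that later substitution.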

@Skywalker-11
Member Author

Good idea @stefaweb I did that

@stefaweb

Sorry, remove exim.crt and exim.key

@stefaweb

stefaweb commented Feb 11, 2017

Another error.

I forgot to "empty"

setup.examples/exim/exim-configs/sender_local_deny_exceptions

Just keep the commented lines.

@stefaweb stefaweb left a comment

How to activate "review" for a file?

chmod 750 /var/spool/exim4/input
chown Debian-exim:Debian-exim /var/spool/exim4/msglog
chmod 750 /var/spool/exim4/msglog
chown Debian-exim:Debian-exim /var/spool/exim4/exim-process.info

Delete exim-process.info, this is not a permanent file.

Member Author

done

chmod 640 /var/spool/exim4_outgoing/db/retry.lockfile
chown Debian-exim:Debian-exim /var/spool/exim4_outgoing/db/wait-remote_smtp
chmod 640 /var/spool/exim4_outgoing/db/wait-remote_smtp
chown Debian-exim:Debian-exim /var/spool/exim4_outgoing/db/wait-remote_smtp.lockfile

Delete all files inside db, they are not permanent files.

Member Author

done

@stefaweb

stefaweb commented Feb 11, 2017

Sorry, I made a mistake when I listed the files.

/var/spool/exim4 exists after deb install. Just check the rights.
Directories in /var/spool/exim4 exist after deb install. Just check the rights.
/var/spool/exim4_outgoing needs to be created and rights applied.
Directories in /var/spool/exim4_outgoing need to be created and rights applied.
db, input and msglog should be empty.
/etc/default/exim4 exists after deb install. You replace it with the new one.

In /var/spool/exim4
drwxr-x--- 2 Debian-exim Debian-exim 4096 janv.  7 12:06 db
drwxr-x--- 2 Debian-exim Debian-exim 4096 févr. 11 07:14 input
drwxr-x--- 2 Debian-exim Debian-exim 4096 févr. 11 07:14 msglog

exim4_outgoing should be created, along with the 3 directories inside, and rights applied.

In /var/spool/exim4_outgoing
drwxr-x--- 2 Debian-exim Debian-exim 4096 févr. 10 09:41 db
drwxr-x--- 2 Debian-exim Debian-exim 4096 févr. 11 07:14 input
drwxr-x--- 2 Debian-exim Debian-exim 4096 févr. 11 07:14 msglog

@stefaweb

stefaweb commented Feb 11, 2017

Verify that in /etc/aliases you have these or install them.

mailer-daemon: postmaster
postmaster: root
hostmaster: root
webmaster: root
www: root
clamav: root
root: myaddress@domain.tld

@stefaweb stefaweb left a comment

new comments

#helo_verify_hosts = !*
#helo_try_verify_hosts = !*
#helo_accept_junk_hosts = !*
#helo_allow_chars = _

Can be removed

+#helo_verify_hosts = !*
+#helo_try_verify_hosts = !*
+#helo_accept_junk_hosts = !*
+#helo_allow_chars = _

too "specialized"
can be dangerous for "novice" user

Member Author

done

chmod -R 644 /etc/exim4
chmod 755 /etc/exim4/conf.d/
chmod 755 /etc/exim4/eximconfig/
chown root:Debian-exim /etc/exim4/exim.key
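Review bot: `chmod -R 644 /etc/exim4` on the first line of this hunk strips the search bit from every directory under /etc/exim4 and also sets exim.key to world-readable. Only conf.d/ and eximconfig/ are put back to 755 here, so subdirectories such as conf.d/main stay at 644 and cannot be entered by non-root users. Set modes by type instead, for example `find /etc/exim4 -type d -exec chmod 755 {} +` and `find /etc/exim4 -type f -exec chmod 644 {} +`, and never let a private key pass through a world-readable mode on the way to its final one.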

+chown root:Debian-exim /etc/exim4/exim.key

remove

Member Author

done

chmod 755 /etc/exim4/conf.d/
chmod 755 /etc/exim4/eximconfig/
chown root:Debian-exim /etc/exim4/exim.key
chmod 640 /etc/exim4/exim.key

+chmod 640 /etc/exim4/exim.key

remove

Member Author

done

#!/bin/bash
# Script to apply adjustments for exim
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

not sure if done somewhere
stop exim before mods

Member Author

done

if [ -z $(grep -r "root: $rootAddress" /etc/aliases) ]; then
read -p "To which mail address shall mails for root user relayed to?: " rootMail
echo "root: $rootMail" >> /etc/aliases
fi
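Review bot: the test `[ -z $(grep -r "root: $rootAddress" /etc/aliases) ]` on the first line is unquoted, so any match expands to several words and `[` exits with a usage error; the branch is then skipped only by accident. It also searches for `$rootAddress`, which nothing in this hunk sets, while the value that is read and written is `rootMail`. Test grep's exit status instead, e.g. `if ! grep -q '^root:' /etc/aliases; then`, and use `read -r` so backslashes in the answer are kept literally.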

I think that exim reconfigure now asks to create root=mymail

I need to check

Yes,

with Debian 8 and dpkg-reconfigure exim4-config

if root=mymail does not exist, reconfigure asks to create one and asks for an email

Member Author

done is removed

#!/bin/bash
# Configuration script for mailwatch with postfix
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

do you stop postfix before?

Member Author

done

mailwatch-postfix.sh
Only this to do in main.cf to have Postfix running "out of box"?

Member Author

yes. only header_checks and file permissions

Member

This will work on RH systems

sed -i -e "s/ALLGRANTED/Order allow,deny\n Allow from all/" "$DIR/etc/apache2/conf-enabled/mailwatch.conf"
fi

sed -i -e "s/WEBFOLDER/$WebFolder/" "$DIR/etc/apache2/conf-enabled/mailwatch.conf"
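Review bot: `s/WEBFOLDER/$WebFolder/` on the last line uses `/` as the sed delimiter while `$WebFolder` is a filesystem path (the prompt in setup.sh defaults it to /var/www/mailscanner/), so the first slash in the value ends the expression and sed aborts. Use a delimiter that cannot appear in the value, e.g. `s|WEBFOLDER|$WebFolder|`, and escape `&`, `\` and the delimiter in the user-supplied value. The edit is also made in place on the copy under `$DIR`, so a second run finds no placeholder left to replace; rendering from an untouched template into the destination avoids that.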

+sed -i -e "s/WEBFOLDER/$WebFolder/" "$DIR/etc/apache2/conf-enabled/mailwatch.conf"
+cp "$DIR/etc/apache2/conf-enabled/mailwatch.conf" /etc/apache2/conf-enabled/mailwatch.conf

For Debian 8 and Apache 2.4

in conf-available

a2enconf mailwatch.conf

Member Author

using ln in case a2enconf is not available

setup.sh Outdated
fi

EndNotice=""
Webuser="www-data"
Member

This should be set when we check for installed web servers or select the web server we want.

Also need to make sure this is passed to the other scripts that currently use "www-data"

Member Author

done

setup.sh Outdated
elif [ $response == 1 ]; then
#Apache
logprint "Installing apache"
$PM install apache2
Member

if [[ $PM == "yum" ]]; then
    $PM install httpd
    Webuser="apache"
else
    $PM install apache2
    Webuser="www-data"
fi

Member Author

done

setup.sh Outdated
logprint "Clearing temp dir"
rm -rf /tmp/mailwatchinstall/*
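Review bot: `rm -rf /tmp/mailwatchinstall/*` works in a fixed, predictable directory under the world-writable /tmp, so its ownership and contents are not under the installer's control when it is reused. Create a private directory with `mktemp -d`, keep its path in a variable for the download and unpack steps, and remove that directory in a `trap ... EXIT` handler.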


Member

Need to check that wget is installed before we call it below

if ! ( type "wget" > /dev/null 2>&1 ) ; then
    $PM install wget
fi

Member Author

done

setup.sh Outdated
#Nginx
logprint "Installing nginx"
$PM install nginx
WebServer="nginx"
Member

need Webuser as above

Member Author

done

# Use specific "local" routine:
# conf.d/main/000_localmacros
# conf.d/main/01_mailscanner_config
# conf.d/acl/30_exim4-config_check_callback_relay

@stefaweb stefaweb Feb 12, 2017

# conf.d/acl/30_exim4-config_check_callback_relay

replace by

# acl_check_recipient_relay

#smtp_accept_max = 100
#smtp_accept_reserve = 15
#queue_run_max = 6
#deliver_queue_load_max

@stefaweb stefaweb Feb 12, 2017

#smtp_load_reserve = 5
#deliver_queue_load_max = 10

setup.sh Outdated
##ask directory for web files
read -p "In what location should MailWatch be installed?[/var/www/mailscanner/]:" WebFolder
if [ -z $WebFolder ]; then
WebFolder="/var/www/mailscanner/"
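Review bot: `[ -z $WebFolder ]` is unquoted, so an answer containing a space makes `[` fail with an error instead of testing the value, and `read` without `-r` mangles backslashes. Quote it (`[ -z "$WebFolder" ]`) or use a default expansion such as `WebFolder=${WebFolder:-/var/www/mailscanner/}`, and check that the answer is an absolute path before it reaches the later sed and mv calls.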

  • WebFolder="/var/www/html/mailscanner/"

Member Author

done

# Exim deamon listening port
daemon_smtp_ports = 25 : 587

# Activate TLS/SSL configuration for exim as an SMTP server

Add # exim.crt and exim.key files needed before activating the feature.

@@ -0,0 +1,5 @@
# Domain routing list for relayed domain names (domains/relay) - Mail sent
# to these domains will be routed via the specified mail server(s).
#

@stefaweb stefaweb Feb 12, 2017

+#

remove

Member Author

done

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
Webuser="$1"

/etc/init.d/exim4 stop

@stefaweb stefaweb Feb 12, 2017

Or better.

service exim4 stop
service exim4 start

Member Author

does the service binary exist for suse/redhat/centos/fedora?

Not 100% sure, but more "independent" from the type of init system installed.

  • service may run scripts from either upstart, System V or systemd.
  • selects automatically between System V, upstart or systemd
  • service runs scripts in a predictable environment

Member Author

@asuweb does this apply for redhat etc?


# Various Debian's variables
MAIN_TIMEOUT_FROZEN_AFTER = 2d
MAIN_FREEZE_TELL =

@stefaweb stefaweb Feb 12, 2017

MAIN_FREEZE_TELL = postmaster

@stefaweb

stefaweb commented Feb 12, 2017

Hello!

In my opinion, a working mailwatch setup needs a complete working mta install too.

If you don't do this, the support will be very high. I prefer to think of setup.sh as being for a "standard" user first, not for a power user with special needs or the knowledge to install all this stuff manually. If you look on Google for mailscanner/mailwatch, 80% of support is about the mta part in fact.

Except for the use of razor and pyzor, the other points I posted are, for me, needed and respect default packaged binary configs and guidelines. No problem to forget these points.

But this "detect old install and perform needed updates while keeping old data" is really needed for dedicated power user install or for upgrade from previous version.

This is only my personal opinion too. ;)

CHECK_RCPT_VERIFY_SENDER = true
CHECK_RCPT_LOCAL_LOCALPARTS = true
CHECK_RCPT_REMOTE_LOCALPARTS = true
#CHECK_RCPT_VERIFY_SENDER = true

+#CHECK_RCPT_VERIFY_SENDER = true

double

@shawniverson
Member

I'm going to echo @asuweb here. Be careful trying to be everything for everybody. Although you may be trying to help out those who don't necessarily know how to configure their systems, you are probably going to set yourself up for a support nightmare of your own when you realize just how much you are trying to tackle. What you are doing is a similar thing that I do just on CentOS, and I can tell you that trying to expand what I do to multiple distros and MTA combinations would be a mountainous task.

@@ -0,0 +1,82 @@
# General config for MailScanner Gateway

@stefaweb stefaweb Feb 12, 2017

Error, the file should be in /etc/exim4/conf.d/main/

EDIT:

New version for conf.d/main/00_mailscanner_listmacrosdefs
I reduced options to the minimum and added some comments.

# General Exim config for MailScanner Gateway
# conf.d/main/00_mailscanner_listmacrosdefs

# Use these specific config files:
# conf.d/main/01_mailscanner_config
# mailscanner_acldefs

# If you have your own Exim setup remove this file
# and mailscanner_acldefs

# Exim daemon listening port
daemon_smtp_ports = 25 : 587

# Activate TLS/SSL configuration for Exim 
# exim.crt and exim.key files needed before activating the feature
#MAIN_TLS_ENABLE = Yes

# Do a reverse DNS lookup on all incoming IP calls
MAIN_HOST_LOOKUP = Yes

# Access list of domains to relay
# Domains to route are in /etc/exim4/hubbed_hosts 
MAIN_RELAY_TO_DOMAINS = /etc/exim4/relay_domains

# Link to specific ACLs
CHECK_RCPT_LOCAL_ACL_FILE = CONFDIR/mailscanner_acldefs

# To activate sender callback on remote host (mailhub)
# Useful to avoid bad bounce (do verify at SMTP time)
#RECIPIENT_VERIFY_CALLBACK_RELAY = true

# Deny if the sender host does not have valid reverse DNS.
#CHECK_RCPT_REVERSE_DNS_DENY = true

# Various Debian's ACL check
CHECK_MAIL_HELO_ISSUED = true
CHECK_RCPT_VERIFY_SENDER = true
CHECK_RCPT_LOCAL_LOCALPARTS = true
CHECK_RCPT_REMOTE_LOCALPARTS = true

# Various Debian's variables
MAIN_TIMEOUT_FROZEN_AFTER = 2d
MAIN_FREEZE_TELL = postmaster
MESSAGE_SIZE_LIMIT = 50M
MAIN_IGNORE_BOUNCE_ERRORS_AFTER = 3h

# Various Exim variables
rfc1413_hosts = *
rfc1413_query_timeout = 0s
smtp_banner = $smtp_active_hostname ESMTP $tod_full

# To activate logging
MAIN_LOG_SELECTOR = +address_rewrite \
+all_parents \
-arguments \
+connection_reject \
+delay_delivery \
+delivery_size \
+dnslist_defer \
+incoming_interface \
+incoming_port \
+lost_incoming_connection \
+queue_run \
+received_sender \
+received_recipients \
-retry_defer \
+sender_on_delivery \
+size_reject \
-skip_delivery \
+smtp_confirmation \
+smtp_connection \
+smtp_protocol_error \
+subject \
+tls_cipher \
+tls_peerdn

Member Author

done

@@ -0,0 +1,12 @@
# Config for MailScanner Gateway

@stefaweb stefaweb Feb 12, 2017

Changed the filename from acl_check_recipient_relay to mailscanner_acldefs

EDIT:
Updated content.

# Config for MailScanner Gateway
# /etc/exim4/mailscanner_acldefs
# Use with CHECK_RCPT_LOCAL_ACL_FILE = CONFDIR/mailscanner_acldefs

# To activate sender callback on remote host (mailhub) at SMTP time
# Useful to avoid bad bounce (do verify at SMTP time)
.ifdef RECIPIENT_VERIFY_CALLBACK_RELAY
# Recipient verification for relay domains with callback
deny    !acl           = acl_local_deny_exceptions
        log_message    = 550 Unknown user ${local_part}@${domain} (Recipient relay callback verification failed)
        message        = 550 Unknown user
      ! verify         = recipient/defer_ok/callout=10s,defer_ok
.endif

# Deny if the sender host does not have valid reverse DNS.
#
# If your system can do DNS lookups without delay or cost, you might want
# to enable this.
# If sender_host_address is defined, it's a remote call.  If
# sender_host_name is not defined, then reverse lookup failed.  Use
# this instead of !verify = reverse_host_lookup to catch deferrals
# as well as outright failures.
.ifdef CHECK_RCPT_REVERSE_DNS_DENY
deny
  condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
                    {yes}{no}}
  add_header = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
.endif

Member Author

done

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
Webuser="$1"

/etc/init.d/exim4 stop

Not 100% sure, but more "independent" from the type of init system installed.

  • service may run scripts from either upstart, System V or systemd.
  • selects automatically between System V, upstart or systemd
  • service runs scripts in a predictable environment

@stefaweb

stefaweb commented Feb 12, 2017

@shawniverson

I agree. It is difficult and painful to support all distributions. Starting with Debian - Ubuntu / RedHat - CentOS will be enough.

http://distrowatch.com/dwres.php?resource=popularity

/etc/init.d/exim4 stop

cp -f "$DIR/etc/default/exim4" /etc/default/exim4
cp -R "$DIR"/etc/exim4/* /etc/exim4/

@stefaweb stefaweb Feb 12, 2017

Remove cp -R "$DIR"/etc/exim4/* /etc/exim4/

Should be:

cp  -f "$DIR"/etc/exim4/mailscanner_acldefs /etc/exim4/.
cp  -f "$DIR"/etc/exim4/hubbed_hosts /etc/exim4/.
cp  -f "$DIR"/etc/exim4/relay_domains /etc/exim4/.
cp  -f "$DIR"/etc/exim4/conf.d/main/00_mailscanner_listmacrosdefs /etc/exim4/conf.d/main/.
cp  -f "$DIR"/etc/exim4/conf.d/main/01_mailscanner_config /etc/exim4/conf.d/main/.

And to simplify again, remove all these non-essential files:

host_local_deny_exceptions
local_host_blacklist
local_rcpt_callout
local_sender_blacklist
local_sender_callout
sender_local_deny_exceptions

Should be over now.

Member Author

done

chown -R root:root /etc/exim4
chmod -R 644 /etc/exim4
chmod 755 /etc/exim4/conf.d/
chmod 755 /etc/exim4/eximconfig/

Delete chmod 755 /etc/exim4/eximconfig/

Member Author

done

setup.sh Outdated
cp "$InstallFilesFolder"/MailScanner_perl_scripts/* /etc/MailScanner/custom/

logprint "Restart mailscanner service"
/etc/init.d/mailscanner restart

Add before restart:

check if run_mailscanner=1 in /etc/MailScanner/defaults, if not add it

Member Author

If mailscanner is installed by the script, at the end the user gets a message that he has to configure the needed settings in mailscanner.conf and the defaults file. And because the user should at least look at the mailscanner configuration, he should set this himself, I think.

ok, I understand.

@@ -0,0 +1,29 @@
# Example config for exim /etc/MailScanner/conf.d/mailwatch.conf

%org-name% and all occurrences missing.

In fact, I'm wrong to try to put "personal" information in /etc/MailScanner/conf.d/mailwatch.conf.

We just need to have in mailwatch.conf the essential values needed by MailWatch and tell the user to define another file such as /etc/MailScanner/conf.d/server.conf where he will put his own personal information.

If we do this, maybe this is not needed in mailwatch.conf:

Max Unscanned Messages Per Scan = 50
Max Unsafe Messages Per Scan = 50
Max Normal Queue Size = 2000
Deliver Unparsable TNEF = yes
Find UU-Encoded Files = yes
Max Children = 10

To check.

I tried to split into 2 files in conf.d. Works fine.

Member Author

@Skywalker-11 Skywalker-11 Feb 13, 2017

done

Clean up to be as postfix version (same variable order).

# Example config for Exim  /etc/MailScanner/conf.d/mailwatch.conf

Run As User = Debian-exim
Run As Group = Debian-exim

MTA = exim
Incoming Work User = Debian-exim
Incoming Work Group = mtagroup
Incoming Work Permissions = 0660

Detailed Spam Report = yes
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no
Include Scores In SpamAssassin Report = yes
Quarantine User = Debian-exim
Quarantine Group = mtagroup
Quarantine Permissions = 0644

Always Looked Up Last = &MailWatchLogging
Is Definitely Not Spam = &SQLWhitelist
Is Definitely Spam = &SQLBlacklist

Incoming Queue Dir = /var/spool/exim4/input
Outgoing Queue Dir = /var/spool/exim4_outgoing/input

Sendmail = /usr/sbin/exim4
Sendmail2 = /usr/sbin/exim4 -DOUTGOING

SpamAssassin Local State Dir = /var/lib/spamassassin

Member Author

done

@@ -0,0 +1,5 @@
# Example config for apache /etc/apache2/conf-enabled/mailwatch.conf
Member

The path for RH based systems is:

/etc/httpd/conf.d/

apacheBin="httpd"
fi
if [ -z $("$apacheBin" -v | grep "Apache/2.4") ]
sed -i -e "s/ALLGRANTED/Require all granted/" "$DIR/etc/apache2/conf-available/mailwatch.conf"
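Review bot: the `if` on the third line has no `then` before the sed line, and its sense is inverted: `-z` is true when the version output does not contain "Apache/2.4", yet this branch writes the 2.4 directive `Require all granted`. The unquoted `$(...)` also expands to several words when grep matches, which makes `[` exit with an error. Test grep's status directly, e.g. `if "$apacheBin" -v | grep -q "Apache/2.4"; then`.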
Member

need to pass OS specific directories (/etc/httpd/conf.d/ for RH based systems)

sed -i -e "s/ALLGRANTED/Order allow,deny\n Allow from all/" "$DIR/etc/apache2/conf-available/mailwatch.conf"
fi
# a2enconf mailwatch.conf
ln -r -s /etc/apache2/conf-enabled/mailwatch.conf /etc/apache2/conf-available/mailwatch.conf
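Review bot: the arguments to `ln -r -s` on the last line are reversed: ln takes the target first and the link name second, so this creates conf-available/mailwatch.conf pointing at a file in conf-enabled. The sed lines in this hunk edit the copy under `$DIR`, and nothing here installs it into /etc/apache2/conf-available, so the link would dangle. Copy the rendered file to /etc/apache2/conf-available/mailwatch.conf first, then link it from conf-enabled (or call a2enconf when it is present).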
Member

No symbolic links required for RH

sed -i -e "s/WEBFOLDER/$WebFolder/" "$DIR/etc/apache2/conf-enabled/mailwatch.conf"
cp "$DIR/etc/apache2/conf-enabled/mailwatch.conf" /etc/apache2/conf-enabled/mailwatch.conf

a2enmod ssl
Member

Debian specific, no "a2" commands on RH

cp "$DIR/etc/apache2/conf-enabled/mailwatch.conf" /etc/apache2/conf-enabled/mailwatch.conf

a2enmod ssl
service apache2 reload
Member

service httpd reload for RH

@@ -0,0 +1,16 @@
# Config for MailScanner Gateway
Member

No conf.d on RH for exim

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
Webuser="$1"

service exim4 stop
Member

service exim stop for RH

Member

Probably better if this is separated as not compatible with RH - probably better to use separate exim setup script for RH if we decide we want it.

> Probably better if this is separated as not compatible with RH - probably better to use separate exim setup script for RH if we decide we want it.

Not only for exim, for all. rpm and deb distributions are too different.

#!/bin/bash
# Configuration script for mailwatch with postfix
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

Member

This will work on RH systems

#copy web files
logprint "Moving MailWatch web files to new folder and setting permissions"
mv "$InstallFilesFolder/mailscanner/" $WebFolder
chown root:mtagroup $WebFolder/images
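Review bot: `$WebFolder` is unquoted in both the mv and the chown line, so a path containing spaces or glob characters is split or expanded before the commands see it; quote it as `"$WebFolder"` and `"$WebFolder/images"`. Also, if `$WebFolder` already exists as a directory, mv places mailscanner/ inside it and the chown on `$WebFolder/images` then targets a path that is not there, so test for an existing directory first.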
Member

need to check that mtagroup exists before we run the chown - it exists by default in centos 7.

Doesn't appear to exist by default in debian 8, centos 6, Ubuntu 14.04 / 16.04

Member Author

Will be created if not existent, but I think mailscanner setup would do this too

Member

Yes, you are correct, mailscanner install creates the group :)

fi
fi

read -p "MailWatch requires the php packages php5 php5-gd and php5-mysqlnd. Do you want to install them if missing?(y/n)[y]: " installPhp
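Review bot: the `read -p` call should use `-r` so backslashes in the answer are not interpreted, and since the prompt advertises `[y]` as the default, the code that consumes `installPhp` needs to treat an empty answer as yes; that handling is not visible in this hunk.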
Member

Should probably check if PHP is already installed, and what version.

On debian based systems the below will install php5 regardless of any other versions of php.

On RH systems, only 1 version of PHP can be installed by yum - and packages are defined as php, php-gd etc.; default version is v5.

@stefaweb

stefaweb commented Feb 13, 2017

If useful, I propose some ideas for the hierarchy and scripts for rpm and deb based distributions. May be complex but can manage all cases. It's modular and easy to maintain.

Bash script can be called like this (example with exim):

exim.sh (--help, without param do nothing)
exim.sh --create (first clean install)
exim.sh --upgrade (existing install)

We can add more -- parameters as --db, --webroot, --debian, --ubuntu, and others.

We have a branch/directory only when we have a "template" to place inside it.

mailwatch/
├── setup
│   ├── deb
│   │   ├── apache.sh
│   │   ├── apache2
│   │   │   └── conf-available
│   │   │       └── mailwatch.conf
│   │   ├── cron_crontab.sh
│   │   ├── exim
│   │   │   └── etc
│   │   │       ├── default
│   │   │       │   └── exim
│   │   │       └── exim
│   │   │           ├── conf.d
│   │   │           │   └── main
│   │   │           │       ├── 00_mailscanner_listmacrosdefs
│   │   │           │       └── 01_mailscanner_config
│   │   │           ├── hubbed_hosts
│   │   │           ├── mailscanner_acldefs
│   │   │           └── relay_domains
│   │   ├── exim.sh
│   │   ├── mailscanner
│   │   │   └── etc
│   │   │       └── MailScanner
│   │   │           └── conf.d
│   │   │               └── mailwatch.conf
│   │   ├── mailscanner.sh
│   │   ├── postfix
│   │   │   └── etc
│   │   │       └── postfix
│   │   │           └── header_checks
│   │   └── postfix.sh
│   └── rpm
│       ├── apache
│       │   └── conf.d
│       │       └── mailwatch.conf
│       ├── apache.sh
│       ├── cron_crontab.sh
│       ├── exim
│       │   └── etc
│       │       └── exim
│       │           └── ?
│       ├── exim.sh
│       ├── mailscanner
│       │   └── etc
│       │       └── MailScanner
│       │           └── conf.d
│       │               └── mailwatch.conf
│       ├── mailscanner.sh
│       └── postfix
│           └── etc
│               └── postfix
│                   └── header_checks
└── setup.sh

mailwatchV2.zip

And other branches if some are missing.

If you like, I can complete with the "template" files inside the directories.

@Skywalker-11
Member Author

@stefaweb the downside on that is that large parts are equal on deb and rpm and when doing maintenance you always have to check two files if both need the changes

@stefaweb

@Skywalker-11

No problem. I propose. ;)

And you have a tree for free!

@stefaweb

Seems @endelwar is back!

@endelwar
Member

endelwar commented Feb 13, 2017

Good work guys!
I've created a new repository https://github.com/mailwatch/mailwatch-install-script where you can work on this.
I prefer to keep this work separated from MailWatch code. Also look out for @shawniverson's advice; he is maintaining E.F.A. (https://efa-project.org/) and knows A LOT about this kind of automatic setup.

@stefaweb

Is it possible to have a "debug simulation" feature?

We see "action", but nothing is done...
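
The Debian/RH differences raised in the review comments above (Apache config directory, service names, the Debian-only a2* helpers, the mtagroup check) and the "debug simulation" mode requested here, as an added example that is not part of the PR or the project's scripts. The function names and the DRY_RUN variable are assumptions, and it assumes the host provides /etc/os-release.

```bash
# Print deb, rpm or unknown for an os-release style file.
detect_family() {
    os_file="${1:-/etc/os-release}"
    [ -r "$os_file" ] || { echo unknown; return 1; }
    # Read ID and ID_LIKE with sed; sourcing the file would execute its content.
    os_ids="$(sed -n -e 's/^ID=//p' -e 's/^ID_LIKE=//p' "$os_file" | tr -d '"' | tr '\n' ' ')"
    case " $os_ids" in
        *" debian "*|*" ubuntu "*) echo deb ;;
        *" rhel "*|*" centos "*|*" fedora "*) echo rpm ;;
        *) echo unknown; return 1 ;;
    esac
}

# Per-family values quoted in the review comments: confdir, apache, exim.
family_value() {
    case "$1:$2" in
        deb:confdir) echo /etc/apache2/conf-available ;;
        rpm:confdir) echo /etc/httpd/conf.d ;;
        deb:apache)  echo apache2 ;;
        rpm:apache)  echo httpd ;;
        deb:exim)    echo exim4 ;;
        rpm:exim)    echo exim ;;
        *) return 1 ;;
    esac
}

# "Debug simulation": with DRY_RUN=1 print the action instead of running it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "DRY-RUN: $*"; else "$@"; fi
}

# Enable SSL and reload Apache; the a2* helpers exist only on Debian.
reload_apache() {
    if [ "$1" = "deb" ]; then run a2enmod ssl; fi
    run service "$(family_value "$1" apache)" reload
}

# chown to a group only when that group exists on this host.
chown_if_group() {
    getent group "$1" >/dev/null 2>&1 || { echo "group $1 missing" >&2; return 1; }
    run chown "root:$1" "$2"
}

# Constructed sample input (not from a real host), run in dry-run mode.
sample="$(mktemp)"
printf 'ID="centos"\nID_LIKE="rhel fedora"\n' > "$sample"
DRY_RUN=1
reload_apache "$(detect_family "$sample")"
rm -f "$sample"
```
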

@asuweb
Member

asuweb commented Feb 14, 2017

@Skywalker-11 - can you push this branch to the new install repo please?

@Skywalker-11
Member Author

pr is now in that develop branch

@Skywalker-11
Member Author

Skywalker-11 commented Feb 14, 2017

@endelwar is it on purpose that we have GPL-3 in that new repo and GPL-2 here?

@Skywalker-11 Skywalker-11 deleted the feature/installScript branch March 18, 2017 11:52