
Zhang Huangbin committed b30a531

Improve OpenBSD support:
* Enable pf, spamd, spamlogd, spamd-setup by default.
* Ship a basic PF rule set.


Files changed (11)

iRedMail/ChangeLog

 iRedMail-0.8.0-beta4:
-    * Add new value of enabledService: doveadm. Required by command doveadm
-      provided by Dovecot-2.
+    * Add new value of enabledService: doveadm. Required by Dovecot-2.0
+      service doveadm.
     * All clients are forced to use IMAPS and POPS (via STARTTLS).
+      To enable POP3/IMAPS without STARTTLS again, set disable_plaintext_auth
+      to 'no' in dovecot.conf.
     * Drop support for Dovecot-1.1. At least Dovecot-1.2 is required.
     * Fixed:
         + DEBUG=NO in conf/global breaks postfix installation on FreeBSD.

iRedMail/conf/global

 # Logrotate configuration directory.
 export LOGROTATE_DIR='/etc/logrotate.d'
 
-# Kernel name.
-export KERNEL_NAME="$(uname -s)"
+# Kernel name, in upper cases.
+export KERNEL_NAME="$(uname -s | tr '[a-z]' '[A-Z]')"
 
 # Hostname.
-if [ X"${KERNEL_NAME}" == X'OpenBSD' ]; then
+if [ X"${KERNEL_NAME}" == X'OPENBSD' ]; then
     export HOSTNAME="$(hostname)"
     export RANDOM_STRING='eval echo $RANDOM | md5'
 else
 #
 # UNSUPPORTED_RELEASE will be set to 'YES' if current Linux/BSD release is
 # an old release and unsupported anymore.
-if [ X"${KERNEL_NAME}" == X"Linux" ]; then
+if [ X"${KERNEL_NAME}" == X"LINUX" ]; then
     # Directory of RC scripts.
     export DIR_RC_SCRIPTS='/etc/init.d'
 
     else
         export UNSUPPORTED_RELEASE='YES'
     fi
-elif [ X"${KERNEL_NAME}" == X"FreeBSD" ]; then
+elif [ X"${KERNEL_NAME}" == X"FREEBSD" ]; then
     export DISTRO='FREEBSD'
     export DISTRO_VERSION="$(uname -r |awk -F'-' '{print $1}')"
 
     if echo "${DISTRO_VERSION}" | grep '^7' &>/dev/null ; then
         export UNSUPPORTED_RELEASE='YES'
     fi
-elif [ X"${KERNEL_NAME}" == X'OpenBSD' ]; then
+elif [ X"${KERNEL_NAME}" == X'OPENBSD' ]; then
     export DISTRO='OPENBSD'
     export DISTRO_VERSION="$(uname -r)"
 
     export CRON_SPOOL_DIR='/var/cron/tabs'
 
     # PF rule file.
-    export IPTABLES_CONFIG="/etc/pf.rules"
+    export IPTABLES_CONFIG="/etc/pf.conf"
 
     # Directory used to store SSL/TLS key/cert file.
     export SSL_FILE_DIR="/etc/ssl"
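Review bot: The uppercasing on L35 uses `tr '[a-z]' '[A-Z]'`, and bracket ranges in tr are locale-dependent, so under a non-C locale the result may not be the ASCII uppercase the literals on L39, L47, L55 and L63 expect; a mismatch falls through every branch and leaves DISTRO unset rather than failing loudly. The POSIX classes are locale-safe here: `export KERNEL_NAME="$(uname -s | tr '[:lower:]' '[:upper:]')"`. Since the whole distro detection now hinges on this one value, it would also be worth ending the if/elif chain (which runs past this hunk) with an `else` that sets UNSUPPORTED_RELEASE='YES' or aborts, so an unrecognised kernel string cannot silently proceed.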

iRedMail/conf/policy_server

 elif [ X"${DISTRO}" == X'OPENBSD' ]; then
     export USE_CLUEBRINGER='NO'
     export USE_POLICYD='NO'
+    export USE_SPAMD='YES'
 fi
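Review bot: USE_SPAMD is assigned only in the OpenBSD branch on L81, so on every other platform it is simply unset; the consumer in policy_server.sh tests `X"${USE_SPAMD}" == X'YES'`, which tolerates that, but the other two flags in this branch are set explicitly to 'NO' and USE_SPAMD should follow the same convention. Adding `export USE_SPAMD='NO'` as a default before the if/elif chain (whose start is outside this hunk) documents that spamd is OpenBSD-only and keeps the variable defined everywhere.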
 
 if [ X"${USE_POLICYD}" == X'YES' ]; then

iRedMail/functions/cleanup.sh

         # No port number defined, use default (22).
         export sshd_port='22'
     else
-        # Replace port number in iptable and Fail2ban.
-        perl -pi -e 's#(.*multiport.*,)22 (.*)#${1}$ENV{sshd_port} ${2}#' ${SAMPLE_DIR}/iptables.rules
+        # Replace port number in iptable, pf and Fail2ban.
+        perl -pi -e 's#(.*,)22(.*)#${1}$ENV{sshd_port} ${2}#' ${SAMPLE_DIR}/iptables.rules ${SAMPLE_DIR}/pf.conf
+
         [ -f ${FAIL2BAN_JAIL_LOCAL_CONF} ] && \
             perl -pi -e 's#(.*port=.*)ssh(.*)#${1}$ENV{sshd_port}${2}#' ${FAIL2BAN_JAIL_LOCAL_CONF}
     fi
 
-    ECHO_QUESTION "Would you like to use firewall rules shipped within iRedMail now?"
+    ECHO_QUESTION "Would you like to use firewall rules provided by iRedMail now?"
     ECHO_QUESTION -n "File: ${IPTABLES_CONFIG}, with SSHD port: ${sshd_port}. [Y|n]"
     read_setting ${AUTO_CLEANUP_REPLACE_IPTABLES_RULE}
     case $ANSWER in
         N|n ) ECHO_INFO "Skip firewall rules." ;;
         Y|y|* ) 
-            if [ X"${DISTRO}" != X"SUSE" ]; then
+            backup_file ${IPTABLES_CONFIG}
+            if [ X"${KERNEL_NAME}" == X'LINUX' ]; then
+                if [ X"${DISTRO}" != X"SUSE" ]; then
+                    ECHO_INFO "Copy firewall sample rules: ${IPTABLES_CONFIG}."
+                    cp -f ${SAMPLE_DIR}/iptables.rules ${IPTABLES_CONFIG}
+
+                    # Replace HTTP port.
+                    [ X"${HTTPD_PORT}" != X"80" ]&& \
+                        perl -pi -e 's#(.*)80(,.*)#${1}$ENV{HTTPD_PORT}${2}#' ${IPTABLES_CONFIG}
+                fi
+
+                if [ X"${DISTRO}" == X"SUSE" ]; then
+                    # Below services are not accessable from external network:
+                    #   - ldaps (636)
+                    perl -pi -e 's/^(FW_SERVICES_EXT_TCP=)(.*)/${1}"$ENV{'HTTPD_PORT'} 443 25 110 995 143 993 587 465 $ENV{'sshd_port'}"\n#${2}/' ${IPTABLES_CONFIG}
+
+                elif [ X"${DISTRO}" == X"DEBIAN" -o X"${DISTRO}" == X"UBUNTU" ]; then
+                    # Copy sample rc script for Debian.
+                    cp -f ${SAMPLE_DIR}/iptables.init.debian ${DIR_RC_SCRIPTS}/iptables
+                    chmod +x ${DIR_RC_SCRIPTS}/iptables
+
+                    eval ${enable_service} iptables >/dev/null
+
+                else
+                    eval ${enable_service} iptables >/dev/null
+                fi
+            elif [ X"${KERNEL_NAME}" == X'OPENBSD' ]; then
                 ECHO_INFO "Copy firewall sample rules: ${IPTABLES_CONFIG}."
-                backup_file ${IPTABLES_CONFIG}
-                cp -f ${SAMPLE_DIR}/iptables.rules ${IPTABLES_CONFIG}
-
-                # Replace HTTP port.
-                [ X"${HTTPD_PORT}" != X"80" ]&& \
-                    perl -pi -e 's#(.*)80(,.*)#${1}$ENV{HTTPD_PORT}${2}#' ${IPTABLES_CONFIG}
-            fi
-
-            if [ X"${DISTRO}" == X"SUSE" ]; then
-                # Below services are not accessable from external network:
-                #   - ldaps (636)
-                perl -pi -e 's/^(FW_SERVICES_EXT_TCP=)(.*)/${1}"$ENV{'HTTPD_PORT'} 443 25 110 995 143 993 587 465 $ENV{'sshd_port'}"\n#${2}/' ${IPTABLES_CONFIG}
-
-            elif [ X"${DISTRO}" == X"DEBIAN" -o X"${DISTRO}" == X"UBUNTU" ]; then
-                # Copy sample rc script for Debian.
-                cp -f ${SAMPLE_DIR}/iptables.init.debian ${DIR_RC_SCRIPTS}/iptables
-                chmod +x ${DIR_RC_SCRIPTS}/iptables
-
-                eval ${enable_service} iptables >/dev/null
-
-            else
-                eval ${enable_service} iptables >/dev/null
+                cp -f ${SAMPLE_DIR}/pf.conf ${IPTABLES_CONFIG}
             fi
 
             # Prompt to restart iptables.
                     ECHO_INFO "Restarting firewall ..."
 
                     # openSUSE will use /etc/init.d/{SuSEfirewall2_init, SuSEfirewall2_setup} instead.
-                    if [ X"${DISTRO}" != X"SUSE" ]; then
-                        ${DIR_RC_SCRIPTS}/iptables restart
+                    if [ X"${DISTRO}" == X'OPENBSD' ]; then
+                        /sbin/pfctl -f ${IPTABLES_CONFIG}
+                    else
+                        if [ X"${DISTRO}" != X"SUSE" ]; then
+                            ${DIR_RC_SCRIPTS}/iptables restart
+                        fi
                     fi
                     ;;
                 N|n|* )
 cleanup_amavisd_preconfig()
 {
     # Required on Gentoo and FreeBSD to start Amavisd-new.
-    ECHO_INFO "Fetching SpamAssassin rules (sa-update), please wait ..."
+    ECHO_INFO "Updating SpamAssassin rules (sa-update), please wait ..."
     ${BIN_SA_UPDATE} &>/dev/null
 
     ECHO_INFO "Compiling SpamAssassin rulesets (sa-compile), please wait ..."
     [ X"${DISTRO}" == X"RHEL" ] && check_status_before_run cleanup_disable_selinux
     [ X"${DISTRO}" != X'OPENBSD' ] && check_status_before_run cleanup_remove_sendmail
     check_status_before_run cleanup_remove_mod_python
-    [ X"${KERNEL_NAME}" == X"Linux" ] && check_status_before_run cleanup_replace_iptables_rule
+    [ X"${KERNEL_NAME}" == X'LINUX' \
+        -o X"${KERNEL_NAME}" == X'OPENBSD' \
+        ] && check_status_before_run cleanup_replace_iptables_rule
     [ X"${DISTRO}" == X"RHEL" ] && check_status_before_run cleanup_replace_mysql_config
     check_status_before_run cleanup_backup_scripts
     [ X"${BACKEND}" == X'PGSQL' ] && check_status_before_run cleanup_pgsql_force_password
-    [ X"${DISTRO}" != X'GENTOO' -a X"${DISTRO}" != X'OPENBSD' ] && check_status_before_run cleanup_start_postfix_now
+    [ X"${DISTRO}" != X'GENTOO' \
+        -a X"${DISTRO}" != X'FREEBSD' \
+        -a X"${DISTRO}" != X'OPENBSD' \
+        ] && check_status_before_run cleanup_start_postfix_now
 
     # Start Postfix to deliver emails.
     [ X"${DISTRO}" == X'GENTOO' ] && ${DIR_RC_SCRIPTS}/postfix restart >/dev/null
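Review bot: The loosened substitution on L94, `(.*,)22(.*)`, no longer requires `22` to be a whole port: it also matches `,220` or `,2222`, and because `.*,` is greedy it rewrites whichever comma-separated element last begins with 22, so any sample rule that lists such a port would be silently corrupted; the replacement also inserts a space before `${2}` unconditionally, which in pf.conf yields `2222 }` (accepted by pf, but not what the original `22 ` anchor intended). A boundary-anchored form keeps both files correct: `perl -pi -e 's#(.*,)22\b(.*)#${1}$ENV{sshd_port}${2}#' ${SAMPLE_DIR}/iptables.rules ${SAMPLE_DIR}/pf.conf`. Separately, the OpenBSD branch on L168 loads the substituted file straight into the live ruleset without checking pfctl's exit status; running `/sbin/pfctl -nf ${IPTABLES_CONFIG}` first and reporting a failure would catch a broken substitution before an invalid file is left in /etc/pf.conf. cleanup_replace_iptables_rule starts and ends outside the visible hunks.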

iRedMail/functions/dovecot1.sh

     flags=DRhu user=${VMAIL_USER_NAME}:${VMAIL_GROUP_NAME} argv=${DOVECOT_DELIVER} -f \${sender} -d \${user}@\${domain} -m \${extension}
 EOF
 
-    if [ X"${KERNEL_NAME}" == X"Linux" ]; then
+    if [ X"${KERNEL_NAME}" == X'LINUX' ]; then
         ECHO_DEBUG "Setting logrotate for dovecot log file."
         cat > ${DOVECOT_LOGROTATE_FILE} <<EOF
 ${CONF_MSG}

iRedMail/functions/dovecot2.sh

     flags=DRhu user=${VMAIL_USER_NAME}:${VMAIL_GROUP_NAME} argv=${DOVECOT_DELIVER} -f \${sender} -d \${user}@\${domain} -m \${extension}
 EOF
 
-    if [ X"${KERNEL_NAME}" == X"Linux" ]; then
+    if [ X"${KERNEL_NAME}" == X'LINUX' ]; then
         ECHO_DEBUG "Setting logrotate for dovecot log file."
         cat > ${DOVECOT_LOGROTATE_FILE} <<EOF
 ${CONF_MSG}

iRedMail/functions/openldap.sh

     chown ${LDAP_USER}:${LDAP_GROUP} ${OPENLDAP_LOGFILE}
     chmod 0600 ${OPENLDAP_LOGFILE}
 
-    if [ X"${KERNEL_NAME}" == X"Linux" ]; then
+    if [ X"${KERNEL_NAME}" == X'LINUX' ]; then
         ECHO_DEBUG "Setting logrotate for openldap log file: ${OPENLDAP_LOGFILE}."
         cat > ${OPENLDAP_LOGROTATE_FILE} <<EOF
 ${CONF_MSG}

iRedMail/functions/packages.sh

             ALL_PKGS="${ALL_PKGS} openldap mysql"
 
         elif [ X"${DISTRO}" == X'OPENBSD' ]; then
-            ALL_PKGS="${ALL_PKGS} openldap-server openldap-client mysql-server mysql-client"
+            ALL_PKGS="${ALL_PKGS} cyrus-sasl--ldap openldap-server openldap-client mysql-server mysql-client"
             PKG_SCRIPTS="${PKG_SCRIPTS} ${LDAP_RC_SCRIPT_NAME} ${MYSQL_RC_SCRIPT_NAME}"
 
         fi
             ALL_PKGS="${ALL_PKGS} mysql mod_auth_mysql"
 
         elif [ X"${DISTRO}" == X'OPENBSD' ]; then
-            ALL_PKGS="${ALL_PKGS} mysql-server mysql-client"
+            ALL_PKGS="${ALL_PKGS} cyrus-sasl--mysql mysql-server mysql-client"
             PKG_SCRIPTS="${PKG_SCRIPTS} ${MYSQL_RC_SCRIPT_NAME}"
 
         fi
             ALL_PKGS="${ALL_PKGS} postgresql-server mod_auth_pgsql"
 
         elif [ X"${DISTRO}" == X'OPENBSD' ]; then
-            ALL_PKGS="${ALL_PKGS} postgresql-server postgresql-client postgresql-contrib"
+            ALL_PKGS="${ALL_PKGS} cyrus-sasl--pgsql postgresql-server postgresql-client postgresql-contrib"
             PKG_SCRIPTS="${PKG_SCRIPTS} ${PGSQL_RC_SCRIPT_NAME}"
         fi
     fi

iRedMail/functions/policy_server.sh

 # along with iRedMail.  If not, see <http://www.gnu.org/licenses/>.
 #---------------------------------------------------------------------
 
+spamd_config()
+{
+    # Enable PF, spamd, spamlogd.
+    cat >> ${RC_CONF_LOCAL} <<EOF
+pf=YES
+spamd_flags=''
+spamlogd_flags=''
+EOF
+
+    # Whitelists in file
+    touch /etc/mail/nospamd
+
+    # Enable spamd-setup in cron
+    perl -pi -e 's/#(.*spamd-setup.*)/#${1}/' ${CRON_SPOOL_DIR}/root
+}
+
 policy_server_config()
 {
     if [ X"${USE_POLICYD}" == X'YES' ]; then
-        if [ X"${DISTRO}" == X'OPENBSD' ]; then
-            :
-        else
-            . ${FUNCTIONS_DIR}/policyd.sh
+        . ${FUNCTIONS_DIR}/policyd.sh
 
-            ECHO_INFO "Configure Policyd (postfix policy server, version 1.8)."
-            check_status_before_run policyd_user
-            check_status_before_run policyd_config
-        fi
+        ECHO_INFO "Configure Policyd (postfix policy server, version 1.8)."
+        check_status_before_run policyd_user
+        check_status_before_run policyd_config
     fi
 
     if [ X"${USE_CLUEBRINGER}" == X'YES' ]; then
         check_status_before_run cluebringer_webui_config
     fi
 
+    # OpenBSD special
+    if [ X"${USE_SPAMD}" == X'YES' ]; then
+        check_status_before_run spamd_config
+    fi
+
     echo 'export status_policy_server_config="DONE"' >> ${STATUS_FILE}
 }
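Review bot: The substitution on L281, `s/#(.*spamd-setup.*)/#${1}/`, is a no-op: it captures everything after the `#` and writes the `#` straight back, so the spamd-setup crontab entry stays commented out and the blacklists spamd depends on are never fetched, contrary to the comment on L280. The intended edit is `perl -pi -e 's/^#\s*(.*spamd-setup.*)/${1}/' ${CRON_SPOOL_DIR}/root`. Also, the `cat >> ${RC_CONF_LOCAL}` on L271 appends unconditionally; because the last assignment in rc.conf.local wins, this overrides any `spamd_flags` the administrator already set, and a re-run of spamd_config duplicates the three lines — a `grep -q '^pf=' ${RC_CONF_LOCAL}` style guard before appending would avoid both.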

iRedMail/functions/system_accounts.sh

     ECHO_DEBUG "Create system user: iredadmin."
 
     # Low privilege user used to run iRedAdmin.
-    if [ X"${KERNEL_NAME}" == X"FreeBSD" ]; then
+    if [ X"${DISTRO}" == X'FREEBSD' ]; then
         pw useradd -m -d ${IREDADMIN_HOME_DIR} -s ${SHELL_NOLOGIN} -n ${IREDADMIN_HTTPD_USER}
     elif [ X"${DISTRO}" == X'OPENBSD' ]; then
         groupadd ${IREDADMIN_HTTPD_GROUP} 2>/dev/null

iRedMail/samples/pf.conf

+# Basic OpenBSD PF rules, based on the original /etc/pf.conf.
+
+set block-policy drop
+
+set skip on lo
+pass            # to establish keep-state
+
+# rules for spamd(8)
+table <spamd-white> persist
+table <nospamd> persist file "/etc/mail/nospamd"
+pass in on egress proto tcp from any to any port smtp \
+    rdr-to 127.0.0.1 port spamd
+pass in on egress proto tcp from <nospamd> to any port smtp
+pass in log on egress proto tcp from <spamd-white> to any port smtp
+pass out log on egress proto tcp to any port smtp
+
+# Access to other mail services
+pass in on egress proto tcp from any to any port {80,443,587,110,995,143,993,22}
+
+# By default, do not permit remote connections to X11
+block in on ! lo0 proto tcp to port 6000:6010
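Review bot: The bare `pass` on L332 makes this a default-allow ruleset: pf applies last-matching-rule semantics and nothing here blocks inbound traffic except X11 on L347, so the service list on L344 restricts nothing, and any other daemon that happens to listen on a non-loopback address (LDAP, MySQL/PostgreSQL, the policy service) remains reachable from the external interface. The comment on L327 says the file is based on the stock /etc/pf.conf, which is intentionally open, but a firewall sample installed by a mail server setup should default-deny inbound, e.g. replace L332 with `block in on egress` and `pass out on egress`, leaving the spamd rules and L344 as the explicit inbound allows. Note that cleanup.sh rewrites only the SSH port in this file (the HTTPD_PORT substitution is applied to iptables.rules only), so a non-80 web port would have to be added to L344 once the ruleset is default-deny.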