
Zhang Huangbin committed 7cf5db6

CentOS 7: Firewalld is now working.


Files changed (10)

iRedMail/conf/global

 
         ENABLE_BACKEND_MYSQL='YES'
         ENABLE_BACKEND_MARIADB='NO'
+
+        # iptables rule file.
+        export FIREWALL_RULE_CONF="${ETC_SYSCONFIG_DIR}/iptables"
     else
         export enable_service='enable_service_systemd'
         export disable_service='disable_service_systemd'
         # No MySQL available since RHEL/CentOS 7.
         ENABLE_BACKEND_MYSQL='NO'
         ENABLE_BACKEND_MARIADB='MYSQL'
+
+        # iptables rule file.
+        export USE_FIREWALLD='YES'
+        export FIREWALLD_CONF_DIR='/etc/firewalld'
+        export FIREWALLD_CONF='/etc/firewalld/firewalld.conf'
+        export FIREWALL_RULE_CONF="${FIREWALLD_CONF_DIR}/zones/iredmail.xml"
     fi
 
     # Syslog config file: rsyslog.
     # Directory /etc/sysconfig/ on RHEL/CentOS.
     export ETC_SYSCONFIG_DIR='/etc/sysconfig'
 
-    # iptables rule file.
-    export FIREWALL_RULE_CONF="${ETC_SYSCONFIG_DIR}/iptables"
-
     # Directory used to store SSL/TLS key/cert file.
     export SSL_FILE_DIR="/etc/pki/tls"
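Review bot: The moved assignment `export FIREWALL_RULE_CONF="${ETC_SYSCONFIG_DIR}/iptables"` now sits inside the `if` branch, but `export ETC_SYSCONFIG_DIR='/etc/sysconfig'` is only executed after the `fi`; unless that variable is also set earlier in the file (outside this hunk), the pre-7 branch yields `/iptables` where the removed bottom assignment used to give `/etc/sysconfig/iptables`. Moving `export ETC_SYSCONFIG_DIR='/etc/sysconfig'` above the `if`, or keeping the iptables assignment after it as before, restores the ordering. The comment `# iptables rule file.` above the new firewalld exports no longer describes them; `# Firewalld (RHEL/CentOS 7+): the iredmail zone file is the firewall rule file.` would. Exporting `USE_FIREWALLD='NO'` in the first branch would also make the later `X"${USE_FIREWALLD}" == X'YES'` tests explicit rather than relying on the variable being unset. The enclosing `if` starts outside the hunk.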
 

iRedMail/functions/amavisd.sh

     banned_admin_maps => [],
     warnbadhsender   => 0,
     warnbannedsender   => 0,
-    warnvirussender  => 1,
-    warnspamsender   => 1,
+    warnvirussender  => 0,
+    warnspamsender   => 0,
     # forward to a smtpd service providing DKIM signing service
     #forward_method => 'smtp:[${AMAVISD_SYS_USER}]:10027',
     # force MTA conversion to 7-bit (e.g. before DKIM signing)
 #\$X_HEADER_TAG = 'X-Virus-Scanned';
 #\$X_HEADER_LINE = "by amavisd at \$myhostname";
 
-# Notify virus sender?
-#\$warnvirussender = 0;
-
-# Notify spam sender?
-#\$warnspamsender = 0;
-
-# Notify sender of banned files?
-\$warnbannedsender = 0;
-
-# Notify sender of syntactically invalid header containing non-ASCII characters?
-\$warnbadhsender = 0;
-
-# Notify virus (or banned files) RECIPIENT?
-#  (not very useful, but some policies demand it)
-\$warnvirusrecip = 0;
-\$warnbannedrecip = 0;
-
-# Notify also non-local virus/banned recipients if \$warn*recip is true?
-#  (including those not matching local_domains*)
-\$warn_offsite = 0;
-
 #\$notify_sender_templ      = read_text('/var/amavis/notify_sender.txt');
 #\$notify_virus_sender_templ= read_text('/var/amavis/notify_virus_sender.txt');
 #\$notify_virus_admin_templ = read_text('/var/amavis/notify_virus_admin.txt');
 \c ${AMAVISD_DB_NAME};
 \i ${PGSQL_SYS_USER_HOME}/amavisd.sql;
 
+ALTER DATABASE amavisd SET bytea_output TO 'escape';
+
 -- Grant privileges
 GRANT SELECT,INSERT,UPDATE,DELETE ON maddr,mailaddr,msgrcpt,msgs,policy,quarantine,users,wblist TO ${AMAVISD_DB_USER};
 GRANT SELECT,UPDATE,USAGE ON maddr_id_seq,mailaddr_id_seq,policy_id_seq,users_id_seq TO ${AMAVISD_DB_USER};
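Review bot: `ALTER DATABASE amavisd SET bytea_output TO 'escape';` hard-codes the database name while the surrounding statements (`\c ${AMAVISD_DB_NAME};`, the `GRANT` lines) use `${AMAVISD_DB_NAME}`; if that variable ever differs from `amavisd` the ALTER targets a database that does not exist and the setting is silently not applied to the one amavisd uses. Use `ALTER DATABASE ${AMAVISD_DB_NAME} SET bytea_output TO 'escape';` to keep the heredoc consistent. The earlier hunk that changes `warnvirussender`/`warnspamsender` to 0 deserves a why-comment next to those settings, e.g. `# Never notify the sender: virus/spam sender addresses are usually forged, so the notice becomes backscatter.`, since the dropped `\$warn*` lines were the only place that intent was written down. The enclosing heredocs start outside the hunks.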

iRedMail/functions/cleanup.sh

         export sshd_port='22'
     else
         # Replace port number in iptable, pf and Fail2ban.
+        [ X"${USE_FIREWALLD}" == X'YES' ] && \
+            perl -pi -e 's#(.* )22( .*)#${1}$ENV{sshd_port}${2}#' ${SAMPLE_DIR}/firewalld/services/ssh.xml
+
         perl -pi -e 's#(.* )22( .*)#${1}$ENV{sshd_port}${2}#' ${SAMPLE_DIR}/iptables.rules
         perl -pi -e 's#(.*mail_services=.*)ssh( .*)#${1}$ENV{sshd_port}${2}#' ${SAMPLE_DIR}/pf.conf
 
             perl -pi -e 's#(.*port=.*)ssh(.*)#${1}$ENV{sshd_port}${2}#' ${FAIL2BAN_JAIL_LOCAL_CONF}
     fi
 
-    ECHO_QUESTION "Would you like to use firewall rules provided by iRedMail now?"
+    ECHO_QUESTION "Would you like to use firewall rules provided by iRedMail?"
     ECHO_QUESTION -n "File: ${FIREWALL_RULE_CONF}, with SSHD port: ${sshd_port}. [Y|n]"
     read_setting ${AUTO_CLEANUP_REPLACE_FIREWALL_RULES}
     case $ANSWER in
             backup_file ${FIREWALL_RULE_CONF}
             if [ X"${KERNEL_NAME}" == X'LINUX' ]; then
                 ECHO_INFO "Copy firewall sample rules: ${FIREWALL_RULE_CONF}."
-                cp -f ${SAMPLE_DIR}/iptables.rules ${FIREWALL_RULE_CONF}
+                if [ X"${USE_FIREWALLD}" == X'YES' ]; then
+                    cp -f ${SAMPLE_DIR}/firewalld/zones/iredmail.xml ${FIREWALL_RULE_CONF}
+
+                    [ X"${sshd_port}" != X'22' ] && \
+                        cp -f ${SAMPLE_DIR}/firewalld/services/ssh.xml ${FIREWALLD_CONF_DIR}/services/
+
+                    cp -f ${SAMPLE_DIR}/firewalld/services/{imap,pop3,submission}.xml ${FIREWALLD_CONF_DIR}/services/
+                else
+                    cp -f ${SAMPLE_DIR}/iptables.rules ${FIREWALL_RULE_CONF}
+                fi
 
                 # Replace HTTP port.
                 [ X"${HTTPD_PORT}" != X"80" ]&& \
                     perl -pi -e 's#(.*)80(,.*)#${1}$ENV{HTTPD_PORT}${2}#' ${FIREWALL_RULE_CONF}
 
-                if [ X"${DISTRO}" == X"DEBIAN" -o X"${DISTRO}" == X"UBUNTU" ]; then
+                if [ X"${DISTRO}" == X'RHEL' ]; then
+                    if [ X"${USE_FIREWALLD}" == X'YES' ]; then
+                        service_control enable firewalld >/dev/null
+                    else
+                        eval ${enable_service} iptables >/dev/null
+                    fi
+                elif [ X"${DISTRO}" == X"DEBIAN" -o X"${DISTRO}" == X"UBUNTU" ]; then
                     # Copy sample rc script for Debian.
                     cp -f ${SAMPLE_DIR}/iptables.init.debian ${DIR_RC_SCRIPTS}/iptables
                     chmod +x ${DIR_RC_SCRIPTS}/iptables
                     if [ X"${DISTRO}" == X'OPENBSD' ]; then
                         /sbin/pfctl -ef ${FIREWALL_RULE_CONF}
                     else
-                        ${DIR_RC_SCRIPTS}/iptables restart &>/dev/null
+                        if [ X"${USE_FIREWALLD}" == X'YES' ]; then
+                            perl -pi -e 's#^(DefaultZone=).*#${1}iredmail#g' ${FIREWALLD_CONF}
+                            firewall-cmd --complete-reload >/dev/null
+                        else
+                            ${DIR_RC_SCRIPTS}/iptables restart &>/dev/null
+                        fi
                     fi
                     ;;
                 N|n|* )
 
 EOF
 
-    ECHO_DEBUG "Decrease sshd service start order via chkconfig."
-    if [ X"${DISTRO}" == X"RHEL" ]; then
-        # Unclearly power off might cause damage to OpenLDAP database, it will
-        # hangs while system startup. Decrease sshd start order to make sure you
-        # can always log into server for maintaince.
-        #
-        # 10 -> network, 12 -> syslog, rsyslog.
-        disable_service_rh sshd
-        perl -pi -e 's#(.*chkconfig.*)55(.*)#${1}13${2}#' ${DIR_RC_SCRIPTS}/sshd
-        enable_service_rh sshd
-    fi
-
     ECHO_INFO "Mail sensitive administration info to ${FIRST_USER}@${FIRST_DOMAIN}."
     FILE_IREDMAIL_INSTALLATION_DETAILS="${FIRST_USER_MAILDIR_INBOX}/details.eml"
     FILE_IREDMAIL_LINKS="${FIRST_USER_MAILDIR_INBOX}/links.eml"
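Review bot: The substitution added for the firewalld case, `s#(.* )22( .*)#${1}$ENV{sshd_port}${2}#` on `${SAMPLE_DIR}/firewalld/services/ssh.xml`, requires a space on both sides of `22`, but the `ssh.xml` added in this commit carries the port as `port="22"/>`, so a custom sshd port is never written into the service file and the copied `ssh.xml` still opens 22 only — once the zone is applied and `DefaultZone=iredmail` is set, a host with a non-default SSH port is locked out. Match the XML attribute instead: `perl -pi -e 's#(port=")22(")#${1}$ENV{sshd_port}${2}#' ${SAMPLE_DIR}/firewalld/services/ssh.xml`. The HTTP-port replacement `s#(.*)80(,.*)#${1}$ENV{HTTPD_PORT}${2}#` on `${FIREWALL_RULE_CONF}` has the same problem on the firewalld path: it was written for `iptables.rules`, nothing in `iredmail.xml` matches `80,`, so a non-default `HTTPD_PORT` is silently not opened either. Both edits also rewrite the sample under `${SAMPLE_DIR}` in place rather than the copy under `${FIREWALLD_CONF_DIR}`, so a second run operates on an already-modified sample. The enclosing function and the `case` block start outside the hunks.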

iRedMail/pkgs/get_all.sh

 EOF
 
     ECHO_INFO "Install epel yum repo."
+    yum clean metadata
+
     # Create a temporary yum repo to install epel-release without GPG check.
     cat > ${YUM_REPOS_DIR}/tmp_epel.repo <<EOF
 [tmp_epel]
 
     eval ${install_pkg} epel-release && rm ${YUM_REPOS_DIR}/tmp_epel.repo
 
-    tmp_os_name="${DISTRO_CODENAME}"
-    if [ X"${DISTRO_CODENAME}" != X'rhel' -o X"${DISTRO_CODENAME}" != X'centos' ]; then
-        tmp_os_name="centos"
-    fi
-    cat >> ${YUM_REPOS_DIR}/nginx.repo <<EOF
-[nginx]
-name=Official nginx repo
-baseurl=http://nginx.org/packages/${tmp_os_name}/\$releasever/\$basearch/
-enabled=1
-gpgcheck=0
-EOF
-
     ECHO_INFO "Clean metadata of yum repositories."
     yum clean metadata
 

iRedMail/samples/firewalld/services/imap.xml

+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>IMAP</short>
+  <description>The Internet Message Access Protocol (IMAP) allows a local client to access email on a remote server in a secure way. If you plan to provide a IMAP over SSL service (e.g. with dovecot), enable this option.</description>
+  <port protocol="tcp" port="143"/>
+</service>
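Review bot: The `<description>` tells the operator to enable this service for an "IMAP over SSL service", but the only port opened is `143/tcp`, which is plain IMAP (TLS, if any, negotiated via STARTTLS); IMAP over SSL is the separate `imaps` service that the zone file in this commit lists on its own. Reword so nobody enables this believing it covers the TLS-only port, e.g. `The Internet Message Access Protocol (IMAP) allows a local client to access email on a remote server. This opens the plain IMAP port (143); use the imaps service for IMAP over SSL/TLS.`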

iRedMail/samples/firewalld/services/pop3.xml

+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>POP-3</short>
+  <description>The Post Office Protocol version 3 (POP3) is a protocol to retrieve email from a remote server over a TCP/IP connection. Enable this option, if you plan to provide a POP3 service (e.g. with dovecot).</description>
+  <port protocol="tcp" port="110"/>
+</service>

iRedMail/samples/firewalld/services/ssh.xml

+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>SSH</short>
+  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
+  <port protocol="tcp" port="22"/>
+</service>

iRedMail/samples/firewalld/services/submission.xml

+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>SMTP over TLS</short>
+  <description>This option allows incoming SMTP mail delivery over TLS.</description>
+  <port protocol="tcp" port="587"/>
+</service>
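Review bot: `<short>SMTP over TLS</short>` is misleading for port `587/tcp`, which is the mail submission port where TLS is negotiated with STARTTLS rather than wrapped from the start; an operator looking for an SMTPS-style port will read this wrongly. `<short>Mail submission</short>` and a description such as `Allows mail clients to submit outgoing mail on port 587 (SMTP submission, STARTTLS).` describe what is actually opened.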

iRedMail/samples/firewalld/zones/iredmail.xml

+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+    <short>Mail services</short>
+    <description>Allow access to mail services from external network.</description>
+    <service name="ssh"/>
+    <service name="http"/>
+    <service name="https"/>
+    <service name="smtp"/>
+    <service name="submission"/>
+    <service name="pop3"/>
+    <service name="pop3s"/>
+    <service name="imap"/>
+    <service name="imaps"/>
+    <service name="ldap"/>
+    <service name="ldaps"/>
+</zone>
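Review bot: The zone opens `ldap` and `ldaps` (`<service name="ldap"/>`, `<service name="ldaps"/>`) although its `<description>` says it allows mail services from the external network; a directory service reachable from outside is a larger attack surface than the mail ports and is not something mail clients need. Unless remote LDAP access is a deliberate feature, drop those two lines (or bind this zone only to the interface that should see it) and update the description to list exactly what is opened. Whether the replaced `iptables.rules` exposed the same ports is not visible in this commit.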

iRedMail/samples/iptables.rules

 #   /etc/sysconfig/iptables
 #
 # Shipped within iRedMail project:
-#   * http://iRedMail.googlecode.com/
+#   * http://www.iRedMail.org/
 #
 
 *filter