Silenced output when enableing the firewall

Gnegne

CHANGELOG.md

@@ -1,7 +1,20 @@
 ## 29-08-2019 / 31-08-2019:  
+```
 Dev = done.  
 PostixAdmin, Postfix, Dovecot and Sieve working!  
+```
 
-## 31-08-2019  
+## 31-08-2019 / 01-09-2019:
+```
 Started Alpha Branch.  
-PHP7.3 working!  
+PHP7.3 and MySQL 8 working!  
+```
+
+## 01-09-2019 / 12-09-2019:
+```
+Started Omega Branch.
+Debloat option added. ClamAV, Spamassassin and Amavis integrated.
+Added Manual Certbot option for testing purposes.
+Unattended Security Updates integrated.
+Few bugfixes.
+```

Future-Updates.md

@@ -0,0 +1,10 @@
+## Future updates:
+```  
+Update PostfixAdmin to the latest version.  
+Set email quota? Postgrey, FuzzyOCR.  
+
+Mail.log should rotate every week, this needs to be tested.  
+
+Export DKIM key to the home folder.  
+User manual for purging and clearing the mail queue.  
+```

README.md

@@ -1,8 +1,35 @@
-# Ubuntu-Mail
-**Get Started**:  
-wget https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/alpha/installer.sh  
-bash installer.sh 2>&1 | tee output.log  
-  
-### Sources
+# Ubuntu-Mail  
+### Notice, SSH Port has been set 4242  
 
-https://linuxize.com/post/set-up-an-email-server-with-postfixadmin
+**Get Started with the graphical installer**:  
+```
+wget https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/beta/installer.sh -O /tmp/installer.sh  
+bash /tmp/installer.sh
+```  
+
+**Legacy Installer for developing and debugging**:
+```
+wget https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/beta/installer.sh -O /tmp/installer.sh  
+bash /tmp/installer.sh -l 2>&1 | tee ~/output.log 
+```
+
+#### This script uses the following repo's as dependencies:
+```
+* VPS-scripts/Unattended-Security-Updates 
+* VPS-scripts/Ubuntu-MySQL
+* VPS-scripts/Ubuntu-Web
+```  
+
+
+#### Sources:  
+```  
+https://linuxize.com/post/set-up-an-email-server-with-postfixadmin
+https://www.howtoforge.com/amavisd_postfix_debian_ubuntu
+https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf
+https://linuxconfig.org/how-to-change-welcome-message-motd-on-ubuntu-18-04-server
+https://phoenixnap.com/kb/automatic-security-updates-ubuntu
+https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands
+
+https://www.mail-tester.com
+https://www.emailsecuritycheck.net
+```  

config/amavis/15-content_filter_mode

@@ -0,0 +1,27 @@
+use strict;
+
+# You can modify this file to re-enable SPAM checking through spamassassin
+# and to re-enable antivirus checking.
+
+#
+# Default antivirus checking mode
+# Please note, that anti-virus checking is DISABLED by 
+# default.
+# If You wish to enable it, please uncomment the following lines:
+
+
+@bypass_virus_checks_maps = (
+   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+
+
+#
+# Default SPAM checking mode
+# Please note, that anti-spam checking is DISABLED by 
+# default.
+# If You wish to enable it, please uncomment the following lines:
+
+
+@bypass_spam_checks_maps = (
+   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+
+1;  # ensure a defined return

config/amavis/20-debian_defaults

@@ -0,0 +1,214 @@
+use strict;
+
+# ADMINISTRATORS:
+# Debian suggests that any changes you need to do that should never
+# be "updated" by the Debian package should be made in another file,
+# overriding the settings in this file.
+#
+# The package will *not* overwrite your settings, but by keeping
+# them separate, you will make the task of merging changes on these
+# configuration files much simpler...
+
+#   see /usr/share/doc/amavisd-new/examples/amavisd.conf-default for
+#       a list of all variables with their defaults;
+#   see /usr/share/doc/amavisd-new/examples/amavisd.conf-sample for
+#       a traditional-style commented file  
+#   [note: the above files were not converted to Debian settings!]
+#
+#   for more details see documentation in /usr/share/doc/amavisd-new
+#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
+
+$QUARANTINEDIR = "$MYHOME/virusmails";
+$quarantine_subdir_levels = 1; # enable quarantine dir hashing
+
+$log_recip_templ = undef;    # disable by-recipient level-0 log entries
+$DO_SYSLOG = 1;              # log via syslogd (preferred)
+$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
+$syslog_facility = 'mail';
+$syslog_priority = 'debug';  # switch to info to drop debug output, etc
+
+$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
+$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
+
+$inet_socket_port = 10024;   # default listening socket
+
+#$sa_spam_subject_tag = '***SPAM*** ';
+$sa_tag_level_deflt  = 3.0;  # add spam info headers if at, or above that level
+$sa_tag2_level_deflt = 3.0; # add 'spam detected' headers at that level
+$sa_kill_level_deflt = 21.0; # triggers spam evasive actions
+$sa_dsn_cutoff_level = 5;   # spam level beyond which a DSN is not sent
+
+
+
+$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
+$sa_local_tests_only = 0;    # only tests which do not require internet access?
+
+# Quota limits to avoid bombs (like 42.zip)
+
+$MAXLEVELS = 14;
+$MAXFILES = 1500;
+$MIN_EXPANSION_QUOTA =      100*1024;  # bytes
+$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes
+
+# You should:
+#   Use D_DISCARD to discard data (viruses)
+#   Use D_BOUNCE to generate local bounces by amavisd-new
+#   Use D_REJECT to generate local or remote bounces by the calling MTA
+#   Use D_PASS to deliver the message
+#
+# Whatever you do, *NEVER* use D_REJECT if you have other MTAs *forwarding*
+# mail to your account.  Use D_BOUNCE instead, otherwise you are delegating
+# the bounce work to your friendly forwarders, which might not like it at all.
+#
+# On dual-MTA setups, one can often D_REJECT, as this just makes your own
+# MTA generate the bounce message.  Test it first.
+#
+# Bouncing viruses is stupid, always discard them after you are sure the AV
+# is working correctly.  Bouncing real SPAM is also useless, if you cannot
+# D_REJECT it (and don't D_REJECT mail coming from your forwarders!).
+
+$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
+$final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
+$final_spam_destiny       = D_PASS;
+$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
+
+$enable_dkim_verification = 0; #disabled to prevent warning
+
+$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
+
+# Set to empty ("") to add no header
+$X_HEADER_LINE = "Debian $myproduct_name at $mydomain";
+
+# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
+
+#
+# DO NOT SEND VIRUS NOTIFICATIONS TO OUTSIDE OF YOUR DOMAIN. EVER.
+#
+# These days, almost all viruses fake the envelope sender and mail headers.
+# Therefore, "virus notifications" became nothing but undesired, aggravating
+# SPAM.  This holds true even inside one's domain.  We disable them all by
+# default, except for the EICAR test pattern.
+#
+
+@viruses_that_fake_sender_maps = (new_RE(
+  [qr'\bEICAR\b'i => 0],            # av test pattern name
+  [qr/.*/ => 1],  # true for everything else
+));
+
+@keep_decoded_original_maps = (new_RE(
+# qr'^MAIL$',   # retain full original message for virus checking (can be slow)
+  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
+  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
+# qr'^Zip archive data',     # don't trust Archive::Zip
+));
+
+
+# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
+
+$banned_filename_re = new_RE(
+# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
+
+  # block certain double extensions anywhere in the base name
+  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
+
+  qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict
+
+  qr'^application/x-msdownload$'i,                  # block these MIME types
+  qr'^application/x-msdos-program$'i,
+  qr'^application/hta$'i,
+
+# qr'^application/x-msmetafile$'i,	# Windows Metafile MIME type
+# qr'^\.wmf$',				# Windows Metafile file(1) type
+
+# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types
+
+# [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
+# [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
+# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives
+# [ qr'^application/x-zip-compressed$'i => 0],  # allow any within such archives
+
+  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
+# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
+#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
+#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
+#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long
+
+# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
+
+  qr'^\.(exe-ms)$',                       # banned file(1) types
+# qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
+);
+# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
+# and http://www.cknow.com/vtutor/vtextensions.htm
+
+
+# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
+
+@score_sender_maps = ({ # a by-recipient hash lookup table,
+                        # results from all matching recipient tables are summed
+
+# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
+# 'user1@example.com'  => [{'bla-mobile.press@example.com' => 10.0}],
+# 'user3@example.com'  => [{'.ebay.com'                 => -3.0}],
+# 'user4@example.com'  => [{'cleargreen@cleargreen.com' => -7.0,
+#                           '.cleargreen.com'           => -5.0}],
+
+  ## site-wide opinions about senders (the '.' matches any recipient)
+  '.' => [  # the _first_ matching sender determines the score boost
+
+   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
+    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
+    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
+    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
+    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
+    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
+    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
+    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
+   ),
+
+#  read_hash("/var/amavis/sender_scores_sitewide"),
+
+# This are some examples for whitelists, since envelope senders can be forged
+# they are not enabled by default. 
+   { # a hash-type lookup table (associative array)
+     #'nobody@cert.org'                        => -3.0,
+     #'cert-advisory@us-cert.gov'              => -3.0,
+     #'owner-alert@iss.net'                    => -3.0,
+     #'slashdot@slashdot.org'                  => -3.0,
+     #'securityfocus.com'                      => -3.0,
+     #'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
+     #'security-alerts@linuxsecurity.com'      => -3.0,
+     #'mailman-announce-admin@python.org'      => -3.0,
+     #'amavis-user-admin@lists.sourceforge.net'=> -3.0,
+     #'amavis-user-bounces@lists.sourceforge.net' => -3.0,
+     #'spamassassin.apache.org'                => -3.0,
+     #'notification-return@lists.sophos.com'   => -3.0,
+     #'owner-postfix-users@postfix.org'        => -3.0,
+     #'owner-postfix-announce@postfix.org'     => -3.0,
+     #'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
+     #'sendmail-announce-request@lists.sendmail.org' => -3.0,
+     #'donotreply@sendmail.org'                => -3.0,
+     #'ca+envelope@sendmail.org'               => -3.0,
+     #'noreply@freshmeat.net'                  => -3.0,
+     #'owner-technews@postel.acm.org'          => -3.0,
+     #'ietf-123-owner@loki.ietf.org'           => -3.0,
+     #'cvs-commits-list-admin@gnome.org'       => -3.0,
+     #'rt-users-admin@lists.fsck.com'          => -3.0,
+     #'clp-request@comp.nus.edu.sg'            => -3.0,
+     #'surveys-errors@lists.nua.ie'            => -3.0,
+     #'emailnews@genomeweb.com'                => -5.0,
+     #'yahoo-dev-null@yahoo-inc.com'           => -3.0,
+     #'returns.groups.yahoo.com'               => -3.0,
+     #'clusternews@linuxnetworx.com'           => -3.0,
+     #lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
+     #lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
+
+     # soft-blacklisting (positive score)
+     #'sender@example.net'                     =>  3.0,
+     #'.example.net'                           =>  1.0,
+
+   },
+  ],  # end of site-wide tables
+});
+
+1;  # ensure a defined return

config/amavis/21-ubuntu_defaults

@@ -0,0 +1,27 @@
+use strict;
+
+#
+# These are Ubuntu specific defaults for amavisd-new configuration
+#
+# DOMAIN KEYS IDENTIFIED MAIL (DKIM)
+$enable_dkim_verification = 1;
+# Don't be verbose about sending mail:
+@whitelist_sender_acl = qw( .$mydomain );
+$final_virus_destiny      = D_DISCARD; # (defaults to D_BOUNCE)
+$final_banned_destiny     = D_DISCARD;  # (defaults to D_BOUNCE)
+$final_spam_destiny       = D_PASS;  # (defaults to D_REJECT)
+$final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested
+
+$sa_tag_level_deflt = 3.0;  # add spam info headers if at, or above that level
+$sa_tag2_level_deflt = 3.0;  # add 'spam detected' headers at that level
+$sa_kill_level_deflt = 21.0; # triggers spam evasive actions
+$sa_dsn_cutoff_level = 5;    # spam level beyond which a DSN is not sent
+
+
+
+
+$virus_admin = undef;
+$spam_admin = undef;
+
+#------------ Do not modify anything below this line -------------
+1;  # insure a defined return

config/amavis/50-user

@@ -0,0 +1,48 @@
+use strict;
+#
+# Place your configuration directives here.  They will override those in
+# earlier files.
+#
+# See /usr/share/doc/amavisd-new/ for documentation and examples of
+# the directives you can use in this file
+#
+
+# We need to provide list of domains for which filtering need to be done
+#@lookup_sql_dsn = (
+#    ['DBI:mysql:database=postfixadmin;host=127.0.0.1;port=3306',
+#     'postfixadmin',
+#     'PASSword']);
+
+# Disable show header recieve from amavisd localhost 127.0.0.1
+$allowed_added_header_fields{lc('Received')} = 0;
+
+@inet_acl = qw( 127.0.0.1 [::1] 23.21.136.138/32 );
+@local_domains_acl = ( "." );
+# Change instance amavisd process
+$max_servers = 5;
+
+# Disable quarantine
+$clean_quarantine_to = undef; # local quarantine
+$virus_quarantine_to = undef; # traditional local quarantine
+$banned_quarantine_to = undef; # local quarantine
+$bad_header_quarantine_to = undef; # local quarantine
+$spam_quarantine_to = undef; # local quarantine
+
+# Don's Discard infected mail
+$final_virus_destiny = D_REJECT;
+$final_banned_destiny = D_REJECT;
+$final_spam_destiny = D_PASS;
+
+# Add Warning to Subject
+$sa_tag_level_deflt = -9999; # always add spam info headers
+$subject_tag_maps_by_ccat{+CC_VIRUS} = [ '***WARNING-VIRUS DETECTED*** ' ];
+$subject_tag_maps_by_ccat{+CC_BANNED} = [ '***WARNING-DANGEROUS DETECTED*** ' ];
+
+# Filter spam mail to Junk folder
+$recipient_delimiter = '+';
+@addr_extension_spam_maps = ('Spam');
+@addr_extension_virus_maps = ('Spam');
+@addr_extension_banned_maps = ('Spam');
+
+#------------ Do not modify anything below this line -------------
+1;  # ensure a defined return

config/dkim/opendkim.conf

@@ -0,0 +1,95 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog			yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask			007
+
+# Sign for example.com with key in /etc/dkimkeys/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain			example.com
+#KeyFile		/etc/dkimkeys/dkim.key
+#Selector		2007
+
+# Commonly-used options; the commented-out versions show the defaults.
+Canonicalization	relaxed/simple
+Mode			sv
+SubDomains		no
+AutoRestart         yes
+AutoRestartRate     10/1M
+Background          yes
+DNSTimeout          5
+SignatureAlgorithm  rsa-sha256
+
+# Socket smtp://localhost
+#
+# ##  Socket socketspec
+# ##
+# ##  Names the socket where this filter should listen for milter connections
+# ##  from the MTA.  Required.  Should be in one of these forms:
+# ##
+# ##  inet:port@address           to listen on a specific interface
+# ##  inet:port                   to listen on all interfaces
+# ##  local:/path/to/socket       to listen on a UNIX domain socket
+#
+#Socket                  inet:8892@localhost
+Socket                   local:/var/spool/postfix/opendkim/opendkim.sock
+
+##  PidFile filename
+###      default (none)
+###
+###  Name of the file where the filter should write its pid before beginning
+###  normal operations.
+#
+PidFile               /var/run/opendkim/opendkim.pid
+
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier.  From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders		From
+
+##  ResolverConfiguration filename
+##      default (none)
+##
+##  Specifies a configuration file to be passed to the Unbound library that
+##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
+##  documentation at http://unbound.net for the expected content of this file.
+##  The results of using this and the TrustAnchorFile setting at the same
+##  time are undefined.
+##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
+##  unbound package
+
+# ResolverConfiguration     /etc/unbound/unbound.conf
+
+##  TrustAnchorFile filename
+##      default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile       /usr/share/dns/root.key
+
+##  Userid userid
+###      default (none)
+###
+###  Change to user "userid" before starting normal operation?  May include
+###  a group ID as well, separated from the userid by a colon.
+#
+UserID                opendkim
+
+# Map domains in From addresses to keys used to sign messages
+KeyTable           refile:/etc/opendkim/key.table
+SigningTable       refile:/etc/opendkim/signing.table
+
+# Hosts to ignore when verifying signatures
+ExternalIgnoreList  /etc/opendkim/trusted.hosts
+
+# A set of internal hosts whose mail should be signed
+InternalHosts       /etc/opendkim/trusted.hosts

config/dkim/opendkim.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+##----------------------------##
+#    OpenDKIM Configuration    #
+##----------------------------##
+
+gpasswd -a postfix opendkim
+
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/beta/config/dkim/opendkim.conf -O /etc/opendkim.conf
+mkdir -p /etc/opendkim
+mkdir -p /etc/opendkim/keys
+chown -R opendkim:opendkim /etc/opendkim
+chmod go-rw /etc/opendkim/keys
+
+echo "*@$domonly    default._domainkey.$domonly" >> /etc/opendkim/signing.table
+echo "default._domainkey.$domonly     $domonly:default:/etc/opendkim/keys/$domonly/default.private" >> /etc/opendkim/key.table
+echo "127.0.0.1" >> /etc/opendkim/trusted.hosts
+echo "localhost" >> /etc/opendkim/trusted.hosts
+echo "" >> /etc/opendkim/trusted.hosts
+echo "*.$domonly" >> /etc/opendkim/trusted.hosts
+
+mkdir -p /etc/opendkim/keys/$domonly
+opendkim-genkey -b $dhparam -d $domonly -D /etc/opendkim/keys/$domonly -s default -v
+chown opendkim:opendkim /etc/opendkim/keys/$domonly/default.private
+
+##---------------------------##
+#    Postfix Configuration    #
+##---------------------------##
+
+mkdir -p /var/spool/postfix/opendkim
+chown opendkim:postfix /var/spool/postfix/opendkim
+
+echo "# Milter configuration" >> /etc/postfix/main.cf
+echo "milter_default_action = accept" >> /etc/postfix/main.cf
+echo "milter_protocol = 6" >> /etc/postfix/main.cf
+echo "smtpd_milters = local:/opendkim/opendkim.sock" >> /etc/postfix/main.cf
+echo 'non_smtpd_milters = $smtpd_milters' >> /etc/postfix/main.cf

config/dovecot/15-mailboxes.conf

@@ -47,6 +47,7 @@ namespace inbox {
   # These mailboxes are widely used and could perhaps be created automatically:
   mailbox Drafts {
     special_use = \Drafts
+    auto = subscribe
   }
   mailbox Spam {
     special_use = \Junk
@@ -54,15 +55,18 @@ namespace inbox {
   }
   mailbox Junk {
     special_use = \Junk
+    auto = subscribe
   }
   mailbox Trash {
     special_use = \Trash
+    auto = subscribe
   }
 
   # For \Sent mailboxes there are two widely used names. We'll mark both of
   # them as \Sent. User typically deletes one of them if duplicates are created.
   mailbox Sent {
     special_use = \Sent
+    auto = subscribe
   }
   mailbox "Sent Messages" {
     special_use = \Sent

config/lets-encrypt/README

@@ -0,0 +1,14 @@
+This directory contains your keys and certificates.
+
+`privkey.pem`  : the private key for your certificate.
+`fullchain.pem`: the certificate file used in most server software.
+`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
+`cert.pem`     : will break many server configurations, and should not be used
+                 without reading further documentation (see link below).
+
+WARNING: DO NOT MOVE OR RENAME THESE FILES!
+         Certbot expects these files to remain in this location in order
+         to function properly!
+
+We recommend not moving these files. For more information, see the Certbot
+User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

config/lets-encrypt/cert.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgISBN+7pm+eon8x1kIYxdzPY6mDMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA5MTEwNzU0MzdaFw0x
+OTEyMTAwNzU0MzdaMB8xHTAbBgNVBAMTFG1haWwuaWN0ZG93bndlcmsuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuBlnH/sRyrqwElbTeY23Bjdm
+ZeGgABVN3Z8f7o0q+NzrEIs2qfF5sxzQsTDHQkFQ7BlZL2tlBTvYJzL4f56LP+Ft
+ST0ivabmlfMlqVctGeMhIqQ5t12NKeDj5eXoT1udMvw3/X2J0i7cHJbpHqvCtdy/
+914SyaHwykFybC3vhoz18APUE0jfk1jfsIBzabRpC5C1SD1utMVcpzdc7eIoz6sF
+hI3YeWVvDRfoFkd/D/Qhrom0pHhsAth3FXbgvZkf865xf/Al/PxMJlPZQCYi1KyA
+x2aRR4IFOvCPk8a9EFeIKx9AVTgcu5CNIW0SRSZpQ4u+tTUtxuB7dL7SVbgXbQID
+AQABo4ICaTCCAmUwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQijuIvsk5b0OD5eZY4
+q6nlv+PIjTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEF
+BQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5j
+cnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5j
+cnlwdC5vcmcvMB8GA1UdEQQYMBaCFG1haWwuaWN0ZG93bndlcmsuY29tMEwGA1Ud
+IARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0
+dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDw
+AHYAdH7agzGtMxCRIZzOJU9CcMK//V5CIAjGNzV55hB7zFYAAAFtH4gerAAABAMA
+RzBFAiEAqaCymIN2kRHFIXwYMF3q7aRx3OfcCDQH6VkY4nPeQpECIGvCRqQ1uWPa
+6Ui1HQu1MaVjVN8FHNxMm3+10MJ3rxGtAHYAY/Lbzeg7zCzPC3KEJ1drM6SNYXeP
+vXWmOLHHaFRL2I0AAAFtH4genAAABAMARzBFAiEA36yPCciL4XPzlOBFwF0MKiLg
+bdJTwrDoRQc+BswOrPQCIDJGAGPGm8Ge00dLSpSZRsVT9frBTKvtY0DMXM+BRDjV
+MA0GCSqGSIb3DQEBCwUAA4IBAQCcI3Ofg9p4cqjWuuLax/MgF6qFloGbajP3hvfD
+kG1C8lXAMUhAxMlwk53fzM7RwemKztPMXXOyA8/3gwE0T8XJm4e6ddKQ9KaG4F3a
+Yj5MerpG+toEg+sSP/GJRZIoJjiB+WCQXt+UxxaZ6GmXiziqmJvnNNQPYBXB/AJk
+W7X54IVfoZn/OOuxGMb3I8JmDS0aPJFr6Sa4IPZdtaDQzvL5YitrVxtuhLFPb+GY
+BJZ/TPJJVFvL19nYe09d578Wu+F8hRMTTI1es+KANBm1NAXCUEw/0Yd3Anv7tYIs
+jnl4PV+Q6whUCdAhOPYnJdJyHlwtWJ80zO8l/X4KlmFJDLT/
+-----END CERTIFICATE-----

config/lets-encrypt/chain.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+-----END CERTIFICATE-----

config/lets-encrypt/fullchain.pem

@@ -0,0 +1,58 @@
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgISBN+7pm+eon8x1kIYxdzPY6mDMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA5MTEwNzU0MzdaFw0x
+OTEyMTAwNzU0MzdaMB8xHTAbBgNVBAMTFG1haWwuaWN0ZG93bndlcmsuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuBlnH/sRyrqwElbTeY23Bjdm
+ZeGgABVN3Z8f7o0q+NzrEIs2qfF5sxzQsTDHQkFQ7BlZL2tlBTvYJzL4f56LP+Ft
+ST0ivabmlfMlqVctGeMhIqQ5t12NKeDj5eXoT1udMvw3/X2J0i7cHJbpHqvCtdy/
+914SyaHwykFybC3vhoz18APUE0jfk1jfsIBzabRpC5C1SD1utMVcpzdc7eIoz6sF
+hI3YeWVvDRfoFkd/D/Qhrom0pHhsAth3FXbgvZkf865xf/Al/PxMJlPZQCYi1KyA
+x2aRR4IFOvCPk8a9EFeIKx9AVTgcu5CNIW0SRSZpQ4u+tTUtxuB7dL7SVbgXbQID
+AQABo4ICaTCCAmUwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQijuIvsk5b0OD5eZY4
+q6nlv+PIjTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEF
+BQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5j
+cnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5j
+cnlwdC5vcmcvMB8GA1UdEQQYMBaCFG1haWwuaWN0ZG93bndlcmsuY29tMEwGA1Ud
+IARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0
+dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDw
+AHYAdH7agzGtMxCRIZzOJU9CcMK//V5CIAjGNzV55hB7zFYAAAFtH4gerAAABAMA
+RzBFAiEAqaCymIN2kRHFIXwYMF3q7aRx3OfcCDQH6VkY4nPeQpECIGvCRqQ1uWPa
+6Ui1HQu1MaVjVN8FHNxMm3+10MJ3rxGtAHYAY/Lbzeg7zCzPC3KEJ1drM6SNYXeP
+vXWmOLHHaFRL2I0AAAFtH4genAAABAMARzBFAiEA36yPCciL4XPzlOBFwF0MKiLg
+bdJTwrDoRQc+BswOrPQCIDJGAGPGm8Ge00dLSpSZRsVT9frBTKvtY0DMXM+BRDjV
+MA0GCSqGSIb3DQEBCwUAA4IBAQCcI3Ofg9p4cqjWuuLax/MgF6qFloGbajP3hvfD
+kG1C8lXAMUhAxMlwk53fzM7RwemKztPMXXOyA8/3gwE0T8XJm4e6ddKQ9KaG4F3a
+Yj5MerpG+toEg+sSP/GJRZIoJjiB+WCQXt+UxxaZ6GmXiziqmJvnNNQPYBXB/AJk
+W7X54IVfoZn/OOuxGMb3I8JmDS0aPJFr6Sa4IPZdtaDQzvL5YitrVxtuhLFPb+GY
+BJZ/TPJJVFvL19nYe09d578Wu+F8hRMTTI1es+KANBm1NAXCUEw/0Yd3Anv7tYIs
+jnl4PV+Q6whUCdAhOPYnJdJyHlwtWJ80zO8l/X4KlmFJDLT/
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+-----END CERTIFICATE-----

config/lets-encrypt/privkey.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC4GWcf+xHKurAS
+VtN5jbcGN2Zl4aAAFU3dnx/ujSr43OsQizap8XmzHNCxMMdCQVDsGVkva2UFO9gn
+Mvh/nos/4W1JPSK9puaV8yWpVy0Z4yEipDm3XY0p4OPl5ehPW50y/Df9fYnSLtwc
+lukeq8K13L/3XhLJofDKQXJsLe+GjPXwA9QTSN+TWN+wgHNptGkLkLVIPW60xVyn
+N1zt4ijPqwWEjdh5ZW8NF+gWR38P9CGuibSkeGwC2HcVduC9mR/zrnF/8CX8/Ewm
+U9lAJiLUrIDHZpFHggU68I+Txr0QV4grH0BVOBy7kI0hbRJFJmlDi761NS3G4Ht0
+vtJVuBdtAgMBAAECggEASp1xIJMf2OzlY+lw+LkpTwmxJOXXdXEtB//wbz0kB41y
+cFgcJbDLRH8PTmGYwQ+7/pUfgoqifQaOSwTrlr3pblCtfJucswUsO+Y6g3Hjw7Q8
+v8+T3O+7wRd3Bryx9UgKZJm5D7KL43Y+nA/GGDpBRnhcDaRBNRu/fhociB/uDrfu
+ZpaTBM3E2glXkbKAn2mwrv1sNog7DvgmzqSzcq/OgiDk6GhYeiU9wFlJJkidQmii
+HpBe22er6XscTEhhnDvcaljwzwBxOoKI7EoCRTjhLSfU6j+rQXX2y2ODBEWg0yx8
+6Lntgl5o4BVaixvZ7pH5mTxLpQ87drq7yXzGzGtwQQKBgQDs+8y0u8a0hj4SxNtd
+Hem6KhPkD7f3Pxuh+ZgphOp/lM0tYLDmoxZp/PhLxQX3N2qmXWS5fy4uBWpreoRJ
+FbZnyN2JlnAW4R+ba8HJR+7cqWIlqC3AFRsNLswRPn5s2k1Pc/PqtXx3kPNhdupj
+miB/pGtI6RhWHuhkkOZuFwtviQKBgQDG3zvoFaLOIAgRfkYrsV8V4iRUlbcCT1TS
+dOrqKx54gHAs0yTQqLSGwOjpQC4V/nQKxi54Ybu+aZ1A6IaNqkL5zIGnDNIJQlas
+E06D3LytVQM1dOCY5qz5xOqCJtxIL0fiMdTckenChL6ldufelVHRiN1Llv/xcoQL
+g+ent6VrxQKBgA9LuUy5CfxA5eTEO/xon9taN+pycUdOFXSA7adQYupVKmERapmY
+USwKHeSWFOp98y5FvOiUIuDpjJLfV4Z4FkvglRv6T8XKRgX8EIfzUqF/dUxE7J8H
+PbW+HYHHbNWNyYulSksN57i37F2QFVTUb+CNNjeAhAea+xjymUzlw+ExAoGAdr1u
+7WGNtXjWmGtGxmu/FDfT7VT+0jg/svDwGiToqpY1Y+4luxgfwZ2I80vIuIUXEB/I
+O0RPbp9srwam4Aratn9uoik7dx/O1Csq4/x2AyARLGe+ekyw1ujGBDPjro3cY6fR
+KmlMo0HS+sSGKRYKpgsL5kggRS9Uu/Nj63XxJOkCgYBaWOYoHpq7cJH2t0iHPjOi
+BlHBEt1dn4v9tOtAYfsU/tH3NLMhae7riq69o5Tsrm5X2SuMF8krTydRPvXsEIX7
+kPPIzHcWjpjWzIBD5v7cU+jjdqXDwtVlbbWBkFXBpzLh3jpQ+tz5y5TJ/0DXGrWo
+jTiQFMRVfzEWCncLODqywA==
+-----END PRIVATE KEY-----

config/manual.sh

@@ -0,0 +1,9 @@
+echo "##----------------##"$'\n'"#   OpenDKIM key   #"$'\n'"##----------------##"$'\n' >> ~/Readme.md
+cat /etc/opendkim/keys/$domonly/default.txt >> ~/Readme.md
+echo "" >> ~/Readme.md
+
+echo "##----------------------##"$'\n'"#   Postfix mail queue   #"$'\n'"##----------------------##"$'\n'  >> ~/Readme.md
+echo "#Show queue"$'\n'"postqueue -p"$'\n'"#Show message"$'\n'"postcat -vq XXXXXXXXXX"$'\n'"#Flushing the queue"$'\n'"postqueue -f"$'\n'"#Removing all queued messages"$'\n'"postsuper -d ALL"$'\n'"#Remove differed messages from the queue (i.e. only the ones the system intends to retry later)"$'\n'"postsuper -d ALL deferred" >> ~/Readme.md
+
+echo "##--------------##"$'\n'"#   SPF Record   #"$'\n'"##--------------##"$'\n' >> ~/Readme.md
+echo "v=spf1 a mx ip4:$wanip ~all"$'\n' >> ~/Readme.md

config/motd/01-custom

@@ -0,0 +1,4 @@
+#!/bin/sh
+printf "\n"
+printf " * System started, please wait for services to enable!\n"
+printf " * This takes 5 minutes\n"

config/nginx/PostfixAdmin-site-unconfigured

@@ -0,0 +1,52 @@
+server {
+    listen 80;
+    listen [::]:80;
+    root /var/www/DOMAINname/html;
+    index index.php index.html index.htm index.nginx-debian.html;
+    server_name DOMAINname;
+            
+    gzip on;
+    gzip_proxied any;
+    gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript image/svg image/svg+xml application/xml image/x-icon;
+    gzip_comp_level 2;
+    gzip_disable "msie6";
+    gzip_buffers 16 8k;
+
+        location / {
+            try_files $uri $uri/ /index.php$is_args$args;
+        }
+
+        location = /favicon.ico { log_not_found off; access_log off; }
+        location = /robots.txt { log_not_found off; access_log off; allow all; }
+        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)$ {
+            expires max;
+            log_not_found off;
+            add_header Cache-Control "public, no-transform";
+        }
+        location ~ \.php$ {
+            include snippets/fastcgi-php.conf;
+            fastcgi_pass unix:/var/run/php/phpPHPver-fpm.sock;
+        }
+        location ~ /\.ht {
+            deny all;
+        }
+        set $no_cache 0;
+        if ($request_method = POST) {
+            set $no_cache 1;
+        }
+        if ($query_string != "") {
+            set $no_cache 1;
+        }
+        if ($http_cookie = "PHPSESSID") {
+            set $no_cache 1;
+        }
+            
+    location ^~ /rainloop/data {
+    deny all;
+    }
+
+    location ^~ /data {
+    deny all;
+    }
+
+}

config/nginx/domainconfig.cf

@@ -2,20 +2,20 @@
 
 server {
     listen       80;
-    server_name   www.$domain;
-    return       301 http://$domain\$request_uri;
+    server_name   www.DOMAINNAME;
+    return       301 http://DOMAINNAME$request_uri;
 }
 
 server {
     listen 80;
     listen [::]:80;
-    root /var/www/$domain/html;
+    root /var/www/DOMAINNAME/html;
     index index.php index.html index.htm index.nginx-debian.html;
-    server_name $domain;
-    #return 301 \$scheme:/\$domain\$request_uri; Redirect to non-www
-    #return 301 https://domein.nl$request_uri; Redirect to other domain
+    server_name DOMAINNAME;
+    #return 301 $scheme:/$domain$request_uri; Redirect to non-www
+    #return 301 https://domein.nl; Redirect to other domain
 
-    #add_header X-Cache "\$upstream_cache_status";
+    #add_header X-Cache "$upstream_cache_status";
 
     #netdata here
         
@@ -28,32 +28,32 @@ server {
 
 #    location /rspamd {
 #    proxy_pass http://127.0.0.1:11334/;
-#    proxy_set_header Host \$host;
-#    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+#    proxy_set_header Host $host;
+#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 #}
 
         location / {
-            #try_files \$uri \$uri/ =404;
-            try_files \$uri \$uri/ /index.php\$is_args\$args;
-            #try_files \$uri \$uri/ \$uri.html \$uri.php\$is_args\$query_string;
+            #try_files $uri $uri/ =404;
+            try_files $uri $uri/ /index.php$is_args$args;
+            #try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
         }
 
         location = /favicon.ico { log_not_found off; access_log off; }
         location = /robots.txt { log_not_found off; access_log off; allow all; }
-        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)\$ {
+        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)$ {
             expires max;
             log_not_found off;
             add_header Cache-Control "public, no-transform";
         }
 
-        location ~ \.php\$ {
+        location ~ \.php$ {
             include snippets/fastcgi-php.conf;
-            fastcgi_pass unix:/var/run/php/php${phpver}-fpm.sock;
+            fastcgi_pass unix:/var/run/php/phpPHPVER-fpm.sock;
             #fastcgi_cache MYAPP;
             #fastcgi_cache_valid 200 302 301 1m;
             #fastcgi_cache_valid 404 1m;
-            #fastcgi_cache_bypass \$no_cache;
-            #fastcgi_no_cache \$no_cache;
+            #fastcgi_cache_bypass $no_cache;
+            #fastcgi_no_cache $no_cache;
             #fastcgi_cache_revalidate on;
             #fastcgi_cache_background_update on;
             #fastcgi_cache_lock on;
@@ -73,25 +73,25 @@ server {
         }
 
         #Cache everything by default
-        set \$no_cache 0;
+        set $no_cache 0;
 
         #Don't cache POST requests
-        if (\$request_method = POST) {
-            set \$no_cache 1;
+        if ($request_method = POST) {
+            set $no_cache 1;
         }
 
         #Don't cache if the URL contains a query string
-        if (\$query_string != "") {
-            set \$no_cache 1;
+        if ($query_string != "") {
+            set $no_cache 1;
         }
 
         #Don't cache the following URLs
-        if (\$request_uri ~* "/(administrator/|login.php)") {
-            set \$no_cache 1;
+        if ($request_uri ~* "/(administrator/|login.php)") {
+            set $no_cache 1;
         }
 
         #Don't cache if there is a cookie called PHPSESSID
-        if (\$http_cookie = "PHPSESSID") {
-            set \$no_cache 1;
+        if ($http_cookie = "PHPSESSID") {
+            set $no_cache 1;
         }
     }

config/nginx/site-enabled

@@ -0,0 +1,206 @@
+#fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=MYAPP:100m max_size=10g inactive=1440m;
+
+server {
+    listen       80;
+    server_name   www.mail.ictdownwerk.com;
+    return       301 http://mail.ictdownwerk.com$request_uri;
+}
+
+server {
+    root /var/www/mail.ictdownwerk.com/html;
+    index index.php index.html index.htm index.nginx-debian.html;
+    server_name mail.ictdownwerk.com;
+    #return 301 $scheme:/$domain$request_uri; Redirect to non-www
+    #return 301 https://domein.nl; Redirect to other domain
+
+    #add_header X-Cache "$upstream_cache_status";
+
+    #netdata here
+        
+    gzip on;
+    gzip_proxied any;
+    gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript image/svg image/svg+xml application/xml image/x-icon;
+    gzip_comp_level 2;
+    gzip_disable "msie6";
+    gzip_buffers 16 8k;
+
+#    location /rspamd {
+#    proxy_pass http://127.0.0.1:11334/;
+#    proxy_set_header Host $host;
+#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#}
+
+        location / {
+            #try_files $uri $uri/ =404;
+            try_files $uri $uri/ /index.php$is_args$args;
+            #try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
+        }
+
+        location = /favicon.ico { log_not_found off; access_log off; }
+        location = /robots.txt { log_not_found off; access_log off; allow all; }
+        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)$ {
+            expires max;
+            log_not_found off;
+            add_header Cache-Control "public, no-transform";
+        }
+
+        location ~ \.php$ {
+            include snippets/fastcgi-php.conf;
+            fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+            #fastcgi_cache MYAPP;
+            #fastcgi_cache_valid 200 302 301 1m;
+            #fastcgi_cache_valid 404 1m;
+            #fastcgi_cache_bypass $no_cache;
+            #fastcgi_no_cache $no_cache;
+            #fastcgi_cache_revalidate on;
+            #fastcgi_cache_background_update on;
+            #fastcgi_cache_lock on;
+            #fastcgi_cache_use_stale updating;
+            #fastcgi_buffer_size 128k;
+            #fastcgi_buffers 256 16k;
+            #fastcgi_busy_buffers_size 256k;
+            #fastcgi_temp_file_write_size 256k;
+        }
+
+        location ~ /\.ht {
+            deny all;
+        }
+
+        location /phpmyadmin {
+            index index.php;
+        }
+
+        #Cache everything by default
+        set $no_cache 0;
+
+        #Don't cache POST requests
+        if ($request_method = POST) {
+            set $no_cache 1;
+        }
+
+        #Don't cache if the URL contains a query string
+        if ($query_string != "") {
+            set $no_cache 1;
+        }
+
+        #Don't cache the following URLs
+        if ($request_uri ~* "/(administrator/|login.php)") {
+            set $no_cache 1;
+        }
+
+        #Don't cache if there is a cookie called PHPSESSID
+        if ($http_cookie = "PHPSESSID") {
+            set $no_cache 1;
+        }
+    
+    listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
+    listen 443 ssl http2; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/mail.ictdownwerk.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/mail.ictdownwerk.com/privkey.pem; # managed by Certbot
+    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
+
+}
+
+
+server {
+    if ($host = mail.ictdownwerk.com) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    listen 80;
+    listen [::]:80;
+    root /var/www/mail.ictdownwerk.com/html;
+    index index.php index.html index.htm index.nginx-debian.html;
+    server_name mail.ictdownwerk.com;
+    #return 301 $scheme:/$domain$request_uri; Redirect to non-www
+    #return 301 https://domein.nl; Redirect to other domain
+
+    #add_header X-Cache "$upstream_cache_status";
+
+    #netdata here
+        
+    gzip on;
+    gzip_proxied any;
+    gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript image/svg image/svg+xml application/xml image/x-icon;
+    gzip_comp_level 2;
+    gzip_disable "msie6";
+    gzip_buffers 16 8k;
+
+#    location /rspamd {
+#    proxy_pass http://127.0.0.1:11334/;
+#    proxy_set_header Host $host;
+#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#}
+
+        location / {
+            #try_files $uri $uri/ =404;
+            try_files $uri $uri/ /index.php$is_args$args;
+            #try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
+        }
+
+        location = /favicon.ico { log_not_found off; access_log off; }
+        location = /robots.txt { log_not_found off; access_log off; allow all; }
+        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)$ {
+            expires max;
+            log_not_found off;
+            add_header Cache-Control "public, no-transform";
+        }
+
+        location ~ \.php$ {
+            include snippets/fastcgi-php.conf;
+            fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+            #fastcgi_cache MYAPP;
+            #fastcgi_cache_valid 200 302 301 1m;
+            #fastcgi_cache_valid 404 1m;
+            #fastcgi_cache_bypass $no_cache;
+            #fastcgi_no_cache $no_cache;
+            #fastcgi_cache_revalidate on;
+            #fastcgi_cache_background_update on;
+            #fastcgi_cache_lock on;
+            #fastcgi_cache_use_stale updating;
+            #fastcgi_buffer_size 128k;
+            #fastcgi_buffers 256 16k;
+            #fastcgi_busy_buffers_size 256k;
+            #fastcgi_temp_file_write_size 256k;
+        }
+
+        location ~ /\.ht {
+            deny all;
+        }
+
+        location /phpmyadmin {
+            index index.php;
+        }
+
+        #Cache everything by default
+        set $no_cache 0;
+
+        #Don't cache POST requests
+        if ($request_method = POST) {
+            set $no_cache 1;
+        }
+
+        #Don't cache if the URL contains a query string
+        if ($query_string != "") {
+            set $no_cache 1;
+        }
+
+        #Don't cache the following URLs
+        if ($request_uri ~* "/(administrator/|login.php)") {
+            set $no_cache 1;
+        }
+
+        #Don't cache if there is a cookie called PHPSESSID
+        if ($http_cookie = "PHPSESSID") {
+            set $no_cache 1;
+        }
+    
+
+
+
+}

config/postfix/clear-queue.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+echo "#Purge mail queue every night" >> /etc/crontab
+echo "0 0 * * * root /opt/clear-queue.sh" >> /etc/crontab
+echo "#!/bin/sh" >> /opt/purge-queue.sh
+echo "postfix -f" >> /opt/purge-queue.sh
+chmod +x /opt/purge-queue.sh
+
+echo "#Clear mail queue weekly" >> /etc/crontab
+echo "@weekly root /opt/clear-queue.sh" >> /etc/crontab
+echo "#!/bin/sh" >> /opt/clear-queue.sh
+echo "postsuper -d ALL" >> /opt/clear-queue.sh
+chmod +x /opt/clear-queue.sh

config/rainloop/application.ini

@@ -275,7 +275,7 @@ allow_prefetch = On
 allow_smart_html_links = On
 cache_system_data = On
 date_from_headers = On
-autocreate_system_folders = On
+autocreate_system_folders = Off
 allow_message_append = Off
 disable_iconv_if_mbstring_supported = Off
 login_fault_delay = 1

config/rainloop/rainloop.sh

@@ -1,36 +1,46 @@
-##
-# Crates system wide avalible rainloop instance 
-# to enable this on a domain create a symlink to the webroot
-#
-# and don't forget disable acces to data folder in nginx 
-##
-apt install php${phpver}-curl php${phpver}-dom unzip gnupg2 curl -y
+#!/bin/bash
 
-##install
+###=============================================================###
+##  Rainloop installer                                           ## 
+###=============================================================###
+#   Creates a system wide available rainloop instance             #
+#   to enable this on a domain create a symlink to the webroot    #
+#   Don't forget disable access to the data folder in nginx       #
+###=============================================================###
+
+##-----------##
+#   Install   #
+##-----------##
 mkdir -p /opt/rainloop
 wget http://www.rainloop.net/repository/webmail/rainloop-community-latest.zip -O /tmp/rlcl.zip
 unzip -q /tmp/rlcl.zip -d /opt/rainloop
-rm  /tmp/rlcl.zip
-
 php /opt/rainloop/index.php  > /dev/null 2>&1
 rm -f /opt/rainloop/data/_data_/_default_/domains/*
 
-#fetching config files
+##-------------------------##
+#   Fetching config files   #
+##-------------------------##
 mkdir -p /opt/rainloop/data/_data_/_default_/domains/
 mkdir -p /opt/rainloop/data/_data_/_default_/configs/
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/rainloop/domains-default.ini -O /opt/rainloop/data/_data_/_default_/domains/default.ini
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/rainloop/application.ini -O /opt/rainloop/data/_data_/_default_/configs/application.ini
 
-#setting Permissions
+##-----------------------##
+#   Setting permissions   #
+##-----------------------##
 chown -R www-data:www-data  /opt/rainloop
 find /opt/rainloop/ -type d -exec chmod 755 {} \;
 find /opt/rainloop/ -type f -exec chmod 644 {} \;
 
-#Storing version signature for auto updates
+##----------------------------------------------##
+#   Storing version signature for auto-updates   #
+##----------------------------------------------##
 signature=$(curl -s "https://www.rainloop.net/repository/webmail/rainloop-community-latest.zip.asc")
 echo "$signature" > /var/log/rainloop-installed.asc
 
-#creating Contact DB
+##-----------------------##
+#   Creating Contact DB   #
+##-----------------------##
 db_name="rainloop_contacts"
 db_user="rainloop_contacts"
 db_pass=$(date +%s|sha256sum|base64|head -c 32)
@@ -41,11 +51,15 @@ mysql -u root -p"$password" -e "FLUSH PRIVILEGES;"
 sed -i 's/MYSQLPASS/'$db_pass'/g' /opt/rainloop/data/_data_/_default_/configs/application.ini
 sed -i 's/MYSQLUSER/'$db_user'/g' /opt/rainloop/data/_data_/_default_/configs/application.ini
 sed -i 's/MYSQLNAME/'$db_name'/g' /opt/rainloop/data/_data_/_default_/configs/application.ini
-    
-#scripts for enableing/disabling admin panel
+
+##----------------------------------##
+#   Enabling/disabling admin panel   #
+##----------------------------------##
 echo "sed -i 's/allow_admin_panel = Off/allow_admin_panel = On/g'  /opt/rainloop/data/_data_/_default_/configs/application.ini" > ~/Enable-RLadmin.sh
 echo "sed -i 's/allow_admin_panel = On/allow_admin_panel = Off/g'  /opt/rainloop/data/_data_/_default_/configs/application.ini" > ~/Disable-RLadmin.sh
 
-#downloading Update tool
+##---------------------------##
+#   Downloading Update tool   #
+##---------------------------##
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/rainloop/update-tools.sh -O /opt/update-rainloop.sh
 chmod +x /opt/update-rainloop.sh

config/sieve/default.sieve

@@ -1,4 +1,5 @@
 require "fileinto";
 if header :contains "X-Spam-Flag" "YES" {
 	fileinto "Spam";
+    stop;
 }

config/spamassassin/local.cf

@@ -0,0 +1,104 @@
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# Only a small subset of options are listed below
+#
+###########################################################################
+
+#   Add *****SPAM***** to the Subject header of spam e-mails
+#
+#rewrite_header Subject *****SPAM*****
+
+
+#   Save spam messages as a message/rfc822 MIME attachment instead of
+#   modifying the original message (0: off, 2: use text/plain instead)
+#
+report_safe 0
+
+
+#   Set which networks or hosts are considered 'trusted' by your mail
+#   server (i.e. not spammers)
+#
+# trusted_networks 212.17.35.
+
+
+#   Set file-locking method (flock is not safe over NFS, but is faster)
+#
+# lock_method flock
+
+
+#   Set the threshold at which a message is considered spam (default: 5.0)
+#
+required_score 5.0
+
+
+#   Use Bayesian classifier (default: 1)
+#
+use_bayes 1
+use_bayes_rules 1
+
+#   Bayesian classifier auto-learning (default: 1)
+#
+bayes_auto_learn 1
+
+#   Set headers which may provide inappropriate cues to the Bayesian
+#   classifier
+#
+# bayes_ignore_header X-Bogosity
+# bayes_ignore_header X-Spam-Flag
+# bayes_ignore_header X-Spam-Status
+
+
+#   Whether to decode non- UTF-8 and non-ASCII textual parts and recode
+#   them to UTF-8 before the text is given over to rules processing.
+#
+# normalize_charset 1
+
+#   Some shortcircuiting, if the plugin is enabled
+# 
+ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
+#
+#   default: strongly-whitelisted mails are *really* whitelisted now, if the
+#   shortcircuiting plugin is active, causing early exit to save CPU load.
+#   Uncomment to turn this on
+#
+# shortcircuit USER_IN_WHITELIST       on
+# shortcircuit USER_IN_DEF_WHITELIST   on
+# shortcircuit USER_IN_ALL_SPAM_TO     on
+# shortcircuit SUBJECT_IN_WHITELIST    on
+
+#   the opposite; blacklisted mails can also save CPU
+#
+# shortcircuit USER_IN_BLACKLIST       on
+# shortcircuit USER_IN_BLACKLIST_TO    on
+# shortcircuit SUBJECT_IN_BLACKLIST    on
+
+#   if you have taken the time to correctly specify your "trusted_networks",
+#   this is another good way to save CPU
+#
+# shortcircuit ALL_TRUSTED             on
+
+#   and a well-trained bayes DB can save running rules, too
+#
+# shortcircuit BAYES_99                spam
+# shortcircuit BAYES_00                ham
+
+skip_rbl_checks 0
+
+#pyzor
+use_pyzor 1
+pyzor_path /usr/bin/pyzor
+pyzor_add_header 1
+
+#razor
+use_razor2 1
+razor_config /etc/razor/razor-agent.conf
+
+#bayes
+use_bayes 1
+use_bayes_rules 1
+bayes_auto_learn 1
+
+endif # Mail::SpamAssassin::Plugin::Shortcircuit

config/spamassassin/spamassassin

@@ -0,0 +1,34 @@
+# /etc/default/spamassassin
+# Duncan Findlay
+
+# WARNING: please read README.spamd before using.
+# There may be security risks.
+
+# If you're using systemd (default for jessie), the ENABLED setting is
+# not used. Instead, enable spamd by issuing:
+# systemctl enable spamassassin.service
+# Change to "1" to enable spamd on systems using sysvinit:
+ENABLED=1
+
+# Options
+# See man spamd for possible options. The -d option is automatically added.
+
+# SpamAssassin uses a preforking model, so be careful! You need to
+# make sure --max-children is not set to anything higher than 5,
+# unless you know what you're doing.
+
+OPTIONS="--create-prefs --max-children 5 --helper-home-dir --username spamd -H /var/log/spamassassin -s /var/log/spamassassin/spamd.log"
+
+# Pid file
+# Where should spamd write its PID to file? If you use the -u or
+# --username option above, this needs to be writable by that user.
+# Otherwise, the init script will not be able to shut spamd down.
+PIDFILE="/var/run/spamd.pid"
+
+# Set nice level of spamd
+#NICE="--nicelevel 15"
+
+# Cronjob
+# Set to anything but 0 to enable the cron job to automatically update
+# spamassassin's rules on a nightly basis
+CRON=1

config/spf/incoming_spf.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+echo "#Check for incoming SPF" >> /etc/postfix/master.cf
+echo "policyd-spf  unix  -       n       n       -       0       spawn" >> /etc/postfix/master.cf
+echo "    user=policyd-spf argv=/usr/bin/policyd-spf" >> /etc/postfix/master.cf
+echo "#Check for incoming SPF" >> /etc/postfix/main.cf
+echo "policyd-spf_time_limit = 3600" >> /etc/postfix/main.cf

config/ufw/config.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+#ufw config
+sed -i 's/IPV6=yes/IPV6=no/g'   /etc/default/ufw
+ufw default deny incoming > $OUTPUT 2>&1
+
+#Web interface
+ufw allow 80/tcp > $OUTPUT 2>&1
+ufw allow 443/tcp > $OUTPUT 2>&1
+
+#IMAP/POP3
+ufw allow 25/tcp > $OUTPUT 2>&1
+ufw allow 110/tcp > $OUTPUT 2>&1
+ufw allow 143/tcp > $OUTPUT 2>&1
+ufw allow 465/tcp > $OUTPUT 2>&1
+ufw allow 587/tcp > $OUTPUT 2>&1
+ufw allow 993/tcp > $OUTPUT 2>&1
+ufw allow 995/tcp > $OUTPUT 2>&1
+
+#DNS
+ufw allow 53/tcp > $OUTPUT 2>&1
+
+#SSH
+ufw limit 4242/tcp > $OUTPUT 2>&1
+
+echo "y" | ufw enable > $OUTPUT 2>&1

installer.sh

@@ -1,247 +1,254 @@
-###===========================================================
-##      Ubuntu 18.04 Mailserver installer
-###===========================================================
+#!/bin/bash
 
+###############################
+# @author: Bram Prieshof      #
+# @author: Branco van de Waal #
+###############################
 
 ##----------##
 #    Menu    #
 ##----------##
-#echo "Menu"
+sed -i -e 's/magenta/blue/g' /etc/newt/palette
+if [ "$1" != "-l" ]; then
+  echo "Normal mode"
+  PKGM="debconf-apt-progress -- apt"
+  OUTPUT='/dev/null'
+  IMODE=n
+fi
 
-#echo "Ubuntu 18.04 Mailserver installatie script."
-#echo "Domein zonder www en mail.:"
-#read domain
-#echo "Algemeen wachtwoord:"
-#read password
-#echo "Administrator email:"
-#read email
+if [ "$1" = "-l" ]; then
+  echo "Legacy mode";
+  PKGM="apt"
+  OUTPUT='/dev/tty'
+  IMODE=l
+fi
+PKGA="add-apt-repository"
+PKGI="${PKGM} install -y"
 
-##-----------------##
-#    Static-Vars    #
-##-----------------##
-echo "Static-Vars"
-domain=ongz.nl
-password=JW9t9ipdgLrWvMqHq7hX
-email=admin@ictdagbesteding.nl
+if [ $IMODE = n ]; then
+if (whiptail --title "Ubuntu 18.04 Mail Server" --yesno "                  Do you want to install a mail server?" 11 78)
+    then
+        echo "" >/dev/null
+    else
+    	whiptail --title "Credits" --msgbox "                   Made by: your local Wizard and God" 11 78
+        clear
+        exit
+fi
+echo "" >/dev/null
+password=$(whiptail --nocancel --passwordbox "Please enter your password (should contain at least 2 digits and 6 characters)" 11 82 --title "Config" 3>&1 1>&2 2>&3)
+domain=$(whiptail --nocancel --inputbox "                     Enter the domain without www or mail." 11 82 --title "Config" 3>&1 1>&2 2>&3)
+email=$(whiptail --nocancel --inputbox "                        Enter the administrator e-mail" 11 82 --title "Config" 3>&1 1>&2 2>&3)
+uploadsize=$(whiptail --nocancel --title "Config" --radiolist "                      Choose the maximum attachment size:" 11 82 4 "10" "MB                                                             " on "25" "MB" off "50" "MB" off "100" "MB" off 3>&1 1>&2 2>&3)
+elif [ $IMODE = l ]; then
+echo "" >/dev/null
+echo "Ubuntu 18.04 Mailserver installation script."
+echo "Domain without www or e-mail:"
+read domain
+echo "Please enter your password (should contain at least 2 digits and 6 characters:"
+read password
+echo "Administrator E-mail:"
+read email
+echo "Enter the maximum attachment size in MB (without MB)"
+read uploadsize
+fi
+
+##---------------##
+#    Functions    #
+##---------------##
+msg () {
+if [ $IMODE = n ]; then
+TERM=ansi whiptail --title "Info" --infobox "$1" 8 52
+fi
+if [ $IMODE = l ]; then
+echo "$1"
+fi
+}
+
+##--------------##
+#    Variables   #
+##--------------##
 phpver=7.3
 domonly=${domain}
 domain=mail.${domain}
-branch=alpha
+branch=beta
 dhparam=1024
+PHPMyadmin=1
+PKGA="add-apt-repository"
+PKGI="${PKGM} install -y"
+db_pass=$(date +%s|sha256sum|base64|head -c 32)
+wanip=`ip -o route get 1.1.1.1 | sed -e 's/^.* src \([^ ]*\) .*$/\1/'`
+debconf-set-selections <<< "postfix postfix/mailname string $(hostname -f)"
+debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
+
 ##----------------##
 #    Pre-Config    #
 ##----------------##
-echo "Pre-Config"
-
-hostnamectl set-hostname $domain
-apt update
-add-apt-repository universe -y
-add-apt-repository ppa:ondrej/php -y
-apt install software-properties-common -y
-apt upgrade -y
-apt autoremove -y
-timedatectl set-timezone Europe/Amsterdam
+msg "                Pre-Configuring"
+sleep 2
+sed -i '/Port 22/c\Port 4242' /etc/ssh/sshd_config
+hostnamectl set-hostname $domain > $OUTPUT 2>&1
+timedatectl set-timezone Europe/Amsterdam > $OUTPUT 2>&1
+hostname --fqdn > /etc/mailname
 mkdir -p /etc/nginx
 mkdir -p /var/www/"$domain"/html
 chmod -R 755 /var/www
+#if free | awk '/^Swap:/ {exit !$2}'; then
+#    echo "swap enabled" >/dev/null
+#else
+#    fallocate -l 3G /swapfile
+#    chmod 600 /swapfile
+#    mkswap /swapfile
+#    swapon /swapfile
+#    echo '/swapfile swap swap defaults 0 0' >> /etc/fstab
+#fi
+#sed -i 's/#/vm.swappiness=40/g' /etc/sysctl.conf
+
+##----------------------##
+#    Pre-Requirements    #
+##----------------------##
+msg "                Buzzy like a bee"
+$PKGM update
+$PKGI software-properties-common sudo
+$PKGA universe -y > $OUTPUT 2>&1
+$PKGA ppa:ondrej/php -y > $OUTPUT 2>&1
+$PKGA ppa:certbot/certbot -y > $OUTPUT 2>&1
+wget -q -t7 -O- https://repo.dovecot.org/DOVECOT-REPO-GPG | sudo apt-key add -
+echo "deb https://repo.dovecot.org/ce-2.3-latest/ubuntu/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/dovecot.list > $OUTPUT 2>&1
+$PKGM update
+$PKGM upgrade -y
+
+##-----------------------------##
+#    Installing Requirements    #
+##-----------------------------##
+$PKGI nginx postfix postfix-mysql php${phpver} php${phpver}-curl php${phpver}-dom php${phpver}-common php${phpver}-imap php${phpver}-zip php${phpver}-fpm php${phpver}-cli php${phpver}-json php${phpver}-mysql php${phpver}-opcache php${phpver}-mbstring php${phpver}-readline libc-client2007e mlock gnupg2 curl dovecot-imapd dovecot-lmtpd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-managesieved spamassassin spamc razor pyzor clamav clamav-daemon clamsmtp libclamunrar7 clamdscan amavisd-new zip lrzip liblz4-tool lhasa arj unzip bzip2 nomarch cpio lzop cabextract arc apt-listchanges libauthen-sasl-perl libdbd-mysql-perl libdbi-perl libmail-dkim-perl ripole p7zip p7zip-full p7zip-rar rpm unrar unrar-free altermime libsnmp-perl libnet-ldap-perl libnet-ph-perl libnet-snpp-perl libnet-telnet-perl unzip unattended-upgrades fail2ban bc python-certbot-nginx postfix-policyd-spf-python opendkim opendkim-tools
+
+##-------------##
+#    Debloat    #
+##-------------##
+$PKGM remove --purge lxcfs lxd lxd-client geoip-database snapd -y
+$PKGM autoremove -y
 
 ##-----------------------##
-#    Html Folder Perms    #
+#    HTML Folder Perms    #
 ##-----------------------##
-echo "Html Folder Perms"
-
+msg "          Configuring HTML permissions"
+sleep 2
 chown -R www-data:www-data /var/www/"$domain"/html
 
 ##-----------##
 #    NGINX    #
 ##-----------##
-echo "NGINX"
-
-#installing nginx from apt
-apt install -y nginx
+#$PKGI nginx
+msg "               Configuring Nginx"
+sleep 2
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Web/raw/branch/master/config/nginx/nginx-default.conf -O /etc/nginx/nginx.conf
-
-
-cat <<EOF > /etc/nginx/sites-available/"$domain"
-#fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=MYAPP:100m max_size=10g inactive=1440m;
-
-server {
-    listen       80;
-    server_name   www.$domain;
-    return       301 http://$domain\$request_uri;
-}
-
-server {
-    listen 80;
-    listen [::]:80;
-    root /var/www/$domain/html;
-    index index.php index.html index.htm index.nginx-debian.html;
-    server_name $domain;
-    #return 301 \$scheme:/\$domain\$request_uri; Redirect to non-www
-    #return 301 https://domein.nl$request_uri; Redirect to other domain
-
-    #add_header X-Cache "\$upstream_cache_status";
-
-    #netdata here
-        
-    gzip on;
-    gzip_proxied any;
-    gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript image/svg image/svg+xml application/xml image/x-icon;
-    gzip_comp_level 2;
-    gzip_disable "msie6";
-    gzip_buffers 16 8k;
-
-#    location /rspamd {
-#    proxy_pass http://127.0.0.1:11334/;
-#    proxy_set_header Host \$host;
-#    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-#}
-
-        location / {
-            #try_files \$uri \$uri/ =404;
-            try_files \$uri \$uri/ /index.php\$is_args\$args;
-            #try_files \$uri \$uri/ \$uri.html \$uri.php\$is_args\$query_string;
-        }
-
-        location = /favicon.ico { log_not_found off; access_log off; }
-        location = /robots.txt { log_not_found off; access_log off; allow all; }
-        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)\$ {
-            expires max;
-            log_not_found off;
-            add_header Cache-Control "public, no-transform";
-        }
-
-        location ~ \.php\$ {
-            include snippets/fastcgi-php.conf;
-            fastcgi_pass unix:/var/run/php/php${phpver}-fpm.sock;
-            #fastcgi_cache MYAPP;
-            #fastcgi_cache_valid 200 302 301 1m;
-            #fastcgi_cache_valid 404 1m;
-            #fastcgi_cache_bypass \$no_cache;
-            #fastcgi_no_cache \$no_cache;
-            #fastcgi_cache_revalidate on;
-            #fastcgi_cache_background_update on;
-            #fastcgi_cache_lock on;
-            #fastcgi_cache_use_stale updating;
-            #fastcgi_buffer_size 128k;
-            #fastcgi_buffers 256 16k;
-            #fastcgi_busy_buffers_size 256k;
-            #fastcgi_temp_file_write_size 256k;
-        }
-
-        location ~ /\.ht {
-            deny all;
-        }
-
-        location /phpmyadmin {
-            index index.php;
-        }
-
-        #Cache everything by default
-        set \$no_cache 0;
-
-        #Don't cache POST requests
-        if (\$request_method = POST) {
-            set \$no_cache 1;
-        }
-
-        #Don't cache if the URL contains a query string
-        if (\$query_string != "") {
-            set \$no_cache 1;
-        }
-
-        #Don't cache the following URLs
-        if (\$request_uri ~* "/(administrator/|login.php)") {
-            set \$no_cache 1;
-        }
-
-        #Don't cache if there is a cookie called PHPSESSID
-        if (\$http_cookie = "PHPSESSID") {
-            set \$no_cache 1;
-        }
-    }
-EOF
-
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/stable/config/nginx/PostfixAdmin-site-unconfigured -O /etc/nginx/sites-available/"$domain"
+sed -i -e 's/DOMAINname/'$domain'/' -e 's/PHPver/'$phpver'/' /etc/nginx/sites-available/"$domain"
 ln -s /etc/nginx/sites-available/"$domain" /etc/nginx/sites-enabled/
 
 ##-------------------------------##
 #    NGINX Single core bug fix    #
 ##-------------------------------##
+msg  "             Applying Nginx bug-fix"
+sleep 2
 mkdir /etc/systemd/system/nginx.service.d
 printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
 systemctl daemon-reload
-systemctl restart nginx
 
 ##-----------------------##
 #    MySQL Installation   #
 ##-----------------------##
-wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/mysql-8.0.sh -O /tmp/mysql-8.0.sh
+msg "                Installing MySQL"
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-MySQL/raw/branch/master/mysql-8.0.sh -O /tmp/mysql-8.0.sh
 source /tmp/mysql-8.0.sh
 
 ##------------------------------##
 #    MySQL_Secure_Installation   #
 ##------------------------------##
-mysqladmin -u root password "$password"
-mysql -u root -p"$password" -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
-mysql -u root -p"$password" -e "DELETE FROM mysql.user WHERE User=''"
-mysql -u root -p"$password" -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'"
-mysql -u root -p"$password" -e "SELECT user,authentication_string,plugin,host FROM mysql.user;"
-mysql -u root -p"$password" -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '"$password"';"
-mysql -u root -p"$password" -e "FLUSH PRIVILEGES;"
+msg "                 Securing MySQL"
+sleep 2
+mysql -u root -p"$password" -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "DELETE FROM mysql.user WHERE User=''" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "SELECT user,authentication_string,plugin,host FROM mysql.user;" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '"$password"';" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "FLUSH PRIVILEGES;" > $OUTPUT 2>&1
 
 ##-----------------------------##
 #    MySQL Database Creation    #
 ##-----------------------------##
-mysql -u root -p"$password" -e "CREATE DATABASE postfixadmin;"
-mysql -u root -p"$password" -e "CREATE USER '"postfixadmin"'@'localhost' IDENTIFIED BY '"$password"';"
-mysql -u root -p"$password" -e "GRANT ALL ON "postfixadmin".* TO "postfixadmin"@'localhost';"
-mysql -u root -p"$password" -e "FLUSH PRIVILEGES;"
+msg "            Creating MySQL Databases"
+sleep 2
+mysql -u root -p"$password" -e "CREATE DATABASE postfixadmin;" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "CREATE USER '"postfixadmin"'@'localhost' IDENTIFIED BY '"$db_pass"';" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "GRANT ALL ON "postfixadmin".* TO "postfixadmin"@'localhost';" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "FLUSH PRIVILEGES;" > $OUTPUT 2>&1
+
+##----------------##
+#    PhpMyAdmin    #
+##----------------##
+ln -s /usr/share/phpmyadmin /var/www/mail.ictdownwerk.com/html/phpmyadmin
 
 ##------------------##
 #    PostfixADMIN    #
 ##------------------##
-echo "PostfixADMIN"
-
-apt install php${phpver} php${phpver}-zip php${phpver}-fpm php${phpver}-cli php${phpver}-json php${phpver}-mysql php${phpver}-opcache php${phpver}-mbstring php${phpver}-readline -y
-apt install libc-client2007e mlock php${phpver}-common php${phpver}-imap -y
+msg "           Configuring PostfixAdmin"
+sleep 2
 mkdir -p /var/www/"$domain"/html/postfixadmin/templates_c
-wget -q -t7 https://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-3.1/postfixadmin-3.1.tar.gz -O /tmp/postfixadmin.tar.gz
+wget -q -t7 https://git.ictmaatwerk.com/downloads/pfa/postfixadmin-3.1-dark.tar.gz -O /tmp/postfixadmin.tar.gz
 tar -xf /tmp/postfixadmin.tar.gz -C /var/www/"$domain"/html/postfixadmin --strip-components=1
 chmod 755 -R /var/www/"$domain"/html/postfixadmin/templates_c
 chown -R www-data: /var/www/"$domain"/html/
-wget https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfixadmin/config.local.php -O /var/www/$domain/html/postfixadmin/config.local.php
-sed -i -e 's/PASSword/'$password'/' -e 's/dOmaINnamE/'$domonly'/' /var/www/"$domain"/html/postfixadmin/config.local.php
-sudo -u www-data php /var/www/"$domain"/html/postfixadmin/upgrade.php
-bash /var/www/"$domain"/html/postfixadmin/scripts/postfixadmin-cli admin add superadmin@"$domonly" --superadmin 1 --active 1 --password "$password" --password2 "$password"
-groupadd -g 5000 vmail
-useradd -u 5000 -g vmail -s /usr/sbin/nologin -d /var/mail/vmail -m vmail
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfixadmin/config.local.php -O /var/www/$domain/html/postfixadmin/config.local.php
+sed -i -e 's/PASSword/'$db_pass'/' -e 's/dOmaINnamE/'$domonly'/' /var/www/"$domain"/html/postfixadmin/config.local.php
+sed -i 's/Welcome to your new account./Welkom bij je nieuwe mailbox!/g' /var/www/"$domain"/html/postfixadmin/config.inc.php       
+sudo -u www-data php /var/www/"$domain"/html/postfixadmin/upgrade.php > $OUTPUT 2>&1
+bash /var/www/"$domain"/html/postfixadmin/scripts/postfixadmin-cli admin add superadmin@"$domonly" --superadmin 1 --active 1 --password "$password" --password2 "$password" > $OUTPUT 2>&1
+groupadd -g 5000 vmail > $OUTPUT 2>&1
+useradd -u 5000 -g vmail -s /usr/sbin/nologin -d /var/mail/vmail -m vmail > $OUTPUT 2>&1
 
-##-------------##
-#    Certbot    #
-##-------------##
-add-apt-repository ppa:certbot/certbot -y
-apt install -y python-certbot-nginx
-mkdir -p /etc/letsencrypt/live/$domain/
+##--------------------##
+#    Certbot (Auto)    #
+##--------------------##
+msg "              Configuring Certbot"
+sleep 2
 certbot --nginx -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
 echo "certbot --nginx -n -d $domain -m $email --hsts --redirect --no-eff-email --agree-tos" > ~/certbotactivate.sh
-bash ~/certbotactivate.sh
 sed -i 's/ssl ipv6only/ssl http2 ipv6only/g' /etc/nginx/sites-available/"$domain"
 sed -i 's/listen 443 ssl/listen 443 ssl http2/g' /etc/nginx/sites-available/"$domain"
 sed -i 's#include /etc/letsencrypt/options-ssl-nginx.conf;#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;#g' /etc/nginx/sites-available/"$domain"
-openssl dhparam -out /etc/ssl/certs/dhparam.pem "$dhparam"
+openssl dhparam -out /etc/ssl/certs/dhparam.pem "$dhparam" > $OUTPUT 2>&1
 chmod 755 -R /etc/ssl/certs/dhparam.pem
-systemctl restart nginx
 
-##-----------------------##
-#    Postfix Installer    #
-##-----------------------##
-debconf-set-selections <<< "postfix postfix/mailname string $(hostname -f)"
-debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
-apt install postfix postfix-mysql -y
+##----------------------##
+#    Certbot (Manual)    #
+##----------------------##
+#msg "         Configuring Certbot (manual)"
+#sleep 2
+#mkdir -p /etc/letsencrypt/live/$domain/
+#sed -i 's/ssl ipv6only/ssl http2 ipv6only/g' /etc/nginx/sites-available/"$domain"
+#sed -i 's/listen 443 ssl/listen 443 ssl http2/g' /etc/nginx/sites-available/"$domain"
+#sed -i 's#include /etc/letsencrypt/options-ssl-nginx.conf;#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;#g' /etc/nginx/sites-available/"$domain"
+#wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/cert.pem -O /etc/letsencrypt/live/$domain/cert.pem
+#wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/chain.pem -O /etc/letsencrypt/live/$domain/chain.pem
+#wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/fullchain.pem -O /etc/letsencrypt/live/$domain/fullchain.pem
+#wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/privkey.pem -O /etc/letsencrypt/live/$domain/privkey.pem
+#wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/nginx/site-enabled -O /etc/nginx/sites-available/mail.ictdownwerk.com
+#openssl dhparam -out /etc/ssl/certs/dhparam.pem "$dhparam" > $OUTPUT 2>&1
+#openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem "$dhparam" > $OUTPUT 2>&1
+#chmod 755 -R /etc/letsencrypt/ssl-dhparams.pem
+#chmod 755 -R /etc/ssl/certs/dhparam.pem
+#chmod 755 -R /etc/letsencrypt/live/$domain/cert.pem
+#chmod 755 -R /etc/letsencrypt/live/$domain/chain.pem
+#chmod 755 -R /etc/letsencrypt/live/$domain/fullchain.pem
+#chmod 755 -R /etc/letsencrypt/live/$domain/privkey.pem
+#chmod 644 -R /etc/nginx/sites-available/mail.ictdownwerk.com
 
 ##---------------------------##
 #    Postfix Configuration    #
 ##---------------------------##
+msg "              Configuring Postfix"
+sleep 2
 mkdir -p /etc/postfix/sql
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfix/mysql_virtual_alias_domain_catchall_maps.cf -O /etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfix/mysql_virtual_alias_domain_mailbox_maps.cf -O /etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
@@ -249,12 +256,7 @@ wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$bra
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfix/mysql_virtual_alias_maps.cf -O /etc/postfix/sql/mysql_virtual_alias_maps.cf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfix/mysql_virtual_domains_maps.cf -O /etc/postfix/sql/mysql_virtual_domains_maps.cf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfix/mysql_virtual_mailbox_maps.cf -O /etc/postfix/sql/mysql_virtual_mailbox_maps.cf
-sed -i 's/PASSword/'$password'/g' /etc/postfix/sql/mysql_virtual_domains_maps.cf
-sed -i 's/PASSword/'$password'/g' /etc/postfix/sql/mysql_virtual_alias_maps.cf
-sed -i 's/PASSword/'$password'/g' /etc/postfix/sql/mysql_virtual_alias_domain_maps.cf
-sed -i 's/PASSword/'$password'/g' /etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
-sed -i 's/PASSword/'$password'/g' /etc/postfix/sql/mysql_virtual_mailbox_maps.cf
-sed -i 's/PASSword/'$password'/g' /etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
+sed -i 's/PASSword/'$db_pass'/g' /etc/postfix/sql/mysql_virtual_domains_maps.cf /etc/postfix/sql/mysql_virtual_alias_maps.cf /etc/postfix/sql/mysql_virtual_alias_domain_maps.cf /etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf /etc/postfix/sql/mysql_virtual_mailbox_maps.cf /etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
 echo "#MySQL Database" >> /etc/postfix/main.cf
 postconf -e "virtual_mailbox_domains = mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf"
 postconf -e "virtual_alias_maps = mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf"
@@ -276,21 +278,15 @@ postconf -e "smtpd_sasl_local_domain ="
 postconf -e "smtpd_sasl_security_options = noanonymous"
 postconf -e "broken_sasl_auth_clients = yes"
 postconf -e "smtpd_sasl_auth_enable = yes"
-postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination"
+postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service unix:private/policyd-spf"
 sed -i 's/mynetworks = /#mynetworks = /g' /etc/postfix/main.cf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/$branch/config/postfix/master.cf -O /etc/postfix/master.cf
 
-##-----------------------##
-#    Dovecot Installer    #
-##-----------------------##
-wget -O- https://repo.dovecot.org/DOVECOT-REPO-GPG | sudo apt-key add -
-echo "deb https://repo.dovecot.org/ce-2.3-latest/ubuntu/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/dovecot.list
-apt update
-apt install dovecot-imapd dovecot-lmtpd dovecot-pop3d dovecot-mysql -y
-
 ##---------------------------##
 #    Dovecot Configuration    #
 ##---------------------------##
+msg "              Configuring Dovecot"
+sleep 2
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/15-mailboxes.conf -O /etc/dovecot/conf.d/15-mailboxes.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/10-mail.conf -O /etc/dovecot/conf.d/10-mail.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/10-auth.conf -O /etc/dovecot/conf.d/10-auth.conf
@@ -301,46 +297,234 @@ wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$bra
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/dovecot-dict-sql.conf.ext -O /etc/dovecot/dovecot-dict-sql.conf.ext
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/dovecot-sql.conf.ext -O /etc/dovecot/dovecot-sql.conf.ext
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/quota-warning.sh -O /usr/local/bin/quota-warning.sh
-sed -i 's/PASSword/'$password'/g' /etc/dovecot/dovecot-sql.conf.ext
-sed -i 's/PASSword/'$password'/g' /etc/dovecot/dovecot-dict-sql.conf.ext
+sed -i 's/PASSword/'$db_pass'/g' /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/dovecot-dict-sql.conf.ext
 sed -i -e 's/DOMAINname/'$domain'/' -e 's/#ssl_cert  = /ssl_cert  = /' -e 's/#ssl_key  = /ssl_key  = /' -e 's/#ssl_dh  = /ssl_dh  = /' /etc/dovecot/conf.d/10-ssl.conf
 chmod +x /usr/local/bin/quota-warning.sh
 
 ##--------------------------------------##
 #    Dovecot move Spam to Spam Folder    #
 ##--------------------------------------##
-apt install dovecot-sieve dovecot-managesieved -y
+msg "            Configuring Spam Folder"
+sleep 2
 mkdir -p /etc/dovecot/sieve/
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/$branch/config/dovecot/15-lda.conf -O /etc/dovecot/conf.d/15-lda.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/90-sieve.conf -O /etc/dovecot/conf.d/90-sieve.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/sieve/default.sieve -O /etc/dovecot/sieve/default.sieve
-sievec /etc/dovecot/sieve/default.sieve
-chown vmail:vmail /etc/dovecot/sieve/ -R
+chown -R vmail:vmail /etc/dovecot/sieve/
+chgrp dovecot /etc/dovecot/conf.d/90-sieve.conf
+sievec /etc/dovecot/sieve/default.sieve > $OUTPUT 2>&1
+chgrp dovecot /etc/dovecot/sieve/default.svbin > $OUTPUT 2>&1
+
+##------------------##
+#    Spamassassin    #
+##------------------##
+msg "            Configuring Spamassassin"
+sleep 2
+sed -i -e 's/# report_safe 1/report_safe 0/' -e 's/# required_score 5.0/required_score 5.0/' -e 's/endif # Mail::SpamAssassin::Plugin::Shortcircuit//' /etc/spamassassin/local.cf
+echo "" >> /etc/spamassassin/local.cf
+echo "skip_rbl_checks 0" >> /etc/spamassassin/local.cf
+echo "" >> /etc/spamassassin/local.cf
+echo "#pyzor" >> /etc/spamassassin/local.cf
+echo "use_pyzor 1" >> /etc/spamassassin/local.cf
+echo "pyzor_path /usr/bin/pyzor" >> /etc/spamassassin/local.cf
+echo "pyzor_add_header 1" >> /etc/spamassassin/local.cf
+echo "" >> /etc/spamassassin/local.cf
+echo "#razor" >> /etc/spamassassin/local.cf
+echo "use_razor2 1" >> /etc/spamassassin/local.cf
+echo "razor_config /etc/razor/razor-agent.conf" >> /etc/spamassassin/local.cf
+echo "" >> /etc/spamassassin/local.cf
+echo "#bayes" >> /etc/spamassassin/local.cf
+echo "use_bayes 1" >> /etc/spamassassin/local.cf
+echo "use_bayes_rules 1" >> /etc/spamassassin/local.cf
+echo "bayes_auto_learn 1" >> /etc/spamassassin/local.cf
+echo "" >> /etc/spamassassin/local.cf
+echo "endif # Mail::SpamAssassin::Plugin::Shortcircuit" >> /etc/spamassassin/local.cf
+
+##------------##
+#    ClamAV    #
+##------------##
+msg "               Configuring ClamAV"
+sleep 2
+mkdir -p /var/log/clamav
+mkdir -p /var/lib/clamav
+chown -R clamav:clamav /var/log/clamav
+chown -R clamav:clamav /var/lib/clamav
+chmod 775 -R /var/lib/clamav/* /var/lib/clamav
+
+##------------##
+#    Amavis    #
+##------------##
+msg "               Configuring Amavis"
+sleep 2
+sed -i -e 's/@bypass/'@bypass'/' -e 's/   /    /' /etc/amavis/conf.d/15-content_filter_mode
+adduser clamav amavis > $OUTPUT 2>&1
+sed -i 's/clamd.conf/'clamd.conf'/g' /etc/clamav/freshclam.conf
+echo "#Pipe incoming mail trough Amavis" >> /etc/postfix/main.cf
+postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
+postconf -e 'receive_override_options = no_address_mappings'
+echo "" >> /etc/postfix/master.cf
+echo "#Pipe incoming mail trough Amavis" >> /etc/postfix/master.cf
+echo "amavis unix - - - - 2 smtp" >> /etc/postfix/master.cf
+echo "  -o smtp_data_done_timeout=1200" >> /etc/postfix/master.cf
+echo "  -o smtp_send_xforward_command=yes" >> /etc/postfix/master.cf
+echo "127.0.0.1:10025 inet n - - - - smtpd" >> /etc/postfix/master.cf
+echo "  -o content_filter=" >> /etc/postfix/master.cf
+echo "  -o local_recipient_maps=" >> /etc/postfix/master.cf
+echo "  -o relay_recipient_maps=" >> /etc/postfix/master.cf
+echo "  -o smtpd_restriction_classes=" >> /etc/postfix/master.cf
+echo "  -o smtpd_client_restrictions=" >> /etc/postfix/master.cf
+echo "  -o smtpd_helo_restrictions=" >> /etc/postfix/master.cf
+echo "  -o smtpd_sender_restrictions=" >> /etc/postfix/master.cf
+echo "  -o smtpd_recipient_restrictions=permit_mynetworks,reject" >> /etc/postfix/master.cf
+echo "  -o mynetworks=127.0.0.0/8" >> /etc/postfix/master.cf
+echo "  -o strict_rfc821_envelopes=yes" >> /etc/postfix/master.cf
+echo "  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks" >> /etc/postfix/master.cf
+echo "  -o smtpd_bind_address=127.0.0.1" >> /etc/postfix/master.cf
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/15-content_filter_mode -O /etc/amavis/conf.d/15-content_filter_mode
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/20-debian_defaults -O /etc/amavis/conf.d/20-debian_defaults
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/21-ubuntu_defaults -O /etc/amavis/conf.d/21-ubuntu_defaults
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/50-user -O /etc/amavis/conf.d/50-user
+sed -i 's/PASSword/'$db_pass'/g' /etc/amavis/conf.d/50-user
+
+##------------------##
+#    Incoming SPF    #
+##------------------##
+msg "         Configuring incoming SPF"
+sleep 2
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/spf/incoming_spf.sh -O /tmp/incoming_spf.sh
+source /tmp/incoming_spf.sh > $OUTPUT 2>&1
 
 ##--------------##
 #    Rainloop    #
 ##--------------##
-apt install unzip -y
-wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/rainloop.sh -O /tmp/rainloop.sh
-source /tmp/rainloop.sh
+msg "             Configuring Rainloop"
+sleep 2
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/rainloop/rainloop.sh -O /tmp/rainloop.sh
+source /tmp/rainloop.sh > $OUTPUT 2>&1
 ln -s /opt/rainloop /var/www/"$domain"/html/
 
+##--------------##
+#    OpenDKIM    #
+##--------------##
+msg "             Configuring OpenDKIM"
+sleep 2
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dkim/opendkim.sh -O /tmp/opendkim.sh
+source /tmp/opendkim.sh > $OUTPUT 2>&1
+
+##-------------------------##
+#    Max attachment size    #
+##-------------------------##
+msg "     Configuring attachment sizes"
+sleep 2
+sed -i 's/body_size 8/body_size '$uploadsize'/g' /etc/nginx/nginx.conf 
+sed -i 's/attachment_size_limit = 25/attachment_size_limit = '$uploadsize'/g' /var/www/$domain/html/rainloop/data/_data_/_default_/configs/application.ini
+sed -i 's/max_filesize = 2/max_filesize = '$uploadsize'/g' /etc/php/$phpver/fpm/php.ini /etc/php/$phpver/cli/php.ini
+sed -i 's/post_max_size = 8/post_max_size = '$uploadsize'/g' /etc/php/$phpver/fpm/php.ini /etc/php/$phpver/cli/php.ini
+
 ##--------------##
 #    Fail2Ban    #
 ##--------------##
-apt install fail2ban -y
+msg "             Configuring Fail2Ban"
+sleep 2
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/fail2ban/dovecot-pop3imap.conf -O /etc/fail2ban/filter.d/dovecot-pop3imap.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/fail2ban/postfix-sasl.conf -O /etc/fail2ban/filter.d/postfix-sasl.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/fail2ban/rainloop.conf -O /etc/fail2ban/filter.d/rainloop.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/fail2ban/jail.local -O /etc/fail2ban/jail.local
 sed -i 's/root@localhost/'$email'/g' /etc/fail2ban/jail.conf
-systemctl restart fail2ban
+systemctl restart fail2ban > $OUTPUT 2>&1
 
-##-----------------------##
-#    Enabling Services    #
-##-----------------------##
-systemctl enable postfix.service postfix@-.service dovecot.service fail2ban.service
+##---------------------------------##
+#    Unattended Security Updates    #
+##---------------------------------##
+msg "    Configuring Unattended Security Updates"
+sleep 2
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Unattended-Security-Updates/raw/branch/master/installer.sh -O /tmp/unattended.sh
+source /tmp/unattended.sh
 
-##-----------------------##
-#    Starting Services    #
-##-----------------------##
-systemctl restart postfix.service postfix@-.service dovecot.service fail2ban.service
+##--------------------------------------##
+#    Clearing / purging the mail queue   #
+##--------------------------------------##
+msg "             Configuring Mail-queue"
+sleep 2
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfix/clear-queue.sh -O /tmp/clear-queue.sh
+source /tmp/clear-queue.sh
+
+##----------##
+#    MOTD    #
+##----------##
+msg "             Configuring MOTD"
+sleep 2
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/motd/01-custom -O /etc/update-motd.d/01-custom
+chmod +x /etc/update-motd.d/01-custom
+chmod -x /etc/update-motd.d/80-livepatch
+chmod -x /etc/update-motd.d/10-help-text
+
+##---------##
+#    UFW    #
+##---------##
+msg "               Configuring UFW"
+sleep 2
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/ufw/config.sh -O /tmp/ufw-config.sh
+source /tmp/ufw-config.sh
+
+##---------------------##
+#    System services    #
+##---------------------##
+msg "          Setting up system services"
+sleep 2
+systemctl enable nginx mysql postfix postfix@- dovecot fail2ban clamav-daemon clamav-freshclam clamsmtp spamassassin > $OUTPUT 2>&1
+systemctl disable amavis amavisd-snmp-subagent amavis-mc postfix dovecot> $OUTPUT 2>&1
+systemctl stop amavis amavisd-snmp-subagent amavis-mc postfix dovecot > $OUTPUT 2>&1
+systemctl restart sshd nginx mysql postfix@- fail2ban clamav-daemon clamav-freshclam clamsmtp spamassassin opendkim php7.3-fpm > $OUTPUT 2>&1
+
+##---------------------------------##
+#    Updating ClamAV definitions    #
+##---------------------------------##
+{
+    for ((i = 0 ; i <= 100 ; i+=1)); do sleep 3.0
+        echo $i
+    done
+} | whiptail --gauge "      Please wait while ClamAV is updating definitions..." 6 52 0
+
+##-------------------------##
+#    Configuring Services   #
+##-------------------------##
+systemctl start amavis amavisd-snmp-subagent amavis-mc postfix dovecot > $OUTPUT 2>&1
+echo "@reboot root sleep 300 && systemctl start amavis amavisd-snmp-subagent amavis-mc postfix dovecot" >> /etc/crontab
+
+##------------------##
+#    Final Update    #
+##------------------##
+msg "                  Final Update"
+sleep 2
+$PKGM update
+$PKGM upgrade -y
+$PKGM autoremove -y
+
+##------------##
+#    Readme    #
+##------------##
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/beta/config/manual.sh -O /tmp/manual.sh
+source /tmp/manual.sh
+
+##----------------------##
+#    End of installer    #
+##----------------------##
+msg "                Done installing!"
+sleep 3
+
+if [ $IMODE = n ]; then
+whiptail --title "Info" --msgbox "Point your browser to https://$domain/postfixadmin to get started \n\nYour login is:    superadmin@$domonly\nYour password is: $password" 10 108
+whiptail --title "Credits" --msgbox "                   Made by: your local Wizard and God" 8 78
+clear
+fi
+if [ $IMODE = l ]; then
+clear
+echo "Point your browser to https://$domain/postfixadmin to get started"
+echo ""
+echo "Your login is: superadmin@$domonly"
+echo "Your password is: $password"
+echo ""
+read -p "Press enter to continue"
+clear
+fi

mysql-8.0.sh

@@ -1,58 +0,0 @@
-##------------##
-#     MySQL    #
-##------------##
-
-export DEBIAN_FRONTEND=noninteractive
-
-apt install gnupg -y
-
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/repo-codename select bionic'
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/repo-distro select ubuntu'
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/repo-url string http://repo.mysql.com/apt/'
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/select-preview select '
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/select-product select Ok'
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/select-server select mysql-8.0'
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/select-tools select '
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/unsupported-platform select abort'
-debconf-set-selections <<< "mysql-community-server mysql-community-server/root-pass password $password"
-debconf-set-selections <<< "mysql-community-server mysql-community-server/re-root-pass password $password"
-debconf-set-selections <<< "mysql-community-server mysql-server/default-auth-override select Use Legacy Authentication Method (Retain MySQL 5.x Compatibility)"
-
-wget https://dev.mysql.com/get/mysql-apt-config_0.8.13-1_all.deb -O /tmp/mysql-apt-conf.deb
-dpkg -i /tmp/mysql-apt-conf.deb
-apt-get update
-apt-get install -y mysql-server
-
-rm /etc/mysql/mysql.conf.d/mysqld.cnf
-cat > /etc/mysql/mysql.conf.d/mysqld.cnf <<- "EOF"
-[mysqld]
-user            = mysql
-pid-file        = /var/run/mysqld/mysqld.pid
-socket          = /var/run/mysqld/mysqld.sock
-port            = 3306
-basedir         = /usr
-datadir         = /var/lib/mysql
-tmpdir          = /tmp
-lc-messages-dir = /usr/share/mysql
-skip-external-locking
-
-innodb_buffer_pool_size = 1G # (adjust value here, 50%-70% of total RAM)
-innodb_log_file_size = 256M
-innodb_flush_log_at_trx_commit = 1 # may change to 2 or 0
-innodb_flush_method = O_DIRECT
-bind-address            = 127.0.0.1
-key_buffer_size         = 16M
-max_allowed_packet      = 16M
-thread_stack            = 192K
-thread_cache_size       = 8
-myisam-recover-options  = BACKUP
-#max_connections = 100
-#table_open_cache = 64
-#innodb-thread-concurrency     = 10
-log_error = /var/log/mysql/error.log
-expire_logs_days        = 10
-max_binlog_size   = 100M
-EOF
-
-systemctl restart mysql
-systemctl enable mysql