Update 'installer.sh'

CHANGELOG.md

@@ -2,6 +2,6 @@
 Dev = done.  
 PostixAdmin, Postfix, Dovecot and Sieve working!  
 
-## 31-08-2019  
+## 31-08-2019 / 01-09-2019:
 Started Alpha Branch.  
-PHP7.3 working!  
+PHP7.3 and MySQL 8 working!  

README.md

@@ -1,8 +1,19 @@
-# Ubuntu-Mail
-**Get Started**:  
-wget https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/alpha/installer.sh  
-bash installer.sh 2>&1 | tee output.log  
-  
-### Sources
+# Ubuntu-Mail  
 
-https://linuxize.com/post/set-up-an-email-server-with-postfixadmin
+**Get Started**:  
+```
+wget https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/omega/installer.sh  
+bash installer.sh 2>&1 | tee output.log  
+```  
+
+#### This script uses the following repo's as dependencies:
+```
+* VPS-scripts/Unattended-Security-Updates 
+* VPS-scripts/Ubuntu-MySQL
+```  
+
+
+#### Sources:  
+```  
+https://linuxize.com/post/set-up-an-email-server-with-postfixadmin
+```  

config/amavis/15-content_filter_mode

@@ -0,0 +1,27 @@
+use strict;
+
+# You can modify this file to re-enable SPAM checking through spamassassin
+# and to re-enable antivirus checking.
+
+#
+# Default antivirus checking mode
+# Please note, that anti-virus checking is DISABLED by 
+# default.
+# If You wish to enable it, please uncomment the following lines:
+
+
+@bypass_virus_checks_maps = (
+   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+
+
+#
+# Default SPAM checking mode
+# Please note, that anti-spam checking is DISABLED by 
+# default.
+# If You wish to enable it, please uncomment the following lines:
+
+
+@bypass_spam_checks_maps = (
+   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+
+1;  # ensure a defined return

config/amavis/20-debian_defaults

@@ -0,0 +1,223 @@
+use strict;
+
+# ADMINISTRATORS:
+# Debian suggests that any changes you need to do that should never
+# be "updated" by the Debian package should be made in another file,
+# overriding the settings in this file.
+#
+# The package will *not* overwrite your settings, but by keeping
+# them separate, you will make the task of merging changes on these
+# configuration files much simpler...
+
+#   see /usr/share/doc/amavisd-new/examples/amavisd.conf-default for
+#       a list of all variables with their defaults;
+#   see /usr/share/doc/amavisd-new/examples/amavisd.conf-sample for
+#       a traditional-style commented file  
+#   [note: the above files were not converted to Debian settings!]
+#
+#   for more details see documentation in /usr/share/doc/amavisd-new
+#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
+
+$QUARANTINEDIR = "$MYHOME/virusmails";
+$quarantine_subdir_levels = 1; # enable quarantine dir hashing
+
+$log_recip_templ = undef;    # disable by-recipient level-0 log entries
+$DO_SYSLOG = 1;              # log via syslogd (preferred)
+$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
+$syslog_facility = 'mail';
+$syslog_priority = 'debug';  # switch to info to drop debug output, etc
+
+$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
+$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
+
+$inet_socket_port = 10024;   # default listening socket
+
+#$sa_spam_subject_tag = '***SPAM*** ';
+#$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
+#$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
+#$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
+#$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
+
+
+$sa_tag_level_deflt = -999;  # add spam info headers if at, or above that level
+$sa_tag2_level_deflt = 1.0;  # add 'spam detected' headers at that level
+$sa_kill_level_deflt = 21.0; # triggers spam evasive actions
+$sa_dsn_cutoff_level = 4;    # spam level beyond which a DSN is not sent
+
+
+
+
+
+
+$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
+$sa_local_tests_only = 0;    # only tests which do not require internet access?
+
+# Quota limits to avoid bombs (like 42.zip)
+
+$MAXLEVELS = 14;
+$MAXFILES = 1500;
+$MIN_EXPANSION_QUOTA =      100*1024;  # bytes
+$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes
+
+# You should:
+#   Use D_DISCARD to discard data (viruses)
+#   Use D_BOUNCE to generate local bounces by amavisd-new
+#   Use D_REJECT to generate local or remote bounces by the calling MTA
+#   Use D_PASS to deliver the message
+#
+# Whatever you do, *NEVER* use D_REJECT if you have other MTAs *forwarding*
+# mail to your account.  Use D_BOUNCE instead, otherwise you are delegating
+# the bounce work to your friendly forwarders, which might not like it at all.
+#
+# On dual-MTA setups, one can often D_REJECT, as this just makes your own
+# MTA generate the bounce message.  Test it first.
+#
+# Bouncing viruses is stupid, always discard them after you are sure the AV
+# is working correctly.  Bouncing real SPAM is also useless, if you cannot
+# D_REJECT it (and don't D_REJECT mail coming from your forwarders!).
+
+$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
+$final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
+$final_spam_destiny       = D_PASS;
+$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
+
+$enable_dkim_verification = 0; #disabled to prevent warning
+
+$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
+
+# Set to empty ("") to add no header
+$X_HEADER_LINE = "Debian $myproduct_name at $mydomain";
+
+# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
+
+#
+# DO NOT SEND VIRUS NOTIFICATIONS TO OUTSIDE OF YOUR DOMAIN. EVER.
+#
+# These days, almost all viruses fake the envelope sender and mail headers.
+# Therefore, "virus notifications" became nothing but undesired, aggravating
+# SPAM.  This holds true even inside one's domain.  We disable them all by
+# default, except for the EICAR test pattern.
+#
+
+@viruses_that_fake_sender_maps = (new_RE(
+  [qr'\bEICAR\b'i => 0],            # av test pattern name
+  [qr/.*/ => 1],  # true for everything else
+));
+
+@keep_decoded_original_maps = (new_RE(
+# qr'^MAIL$',   # retain full original message for virus checking (can be slow)
+  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
+  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
+# qr'^Zip archive data',     # don't trust Archive::Zip
+));
+
+
+# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
+
+$banned_filename_re = new_RE(
+# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
+
+  # block certain double extensions anywhere in the base name
+  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
+
+  qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict
+
+  qr'^application/x-msdownload$'i,                  # block these MIME types
+  qr'^application/x-msdos-program$'i,
+  qr'^application/hta$'i,
+
+# qr'^application/x-msmetafile$'i,	# Windows Metafile MIME type
+# qr'^\.wmf$',				# Windows Metafile file(1) type
+
+# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types
+
+# [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
+# [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
+# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives
+# [ qr'^application/x-zip-compressed$'i => 0],  # allow any within such archives
+
+  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
+# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
+#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
+#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
+#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long
+
+# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
+
+  qr'^\.(exe-ms)$',                       # banned file(1) types
+# qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
+);
+# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
+# and http://www.cknow.com/vtutor/vtextensions.htm
+
+
+# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
+
+@score_sender_maps = ({ # a by-recipient hash lookup table,
+                        # results from all matching recipient tables are summed
+
+# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
+# 'user1@example.com'  => [{'bla-mobile.press@example.com' => 10.0}],
+# 'user3@example.com'  => [{'.ebay.com'                 => -3.0}],
+# 'user4@example.com'  => [{'cleargreen@cleargreen.com' => -7.0,
+#                           '.cleargreen.com'           => -5.0}],
+
+  ## site-wide opinions about senders (the '.' matches any recipient)
+  '.' => [  # the _first_ matching sender determines the score boost
+
+   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
+    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
+    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
+    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
+    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
+    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
+    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
+    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
+   ),
+
+#  read_hash("/var/amavis/sender_scores_sitewide"),
+
+# This are some examples for whitelists, since envelope senders can be forged
+# they are not enabled by default. 
+   { # a hash-type lookup table (associative array)
+     #'nobody@cert.org'                        => -3.0,
+     #'cert-advisory@us-cert.gov'              => -3.0,
+     #'owner-alert@iss.net'                    => -3.0,
+     #'slashdot@slashdot.org'                  => -3.0,
+     #'securityfocus.com'                      => -3.0,
+     #'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
+     #'security-alerts@linuxsecurity.com'      => -3.0,
+     #'mailman-announce-admin@python.org'      => -3.0,
+     #'amavis-user-admin@lists.sourceforge.net'=> -3.0,
+     #'amavis-user-bounces@lists.sourceforge.net' => -3.0,
+     #'spamassassin.apache.org'                => -3.0,
+     #'notification-return@lists.sophos.com'   => -3.0,
+     #'owner-postfix-users@postfix.org'        => -3.0,
+     #'owner-postfix-announce@postfix.org'     => -3.0,
+     #'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
+     #'sendmail-announce-request@lists.sendmail.org' => -3.0,
+     #'donotreply@sendmail.org'                => -3.0,
+     #'ca+envelope@sendmail.org'               => -3.0,
+     #'noreply@freshmeat.net'                  => -3.0,
+     #'owner-technews@postel.acm.org'          => -3.0,
+     #'ietf-123-owner@loki.ietf.org'           => -3.0,
+     #'cvs-commits-list-admin@gnome.org'       => -3.0,
+     #'rt-users-admin@lists.fsck.com'          => -3.0,
+     #'clp-request@comp.nus.edu.sg'            => -3.0,
+     #'surveys-errors@lists.nua.ie'            => -3.0,
+     #'emailnews@genomeweb.com'                => -5.0,
+     #'yahoo-dev-null@yahoo-inc.com'           => -3.0,
+     #'returns.groups.yahoo.com'               => -3.0,
+     #'clusternews@linuxnetworx.com'           => -3.0,
+     #lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
+     #lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
+
+     # soft-blacklisting (positive score)
+     #'sender@example.net'                     =>  3.0,
+     #'.example.net'                           =>  1.0,
+
+   },
+  ],  # end of site-wide tables
+});
+
+1;  # ensure a defined return

config/amavis/21-ubuntu_defaults

@@ -0,0 +1,27 @@
+use strict;
+
+#
+# These are Ubuntu specific defaults for amavisd-new configuration
+#
+# DOMAIN KEYS IDENTIFIED MAIL (DKIM)
+$enable_dkim_verification = 1;
+# Don't be verbose about sending mail:
+@whitelist_sender_acl = qw( .$mydomain );
+$final_virus_destiny      = D_DISCARD; # (defaults to D_BOUNCE)
+$final_banned_destiny     = D_DISCARD;  # (defaults to D_BOUNCE)
+$final_spam_destiny       = D_DISCARD;  # (defaults to D_REJECT)
+$final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested
+
+$sa_tag_level_deflt = -999;  # add spam info headers if at, or above that level
+$sa_tag2_level_deflt = 1.0;  # add 'spam detected' headers at that level
+$sa_kill_level_deflt = 21.0; # triggers spam evasive actions
+$sa_dsn_cutoff_level = 4;    # spam level beyond which a DSN is not sent
+
+
+
+
+$virus_admin = undef;
+$spam_admin = undef;
+
+#------------ Do not modify anything below this line -------------
+1;  # insure a defined return

config/amavis/50-user

@@ -0,0 +1,48 @@
+use strict;
+#
+# Place your configuration directives here.  They will override those in
+# earlier files.
+#
+# See /usr/share/doc/amavisd-new/ for documentation and examples of
+# the directives you can use in this file
+#
+
+# We need to provide list of domains for which filtering need to be done
+#@lookup_sql_dsn = (
+#    ['DBI:mysql:database=postfixadmin;host=127.0.0.1;port=3306',
+#     'postfixadmin',
+#     'JW9t9ipdgLrWvMqHq7hX']);
+
+# Disable show header recieve from amavisd localhost 127.0.0.1
+$allowed_added_header_fields{lc('Received')} = 0;
+
+@inet_acl = qw( 127.0.0.1 [::1] 23.21.136.138/32 );
+@local_domains_acl = ( "." );
+# Change instance amavisd process
+$max_servers = 5;
+
+# Disable quarantine
+$clean_quarantine_to = undef; # local quarantine
+$virus_quarantine_to = undef; # traditional local quarantine
+$banned_quarantine_to = undef; # local quarantine
+$bad_header_quarantine_to = undef; # local quarantine
+$spam_quarantine_to = undef; # local quarantine
+
+# Don's Discard infected mail
+$final_virus_destiny = D_REJECT;
+$final_banned_destiny = D_REJECT;
+$final_spam_destiny = D_PASS;
+
+# Add Warning to Subject
+$sa_tag_level_deflt = -9999; # always add spam info headers
+$subject_tag_maps_by_ccat{+CC_VIRUS} = [ '***WARNING-VIRUS DETECTED*** ' ];
+$subject_tag_maps_by_ccat{+CC_BANNED} = [ '***WARNING-DANGEROUS DETECTED*** ' ];
+
+# Filter spam mail to Junk folder
+$recipient_delimiter = '+';
+@addr_extension_spam_maps = ('Spam');
+@addr_extension_virus_maps = ('Spam');
+@addr_extension_banned_maps = ('Spam');
+
+#------------ Do not modify anything below this line -------------
+1;  # ensure a defined return

config/lets-encrypt/README

@@ -0,0 +1,14 @@
+This directory contains your keys and certificates.
+
+`privkey.pem`  : the private key for your certificate.
+`fullchain.pem`: the certificate file used in most server software.
+`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
+`cert.pem`     : will break many server configurations, and should not be used
+                 without reading further documentation (see link below).
+
+WARNING: DO NOT MOVE OR RENAME THESE FILES!
+         Certbot expects these files to remain in this location in order
+         to function properly!
+
+We recommend not moving these files. For more information, see the Certbot
+User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

config/lets-encrypt/cert.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgISBN+7pm+eon8x1kIYxdzPY6mDMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA5MTEwNzU0MzdaFw0x
+OTEyMTAwNzU0MzdaMB8xHTAbBgNVBAMTFG1haWwuaWN0ZG93bndlcmsuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuBlnH/sRyrqwElbTeY23Bjdm
+ZeGgABVN3Z8f7o0q+NzrEIs2qfF5sxzQsTDHQkFQ7BlZL2tlBTvYJzL4f56LP+Ft
+ST0ivabmlfMlqVctGeMhIqQ5t12NKeDj5eXoT1udMvw3/X2J0i7cHJbpHqvCtdy/
+914SyaHwykFybC3vhoz18APUE0jfk1jfsIBzabRpC5C1SD1utMVcpzdc7eIoz6sF
+hI3YeWVvDRfoFkd/D/Qhrom0pHhsAth3FXbgvZkf865xf/Al/PxMJlPZQCYi1KyA
+x2aRR4IFOvCPk8a9EFeIKx9AVTgcu5CNIW0SRSZpQ4u+tTUtxuB7dL7SVbgXbQID
+AQABo4ICaTCCAmUwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQijuIvsk5b0OD5eZY4
+q6nlv+PIjTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEF
+BQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5j
+cnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5j
+cnlwdC5vcmcvMB8GA1UdEQQYMBaCFG1haWwuaWN0ZG93bndlcmsuY29tMEwGA1Ud
+IARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0
+dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDw
+AHYAdH7agzGtMxCRIZzOJU9CcMK//V5CIAjGNzV55hB7zFYAAAFtH4gerAAABAMA
+RzBFAiEAqaCymIN2kRHFIXwYMF3q7aRx3OfcCDQH6VkY4nPeQpECIGvCRqQ1uWPa
+6Ui1HQu1MaVjVN8FHNxMm3+10MJ3rxGtAHYAY/Lbzeg7zCzPC3KEJ1drM6SNYXeP
+vXWmOLHHaFRL2I0AAAFtH4genAAABAMARzBFAiEA36yPCciL4XPzlOBFwF0MKiLg
+bdJTwrDoRQc+BswOrPQCIDJGAGPGm8Ge00dLSpSZRsVT9frBTKvtY0DMXM+BRDjV
+MA0GCSqGSIb3DQEBCwUAA4IBAQCcI3Ofg9p4cqjWuuLax/MgF6qFloGbajP3hvfD
+kG1C8lXAMUhAxMlwk53fzM7RwemKztPMXXOyA8/3gwE0T8XJm4e6ddKQ9KaG4F3a
+Yj5MerpG+toEg+sSP/GJRZIoJjiB+WCQXt+UxxaZ6GmXiziqmJvnNNQPYBXB/AJk
+W7X54IVfoZn/OOuxGMb3I8JmDS0aPJFr6Sa4IPZdtaDQzvL5YitrVxtuhLFPb+GY
+BJZ/TPJJVFvL19nYe09d578Wu+F8hRMTTI1es+KANBm1NAXCUEw/0Yd3Anv7tYIs
+jnl4PV+Q6whUCdAhOPYnJdJyHlwtWJ80zO8l/X4KlmFJDLT/
+-----END CERTIFICATE-----

config/lets-encrypt/chain.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+-----END CERTIFICATE-----

config/lets-encrypt/fullchain.pem

@@ -0,0 +1,58 @@
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgISBN+7pm+eon8x1kIYxdzPY6mDMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA5MTEwNzU0MzdaFw0x
+OTEyMTAwNzU0MzdaMB8xHTAbBgNVBAMTFG1haWwuaWN0ZG93bndlcmsuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuBlnH/sRyrqwElbTeY23Bjdm
+ZeGgABVN3Z8f7o0q+NzrEIs2qfF5sxzQsTDHQkFQ7BlZL2tlBTvYJzL4f56LP+Ft
+ST0ivabmlfMlqVctGeMhIqQ5t12NKeDj5eXoT1udMvw3/X2J0i7cHJbpHqvCtdy/
+914SyaHwykFybC3vhoz18APUE0jfk1jfsIBzabRpC5C1SD1utMVcpzdc7eIoz6sF
+hI3YeWVvDRfoFkd/D/Qhrom0pHhsAth3FXbgvZkf865xf/Al/PxMJlPZQCYi1KyA
+x2aRR4IFOvCPk8a9EFeIKx9AVTgcu5CNIW0SRSZpQ4u+tTUtxuB7dL7SVbgXbQID
+AQABo4ICaTCCAmUwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQijuIvsk5b0OD5eZY4
+q6nlv+PIjTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEF
+BQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5j
+cnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5j
+cnlwdC5vcmcvMB8GA1UdEQQYMBaCFG1haWwuaWN0ZG93bndlcmsuY29tMEwGA1Ud
+IARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0
+dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDw
+AHYAdH7agzGtMxCRIZzOJU9CcMK//V5CIAjGNzV55hB7zFYAAAFtH4gerAAABAMA
+RzBFAiEAqaCymIN2kRHFIXwYMF3q7aRx3OfcCDQH6VkY4nPeQpECIGvCRqQ1uWPa
+6Ui1HQu1MaVjVN8FHNxMm3+10MJ3rxGtAHYAY/Lbzeg7zCzPC3KEJ1drM6SNYXeP
+vXWmOLHHaFRL2I0AAAFtH4genAAABAMARzBFAiEA36yPCciL4XPzlOBFwF0MKiLg
+bdJTwrDoRQc+BswOrPQCIDJGAGPGm8Ge00dLSpSZRsVT9frBTKvtY0DMXM+BRDjV
+MA0GCSqGSIb3DQEBCwUAA4IBAQCcI3Ofg9p4cqjWuuLax/MgF6qFloGbajP3hvfD
+kG1C8lXAMUhAxMlwk53fzM7RwemKztPMXXOyA8/3gwE0T8XJm4e6ddKQ9KaG4F3a
+Yj5MerpG+toEg+sSP/GJRZIoJjiB+WCQXt+UxxaZ6GmXiziqmJvnNNQPYBXB/AJk
+W7X54IVfoZn/OOuxGMb3I8JmDS0aPJFr6Sa4IPZdtaDQzvL5YitrVxtuhLFPb+GY
+BJZ/TPJJVFvL19nYe09d578Wu+F8hRMTTI1es+KANBm1NAXCUEw/0Yd3Anv7tYIs
+jnl4PV+Q6whUCdAhOPYnJdJyHlwtWJ80zO8l/X4KlmFJDLT/
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+-----END CERTIFICATE-----

config/lets-encrypt/privkey.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC4GWcf+xHKurAS
+VtN5jbcGN2Zl4aAAFU3dnx/ujSr43OsQizap8XmzHNCxMMdCQVDsGVkva2UFO9gn
+Mvh/nos/4W1JPSK9puaV8yWpVy0Z4yEipDm3XY0p4OPl5ehPW50y/Df9fYnSLtwc
+lukeq8K13L/3XhLJofDKQXJsLe+GjPXwA9QTSN+TWN+wgHNptGkLkLVIPW60xVyn
+N1zt4ijPqwWEjdh5ZW8NF+gWR38P9CGuibSkeGwC2HcVduC9mR/zrnF/8CX8/Ewm
+U9lAJiLUrIDHZpFHggU68I+Txr0QV4grH0BVOBy7kI0hbRJFJmlDi761NS3G4Ht0
+vtJVuBdtAgMBAAECggEASp1xIJMf2OzlY+lw+LkpTwmxJOXXdXEtB//wbz0kB41y
+cFgcJbDLRH8PTmGYwQ+7/pUfgoqifQaOSwTrlr3pblCtfJucswUsO+Y6g3Hjw7Q8
+v8+T3O+7wRd3Bryx9UgKZJm5D7KL43Y+nA/GGDpBRnhcDaRBNRu/fhociB/uDrfu
+ZpaTBM3E2glXkbKAn2mwrv1sNog7DvgmzqSzcq/OgiDk6GhYeiU9wFlJJkidQmii
+HpBe22er6XscTEhhnDvcaljwzwBxOoKI7EoCRTjhLSfU6j+rQXX2y2ODBEWg0yx8
+6Lntgl5o4BVaixvZ7pH5mTxLpQ87drq7yXzGzGtwQQKBgQDs+8y0u8a0hj4SxNtd
+Hem6KhPkD7f3Pxuh+ZgphOp/lM0tYLDmoxZp/PhLxQX3N2qmXWS5fy4uBWpreoRJ
+FbZnyN2JlnAW4R+ba8HJR+7cqWIlqC3AFRsNLswRPn5s2k1Pc/PqtXx3kPNhdupj
+miB/pGtI6RhWHuhkkOZuFwtviQKBgQDG3zvoFaLOIAgRfkYrsV8V4iRUlbcCT1TS
+dOrqKx54gHAs0yTQqLSGwOjpQC4V/nQKxi54Ybu+aZ1A6IaNqkL5zIGnDNIJQlas
+E06D3LytVQM1dOCY5qz5xOqCJtxIL0fiMdTckenChL6ldufelVHRiN1Llv/xcoQL
+g+ent6VrxQKBgA9LuUy5CfxA5eTEO/xon9taN+pycUdOFXSA7adQYupVKmERapmY
+USwKHeSWFOp98y5FvOiUIuDpjJLfV4Z4FkvglRv6T8XKRgX8EIfzUqF/dUxE7J8H
+PbW+HYHHbNWNyYulSksN57i37F2QFVTUb+CNNjeAhAea+xjymUzlw+ExAoGAdr1u
+7WGNtXjWmGtGxmu/FDfT7VT+0jg/svDwGiToqpY1Y+4luxgfwZ2I80vIuIUXEB/I
+O0RPbp9srwam4Aratn9uoik7dx/O1Csq4/x2AyARLGe+ekyw1ujGBDPjro3cY6fR
+KmlMo0HS+sSGKRYKpgsL5kggRS9Uu/Nj63XxJOkCgYBaWOYoHpq7cJH2t0iHPjOi
+BlHBEt1dn4v9tOtAYfsU/tH3NLMhae7riq69o5Tsrm5X2SuMF8krTydRPvXsEIX7
+kPPIzHcWjpjWzIBD5v7cU+jjdqXDwtVlbbWBkFXBpzLh3jpQ+tz5y5TJ/0DXGrWo
+jTiQFMRVfzEWCncLODqywA==
+-----END PRIVATE KEY-----

config/nginx/domainconfig.cf

@@ -2,20 +2,20 @@
 
 server {
     listen       80;
-    server_name   www.$domain;
-    return       301 http://$domain\$request_uri;
+    server_name   www.DOMAINNAME;
+    return       301 http://DOMAINNAME$request_uri;
 }
 
 server {
     listen 80;
     listen [::]:80;
-    root /var/www/$domain/html;
+    root /var/www/DOMAINNAME/html;
     index index.php index.html index.htm index.nginx-debian.html;
-    server_name $domain;
-    #return 301 \$scheme:/\$domain\$request_uri; Redirect to non-www
-    #return 301 https://domein.nl$request_uri; Redirect to other domain
+    server_name DOMAINNAME;
+    #return 301 $scheme:/$domain$request_uri; Redirect to non-www
+    #return 301 https://domein.nl; Redirect to other domain
 
-    #add_header X-Cache "\$upstream_cache_status";
+    #add_header X-Cache "$upstream_cache_status";
 
     #netdata here
         
@@ -28,32 +28,32 @@ server {
 
 #    location /rspamd {
 #    proxy_pass http://127.0.0.1:11334/;
-#    proxy_set_header Host \$host;
-#    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+#    proxy_set_header Host $host;
+#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 #}
 
         location / {
-            #try_files \$uri \$uri/ =404;
-            try_files \$uri \$uri/ /index.php\$is_args\$args;
-            #try_files \$uri \$uri/ \$uri.html \$uri.php\$is_args\$query_string;
+            #try_files $uri $uri/ =404;
+            try_files $uri $uri/ /index.php$is_args$args;
+            #try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
         }
 
         location = /favicon.ico { log_not_found off; access_log off; }
         location = /robots.txt { log_not_found off; access_log off; allow all; }
-        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)\$ {
+        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)$ {
             expires max;
             log_not_found off;
             add_header Cache-Control "public, no-transform";
         }
 
-        location ~ \.php\$ {
+        location ~ \.php$ {
             include snippets/fastcgi-php.conf;
-            fastcgi_pass unix:/var/run/php/php${phpver}-fpm.sock;
+            fastcgi_pass unix:/var/run/php/phpPHPVER-fpm.sock;
             #fastcgi_cache MYAPP;
             #fastcgi_cache_valid 200 302 301 1m;
             #fastcgi_cache_valid 404 1m;
-            #fastcgi_cache_bypass \$no_cache;
-            #fastcgi_no_cache \$no_cache;
+            #fastcgi_cache_bypass $no_cache;
+            #fastcgi_no_cache $no_cache;
             #fastcgi_cache_revalidate on;
             #fastcgi_cache_background_update on;
             #fastcgi_cache_lock on;
@@ -73,25 +73,25 @@ server {
         }
 
         #Cache everything by default
-        set \$no_cache 0;
+        set $no_cache 0;
 
         #Don't cache POST requests
-        if (\$request_method = POST) {
-            set \$no_cache 1;
+        if ($request_method = POST) {
+            set $no_cache 1;
         }
 
         #Don't cache if the URL contains a query string
-        if (\$query_string != "") {
-            set \$no_cache 1;
+        if ($query_string != "") {
+            set $no_cache 1;
         }
 
         #Don't cache the following URLs
-        if (\$request_uri ~* "/(administrator/|login.php)") {
-            set \$no_cache 1;
+        if ($request_uri ~* "/(administrator/|login.php)") {
+            set $no_cache 1;
         }
 
         #Don't cache if there is a cookie called PHPSESSID
-        if (\$http_cookie = "PHPSESSID") {
-            set \$no_cache 1;
+        if ($http_cookie = "PHPSESSID") {
+            set $no_cache 1;
         }
     }

config/nginx/site-enabled

@@ -0,0 +1,206 @@
+#fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=MYAPP:100m max_size=10g inactive=1440m;
+
+server {
+    listen       80;
+    server_name   www.mail.ictdownwerk.com;
+    return       301 http://mail.ictdownwerk.com$request_uri;
+}
+
+server {
+    root /var/www/mail.ictdownwerk.com/html;
+    index index.php index.html index.htm index.nginx-debian.html;
+    server_name mail.ictdownwerk.com;
+    #return 301 $scheme:/$domain$request_uri; Redirect to non-www
+    #return 301 https://domein.nl; Redirect to other domain
+
+    #add_header X-Cache "$upstream_cache_status";
+
+    #netdata here
+        
+    gzip on;
+    gzip_proxied any;
+    gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript image/svg image/svg+xml application/xml image/x-icon;
+    gzip_comp_level 2;
+    gzip_disable "msie6";
+    gzip_buffers 16 8k;
+
+#    location /rspamd {
+#    proxy_pass http://127.0.0.1:11334/;
+#    proxy_set_header Host $host;
+#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#}
+
+        location / {
+            #try_files $uri $uri/ =404;
+            try_files $uri $uri/ /index.php$is_args$args;
+            #try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
+        }
+
+        location = /favicon.ico { log_not_found off; access_log off; }
+        location = /robots.txt { log_not_found off; access_log off; allow all; }
+        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)$ {
+            expires max;
+            log_not_found off;
+            add_header Cache-Control "public, no-transform";
+        }
+
+        location ~ \.php$ {
+            include snippets/fastcgi-php.conf;
+            fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+            #fastcgi_cache MYAPP;
+            #fastcgi_cache_valid 200 302 301 1m;
+            #fastcgi_cache_valid 404 1m;
+            #fastcgi_cache_bypass $no_cache;
+            #fastcgi_no_cache $no_cache;
+            #fastcgi_cache_revalidate on;
+            #fastcgi_cache_background_update on;
+            #fastcgi_cache_lock on;
+            #fastcgi_cache_use_stale updating;
+            #fastcgi_buffer_size 128k;
+            #fastcgi_buffers 256 16k;
+            #fastcgi_busy_buffers_size 256k;
+            #fastcgi_temp_file_write_size 256k;
+        }
+
+        location ~ /\.ht {
+            deny all;
+        }
+
+        location /phpmyadmin {
+            index index.php;
+        }
+
+        #Cache everything by default
+        set $no_cache 0;
+
+        #Don't cache POST requests
+        if ($request_method = POST) {
+            set $no_cache 1;
+        }
+
+        #Don't cache if the URL contains a query string
+        if ($query_string != "") {
+            set $no_cache 1;
+        }
+
+        #Don't cache the following URLs
+        if ($request_uri ~* "/(administrator/|login.php)") {
+            set $no_cache 1;
+        }
+
+        #Don't cache if there is a cookie called PHPSESSID
+        if ($http_cookie = "PHPSESSID") {
+            set $no_cache 1;
+        }
+    
+    listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
+    listen 443 ssl http2; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/mail.ictdownwerk.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/mail.ictdownwerk.com/privkey.pem; # managed by Certbot
+    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
+
+}
+
+
+server {
+    if ($host = mail.ictdownwerk.com) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    listen 80;
+    listen [::]:80;
+    root /var/www/mail.ictdownwerk.com/html;
+    index index.php index.html index.htm index.nginx-debian.html;
+    server_name mail.ictdownwerk.com;
+    #return 301 $scheme:/$domain$request_uri; Redirect to non-www
+    #return 301 https://domein.nl; Redirect to other domain
+
+    #add_header X-Cache "$upstream_cache_status";
+
+    #netdata here
+        
+    gzip on;
+    gzip_proxied any;
+    gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript image/svg image/svg+xml application/xml image/x-icon;
+    gzip_comp_level 2;
+    gzip_disable "msie6";
+    gzip_buffers 16 8k;
+
+#    location /rspamd {
+#    proxy_pass http://127.0.0.1:11334/;
+#    proxy_set_header Host $host;
+#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#}
+
+        location / {
+            #try_files $uri $uri/ =404;
+            try_files $uri $uri/ /index.php$is_args$args;
+            #try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
+        }
+
+        location = /favicon.ico { log_not_found off; access_log off; }
+        location = /robots.txt { log_not_found off; access_log off; allow all; }
+        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)$ {
+            expires max;
+            log_not_found off;
+            add_header Cache-Control "public, no-transform";
+        }
+
+        location ~ \.php$ {
+            include snippets/fastcgi-php.conf;
+            fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+            #fastcgi_cache MYAPP;
+            #fastcgi_cache_valid 200 302 301 1m;
+            #fastcgi_cache_valid 404 1m;
+            #fastcgi_cache_bypass $no_cache;
+            #fastcgi_no_cache $no_cache;
+            #fastcgi_cache_revalidate on;
+            #fastcgi_cache_background_update on;
+            #fastcgi_cache_lock on;
+            #fastcgi_cache_use_stale updating;
+            #fastcgi_buffer_size 128k;
+            #fastcgi_buffers 256 16k;
+            #fastcgi_busy_buffers_size 256k;
+            #fastcgi_temp_file_write_size 256k;
+        }
+
+        location ~ /\.ht {
+            deny all;
+        }
+
+        location /phpmyadmin {
+            index index.php;
+        }
+
+        #Cache everything by default
+        set $no_cache 0;
+
+        #Don't cache POST requests
+        if ($request_method = POST) {
+            set $no_cache 1;
+        }
+
+        #Don't cache if the URL contains a query string
+        if ($query_string != "") {
+            set $no_cache 1;
+        }
+
+        #Don't cache the following URLs
+        if ($request_uri ~* "/(administrator/|login.php)") {
+            set $no_cache 1;
+        }
+
+        #Don't cache if there is a cookie called PHPSESSID
+        if ($http_cookie = "PHPSESSID") {
+            set $no_cache 1;
+        }
+    
+
+
+
+}

config/sieve/default.sieve

@@ -1,4 +1,5 @@
 require "fileinto";
 if header :contains "X-Spam-Flag" "YES" {
 	fileinto "Spam";
+    stop;
 }

config/spamassassin/local.cf

@@ -0,0 +1,104 @@
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# Only a small subset of options are listed below
+#
+###########################################################################
+
+#   Add *****SPAM***** to the Subject header of spam e-mails
+#
+#rewrite_header Subject *****SPAM*****
+
+
+#   Save spam messages as a message/rfc822 MIME attachment instead of
+#   modifying the original message (0: off, 2: use text/plain instead)
+#
+report_safe 0
+
+
+#   Set which networks or hosts are considered 'trusted' by your mail
+#   server (i.e. not spammers)
+#
+# trusted_networks 212.17.35.
+
+
+#   Set file-locking method (flock is not safe over NFS, but is faster)
+#
+# lock_method flock
+
+
+#   Set the threshold at which a message is considered spam (default: 5.0)
+#
+required_score 5.0
+
+
+#   Use Bayesian classifier (default: 1)
+#
+use_bayes 1
+use_bayes_rules 1
+
+#   Bayesian classifier auto-learning (default: 1)
+#
+bayes_auto_learn 1
+
+#   Set headers which may provide inappropriate cues to the Bayesian
+#   classifier
+#
+# bayes_ignore_header X-Bogosity
+# bayes_ignore_header X-Spam-Flag
+# bayes_ignore_header X-Spam-Status
+
+
+#   Whether to decode non- UTF-8 and non-ASCII textual parts and recode
+#   them to UTF-8 before the text is given over to rules processing.
+#
+# normalize_charset 1
+
+#   Some shortcircuiting, if the plugin is enabled
+# 
+ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
+#
+#   default: strongly-whitelisted mails are *really* whitelisted now, if the
+#   shortcircuiting plugin is active, causing early exit to save CPU load.
+#   Uncomment to turn this on
+#
+# shortcircuit USER_IN_WHITELIST       on
+# shortcircuit USER_IN_DEF_WHITELIST   on
+# shortcircuit USER_IN_ALL_SPAM_TO     on
+# shortcircuit SUBJECT_IN_WHITELIST    on
+
+#   the opposite; blacklisted mails can also save CPU
+#
+# shortcircuit USER_IN_BLACKLIST       on
+# shortcircuit USER_IN_BLACKLIST_TO    on
+# shortcircuit SUBJECT_IN_BLACKLIST    on
+
+#   if you have taken the time to correctly specify your "trusted_networks",
+#   this is another good way to save CPU
+#
+# shortcircuit ALL_TRUSTED             on
+
+#   and a well-trained bayes DB can save running rules, too
+#
+# shortcircuit BAYES_99                spam
+# shortcircuit BAYES_00                ham
+
+skip_rbl_checks 0
+
+#pyzor
+use_pyzor 1
+pyzor_path /usr/bin/pyzor
+pyzor_add_header 1
+
+#razor
+use_razor2 1
+razor_config /etc/razor/razor-agent.conf
+
+#bayes
+use_bayes 1
+use_bayes_rules 1
+bayes_auto_learn 1
+
+endif # Mail::SpamAssassin::Plugin::Shortcircuit

config/spamassassin/spamassassin

@@ -0,0 +1,34 @@
+# /etc/default/spamassassin
+# Duncan Findlay
+
+# WARNING: please read README.spamd before using.
+# There may be security risks.
+
+# If you're using systemd (default for jessie), the ENABLED setting is
+# not used. Instead, enable spamd by issuing:
+# systemctl enable spamassassin.service
+# Change to "1" to enable spamd on systems using sysvinit:
+ENABLED=1
+
+# Options
+# See man spamd for possible options. The -d option is automatically added.
+
+# SpamAssassin uses a preforking model, so be careful! You need to
+# make sure --max-children is not set to anything higher than 5,
+# unless you know what you're doing.
+
+OPTIONS="--create-prefs --max-children 5 --helper-home-dir --username spamd -H /var/log/spamassassin -s /var/log/spamassassin/spamd.log"
+
+# Pid file
+# Where should spamd write its PID to file? If you use the -u or
+# --username option above, this needs to be writable by that user.
+# Otherwise, the init script will not be able to shut spamd down.
+PIDFILE="/var/run/spamd.pid"
+
+# Set nice level of spamd
+#NICE="--nicelevel 15"
+
+# Cronjob
+# Set to anything but 0 to enable the cron job to automatically update
+# spamassassin's rules on a nightly basis
+CRON=1

installer.sh

@@ -1,7 +1,6 @@
-###===========================================================
-##      Ubuntu 18.04 Mailserver installer
-###===========================================================
-
+###==========================================###
+##      Ubuntu 18.04 Mailserver installer     ## 
+###==========================================###
 
 ##----------##
 #    Menu    #
@@ -20,19 +19,18 @@
 #    Static-Vars    #
 ##-----------------##
 echo "Static-Vars"
-domain=ict-dagbesteding.nl
+domain=ictdownwerk.com
 password=JW9t9ipdgLrWvMqHq7hX
 email=admin@ictdagbesteding.nl
 phpver=7.3
 domonly=${domain}
 domain=mail.${domain}
-branch=alpha
+branch=omega
 dhparam=1024
+
 ##----------------##
 #    Pre-Config    #
 ##----------------##
-echo "Pre-Config"
-
 hostnamectl set-hostname $domain
 apt update
 add-apt-repository universe -y
@@ -45,23 +43,22 @@ mkdir -p /etc/nginx
 mkdir -p /var/www/"$domain"/html
 chmod -R 755 /var/www
 
+##-------------##
+#    Debloat    #
+##-------------##
+apt autoremove --purge lxcfs lxd lxd-client geoip-database snapd -y
+
 ##-----------------------##
 #    Html Folder Perms    #
 ##-----------------------##
-echo "Html Folder Perms"
-
 chown -R www-data:www-data /var/www/"$domain"/html
 
 ##-----------##
 #    NGINX    #
 ##-----------##
-echo "NGINX"
-
-#installing nginx from apt
 apt install -y nginx
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Web/raw/branch/master/config/nginx/nginx-default.conf -O /etc/nginx/nginx.conf
 
-
 cat <<EOF > /etc/nginx/sites-available/"$domain"
 #fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=MYAPP:100m max_size=10g inactive=1440m;
 
@@ -181,7 +178,6 @@ source /tmp/mysql-8.0.sh
 ##------------------------------##
 #    MySQL_Secure_Installation   #
 ##------------------------------##
-mysqladmin -u root password "$password"
 mysql -u root -p"$password" -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
 mysql -u root -p"$password" -e "DELETE FROM mysql.user WHERE User=''"
 mysql -u root -p"$password" -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'"
@@ -200,12 +196,10 @@ mysql -u root -p"$password" -e "FLUSH PRIVILEGES;"
 ##------------------##
 #    PostfixADMIN    #
 ##------------------##
-echo "PostfixADMIN"
-
 apt install php${phpver} php${phpver}-zip php${phpver}-fpm php${phpver}-cli php${phpver}-json php${phpver}-mysql php${phpver}-opcache php${phpver}-mbstring php${phpver}-readline -y
 apt install libc-client2007e mlock php${phpver}-common php${phpver}-imap -y
 mkdir -p /var/www/"$domain"/html/postfixadmin/templates_c
-wget -q -t7 https://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-3.1/postfixadmin-3.1.tar.gz -O /tmp/postfixadmin.tar.gz
+wget -q -t7 https://git.ictmaatwerk.com/downloads/pfa/postfixadmin-3.1.tar.gz -O /tmp/postfixadmin.tar.gz
 tar -xf /tmp/postfixadmin.tar.gz -C /var/www/"$domain"/html/postfixadmin --strip-components=1
 chmod 755 -R /var/www/"$domain"/html/postfixadmin/templates_c
 chown -R www-data: /var/www/"$domain"/html/
@@ -216,20 +210,40 @@ bash /var/www/"$domain"/html/postfixadmin/scripts/postfixadmin-cli admin add sup
 groupadd -g 5000 vmail
 useradd -u 5000 -g vmail -s /usr/sbin/nologin -d /var/mail/vmail -m vmail
 
-##-------------##
-#    Certbot    #
-##-------------##
+##--------------------##
+#    Certbot (Auto)    #
+##--------------------##
 #add-apt-repository ppa:certbot/certbot -y
 #apt install -y python-certbot-nginx
-mkdir -p /etc/letsencrypt/live/$domain/
 #certbot --nginx -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
 #echo "certbot --nginx -n -d $domain -m $email --hsts --redirect --no-eff-email --agree-tos" > ~/certbotactivate.sh
+#sed -i 's/ssl ipv6only/ssl http2 ipv6only/g' /etc/nginx/sites-available/"$domain"
+#sed -i 's/listen 443 ssl/listen 443 ssl http2/g' /etc/nginx/sites-available/"$domain"
+#sed -i 's#include /etc/letsencrypt/options-ssl-nginx.conf;#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;#g' /etc/nginx/sites-available/"$domain"
+#openssl dhparam -out /etc/ssl/certs/dhparam.pem "$dhparam"
+#chmod 777 -R /etc/ssl/certs/dhparam.pem
+
+##----------------------##
+#    Certbot (Manual)    #
+##----------------------##
+mkdir -p /etc/letsencrypt/live/$domain/
 sed -i 's/ssl ipv6only/ssl http2 ipv6only/g' /etc/nginx/sites-available/"$domain"
 sed -i 's/listen 443 ssl/listen 443 ssl http2/g' /etc/nginx/sites-available/"$domain"
 sed -i 's#include /etc/letsencrypt/options-ssl-nginx.conf;#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;#g' /etc/nginx/sites-available/"$domain"
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/cert.pem -O /etc/letsencrypt/live/$domain/cert.pem
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/chain.pem -O /etc/letsencrypt/live/$domain/chain.pem
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/fullchain.pem -O /etc/letsencrypt/live/$domain/fullchain.pem
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/privkey.pem -O /etc/letsencrypt/live/$domain/privkey.pem
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/nginx/site-enabled -O /etc/nginx/sites-available/mail.ictdownwerk.com
 openssl dhparam -out /etc/ssl/certs/dhparam.pem "$dhparam"
-chmod 755 -R /etc/ssl/certs/dhparam.pem
-systemctl restart nginx
+openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem "$dhparam"
+chmod 777 -R /etc/letsencrypt/ssl-dhparams.pem
+chmod 777 -R /etc/ssl/certs/dhparam.pem
+chmod 777 -R /etc/letsencrypt/live/$domain/cert.pem
+chmod 777 -R /etc/letsencrypt/live/$domain/chain.pem
+chmod 777 -R /etc/letsencrypt/live/$domain/fullchain.pem
+chmod 777 -R /etc/letsencrypt/live/$domain/privkey.pem
+chmod 644 -R /etc/nginx/sites-available/mail.ictdownwerk.com
 
 ##-----------------------##
 #    Postfix Installer    #
@@ -310,10 +324,79 @@ chmod +x /usr/local/bin/quota-warning.sh
 ##--------------------------------------##
 apt install dovecot-sieve dovecot-managesieved -y
 mkdir -p /etc/dovecot/sieve/
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/$branch/config/dovecot/15-lda.conf -O /etc/dovecot/conf.d/15-lda.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/90-sieve.conf -O /etc/dovecot/conf.d/90-sieve.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/sieve/default.sieve -O /etc/dovecot/sieve/default.sieve
-sievec /etc/dovecot/sieve/default.sieve
 chown vmail:vmail /etc/dovecot/sieve/ -R
+chgrp dovecot /etc/dovecot/conf.d/90-sieve.conf
+sievec /etc/dovecot/sieve/default.sieve
+chgrp dovecot /etc/dovecot/sieve/default.svbin
+
+##------------------##
+#    Spamassassin    #
+##------------------##
+apt install spamassassin spamc razor pyzor -y
+sed -i -e 's/# report_safe 1/report_safe 0/' -e 's/# required_score 5.0/required_score 5.0/' -e 's/endif # Mail::SpamAssassin::Plugin::Shortcircuit//' /etc/spamassassin/local.cf
+echo "" >> /etc/spamassassin/local.cf
+echo "skip_rbl_checks 0" >> /etc/spamassassin/local.cf
+echo "" >> /etc/spamassassin/local.cf
+echo "#pyzor" >> /etc/spamassassin/local.cf
+echo "use_pyzor 1" >> /etc/spamassassin/local.cf
+echo "pyzor_path /usr/bin/pyzor" >> /etc/spamassassin/local.cf
+echo "pyzor_add_header 1" >> /etc/spamassassin/local.cf
+echo "" >> /etc/spamassassin/local.cf
+echo "#razor" >> /etc/spamassassin/local.cf
+echo "use_razor2 1" >> /etc/spamassassin/local.cf
+echo "razor_config /etc/razor/razor-agent.conf" >> /etc/spamassassin/local.cf
+echo "" >> /etc/spamassassin/local.cf
+echo "#bayes" >> /etc/spamassassin/local.cf
+echo "use_bayes 1" >> /etc/spamassassin/local.cf
+echo "use_bayes_rules 1" >> /etc/spamassassin/local.cf
+echo "bayes_auto_learn 1" >> /etc/spamassassin/local.cf
+echo "" >> /etc/spamassassin/local.cf
+echo "endif # Mail::SpamAssassin::Plugin::Shortcircuit" >> /etc/spamassassin/local.cf
+
+##------------##
+#    ClamAV    #
+##------------##
+apt install clamav clamav-daemon clamsmtp libclamunrar7 clamdscan -y
+chown -R clamav:clamav /var/log/clamav
+chown -R clamav:clamav /var/lib/clamav
+chmod 777 -R /var/lib/clamav
+
+##------------##
+#    Amavis    #
+##------------##
+apt install amavisd-new -y
+apt install zip lrzip liblz4-tool lhasa arj unzip bzip2 nomarch cpio lzop cabextract arc apt-listchanges libauthen-sasl-perl libdbd-mysql-perl libdbi-perl libmail-dkim-perl ripole p7zip p7zip-full p7zip-rar rpm unrar unrar-free altermime libsnmp-perl libnet-ldap-perl libnet-ph-perl libnet-snpp-perl libnet-telnet-perl -y
+sed -i -e 's/@bypass/'@bypass'/' -e 's/   /    /' /etc/amavis/conf.d/15-content_filter_mode
+adduser clamav amavis
+sed -i 's/clamd.conf/'clamd.conf'/g' /etc/clamav/freshclam.conf
+echo "#Pipe incoming mail trough Amavis" >> /etc/postfix/main.cf
+postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
+postconf -e 'receive_override_options = no_address_mappings'
+echo "" >> /etc/postfix/master.cf
+echo "#Pipe incoming mail trough Amavis" >> /etc/postfix/master.cf
+echo "amavis unix - - - - 2 smtp" >> /etc/postfix/master.cf
+echo "  -o smtp_data_done_timeout=1200" >> /etc/postfix/master.cf
+echo "  -o smtp_send_xforward_command=yes" >> /etc/postfix/master.cf
+echo "127.0.0.1:10025 inet n - - - - smtpd" >> /etc/postfix/master.cf
+echo "  -o content_filter=" >> /etc/postfix/master.cf
+echo "  -o local_recipient_maps=" >> /etc/postfix/master.cf
+echo "  -o relay_recipient_maps=" >> /etc/postfix/master.cf
+echo "  -o smtpd_restriction_classes=" >> /etc/postfix/master.cf
+echo "  -o smtpd_client_restrictions=" >> /etc/postfix/master.cf
+echo "  -o smtpd_helo_restrictions=" >> /etc/postfix/master.cf
+echo "  -o smtpd_sender_restrictions=" >> /etc/postfix/master.cf
+echo "  -o smtpd_recipient_restrictions=permit_mynetworks,reject" >> /etc/postfix/master.cf
+echo "  -o mynetworks=127.0.0.0/8" >> /etc/postfix/master.cf
+echo "  -o strict_rfc821_envelopes=yes" >> /etc/postfix/master.cf
+echo "  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks" >> /etc/postfix/master.cf
+echo "  -o smtpd_bind_address=127.0.0.1" >> /etc/postfix/master.cf
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/15-content_filter_mode -O /etc/amavis/conf.d/15-content_filter_mode
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/20-debian_defaults -O /etc/amavis/conf.d/20-debian_defaults
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/21-ubuntu_defaults -O /etc/amavis/conf.d/21-ubuntu_defaults
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/50-user -O /etc/amavis/conf.d/50-user
 
 ##--------------##
 #    Rainloop    #
@@ -334,12 +417,24 @@ wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$bra
 sed -i 's/root@localhost/'$email'/g' /etc/fail2ban/jail.conf
 systemctl restart fail2ban
 
+##---------------------------------##
+#    Unattended Security Updates    #
+##---------------------------------##
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Unattended-Security-Updates/raw/branch/master/installer.sh -O /tmp/unattended.sh
+source /tmp/unattended.sh
+
 ##-----------------------##
 #    Enabling Services    #
 ##-----------------------##
-systemctl enable postfix.service postfix@-.service dovecot.service fail2ban.service
+systemctl enable nginx mysql postfix postfix@- dovecot fail2ban clamav-daemon clamav-freshclam clamsmtp spamassassin amavisd-snmp-subagent amavis-mc amavis-snmp-subagent
 
 ##-----------------------##
 #    Starting Services    #
 ##-----------------------##
-systemctl restart postfix.service postfix@-.service dovecot.service fail2ban.service
+systemctl restart nginx mysql postfix postfix@- dovecot fail2ban clamav-daemon clamav-freshclam clamsmtp spamassassin amavisd-snmp-subagent amavis-mc amavis-snmp-subagent
+
+##------------------##
+#    Final Update    #
+##------------------##
+apt update
+apt upgrade -y

mysql-8.0.sh

@@ -1,58 +0,0 @@
-##------------##
-#     MySQL    #
-##------------##
-
-export DEBIAN_FRONTEND=noninteractive
-
-apt install gnupg -y
-
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/repo-codename select bionic'
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/repo-distro select ubuntu'
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/repo-url string http://repo.mysql.com/apt/'
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/select-preview select '
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/select-product select Ok'
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/select-server select mysql-8.0'
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/select-tools select '
-debconf-set-selections <<< 'mysql-apt-config mysql-apt-config/unsupported-platform select abort'
-debconf-set-selections <<< "mysql-community-server mysql-community-server/root-pass password $password"
-debconf-set-selections <<< "mysql-community-server mysql-community-server/re-root-pass password $password"
-debconf-set-selections <<< "mysql-community-server mysql-server/default-auth-override select Use Legacy Authentication Method (Retain MySQL 5.x Compatibility)"
-
-wget https://dev.mysql.com/get/mysql-apt-config_0.8.13-1_all.deb -O /tmp/mysql-apt-conf.deb
-dpkg -i /tmp/mysql-apt-conf.deb
-apt-get update
-apt-get install -y mysql-server
-
-rm /etc/mysql/mysql.conf.d/mysqld.cnf
-cat > /etc/mysql/mysql.conf.d/mysqld.cnf <<- "EOF"
-[mysqld]
-user            = mysql
-pid-file        = /var/run/mysqld/mysqld.pid
-socket          = /var/run/mysqld/mysqld.sock
-port            = 3306
-basedir         = /usr
-datadir         = /var/lib/mysql
-tmpdir          = /tmp
-lc-messages-dir = /usr/share/mysql
-skip-external-locking
-
-innodb_buffer_pool_size = 1G # (adjust value here, 50%-70% of total RAM)
-innodb_log_file_size = 256M
-innodb_flush_log_at_trx_commit = 1 # may change to 2 or 0
-innodb_flush_method = O_DIRECT
-bind-address            = 127.0.0.1
-key_buffer_size         = 16M
-max_allowed_packet      = 16M
-thread_stack            = 192K
-thread_cache_size       = 8
-myisam-recover-options  = BACKUP
-#max_connections = 100
-#table_open_cache = 64
-#innodb-thread-concurrency     = 10
-log_error = /var/log/mysql/error.log
-expire_logs_days        = 10
-max_binlog_size   = 100M
-EOF
-
-systemctl restart mysql
-systemctl enable mysql