Update 'installer.sh'

CHANGELOG.md

@@ -1 +1,7 @@
-## 29-08-2019:  
+## 29-08-2019 / 31-08-2019:  
+Dev = done.  
+PostixAdmin, Postfix, Dovecot and Sieve working!  
+
+## 31-08-2019 / 01-09-2019:
+Started Alpha Branch.  
+PHP7.3 and MySQL 8 working!  

README.md

@@ -1,8 +1,19 @@
-# Ubuntu-Mail
-**Get Started**:  
-wget https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/dev/installer.sh  
-bash installer.sh 2>&1 | tee output.log  
-  
-### Sources
+# Ubuntu-Mail  
 
-https://linuxize.com/post/set-up-an-email-server-with-postfixadmin
+**Get Started**:  
+```
+wget https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/omega/installer.sh  
+bash installer.sh 2>&1 | tee output.log  
+```  
+
+#### This script uses the following repo's as dependencies:
+```
+* VPS-scripts/Unattended-Security-Updates 
+* VPS-scripts/Ubuntu-MySQL
+```  
+
+
+#### Sources:  
+```  
+https://linuxize.com/post/set-up-an-email-server-with-postfixadmin
+```  

config/amavis/15-content_filter_mode

@@ -0,0 +1,27 @@
+use strict;
+
+# You can modify this file to re-enable SPAM checking through spamassassin
+# and to re-enable antivirus checking.
+
+#
+# Default antivirus checking mode
+# Please note, that anti-virus checking is DISABLED by 
+# default.
+# If You wish to enable it, please uncomment the following lines:
+
+
+@bypass_virus_checks_maps = (
+   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
+
+
+#
+# Default SPAM checking mode
+# Please note, that anti-spam checking is DISABLED by 
+# default.
+# If You wish to enable it, please uncomment the following lines:
+
+
+@bypass_spam_checks_maps = (
+   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
+
+1;  # ensure a defined return

config/amavis/20-debian_defaults

@@ -0,0 +1,223 @@
+use strict;
+
+# ADMINISTRATORS:
+# Debian suggests that any changes you need to do that should never
+# be "updated" by the Debian package should be made in another file,
+# overriding the settings in this file.
+#
+# The package will *not* overwrite your settings, but by keeping
+# them separate, you will make the task of merging changes on these
+# configuration files much simpler...
+
+#   see /usr/share/doc/amavisd-new/examples/amavisd.conf-default for
+#       a list of all variables with their defaults;
+#   see /usr/share/doc/amavisd-new/examples/amavisd.conf-sample for
+#       a traditional-style commented file  
+#   [note: the above files were not converted to Debian settings!]
+#
+#   for more details see documentation in /usr/share/doc/amavisd-new
+#   and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html
+
+$QUARANTINEDIR = "$MYHOME/virusmails";
+$quarantine_subdir_levels = 1; # enable quarantine dir hashing
+
+$log_recip_templ = undef;    # disable by-recipient level-0 log entries
+$DO_SYSLOG = 1;              # log via syslogd (preferred)
+$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
+$syslog_facility = 'mail';
+$syslog_priority = 'debug';  # switch to info to drop debug output, etc
+
+$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
+$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
+
+$inet_socket_port = 10024;   # default listening socket
+
+#$sa_spam_subject_tag = '***SPAM*** ';
+#$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
+#$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
+#$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
+#$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
+
+
+$sa_tag_level_deflt = -999;  # add spam info headers if at, or above that level
+$sa_tag2_level_deflt = 1.0;  # add 'spam detected' headers at that level
+$sa_kill_level_deflt = 21.0; # triggers spam evasive actions
+$sa_dsn_cutoff_level = 4;    # spam level beyond which a DSN is not sent
+
+
+
+
+
+
+$sa_mail_body_size_limit = 200*1024; # don't waste time on SA if mail is larger
+$sa_local_tests_only = 0;    # only tests which do not require internet access?
+
+# Quota limits to avoid bombs (like 42.zip)
+
+$MAXLEVELS = 14;
+$MAXFILES = 1500;
+$MIN_EXPANSION_QUOTA =      100*1024;  # bytes
+$MAX_EXPANSION_QUOTA = 300*1024*1024;  # bytes
+
+# You should:
+#   Use D_DISCARD to discard data (viruses)
+#   Use D_BOUNCE to generate local bounces by amavisd-new
+#   Use D_REJECT to generate local or remote bounces by the calling MTA
+#   Use D_PASS to deliver the message
+#
+# Whatever you do, *NEVER* use D_REJECT if you have other MTAs *forwarding*
+# mail to your account.  Use D_BOUNCE instead, otherwise you are delegating
+# the bounce work to your friendly forwarders, which might not like it at all.
+#
+# On dual-MTA setups, one can often D_REJECT, as this just makes your own
+# MTA generate the bounce message.  Test it first.
+#
+# Bouncing viruses is stupid, always discard them after you are sure the AV
+# is working correctly.  Bouncing real SPAM is also useless, if you cannot
+# D_REJECT it (and don't D_REJECT mail coming from your forwarders!).
+
+$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
+$final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
+$final_spam_destiny       = D_PASS;
+$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
+
+$enable_dkim_verification = 0; #disabled to prevent warning
+
+$virus_admin = "postmaster\@$mydomain"; # due to D_DISCARD default
+
+# Set to empty ("") to add no header
+$X_HEADER_LINE = "Debian $myproduct_name at $mydomain";
+
+# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS
+
+#
+# DO NOT SEND VIRUS NOTIFICATIONS TO OUTSIDE OF YOUR DOMAIN. EVER.
+#
+# These days, almost all viruses fake the envelope sender and mail headers.
+# Therefore, "virus notifications" became nothing but undesired, aggravating
+# SPAM.  This holds true even inside one's domain.  We disable them all by
+# default, except for the EICAR test pattern.
+#
+
+@viruses_that_fake_sender_maps = (new_RE(
+  [qr'\bEICAR\b'i => 0],            # av test pattern name
+  [qr/.*/ => 1],  # true for everything else
+));
+
+@keep_decoded_original_maps = (new_RE(
+# qr'^MAIL$',   # retain full original message for virus checking (can be slow)
+  qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
+  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
+# qr'^Zip archive data',     # don't trust Archive::Zip
+));
+
+
+# for $banned_namepath_re, a new-style of banned table, see amavisd.conf-sample
+
+$banned_filename_re = new_RE(
+# qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
+
+  # block certain double extensions anywhere in the base name
+  qr'\.[^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
+
+  qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'i, # Windows Class ID CLSID, strict
+
+  qr'^application/x-msdownload$'i,                  # block these MIME types
+  qr'^application/x-msdos-program$'i,
+  qr'^application/hta$'i,
+
+# qr'^application/x-msmetafile$'i,	# Windows Metafile MIME type
+# qr'^\.wmf$',				# Windows Metafile file(1) type
+
+# qr'^message/partial$'i, qr'^message/external-body$'i, # rfc2046 MIME types
+
+# [ qr'^\.(Z|gz|bz2)$'           => 0 ],  # allow any in Unix-compressed
+# [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives
+# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within such archives
+# [ qr'^application/x-zip-compressed$'i => 0],  # allow any within such archives
+
+  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
+# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta|
+#        inf|ins|isp|js|jse|lnk|mda|mdb|mde|mdw|mdt|mdz|msc|msi|msp|mst|
+#        ops|pcd|pif|prg|reg|scr|sct|shb|shs|vb|vbe|vbs|
+#        wmf|wsc|wsf|wsh)$'ix,  # banned ext - long
+
+# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
+
+  qr'^\.(exe-ms)$',                       # banned file(1) types
+# qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types
+);
+# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631
+# and http://www.cknow.com/vtutor/vtextensions.htm
+
+
+# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING
+
+@score_sender_maps = ({ # a by-recipient hash lookup table,
+                        # results from all matching recipient tables are summed
+
+# ## per-recipient personal tables  (NOTE: positive: black, negative: white)
+# 'user1@example.com'  => [{'bla-mobile.press@example.com' => 10.0}],
+# 'user3@example.com'  => [{'.ebay.com'                 => -3.0}],
+# 'user4@example.com'  => [{'cleargreen@cleargreen.com' => -7.0,
+#                           '.cleargreen.com'           => -5.0}],
+
+  ## site-wide opinions about senders (the '.' matches any recipient)
+  '.' => [  # the _first_ matching sender determines the score boost
+
+   new_RE(  # regexp-type lookup table, just happens to be all soft-blacklist
+    [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i         => 5.0],
+    [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0],
+    [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0],
+    [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i   => 5.0],
+    [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i  => 5.0],
+    [qr'^(your_friend|greatoffers)@'i                                => 5.0],
+    [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i                    => 5.0],
+   ),
+
+#  read_hash("/var/amavis/sender_scores_sitewide"),
+
+# This are some examples for whitelists, since envelope senders can be forged
+# they are not enabled by default. 
+   { # a hash-type lookup table (associative array)
+     #'nobody@cert.org'                        => -3.0,
+     #'cert-advisory@us-cert.gov'              => -3.0,
+     #'owner-alert@iss.net'                    => -3.0,
+     #'slashdot@slashdot.org'                  => -3.0,
+     #'securityfocus.com'                      => -3.0,
+     #'ntbugtraq@listserv.ntbugtraq.com'       => -3.0,
+     #'security-alerts@linuxsecurity.com'      => -3.0,
+     #'mailman-announce-admin@python.org'      => -3.0,
+     #'amavis-user-admin@lists.sourceforge.net'=> -3.0,
+     #'amavis-user-bounces@lists.sourceforge.net' => -3.0,
+     #'spamassassin.apache.org'                => -3.0,
+     #'notification-return@lists.sophos.com'   => -3.0,
+     #'owner-postfix-users@postfix.org'        => -3.0,
+     #'owner-postfix-announce@postfix.org'     => -3.0,
+     #'owner-sendmail-announce@lists.sendmail.org'   => -3.0,
+     #'sendmail-announce-request@lists.sendmail.org' => -3.0,
+     #'donotreply@sendmail.org'                => -3.0,
+     #'ca+envelope@sendmail.org'               => -3.0,
+     #'noreply@freshmeat.net'                  => -3.0,
+     #'owner-technews@postel.acm.org'          => -3.0,
+     #'ietf-123-owner@loki.ietf.org'           => -3.0,
+     #'cvs-commits-list-admin@gnome.org'       => -3.0,
+     #'rt-users-admin@lists.fsck.com'          => -3.0,
+     #'clp-request@comp.nus.edu.sg'            => -3.0,
+     #'surveys-errors@lists.nua.ie'            => -3.0,
+     #'emailnews@genomeweb.com'                => -5.0,
+     #'yahoo-dev-null@yahoo-inc.com'           => -3.0,
+     #'returns.groups.yahoo.com'               => -3.0,
+     #'clusternews@linuxnetworx.com'           => -3.0,
+     #lc('lvs-users-admin@LinuxVirtualServer.org')    => -3.0,
+     #lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0,
+
+     # soft-blacklisting (positive score)
+     #'sender@example.net'                     =>  3.0,
+     #'.example.net'                           =>  1.0,
+
+   },
+  ],  # end of site-wide tables
+});
+
+1;  # ensure a defined return

config/amavis/21-ubuntu_defaults

@@ -0,0 +1,27 @@
+use strict;
+
+#
+# These are Ubuntu specific defaults for amavisd-new configuration
+#
+# DOMAIN KEYS IDENTIFIED MAIL (DKIM)
+$enable_dkim_verification = 1;
+# Don't be verbose about sending mail:
+@whitelist_sender_acl = qw( .$mydomain );
+$final_virus_destiny      = D_DISCARD; # (defaults to D_BOUNCE)
+$final_banned_destiny     = D_DISCARD;  # (defaults to D_BOUNCE)
+$final_spam_destiny       = D_DISCARD;  # (defaults to D_REJECT)
+$final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested
+
+$sa_tag_level_deflt = -999;  # add spam info headers if at, or above that level
+$sa_tag2_level_deflt = 1.0;  # add 'spam detected' headers at that level
+$sa_kill_level_deflt = 21.0; # triggers spam evasive actions
+$sa_dsn_cutoff_level = 4;    # spam level beyond which a DSN is not sent
+
+
+
+
+$virus_admin = undef;
+$spam_admin = undef;
+
+#------------ Do not modify anything below this line -------------
+1;  # insure a defined return

config/amavis/50-user

@@ -0,0 +1,48 @@
+use strict;
+#
+# Place your configuration directives here.  They will override those in
+# earlier files.
+#
+# See /usr/share/doc/amavisd-new/ for documentation and examples of
+# the directives you can use in this file
+#
+
+# We need to provide list of domains for which filtering need to be done
+#@lookup_sql_dsn = (
+#    ['DBI:mysql:database=postfixadmin;host=127.0.0.1;port=3306',
+#     'postfixadmin',
+#     'JW9t9ipdgLrWvMqHq7hX']);
+
+# Disable show header recieve from amavisd localhost 127.0.0.1
+$allowed_added_header_fields{lc('Received')} = 0;
+
+@inet_acl = qw( 127.0.0.1 [::1] 23.21.136.138/32 );
+@local_domains_acl = ( "." );
+# Change instance amavisd process
+$max_servers = 5;
+
+# Disable quarantine
+$clean_quarantine_to = undef; # local quarantine
+$virus_quarantine_to = undef; # traditional local quarantine
+$banned_quarantine_to = undef; # local quarantine
+$bad_header_quarantine_to = undef; # local quarantine
+$spam_quarantine_to = undef; # local quarantine
+
+# Don's Discard infected mail
+$final_virus_destiny = D_REJECT;
+$final_banned_destiny = D_REJECT;
+$final_spam_destiny = D_PASS;
+
+# Add Warning to Subject
+$sa_tag_level_deflt = -9999; # always add spam info headers
+$subject_tag_maps_by_ccat{+CC_VIRUS} = [ '***WARNING-VIRUS DETECTED*** ' ];
+$subject_tag_maps_by_ccat{+CC_BANNED} = [ '***WARNING-DANGEROUS DETECTED*** ' ];
+
+# Filter spam mail to Junk folder
+$recipient_delimiter = '+';
+@addr_extension_spam_maps = ('Spam');
+@addr_extension_virus_maps = ('Spam');
+@addr_extension_banned_maps = ('Spam');
+
+#------------ Do not modify anything below this line -------------
+1;  # ensure a defined return

config/fail2ban/dovecot-pop3imap.conf

@@ -0,0 +1,3 @@
+[Definition]
+failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
+ignoreregex =

config/fail2ban/jail.local

@@ -0,0 +1,52 @@
+[dovecot-pop3imap]
+enabled = true
+filter = dovecot-pop3imap
+action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
+logpath = /var/log/mail.log
+maxretry = 3
+findtime = 600
+bantime = 3600
+
+[postfix-sasl]
+enabled  = true
+port     = smtp
+filter   = postfix-sasl
+logpath  = /var/log/mail.log
+maxretry = 3
+findtime = 600
+bantime = 3600
+
+[rainloop]
+enabled = true
+port = http,https
+logpath = /opt/rainloop/data/_data_/_default_/logs/fail2ban/auth-fail.txt
+maxretry = 3
+findtime = 600
+bantime = 3600
+
+[nginx-http-auth]
+enabled = false
+filter  = nginx-http-auth
+action  = iptables-multiport[name=nginx-http-auth,port="80,443"]
+logpath = /var/log/nginx/error.log
+maxretry = 3
+findtime = 600
+bantime = 3600
+
+[sieve]
+enabled = false
+filter  = sieve
+action  = iptables-multiport[name=sieve,port="25,465,587"]
+logpath = /var/log/mail*log
+maxretry = 3
+findtime = 600
+bantime = 3600
+
+[ssh]
+enabled  = true
+port     = ssh
+filter   = sshd
+logpath  = /var/log/auth.log
+maxretry = 5
+findtime = 600
+bantime = 3600

config/fail2ban/postfix-sasl.conf

@@ -0,0 +1,6 @@
+    # Fail2Ban filter for postfix authentication failures
+    [INCLUDES]
+    before = common.conf
+    [Definition]
+    _daemon = postfix/smtpd
+    failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$

config/fail2ban/rainloop.conf

@@ -0,0 +1,3 @@
+[Definition]
+failregex = Auth failed: ip=<HOST> user=.* host=.* port=.*$
+ignoreregex =

config/lets-encrypt/README

@@ -0,0 +1,14 @@
+This directory contains your keys and certificates.
+
+`privkey.pem`  : the private key for your certificate.
+`fullchain.pem`: the certificate file used in most server software.
+`chain.pem`    : used for OCSP stapling in Nginx >=1.3.7.
+`cert.pem`     : will break many server configurations, and should not be used
+                 without reading further documentation (see link below).
+
+WARNING: DO NOT MOVE OR RENAME THESE FILES!
+         Certbot expects these files to remain in this location in order
+         to function properly!
+
+We recommend not moving these files. For more information, see the Certbot
+User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

config/lets-encrypt/cert.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgISBN+7pm+eon8x1kIYxdzPY6mDMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA5MTEwNzU0MzdaFw0x
+OTEyMTAwNzU0MzdaMB8xHTAbBgNVBAMTFG1haWwuaWN0ZG93bndlcmsuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuBlnH/sRyrqwElbTeY23Bjdm
+ZeGgABVN3Z8f7o0q+NzrEIs2qfF5sxzQsTDHQkFQ7BlZL2tlBTvYJzL4f56LP+Ft
+ST0ivabmlfMlqVctGeMhIqQ5t12NKeDj5eXoT1udMvw3/X2J0i7cHJbpHqvCtdy/
+914SyaHwykFybC3vhoz18APUE0jfk1jfsIBzabRpC5C1SD1utMVcpzdc7eIoz6sF
+hI3YeWVvDRfoFkd/D/Qhrom0pHhsAth3FXbgvZkf865xf/Al/PxMJlPZQCYi1KyA
+x2aRR4IFOvCPk8a9EFeIKx9AVTgcu5CNIW0SRSZpQ4u+tTUtxuB7dL7SVbgXbQID
+AQABo4ICaTCCAmUwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQijuIvsk5b0OD5eZY4
+q6nlv+PIjTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEF
+BQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5j
+cnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5j
+cnlwdC5vcmcvMB8GA1UdEQQYMBaCFG1haWwuaWN0ZG93bndlcmsuY29tMEwGA1Ud
+IARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0
+dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDw
+AHYAdH7agzGtMxCRIZzOJU9CcMK//V5CIAjGNzV55hB7zFYAAAFtH4gerAAABAMA
+RzBFAiEAqaCymIN2kRHFIXwYMF3q7aRx3OfcCDQH6VkY4nPeQpECIGvCRqQ1uWPa
+6Ui1HQu1MaVjVN8FHNxMm3+10MJ3rxGtAHYAY/Lbzeg7zCzPC3KEJ1drM6SNYXeP
+vXWmOLHHaFRL2I0AAAFtH4genAAABAMARzBFAiEA36yPCciL4XPzlOBFwF0MKiLg
+bdJTwrDoRQc+BswOrPQCIDJGAGPGm8Ge00dLSpSZRsVT9frBTKvtY0DMXM+BRDjV
+MA0GCSqGSIb3DQEBCwUAA4IBAQCcI3Ofg9p4cqjWuuLax/MgF6qFloGbajP3hvfD
+kG1C8lXAMUhAxMlwk53fzM7RwemKztPMXXOyA8/3gwE0T8XJm4e6ddKQ9KaG4F3a
+Yj5MerpG+toEg+sSP/GJRZIoJjiB+WCQXt+UxxaZ6GmXiziqmJvnNNQPYBXB/AJk
+W7X54IVfoZn/OOuxGMb3I8JmDS0aPJFr6Sa4IPZdtaDQzvL5YitrVxtuhLFPb+GY
+BJZ/TPJJVFvL19nYe09d578Wu+F8hRMTTI1es+KANBm1NAXCUEw/0Yd3Anv7tYIs
+jnl4PV+Q6whUCdAhOPYnJdJyHlwtWJ80zO8l/X4KlmFJDLT/
+-----END CERTIFICATE-----

config/lets-encrypt/chain.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+-----END CERTIFICATE-----

config/lets-encrypt/fullchain.pem

@@ -0,0 +1,58 @@
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgISBN+7pm+eon8x1kIYxdzPY6mDMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA5MTEwNzU0MzdaFw0x
+OTEyMTAwNzU0MzdaMB8xHTAbBgNVBAMTFG1haWwuaWN0ZG93bndlcmsuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuBlnH/sRyrqwElbTeY23Bjdm
+ZeGgABVN3Z8f7o0q+NzrEIs2qfF5sxzQsTDHQkFQ7BlZL2tlBTvYJzL4f56LP+Ft
+ST0ivabmlfMlqVctGeMhIqQ5t12NKeDj5eXoT1udMvw3/X2J0i7cHJbpHqvCtdy/
+914SyaHwykFybC3vhoz18APUE0jfk1jfsIBzabRpC5C1SD1utMVcpzdc7eIoz6sF
+hI3YeWVvDRfoFkd/D/Qhrom0pHhsAth3FXbgvZkf865xf/Al/PxMJlPZQCYi1KyA
+x2aRR4IFOvCPk8a9EFeIKx9AVTgcu5CNIW0SRSZpQ4u+tTUtxuB7dL7SVbgXbQID
+AQABo4ICaTCCAmUwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
+BggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQijuIvsk5b0OD5eZY4
+q6nlv+PIjTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEF
+BQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5j
+cnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5j
+cnlwdC5vcmcvMB8GA1UdEQQYMBaCFG1haWwuaWN0ZG93bndlcmsuY29tMEwGA1Ud
+IARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0
+dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDw
+AHYAdH7agzGtMxCRIZzOJU9CcMK//V5CIAjGNzV55hB7zFYAAAFtH4gerAAABAMA
+RzBFAiEAqaCymIN2kRHFIXwYMF3q7aRx3OfcCDQH6VkY4nPeQpECIGvCRqQ1uWPa
+6Ui1HQu1MaVjVN8FHNxMm3+10MJ3rxGtAHYAY/Lbzeg7zCzPC3KEJ1drM6SNYXeP
+vXWmOLHHaFRL2I0AAAFtH4genAAABAMARzBFAiEA36yPCciL4XPzlOBFwF0MKiLg
+bdJTwrDoRQc+BswOrPQCIDJGAGPGm8Ge00dLSpSZRsVT9frBTKvtY0DMXM+BRDjV
+MA0GCSqGSIb3DQEBCwUAA4IBAQCcI3Ofg9p4cqjWuuLax/MgF6qFloGbajP3hvfD
+kG1C8lXAMUhAxMlwk53fzM7RwemKztPMXXOyA8/3gwE0T8XJm4e6ddKQ9KaG4F3a
+Yj5MerpG+toEg+sSP/GJRZIoJjiB+WCQXt+UxxaZ6GmXiziqmJvnNNQPYBXB/AJk
+W7X54IVfoZn/OOuxGMb3I8JmDS0aPJFr6Sa4IPZdtaDQzvL5YitrVxtuhLFPb+GY
+BJZ/TPJJVFvL19nYe09d578Wu+F8hRMTTI1es+KANBm1NAXCUEw/0Yd3Anv7tYIs
+jnl4PV+Q6whUCdAhOPYnJdJyHlwtWJ80zO8l/X4KlmFJDLT/
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+-----END CERTIFICATE-----

config/lets-encrypt/privkey.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC4GWcf+xHKurAS
+VtN5jbcGN2Zl4aAAFU3dnx/ujSr43OsQizap8XmzHNCxMMdCQVDsGVkva2UFO9gn
+Mvh/nos/4W1JPSK9puaV8yWpVy0Z4yEipDm3XY0p4OPl5ehPW50y/Df9fYnSLtwc
+lukeq8K13L/3XhLJofDKQXJsLe+GjPXwA9QTSN+TWN+wgHNptGkLkLVIPW60xVyn
+N1zt4ijPqwWEjdh5ZW8NF+gWR38P9CGuibSkeGwC2HcVduC9mR/zrnF/8CX8/Ewm
+U9lAJiLUrIDHZpFHggU68I+Txr0QV4grH0BVOBy7kI0hbRJFJmlDi761NS3G4Ht0
+vtJVuBdtAgMBAAECggEASp1xIJMf2OzlY+lw+LkpTwmxJOXXdXEtB//wbz0kB41y
+cFgcJbDLRH8PTmGYwQ+7/pUfgoqifQaOSwTrlr3pblCtfJucswUsO+Y6g3Hjw7Q8
+v8+T3O+7wRd3Bryx9UgKZJm5D7KL43Y+nA/GGDpBRnhcDaRBNRu/fhociB/uDrfu
+ZpaTBM3E2glXkbKAn2mwrv1sNog7DvgmzqSzcq/OgiDk6GhYeiU9wFlJJkidQmii
+HpBe22er6XscTEhhnDvcaljwzwBxOoKI7EoCRTjhLSfU6j+rQXX2y2ODBEWg0yx8
+6Lntgl5o4BVaixvZ7pH5mTxLpQ87drq7yXzGzGtwQQKBgQDs+8y0u8a0hj4SxNtd
+Hem6KhPkD7f3Pxuh+ZgphOp/lM0tYLDmoxZp/PhLxQX3N2qmXWS5fy4uBWpreoRJ
+FbZnyN2JlnAW4R+ba8HJR+7cqWIlqC3AFRsNLswRPn5s2k1Pc/PqtXx3kPNhdupj
+miB/pGtI6RhWHuhkkOZuFwtviQKBgQDG3zvoFaLOIAgRfkYrsV8V4iRUlbcCT1TS
+dOrqKx54gHAs0yTQqLSGwOjpQC4V/nQKxi54Ybu+aZ1A6IaNqkL5zIGnDNIJQlas
+E06D3LytVQM1dOCY5qz5xOqCJtxIL0fiMdTckenChL6ldufelVHRiN1Llv/xcoQL
+g+ent6VrxQKBgA9LuUy5CfxA5eTEO/xon9taN+pycUdOFXSA7adQYupVKmERapmY
+USwKHeSWFOp98y5FvOiUIuDpjJLfV4Z4FkvglRv6T8XKRgX8EIfzUqF/dUxE7J8H
+PbW+HYHHbNWNyYulSksN57i37F2QFVTUb+CNNjeAhAea+xjymUzlw+ExAoGAdr1u
+7WGNtXjWmGtGxmu/FDfT7VT+0jg/svDwGiToqpY1Y+4luxgfwZ2I80vIuIUXEB/I
+O0RPbp9srwam4Aratn9uoik7dx/O1Csq4/x2AyARLGe+ekyw1ujGBDPjro3cY6fR
+KmlMo0HS+sSGKRYKpgsL5kggRS9Uu/Nj63XxJOkCgYBaWOYoHpq7cJH2t0iHPjOi
+BlHBEt1dn4v9tOtAYfsU/tH3NLMhae7riq69o5Tsrm5X2SuMF8krTydRPvXsEIX7
+kPPIzHcWjpjWzIBD5v7cU+jjdqXDwtVlbbWBkFXBpzLh3jpQ+tz5y5TJ/0DXGrWo
+jTiQFMRVfzEWCncLODqywA==
+-----END PRIVATE KEY-----

config/nginx/domainconfig.cf

@@ -2,20 +2,20 @@
 
 server {
     listen       80;
-    server_name   www.$domain;
-    return       301 http://$domain\$request_uri;
+    server_name   www.DOMAINNAME;
+    return       301 http://DOMAINNAME$request_uri;
 }
 
 server {
     listen 80;
     listen [::]:80;
-    root /var/www/$domain/html;
+    root /var/www/DOMAINNAME/html;
     index index.php index.html index.htm index.nginx-debian.html;
-    server_name $domain;
-    #return 301 \$scheme:/\$domain\$request_uri; Redirect to non-www
-    #return 301 https://domein.nl$request_uri; Redirect to other domain
+    server_name DOMAINNAME;
+    #return 301 $scheme:/$domain$request_uri; Redirect to non-www
+    #return 301 https://domein.nl; Redirect to other domain
 
-    #add_header X-Cache "\$upstream_cache_status";
+    #add_header X-Cache "$upstream_cache_status";
 
     #netdata here
         
@@ -28,32 +28,32 @@ server {
 
 #    location /rspamd {
 #    proxy_pass http://127.0.0.1:11334/;
-#    proxy_set_header Host \$host;
-#    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+#    proxy_set_header Host $host;
+#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 #}
 
         location / {
-            #try_files \$uri \$uri/ =404;
-            try_files \$uri \$uri/ /index.php\$is_args\$args;
-            #try_files \$uri \$uri/ \$uri.html \$uri.php\$is_args\$query_string;
+            #try_files $uri $uri/ =404;
+            try_files $uri $uri/ /index.php$is_args$args;
+            #try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
         }
 
         location = /favicon.ico { log_not_found off; access_log off; }
         location = /robots.txt { log_not_found off; access_log off; allow all; }
-        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)\$ {
+        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)$ {
             expires max;
             log_not_found off;
             add_header Cache-Control "public, no-transform";
         }
 
-        location ~ \.php\$ {
+        location ~ \.php$ {
             include snippets/fastcgi-php.conf;
-            fastcgi_pass unix:/var/run/php/php${phpver}-fpm.sock;
+            fastcgi_pass unix:/var/run/php/phpPHPVER-fpm.sock;
             #fastcgi_cache MYAPP;
             #fastcgi_cache_valid 200 302 301 1m;
             #fastcgi_cache_valid 404 1m;
-            #fastcgi_cache_bypass \$no_cache;
-            #fastcgi_no_cache \$no_cache;
+            #fastcgi_cache_bypass $no_cache;
+            #fastcgi_no_cache $no_cache;
             #fastcgi_cache_revalidate on;
             #fastcgi_cache_background_update on;
             #fastcgi_cache_lock on;
@@ -73,25 +73,25 @@ server {
         }
 
         #Cache everything by default
-        set \$no_cache 0;
+        set $no_cache 0;
 
         #Don't cache POST requests
-        if (\$request_method = POST) {
-            set \$no_cache 1;
+        if ($request_method = POST) {
+            set $no_cache 1;
         }
 
         #Don't cache if the URL contains a query string
-        if (\$query_string != "") {
-            set \$no_cache 1;
+        if ($query_string != "") {
+            set $no_cache 1;
         }
 
         #Don't cache the following URLs
-        if (\$request_uri ~* "/(administrator/|login.php)") {
-            set \$no_cache 1;
+        if ($request_uri ~* "/(administrator/|login.php)") {
+            set $no_cache 1;
         }
 
         #Don't cache if there is a cookie called PHPSESSID
-        if (\$http_cookie = "PHPSESSID") {
-            set \$no_cache 1;
+        if ($http_cookie = "PHPSESSID") {
+            set $no_cache 1;
         }
     }

config/nginx/site-enabled

@@ -0,0 +1,206 @@
+#fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=MYAPP:100m max_size=10g inactive=1440m;
+
+server {
+    listen       80;
+    server_name   www.mail.ictdownwerk.com;
+    return       301 http://mail.ictdownwerk.com$request_uri;
+}
+
+server {
+    root /var/www/mail.ictdownwerk.com/html;
+    index index.php index.html index.htm index.nginx-debian.html;
+    server_name mail.ictdownwerk.com;
+    #return 301 $scheme:/$domain$request_uri; Redirect to non-www
+    #return 301 https://domein.nl; Redirect to other domain
+
+    #add_header X-Cache "$upstream_cache_status";
+
+    #netdata here
+        
+    gzip on;
+    gzip_proxied any;
+    gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript image/svg image/svg+xml application/xml image/x-icon;
+    gzip_comp_level 2;
+    gzip_disable "msie6";
+    gzip_buffers 16 8k;
+
+#    location /rspamd {
+#    proxy_pass http://127.0.0.1:11334/;
+#    proxy_set_header Host $host;
+#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#}
+
+        location / {
+            #try_files $uri $uri/ =404;
+            try_files $uri $uri/ /index.php$is_args$args;
+            #try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
+        }
+
+        location = /favicon.ico { log_not_found off; access_log off; }
+        location = /robots.txt { log_not_found off; access_log off; allow all; }
+        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)$ {
+            expires max;
+            log_not_found off;
+            add_header Cache-Control "public, no-transform";
+        }
+
+        location ~ \.php$ {
+            include snippets/fastcgi-php.conf;
+            fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+            #fastcgi_cache MYAPP;
+            #fastcgi_cache_valid 200 302 301 1m;
+            #fastcgi_cache_valid 404 1m;
+            #fastcgi_cache_bypass $no_cache;
+            #fastcgi_no_cache $no_cache;
+            #fastcgi_cache_revalidate on;
+            #fastcgi_cache_background_update on;
+            #fastcgi_cache_lock on;
+            #fastcgi_cache_use_stale updating;
+            #fastcgi_buffer_size 128k;
+            #fastcgi_buffers 256 16k;
+            #fastcgi_busy_buffers_size 256k;
+            #fastcgi_temp_file_write_size 256k;
+        }
+
+        location ~ /\.ht {
+            deny all;
+        }
+
+        location /phpmyadmin {
+            index index.php;
+        }
+
+        #Cache everything by default
+        set $no_cache 0;
+
+        #Don't cache POST requests
+        if ($request_method = POST) {
+            set $no_cache 1;
+        }
+
+        #Don't cache if the URL contains a query string
+        if ($query_string != "") {
+            set $no_cache 1;
+        }
+
+        #Don't cache the following URLs
+        if ($request_uri ~* "/(administrator/|login.php)") {
+            set $no_cache 1;
+        }
+
+        #Don't cache if there is a cookie called PHPSESSID
+        if ($http_cookie = "PHPSESSID") {
+            set $no_cache 1;
+        }
+    
+    listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
+    listen 443 ssl http2; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/mail.ictdownwerk.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/mail.ictdownwerk.com/privkey.pem; # managed by Certbot
+    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+
+    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
+
+}
+
+
+server {
+    if ($host = mail.ictdownwerk.com) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    listen 80;
+    listen [::]:80;
+    root /var/www/mail.ictdownwerk.com/html;
+    index index.php index.html index.htm index.nginx-debian.html;
+    server_name mail.ictdownwerk.com;
+    #return 301 $scheme:/$domain$request_uri; Redirect to non-www
+    #return 301 https://domein.nl; Redirect to other domain
+
+    #add_header X-Cache "$upstream_cache_status";
+
+    #netdata here
+        
+    gzip on;
+    gzip_proxied any;
+    gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript image/svg image/svg+xml application/xml image/x-icon;
+    gzip_comp_level 2;
+    gzip_disable "msie6";
+    gzip_buffers 16 8k;
+
+#    location /rspamd {
+#    proxy_pass http://127.0.0.1:11334/;
+#    proxy_set_header Host $host;
+#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#}
+
+        location / {
+            #try_files $uri $uri/ =404;
+            try_files $uri $uri/ /index.php$is_args$args;
+            #try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
+        }
+
+        location = /favicon.ico { log_not_found off; access_log off; }
+        location = /robots.txt { log_not_found off; access_log off; allow all; }
+        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)$ {
+            expires max;
+            log_not_found off;
+            add_header Cache-Control "public, no-transform";
+        }
+
+        location ~ \.php$ {
+            include snippets/fastcgi-php.conf;
+            fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+            #fastcgi_cache MYAPP;
+            #fastcgi_cache_valid 200 302 301 1m;
+            #fastcgi_cache_valid 404 1m;
+            #fastcgi_cache_bypass $no_cache;
+            #fastcgi_no_cache $no_cache;
+            #fastcgi_cache_revalidate on;
+            #fastcgi_cache_background_update on;
+            #fastcgi_cache_lock on;
+            #fastcgi_cache_use_stale updating;
+            #fastcgi_buffer_size 128k;
+            #fastcgi_buffers 256 16k;
+            #fastcgi_busy_buffers_size 256k;
+            #fastcgi_temp_file_write_size 256k;
+        }
+
+        location ~ /\.ht {
+            deny all;
+        }
+
+        location /phpmyadmin {
+            index index.php;
+        }
+
+        #Cache everything by default
+        set $no_cache 0;
+
+        #Don't cache POST requests
+        if ($request_method = POST) {
+            set $no_cache 1;
+        }
+
+        #Don't cache if the URL contains a query string
+        if ($query_string != "") {
+            set $no_cache 1;
+        }
+
+        #Don't cache the following URLs
+        if ($request_uri ~* "/(administrator/|login.php)") {
+            set $no_cache 1;
+        }
+
+        #Don't cache if there is a cookie called PHPSESSID
+        if ($http_cookie = "PHPSESSID") {
+            set $no_cache 1;
+        }
+    
+
+
+
+}

config/rainloop/application.ini

@@ -0,0 +1,351 @@
+; RainLoop Webmail configuration file
+; Please don't add custom parameters here, those will be overwritten
+
+[webmail]
+; Text displayed as page title
+title = "ICT Maatwerk Webmail"
+
+; Text displayed on startup
+loading_description = "ICT Maatwerk Webmail"
+favicon_url = ""
+
+; Theme used by default
+theme = "Blurred"
+
+; Allow theme selection on settings screen
+allow_themes = On
+allow_user_background = Off
+
+; Language used by default
+language = "nl_NL"
+
+; Admin Panel interface language
+language_admin = "en"
+
+; Allow language selection on settings screen
+allow_languages_on_settings = On
+allow_additional_accounts = Off
+allow_additional_identities = Off
+
+;  Number of messages displayed on page by default
+messages_per_page = 20
+
+; File size limit (MB) for file upload on compose screen
+; 0 for unlimited.
+attachment_size_limit = 25
+
+[interface]
+show_attachment_thumbnail = On
+use_native_scrollbars = Off
+new_move_to_folder_button = On
+
+[branding]
+login_logo = ""
+login_background = ""
+login_desc = ""
+login_css = ""
+login_powered = Off
+user_css = ""
+user_logo = ""
+user_logo_title = ""
+user_logo_message = ""
+user_iframe_message = ""
+welcome_page_url = ""
+welcome_page_display = "none"
+
+[contacts]
+; Enable contacts
+enable = On
+allow_sync = Off
+sync_interval = 20
+type = "mysql"
+pdo_dsn = "mysql:host=127.0.0.1;port=3306;dbname=MYSQLNAME"
+pdo_user = "MYSQLUSER"
+pdo_password = "MYSQLPASS"
+suggestions_limit = 30
+
+[security]
+; Enable CSRF protection (http://en.wikipedia.org/wiki/Cross-site_request_forgery)
+csrf_protection = On
+custom_server_signature = "RainLoop"
+x_frame_options_header = ""
+openpgp = Off
+
+; Login and password for web admin panel
+admin_login = "admin"
+admin_password = "12345"
+
+; Access settings
+allow_admin_panel = Off
+allow_two_factor_auth = Off
+force_two_factor_auth = Off
+hide_x_mailer_header = Off
+admin_panel_host = ""
+admin_panel_key = "admin"
+content_security_policy = ""
+core_install_access_domain = ""
+
+[ssl]
+; Require verification of SSL certificate used.
+verify_certificate = Off
+
+; Allow self-signed certificates. Requires verify_certificate.
+allow_self_signed = On
+
+; Location of Certificate Authority file on local filesystem (/etc/ssl/certs/ca-certificates.crt)
+cafile = ""
+
+; capath must be a correctly hashed certificate directory. (/etc/ssl/certs/)
+capath = ""
+
+[capa]
+folders = On
+composer = On
+contacts = On
+settings = On
+quota = On
+help = On
+reload = On
+search = On
+search_adv = On
+filters = On
+x-templates = Off
+dangerous_actions = On
+message_actions = On
+messagelist_actions = On
+attachments_actions = On
+
+[login]
+default_domain = ""
+
+; Allow language selection on webmail login screen
+allow_languages_on_login = On
+determine_user_language = On
+determine_user_domain = Off
+welcome_page = Off
+hide_submit_button = On
+forgot_password_link_url = ""
+registration_link_url = ""
+login_lowercase = On
+
+; This option allows webmail to remember the logged in user
+; once they closed the browser window.
+; 
+; Values:
+;   "DefaultOff" - can be used, disabled by default;
+;   "DefaultOn"  - can be used, enabled by default;
+;   "Unused"     - cannot be used
+sign_me_auto = "DefaultOff"
+
+[plugins]
+; Enable plugin support
+enable = Off
+
+; List of enabled plugins
+enabled_list = ""
+
+[defaults]
+; Editor mode used by default (Plain, Html, HtmlForced or PlainForced)
+view_editor_type = "Html"
+
+; layout: 0 - no preview, 1 - side preview, 2 - bottom preview
+view_layout = 1
+view_use_checkboxes = On
+autologout = 30
+show_images = Off
+contacts_autosave = On
+mail_use_threads = Off
+allow_draft_autosave = On
+mail_reply_same_folder = Off
+
+[logs]
+; Enable logging
+enable = On
+
+; Logs entire request only if error occured (php requred)
+write_on_error_only = Off
+
+; Logs entire request only if php error occured
+write_on_php_error_only = Off
+
+; Logs entire request only if request timeout (in seconds) occured.
+write_on_timeout_only = 0
+
+; Required for development purposes only.
+; Disabling this option is not recommended.
+hide_passwords = On
+time_offset = "0"
+session_filter = ""
+
+; Log filename.
+; For security reasons, some characters are removed from filename.
+; Allows for pattern-based folder creation (see examples below).
+; 
+; Patterns:
+;   {date:Y-m-d}  - Replaced by pattern-based date
+;                   Detailed info: http://www.php.net/manual/en/function.date.php
+;   {user:email}  - Replaced by user's email address
+;                   If user is not logged in, value is set to "unknown"
+;   {user:login}  - Replaced by user's login (the user part of an email)
+;                   If user is not logged in, value is set to "unknown"
+;   {user:domain} - Replaced by user's domain name (the domain part of an email)
+;                   If user is not logged in, value is set to "unknown"
+;   {user:uid}    - Replaced by user's UID regardless of account currently used
+; 
+;   {user:ip}
+;   {request:ip}  - Replaced by user's IP address
+; 
+; Others:
+;   {imap:login} {imap:host} {imap:port}
+;   {smtp:login} {smtp:host} {smtp:port}
+; 
+; Examples:
+;   filename = "log-{date:Y-m-d}.txt"
+;   filename = "{date:Y-m-d}/{user:domain}/{user:email}_{user:uid}.log"
+;   filename = "{user:email}-{date:Y-m-d}.txt"
+filename = "log-{date:Y-m-d}.txt"
+
+; Enable auth logging in a separate file (for fail2ban)
+auth_logging = On
+auth_logging_filename = "fail2ban/auth-fail.txt"
+auth_logging_format = "[{date:Y-m-d H:i:s T}] Auth failed: ip={request:ip} user={imap:login} host={imap:host} port={imap:port}"
+
+[debug]
+; Special option required for development purposes
+enable = Off
+
+[social]
+; Google
+google_enable = Off
+google_enable_auth = Off
+google_enable_auth_fast = Off
+google_enable_drive = Off
+google_enable_preview = Off
+google_client_id = ""
+google_client_secret = ""
+google_api_key = ""
+
+; Facebook
+fb_enable = Off
+fb_app_id = ""
+fb_app_secret = ""
+
+; Twitter
+twitter_enable = Off
+twitter_consumer_key = ""
+twitter_consumer_secret = ""
+
+; Dropbox
+dropbox_enable = Off
+dropbox_api_key = ""
+
+[cache]
+; The section controls caching of the entire application.
+; 
+; Enables caching in the system
+enable = On
+
+; Additional caching key. If changed, cache is purged
+index = "v1"
+
+; Can be: files, APC, memcache, redis (beta)
+fast_cache_driver = "files"
+
+; Additional caching key. If changed, fast cache is purged
+fast_cache_index = "v1"
+
+; Browser-level cache. If enabled, caching is maintainted without using files
+http = On
+
+; Browser-level cache time (seconds, Expires header)
+http_expires = 3600
+
+; Caching message UIDs when searching and sorting (threading)
+server_uids = On
+
+[labs]
+; Experimental settings. Handle with care.
+; 
+allow_mobile_version = On
+ignore_folders_subscription = Off
+check_new_password_strength = On
+update_channel = "stable"
+allow_gravatar = On
+allow_prefetch = On
+allow_smart_html_links = On
+cache_system_data = On
+date_from_headers = On
+autocreate_system_folders = On
+allow_message_append = Off
+disable_iconv_if_mbstring_supported = Off
+login_fault_delay = 1
+log_ajax_response_write_limit = 300
+allow_html_editor_source_button = Off
+allow_html_editor_biti_buttons = Off
+allow_ctrl_enter_on_compose = On
+try_to_detect_hidden_images = Off
+hide_dangerous_actions = Off
+use_app_debug_js = Off
+use_mobile_version_for_tablets = Off
+use_app_debug_css = Off
+use_imap_sort = On
+use_imap_force_selection = Off
+use_imap_list_subscribe = On
+use_imap_thread = On
+use_imap_move = Off
+use_imap_expunge_all_on_delete = Off
+imap_forwarded_flag = "$Forwarded"
+imap_read_receipt_flag = "$ReadReceipt"
+imap_body_text_limit = 555000
+imap_message_list_fast_simple_search = On
+imap_message_list_count_limit_trigger = 0
+imap_message_list_date_filter = 0
+imap_message_list_permanent_filter = ""
+imap_message_all_headers = Off
+imap_large_thread_limit = 50
+imap_folder_list_limit = 200
+imap_show_login_alert = On
+imap_use_auth_plain = On
+imap_use_auth_cram_md5 = Off
+smtp_show_server_errors = Off
+smtp_use_auth_plain = On
+smtp_use_auth_cram_md5 = Off
+sieve_allow_raw_script = Off
+sieve_utf8_folder_name = On
+sieve_auth_plain_initial = On
+sieve_allow_fileinto_inbox = Off
+imap_timeout = 300
+smtp_timeout = 60
+sieve_timeout = 10
+domain_list_limit = 99
+mail_func_clear_headers = On
+mail_func_additional_parameters = Off
+favicon_status = On
+folders_spec_limit = 50
+owncloud_save_folder = "Attachments"
+owncloud_suggestions = On
+curl_proxy = ""
+curl_proxy_auth = ""
+in_iframe = Off
+force_https = Off
+custom_login_link = ""
+custom_logout_link = ""
+allow_external_login = Off
+allow_external_sso = Off
+external_sso_key = ""
+http_client_ip_check_proxy = Off
+fast_cache_memcache_host = "127.0.0.1"
+fast_cache_memcache_port = 11211
+fast_cache_redis_host = "127.0.0.1"
+fast_cache_redis_port = 6379
+use_local_proxy_for_external_images = Off
+detect_image_exif_orientation = On
+cookie_default_path = ""
+cookie_default_secure = Off
+check_new_messages = On
+replace_env_in_configuration = ""
+startup_url = ""
+strict_html_parser = Off
+allow_cmd = Off
+dev_email = ""
+dev_password = ""

config/rainloop/domains-default.ini

@@ -0,0 +1,16 @@
+imap_host = "localhost"
+imap_port = 993
+imap_secure = "SSL"
+imap_short_login = Off
+sieve_use = Off
+sieve_allow_raw = Off
+sieve_host = ""
+sieve_port = 4190
+sieve_secure = "None"
+smtp_host = "localhost"
+smtp_port = 465
+smtp_secure = "SSL"
+smtp_short_login = Off
+smtp_auth = On
+smtp_php_mail = Off
+white_list = ""

config/rainloop/update-tools.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+### Begin update tool script
+
+new_signature=$(curl -s "https://www.rainloop.net/repository/webmail/rainloop-community-latest.zip.asc")
+old_signature=$(cat "/var/log/rainloop-installed.asc" || true)
+TMPDIR=$(mktemp -d) 
+
+printf "RainLoop: checking for upgrades... "
+
+if [ "$new_signature" != "$old_signature" ];
+then
+  echo "found"
+  echo "RainLoop: upgrading..." 
+
+  wget http://www.rainloop.net/repository/webmail/rainloop-community-latest.zip -O $TMPDIR/rlcl.zip
+  unzip -q $TMPDIR/rlcl.zip -d $TMPDIR
+  cp -r $TMPDIR/rainloop /opt/rainloop/
+  cp -r $TMPDIR/data/EMPTY /opt/rainloop/data/EMPTY
+  cp -r $TMPDIR/data/VERSION /opt/rainloop/data/VERSION
+  cp -r $TMPDIR/index.php /opt/rainloop/index.php
+  rm -rf $TMPDIR
+  chown -R www-data:www-data  /opt/rainloop
+  find /opt/rainloop/ -type d -exec chmod 755 {} \;
+  find /opt/rainloop/ -type f -exec chmod 644 {} \;
+  echo "$new_signature" > /var/log/rainloop-installed.asc
+  
+  echo "RainLoop: upgrade complete"
+else
+  echo "not found"
+fi
+echo "Done" 
+
+### End update tool script

config/sieve/default.sieve

@@ -1,4 +1,5 @@
 require "fileinto";
 if header :contains "X-Spam-Flag" "YES" {
 	fileinto "Spam";
+    stop;
 }

config/spamassassin/local.cf

@@ -0,0 +1,104 @@
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# Only a small subset of options are listed below
+#
+###########################################################################
+
+#   Add *****SPAM***** to the Subject header of spam e-mails
+#
+#rewrite_header Subject *****SPAM*****
+
+
+#   Save spam messages as a message/rfc822 MIME attachment instead of
+#   modifying the original message (0: off, 2: use text/plain instead)
+#
+report_safe 0
+
+
+#   Set which networks or hosts are considered 'trusted' by your mail
+#   server (i.e. not spammers)
+#
+# trusted_networks 212.17.35.
+
+
+#   Set file-locking method (flock is not safe over NFS, but is faster)
+#
+# lock_method flock
+
+
+#   Set the threshold at which a message is considered spam (default: 5.0)
+#
+required_score 5.0
+
+
+#   Use Bayesian classifier (default: 1)
+#
+use_bayes 1
+use_bayes_rules 1
+
+#   Bayesian classifier auto-learning (default: 1)
+#
+bayes_auto_learn 1
+
+#   Set headers which may provide inappropriate cues to the Bayesian
+#   classifier
+#
+# bayes_ignore_header X-Bogosity
+# bayes_ignore_header X-Spam-Flag
+# bayes_ignore_header X-Spam-Status
+
+
+#   Whether to decode non- UTF-8 and non-ASCII textual parts and recode
+#   them to UTF-8 before the text is given over to rules processing.
+#
+# normalize_charset 1
+
+#   Some shortcircuiting, if the plugin is enabled
+# 
+ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
+#
+#   default: strongly-whitelisted mails are *really* whitelisted now, if the
+#   shortcircuiting plugin is active, causing early exit to save CPU load.
+#   Uncomment to turn this on
+#
+# shortcircuit USER_IN_WHITELIST       on
+# shortcircuit USER_IN_DEF_WHITELIST   on
+# shortcircuit USER_IN_ALL_SPAM_TO     on
+# shortcircuit SUBJECT_IN_WHITELIST    on
+
+#   the opposite; blacklisted mails can also save CPU
+#
+# shortcircuit USER_IN_BLACKLIST       on
+# shortcircuit USER_IN_BLACKLIST_TO    on
+# shortcircuit SUBJECT_IN_BLACKLIST    on
+
+#   if you have taken the time to correctly specify your "trusted_networks",
+#   this is another good way to save CPU
+#
+# shortcircuit ALL_TRUSTED             on
+
+#   and a well-trained bayes DB can save running rules, too
+#
+# shortcircuit BAYES_99                spam
+# shortcircuit BAYES_00                ham
+
+skip_rbl_checks 0
+
+#pyzor
+use_pyzor 1
+pyzor_path /usr/bin/pyzor
+pyzor_add_header 1
+
+#razor
+use_razor2 1
+razor_config /etc/razor/razor-agent.conf
+
+#bayes
+use_bayes 1
+use_bayes_rules 1
+bayes_auto_learn 1
+
+endif # Mail::SpamAssassin::Plugin::Shortcircuit

config/spamassassin/spamassassin

@@ -0,0 +1,34 @@
+# /etc/default/spamassassin
+# Duncan Findlay
+
+# WARNING: please read README.spamd before using.
+# There may be security risks.
+
+# If you're using systemd (default for jessie), the ENABLED setting is
+# not used. Instead, enable spamd by issuing:
+# systemctl enable spamassassin.service
+# Change to "1" to enable spamd on systems using sysvinit:
+ENABLED=1
+
+# Options
+# See man spamd for possible options. The -d option is automatically added.
+
+# SpamAssassin uses a preforking model, so be careful! You need to
+# make sure --max-children is not set to anything higher than 5,
+# unless you know what you're doing.
+
+OPTIONS="--create-prefs --max-children 5 --helper-home-dir --username spamd -H /var/log/spamassassin -s /var/log/spamassassin/spamd.log"
+
+# Pid file
+# Where should spamd write its PID to file? If you use the -u or
+# --username option above, this needs to be writable by that user.
+# Otherwise, the init script will not be able to shut spamd down.
+PIDFILE="/var/run/spamd.pid"
+
+# Set nice level of spamd
+#NICE="--nicelevel 15"
+
+# Cronjob
+# Set to anything but 0 to enable the cron job to automatically update
+# spamassassin's rules on a nightly basis
+CRON=1

installer.sh

@@ -1,7 +1,6 @@
-###============================================================
-##      Ubuntu 18.04 Mailserver installer
-###============================================================
-
+###==========================================###
+##      Ubuntu 18.04 Mailserver installer     ## 
+###==========================================###
 
 ##----------##
 #    Menu    #
@@ -20,46 +19,46 @@
 #    Static-Vars    #
 ##-----------------##
 echo "Static-Vars"
-domain=ongz.nl
+domain=ictdownwerk.com
 password=JW9t9ipdgLrWvMqHq7hX
 email=admin@ictdagbesteding.nl
-phpver=7.2
+phpver=7.3
 domonly=${domain}
 domain=mail.${domain}
-branch=dev
+branch=omega
 dhparam=1024
+
 ##----------------##
 #    Pre-Config    #
 ##----------------##
-echo "Pre-Config"
-
 hostnamectl set-hostname $domain
 apt update
 add-apt-repository universe -y
 add-apt-repository ppa:ondrej/php -y
-apt install mysql-server software-properties-common wget -y
+apt install software-properties-common -y
 apt upgrade -y
 apt autoremove -y
+timedatectl set-timezone Europe/Amsterdam
+mkdir -p /etc/nginx
 mkdir -p /var/www/"$domain"/html
 chmod -R 755 /var/www
 
+##-------------##
+#    Debloat    #
+##-------------##
+apt autoremove --purge lxcfs lxd lxd-client geoip-database snapd -y
+
 ##-----------------------##
 #    Html Folder Perms    #
 ##-----------------------##
-echo "Html Folder Perms"
-
 chown -R www-data:www-data /var/www/"$domain"/html
 
 ##-----------##
 #    NGINX    #
 ##-----------##
-echo "NGINX"
-
-#installing nginx from apt
 apt install -y nginx
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Web/raw/branch/master/config/nginx/nginx-default.conf -O /etc/nginx/nginx.conf
 
-
 cat <<EOF > /etc/nginx/sites-available/"$domain"
 #fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=MYAPP:100m max_size=10g inactive=1440m;
 
@@ -165,19 +164,20 @@ ln -s /etc/nginx/sites-available/"$domain" /etc/nginx/sites-enabled/
 ##-------------------------------##
 #    NGINX Single core bug fix    #
 ##-------------------------------##
-echo "NGINX Single core bug fix"
-
 mkdir /etc/systemd/system/nginx.service.d
 printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
 systemctl daemon-reload
 systemctl restart nginx
 
+##-----------------------##
+#    MySQL Installation   #
+##-----------------------##
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-MySQL/raw/branch/master/mysql-8.0.sh -O /tmp/mysql-8.0.sh
+source /tmp/mysql-8.0.sh
+
 ##------------------------------##
 #    MySQL_Secure_Installation   #
 ##------------------------------##
-echo "MySQL_Secure_Installation"
-
-mysqladmin -u root password "$password"
 mysql -u root -p"$password" -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
 mysql -u root -p"$password" -e "DELETE FROM mysql.user WHERE User=''"
 mysql -u root -p"$password" -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'"
@@ -185,25 +185,21 @@ mysql -u root -p"$password" -e "SELECT user,authentication_string,plugin,host FR
 mysql -u root -p"$password" -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '"$password"';"
 mysql -u root -p"$password" -e "FLUSH PRIVILEGES;"
 
-##-----------##
-#    MySQL    #
-##-----------##
-echo "MySQL"
-
-mkdir -p /etc/nginx
+##-----------------------------##
+#    MySQL Database Creation    #
+##-----------------------------##
 mysql -u root -p"$password" -e "CREATE DATABASE postfixadmin;"
-mysql -u root -p"$password" -e "GRANT ALL ON postfixadmin.* TO 'postfixadmin'@'localhost' IDENTIFIED BY '"$password"';"
+mysql -u root -p"$password" -e "CREATE USER '"postfixadmin"'@'localhost' IDENTIFIED BY '"$password"';"
+mysql -u root -p"$password" -e "GRANT ALL ON "postfixadmin".* TO "postfixadmin"@'localhost';"
 mysql -u root -p"$password" -e "FLUSH PRIVILEGES;"
 
 ##------------------##
 #    PostfixADMIN    #
 ##------------------##
-echo "PostfixADMIN"
-
 apt install php${phpver} php${phpver}-zip php${phpver}-fpm php${phpver}-cli php${phpver}-json php${phpver}-mysql php${phpver}-opcache php${phpver}-mbstring php${phpver}-readline -y
 apt install libc-client2007e mlock php${phpver}-common php${phpver}-imap -y
 mkdir -p /var/www/"$domain"/html/postfixadmin/templates_c
-wget -q -t7 https://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-3.1/postfixadmin-3.1.tar.gz -O /tmp/postfixadmin.tar.gz
+wget -q -t7 https://git.ictmaatwerk.com/downloads/pfa/postfixadmin-3.1.tar.gz -O /tmp/postfixadmin.tar.gz
 tar -xf /tmp/postfixadmin.tar.gz -C /var/www/"$domain"/html/postfixadmin --strip-components=1
 chmod 755 -R /var/www/"$domain"/html/postfixadmin/templates_c
 chown -R www-data: /var/www/"$domain"/html/
@@ -214,21 +210,40 @@ bash /var/www/"$domain"/html/postfixadmin/scripts/postfixadmin-cli admin add sup
 groupadd -g 5000 vmail
 useradd -u 5000 -g vmail -s /usr/sbin/nologin -d /var/mail/vmail -m vmail
 
-##-------------##
-#    Certbot    #
-##-------------##
-add-apt-repository ppa:certbot/certbot -y
-apt install -y python-certbot-nginx
+##--------------------##
+#    Certbot (Auto)    #
+##--------------------##
+#add-apt-repository ppa:certbot/certbot -y
+#apt install -y python-certbot-nginx
+#certbot --nginx -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
+#echo "certbot --nginx -n -d $domain -m $email --hsts --redirect --no-eff-email --agree-tos" > ~/certbotactivate.sh
+#sed -i 's/ssl ipv6only/ssl http2 ipv6only/g' /etc/nginx/sites-available/"$domain"
+#sed -i 's/listen 443 ssl/listen 443 ssl http2/g' /etc/nginx/sites-available/"$domain"
+#sed -i 's#include /etc/letsencrypt/options-ssl-nginx.conf;#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;#g' /etc/nginx/sites-available/"$domain"
+#openssl dhparam -out /etc/ssl/certs/dhparam.pem "$dhparam"
+#chmod 777 -R /etc/ssl/certs/dhparam.pem
+
+##----------------------##
+#    Certbot (Manual)    #
+##----------------------##
 mkdir -p /etc/letsencrypt/live/$domain/
-certbot --nginx -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
-echo "certbot --nginx -n -d $domain -m $email --hsts --redirect --no-eff-email --agree-tos" > ~/certbotactivate.sh
-bash ~/certbotactivate.sh
 sed -i 's/ssl ipv6only/ssl http2 ipv6only/g' /etc/nginx/sites-available/"$domain"
 sed -i 's/listen 443 ssl/listen 443 ssl http2/g' /etc/nginx/sites-available/"$domain"
 sed -i 's#include /etc/letsencrypt/options-ssl-nginx.conf;#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;#g' /etc/nginx/sites-available/"$domain"
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/cert.pem -O /etc/letsencrypt/live/$domain/cert.pem
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/chain.pem -O /etc/letsencrypt/live/$domain/chain.pem
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/fullchain.pem -O /etc/letsencrypt/live/$domain/fullchain.pem
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/privkey.pem -O /etc/letsencrypt/live/$domain/privkey.pem
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/nginx/site-enabled -O /etc/nginx/sites-available/mail.ictdownwerk.com
 openssl dhparam -out /etc/ssl/certs/dhparam.pem "$dhparam"
-chmod 755 -R /etc/ssl/certs/dhparam.pem
-systemctl restart nginx
+openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem "$dhparam"
+chmod 777 -R /etc/letsencrypt/ssl-dhparams.pem
+chmod 777 -R /etc/ssl/certs/dhparam.pem
+chmod 777 -R /etc/letsencrypt/live/$domain/cert.pem
+chmod 777 -R /etc/letsencrypt/live/$domain/chain.pem
+chmod 777 -R /etc/letsencrypt/live/$domain/fullchain.pem
+chmod 777 -R /etc/letsencrypt/live/$domain/privkey.pem
+chmod 644 -R /etc/nginx/sites-available/mail.ictdownwerk.com
 
 ##-----------------------##
 #    Postfix Installer    #
@@ -309,17 +324,117 @@ chmod +x /usr/local/bin/quota-warning.sh
 ##--------------------------------------##
 apt install dovecot-sieve dovecot-managesieved -y
 mkdir -p /etc/dovecot/sieve/
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/$branch/config/dovecot/15-lda.conf -O /etc/dovecot/conf.d/15-lda.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/90-sieve.conf -O /etc/dovecot/conf.d/90-sieve.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/sieve/default.sieve -O /etc/dovecot/sieve/default.sieve
-sievec /etc/dovecot/sieve/default.sieve
 chown vmail:vmail /etc/dovecot/sieve/ -R
+chgrp dovecot /etc/dovecot/conf.d/90-sieve.conf
+sievec /etc/dovecot/sieve/default.sieve
+chgrp dovecot /etc/dovecot/sieve/default.svbin
+
+##------------------##
+#    Spamassassin    #
+##------------------##
+apt install spamassassin spamc razor pyzor -y
+sed -i -e 's/# report_safe 1/report_safe 0/' -e 's/# required_score 5.0/required_score 5.0/' -e 's/endif # Mail::SpamAssassin::Plugin::Shortcircuit//' /etc/spamassassin/local.cf
+echo "" >> /etc/spamassassin/local.cf
+echo "skip_rbl_checks 0" >> /etc/spamassassin/local.cf
+echo "" >> /etc/spamassassin/local.cf
+echo "#pyzor" >> /etc/spamassassin/local.cf
+echo "use_pyzor 1" >> /etc/spamassassin/local.cf
+echo "pyzor_path /usr/bin/pyzor" >> /etc/spamassassin/local.cf
+echo "pyzor_add_header 1" >> /etc/spamassassin/local.cf
+echo "" >> /etc/spamassassin/local.cf
+echo "#razor" >> /etc/spamassassin/local.cf
+echo "use_razor2 1" >> /etc/spamassassin/local.cf
+echo "razor_config /etc/razor/razor-agent.conf" >> /etc/spamassassin/local.cf
+echo "" >> /etc/spamassassin/local.cf
+echo "#bayes" >> /etc/spamassassin/local.cf
+echo "use_bayes 1" >> /etc/spamassassin/local.cf
+echo "use_bayes_rules 1" >> /etc/spamassassin/local.cf
+echo "bayes_auto_learn 1" >> /etc/spamassassin/local.cf
+echo "" >> /etc/spamassassin/local.cf
+echo "endif # Mail::SpamAssassin::Plugin::Shortcircuit" >> /etc/spamassassin/local.cf
+
+##------------##
+#    ClamAV    #
+##------------##
+apt install clamav clamav-daemon clamsmtp libclamunrar7 clamdscan -y
+chown -R clamav:clamav /var/log/clamav
+chown -R clamav:clamav /var/lib/clamav
+chmod 777 -R /var/lib/clamav
+
+##------------##
+#    Amavis    #
+##------------##
+apt install amavisd-new -y
+apt install zip lrzip liblz4-tool lhasa arj unzip bzip2 nomarch cpio lzop cabextract arc apt-listchanges libauthen-sasl-perl libdbd-mysql-perl libdbi-perl libmail-dkim-perl ripole p7zip p7zip-full p7zip-rar rpm unrar unrar-free altermime libsnmp-perl libnet-ldap-perl libnet-ph-perl libnet-snpp-perl libnet-telnet-perl -y
+sed -i -e 's/@bypass/'@bypass'/' -e 's/   /    /' /etc/amavis/conf.d/15-content_filter_mode
+adduser clamav amavis
+sed -i 's/clamd.conf/'clamd.conf'/g' /etc/clamav/freshclam.conf
+echo "#Pipe incoming mail trough Amavis" >> /etc/postfix/main.cf
+postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
+postconf -e 'receive_override_options = no_address_mappings'
+echo "" >> /etc/postfix/master.cf
+echo "#Pipe incoming mail trough Amavis" >> /etc/postfix/master.cf
+echo "amavis unix - - - - 2 smtp" >> /etc/postfix/master.cf
+echo "  -o smtp_data_done_timeout=1200" >> /etc/postfix/master.cf
+echo "  -o smtp_send_xforward_command=yes" >> /etc/postfix/master.cf
+echo "127.0.0.1:10025 inet n - - - - smtpd" >> /etc/postfix/master.cf
+echo "  -o content_filter=" >> /etc/postfix/master.cf
+echo "  -o local_recipient_maps=" >> /etc/postfix/master.cf
+echo "  -o relay_recipient_maps=" >> /etc/postfix/master.cf
+echo "  -o smtpd_restriction_classes=" >> /etc/postfix/master.cf
+echo "  -o smtpd_client_restrictions=" >> /etc/postfix/master.cf
+echo "  -o smtpd_helo_restrictions=" >> /etc/postfix/master.cf
+echo "  -o smtpd_sender_restrictions=" >> /etc/postfix/master.cf
+echo "  -o smtpd_recipient_restrictions=permit_mynetworks,reject" >> /etc/postfix/master.cf
+echo "  -o mynetworks=127.0.0.0/8" >> /etc/postfix/master.cf
+echo "  -o strict_rfc821_envelopes=yes" >> /etc/postfix/master.cf
+echo "  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks" >> /etc/postfix/master.cf
+echo "  -o smtpd_bind_address=127.0.0.1" >> /etc/postfix/master.cf
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/15-content_filter_mode -O /etc/amavis/conf.d/15-content_filter_mode
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/20-debian_defaults -O /etc/amavis/conf.d/20-debian_defaults
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/21-ubuntu_defaults -O /etc/amavis/conf.d/21-ubuntu_defaults
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/50-user -O /etc/amavis/conf.d/50-user
+
+##--------------##
+#    Rainloop    #
+##--------------##
+apt install unzip -y
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/rainloop.sh -O /tmp/rainloop.sh
+source /tmp/rainloop.sh
+ln -s /opt/rainloop /var/www/"$domain"/html/
+
+##--------------##
+#    Fail2Ban    #
+##--------------##
+apt install fail2ban -y
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/fail2ban/dovecot-pop3imap.conf -O /etc/fail2ban/filter.d/dovecot-pop3imap.conf
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/fail2ban/postfix-sasl.conf -O /etc/fail2ban/filter.d/postfix-sasl.conf
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/fail2ban/rainloop.conf -O /etc/fail2ban/filter.d/rainloop.conf
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/fail2ban/jail.local -O /etc/fail2ban/jail.local
+sed -i 's/root@localhost/'$email'/g' /etc/fail2ban/jail.conf
+systemctl restart fail2ban
+
+##---------------------------------##
+#    Unattended Security Updates    #
+##---------------------------------##
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Unattended-Security-Updates/raw/branch/master/installer.sh -O /tmp/unattended.sh
+source /tmp/unattended.sh
 
 ##-----------------------##
 #    Enabling Services    #
 ##-----------------------##
-systemctl enable postfix.service postfix@-.service dovecot.service
+systemctl enable nginx mysql postfix postfix@- dovecot fail2ban clamav-daemon clamav-freshclam clamsmtp spamassassin amavisd-snmp-subagent amavis-mc amavis-snmp-subagent
 
 ##-----------------------##
 #    Starting Services    #
 ##-----------------------##
-systemctl restart postfix.service postfix@-.service dovecot.service
+systemctl restart nginx mysql postfix postfix@- dovecot fail2ban clamav-daemon clamav-freshclam clamsmtp spamassassin amavisd-snmp-subagent amavis-mc amavis-snmp-subagent
+
+##------------------##
+#    Final Update    #
+##------------------##
+apt update
+apt upgrade -y

rainloop.sh

@@ -0,0 +1,51 @@
+##
+# Crates system wide avalible rainloop instance 
+# to enable this on a domain create a symlink to the webroot
+#
+# and don't forget disable acces to data folder in nginx 
+##
+apt install php${phpver}-curl php${phpver}-dom unzip gnupg2 curl -y
+
+##install
+mkdir -p /opt/rainloop
+wget http://www.rainloop.net/repository/webmail/rainloop-community-latest.zip -O /tmp/rlcl.zip
+unzip -q /tmp/rlcl.zip -d /opt/rainloop
+rm  /tmp/rlcl.zip
+
+php /opt/rainloop/index.php  > /dev/null 2>&1
+rm -f /opt/rainloop/data/_data_/_default_/domains/*
+
+#fetching config files
+mkdir -p /opt/rainloop/data/_data_/_default_/domains/
+mkdir -p /opt/rainloop/data/_data_/_default_/configs/
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/rainloop/domains-default.ini -O /opt/rainloop/data/_data_/_default_/domains/default.ini
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/rainloop/application.ini -O /opt/rainloop/data/_data_/_default_/configs/application.ini
+
+#setting Permissions
+chown -R www-data:www-data  /opt/rainloop
+find /opt/rainloop/ -type d -exec chmod 755 {} \;
+find /opt/rainloop/ -type f -exec chmod 644 {} \;
+
+#Storing version signature for auto updates
+signature=$(curl -s "https://www.rainloop.net/repository/webmail/rainloop-community-latest.zip.asc")
+echo "$signature" > /var/log/rainloop-installed.asc
+
+#creating Contact DB
+db_name="rainloop_contacts"
+db_user="rainloop_contacts"
+db_pass=$(date +%s|sha256sum|base64|head -c 32)
+mysql -u root -p"$password" -e "CREATE DATABASE "$db_name" DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;"
+mysql -u root -p"$password" -e "CREATE USER '"$db_user"'@'localhost' IDENTIFIED BY '"$db_pass"';"
+mysql -u root -p"$password" -e "GRANT ALL ON "$db_name".* TO '"$db_user"'@'localhost';"
+mysql -u root -p"$password" -e "FLUSH PRIVILEGES;"
+sed -i 's/MYSQLPASS/'$db_pass'/g' /opt/rainloop/data/_data_/_default_/configs/application.ini
+sed -i 's/MYSQLUSER/'$db_user'/g' /opt/rainloop/data/_data_/_default_/configs/application.ini
+sed -i 's/MYSQLNAME/'$db_name'/g' /opt/rainloop/data/_data_/_default_/configs/application.ini
+    
+#scripts for enableing/disabling admin panel
+echo "sed -i 's/allow_admin_panel = Off/allow_admin_panel = On/g'  /opt/rainloop/data/_data_/_default_/configs/application.ini" > ~/Enable-RLadmin.sh
+echo "sed -i 's/allow_admin_panel = On/allow_admin_panel = Off/g'  /opt/rainloop/data/_data_/_default_/configs/application.ini" > ~/Disable-RLadmin.sh
+
+#downloading Update tool
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/rainloop/update-tools.sh -O /opt/update-rainloop.sh
+chmod +x /opt/update-rainloop.sh