Silenced output when enableing the firewall

Gnegne

CHANGELOG.md

@@ -1,7 +1,20 @@
 ## 29-08-2019 / 31-08-2019:  
+```
 Dev = done.  
 PostixAdmin, Postfix, Dovecot and Sieve working!  
+```
 
 ## 31-08-2019 / 01-09-2019:
+```
 Started Alpha Branch.  
-PHP7.3 and MySQL 8 working!  
+PHP7.3 and MySQL 8 working!  
+```
+
+## 01-09-2019 / 12-09-2019:
+```
+Started Omega Branch.
+Debloat option added. ClamAV, Spamassassin and Amavis integrated.
+Added Manual Certbot option for testing purposes.
+Unattended Security Updates integrated.
+Few bugfixes.
+```

Future-Updates.md

@@ -0,0 +1,10 @@
+## Future updates:
+```  
+Update PostfixAdmin to the latest version.  
+Set email quota? Postgrey, FuzzyOCR.  
+
+Mail.log should rotate every week, this needs to be tested.  
+
+Export DKIM key to the home folder.  
+User manual for purging and clearing the mail queue.  
+```

README.md

@@ -1,19 +1,35 @@
 # Ubuntu-Mail  
+### Notice, SSH Port has been set 4242  
 
-**Get Started**:  
+**Get Started with the graphical installer**:  
 ```
-wget https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/omega/installer.sh  
-bash installer.sh 2>&1 | tee output.log  
+wget https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/beta/installer.sh -O /tmp/installer.sh  
+bash /tmp/installer.sh
 ```  
 
+**Legacy Installer for developing and debugging**:
+```
+wget https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/beta/installer.sh -O /tmp/installer.sh  
+bash /tmp/installer.sh -l 2>&1 | tee ~/output.log 
+```
+
 #### This script uses the following repo's as dependencies:
 ```
 * VPS-scripts/Unattended-Security-Updates 
 * VPS-scripts/Ubuntu-MySQL
+* VPS-scripts/Ubuntu-Web
 ```  
 
 
 #### Sources:  
 ```  
 https://linuxize.com/post/set-up-an-email-server-with-postfixadmin
+https://www.howtoforge.com/amavisd_postfix_debian_ubuntu
+https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf
+https://linuxconfig.org/how-to-change-welcome-message-motd-on-ubuntu-18-04-server
+https://phoenixnap.com/kb/automatic-security-updates-ubuntu
+https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands
+
+https://www.mail-tester.com
+https://www.emailsecuritycheck.net
 ```  

config/amavis/20-debian_defaults

@@ -33,19 +33,10 @@ $enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
 $inet_socket_port = 10024;   # default listening socket
 
 #$sa_spam_subject_tag = '***SPAM*** ';
-#$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
-#$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
-#$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
-#$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
-
-
-$sa_tag_level_deflt = -999;  # add spam info headers if at, or above that level
-$sa_tag2_level_deflt = 1.0;  # add 'spam detected' headers at that level
+$sa_tag_level_deflt  = 3.0;  # add spam info headers if at, or above that level
+$sa_tag2_level_deflt = 3.0; # add 'spam detected' headers at that level
 $sa_kill_level_deflt = 21.0; # triggers spam evasive actions
-$sa_dsn_cutoff_level = 4;    # spam level beyond which a DSN is not sent
-
-
-
+$sa_dsn_cutoff_level = 5;   # spam level beyond which a DSN is not sent
 
 
 

config/amavis/21-ubuntu_defaults

@@ -9,13 +9,13 @@ $enable_dkim_verification = 1;
 @whitelist_sender_acl = qw( .$mydomain );
 $final_virus_destiny      = D_DISCARD; # (defaults to D_BOUNCE)
 $final_banned_destiny     = D_DISCARD;  # (defaults to D_BOUNCE)
-$final_spam_destiny       = D_DISCARD;  # (defaults to D_REJECT)
+$final_spam_destiny       = D_PASS;  # (defaults to D_REJECT)
 $final_bad_header_destiny = D_PASS;  # (defaults to D_PASS), D_BOUNCE suggested
 
-$sa_tag_level_deflt = -999;  # add spam info headers if at, or above that level
-$sa_tag2_level_deflt = 1.0;  # add 'spam detected' headers at that level
+$sa_tag_level_deflt = 3.0;  # add spam info headers if at, or above that level
+$sa_tag2_level_deflt = 3.0;  # add 'spam detected' headers at that level
 $sa_kill_level_deflt = 21.0; # triggers spam evasive actions
-$sa_dsn_cutoff_level = 4;    # spam level beyond which a DSN is not sent
+$sa_dsn_cutoff_level = 5;    # spam level beyond which a DSN is not sent
 
 
 

config/amavis/50-user

@@ -11,7 +11,7 @@ use strict;
 #@lookup_sql_dsn = (
 #    ['DBI:mysql:database=postfixadmin;host=127.0.0.1;port=3306',
 #     'postfixadmin',
-#     'JW9t9ipdgLrWvMqHq7hX']);
+#     'PASSword']);
 
 # Disable show header recieve from amavisd localhost 127.0.0.1
 $allowed_added_header_fields{lc('Received')} = 0;

config/dkim/opendkim.conf

@@ -0,0 +1,95 @@
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog			yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask			007
+
+# Sign for example.com with key in /etc/dkimkeys/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain			example.com
+#KeyFile		/etc/dkimkeys/dkim.key
+#Selector		2007
+
+# Commonly-used options; the commented-out versions show the defaults.
+Canonicalization	relaxed/simple
+Mode			sv
+SubDomains		no
+AutoRestart         yes
+AutoRestartRate     10/1M
+Background          yes
+DNSTimeout          5
+SignatureAlgorithm  rsa-sha256
+
+# Socket smtp://localhost
+#
+# ##  Socket socketspec
+# ##
+# ##  Names the socket where this filter should listen for milter connections
+# ##  from the MTA.  Required.  Should be in one of these forms:
+# ##
+# ##  inet:port@address           to listen on a specific interface
+# ##  inet:port                   to listen on all interfaces
+# ##  local:/path/to/socket       to listen on a UNIX domain socket
+#
+#Socket                  inet:8892@localhost
+Socket                   local:/var/spool/postfix/opendkim/opendkim.sock
+
+##  PidFile filename
+###      default (none)
+###
+###  Name of the file where the filter should write its pid before beginning
+###  normal operations.
+#
+PidFile               /var/run/opendkim/opendkim.pid
+
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier.  From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders		From
+
+##  ResolverConfiguration filename
+##      default (none)
+##
+##  Specifies a configuration file to be passed to the Unbound library that
+##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
+##  documentation at http://unbound.net for the expected content of this file.
+##  The results of using this and the TrustAnchorFile setting at the same
+##  time are undefined.
+##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
+##  unbound package
+
+# ResolverConfiguration     /etc/unbound/unbound.conf
+
+##  TrustAnchorFile filename
+##      default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile       /usr/share/dns/root.key
+
+##  Userid userid
+###      default (none)
+###
+###  Change to user "userid" before starting normal operation?  May include
+###  a group ID as well, separated from the userid by a colon.
+#
+UserID                opendkim
+
+# Map domains in From addresses to keys used to sign messages
+KeyTable           refile:/etc/opendkim/key.table
+SigningTable       refile:/etc/opendkim/signing.table
+
+# Hosts to ignore when verifying signatures
+ExternalIgnoreList  /etc/opendkim/trusted.hosts
+
+# A set of internal hosts whose mail should be signed
+InternalHosts       /etc/opendkim/trusted.hosts

config/dkim/opendkim.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+##----------------------------##
+#    OpenDKIM Configuration    #
+##----------------------------##
+
+gpasswd -a postfix opendkim
+
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/beta/config/dkim/opendkim.conf -O /etc/opendkim.conf
+mkdir -p /etc/opendkim
+mkdir -p /etc/opendkim/keys
+chown -R opendkim:opendkim /etc/opendkim
+chmod go-rw /etc/opendkim/keys
+
+echo "*@$domonly    default._domainkey.$domonly" >> /etc/opendkim/signing.table
+echo "default._domainkey.$domonly     $domonly:default:/etc/opendkim/keys/$domonly/default.private" >> /etc/opendkim/key.table
+echo "127.0.0.1" >> /etc/opendkim/trusted.hosts
+echo "localhost" >> /etc/opendkim/trusted.hosts
+echo "" >> /etc/opendkim/trusted.hosts
+echo "*.$domonly" >> /etc/opendkim/trusted.hosts
+
+mkdir -p /etc/opendkim/keys/$domonly
+opendkim-genkey -b $dhparam -d $domonly -D /etc/opendkim/keys/$domonly -s default -v
+chown opendkim:opendkim /etc/opendkim/keys/$domonly/default.private
+
+##---------------------------##
+#    Postfix Configuration    #
+##---------------------------##
+
+mkdir -p /var/spool/postfix/opendkim
+chown opendkim:postfix /var/spool/postfix/opendkim
+
+echo "# Milter configuration" >> /etc/postfix/main.cf
+echo "milter_default_action = accept" >> /etc/postfix/main.cf
+echo "milter_protocol = 6" >> /etc/postfix/main.cf
+echo "smtpd_milters = local:/opendkim/opendkim.sock" >> /etc/postfix/main.cf
+echo 'non_smtpd_milters = $smtpd_milters' >> /etc/postfix/main.cf

config/dovecot/15-mailboxes.conf

@@ -47,6 +47,7 @@ namespace inbox {
   # These mailboxes are widely used and could perhaps be created automatically:
   mailbox Drafts {
     special_use = \Drafts
+    auto = subscribe
   }
   mailbox Spam {
     special_use = \Junk
@@ -54,15 +55,18 @@ namespace inbox {
   }
   mailbox Junk {
     special_use = \Junk
+    auto = subscribe
   }
   mailbox Trash {
     special_use = \Trash
+    auto = subscribe
   }
 
   # For \Sent mailboxes there are two widely used names. We'll mark both of
   # them as \Sent. User typically deletes one of them if duplicates are created.
   mailbox Sent {
     special_use = \Sent
+    auto = subscribe
   }
   mailbox "Sent Messages" {
     special_use = \Sent

config/manual.sh

@@ -0,0 +1,9 @@
+echo "##----------------##"$'\n'"#   OpenDKIM key   #"$'\n'"##----------------##"$'\n' >> ~/Readme.md
+cat /etc/opendkim/keys/$domonly/default.txt >> ~/Readme.md
+echo "" >> ~/Readme.md
+
+echo "##----------------------##"$'\n'"#   Postfix mail queue   #"$'\n'"##----------------------##"$'\n'  >> ~/Readme.md
+echo "#Show queue"$'\n'"postqueue -p"$'\n'"#Show message"$'\n'"postcat -vq XXXXXXXXXX"$'\n'"#Flushing the queue"$'\n'"postqueue -f"$'\n'"#Removing all queued messages"$'\n'"postsuper -d ALL"$'\n'"#Remove differed messages from the queue (i.e. only the ones the system intends to retry later)"$'\n'"postsuper -d ALL deferred" >> ~/Readme.md
+
+echo "##--------------##"$'\n'"#   SPF Record   #"$'\n'"##--------------##"$'\n' >> ~/Readme.md
+echo "v=spf1 a mx ip4:$wanip ~all"$'\n' >> ~/Readme.md

config/motd/01-custom

@@ -0,0 +1,4 @@
+#!/bin/sh
+printf "\n"
+printf " * System started, please wait for services to enable!\n"
+printf " * This takes 5 minutes\n"

config/nginx/PostfixAdmin-site-unconfigured

@@ -0,0 +1,52 @@
+server {
+    listen 80;
+    listen [::]:80;
+    root /var/www/DOMAINname/html;
+    index index.php index.html index.htm index.nginx-debian.html;
+    server_name DOMAINname;
+            
+    gzip on;
+    gzip_proxied any;
+    gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript image/svg image/svg+xml application/xml image/x-icon;
+    gzip_comp_level 2;
+    gzip_disable "msie6";
+    gzip_buffers 16 8k;
+
+        location / {
+            try_files $uri $uri/ /index.php$is_args$args;
+        }
+
+        location = /favicon.ico { log_not_found off; access_log off; }
+        location = /robots.txt { log_not_found off; access_log off; allow all; }
+        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)$ {
+            expires max;
+            log_not_found off;
+            add_header Cache-Control "public, no-transform";
+        }
+        location ~ \.php$ {
+            include snippets/fastcgi-php.conf;
+            fastcgi_pass unix:/var/run/php/phpPHPver-fpm.sock;
+        }
+        location ~ /\.ht {
+            deny all;
+        }
+        set $no_cache 0;
+        if ($request_method = POST) {
+            set $no_cache 1;
+        }
+        if ($query_string != "") {
+            set $no_cache 1;
+        }
+        if ($http_cookie = "PHPSESSID") {
+            set $no_cache 1;
+        }
+            
+    location ^~ /rainloop/data {
+    deny all;
+    }
+
+    location ^~ /data {
+    deny all;
+    }
+
+}

config/postfix/clear-queue.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+echo "#Purge mail queue every night" >> /etc/crontab
+echo "0 0 * * * root /opt/clear-queue.sh" >> /etc/crontab
+echo "#!/bin/sh" >> /opt/purge-queue.sh
+echo "postfix -f" >> /opt/purge-queue.sh
+chmod +x /opt/purge-queue.sh
+
+echo "#Clear mail queue weekly" >> /etc/crontab
+echo "@weekly root /opt/clear-queue.sh" >> /etc/crontab
+echo "#!/bin/sh" >> /opt/clear-queue.sh
+echo "postsuper -d ALL" >> /opt/clear-queue.sh
+chmod +x /opt/clear-queue.sh

config/rainloop/application.ini

@@ -275,7 +275,7 @@ allow_prefetch = On
 allow_smart_html_links = On
 cache_system_data = On
 date_from_headers = On
-autocreate_system_folders = On
+autocreate_system_folders = Off
 allow_message_append = Off
 disable_iconv_if_mbstring_supported = Off
 login_fault_delay = 1

config/rainloop/rainloop.sh

@@ -1,36 +1,46 @@
-##
-# Crates system wide avalible rainloop instance 
-# to enable this on a domain create a symlink to the webroot
-#
-# and don't forget disable acces to data folder in nginx 
-##
-apt install php${phpver}-curl php${phpver}-dom unzip gnupg2 curl -y
+#!/bin/bash
 
-##install
+###=============================================================###
+##  Rainloop installer                                           ## 
+###=============================================================###
+#   Creates a system wide available rainloop instance             #
+#   to enable this on a domain create a symlink to the webroot    #
+#   Don't forget disable access to the data folder in nginx       #
+###=============================================================###
+
+##-----------##
+#   Install   #
+##-----------##
 mkdir -p /opt/rainloop
 wget http://www.rainloop.net/repository/webmail/rainloop-community-latest.zip -O /tmp/rlcl.zip
 unzip -q /tmp/rlcl.zip -d /opt/rainloop
-rm  /tmp/rlcl.zip
-
 php /opt/rainloop/index.php  > /dev/null 2>&1
 rm -f /opt/rainloop/data/_data_/_default_/domains/*
 
-#fetching config files
+##-------------------------##
+#   Fetching config files   #
+##-------------------------##
 mkdir -p /opt/rainloop/data/_data_/_default_/domains/
 mkdir -p /opt/rainloop/data/_data_/_default_/configs/
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/rainloop/domains-default.ini -O /opt/rainloop/data/_data_/_default_/domains/default.ini
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/rainloop/application.ini -O /opt/rainloop/data/_data_/_default_/configs/application.ini
 
-#setting Permissions
+##-----------------------##
+#   Setting permissions   #
+##-----------------------##
 chown -R www-data:www-data  /opt/rainloop
 find /opt/rainloop/ -type d -exec chmod 755 {} \;
 find /opt/rainloop/ -type f -exec chmod 644 {} \;
 
-#Storing version signature for auto updates
+##----------------------------------------------##
+#   Storing version signature for auto-updates   #
+##----------------------------------------------##
 signature=$(curl -s "https://www.rainloop.net/repository/webmail/rainloop-community-latest.zip.asc")
 echo "$signature" > /var/log/rainloop-installed.asc
 
-#creating Contact DB
+##-----------------------##
+#   Creating Contact DB   #
+##-----------------------##
 db_name="rainloop_contacts"
 db_user="rainloop_contacts"
 db_pass=$(date +%s|sha256sum|base64|head -c 32)
@@ -41,11 +51,15 @@ mysql -u root -p"$password" -e "FLUSH PRIVILEGES;"
 sed -i 's/MYSQLPASS/'$db_pass'/g' /opt/rainloop/data/_data_/_default_/configs/application.ini
 sed -i 's/MYSQLUSER/'$db_user'/g' /opt/rainloop/data/_data_/_default_/configs/application.ini
 sed -i 's/MYSQLNAME/'$db_name'/g' /opt/rainloop/data/_data_/_default_/configs/application.ini
-    
-#scripts for enableing/disabling admin panel
+
+##----------------------------------##
+#   Enabling/disabling admin panel   #
+##----------------------------------##
 echo "sed -i 's/allow_admin_panel = Off/allow_admin_panel = On/g'  /opt/rainloop/data/_data_/_default_/configs/application.ini" > ~/Enable-RLadmin.sh
 echo "sed -i 's/allow_admin_panel = On/allow_admin_panel = Off/g'  /opt/rainloop/data/_data_/_default_/configs/application.ini" > ~/Disable-RLadmin.sh
 
-#downloading Update tool
+##---------------------------##
+#   Downloading Update tool   #
+##---------------------------##
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/rainloop/update-tools.sh -O /opt/update-rainloop.sh
 chmod +x /opt/update-rainloop.sh

config/spf/incoming_spf.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+echo "#Check for incoming SPF" >> /etc/postfix/master.cf
+echo "policyd-spf  unix  -       n       n       -       0       spawn" >> /etc/postfix/master.cf
+echo "    user=policyd-spf argv=/usr/bin/policyd-spf" >> /etc/postfix/master.cf
+echo "#Check for incoming SPF" >> /etc/postfix/main.cf
+echo "policyd-spf_time_limit = 3600" >> /etc/postfix/main.cf

config/ufw/config.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+#ufw config
+sed -i 's/IPV6=yes/IPV6=no/g'   /etc/default/ufw
+ufw default deny incoming > $OUTPUT 2>&1
+
+#Web interface
+ufw allow 80/tcp > $OUTPUT 2>&1
+ufw allow 443/tcp > $OUTPUT 2>&1
+
+#IMAP/POP3
+ufw allow 25/tcp > $OUTPUT 2>&1
+ufw allow 110/tcp > $OUTPUT 2>&1
+ufw allow 143/tcp > $OUTPUT 2>&1
+ufw allow 465/tcp > $OUTPUT 2>&1
+ufw allow 587/tcp > $OUTPUT 2>&1
+ufw allow 993/tcp > $OUTPUT 2>&1
+ufw allow 995/tcp > $OUTPUT 2>&1
+
+#DNS
+ufw allow 53/tcp > $OUTPUT 2>&1
+
+#SSH
+ufw limit 4242/tcp > $OUTPUT 2>&1
+
+echo "y" | ufw enable > $OUTPUT 2>&1

installer.sh

@@ -1,260 +1,254 @@
-###==========================================###
-##      Ubuntu 18.04 Mailserver installer     ## 
-###==========================================###
+#!/bin/bash
+
+###############################
+# @author: Bram Prieshof      #
+# @author: Branco van de Waal #
+###############################
 
 ##----------##
 #    Menu    #
 ##----------##
-#echo "Menu"
+sed -i -e 's/magenta/blue/g' /etc/newt/palette
+if [ "$1" != "-l" ]; then
+  echo "Normal mode"
+  PKGM="debconf-apt-progress -- apt"
+  OUTPUT='/dev/null'
+  IMODE=n
+fi
 
-#echo "Ubuntu 18.04 Mailserver installatie script."
-#echo "Domein zonder www en mail.:"
-#read domain
-#echo "Algemeen wachtwoord:"
-#read password
-#echo "Administrator email:"
-#read email
+if [ "$1" = "-l" ]; then
+  echo "Legacy mode";
+  PKGM="apt"
+  OUTPUT='/dev/tty'
+  IMODE=l
+fi
+PKGA="add-apt-repository"
+PKGI="${PKGM} install -y"
 
-##-----------------##
-#    Static-Vars    #
-##-----------------##
-echo "Static-Vars"
-domain=ictdownwerk.com
-password=JW9t9ipdgLrWvMqHq7hX
-email=admin@ictdagbesteding.nl
+if [ $IMODE = n ]; then
+if (whiptail --title "Ubuntu 18.04 Mail Server" --yesno "                  Do you want to install a mail server?" 11 78)
+    then
+        echo "" >/dev/null
+    else
+    	whiptail --title "Credits" --msgbox "                   Made by: your local Wizard and God" 11 78
+        clear
+        exit
+fi
+echo "" >/dev/null
+password=$(whiptail --nocancel --passwordbox "Please enter your password (should contain at least 2 digits and 6 characters)" 11 82 --title "Config" 3>&1 1>&2 2>&3)
+domain=$(whiptail --nocancel --inputbox "                     Enter the domain without www or mail." 11 82 --title "Config" 3>&1 1>&2 2>&3)
+email=$(whiptail --nocancel --inputbox "                        Enter the administrator e-mail" 11 82 --title "Config" 3>&1 1>&2 2>&3)
+uploadsize=$(whiptail --nocancel --title "Config" --radiolist "                      Choose the maximum attachment size:" 11 82 4 "10" "MB                                                             " on "25" "MB" off "50" "MB" off "100" "MB" off 3>&1 1>&2 2>&3)
+elif [ $IMODE = l ]; then
+echo "" >/dev/null
+echo "Ubuntu 18.04 Mailserver installation script."
+echo "Domain without www or e-mail:"
+read domain
+echo "Please enter your password (should contain at least 2 digits and 6 characters:"
+read password
+echo "Administrator E-mail:"
+read email
+echo "Enter the maximum attachment size in MB (without MB)"
+read uploadsize
+fi
+
+##---------------##
+#    Functions    #
+##---------------##
+msg () {
+if [ $IMODE = n ]; then
+TERM=ansi whiptail --title "Info" --infobox "$1" 8 52
+fi
+if [ $IMODE = l ]; then
+echo "$1"
+fi
+}
+
+##--------------##
+#    Variables   #
+##--------------##
 phpver=7.3
 domonly=${domain}
 domain=mail.${domain}
-branch=omega
+branch=beta
 dhparam=1024
+PHPMyadmin=1
+PKGA="add-apt-repository"
+PKGI="${PKGM} install -y"
+db_pass=$(date +%s|sha256sum|base64|head -c 32)
+wanip=`ip -o route get 1.1.1.1 | sed -e 's/^.* src \([^ ]*\) .*$/\1/'`
+debconf-set-selections <<< "postfix postfix/mailname string $(hostname -f)"
+debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
 
 ##----------------##
 #    Pre-Config    #
 ##----------------##
-hostnamectl set-hostname $domain
-apt update
-add-apt-repository universe -y
-add-apt-repository ppa:ondrej/php -y
-apt install software-properties-common -y
-apt upgrade -y
-apt autoremove -y
-timedatectl set-timezone Europe/Amsterdam
+msg "                Pre-Configuring"
+sleep 2
+sed -i '/Port 22/c\Port 4242' /etc/ssh/sshd_config
+hostnamectl set-hostname $domain > $OUTPUT 2>&1
+timedatectl set-timezone Europe/Amsterdam > $OUTPUT 2>&1
+hostname --fqdn > /etc/mailname
 mkdir -p /etc/nginx
 mkdir -p /var/www/"$domain"/html
 chmod -R 755 /var/www
+#if free | awk '/^Swap:/ {exit !$2}'; then
+#    echo "swap enabled" >/dev/null
+#else
+#    fallocate -l 3G /swapfile
+#    chmod 600 /swapfile
+#    mkswap /swapfile
+#    swapon /swapfile
+#    echo '/swapfile swap swap defaults 0 0' >> /etc/fstab
+#fi
+#sed -i 's/#/vm.swappiness=40/g' /etc/sysctl.conf
+
+##----------------------##
+#    Pre-Requirements    #
+##----------------------##
+msg "                Buzzy like a bee"
+$PKGM update
+$PKGI software-properties-common sudo
+$PKGA universe -y > $OUTPUT 2>&1
+$PKGA ppa:ondrej/php -y > $OUTPUT 2>&1
+$PKGA ppa:certbot/certbot -y > $OUTPUT 2>&1
+wget -q -t7 -O- https://repo.dovecot.org/DOVECOT-REPO-GPG | sudo apt-key add -
+echo "deb https://repo.dovecot.org/ce-2.3-latest/ubuntu/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/dovecot.list > $OUTPUT 2>&1
+$PKGM update
+$PKGM upgrade -y
+
+##-----------------------------##
+#    Installing Requirements    #
+##-----------------------------##
+$PKGI nginx postfix postfix-mysql php${phpver} php${phpver}-curl php${phpver}-dom php${phpver}-common php${phpver}-imap php${phpver}-zip php${phpver}-fpm php${phpver}-cli php${phpver}-json php${phpver}-mysql php${phpver}-opcache php${phpver}-mbstring php${phpver}-readline libc-client2007e mlock gnupg2 curl dovecot-imapd dovecot-lmtpd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-managesieved spamassassin spamc razor pyzor clamav clamav-daemon clamsmtp libclamunrar7 clamdscan amavisd-new zip lrzip liblz4-tool lhasa arj unzip bzip2 nomarch cpio lzop cabextract arc apt-listchanges libauthen-sasl-perl libdbd-mysql-perl libdbi-perl libmail-dkim-perl ripole p7zip p7zip-full p7zip-rar rpm unrar unrar-free altermime libsnmp-perl libnet-ldap-perl libnet-ph-perl libnet-snpp-perl libnet-telnet-perl unzip unattended-upgrades fail2ban bc python-certbot-nginx postfix-policyd-spf-python opendkim opendkim-tools
 
 ##-------------##
 #    Debloat    #
 ##-------------##
-apt autoremove --purge lxcfs lxd lxd-client geoip-database snapd -y
+$PKGM remove --purge lxcfs lxd lxd-client geoip-database snapd -y
+$PKGM autoremove -y
 
 ##-----------------------##
-#    Html Folder Perms    #
+#    HTML Folder Perms    #
 ##-----------------------##
+msg "          Configuring HTML permissions"
+sleep 2
 chown -R www-data:www-data /var/www/"$domain"/html
 
 ##-----------##
 #    NGINX    #
 ##-----------##
-apt install -y nginx
+#$PKGI nginx
+msg "               Configuring Nginx"
+sleep 2
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Web/raw/branch/master/config/nginx/nginx-default.conf -O /etc/nginx/nginx.conf
-
-cat <<EOF > /etc/nginx/sites-available/"$domain"
-#fastcgi_cache_path /etc/nginx/cache levels=1:2 keys_zone=MYAPP:100m max_size=10g inactive=1440m;
-
-server {
-    listen       80;
-    server_name   www.$domain;
-    return       301 http://$domain\$request_uri;
-}
-
-server {
-    listen 80;
-    listen [::]:80;
-    root /var/www/$domain/html;
-    index index.php index.html index.htm index.nginx-debian.html;
-    server_name $domain;
-    #return 301 \$scheme:/\$domain\$request_uri; Redirect to non-www
-    #return 301 https://domein.nl$request_uri; Redirect to other domain
-
-    #add_header X-Cache "\$upstream_cache_status";
-
-    #netdata here
-        
-    gzip on;
-    gzip_proxied any;
-    gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript image/svg image/svg+xml application/xml image/x-icon;
-    gzip_comp_level 2;
-    gzip_disable "msie6";
-    gzip_buffers 16 8k;
-
-#    location /rspamd {
-#    proxy_pass http://127.0.0.1:11334/;
-#    proxy_set_header Host \$host;
-#    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-#}
-
-        location / {
-            #try_files \$uri \$uri/ =404;
-            try_files \$uri \$uri/ /index.php\$is_args\$args;
-            #try_files \$uri \$uri/ \$uri.html \$uri.php\$is_args\$query_string;
-        }
-
-        location = /favicon.ico { log_not_found off; access_log off; }
-        location = /robots.txt { log_not_found off; access_log off; allow all; }
-        location ~* \.(css|gif|ico|jpeg|jpg|js|png|svg|webp|eot|otf|woff|woff2|ttf|ogg)\$ {
-            expires max;
-            log_not_found off;
-            add_header Cache-Control "public, no-transform";
-        }
-
-        location ~ \.php\$ {
-            include snippets/fastcgi-php.conf;
-            fastcgi_pass unix:/var/run/php/php${phpver}-fpm.sock;
-            #fastcgi_cache MYAPP;
-            #fastcgi_cache_valid 200 302 301 1m;
-            #fastcgi_cache_valid 404 1m;
-            #fastcgi_cache_bypass \$no_cache;
-            #fastcgi_no_cache \$no_cache;
-            #fastcgi_cache_revalidate on;
-            #fastcgi_cache_background_update on;
-            #fastcgi_cache_lock on;
-            #fastcgi_cache_use_stale updating;
-            #fastcgi_buffer_size 128k;
-            #fastcgi_buffers 256 16k;
-            #fastcgi_busy_buffers_size 256k;
-            #fastcgi_temp_file_write_size 256k;
-        }
-
-        location ~ /\.ht {
-            deny all;
-        }
-
-        location /phpmyadmin {
-            index index.php;
-        }
-
-        #Cache everything by default
-        set \$no_cache 0;
-
-        #Don't cache POST requests
-        if (\$request_method = POST) {
-            set \$no_cache 1;
-        }
-
-        #Don't cache if the URL contains a query string
-        if (\$query_string != "") {
-            set \$no_cache 1;
-        }
-
-        #Don't cache the following URLs
-        if (\$request_uri ~* "/(administrator/|login.php)") {
-            set \$no_cache 1;
-        }
-
-        #Don't cache if there is a cookie called PHPSESSID
-        if (\$http_cookie = "PHPSESSID") {
-            set \$no_cache 1;
-        }
-    }
-EOF
-
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/stable/config/nginx/PostfixAdmin-site-unconfigured -O /etc/nginx/sites-available/"$domain"
+sed -i -e 's/DOMAINname/'$domain'/' -e 's/PHPver/'$phpver'/' /etc/nginx/sites-available/"$domain"
 ln -s /etc/nginx/sites-available/"$domain" /etc/nginx/sites-enabled/
 
 ##-------------------------------##
 #    NGINX Single core bug fix    #
 ##-------------------------------##
+msg  "             Applying Nginx bug-fix"
+sleep 2
 mkdir /etc/systemd/system/nginx.service.d
 printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
 systemctl daemon-reload
-systemctl restart nginx
 
 ##-----------------------##
 #    MySQL Installation   #
 ##-----------------------##
+msg "                Installing MySQL"
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-MySQL/raw/branch/master/mysql-8.0.sh -O /tmp/mysql-8.0.sh
 source /tmp/mysql-8.0.sh
 
 ##------------------------------##
 #    MySQL_Secure_Installation   #
 ##------------------------------##
-mysql -u root -p"$password" -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"
-mysql -u root -p"$password" -e "DELETE FROM mysql.user WHERE User=''"
-mysql -u root -p"$password" -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'"
-mysql -u root -p"$password" -e "SELECT user,authentication_string,plugin,host FROM mysql.user;"
-mysql -u root -p"$password" -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '"$password"';"
-mysql -u root -p"$password" -e "FLUSH PRIVILEGES;"
+msg "                 Securing MySQL"
+sleep 2
+mysql -u root -p"$password" -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "DELETE FROM mysql.user WHERE User=''" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "SELECT user,authentication_string,plugin,host FROM mysql.user;" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '"$password"';" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "FLUSH PRIVILEGES;" > $OUTPUT 2>&1
 
 ##-----------------------------##
 #    MySQL Database Creation    #
 ##-----------------------------##
-mysql -u root -p"$password" -e "CREATE DATABASE postfixadmin;"
-mysql -u root -p"$password" -e "CREATE USER '"postfixadmin"'@'localhost' IDENTIFIED BY '"$password"';"
-mysql -u root -p"$password" -e "GRANT ALL ON "postfixadmin".* TO "postfixadmin"@'localhost';"
-mysql -u root -p"$password" -e "FLUSH PRIVILEGES;"
+msg "            Creating MySQL Databases"
+sleep 2
+mysql -u root -p"$password" -e "CREATE DATABASE postfixadmin;" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "CREATE USER '"postfixadmin"'@'localhost' IDENTIFIED BY '"$db_pass"';" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "GRANT ALL ON "postfixadmin".* TO "postfixadmin"@'localhost';" > $OUTPUT 2>&1
+mysql -u root -p"$password" -e "FLUSH PRIVILEGES;" > $OUTPUT 2>&1
+
+##----------------##
+#    PhpMyAdmin    #
+##----------------##
+ln -s /usr/share/phpmyadmin /var/www/mail.ictdownwerk.com/html/phpmyadmin
 
 ##------------------##
 #    PostfixADMIN    #
 ##------------------##
-apt install php${phpver} php${phpver}-zip php${phpver}-fpm php${phpver}-cli php${phpver}-json php${phpver}-mysql php${phpver}-opcache php${phpver}-mbstring php${phpver}-readline -y
-apt install libc-client2007e mlock php${phpver}-common php${phpver}-imap -y
+msg "           Configuring PostfixAdmin"
+sleep 2
 mkdir -p /var/www/"$domain"/html/postfixadmin/templates_c
-wget -q -t7 https://git.ictmaatwerk.com/downloads/pfa/postfixadmin-3.1.tar.gz -O /tmp/postfixadmin.tar.gz
+wget -q -t7 https://git.ictmaatwerk.com/downloads/pfa/postfixadmin-3.1-dark.tar.gz -O /tmp/postfixadmin.tar.gz
 tar -xf /tmp/postfixadmin.tar.gz -C /var/www/"$domain"/html/postfixadmin --strip-components=1
 chmod 755 -R /var/www/"$domain"/html/postfixadmin/templates_c
 chown -R www-data: /var/www/"$domain"/html/
-wget https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfixadmin/config.local.php -O /var/www/$domain/html/postfixadmin/config.local.php
-sed -i -e 's/PASSword/'$password'/' -e 's/dOmaINnamE/'$domonly'/' /var/www/"$domain"/html/postfixadmin/config.local.php
-sudo -u www-data php /var/www/"$domain"/html/postfixadmin/upgrade.php
-bash /var/www/"$domain"/html/postfixadmin/scripts/postfixadmin-cli admin add superadmin@"$domonly" --superadmin 1 --active 1 --password "$password" --password2 "$password"
-groupadd -g 5000 vmail
-useradd -u 5000 -g vmail -s /usr/sbin/nologin -d /var/mail/vmail -m vmail
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfixadmin/config.local.php -O /var/www/$domain/html/postfixadmin/config.local.php
+sed -i -e 's/PASSword/'$db_pass'/' -e 's/dOmaINnamE/'$domonly'/' /var/www/"$domain"/html/postfixadmin/config.local.php
+sed -i 's/Welcome to your new account./Welkom bij je nieuwe mailbox!/g' /var/www/"$domain"/html/postfixadmin/config.inc.php       
+sudo -u www-data php /var/www/"$domain"/html/postfixadmin/upgrade.php > $OUTPUT 2>&1
+bash /var/www/"$domain"/html/postfixadmin/scripts/postfixadmin-cli admin add superadmin@"$domonly" --superadmin 1 --active 1 --password "$password" --password2 "$password" > $OUTPUT 2>&1
+groupadd -g 5000 vmail > $OUTPUT 2>&1
+useradd -u 5000 -g vmail -s /usr/sbin/nologin -d /var/mail/vmail -m vmail > $OUTPUT 2>&1
 
 ##--------------------##
 #    Certbot (Auto)    #
 ##--------------------##
-#add-apt-repository ppa:certbot/certbot -y
-#apt install -y python-certbot-nginx
-#certbot --nginx -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
-#echo "certbot --nginx -n -d $domain -m $email --hsts --redirect --no-eff-email --agree-tos" > ~/certbotactivate.sh
-#sed -i 's/ssl ipv6only/ssl http2 ipv6only/g' /etc/nginx/sites-available/"$domain"
-#sed -i 's/listen 443 ssl/listen 443 ssl http2/g' /etc/nginx/sites-available/"$domain"
-#sed -i 's#include /etc/letsencrypt/options-ssl-nginx.conf;#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;#g' /etc/nginx/sites-available/"$domain"
-#openssl dhparam -out /etc/ssl/certs/dhparam.pem "$dhparam"
-#chmod 777 -R /etc/ssl/certs/dhparam.pem
+msg "              Configuring Certbot"
+sleep 2
+certbot --nginx -n -d "$domain" -m "$email" --hsts --redirect --no-eff-email --agree-tos
+echo "certbot --nginx -n -d $domain -m $email --hsts --redirect --no-eff-email --agree-tos" > ~/certbotactivate.sh
+sed -i 's/ssl ipv6only/ssl http2 ipv6only/g' /etc/nginx/sites-available/"$domain"
+sed -i 's/listen 443 ssl/listen 443 ssl http2/g' /etc/nginx/sites-available/"$domain"
+sed -i 's#include /etc/letsencrypt/options-ssl-nginx.conf;#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;#g' /etc/nginx/sites-available/"$domain"
+openssl dhparam -out /etc/ssl/certs/dhparam.pem "$dhparam" > $OUTPUT 2>&1
+chmod 755 -R /etc/ssl/certs/dhparam.pem
 
 ##----------------------##
 #    Certbot (Manual)    #
 ##----------------------##
-mkdir -p /etc/letsencrypt/live/$domain/
-sed -i 's/ssl ipv6only/ssl http2 ipv6only/g' /etc/nginx/sites-available/"$domain"
-sed -i 's/listen 443 ssl/listen 443 ssl http2/g' /etc/nginx/sites-available/"$domain"
-sed -i 's#include /etc/letsencrypt/options-ssl-nginx.conf;#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;#g' /etc/nginx/sites-available/"$domain"
-wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/cert.pem -O /etc/letsencrypt/live/$domain/cert.pem
-wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/chain.pem -O /etc/letsencrypt/live/$domain/chain.pem
-wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/fullchain.pem -O /etc/letsencrypt/live/$domain/fullchain.pem
-wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/privkey.pem -O /etc/letsencrypt/live/$domain/privkey.pem
-wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/nginx/site-enabled -O /etc/nginx/sites-available/mail.ictdownwerk.com
-openssl dhparam -out /etc/ssl/certs/dhparam.pem "$dhparam"
-openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem "$dhparam"
-chmod 777 -R /etc/letsencrypt/ssl-dhparams.pem
-chmod 777 -R /etc/ssl/certs/dhparam.pem
-chmod 777 -R /etc/letsencrypt/live/$domain/cert.pem
-chmod 777 -R /etc/letsencrypt/live/$domain/chain.pem
-chmod 777 -R /etc/letsencrypt/live/$domain/fullchain.pem
-chmod 777 -R /etc/letsencrypt/live/$domain/privkey.pem
-chmod 644 -R /etc/nginx/sites-available/mail.ictdownwerk.com
-
-##-----------------------##
-#    Postfix Installer    #
-##-----------------------##
-debconf-set-selections <<< "postfix postfix/mailname string $(hostname -f)"
-debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
-apt install postfix postfix-mysql -y
+#msg "         Configuring Certbot (manual)"
+#sleep 2
+#mkdir -p /etc/letsencrypt/live/$domain/
+#sed -i 's/ssl ipv6only/ssl http2 ipv6only/g' /etc/nginx/sites-available/"$domain"
+#sed -i 's/listen 443 ssl/listen 443 ssl http2/g' /etc/nginx/sites-available/"$domain"
+#sed -i 's#include /etc/letsencrypt/options-ssl-nginx.conf;#ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;#g' /etc/nginx/sites-available/"$domain"
+#wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/cert.pem -O /etc/letsencrypt/live/$domain/cert.pem
+#wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/chain.pem -O /etc/letsencrypt/live/$domain/chain.pem
+#wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/fullchain.pem -O /etc/letsencrypt/live/$domain/fullchain.pem
+#wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/lets-encrypt/privkey.pem -O /etc/letsencrypt/live/$domain/privkey.pem
+#wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/nginx/site-enabled -O /etc/nginx/sites-available/mail.ictdownwerk.com
+#openssl dhparam -out /etc/ssl/certs/dhparam.pem "$dhparam" > $OUTPUT 2>&1
+#openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem "$dhparam" > $OUTPUT 2>&1
+#chmod 755 -R /etc/letsencrypt/ssl-dhparams.pem
+#chmod 755 -R /etc/ssl/certs/dhparam.pem
+#chmod 755 -R /etc/letsencrypt/live/$domain/cert.pem
+#chmod 755 -R /etc/letsencrypt/live/$domain/chain.pem
+#chmod 755 -R /etc/letsencrypt/live/$domain/fullchain.pem
+#chmod 755 -R /etc/letsencrypt/live/$domain/privkey.pem
+#chmod 644 -R /etc/nginx/sites-available/mail.ictdownwerk.com
 
 ##---------------------------##
 #    Postfix Configuration    #
 ##---------------------------##
+msg "              Configuring Postfix"
+sleep 2
 mkdir -p /etc/postfix/sql
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfix/mysql_virtual_alias_domain_catchall_maps.cf -O /etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfix/mysql_virtual_alias_domain_mailbox_maps.cf -O /etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
@@ -262,12 +256,7 @@ wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$bra
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfix/mysql_virtual_alias_maps.cf -O /etc/postfix/sql/mysql_virtual_alias_maps.cf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfix/mysql_virtual_domains_maps.cf -O /etc/postfix/sql/mysql_virtual_domains_maps.cf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfix/mysql_virtual_mailbox_maps.cf -O /etc/postfix/sql/mysql_virtual_mailbox_maps.cf
-sed -i 's/PASSword/'$password'/g' /etc/postfix/sql/mysql_virtual_domains_maps.cf
-sed -i 's/PASSword/'$password'/g' /etc/postfix/sql/mysql_virtual_alias_maps.cf
-sed -i 's/PASSword/'$password'/g' /etc/postfix/sql/mysql_virtual_alias_domain_maps.cf
-sed -i 's/PASSword/'$password'/g' /etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
-sed -i 's/PASSword/'$password'/g' /etc/postfix/sql/mysql_virtual_mailbox_maps.cf
-sed -i 's/PASSword/'$password'/g' /etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
+sed -i 's/PASSword/'$db_pass'/g' /etc/postfix/sql/mysql_virtual_domains_maps.cf /etc/postfix/sql/mysql_virtual_alias_maps.cf /etc/postfix/sql/mysql_virtual_alias_domain_maps.cf /etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf /etc/postfix/sql/mysql_virtual_mailbox_maps.cf /etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
 echo "#MySQL Database" >> /etc/postfix/main.cf
 postconf -e "virtual_mailbox_domains = mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf"
 postconf -e "virtual_alias_maps = mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf"
@@ -289,21 +278,15 @@ postconf -e "smtpd_sasl_local_domain ="
 postconf -e "smtpd_sasl_security_options = noanonymous"
 postconf -e "broken_sasl_auth_clients = yes"
 postconf -e "smtpd_sasl_auth_enable = yes"
-postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination"
+postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service unix:private/policyd-spf"
 sed -i 's/mynetworks = /#mynetworks = /g' /etc/postfix/main.cf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/$branch/config/postfix/master.cf -O /etc/postfix/master.cf
 
-##-----------------------##
-#    Dovecot Installer    #
-##-----------------------##
-wget -O- https://repo.dovecot.org/DOVECOT-REPO-GPG | sudo apt-key add -
-echo "deb https://repo.dovecot.org/ce-2.3-latest/ubuntu/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/dovecot.list
-apt update
-apt install dovecot-imapd dovecot-lmtpd dovecot-pop3d dovecot-mysql -y
-
 ##---------------------------##
 #    Dovecot Configuration    #
 ##---------------------------##
+msg "              Configuring Dovecot"
+sleep 2
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/15-mailboxes.conf -O /etc/dovecot/conf.d/15-mailboxes.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/10-mail.conf -O /etc/dovecot/conf.d/10-mail.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/10-auth.conf -O /etc/dovecot/conf.d/10-auth.conf
@@ -314,28 +297,29 @@ wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$bra
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/dovecot-dict-sql.conf.ext -O /etc/dovecot/dovecot-dict-sql.conf.ext
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/dovecot-sql.conf.ext -O /etc/dovecot/dovecot-sql.conf.ext
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/quota-warning.sh -O /usr/local/bin/quota-warning.sh
-sed -i 's/PASSword/'$password'/g' /etc/dovecot/dovecot-sql.conf.ext
-sed -i 's/PASSword/'$password'/g' /etc/dovecot/dovecot-dict-sql.conf.ext
+sed -i 's/PASSword/'$db_pass'/g' /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/dovecot-dict-sql.conf.ext
 sed -i -e 's/DOMAINname/'$domain'/' -e 's/#ssl_cert  = /ssl_cert  = /' -e 's/#ssl_key  = /ssl_key  = /' -e 's/#ssl_dh  = /ssl_dh  = /' /etc/dovecot/conf.d/10-ssl.conf
 chmod +x /usr/local/bin/quota-warning.sh
 
 ##--------------------------------------##
 #    Dovecot move Spam to Spam Folder    #
 ##--------------------------------------##
-apt install dovecot-sieve dovecot-managesieved -y
+msg "            Configuring Spam Folder"
+sleep 2
 mkdir -p /etc/dovecot/sieve/
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/$branch/config/dovecot/15-lda.conf -O /etc/dovecot/conf.d/15-lda.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dovecot/90-sieve.conf -O /etc/dovecot/conf.d/90-sieve.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/sieve/default.sieve -O /etc/dovecot/sieve/default.sieve
-chown vmail:vmail /etc/dovecot/sieve/ -R
+chown -R vmail:vmail /etc/dovecot/sieve/
 chgrp dovecot /etc/dovecot/conf.d/90-sieve.conf
-sievec /etc/dovecot/sieve/default.sieve
-chgrp dovecot /etc/dovecot/sieve/default.svbin
+sievec /etc/dovecot/sieve/default.sieve > $OUTPUT 2>&1
+chgrp dovecot /etc/dovecot/sieve/default.svbin > $OUTPUT 2>&1
 
 ##------------------##
 #    Spamassassin    #
 ##------------------##
-apt install spamassassin spamc razor pyzor -y
+msg "            Configuring Spamassassin"
+sleep 2
 sed -i -e 's/# report_safe 1/report_safe 0/' -e 's/# required_score 5.0/required_score 5.0/' -e 's/endif # Mail::SpamAssassin::Plugin::Shortcircuit//' /etc/spamassassin/local.cf
 echo "" >> /etc/spamassassin/local.cf
 echo "skip_rbl_checks 0" >> /etc/spamassassin/local.cf
@@ -359,18 +343,21 @@ echo "endif # Mail::SpamAssassin::Plugin::Shortcircuit" >> /etc/spamassassin/loc
 ##------------##
 #    ClamAV    #
 ##------------##
-apt install clamav clamav-daemon clamsmtp libclamunrar7 clamdscan -y
+msg "               Configuring ClamAV"
+sleep 2
+mkdir -p /var/log/clamav
+mkdir -p /var/lib/clamav
 chown -R clamav:clamav /var/log/clamav
 chown -R clamav:clamav /var/lib/clamav
-chmod 777 -R /var/lib/clamav
+chmod 775 -R /var/lib/clamav/* /var/lib/clamav
 
 ##------------##
 #    Amavis    #
 ##------------##
-apt install amavisd-new -y
-apt install zip lrzip liblz4-tool lhasa arj unzip bzip2 nomarch cpio lzop cabextract arc apt-listchanges libauthen-sasl-perl libdbd-mysql-perl libdbi-perl libmail-dkim-perl ripole p7zip p7zip-full p7zip-rar rpm unrar unrar-free altermime libsnmp-perl libnet-ldap-perl libnet-ph-perl libnet-snpp-perl libnet-telnet-perl -y
+msg "               Configuring Amavis"
+sleep 2
 sed -i -e 's/@bypass/'@bypass'/' -e 's/   /    /' /etc/amavis/conf.d/15-content_filter_mode
-adduser clamav amavis
+adduser clamav amavis > $OUTPUT 2>&1
 sed -i 's/clamd.conf/'clamd.conf'/g' /etc/clamav/freshclam.conf
 echo "#Pipe incoming mail trough Amavis" >> /etc/postfix/main.cf
 postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
@@ -397,44 +384,147 @@ wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$bra
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/20-debian_defaults -O /etc/amavis/conf.d/20-debian_defaults
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/21-ubuntu_defaults -O /etc/amavis/conf.d/21-ubuntu_defaults
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/amavis/50-user -O /etc/amavis/conf.d/50-user
+sed -i 's/PASSword/'$db_pass'/g' /etc/amavis/conf.d/50-user
+
+##------------------##
+#    Incoming SPF    #
+##------------------##
+msg "         Configuring incoming SPF"
+sleep 2
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/spf/incoming_spf.sh -O /tmp/incoming_spf.sh
+source /tmp/incoming_spf.sh > $OUTPUT 2>&1
 
 ##--------------##
 #    Rainloop    #
 ##--------------##
-apt install unzip -y
-wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/rainloop.sh -O /tmp/rainloop.sh
-source /tmp/rainloop.sh
+msg "             Configuring Rainloop"
+sleep 2
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/rainloop/rainloop.sh -O /tmp/rainloop.sh
+source /tmp/rainloop.sh > $OUTPUT 2>&1
 ln -s /opt/rainloop /var/www/"$domain"/html/
 
+##--------------##
+#    OpenDKIM    #
+##--------------##
+msg "             Configuring OpenDKIM"
+sleep 2
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/dkim/opendkim.sh -O /tmp/opendkim.sh
+source /tmp/opendkim.sh > $OUTPUT 2>&1
+
+##-------------------------##
+#    Max attachment size    #
+##-------------------------##
+msg "     Configuring attachment sizes"
+sleep 2
+sed -i 's/body_size 8/body_size '$uploadsize'/g' /etc/nginx/nginx.conf 
+sed -i 's/attachment_size_limit = 25/attachment_size_limit = '$uploadsize'/g' /var/www/$domain/html/rainloop/data/_data_/_default_/configs/application.ini
+sed -i 's/max_filesize = 2/max_filesize = '$uploadsize'/g' /etc/php/$phpver/fpm/php.ini /etc/php/$phpver/cli/php.ini
+sed -i 's/post_max_size = 8/post_max_size = '$uploadsize'/g' /etc/php/$phpver/fpm/php.ini /etc/php/$phpver/cli/php.ini
+
 ##--------------##
 #    Fail2Ban    #
 ##--------------##
-apt install fail2ban -y
+msg "             Configuring Fail2Ban"
+sleep 2
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/fail2ban/dovecot-pop3imap.conf -O /etc/fail2ban/filter.d/dovecot-pop3imap.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/fail2ban/postfix-sasl.conf -O /etc/fail2ban/filter.d/postfix-sasl.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/fail2ban/rainloop.conf -O /etc/fail2ban/filter.d/rainloop.conf
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/fail2ban/jail.local -O /etc/fail2ban/jail.local
 sed -i 's/root@localhost/'$email'/g' /etc/fail2ban/jail.conf
-systemctl restart fail2ban
+systemctl restart fail2ban > $OUTPUT 2>&1
 
 ##---------------------------------##
 #    Unattended Security Updates    #
 ##---------------------------------##
+msg "    Configuring Unattended Security Updates"
+sleep 2
 wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Unattended-Security-Updates/raw/branch/master/installer.sh -O /tmp/unattended.sh
 source /tmp/unattended.sh
 
-##-----------------------##
-#    Enabling Services    #
-##-----------------------##
-systemctl enable nginx mysql postfix postfix@- dovecot fail2ban clamav-daemon clamav-freshclam clamsmtp spamassassin amavisd-snmp-subagent amavis-mc amavis-snmp-subagent
+##--------------------------------------##
+#    Clearing / purging the mail queue   #
+##--------------------------------------##
+msg "             Configuring Mail-queue"
+sleep 2
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/postfix/clear-queue.sh -O /tmp/clear-queue.sh
+source /tmp/clear-queue.sh
 
-##-----------------------##
-#    Starting Services    #
-##-----------------------##
-systemctl restart nginx mysql postfix postfix@- dovecot fail2ban clamav-daemon clamav-freshclam clamsmtp spamassassin amavisd-snmp-subagent amavis-mc amavis-snmp-subagent
+##----------##
+#    MOTD    #
+##----------##
+msg "             Configuring MOTD"
+sleep 2
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/motd/01-custom -O /etc/update-motd.d/01-custom
+chmod +x /etc/update-motd.d/01-custom
+chmod -x /etc/update-motd.d/80-livepatch
+chmod -x /etc/update-motd.d/10-help-text
+
+##---------##
+#    UFW    #
+##---------##
+msg "               Configuring UFW"
+sleep 2
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/"$branch"/config/ufw/config.sh -O /tmp/ufw-config.sh
+source /tmp/ufw-config.sh
+
+##---------------------##
+#    System services    #
+##---------------------##
+msg "          Setting up system services"
+sleep 2
+systemctl enable nginx mysql postfix postfix@- dovecot fail2ban clamav-daemon clamav-freshclam clamsmtp spamassassin > $OUTPUT 2>&1
+systemctl disable amavis amavisd-snmp-subagent amavis-mc postfix dovecot> $OUTPUT 2>&1
+systemctl stop amavis amavisd-snmp-subagent amavis-mc postfix dovecot > $OUTPUT 2>&1
+systemctl restart sshd nginx mysql postfix@- fail2ban clamav-daemon clamav-freshclam clamsmtp spamassassin opendkim php7.3-fpm > $OUTPUT 2>&1
+
+##---------------------------------##
+#    Updating ClamAV definitions    #
+##---------------------------------##
+{
+    for ((i = 0 ; i <= 100 ; i+=1)); do sleep 3.0
+        echo $i
+    done
+} | whiptail --gauge "      Please wait while ClamAV is updating definitions..." 6 52 0
+
+##-------------------------##
+#    Configuring Services   #
+##-------------------------##
+systemctl start amavis amavisd-snmp-subagent amavis-mc postfix dovecot > $OUTPUT 2>&1
+echo "@reboot root sleep 300 && systemctl start amavis amavisd-snmp-subagent amavis-mc postfix dovecot" >> /etc/crontab
 
 ##------------------##
 #    Final Update    #
 ##------------------##
-apt update
-apt upgrade -y
+msg "                  Final Update"
+sleep 2
+$PKGM update
+$PKGM upgrade -y
+$PKGM autoremove -y
+
+##------------##
+#    Readme    #
+##------------##
+wget -q -t7 https://git.ictmaatwerk.com/VPS-scripts/Ubuntu-Mail/raw/branch/beta/config/manual.sh -O /tmp/manual.sh
+source /tmp/manual.sh
+
+##----------------------##
+#    End of installer    #
+##----------------------##
+msg "                Done installing!"
+sleep 3
+
+if [ $IMODE = n ]; then
+whiptail --title "Info" --msgbox "Point your browser to https://$domain/postfixadmin to get started \n\nYour login is:    superadmin@$domonly\nYour password is: $password" 10 108
+whiptail --title "Credits" --msgbox "                   Made by: your local Wizard and God" 8 78
+clear
+fi
+if [ $IMODE = l ]; then
+clear
+echo "Point your browser to https://$domain/postfixadmin to get started"
+echo ""
+echo "Your login is: superadmin@$domonly"
+echo "Your password is: $password"
+echo ""
+read -p "Press enter to continue"
+clear
+fi