wtserver 0.51

c4fa772e · w4t · b7d51f4f · c4fa772e · c4fa772e · c4fa772e
Commit c4fa772e authored Mar 14, 2025 by w4t
6 changed files
--- a/conf/cron/miab_clean_mail
+++ b/conf/cron/miab_clean_mail
+#!/bin/bash
+#
+doveadm expunge -A mailbox Trash savedbefore 120d
+doveadm expunge -A mailbox Spam savedbefore 120d
+
--- a/conf/cron/miab_dovecot
+++ b/conf/cron/miab_dovecot
+#!/bin/bash
+/usr/bin/doveadm fts optimize -A > /dev/null 2>&1
--- a/conf/ssl_cleanup
+++ b/conf/ssl_cleanup
+#!/bin/bash
+# Cleanup SSL certificates which expired more than 7 days ago from $STORAGE_ROOT/ssl and move them to $STORAGE_ROOT/ssl.expired
+
+source /etc/mailinabox.conf
+shopt -s extglob nullglob
+
+retain_after="$(date --date="7 days ago" +%Y%m%d)"
+
+mkdir -p $STORAGE_ROOT/ssl.expired
+for file in $STORAGE_ROOT/ssl/*-+([0-9])-+([0-9a-f]).pem; do
+  pem="$(basename "$file")"
+  not_valid_after="$(cut -d- -f1 <<< "${pem: -21}")"
+
+  if [ "$not_valid_after" -lt "$retain_after" ]; then
+    mv "$file" "$STORAGE_ROOT/ssl.expired/${pem}"
+  fi
+done
--- a/distros/debian12/install_mta.sh
+++ b/distros/debian12/install_mta.sh
@@ -75,7 +75,7 @@ InstallMTA() {
 	    # A reboot is required for this to take effect (which we don't do as
 	    # as a part of setup). Test with `cat /proc/sys/fs/inotify/max_user_instances`.
 	    #sed -i "/^#*\s*fs\.inotify\.max_user_instances\s*=/d; $a\fs.inotify.max_user_instances=1024" /etc/sysctl.conf
-	    echo "fs.inotify.max_user_instances=1024" | sudo tee -a /etc/sysctl.conf
+	    echo "fs.inotify.max_user_instances=1024" | sudo tee -a /etc/sysctl.conf >> $PROGRAMS_INSTALL_LOG_FILES 2>&1
 	    
 	    # Set the location where we'll store user mailboxes. '%d' is the domain name and '%n' is the
 	    # username part of the user's email address. We'll ensure that no bad domains or email addresses
@@ -189,6 +189,33 @@ EOF
 	    # https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
 	    cp -f $APWD/conf/dh4096.pem $STORAGE_ROOT/ssl/

+	    # Cleanup expired SSL certificates from $STORAGE_ROOT/ssl daily
+	    cat > /etc/cron.daily/mail-server-ssl-cleanup << EOF;
+#!/bin/bash
+# Cleanup expired SSL certificates
+$APWD/tools/ssl_cleanup
+EOF
+	    chmod +x /etc/cron.daily/mail-server-ssl-cleanup
+
+	    # Save the global options in /etc/mailinabox.conf so that standalone
+	    # tools know where to look for data. The default MTA_STS_MODE setting
+	    # is blank unless set by an environment variable, but see web.sh for
+	    # how that is interpreted.
+cat > /etc/wtserverbox.conf << EOF;
+STORAGE_USER=www-data
+STORAGE_ROOT=/var/www
+BACKUP_ROOT=$BACKUP_ROOT
+PRIMARY_HOSTNAME=$CFG_HOSTNAME_DOMAIN
+PUBLIC_IP=$PUBLIC_IP
+PUBLIC_IPV6=$PUBLIC_IPV6
+PRIVATE_IP=$PRIVATE_IP
+PRIVATE_IPV6=$PRIVATE_IPV6
+MTA_STS_MODE=${DEFAULT_MTA_STS_MODE:-enforce}
+ADMIN_HOME_IP=$ADMIN_HOME_IP
+ADMIN_HOME_IPV6=$ADMIN_HOME_IPV6
+ABUSEIPDB_API_KEY=${DEFAULT_ABUSEIPDB_API_KEY:-}
+EOF  
+
 	    # Enable SSL, specify the location of the SSL certificate and private key files.
 	    # Use Mozilla's "Intermediate" recommendations at https://ssl-config.mozilla.org/#server=dovecot&server-version=2.3.7.2&config=intermediate&openssl-version=1.1.1,
 	    # except that the current version of Dovecot does not have a TLSv1.3 setting, so we only use TLSv1.2.
@@ -359,7 +386,7 @@ EOF
 	    fi

 	    # Install cronjobs to keep FTS up to date
-	    hide_output install -m 755 conf/cron/miab_dovecot /etc/cron.daily/
+	    hide_output install -m 755 $APWD/conf/cron/miab_dovecot /etc/cron.daily/

 	    # Install files
 	    if [ ! -f /usr/lib/dovecot/decode2text.sh ]; then
@@ -417,6 +444,65 @@ EOF
 	    # * `'*'`: All folders
 	    doveadm index -A -q \*

+	    ### Additional modifications
+
+	    # Add additional packages
+	    apt_install pflogsumm rkhunter
+
+	    # Cleanup old spam and trash email
+	    hide_output install -m 755 $APWD/conf/cron/miab_clean_mail /etc/cron.weekly/
+
+	    # Reduce logs by not logging mail output in syslog
+	    sed -i "s/\*\.\*;auth,authpriv.none.*\-\/var\/log\/syslog/\*\.\*;mail,auth,authpriv.none    \-\/var\/log\/syslog/g" /etc/rsyslog.d/50-default.conf
+
+	    # Reduce logs by only logging ufw in ufw.log
+	    sed -i "s/#\& stop/\& stop/g" /etc/rsyslog.d/20-ufw.conf
+
+	    restart_service rsyslog
+
+	    # Create forward for root emails
+	    cat > /root/.forward << EOF;
+administrator@$CFG_HOSTNAME_DOMAIN
+EOF
+
+	    # Adapt rkhunter cron job to reduce log file production
+	    sed -i "s/--cronjob --report-warnings-only --appendlog/--cronjob --report-warnings-only --no-verbose-logging --appendlog/g" /etc/cron.daily/rkhunter
+
+	    # Install fake mail script
+	    if [ ! -f /usr/local/bin/mail ]; then
+		hide_output install -m 755 $APWD/tools/fake_mail /usr/local/bin
+		mv -f /usr/local/bin/fake_mail /usr/local/bin/mail
+	   fi
+
+	   sed -i 's/^UPDATE_MIRRORS=0/UPDATE_MIRRORS=1/' /etc/rkhunter.conf
+	   sed -i 's/^MIRRORS_MODE=1/MIRRORS_MODE=0/' /etc/rkhunter.conf
+	   sed -i 's|^WEB_CMD="/bin/false"|WEB_CMD=""|' /etc/rkhunter.conf
+	   sed -i 's/^#APPEND_LOG=0/APPEND_LOG=1/' /etc/rkhunter.conf
+	   sed -i 's|^#ALLOWHIDDENDIR=/etc/.java|ALLOWHIDDENDIR=/etc/.java|' /etc/rkhunter.conf
+
+	   # Check presence of whitelist
+	   if ! grep -Fxq "SCRIPTWHITELIST=/usr/local/bin/mail" /etc/rkhunter.conf > /dev/null; then
+		echo "SCRIPTWHITELIST=/usr/local/bin/mail" >> /etc/rkhunter.conf
+	   fi
+
+	   sed -i 's/^CRON_DAILY_RUN=""/CRON_DAILY_RUN="true"/' /etc/default/rkhunter
+	   sed -i 's/^CRON_DB_UPDATE=""/CRON_DB_UPDATE="true"/' /etc/default/rkhunter
+	   sed -i 's/^APT_AUTOGEN="false"/APT_AUTOGEN="true"/' /etc/default/rkhunter
+
+	   # Should be last, update expected output
+	   rkhunter --propupd
+
+	   # ### Install Subnetblocker
+	   # Regularly scan fail2ban log to capture whole subnets to block
+	   #hide_output install -m 755 tools/fail2ban-block-ip-range.py /usr/local/bin
+	   #cp -f conf/cron/miab-fail2ban-subnet-blocker /etc/cron.d/
+	   # Logrotation is done via generic mail in a box logrotate config
+
+	   # ### Install additional tools
+
+	   # Install combine_certs.sh tool
+	   #hide_output install -m 755 tools/combine_certs.sh /usr/local/bin  
+
 	;;
    esac


--- a/distros/debian12/install_owncloud.sh
+++ b/distros/debian12/install_owncloud.sh
@@ -4,7 +4,7 @@
 #---------------------------------------------------------------------
 InstallCloud() {
    local START_TIME=$SECONDS
-    STORAGE_ROOT="/var/www"
+    local STORAGE_ROOT="/var/www"

    case $CFG_CLOUDTYPE in
 	"nextcloud")

--- a/tools/fake_mail
+++ b/tools/fake_mail
+#!/bin/bash
+# Save the command-line information passed to the function
+# so that I can translate info to call sendmail
+if read -t 0; then
+  message=`cat`
+fi
+script="$0"
+
+for arg in "$@"; do
+  if [ "$lastarg" == "-s" ]; then
+    subject="$arg"
+  fi
+  if [[ $arg =~ [[:space:]] ]]; then
+    arg=\"$arg\"
+  fi
+  lastarg="$arg"
+done
+
+# send message using sendmail
+echo "Subject: $subject
+
+$message" | sendmail -F "`hostname -f`" "$lastarg"