wildduck/setup/09_install_zone_mta.sh

#! /bin/bash

OURNAME=09_install_zone_mta.sh

echo -e "\n-- Executing ${ORANGE}${OURNAME}${NC} subscript --"


#### ZoneMTA ####

# clear previous install
if [ -f "/etc/systemd/system/zone-mta.service" ]
then
    $SYSTEMCTL_PATH stop zone-mta || true
    $SYSTEMCTL_PATH disable zone-mta || true
    rm -rf /etc/systemd/system/zone-mta.service
fi
rm -rf /var/opt/zone-mta.git
rm -rf /var/opt/zonemta-wildduck.git
rm -rf /opt/zone-mta
rm -rf /etc/zone-mta

# fresh install
cd /var/opt
git clone --bare https://github.com/zone-eu/zone-mta-template.git zone-mta.git
git clone --bare https://github.com/nodemailer/zonemta-wildduck.git

# create update hooks so we can later deploy to this location
hook_script zone-mta
echo "#!/bin/bash
git --git-dir=/var/opt/zonemta-wildduck.git --work-tree=/opt/zone-mta/plugins/wildduck checkout "\$3" -f
cd /opt/zone-mta/plugins/wildduck
rm -rf package-lock.json
npm install --production --no-optional --no-package-lock --no-audit --ignore-scripts --no-shrinkwrap --progress=false
sudo $SYSTEMCTL_PATH restart zone-mta || echo \"Failed restarting service\"" > "/var/opt/zonemta-wildduck.git/hooks/update"
chmod +x "/var/opt/zonemta-wildduck.git/hooks/update"

# allow deploy user to restart zone-mta service
echo "deploy ALL = (root) NOPASSWD: $SYSTEMCTL_PATH restart zone-mta" >> /etc/sudoers.d/zone-mta

# checkout files from git to working directory
mkdir -p /opt/zone-mta
git --git-dir=/var/opt/zone-mta.git --work-tree=/opt/zone-mta checkout "$ZONEMTA_COMMIT"

mkdir -p /opt/zone-mta/plugins/wildduck
git --git-dir=/var/opt/zonemta-wildduck.git --work-tree=/opt/zone-mta/plugins/wildduck checkout "$WILDDUCK_ZONEMTA_COMMIT"

cp -r /opt/zone-mta/config /etc/zone-mta
sed -i -e 's/port=2525/port=587/g;s/host="127.0.0.1"/host="0.0.0.0"/g;s/authentication=false/authentication=true/g' /etc/zone-mta/interfaces/feeder.toml
rm -rf /etc/zone-mta/plugins/dkim.toml
echo '# @include "/etc/wildduck/dbs.toml"' > /etc/zone-mta/dbs-production.toml
echo 'user="wildduck"
group="wildduck"' | cat - /etc/zone-mta/zonemta.toml > temp && mv temp /etc/zone-mta/zonemta.toml

echo "[[default]]
address=\"0.0.0.0\"
name=\"$HOSTNAME\"" > /etc/zone-mta/pools.toml

echo "[\"modules/zonemta-loop-breaker\"]
enabled=\"sender\"
secret=\"$ZONEMTA_SECRET\"
algo=\"md5\"" > /etc/zone-mta/plugins/loop-breaker.toml

echo "[wildduck]
enabled=[\"receiver\", \"sender\"]

# which interfaces this plugin applies to
interfaces=[\"feeder\"]

# optional hostname to be used in headers
# defaults to os.hostname()
hostname=\"$HOSTNAME\"

# SRS settings for forwarded emails

[wildduck.srs]
    # Handle rewriting of forwarded emails
    enabled=true
    # SRS secret value. Must be the same as in the MX side
    secret=\"$SRS_SECRET\"
    # SRS domain, must resolve back to MX
    rewriteDomain=\"$MAILDOMAIN\"

[wildduck.dkim]
# share config with WildDuck installation
# @include \"/etc/wildduck/dkim.toml\"
" > /etc/zone-mta/plugins/wildduck.toml

cd /opt/zone-mta/keys
# Many registrar limits dns TXT fields to 255 char. 1024bit is almost too long:-\
openssl genrsa -out "$MAILDOMAIN-dkim.pem" 1024
chmod 400 "$MAILDOMAIN-dkim.pem"
openssl rsa -in "$MAILDOMAIN-dkim.pem" -out "$MAILDOMAIN-dkim.cert" -pubout
DKIM_DNS="v=DKIM1;k=rsa;p=$(grep -v -e '^-' $MAILDOMAIN-dkim.cert | tr -d "\n")"

DKIM_JSON=`DOMAIN="$MAILDOMAIN" SELECTOR="$DKIM_SELECTOR" node -e 'console.log(JSON.stringify({
  domain: process.env.DOMAIN,
  selector: process.env.SELECTOR,
  description: "Default DKIM key for "+process.env.DOMAIN,
  privateKey: fs.readFileSync("/opt/zone-mta/keys/"+process.env.DOMAIN+"-dkim.pem", "UTF-8")
}))'`

cd /opt/zone-mta
npm install --production --no-optional --no-package-lock --no-audit --ignore-scripts --no-shrinkwrap --unsafe-perm

cd /opt/zone-mta/plugins/wildduck
npm install --production --no-optional --no-package-lock --no-audit --ignore-scripts --no-shrinkwrap --unsafe-perm

chown -R deploy:deploy /var/opt/zone-mta.git
chown -R deploy:deploy /var/opt/zonemta-wildduck.git
chown -R deploy:deploy /opt/zone-mta
chown -R wildduck:wildduck /etc/zone-mta

# Ensure required files and permissions
echo "d /opt/zone-mta 0755 deploy deploy
d /etc/zone-mta 0755 wildduck wildduck" > /etc/tmpfiles.d/zone-mta.conf
log_script "zone-mta"

echo '[Unit]
Description=Zone Mail Transport Agent
Conflicts=sendmail.service exim.service postfix.service
After=mongod.service redis.service

[Service]
Environment="NODE_ENV=production"
WorkingDirectory=/opt/zone-mta
ExecStart=/usr/bin/node index.js --config="/etc/zone-mta/zonemta.toml"
ExecReload=/bin/kill -HUP $MAINPID
Type=simple
Restart=always
SyslogIdentifier=zone-mta

[Install]
WantedBy=multi-user.target' > /etc/systemd/system/zone-mta.service

$SYSTEMCTL_PATH enable zone-mta.service
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00			`#! /bin/bash`

Update 09_install_zone_mta.sh changed OURNAME to "09_install_zone_mta.sh" 2020-02-27 20:15:23 +08:00			`OURNAME=09_install_zone_mta.sh`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00
			`echo -e "\n-- Executing ${ORANGE}${OURNAME}${NC} subscript --"`


			`#### ZoneMTA ####`

			`# clear previous install`
			`if [ -f "/etc/systemd/system/zone-mta.service" ]`
			`then`
			`$SYSTEMCTL_PATH stop zone-mta \|\| true`
			`$SYSTEMCTL_PATH disable zone-mta \|\| true`
			`rm -rf /etc/systemd/system/zone-mta.service`
			`fi`
			`rm -rf /var/opt/zone-mta.git`
			`rm -rf /var/opt/zonemta-wildduck.git`
			`rm -rf /opt/zone-mta`
			`rm -rf /etc/zone-mta`

			`# fresh install`
			`cd /var/opt`
Update 09_install_zone_mta.sh 2022-03-30 21:07:03 +08:00			`git clone --bare https://github.com/zone-eu/zone-mta-template.git zone-mta.git`
			`git clone --bare https://github.com/nodemailer/zonemta-wildduck.git`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00
			`# create update hooks so we can later deploy to this location`
			`hook_script zone-mta`
			`echo "#!/bin/bash`
			`git --git-dir=/var/opt/zonemta-wildduck.git --work-tree=/opt/zone-mta/plugins/wildduck checkout "\$3" -f`
			`cd /opt/zone-mta/plugins/wildduck`
			`rm -rf package-lock.json`
do not install otpional deps 2020-07-16 22:08:04 +08:00			`npm install --production --no-optional --no-package-lock --no-audit --ignore-scripts --no-shrinkwrap --progress=false`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00			`sudo $SYSTEMCTL_PATH restart zone-mta \|\| echo \"Failed restarting service\"" > "/var/opt/zonemta-wildduck.git/hooks/update"`
			`chmod +x "/var/opt/zonemta-wildduck.git/hooks/update"`

			`# allow deploy user to restart zone-mta service`
			`echo "deploy ALL = (root) NOPASSWD: $SYSTEMCTL_PATH restart zone-mta" >> /etc/sudoers.d/zone-mta`

			`# checkout files from git to working directory`
			`mkdir -p /opt/zone-mta`
			`git --git-dir=/var/opt/zone-mta.git --work-tree=/opt/zone-mta checkout "$ZONEMTA_COMMIT"`

			`mkdir -p /opt/zone-mta/plugins/wildduck`
			`git --git-dir=/var/opt/zonemta-wildduck.git --work-tree=/opt/zone-mta/plugins/wildduck checkout "$WILDDUCK_ZONEMTA_COMMIT"`

			`cp -r /opt/zone-mta/config /etc/zone-mta`
			`sed -i -e 's/port=2525/port=587/g;s/host="127.0.0.1"/host="0.0.0.0"/g;s/authentication=false/authentication=true/g' /etc/zone-mta/interfaces/feeder.toml`
			`rm -rf /etc/zone-mta/plugins/dkim.toml`
			`echo '# @include "/etc/wildduck/dbs.toml"' > /etc/zone-mta/dbs-production.toml`
			`echo 'user="wildduck"`
			`group="wildduck"' \| cat - /etc/zone-mta/zonemta.toml > temp && mv temp /etc/zone-mta/zonemta.toml`

			`echo "[[default]]`
			`address=\"0.0.0.0\"`
			`name=\"$HOSTNAME\"" > /etc/zone-mta/pools.toml`

			`echo "[\"modules/zonemta-loop-breaker\"]`
			`enabled=\"sender\"`
			`secret=\"$ZONEMTA_SECRET\"`
			`algo=\"md5\"" > /etc/zone-mta/plugins/loop-breaker.toml`

fixed zonemta config 2018-09-10 16:15:46 +08:00			`echo "[wildduck]`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00			`enabled=[\"receiver\", \"sender\"]`

			`# which interfaces this plugin applies to`
			`interfaces=[\"feeder\"]`

			`# optional hostname to be used in headers`
			`# defaults to os.hostname()`
			`hostname=\"$HOSTNAME\"`

			`# SRS settings for forwarded emails`

fixed zonemta config 2018-09-10 16:15:46 +08:00			`[wildduck.srs]`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00			`# Handle rewriting of forwarded emails`
			`enabled=true`
			`# SRS secret value. Must be the same as in the MX side`
			`secret=\"$SRS_SECRET\"`
			`# SRS domain, must resolve back to MX`
			`rewriteDomain=\"$MAILDOMAIN\"`

fixed zonemta config 2018-09-10 16:15:46 +08:00			`[wildduck.dkim]`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00			`# share config with WildDuck installation`
			`# @include \"/etc/wildduck/dkim.toml\"`
			`" > /etc/zone-mta/plugins/wildduck.toml`

			`cd /opt/zone-mta/keys`
DKIM and SPF correction, some renaming I renamed some install scripts to be more clear. SPF: Suggest [MAILDOMAIN], [HOSTNAME] and [IP ADDRESS] Its a better practice to be more inclusive when it comes to dns SPF records. DKIM: Some dns registrars truncate dns TXT records at 255 chars. So 2048bit do not fit (about 390 vs. 230 chars). So 1024bit keys are a good choice, after all it is only a mail verification mechanism, do not encrypt the mail... Show tip how to stop systemd service (03_install_check_running_services.sh) sudo su prefered to become root, sudo su fails with npm permission errors when installing (dunno why). A mini tutorial is shown at the end about SPF, DKIM and how to add/remove/modify DKIM keys. This pull request closes issue 85,86. 2018-06-08 20:30:09 +08:00			`# Many registrar limits dns TXT fields to 255 char. 1024bit is almost too long:-\`
			`openssl genrsa -out "$MAILDOMAIN-dkim.pem" 1024`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00			`chmod 400 "$MAILDOMAIN-dkim.pem"`
			`openssl rsa -in "$MAILDOMAIN-dkim.pem" -out "$MAILDOMAIN-dkim.cert" -pubout`
DKIM and SPF correction, some renaming I renamed some install scripts to be more clear. SPF: Suggest [MAILDOMAIN], [HOSTNAME] and [IP ADDRESS] Its a better practice to be more inclusive when it comes to dns SPF records. DKIM: Some dns registrars truncate dns TXT records at 255 chars. So 2048bit do not fit (about 390 vs. 230 chars). So 1024bit keys are a good choice, after all it is only a mail verification mechanism, do not encrypt the mail... Show tip how to stop systemd service (03_install_check_running_services.sh) sudo su prefered to become root, sudo su fails with npm permission errors when installing (dunno why). A mini tutorial is shown at the end about SPF, DKIM and how to add/remove/modify DKIM keys. This pull request closes issue 85,86. 2018-06-08 20:30:09 +08:00			`DKIM_DNS="v=DKIM1;k=rsa;p=$(grep -v -e '^-' $MAILDOMAIN-dkim.cert \| tr -d "\n")"`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00
			DKIM_JSON=`DOMAIN="$MAILDOMAIN" SELECTOR="$DKIM_SELECTOR" node -e 'console.log(JSON.stringify({
			`domain: process.env.DOMAIN,`
			`selector: process.env.SELECTOR,`
			`description: "Default DKIM key for "+process.env.DOMAIN,`
			`privateKey: fs.readFileSync("/opt/zone-mta/keys/"+process.env.DOMAIN+"-dkim.pem", "UTF-8")`
			}))'`

			`cd /opt/zone-mta`
do not install otpional deps 2020-07-16 22:08:04 +08:00			`npm install --production --no-optional --no-package-lock --no-audit --ignore-scripts --no-shrinkwrap --unsafe-perm`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00
			`cd /opt/zone-mta/plugins/wildduck`
do not install otpional deps 2020-07-16 22:08:04 +08:00			`npm install --production --no-optional --no-package-lock --no-audit --ignore-scripts --no-shrinkwrap --unsafe-perm`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00
			`chown -R deploy:deploy /var/opt/zone-mta.git`
			`chown -R deploy:deploy /var/opt/zonemta-wildduck.git`
			`chown -R deploy:deploy /opt/zone-mta`
Set up separate log files for different services 2020-03-16 18:54:47 +08:00			`chown -R wildduck:wildduck /etc/zone-mta`

			`# Ensure required files and permissions`
			`echo "d /opt/zone-mta 0755 deploy deploy`
			`d /etc/zone-mta 0755 wildduck wildduck" > /etc/tmpfiles.d/zone-mta.conf`
			`log_script "zone-mta"`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00
			`echo '[Unit]`
			`Description=Zone Mail Transport Agent`
			`Conflicts=sendmail.service exim.service postfix.service`
			`After=mongod.service redis.service`

			`[Service]`
			`Environment="NODE_ENV=production"`
			`WorkingDirectory=/opt/zone-mta`
			`ExecStart=/usr/bin/node index.js --config="/etc/zone-mta/zonemta.toml"`
			`ExecReload=/bin/kill -HUP $MAINPID`
			`Type=simple`
			`Restart=always`
			`SyslogIdentifier=zone-mta`

			`[Install]`
			`WantedBy=multi-user.target' > /etc/systemd/system/zone-mta.service`

			`$SYSTEMCTL_PATH enable zone-mta.service`