wildduck/setup/15_install_deploy.sh

#! /bin/bash

OURNAME=15_install_deploy.sh

echo -e "\n-- Executing ${ORANGE}${OURNAME}${NC} subscript --"

cd "$INSTALLDIR"

echo "DEPLOY SETUP

1. Add your ssh key to /home/deploy/.ssh/authorized_keys

2. Clone application code
\$ git clone deploy@$HOSTNAME:/var/opt/wildduck.git
\$ git clone deploy@$HOSTNAME:/var/opt/zone-mta.git
\$ git clone deploy@$HOSTNAME:/var/opt/wildduck-webmail.git
\$ git clone deploy@$HOSTNAME:/var/opt/haraka-plugin-wildduck.git
\$ git clone deploy@$HOSTNAME:/var/opt/zonemta-wildduck.git

3. After making a change in local copy deploy to server
\$ git push origin master
(you might need to use -f when pushing first time)

NAMESERVER SETUP
================

MX
--
Add this MX record to the $MAILDOMAIN DNS zone:

$MAILDOMAIN. IN MX 5 $HOSTNAME.

SPF
---
Add this TXT record to the $MAILDOMAIN DNS zone:

$MAILDOMAIN. IN TXT \"v=spf1 a:$HOSTNAME a:$MAILDOMAIN ip4:$PUBLIC_IP ~all\"

Or:
$MAILDOMAIN. IN TXT \"v=spf1 a:$HOSTNAME ip4:$PUBLIC_IP ~all\"
$MAILDOMAIN. IN TXT \"v=spf1 ip4:$PUBLIC_IP ~all\"

Some explanation:
SPF is basically a DNS entry (TXT), where you can define,
which server hosts (a:[HOSTNAME]) or ip address (ip4:[IP_ADDRESS])
are allowed to send emails.
So the receiver server (eg. gmail's server) can look up this entry
and decide if you(as a sender server) is allowed to send emails as
this email address.

If you are unsure, list more a:, ip4 entries, rather then fewer.

Example:
company website: awesome.com
company's email server: mail.awesome.com
company's reverse dns entry for this email server: mail.awesome.com -> 11.22.33.44

SPF record in this case would be:
awesome.com. IN TXT \"v=spf1 a:mail.awesome.com a:awesome.com ip4:11.22.33.44 ~all\"

The following servers can send emails for *@awesome.com email addresses:
awesome.com (company's website handling server)
mail.awesome.com (company's mail server)
11.22.33.44 (company's mail server's ip address)

Please note, that a:mail.awesome.com is the same as ip4:11.22.33.44, so it is
redundant. But better safe than sorry.
And in this example, the company's website handling server can also send
emails and in general it is an outbound only server.
If a website handles email sending (confirmation emails, contact form, etc).

DKIM
----
Add this TXT record to the $MAILDOMAIN DNS zone:

$DKIM_SELECTOR._domainkey.$MAILDOMAIN. IN TXT \"$DKIM_DNS\"

The DKIM .json text we added to wildduck server:
    curl -i -XPOST http://localhost:8080/dkim \\
    -H 'Content-type: application/json' \\
    -d '$DKIM_JSON'


Please refer to the manual how to change/delete/update DKIM keys
via the REST api (with curl on localhost) for the newest version.

List DKIM keys:
    curl -i http://localhost:8080/dkim
Delete DKIM:
    curl -i -XDELETE http://localhost:8080/dkim/59ef21aef255ed1d9d790e81

Move DKIM keys to another machine:

Save the above curl command and dns entry.
Also copy the following two files too:
/opt/zone-mta/keys/[MAILDOMAIN]-dkim.cert
/opt/zone-mta/keys/[MAILDOMAIN]-dkim.pem

pem: private key (guard it well)
cert: public key


PTR
---
Make sure that your public IP has a PTR record set to $HOSTNAME.
If your hosting provider does not allow you to set PTR records but has
assigned their own hostname, then edit /etc/zone-mta/pools.toml and replace
the hostname $HOSTNAME with the actual hostname of this server.

(this text is also stored to $INSTALLDIR/$MAILDOMAIN-nameserver.txt)" > "$INSTALLDIR/$MAILDOMAIN-nameserver.txt"

printf "Waiting for the server to start up.."

until $(curl --output /dev/null --silent --fail http://localhost:8080/users); do
    printf '.'
    sleep 2
done
echo "."

# Ensure DKIM key
echo "Registering DKIM key for $MAILDOMAIN"
echo $DKIM_JSON

curl -i -XPOST http://localhost:8080/dkim \
-H 'Content-type: application/json' \
-d "$DKIM_JSON"

echo ""
cat "$INSTALLDIR/$MAILDOMAIN-nameserver.txt"
echo ""
echo "All done, open https://$HOSTNAME/ in your browser"
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00			`#! /bin/bash`

			`OURNAME=15_install_deploy.sh`

			`echo -e "\n-- Executing ${ORANGE}${OURNAME}${NC} subscript --"`

			`cd "$INSTALLDIR"`

			`echo "DEPLOY SETUP`

			`1. Add your ssh key to /home/deploy/.ssh/authorized_keys`

			`2. Clone application code`
			`\$ git clone deploy@$HOSTNAME:/var/opt/wildduck.git`
			`\$ git clone deploy@$HOSTNAME:/var/opt/zone-mta.git`
			`\$ git clone deploy@$HOSTNAME:/var/opt/wildduck-webmail.git`
			`\$ git clone deploy@$HOSTNAME:/var/opt/haraka-plugin-wildduck.git`
			`\$ git clone deploy@$HOSTNAME:/var/opt/zonemta-wildduck.git`

			`3. After making a change in local copy deploy to server`
			`\$ git push origin master`
			`(you might need to use -f when pushing first time)`

			`NAMESERVER SETUP`
			`================`

			`MX`
			`--`
			`Add this MX record to the $MAILDOMAIN DNS zone:`

			`$MAILDOMAIN. IN MX 5 $HOSTNAME.`

			`SPF`
			`---`
			`Add this TXT record to the $MAILDOMAIN DNS zone:`

DKIM and SPF correction, some renaming I renamed some install scripts to be more clear. SPF: Suggest [MAILDOMAIN], [HOSTNAME] and [IP ADDRESS] Its a better practice to be more inclusive when it comes to dns SPF records. DKIM: Some dns registrars truncate dns TXT records at 255 chars. So 2048bit do not fit (about 390 vs. 230 chars). So 1024bit keys are a good choice, after all it is only a mail verification mechanism, do not encrypt the mail... Show tip how to stop systemd service (03_install_check_running_services.sh) sudo su prefered to become root, sudo su fails with npm permission errors when installing (dunno why). A mini tutorial is shown at the end about SPF, DKIM and how to add/remove/modify DKIM keys. This pull request closes issue 85,86. 2018-06-08 20:30:09 +08:00			`$MAILDOMAIN. IN TXT \"v=spf1 a:$HOSTNAME a:$MAILDOMAIN ip4:$PUBLIC_IP ~all\"`

			`Or:`
			`$MAILDOMAIN. IN TXT \"v=spf1 a:$HOSTNAME ip4:$PUBLIC_IP ~all\"`
			`$MAILDOMAIN. IN TXT \"v=spf1 ip4:$PUBLIC_IP ~all\"`

			`Some explanation:`
			`SPF is basically a DNS entry (TXT), where you can define,`
			`which server hosts (a:[HOSTNAME]) or ip address (ip4:[IP_ADDRESS])`
			`are allowed to send emails.`
			`So the receiver server (eg. gmail's server) can look up this entry`
			`and decide if you(as a sender server) is allowed to send emails as`
			`this email address.`

			`If you are unsure, list more a:, ip4 entries, rather then fewer.`

			`Example:`
			`company website: awesome.com`
			`company's email server: mail.awesome.com`
			`company's reverse dns entry for this email server: mail.awesome.com -> 11.22.33.44`

			`SPF record in this case would be:`
			`awesome.com. IN TXT \"v=spf1 a:mail.awesome.com a:awesome.com ip4:11.22.33.44 ~all\"`

			`The following servers can send emails for *@awesome.com email addresses:`
			`awesome.com (company's website handling server)`
			`mail.awesome.com (company's mail server)`
			`11.22.33.44 (company's mail server's ip address)`

			`Please note, that a:mail.awesome.com is the same as ip4:11.22.33.44, so it is`
			`redundant. But better safe than sorry.`
			`And in this example, the company's website handling server can also send`
			`emails and in general it is an outbound only server.`
			`If a website handles email sending (confirmation emails, contact form, etc).`
Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00
			`DKIM`
			`----`
			`Add this TXT record to the $MAILDOMAIN DNS zone:`

DKIM and SPF correction, some renaming I renamed some install scripts to be more clear. SPF: Suggest [MAILDOMAIN], [HOSTNAME] and [IP ADDRESS] Its a better practice to be more inclusive when it comes to dns SPF records. DKIM: Some dns registrars truncate dns TXT records at 255 chars. So 2048bit do not fit (about 390 vs. 230 chars). So 1024bit keys are a good choice, after all it is only a mail verification mechanism, do not encrypt the mail... Show tip how to stop systemd service (03_install_check_running_services.sh) sudo su prefered to become root, sudo su fails with npm permission errors when installing (dunno why). A mini tutorial is shown at the end about SPF, DKIM and how to add/remove/modify DKIM keys. This pull request closes issue 85,86. 2018-06-08 20:30:09 +08:00			`$DKIM_SELECTOR._domainkey.$MAILDOMAIN. IN TXT \"$DKIM_DNS\"`

			`The DKIM .json text we added to wildduck server:`
			`curl -i -XPOST http://localhost:8080/dkim \\`
			`-H 'Content-type: application/json' \\`
			`-d '$DKIM_JSON'`


			`Please refer to the manual how to change/delete/update DKIM keys`
			`via the REST api (with curl on localhost) for the newest version.`

			`List DKIM keys:`
			`curl -i http://localhost:8080/dkim`
			`Delete DKIM:`
			`curl -i -XDELETE http://localhost:8080/dkim/59ef21aef255ed1d9d790e81`

			`Move DKIM keys to another machine:`

			`Save the above curl command and dns entry.`
			`Also copy the following two files too:`
			`/opt/zone-mta/keys/[MAILDOMAIN]-dkim.cert`
			`/opt/zone-mta/keys/[MAILDOMAIN]-dkim.pem`

			`pem: private key (guard it well)`
			`cert: public key`

Breaking up install.sh into chapters Fixed two issues: 82: need to install npm globally to get around permission problems 83: need to start nginx service before restarting it Better executable requirements (lsof, ps). It may be not installed on minimal systems. Better service detection on given port. It is especially useful, if the installation.sh got interrupted for some reason, and already installed some services. Minor doc update, so a single line is required to paste in terminal. curl vs. wget -> stayed with wget, it is installed by default on ubuntu Colors: added color support for the terminal output:) 2018-06-08 04:09:57 +08:00
			`PTR`
			`---`
			`Make sure that your public IP has a PTR record set to $HOSTNAME.`
			`If your hosting provider does not allow you to set PTR records but has`
			`assigned their own hostname, then edit /etc/zone-mta/pools.toml and replace`
			`the hostname $HOSTNAME with the actual hostname of this server.`

			`(this text is also stored to $INSTALLDIR/$MAILDOMAIN-nameserver.txt)" > "$INSTALLDIR/$MAILDOMAIN-nameserver.txt"`

			`printf "Waiting for the server to start up.."`

			`until $(curl --output /dev/null --silent --fail http://localhost:8080/users); do`
			`printf '.'`
			`sleep 2`
			`done`
			`echo "."`

			`# Ensure DKIM key`
			`echo "Registering DKIM key for $MAILDOMAIN"`
			`echo $DKIM_JSON`

			`curl -i -XPOST http://localhost:8080/dkim \`
			`-H 'Content-type: application/json' \`
			`-d "$DKIM_JSON"`

			`echo ""`
			`cat "$INSTALLDIR/$MAILDOMAIN-nameserver.txt"`
			`echo ""`
			`echo "All done, open https://$HOSTNAME/ in your browser"`