Misc (#609)

- haraka: update to configure dns-list - rspamd: surbl is replaced by rbl - webmail: nginx tls cert should match hostname.
msimerson · Feb 2, 2025 · cc92d40 · cc92d40
1 parent 9d8eb7c
commit cc92d40
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 31 deletions.
diff --git a/include/nginx.sh b/include/nginx.sh
@@ -74,14 +74,14 @@ configure_nginx_server_d()
 	local _prefix
 	if [ "$TOASTER_WEBMAIL_PROXY" = "haproxy" ]; then
 		_prefix='server {
-			listen       80;
-			listen  [::]:80;
+		listen       80;
+		listen  [::]:80;
 '
 	else
 		# nginx can't send proxy protocol AND route URIs at the same time
 		_prefix='server {
-			listen       80;
-			listen  [::]:80;
+		listen       80;
+		listen  [::]:80;
 '
 	fi
 

diff --git a/provision/dovecot.sh b/provision/dovecot.sh
@@ -59,6 +59,7 @@ mail_privileged_group = 89
 login_greeting = Mail Toaster (Dovecot) ready.
 mail_plugins = $mail_plugins quota
 protocols = imap pop3 lmtp sieve
+
 service auth {
   unix_listener auth-client {
     mode = 0660
@@ -95,6 +96,11 @@ service lmtp {
     #mode = 0666
   }
 }
+service managesieve-login {
+  inet_listener sieve {
+    port = 4190
+  }
+}
 service tcpwrap {
   unix_listener login/tcpwrap {
     mode = 0600
@@ -103,11 +109,6 @@ service tcpwrap {
   }
   user = root
 }
-service managesieve-login {
-  inet_listener sieve {
-    port = 4190
-  }
-}
 
 passdb {
   driver = sql
@@ -124,6 +125,7 @@ userdb {
 
 shutdown_clients = no
 verbose_proctitle = yes
+
 protocol imap {
   imap_client_workarounds = delay-newmail  tb-extra-mailbox-sep
   mail_max_userip_connections = 45

diff --git a/provision/haraka.sh b/provision/haraka.sh
@@ -123,7 +123,7 @@ EO_DLF
 file=/var/log/maillog
 EO_LRC
 
-	# absense of mailogs in jail prevents log-reader from working
+	# absence of mailogs in jail prevents log-reader from working
 	if ! grep -qs always_ok "$HARAKA_CONF/syslog.ini"; then
 		# don't write to daemon_log_file if syslog write was successful
 		echo "[general]
@@ -336,13 +336,9 @@ configure_haraka_tls() {
 
 configure_haraka_dnsbl()
 {
-	if ! grep -qs ^reject "$HARAKA_CONF/dnsbl.ini"; then
-		tell_status "configuring dnsbls"
-		echo 'reject=false
-search=all
-enable_stats=false
-zones=b.barracudacentral.org, truncate.gbudb.net, psbl.surriel.com, bl.spamcop.net, dnsbl-1.uceprotect.net, zen.spamhaus.org, dnsbl.sorbs.net, dnsbl.justspam.org
-' | tee -a "$HARAKA_CONF/dnsbl.ini"
+	if ! grep -qs ^reject "$HARAKA_CONF/dns-list.ini"; then
+		tell_status "configuring dns-list"
+		configure_install_default dns-list.ini
 	fi
 }
 
@@ -589,7 +585,7 @@ order=fail,pass,msg
 [uribl]
 hide=skip
 
-[dnsbl]
+[dns-list]
 hide=pass
 
 [dns-list]

diff --git a/provision/host.sh b/provision/host.sh
@@ -111,6 +111,7 @@ monthly_output="$TOASTER_ADMIN_EMAIL"
 
 security_show_success="NO"
 security_show_info="YES"
+security_status_baseaudit_enable="NO"
 security_status_chksetuid_enable="NO"
 security_status_neggrpperm_enable="NO"
 security_status_pkgaudit_enable="YES"

diff --git a/provision/rspamd.sh b/provision/rspamd.sh
@@ -148,11 +148,11 @@ EO_SYSLOG
 	fi
 }
 
-configure_surbl()
+configure_rbl()
 {
-	store_config "$RSPAMD_ETC/local.d/surbl.conf" <<EO_SURBL
+	store_config "$RSPAMD_ETC/local.d/rbl.conf" <<EO_RBL
 redirector_hosts_map = "/usr/local/etc/rspamd/redirectors.inc";
-EO_SURBL
+EO_RBL
 }
 
 configure_worker()
@@ -193,7 +193,7 @@ configure_rspamd()
 	configure_phishing
 	configure_enable url_reputation
 	configure_enable url_tags
-	configure_surbl
+	configure_rbl
 	configure_worker
 	configure_controller
 

diff --git a/provision/webmail.sh b/provision/webmail.sh
@@ -48,9 +48,19 @@ configure_nginx_server()
 
 		server_name  $TOASTER_HOSTNAME;
 
-		ssl_certificate	/data/etc/tls/certs/$TOASTER_MAIL_DOMAIN.pem;
-		ssl_certificate_key /data/etc/tls/private/$TOASTER_MAIL_DOMAIN.pem;
+		ssl_certificate	/data/etc/tls/certs/$TOASTER_HOSTNAME.pem;
+		ssl_certificate_key /data/etc/tls/private/$TOASTER_HOSTNAME.pem;
 
+		include /data/etc/nginx/webmail.conf;
+	}
+"
+		# shellcheck disable=SC2090
+		export _NGINX_SERVER
+
+		configure_nginx_server_d webmail $TOASTER_HOSTNAME
+	fi
+
+	tee "$ZFS_DATA_MNT/webmail/etc/nginx/webmail.conf" <<EO_WEBMAIL_INCLUDE
 		proxy_set_header X-Forwarded-For \$remote_addr;
 		proxy_set_header X-Forwarded-Proto \$scheme;
 		proxy_set_header Host \$host;
@@ -121,13 +131,7 @@ configure_nginx_server()
 		location = /50x.html {
 			root   /usr/local/www/nginx-dist;
 		}
-	}
-"
-		# shellcheck disable=SC2090
-		export _NGINX_SERVER
-
-		configure_nginx_server_d webmail webmail-tls
-	fi
+EO_WEBMAIL_INCLUDE
 }
 
 install_lighttpd()