Merge branch 'stretch' of https://github.com/bashrc/freedombone

src/freedombone-base-email

@@ -119,33 +119,6 @@ function email_create_template {
     fi
 }
 
-function email_install_tls {
-    # make a tls certificate for email
-    if [ ! -f /etc/ssl/certs/exim.dhparam ]; then
-        ${PROJECT_NAME}-addcert -h exim --dhkey $DH_KEYLENGTH
-        check_certificates exim
-    fi
-    cp /etc/ssl/private/exim.key /etc/exim4
-    cp /etc/ssl/certs/exim.crt /etc/exim4
-    cp /etc/ssl/certs/exim.dhparam /etc/exim4
-    chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
-    chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
-
-    sed -i '/login_saslauthd_server/,/.endif/ s/# *//' /etc/exim4/exim4.conf.template
-    if ! grep -q "MAIN_TLS_ENABLE = true" /etc/exim4/exim4.conf.template; then
-        sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\MAIN_HARDCODE_PRIMARY_HOSTNAME =\nMAIN_TLS_ENABLE = true" /etc/exim4/exim4.conf.template
-    else
-        sed -i "s|MAIN_HARDCODE_PRIMARY_HOSTNAME =.*|MAIN_HARDCODE_PRIMARY_HOSTNAME =|g" /etc/exim4/exim4.conf.template
-    fi
-    sed -i "s|SMTPLISTENEROPTIONS=''|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4
-    if ! grep -q "tls_on_connect_ports=465" /etc/exim4/exim4.conf.template; then
-        sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' /etc/exim4/exim4.conf.template
-    fi
-    if ! grep -q "# don't send system passwords" /etc/exim4/exim4.conf.template; then
-        sed -i "s|don't send system passwords.*|# don't send system passwords unencrypted|g" /etc/exim4/exim4.conf.template
-    fi
-}
-
 function configure_email_onion {
     if [[ $(is_completed $FUNCNAME) == "1" ]]; then
         return
@@ -832,179 +805,6 @@ function remove_email {
     echo ''
 }
 
-function install_email_with_tor {
-    apt-get -yq remove postfix
-    apt-get -yq install exim4 sasl2-bin swaks libnet-ssleay-perl procmail xinetd
-
-    if [ ! -d /etc/exim4 ]; then
-        echo $"ERROR: Exim does not appear to have installed. $CHECK_MESSAGE"
-        exit 48
-    fi
-
-    onion_service_name='email'
-    if [ ! -d /var/lib/tor ]; then
-        echo $"No Tor installation found. ${onion_service_name} onion site cannot be configured."
-        exit 877367
-    fi
-    if ! grep -q "hidden_service_${onion_service_name}" /etc/tor/torrc; then
-        echo "HiddenServiceDir /var/lib/tor/hidden_service_${onion_service_name}/" >> /etc/tor/torrc
-        echo 'HiddenServicePort 25 127.0.0.1:25' >> /etc/tor/torrc
-        echo 'HiddenServicePort 587 127.0.0.1:587' >> /etc/tor/torrc
-        echo 'HiddenServicePort 465 127.0.0.1:465' >> /etc/tor/torrc
-        echo 'HiddenServicePort 993 127.0.0.1:993' >> /etc/tor/torrc
-        echo $"Added onion site for ${onion_service_name}"
-    fi
-
-    onion_update
-    function_check wait_for_onion_service
-    wait_for_onion_service ${onion_service_name}
-
-    if [ ! -f /var/lib/tor/hidden_service_${onion_service_name}/hostname ]; then
-        echo $"${onion_service_name} onion site hostname not found"
-        exit 76362
-    fi
-    EMAIL_ONION_HOSTNAME=$(cat /var/lib/tor/hidden_service_${onion_service_name}/hostname)
-
-    if [[ $ONION_ONLY != "no" ]]; then
-        function_check set_hostname
-        set_hostname ${EMAIL_ONION_HOSTNAME}
-        MY_EMAIL_ADDRESS=${MY_USERNAME}@${DEFAULT_DOMAIN_NAME}
-    fi
-    set_completion_param "email onion domain" "${EMAIL_ONION_HOSTNAME}"
-
-    # see https://github.com/petterreinholdtsen/exim4-smtorp
-    echo '# tor stuff first' > /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '#' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '# if were submitting mail *from* a .tor/.onion address,' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '# make sure any header lines that may give us away is' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '# stripped out, and add a new, cryptic Message-ID.' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '# In address_data we store the name we should HELO as.' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo 'tor_to_any:' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        debug_print     = "R: manualroute from .onion to $local_part@$domain"' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        driver          = manualroute' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        domains         = ! +local_domains' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        condition       = ${if match {$sender_address_domain}{\N.*\.(onion|tor)$\N}}' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        address_data    = $sender_address_domain' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        transport       = remote_smtp_onion' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        self            = send' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        route_list      = * localhost' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        headers_remove  = Received:Message-ID:X-Mailer:User-Agent' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        headers_add     = Message-ID: <${lc:${sha1:$message_id}}@$sender_address_domain>' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '# this catches the case where were submitting mail' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '# from a regular email address where we dont need to' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '# rewrite any headers' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo 'any_to_tor:' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        debug_print     = "R: manualroute for $local_part@$domain"' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        driver          = manualroute' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        domains         = ! +local_domains' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        transport       = remote_smtp_onion' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        self            = send' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        route_list      = *.onion localhost ; *.tor localhost' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-    echo '        address_data    = $smtp_active_hostname' >> /etc/exim4/conf.d/router/100_exim4-smtorp
-
-    echo 'remote_smtp_onion:' > /etc/exim4/conf.d/transport/100_exim4-smtorp
-    echo '        debug_print = "T: remote_smtp_onion for $local_part@$original_domain"' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
-    echo '        driver = smtp' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
-    echo '' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
-    echo '        # set helo_data to where we want to connect to,' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
-    echo '        # for the proxy program tor-smtp' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
-    echo '        helo_data = "$address_data $original_domain"' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
-    echo '' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
-    echo '        # wherever we configured our script at' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
-    echo '        port = 12668' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
-    echo '' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
-    echo '        # cannot use TLS otherwise it will EHLO again!!' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
-    echo '        hosts_avoid_tls = *' >> /etc/exim4/conf.d/transport/100_exim4-smtorp
-
-    if [ ! -d $INSTALL_DIR ]; then
-        mkdir -p $INSTALL_DIR
-    fi
-    cd $INSTALL_DIR
-    function_check git_clone
-    git_clone $EXIM_ONION_REPO $INSTALL_DIR/exim4-smtorp
-    cd $INSTALL_DIR/exim4-smtorp/tor-smtp
-    make
-    if [ ! -f $INSTALL_DIR/exim4-smtorp/tor-smtp/tor-smtp ]; then
-        echo $'Unable to make tor smtp transport'
-        exit 52629
-    fi
-    if [ ! -d /usr/lib/exim4-smtorp ]; then
-        mkdir /usr/lib/exim4-smtorp
-    fi
-    cp $INSTALL_DIR/exim4-smtorp/tor-smtp/tor-smtp /usr/lib/exim4-smtorp/tor-smtp
-    if [ ! -f /usr/lib/exim4-smtorp/tor-smtp ]; then
-        echo $'Unable to copy tor-smtp'
-        exit 83503
-    fi
-    cp $INSTALL_DIR/exim4-smtorp/xinetd /etc/xinetd.d/tor-smtp
-    if [ ! -f /etc/xinetd.d/tor-smtp ]; then
-        echo $'Unable to copy to xinetd.d'
-        exit 835954
-    fi
-    systemctl restart xinetd
-
-    # configure for Maildir format
-    sed -i 's/MAIL_DIR/#MAIL_DIR/g' /etc/login.defs
-    sed -i 's|#MAIL_FILE.*|MAIL_FILE Maildir/|g' /etc/login.defs
-
-    if ! grep -q "export MAIL" /etc/profile; then
-        echo 'export MAIL=~/Maildir' >> /etc/profile
-    fi
-
-    sed -i 's|pam_mail.so standard|pam_mail.so dir=~/Maildir standard|g' /etc/pam.d/login
-    sed -i 's|pam_mail.so standard noenv|pam_mail.so dir=~/Maildir standard|g' /etc/pam.d/sshd
-    sed -i 's|pam_mail.so nopen|pam_mail.so dir=~/Maildir nopen|g' /etc/pam.d/su
-
-    echo "dc_eximconfig_configtype='internet'" > /etc/exim4/update-exim4.conf.conf
-    if [[ $ONION_ONLY == "no" ]]; then
-        # both ICANN and onion domains
-        echo "dc_other_hostnames='${DEFAULT_DOMAIN_NAME};mail.${DEFAULT_DOMAIN_NAME};${EMAIL_ONION_HOSTNAME}'" >> /etc/exim4/update-exim4.conf.conf
-    else
-        echo "dc_other_hostnames='${EMAIL_ONION_HOSTNAME}'" >> /etc/exim4/update-exim4.conf.conf
-    fi
-    echo "dc_local_interfaces=''" >> /etc/exim4/update-exim4.conf.conf
-    echo "dc_readhost=''" >> /etc/exim4/update-exim4.conf.conf
-    echo "dc_relay_domains=''" >> /etc/exim4/update-exim4.conf.conf
-    echo "dc_minimaldns='false'" >> /etc/exim4/update-exim4.conf.conf
-    IPv4_address=$(get_ipv4_address)
-    IPv4_address_base=$(echo "$IPv4_address" | awk -F '.' '{print $1"."$2"."$3}')
-    RELAY_NETS="${IPv4_address_base}.0/24"
-    if [ $LOCAL_NETWORK_STATIC_IP_ADDRESS ]; then
-        RELAY_NETS=$(echo $LOCAL_NETWORK_STATIC_IP_ADDRESS | awk -F '.' '{print $1 "." $2 "." $3 ".0/24"}')
-    fi
-    echo "dc_relay_nets='$RELAY_NETS'" >> /etc/exim4/update-exim4.conf.conf
-    echo "dc_smarthost=''" >> /etc/exim4/update-exim4.conf.conf
-    echo "CFILEMODE='644'" >> /etc/exim4/update-exim4.conf.conf
-    echo "dc_use_split_config='false'" >> /etc/exim4/update-exim4.conf.conf
-    echo "dc_hide_mailname=''" >> /etc/exim4/update-exim4.conf.conf
-    echo "dc_mailname_in_oh='true'" >> /etc/exim4/update-exim4.conf.conf
-    echo "dc_localdelivery='maildir_home'" >> /etc/exim4/update-exim4.conf.conf
-    echo "dc_main_log_selector=-all" >> /etc/exim4/update-exim4.conf.conf
-    update-exim4.conf
-    sed -i "s/START=no/START=yes/g" /etc/default/saslauthd
-    systemctl start saslauthd
-
-    email_install_tls
-
-    adduser $MY_USERNAME sasl
-    addgroup Debian-exim sasl
-    systemctl restart exim4
-
-    email_create_template
-
-    if [ -f /usr/sbin/exim ]; then
-        chmod u+s /usr/sbin/exim
-    fi
-    if [ -f /usr/sbin/exim4 ]; then
-        chmod u+s /usr/sbin/exim4
-    fi
-
-    function_check configure_firewall_for_email
-    configure_firewall_for_email
-    dpkg-reconfigure --frontend noninteractive exim4-config
-}
-
 function install_email_basic {
     apt-get -yq remove postfix
     apt-get -yq install exim4 sasl2-bin swaks libnet-ssleay-perl procmail
@@ -1710,7 +1510,6 @@ function install_email {
     check_email_address_exists
     install_email_basic
     configure_email_onion
-    #install_email_with_tor
 
     mark_completed $FUNCNAME
 }

src/freedombone-tests

@@ -131,10 +131,20 @@ function stig_spinner {
     wait $1
 }
 
+function disallow_package {
+    package_name=$1
+
+    if service --status-all | grep "+.*${package_name}";then
+        apt-get -yq remove --purge ${package_name}
+        apt -yq autoremove
+    fi
+}
+
 function fix_stig {
     if [[ $RUN_STIG != 'fix' ]]; then
         return
     fi
+    disallow_package xinetd
     lockdown_permissions
 }
 

src/freedombone-upgrade

@@ -50,6 +50,7 @@ done
 
 read_config_param PROJECT_REPO
 read_config_param DEVELOPMENT_BRANCH
+read_config_param DEFAULT_DOMAIN_NAME
 
 DEVELOPMENT_BRANCH=master
 write_config_param "DEVELOPMENT_BRANCH" "$DEVELOPMENT_BRANCH"
@@ -92,6 +93,7 @@ if [ -d $PROJECT_DIR ]; then
             exit 453536
         fi
 
+        email_install_tls
         defrag_filesystem
     fi
 fi

src/freedombone-utils-web

@@ -968,4 +968,55 @@ function install_composer {
     fi
 }
 
+function email_install_tls {
+    tls_config_file=/etc/exim4/conf.d/main/03_exim4-config_tlsoptions
+    tls_auth_config_file=/etc/exim4/conf.d/auth/30_exim4-config_examples
+    email_config_changed=
+
+    if [ ! -f $tls_config_file ]; then
+        tls_config_file=/etc/exim4/exim4.conf.template
+        tls_auth_config_file=$tls_config_file
+    fi
+    if [ ! -f /etc/ssl/certs/exim.dhparam ]; then
+        ${PROJECT_NAME}-addcert -h exim --dhkey $DH_KEYLENGTH
+        check_certificates exim
+        cp /etc/ssl/certs/exim.dhparam /etc/exim4
+        chown root:Debian-exim /etc/exim4/exim.dhparam
+        chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
+        email_config_changed=1
+    fi
+    if ! grep -q 'MAIN_TLS_ENABLE = true' $tls_config_file; then
+        sed -i "/.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME/i\MAIN_HARDCODE_PRIMARY_HOSTNAME =\nMAIN_TLS_ENABLE = true" $tls_config_file
+        email_config_changed=1
+    fi
+    if ! grep -q "tls_on_connect_ports=465" $tls_config_file; then
+        sed -i '/SSL configuration for exim/i\tls_on_connect_ports=465' $tls_config_file
+        email_config_changed=1
+    fi
+    if grep -q '# login_saslauthd_server' $tls_auth_config_file; then
+        sed -i '/login_saslauthd_server/,/.endif/ s/# *//' $tls_auth_config_file
+        email_config_changed=1
+    fi
+    if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
+        if ! grep -q "MAIN_TLS_CERTKEY = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" $tls_config_file; then
+            sed -i "/.ifdef MAIN_TLS_CERTKEY/i\MAIN_TLS_CERTKEY = /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem" $tls_config_file
+            email_config_changed=1
+        fi
+    fi
+    if [ -f /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key ]; then
+        if ! grep -q "MAIN_TLS_PRIVATEKEY = /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" $tls_config_file; then
+            sed -i "/.ifndef MAIN_TLS_PRIVATEKEY/i\MAIN_TLS_PRIVATEKEY = /etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key" $tls_config_file
+            email_config_changed=1
+        fi
+    fi
+    if ! grep -q "SMTPLISTENEROPTIONS='-oX 465:25:587" /etc/default/exim4; then
+        sed -i "s|SMTPLISTENEROPTIONS=.*|SMTPLISTENEROPTIONS='-oX 465:25:587 -oP /var/run/exim4/exim.pid'|g" /etc/default/exim4
+        email_config_changed=1
+    fi
+    if [ $email_config_changed ]; then
+        systemctl restart saslauthd
+        systemctl restart exim4
+    fi
+}
+
 # NOTE: deliberately no exit 0