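#!/bin/bash
# =================================================================
# setup-mail.sh — Postfix (Brevo relay) + opendkim for resetea.net
# Usage: sudo bash /var/www/resetea.net/infra/setup-mail.sh
#
# Steps, in order: install packages, configure Postfix as a loopback-only
# MTA that relays through Brevo, generate (or keep) the DKIM key, configure
# opendkim, install the backend systemd unit, start opendkim, and print the
# DKIM DNS record.  Postfix is NOT started here: that waits until
# set-relay-credentials.sh has written the real SASL credentials.
# =================================================================
# -e: abort on the first failing command.
# -u: an unset variable is a bug, not an empty string — every path below
#     is built from the constants that follow, none should expand empty.
# -o pipefail: the grep/tr pipeline that extracts the DKIM public key at
#     the end must not report success when grep matched nothing.
set -euo pipefail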
# Site-specific constants.  Adjust NODE_BIN if node lives elsewhere — the
# pre-flight check further down aborts when that path does not exist.
readonly DOMAIN="resetea.net"
# DKIM selector: the DNS record ends up at ${SELECTOR}._domainkey.${DOMAIN}
readonly SELECTOR="mail"
readonly DKIM_DIR="/etc/opendkim/keys/${DOMAIN}"
# nvm-managed, per-user node binary used by the backend's systemd unit.
readonly NODE_BIN="/home/capitansito/.nvm/versions/node/v18.20.8/bin/node"
readonly APP_DIR="/var/www/resetea.net/api"
readonly APP_USER="capitansito"
# ── Pre-flight checks ─────────────────────────────────────────────
# Everything below writes under /etc and drives systemd, so refuse to
# continue unless running as root.
if (( EUID != 0 )); then
  echo "ERROR: Ejecuta como root: sudo bash $0"
  exit 1
fi

# The systemd unit created later hard-codes NODE_BIN, so fail early if the
# binary is not where the constant says it is.
if [[ ! -f "${NODE_BIN}" ]]; then
  echo "ERROR: node no encontrado en ${NODE_BIN}"
  echo "Ajusta NODE_BIN al inicio del script."
  exit 1
fi

# Banner.
printf '%s\n' \
  "" \
  "╔══════════════════════════════════════════════╗" \
  "║ SETUP MAIL — resetea.net ║" \
  "╚══════════════════════════════════════════════╝"
# ── [1/6] Packages ────────────────────────────────────────────────
echo ""
echo "[1/6] Instalando postfix, opendkim, opendkim-tools..."

# libsasl2-modules supplies the SASL client mechanisms postfix needs to
# log in to the relay.  NOTE(review): no `apt-get update` runs first, so on
# a host with a stale package index this step may fail — run it beforehand.
packages=(postfix libsasl2-modules opendkim opendkim-tools)
DEBIAN_FRONTEND=noninteractive apt-get install -y "${packages[@]}"
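# ── [2/6] Configure Postfix ───────────────────────────────────────
echo ""
echo "[2/6] Configurando Postfix..."

# Local-only MTA: only loopback listens and only mail for "localhost" is
# delivered here; everything else is handed to the relay configured below.
postconf -e "myhostname = ${DOMAIN}"
postconf -e "myorigin = ${DOMAIN}"
postconf -e "inet_interfaces = loopback-only"
postconf -e "mydestination = localhost"
postconf -e "mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"

# Brevo relay — the real credentials are written by set-relay-credentials.sh.
postconf -e "relayhost = [smtp-relay.brevo.com]:587"
postconf -e "smtp_sasl_auth_enable = yes"
postconf -e "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd"
postconf -e "smtp_sasl_security_options = noanonymous"
# "encrypt" only forces TLS; it does not verify the relay's certificate, so
# the SASL login (PLAIN/LOGIN send the password as-is inside the TLS
# session) could be handed to anyone able to intercept the connection.
# "secure" validates the chain against smtp_tls_CAfile and matches the
# certificate name against the relayhost name; if that fails, mail is
# deferred and logged (fails closed) instead of being sent.
postconf -e "smtp_tls_security_level = secure"
postconf -e "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt"
# Legacy parameter; superseded by smtp_tls_security_level when that is set.
postconf -e "smtp_use_tls = yes"

# opendkim is attached as a milter on loopback TCP (see [4/6]).
postconf -e "milter_protocol = 6"
# "accept": if opendkim is down, mail leaves UNSIGNED rather than waiting in
# the queue; with a DMARC policy published such mail may be rejected by the
# receiver.  "tempfail" would hold it instead.  Left as-is (availability over
# signing) — worth remembering when debugging delivery problems.
postconf -e "milter_default_action = accept"
postconf -e "smtpd_milters = inet:localhost:12301"
postconf -e "non_smtpd_milters = inet:localhost:12301"

# Credential placeholder (empty until set-relay-credentials.sh runs).
# Created under a restrictive umask so the file is never world-readable,
# not even between creation and the chmod.
if [[ ! -f /etc/postfix/sasl_passwd ]]; then
  ( umask 077; echo "[smtp-relay.brevo.com]:587 BREVO_LOGIN:BREVO_SMTP_KEY" > /etc/postfix/sasl_passwd )
  chmod 600 /etc/postfix/sasl_passwd
  postmap /etc/postfix/sasl_passwd
fi
# postmap writes sasl_passwd.db with its own mode; the chmod above does not
# cover it, and the .db holds the same credentials as the text file, so it
# needs the same 0600 (Postfix's SASL_README recommends this for both).
if [[ -f /etc/postfix/sasl_passwd.db ]]; then
  chmod 600 /etc/postfix/sasl_passwd.db
fi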
# ── [3/6] DKIM keys ───────────────────────────────────────────────
echo ""
echo "[3/6] Generando claves DKIM (2048 bits)..."

mkdir -p "${DKIM_DIR}"

private_key="${DKIM_DIR}/${SELECTOR}.private"
public_txt="${DKIM_DIR}/${SELECTOR}.txt"

# An existing key is kept: its public half is what the summary at the end
# tells the operator to publish in DNS, so regenerating would break
# verification until DNS is updated again.
if [[ ! -f "${private_key}" ]]; then
  opendkim-genkey -b 2048 -d "${DOMAIN}" -D "${DKIM_DIR}" -s "${SELECTOR}" -v
  echo " → Clave generada en ${DKIM_DIR}/"
else
  echo " → Clave ya existente, se mantiene (no se regenera)."
fi

# Ownership to the daemon user; the key directory is traversable but not
# listable by others, the private key is owner-only, and the .txt (public
# record) stays world-readable so the script can print it later.
chown -R opendkim:opendkim /etc/opendkim/
chmod 711 "${DKIM_DIR}"
chmod 600 "${private_key}"
chmod 644 "${public_txt}"
# ── [4/6] Configure opendkim ──────────────────────────────────────
echo ""
echo "[4/6] Configurando opendkim..."

# Daemon config.  Quoted heredoc: nothing in it is meant to expand.
# Mode sv = sign outgoing, verify incoming; rsa-sha256 signatures; listens
# on loopback TCP 12301, which is where postfix's *_milters settings point.
# NOTE(review): UMask 002 leaves files the daemon creates (pid file)
# group-writable; 007 would be tighter.  Left unchanged here.
cat > /etc/opendkim.conf <<'EOF'
AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim
Socket inet:12301@localhost
EOF

# Hosts whose mail is treated as internal (signed rather than verified).
printf '%s\n' "127.0.0.1" "localhost" "${DOMAIN}" > /etc/opendkim/TrustedHosts

# selector._domainkey.domain -> domain:selector:path-to-private-key
printf '%s\n' "${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${DKIM_DIR}/${SELECTOR}.private" > /etc/opendkim/KeyTable

# Every sender @domain signs with that key.
printf '%s\n' "*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" > /etc/opendkim/SigningTable
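# ── [5/6] systemd unit for the resetea backend ────────────────────
echo ""
echo "[5/6] Creando servicio systemd resetea..."

# EnvironmentFile= is read by systemd as root and, for a backend, usually
# holds secrets; systemd does not care about its mode, so check it here and
# warn when anyone but the owner can read it.  Without a leading "-" a
# missing EnvironmentFile makes the unit fail to start, so warn on that too.
env_file="${APP_DIR}/.env"
if [[ -f "${env_file}" ]]; then
  env_mode=$(stat -c '%a' "${env_file}")
  if [[ "${env_mode: -2}" != "00" ]]; then
    echo " ⚠ ${env_file} tiene modo ${env_mode} (legible por grupo/otros). Recomendado: chmod 600 ${env_file}"
  fi
else
  echo " ⚠ ${env_file} no existe: el servicio no arrancará hasta que exista (EnvironmentFile= es obligatorio)."
fi

# NOTE(review): sandboxing directives (ProtectHome=, NoNewPrivileges=, …)
# are deliberately not added: node lives under /home/${APP_USER}, and if the
# app hands mail to /usr/sbin/sendmail the setgid postdrop helper must keep
# its privileges — confirm how the app sends mail before hardening this.
cat > /etc/systemd/system/resetea.service << EOF
[Unit]
Description=RESETEA.NET backend Node.js
After=network.target

[Service]
Type=simple
User=${APP_USER}
WorkingDirectory=${APP_DIR}
ExecStart=${NODE_BIN} app.js
Restart=on-failure
RestartSec=5
EnvironmentFile=${APP_DIR}/.env

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable resetea
if systemctl start resetea; then
  echo " → resetea backend arrancado"
else
  echo " ⚠ Error arrancando resetea — revisa: journalctl -u resetea -n 20"
fi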
# ── [6/6] Start opendkim (postfix waits for credentials) ─────────
echo ""
echo "[6/6] Arrancando opendkim y postfix..."

# restart rather than start, so a re-run picks up the config just written.
systemctl enable opendkim
if systemctl restart opendkim; then
  echo " → opendkim OK"
else
  echo " ⚠ Error en opendkim"
fi
sleep 1   # presumably to let the milter bind 12301 before anything talks to it

# Postfix is left alone until set-relay-credentials.sh has replaced the
# placeholder in /etc/postfix/sasl_passwd.
# NOTE(review): the Debian postfix package normally starts the daemon at
# install time, so it may already be running with the placeholder; relay
# attempts before the credentials are set will fail authentication at Brevo.
echo " → Postfix: esperando credenciales Brevo antes de arrancar."
echo " Ejecuta set-relay-credentials.sh cuando tengas las credenciales."
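# ── Final summary ─────────────────────────────────────────────────

#######################################
# Print the "p=..." tag of the DKIM TXT record from the .txt file written by
# opendkim-genkey.  genkey splits records longer than 255 bytes into several
# quoted strings (a 2048-bit key always is), so every quoted chunk is
# collected and joined.  The previous grep '"p=.*"' only returned the chunk
# on the line where p= starts, i.e. a truncated key that would fail to
# verify once published.
# Arguments: $1 - path to <selector>.txt
# Outputs:   "p=<base64>" on stdout
# Returns:   1 if the file is unreadable or holds no p= tag
#######################################
dkim_p_value() {
  local txt_file=$1 joined
  joined=$(grep -o '"[^"]*"' -- "${txt_file}" | tr -d '"\n\t ') || joined=""
  [[ "${joined}" == *p=* ]] || return 1
  printf 'p=%s\n' "${joined#*p=}"
}

echo ""
echo "════════════════════════════════════════════════════════"
echo " REGISTRO DKIM — añadir en DNS de Gandi:"
echo "────────────────────────────────────────────────────────"
echo " Nombre: ${SELECTOR}._domainkey"
echo " Tipo: TXT"
if DKIM_P=$(dkim_p_value "${DKIM_DIR}/${SELECTOR}.txt"); then
  echo " Valor: v=DKIM1; k=rsa; ${DKIM_P}"
else
  echo " ⚠ No se pudo extraer p= de ${DKIM_DIR}/${SELECTOR}.txt — revisa el archivo a mano."
fi
echo ""
echo " (archivo completo en ${DKIM_DIR}/${SELECTOR}.txt)"
echo "════════════════════════════════════════════════════════"
echo ""
# NOTE(review): step 3 passes the SMTP key on the command line, where it is
# visible in `ps` and in shell history; set-relay-credentials.sh is not in
# this file, but reading the key from stdin or a 0600 file would be safer.
echo "SIGUIENTE PASO:"
echo " 1. Crea cuenta gratis en https://app.brevo.com"
echo " 2. Ve a: SMTP & API → SMTP → 'Generate a new SMTP Key'"
echo " 3. Ejecuta:"
echo " sudo bash /var/www/resetea.net/infra/set-relay-credentials.sh TU_EMAIL_BREVO TU_SMTP_KEY"
echo " 4. Añade el registro DKIM de arriba en Gandi"
echo " 5. Ejecuta el managedns.sh setup-mail-dns para SPF y DMARC"
echo ""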