#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2018, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
#
# E-mail and messaging
#
#################################################################################
#
    InsertSection "Software: e-mail and messaging"
#
#################################################################################
#
    DOVECOT_RUNNING=0
    EXIM_RUNNING=0
    EXIM_TYPE=""
    IMAP_DAEMON=""
    OPENSMTPD_RUNNING=0
    POP3_DAEMON=""
    POSTFIX_RUNNING=0
    QMAIL_RUNNING=0
    SENDMAIL_RUNNING=0
    SMTP_DAEMON=""
#
#################################################################################
#
    # Test        : MAIL-8802
    # Description : Check Exim process status
    Register --test-no MAIL-8802 --weight L --network NO --category security --description "Check Exim status"
    if [ ${SKIPTEST} -eq 0  ]; then
        LogText "Test: check Exim status"
        IsRunning exim4 || IsRunning exim
        if [ ${RUNNING} -eq 1 ]; then
            LogText "Result: found running Exim process"
            Display --indent 2 --text "- Exim status" --result "${STATUS_RUNNING}" --color GREEN
            EXIM_RUNNING=1
            SMTP_DAEMON="exim"
            Report "smtp_daemon[]=exim"
        else
            LogText "Result: no running Exim processes found"
            if IsVerbose; then Display --indent 2 --text "- Exim status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
        fi
    fi
#
#################################################################################
#
    # Test        : MAIL-8804
    # Description : Exim configuration options
    if [ ${EXIM_RUNNING} -eq 1 -a ! "${EXIMBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no MAIL-8803 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Exim configuration options"
    if [ ${SKIPTEST} -eq 0 -a ${EXIM_RUNNING} -eq 1 ]; then
        LogText "Test: Exim configuration options"

        EXIM_ROUTERS=$(exim -bP router_list)

        unset FIND FIND2 FIND3 FIND4

        # Local Only
        FIND=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^nonlocal')
        # Internet Host
        FIND2=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^dnslookup_relay_to_domains')
        # Smarthost or Satellite
        FIND3=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^smarthost')

        if [ ! -z "${FIND}" ]; then
            EXIM_TYPE="LOCAL ONLY"
        elif [ ! -z "${FIND2}" ]; then
            EXIM_TYPE="INTERNET HOST"
        elif [ ! -z "${FIND3}" ]; then
            FIND4=$(echo "${EXIM_ROUTERS}" | ${EGREPBINARY} '^hub_user_smarthost')
            if [ ! -z "${FIND4}" ]; then
                EXIM_TYPE="SATELLITE"
            else
                EXIM_TYPE="SMARTHOST"
            fi
        fi

        if [ ! -z "${EXIM_TYPE}" ]; then
            LogText "Result: Exim Type - ${EXIM_TYPE}"
            Display --indent 4 --text "- Type" --result "${EXIM_TYPE}" --color GREEN
        else
            LogText "Result: Exim Type - Not Configured"
            Display --indent 4 --text "- Type" --result "Not Configured" --color WHITE
        fi

        if [ "${EXIM_TYPE}" = "INTERNET HOST" -o "${EXIM_TYPE}" = "SMARTHOST" ]; then
            LogText "Test: Exim Public Interfaces"
            EXIM_IP=$(exim -bP local_interfaces | cut -d '=' -f2 | sed -e 's/\s*<\s*\;\?//' -e 's/\s*::0\s*\;\?//' -e 's/\s*127.0.0.1\s*\;\?//' -e 's/^\s*//' -e 's/\s*$//')
            if [ ! -z "${EXIM_IP}" ]; then
                LogText "Result: ${EXIM_IP}"
                Display --indent 4 --text "- Public Interface(s)" --result "${EXIM_IP}" --color GREEN
            else
                LogText "Result: None"
                Display --indent 4 --text "- Public Interface(s)" --result "NONE" --color WHITE
            fi

            LogText "Test: Exim TLS State"
            EXIM_TLS=$(exim -bP tls_advertise_hosts | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//')
            if [ ! -z "${EXIM_TLS}" ]; then
                LogText "Result: Enabled"
                Display --indent 4 --text "- TLS" --result "ENABLED" --color GREEN
            else
                LogText "Result: Not enabled"
                Display --indent 4 --text "- TLS" --result "NOT ENABLED" --color WHITE
            fi
        fi

        if [ ! -z "${EXIM_TYPE}" -a "${EXIM_TYPE}" != "LOCAL ONLY" ]; then
            LogText "Test: Exim Certificate and Private Key"

            case "${EXIM_TYPE}" in
                "INTERNET HOST" | "SMARTHOST" )
                    EXIM_CERTIFICATE=$(exim -bP tls_certificate | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//')
                    EXIM_PRIVATEKEY=$(exim -bP tls_privatekey | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//')
                    ;;
                "SATELLITE" )
                    EXIM_CERTIFICATE=$(exim -bP transport remote_smtp_smarthost | grep tls_certificate | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//')
                    EXIM_PRIVATEKEY=$(exim -bP transport remote_smtp_smarthost | grep tls_privatekey | cut -d '=' -f2 | sed -e 's/^\s*//' -e 's/\s*$//')
                    ;;
            esac

            if [ ! -z "${EXIM_CERTIFICATE}" ]; then
                LogText "Result: ${EXIM_CERTIFICATE}"
                if [ -f "${EXIM_CERTIFICATE}" ]; then
                    Display --indent 4 --text "- Certificate" --result "${STATUS_FOUND}" --color GREEN
                    LogText "Result: Certificate found."
                else
                    Display --indent 4 --text "- Certificate" --result "${STATUS_NOT_FOUND}" --color YELLOW
                    LogText "Result: Certificate not found."
                fi
            else
                LogText "Result: Certificate not set."
                Display --indent 4 --text "- Certificate not set" --result "${STATUS_WARNING}" --color WHITE
            fi

            if [ ! -z "${EXIM_PRIVATEKEY}" ]; then
                LogText "Result: ${EXIM_PRIVATEKEY}"
                if [ -f "${EXIM_PRIVATEKEY}" ]; then
                    LogText "Result: Private Key found."
                    Display --indent 4 --text "- Private Key" --result "${STATUS_FOUND}" --color GREEN
                else
                    Display --indent 4 --text "- Private Key" --result "${STATUS_NOT_FOUND}" --color YELLOW
                    LogText "Result: Private Key not found."
                fi
            else
                LogText "Result: Private Key not set."
                Display --indent 4 --text "- Private Key not set" --result "${STATUS_WARNING}" --color WHITE
            fi
        fi
    fi

#
#################################################################################
#
    # Test        : MAIL-8814
    # Description : Check Postfix process
    # Notes       : qmgr and pickup run under postfix uid, without full path to binary
    Register --test-no MAIL-8814 --weight L --network NO --category security --description "Check postfix process status"
    if [ ${SKIPTEST} -eq 0  ]; then
        LogText "Test: check Postfix status"
        # Some other processes also use master, therefore it should include both master and postfix
        FIND1=$(${PSBINARY} ax | ${GREPBINARY} "master" | ${GREPBINARY} "postfix" | ${GREPBINARY} -v "grep")
        if [ ! -z "${FIND1}" ]; then
            LogText "Result: found running Postfix process"
            Display --indent 2 --text "- Postfix status" --result "${STATUS_RUNNING}" --color GREEN
            POSTFIX_RUNNING=1
            SMTP_DAEMON="postfix"
            Report "smtp_daemon[]=postfix"
        else
            LogText "Result: no running Postfix processes found"
            if IsVerbose; then Display --indent 2 --text "- Postfix status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
        fi
    fi
#
#################################################################################
#
    # Test        : MAIL-8816
    # Description : Check Postfix configuration
    if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no MAIL-8816 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration"
    if [ ${SKIPTEST} -eq 0  ]; then
        Display --indent 4 --text "- Postfix configuration" --result "${STATUS_FOUND}" --color GREEN
        POSTFIX_CONFIGDIR=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^config_directory' | ${AWKBINARY} '{ print $3 }')
        POSTFIX_CONFIGFILE="${POSTFIX_CONFIGDIR}/main.cf"
        LogText "Postfix configuration directory: ${POSTFIX_CONFIGDIR}"
        LogText "Postfix configuration file: ${POSTFIX_CONFIGFILE}"
    fi
#
#################################################################################
#
    # Test        : MAIL-8817
    # Description : Check Postfix configuration for error
    if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no MAIL-8817 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration errors"
    if [ ${SKIPTEST} -eq 0  ]; then
        LogText "Test: using postconf to see if Postfix configuration has errors"
        FIND=$(${POSTCONFBINARY} 2>&1 | ${GREPBINARY} "warning:")
        if [ ! -z "${FIND}" ]; then
            Report "postfix_config_error=1"
            Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_WARNING}" --color RED
            LogText "Result: found an error or warning in the Postfix configuration. Manual check suggested."
            ReportSuggestion ${TEST_NO} "Found a configuration error in Postfix" "${POSTFIX_CONFIGFILE}" "text:run postconf > /dev/null"
        else
            LogText "Result: all looks to be fine with Postfix configuration"
            if IsVerbose; then Display --indent 6 --text "- Postfix configuration errors" --result "${STATUS_OK}" --color GREEN; fi
        fi
    fi
#
#################################################################################
#
    # Test        : MAIL-8818
    # Description : Check Postfix configuration
    if [ ${POSTFIX_RUNNING} -eq 1 -a ! "${POSTFIXBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no MAIL-8818 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check Postfix configuration: banner"
    if [ ${SKIPTEST} -eq 0  ]; then
        LogText "Test: Checking Postfix banner"
        FIND1=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} 'postfix')
        FIND2=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} '$mail_name')
        FIND3=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^mail_name' | ${GREPBINARY} -i 'postfix')
        FIND4=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${OS}")
        if [ ! -z "${LINUX_VERSION}" ]; then
            FIND5=$(${POSTCONFBINARY} 2> /dev/null | ${GREPBINARY} '^smtpd_banner' | ${GREPBINARY} -i "${LINUX_VERSION}")
        fi
        SHOWWARNING=0

        if [ ! -z "${FIND1}" ]; then
            SHOWWARNING=1
            Report "banner_software_disclosure[]=${FIND1}"
        elif [ ! -z "${FIND2}" -a ! -z "${FIND3}" ]; then
            SHOWWARNING=1
            Report "banner_software_disclosure[]=${FIND2}"
        elif [ ! -z "${FIND4}" ]; then
            SHOWWARNING=1
            Report "banner_os_disclosure[]=${FIND4}"
        elif [ ! -z "${FIND5}" ]; then
            SHOWWARNING=1
            Report "banner_os_disclosure[]=${FIND5}"
        fi

        if [ ${SHOWWARNING} -eq 1 ]; then
            Display --indent 6 --text "- Postfix banner" --result "${STATUS_WARNING}" --color RED
            LogText "Result: found OS, or mail_name in SMTP banner, and/or mail_name contains 'Postfix'."
            ReportWarning ${TEST_NO} "Found some information disclosure in SMTP banner (OS or software name)"
            ReportSuggestion ${TEST_NO} "You are advised to hide the mail_name (option: smtpd_banner) from your postfix configuration. Use postconf -e or change your main.cf file (${POSTFIX_CONFIGFILE})"
        else
            if IsVerbose; then Display --indent 6 --text "- Postfix banner" --result "${STATUS_OK}" --color GREEN; fi
        fi
    fi
#
#################################################################################
#
    # Test        : MAIL-8820
    Register --test-no MAIL-8820 --weight L --network NO --category security --description "Postfix configuration scan"
    if [ ${SKIPTEST} -eq 0  ]; then
        if [ "$(postconf -h inet_interfaces 2> /dev/null)" = "all" ]; then
            if ! SkipAtomicTest "${TEST_NO}:disable_vrfy_command"; then
                if [ "$(postconf -h disable_vrfy_command 2> /dev/null)" = "no" ]; then
                    ReportSuggestion "${TEST_NO}:disable_vrfy_command" "Disable the 'VRFY' command" "disable_vrfy_command=no" "text:run postconf -e disable_vrfy_command=yes to change the value"
                fi
            fi
        fi
    fi
#
#################################################################################
#
    # Test        : MAIL-8838
    # Description : Check Dovecot process
    Register --test-no MAIL-8838 --weight L --network NO --category security --description "Check dovecot process"
    if [ ${SKIPTEST} -eq 0  ]; then
        LogText "Test: check dovecot status"
        IsRunning dovecot
        if [ ${RUNNING} -eq 1 ]; then
            LogText "Result: found running dovecot process"
            Display --indent 2 --text "- Dovecot status" --result "${STATUS_RUNNING}" --color GREEN
            DOVECOT_RUNNING=1
            IMAP_DAEMON="dovecot"
            POP3_DAEMON="dovecot"
            Report "pop3_daemon[]=dovecot"
            Report "imap_daemon[]=dovecot"
        else
            LogText "Result: dovecot not found"
            if IsVerbose; then Display --indent 2 --text "- Dovecot status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
        fi
    fi
#
#################################################################################
#
    # Test        : MAIL-8860
    # Description : Check Qmail process status
    Register --test-no MAIL-8860 --weight L --network NO --category security --description "Check Qmail status"
    if [ ${SKIPTEST} -eq 0  ]; then
        LogText "Test: check Qmail status"
        IsRunning qmail-smtpd
        if [ ${RUNNING} -eq 1 ]; then
            LogText "Result: found running Qmail process"
            Display --indent 2 --text "- Qmail status" --result "${STATUS_RUNNING}" --color GREEN
            QMAIL_RUNNING=1
            SMTP_DAEMON="qmail"
            Report "smtp_daemon[]=qmail"
        else
            LogText "Result: no running Qmail processes found"
            if IsVerbose; then Display --indent 2 --text "- Qmail status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
        fi
    fi
#
#################################################################################
#
    # Test        : MAIL-8880
    # Description : Check Sendmail process status
    Register --test-no MAIL-8880 --weight L --network NO --category security --description "Check Sendmail status"
    if [ ${SKIPTEST} -eq 0  ]; then
        LogText "Test: check sendmail status"
        IsRunning sendmail
        if [ ${RUNNING} -eq 1 ]; then
            LogText "Result: found running Sendmail process"
            Display --indent 2 --text "- Sendmail status" --result "${STATUS_RUNNING}" --color GREEN
            SENDMAIL_RUNNING=1
            SMTP_DAEMON="sendmail"
            Report "smtp_daemon[]=sendmail"
        else
            LogText "Result: no running Sendmail processes found"
            if IsVerbose; then Display --indent 2 --text "- Sendmail status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
        fi
    fi
#
#################################################################################
#
    # Test        : MAIL-8920
    # Description : Check OpenSMTPD process status
    if [ ! -z "${SMTPCTLBINARY}" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
    Register --test-no MAIL-8920 --preqs-met ${PREQS_MET} --weight L --network NO --category security --description "Check OpenSMTPD status"
    if [ ${SKIPTEST} -eq 0  ]; then
        LogText "Test: check smtpd status"
        FIND=$(${PSBINARY} ax | ${EGREPBINARY} "(/smtpd|smtpd: \[priv\]|smtpd: smtp)" | ${GREPBINARY} -v "grep")
        if [ ! "${FIND}" = "" ]; then
            LogText "Result: found running smtpd process"
            Display --indent 2 --text "- OpenSMTPD status" --result "${STATUS_RUNNING}" --color GREEN
            OPENSMTPD_RUNNING=1
            Report "smtp_daemon[]=opensmtpd"
        else
            LogText "Result: smtpd not found"
            if IsVerbose; then Display --indent 2 --text "- OpenSMTPD status" --result "${STATUS_NOT_FOUND}" --color WHITE; fi
        fi
    fi
#
#################################################################################
#

Report "imap_daemon=${IMAP_DAEMON}"
Report "pop3_daemon=${POP3_DAEMON}"
Report "smtp_daemon=${SMTP_DAEMON}"


WaitForKeyPress

#
#================================================================================
# Lynis - Security Auditing and System Hardening for Linux and UNIX - https://cisofy.com