2 set -e -f ${DRY_RUN:+-n} -u
4 .
"$tool"/lib
/functions.sh
6 test "$(hostname --fqdn)" = "$vm_fqdn"
10 DESCRIPTION: ce script regroupe des fonctions utilitaires
11 pour gérer la VM _depuis_ la VM hébergée ;
12 il sert à la fois d'outil et de documentation.
13 Voir \`$tool/vm_host' pour les utilitaires côté machine hôte.
14 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
16 $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/vm.sh "$0")
18 TRACE # affiche les commandes avant leur exécution
19 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/vm.sh "$0")
26 git checkout
-f -B master origin
37 rule__etckeeper_init
() {
38 mk_reg mod
=644 own
=root
:root
/etc
/etckeeper
/etckeeper.conf
<<-EOF
41 AVOID_DAILY_AUTOCOMMITS=1
42 #AVOID_SPECIAL_FILE_WARNING=1
43 #AVOID_COMMIT_BEFORE_INSTALL=1
44 HIGHLEVEL_PACKAGE_MANAGER=apt
45 LOWLEVEL_PACKAGE_MANAGER=dpkg
48 rule__locale_init
() {
49 mk_reg mod
=644 own
=root
:root
/etc
/locale.gen
<<-EOF
54 rule__network_init
() {
55 mk_reg mod
= own
= /etc
/hostname
<<-EOF
58 grep -q " $vm\$" /etc
/hosts ||
59 mk_reg mod
= own
= --append /etc
/hosts
<<-EOF
60 127.0.0.1 $vm_fqdn $vm
62 mk_reg mod
= own
= /etc
/network
/interfaces
<<-EOF
64 iface lo inet loopback
67 iface grenode inet static
69 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
72 netmask 255.255.255.255
73 mtu 1300 # TODO: voir si c'est nécessaire à Lyon
74 post-up ip address add $vm_ipv4/32 dev \$IFACE
75 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
79 mk_reg mod
= own
= /etc
/apt
/sources.list
<<-EOF
80 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
82 mk_reg mod
= own
= /etc
/apt
/sources.list.d
/$vm_lsb_name-backports.list
<<-EOF
83 deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
85 mk_reg mod
= own
= /etc
/apt
/preferences
<<-EOF
87 Pin: release a=$vm_lsb_name
91 Pin: release a=$vm_lsb_name-backports
94 mk_reg mod
= own
= /etc
/apt
/sources.list.d
/openerp.list
<<-EOF
95 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
98 rule__filesystem_init
() {
99 mk_reg mod
=644 own
=root
:root
/etc
/fstab
<<-EOF
100 # <file system> <mount point> <type> <options> <dump> <pass>
101 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
102 proc /proc proc defaults 0 0
103 sysfs /sys sysfs defaults 0 0
104 tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
105 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
106 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
107 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
108 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
110 mk_reg mod
=644 own
=root
:root
/etc
/crypttab
<<-EOF
111 # <target name> <source device> <key file> <options>
112 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
113 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
114 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
115 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
117 mk_reg mod
=644 own
=root
:root
/etc
/sysctl.d
/local-swap.conf
<<-EOF
118 vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
119 vm.vfs_cache_pressure=50
122 rule__login_init
() {
123 grep -q hvc0
/etc
/securetty ||
124 mk_reg mod
= own
= --append /etc
/securetty
<<-EOF
127 grep -q xvc0
/etc
/securetty ||
128 mk_reg mod
= own
= --append /etc
/securetty
<<-EOF
131 mk_reg mod
=644 own
=root
:root
/etc
/inittab
<<-EOF
132 # /etc/inittab: init(8) configuration.
134 # The default runlevel.
137 # Boot-time system configuration/initialization script.
138 # This is run first except when booting in emergency (-b) mode.
139 si::sysinit:/etc/init.d/rcS
141 # What to do in single-user mode.
142 ~~:S:wait:/sbin/sulogin
144 # /etc/init.d executes the S and K scripts upon change
147 # Runlevel 0 is halt.
148 # Runlevel 1 is single-user.
149 # Runlevels 2-5 are multi-user.
150 # Runlevel 6 is reboot.
152 l0:0:wait:/etc/init.d/rc 0
153 l1:1:wait:/etc/init.d/rc 1
154 l2:2:wait:/etc/init.d/rc 2
155 l3:3:wait:/etc/init.d/rc 3
156 l4:4:wait:/etc/init.d/rc 4
157 l5:5:wait:/etc/init.d/rc 5
158 l6:6:wait:/etc/init.d/rc 6
159 # Normally not reached, but fallthrough in case of emergency.
160 z6:6:respawn:/sbin/sulogin
162 # What to do when CTRL-ALT-DEL is pressed.
163 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
165 # What to do when the power fails/returns.
166 pf::powerwait:/etc/init.d/powerfail start
167 pn::powerfailnow:/etc/init.d/powerfail now
168 po::powerokwait:/etc/init.d/powerfail stop
170 # Xen hypervisor console
171 hvc:2345:respawn:/sbin/getty 38400 hvc0
172 #xvc:2345:respawn:/sbin/getty 38400 xvc0
174 mk_reg mod
=644 own
=root
:root
/etc
/login.defs
<<-EOF
181 FTMP_FILE /var/log/btmp
183 HUSHLOGIN_FILE .hushlogin
184 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
185 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
186 # NOTE: met les sbin/ dans ENV_PATH ;
187 # - ça n'apporte aucune protection de ne pas les mettre ;
188 # - ça frustre de ne pas les trouver.
194 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
195 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
209 ENCRYPT_METHOD SHA512
211 grep -q '^session optional pam_umask.so\>' /etc
/pam.d
/common-session ||
212 mk_reg mod
= own
= --append /etc
/pam.d
/common-session
<<-EOF
213 session optional pam_umask.so
216 rule__user_root_init
() {
217 mk_dir mod
=750 own
=root
:root
/root
/etc
218 mk_dir mod
=750 own
=root
:root
/root
/etc
/ssh
219 mk_dir mod
=750 own
=root
:root
/root
/etc
/gpg
220 mk_lnk etc
/gpg
/root
/.gnupg
221 mk_lnk etc
/ssh /root
/.
ssh
223 while IFS
=: read -r group x x users
224 do while IFS
=, read -r user
225 do eval local home\
; home
="~$user"
226 cat "$home"/etc
/ssh
/authorized_keys
231 mk_reg mod
=640 own
=root
:root
/root
/etc
/ssh
/authorized_keys
232 sudo
find "$tool"/var
/pub
/openpgp
-type f
-name '*.key' -exec gpg
--import {} \
;
234 rule__initramfs_init
() {
235 mk_reg mod
=644 own
=root
:root
/etc
/initramfs-tools
/initramfs.conf
<<-EOF
242 mk_reg mod
=644 own
=root
:root
/etc
/modprobe.d
/xen-pv.conf
<<-EOF
244 alias scsi_hostadapter xenblk
246 mk_reg mod
=644 own
=root
:root
/etc
/modules
<<-EOF
252 # NOTE: pour Xen en mode HVM :
253 #modprobe xen-platform-pci
255 mk_reg mod
=644 own
=root
:root
/etc
/initramfs-tools
/modules
<<-EOF
257 sudo
sed -e '/^configure_networking /s/ &$//' \
258 -i /usr
/share
/initramfs-tools
/scripts
/init-premount
/dropbear
259 # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
261 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_dss_host_key \
262 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_dss_host_key.pub \
263 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key \
264 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key.pub
265 #mk_reg mod=640 own=root:root </dev/null \
266 # /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
267 # /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub
268 ssh-keygen
-F "init.$vm_fqdn" -f "$tool"/etc
/openssh
/known_hosts |
269 ( while IFS
= read -r line
270 do case $line in (*" RSA") return 0; break;; esac
272 sudo dropbearkey
-t rsa
-s 4096 -f \
273 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key
274 ssh-keygen
-F "init.$vm_fqdn" -f "$tool"/etc
/openssh
/known_hosts |
275 ( while IFS
= read -r line
276 do case $line in (*" DSA") return 0; break;; esac
278 sudo dropbearkey
-t dss
-s 1024 -f \
279 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_dss_host_key
280 mk_dir mod
=640 own
=root
:root \
281 /etc
/initramfs-tools
/root \
282 /etc
/initramfs-tools
/root
/.
ssh
284 while IFS
=: read -r group x x users
285 do while IFS
=, read -r user
286 do eval local home\
; home
="~$user"
287 cat "$home"/etc
/ssh
/authorized_keys
292 mk_reg mod
=644 own
=root
:root
/etc
/initramfs-tools
/root
/.ssh
/authorized_keys
294 /etc
/initramfs-tools
/root
/.ssh
/id_rsa.dropbear \
295 /etc
/initramfs-tools
/root
/.ssh
/id_rsa.pub \
296 /etc
/initramfs-tools
/root
/.ssh
/id_rsa
297 # NOTE: clefs générées par Debian
298 sudo update-initramfs
-u
301 sudo apt-get
install --reinstall grub-pc
# XXX: attention à n'installer GRUB sur AUCUN disque proposé !
302 mk_dir mod
=644 own
=root
:root
/boot
/grub
303 sudo apt-get
install --reinstall linux-image-
$vm_arch
304 mk_reg mod
=644 own
=root
:root
/etc
/default
/grub
<<-EOF
307 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
308 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
309 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
310 GRUB_DISABLE_RECOVERY="true"
311 #GRUB_PRELOAD_MODULES="lvm"
313 mk_reg mod
=644 own
=root
:root
/boot
/grub
/device.map
<<-EOF
315 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
317 sudo update-grub2
# NOTE: prend en compte /boot/grub/device.map
321 mk_lnk
"$tool"/vm_hosted
/usr
/local
/sbin
/
328 rule__filesystem_init
335 rule_disk_key_change
() {
336 sudo cryptsetup luksChangeKey
/dev
/$vm_lvm_vg/${vm_lvm_lv}_root
340 mk_dir mod
=750 own
="root:adm" /etc
/skel
/etc
341 mk_dir mod
=770 own
="root:adm" /etc
/skel
/etc
/apache2
342 mk_dir mod
=770 own
="root:adm" /etc
/skel
/etc
/ssh
343 mk_dir mod
=700 own
="root:adm" /etc
/skel
/var
344 mk_dir mod
=700 own
="root:adm" /etc
/skel
/var
/log
345 mk_dir mod
=700 own
="root:adm" /etc
/skel
/var
/cache
346 mk_dir mod
=700 own
="root:adm" /etc
/skel
/var
/cache
/ssh
347 mk_dir mod
=700 own
="root:adm" /etc
/skel
/tmp
348 mk_dir mod
=700 own
="root:adm" /etc
/skel
/tmp
349 mk_lnk etc
/ssh /etc
/skel
/.
ssh
350 mk_lnk etc
/gpg
/etc
/skel
/.gnupg
351 ssh-keygen
-F "$vm_fqdn" -f "$tool"/etc
/openssh
/known_hosts |
352 ( while IFS
= read -r line
353 do case $line in (*" RSA") return 0; break;; esac
355 sudo ssh-keygen
-t rsa
-b 4096 -N '' -f /etc
/ssh
/ssh_host_rsa_key
357 /etc
/ssh
/ssh_host_dsa_key \
358 /etc
/ssh
/ssh_host_dsa_key.pub \
359 /etc
/ssh
/ssh_host_ecdsa_key \
360 /etc
/ssh
/ssh_host_ecdsa_key.pub
361 # NOTE: clefs générées par Debian
362 mk_reg mod
=664 own
=root
:root
/etc
/ssh
/sshd_config
<<-EOF
364 ListenAddress $vm_ipv4
368 HostKey /etc/ssh/ssh_host_rsa_key
369 UsePrivilegeSeparation yes
370 KeyRegenerationInterval 3600
377 RSAAuthentication yes
378 PubkeyAuthentication yes
379 AuthorizedKeysFile %h/etc/ssh/authorized_keys
381 RhostsRSAAuthentication no
382 HostbasedAuthentication no
383 IgnoreUserKnownHosts no
384 PermitEmptyPasswords no
385 ChallengeResponseAuthentication no
386 PasswordAuthentication no
387 KerberosAuthentication no
388 GSSAPIAuthentication no
395 ClientAliveInterval 0
397 Subsystem sftp /usr/lib/openssh/sftp-server
400 sudo service
ssh restart
401 mk_reg mod
=440 own
=root
:root
/etc
/sudoers.d
/passwd-init
<<-EOF
402 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
403 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
404 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
406 mk_reg mod
=440 own
=root
:root
/etc
/sudoers.d
/etckeeper-unclean
<<-EOF
407 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
409 mk_reg mod
=440 own
=root
:root
/etc
/sudoers.d
/env_keep
<<-EOF
410 Defaults env_keep = " \\
414 GIT_COMMITTER_NAME \\
415 GIT_COMMITTER_EMAIL \\
418 mk_reg mod
=555 own
=root
:root
/usr
/local
/sbin
/passwd-init
<<-EOF
420 sudo /bin/sh -e -f -u -c \
421 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
424 rule_user_admin_add
() { # SYNTAX: $user
426 id
"$user" >/dev
/null ||
427 sudo adduser
--disabled-password "$user"
428 # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
429 eval local home\
; home
="~$user"
430 sudo adduser
"$user" sudo
431 ssh_key_add user
=$user "$tool"/var
/pub
/ssh
/"$user".key
"$home"/etc
/ssh
/authorized_keys
434 sudo gpg
--import "$tool"/var
/pub
/opengpg
/"$user".key
436 rule_user_mail_format
() {
437 mk_dir mod
=770 own
=root
:adm
/etc
/skel
/etc
/procmail
438 mk_dir mod
=770 own
=root
:adm
/etc
/skel
/var
/mail
439 mk_dir mod
=770 own
=root
:adm
/etc
/skel
/var
/cache
/procmail
440 mk_reg mod
=660 own
=root
:adm
/etc
/skel
/etc
/procmail
/delivery.rc
<<-EOF
443 # NOTE: paramètres passés par postfix
449 ORIGINAL_RECIPIENT=\$6
451 PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
452 MAILDIR="\$HOME/var/mail/"
454 #LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
460 SHELLMETAS=&|<>~;?*%{}
462 # DESCRIPTION: supprime les doublons en fonction du champ Message-Id
463 #:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
464 #| formail -D 8192 "\$HOME/var/cache/procmail/msgid"
466 # DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
467 EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
468 # NOTE: récupère l’adresse courriel dans le champ GECOS
469 FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
470 # NOTE: récupère l’expéditeur inscrit sur l’enveloppe
472 | \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"
476 #| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"
481 # -I "\$HOME/etc/uucp/uucp.cfg" \
483 # --notification=error \
484 # --requestor "\$USER" \
485 # - "\$USER!rmail" "(\$USER)"
487 mk_reg mod
=664 own
=root
:root
/etc
/postfix
/main.cf
<<-EOF
488 # /etc/postfix/main.cf
489 # SEE: http://postfix.traduc.org/index.php/TLS_README.html
491 parent_domain_matches_subdomains =
495 #permit_mx_backup_networks
496 #qmqpd_authorized_clients
498 mydomain = $vm_domainname
499 myorigin = \$mydomain
500 myhostname = $vm_hostname.\$mydomain
501 mail_name = \$myhostname
509 inet_protocols = ipv4
510 # "all" to activate IPv6
511 inet_interfaces = all
512 permit_mx_backup_networks =
516 # NOTE: fichier de hash contenant une table d’alias mail.
517 # Celle-ci est éditable dans /etc/aliases, puis (indispensable)
518 # regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
521 recipient_delimiter = +
522 # NOTE: séparateur entre le nom d’utilisateur
523 # et les extensions d’adresse (par défaut le signe +).
524 #virtual_alias_domains =
526 hash:/etc/postfix/\$mydomain/virtual
527 # NOTE: do not specify virtual alias domain names in the main.cf
528 # mydestination or relay_domains configuration parameters.
530 # With a virtual alias domain, the Postfix SMTP server
531 # accepts mail for known-user@virtual-alias.domain, and
532 # rejects mail for unknown-user@virtual-alias.domain as
536 hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
539 # NOTE: ajouter les domaines pour lesquels on est backup MX ici,
540 # pas dans mydestination ou virtual_alias...
542 maximal_queue_lifetime = 5d
545 regexp:/etc/postfix/\$mydomain/header_checks
547 nested_header_checks =
548 milter_header_checks =
551 #content_filter = amavisfeed:[127.0.0.1]:10024
552 #receive_override_options = no_address_mappings
553 # no_unknown_recipient_checks
554 # Do not try to reject unknown recipients (SMTP server only).
555 # This is typically specified AFTER an external content filter.
556 # no_address_mappings
557 # Disable canonical address mapping, virtual alias map expansion,
558 # address masquerading, and automatic BCC (blind carbon-copy) recipients.
559 # This is typically specified BEFORE an external content filter (eg. amavis).
560 # no_header_body_checks
561 # Disable header/body_checks. This is typically specified AFTER an external content filter.
563 # Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
564 #local_header_rewrite_clients =
566 hash:/etc/postfix/\$mydomain/transport_maps
568 /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
569 mailbox_size_limit = 0
571 # Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
572 append_dot_mydomain = no
573 # appending .domain is the MUA's job.
578 #tls_random_reseed_period = 3600s
579 #tls_random_exchange_name =
580 # \${data_directory}/prng_exch
581 # NOTE: à ne pas mettre dans la cage chroot
582 #tls_random_bytes = 32
583 #tls_random_prng_update_period = 3600s
584 #tls_high_cipherlist = AES256-SHA
585 # NOTE: postconf(5) déconseille de changer ceci
587 #smtp_cname_overrides_servername = no
588 smtp_connect_timeout = 60s
589 #smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
590 #smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
591 #smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
592 #smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
593 #smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
594 # NOTE: déprécié en faveur de smtp_tls_policy_maps
595 smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
596 smtp_tls_fingerprint_digest = sha1
597 smtp_tls_scert_verifydepth = 5
598 #smtp_tls_secure_cert_match = nexthop, dot-nexthop
599 #smtp_tls_verify_cert_match = hostname
600 #smtp_tls_note_starttls_offer = yes
601 smtp_tls_loglevel = 1
602 smtp_tls_protocols = !SSLv2, !SSLv3
604 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
605 #smtp_tls_session_cache_timeout = 3600s
606 smtp_tls_security_level = may
607 smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
609 smtp_mime_header_checks =
610 smtp_nested_header_checks =
612 smtpd_starttls_timeout = 300s
614 \$myhostname ESMTP \$mail_name (Debian/GNU)
617 smtpd_helo_required = yes
618 strict_rfc821_envelopes = yes
619 smtpd_authorized_xclient_hosts = 127.0.0.1
620 # NOTE: utile pour tester les restrictions
622 smtpd_helo_restrictions =
623 reject_invalid_helo_hostname
624 reject_non_fqdn_helo_hostname
625 #reject_unknown_helo_hostname
626 # NOTE: pourrait pourtant être utile pour lutter contre le spam
629 smtpd_sender_restrictions =
631 permit_tls_clientcerts
632 permit_sasl_authenticated
633 check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
634 check_sender_access hash:/etc/postfix/sender_blacklist
635 reject_unauth_pipelining
636 reject_non_fqdn_sender
637 #reject_unknown_sender_domain
641 smtpd_client_new_tls_session_rate_limit = 0
642 smtpd_client_event_limit_exceptions = \$mynetworks
643 smtpd_client_recipient_rate_limit = 0
644 smtpd_client_connection_count_limit = 50
645 smtpd_client_connection_rate_limit = 0
646 smtpd_client_message_rate_limit = 0
647 smtpd_client_port_logging = no
649 smtpd_client_restrictions =
650 check_client_access hash:/etc/postfix/client_blacklist
652 policy_time_limit = 3600
653 default_extra_recipient_limit = 5000
654 duplicate_filter_limit = 5000
655 smtpd_recipient_limit = 5000
656 smtpd_recipient_overshoot_limit = 5000
657 smtpd_recipient_restrictions =
658 reject_non_fqdn_recipient
659 #reject_invalid_hostname
660 # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
661 # dans smtpd_helo_restrictions
662 reject_unknown_recipient_domain
663 #reject_non_fqdn_sender
664 # NOTE: dans smtpd_sender_restrictions
665 reject_unauth_pipelining
666 # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
668 permit_tls_clientcerts
669 permit_sasl_authenticated
670 reject_unauth_destination
671 # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
672 # ou quelqu'un pour lequel on tient lieu de backup_mx
673 check_policy_service inet:127.0.0.1:10023
674 # NOTE: Postgrey (greylisting)
675 check_policy_service unix:private/spfcheck
676 permit_auth_destination
677 # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
678 # (voir permit_auth_destination) ; sans doute redondant
680 #check_relay_domains <- removed from postfix
681 #reject_unknown_sender_domain
682 # aurait probablement été mieux dans smtpd_sender_restrictions
683 #reject_rbl_client bl.spamcop.net
684 #reject_rbl_client list.dsbl.org
685 #reject_rbl_client zen.spamhaus.org
686 #reject_rbl_client dnsbl.sorbs.net
688 smtpd_data_restrictions =
689 reject_unauth_pipelining
690 # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
693 #smtpd_end_of_data_restrictions =
695 #smtpd_restriction_classes =
697 smtpd_error_sleep_time = 5
698 # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.
701 smtpd_sasl_auth_enable = yes
702 smtpd_sasl_type = dovecot
703 smtpd_sasl_path = private/auth
704 smtpd_sasl_security_options = noanonymous
705 smtpd_sasl_domain = \$mydomain
708 smtpd_discard_ehlo_keywords = starttls
709 # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
710 # se mangent une erreur en tentant un starttls
711 smtpd_tls_fingerprint_digest = sha1
713 smtpd_tls_mandatory_protocols = TLSv1
714 smtpd_tls_mandatory_ciphers = high
715 smtpd_tls_ciphers = high
716 # restrictif. s/high/medium/ ?
717 smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
718 smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
719 smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
720 smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
722 #smtpd_tls_received_header = no
723 smtpd_tls_session_cache_database =
724 btree:/var/lib/postfix/smtpd_tls_session_cache
725 #smtpd_tls_session_cache_timeout = 3600s
726 smtpd_tls_security_level = may
727 # Postfix 2.3 and later
729 # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
730 # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
731 # SMTP server. Instead, this option should be used only on dedicated servers.
732 smtpd_tls_loglevel = 1
733 smtpd_tls_ccert_verifydepth = 5
734 smtpd_tls_auth_only = yes
735 # Pas d'AUTH SASL sans TLS
736 smtpd_tls_ask_ccert = no
737 smtpd_tls_req_ccert = no
738 #smtpd_tls_always_issue_session_ids = yes
739 smtpd_peername_lookup = yes
740 # Nécessaire pour postgrey, etc
743 line_length_limit = 2048
745 message_size_limit = 20480000
746 #smtpd_enforce_tls # NOTE: obsolète
747 #smtpd_use_tls # NOTE: obsolète
748 #smtpd_tls_cipherlist # NOTE: obsolète
750 readme_directory = no
751 #delay_warning_time = 4h
752 # NOTE: uncomment the previous line to generate "delayed mail" warnings
753 #debug_peer_level = 4
754 #debug_peer_list = .\$myhostname
756 mk_reg mod
=664 own
=root
:root
/etc
/dovecot
/dovecot.conf
<<-EOF
757 auth_ssl_username_from_cert = yes
759 log_timestamp = "%Y-%m-%d %H:%M:%S "
761 mail_location = maildir:~/var/mail
762 mail_privileged_group = mail
764 args = /home/%u/etc/dovecot/passwd
769 unix_listener /var/spool/postfix/private/auth {
776 ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
777 ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
778 ssl_cipher_list = AES256-SHA
779 ssl_key = </etc/dovecot/imap/tls/key.pem
780 ssl_verify_client_cert = yes
786 auth_socket_path = /var/run/dovecot/auth-master
787 hostname = $vm_domainname
788 info_log_path = /var/log/dovecot/lda/info.log
789 log_path = /var/log/dovecot/lda/error.log
791 postmaster_address = contact+dovecot+lda@$vm_domainname
794 mk_reg mod
=664 own
=root
:root
/etc
/postgrey
/whitelist_recipients.
local <<-EOF
797 rule_mail_install
() {
798 sudo apt-get
install postfix postgrey dovecot