+#!/bin/sh
+set -e -f ${DRY_RUN:+-n} -u
+tool=${0%/*}
+. "$tool"/functions.sh
+. "$tool"/vm.sh
+test "$(hostname --fqdn)" = "$vm_fqdn"
+
+rule_help () {
+ cat >&2 <<-EOF
+ DESCRIPTION: ce script regroupe des fonctions utilitaires
+ pour gérer la VM _depuis_ la VM hébergée ;
+ il sert à la fois d'outil et de documentation.
+ Voir \`$tool/vm_host' pour les utilitaires côté machine hôte.
+ SYNTAX: $0 \$RULE \${RULE}_SYNTAX
+ RULES:
+ $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/vm.sh "$0")
+ ENVIRONMENT:
+ TRACE # affiche les commandes avant leur exécution
+ $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/vm.sh "$0")
+ EOF
+ }
+
+rule_git_reset () {
+ (
+ cd "$tool"
+ git checkout -f -B master origin
+ git clean -f -d -x
+ )
+ }
+
+rule_chrooted () {
+ export LANG=C
+ export LC_CTYPE=C
+ . /etc/profile
+ }
+
+rule__etckeeper_init () {
+ mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF
+ VCS=git
+ GIT_COMMIT_OPTIONS=""
+ AVOID_DAILY_AUTOCOMMITS=1
+ #AVOID_SPECIAL_FILE_WARNING=1
+ #AVOID_COMMIT_BEFORE_INSTALL=1
+ HIGHLEVEL_PACKAGE_MANAGER=apt
+ LOWLEVEL_PACKAGE_MANAGER=dpkg
+ EOF
+ }
+rule__locale_init () {
+ mk_reg mod=644 own=root:root /etc/locale.gen <<-EOF
+ fr_FR.UTF-8 UTF-8
+ EOF
+ sudo update-locale
+ }
+rule__network_init () {
+ mk_reg mod= own= /etc/hostname <<-EOF
+ $vm
+ EOF
+ grep -q " $vm\$" /etc/hosts ||
+ mk_reg mod= own= --append /etc/hosts <<-EOF
+ 127.0.0.1 $vm_fqdn $vm
+ EOF
+ mk_reg mod= own= /etc/network/interfaces <<-EOF
+ auto lo
+ iface lo inet loopback
+
+ auto eth0=grenode
+ iface grenode inet static
+ address $vm_ipv4
+ gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
+ network $vm_ipv4
+ broadcast $vm_ipv4
+ netmask 255.255.255.255
+ mtu 1300 # TODO: voir si c'est nécessaire à Lyon
+ post-up ip address add $vm_ipv4/32 dev \$IFACE
+ pre-down ip address delete $vm_ipv4/32 dev \$IFACE
+ EOF
+ }
+rule__apt_init () {
+ mk_reg mod= own= /etc/apt/sources.list <<-EOF
+ deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
+ EOF
+ mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
+ deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
+ EOF
+ mk_reg mod= own= /etc/apt/preferences <<-EOF
+ Package: *
+ Pin: release a=$vm_lsb_name
+ Pin-Priority: 170
+
+ Package: *
+ Pin: release a=$vm_lsb_name-backports
+ Pin-Priority: 200
+ EOF
+ mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
+ deb http://nightly.openerp.com/trunk/nightly/deb/ ./
+ EOF
+ }
+rule__filesystem_init () {
+ mk_reg mod=644 own=root:root /etc/fstab <<-EOF
+ # <file system> <mount point> <type> <options> <dump> <pass>
+ LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
+ proc /proc proc defaults 0 0
+ sysfs /sys sysfs defaults 0 0
+ tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
+ /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
+ /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
+ /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
+ /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
+ EOF
+ mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
+ # <target name> <source device> <key file> <options>
+ ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
+ ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
+ ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
+ ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
+ EOF
+ mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
+ vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
+ vm.vfs_cache_pressure=50
+ EOF
+ }
+rule__login_init () {
+ grep -q hvc0 /etc/securetty ||
+ mk_reg mod= own= --append /etc/securetty <<-EOF
+ hvc0
+ EOF
+ grep -q xvc0 /etc/securetty ||
+ mk_reg mod= own= --append /etc/securetty <<-EOF
+ xvc0
+ EOF
+ mk_reg mod=644 own=root:root /etc/inittab <<-EOF
+ # /etc/inittab: init(8) configuration.
+
+ # The default runlevel.
+ id:2:initdefault:
+
+ # Boot-time system configuration/initialization script.
+ # This is run first except when booting in emergency (-b) mode.
+ si::sysinit:/etc/init.d/rcS
+
+ # What to do in single-user mode.
+ ~~:S:wait:/sbin/sulogin
+
+ # /etc/init.d executes the S and K scripts upon change
+ # of runlevel.
+ #
+ # Runlevel 0 is halt.
+ # Runlevel 1 is single-user.
+ # Runlevels 2-5 are multi-user.
+ # Runlevel 6 is reboot.
+
+ l0:0:wait:/etc/init.d/rc 0
+ l1:1:wait:/etc/init.d/rc 1
+ l2:2:wait:/etc/init.d/rc 2
+ l3:3:wait:/etc/init.d/rc 3
+ l4:4:wait:/etc/init.d/rc 4
+ l5:5:wait:/etc/init.d/rc 5
+ l6:6:wait:/etc/init.d/rc 6
+ # Normally not reached, but fallthrough in case of emergency.
+ z6:6:respawn:/sbin/sulogin
+
+ # What to do when CTRL-ALT-DEL is pressed.
+ ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
+
+ # What to do when the power fails/returns.
+ pf::powerwait:/etc/init.d/powerfail start
+ pn::powerfailnow:/etc/init.d/powerfail now
+ po::powerokwait:/etc/init.d/powerfail stop
+
+ # Xen hypervisor console
+ hvc:2345:respawn:/sbin/getty 38400 hvc0
+ #xvc:2345:respawn:/sbin/getty 38400 xvc0
+ EOF
+ mk_reg mod=644 own=root:root /etc/login.defs <<-EOF
+ MAIL_DIR /var/mail
+ FAILLOG_ENAB yes
+ LOG_UNKFAIL_ENAB no
+ LOG_OK_LOGINS no
+ SYSLOG_SU_ENAB yes
+ SYSLOG_SG_ENAB yes
+ FTMP_FILE /var/log/btmp
+ SU_NAME su
+ HUSHLOGIN_FILE .hushlogin
+ ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ # NOTE: met les sbin/ dans ENV_PATH ;
+ # - ça n'apporte aucune protection de ne pas les mettre ;
+ # - ça frustre de ne pas les trouver.
+ TTYGROUP tty
+ TTYPERM 0600
+ ERASECHAR 0177
+ KILLCHAR 025
+ # NOTE: rwxrwx--- ;
+ # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
+ # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
+ UMASK 007
+ PASS_MAX_DAYS 99999
+ PASS_MIN_DAYS 0
+ PASS_WARN_AGE 7
+ UID_MIN 1000
+ UID_MAX 60000
+ GID_MIN 1000
+ GID_MAX 60000
+ LOGIN_RETRIES 3
+ LOGIN_TIMEOUT 60
+ CHFN_RESTRICT rwh
+ DEFAULT_HOME yes
+ USERGROUPS_ENAB yes
+ ENCRYPT_METHOD SHA512
+ EOF
+ grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
+ mk_reg mod= own= --append /etc/pam.d/common-session <<-EOF
+ session optional pam_umask.so
+ EOF
+ }
+rule__user_root_init () {
+ mk_dir mod=750 own=root:root /root/etc
+ mk_dir mod=750 own=root:root /root/etc/ssh
+ mk_dir mod=750 own=root:root /root/etc/gpg
+ mk_lnk etc/gpg /root/.gnupg
+ mk_lnk etc/ssh /root/.ssh
+ getent group sudo |
+ while IFS=: read -r group x x users
+ do while IFS=, read -r user
+ do eval local home\; home="~$user"
+ cat "$home"/etc/ssh/authorized_keys
+ done <<-EOF
+ $users
+ EOF
+ done |
+ mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
+ sudo find "$tool"/key -type f -name '*.gpg.pub' -exec gpg --import {} \;
+ }
+rule__initramfs_init () {
+ mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
+ MODULES=most
+ BUSYBOX=y
+ KEYMAP=y
+ COMPRESS=gzip
+ DEVICE=eth0
+ EOF
+ mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF
+ alias eth0 xennet
+ alias scsi_hostadapter xenblk
+ EOF
+ mk_reg mod=644 own=root:root /etc/modules <<-EOF
+ sha1_generic
+ sha256_generic
+ sha512_generic
+ aes-x86_64
+ xts
+ # NOTE: pour Xen en mode HVM :
+ #modprobe xen-platform-pci
+ EOF
+ mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF
+ EOF
+ sudo sed -e '/^configure_networking /s/ &$//' \
+ -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
+ # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
+ sudo rm -f \
+ /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
+ /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub \
+ /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
+ /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
+ #mk_reg mod=640 own=root:root </dev/null \
+ # /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
+ # /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub
+ ssh-keygen -F "init.$vm_fqdn" -f "$tool"/key/ssh.known_hosts |
+ ( while IFS= read -r line
+ do case $line in (*" RSA") return 0; break;; esac
+ done; return 1 ) ||
+ sudo dropbearkey -t rsa -s 4096 -f \
+ /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
+ ssh-keygen -F "init.$vm_fqdn" -f "$tool"/key/ssh.known_hosts |
+ ( while IFS= read -r line
+ do case $line in (*" DSA") return 0; break;; esac
+ done; return 1 ) ||
+ sudo dropbearkey -t dss -s 1024 -f \
+ /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
+ mk_dir mod=640 own=root:root \
+ /etc/initramfs-tools/root \
+ /etc/initramfs-tools/root/.ssh
+ getent group sudo |
+ while IFS=: read -r group x x users
+ do while IFS=, read -r user
+ do eval local home\; home="~$user"
+ cat "$home"/etc/ssh/authorized_keys
+ done <<-EOF
+ $users
+ EOF
+ done |
+ mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
+ sudo rm -f \
+ /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
+ /etc/initramfs-tools/root/.ssh/id_rsa.pub \
+ /etc/initramfs-tools/root/.ssh/id_rsa
+ # NOTE: clefs générées par Debian
+ sudo update-initramfs -u
+ }
+rule__boot_init () {
+ sudo apt-get install --reinstall grub-pc # XXX: attention à n'installer GRUB sur AUCUN disque proposé !
+ mk_dir mod=644 own=root:root /boot/grub
+ sudo apt-get install --reinstall linux-image-$vm_arch
+ mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
+ GRUB_DEFAULT=0
+ GRUB_TIMEOUT=5
+ GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
+ GRUB_CMDLINE_LINUX_DEFAULT="quiet"
+ GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
+ GRUB_DISABLE_RECOVERY="true"
+ #GRUB_PRELOAD_MODULES="lvm"
+ EOF
+ mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF
+ (hd0) /dev/xvda
+ (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
+ EOF
+ sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
+ rule__initramfs_init
+ }
+rule__bin_init () {
+ mk_lnk "$tool"/vm_hosted /usr/local/sbin/
+ }
+rule_init () {
+ rule__etckeeper_init
+ rule__locale_init
+ rule__network_init
+ rule__apt_init
+ rule__filesystem_init
+ rule__login_init
+ rule__user_root_init
+ rule__boot_init
+ rule__bin_init
+ }
+
+rule_disk_key_change () {
+ sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
+ }
+
+rule_user_init () {
+ mk_dir mod=750 own="root:adm" /etc/skel/etc
+ mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
+ mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
+ mk_dir mod=700 own="root:adm" /etc/skel/var
+ mk_dir mod=700 own="root:adm" /etc/skel/var/log
+ mk_dir mod=700 own="root:adm" /etc/skel/var/cache
+ mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
+ mk_dir mod=700 own="root:adm" /etc/skel/tmp
+ mk_dir mod=700 own="root:adm" /etc/skel/tmp
+ mk_lnk etc/ssh /etc/skel/.ssh
+ mk_lnk etc/gpg /etc/skel/.gnupg
+ ssh-keygen -F "$vm_fqdn" -f "$tool"/key/ssh.known_hosts |
+ ( while IFS= read -r line
+ do case $line in (*" RSA") return 0; break;; esac
+ done; return 1 ) ||
+ sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
+ sudo rm -f \
+ /etc/ssh/ssh_host_dsa_key \
+ /etc/ssh/ssh_host_dsa_key.pub \
+ /etc/ssh/ssh_host_ecdsa_key \
+ /etc/ssh/ssh_host_ecdsa_key.pub
+ # NOTE: clefs générées par Debian
+ mk_reg mod=664 own=root:root /etc/ssh/sshd_config <<-EOF
+ Port 22
+ ListenAddress $vm_ipv4
+ #ListenAddress ::
+ Protocol 2
+ Compression yes
+ HostKey /etc/ssh/ssh_host_rsa_key
+ UsePrivilegeSeparation yes
+ KeyRegenerationInterval 3600
+ ServerKeyBits 768
+ SyslogFacility AUTH
+ LogLevel INFO
+ LoginGraceTime 120
+ PermitRootLogin yes
+ StrictModes yes
+ RSAAuthentication yes
+ PubkeyAuthentication yes
+ AuthorizedKeysFile %h/etc/ssh/authorized_keys
+ IgnoreRhosts yes
+ RhostsRSAAuthentication no
+ HostbasedAuthentication no
+ IgnoreUserKnownHosts no
+ PermitEmptyPasswords no
+ ChallengeResponseAuthentication no
+ PasswordAuthentication no
+ KerberosAuthentication no
+ GSSAPIAuthentication no
+ X11Forwarding no
+ X11DisplayOffset 10
+ PrintMotd no
+ DebianBanner no
+ PrintLastLog yes
+ TCPKeepAlive yes
+ ClientAliveInterval 0
+ AcceptEnv LANG LC_*
+ Subsystem sftp /usr/lib/openssh/sftp-server
+ UsePAM yes
+ EOF
+ sudo service ssh restart
+ mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
+ %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
+ case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
+ ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
+ EOF
+ mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
+ %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
+ EOF
+ mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-EOF
+ Defaults env_keep = " \\
+ EDITOR \\
+ GIT_AUTHOR_NAME \\
+ GIT_AUTHOR_EMAIL \\
+ GIT_COMMITTER_NAME \\
+ GIT_COMMITTER_EMAIL \\
+ "
+ EOF
+ mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-EOF
+ #!/bin/sh
+ sudo /bin/sh -e -f -u -c \
+ 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
+ EOF
+ }
+rule_user_admin_add () { # SYNTAX: $user
+ local user=$1
+ id "$user" >/dev/null ||
+ sudo adduser --disabled-password "$user"
+ # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
+ eval local home\; home="~$user"
+ sudo adduser "$user" sudo
+ ssh_key_add user=$user "$tool"/key/"$user".ssh.pub "$home"/etc/ssh/authorized_keys
+ rule__initramfs_init
+ rule__user_root_init
+ sudo gpg --import "$tool"/key/"$user".gpg.pub
+ }
+rule_user_mail_format () {
+ mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
+ mk_dir mod=770 own=root:adm /etc/skel/var/mail
+ mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
+ mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
+ # vim: ft=procmail
+
+ # NOTE: paramètres passés par postfix
+ SENDER=\$1
+ RECIPIENT=\$2
+ USER=\$3
+ EXTENSION=\$4
+ DOMAIN=\$5
+ ORIGINAL_RECIPIENT=\$6
+
+ PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
+ MAILDIR="\$HOME/var/mail/"
+ DEFAULT="\$MAILDIR"
+ #LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
+ LOGFILE="/dev/null"
+ LOGABSTRACT=all
+ LOGABSTRACT
+ VERBOSE
+ SHELL=/bin/sh
+ SHELLMETAS=&|<>~;?*%{}
+
+ # DESCRIPTION: supprime les doublons en fonction du champ Message-Id
+ #:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
+ #| formail -D 8192 "\$HOME/var/cache/procmail/msgid"
+
+ # DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
+ EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
+ # NOTE: récupère l’adresse courriel dans le champ GECOS
+ FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
+ # NOTE: récupère l’expéditeur inscrit sur l’enveloppe
+ :0
+ | \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"
+
+ # DESCRIPTION: IMAP
+ #:0
+ #| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"
+
+ # DESCRIPTION: UUCP
+ #:0
+ #| /usr/bin/uux \
+ # -I "\$HOME/etc/uucp/uucp.cfg" \
+ # --nouucico \
+ # --notification=error \
+ # --requestor "\$USER" \
+ # - "\$USER!rmail" "(\$USER)"
+ EOF
+ mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
+ # /etc/postfix/main.cf
+ # SEE: http://postfix.traduc.org/index.php/TLS_README.html
+
+ parent_domain_matches_subdomains =
+ #debug_peer_list
+ #fast_flush_domains
+ #mynetworks
+ #permit_mx_backup_networks
+ #qmqpd_authorized_clients
+ #smtpd_access_maps
+ mydomain = $vm_domainname
+ myorigin = \$mydomain
+ myhostname = $vm_hostname.\$mydomain
+ mail_name = \$myhostname
+ mydestination =
+ $vm_hostname
+ \$myhostname
+ \$myorigin
+ mynetworks =
+ 127.0.0.0/8
+ #[::1]/128
+ inet_protocols = ipv4
+ # "all" to activate IPv6
+ inet_interfaces = all
+ permit_mx_backup_networks =
+
+ alias_database =
+ hash:/etc/aliases
+ # NOTE: fichier de hash contenant une table d’alias mail.
+ # Celle-ci est éditable dans /etc/aliases, puis (indispensable)
+ # regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
+ alias_maps =
+ hash:/etc/aliases
+ recipient_delimiter = +
+ # NOTE: séparateur entre le nom d’utilisateur
+ # et les extensions d’adresse (par défaut le signe +).
+ #virtual_alias_domains =
+ virtual_alias_maps =
+ hash:/etc/postfix/\$mydomain/virtual
+ # NOTE: do not specify virtual alias domain names in the main.cf
+ # mydestination or relay_domains configuration parameters.
+ #
+ # With a virtual alias domain, the Postfix SMTP server
+ # accepts mail for known-user@virtual-alias.domain, and
+ # rejects mail for unknown-user@virtual-alias.domain as
+ # undeliverable.
+ #relayhost =
+ relay_clientcerts =
+ hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
+ relay_domains =
+ \$mydestination
+ # NOTE: ajouter les domaines pour lesquels on est backup MX ici,
+ # pas dans mydestination ou virtual_alias...
+
+ maximal_queue_lifetime = 5d
+
+ header_checks =
+ regexp:/etc/postfix/\$mydomain/header_checks
+ mime_header_checks =
+ nested_header_checks =
+ milter_header_checks =
+ body_checks =
+
+ #content_filter = amavisfeed:[127.0.0.1]:10024
+ #receive_override_options = no_address_mappings
+ # no_unknown_recipient_checks
+ # Do not try to reject unknown recipients (SMTP server only).
+ # This is typically specified AFTER an external content filter.
+ # no_address_mappings
+ # Disable canonical address mapping, virtual alias map expansion,
+ # address masquerading, and automatic BCC (blind carbon-copy) recipients.
+ # This is typically specified BEFORE an external content filter (eg. amavis).
+ # no_header_body_checks
+ # Disable header/body_checks. This is typically specified AFTER an external content filter.
+ # no_milters
+ # Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
+ #local_header_rewrite_clients =
+ transport_maps =
+ hash:/etc/postfix/\$mydomain/transport_maps
+ mailbox_command =
+ /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
+ mailbox_size_limit = 0
+ biff = no
+ # Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
+ append_dot_mydomain = no
+ # appending .domain is the MUA's job.
+
+ #tls_random_source =
+ # dev:/dev/urandom
+ # Non-blocking
+ #tls_random_reseed_period = 3600s
+ #tls_random_exchange_name =
+ # \${data_directory}/prng_exch
+ # NOTE: à ne pas mettre dans la cage chroot
+ #tls_random_bytes = 32
+ #tls_random_prng_update_period = 3600s
+ #tls_high_cipherlist = AES256-SHA
+ # NOTE: postconf(5) déconseille de changer ceci
+
+ #smtp_cname_overrides_servername = no
+ smtp_connect_timeout = 60s
+ #smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
+ #smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
+ #smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
+ #smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
+ #smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
+ # NOTE: déprécié en faveur de smtp_tls_policy_maps
+ smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
+ smtp_tls_fingerprint_digest = sha1
+ smtp_tls_scert_verifydepth = 5
+ #smtp_tls_secure_cert_match = nexthop, dot-nexthop
+ #smtp_tls_verify_cert_match = hostname
+ #smtp_tls_note_starttls_offer = yes
+ smtp_tls_loglevel = 1
+ smtp_tls_protocols = !SSLv2, !SSLv3
+ # Only allow TLSv*
+ smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
+ #smtp_tls_session_cache_timeout = 3600s
+ smtp_tls_security_level = may
+ smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
+ smtp_body_checks =
+ smtp_mime_header_checks =
+ smtp_nested_header_checks =
+
+ smtpd_starttls_timeout = 300s
+ smtpd_banner =
+ \$myhostname ESMTP \$mail_name (Debian/GNU)
+
+ # Restrictions
+ smtpd_helo_required = yes
+ strict_rfc821_envelopes = yes
+ smtpd_authorized_xclient_hosts = 127.0.0.1
+ # NOTE: utile pour tester les restrictions
+
+ smtpd_helo_restrictions =
+ reject_invalid_helo_hostname
+ reject_non_fqdn_helo_hostname
+ #reject_unknown_helo_hostname
+ # NOTE: pourrait pourtant être utile pour lutter contre le spam
+ permit
+
+ smtpd_sender_restrictions =
+ permit_mynetworks
+ permit_tls_clientcerts
+ permit_sasl_authenticated
+ check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
+ check_sender_access hash:/etc/postfix/sender_blacklist
+ reject_unauth_pipelining
+ reject_non_fqdn_sender
+ #reject_unknown_sender_domain
+ # NOTE: temporaire
+ permit
+
+ smtpd_client_new_tls_session_rate_limit = 0
+ smtpd_client_event_limit_exceptions = \$mynetworks
+ smtpd_client_recipient_rate_limit = 0
+ smtpd_client_connection_count_limit = 50
+ smtpd_client_connection_rate_limit = 0
+ smtpd_client_message_rate_limit = 0
+ smtpd_client_port_logging = no
+
+ smtpd_client_restrictions =
+ check_client_access hash:/etc/postfix/client_blacklist
+
+ policy_time_limit = 3600
+ default_extra_recipient_limit = 5000
+ duplicate_filter_limit = 5000
+ smtpd_recipient_limit = 5000
+ smtpd_recipient_overshoot_limit = 5000
+ smtpd_recipient_restrictions =
+ reject_non_fqdn_recipient
+ #reject_invalid_hostname
+ # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
+ # dans smtpd_helo_restrictions
+ reject_unknown_recipient_domain
+ #reject_non_fqdn_sender
+ # NOTE: dans smtpd_sender_restrictions
+ reject_unauth_pipelining
+ # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
+ permit_mynetworks
+ permit_tls_clientcerts
+ permit_sasl_authenticated
+ reject_unauth_destination
+ # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
+ # ou quelqu'un pour lequel on tient lieu de backup_mx
+ check_policy_service inet:127.0.0.1:10023
+ # NOTE: Postgrey (greylisting)
+ check_policy_service unix:private/spfcheck
+ permit_auth_destination
+ # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
+ # (voir permit_auth_destination) ; sans doute redondant
+ reject
+ #check_relay_domains <- removed from postfix
+ #reject_unknown_sender_domain
+ # aurait probablement été mieux dans smtpd_sender_restrictions
+ #reject_rbl_client bl.spamcop.net
+ #reject_rbl_client list.dsbl.org
+ #reject_rbl_client zen.spamhaus.org
+ #reject_rbl_client dnsbl.sorbs.net
+
+ smtpd_data_restrictions =
+ reject_unauth_pipelining
+ # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
+ permit
+
+ #smtpd_end_of_data_restrictions =
+
+ #smtpd_restriction_classes =
+
+ smtpd_error_sleep_time = 5
+ # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.
+
+ # SASL
+ smtpd_sasl_auth_enable = yes
+ smtpd_sasl_type = dovecot
+ smtpd_sasl_path = private/auth
+ smtpd_sasl_security_options = noanonymous
+ smtpd_sasl_domain = \$mydomain
+
+ # SMTPD TLS
+ smtpd_discard_ehlo_keywords = starttls
+ # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
+ # se mangent une erreur en tentant un starttls
+ smtpd_tls_fingerprint_digest = sha1
+ # sha512 ?
+ smtpd_tls_mandatory_protocols = TLSv1
+ smtpd_tls_mandatory_ciphers = high
+ smtpd_tls_ciphers = high
+ # restrictif. s/high/medium/ ?
+ smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
+ smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
+ smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
+ smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
+ ##
+ #smtpd_tls_received_header = no
+ smtpd_tls_session_cache_database =
+ btree:/var/lib/postfix/smtpd_tls_session_cache
+ #smtpd_tls_session_cache_timeout = 3600s
+ smtpd_tls_security_level = may
+ # Postfix 2.3 and later
+ # encrypt
+ # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
+ # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
+ # SMTP server. Instead, this option should be used only on dedicated servers.
+ smtpd_tls_loglevel = 1
+ smtpd_tls_ccert_verifydepth = 5
+ smtpd_tls_auth_only = yes
+ # Pas d'AUTH SASL sans TLS
+ smtpd_tls_ask_ccert = no
+ smtpd_tls_req_ccert = no
+ #smtpd_tls_always_issue_session_ids = yes
+ smtpd_peername_lookup = yes
+ # Nécessaire pour postgrey, etc
+ smtpd_milters =
+ non_smtpd_milters =
+ line_length_limit = 2048
+ queue_minfree = 0
+ message_size_limit = 20480000
+ #smtpd_enforce_tls # NOTE: obsolète
+ #smtpd_use_tls # NOTE: obsolète
+ #smtpd_tls_cipherlist # NOTE: obsolète
+
+ readme_directory = no
+ #delay_warning_time = 4h
+ # NOTE: uncomment the previous line to generate "delayed mail" warnings
+ #debug_peer_level = 4
+ #debug_peer_list = .\$myhostname
+ EOF
+ mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
+ auth_ssl_username_from_cert = yes
+ listen = *
+ log_timestamp = "%Y-%m-%d %H:%M:%S "
+ mail_debug = yes
+ mail_location = maildir:~/var/mail
+ mail_privileged_group = mail
+ passdb {
+ args = /home/%u/etc/dovecot/passwd
+ driver = passwd-file
+ }
+ protocols = imap
+ service auth {
+ unix_listener /var/spool/postfix/private/auth {
+ group = postfix
+ mode = 0660
+ user = postfix
+ }
+ user = root
+ }
+ ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
+ ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
+ ssl_cipher_list = AES256-SHA
+ ssl_key = </etc/dovecot/imap/tls/key.pem
+ ssl_verify_client_cert = yes
+ userdb {
+ driver = passwd
+ }
+ verbose_ssl = yes
+ protocol lda {
+ auth_socket_path = /var/run/dovecot/auth-master
+ hostname = $vm_domainname
+ info_log_path = /var/log/dovecot/lda/info.log
+ log_path = /var/log/dovecot/lda/error.log
+ mail_plugins = sieve
+ postmaster_address = contact+dovecot+lda@$vm_domainname
+ }
+ EOF
+ mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
+ EOF
+ }
+rule_mail_install () {
+ sudo apt-get install postfix postgrey dovecot
+ }
+
+rule=${1:-help}
+${1+shift}
+set "${TRACE:+-x}"
+rule_$rule "$@"
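Review bot: In rule__apt_init the /etc/apt/preferences heredoc pins the Debian suite at 170 and backports at 200 but says nothing about the nightly.openerp.com repository added in the next heredoc, so that repo keeps apt's default priority 500 and outranks Debian for every package name it happens to carry; it is also fetched over plain HTTP and this script imports no signing key for it, so an unpinned nightly third-party archive ends up as the preferred source for whatever it overlaps with. I would add a stanza to the same preferences file, `Package: *`, `Pin: origin nightly.openerp.com`, `Pin-Priority: 150`, so Debian's own packages always win while openerp-only packages remain installable, with a one-line comment stating that intent. In rule_user_mail_format, `smtp_tls_fingerprint_digest = sha1` and `smtpd_tls_fingerprint_digest = sha1` should become `sha256` (the inline "sha512 ?" comment already doubts sha1), and `smtpd_tls_mandatory_protocols = TLSv1` is the inclusion form that restricts mandatory TLS to TLSv1.0 alone, whereas the exclusion form `!SSLv2, !SSLv3` already used for the smtp client side is the one Postfix documents as forward-compatible. Also, rule__initramfs_init deletes Debian's DSS host key only to regenerate a 1024-bit one with dropbearkey; since the 4096-bit RSA key is generated right above it, the DSS key could be dropped rather than recreated at that size.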