# Shell options for the whole script: abort on any failing command (-e),
# disable pathname globbing (-f) and reject unset variables (-u).
# Setting DRY_RUN in the environment adds -n, so the script is only parsed
# and nothing is executed.
2 set -e -f ${DRY_RUN:+-n} -u
#######################################
# rule_help: prints this tool's usage text.
# Arguments: $1 - optional "--hidden"; when NO argument is given, hidden is set
#            and the rule listing excludes names starting with "_" (rule__*),
#            because ${hidden:+[^_]} then forces a non-underscore first char.
# Outputs:   usage text on stdout. The heredoc that carries it opens on a line
#            not shown on this page; inside it, sed extracts "rule_*" function
#            names (and their trailing "# SYNTAX" comment) from "$tool"/etc/vm.sh
#            and from this script ($0), and likewise the "readonly" settings.
#######################################
7 rule_help
() { # SYNTAX: [--hidden]
8 local hidden
; [ ${1:+set} ] || hidden
=set
11 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
12 _depuis_ la VM hébergée ($vm_fqdn) ;
13 il sert à la fois d'outil (aisément bidouillable)
14 et de documentation (préçise).
15 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
16 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
18 $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
20 TRACE # affiche les commandes avant leur exécution
21 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
# Fragment of a rule whose header is not on this page: configures branch
# "master" to track the local repository itself (remote ".") with upstream
# refs/remotes/master, then force-resets the working tree onto that ref
# (-f discards local modifications, -B re-creates the branch).
28 git config
--replace branch.master.remote .
29 git config
--replace branch.master.merge refs
/remotes
/master
35 git checkout
-f -B master remotes
/master
#######################################
# rule_apt_get_install: installs a Debian package unless dpkg already reports
# it as "Status: install ok installed" (that arm is a no-op).
# Arguments: $1 - package name
# NOTE(review): the case arm that actually performs the installation, and the
# closing esac/brace, are on lines not shown on this page.
#######################################
40 rule_apt_get_install
() { # SYNTAX: $package
41 case $
(dpkg
-s "$1" |
grep '^Status: ') in
42 ("Status: install ok installed");;
# When etckeeper is present, hand "sudo etckeeper unclean" to assert (helper not
# on this page) so that the state of /etc is checked around package changes.
44 test ! -x /usr
/bin
/etckeeper ||
45 assert
'sudo etckeeper unclean'
# rule__chrooted_configure: body not shown on this page. The leading underscore
# in the name keeps it out of rule_help's default listing.
50 rule__chrooted_configure
() { # NOTE: is this really useful at some point?
#######################################
# rule_apt_configure: writes the APT configuration of the VM from heredocs
# (each "sudo install ... /dev/stdin TARGET <<-EOF" replaces TARGET with the
# heredoc, mode 660, owner root, group root; heredoc terminators and some
# content lines are not shown on this page).
# Globals: vm_lsb_name (release codename used in the sources and pins)
# NOTE(review): GNU install(1) spells the owner option "-o"; "-u root" is used
# consistently in this script, presumably through a wrapper — confirm.
#######################################
56 rule_apt_configure
() {
# Main Debian mirror. The URL is plain http, so APT's signature verification
# is the only integrity control on what gets installed.
57 sudo
install -m 660 -u root
-g root
/dev
/stdin
/etc
/apt
/sources.list
<<-EOF
58 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
# Backports list, shipped commented out (disabled).
60 sudo
install -m 660 -u root
-g root
/dev
/stdin
/etc
/apt
/$vm_lsb_name-backports.list
<<-EOF
61 #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
# /etc/apt/preferences: pin stanzas for the release and its backports; the
# "Package:" and "Pin-Priority:" lines of each stanza are not shown here.
63 sudo
install -m 660 -u root
-g root
/dev
/stdin
/etc
/apt
/preferences
<<-EOF
65 Pin: release a=$vm_lsb_name
69 Pin: release a=$vm_lsb_name-backports
# Third-party nightly repository (flat "./" layout) over plain http.
# NOTE(review): neither its signing key nor a pin constraining it is visible on
# this page; both should be checked before this source is enabled.
72 sudo
install -m 660 -u root
-g root
/dev
/stdin
/etc
/apt
/sources.list.d
/openerp.list
<<-EOF
73 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
#######################################
# rule_apticron_configure: installs apticron (pending-update mail notifier)
# through rule apt_get_install, then writes /etc/apticron/apticron.conf
# (mode 644 root:root). Only EMAIL is set; the other visible lines are the
# package defaults left commented out.
# Globals: vm_domainname (recipient domain of the notifications)
#######################################
76 rule_apticron_configure
() {
77 rule apt_get_install apticron
78 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/apticron
/apticron.conf
<<-EOF
79 EMAIL="admin@$vm_domainname"
81 # LISTCHANGES_PROFILE="apticron"
83 # SYSTEM="foobar.example.com"
85 # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
88 # NOTIFY_NO_UPDATES="0"
90 # CUSTOM_NO_UPDATES_SUBJECT=""
91 # CUSTOM_FROM="root@$vm_fqdn"
#######################################
# rule_boot_configure: installs GRUB and the kernel for a Xen domU and writes
# /etc/default/grub and /boot/grub/device.map, then runs update-grub2 and the
# initramfs rule.
# Globals: vm_arch, vm_ipv4, vm, vm_fqdn (read)
#######################################
94 rule_boot_configure
() {
# warn() is not on this page; the message asks the operator not to install
# GRUB on any disk offered by the grub-pc package prompt.
95 warn
"attention à n'installer GRUB sur AUCUN disque proposé !"
96 rule apt_get_install grub-pc
# NOTE(review): mode 644 on a directory leaves no search (x) bit — confirm
# this is intended for /boot/grub.
97 sudo
install -d -m 644 -u root
-g root
/boot
/grub
98 rule apt_get_install linux-image-
$vm_arch
# Kernel command line: serial console on hvc0, static IPv4 with a /31-style
# netmask, resume from the deciphered swap mapping.
# NOTE(review): resume= names ${vm}_swap_deciphered while the fstab/crypttab
# rule names the mapping ${vm_lvm_lv}_swap_deciphered — confirm the two
# variables coincide, otherwise resume points at a non-existent device.
99 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/default
/grub
<<-EOF
102 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
103 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
104 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
105 GRUB_DISABLE_RECOVERY="true"
106 #GRUB_PRELOAD_MODULES="lvm"
# device.map: hd0 is the host-side LVM mapping of this VM's disk; the sed
# doubles the dashes as device-mapper does in /dev/mapper names.
108 sudo
install -m 644 -u root
-g root
/dev
/stdin
/boot
/grub
/device.map
<<-EOF
110 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
112 sudo update-grub2
# NOTE: takes /boot/grub/device.map into account
113 rule initramfs_configure
#######################################
# rule_etckeeper_configure: writes /etc/etckeeper/etckeeper.conf (mode 644
# root:root) BEFORE installing the package, so the first run already uses
# these settings: no daily autocommit, no commit before apt runs, apt/dpkg as
# package managers. The VCS= line is not shown on this page.
#######################################
115 rule_etckeeper_configure
() {
116 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/etckeeper
/etckeeper.conf
<<-EOF
118 GIT_COMMIT_OPTIONS=""
119 AVOID_DAILY_AUTOCOMMITS=1
120 #AVOID_SPECIAL_FILE_WARNING=1
121 AVOID_COMMIT_BEFORE_INSTALL=1
122 HIGHLEVEL_PACKAGE_MANAGER=apt
123 LOWLEVEL_PACKAGE_MANAGER=dpkg
125 rule apt_get_install etckeeper
#######################################
# rule_filesystem_configure: writes /etc/fstab, /etc/crypttab and a sysctl
# snippet for a layout where root, var, home and swap are LUKS-encrypted LVM
# volumes (mode 644 root:root each).
# Globals: vm_lvm_vg, vm_lvm_lv (read)
#######################################
127 rule_filesystem_configure
() {
# fstab: /tmp is a size-capped tmpfs with nosuid,nodev; ext4 volumes use
# errors=remount-ro and write barriers; /home carries user and group quotas.
128 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/fstab
<<-EOF
129 # <file system> <mount point> <type> <options> <dump> <pass>
130 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
131 proc /proc proc defaults 0 0
132 sysfs /sys sysfs defaults 0 0
133 tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
134 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
135 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,barrier=1,noatime 0 1
136 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,barrier=1,noatime,usrquota,grpquota 0 0
137 # NOTE: barrier=1 réduit drastiquement les performances d'écriture, mais garantit la cohérence du système de fichiers.
138 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
# crypttab: only the root volume is unlocked with an interactively supplied
# key ("none"); var, home and swap are unlocked from the already-open root
# mapping via the decrypt_derived keyscript, so one passphrase opens all four.
140 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/crypttab
<<-EOF
141 # <target name> <source device> <key file> <options>
142 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
143 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
144 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
145 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
# Swap tuning: low swappiness, moderate VFS cache pressure.
147 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/sysctl.d
/local-swap.conf
<<-EOF
148 vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
149 vm.vfs_cache_pressure=50
#######################################
# rule_initramfs_configure: prepares the initramfs of a Xen PV guest whose
# root is LUKS-encrypted: kernel module lists, a dropbear SSH server in the
# initramfs (used to enter the passphrase remotely), its host key and the
# authorized_keys allowed to reach it; finally rebuilds the initramfs.
# Globals: vm_fqdn, tool (read)
# Several heredoc bodies/terminators and a few command lines fall in gaps of
# this page; comments below say where.
#######################################
152 rule_initramfs_configure
() {
# /etc/initramfs-tools/initramfs.conf — its content is not shown here.
153 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/initramfs-tools
/initramfs.conf
<<-EOF
# Xen PV block driver alias.
160 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/modprobe.d
/xen-pv.conf
<<-EOF
162 alias scsi_hostadapter xenblk
# /etc/modules — only the commented HVM hint is visible on this page.
164 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/modules
<<-EOF
170 # NOTE: pour Xen en mode HVM :
171 #modprobe xen-platform-pci
# /etc/initramfs-tools/modules — content not shown here.
173 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/initramfs-tools
/modules
<<-EOF
# Strips the trailing " &" from the configure_networking line of dropbear's
# init-premount script so networking is set up synchronously before dropbear
# starts. NOTE(review): this edits a file under /usr/share, presumably owned
# by the dropbear package, so the patch is lost on a package upgrade.
175 sudo
sed -e '/^configure_networking /s/ &$//' \
176 -i /usr
/share
/initramfs-tools
/scripts
/init-premount
/dropbear
177 # NOTE: fixes a nuisance: dropbear has to wait until the network is configured..
# Keep the existing initramfs host key if "$tool"/etc/openssh/known_hosts
# already has an RSA entry for init.$vm_fqdn (the subshell returns 0 on the
# first matching line; the "break" after "return 0" is never reached).
# Otherwise — on lines not shown here — the old key files listed below are
# removed and a fresh 4096-bit RSA dropbear host key is generated.
178 ssh-keygen
-F "init.$vm_fqdn" -f "$tool"/etc
/openssh
/known_hosts |
179 ( while IFS
= read -r line
180 do case $line in (*" RSA") return 0; break;; esac
184 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key \
185 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key.pub
186 sudo dropbearkey
-t rsa
-s 4096 -f \
187 /etc
/initramfs-tools
/etc
/dropbear
/dropbear_rsa_host_key
189 # NOTE: does not bother with dropbear_dss_host_key ; Debian generates and uses it nonetheless.
# Root's home inside the initramfs (mode 640 on directories: no search bit,
# confirm intended).
190 sudo
install -d -m 640 -u root
-g root \
191 /etc
/initramfs-tools
/root \
192 /etc
/initramfs-tools
/root
/.
ssh
# Builds the initramfs root authorized_keys: for each group record read
# (name:x:gid:users), peel the comma-separated user names one by one —
# presumably the inner heredoc feeds $users back in — and concatenate
# ~user/etc/ssh/authorized_keys. The eval is what makes the tilde expand
# for a user name held in a variable. The group source and the pipe into
# the install below are on lines not shown. Anyone listed here can reach the
# pre-boot SSH prompt, so the group fed to this loop is security-relevant.
194 while IFS
=: read -r group x x users
195 do while test -n "$users" && IFS
=, read -r user users
<<-EOF
198 do eval local home\
; home
="~$user"
199 cat "$home"/etc
/ssh
/authorized_keys
202 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/initramfs-tools
/root
/.ssh
/authorized_keys
# Client key files generated by the Debian dropbear package are removed (the
# command these paths belong to is on a line not shown here); the initramfs
# only needs to accept incoming keys, not hold a private one.
204 /etc
/initramfs-tools
/root
/.ssh
/id_rsa.dropbear \
205 /etc
/initramfs-tools
/root
/.ssh
/id_rsa.pub \
206 /etc
/initramfs-tools
/root
/.ssh
/id_rsa
207 # NOTE: keys generated by Debian
208 sudo update-initramfs
-u
#######################################
# rule_locale_configure: writes /etc/locale.gen (mode 644 root:root) from a
# heredoc whose content is not shown on this page.
#######################################
210 rule_locale_configure
() {
211 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/locale.gen
<<-EOF
#######################################
# rule_login_configure: console and login policy — securetty, inittab,
# login.defs and a pam_umask session line.
# The two securetty edits and the pam.d edit are idempotent: a grep -q guard
# skips the rewrite when the line is already present, and "$(cat FILE)" is
# expanded before install truncates FILE, so the old content is preserved
# (the appended line itself sits on a heredoc line not shown here).
#######################################
216 rule_login_configure
() {
# Allow root login on the Xen console hvc0 (and xvc0 below), see securetty(5).
217 grep -q '^hvc0$' /etc
/securetty ||
218 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/securetty
<<-EOF
219 $(cat /etc/securetty)
222 grep -q '^xvc0$' /etc
/securetty ||
223 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/securetty
<<-EOF
224 $(cat /etc/securetty)
# sysvinit inittab: standard runlevels, sulogin fallbacks, a getty on hvc0.
# Ctrl-Alt-Del uses shutdown -a, i.e. honours /etc/shutdown.allow.
227 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/inittab
<<-EOF
228 # /etc/inittab: init(8) configuration.
230 # The default runlevel.
233 # Boot-time system configuration/initialization script.
234 # This is run first except when booting in emergency (-b) mode.
235 si::sysinit:/etc/init.d/rcS
237 # What to do in single-user mode.
238 ~~:S:wait:/sbin/sulogin
240 # /etc/init.d executes the S and K scripts upon change
243 # Runlevel 0 is halt.
244 # Runlevel 1 is single-user.
245 # Runlevels 2-5 are multi-user.
246 # Runlevel 6 is reboot.
248 l0:0:wait:/etc/init.d/rc 0
249 l1:1:wait:/etc/init.d/rc 1
250 l2:2:wait:/etc/init.d/rc 2
251 l3:3:wait:/etc/init.d/rc 3
252 l4:4:wait:/etc/init.d/rc 4
253 l5:5:wait:/etc/init.d/rc 5
254 l6:6:wait:/etc/init.d/rc 6
255 # Normally not reached, but fallthrough in case of emergency.
256 z6:6:respawn:/sbin/sulogin
258 # What to do when CTRL-ALT-DEL is pressed.
259 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
261 # What to do when the power fails/returns.
262 pf::powerwait:/etc/init.d/powerfail start
263 pn::powerfailnow:/etc/init.d/powerfail now
264 po::powerokwait:/etc/init.d/powerfail stop
266 # Xen hypervisor console
267 hvc:2345:respawn:/sbin/getty 38400 hvc0
268 #xvc:2345:respawn:/sbin/getty 38400 xvc0
# login.defs: same PATH (including sbin/) for users and superuser, SHA-512
# password hashing. The UMASK and login-retry settings are in a gap of this
# page (the comments about group trust and ACLs refer to the umask choice).
270 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/login.defs
<<-EOF
277 FTMP_FILE /var/log/btmp
279 HUSHLOGIN_FILE .hushlogin
280 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
281 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
282 # NOTE: met les sbin/ dans ENV_PATH ;
283 # - ça n'apporte aucune protection de ne pas les mettre ;
284 # - ça frustre de ne pas les trouver.
291 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
292 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
305 ENCRYPT_METHOD SHA512
# Append "session optional pam_umask.so" to common-session once, so the
# login.defs UMASK is applied to PAM sessions too.
307 grep -q '^session optional pam_umask.so\>' /etc
/pam.d
/common-session ||
308 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/pam.d
/common-session
<<-EOF
309 $(cat /etc/pam.d/common-session)
310 session optional pam_umask.so
#######################################
# rule_network_configure: hostname, /etc/hosts and /etc/network/interfaces.
# Globals: vm, vm_fqdn, vm_ipv4 (read)
#######################################
313 rule_network_configure
() {
# /etc/hostname — heredoc content not shown on this page.
314 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/hostname
<<-EOF
# Add the FQDN/short-name loopback entry unless a line already ends in " $vm".
317 grep -q " $vm\$" /etc
/hosts ||
318 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/hosts
<<-EOF
320 127.0.0.1 $vm_fqdn $vm
# Single /32 address on interface "grenode" with the gateway on the same
# address (proxy_arp on the gateway side); the lowered MTU is justified by the
# ping tests quoted in the file. post-up/pre-down add and remove the /32.
# The "address" and "mtu" lines themselves are in a gap of this page.
322 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/network
/interfaces
<<-EOF
324 iface lo inet loopback
327 iface grenode inet static
329 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
332 netmask 255.255.255.255
334 # NOTE: il y a besoin de ça en l'état actuel du réseau de Grenode
335 # car la MTU des tunnels GRE/IPsec entre les routeurs de Grenode l'impose.
337 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200)) soupirail.grenode.net
338 # PING soupirail.grenode.net (91.216.110.1) 1272(1300) bytes of data.
339 # 1280 bytes from soupirail.grenode.net (91.216.110.1): icmp_req=1 ttl=63 time=18.0 ms
341 # --- soupirail.grenode.net ping statistics ---
342 # 1 packets transmitted, 1 received, 0% packet loss, time 0ms
343 # rtt min/avg/max/mdev = 18.027/18.027/18.027/0.000 ms
344 # root@ateliers:~# ping -M do -c 1 -s \$((1500-20-8-200+1)) soupirail.grenode.net
345 # PING soupirail.grenode.net (91.216.110.1) 1273(1301) bytes of data.
346 # From estran.grenode.net (91.216.110.6) icmp_seq=1 Frag needed and DF set (mtu = 1300)
348 # --- soupirail.grenode.net ping statistics ---
349 # 0 packets transmitted, 0 received, +1 errors
350 post-up ip address add $vm_ipv4/32 dev \$IFACE
351 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
#######################################
# rule_user_configure: user-account policy — /etc/skel layout, OpenSSH host
# key and sshd_config, sudoers drop-ins and the passwd-init helper.
# Globals: vm_fqdn, vm_ipv4, tool (read)
#######################################
354 rule_user_configure
() {
# Skeleton directories (group adm, 750/770); the first argument list of each
# install -d is in a gap of this page.
355 sudo
install -d -m 750 -u root
-g adm \
358 sudo
install -d -m 770 -u root
-g adm \
359 /etc
/skel
/etc
/apache2 \
362 /etc
/skel
/var
/cache \
363 /etc
/skel
/var
/cache
/ssh
# New users get ~/.ssh and ~/.gnupg as symlinks into ~/etc/.
364 sudo
ln -fns etc
/ssh /etc
/skel
/.
ssh
365 sudo
ln -fns etc
/gpg
/etc
/skel
/.gnupg
# Keep the current host key if "$tool"/etc/openssh/known_hosts already has an
# RSA entry for $vm_fqdn (subshell returns 0 on the first match; the "break"
# after "return 0" is dead). Otherwise — the "||" and rm lines are not shown —
# generate a 4096-bit RSA host key with an empty passphrase and drop the
# Debian-generated DSA/ECDSA host keys, leaving RSA as the only HostKey.
366 ssh-keygen
-F "$vm_fqdn" -f "$tool"/etc
/openssh
/known_hosts |
367 ( while IFS
= read -r line
368 do case $line in (*" RSA") return 0; break;; esac
370 sudo ssh-keygen
-t rsa
-b 4096 -N '' -f /etc
/ssh
/ssh_host_rsa_key
372 /etc
/ssh
/ssh_host_dsa_key \
373 /etc
/ssh
/ssh_host_dsa_key.pub \
374 /etc
/ssh
/ssh_host_ecdsa_key \
375 /etc
/ssh
/ssh_host_ecdsa_key.pub
376 # NOTE: keys generated by Debian
# sshd_config: listens on the VM address only; public-key authentication only
# (password, challenge-response, host-based, Kerberos and GSSAPI all off) with
# keys read from %h/etc/ssh/authorized_keys.
# NOTE(review): Port/Protocol and PermitRootLogin fall in gaps of this page —
# check them in the real file. UsePrivilegeSeparation, KeyRegenerationInterval
# and RSAAuthentication are legacy keywords that newer OpenSSH ignores.
377 sudo
install -m 644 -u root
-g root
/dev
/stdin
/etc
/ssh
/sshd_config
<<-EOF
379 ListenAddress $vm_ipv4
383 HostKey /etc/ssh/ssh_host_rsa_key
384 UsePrivilegeSeparation yes
385 KeyRegenerationInterval 3600
392 RSAAuthentication yes
393 PubkeyAuthentication yes
394 AuthorizedKeysFile %h/etc/ssh/authorized_keys
396 RhostsRSAAuthentication no
397 HostbasedAuthentication no
398 IgnoreUserKnownHosts no
399 PermitEmptyPasswords no
400 ChallengeResponseAuthentication no
401 PasswordAuthentication no
402 KerberosAuthentication no
403 GSSAPIAuthentication no
410 ClientAliveInterval 0
412 Subsystem sftp /usr/lib/openssh/sftp-server
415 sudo service
ssh restart
# sudoers drop-in: members of %sudo may run exactly this /bin/sh command line
# without a password. sudoers matches the argument list literally, so the
# command in /usr/local/sbin/passwd-init below must stay byte-identical
# (including the literal "$SUDO_USER", hence the escaped dollars). The command
# only runs passwd for the invoking user, and only while passwd --status
# reports the account as locked ("L"). Mode 640 is not group/world-writable,
# which is what sudo requires (0440 is the customary mode).
416 sudo
install -m 640 -u root
-g root
/dev
/stdin
/etc
/sudoers.d
/passwd-init
<<-EOF
417 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
418 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
419 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
# Lets %sudo run "etckeeper unclean" (status check only) without a password.
421 sudo
install -m 640 -u root
-g root
/dev
/stdin
/etc
/sudoers.d
/etckeeper-unclean
<<-EOF
422 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
# Environment variables kept across sudo (git committer identity; the other
# names in the list are in a gap of this page).
424 sudo
install -m 640 -u root
-g root
/dev
/stdin
/etc
/sudoers.d
/env_keep
<<-EOF
425 Defaults env_keep = " \\
429 GIT_COMMITTER_NAME \\
430 GIT_COMMITTER_EMAIL \\
# Wrapper script (mode 755) invoking the sudoers-whitelisted command above;
# its shebang line is not shown on this page.
433 sudo
install -m 755 -u root
-g root
/dev
/stdin
/usr
/local
/sbin
/passwd-init
<<-EOF
435 # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
436 sudo /bin/sh -e -f -u -c \
437 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
#######################################
# rule_user_root_configure: root's home layout, SSH authorized_keys and
# OpenPGP keyring.
# Globals: tool (read)
#######################################
440 rule_user_root_configure
() {
# Directory list of this install -d is in a gap of this page.
441 sudo
install -d -m 750 -u root
-g adm \
445 sudo
ln -fns etc
/gpg
/root
/.gnupg
446 sudo
ln -fns etc
/ssh /root
/.
ssh
# Collects ~user/etc/ssh/authorized_keys for every user of each group record
# read (name:x:gid:users), peeling the comma-separated names one at a time —
# presumably the inner heredoc feeds $users back in. The eval makes the tilde
# expand for a user name held in a variable. Group source and the pipe into
# the install below are on lines not shown. Everyone listed here gets SSH
# access as root, so the group fed to this loop is security-relevant.
448 while IFS
=: read -r group x x users
449 do while test -n "$users" && IFS
=, read -r user users
<<-EOF
452 do eval local home\
; home
="~$user"
453 cat "$home"/etc
/ssh
/authorized_keys
456 sudo
install -m 640 -u root
-g root
/dev
/stdin
/root
/etc
/ssh
/authorized_keys
# Import the tool's published OpenPGP keys into root's keyring. "local -"
# scopes the option change, so "set +f" re-enables globbing (disabled by the
# script-wide set -f) only until this function returns.
457 local key
; local -; set +f
458 for key
in "$tool"/var
/pub
/openpgp
/*.key
459 do sudo gpg
--import "$key"
#######################################
# rule_bin_configure: exposes the tool's vm_hosted script in /usr/local/sbin
# through a symlink (-f replaces an existing one, -n treats the target as a
# file rather than descending into it).
#######################################
462 rule_bin_configure
() {
463 sudo
ln -fns "$tool"/vm_hosted
/usr
/local
/sbin
/
# Fragment of an orchestration rule whose header is not on this page: runs the
# configuration rules in order (etckeeper first, so later changes to /etc are
# tracked). The "rule" dispatcher itself is defined elsewhere.
466 rule etckeeper_configure
467 rule locale_configure
468 rule network_configure
470 rule filesystem_configure
472 rule user_root_configure
474 rule apticron_configure
#######################################
# rule_luks_key_change: interactively replaces a passphrase slot of the root
# LUKS volume (cryptsetup prompts for the old and the new passphrase). Only
# the root volume is touched; the other volumes are unlocked from the root
# mapping by crypttab.
# Globals: vm_lvm_vg, vm_lvm_lv (read)
#######################################
478 rule_luks_key_change
() {
479 sudo cryptsetup luksChangeKey
/dev
/$vm_lvm_vg/${vm_lvm_lv}_root
#######################################
# rule_user_admin_configure: re-applies the rules that consume the admin
# users' authorized_keys (initramfs/dropbear and root's SSH access).
#######################################
482 rule_user_admin_configure
() {
483 rule initramfs_configure
484 rule user_root_configure
#######################################
# rule_user_admin_add: creates an administrator account.
# Arguments: $1 - user name (copied to the local "user" on a line not shown)
# Globals:   tool (read)
#######################################
486 rule_user_admin_add
() { # SYNTAX: $user
# Create the account only if it does not exist yet; no password is set.
488 id
"$user" >/dev
/null ||
489 sudo adduser
--disabled-password "$user"
490 # NOTE: the password must be initialised by the user with passwd-init .
# Tilde expansion of a name held in a variable needs eval. NOTE(review): the
# name reaches eval unquoted; with set -e the id/adduser step above already
# fails for names adduser rejects, but a separate sanity check would be safer.
491 eval local home\
; home
="~$user"
492 sudo adduser
"$user" sudo
# Install the user's published public key as the only authorized key.
# NOTE(review): the file is root:root mode 640; sshd normally opens
# authorized_keys with the user's privileges — confirm public-key login works.
493 sudo
install -m 640 -u root
-g root \
494 "$tool"/var
/pub
/ssh
/"$user".key \
495 "$home"/etc
/ssh
/authorized_keys
# Import the tool's OpenPGP keys into the new user's keyring; "local -"
# limits the "set +f" (globbing) to this function.
496 local key
; local -; set +f
497 for key
in "$tool"/var
/pub
/openpgp
/*.key
498 do sudo
-u "$user" gpg
--import "$key"
500 rule user_admin_configure
#######################################
# rule_user_mail_format: per-user mail layout in /etc/skel (procmail delivery
# into ~/var/mail), plus Postfix, Dovecot and Postgrey configuration.
# mk_dir/mk_reg (mode/owner helpers) are defined elsewhere.
# Globals: vm_domainname, vm_hostname (read)
# Heredoc terminators and many config lines are in gaps of this page.
#######################################
502 rule_user_mail_format
() {
# Skeleton: procmail config, Maildir root and procmail cache (group adm, 770).
503 mk_dir mod
=770 own
=root
:adm
/etc
/skel
/etc
/procmail
504 mk_dir mod
=770 own
=root
:adm
/etc
/skel
/var
/mail
505 mk_dir mod
=770 own
=root
:adm
/etc
/skel
/var
/cache
/procmail
# Default procmailrc: takes the six Postfix arguments (see mailbox_command in
# main.cf below), delivers to ~/var/mail/, and forwards to the address found
# in the user's GECOS field. SHELLMETAS restricts which recipe lines procmail
# hands to a shell.
506 mk_reg mod
=660 own
=root
:adm
/etc
/skel
/etc
/procmail
/delivery.rc
<<-EOF
509 # NOTE: paramètres passés par postfix
515 ORIGINAL_RECIPIENT=\$6
517 PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
518 MAILDIR="\$HOME/var/mail/"
520 #LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
526 SHELLMETAS=&|<>~;?*%{}
528 # DESCRIPTION: supprime les doublons en fonction du champ Message-Id
529 #:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
530 #| formail -D 8192 "\$HOME/var/cache/procmail/msgid"
532 # DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
533 EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
534 # NOTE: récupère l’adresse courriel dans le champ GECOS
535 FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
536 # NOTE: récupère l’expéditeur inscrit sur l’enveloppe
538 | \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"
542 #| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"
547 # -I "\$HOME/etc/uucp/uucp.cfg" \
549 # --notification=error \
550 # --requestor "\$USER" \
551 # - "\$USER!rmail" "(\$USER)"
# Postfix main.cf. Points worth checking when touching it:
# - smtpd_discard_ehlo_keywords = starttls hides STARTTLS on this smtpd
#   instance, and smtpd_tls_auth_only = yes then also withholds AUTH there;
#   the author expects TLS clients to fail on it, so a separate submission
#   service (master.cf, not on this page) presumably serves them — confirm,
#   as port-25 traffic to this instance is plaintext.
# - smtpd_tls_mandatory_protocols = TLSv1 is the exclusive-list form (only
#   TLS 1.0 when TLS is mandatory); the smtp side uses "!SSLv2, !SSLv3".
# - smtp_tls_fingerprint_digest / smtpd_tls_fingerprint_digest = sha1: any
#   fingerprints stored in the policy and relay_clientcerts maps must be
#   regenerated before moving to sha256.
# - Recipient restrictions are ordered so Postgrey/SPF policy checks run only
#   for mail we actually accept (after reject_unauth_destination).
553 mk_reg mod
=664 own
=root
:root
/etc
/postfix
/main.cf
<<-EOF
554 # /etc/postfix/main.cf
555 # SEE: http://postfix.traduc.org/index.php/TLS_README.html
557 parent_domain_matches_subdomains =
561 #permit_mx_backup_networks
562 #qmqpd_authorized_clients
564 mydomain = $vm_domainname
565 myorigin = \$mydomain
566 myhostname = $vm_hostname.\$mydomain
567 mail_name = \$myhostname
575 inet_protocols = ipv4
576 # "all" to activate IPv6
577 inet_interfaces = all
578 permit_mx_backup_networks =
582 # NOTE: fichier de hash contenant une table d’alias mail.
583 # Celle-ci est éditable dans /etc/aliases, puis (indispensable)
584 # regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
587 recipient_delimiter = +
588 # NOTE: séparateur entre le nom d’utilisateur
589 # et les extensions d’adresse (par défaut le signe +).
590 #virtual_alias_domains =
592 hash:/etc/postfix/\$mydomain/virtual
593 # NOTE: do not specify virtual alias domain names in the main.cf
594 # mydestination or relay_domains configuration parameters.
596 # With a virtual alias domain, the Postfix SMTP server
597 # accepts mail for known-user@virtual-alias.domain, and
598 # rejects mail for unknown-user@virtual-alias.domain as
602 hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
605 # NOTE: ajouter les domaines pour lesquels on est backup MX ici,
606 # pas dans mydestination ou virtual_alias...
608 maximal_queue_lifetime = 5d
611 regexp:/etc/postfix/\$mydomain/header_checks
613 nested_header_checks =
614 milter_header_checks =
617 #content_filter = amavisfeed:[127.0.0.1]:10024
618 #receive_override_options = no_address_mappings
619 # no_unknown_recipient_checks
620 # Do not try to reject unknown recipients (SMTP server only).
621 # This is typically specified AFTER an external content filter.
622 # no_address_mappings
623 # Disable canonical address mapping, virtual alias map expansion,
624 # address masquerading, and automatic BCC (blind carbon-copy) recipients.
625 # This is typically specified BEFORE an external content filter (eg. amavis).
626 # no_header_body_checks
627 # Disable header/body_checks. This is typically specified AFTER an external content filter.
629 # Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
630 #local_header_rewrite_clients =
632 hash:/etc/postfix/\$mydomain/transport_maps
634 /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
635 mailbox_size_limit = 0
637 # Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
638 append_dot_mydomain = no
639 # appending .domain is the MUA's job.
644 #tls_random_reseed_period = 3600s
645 #tls_random_exchange_name =
646 # \${data_directory}/prng_exch
647 # NOTE: à ne pas mettre dans la cage chroot
648 #tls_random_bytes = 32
649 #tls_random_prng_update_period = 3600s
650 #tls_high_cipherlist = AES256-SHA
651 # NOTE: postconf(5) déconseille de changer ceci
653 #smtp_cname_overrides_servername = no
654 smtp_connect_timeout = 60s
655 #smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
656 #smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
657 #smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
658 #smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
659 #smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
660 # NOTE: déprécié en faveur de smtp_tls_policy_maps
661 smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
662 smtp_tls_fingerprint_digest = sha1
663 smtp_tls_scert_verifydepth = 5
664 #smtp_tls_secure_cert_match = nexthop, dot-nexthop
665 #smtp_tls_verify_cert_match = hostname
666 #smtp_tls_note_starttls_offer = yes
667 smtp_tls_loglevel = 1
668 smtp_tls_protocols = !SSLv2, !SSLv3
670 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
671 #smtp_tls_session_cache_timeout = 3600s
672 smtp_tls_security_level = may
673 smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
675 smtp_mime_header_checks =
676 smtp_nested_header_checks =
678 smtpd_starttls_timeout = 300s
680 \$myhostname ESMTP \$mail_name (Debian/GNU)
683 smtpd_helo_required = yes
684 strict_rfc821_envelopes = yes
685 smtpd_authorized_xclient_hosts = 127.0.0.1
686 # NOTE: utile pour tester les restrictions
688 smtpd_helo_restrictions =
689 reject_invalid_helo_hostname
690 reject_non_fqdn_helo_hostname
691 #reject_unknown_helo_hostname
692 # NOTE: pourrait pourtant être utile pour lutter contre le spam
695 smtpd_sender_restrictions =
697 permit_tls_clientcerts
698 permit_sasl_authenticated
699 check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
700 check_sender_access hash:/etc/postfix/sender_blacklist
701 reject_unauth_pipelining
702 reject_non_fqdn_sender
703 #reject_unknown_sender_domain
707 smtpd_client_new_tls_session_rate_limit = 0
708 smtpd_client_event_limit_exceptions = \$mynetworks
709 smtpd_client_recipient_rate_limit = 0
710 smtpd_client_connection_count_limit = 50
711 smtpd_client_connection_rate_limit = 0
712 smtpd_client_message_rate_limit = 0
713 smtpd_client_port_logging = no
715 smtpd_client_restrictions =
716 check_client_access hash:/etc/postfix/client_blacklist
718 policy_time_limit = 3600
719 default_extra_recipient_limit = 5000
720 duplicate_filter_limit = 5000
721 smtpd_recipient_limit = 5000
722 smtpd_recipient_overshoot_limit = 5000
723 smtpd_recipient_restrictions =
724 reject_non_fqdn_recipient
725 #reject_invalid_hostname
726 # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
727 # dans smtpd_helo_restrictions
728 reject_unknown_recipient_domain
729 #reject_non_fqdn_sender
730 # NOTE: dans smtpd_sender_restrictions
731 reject_unauth_pipelining
732 # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
734 permit_tls_clientcerts
735 permit_sasl_authenticated
736 reject_unauth_destination
737 # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
738 # ou quelqu'un pour lequel on tient lieu de backup_mx
739 check_policy_service inet:127.0.0.1:10023
740 # NOTE: Postgrey (greylisting)
741 check_policy_service unix:private/spfcheck
742 permit_auth_destination
743 # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
744 # (voir permit_auth_destination) ; sans doute redondant
746 #check_relay_domains <- removed from postfix
747 #reject_unknown_sender_domain
748 # aurait probablement été mieux dans smtpd_sender_restrictions
749 #reject_rbl_client bl.spamcop.net
750 #reject_rbl_client list.dsbl.org
751 #reject_rbl_client zen.spamhaus.org
752 #reject_rbl_client dnsbl.sorbs.net
754 smtpd_data_restrictions =
755 reject_unauth_pipelining
756 # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
759 #smtpd_end_of_data_restrictions =
761 #smtpd_restriction_classes =
763 smtpd_error_sleep_time = 5
764 # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.
767 smtpd_sasl_auth_enable = yes
768 smtpd_sasl_type = dovecot
769 smtpd_sasl_path = private/auth
770 smtpd_sasl_security_options = noanonymous
771 smtpd_sasl_domain = \$mydomain
774 smtpd_discard_ehlo_keywords = starttls
775 # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
776 # se mangent une erreur en tentant un starttls
777 smtpd_tls_fingerprint_digest = sha1
779 smtpd_tls_mandatory_protocols = TLSv1
780 smtpd_tls_mandatory_ciphers = high
781 smtpd_tls_ciphers = high
782 # restrictif. s/high/medium/ ?
783 smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
784 smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
785 smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
786 smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
788 #smtpd_tls_received_header = no
789 smtpd_tls_session_cache_database =
790 btree:/var/lib/postfix/smtpd_tls_session_cache
791 #smtpd_tls_session_cache_timeout = 3600s
792 smtpd_tls_security_level = may
793 # Postfix 2.3 and later
795 # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
796 # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
797 # SMTP server. Instead, this option should be used only on dedicated servers.
798 smtpd_tls_loglevel = 1
799 smtpd_tls_ccert_verifydepth = 5
800 smtpd_tls_auth_only = yes
801 # Pas d'AUTH SASL sans TLS
802 smtpd_tls_ask_ccert = no
803 smtpd_tls_req_ccert = no
804 #smtpd_tls_always_issue_session_ids = yes
805 smtpd_peername_lookup = yes
806 # Nécessaire pour postgrey, etc
809 line_length_limit = 2048
811 message_size_limit = 20480000
812 #smtpd_enforce_tls # NOTE: obsolète
813 #smtpd_use_tls # NOTE: obsolète
814 #smtpd_tls_cipherlist # NOTE: obsolète
816 readme_directory = no
817 #delay_warning_time = 4h
818 # NOTE: uncomment the previous line to generate "delayed mail" warnings
819 #debug_peer_level = 4
820 #debug_peer_list = .\$myhostname
# Dovecot: IMAP requires a client certificate (ssl_verify_client_cert = yes)
# and takes the login name from it (auth_ssl_username_from_cert = yes);
# per-user passwd files under ~/etc/dovecot; SASL socket shared with Postfix.
# NOTE(review): ssl_cipher_list = AES256-SHA is a single suite without forward
# secrecy; an ECDHE/DHE-based list would be preferable — check client support
# before changing.
822 mk_reg mod
=664 own
=root
:root
/etc
/dovecot
/dovecot.conf
<<-EOF
823 auth_ssl_username_from_cert = yes
825 log_timestamp = "%Y-%m-%d %H:%M:%S "
827 mail_location = maildir:~/var/mail
828 mail_privileged_group = mail
830 args = /home/%u/etc/dovecot/passwd
835 unix_listener /var/spool/postfix/private/auth {
842 ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
843 ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
844 ssl_cipher_list = AES256-SHA
845 ssl_key = </etc/dovecot/imap/tls/key.pem
846 ssl_verify_client_cert = yes
852 auth_socket_path = /var/run/dovecot/auth-master
853 hostname = $vm_domainname
854 info_log_path = /var/log/dovecot/lda/info.log
855 log_path = /var/log/dovecot/lda/error.log
857 postmaster_address = contact+dovecot+lda@$vm_domainname
# Postgrey local recipient whitelist — heredoc content not shown here.
860 mk_reg mod
=664 own
=root
:root
/etc
/postgrey
/whitelist_recipients.
local <<-EOF
#######################################
# rule_mail_configure: installs the mail stack (Postfix, Postgrey, Dovecot)
# directly with apt-get rather than through rule apt_get_install; the rest of
# the body is not shown on this page.
#######################################
863 rule_mail_configure
() {
864 sudo apt-get
install postfix postgrey dovecot
# Top-level precondition: the machine's FQDN must match $vm_fqdn, so that these
# rules are never run on the wrong host (assert helper defined elsewhere; the
# second argument names the variable reported on failure).
872 assert
'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn