--- /dev/null
+# DOC: http://postfix.traduc.org/index.php/TLS_README.html
+
+alias_database = hash:/etc/aliases
+ # NOTE: fichier de hash contenant une table d’alias mail.
+ # Celle-ci est éditable dans /etc/aliases, puis (indispensable)
+ # regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
+alias_maps = hash:/etc/aliases
+append_dot_mydomain = no
+ # NOTE: appending .domain is the MUA's job.
+biff = no
+ # NOTE: pas de notification dans la console en cas de réception de nouveaux courriels.
+body_checks =
+#content_filter = amavisfeed:[127.0.0.1]:10024
+#debug_peer_level = 4
+#debug_peer_list = .$myhostname
+default_extra_recipient_limit = 5000
+#delay_warning_time = 4h
+ # NOTE: uncomment the previous line to generate "delayed mail" warnings
+duplicate_filter_limit = 5000
+forward_path = $home/etc/mail/forward${recipient_delimiter}${extension}, $home/etc/mail/forward
+header_checks = regexp:/etc/postfix/$mydomain/header_checks
+inet_interfaces = all
+inet_protocols = ipv4
+ # NOTE: "all" to activate IPv6
+line_length_limit = 2048
+#local_header_rewrite_clients =
+mailbox_command = /usr/bin/procmail -t -a "$SENDER" -a "$RECIPIENT" -a "$USER" -a "$EXTENSION" -a "$DOMAIN" -a "$ORIGINAL_RECIPIENT" "$HOME/etc/mail/delivery.procmailrc"
+mailbox_size_limit = 0
+maximal_queue_lifetime = 5d
+message_size_limit = 20480000
+mime_header_checks =
+milter_header_checks =
+mynetworks = 127.0.0.0/8 #, [::1]/128
+non_smtpd_milters =
+nested_header_checks =
+parent_domain_matches_subdomains =
+ #debug_peer_list
+ #fast_flush_domains
+ #mynetworks
+ #permit_mx_backup_networks
+ #qmqpd_authorized_clients
+ #smtpd_access_maps
+permit_mx_backup_networks =
+propagate_unmatched_extensions = canonical, virtual
+queue_minfree = 0
+readme_directory = no
+#receive_override_options = no_address_mappings
+ # no_unknown_recipient_checks
+ # Do not try to reject unknown recipients (SMTP server only).
+ # This is typically specified AFTER an external content filter.
+ # no_address_mappings
+ # Disable canonical address mapping, virtual alias map expansion,
+ # address masquerading, and automatic BCC (blind carbon-copy) recipients.
+ # This is typically specified BEFORE an external content filter (eg. amavis).
+ # no_header_body_checks
+ # Disable header/body_checks. This is typically specified AFTER an external content filter.
+ # no_milters
+ # Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
+recipient_delimiter = +
+ # NOTE: séparateur entre le nom d’utilisateur et les extensions d’adresse.
+#relayhost =
+relay_clientcerts = hash:/etc/postfix/$mydomain/smtpd/relay_clientcerts
+relay_domains = $mydestination
+ # NOTE: ajouter les domaines pour lesquels on est backup MX ici, pas dans mydestination ou virtual_alias...
+smtp_body_checks =
+#smtp_cname_overrides_servername = no
+smtp_connect_timeout = 60s
+smtp_header_checks = regexp:/etc/postfix/$mydomain/smtp/header_checks
+smtp_mime_header_checks =
+smtp_nested_header_checks =
+#smtp_tls_CAfile = /etc/postfix/$mydomain/smtp/x509/ca/crt.pem
+#smtp_tls_CApath = /etc/postfix/$mydomain/smtp/x509/ca/
+#smtp_tls_cert_file = /etc/postfix/$mydomain/smtp/x509/crt.pem
+smtp_tls_fingerprint_digest = sha1
+#smtp_tls_key_file = /etc/postfix/$mydomain/smtp/x509/key.pem
+smtp_tls_loglevel = 1
+#smtp_tls_note_starttls_offer = yes
+smtp_tls_policy_maps = hash:/etc/postfix/$mydomain/smtp/x509/policy
+smtp_tls_protocols = !SSLv2, !SSLv3
+ # NOTE: only allow TLSv*
+smtp_tls_scert_verifydepth = 5
+#smtp_tls_secure_cert_match = nexthop, dot-nexthop
+smtp_tls_security_level = may
+smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
+#smtp_tls_session_cache_timeout = 3600s
+#smtp_tls_verify_cert_match = hostname
+smtpd_authorized_xclient_hosts = 127.0.0.1
+ # NOTE: utile pour tester les restrictions
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+smtpd_client_connection_count_limit = 50
+smtpd_client_connection_rate_limit = 0
+smtpd_client_event_limit_exceptions = $mynetworks
+smtpd_client_message_rate_limit = 0
+smtpd_client_new_tls_session_rate_limit = 0
+smtpd_client_port_logging = no
+smtpd_client_recipient_rate_limit = 0
+smtpd_client_restrictions =
+ check_client_access hash:/etc/postfix/$mydomain/smtpd/client_blacklist
+smtpd_data_restrictions =
+ reject_unauth_pipelining
+ # NOTE: oblige le client smtp en face à attendre qu'on lui aie dit OK
+ permit
+smtpd_discard_ehlo_keywords = starttls
+ # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste se mangent une erreur en tentant un starttls
+#smtpd_end_of_data_restrictions =
+smtpd_error_sleep_time = 5
+ # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.
+smtpd_helo_required = yes
+smtpd_helo_restrictions =
+ reject_invalid_helo_hostname
+ reject_non_fqdn_helo_hostname
+ #reject_unknown_helo_hostname
+ # NOTE: pourrait pourtant être utile pour lutter contre le spam
+ permit
+smtpd_milters =
+smtpd_peername_lookup = yes
+ # NOTE: nécessaire pour postgrey
+smtpd_recipient_limit = 5000
+smtpd_recipient_overshoot_limit = 5000
+smtpd_recipient_restrictions =
+ reject_non_fqdn_recipient
+ #reject_invalid_hostname
+ # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname dans smtpd_helo_restrictions
+ reject_unknown_recipient_domain
+ #reject_non_fqdn_sender
+ # NOTE: dans smtpd_sender_restrictions
+ reject_unauth_pipelining
+ # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
+ permit_mynetworks
+ permit_tls_clientcerts
+ permit_sasl_authenticated
+ reject_unauth_destination
+ # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous ou quelqu'un pour lequel on tient lieu de backup_mx
+ check_policy_service inet:127.0.0.1:10023
+ # NOTE: Postgrey (greylisting)
+ check_policy_service unix:private/spfcheck
+ permit_auth_destination
+ # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné (voir permit_auth_destination) ; sans doute redondant
+ reject
+ #reject_unknown_sender_domain
+ # NOTE: probablement mieux dans smtpd_sender_restrictions
+ #reject_rbl_client bl.spamcop.net
+ #reject_rbl_client list.dsbl.org
+ #reject_rbl_client zen.spamhaus.org
+ #reject_rbl_client dnsbl.sorbs.net
+#smtpd_restriction_classes =
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_path = private/auth
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_type = dovecot
+smtpd_sender_restrictions =
+ permit_mynetworks
+ permit_tls_clientcerts
+ permit_sasl_authenticated
+ check_sender_access hash:/etc/postfix/$mydomain/smtpd/sender_access
+ reject_unauth_pipelining
+ reject_non_fqdn_sender
+ #reject_unknown_sender_domain
+ permit
+smtpd_starttls_timeout = 300s
+#smtpd_tls_always_issue_session_ids = yes
+smtpd_tls_CAfile = /etc/postfix/$mydomain/x509/smtpd/ca/crt.pem
+smtpd_tls_CApath = /etc/postfix/$mydomain/x509/smtpd/ca/
+smtpd_tls_ask_ccert = no
+smtpd_tls_auth_only = yes
+ # NOTE: pas d'AUTH SASL sans TLS
+smtpd_tls_ccert_verifydepth = 5
+smtpd_tls_cert_file = /etc/postfix/$mydomain/x509/smtpd/crt+crl.self-signed.pem
+smtpd_tls_ciphers = high
+smtpd_tls_fingerprint_digest = sha512
+smtpd_tls_key_file = /etc/postfix/$mydomain/x509/smtpd/key.pem
+smtpd_tls_loglevel = 1
+smtpd_tls_mandatory_ciphers = high
+smtpd_tls_mandatory_protocols = TLSv1
+#smtpd_tls_received_header = no
+smtpd_tls_req_ccert = no
+smtpd_tls_security_level = may
+ # Postfix 2.3 and later
+ # encrypt
+ # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
+ # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
+ # SMTP server. Instead, this option should be used only on dedicated servers.
+smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
+#smtpd_tls_session_cache_timeout = 3600s
+strict_rfc821_envelopes = yes
+#tls_high_cipherlist = AES256-SHA
+ # NOTE: postconf(5) déconseille de changer ceci
+#tls_random_bytes = 32
+#tls_random_exchange_name = ${data_directory}/prng_exch
+ # NOTE: à ne pas mettre dans la cage chroot
+#tls_random_prng_update_period = 3600s
+#tls_random_reseed_period = 3600s
+#tls_random_source = dev:/dev/urandom
+ # NOTE: non-blocking
+transport_maps = hash:/etc/postfix/$mydomain/transport
+#virtual_alias_domains =
+virtual_alias_maps =
+ hash:/etc/postfix/$mydomain/virtual_alias
+ # NOTE: do not specify virtual alias domain names in the main.cf
+ # mydestination or relay_domains configuration parameters.
+ #
+ # With a virtual alias domain, the Postfix SMTP server
+ # accepts mail for known-user@virtual-alias.domain, and
+ # rejects mail for unknown-user@virtual-alias.domain as
+ # undeliverable.
}
rule_apt_get_install () { # SYNTAX: $package
- case $(dpkg -s "$1" | grep '^Status: ') in
+ case $(dpkg -s "$1" 2>/dev/null | grep '^Status: ') in
("Status: install ok installed");;
(*)
test ! -x /usr/bin/etckeeper ||
- assert 'sudo etckeeper unclean'
- sudo apt-get "$@";;
+ ! sudo etckeeper unclean ||
+ warn "/etc unclean: etckeeper may force you to \`etckeeper commit'; then you can run your $0 command again."
+ sudo apt-get install "$@";;
esac
}
EOF
}
rule_boot_configure () {
- warn "attention à n'installer GRUB sur AUCUN disque proposé !"
+ warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !"
rule apt_get_install grub-pc
sudo install -d -m 644 -u root -g root /boot/grub
rule apt_get_install linux-image-$vm_arch
sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
rule initramfs_configure
}
+rule_dovecot_configure () {
+ rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
+ local hint="run vm_remote dovecot_key_send before"
+ assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
+ sudo install -m 400 -o root -g root \
+ "$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
+ /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
+ sudo install -d -m 770 -o root -g adm \
+ /etc/skel/etc/mail \
+ /etc/skel/etc/sieve
+ sudo install -d -m 1777 -o root -g root \
+ /var/lib/dovecot-control \
+ /var/lib/dovecot-index
+ sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
+ auth_ssl_username_from_cert = yes
+ listen = *
+ log_timestamp = "%Y-%m-%d %H:%M:%S "
+ mail_debug = yes
+ mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
+ # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
+ # VOIR: http://wiki2.dovecot.org/Quota/FS
+ mail_plugins = \$mail_plugins quota
+ mail_privileged_group = mail
+ passdb {
+ args = /home/%u/etc/dovecot/passwd
+ driver = passwd-file
+ }
+ plugin {
+ quota = fs:user
+ recipient_delimiter = +
+ sieve = ~/etc/mail/filter.sieve
+ sieve_dir = ~/etc/mail/sieve
+ sieve_global_dir = /var/lib/dovecot/sieve/global/
+ sieve_max_script_size = 1M
+ sieve_quota_max_scripts = 0
+ sieve_quota_max_storage = 10M
+ sieve_user_log = ~/var/log/mail/sieve.log
+ }
+ protocol imap {
+ mail_plugins = \$mail_plugins imap_quota
+ }
+ protocol lda {
+ auth_socket_path = /var/run/dovecot/auth-master
+ hostname = $vm_domainname
+ info_log_path =
+ log_path =
+ mail_plugins = \$mail_plugins sieve
+ postmaster_address = contact+dovecot+lda@$vm_domainname
+ syslog_facility = mail
+ }
+ protocols = imap sieve
+ service auth {
+ user = root
+ unix_listener /var/spool/postfix/private/auth {
+ mode = 0660
+ user = postfix
+ group = postfix
+ }
+ }
+ ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
+ ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
+ ssl_cipher_list = AES256-SHA
+ ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
+ ssl_verify_client_cert = yes
+ userdb {
+ driver = passwd
+ }
+ verbose_ssl = no
+ EOF
+ sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
+ #!/bin/sh -efux
+ # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe dovecot.
+ install -d -m 770 ~/etc/dovecot
+ install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
+ \$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
+ _EOF
+ EOF
+ sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
+ EOF
+ sudo service dovecot restart
+ }
rule_etckeeper_configure () {
sudo install -m 644 -u root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
session optional pam_umask.so
EOF
}
+rule_procmail_configure () {
+ rule apt_get_install procmail
+ sudo install -d -m 770 -o root -g adm \
+ /etc/skel/etc/mail \
+ /etc/skel/var/cache/mail \
+ /etc/skel/var/log/mail \
+ /etc/skel/var/mail
+ sudo install -m 660 -o root -g adm \
+ "$tool"/etc/skel/etc/mail/delivery.procmailrc \
+ /etc/skel/etc/mail/delivery.procmailrc
+ }
+rule_postgrey_configure () {
+ rule apt_get_install postgrey
+ sudo service postgrey restart
+ }
+rule_postfix_configure () {
+ local hint="run vm_remote postfix_key_send before"
+ assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
+ warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix"
+ rule apt_get_install postfix
+ sudo install -d -m 770 -o root -g root \
+ /etc/postfix/$vm_domainname/ \
+ /etc/postfix/$vm_domainname/smtp \
+ /etc/postfix/$vm_domainname/smtp/x509 \
+ /etc/postfix/$vm_domainname/smtp/x509/ca \
+ /etc/postfix/$vm_domainname/smtpd \
+ /etc/postfix/$vm_domainname/smtpd/x509 \
+ /etc/postfix/$vm_domainname/smtpd/x509/ca
+ sudo install -d -m 770 -o root -g root \
+ /etc/postfix/$vm_domainname/ \
+ /etc/postfix/$vm_domainname/smtp \
+ /etc/postfix/$vm_domainname/smtp/x509 \
+ /etc/postfix/$vm_domainname/smtp/x509/ca \
+ /etc/postfix/$vm_domainname/smtpd \
+ /etc/postfix/$vm_domainname/smtpd/x509 \
+ /etc/postfix/$vm_domainname/smtpd/x509/ca
+ sudo ln -fns \
+ ../crt+crl.self-signed.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
+ sudo install -m 400 -o root -g root \
+ var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
+ sudo install -m 400 -o root -g root \
+ var/pub/x509/service/smtpd/crt.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
+ sudo install -m 400 -o root -g root \
+ var/pub/x509/service/smtpd/crt+root.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+root.pem
+ sudo install -m 400 -o root -g root \
+ var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
+ /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
+ sudo install -m 660 -o root -g root \
+ etc/postfix/$vm_domainname/header_checks \
+ /etc/postfix/$vm_domainname/header_checks
+ sudo install -m 664 -o root -g root \
+ etc/aliases \
+ /etc/aliases
+ sudo newaliases
+ cat /dev/stdin etc/postfix/main.cf <<-EOF |
+ mydomain = $vm_domainname
+ myorigin = \$mydomain
+ myhostname = $vm_hostname.\$mydomain
+ mail_name = \$myhostname
+ mydestination = $vm_hostname \$myhostname \$myorigin
+ EOF
+ sudo install -m 664 -o root -g root /dev/stdin \
+ /etc/postfix/main.cf
+ sudo install -m 664 -o root -g root \
+ etc/postfix/master.cf \
+ /etc/postfix/master.cf
+ sudo install -m 660 -o root -g root \
+ etc/postfix/$vm_domainname/smtp/x509/policy \
+ /etc/postfix/$vm_domainname/smtp/x509/policy
+ sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
+ sudo install -m 660 -o root -g root \
+ etc/postfix/$vm_domainname/smtp/header_checks \
+ /etc/postfix/$vm_domainname/smtp/header_checks
+ sudo install -m 660 -o root -g root \
+ etc/postfix/$vm_domainname/smtpd/sender_access \
+ /etc/postfix/$vm_domainname/smtpd/sender_access
+ sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
+ sudo install -m 660 -o root -g root \
+ etc/postfix/$vm_domainname/smtpd/client_blacklist \
+ /etc/postfix/$vm_domainname/smtpd/client_blacklist
+ sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
+ sudo install -m 660 -o root -g root \
+ etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
+ /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
+ sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
+ sudo install -m 660 -o root -g root \
+ etc/postfix/$vm_domainname/transport \
+ /etc/postfix/$vm_domainname/transport
+ sudo postmap hash:/etc/postfix/$vm_domainname/transport
+ sudo install -m 660 -o root -g root \
+ etc/postfix/$vm_domainname/virtual_alias \
+ /etc/postfix/$vm_domainname/virtual_alias
+ sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
+ sudo service postfix restart
+ }
+rule_mail_configure () {
+ rule postfix_configure
+ rule postgrey_configure
+ rule procmail_configure
+ rule dovecot_configure
+ }
rule_network_configure () {
sudo install -m 644 -u root -g root /dev/stdin /etc/hostname <<-EOF
$vm
UsePAM yes
EOF
sudo service ssh restart
- sudo install -m 640 -u root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
+ }
+rule_user_admin_add () { # SYNTAX: $user
+ local user=$1
+ id "$user" >/dev/null ||
+ sudo adduser --disabled-password "$user"
+ # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
+ eval local home\; home="~$user"
+ sudo adduser "$user" sudo
+ sudo install -m 640 -o root -g root \
+ "$tool"/var/pub/ssh/"$user".key \
+ "$home"/etc/ssh/authorized_keys
+ local key; local -; set +f
+ for key in "$tool"/var/pub/openpgp/*.key
+ do sudo -u "$user" gpg --import "$key"
+ done
+ rule user_admin_configure
+ }
+rule_user_admin_configure () {
+ rule initramfs_configure
+ rule user_root_configure
+ }
+rule_user_configure () {
+ sudo install -d -m 750 -o root -g adm \
+ /etc/skel/etc \
+ /etc/skel/etc/ssh
+ sudo install -d -m 770 -o root -g adm \
+ /etc/skel/etc/apache2 \
+ /etc/skel/var \
+ /etc/skel/var/log \
+ /etc/skel/var/cache \
+ /etc/skel/var/cache/ssh
+ sudo ln -fns etc/ssh /etc/skel/.ssh
+ sudo ln -fns etc/gpg /etc/skel/.gnupg
+ sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
GIT_COMMITTER_EMAIL \\
"
EOF
- sudo install -m 755 -u root -g root /dev/stdin /usr/local/sbin/passwd-init <<-EOF
+ sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
#!/bin/sh -efu
# DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système.
sudo /bin/sh -e -f -u -c \
sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
}
-rule_user_admin_configure () {
- rule initramfs_configure
- rule user_root_configure
- }
-rule_user_admin_add () { # SYNTAX: $user
- local user=$1
- id "$user" >/dev/null ||
- sudo adduser --disabled-password "$user"
- # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
- eval local home\; home="~$user"
- sudo adduser "$user" sudo
- sudo install -m 640 -u root -g root \
- "$tool"/var/pub/ssh/"$user".key \
- "$home"/etc/ssh/authorized_keys
- local key; local -; set +f
- for key in "$tool"/var/pub/openpgp/*.key
- do sudo -u "$user" gpg --import "$key"
- done
- rule user_admin_configure
- }
-rule_user_mail_format () {
- mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
- mk_dir mod=770 own=root:adm /etc/skel/var/mail
- mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
- mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
- # vim: ft=procmail
-
- # NOTE: paramètres passés par postfix
- SENDER=\$1
- RECIPIENT=\$2
- USER=\$3
- EXTENSION=\$4
- DOMAIN=\$5
- ORIGINAL_RECIPIENT=\$6
-
- PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
- MAILDIR="\$HOME/var/mail/"
- DEFAULT="\$MAILDIR"
- #LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
- LOGFILE="/dev/null"
- LOGABSTRACT=all
- LOGABSTRACT
- VERBOSE
- SHELL=/bin/sh
- SHELLMETAS=&|<>~;?*%{}
-
- # DESCRIPTION: supprime les doublons en fonction du champ Message-Id
- #:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
- #| formail -D 8192 "\$HOME/var/cache/procmail/msgid"
-
- # DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
- EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
- # NOTE: récupère l’adresse courriel dans le champ GECOS
- FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
- # NOTE: récupère l’expéditeur inscrit sur l’enveloppe
- :0
- | \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"
-
- # DESCRIPTION: IMAP
- #:0
- #| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"
-
- # DESCRIPTION: UUCP
- #:0
- #| /usr/bin/uux \
- # -I "\$HOME/etc/uucp/uucp.cfg" \
- # --nouucico \
- # --notification=error \
- # --requestor "\$USER" \
- # - "\$USER!rmail" "(\$USER)"
- EOF
- mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
- # /etc/postfix/main.cf
- # SEE: http://postfix.traduc.org/index.php/TLS_README.html
-
- parent_domain_matches_subdomains =
- #debug_peer_list
- #fast_flush_domains
- #mynetworks
- #permit_mx_backup_networks
- #qmqpd_authorized_clients
- #smtpd_access_maps
- mydomain = $vm_domainname
- myorigin = \$mydomain
- myhostname = $vm_hostname.\$mydomain
- mail_name = \$myhostname
- mydestination =
- $vm_hostname
- \$myhostname
- \$myorigin
- mynetworks =
- 127.0.0.0/8
- #[::1]/128
- inet_protocols = ipv4
- # "all" to activate IPv6
- inet_interfaces = all
- permit_mx_backup_networks =
-
- alias_database =
- hash:/etc/aliases
- # NOTE: fichier de hash contenant une table d’alias mail.
- # Celle-ci est éditable dans /etc/aliases, puis (indispensable)
- # regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
- alias_maps =
- hash:/etc/aliases
- recipient_delimiter = +
- # NOTE: séparateur entre le nom d’utilisateur
- # et les extensions d’adresse (par défaut le signe +).
- #virtual_alias_domains =
- virtual_alias_maps =
- hash:/etc/postfix/\$mydomain/virtual
- # NOTE: do not specify virtual alias domain names in the main.cf
- # mydestination or relay_domains configuration parameters.
- #
- # With a virtual alias domain, the Postfix SMTP server
- # accepts mail for known-user@virtual-alias.domain, and
- # rejects mail for unknown-user@virtual-alias.domain as
- # undeliverable.
- #relayhost =
- relay_clientcerts =
- hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
- relay_domains =
- \$mydestination
- # NOTE: ajouter les domaines pour lesquels on est backup MX ici,
- # pas dans mydestination ou virtual_alias...
-
- maximal_queue_lifetime = 5d
-
- header_checks =
- regexp:/etc/postfix/\$mydomain/header_checks
- mime_header_checks =
- nested_header_checks =
- milter_header_checks =
- body_checks =
-
- #content_filter = amavisfeed:[127.0.0.1]:10024
- #receive_override_options = no_address_mappings
- # no_unknown_recipient_checks
- # Do not try to reject unknown recipients (SMTP server only).
- # This is typically specified AFTER an external content filter.
- # no_address_mappings
- # Disable canonical address mapping, virtual alias map expansion,
- # address masquerading, and automatic BCC (blind carbon-copy) recipients.
- # This is typically specified BEFORE an external content filter (eg. amavis).
- # no_header_body_checks
- # Disable header/body_checks. This is typically specified AFTER an external content filter.
- # no_milters
- # Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
- #local_header_rewrite_clients =
- transport_maps =
- hash:/etc/postfix/\$mydomain/transport_maps
- mailbox_command =
- /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
- mailbox_size_limit = 0
- biff = no
- # Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
- append_dot_mydomain = no
- # appending .domain is the MUA's job.
-
- #tls_random_source =
- # dev:/dev/urandom
- # Non-blocking
- #tls_random_reseed_period = 3600s
- #tls_random_exchange_name =
- # \${data_directory}/prng_exch
- # NOTE: à ne pas mettre dans la cage chroot
- #tls_random_bytes = 32
- #tls_random_prng_update_period = 3600s
- #tls_high_cipherlist = AES256-SHA
- # NOTE: postconf(5) déconseille de changer ceci
-
- #smtp_cname_overrides_servername = no
- smtp_connect_timeout = 60s
- #smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
- #smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
- #smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
- #smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
- #smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
- # NOTE: déprécié en faveur de smtp_tls_policy_maps
- smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
- smtp_tls_fingerprint_digest = sha1
- smtp_tls_scert_verifydepth = 5
- #smtp_tls_secure_cert_match = nexthop, dot-nexthop
- #smtp_tls_verify_cert_match = hostname
- #smtp_tls_note_starttls_offer = yes
- smtp_tls_loglevel = 1
- smtp_tls_protocols = !SSLv2, !SSLv3
- # Only allow TLSv*
- smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
- #smtp_tls_session_cache_timeout = 3600s
- smtp_tls_security_level = may
- smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
- smtp_body_checks =
- smtp_mime_header_checks =
- smtp_nested_header_checks =
-
- smtpd_starttls_timeout = 300s
- smtpd_banner =
- \$myhostname ESMTP \$mail_name (Debian/GNU)
-
- # Restrictions
- smtpd_helo_required = yes
- strict_rfc821_envelopes = yes
- smtpd_authorized_xclient_hosts = 127.0.0.1
- # NOTE: utile pour tester les restrictions
-
- smtpd_helo_restrictions =
- reject_invalid_helo_hostname
- reject_non_fqdn_helo_hostname
- #reject_unknown_helo_hostname
- # NOTE: pourrait pourtant être utile pour lutter contre le spam
- permit
-
- smtpd_sender_restrictions =
- permit_mynetworks
- permit_tls_clientcerts
- permit_sasl_authenticated
- check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
- check_sender_access hash:/etc/postfix/sender_blacklist
- reject_unauth_pipelining
- reject_non_fqdn_sender
- #reject_unknown_sender_domain
- # NOTE: temporaire
- permit
-
- smtpd_client_new_tls_session_rate_limit = 0
- smtpd_client_event_limit_exceptions = \$mynetworks
- smtpd_client_recipient_rate_limit = 0
- smtpd_client_connection_count_limit = 50
- smtpd_client_connection_rate_limit = 0
- smtpd_client_message_rate_limit = 0
- smtpd_client_port_logging = no
-
- smtpd_client_restrictions =
- check_client_access hash:/etc/postfix/client_blacklist
-
- policy_time_limit = 3600
- default_extra_recipient_limit = 5000
- duplicate_filter_limit = 5000
- smtpd_recipient_limit = 5000
- smtpd_recipient_overshoot_limit = 5000
- smtpd_recipient_restrictions =
- reject_non_fqdn_recipient
- #reject_invalid_hostname
- # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
- # dans smtpd_helo_restrictions
- reject_unknown_recipient_domain
- #reject_non_fqdn_sender
- # NOTE: dans smtpd_sender_restrictions
- reject_unauth_pipelining
- # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
- permit_mynetworks
- permit_tls_clientcerts
- permit_sasl_authenticated
- reject_unauth_destination
- # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
- # ou quelqu'un pour lequel on tient lieu de backup_mx
- check_policy_service inet:127.0.0.1:10023
- # NOTE: Postgrey (greylisting)
- check_policy_service unix:private/spfcheck
- permit_auth_destination
- # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
- # (voir permit_auth_destination) ; sans doute redondant
- reject
- #check_relay_domains <- removed from postfix
- #reject_unknown_sender_domain
- # aurait probablement été mieux dans smtpd_sender_restrictions
- #reject_rbl_client bl.spamcop.net
- #reject_rbl_client list.dsbl.org
- #reject_rbl_client zen.spamhaus.org
- #reject_rbl_client dnsbl.sorbs.net
-
- smtpd_data_restrictions =
- reject_unauth_pipelining
- # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
- permit
-
- #smtpd_end_of_data_restrictions =
-
- #smtpd_restriction_classes =
-
- smtpd_error_sleep_time = 5
- # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.
-
- # SASL
- smtpd_sasl_auth_enable = yes
- smtpd_sasl_type = dovecot
- smtpd_sasl_path = private/auth
- smtpd_sasl_security_options = noanonymous
- smtpd_sasl_domain = \$mydomain
-
- # SMTPD TLS
- smtpd_discard_ehlo_keywords = starttls
- # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
- # se mangent une erreur en tentant un starttls
- smtpd_tls_fingerprint_digest = sha1
- # sha512 ?
- smtpd_tls_mandatory_protocols = TLSv1
- smtpd_tls_mandatory_ciphers = high
- smtpd_tls_ciphers = high
- # restrictif. s/high/medium/ ?
- smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
- smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
- smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
- smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
- ##
- #smtpd_tls_received_header = no
- smtpd_tls_session_cache_database =
- btree:/var/lib/postfix/smtpd_tls_session_cache
- #smtpd_tls_session_cache_timeout = 3600s
- smtpd_tls_security_level = may
- # Postfix 2.3 and later
- # encrypt
- # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
- # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
- # SMTP server. Instead, this option should be used only on dedicated servers.
- smtpd_tls_loglevel = 1
- smtpd_tls_ccert_verifydepth = 5
- smtpd_tls_auth_only = yes
- # Pas d'AUTH SASL sans TLS
- smtpd_tls_ask_ccert = no
- smtpd_tls_req_ccert = no
- #smtpd_tls_always_issue_session_ids = yes
- smtpd_peername_lookup = yes
- # Nécessaire pour postgrey, etc
- smtpd_milters =
- non_smtpd_milters =
- line_length_limit = 2048
- queue_minfree = 0
- message_size_limit = 20480000
- #smtpd_enforce_tls # NOTE: obsolète
- #smtpd_use_tls # NOTE: obsolète
- #smtpd_tls_cipherlist # NOTE: obsolète
-
- readme_directory = no
- #delay_warning_time = 4h
- # NOTE: uncomment the previous line to generate "delayed mail" warnings
- #debug_peer_level = 4
- #debug_peer_list = .\$myhostname
- EOF
- mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
- auth_ssl_username_from_cert = yes
- listen = *
- log_timestamp = "%Y-%m-%d %H:%M:%S "
- mail_debug = yes
- mail_location = maildir:~/var/mail
- mail_privileged_group = mail
- passdb {
- args = /home/%u/etc/dovecot/passwd
- driver = passwd-file
- }
- protocols = imap
- service auth {
- unix_listener /var/spool/postfix/private/auth {
- group = postfix
- mode = 0660
- user = postfix
- }
- user = root
- }
- ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
- ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
- ssl_cipher_list = AES256-SHA
- ssl_key = </etc/dovecot/imap/tls/key.pem
- ssl_verify_client_cert = yes
- userdb {
- driver = passwd
- }
- verbose_ssl = yes
- protocol lda {
- auth_socket_path = /var/run/dovecot/auth-master
- hostname = $vm_domainname
- info_log_path = /var/log/dovecot/lda/info.log
- log_path = /var/log/dovecot/lda/error.log
- mail_plugins = sieve
- postmaster_address = contact+dovecot+lda@$vm_domainname
- }
- EOF
- mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
- EOF
- }
-rule_mail_configure () {
- sudo apt-get install postfix postgrey dovecot
- }
-
rule=${1:-help}
${1+shift}
case $rule in