tool=${0%/*}
. "$tool"/env.sh
+. "$tool"/inc.sh
rule_help () {
cat >&2 <<-EOF
Voir \`$tool/ateliers_hosted' pour les utilitaires côté VM hébergée.
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
- $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$0")
+ $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/env.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/env.sh "$0")
EOF
}
-readonly vm_dev_disk="/dev/xvda"
+readonly vm_dev_disk=/dev/mapper/domU-$(printf %s "$vm_fqdn-disk" | sed -e 's/-/--/g')
readonly vm_dev_disk_boot="${vm_dev_disk}1"
rule_xen_config_init () {
}
rule_disk_mount () { # DESCRIPTION: montage du disque de la VM depuis l'hôte
- sudo xm block-attach 0 phy:/dev/domU/$vm_fqdn-disk $vm_dev_disk w
- # NOTE: on pourrait utiliser kpartx à la place je pense ; détail.
+ sudo kpartx -a -v /dev/domU/$vm_fqdn-disk
+ #sudo xm block-attach 0 phy:/dev/domU/$vm_fqdn-disk $vm_dev_disk w
}
rule_disk_umount () { # DESCRIPTION: démontage du disque de la VM depuis l'hôte
rule_part_boot_umount
;;
(*) exit 1;;
esac
- sudo xm block-detach 0 $vm_dev_disk
+ sudo kpartx -d -v /dev/domU/$vm_fqdn-disk
+ #sudo xm block-detach 0 $vm_dev_disk
+ # XXX: DANGEREUX ; si jamais il bloque parce que le disque était encore utilisé :
+ # utiliser xm block-detach 0 $vm_dev_disk --force ;
+ # ôter les éventuels mappages LVM concernés avec dmsetup table et dmsetup remove --force ;
+ # ôter les mappages concernés dans /etc/lvm/cache/.cache,
+ # et pour bien trouver tous les mappages :
+ # % sudo find /dev -type l -exec sh -c 'printf "%s -> " "$@"; readlink "$@"' - {} \; | grep $vm_dev_disk
+ # enfin, ôter l'éventuel verrou dans /var/lock/lvm/
}
case $vm_use_lvm in
-(no)
+ (no)
readonly vm_dev_disk_swap="${vm_dev_disk}5"
readonly vm_dev_disk_root="${vm_dev_disk}6"
readonly vm_dev_disk_var="${vm_dev_disk}7"
readonly vm_dev_disk_home="${vm_dev_disk}8"
;;
-(yes)
+ (yes)
readonly vm_lvm_pv="${vm_dev_disk}2"
- readonly vm_lvm_vg=$vm
- readonly vm_lvm_dev=$(printf %s $vm_lvm_vg | sed -e 's/-/--/g')
- readonly vm_lvm_lv=$vm
- readonly vm_dev_disk_swap=/dev/mapper/$vm_lvm_dev-${vm_lvm_lv}_swap
- readonly vm_dev_disk_root=/dev/mapper/$vm_lvm_dev-${vm_lvm_lv}_root
- readonly vm_dev_disk_var=/dev/mapper/$vm_lvm_dev-${vm_lvm_lv}_var
- readonly vm_dev_disk_home=/dev/mapper/$vm_lvm_dev-${vm_lvm_lv}home
+ readonly vm_dev_disk_swap=/dev/$vm_lvm_vg/${vm_lvm_lv}_swap
+ readonly vm_dev_disk_root=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
+ readonly vm_dev_disk_var=/dev/$vm_lvm_vg/${vm_lvm_lv}_var
+ readonly vm_dev_disk_home=/dev/$vm_lvm_vg/${vm_lvm_lv}_home
;;
-(*)
+ (*)
exit 1;;
esac
;;
(*) exit 1;;
esac
- sudo partprobe $vm_dev_disk
+ #sudo partprobe $vm_dev_disk
+ sudo kpartx -u -v /dev/domU/$vm_fqdn-disk
}
rule_part_lvm_format () {
local part=$1
eval "local dev=\$vm_dev_disk_$part"
test ! -e /dev/mapper/${vm}_root_deciphered ||
- sudo /lib/cryptsetup/scripts/decrypt_derived ${vm}_root_deciphered |
- sudo cryptsetup luksFormat --hash=sha512 --key-size=512 \
- --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 $dev
+ sudo /bin/sh -c "/lib/cryptsetup/scripts/decrypt_derived ${vm}_root_deciphered |
+ cryptsetup luksFormat --hash=sha512 --key-size=512 \
+ --cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 $dev"
}
rule__part_encrypted_mount () { # SYNTAX: $part
local part=$1
eval "local dev=\$vm_dev_disk_$part"
- test ! -e /dev/mapper/${vm}_root_deciphered ||
- sudo /lib/cryptsetup/scripts/decrypt_derived ${vm}_root_deciphered |
- sudo cryptsetup luksOpen --key-file=- $dev ${vm}_${part}_deciphered
+ test -e /dev/mapper/${vm}_${part}_deciphered ||
+ sudo /bin/sh -c "/lib/cryptsetup/scripts/decrypt_derived ${vm}_root_deciphered |
+ cryptsetup luksOpen --key-file=- $dev ${vm}_${part}_deciphered"
}
rule__part_encrypted_umount () { # SYNTAX: $part
local part=$1
--cipher=aes-xts-essiv:sha256 --key-file=- --align-payload=8 $vm_dev_disk_root
sudo cryptsetup luksOpen --key-file=- $vm_dev_disk_root ${vm}_root_deciphered
sudo mke2fs -t ext4 -c -c -m 5 -T ext4 -b $vm_e2fs_block_size \
- -E resize=15G${vm_e2fs_extended_options} \
+ -E resize=30G${vm_e2fs_extended_options} \
-L ${vm}_root \
/dev/mapper/${vm}_root_deciphered
! mountpoint -q /mnt/$vm_fqdn
mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/proc
mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/sys
mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/var
+ mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/root
+ mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/root/tool
+ mk_dir mod=0770 own=root:root /mnt/$vm_fqdn/root/tool/ateliers
sudo umount -v /mnt/$vm_fqdn
+ sudo cryptsetup luksClose ${vm}_root_deciphered
fi
}
rule_part_root_mount () {
test -e /dev/mapper/${vm}_root_deciphered ||
sudo cryptsetup luksOpen $vm_dev_disk_root ${vm}_root_deciphered
- ! mountpoint -q /mnt/$vm_fqdn ||
- sudo mount -v /dev/mapper/${vm}_root_deciphered /mnt/$vm_fqdn
+ mountpoint -q /mnt/$vm_fqdn ||
+ sudo mount -v -t ext4 /dev/mapper/${vm}_root_deciphered /mnt/$vm_fqdn
}
rule_part_root_umount () {
! mountpoint -q /mnt/$vm_fqdn ||
! test -e /dev/mapper/${vm}_root_deciphered ||
sudo cryptsetup luksClose ${vm}_root_deciphered
}
+rule_part_root_backup_luks () {
+ sudo cryptsetup luksHeaderBackup $vm_dev_disk_root --header-backup-file ./root.luks
+ }
rule_part_swap_format () {
rule__part_encrypted_format swap
rule__part_encrypted_mount swap
rule_part_boot_mount () {
mountpoint -q /mnt/$vm_fqdn
test -d /mnt/$vm_fqdn/boot
- mountpoint -q /mnt/$vm_fqdn/boot ||
- sudo mount -v $vm_dev_disk_boot /mnt/$vm_fqdn/boot
+ mountpoint -q /mnt/$vm_fqdn/boot ||
+ sudo mount -v -t ext2 $vm_dev_disk_boot /mnt/$vm_fqdn/boot
}
rule_part_boot_umount () {
! mountpoint -q /mnt/$vm_fqdn/boot ||
rule_part_var_mount () {
rule__part_encrypted_mount var
mountpoint -q /mnt/$vm_fqdn/var ||
- sudo mount -v /dev/mapper/${vm}_var_deciphered /mnt/$vm_fqdn/var
+ sudo mount -v -t ext4 /dev/mapper/${vm}_var_deciphered /mnt/$vm_fqdn/var
}
rule_part_var_umount () {
! mountpoint -q /mnt/$vm_fqdn/var ||
rule__part_encrypted_mount home
sudo mke2fs -t ext4 -c -c -m 0 -T ext4 -b $vm_e2fs_block_size \
-E resize=400G${vm_e2fs_extended_options} \
- -O quota \
-L ${vm}_home \
/dev/mapper/${vm}_home_deciphered
+ # NOTE: -O quota pas supporté par e2fsprogs/squeeze
rule__part_encrypted_umount home
}
rule_part_home_mount () {
rule__part_encrypted_mount home
mountpoint -q /mnt/$vm_fqdn/home ||
- sudo mount -v /dev/mapper/${vm}_home_deciphered /mnt/$vm_fqdn/home
+ sudo mount -v -t ext4 /dev/mapper/${vm}_home_deciphered /mnt/$vm_fqdn/home
}
rule_part_home_umount () {
! mountpoint -q /mnt/$vm_fqdn/home ||
}
rule_debian_install () {
+ rule_part_root_mount
+ rule_part_boot_mount
+ rule_part_var_mount
sudo DEBOOTSTRAP_DIR=/usr/share/debootstrap/ debootstrap \
--arch=$vm_arch --verbose --keyring=/usr/share/keyrings/debian-archive-keyring.gpg \
--exclude=vim-tiny \
http://ftp.fr.debian.org/debian/
}
rule_chroot () {
- rule_part_boot_mount
rule_part_root_mount
+ rule_part_boot_mount
rule_part_var_mount
#rule_part_home_mount
mountpoint -q /mnt/$vm_fqdn/proc ||
- mount -t proc proc /mnt/$vm_fqdn/proc
+ sudo mount -t proc proc /mnt/$vm_fqdn/proc
mountpoint -q /mnt/$vm_fqdn/sys ||
- mount -t sysfs sys /mnt/$vm_fqdn/sys
+ sudo mount -t sysfs sys /mnt/$vm_fqdn/sys
mountpoint -q /mnt/$vm_fqdn/dev ||
- mount --bind /dev /mnt/$vm_fqdn/dev
- sudo chroot /mnt/$vm_fqdn /bin/bash || true
+ sudo mount --bind /dev /mnt/$vm_fqdn/dev
+ mountpoint -q /mnt/$vm_fqdn/root/tool/ateliers ||
+ sudo mount --bind "$tool" /mnt/$vm_fqdn/root/tool/ateliers
+ sudo chroot /mnt/$vm_fqdn /bin/dash || true
rule__chroot_clean
}
rule__chroot_clean () {
- umount -v /mnt/$vm_fqdn/dev
- umount -v /mnt/$vm_fqdn/sys
- umount -v /mnt/$vm_fqdn/proc
- #rule_part_home_umount
+ ! sudo mountpoint -q /mnt/$vm_fqdn/root/tool/ateliers ||
+ sudo umount -v /mnt/$vm_fqdn/root/tool/ateliers
+ ! mountpoint -q /mnt/$vm_fqdn/dev ||
+ sudo umount -v /mnt/$vm_fqdn/dev
+ ! mountpoint -q /mnt/$vm_fqdn/sys ||
+ sudo umount -v /mnt/$vm_fqdn/sys
+ ! mountpoint -q /mnt/$vm_fqdn/proc ||
+ sudo umount -v /mnt/$vm_fqdn/proc
+ rule_part_home_umount
rule_part_var_umount
- rule_part_root_umount
rule_part_boot_umount
+ rule_part_root_umount
}
rule=${1:-help}
Voir \`$tool/ateliers_host' pour les utilitaires côté machine hôte.
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
- $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$0")
+ $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/env.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/env.sh "$0")
vm.vfs_cache_pressure=50
EOF
}
-rule_filesystem_unmount () {
- }
rule_shell_source () {
. /etc/profile
}
EOF
grep -q " $vm\$" /etc/hosts ||
mk_reg mod= own= --append /etc/hosts <<-EOF
- 127.0.0.1 $vm.local $vm
+ 127.0.0.1 $vm_fqdn $vm
EOF
mk_reg mod= own= /etc/network/interfaces <<-EOF
auto lo
mk_reg mod= own= /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm}_root_deciphered LABEL=${vm}_root ${vm}_root luks
- ${vm}_var_deciphered LABEL=${vm}_var ${vm}_root_deciphered luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
- ${vm}_swap_deciphered LABEL=${vm}_swap ${vm}_root_deciphered luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
- ${vm}_home_deciphered LABEL=${vm}_home ${vm}_root_deciphered luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
+ ${vm}_var_deciphered LABEL=${vm}_var ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
+ ${vm}_swap_deciphered LABEL=${vm}_swap ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
+ ${vm}_home_deciphered LABEL=${vm}_home ${vm}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
mk_reg mod= own= /etc/initramfs-tools/modules <<-EOF
#loop
! id "$admin" || adduser "$admin"
eval home="~$admin"
adduser "$admin" sudo
- mk_dir mod=0750 own="$admin:$admin" "$home"/etc
- mk_dir mod=0700 own="$admin:$admin" "$home"/etc/ssh
mk_reg mod=0400 own="$admin:$admin" "$home"/etc/ssh/authorized_keys <"$tool"/key/"$admin".ssh.pub
}
-rule_users_init () {
+rule_user_mail_format () {
+ mk_dir mod=0770 own=root:adm /etc/skel/etc/procmail
+ mk_dir mod=0770 own=root:adm /etc/skel/var/mail
+ mk_dir mod=0770 own=root:adm /etc/skel/var/cache/procmail
+ mk_reg mod=0660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
+ # vim: ft=procmail
+
+ # NOTE: paramètres passés par postfix
+ SENDER=\$1
+ RECIPIENT=\$2
+ USER=\$3
+ EXTENSION=\$4
+ DOMAIN=\$5
+ ORIGINAL_RECIPIENT=\$6
+
+ PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
+ MAILDIR="\$HOME/var/mail/"
+ DEFAULT="\$MAILDIR"
+ #LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
+ LOGFILE="/dev/null"
+ LOGABSTRACT=all
+ LOGABSTRACT
+ VERBOSE
+ SHELL=/bin/sh
+ SHELLMETAS=&|<>~;?*%{}
+
+ # DESCRIPTION: supprime les doublons en fonction du champ Message-Id
+ #:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
+ #| formail -D 8192 "\$HOME/var/cache/procmail/msgid"
+
+ # DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
+ EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
+ # NOTE: récupère l’adresse courriel dans le champ GECOS
+ FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
+ # NOTE: récupère l’expéditeur inscrit sur l’enveloppe
+ :0
+ | \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"
+
+ # DESCRIPTION: IMAP
+ #:0
+ #| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"
+
+ # DESCRIPTION: UUCP
+ #:0
+ #| /usr/bin/uux \
+ # -I "\$HOME/etc/uucp/uucp.cfg" \
+ # --nouucico \
+ # --notification=error \
+ # --requestor "\$USER" \
+ # - "\$USER!rmail" "(\$USER)"
+ EOF
+ mk_reg mod=0664 own=root:root /etc/postfix/main.cf <<-EOF
+ # /etc/postfix/main.cf
+ # SEE: http://postfix.traduc.org/index.php/TLS_README.html
+
+ parent_domain_matches_subdomains =
+ #debug_peer_list
+ #fast_flush_domains
+ #mynetworks
+ #permit_mx_backup_networks
+ #qmqpd_authorized_clients
+ #smtpd_access_maps
+ mydomain = $vm_domainname
+ myorigin = \$mydomain
+ myhostname = $vm_hostname.\$mydomain
+ mail_name = \$myhostname
+ mydestination =
+ $vm_hostname
+ \$myhostname
+ \$myorigin
+ mynetworks =
+ 127.0.0.0/8
+ #[::1]/128
+ inet_protocols = ipv4
+ # "all" to activate IPv6
+ inet_interfaces = all
+ permit_mx_backup_networks =
+
+ alias_database =
+ hash:/etc/aliases
+ # NOTE: fichier de hash contenant une table d’alias mail.
+ # Celle-ci est éditable dans /etc/aliases, puis (indispensable)
+ # regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
+ alias_maps =
+ hash:/etc/aliases
+ recipient_delimiter = +
+ # NOTE: séparateur entre le nom d’utilisateur
+ # et les extensions d’adresse (par défaut le signe +).
+ #virtual_alias_domains =
+ virtual_alias_maps =
+ hash:/etc/postfix/\$mydomain/virtual
+ # NOTE: do not specify virtual alias domain names in the main.cf
+ # mydestination or relay_domains configuration parameters.
+ #
+ # With a virtual alias domain, the Postfix SMTP server
+ # accepts mail for known-user@virtual-alias.domain, and
+ # rejects mail for unknown-user@virtual-alias.domain as
+ # undeliverable.
+ #relayhost =
+ relay_clientcerts =
+ hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
+ relay_domains =
+ \$mydestination
+ # NOTE: ajouter les domaines pour lesquels on est backup MX ici,
+ # pas dans mydestination ou virtual_alias...
+
+ maximal_queue_lifetime = 5d
+
+ header_checks =
+ regexp:/etc/postfix/\$mydomain/header_checks
+ mime_header_checks =
+ nested_header_checks =
+ milter_header_checks =
+ body_checks =
+
+ #content_filter = amavisfeed:[127.0.0.1]:10024
+ #receive_override_options = no_address_mappings
+ # no_unknown_recipient_checks
+ # Do not try to reject unknown recipients (SMTP server only).
+ # This is typically specified AFTER an external content filter.
+ # no_address_mappings
+ # Disable canonical address mapping, virtual alias map expansion,
+ # address masquerading, and automatic BCC (blind carbon-copy) recipients.
+ # This is typically specified BEFORE an external content filter (eg. amavis).
+ # no_header_body_checks
+ # Disable header/body_checks. This is typically specified AFTER an external content filter.
+ # no_milters
+ # Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
+ #local_header_rewrite_clients =
+ transport_maps =
+ hash:/etc/postfix/\$mydomain/transport_maps
+ mailbox_command =
+ /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
+ mailbox_size_limit = 0
+ biff = no
+ # Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
+ append_dot_mydomain = no
+ # appending .domain is the MUA's job.
+
+ #tls_random_source =
+ # dev:/dev/urandom
+ # Non-blocking
+ #tls_random_reseed_period = 3600s
+ #tls_random_exchange_name =
+ # \${data_directory}/prng_exch
+ # NOTE: à ne pas mettre dans la cage chroot
+ #tls_random_bytes = 32
+ #tls_random_prng_update_period = 3600s
+ #tls_high_cipherlist = AES256-SHA
+ # NOTE: postconf(5) déconseille de changer ceci
+
+ #smtp_cname_overrides_servername = no
+ smtp_connect_timeout = 60s
+ #smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
+ #smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
+ #smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
+ #smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
+ #smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
+ # NOTE: déprécié en faveur de smtp_tls_policy_maps
+ smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
+ smtp_tls_fingerprint_digest = sha1
+ smtp_tls_scert_verifydepth = 5
+ #smtp_tls_secure_cert_match = nexthop, dot-nexthop
+ #smtp_tls_verify_cert_match = hostname
+ #smtp_tls_note_starttls_offer = yes
+ smtp_tls_loglevel = 1
+ smtp_tls_protocols = !SSLv2, !SSLv3
+ # Only allow TLSv*
+ smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
+ #smtp_tls_session_cache_timeout = 3600s
+ smtp_tls_security_level = may
+ smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
+ smtp_body_checks =
+ smtp_mime_header_checks =
+ smtp_nested_header_checks =
+
+ smtpd_starttls_timeout = 300s
+ smtpd_banner =
+ \$myhostname ESMTP \$mail_name (Debian/GNU)
+
+ # Restrictions
+ smtpd_helo_required = yes
+ strict_rfc821_envelopes = yes
+ smtpd_authorized_xclient_hosts = 127.0.0.1
+ # NOTE: utile pour tester les restrictions
+
+ smtpd_helo_restrictions =
+ reject_invalid_helo_hostname
+ reject_non_fqdn_helo_hostname
+ #reject_unknown_helo_hostname
+ # NOTE: pourrait pourtant être utile pour lutter contre le spam
+ permit
+
+ smtpd_sender_restrictions =
+ permit_mynetworks
+ permit_tls_clientcerts
+ permit_sasl_authenticated
+ check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
+ check_sender_access hash:/etc/postfix/sender_blacklist
+ reject_unauth_pipelining
+ reject_non_fqdn_sender
+ #reject_unknown_sender_domain
+ # NOTE: temporaire
+ permit
+
+ smtpd_client_new_tls_session_rate_limit = 0
+ smtpd_client_event_limit_exceptions = \$mynetworks
+ smtpd_client_recipient_rate_limit = 0
+ smtpd_client_connection_count_limit = 50
+ smtpd_client_connection_rate_limit = 0
+ smtpd_client_message_rate_limit = 0
+ smtpd_client_port_logging = no
+
+ smtpd_client_restrictions =
+ check_client_access hash:/etc/postfix/client_blacklist
+
+ policy_time_limit = 3600
+ default_extra_recipient_limit = 5000
+ duplicate_filter_limit = 5000
+ smtpd_recipient_limit = 5000
+ smtpd_recipient_overshoot_limit = 5000
+ smtpd_recipient_restrictions =
+ reject_non_fqdn_recipient
+ #reject_invalid_hostname
+ # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
+ # dans smtpd_helo_restrictions
+ reject_unknown_recipient_domain
+ #reject_non_fqdn_sender
+ # NOTE: dans smtpd_sender_restrictions
+ reject_unauth_pipelining
+ # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
+ permit_mynetworks
+ permit_tls_clientcerts
+ permit_sasl_authenticated
+ reject_unauth_destination
+ # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
+ # ou quelqu'un pour lequel on tient lieu de backup_mx
+ check_policy_service inet:127.0.0.1:10023
+ # NOTE: Postgrey (greylisting)
+ check_policy_service unix:private/spfcheck
+ permit_auth_destination
+ # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
+ # (voir permit_auth_destination) ; sans doute redondant
+ reject
+ #check_relay_domains <- removed from postfix
+ #reject_unknown_sender_domain
+ # aurait probablement été mieux dans smtpd_sender_restrictions
+ #reject_rbl_client bl.spamcop.net
+ #reject_rbl_client list.dsbl.org
+ #reject_rbl_client zen.spamhaus.org
+ #reject_rbl_client dnsbl.sorbs.net
+
+ smtpd_data_restrictions =
+ reject_unauth_pipelining
+ # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
+ permit
+
+ #smtpd_end_of_data_restrictions =
+
+ #smtpd_restriction_classes =
+
+ smtpd_error_sleep_time = 5
+ # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.
+
+ # SASL
+ smtpd_sasl_auth_enable = yes
+ smtpd_sasl_type = dovecot
+ smtpd_sasl_path = private/auth
+ smtpd_sasl_security_options = noanonymous
+ smtpd_sasl_domain = \$mydomain
+
+ # SMTPD TLS
+ smtpd_discard_ehlo_keywords = starttls
+ # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
+ # se mangent une erreur en tentant un starttls
+ smtpd_tls_fingerprint_digest = sha1
+ # sha512 ?
+ smtpd_tls_mandatory_protocols = TLSv1
+ smtpd_tls_mandatory_ciphers = high
+ smtpd_tls_ciphers = high
+ # restrictif. s/high/medium/ ?
+ smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
+ smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
+ smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
+ smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
+ ##
+ #smtpd_tls_received_header = no
+ smtpd_tls_session_cache_database =
+ btree:/var/lib/postfix/smtpd_tls_session_cache
+ #smtpd_tls_session_cache_timeout = 3600s
+ smtpd_tls_security_level = may
+ # Postfix 2.3 and later
+ # encrypt
+ # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
+ # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
+ # SMTP server. Instead, this option should be used only on dedicated servers.
+ smtpd_tls_loglevel = 1
+ smtpd_tls_ccert_verifydepth = 5
+ smtpd_tls_auth_only = yes
+ # Pas d'AUTH SASL sans TLS
+ smtpd_tls_ask_ccert = no
+ smtpd_tls_req_ccert = no
+ #smtpd_tls_always_issue_session_ids = yes
+ smtpd_peername_lookup = yes
+ # Nécessaire pour postgrey, etc
+ smtpd_milters =
+ non_smtpd_milters =
+ line_length_limit = 2048
+ queue_minfree = 0
+ message_size_limit = 20480000
+ #smtpd_enforce_tls # NOTE: obsolète
+ #smtpd_use_tls # NOTE: obsolète
+ #smtpd_tls_cipherlist # NOTE: obsolète
+
+ readme_directory = no
+ #delay_warning_time = 4h
+ # NOTE: uncomment the previous line to generate "delayed mail" warnings
+ #debug_peer_level = 4
+ #debug_peer_list = .\$myhostname
+ EOF
+ mk_reg mod=0664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
+ auth_ssl_username_from_cert = yes
+ listen = *
+ log_timestamp = "%Y-%m-%d %H:%M:%S "
+ mail_debug = yes
+ mail_location = maildir:~/var/mail
+ mail_privileged_group = mail
+ passdb {
+ args = /home/%u/etc/dovecot/passwd
+ driver = passwd-file
+ }
+ protocols = imap
+ service auth {
+ unix_listener /var/spool/postfix/private/auth {
+ group = postfix
+ mode = 0660
+ user = postfix
+ }
+ user = root
+ }
+ ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
+ ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
+ ssl_cipher_list = AES256-SHA
+ ssl_key = </etc/dovecot/imap/tls/key.pem
+ ssl_verify_client_cert = yes
+ userdb {
+ driver = passwd
+ }
+ verbose_ssl = yes
+ protocol lda {
+ auth_socket_path = /var/run/dovecot/auth-master
+ hostname = $vm_domainname
+ info_log_path = /var/log/dovecot/lda/info.log
+ log_path = /var/log/dovecot/lda/error.log
+ mail_plugins = sieve
+ postmaster_address = contact+dovecot+lda@$vm_domainname
+ }
+ EOF
+ mk_reg mod=0664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
+
+ EOF
+ }
+rule_mail_install () {
+ sudo apt-get install postfix postgrey dovecot
+ }
+rule_user_format () {
+ mk_dir mod=0750 own="root:adm" /etc/skel/etc
+ mk_dir mod=0770 own="root:adm" /etc/skel/etc/apache2
+ mk_dir mod=0770 own="root:adm" /etc/skel/etc/ssh
+ mk_dir mod=0700 own="root:adm" /etc/skel/var
+ mk_dir mod=0700 own="root:adm" /etc/skel/var/log
+ mk_dir mod=0700 own="root:adm" /etc/skel/var/cache
+ mk_dir mod=0700 own="root:adm" /etc/skel/var/cache/ssh
+ mk_dir mod=0700 own="root:adm" /etc/skel/tmp
+ mk_dir mod=0700 own="root:adm" /etc/skel/tmp
mk_reg mod=0664 own=root:root /etc/ssh/sshd_config <<-EOF
ListenAddress $vm_ipv4
#ListenAddress ::
mk_reg mod=0440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
+ mk_reg mod=0440 own=root:root /etc/sudoers.d/env_keep <<-EOF
+ Defaults env_keep = " \
+ EDITOR \
+ GIT_AUTHOR_NAME \
+ GIT_AUTHOR_EMAIL \
+ GIT_COMMITTER_NAME \
+ GIT_COMMITTER_EMAIL \
+ "
+ EOF
mk_reg mod=0555 own=root:root /usr/local/sbin/passwd-init <<-EOF
#!/bin/sh
sudo /bin/sh -e -f -u -c \