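#!/bin/sh
# vm_hosted: utilities run *inside* the hosted VM (rule_help lists the rules;
# the sibling script vm_host covers the hypervisor side).
# DRY_RUN=1 adds `-n`: the file is only parsed, nothing below runs, not even
# the sourcing of functions.sh / vm.sh.
set -e -f ${DRY_RUN:+-n} -u
# Directory holding this script and its helpers (functions.sh, vm.sh, key/).
# NOTE(review): this is a plain ${0%/*}; when the script is invoked through
# the /usr/local/sbin symlink made by rule__bin_init, $0 points at
# /usr/local/sbin, so functions.sh and vm.sh must be reachable from there too
# (or $0 resolved with readlink -f first) — confirm on the target.
tool=${0%/*}
. "$tool"/functions.sh
. "$tool"/vm.sh
# Refuse to run on any machine other than the VM described by vm.sh: the
# rules below rewrite /etc wholesale, so a wrong host would be clobbered.
# Say why instead of failing silently through set -e.
test "$(hostname --fqdn)" = "$vm_fqdn" || {
	printf '%s: refusing to run: hostname --fqdn is not %s\n' "$0" "$vm_fqdn" >&2
	exit 1
}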
7
# Print the usage text on stderr. The RULES and ENVIRONMENT sections are
# scraped from the source of vm.sh and of this very file: every
# `rule_<name> () {` line and every `readonly <VAR>=...` line, keeping the
# trailing `# comment` as the description. Internal steps named rule__*
# are left out by the [^_] in the first sed pattern.
rule_help () {
	cat >&2 <<-EOF
DESCRIPTION: ce script regroupe des fonctions utilitaires
pour gérer la VM _depuis_ la VM hébergée ;
il sert à la fois d'outil et de documentation.
Voir \`$tool/vm_host' pour les utilitaires côté machine hôte.
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/vm.sh "$0")
EOF
}
22
# Discard every local change in the tool's checkout: force the local master
# branch onto whatever `origin` currently points at, then delete all
# untracked and ignored files (git clean -x).
# Security note: nothing here verifies signatures on what origin serves; the
# remote, and the transport it was cloned over, are trusted as-is.
rule_git_reset () {
	( cd "$tool" &&
	  git checkout -f -B master origin &&
	  git clean -f -d -x )
}
30
# Set up a shell that was entered with chroot(8) into the VM's root: pin a
# plain C locale (the chroot may have no locales generated yet), then source
# the system profile as a login shell would.
rule_chrooted () {
	LANG=C LC_CTYPE=C
	export LANG LC_CTYPE
	. /etc/profile
}
36
# etckeeper: keep /etc in git. Daily autocommits are turned off so that every
# change to /etc is committed deliberately (rule_user_init lets %sudo run
# `etckeeper unclean` without a password); the commits around apt/dpkg runs
# stay enabled. mk_reg (functions.sh) presumably writes stdin to the path
# with the given mode and owner.
rule__etckeeper_init () {
	mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
#AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
}
# Generate a single locale (fr_FR.UTF-8) and refresh /etc/default/locale.
rule__locale_init () {
	mk_reg mod=644 own=root:root /etc/locale.gen <<-EOF
fr_FR.UTF-8 UTF-8
EOF
	sudo update-locale
}
# Hostname, /etc/hosts and a static /32 on eth0 (renamed "grenode").
# The gateway is the VM's own address: the host side answers with proxy_arp
# (see the NOTE written into the file), so no on-link subnet is needed.
# Empty mod=/own= leave the helper's defaults in place.
rule__network_init () {
	mk_reg mod= own= /etc/hostname <<-EOF
$vm
EOF
	# Append the host line only once, so the rule can be re-run.
	grep -q " $vm\$" /etc/hosts ||
	mk_reg mod= own= --append /etc/hosts <<-EOF
127.0.0.1 $vm_fqdn $vm
EOF
	mk_reg mod= own= /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
mtu 1300 # TODO: voir si c'est nécessaire à Lyon
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
# APT sources: the French Debian mirror for $vm_lsb_name plus its backports,
# and the OpenERP nightly repository. The pinning gives backports (200) a
# higher priority than the release itself (170), so a backported package
# wins whenever one exists — check that this is intended.
# NOTE(review): all three sources are plain http. apt still checks the
# Release signature, but only against keys already in its keyring, and this
# rule imports none; in particular the flat ("./") OpenERP nightly repository
# is third-party code pulled straight into the system. Confirm how it is
# meant to be verified before relying on it.
rule__apt_init () {
	mk_reg mod= own= /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
	mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
	mk_reg mod= own= /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
	mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
deb http://nightly.openerp.com/trunk/nightly/deb/ ./
EOF
}
# fstab, crypttab and swap sysctls. Layout: a plain ext2 /boot (label
# ${vm_lvm_lv}_boot) and four LUKS volumes in VG $vm_lvm_vg. Only the root
# volume takes a passphrase (key file "none"); var, home and swap are opened
# with the decrypt_derived keyscript from the already-open root mapping, so
# one passphrase unlocks everything. rule_disk_key_change therefore only
# ever touches the root volume.
# NOTE(review): /tmp is mounted nosuid,nodev, /home is not; adding
# nosuid,nodev to /home costs nothing here and closes the usual setuid trick
# on a user-writable filesystem.
rule__filesystem_init () {
	mk_reg mod=644 own=root:root /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
	mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
	# Swap only under memory pressure; keep the dentry/inode cache longer.
	mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
vm.vfs_cache_pressure=50
EOF
}
# Console, init and login policy:
#  - root may log in on the Xen consoles hvc0/xvc0 (securetty, appended once);
#  - a sysvinit inittab with a getty on hvc0 only (xvc0 stays commented);
#  - login.defs: SHA-512 password hashes, umask 007 (the owning group is
#    trusted like the owner, which is what ACL-based sharing needs — see the
#    NOTE in the file), no password expiry (PASS_MAX_DAYS 99999), sbin
#    directories in every user's PATH, 3 login retries;
#  - pam_umask appended once to common-session so the UMASK from login.defs
#    also applies to PAM sessions that do not go through login(1).
rule__login_init () {
	grep -q hvc0 /etc/securetty ||
	mk_reg mod= own= --append /etc/securetty <<-EOF
hvc0
EOF
	grep -q xvc0 /etc/securetty ||
	mk_reg mod= own= --append /etc/securetty <<-EOF
xvc0
EOF
	mk_reg mod=644 own=root:root /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
	mk_reg mod=644 own=root:root /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
UMASK 007
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	mk_reg mod= own= --append /etc/pam.d/common-session <<-EOF
session optional pam_umask.so
EOF
}
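# Build root's own environment: ~root/etc/{ssh,gpg} with ~/.ssh and ~/.gnupg
# pointing at them, an authorized_keys that is the concatenation of every
# sudo-group member's ~/etc/ssh/authorized_keys (so exactly the admins may
# log in as root, cf. PermitRootLogin in rule_user_init), and the GPG public
# keys shipped in $tool/key imported into root's keyring.
rule__user_root_init () {
	local keys
	mk_dir mod=750 own=root:root /root/etc
	mk_dir mod=750 own=root:root /root/etc/ssh
	mk_dir mod=750 own=root:root /root/etc/gpg
	mk_lnk etc/gpg /root/.gnupg
	mk_lnk etc/ssh /root/.ssh
	# The member field of `getent group sudo` is "alice,bob,...": split it on
	# commas explicitly — a bare `IFS=, read -r user` on that line leaves the
	# whole "alice,bob" in $user, so only a single-member group ever worked
	# and adding a second admin emptied root's authorized_keys.
	# Home directories come from getent passwd rather than an eval'd `~user`,
	# so no user name is interpreted by the shell; a member without an
	# authorized_keys aborts before anything is written.
	keys=$(
		getent group sudo |
		while IFS=: read -r group x x users
		do printf '%s\n' "$users" | tr , '\n' |
			while IFS= read -r user
			do test -n "$user" || continue
				home=$(getent passwd "$user" | cut -d: -f6)
				test -n "$home" || exit 1
				cat "$home"/etc/ssh/authorized_keys || exit 1
			done || exit 1
		done
	) || return 1
	# Never install an empty key list: that would lock root out over SSH.
	if test -z "$keys"
	then printf '%s: no authorized_keys found for any member of group sudo\n' "$0" >&2
		return 1
	fi
	printf '%s\n' "$keys" |
	mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
	# Import the project's GPG public keys into root's keyring (~/.gnupg -> etc/gpg).
	sudo find "$tool"/key -type f -name '*.gpg.pub' -exec gpg --import {} \;
}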
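# Initramfs: module lists, Xen PV driver aliases, and a dropbear SSH server
# inside the initramfs (host keys, root's authorized_keys, network on eth0)
# so the LUKS root volume of rule__filesystem_init can be unlocked over SSH
# at boot; the host is known to the admins as init.$vm_fqdn. Ends with
# update-initramfs -u.
rule__initramfs_init () {
	local keys
	mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
	mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
	# Crypto modules needed to open the LUKS volumes.
	mk_reg mod=644 own=root:root /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
	mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF
EOF
	# Work around a bug: dropbear must wait until the network is configured
	# (drop the `&` that backgrounds configure_networking).
	# NOTE(review): this patches a file owned by the initramfs-tools package,
	# so a package upgrade can silently undo it; re-run this rule afterwards.
	sudo sed -e '/^configure_networking /s/ &$//' \
		-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# Drop the host keys the Debian package generated. The ones below are
	# (re)generated only when $tool/key/ssh.known_hosts has no entry of that
	# type for init.$vm_fqdn, so a key the admins already know is never
	# replaced behind their back.
	sudo rm -f \
		/etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
		/etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
	#mk_reg mod=640 own=root:root </dev/null \
	#	/etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
	#	/etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub
	# NOTE(review): the `*" RSA"` / `*" DSA"` matches rely on the
	# "# Host ... found: line N type RSA" header that ssh-keygen -F prints
	# on this system; if the target's ssh-keygen prints it differently, no
	# entry is ever recognised and the keys are regenerated on every run.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/key/ssh.known_hosts |
	( while IFS= read -r line
	  do case $line in (*" RSA") return 0; break;; esac
	  done; return 1 ) ||
	sudo dropbearkey -t rsa -s 4096 -f \
		/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	# NOTE(review): 1024-bit DSA (fixed size, SHA-1 signatures) is deprecated
	# and refused by recent SSH clients; keep it only while a client needs it.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/key/ssh.known_hosts |
	( while IFS= read -r line
	  do case $line in (*" DSA") return 0; break;; esac
	  done; return 1 ) ||
	sudo dropbearkey -t dss -s 1024 -f \
		/etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
	# 700 rather than 640: a directory needs the x bit to be traversed.
	mk_dir mod=700 own=root:root \
		/etc/initramfs-tools/root \
		/etc/initramfs-tools/root/.ssh
	# Same admin-key aggregation as rule__user_root_init: split the
	# "alice,bob" member list on commas (a bare `IFS=, read -r user` keeps
	# it whole, so only one-member groups ever worked), resolve homes with
	# getent instead of an eval'd `~user`, and abort before writing if any
	# member lacks an authorized_keys.
	keys=$(
		getent group sudo |
		while IFS=: read -r group x x users
		do printf '%s\n' "$users" | tr , '\n' |
			while IFS= read -r user
			do test -n "$user" || continue
				home=$(getent passwd "$user" | cut -d: -f6)
				test -n "$home" || exit 1
				cat "$home"/etc/ssh/authorized_keys || exit 1
			done || exit 1
		done
	) || return 1
	# An empty list would leave the initramfs unreachable over SSH.
	if test -z "$keys"
	then printf '%s: no authorized_keys found for any member of group sudo\n' "$0" >&2
		return 1
	fi
	printf '%s\n' "$keys" |
	mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
	# Remove the client key pair the Debian package generated for root in
	# the initramfs; it is not needed for inbound logins.
	sudo rm -f \
		/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
		/etc/initramfs-tools/root/.ssh/id_rsa.pub \
		/etc/initramfs-tools/root/.ssh/id_rsa
	sudo update-initramfs -u
}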
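# Boot loader and kernel: reinstall grub-pc and the kernel image, write
# /etc/default/grub (serial console on hvc0, static ip= for the initramfs
# network, resume from the encrypted swap) and a device.map that maps hd0 to
# the domU disk, then regenerate grub.cfg and the initramfs.
rule__boot_init () {
	sudo apt-get install --reinstall grub-pc # XXX: interactive — install GRUB on NONE of the disks it offers!
	# 755 rather than 644: a directory needs the x bit to be traversed.
	mk_dir mod=755 own=root:root /boot/grub
	sudo apt-get install --reinstall linux-image-$vm_arch
	# resume= must name the crypttab target of the swap volume, which
	# rule__filesystem_init calls ${vm_lvm_lv}_swap_deciphered (the former
	# ${vm}_swap_deciphered only worked when vm_lvm_lv equals vm).
	# NOTE(review): the ip= netmask is 255.255.255.254 whereas
	# /etc/network/interfaces uses a /32 — confirm the initramfs needs the /31.
	mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm_lvm_lv}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
	# device-mapper escapes '-' in VG/LV names as '--'.
	mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
EOF
	sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
	rule__initramfs_init
}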
# Expose this script system-wide as /usr/local/sbin/vm_hosted — a symlink, so
# it keeps tracking the git checkout in $tool.
rule__bin_init () {
	local self=$tool/vm_hosted
	mk_lnk "$self" /usr/local/sbin/
}
# Run every rule__*_init step, in dependency order, to turn a freshly
# installed system into this VM. Under set -e the first failing step stops
# the sequence. rule__boot_init itself ends with rule__initramfs_init.
rule_init () {
	local step
	for step in etckeeper locale network apt filesystem login user_root boot bin
	do rule__${step}_init
	done
}
334
# Interactively replace a passphrase of the root LUKS volume. Only the root
# volume holds a passphrase: var, home and swap are opened through
# decrypt_derived from the root mapping (rule__filesystem_init), and
# luksChangeKey rewrites a key slot, not the volume master key those derive
# from, so they need no change.
rule_disk_key_change () {
	local dev=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
	sudo cryptsetup luksChangeKey "$dev"
}
338
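# Per-user layout and the SSH/sudo policy for human accounts:
#  - /etc/skel with etc/{apache2,ssh}, var/{log,cache/ssh}, tmp and the
#    ~/.ssh and ~/.gnupg symlinks into ~/etc;
#  - an RSA-only sshd host key (DSA/ECDSA removed) and a key-only sshd_config
#    whose authorized_keys lives in ~/etc/ssh;
#  - sudo rules letting an admin created with a locked password
#    (rule_user_admin_add) set it through /usr/local/sbin/passwd-init.
rule_user_init () {
	mk_dir mod=750 own="root:adm" /etc/skel/etc
	mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
	mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/var
	mk_dir mod=700 own="root:adm" /etc/skel/var/log
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/tmp
	# ~/.ssh and ~/.gnupg are relative links into ~/etc, where the rest of
	# this tool looks for them (AuthorizedKeysFile below).
	# NOTE(review): etc/gpg itself is not created in /etc/skel here.
	mk_lnk etc/ssh /etc/skel/.ssh
	mk_lnk etc/gpg /etc/skel/.gnupg
	# Generate the RSA host key only when $tool/key/ssh.known_hosts has no
	# RSA entry for this host, so a key the admins already know is kept.
	# NOTE(review): the `*" RSA"` match depends on the header line format
	# of ssh-keygen -F on the target; check that it actually matches there.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/key/ssh.known_hosts |
	( while IFS= read -r line
	  do case $line in (*" RSA") return 0; break;; esac
	  done; return 1 ) ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	# Remove the DSA and ECDSA host keys generated by the Debian package:
	# sshd_config below offers only the RSA key.
	sudo rm -f \
		/etc/ssh/ssh_host_dsa_key \
		/etc/ssh/ssh_host_dsa_key.pub \
		/etc/ssh/ssh_host_ecdsa_key \
		/etc/ssh/ssh_host_ecdsa_key.pub
	# Key-only logins (password and challenge-response off); root allowed,
	# with the keys gathered by rule__user_root_init. Mode 644: the old 664
	# left the file group-writable for no reason.
	# NOTE(review): `PermitRootLogin without-password` would state the
	# key-only intent for root explicitly; KeyRegenerationInterval,
	# ServerKeyBits and RSAAuthentication are Protocol 1 settings and inert
	# here; on older OpenSSH `Compression yes` enables zlib before
	# authentication, `delayed` only after it — worth checking on the target.
	mk_reg mod=644 own=root:root /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression yes
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
	sudo service ssh restart
	# sudo policy for %sudo: exactly one root-owned, argument-less wrapper
	# may run without a password ("" = no arguments accepted). The previous
	# rule spelled the whole `/bin/sh -c 'case ...'` out in sudoers with a
	# `*` in it; in sudoers command arguments `*` is a wildcard matched
	# against the concatenated argv, so any -c script ending in the expected
	# text would likely have been accepted — a password-less root shell for
	# every %sudo member, locked password or not.
	mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
%sudo ALL=(root) NOPASSWD: /usr/local/sbin/passwd-init ""
EOF
	mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
	# Only these variables survive env_reset: they let git commits made
	# through sudo (etckeeper) carry the admin's identity and editor.
	mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-EOF
Defaults env_keep = " \\
EDITOR \\
GIT_AUTHOR_NAME \\
GIT_AUTHOR_EMAIL \\
GIT_COMMITTER_NAME \\
GIT_COMMITTER_EMAIL \\
"
EOF
	# The wrapper re-executes itself through sudo, then lets the calling
	# admin set a password only while `passwd --status` reports it locked
	# ("L"). Being root-owned and 555, its body *is* the policy; sudoers
	# merely names it. Run directly by root it fails on the unset SUDO_USER.
	mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-EOF
#!/bin/sh
# Initialise the password of a %sudo member whose account was created with
# a locked password (see rule_user_admin_add). Nothing else is allowed.
set -e -f -u
test "\$(id -u)" = 0 || exec sudo -- /usr/local/sbin/passwd-init
case \$(/usr/bin/passwd --status "\$SUDO_USER") in
("\$SUDO_USER L "*) /usr/bin/passwd "\$SUDO_USER";;
esac
EOF
}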
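# Create (if needed) an admin account with a locked password, put it in
# group sudo, install its SSH public key from $tool/key/$user.ssh.pub into
# ~/etc/ssh/authorized_keys, refresh the root and initramfs authorized_keys
# lists, and import its GPG public key into root's keyring.
# $1: the user name.
rule_user_admin_add () { # SYNTAX: $user
	local user=$1 home
	# $user ends up in paths, in getent and in adduser: accept only a
	# Debian-style name (lowercase letters, digits, _ and -, not starting
	# with -) so nothing else can be interpreted downstream.
	case $user in
	("" | -* | *[!a-z0-9_-]*)
		printf '%s: invalid user name: %s\n' "$0" "$user" >&2
		return 1;;
	esac
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the password must then be initialised by the user with passwd-init.
	# Home from the passwd database rather than an eval'd `~$user`.
	home=$(getent passwd "$user" | cut -d: -f6)
	test -n "$home" || return 1
	sudo adduser "$user" sudo
	ssh_key_add user="$user" "$tool"/key/"$user".ssh.pub "$home"/etc/ssh/authorized_keys
	rule__initramfs_init
	rule__user_root_init
	sudo gpg --import "$tool"/key/"$user".gpg.pub
}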
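# Mail stack configuration (packages come from rule_mail_install):
#  - /etc/skel gets var/mail, var/cache/procmail and a procmail delivery
#    recipe that forwards every message to the address found in the user's
#    GECOS field, keeping the envelope sender;
#  - postfix main.cf: local delivery through that recipe (mailbox_command),
#    opportunistic TLS both ways, SASL via dovecot, postgrey and an SPF
#    policy service on incoming mail, relaying for TLS client certificates
#    listed in relay_clientcerts;
#  - dovecot: IMAP with mandatory client certificates, a per-user
#    passwd-file, sieve in the LDA.
# Config files are written 644 (the old 664 made them group-writable).
rule_user_mail_format () {
	mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
	mk_dir mod=770 own=root:adm /etc/skel/var/mail
	mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
	# The delimiter is quoted on purpose: this file is procmail syntax and
	# must be written literally. The former unquoted here-document treated
	# the backticks as shell command substitutions, so the sed and formail
	# commands (and the commented-out `ln -fns`) ran at install time in the
	# admin's own environment — formail blocking on stdin — and their output
	# was baked into /etc/skel; the `\`-terminated UUCP lines were joined too.
	mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-'EOF'
# vim: ft=procmail

# NOTE: paramètres passés par postfix
SENDER=$1
RECIPIENT=$2
USER=$3
EXTENSION=$4
DOMAIN=$5
ORIGINAL_RECIPIENT=$6

PATH="$HOME/bin:/usr/local/bin:/usr/bin:/bin"
MAILDIR="$HOME/var/mail/"
DEFAULT="$MAILDIR"
#LOGFILE=`cd="$HOME/var/log/procmail/" d=$(date +"%Y-%m-%d"); ln -fns "$d.log" "$cd/current.log"; printf %s "$cd/$d.log"`
LOGFILE="/dev/null"
LOGABSTRACT=all
LOGABSTRACT
VERBOSE
SHELL=/bin/sh
SHELLMETAS=&|<>~;?*%{}

# DESCRIPTION: supprime les doublons en fonction du champ Message-Id
#:0 Wh: "$HOME/var/cache/procmail/msgid$LOCKEXT"
#| formail -D 8192 "$HOME/var/cache/procmail/msgid"

# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
EMAIL=`sed /etc/passwd -ne "/^$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
# NOTE: récupère l’adresse courriel dans le champ GECOS
FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
# NOTE: récupère l’expéditeur inscrit sur l’enveloppe
:0
| $SENDMAIL -i -bm -f "$FROM_" "${EMAIL/@/${EXTENSION:++${EXTENSION}}@}"

# DESCRIPTION: IMAP
#:0
#| /usr/lib/dovecot/deliver -f "$SENDER" -a "$RECIPIENT"

# DESCRIPTION: UUCP
#:0
#| /usr/bin/uux \
# -I "$HOME/etc/uucp/uucp.cfg" \
# --nouucico \
# --notification=error \
# --requestor "$USER" \
# - "$USER!rmail" "($USER)"
EOF
	# Postfix: a value continued on following lines must start with
	# whitespace (a space here, since <<- strips tabs); check the result
	# with `postconf -n`.
	# NOTE(review): both *_tls_fingerprint_digest are sha1, used to match
	# relay_clientcerts and the smtp TLS policy — sha256 is preferable;
	# `smtpd_tls_mandatory_protocols = TLSv1` names TLS 1.0 only (the
	# `!SSLv2, !SSLv3` form used for smtp_tls_protocols also allows newer
	# versions); `smtpd_discard_ehlo_keywords = starttls` hides STARTTLS, so
	# with smtpd_tls_auth_only no client can authenticate on this smtpd
	# instance — presumably submission is configured in master.cf.
	mk_reg mod=644 own=root:root /etc/postfix/main.cf <<-EOF
# /etc/postfix/main.cf
# SEE: http://postfix.traduc.org/index.php/TLS_README.html

parent_domain_matches_subdomains =
#debug_peer_list
#fast_flush_domains
#mynetworks
#permit_mx_backup_networks
#qmqpd_authorized_clients
#smtpd_access_maps
mydomain = $vm_domainname
myorigin = \$mydomain
myhostname = $vm_hostname.\$mydomain
mail_name = \$myhostname
mydestination =
 $vm_hostname
 \$myhostname
 \$myorigin
mynetworks =
 127.0.0.0/8
#[::1]/128
inet_protocols = ipv4
# "all" to activate IPv6
inet_interfaces = all
permit_mx_backup_networks =

alias_database =
 hash:/etc/aliases
# NOTE: fichier de hash contenant une table d’alias mail.
# Celle-ci est éditable dans /etc/aliases, puis (indispensable)
# regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
alias_maps =
 hash:/etc/aliases
recipient_delimiter = +
# NOTE: séparateur entre le nom d’utilisateur
# et les extensions d’adresse (par défaut le signe +).
#virtual_alias_domains =
virtual_alias_maps =
 hash:/etc/postfix/\$mydomain/virtual
# NOTE: do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
#
# With a virtual alias domain, the Postfix SMTP server
# accepts mail for known-user@virtual-alias.domain, and
# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.
#relayhost =
relay_clientcerts =
 hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
relay_domains =
 \$mydestination
# NOTE: ajouter les domaines pour lesquels on est backup MX ici,
# pas dans mydestination ou virtual_alias...

maximal_queue_lifetime = 5d

header_checks =
 regexp:/etc/postfix/\$mydomain/header_checks
mime_header_checks =
nested_header_checks =
milter_header_checks =
body_checks =

#content_filter = amavisfeed:[127.0.0.1]:10024
#receive_override_options = no_address_mappings
# no_unknown_recipient_checks
# Do not try to reject unknown recipients (SMTP server only).
# This is typically specified AFTER an external content filter.
# no_address_mappings
# Disable canonical address mapping, virtual alias map expansion,
# address masquerading, and automatic BCC (blind carbon-copy) recipients.
# This is typically specified BEFORE an external content filter (eg. amavis).
# no_header_body_checks
# Disable header/body_checks. This is typically specified AFTER an external content filter.
# no_milters
# Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
#local_header_rewrite_clients =
transport_maps =
 hash:/etc/postfix/\$mydomain/transport_maps
mailbox_command =
 /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
mailbox_size_limit = 0
biff = no
# Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
append_dot_mydomain = no
# appending .domain is the MUA's job.

#tls_random_source =
# dev:/dev/urandom
# Non-blocking
#tls_random_reseed_period = 3600s
#tls_random_exchange_name =
# \${data_directory}/prng_exch
# NOTE: à ne pas mettre dans la cage chroot
#tls_random_bytes = 32
#tls_random_prng_update_period = 3600s
#tls_high_cipherlist = AES256-SHA
# NOTE: postconf(5) déconseille de changer ceci

#smtp_cname_overrides_servername = no
smtp_connect_timeout = 60s
#smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
#smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
#smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
#smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
#smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
# NOTE: déprécié en faveur de smtp_tls_policy_maps
smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
smtp_tls_fingerprint_digest = sha1
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
#smtp_tls_verify_cert_match = hostname
#smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3
# Only allow TLSv*
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
smtp_tls_security_level = may
smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
smtp_body_checks =
smtp_mime_header_checks =
smtp_nested_header_checks =

smtpd_starttls_timeout = 300s
smtpd_banner =
 \$myhostname ESMTP \$mail_name (Debian/GNU)

# Restrictions
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_authorized_xclient_hosts = 127.0.0.1
# NOTE: utile pour tester les restrictions

smtpd_helo_restrictions =
 reject_invalid_helo_hostname
 reject_non_fqdn_helo_hostname
#reject_unknown_helo_hostname
# NOTE: pourrait pourtant être utile pour lutter contre le spam
 permit

smtpd_sender_restrictions =
 permit_mynetworks
 permit_tls_clientcerts
 permit_sasl_authenticated
 check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
 check_sender_access hash:/etc/postfix/sender_blacklist
 reject_unauth_pipelining
 reject_non_fqdn_sender
#reject_unknown_sender_domain
# NOTE: temporaire
 permit

smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_event_limit_exceptions = \$mynetworks
smtpd_client_recipient_rate_limit = 0
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 0
smtpd_client_port_logging = no

smtpd_client_restrictions =
 check_client_access hash:/etc/postfix/client_blacklist

policy_time_limit = 3600
default_extra_recipient_limit = 5000
duplicate_filter_limit = 5000
smtpd_recipient_limit = 5000
smtpd_recipient_overshoot_limit = 5000
smtpd_recipient_restrictions =
 reject_non_fqdn_recipient
#reject_invalid_hostname
# NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
# dans smtpd_helo_restrictions
 reject_unknown_recipient_domain
#reject_non_fqdn_sender
# NOTE: dans smtpd_sender_restrictions
 reject_unauth_pipelining
# NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
 permit_mynetworks
 permit_tls_clientcerts
 permit_sasl_authenticated
 reject_unauth_destination
# NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
# ou quelqu'un pour lequel on tient lieu de backup_mx
 check_policy_service inet:127.0.0.1:10023
# NOTE: Postgrey (greylisting)
 check_policy_service unix:private/spfcheck
 permit_auth_destination
# NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
# (voir permit_auth_destination) ; sans doute redondant
 reject
#check_relay_domains <- removed from postfix
#reject_unknown_sender_domain
# aurait probablement été mieux dans smtpd_sender_restrictions
#reject_rbl_client bl.spamcop.net
#reject_rbl_client list.dsbl.org
#reject_rbl_client zen.spamhaus.org
#reject_rbl_client dnsbl.sorbs.net

smtpd_data_restrictions =
 reject_unauth_pipelining
# NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
 permit

#smtpd_end_of_data_restrictions =

#smtpd_restriction_classes =

smtpd_error_sleep_time = 5
# NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.

# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_domain = \$mydomain

# SMTPD TLS
smtpd_discard_ehlo_keywords = starttls
# NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
# se mangent une erreur en tentant un starttls
smtpd_tls_fingerprint_digest = sha1
# sha512 ?
smtpd_tls_mandatory_protocols = TLSv1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
# restrictif. s/high/medium/ ?
smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
##
#smtpd_tls_received_header = no
smtpd_tls_session_cache_database =
 btree:/var/lib/postfix/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_security_level = may
# Postfix 2.3 and later
# encrypt
# Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
# encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
# SMTP server. Instead, this option should be used only on dedicated servers.
smtpd_tls_loglevel = 1
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_auth_only = yes
# Pas d'AUTH SASL sans TLS
smtpd_tls_ask_ccert = no
smtpd_tls_req_ccert = no
#smtpd_tls_always_issue_session_ids = yes
smtpd_peername_lookup = yes
# Nécessaire pour postgrey, etc
smtpd_milters =
non_smtpd_milters =
line_length_limit = 2048
queue_minfree = 0
message_size_limit = 20480000
#smtpd_enforce_tls # NOTE: obsolète
#smtpd_use_tls # NOTE: obsolète
#smtpd_tls_cipherlist # NOTE: obsolète

readme_directory = no
#delay_warning_time = 4h
# NOTE: uncomment the previous line to generate "delayed mail" warnings
#debug_peer_level = 4
#debug_peer_list = .\$myhostname
EOF
	# Dovecot: IMAP only, client certificate required (ssl_verify_client_cert)
	# and the login name taken from it; the per-user passwd-file lives in the
	# user's home, which is why `service auth` runs as root.
	# NOTE(review): mail_debug and verbose_ssl are both on — verbose logs in
	# production; ssl_cipher_list is the single suite AES256-SHA (no forward
	# secrecy, SHA-1 MAC); the ssl_ca/ssl_cert files are the same path.
	mk_reg mod=644 own=root:root /etc/dovecot/dovecot.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
protocols = imap
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
user = root
}
ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/imap/tls/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = yes
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path = /var/log/dovecot/lda/info.log
log_path = /var/log/dovecot/lda/error.log
mail_plugins = sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
}
EOF
	# Empty local whitelist for postgrey (recipients exempt from greylisting).
	mk_reg mod=644 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
}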
# Install the packages configured by rule_user_mail_format.
# NOTE(review): that rule enables dovecot's imap protocol and the lda with
# sieve; confirm that the package name `dovecot` resolves on the target to
# something providing them (Debian ships them as dovecot-imapd / -sieve).
rule_mail_install () {
	local pkgs='postfix postgrey dovecot'
	sudo apt-get install $pkgs
}
800
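# Dispatch: `vm_hosted [RULE [ARGS...]]`, RULE defaulting to help.
rule=${1:-help}
${1+shift}
# Trace every command when TRACE is set in the environment.
# A bare `set "${TRACE:+-x}"` did this before, but with TRACE unset it ran
# `set ""` and replaced the positional parameters with a single empty
# argument, so every rule taking arguments (rule_user_admin_add) got ""
# instead of its $1.
test -z "${TRACE:-}" || set -x
rule_$rule "$@"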