#!/bin/sh
# vm_hosted: administration rules for the VM, run from inside the hosted VM
# (rule_help below prints the list; the host-side counterpart is $tool/vm_host).
# Usage: vm_hosted RULE [ARGS...]   (RULE defaults to help)
# -e: stop at the first failing command; -f: no globbing (rules that need it
# re-enable it locally with "set +f"); -u: an unset variable is an error;
# DRY_RUN=1 adds -n, so the script is only parsed and nothing is executed.
set -e -f ${DRY_RUN:+-n} -u
# Directory holding this script; lib/ and etc/ are resolved relative to it.
# NOTE(review): ${0%/*} does not resolve symlinks, so when invoked through the
# /usr/local/sbin link made by rule_bin_configure, $tool may not point at the
# checkout — confirm how that link is meant to be used.
tool=${0%/*}
. "$tool"/lib/functions.sh   # presumably defines mk_reg, mk_dir, mk_lnk, rule and assert used below
. "$tool"/etc/vm.sh          # per-VM settings read by the rules: vm, vm_fqdn, vm_ipv4, vm_lvm_*, ...
rule_help () { # SYNTAX: [--hidden]
	# Print this tool's usage on stderr. The rule list is scraped from the
	# "rule_NAME () { # ..." lines of etc/vm.sh and of this script, the
	# environment list from their "readonly NAME=... # ..." lines.
	# $1 - any non-empty argument (e.g. --hidden) also lists the rules whose
	#      name starts with an underscore; without it they are skipped.
	local hidden=
	if [ -z "${1-}" ]; then
		hidden=set
	fi
	cat >&2 <<-EOF
	DESCRIPTION:
	ce script regroupe des règles pour administrer la VM ($vm_fqdn)
	_depuis_ la VM hébergée ($vm_fqdn) ;
	il sert à la fois d'outil (aisément bidouillable)
	et de documentation (préçise).
	Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
	SYNTAX: $0 \$RULE \${RULE}_SYNTAX
	RULES:
	$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
	ENVIRONMENT:
	TRACE # affiche les commandes avant leur exécution
	$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
	EOF
}
rule_git_config () {
	# Make the tool checkout's master branch track the repository's own
	# refs/remotes/master (remote "." is the repository itself).
	local setting
	(
		cd "$tool"
		for setting in \
			branch.master.remote=. \
			branch.master.merge=refs/remotes/master
		do git config --replace "${setting%%=*}" "${setting#*=}"
		done
	)
}
rule_git_reset () {
	# Hard-reset the tool checkout: force master onto refs/remotes/master,
	# then drop every untracked and ignored file. Local edits are lost.
	local checkout=$tool
	(
		cd "$checkout"
		git checkout -f -B master remotes/master
		git clean -f -d -x
	)
}
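rule_apt_get_install () { # SYNTAX: $package
	# Install $1 with apt-get unless dpkg already reports it as installed.
	# $@ - package name(s); the first one decides whether anything is done.
	# When etckeeper is present, its working tree is asserted clean first so
	# that the commit made by the install contains only that package's changes.
	case $(dpkg -s "$1" | grep '^Status: ') in
	("Status: install ok installed");;
	(*)
		test ! -x /usr/bin/etckeeper ||
		assert 'sudo etckeeper unclean'
		# apt-get needs its operation word: callers pass package names only,
		# so "sudo apt-get $package" would be rejected as an invalid operation.
		sudo apt-get install "$@";;
	esac
}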
rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
	# Force a C locale in the current shell, then re-read /etc/profile.
	# Hidden rule (leading underscore): rule_help lists it only with --hidden.
	export LANG=C LC_CTYPE=C
	. /etc/profile
}
rule_apt_configure () {
	# APT sources and pinning for this VM's Debian release ($vm_lsb_name):
	# the main archive, a commented-out backports source, a preferences file
	# pinning backports (200) above the release (170), and a third-party
	# OpenERP nightly repository. mod=/own= empty: mk_reg's defaults apply.
	mk_reg mod= own= /etc/apt/sources.list <<-EOF
	deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
	EOF
	mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
	#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
	EOF
	mk_reg mod= own= /etc/apt/preferences <<-EOF
	Package: *
	Pin: release a=$vm_lsb_name
	Pin-Priority: 170
	
	Package: *
	Pin: release a=$vm_lsb_name-backports
	Pin-Priority: 200
	EOF
	# NOTE(review): this repository is not covered by the pins above, so it
	# keeps APT's default priority (500) and outranks both the release and
	# backports for any package it also ships; confirm it is still wanted and
	# that its signing key is managed somewhere (no key is installed here).
	mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
	deb http://nightly.openerp.com/trunk/nightly/deb/ ./
	EOF
}
rule_apticron_configure () {
	# Install apticron and point its pending-upgrade notifications at the
	# admin address; every other option is left at its default (commented out).
	rule apt_get_install apticron
	mk_reg mod=644 own=root:root /etc/apticron/apticron.conf <<-EOF
	EMAIL="admin@heureux-cyclage.org"
	# DIFF_ONLY="1"
	# LISTCHANGES_PROFILE="apticron"
	# ALL_FQDNS="1"
	# SYSTEM="foobar.example.com"
	# IPADDRESSNUM="1"
	# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
	# NOTIFY_HOLDS="0"
	# NOTIFY_NEW="0"
	# NOTIFY_NO_UPDATES="0"
	# CUSTOM_SUBJECT=""
	# CUSTOM_NO_UPDATES_SUBJECT=""
	# CUSTOM_FROM="root@ateliers.heureux-cyclage.org"
	EOF
	sudo service apticron restart
}
rule_boot_configure () {
	# Boot loader and kernel for a Xen PV guest: GRUB2 (grub-pc), the Debian
	# kernel for $vm_arch, a kernel command line on the Xen console (hvc0)
	# with a static ip= and resume= on the encrypted swap, GRUB's device map,
	# then the initramfs (rule_initramfs_configure).
	rule apt_get_install grub-pc # XXX: be careful to install GRUB on NONE of the disks offered!
	# NOTE(review): 644 on a directory lacks the search bit; only root (which
	# bypasses it) can enter /boot/grub — presumably fine, but confirm mk_dir
	# really applies this mode.
	mk_dir mod=644 own=root:root /boot/grub
	rule apt_get_install linux-image-$vm_arch
	# The backticks around lsb_release are escaped so that the file keeps them
	# literally: they are evaluated by update-grub, not when this rule runs.
	mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
	GRUB_DEFAULT=0
	GRUB_TIMEOUT=5
	GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
	GRUB_CMDLINE_LINUX_DEFAULT="quiet"
	GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
	GRUB_DISABLE_RECOVERY="true"
	#GRUB_PRELOAD_MODULES="lvm"
	EOF
	# (hd0) is listed twice: the raw Xen block device and the host-side
	# device-mapper name of the disk (each "-" doubled, as device-mapper does
	# for LVM names — hence the sed).
	mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF
	(hd0) /dev/xvda
	(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
	EOF
	sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
	rule initramfs_configure
}
rule_etckeeper_configure () {
	# Track /etc in git with etckeeper. Daily and pre-install auto-commits
	# are disabled: rule_apt_get_install asserts a clean tree itself before
	# installing anything. The configuration is written before the package
	# is installed, so dpkg meets an already existing conffile — presumably
	# intended (the package's own copy is then not installed over it).
	mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF
	VCS=git
	GIT_COMMIT_OPTIONS=""
	AVOID_DAILY_AUTOCOMMITS=1
	#AVOID_SPECIAL_FILE_WARNING=1
	AVOID_COMMIT_BEFORE_INSTALL=1
	HIGHLEVEL_PACKAGE_MANAGER=apt
	LOWLEVEL_PACKAGE_MANAGER=dpkg
	EOF
	rule apt_get_install etckeeper
}
rule_filesystem_configure () {
	# fstab, crypttab and swap tuning for the LVM-on-LUKS layout: the logical
	# volumes ${vm_lvm_lv}_{root,var,home,swap} of $vm_lvm_vg are LUKS
	# containers mounted through their *_deciphered mappings; only /boot
	# (ext2, found by label) is in clear. /tmp is a size-capped tmpfs with
	# nosuid,nodev (exec stays allowed); /home carries user and group quotas.
	mk_reg mod=644 own=root:root /etc/fstab <<-EOF
	# <file system> <mount point> <type> <options> <dump> <pass>
	LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
	proc /proc proc defaults 0 0
	sysfs /sys sysfs defaults 0 0
	tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
	/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
	/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
	EOF
	# Only the root volume asks for a passphrase ("none" key file, at boot or
	# through the initramfs dropbear of rule_initramfs_configure); var, home
	# and swap are opened by the decrypt_derived keyscript with a key derived
	# from the root mapping, so a single unlock opens everything.
	mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
	# <target name> <source device> <key file> <options>
	${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
	${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	EOF
	# NOTE(review): sysctl.conf(5) only treats whole lines starting with "#"
	# as comments; the trailing "# NOTE ..." after the swappiness value is
	# likely handed to the kernel as part of the value — check "sysctl -p" on
	# this file (the comment may have to move to its own line).
	mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
	vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
	vm.vfs_cache_pressure=50
	EOF
}
rule_initramfs_configure () {
	# Build the initramfs that lets the LUKS root be unlocked remotely on a
	# Xen PV guest: network and crypto modules, a dropbear SSH server whose
	# authorized_keys are the aggregated keys of every member of the sudo
	# group, and a regenerated 4096-bit RSA dropbear host key when the tool's
	# known_hosts has none. Consequence worth keeping in mind: every member of
	# the sudo group can reach the pre-boot root shell and unlock the disk.
	mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
	MODULES=most
	BUSYBOX=y
	KEYMAP=y
	COMPRESS=gzip
	DEVICE=eth0
	EOF
	mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF
	alias eth0 xennet
	alias scsi_hostadapter xenblk
	EOF
	# Hash and cipher modules needed to open the LUKS volumes early.
	mk_reg mod=644 own=root:root /etc/modules <<-EOF
	sha1_generic
	sha256_generic
	sha512_generic
	aes-x86_64
	xts
	# NOTE: pour Xen en mode HVM :
	#modprobe xen-platform-pci
	EOF
	mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF
	EOF
	# Patch the packaged dropbear premount script in place: drop the trailing
	# "&" so that configure_networking runs synchronously. The edit is redone
	# on every run and is lost (then redone) on a package upgrade.
	sudo sed -e '/^configure_networking /s/ &$//' \
	 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# NOTE: works around a nuisance: dropbear must wait until the network is configured..
	# Regenerate the initramfs dropbear RSA host key unless the tool's
	# known_hosts already has an RSA entry for init.$vm_fqdn (matched on the
	# line ssh-keygen -F prints for it, presumably "# Host ... type RSA").
	# After a regeneration the new key has to be recorded in
	# etc/openssh/known_hosts — by the host-side tool, presumably — or it is
	# regenerated again on the next run. The "break" after "return" is unreachable.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	do case $line in (*" RSA") return 0; break;; esac
	done; return 1 ) ||
	{
	sudo rm -f \
	/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
	/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
	sudo dropbearkey -t rsa -s 4096 -f \
	/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	}
	# NOTE: does not bother with dropbear_dss_host_key; Debian generates and uses it anyway.
	# 640 on a directory has no search bit: only root (which bypasses it, and
	# is what runs inside the initramfs) can enter these directories.
	mk_dir mod=640 own=root:root \
	/etc/initramfs-tools/root \
	/etc/initramfs-tools/root/.ssh
	# For each member listed in the sudo group (supplementary members only,
	# as "getent group" reports them), concatenate ~user/etc/ssh/authorized_keys.
	# The eval is what makes "~$user" expand to the home found in passwd; the
	# names come from the group database, which constrains their characters,
	# but they are nonetheless evaluated as shell text.
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
	$users
	EOF
	do eval local home\; home="~$user"
	cat "$home"/etc/ssh/authorized_keys
	done
	done |
	mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
	# Remove the client key pair the Debian package generates for the
	# initramfs root — presumably so that no unprotected private key ships in
	# the image.
	sudo rm -f \
	/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
	/etc/initramfs-tools/root/.ssh/id_rsa.pub \
	/etc/initramfs-tools/root/.ssh/id_rsa
	# NOTE: keys generated by Debian
	sudo update-initramfs -u
}
rule_locale_configure () {
	# Declare fr_FR.UTF-8 as the only locale to generate (locale-gen itself
	# is not invoked here) and refresh the system default locale settings.
	mk_reg mod=644 own=root:root /etc/locale.gen <<-EOF
	fr_FR.UTF-8 UTF-8
	EOF
	sudo update-locale
}
rule_login_configure () {
	# Console login policy: root may log in on the Xen consoles (hvc0, xvc0
	# appended to securetty), a sysvinit inittab with a getty on hvc0 only,
	# login.defs (SHA512 password hashes, 3 login retries, umask 007, no
	# password ageing) and pam_umask so that the umask applies to every
	# PAM session.
	grep -q '^hvc0$' /etc/securetty ||
	mk_reg mod= own= --append /etc/securetty <<-EOF
	hvc0
	EOF
	grep -q '^xvc0$' /etc/securetty ||
	mk_reg mod= own= --append /etc/securetty <<-EOF
	xvc0
	EOF
	mk_reg mod=644 own=root:root /etc/inittab <<-EOF
	# /etc/inittab: init(8) configuration.
	
	# The default runlevel.
	id:2:initdefault:
	
	# Boot-time system configuration/initialization script.
	# This is run first except when booting in emergency (-b) mode.
	si::sysinit:/etc/init.d/rcS
	
	# What to do in single-user mode.
	~~:S:wait:/sbin/sulogin
	
	# /etc/init.d executes the S and K scripts upon change
	# of runlevel.
	#
	# Runlevel 0 is halt.
	# Runlevel 1 is single-user.
	# Runlevels 2-5 are multi-user.
	# Runlevel 6 is reboot.
	
	l0:0:wait:/etc/init.d/rc 0
	l1:1:wait:/etc/init.d/rc 1
	l2:2:wait:/etc/init.d/rc 2
	l3:3:wait:/etc/init.d/rc 3
	l4:4:wait:/etc/init.d/rc 4
	l5:5:wait:/etc/init.d/rc 5
	l6:6:wait:/etc/init.d/rc 6
	# Normally not reached, but fallthrough in case of emergency.
	z6:6:respawn:/sbin/sulogin
	
	# What to do when CTRL-ALT-DEL is pressed.
	ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
	
	# What to do when the power fails/returns.
	pf::powerwait:/etc/init.d/powerfail start
	pn::powerfailnow:/etc/init.d/powerfail now
	po::powerokwait:/etc/init.d/powerfail stop
	
	# Xen hypervisor console
	hvc:2345:respawn:/sbin/getty 38400 hvc0
	#xvc:2345:respawn:/sbin/getty 38400 xvc0
	EOF
	# Whole file replaced (not appended): keep it in sync with the packaged
	# defaults when upgrading. The author's notes on ENV_PATH and UMASK are
	# part of the file and stay in French.
	mk_reg mod=644 own=root:root /etc/login.defs <<-EOF
	MAIL_DIR /var/mail
	FAILLOG_ENAB yes
	LOG_UNKFAIL_ENAB no
	LOG_OK_LOGINS no
	SYSLOG_SU_ENAB yes
	SYSLOG_SG_ENAB yes
	FTMP_FILE /var/log/btmp
	SU_NAME su
	HUSHLOGIN_FILE .hushlogin
	ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	# NOTE: met les sbin/ dans ENV_PATH ;
	# - ça n'apporte aucune protection de ne pas les mettre ;
	# - ça frustre de ne pas les trouver.
	TTYGROUP tty
	TTYPERM 0600
	ERASECHAR 0177
	KILLCHAR 025
	UMASK 007
	# NOTE: rwxrwx--- ;
	# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
	# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
	PASS_MAX_DAYS 99999
	PASS_MIN_DAYS 0
	PASS_WARN_AGE 7
	UID_MIN 1000
	UID_MAX 60000
	GID_MIN 1000
	GID_MAX 60000
	LOGIN_RETRIES 3
	LOGIN_TIMEOUT 60
	CHFN_RESTRICT rwh
	DEFAULT_HOME yes
	USERGROUPS_ENAB yes
	ENCRYPT_METHOD SHA512
	EOF
	# Append pam_umask once (idempotent thanks to the grep guard).
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	mk_reg mod= own= --append /etc/pam.d/common-session <<-EOF
	session optional pam_umask.so
	EOF
}
rule_network_configure () {
	# Hostname, a loopback /etc/hosts entry for the FQDN (appended once), and
	# a static eth0 (logical interface "grenode") with a single /32 address
	# whose gateway is that same address (the author's note in the file:
	# proxy_arp on the gateway makes this work).
	mk_reg mod= own= /etc/hostname <<-EOF
	$vm
	EOF
	grep -q " $vm\$" /etc/hosts ||
	mk_reg mod= own= --append /etc/hosts <<-EOF
	127.0.0.1 $vm_fqdn $vm
	EOF
	# \$IFACE is escaped so that ifupdown, not this rule, expands it.
	mk_reg mod= own= /etc/network/interfaces <<-EOF
	auto lo
	iface lo inet loopback
	
	auto eth0=grenode
	iface grenode inet static
	address $vm_ipv4
	gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
	network $vm_ipv4
	broadcast $vm_ipv4
	netmask 255.255.255.255
	#mtu 1300
	post-up ip address add $vm_ipv4/32 dev \$IFACE
	pre-down ip address delete $vm_ipv4/32 dev \$IFACE
	EOF
}
rule_user_configure () {
	# Per-user skeleton, SSH server and sudo policy:
	# - /etc/skel gets an etc/, var/, tmp/ layout (root:adm, 700/750/770) with
	#   .ssh -> etc/ssh and .gnupg -> etc/gpg links (etc/gpg itself is not
	#   created here, unlike /root/etc/gpg in rule_user_root_configure);
	# - sshd keeps a single 4096-bit RSA host key (DSA/ECDSA keys removed),
	#   listens on $vm_ipv4 only, accepts public keys only (no passwords),
	#   reads them from ~/etc/ssh/authorized_keys and lets root log in by key;
	# - members of the sudo group may, without a password, run passwd on
	#   their own still-locked account and "etckeeper unclean".
	# NOTE(review): the /etc/skel/tmp line is duplicated.
	mk_dir mod=750 own="root:adm" /etc/skel/etc
	mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
	mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/var
	mk_dir mod=700 own="root:adm" /etc/skel/var/log
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/tmp
	mk_dir mod=700 own="root:adm" /etc/skel/tmp
	mk_lnk etc/ssh /etc/skel/.ssh
	mk_lnk etc/gpg /etc/skel/.gnupg
	# NOTE(review): with "StrictModes yes" below, sshd refuses an
	# authorized_keys file whose directory is group- or world-writable; the
	# 770 skel etc/ssh ends up in every new home — confirm that adduser/mk_dir
	# leave ~/etc/ssh non-group-writable, or key logins will be rejected.
	# Generate a fresh RSA host key unless the tool's known_hosts already has
	# an RSA entry for $vm_fqdn (same idiom as rule_initramfs_configure; the
	# new key then has to be recorded there).
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	do case $line in (*" RSA") return 0; break;; esac
	done; return 1 ) ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	sudo rm -f \
	/etc/ssh/ssh_host_dsa_key \
	/etc/ssh/ssh_host_dsa_key.pub \
	/etc/ssh/ssh_host_ecdsa_key \
	/etc/ssh/ssh_host_ecdsa_key.pub
	# NOTE: keys generated by Debian
	# NOTE(review): mod=664 makes sshd_config group-writable (group root);
	# 644 is the usual mode. ServerKeyBits, KeyRegenerationInterval,
	# RSAAuthentication and RhostsRSAAuthentication are protocol-1-era
	# options that newer OpenSSH releases ignore or reject — confirm against
	# the installed version. "PermitRootLogin yes" is key-only in practice
	# here because PasswordAuthentication is off.
	mk_reg mod=664 own=root:root /etc/ssh/sshd_config <<-EOF
	Port 22
	ListenAddress $vm_ipv4
	#ListenAddress ::
	Protocol 2
	Compression yes
	HostKey /etc/ssh/ssh_host_rsa_key
	UsePrivilegeSeparation yes
	KeyRegenerationInterval 3600
	ServerKeyBits 768
	SyslogFacility AUTH
	LogLevel INFO
	LoginGraceTime 120
	PermitRootLogin yes
	StrictModes yes
	RSAAuthentication yes
	PubkeyAuthentication yes
	AuthorizedKeysFile %h/etc/ssh/authorized_keys
	IgnoreRhosts yes
	RhostsRSAAuthentication no
	HostbasedAuthentication no
	IgnoreUserKnownHosts no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	KerberosAuthentication no
	GSSAPIAuthentication no
	X11Forwarding no
	X11DisplayOffset 10
	PrintMotd no
	DebianBanner no
	PrintLastLog yes
	TCPKeepAlive yes
	ClientAliveInterval 0
	AcceptEnv LANG LC_*
	Subsystem sftp /usr/lib/openssh/sftp-server
	UsePAM yes
	EOF
	sudo service ssh restart
	# Passwordless sudo for one exact command line: a sh -c whose script only
	# runs passwd for the caller when its account is still locked ("L").
	# NOTE(review): in sudoers, "*" inside command arguments is a wildcard,
	# so this entry matches more argument strings than the wrapper below
	# sends; pinning the root-owned wrapper script itself as the NOPASSWD
	# command (and having it run passwd directly) would match exactly — confirm.
	mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
	case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
	("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
	EOF
	# Used by rule_apt_get_install through assert.
	mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	EOF
	# Keep the editor and git identity across sudo so that etckeeper commits
	# carry the administrator's name rather than root's.
	mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-EOF
	Defaults env_keep = " \\
	EDITOR \\
	GIT_AUTHOR_NAME \\
	GIT_AUTHOR_EMAIL \\
	GIT_COMMITTER_NAME \\
	GIT_COMMITTER_EMAIL \\
	"
	EOF
	# Wrapper a new user runs to set the initial password; its argument string
	# must stay byte-for-byte identical to the sudoers entry above.
	mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-EOF
	#!/bin/sh
	sudo /bin/sh -e -f -u -c \
	'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
	EOF
}
rule_user_root_configure () {
	# root's own etc/ssh and etc/gpg (linked from .ssh and .gnupg), an
	# authorized_keys aggregated from every member of the sudo group — so each
	# of them can log in as root over SSH, which rule_user_configure permits
	# by key — and the tool's OpenPGP public keys imported into root's keyring.
	mk_dir mod=750 own=root:root /root/etc
	mk_dir mod=750 own=root:root /root/etc/ssh
	mk_dir mod=750 own=root:root /root/etc/gpg
	mk_lnk etc/gpg /root/.gnupg
	mk_lnk etc/ssh /root/.ssh
	# Same aggregation loop as rule_initramfs_configure: supplementary
	# members of "sudo" as getent lists them; the eval performs the "~$user"
	# expansion (names from the group database, evaluated as shell text).
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
	$users
	EOF
	do eval local home\; home="~$user"
	cat "$home"/etc/ssh/authorized_keys
	done
	done |
	mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
	# Globbing is off file-wide (set -f); re-enable it for this loop only
	# ("local -" saves the shell options so they are restored on return —
	# dash and bash >= 4.4). With no *.key file the literal pattern would be
	# handed to gpg and the import would fail.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}
rule_bin_configure () {
	# Expose this script system-wide by linking it into /usr/local/sbin/ .
	local script="$tool"/vm_hosted
	mk_lnk "$script" /usr/local/sbin/
}
rule_configure () {
	# Apply every host-configuration rule of this script, in this fixed
	# order (etckeeper comes first, presumably so that the later changes to
	# /etc are tracked; boot last, as it rebuilds the initramfs).
	local step
	for step in \
		etckeeper_configure \
		locale_configure \
		network_configure \
		apt_configure \
		filesystem_configure \
		login_configure \
		user_root_configure \
		boot_configure \
		bin_configure
	do rule "$step"
	done
}
rule_disk_key_change () {
	# Interactively change a passphrase of the root LUKS volume (cryptsetup
	# prompts for the old and the new one). The var/home/swap volumes of
	# /etc/crypttab are opened by decrypt_derived, which — as far as I know —
	# derives its key from the volume master key, not from a passphrase, so
	# they are unaffected; confirm before relying on it.
	local root_lv=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
	sudo cryptsetup luksChangeKey "$root_lv"
}
rule_user_admin_configure () {
	# Re-run the rules that derive state from the sudo group's members: the
	# initramfs (dropbear authorized_keys) and root's authorized_keys.
	local step
	for step in initramfs_configure user_root_configure
	do rule "$step"
	done
}
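rule_user_admin_add () { # SYNTAX: $user
	# Create $1 (if missing) as an administrator: account without a password
	# (the user sets it later with passwd-init, see rule_user_configure),
	# member of the sudo group, SSH public key from var/pub/ssh/$user.key
	# installed as ~/etc/ssh/authorized_keys, the tool's OpenPGP public keys
	# imported into the user's keyring; finally the rules depending on the
	# sudo group's membership are re-run (rule_user_admin_configure).
	local user=$1
	local home
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the password must be initialised by the user with passwd-init .
	# Home directory from the passwd database: no eval of a caller-supplied
	# name as shell text (the previous "eval home=~$user" did that).
	home=$(getent passwd "$user" | cut -d: -f6)
	test -n "$home" || return 1
	sudo adduser "$user" sudo
	mk_reg mod=640 own=$user:$user "$home"/etc/ssh/authorized_keys \
	 <"$tool"/var/pub/ssh/"$user".key
	# Globbing is off file-wide (set -f); "local -" restores it on return.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import "$key"
	done
	rule user_admin_configure
}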
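rule_user_mail_format () {
	# Mail delivery layout and server configuration:
	# - per-user procmail skeleton (etc/procmail/delivery.rc) that forwards
	#   every message to the address found in the user's GECOS field;
	# - Postfix main.cf for $vm_domainname/$vm_hostname (local delivery via
	#   procmail, anti-relay restrictions, greylisting and SPF policy
	#   services, opportunistic TLS, SASL through dovecot);
	# - dovecot.conf (IMAP with client certificates, LDA with sieve);
	# - an empty postgrey local whitelist.
	# The heredocs are unquoted so that $vm_* expands; everything the target
	# program must see literally ($VAR and backticks) is escaped.
	mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
	mk_dir mod=770 own=root:adm /etc/skel/var/mail
	mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
	# The three backtick expressions (LOGFILE, EMAIL, FROM_) are procmail
	# command substitutions and are escaped as \` so that the shell leaves
	# them in the file instead of running them while this rule executes
	# (which would have frozen the admin's own GECOS address into the
	# skeleton, run formail on the script's stdin and created a symlink in
	# the admin's home).
	# NOTE(review): "\${EMAIL/@/...}" is a bash pattern substitution; with
	# SHELL=/bin/sh (dash on Debian) that action line is likely to fail with
	# "Bad substitution" — confirm on the target, and consider sed/formail there.
	mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
	# vim: ft=procmail
	
	# NOTE: paramètres passés par postfix
	SENDER=\$1
	RECIPIENT=\$2
	USER=\$3
	EXTENSION=\$4
	DOMAIN=\$5
	ORIGINAL_RECIPIENT=\$6
	
	PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
	MAILDIR="\$HOME/var/mail/"
	DEFAULT="\$MAILDIR"
	#LOGFILE=\`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"\`
	LOGFILE="/dev/null"
	LOGABSTRACT=all
	LOGABSTRACT
	VERBOSE
	SHELL=/bin/sh
	SHELLMETAS=&|<>~;?*%{}
	
	# DESCRIPTION: supprime les doublons en fonction du champ Message-Id
	#:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
	#| formail -D 8192 "\$HOME/var/cache/procmail/msgid"
	
	# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
	EMAIL=\`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"\`
	# NOTE: récupère l’adresse courriel dans le champ GECOS
	FROM_=\`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'\`
	# NOTE: récupère l’expéditeur inscrit sur l’enveloppe
	:0
	| \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"
	
	# DESCRIPTION: IMAP
	#:0
	#| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"
	
	# DESCRIPTION: UUCP
	#:0
	#| /usr/bin/uux \
	# -I "\$HOME/etc/uucp/uucp.cfg" \
	# --nouucico \
	# --notification=error \
	# --requestor "\$USER" \
	# - "\$USER!rmail" "(\$USER)"
	EOF
	# NOTE(review): Postfix continuation lines (the values listed under
	# "mydestination =", "mynetworks =", "smtpd_*_restrictions =", ...) must
	# start with whitespace; leading tabs would be stripped by <<-, so they
	# have to be indented with spaces — confirm the checked-in file does.
	# NOTE(review): mod=664 makes main.cf group-writable (group root); 644 is
	# the usual mode. "smtpd_discard_ehlo_keywords = starttls" hides STARTTLS
	# on this smtpd, and with "smtpd_tls_auth_only = yes" SASL AUTH can then
	# never be offered here — presumably a submission service in master.cf
	# overrides these; confirm.
	mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
	# /etc/postfix/main.cf
	# SEE: http://postfix.traduc.org/index.php/TLS_README.html
	
	parent_domain_matches_subdomains =
	#debug_peer_list
	#fast_flush_domains
	#mynetworks
	#permit_mx_backup_networks
	#qmqpd_authorized_clients
	#smtpd_access_maps
	mydomain = $vm_domainname
	myorigin = \$mydomain
	myhostname = $vm_hostname.\$mydomain
	mail_name = \$myhostname
	mydestination =
	$vm_hostname
	\$myhostname
	\$myorigin
	mynetworks =
	127.0.0.0/8
	#[::1]/128
	inet_protocols = ipv4
	# "all" to activate IPv6
	inet_interfaces = all
	permit_mx_backup_networks =
	
	alias_database =
	hash:/etc/aliases
	# NOTE: fichier de hash contenant une table d’alias mail.
	# Celle-ci est éditable dans /etc/aliases, puis (indispensable)
	# regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
	alias_maps =
	hash:/etc/aliases
	recipient_delimiter = +
	# NOTE: séparateur entre le nom d’utilisateur
	# et les extensions d’adresse (par défaut le signe +).
	#virtual_alias_domains =
	virtual_alias_maps =
	hash:/etc/postfix/\$mydomain/virtual
	# NOTE: do not specify virtual alias domain names in the main.cf
	# mydestination or relay_domains configuration parameters.
	#
	# With a virtual alias domain, the Postfix SMTP server
	# accepts mail for known-user@virtual-alias.domain, and
	# rejects mail for unknown-user@virtual-alias.domain as
	# undeliverable.
	#relayhost =
	relay_clientcerts =
	hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
	relay_domains =
	\$mydestination
	# NOTE: ajouter les domaines pour lesquels on est backup MX ici,
	# pas dans mydestination ou virtual_alias...
	
	maximal_queue_lifetime = 5d
	
	header_checks =
	regexp:/etc/postfix/\$mydomain/header_checks
	mime_header_checks =
	nested_header_checks =
	milter_header_checks =
	body_checks =
	
	#content_filter = amavisfeed:[127.0.0.1]:10024
	#receive_override_options = no_address_mappings
	# no_unknown_recipient_checks
	# Do not try to reject unknown recipients (SMTP server only).
	# This is typically specified AFTER an external content filter.
	# no_address_mappings
	# Disable canonical address mapping, virtual alias map expansion,
	# address masquerading, and automatic BCC (blind carbon-copy) recipients.
	# This is typically specified BEFORE an external content filter (eg. amavis).
	# no_header_body_checks
	# Disable header/body_checks. This is typically specified AFTER an external content filter.
	# no_milters
	# Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
	#local_header_rewrite_clients =
	transport_maps =
	hash:/etc/postfix/\$mydomain/transport_maps
	mailbox_command =
	/usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
	mailbox_size_limit = 0
	biff = no
	# Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
	append_dot_mydomain = no
	# appending .domain is the MUA's job.
	
	#tls_random_source =
	# dev:/dev/urandom
	# Non-blocking
	#tls_random_reseed_period = 3600s
	#tls_random_exchange_name =
	# \${data_directory}/prng_exch
	# NOTE: à ne pas mettre dans la cage chroot
	#tls_random_bytes = 32
	#tls_random_prng_update_period = 3600s
	#tls_high_cipherlist = AES256-SHA
	# NOTE: postconf(5) déconseille de changer ceci
	
	#smtp_cname_overrides_servername = no
	smtp_connect_timeout = 60s
	#smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
	#smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
	#smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
	#smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
	#smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
	# NOTE: déprécié en faveur de smtp_tls_policy_maps
	smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
	smtp_tls_fingerprint_digest = sha1
	smtp_tls_scert_verifydepth = 5
	#smtp_tls_secure_cert_match = nexthop, dot-nexthop
	#smtp_tls_verify_cert_match = hostname
	#smtp_tls_note_starttls_offer = yes
	smtp_tls_loglevel = 1
	smtp_tls_protocols = !SSLv2, !SSLv3
	# Only allow TLSv*
	smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
	#smtp_tls_session_cache_timeout = 3600s
	smtp_tls_security_level = may
	smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
	smtp_body_checks =
	smtp_mime_header_checks =
	smtp_nested_header_checks =
	
	smtpd_starttls_timeout = 300s
	smtpd_banner =
	\$myhostname ESMTP \$mail_name (Debian/GNU)
	
	# Restrictions
	smtpd_helo_required = yes
	strict_rfc821_envelopes = yes
	smtpd_authorized_xclient_hosts = 127.0.0.1
	# NOTE: utile pour tester les restrictions
	
	smtpd_helo_restrictions =
	reject_invalid_helo_hostname
	reject_non_fqdn_helo_hostname
	#reject_unknown_helo_hostname
	# NOTE: pourrait pourtant être utile pour lutter contre le spam
	permit
	
	smtpd_sender_restrictions =
	permit_mynetworks
	permit_tls_clientcerts
	permit_sasl_authenticated
	check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
	check_sender_access hash:/etc/postfix/sender_blacklist
	reject_unauth_pipelining
	reject_non_fqdn_sender
	#reject_unknown_sender_domain
	# NOTE: temporaire
	permit
	
	smtpd_client_new_tls_session_rate_limit = 0
	smtpd_client_event_limit_exceptions = \$mynetworks
	smtpd_client_recipient_rate_limit = 0
	smtpd_client_connection_count_limit = 50
	smtpd_client_connection_rate_limit = 0
	smtpd_client_message_rate_limit = 0
	smtpd_client_port_logging = no
	
	smtpd_client_restrictions =
	check_client_access hash:/etc/postfix/client_blacklist
	
	policy_time_limit = 3600
	default_extra_recipient_limit = 5000
	duplicate_filter_limit = 5000
	smtpd_recipient_limit = 5000
	smtpd_recipient_overshoot_limit = 5000
	smtpd_recipient_restrictions =
	reject_non_fqdn_recipient
	#reject_invalid_hostname
	# NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
	# dans smtpd_helo_restrictions
	reject_unknown_recipient_domain
	#reject_non_fqdn_sender
	# NOTE: dans smtpd_sender_restrictions
	reject_unauth_pipelining
	# NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
	permit_mynetworks
	permit_tls_clientcerts
	permit_sasl_authenticated
	reject_unauth_destination
	# NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
	# ou quelqu'un pour lequel on tient lieu de backup_mx
	check_policy_service inet:127.0.0.1:10023
	# NOTE: Postgrey (greylisting)
	check_policy_service unix:private/spfcheck
	permit_auth_destination
	# NOTE: une fois Postgr passé, on accepte ce qui nous est destiné
	# (voir permit_auth_destination) ; sans doute redondant
	reject
	#check_relay_domains <- removed from postfix
	#reject_unknown_sender_domain
	# aurait probablement été mieux dans smtpd_sender_restrictions
	#reject_rbl_client bl.spamcop.net
	#reject_rbl_client list.dsbl.org
	#reject_rbl_client zen.spamhaus.org
	#reject_rbl_client dnsbl.sorbs.net
	
	smtpd_data_restrictions =
	reject_unauth_pipelining
	# NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
	permit
	
	#smtpd_end_of_data_restrictions =
	
	#smtpd_restriction_classes =
	
	smtpd_error_sleep_time = 5
	# NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.
	
	# SASL
	smtpd_sasl_auth_enable = yes
	smtpd_sasl_type = dovecot
	smtpd_sasl_path = private/auth
	smtpd_sasl_security_options = noanonymous
	smtpd_sasl_domain = \$mydomain
	
	# SMTPD TLS
	smtpd_discard_ehlo_keywords = starttls
	# NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
	# se mangent une erreur en tentant un starttls
	smtpd_tls_fingerprint_digest = sha1
	# sha512 ?
	smtpd_tls_mandatory_protocols = TLSv1
	smtpd_tls_mandatory_ciphers = high
	smtpd_tls_ciphers = high
	# restrictif. s/high/medium/ ?
	smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
	smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
	smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
	smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
	##
	#smtpd_tls_received_header = no
	smtpd_tls_session_cache_database =
	btree:/var/lib/postfix/smtpd_tls_session_cache
	#smtpd_tls_session_cache_timeout = 3600s
	smtpd_tls_security_level = may
	# Postfix 2.3 and later
	# encrypt
	# Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
	# encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
	# SMTP server. Instead, this option should be used only on dedicated servers.
	smtpd_tls_loglevel = 1
	smtpd_tls_ccert_verifydepth = 5
	smtpd_tls_auth_only = yes
	# Pas d'AUTH SASL sans TLS
	smtpd_tls_ask_ccert = no
	smtpd_tls_req_ccert = no
	#smtpd_tls_always_issue_session_ids = yes
	smtpd_peername_lookup = yes
	# Nécessaire pour postgrey, etc
	smtpd_milters =
	non_smtpd_milters =
	line_length_limit = 2048
	queue_minfree = 0
	message_size_limit = 20480000
	#smtpd_enforce_tls # NOTE: obsolète
	#smtpd_use_tls # NOTE: obsolète
	#smtpd_tls_cipherlist # NOTE: obsolète
	
	readme_directory = no
	#delay_warning_time = 4h
	# NOTE: uncomment the previous line to generate "delayed mail" warnings
	#debug_peer_level = 4
	#debug_peer_list = .\$myhostname
	EOF
	# IMAP authenticated by client certificate (username taken from the cert),
	# per-user passwd-file for the auth socket shared with Postfix, LDA with
	# sieve. NOTE(review): mod=664 is group-writable (group root), mail_debug
	# logs verbosely, and the single AES256-SHA suite offers — as far as I
	# know — no forward secrecy; review against the installed dovecot version.
	mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
	auth_ssl_username_from_cert = yes
	listen = *
	log_timestamp = "%Y-%m-%d %H:%M:%S "
	mail_debug = yes
	mail_location = maildir:~/var/mail
	mail_privileged_group = mail
	passdb {
	args = /home/%u/etc/dovecot/passwd
	driver = passwd-file
	}
	protocols = imap
	service auth {
	unix_listener /var/spool/postfix/private/auth {
	group = postfix
	mode = 0660
	user = postfix
	}
	user = root
	}
	ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
	ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
	ssl_cipher_list = AES256-SHA
	ssl_key = </etc/dovecot/imap/tls/key.pem
	ssl_verify_client_cert = yes
	userdb {
	driver = passwd
	}
	verbose_ssl = yes
	protocol lda {
	auth_socket_path = /var/run/dovecot/auth-master
	hostname = $vm_domainname
	info_log_path = /var/log/dovecot/lda/info.log
	log_path = /var/log/dovecot/lda/error.log
	mail_plugins = sieve
	postmaster_address = contact+dovecot+lda@$vm_domainname
	}
	EOF
	mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
	EOF
}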
rule_mail_configure () {
	# Install the mail stack (MTA, greylisting policy server, IMAP/LDA) whose
	# configuration rule_user_mail_format writes.
	local packages='postfix postgrey dovecot'
	# shellcheck disable=SC2086 — intentional word splitting of the package list
	sudo apt-get install $packages
}
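# Entry point: the first argument names the rule (default: help), the rest
# are passed to it. Every rule but help only makes sense on the VM itself,
# so the FQDN is asserted to match etc/vm.sh first.
rule=${1:-help}
if [ $# -gt 0 ]; then
	shift
fi
case $rule in
(help);;
(*)
	assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
	;;
esac
# Quoted so that the rule name is always passed as exactly one argument.
rule "$rule" "$@"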