Correction : vm_hosted : rule_initramfs_configure : clés de dropbear.
#!/bin/sh
# Administration rules applied from _inside_ the hosted VM (see rule_help).
# -e: stop at the first failing command; -f: no globbing (rules that need it turn it
# back on locally with `set +f`); -u: an unset variable is an error.
set -e -f -u
# DRY_RUN=1 adds -n: the script is only parsed, nothing below is executed.
case ${DRY_RUN:+set} in (set) set -n;; esac
# Everything is addressed relative to the directory holding this script.
# NOTE(review): ${0%/*} requires $0 to contain a slash and to point into the checkout;
# invoked through the /usr/local/sbin symlink that rule_bin_configure installs it would
# be /usr/local/sbin unless the link is resolved first — confirm how that case works.
tool=${0%/*}
. "$tool"/lib/functions.sh	# presumably mk_reg, mk_dir, mk_lnk, rule, assert, …
. "$tool"/etc/vm.sh		# readonly vm_* settings (and possibly rules, see rule_help)
6
rule_help () { # SYNTAX: [--hidden]
	# Print the usage text on stderr. The RULES and ENVIRONMENT lists are scraped from the
	# "rule_* () { # …" and "readonly … # …" lines of etc/vm.sh and of this script; unless
	# --hidden is given, rules named "rule__*" (internal steps) are left out.
	local hidden
	case ${1:+set} in
	(set) hidden=;;
	(*) hidden=set;;
	esac
	cat >&2 <<-EOF
		DESCRIPTION:
		ce script regroupe des règles pour administrer la VM ($vm_fqdn)
		_depuis_ la VM hébergée ($vm_fqdn) ;
		il sert à la fois d'outil (aisément bidouillable)
		et de documentation (préçise).
		Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
		SYNTAX: $0 \$RULE \${RULE}_SYNTAX
		RULES:
		$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
		ENVIRONMENT:
		TRACE # affiche les commandes avant leur exécution
		$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
		EOF
}
24
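rule_git_config () {
	# Make branch master of this checkout track refs/remotes/master of the very same
	# repository (remote "."), the ref rule_git_reset resets to (presumably fed from the
	# host side).
	# --replace-all is the documented option; the former "--replace" only worked as an
	# unambiguous abbreviation and would break as soon as git grew another --replace-*.
	(
	cd "$tool"
	git config --replace-all branch.master.remote .
	git config --replace-all branch.master.merge refs/remotes/master
	)
}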
32 rule_git_reset () {
33 (
34 cd "$tool"
35 git checkout -f -B master remotes/master
36 git clean -f -d -x
37 )
38 }
39
rule__chrooted_configure () { # NOTE: is this actually useful at any point?
	# Switch the session to the neutral C locale, then re-read /etc/profile.
	# The "rule__" prefix keeps it out of rule_help unless --hidden is given.
	export LANG=C LC_CTYPE=C
	. /etc/profile
}
45
rule_apt_configure () {
	# APT sources and pinning: this Debian release, (disabled) backports and the OpenERP
	# nightly feed.
	# Pinning as written: release 170 < backports 200 < any unlisted source (default 500),
	# so whatever the OpenERP repository publishes outranks Debian's own packages — that
	# third-party nightly repo is fully trusted, and its signing key is not managed here.
	# NOTE(review): "a=" matches the archive/Suite name (stable, testing, …) while
	# $vm_lsb_name looks like a codename, which "n=" matches; check `apt-cache policy`.
	local apt=/etc/apt
	mk_reg mod= own= "$apt"/sources.list <<-EOF
		deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
		EOF
	mk_reg mod= own= "$apt"/sources.list.d/$vm_lsb_name-backports.list <<-EOF
		#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
		EOF
	mk_reg mod= own= "$apt"/preferences <<-EOF
		Package: *
		Pin: release a=$vm_lsb_name
		Pin-Priority: 170

		Package: *
		Pin: release a=$vm_lsb_name-backports
		Pin-Priority: 200
		EOF
	mk_reg mod= own= "$apt"/sources.list.d/openerp.list <<-EOF
		deb http://nightly.openerp.com/trunk/nightly/deb/ ./
		EOF
}
rule_apticron_configure () {
	# Install apticron and send its pending-upgrades reports to the admin address.
	# Only EMAIL is set; the commented keys are apticron's defaults, kept for reference.
	local conf=/etc/apticron/apticron.conf
	sudo apt-get install --reinstall apticron
	mk_reg mod=644 own=root:root "$conf" <<-EOF
		EMAIL="admin@heureux-cyclage.org"
		# DIFF_ONLY="1"
		# LISTCHANGES_PROFILE="apticron"
		# ALL_FQDNS="1"
		# SYSTEM="foobar.example.com"
		# IPADDRESSNUM="1"
		# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
		# NOTIFY_HOLDS="0"
		# NOTIFY_NEW="0"
		# NOTIFY_NO_UPDATES="0"
		# CUSTOM_SUBJECT=""
		# CUSTOM_NO_UPDATES_SUBJECT=""
		# CUSTOM_FROM="root@ateliers.heureux-cyclage.org"
		EOF
	sudo service apticron restart
}
rule_boot_configure () {
	# GRUB and kernel for a Xen PV guest: console on hvc0, static IP handed to the
	# initramfs (needed by the dropbear unlock, see rule_initramfs_configure), resume from
	# the encrypted swap. Ends by rebuilding the initramfs.
	local grub=/boot/grub
	sudo apt-get install --reinstall grub-pc # XXX: do NOT let the installer put GRUB on ANY of the disks it offers!
	# NOTE(review): 644 on a directory lacks the search (x) bit; 755 is the usual mode for
	# /boot/grub — confirm mk_dir does not add it on its own.
	mk_dir mod=644 own=root:root "$grub"
	sudo apt-get install --reinstall linux-image-$vm_arch
	# NOTE(review): resume= names ${vm}_swap_deciphered while /etc/crypttab
	# (rule_filesystem_configure) creates ${vm_lvm_lv}_swap_deciphered; they only agree
	# when vm_lvm_lv equals vm — confirm.
	mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
		GRUB_DEFAULT=0
		GRUB_TIMEOUT=5
		GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
		GRUB_CMDLINE_LINUX_DEFAULT="quiet"
		GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
		GRUB_DISABLE_RECOVERY="true"
		#GRUB_PRELOAD_MODULES="lvm"
		EOF
	# NOTE(review): both entries map (hd0); which one is right depends on where GRUB runs
	# (inside the guest via xvda, or from the host via the domU logical volume) — confirm.
	mk_reg mod=644 own=root:root "$grub"/device.map <<-EOF
		(hd0) /dev/xvda
		(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
		EOF
	sudo update-grub2 # NOTE: honours /boot/grub/device.map
	rule initramfs_configure
}
rule_etckeeper_configure () {
	# etckeeper: keep /etc under git, commits triggered by the apt hooks only (no daily
	# autocommit, no commit before install).
	# NOTE: /etc/.git then holds the full history of every secret in /etc (shadow, host
	# keys, …); etckeeper normally keeps it root-only, never push or copy it anywhere
	# less protected.
	local conf=/etc/etckeeper/etckeeper.conf
	mk_reg mod=644 own=root:root "$conf" <<-EOF
		VCS=git
		GIT_COMMIT_OPTIONS=""
		AVOID_DAILY_AUTOCOMMITS=1
		#AVOID_SPECIAL_FILE_WARNING=1
		AVOID_COMMIT_BEFORE_INSTALL=1
		HIGHLEVEL_PACKAGE_MANAGER=apt
		LOWLEVEL_PACKAGE_MANAGER=dpkg
		EOF
}
rule_filesystem_configure () {
	# fstab, crypttab and swap tuning for the LUKS-on-LVM layout.
	# Only the root volume is unlocked with a passphrase ("none"); var, home and swap are
	# opened with a key derived from root's master key (decrypt_derived), so one
	# passphrase unlocks everything. /tmp is a tmpfs mounted nosuid,nodev (not noexec).
	# NOTE(review): the trailing "# NOTE" on the vm.swappiness line is written into the
	# sysctl file; sysctl(8) takes the value literally, so verify with `sysctl -p` that
	# it is accepted, or move the note to its own line.
	local lv=$vm_lvm_lv vg=$vm_lvm_vg
	mk_reg mod=644 own=root:root /etc/fstab <<-EOF
		# <file system> <mount point> <type> <options> <dump> <pass>
		LABEL=${lv}_boot /boot ext2 defaults 0 0
		proc /proc proc defaults 0 0
		sysfs /sys sysfs defaults 0 0
		tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
		/dev/mapper/${lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
		/dev/mapper/${lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
		/dev/mapper/${lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
		/dev/mapper/${lv}_swap_deciphered swap swap sw 0 0
		EOF
	mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
		# <target name> <source device> <key file> <options>
		${lv}_root_deciphered /dev/$vg/${lv}_root none luks,lvm=$vg
		${lv}_var_deciphered /dev/$vg/${lv}_var ${lv}_root_deciphered luks,lvm=$vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
		${lv}_home_deciphered /dev/$vg/${lv}_home ${lv}_root_deciphered luks,lvm=$vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
		${lv}_swap_deciphered /dev/$vg/${lv}_swap ${lv}_root_deciphered luks,lvm=$vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
		EOF
	mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
		vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
		vm.vfs_cache_pressure=50
		EOF
}
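rule_initramfs_configure () {
	# Initramfs for unlocking the LUKS root remotely over SSH (dropbear).
	# Whoever holds a key listed in /etc/initramfs-tools/root/.ssh/authorized_keys gets a
	# root shell inside the initramfs and can unlock the disks: that is every member of
	# group sudo, whose ~/etc/ssh/authorized_keys are aggregated below.
	local line group x users user home
	mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
		MODULES=most
		BUSYBOX=y
		KEYMAP=y
		COMPRESS=gzip
		DEVICE=eth0
		EOF
	# Xen PV guest drivers.
	mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF
		alias eth0 xennet
		alias scsi_hostadapter xenblk
		EOF
	# Crypto modules needed to open the LUKS volumes of /etc/crypttab.
	mk_reg mod=644 own=root:root /etc/modules <<-EOF
		sha1_generic
		sha256_generic
		sha512_generic
		aes-x86_64
		xts
		# NOTE: pour Xen en mode HVM :
		#modprobe xen-platform-pci
		EOF
	mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF
		EOF
	# Work around Debian's init-premount/dropbear script backgrounding
	# configure_networking: drop the trailing "&" so dropbear only starts once the
	# network is up.
	# NOTE: this patches a package-owned file; an initramfs-tools upgrade reverts it.
	sudo sed -e '/^configure_networking /s/ &$//' \
		-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# Generate the dropbear RSA host key unless etc/openssh/known_hosts already carries
	# an RSA entry for init.$vm_fqdn (matched on a line ending in " RSA" — presumably a
	# trailing comment on the entries this repo keeps there; confirm against the file).
	# `exit` replaces the former return/break pair: inside ( ) it ends the subshell with
	# that status, which is all the || below needs.
	# NOTE(review): a freshly generated key is not written back to known_hosts here, so
	# until that is done by hand every run produces a new host key and clients see a
	# host-key mismatch at the next unlock — confirm the intended workflow.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	 ( while IFS= read -r line
	   do case $line in (*" RSA") exit 0;; esac
	   done; exit 1 ) ||
	 {
		# dropbearkey refuses to overwrite an existing key file.
		sudo rm -f \
			/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
			/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
		sudo dropbearkey -t rsa -s 4096 -f \
			/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	 }
	# NOTE: dropbear_dss_host_key is left alone; Debian generates and uses it anyway.
	# Directories need the search bit: 0700 (was 0640, which makes no sense for a dir).
	mk_dir mod=700 own=root:root \
		/etc/initramfs-tools/root \
		/etc/initramfs-tools/root/.ssh
	# Aggregate the keys of every sudo member. Home directories come from passwd via
	# getent rather than from eval'ing a "~$user" expansion, so a user name can never be
	# interpreted as shell code.
	# NOTE: /bin/sh has no pipefail — a member lacking ~/etc/ssh/authorized_keys aborts
	# the producer and mk_reg silently receives a truncated list; check the result.
	getent group sudo |
	 while IFS=: read -r group x x users
	 do while test -n "$users" && IFS=, read -r user users <<-EOF
			$users
			EOF
	    do home=$(getent passwd "$user" | cut -d: -f6)
	       cat "${home:?no passwd entry for $user}"/etc/ssh/authorized_keys
	    done
	 done |
	 mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
	# Debian's packaging generates a client key pair for root inside the initramfs;
	# nothing here uses it, so it is removed rather than shipped in the image.
	sudo rm -f \
		/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
		/etc/initramfs-tools/root/.ssh/id_rsa.pub \
		/etc/initramfs-tools/root/.ssh/id_rsa
	sudo update-initramfs -u
}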
rule_locale_configure () {
	# Single generated locale: fr_FR.UTF-8.
	# NOTE(review): update-locale only rewrites /etc/default/locale; the locale itself is
	# compiled by locale-gen (normally run by the locales package) — confirm it runs.
	local gen=/etc/locale.gen
	mk_reg mod=644 own=root:root "$gen" <<-EOF
		fr_FR.UTF-8 UTF-8
		EOF
	sudo update-locale
}
rule_login_configure () {
	# Console logins and account policy: root allowed on the Xen consoles (hvc0/xvc0), a
	# sysvinit inittab with a getty on hvc0, login.defs (SHA-512 hashes, umask 007, three
	# login retries) and pam_umask so the umask also applies to non-login sessions.
	# NOTE: PASS_MAX_DAYS 99999 means passwords never expire (Debian's default); SSH
	# logins are key-only anyway (see rule_user_configure).
	local tty
	for tty in hvc0 xvc0
	do grep -q "^$tty\$" /etc/securetty ||
	   mk_reg mod= own= --append /etc/securetty <<-EOF
		$tty
		EOF
	done
	mk_reg mod=644 own=root:root /etc/inittab <<-EOF
		# /etc/inittab: init(8) configuration.

		# The default runlevel.
		id:2:initdefault:

		# Boot-time system configuration/initialization script.
		# This is run first except when booting in emergency (-b) mode.
		si::sysinit:/etc/init.d/rcS

		# What to do in single-user mode.
		~~:S:wait:/sbin/sulogin

		# /etc/init.d executes the S and K scripts upon change
		# of runlevel.
		#
		# Runlevel 0 is halt.
		# Runlevel 1 is single-user.
		# Runlevels 2-5 are multi-user.
		# Runlevel 6 is reboot.

		l0:0:wait:/etc/init.d/rc 0
		l1:1:wait:/etc/init.d/rc 1
		l2:2:wait:/etc/init.d/rc 2
		l3:3:wait:/etc/init.d/rc 3
		l4:4:wait:/etc/init.d/rc 4
		l5:5:wait:/etc/init.d/rc 5
		l6:6:wait:/etc/init.d/rc 6
		# Normally not reached, but fallthrough in case of emergency.
		z6:6:respawn:/sbin/sulogin

		# What to do when CTRL-ALT-DEL is pressed.
		ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

		# What to do when the power fails/returns.
		pf::powerwait:/etc/init.d/powerfail start
		pn::powerfailnow:/etc/init.d/powerfail now
		po::powerokwait:/etc/init.d/powerfail stop

		# Xen hypervisor console
		hvc:2345:respawn:/sbin/getty 38400 hvc0
		#xvc:2345:respawn:/sbin/getty 38400 xvc0
		EOF
	mk_reg mod=644 own=root:root /etc/login.defs <<-EOF
		MAIL_DIR /var/mail
		FAILLOG_ENAB yes
		LOG_UNKFAIL_ENAB no
		LOG_OK_LOGINS no
		SYSLOG_SU_ENAB yes
		SYSLOG_SG_ENAB yes
		FTMP_FILE /var/log/btmp
		SU_NAME su
		HUSHLOGIN_FILE .hushlogin
		ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
		ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
		# NOTE: met les sbin/ dans ENV_PATH ;
		# - ça n'apporte aucune protection de ne pas les mettre ;
		# - ça frustre de ne pas les trouver.
		TTYGROUP tty
		TTYPERM 0600
		ERASECHAR 0177
		KILLCHAR 025
		UMASK 007
		# NOTE: rwxrwx--- ;
		# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
		# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
		PASS_MAX_DAYS 99999
		PASS_MIN_DAYS 0
		PASS_WARN_AGE 7
		UID_MIN 1000
		UID_MAX 60000
		GID_MIN 1000
		GID_MAX 60000
		LOGIN_RETRIES 3
		LOGIN_TIMEOUT 60
		CHFN_RESTRICT rwh
		DEFAULT_HOME yes
		USERGROUPS_ENAB yes
		ENCRYPT_METHOD SHA512
		EOF
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	 mk_reg mod= own= --append /etc/pam.d/common-session <<-EOF
		session optional pam_umask.so
		EOF
}
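rule_network_configure () {
	# Hostname, /etc/hosts entry and a single /32 on eth0 (logical name "grenode") whose
	# gateway is the VM's own address — the upstream router runs proxy_arp.
	# Fix: the "proxy_arp" note used to sit on the gateway line itself; interfaces(5)
	# does not support end-of-line comments, so it was part of the gateway value.
	# It now stands on its own line.
	# NOTE(review): post-up re-adds $vm_ipv4/32, which "address … netmask
	# 255.255.255.255" already configured; confirm ifup tolerates the "File exists" error.
	mk_reg mod= own= /etc/hostname <<-EOF
		$vm
		EOF
	grep -q " $vm\$" /etc/hosts ||
	 mk_reg mod= own= --append /etc/hosts <<-EOF
		127.0.0.1 $vm_fqdn $vm
		EOF
	mk_reg mod= own= /etc/network/interfaces <<-EOF
		auto lo
		iface lo inet loopback

		auto eth0=grenode
		iface grenode inet static
		address $vm_ipv4
		# NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
		gateway $vm_ipv4
		network $vm_ipv4
		broadcast $vm_ipv4
		netmask 255.255.255.255
		#mtu 1300
		post-up ip address add $vm_ipv4/32 dev \$IFACE
		pre-down ip address delete $vm_ipv4/32 dev \$IFACE
		EOF
}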
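rule_user_configure () {
	# Skeleton for new accounts (~/etc, ~/var, ~/tmp layout; ~/.ssh and ~/.gnupg are links
	# into ~/etc), the OpenSSH server (single RSA host key, key-only logins) and the sudo
	# rules letting members of group sudo set their own first password.
	# Changes: the duplicated /etc/skel/tmp line is gone; /etc/skel/etc/gpg is created
	# so the ~/.gnupg link is not dangling on new accounts (root gets /root/etc/gpg in
	# rule_user_root_configure); sshd_config is 0644 instead of group-writable 0664; root
	# may only log in with a key (without-password — password auth is already off, this
	# keeps root key-only even if PasswordAuthentication is ever switched back on).
	local line
	mk_dir mod=750 own="root:adm" /etc/skel/etc
	mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
	# NOTE(review): 770 on etc/ssh (= ~/.ssh) trips sshd's StrictModes check for
	# group-writable directories if adduser copies skel modes unchanged — verify key
	# logins on a freshly created account.
	mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/etc/gpg
	mk_dir mod=700 own="root:adm" /etc/skel/var
	mk_dir mod=700 own="root:adm" /etc/skel/var/log
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/tmp
	mk_lnk etc/ssh /etc/skel/.ssh
	mk_lnk etc/gpg /etc/skel/.gnupg
	# Generate the RSA host key unless etc/openssh/known_hosts already has an RSA entry
	# for this host (lines ending in " RSA" — confirm against the file). ssh-keygen asks
	# before overwriting an existing key: answer n and record the existing key in
	# known_hosts if that is what is wanted.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	 ( while IFS= read -r line
	   do case $line in (*" RSA") exit 0;; esac
	   done; exit 1 ) ||
	 sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	# Only the RSA key is configured below; drop the DSA/ECDSA keys Debian generated.
	sudo rm -f \
		/etc/ssh/ssh_host_dsa_key \
		/etc/ssh/ssh_host_dsa_key.pub \
		/etc/ssh/ssh_host_ecdsa_key \
		/etc/ssh/ssh_host_ecdsa_key.pub
	# Listens on the VM address only; public-key auth only (no password, no
	# challenge-response, no host-based); keys read from ~/etc/ssh/authorized_keys.
	# KeyRegenerationInterval/ServerKeyBits/RSAAuthentication only concern protocol 1,
	# which is disabled; harmless, kept for older sshd.
	mk_reg mod=644 own=root:root /etc/ssh/sshd_config <<-EOF
		Port 22
		ListenAddress $vm_ipv4
		#ListenAddress ::
		Protocol 2
		Compression yes
		HostKey /etc/ssh/ssh_host_rsa_key
		UsePrivilegeSeparation yes
		KeyRegenerationInterval 3600
		ServerKeyBits 768
		SyslogFacility AUTH
		LogLevel INFO
		LoginGraceTime 120
		PermitRootLogin without-password
		StrictModes yes
		RSAAuthentication yes
		PubkeyAuthentication yes
		AuthorizedKeysFile %h/etc/ssh/authorized_keys
		IgnoreRhosts yes
		RhostsRSAAuthentication no
		HostbasedAuthentication no
		IgnoreUserKnownHosts no
		PermitEmptyPasswords no
		ChallengeResponseAuthentication no
		PasswordAuthentication no
		KerberosAuthentication no
		GSSAPIAuthentication no
		X11Forwarding no
		X11DisplayOffset 10
		PrintMotd no
		DebianBanner no
		PrintLastLog yes
		TCPKeepAlive yes
		ClientAliveInterval 0
		AcceptEnv LANG LC_*
		Subsystem sftp /usr/lib/openssh/sftp-server
		UsePAM yes
		EOF
	sudo service ssh restart
	# Members of sudo may run, without a password, exactly this sh command, which sets
	# their own password only while passwd reports the account as locked ("L", the state
	# left by adduser --disabled-password). The argument string must match what
	# /usr/local/sbin/passwd-init below passes byte for byte — check with `sudo -l`
	# after editing either side.
	mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
		%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
		case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
		("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
		EOF
	mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
		%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
		EOF
	# NOTE(review): "env_keep =" replaces sudo's default keep list (TERM, LANG, DISPLAY, …)
	# instead of extending it ("+="); confirm that is intended.
	mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-EOF
		Defaults env_keep = " \\
		EDITOR \\
		GIT_AUTHOR_NAME \\
		GIT_AUTHOR_EMAIL \\
		GIT_COMMITTER_NAME \\
		GIT_COMMITTER_EMAIL \\
		"
		EOF
	# Wrapper users run to set their first password (see the sudoers rule above).
	mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-EOF
		#!/bin/sh
		sudo /bin/sh -e -f -u -c \
		'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
		EOF
}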
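rule_user_root_configure () {
	# root's ~/etc layout (with ~/.ssh and ~/.gnupg linked into it), an authorized_keys
	# aggregating every sudo member's keys, and the project's OpenPGP public keys.
	# Home directories are looked up with getent instead of eval'ing a "~$user"
	# expansion, so a user name can never be interpreted as shell code.
	# NOTE: every sudo member can thereby also log in directly as root over SSH with their
	# own key (sshd permits key-based root logins, see rule_user_configure).
	local group x users user home key
	mk_dir mod=750 own=root:root /root/etc
	mk_dir mod=750 own=root:root /root/etc/ssh
	mk_dir mod=750 own=root:root /root/etc/gpg
	mk_lnk etc/gpg /root/.gnupg
	mk_lnk etc/ssh /root/.ssh
	# NOTE: /bin/sh has no pipefail — a member lacking ~/etc/ssh/authorized_keys aborts
	# the producer and mk_reg silently receives a truncated list; check the result.
	getent group sudo |
	 while IFS=: read -r group x x users
	 do while test -n "$users" && IFS=, read -r user users <<-EOF
			$users
			EOF
	    do home=$(getent passwd "$user" | cut -d: -f6)
	       cat "${home:?no passwd entry for $user}"/etc/ssh/authorized_keys
	    done
	 done |
	 mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
	# Globbing is off script-wide (set -f); re-enable it for this loop only
	# ("local -" restores the shell options on return).
	local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo gpg --import "$key"
	done
}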
rule_bin_configure () {
	# Expose this script system-wide as /usr/local/sbin/vm_hosted.
	# NOTE: the link target is "$tool"/vm_hosted as given — relative, hence fragile, when
	# the script was invoked by a relative path.
	local bindir=/usr/local/sbin/
	mk_lnk "$tool"/vm_hosted "$bindir"
}
rule_configure () {
	# Full configuration pass, in dependency order.
	# Not part of it: user_configure (skel, sshd, sudoers), apticron_configure and the
	# mail rules — run those explicitly; user_admin_add relies on user_configure's skel.
	local step
	for step in \
		etckeeper_configure \
		locale_configure \
		network_configure \
		apt_configure \
		filesystem_configure \
		login_configure \
		user_root_configure \
		boot_configure \
		bin_configure
	do rule "$step"
	done
}
442
rule_disk_key_change () {
	# Interactively change a passphrase key slot of the LUKS root volume.
	# NOTE: var, home and swap are opened with a key derived from the root volume's master
	# key (decrypt_derived in /etc/crypttab) and luksChangeKey only rewrites a passphrase
	# slot, so they need no change: one passphrase still unlocks everything.
	local root_lv=/dev/$vm_lvm_vg/${vm_lvm_lv}_root
	sudo cryptsetup luksChangeKey "$root_lv"
}
446
rule_user_admin_configure () {
	# Re-propagate the current set of sudo members' keys to the two places that grant
	# root: the initramfs (dropbear unlock) and root's own authorized_keys.
	local step
	for step in initramfs_configure user_root_configure
	do rule "$step"
	done
}
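rule_user_admin_add () { # SYNTAX: $user
	# Create (if needed) a passwordless account, make it a sudoer, install its public SSH
	# key from var/pub/ssh/$user.key and the project's OpenPGP keys, then propagate the
	# new key set to the initramfs and to root (rule user_admin_configure).
	# Relies on rule_user_configure having populated /etc/skel (~/etc/ssh must exist).
	# The home directory is taken from passwd via getent rather than by eval'ing a
	# "~$user" expansion, and a missing passwd entry now aborts instead of silently
	# writing under a literal "~$user" path.
	local user=$1 home key
	id "$user" >/dev/null ||
	 sudo adduser --disabled-password "$user"
	# NOTE: the password is set by the user themself with passwd-init (see the sudoers
	# rule in rule_user_configure).
	home=$(getent passwd "$user" | cut -d: -f6)
	: "${home:?no passwd entry for $user}"
	sudo adduser "$user" sudo
	mk_reg mod=640 own=$user:$user "$home"/etc/ssh/authorized_keys \
		<"$tool"/var/pub/ssh/"$user".key
	# Globbing is off script-wide (set -f); re-enable it for this loop only.
	local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do sudo -u "$user" gpg --import "$key"
	done
	rule user_admin_configure
}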
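rule_user_mail_format () {
	# Mail stack configuration: per-user procmail recipe (via /etc/skel), postfix,
	# dovecot (IMAP) and an empty postgrey recipient whitelist.
	mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
	mk_dir mod=770 own=root:adm /etc/skel/var/mail
	mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
	# procmail delivery recipe copied into every new home. It forwards each message to
	# the address found in the 5th comma-separated GECOS field of the user's /etc/passwd
	# entry; the IMAP and UUCP branches are commented out.
	# Fix: the backticks on the LOGFILE, EMAIL and FROM_ lines are now escaped like the
	# `\$` around them so they reach procmail literally. Unescaped, the shell writing this
	# heredoc ran them itself (sed over the admin's own passwd entry, formail reading the
	# script's stdin, ln inside the admin's $HOME) and baked the results into the skel.
	mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
		# vim: ft=procmail

		# NOTE: paramètres passés par postfix
		SENDER=\$1
		RECIPIENT=\$2
		USER=\$3
		EXTENSION=\$4
		DOMAIN=\$5
		ORIGINAL_RECIPIENT=\$6

		PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
		MAILDIR="\$HOME/var/mail/"
		DEFAULT="\$MAILDIR"
		#LOGFILE=\`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"\`
		LOGFILE="/dev/null"
		LOGABSTRACT=all
		LOGABSTRACT
		VERBOSE
		SHELL=/bin/sh
		SHELLMETAS=&|<>~;?*%{}

		# DESCRIPTION: supprime les doublons en fonction du champ Message-Id
		#:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
		#| formail -D 8192 "\$HOME/var/cache/procmail/msgid"

		# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
		EMAIL=\`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"\`
		# NOTE: récupère l’adresse courriel dans le champ GECOS
		FROM_=\`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'\`
		# NOTE: récupère l’expéditeur inscrit sur l’enveloppe
		:0
		| \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"

		# DESCRIPTION: IMAP
		#:0
		#| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"

		# DESCRIPTION: UUCP
		#:0
		#| /usr/bin/uux \
		# -I "\$HOME/etc/uucp/uucp.cfg" \
		# --nouucico \
		# --notification=error \
		# --requestor "\$USER" \
		# - "\$USER!rmail" "(\$USER)"
		EOF
	# Postfix main.cf, mode 0644 (was group-writable 0664). Continuation lines of
	# multi-line values start with a space: `<<-` strips tabs only, and postfix treats a
	# line without leading whitespace as a new parameter. Verify with `postconf -n`.
	# NOTE(review): smtpd_tls_mandatory_protocols = TLSv1 is an exclusive list (TLS 1.0
	# only; "!SSLv2, !SSLv3" as used for smtp_tls_protocols would admit newer versions);
	# both *_tls_fingerprint_digest are sha1 — any fingerprint stored in the
	# relay_clientcerts / tls policy maps must be re-recorded if this is changed;
	# smtpd_discard_ehlo_keywords = starttls with smtpd_tls_auth_only = yes means this
	# smtpd never offers AUTH — presumably a separate submission service in master.cf does.
	mk_reg mod=644 own=root:root /etc/postfix/main.cf <<-EOF
		# /etc/postfix/main.cf
		# SEE: http://postfix.traduc.org/index.php/TLS_README.html

		parent_domain_matches_subdomains =
		#debug_peer_list
		#fast_flush_domains
		#mynetworks
		#permit_mx_backup_networks
		#qmqpd_authorized_clients
		#smtpd_access_maps
		mydomain = $vm_domainname
		myorigin = \$mydomain
		myhostname = $vm_hostname.\$mydomain
		mail_name = \$myhostname
		mydestination =
		 $vm_hostname
		 \$myhostname
		 \$myorigin
		mynetworks =
		 127.0.0.0/8
		#[::1]/128
		inet_protocols = ipv4
		# "all" to activate IPv6
		inet_interfaces = all
		permit_mx_backup_networks =

		alias_database =
		 hash:/etc/aliases
		# NOTE: fichier de hash contenant une table d’alias mail.
		# Celle-ci est éditable dans /etc/aliases, puis (indispensable)
		# regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
		alias_maps =
		 hash:/etc/aliases
		recipient_delimiter = +
		# NOTE: séparateur entre le nom d’utilisateur
		# et les extensions d’adresse (par défaut le signe +).
		#virtual_alias_domains =
		virtual_alias_maps =
		 hash:/etc/postfix/\$mydomain/virtual
		# NOTE: do not specify virtual alias domain names in the main.cf
		# mydestination or relay_domains configuration parameters.
		#
		# With a virtual alias domain, the Postfix SMTP server
		# accepts mail for known-user@virtual-alias.domain, and
		# rejects mail for unknown-user@virtual-alias.domain as
		# undeliverable.
		#relayhost =
		relay_clientcerts =
		 hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
		relay_domains =
		 \$mydestination
		# NOTE: ajouter les domaines pour lesquels on est backup MX ici,
		# pas dans mydestination ou virtual_alias...

		maximal_queue_lifetime = 5d

		header_checks =
		 regexp:/etc/postfix/\$mydomain/header_checks
		mime_header_checks =
		nested_header_checks =
		milter_header_checks =
		body_checks =

		#content_filter = amavisfeed:[127.0.0.1]:10024
		#receive_override_options = no_address_mappings
		# no_unknown_recipient_checks
		# Do not try to reject unknown recipients (SMTP server only).
		# This is typically specified AFTER an external content filter.
		# no_address_mappings
		# Disable canonical address mapping, virtual alias map expansion,
		# address masquerading, and automatic BCC (blind carbon-copy) recipients.
		# This is typically specified BEFORE an external content filter (eg. amavis).
		# no_header_body_checks
		# Disable header/body_checks. This is typically specified AFTER an external content filter.
		# no_milters
		# Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
		#local_header_rewrite_clients =
		transport_maps =
		 hash:/etc/postfix/\$mydomain/transport_maps
		mailbox_command =
		 /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
		mailbox_size_limit = 0
		biff = no
		# Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
		append_dot_mydomain = no
		# appending .domain is the MUA's job.

		#tls_random_source =
		# dev:/dev/urandom
		# Non-blocking
		#tls_random_reseed_period = 3600s
		#tls_random_exchange_name =
		# \${data_directory}/prng_exch
		# NOTE: à ne pas mettre dans la cage chroot
		#tls_random_bytes = 32
		#tls_random_prng_update_period = 3600s
		#tls_high_cipherlist = AES256-SHA
		# NOTE: postconf(5) déconseille de changer ceci

		#smtp_cname_overrides_servername = no
		smtp_connect_timeout = 60s
		#smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
		#smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
		#smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
		#smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
		#smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
		# NOTE: déprécié en faveur de smtp_tls_policy_maps
		smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
		smtp_tls_fingerprint_digest = sha1
		smtp_tls_scert_verifydepth = 5
		#smtp_tls_secure_cert_match = nexthop, dot-nexthop
		#smtp_tls_verify_cert_match = hostname
		#smtp_tls_note_starttls_offer = yes
		smtp_tls_loglevel = 1
		smtp_tls_protocols = !SSLv2, !SSLv3
		# Only allow TLSv*
		smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
		#smtp_tls_session_cache_timeout = 3600s
		smtp_tls_security_level = may
		smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
		smtp_body_checks =
		smtp_mime_header_checks =
		smtp_nested_header_checks =

		smtpd_starttls_timeout = 300s
		smtpd_banner =
		 \$myhostname ESMTP \$mail_name (Debian/GNU)

		# Restrictions
		smtpd_helo_required = yes
		strict_rfc821_envelopes = yes
		smtpd_authorized_xclient_hosts = 127.0.0.1
		# NOTE: utile pour tester les restrictions

		smtpd_helo_restrictions =
		 reject_invalid_helo_hostname
		 reject_non_fqdn_helo_hostname
		#reject_unknown_helo_hostname
		# NOTE: pourrait pourtant être utile pour lutter contre le spam
		 permit

		smtpd_sender_restrictions =
		 permit_mynetworks
		 permit_tls_clientcerts
		 permit_sasl_authenticated
		 check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
		 check_sender_access hash:/etc/postfix/sender_blacklist
		 reject_unauth_pipelining
		 reject_non_fqdn_sender
		#reject_unknown_sender_domain
		# NOTE: temporaire
		 permit

		smtpd_client_new_tls_session_rate_limit = 0
		smtpd_client_event_limit_exceptions = \$mynetworks
		smtpd_client_recipient_rate_limit = 0
		smtpd_client_connection_count_limit = 50
		smtpd_client_connection_rate_limit = 0
		smtpd_client_message_rate_limit = 0
		smtpd_client_port_logging = no

		smtpd_client_restrictions =
		 check_client_access hash:/etc/postfix/client_blacklist

		policy_time_limit = 3600
		default_extra_recipient_limit = 5000
		duplicate_filter_limit = 5000
		smtpd_recipient_limit = 5000
		smtpd_recipient_overshoot_limit = 5000
		smtpd_recipient_restrictions =
		 reject_non_fqdn_recipient
		#reject_invalid_hostname
		# NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
		# dans smtpd_helo_restrictions
		 reject_unknown_recipient_domain
		#reject_non_fqdn_sender
		# NOTE: dans smtpd_sender_restrictions
		 reject_unauth_pipelining
		# NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
		 permit_mynetworks
		 permit_tls_clientcerts
		 permit_sasl_authenticated
		 reject_unauth_destination
		# NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
		# ou quelqu'un pour lequel on tient lieu de backup_mx
		 check_policy_service inet:127.0.0.1:10023
		# NOTE: Postgrey (greylisting)
		 check_policy_service unix:private/spfcheck
		 permit_auth_destination
		# NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
		# (voir permit_auth_destination) ; sans doute redondant
		 reject
		#check_relay_domains <- removed from postfix
		#reject_unknown_sender_domain
		# aurait probablement été mieux dans smtpd_sender_restrictions
		#reject_rbl_client bl.spamcop.net
		#reject_rbl_client list.dsbl.org
		#reject_rbl_client zen.spamhaus.org
		#reject_rbl_client dnsbl.sorbs.net

		smtpd_data_restrictions =
		 reject_unauth_pipelining
		# NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
		 permit

		#smtpd_end_of_data_restrictions =

		#smtpd_restriction_classes =

		smtpd_error_sleep_time = 5
		# NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.

		# SASL
		smtpd_sasl_auth_enable = yes
		smtpd_sasl_type = dovecot
		smtpd_sasl_path = private/auth
		smtpd_sasl_security_options = noanonymous
		smtpd_sasl_domain = \$mydomain

		# SMTPD TLS
		smtpd_discard_ehlo_keywords = starttls
		# NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
		# se mangent une erreur en tentant un starttls
		smtpd_tls_fingerprint_digest = sha1
		# sha512 ?
		smtpd_tls_mandatory_protocols = TLSv1
		smtpd_tls_mandatory_ciphers = high
		smtpd_tls_ciphers = high
		# restrictif. s/high/medium/ ?
		smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
		smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
		smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
		smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
		##
		#smtpd_tls_received_header = no
		smtpd_tls_session_cache_database =
		 btree:/var/lib/postfix/smtpd_tls_session_cache
		#smtpd_tls_session_cache_timeout = 3600s
		smtpd_tls_security_level = may
		# Postfix 2.3 and later
		# encrypt
		# Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
		# encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
		# SMTP server. Instead, this option should be used only on dedicated servers.
		smtpd_tls_loglevel = 1
		smtpd_tls_ccert_verifydepth = 5
		smtpd_tls_auth_only = yes
		# Pas d'AUTH SASL sans TLS
		smtpd_tls_ask_ccert = no
		smtpd_tls_req_ccert = no
		#smtpd_tls_always_issue_session_ids = yes
		smtpd_peername_lookup = yes
		# Nécessaire pour postgrey, etc
		smtpd_milters =
		non_smtpd_milters =
		line_length_limit = 2048
		queue_minfree = 0
		message_size_limit = 20480000
		#smtpd_enforce_tls # NOTE: obsolète
		#smtpd_use_tls # NOTE: obsolète
		#smtpd_tls_cipherlist # NOTE: obsolète

		readme_directory = no
		#delay_warning_time = 4h
		# NOTE: uncomment the previous line to generate "delayed mail" warnings
		#debug_peer_level = 4
		#debug_peer_list = .\$myhostname
		EOF
	# Dovecot: IMAP only, TLS client certificate required (the login name is taken from
	# the certificate), per-user passdb files, SASL socket shared with postfix.
	# Mode 0644 (was group-writable 0664).
	# NOTE(review): the passdb is a file inside the user's own home
	# (/home/%u/etc/dovecot/passwd), so each user fully controls its contents;
	# ssl_cipher_list = AES256-SHA is a single cipher without forward secrecy;
	# mail_debug / verbose_ssl = yes are debugging levels best left off in production.
	mk_reg mod=644 own=root:root /etc/dovecot/dovecot.conf <<-EOF
		auth_ssl_username_from_cert = yes
		listen = *
		log_timestamp = "%Y-%m-%d %H:%M:%S "
		mail_debug = yes
		mail_location = maildir:~/var/mail
		mail_privileged_group = mail
		passdb {
		args = /home/%u/etc/dovecot/passwd
		driver = passwd-file
		}
		protocols = imap
		service auth {
		unix_listener /var/spool/postfix/private/auth {
		group = postfix
		mode = 0660
		user = postfix
		}
		user = root
		}
		ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
		ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
		ssl_cipher_list = AES256-SHA
		ssl_key = </etc/dovecot/imap/tls/key.pem
		ssl_verify_client_cert = yes
		userdb {
		driver = passwd
		}
		verbose_ssl = yes
		protocol lda {
		auth_socket_path = /var/run/dovecot/auth-master
		hostname = $vm_domainname
		info_log_path = /var/log/dovecot/lda/info.log
		log_path = /var/log/dovecot/lda/error.log
		mail_plugins = sieve
		postmaster_address = contact+dovecot+lda@$vm_domainname
		}
		EOF
	# Empty local postgrey recipient whitelist, mode 0644 (was 0664).
	mk_reg mod=644 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
		EOF
}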
rule_mail_configure () {
	# Install the mail stack configured by rule_user_mail_format.
	# NOTE(review): Debian ships dovecot as dovecot-core / dovecot-imapd (plus
	# dovecot-sieve for the lda "sieve" plugin used in dovecot.conf) — confirm "dovecot"
	# resolves to a package. apt-get is interactive here (no -y).
	local packages="postfix postgrey dovecot"
	sudo apt-get install $packages
}
830
# Dispatch: the first argument names the rule (default: help), the rest are passed on.
rule=${1:-help}
# Drop the rule name from "$@" only when one was actually given.
[ $# -eq 0 ] || shift
# Every rule but help refuses to run on any machine other than the configured VM — a
# guard against applying these system-wide changes to the wrong host.
if [ "$rule" != help ]
then assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
fi
rule $rule "$@"