#!/bin/sh
# vm_hosted: administration rules run from inside the hosted VM (see rule_help).
# DRY_RUN set in the environment adds -n: the script is parsed, nothing runs.
set -e -f -u
[ -z "${DRY_RUN:-}" ] || set -n
# Directory of this script; lib/ and etc/ are looked up relative to it.
# NOTE(review): ${0%/*} is the path as invoked — through the /usr/local/sbin
# symlink made by rule_bin_init, or a bare name with no slash, it does not point
# at the checkout; confirm lib/ and etc/ are still found in those cases.
tool=${0%/*}
. "$tool"/lib/functions.sh
. "$tool"/etc/vm.sh
6
rule_help () { # SYNTAX: [--hidden]
	# Print usage to stderr.  The rule and variable lists are harvested with
	# sed from etc/vm.sh and from this script; unless --hidden is given, rules
	# whose name starts with an underscore (rule__*) are left out.
	local hidden
	case ${1:-} in
	('') hidden=set;;
	esac
	cat >&2 <<-EOF
	DESCRIPTION:
	ce script regroupe des règles pour administrer la VM ($vm_fqdn)
	_depuis_ la VM hébergée ($vm_fqdn) ;
	il sert à la fois d'outil (aisément bidouillable)
	et de documentation (préçise).
	Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
	SYNTAX: $0 \$RULE \${RULE}_SYNTAX
	RULES:
	$(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
	ENVIRONMENT:
	TRACE # affiche les commandes avant leur exécution
	$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
	EOF
}
24
rule_git_config () {
	# Make branch "master" of the tool checkout track the local ref
	# refs/remotes/master (what rule_git_reset resets onto).
	(
		cd "$tool" || exit
		git config --replace branch.master.remote .
		git config --replace branch.master.merge refs/remotes/master
	)
}
32 rule_git_reset () {
33 (
34 cd "$tool"
35 git checkout -f -B master remotes/master
36 git clean -f -d -x
37 )
38 }
39
rule__chrooted_init () { # NOTE: is this really useful at some point?
	# Force a C locale into the environment, then re-read the system profile
	# (the name suggests use inside a chroot).
	LANG=C
	LC_CTYPE=C
	export LANG LC_CTYPE
	. /etc/profile
}
45
rule_apt_init () {
	# APT sources and pinning for the VM's Debian release ($vm_lsb_name).
	mk_reg mod= own= /etc/apt/sources.list <<-EOF
	deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
	EOF
	# Backports source shipped disabled (commented out); the pin below still names it.
	mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
	#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
	EOF
	# Priorities: base suite 170, backports 200 — so once backports are enabled
	# they win over the base suite.  NOTE(review): confirm that ordering is intended.
	mk_reg mod= own= /etc/apt/preferences <<-EOF
	Package: *
	Pin: release a=$vm_lsb_name
	Pin-Priority: 170

	Package: *
	Pin: release a=$vm_lsb_name-backports
	Pin-Priority: 200
	EOF
	# NOTE(review): third-party nightly ("trunk") repository over plain http, and
	# no signing key is installed by this rule, so apt cannot authenticate it
	# unless the key is provisioned elsewhere — confirm; a signed, pinned
	# release would be preferable.
	mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
	deb http://nightly.openerp.com/trunk/nightly/deb/ ./
	EOF
}
rule_apticron_init () {
	# Install apticron and point its update reports at the admin mailbox;
	# the remaining options are left commented out.
	sudo apt-get install --reinstall apticron
	mk_reg mod=644 own=root:root /etc/apticron/apticron.conf <<-EOF
	EMAIL="admin@heureux-cyclage.org"
	# DIFF_ONLY="1"
	# LISTCHANGES_PROFILE="apticron"
	# ALL_FQDNS="1"
	# SYSTEM="foobar.example.com"
	# IPADDRESSNUM="1"
	# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
	# NOTIFY_HOLDS="0"
	# NOTIFY_NEW="0"
	# NOTIFY_NO_UPDATES="0"
	# CUSTOM_SUBJECT=""
	# CUSTOM_NO_UPDATES_SUBJECT=""
	# CUSTOM_FROM="root@ateliers.heureux-cyclage.org"
	EOF
	sudo service apticron restart
}
rule_boot_init () {
	# GRUB + kernel for the Xen guest, then the initramfs (rule_initramfs_init).
	sudo apt-get install --reinstall grub-pc # XXX: do NOT let the package install GRUB on ANY of the disks it offers!
	# NOTE(review): 644 on a directory has no search (x) bit — 755 would be
	# conventional for /boot/grub; confirm mk_dir does not adjust it.
	mk_dir mod=644 own=root:root /boot/grub
	sudo apt-get install --reinstall linux-image-$vm_arch
	# Kernel command line: serial console on hvc0, static ip= for the initramfs
	# (pre-boot SSH, see rule_initramfs_init) and resume from the swap volume.
	# NOTE(review): resume= names ${vm}_swap_deciphered while fstab/crypttab in
	# rule_filesystem_init use ${vm_lvm_lv}_swap_deciphered — confirm $vm and
	# $vm_lvm_lv expand to the same name.
	mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
	GRUB_DEFAULT=0
	GRUB_TIMEOUT=5
	GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
	GRUB_CMDLINE_LINUX_DEFAULT="quiet"
	GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
	GRUB_DISABLE_RECOVERY="true"
	#GRUB_PRELOAD_MODULES="lvm"
	EOF
	# device.map: the same disk seen from inside the guest (xvda) and from the
	# host's device-mapper name (dashes doubled, as dm does).
	mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF
	(hd0) /dev/xvda
	(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
	EOF
	sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
	rule initramfs_init
}
rule_etckeeper_init () {
	# Track /etc in git with etckeeper; automatic daily commits and the
	# pre-install commit are disabled, so commits happen explicitly
	# (see the "etckeeper unclean" sudoers rule in rule_user_init).
	mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF
	VCS=git
	GIT_COMMIT_OPTIONS=""
	AVOID_DAILY_AUTOCOMMITS=1
	#AVOID_SPECIAL_FILE_WARNING=1
	AVOID_COMMIT_BEFORE_INSTALL=1
	HIGHLEVEL_PACKAGE_MANAGER=apt
	LOWLEVEL_PACKAGE_MANAGER=dpkg
	EOF
}
rule_filesystem_init () {
	# fstab/crypttab for the LVM+LUKS layout: /boot in clear, root, var, home
	# and swap as LUKS volumes.  var/home/swap are opened with a key derived
	# from the root volume (decrypt_derived), so presumably only the root
	# passphrase has to be entered.
	mk_reg mod=644 own=root:root /etc/fstab <<-EOF
	# <file system> <mount point> <type> <options> <dump> <pass>
	LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
	proc /proc proc defaults 0 0
	sysfs /sys sysfs defaults 0 0
	tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
	/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
	/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
	EOF
	mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
	# <target name> <source device> <key file> <options>
	${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
	${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	EOF
	# NOTE(review): the swappiness line carries a trailing "# NOTE" comment;
	# confirm sysctl(8) on this release accepts it rather than rejecting the value.
	mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
	vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
	vm.vfs_cache_pressure=50
	EOF
}
rule_initramfs_init () {
	# Initramfs for a Xen PV guest with dropbear inside it — presumably so the
	# encrypted root (rule_filesystem_init) can be unlocked over SSH before boot:
	# modules, dropbear host keys, and root's authorized_keys aggregated from
	# every member of group sudo.
	mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
	MODULES=most
	BUSYBOX=y
	KEYMAP=y
	COMPRESS=gzip
	DEVICE=eth0
	EOF
	mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF
	alias eth0 xennet
	alias scsi_hostadapter xenblk
	EOF
	# Modules loaded at boot: hash and AES/XTS modules (presumably for the LUKS volumes).
	mk_reg mod=644 own=root:root /etc/modules <<-EOF
	sha1_generic
	sha256_generic
	sha512_generic
	aes-x86_64
	xts
	# NOTE: pour Xen en mode HVM :
	#modprobe xen-platform-pci
	EOF
	mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF
	EOF
	# NOTE(review): this patches a file owned by the dropbear package; the next
	# package upgrade silently reverts it.
	sudo sed -e '/^configure_networking /s/ &$//' \
	 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	# NOTE: works around a bug: dropbear must wait for the network to be configured..
	sudo rm -f \
	 /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
	 /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
	# Generate a dropbear host key only when the tool's known_hosts has no
	# entry of that type for init.$vm_fqdn.
	# NOTE(review): the keys were just removed above, so when known_hosts does
	# match nothing here recreates the key — presumably it is restored from
	# elsewhere; confirm.  The trailing " RSA"/" DSA" match also depends on how
	# the known_hosts entries are written.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	 ( while IFS= read -r line
	   do case $line in (*" RSA") return 0; break;; esac
	   done; return 1 ) ||
	 sudo dropbearkey -t rsa -s 4096 -f \
	  /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	# NOTE(review): a 1024-bit DSS key is below current key-size
	# recommendations and recent OpenSSH clients disable ssh-dss by default;
	# the RSA key above suffices — consider dropping this one.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	 ( while IFS= read -r line
	   do case $line in (*" DSA") return 0; break;; esac
	   done; return 1 ) ||
	 sudo dropbearkey -t dss -s 1024 -f \
	  /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
	# NOTE(review): 640 on a directory has no search (x) bit; only root's
	# permission bypass makes it traversable — 700 would state the intent.
	mk_dir mod=640 own=root:root \
	 /etc/initramfs-tools/root \
	 /etc/initramfs-tools/root/.ssh
	# Every member of group sudo can log into the initramfs as root: their
	# ~/etc/ssh/authorized_keys are concatenated.  The inner heredoc peels one
	# name at a time off the comma-separated member list; the eval performs a
	# tilde expansion that sh cannot do on a variable name (rule_user_root_init
	# has the same loop).
	getent group sudo |
	 while IFS=: read -r group x x users
	 do while test -n "$users" && IFS=, read -r user users <<-EOF
		$users
		EOF
	  do eval local home\; home="~$user"
	   cat "$home"/etc/ssh/authorized_keys
	  done
	 done |
	 mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
	sudo rm -f \
	 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
	 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
	 /etc/initramfs-tools/root/.ssh/id_rsa
	# NOTE: keys generated by Debian
	sudo update-initramfs -u
}
rule_locale_init () {
	# Only fr_FR.UTF-8 is generated.
	mk_reg mod=644 own=root:root /etc/locale.gen <<-EOF
	fr_FR.UTF-8 UTF-8
	EOF
	# NOTE(review): nothing here runs locale-gen after rewriting locale.gen;
	# update-locale presumably only edits /etc/default/locale — confirm the
	# locale actually gets built.
	sudo update-locale
}
rule_login_init () {
	# Console login, inittab and login/password policy for the Xen guest.
	# hvc0/xvc0 are the Xen console devices: listing them in securetty lets
	# root log in on the hypervisor console.
	grep -q '^hvc0$' /etc/securetty ||
	 mk_reg mod= own= --append /etc/securetty <<-EOF
	hvc0
	EOF
	grep -q '^xvc0$' /etc/securetty ||
	 mk_reg mod= own= --append /etc/securetty <<-EOF
	xvc0
	EOF
	# sysvinit inittab: standard runlevels plus a getty on hvc0 (xvc0 left commented out).
	mk_reg mod=644 own=root:root /etc/inittab <<-EOF
	# /etc/inittab: init(8) configuration.

	# The default runlevel.
	id:2:initdefault:

	# Boot-time system configuration/initialization script.
	# This is run first except when booting in emergency (-b) mode.
	si::sysinit:/etc/init.d/rcS

	# What to do in single-user mode.
	~~:S:wait:/sbin/sulogin

	# /etc/init.d executes the S and K scripts upon change
	# of runlevel.
	#
	# Runlevel 0 is halt.
	# Runlevel 1 is single-user.
	# Runlevels 2-5 are multi-user.
	# Runlevel 6 is reboot.

	l0:0:wait:/etc/init.d/rc 0
	l1:1:wait:/etc/init.d/rc 1
	l2:2:wait:/etc/init.d/rc 2
	l3:3:wait:/etc/init.d/rc 3
	l4:4:wait:/etc/init.d/rc 4
	l5:5:wait:/etc/init.d/rc 5
	l6:6:wait:/etc/init.d/rc 6
	# Normally not reached, but fallthrough in case of emergency.
	z6:6:respawn:/sbin/sulogin

	# What to do when CTRL-ALT-DEL is pressed.
	ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

	# What to do when the power fails/returns.
	pf::powerwait:/etc/init.d/powerfail start
	pn::powerfailnow:/etc/init.d/powerfail now
	po::powerokwait:/etc/init.d/powerfail stop

	# Xen hypervisor console
	hvc:2345:respawn:/sbin/getty 38400 hvc0
	#xvc:2345:respawn:/sbin/getty 38400 xvc0
	EOF
	# login.defs: SHA512 password hashing, UMASK 007 (rationale inline), failed
	# login logging, no password ageing (PASS_MAX_DAYS 99999).
	# NOTE(review): confirm the absence of ageing is intended; SSH access is
	# key-only (rule_user_init) so it mainly concerns console/sudo passwords.
	mk_reg mod=644 own=root:root /etc/login.defs <<-EOF
	MAIL_DIR /var/mail
	FAILLOG_ENAB yes
	LOG_UNKFAIL_ENAB no
	LOG_OK_LOGINS no
	SYSLOG_SU_ENAB yes
	SYSLOG_SG_ENAB yes
	FTMP_FILE /var/log/btmp
	SU_NAME su
	HUSHLOGIN_FILE .hushlogin
	ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	# NOTE: met les sbin/ dans ENV_PATH ;
	# - ça n'apporte aucune protection de ne pas les mettre ;
	# - ça frustre de ne pas les trouver.
	TTYGROUP tty
	TTYPERM 0600
	ERASECHAR 0177
	KILLCHAR 025
	UMASK 007
	# NOTE: rwxrwx--- ;
	# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
	# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
	PASS_MAX_DAYS 99999
	PASS_MIN_DAYS 0
	PASS_WARN_AGE 7
	UID_MIN 1000
	UID_MAX 60000
	GID_MIN 1000
	GID_MAX 60000
	LOGIN_RETRIES 3
	LOGIN_TIMEOUT 60
	CHFN_RESTRICT rwh
	DEFAULT_HOME yes
	USERGROUPS_ENAB yes
	ENCRYPT_METHOD SHA512
	EOF
	# pam_umask on every session, presumably so the UMASK above is applied
	# to PAM logins too (it reads login.defs by default).
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	 mk_reg mod= own= --append /etc/pam.d/common-session <<-EOF
	session optional pam_umask.so
	EOF
}
rule_network_init () {
	# Hostname, /etc/hosts entry and a single static interface: a /32 whose
	# gateway is the VM's own address (the inline proxy_arp note explains why).
	mk_reg mod= own= /etc/hostname <<-EOF
	$vm
	EOF
	grep -q " $vm\$" /etc/hosts ||
	 mk_reg mod= own= --append /etc/hosts <<-EOF
	127.0.0.1 $vm_fqdn $vm
	EOF
	# NOTE(review): post-up re-adds the /32 that address/netmask already
	# configure; if the address is present "ip address add" reports it exists —
	# confirm ifup tolerates that (a failing post-up aborts ifup).
	mk_reg mod= own= /etc/network/interfaces <<-EOF
	auto lo
	iface lo inet loopback

	auto eth0=grenode
	iface grenode inet static
	address $vm_ipv4
	gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
	network $vm_ipv4
	broadcast $vm_ipv4
	netmask 255.255.255.255
	#mtu 1300
	post-up ip address add $vm_ipv4/32 dev \$IFACE
	pre-down ip address delete $vm_ipv4/32 dev \$IFACE
	EOF
}
rule_user_init () {
	# Skeleton for new accounts (~/etc, ~/var, ~/tmp with .ssh/.gnupg linking
	# into ~/etc), a single RSA host key and sshd_config, sudoers drop-ins and
	# the passwd-init helper.  Not called by rule_init; run it explicitly.
	mk_dir mod=750 own="root:adm" /etc/skel/etc
	# NOTE(review): 770 makes ~/etc/ssh group-writable once copied into a new
	# home; sshd's StrictModes (yes, below) refuses an authorized_keys file
	# under a group-writable directory — confirm key logins work for accounts
	# created from this skeleton.
	mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
	mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/var
	mk_dir mod=700 own="root:adm" /etc/skel/var/log
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/tmp
	mk_dir mod=700 own="root:adm" /etc/skel/tmp # NOTE(review): duplicate of the previous line
	mk_lnk etc/ssh /etc/skel/.ssh
	# NOTE(review): no /etc/skel/etc/gpg is created here, so this link dangles
	# until ~/etc/gpg exists (root gets one in rule_user_root_init) — confirm.
	mk_lnk etc/gpg /etc/skel/.gnupg
	# Generate a 4096-bit RSA host key unless the tool's known_hosts already
	# records one for $vm_fqdn (the trailing " RSA" match depends on how those
	# entries are written — confirm).  DSA/ECDSA keys are removed so only the
	# RSA key named in sshd_config is served.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	 ( while IFS= read -r line
	   do case $line in (*" RSA") return 0; break;; esac
	   done; return 1 ) ||
	 sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	sudo rm -f \
	 /etc/ssh/ssh_host_dsa_key \
	 /etc/ssh/ssh_host_dsa_key.pub \
	 /etc/ssh/ssh_host_ecdsa_key \
	 /etc/ssh/ssh_host_ecdsa_key.pub
	# NOTE: keys generated by Debian
	# sshd: key-only authentication (PasswordAuthentication no); root may log
	# in by key, the keys being those aggregated by rule_user_root_init.
	# NOTE(review): 664 is group-writable; with root:root that is root-only in
	# practice, but 644 is the conventional mode for sshd_config.
	# NOTE(review): Protocol, RSAAuthentication, RhostsRSAAuthentication,
	# KeyRegenerationInterval, ServerKeyBits and UsePrivilegeSeparation are
	# SSH-1-era/legacy directives that newer OpenSSH releases ignore or reject —
	# check against the installed version.
	mk_reg mod=664 own=root:root /etc/ssh/sshd_config <<-EOF
	Port 22
	ListenAddress $vm_ipv4
	#ListenAddress ::
	Protocol 2
	Compression yes
	HostKey /etc/ssh/ssh_host_rsa_key
	UsePrivilegeSeparation yes
	KeyRegenerationInterval 3600
	ServerKeyBits 768
	SyslogFacility AUTH
	LogLevel INFO
	LoginGraceTime 120
	PermitRootLogin yes
	StrictModes yes
	RSAAuthentication yes
	PubkeyAuthentication yes
	AuthorizedKeysFile %h/etc/ssh/authorized_keys
	IgnoreRhosts yes
	RhostsRSAAuthentication no
	HostbasedAuthentication no
	IgnoreUserKnownHosts no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	KerberosAuthentication no
	GSSAPIAuthentication no
	X11Forwarding no
	X11DisplayOffset 10
	PrintMotd no
	DebianBanner no
	PrintLastLog yes
	TCPKeepAlive yes
	ClientAliveInterval 0
	AcceptEnv LANG LC_*
	Subsystem sftp /usr/lib/openssh/sftp-server
	UsePAM yes
	EOF
	sudo service ssh restart
	# sudoers matches the whole command line, so this NOPASSWD rule is meant to
	# allow exactly one sh -c string: setting a password for the caller's own
	# account, and only while passwd --status still reports it locked ("L").
	mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
	case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
	("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
	EOF
	mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	EOF
	# Keep the editor and git identity across sudo (presumably for etckeeper
	# commits made as root).
	mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-EOF
	Defaults env_keep = " \\
	EDITOR \\
	GIT_AUTHOR_NAME \\
	GIT_AUTHOR_EMAIL \\
	GIT_COMMITTER_NAME \\
	GIT_COMMITTER_EMAIL \\
	"
	EOF
	# Wrapper issuing the command line permitted by sudoers.d/passwd-init.
	# The single trailing backslash is a heredoc line continuation: the
	# generated script holds the whole command on one line.
	mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-EOF
	#!/bin/sh
	sudo /bin/sh -e -f -u -c \
	'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
	EOF
}
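rule_user_root_init () {
	# Prepare root's dotfiles: ~/etc/{ssh,gpg} with .ssh/.gnupg pointing at
	# them, an authorized_keys aggregated from every member of group sudo, and
	# the tool's public OpenPGP keys imported into root's keyring.
	mk_dir mod=750 own=root:root /root/etc
	mk_dir mod=750 own=root:root /root/etc/ssh
	mk_dir mod=750 own=root:root /root/etc/gpg
	mk_lnk etc/gpg /root/.gnupg
	mk_lnk etc/ssh /root/.ssh
	# Every member of group sudo gets SSH access to root: concatenate their
	# ~/etc/ssh/authorized_keys.  Home directories come from getent(1) rather
	# than an eval'd tilde expansion, so a member name is never re-parsed as
	# shell code; names without a passwd entry are skipped.
	getent group sudo |
	 while IFS=: read -r group x x users
	 do printf '%s\n' "$users" | tr , '\n' |
	    while IFS= read -r user
	    do [ -n "$user" ] || continue
	       home=$(getent passwd "$user" | cut -d : -f 6)
	       [ -n "$home" ] || continue
	       cat "$home"/etc/ssh/authorized_keys
	    done
	 done |
	 mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
	# The *.key glob needs pathname expansion, which the script disables
	# globally (set -f at the top); re-enable it for this function only, as
	# rule_user_admin_add does.  Without this the literal pattern was handed
	# to gpg.
	local key
	local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do [ -e "$key" ] || continue # no key file at all: the pattern stays literal
	   sudo gpg --import "$key"
	done
}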
rule_bin_init () {
	# Expose this script system-wide by linking it into /usr/local/sbin/.
	local target="${tool}/vm_hosted"
	mk_lnk "$target" /usr/local/sbin/
}
rule_init () {
	# Run the initialisation rules in order.  user_init and apticron_init are
	# not in this list; initramfs_init is reached through boot_init.
	local step
	for step in etckeeper_init locale_init network_init apt_init \
	            filesystem_init login_init user_root_init boot_init bin_init
	do rule "$step"
	done
}
447
rule_disk_key_change () {
	# Change a LUKS key slot passphrase on the root volume (the one the other
	# volumes derive their key from, see rule_filesystem_init).
	local dev="/dev/$vm_lvm_vg/${vm_lvm_lv}_root"
	sudo cryptsetup luksChangeKey "$dev"
}
451
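rule_user_admin_add () { # SYNTAX: $user
	# Create (if missing) a password-less account, add it to group sudo,
	# install its SSH public key from the tool's var/pub/ssh/, refresh the
	# initramfs and root authorized_keys (both aggregate group sudo) and import
	# the tool's OpenPGP keys into the new user's keyring.
	local user=$1 home
	id "$user" >/dev/null ||
	 sudo adduser --disabled-password "$user"
	# NOTE: the password must be initialised by the user with passwd-init.
	# Home directory from getent(1) rather than an eval'd tilde expansion, so
	# the argument is never re-parsed as shell code.
	home=$(getent passwd "$user" | cut -d : -f 6)
	[ -n "$home" ] || {
		printf 'rule_user_admin_add: no home directory for %s\n' "$user" >&2
		return 1
	}
	sudo adduser "$user" sudo
	mk_reg mod=640 own="$user:$user" "$home"/etc/ssh/authorized_keys \
	 <"$tool"/var/pub/ssh/"$user".key
	rule initramfs_init
	rule user_root_init
	# Pathname expansion is off globally (set -f); enable it for this function.
	local key; local -; set +f
	for key in "$tool"/var/pub/openpgp/*.key
	do [ -e "$key" ] || continue # no key file at all: the pattern stays literal
	   sudo -u "$user" gpg --import "$key"
	done
}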
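rule_user_mail_format () {
	# Mail stack configuration: a per-user procmail delivery recipe in
	# /etc/skel, postfix main.cf, dovecot.conf and an (empty) postgrey
	# recipient whitelist.  Packages are installed by rule_mail_init.
	mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
	mk_dir mod=770 own=root:adm /etc/skel/var/mail
	mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
	# The heredoc is unquoted, so "$" and "`" are live for the shell writing
	# the file.  The backticks of LOGFILE, EMAIL and FROM_ are procmail command
	# substitutions and are escaped (\`) like GRUB_DISTRIBUTOR in rule_boot_init:
	# unescaped, they ran at generation time (sed over the administrator's
	# /etc/passwd entry, formail reading stdin, ln in the administrator's home)
	# and their results were baked into the skeleton file.
	# NOTE(review): backslash-newline inside an unquoted heredoc is a line
	# continuation, so the commented-out uux recipe ends up on one line.
	mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
	# vim: ft=procmail

	# NOTE: paramètres passés par postfix
	SENDER=\$1
	RECIPIENT=\$2
	USER=\$3
	EXTENSION=\$4
	DOMAIN=\$5
	ORIGINAL_RECIPIENT=\$6

	PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
	MAILDIR="\$HOME/var/mail/"
	DEFAULT="\$MAILDIR"
	#LOGFILE=\`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"\`
	LOGFILE="/dev/null"
	LOGABSTRACT=all
	LOGABSTRACT
	VERBOSE
	SHELL=/bin/sh
	SHELLMETAS=&|<>~;?*%{}

	# DESCRIPTION: supprime les doublons en fonction du champ Message-Id
	#:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
	#| formail -D 8192 "\$HOME/var/cache/procmail/msgid"

	# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
	EMAIL=\`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"\`
	# NOTE: récupère l’adresse courriel dans le champ GECOS
	FROM_=\`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'\`
	# NOTE: récupère l’expéditeur inscrit sur l’enveloppe
	:0
	| \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"

	# DESCRIPTION: IMAP
	#:0
	#| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"

	# DESCRIPTION: UUCP
	#:0
	#| /usr/bin/uux \
	# -I "\$HOME/etc/uucp/uucp.cfg" \
	# --nouucico \
	# --notification=error \
	# --requestor "\$USER" \
	# - "\$USER!rmail" "(\$USER)"
	EOF
	# postfix main.cf.  NOTE(review): postfix continuation lines (the values
	# under "mydestination =", "mynetworks =", "*_restrictions =" ...) must
	# start with whitespace; <<- strips leading tabs only, so confirm the
	# checkout indents them with spaces.  Also: both *_tls_fingerprint_digest
	# are sha1 (weak for certificate pinning; sha256 is the usual choice),
	# smtpd_discard_ehlo_keywords hides STARTTLS on this smtpd while
	# smtpd_tls_auth_only requires TLS for SASL — presumably submission is
	# served by a separate master.cf entry; confirm.  664 is group-writable
	# (root:root, so root-only in practice; 644 is conventional).
	mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
	# /etc/postfix/main.cf
	# SEE: http://postfix.traduc.org/index.php/TLS_README.html

	parent_domain_matches_subdomains =
	#debug_peer_list
	#fast_flush_domains
	#mynetworks
	#permit_mx_backup_networks
	#qmqpd_authorized_clients
	#smtpd_access_maps
	mydomain = $vm_domainname
	myorigin = \$mydomain
	myhostname = $vm_hostname.\$mydomain
	mail_name = \$myhostname
	mydestination =
	$vm_hostname
	\$myhostname
	\$myorigin
	mynetworks =
	127.0.0.0/8
	#[::1]/128
	inet_protocols = ipv4
	# "all" to activate IPv6
	inet_interfaces = all
	permit_mx_backup_networks =

	alias_database =
	hash:/etc/aliases
	# NOTE: fichier de hash contenant une table d’alias mail.
	# Celle-ci est éditable dans /etc/aliases, puis (indispensable)
	# regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
	alias_maps =
	hash:/etc/aliases
	recipient_delimiter = +
	# NOTE: séparateur entre le nom d’utilisateur
	# et les extensions d’adresse (par défaut le signe +).
	#virtual_alias_domains =
	virtual_alias_maps =
	hash:/etc/postfix/\$mydomain/virtual
	# NOTE: do not specify virtual alias domain names in the main.cf
	# mydestination or relay_domains configuration parameters.
	#
	# With a virtual alias domain, the Postfix SMTP server
	# accepts mail for known-user@virtual-alias.domain, and
	# rejects mail for unknown-user@virtual-alias.domain as
	# undeliverable.
	#relayhost =
	relay_clientcerts =
	hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
	relay_domains =
	\$mydestination
	# NOTE: ajouter les domaines pour lesquels on est backup MX ici,
	# pas dans mydestination ou virtual_alias...

	maximal_queue_lifetime = 5d

	header_checks =
	regexp:/etc/postfix/\$mydomain/header_checks
	mime_header_checks =
	nested_header_checks =
	milter_header_checks =
	body_checks =

	#content_filter = amavisfeed:[127.0.0.1]:10024
	#receive_override_options = no_address_mappings
	# no_unknown_recipient_checks
	# Do not try to reject unknown recipients (SMTP server only).
	# This is typically specified AFTER an external content filter.
	# no_address_mappings
	# Disable canonical address mapping, virtual alias map expansion,
	# address masquerading, and automatic BCC (blind carbon-copy) recipients.
	# This is typically specified BEFORE an external content filter (eg. amavis).
	# no_header_body_checks
	# Disable header/body_checks. This is typically specified AFTER an external content filter.
	# no_milters
	# Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
	#local_header_rewrite_clients =
	transport_maps =
	hash:/etc/postfix/\$mydomain/transport_maps
	mailbox_command =
	/usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
	mailbox_size_limit = 0
	biff = no
	# Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
	append_dot_mydomain = no
	# appending .domain is the MUA's job.

	#tls_random_source =
	# dev:/dev/urandom
	# Non-blocking
	#tls_random_reseed_period = 3600s
	#tls_random_exchange_name =
	# \${data_directory}/prng_exch
	# NOTE: à ne pas mettre dans la cage chroot
	#tls_random_bytes = 32
	#tls_random_prng_update_period = 3600s
	#tls_high_cipherlist = AES256-SHA
	# NOTE: postconf(5) déconseille de changer ceci

	#smtp_cname_overrides_servername = no
	smtp_connect_timeout = 60s
	#smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
	#smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
	#smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
	#smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
	#smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
	# NOTE: déprécié en faveur de smtp_tls_policy_maps
	smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
	smtp_tls_fingerprint_digest = sha1
	smtp_tls_scert_verifydepth = 5
	#smtp_tls_secure_cert_match = nexthop, dot-nexthop
	#smtp_tls_verify_cert_match = hostname
	#smtp_tls_note_starttls_offer = yes
	smtp_tls_loglevel = 1
	smtp_tls_protocols = !SSLv2, !SSLv3
	# Only allow TLSv*
	smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
	#smtp_tls_session_cache_timeout = 3600s
	smtp_tls_security_level = may
	smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
	smtp_body_checks =
	smtp_mime_header_checks =
	smtp_nested_header_checks =

	smtpd_starttls_timeout = 300s
	smtpd_banner =
	\$myhostname ESMTP \$mail_name (Debian/GNU)

	# Restrictions
	smtpd_helo_required = yes
	strict_rfc821_envelopes = yes
	smtpd_authorized_xclient_hosts = 127.0.0.1
	# NOTE: utile pour tester les restrictions

	smtpd_helo_restrictions =
	reject_invalid_helo_hostname
	reject_non_fqdn_helo_hostname
	#reject_unknown_helo_hostname
	# NOTE: pourrait pourtant être utile pour lutter contre le spam
	permit

	smtpd_sender_restrictions =
	permit_mynetworks
	permit_tls_clientcerts
	permit_sasl_authenticated
	check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
	check_sender_access hash:/etc/postfix/sender_blacklist
	reject_unauth_pipelining
	reject_non_fqdn_sender
	#reject_unknown_sender_domain
	# NOTE: temporaire
	permit

	smtpd_client_new_tls_session_rate_limit = 0
	smtpd_client_event_limit_exceptions = \$mynetworks
	smtpd_client_recipient_rate_limit = 0
	smtpd_client_connection_count_limit = 50
	smtpd_client_connection_rate_limit = 0
	smtpd_client_message_rate_limit = 0
	smtpd_client_port_logging = no

	smtpd_client_restrictions =
	check_client_access hash:/etc/postfix/client_blacklist

	policy_time_limit = 3600
	default_extra_recipient_limit = 5000
	duplicate_filter_limit = 5000
	smtpd_recipient_limit = 5000
	smtpd_recipient_overshoot_limit = 5000
	smtpd_recipient_restrictions =
	reject_non_fqdn_recipient
	#reject_invalid_hostname
	# NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
	# dans smtpd_helo_restrictions
	reject_unknown_recipient_domain
	#reject_non_fqdn_sender
	# NOTE: dans smtpd_sender_restrictions
	reject_unauth_pipelining
	# NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
	permit_mynetworks
	permit_tls_clientcerts
	permit_sasl_authenticated
	reject_unauth_destination
	# NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
	# ou quelqu'un pour lequel on tient lieu de backup_mx
	check_policy_service inet:127.0.0.1:10023
	# NOTE: Postgrey (greylisting)
	check_policy_service unix:private/spfcheck
	permit_auth_destination
	# NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
	# (voir permit_auth_destination) ; sans doute redondant
	reject
	#check_relay_domains <- removed from postfix
	#reject_unknown_sender_domain
	# aurait probablement été mieux dans smtpd_sender_restrictions
	#reject_rbl_client bl.spamcop.net
	#reject_rbl_client list.dsbl.org
	#reject_rbl_client zen.spamhaus.org
	#reject_rbl_client dnsbl.sorbs.net

	smtpd_data_restrictions =
	reject_unauth_pipelining
	# NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
	permit

	#smtpd_end_of_data_restrictions =

	#smtpd_restriction_classes =

	smtpd_error_sleep_time = 5
	# NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.

	# SASL
	smtpd_sasl_auth_enable = yes
	smtpd_sasl_type = dovecot
	smtpd_sasl_path = private/auth
	smtpd_sasl_security_options = noanonymous
	smtpd_sasl_domain = \$mydomain

	# SMTPD TLS
	smtpd_discard_ehlo_keywords = starttls
	# NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
	# se mangent une erreur en tentant un starttls
	smtpd_tls_fingerprint_digest = sha1
	# sha512 ?
	smtpd_tls_mandatory_protocols = TLSv1
	smtpd_tls_mandatory_ciphers = high
	smtpd_tls_ciphers = high
	# restrictif. s/high/medium/ ?
	smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
	smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
	smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
	smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
	##
	#smtpd_tls_received_header = no
	smtpd_tls_session_cache_database =
	btree:/var/lib/postfix/smtpd_tls_session_cache
	#smtpd_tls_session_cache_timeout = 3600s
	smtpd_tls_security_level = may
	# Postfix 2.3 and later
	# encrypt
	# Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
	# encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
	# SMTP server. Instead, this option should be used only on dedicated servers.
	smtpd_tls_loglevel = 1
	smtpd_tls_ccert_verifydepth = 5
	smtpd_tls_auth_only = yes
	# Pas d'AUTH SASL sans TLS
	smtpd_tls_ask_ccert = no
	smtpd_tls_req_ccert = no
	#smtpd_tls_always_issue_session_ids = yes
	smtpd_peername_lookup = yes
	# Nécessaire pour postgrey, etc
	smtpd_milters =
	non_smtpd_milters =
	line_length_limit = 2048
	queue_minfree = 0
	message_size_limit = 20480000
	#smtpd_enforce_tls # NOTE: obsolète
	#smtpd_use_tls # NOTE: obsolète
	#smtpd_tls_cipherlist # NOTE: obsolète

	readme_directory = no
	#delay_warning_time = 4h
	# NOTE: uncomment the previous line to generate "delayed mail" warnings
	#debug_peer_level = 4
	#debug_peer_list = .\$myhostname
	EOF
	# dovecot: IMAP with client certificates, per-user passwd-file, SASL socket
	# for postfix.  NOTE(review): mail_debug/verbose_ssl are on (chatty logs),
	# and ssl_cipher_list pins a single CBC suite (AES256-SHA) — review against
	# current TLS guidance.
	mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
	auth_ssl_username_from_cert = yes
	listen = *
	log_timestamp = "%Y-%m-%d %H:%M:%S "
	mail_debug = yes
	mail_location = maildir:~/var/mail
	mail_privileged_group = mail
	passdb {
	args = /home/%u/etc/dovecot/passwd
	driver = passwd-file
	}
	protocols = imap
	service auth {
	unix_listener /var/spool/postfix/private/auth {
	group = postfix
	mode = 0660
	user = postfix
	}
	user = root
	}
	ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
	ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
	ssl_cipher_list = AES256-SHA
	ssl_key = </etc/dovecot/imap/tls/key.pem
	ssl_verify_client_cert = yes
	userdb {
	driver = passwd
	}
	verbose_ssl = yes
	protocol lda {
	auth_socket_path = /var/run/dovecot/auth-master
	hostname = $vm_domainname
	info_log_path = /var/log/dovecot/lda/info.log
	log_path = /var/log/dovecot/lda/error.log
	mail_plugins = sieve
	postmaster_address = contact+dovecot+lda@$vm_domainname
	}
	EOF
	# Empty local whitelist so postgrey has the file to read.
	mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
	EOF
}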
rule_mail_init () {
	# Install the packages configured by rule_user_mail_format.
	set -- postfix postgrey dovecot
	sudo apt-get install "$@"
}
832
rule=${1:-help}
${1+shift}
# Every rule but help must run on the VM named in etc/vm.sh.
[ "$rule" = help ] ||
 assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
rule $rule "$@"