Modification : polissage et log
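#!/bin/sh
# vm_hosted: utility rules run *from inside* the hosted VM (see rule_help).
# Usage: vm_hosted RULE [ARGS...]
# Environment: DRY_RUN (parse the script without executing), TRACE (set -x).
# -e: abort on the first failing command; -f: globbing off for the whole
# file (rules that need a glob re-enable it locally with "local -; set +f");
# -n only when DRY_RUN is set: commands are read, not executed;
# -u: an unset variable is an error.
set -e -f ${DRY_RUN:+-n} -u
# Directory holding this script, used to locate lib/, etc/ and var/.
# "${0%/*}" strips the last path component, but when $0 has no slash at all
# (e.g. "sh vm_hosted") it would leave "$0" itself and the sourcing below
# would look for vm_hosted/lib/...; fall back to "." in that case.
case $0 in
  (*/*) tool=${0%/*} ;;
  (*) tool=. ;;
esac
. "$tool"/lib/functions.sh
. "$tool"/etc/vm.sh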
6
rule_help () {
  # Print the usage text on stderr. Rule names are harvested from the
  # "rule_NAME () {" definition lines of etc/vm.sh and of this script (a
  # trailing "# ..." on such a line is shown next to the name; names
  # starting with "rule__" are skipped), and documented environment
  # variables from "readonly NAME=...}" lines.
  # Both sed calls are best-effort: a missing file must not abort the help.
  local rules vars
  rules=$(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/etc/vm.sh "$0") || true
  vars=$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0") || true
  cat <<-EOF >&2
DESCRIPTION: ce script regroupe des fonctions utilitaires
pour gérer la VM _depuis_ la VM hébergée ;
il sert à la fois d'outil et de documentation.
Voir \`$tool/vm_host' pour les utilitaires côté machine hôte.
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$rules
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$vars
EOF
}
21
rule_git_reset () {
  # Hard-reset the tool checkout to origin's master and remove every
  # untracked and ignored file. Runs in a subshell so the caller's working
  # directory is untouched; the && chain stops at the first failure exactly
  # as set -e would.
  (
    cd "$tool" &&
    git checkout -f -B master origin &&
    git clean -f -d -x
  )
}
29
rule_chrooted () {
  # Session set-up for a chroot into the VM: force the C locale
  # (presumably because the target's locales may not be generated yet)
  # and load the system profile.
  export LANG=C LC_CTYPE=C
  . /etc/profile
}
35
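rule_apt_init () {
  # APT sources and pinning for the release named in $vm_lsb_name: the
  # French mirror, a (commented-out) backports source pinned at 200, above
  # the release's 170, and the OpenERP nightly repository.
  mk_reg mod= own= /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
  # Quoted: the release name is part of the target path.
  mk_reg mod= own= "/etc/apt/sources.list.d/$vm_lsb_name-backports.list" <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
  mk_reg mod= own= /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
  # NOTE(review): third-party repository outside Debian's keyring; APT only
  # trusts it once its signing key is installed — confirm that happens
  # elsewhere, otherwise every update from it is unauthenticated.
  mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
deb http://nightly.openerp.com/trunk/nightly/deb/ ./
EOF
}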
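rule_apticron_init () {
  # Install apticron and write its configuration (notification address;
  # the other settings are left at their commented defaults).
  sudo apt-get install --reinstall apticron
  # The settings below (EMAIL, DIFF_ONLY, NOTIFY_*...) are apticron's, so the
  # target is /etc/apticron/apticron.conf. The previous version wrote them
  # to /etc/default/grub, which rule_boot_init then overwrites with the
  # real GRUB configuration — apticron never saw them.
  mk_reg mod=644 own=root:root /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@heureux-cyclage.org"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@ateliers.heureux-cyclage.org"
EOF
  sudo service apticron restart
}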
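rule_boot_init () {
  # Install GRUB and the kernel, write /etc/default/grub and the device
  # map, regenerate grub.cfg, then rebuild the initramfs.
  # XXX: when the package asks, install GRUB on NONE of the offered disks!
  sudo apt-get install --reinstall grub-pc
  # NOTE(review): mod=644 on a directory leaves it without the "x" bit;
  # 755 is presumably meant — confirm how mk_dir applies "mod".
  mk_dir mod=644 own=root:root /boot/grub
  # Quoted: the architecture is part of the package name.
  sudo apt-get install --reinstall "linux-image-$vm_arch"
  # GRUB_DISTRIBUTOR keeps a literal backtick command (\`...\`) for GRUB's
  # own scripts to evaluate; the kernel line fixes the Xen console, the
  # network parameters and the swap volume to resume from.
  # NOTE(review): resume= names ${vm}_swap_deciphered while fstab/crypttab
  # (rule_filesystem_init) name the mapping ${vm_lvm_lv}_swap_deciphered —
  # confirm the two variables agree.
  mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
  # Device map: /dev/xvda is presumably the guest's view of the disk, the
  # domU-... mapper name the host's LVM volume (device-mapper doubles every
  # "-" of an LV name, hence the sed). Quoted so the name stays one word.
  mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s "$vm_fqdn-disk" | sed -e 's/-/--/g')
EOF
  sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
  rule initramfs_init
}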
rule_etckeeper_init () {
  # etckeeper settings: git backend, no daily auto-commit, no commit before
  # package installs, apt/dpkg as the package managers.
  # Quoted delimiter: the content contains nothing to expand.
  mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-'EOF'
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
}
rule_filesystem_init () {
  # fstab, crypttab and the swap sysctl for the LUKS-on-LVM layout: each
  # volume is ${vm_lvm_lv}_<name> in VG $vm_lvm_vg and is unlocked as
  # ${vm_lvm_lv}_<name>_deciphered.
  local lv="$vm_lvm_lv"
  local vg="$vm_lvm_vg"
  mk_reg mod=644 own=root:root /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
/dev/mapper/${lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
/dev/mapper/${lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
/dev/mapper/${lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
/dev/mapper/${lv}_swap_deciphered swap swap sw 0 0
EOF
  # root is unlocked with a passphrase; var, home and swap derive their key
  # from the unlocked root volume (decrypt_derived).
  mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${lv}_root_deciphered /dev/$vg/${lv}_root none luks,lvm=$vg
${lv}_var_deciphered /dev/$vg/${lv}_var ${lv}_root_deciphered luks,lvm=$vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${lv}_home_deciphered /dev/$vg/${lv}_home ${lv}_root_deciphered luks,lvm=$vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${lv}_swap_deciphered /dev/$vg/${lv}_swap ${lv}_root_deciphered luks,lvm=$vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
  # NOTE(review): the trailing "# ..." on the swappiness line ends up in the
  # sysctl file; sysctl.conf(5) only documents whole-line comments —
  # confirm the value is still parsed.
  mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
vm.vfs_cache_pressure=50
EOF
}
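rule_initramfs_init () {
  # Prepare the initramfs of the encrypted Xen guest: busybox and network
  # configuration inside the initramfs, Xen PV module aliases, the LUKS
  # cipher modules, a dropbear host key for remote unlocking, and an
  # authorized_keys for the initramfs root built from every member of the
  # sudo group.
  local user home
  mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-'EOF'
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
  mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-'EOF'
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
  mk_reg mod=644 own=root:root /etc/modules <<-'EOF'
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
  mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-'EOF'
EOF
  # NOTE: works around a bug — dropbear must wait until the network is
  # configured, so the "&" that backgrounds configure_networking is removed.
  sudo sed -e '/^configure_networking /s/ &$//' \
    -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
  # NOTE(review): the dropbear keys are removed unconditionally here but
  # only regenerated below when etc/openssh/known_hosts has no entry of
  # that type for init.$vm_fqdn; when an entry exists the initramfs ends up
  # without a host key — confirm the intent (is the recorded key restored
  # from elsewhere?).
  sudo rm -f \
    /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
    /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub \
    /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
    /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
  # "A | B || C": generate a key only when no known_hosts line for the
  # initramfs host ends with " RSA" (resp. " DSA").
  ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
    grep -q ' RSA$' ||
    sudo dropbearkey -t rsa -s 4096 -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
  # NOTE(review): DSA host keys are limited to 1024 bits and refused by
  # current SSH clients by default; consider dropping the DSS key.
  ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
    grep -q ' DSA$' ||
    sudo dropbearkey -t dss -s 1024 -f \
      /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
  # NOTE(review): mod=640 on directories leaves them non-traversable;
  # 700 is presumably meant — confirm how mk_dir applies "mod".
  mk_dir mod=640 own=root:root \
    /etc/initramfs-tools/root \
    /etc/initramfs-tools/root/.ssh
  # Concatenate ~user/etc/ssh/authorized_keys (the AuthorizedKeysFile set
  # by rule_user_init) of every member of the sudo group. The home
  # directory is taken from the passwd database instead of eval-expanding
  # "~$user", which would execute any shell metacharacter found in a member
  # name. The producer is a subshell, so IFS=, and the exit on a missing
  # member stay local to it; as before, such a failure only truncates the
  # produced list (the pipeline's status is mk_reg's).
  (
    IFS=,
    for user in $(getent group sudo | cut -d: -f4); do
      home=$(getent passwd "$user" | cut -d: -f6)
      if test -z "$home"; then
        printf '%s: no passwd entry for sudo member %s\n' "$0" "$user" >&2
        exit 1
      fi
      cat "$home"/etc/ssh/authorized_keys
    done
  ) |
    mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
  # NOTE: client key pair generated by Debian for the initramfs root;
  # access goes through the authorized_keys written above.
  sudo rm -f \
    /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
    /etc/initramfs-tools/root/.ssh/id_rsa.pub \
    /etc/initramfs-tools/root/.ssh/id_rsa
  sudo update-initramfs -u
}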
rule_locale_init () {
  # Declare fr_FR.UTF-8 as the only locale to generate, then run
  # update-locale.
  # NOTE(review): locale-gen is not invoked here, so the locale listed in
  # locale.gen is only built if something else runs it — confirm.
  mk_reg mod=644 own=root:root /etc/locale.gen <<-'EOF'
fr_FR.UTF-8 UTF-8
EOF
  sudo update-locale
}
rule_login_init () {
  # Console logins: allow root on the Xen consoles (hvc0/xvc0), an inittab
  # spawning a getty on hvc0, login.defs (umask 007 trusting the owner
  # group, sbin in every PATH, SHA512 hashes) and a pam_umask line so the
  # umask applies to every session.
  local tty
  for tty in hvc0 xvc0; do
    grep -q "^$tty\$" /etc/securetty ||
      mk_reg mod= own= --append /etc/securetty <<-EOF
$tty
EOF
  done
  # Quoted delimiters below: neither file contains anything to expand.
  mk_reg mod=644 own=root:root /etc/inittab <<-'EOF'
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
  mk_reg mod=644 own=root:root /etc/login.defs <<-'EOF'
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
  grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
    mk_reg mod= own= --append /etc/pam.d/common-session <<-'EOF'
session optional pam_umask.so
EOF
}
rule_network_init () {
  # Hostname, a 127.0.0.1 alias for the FQDN, and eth0 brought up with the
  # logical interface definition "grenode": a /32 static address whose
  # gateway is the address itself.
  local ip="$vm_ipv4"
  mk_reg mod= own= /etc/hostname <<-EOF
$vm
EOF
  grep -q " $vm\$" /etc/hosts ||
    mk_reg mod= own= --append /etc/hosts <<-EOF
127.0.0.1 $vm_fqdn $vm
EOF
  # \$IFACE is left for ifupdown to expand.
  mk_reg mod= own= /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $ip
gateway $ip # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $ip
broadcast $ip
netmask 255.255.255.255
#mtu 1300
post-up ip address add $ip/32 dev \$IFACE
pre-down ip address delete $ip/32 dev \$IFACE
EOF
}
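rule_user_init () {
  # Account skeleton (configuration under ~/etc, state under ~/var, .ssh
  # and .gnupg as links into ~/etc), the sshd host key and configuration,
  # and the sudo rules letting a new admin set their own password
  # (passwd-init) and run "etckeeper unclean".
  mk_dir mod=750 own="root:adm" /etc/skel/etc
  mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
  mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
  mk_dir mod=700 own="root:adm" /etc/skel/var
  mk_dir mod=700 own="root:adm" /etc/skel/var/log
  mk_dir mod=700 own="root:adm" /etc/skel/var/cache
  mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
  # (the previous version created /etc/skel/tmp twice)
  mk_dir mod=700 own="root:adm" /etc/skel/tmp
  # NOTE(review): .gnupg points at etc/gpg but no etc/gpg directory is
  # created in the skeleton (rule_user_root_init creates one for root) —
  # confirm whether the dangling link is intended.
  mk_lnk etc/ssh /etc/skel/.ssh
  mk_lnk etc/gpg /etc/skel/.gnupg
  # "A | B || C": generate a 4096-bit RSA host key only when no known_hosts
  # line for this host ends with " RSA", so a recorded key is never replaced.
  ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
    grep -q ' RSA$' ||
    sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
  # NOTE: keys generated by Debian; only the RSA key (HostKey below) is kept.
  sudo rm -f \
    /etc/ssh/ssh_host_dsa_key \
    /etc/ssh/ssh_host_dsa_key.pub \
    /etc/ssh/ssh_host_ecdsa_key \
    /etc/ssh/ssh_host_ecdsa_key.pub
  # Key-only logins (PasswordAuthentication and
  # ChallengeResponseAuthentication off), root included; keys are read from
  # ~/etc/ssh/authorized_keys. ListenAddress is the VM's own IPv4.
  # NOTE(review): mod=664 makes the configuration group-writable (group
  # root); 644 is the usual mode — confirm intent.
  mk_reg mod=664 own=root:root /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression yes
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
  sudo service ssh restart
  # sudoers drop-ins (0440 as sudo requires). Members of "sudo" may run
  # without a password exactly the sh one-liner that calls passwd on their
  # own account while "passwd --status" still reports it locked ("L");
  # /usr/local/sbin/passwd-init below wraps that one-liner. In the
  # here-documents "\\" yields a sudoers line continuation and "\$" keeps
  # the variables for sudo/sh instead of expanding them now.
  mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
EOF
  mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
  # Keep the editor and git identity across sudo.
  mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-EOF
Defaults env_keep = " \\
EDITOR \\
GIT_AUTHOR_NAME \\
GIT_AUTHOR_EMAIL \\
GIT_COMMITTER_NAME \\
GIT_COMMITTER_EMAIL \\
"
EOF
  # The backslash-newline after "-c" is a continuation of the here-document
  # itself: the written script holds the sudo call on a single line.
  mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-EOF
#!/bin/sh
sudo /bin/sh -e -f -u -c \
'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
EOF
}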
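rule_user_root_init () {
  # root's layout mirrors the skeleton (~/etc/{ssh,gpg} with .ssh/.gnupg
  # links); root's authorized_keys is the union of every sudo member's keys
  # and the project's OpenPGP public keys are imported into root's keyring.
  local user home key
  mk_dir mod=750 own=root:root /root/etc
  mk_dir mod=750 own=root:root /root/etc/ssh
  # NOTE(review): gpg warns about a home directory that is not mode 700 —
  # confirm 750 on /root/etc/gpg is acceptable.
  mk_dir mod=750 own=root:root /root/etc/gpg
  mk_lnk etc/gpg /root/.gnupg
  mk_lnk etc/ssh /root/.ssh
  # The previous version guarded the *outer* read loop with
  # `test -n "$users"` before $users had ever been read: under set -u the
  # pipeline stage aborted (and without -u the loop never ran), so
  # /root/etc/ssh/authorized_keys was written empty. The member list is now
  # iterated directly, as in rule_initramfs_init; the home directory comes
  # from the passwd database rather than eval-expanding "~$user". The
  # producer is a subshell, so IFS=, and the exit on a missing member stay
  # local to it (the pipeline's status is mk_reg's).
  (
    IFS=,
    for user in $(getent group sudo | cut -d: -f4); do
      home=$(getent passwd "$user" | cut -d: -f6)
      if test -z "$home"; then
        printf '%s: no passwd entry for sudo member %s\n' "$0" "$user" >&2
        exit 1
      fi
      cat "$home"/etc/ssh/authorized_keys
    done
  ) |
    mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
  # Globbing is disabled file-wide (set -f): re-enable it for this function
  # only, as rule_user_admin_add does, otherwise *.key is passed literally.
  local -; set +f
  for key in "$tool"/var/pub/openpgp/*.key; do
    sudo gpg --import "$key"
  done
}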
rule__bin_init () {
  # Expose this script as /usr/local/sbin/vm_hosted. The double underscore
  # keeps the rule out of rule_help's listing (its sed skips "rule__");
  # rule_init still calls it as `rule bin_init`, so "rule" presumably
  # resolves that name — confirm in lib/functions.sh.
  mk_lnk "${tool}/vm_hosted" /usr/local/sbin/
}
rule_init () {
  # Complete initialisation of a freshly installed VM, in order
  # (boot_init itself ends with initramfs_init). Under set -e the first
  # failing rule stops the sequence.
  local step
  for step in \
    etckeeper_init \
    locale_init \
    network_init \
    apt_init \
    filesystem_init \
    login_init \
    user_root_init \
    boot_init \
    bin_init
  do
    rule "$step"
  done
}
437
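rule_disk_key_change () {
  # Interactively replace a passphrase of the root LUKS volume (the other
  # volumes derive their key from it, see rule_filesystem_init).
  # Quoted so the device path is always a single argument.
  sudo cryptsetup luksChangeKey "/dev/$vm_lvm_vg/${vm_lvm_lv}_root"
}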
441
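rule_user_admin_add () { # SYNTAX: $user
  # Create (if needed) an admin account in the sudo group whose SSH key is
  # taken from var/pub/ssh/$user.key, refresh the initramfs and root
  # authorized_keys (both collect every sudo member's key) and import the
  # project's OpenPGP keys into the new user's keyring.
  local user="$1"
  local home key
  id "$user" >/dev/null ||
    sudo adduser --disabled-password "$user"
  # NOTE: the password is set by the user with passwd-init (rule_user_init),
  # hence --disabled-password.
  # The home directory comes from the passwd database rather than from
  # eval-expanding "~$user": $user is a command-line argument and eval
  # would execute any shell metacharacter it contains.
  home=$(getent passwd "$user" | cut -d: -f6)
  if test -z "$home"; then
    printf '%s: no passwd entry for %s\n' "$0" "$user" >&2
    return 1
  fi
  sudo adduser "$user" sudo
  mk_reg mod=640 own="$user:$user" "$home"/etc/ssh/authorized_keys \
    <"$tool"/var/pub/ssh/"$user".key
  rule initramfs_init
  rule user_root_init
  # Globbing is disabled file-wide (set -f): re-enable it for this function.
  local -; set +f
  for key in "$tool"/var/pub/openpgp/*.key; do
    sudo -u "$user" gpg --import "$key"
  done
}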
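rule_user_mail_format () {
  # Mail set-up: per-user layout in the skeleton (~/etc/procmail,
  # ~/var/mail, ~/var/cache/procmail), the procmail recipe postfix hands
  # every message to, postfix main.cf, dovecot.conf and an empty postgrey
  # whitelist.
  mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
  mk_dir mod=770 own=root:adm /etc/skel/var/mail
  mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
  # delivery.rc must contain literal backtick commands for procmail to run
  # at delivery time. In an unquoted here-document a bare backtick is a
  # command substitution performed *now* by the shell writing the file
  # (formail would read this script's stdin, sed would bake in the current
  # user's GECOS field, the LOGFILE snippet would create symlinks on this
  # machine), so the backticks are escaped as \` like the \$ already are.
  # Backslash-newline is also a continuation of the here-document: the
  # commented UUCP recipe is written joined on one line.
  mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
# vim: ft=procmail

# NOTE: paramètres passés par postfix
SENDER=\$1
RECIPIENT=\$2
USER=\$3
EXTENSION=\$4
DOMAIN=\$5
ORIGINAL_RECIPIENT=\$6

PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
MAILDIR="\$HOME/var/mail/"
DEFAULT="\$MAILDIR"
#LOGFILE=\`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"\`
LOGFILE="/dev/null"
LOGABSTRACT=all
LOGABSTRACT
VERBOSE
SHELL=/bin/sh
SHELLMETAS=&|<>~;?*%{}

# DESCRIPTION: supprime les doublons en fonction du champ Message-Id
#:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
#| formail -D 8192 "\$HOME/var/cache/procmail/msgid"

# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
EMAIL=\`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"\`
# NOTE: récupère l’adresse courriel dans le champ GECOS
FROM_=\`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'\`
# NOTE: récupère l’expéditeur inscrit sur l’enveloppe
:0
| \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"

# DESCRIPTION: IMAP
#:0
#| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"

# DESCRIPTION: UUCP
#:0
#| /usr/bin/uux \
# -I "\$HOME/etc/uucp/uucp.cfg" \
# --nouucico \
# --notification=error \
# --requestor "\$USER" \
# - "\$USER!rmail" "(\$USER)"
EOF
  # postfix: \$name is left for postfix to expand, $vm_* is expanded now.
  # NOTE(review): postfix continuation lines (the values under
  # "mydestination =", "mynetworks =", ...) must start with whitespace and
  # "<<-" strips leading tabs — check the generated main.cf.
  # NOTE(review): sha1 fingerprint digests and TLSv1 as the only mandatory
  # protocol date from this script's era; revisit before reuse.
  mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
# /etc/postfix/main.cf
# SEE: http://postfix.traduc.org/index.php/TLS_README.html

parent_domain_matches_subdomains =
#debug_peer_list
#fast_flush_domains
#mynetworks
#permit_mx_backup_networks
#qmqpd_authorized_clients
#smtpd_access_maps
mydomain = $vm_domainname
myorigin = \$mydomain
myhostname = $vm_hostname.\$mydomain
mail_name = \$myhostname
mydestination =
$vm_hostname
\$myhostname
\$myorigin
mynetworks =
127.0.0.0/8
#[::1]/128
inet_protocols = ipv4
# "all" to activate IPv6
inet_interfaces = all
permit_mx_backup_networks =

alias_database =
hash:/etc/aliases
# NOTE: fichier de hash contenant une table d’alias mail.
# Celle-ci est éditable dans /etc/aliases, puis (indispensable)
# regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
alias_maps =
hash:/etc/aliases
recipient_delimiter = +
# NOTE: séparateur entre le nom d’utilisateur
# et les extensions d’adresse (par défaut le signe +).
#virtual_alias_domains =
virtual_alias_maps =
hash:/etc/postfix/\$mydomain/virtual
# NOTE: do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
#
# With a virtual alias domain, the Postfix SMTP server
# accepts mail for known-user@virtual-alias.domain, and
# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.
#relayhost =
relay_clientcerts =
hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
relay_domains =
\$mydestination
# NOTE: ajouter les domaines pour lesquels on est backup MX ici,
# pas dans mydestination ou virtual_alias...

maximal_queue_lifetime = 5d

header_checks =
regexp:/etc/postfix/\$mydomain/header_checks
mime_header_checks =
nested_header_checks =
milter_header_checks =
body_checks =

#content_filter = amavisfeed:[127.0.0.1]:10024
#receive_override_options = no_address_mappings
# no_unknown_recipient_checks
# Do not try to reject unknown recipients (SMTP server only).
# This is typically specified AFTER an external content filter.
# no_address_mappings
# Disable canonical address mapping, virtual alias map expansion,
# address masquerading, and automatic BCC (blind carbon-copy) recipients.
# This is typically specified BEFORE an external content filter (eg. amavis).
# no_header_body_checks
# Disable header/body_checks. This is typically specified AFTER an external content filter.
# no_milters
# Disable Milter (mail filter) appl## Review Notes
I'll continue the transcription carefully to avoid corrupting the postfix config.

# Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
#local_header_rewrite_clients =
transport_maps =
hash:/etc/postfix/\$mydomain/transport_maps
mailbox_command =
/usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
mailbox_size_limit = 0
biff = no
# Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
append_dot_mydomain = no
# appending .domain is the MUA's job.

#tls_random_source =
# dev:/dev/urandom
# Non-blocking
#tls_random_reseed_period = 3600s
#tls_random_exchange_name =
# \${data_directory}/prng_exch
# NOTE: à ne pas mettre dans la cage chroot
#tls_random_bytes = 32
#tls_random_prng_update_period = 3600s
#tls_high_cipherlist = AES256-SHA
# NOTE: postconf(5) déconseille de changer ceci

#smtp_cname_overrides_servername = no
smtp_connect_timeout = 60s
#smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
#smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
#smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
#smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
#smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
# NOTE: déprécié en faveur de smtp_tls_policy_maps
smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
smtp_tls_fingerprint_digest = sha1
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
#smtp_tls_verify_cert_match = hostname
#smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3
# Only allow TLSv*
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
smtp_tls_security_level = may
smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
smtp_body_checks =
smtp_mime_header_checks =
smtp_nested_header_checks =

smtpd_starttls_timeout = 300s
smtpd_banner =
\$myhostname ESMTP \$mail_name (Debian/GNU)

# Restrictions
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_authorized_xclient_hosts = 127.0.0.1
# NOTE: utile pour tester les restrictions

smtpd_helo_restrictions =
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
#reject_unknown_helo_hostname
# NOTE: pourrait pourtant être utile pour lutter contre le spam
permit

smtpd_sender_restrictions =
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
check_sender_access hash:/etc/postfix/sender_blacklist
reject_unauth_pipelining
reject_non_fqdn_sender
#reject_unknown_sender_domain
# NOTE: temporaire
permit

smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_event_limit_exceptions = \$mynetworks
smtpd_client_recipient_rate_limit = 0
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 0
smtpd_client_port_logging = no

smtpd_client_restrictions =
check_client_access hash:/etc/postfix/client_blacklist

policy_time_limit = 3600
default_extra_recipient_limit = 5000
duplicate_filter_limit = 5000
smtpd_recipient_limit = 5000
smtpd_recipient_overshoot_limit = 5000
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
#reject_invalid_hostname
# NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
# dans smtpd_helo_restrictions
reject_unknown_recipient_domain
#reject_non_fqdn_sender
# NOTE: dans smtpd_sender_restrictions
reject_unauth_pipelining
# NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
reject_unauth_destination
# NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
# ou quelqu'un pour lequel on tient lieu de backup_mx
check_policy_service inet:127.0.0.1:10023
# NOTE: Postgrey (greylisting)
check_policy_service unix:private/spfcheck
permit_auth_destination
# NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
# (voir permit_auth_destination) ; sans doute redondant
reject
#check_relay_domains <- removed from postfix
#reject_unknown_sender_domain
# aurait probablement été mieux dans smtpd_sender_restrictions
#reject_rbl_client bl.spamcop.net
#reject_rbl_client list.dsbl.org
#reject_rbl_client zen.spamhaus.org
#reject_rbl_client dnsbl.sorbs.net

smtpd_data_restrictions =
reject_unauth_pipelining
# NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
permit

#smtpd_end_of_data_restrictions =

#smtpd_restriction_classes =

smtpd_error_sleep_time = 5
# NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.

# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_domain = \$mydomain

# SMTPD TLS
smtpd_discard_ehlo_keywords = starttls
# NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
# se mangent une erreur en tentant un starttls
smtpd_tls_fingerprint_digest = sha1
# sha512 ?
smtpd_tls_mandatory_protocols = TLSv1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
# restrictif. s/high/medium/ ?
smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
##
#smtpd_tls_received_header = no
smtpd_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_security_level = may
# Postfix 2.3 and later
# encrypt
# Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
# encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
# SMTP server. Instead, this option should be used only on dedicated servers.
smtpd_tls_loglevel = 1
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_auth_only = yes
# Pas d'AUTH SASL sans TLS
smtpd_tls_ask_ccert = no
smtpd_tls_req_ccert = no
#smtpd_tls_always_issue_session_ids = yes
smtpd_peername_lookup = yes
# Nécessaire pour postgrey, etc
smtpd_milters =
non_smtpd_milters =
line_length_limit = 2048
queue_minfree = 0
message_size_limit = 20480000
#smtpd_enforce_tls # NOTE: obsolète
#smtpd_use_tls # NOTE: obsolète
#smtpd_tls_cipherlist # NOTE: obsolète

readme_directory = no
#delay_warning_time = 4h
# NOTE: uncomment the previous line to generate "delayed mail" warnings
#debug_peer_level = 4
#debug_peer_list = .\$myhostname
EOF
  # dovecot: IMAP only, passwd-file per user under ~/etc/dovecot, SASL
  # socket shared with postfix, client certificates required.
  # NOTE(review): mail_debug and verbose_ssl are both on — noisy logs in
  # production; and ssl_cipher_list pins a single AES256-SHA suite.
  mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
protocols = imap
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
user = root
}
ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/imap/tls/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = yes
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path = /var/log/dovecot/lda/info.log
log_path = /var/log/dovecot/lda/error.log
mail_plugins = sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
}
EOF
  mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-'EOF'
EOF
}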
rule_mail_init () {
  # Install the mail stack configured by rule_user_mail_format.
  # NOTE(review): "dovecot" does not look like a current Debian binary
  # package name (dovecot-core / dovecot-imapd) — confirm against the
  # target release.
  local pkgs='postfix postgrey dovecot'
  # $pkgs is split on purpose (set -f keeps globbing off).
  sudo apt-get install $pkgs
}
822
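# Entry point: the first argument names the rule (default: help); the rest
# is passed on to it. "${1+shift}" expands to "shift" only when an argument
# was given. Every rule but help first asserts that the script runs on the
# VM it is configured for (hostname --fqdn must equal $vm_fqdn), so a
# checkout copied to another machine cannot rewrite that machine's /etc;
# TRACE turns on command tracing from that point on.
rule=${1:-help}
${1+shift}
case $rule in
  (help) ;;
  (*)
    assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
    ${TRACE:+set -x}
    ;;
esac
# Quoted so the rule name is always passed as a single argument.
rule "$rule" "$@"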