#!/bin/sh
# vm_hosted: utilities run *inside* the hosted VM (see rule_help).
# -e abort on the first failing command, -f no pathname globbing,
# -u unset variables are errors.  DRY_RUN=<anything> adds -n, which makes
# the shell parse the rest of the file without executing it.
set -e -f -u
${DRY_RUN:+set -n}
# Directory of this script; the shared helpers (mk_reg, mk_dir, mk_lnk)
# and the VM description (vm, vm_fqdn, vm_ipv4, vm_lvm_*...) come from it.
# NOTE(review): ${0%/*} does not resolve symlinks, so when the script is
# run through the /usr/local/sbin link made by rule__bin_init this gives
# /usr/local/sbin and the two dot-sourced files will not be found --
# confirm how it is invoked (readlink -f "$0" would make both work).
tool=${0%/*}
. "$tool"/lib/functions.sh
. "$tool"/etc/vm.sh
6
rule_help () {
	# Usage text on stderr.  The RULES and ENVIRONMENT sections are
	# generated from the sources themselves: a rule is documented by the
	# comment on its `rule_NAME () {` line (see rule_user_admin_add), a
	# setting by the comment on its `readonly NAME=${...}` line.  Rules
	# whose name starts with `_` (the rule__*_init steps) are internal and
	# are hidden by the `[^_]` of the first sed pattern.
	# NOTE(review): both seds also read "$tool"/vm.sh, which this file
	# neither defines nor sources -- presumably the shared rule file next
	# to lib/ and etc/; if it is absent sed only prints an error (a command
	# substitution inside a here-document does not trip set -e).
	cat >&2 <<-EOF
	DESCRIPTION: ce script regroupe des fonctions utilitaires
	pour gérer la VM _depuis_ la VM hébergée ;
	il sert à la fois d'outil et de documentation.
	Voir \`$tool/vm_host' pour les utilitaires côté machine hôte.
	SYNTAX: $0 \$RULE \${RULE}_SYNTAX
	RULES:
	$(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/vm.sh "$0")
	ENVIRONMENT:
	TRACE # affiche les commandes avant leur exécution
	$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/vm.sh "$0")
	EOF
}
21
rule_git_reset () {
	# Hard-reset the tool checkout: force branch master onto origin's tip,
	# then delete every untracked *and ignored* file under "$tool".
	# NOTE(review): `clean -x` also removes ignored files, so anything kept
	# untracked under $tool (private keys, a local etc/vm.sh?) is lost --
	# confirm nothing of the sort lives there.
	# The subshell keeps the caller's working directory; the && chain (like
	# set -e in the original) stops at the first failing step.
	(
		cd "$tool" &&
		git checkout -f -B master origin &&
		git clean -f -d -x
	)
}
29
rule_chrooted () {
	# To be run once inside a chroot of the VM's filesystem: force the C
	# locale (the target's locales may not be generated yet, see
	# rule__locale_init), then load /etc/profile of the chroot.
	export LANG=C LC_CTYPE=C
	. /etc/profile
}
35
rule__etckeeper_init () {
	# Track /etc in git with etckeeper, but only on explicit commits: no
	# daily autocommit and no commit before apt installs (the
	# etckeeper-unclean sudoers rule of rule_user_init goes with this).
	# mk_reg (lib/functions.sh, not shown) writes stdin to the path with
	# the given mode and owner -- TODO confirm.
	mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF
	VCS=git
	GIT_COMMIT_OPTIONS=""
	AVOID_DAILY_AUTOCOMMITS=1
	#AVOID_SPECIAL_FILE_WARNING=1
	AVOID_COMMIT_BEFORE_INSTALL=1
	HIGHLEVEL_PACKAGE_MANAGER=apt
	LOWLEVEL_PACKAGE_MANAGER=dpkg
	EOF
}
rule__locale_init () {
	# Single generated locale, fr_FR.UTF-8; update-locale then rewrites
	# /etc/default/locale (it is given no LANG here, so presumably keeps
	# the existing one -- confirm).
	mk_reg mod=644 own=root:root /etc/locale.gen <<-EOF
	fr_FR.UTF-8 UTF-8
	EOF
	sudo update-locale
}
rule__network_init () {
	# Hostname, hosts entry and a single /32 interface; $vm, $vm_fqdn and
	# $vm_ipv4 presumably come from etc/vm.sh.  `mod= own=` leaves mk_reg's
	# defaults -- TODO confirm what they are.
	mk_reg mod= own= /etc/hostname <<-EOF
	$vm
	EOF
	# Idempotent append.  NOTE(review): $vm is used unescaped as a regex;
	# fine for a plain hostname, wrong if it ever contains a dot that must
	# match literally.
	grep -q " $vm\$" /etc/hosts ||
	mk_reg mod= own= --append /etc/hosts <<-EOF
	127.0.0.1 $vm_fqdn $vm
	EOF
	# Point-to-point style setup: the VM's address is its own gateway on a
	# /32 (the in-file NOTE explains proxy_arp on the real gateway makes
	# this work); the post-up/pre-down lines add the /32 route explicitly.
	mk_reg mod= own= /etc/network/interfaces <<-EOF
	auto lo
	iface lo inet loopback

	auto eth0=grenode
	iface grenode inet static
	address $vm_ipv4
	gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
	network $vm_ipv4
	broadcast $vm_ipv4
	netmask 255.255.255.255
	#mtu 1300
	post-up ip address add $vm_ipv4/32 dev \$IFACE
	pre-down ip address delete $vm_ipv4/32 dev \$IFACE
	EOF
}
rule__apt_init () {
	# APT sources for the release named by $vm_lsb_name, backports kept
	# available but commented out, and a third-party OpenERP nightly repo.
	mk_reg mod= own= /etc/apt/sources.list <<-EOF
	deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
	EOF
	mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
	#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
	EOF
	# Pinning: release at 170, backports at 200 (so backports win over the
	# release when both carry a package, neither auto-upgrades).
	# NOTE(review): the openerp list below gets no pin, so it keeps apt's
	# default priority of 500 and outranks both Debian sources for any
	# package name it also provides -- confirm that is intended, and that
	# its signing key is provisioned by another step (none is here).
	mk_reg mod= own= /etc/apt/preferences <<-EOF
	Package: *
	Pin: release a=$vm_lsb_name
	Pin-Priority: 170

	Package: *
	Pin: release a=$vm_lsb_name-backports
	Pin-Priority: 200
	EOF
	mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
	deb http://nightly.openerp.com/trunk/nightly/deb/ ./
	EOF
}
rule__filesystem_init () {
	# Mount table: unencrypted /boot by label, tmpfs /tmp (nosuid,nodev but
	# not noexec), and four LUKS-backed LVs (root, var, home with quotas,
	# swap) addressed through their decrypted device-mapper names.
	mk_reg mod=644 own=root:root /etc/fstab <<-EOF
	# <file system> <mount point> <type> <options> <dump> <pass>
	LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
	proc /proc proc defaults 0 0
	sysfs /sys sysfs defaults 0 0
	tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
	/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
	/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
	/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
	EOF
	# Only the root volume has a passphrase of its own (key file "none":
	# asked at boot, remotely via the dropbear initramfs of
	# rule__initramfs_init).  var, home and swap name the root mapping as
	# their key and use decrypt_derived, i.e. their key is derived from the
	# root volume's master key -- so there is one secret to manage
	# (rule_disk_key_change) and the others unlock automatically.
	mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
	# <target name> <source device> <key file> <options>
	${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
	${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
	EOF
	# Swap as a last resort only (author's in-file note).
	mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
	vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
	vm.vfs_cache_pressure=50
	EOF
}
rule__login_init () {
	# Console login and account policy.
	# securetty: allow root to log in on the Xen consoles hvc0 and xvc0;
	# the grep guards keep the appends idempotent.
	grep -q hvc0 /etc/securetty ||
	mk_reg mod= own= --append /etc/securetty <<-EOF
	hvc0
	EOF
	grep -q xvc0 /etc/securetty ||
	mk_reg mod= own= --append /etc/securetty <<-EOF
	xvc0
	EOF
	# inittab: the stock Debian sysvinit table with the tty gettys replaced
	# by one on the Xen console hvc0 (xvc0 left commented out).
	mk_reg mod=644 own=root:root /etc/inittab <<-EOF
	# /etc/inittab: init(8) configuration.

	# The default runlevel.
	id:2:initdefault:

	# Boot-time system configuration/initialization script.
	# This is run first except when booting in emergency (-b) mode.
	si::sysinit:/etc/init.d/rcS

	# What to do in single-user mode.
	~~:S:wait:/sbin/sulogin

	# /etc/init.d executes the S and K scripts upon change
	# of runlevel.
	#
	# Runlevel 0 is halt.
	# Runlevel 1 is single-user.
	# Runlevels 2-5 are multi-user.
	# Runlevel 6 is reboot.

	l0:0:wait:/etc/init.d/rc 0
	l1:1:wait:/etc/init.d/rc 1
	l2:2:wait:/etc/init.d/rc 2
	l3:3:wait:/etc/init.d/rc 3
	l4:4:wait:/etc/init.d/rc 4
	l5:5:wait:/etc/init.d/rc 5
	l6:6:wait:/etc/init.d/rc 6
	# Normally not reached, but fallthrough in case of emergency.
	z6:6:respawn:/sbin/sulogin

	# What to do when CTRL-ALT-DEL is pressed.
	ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

	# What to do when the power fails/returns.
	pf::powerwait:/etc/init.d/powerfail start
	pn::powerfailnow:/etc/init.d/powerfail now
	po::powerokwait:/etc/init.d/powerfail stop

	# Xen hypervisor console
	hvc:2345:respawn:/sbin/getty 38400 hvc0
	#xvc:2345:respawn:/sbin/getty 38400 xvc0
	EOF
	# login.defs: failed-login and su/sg logging on, SHA512 password
	# hashes, 3 attempts / 60 s per login, no password ageing.  The two
	# NOTE blocks inside are the author's rationale for sbin in ENV_PATH
	# and for UMASK 007 (group trusted like the owner, which is what the
	# ACL-based sharing of rule_user_init relies on).
	mk_reg mod=644 own=root:root /etc/login.defs <<-EOF
	MAIL_DIR /var/mail
	FAILLOG_ENAB yes
	LOG_UNKFAIL_ENAB no
	LOG_OK_LOGINS no
	SYSLOG_SU_ENAB yes
	SYSLOG_SG_ENAB yes
	FTMP_FILE /var/log/btmp
	SU_NAME su
	HUSHLOGIN_FILE .hushlogin
	ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
	# NOTE: met les sbin/ dans ENV_PATH ;
	# - ça n'apporte aucune protection de ne pas les mettre ;
	# - ça frustre de ne pas les trouver.
	TTYGROUP tty
	TTYPERM 0600
	ERASECHAR 0177
	KILLCHAR 025
	UMASK 007
	# NOTE: rwxrwx--- ;
	# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
	# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
	PASS_MAX_DAYS 99999
	PASS_MIN_DAYS 0
	PASS_WARN_AGE 7
	UID_MIN 1000
	UID_MAX 60000
	GID_MIN 1000
	GID_MAX 60000
	LOGIN_RETRIES 3
	LOGIN_TIMEOUT 60
	CHFN_RESTRICT rwh
	DEFAULT_HOME yes
	USERGROUPS_ENAB yes
	ENCRYPT_METHOD SHA512
	EOF
	# pam_umask applies login.defs' UMASK to PAM sessions (sshd, su...) as
	# well as to console logins; appended once (the `\>` is GNU grep).
	grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
	mk_reg mod= own= --append /etc/pam.d/common-session <<-EOF
	session optional pam_umask.so
	EOF
}
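rule__user_root_init () {
	# Root's dotfiles live under /root/etc like the users' (see the
	# /etc/skel layout of rule_user_init); ~/.ssh and ~/.gnupg are links.
	mk_dir mod=750 own=root:root /root/etc
	mk_dir mod=750 own=root:root /root/etc/ssh
	mk_dir mod=750 own=root:root /root/etc/gpg
	mk_lnk etc/gpg /root/.gnupg
	mk_lnk etc/ssh /root/.ssh
	# root's authorized_keys = concatenation of the authorized_keys of every
	# member of group sudo.  Being in sudo already means being root, so
	# this grants no new privilege, only a direct login path.
	getent group sudo |
	while IFS=: read -r _group _pw _gid users
	do
		# The member list is ONE comma-separated field: split it.  A single
		# `IFS=, read -r user` assigns the whole "a,b,c" list to `user`,
		# which only worked while sudo had exactly one member.
		printf '%s\n' "$users" | tr ',' '\n' |
		while IFS= read -r user
		do
			# Home from the passwd database rather than `eval "~$user"`:
			# the name is expanded, never evaluated as shell code.
			home=$(getent passwd "$user" | cut -d : -f 6)
			[ -n "$home" ] || continue
			# A member without keys must not abort the loop (set -e is
			# live in this subshell) and silently truncate the result.
			if [ -r "$home"/etc/ssh/authorized_keys ]
			then cat "$home"/etc/ssh/authorized_keys
			else printf '%s: no authorized_keys for sudo member %s\n' "$0" "$user" >&2
			fi
		done
	done |
	mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
	# Import every published OpenPGP key into root's keyring (gpg runs as
	# root under sudo, so the keyring is /root/.gnupg -> etc/gpg).
	sudo find "$tool"/var/pub/openpgp -type f -name '*.key' -exec gpg --import {} \;
}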
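rule__initramfs_init () {
	# Build the initramfs that unlocks the LUKS root over the network:
	# busybox + dropbear on eth0 (the ip= of rule__boot_init's kernel line
	# configures it), the crypto modules the root volume needs, and the
	# authorized_keys of every sudo member so they can enter the
	# passphrase remotely.
	mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
	MODULES=most
	BUSYBOX=y
	KEYMAP=y
	COMPRESS=gzip
	DEVICE=eth0
	EOF
	mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF
	alias eth0 xennet
	alias scsi_hostadapter xenblk
	EOF
	mk_reg mod=644 own=root:root /etc/modules <<-EOF
	sha1_generic
	sha256_generic
	sha512_generic
	aes-x86_64
	xts
	# NOTE: pour Xen en mode HVM :
	#modprobe xen-platform-pci
	EOF
	mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF
	EOF
	# NOTE: works around a bug: dropbear must wait for the network to be
	# configured, so the `&` that backgrounds configure_networking is
	# removed.  NOTE(review): this edits a package-owned file under
	# /usr/share; a dropbear upgrade restores the `&` until this rule runs
	# again.
	sudo sed -e '/^configure_networking /s/ &$//' \
	 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
	sudo rm -f \
	 /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
	 /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
	# A host key is generated only when etc/openssh/known_hosts has no
	# line for init.$vm_fqdn ending in " RSA" (resp. " DSA") -- ssh-keygen -F
	# prints the raw known_hosts lines, so this relies on the key comment
	# the project stores; `exit` ends the subshell, which is what the
	# pipeline's status is taken from.
	# NOTE(review): the key files were just deleted above, yet when the
	# entry exists nothing here recreates them -- confirm another step
	# restores the stored key, otherwise the initramfs ships without a
	# dropbear host key.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	  do case $line in (*" RSA") exit 0;; esac
	  done; exit 1 ) ||
	sudo dropbearkey -t rsa -s 4096 -f \
	 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
	# NOTE(review): 1024-bit ssh-dss is refused by default by OpenSSH
	# clients since 7.0; the RSA key above is the one clients will use.
	ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	  do case $line in (*" DSA") exit 0;; esac
	  done; exit 1 ) ||
	sudo dropbearkey -t dss -s 1024 -f \
	 /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
	# NOTE(review): mod=640 gives a directory no search bit -- presumably
	# mk_dir adjusts it; confirm.
	mk_dir mod=640 own=root:root \
	 /etc/initramfs-tools/root \
	 /etc/initramfs-tools/root/.ssh
	# Same construction as rule__user_root_init: one authorized_keys made
	# of every sudo member's.  The member field is comma-separated and is
	# split here -- a single `IFS=, read -r user` took the whole list as
	# one name and only worked with exactly one member.
	getent group sudo |
	while IFS=: read -r _group _pw _gid users
	do
		printf '%s\n' "$users" | tr ',' '\n' |
		while IFS= read -r user
		do
			# getent instead of eval "~$user": expanded, never evaluated.
			home=$(getent passwd "$user" | cut -d : -f 6)
			[ -n "$home" ] || continue
			if [ -r "$home"/etc/ssh/authorized_keys ]
			then cat "$home"/etc/ssh/authorized_keys
			else printf '%s: no authorized_keys for sudo member %s\n' "$0" "$user" >&2
			fi
		done
	done |
	mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
	# NOTE: keys generated by Debian; not used by this setup.
	sudo rm -f \
	 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
	 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
	 /etc/initramfs-tools/root/.ssh/id_rsa
	sudo update-initramfs -u
}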
rule__boot_init () {
	# Boot loader and kernel for a Xen PV guest: GRUB on the VM's own
	# /boot, serial console on hvc0, static ip= so the initramfs' dropbear
	# is reachable (rule__initramfs_init), resume from the encrypted swap.
	# XXX: when debconf asks, install GRUB on NONE of the disks offered!
	sudo apt-get install --reinstall grub-pc
	# NOTE(review): mod=644 on a directory has no search bit -- presumably
	# mk_dir adjusts it; confirm.
	mk_dir mod=644 own=root:root /boot/grub
	sudo apt-get install --reinstall linux-image-$vm_arch
	# NOTE(review): resume= names ${vm}_swap_deciphered while fstab and
	# crypttab (rule__filesystem_init) name ${vm_lvm_lv}_swap_deciphered;
	# unless $vm and $vm_lvm_lv are always equal, resume points at a
	# device that does not exist -- confirm against etc/vm.sh.
	mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
	GRUB_DEFAULT=0
	GRUB_TIMEOUT=5
	GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
	GRUB_CMDLINE_LINUX_DEFAULT="quiet"
	GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
	GRUB_DISABLE_RECOVERY="true"
	#GRUB_PRELOAD_MODULES="lvm"
	EOF
	# hd0 is the guest's xvda; the second line gives the same disk under
	# the host's device-mapper name (dashes doubled, as dm does for LV
	# names), presumably for when the image is handled from the host.
	mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF
	(hd0) /dev/xvda
	(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
	EOF
	# NOTE: takes /boot/grub/device.map into account.
	sudo update-grub2
	rule__initramfs_init
}
rule__bin_init () {
	# Put this script on root's PATH.  NOTE(review): tool=${0%/*} at the
	# top of the file does not resolve links, so running it through this
	# link makes tool=/usr/local/sbin -- check what $0 is in that case
	# before relying on the link.
	mk_lnk "$tool"/vm_hosted /usr/local/sbin/
}
rule_init () {
	# First-time setup of the hosted VM: each internal rule__*_init step,
	# in dependency order (network before apt, filesystem before boot...).
	local step
	for step in etckeeper locale network apt filesystem login user_root boot bin
	do rule__${step}_init
	done
}
330
rule_disk_key_change () {
	# Change a passphrase of the root LUKS volume (cryptsetup prompts for
	# the old and the new one).  Nothing to do for var, home and swap:
	# their crypttab entries (rule__filesystem_init) derive their key from
	# the root mapping with decrypt_derived, so root holds the only
	# passphrase.
	sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
}
334
rule_user_init () {
	# Per-user layout (copied from /etc/skel by adduser): ~/etc for config
	# (ssh, apache2), ~/var for state and logs, ~/tmp; ~/.ssh and ~/.gnupg
	# are links into etc/.  Group adm shares the config dirs (770), the
	# rest is private (700).
	mk_dir mod=750 own="root:adm" /etc/skel/etc
	mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
	mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/var
	mk_dir mod=700 own="root:adm" /etc/skel/var/log
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/tmp
	mk_dir mod=700 own="root:adm" /etc/skel/tmp
	mk_lnk etc/ssh /etc/skel/.ssh
	mk_lnk etc/gpg /etc/skel/.gnupg
	# Generate the sshd RSA host key only when etc/openssh/known_hosts has
	# no line for $vm_fqdn ending in " RSA" (ssh-keygen -F prints the raw
	# known_hosts line, so this relies on the stored key comment).  The
	# `return` inside the subshell ends the subshell with that status;
	# `break` after it is never reached.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	do case $line in (*" RSA") return 0; break;; esac
	done; return 1 ) ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	# NOTE: keys generated by Debian; only the RSA key is served (HostKey
	# below), so the DSA and ECDSA ones go.
	sudo rm -f \
	 /etc/ssh/ssh_host_dsa_key \
	 /etc/ssh/ssh_host_dsa_key.pub \
	 /etc/ssh/ssh_host_ecdsa_key \
	 /etc/ssh/ssh_host_ecdsa_key.pub
	# sshd: key-only authentication (passwords and challenge-response off),
	# root allowed with a key, keys read from ~/etc/ssh/authorized_keys to
	# match the layout above, listening on the VM address only.
	# NOTE(review): Protocol, KeyRegenerationInterval, ServerKeyBits,
	# RSAAuthentication, RhostsRSAAuthentication and UsePrivilegeSeparation
	# are SSH-1 / pre-OpenSSH-7.x options that newer servers warn about or
	# reject -- run `sshd -t` on the target version before the restart.
	# NOTE(review): mod=664 makes the file group-writable (group root);
	# 644 is the conventional mode for sshd_config.
	mk_reg mod=664 own=root:root /etc/ssh/sshd_config <<-EOF
	Port 22
	ListenAddress $vm_ipv4
	#ListenAddress ::
	Protocol 2
	Compression yes
	HostKey /etc/ssh/ssh_host_rsa_key
	UsePrivilegeSeparation yes
	KeyRegenerationInterval 3600
	ServerKeyBits 768
	SyslogFacility AUTH
	LogLevel INFO
	LoginGraceTime 120
	PermitRootLogin yes
	StrictModes yes
	RSAAuthentication yes
	PubkeyAuthentication yes
	AuthorizedKeysFile %h/etc/ssh/authorized_keys
	IgnoreRhosts yes
	RhostsRSAAuthentication no
	HostbasedAuthentication no
	IgnoreUserKnownHosts no
	PermitEmptyPasswords no
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	KerberosAuthentication no
	GSSAPIAuthentication no
	X11Forwarding no
	X11DisplayOffset 10
	PrintMotd no
	DebianBanner no
	PrintLastLog yes
	TCPKeepAlive yes
	ClientAliveInterval 0
	AcceptEnv LANG LC_*
	Subsystem sftp /usr/lib/openssh/sftp-server
	UsePAM yes
	EOF
	sudo service ssh restart
	# Bootstrap rule for accounts created by rule_user_admin_add, which
	# have no password: a sudo member may run, without password, exactly
	# this /bin/sh command, which itself only runs passwd on $SUDO_USER and
	# only while that account is locked ("L" in `passwd --status`).  Once
	# a password is set the rule no longer does anything.  sudo matches the
	# whole command string, so no other shell command is unlocked by it.
	mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
	case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
	("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
	EOF
	# Goes with AVOID_COMMIT_BEFORE_INSTALL in rule__etckeeper_init.
	mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
	%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
	EOF
	# Keep the git identity and editor across sudo, so etckeeper commits
	# made as root carry the admin's name.
	mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-EOF
	Defaults env_keep = " \\
	EDITOR \\
	GIT_AUTHOR_NAME \\
	GIT_AUTHOR_EMAIL \\
	GIT_COMMITTER_NAME \\
	GIT_COMMITTER_EMAIL \\
	"
	EOF
	# The user-facing wrapper for the passwd-init sudoers rule above; the
	# command string must stay byte-identical to the sudoers one.
	mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-EOF
	#!/bin/sh
	sudo /bin/sh -e -f -u -c \
	'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
	EOF
}
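rule_user_admin_add () { # SYNTAX: $user
	# Create a local administrator: an account without password (the user
	# sets one later with passwd-init, see rule_user_init), membership of
	# group sudo, the published SSH key as authorized_keys, then a rebuild
	# of the initramfs' and root's authorized_keys so the new member can
	# unlock the disks and log in as root.
	local user=$1
	local home
	id "$user" >/dev/null ||
	sudo adduser --disabled-password "$user"
	# NOTE: the password must be set by the user with passwd-init.
	sudo adduser "$user" sudo
	# Home from the passwd database rather than `eval "~$user"`: the name
	# given on the command line is expanded, never evaluated as shell code.
	home=$(getent passwd "$user" | cut -d : -f 6)
	if [ -z "$home" ]
	then
		printf '%s: no passwd entry for %s\n' "${0##*/}" "$user" >&2
		return 1
	fi
	mk_reg mod=640 own="$user:$user" "$home"/etc/ssh/authorized_keys \
	 <"$tool"/var/pub/ssh/"$user".key
	rule__initramfs_init
	rule__user_root_init
	# Same directory rule__user_root_init imports from (var/pub/openpgp,
	# which also covers this key); the earlier "opengpg" spelling did not
	# match it -- confirm the directory name in the repository.
	sudo gpg --import "$tool"/var/pub/openpgp/"$user".key
	# TODO: import every user's key (rule__user_root_init already imports
	# the whole directory into root's keyring).
}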
rule_user_mail_format () {
	# Mail stack configuration: per-user procmail delivery (skeleton),
	# postfix, dovecot IMAP with SASL for postfix, postgrey.  Packages are
	# installed by rule_mail_install.
	mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
	mk_dir mod=770 own=root:adm /etc/skel/var/mail
	mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
	# Default delivery recipe, invoked by postfix's mailbox_command below
	# with six arguments.  As shipped it forwards every message to the
	# address found in the 5th comma field of the user's GECOS entry
	# (EMAIL), keeping any +extension and re-sending with the original
	# envelope sender (FROM_); local IMAP and UUCP delivery are commented
	# alternatives.  NOTE(review): forwarding with the original envelope
	# sender is what the recipient's SPF check sees, so such forwards can
	# be rejected there -- a known trade-off, worth a line here.
	mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
	# vim: ft=procmail

	# NOTE: paramètres passés par postfix
	SENDER=\$1
	RECIPIENT=\$2
	USER=\$3
	EXTENSION=\$4
	DOMAIN=\$5
	ORIGINAL_RECIPIENT=\$6

	PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
	MAILDIR="\$HOME/var/mail/"
	DEFAULT="\$MAILDIR"
	#LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
	LOGFILE="/dev/null"
	LOGABSTRACT=all
	LOGABSTRACT
	VERBOSE
	SHELL=/bin/sh
	SHELLMETAS=&|<>~;?*%{}

	# DESCRIPTION: supprime les doublons en fonction du champ Message-Id
	#:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
	#| formail -D 8192 "\$HOME/var/cache/procmail/msgid"

	# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
	EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
	# NOTE: récupère l’adresse courriel dans le champ GECOS
	FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
	# NOTE: récupère l’expéditeur inscrit sur l’enveloppe
	:0
	| \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"

	# DESCRIPTION: IMAP
	#:0
	#| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"

	# DESCRIPTION: UUCP
	#:0
	#| /usr/bin/uux \
	# -I "\$HOME/etc/uucp/uucp.cfg" \
	# --nouucico \
	# --notification=error \
	# --requestor "\$USER" \
	# - "\$USER!rmail" "(\$USER)"
	EOF
	# postfix main.cf.  Shape of the policy, for the reader:
	# - mynetworks is loopback only; relaying needs a TLS client cert or
	#   SASL (permit_tls_clientcerts / permit_sasl_authenticated), else
	#   reject_unauth_destination;
	# - inbound mail goes through postgrey (inet:127.0.0.1:10023) and an
	#   SPF policy daemon (unix:private/spfcheck) only when it is for us;
	# - SASL is dovecot's (private/auth) and only over TLS
	#   (smtpd_tls_auth_only = yes), yet smtpd_discard_ehlo_keywords hides
	#   STARTTLS on this smtpd -- presumably a submission service in
	#   master.cf (not shown) re-enables it; confirm, or AUTH is unusable;
	# - local delivery hands each message to the user's delivery.rc above.
	# NOTE(review): smtpd_tls_mandatory_protocols = TLSv1, the sha1
	# fingerprint digests and the commented AES256-SHA cipher are dated
	# choices; current Postfix defaults are stricter -- revisit.
	# NOTE(review): mod=664 makes main.cf group-writable (group root).
	# Lines that start with whitespace inside the here-document are
	# postfix continuation lines; they must keep at least one space after
	# the tab that <<- strips.
	mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
	# /etc/postfix/main.cf
	# SEE: http://postfix.traduc.org/index.php/TLS_README.html

	parent_domain_matches_subdomains =
	#debug_peer_list
	#fast_flush_domains
	#mynetworks
	#permit_mx_backup_networks
	#qmqpd_authorized_clients
	#smtpd_access_maps
	mydomain = $vm_domainname
	myorigin = \$mydomain
	myhostname = $vm_hostname.\$mydomain
	mail_name = \$myhostname
	mydestination =
	  $vm_hostname
	  \$myhostname
	  \$myorigin
	mynetworks =
	  127.0.0.0/8
	  #[::1]/128
	inet_protocols = ipv4
	# "all" to activate IPv6
	inet_interfaces = all
	permit_mx_backup_networks =

	alias_database =
	  hash:/etc/aliases
	# NOTE: fichier de hash contenant une table d’alias mail.
	# Celle-ci est éditable dans /etc/aliases, puis (indispensable)
	# regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
	alias_maps =
	  hash:/etc/aliases
	recipient_delimiter = +
	# NOTE: séparateur entre le nom d’utilisateur
	# et les extensions d’adresse (par défaut le signe +).
	#virtual_alias_domains =
	virtual_alias_maps =
	  hash:/etc/postfix/\$mydomain/virtual
	# NOTE: do not specify virtual alias domain names in the main.cf
	# mydestination or relay_domains configuration parameters.
	#
	# With a virtual alias domain, the Postfix SMTP server
	# accepts mail for known-user@virtual-alias.domain, and
	# rejects mail for unknown-user@virtual-alias.domain as
	# undeliverable.
	#relayhost =
	relay_clientcerts =
	  hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
	relay_domains =
	  \$mydestination
	# NOTE: ajouter les domaines pour lesquels on est backup MX ici,
	# pas dans mydestination ou virtual_alias...

	maximal_queue_lifetime = 5d

	header_checks =
	  regexp:/etc/postfix/\$mydomain/header_checks
	mime_header_checks =
	nested_header_checks =
	milter_header_checks =
	body_checks =

	#content_filter = amavisfeed:[127.0.0.1]:10024
	#receive_override_options = no_address_mappings
	# no_unknown_recipient_checks
	# Do not try to reject unknown recipients (SMTP server only).
	# This is typically specified AFTER an external content filter.
	# no_address_mappings
	# Disable canonical address mapping, virtual alias map expansion,
	# address masquerading, and automatic BCC (blind carbon-copy) recipients.
	# This is typically specified BEFORE an external content filter (eg. amavis).
	# no_header_body_checks
	# Disable header/body_checks. This is typically specified AFTER an external content filter.
	# no_milters
	# Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
	#local_header_rewrite_clients =
	transport_maps =
	  hash:/etc/postfix/\$mydomain/transport_maps
	mailbox_command =
	  /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
	mailbox_size_limit = 0
	biff = no
	# Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
	append_dot_mydomain = no
	# appending .domain is the MUA's job.

	#tls_random_source =
	# dev:/dev/urandom
	# Non-blocking
	#tls_random_reseed_period = 3600s
	#tls_random_exchange_name =
	# \${data_directory}/prng_exch
	# NOTE: à ne pas mettre dans la cage chroot
	#tls_random_bytes = 32
	#tls_random_prng_update_period = 3600s
	#tls_high_cipherlist = AES256-SHA
	# NOTE: postconf(5) déconseille de changer ceci

	#smtp_cname_overrides_servername = no
	smtp_connect_timeout = 60s
	#smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
	#smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
	#smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
	#smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
	#smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
	# NOTE: déprécié en faveur de smtp_tls_policy_maps
	smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
	smtp_tls_fingerprint_digest = sha1
	smtp_tls_scert_verifydepth = 5
	#smtp_tls_secure_cert_match = nexthop, dot-nexthop
	#smtp_tls_verify_cert_match = hostname
	#smtp_tls_note_starttls_offer = yes
	smtp_tls_loglevel = 1
	smtp_tls_protocols = !SSLv2, !SSLv3
	# Only allow TLSv*
	smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
	#smtp_tls_session_cache_timeout = 3600s
	smtp_tls_security_level = may
	smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
	smtp_body_checks =
	smtp_mime_header_checks =
	smtp_nested_header_checks =

	smtpd_starttls_timeout = 300s
	smtpd_banner =
	  \$myhostname ESMTP \$mail_name (Debian/GNU)

	# Restrictions
	smtpd_helo_required = yes
	strict_rfc821_envelopes = yes
	smtpd_authorized_xclient_hosts = 127.0.0.1
	# NOTE: utile pour tester les restrictions

	smtpd_helo_restrictions =
	  reject_invalid_helo_hostname
	  reject_non_fqdn_helo_hostname
	  #reject_unknown_helo_hostname
	  # NOTE: pourrait pourtant être utile pour lutter contre le spam
	  permit

	smtpd_sender_restrictions =
	  permit_mynetworks
	  permit_tls_clientcerts
	  permit_sasl_authenticated
	  check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
	  check_sender_access hash:/etc/postfix/sender_blacklist
	  reject_unauth_pipelining
	  reject_non_fqdn_sender
	  #reject_unknown_sender_domain
	  # NOTE: temporaire
	  permit

	smtpd_client_new_tls_session_rate_limit = 0
	smtpd_client_event_limit_exceptions = \$mynetworks
	smtpd_client_recipient_rate_limit = 0
	smtpd_client_connection_count_limit = 50
	smtpd_client_connection_rate_limit = 0
	smtpd_client_message_rate_limit = 0
	smtpd_client_port_logging = no

	smtpd_client_restrictions =
	  check_client_access hash:/etc/postfix/client_blacklist

	policy_time_limit = 3600
	default_extra_recipient_limit = 5000
	duplicate_filter_limit = 5000
	smtpd_recipient_limit = 5000
	smtpd_recipient_overshoot_limit = 5000
	smtpd_recipient_restrictions =
	  reject_non_fqdn_recipient
	  #reject_invalid_hostname
	  # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
	  # dans smtpd_helo_restrictions
	  reject_unknown_recipient_domain
	  #reject_non_fqdn_sender
	  # NOTE: dans smtpd_sender_restrictions
	  reject_unauth_pipelining
	  # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
	  permit_mynetworks
	  permit_tls_clientcerts
	  permit_sasl_authenticated
	  reject_unauth_destination
	  # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
	  # ou quelqu'un pour lequel on tient lieu de backup_mx
	  check_policy_service inet:127.0.0.1:10023
	  # NOTE: Postgrey (greylisting)
	  check_policy_service unix:private/spfcheck
	  permit_auth_destination
	  # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
	  # (voir permit_auth_destination) ; sans doute redondant
	  reject
	#check_relay_domains <- removed from postfix
	#reject_unknown_sender_domain
	# aurait probablement été mieux dans smtpd_sender_restrictions
	#reject_rbl_client bl.spamcop.net
	#reject_rbl_client list.dsbl.org
	#reject_rbl_client zen.spamhaus.org
	#reject_rbl_client dnsbl.sorbs.net

	smtpd_data_restrictions =
	  reject_unauth_pipelining
	  # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
	  permit

	#smtpd_end_of_data_restrictions =

	#smtpd_restriction_classes =

	smtpd_error_sleep_time = 5
	# NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.

	# SASL
	smtpd_sasl_auth_enable = yes
	smtpd_sasl_type = dovecot
	smtpd_sasl_path = private/auth
	smtpd_sasl_security_options = noanonymous
	smtpd_sasl_domain = \$mydomain

	# SMTPD TLS
	smtpd_discard_ehlo_keywords = starttls
	# NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
	# se mangent une erreur en tentant un starttls
	smtpd_tls_fingerprint_digest = sha1
	# sha512 ?
	smtpd_tls_mandatory_protocols = TLSv1
	smtpd_tls_mandatory_ciphers = high
	smtpd_tls_ciphers = high
	# restrictif. s/high/medium/ ?
	smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
	smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
	smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
	smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
	##
	#smtpd_tls_received_header = no
	smtpd_tls_session_cache_database =
	  btree:/var/lib/postfix/smtpd_tls_session_cache
	#smtpd_tls_session_cache_timeout = 3600s
	smtpd_tls_security_level = may
	# Postfix 2.3 and later
	# encrypt
	# Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
	# encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
	# SMTP server. Instead, this option should be used only on dedicated servers.
	smtpd_tls_loglevel = 1
	smtpd_tls_ccert_verifydepth = 5
	smtpd_tls_auth_only = yes
	# Pas d'AUTH SASL sans TLS
	smtpd_tls_ask_ccert = no
	smtpd_tls_req_ccert = no
	#smtpd_tls_always_issue_session_ids = yes
	smtpd_peername_lookup = yes
	# Nécessaire pour postgrey, etc
	smtpd_milters =
	non_smtpd_milters =
	line_length_limit = 2048
	queue_minfree = 0
	message_size_limit = 20480000
	#smtpd_enforce_tls # NOTE: obsolète
	#smtpd_use_tls # NOTE: obsolète
	#smtpd_tls_cipherlist # NOTE: obsolète

	readme_directory = no
	#delay_warning_time = 4h
	# NOTE: uncomment the previous line to generate "delayed mail" warnings
	#debug_peer_level = 4
	#debug_peer_list = .\$myhostname
	EOF
	# dovecot: IMAP only, maildir under ~/var/mail, per-user passwd-file
	# credentials (~/etc/dovecot/passwd), TLS client certificates required
	# (ssl_verify_client_cert, username taken from the cert) and the SASL
	# socket postfix's smtpd_sasl_path points at.  mail_debug/verbose_ssl
	# are on -- chatty logs, fine on a small box.
	# NOTE(review): ssl_cipher_list pins the single AES256-SHA suite; as
	# with postfix above, worth revisiting against current TLS guidance.
	mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
	auth_ssl_username_from_cert = yes
	listen = *
	log_timestamp = "%Y-%m-%d %H:%M:%S "
	mail_debug = yes
	mail_location = maildir:~/var/mail
	mail_privileged_group = mail
	passdb {
	args = /home/%u/etc/dovecot/passwd
	driver = passwd-file
	}
	protocols = imap
	service auth {
	unix_listener /var/spool/postfix/private/auth {
	group = postfix
	mode = 0660
	user = postfix
	}
	user = root
	}
	ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
	ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
	ssl_cipher_list = AES256-SHA
	ssl_key = </etc/dovecot/imap/tls/key.pem
	ssl_verify_client_cert = yes
	userdb {
	driver = passwd
	}
	verbose_ssl = yes
	protocol lda {
	auth_socket_path = /var/run/dovecot/auth-master
	hostname = $vm_domainname
	info_log_path = /var/log/dovecot/lda/info.log
	log_path = /var/log/dovecot/lda/error.log
	mail_plugins = sieve
	postmaster_address = contact+dovecot+lda@$vm_domainname
	}
	EOF
	# Empty local whitelist so postgrey has the file to read.
	mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
	EOF
}
rule_mail_install () {
	# Packages behind rule_user_mail_format; run this first.
	# NOTE(review): on Debian the IMAP server is packaged as dovecot-imapd
	# (pulling dovecot-core) -- confirm a "dovecot" package name resolves
	# on the target release.
	sudo apt-get install postfix postgrey dovecot
}
798
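# Dispatch: `vm_hosted RULE ARGS...` runs rule_RULE with ARGS; no rule
# means help.
rule=${1:-help}
${1+shift}
case $rule in
	(help) ;;
	(*)
		# Safety catch: every other rule rewrites system files, so refuse
		# to run anywhere but on the VM described by etc/vm.sh -- and say
		# so, instead of dying silently under set -e.
		host=$(hostname --fqdn)
		if [ "$host" != "$vm_fqdn" ]
		then
			printf '%s: this host is %s, not %s; refusing to run rule %s\n' \
			 "${0##*/}" "$host" "$vm_fqdn" "$rule" >&2
			exit 1
		fi
		# TRACE=1 echoes commands before running them.  This must not be
		# written `set "${TRACE:+-x}"`: with TRACE unset that runs
		# `set ""`, which replaces the rule's arguments by a single empty
		# one (rule_user_admin_add "" instead of rule_user_admin_add alice).
		case ${TRACE:-} in
			('') ;;
			(*) set -x;;
		esac
		;;
esac
# An unknown rule would otherwise fail with a bare "rule_x: not found".
command -v "rule_$rule" >/dev/null 2>&1 || {
	printf '%s: unknown rule %s\n' "${0##*/}" "$rule" >&2
	rule_help
	exit 2
}
rule_$rule "$@"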