dépôts / lhc / ateliers.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Polissage.
[lhc/ateliers.git] / vm_hosted
1 #!/bin/sh
2 set -e -f ${DRY_RUN:+-n} -u
3 tool=${0%/*}
4 . "$tool"/lib/rule.sh
5 . "$tool"/etc/vm.sh
6 . "$tool"/lib/mk.sh
7
8 rule_help () { # SYNTAX: [--hidden]
9 local hidden; [ ${1:+set} ] || hidden=set
10 cat >&2 <<-EOF
11 DESCRIPTION:
12 ce script regroupe des règles pour administrer la VM ($vm_fqdn)
13 _depuis_ la VM hébergée ($vm_fqdn) ;
14 il sert à la fois d'outil (aisément bidouillable)
15 et de documentation (préçise).
16 Voir \`$tool/vm_host' pour les règles côté machine hôte ($vm_host).
17 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
18 RULES:
19 $(sed -ne "s/^rule_\(${hidden:+[^_]}[^ ]*\) () {\( *#.*\|\)/ \1\2/p" "$tool"/etc/vm.sh "$0")
20 ENVIRONMENT:
21 TRACE # affiche les commandes avant leur exécution
22 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/etc/vm.sh "$0")
23 EOF
24 }
25
26 rule_git_config () {
27 (
28 cd "$tool"
29 git config --replace branch.master.remote .
30 git config --replace branch.master.merge refs/remotes/master
31 )
32 }
33 rule_git_reset () {
34 (
35 cd "$tool"
36 git checkout -f -B master remotes/master
37 git clean -f -d -x
38 )
39 }
40
41 rule_apt_get_install () { # SYNTAX: $package
42 case $(dpkg -s "$1" | grep '^Status: ') in
43 ("Status: install ok installed");;
44 (*)
45 test ! -x /usr/bin/etckeeper ||
46 assert 'sudo etckeeper unclean'
47 sudo apt-get "$@";;
48 esac
49 }
50
51 rule__chrooted_configure () { # NOTE: est-ce bien utile à un moment ?
52 export LANG=C
53 export LC_CTYPE=C
54 . /etc/profile
55 }
56
57 rule_apt_configure () {
58 mk_reg mod= own= /etc/apt/sources.list <<-EOF
59 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
60 EOF
61 mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
62 #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
63 EOF
64 mk_reg mod= own= /etc/apt/preferences <<-EOF
65 Package: *
66 Pin: release a=$vm_lsb_name
67 Pin-Priority: 170
68
69 Package: *
70 Pin: release a=$vm_lsb_name-backports
71 Pin-Priority: 200
72 EOF
73 mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
74 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
75 EOF
76 }
77 rule_apticron_configure () {
78 rule apt_get_install apticron
79 mk_reg mod=644 own=root:root /etc/apticron/apticron.conf <<-EOF
80 EMAIL="admin@heureux-cyclage.org"
81 # DIFF_ONLY="1"
82 # LISTCHANGES_PROFILE="apticron"
83 # ALL_FQDNS="1"
84 # SYSTEM="foobar.example.com"
85 # IPADDRESSNUM="1"
86 # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
87 # NOTIFY_HOLDS="0"
88 # NOTIFY_NEW="0"
89 # NOTIFY_NO_UPDATES="0"
90 # CUSTOM_SUBJECT=""
91 # CUSTOM_NO_UPDATES_SUBJECT=""
92 # CUSTOM_FROM="root@ateliers.heureux-cyclage.org"
93 EOF
94 }
95 rule_boot_configure () {
96 warn "attention à n'installer GRUB sur AUCUN disque proposé !"
97 rule apt_get_install grub-pc
98 mk_dir mod=644 own=root:root /boot/grub
99 rule apt_get_install linux-image-$vm_arch
100 mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
101 GRUB_DEFAULT=0
102 GRUB_TIMEOUT=5
103 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
104 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
105 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
106 GRUB_DISABLE_RECOVERY="true"
107 #GRUB_PRELOAD_MODULES="lvm"
108 EOF
109 mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF
110 (hd0) /dev/xvda
111 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
112 EOF
113 sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
114 rule initramfs_configure
115 }
116 rule_etckeeper_configure () {
117 mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF
118 VCS=git
119 GIT_COMMIT_OPTIONS=""
120 AVOID_DAILY_AUTOCOMMITS=1
121 #AVOID_SPECIAL_FILE_WARNING=1
122 AVOID_COMMIT_BEFORE_INSTALL=1
123 HIGHLEVEL_PACKAGE_MANAGER=apt
124 LOWLEVEL_PACKAGE_MANAGER=dpkg
125 EOF
126 rule apt_get_install etckeeper
127 }
128 rule_filesystem_configure () {
129 mk_reg mod=644 own=root:root /etc/fstab <<-EOF
130 # <file system> <mount point> <type> <options> <dump> <pass>
131 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
132 proc /proc proc defaults 0 0
133 sysfs /sys sysfs defaults 0 0
134 tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
135 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
136 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
137 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
138 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
139 EOF
140 mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
141 # <target name> <source device> <key file> <options>
142 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
143 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
144 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
145 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
146 EOF
147 mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
148 vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
149 vm.vfs_cache_pressure=50
150 EOF
151 }
152 rule_initramfs_configure () {
153 mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
154 MODULES=most
155 BUSYBOX=y
156 KEYMAP=y
157 COMPRESS=gzip
158 DEVICE=eth0
159 EOF
160 mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF
161 alias eth0 xennet
162 alias scsi_hostadapter xenblk
163 EOF
164 mk_reg mod=644 own=root:root /etc/modules <<-EOF
165 sha1_generic
166 sha256_generic
167 sha512_generic
168 aes-x86_64
169 xts
170 # NOTE: pour Xen en mode HVM :
171 #modprobe xen-platform-pci
172 EOF
173 mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF
174 EOF
175 sudo sed -e '/^configure_networking /s/ &$//' \
176 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
177 # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
178 ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
179 ( while IFS= read -r line
180 do case $line in (*" RSA") return 0; break;; esac
181 done; return 1 ) ||
182 {
183 sudo rm -f \
184 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
185 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
186 sudo dropbearkey -t rsa -s 4096 -f \
187 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
188 }
189 # NOTE: ne se préoccupe pas de dropbear_dss_host_key ; Debian la génère et l'utilise néamoins.
190 mk_dir mod=640 own=root:root \
191 /etc/initramfs-tools/root \
192 /etc/initramfs-tools/root/.ssh
193 getent group sudo |
194 while IFS=: read -r group x x users
195 do while test -n "$users" && IFS=, read -r user users <<-EOF
196 $users
197 EOF
198 do eval local home\; home="~$user"
199 cat "$home"/etc/ssh/authorized_keys
200 done
201 done |
202 mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
203 sudo rm -f \
204 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
205 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
206 /etc/initramfs-tools/root/.ssh/id_rsa
207 # NOTE: clefs générées par Debian
208 sudo update-initramfs -u
209 }
210 rule_locale_configure () {
211 mk_reg mod=644 own=root:root /etc/locale.gen <<-EOF
212 fr_FR.UTF-8 UTF-8
213 EOF
214 sudo update-locale
215 }
216 rule_login_configure () {
217 grep -q '^hvc0$' /etc/securetty ||
218 mk_reg mod= own= --append /etc/securetty <<-EOF
219 hvc0
220 EOF
221 grep -q '^xvc0$' /etc/securetty ||
222 mk_reg mod= own= --append /etc/securetty <<-EOF
223 xvc0
224 EOF
225 mk_reg mod=644 own=root:root /etc/inittab <<-EOF
226 # /etc/inittab: init(8) configuration.
227
228 # The default runlevel.
229 id:2:initdefault:
230
231 # Boot-time system configuration/initialization script.
232 # This is run first except when booting in emergency (-b) mode.
233 si::sysinit:/etc/init.d/rcS
234
235 # What to do in single-user mode.
236 ~~:S:wait:/sbin/sulogin
237
238 # /etc/init.d executes the S and K scripts upon change
239 # of runlevel.
240 #
241 # Runlevel 0 is halt.
242 # Runlevel 1 is single-user.
243 # Runlevels 2-5 are multi-user.
244 # Runlevel 6 is reboot.
245
246 l0:0:wait:/etc/init.d/rc 0
247 l1:1:wait:/etc/init.d/rc 1
248 l2:2:wait:/etc/init.d/rc 2
249 l3:3:wait:/etc/init.d/rc 3
250 l4:4:wait:/etc/init.d/rc 4
251 l5:5:wait:/etc/init.d/rc 5
252 l6:6:wait:/etc/init.d/rc 6
253 # Normally not reached, but fallthrough in case of emergency.
254 z6:6:respawn:/sbin/sulogin
255
256 # What to do when CTRL-ALT-DEL is pressed.
257 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
258
259 # What to do when the power fails/returns.
260 pf::powerwait:/etc/init.d/powerfail start
261 pn::powerfailnow:/etc/init.d/powerfail now
262 po::powerokwait:/etc/init.d/powerfail stop
263
264 # Xen hypervisor console
265 hvc:2345:respawn:/sbin/getty 38400 hvc0
266 #xvc:2345:respawn:/sbin/getty 38400 xvc0
267 EOF
268 mk_reg mod=644 own=root:root /etc/login.defs <<-EOF
269 MAIL_DIR /var/mail
270 FAILLOG_ENAB yes
271 LOG_UNKFAIL_ENAB no
272 LOG_OK_LOGINS no
273 SYSLOG_SU_ENAB yes
274 SYSLOG_SG_ENAB yes
275 FTMP_FILE /var/log/btmp
276 SU_NAME su
277 HUSHLOGIN_FILE .hushlogin
278 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
279 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
280 # NOTE: met les sbin/ dans ENV_PATH ;
281 # - ça n'apporte aucune protection de ne pas les mettre ;
282 # - ça frustre de ne pas les trouver.
283 TTYGROUP tty
284 TTYPERM 0600
285 ERASECHAR 0177
286 KILLCHAR 025
287 UMASK 007
288 # NOTE: rwxrwx--- ;
289 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
290 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
291 PASS_MAX_DAYS 99999
292 PASS_MIN_DAYS 0
293 PASS_WARN_AGE 7
294 UID_MIN 1000
295 UID_MAX 60000
296 GID_MIN 1000
297 GID_MAX 60000
298 LOGIN_RETRIES 3
299 LOGIN_TIMEOUT 60
300 CHFN_RESTRICT rwh
301 DEFAULT_HOME yes
302 USERGROUPS_ENAB yes
303 ENCRYPT_METHOD SHA512
304 EOF
305 grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
306 mk_reg mod= own= --append /etc/pam.d/common-session <<-EOF
307 session optional pam_umask.so
308 EOF
309 }
310 rule_network_configure () {
311 mk_reg mod= own= /etc/hostname <<-EOF
312 $vm
313 EOF
314 grep -q " $vm\$" /etc/hosts ||
315 mk_reg mod= own= --append /etc/hosts <<-EOF
316 127.0.0.1 $vm_fqdn $vm
317 EOF
318 mk_reg mod= own= /etc/network/interfaces <<-EOF
319 auto lo
320 iface lo inet loopback
321
322 auto eth0=grenode
323 iface grenode inet static
324 address $vm_ipv4
325 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
326 network $vm_ipv4
327 broadcast $vm_ipv4
328 netmask 255.255.255.255
329 #mtu 1300
330 post-up ip address add $vm_ipv4/32 dev \$IFACE
331 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
332 EOF
333 }
334 rule_user_configure () {
335 mk_dir mod=750 own="root:adm" /etc/skel/etc
336 mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
337 mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
338 mk_dir mod=700 own="root:adm" /etc/skel/var
339 mk_dir mod=700 own="root:adm" /etc/skel/var/log
340 mk_dir mod=700 own="root:adm" /etc/skel/var/cache
341 mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
342 mk_dir mod=700 own="root:adm" /etc/skel/tmp
343 mk_dir mod=700 own="root:adm" /etc/skel/tmp
344 mk_lnk etc/ssh /etc/skel/.ssh
345 mk_lnk etc/gpg /etc/skel/.gnupg
346 ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
347 ( while IFS= read -r line
348 do case $line in (*" RSA") return 0; break;; esac
349 done; return 1 ) ||
350 sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
351 sudo rm -f \
352 /etc/ssh/ssh_host_dsa_key \
353 /etc/ssh/ssh_host_dsa_key.pub \
354 /etc/ssh/ssh_host_ecdsa_key \
355 /etc/ssh/ssh_host_ecdsa_key.pub
356 # NOTE: clefs générées par Debian
357 mk_reg mod=664 own=root:root /etc/ssh/sshd_config <<-EOF
358 Port 22
359 ListenAddress $vm_ipv4
360 #ListenAddress ::
361 Protocol 2
362 Compression yes
363 HostKey /etc/ssh/ssh_host_rsa_key
364 UsePrivilegeSeparation yes
365 KeyRegenerationInterval 3600
366 ServerKeyBits 768
367 SyslogFacility AUTH
368 LogLevel INFO
369 LoginGraceTime 120
370 PermitRootLogin yes
371 StrictModes yes
372 RSAAuthentication yes
373 PubkeyAuthentication yes
374 AuthorizedKeysFile %h/etc/ssh/authorized_keys
375 IgnoreRhosts yes
376 RhostsRSAAuthentication no
377 HostbasedAuthentication no
378 IgnoreUserKnownHosts no
379 PermitEmptyPasswords no
380 ChallengeResponseAuthentication no
381 PasswordAuthentication no
382 KerberosAuthentication no
383 GSSAPIAuthentication no
384 X11Forwarding no
385 X11DisplayOffset 10
386 PrintMotd no
387 DebianBanner no
388 PrintLastLog yes
389 TCPKeepAlive yes
390 ClientAliveInterval 0
391 AcceptEnv LANG LC_*
392 Subsystem sftp /usr/lib/openssh/sftp-server
393 UsePAM yes
394 EOF
395 sudo service ssh restart
396 mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
397 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
398 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
399 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
400 EOF
401 mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
402 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
403 EOF
404 mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-EOF
405 Defaults env_keep = " \\
406 EDITOR \\
407 GIT_AUTHOR_NAME \\
408 GIT_AUTHOR_EMAIL \\
409 GIT_COMMITTER_NAME \\
410 GIT_COMMITTER_EMAIL \\
411 "
412 EOF
413 mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-EOF
414 #!/bin/sh
415 sudo /bin/sh -e -f -u -c \
416 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
417 EOF
418 }
419 rule_user_root_configure () {
420 mk_dir mod=750 own=root:root /root/etc
421 mk_dir mod=750 own=root:root /root/etc/ssh
422 mk_dir mod=750 own=root:root /root/etc/gpg
423 mk_lnk etc/gpg /root/.gnupg
424 mk_lnk etc/ssh /root/.ssh
425 getent group sudo |
426 while IFS=: read -r group x x users
427 do while test -n "$users" && IFS=, read -r user users <<-EOF
428 $users
429 EOF
430 do eval local home\; home="~$user"
431 cat "$home"/etc/ssh/authorized_keys
432 done
433 done |
434 mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
435 local key; local -; set +f
436 for key in "$tool"/var/pub/openpgp/*.key
437 do sudo gpg --import "$key"
438 done
439 }
440 rule_bin_configure () {
441 mk_lnk "$tool"/vm_hosted /usr/local/sbin/
442 }
443 rule_configure () {
444 rule etckeeper_configure
445 rule locale_configure
446 rule network_configure
447 rule apt_configure
448 rule filesystem_configure
449 rule login_configure
450 rule user_root_configure
451 rule boot_configure
452 rule apticron_configure
453 rule bin_configure
454 }
455
456 rule_luks_key_change () {
457 sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
458 }
459
460 rule_user_admin_configure () {
461 rule initramfs_configure
462 rule user_root_configure
463 }
464 rule_user_admin_add () { # SYNTAX: $user
465 local user=$1
466 id "$user" >/dev/null ||
467 sudo adduser --disabled-password "$user"
468 # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
469 eval local home\; home="~$user"
470 sudo adduser "$user" sudo
471 mk_reg mod=640 own=$user:$user "$home"/etc/ssh/authorized_keys \
472 <"$tool"/var/pub/ssh/"$user".key
473 local key; local -; set +f
474 for key in "$tool"/var/pub/openpgp/*.key
475 do sudo -u "$user" gpg --import "$key"
476 done
477 rule user_admin_configure
478 }
479 rule_user_mail_format () {
480 mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
481 mk_dir mod=770 own=root:adm /etc/skel/var/mail
482 mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
483 mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
484 # vim: ft=procmail
485
486 # NOTE: paramètres passés par postfix
487 SENDER=\$1
488 RECIPIENT=\$2
489 USER=\$3
490 EXTENSION=\$4
491 DOMAIN=\$5
492 ORIGINAL_RECIPIENT=\$6
493
494 PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
495 MAILDIR="\$HOME/var/mail/"
496 DEFAULT="\$MAILDIR"
497 #LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
498 LOGFILE="/dev/null"
499 LOGABSTRACT=all
500 LOGABSTRACT
501 VERBOSE
502 SHELL=/bin/sh
503 SHELLMETAS=&|<>~;?*%{}
504
505 # DESCRIPTION: supprime les doublons en fonction du champ Message-Id
506 #:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
507 #| formail -D 8192 "\$HOME/var/cache/procmail/msgid"
508
509 # DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
510 EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
511 # NOTE: récupère l’adresse courriel dans le champ GECOS
512 FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
513 # NOTE: récupère l’expéditeur inscrit sur l’enveloppe
514 :0
515 | \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"
516
517 # DESCRIPTION: IMAP
518 #:0
519 #| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"
520
521 # DESCRIPTION: UUCP
522 #:0
523 #| /usr/bin/uux \
524 # -I "\$HOME/etc/uucp/uucp.cfg" \
525 # --nouucico \
526 # --notification=error \
527 # --requestor "\$USER" \
528 # - "\$USER!rmail" "(\$USER)"
529 EOF
530 mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
531 # /etc/postfix/main.cf
532 # SEE: http://postfix.traduc.org/index.php/TLS_README.html
533
534 parent_domain_matches_subdomains =
535 #debug_peer_list
536 #fast_flush_domains
537 #mynetworks
538 #permit_mx_backup_networks
539 #qmqpd_authorized_clients
540 #smtpd_access_maps
541 mydomain = $vm_domainname
542 myorigin = \$mydomain
543 myhostname = $vm_hostname.\$mydomain
544 mail_name = \$myhostname
545 mydestination =
546 $vm_hostname
547 \$myhostname
548 \$myorigin
549 mynetworks =
550 127.0.0.0/8
551 #[::1]/128
552 inet_protocols = ipv4
553 # "all" to activate IPv6
554 inet_interfaces = all
555 permit_mx_backup_networks =
556
557 alias_database =
558 hash:/etc/aliases
559 # NOTE: fichier de hash contenant une table d’alias mail.
560 # Celle-ci est éditable dans /etc/aliases, puis (indispensable)
561 # regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
562 alias_maps =
563 hash:/etc/aliases
564 recipient_delimiter = +
565 # NOTE: séparateur entre le nom d’utilisateur
566 # et les extensions d’adresse (par défaut le signe +).
567 #virtual_alias_domains =
568 virtual_alias_maps =
569 hash:/etc/postfix/\$mydomain/virtual
570 # NOTE: do not specify virtual alias domain names in the main.cf
571 # mydestination or relay_domains configuration parameters.
572 #
573 # With a virtual alias domain, the Postfix SMTP server
574 # accepts mail for known-user@virtual-alias.domain, and
575 # rejects mail for unknown-user@virtual-alias.domain as
576 # undeliverable.
577 #relayhost =
578 relay_clientcerts =
579 hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
580 relay_domains =
581 \$mydestination
582 # NOTE: ajouter les domaines pour lesquels on est backup MX ici,
583 # pas dans mydestination ou virtual_alias...
584
585 maximal_queue_lifetime = 5d
586
587 header_checks =
588 regexp:/etc/postfix/\$mydomain/header_checks
589 mime_header_checks =
590 nested_header_checks =
591 milter_header_checks =
592 body_checks =
593
594 #content_filter = amavisfeed:[127.0.0.1]:10024
595 #receive_override_options = no_address_mappings
596 # no_unknown_recipient_checks
597 # Do not try to reject unknown recipients (SMTP server only).
598 # This is typically specified AFTER an external content filter.
599 # no_address_mappings
600 # Disable canonical address mapping, virtual alias map expansion,
601 # address masquerading, and automatic BCC (blind carbon-copy) recipients.
602 # This is typically specified BEFORE an external content filter (eg. amavis).
603 # no_header_body_checks
604 # Disable header/body_checks. This is typically specified AFTER an external content filter.
605 # no_milters
606 # Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
607 #local_header_rewrite_clients =
608 transport_maps =
609 hash:/etc/postfix/\$mydomain/transport_maps
610 mailbox_command =
611 /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
612 mailbox_size_limit = 0
613 biff = no
614 # Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
615 append_dot_mydomain = no
616 # appending .domain is the MUA's job.
617
618 #tls_random_source =
619 # dev:/dev/urandom
620 # Non-blocking
621 #tls_random_reseed_period = 3600s
622 #tls_random_exchange_name =
623 # \${data_directory}/prng_exch
624 # NOTE: à ne pas mettre dans la cage chroot
625 #tls_random_bytes = 32
626 #tls_random_prng_update_period = 3600s
627 #tls_high_cipherlist = AES256-SHA
628 # NOTE: postconf(5) déconseille de changer ceci
629
630 #smtp_cname_overrides_servername = no
631 smtp_connect_timeout = 60s
632 #smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
633 #smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
634 #smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
635 #smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
636 #smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
637 # NOTE: déprécié en faveur de smtp_tls_policy_maps
638 smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
639 smtp_tls_fingerprint_digest = sha1
640 smtp_tls_scert_verifydepth = 5
641 #smtp_tls_secure_cert_match = nexthop, dot-nexthop
642 #smtp_tls_verify_cert_match = hostname
643 #smtp_tls_note_starttls_offer = yes
644 smtp_tls_loglevel = 1
645 smtp_tls_protocols = !SSLv2, !SSLv3
646 # Only allow TLSv*
647 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
648 #smtp_tls_session_cache_timeout = 3600s
649 smtp_tls_security_level = may
650 smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
651 smtp_body_checks =
652 smtp_mime_header_checks =
653 smtp_nested_header_checks =
654
655 smtpd_starttls_timeout = 300s
656 smtpd_banner =
657 \$myhostname ESMTP \$mail_name (Debian/GNU)
658
659 # Restrictions
660 smtpd_helo_required = yes
661 strict_rfc821_envelopes = yes
662 smtpd_authorized_xclient_hosts = 127.0.0.1
663 # NOTE: utile pour tester les restrictions
664
665 smtpd_helo_restrictions =
666 reject_invalid_helo_hostname
667 reject_non_fqdn_helo_hostname
668 #reject_unknown_helo_hostname
669 # NOTE: pourrait pourtant être utile pour lutter contre le spam
670 permit
671
672 smtpd_sender_restrictions =
673 permit_mynetworks
674 permit_tls_clientcerts
675 permit_sasl_authenticated
676 check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
677 check_sender_access hash:/etc/postfix/sender_blacklist
678 reject_unauth_pipelining
679 reject_non_fqdn_sender
680 #reject_unknown_sender_domain
681 # NOTE: temporaire
682 permit
683
684 smtpd_client_new_tls_session_rate_limit = 0
685 smtpd_client_event_limit_exceptions = \$mynetworks
686 smtpd_client_recipient_rate_limit = 0
687 smtpd_client_connection_count_limit = 50
688 smtpd_client_connection_rate_limit = 0
689 smtpd_client_message_rate_limit = 0
690 smtpd_client_port_logging = no
691
692 smtpd_client_restrictions =
693 check_client_access hash:/etc/postfix/client_blacklist
694
695 policy_time_limit = 3600
696 default_extra_recipient_limit = 5000
697 duplicate_filter_limit = 5000
698 smtpd_recipient_limit = 5000
699 smtpd_recipient_overshoot_limit = 5000
700 smtpd_recipient_restrictions =
701 reject_non_fqdn_recipient
702 #reject_invalid_hostname
703 # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
704 # dans smtpd_helo_restrictions
705 reject_unknown_recipient_domain
706 #reject_non_fqdn_sender
707 # NOTE: dans smtpd_sender_restrictions
708 reject_unauth_pipelining
709 # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
710 permit_mynetworks
711 permit_tls_clientcerts
712 permit_sasl_authenticated
713 reject_unauth_destination
714 # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
715 # ou quelqu'un pour lequel on tient lieu de backup_mx
716 check_policy_service inet:127.0.0.1:10023
717 # NOTE: Postgrey (greylisting)
718 check_policy_service unix:private/spfcheck
719 permit_auth_destination
720 # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
721 # (voir permit_auth_destination) ; sans doute redondant
722 reject
723 #check_relay_domains <- removed from postfix
724 #reject_unknown_sender_domain
725 # aurait probablement été mieux dans smtpd_sender_restrictions
726 #reject_rbl_client bl.spamcop.net
727 #reject_rbl_client list.dsbl.org
728 #reject_rbl_client zen.spamhaus.org
729 #reject_rbl_client dnsbl.sorbs.net
730
731 smtpd_data_restrictions =
732 reject_unauth_pipelining
733 # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
734 permit
735
736 #smtpd_end_of_data_restrictions =
737
738 #smtpd_restriction_classes =
739
740 smtpd_error_sleep_time = 5
741 # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.
742
743 # SASL
744 smtpd_sasl_auth_enable = yes
745 smtpd_sasl_type = dovecot
746 smtpd_sasl_path = private/auth
747 smtpd_sasl_security_options = noanonymous
748 smtpd_sasl_domain = \$mydomain
749
750 # SMTPD TLS
751 smtpd_discard_ehlo_keywords = starttls
752 # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
753 # se mangent une erreur en tentant un starttls
754 smtpd_tls_fingerprint_digest = sha1
755 # sha512 ?
756 smtpd_tls_mandatory_protocols = TLSv1
757 smtpd_tls_mandatory_ciphers = high
758 smtpd_tls_ciphers = high
759 # restrictif. s/high/medium/ ?
760 smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
761 smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
762 smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
763 smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
764 ##
765 #smtpd_tls_received_header = no
766 smtpd_tls_session_cache_database =
767 btree:/var/lib/postfix/smtpd_tls_session_cache
768 #smtpd_tls_session_cache_timeout = 3600s
769 smtpd_tls_security_level = may
770 # Postfix 2.3 and later
771 # encrypt
772 # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
773 # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
774 # SMTP server. Instead, this option should be used only on dedicated servers.
775 smtpd_tls_loglevel = 1
776 smtpd_tls_ccert_verifydepth = 5
777 smtpd_tls_auth_only = yes
778 # Pas d'AUTH SASL sans TLS
779 smtpd_tls_ask_ccert = no
780 smtpd_tls_req_ccert = no
781 #smtpd_tls_always_issue_session_ids = yes
782 smtpd_peername_lookup = yes
783 # Nécessaire pour postgrey, etc
784 smtpd_milters =
785 non_smtpd_milters =
786 line_length_limit = 2048
787 queue_minfree = 0
788 message_size_limit = 20480000
789 #smtpd_enforce_tls # NOTE: obsolète
790 #smtpd_use_tls # NOTE: obsolète
791 #smtpd_tls_cipherlist # NOTE: obsolète
792
793 readme_directory = no
794 #delay_warning_time = 4h
795 # NOTE: uncomment the previous line to generate "delayed mail" warnings
796 #debug_peer_level = 4
797 #debug_peer_list = .\$myhostname
798 EOF
799 mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
800 auth_ssl_username_from_cert = yes
801 listen = *
802 log_timestamp = "%Y-%m-%d %H:%M:%S "
803 mail_debug = yes
804 mail_location = maildir:~/var/mail
805 mail_privileged_group = mail
806 passdb {
807 args = /home/%u/etc/dovecot/passwd
808 driver = passwd-file
809 }
810 protocols = imap
811 service auth {
812 unix_listener /var/spool/postfix/private/auth {
813 group = postfix
814 mode = 0660
815 user = postfix
816 }
817 user = root
818 }
819 ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
820 ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
821 ssl_cipher_list = AES256-SHA
822 ssl_key = </etc/dovecot/imap/tls/key.pem
823 ssl_verify_client_cert = yes
824 userdb {
825 driver = passwd
826 }
827 verbose_ssl = yes
828 protocol lda {
829 auth_socket_path = /var/run/dovecot/auth-master
830 hostname = $vm_domainname
831 info_log_path = /var/log/dovecot/lda/info.log
832 log_path = /var/log/dovecot/lda/error.log
833 mail_plugins = sieve
834 postmaster_address = contact+dovecot+lda@$vm_domainname
835 }
836 EOF
837 mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
838 EOF
839 }
840 rule_mail_configure () {
841 sudo apt-get install postfix postgrey dovecot
842 }
843
844 rule=${1:-help}
845 ${1+shift}
846 case $rule in
847 (help);;
848 (*)
849 assert 'test "$(hostname --fqdn)" = "$vm_fqdn"' vm_fqdn
850 ;;
851 esac
852 rule $rule "$@"
outils d'administration d'ateliers.heureux-cyclage.org