dépôts / lhc / ateliers.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Correction : gpg --import .
[lhc/ateliers.git] / vm_hosted
1 #!/bin/sh
2 set -e -f ${DRY_RUN:+-n} -u
3 tool=${0%/*}
4 . "$tool"/lib/functions.sh
5 . "$tool"/etc/vm.sh
6
7 rule_help () {
8 cat >&2 <<-EOF
9 DESCRIPTION: ce script regroupe des fonctions utilitaires
10 pour gérer la VM _depuis_ la VM hébergée ;
11 il sert à la fois d'outil et de documentation.
12 Voir \`$tool/vm_host' pour les utilitaires côté machine hôte.
13 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
14 RULES:
15 $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/vm.sh "$0")
16 ENVIRONMENT:
17 TRACE # affiche les commandes avant leur exécution
18 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/vm.sh "$0")
19 EOF
20 }
21
22 rule_git_reset () {
23 (
24 cd "$tool"
25 git checkout -f -B master origin
26 git clean -f -d -x
27 )
28 }
29
30 rule_chrooted () {
31 export LANG=C
32 export LC_CTYPE=C
33 . /etc/profile
34 }
35
36 rule__etckeeper_init () {
37 mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF
38 VCS=git
39 GIT_COMMIT_OPTIONS=""
40 AVOID_DAILY_AUTOCOMMITS=1
41 #AVOID_SPECIAL_FILE_WARNING=1
42 AVOID_COMMIT_BEFORE_INSTALL=1
43 HIGHLEVEL_PACKAGE_MANAGER=apt
44 LOWLEVEL_PACKAGE_MANAGER=dpkg
45 EOF
46 }
47 rule__locale_init () {
48 mk_reg mod=644 own=root:root /etc/locale.gen <<-EOF
49 fr_FR.UTF-8 UTF-8
50 EOF
51 sudo update-locale
52 }
53 rule__network_init () {
54 mk_reg mod= own= /etc/hostname <<-EOF
55 $vm
56 EOF
57 grep -q " $vm\$" /etc/hosts ||
58 mk_reg mod= own= --append /etc/hosts <<-EOF
59 127.0.0.1 $vm_fqdn $vm
60 EOF
61 mk_reg mod= own= /etc/network/interfaces <<-EOF
62 auto lo
63 iface lo inet loopback
64
65 auto eth0=grenode
66 iface grenode inet static
67 address $vm_ipv4
68 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
69 network $vm_ipv4
70 broadcast $vm_ipv4
71 netmask 255.255.255.255
72 #mtu 1300
73 post-up ip address add $vm_ipv4/32 dev \$IFACE
74 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
75 EOF
76 }
77 rule__apt_init () {
78 mk_reg mod= own= /etc/apt/sources.list <<-EOF
79 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
80 EOF
81 mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
82 #deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
83 EOF
84 mk_reg mod= own= /etc/apt/preferences <<-EOF
85 Package: *
86 Pin: release a=$vm_lsb_name
87 Pin-Priority: 170
88
89 Package: *
90 Pin: release a=$vm_lsb_name-backports
91 Pin-Priority: 200
92 EOF
93 mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
94 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
95 EOF
96 }
97 rule__filesystem_init () {
98 mk_reg mod=644 own=root:root /etc/fstab <<-EOF
99 # <file system> <mount point> <type> <options> <dump> <pass>
100 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
101 proc /proc proc defaults 0 0
102 sysfs /sys sysfs defaults 0 0
103 tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
104 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
105 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
106 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
107 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
108 EOF
109 mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
110 # <target name> <source device> <key file> <options>
111 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
112 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
113 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
114 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
115 EOF
116 mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
117 vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
118 vm.vfs_cache_pressure=50
119 EOF
120 }
121 rule__login_init () {
122 grep -q hvc0 /etc/securetty ||
123 mk_reg mod= own= --append /etc/securetty <<-EOF
124 hvc0
125 EOF
126 grep -q xvc0 /etc/securetty ||
127 mk_reg mod= own= --append /etc/securetty <<-EOF
128 xvc0
129 EOF
130 mk_reg mod=644 own=root:root /etc/inittab <<-EOF
131 # /etc/inittab: init(8) configuration.
132
133 # The default runlevel.
134 id:2:initdefault:
135
136 # Boot-time system configuration/initialization script.
137 # This is run first except when booting in emergency (-b) mode.
138 si::sysinit:/etc/init.d/rcS
139
140 # What to do in single-user mode.
141 ~~:S:wait:/sbin/sulogin
142
143 # /etc/init.d executes the S and K scripts upon change
144 # of runlevel.
145 #
146 # Runlevel 0 is halt.
147 # Runlevel 1 is single-user.
148 # Runlevels 2-5 are multi-user.
149 # Runlevel 6 is reboot.
150
151 l0:0:wait:/etc/init.d/rc 0
152 l1:1:wait:/etc/init.d/rc 1
153 l2:2:wait:/etc/init.d/rc 2
154 l3:3:wait:/etc/init.d/rc 3
155 l4:4:wait:/etc/init.d/rc 4
156 l5:5:wait:/etc/init.d/rc 5
157 l6:6:wait:/etc/init.d/rc 6
158 # Normally not reached, but fallthrough in case of emergency.
159 z6:6:respawn:/sbin/sulogin
160
161 # What to do when CTRL-ALT-DEL is pressed.
162 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
163
164 # What to do when the power fails/returns.
165 pf::powerwait:/etc/init.d/powerfail start
166 pn::powerfailnow:/etc/init.d/powerfail now
167 po::powerokwait:/etc/init.d/powerfail stop
168
169 # Xen hypervisor console
170 hvc:2345:respawn:/sbin/getty 38400 hvc0
171 #xvc:2345:respawn:/sbin/getty 38400 xvc0
172 EOF
173 mk_reg mod=644 own=root:root /etc/login.defs <<-EOF
174 MAIL_DIR /var/mail
175 FAILLOG_ENAB yes
176 LOG_UNKFAIL_ENAB no
177 LOG_OK_LOGINS no
178 SYSLOG_SU_ENAB yes
179 SYSLOG_SG_ENAB yes
180 FTMP_FILE /var/log/btmp
181 SU_NAME su
182 HUSHLOGIN_FILE .hushlogin
183 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
184 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
185 # NOTE: met les sbin/ dans ENV_PATH ;
186 # - ça n'apporte aucune protection de ne pas les mettre ;
187 # - ça frustre de ne pas les trouver.
188 TTYGROUP tty
189 TTYPERM 0600
190 ERASECHAR 0177
191 KILLCHAR 025
192 UMASK 007
193 # NOTE: rwxrwx--- ;
194 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
195 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
196 PASS_MAX_DAYS 99999
197 PASS_MIN_DAYS 0
198 PASS_WARN_AGE 7
199 UID_MIN 1000
200 UID_MAX 60000
201 GID_MIN 1000
202 GID_MAX 60000
203 LOGIN_RETRIES 3
204 LOGIN_TIMEOUT 60
205 CHFN_RESTRICT rwh
206 DEFAULT_HOME yes
207 USERGROUPS_ENAB yes
208 ENCRYPT_METHOD SHA512
209 EOF
210 grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
211 mk_reg mod= own= --append /etc/pam.d/common-session <<-EOF
212 session optional pam_umask.so
213 EOF
214 }
215 rule__user_root_init () {
216 mk_dir mod=750 own=root:root /root/etc
217 mk_dir mod=750 own=root:root /root/etc/ssh
218 mk_dir mod=750 own=root:root /root/etc/gpg
219 mk_lnk etc/gpg /root/.gnupg
220 mk_lnk etc/ssh /root/.ssh
221 getent group sudo |
222 while test -n "$users" && IFS=: read -r group x x users
223 do while IFS=, read -r user users <<-EOF
224 $users
225 EOF
226 do eval local home\; home="~$user"
227 cat "$home"/etc/ssh/authorized_keys
228 done
229 done |
230 mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
231 local key
232 for key in "$tool"/var/pub/openpgp/*.key
233 do sudo gpg --import "$key"
234 done
235 }
236 rule__initramfs_init () {
237 mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
238 MODULES=most
239 BUSYBOX=y
240 KEYMAP=y
241 COMPRESS=gzip
242 DEVICE=eth0
243 EOF
244 mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF
245 alias eth0 xennet
246 alias scsi_hostadapter xenblk
247 EOF
248 mk_reg mod=644 own=root:root /etc/modules <<-EOF
249 sha1_generic
250 sha256_generic
251 sha512_generic
252 aes-x86_64
253 xts
254 # NOTE: pour Xen en mode HVM :
255 #modprobe xen-platform-pci
256 EOF
257 mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF
258 EOF
259 sudo sed -e '/^configure_networking /s/ &$//' \
260 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
261 # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
262 sudo rm -f \
263 /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
264 /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub \
265 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
266 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
267 ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
268 ( while IFS= read -r line
269 do case $line in (*" RSA") return 0; break;; esac
270 done; return 1 ) ||
271 sudo dropbearkey -t rsa -s 4096 -f \
272 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
273 ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
274 ( while IFS= read -r line
275 do case $line in (*" DSA") return 0; break;; esac
276 done; return 1 ) ||
277 sudo dropbearkey -t dss -s 1024 -f \
278 /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
279 mk_dir mod=640 own=root:root \
280 /etc/initramfs-tools/root \
281 /etc/initramfs-tools/root/.ssh
282 getent group sudo |
283 while IFS=: read -r group x x users
284 do while test -n "$users" && IFS=, read -r user users <<-EOF
285 $users
286 EOF
287 do eval local home\; home="~$user"
288 cat "$home"/etc/ssh/authorized_keys
289 done
290 done |
291 mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
292 sudo rm -f \
293 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
294 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
295 /etc/initramfs-tools/root/.ssh/id_rsa
296 # NOTE: clefs générées par Debian
297 sudo update-initramfs -u
298 }
299 rule__boot_init () {
300 sudo apt-get install --reinstall grub-pc # XXX: attention à n'installer GRUB sur AUCUN disque proposé !
301 mk_dir mod=644 own=root:root /boot/grub
302 sudo apt-get install --reinstall linux-image-$vm_arch
303 mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
304 GRUB_DEFAULT=0
305 GRUB_TIMEOUT=5
306 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
307 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
308 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
309 GRUB_DISABLE_RECOVERY="true"
310 #GRUB_PRELOAD_MODULES="lvm"
311 EOF
312 mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF
313 (hd0) /dev/xvda
314 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
315 EOF
316 sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
317 rule__initramfs_init
318 }
319 rule_apticron_init () {
320 sudo apt-get install --reinstall apticron
321 mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
322 EMAIL="admin@heureux-cyclage.org"
323 # DIFF_ONLY="1"
324 # LISTCHANGES_PROFILE="apticron"
325 # ALL_FQDNS="1"
326 # SYSTEM="foobar.example.com"
327 # IPADDRESSNUM="1"
328 # IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
329 # NOTIFY_HOLDS="0"
330 # NOTIFY_NEW="0"
331 # NOTIFY_NO_UPDATES="0"
332 # CUSTOM_SUBJECT=""
333 # CUSTOM_NO_UPDATES_SUBJECT=""
334 # CUSTOM_FROM="root@ateliers.heureux-cyclage.org"
335 EOF
336 sudo service apticron restart
337 }
338 rule__bin_init () {
339 mk_lnk "$tool"/vm_hosted /usr/local/sbin/
340 }
341 rule_init () {
342 rule__etckeeper_init
343 rule__locale_init
344 rule__network_init
345 rule__apt_init
346 rule__filesystem_init
347 rule__login_init
348 rule__user_root_init
349 rule__boot_init
350 rule__bin_init
351 }
352
353 rule_disk_key_change () {
354 sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
355 }
356
357 rule_user_init () {
358 mk_dir mod=750 own="root:adm" /etc/skel/etc
359 mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
360 mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
361 mk_dir mod=700 own="root:adm" /etc/skel/var
362 mk_dir mod=700 own="root:adm" /etc/skel/var/log
363 mk_dir mod=700 own="root:adm" /etc/skel/var/cache
364 mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
365 mk_dir mod=700 own="root:adm" /etc/skel/tmp
366 mk_dir mod=700 own="root:adm" /etc/skel/tmp
367 mk_lnk etc/ssh /etc/skel/.ssh
368 mk_lnk etc/gpg /etc/skel/.gnupg
369 ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
370 ( while IFS= read -r line
371 do case $line in (*" RSA") return 0; break;; esac
372 done; return 1 ) ||
373 sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
374 sudo rm -f \
375 /etc/ssh/ssh_host_dsa_key \
376 /etc/ssh/ssh_host_dsa_key.pub \
377 /etc/ssh/ssh_host_ecdsa_key \
378 /etc/ssh/ssh_host_ecdsa_key.pub
379 # NOTE: clefs générées par Debian
380 mk_reg mod=664 own=root:root /etc/ssh/sshd_config <<-EOF
381 Port 22
382 ListenAddress $vm_ipv4
383 #ListenAddress ::
384 Protocol 2
385 Compression yes
386 HostKey /etc/ssh/ssh_host_rsa_key
387 UsePrivilegeSeparation yes
388 KeyRegenerationInterval 3600
389 ServerKeyBits 768
390 SyslogFacility AUTH
391 LogLevel INFO
392 LoginGraceTime 120
393 PermitRootLogin yes
394 StrictModes yes
395 RSAAuthentication yes
396 PubkeyAuthentication yes
397 AuthorizedKeysFile %h/etc/ssh/authorized_keys
398 IgnoreRhosts yes
399 RhostsRSAAuthentication no
400 HostbasedAuthentication no
401 IgnoreUserKnownHosts no
402 PermitEmptyPasswords no
403 ChallengeResponseAuthentication no
404 PasswordAuthentication no
405 KerberosAuthentication no
406 GSSAPIAuthentication no
407 X11Forwarding no
408 X11DisplayOffset 10
409 PrintMotd no
410 DebianBanner no
411 PrintLastLog yes
412 TCPKeepAlive yes
413 ClientAliveInterval 0
414 AcceptEnv LANG LC_*
415 Subsystem sftp /usr/lib/openssh/sftp-server
416 UsePAM yes
417 EOF
418 sudo service ssh restart
419 mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
420 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
421 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
422 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
423 EOF
424 mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
425 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
426 EOF
427 mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-EOF
428 Defaults env_keep = " \\
429 EDITOR \\
430 GIT_AUTHOR_NAME \\
431 GIT_AUTHOR_EMAIL \\
432 GIT_COMMITTER_NAME \\
433 GIT_COMMITTER_EMAIL \\
434 "
435 EOF
436 mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-EOF
437 #!/bin/sh
438 sudo /bin/sh -e -f -u -c \
439 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
440 EOF
441 }
442 rule_user_admin_add () { # SYNTAX: $user
443 local user=$1
444 id "$user" >/dev/null ||
445 sudo adduser --disabled-password "$user"
446 # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
447 eval local home\; home="~$user"
448 sudo adduser "$user" sudo
449 mk_reg mod=640 own=$user:$user "$home"/etc/ssh/authorized_keys \
450 <"$tool"/var/pub/ssh/"$user".key
451 rule__initramfs_init
452 rule__user_root_init
453 local key; local -; set +f
454 for key in "$tool"/var/pub/openpgp/*.key
455 do sudo -u "$user" gpg --import "$key"
456 done
457 }
458 rule_user_mail_format () {
459 mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
460 mk_dir mod=770 own=root:adm /etc/skel/var/mail
461 mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
462 mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
463 # vim: ft=procmail
464
465 # NOTE: paramètres passés par postfix
466 SENDER=\$1
467 RECIPIENT=\$2
468 USER=\$3
469 EXTENSION=\$4
470 DOMAIN=\$5
471 ORIGINAL_RECIPIENT=\$6
472
473 PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
474 MAILDIR="\$HOME/var/mail/"
475 DEFAULT="\$MAILDIR"
476 #LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
477 LOGFILE="/dev/null"
478 LOGABSTRACT=all
479 LOGABSTRACT
480 VERBOSE
481 SHELL=/bin/sh
482 SHELLMETAS=&|<>~;?*%{}
483
484 # DESCRIPTION: supprime les doublons en fonction du champ Message-Id
485 #:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
486 #| formail -D 8192 "\$HOME/var/cache/procmail/msgid"
487
488 # DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
489 EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
490 # NOTE: récupère l’adresse courriel dans le champ GECOS
491 FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
492 # NOTE: récupère l’expéditeur inscrit sur l’enveloppe
493 :0
494 | \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"
495
496 # DESCRIPTION: IMAP
497 #:0
498 #| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"
499
500 # DESCRIPTION: UUCP
501 #:0
502 #| /usr/bin/uux \
503 # -I "\$HOME/etc/uucp/uucp.cfg" \
504 # --nouucico \
505 # --notification=error \
506 # --requestor "\$USER" \
507 # - "\$USER!rmail" "(\$USER)"
508 EOF
509 mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
510 # /etc/postfix/main.cf
511 # SEE: http://postfix.traduc.org/index.php/TLS_README.html
512
513 parent_domain_matches_subdomains =
514 #debug_peer_list
515 #fast_flush_domains
516 #mynetworks
517 #permit_mx_backup_networks
518 #qmqpd_authorized_clients
519 #smtpd_access_maps
520 mydomain = $vm_domainname
521 myorigin = \$mydomain
522 myhostname = $vm_hostname.\$mydomain
523 mail_name = \$myhostname
524 mydestination =
525 $vm_hostname
526 \$myhostname
527 \$myorigin
528 mynetworks =
529 127.0.0.0/8
530 #[::1]/128
531 inet_protocols = ipv4
532 # "all" to activate IPv6
533 inet_interfaces = all
534 permit_mx_backup_networks =
535
536 alias_database =
537 hash:/etc/aliases
538 # NOTE: fichier de hash contenant une table d’alias mail.
539 # Celle-ci est éditable dans /etc/aliases, puis (indispensable)
540 # regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
541 alias_maps =
542 hash:/etc/aliases
543 recipient_delimiter = +
544 # NOTE: séparateur entre le nom d’utilisateur
545 # et les extensions d’adresse (par défaut le signe +).
546 #virtual_alias_domains =
547 virtual_alias_maps =
548 hash:/etc/postfix/\$mydomain/virtual
549 # NOTE: do not specify virtual alias domain names in the main.cf
550 # mydestination or relay_domains configuration parameters.
551 #
552 # With a virtual alias domain, the Postfix SMTP server
553 # accepts mail for known-user@virtual-alias.domain, and
554 # rejects mail for unknown-user@virtual-alias.domain as
555 # undeliverable.
556 #relayhost =
557 relay_clientcerts =
558 hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
559 relay_domains =
560 \$mydestination
561 # NOTE: ajouter les domaines pour lesquels on est backup MX ici,
562 # pas dans mydestination ou virtual_alias...
563
564 maximal_queue_lifetime = 5d
565
566 header_checks =
567 regexp:/etc/postfix/\$mydomain/header_checks
568 mime_header_checks =
569 nested_header_checks =
570 milter_header_checks =
571 body_checks =
572
573 #content_filter = amavisfeed:[127.0.0.1]:10024
574 #receive_override_options = no_address_mappings
575 # no_unknown_recipient_checks
576 # Do not try to reject unknown recipients (SMTP server only).
577 # This is typically specified AFTER an external content filter.
578 # no_address_mappings
579 # Disable canonical address mapping, virtual alias map expansion,
580 # address masquerading, and automatic BCC (blind carbon-copy) recipients.
581 # This is typically specified BEFORE an external content filter (eg. amavis).
582 # no_header_body_checks
583 # Disable header/body_checks. This is typically specified AFTER an external content filter.
584 # no_milters
585 # Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
586 #local_header_rewrite_clients =
587 transport_maps =
588 hash:/etc/postfix/\$mydomain/transport_maps
589 mailbox_command =
590 /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
591 mailbox_size_limit = 0
592 biff = no
593 # Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
594 append_dot_mydomain = no
595 # appending .domain is the MUA's job.
596
597 #tls_random_source =
598 # dev:/dev/urandom
599 # Non-blocking
600 #tls_random_reseed_period = 3600s
601 #tls_random_exchange_name =
602 # \${data_directory}/prng_exch
603 # NOTE: à ne pas mettre dans la cage chroot
604 #tls_random_bytes = 32
605 #tls_random_prng_update_period = 3600s
606 #tls_high_cipherlist = AES256-SHA
607 # NOTE: postconf(5) déconseille de changer ceci
608
609 #smtp_cname_overrides_servername = no
610 smtp_connect_timeout = 60s
611 #smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
612 #smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
613 #smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
614 #smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
615 #smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
616 # NOTE: déprécié en faveur de smtp_tls_policy_maps
617 smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
618 smtp_tls_fingerprint_digest = sha1
619 smtp_tls_scert_verifydepth = 5
620 #smtp_tls_secure_cert_match = nexthop, dot-nexthop
621 #smtp_tls_verify_cert_match = hostname
622 #smtp_tls_note_starttls_offer = yes
623 smtp_tls_loglevel = 1
624 smtp_tls_protocols = !SSLv2, !SSLv3
625 # Only allow TLSv*
626 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
627 #smtp_tls_session_cache_timeout = 3600s
628 smtp_tls_security_level = may
629 smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
630 smtp_body_checks =
631 smtp_mime_header_checks =
632 smtp_nested_header_checks =
633
634 smtpd_starttls_timeout = 300s
635 smtpd_banner =
636 \$myhostname ESMTP \$mail_name (Debian/GNU)
637
638 # Restrictions
639 smtpd_helo_required = yes
640 strict_rfc821_envelopes = yes
641 smtpd_authorized_xclient_hosts = 127.0.0.1
642 # NOTE: utile pour tester les restrictions
643
644 smtpd_helo_restrictions =
645 reject_invalid_helo_hostname
646 reject_non_fqdn_helo_hostname
647 #reject_unknown_helo_hostname
648 # NOTE: pourrait pourtant être utile pour lutter contre le spam
649 permit
650
651 smtpd_sender_restrictions =
652 permit_mynetworks
653 permit_tls_clientcerts
654 permit_sasl_authenticated
655 check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
656 check_sender_access hash:/etc/postfix/sender_blacklist
657 reject_unauth_pipelining
658 reject_non_fqdn_sender
659 #reject_unknown_sender_domain
660 # NOTE: temporaire
661 permit
662
663 smtpd_client_new_tls_session_rate_limit = 0
664 smtpd_client_event_limit_exceptions = \$mynetworks
665 smtpd_client_recipient_rate_limit = 0
666 smtpd_client_connection_count_limit = 50
667 smtpd_client_connection_rate_limit = 0
668 smtpd_client_message_rate_limit = 0
669 smtpd_client_port_logging = no
670
671 smtpd_client_restrictions =
672 check_client_access hash:/etc/postfix/client_blacklist
673
674 policy_time_limit = 3600
675 default_extra_recipient_limit = 5000
676 duplicate_filter_limit = 5000
677 smtpd_recipient_limit = 5000
678 smtpd_recipient_overshoot_limit = 5000
679 smtpd_recipient_restrictions =
680 reject_non_fqdn_recipient
681 #reject_invalid_hostname
682 # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
683 # dans smtpd_helo_restrictions
684 reject_unknown_recipient_domain
685 #reject_non_fqdn_sender
686 # NOTE: dans smtpd_sender_restrictions
687 reject_unauth_pipelining
688 # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
689 permit_mynetworks
690 permit_tls_clientcerts
691 permit_sasl_authenticated
692 reject_unauth_destination
693 # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
694 # ou quelqu'un pour lequel on tient lieu de backup_mx
695 check_policy_service inet:127.0.0.1:10023
696 # NOTE: Postgrey (greylisting)
697 check_policy_service unix:private/spfcheck
698 permit_auth_destination
699 # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
700 # (voir permit_auth_destination) ; sans doute redondant
701 reject
702 #check_relay_domains <- removed from postfix
703 #reject_unknown_sender_domain
704 # aurait probablement été mieux dans smtpd_sender_restrictions
705 #reject_rbl_client bl.spamcop.net
706 #reject_rbl_client list.dsbl.org
707 #reject_rbl_client zen.spamhaus.org
708 #reject_rbl_client dnsbl.sorbs.net
709
710 smtpd_data_restrictions =
711 reject_unauth_pipelining
712 # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
713 permit
714
715 #smtpd_end_of_data_restrictions =
716
717 #smtpd_restriction_classes =
718
719 smtpd_error_sleep_time = 5
720 # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.
721
722 # SASL
723 smtpd_sasl_auth_enable = yes
724 smtpd_sasl_type = dovecot
725 smtpd_sasl_path = private/auth
726 smtpd_sasl_security_options = noanonymous
727 smtpd_sasl_domain = \$mydomain
728
729 # SMTPD TLS
730 smtpd_discard_ehlo_keywords = starttls
731 # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
732 # se mangent une erreur en tentant un starttls
733 smtpd_tls_fingerprint_digest = sha1
734 # sha512 ?
735 smtpd_tls_mandatory_protocols = TLSv1
736 smtpd_tls_mandatory_ciphers = high
737 smtpd_tls_ciphers = high
738 # restrictif. s/high/medium/ ?
739 smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
740 smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
741 smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
742 smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
743 ##
744 #smtpd_tls_received_header = no
745 smtpd_tls_session_cache_database =
746 btree:/var/lib/postfix/smtpd_tls_session_cache
747 #smtpd_tls_session_cache_timeout = 3600s
748 smtpd_tls_security_level = may
749 # Postfix 2.3 and later
750 # encrypt
751 # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
752 # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
753 # SMTP server. Instead, this option should be used only on dedicated servers.
754 smtpd_tls_loglevel = 1
755 smtpd_tls_ccert_verifydepth = 5
756 smtpd_tls_auth_only = yes
757 # Pas d'AUTH SASL sans TLS
758 smtpd_tls_ask_ccert = no
759 smtpd_tls_req_ccert = no
760 #smtpd_tls_always_issue_session_ids = yes
761 smtpd_peername_lookup = yes
762 # Nécessaire pour postgrey, etc
763 smtpd_milters =
764 non_smtpd_milters =
765 line_length_limit = 2048
766 queue_minfree = 0
767 message_size_limit = 20480000
768 #smtpd_enforce_tls # NOTE: obsolète
769 #smtpd_use_tls # NOTE: obsolète
770 #smtpd_tls_cipherlist # NOTE: obsolète
771
772 readme_directory = no
773 #delay_warning_time = 4h
774 # NOTE: uncomment the previous line to generate "delayed mail" warnings
775 #debug_peer_level = 4
776 #debug_peer_list = .\$myhostname
777 EOF
778 mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
779 auth_ssl_username_from_cert = yes
780 listen = *
781 log_timestamp = "%Y-%m-%d %H:%M:%S "
782 mail_debug = yes
783 mail_location = maildir:~/var/mail
784 mail_privileged_group = mail
785 passdb {
786 args = /home/%u/etc/dovecot/passwd
787 driver = passwd-file
788 }
789 protocols = imap
790 service auth {
791 unix_listener /var/spool/postfix/private/auth {
792 group = postfix
793 mode = 0660
794 user = postfix
795 }
796 user = root
797 }
798 ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
799 ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
800 ssl_cipher_list = AES256-SHA
801 ssl_key = </etc/dovecot/imap/tls/key.pem
802 ssl_verify_client_cert = yes
803 userdb {
804 driver = passwd
805 }
806 verbose_ssl = yes
807 protocol lda {
808 auth_socket_path = /var/run/dovecot/auth-master
809 hostname = $vm_domainname
810 info_log_path = /var/log/dovecot/lda/info.log
811 log_path = /var/log/dovecot/lda/error.log
812 mail_plugins = sieve
813 postmaster_address = contact+dovecot+lda@$vm_domainname
814 }
815 EOF
816 mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
817 EOF
818 }
819 rule_mail_install () {
820 sudo apt-get install postfix postgrey dovecot
821 }
822
823 rule=${1:-help}
824 ${1+shift}
825 case $rule in
826 (help);;
827 (*)
828 test "$(hostname --fqdn)" = "$vm_fqdn"
829 ${TRACE:+set -x}
830 ;;
831 esac
832 rule_$rule "$@"
outils d'administration d'ateliers.heureux-cyclage.org