#!/bin/sh
# vm_hosted: helper rules run from *inside* the hosted VM. Every rule_*
# function below is one sub-command; see rule_help for the usage text.
# -e: abort on the first failing command, -f: no pathname globbing,
# -u: an unset variable is an error. Setting DRY_RUN (to anything) adds -n,
# i.e. the shell only parses the rest of this file and executes nothing
# (not even the two sourcing lines below).
set -e -f ${DRY_RUN:+-n} -u
# Directory holding this script, taken from $0 without resolving symlinks.
# NOTE(review): if $0 contains no slash, tool=$0 and the sourcing fails;
# rule__bin_init links this file into /usr/local/sbin, so confirm the lib/
# and etc/ lookups still resolve when the script is run through that link.
tool=${0%/*}
# Presumably provides mk_reg/mk_dir/mk_lnk and the vm_* settings — verify.
. "$tool"/lib/functions.sh
. "$tool"/etc/vm.sh
6
# Print the usage text to stderr. The RULES section is generated by scanning
# "$tool"/vm.sh and this file for lines of the form `rule_NAME () {`; a trailing
# `# comment` on such a line is printed next to the name (that is how
# `# SYNTAX: $user` on rule_user_admin_add becomes its documentation). Names
# whose first character is `_` (internal steps such as rule__apt_init) are
# excluded by the [^_] in the pattern. The ENVIRONMENT section likewise lists
# `readonly NAME=${...}` lines with their trailing comment.
# NOTE(review): the scan reads "$tool"/vm.sh while the header sources
# "$tool"/etc/vm.sh — confirm both files exist; a missing one only makes sed
# print an error and the list is then built from the remaining file.
rule_help () {
cat >&2 <<-EOF
DESCRIPTION: ce script regroupe des fonctions utilitaires
pour gérer la VM _depuis_ la VM hébergée ;
il sert à la fois d'outil et de documentation.
Voir \`$tool/vm_host' pour les utilitaires côté machine hôte.
SYNTAX: $0 \$RULE \${RULE}_SYNTAX
RULES:
$(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/vm.sh "$0")
ENVIRONMENT:
TRACE # affiche les commandes avant leur exécution
$(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/vm.sh "$0")
EOF
}
21
# Reset the tool checkout in "$tool" to the `origin` ref and remove every
# untracked and ignored file. Destructive: local edits and untracked files
# under "$tool" are lost. Runs in a subshell so the caller's cwd is kept.
rule_git_reset () {
	(
		cd "$tool" &&
		git checkout -f -B master origin &&
		git clean -f -d -x
	)
}
29
# Prepare the environment of a shell running inside the chroot: force the C
# locale for LANG and LC_CTYPE, then load /etc/profile into this shell.
rule_chrooted () {
	LANG=C
	LC_CTYPE=C
	export LANG LC_CTYPE
	. /etc/profile
}
35
# Write /etc/etckeeper/etckeeper.conf: /etc is tracked with git, the daily
# autocommit and the commit-before-apt-install hooks are disabled, and apt/dpkg
# are declared as the package managers (the keys are etckeeper's own; values
# are written verbatim from the here-document).
rule__etckeeper_init () {
mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF
VCS=git
GIT_COMMIT_OPTIONS=""
AVOID_DAILY_AUTOCOMMITS=1
#AVOID_SPECIAL_FILE_WARNING=1
AVOID_COMMIT_BEFORE_INSTALL=1
HIGHLEVEL_PACKAGE_MANAGER=apt
LOWLEVEL_PACKAGE_MANAGER=dpkg
EOF
}
# Write /etc/locale.gen with the single fr_FR.UTF-8 locale and run
# update-locale. NOTE(review): locale-gen is not run here, so the listed
# locale is not (re)generated by this rule alone — confirm where that happens.
rule__locale_init () {
mk_reg mod=644 own=root:root /etc/locale.gen <<-EOF
fr_FR.UTF-8 UTF-8
EOF
sudo update-locale
}
# Configure the VM's identity and network: /etc/hostname ($vm), a
# "127.0.0.1 $vm_fqdn $vm" line appended to /etc/hosts unless a line already
# ends with " $vm", and /etc/network/interfaces with a static /32 on eth0
# (renamed grenode) where address, gateway, network and broadcast are all
# $vm_ipv4 — this relies on proxy_arp on the gateway, as the embedded NOTE says.
# `mod= own=` pass empty mode/owner to mk_reg (presumably "keep defaults").
rule__network_init () {
mk_reg mod= own= /etc/hostname <<-EOF
$vm
EOF
# $vm is interpolated unescaped into the grep regex; fine for a plain hostname.
grep -q " $vm\$" /etc/hosts ||
mk_reg mod= own= --append /etc/hosts <<-EOF
127.0.0.1 $vm_fqdn $vm
EOF
# \$IFACE is escaped so that ifupdown, not this shell, expands it.
# NOTE(review): the trailing `# NOTE:` on the gateway line is written into the
# file; confirm ifupdown ignores trailing comments, otherwise it becomes part
# of the gateway value.
mk_reg mod= own= /etc/network/interfaces <<-EOF
auto lo
iface lo inet loopback

auto eth0=grenode
iface grenode inet static
address $vm_ipv4
gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
network $vm_ipv4
broadcast $vm_ipv4
netmask 255.255.255.255
#mtu 1300
post-up ip address add $vm_ipv4/32 dev \$IFACE
pre-down ip address delete $vm_ipv4/32 dev \$IFACE
EOF
}
# Configure apt: the Debian suite $vm_lsb_name (main, contrib, non-free), a
# backports source written commented out (inert until uncommented), pinning
# that prefers backports (priority 200) over the base suite (170) — higher
# wins — and a third-party OpenERP nightly repository.
# NOTE(review): the sources use plain http; apt still verifies the Release
# signature, but the third-party repository is only as trustworthy as the
# signing key installed for it, which this rule does not handle — confirm.
rule__apt_init () {
mk_reg mod= own= /etc/apt/sources.list <<-EOF
deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
EOF
mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
#deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
EOF
mk_reg mod= own= /etc/apt/preferences <<-EOF
Package: *
Pin: release a=$vm_lsb_name
Pin-Priority: 170

Package: *
Pin: release a=$vm_lsb_name-backports
Pin-Priority: 200
EOF
mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
deb http://nightly.openerp.com/trunk/nightly/deb/ ./
EOF
}
# Write /etc/fstab, /etc/crypttab and a sysctl snippet for the encrypted LVM
# layout: /boot is a plain ext2 volume found by label, / /var /home and swap
# are LUKS volumes opened as ${vm_lvm_lv}_*_deciphered. Only the root volume
# takes a passphrase ("none" key); var, home and swap are unlocked by the
# decrypt_derived keyscript from the already-open root mapping, so a single
# prompt opens everything. /tmp is a tmpfs with nosuid,nodev.
# NOTE(review): the mapper names declared here are what other rules must use
# (rule__boot_init's resume= must name ${vm_lvm_lv}_swap_deciphered).
# NOTE(review): both / and /var have fsck pass 1; pass 1 is conventionally the
# root filesystem only, /var would usually be 2.
rule__filesystem_init () {
mk_reg mod=644 own=root:root /etc/fstab <<-EOF
# <file system> <mount point> <type> <options> <dump> <pass>
LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
/dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
/dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
/dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
/dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
EOF
mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
# <target name> <source device> <key file> <options>
${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
# NOTE(review): the trailing `# NOTE:` on the vm.swappiness line is written
# into the file; confirm sysctl accepts a trailing comment there, otherwise
# the value "10 # NOTE: ..." is rejected by the kernel.
mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
vm.vfs_cache_pressure=50
EOF
}
# Configure console logins and account policy: allow root logins on the Xen
# consoles hvc0/xvc0 (appended to /etc/securetty if absent), a sysvinit
# /etc/inittab spawning a getty on hvc0, /etc/login.defs (sbin in every
# user's PATH, UMASK 007 so the owning group is trusted like the owner — see
# the embedded NOTE — SHA512 password hashes, 3 login retries, no password
# expiry), and pam_umask appended to common-session when missing so that the
# login.defs UMASK also applies to PAM sessions (presumably; verify).
rule__login_init () {
grep -q hvc0 /etc/securetty ||
mk_reg mod= own= --append /etc/securetty <<-EOF
hvc0
EOF
grep -q xvc0 /etc/securetty ||
mk_reg mod= own= --append /etc/securetty <<-EOF
xvc0
EOF
# inittab content is Debian's stock sysvinit layout plus the hvc0 getty.
mk_reg mod=644 own=root:root /etc/inittab <<-EOF
# /etc/inittab: init(8) configuration.

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop

# Xen hypervisor console
hvc:2345:respawn:/sbin/getty 38400 hvc0
#xvc:2345:respawn:/sbin/getty 38400 xvc0
EOF
mk_reg mod=644 own=root:root /etc/login.defs <<-EOF
MAIL_DIR /var/mail
FAILLOG_ENAB yes
LOG_UNKFAIL_ENAB no
LOG_OK_LOGINS no
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
FTMP_FILE /var/log/btmp
SU_NAME su
HUSHLOGIN_FILE .hushlogin
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# NOTE: met les sbin/ dans ENV_PATH ;
# - ça n'apporte aucune protection de ne pas les mettre ;
# - ça frustre de ne pas les trouver.
TTYGROUP tty
TTYPERM 0600
ERASECHAR 0177
KILLCHAR 025
UMASK 007
# NOTE: rwxrwx--- ;
# - donne une même confiance au groupe propriétaire qu'au propriétaire ;
# - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
LOGIN_RETRIES 3
LOGIN_TIMEOUT 60
CHFN_RESTRICT rwh
DEFAULT_HOME yes
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512
EOF
# `\>` is a GNU grep word boundary (not portable to other greps).
grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
mk_reg mod= own= --append /etc/pam.d/common-session <<-EOF
session optional pam_umask.so
EOF
}
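# Populate /root: private etc/ssh and etc/gpg directories (linked from
# ~/.ssh and ~/.gnupg), an authorized_keys file aggregating the
# authorized_keys of every member of the `sudo` group, and the project's
# public OpenPGP keys imported into root's keyring.
rule__user_root_init () {
	mk_dir mod=750 own=root:root /root/etc
	mk_dir mod=750 own=root:root /root/etc/ssh
	mk_dir mod=750 own=root:root /root/etc/gpg
	mk_lnk etc/gpg /root/.gnupg
	mk_lnk etc/ssh /root/.ssh
	# getent prints "sudo:x:GID:user1,user2,..."; the inner loop peels one
	# user off the comma-separated list per iteration. The emptiness test
	# belongs to the inner loop (same shape as rule__initramfs_init): it ends
	# the loop once the list is exhausted instead of reading one last empty
	# line from the here-document, where user="" would make ~ expand to the
	# caller's own $HOME. Tested on the outer loop, before any read, $users
	# is unset — an error under set -u — and the loop never runs.
	getent group sudo |
	while IFS=: read -r group x x users
	do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
		# eval is only used for the ~user expansion; user names come from
		# /etc/group, which only an administrator edits.
		do eval local home\; home="~$user"
		cat "$home"/etc/ssh/authorized_keys
		done
	done |
	mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
	# Imported as root so the keys land in root's keyring (/root/etc/gpg).
	sudo find "$tool"/var/pub/openpgp -type f -name '*.key' -exec gpg --import {} \;
}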
# Build an initramfs able to unlock the encrypted root over the network:
# initramfs.conf (all modules, busybox, eth0 configured early), Xen PV module
# aliases, the crypto modules needed to open the LUKS volumes (sha*, aes, xts),
# dropbear host keys and an initramfs-side root authorized_keys aggregated
# from the `sudo` group, then update-initramfs.
rule__initramfs_init () {
mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
MODULES=most
BUSYBOX=y
KEYMAP=y
COMPRESS=gzip
DEVICE=eth0
EOF
mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF
alias eth0 xennet
alias scsi_hostadapter xenblk
EOF
mk_reg mod=644 own=root:root /etc/modules <<-EOF
sha1_generic
sha256_generic
sha512_generic
aes-x86_64
xts
# NOTE: pour Xen en mode HVM :
#modprobe xen-platform-pci
EOF
mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF
EOF
# Drop the trailing " &" from the configure_networking line so dropbear only
# starts once the network is up.
# NOTE(review): this edits a dpkg-owned file; the change is lost whenever the
# dropbear package is upgraded.
sudo sed -e '/^configure_networking /s/ &$//' \
-i /usr/share/initramfs-tools/scripts/init-premount/dropbear
# NOTE: works around a bug: dropbear must wait until the network is configured..
# The old host keys are always removed; a key is regenerated only when
# "$tool"/etc/openssh/known_hosts has no "init.$vm_fqdn" entry whose line
# ends in " RSA" (resp. " DSA"). `return` inside the ( ) subshell just ends
# the subshell with that status; the `break` after it is unreachable.
# NOTE(review): when the known_hosts entry exists, nothing recreates the key
# file after the rm -f — confirm where it is restored from. When it does not,
# every run regenerates the key, so clients see a changed host key until the
# new one is recorded. DSS 1024 is weak and deprecated by OpenSSH clients;
# consider dropping the DSS key entirely.
sudo rm -f \
/etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
/etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
( while IFS= read -r line
do case $line in (*" RSA") return 0; break;; esac
done; return 1 ) ||
sudo dropbearkey -t rsa -s 4096 -f \
/etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
( while IFS= read -r line
do case $line in (*" DSA") return 0; break;; esac
done; return 1 ) ||
sudo dropbearkey -t dss -s 1024 -f \
/etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
# NOTE(review): mode 640 on directories has no execute bit; only root (which
# bypasses DAC) can enter them — 700 would be the usual mode here.
mk_dir mod=640 own=root:root \
/etc/initramfs-tools/root \
/etc/initramfs-tools/root/.ssh
# Aggregate the authorized_keys of every `sudo` group member (same loop as
# rule__user_root_init): the inner loop peels one user off the comma list per
# iteration and stops when the list is empty. eval only does the ~user
# expansion; user names come from /etc/group.
getent group sudo |
while IFS=: read -r group x x users
do while test -n "$users" && IFS=, read -r user users <<-EOF
$users
EOF
do eval local home\; home="~$user"
cat "$home"/etc/ssh/authorized_keys
done
done |
mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
sudo rm -f \
/etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
/etc/initramfs-tools/root/.ssh/id_rsa.pub \
/etc/initramfs-tools/root/.ssh/id_rsa
# NOTE: keys generated by Debian
sudo update-initramfs -u
}
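# Install GRUB (grub-pc) and the kernel image for $vm_arch, write
# /etc/default/grub and /boot/grub/device.map, regenerate grub.cfg, then
# rebuild the initramfs (rule__initramfs_init).
# The resume= device names the swap mapping exactly as /etc/crypttab
# (rule__filesystem_init) declares it: ${vm_lvm_lv}_swap_deciphered. The
# original used ${vm}_swap_deciphered, which only matches when vm_lvm_lv
# happens to equal vm.
rule__boot_init () {
	# XXX: do NOT let the grub-pc debconf prompt install GRUB on ANY of the
	# proposed disks!
	sudo apt-get install --reinstall grub-pc
	# NOTE(review): mode 644 on a directory has no execute bit; only root
	# (which bypasses DAC) can enter /boot/grub — 755 is the usual mode.
	mk_dir mod=644 own=root:root /boot/grub
	sudo apt-get install --reinstall linux-image-$vm_arch
	# The backticks are escaped so GRUB's shell, not this one, runs
	# lsb_release. ip= follows the kernel's
	# client:server:gateway:netmask:hostname:device:autoconf syntax and
	# gives the initramfs (dropbear) a /31 on eth0 with $vm_ipv4 as gateway.
	mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm_lvm_lv}_swap_deciphered"
GRUB_DISABLE_RECOVERY="true"
#GRUB_PRELOAD_MODULES="lvm"
EOF
	# Second entry: the host-side device-mapper name of the VM disk; dashes
	# are doubled as device-mapper does for LVM names.
	# NOTE(review): both lines map (hd0) — confirm GRUB's handling of a
	# duplicate key in device.map is what is intended.
	mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF
(hd0) /dev/xvda
(hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
EOF
	sudo update-grub2 # NOTE: takes /boot/grub/device.map into account
	rule__initramfs_init
}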
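# Install apticron and write its configuration (update notifications are
# mailed to the EMAIL address; the other keys stay at their commented
# defaults). The file must be apticron's own, /etc/apticron/apticron.conf:
# the original wrote this here-document to /etc/default/grub, clobbering the
# GRUB settings (console=, resume=, ...) produced by rule__boot_init.
rule_apticron_init () {
	sudo apt-get install --reinstall apticron
	mk_reg mod=644 own=root:root /etc/apticron/apticron.conf <<-EOF
EMAIL="admin@heureux-cyclage.org"
# DIFF_ONLY="1"
# LISTCHANGES_PROFILE="apticron"
# ALL_FQDNS="1"
# SYSTEM="foobar.example.com"
# IPADDRESSNUM="1"
# IPADDRESSES="192.0.2.1 2001:db8:1:2:3::1"
# NOTIFY_HOLDS="0"
# NOTIFY_NEW="0"
# NOTIFY_NO_UPDATES="0"
# CUSTOM_SUBJECT=""
# CUSTOM_NO_UPDATES_SUBJECT=""
# CUSTOM_FROM="root@ateliers.heureux-cyclage.org"
EOF
	# NOTE(review): on Debian apticron is normally driven by a cron job, not
	# an init script, so this restart may fail and, under set -e, abort the
	# rule — confirm a service by that name exists on the target release.
	sudo service apticron restart
}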
# Make this script available system-wide by linking it into /usr/local/sbin/.
rule__bin_init () {
	local script
	script="$tool"/vm_hosted
	mk_lnk "$script" /usr/local/sbin/
}
# Run every initialisation step, in order, on a freshly installed VM.
# (rule__initramfs_init is not listed: rule__boot_init calls it last.)
rule_init () {
	local step
	for step in etckeeper locale network apt filesystem login user_root boot bin
	do "rule__${step}_init"
	done
}
349
# Change (interactively, through cryptsetup) the LUKS passphrase of the root
# volume. The var/home/swap volumes are unlocked from the root mapping by the
# decrypt_derived keyscript (see /etc/crypttab in rule__filesystem_init), so
# they presumably need no change of their own — verify.
rule_disk_key_change () {
	local root_lv
	root_lv="/dev/$vm_lvm_vg/${vm_lvm_lv}_root"
	sudo cryptsetup luksChangeKey "$root_lv"
}
353
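# Prepare the system for user accounts: the /etc/skel layout (etc/, var/,
# tmp/ with ~/.ssh and ~/.gnupg as links into etc/), an RSA-only OpenSSH host
# key, /etc/ssh/sshd_config (key-only authentication, keys read from
# ~/etc/ssh/authorized_keys), and the sudoers rules plus the passwd-init
# wrapper that let a new account set its own initial password.
# The duplicated `mk_dir ... /etc/skel/tmp` line of the original is removed.
rule_user_init () {
	mk_dir mod=750 own="root:adm" /etc/skel/etc
	mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
	mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/var
	mk_dir mod=700 own="root:adm" /etc/skel/var/log
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache
	mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
	mk_dir mod=700 own="root:adm" /etc/skel/tmp
	# NOTE(review): .gnupg points at etc/gpg but no /etc/skel/etc/gpg
	# directory is created here (rule__user_root_init does create
	# /root/etc/gpg); a new user's gpg may fail until it exists — confirm.
	mk_lnk etc/ssh /etc/skel/.ssh
	mk_lnk etc/gpg /etc/skel/.gnupg
	# Generate the RSA host key only when "$tool"/etc/openssh/known_hosts has
	# no "$vm_fqdn" entry whose line ends in " RSA". `return` inside the ( )
	# subshell just ends the subshell with that status; the `break` after it
	# is unreachable.
	ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
	( while IFS= read -r line
	do case $line in (*" RSA") return 0; break;; esac
	done; return 1 ) ||
	sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
	# Only the RSA host key is kept (sshd_config lists only that HostKey).
	sudo rm -f \
		/etc/ssh/ssh_host_dsa_key \
		/etc/ssh/ssh_host_dsa_key.pub \
		/etc/ssh/ssh_host_ecdsa_key \
		/etc/ssh/ssh_host_ecdsa_key.pub
	# NOTE: the keys removed above were generated by Debian's openssh install.
	# Password, challenge-response, Kerberos and GSSAPI authentication are all
	# off, so PermitRootLogin yes still means key-only root login (root's keys
	# are aggregated by rule__user_root_init).
	# NOTE(review): `PermitRootLogin without-password` would make that
	# explicit should password authentication ever be re-enabled; Protocol,
	# KeyRegenerationInterval, ServerKeyBits, RSAAuthentication and
	# RhostsRSAAuthentication are protocol-1 era options that newer sshd
	# releases warn about — confirm the target release accepts them. Mode 664
	# also makes the file group-writable; 644 is the usual mode.
	mk_reg mod=664 own=root:root /etc/ssh/sshd_config <<-EOF
Port 22
ListenAddress $vm_ipv4
#ListenAddress ::
Protocol 2
Compression yes
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/etc/ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
DebianBanner no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 0
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
EOF
	sudo service ssh restart
	# A `sudo` group member may run passwd on their own account without a
	# password, but only while `passwd --status` reports it locked ("L"),
	# i.e. once, to set the initial password. `\\` yields a literal `\`
	# (sudoers line continuation); sudoers files must be mode 0440.
	# NOTE(review): sudo matches the command string literally, so the joined
	# sudoers line and the single-quoted argument in the wrapper below must be
	# identical byte for byte — confirm after the continuation handling.
	mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
EOF
	mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
%sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
EOF
	# Environment variables sudo passes through (editor and git identity).
	mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-EOF
Defaults env_keep = " \\
EDITOR \\
GIT_AUTHOR_NAME \\
GIT_AUTHOR_EMAIL \\
GIT_COMMITTER_NAME \\
GIT_COMMITTER_EMAIL \\
"
EOF
	# Wrapper invoking exactly the command allowed above. The `\` + newline
	# after `-c` is a line continuation for *this* shell (unquoted
	# here-document), so the written file has the command on one line.
	mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-EOF
#!/bin/sh
sudo /bin/sh -e -f -u -c \
'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
EOF
}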
# Create an administrator account $1: add the user without a password (it is
# set later by the user through passwd-init), put them in the `sudo` group,
# install "$tool"/var/pub/ssh/$user.key as their authorized_keys, refresh the
# initramfs and root authorized_keys aggregates (both built from the `sudo`
# group), and import the project's public OpenPGP keys into their keyring.
rule_user_admin_add () { # SYNTAX: $user
	local user home
	user=$1
	# `id` prints a "no such user" diagnostic once for a new account.
	if ! id "$user" >/dev/null
	then sudo adduser --disabled-password "$user"
	fi
	# NOTE: the password must be initialised by the user with passwd-init .
	# eval only performs the ~user expansion of the administrator-supplied name.
	eval home="~$user"
	sudo adduser "$user" sudo
	mk_reg mod=640 own="$user:$user" "$home"/etc/ssh/authorized_keys \
		<"$tool"/var/pub/ssh/"$user".key
	rule__initramfs_init
	rule__user_root_init
	find "$tool"/var/pub/openpgp -type f -name '*.key' \
		-exec sudo -u "$user" gpg --import {} \;
}
# Write the mail configuration: a per-user procmail delivery recipe in
# /etc/skel, Postfix main.cf, Dovecot (IMAP + SASL for Postfix) and an empty
# postgrey recipient whitelist.
# NOTE(review): the listing seen here has lost all leading whitespace; Postfix
# requires the continuation lines of a multi-line value (e.g. the lines after
# `mydestination =`) to start with whitespace, and <<- strips leading tabs, so
# those lines must be indented with spaces in the actual file — confirm.
rule_user_mail_format () {
mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
mk_dir mod=770 own=root:adm /etc/skel/var/mail
mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
# The recipe receives sender/recipient/user/extension/domain from Postfix
# (see mailbox_command below), reads the forwarding address from the fifth
# comma-separated GECOS subfield of the user's /etc/passwd entry, and the
# unconditional `:0` rule re-sends every message there via $SENDMAIL.
# NOTE(review): in this unquoted here-document only `\$` is escaped; the
# backticks on the `#LOGFILE=`, `EMAIL=` and `FROM_=` lines are NOT, so this
# shell runs those commands when the skel file is written (ln -fns in the
# caller's own ~/var/log/procmail, sed over the caller's passwd entry, and
# formail reading this script's stdin) and stores the caller's results in the
# template instead of the procmail recipes — the caller's own address ends up
# as EMAIL= for every new account. Escaping them as \` (as the
# GRUB_DISTRIBUTOR line in rule__boot_init does) fixes this. The `\`-ended
# lines of the UUCP block are also line continuations here and are joined.
mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
# vim: ft=procmail

# NOTE: paramètres passés par postfix
SENDER=\$1
RECIPIENT=\$2
USER=\$3
EXTENSION=\$4
DOMAIN=\$5
ORIGINAL_RECIPIENT=\$6

PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
MAILDIR="\$HOME/var/mail/"
DEFAULT="\$MAILDIR"
#LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
LOGFILE="/dev/null"
LOGABSTRACT=all
LOGABSTRACT
VERBOSE
SHELL=/bin/sh
SHELLMETAS=&|<>~;?*%{}

# DESCRIPTION: supprime les doublons en fonction du champ Message-Id
#:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
#| formail -D 8192 "\$HOME/var/cache/procmail/msgid"

# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
# NOTE: récupère l’adresse courriel dans le champ GECOS
FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
# NOTE: récupère l’expéditeur inscrit sur l’enveloppe
:0
| \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"

# DESCRIPTION: IMAP
#:0
#| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"

# DESCRIPTION: UUCP
#:0
#| /usr/bin/uux \
# -I "\$HOME/etc/uucp/uucp.cfg" \
# --nouucico \
# --notification=error \
# --requestor "\$USER" \
# - "\$USER!rmail" "(\$USER)"
EOF
# Postfix: local delivery goes through procmail with the user's own
# ~/etc/procmail/delivery.rc (so each user controls their delivery);
# recipient restrictions reject_unauth_destination before the Postgrey
# (127.0.0.1:10023) and SPF policy services, so the server never relays for
# third parties; mynetworks is loopback only. `smtpd_discard_ehlo_keywords =
# starttls` hides STARTTLS on this smtpd, and with `smtpd_tls_auth_only = yes`
# SASL AUTH is therefore never offered here (submission presumably lives in
# master.cf, not visible here — verify).
# NOTE(review): TLSv1 as the mandatory protocol and sha1 fingerprint digests
# are dated; the file is mode 664 (group-writable), 644 is the usual mode.
mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
# /etc/postfix/main.cf
# SEE: http://postfix.traduc.org/index.php/TLS_README.html

parent_domain_matches_subdomains =
#debug_peer_list
#fast_flush_domains
#mynetworks
#permit_mx_backup_networks
#qmqpd_authorized_clients
#smtpd_access_maps
mydomain = $vm_domainname
myorigin = \$mydomain
myhostname = $vm_hostname.\$mydomain
mail_name = \$myhostname
mydestination =
$vm_hostname
\$myhostname
\$myorigin
mynetworks =
127.0.0.0/8
#[::1]/128
inet_protocols = ipv4
# "all" to activate IPv6
inet_interfaces = all
permit_mx_backup_networks =

alias_database =
hash:/etc/aliases
# NOTE: fichier de hash contenant une table d’alias mail.
# Celle-ci est éditable dans /etc/aliases, puis (indispensable)
# regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
alias_maps =
hash:/etc/aliases
recipient_delimiter = +
# NOTE: séparateur entre le nom d’utilisateur
# et les extensions d’adresse (par défaut le signe +).
#virtual_alias_domains =
virtual_alias_maps =
hash:/etc/postfix/\$mydomain/virtual
# NOTE: do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
#
# With a virtual alias domain, the Postfix SMTP server
# accepts mail for known-user@virtual-alias.domain, and
# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.
#relayhost =
relay_clientcerts =
hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
relay_domains =
\$mydestination
# NOTE: ajouter les domaines pour lesquels on est backup MX ici,
# pas dans mydestination ou virtual_alias...

maximal_queue_lifetime = 5d

header_checks =
regexp:/etc/postfix/\$mydomain/header_checks
mime_header_checks =
nested_header_checks =
milter_header_checks =
body_checks =

#content_filter = amavisfeed:[127.0.0.1]:10024
#receive_override_options = no_address_mappings
# no_unknown_recipient_checks
# Do not try to reject unknown recipients (SMTP server only).
# This is typically specified AFTER an external content filter.
# no_address_mappings
# Disable canonical address mapping, virtual alias map expansion,
# address masquerading, and automatic BCC (blind carbon-copy) recipients.
# This is typically specified BEFORE an external content filter (eg. amavis).
# no_header_body_checks
# Disable header/body_checks. This is typically specified AFTER an external content filter.
# no_milters
# Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
#local_header_rewrite_clients =
transport_maps =
hash:/etc/postfix/\$mydomain/transport_maps
mailbox_command =
/usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
mailbox_size_limit = 0
biff = no
# Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
append_dot_mydomain = no
# appending .domain is the MUA's job.

#tls_random_source =
# dev:/dev/urandom
# Non-blocking
#tls_random_reseed_period = 3600s
#tls_random_exchange_name =
# \${data_directory}/prng_exch
# NOTE: à ne pas mettre dans la cage chroot
#tls_random_bytes = 32
#tls_random_prng_update_period = 3600s
#tls_high_cipherlist = AES256-SHA
# NOTE: postconf(5) déconseille de changer ceci

#smtp_cname_overrides_servername = no
smtp_connect_timeout = 60s
#smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
#smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
#smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
#smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
#smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
# NOTE: déprécié en faveur de smtp_tls_policy_maps
smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
smtp_tls_fingerprint_digest = sha1
smtp_tls_scert_verifydepth = 5
#smtp_tls_secure_cert_match = nexthop, dot-nexthop
#smtp_tls_verify_cert_match = hostname
#smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3
# Only allow TLSv*
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
#smtp_tls_session_cache_timeout = 3600s
smtp_tls_security_level = may
smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
smtp_body_checks =
smtp_mime_header_checks =
smtp_nested_header_checks =

smtpd_starttls_timeout = 300s
smtpd_banner =
\$myhostname ESMTP \$mail_name (Debian/GNU)

# Restrictions
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
smtpd_authorized_xclient_hosts = 127.0.0.1
# NOTE: utile pour tester les restrictions

smtpd_helo_restrictions =
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
#reject_unknown_helo_hostname
# NOTE: pourrait pourtant être utile pour lutter contre le spam
permit

smtpd_sender_restrictions =
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
check_sender_access hash:/etc/postfix/sender_blacklist
reject_unauth_pipelining
reject_non_fqdn_sender
#reject_unknown_sender_domain
# NOTE: temporaire
permit

smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_event_limit_exceptions = \$mynetworks
smtpd_client_recipient_rate_limit = 0
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 0
smtpd_client_port_logging = no

smtpd_client_restrictions =
check_client_access hash:/etc/postfix/client_blacklist

policy_time_limit = 3600
default_extra_recipient_limit = 5000
duplicate_filter_limit = 5000
smtpd_recipient_limit = 5000
smtpd_recipient_overshoot_limit = 5000
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
#reject_invalid_hostname
# NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
# dans smtpd_helo_restrictions
reject_unknown_recipient_domain
#reject_non_fqdn_sender
# NOTE: dans smtpd_sender_restrictions
reject_unauth_pipelining
# NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
reject_unauth_destination
# NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
# ou quelqu'un pour lequel on tient lieu de backup_mx
check_policy_service inet:127.0.0.1:10023
# NOTE: Postgrey (greylisting)
check_policy_service unix:private/spfcheck
permit_auth_destination
# NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
# (voir permit_auth_destination) ; sans doute redondant
reject
#check_relay_domains <- removed from postfix
#reject_unknown_sender_domain
# aurait probablement été mieux dans smtpd_sender_restrictions
#reject_rbl_client bl.spamcop.net
#reject_rbl_client list.dsbl.org
#reject_rbl_client zen.spamhaus.org
#reject_rbl_client dnsbl.sorbs.net

smtpd_data_restrictions =
reject_unauth_pipelining
# NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
permit

#smtpd_end_of_data_restrictions =

#smtpd_restriction_classes =

smtpd_error_sleep_time = 5
# NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.

# SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_domain = \$mydomain

# SMTPD TLS
smtpd_discard_ehlo_keywords = starttls
# NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
# se mangent une erreur en tentant un starttls
smtpd_tls_fingerprint_digest = sha1
# sha512 ?
smtpd_tls_mandatory_protocols = TLSv1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
# restrictif. s/high/medium/ ?
smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
##
#smtpd_tls_received_header = no
smtpd_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache
#smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_security_level = may
# Postfix 2.3 and later
# encrypt
# Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
# encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
# SMTP server. Instead, this option should be used only on dedicated servers.
smtpd_tls_loglevel = 1
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_auth_only = yes
# Pas d'AUTH SASL sans TLS
smtpd_tls_ask_ccert = no
smtpd_tls_req_ccert = no
#smtpd_tls_always_issue_session_ids = yes
smtpd_peername_lookup = yes
# Nécessaire pour postgrey, etc
smtpd_milters =
non_smtpd_milters =
line_length_limit = 2048
queue_minfree = 0
message_size_limit = 20480000
#smtpd_enforce_tls # NOTE: obsolète
#smtpd_use_tls # NOTE: obsolète
#smtpd_tls_cipherlist # NOTE: obsolète

readme_directory = no
#delay_warning_time = 4h
# NOTE: uncomment the previous line to generate "delayed mail" warnings
#debug_peer_level = 4
#debug_peer_list = .\$myhostname
EOF
# Dovecot: IMAP only, maildir under ~/var/mail, client certificates required
# (ssl_verify_client_cert) with the username taken from the certificate,
# passwords from a per-user passwd-file, and the auth socket Postfix's SASL
# uses. The auth service runs as root.
# NOTE(review): /home/%u/etc/dovecot/passwd lives in the user's own home, so
# the user can edit their own IMAP credentials and its mode is not set here;
# mail_debug/verbose_ssl produce verbose logs; AES256-SHA is a single legacy
# cipher. The file is mode 664 (group-writable).
mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
auth_ssl_username_from_cert = yes
listen = *
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_location = maildir:~/var/mail
mail_privileged_group = mail
passdb {
args = /home/%u/etc/dovecot/passwd
driver = passwd-file
}
protocols = imap
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
user = root
}
ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
ssl_cipher_list = AES256-SHA
ssl_key = </etc/dovecot/imap/tls/key.pem
ssl_verify_client_cert = yes
userdb {
driver = passwd
}
verbose_ssl = yes
protocol lda {
auth_socket_path = /var/run/dovecot/auth-master
hostname = $vm_domainname
info_log_path = /var/log/dovecot/lda/info.log
log_path = /var/log/dovecot/lda/error.log
mail_plugins = sieve
postmaster_address = contact+dovecot+lda@$vm_domainname
}
EOF
# Empty local recipient whitelist for postgrey (created so it exists).
mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
EOF
}
# Install the mail stack (Postfix, postgrey, Dovecot) with apt-get.
# NOTE(review): Debian ships Dovecot as dovecot-core/dovecot-imapd; confirm a
# package named `dovecot` resolves on the target release.
rule_mail_install () {
	set -- postfix postgrey dovecot
	sudo apt-get install "$@"
}
818
# Entry point: the first argument names the rule_* function to run (help by
# default) and the remaining arguments are passed to it. Any rule other than
# help first checks that this machine's FQDN is the configured $vm_fqdn
# (under set -e a mismatch aborts the script — presumably to avoid running on
# the wrong machine), then TRACE (any value) turns on command tracing.
# An unknown rule name simply fails the `rule_$rule` lookup (command not found).
rule=${1:-help}
test $# -eq 0 || shift
if test "$rule" != help
then test "$(hostname --fqdn)" = "$vm_fqdn"
	${TRACE:+set -x}
fi
rule_$rule "$@"