dépôts / lhc / ateliers.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Correction : vm_* : help toujours accessible.
[lhc/ateliers.git] / vm_hosted
1 #!/bin/sh
2 set -e -f ${DRY_RUN:+-n} -u
3 tool=${0%/*}
4 . "$tool"/lib/functions.sh
5 . "$tool"/etc/vm.sh
6
7 rule_help () {
8 cat >&2 <<-EOF
9 DESCRIPTION: ce script regroupe des fonctions utilitaires
10 pour gérer la VM _depuis_ la VM hébergée ;
11 il sert à la fois d'outil et de documentation.
12 Voir \`$tool/vm_host' pour les utilitaires côté machine hôte.
13 SYNTAX: $0 \$RULE \${RULE}_SYNTAX
14 RULES:
15 $(sed -ne 's/^rule_\([^_][^ ]*\) () {\( *#.*\|\)/\t\1\2/p' "$tool"/vm.sh "$0")
16 ENVIRONMENT:
17 TRACE # affiche les commandes avant leur exécution
18 $(sed -ne 's/^readonly \([^ ][^ =]*\).*}\( *#.*\|\)$/\t$\1\2/p' "$tool"/vm.sh "$0")
19 EOF
20 }
21
22 rule_git_reset () {
23 (
24 cd "$tool"
25 git checkout -f -B master origin
26 git clean -f -d -x
27 )
28 }
29
30 rule_chrooted () {
31 export LANG=C
32 export LC_CTYPE=C
33 . /etc/profile
34 }
35
36 rule__etckeeper_init () {
37 mk_reg mod=644 own=root:root /etc/etckeeper/etckeeper.conf <<-EOF
38 VCS=git
39 GIT_COMMIT_OPTIONS=""
40 AVOID_DAILY_AUTOCOMMITS=1
41 #AVOID_SPECIAL_FILE_WARNING=1
42 #AVOID_COMMIT_BEFORE_INSTALL=1
43 HIGHLEVEL_PACKAGE_MANAGER=apt
44 LOWLEVEL_PACKAGE_MANAGER=dpkg
45 EOF
46 }
47 rule__locale_init () {
48 mk_reg mod=644 own=root:root /etc/locale.gen <<-EOF
49 fr_FR.UTF-8 UTF-8
50 EOF
51 sudo update-locale
52 }
53 rule__network_init () {
54 mk_reg mod= own= /etc/hostname <<-EOF
55 $vm
56 EOF
57 grep -q " $vm\$" /etc/hosts ||
58 mk_reg mod= own= --append /etc/hosts <<-EOF
59 127.0.0.1 $vm_fqdn $vm
60 EOF
61 mk_reg mod= own= /etc/network/interfaces <<-EOF
62 auto lo
63 iface lo inet loopback
64
65 auto eth0=grenode
66 iface grenode inet static
67 address $vm_ipv4
68 gateway $vm_ipv4 # NOTE: proxy_arp sur la passerelle permet d'utiliser la même adresse
69 network $vm_ipv4
70 broadcast $vm_ipv4
71 netmask 255.255.255.255
72 mtu 1300 # TODO: voir si c'est nécessaire à Lyon
73 post-up ip address add $vm_ipv4/32 dev \$IFACE
74 pre-down ip address delete $vm_ipv4/32 dev \$IFACE
75 EOF
76 }
77 rule__apt_init () {
78 mk_reg mod= own= /etc/apt/sources.list <<-EOF
79 deb http://ftp.fr.debian.org/debian $vm_lsb_name main contrib non-free
80 EOF
81 mk_reg mod= own= /etc/apt/sources.list.d/$vm_lsb_name-backports.list <<-EOF
82 deb http://backports.debian.org/debian-backports $vm_lsb_name-backports main contrib non-free
83 EOF
84 mk_reg mod= own= /etc/apt/preferences <<-EOF
85 Package: *
86 Pin: release a=$vm_lsb_name
87 Pin-Priority: 170
88
89 Package: *
90 Pin: release a=$vm_lsb_name-backports
91 Pin-Priority: 200
92 EOF
93 mk_reg mod= own= /etc/apt/sources.list.d/openerp.list <<-EOF
94 deb http://nightly.openerp.com/trunk/nightly/deb/ ./
95 EOF
96 }
97 rule__filesystem_init () {
98 mk_reg mod=644 own=root:root /etc/fstab <<-EOF
99 # <file system> <mount point> <type> <options> <dump> <pass>
100 LABEL=${vm_lvm_lv}_boot /boot ext2 defaults 0 0
101 proc /proc proc defaults 0 0
102 sysfs /sys sysfs defaults 0 0
103 tmpfs /tmp tmpfs rw,nosuid,nodev,auto,size=200m,nr_inodes=1000k,mode=1777,noatime,nodiratime 0 0
104 /dev/mapper/${vm_lvm_lv}_root_deciphered / ext4 defaults,errors=remount-ro,acl,noatime 0 1
105 /dev/mapper/${vm_lvm_lv}_var_deciphered /var ext4 defaults,errors=remount-ro,acl,noatime 0 1
106 /dev/mapper/${vm_lvm_lv}_home_deciphered /home ext4 defaults,errors=remount-ro,acl,noatime,usrquota,grpquota 0 0
107 /dev/mapper/${vm_lvm_lv}_swap_deciphered swap swap sw 0 0
108 EOF
109 mk_reg mod=644 own=root:root /etc/crypttab <<-EOF
110 # <target name> <source device> <key file> <options>
111 ${vm_lvm_lv}_root_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_root none luks,lvm=$vm_lvm_vg
112 ${vm_lvm_lv}_var_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_var ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
113 ${vm_lvm_lv}_home_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_home ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
114 ${vm_lvm_lv}_swap_deciphered /dev/$vm_lvm_vg/${vm_lvm_lv}_swap ${vm_lvm_lv}_root_deciphered luks,lvm=$vm_lvm_vg,keyscript=/lib/cryptsetup/scripts/decrypt_derived
115 EOF
116 mk_reg mod=644 own=root:root /etc/sysctl.d/local-swap.conf <<-EOF
117 vm.swappiness = 10 # NOTE: n'utilise le swap qu'en cas d'absolue nécessité
118 vm.vfs_cache_pressure=50
119 EOF
120 }
121 rule__login_init () {
122 grep -q hvc0 /etc/securetty ||
123 mk_reg mod= own= --append /etc/securetty <<-EOF
124 hvc0
125 EOF
126 grep -q xvc0 /etc/securetty ||
127 mk_reg mod= own= --append /etc/securetty <<-EOF
128 xvc0
129 EOF
130 mk_reg mod=644 own=root:root /etc/inittab <<-EOF
131 # /etc/inittab: init(8) configuration.
132
133 # The default runlevel.
134 id:2:initdefault:
135
136 # Boot-time system configuration/initialization script.
137 # This is run first except when booting in emergency (-b) mode.
138 si::sysinit:/etc/init.d/rcS
139
140 # What to do in single-user mode.
141 ~~:S:wait:/sbin/sulogin
142
143 # /etc/init.d executes the S and K scripts upon change
144 # of runlevel.
145 #
146 # Runlevel 0 is halt.
147 # Runlevel 1 is single-user.
148 # Runlevels 2-5 are multi-user.
149 # Runlevel 6 is reboot.
150
151 l0:0:wait:/etc/init.d/rc 0
152 l1:1:wait:/etc/init.d/rc 1
153 l2:2:wait:/etc/init.d/rc 2
154 l3:3:wait:/etc/init.d/rc 3
155 l4:4:wait:/etc/init.d/rc 4
156 l5:5:wait:/etc/init.d/rc 5
157 l6:6:wait:/etc/init.d/rc 6
158 # Normally not reached, but fallthrough in case of emergency.
159 z6:6:respawn:/sbin/sulogin
160
161 # What to do when CTRL-ALT-DEL is pressed.
162 ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
163
164 # What to do when the power fails/returns.
165 pf::powerwait:/etc/init.d/powerfail start
166 pn::powerfailnow:/etc/init.d/powerfail now
167 po::powerokwait:/etc/init.d/powerfail stop
168
169 # Xen hypervisor console
170 hvc:2345:respawn:/sbin/getty 38400 hvc0
171 #xvc:2345:respawn:/sbin/getty 38400 xvc0
172 EOF
173 mk_reg mod=644 own=root:root /etc/login.defs <<-EOF
174 MAIL_DIR /var/mail
175 FAILLOG_ENAB yes
176 LOG_UNKFAIL_ENAB no
177 LOG_OK_LOGINS no
178 SYSLOG_SU_ENAB yes
179 SYSLOG_SG_ENAB yes
180 FTMP_FILE /var/log/btmp
181 SU_NAME su
182 HUSHLOGIN_FILE .hushlogin
183 ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
184 ENV_PATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
185 # NOTE: met les sbin/ dans ENV_PATH ;
186 # - ça n'apporte aucune protection de ne pas les mettre ;
187 # - ça frustre de ne pas les trouver.
188 TTYGROUP tty
189 TTYPERM 0600
190 ERASECHAR 0177
191 KILLCHAR 025
192 # NOTE: rwxrwx--- ;
193 # - donne une même confiance au groupe propriétaire qu'au propriétaire ;
194 # - facilite l'utilisation des ACL, qui sont dépendantes des droits du groupe propriétaire.
195 UMASK 007
196 PASS_MAX_DAYS 99999
197 PASS_MIN_DAYS 0
198 PASS_WARN_AGE 7
199 UID_MIN 1000
200 UID_MAX 60000
201 GID_MIN 1000
202 GID_MAX 60000
203 LOGIN_RETRIES 3
204 LOGIN_TIMEOUT 60
205 CHFN_RESTRICT rwh
206 DEFAULT_HOME yes
207 USERGROUPS_ENAB yes
208 ENCRYPT_METHOD SHA512
209 EOF
210 grep -q '^session optional pam_umask.so\>' /etc/pam.d/common-session ||
211 mk_reg mod= own= --append /etc/pam.d/common-session <<-EOF
212 session optional pam_umask.so
213 EOF
214 }
215 rule__user_root_init () {
216 mk_dir mod=750 own=root:root /root/etc
217 mk_dir mod=750 own=root:root /root/etc/ssh
218 mk_dir mod=750 own=root:root /root/etc/gpg
219 mk_lnk etc/gpg /root/.gnupg
220 mk_lnk etc/ssh /root/.ssh
221 getent group sudo |
222 while IFS=: read -r group x x users
223 do while IFS=, read -r user
224 do eval local home\; home="~$user"
225 cat "$home"/etc/ssh/authorized_keys
226 done <<-EOF
227 $users
228 EOF
229 done |
230 mk_reg mod=640 own=root:root /root/etc/ssh/authorized_keys
231 sudo find "$tool"/var/pub/openpgp -type f -name '*.key' -exec gpg --import {} \;
232 }
233 rule__initramfs_init () {
234 mk_reg mod=644 own=root:root /etc/initramfs-tools/initramfs.conf <<-EOF
235 MODULES=most
236 BUSYBOX=y
237 KEYMAP=y
238 COMPRESS=gzip
239 DEVICE=eth0
240 EOF
241 mk_reg mod=644 own=root:root /etc/modprobe.d/xen-pv.conf <<-EOF
242 alias eth0 xennet
243 alias scsi_hostadapter xenblk
244 EOF
245 mk_reg mod=644 own=root:root /etc/modules <<-EOF
246 sha1_generic
247 sha256_generic
248 sha512_generic
249 aes-x86_64
250 xts
251 # NOTE: pour Xen en mode HVM :
252 #modprobe xen-platform-pci
253 EOF
254 mk_reg mod=644 own=root:root /etc/initramfs-tools/modules <<-EOF
255 EOF
256 sudo sed -e '/^configure_networking /s/ &$//' \
257 -i /usr/share/initramfs-tools/scripts/init-premount/dropbear
258 # NOTE: corrige une vermine : dropbear doit attendre que le réseau soit configuré..
259 sudo rm -f \
260 /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
261 /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub \
262 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key \
263 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key.pub
264 #mk_reg mod=640 own=root:root </dev/null \
265 # /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key \
266 # /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key.pub
267 ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
268 ( while IFS= read -r line
269 do case $line in (*" RSA") return 0; break;; esac
270 done; return 1 ) ||
271 sudo dropbearkey -t rsa -s 4096 -f \
272 /etc/initramfs-tools/etc/dropbear/dropbear_rsa_host_key
273 ssh-keygen -F "init.$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
274 ( while IFS= read -r line
275 do case $line in (*" DSA") return 0; break;; esac
276 done; return 1 ) ||
277 sudo dropbearkey -t dss -s 1024 -f \
278 /etc/initramfs-tools/etc/dropbear/dropbear_dss_host_key
279 mk_dir mod=640 own=root:root \
280 /etc/initramfs-tools/root \
281 /etc/initramfs-tools/root/.ssh
282 getent group sudo |
283 while IFS=: read -r group x x users
284 do while IFS=, read -r user
285 do eval local home\; home="~$user"
286 cat "$home"/etc/ssh/authorized_keys
287 done <<-EOF
288 $users
289 EOF
290 done |
291 mk_reg mod=644 own=root:root /etc/initramfs-tools/root/.ssh/authorized_keys
292 sudo rm -f \
293 /etc/initramfs-tools/root/.ssh/id_rsa.dropbear \
294 /etc/initramfs-tools/root/.ssh/id_rsa.pub \
295 /etc/initramfs-tools/root/.ssh/id_rsa
296 # NOTE: clefs générées par Debian
297 sudo update-initramfs -u
298 }
299 rule__boot_init () {
300 sudo apt-get install --reinstall grub-pc # XXX: attention à n'installer GRUB sur AUCUN disque proposé !
301 mk_dir mod=644 own=root:root /boot/grub
302 sudo apt-get install --reinstall linux-image-$vm_arch
303 mk_reg mod=644 own=root:root /etc/default/grub <<-EOF
304 GRUB_DEFAULT=0
305 GRUB_TIMEOUT=5
306 GRUB_DISTRIBUTOR=\`lsb_release -i -s 2> /dev/null || echo Debian\`
307 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
308 GRUB_CMDLINE_LINUX="vt.default_utf8=1 rootfstype=ext4 loglevel=5 console=hvc0 ip=$vm_ipv4::$vm_ipv4:255.255.255.254:$vm:eth0:off resume=/dev/mapper/${vm}_swap_deciphered"
309 GRUB_DISABLE_RECOVERY="true"
310 #GRUB_PRELOAD_MODULES="lvm"
311 EOF
312 mk_reg mod=644 own=root:root /boot/grub/device.map <<-EOF
313 (hd0) /dev/xvda
314 (hd0) /dev/mapper/domU-$(printf %s $vm_fqdn-disk | sed -e 's/-/--/g')
315 EOF
316 sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
317 rule__initramfs_init
318 }
319 rule__bin_init () {
320 mk_lnk "$tool"/vm_hosted /usr/local/sbin/
321 }
322 rule_init () {
323 rule__etckeeper_init
324 rule__locale_init
325 rule__network_init
326 rule__apt_init
327 rule__filesystem_init
328 rule__login_init
329 rule__user_root_init
330 rule__boot_init
331 rule__bin_init
332 }
333
334 rule_disk_key_change () {
335 sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
336 }
337
338 rule_user_init () {
339 mk_dir mod=750 own="root:adm" /etc/skel/etc
340 mk_dir mod=770 own="root:adm" /etc/skel/etc/apache2
341 mk_dir mod=770 own="root:adm" /etc/skel/etc/ssh
342 mk_dir mod=700 own="root:adm" /etc/skel/var
343 mk_dir mod=700 own="root:adm" /etc/skel/var/log
344 mk_dir mod=700 own="root:adm" /etc/skel/var/cache
345 mk_dir mod=700 own="root:adm" /etc/skel/var/cache/ssh
346 mk_dir mod=700 own="root:adm" /etc/skel/tmp
347 mk_dir mod=700 own="root:adm" /etc/skel/tmp
348 mk_lnk etc/ssh /etc/skel/.ssh
349 mk_lnk etc/gpg /etc/skel/.gnupg
350 ssh-keygen -F "$vm_fqdn" -f "$tool"/etc/openssh/known_hosts |
351 ( while IFS= read -r line
352 do case $line in (*" RSA") return 0; break;; esac
353 done; return 1 ) ||
354 sudo ssh-keygen -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
355 sudo rm -f \
356 /etc/ssh/ssh_host_dsa_key \
357 /etc/ssh/ssh_host_dsa_key.pub \
358 /etc/ssh/ssh_host_ecdsa_key \
359 /etc/ssh/ssh_host_ecdsa_key.pub
360 # NOTE: clefs générées par Debian
361 mk_reg mod=664 own=root:root /etc/ssh/sshd_config <<-EOF
362 Port 22
363 ListenAddress $vm_ipv4
364 #ListenAddress ::
365 Protocol 2
366 Compression yes
367 HostKey /etc/ssh/ssh_host_rsa_key
368 UsePrivilegeSeparation yes
369 KeyRegenerationInterval 3600
370 ServerKeyBits 768
371 SyslogFacility AUTH
372 LogLevel INFO
373 LoginGraceTime 120
374 PermitRootLogin yes
375 StrictModes yes
376 RSAAuthentication yes
377 PubkeyAuthentication yes
378 AuthorizedKeysFile %h/etc/ssh/authorized_keys
379 IgnoreRhosts yes
380 RhostsRSAAuthentication no
381 HostbasedAuthentication no
382 IgnoreUserKnownHosts no
383 PermitEmptyPasswords no
384 ChallengeResponseAuthentication no
385 PasswordAuthentication no
386 KerberosAuthentication no
387 GSSAPIAuthentication no
388 X11Forwarding no
389 X11DisplayOffset 10
390 PrintMotd no
391 DebianBanner no
392 PrintLastLog yes
393 TCPKeepAlive yes
394 ClientAliveInterval 0
395 AcceptEnv LANG LC_*
396 Subsystem sftp /usr/lib/openssh/sftp-server
397 UsePAM yes
398 EOF
399 sudo service ssh restart
400 mk_reg mod=440 own=root:root /etc/sudoers.d/passwd-init <<-EOF
401 %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
402 case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
403 ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
404 EOF
405 mk_reg mod=440 own=root:root /etc/sudoers.d/etckeeper-unclean <<-EOF
406 %sudo ALL=(ALL) NOPASSWD: /usr/sbin/etckeeper unclean
407 EOF
408 mk_reg mod=440 own=root:root /etc/sudoers.d/env_keep <<-EOF
409 Defaults env_keep = " \\
410 EDITOR \\
411 GIT_AUTHOR_NAME \\
412 GIT_AUTHOR_EMAIL \\
413 GIT_COMMITTER_NAME \\
414 GIT_COMMITTER_EMAIL \\
415 "
416 EOF
417 mk_reg mod=555 own=root:root /usr/local/sbin/passwd-init <<-EOF
418 #!/bin/sh
419 sudo /bin/sh -e -f -u -c \
420 'case \$(/usr/bin/passwd --status "\$SUDO_USER") in ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac'
421 EOF
422 }
423 rule_user_admin_add () { # SYNTAX: $user
424 local user=$1
425 id "$user" >/dev/null ||
426 sudo adduser --disabled-password "$user"
427 # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init .
428 eval local home\; home="~$user"
429 sudo adduser "$user" sudo
430 ssh_key_add user=$user "$tool"/var/pub/ssh/"$user".key "$home"/etc/ssh/authorized_keys
431 rule__initramfs_init
432 rule__user_root_init
433 sudo gpg --import "$tool"/var/pub/opengpg/"$user".key
434 }
435 rule_user_mail_format () {
436 mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
437 mk_dir mod=770 own=root:adm /etc/skel/var/mail
438 mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
439 mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
440 # vim: ft=procmail
441
442 # NOTE: paramètres passés par postfix
443 SENDER=\$1
444 RECIPIENT=\$2
445 USER=\$3
446 EXTENSION=\$4
447 DOMAIN=\$5
448 ORIGINAL_RECIPIENT=\$6
449
450 PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
451 MAILDIR="\$HOME/var/mail/"
452 DEFAULT="\$MAILDIR"
453 #LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
454 LOGFILE="/dev/null"
455 LOGABSTRACT=all
456 LOGABSTRACT
457 VERBOSE
458 SHELL=/bin/sh
459 SHELLMETAS=&|<>~;?*%{}
460
461 # DESCRIPTION: supprime les doublons en fonction du champ Message-Id
462 #:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
463 #| formail -D 8192 "\$HOME/var/cache/procmail/msgid"
464
465 # DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward
466 EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
467 # NOTE: récupère l’adresse courriel dans le champ GECOS
468 FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
469 # NOTE: récupère l’expéditeur inscrit sur l’enveloppe
470 :0
471 | \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"
472
473 # DESCRIPTION: IMAP
474 #:0
475 #| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"
476
477 # DESCRIPTION: UUCP
478 #:0
479 #| /usr/bin/uux \
480 # -I "\$HOME/etc/uucp/uucp.cfg" \
481 # --nouucico \
482 # --notification=error \
483 # --requestor "\$USER" \
484 # - "\$USER!rmail" "(\$USER)"
485 EOF
486 mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
487 # /etc/postfix/main.cf
488 # SEE: http://postfix.traduc.org/index.php/TLS_README.html
489
490 parent_domain_matches_subdomains =
491 #debug_peer_list
492 #fast_flush_domains
493 #mynetworks
494 #permit_mx_backup_networks
495 #qmqpd_authorized_clients
496 #smtpd_access_maps
497 mydomain = $vm_domainname
498 myorigin = \$mydomain
499 myhostname = $vm_hostname.\$mydomain
500 mail_name = \$myhostname
501 mydestination =
502 $vm_hostname
503 \$myhostname
504 \$myorigin
505 mynetworks =
506 127.0.0.0/8
507 #[::1]/128
508 inet_protocols = ipv4
509 # "all" to activate IPv6
510 inet_interfaces = all
511 permit_mx_backup_networks =
512
513 alias_database =
514 hash:/etc/aliases
515 # NOTE: fichier de hash contenant une table d’alias mail.
516 # Celle-ci est éditable dans /etc/aliases, puis (indispensable)
517 # regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db
518 alias_maps =
519 hash:/etc/aliases
520 recipient_delimiter = +
521 # NOTE: séparateur entre le nom d’utilisateur
522 # et les extensions d’adresse (par défaut le signe +).
523 #virtual_alias_domains =
524 virtual_alias_maps =
525 hash:/etc/postfix/\$mydomain/virtual
526 # NOTE: do not specify virtual alias domain names in the main.cf
527 # mydestination or relay_domains configuration parameters.
528 #
529 # With a virtual alias domain, the Postfix SMTP server
530 # accepts mail for known-user@virtual-alias.domain, and
531 # rejects mail for unknown-user@virtual-alias.domain as
532 # undeliverable.
533 #relayhost =
534 relay_clientcerts =
535 hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
536 relay_domains =
537 \$mydestination
538 # NOTE: ajouter les domaines pour lesquels on est backup MX ici,
539 # pas dans mydestination ou virtual_alias...
540
541 maximal_queue_lifetime = 5d
542
543 header_checks =
544 regexp:/etc/postfix/\$mydomain/header_checks
545 mime_header_checks =
546 nested_header_checks =
547 milter_header_checks =
548 body_checks =
549
550 #content_filter = amavisfeed:[127.0.0.1]:10024
551 #receive_override_options = no_address_mappings
552 # no_unknown_recipient_checks
553 # Do not try to reject unknown recipients (SMTP server only).
554 # This is typically specified AFTER an external content filter.
555 # no_address_mappings
556 # Disable canonical address mapping, virtual alias map expansion,
557 # address masquerading, and automatic BCC (blind carbon-copy) recipients.
558 # This is typically specified BEFORE an external content filter (eg. amavis).
559 # no_header_body_checks
560 # Disable header/body_checks. This is typically specified AFTER an external content filter.
561 # no_milters
562 # Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
563 #local_header_rewrite_clients =
564 transport_maps =
565 hash:/etc/postfix/\$mydomain/transport_maps
566 mailbox_command =
567 /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
568 mailbox_size_limit = 0
569 biff = no
570 # Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no).
571 append_dot_mydomain = no
572 # appending .domain is the MUA's job.
573
574 #tls_random_source =
575 # dev:/dev/urandom
576 # Non-blocking
577 #tls_random_reseed_period = 3600s
578 #tls_random_exchange_name =
579 # \${data_directory}/prng_exch
580 # NOTE: à ne pas mettre dans la cage chroot
581 #tls_random_bytes = 32
582 #tls_random_prng_update_period = 3600s
583 #tls_high_cipherlist = AES256-SHA
584 # NOTE: postconf(5) déconseille de changer ceci
585
586 #smtp_cname_overrides_servername = no
587 smtp_connect_timeout = 60s
588 #smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
589 #smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/
590 #smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem
591 #smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem
592 #smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
593 # NOTE: déprécié en faveur de smtp_tls_policy_maps
594 smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy
595 smtp_tls_fingerprint_digest = sha1
596 smtp_tls_scert_verifydepth = 5
597 #smtp_tls_secure_cert_match = nexthop, dot-nexthop
598 #smtp_tls_verify_cert_match = hostname
599 #smtp_tls_note_starttls_offer = yes
600 smtp_tls_loglevel = 1
601 smtp_tls_protocols = !SSLv2, !SSLv3
602 # Only allow TLSv*
603 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
604 #smtp_tls_session_cache_timeout = 3600s
605 smtp_tls_security_level = may
606 smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks
607 smtp_body_checks =
608 smtp_mime_header_checks =
609 smtp_nested_header_checks =
610
611 smtpd_starttls_timeout = 300s
612 smtpd_banner =
613 \$myhostname ESMTP \$mail_name (Debian/GNU)
614
615 # Restrictions
616 smtpd_helo_required = yes
617 strict_rfc821_envelopes = yes
618 smtpd_authorized_xclient_hosts = 127.0.0.1
619 # NOTE: utile pour tester les restrictions
620
621 smtpd_helo_restrictions =
622 reject_invalid_helo_hostname
623 reject_non_fqdn_helo_hostname
624 #reject_unknown_helo_hostname
625 # NOTE: pourrait pourtant être utile pour lutter contre le spam
626 permit
627
628 smtpd_sender_restrictions =
629 permit_mynetworks
630 permit_tls_clientcerts
631 permit_sasl_authenticated
632 check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
633 check_sender_access hash:/etc/postfix/sender_blacklist
634 reject_unauth_pipelining
635 reject_non_fqdn_sender
636 #reject_unknown_sender_domain
637 # NOTE: temporaire
638 permit
639
640 smtpd_client_new_tls_session_rate_limit = 0
641 smtpd_client_event_limit_exceptions = \$mynetworks
642 smtpd_client_recipient_rate_limit = 0
643 smtpd_client_connection_count_limit = 50
644 smtpd_client_connection_rate_limit = 0
645 smtpd_client_message_rate_limit = 0
646 smtpd_client_port_logging = no
647
648 smtpd_client_restrictions =
649 check_client_access hash:/etc/postfix/client_blacklist
650
651 policy_time_limit = 3600
652 default_extra_recipient_limit = 5000
653 duplicate_filter_limit = 5000
654 smtpd_recipient_limit = 5000
655 smtpd_recipient_overshoot_limit = 5000
656 smtpd_recipient_restrictions =
657 reject_non_fqdn_recipient
658 #reject_invalid_hostname
659 # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
660 # dans smtpd_helo_restrictions
661 reject_unknown_recipient_domain
662 #reject_non_fqdn_sender
663 # NOTE: dans smtpd_sender_restrictions
664 reject_unauth_pipelining
665 # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
666 permit_mynetworks
667 permit_tls_clientcerts
668 permit_sasl_authenticated
669 reject_unauth_destination
670 # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
671 # ou quelqu'un pour lequel on tient lieu de backup_mx
672 check_policy_service inet:127.0.0.1:10023
673 # NOTE: Postgrey (greylisting)
674 check_policy_service unix:private/spfcheck
675 permit_auth_destination
676 # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné
677 # (voir permit_auth_destination) ; sans doute redondant
678 reject
679 #check_relay_domains <- removed from postfix
680 #reject_unknown_sender_domain
681 # aurait probablement été mieux dans smtpd_sender_restrictions
682 #reject_rbl_client bl.spamcop.net
683 #reject_rbl_client list.dsbl.org
684 #reject_rbl_client zen.spamhaus.org
685 #reject_rbl_client dnsbl.sorbs.net
686
687 smtpd_data_restrictions =
688 reject_unauth_pipelining
689 # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK
690 permit
691
692 #smtpd_end_of_data_restrictions =
693
694 #smtpd_restriction_classes =
695
696 smtpd_error_sleep_time = 5
697 # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes.
698
699 # SASL
700 smtpd_sasl_auth_enable = yes
701 smtpd_sasl_type = dovecot
702 smtpd_sasl_path = private/auth
703 smtpd_sasl_security_options = noanonymous
704 smtpd_sasl_domain = \$mydomain
705
706 # SMTPD TLS
707 smtpd_discard_ehlo_keywords = starttls
708 # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
709 # se mangent une erreur en tentant un starttls
710 smtpd_tls_fingerprint_digest = sha1
711 # sha512 ?
712 smtpd_tls_mandatory_protocols = TLSv1
713 smtpd_tls_mandatory_ciphers = high
714 smtpd_tls_ciphers = high
715 # restrictif. s/high/medium/ ?
716 smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
717 smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/
718 smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
719 smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem
720 ##
721 #smtpd_tls_received_header = no
722 smtpd_tls_session_cache_database =
723 btree:/var/lib/postfix/smtpd_tls_session_cache
724 #smtpd_tls_session_cache_timeout = 3600s
725 smtpd_tls_security_level = may
726 # Postfix 2.3 and later
727 # encrypt
728 # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
729 # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
730 # SMTP server. Instead, this option should be used only on dedicated servers.
731 smtpd_tls_loglevel = 1
732 smtpd_tls_ccert_verifydepth = 5
733 smtpd_tls_auth_only = yes
734 # Pas d'AUTH SASL sans TLS
735 smtpd_tls_ask_ccert = no
736 smtpd_tls_req_ccert = no
737 #smtpd_tls_always_issue_session_ids = yes
738 smtpd_peername_lookup = yes
739 # Nécessaire pour postgrey, etc
740 smtpd_milters =
741 non_smtpd_milters =
742 line_length_limit = 2048
743 queue_minfree = 0
744 message_size_limit = 20480000
745 #smtpd_enforce_tls # NOTE: obsolète
746 #smtpd_use_tls # NOTE: obsolète
747 #smtpd_tls_cipherlist # NOTE: obsolète
748
749 readme_directory = no
750 #delay_warning_time = 4h
751 # NOTE: uncomment the previous line to generate "delayed mail" warnings
752 #debug_peer_level = 4
753 #debug_peer_list = .\$myhostname
754 EOF
755 mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
756 auth_ssl_username_from_cert = yes
757 listen = *
758 log_timestamp = "%Y-%m-%d %H:%M:%S "
759 mail_debug = yes
760 mail_location = maildir:~/var/mail
761 mail_privileged_group = mail
762 passdb {
763 args = /home/%u/etc/dovecot/passwd
764 driver = passwd-file
765 }
766 protocols = imap
767 service auth {
768 unix_listener /var/spool/postfix/private/auth {
769 group = postfix
770 mode = 0660
771 user = postfix
772 }
773 user = root
774 }
775 ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
776 ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
777 ssl_cipher_list = AES256-SHA
778 ssl_key = </etc/dovecot/imap/tls/key.pem
779 ssl_verify_client_cert = yes
780 userdb {
781 driver = passwd
782 }
783 verbose_ssl = yes
784 protocol lda {
785 auth_socket_path = /var/run/dovecot/auth-master
786 hostname = $vm_domainname
787 info_log_path = /var/log/dovecot/lda/info.log
788 log_path = /var/log/dovecot/lda/error.log
789 mail_plugins = sieve
790 postmaster_address = contact+dovecot+lda@$vm_domainname
791 }
792 EOF
793 mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
794 EOF
795 }
796 rule_mail_install () {
797 sudo apt-get install postfix postgrey dovecot
798 }
799
800 rule=${1:-help}
801 ${1+shift}
802 case $rule in
803 (help);;
804 (*)
805 test "$(hostname --fqdn)" = "$vm_fqdn"
806 set "${TRACE:+-x}"
807 ;;
808 esac
809 rule_$rule "$@"
outils d'administration d'ateliers.heureux-cyclage.org