X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=blobdiff_plain;f=vm_hosted;h=cbc6776a254117a7392cce1fbec95579bb6ca526;hp=0f900aa91d0176c107fe079b0b2b06e50c6021c6;hb=f6488dca3163e1ca5870485351fdec671bec000f;hpb=ced74ab27db05f2203dc1c3d80ee6b0cf1dbc5d4

diff --git a/vm_hosted b/vm_hosted
index 0f900aa..cbc6776 100755
--- a/vm_hosted
+++ b/vm_hosted
@@ -38,12 +38,13 @@ rule_git_reset () {
  }
 
 rule_apt_get_install () { # SYNTAX: $package
-	case $(dpkg -s "$1" | grep '^Status: ') in
+	case $(dpkg -s "$1" 2>/dev/null | grep '^Status: ') in
 		("Status: install ok installed");;
 		(*)
 		test ! -x /usr/bin/etckeeper ||
-		assert 'sudo etckeeper unclean'
-		sudo apt-get "$@";;
+		! sudo etckeeper unclean ||
+		warn "/etc unclean: etckeeper may force you to \`etckeeper commit'; then you can run your $0 command again."
+		sudo apt-get install "$@";;
 	 esac
  }
 
@@ -92,7 +93,7 @@ rule_apticron_configure () {
 		EOF
  }
 rule_boot_configure () {
-	warn "attention Ã  n'installer GRUB sur AUCUN disque proposÃ© !"
+	warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposÃ© !"
 	rule apt_get_install grub-pc
 	sudo install -d -m 644 -u root -g root /boot/grub
 	rule apt_get_install linux-image-$vm_arch
@@ -112,6 +113,87 @@ rule_boot_configure () {
 	sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map
 	rule initramfs_configure
  }
+rule_dovecot_configure () {
+	rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve
+	local hint="run vm_remote dovecot_key_send before"
+	assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint
+	sudo install -m 400 -o root -g root \
+	     "$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \
+	 /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
+	sudo install -d -m 770 -o root -g adm \
+	 /etc/skel/etc/mail \
+	 /etc/skel/etc/sieve
+	sudo install -d -m 1777 -o root -g root \
+	 /var/lib/dovecot-control \
+	 /var/lib/dovecot-index
+	sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF
+		auth_ssl_username_from_cert = yes
+		listen = *
+		log_timestamp = "%Y-%m-%d %H:%M:%S "
+		mail_debug = yes
+		mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u
+		# NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc
+		# VOIR: http://wiki2.dovecot.org/Quota/FS
+		mail_plugins = \$mail_plugins quota
+		mail_privileged_group = mail
+		passdb {
+			args = /home/%u/etc/dovecot/passwd
+			driver = passwd-file
+		 }
+		plugin {
+			quota = fs:user
+			recipient_delimiter = +
+			sieve = ~/etc/mail/filter.sieve
+			sieve_dir = ~/etc/mail/sieve
+			sieve_global_dir = /var/lib/dovecot/sieve/global/
+			sieve_max_script_size = 1M
+			sieve_quota_max_scripts = 0
+			sieve_quota_max_storage = 10M
+			sieve_user_log = ~/var/log/mail/sieve.log
+		 }
+		protocol imap {
+			mail_plugins = \$mail_plugins imap_quota
+		 }
+		protocol lda {
+			auth_socket_path = /var/run/dovecot/auth-master
+			hostname = $vm_domainname
+			info_log_path =
+			log_path =
+			mail_plugins = \$mail_plugins sieve
+			postmaster_address = contact+dovecot+lda@$vm_domainname
+			syslog_facility = mail
+		 }
+		protocols = imap sieve
+		service auth {
+			user = root
+			unix_listener /var/spool/postfix/private/auth {
+				mode  = 0660
+				user  = postfix
+				group = postfix
+			 }
+		 }
+		ssl_ca = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
+		ssl_cert = </etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem
+		ssl_cipher_list = AES256-SHA
+		ssl_key = </etc/dovecot/$vm_domainname/imap/x509/key.pem
+		ssl_verify_client_cert = yes
+		userdb {
+			driver = passwd
+		 }
+		verbose_ssl = no
+		EOF
+	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/dovecot-passwd <<-EOF
+		#!/bin/sh -efux
+		# DESCRIPTION: permet Ã  un-e utilisateurice d'initialiser ellui-mÃªme son mot-de-passe dovecot.
+		install -d -m 770 ~/etc/dovecot
+		install -m 640 /dev/stdin ~/etc/dovecot/passwd <<_EOF
+		\$USER:\$(/usr/bin/doveadm pw -s SHA512-CRYPT):::::::
+		_EOF
+		EOF
+	sudo install -m 664 -o root -g root /dev/stdin /etc/postgrey/whitelist_recipients.local <<-EOF
+		EOF
+	sudo service dovecot restart
+ }
 rule_etckeeper_configure () {
 	sudo install -m 644 -u root -g root /dev/stdin /etc/etckeeper/etckeeper.conf <<-EOF
 		VCS=git
@@ -310,6 +392,111 @@ rule_login_configure () {
 		session optional pam_umask.so
 		EOF
  }
+rule_procmail_configure () {
+	rule apt_get_install procmail
+	sudo install -d -m 770 -o root -g adm \
+	 /etc/skel/etc/mail \
+	 /etc/skel/var/cache/mail \
+	 /etc/skel/var/log/mail \
+	 /etc/skel/var/mail
+	sudo install -m 660 -o root -g adm \
+	 "$tool"/etc/skel/etc/mail/delivery.procmailrc \
+	        /etc/skel/etc/mail/delivery.procmailrc
+ }
+rule_postgrey_configure () {
+	rule apt_get_install postgrey
+	sudo service postgrey restart
+ }
+rule_postfix_configure () {
+	local hint="run vm_remote postfix_key_send before"
+	assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint
+	warn "lors de l'installation Debian, ne sÃ©lectionner aucune configuration pour postfix"
+	rule apt_get_install postfix
+	sudo install -d -m 770 -o root -g root \
+	 /etc/postfix/$vm_domainname/ \
+	 /etc/postfix/$vm_domainname/smtp \
+	 /etc/postfix/$vm_domainname/smtp/x509 \
+	 /etc/postfix/$vm_domainname/smtp/x509/ca \
+	 /etc/postfix/$vm_domainname/smtpd \
+	 /etc/postfix/$vm_domainname/smtpd/x509 \
+	 /etc/postfix/$vm_domainname/smtpd/x509/ca
+	sudo install -d -m 770 -o root -g root \
+	 /etc/postfix/$vm_domainname/ \
+	 /etc/postfix/$vm_domainname/smtp \
+	 /etc/postfix/$vm_domainname/smtp/x509 \
+	 /etc/postfix/$vm_domainname/smtp/x509/ca \
+	 /etc/postfix/$vm_domainname/smtpd \
+	 /etc/postfix/$vm_domainname/smtpd/x509 \
+	 /etc/postfix/$vm_domainname/smtpd/x509/ca
+	sudo ln -fns \
+	 ../crt+crl.self-signed.pem \
+	 /etc/postfix/$vm_domainname/smtpd/x509/ca/crt.pem
+	sudo install -m 400 -o root -g root \
+	           var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
+	 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
+	sudo install -m 400 -o root -g root \
+	           var/pub/x509/service/smtpd/crt.pem \
+	 /etc/postfix/$vm_domainname/smtpd/x509/crt.pem
+	sudo install -m 400 -o root -g root \
+	     var/pub/x509/service/smtpd/crt+root.pem \
+	 /etc/postfix/$vm_domainname/smtpd/x509/crt+root.pem
+	sudo install -m 400 -o root -g root \
+	           var/pub/x509/service/smtpd/crt+crl.self-signed.pem \
+	 /etc/postfix/$vm_domainname/smtpd/x509/crt+crl.self-signed.pem
+	sudo install -m 660 -o root -g root \
+	  etc/postfix/$vm_domainname/header_checks \
+	 /etc/postfix/$vm_domainname/header_checks
+	sudo install -m 664 -o root -g root \
+	  etc/aliases \
+	 /etc/aliases
+	sudo newaliases
+	cat /dev/stdin etc/postfix/main.cf <<-EOF |
+		mydomain      = $vm_domainname
+		myorigin      = \$mydomain
+		myhostname    = $vm_hostname.\$mydomain
+		mail_name     = \$myhostname
+		mydestination = $vm_hostname \$myhostname \$myorigin
+		EOF
+	sudo install -m 664 -o root -g root /dev/stdin \
+	 /etc/postfix/main.cf
+	sudo install -m 664 -o root -g root \
+	  etc/postfix/master.cf \
+	 /etc/postfix/master.cf
+	sudo install -m 660 -o root -g root \
+	  etc/postfix/$vm_domainname/smtp/x509/policy \
+	 /etc/postfix/$vm_domainname/smtp/x509/policy
+	sudo postmap hash:/etc/postfix/$vm_domainname/smtp/x509/policy
+	sudo install -m 660 -o root -g root \
+	  etc/postfix/$vm_domainname/smtp/header_checks \
+	 /etc/postfix/$vm_domainname/smtp/header_checks
+	sudo install -m 660 -o root -g root \
+	  etc/postfix/$vm_domainname/smtpd/sender_access \
+	 /etc/postfix/$vm_domainname/smtpd/sender_access
+	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/sender_access
+	sudo install -m 660 -o root -g root \
+	  etc/postfix/$vm_domainname/smtpd/client_blacklist \
+	 /etc/postfix/$vm_domainname/smtpd/client_blacklist
+	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/client_blacklist
+	sudo install -m 660 -o root -g root \
+	  etc/postfix/$vm_domainname/smtpd/relay_clientcerts \
+	 /etc/postfix/$vm_domainname/smtpd/relay_clientcerts
+	sudo postmap hash:/etc/postfix/$vm_domainname/smtpd/relay_clientcerts
+	sudo install -m 660 -o root -g root \
+	  etc/postfix/$vm_domainname/transport \
+	 /etc/postfix/$vm_domainname/transport
+	sudo postmap hash:/etc/postfix/$vm_domainname/transport
+	sudo install -m 660 -o root -g root \
+	  etc/postfix/$vm_domainname/virtual_alias \
+	 /etc/postfix/$vm_domainname/virtual_alias
+	sudo postmap hash:/etc/postfix/$vm_domainname/virtual_alias
+	sudo service postfix restart
+ }
+rule_mail_configure () {
+	rule postfix_configure
+	rule postgrey_configure
+	rule procmail_configure
+	rule dovecot_configure
+ }
 rule_network_configure () {
 	sudo install -m 644 -u root -g root /dev/stdin /etc/hostname <<-EOF
 		$vm
@@ -413,7 +600,40 @@ rule_user_configure () {
 		UsePAM yes
 		EOF
 	sudo service ssh restart
-	sudo install -m 640 -u root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
+ }
+rule_user_admin_add () { # SYNTAX: $user
+	local user=$1
+	id "$user" >/dev/null ||
+	sudo adduser --disabled-password "$user"
+		# NOTE: le mot-de-passe doit Ãªtre initialisÃ© par l'utilisateur Ã  l'aide de passwd-init .
+	eval local home\; home="~$user"
+	sudo adduser "$user" sudo
+	sudo install -m 640 -o root -g root \
+	 "$tool"/var/pub/ssh/"$user".key \
+	 "$home"/etc/ssh/authorized_keys
+	local key; local -; set +f
+	for key in "$tool"/var/pub/openpgp/*.key
+	 do sudo -u "$user" gpg --import "$key"
+	 done
+	rule user_admin_configure
+ }
+rule_user_admin_configure () {
+	rule initramfs_configure
+	rule user_root_configure
+ }
+rule_user_configure () {
+	sudo install -d -m 750 -o root -g adm \
+	 /etc/skel/etc \
+	 /etc/skel/etc/ssh
+	sudo install -d -m 770 -o root -g adm \
+	 /etc/skel/etc/apache2 \
+	 /etc/skel/var \
+	 /etc/skel/var/log \
+	 /etc/skel/var/cache \
+	 /etc/skel/var/cache/ssh
+	sudo ln -fns etc/ssh /etc/skel/.ssh
+	sudo ln -fns etc/gpg /etc/skel/.gnupg
+	sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF
 		%sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\
 		  case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\
 		    ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac
@@ -430,7 +650,7 @@ rule_user_configure () {
 		  GIT_COMMITTER_EMAIL \\
 		 "
 		EOF
-	sudo install -m 755 -u root -g root /dev/stdin /usr/local/sbin/passwd-init <<-EOF
+	sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF
 		#!/bin/sh -efu
 		# DESCRIPTION: permet Ã  un-e utilisateurice d'initialiser ellui-mÃªme son mot-de-passe systÃ¨me.
 		sudo /bin/sh -e -f -u -c \
@@ -479,391 +699,6 @@ rule_luks_key_change () {
 	sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root
  }
 
-rule_user_admin_configure () {
-	rule initramfs_configure
-	rule user_root_configure
- }
-rule_user_admin_add () { # SYNTAX: $user
-	local user=$1
-	id "$user" >/dev/null ||
-	sudo adduser --disabled-password "$user"
-		# NOTE: le mot-de-passe doit Ãªtre initialisÃ© par l'utilisateur Ã  l'aide de passwd-init .
-	eval local home\; home="~$user"
-	sudo adduser "$user" sudo
-	sudo install -m 640 -u root -g root \
-	 "$tool"/var/pub/ssh/"$user".key \
-	 "$home"/etc/ssh/authorized_keys
-	local key; local -; set +f
-	for key in "$tool"/var/pub/openpgp/*.key
-	 do sudo -u "$user" gpg --import "$key"
-	 done
-	rule user_admin_configure
- }
-rule_user_mail_format () {
-	mk_dir mod=770 own=root:adm /etc/skel/etc/procmail
-	mk_dir mod=770 own=root:adm /etc/skel/var/mail
-	mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail
-	mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF
-		# vim: ft=procmail
-		
-		# NOTE: paramÃ¨tres passÃ©s par postfix
-		SENDER=\$1
-		RECIPIENT=\$2
-		USER=\$3
-		EXTENSION=\$4
-		DOMAIN=\$5
-		ORIGINAL_RECIPIENT=\$6
-		
-		PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin"
-		MAILDIR="\$HOME/var/mail/"
-		DEFAULT="\$MAILDIR"
-		#LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"`
-		LOGFILE="/dev/null"
-		LOGABSTRACT=all
-		LOGABSTRACT
-		VERBOSE
-		SHELL=/bin/sh
-		SHELLMETAS=&|<>~;?*%{}
-		
-		# DESCRIPTION: supprime les doublons en fonction du champ Message-Id
-		#:0 Wh:            "\$HOME/var/cache/procmail/msgid\$LOCKEXT"
-		#| formail -D 8192 "\$HOME/var/cache/procmail/msgid"
-		
-		# DESCRIPTION: fait suivre Ã  l'adresse configurÃ©e dans /etc/passwd ; on peut aussi utiliser ~/.forward
-		EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"`
-		 # NOTE: rÃ©cupÃ¨re lâadresse courriel dans le champ GECOS
-		FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'`
-		 # NOTE: rÃ©cupÃ¨re lâexpÃ©diteur inscrit sur lâenveloppe
-		:0
-		| \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}"
-		
-		# DESCRIPTION: IMAP
-		#:0
-		#| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT"
-		
-		# DESCRIPTION: UUCP
-		#:0
-		#| /usr/bin/uux \
-		# -I "\$HOME/etc/uucp/uucp.cfg" \
-		# --nouucico \
-		# --notification=error \
-		# --requestor "\$USER" \
-		# - "\$USER!rmail" "(\$USER)"
-		EOF
-	mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF
-		# /etc/postfix/main.cf
-		# SEE: http://postfix.traduc.org/index.php/TLS_README.html
-		
-		parent_domain_matches_subdomains =
-		        #debug_peer_list
-		        #fast_flush_domains
-		        #mynetworks
-		        #permit_mx_backup_networks
-		        #qmqpd_authorized_clients
-		        #smtpd_access_maps
-		mydomain                         = $vm_domainname
-		myorigin                         = \$mydomain
-		myhostname                       = $vm_hostname.\$mydomain
-		mail_name                        = \$myhostname
-		mydestination                    =
-		        $vm_hostname
-		        \$myhostname
-		        \$myorigin
-		mynetworks                       =
-		        127.0.0.0/8
-		        #[::1]/128
-		inet_protocols = ipv4
-		        # "all" to activate IPv6
-		inet_interfaces                  = all
-		permit_mx_backup_networks        =
-		
-		alias_database         =
-		        hash:/etc/aliases
-		        # NOTE: fichier de hash contenant une table dâalias mail.
-		        #       Celle-ci est Ã©ditable dans /etc/aliases, puis (indispensable)
-		        #       regÃ©nÃ©rÃ©e en hash grÃ¢ce Ã  la commande newaliases qui produit /etc/aliases.db
-		alias_maps             =
-		        hash:/etc/aliases
-		recipient_delimiter    = +
-		        # NOTE: sÃ©parateur entre le nom dâutilisateur
-		        #       et les extensions dâadresse (par dÃ©faut le signe +).
-		#virtual_alias_domains  =
-		virtual_alias_maps     =
-		        hash:/etc/postfix/\$mydomain/virtual
-		        # NOTE: do not specify virtual alias domain names in  the  main.cf
-		        #       mydestination or relay_domains configuration parameters.
-		        #
-		        # With  a  virtual  alias  domain,  the  Postfix SMTP server
-		        # accepts  mail  for  known-user@virtual-alias.domain,   and
-		        # rejects   mail  for  unknown-user@virtual-alias.domain  as
-		        # undeliverable.
-		#relayhost              =
-		relay_clientcerts      =
-		        hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts
-		relay_domains          =
-		        \$mydestination
-		                # NOTE: ajouter les domaines pour lesquels on est backup MX ici,
-		                #       pas dans mydestination ou virtual_alias...
-		
-		maximal_queue_lifetime = 5d
-		
-		header_checks        =
-		        regexp:/etc/postfix/\$mydomain/header_checks
-		mime_header_checks   =
-		nested_header_checks =
-		milter_header_checks =
-		body_checks          =
-		
-		#content_filter               = amavisfeed:[127.0.0.1]:10024
-		#receive_override_options     = no_address_mappings
-		        # no_unknown_recipient_checks
-		        #         Do not try to reject unknown recipients (SMTP server only).
-		        #         This is typically specified AFTER an external content filter.
-		        # no_address_mappings
-		        #         Disable canonical address mapping, virtual alias map expansion,
-		        #         address masquerading, and automatic BCC (blind carbon-copy) recipients.
-		        #         This is typically specified BEFORE an external content filter (eg. amavis).
-		        # no_header_body_checks
-		        #         Disable header/body_checks. This is typically specified AFTER an external content filter.
-		        # no_milters
-		        #         Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.
-		#local_header_rewrite_clients =
-		transport_maps                =
-		        hash:/etc/postfix/\$mydomain/transport_maps
-		mailbox_command               =
-		        /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc"
-		mailbox_size_limit            = 0
-		biff                          = no
-		        # Activer la notification en cas de rÃ©ception de nouveaux e-mails dans la console (yes / no).
-		append_dot_mydomain           = no
-		        # appending .domain is the MUA's job.
-		
-		#tls_random_source             =
-		#       dev:/dev/urandom
-		        # Non-blocking
-		#tls_random_reseed_period      = 3600s
-		#tls_random_exchange_name      =
-		#       \${data_directory}/prng_exch
-		        # NOTE: Ã  ne pas mettre dans la cage chroot
-		#tls_random_bytes              = 32
-		#tls_random_prng_update_period = 3600s
-		#tls_high_cipherlist           = AES256-SHA
-		        # NOTE: postconf(5) dÃ©conseille de changer ceci
-		
-		#smtp_cname_overrides_servername = no
-		smtp_connect_timeout            = 60s
-		#smtp_tls_CAfile                 = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem
-		#smtp_tls_CApath                 = /etc/postfix/\$mydomain/smtp/tls/ca/
-		#smtp_tls_cert_file              = /etc/postfix/\$mydomain/smtp/tls/crt.pem
-		#smtp_tls_key_file               = /etc/postfix/\$mydomain/smtp/tls/key.pem
-		#smtp_tls_per_site               = hash:/etc/postfix/\$mydomain/smtp/tls/per_site
-		        # NOTE: dÃ©prÃ©ciÃ© en faveur de smtp_tls_policy_maps
-		smtp_tls_policy_maps            = hash:/etc/postfix/\$mydomain/smtp/tls/policy
-		smtp_tls_fingerprint_digest     = sha1
-		smtp_tls_scert_verifydepth      = 5
-		#smtp_tls_secure_cert_match      = nexthop, dot-nexthop
-		#smtp_tls_verify_cert_match      = hostname
-		#smtp_tls_note_starttls_offer    = yes
-		smtp_tls_loglevel               = 1
-		smtp_tls_protocols              = !SSLv2, !SSLv3
-		        # Only allow TLSv*
-		smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
-		#smtp_tls_session_cache_timeout  = 3600s
-		smtp_tls_security_level         = may
-		smtp_header_checks              = regexp:/etc/postfix/\$mydomain/smtp/header_checks
-		smtp_body_checks                =
-		smtp_mime_header_checks         =
-		smtp_nested_header_checks       =
-		
-		smtpd_starttls_timeout                  = 300s
-		smtpd_banner                            =
-		 \$myhostname ESMTP \$mail_name (Debian/GNU)
-		
-		# Restrictions
-		smtpd_helo_required             = yes
-		strict_rfc821_envelopes         = yes
-		smtpd_authorized_xclient_hosts  = 127.0.0.1
-		        # NOTE: utile pour tester les restrictions
-		
-		smtpd_helo_restrictions         =
-		        reject_invalid_helo_hostname
-		        reject_non_fqdn_helo_hostname
-		        #reject_unknown_helo_hostname
-		                # NOTE: pourrait pourtant Ãªtre utile pour lutter contre le spam
-		        permit
-		
-		smtpd_sender_restrictions       =
-		        permit_mynetworks
-		        permit_tls_clientcerts
-		        permit_sasl_authenticated
-		        check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access
-		        check_sender_access hash:/etc/postfix/sender_blacklist
-		        reject_unauth_pipelining
-		        reject_non_fqdn_sender
-		        #reject_unknown_sender_domain
-		                # NOTE: temporaire
-		        permit
-		
-		smtpd_client_new_tls_session_rate_limit = 0
-		smtpd_client_event_limit_exceptions     = \$mynetworks
-		smtpd_client_recipient_rate_limit       = 0
-		smtpd_client_connection_count_limit     = 50
-		smtpd_client_connection_rate_limit      = 0
-		smtpd_client_message_rate_limit         = 0
-		smtpd_client_port_logging               = no
-		
-		smtpd_client_restrictions               =
-		        check_client_access hash:/etc/postfix/client_blacklist
-		
-		policy_time_limit                       = 3600
-		default_extra_recipient_limit           = 5000
-		duplicate_filter_limit                  = 5000
-		smtpd_recipient_limit                   = 5000
-		smtpd_recipient_overshoot_limit         = 5000
-		smtpd_recipient_restrictions            =
-		        reject_non_fqdn_recipient
-		        #reject_invalid_hostname
-		                # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname
-		                #       dans smtpd_helo_restrictions
-		        reject_unknown_recipient_domain
-		        #reject_non_fqdn_sender
-		                # NOTE: dans smtpd_sender_restrictions
-		        reject_unauth_pipelining
-		                # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions
-		        permit_mynetworks
-		        permit_tls_clientcerts
-		        permit_sasl_authenticated
-		        reject_unauth_destination
-		                # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous
-		                #       ou quelqu'un pour lequel on tient lieu de backup_mx
-		        check_policy_service inet:127.0.0.1:10023
-		                # NOTE: Postgrey (greylisting)
-		        check_policy_service unix:private/spfcheck
-		        permit_auth_destination
-		                # NOTE: une fois Postgrey passÃ©, on accepte ce qui nous est destinÃ©
-		                #       (voir permit_auth_destination) ; sans doute redondant
-		        reject
-		        #check_relay_domains <- removed from postfix
-		        #reject_unknown_sender_domain
-		                # aurait probablement Ã©tÃ© mieux dans smtpd_sender_restrictions
-		        #reject_rbl_client bl.spamcop.net
-		        #reject_rbl_client list.dsbl.org
-		        #reject_rbl_client zen.spamhaus.org
-		        #reject_rbl_client dnsbl.sorbs.net
-		
-		smtpd_data_restrictions                 =
-		        reject_unauth_pipelining
-		                # NOTE: obliger le serveur en face Ã  attendre qu'on lui aie dit OK
-		        permit
-		
-		#smtpd_end_of_data_restrictions          =
-		
-		#smtpd_restriction_classes               =
-		
-		smtpd_error_sleep_time                  = 5
-		        # NOTE: forcer quelqu'un qui nous embÃªte Ã  attendre cinq secondes.
-		
-		# SASL
-		smtpd_sasl_auth_enable                  = yes
-		smtpd_sasl_type                         = dovecot
-		smtpd_sasl_path                         = private/auth
-		smtpd_sasl_security_options             = noanonymous
-		smtpd_sasl_domain                       = \$mydomain
-		
-		# SMTPD TLS
-		smtpd_discard_ehlo_keywords             = starttls
-		        # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste
-		        #       se mangent une erreur en tentant un starttls
-		smtpd_tls_fingerprint_digest            = sha1
-		        # sha512 ?
-		smtpd_tls_mandatory_protocols           = TLSv1
-		smtpd_tls_mandatory_ciphers             = high
-		smtpd_tls_ciphers                       = high
-		        # restrictif. s/high/medium/ ?
-		smtpd_tls_CAfile                        = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem
-		smtpd_tls_CApath                        = /etc/postfix/\$mydomain/smtpd/tls/ca/
-		smtpd_tls_cert_file                     = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem
-		smtpd_tls_key_file                      = /etc/postfix/\$mydomain/smtpd/tls/key.pem
-		##
-		#smtpd_tls_received_header               = no
-		smtpd_tls_session_cache_database        =
-		        btree:/var/lib/postfix/smtpd_tls_session_cache
-		#smtpd_tls_session_cache_timeout         = 3600s
-		smtpd_tls_security_level                = may
-		        # Postfix 2.3 and later
-		        # encrypt
-		        #  Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS
-		        #  encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced
-		        #  SMTP server. Instead, this option should be used only on dedicated servers.
-		smtpd_tls_loglevel                      = 1
-		smtpd_tls_ccert_verifydepth             = 5
-		smtpd_tls_auth_only                     = yes
-		        # Pas d'AUTH SASL sans TLS
-		smtpd_tls_ask_ccert                     = no
-		smtpd_tls_req_ccert                     = no
-		#smtpd_tls_always_issue_session_ids      = yes
-		smtpd_peername_lookup                   = yes
-		        # NÃ©cessaire pour postgrey, etc
-		smtpd_milters                           =
-		non_smtpd_milters                       =
-		line_length_limit                       = 2048
-		queue_minfree                           = 0
-		message_size_limit                      = 20480000
-		#smtpd_enforce_tls    # NOTE: obsolÃ¨te
-		#smtpd_use_tls        # NOTE: obsolÃ¨te
-		#smtpd_tls_cipherlist # NOTE: obsolÃ¨te
-		
-		readme_directory   = no
-		#delay_warning_time = 4h
-		        # NOTE: uncomment the previous line to generate "delayed mail" warnings
-		#debug_peer_level   = 4
-		#debug_peer_list    = .\$myhostname
-		EOF
-	mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF
-		auth_ssl_username_from_cert = yes
-		listen = *
-		log_timestamp = "%Y-%m-%d %H:%M:%S "
-		mail_debug = yes
-		mail_location = maildir:~/var/mail
-		mail_privileged_group = mail
-		passdb {
-		  args = /home/%u/etc/dovecot/passwd
-		  driver = passwd-file
-		}
-		protocols = imap
-		service auth {
-		  unix_listener /var/spool/postfix/private/auth {
-		    group = postfix
-		    mode = 0660
-		    user = postfix
-		  }
-		  user = root
-		}
-		ssl_ca = </etc/dovecot/imap/tls/crt+crl.slf.pem
-		ssl_cert = </etc/dovecot/imap/tls/crt+crl.slf.pem
-		ssl_cipher_list = AES256-SHA
-		ssl_key = </etc/dovecot/imap/tls/key.pem
-		ssl_verify_client_cert = yes
-		userdb {
-		  driver = passwd
-		}
-		verbose_ssl = yes
-		protocol lda {
-		  auth_socket_path = /var/run/dovecot/auth-master
-		  hostname = $vm_domainname
-		  info_log_path = /var/log/dovecot/lda/info.log
-		  log_path = /var/log/dovecot/lda/error.log
-		  mail_plugins = sieve
-		  postmaster_address = contact+dovecot+lda@$vm_domainname
-		}
-		EOF
-	mk_reg mod=664 own=root:root /etc/postgrey/whitelist_recipients.local <<-EOF
-		EOF
- }
-rule_mail_configure () {
-	sudo apt-get install postfix postgrey dovecot
- }
-
 rule=${1:-help}
 ${1+shift}
 case $rule in