From: Julien Moutinho Date: Fri, 22 Feb 2013 17:28:11 +0000 (+0100) Subject: Ajout : rule_mail_configure . X-Git-Url: https://git.cyclocoop.org/?p=lhc%2Fateliers.git;a=commitdiff_plain;h=f6488dca3163e1ca5870485351fdec671bec000f Ajout : rule_mail_configure . --- diff --git a/etc/aliases b/etc/aliases new file mode 100644 index 0000000..5aa17d0 --- /dev/null +++ b/etc/aliases @@ -0,0 +1,6 @@ +# See man 5 aliases for format +abuse: root +admin: root +contact: root +postmaster: root +root: julm lchevalier diff --git a/etc/dovecot/local.conf b/etc/dovecot/local.conf new file mode 100644 index 0000000..e69de29 diff --git a/etc/postfix/heureux-cyclage.org/header_checks b/etc/postfix/heureux-cyclage.org/header_checks new file mode 100644 index 0000000..e69de29 diff --git a/etc/postfix/heureux-cyclage.org/smtp/header_checks b/etc/postfix/heureux-cyclage.org/smtp/header_checks new file mode 100644 index 0000000..e69de29 diff --git a/etc/postfix/heureux-cyclage.org/smtp/policy b/etc/postfix/heureux-cyclage.org/smtp/policy new file mode 100644 index 0000000..e69de29 diff --git a/etc/postfix/heureux-cyclage.org/smtp/x509/policy b/etc/postfix/heureux-cyclage.org/smtp/x509/policy new file mode 100644 index 0000000..e69de29 diff --git a/etc/postfix/heureux-cyclage.org/smtpd/client_blacklist b/etc/postfix/heureux-cyclage.org/smtpd/client_blacklist new file mode 100644 index 0000000..e69de29 diff --git a/etc/postfix/heureux-cyclage.org/smtpd/relay_clientcerts b/etc/postfix/heureux-cyclage.org/smtpd/relay_clientcerts new file mode 100644 index 0000000..e69de29 diff --git a/etc/postfix/heureux-cyclage.org/smtpd/sender_access b/etc/postfix/heureux-cyclage.org/smtpd/sender_access new file mode 100644 index 0000000..e69de29 diff --git a/etc/postfix/heureux-cyclage.org/transport b/etc/postfix/heureux-cyclage.org/transport new file mode 100644 index 0000000..4255565 --- /dev/null +++ b/etc/postfix/heureux-cyclage.org/transport @@ -0,0 +1 @@ +ludovic.chevalier@heureux-cyclage.org smtp:[mx.lautre.net] diff --git a/etc/postfix/heureux-cyclage.org/virtual_alias b/etc/postfix/heureux-cyclage.org/virtual_alias new file mode 100644 index 0000000..e69de29 diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf new file mode 100644 index 0000000..3dac1ee --- /dev/null +++ b/etc/postfix/main.cf @@ -0,0 +1,205 @@ +# DOC: http://postfix.traduc.org/index.php/TLS_README.html + +alias_database = hash:/etc/aliases + # NOTE: fichier de hash contenant une table d’alias mail. + # Celle-ci est éditable dans /etc/aliases, puis (indispensable) + # regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db +alias_maps = hash:/etc/aliases +append_dot_mydomain = no + # NOTE: appending .domain is the MUA's job. +biff = no + # NOTE: pas de notification dans la console en cas de réception de nouveaux courriels. +body_checks = +#content_filter = amavisfeed:[127.0.0.1]:10024 +#debug_peer_level = 4 +#debug_peer_list = .$myhostname +default_extra_recipient_limit = 5000 +#delay_warning_time = 4h + # NOTE: uncomment the previous line to generate "delayed mail" warnings +duplicate_filter_limit = 5000 +forward_path = $home/etc/mail/forward${recipient_delimiter}${extension}, $home/etc/mail/forward +header_checks = regexp:/etc/postfix/$mydomain/header_checks +inet_interfaces = all +inet_protocols = ipv4 + # NOTE: "all" to activate IPv6 +line_length_limit = 2048 +#local_header_rewrite_clients = +mailbox_command = /usr/bin/procmail -t -a "$SENDER" -a "$RECIPIENT" -a "$USER" -a "$EXTENSION" -a "$DOMAIN" -a "$ORIGINAL_RECIPIENT" "$HOME/etc/mail/delivery.procmailrc" +mailbox_size_limit = 0 +maximal_queue_lifetime = 5d +message_size_limit = 20480000 +mime_header_checks = +milter_header_checks = +mynetworks = 127.0.0.0/8 #, [::1]/128 +non_smtpd_milters = +nested_header_checks = +parent_domain_matches_subdomains = + #debug_peer_list + #fast_flush_domains + #mynetworks + #permit_mx_backup_networks + #qmqpd_authorized_clients + #smtpd_access_maps +permit_mx_backup_networks = +propagate_unmatched_extensions = canonical, virtual +queue_minfree = 0 +readme_directory = no +#receive_override_options = no_address_mappings + # no_unknown_recipient_checks + # Do not try to reject unknown recipients (SMTP server only). + # This is typically specified AFTER an external content filter. + # no_address_mappings + # Disable canonical address mapping, virtual alias map expansion, + # address masquerading, and automatic BCC (blind carbon-copy) recipients. + # This is typically specified BEFORE an external content filter (eg. amavis). + # no_header_body_checks + # Disable header/body_checks. This is typically specified AFTER an external content filter. + # no_milters + # Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter. +recipient_delimiter = + + # NOTE: séparateur entre le nom d’utilisateur et les extensions d’adresse. +#relayhost = +relay_clientcerts = hash:/etc/postfix/$mydomain/smtpd/relay_clientcerts +relay_domains = $mydestination + # NOTE: ajouter les domaines pour lesquels on est backup MX ici, pas dans mydestination ou virtual_alias... +smtp_body_checks = +#smtp_cname_overrides_servername = no +smtp_connect_timeout = 60s +smtp_header_checks = regexp:/etc/postfix/$mydomain/smtp/header_checks +smtp_mime_header_checks = +smtp_nested_header_checks = +#smtp_tls_CAfile = /etc/postfix/$mydomain/smtp/x509/ca/crt.pem +#smtp_tls_CApath = /etc/postfix/$mydomain/smtp/x509/ca/ +#smtp_tls_cert_file = /etc/postfix/$mydomain/smtp/x509/crt.pem +smtp_tls_fingerprint_digest = sha1 +#smtp_tls_key_file = /etc/postfix/$mydomain/smtp/x509/key.pem +smtp_tls_loglevel = 1 +#smtp_tls_note_starttls_offer = yes +smtp_tls_policy_maps = hash:/etc/postfix/$mydomain/smtp/x509/policy +smtp_tls_protocols = !SSLv2, !SSLv3 + # NOTE: only allow TLSv* +smtp_tls_scert_verifydepth = 5 +#smtp_tls_secure_cert_match = nexthop, dot-nexthop +smtp_tls_security_level = may +smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache +#smtp_tls_session_cache_timeout = 3600s +#smtp_tls_verify_cert_match = hostname +smtpd_authorized_xclient_hosts = 127.0.0.1 + # NOTE: utile pour tester les restrictions +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +smtpd_client_connection_count_limit = 50 +smtpd_client_connection_rate_limit = 0 +smtpd_client_event_limit_exceptions = $mynetworks +smtpd_client_message_rate_limit = 0 +smtpd_client_new_tls_session_rate_limit = 0 +smtpd_client_port_logging = no +smtpd_client_recipient_rate_limit = 0 +smtpd_client_restrictions = + check_client_access hash:/etc/postfix/$mydomain/smtpd/client_blacklist +smtpd_data_restrictions = + reject_unauth_pipelining + # NOTE: oblige le client smtp en face à attendre qu'on lui aie dit OK + permit +smtpd_discard_ehlo_keywords = starttls + # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste se mangent une erreur en tentant un starttls +#smtpd_end_of_data_restrictions = +smtpd_error_sleep_time = 5 + # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes. +smtpd_helo_required = yes +smtpd_helo_restrictions = + reject_invalid_helo_hostname + reject_non_fqdn_helo_hostname + #reject_unknown_helo_hostname + # NOTE: pourrait pourtant être utile pour lutter contre le spam + permit +smtpd_milters = +smtpd_peername_lookup = yes + # NOTE: nécessaire pour postgrey +smtpd_recipient_limit = 5000 +smtpd_recipient_overshoot_limit = 5000 +smtpd_recipient_restrictions = + reject_non_fqdn_recipient + #reject_invalid_hostname + # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname dans smtpd_helo_restrictions + reject_unknown_recipient_domain + #reject_non_fqdn_sender + # NOTE: dans smtpd_sender_restrictions + reject_unauth_pipelining + # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions + permit_mynetworks + permit_tls_clientcerts + permit_sasl_authenticated + reject_unauth_destination + # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous ou quelqu'un pour lequel on tient lieu de backup_mx + check_policy_service inet:127.0.0.1:10023 + # NOTE: Postgrey (greylisting) + check_policy_service unix:private/spfcheck + permit_auth_destination + # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné (voir permit_auth_destination) ; sans doute redondant + reject + #reject_unknown_sender_domain + # NOTE: probablement mieux dans smtpd_sender_restrictions + #reject_rbl_client bl.spamcop.net + #reject_rbl_client list.dsbl.org + #reject_rbl_client zen.spamhaus.org + #reject_rbl_client dnsbl.sorbs.net +#smtpd_restriction_classes = +smtpd_sasl_auth_enable = yes +smtpd_sasl_path = private/auth +smtpd_sasl_security_options = noanonymous +smtpd_sasl_type = dovecot +smtpd_sender_restrictions = + permit_mynetworks + permit_tls_clientcerts + permit_sasl_authenticated + check_sender_access hash:/etc/postfix/$mydomain/smtpd/sender_access + reject_unauth_pipelining + reject_non_fqdn_sender + #reject_unknown_sender_domain + permit +smtpd_starttls_timeout = 300s +#smtpd_tls_always_issue_session_ids = yes +smtpd_tls_CAfile = /etc/postfix/$mydomain/x509/smtpd/ca/crt.pem +smtpd_tls_CApath = /etc/postfix/$mydomain/x509/smtpd/ca/ +smtpd_tls_ask_ccert = no +smtpd_tls_auth_only = yes + # NOTE: pas d'AUTH SASL sans TLS +smtpd_tls_ccert_verifydepth = 5 +smtpd_tls_cert_file = /etc/postfix/$mydomain/x509/smtpd/crt+crl.self-signed.pem +smtpd_tls_ciphers = high +smtpd_tls_fingerprint_digest = sha512 +smtpd_tls_key_file = /etc/postfix/$mydomain/x509/smtpd/key.pem +smtpd_tls_loglevel = 1 +smtpd_tls_mandatory_ciphers = high +smtpd_tls_mandatory_protocols = TLSv1 +#smtpd_tls_received_header = no +smtpd_tls_req_ccert = no +smtpd_tls_security_level = may + # Postfix 2.3 and later + # encrypt + # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS + # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced + # SMTP server. Instead, this option should be used only on dedicated servers. +smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache +#smtpd_tls_session_cache_timeout = 3600s +strict_rfc821_envelopes = yes +#tls_high_cipherlist = AES256-SHA + # NOTE: postconf(5) déconseille de changer ceci +#tls_random_bytes = 32 +#tls_random_exchange_name = ${data_directory}/prng_exch + # NOTE: à ne pas mettre dans la cage chroot +#tls_random_prng_update_period = 3600s +#tls_random_reseed_period = 3600s +#tls_random_source = dev:/dev/urandom + # NOTE: non-blocking +transport_maps = hash:/etc/postfix/$mydomain/transport +#virtual_alias_domains = +virtual_alias_maps = + hash:/etc/postfix/$mydomain/virtual_alias + # NOTE: do not specify virtual alias domain names in the main.cf + # mydestination or relay_domains configuration parameters. + # + # With a virtual alias domain, the Postfix SMTP server + # accepts mail for known-user@virtual-alias.domain, and + # rejects mail for unknown-user@virtual-alias.domain as + # undeliverable. diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf new file mode 100644 index 0000000..de2d283 --- /dev/null +++ b/etc/postfix/master.cf @@ -0,0 +1,92 @@ +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master"). +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== +smtp inet n - - - - smtpd +submission inet n - - - - smtpd + -o smtpd_tls_security_level=encrypt + -o milter_macro_daemon_name=ORIGINATING +# -o smtpd_tls_req_ccert=yes + -o smtpd_tls_ask_ccert=yes + -o smtpd_tls_loglevel=1 + -o smtpd_tls_ccert_verifydepth=2 + -o smtpd_tls_auth_only=yes + -o smtpd_sasl_auth_enable=yes +smtps inet n - - - - smtpd + -o smtpd_tls_security_level=encrypt + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING + -o smtpd_tls_req_ccert=no + -o smtpd_tls_ask_ccert=yes + -o smtpd_tls_loglevel=1 + -o smtpd_tls_ccert_verifydepth=2 + -o smtpd_tls_auth_only=yes +#628 inet n - - - - qmqpd +pickup fifo n - - 60 1 pickup +cleanup unix n - - - 0 cleanup +qmgr fifo n - n 300 1 qmgr +#qmgr fifo n - - 300 1 oqmgr +tlsmgr unix - - - 1000? 1 tlsmgr +rewrite unix - - - - - trivial-rewrite +bounce unix - - - - 0 bounce +defer unix - - - - 0 bounce +trace unix - - - - 0 bounce +verify unix - - - - 1 verify +flush unix n - - 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - - - - smtp +# NOTE: when relaying mail as backup MX, disable fallback_relay to avoid MX loops +relay unix - - - - - smtp + -o smtp_fallback_relay= +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - - - - showq +error unix - - - - - error +retry unix - - - - - error +discard unix - - - - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - - - - lmtp +anvil unix - - - - 1 anvil +scache unix - - - - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} +spfcheck unix - n n - 0 spawn + user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl +noclue unix - n n - - pipe + flags=q user=noclue argv=/usr/local/bin/noclue-delivery ${recipient} ${sender} diff --git a/etc/skel/etc/mail/delivery.procmailrc b/etc/skel/etc/mail/delivery.procmailrc new file mode 100644 index 0000000..80bb55d --- /dev/null +++ b/etc/skel/etc/mail/delivery.procmailrc @@ -0,0 +1,47 @@ +# vim: ft=procmail + +# NOTE: paramètres passés par postfix +SENDER=$1 +RECIPIENT=$2 +USER=$3 +EXTENSION=$4 +DOMAIN=$5 +ORIGINAL_RECIPIENT=$6 + +PATH="$HOME/bin:/usr/local/bin:/usr/bin:/bin" +MAILDIR="$HOME/var/mail/" +DEFAULT="$MAILDIR" +#LOGFILE=`cd="$HOME/var/log/mail/" d=$(date +"%Y-%m-%d"); ln -fns "$d.log" "$cd/current.log"; printf %s "$cd/$d.log"` +LOGFILE="/dev/null" +LOGABSTRACT=all +LOGABSTRACT +VERBOSE +SHELL=/bin/sh +SHELLMETAS=&|<>~;?*%{} + +# DESCRIPTION: supprime les doublons en fonction du champ Message-Id +#:0 Wh: "$HOME/var/cache/mail/msgid$LOCKEXT" +#| formail -D 8192 "$HOME/var/cache/mail/msgid" + +# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/etc/mail/forward +EMAIL=`getent passwd "$USER" | cut -f 5 -d : | cut -f 4 -d ,` + # NOTE: récupère l’adresse courriel dans le champ GECOS +FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'` + # NOTE: récupère l’expéditeur inscrit sur l’enveloppe +TO=`printf %s "$EMAIL" | sed -e "s/@/${EXTENSION:++$EXTENSION}@/"` + # NOTE: rajoute l'éventuelle extension au destinataire +:0 +| $SENDMAIL -i -bm -f "$FROM_" "$TO" + +# DESCRIPTION: IMAP +#:0 +#| /usr/lib/dovecot/deliver -f "$SENDER" -a "$RECIPIENT" + +# DESCRIPTION: UUCP +#:0 +#| /usr/bin/uux \ +# -I "$HOME/etc/uucp/uucp.cfg" \ +# --nouucico \ +# --notification=error \ +# --requestor "$USER" \ +# - "$USER!rmail" "($USER)" diff --git a/etc/skel/etc/mail/delivery.rc b/etc/skel/etc/mail/delivery.rc new file mode 100644 index 0000000..d97cf01 --- /dev/null +++ b/etc/skel/etc/mail/delivery.rc @@ -0,0 +1,47 @@ +# vim: ft=procmail + +# NOTE: paramètres passés par postfix +SENDER=$1 +RECIPIENT=$2 +USER=$3 +EXTENSION=$4 +DOMAIN=$5 +ORIGINAL_RECIPIENT=$6 + +PATH="$HOME/bin:/usr/local/bin:/usr/bin:/bin" +MAILDIR="$HOME/var/mail/" +DEFAULT="$MAILDIR" +#LOGFILE=`cd="$HOME/var/log/procmail/" d=$(date +"%Y-%m-%d"); ln -fns "$d.log" "$cd/current.log"; printf %s "$cd/$d.log"` +LOGFILE="/dev/null" +LOGABSTRACT=all +LOGABSTRACT +VERBOSE +SHELL=/bin/sh +SHELLMETAS=&|<>~;?*%{} + +# DESCRIPTION: supprime les doublons en fonction du champ Message-Id +#:0 Wh: "$HOME/var/cache/procmail/msgid$LOCKEXT" +#| formail -D 8192 "$HOME/var/cache/procmail/msgid" + +# DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/etc/mail/forward +EMAIL=`getent passwd "$USER" | cut -f 5 -d : | cut -f 4 -d ,` + # NOTE: récupère l’adresse courriel dans le champ GECOS +FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'` + # NOTE: récupère l’expéditeur inscrit sur l’enveloppe +TO=`printf %s "$EMAIL" | sed -e "s/@/${EXTENSION:++$EXTENSION}@/"` + # NOTE: rajoute l'éventuelle extension au destinataire +:0 +| $SENDMAIL -i -bm -f "$FROM_" "$TO" + +# DESCRIPTION: IMAP +#:0 +#| /usr/lib/dovecot/deliver -f "$SENDER" -a "$RECIPIENT" + +# DESCRIPTION: UUCP +#:0 +#| /usr/bin/uux \ +# -I "$HOME/etc/uucp/uucp.cfg" \ +# --nouucico \ +# --notification=error \ +# --requestor "$USER" \ +# - "$USER!rmail" "($USER)" diff --git a/vm_hosted b/vm_hosted index 0f900aa..cbc6776 100755 --- a/vm_hosted +++ b/vm_hosted @@ -38,12 +38,13 @@ rule_git_reset () { } rule_apt_get_install () { # SYNTAX: $package - case $(dpkg -s "$1" | grep '^Status: ') in + case $(dpkg -s "$1" 2>/dev/null | grep '^Status: ') in ("Status: install ok installed");; (*) test ! -x /usr/bin/etckeeper || - assert 'sudo etckeeper unclean' - sudo apt-get "$@";; + ! sudo etckeeper unclean || + warn "/etc unclean: etckeeper may force you to \`etckeeper commit'; then you can run your $0 command again." + sudo apt-get install "$@";; esac } @@ -92,7 +93,7 @@ rule_apticron_configure () { EOF } rule_boot_configure () { - warn "attention à n'installer GRUB sur AUCUN disque proposé !" + warn "lors de l'installation Debian, surtout n'installer GRUB sur AUCUN disque proposé !" rule apt_get_install grub-pc sudo install -d -m 644 -u root -g root /boot/grub rule apt_get_install linux-image-$vm_arch @@ -112,6 +113,87 @@ rule_boot_configure () { sudo update-grub2 # NOTE: prend en compte /boot/grub/device.map rule initramfs_configure } +rule_dovecot_configure () { + rule apt_get_install dovecot-imapd dovecot-managesieved dovecot-sieve + local hint="run vm_remote dovecot_key_send before" + assert "test -f /etc/dovecot/$vm_domainname/imap/x509/key.pem" hint + sudo install -m 400 -o root -g root \ + "$tool"/var/pub/x509/service/imap/crt+crl.self-signed.pem \ + /etc/dovecot/$vm_domainname/imap/x509/crt+crl.self-signed.pem + sudo install -d -m 770 -o root -g adm \ + /etc/skel/etc/mail \ + /etc/skel/etc/sieve + sudo install -d -m 1777 -o root -g root \ + /var/lib/dovecot-control \ + /var/lib/dovecot-index + sudo install -m 664 -o root -g root /dev/stdin /etc/dovecot/local.conf <<-EOF + auth_ssl_username_from_cert = yes + listen = * + log_timestamp = "%Y-%m-%d %H:%M:%S " + mail_debug = yes + mail_location = maildir:~/var/mail:INDEX=/var/lib/dovecot-index/%u:CONTROL=/var/lib/dovecot-control/%u + # NOTE: INDEX et CONTROL sont sur une partition sans quota comme le demande la doc + # VOIR: http://wiki2.dovecot.org/Quota/FS + mail_plugins = \$mail_plugins quota + mail_privileged_group = mail + passdb { + args = /home/%u/etc/dovecot/passwd + driver = passwd-file + } + plugin { + quota = fs:user + recipient_delimiter = + + sieve = ~/etc/mail/filter.sieve + sieve_dir = ~/etc/mail/sieve + sieve_global_dir = /var/lib/dovecot/sieve/global/ + sieve_max_script_size = 1M + sieve_quota_max_scripts = 0 + sieve_quota_max_storage = 10M + sieve_user_log = ~/var/log/mail/sieve.log + } + protocol imap { + mail_plugins = \$mail_plugins imap_quota + } + protocol lda { + auth_socket_path = /var/run/dovecot/auth-master + hostname = $vm_domainname + info_log_path = + log_path = + mail_plugins = \$mail_plugins sieve + postmaster_address = contact+dovecot+lda@$vm_domainname + syslog_facility = mail + } + protocols = imap sieve + service auth { + user = root + unix_listener /var/spool/postfix/private/auth { + mode = 0660 + user = postfix + group = postfix + } + } + ssl_ca = /dev/null || + sudo adduser --disabled-password "$user" + # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init . + eval local home\; home="~$user" + sudo adduser "$user" sudo + sudo install -m 640 -o root -g root \ + "$tool"/var/pub/ssh/"$user".key \ + "$home"/etc/ssh/authorized_keys + local key; local -; set +f + for key in "$tool"/var/pub/openpgp/*.key + do sudo -u "$user" gpg --import "$key" + done + rule user_admin_configure + } +rule_user_admin_configure () { + rule initramfs_configure + rule user_root_configure + } +rule_user_configure () { + sudo install -d -m 750 -o root -g adm \ + /etc/skel/etc \ + /etc/skel/etc/ssh + sudo install -d -m 770 -o root -g adm \ + /etc/skel/etc/apache2 \ + /etc/skel/var \ + /etc/skel/var/log \ + /etc/skel/var/cache \ + /etc/skel/var/cache/ssh + sudo ln -fns etc/ssh /etc/skel/.ssh + sudo ln -fns etc/gpg /etc/skel/.gnupg + sudo install -m 640 -o root -g root /dev/stdin /etc/sudoers.d/passwd-init <<-EOF %sudo ALL=(ALL) NOPASSWD: /bin/sh -e -f -u -c \\ case \$(/usr/bin/passwd --status "\$SUDO_USER") in \\ ("\$SUDO_USER L "*) /usr/bin/passwd \$SUDO_USER;; esac @@ -430,7 +650,7 @@ rule_user_configure () { GIT_COMMITTER_EMAIL \\ " EOF - sudo install -m 755 -u root -g root /dev/stdin /usr/local/sbin/passwd-init <<-EOF + sudo install -m 755 -o root -g root /dev/stdin /usr/local/bin/passwd-init <<-EOF #!/bin/sh -efu # DESCRIPTION: permet à un-e utilisateurice d'initialiser ellui-même son mot-de-passe système. sudo /bin/sh -e -f -u -c \ @@ -479,391 +699,6 @@ rule_luks_key_change () { sudo cryptsetup luksChangeKey /dev/$vm_lvm_vg/${vm_lvm_lv}_root } -rule_user_admin_configure () { - rule initramfs_configure - rule user_root_configure - } -rule_user_admin_add () { # SYNTAX: $user - local user=$1 - id "$user" >/dev/null || - sudo adduser --disabled-password "$user" - # NOTE: le mot-de-passe doit être initialisé par l'utilisateur à l'aide de passwd-init . - eval local home\; home="~$user" - sudo adduser "$user" sudo - sudo install -m 640 -u root -g root \ - "$tool"/var/pub/ssh/"$user".key \ - "$home"/etc/ssh/authorized_keys - local key; local -; set +f - for key in "$tool"/var/pub/openpgp/*.key - do sudo -u "$user" gpg --import "$key" - done - rule user_admin_configure - } -rule_user_mail_format () { - mk_dir mod=770 own=root:adm /etc/skel/etc/procmail - mk_dir mod=770 own=root:adm /etc/skel/var/mail - mk_dir mod=770 own=root:adm /etc/skel/var/cache/procmail - mk_reg mod=660 own=root:adm /etc/skel/etc/procmail/delivery.rc <<-EOF - # vim: ft=procmail - - # NOTE: paramètres passés par postfix - SENDER=\$1 - RECIPIENT=\$2 - USER=\$3 - EXTENSION=\$4 - DOMAIN=\$5 - ORIGINAL_RECIPIENT=\$6 - - PATH="\$HOME/bin:/usr/local/bin:/usr/bin:/bin" - MAILDIR="\$HOME/var/mail/" - DEFAULT="\$MAILDIR" - #LOGFILE=`cd="\$HOME/var/log/procmail/" d=\$(date +"%Y-%m-%d"); ln -fns "\$d.log" "\$cd/current.log"; printf %s "\$cd/\$d.log"` - LOGFILE="/dev/null" - LOGABSTRACT=all - LOGABSTRACT - VERBOSE - SHELL=/bin/sh - SHELLMETAS=&|<>~;?*%{} - - # DESCRIPTION: supprime les doublons en fonction du champ Message-Id - #:0 Wh: "\$HOME/var/cache/procmail/msgid\$LOCKEXT" - #| formail -D 8192 "\$HOME/var/cache/procmail/msgid" - - # DESCRIPTION: fait suivre à l'adresse configurée dans /etc/passwd ; on peut aussi utiliser ~/.forward - EMAIL=`sed /etc/passwd -ne "/^\$USER:/s/[^:]*:[^:]*:[^:]*:[^:]*:[^,]*,[^,]*,[^,]*,[^,]*,\([^:]*\):.*/\1/p"` - # NOTE: récupère l’adresse courriel dans le champ GECOS - FROM_=`formail -c -x "From " | sed -e 's/^\s*\([^ \t]*\).*/\1/g'` - # NOTE: récupère l’expéditeur inscrit sur l’enveloppe - :0 - | \$SENDMAIL -i -bm -f "\$FROM_" "\${EMAIL/@/\${EXTENSION:++\${EXTENSION}}@}" - - # DESCRIPTION: IMAP - #:0 - #| /usr/lib/dovecot/deliver -f "\$SENDER" -a "\$RECIPIENT" - - # DESCRIPTION: UUCP - #:0 - #| /usr/bin/uux \ - # -I "\$HOME/etc/uucp/uucp.cfg" \ - # --nouucico \ - # --notification=error \ - # --requestor "\$USER" \ - # - "\$USER!rmail" "(\$USER)" - EOF - mk_reg mod=664 own=root:root /etc/postfix/main.cf <<-EOF - # /etc/postfix/main.cf - # SEE: http://postfix.traduc.org/index.php/TLS_README.html - - parent_domain_matches_subdomains = - #debug_peer_list - #fast_flush_domains - #mynetworks - #permit_mx_backup_networks - #qmqpd_authorized_clients - #smtpd_access_maps - mydomain = $vm_domainname - myorigin = \$mydomain - myhostname = $vm_hostname.\$mydomain - mail_name = \$myhostname - mydestination = - $vm_hostname - \$myhostname - \$myorigin - mynetworks = - 127.0.0.0/8 - #[::1]/128 - inet_protocols = ipv4 - # "all" to activate IPv6 - inet_interfaces = all - permit_mx_backup_networks = - - alias_database = - hash:/etc/aliases - # NOTE: fichier de hash contenant une table d’alias mail. - # Celle-ci est éditable dans /etc/aliases, puis (indispensable) - # regénérée en hash grâce à la commande newaliases qui produit /etc/aliases.db - alias_maps = - hash:/etc/aliases - recipient_delimiter = + - # NOTE: séparateur entre le nom d’utilisateur - # et les extensions d’adresse (par défaut le signe +). - #virtual_alias_domains = - virtual_alias_maps = - hash:/etc/postfix/\$mydomain/virtual - # NOTE: do not specify virtual alias domain names in the main.cf - # mydestination or relay_domains configuration parameters. - # - # With a virtual alias domain, the Postfix SMTP server - # accepts mail for known-user@virtual-alias.domain, and - # rejects mail for unknown-user@virtual-alias.domain as - # undeliverable. - #relayhost = - relay_clientcerts = - hash:/etc/postfix/\$mydomain/smtpd/tls/relay_clientcerts - relay_domains = - \$mydestination - # NOTE: ajouter les domaines pour lesquels on est backup MX ici, - # pas dans mydestination ou virtual_alias... - - maximal_queue_lifetime = 5d - - header_checks = - regexp:/etc/postfix/\$mydomain/header_checks - mime_header_checks = - nested_header_checks = - milter_header_checks = - body_checks = - - #content_filter = amavisfeed:[127.0.0.1]:10024 - #receive_override_options = no_address_mappings - # no_unknown_recipient_checks - # Do not try to reject unknown recipients (SMTP server only). - # This is typically specified AFTER an external content filter. - # no_address_mappings - # Disable canonical address mapping, virtual alias map expansion, - # address masquerading, and automatic BCC (blind carbon-copy) recipients. - # This is typically specified BEFORE an external content filter (eg. amavis). - # no_header_body_checks - # Disable header/body_checks. This is typically specified AFTER an external content filter. - # no_milters - # Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter. - #local_header_rewrite_clients = - transport_maps = - hash:/etc/postfix/\$mydomain/transport_maps - mailbox_command = - /usr/bin/procmail -t -a "\$SENDER" -a "\$RECIPIENT" -a "\$USER" -a "\$EXTENSION" -a "\$DOMAIN" -a "\$ORIGINAL_RECIPIENT" "\$HOME/etc/procmail/delivery.rc" - mailbox_size_limit = 0 - biff = no - # Activer la notification en cas de réception de nouveaux e-mails dans la console (yes / no). - append_dot_mydomain = no - # appending .domain is the MUA's job. - - #tls_random_source = - # dev:/dev/urandom - # Non-blocking - #tls_random_reseed_period = 3600s - #tls_random_exchange_name = - # \${data_directory}/prng_exch - # NOTE: à ne pas mettre dans la cage chroot - #tls_random_bytes = 32 - #tls_random_prng_update_period = 3600s - #tls_high_cipherlist = AES256-SHA - # NOTE: postconf(5) déconseille de changer ceci - - #smtp_cname_overrides_servername = no - smtp_connect_timeout = 60s - #smtp_tls_CAfile = /etc/postfix/\$mydomain/smtp/tls/ca/crt.pem - #smtp_tls_CApath = /etc/postfix/\$mydomain/smtp/tls/ca/ - #smtp_tls_cert_file = /etc/postfix/\$mydomain/smtp/tls/crt.pem - #smtp_tls_key_file = /etc/postfix/\$mydomain/smtp/tls/key.pem - #smtp_tls_per_site = hash:/etc/postfix/\$mydomain/smtp/tls/per_site - # NOTE: déprécié en faveur de smtp_tls_policy_maps - smtp_tls_policy_maps = hash:/etc/postfix/\$mydomain/smtp/tls/policy - smtp_tls_fingerprint_digest = sha1 - smtp_tls_scert_verifydepth = 5 - #smtp_tls_secure_cert_match = nexthop, dot-nexthop - #smtp_tls_verify_cert_match = hostname - #smtp_tls_note_starttls_offer = yes - smtp_tls_loglevel = 1 - smtp_tls_protocols = !SSLv2, !SSLv3 - # Only allow TLSv* - smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache - #smtp_tls_session_cache_timeout = 3600s - smtp_tls_security_level = may - smtp_header_checks = regexp:/etc/postfix/\$mydomain/smtp/header_checks - smtp_body_checks = - smtp_mime_header_checks = - smtp_nested_header_checks = - - smtpd_starttls_timeout = 300s - smtpd_banner = - \$myhostname ESMTP \$mail_name (Debian/GNU) - - # Restrictions - smtpd_helo_required = yes - strict_rfc821_envelopes = yes - smtpd_authorized_xclient_hosts = 127.0.0.1 - # NOTE: utile pour tester les restrictions - - smtpd_helo_restrictions = - reject_invalid_helo_hostname - reject_non_fqdn_helo_hostname - #reject_unknown_helo_hostname - # NOTE: pourrait pourtant être utile pour lutter contre le spam - permit - - smtpd_sender_restrictions = - permit_mynetworks - permit_tls_clientcerts - permit_sasl_authenticated - check_sender_access hash:/etc/postfix/\$mydomain/smtpd/sender_access - check_sender_access hash:/etc/postfix/sender_blacklist - reject_unauth_pipelining - reject_non_fqdn_sender - #reject_unknown_sender_domain - # NOTE: temporaire - permit - - smtpd_client_new_tls_session_rate_limit = 0 - smtpd_client_event_limit_exceptions = \$mynetworks - smtpd_client_recipient_rate_limit = 0 - smtpd_client_connection_count_limit = 50 - smtpd_client_connection_rate_limit = 0 - smtpd_client_message_rate_limit = 0 - smtpd_client_port_logging = no - - smtpd_client_restrictions = - check_client_access hash:/etc/postfix/client_blacklist - - policy_time_limit = 3600 - default_extra_recipient_limit = 5000 - duplicate_filter_limit = 5000 - smtpd_recipient_limit = 5000 - smtpd_recipient_overshoot_limit = 5000 - smtpd_recipient_restrictions = - reject_non_fqdn_recipient - #reject_invalid_hostname - # NOTE: postfix < 2.3. voir reject_invalid_helo_hostname - # dans smtpd_helo_restrictions - reject_unknown_recipient_domain - #reject_non_fqdn_sender - # NOTE: dans smtpd_sender_restrictions - reject_unauth_pipelining - # NOTE: dans smtpd_client_restrictions ou smtpd_data_restrictions - permit_mynetworks - permit_tls_clientcerts - permit_sasl_authenticated - reject_unauth_destination - # NOTE: ne pas passer par SPFCheck / Postgrey si le mail n'est pas pour nous - # ou quelqu'un pour lequel on tient lieu de backup_mx - check_policy_service inet:127.0.0.1:10023 - # NOTE: Postgrey (greylisting) - check_policy_service unix:private/spfcheck - permit_auth_destination - # NOTE: une fois Postgrey passé, on accepte ce qui nous est destiné - # (voir permit_auth_destination) ; sans doute redondant - reject - #check_relay_domains <- removed from postfix - #reject_unknown_sender_domain - # aurait probablement été mieux dans smtpd_sender_restrictions - #reject_rbl_client bl.spamcop.net - #reject_rbl_client list.dsbl.org - #reject_rbl_client zen.spamhaus.org - #reject_rbl_client dnsbl.sorbs.net - - smtpd_data_restrictions = - reject_unauth_pipelining - # NOTE: obliger le serveur en face à attendre qu'on lui aie dit OK - permit - - #smtpd_end_of_data_restrictions = - - #smtpd_restriction_classes = - - smtpd_error_sleep_time = 5 - # NOTE: forcer quelqu'un qui nous embête à attendre cinq secondes. - - # SASL - smtpd_sasl_auth_enable = yes - smtpd_sasl_type = dovecot - smtpd_sasl_path = private/auth - smtpd_sasl_security_options = noanonymous - smtpd_sasl_domain = \$mydomain - - # SMTPD TLS - smtpd_discard_ehlo_keywords = starttls - # NOTE: les clients mails tentant d'utiliser le chiffrement opportuniste - # se mangent une erreur en tentant un starttls - smtpd_tls_fingerprint_digest = sha1 - # sha512 ? - smtpd_tls_mandatory_protocols = TLSv1 - smtpd_tls_mandatory_ciphers = high - smtpd_tls_ciphers = high - # restrictif. s/high/medium/ ? - smtpd_tls_CAfile = /etc/postfix/\$mydomain/smtpd/tls/ca/crt+crl.slf.pem - smtpd_tls_CApath = /etc/postfix/\$mydomain/smtpd/tls/ca/ - smtpd_tls_cert_file = /etc/postfix/\$mydomain/smtpd/tls/crt+crl.slf.pem - smtpd_tls_key_file = /etc/postfix/\$mydomain/smtpd/tls/key.pem - ## - #smtpd_tls_received_header = no - smtpd_tls_session_cache_database = - btree:/var/lib/postfix/smtpd_tls_session_cache - #smtpd_tls_session_cache_timeout = 3600s - smtpd_tls_security_level = may - # Postfix 2.3 and later - # encrypt - # Mandatory TLS encryption: announce STARTTLS support to SMTP clients, and require that clients use TLS - # encryption. According to [1720]RFC 2487 this MUST NOT be applied in case of a publicly-referenced - # SMTP server. Instead, this option should be used only on dedicated servers. - smtpd_tls_loglevel = 1 - smtpd_tls_ccert_verifydepth = 5 - smtpd_tls_auth_only = yes - # Pas d'AUTH SASL sans TLS - smtpd_tls_ask_ccert = no - smtpd_tls_req_ccert = no - #smtpd_tls_always_issue_session_ids = yes - smtpd_peername_lookup = yes - # Nécessaire pour postgrey, etc - smtpd_milters = - non_smtpd_milters = - line_length_limit = 2048 - queue_minfree = 0 - message_size_limit = 20480000 - #smtpd_enforce_tls # NOTE: obsolète - #smtpd_use_tls # NOTE: obsolète - #smtpd_tls_cipherlist # NOTE: obsolète - - readme_directory = no - #delay_warning_time = 4h - # NOTE: uncomment the previous line to generate "delayed mail" warnings - #debug_peer_level = 4 - #debug_peer_list = .\$myhostname - EOF - mk_reg mod=664 own=root:root /etc/dovecot/dovecot.conf <<-EOF - auth_ssl_username_from_cert = yes - listen = * - log_timestamp = "%Y-%m-%d %H:%M:%S " - mail_debug = yes - mail_location = maildir:~/var/mail - mail_privileged_group = mail - passdb { - args = /home/%u/etc/dovecot/passwd - driver = passwd-file - } - protocols = imap - service auth { - unix_listener /var/spool/postfix/private/auth { - group = postfix - mode = 0660 - user = postfix - } - user = root - } - ssl_ca = /dev/null } -rule_luks_key_backup () { # NOTE: sauvegarde localement les entêtes des partitions chiffrées. ENVIRONMENT: $gpg_recipient +rule_luks_key_backup () { # SYNTAX: ${gpg_options:---recipient $USER@} DESCRIPTION: sauvegarde localement les entêtes des partitions chiffrées. + test "${*+set}" || set -- --recipient "$USER@" for part in root var home do mkdir -p var/sec/luks @@ -78,10 +94,42 @@ rule_luks_key_backup () { # NOTE: sauvegarde localement les entêtes des partiti cat "$tmp"; shred >/dev/null --remove "$tmp"; \ ' | - gpg --encrypt --recipient "${gpg_recipient:-$USER@}" \ + gpg "$@" --encrypt \ -o var/sec/luks/${vm_lvm_lv}_${part}.luks.gpg done } +rule_dovecot_key_send () { + rule ssh -l root ' \ + sudo install -d -m 770 -o root -g root \ + /etc/dovecot/'"$vm_domainname"'/ \ + /etc/dovecot/'"$vm_domainname"'/imap \ + /etc/dovecot/'"$vm_domainname"'/imap/x509 ; \ + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/dovecot/'"$vm_domainname"'/imap/x509/.gitignore <<-EOF + key.pem + EOF + ' + rule _x509_service_key_send_deciphered imap \ + /etc/dovecot/$vm_domainname/imap/x509/key.pem -l root "$@" + } +rule_postfix_key_send () { + rule ssh -l root ' \ + sudo install -d -m 770 -o root -g root \ + /etc/postfix/'"$vm_domainname"'/ \ + /etc/postfix/'"$vm_domainname"'/smptd \ + /etc/postfix/'"$vm_domainname"'/smptd/x509; \ + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/postfix/'"$vm_domainname"'/smtp/x509/.gitignore <<-EOF + key.pem + EOF + sudo install -m 644 -o root -g root /dev/stdin \ + /etc/postfix/'"$vm_domainname"'/smtpd/x509/.gitignore <<-EOF + key.pem + EOF + ' + rule _x509_service_key_send_deciphered smtpd \ + /etc/postfix/$vm_domainname/smtpd/x509/key.pem -l root "$@" + } rule=${1:-help} ${1+shift}