From f1ea1df6ff4652bb89b232cb5fd5762c6fea4dcf Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Tue, 16 Apr 2013 13:09:14 +0200 Subject: [PATCH] Correction : etc/sv/sympa/ . --- etc/nginx/site.d/sympa/site.conf | 2 +- etc/nsd3/nsd.conf | 3 ++- etc/nsd3/zone.d/heureux-cyclage.org.zone.m4 | 7 +++--- etc/postfix/aliases.m4 | 14 +++++++----- etc/postfix/main.cf | 13 +++++------ etc/postfix/master.cf | 10 +++++---- etc/shorewall/rules | 6 +++-- etc/sv/nginx/configure.sh | 4 ++-- etc/sv/nsd3/run | 8 ++++--- etc/sv/php5-fpm/configure.sh | 6 ++--- etc/sv/postfix/configure.sh | 19 +++++++++++++--- etc/sv/sympa/configure.sh | 22 +++++++++++++++++-- etc/sv/wwsympa/run | 2 +- etc/sympa/aliases | 0 .../host.d/heureux-cyclage.org/robot.conf.m4 | 3 +++ etc/sympa/sympa.conf.m4 | 12 +++++----- etc/sympa/transport | 4 ++-- etc/sympa/virtual_alias | 2 +- etc/sympa/wwsympa.conf.m4 | 2 +- vm_hosted | 2 +- 20 files changed, 93 insertions(+), 48 deletions(-) delete mode 100644 etc/sympa/aliases create mode 100644 etc/sympa/host.d/heureux-cyclage.org/robot.conf.m4 diff --git a/etc/nginx/site.d/sympa/site.conf b/etc/nginx/site.d/sympa/site.conf index 33a0863..370514c 100644 --- a/etc/nginx/site.d/sympa/site.conf +++ b/etc/nginx/site.d/sympa/site.conf @@ -11,7 +11,6 @@ location ~ /\. { log_not_found off; } location / { - index index.html index.htm; include /etc/nginx/conf.d/fastcgi.conf; set $no_cache "0"; if ($request_method !~ ^(GET|HEAD)$) { @@ -35,6 +34,7 @@ location / { fastcgi_max_temp_file_size 2M; fastcgi_no_cache $no_cache; fastcgi_param PATH_INFO $uri; + fastcgi_param SCRIPT_NAME ''; fastcgi_pass_header Cookie; fastcgi_pass_header Set-Cookie; diff --git a/etc/nsd3/nsd.conf b/etc/nsd3/nsd.conf index 67d5da7..34be06a 100644 --- a/etc/nsd3/nsd.conf +++ b/etc/nsd3/nsd.conf 
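Review bot: `fastcgi_param SCRIPT_NAME '';` in the second site.conf hunk is the line a later reader is most likely to "fix", and nothing says why it is empty. Presumably wwsympa.fcgi prefixes SCRIPT_NAME to the links it generates and the site is served from `/`, so an empty value is what keeps those links correct; a comment such as `# wwsympa prefixes its links with SCRIPT_NAME; served from / so keep it empty` would record that. Since `include /etc/nginx/conf.d/fastcgi.conf;` runs earlier in the same location block, it is also worth confirming that the include does not set SCRIPT_NAME itself.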
@@ -10,9 +10,10 @@ ipv4-edns-size: 4096 # ipv6-edns-size: 4096 # logfile: "/var/log/nsd.log" # nsid: "aabbccdd" -pidfile: "/run/nsd3.pid" +pidfile: "/run/nsd3/nsd.pid" # NOTE: utilisé par nsdc reload pour envoyer SIGHUP ou SIGUSR1, # attention que SIGHUP fait changer le pid, et du coup fonctionne mal avec runsv + # XXX: username doit pouvoir le supprimer. port: 53 rrl-ratelimit: 200 rrl-size: 10000 diff --git a/etc/nsd3/zone.d/heureux-cyclage.org.zone.m4 b/etc/nsd3/zone.d/heureux-cyclage.org.zone.m4 index 489d2b8..659ba8d 100644 --- a/etc/nsd3/zone.d/heureux-cyclage.org.zone.m4 +++ b/etc/nsd3/zone.d/heureux-cyclage.org.zone.m4 @@ -18,6 +18,7 @@ define(`KIMSUFI_IP4', `91.121.198.103') define(`LAUTRENET_IP4', `80.67.160.70') define(`LAUTRENET_MX_NAME', `mx.lautre.net.') define(`LAUTRENET_MX2_NAME', `mx2.lautre.net.') +define(`LAUTRENET_SPF_NAME', `mx1a.lautre.net') divert(0)dnl $TTL 1d ; TTL (Time To Live) par défaut pour les enregistrements @@ -83,11 +84,11 @@ ra CNAME remorque ; http://tools.ietf.org/html/draft-ietf-dnsop-reverse-mapping-considerations ; ENREGISTREMENTS "SPF" (Sender Policy Framework) -@ 3600 IN SPF "v=spf1 mx a:mail.ZONE_DOMAIN -all" -@ 3600 IN TXT "v=spf1 mx a:mail.ZONE_DOMAIN -all" +@ 3600 IN SPF "v=spf1 mx ip4:IP4(GRESILLE) a:NAME(LAUTRENET_SPF) -all" +@ 3600 IN TXT "v=spf1 mx ip4:IP4(GRESILLE) a:NAME(LAUTRENET_SPF) -all" ; ENREGISTREMENTS « SRV » (SeRVice) _git._tcp.git 18000 IN SRV 0 0 9418 git ; ENREGISTREMENTS « SSHFP » (Secure SHell FingerPrint) -esyscmd(sudo ssh-keygen -r $(hostname)) +esyscmd(sudo ssh-keygen -r @) diff --git a/etc/postfix/aliases.m4 b/etc/postfix/aliases.m4 index 3e7f975..ac569ec 100644 --- a/etc/postfix/aliases.m4 +++ b/etc/postfix/aliases.m4 
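Review bot: The new SPF term `ip4:IP4(GRESILLE)` depends on a `GRESILLE_IP4` define that appears in neither zone hunk (only KIMSUFI_IP4 and LAUTRENET_IP4 are visible); if it is missing, m4 presumably leaves `GRESILLE_IP4` as literal text and the published record becomes a syntax error, which evaluates as permerror for every sender of the domain. If it is defined further up the file, a `dnl` line next to the new `LAUTRENET_SPF_NAME` define pointing at it would tie the two together; either way the SPF and TXT copies must stay byte-identical, as they do here. The SSHFP change `esyscmd(sudo ssh-keygen -r @)` publishes the generating machine's own host keys under the zone apex, which is only right if the apex name resolves to this host, and clients only act on SSHFP when the zone is DNSSEC-signed, which nothing in the hunk shows.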
@@ -8,16 +8,18 @@ postmaster: root root: esyscmd(getent group sudo | cut -f 4 -d : | tr '\054' ' ') #-- SYMPA begin -abuse-feedback-report: "| /usr/lib/sympa/bin/bouncequeue sympa@heureux-cyclage.org" -bounce+*: "| /usr/lib/sympa/bin/bouncequeue sympa@heureux-cyclage.org" -listmaster: "| /usr/lib/sympa/bin/queue listmaster@heureux-cyclage.org" -sympa: "| /usr/lib/sympa/bin/queue sympa@heureux-cyclage.org" -sympa-owner: postmaster@heureux-cyclage.org -sympa-request: postmaster@heureux-cyclage.org +sympa-owner: postmaster +sympa-request: postmaster + +abuse-feedback-report: "| /usr/lib/sympa/bin/bouncequeue sympa@VM_DOMAINNAME" +bounce+*: "| /usr/lib/sympa/bin/bouncequeue sympa@VM_DOMAINNAME" +listmaster: "| /usr/lib/sympa/bin/queue listmaster@VM_DOMAINNAME" +sympa: "| /usr/lib/sympa/bin/queue sympa@VM_DOMAINNAME" # NOTE: compatibilité avec d'autres gestionnaires de listes listserv: sympa listserv-request: sympa-request majordomo: sympa listserv-owner: sympa-owner + #-- SYMPA end diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf index 58edb3e..6325085 100644 --- a/etc/postfix/main.cf +++ b/etc/postfix/main.cf @@ -63,7 +63,6 @@ recipient_delimiter = + relay_clientcerts = hash:/etc/postfix/$mydomain/smtpd/relay_clientcerts relay_domains = $mydestination - sympa.$mydomain # NOTE: ajouter les domaines pour lesquels on est backup MX ici, pas dans mydestination ou virtual_alias... smtp_body_checks = #smtp_cname_overrides_servername = no 
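Review bot: The four `"| /usr/lib/sympa/bin/..."` pipe aliases become the only Sympa delivery path in this commit (the sympa/sympabounce services in master.cf and the transport regexps are disabled at the same time), and because /etc/postfix/aliases is installed root-owned, Postfix runs these commands as `default_privs` (nobody), not as sympa. Delivery therefore only works while `queue` and `bouncequeue` keep the setuid-sympa bit the Debian package normally gives them; a comment above `abuse-feedback-report` such as `# run as default_privs: queue/bouncequeue must stay setuid sympa` would make that dependency visible. `bounce+*` also looks like it can never match: Postfix's local alias lookup tries `bounce+ext` and then `bounce`, never a wildcard key, so VERP bounce addresses need either a plain `bounce:` entry or the transport route — worth confirming against the Sympa documentation for this version.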
@@ -162,16 +161,16 @@ smtpd_sender_restrictions = permit smtpd_starttls_timeout = 300s #smtpd_tls_always_issue_session_ids = yes -smtpd_tls_CAfile = /etc/postfix/$mydomain/x509/smtpd/ca/crt.pem -smtpd_tls_CApath = /etc/postfix/$mydomain/x509/smtpd/ca/ +smtpd_tls_CAfile = /etc/postfix/$mydomain/smtpd/x509/ca/crt.pem +smtpd_tls_CApath = /etc/postfix/$mydomain/smtpd/x509/ca/ smtpd_tls_ask_ccert = no smtpd_tls_auth_only = yes # NOTE: pas d'AUTH SASL sans TLS smtpd_tls_ccert_verifydepth = 5 -smtpd_tls_cert_file = /etc/postfix/$mydomain/x509/smtpd/crt+crl.self-signed.pem +smtpd_tls_cert_file = /etc/postfix/$mydomain/smtpd/x509/crt+crl.self-signed.pem smtpd_tls_ciphers = high smtpd_tls_fingerprint_digest = sha512 -smtpd_tls_key_file = /etc/postfix/$mydomain/x509/smtpd/key.pem +smtpd_tls_key_file = /etc/postfix/$mydomain/smtpd/x509/key.pem smtpd_tls_loglevel = 1 smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_protocols = TLSv1 @@ -199,11 +198,11 @@ sympabounce_destination_recipient_limit = 1 # NOTE: non-blocking transport_maps = hash:/etc/postfix/$mydomain/transport - #regexp:/etc/sympa/transport + regexp:/etc/sympa/transport #virtual_alias_domains = virtual_alias_maps = hash:/etc/postfix/$mydomain/virtual_alias - #regexp:/etc/sympa/virtual_alias + regexp:/etc/sympa/virtual_alias # NOTE: do not specify virtual alias domain names in the main.cf # mydestination or relay_domains configuration parameters. # diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf index 8c5c565..860b67f 100644 --- a/etc/postfix/master.cf +++ b/etc/postfix/master.cf 
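Review bot: `transport_maps` and `virtual_alias_maps` now add `regexp:/etc/sympa/transport` and `regexp:/etc/sympa/virtual_alias`, but the same commit comments out every entry in both files (the transport and virtual_alias hunks) and the `sympa`/`sympabounce` pipe services in master.cf, so both maps are empty and Sympa mail only reaches it through the /etc/aliases pipes. If the transport entries are ever uncommented their targets `sympa:` and `sympabounce:` no longer exist in master.cf and matching mail would be deferred as undeliverable; a comment in main.cf next to the two `regexp:` lines saying that the maps are intentionally empty for now would prevent that surprise. The disabled pattern `^.*+owner\@…` also has an unescaped `+`; since `+owner` is a literal recipient-delimiter extension it should read `^.*\+owner\@…` before the line comes back. Separately, etc/sv/postfix/configure.sh now installs `postfix-pcre`, which is only needed for `pcre:` tables, not `regexp:`; either switch the two maps to `pcre:` or drop the package so the intent is clear.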
@@ -90,7 +90,9 @@ spfcheck unix - n n - 0 spawn user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl noclue unix - n n - - pipe flags=q user=noclue argv=/usr/local/bin/noclue-delivery ${recipient} ${sender} -sympa unix - n n - - pipe - flags=R user=sympa argv=/usr/lib/sympa/bin/queue ${recipient} -sympabounce unix - n n - - pipe - flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ${recipient} +#-- SYMPA begin +#sympa unix - n n - - pipe +# flags=R user=sympa argv=/usr/lib/sympa/bin/queue ${recipient} +#sympabounce unix - n n - - pipe +# flags=R user=sympa argv=/usr/lib/sympa/bin/bouncequeue ${recipient} +#-- SYMPA end diff --git a/etc/shorewall/rules b/etc/shorewall/rules index 008765f..aaed7e5 100644 --- a/etc/shorewall/rules +++ b/etc/shorewall/rules @@ -15,10 +15,11 @@ Limit(IMAPS,5,60):info net $FW tcp imaps IMAPS(ACCEPT) net $FW Managesieve(ACCEPT) net $FW Mosh(ACCEPT) net $FW -SMTP(ACCEPT) net $FW Ping(ACCEPT) net $FW -Limit(SSH,10,60):info net $FW tcp ssh +SMTP(ACCEPT) net $FW +SMTPS(ACCEPT) net $FW SSH(ACCEPT) net $FW +Limit(SSH,10,60):info net $FW tcp ssh Submission(ACCEPT) net $FW Limit(Submission,10,60):info net $FW tcp submission @@ -29,4 +30,5 @@ HTTP(ACCEPT) $FW net HTTPS(ACCEPT) $FW net NTP(ACCEPT) $FW net SMTP(ACCEPT) $FW net +SMTPS(ACCEPT) $FW net SSH(ACCEPT) $FW net diff --git a/etc/sv/nginx/configure.sh b/etc/sv/nginx/configure.sh index 7c2943a..ad988a2 100644 --- a/etc/sv/nginx/configure.sh +++ b/etc/sv/nginx/configure.sh @@ -1,5 +1,5 @@ -rule runit_sv_configure php5-fpm "$@" -rule runit_sv_restart php5-fpm "$@" +rule runit_sv_configure php5-fpm '*' +rule runit_sv_restart php5-fpm rule apt_get_install nginx spawn-fcgi fcgiwrap rule insserv_remove nginx rule insserv_remove fcgiwrap diff --git a/etc/sv/nsd3/run b/etc/sv/nsd3/run index f835c40..bf28183 100755 --- a/etc/sv/nsd3/run +++ b/etc/sv/nsd3/run 
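Review bot: In the first shorewall hunk `SSH(ACCEPT) net $FW` now precedes `Limit(SSH,10,60):info net $FW tcp ssh`; Shorewall evaluates rules in order and ACCEPT ends evaluation, so every SSH connection is accepted before the Limit rule is reached and the SSH rate limit silently stops applying (the IMAPS pair at the top of the hunk keeps Limit first, which is the working order). Move the line back above the accept: `Limit(SSH,10,60):info net $FW tcp ssh` then `SSH(ACCEPT) net $FW`. The Submission pair two lines below already has the same accept-before-limit order; it is untouched by this commit but has the same effect and deserves the same fix.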
@@ -2,9 +2,11 @@ exec 2>&1 sv=${PWD#/etc/sv/} -! nsdc running || -pkill -TERM -F /run/nsd3.pid -rm -f /run/nsd3.pid +install -d -m 770 -o nsd -g nsd \ + /run/nsd3 + +pkill -TERM -F /run/nsd3/nsd.pid || true +rm -f /run/nsd3/nsd.pid # XXX: sv reload ou nsdc reload envoient SIGHUP à nsd # ce qui le détache de runsv et du coup il n'est plus suivi.. # comme on ne peut pas se rattacher à un processus, diff --git a/etc/sv/php5-fpm/configure.sh b/etc/sv/php5-fpm/configure.sh index be0c15b..1d40c7c 100644 --- a/etc/sv/php5-fpm/configure.sh +++ b/etc/sv/php5-fpm/configure.sh @@ -26,6 +26,9 @@ sudo install -d -m 770 -o php5 -g php5 \ sudo install -m 440 -o php5 -g php5 \ "$tool"/etc/php5/fpm/php-fpm.conf \ /etc/php5/fpm/php-fpm.conf +sudo install -m 664 -o php5 -g php5 \ + "$tool"/etc/php5/fpm/php.ini \ + /etc/php5/fpm/php.ini for conf in $(find "$tool"/etc/php5/fpm/conf.d \ -mindepth 1 -maxdepth 1 -type f \ -name '*.conf' \ @@ -94,7 +97,4 @@ for pool in $(find "$tool"/etc/php5/fpm/pool.d/ \ user = ${pool}__php5 $(cat "$tool"/etc/php5/fpm/pool.d/"$conf") EOF - sudo install -m 664 -o php5 -g php5 \ - "$tool"/etc/php5/fpm/php.ini \ - /etc/php5/fpm/php.ini done diff --git a/etc/sv/postfix/configure.sh b/etc/sv/postfix/configure.sh index 803798d..690f9a6 100644 --- a/etc/sv/postfix/configure.sh +++ b/etc/sv/postfix/configure.sh @@ -1,10 +1,10 @@ local hint="run vm_remote postfix_key_send before" -assert "test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint +assert "sudo test -f /etc/postfix/$vm_domainname/smtpd/x509/key.pem" hint #warn "lors de l'installation Debian, ne sélectionner aucune configuration pour postfix" sudo debconf-set-selections <<-EOF postfix postfix/main_mailer_type select No configuration EOF -#rule apt_get_install postfix procmail +rule apt_get_install postfix procmail postfix-pcre rule insserv_remove postfix sudo install -m 640 -o root -g root /dev/stdin /etc/postfix/.gitignore <<-EOF *.db 
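Review bot: `pkill -TERM -F /run/nsd3/nsd.pid || true` reads a PID from a directory the script has just made writable by the nsd account (`install -d -m 770 -o nsd -g nsd /run/nsd3`); if this run script executes as root, as runit run scripts normally do, whatever PID that file holds receives SIGTERM, so a stale or corrupted pidfile can stop an unrelated process. Restricting the match to the daemon's own name limits the blast radius: `pkill -TERM -x -F /run/nsd3/nsd.pid nsd || true`. The nsd.conf hunk's `# XXX: username doit pouvoir le supprimer.` describes the same pidfile from the daemon's side and could point here.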
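Review bot: In the first php5-fpm hunk `php.ini` is installed `-m 664 -o php5 -g php5`, so anything running as php5 or in group php5 can rewrite the interpreter's global configuration, while `php-fpm.conf` three lines above is installed 440 by the same owner and group. The pools run as `${pool}__php5` users (visible in the second hunk); if any of them is in group php5, a compromised application could loosen settings such as `disable_functions` or `open_basedir` for every pool. Unless a tool has to write php.ini at runtime, `sudo install -m 440 -o php5 -g php5 \` keeps the two files consistent; if something does write it, a comment naming that writer would justify the 664.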
@@ -36,7 +36,9 @@ sudo install -m 400 -o root -g root \ sudo install -m 640 -o root -g root \ "$tool"/etc/postfix/$vm_domainname/header_checks \ /etc/postfix/$vm_domainname/header_checks -m4 <"$tool"/etc/postfix/aliases.m4 | +m4 \ + --define=VM_DOMAINNAME="$vm_domainname" \ + <"$tool"/etc/postfix/aliases.m4 | sudo install -m 644 -o root -g root /dev/stdin \ /etc/postfix/aliases sudo newaliases -oA/etc/postfix/aliases @@ -90,3 +92,14 @@ sudo install -d -m 770 -o root -g root \ sudo install -m 660 -o root -g root \ "$tool"/etc/skel/etc/mail/delivery.procmailrc \ /etc/skel/etc/mail/delivery.procmailrc +#-- SYMPA begin +sudo install -d -m 755 -o root -g root \ + /etc/sympa +#sudo -u sympa newaliases -oA/etc/mail/sympa/aliases +sudo install -m 640 -o "$sv" -g sympa \ + "$tool"/etc/sympa/transport \ + /etc/sympa/transport +sudo install -m 640 -o "$sv" -g sympa \ + "$tool"/etc/sympa/virtual_alias \ + /etc/sympa/virtual_alias +#-- SYMPA end diff --git a/etc/sv/sympa/configure.sh b/etc/sv/sympa/configure.sh index be2e62b..02b2882 100644 --- a/etc/sv/sympa/configure.sh +++ b/etc/sv/sympa/configure.sh @@ -41,7 +41,6 @@ sudo install -d -m 755 -o root -g root \ sudo install -m 644 -o root -g root \ /dev/stdin \ /etc/sympa/.gitignore <<-EOF - cookie key_passwd EOF m4 \ 
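Review bot: Dropping `cookie` from the /etc/sympa/.gitignore heredoc in the sympa configure.sh hunk means a file of that name is no longer excluded from whatever tracks /etc, and Sympa's `cookie` is the secret it uses to sign web sessions and password fingerprints. If a copy of that secret lives at /etc/sympa/cookie on this setup it should stay ignored like `key_passwd`; if the secret only lives inside sympa.conf and the file never exists, a `# cookie secret is kept in sympa.conf, not in a file` line in the heredoc would record why the entry went. Note that sympa.conf itself is installed 640 a few lines below, so it is presumably the file actually holding the secret — confirm which one applies.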
@@ -50,6 +49,25 @@ m4 \ "$tool"/etc/sympa/sympa.conf.m4 | sudo install -m 640 -o "$sv" -g "$sv" /dev/stdin \ /etc/sympa/sympa.conf +sudo install -m 644 -o "$sv" -g "$sv" /dev/stdin \ + /etc/sympa/facility <<-EOF + mail + EOF + +for host in $(find "$tool"/etc/sympa/host.d \ + -mindepth 1 -maxdepth 1 -type d \ + -printf '%f\n') + do + sudo install -d -m 770 -o "$sv" -g "$sv" \ + /etc/sympa/"$host" + m4 \ + --define=HOST="$host" \ + "$tool"/etc/sympa/host.d/"$host"/robot.conf.m4 | + sudo install -m 440 -o "$sv" -g "$sv" /dev/stdin \ + /etc/sympa/"$host"/robot.conf + sudo install -d -m 770 -o "$sv" -g "$sv" \ + "$home"/list_data/"$host" + done sudo debconf-set-selections <<-EOF || true sympa sympa/app-password-confirm password @@ -65,7 +83,7 @@ sudo debconf-set-selections <<-EOF || true sympa sympa/dbconfig-install boolean true # Nom d'hôte du serveur pour sympa : sympa sympa/remote/newhost string - sympa sympa/listmaster string listmaster@$vm_domainname + sympa sympa/listmaster string postmaster@$vm_domainname sympa wwsympa/wwsympa_url string https://$sv.$vm_domainname/wws sympa wwsympa/webserver_restart boolean false sympa sympa/remote/port string diff --git a/etc/sv/wwsympa/run b/etc/sv/wwsympa/run index de1f498..8e624a9 100755 --- a/etc/sv/wwsympa/run +++ b/etc/sv/wwsympa/run @@ -24,5 +24,5 @@ exec /usr/bin/spawn-fcgi \ -n \ -s /run/spawn-fcgi/"$sv" \ -- /usr/bin/multiwatch \ - --forks 3 \ + --forks 1 \ -- /usr/lib/cgi-bin/sympa/wwsympa.fcgi diff --git a/etc/sympa/aliases b/etc/sympa/aliases deleted file mode 100644 index e69de29..0000000 diff --git a/etc/sympa/host.d/heureux-cyclage.org/robot.conf.m4 b/etc/sympa/host.d/heureux-cyclage.org/robot.conf.m4 new file mode 100644 index 0000000..5d7ce64 --- /dev/null +++ b/etc/sympa/host.d/heureux-cyclage.org/robot.conf.m4 @@ -0,0 +1,3 @@ +host HOST +http_host sympa.HOST +wwsympa_url https://sympa.HOST diff --git a/etc/sympa/sympa.conf.m4 b/etc/sympa/sympa.conf.m4 index 4468c34..514190f 100644 
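Review bot: In the host loop `/etc/sympa/"$host"` is created `-m 770 -o "$sv" -g "$sv"` while the robot.conf placed inside it is installed 440: with write access on the directory the service account can replace robot.conf regardless of the file mode, so the 440 does not keep the running Sympa from rewriting its own robot configuration. If that is the intent, create the directory `-m 755 -o root -g root` like /etc/sympa itself and keep the 440 on the file; if Sympa genuinely needs to write there (custom templates, for instance), a comment saying what it writes would make the 770 self-explanatory. The new etc/sympa/host.d/heureux-cyclage.org/robot.conf.m4 would also benefit from a first line such as `dnl HOST is defined by etc/sv/sympa/configure.sh from the directory name under host.d`, since nothing in that file says where HOST comes from.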
--- a/etc/sympa/sympa.conf.m4 +++ b/etc/sympa/sympa.conf.m4 @@ -1,8 +1,7 @@ -changequote(,) +changequote(,)dnl ###\\\\ Directories and file location ////### etc /etc/sympa home HOME/list_data -http_host https://VM_DOMAINNAME pidfile /run/sympa/sympa.pid pidfile_bulk /run/sympa/bulk.pid pidfile_creation /run/sympa/sympa-creation.pid @@ -32,10 +31,13 @@ syslog `cat /etc/sympa/facility` ###\\\\ General definition ////### create_list public_listmaster -domain sympa.VM_DOMAINNAME +domain VM_DOMAINNAME edit_list owner email sympa -listmaster listmaster@VM_DOMAINNAME +#host VM_DOMAINNAME +#http_host sympa.VM_DOMAINNAME +listmaster esyscmd(getent passwd $(getent group sudo | cut -d : -f 4 | tr '\054' ' ') | + cut -d : -f 5 | cut -d $(printf '\054') -f 5 | tr '\n' '\054' | sed -e 's/\x2C$//') ###\\\\ Tuning ////### bulk_fork_threshold 1 @@ -112,4 +114,4 @@ antispam_tag_header_spam_regexp ^\s*Yes max_wrong_password 19 soap_url http://--HOST--/sympasoap spam_status x-spam-status -wwsympa_url https://sympa.VM_DOMAINNAME/wws +#wwsympa_url https://sympa.VM_DOMAINNAME diff --git a/etc/sympa/transport b/etc/sympa/transport index f11ffe3..7492637 100644 --- a/etc/sympa/transport +++ b/etc/sympa/transport @@ -1,2 +1,2 @@ -/^.*+owner\@sympa\.heureux-cyclage\.org$/ sympabounce: -/^.*\@sympa\.heureux-cyclage\.org$/ sympa: +#/^.*+owner\@heureux-cyclage\.org$/ sympabounce: +#/^.*\@heureux-cyclage\.org$/ sympa: diff --git a/etc/sympa/virtual_alias b/etc/sympa/virtual_alias index fd8965e..ab7bb5d 100644 --- a/etc/sympa/virtual_alias +++ b/etc/sympa/virtual_alias @@ -1 +1 @@ -/^(.*)-owner\@heureux-cyclage\.org$/ $1+owner@heureux-cyclage.org +#/^(.*)-owner\@heureux-cyclage\.org$/ $1+owner@heureux-cyclage.org diff --git a/etc/sympa/wwsympa.conf.m4 b/etc/sympa/wwsympa.conf.m4 index 9fbbb79..30a6239 100644 --- a/etc/sympa/wwsympa.conf.m4 +++ b/etc/sympa/wwsympa.conf.m4 
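Review bot: The new `listmaster esyscmd(...)` line in the second sympa.conf.m4 hunk relies on every member of group sudo having a fifth comma-separated GECOS subfield (presumably an e-mail address), and a member without one contributes an empty entry to the listmaster list, which nothing here guards against or documents. The commas spelled as `'\054'`, `$(printf '\054')` and `\x2C` are there because a literal comma would split the esyscmd argument under m4, and the trailing `sed` strips the final separator; none of that is obvious to the next reader. A line above it would save them the reverse engineering: `dnl listmaster: 5th GECOS subfield of each member of group sudo, comma-joined; commas are written as \054 so m4 does not split the esyscmd argument`.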
@@ -1,4 +1,4 @@ -changequote(,) +changequote(,)dnl ###\\\\ Directories and file location ////### archived_pidfile /run/sympa/archived.pid bounced_pidfile /run/sympa/bounced.pid diff --git a/vm_hosted b/vm_hosted index 9e04d2a..ec1dc33 100755 --- a/vm_hosted +++ b/vm_hosted @@ -557,7 +557,7 @@ rule_network_configure () { sudo install -m 640 -o root -g root /dev/stdin \ /etc/network/interfaces } -rule_runit_configure () { # SYNTAX: $sv +rule_runit_configure () { # SYNTAX: $sv -- $configure_options #rule apt_get_install runit if test $# = 0 then -- 2.20.1