cd / ; apropos ; find * ;
Table des matières

Configuration examples #

/etc/dovecot/local.conf #

# listen both ipv4 and ipv6
listen = *, [::]

# imap better than pop
protocols = imap 

ssl = yes
ssl_cert = </etc/ssl/athome.tld.crt
ssl_key = </etc/ssl/private/athome.tld.key
disable_plaintext_auth = yes

service auth {
  user = $default_internal_user
  group = _maildaemons
}

passdb {
    args = scheme=blf-crypt /etc/mail/passwd
    driver = passwd-file
}

userdb {
    driver = static
    args = uid=_vmail gid=_vmail home=/mnt/bigstorage/_vmail/%d/%n/ 
}

# Plugins
mail_plugins = $mail_plugins quota zlib
protocol imap {
    mail_plugins = $mail_plugins imap_quota imap_zlib imap_sieve
}


plugin {
  quota = maildir:User quota
  quota_rule = *:storage=1G
  quota_rule2 = Trash:storage=+100M
  quota_grace = 50%%
  quota_status_success = DUNNO
  quota_status_nouser = DUNNO
  quota_status_overquota = "552 5.2.2 Mailbox is full"

  zlib_save_level = 9 # 1..9; default is 6
  zlib_save = gz # or bz2, xz or lz4

  sieve_plugins = sieve_imapsieve sieve_extprograms

  sieve_default = /usr/local/lib/dovecot/sieve/default.sieve

  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve

  imapsieve_mailbox2_name = *
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve

  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve

  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
}

/etc/httpd.conf #

types { include "/usr/share/misc/mime.types" }

server "default" {
    listen on * port 80 
    root "/htdocs/athome.tld" 
} 

server "athome.tld" {
    listen on * port 80
    block return 301 "https://$SERVER_NAME$REQUEST_URI"
}

server "athome.tld" { 
    alias "www.athome.tld"
    listen on * tls port 443 
    root "/htdocs/athome.tld" 
    directory index index.html
    log style combined

    hsts preload
    tls {
        certificate "/etc/ssl/athome.tld.crt"
        key "/etc/ssl/private/athome.tld.key"
    }

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }

    location "/Blog/" {
        directory index index.php
    }

    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }

    location "/DL/PDF/" {
        directory auto index
    }

    location "/private/" {
        authenticate "education" with "/htdocs/private.htpw"
        directory auto index
    }
}

server "site2.athome.tld" { 
    alias "www.site2.athome.tld"
    listen on * port 80 
    listen on * tls port 443 
    root "/htdocs/site2" 
    directory index index.html
    log access "site2.log"

    hsts 
    tls {
        certificate "/etc/ssl/athome.tld.crt"
        key "/etc/ssl/private/athome.tld.key"
    }

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }

    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
    location "/downloads/" {
        directory index index.php
    }
} 

/var/nsd/etc/nsd.conf #

server:
        hide-version: yes
        verbosity: 2
        database: "" # disable database
        zonesdir: "/var/nsd/zones/"
        ip-address: 46.23.92.148
        ip-address: 2a03:6000:9137::148 

remote-control:
        control-enable: yes

key:
        name: "secretkey"
        algorithm: hmac-sha256
        secret: "i8f4FgDsldD11pHAqo9Ko="

zone:
        name: "reiva.xyz"
        zonefile: "signed/reiva.xyz"
        provide-xfr: 109.190.128.23 secretkey
        notify: 109.190.128.23 secretkey

        # GANDI
        provide-xfr: 217.70.177.40 NOKEY
        notify: 217.70.177.40 NOKEY


# slaves
zone:
        name: "athome.tld"
        zonefile: "slave/athome.tld"
        allow-notify: 109.190.128.23 secretkey
        request-xfr:  109.190.128.23 secretkey

zone:
        name: "ouaf.xyz"
        zonefile: "slave/ouaf.xyz"
        allow-notify: 109.190.128.23 secretkey
        request-xfr:  109.190.128.23 secretkey

zone:
        name: "3hg.fr"
        zonefile: "slave/3hg.fr"
        allow-notify: 109.190.128.23 secretkey
        request-xfr:  109.190.128.23 secretkey

/etc/pf.conf #

# See pf.conf(5) and /etc/examples/pf.conf

# Macros
## Interfaces to take care. egress should be enough
## but it's an example ^^
ifaces = "{ egress em0 em1 }"
## various ports
mail_ports = "{ submission imaps smtp }"
tcp_pass = "{ www https domain 1965 xmpp-client xmpp-server 5280 5281 62882 }" # 5280-5281 are xmpp-http, 62882 transmission
udp_pass = "{ domain 62882 }" # 62882 dht rtorrent
blocking_tcp="{ ftp ftp-data telnet finger sunrpc epmap netbios-ns netbios-dgm netbios-ssn microsoft-ds ipp ldaps ldp ms-sql-s ms-sql-m pptp mysql postgresql rfb rdp 27019 1194 ldap 8080 kerberos socks }"

# Tables
table <evils> persist
table <bruteforce> persist
table <sshguard> persist
table <pfbadhost> persist file "/etc/pf-badhost.txt"
table <solene> persist file "/etc/solene-block.txt"
table <spamd> persist

# Options
## increase limit for huge blocking table files
set limit table-entries 409600
## no not filter local
set skip on { lo }

# Avoid spoofing
antispoof for $ifaces

# Rules
## block by default 
block
anchor "relayd/*" # so relayd works properly

## "quick" rules : the rest won't be read if it matches.
## This filter bad ip
### block unwanted sources, and don't go further
block log quick from <bruteforce> label "BRUTES"
block log quick from <evils>  label "EVILS"
block log quick from <sshguard> label "SSHGUARD"
block log quick on $ifaces from <pfbadhost> label "PFBADHOST"
block log quick on $ifaces from <solene> label "SOLENE"

### Let in local network, or it is blocked by pfbadhost 
pass in quick from 192.168.1.0/24 modulate state

### iblock : everything else is banned
pass in quick on $ifaces inet proto tcp to port $blocking_tcp rdr-to 127.0.0.1 port 2507
pass in quick on $ifaces inet6 proto tcp to port $blocking_tcp rdr-to ::1 port 2507

## Allow some incoming traffic
### spamd traps in blacklist only
pass in on $ifaces inet proto tcp from <spamd> to any port smtp \
    divert-to 127.0.0.1 port spamd modulate state

### let ssh in, with anti bruteforce
pass in on $ifaces proto tcp to port ssh modulate state \
    (source-track rule, \
    max-src-conn 8, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global)

### same with email
pass in on $ifaces proto tcp to port $mail_ports modulate state \
    (source-track rule, \
    max-src-conn 100, max-src-conn-rate 50/100, \
    overload <bruteforce> flush global)


### let some ports in 
pass in on $ifaces proto tcp to port $tcp_pass modulate state
pass in on $ifaces proto udp to port $udp_pass

### allow ping, in and out
pass on $ifaces inet6 proto ipv6-icmp all icmp6-type echoreq
pass on $ifaces inet proto icmp all icmp-type echoreq

### Let all out 
pass out on $ifaces proto { tcp udp }

/etc/relayd.conf #

ext_ip4 = "192.0.2.2"
ext_ip6 = "2001:db8::2

tcp protocol "gemini" {
        tls keypair athome.tld-self
}

relay "gemini4" {
        listen on $ext_ip4 port 1965 tls
        protocol "gemini"
        forward to localhost port 11965
}
relay "gemini6" {
        listen on $ext_ip6 port 1965 tls
        protocol "gemini"
        forward to localhost port 11965
}
# in /etc/torrc:
# HiddenServiceDir /var/tor/hidden-gemini/
# HiddenServicePort 1965 localhost:11966
# relay tor hidden onion
relay "geminitor" {
        listen on localhost port 11966 tls
        protocol "gemini"
        forward to localhost port 11965
}

http protocol "https" {
        include "/etc/relayd.proxy.conf"
        tls keypair athome.tld
}
http protocol "http" {
        include "/etc/relayd.proxy.conf"
}

relay "www" {
        listen on $ext_ip4 port 80
        protocol "http"
        forward to localhost port 8080
}
relay "www6" {
        listen on $ext_ip6 port 80
        protocol "http"
        forward to localhost port 8080
}

relay "wwwtls" {
        listen on $ext_ip4 port 443 tls
        protocol "https"
        forward to localhost port 8080
}
relay "wwwtls6" {
        listen on $ext_ip6 port 443 tls
        protocol "https"
        forward to localhost port 8080
}

/etc/relayd.proxy.conf :

return error

return error style "body { background: silver; color: black; text-align:center } hr {border:0;
background-color:silver; color:silver; height:1px; width:30%; margin-top:50px;}"

match request header set "X-Forwarded-For" \
    value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" \
    value "$SERVER_ADDR:$SERVER_PORT"

match header set "Keep-Alive" value "$TIMEOUT"

block quick path "/wp-*" label '<em>Stop scanning for wordpress</em>.'

match request header remove "Proxy"
match response header set "Frame-Options" value "SAMEORIGIN"
match response header set "X-Xss-Protection" value "1; mode=block"
match response header set "X-Frame-Options" value "SAMEORIGIN"
match response header set "X-Robots-Tag" value "index,nofollow"
match response header set "X-Permitted-Cross-Domain-Policies" value "none"
match response header set "X-Download-Options" value "noopen"
match response header set "X-Content-Type-Options" value "nosniff"
match response header set "Referrer-Policy" value "no-referrer"
match response header set "Permissions-Policy" value "interest-cohort=()"
match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
match response header set "Content-Security-Policy" value "default-src 'self';"

match response header set "X-Powered-By" value "Powered by OpenBSD"

match request path "/*.css" tag "CACHE"
match request path "/*.js" tag "CACHE"
match request path "/*.atom" tag "CACHE"
match request path "/*.rss" tag "CACHE"
match request path "/*.xml" tag "CACHE"
match request path "/*.jpg" tag "CACHE"
match request path "/*.png" tag "CACHE"
match request path "/*.svg" tag "CACHE"
match request path "/*.gif" tag "CACHE"
match request path "/*.ico" tag "CACHE"
match request path "/*.html" tag "CACHE"
match request path "/*.gmi" tag "CACHE"
match request path "*/" tag "CACHE"

match response tagged "CACHE" header set "Cache-Control" value \
    "public, max-age=86400"

match request path "/*.html" tag "HTML"
match response tagged "HTML" header set "Content-Type" value "text/html; charset=utf-8"

match request path "/*.txt" tag "TXT"
match request path "/*.md" tag "TXT"
match request path "/*.gmi" tag "TXT"
match response tagged "TXT" header set "Content-Type" value "text/plain; charset=utf-8"

pass

/etc/mail/smtpd.conf #

Example for multiple domains

Example 1 (rspamd) #

# install :
#   opensmtpd-filter-rspamd
#   opensmtpd-filter-senderscore

table aliases "/etc/mail/aliases"
table domains "/etc/mail/domains"
table passwd "/etc/mail/passwd"
table virtuals "/etc/mail/virtuals"

pki athome.tld key "/etc/ssl/private/athome.tld.key"
pki athome.tld cert "/etc/ssl/athome.tld.crt"
pki domaine2.net key "/etc/ssl/private/domaine2.net.key"
pki domaine2.net cert "/etc/ssl/domaine2.net.crt"
pki autredomaine.xyz key "/etc/ssl/private/autredomaine.xyz.key"
pki autredomaine.xyz cert "/etc/ssl/autredomaine.xyz.crt"
# certificat par defaut
pki "*" key "/etc/ssl/private/athome.tld.key"
pki "*" cert "/etc/ssl/athome.tld.crt"

filter senderscore \
         proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"
filter rspamd proc-exec "filter-rspamd"

listen on all tls pki athome.tld \
    filter { senderscore, rspamd }
listen on all port submission tls-require pki athome.tld auth <passwd> \
    filter rspamd

action "relay" relay
action relaybackup relay backup tls helo "athome.tld"
action "local_mail" maildir alias <aliases>
action virtual_maildir maildir "/home/_vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <virtuals>

match from any for domain <domains> action virtual_maildir
match from any for local action local_mail

match from any for domain friend.eu action relaybackup

match auth from any for any action "relay"
match for any action "relay"

Example 2 (spamassassin + dkimproxy) #

Only one certificate matching all domains is used here.

We add some options on queue, because.

table aliases "/etc/mail/aliases"
table passwd "/etc/mail/passwd"
table virtuals "/etc/mail/virtuals"
table domains "/etc/mail/domains"

pki athome.tld key "/etc/ssl/private/athome.tld.key"
pki athome.tld cert "/etc/ssl/athome.tld.crt"

queue compression # less disk space
queue encryption 7dbecabecabeca45bce4aebc # encrypt all o/

filter senderscore \
         proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"

listen on lo0 port 10028 tag DKIM   
listen on lo0 port 10026 tag SPAMASSASSIN

listen on all tls pki athome.tld filter { senderscore }
listen on all port submission tls-require pki athome.tld auth <passwd> 

action "envoi" relay 
action dkimproxy relay host smtp://127.0.0.1:10027 
action spamassassin relay host smtp://127.0.0.1:10025 

action local_mail maildir alias <aliases>

action relaybackup relay backup mx "athome.tld" helo "athome.tld"

action virtual_maildir maildir "/var/vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <virtuals>

match for local action local_mail
match tag SPAMASSASSIN from any for domain <domains> action virtual_maildir
match from any for domain <domains> action spamassassin

match tag DKIM for any action "envoi"
match auth tag DKIM from any for any action "envoi"

match from any for domain copain.eu action relaybackup

match auth from any for any action dkimproxy
match for any action dkimproxy

Example 3 (spamassassin + senderscore + opensptmd-filters) #

table aliases "/etc/mail/aliases"

pki athome.tld.pki key "/etc/ssl/private/athome.tld.key"
pki athome.tld.pki cert "/etc/ssl/athome.tld.crt"

filter senderscore \
         proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"
filter "spamassassin" proc-exec "filter-spamassassin"
filter "dkimsign" proc-exec "filter-dkimsign \
	-d athome.tld \
	-s pubkey \
	-k /etc/dkim/private.key" \
	user _dkimsign group _dkimsign

listen on all tls pki athome.tld.pki filter { spamassassin senderscore }
    
listen on all port submission tls-require pki athome.tld.pki auth \
    filter dkimsign 

action relayout relay
action relaybackup relay backup
action distribute maildir junk alias <aliases>

match for local action distribute
match from any for domain athome.tld action distribute

# backup for friends
match from any for domain friend.tld action relaybackup

match auth from any for any action relayout
match for any action relayout

/etc/mail/domains #

All MX records

athome.tld 
domaine2.net 
other.xyz 

/etc/mail/spamd.conf #

all:\
        :nixspam:bgp-spamd:bsdlyblack:whitelist:

# Nixspam recent sources list.
# Mirrored from http://www.heise.de/ix/nixspam
nixspam:\
        :black:\
        :msg="Your address %A is in the nixspam list\n\
        See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
        :method=http:\
        :file=www.openbsd.org/spamd/nixspam.gz

bsdlyblack:\
        :black:\
        :msg="Your address %A is in the bsdly.net list":\
        :method=http:\
        :file=www.bsdly.net/~peter/bsdly.net.traplist

bgp-spamd:\
         :black:\
         :msg="Your address %A has sent mail to a spamtrap\n\
          within the last 24 hours":\
         :method=file:\
         :file=/var/spamd.black

whitelist:\
        :white:\
        :method=file:\
        :file=/etc/mail/whitelist.txt

/etc/webalizer.conf #

LogFile     /var/www/logs/access.log
OutputDir   /var/www/htdocs/chezmoi.tld/stats
ReportTitle Statistiques pour 
HostName    chezmoi.tld
LinkReferrer    yes
HTMLHead    <style type="text/css">
HTMLHead    body {background:#eceff4;color:#2e3440;line-height:1.4;margin:auto}
HTMLHead    table {border: 1px solid; padding:1ex}
HTMLHead    a {color:#5e81ac}
HTMLHead    th, td {border: 0}
HTMLHead    tr:nth-child(even){background-color: #e5e9f0;}
HTMLHead    tr:hover {background-color: #d8dee9;}
HTMLHead    </style>
TopSites    75
TopURLs     50
TopReferrers    100
AllSites    yes
AllURLs     yes
AllReferrers    yes
AllSearchStr    yes
AllErrors   yes
HideSite    *chezmoi.tld
HideReferrer    chezmoi.tld
HideURL       *.gif
HideURL       *.GIF
HideURL       *.jpg
HideURL       *.JPG
HideURL       *.png
HideURL       *.PNG
HideURL       *.css
HideURL       *.woff
GroupReferrer google. Google Intl
HideReferrer google.
IgnoreURL   /atom.xml
IgnoreURL   /sitemap.*
IgnoreURL   /favicon.*
IgnoreURL   /robots.txt
ColorBackground eceff4
ColorText       2e3440
ColorLink       5e81ac
ColorVLink      81a1c1
ColorALink      88c0d0
ColorHeadline   d8dee9
ColorCounter    4c566a
ColorHit        5e81ac
ColorFile       bf616a
ColorSite       d08770
ColorKbyte      ebcb8b
ColorPage       a3be8c
ColorVisit      b48ead
ColorMisc       8fbcbb
ChartBackgroundColor    eceff4
ChartLegendColor        2e3440
ChartShadowColor1       eceff4
ChartShadowColor2       d8dee9
TableBorder     0
ChartBorder     0

Table of contents

Donate