cd /
;
apropos
;
find *
;
# listen both ipv4 and ipv6 listen = *, [::] # imap better than pop protocols = imap ssl = yes ssl_cert = </etc/ssl/athome.tld.crt ssl_key = </etc/ssl/private/athome.tld.key disable_plaintext_auth = yes service auth { user = $default_internal_user group = _maildaemons } passdb { args = scheme=blf-crypt /etc/mail/passwd driver = passwd-file } userdb { driver = static args = uid=_vmail gid=_vmail home=/mnt/bigstorage/_vmail/%d/%n/ } # Plugins mail_plugins = $mail_plugins quota zlib protocol imap { mail_plugins = $mail_plugins imap_quota imap_zlib imap_sieve } plugin { quota = maildir:User quota quota_rule = *:storage=1G quota_rule2 = Trash:storage=+100M quota_grace = 50%% quota_status_success = DUNNO quota_status_nouser = DUNNO quota_status_overquota = "552 5.2.2 Mailbox is full" zlib_save_level = 9 # 1..9; default is 6 zlib_save = gz # or bz2, xz or lz4 sieve_plugins = sieve_imapsieve sieve_extprograms sieve_default = /usr/local/lib/dovecot/sieve/default.sieve imapsieve_mailbox1_name = Junk imapsieve_mailbox1_causes = COPY imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve imapsieve_mailbox2_name = * imapsieve_mailbox2_from = Junk imapsieve_mailbox2_causes = COPY imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment }
types { include "/usr/share/misc/mime.types" } server "default" { listen on * port 80 root "/htdocs/athome.tld" } server "athome.tld" { listen on * port 80 block return 301 "https://$SERVER_NAME$REQUEST_URI" } server "athome.tld" { alias "www.athome.tld" listen on * tls port 443 root "/htdocs/athome.tld" directory index index.html log style combined hsts preload tls { certificate "/etc/ssl/athome.tld.crt" key "/etc/ssl/private/athome.tld.key" } location "/.well-known/acme-challenge/*" { root "/acme" request strip 2 } location "/Blog/" { directory index index.php } location "*.php" { fastcgi socket "/run/php-fpm.sock" } location "/DL/PDF/" { directory auto index } location "/private/" { authenticate "education" with "/htdocs/private.htpw" directory auto index } } server "site2.athome.tld" { alias "www.site2.athome.tld" listen on * port 80 listen on * tls port 443 root "/htdocs/site2" directory index index.html log access "site2.log" hsts tls { certificate "/etc/ssl/athome.tld.crt" key "/etc/ssl/private/athome.tld.key" } location "/.well-known/acme-challenge/*" { root "/acme" request strip 2 } location "*.php" { fastcgi socket "/run/php-fpm.sock" } location "/downloads/" { directory index index.php } }
server: hide-version: yes verbosity: 2 database: "" # disable database zonesdir: "/var/nsd/zones/" ip-address: 46.23.92.148 ip-address: 2a03:6000:9137::148 remote-control: control-enable: yes key: name: "secretkey" algorithm: hmac-sha256 secret: "i8f4FgDsldD11pHAqo9Ko=" zone: name: "reiva.xyz" zonefile: "signed/reiva.xyz" provide-xfr: 109.190.128.23 secretkey notify: 109.190.128.23 secretkey # GANDI provide-xfr: 217.70.177.40 NOKEY notify: 217.70.177.40 NOKEY # slaves zone: name: "athome.tld" zonefile: "slave/athome.tld" allow-notify: 109.190.128.23 secretkey request-xfr: 109.190.128.23 secretkey zone: name: "ouaf.xyz" zonefile: "slave/ouaf.xyz" allow-notify: 109.190.128.23 secretkey request-xfr: 109.190.128.23 secretkey zone: name: "3hg.fr" zonefile: "slave/3hg.fr" allow-notify: 109.190.128.23 secretkey request-xfr: 109.190.128.23 secretkey
# See pf.conf(5) and /etc/examples/pf.conf # Macros ## Interfaces to take care. egress should be enough ## but it's an example ^^ ifaces = "{ egress em0 em1 }" ## various ports mail_ports = "{ submission imaps smtp }" tcp_pass = "{ www https domain 1965 xmpp-client xmpp-server 5280 5281 62882 }" # 5280-5281 are xmpp-http, 62882 transmission udp_pass = "{ domain 62882 }" # 62882 dht rtorrent blocking_tcp="{ ftp ftp-data telnet finger sunrpc epmap netbios-ns netbios-dgm netbios-ssn microsoft-ds ipp ldaps ldp ms-sql-s ms-sql-m pptp mysql postgresql rfb rdp 27019 1194 ldap 8080 kerberos socks }" # Tables table <evils> persist table <bruteforce> persist table <sshguard> persist table <pfbadhost> persist file "/etc/pf-badhost.txt" table <solene> persist file "/etc/solene-block.txt" table <spamd> persist # Options ## increase limit for huge blocking table files set limit table-entries 409600 ## no not filter local set skip on { lo } # Avoid spoofing antispoof for $ifaces # Rules ## block by default block anchor "relayd/*" # so relayd works properly ## "quick" rules : the rest won't be read if it matches. ## This filter bad ip ### block unwanted sources, and don't go further block log quick from <bruteforce> label "BRUTES" block log quick from <evils> label "EVILS" block log quick from <sshguard> label "SSHGUARD" block log quick on $ifaces from <pfbadhost> label "PFBADHOST" block log quick on $ifaces from <solene> label "SOLENE" ### Let in local network, or it is blocked by pfbadhost pass in quick from 192.168.1.0/24 modulate state ### iblock : everything else is banned pass in quick on $ifaces inet proto tcp to port $blocking_tcp rdr-to 127.0.0.1 port 2507 pass in quick on $ifaces inet6 proto tcp to port $blocking_tcp rdr-to ::1 port 2507 ## Allow some incoming traffic ### spamd traps in blacklist only pass in on $ifaces inet proto tcp from <spamd> to any port smtp \ divert-to 127.0.0.1 port spamd modulate state ### let ssh in, with anti bruteforce pass in on $ifaces proto tcp to port ssh modulate state \ (source-track rule, \ max-src-conn 8, max-src-conn-rate 15/5, \ overload <bruteforce> flush global) ### same with email pass in on $ifaces proto tcp to port $mail_ports modulate state \ (source-track rule, \ max-src-conn 100, max-src-conn-rate 50/100, \ overload <bruteforce> flush global) ### let some ports in pass in on $ifaces proto tcp to port $tcp_pass modulate state pass in on $ifaces proto udp to port $udp_pass ### allow ping, in and out pass on $ifaces inet6 proto ipv6-icmp all icmp6-type echoreq pass on $ifaces inet proto icmp all icmp-type echoreq ### Let all out pass out on $ifaces proto { tcp udp }
ext_ip4 = "192.0.2.2" ext_ip6 = "2001:db8::2 tcp protocol "gemini" { tls keypair athome.tld-self } relay "gemini4" { listen on $ext_ip4 port 1965 tls protocol "gemini" forward to localhost port 11965 } relay "gemini6" { listen on $ext_ip6 port 1965 tls protocol "gemini" forward to localhost port 11965 } # in /etc/torrc: # HiddenServiceDir /var/tor/hidden-gemini/ # HiddenServicePort 1965 localhost:11966 # relay tor hidden onion relay "geminitor" { listen on localhost port 11966 tls protocol "gemini" forward to localhost port 11965 } http protocol "https" { include "/etc/relayd.proxy.conf" tls keypair athome.tld } http protocol "http" { include "/etc/relayd.proxy.conf" } relay "www" { listen on $ext_ip4 port 80 protocol "http" forward to localhost port 8080 } relay "www6" { listen on $ext_ip6 port 80 protocol "http" forward to localhost port 8080 } relay "wwwtls" { listen on $ext_ip4 port 443 tls protocol "https" forward to localhost port 8080 } relay "wwwtls6" { listen on $ext_ip6 port 443 tls protocol "https" forward to localhost port 8080 }
/etc/relayd.proxy.conf :
return error return error style "body { background: silver; color: black; text-align:center } hr {border:0; background-color:silver; color:silver; height:1px; width:30%; margin-top:50px;}" match request header set "X-Forwarded-For" \ value "$REMOTE_ADDR" match request header set "X-Forwarded-By" \ value "$SERVER_ADDR:$SERVER_PORT" match header set "Keep-Alive" value "$TIMEOUT" block quick path "/wp-*" label '<em>Stop scanning for wordpress</em>.' match request header remove "Proxy" match response header set "Frame-Options" value "SAMEORIGIN" match response header set "X-Xss-Protection" value "1; mode=block" match response header set "X-Frame-Options" value "SAMEORIGIN" match response header set "X-Robots-Tag" value "index,nofollow" match response header set "X-Permitted-Cross-Domain-Policies" value "none" match response header set "X-Download-Options" value "noopen" match response header set "X-Content-Type-Options" value "nosniff" match response header set "Referrer-Policy" value "no-referrer" match response header set "Permissions-Policy" value "interest-cohort=()" match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains" match response header set "Content-Security-Policy" value "default-src 'self';" match response header set "X-Powered-By" value "Powered by OpenBSD" match request path "/*.css" tag "CACHE" match request path "/*.js" tag "CACHE" match request path "/*.atom" tag "CACHE" match request path "/*.rss" tag "CACHE" match request path "/*.xml" tag "CACHE" match request path "/*.jpg" tag "CACHE" match request path "/*.png" tag "CACHE" match request path "/*.svg" tag "CACHE" match request path "/*.gif" tag "CACHE" match request path "/*.ico" tag "CACHE" match request path "/*.html" tag "CACHE" match request path "/*.gmi" tag "CACHE" match request path "*/" tag "CACHE" match response tagged "CACHE" header set "Cache-Control" value \ "public, max-age=86400" match request path "/*.html" tag "HTML" match response tagged "HTML" header set "Content-Type" value "text/html; charset=utf-8" match request path "/*.txt" tag "TXT" match request path "/*.md" tag "TXT" match request path "/*.gmi" tag "TXT" match response tagged "TXT" header set "Content-Type" value "text/plain; charset=utf-8" pass
Example for multiple domains
# install : # opensmtpd-filter-rspamd # opensmtpd-filter-senderscore table aliases "/etc/mail/aliases" table domains "/etc/mail/domains" table passwd "/etc/mail/passwd" table virtuals "/etc/mail/virtuals" pki athome.tld key "/etc/ssl/private/athome.tld.key" pki athome.tld cert "/etc/ssl/athome.tld.crt" pki domaine2.net key "/etc/ssl/private/domaine2.net.key" pki domaine2.net cert "/etc/ssl/domaine2.net.crt" pki autredomaine.xyz key "/etc/ssl/private/autredomaine.xyz.key" pki autredomaine.xyz cert "/etc/ssl/autredomaine.xyz.crt" # certificat par defaut pki "*" key "/etc/ssl/private/athome.tld.key" pki "*" cert "/etc/ssl/athome.tld.crt" filter senderscore \ proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000" filter rspamd proc-exec "filter-rspamd" listen on all tls pki athome.tld \ filter { senderscore, rspamd } listen on all port submission tls-require pki athome.tld auth <passwd> \ filter rspamd action "relay" relay action relaybackup relay backup tls helo "athome.tld" action "local_mail" maildir alias <aliases> action virtual_maildir maildir "/home/_vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <virtuals> match from any for domain <domains> action virtual_maildir match from any for local action local_mail match from any for domain friend.eu action relaybackup match auth from any for any action "relay" match for any action "relay"
Only one certificate matching all domains is used here.
We add some options on queue, because.
table aliases "/etc/mail/aliases" table passwd "/etc/mail/passwd" table virtuals "/etc/mail/virtuals" table domains "/etc/mail/domains" pki athome.tld key "/etc/ssl/private/athome.tld.key" pki athome.tld cert "/etc/ssl/athome.tld.crt" queue compression # less disk space queue encryption 7dbecabecabeca45bce4aebc # encrypt all o/ filter senderscore \ proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000" listen on lo0 port 10028 tag DKIM listen on lo0 port 10026 tag SPAMASSASSIN listen on all tls pki athome.tld filter { senderscore } listen on all port submission tls-require pki athome.tld auth <passwd> action "envoi" relay action dkimproxy relay host smtp://127.0.0.1:10027 action spamassassin relay host smtp://127.0.0.1:10025 action local_mail maildir alias <aliases> action relaybackup relay backup mx "athome.tld" helo "athome.tld" action virtual_maildir maildir "/var/vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <virtuals> match for local action local_mail match tag SPAMASSASSIN from any for domain <domains> action virtual_maildir match from any for domain <domains> action spamassassin match tag DKIM for any action "envoi" match auth tag DKIM from any for any action "envoi" match from any for domain copain.eu action relaybackup match auth from any for any action dkimproxy match for any action dkimproxy
table aliases "/etc/mail/aliases" pki athome.tld.pki key "/etc/ssl/private/athome.tld.key" pki athome.tld.pki cert "/etc/ssl/athome.tld.crt" filter senderscore \ proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000" filter "spamassassin" proc-exec "filter-spamassassin" filter "dkimsign" proc-exec "filter-dkimsign \ -d athome.tld \ -s pubkey \ -k /etc/dkim/private.key" \ user _dkimsign group _dkimsign listen on all tls pki athome.tld.pki filter { spamassassin senderscore } listen on all port submission tls-require pki athome.tld.pki auth \ filter dkimsign action relayout relay action relaybackup relay backup action distribute maildir junk alias <aliases> match for local action distribute match from any for domain athome.tld action distribute # backup for friends match from any for domain friend.tld action relaybackup match auth from any for any action relayout match for any action relayout
All MX records
athome.tld domaine2.net other.xyz
all:\ :nixspam:bgp-spamd:bsdlyblack:whitelist: # Nixspam recent sources list. # Mirrored from http://www.heise.de/ix/nixspam nixspam:\ :black:\ :msg="Your address %A is in the nixspam list\n\ See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\ :method=http:\ :file=www.openbsd.org/spamd/nixspam.gz bsdlyblack:\ :black:\ :msg="Your address %A is in the bsdly.net list":\ :method=http:\ :file=www.bsdly.net/~peter/bsdly.net.traplist bgp-spamd:\ :black:\ :msg="Your address %A has sent mail to a spamtrap\n\ within the last 24 hours":\ :method=file:\ :file=/var/spamd.black whitelist:\ :white:\ :method=file:\ :file=/etc/mail/whitelist.txt
LogFile /var/www/logs/access.log OutputDir /var/www/htdocs/chezmoi.tld/stats ReportTitle Statistiques pour HostName chezmoi.tld LinkReferrer yes HTMLHead <style type="text/css"> HTMLHead body {background:#eceff4;color:#2e3440;line-height:1.4;margin:auto} HTMLHead table {border: 1px solid; padding:1ex} HTMLHead a {color:#5e81ac} HTMLHead th, td {border: 0} HTMLHead tr:nth-child(even){background-color: #e5e9f0;} HTMLHead tr:hover {background-color: #d8dee9;} HTMLHead </style> TopSites 75 TopURLs 50 TopReferrers 100 AllSites yes AllURLs yes AllReferrers yes AllSearchStr yes AllErrors yes HideSite *chezmoi.tld HideReferrer chezmoi.tld HideURL *.gif HideURL *.GIF HideURL *.jpg HideURL *.JPG HideURL *.png HideURL *.PNG HideURL *.css HideURL *.woff GroupReferrer google. Google Intl HideReferrer google. IgnoreURL /atom.xml IgnoreURL /sitemap.* IgnoreURL /favicon.* IgnoreURL /robots.txt ColorBackground eceff4 ColorText 2e3440 ColorLink 5e81ac ColorVLink 81a1c1 ColorALink 88c0d0 ColorHeadline d8dee9 ColorCounter 4c566a ColorHit 5e81ac ColorFile bf616a ColorSite d08770 ColorKbyte ebcb8b ColorPage a3be8c ColorVisit b48ead ColorMisc 8fbcbb ChartBackgroundColor eceff4 ChartLegendColor 2e3440 ChartShadowColor1 eceff4 ChartShadowColor2 d8dee9 TableBorder 0 ChartBorder 0