# listen both ipv4 and ipv6
listen = *, [::]
# imap better than pop
protocols = imap
ssl = yes
ssl_cert = </etc/ssl/athome.tld.crt
ssl_key = </etc/ssl/private/athome.tld.key
disable_plaintext_auth = yes
service auth {
user = $default_internal_user
group = _maildaemons
}
passdb {
args = scheme=blf-crypt /etc/mail/passwd
driver = passwd-file
}
userdb {
driver = static
args = uid=_vmail gid=_vmail home=/mnt/bigstorage/_vmail/%d/%n/
}
# Plugins
mail_plugins = $mail_plugins quota zlib
protocol imap {
mail_plugins = $mail_plugins imap_quota imap_zlib imap_sieve
}
plugin {
quota = maildir:User quota
quota_rule = *:storage=1G
quota_rule2 = Trash:storage=+100M
quota_grace = 50%%
quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is full"
zlib_save_level = 9 # 1..9; default is 6
zlib_save = gz # or bz2, xz or lz4
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_default = /usr/local/lib/dovecot/sieve/default.sieve
imapsieve_mailbox1_name = Junk
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
}
types { include "/usr/share/misc/mime.types" }
server "default" {
listen on * port 80
root "/htdocs/athome.tld"
}
server "athome.tld" {
listen on * port 80
block return 301 "https://$SERVER_NAME$REQUEST_URI"
}
server "athome.tld" {
alias "www.athome.tld"
listen on * tls port 443
root "/htdocs/athome.tld"
directory index index.html
log style combined
hsts preload
tls {
certificate "/etc/ssl/athome.tld.crt"
key "/etc/ssl/private/athome.tld.key"
}
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location "/Blog/" {
directory index index.php
}
location "*.php" {
fastcgi socket "/run/php-fpm.sock"
}
location "/DL/PDF/" {
directory auto index
}
location "/private/" {
authenticate "education" with "/htdocs/private.htpw"
directory auto index
}
}
server "site2.athome.tld" {
alias "www.site2.athome.tld"
listen on * port 80
listen on * tls port 443
root "/htdocs/site2"
directory index index.html
log access "site2.log"
hsts
tls {
certificate "/etc/ssl/athome.tld.crt"
key "/etc/ssl/private/athome.tld.key"
}
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location "*.php" {
fastcgi socket "/run/php-fpm.sock"
}
location "/downloads/" {
directory index index.php
}
}
server:
hide-version: yes
verbosity: 2
database: "" # disable database
zonesdir: "/var/nsd/zones/"
ip-address: 46.23.92.148
ip-address: 2a03:6000:9137::148
remote-control:
control-enable: yes
key:
name: "secretkey"
algorithm: hmac-sha256
secret: "i8f4FgDsldD11pHAqo9Ko="
zone:
name: "reiva.xyz"
zonefile: "signed/reiva.xyz"
provide-xfr: 109.190.128.23 secretkey
notify: 109.190.128.23 secretkey
# GANDI
provide-xfr: 217.70.177.40 NOKEY
notify: 217.70.177.40 NOKEY
# slaves
zone:
name: "athome.tld"
zonefile: "slave/athome.tld"
allow-notify: 109.190.128.23 secretkey
request-xfr: 109.190.128.23 secretkey
zone:
name: "ouaf.xyz"
zonefile: "slave/ouaf.xyz"
allow-notify: 109.190.128.23 secretkey
request-xfr: 109.190.128.23 secretkey
zone:
name: "3hg.fr"
zonefile: "slave/3hg.fr"
allow-notify: 109.190.128.23 secretkey
request-xfr: 109.190.128.23 secretkey
# See pf.conf(5) and /etc/examples/pf.conf
# Macros
## Interfaces to take care. egress should be enough
## but it's an example ^^
ifaces = "{ egress em0 em1 }"
## various ports
mail_ports = "{ submission imaps smtp }"
tcp_pass = "{ www https domain 1965 xmpp-client xmpp-server 5280 5281 62882 }" # 5280-5281 are xmpp-http, 62882 transmission
udp_pass = "{ domain 62882 }" # 62882 dht rtorrent
blocking_tcp="{ ftp ftp-data telnet finger sunrpc epmap netbios-ns netbios-dgm netbios-ssn microsoft-ds ipp ldaps ldp ms-sql-s ms-sql-m pptp mysql postgresql rfb rdp 27019 1194 ldap 8080 kerberos socks }"
# Tables
table <evils> persist
table <bruteforce> persist
table <sshguard> persist
table <pfbadhost> persist file "/etc/pf-badhost.txt"
table <solene> persist file "/etc/solene-block.txt"
table <spamd> persist
# Options
## increase limit for huge blocking table files
set limit table-entries 409600
## no not filter local
set skip on { lo }
# Avoid spoofing
antispoof for $ifaces
# Rules
## block by default
block
anchor "relayd/*" # so relayd works properly
## "quick" rules : the rest won't be read if it matches.
## This filter bad ip
### block unwanted sources, and don't go further
block log quick from <bruteforce> label "BRUTES"
block log quick from <evils> label "EVILS"
block log quick from <sshguard> label "SSHGUARD"
block log quick on $ifaces from <pfbadhost> label "PFBADHOST"
block log quick on $ifaces from <solene> label "SOLENE"
### Let in local network, or it is blocked by pfbadhost
pass in quick from 192.168.1.0/24 modulate state
### iblock : everything else is banned
pass in quick on $ifaces inet proto tcp to port $blocking_tcp rdr-to 127.0.0.1 port 2507
pass in quick on $ifaces inet6 proto tcp to port $blocking_tcp rdr-to ::1 port 2507
## Allow some incoming traffic
### spamd traps in blacklist only
pass in on $ifaces inet proto tcp from <spamd> to any port smtp \
divert-to 127.0.0.1 port spamd modulate state
### let ssh in, with anti bruteforce
pass in on $ifaces proto tcp to port ssh modulate state \
(source-track rule, \
max-src-conn 8, max-src-conn-rate 15/5, \
overload <bruteforce> flush global)
### same with email
pass in on $ifaces proto tcp to port $mail_ports modulate state \
(source-track rule, \
max-src-conn 100, max-src-conn-rate 50/100, \
overload <bruteforce> flush global)
### let some ports in
pass in on $ifaces proto tcp to port $tcp_pass modulate state
pass in on $ifaces proto udp to port $udp_pass
### allow ping, in and out
pass on $ifaces inet6 proto ipv6-icmp all icmp6-type echoreq
pass on $ifaces inet proto icmp all icmp-type echoreq
### Let all out
pass out on $ifaces proto { tcp udp }
ext_ip4 = "192.0.2.2"
ext_ip6 = "2001:db8::2
tcp protocol "gemini" {
tls keypair athome.tld-self
}
relay "gemini4" {
listen on $ext_ip4 port 1965 tls
protocol "gemini"
forward to localhost port 11965
}
relay "gemini6" {
listen on $ext_ip6 port 1965 tls
protocol "gemini"
forward to localhost port 11965
}
# in /etc/torrc:
# HiddenServiceDir /var/tor/hidden-gemini/
# HiddenServicePort 1965 localhost:11966
# relay tor hidden onion
relay "geminitor" {
listen on localhost port 11966 tls
protocol "gemini"
forward to localhost port 11965
}
http protocol "https" {
include "/etc/relayd.proxy.conf"
tls keypair athome.tld
}
http protocol "http" {
include "/etc/relayd.proxy.conf"
}
relay "www" {
listen on $ext_ip4 port 80
protocol "http"
forward to localhost port 8080
}
relay "www6" {
listen on $ext_ip6 port 80
protocol "http"
forward to localhost port 8080
}
relay "wwwtls" {
listen on $ext_ip4 port 443 tls
protocol "https"
forward to localhost port 8080
}
relay "wwwtls6" {
listen on $ext_ip6 port 443 tls
protocol "https"
forward to localhost port 8080
}
/etc/relayd.proxy.conf :
return error
return error style "body { background: silver; color: black; text-align:center } hr {border:0;
background-color:silver; color:silver; height:1px; width:30%; margin-top:50px;}"
match request header set "X-Forwarded-For" \
value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" \
value "$SERVER_ADDR:$SERVER_PORT"
match header set "Keep-Alive" value "$TIMEOUT"
block quick path "/wp-*" label '<em>Stop scanning for wordpress</em>.'
match request header remove "Proxy"
match response header set "Frame-Options" value "SAMEORIGIN"
match response header set "X-Xss-Protection" value "1; mode=block"
match response header set "X-Frame-Options" value "SAMEORIGIN"
match response header set "X-Robots-Tag" value "index,nofollow"
match response header set "X-Permitted-Cross-Domain-Policies" value "none"
match response header set "X-Download-Options" value "noopen"
match response header set "X-Content-Type-Options" value "nosniff"
match response header set "Referrer-Policy" value "no-referrer"
match response header set "Permissions-Policy" value "interest-cohort=()"
match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
match response header set "Content-Security-Policy" value "default-src 'self';"
match response header set "X-Powered-By" value "Powered by OpenBSD"
match request path "/*.css" tag "CACHE"
match request path "/*.js" tag "CACHE"
match request path "/*.atom" tag "CACHE"
match request path "/*.rss" tag "CACHE"
match request path "/*.xml" tag "CACHE"
match request path "/*.jpg" tag "CACHE"
match request path "/*.png" tag "CACHE"
match request path "/*.svg" tag "CACHE"
match request path "/*.gif" tag "CACHE"
match request path "/*.ico" tag "CACHE"
match request path "/*.html" tag "CACHE"
match request path "/*.gmi" tag "CACHE"
match request path "*/" tag "CACHE"
match response tagged "CACHE" header set "Cache-Control" value \
"public, max-age=86400"
match request path "/*.html" tag "HTML"
match response tagged "HTML" header set "Content-Type" value "text/html; charset=utf-8"
match request path "/*.txt" tag "TXT"
match request path "/*.md" tag "TXT"
match request path "/*.gmi" tag "TXT"
match response tagged "TXT" header set "Content-Type" value "text/plain; charset=utf-8"
pass
Example for multiple domains
# install :
# opensmtpd-filter-rspamd
# opensmtpd-filter-senderscore
table aliases "/etc/mail/aliases"
table domains "/etc/mail/domains"
table passwd "/etc/mail/passwd"
table virtuals "/etc/mail/virtuals"
pki athome.tld key "/etc/ssl/private/athome.tld.key"
pki athome.tld cert "/etc/ssl/athome.tld.crt"
pki domaine2.net key "/etc/ssl/private/domaine2.net.key"
pki domaine2.net cert "/etc/ssl/domaine2.net.crt"
pki autredomaine.xyz key "/etc/ssl/private/autredomaine.xyz.key"
pki autredomaine.xyz cert "/etc/ssl/autredomaine.xyz.crt"
# certificat par defaut
pki "*" key "/etc/ssl/private/athome.tld.key"
pki "*" cert "/etc/ssl/athome.tld.crt"
filter senderscore \
proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"
filter rspamd proc-exec "filter-rspamd"
listen on all tls pki athome.tld \
filter { senderscore, rspamd }
listen on all port submission tls-require pki athome.tld auth <passwd> \
filter rspamd
action "relay" relay
action relaybackup relay backup tls helo "athome.tld"
action "local_mail" maildir alias <aliases>
action virtual_maildir maildir "/home/_vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <virtuals>
match from any for domain <domains> action virtual_maildir
match from any for local action local_mail
match from any for domain friend.eu action relaybackup
match auth from any for any action "relay"
match for any action "relay"
Only one certificate matching all domains is used here.
We add some options on queue, because.
table aliases "/etc/mail/aliases"
table passwd "/etc/mail/passwd"
table virtuals "/etc/mail/virtuals"
table domains "/etc/mail/domains"
pki athome.tld key "/etc/ssl/private/athome.tld.key"
pki athome.tld cert "/etc/ssl/athome.tld.crt"
queue compression # less disk space
queue encryption 7dbecabecabeca45bce4aebc # encrypt all o/
filter senderscore \
proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"
listen on lo0 port 10028 tag DKIM
listen on lo0 port 10026 tag SPAMASSASSIN
listen on all tls pki athome.tld filter { senderscore }
listen on all port submission tls-require pki athome.tld auth <passwd>
action "envoi" relay
action dkimproxy relay host smtp://127.0.0.1:10027
action spamassassin relay host smtp://127.0.0.1:10025
action local_mail maildir alias <aliases>
action relaybackup relay backup mx "athome.tld" helo "athome.tld"
action virtual_maildir maildir "/var/vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <virtuals>
match for local action local_mail
match tag SPAMASSASSIN from any for domain <domains> action virtual_maildir
match from any for domain <domains> action spamassassin
match tag DKIM for any action "envoi"
match auth tag DKIM from any for any action "envoi"
match from any for domain copain.eu action relaybackup
match auth from any for any action dkimproxy
match for any action dkimproxy
table aliases "/etc/mail/aliases"
pki athome.tld.pki key "/etc/ssl/private/athome.tld.key"
pki athome.tld.pki cert "/etc/ssl/athome.tld.crt"
filter senderscore \
proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"
filter "spamassassin" proc-exec "filter-spamassassin"
filter "dkimsign" proc-exec "filter-dkimsign \
-d athome.tld \
-s pubkey \
-k /etc/dkim/private.key" \
user _dkimsign group _dkimsign
listen on all tls pki athome.tld.pki filter { spamassassin senderscore }
listen on all port submission tls-require pki athome.tld.pki auth \
filter dkimsign
action relayout relay
action relaybackup relay backup
action distribute maildir junk alias <aliases>
match for local action distribute
match from any for domain athome.tld action distribute
# backup for friends
match from any for domain friend.tld action relaybackup
match auth from any for any action relayout
match for any action relayout
All MX records
athome.tld domaine2.net other.xyz
all:\
:nixspam:bgp-spamd:bsdlyblack:whitelist:
# Nixspam recent sources list.
# Mirrored from http://www.heise.de/ix/nixspam
nixspam:\
:black:\
:msg="Your address %A is in the nixspam list\n\
See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
:method=http:\
:file=www.openbsd.org/spamd/nixspam.gz
bsdlyblack:\
:black:\
:msg="Your address %A is in the bsdly.net list":\
:method=http:\
:file=www.bsdly.net/~peter/bsdly.net.traplist
bgp-spamd:\
:black:\
:msg="Your address %A has sent mail to a spamtrap\n\
within the last 24 hours":\
:method=file:\
:file=/var/spamd.black
whitelist:\
:white:\
:method=file:\
:file=/etc/mail/whitelist.txt
LogFile /var/www/logs/access.log
OutputDir /var/www/htdocs/chezmoi.tld/stats
ReportTitle Statistiques pour
HostName chezmoi.tld
LinkReferrer yes
HTMLHead <style type="text/css">
HTMLHead body {background:#eceff4;color:#2e3440;line-height:1.4;margin:auto}
HTMLHead table {border: 1px solid; padding:1ex}
HTMLHead a {color:#5e81ac}
HTMLHead th, td {border: 0}
HTMLHead tr:nth-child(even){background-color: #e5e9f0;}
HTMLHead tr:hover {background-color: #d8dee9;}
HTMLHead </style>
TopSites 75
TopURLs 50
TopReferrers 100
AllSites yes
AllURLs yes
AllReferrers yes
AllSearchStr yes
AllErrors yes
HideSite *chezmoi.tld
HideReferrer chezmoi.tld
HideURL *.gif
HideURL *.GIF
HideURL *.jpg
HideURL *.JPG
HideURL *.png
HideURL *.PNG
HideURL *.css
HideURL *.woff
GroupReferrer google. Google Intl
HideReferrer google.
IgnoreURL /atom.xml
IgnoreURL /sitemap.*
IgnoreURL /favicon.*
IgnoreURL /robots.txt
ColorBackground eceff4
ColorText 2e3440
ColorLink 5e81ac
ColorVLink 81a1c1
ColorALink 88c0d0
ColorHeadline d8dee9
ColorCounter 4c566a
ColorHit 5e81ac
ColorFile bf616a
ColorSite d08770
ColorKbyte ebcb8b
ColorPage a3be8c
ColorVisit b48ead
ColorMisc 8fbcbb
ChartBackgroundColor eceff4
ChartLegendColor 2e3440
ChartShadowColor1 eceff4
ChartShadowColor2 d8dee9
TableBorder 0
ChartBorder 0