# Configuration examples

## /etc/dovecot/local.conf

```
# listen on both ipv4 and ipv6
listen = *, [::]

# imap better than pop
protocols = imap

ssl = yes
ssl_cert = <...>
```

[Extraction gap: the text between the "<" that opened the ssl_cert path and the first pf table name was stripped as markup. The end of the dovecot file, the heading of the pf.conf example and the pf macro definitions referenced below ($ifaces, $blocking_tcp, $tcp_pass, $udp_pass, $mail_ports) are missing. Likewise every table reference written as <name> in the pf rules was stripped; <...> marks each place one stood.]

```
table <...> persist
table <...> persist
table <...> persist
table <...> persist file "/etc/pf-badhost.txt"
table <...> persist file "/etc/solene-block.txt"
table <...> persist

# Options
## increase limit for huge blocking table files
set limit table-entries 409600

## do not filter local
set skip on { lo }

# Avoid spoofing
antispoof for $ifaces

# Rules
## block by default
block

anchor "relayd/*" # so relayd works properly

## "quick" rules : the rest won't be read if it matches.
## This filters bad IPs
### block unwanted sources, and don't go further
block log quick from <...> label "BRUTES"
block log quick from <...> label "EVILS"
block log quick from <...> label "SSHGUARD"
block log quick on $ifaces from <...> label "PFBADHOST"
block log quick on $ifaces from <...> label "SOLENE"

### Let in local network, or it is blocked by pfbadhost
pass in quick from 192.168.1.0/24 modulate state
### NOTE: the "block ... quick" rules above are evaluated first, so if the
### LAN range ever ends up in one of those tables this pass rule is never
### reached; place it above the block rules if the LAN must always get in.

### iblock : everything else is banned
pass in quick on $ifaces inet proto tcp to port $blocking_tcp rdr-to 127.0.0.1 port 2507
pass in quick on $ifaces inet6 proto tcp to port $blocking_tcp rdr-to ::1 port 2507

## Allow some incoming traffic
### spamd traps in blacklist only
pass in on $ifaces inet proto tcp from <...> to any port smtp \
    divert-to 127.0.0.1 port spamd modulate state

### let ssh in, with anti bruteforce
pass in on $ifaces proto tcp to port ssh modulate state \
    (source-track rule, \
    max-src-conn 8, max-src-conn-rate 15/5, \
    overload <...> flush global)

### same with email
pass in on $ifaces proto tcp to port $mail_ports modulate state \
    (source-track rule, \
    max-src-conn 100, max-src-conn-rate 50/100, \
    overload <...> flush global)

### let some ports in
pass in on $ifaces proto tcp to port $tcp_pass modulate state
pass in on $ifaces proto udp to port $udp_pass

### allow ping, in and out
pass on $ifaces inet6 proto ipv6-icmp all icmp6-type echoreq
pass on $ifaces inet proto icmp all icmp-type echoreq
### Let all out
pass out on $ifaces proto { tcp udp }
```

## /etc/relayd.conf

```
ext_ip4 = "192.0.2.2"
ext_ip6 = "2001:db8::2"

tcp protocol "gemini" {
    tls keypair athome.tld-self
}

relay "gemini4" {
    listen on $ext_ip4 port 1965 tls
    protocol "gemini"
    forward to localhost port 11965
}

relay "gemini6" {
    listen on $ext_ip6 port 1965 tls
    protocol "gemini"
    forward to localhost port 11965
}

# in /etc/torrc:
# HiddenServiceDir /var/tor/hidden-gemini/
# HiddenServicePort 1965 localhost:11966

# relay tor hidden onion
relay "geminitor" {
    listen on localhost port 11966 tls
    protocol "gemini"
    forward to localhost port 11965
}

http protocol "https" {
    include "/etc/relayd.proxy.conf"
    tls keypair athome.tld
}

http protocol "http" {
    include "/etc/relayd.proxy.conf"
}

relay "www" {
    listen on $ext_ip4 port 80
    protocol "http"
    forward to localhost port 8080
}

relay "www6" {
    listen on $ext_ip6 port 80
    protocol "http"
    forward to localhost port 8080
}

relay "wwwtls" {
    listen on $ext_ip4 port 443 tls
    protocol "https"
    forward to localhost port 8080
}

relay "wwwtls6" {
    listen on $ext_ip6 port 443 tls
    protocol "https"
    forward to localhost port 8080
}
```

/etc/relayd.proxy.conf :

```
return error
return error style "body { background: silver; color: black; text-align:center } hr {border:0; background-color:silver; color:silver; height:1px; width:30%; margin-top:50px;}"

match request header set "X-Forwarded-For" \
    value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" \
    value "$SERVER_ADDR:$SERVER_PORT"
match header set "Keep-Alive" value "$TIMEOUT"

block quick path "/wp-*" label 'Stop scanning for wordpress.'
match request header remove "Proxy"

match response header set "Frame-Options" value "SAMEORIGIN"
match response header set "X-Xss-Protection" value "1; mode=block"
match response header set "X-Frame-Options" value "SAMEORIGIN"
match response header set "X-Robots-Tag" value "index,nofollow"
match response header set "X-Permitted-Cross-Domain-Policies" value "none"
match response header set "X-Download-Options" value "noopen"
match response header set "X-Content-Type-Options" value "nosniff"
match response header set "Referrer-Policy" value "no-referrer"
match response header set "Permissions-Policy" value "interest-cohort=()"
match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
match response header set "Content-Security-Policy" value "default-src 'self';"
match response header set "X-Powered-By" value "Powered by OpenBSD"

match request path "/*.css" tag "CACHE"
match request path "/*.js" tag "CACHE"
match request path "/*.atom" tag "CACHE"
match request path "/*.rss" tag "CACHE"
match request path "/*.xml" tag "CACHE"
match request path "/*.jpg" tag "CACHE"
match request path "/*.png" tag "CACHE"
match request path "/*.svg" tag "CACHE"
match request path "/*.gif" tag "CACHE"
match request path "/*.ico" tag "CACHE"
match request path "/*.html" tag "CACHE"
match request path "/*.gmi" tag "CACHE"
match request path "*/" tag "CACHE"
match response tagged "CACHE" header set "Cache-Control" value \
    "public, max-age=86400"

match request path "/*.html" tag "HTML"
match response tagged "HTML" header set "Content-Type" value "text/html; charset=utf-8"

match request path "/*.txt" tag "TXT"
match request path "/*.md" tag "TXT"
match request path "/*.gmi" tag "TXT"
match response tagged "TXT" header set "Content-Type" value "text/plain; charset=utf-8"

pass
```

## /etc/mail/smtpd.conf

Example for multiple domains

### Example 1 (rspamd)

```
# install :
# opensmtpd-filter-rspamd
# opensmtpd-filter-senderscore

table aliases \
"/etc/mail/aliases"
table domains "/etc/mail/domains"
table passwd "/etc/mail/passwd"
table virtuals "/etc/mail/virtuals"

# NOTE: table references written as <name> were stripped when this page was
# extracted; <...> marks each place one stood.

pki athome.tld key "/etc/ssl/private/athome.tld.key"
pki athome.tld cert "/etc/ssl/athome.tld.crt"
pki domaine2.net key "/etc/ssl/private/domaine2.net.key"
pki domaine2.net cert "/etc/ssl/domaine2.net.crt"
pki autredomaine.xyz key "/etc/ssl/private/autredomaine.xyz.key"
pki autredomaine.xyz cert "/etc/ssl/autredomaine.xyz.crt"

# certificat par defaut
pki "*" key "/etc/ssl/private/athome.tld.key"
pki "*" cert "/etc/ssl/athome.tld.crt"

filter senderscore \
    proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"
filter rspamd proc-exec "filter-rspamd"

listen on all tls pki athome.tld \
    filter { senderscore, rspamd }
listen on all port submission tls-require pki athome.tld auth \
    filter rspamd

action "relay" relay
action relaybackup relay backup tls helo "athome.tld"
action "local_mail" maildir alias <...>
action virtual_maildir maildir "/home/_vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <...>

match from any for domain <...> action virtual_maildir
match from any for local action local_mail
match from any for domain friend.eu action relaybackup
match auth from any for any action "relay"
match for any action "relay"
```

### Example 2 (spamassassin + dkimproxy)

Only one certificate matching all domains is used here. We also add some queue options, just because.
```
table aliases "/etc/mail/aliases"
table passwd "/etc/mail/passwd"
table virtuals "/etc/mail/virtuals"
table domains "/etc/mail/domains"

# NOTE: table references written as <name> were stripped when this page was
# extracted; <...> marks each place one stood.

pki athome.tld key "/etc/ssl/private/athome.tld.key"
pki athome.tld cert "/etc/ssl/athome.tld.crt"

queue compression # less disk space
queue encryption 7dbecabecabeca45bce4aebc # encrypt all o/

filter senderscore \
    proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"

listen on lo0 port 10028 tag DKIM
listen on lo0 port 10026 tag SPAMASSASSIN
listen on all tls pki athome.tld filter { senderscore }
listen on all port submission tls-require pki athome.tld auth

action "envoi" relay
action dkimproxy relay host smtp://127.0.0.1:10027
action spamassassin relay host smtp://127.0.0.1:10025
action local_mail maildir alias <...>
action relaybackup relay backup mx "athome.tld" helo "athome.tld"
action virtual_maildir maildir "/var/vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <...>

match for local action local_mail
match tag SPAMASSASSIN from any for domain <...> action virtual_maildir
match from any for domain <...> action spamassassin
match tag DKIM for any action "envoi"
match auth tag DKIM from any for any action "envoi"
match from any for domain copain.eu action relaybackup
match auth from any for any action dkimproxy
match for any action dkimproxy
```

### Example 3 (spamassassin + senderscore + opensmtpd-filters)

```
table aliases "/etc/mail/aliases"

pki athome.tld.pki key "/etc/ssl/private/athome.tld.key"
pki athome.tld.pki cert "/etc/ssl/athome.tld.crt"

filter senderscore \
    proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"
filter "spamassassin" proc-exec "filter-spamassassin"
filter "dkimsign" proc-exec "filter-dkimsign \
    -d athome.tld \
    -s pubkey \
    -k /etc/dkim/private.key" \
    user _dkimsign group _dkimsign

listen on all tls pki athome.tld.pki filter { spamassassin senderscore }
listen on all port submission tls-require pki athome.tld.pki auth \
    filter dkimsign

action relayout relay
action relaybackup \
relay backup
# NOTE: the table reference written as <name> after "alias" was stripped when
# this page was extracted; <...> marks where it stood.
action distribute maildir junk alias <...>

match for local action distribute
match from any for domain athome.tld action distribute

# backup for friends
match from any for domain friend.tld action relaybackup

match auth from any for any action relayout
match for any action relayout
```

### /etc/mail/domains

All MX records

```
athome.tld
domaine2.net
other.xyz
```

## /etc/mail/spamd.conf

```
all:\
    :nixspam:bgp-spamd:bsdlyblack:whitelist:

# Nixspam recent sources list.
# Mirrored from http://www.heise.de/ix/nixspam
nixspam:\
    :black:\
    :msg="Your address %A is in the nixspam list\n\
    See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
    :method=http:\
    :file=www.openbsd.org/spamd/nixspam.gz

bsdlyblack:\
    :black:\
    :msg="Your address %A is in the bsdly.net list":\
    :method=http:\
    :file=www.bsdly.net/~peter/bsdly.net.traplist

bgp-spamd:\
    :black:\
    :msg="Your address %A has sent mail to a spamtrap\n\
    within the last 24 hours":\
    :method=file:\
    :file=/var/spamd.black

whitelist:\
    :white:\
    :method=file:\
    :file=/etc/mail/whitelist.txt
```

## /etc/webalizer.conf

```
LogFile /var/www/logs/access.log
OutputDir /var/www/htdocs/chezmoi.tld/stats
ReportTitle Statistiques pour
HostName chezmoi.tld
LinkReferrer yes
# the HTMLHead argument (written as <...> markup) was stripped when this page was extracted
HTMLHead <...>
TopSites 75
TopURLs 50
TopReferrers 100
AllSites yes
AllURLs yes
AllReferrers yes
AllSearchStr yes
AllErrors yes
HideSite *chezmoi.tld
HideReferrer chezmoi.tld
HideURL *.gif
HideURL *.GIF
HideURL *.jpg
HideURL *.JPG
HideURL *.png
HideURL *.PNG
HideURL *.css
HideURL *.woff
GroupReferrer google. Google Intl
HideReferrer google.
IgnoreURL /atom.xml
IgnoreURL /sitemap.*
IgnoreURL /favicon.*
IgnoreURL /robots.txt

ColorBackground eceff4
ColorText 2e3440
ColorLink 5e81ac
ColorVLink 81a1c1
ColorALink 88c0d0
ColorHeadline d8dee9
ColorCounter 4c566a
ColorHit 5e81ac
ColorFile bf616a
ColorSite d08770
ColorKbyte ebcb8b
ColorPage a3be8c
ColorVisit b48ead
ColorMisc 8fbcbb
ChartBackgroundColor eceff4
ChartLegendColor 2e3440
ChartShadowColor1 eceff4
ChartShadowColor2 d8dee9
TableBorder 0
ChartBorder 0
```

---

=> ../ Table of contents
=> /thanks/ Donate