cd / ; apropos ; find * ;
Table des matières

Exemples de configuration #

/etc/dovecot/local.conf #

# listen both ipv4 and ipv6
listen = *, [::]

# imap c'est mieux que pop
protocols = imap 

# securisation via ssl
ssl = yes
ssl_cert = </etc/ssl/chezmoi.tld.crt
ssl_key = </etc/ssl/private/chezmoi.tld.key
# pas de plaintext
disable_plaintext_auth = yes

# Modification des permissions pour limiter la lecture du fichier des mots de passe
# au groupe _maildaemons
service auth {
  user = $default_internal_user
  group = _maildaemons
}

# Identification par fichier
passdb {
    args = scheme=blf-crypt /etc/mail/passwd
    driver = passwd-file
}

userdb {
    driver = static
    args = uid=_vmail gid=_vmail home=/mnt/bigstorage/_vmail/%d/%n/ 
}

# Plugins
mail_plugins = $mail_plugins quota zlib
# Activation des plugins : 
# - Support des quotas
# - zlib limite la bande passante par compression
# - sieve pour filtres personalises. **Il faut le paquet dovecot-pigeonhole**
protocol imap {
    mail_plugins = $mail_plugins imap_quota imap_zlib imap_sieve
}


# Configuration des plugins
plugin {
  #plugin quota
  quota = maildir:User quota
  quota_rule = *:storage=1G
  quota_rule2 = Trash:storage=+100M
  quota_grace = 50%%
  quota_status_success = DUNNO
  quota_status_nouser = DUNNO
  quota_status_overquota = "552 5.2.2 Mailbox is full"

  # Compression maxi
  zlib_save_level = 9 # 1..9; default is 6
  zlib_save = gz # or bz2, xz or lz4

  # Sieve
  sieve_plugins = sieve_imapsieve sieve_extprograms

  # Script sieve exécute par defaut (antispam)
  sieve_default = /usr/local/lib/dovecot/sieve/default.sieve

  # Scripte pour enregistrer comme spam quand mails deplace dans dossier Junk
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve

  # Enregistrer mail comme pas-spam si retire du dossier Junk
  imapsieve_mailbox2_name = *
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve

  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve

  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
}

/etc/httpd.conf #

types { include "/usr/share/misc/mime.types" }
default type text/plain

server "default" {
    listen on * port 80 
    root "/htdocs/chezmoi.tld" 
} 

server "chezmoi.tld" {
    listen on * port 80
    block return 301 "https://$SERVER_NAME$REQUEST_URI"
}

server "chezmoi.tld" { 
    alias "www.chezmoi.tld"
    listen on * tls port 443 
    root "/htdocs/chezmoi.tld" 
    directory index index.html
    log style combined

    hsts preload
    tls {
        certificate "/etc/ssl/chezmoi.tld.crt"
        key "/etc/ssl/private/chezmoi.tld.key"
    }

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }

    location "/Blog/" {
        directory index index.php
    }

    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }

    location "/DL/PDF/" {
        directory auto index
    }

    location "/private/" {
        authenticate "education" with "/htdocs/private.htpw"
        directory auto index
    }
}

server "site2.chezmoi.tld" { 
    alias "www.site2.chezmoi.tld"
    listen on * port 80 
    listen on * tls port 443 
    root "/htdocs/site2" 
    directory index index.html
    log access "site2.log"

    hsts 
    tls {
        certificate "/etc/ssl/chezmoi.tld.crt"
        key "/etc/ssl/private/chezmoi.tld.key"
    }

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }

    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
    location "/downloads/" {
        directory index index.php
    }
} 

/var/nsd/etc/nsd.conf #

server:
        hide-version: yes
        verbosity: 2
        database: "" # disable database
        zonesdir: "/var/nsd/zones/"
        ip-address: 46.23.92.148
        ip-address: 2a03:6000:9137::148 

remote-control:
        control-enable: yes

key:
        name: "secretkey"
        algorithm: hmac-sha256
        secret: "i8f4FgDsldD11pHAqo9Ko="

zone:
        name: "reiva.xyz"
        zonefile: "signed/reiva.xyz"
        provide-xfr: 109.190.128.23 secretkey
        notify: 109.190.128.23 secretkey

        # GANDI
        provide-xfr: 217.70.177.40 NOKEY
        notify: 217.70.177.40 NOKEY


# slaves
zone:
        name: "chezmoi.tld"
        zonefile: "slave/chezmoi.tld"
        allow-notify: 109.190.128.23 secretkey
        request-xfr:  109.190.128.23 secretkey

zone:
        name: "ouaf.xyz"
        zonefile: "slave/ouaf.xyz"
        allow-notify: 109.190.128.23 secretkey
        request-xfr:  109.190.128.23 secretkey

zone:
        name: "3hg.fr"
        zonefile: "slave/3hg.fr"
        allow-notify: 109.190.128.23 secretkey
        request-xfr:  109.190.128.23 secretkey

/etc/pf.conf #

# See pf.conf(5) and /etc/examples/pf.conf

# Macros
## Interfaces to take care. egress should be enough
## but it's an example ^^
ifaces = "{ egress em0 em1 }"
## various ports
mail_ports = "{ submission imaps smtp }"
tcp_pass = "{ www https domain 1965 xmpp-client xmpp-server 5280 5281 62882 }" # 5280-5281 are xmpp-http, 62882 transmission
udp_pass = "{ domain 62882 }" # 62882 dht rtorrent
blocking_tcp="{ ftp ftp-data telnet finger sunrpc epmap netbios-ns netbios-dgm netbios-ssn microsoft-ds ipp ldaps ldp ms-sql-s ms-sql-m pptp mysql postgresql rfb rdp 27019 1194 ldap 8080 kerberos socks }"

# Tables
table <evils> persist
table <bruteforce> persist
table <sshguard> persist
table <pfbadhost> persist file "/etc/pf-badhost.txt"
table <solene> persist file "/etc/solene-block.txt"
table <spamd> persist

# Options
## increase limit for huge blocking table files
set limit table-entries 409600
## no not filter local
set skip on { lo }

# Avoid spoofing
antispoof for $ifaces

# Rules
## block by default 
block
anchor "relayd/*" # so relayd works properly

## "quick" rules : the rest won't be read if it matches.
## This filter bad ip
### block unwanted sources, and don't go further
block log quick from <bruteforce> label "BRUTES"
block log quick from <evils>  label "EVILS"
block log quick from <sshguard> label "SSHGUARD"
block log quick on $ifaces from <pfbadhost> label "PFBADHOST"
block log quick on $ifaces from <solene> label "SOLENE"

### Let in local network, or it is blocked by pfbadhost 
pass in quick from 192.168.1.0/24 modulate state

### iblock : everything else is banned
pass in quick on $ifaces inet proto tcp to port $blocking_tcp rdr-to 127.0.0.1 port 2507
pass in quick on $ifaces inet6 proto tcp to port $blocking_tcp rdr-to ::1 port 2507

## Allow some incoming traffic
### spamd traps in blacklist only
pass in on $ifaces inet proto tcp from <spamd> to any port smtp \
    divert-to 127.0.0.1 port spamd modulate state

### let ssh in, with anti bruteforce
pass in on $ifaces proto tcp to port ssh modulate state \
    (source-track rule, \
    max-src-conn 8, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global)

### same with email
pass in on $ifaces proto tcp to port $mail_ports modulate state \
    (source-track rule, \
    max-src-conn 100, max-src-conn-rate 50/100, \
    overload <bruteforce> flush global)


### let some ports in 
pass in on $ifaces proto tcp to port $tcp_pass modulate state
pass in on $ifaces proto udp to port $udp_pass

### allow ping, in and out
pass on $ifaces inet6 proto ipv6-icmp all icmp6-type echoreq
pass on $ifaces inet proto icmp all icmp-type echoreq

### Let all out 
pass out on $ifaces proto { tcp udp }

/etc/relayd.conf #

Fichier /etc/relayd.conf :

ext_ip4 = "192.0.2.2"
ext_ip6 = "2001:db8::2

tcp protocol "gemini" {
        tls keypair chezmoi.tld-self
}

relay "gemini4" {
        listen on $ext_ip4 port 1965 tls
        protocol "gemini"
        forward to localhost port 11965
}
relay "gemini6" {
        listen on $ext_ip6 port 1965 tls
        protocol "gemini"
        forward to localhost port 11965
}
# in /etc/torrc:
# HiddenServiceDir /var/tor/hidden-gemini/
# HiddenServicePort 1965 localhost:11966
# relay tor hidden onion
relay "geminitor" {
        listen on localhost port 11966 tls
        protocol "gemini"
        forward to localhost port 11965
}
http protocol "https" {
        include "/etc/relayd.proxy.conf"
        tls keypair chezmoi.tld
}
http protocol "http" {
        include "/etc/relayd.proxy.conf"
}

relay "www" {
        listen on $ext_ip4 port 80
        protocol "http"
        forward to localhost port 8080
}
relay "www6" {
        listen on $ext_ip6 port 80
        protocol "http"
        forward to localhost port 8080
}

relay "wwwtls" {
        listen on $ext_ip4 port 443 tls
        protocol "https"
        forward to localhost port 8080
}
relay "wwwtls6" {
        listen on $ext_ip6 port 443 tls
        protocol "https"
        forward to localhost port 8080
}

Fichier /etc/relayd.proxy.conf :

# block par défaut, puis ouvre cas par cas
return error

# apparence de l'erreur
return error style "body { background: silver; color: black; text-align:center } hr {border:0;
background-color:silver; color:silver; height:1px; width:30%; margin-top:50px;}"

# Pour garder l'IP source
match request header set "X-Forwarded-For" \
    value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" \
    value "$SERVER_ADDR:$SERVER_PORT"

# Pour https
match header set "Keep-Alive" value "$TIMEOUT"

# anti robots sur wordpress que je n'ai pas
block quick path "/wp-*" label '<em>Stop scanning for wordpress</em>.'

# Securite
match request header remove "Proxy"
match response header set "Frame-Options" value "SAMEORIGIN"
match response header set "X-Xss-Protection" value "1; mode=block"
match response header set "X-Frame-Options" value "SAMEORIGIN"
match response header set "X-Robots-Tag" value "index,nofollow"
match response header set "X-Permitted-Cross-Domain-Policies" value "none"
match response header set "X-Download-Options" value "noopen"
match response header set "X-Content-Type-Options" value "nosniff"
match response header set "Referrer-Policy" value "no-referrer"
match response header set "Permissions-Policy" value "interest-cohort=()"
match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
match response header set "Content-Security-Policy" value "default-src 'self';"

# fun
match response header set "X-Powered-By" value "Powered by OpenBSD"

# etiquettes pour gestion du cache
match request path "/*.css" tag "CACHE"
match request path "/*.js" tag "CACHE"
match request path "/*.atom" tag "CACHE"
match request path "/*.rss" tag "CACHE"
match request path "/*.xml" tag "CACHE"
match request path "/*.jpg" tag "CACHE"
match request path "/*.png" tag "CACHE"
match request path "/*.svg" tag "CACHE"
match request path "/*.gif" tag "CACHE"
match request path "/*.ico" tag "CACHE"
match request path "/*.html" tag "CACHE"
match request path "/*.gmi" tag "CACHE"
match request path "*/" tag "CACHE"

match response tagged "CACHE" header set "Cache-Control" value \
    "public, max-age=86400"

# etiquette pour utf-8 
match request path "/*.html" tag "HTML"
match response tagged "HTML" header set "Content-Type" value "text/html; charset=utf-8"

match request path "/*.txt" tag "TXT"
match request path "/*.md" tag "TXT"
match request path "/*.gmi" tag "TXT"
match response tagged "TXT" header set "Content-Type" value "text/plain; charset=utf-8"


pass

/etc/mail/smtpd.conf #

Exemple de configuration avec gestion de plusieurs domaines.

Exemple 1 (rspamd) #

# install :
#   opensmtpd-filter-rspamd
#   opensmtpd-filter-senderscore

table aliases "/etc/mail/aliases"
table domains "/etc/mail/domains"
table passwd "/etc/mail/passwd"
table virtuals "/etc/mail/virtuals"

pki chezmoi.tld key "/etc/ssl/private/chezmoi.tld.key"
pki chezmoi.tld cert "/etc/ssl/chezmoi.tld.crt"
pki domaine2.net key "/etc/ssl/private/domaine2.net.key"
pki domaine2.net cert "/etc/ssl/domaine2.net.crt"
pki autredomaine.xyz key "/etc/ssl/private/autredomaine.xyz.key"
pki autredomaine.xyz cert "/etc/ssl/autredomaine.xyz.crt"
# certificat par defaut
pki "*" key "/etc/ssl/private/chezmoi.tld.key"
pki "*" cert "/etc/ssl/chezmoi.tld.crt"

filter senderscore \
         proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"
filter rspamd proc-exec "filter-rspamd"

# LISTEN ##
# RECEPTION DE MESSAGES
listen on all tls pki chezmoi.tld \
    filter { senderscore, rspamd }
# ENVOI DE MESSAGES #
listen on all port submission tls-require pki chezmoi.tld auth <passwd> \
    filter rspamd

# ACTIONS ##
action "relay" relay
action relaybackup relay backup tls helo "chezmoi.tld"
action "local_mail" maildir alias <aliases>
action virtual_maildir maildir "/home/_vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <virtuals>

# MATCH ##
# RECEPTION
match from any for domain <domains> action virtual_maildir
match from any for local action local_mail

# ENVOI
# backup
match from any for domain friend.eu action relaybackup

match auth from any for any action "relay"
match for any action "relay"

Exemple 2 (spamassassin + dkimproxy) #

Tous les domaines sont gérés par un seul certificat ici, pour plus de simplicité.

On ajoute des options sur la file d'attente, parce que.

# Configuration generale
# Tables 
table aliases "/etc/mail/aliases"
table passwd "/etc/mail/passwd"
table virtuals "/etc/mail/virtuals"
table domains "/etc/mail/domains"

# Certificats
pki chezmoi.tld key "/etc/ssl/private/chezmoi.tld.key"
pki chezmoi.tld cert "/etc/ssl/chezmoi.tld.crt"

# options sur la file d'attente
queue compression # less disk space
queue encryption 7dbecabecabeca45bce4aebc # encrypt all o/

filter senderscore \
         proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"

# Ecoute pour messages signes avec dkimproxy
listen on lo0 port 10028 tag DKIM   
# Messages verifies par spamassassin
listen on lo0 port 10026 tag SPAMASSASSIN

# Reception
listen on all tls pki chezmoi.tld filter { senderscore }
# Envoi avec client de messagerie
listen on all port submission tls-require pki chezmoi.tld auth <passwd> 

# ACTIONS
action "envoi" relay 
action dkimproxy relay host smtp://127.0.0.1:10027 
action spamassassin relay host smtp://127.0.0.1:10025 

action local_mail maildir alias <aliases>

action relaybackup relay backup mx "chezmoi.tld" helo "chezmoi.tld"

action virtual_maildir maildir "/var/vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <virtuals>

# Correspondances
# Reception
# Message pour les utilisateurs locaux
match for local action local_mail
# Message pour les utilisateurs virtuels
match tag SPAMASSASSIN from any for domain <domains> action virtual_maildir
# Messages a faire verifier par spamassassin
match from any for domain <domains> action spamassassin

# Envoi
# Mail sortant portant une signature DKIM
match tag DKIM for any action "envoi"
match auth tag DKIM from any for any action "envoi"

# backup pour les copains
match from any for domain copain.eu action relaybackup

# Mail en envoi pas encore signe avec DKIM
match auth from any for any action dkimproxy
match for any action dkimproxy

Exemple 3 (spamassassin + senderscore + opensptmd-filters) #

table aliases "/etc/mail/aliases"

pki chezmoi.tld.g.pki key "/etc/ssl/private/athome.tld.key"
pki chezmoi.tld.g.pki cert "/etc/ssl/athome.tld.crt"

filter senderscore \
         proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"
filter "spamassassin" proc-exec "filter-spamassassin"
filter "dkimsign" proc-exec "filter-dkimsign \
	-d chezmoi.tld.g \
	-s pubkey \
	-k /etc/dkim/private.key" \
	user _dkimsign group _dkimsign

listen on all tls pki chezmoi.tld.g.pki filter { spamassassin senderscore }
    
listen on all port submission tls-require pki chezmoi.tld.g.pki auth \
    filter dkimsign 

action relayout relay
action relaybackup relay backup
action distribute maildir junk alias <aliases>

match for local action distribute
match from any for domain chezmoi.tld.g action distribute

# backup for friends
match from any for domain friend.tld action relaybackup

match auth from any for any action relayout
match for any action relayout

/etc/mail/domains #

Indiquez ici tous vos enregistrements MX.

chezmoi.tld 
domaine2.net 
autredomaine.xyz 

/etc/mail/spamd.conf #

all:\
        :nixspam:bgp-spamd:bsdlyblack:whitelist:

# Nixspam recent sources list.
# Mirrored from http://www.heise.de/ix/nixspam
nixspam:\
        :black:\
        :msg="Your address %A is in the nixspam list\n\
        See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
        :method=http:\
        :file=www.openbsd.org/spamd/nixspam.gz

bsdlyblack:\
        :black:\
        :msg="Your address %A is in the bsdly.net list":\
        :method=http:\
        :file=www.bsdly.net/~peter/bsdly.net.traplist

bgp-spamd:\
         :black:\
         :msg="Your address %A has sent mail to a spamtrap\n\
          within the last 24 hours":\
         :method=file:\
         :file=/var/spamd.black

whitelist:\
        :white:\
        :method=file:\
        :file=/etc/mail/whitelist.txt

/etc/webalizer.conf #

# With nord colorscheme : 
LogFile     /var/www/logs/access.log
OutputDir   /var/www/htdocs/chezmoi.tld/stats
ReportTitle Statistiques pour 
HostName    chezmoi.tld
LinkReferrer    yes
HTMLHead    <style type="text/css">
HTMLHead    body {background:#eceff4;color:#2e3440;line-height:1.4;margin:auto}
HTMLHead    table {border: 1px solid; padding:1ex}
HTMLHead    a {color:#5e81ac}
HTMLHead    th, td {border: 0}
HTMLHead    tr:nth-child(even){background-color: #e5e9f0;}
HTMLHead    tr:hover {background-color: #d8dee9;}
HTMLHead    </style>
TopSites    75
TopURLs     50
TopReferrers    100
AllSites    yes
AllURLs     yes
AllReferrers    yes
AllSearchStr    yes
AllErrors   yes
HideSite    *chezmoi.tld
HideReferrer    chezmoi.tld
HideURL       *.gif
HideURL       *.GIF
HideURL       *.jpg
HideURL       *.JPG
HideURL       *.png
HideURL       *.PNG
HideURL       *.css
HideURL       *.woff
GroupReferrer google. Google Intl
HideReferrer google.
IgnoreURL   /atom.xml
IgnoreURL   /sitemap.*
IgnoreURL   /favicon.*
IgnoreURL   /robots.txt
ColorBackground eceff4
ColorText       2e3440
ColorLink       5e81ac
ColorVLink      81a1c1
ColorALink      88c0d0
ColorHeadline   d8dee9
ColorCounter    4c566a
ColorHit        5e81ac
ColorFile       bf616a
ColorSite       d08770
ColorKbyte      ebcb8b
ColorPage       a3be8c
ColorVisit      b48ead
ColorMisc       8fbcbb
ChartBackgroundColor    eceff4
ChartLegendColor        2e3440
ChartShadowColor1       eceff4
ChartShadowColor2       d8dee9
TableBorder     0
ChartBorder     0

Table des matières

Donate