cd /
;
apropos
;
find *
;
# listen both ipv4 and ipv6 listen = *, [::] # imap c'est mieux que pop protocols = imap # securisation via ssl ssl = yes ssl_cert = </etc/ssl/chezmoi.tld.crt ssl_key = </etc/ssl/private/chezmoi.tld.key # pas de plaintext disable_plaintext_auth = yes # Modification des permissions pour limiter la lecture du fichier des mots de passe # au groupe _maildaemons service auth { user = $default_internal_user group = _maildaemons } # Identification par fichier passdb { args = scheme=blf-crypt /etc/mail/passwd driver = passwd-file } userdb { driver = static args = uid=_vmail gid=_vmail home=/mnt/bigstorage/_vmail/%d/%n/ } # Plugins mail_plugins = $mail_plugins quota zlib # Activation des plugins : # - Support des quotas # - zlib limite la bande passante par compression # - sieve pour filtres personalises. **Il faut le paquet dovecot-pigeonhole** protocol imap { mail_plugins = $mail_plugins imap_quota imap_zlib imap_sieve } # Configuration des plugins plugin { #plugin quota quota = maildir:User quota quota_rule = *:storage=1G quota_rule2 = Trash:storage=+100M quota_grace = 50%% quota_status_success = DUNNO quota_status_nouser = DUNNO quota_status_overquota = "552 5.2.2 Mailbox is full" # Compression maxi zlib_save_level = 9 # 1..9; default is 6 zlib_save = gz # or bz2, xz or lz4 # Sieve sieve_plugins = sieve_imapsieve sieve_extprograms # Script sieve exécute par defaut (antispam) sieve_default = /usr/local/lib/dovecot/sieve/default.sieve # Scripte pour enregistrer comme spam quand mails deplace dans dossier Junk imapsieve_mailbox1_name = Junk imapsieve_mailbox1_causes = COPY imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve # Enregistrer mail comme pas-spam si retire du dossier Junk imapsieve_mailbox2_name = * imapsieve_mailbox2_from = Junk imapsieve_mailbox2_causes = COPY imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment }
types { include "/usr/share/misc/mime.types" } default type text/plain server "default" { listen on * port 80 root "/htdocs/chezmoi.tld" } server "chezmoi.tld" { listen on * port 80 block return 301 "https://$SERVER_NAME$REQUEST_URI" } server "chezmoi.tld" { alias "www.chezmoi.tld" listen on * tls port 443 root "/htdocs/chezmoi.tld" directory index index.html log style combined hsts preload tls { certificate "/etc/ssl/chezmoi.tld.crt" key "/etc/ssl/private/chezmoi.tld.key" } location "/.well-known/acme-challenge/*" { root "/acme" request strip 2 } location "/Blog/" { directory index index.php } location "*.php" { fastcgi socket "/run/php-fpm.sock" } location "/DL/PDF/" { directory auto index } location "/private/" { authenticate "education" with "/htdocs/private.htpw" directory auto index } } server "site2.chezmoi.tld" { alias "www.site2.chezmoi.tld" listen on * port 80 listen on * tls port 443 root "/htdocs/site2" directory index index.html log access "site2.log" hsts tls { certificate "/etc/ssl/chezmoi.tld.crt" key "/etc/ssl/private/chezmoi.tld.key" } location "/.well-known/acme-challenge/*" { root "/acme" request strip 2 } location "*.php" { fastcgi socket "/run/php-fpm.sock" } location "/downloads/" { directory index index.php } }
server: hide-version: yes verbosity: 2 database: "" # disable database zonesdir: "/var/nsd/zones/" ip-address: 46.23.92.148 ip-address: 2a03:6000:9137::148 remote-control: control-enable: yes key: name: "secretkey" algorithm: hmac-sha256 secret: "i8f4FgDsldD11pHAqo9Ko=" zone: name: "reiva.xyz" zonefile: "signed/reiva.xyz" provide-xfr: 109.190.128.23 secretkey notify: 109.190.128.23 secretkey # GANDI provide-xfr: 217.70.177.40 NOKEY notify: 217.70.177.40 NOKEY # slaves zone: name: "chezmoi.tld" zonefile: "slave/chezmoi.tld" allow-notify: 109.190.128.23 secretkey request-xfr: 109.190.128.23 secretkey zone: name: "ouaf.xyz" zonefile: "slave/ouaf.xyz" allow-notify: 109.190.128.23 secretkey request-xfr: 109.190.128.23 secretkey zone: name: "3hg.fr" zonefile: "slave/3hg.fr" allow-notify: 109.190.128.23 secretkey request-xfr: 109.190.128.23 secretkey
# See pf.conf(5) and /etc/examples/pf.conf # Macros ## Interfaces to take care. egress should be enough ## but it's an example ^^ ifaces = "{ egress em0 em1 }" ## various ports mail_ports = "{ submission imaps smtp }" tcp_pass = "{ www https domain 1965 xmpp-client xmpp-server 5280 5281 62882 }" # 5280-5281 are xmpp-http, 62882 transmission udp_pass = "{ domain 62882 }" # 62882 dht rtorrent blocking_tcp="{ ftp ftp-data telnet finger sunrpc epmap netbios-ns netbios-dgm netbios-ssn microsoft-ds ipp ldaps ldp ms-sql-s ms-sql-m pptp mysql postgresql rfb rdp 27019 1194 ldap 8080 kerberos socks }" # Tables table <evils> persist table <bruteforce> persist table <sshguard> persist table <pfbadhost> persist file "/etc/pf-badhost.txt" table <solene> persist file "/etc/solene-block.txt" table <spamd> persist # Options ## increase limit for huge blocking table files set limit table-entries 409600 ## no not filter local set skip on { lo } # Avoid spoofing antispoof for $ifaces # Rules ## block by default block anchor "relayd/*" # so relayd works properly ## "quick" rules : the rest won't be read if it matches. ## This filter bad ip ### block unwanted sources, and don't go further block log quick from <bruteforce> label "BRUTES" block log quick from <evils> label "EVILS" block log quick from <sshguard> label "SSHGUARD" block log quick on $ifaces from <pfbadhost> label "PFBADHOST" block log quick on $ifaces from <solene> label "SOLENE" ### Let in local network, or it is blocked by pfbadhost pass in quick from 192.168.1.0/24 modulate state ### iblock : everything else is banned pass in quick on $ifaces inet proto tcp to port $blocking_tcp rdr-to 127.0.0.1 port 2507 pass in quick on $ifaces inet6 proto tcp to port $blocking_tcp rdr-to ::1 port 2507 ## Allow some incoming traffic ### spamd traps in blacklist only pass in on $ifaces inet proto tcp from <spamd> to any port smtp \ divert-to 127.0.0.1 port spamd modulate state ### let ssh in, with anti bruteforce pass in on $ifaces proto tcp to port ssh modulate state \ (source-track rule, \ max-src-conn 8, max-src-conn-rate 15/5, \ overload <bruteforce> flush global) ### same with email pass in on $ifaces proto tcp to port $mail_ports modulate state \ (source-track rule, \ max-src-conn 100, max-src-conn-rate 50/100, \ overload <bruteforce> flush global) ### let some ports in pass in on $ifaces proto tcp to port $tcp_pass modulate state pass in on $ifaces proto udp to port $udp_pass ### allow ping, in and out pass on $ifaces inet6 proto ipv6-icmp all icmp6-type echoreq pass on $ifaces inet proto icmp all icmp-type echoreq ### Let all out pass out on $ifaces proto { tcp udp }
Fichier /etc/relayd.conf :
ext_ip4 = "192.0.2.2" ext_ip6 = "2001:db8::2 tcp protocol "gemini" { tls keypair chezmoi.tld-self } relay "gemini4" { listen on $ext_ip4 port 1965 tls protocol "gemini" forward to localhost port 11965 } relay "gemini6" { listen on $ext_ip6 port 1965 tls protocol "gemini" forward to localhost port 11965 } # in /etc/torrc: # HiddenServiceDir /var/tor/hidden-gemini/ # HiddenServicePort 1965 localhost:11966 # relay tor hidden onion relay "geminitor" { listen on localhost port 11966 tls protocol "gemini" forward to localhost port 11965 } http protocol "https" { include "/etc/relayd.proxy.conf" tls keypair chezmoi.tld } http protocol "http" { include "/etc/relayd.proxy.conf" } relay "www" { listen on $ext_ip4 port 80 protocol "http" forward to localhost port 8080 } relay "www6" { listen on $ext_ip6 port 80 protocol "http" forward to localhost port 8080 } relay "wwwtls" { listen on $ext_ip4 port 443 tls protocol "https" forward to localhost port 8080 } relay "wwwtls6" { listen on $ext_ip6 port 443 tls protocol "https" forward to localhost port 8080 }
Fichier /etc/relayd.proxy.conf :
# block par défaut, puis ouvre cas par cas return error # apparence de l'erreur return error style "body { background: silver; color: black; text-align:center } hr {border:0; background-color:silver; color:silver; height:1px; width:30%; margin-top:50px;}" # Pour garder l'IP source match request header set "X-Forwarded-For" \ value "$REMOTE_ADDR" match request header set "X-Forwarded-By" \ value "$SERVER_ADDR:$SERVER_PORT" # Pour https match header set "Keep-Alive" value "$TIMEOUT" # anti robots sur wordpress que je n'ai pas block quick path "/wp-*" label '<em>Stop scanning for wordpress</em>.' # Securite match request header remove "Proxy" match response header set "Frame-Options" value "SAMEORIGIN" match response header set "X-Xss-Protection" value "1; mode=block" match response header set "X-Frame-Options" value "SAMEORIGIN" match response header set "X-Robots-Tag" value "index,nofollow" match response header set "X-Permitted-Cross-Domain-Policies" value "none" match response header set "X-Download-Options" value "noopen" match response header set "X-Content-Type-Options" value "nosniff" match response header set "Referrer-Policy" value "no-referrer" match response header set "Permissions-Policy" value "interest-cohort=()" match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains" match response header set "Content-Security-Policy" value "default-src 'self';" # fun match response header set "X-Powered-By" value "Powered by OpenBSD" # etiquettes pour gestion du cache match request path "/*.css" tag "CACHE" match request path "/*.js" tag "CACHE" match request path "/*.atom" tag "CACHE" match request path "/*.rss" tag "CACHE" match request path "/*.xml" tag "CACHE" match request path "/*.jpg" tag "CACHE" match request path "/*.png" tag "CACHE" match request path "/*.svg" tag "CACHE" match request path "/*.gif" tag "CACHE" match request path "/*.ico" tag "CACHE" match request path "/*.html" tag "CACHE" match request path "/*.gmi" tag "CACHE" match request path "*/" tag "CACHE" match response tagged "CACHE" header set "Cache-Control" value \ "public, max-age=86400" # etiquette pour utf-8 match request path "/*.html" tag "HTML" match response tagged "HTML" header set "Content-Type" value "text/html; charset=utf-8" match request path "/*.txt" tag "TXT" match request path "/*.md" tag "TXT" match request path "/*.gmi" tag "TXT" match response tagged "TXT" header set "Content-Type" value "text/plain; charset=utf-8" pass
Exemple de configuration avec gestion de plusieurs domaines.
# install : # opensmtpd-filter-rspamd # opensmtpd-filter-senderscore table aliases "/etc/mail/aliases" table domains "/etc/mail/domains" table passwd "/etc/mail/passwd" table virtuals "/etc/mail/virtuals" pki chezmoi.tld key "/etc/ssl/private/chezmoi.tld.key" pki chezmoi.tld cert "/etc/ssl/chezmoi.tld.crt" pki domaine2.net key "/etc/ssl/private/domaine2.net.key" pki domaine2.net cert "/etc/ssl/domaine2.net.crt" pki autredomaine.xyz key "/etc/ssl/private/autredomaine.xyz.key" pki autredomaine.xyz cert "/etc/ssl/autredomaine.xyz.crt" # certificat par defaut pki "*" key "/etc/ssl/private/chezmoi.tld.key" pki "*" cert "/etc/ssl/chezmoi.tld.crt" filter senderscore \ proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000" filter rspamd proc-exec "filter-rspamd" # LISTEN ## # RECEPTION DE MESSAGES listen on all tls pki chezmoi.tld \ filter { senderscore, rspamd } # ENVOI DE MESSAGES # listen on all port submission tls-require pki chezmoi.tld auth <passwd> \ filter rspamd # ACTIONS ## action "relay" relay action relaybackup relay backup tls helo "chezmoi.tld" action "local_mail" maildir alias <aliases> action virtual_maildir maildir "/home/_vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <virtuals> # MATCH ## # RECEPTION match from any for domain <domains> action virtual_maildir match from any for local action local_mail # ENVOI # backup match from any for domain friend.eu action relaybackup match auth from any for any action "relay" match for any action "relay"
Tous les domaines sont gérés par un seul certificat ici, pour plus de simplicité.
On ajoute des options sur la file d'attente, parce que.
# Configuration generale # Tables table aliases "/etc/mail/aliases" table passwd "/etc/mail/passwd" table virtuals "/etc/mail/virtuals" table domains "/etc/mail/domains" # Certificats pki chezmoi.tld key "/etc/ssl/private/chezmoi.tld.key" pki chezmoi.tld cert "/etc/ssl/chezmoi.tld.crt" # options sur la file d'attente queue compression # less disk space queue encryption 7dbecabecabeca45bce4aebc # encrypt all o/ filter senderscore \ proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000" # Ecoute pour messages signes avec dkimproxy listen on lo0 port 10028 tag DKIM # Messages verifies par spamassassin listen on lo0 port 10026 tag SPAMASSASSIN # Reception listen on all tls pki chezmoi.tld filter { senderscore } # Envoi avec client de messagerie listen on all port submission tls-require pki chezmoi.tld auth <passwd> # ACTIONS action "envoi" relay action dkimproxy relay host smtp://127.0.0.1:10027 action spamassassin relay host smtp://127.0.0.1:10025 action local_mail maildir alias <aliases> action relaybackup relay backup mx "chezmoi.tld" helo "chezmoi.tld" action virtual_maildir maildir "/var/vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <virtuals> # Correspondances # Reception # Message pour les utilisateurs locaux match for local action local_mail # Message pour les utilisateurs virtuels match tag SPAMASSASSIN from any for domain <domains> action virtual_maildir # Messages a faire verifier par spamassassin match from any for domain <domains> action spamassassin # Envoi # Mail sortant portant une signature DKIM match tag DKIM for any action "envoi" match auth tag DKIM from any for any action "envoi" # backup pour les copains match from any for domain copain.eu action relaybackup # Mail en envoi pas encore signe avec DKIM match auth from any for any action dkimproxy match for any action dkimproxy
table aliases "/etc/mail/aliases" pki chezmoi.tld.g.pki key "/etc/ssl/private/athome.tld.key" pki chezmoi.tld.g.pki cert "/etc/ssl/athome.tld.crt" filter senderscore \ proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000" filter "spamassassin" proc-exec "filter-spamassassin" filter "dkimsign" proc-exec "filter-dkimsign \ -d chezmoi.tld.g \ -s pubkey \ -k /etc/dkim/private.key" \ user _dkimsign group _dkimsign listen on all tls pki chezmoi.tld.g.pki filter { spamassassin senderscore } listen on all port submission tls-require pki chezmoi.tld.g.pki auth \ filter dkimsign action relayout relay action relaybackup relay backup action distribute maildir junk alias <aliases> match for local action distribute match from any for domain chezmoi.tld.g action distribute # backup for friends match from any for domain friend.tld action relaybackup match auth from any for any action relayout match for any action relayout
Indiquez ici tous vos enregistrements MX.
chezmoi.tld domaine2.net autredomaine.xyz
all:\ :nixspam:bgp-spamd:bsdlyblack:whitelist: # Nixspam recent sources list. # Mirrored from http://www.heise.de/ix/nixspam nixspam:\ :black:\ :msg="Your address %A is in the nixspam list\n\ See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\ :method=http:\ :file=www.openbsd.org/spamd/nixspam.gz bsdlyblack:\ :black:\ :msg="Your address %A is in the bsdly.net list":\ :method=http:\ :file=www.bsdly.net/~peter/bsdly.net.traplist bgp-spamd:\ :black:\ :msg="Your address %A has sent mail to a spamtrap\n\ within the last 24 hours":\ :method=file:\ :file=/var/spamd.black whitelist:\ :white:\ :method=file:\ :file=/etc/mail/whitelist.txt
# With nord colorscheme : LogFile /var/www/logs/access.log OutputDir /var/www/htdocs/chezmoi.tld/stats ReportTitle Statistiques pour HostName chezmoi.tld LinkReferrer yes HTMLHead <style type="text/css"> HTMLHead body {background:#eceff4;color:#2e3440;line-height:1.4;margin:auto} HTMLHead table {border: 1px solid; padding:1ex} HTMLHead a {color:#5e81ac} HTMLHead th, td {border: 0} HTMLHead tr:nth-child(even){background-color: #e5e9f0;} HTMLHead tr:hover {background-color: #d8dee9;} HTMLHead </style> TopSites 75 TopURLs 50 TopReferrers 100 AllSites yes AllURLs yes AllReferrers yes AllSearchStr yes AllErrors yes HideSite *chezmoi.tld HideReferrer chezmoi.tld HideURL *.gif HideURL *.GIF HideURL *.jpg HideURL *.JPG HideURL *.png HideURL *.PNG HideURL *.css HideURL *.woff GroupReferrer google. Google Intl HideReferrer google. IgnoreURL /atom.xml IgnoreURL /sitemap.* IgnoreURL /favicon.* IgnoreURL /robots.txt ColorBackground eceff4 ColorText 2e3440 ColorLink 5e81ac ColorVLink 81a1c1 ColorALink 88c0d0 ColorHeadline d8dee9 ColorCounter 4c566a ColorHit 5e81ac ColorFile bf616a ColorSite d08770 ColorKbyte ebcb8b ColorPage a3be8c ColorVisit b48ead ColorMisc 8fbcbb ChartBackgroundColor eceff4 ChartLegendColor 2e3440 ChartShadowColor1 eceff4 ChartShadowColor2 d8dee9 TableBorder 0 ChartBorder 0