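# Dovecot IMAP server.
# Accounts and bcrypt hashes come from /etc/mail/passwd (the same table smtpd
# uses for submission auth); mail is stored under /mnt/bigstorage/_vmail/.

# Listen on both IPv4 and IPv6.
listen = *, [::]
# IMAP only, no POP3.
protocols = imap

# TLS. `required` (rather than `yes`) makes Dovecot refuse any non-TLS client
# session outright, so a client can never even offer credentials in the clear.
ssl = required
ssl_cert = </etc/ssl/chezmoi.tld.crt
ssl_key = </etc/ssl/private/chezmoi.tld.key
# NOTE(review): on Dovecot >= 2.3 also pin the protocol floor with
#   ssl_min_protocol = TLSv1.2
# (left commented because the directive does not exist on older releases).
# No plaintext SASL mechanisms over non-TLS connections.
disable_plaintext_auth = yes

# Run the auth service under group _maildaemons so /etc/mail/passwd can be
# restricted to root:_maildaemons instead of being world-readable.
service auth {
  user = $default_internal_user
  group = _maildaemons
}

# Credentials from a flat file; hashes are bcrypt (blf-crypt).
passdb {
  args = scheme=blf-crypt /etc/mail/passwd
  driver = passwd-file
}
# Every virtual user maps to the single _vmail system account; the home
# directory is derived from the login's domain (%d) and local part (%n).
userdb {
  driver = static
  args = uid=_vmail gid=_vmail home=/mnt/bigstorage/_vmail/%d/%n/
}

# Plugins:
# - quota: per-user storage limits
# - zlib: compress mail on disk, saving space and bandwidth
# - imap_sieve: per-user filtering and spam/ham learning; requires the
#   dovecot-pigeonhole package
mail_plugins = $mail_plugins quota zlib
protocol imap {
  mail_plugins = $mail_plugins imap_quota imap_zlib imap_sieve
}

plugin {
  # Quota: 1G per user, Trash gets an extra 100M on top. quota_grace is how
  # far the single message that crosses the limit may overshoot it.
  quota = maildir:User quota
  quota_rule = *:storage=1G
  quota_rule2 = Trash:storage=+100M
  quota_grace = 50%%
  # Answers for the quota-status policy service. Only meaningful if smtpd is
  # pointed at a `service quota-status`, which this snippet does not define.
  quota_status_success = DUNNO
  quota_status_nouser = DUNNO
  quota_status_overquota = "552 5.2.2 Mailbox is full"

  # Maximum compression when saving.
  zlib_save_level = 9 # 1..9; default is 6
  zlib_save = gz # or bz2, xz or lz4

  # Sieve
  sieve_plugins = sieve_imapsieve sieve_extprograms
  # Script run for users who have no script of their own (anti-spam).
  sieve_default = /usr/local/lib/dovecot/sieve/default.sieve
  # Learn as spam when a message is copied/moved into Junk ...
  imapsieve_mailbox1_name = Junk
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
  # ... and as ham when it is moved out of Junk into any other folder.
  imapsieve_mailbox2_name = *
  imapsieve_mailbox2_from = Junk
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
  # Only executables in this directory can be run via vnd.dovecot.pipe;
  # keep it root-owned and not writable by _vmail.
  sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
  sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
}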
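# OpenBSD httpd(8). httpd runs chrooted in /var/www; every path below is
# relative to that chroot.
types { include "/usr/share/misc/mime.types" }
default type text/plain

# Catch-all for requests whose Host header matches no server below
# (bare IP, stray names): serves the main site over plain HTTP.
# NOTE(review): make this block redirect too if nothing should be reachable
# without TLS.
server "default" {
	listen on * port 80
	root "/htdocs/chezmoi.tld"
}

# Plain-HTTP side of the main site. ACME HTTP-01 challenges arrive on port
# 80, so they are answered here, locally, instead of being bounced to HTTPS
# (which fails when the certificate is the thing that expired). Everything
# else is redirected. $SERVER_NAME rather than $HTTP_HOST so the client
# cannot steer the redirect target.
server "chezmoi.tld" {
	listen on * port 80
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	location * {
		block return 301 "https://$SERVER_NAME$REQUEST_URI"
	}
}

server "chezmoi.tld" {
	alias "www.chezmoi.tld"
	listen on * tls port 443
	root "/htdocs/chezmoi.tld"
	directory index index.html
	log style combined
	# NOTE(review): the HSTS preload list requires includeSubDomains
	# (`hsts subdomains preload`); add it only once every subdomain is
	# served over TLS.
	hsts preload
	tls {
		certificate "/etc/ssl/chezmoi.tld.crt"
		key "/etc/ssl/private/chezmoi.tld.key"
	}
	# acme-client(1) challenge directory (/var/www/acme in the chroot).
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	location "/Blog/" {
		directory index index.php
	}
	location "*.php" {
		fastcgi socket "/run/php-fpm.sock"
	}
	# Public download area; the directory listing is intentional.
	location "/DL/PDF/" {
		directory auto index
	}
	# Password-protected area. The htpasswd file lives outside every server
	# root (/htdocs/chezmoi.tld, /htdocs/site2), so it is never served.
	location "/private/" {
		authenticate "education" with "/htdocs/private.htpw"
		directory auto index
	}
}

# Second site, reusing the main certificate (it must carry
# site2.chezmoi.tld as a SAN). Content is also served over plain HTTP here;
# there is no redirect to TLS.
server "site2.chezmoi.tld" {
	alias "www.site2.chezmoi.tld"
	listen on * port 80
	listen on * tls port 443
	root "/htdocs/site2"
	directory index index.html
	log access "site2.log"
	hsts
	tls {
		certificate "/etc/ssl/chezmoi.tld.crt"
		key "/etc/ssl/private/chezmoi.tld.key"
	}
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	location "*.php" {
		fastcgi socket "/run/php-fpm.sock"
	}
	location "/downloads/" {
		directory index index.php
	}
}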
# nsd.conf(5): authoritative DNS. Primary for reiva.xyz, secondary for the
# other zones. The TSIG key "secretkey" authenticates zone transfers and
# NOTIFYs exchanged with the peer at 109.190.128.23.
server:
	# Do not answer version.bind CHAOS queries.
	hide-version: yes
	verbosity: 2
	# Serve straight from the zone files, no nsd.db.
	database: ""
	zonesdir: "/var/nsd/zones/"
	ip-address: 46.23.92.148
	ip-address: 2a03:6000:9137::148

# nsd-control(8). With no control-interface given nsd listens on localhost
# only (127.0.0.1 and ::1); do not widen it.
remote-control:
	control-enable: yes

# TSIG shared secret. Generate your own (e.g. `openssl rand -base64 32`) and
# never reuse a value that has appeared in a published config: whoever holds
# it can pull the zones and send NOTIFYs the secondaries will accept.
key:
	name: "secretkey"
	algorithm: hmac-sha256
	secret: "i8f4FgDsldD11pHAqo9Ko="

# Primary zone (zone file under signed/, presumably DNSSEC-signed output).
zone:
	name: "reiva.xyz"
	zonefile: "signed/reiva.xyz"
	provide-xfr: 109.190.128.23 secretkey
	notify: 109.190.128.23 secretkey
	# Gandi secondary: no TSIG, so this transfer is protected by source IP
	# only. Acceptable for public zone data, but nothing more.
	provide-xfr: 217.70.177.40 NOKEY
	notify: 217.70.177.40 NOKEY

# Secondary zones: accept NOTIFY from, and request transfers from, the
# primary; both directions TSIG-signed.
zone:
	name: "chezmoi.tld"
	zonefile: "slave/chezmoi.tld"
	allow-notify: 109.190.128.23 secretkey
	request-xfr: 109.190.128.23 secretkey

zone:
	name: "ouaf.xyz"
	zonefile: "slave/ouaf.xyz"
	allow-notify: 109.190.128.23 secretkey
	request-xfr: 109.190.128.23 secretkey

zone:
	name: "3hg.fr"
	zonefile: "slave/3hg.fr"
	allow-notify: 109.190.128.23 secretkey
	request-xfr: 109.190.128.23 secretkey
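# See pf.conf(5) and /etc/examples/pf.conf

# Macros
## Interfaces to filter. egress alone would do; the explicit names are here
## as an example.
ifaces = "{ egress em0 em1 }"
## Service ports
mail_ports = "{ submission imaps smtp }"
tcp_pass = "{ www https domain 1965 xmpp-client xmpp-server 5280 5281 62882 }" # 5280-5281 xmpp-http, 62882 transmission
udp_pass = "{ domain 62882 }" # 62882 dht rtorrent
## Ports we never serve: connections to them are handed to the iblock
## honeypot on 127.0.0.1:2507 instead of being dropped.
blocking_tcp="{ ftp ftp-data telnet finger sunrpc epmap netbios-ns netbios-dgm netbios-ssn microsoft-ds ipp ldaps ldp ms-sql-s ms-sql-m pptp mysql postgresql rfb rdp 27019 1194 ldap 8080 kerberos socks }"

# Tables
table <evils> persist
table <bruteforce> persist
table <sshguard> persist
table <pfbadhost> persist file "/etc/pf-badhost.txt"
table <solene> persist file "/etc/solene-block.txt"
table <spamd> persist

# Options
## Raise the entry limit for the large block-list tables.
set limit table-entries 409600
## Do not filter loopback.
set skip on { lo }

# Drop packets whose source address belongs to another of our interfaces.
antispoof for $ifaces

# Rules
## Default deny.
block
## Anchor relayd(8) populates for its own rules.
anchor "relayd/*"

## "quick" rules: evaluation stops at the first match.
### Known-bad sources are dropped before anything else is considered.
block log quick from <bruteforce> label "BRUTES"
block log quick from <evils> label "EVILS"
block log quick from <sshguard> label "SSHGUARD"
block log quick on $ifaces from <pfbadhost> label "PFBADHOST"
block log quick on $ifaces from <solene> label "SOLENE"
### Let the LAN in.
### NOTE(review): this is evaluated AFTER the quick block rules above, so it
### does not rescue LAN hosts that appear in <pfbadhost> or <solene>
### (private ranges are often present in such lists). Move it above the
### block rules if that is the intent. With no interface given it also
### matches on em0; antispoof covers spoofed 192.168.1.x from outside only
### if that network is bound to one of $ifaces.
pass in quick from 192.168.1.0/24 modulate state
### iblock honeypot: everything else aimed at $blocking_tcp is redirected.
pass in quick on $ifaces inet proto tcp to port $blocking_tcp rdr-to 127.0.0.1 port 2507
pass in quick on $ifaces inet6 proto tcp to port $blocking_tcp rdr-to ::1 port 2507

## Incoming services
### SMTP from hosts in the <spamd> blacklist is diverted to spamd(8); the
### rest reaches smtpd through $mail_ports below.
pass in on $ifaces inet proto tcp from <spamd> to any port smtp \
    divert-to 127.0.0.1 port spamd modulate state
### SSH with brute-force throttling: offenders land in <bruteforce>, which
### is matched by the quick block rule above.
pass in on $ifaces proto tcp to port ssh modulate state \
    (source-track rule, \
    max-src-conn 8, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global)
### Same for mail, with looser limits.
pass in on $ifaces proto tcp to port $mail_ports modulate state \
    (source-track rule, \
    max-src-conn 100, max-src-conn-rate 50/100, \
    overload <bruteforce> flush global)
### Other public services.
pass in on $ifaces proto tcp to port $tcp_pass modulate state
pass in on $ifaces proto udp to port $udp_pass
### ICMP echo both ways.
pass on $ifaces inet6 proto ipv6-icmp all icmp6-type echoreq
pass on $ifaces inet proto icmp all icmp-type echoreq
### IPv6 neighbour/router discovery. With a default `block` nothing else
### lets these through, and without them the host cannot resolve its IPv6
### neighbours or gateway. ICMP errors tied to an existing state are passed
### by pf on their own, so PMTUD needs no extra rule.
pass on $ifaces inet6 proto ipv6-icmp all icmp6-type { neighbrsol neighbradv routersol routeradv }
### Everything out.
pass out on $ifaces proto { tcp udp }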
Fichier /etc/relayd.conf :
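# relayd.conf(5): TLS termination in front of a Gemini daemon (clear text on
# 11965) and reverse proxy in front of httpd (clear text on 8080).
# NOTE(review): the backends must listen on localhost only; if 11965/8080 are
# reachable from outside, the headers and blocks set by the proxy can be
# bypassed by talking to them directly.
ext_ip4 = "192.0.2.2"
# The closing quote was missing here, which made relayd reject the file.
ext_ip6 = "2001:db8::2"

# Gemini: self-signed certificate, as the protocol expects (TOFU).
tcp protocol "gemini" {
	tls keypair chezmoi.tld-self
}
relay "gemini4" {
	listen on $ext_ip4 port 1965 tls
	protocol "gemini"
	forward to localhost port 11965
}
relay "gemini6" {
	listen on $ext_ip6 port 1965 tls
	protocol "gemini"
	forward to localhost port 11965
}
# Onion service entry point. Matching /etc/torrc:
#   HiddenServiceDir /var/tor/hidden-gemini/
#   HiddenServicePort 1965 localhost:11966
relay "geminitor" {
	listen on localhost port 11966 tls
	protocol "gemini"
	forward to localhost port 11965
}

# HTTP(S): filtering, header hardening and caching rules live in the shared
# include; only the TLS keypair differs.
http protocol "https" {
	include "/etc/relayd.proxy.conf"
	tls keypair chezmoi.tld
}
http protocol "http" {
	include "/etc/relayd.proxy.conf"
}
relay "www" {
	listen on $ext_ip4 port 80
	protocol "http"
	forward to localhost port 8080
}
relay "www6" {
	listen on $ext_ip6 port 80
	protocol "http"
	forward to localhost port 8080
}
relay "wwwtls" {
	listen on $ext_ip4 port 443 tls
	protocol "https"
	forward to localhost port 8080
}
relay "wwwtls6" {
	listen on $ext_ip6 port 443 tls
	protocol "https"
	forward to localhost port 8080
}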
Fichier /etc/relayd.proxy.conf :
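# Shared HTTP protocol rules, included by both the "http" and "https"
# protocols in relayd.conf.

# Send an HTTP error page instead of silently dropping the connection when a
# request is blocked or the backend is unreachable. (This is not a default
# deny: the final `pass` admits every request that is not blocked above it.)
return error
# Styling of that error page.
return error style "body { background: silver; color: black; text-align:center } hr {border:0; background-color:silver; color:silver; height:1px; width:30%; margin-top:50px;}"

# Tell the backend who the real client is. `set` (not `append`) overwrites
# whatever the client sent, so X-Forwarded-For cannot be spoofed.
match request header set "X-Forwarded-For" \
    value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" \
    value "$SERVER_ADDR:$SERVER_PORT"
# Keep-alive timeout advertised to clients.
match header set "Keep-Alive" value "$TIMEOUT"

# There is no WordPress here; drop scanners probing for it.
block quick path "/wp-*" label '<em>Stop scanning for wordpress</em>.'

# Hardening
# httpoxy: never let a client-supplied Proxy header reach CGI/PHP.
match request header remove "Proxy"
# "Frame-Options" (without the X-) is not a header any browser honours; it
# was dropped in favour of the X-Frame-Options line below.
# NOTE(review): X-XSS-Protection is obsolete and current guidance is "0";
# the CSP below is what actually protects against XSS.
match response header set "X-Xss-Protection" value "1; mode=block"
match response header set "X-Frame-Options" value "SAMEORIGIN"
match response header set "X-Robots-Tag" value "index,nofollow"
match response header set "X-Permitted-Cross-Domain-Policies" value "none"
match response header set "X-Download-Options" value "noopen"
match response header set "X-Content-Type-Options" value "nosniff"
match response header set "Referrer-Policy" value "no-referrer"
match response header set "Permissions-Policy" value "interest-cohort=()"
# Also emitted on the plain-HTTP protocol; browsers ignore HSTS there.
match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
# Same-origin only: inline scripts/styles and third-party assets are blocked.
match response header set "Content-Security-Policy" value "default-src 'self';"
# Cosmetic.
match response header set "X-Powered-By" value "Powered by OpenBSD"

# Cache tagging.
# NOTE(review): relayd keeps a single tag per request, so the later
# `tag "HTML"` / `tag "TXT"` rules replace CACHE for .html and .gmi; those
# responses likely do not receive Cache-Control. Confirm and merge the
# rules if caching them is intended.
match request path "/*.css" tag "CACHE"
match request path "/*.js" tag "CACHE"
match request path "/*.atom" tag "CACHE"
match request path "/*.rss" tag "CACHE"
match request path "/*.xml" tag "CACHE"
match request path "/*.jpg" tag "CACHE"
match request path "/*.png" tag "CACHE"
match request path "/*.svg" tag "CACHE"
match request path "/*.gif" tag "CACHE"
match request path "/*.ico" tag "CACHE"
match request path "/*.html" tag "CACHE"
match request path "/*.gmi" tag "CACHE"
match request path "*/" tag "CACHE"
match response tagged "CACHE" header set "Cache-Control" value \
    "public, max-age=86400"

# Force UTF-8 charsets on text responses.
match request path "/*.html" tag "HTML"
match response tagged "HTML" header set "Content-Type" value "text/html; charset=utf-8"
match request path "/*.txt" tag "TXT"
match request path "/*.md" tag "TXT"
match request path "/*.gmi" tag "TXT"
match response tagged "TXT" header set "Content-Type" value "text/plain; charset=utf-8"

# Everything not blocked above goes to the backend.
pass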
Exemple de configuration avec gestion de plusieurs domaines.
# smtpd.conf(5), several mail domains on one server.
# Packages required for the filters:
#   opensmtpd-filter-rspamd
#   opensmtpd-filter-senderscore

# Lookup tables
table aliases "/etc/mail/aliases"
table domains "/etc/mail/domains"
table passwd "/etc/mail/passwd"
table virtuals "/etc/mail/virtuals"

# One certificate per domain; smtpd picks it by SNI.
pki chezmoi.tld key "/etc/ssl/private/chezmoi.tld.key"
pki chezmoi.tld cert "/etc/ssl/chezmoi.tld.crt"
pki domaine2.net key "/etc/ssl/private/domaine2.net.key"
pki domaine2.net cert "/etc/ssl/domaine2.net.crt"
pki autredomaine.xyz key "/etc/ssl/private/autredomaine.xyz.key"
pki autredomaine.xyz cert "/etc/ssl/autredomaine.xyz.crt"
# Fallback certificate when the client's SNI matches none of the above.
pki "*" key "/etc/ssl/private/chezmoi.tld.key"
pki "*" cert "/etc/ssl/chezmoi.tld.crt"

# Filters: reputation scoring (slow down and junk low-scoring senders) and
# rspamd (spam classification, DKIM).
filter senderscore \
    proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"
filter rspamd proc-exec "filter-rspamd"

# Listeners
# Inbound MX: TLS is opportunistic here on purpose (remote MTAs may not
# support it); both filters run on every session.
listen on all tls pki chezmoi.tld \
    filter { senderscore, rspamd }
# Submission for our own users: TLS mandatory, authentication from the
# passwd table. rspamd only (senderscore would score our own clients).
listen on all port submission tls-require pki chezmoi.tld auth <passwd> \
    filter rspamd

# Actions
action "relay" relay
# Secondary MX for a friend's domain: hold and forward to the primary,
# requiring TLS on that hop.
action relaybackup relay backup tls helo "chezmoi.tld"
action "local_mail" maildir alias <aliases>
# Virtual users: one Maildir per <domain>/<user>, spam filed into Junk.
action virtual_maildir maildir "/home/_vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <virtuals>

# Matching rules (first match wins)
# Inbound
match from any for domain <domains> action virtual_maildir
match from any for local action local_mail
# Outbound
# Backup MX duty.
match from any for domain friend.eu action relaybackup
# Authenticated clients and local processes may relay anywhere.
match auth from any for any action "relay"
match for any action "relay"
Tous les domaines sont gérés par un seul certificat ici, pour plus de simplicité.
On ajoute des options sur la file d'attente, parce que.
# smtpd.conf(5) with spamassassin and dkimproxy as external SMTP hops.

# Tables
table aliases "/etc/mail/aliases"
table passwd "/etc/mail/passwd"
table virtuals "/etc/mail/virtuals"
table domains "/etc/mail/domains"

# Certificate
pki chezmoi.tld key "/etc/ssl/private/chezmoi.tld.key"
pki chezmoi.tld cert "/etc/ssl/chezmoi.tld.crt"

# Queue options
# Compress queued messages to save disk.
queue compression
# Encrypt the on-disk queue. The key sits in this file, so it only helps
# against offline access to the disk; keep smtpd.conf root-only (it is by
# default) and use a random key of your own.
queue encryption 7dbecabecabeca45bce4aebc

filter senderscore \
    proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"

# Listeners
# Return path from dkimproxy: signed mail comes back here, tagged DKIM.
listen on lo0 port 10028 tag DKIM
# Return path from spamassassin: checked mail comes back here.
# NOTE(review): neither loopback listener requires auth, so any local
# process (e.g. a compromised web application on this host) can inject mail
# that the tagged match rules below then relay. Acceptable only if nothing
# untrusted runs locally.
listen on lo0 port 10026 tag SPAMASSASSIN
# Inbound MX: TLS opportunistic.
listen on all tls pki chezmoi.tld filter { senderscore }
# Submission from mail clients: TLS and authentication mandatory.
listen on all port submission tls-require pki chezmoi.tld auth <passwd>

# Actions
action "envoi" relay
action dkimproxy relay host smtp://127.0.0.1:10027
action spamassassin relay host smtp://127.0.0.1:10025
action local_mail maildir alias <aliases>
action relaybackup relay backup mx "chezmoi.tld" helo "chezmoi.tld"
action virtual_maildir maildir "/var/vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <virtuals>

# Matching rules (first match wins)
# Inbound
# Local system users.
match for local action local_mail
# Virtual users: deliver once spamassassin has seen the message ...
match tag SPAMASSASSIN from any for domain <domains> action virtual_maildir
# ... otherwise send it through spamassassin first.
match from any for domain <domains> action spamassassin
# Outbound
# Already DKIM-signed: relay to the destination.
match tag DKIM for any action "envoi"
match auth tag DKIM from any for any action "envoi"
# Backup MX for friends.
match from any for domain copain.eu action relaybackup
# Not yet signed: hand to dkimproxy, it comes back tagged DKIM.
match auth from any for any action dkimproxy
match for any action dkimproxy
# smtpd.conf(5), single domain, all filtering done in-process with filters.
table aliases "/etc/mail/aliases"

# Certificate (the pki label does not have to match the file names).
pki chezmoi.tld.g.pki key "/etc/ssl/private/athome.tld.key"
pki chezmoi.tld.g.pki cert "/etc/ssl/athome.tld.crt"

# Filters
filter senderscore \
    proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"
filter "spamassassin" proc-exec "filter-spamassassin"
# DKIM signing runs as its own unprivileged user so only it needs to read
# the private key.
filter "dkimsign" proc-exec "filter-dkimsign \
    -d chezmoi.tld.g \
    -s pubkey \
    -k /etc/dkim/private.key" \
    user _dkimsign group _dkimsign

# Listeners
# Inbound MX: TLS opportunistic, spam checks on every session.
listen on all tls pki chezmoi.tld.g.pki filter { spamassassin senderscore }
# Submission: TLS and authentication mandatory (system accounts, no table),
# outgoing mail DKIM-signed.
listen on all port submission tls-require pki chezmoi.tld.g.pki auth \
    filter dkimsign

# Actions
action relayout relay
action relaybackup relay backup
# Local delivery, spam into Junk, aliases expanded.
action distribute maildir junk alias <aliases>

# Matching rules (first match wins)
match for local action distribute
match from any for domain chezmoi.tld.g action distribute
# Secondary MX for friends.
match from any for domain friend.tld action relaybackup
# Authenticated clients and local processes relay anywhere.
match auth from any for any action relayout
match for any action relayout
Listez ici, un par ligne, tous les domaines pour lesquels ce serveur accepte du courrier (c'est-à-dire ceux dont l'enregistrement MX pointe vers lui).
chezmoi.tld domaine2.net autredomaine.xyz
# spamd.conf(5): lists fed to spamd(8) by spamd-setup(8).
# Lists are processed in this order; the whitelist removes its addresses
# from the blacklists that precede it.
# NOTE(review): the http sources are fetched in clear text with no
# integrity check. A tampered list cannot let spam in, but it can make
# legitimate senders be trapped; keep important peers in the whitelist.
all:\
	:nixspam:bgp-spamd:bsdlyblack:whitelist:

# Nixspam recent sources list.
# Mirrored from http://www.heise.de/ix/nixspam
nixspam:\
	:black:\
	:msg="Your address %A is in the nixspam list\n\
	See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
	:method=http:\
	:file=www.openbsd.org/spamd/nixspam.gz

# bsdly.net greytrap list.
bsdlyblack:\
	:black:\
	:msg="Your address %A is in the bsdly.net list":\
	:method=http:\
	:file=www.bsdly.net/~peter/bsdly.net.traplist

# Local file maintained from the bgp-spamd feed.
bgp-spamd:\
	:black:\
	:msg="Your address %A has sent mail to a spamtrap\n\
	within the last 24 hours":\
	:method=file:\
	:file=/var/spamd.black

# Hosts that must never be greylisted or trapped.
whitelist:\
	:white:\
	:method=file:\
	:file=/etc/mail/whitelist.txt
# webalizer.conf, Nord colour scheme.
LogFile /var/www/logs/access.log
# NOTE(review): the report is written inside the public document root and,
# with AllSites/AllReferrers/AllSearchStr enabled, publishes visitor
# addresses, referrers and search terms. Protect /stats with httpd
# `authenticate` or move OutputDir outside the web root.
OutputDir /var/www/htdocs/chezmoi.tld/stats
ReportTitle Statistiques pour
HostName chezmoi.tld
# Referrers become clickable links: on a public page this hands referrer
# spammers a backlink.
LinkReferrer yes

# Inline stylesheet injected into every report page.
HTMLHead <style type="text/css">
HTMLHead body {background:#eceff4;color:#2e3440;line-height:1.4;margin:auto}
HTMLHead table {border: 1px solid; padding:1ex}
HTMLHead a {color:#5e81ac}
HTMLHead th, td {border: 0}
HTMLHead tr:nth-child(even){background-color: #e5e9f0;}
HTMLHead tr:hover {background-color: #d8dee9;}
HTMLHead </style>

# Table sizes and full listings.
TopSites 75
TopURLs 50
TopReferrers 100
AllSites yes
AllURLs yes
AllReferrers yes
AllSearchStr yes
AllErrors yes

# Noise to leave out of the tables.
HideSite *chezmoi.tld
HideReferrer chezmoi.tld
HideURL *.gif
HideURL *.GIF
HideURL *.jpg
HideURL *.JPG
HideURL *.png
HideURL *.PNG
HideURL *.css
HideURL *.woff
GroupReferrer google. Google Intl
HideReferrer google.
IgnoreURL /atom.xml
IgnoreURL /sitemap.*
IgnoreURL /favicon.*
IgnoreURL /robots.txt

# Colours
ColorBackground eceff4
ColorText 2e3440
ColorLink 5e81ac
ColorVLink 81a1c1
ColorALink 88c0d0
ColorHeadline d8dee9
ColorCounter 4c566a
ColorHit 5e81ac
ColorFile bf616a
ColorSite d08770
ColorKbyte ebcb8b
ColorPage a3be8c
ColorVisit b48ead
ColorMisc 8fbcbb
ChartBackgroundColor eceff4
ChartLegendColor 2e3440
ChartShadowColor1 eceff4
ChartShadowColor2 d8dee9
TableBorder 0
ChartBorder 0