summaryrefslogtreecommitdiffstats
path: root/server
diff options
context:
space:
mode:
authorSven Gothel <[email protected]>2013-06-06 02:11:24 +0200
committerSven Gothel <[email protected]>2013-06-06 02:11:24 +0200
commit37e89102f700a8187f994098b7944c5ec236bc97 (patch)
treea4fce6b084028867af4fb8c9756d6b6b4919efc0 /server
parent2b17b948cd81e1cb945d5a057bd96316e904e3f3 (diff)
server config part-1: logging, move backup files and users, mysql, procmail, bogofilter, sasl2, dovecot, sendmail
Diffstat (limited to 'server')
-rw-r--r--server/setup/05-service-settings/README.txt108
-rw-r--r--server/setup/05-service-settings/backup-mysql.sh8
-rw-r--r--server/setup/05-service-settings/etc/bogofilter.cf282
-rw-r--r--server/setup/05-service-settings/etc/dovecot/conf.d.diff355
-rw-r--r--server/setup/05-service-settings/etc/dovecot/dovecot.conf.diff19
-rw-r--r--server/setup/05-service-settings/etc/logrotate.conf32
-rw-r--r--server/setup/05-service-settings/etc/logrotate.d/rsyslog39
-rw-r--r--server/setup/05-service-settings/etc/mail/access145
-rw-r--r--server/setup/05-service-settings/etc/mail/local-host-names10
-rw-r--r--server/setup/05-service-settings/etc/mail/mail.diff213
-rw-r--r--server/setup/05-service-settings/etc/mail/sendmail.mc228
-rw-r--r--server/setup/05-service-settings/etc/mail/submit.mc58
-rw-r--r--server/setup/05-service-settings/etc/mail/virtusertable33
-rw-r--r--server/setup/05-service-settings/etc/procmailrc29
-rw-r--r--server/setup/05-service-settings/etc/rsyslog.conf123
-rw-r--r--server/setup/05-service-settings/var/lib/dovecot/sieve/global/default.sieve1
-rw-r--r--server/setup/05-service-settings/var/lib/dovecot/sieve/prologue.sieve11
17 files changed, 1694 insertions, 0 deletions
diff --git a/server/setup/05-service-settings/README.txt b/server/setup/05-service-settings/README.txt
new file mode 100644
index 0000000..2cf28cc
--- /dev/null
+++ b/server/setup/05-service-settings/README.txt
@@ -0,0 +1,108 @@
+All template files are .. underneath in ./etc
+
+Debian 7.00 (Wheezy)
+
+01 stop all running services ..
+ /etc/init.d/apache2 stop
+ /etc/init.d/sendmail stop
+ /etc/init.d/dovecot stop
+ /etc/init.d/mysql stop
+ /etc/init.d/saslauthd stop
+
+01 logging
+ - firewall logging:
+ /etc/rsyslog.conf: firewall rules, kern.debug / kern.=!debug
+ /etc/init.d/rsyslog restart
+
+ - logrotate
+ /etc/logrotate.conf: compress, 48 weeks
+ /etc/logrotate.d/rsyslog: Add /var/log/firewall and /var/log/dovecot.log
+
+03 move all users
+ - mv /data/backup/home/* /home/
+ - for all groups: groupadd -g GID groupname
+ - for all users: useradd -M -N -u UID -g GID username
+ - for all users: usermod -a -G GID1,GID2,.. username
+ - cd /data/backup/var/spool/mail ; (check names, remove unused ..) ; mv * /var/spool/mail/
+
+04 move other stuff
+ - Old Logs
+ - mv /data/backup/var/log /var/log/old_logs
+
+ - MySQL
+ - old server: backup DB
+ - run backup-mysql.sh on old server, result is e.g. backup-mysqldb-20130605162509.sql
+
+ - new server: import DB
+ - get backup backup-mysqldb-20130605162509.sql
+ - /etc/init.d/mysql start
+ - backup-1: backup-mysql.sh
+ - mysql --user=root --password < backup-mysqldb-20130605162509.sql
+ - backup-2: backup-mysql.sh
+ - mysqlcheck --user=root --password --all-databases
+
+ - Services
+ - mv /data/backup/srv/* /srv/
+
+05 config procmail
+ copy /etc/procmailrc
+
+06 bogofilter
+ copy /etc/bogofilter.cf
+ Init empty wordlist.db:
+ touch nope
+ cat nope | bogoutil -l /var/spool/bogofilter/wordlist.db
+ rm nope
+
+07 sasl2
+ /etc/sasl2/Sendmail.conf
+ /etc/default/saslauthd: start=yes
+ /etc/init.d/saslauthd start
+
+08 dovecot 2.1.7-7
+ - features:
+ - requires ssl
+ - ipv4 / ipv6
+ - smtps
+ - pop3s
+ - sieve (tls)
+
+ - Sync config files in /etc/dovecot/
+ with etc/dovecot/dovecot.conf.diff and etc/dovecot/conf.d.diff
+
+ - mkdir -p /var/lib/dovecot/sieve/global/
+ - chmod ugo+rx /var/lib/dovecot
+ - copy /var/lib/dovecot/sieve/global/default.sieve
+ - cd /var/lib/dovecot/sieve/global ; sievec default.sieve
+ - copy /var/lib/dovecot/sieve/prologue.sieve
+ - cd /var/lib/dovecot/sieve ; sievec prologue.sieve
+
+ - migrate old INBOX:
+ for each user:
+ dsync mirror mbox:~/mail:INBOX=/var/mail/USERNAME
+ su dstrohlein -c "dsync mirror mbox:~/mail:INBOX=/var/mail/dstrohlein ; echo OK"
+
+ - /etc/init.d/dovecot start
+
+
+09 sendmail 8.14.4-4
+ - features:
+ - requires ssl for auth
+ - ipv4 / ipv6
+
+ - /etc/mail
+ - Sync config files in /etc/mail with: etc/mail/mail.diff
+ - sendmail.mc
+ - submit.mc
+ - access
+ - local-host-names
+ - virtusertable
+
+ - /etc
+ - aliases
+
+ - cd /etc/mail
+ - make
+
+ /etc/init.d/sendmail start
+
diff --git a/server/setup/05-service-settings/backup-mysql.sh b/server/setup/05-service-settings/backup-mysql.sh
new file mode 100644
index 0000000..0490e3b
--- /dev/null
+++ b/server/setup/05-service-settings/backup-mysql.sh
@@ -0,0 +1,8 @@
+#! /bin/sh
+
+fname="/data/backup/backup-mysqldb-`date +%Y%m%d%H%M%S`.sql"
+mysqldump --verbose --user=root --password --all-databases > $fname
+echo dumped to $fname
+
+# 1076 mysql --user=root --password < bugzilla_db_clean.sql
+
diff --git a/server/setup/05-service-settings/etc/bogofilter.cf b/server/setup/05-service-settings/etc/bogofilter.cf
new file mode 100644
index 0000000..84ac4bc
--- /dev/null
+++ b/server/setup/05-service-settings/etc/bogofilter.cf
@@ -0,0 +1,282 @@
+########### Sample BOGOFILTER Configuration File ###########################
+
+# $Id: bogofilter.cf.example 6811 2009-02-21 20:32:50Z relson $
+
+# Default settings (as defined in the bogofilter source code)
+# have a single hash mark at the beginning of the line.
+
+# Alternate values have two hash marks.
+
+# Comment lines MUST have their hash mark in the leftmost column.
+# Comments can be added at the end of any line (after whitespace and a '#').
+# Blank lines are allowed.
+
+########### General Settings ########################################
+
+#### BOGOFILTER_DIR
+#
+# directory for wordlists
+#
+#bogofilter_dir=~/.bogofilter
+bogofilter_dir=/var/spool/bogofilter
+
+#### name/location of user config file
+#
+#user_config_file=~/.bogofilter.cf
+##user_config_file=~/.bogofilterrc
+user_config_file=~/.bogofilter/config
+
+#### TRANSACTIONS: enable/disable database transactions
+#
+# boolean indicating whether transactions
+# should be enabled (yes) or disabled (no)
+#
+db_transaction=no # default
+##db_transaction=yes # (alternate)
+
+#### WORDLIST: define additional word lists
+#
+# char type: 'r' (regular) or 'i' (ignore)
+# char *name: name of list, e.g. "system", "user", "ignore"
+# char *path: absolute path to file or
+# file name (relative to bogofilter_dir)
+# int order - once found, skip higher numbered lists
+#
+##wordlist i,ignore,~/ignorelist.db,1
+##wordlist r,wordlist,~/wordlist.db,2
+
+#### SPAM_HEADER_NAME
+#
+# used in reporting spamicity and
+# in removing already existing headers
+#
+spam_header_name=X-Bogosity
+
+#### SPAM_HEADER_PLACE
+#
+# used in placing the SPAM_HEADER_NAME line
+#
+#spam_header_place=DomainKey-Signature
+
+#### SPAM_SUBJECT_TAG
+#
+# tag added to "Subject: " line for identifying spam or unsure
+# default is to add nothing.
+#
+##spam_subject_tag=***SPAM***
+##unsure_subject_tag=???UNSURE???
+
+#### STATS_IN_HEADER
+#
+# non-zero (default): put spamicity info in message header
+# zero: put spamicity info in message body
+# can use "bool" values of True, False, Yes, No, 1, or 0
+#
+stats_in_header=Yes # default
+##stats_in_header=No # (alternate)
+
+#### DB_CACHESIZE
+#
+# non-zero: set this as DB cache size (in Mbytes)
+# zero: use DB default cache size (.25 Mbyte in 4.0.14)
+#
+# note that Berkeley DB increases any buffer size below 500 MB
+# by 25%!
+# This helps most when doing massive changes to the data base that
+# involve a lot of overwrites, such as registering mail boxes,
+# whereas it is mostly a waste of memory for read-only
+# applications such as scoring.
+# WARNING: If you set this too large, bogofilter will fail.
+#
+db_cachesize=0 # default
+##db_cachesize=16 # (alternate)
+
+#### DB_LOG_AUTOREMOVE
+#
+# boolean indicating whether auto-removing of
+# logs should be enabled (yes) or disabled (no)
+#
+#db_log_autoremove=yes # default
+##db_log_autoremove=no # (alternate)
+
+#### TIMESTAMP
+#
+# enables or disables token timestamps
+#
+timestamp=Yes
+
+#### Format of spamicity output
+#
+# for two-state output the third entry is not needed and not used
+#
+spamicity_tags = Spam, Ham, Unsure
+spamicity_formats = %0.6f, %0.6f, %0.6f
+#
+##spamicity_tags = Yes, No, Unsure
+##spamicity_formats = %0.6f, %0.6f, %0.6f
+
+#### Format of SPAM_HEADER
+#
+# formatting characters:
+#
+# h - spam_header_name, e.g. "X-Bogosity"
+#
+# c - classification, e.g. Yes/No, Spam/Ham/Unsure, +/-/?
+#
+# D - date, fixed ISO-8601 format for Universal Time ("GMT")
+#
+# e - spamicity as 'e' format
+# f - spamicity as 'f' format
+# g - spamicity as 'g' format
+#
+# A - IP address (from first Received: statement having one)
+# Not guaranteed to be the originating address of the message.
+# I - Message ID
+# Q - Queue ID (from first id tag found in Received: headers)
+#
+# l - logging tag (from '-l' option)
+#
+# o - spam_cutoff, ex. cutoff=%o
+#
+# p - spamicity value
+# d - if ham or unsure, the spamicity
+# if spam, difference of spamicity from 1.0
+#
+# r - runtype
+# w - word count
+# m - message count
+#
+# u - username - this will either be the login from getlogin(),
+# if that is empty, the pw_name obtained from
+# the password database, or the user id
+# prefixed by #, for instance, #1003
+#
+# v - version
+#
+# customizable messages:
+#
+# header_format - the "X-Bogosity" line that '-p' adds to
+# the message header and '-v' outputs.
+# terse_format - an abbreviated form of header_format;
+# selected by command line option '-t'
+# log_header_format - written to syslog by '-u' option
+# when classifying messages.
+# log_update_format - written to syslog by '-u' option
+# when registering messages.
+#
+#
+header_format = %h: %c, tests=bogofilter, spamicity=%p, version=%v
+terse_format = %1.1c %f
+#log_header_format = %h: %c, spamicity=%p, version=%v
+#log_update_format = register-%r, %w words, %m messages
+##log_header_format = %h: %c, spamicity=%f, ipaddr=%A, queueID=%Q, msgID=%I, version=%v
+
+#### TERSE
+#
+# if enabled, format the X-Bogosity using the 'terse_format' specificaton.
+#
+terse=no # default
+##terse=yes # (alternate)
+
+
+########### Tokenizer Settings ######################################
+
+#### BLOCK ON SUBNETS
+#
+# convert IPADDRs into a special token, url:1.2.3.4,
+# and also return url:1.2.3, url:1.2, and url:1
+# to allow identifying spammers by ip address / subnets.
+#
+#block_on_subnets=no
+
+#### CHARSET handling
+#
+# specify default charset
+#
+charset_default=iso-8859-1 # default
+#charset_default=us-ascii # (alternate)
+##charset_default=cp866 # for Russian
+
+#### REPLACE_NONASCII_CHARACTERS
+#
+# replace non-7bit chars with '?'
+#
+#replace_nonascii_characters=N # default
+##replace_nonascii_characters=Y # (alternate)
+
+#### UNICODE handling
+#
+# boolean indicating whether raw storage (no) or unicode (yes)
+# is the default encoding for the wordlist
+#
+#unicode=yes # default
+##unicode=no # (alternate)
+
+#### lexer parameters
+#
+# minimum and maximum lengths for single tokens
+#
+#min-token-len=3 # default
+#max-token-len=30 # default
+#
+# count and length for multi-word tokens
+# Note: if length not specified, defaults to
+# multi-token-count * max-token-len (approx)
+#
+#multi-token-count=1 # default
+#max-multi-token-len=0 # default
+
+########### Classification Constants Settings #######################
+#
+# See man page for a more detailled description of the parameters.
+
+#### MINIMUM DEVIATION
+#
+# if token spamicity closer to EVEN_ODDS (0.5)
+# than MIN_DEV, don't use the word in the
+# spamicity calculation
+#
+#min_dev=0.375 # default
+
+#### Robinson Constants
+#
+# floating point values for
+# Robinson S and X coefficients.
+#
+#robs=0.0178 # default
+#robx=0.52 # default
+
+#### CUTOFF Values
+#
+# both ham_cutoff and spam_cutoff are allowed.
+# setting ham_cutoff to a non-zero value will
+# enable tri-state results (Spam/Ham/Unsure).
+#
+#ham_cutoff = 0.45 # default
+#spam_cutoff= 0.99 # default
+#
+# for two-state classification:
+#
+##ham_cutoff = 0.00 # default
+##spam_cutoff = 0.99 # default
+
+#### Effective Size Factor Values
+#
+#ns_esf = 1.000 # default
+#sp_esf = 1.000 # default
+
+#### Auto-update threshold
+#
+# Skip autoupdating if the spamicity is within this value
+# of 0.000000 (surely ham) or 1.000000 (surely spam).
+#
+## thresh_update=0.01 # (optional)
+
+#### token count parameters
+#
+# coerce the number of tokens used to score a message
+# Note: zero means no coercing
+#
+##token_count=0 # default
+##token_count_min=0 # default
+##token_count_max=0 # default
diff --git a/server/setup/05-service-settings/etc/dovecot/conf.d.diff b/server/setup/05-service-settings/etc/dovecot/conf.d.diff
new file mode 100644
index 0000000..2e617cf
--- /dev/null
+++ b/server/setup/05-service-settings/etc/dovecot/conf.d.diff
@@ -0,0 +1,355 @@
+diff -Nur conf.d.orig/10-auth.conf conf.d/10-auth.conf
+--- conf.d.orig/10-auth.conf 2013-02-05 02:03:27.000000000 +0100
++++ conf.d/10-auth.conf 2013-06-05 22:38:44.722493000 +0200
+@@ -6,20 +6,20 @@
+ # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+ # matches the local IP (ie. you're connecting from the same computer), the
+ # connection is considered secure and plaintext authentication is allowed.
+-#disable_plaintext_auth = yes
++disable_plaintext_auth = yes
+
+ # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
+ # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
+-#auth_cache_size = 0
++auth_cache_size = 10M
+ # Time to live for cached data. After TTL expires the cached record is no
+ # longer used, *except* if the main database lookup returns internal failure.
+ # We also try to handle password changes automatically: If user's previous
+ # authentication was successful, but this one wasn't, the cache isn't used.
+ # For now this works only with plaintext authentication.
+-#auth_cache_ttl = 1 hour
++auth_cache_ttl = 1 hour
+ # TTL for negative hits (user not found, password mismatch).
+ # 0 disables caching them completely.
+-#auth_cache_negative_ttl = 1 hour
++auth_cache_negative_ttl = 1 hour
+
+ # Space separated list of realms for SASL authentication mechanisms that need
+ # them. You can leave it empty if you don't want to support multiple realms.
+diff -Nur conf.d.orig/10-logging.conf conf.d/10-logging.conf
+--- conf.d.orig/10-logging.conf 2013-02-05 02:03:27.000000000 +0100
++++ conf.d/10-logging.conf 2013-06-05 22:38:44.722879000 +0200
+@@ -5,6 +5,7 @@
+ # Log file to use for error messages. "syslog" logs to syslog,
+ # /dev/stderr logs to stderr.
+ #log_path = syslog
++log_path = /var/log/dovecot.log
+
+ # Log file to use for informational messages. Defaults to log_path.
+ #info_log_path =
+@@ -14,14 +15,14 @@
+ # Syslog facility to use if you're logging to syslog. Usually if you don't
+ # want to use "mail", you'll use local0..local7. Also other standard
+ # facilities are supported.
+-#syslog_facility = mail
++syslog_facility = mail
+
+ ##
+ ## Logging verbosity and debugging.
+ ##
+
+ # Log unsuccessful authentication attempts and the reasons why they failed.
+-#auth_verbose = no
++auth_verbose = yes
+
+ # In case of password mismatches, log the attempted password. Valid values are
+ # no, plain and sha1. sha1 can be useful for detecting brute force password
+diff -Nur conf.d.orig/10-mail.conf conf.d/10-mail.conf
+--- conf.d.orig/10-mail.conf 2013-02-05 02:03:27.000000000 +0100
++++ conf.d/10-mail.conf 2013-06-05 22:44:18.646267000 +0200
+@@ -27,7 +27,10 @@
+ #
+ # <doc/wiki/MailLocation.txt>
+ #
+-mail_location = mbox:~/mail:INBOX=/var/mail/%u
++# mail_location = mbox:~/mail:INBOX=/var/mail/%u
++# mail_location =
++# mail_location = mbox:~/mail:INBOX=/var/mail/%u
++mail_location = mdbox:~/mdbox
+
+ # If you need to set multiple mailbox locations or want to change default
+ # namespace settings, you can do it by defining namespace sections.
+@@ -41,7 +44,7 @@
+ # on filesystem level to do so.
+ namespace inbox {
+ # Namespace type: private, shared or public
+- #type = private
++ type = private
+
+ # Hierarchy separator to use. You should use the same separator for all
+ # namespaces or some clients get confused. '/' is usually a good one.
+@@ -65,38 +68,51 @@
+ # useful when converting from another server with different namespaces which
+ # you want to deprecate but still keep working. For example you can create
+ # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
+- #hidden = no
++ hidden = no
+
+ # Show the mailboxes under this namespace with LIST command. This makes the
+ # namespace visible for clients that don't support NAMESPACE extension.
+ # "children" value lists child mailboxes, but hides the namespace prefix.
+- #list = yes
++ list = yes
+
+ # Namespace handles its own subscriptions. If set to "no", the parent
+ # namespace handles them (empty prefix should always have this as "yes")
+- #subscriptions = yes
++ subscriptions = yes
++}
++
++namespace local {
++ type = private
++ separator = /
++ prefix = Maildir/
++ location = maildir:~/Maildir
++ inbox = no
++ hidden = no
++ list = yes
++ subscriptions = no
+ }
+
+ # Example shared namespace configuration
+-#namespace {
+- #type = shared
+- #separator = /
++namespace {
++ type = shared
++ separator = /
+
+ # Mailboxes are visible under "shared/user@domain/"
+ # %%n, %%d and %%u are expanded to the destination user.
+- #prefix = shared/%%u/
++ prefix = shared/%%u/
+
+ # Mail location for other users' mailboxes. Note that %variables and ~/
+ # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
+ # destination user's data.
+ #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
++ location = mdbox:%%h/mdbox/
+
+ # Use the default namespace for saving subscriptions.
+- #subscriptions = no
++ subscriptions = no
+
+ # List the shared/ namespace only if there are visible shared mailboxes.
+- #list = children
+-#}
++ list = children
++}
++
+ # Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
+ #mail_shared_explicit_inbox = yes
+
+@@ -116,7 +132,7 @@
+ # dangerous to set these if users can create symlinks (e.g. if "mail" group is
+ # set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
+ # mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
+-#mail_access_groups =
++mail_access_groups = mail
+
+ # Allow full filesystem access to clients. There's no access checks other than
+ # what the operating system does for the active UID/GID. It works with both
+@@ -194,14 +210,14 @@
+
+ # UNIX socket path to master authentication server to find users.
+ # This is used by imap (for shared users) and lda.
+-#auth_socket_path = /var/run/dovecot/auth-userdb
++auth_socket_path = /var/run/dovecot/auth-userdb
+
+ # Directory where to look up mail plugins.
+ #mail_plugin_dir = /usr/lib/dovecot/modules
+
+ # Space separated list of plugins to load for all services. Plugins specific to
+ # IMAP, LDA, etc. are added to this list in their own .conf files.
+-#mail_plugins =
++mail_plugins = acl
+
+ ##
+ ## Mailbox handling optimizations
+diff -Nur conf.d.orig/10-master.conf conf.d/10-master.conf
+--- conf.d.orig/10-master.conf 2013-02-05 02:03:27.000000000 +0100
++++ conf.d/10-master.conf 2013-06-06 00:25:02.628967000 +0200
+@@ -17,10 +17,11 @@
+ service imap-login {
+ inet_listener imap {
+ #port = 143
++ port = 0
+ }
+ inet_listener imaps {
+- #port = 993
+- #ssl = yes
++ port = 993
++ ssl = yes
+ }
+
+ # Number of connections to handle before starting a new process. Typically
+@@ -38,10 +39,11 @@
+ service pop3-login {
+ inet_listener pop3 {
+ #port = 110
++ port = 0
+ }
+ inet_listener pop3s {
+- #port = 995
+- #ssl = yes
++ port = 995
++ ssl = yes
+ }
+ }
+
+@@ -62,6 +64,7 @@
+ # Most of the memory goes to mmap()ing files. You may need to increase this
+ # limit if you have huge mailboxes.
+ #vsz_limit = $default_vsz_limit
++ vsz_limit = 2048M
+
+ # Max. number of IMAP processes (connections)
+ #process_limit = 1024
+diff -Nur conf.d.orig/10-ssl.conf conf.d/10-ssl.conf
+--- conf.d.orig/10-ssl.conf 2013-02-05 02:03:27.000000000 +0100
++++ conf.d/10-ssl.conf 2013-06-06 00:30:58.227832000 +0200
+@@ -4,13 +4,16 @@
+
+ # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+ #ssl = yes
++ssl = required
+
+ # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+ # dropping root privileges, so keep the key file unreadable by anyone but
+ # root. Included doc/mkcert.sh can be used to easily generate self-signed
+ # certificate, just make sure to update the domains in dovecot-openssl.cnf
+-ssl_cert = </etc/dovecot/dovecot.pem
+-ssl_key = </etc/dovecot/private/dovecot.pem
++#ssl_cert = </etc/dovecot/dovecot.pem
++#ssl_key = </etc/dovecot/private/dovecot.pem
++ssl_cert = </etc/ssl/local/jogamp2013-hostcert.pem
++ssl_key = </etc/ssl/local/jogamp2013-hostkey.mail.pem
+
+ # If key file is password protected, give the password here. Alternatively
+ # give it when starting dovecot with -p parameter. Since this file is often
+@@ -22,6 +25,7 @@
+ # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
+ # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
+ #ssl_ca =
++ssl_ca = </etc/ssl/local/thawte-SSL123_CA_Bundle.pem
+
+ # Require that CRL check succeeds for client certificates.
+ #ssl_require_crl = yes
+diff -Nur conf.d.orig/15-lda.conf conf.d/15-lda.conf
+--- conf.d.orig/15-lda.conf 2013-02-05 02:03:27.000000000 +0100
++++ conf.d/15-lda.conf 2013-06-05 22:38:44.724403000 +0200
+@@ -37,12 +37,12 @@
+ #lda_original_recipient_header =
+
+ # Should saving a mail to a nonexistent mailbox automatically create it?
+-#lda_mailbox_autocreate = no
++lda_mailbox_autocreate = yes
+
+ # Should automatically created mailboxes be also automatically subscribed?
+-#lda_mailbox_autosubscribe = no
++lda_mailbox_autosubscribe = yes
+
+ protocol lda {
+ # Space separated list of plugins to load (default is global mail_plugins).
+- #mail_plugins = $mail_plugins
++ mail_plugins = $mail_plugins sieve
+ }
+diff -Nur conf.d.orig/20-imap.conf conf.d/20-imap.conf
+--- conf.d.orig/20-imap.conf 2013-02-05 02:03:27.000000000 +0100
++++ conf.d/20-imap.conf 2013-06-05 22:38:44.724715000 +0200
+@@ -14,6 +14,7 @@
+
+ # Space separated list of plugins to load (default is global mail_plugins).
+ #mail_plugins = $mail_plugins
++ mail_plugins = $mail_plugins imap_acl
+
+ # IMAP logout format string:
+ # %i - total number of bytes read from client
+diff -Nur conf.d.orig/20-lmtp.conf conf.d/20-lmtp.conf
+--- conf.d.orig/20-lmtp.conf 2013-02-05 02:03:27.000000000 +0100
++++ conf.d/20-lmtp.conf 2013-06-05 22:38:44.725026000 +0200
+@@ -12,5 +12,5 @@
+
+ protocol lmtp {
+ # Space separated list of plugins to load (default is global mail_plugins).
+- #mail_plugins = $mail_plugins
++ mail_plugins = $mail_plugins sieve
+ }
+diff -Nur conf.d.orig/20-managesieve.conf conf.d/20-managesieve.conf
+--- conf.d.orig/20-managesieve.conf 2013-02-05 02:03:27.000000000 +0100
++++ conf.d/20-managesieve.conf 2013-06-06 01:10:53.662647000 +0200
+@@ -4,7 +4,7 @@
+
+ # Service definitions
+
+-#service managesieve-login {
++service managesieve-login {
+ #inet_listener sieve {
+ # port = 4190
+ #}
+@@ -23,16 +23,16 @@
+
+ # If you set service_count=0, you probably need to grow this.
+ #vsz_limit = 64M
+-#}
++}
+
+-#service managesieve {
++service managesieve {
+ # Max. number of ManageSieve processes (connections)
+ #process_count = 1024
+-#}
++}
+
+ # Service configuration
+
+-#protocol sieve {
++protocol sieve {
+ # Maximum ManageSieve command line length in bytes. ManageSieve usually does
+ # not involve overly long command lines, so this setting will not normally
+ # need adjustment
+@@ -70,4 +70,4 @@
+
+ # Refer to 90-sieve.conf for script quota configuration and configuration of
+ # Sieve execution limits.
+-#}
++}
+diff -Nur conf.d.orig/90-acl.conf conf.d/90-acl.conf
+--- conf.d.orig/90-acl.conf 2013-02-05 02:03:27.000000000 +0100
++++ conf.d/90-acl.conf 2013-06-05 23:41:19.326258000 +0200
+@@ -9,7 +9,7 @@
+ # specifies how many seconds to wait between stat()ing dovecot-acl file
+ # to see if it changed.
+ plugin {
+- #acl = vfile:/etc/dovecot/global-acls:cache_secs=300
++ acl = vfile:/etc/dovecot/global-acls:cache_secs=300
+ }
+
+ # To let users LIST mailboxes shared by other users, Dovecot needs a
+diff -Nur conf.d.orig/90-sieve.conf conf.d/90-sieve.conf
+--- conf.d.orig/90-sieve.conf 2013-02-05 02:03:27.000000000 +0100
++++ conf.d/90-sieve.conf 2013-06-05 22:38:44.726032000 +0200
+@@ -17,6 +17,7 @@
+ # --> See sieve_before fore executing scripts before the user's personal
+ # script.
+ #sieve_default = /var/lib/dovecot/sieve/default.sieve
++ sieve_default = /var/lib/dovecot/sieve/global/default.sieve
+
+ # Directory for :personal include scripts for the include extension. This
+ # is also where the ManageSieve service stores the user's scripts.
+@@ -24,6 +25,7 @@
+
+ # Directory for :global include scripts for the include extension.
+ #sieve_global_dir =
++ sieve_global_dir = /var/lib/dovecot/sieve/global/
+
+ # Path to a script file or a directory containing script files that need to be
+ # executed before the user's script. If the path points to a directory, all
+@@ -34,6 +36,7 @@
+ #sieve_before =
+ #sieve_before2 =
+ #sieve_before3 = (etc...)
++ sieve_before = /var/lib/dovecot/sieve/prologue.sieve
+
+ # Identical to sieve_before, only the specified scripts are executed after the
+ # user's script (only when keep is still in effect!). Multiple script file or
diff --git a/server/setup/05-service-settings/etc/dovecot/dovecot.conf.diff b/server/setup/05-service-settings/etc/dovecot/dovecot.conf.diff
new file mode 100644
index 0000000..d37ff28
--- /dev/null
+++ b/server/setup/05-service-settings/etc/dovecot/dovecot.conf.diff
@@ -0,0 +1,19 @@
+--- dovecot.conf.orig 2013-02-05 02:03:27.000000000 +0100
++++ dovecot.conf 2013-06-05 22:36:52.290033000 +0200
+@@ -18,6 +18,7 @@
+
+ # Enable installed protocols
+ !include_try /usr/share/dovecot/protocols.d/*.protocol
++# protocols = imaps pop3s sieve lmtp
+
+ # A comma separated list of IPs or hosts where to listen in for connections.
+ # "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
+@@ -35,7 +36,7 @@
+ #instance_name = dovecot
+
+ # Greeting message for clients.
+-#login_greeting = Dovecot ready.
++login_greeting = jogamp.org is ready.
+
+ # Space separated list of trusted network ranges. Connections from these
+ # IPs are allowed to override their IP addresses and ports (for logging and
diff --git a/server/setup/05-service-settings/etc/logrotate.conf b/server/setup/05-service-settings/etc/logrotate.conf
new file mode 100644
index 0000000..3860fd4
--- /dev/null
+++ b/server/setup/05-service-settings/etc/logrotate.conf
@@ -0,0 +1,32 @@
+# see "man logrotate" for details
+# rotate log files weekly
+weekly
+
+# keep 48 weeks (a year) worth of backlogs
+rotate 48
+
+# create new (empty) log files after rotating old ones
+create
+
+# uncomment this if you want your log files compressed
+compress
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# no packages own wtmp, or btmp -- we'll rotate them here
+/var/log/wtmp {
+ missingok
+ monthly
+ create 0664 root utmp
+ rotate 1
+}
+
+/var/log/btmp {
+ missingok
+ monthly
+ create 0660 root utmp
+ rotate 1
+}
+
+# system-specific logs may be configured here
diff --git a/server/setup/05-service-settings/etc/logrotate.d/rsyslog b/server/setup/05-service-settings/etc/logrotate.d/rsyslog
new file mode 100644
index 0000000..cb5d25f
--- /dev/null
+++ b/server/setup/05-service-settings/etc/logrotate.d/rsyslog
@@ -0,0 +1,39 @@
+/var/log/syslog
+{
+ rotate 7
+ daily
+ missingok
+ notifempty
+ delaycompress
+ compress
+ postrotate
+ invoke-rc.d rsyslog rotate > /dev/null
+ endscript
+}
+
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+/var/log/firewall
+/var/log/dovecot.log
+{
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ invoke-rc.d rsyslog rotate > /dev/null
+ endscript
+}
diff --git a/server/setup/05-service-settings/etc/mail/access b/server/setup/05-service-settings/etc/mail/access
new file mode 100644
index 0000000..b5f0643
--- /dev/null
+++ b/server/setup/05-service-settings/etc/mail/access
@@ -0,0 +1,145 @@
+# /etc/mail/access
+# Copyright (c) 1998,2004 Richard Nelson <[email protected]>.
+# Time-stamp: <1998/10/27 10:00:00 cowboy>
+# GPL'd config file, please feed any gripes, suggestions, etc. to me
+#
+# Function:
+# Access Control for this smtp server - determines:
+# * Who we accept mail from
+# * Who we accept relaying from
+# * Who we will not send to
+#
+# Usage:
+# FEATURE(access_db[, type [-o] /etc/mail/access])dnl
+# makemap hash access < access
+#
+# Format:
+# lhs:
+# email addr <user@[host.domain]>
+# domain name unless FEATURE(relay_hosts_only) is used,
+# then this is a fqdn - and relay-domains ($=R)
+# must also be fqdns.
+# network number must end on an octet boundary, or
+# you're stuck going the longwinded way ;-{
+# rhs:
+# OK accept mail even if other rules in the
+# running ruleset would reject it.
+# RELAY Allow domain to relay through your SMTP
+# server. RELAY also serves an implicit
+# OK for the other checks.
+# REJECT reject the sender/recipient with a general
+# purpose message that can be customized.
+# confREJECT_MSG [550 Access denied] will be issued
+# DISCARD discard the message completely using
+# the $#discard mailer.
+# ### any text where ### is an RFC 821 compliant error code
+# and "any text" is a message to return for
+# the command
+# Examples:
+# FREE.STEALTH.MAILER@ 550 Spam not accepted
+#
+# Notes:
+# With FEATURE(blacklist_recipients) this is also possible:
+# badlocaluser 550 Mailbox disabled for this username
+# host.mydomain.com 550 That host does not accept mail
+# [email protected] 550 Mailbox disabled for this recipient
+#
+# Related:
+# define(`confREJECT_MSG', `550 Access denied')dnl
+# define(`confCR_FILE', `-o /etc/mail/relay-domains')dnl <<- $=R
+# FEATURE(relay_hosts_only)dnl
+# FEATURE(relay_entire_domain)dnl <<- relays any host in the $=m class
+# FEATURE(relay_based_on_MX)dnl <<- relaying for boxes MX'd to you
+# FEATURE(blacklist_recipients)dnl
+# FEATURE(rbl[,alternate server])dnl
+# FEATURE(orbs[,alternate server])dnl <<- Debian addition
+# FEATURE(orca[,alternate server])dnl <<- Debian addition
+# FEATURE(accept_unqualified_senders)dnl
+# FEATURE(accept_unresolvable_domains)dnl
+#
+# Local addresses 10.x.x.x, 127.x.x.x, 172.16-31.x.x 192.168.x.x can relay
+# Note Well! You *must* make sure these address can't be spoofed externally
+# Note, outbound relaying is controlled by connection and/or auth
+# If you're not firewalled, and you don't have a lan, comment these out
+# If you're not firewalled, and you have a lan, get firewalled *NOW*
+# GreetPause - delay to check for spammers
+# Client Connection rate (and #) control
+Connect:localhost RELAY
+GreetPause:localhost 0
+ClientRate:localhost 0
+ClientConn:localhost 0
+#Connect:10 RELAY
+#GreetPause:10 0
+#ClientRate:10 0
+#ClientConn:10 0
+Connect:127 RELAY
+GreetPause:127 0
+ClientRate:127 0
+ClientConn:127 0
+Connect:IPv6:::1 RELAY
+GreetPause:IPv6:::1 0
+ClientRate:IPv6:::1 0
+ClientConn:IPv6:::1 0
+#Connect:172.16 RELAY
+#Connect:172.17 RELAY
+#Connect:172.18 RELAY
+#Connect:172.19 RELAY
+#Connect:172.20 RELAY
+#Connect:172.21 RELAY
+#Connect:172.22 RELAY
+#Connect:172.23 RELAY
+#Connect:172.24 RELAY
+#Connect:172.25 RELAY
+#Connect:172.26 RELAY
+#Connect:172.27 RELAY
+#Connect:172.28 RELAY
+#Connect:172.29 RELAY
+#Connect:172.30 RELAY
+#Connect:172.31 RELAY
+#Connect:192.168 RELAY
+#GreetPause:192.168 0
+#ClientRate:192.168 0
+#ClientConn:192.168 0
+
+Connect:144.76.84.102 RELAY
+Connect:2a01:4f8:192:1165::2 RELAY
+GreetPause:144.76.84.102 0
+GreetPause:2a01:4f8:192:1165::2 0
+
+# Defaults
+GreetPause: 5000
+ClientRate: 10
+ClientConn: 10
+#
+# Don't offer AUTH on local network
+#SRV_Features:192.168.1 A
+#
+# Hosts with to allow relaying
+#
+#
+# Hosts that validly forward to me
+#GreetPause:<ip> 0
+#ClientRate:<ip> 30
+#ClientConn:<ip> 0
+#
+# Whitelisted users
+#
+Spam:postmaster@ FRIEND
+Spam:abuse@ FRIEND
+Spam:spam@ FRIEND
+#
+# Blacklisted users
+#
+#Connect:rampellsoft.com 554 Email directly, not through didtheyreadit.com
+reject@ REJECT
+#cyberpromo.com REJECT
+#From:[email protected] REJECT
+#
+# Block invalid IPs
+#
+#Connect:0 REJECT whilst invalid, this also blocks sendmail -bs -Am
+Connect:169.254 REJECT
+Connect:192.0.2 REJECT
+Connect:224 REJECT
+Connect:255 REJECT
diff --git a/server/setup/05-service-settings/etc/mail/local-host-names b/server/setup/05-service-settings/etc/mail/local-host-names
new file mode 100644
index 0000000..5261b0b
--- /dev/null
+++ b/server/setup/05-service-settings/etc/mail/local-host-names
@@ -0,0 +1,10 @@
+localhost
+jausoft.com
+mail.jausoft.com
+mcp.jausoft.com
+www.jausoft.com
+www.jausoft.org
+www.jausoft.net
+jausoft.com
+jausoft.org
+jausoft.net
diff --git a/server/setup/05-service-settings/etc/mail/mail.diff b/server/setup/05-service-settings/etc/mail/mail.diff
new file mode 100644
index 0000000..f8d0331
--- /dev/null
+++ b/server/setup/05-service-settings/etc/mail/mail.diff
@@ -0,0 +1,213 @@
+--- mail.orig/access 2013-06-05 13:30:08.812083000 +0200
++++ mail/access 2013-06-06 01:52:31.460642000 +0200
+@@ -101,6 +101,12 @@
+ #GreetPause:192.168 0
+ #ClientRate:192.168 0
+ #ClientConn:192.168 0
++
++Connect:144.76.84.101 RELAY
++Connect:2a01:4f8:192:1164::2 RELAY
++GreetPause:144.76.84.101 0
++GreetPause:2a01:4f8:192:1164::2 0
++
+ # Defaults
+ GreetPause: 5000
+ ClientRate: 10
+--- mail.orig/local-host-names 2013-06-05 13:30:08.803772000 +0200
++++ mail/local-host-names 2013-06-06 00:06:50.857480000 +0200
+@@ -1,2 +1,4 @@
+ localhost
++mail.jogamp.org
++www.jogamp.org
+ jogamp.org
+--- mail.orig/sendmail.mc 2013-06-05 13:30:07.254441000 +0200
++++ mail/sendmail.mc 2013-06-06 01:51:45.426125000 +0200
+@@ -40,6 +40,34 @@
+ undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS=
+ dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
+ dnl #
++
++dnl # default logging level is 9, you might want to set it higher to
++dnl # debug the configuration
++dnl #
++dnl define(`confLOG_LEVEL', `9')dnl
++dnl define(`confLOG_LEVEL', `22')dnl
++dnl #
++
++dnl #
++dnl # Uncomment and edit the following line if your outgoing mail needs to
++dnl # be sent out through an external mail server:
++dnl #
++dnl define(`SMART_HOST', `smtp.your.provider')dnl
++dnl define(`SMART_HOST', `smtp:mail.jogamp.org')dnl
++dnl define(`RELAY_MAILER_ARGS', `TCP $h 26')dnl
++dnl #
++define(`confDEF_USER_ID', ``8:12'')dnl
++dnl define(`confAUTO_REBUILD')dnl
++define(`confTO_CONNECT', `1m')dnl
++define(`confTO_COMMAND', `2m')dnl
++define(`confTRY_NULL_MX_LIST', `True')dnl
++define(`confDONT_PROBE_INTERFACES', `True')dnl
++define(`UUCP_MAILER_MAX', `2000000')dnl
++define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
++dnl #
++define(`ALIAS_FILE', `/etc/aliases')dnl
++define(`STATUS_FILE', `/var/log/mail/statistics')dnl
++
+ dnl # General defines
+ dnl #
+ dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot()
+@@ -52,15 +80,72 @@
+ dnl # Remove `, Addr=' clauses to receive from any interface
+ dnl # If you want to support IPv6, switch the commented/uncommentd lines
+ dnl #
++
+ FEATURE(`no_default_msa')dnl
+-dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
++
++DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
++DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=2a01:4f8:192:1164::2')dnl
+ DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl
+-dnl DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea, Addr=::1')dnl
++DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=144.76.84.101')dnl
++
++DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea, Addr=::1')dnl
+ DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, M=Ea, Addr=127.0.0.1')dnl
++
++DAEMON_OPTIONS(`Family=inet6, Name=TLSMTA-v6, Port=smtps, M=Eas, Addr=::1')dnl
++DAEMON_OPTIONS(`Family=inet6, Name=TLSMTA-v6, Port=smtps, M=Eas, Addr=2a01:4f8:192:1164::2')dnl
++DAEMON_OPTIONS(`Family=inet, Name=TLSMTA-v4, Port=smtps, M=Eas, Addr=127.0.0.1')dnl
++DAEMON_OPTIONS(`Family=inet, Name=TLSMTA-v4, Port=smtps, M=Eas, Addr=144.76.84.101')dnl
++
+ dnl #
+ dnl # Be somewhat anal in what we allow
+ define(`confPRIVACY_FLAGS',dnl
+ `needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
++dnl # define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,novrfy,noexpn,noetrn,noverb,restrictqrun')dnl
++
++dnl define(`confAUTH_OPTIONS', `A')dnl
++dnl #
++dnl # The following allows relaying if the user authenticates, and disallows
++dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
++dnl #
++dnl define(`confAUTH_OPTIONS', `A p')dnl
++define(`confAUTH_OPTIONS', `Apy')dnl
++dnl #
++dnl # PLAIN is the preferred plaintext authentication method and used by
++dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
++dnl # use LOGIN. Other mechanisms should be used if the connection is not
++dnl # guaranteed secure.
++dnl # Please remember that saslauthd needs to be running for AUTH.
++dnl #
++dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
++dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
++TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
++define(`confAUTH_MECHANISMS', `GSSAPI LOGIN PLAIN')dnl
++
++dnl #
++dnl # Rudimentary information on creating certificates for sendmail TLS:
++dnl # cd /usr/share/ssl/certs; make sendmail.pem
++dnl # Complete usage:
++dnl # make -C /usr/share/ssl/certs usage
++dnl #
++define(`confCACERT_PATH', `/etc/ssl/local')dnl
++dnl define(`confCACERT', `/etc/ssl/local/ca-my.crt')dnl
++dnl define(`confCRL', `/etc/ssl/local/ca-my.crl')dnl
++dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
++dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
++define(`confCACERT', `/etc/ssl/local/thawte-SSL123_CA_Bundle.pem')dnl
++define(`confSERVER_CERT', `/etc/ssl/local/jogamp2013-hostcert.pem')dnl
++define(`confSERVER_KEY', `/etc/ssl/local/jogamp2013-hostkey.mail.pem')dnl
++define(`confCLIENT_CERT', `/etc/ssl/local/jogamp2013-hostcert.pem')dnl
++define(`confCLIENT_KEY', `/etc/ssl/local/jogamp2013-hostcert.pem')dnl
++dnl #
++dnl define(`confTO_QUEUEWARN', `4h')dnl
++dnl define(`confTO_QUEUERETURN', `5d')dnl
++dnl define(`confQUEUE_LA', `12')dnl
++dnl define(`confREFUSE_LA', `18')dnl
++define(`confQUEUE_LA', `12')dnl
++define(`confREFUSE_LA', `18')dnl
++define(`confTO_IDENT', `0')dnl
++
+ dnl #
+ dnl # Define connection throttling and window length
+ define(`confCONNECTION_RATE_THROTTLE', `15')dnl
+@@ -68,15 +153,43 @@
+ dnl #
+ dnl # Features
+ dnl #
++
++dnl FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
++FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
++FEATURE(redirect)dnl
++FEATURE(always_add_domain)dnl
++dnl # Masquerading options
++MASQUERADE_AS(`jogamp.org')dnl
++dnl FEATURE(`allmasquerade')dnl
++FEATURE(`masquerade_envelope')dnl
++FEATURE(`masquerade_entire_domain')dnl
++
+ dnl # use /etc/mail/local-host-names
+ FEATURE(`use_cw_file')dnl
++dnl
++dnl # use /etc/mail/trusted-users
++dnl
++FEATURE(use_ct_file)dnl
++dnl #
++
++# define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
++# FEATURE(local_procmail, `', `/usr/bin/procmail -t -Y -a $h -d $u')dnl
++dnl #
++dnl # dovecot
++dnl #
++dnl FEATURE(local_procmail, `/usr/lib/dovecot/dovecot-lda', `/usr/lib/dovecot/dovecot-lda -d $u')dnl
++dnl MODIFY_MAILER_FLAGS(`LOCAL', `-f')dnl
++
+ dnl #
+ dnl # The access db is the basis for most of sendmail's checking
+-FEATURE(`access_db', , `skip')dnl
++dnl # FEATURE(`access_db', , `skip')dnl
++FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
+ dnl #
+ dnl # The greet_pause feature stops some automail bots - but check the
+ dnl # provided access db for details on excluding localhosts...
+-FEATURE(`greet_pause', `1000')dnl 1 seconds
++dnl # configured in file: access
++dnl FEATURE(`greet_pause', `1000')dnl 1 seconds
++FEATURE(`blacklist_recipients')dnl
+ dnl #
+ dnl # Delay_checks allows sender<->recipient checking
+ FEATURE(`delay_checks', `friend', `n')dnl
+@@ -97,8 +210,16 @@
+ include(`/etc/mail/m4/dialup.m4')dnl
+ include(`/etc/mail/m4/provider.m4')dnl
+ dnl #
++dnl # The following example makes mail from this host and any additional
++dnl # specified domains appear to be sent from mydomain.com
++dnl #
+ dnl # Default Mailer setup
+ MAILER_DEFINITIONS
+ MAILER(`local')dnl
+ MAILER(`smtp')dnl
++MAILER(`procmail')dnl
+
++dnl define(`FAX_MAILER_PATH',`/usr/bin/faxmail')dnl
++dnl define(`FAX_MAILER_ARGS',`faxmail -d -n -t done -R -s a4 -p 12pt $u@$h $f')dnl
++dnl define(`FAX_MAILER_MAX',`100000000')dnl
++dnl MAILER(`fax')dnl
+--- mail.orig/submit.mc 2013-06-05 13:30:07.256640000 +0200
++++ mail/submit.mc 2013-06-06 00:05:36.459064992 +0200
+@@ -44,6 +44,7 @@
+ dnl MASQUERADE_AS()dnl
+ dnl FEATURE(`masquerade_envelope')dnl
+ dnl #
++FEATURE(`use_ct_file')dnl
+ dnl #---------------------------------------------------------------------
+ dnl # The real reason we're here: the FEATURE(msp)
+ dnl # NOTE WELL: MSA (587) should have M=Ea, so we need to use stock 25
+--- mail.orig/virtusertable 1970-01-01 01:00:00.000000000 +0100
++++ mail/virtusertable 2013-06-06 02:02:58.162920000 +0200
+@@ -0,0 +1,3 @@
[email protected] mediastream
++
diff --git a/server/setup/05-service-settings/etc/mail/sendmail.mc b/server/setup/05-service-settings/etc/mail/sendmail.mc
new file mode 100644
index 0000000..32ec569
--- /dev/null
+++ b/server/setup/05-service-settings/etc/mail/sendmail.mc
@@ -0,0 +1,228 @@
+divert(-1)dnl
+#-----------------------------------------------------------------------------
+# $Sendmail: debproto.mc,v 8.14.4 2013-02-11 11:12:33 cowboy Exp $
+#
+# Copyright (c) 1998-2010 Richard Nelson. All Rights Reserved.
+#
+# cf/debian/sendmail.mc. Generated from sendmail.mc.in by configure.
+#
+# sendmail.mc prototype config file for building Sendmail 8.14.4
+#
+# Note: the .in file supports 8.7.6 - 9.0.0, but the generated
+# file is customized to the version noted above.
+#
+# This file is used to configure Sendmail for use with Debian systems.
+#
+# If you modify this file, you will have to regenerate /etc/mail/sendmail.cf
+# by running this file through the m4 preprocessor via one of the following:
+# * make (or make -C /etc/mail)
+# * sendmailconfig
+# * m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
+# The first two options are preferred as they will also update other files
+# that depend upon the contents of this file.
+#
+# The best documentation for this .mc file is:
+# /usr/share/doc/sendmail-doc/cf.README.gz
+#
+#-----------------------------------------------------------------------------
+divert(0)dnl
+#
+# Copyright (c) 1998-2005 Richard Nelson. All Rights Reserved.
+#
+# This file is used to configure Sendmail for use with Debian systems.
+#
+define(`_USE_ETC_MAIL_')dnl
+include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
+VERSIONID(`$Id: sendmail.mc, v 8.14.4-4 2013-02-11 11:12:33 cowboy Exp $')
+OSTYPE(`debian')dnl
+DOMAIN(`debian-mta')dnl
+dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
+undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS=
+dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
+dnl #
+
+dnl # default logging level is 9, you might want to set it higher to
+dnl # debug the configuration
+dnl #
+dnl define(`confLOG_LEVEL', `9')dnl
+dnl define(`confLOG_LEVEL', `22')dnl
+dnl #
+
+dnl #
+dnl # Uncomment and edit the following line if your outgoing mail needs to
+dnl # be sent out through an external mail server:
+dnl #
+dnl define(`SMART_HOST', `smtp.your.provider')dnl
+dnl define(`SMART_HOST', `smtp:mail.jausoft.com')dnl
+dnl define(`RELAY_MAILER_ARGS', `TCP $h 26')dnl
+dnl #
+define(`confDEF_USER_ID', ``8:12'')dnl
+dnl define(`confAUTO_REBUILD')dnl
+define(`confTO_CONNECT', `1m')dnl
+define(`confTO_COMMAND', `2m')dnl
+define(`confTRY_NULL_MX_LIST', `True')dnl
+define(`confDONT_PROBE_INTERFACES', `True')dnl
+define(`UUCP_MAILER_MAX', `2000000')dnl
+define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
+dnl #
+define(`ALIAS_FILE', `/etc/aliases')dnl
+define(`STATUS_FILE', `/var/log/mail/statistics')dnl
+
+dnl # General defines
+dnl #
+dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot()
+dnl # into this directory before writing files.
+dnl # If *all* your user accounts are under /home then use that
+dnl # instead - it will prevent any writes outside of /home !
+dnl # define(`confSAFE_FILE_ENV', `')dnl
+dnl #
+dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!!
+dnl # Remove `, Addr=' clauses to receive from any interface
+dnl # If you want to support IPv6, switch the commented/uncommentd lines
+dnl #
+
+FEATURE(`no_default_msa')dnl
+
+DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
+DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=2a01:4f8:192:1165::2')dnl
+DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl
+DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=144.76.84.102')dnl
+
+DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea, Addr=::1')dnl
+DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, M=Ea, Addr=127.0.0.1')dnl
+
+DAEMON_OPTIONS(`Family=inet6, Name=TLSMTA-v6, Port=smtps, M=Eas, Addr=::1')dnl
+DAEMON_OPTIONS(`Family=inet6, Name=TLSMTA-v6, Port=smtps, M=Eas, Addr=2a01:4f8:192:1165::2')dnl
+DAEMON_OPTIONS(`Family=inet, Name=TLSMTA-v4, Port=smtps, M=Eas, Addr=127.0.0.1')dnl
+DAEMON_OPTIONS(`Family=inet, Name=TLSMTA-v4, Port=smtps, M=Eas, Addr=144.76.84.102')dnl
+
+dnl #
+dnl # Be somewhat anal in what we allow
+define(`confPRIVACY_FLAGS',dnl
+`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
+dnl # define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,novrfy,noexpn,noetrn,noverb,restrictqrun')dnl
+
+dnl define(`confAUTH_OPTIONS', `A')dnl
+dnl #
+dnl # The following allows relaying if the user authenticates, and disallows
+dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
+dnl #
+dnl define(`confAUTH_OPTIONS', `A p')dnl
+define(`confAUTH_OPTIONS', `Apy')dnl
+dnl #
+dnl # PLAIN is the preferred plaintext authentication method and used by
+dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
+dnl # use LOGIN. Other mechanisms should be used if the connection is not
+dnl # guaranteed secure.
+dnl # Please remember that saslauthd needs to be running for AUTH.
+dnl #
+dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+define(`confAUTH_MECHANISMS', `GSSAPI LOGIN PLAIN')dnl
+
+dnl #
+dnl # Rudimentary information on creating certificates for sendmail TLS:
+dnl # cd /usr/share/ssl/certs; make sendmail.pem
+dnl # Complete usage:
+dnl # make -C /usr/share/ssl/certs usage
+dnl #
+define(`confCACERT_PATH', `/etc/ssl/local')dnl
+dnl define(`confCACERT', `/etc/ssl/local/ca-my.crt')dnl
+dnl define(`confCRL', `/etc/ssl/local/ca-my.crl')dnl
+dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
+dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confCACERT', `/etc/ssl/local/thawte-SSL123_CA_Bundle.pem')dnl
+define(`confSERVER_CERT', `/etc/ssl/local/jausoft2013-hostcert.pem')dnl
+define(`confSERVER_KEY', `/etc/ssl/local/jausoft2013-hostkey.mail.pem')dnl
+define(`confCLIENT_CERT', `/etc/ssl/local/jausoft2013-hostcert.pem')dnl
+define(`confCLIENT_KEY', `/etc/ssl/local/jausoft2013-hostcert.pem')dnl
+dnl #
+dnl define(`confTO_QUEUEWARN', `4h')dnl
+dnl define(`confTO_QUEUERETURN', `5d')dnl
+dnl define(`confQUEUE_LA', `12')dnl
+dnl define(`confREFUSE_LA', `18')dnl
+define(`confQUEUE_LA', `12')dnl
+define(`confREFUSE_LA', `18')dnl
+define(`confTO_IDENT', `0')dnl
+
+dnl #
+dnl # Define connection throttling and window length
+define(`confCONNECTION_RATE_THROTTLE', `15')dnl
+define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
+dnl #
+dnl # Features
+dnl #
+
+dnl FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
+FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
+FEATURE(redirect)dnl
+FEATURE(always_add_domain)dnl
+dnl # Masquerading options
+MASQUERADE_AS(`jausoft.com')dnl
+dnl MASQUERADE_AS(`jausoft.net')dnl
+dnl MASQUERADE_DOMAIN(`jordan.goethel.localnet')dnl
+dnl MASQUERADE_DOMAIN(`goethel.localnet')dnl
+dnl FEATURE(`allmasquerade')dnl
+FEATURE(`masquerade_envelope')dnl
+FEATURE(`masquerade_entire_domain')dnl
+
+dnl # use /etc/mail/local-host-names
+FEATURE(`use_cw_file')dnl
+dnl
+dnl # use /etc/mail/trusted-users
+dnl
+FEATURE(use_ct_file)dnl
+dnl #
+
+# define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
+# FEATURE(local_procmail, `', `/usr/bin/procmail -t -Y -a $h -d $u')dnl
+dnl #
+dnl # dovecot
+dnl #
+dnl FEATURE(local_procmail, `/usr/lib/dovecot/dovecot-lda', `/usr/lib/dovecot/dovecot-lda -d $u')dnl
+dnl MODIFY_MAILER_FLAGS(`LOCAL', `-f')dnl
+
+dnl #
+dnl # The access db is the basis for most of sendmail's checking
+dnl # FEATURE(`access_db', , `skip')dnl
+FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
+dnl #
+dnl # The greet_pause feature stops some automail bots - but check the
+dnl # provided access db for details on excluding localhosts...
+dnl # configured in file: access
+dnl FEATURE(`greet_pause', `1000')dnl 1 seconds
+FEATURE(`blacklist_recipients')dnl
+dnl #
+dnl # Delay_checks allows sender<->recipient checking
+FEATURE(`delay_checks', `friend', `n')dnl
+dnl #
+dnl # If we get too many bad recipients, slow things down...
+define(`confBAD_RCPT_THROTTLE',`3')dnl
+dnl #
+dnl # Stop connections that overflow our concurrent and time connection rates
+FEATURE(`conncontrol', `nodelay', `terminate')dnl
+FEATURE(`ratecontrol', `nodelay', `terminate')dnl
+dnl #
+dnl # If you're on a dialup link, you should enable this - so sendmail
+dnl # will not bring up the link (it will queue mail for later)
+dnl define(`confCON_EXPENSIVE',`True')dnl
+dnl #
+dnl # Dialup/LAN connection overrides
+dnl #
+include(`/etc/mail/m4/dialup.m4')dnl
+include(`/etc/mail/m4/provider.m4')dnl
+dnl #
+dnl # The following example makes mail from this host and any additional
+dnl # specified domains appear to be sent from mydomain.com
+dnl #
+dnl # Default Mailer setup
+MAILER_DEFINITIONS
+MAILER(`local')dnl
+MAILER(`smtp')dnl
+MAILER(`procmail')dnl
+
+dnl define(`FAX_MAILER_PATH',`/usr/bin/faxmail')dnl
+dnl define(`FAX_MAILER_ARGS',`faxmail -d -n -t done -R -s a4 -p 12pt $u@$h $f')dnl
+dnl define(`FAX_MAILER_MAX',`100000000')dnl
+dnl MAILER(`fax')dnl
diff --git a/server/setup/05-service-settings/etc/mail/submit.mc b/server/setup/05-service-settings/etc/mail/submit.mc
new file mode 100644
index 0000000..a304f44
--- /dev/null
+++ b/server/setup/05-service-settings/etc/mail/submit.mc
@@ -0,0 +1,58 @@
+divert(-1)dnl
+#-----------------------------------------------------------------------------
+# $Sendmail: submit.mc,v 8.14.4 2013-02-11 11:12:33 cowboy Exp $
+#
+# Copyright (c) 2000-2010 Richard Nelson. All Rights Reserved.
+#
+# cf/debian/submit.mc. Generated from submit.mc.in by configure.
+#
+# submit.mc prototype config file for building Sendmail 8.14.4
+#
+# Note: the .in file supports 8.7.6 - 9.0.0, but the generated
+# file is customized to the version noted above.
+#
+# This file is used to configure Sendmail for use with Debian systems.
+#
+# If you modify this file, you will have to regenerate /etc/mail/submit.cf
+# by running this file through the m4 preprocessor via one of the following:
+# * make (or make -C /etc/mail)
+# * sendmailconfig
+# * m4 /etc/mail/submit.mc > /etc/mail/submit.cf
+# The first two options are preferred as they will also update other files
+# that depend upon the contents of this file.
+#
+# The best documentation for this .mc file is:
+# /usr/share/doc/sendmail-doc/cf.README.gz
+#
+#-----------------------------------------------------------------------------
+divert(0)dnl
+#
+# Copyright (c) 2000-2002 Richard Nelson. All Rights Reserved.
+#
+# This file is used to configure Sendmail for use with Debian systems.
+#
+define(`_USE_ETC_MAIL_')dnl
+include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
+VERSIONID(`$Id: submit.mc, v 8.14.4-4 2013-02-11 11:12:33 cowboy Exp $')
+OSTYPE(`debian')dnl
+DOMAIN(`debian-msp')dnl
+dnl #
+dnl #---------------------------------------------------------------------
+dnl # Masquerading information, if needed, should go here
+dnl # You likely will not need this, as the MTA will do it
+dnl #---------------------------------------------------------------------
+dnl MASQUERADE_AS()dnl
+dnl FEATURE(`masquerade_envelope')dnl
+dnl #
+FEATURE(`use_ct_file')dnl
+dnl #---------------------------------------------------------------------
+dnl # The real reason we're here: the FEATURE(msp)
+dnl # NOTE WELL: MSA (587) should have M=Ea, so we need to use stock 25
+dnl #---------------------------------------------------------------------
+FEATURE(`msp', `[127.0.0.1]', `25')dnl
+dnl #
+dnl #---------------------------------------------------------------------
+dnl # Some minor cleanup from FEATURE(msp)
+dnl #---------------------------------------------------------------------
+dnl #
+dnl #---------------------------------------------------------------------
diff --git a/server/setup/05-service-settings/etc/mail/virtusertable b/server/setup/05-service-settings/etc/mail/virtusertable
new file mode 100644
index 0000000..af7dcd0
--- /dev/null
+++ b/server/setup/05-service-settings/etc/mail/virtusertable
@@ -0,0 +1,33 @@
+
+
+
+
+
diff --git a/server/setup/05-service-settings/etc/procmailrc b/server/setup/05-service-settings/etc/procmailrc
new file mode 100644
index 0000000..08c0492
--- /dev/null
+++ b/server/setup/05-service-settings/etc/procmailrc
@@ -0,0 +1,29 @@
+# file: /etc/procmailrc
+# system-wide settings for procmail
+SHELL="/bin/bash"
+SENDMAIL="/usr/sbin/sendmail -oi -t"
+LOGFILE="/var/log/procmail.log"
+DELIVER="/usr/lib/dovecot/deliver"
+
+# filter mail through bogofilter, tagging it as Ham, Spam, or Unsure,
+# and updating the wordlist
+:0fw
+| /usr/bin/bogofilter -uep
+
+# if bogofilter failed, return the mail to the queue;
+# the MTA will retry to deliver it later
+# 75 is the value for EX_TEMPFAIL in /usr/include/sysexits.h
+:0e
+{ EXITCODE=75 HOST }
+
+# deliver to dovecot
+#
+:0 w
+| $DELIVER -d $LOGNAME
+
+# if deliver failed, return the mail to the queue;
+# the MTA will retry to deliver it later
+# 75 is the value for EX_TEMPFAIL in /usr/include/sysexits.h
+:0e
+{ EXITCODE=75 HOST }
+
diff --git a/server/setup/05-service-settings/etc/rsyslog.conf b/server/setup/05-service-settings/etc/rsyslog.conf
new file mode 100644
index 0000000..e4bf2cd
--- /dev/null
+++ b/server/setup/05-service-settings/etc/rsyslog.conf
@@ -0,0 +1,123 @@
+# /etc/rsyslog.conf Configuration file for rsyslog.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog # provides kernel logging support
+#$ModLoad immark # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+kern.debug -/var/log/firewall
+
+#
+# First some standard log files. Log by facility.
+#
+auth,authpriv.* /var/log/auth.log
+*.*;auth,authpriv.none;kern.!=debug;mail.none -/var/log/syslog
+#cron.* /var/log/cron.log
+daemon.* -/var/log/daemon.log
+kern.*;;kern.!=debug -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+mail.* -/var/log/mail.log
+user.* -/var/log/user.log
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+news.crit /var/log/news/news.crit
+news.err /var/log/news/news.err
+news.notice -/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;kern.!=debug;\
+ auth,authpriv.none;\
+ news.none;mail.none -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+ auth,authpriv.none;\
+ cron,daemon.none;\
+ mail,news.none -/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg :omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+# news.=crit;news.=err;news.=notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn /dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+# $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+# busy site..
+#
+daemon.*;mail.*;\
+ news.err;\
+ *.=debug;*.=info;\
+ *.=notice;*.=warn |/dev/xconsole
diff --git a/server/setup/05-service-settings/var/lib/dovecot/sieve/global/default.sieve b/server/setup/05-service-settings/var/lib/dovecot/sieve/global/default.sieve
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/server/setup/05-service-settings/var/lib/dovecot/sieve/global/default.sieve
@@ -0,0 +1 @@
+
diff --git a/server/setup/05-service-settings/var/lib/dovecot/sieve/prologue.sieve b/server/setup/05-service-settings/var/lib/dovecot/sieve/prologue.sieve
new file mode 100644
index 0000000..c66db85
--- /dev/null
+++ b/server/setup/05-service-settings/var/lib/dovecot/sieve/prologue.sieve
@@ -0,0 +1,11 @@
+require ["copy", "fileinto", "mailbox"];
+
+#
+# Spam First
+#
+if header :matches "X-Bogosity" "Spam*" {
+ fileinto :create "0-Spam";
+} elsif header :matches "X-Bogosity" "Unsure*" {
+ fileinto :create :copy "0-Spam-unsure-copy";
+}
+