17 files changed, 1694 insertions, 0 deletions
diff --git a/server/setup/05-service-settings/README.txt b/server/setup/05-service-settings/README.txt new file mode 100644 index 0000000..2cf28cc --- /dev/null +++ b/server/setup/05-service-settings/README.txt 
@@ -0,0 +1,108 @@ +All template files are .. underneath in ./etc + +Debian 7.00 (Wheezy) + +01 stop all running services .. + /etc/init.d/apache2 stop + /etc/init.d/sendmail stop + /etc/init.d/dovecot stop + /etc/init.d/mysql stop + /etc/init.d/saslauthd stop + +01 logging + - firewall logging: + /etc/rsyslog.conf: firewall rules, kern.debug / kern.=!debug + /etc/init.d/rsyslog restart + + - logrotate + /etc/logrotate.conf: compress, 48 weeks + /etc/logrotate.d/rsyslog: Add /var/log/firewall and /var/log/dovecot.log + +03 move all users + - mv /data/backup/home/* /home/ + - for all groups: groupadd -g GID groupname + - for all users: useradd -M -N -u UID -g GID username + - for all users: usermod -a -G GID1,GID2,.. username + - cd /data/backup/var/spool/mail ; (check names, remove unused ..) ; mv * /var/spool/mail/ + +04 move other stuff + - Old Logs + - mv /data/backup/var/log /var/log/old_logs + + - MySQL + - old server: backup DB + - run backup-mysql.sh on old server, result is e.g. backup-mysqldb-20130605162509.sql + + - new server: import DB + - get backup backup-mysqldb-20130605162509.sql + - /etc/init.d/mysql start + - backup-1: backup-mysql.sh + - mysql --user=root --password < backup-mysqldb-20130605162509.sql + - backup-2: backup-mysql.sh + - mysqlcheck --user=root --password --all-databases + + - Services + - mv /data/backup/srv/* /srv/ + +05 config procmail + copy /etc/procmailrc + +06 bogofilter + copy /etc/bogofilter.cf + Init empty wordlist.db: + touch nope + cat nope | bogoutil -l /var/spool/bogofilter/wordlist.db + rm nope + +07 sasl2 + /etc/sasl2/Sendmail.conf + /etc/default/saslauthd: start=yes + /etc/init.d/saslauthd start + +08 dovecot 2.1.7-7 + - features: + - requires ssl + - ipv4 / ipv6 + - smtps + - pop3s + - sieve (tls) + + - Sync config files in /etc/dovecot/ + with etc/dovecot/dovecot.conf.diff and etc/dovecot/conf.d.diff + + - mkdir -p /var/lib/dovecot/sieve/global/ + - chmod ugo+rx /var/lib/dovecot + - copy 
/var/lib/dovecot/sieve/global/default.sieve + - cd /var/lib/dovecot/sieve/global ; sievec default.sieve + - copy /var/lib/dovecot/sieve/prologue.sieve + - cd /var/lib/dovecot/sieve ; sievec prologue.sieve + + - migrate old INBOX: + for each user: + dsync mirror mbox:~/mail:INBOX=/var/mail/USERNAME + su dstrohlein -c "dsync mirror mbox:~/mail:INBOX=/var/mail/dstrohlein ; echo OK" + + - /etc/init.d/dovecot start + + +09 sendmail 8.14.4-4 + - features: + - requires ssl for auth + - ipv4 / ipv6 + + - /etc/mail + - Sync config files in /etc/mail with: etc/mail/mail.diff + - sendmail.mc + - submit.mc + - access + - local-host-names + - virtusertable + + - /etc + - aliases + + - cd /etc/mail + - make + + /etc/init.d/sendmail start + diff --git a/server/setup/05-service-settings/backup-mysql.sh b/server/setup/05-service-settings/backup-mysql.sh new file mode 100644 index 0000000..0490e3b --- /dev/null +++ b/server/setup/05-service-settings/backup-mysql.sh @@ -0,0 +1,8 @@ +#! /bin/sh + +fname="/data/backup/backup-mysqldb-`date +%Y%m%d%H%M%S`.sql" +mysqldump --verbose --user=root --password --all-databases > $fname +echo dumped to $fname + +# 1076 mysql --user=root --password < bugzilla_db_clean.sql + diff --git a/server/setup/05-service-settings/etc/bogofilter.cf b/server/setup/05-service-settings/etc/bogofilter.cf new file mode 100644 index 0000000..84ac4bc --- /dev/null +++ b/server/setup/05-service-settings/etc/bogofilter.cf 
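Review bot: In backup-mysql.sh the exit status of mysqldump is never checked, so `echo dumped to $fname` reports success even when the dump failed or was cut short, and the `--all-databases` dump (which also carries the grant tables) is created under whatever umask the caller happens to have. I would put `umask 077` before the redirect and only print on success: `mysqldump --verbose --user=root --password --all-databases > "$fname" || exit 1` followed by the echo, quoting `"$fname"` in both places. The trailing `# 1076 mysql --user=root --password < bugzilla_db_clean.sql` reads like a pasted shell-history entry; either rewrite it as a sentence explaining when a restore is done that way or drop it.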
@@ -0,0 +1,282 @@ +########### Sample BOGOFILTER Configuration File ########################### + +# $Id: bogofilter.cf.example 6811 2009-02-21 20:32:50Z relson $ + +# Default settings (as defined in the bogofilter source code) +# have a single hash mark at the beginning of the line. + +# Alternate values have two hash marks. + +# Comment lines MUST have their hash mark in the leftmost column. +# Comments can be added at the end of any line (after whitespace and a '#'). +# Blank lines are allowed. + +########### General Settings ######################################## + +#### BOGOFILTER_DIR +# +# directory for wordlists +# +#bogofilter_dir=~/.bogofilter +bogofilter_dir=/var/spool/bogofilter + +#### name/location of user config file +# +#user_config_file=~/.bogofilter.cf +##user_config_file=~/.bogofilterrc +user_config_file=~/.bogofilter/config + +#### TRANSACTIONS: enable/disable database transactions +# +# boolean indicating whether transactions +# should be enabled (yes) or disabled (no) +# +db_transaction=no # default +##db_transaction=yes # (alternate) + +#### WORDLIST: define additional word lists +# +# char type: 'r' (regular) or 'i' (ignore) +# char *name: name of list, e.g. "system", "user", "ignore" +# char *path: absolute path to file or +# file name (relative to bogofilter_dir) +# int order - once found, skip higher numbered lists +# +##wordlist i,ignore,~/ignorelist.db,1 +##wordlist r,wordlist,~/wordlist.db,2 + +#### SPAM_HEADER_NAME +# +# used in reporting spamicity and +# in removing already existing headers +# +spam_header_name=X-Bogosity + +#### SPAM_HEADER_PLACE +# +# used in placing the SPAM_HEADER_NAME line +# +#spam_header_place=DomainKey-Signature + +#### SPAM_SUBJECT_TAG +# +# tag added to "Subject: " line for identifying spam or unsure +# default is to add nothing. +# +##spam_subject_tag=***SPAM*** +##unsure_subject_tag=???UNSURE??? 
+ +#### STATS_IN_HEADER +# +# non-zero (default): put spamicity info in message header +# zero: put spamicity info in message body +# can use "bool" values of True, False, Yes, No, 1, or 0 +# +stats_in_header=Yes # default +##stats_in_header=No # (alternate) + +#### DB_CACHESIZE +# +# non-zero: set this as DB cache size (in Mbytes) +# zero: use DB default cache size (.25 Mbyte in 4.0.14) +# +# note that Berkeley DB increases any buffer size below 500 MB +# by 25%! +# This helps most when doing massive changes to the data base that +# involve a lot of overwrites, such as registering mail boxes, +# whereas it is mostly a waste of memory for read-only +# applications such as scoring. +# WARNING: If you set this too large, bogofilter will fail. +# +db_cachesize=0 # default +##db_cachesize=16 # (alternate) + +#### DB_LOG_AUTOREMOVE +# +# boolean indicating whether auto-removing of +# logs should be enabled (yes) or disabled (no) +# +#db_log_autoremove=yes # default +##db_log_autoremove=no # (alternate) + +#### TIMESTAMP +# +# enables or disables token timestamps +# +timestamp=Yes + +#### Format of spamicity output +# +# for two-state output the third entry is not needed and not used +# +spamicity_tags = Spam, Ham, Unsure +spamicity_formats = %0.6f, %0.6f, %0.6f +# +##spamicity_tags = Yes, No, Unsure +##spamicity_formats = %0.6f, %0.6f, %0.6f + +#### Format of SPAM_HEADER +# +# formatting characters: +# +# h - spam_header_name, e.g. "X-Bogosity" +# +# c - classification, e.g. Yes/No, Spam/Ham/Unsure, +/-/? +# +# D - date, fixed ISO-8601 format for Universal Time ("GMT") +# +# e - spamicity as 'e' format +# f - spamicity as 'f' format +# g - spamicity as 'g' format +# +# A - IP address (from first Received: statement having one) +# Not guaranteed to be the originating address of the message. +# I - Message ID +# Q - Queue ID (from first id tag found in Received: headers) +# +# l - logging tag (from '-l' option) +# +# o - spam_cutoff, ex. 
cutoff=%o +# +# p - spamicity value +# d - if ham or unsure, the spamicity +# if spam, difference of spamicity from 1.0 +# +# r - runtype +# w - word count +# m - message count +# +# u - username - this will either be the login from getlogin(), +# if that is empty, the pw_name obtained from +# the password database, or the user id +# prefixed by #, for instance, #1003 +# +# v - version +# +# customizable messages: +# +# header_format - the "X-Bogosity" line that '-p' adds to +# the message header and '-v' outputs. +# terse_format - an abbreviated form of header_format; +# selected by command line option '-t' +# log_header_format - written to syslog by '-u' option +# when classifying messages. +# log_update_format - written to syslog by '-u' option +# when registering messages. +# +# +header_format = %h: %c, tests=bogofilter, spamicity=%p, version=%v +terse_format = %1.1c %f +#log_header_format = %h: %c, spamicity=%p, version=%v +#log_update_format = register-%r, %w words, %m messages +##log_header_format = %h: %c, spamicity=%f, ipaddr=%A, queueID=%Q, msgID=%I, version=%v + +#### TERSE +# +# if enabled, format the X-Bogosity using the 'terse_format' specificaton. +# +terse=no # default +##terse=yes # (alternate) + + +########### Tokenizer Settings ###################################### + +#### BLOCK ON SUBNETS +# +# convert IPADDRs into a special token, url:1.2.3.4, +# and also return url:1.2.3, url:1.2, and url:1 +# to allow identifying spammers by ip address / subnets. +# +#block_on_subnets=no + +#### CHARSET handling +# +# specify default charset +# +charset_default=iso-8859-1 # default +#charset_default=us-ascii # (alternate) +##charset_default=cp866 # for Russian + +#### REPLACE_NONASCII_CHARACTERS +# +# replace non-7bit chars with '?' 
+# +#replace_nonascii_characters=N # default +##replace_nonascii_characters=Y # (alternate) + +#### UNICODE handling +# +# boolean indicating whether raw storage (no) or unicode (yes) +# is the default encoding for the wordlist +# +#unicode=yes # default +##unicode=no # (alternate) + +#### lexer parameters +# +# minimum and maximum lengths for single tokens +# +#min-token-len=3 # default +#max-token-len=30 # default +# +# count and length for multi-word tokens +# Note: if length not specified, defaults to +# multi-token-count * max-token-len (approx) +# +#multi-token-count=1 # default +#max-multi-token-len=0 # default + +########### Classification Constants Settings ####################### +# +# See man page for a more detailled description of the parameters. + +#### MINIMUM DEVIATION +# +# if token spamicity closer to EVEN_ODDS (0.5) +# than MIN_DEV, don't use the word in the +# spamicity calculation +# +#min_dev=0.375 # default + +#### Robinson Constants +# +# floating point values for +# Robinson S and X coefficients. +# +#robs=0.0178 # default +#robx=0.52 # default + +#### CUTOFF Values +# +# both ham_cutoff and spam_cutoff are allowed. +# setting ham_cutoff to a non-zero value will +# enable tri-state results (Spam/Ham/Unsure). +# +#ham_cutoff = 0.45 # default +#spam_cutoff= 0.99 # default +# +# for two-state classification: +# +##ham_cutoff = 0.00 # default +##spam_cutoff = 0.99 # default + +#### Effective Size Factor Values +# +#ns_esf = 1.000 # default +#sp_esf = 1.000 # default + +#### Auto-update threshold +# +# Skip autoupdating if the spamicity is within this value +# of 0.000000 (surely ham) or 1.000000 (surely spam). +# +## thresh_update=0.01 # (optional) + +#### token count parameters +# +# coerce the number of tokens used to score a message +# Note: zero means no coercing +# +##token_count=0 # default +##token_count_min=0 # default +##token_count_max=0 # default 
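Review bot: bogofilter.cf is the upstream sample configuration copied in full, and the site-specific settings (bogofilter_dir, user_config_file, db_transaction, spam_header_name, timestamp, spamicity_tags/formats, header_format) cannot be told apart from untouched defaults, especially where an active line keeps the `# default` suffix such as `db_transaction=no # default` or `stats_in_header=Yes # default`. A short header under the `$Id` line listing the local overrides, e.g. `# Local changes: bogofilter_dir, user_config_file, db_transaction, timestamp, header_format`, would make the next merge against a newer upstream sample much safer. With `db_transaction=no` a crash during registration presumably leaves wordlist.db without rollback; if that trade-off is deliberate, a one-line comment saying so belongs next to it.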
diff --git a/server/setup/05-service-settings/etc/dovecot/conf.d.diff b/server/setup/05-service-settings/etc/dovecot/conf.d.diff new file mode 100644 index 0000000..2e617cf --- /dev/null +++ b/server/setup/05-service-settings/etc/dovecot/conf.d.diff 
@@ -0,0 +1,355 @@ +diff -Nur conf.d.orig/10-auth.conf conf.d/10-auth.conf +--- conf.d.orig/10-auth.conf 2013-02-05 02:03:27.000000000 +0100 ++++ conf.d/10-auth.conf 2013-06-05 22:38:44.722493000 +0200 +@@ -6,20 +6,20 @@ + # SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP + # matches the local IP (ie. you're connecting from the same computer), the + # connection is considered secure and plaintext authentication is allowed. +-#disable_plaintext_auth = yes ++disable_plaintext_auth = yes + + # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that + # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used. +-#auth_cache_size = 0 ++auth_cache_size = 10M + # Time to live for cached data. After TTL expires the cached record is no + # longer used, *except* if the main database lookup returns internal failure. + # We also try to handle password changes automatically: If user's previous + # authentication was successful, but this one wasn't, the cache isn't used. + # For now this works only with plaintext authentication. +-#auth_cache_ttl = 1 hour ++auth_cache_ttl = 1 hour + # TTL for negative hits (user not found, password mismatch). + # 0 disables caching them completely. +-#auth_cache_negative_ttl = 1 hour ++auth_cache_negative_ttl = 1 hour + + # Space separated list of realms for SASL authentication mechanisms that need + # them. You can leave it empty if you don't want to support multiple realms. +diff -Nur conf.d.orig/10-logging.conf conf.d/10-logging.conf +--- conf.d.orig/10-logging.conf 2013-02-05 02:03:27.000000000 +0100 ++++ conf.d/10-logging.conf 2013-06-05 22:38:44.722879000 +0200 +@@ -5,6 +5,7 @@ + # Log file to use for error messages. "syslog" logs to syslog, + # /dev/stderr logs to stderr. + #log_path = syslog ++log_path = /var/log/dovecot.log + + # Log file to use for informational messages. Defaults to log_path. 
+ #info_log_path = +@@ -14,14 +15,14 @@ + # Syslog facility to use if you're logging to syslog. Usually if you don't + # want to use "mail", you'll use local0..local7. Also other standard + # facilities are supported. +-#syslog_facility = mail ++syslog_facility = mail + + ## + ## Logging verbosity and debugging. + ## + + # Log unsuccessful authentication attempts and the reasons why they failed. +-#auth_verbose = no ++auth_verbose = yes + + # In case of password mismatches, log the attempted password. Valid values are + # no, plain and sha1. sha1 can be useful for detecting brute force password +diff -Nur conf.d.orig/10-mail.conf conf.d/10-mail.conf +--- conf.d.orig/10-mail.conf 2013-02-05 02:03:27.000000000 +0100 ++++ conf.d/10-mail.conf 2013-06-05 22:44:18.646267000 +0200 +@@ -27,7 +27,10 @@ + # + # <doc/wiki/MailLocation.txt> + # +-mail_location = mbox:~/mail:INBOX=/var/mail/%u ++# mail_location = mbox:~/mail:INBOX=/var/mail/%u ++# mail_location = ++# mail_location = mbox:~/mail:INBOX=/var/mail/%u ++mail_location = mdbox:~/mdbox + + # If you need to set multiple mailbox locations or want to change default + # namespace settings, you can do it by defining namespace sections. +@@ -41,7 +44,7 @@ + # on filesystem level to do so. + namespace inbox { + # Namespace type: private, shared or public +- #type = private ++ type = private + + # Hierarchy separator to use. You should use the same separator for all + # namespaces or some clients get confused. '/' is usually a good one. +@@ -65,38 +68,51 @@ + # useful when converting from another server with different namespaces which + # you want to deprecate but still keep working. For example you can create + # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/". +- #hidden = no ++ hidden = no + + # Show the mailboxes under this namespace with LIST command. This makes the + # namespace visible for clients that don't support NAMESPACE extension. 
+ # "children" value lists child mailboxes, but hides the namespace prefix. +- #list = yes ++ list = yes + + # Namespace handles its own subscriptions. If set to "no", the parent + # namespace handles them (empty prefix should always have this as "yes") +- #subscriptions = yes ++ subscriptions = yes ++} ++ ++namespace local { ++ type = private ++ separator = / ++ prefix = Maildir/ ++ location = maildir:~/Maildir ++ inbox = no ++ hidden = no ++ list = yes ++ subscriptions = no + } + + # Example shared namespace configuration +-#namespace { +- #type = shared +- #separator = / ++namespace { ++ type = shared ++ separator = / + + # Mailboxes are visible under "shared/user@domain/" + # %%n, %%d and %%u are expanded to the destination user. +- #prefix = shared/%%u/ ++ prefix = shared/%%u/ + + # Mail location for other users' mailboxes. Note that %variables and ~/ + # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the + # destination user's data. + #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u ++ location = mdbox:%%h/mdbox/ + + # Use the default namespace for saving subscriptions. +- #subscriptions = no ++ subscriptions = no + + # List the shared/ namespace only if there are visible shared mailboxes. +- #list = children +-#} ++ list = children ++} ++ + # Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"? + #mail_shared_explicit_inbox = yes + +@@ -116,7 +132,7 @@ + # dangerous to set these if users can create symlinks (e.g. if "mail" group is + # set here, ln -s /var/mail ~/mail/var could allow a user to delete others' + # mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it). +-#mail_access_groups = ++mail_access_groups = mail + + # Allow full filesystem access to clients. There's no access checks other than + # what the operating system does for the active UID/GID. It works with both +@@ -194,14 +210,14 @@ + + # UNIX socket path to master authentication server to find users. 
+ # This is used by imap (for shared users) and lda. +-#auth_socket_path = /var/run/dovecot/auth-userdb ++auth_socket_path = /var/run/dovecot/auth-userdb + + # Directory where to look up mail plugins. + #mail_plugin_dir = /usr/lib/dovecot/modules + + # Space separated list of plugins to load for all services. Plugins specific to + # IMAP, LDA, etc. are added to this list in their own .conf files. +-#mail_plugins = ++mail_plugins = acl + + ## + ## Mailbox handling optimizations +diff -Nur conf.d.orig/10-master.conf conf.d/10-master.conf +--- conf.d.orig/10-master.conf 2013-02-05 02:03:27.000000000 +0100 ++++ conf.d/10-master.conf 2013-06-06 00:25:02.628967000 +0200 +@@ -17,10 +17,11 @@ + service imap-login { + inet_listener imap { + #port = 143 ++ port = 0 + } + inet_listener imaps { +- #port = 993 +- #ssl = yes ++ port = 993 ++ ssl = yes + } + + # Number of connections to handle before starting a new process. Typically +@@ -38,10 +39,11 @@ + service pop3-login { + inet_listener pop3 { + #port = 110 ++ port = 0 + } + inet_listener pop3s { +- #port = 995 +- #ssl = yes ++ port = 995 ++ ssl = yes + } + } + +@@ -62,6 +64,7 @@ + # Most of the memory goes to mmap()ing files. You may need to increase this + # limit if you have huge mailboxes. + #vsz_limit = $default_vsz_limit ++ vsz_limit = 2048M + + # Max. number of IMAP processes (connections) + #process_limit = 1024 +diff -Nur conf.d.orig/10-ssl.conf conf.d/10-ssl.conf +--- conf.d.orig/10-ssl.conf 2013-02-05 02:03:27.000000000 +0100 ++++ conf.d/10-ssl.conf 2013-06-06 00:30:58.227832000 +0200 +@@ -4,13 +4,16 @@ + + # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> + #ssl = yes ++ssl = required + + # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before + # dropping root privileges, so keep the key file unreadable by anyone but + # root. 
Included doc/mkcert.sh can be used to easily generate self-signed + # certificate, just make sure to update the domains in dovecot-openssl.cnf +-ssl_cert = </etc/dovecot/dovecot.pem +-ssl_key = </etc/dovecot/private/dovecot.pem ++#ssl_cert = </etc/dovecot/dovecot.pem ++#ssl_key = </etc/dovecot/private/dovecot.pem ++ssl_cert = </etc/ssl/local/jogamp2013-hostcert.pem ++ssl_key = </etc/ssl/local/jogamp2013-hostkey.mail.pem + + # If key file is password protected, give the password here. Alternatively + # give it when starting dovecot with -p parameter. Since this file is often +@@ -22,6 +25,7 @@ + # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) + # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) + #ssl_ca = ++ssl_ca = </etc/ssl/local/thawte-SSL123_CA_Bundle.pem + + # Require that CRL check succeeds for client certificates. + #ssl_require_crl = yes +diff -Nur conf.d.orig/15-lda.conf conf.d/15-lda.conf +--- conf.d.orig/15-lda.conf 2013-02-05 02:03:27.000000000 +0100 ++++ conf.d/15-lda.conf 2013-06-05 22:38:44.724403000 +0200 +@@ -37,12 +37,12 @@ + #lda_original_recipient_header = + + # Should saving a mail to a nonexistent mailbox automatically create it? +-#lda_mailbox_autocreate = no ++lda_mailbox_autocreate = yes + + # Should automatically created mailboxes be also automatically subscribed? +-#lda_mailbox_autosubscribe = no ++lda_mailbox_autosubscribe = yes + + protocol lda { + # Space separated list of plugins to load (default is global mail_plugins). +- #mail_plugins = $mail_plugins ++ mail_plugins = $mail_plugins sieve + } +diff -Nur conf.d.orig/20-imap.conf conf.d/20-imap.conf +--- conf.d.orig/20-imap.conf 2013-02-05 02:03:27.000000000 +0100 ++++ conf.d/20-imap.conf 2013-06-05 22:38:44.724715000 +0200 +@@ -14,6 +14,7 @@ + + # Space separated list of plugins to load (default is global mail_plugins). 
+ #mail_plugins = $mail_plugins ++ mail_plugins = $mail_plugins imap_acl + + # IMAP logout format string: + # %i - total number of bytes read from client +diff -Nur conf.d.orig/20-lmtp.conf conf.d/20-lmtp.conf +--- conf.d.orig/20-lmtp.conf 2013-02-05 02:03:27.000000000 +0100 ++++ conf.d/20-lmtp.conf 2013-06-05 22:38:44.725026000 +0200 +@@ -12,5 +12,5 @@ + + protocol lmtp { + # Space separated list of plugins to load (default is global mail_plugins). +- #mail_plugins = $mail_plugins ++ mail_plugins = $mail_plugins sieve + } +diff -Nur conf.d.orig/20-managesieve.conf conf.d/20-managesieve.conf +--- conf.d.orig/20-managesieve.conf 2013-02-05 02:03:27.000000000 +0100 ++++ conf.d/20-managesieve.conf 2013-06-06 01:10:53.662647000 +0200 +@@ -4,7 +4,7 @@ + + # Service definitions + +-#service managesieve-login { ++service managesieve-login { + #inet_listener sieve { + # port = 4190 + #} +@@ -23,16 +23,16 @@ + + # If you set service_count=0, you probably need to grow this. + #vsz_limit = 64M +-#} ++} + +-#service managesieve { ++service managesieve { + # Max. number of ManageSieve processes (connections) + #process_count = 1024 +-#} ++} + + # Service configuration + +-#protocol sieve { ++protocol sieve { + # Maximum ManageSieve command line length in bytes. ManageSieve usually does + # not involve overly long command lines, so this setting will not normally + # need adjustment +@@ -70,4 +70,4 @@ + + # Refer to 90-sieve.conf for script quota configuration and configuration of + # Sieve execution limits. +-#} ++} +diff -Nur conf.d.orig/90-acl.conf conf.d/90-acl.conf +--- conf.d.orig/90-acl.conf 2013-02-05 02:03:27.000000000 +0100 ++++ conf.d/90-acl.conf 2013-06-05 23:41:19.326258000 +0200 +@@ -9,7 +9,7 @@ + # specifies how many seconds to wait between stat()ing dovecot-acl file + # to see if it changed. 
+ plugin { +- #acl = vfile:/etc/dovecot/global-acls:cache_secs=300 ++ acl = vfile:/etc/dovecot/global-acls:cache_secs=300 + } + + # To let users LIST mailboxes shared by other users, Dovecot needs a +diff -Nur conf.d.orig/90-sieve.conf conf.d/90-sieve.conf +--- conf.d.orig/90-sieve.conf 2013-02-05 02:03:27.000000000 +0100 ++++ conf.d/90-sieve.conf 2013-06-05 22:38:44.726032000 +0200 +@@ -17,6 +17,7 @@ + # --> See sieve_before fore executing scripts before the user's personal + # script. + #sieve_default = /var/lib/dovecot/sieve/default.sieve ++ sieve_default = /var/lib/dovecot/sieve/global/default.sieve + + # Directory for :personal include scripts for the include extension. This + # is also where the ManageSieve service stores the user's scripts. +@@ -24,6 +25,7 @@ + + # Directory for :global include scripts for the include extension. + #sieve_global_dir = ++ sieve_global_dir = /var/lib/dovecot/sieve/global/ + + # Path to a script file or a directory containing script files that need to be + # executed before the user's script. If the path points to a directory, all +@@ -34,6 +36,7 @@ + #sieve_before = + #sieve_before2 = + #sieve_before3 = (etc...) ++ sieve_before = /var/lib/dovecot/sieve/prologue.sieve + + # Identical to sieve_before, only the specified scripts are executed after the + # user's script (only when keep is still in effect!). Multiple script file or diff --git a/server/setup/05-service-settings/etc/dovecot/dovecot.conf.diff b/server/setup/05-service-settings/etc/dovecot/dovecot.conf.diff new file mode 100644 index 0000000..d37ff28 --- /dev/null +++ b/server/setup/05-service-settings/etc/dovecot/dovecot.conf.diff 
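Review bot: In the 10-mail.conf part of conf.d.diff, `mail_access_groups = mail` is enabled directly beneath the shipped warning that this is dangerous when users can create symlinks, and the README in this commit creates exactly such shell accounts with useradd and runs dsync as those users, so the symlink scenario the comment describes applies here. Since mail_location is moved to `mdbox:~/mdbox`, the mail group is presumably needed only while the old INBOX is migrated out of /var/mail; I would remove the line once migration is done or document why it must stay, e.g. `# needed only while dsync migrates /var/mail/%u; remove afterwards`. In the 10-ssl.conf part, the new key path jogamp2013-hostkey.mail.pem inherits the comment that the key must be readable by root only, and `ssl_ca` is pointed at a public CA bundle although the surrounding comment ties it to ssl_verify_client_cert, which this diff does not enable, so a comment stating the intended purpose (or dropping the line) would avoid a misleading setting.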
@@ -0,0 +1,19 @@ +--- dovecot.conf.orig 2013-02-05 02:03:27.000000000 +0100 ++++ dovecot.conf 2013-06-05 22:36:52.290033000 +0200 +@@ -18,6 +18,7 @@ + + # Enable installed protocols + !include_try /usr/share/dovecot/protocols.d/*.protocol ++# protocols = imaps pop3s sieve lmtp + + # A comma separated list of IPs or hosts where to listen in for connections. + # "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces. +@@ -35,7 +36,7 @@ + #instance_name = dovecot + + # Greeting message for clients. +-#login_greeting = Dovecot ready. ++login_greeting = jogamp.org is ready. + + # Space separated list of trusted network ranges. Connections from these + # IPs are allowed to override their IP addresses and ports (for logging and diff --git a/server/setup/05-service-settings/etc/logrotate.conf b/server/setup/05-service-settings/etc/logrotate.conf new file mode 100644 index 0000000..3860fd4 --- /dev/null +++ b/server/setup/05-service-settings/etc/logrotate.conf @@ -0,0 +1,32 @@ +# see "man logrotate" for details +# rotate log files weekly +weekly + +# keep 48 weeks (a year) worth of backlogs +rotate 48 + +# create new (empty) log files after rotating old ones +create + +# uncomment this if you want your log files compressed +compress + +# packages drop log rotation information into this directory +include /etc/logrotate.d + +# no packages own wtmp, or btmp -- we'll rotate them here +/var/log/wtmp { + missingok + monthly + create 0664 root utmp + rotate 1 +} + +/var/log/btmp { + missingok + monthly + create 0660 root utmp + rotate 1 +} + +# system-specific logs may be configured here diff --git a/server/setup/05-service-settings/etc/logrotate.d/rsyslog b/server/setup/05-service-settings/etc/logrotate.d/rsyslog new file mode 100644 index 0000000..cb5d25f --- /dev/null +++ b/server/setup/05-service-settings/etc/logrotate.d/rsyslog 
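Review bot: The commented line `# protocols = imaps pop3s sieve lmtp` added after the `!include_try` would not do what it suggests if someone later uncommented it: in Dovecot 2.x the protocol names are `imap`, `pop3`, `lmtp` and `sieve`, and the TLS-only behaviour of this setup comes from the 10-master.conf changes (plaintext listener ports set to 0), not from the protocol list. I would delete the line or replace it with `# protocols come from protocols.d/*.protocol; SSL-only access is enforced in conf.d/10-master.conf and 10-ssl.conf`. The greeting change is fine as it stands.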
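Review bot: The comment `# keep 48 weeks (a year) worth of backlogs` above `rotate 48` in logrotate.conf does not match the value: 48 weekly rotations cover roughly eleven months, and the README in this commit also describes the setting as "48 weeks". Either correct the comment to `# keep 48 weeks (about 11 months) of backlogs` or use `rotate 52` if a full year of mail and firewall logs is the actual retention goal. `create` is given without a mode, so the rotated files presumably keep the original log's owner and mode; a short comment saying that this is intentional for the rsyslog-owned logs would help.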
@@ -0,0 +1,39 @@ +/var/log/syslog +{ + rotate 7 + daily + missingok + notifempty + delaycompress + compress + postrotate + invoke-rc.d rsyslog rotate > /dev/null + endscript +} + +/var/log/mail.info +/var/log/mail.warn +/var/log/mail.err +/var/log/mail.log +/var/log/daemon.log +/var/log/kern.log +/var/log/auth.log +/var/log/user.log +/var/log/lpr.log +/var/log/cron.log +/var/log/debug +/var/log/messages +/var/log/firewall +/var/log/dovecot.log +{ + rotate 4 + weekly + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + invoke-rc.d rsyslog rotate > /dev/null + endscript +} diff --git a/server/setup/05-service-settings/etc/mail/access b/server/setup/05-service-settings/etc/mail/access new file mode 100644 index 0000000..b5f0643 --- /dev/null +++ b/server/setup/05-service-settings/etc/mail/access 
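Review bot: `/var/log/dovecot.log` is added to the rsyslog stanza, but the conf.d diff in this commit sets dovecot's `log_path = /var/log/dovecot.log`, so dovecot writes that file itself and the `invoke-rc.d rsyslog rotate` postrotate does not make dovecot reopen it; after the first weekly rotation dovecot keeps writing to the renamed file, the fresh dovecot.log stays empty, and one cycle later the file dovecot is still writing to gets compressed. `/var/log/firewall` is fine in this stanza because, per the README, rsyslog rules populate it. Give dovecot.log its own stanza whose postrotate tells dovecot to reopen its logs (`doveadm log reopen` on Dovecot 2.x), and since `auth_verbose = yes` puts failed login names into that file, consider a restrictive `create` mode with the owner dovecot actually writes it as (not visible from this commit).
```conf
/var/log/dovecot.log
{
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        doveadm log reopen > /dev/null
    endscript
}
```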
@@ -0,0 +1,145 @@ +# /etc/mail/access +# Copyright (c) 1998,2004 Richard Nelson <[email protected]>. +# Time-stamp: <1998/10/27 10:00:00 cowboy> +# GPL'd config file, please feed any gripes, suggestions, etc. to me +# +# Function: +# Access Control for this smtp server - determines: +# * Who we accept mail from +# * Who we accept relaying from +# * Who we will not send to +# +# Usage: +# FEATURE(access_db[, type [-o] /etc/mail/access])dnl +# makemap hash access < access +# +# Format: +# lhs: +# email addr <user@[host.domain]> +# domain name unless FEATURE(relay_hosts_only) is used, +# then this is a fqdn - and relay-domains ($=R) +# must also be fqdns. +# network number must end on an octet boundary, or +# you're stuck going the longwinded way ;-{ +# rhs: +# OK accept mail even if other rules in the +# running ruleset would reject it. +# RELAY Allow domain to relay through your SMTP +# server. RELAY also serves an implicit +# OK for the other checks. +# REJECT reject the sender/recipient with a general +# purpose message that can be customized. +# confREJECT_MSG [550 Access denied] will be issued +# DISCARD discard the message completely using +# the $#discard mailer. 
+# ### any text where ### is an RFC 821 compliant error code +# and "any text" is a message to return for +# the command +# Examples: +# [email protected] REJECT +# FREE.STEALTH.MAILER@ 550 Spam not accepted +# +# Notes: +# With FEATURE(blacklist_recipients) this is also possible: +# badlocaluser 550 Mailbox disabled for this username +# host.mydomain.com 550 That host does not accept mail +# [email protected] 550 Mailbox disabled for this recipient +# +# Related: +# define(`confREJECT_MSG', `550 Access denied')dnl +# define(`confCR_FILE', `-o /etc/mail/relay-domains')dnl <<- $=R +# FEATURE(relay_hosts_only)dnl +# FEATURE(relay_entire_domain)dnl <<- relays any host in the $=m class +# FEATURE(relay_based_on_MX)dnl <<- relaying for boxes MX'd to you +# FEATURE(blacklist_recipients)dnl +# FEATURE(rbl[,alternate server])dnl +# FEATURE(orbs[,alternate server])dnl <<- Debian addition +# FEATURE(orca[,alternate server])dnl <<- Debian addition +# FEATURE(accept_unqualified_senders)dnl +# FEATURE(accept_unresolvable_domains)dnl +# +# Local addresses 10.x.x.x, 127.x.x.x, 172.16-31.x.x 192.168.x.x can relay +# Note Well! 
You *must* make sure these address can't be spoofed externally +# Note, outbound relaying is controlled by connection and/or auth +# If you're not firewalled, and you don't have a lan, comment these out +# If you're not firewalled, and you have a lan, get firewalled *NOW* +# GreetPause - delay to check for spammers +# Client Connection rate (and #) control +Connect:localhost RELAY +GreetPause:localhost 0 +ClientRate:localhost 0 +ClientConn:localhost 0 +#Connect:10 RELAY +#GreetPause:10 0 +#ClientRate:10 0 +#ClientConn:10 0 +Connect:127 RELAY +GreetPause:127 0 +ClientRate:127 0 +ClientConn:127 0 +Connect:IPv6:::1 RELAY +GreetPause:IPv6:::1 0 +ClientRate:IPv6:::1 0 +ClientConn:IPv6:::1 0 +#Connect:172.16 RELAY +#Connect:172.17 RELAY +#Connect:172.18 RELAY +#Connect:172.19 RELAY +#Connect:172.20 RELAY +#Connect:172.21 RELAY +#Connect:172.22 RELAY +#Connect:172.23 RELAY +#Connect:172.24 RELAY +#Connect:172.25 RELAY +#Connect:172.26 RELAY +#Connect:172.27 RELAY +#Connect:172.28 RELAY +#Connect:172.29 RELAY +#Connect:172.30 RELAY +#Connect:172.31 RELAY +#Connect:192.168 RELAY +#GreetPause:192.168 0 +#ClientRate:192.168 0 +#ClientConn:192.168 0 + +Connect:144.76.84.102 RELAY +Connect:2a01:4f8:192:1165::2 RELAY +GreetPause:144.76.84.102 0 +GreetPause:2a01:4f8:192:1165::2 0 + +# Defaults +GreetPause: 5000 +ClientRate: 10 +ClientConn: 10 +# +# Don't offer AUTH on local network +#SRV_Features:192.168.1 A +# +# Hosts with to allow relaying +# +# +# Hosts that validly forward to me +#GreetPause:<ip> 0 +#ClientRate:<ip> 30 +#ClientConn:<ip> 0 +# +# Whitelisted users +# +Spam:postmaster@ FRIEND +Spam:abuse@ FRIEND +Spam:spam@ FRIEND +# +# Blacklisted users +# +#Connect:rampellsoft.com 554 Email directly, not through didtheyreadit.com +reject@ REJECT +#cyberpromo.com REJECT +#From:[email protected] REJECT +# +# Block invalid IPs +# +#Connect:0 REJECT whilst invalid, this also blocks sendmail -bs -Am +Connect:169.254 REJECT +Connect:192.0.2 REJECT +Connect:224 REJECT +Connect:255 
REJECT diff --git a/server/setup/05-service-settings/etc/mail/local-host-names b/server/setup/05-service-settings/etc/mail/local-host-names new file mode 100644 index 0000000..5261b0b --- /dev/null +++ b/server/setup/05-service-settings/etc/mail/local-host-names @@ -0,0 +1,10 @@ +localhost +jausoft.com +mail.jausoft.com +mcp.jausoft.com +www.jausoft.com +www.jausoft.org +www.jausoft.net +jausoft.com +jausoft.org +jausoft.net diff --git a/server/setup/05-service-settings/etc/mail/mail.diff b/server/setup/05-service-settings/etc/mail/mail.diff new file mode 100644 index 0000000..f8d0331 --- /dev/null +++ b/server/setup/05-service-settings/etc/mail/mail.diff 
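Review bot: The four uncommented entries `Connect:144.76.84.102 RELAY`, `Connect:2a01:4f8:192:1165::2 RELAY` and their `GreetPause … 0` counterparts grant unconditional relaying to two addresses without saying whose they are, while the mail.diff later in this commit grants the same to 144.76.84.101 and 2a01:4f8:192:1164::2, which suggests a pair of servers relaying for each other. A comment above them naming the peer, e.g. `# peer MTA <HOSTNAME-PLACEHOLDER>: unconditional relay, keep in sync with the other host's access file`, keeps the next admin from deleting or widening them by accident. Because this file is only used through the access_db map, a reminder such as `# after editing: cd /etc/mail && make` near the local section would tie it to the rebuild step the README describes.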
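Review bot: `jausoft.com` is listed twice in local-host-names, once on the second line and again near the end next to `jausoft.org` and `jausoft.net`. A duplicate entry in $=w is harmless to sendmail, but it reads as if two different names were intended; drop one occurrence so the bare domains appear once as `jausoft.com`, `jausoft.org`, `jausoft.net`.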
@@ -0,0 +1,213 @@
+--- mail.orig/access 2013-06-05 13:30:08.812083000 +0200
++++ mail/access 2013-06-06 01:52:31.460642000 +0200
+@@ -101,6 +101,12 @@
+ #GreetPause:192.168 0
+ #ClientRate:192.168 0
+ #ClientConn:192.168 0
++
++Connect:144.76.84.101 RELAY
++Connect:2a01:4f8:192:1164::2 RELAY
++GreetPause:144.76.84.101 0
++GreetPause:2a01:4f8:192:1164::2 0
++
+ # Defaults
+ GreetPause: 5000
+ ClientRate: 10
+--- mail.orig/local-host-names 2013-06-05 13:30:08.803772000 +0200
++++ mail/local-host-names 2013-06-06 00:06:50.857480000 +0200
+@@ -1,2 +1,4 @@
+ localhost
++mail.jogamp.org
++www.jogamp.org
+ jogamp.org
+--- mail.orig/sendmail.mc 2013-06-05 13:30:07.254441000 +0200
++++ mail/sendmail.mc 2013-06-06 01:51:45.426125000 +0200
+@@ -40,6 +40,34 @@
+ undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS=
+ dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
+ dnl #
++
++dnl # default logging level is 9, you might want to set it higher to
++dnl # debug the configuration
++dnl #
++dnl define(`confLOG_LEVEL', `9')dnl
++dnl define(`confLOG_LEVEL', `22')dnl
++dnl #
++
++dnl #
++dnl # Uncomment and edit the following line if your outgoing mail needs to
++dnl # be sent out through an external mail server:
++dnl #
++dnl define(`SMART_HOST', `smtp.your.provider')dnl
++dnl define(`SMART_HOST', `smtp:mail.jogamp.org')dnl
++dnl define(`RELAY_MAILER_ARGS', `TCP $h 26')dnl
++dnl #
++define(`confDEF_USER_ID', ``8:12'')dnl
++dnl define(`confAUTO_REBUILD')dnl
++define(`confTO_CONNECT', `1m')dnl
++define(`confTO_COMMAND', `2m')dnl
++define(`confTRY_NULL_MX_LIST', `True')dnl
++define(`confDONT_PROBE_INTERFACES', `True')dnl
++define(`UUCP_MAILER_MAX', `2000000')dnl
++define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
++dnl #
++define(`ALIAS_FILE', `/etc/aliases')dnl
++define(`STATUS_FILE', `/var/log/mail/statistics')dnl
++
+ dnl # General defines
+ dnl #
+ dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot()
+ dnl # into this directory before writing files.
+ dnl # If *all* your user accounts are under /home then use that
+ dnl # instead - it will prevent any writes outside of /home !
+ dnl # define(`confSAFE_FILE_ENV', `')dnl
+ dnl #
+ dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!!
+@@ -52,15 +80,72 @@
+ dnl # Remove `, Addr=' clauses to receive from any interface
+ dnl # If you want to support IPv6, switch the commented/uncommentd lines
+ dnl #
++
+ FEATURE(`no_default_msa')dnl
+-dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
++
++DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
++DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=2a01:4f8:192:1164::2')dnl
+ DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl
+-dnl DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea, Addr=::1')dnl
++DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=144.76.84.101')dnl
++
++DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea, Addr=::1')dnl
+ DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, M=Ea, Addr=127.0.0.1')dnl
++
++DAEMON_OPTIONS(`Family=inet6, Name=TLSMTA-v6, Port=smtps, M=Eas, Addr=::1')dnl
++DAEMON_OPTIONS(`Family=inet6, Name=TLSMTA-v6, Port=smtps, M=Eas, Addr=2a01:4f8:192:1164::2')dnl
++DAEMON_OPTIONS(`Family=inet, Name=TLSMTA-v4, Port=smtps, M=Eas, Addr=127.0.0.1')dnl
++DAEMON_OPTIONS(`Family=inet, Name=TLSMTA-v4, Port=smtps, M=Eas, Addr=144.76.84.101')dnl
++
+ dnl #
+ dnl # Be somewhat anal in what we allow
+ define(`confPRIVACY_FLAGS',dnl
+ `needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
++dnl # define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,novrfy,noexpn,noetrn,noverb,restrictqrun')dnl
++
++dnl define(`confAUTH_OPTIONS', `A')dnl
++dnl #
++dnl # The following allows relaying if the user authenticates, and disallows
++dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
++dnl #
++dnl define(`confAUTH_OPTIONS', `A p')dnl
++define(`confAUTH_OPTIONS', `Apy')dnl
++dnl #
++dnl # PLAIN is the preferred plaintext authentication method and used by
++dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
++dnl # use LOGIN. Other mechanisms should be used if the connection is not
++dnl # guaranteed secure.
++dnl # Please remember that saslauthd needs to be running for AUTH.
++dnl #
++dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
++dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
++TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
++define(`confAUTH_MECHANISMS', `GSSAPI LOGIN PLAIN')dnl
++
++dnl #
++dnl # Rudimentary information on creating certificates for sendmail TLS:
++dnl # cd /usr/share/ssl/certs; make sendmail.pem
++dnl # Complete usage:
++dnl # make -C /usr/share/ssl/certs usage
++dnl #
++define(`confCACERT_PATH', `/etc/ssl/local')dnl
++dnl define(`confCACERT', `/etc/ssl/local/ca-my.crt')dnl
++dnl define(`confCRL', `/etc/ssl/local/ca-my.crl')dnl
++dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
++dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
++define(`confCACERT', `/etc/ssl/local/thawte-SSL123_CA_Bundle.pem')dnl
++define(`confSERVER_CERT', `/etc/ssl/local/jogamp2013-hostcert.pem')dnl
++define(`confSERVER_KEY', `/etc/ssl/local/jogamp2013-hostkey.mail.pem')dnl
++define(`confCLIENT_CERT', `/etc/ssl/local/jogamp2013-hostcert.pem')dnl
++define(`confCLIENT_KEY', `/etc/ssl/local/jogamp2013-hostcert.pem')dnl
++dnl #
++dnl define(`confTO_QUEUEWARN', `4h')dnl
++dnl define(`confTO_QUEUERETURN', `5d')dnl
++dnl define(`confQUEUE_LA', `12')dnl
++dnl define(`confREFUSE_LA', `18')dnl
++define(`confQUEUE_LA', `12')dnl
++define(`confREFUSE_LA', `18')dnl
++define(`confTO_IDENT', `0')dnl
++
+ dnl #
+ dnl # Define connection throttling and window length
+ define(`confCONNECTION_RATE_THROTTLE', `15')dnl
+@@ -68,15 +153,43 @@
+ dnl #
+ dnl # Features
+ dnl #
++
++dnl FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
++FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
++FEATURE(redirect)dnl
++FEATURE(always_add_domain)dnl
++dnl # Masquerading options
++MASQUERADE_AS(`jogamp.org')dnl
++dnl FEATURE(`allmasquerade')dnl
++FEATURE(`masquerade_envelope')dnl
++FEATURE(`masquerade_entire_domain')dnl
++
+ dnl # use /etc/mail/local-host-names
+ FEATURE(`use_cw_file')dnl
++dnl
++dnl # use /etc/mail/trusted-users
++dnl
++FEATURE(use_ct_file)dnl
++dnl #
++
++# define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
++# FEATURE(local_procmail, `', `/usr/bin/procmail -t -Y -a $h -d $u')dnl
++dnl #
++dnl # dovecot
++dnl #
++dnl FEATURE(local_procmail, `/usr/lib/dovecot/dovecot-lda', `/usr/lib/dovecot/dovecot-lda -d $u')dnl
++dnl MODIFY_MAILER_FLAGS(`LOCAL', `-f')dnl
++
+ dnl #
+ dnl # The access db is the basis for most of sendmail's checking
+-FEATURE(`access_db', , `skip')dnl
++dnl # FEATURE(`access_db', , `skip')dnl
++FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
+ dnl #
+ dnl # The greet_pause feature stops some automail bots - but check the
+ dnl # provided access db for details on excluding localhosts...
+-FEATURE(`greet_pause', `1000')dnl 1 seconds
++dnl # configured in file: access
++dnl FEATURE(`greet_pause', `1000')dnl 1 seconds
++FEATURE(`blacklist_recipients')dnl
+ dnl #
+ dnl # Delay_checks allows sender<->recipient checking
+ FEATURE(`delay_checks', `friend', `n')dnl
+@@ -97,8 +210,16 @@
+ include(`/etc/mail/m4/dialup.m4')dnl
+ include(`/etc/mail/m4/provider.m4')dnl
+ dnl #
++dnl # The following example makes mail from this host and any additional
++dnl # specified domains appear to be sent from mydomain.com
++dnl #
+ dnl # Default Mailer setup
+ MAILER_DEFINITIONS
+ MAILER(`local')dnl
+ MAILER(`smtp')dnl
++MAILER(`procmail')dnl
+ 
++dnl define(`FAX_MAILER_PATH',`/usr/bin/faxmail')dnl
++dnl define(`FAX_MAILER_ARGS',`faxmail -d -n -t done -R -s a4 -p 12pt $u@$h $f')dnl
++dnl define(`FAX_MAILER_MAX',`100000000')dnl
++dnl MAILER(`fax')dnl
+--- mail.orig/submit.mc 2013-06-05 13:30:07.256640000 +0200
++++ mail/submit.mc 2013-06-06 00:05:36.459064992 +0200
+@@ -44,6 +44,7 @@
+ dnl MASQUERADE_AS()dnl
+ dnl FEATURE(`masquerade_envelope')dnl
+ dnl #
++FEATURE(`use_ct_file')dnl
+ dnl #---------------------------------------------------------------------
+ dnl # The real reason we're here: the FEATURE(msp)
+ dnl # NOTE WELL: MSA (587) should have M=Ea, so we need to use stock 25
+--- mail.orig/virtusertable 1970-01-01 01:00:00.000000000 +0100
++++ mail/virtusertable 2013-06-06 02:02:58.162920000 +0200
+@@ -0,0 +1,3 @@ [email protected] mediastream
++ [email protected] nirvana
diff --git a/server/setup/05-service-settings/etc/mail/sendmail.mc b/server/setup/05-service-settings/etc/mail/sendmail.mc
new file mode 100644
index 0000000..32ec569
--- /dev/null
+++ b/server/setup/05-service-settings/etc/mail/sendmail.mc
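Review bot: In the sendmail.mc part of this patch, `confCLIENT_KEY` is pointed at the certificate file (`/etc/ssl/local/jogamp2013-hostcert.pem`) while `confSERVER_KEY` two lines above correctly uses `jogamp2013-hostkey.mail.pem`; sendmail cannot load a private key from a certificate, so the client certificate configured for outbound STARTTLS is unusable and will presumably produce a key/cert warning in the mail log. The intended line is most likely `define(`confCLIENT_KEY', `/etc/ssl/local/jogamp2013-hostkey.mail.pem')dnl`. Also `TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')` trusts two mechanisms that `confAUTH_MECHANISMS` (`GSSAPI LOGIN PLAIN`) never offers; this is harmless, but trimming the trusted list to the offered set documents what is actually accepted as grounds for relaying. The stored patch's virtusertable hunk has been mangled by address redaction (a `+++`/`++` marker is missing), so it will not apply as committed.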
@@ -0,0 +1,228 @@
+divert(-1)dnl
+#-----------------------------------------------------------------------------
+# $Sendmail: debproto.mc,v 8.14.4 2013-02-11 11:12:33 cowboy Exp $
+#
+# Copyright (c) 1998-2010 Richard Nelson. All Rights Reserved.
+#
+# cf/debian/sendmail.mc. Generated from sendmail.mc.in by configure.
+#
+# sendmail.mc prototype config file for building Sendmail 8.14.4
+#
+# Note: the .in file supports 8.7.6 - 9.0.0, but the generated
+# file is customized to the version noted above.
+#
+# This file is used to configure Sendmail for use with Debian systems.
+#
+# If you modify this file, you will have to regenerate /etc/mail/sendmail.cf
+# by running this file through the m4 preprocessor via one of the following:
+# * make (or make -C /etc/mail)
+# * sendmailconfig
+# * m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
+# The first two options are preferred as they will also update other files
+# that depend upon the contents of this file.
+#
+# The best documentation for this .mc file is:
+# /usr/share/doc/sendmail-doc/cf.README.gz
+#
+#-----------------------------------------------------------------------------
+divert(0)dnl
+#
+# Copyright (c) 1998-2005 Richard Nelson. All Rights Reserved.
+#
+# This file is used to configure Sendmail for use with Debian systems.
+#
+define(`_USE_ETC_MAIL_')dnl
+include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
+VERSIONID(`$Id: sendmail.mc, v 8.14.4-4 2013-02-11 11:12:33 cowboy Exp $')
+OSTYPE(`debian')dnl
+DOMAIN(`debian-mta')dnl
+dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
+undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS=
+dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
+dnl #
+
+dnl # default logging level is 9, you might want to set it higher to
+dnl # debug the configuration
+dnl #
+dnl define(`confLOG_LEVEL', `9')dnl
+dnl define(`confLOG_LEVEL', `22')dnl
+dnl #
+
+dnl #
+dnl # Uncomment and edit the following line if your outgoing mail needs to
+dnl # be sent out through an external mail server:
+dnl #
+dnl define(`SMART_HOST', `smtp.your.provider')dnl
+dnl define(`SMART_HOST', `smtp:mail.jausoft.com')dnl
+dnl define(`RELAY_MAILER_ARGS', `TCP $h 26')dnl
+dnl #
+define(`confDEF_USER_ID', ``8:12'')dnl
+dnl define(`confAUTO_REBUILD')dnl
+define(`confTO_CONNECT', `1m')dnl
+define(`confTO_COMMAND', `2m')dnl
+define(`confTRY_NULL_MX_LIST', `True')dnl
+define(`confDONT_PROBE_INTERFACES', `True')dnl
+define(`UUCP_MAILER_MAX', `2000000')dnl
+define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
+dnl #
+define(`ALIAS_FILE', `/etc/aliases')dnl
+define(`STATUS_FILE', `/var/log/mail/statistics')dnl
+
+dnl # General defines
+dnl #
+dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot()
+dnl # into this directory before writing files.
+dnl # If *all* your user accounts are under /home then use that
+dnl # instead - it will prevent any writes outside of /home !
+dnl # define(`confSAFE_FILE_ENV', `')dnl
+dnl #
+dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!!
+dnl # Remove `, Addr=' clauses to receive from any interface
+dnl # If you want to support IPv6, switch the commented/uncommentd lines
+dnl #
+
+FEATURE(`no_default_msa')dnl
+
+DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
+DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=2a01:4f8:192:1165::2')dnl
+DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl
+DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=144.76.84.102')dnl
+
+DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, M=Ea, Addr=::1')dnl
+DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, M=Ea, Addr=127.0.0.1')dnl
+
+DAEMON_OPTIONS(`Family=inet6, Name=TLSMTA-v6, Port=smtps, M=Eas, Addr=::1')dnl
+DAEMON_OPTIONS(`Family=inet6, Name=TLSMTA-v6, Port=smtps, M=Eas, Addr=2a01:4f8:192:1165::2')dnl
+DAEMON_OPTIONS(`Family=inet, Name=TLSMTA-v4, Port=smtps, M=Eas, Addr=127.0.0.1')dnl
+DAEMON_OPTIONS(`Family=inet, Name=TLSMTA-v4, Port=smtps, M=Eas, Addr=144.76.84.102')dnl
+
+dnl #
+dnl # Be somewhat anal in what we allow
+define(`confPRIVACY_FLAGS',dnl
+`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
+dnl # define(`confPRIVACY_FLAGS', `authwarnings,needmailhelo,novrfy,noexpn,noetrn,noverb,restrictqrun')dnl
+
+dnl define(`confAUTH_OPTIONS', `A')dnl
+dnl #
+dnl # The following allows relaying if the user authenticates, and disallows
+dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
+dnl #
+dnl define(`confAUTH_OPTIONS', `A p')dnl
+define(`confAUTH_OPTIONS', `Apy')dnl
+dnl #
+dnl # PLAIN is the preferred plaintext authentication method and used by
+dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
+dnl # use LOGIN. Other mechanisms should be used if the connection is not
+dnl # guaranteed secure.
+dnl # Please remember that saslauthd needs to be running for AUTH.
+dnl #
+dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+define(`confAUTH_MECHANISMS', `GSSAPI LOGIN PLAIN')dnl
+
+dnl #
+dnl # Rudimentary information on creating certificates for sendmail TLS:
+dnl # cd /usr/share/ssl/certs; make sendmail.pem
+dnl # Complete usage:
+dnl # make -C /usr/share/ssl/certs usage
+dnl #
+define(`confCACERT_PATH', `/etc/ssl/local')dnl
+dnl define(`confCACERT', `/etc/ssl/local/ca-my.crt')dnl
+dnl define(`confCRL', `/etc/ssl/local/ca-my.crl')dnl
+dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
+dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confCACERT', `/etc/ssl/local/thawte-SSL123_CA_Bundle.pem')dnl
+define(`confSERVER_CERT', `/etc/ssl/local/jausoft2013-hostcert.pem')dnl
+define(`confSERVER_KEY', `/etc/ssl/local/jausoft2013-hostkey.mail.pem')dnl
+define(`confCLIENT_CERT', `/etc/ssl/local/jausoft2013-hostcert.pem')dnl
+define(`confCLIENT_KEY', `/etc/ssl/local/jausoft2013-hostcert.pem')dnl
+dnl #
+dnl define(`confTO_QUEUEWARN', `4h')dnl
+dnl define(`confTO_QUEUERETURN', `5d')dnl
+dnl define(`confQUEUE_LA', `12')dnl
+dnl define(`confREFUSE_LA', `18')dnl
+define(`confQUEUE_LA', `12')dnl
+define(`confREFUSE_LA', `18')dnl
+define(`confTO_IDENT', `0')dnl
+
+dnl #
+dnl # Define connection thrott​ling and window length
+define(`confCONNECTION_RATE_THROTTLE', `15')dnl
+define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
+dnl #
+dnl # Features
+dnl #
+
+dnl FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
+FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
+FEATURE(redirect)dnl
+FEATURE(always_add_domain)dnl
+dnl # Masquerading options
+MASQUERADE_AS(`jausoft.com')dnl
+dnl MASQUERADE_AS(`jausoft.net')dnl
+dnl MASQUERADE_DOMAIN(`jordan.goethel.localnet')dnl
+dnl MASQUERADE_DOMAIN(`goethel.localnet')dnl
+dnl FEATURE(`allmasquerade')dnl
+FEATURE(`masquerade_envelope')dnl
+FEATURE(`masquerade_entire_domain')dnl
+
+dnl # use /etc/mail/local-host-names
+FEATURE(`use_cw_file')dnl
+dnl
+dnl # use /etc/mail/trusted-users
+dnl
+FEATURE(use_ct_file)dnl
+dnl #
+
+# define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
+# FEATURE(local_procmail, `', `/usr/bin/procmail -t -Y -a $h -d $u')dnl
+dnl #
+dnl # dovecot
+dnl #
+dnl FEATURE(local_procmail, `/usr/lib/dovecot/dovecot-lda', `/usr/lib/dovecot/dovecot-lda -d $u')dnl
+dnl MODIFY_MAILER_FLAGS(`LOCAL', `-f')dnl
+
+dnl #
+dnl # The access db is the basis for most of sendmail's checking
+dnl # FEATURE(`access_db', , `skip')dnl
+FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
+dnl #
+dnl # The greet_pause feature stops some automail bots - but check the
+dnl # provided access db for details on excluding localhosts...
+dnl # configured in file: access
+dnl FEATURE(`greet_pause', `1000')dnl 1 seconds
+FEATURE(`blacklist_recipients')dnl
+dnl #
+dnl # Delay_checks allows sender<->recipient checking
+FEATURE(`delay_checks', `friend', `n')dnl
+dnl #
+dnl # If we get too many bad recipients, slow things down...
+define(`confBAD_RCPT_THROTTLE',`3')dnl
+dnl #
+dnl # Stop connections that overflow our concurrent and time connection rates
+FEATURE(`conncontrol', `nodelay', `terminate')dnl
+FEATURE(`ratecontrol', `nodelay', `terminate')dnl
+dnl #
+dnl # If you're on a dialup link, you should enable this - so sendmail
+dnl # will not bring up the link (it will queue mail for later)
+dnl define(`confCON_EXPENSIVE',`True')dnl
+dnl #
+dnl # Dialup/LAN connection overrides
+dnl #
+include(`/etc/mail/m4/dialup.m4')dnl
+include(`/etc/mail/m4/provider.m4')dnl
+dnl #
+dnl # The following example makes mail from this host and any additional
+dnl # specified domains appear to be sent from mydomain.com
+dnl #
+dnl # Default Mailer setup
+MAILER_DEFINITIONS
+MAILER(`local')dnl
+MAILER(`smtp')dnl
+MAILER(`procmail')dnl
+
+dnl define(`FAX_MAILER_PATH',`/usr/bin/faxmail')dnl
+dnl define(`FAX_MAILER_ARGS',`faxmail -d -n -t done -R -s a4 -p 12pt $u@$h $f')dnl
+dnl define(`FAX_MAILER_MAX',`100000000')dnl
+dnl MAILER(`fax')dnl
diff --git a/server/setup/05-service-settings/etc/mail/submit.mc b/server/setup/05-service-settings/etc/mail/submit.mc
new file mode 100644
index 0000000..a304f44
--- /dev/null
+++ b/server/setup/05-service-settings/etc/mail/submit.mc
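Review bot: `confCLIENT_KEY` is set to `/etc/ssl/local/jausoft2013-hostcert.pem`, the certificate, whereas `confSERVER_KEY` uses `jausoft2013-hostkey.mail.pem`; sendmail cannot load a private key from a certificate file, so the client certificate for outbound STARTTLS is unusable (expect a key/cert mismatch warning in the mail log) and the line should presumably read `define(`confCLIENT_KEY', `/etc/ssl/local/jausoft2013-hostkey.mail.pem')dnl`. Separately, the live `confPRIVACY_FLAGS` still permits VRFY and EXPN (`needvrfyhelo`/`needexpnhelo` only demand a HELO first), which on the public 144.76.84.102 and 2a01:4f8:192:1165::2 listeners lets any client enumerate local accounts; the commented-out variant on the next line already carries `novrfy,noexpn`, so adding those two flags (or `goaway`) to the active definition is a one-line hardening. `TRUST_AUTH_MECH` also trusts DIGEST-MD5 and CRAM-MD5 that `confAUTH_MECHANISMS` (`GSSAPI LOGIN PLAIN`) never offers — harmless, but trimming it to the offered set documents what is really accepted for relaying.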
@@ -0,0 +1,58 @@
+divert(-1)dnl
+#-----------------------------------------------------------------------------
+# $Sendmail: submit.mc,v 8.14.4 2013-02-11 11:12:33 cowboy Exp $
+#
+# Copyright (c) 2000-2010 Richard Nelson. All Rights Reserved.
+#
+# cf/debian/submit.mc. Generated from submit.mc.in by configure.
+#
+# submit.mc prototype config file for building Sendmail 8.14.4
+#
+# Note: the .in file supports 8.7.6 - 9.0.0, but the generated
+# file is customized to the version noted above.
+#
+# This file is used to configure Sendmail for use with Debian systems.
+#
+# If you modify this file, you will have to regenerate /etc/mail/submit.cf
+# by running this file through the m4 preprocessor via one of the following:
+# * make (or make -C /etc/mail)
+# * sendmailconfig
+# * m4 /etc/mail/submit.mc > /etc/mail/submit.cf
+# The first two options are preferred as they will also update other files
+# that depend upon the contents of this file.
+#
+# The best documentation for this .mc file is:
+# /usr/share/doc/sendmail-doc/cf.README.gz
+#
+#-----------------------------------------------------------------------------
+divert(0)dnl
+#
+# Copyright (c) 2000-2002 Richard Nelson. All Rights Reserved.
+#
+# This file is used to configure Sendmail for use with Debian systems.
+#
+define(`_USE_ETC_MAIL_')dnl
+include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
+VERSIONID(`$Id: submit.mc, v 8.14.4-4 2013-02-11 11:12:33 cowboy Exp $')
+OSTYPE(`debian')dnl
+DOMAIN(`debian-msp')dnl
+dnl #
+dnl #---------------------------------------------------------------------
+dnl # Masquerading information, if needed, should go here
+dnl # You likely will not need this, as the MTA will do it
+dnl #---------------------------------------------------------------------
+dnl MASQUERADE_AS()dnl
+dnl FEATURE(`masquerade_envelope')dnl
+dnl #
+FEATURE(`use_ct_file')dnl
+dnl #---------------------------------------------------------------------
+dnl # The real reason we're here: the FEATURE(msp)
+dnl # NOTE WELL: MSA (587) should have M=Ea, so we need to use stock 25
+dnl #---------------------------------------------------------------------
+FEATURE(`msp', `[127.0.0.1]', `25')dnl
+dnl #
+dnl #---------------------------------------------------------------------
+dnl # Some minor cleanup from FEATURE(msp)
+dnl #---------------------------------------------------------------------
+dnl #
+dnl #---------------------------------------------------------------------
diff --git a/server/setup/05-service-settings/etc/mail/virtusertable b/server/setup/05-service-settings/etc/mail/virtusertable
new file mode 100644
index 0000000..af7dcd0
--- /dev/null
+++ b/server/setup/05-service-settings/etc/mail/virtusertable
@@ -0,0 +1,33 @@ [email protected] sgothel [email protected] sgothel [email protected] sgothel [email protected] sgothel [email protected] sgothel [email protected] sgothel [email protected] sgothel [email protected] sgothel + [email protected] sgothel [email protected] sgothel [email protected] sgothel [email protected] sgothel [email protected] sgothel [email protected] sgothel [email protected] sgothel [email protected] sgothel [email protected] sgothel [email protected] sgothel + [email protected] qgothel [email protected] qgothel [email protected] qgothel + [email protected] kgothel [email protected] kgothel [email protected] kgothel + [email protected] rsantina [email protected] wbaumann + [email protected] nirvana [email protected] nirvana diff --git a/server/setup/05-service-settings/etc/procmailrc b/server/setup/05-service-settings/etc/procmailrc new file mode 100644 index 0000000..08c0492 --- /dev/null +++ b/server/setup/05-service-settings/etc/procmailrc @@ -0,0 +1,29 @@ +# file: /etc/procmailrc +# system-wide settings for procmail +SHELL="/bin/bash" +SENDMAIL="/usr/sbin/sendmail -oi -t" +LOGFILE="/var/log/procmail.log" +DELIVER="/usr/lib/dovecot/deliver" + +# filter mail through bogofilter, tagging it as Ham, Spam, or Unsure, +# and updating the wordlist +:0fw +| /usr/bin/bogofilter -uep + +# if bogofilter failed, return the mail to the queue; +# the MTA will retry to deliver it later +# 75 is the value for EX_TEMPFAIL in /usr/include/sysexits.h +:0e +{ EXITCODE=75 HOST } + +# deliver to dovecot +# +:0 w +| $DELIVER -d $LOGNAME + +# if deliver failed, return the mail to the queue; +# the MTA will retry to deliver it later +# 75 is the value for EX_TEMPFAIL in /usr/include/sysexits.h +:0e +{ EXITCODE=75 HOST } + diff --git a/server/setup/05-service-settings/etc/rsyslog.conf b/server/setup/05-service-settings/etc/rsyslog.conf new file mode 100644 index 0000000..e4bf2cd --- /dev/null +++ b/server/setup/05-service-settings/etc/rsyslog.conf 
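Review bot: `| /usr/bin/bogofilter -uep` passes `-u`, which writes every classification back into the shared wordlist, so the first messages train the filter from whatever the database holds at install time and every later misclassification reinforces itself with no human correction. Drop the flag (`| /usr/bin/bogofilter -ep`) and train deliberately from user-sorted spam/ham folders with `bogofilter -s`/`-n`, or at least document the auto-training as a bounded bootstrap period. Also, `SENDMAIL="/usr/sbin/sendmail -oi -t"` applies `-t` to every forwarding (`!`) recipe in this file and in users' `~/.procmailrc`; with `-t` sendmail also takes recipients from the message headers, so such a forward may re-deliver to the original To/Cc addresses as well — the conventional setting is `SENDMAIL="/usr/sbin/sendmail -oi"`.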
@@ -0,0 +1,123 @@
+# /etc/rsyslog.conf Configuration file for rsyslog.
+#
+# For more information see
+# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog # provides kernel logging support
+#$ModLoad immark # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+kern.debug -/var/log/firewall
+
+#
+# First some standard log files. Log by facility.
+#
+auth,authpriv.* /var/log/auth.log
+*.*;auth,authpriv.none;kern.!=debug;mail.none -/var/log/syslog
+#cron.* /var/log/cron.log
+daemon.* -/var/log/daemon.log
+kern.*;;kern.!=debug -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+mail.* -/var/log/mail.log
+user.* -/var/log/user.log
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+news.crit /var/log/news/news.crit
+news.err /var/log/news/news.err
+news.notice -/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;kern.!=debug;\
+ auth,authpriv.none;\
+ news.none;mail.none -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+ auth,authpriv.none;\
+ cron,daemon.none;\
+ mail,news.none -/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg :omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+# news.=crit;news.=err;news.=notice;\
+# *.=debug;*.=info;\
+# *.=notice;*.=warn /dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+# $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+# busy site..
+#
+daemon.*;mail.*;\
+ news.err;\
+ *.=debug;*.=info;\
+ *.=notice;*.=warn |/dev/xconsole
diff --git a/server/setup/05-service-settings/var/lib/dovecot/sieve/global/default.sieve b/server/setup/05-service-settings/var/lib/dovecot/sieve/global/default.sieve
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/server/setup/05-service-settings/var/lib/dovecot/sieve/global/default.sieve
@@ -0,0 +1 @@
+
diff --git a/server/setup/05-service-settings/var/lib/dovecot/sieve/prologue.sieve b/server/setup/05-service-settings/var/lib/dovecot/sieve/prologue.sieve
new file mode 100644
index 0000000..c66db85
--- /dev/null
+++ b/server/setup/05-service-settings/var/lib/dovecot/sieve/prologue.sieve
@@ -0,0 +1,11 @@
+require ["copy", "fileinto", "mailbox"];
+
+#
+# Spam First
+#
+if header :matches "X-Bogosity" "Spam*" {
+ fileinto :create "0-Spam";
+} elsif header :matches "X-Bogosity" "Unsure*" {
+ fileinto :create :copy "0-Spam-unsure-copy";
+}
+ |
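Review bot: `kern.debug -/var/log/firewall` selects priority debug *and above*, i.e. every kernel message, so /var/log/firewall will be a full copy of kern.log instead of just the firewall rules' debug-level entries; the `kern.!=debug` exclusions used everywhere else in this file show that debug-only was intended, which is spelled `kern.=debug -/var/log/firewall`. The rule `kern.*;;kern.!=debug -/var/log/kern.log` has a doubled `;;`, leaving an empty selector in the middle of the list that rsyslog may reject or silently ignore; it should be `kern.*;kern.!=debug -/var/log/kern.log`. Whether the firewall rules really log at debug level is not visible here — if they use another priority, both the firewall selector and the `kern.!=debug` exclusions need to change together.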