Merge branch 'packmail' into unstable
This commit is contained in:
commit
acf85bfffc
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- name: restart amavis
|
||||
service:
|
||||
name: amavis
|
||||
state: restarted
|
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
- name: install Amavis
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- postgrey
|
||||
- amavisd-new
|
||||
tags:
|
||||
- amavis
|
||||
|
||||
- name: configure Amavis
|
||||
template:
|
||||
src: amavis.conf.j2
|
||||
dest: /etc/amavis/conf.d/49-evolinux-defaults.conf
|
||||
mode: "0644"
|
||||
notify: restart amavis
|
||||
tags:
|
||||
- amavis
|
|
@ -0,0 +1,57 @@
|
|||
use strict;
|
||||
|
||||
## Liste des domaines considérés comme locaux
|
||||
#@local_domains_acl = qw(.);
|
||||
@local_domains_acl = (".example.net","example.com");
|
||||
|
||||
# On customise la ligne ajoutée dans les entêtes
|
||||
$X_HEADER_LINE = "by Amavis at $mydomain";
|
||||
|
||||
# On precise les FROM pour etre (bugs dans certaines version d'Amavis)
|
||||
$mailfrom_notify_admin = "postmaster\@$mydomain";
|
||||
$mailfrom_notify_recip = "postmaster\@$mydomain";
|
||||
$mailfrom_notify_spamadmin = "postmaster\@$mydomain";
|
||||
|
||||
# Notifications de fichiers bannis / virus
|
||||
$virus_admin = "postmaster\@$mydomain";
|
||||
# Ne pas recevoir des notifications pour les mails UNCHECKED
|
||||
delete $admin_maps_by_ccat{&CC_UNCHECKED};
|
||||
|
||||
# Que faire avec les messages détectés
|
||||
$final_virus_destiny = D_DISCARD;
|
||||
$final_banned_destiny = D_BOUNCE;
|
||||
$final_spam_destiny = D_BOUNCE;
|
||||
$final_bad_header_destiny = D_PASS;
|
||||
|
||||
# Pour recevoir des bounces (mails originals) des fichiers bloqués / virus
|
||||
#$banned_quarantine_to = "banned\@$mydomain";
|
||||
#$virus_quarantine_to = "virus\@$mydomain";
|
||||
|
||||
# Note tueuse
|
||||
$sa_tag2_level_deflt = 6.31;
|
||||
# Pour un comportement "normal" de SA
|
||||
$sa_tag_level_deflt = -1999;
|
||||
$sa_kill_level_deflt = 1999;
|
||||
$sa_dsn_cutoff_level = -99;
|
||||
$sa_spam_subject_tag = '[SPAM]';
|
||||
|
||||
# log
|
||||
$log_level = 2;
|
||||
|
||||
# En fonction besoin/ressources, on a juste le nbre de process
|
||||
$max_servers = 2;
|
||||
|
||||
$enable_ldap = 1;
|
||||
$default_ldap = {
|
||||
hostname => '127.0.0.1', tls => 0,
|
||||
base => '{{ ldap_suffix }}', scope => 'sub',
|
||||
query_filter => '(&(mailacceptinggeneralid=%m)(isActive=TRUE))'
|
||||
};
|
||||
|
||||
# Activer l'antivirus et antivirus
|
||||
@bypass_virus_checks_maps = (
|
||||
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
|
||||
@bypass_spam_checks_maps = (
|
||||
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
|
||||
|
||||
1; # ensure a defined return
|
|
@ -38,6 +38,10 @@
|
|||
- expires
|
||||
- headers
|
||||
- cgi
|
||||
- ssl
|
||||
- include
|
||||
- negotiation
|
||||
- alias
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
|
|
|
@ -1,19 +1,12 @@
|
|||
---
|
||||
- name: Get mount options for partitions
|
||||
shell: "mount | grep 'on /usr type'"
|
||||
args:
|
||||
warn: no
|
||||
register: mount
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
when: not ansible_check_mode
|
||||
- name: update ansible_mounts facts
|
||||
setup:
|
||||
filter: ansible_mounts
|
||||
|
||||
- name: Remount /usr if it is a partition and it is not mounted in rw
|
||||
command: "mount -o remount,rw /usr"
|
||||
when:
|
||||
- not ansible_check_mode
|
||||
- mount.rc == 0
|
||||
- not mount.stdout_lines.0 | search("rw")
|
||||
check_mode: yes
|
||||
- name: mount /usr in rw
|
||||
command: mount -o remount,rw /usr
|
||||
args:
|
||||
warn: no
|
||||
changed_when: false
|
||||
when: item.mount == '/usr' and item.options | match(".*ro.*")
|
||||
with_items: "{{ ansible_mounts }}"
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- name: restart clamav
|
||||
service:
|
||||
name: clamav-daemon
|
||||
state: restarted
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
dependencies:
|
||||
- { role: amavis }
|
|
@ -0,0 +1,111 @@
|
|||
---
|
||||
- name: configure clamav-daemon
|
||||
debconf:
|
||||
name: clamav-daemon
|
||||
question: "{{ item.key }}"
|
||||
value: "{{ item.value }}"
|
||||
vtype: "{{ item.type }}"
|
||||
with_items:
|
||||
- { key: 'clamav-daemon/debconf', type: 'boolean', value: 'true' }
|
||||
- { key: 'clamav-daemon/MaxHTMLNormalize', type: 'string', value: '10M' }
|
||||
- { key: 'clamav-daemon/StatsPEDisabled', type: 'boolean', value: 'true' }
|
||||
- { key: 'clamav-daemon/FollowDirectorySymlinks', type: 'boolean', value: 'false' }
|
||||
- { key: 'clamav-daemon/StreamMaxLength', type: 'string', value: '25' }
|
||||
- { key: 'clamav-daemon/ReadTimeout', type: 'string', value: '180' }
|
||||
- { key: 'clamav-daemon/StatsEnabled', type: 'boolean', value: 'false' }
|
||||
- { key: 'clamav-daemon/MaxConnectionQueueLength', type: 'string', value: '15' }
|
||||
- { key: 'clamav-daemon/LogRotate', type: 'boolean', value: 'true' }
|
||||
- { key: 'clamav-daemon/AllowAllMatchScan', type: 'boolean', value: 'true' }
|
||||
- { key: 'clamav-daemon/ScanOnAccess', type: 'boolean', value: 'false' }
|
||||
- { key: 'clamav-daemon/LogFile', type: 'string', value: '/var/log/clamav/clamav.log' }
|
||||
- { key: 'clamav-daemon/ScanMail', type: 'boolean', value: 'true' }
|
||||
- { key: 'clamav-daemon/BytecodeTimeout', type: 'string', value: '60000' }
|
||||
- { key: 'clamav-daemon/LogTime', type: 'boolean', value: 'true' }
|
||||
- { key: 'clamav-daemon/OnAccessMaxFileSize', type: 'string', value: '5M' }
|
||||
- { key: 'clamav-daemon/TcpOrLocal', type: 'select', value: 'UNIX' }
|
||||
- { key: 'clamav-daemon/MaxEmbeddedPE', type: 'string', value: '10M' }
|
||||
- { key: 'clamav-daemon/FixStaleSocket', type: 'boolean', value: 'true' }
|
||||
- { key: 'clamav-daemon/User', type: 'string', value: 'clamav' }
|
||||
- { key: 'clamav-daemon/BytecodeSecurity', type: 'select', value: 'TrustSigned' }
|
||||
- { key: 'clamav-daemon/ScanSWF', type: 'boolean', value: 'true' }
|
||||
- { key: 'clamav-daemon/MaxDirectoryRecursion', type: 'string', value: '0' }
|
||||
- { key: 'clamav-daemon/MaxThreads', type: 'string', value: '12' }
|
||||
- { key: 'clamav-daemon/LocalSocketGroup', type: 'string', value: 'clamav' }
|
||||
- { key: 'clamav-daemon/MaxScriptNormalize', type: 'string', value: '5M' }
|
||||
- { key: 'clamav-daemon/ForceToDisk', type: 'boolean', value: 'false' }
|
||||
- { key: 'clamav-daemon/StatsHostID', type: 'string', value: 'auto' }
|
||||
- { key: 'clamav-daemon/FollowFileSymlinks', type: 'boolean', value: 'false' }
|
||||
- { key: 'clamav-daemon/TCPSocket', type: 'string', value: '3310' }
|
||||
- { key: 'clamav-daemon/TCPAddr', type: 'string', value: 'any' }
|
||||
- { key: 'clamav-daemon/DisableCertCheck', type: 'boolean', value: 'false' }
|
||||
- { key: 'clamav-daemon/SelfCheck', type: 'string', value: '3600' }
|
||||
- { key: 'clamav-daemon/LocalSocket', type: 'string', value: '/var/run/clamav/clamd.ctl' }
|
||||
- { key: 'clamav-daemon/LocalSocketMode', type: 'string', value: '666' }
|
||||
- { key: 'clamav-daemon/StatsTimeout', type: 'string', value: '10' }
|
||||
- { key: 'clamav-daemon/MaxZipTypeRcg', type: 'string', value: '1M' }
|
||||
- { key: 'clamav-daemon/MaxHTMLNoTags', type: 'string', value: '2M' }
|
||||
- { key: 'clamav-daemon/LogSyslog', type: 'boolean', value: 'false' }
|
||||
- { key: 'clamav-daemon/AddGroups', type: 'string', value: '' }
|
||||
- { key: 'clamav-daemon/Bytecode', type: 'boolean', value: 'true' }
|
||||
- { key: 'clamav-daemon/ScanArchive', type: 'boolean', value: 'true' }
|
||||
tags:
|
||||
- clamav
|
||||
|
||||
- name: configure clamav-freshclam
|
||||
debconf:
|
||||
name: clamav-freshclam
|
||||
question: "{{ item.key }}"
|
||||
value: "{{ item.value }}"
|
||||
vtype: "{{ item.type }}"
|
||||
with_items:
|
||||
- { key: 'clamav-freshclam/autoupdate_freshclam', type: 'select', value: 'daemon' }
|
||||
- { key: 'clamav-freshclam/proxy_user', type: 'string', value: '' }
|
||||
- { key: 'clamav-freshclam/NotifyClamd', type: 'boolean', value: 'true' }
|
||||
- { key: 'clamav-freshclam/local_mirror', type: 'select', value: 'db.fr.clamav.net' }
|
||||
- { key: 'clamav-freshclam/http_proxy', type: 'string', value: '' }
|
||||
- { key: 'clamav-freshclam/LogRotate', type: 'boolean', value: 'true' }
|
||||
- { key: 'clamav-freshclam/Bytecode', type: 'boolean', value: 'true' }
|
||||
- { key: 'clamav-freshclam/update_interval', type: 'string', value: '24' }
|
||||
- { key: 'clamav-freshclam/SafeBrowsing', type: 'boolean', value: 'false' }
|
||||
- { key: 'clamav-freshclam/PrivateMirror', type: 'string', value: '' }
|
||||
- { key: 'clamav-freshclam/internet_interface', type: 'string', value: '' }
|
||||
tags:
|
||||
- clamav
|
||||
|
||||
- name: install ClamAV
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- clamav-daemon
|
||||
- clamav
|
||||
- clamdscan
|
||||
- clamav-freshclam
|
||||
- arc
|
||||
- arj
|
||||
- zoo
|
||||
- pax
|
||||
- bzip2
|
||||
- cabextract
|
||||
- rpm
|
||||
- lzop
|
||||
- razor
|
||||
tags:
|
||||
- clamav
|
||||
|
||||
- name: add clamav user to amavis group
|
||||
user:
|
||||
name: clamav
|
||||
groups: amavis
|
||||
append: True
|
||||
tags:
|
||||
- clamav
|
||||
|
||||
- name: allow supplementary groups
|
||||
replace:
|
||||
dest: /etc/clamav/clamd.conf
|
||||
regexp: 'AllowSupplementaryGroups false'
|
||||
replace: 'AllowSupplementaryGroups true'
|
||||
notify: restart clamav
|
||||
tags:
|
||||
- clamav
|
|
@ -0,0 +1,36 @@
|
|||
---
|
||||
driver:
|
||||
name: docker
|
||||
privileged: true
|
||||
use_sudo: false
|
||||
|
||||
provisioner:
|
||||
name: ansible_playbook
|
||||
hosts: test-kitchen
|
||||
roles_path: ../
|
||||
ansible_verbose: true
|
||||
require_ansible_source: false
|
||||
require_chef_for_busser: false
|
||||
idempotency_test: true
|
||||
|
||||
platforms:
|
||||
- name: debian
|
||||
driver_config:
|
||||
image: evolix/ansible:2.2.1
|
||||
|
||||
verifier:
|
||||
name: serverspec
|
||||
|
||||
suites:
|
||||
- name: default
|
||||
provisioner:
|
||||
name: ansible_playbook
|
||||
playbook: ./tests/test.yml
|
||||
verifier:
|
||||
patterns:
|
||||
- nginx/tests/spec/memcached_spec.rb
|
||||
bundler_path: '/usr/local/bin'
|
||||
rspec_path: '/usr/local/bin'
|
||||
|
||||
transport:
|
||||
max_ssh_sessions: 6
|
|
@ -0,0 +1,11 @@
|
|||
# Dovecot
|
||||
|
||||
Installation and basic configuration of dovecot
|
||||
|
||||
## Tasks
|
||||
|
||||
Minimal configuration is in `tasks/main.yml`
|
||||
|
||||
## Available variables
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
|
@ -0,0 +1,2 @@
|
|||
---
|
||||
dovecot_foo: bar
|
|
@ -0,0 +1,126 @@
|
|||
#! /bin/bash
|
||||
#
|
||||
# Munin Plugin
|
||||
# to count logins to your dovecot mailserver
|
||||
#
|
||||
# Created by Dominik Schulz <lkml@ds.gauner.org>
|
||||
# http://developer.gauner.org/munin/
|
||||
# Contributions by:
|
||||
# - Stephane Enten <tuf@delyth.net>
|
||||
# - Steve Schnepp <steve.schnepp@pwkf.org>
|
||||
#
|
||||
# Parameters understood:
|
||||
#
|
||||
# config (required)
|
||||
# autoconf (optional - used by munin-config)
|
||||
#
|
||||
# Config variables:
|
||||
#
|
||||
# logfile - Where to find the syslog file
|
||||
#
|
||||
# Add the following line to a file in /etc/munin/plugin-conf.d:
|
||||
# env.logfile /var/log/your/logfile.log
|
||||
#
|
||||
# Magic markers (optional - used by munin-config and installation scripts):
|
||||
#
|
||||
#%# family=auto
|
||||
#%# capabilities=autoconf
|
||||
|
||||
######################
|
||||
# Configuration
|
||||
######################
|
||||
EXPR_BIN=/usr/bin/expr
|
||||
LOGFILE=${logfile:-/var/log/mail.log}
|
||||
######################
|
||||
|
||||
if [ "$1" = "autoconf" ]; then
|
||||
echo yes
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$1" = "config" ]; then
|
||||
echo 'graph_title Dovecot Logins'
|
||||
echo 'graph_category Mail'
|
||||
echo 'graph_args --base 1000 -l 0'
|
||||
echo 'graph_vlabel Login Counters'
|
||||
|
||||
for t in Total TLS SSL IMAP POP3
|
||||
do
|
||||
field=$(echo $t | tr '[:upper:]' '[:lower:]')
|
||||
echo "login_$field.label $t Logins"
|
||||
echo "login_$field.type DERIVE"
|
||||
echo "login_$field.min 0"
|
||||
done
|
||||
|
||||
echo 'connected.label Connected Users'
|
||||
|
||||
exit 0
|
||||
fi
|
||||
|
||||
######################
|
||||
# Total Logins
|
||||
######################
|
||||
echo -en "login_total.value "
|
||||
VALUE=$(egrep -c '[dovecot]?.*Login' $LOGFILE)
|
||||
if [ ! -z "$VALUE" ]; then
|
||||
echo "$VALUE"
|
||||
else
|
||||
echo "0"
|
||||
fi
|
||||
echo -n
|
||||
######################
|
||||
# Connected Users
|
||||
######################
|
||||
DISCONNECTS=$(egrep -c '[dovecot]?.*Disconnected' $LOGFILE)
|
||||
CONNECTS=$(egrep -c '[dovecot]?.*Login' $LOGFILE)
|
||||
VALUE=$($EXPR_BIN $CONNECTS - $DISCONNECTS)
|
||||
if [ -z "$VALUE" ] || [ "$VALUE" -lt 0 ]; then
|
||||
VALUE=0
|
||||
fi
|
||||
echo -en "connected.value "
|
||||
echo $VALUE
|
||||
echo -n
|
||||
######################
|
||||
# TLS Logins
|
||||
######################
|
||||
echo -en "login_tls.value "
|
||||
VALUE=$(egrep -c '[dovecot]?.*Login.*TLS' $LOGFILE)
|
||||
if [ ! -z "$VALUE" ]; then
|
||||
echo "$VALUE"
|
||||
else
|
||||
echo "0"
|
||||
fi
|
||||
echo -n
|
||||
######################
|
||||
# SSL Logins
|
||||
######################
|
||||
echo -en "login_ssl.value "
|
||||
VALUE=$(egrep -c '[dovecot]?.*Login.*SSL' $LOGFILE)
|
||||
if [ ! -z "$VALUE" ]; then
|
||||
echo "$VALUE"
|
||||
else
|
||||
echo "0"
|
||||
fi
|
||||
echo -n
|
||||
######################
|
||||
# IMAP Logins
|
||||
######################
|
||||
echo -en "login_imap.value "
|
||||
VALUE=$(egrep -c '[dovecot]?.*imap.*Login' $LOGFILE)
|
||||
if [ ! -z "$VALUE" ]; then
|
||||
echo "$VALUE"
|
||||
else
|
||||
echo "0"
|
||||
fi
|
||||
echo -n
|
||||
######################
|
||||
# POP3 Logins
|
||||
######################
|
||||
echo -en "login_pop3.value "
|
||||
VALUE=$(egrep -c '[dovecot]?.*pop3.*Login' $LOGFILE)
|
||||
if [ ! -z "$VALUE" ]; then
|
||||
echo "$VALUE"
|
||||
else
|
||||
echo "0"
|
||||
fi
|
||||
echo -n
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
- name: restart dovecot
|
||||
service:
|
||||
name: dovecot
|
||||
state: restarted
|
||||
|
||||
- name: reload dovecot
|
||||
service:
|
||||
name: dovecot
|
||||
state: reloaded
|
|
@ -0,0 +1,68 @@
|
|||
- name: ensure packages are installed
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- dovecot-ldap
|
||||
- dovecot-imapd
|
||||
- dovecot-pop3d
|
||||
- dovecot-sieve
|
||||
- dovecot-managesieved
|
||||
tags:
|
||||
- dovecot
|
||||
|
||||
- name: disable pam auth
|
||||
replace:
|
||||
dest: /etc/dovecot/conf.d/10-auth.conf
|
||||
regexp: "[^#]!include auth-system.conf.ext"
|
||||
replace: "#!include auth-system.conf.ext"
|
||||
tags:
|
||||
- dovecot
|
||||
|
||||
- name: update ldap auth
|
||||
lineinfile:
|
||||
dest: /etc/dovecot/dovecot-ldap.conf.ext
|
||||
line: "{{ item.key }} = {{ item.value }}"
|
||||
regexp: "^#*{{ item.key }}"
|
||||
state: present
|
||||
with_items:
|
||||
- { key: 'hosts', value: '127.0.0.1' }
|
||||
- { key: 'auth_bind', value: 'yes' }
|
||||
- { key: 'ldap_version', value: 3 }
|
||||
- { key: 'base', value: "{{ ldap_suffix }}" }
|
||||
- { key: 'user_attrs', value: 'homeDirectory=home' }
|
||||
- { key: 'user_filter', value: '(&(isActive=TRUE)(uid=%u))' }
|
||||
- { key: 'pass_attrs', value: 'uid=user,userPassword=password' }
|
||||
when: ldap_suffix is defined
|
||||
notify: reload dovecot
|
||||
tags:
|
||||
- dovecot
|
||||
|
||||
- name: create vmail group
|
||||
group:
|
||||
name: vmail
|
||||
gid: 5000
|
||||
tags:
|
||||
- dovecot
|
||||
|
||||
- name: create vmail user
|
||||
user:
|
||||
name: vmail
|
||||
group: vmail
|
||||
uid: 5000
|
||||
shell: /bin/false
|
||||
tags:
|
||||
- dovecot
|
||||
|
||||
- name: deploy evolix config
|
||||
template:
|
||||
src: z-evolinux-defaults.conf.j2
|
||||
dest: /etc/dovecot/conf.d/z-evolinux-defaults.conf
|
||||
mode: "0644"
|
||||
notify: reload dovecot
|
||||
tags:
|
||||
- dovecot
|
||||
|
||||
- include: munin.yml
|
||||
tags:
|
||||
- dovecot
|
|
@ -0,0 +1,20 @@
|
|||
---
|
||||
|
||||
- name: is Munin present ?
|
||||
stat:
|
||||
path: /etc/munin/plugin-conf.d/munin-node
|
||||
check_mode: no
|
||||
register: munin_node_plugins_config
|
||||
|
||||
- block:
|
||||
- name: Install munin plugin
|
||||
copy:
|
||||
src: munin_plugin
|
||||
dest: /etc/munin/plugins/dovecot
|
||||
mode: "0755"
|
||||
|
||||
# TODO : add in /etc/munin/plugin-conf.d/munin-node
|
||||
# [dovecot]
|
||||
# group adm
|
||||
|
||||
when: munin_node_plugins_config.stat.exists
|
|
@ -0,0 +1,36 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
# Autorise les mécanismes PLAIN/LOGIN même sans SSL/TLS
|
||||
disable_plaintext_auth = no
|
||||
auth_mechanisms = plain login
|
||||
|
||||
# Authentification LDAP + intégration avec Postfix pour l'auth SMTP
|
||||
!include auth-ldap.conf.ext
|
||||
service auth {
|
||||
unix_listener auth-userdb {
|
||||
mode = 0600
|
||||
user = vmail
|
||||
group = vmail
|
||||
}
|
||||
unix_listener /var/spool/postfix/private/auth-client {
|
||||
mode = 0666
|
||||
user = postfix
|
||||
group = postfix
|
||||
}
|
||||
}
|
||||
|
||||
# Stockage des emails dans /home/mail avec UID/GID 5000/5000
|
||||
mail_location = maildir:/home/vmail/%d/%n
|
||||
mail_uid = 5000
|
||||
mail_gid = 5000
|
||||
|
||||
# Activation Sieve
|
||||
protocol lda {
|
||||
mail_plugins = sieve
|
||||
}
|
||||
|
||||
# Optimisations
|
||||
service login {
|
||||
process_limit = 256
|
||||
}
|
||||
mail_max_userip_connections = 42
|
|
@ -3,3 +3,4 @@ general_alert_email: "root@localhost"
|
|||
fail2ban_alert_email: Null
|
||||
fail2ban_ignore_ips: []
|
||||
fail2ban_wordpress: False
|
||||
fail2ban_roundcube: False
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
[Definition]
|
||||
failregex = Login failed for .*. from <HOST>
|
|
@ -22,14 +22,6 @@
|
|||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: package is installed
|
||||
apt:
|
||||
name: fail2ban
|
||||
state: present
|
||||
tags:
|
||||
- fail2ban
|
||||
- packages
|
||||
|
||||
- name: custom filters are installed
|
||||
copy:
|
||||
src: "{{ item }}"
|
||||
|
@ -40,6 +32,16 @@
|
|||
- sasl-evolix.conf
|
||||
- wordpress-soft.conf
|
||||
- wordpress-hard.conf
|
||||
- roundcube.conf
|
||||
notify: restart fail2ban
|
||||
tags:
|
||||
- fail2ban
|
||||
|
||||
- name: package is installed
|
||||
apt:
|
||||
name: fail2ban
|
||||
state: present
|
||||
tags:
|
||||
- fail2ban
|
||||
- packages
|
||||
|
||||
|
|
|
@ -44,3 +44,12 @@ logpath = /var/log/auth.log
|
|||
maxretry = 5
|
||||
findtime = 300
|
||||
{% endif %}
|
||||
|
||||
{% if fail2ban_roundcube %}
|
||||
[roundcube]
|
||||
enabled = true
|
||||
port = http,https
|
||||
filter = roundcube
|
||||
logpath = /var/lib/roundcube/logs/errors
|
||||
maxretry = 5
|
||||
{% endif %}
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
---
|
||||
ldap_domain: "{{ ansible_fqdn }}"
|
||||
ldap_organization: "{{ ansible_domain }}"
|
||||
#ldap_password=$(apg -n1 -m 12 -c cl_seed)
|
||||
ldap_suffix: "dc=example,dc=com"
|
||||
ldap_suffix_dc: "example"
|
||||
|
|
|
@ -6,8 +6,82 @@
|
|||
- slapd
|
||||
- ldap-utils
|
||||
- ldapvi
|
||||
- shelldap
|
||||
|
||||
- name: "Is /root/.ldapvirc present ?"
|
||||
stat:
|
||||
path: /root/.ldapvirc
|
||||
check_mode: no
|
||||
register: root_ldapvirc_path
|
||||
|
||||
- name: apg package is installed
|
||||
apt:
|
||||
name: apg
|
||||
state: present
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: create a password for cn=admin
|
||||
command: "apg -n 1 -m 16 -M lcN"
|
||||
register: ldap_admin_password
|
||||
changed_when: False
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: create a password for cn=nagios
|
||||
command: "apg -n 1 -m 16 -M lcN"
|
||||
register: ldap_nagios_password
|
||||
changed_when: False
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: hash password for cn=admin
|
||||
command: "slappasswd -s {{ ldap_admin_password.stdout }}"
|
||||
register: ldap_admin_password_ssha
|
||||
changed_when: False
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: hash password for cn=nagios
|
||||
command: "slappasswd -s {{ ldap_nagios_password.stdout }}"
|
||||
register: ldap_nagios_password_ssha
|
||||
changed_when: False
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: create ldapvirc config
|
||||
template:
|
||||
src: ldapvirc.j2
|
||||
dest: /root/.ldapvirc
|
||||
mode: "0640"
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: upload ldap initial config
|
||||
template:
|
||||
src: config_ldapvi.j2
|
||||
dest: /root/evolinux_ldap_config.ldapvi
|
||||
mode: "0640"
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: upload ldap initial entries
|
||||
template:
|
||||
src: first-entries.ldif.j2
|
||||
dest: /root/evolinux_ldap_first-entries.ldif
|
||||
mode: "0640"
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: inject config
|
||||
command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi
|
||||
environment:
|
||||
TERM: xterm
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: inject first entries
|
||||
command: slapadd -l /root/evolinux_ldap_first-entries.ldif
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: upload custom schema
|
||||
copy:
|
||||
src: "{{ ldap_schema }}"
|
||||
dest: "/root/{{ ldap_schema }}"
|
||||
mode: "0640"
|
||||
when: not root_ldapvirc_path.stat.exists and ldap_schema is defined
|
||||
|
||||
- name: inject custom schema
|
||||
command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}"
|
||||
when: not root_ldapvirc_path.stat.exists and ldap_schema is defined
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
modify: olcDatabase={1}mdb,cn=config
|
||||
olcSuffix: {{ ldap_suffix }}
|
||||
olcRootDN: cn=admin,{{ ldap_suffix }}
|
||||
olcRootPW: {{ ldap_admin_password_ssha.stdout }}
|
||||
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
|
||||
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * none
|
||||
olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read
|
||||
olcAccess: {3}to * by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read
|
|
@ -0,0 +1,30 @@
|
|||
dn: {{ ldap_suffix }}
|
||||
objectClass: top
|
||||
objectClass: dcObject
|
||||
objectClass: organization
|
||||
o: {{ ldap_suffix_dc }}
|
||||
dc: {{ ldap_suffix_dc }}
|
||||
|
||||
dn: cn=admin,{{ ldap_suffix }}
|
||||
objectClass: simpleSecurityObject
|
||||
objectClass: organizationalRole
|
||||
cn: admin
|
||||
description: LDAP administrator
|
||||
userPassword: {{ ldap_admin_password_ssha.stdout }}
|
||||
|
||||
dn: ou=ldapusers,{{ ldap_suffix }}
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
ou: ldapusers
|
||||
|
||||
dn: cn=perl,ou=ldapusers,{{ ldap_suffix }}
|
||||
objectClass: simpleSecurityObject
|
||||
objectClass: organizationalRole
|
||||
cn: perl
|
||||
userPassword: {{ ldap_admin_password_ssha.stdout }}
|
||||
|
||||
dn: cn=nagios,ou=ldapusers,{{ ldap_suffix }}
|
||||
objectClass: simpleSecurityObject
|
||||
objectClass: organizationalRole
|
||||
cn: nagios
|
||||
userPassword: {{ ldap_nagios_password_ssha.stdout }}
|
|
@ -0,0 +1,6 @@
|
|||
profile default
|
||||
host: ldap://127.0.0.1
|
||||
base: {{ ldap_suffix }}
|
||||
user: cn=admin,{{ ldap_suffix }}
|
||||
bind: simple
|
||||
password: {{ ldap_admin_password.stdout }}
|
|
@ -28,6 +28,7 @@ command[check_ldap]=/usr/lib/nagios/plugins/check_ldap -3 -H localhost -D cn=nag
|
|||
command[check_ldaps]=/usr/lib/nagios/plugins/check_ldaps -3 -H localhost -b {{ nagios_nrpe_ldap_dc }}
|
||||
command[check_imap]=/usr/lib/nagios/plugins/check_imap -H localhost
|
||||
command[check_imaps]=/usr/lib/nagios/plugins/check_imap -S -H localhost -p 993
|
||||
command[check_imapproxy]=/usr/lib/nagios/plugins/check_imap -H localhost -p 1143
|
||||
command[check_pop]=/usr/lib/nagios/plugins/check_pop -H localhost
|
||||
command[check_pops]=/usr/lib/nagios/plugins/check_pop -S -H localhost -p 995
|
||||
command[check_ftp]=/usr/lib/nagios/plugins/check_ftp -H localhost
|
||||
|
|
|
@ -0,0 +1,46 @@
|
|||
#!/bin/sh
|
||||
|
||||
if [ "$#" -ne 1 ]; then
|
||||
echo "Usage : $0 example.com" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
domain="$(echo "$1"|xargs)"
|
||||
|
||||
mkdir -pm 0750 "/etc/opendkim/keys/${domain}"
|
||||
chown opendkim:opendkim "/etc/opendkim/keys/${domain}"
|
||||
|
||||
if [ ! -f "/etc/opendkim/keys/${domain}/default.private" ]; then
|
||||
cd "/etc/opendkim/keys/${domain}"
|
||||
echo "Generate DKIM keys ..."
|
||||
sudo -u opendkim opendkim-genkey -r -d "${domain}"
|
||||
chmod 640 /etc/opendkim/keys/${domain}/*
|
||||
fi
|
||||
|
||||
grep -q "${domain}" /etc/opendkim/TrustedHosts
|
||||
if [ "$?" -ne 0 ]; then
|
||||
echo "Add ${domain} to TrustedHosts ..."
|
||||
echo "${domain}" >> /etc/opendkim/TrustedHosts
|
||||
fi
|
||||
|
||||
grep -q "${domain}" /etc/opendkim/KeyTable
|
||||
if [ "$?" -ne 0 ]; then
|
||||
echo "Add ${domain} to KeyTable ..."
|
||||
echo "default._domainkey.${domain} ${domain}:default:/etc/opendkim/keys/${domain}/default.private" >> /etc/opendkim/KeyTable
|
||||
fi
|
||||
|
||||
grep -q "${domain}" /etc/opendkim/SigningTable
|
||||
if [ "$?" -ne 0 ]; then
|
||||
echo "Add ${domain} to SigningTable ..."
|
||||
echo "*@${domain} default._domainkey.${domain}" >> /etc/opendkim/SigningTable
|
||||
fi
|
||||
|
||||
systemctl reload opendkim
|
||||
if [ "$?" -eq 0 ]; then
|
||||
echo "OpenDKIM successfully reloaded"
|
||||
echo "Public key is in : /etc/opendkim/keys/${domain}/default.txt"
|
||||
exit 0
|
||||
else
|
||||
echo "An error has occurred while opendkim reload, please FIX configuration !" >&2
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,18 @@
|
|||
UserID opendkim:opendkim
|
||||
Socket inet:54321@127.0.0.1
|
||||
PidFile /var/run/opendkim/opendkim.pid
|
||||
OversignHeaders From
|
||||
TrustAnchorFile /usr/share/dns/root.key
|
||||
Selector default
|
||||
Canonicalization relaxed/relaxed
|
||||
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
|
||||
InternalHosts refile:/etc/opendkim/TrustedHosts
|
||||
KeyTable refile:/etc/opendkim/KeyTable
|
||||
LogResults Yes
|
||||
LogWhy Yes
|
||||
Mode sv
|
||||
SigningTable refile:/etc/opendkim/SigningTable
|
||||
Syslog Yes
|
||||
SyslogSuccess Yes
|
||||
TemporaryDirectory /var/tmp
|
||||
UMask 007
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
- name: reload opendkim
|
||||
systemd:
|
||||
name: opendkim
|
||||
state: reloaded
|
||||
|
||||
- name: restart opendkim
|
||||
systemd:
|
||||
name: opendkim
|
||||
state: restarted
|
|
@ -0,0 +1,95 @@
|
|||
---
|
||||
- name: install OpenDKIM
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- opendkim
|
||||
- opendkim-tools
|
||||
tags:
|
||||
- opendkim
|
||||
|
||||
- name: create keys directory
|
||||
file:
|
||||
name: "{{ item }}"
|
||||
state: directory
|
||||
owner: opendkim
|
||||
group: opendkim
|
||||
mode: "0750"
|
||||
with_items:
|
||||
- '/etc/opendkim'
|
||||
- '/etc/opendkim/keys'
|
||||
tags:
|
||||
- opendkim
|
||||
|
||||
- name: add 127.0.0.1 to TrustedHosts
|
||||
lineinfile:
|
||||
dest: '/etc/opendkim/TrustedHosts'
|
||||
line: '127.0.0.1'
|
||||
create: True
|
||||
owner: opendkim
|
||||
group: opendkim
|
||||
mode: "0640"
|
||||
notify: reload opendkim
|
||||
tags:
|
||||
- opendkim
|
||||
|
||||
- name: create config files
|
||||
file:
|
||||
name: "/etc/opendkim/{{ item }}"
|
||||
state: touch
|
||||
owner: opendkim
|
||||
group: opendkim
|
||||
mode: "0640"
|
||||
with_items:
|
||||
- 'KeyTable'
|
||||
- 'SigningTable'
|
||||
changed_when: False
|
||||
tags:
|
||||
- opendkim
|
||||
|
||||
- name: copy OpenDKIM config
|
||||
copy:
|
||||
src: opendkim.conf
|
||||
dest: /etc/opendkim.conf
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart opendkim
|
||||
tags:
|
||||
- opendkim
|
||||
|
||||
- name: ensure opendkim is started and enabled
|
||||
systemd:
|
||||
name: opendkim
|
||||
state: started
|
||||
enabled: True
|
||||
tags:
|
||||
- opendkim
|
||||
|
||||
- name: check if /usr is a partition
|
||||
shell: "mount | grep 'on /usr type'"
|
||||
args:
|
||||
warn: no
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
register: usr_partition
|
||||
check_mode: no
|
||||
tags:
|
||||
- opendkim
|
||||
|
||||
- name: mount /usr in rw
|
||||
command: mount -o remount,rw /usr
|
||||
args:
|
||||
warn: no
|
||||
changed_when: False
|
||||
when: usr_partition.rc == 0
|
||||
tags:
|
||||
- opendkim
|
||||
|
||||
- name: deploy opendkim-add.sh script
|
||||
copy:
|
||||
src: opendkim-add.sh
|
||||
dest: /usr/share/scripts/opendkim-add.sh
|
||||
mode: "0750"
|
||||
tags:
|
||||
- opendkim
|
|
@ -4,9 +4,10 @@ Installation and basic configuration of Postfix.
|
|||
|
||||
## Tasks
|
||||
|
||||
Minimal configuration is in `tasks/main.yml` and optional customization in :
|
||||
Minimal configuration is in `tasks/minimal.yml` and optional customization in :
|
||||
|
||||
* `slow_transport.yml` : slow transport to specific destination.
|
||||
* `packmail.yml` : config for virtual mail accounts with OpenLDAP
|
||||
|
||||
## Available variables
|
||||
|
||||
|
@ -14,5 +15,7 @@ Main variables are :
|
|||
|
||||
* `postfix_hostname` : hostname for Postfix ;
|
||||
* `postfix_slow_transport` : enable customization for delivrability.
|
||||
* `postfix_force_main_cf` : force copy of main.cf
|
||||
* `postfix_packmail` : install an Evolix Packmail instead of lite postfix config
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
---
|
||||
postfix_hostname: "{{ ansible_fqdn }}"
|
||||
postfix_slow_transport_include: False
|
||||
postfix_force_main_cf: False
|
||||
postfix_packmail: False
|
||||
postfix_slow_transport_include: "{{ postfix_packmail }}"
|
||||
|
|
|
@ -0,0 +1,63 @@
|
|||
dn: cn={4}evolix,cn=schema,cn=config
|
||||
objectClass: olcSchemaConfig
|
||||
cn: {4}evolix
|
||||
olcAttributeTypes: {0}( 1.3.6.1.4.1.24331.22.1.1 NAME 'maildrop' DESC 'mail fo
|
||||
rward' SUP mail )
|
||||
olcAttributeTypes: {1}( 1.3.6.1.4.1.24331.22.1.2 NAME 'mailacceptinggeneralid'
|
||||
DESC 'mail alias' SUP mail )
|
||||
olcAttributeTypes: {2}( 1.3.6.1.4.1.24331.22.1.3 NAME 'isActive' DESC 'boolean
|
||||
to verify an global account is active or not' EQUALITY booleanMatch SYNTAX 1
|
||||
.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||
olcAttributeTypes: {3}( 1.3.6.1.4.1.24331.22.1.4 NAME 'accountActive' DESC 'bo
|
||||
olean to verify if an mail account is active' EQUALITY booleanMatch SYNTAX 1.
|
||||
3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||
olcAttributeTypes: {4}( 1.3.6.1.4.1.24331.22.1.5 NAME 'authsmtpActive' DESC 'b
|
||||
oolean to verify if SMTP-AUTH is enabled for entry' EQUALITY booleanMatch SYN
|
||||
TAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||
olcAttributeTypes: {5}( 1.3.6.1.4.1.24331.22.1.6 NAME 'courierActive' DESC 'bo
|
||||
olean to verify if Courier POP/IMAP is enabled for entry' EQUALITY booleanMat
|
||||
ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||
olcAttributeTypes: {6}( 1.3.6.1.4.1.24331.22.1.7 NAME 'webmailActive' DESC 'bo
|
||||
olean to verify if webmail is enabled for entry' EQUALITY booleanMatch SYNTAX
|
||||
1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||
olcAttributeTypes: {7}( 1.3.6.1.4.1.24331.22.1.8 NAME 'isAdmin' DESC 'boolean
|
||||
to verify if entry is admin for entry' EQUALITY booleanMatch SYNTAX 1.3.6.1.4
|
||||
.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||
olcAttributeTypes: {8}( 1.3.6.1.4.1.24331.22.1.9 NAME 'postfixTransport' DESC
|
||||
'transport for Postfix' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.11
|
||||
5.121.1.26{20} SINGLE-VALUE )
|
||||
olcAttributeTypes: {9}( 1.3.6.1.4.1.24331.22.1.10 NAME 'domain' DESC 'Postfix
|
||||
domain' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTA
|
||||
X 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
|
||||
olcAttributeTypes: {10}( 1.3.6.1.4.1.24331.22.1.11 NAME 'quota' DESC 'Courier
|
||||
maildir quota' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
|
||||
26 SINGLE-VALUE )
|
||||
olcAttributeTypes: {11}( 1.3.6.1.4.1.24331.22.1.16 NAME 'vacationActive' DESC
|
||||
'A flag, for marking the user as being away' EQUALITY booleanMatch SYNTAX 1.3
|
||||
.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||
olcAttributeTypes: {12}( 1.3.6.1.4.1.24331.22.1.17 NAME 'vacationInfo' DESC 'A
|
||||
bsentee note to leave behind, while on vacation' EQUALITY octetStringMatch SY
|
||||
NTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
|
||||
olcAttributeTypes: {13}( 1.3.6.1.4.1.24331.22.1.18 NAME 'vacationStart' DESC '
|
||||
Beginning of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.
|
||||
121.1.40 SINGLE-VALUE )
|
||||
olcAttributeTypes: {14}( 1.3.6.1.4.1.24331.22.1.19 NAME 'vacationEnd' DESC 'En
|
||||
d of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
|
||||
SINGLE-VALUE )
|
||||
olcAttributeTypes: {15}( 1.3.6.1.4.1.24331.22.1.20 NAME 'vacationForward' DESC
|
||||
'Where to forward mails to, while on vacation' EQUALITY caseIgnoreIA5Match S
|
||||
UBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
|
||||
)
|
||||
olcAttributeTypes: {16}( 1.3.6.1.4.1.24331.22.1.21 NAME 'smbActive' DESC 'bool
|
||||
ean to verify if an Samba account is active' EQUALITY booleanMatch SYNTAX 1.3
|
||||
.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
|
||||
olcObjectClasses: {0}( 1.3.6.1.4.1.24331.22.2.1 NAME 'mailAccount' DESC 'LDAP/
|
||||
Unix mail account or virtual account' SUP top AUXILIARY MUST ( uid $ mailacce
|
||||
ptinggeneralid ) MAY ( accountActive $ authsmtpActive $ quota $ isActive $ co
|
||||
urierActive $ webmailActive $ isAdmin $ vacationActive $ vacationInfo $ vacat
|
||||
ionStart $ vacationEnd $ vacationForward $ maildrop ) )
|
||||
olcObjectClasses: {1}( 1.3.6.1.4.1.24331.22.2.2 NAME 'mailAlias' DESC 'Mail al
|
||||
iasing/forwarding entry' SUP top STRUCTURAL MUST ( mailacceptinggeneralid $ m
|
||||
aildrop ) MAY ( cn $ isActive ) )
|
||||
olcObjectClasses: {2}( 1.3.6.1.4.1.24331.22.2.4 NAME 'postfixDomain' DESC 'Pos
|
||||
tfix domain' SUP posixGroup STRUCTURAL MAY ( postfixTransport $ isActive ) )
|
|
@ -0,0 +1 @@
|
|||
# Default empty file
|
|
@ -0,0 +1,87 @@
|
|||
#!/bin/bash
|
||||
|
||||
#set -x
|
||||
|
||||
umask 022
|
||||
|
||||
tmp_file=$(mktemp)
|
||||
|
||||
tmp=$(mktemp -d)
|
||||
|
||||
if [ -f $tmp_file ] ;
|
||||
then rm $tmp_file ;
|
||||
fi
|
||||
|
||||
sleep $[ $RANDOM / 1024 ]
|
||||
|
||||
# Postfix
|
||||
cd $tmp
|
||||
|
||||
wget -q -t 3 http://antispam00.evolix.org/spam/client.access -O $tmp_file
|
||||
cp $tmp_file /etc/postfix/client.access
|
||||
rm $tmp_file
|
||||
|
||||
wget -q -t 3 http://antispam00.evolix.org/spam/sender.access -O $tmp_file
|
||||
cp $tmp_file /etc/postfix/sender.access
|
||||
rm $tmp_file
|
||||
|
||||
wget -q -t 3 http://antispam00.evolix.org/spam/recipient.access -O $tmp_file
|
||||
cp $tmp_file /etc/postfix/recipient.access
|
||||
rm $tmp_file
|
||||
|
||||
wget -q -t 3 http://antispam00.evolix.org/spam/header_kill -O $tmp_file
|
||||
cp $tmp_file /etc/postfix/header_kill
|
||||
rm $tmp_file
|
||||
|
||||
wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access -O sa-blacklist.access
|
||||
wget -q -t 3 http://antispam00.evolix.org/spam/sa-blacklist.access.md5 -O $tmp_file
|
||||
if md5sum -c $tmp_file > /dev/null && [ -s sa-blacklist.access ] ; then
|
||||
cp sa-blacklist.access /etc/postfix/sa-blacklist.access
|
||||
fi
|
||||
rm sa-blacklist.access
|
||||
rm $tmp_file
|
||||
|
||||
/usr/sbin/postmap hash:/etc/postfix/client.access
|
||||
/usr/sbin/postmap hash:/etc/postfix/sender.access
|
||||
/usr/sbin/postmap hash:/etc/postfix/recipient.access
|
||||
/usr/sbin/postmap -r hash:/etc/postfix/sa-blacklist.access
|
||||
|
||||
wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr -O spamd.cidr
|
||||
wget -q -t 3 http://antispam00.evolix.org/spam/spamd.cidr.md5 -O $tmp_file
|
||||
if md5sum -c $tmp_file > /dev/null && [ -s spamd.cidr ] ; then
|
||||
cp spamd.cidr /etc/postfix/spamd.cidr
|
||||
fi
|
||||
rm spamd.cidr
|
||||
rm $tmp_file
|
||||
|
||||
|
||||
# SpamAssassin
|
||||
cd $tmp
|
||||
wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf -O evolix_rules.cf
|
||||
wget -q -t 3 http://antispam00.evolix.org/spam/evolix_rules.cf.md5 -O $tmp_file
|
||||
if md5sum -c $tmp_file > /dev/null && [ -s evolix_rules.cf ] ; then
|
||||
dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp evolix_rules.cf /etc/spamassassin
|
||||
dpkg -l spamassassin 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/spamassassin reload > /dev/null
|
||||
if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
|
||||
run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
|
||||
fi
|
||||
fi
|
||||
|
||||
# ClamAV
|
||||
cd $tmp
|
||||
wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb -O evolix.ndb
|
||||
wget -q -t 3 http://antispam00.evolix.org/spam/evolix.ndb.md5 -O $tmp_file
|
||||
dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.ndb
|
||||
if md5sum -c $tmp_file > /dev/null && [ -s evolix.ndb ] ; then
|
||||
dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.ndb /var/lib/clamav/
|
||||
fi
|
||||
wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb -O evolix.hsb
|
||||
wget -q -t 3 http://antispam00.evolix.org/spam/evolix.hsb.md5 -O $tmp_file
|
||||
dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && chown clamav: evolix.hsb
|
||||
if md5sum -c $tmp_file > /dev/null && [ -s evolix.hsb ] ; then
|
||||
dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && cp -a evolix.hsb /var/lib/clamav/
|
||||
fi
|
||||
dpkg -l clamav-daemon 2>&1 | grep -v "no packages found matching" | grep -q ^ii && /etc/init.d/clamav-daemon reload-database > /dev/null
|
||||
rm $tmp_file
|
||||
|
||||
rm -rf $tmp
|
|
@ -13,7 +13,9 @@ galaxy_info:
|
|||
versions:
|
||||
- jessie
|
||||
|
||||
dependencies: []
|
||||
# List your role dependencies here, one per line.
|
||||
# Be sure to remove the '[]' above if you add dependencies
|
||||
# to this list.
|
||||
dependencies:
|
||||
- { role: ldap, ldap_schema: 'cn4evolix.ldif', when: postfix_packmail == True }
|
||||
- { role: spamassasin, when: postfix_packmail == True }
|
||||
- { role: clamav, when: postfix_packmail == True }
|
||||
- { role: opendkim, when: postfix_packmail == True }
|
||||
- { role: dovecot, when: postfix_packmail == True }
|
||||
|
|
|
@ -1,30 +1,17 @@
|
|||
- name: ensure packages are installed
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- postfix
|
||||
- mailgraph
|
||||
|
||||
---
|
||||
- name: check if main.cf is default
|
||||
shell: grep -v -E "^(myhostname|mydestination|mailbox_command)" /etc/postfix/main.cf | md5sum -
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: default_main_cf
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
- name: create minimal main.cf
|
||||
template:
|
||||
src: evolinux_main.cf.j2
|
||||
dest: /etc/postfix/main.cf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
when: default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or
|
||||
default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -"
|
||||
notify: restart postfix
|
||||
- include: minimal.yml
|
||||
when: postfix_packmail == False
|
||||
|
||||
- meta: flush_handlers
|
||||
- include: packmail.yml
|
||||
when: postfix_packmail == True
|
||||
|
||||
- include: slow_transport.yml
|
||||
when: postfix_slow_transport_include
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
---
|
||||
- name: ensure packages are installed
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- postfix
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
- name: create minimal main.cf
|
||||
template:
|
||||
src: evolinux_main.cf.j2
|
||||
dest: /etc/postfix/main.cf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart postfix
|
||||
when: postfix_force_main_cf == True or
|
||||
default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or
|
||||
default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -"
|
||||
tags:
|
||||
- postfix
|
|
@ -0,0 +1,128 @@
|
|||
---
|
||||
- name: ensure packages are installed
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- postfix
|
||||
- postfix-ldap
|
||||
- postfix-policyd-spf-python
|
||||
- mailgraph
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
- name: create packmail main.cf
|
||||
template:
|
||||
src: packmail_main.cf.j2
|
||||
dest: /etc/postfix/main.cf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart postfix
|
||||
when: postfix_force_main_cf == True or
|
||||
default_main_cf.stdout == "5450c05d65878e99dad696c7c722e511 -" or
|
||||
default_main_cf.stdout == "30022953f1f61f002bfb72e163ecb27e -"
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
- name: deploy packmail master.cf
|
||||
template:
|
||||
src: packmail_master.cf.j2
|
||||
dest: /etc/postfix/master.cf
|
||||
mode: "0644"
|
||||
notify: restart postfix
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
- name: copy default filter files
|
||||
copy:
|
||||
src: filter
|
||||
dest: "/etc/postfix/{{ item }}"
|
||||
force: no
|
||||
with_items:
|
||||
- virtual
|
||||
- client.access
|
||||
- client.access_local
|
||||
- header_kill
|
||||
- header_kill_local
|
||||
- recipient.access
|
||||
- recipient.access_local
|
||||
- sa-blacklist.access
|
||||
- sender.access
|
||||
- sender.access_local
|
||||
- spamd.cidr
|
||||
register: postfix_copy_filter
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
- name: postmap filter files
|
||||
command: "postmap /etc/postfix/{{ item }}"
|
||||
with_items:
|
||||
- virtual
|
||||
- client.access
|
||||
- client.access_local
|
||||
- header_kill
|
||||
- header_kill_local
|
||||
- recipient.access
|
||||
- recipient.access_local
|
||||
- sa-blacklist.access
|
||||
- sender.access
|
||||
- sender.access_local
|
||||
- spamd.cidr
|
||||
when: postfix_copy_filter.changed
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
- name: deploy ldap postfix config
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/etc/postfix/{{ item }}"
|
||||
mode: "0644"
|
||||
with_items:
|
||||
- virtual_aliases.cf
|
||||
- virtual_domains.cf
|
||||
- virtual_mailboxes.cf
|
||||
notify: restart postfix
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
- name: update ansible_mounts facts
|
||||
setup:
|
||||
filter: ansible_mounts
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
- name: mount /usr in rw
|
||||
command: mount -o remount,rw /usr
|
||||
args:
|
||||
warn: no
|
||||
changed_when: false
|
||||
when: item.mount == '/usr' and item.options | match(".*ro.*")
|
||||
with_items: "{{ ansible_mounts }}"
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
- name: copy spam.sh script
|
||||
copy:
|
||||
src: spam.sh
|
||||
dest: /usr/share/scripts/spam.sh
|
||||
mode: "0700"
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
- name: enable spam.sh cron
|
||||
lineinfile:
|
||||
dest: /etc/cron.d/spam
|
||||
line: "42 * * * * /usr/share/scripts/spam.sh"
|
||||
create: yes
|
||||
state: present
|
||||
mode: "0640"
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
- name: update antispam list
|
||||
command: /usr/share/scripts/spam.sh
|
||||
changed_when: false
|
||||
tags:
|
||||
- postfix
|
|
@ -1,10 +1,12 @@
|
|||
---
|
||||
|
||||
- name: slow transport is defined in master.cf
|
||||
lineinfile:
|
||||
dest: /etc/postfix/master.cf
|
||||
regexp: "^slow "
|
||||
line: "slow unix - - n - - smtp"
|
||||
notify: restart postfix
|
||||
tags:
|
||||
- postfix
|
||||
|
||||
- name: list of providers for slow transport
|
||||
lineinfile:
|
||||
|
@ -21,24 +23,5 @@
|
|||
- "hotmail.fr slow:"
|
||||
- "hotmail.com slow:"
|
||||
notify: postmap transport
|
||||
|
||||
- name: main.cf is configured for slow transports
|
||||
blockinfile:
|
||||
dest: /etc/postfix/main.cf
|
||||
marker: "# {mark} Slow transports configuration (installed by Ansible)"
|
||||
block: |
|
||||
minimal_backoff_time = 2h
|
||||
maximal_backoff_time = 6h
|
||||
maximal_queue_lifetime = 4d
|
||||
queue_run_delay = 100s
|
||||
bounce_queue_lifetime = 1d
|
||||
initial_destination_concurrency = 5
|
||||
default_destination_concurrency_limit = 20
|
||||
slow_destination_rate_delay = 0
|
||||
slow_destination_concurrency_limit = 1
|
||||
slow_destination_concurrency_failed_cohort_limit = 100
|
||||
slow_destination_recipient_limit = 25
|
||||
transport_maps = hash:$config_directory/transport
|
||||
notify: restart postfix
|
||||
|
||||
- meta: flush_handlers
|
||||
tags:
|
||||
- postfix
|
||||
|
|
|
@ -13,3 +13,19 @@ recipient_delimiter = +
|
|||
inet_interfaces = all
|
||||
inet_protocols = ipv4
|
||||
disable_vrfy_command = yes
|
||||
|
||||
{% if postfix_slow_transport_include == True %}
|
||||
# Slow transports configuration
|
||||
minimal_backoff_time = 2h
|
||||
maximal_backoff_time = 6h
|
||||
maximal_queue_lifetime = 4d
|
||||
queue_run_delay = 100s
|
||||
bounce_queue_lifetime = 1d
|
||||
initial_destination_concurrency = 5
|
||||
default_destination_concurrency_limit = 20
|
||||
slow_destination_rate_delay = 0
|
||||
slow_destination_concurrency_limit = 1
|
||||
slow_destination_concurrency_failed_cohort_limit = 100
|
||||
slow_destination_recipient_limit = 25
|
||||
transport_maps = hash:$config_directory/transport
|
||||
{% endif %}
|
||||
|
|
|
@ -0,0 +1,423 @@
|
|||
## fichier principal de configuration de Postfix
|
||||
## commentaires de Gregory Colpart reg AT evolix DOT fr
|
||||
## version 1.0 : 1ere version publique (05.04.2010)
|
||||
|
||||
########################
|
||||
# Section : Emplacements
|
||||
########################
|
||||
|
||||
# Repertoire ou se trouvent les commandes de postfix [OBLIGATOIRE]
|
||||
#par defaut, = $program_directory
|
||||
command_directory = /usr/sbin
|
||||
|
||||
# Repertoire ou se trouvent les demons de postfix [OBLIGATOIRE]
|
||||
#par defaut, = $program_directory
|
||||
daemon_directory = /usr/lib/postfix/sbin
|
||||
|
||||
# Variable pour indiquer les emplacements des commandes et demons de postfix
|
||||
#program_directory = /usr/lib/postfix
|
||||
|
||||
# Repertoire contenant les fichiers de boites aux lettres
|
||||
#par defaut, = /var/mail
|
||||
#mail_spool_directory =
|
||||
|
||||
# Repertoire de la file d'attente de postfix
|
||||
#par defaut, = /var/spool/postfix
|
||||
#queue_directory =
|
||||
|
||||
# Boites aux lettres
|
||||
#par defaut, =
|
||||
home_mailbox = Maildir/
|
||||
|
||||
# Transmettre les mails a un MDA
|
||||
#par defaut, =
|
||||
#mailbox_command = /usr/bin/procmail
|
||||
|
||||
# Separateur entre noms d'utilisateur et extensions d'adresse
|
||||
# mettre + pour integration avec amavis
|
||||
#par defaut, =
|
||||
recipient_delimiter = +
|
||||
|
||||
# Controle si le repertoire existe (souvent pour les systemes de fichiers montes)
|
||||
#par defaut, = no
|
||||
#require_home_directory =
|
||||
|
||||
# Commande pour transmettre le courrier a un MDA
|
||||
#par defaut, =
|
||||
#mailbox_command = /usr/bin/procmail
|
||||
|
||||
# Banniere SMTP affichee
|
||||
#par default, = $myhostname ESMTP $mail_name
|
||||
smtpd_banner = $myhostname ESMTP mail server
|
||||
|
||||
# Groupe des commandes set-gid ayant des acces en ecriture
|
||||
#par defaut, = postdrop
|
||||
# setgid_group = postdrop
|
||||
|
||||
# Produire des "biff notifications" aux utilisateurs pour
|
||||
# prevenir de l'arrivee de nouveaux mails
|
||||
# par default, = yes
|
||||
#biff = no
|
||||
|
||||
|
||||
####################
|
||||
# Section : domaines
|
||||
####################
|
||||
|
||||
# Indique le nom d'hote pleinement qualifie ou se trouve postfix [OBLIGATOIRE]
|
||||
#par defaut, = [retour de la commande Unix hostname]
|
||||
myhostname = {{ ansible_fqdn }}
|
||||
|
||||
# Variable indiquant le domaine dans lequel se trouve la machine
|
||||
#par defaut, = [partie domain de la variable $myhostname]
|
||||
#mydomain =
|
||||
|
||||
# Liste des noms de domaine (ou IP) consideres comme local
|
||||
#par defaut, = $myhostname, localhost.$mydomain, localhost
|
||||
mydestination = $myhostname
|
||||
|
||||
# Indique le domaine apparaissant dans le courrier envoye
|
||||
#par defaut, = $myhostname
|
||||
myorigin = {{ ansible_fqdn }}
|
||||
|
||||
# Liste de domaine fonctionnant UNIQUEMENT avec des alias virtuels
|
||||
#par defaut, = $virtual_alias_maps
|
||||
#virtual_alias_domains = [ domaines avec alias virtuels ]
|
||||
|
||||
# Liste de domaine fonctionnant avec des comptes virtuels
|
||||
#par defaut, = $virtual_mailbox_maps
|
||||
virtual_mailbox_domains = ldap:$config_directory/virtual_domains.cf
|
||||
|
||||
# Repertoire de base de l'espace de stockage
|
||||
#par defaut, =
|
||||
virtual_mailbox_base = /
|
||||
|
||||
# Ajoute $mydomain aux adresse ne compoirtant que la partie hote sans le domaine
|
||||
#par defaut, = yes
|
||||
#append_dot_mydomain = no
|
||||
|
||||
# Ajoute $myorigin aux adresses ne comportant pas de composante de domaine
|
||||
#par defaut, = yes
|
||||
#append_at_myorigin = no
|
||||
|
||||
# Liste de domaines cachant des sous-domaines internes
|
||||
#par defaut, =
|
||||
#masquerade_domains =
|
||||
|
||||
# A l'exception de certains comptes :
|
||||
#par defaut, =
|
||||
#masquerade_exceptions = root, admin
|
||||
|
||||
# Champs d'application de la reecriture des sous-domaines caches
|
||||
#par defaut, = envelope_sender, header_sender, header_recipient
|
||||
#masquerade_classes =
|
||||
|
||||
# Sites eligibles pour un vidage rapide (postqueue -s [domain.tld])
|
||||
#par defaut, = $relay_domains
|
||||
#fast_flush_domains =
|
||||
|
||||
# Interfaces sur lesquelles ecoutent postfix
|
||||
#par defaut, = all
|
||||
#inet_interfaces = all
|
||||
|
||||
# Adresse IP externe du firewall/proxy si derriere NAT ou proxy
|
||||
# evite principalement les boucles si MX secondaire et MX primaire indisponible
|
||||
#par defaut, =
|
||||
#proxy_interfaces = [adresse IP]
|
||||
|
||||
# Domaines acceptes pour faire relai (MX 2aire)
|
||||
#relay_domains = [domaine a relayer]
|
||||
|
||||
|
||||
###########################
|
||||
# Section : base de donnees
|
||||
###########################
|
||||
|
||||
# Liste des bases de donnees utilisees par l'agent de distribution locale
|
||||
# Pour regenerer une base de donnees : postalias /etc/aliases (par ex)
|
||||
#par defaut, = hash:/etc/aliases, nis:mail.aliases
|
||||
alias_maps = hash:/etc/aliases
|
||||
|
||||
# Liste des bases de donnees locales
|
||||
# Pour regenerer avec newaliases
|
||||
#par defaut, = hash:/etc/aliases
|
||||
alias_database = hash:/etc/aliases
|
||||
|
||||
# Chemin vers la commande newaliases
|
||||
#par defaut, = /usr/bin/newaliases
|
||||
#newaliases_path =
|
||||
|
||||
# Base de donnes d'alias virtuels
|
||||
# ne pas oublier : postmap /etc/postfix/virtual
|
||||
#par defaut, = $virtual_maps
|
||||
virtual_alias_maps = hash:$config_directory/virtual, ldap:$config_directory/virtual_aliases.cf
|
||||
|
||||
# Base de donners des boites virtuelles
|
||||
# ne pas oublier : postmap /etc/postfix/vmailbox
|
||||
#par defaut, =
|
||||
virtual_mailbox_maps = ldap:$config_directory/virtual_mailboxes.cf
|
||||
|
||||
virtual_uid_maps = static:5000
|
||||
virtual_gid_maps = static:5000
|
||||
virtual_transport = dovecot
|
||||
dovecot_destination_recipient_limit = 1
|
||||
|
||||
# Reecriture des adresses
|
||||
#par defaut, =
|
||||
#canonical_maps = hash:/etc/postfix/canonical
|
||||
|
||||
# Reecriture des adresses a l'arrivee (ecrase $canonical_maps)
|
||||
#par defaut, =
|
||||
#recipient_canonical_maps = hash:/etc/postfix/canonical
|
||||
|
||||
# Reecriture des adresses au depart
|
||||
#par defaut, =
|
||||
#sender_canonical_maps = hash:/etc/postfix/canonical
|
||||
|
||||
# Adresses changees
|
||||
#relocated_maps = hash:/etc/postfix/relocated
|
||||
|
||||
# Boite pour receptionner tous les utilisateurs inconnus
|
||||
#luser_relay = spam
|
||||
|
||||
# Liste de base de donnees contenant les adresses locales permettant de rejeter les messages aux utilisateurs inconnus
|
||||
# (sera nulle pour recuperer les courriels vers les utilisateurs inconnus)
|
||||
#par defaut, = proxy:unix:passwd.byname $alias_maps
|
||||
#local_recipient_maps =
|
||||
|
||||
# MAILING-LIST nommee xx
|
||||
# dans le fichier /etc/aliases :
|
||||
# xx: user1@domain1 user2@domain2 etc.
|
||||
# owner-xx: admin@domain
|
||||
# Utiliser ou non l'alias xx-owner comme adresse d'enveloppe d'expedition
|
||||
#par defaut, = yes
|
||||
#owner_request_special =
|
||||
|
||||
# Utiliser l'adresse relle de l'admin au lieu de xx-owner
|
||||
#par defaut, = no
|
||||
#expand_owner_alias =
|
||||
|
||||
|
||||
###########################################
|
||||
# Section : parametres de la file d'attente
|
||||
###########################################
|
||||
|
||||
# Lorsqu'un message n'a pas ete delivre, Postfix adjoint une marque indiquant le moment ou la prochaine tentaive pourra avoir lieu
|
||||
|
||||
# Delai au-dela duquel les messages non delivres seront renvoyes a l'expediteur
|
||||
#par defaut, = 5d
|
||||
#maximal_queue_lifetime =
|
||||
|
||||
# Delai au-dela duquel les *bounces* non delivres ne seront plus envoyes
|
||||
#par defaut, = 5d
|
||||
bounce_queue_lifetime = 1d
|
||||
|
||||
# Intervalle de temps ou postfix examinera la file
|
||||
# Il examine notamment la file deferred pour voir si de NOUVEAUX messages sont arrives
|
||||
# Il faut aussi que la marque indique qu'ils soient prets
|
||||
#par defaut, = 1000s
|
||||
#queue_run_delay =
|
||||
|
||||
# A chaque echec, le delai de la prochaine distribution double, avec les restrictions suivantes :
|
||||
# Delai minimal
|
||||
#par defaut, = 1000s
|
||||
#minimal_backoff_time =
|
||||
# Delai maximal
|
||||
#par defaut, = 4000s
|
||||
#maximal_backoff_time =
|
||||
|
||||
# Si maxproc est vide (master.cf), nombre maximal est :
|
||||
#par defaut, = 100
|
||||
#default_process_limit =
|
||||
|
||||
# Nombre maximal de destinataires stockes en memoire par qmgr pour un transport particulier
|
||||
#par defaut, = 10000
|
||||
#default_recipient_limit =
|
||||
|
||||
# Nombre limitant de messages envoyes simultanement INITIALEMENT pour une destination particuliere
|
||||
# (forcement majoree par maxproc du master.cf ou $default_process_limit)
|
||||
#par defaut, = 5
|
||||
#initial_destination_concurrency =
|
||||
|
||||
# Une fois ces messages distribues, si il reste des messages dans la file d'attente pour cette destination
|
||||
# particuliere, postfix augmente le nombre de tentative tant qu'il ne detecte pas de probleme avec
|
||||
# la destination, avec la limite suivante :
|
||||
#par defaut, = 20
|
||||
#default_destination_concurrency_limit =
|
||||
|
||||
# Cette limite peut etre differente selon le type de transport utilise :
|
||||
#par defaut, = $default_destination_concurrency_limit
|
||||
#lmtp_destination_concurrency_limit =
|
||||
#par defaut, = 2
|
||||
#local_destination_concurrency_limit =
|
||||
#par defaut, = $default_destination_concurrency_limit
|
||||
#relay_destination_concurrency_limit =
|
||||
#par defaut, = $default_destination_concurrency_limit
|
||||
#smtp_destination_concurrency_limit =
|
||||
#par defaut, = $default_destination_concurrency_limit
|
||||
#virtual_destination_concurrency_limit =
|
||||
|
||||
# On peut aussi limiter le nombre maximum de destinataire pour un meme message
|
||||
# Si le nombre de destinataire depasse la limite, postfix divise en groupe d'adresses plus petites et envoie des copies distinctes du message
|
||||
#par defaut, = 10000
|
||||
#default_destination_recipient_limit =
|
||||
#par defaut, = $default_destination_recipient_limit
|
||||
#lmtp_destination_recipient_limit =
|
||||
#par defaut, = 1
|
||||
#local_destination_recipient_limit =
|
||||
#par defaut, = 20000
|
||||
#qmgr_message_recipient_limit =
|
||||
#par defaut, = $default_destination_recipient_limit
|
||||
#relay_destination_recipient_limit =
|
||||
#par defaut, = $default_destination_recipient_limit
|
||||
#smtp_destination_recipient_limit =
|
||||
#par defaut, = 1000
|
||||
#smtpd_recipient_limit =
|
||||
#par defaut, = $default_destination_recipient_limit
|
||||
#virtual_destination_recipient_limit =
|
||||
|
||||
# Nombre maximum de destinataires pour un transport lorsque priorite superieure de transport
|
||||
#par defaut, = 1000
|
||||
#default_extra_recipient_limit =
|
||||
|
||||
slow_destination_rate_delay = 0
|
||||
slow_destination_concurrency_limit = 1
|
||||
slow_destination_recipient_limit = 25
|
||||
slow_destination_concurrency_failed_cohort_limit = 100
|
||||
|
||||
# Types d'incidents a rapporter
|
||||
# resource : message non delivre pour probleme de ressource
|
||||
# software : message non delivre pour probleme de logiciels
|
||||
# policy : envoie le transcription smtp d'un message rejete par restrictions
|
||||
# protocol : envoie toute transcription smtp erronee
|
||||
# delay : envoie les entetes de messages differes
|
||||
# bounce : envoie les entetes de tous les message renvoyes
|
||||
# 2bounce : envoie les entetes de tous les messages renvoyes non delivres
|
||||
#par defaut, = resource, software
|
||||
notify_classes = resource, software, bounce, 2bounce, delay, policy, protocol
|
||||
|
||||
# A qui les reporter ?
|
||||
#Pour delay
|
||||
#par defaut, = postmaster
|
||||
delay_notice_recipient = delay
|
||||
#Pour policy, protocol, resource, software
|
||||
#par defaut, = postmaster
|
||||
error_notice_recipient = error
|
||||
#Pour bounce
|
||||
#par defaut, = postmaster
|
||||
bounce_notice_recipient = bounce
|
||||
#Pour 2bounce
|
||||
#par defaut, = postmaster
|
||||
2bounce_notice_recipient = bounce
|
||||
|
||||
|
||||
########################
|
||||
# Section : restrictions
|
||||
########################
|
||||
|
||||
# Restrictions au depart de la conversation
|
||||
#par defaut, =
|
||||
smtpd_client_restrictions =
|
||||
permit_mynetworks,
|
||||
permit_sasl_authenticated,
|
||||
cidr:$config_directory/spamd.cidr,
|
||||
|
||||
# Restrictions au niveau de la commande HELO/EHLO
|
||||
#par defaut, =
|
||||
smtpd_helo_restrictions =
|
||||
reject_invalid_hostname
|
||||
|
||||
# Restrictions au niveau de la commande MAIL FROM
|
||||
#par defaut, =
|
||||
smtpd_sender_restrictions =
|
||||
permit_mynetworks,
|
||||
check_sender_access hash:$config_directory/sa-blacklist.access
|
||||
|
||||
# Restrictions au niveau de la commande MAIL FROM
|
||||
#par defaut, = permit_mynetworks, reject_unauth_destination
|
||||
smtpd_recipient_restrictions =
|
||||
permit_mynetworks,
|
||||
permit_sasl_authenticated,
|
||||
reject_unauth_destination,
|
||||
check_policy_service unix:private/policyd-spf,
|
||||
check_client_access hash:$config_directory/client.access_local,
|
||||
check_client_access hash:$config_directory/client.access,
|
||||
check_sender_access hash:$config_directory/sender.access_local,
|
||||
check_sender_access hash:$config_directory/sender.access,
|
||||
check_recipient_access hash:$config_directory/recipient.access_local,
|
||||
check_recipient_access hash:$config_directory/recipient.access,
|
||||
reject_unlisted_recipient,
|
||||
reject_unknown_sender_domain,
|
||||
reject_non_fqdn_sender,
|
||||
reject_unauth_pipelining,
|
||||
|
||||
policyd-spf_time_limit = 3600
|
||||
|
||||
header_checks =
|
||||
regexp:$config_directory/header_kill_local,
|
||||
regexp:$config_directory/header_kill
|
||||
|
||||
transport_maps = hash:$config_directory/transport
|
||||
|
||||
# Attendre la commande 'RCPT TO' avant d'evaluer les restrictions ?
|
||||
# (peut poser pb avec certains clients et permet d'avoir renseignements suppl)
|
||||
#par defaut, = yes
|
||||
#smtpd_delay_reject =
|
||||
|
||||
# Definition des plages IP appartenant a mynetworks
|
||||
#par defaut, toutes les plages d'adresses IPv4 (et IPv6) des interfaces
|
||||
mynetworks = 127.0.0.0/8,[::1]/128,10.0.0.0/16
|
||||
|
||||
# Exiger la commande HELO/EHLO
|
||||
#par defaut, = no
|
||||
smtpd_helo_required = yes
|
||||
|
||||
# Exiger syntaxe conforme dans les commandes MAIL FROM ou RCPT TO
|
||||
#par defaut, = no
|
||||
strict_rfc821_envelopes = yes
|
||||
|
||||
# Rejeter le courrier provenant d'une adresse inexistante ?
|
||||
#par defaut, = no
|
||||
#smtpd_reject_unlisted_sender =
|
||||
|
||||
# Rejeter le courrier a destination d'une adresse inexistante ?
|
||||
#par defaut, = yes
|
||||
#smtpd_reject_unlisted_recipient =
|
||||
|
||||
|
||||
#######################
|
||||
# Section : Chiffrement
|
||||
#######################
|
||||
|
||||
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||
smtpd_use_tls=yes
|
||||
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
|
||||
# SASL
|
||||
smtpd_sasl_auth_enable = yes
|
||||
broken_sasl_auth_clients = yes
|
||||
smtpd_sasl_type = dovecot
|
||||
smtpd_sasl_path = private/auth-client
|
||||
|
||||
# Amavis and OpenDKIM
|
||||
content_filter = smtp-amavis:[127.0.0.1]:10024
|
||||
smtpd_milters = inet:[127.0.0.1]:54321
|
||||
non_smtpd_milters = inet:[127.0.0.1]:54321
|
||||
|
||||
{% if postfix_slow_transport_include == True %}
|
||||
# Slow transports configuration
|
||||
minimal_backoff_time = 2h
|
||||
maximal_backoff_time = 6h
|
||||
maximal_queue_lifetime = 4d
|
||||
queue_run_delay = 100s
|
||||
bounce_queue_lifetime = 1d
|
||||
initial_destination_concurrency = 5
|
||||
default_destination_concurrency_limit = 20
|
||||
slow_destination_rate_delay = 0
|
||||
slow_destination_concurrency_limit = 1
|
||||
slow_destination_concurrency_failed_cohort_limit = 100
|
||||
slow_destination_recipient_limit = 25
|
||||
transport_maps = hash:$config_directory/transport
|
||||
{% endif %}
|
|
@ -0,0 +1,171 @@
|
|||
#
|
||||
# Postfix master process configuration file. For details on the format
|
||||
# of the file, see the master(5) manual page (command: "man 5 master" or
|
||||
# on-line: http://www.postfix.org/master.5.html).
|
||||
#
|
||||
# Do not forget to execute "postfix reload" after editing this file.
|
||||
#
|
||||
# ==========================================================================
|
||||
# service type private unpriv chroot wakeup maxproc command + args
|
||||
# (yes) (yes) (no) (never) (100)
|
||||
# ==========================================================================
|
||||
smtp inet n - y - - smtpd
|
||||
#smtp inet n - y - 1 postscreen
|
||||
#smtpd pass - - y - - smtpd
|
||||
#dnsblog unix - - y - 0 dnsblog
|
||||
#tlsproxy unix - - y - 0 tlsproxy
|
||||
submission inet n - y - - smtpd
|
||||
-o syslog_name=postfix/submission
|
||||
-o smtpd_tls_security_level=encrypt
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
|
||||
-o milter_macro_daemon_name=ORIGINATING
|
||||
smtps inet n - y - - smtpd
|
||||
-o syslog_name=postfix/smtps
|
||||
-o smtpd_tls_wrappermode=yes
|
||||
-o smtpd_sasl_auth_enable=yes
|
||||
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
|
||||
-o milter_macro_daemon_name=ORIGINATING
|
||||
#628 inet n - y - - qmqpd
|
||||
pickup unix n - y 60 1 pickup
|
||||
cleanup unix n - y - 0 cleanup
|
||||
qmgr unix n - n 300 1 qmgr
|
||||
#qmgr unix n - n 300 1 oqmgr
|
||||
tlsmgr unix - - y 1000? 1 tlsmgr
|
||||
rewrite unix - - y - - trivial-rewrite
|
||||
bounce unix - - y - 0 bounce
|
||||
defer unix - - y - 0 bounce
|
||||
trace unix - - y - 0 bounce
|
||||
verify unix - - y - 1 verify
|
||||
flush unix n - y 1000? 0 flush
|
||||
proxymap unix - - n - - proxymap
|
||||
proxywrite unix - - n - 1 proxymap
|
||||
smtp unix - - y - - smtp
|
||||
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
|
||||
relay unix - - y - - smtp
|
||||
-o smtp_fallback_relay=
|
||||
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
|
||||
showq unix n - y - - showq
|
||||
error unix - - y - - error
|
||||
retry unix - - y - - error
|
||||
discard unix - - y - - discard
|
||||
local unix - n n - - local
|
||||
virtual unix - n n - - virtual
|
||||
lmtp unix - - y - - lmtp
|
||||
anvil unix - - y - 1 anvil
|
||||
scache unix - - y - 1 scache
|
||||
#
|
||||
# ====================================================================
|
||||
# Interfaces to non-Postfix software. Be sure to examine the manual
|
||||
# pages of the non-Postfix software to find out what options it wants.
|
||||
#
|
||||
# Many of the following services use the Postfix pipe(8) delivery
|
||||
# agent. See the pipe(8) man page for information about ${recipient}
|
||||
# and other message envelope options.
|
||||
# ====================================================================
|
||||
#
|
||||
# maildrop. See the Postfix MAILDROP_README file for details.
|
||||
# Also specify in main.cf: maildrop_destination_recipient_limit=1
|
||||
#
|
||||
maildrop unix - n n - - pipe
|
||||
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
|
||||
#
|
||||
# Specify in cyrus.conf:
|
||||
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
|
||||
#
|
||||
# Specify in main.cf one or more of the following:
|
||||
# mailbox_transport = lmtp:inet:localhost
|
||||
# virtual_transport = lmtp:inet:localhost
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# Cyrus 2.1.5 (Amos Gouaux)
|
||||
# Also specify in main.cf: cyrus_destination_recipient_limit=1
|
||||
#
|
||||
#cyrus unix - n n - - pipe
|
||||
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
|
||||
#
|
||||
# ====================================================================
|
||||
# Old example of delivery via Cyrus.
|
||||
#
|
||||
#old-cyrus unix - n n - - pipe
|
||||
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
|
||||
#
|
||||
# ====================================================================
|
||||
#
|
||||
# See the Postfix UUCP_README file for configuration details.
|
||||
#
|
||||
uucp unix - n n - - pipe
|
||||
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
|
||||
#
|
||||
# Other external delivery methods.
|
||||
#
|
||||
ifmail unix - n n - - pipe
|
||||
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
|
||||
bsmtp unix - n n - - pipe
|
||||
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
|
||||
scalemail-backend unix - n n - 2 pipe
|
||||
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
|
||||
mailman unix - n n - - pipe
|
||||
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
|
||||
${nexthop} ${user}
|
||||
|
||||
slow unix - - n - - smtp
|
||||
|
||||
policyd-spf unix - n n - 0 spawn
|
||||
user=policyd-spf argv=/usr/bin/policyd-spf
|
||||
|
||||
dovecot unix - n n - - pipe
|
||||
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
|
||||
|
||||
scan unix - - y - 10 smtp
|
||||
localhost:10026 inet n - y - 10 smtpd
|
||||
-o content_filter=
|
||||
-o local_recipient_maps=
|
||||
-o relay_recipient_maps=
|
||||
-o myhostname=filter.mynetwork.local
|
||||
-o smtpd_helo_restrictions=
|
||||
-o smtpd_client_restrictions=
|
||||
-o smtpd_sender_restrictions=
|
||||
-o smtpd_recipient_restrictions=permit_mynetworks,reject
|
||||
-o mynetworks=127.0.0.0/8
|
||||
|
||||
smtp-amavis unix - - y - 2 lmtp
|
||||
-o lmtp_data_done_timeout=1200
|
||||
-o lmtp_send_xforward_command=yes
|
||||
|
||||
127.0.0.1:10025 inet n - y - - smtpd
|
||||
-o content_filter=
|
||||
-o smtpd_milters=
|
||||
-o local_recipient_maps=
|
||||
-o relay_recipient_maps=
|
||||
-o smtpd_restriction_classes=
|
||||
-o smtpd_delay_reject=no
|
||||
-o smtpd_client_restrictions=permit_mynetworks,reject
|
||||
-o smtpd_helo_restrictions=
|
||||
-o smtpd_sender_restrictions=
|
||||
-o smtpd_recipient_restrictions=permit_mynetworks,reject
|
||||
-o smtpd_data_restrictions=reject_unauth_pipelining
|
||||
-o smtpd_end_of_data_restrictions=
|
||||
-o mynetworks=127.0.0.0/8
|
||||
-o strict_rfc821_envelopes=yes
|
||||
-o smtpd_error_sleep_time=0
|
||||
-o smtpd_soft_error_limit=1001
|
||||
-o smtpd_hard_error_limit=1000
|
||||
-o smtpd_client_connection_count_limit=0
|
||||
-o smtpd_client_connection_rate_limit=0
|
||||
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
|
||||
|
||||
pre-cleanup unix n - n - 0 cleanup
|
||||
-o virtual_alias_maps=
|
||||
-o canonical_maps=
|
||||
-o sender_canonical_maps=
|
||||
-o recipient_canonical_maps=
|
||||
-o masquerade_domains=
|
||||
-o always_bcc=
|
||||
-o sender_bcc_maps=
|
||||
-o recipient_bcc_maps=
|
|
@ -0,0 +1,5 @@
|
|||
search_base = {{ ldap_suffix }}
|
||||
query_filter = (&(mailacceptinggeneralid=%u@%d)(isActive=TRUE))
|
||||
result_attribute = maildrop
|
||||
version = 3
|
||||
aliases_scope = sub
|
|
@ -0,0 +1,5 @@
|
|||
search_base = {{ ldap_suffix }}
|
||||
query_filter = (&(cn=%s)(objectClass=postfixDomain)(isActive=TRUE))
|
||||
result_attribute = cn
|
||||
scope = sub
|
||||
version = 3
|
|
@ -0,0 +1,5 @@
|
|||
search_base = {{ ldap_suffix }}
|
||||
query_filter = (&(mailacceptinggeneralid=%s)(objectClass=mailAccount)(isActive=TRUE)(accountActive=TRUE))
|
||||
result_attribute = homeDirectory
|
||||
scope = sub
|
||||
version = 3
|
|
@ -0,0 +1,68 @@
|
|||
#!/bin/sh
|
||||
|
||||
# Evolix sa-update, based on:
|
||||
# Duncan Findlay
|
||||
# duncf@debian.org
|
||||
|
||||
mail=$(grep EVOMAINTMAIL /etc/evomaintenance.cf | cut -d'=' -f2)
|
||||
test -x /usr/bin/sa-update || exit 0
|
||||
test -x /etc/init.d/spamassassin || exit 0
|
||||
|
||||
# If there's a problem with the ruleset or configs, print the output
|
||||
# of spamassassin --lint (which will typically get emailed to root)
|
||||
# and abort.
|
||||
die_with_lint() {
|
||||
su debian-spamd -c "spamassassin --lint -D 2>&1"
|
||||
exit 1
|
||||
}
|
||||
|
||||
do_compile() {
|
||||
# Compile, if rules have previously been compiled, and it's possible
|
||||
if [ -x /usr/bin/re2c -a -x /usr/bin/sa-compile \
|
||||
-a -d /var/lib/spamassassin/compiled ]; then
|
||||
su debian-spamd -c "sa-compile --quiet"
|
||||
# Fixup perms -- group and other should be able to
|
||||
# read and execute, but never write. Works around
|
||||
# sa-compile's failure to obey umask.
|
||||
chmod -R go-w,go+rX /var/lib/spamassassin/compiled
|
||||
fi
|
||||
}
|
||||
|
||||
# Tell a running spamd to reload its configs and rules.
|
||||
reload() {
|
||||
# Reload
|
||||
if which invoke-rc.d >/dev/null 2>&1; then
|
||||
invoke-rc.d spamassassin reload > /dev/null
|
||||
else
|
||||
/etc/init.d/spamassassin reload > /dev/null
|
||||
fi
|
||||
if [ -d /etc/spamassassin/sa-update-hooks.d ]; then
|
||||
run-parts --lsbsysinit /etc/spamassassin/sa-update-hooks.d
|
||||
fi
|
||||
}
|
||||
|
||||
# Update
|
||||
umask 022
|
||||
su debian-spamd -c "sa-update --gpghomedir /var/lib/spamassassin/sa-update-keys"
|
||||
|
||||
case $? in
|
||||
0)
|
||||
# got updates!
|
||||
su debian-spamd -c "spamassassin --lint" || die_with_lint
|
||||
do_compile
|
||||
reload
|
||||
echo -e "Les règles SpamAsassin ont été mises à jour. Merci de reporter toute anomalie." | \
|
||||
mail -s "SpamAsassin's rules updated." $mail
|
||||
;;
|
||||
1)
|
||||
# no updates
|
||||
exit 0
|
||||
;;
|
||||
2)
|
||||
# lint failed!
|
||||
die_with_lint
|
||||
;;
|
||||
*)
|
||||
echo "sa-update failed for unknown reasons" 1>&2
|
||||
;;
|
||||
esac
|
|
@ -0,0 +1,117 @@
|
|||
#required_score 5 -> assure par Amavis
|
||||
report_safe 0
|
||||
#rewrite_header Subject [SPAM] -> assure par Amavis
|
||||
add_header all Report _REPORT_
|
||||
|
||||
# filtre bayesien
|
||||
# mkdir -p /var/spool/spam/ && chown amavis /var/spool/spam/
|
||||
use_bayes 1
|
||||
bayes_auto_learn 1
|
||||
bayes_path /var/spool/spam/bayes
|
||||
bayes_file_mode 0777
|
||||
|
||||
# AWL : AutoWhitelist
|
||||
# mkdir -p /var/spool/spam/ && chown amavis /var/spool/spam/
|
||||
loadplugin Mail::SpamAssassin::Plugin::AWL
|
||||
use_auto_whitelist 1
|
||||
auto_whitelist_path /var/spool/spam/auto_whitelist
|
||||
auto_whitelist_file_mode 0666
|
||||
|
||||
# LANG TESTS
|
||||
loadplugin Mail::SpamAssassin::Plugin::TextCat
|
||||
ok_languages en fr es it
|
||||
ok_locales en fr es it
|
||||
|
||||
score BODY_8BITS 1.500
|
||||
score CHARSET_FARAWAY 3.200
|
||||
score CHARSET_FARAWAY_HEADER 3.200
|
||||
score HTML_CHARSET_FARAWAY 0.500
|
||||
score MIME_CHARSET_FARAWAY 2.450
|
||||
score UNWANTED_LANGUAGE_BODY 2.800
|
||||
|
||||
# DCC
|
||||
# use_dcc 1 => un plugin maintenant...
|
||||
score DCC_CHECK 2.9
|
||||
|
||||
# RAZOR : http://razor.sourceforge.net
|
||||
use_razor2 1
|
||||
score RAZOR2_CHECK 2.9
|
||||
score RAZOR2_CF_RANGE_51_100 1.3
|
||||
|
||||
# pyzor : http://pyzor.sourceforge.net/
|
||||
use_pyzor 0
|
||||
|
||||
# RBL (Realtime Blackhole List)
|
||||
skip_rbl_checks 0
|
||||
score RCVD_IN_BL_SPAMCOP_NET 3
|
||||
|
||||
# misc
|
||||
score HELO_DYNAMIC_IPADDR 0.3
|
||||
score BIZ_TLD 0.1
|
||||
score PRIORITY_NO_NAME 0.2
|
||||
|
||||
# disable HTML tests
|
||||
|
||||
score HTML_MESSAGE 0
|
||||
score HTML_00_10 0
|
||||
score HTML_10_20 0
|
||||
score HTML_20_30 0
|
||||
score HTML_30_40 0
|
||||
score HTML_40_50 0
|
||||
score HTML_50_60 0
|
||||
score HTML_60_70 0
|
||||
score HTML_70_80 0
|
||||
score HTML_80_90 0
|
||||
score HTML_90_100 0
|
||||
#score HTML_COMMENT_8BITS 0
|
||||
score UPPERCASE_25_50 0
|
||||
score UPPERCASE_50_75 0
|
||||
score UPPERCASE_75_100 0
|
||||
score MIME_HTML_ONLY 0.1
|
||||
# From http://maxime.ritter.eu.org/Spam/user_prefs
|
||||
# Trop de faux negatifs avec BAYES_(0|1|2|3|4)*
|
||||
score BAYES_00 0 0 -0.01 -0.01
|
||||
score BAYES_01 0 0 -0.01 -0.01
|
||||
score BAYES_10 0 0 -0.01 -0.01
|
||||
score BAYES_20 0 0 -0.01 -0.01
|
||||
score BAYES_30 0 0 -0.01 -0.01
|
||||
score BAYES_40 0 0 -0.01 -0.01
|
||||
score BAYES_44 0 0 -0.01 -0.01
|
||||
score BAYES_50 0 0 0.1 0.1
|
||||
score BAYES_56 0 0 0.5 0.5
|
||||
score BAYES_60 0 0 1.0 1.0
|
||||
score BAYES_70 0 0 2.5 2.5
|
||||
score BAYES_80 0 0 3.5 3.5
|
||||
score BAYES_90 0 0 4.5 4.5
|
||||
score BAYES_99 0 0 8.0 8.0
|
||||
|
||||
score RCVD_IN_SORBS_DUL 0.3
|
||||
score SUBJ_ILLEGAL_CHARS 0
|
||||
score RCVD_IN_NJABL_DUL 0.3
|
||||
|
||||
score ADDRESS_IN_SUBJECT 0.1
|
||||
|
||||
score HELO_LH_HOME 1.0
|
||||
|
||||
#internal_networks 192.168.XXX/24
|
||||
trusted_networks 62.212.111.216 88.179.18.233 85.118.59.50 31.170.8.0/21
|
||||
#score ALL_TRUSTED 0.3
|
||||
score HELO_DYNAMIC_IPADDR 0.3
|
||||
|
||||
score FORGED_MUA_OUTLOOK 0.5
|
||||
|
||||
# Eudora sucks
|
||||
score EXTRA_MPART_TYPE 0.1
|
||||
score MIME_BOUND_EQ_REL 0.1
|
||||
score MIME_QP_LONG_LINE 0.1
|
||||
|
||||
# SMTP senders *have* dynamic IP addresses
|
||||
# A.B.C.D.dnsbl.sorbs.net -> 127.0.0.10
|
||||
score RCVD_IN_DYNABLOCK 0
|
||||
score HELO_DYNAMIC_IPADDR 0.3
|
||||
score RCVD_IN_SORBS 0.1
|
||||
score RCVD_IN_PBL 0.1
|
||||
score RCVD_IN_SORBS_DUL 0
|
||||
|
||||
# old bug...
|
||||
score FH_DATE_PAST_20XX 0.0
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- name: restart spamassassin
|
||||
service:
|
||||
name: spamassassin
|
||||
state: restarted
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
dependencies:
|
||||
- { role: amavis }
|
|
@ -0,0 +1,68 @@
|
|||
---
|
||||
- name: install SpamAssasin
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- spamassassin
|
||||
- evomaintenance
|
||||
tags:
|
||||
- spamassassin
|
||||
|
||||
- name: configure SpamAssasin
|
||||
copy:
|
||||
src: spamassassin.cf
|
||||
dest: /etc/spamassassin/local_evolix.cf
|
||||
mode: "0644"
|
||||
notify: restart spamassassin
|
||||
tags:
|
||||
- spamassassin
|
||||
|
||||
- name: enable SpamAssasin
|
||||
replace:
|
||||
dest: /etc/default/spamassassin
|
||||
regexp: 'ENABLED=0'
|
||||
replace: 'ENABLED=1'
|
||||
notify: restart spamassassin
|
||||
tags:
|
||||
- spamassassin
|
||||
|
||||
- name: update ansible_mounts facts
|
||||
setup:
|
||||
filter: ansible_mounts
|
||||
tags:
|
||||
- spamassassin
|
||||
|
||||
- name: mount /usr in rw
|
||||
command: mount -o remount,rw /usr
|
||||
args:
|
||||
warn: no
|
||||
changed_when: false
|
||||
when: item.mount == '/usr' and item.options | match(".*ro.*")
|
||||
with_items: "{{ ansible_mounts }}"
|
||||
tags:
|
||||
- spamassassin
|
||||
|
||||
- name: copy sa-update.sh script
|
||||
copy:
|
||||
src: sa-update.sh
|
||||
dest: /usr/share/scripts/sa-update.sh
|
||||
mode: "0750"
|
||||
tags:
|
||||
- spamassassin
|
||||
|
||||
- name: enable sa-update.sh cron
|
||||
lineinfile:
|
||||
dest: /etc/cron.d/sa-update
|
||||
line: "42 6 5 1,4,7,10 * /usr/share/scripts/sa-update.sh"
|
||||
create: yes
|
||||
state: present
|
||||
mode: "0640"
|
||||
tags:
|
||||
- spamassassin
|
||||
|
||||
- name: update SpamAssasin's rules
|
||||
command: /usr/share/scripts/sa-update.sh
|
||||
changed_when: false
|
||||
tags:
|
||||
- spamassassin
|
|
@ -0,0 +1,23 @@
|
|||
---
|
||||
general_alert_email: "root@localhost"
|
||||
evoadminmail_contact_email: Null
|
||||
evoadminmail_bounce_email: "{{ evoadminmail_contact_email }}"
|
||||
|
||||
evoadminmail_username: evoadmin-mail
|
||||
evoadminmail_home_dir: "/home/{{ evoadminmail_username }}"
|
||||
evoadminmail_document_root: "{{ evoadminmail_home_dir }}/www"
|
||||
evoadminmail_log_dir: "{{ evoadminmail_home_dir }}/log"
|
||||
evoadminmail_scripts_dir: /usr/share/scripts/
|
||||
evoadminmail_host: "evoadminmail.{{ ansible_fqdn }}"
|
||||
|
||||
evoadminmail_enable_vhost: True
|
||||
|
||||
evoadminmail_tpl_servername: "{{ ansible_fqdn }}"
|
||||
evoadminmail_tpl_address: "{{ ansible_default_ipv4.address }}"
|
||||
evoadminmail_tpl_phpmyadmin_url: Null
|
||||
evoadminmail_tpl_cgi_suffix: Null
|
||||
evoadminmail_tpl_signature: evoadmin
|
||||
evoadminmail_tpl_mail_from: root@localhost
|
||||
evoadminmail_tpl_mail_bcc: Null
|
||||
evoadminmail_tpl_mail_standard: "{{ general_alert_email }}"
|
||||
evoadminmail_tpl_mail_urgent: "{{ general_alert_email }}"
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
|
||||
- name: reload apache2
|
||||
service:
|
||||
name: apache2
|
||||
state: reloaded
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
|
||||
- name: "Create /etc/evolinux"
|
||||
file:
|
||||
dest: "/etc/evolinux"
|
||||
recurse: yes
|
||||
state: directory
|
||||
|
||||
#- name: Configure web-add config file
|
||||
# template:
|
||||
# src: web-add.conf.j2
|
||||
# dest: /etc/evolinux/web-add.conf
|
||||
#
|
||||
#- name: Configure web-add template file for mail
|
||||
# template:
|
||||
# src: web-mail.tpl.j2
|
||||
# dest: "{{ evoadminmail_scripts_dir }}/web-mail.tpl"
|
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
|
||||
- include: packages.yml
|
||||
|
||||
- include: user.yml
|
||||
|
||||
- include: config.yml
|
||||
|
||||
- include: ssl.yml
|
||||
|
||||
- include: web.yml
|
||||
|
||||
- name: enable evoadmin-mail link in default site index
|
||||
lineinfile:
|
||||
dest: /var/www/index.html
|
||||
state: present
|
||||
regexp: "EvoAdmin-mail"
|
||||
line: ' <li><a href="https://{{ evoadminmail_host }}">Interface admin mail (EvoAdmin-mail)</a></li>'
|
||||
insertbefore: "</ul>"
|
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
|
||||
- include_role:
|
||||
name: apt
|
||||
tasks_from: evolix_public.yml
|
||||
|
||||
- meta: flush_handlers
|
||||
|
||||
- name: Install PHP packages
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- php-pear
|
||||
- php-log
|
||||
- php-crypt-chap
|
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
- name: Get mount options for partitions
|
||||
shell: "mount | grep 'on /usr type'"
|
||||
args:
|
||||
warn: no
|
||||
register: mount
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
when: not ansible_check_mode
|
||||
|
||||
- name: Remount /usr if it is a partition and it is not mounted in rw
|
||||
command: "mount -o remount,rw /usr"
|
||||
when: mount.rc == 0 and not mount.stdout_lines.0 | search("rw")
|
||||
args:
|
||||
warn: no
|
|
@ -0,0 +1,24 @@
|
|||
---
|
||||
|
||||
|
||||
- name: ssl-cert package is installed
|
||||
apt:
|
||||
name: ssl-cert
|
||||
state: present
|
||||
|
||||
- name: Create private key and csr for default site ({{ ansible_fqdn }})
|
||||
command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/{{ evoadminmail_host }}.csr -batch -subj "/CN={{ evoadminmail_host }}"
|
||||
args:
|
||||
creates: "/etc/ssl/private/{{ evoadminmail_host }}.key"
|
||||
|
||||
- name: Adjust rights on private key
|
||||
file:
|
||||
path: /etc/ssl/private/{{ evoadminmail_host }}.key
|
||||
owner: root
|
||||
group: ssl-cert
|
||||
mode: "0640"
|
||||
|
||||
- name: Create certificate for default site
|
||||
command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadminmail_host }}.csr -signkey /etc/ssl/private/{{ evoadminmail_host }}.key -out /etc/ssl/certs/{{ evoadminmail_host }}.crt
|
||||
args:
|
||||
creates: "/etc/ssl/certs/{{ evoadminmail_host }}.crt"
|
|
@ -0,0 +1,113 @@
|
|||
---
|
||||
|
||||
- name: Create evoadmin account
|
||||
user:
|
||||
name: "{{ evoadminmail_username }}"
|
||||
comment: "Evoadmin Web Account"
|
||||
home: "{{ evoadminmail_home_dir}}"
|
||||
shell: /bin/bash
|
||||
password: "!"
|
||||
|
||||
- name: Create log/ directory
|
||||
file:
|
||||
path: "{{ evoadminmail_home_dir}}/log"
|
||||
state: directory
|
||||
owner: "{{ evoadminmail_username }}"
|
||||
group: "{{ evoadminmail_username }}"
|
||||
mode: "0750"
|
||||
|
||||
- name: Create www-evoadminmail group
|
||||
group:
|
||||
name: "www-{{ evoadminmail_username }}"
|
||||
state: present
|
||||
|
||||
- name: "Create www-evoadmin (Debian 9 or later)"
|
||||
user:
|
||||
name: "www-{{ evoadminmail_username }}"
|
||||
home: "{{ evoadminmail_home_dir}}/www"
|
||||
shell: /bin/bash
|
||||
createhome: no
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: Install Git
|
||||
apt:
|
||||
name: git
|
||||
state: present
|
||||
|
||||
- name: "Clone evoadmin repository (Debian 9 or later)"
|
||||
git:
|
||||
repo: https://forge.evolix.org/evoadmin-mail.git
|
||||
dest: "{{ evoadminmail_document_root}}"
|
||||
version: master
|
||||
update: yes
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "Change perms on evoadminmail document root"
|
||||
file:
|
||||
dest: "{{ evoadminmail_document_root }}"
|
||||
owner: "www-{{ evoadminmail_username }}"
|
||||
group: "{{ evoadminmail_username }}"
|
||||
recurse: yes
|
||||
|
||||
- name: "Copy connect.php"
|
||||
template:
|
||||
src: connect.php.j2
|
||||
dest: "{{ evoadminmail_document_root }}/htdocs/config/connect.php"
|
||||
owner: "www-{{ evoadminmail_username }}"
|
||||
group: "{{ evoadminmail_username }}"
|
||||
when: ldap_admin_password is defined
|
||||
|
||||
- name: "Copy conf.php"
|
||||
template:
|
||||
src: conf.php.j2
|
||||
dest: "{{ evoadminmail_document_root }}/htdocs/config/conf.php"
|
||||
owner: "www-{{ evoadminmail_username }}"
|
||||
group: "{{ evoadminmail_username }}"
|
||||
|
||||
- name: create a password for evoadmin user
|
||||
command: "apg -n 1 -m 16 -M lcN"
|
||||
register: evoadminmail_admin_password
|
||||
changed_when: False
|
||||
|
||||
- name: upload ldif for evoadmin user
|
||||
template:
|
||||
src: evoadmin.ldif.j2
|
||||
dest: /root/evolinux_evoadminmail_admin.ldif
|
||||
mode: "0640"
|
||||
|
||||
- name: inject config
|
||||
command: slapadd -l /root/evolinux_evoadminmail_admin.ldif
|
||||
|
||||
- name: create log file
|
||||
file:
|
||||
dest: /var/log/evoadmin-mail.log
|
||||
state: touch
|
||||
owner: "www-{{ evoadminmail_username }}"
|
||||
group: "adm"
|
||||
mode: "0640"
|
||||
|
||||
- include: remount_usr_rw.yml
|
||||
when: evoadminmail_scripts_dir | search ("/usr")
|
||||
|
||||
- name: "Create {{ evoadminmail_scripts_dir }}"
|
||||
file:
|
||||
dest: "{{ evoadminmail_scripts_dir }}"
|
||||
# recurse: yes
|
||||
mode: "0700"
|
||||
state: directory
|
||||
|
||||
# we use a shell command to have a "changed" thet really reflects the result.
|
||||
- name: Fix permissions
|
||||
shell: "chmod -R --verbose u=rwX,g=rX,o= {{ item }}"
|
||||
register: command_result
|
||||
changed_when: "'changed' in command_result.stdout"
|
||||
# failed_when: False
|
||||
with_items:
|
||||
- "{{ evoadminmail_home_dir}}/www"
|
||||
|
||||
#- name: Add evoadmin sudoers file
|
||||
# template:
|
||||
# src: sudoers.j2
|
||||
# dest: /etc/sudoers.d/evoadmin
|
||||
# mode: "0600"
|
||||
# validate: "visudo -cf %s"
|
|
@ -0,0 +1,30 @@
|
|||
---
|
||||
|
||||
- name: "Set custom values for PHP config (Debian 9 or later)"
|
||||
ini_file:
|
||||
dest: /etc/php/7.0/apache2/conf.d/zzz-evolinux-custom.ini
|
||||
section: PHP
|
||||
option: "disable_functions"
|
||||
value: "shell-exec,system,passthru,putenv,popen,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority"
|
||||
notify: reload apache2
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: Install evoadminmail VHost
|
||||
template:
|
||||
src: evoadminmail.conf.j2
|
||||
dest: /etc/apache2/sites-available/evoadminmail.conf
|
||||
notify: reload apache2
|
||||
|
||||
- name: Enable evoadminmail vhost
|
||||
command: "a2ensite evoadminmail.conf"
|
||||
register: cmd_a2ensite
|
||||
changed_when: "'Enabling site' in cmd_a2ensite.stdout"
|
||||
notify: reload apache2
|
||||
when: evoadminmail_enable_vhost
|
||||
|
||||
- name: Disable evoadminmail vhost
|
||||
command: "a2dissite evoadminmail.conf"
|
||||
register: cmd_a2dissite
|
||||
changed_when: "'Disabling site' in cmd_a2dissite.stdout"
|
||||
notify: reload apache2
|
||||
when: not evoadminmail_enable_vhost
|
|
@ -0,0 +1,56 @@
|
|||
<?php
|
||||
|
||||
// Email pour les notifications
|
||||
$conf['admin']['mail'] = '{{ evoadminmail_contact_email or general_alert_email | mandatory }}';
|
||||
// login des superadmins
|
||||
// Note: utile uniquement si domaines/driver=ldap, laisser vide sinon...
|
||||
$conf['admin']['logins'] = array('evoadmin');
|
||||
// What do you want?
|
||||
// 0 = nothing...
|
||||
// 1 = only mail accounts
|
||||
// 2 = only samba accounts
|
||||
// 3 = mail and samba accounts
|
||||
$conf['admin']['what'] = 1;
|
||||
// use hook.php instead of hook-dist.php
|
||||
$conf['admin']['use_hook'] = false;
|
||||
// enable quota
|
||||
$conf['admin']['quota'] = true;
|
||||
|
||||
// compatibilite LDAP
|
||||
$conf['evoadmin']['version'] = 3;
|
||||
$conf['url']['webroot'] = '/';
|
||||
|
||||
$conf['domaines']['onlyone'] = false;
|
||||
$conf['domaines']['driver'] = 'ldap';
|
||||
$conf['domaines']['file']['all'] = array('example.com');
|
||||
$conf['domaines']['file']['gid'] = 1000;
|
||||
// Pack Mail "virtuel"... attention
|
||||
// uniquement possible si $conf['admin']['what']=1 !!
|
||||
$conf['domaines']['ldap']['virtual'] = true;
|
||||
|
||||
// Mode cluster
|
||||
// Uniquement en mode mail seul et des utilisateurs virtuels
|
||||
$conf['evoadmin']['cluster'] = false;
|
||||
|
||||
// auth SMTP by default ?
|
||||
$conf['evoadmin']['useauthsmtp'] = false;
|
||||
|
||||
// Si comptes virtuels
|
||||
$conf['unix']['uid'] = 5000;
|
||||
|
||||
// Si pas virtuel
|
||||
$conf['unix']['minuid'] = 1000;
|
||||
$conf['unix']['mingid'] = 1000;
|
||||
|
||||
$conf['html']['title'] = "Evoadmin Mail";
|
||||
|
||||
// gestion des logs
|
||||
$conf['log']['priority'] = PEAR_LOG_DEBUG;
|
||||
$conf['log']['name'] = '/var/log/evoadmin-mail.log';
|
||||
$conf['log']['software'] = 'evoadminmail';
|
||||
$conf['log']['enabled'] = true;
|
||||
|
||||
// samba
|
||||
$conf['samba']['dn'] = 'DOMAINNAME';
|
||||
$conf['samba']['sid'] = 'S-1-5-21-XXX-XXX-XXX';
|
||||
$conf['samba']['admin_default'] = false;
|
|
@ -0,0 +1,28 @@
|
|||
<?php
|
||||
|
||||
/**
|
||||
* Secrete parameters
|
||||
*
|
||||
* $Id: connect-dist.php,v 1.3 2007-05-22 21:12:23 reg Exp $
|
||||
*
|
||||
* @author Gregory Colpart <reg@evolix.fr>
|
||||
* @version 1.0
|
||||
*/
|
||||
|
||||
define("LDAP_URI","ldap://127.0.0.1");
|
||||
$ldap_servers = array('ldap://127.0.0.1');
|
||||
define("LDAP_BASE","{{ ldap_suffix }}");
|
||||
define("LDAP_ADMIN_DN","cn=admin,{{ ldap_suffix }}");
|
||||
define("LDAP_ADMIN_PASS","{{ ldap_admin_password.stdout }}");
|
||||
|
||||
define("SUDOBIN","/usr/bin/sudo");
|
||||
define("SUDOSCRIPT","/usr/share/scripts/evoadmin.sh");
|
||||
define("SUDOPASS","xxxxxx");
|
||||
|
||||
define('SERVEUR','localhost');
|
||||
define('SERVEURPORT',3306);
|
||||
define('BASE','horde');
|
||||
define('NOM', 'horde');
|
||||
define('PASSE', 'xxxx');
|
||||
|
||||
?>
|
|
@ -0,0 +1,12 @@
|
|||
dn: uid=evoadmin,{{ ldap_suffix }}
|
||||
uid: evoadmin
|
||||
cn: Evoadmin ADM
|
||||
uidNumber: 4242
|
||||
gidNumber: 4242
|
||||
homeDirectory: /dev/null
|
||||
isAdmin: TRUE
|
||||
mailacceptinggeneralid: evoadmin@{{ ansible_fqdn }}
|
||||
objectClass: mailAccount
|
||||
objectClass: organizationalRole
|
||||
objectClass: posixAccount
|
||||
userPassword: {{ evoadminmail_admin_password.stdout }}
|
|
@ -0,0 +1,58 @@
|
|||
<VirtualHost *:80>
|
||||
ServerName {{ evoadminmail_host }}
|
||||
Redirect permanent / https://{{ evoadminmail_host }}/
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
|
||||
# FQDN principal
|
||||
ServerName {{ evoadminmail_host }}
|
||||
#ServerAlias {{ evoadminmail_host }}
|
||||
|
||||
# Repertoire principal
|
||||
DocumentRoot {{ evoadminmail_document_root }}/htdocs/
|
||||
|
||||
# SSL
|
||||
SSLEngine on
|
||||
SSLCertificateFile /etc/ssl/certs/{{ evoadminmail_host }}.crt
|
||||
SSLCertificateKeyFile /etc/ssl/private/{{ evoadminmail_host }}.key
|
||||
SSLProtocol all -SSLv2 -SSLv3
|
||||
|
||||
# Propriete du repertoire
|
||||
<Directory {{ evoadminmail_document_root }}/htdocs/>
|
||||
#Options Indexes SymLinksIfOwnerMatch
|
||||
Options SymLinksIfOwnerMatch
|
||||
AllowOverride AuthConfig Limit FileInfo
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
# user - group (thanks to sesse@debian.org)
|
||||
AssignUserID www-{{ evoadminmail_username }} {{ evoadminmail_username }}
|
||||
|
||||
# LOG
|
||||
CustomLog /var/log/apache2/access.log combined
|
||||
CustomLog {{ evoadminmail_log_dir }}/access.log combined
|
||||
ErrorLog {{ evoadminmail_log_dir }}/error.log
|
||||
|
||||
# AWSTATS
|
||||
SetEnv AWSTATS_FORCE_CONFIG {{ evoadminmail_username }}
|
||||
|
||||
# REWRITE
|
||||
UseCanonicalName On
|
||||
RewriteEngine On
|
||||
RewriteCond %{HTTP_HOST} !^{{ evoadminmail_host }}$
|
||||
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]
|
||||
|
||||
# PHP
|
||||
#php_admin_flag engine off
|
||||
#AddType text/html .html
|
||||
#php_admin_flag display_errors On
|
||||
#php_flag short_open_tag On
|
||||
#php_flag register_globals On
|
||||
#php_admin_value memory_limit 256M
|
||||
#php_admin_value max_execution_time 60
|
||||
#php_admin_value upload_max_filesize 8M
|
||||
#php_admin_flag allow_url_fopen Off
|
||||
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-{{ evoadminmail_username }}"
|
||||
php_admin_value open_basedir "none"
|
||||
</VirtualHost>
|
|
@ -0,0 +1,3 @@
|
|||
User_Alias EVOADMIN = www-evoadmin
|
||||
Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh
|
||||
EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB
|
|
@ -0,0 +1,2 @@
|
|||
CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
|
||||
WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"
|
|
@ -0,0 +1,86 @@
|
|||
From: {{ evoadmin_tpl_mail_from }}
|
||||
To: RCPTTO
|
||||
Bcc: {{ evoadmin_tpl_mail_bcc }}
|
||||
Subject: Parametres hebergement web : LOGIN
|
||||
|
||||
Bonjour,
|
||||
|
||||
Votre compte d'hebergement web a ete cree.
|
||||
|
||||
**********************************
|
||||
* CONNEXION SFTP/SSH
|
||||
**********************************
|
||||
|
||||
NOM DU SERVEUR : {{ evoadmin_tpl_servername }}
|
||||
USER : LOGIN
|
||||
PASSWORD : PASSE1
|
||||
|
||||
*****************************************
|
||||
* Details sur l'environnement Apache/PHP
|
||||
*****************************************
|
||||
|
||||
URL du site :
|
||||
http://{{ evoadmin_tpl_servername }}
|
||||
|
||||
URL des stats :
|
||||
http://{{ evoadmin_tpl_servername }}/cgi-RANDOM/awstats.pl
|
||||
(acces par IP ou login a demander !)
|
||||
|
||||
Repertoire de connexion : HOME_DIR/LOGIN/
|
||||
Repertoire pour site web : HOME_DIR/LOGIN/www/
|
||||
|
||||
Apache/PHP tourne en www-LOGIN:LOGIN c'est-a-dire qu'il a acces
|
||||
uniquement *en lecture* aux differents fichiers/repertoires
|
||||
(a condition d'avoir 'g=rx' sur les repertoires et 'g=r' sur les
|
||||
fichiers ce qui est le comportement par defaut).
|
||||
|
||||
Lorsqu'on a besoin d'autoriser *l'ecriture* pour certains
|
||||
fichiers/repertoires, il suffit d'ajouter le droit 'g+w'.
|
||||
|
||||
***********************************
|
||||
* MySQL
|
||||
***********************************
|
||||
|
||||
SERVEUR : 127.0.0.1
|
||||
PORT DU SERVEUR : 3306
|
||||
USER : LOGIN
|
||||
PASSWORD : PASSE2
|
||||
NOM BASE : DBNAME
|
||||
URL interface d'admin :
|
||||
{{ evoadmin_tpl_phpmyadmin_url }}
|
||||
|
||||
***********************************
|
||||
* Rappels divers
|
||||
***********************************
|
||||
|
||||
Votre nom de domaine doit etre configure pour pointer
|
||||
sur l'adresse IP {{ evoadmin_tpl_address }} (enregistrement DNS A)
|
||||
ou etre un alias de {{ evoadmin_tpl_servername }} (enregistrement DNS CNAME).
|
||||
|
||||
Si vous avez besoin de faire des tests, vous devez
|
||||
ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix
|
||||
ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP :
|
||||
{{ evoadmin_tpl_address }} {{ evoadmin_tpl_servername }}
|
||||
|
||||
Attention, par defaut, toutes les connexions vers l'exterieur
|
||||
sont bloquees. Si vous avez besoin de recuperer des donnees
|
||||
a l'exterieur (flux RSS, BDD externe, etc.), contactez nous
|
||||
afin de mettre en oeuvre les autorisations necessaires.
|
||||
|
||||
Afin de securiser au maximum le serveur, certaines URL
|
||||
particulieres sont non autorisees pour eviter diverses
|
||||
attaques (XSS, robots, trojans, injections, etc.).
|
||||
Exemple d'URL refusee :
|
||||
http://{{ evoadmin_tpl_servername }}/cmd32.exe
|
||||
En cas de soucis avec votre application, prevenez-nous.
|
||||
|
||||
Si vous desirez mettre en place des parametres particuliers
|
||||
pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab,
|
||||
etc.), n'hesitez pas a nous contacter a l'adresse
|
||||
{{ evoadmin_tpl_mail_standard }} (ou {{ evoadmin_tpl_mail_urgent }} si votre demande est
|
||||
urgente).
|
||||
|
||||
|
||||
Cordialement,
|
||||
--
|
||||
{{ evoadmin_tpl_signature }}
|
|
@ -6,7 +6,7 @@
|
|||
section: PHP
|
||||
option: "disable_functions"
|
||||
value: "shell-exec,system,passthru,putenv,popen"
|
||||
notify: reload apache
|
||||
notify: reload apache2
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: "Set custom values for PHP config (Debian 9 or later)"
|
||||
|
@ -15,7 +15,7 @@
|
|||
section: PHP
|
||||
option: "disable_functions"
|
||||
value: "shell-exec,system,passthru,putenv,popen"
|
||||
notify: reload apache
|
||||
notify: reload apache2
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: Install evoadmin VHost
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
roundcube_host: "roundcube.{{ ansible_fqdn }}"
|
||||
roundcube_imap_host: "localhost"
|
||||
roundcube_imap_port: 143
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- name: restart imapproxy
|
||||
systemd:
|
||||
name: imapproxy
|
||||
state: restarted
|
|
@ -0,0 +1,104 @@
|
|||
---
|
||||
- name: configure roundcube-core
|
||||
debconf:
|
||||
name: roundcube-core
|
||||
question: "{{ item.key }}"
|
||||
value: "{{ item.value }}"
|
||||
vtype: "{{ item.type }}"
|
||||
with_items:
|
||||
- { key: 'roundcube/database-type', type: 'select', value: 'sqlite3' }
|
||||
- { key: 'roundcube/db/basepath', type: 'string', value: '/var/lib/roundcube/' }
|
||||
tags:
|
||||
- roundcube
|
||||
|
||||
- name: install Roundcube
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- imapproxy
|
||||
- roundcube
|
||||
- roundcube-sqlite3
|
||||
- roundcube-plugins
|
||||
- php-net-sieve
|
||||
- php-zip
|
||||
tags:
|
||||
- roundcube
|
||||
|
||||
- name: configure imapproxy imap host
|
||||
lineinfile:
|
||||
dest: /etc/imapproxy.conf
|
||||
regexp: "^server_hostname"
|
||||
line: "server_hostname {{ roundcube_imap_host }}"
|
||||
notify: restart imapproxy
|
||||
tags:
|
||||
- roundcube
|
||||
|
||||
- name: configure imapproxy imap port
|
||||
lineinfile:
|
||||
dest: /etc/imapproxy.conf
|
||||
regexp: "^server_port"
|
||||
line: "server_port {{ roundcube_imap_port }}"
|
||||
notify: reload imapproxy
|
||||
tags:
|
||||
- roundcube
|
||||
|
||||
- name: enable and start imapproxy
|
||||
service:
|
||||
name: imapproxy
|
||||
state: started
|
||||
enabled: True
|
||||
tags:
|
||||
- roundcube
|
||||
|
||||
- name: configure roundcube imap host
|
||||
lineinfile:
|
||||
dest: /etc/roundcube/config.inc.php
|
||||
regexp: "\\$config\\['default_host'\\]"
|
||||
line: "$config['default_host'] = array('127.0.0.1');"
|
||||
tags:
|
||||
- roundcube
|
||||
|
||||
- name: configure roudcube imap port
|
||||
lineinfile:
|
||||
dest: /etc/roundcube/config.inc.php
|
||||
regexp: "\\$config\\['default_port'\\]"
|
||||
insertafter: "\\$config\\['default_host'\\]"
|
||||
line: "$config['default_port'] = 1143;"
|
||||
tags:
|
||||
- roundcube
|
||||
|
||||
- name: configure managesieve plugin
|
||||
copy:
|
||||
src: /usr/share/roundcube/plugins/managesieve/config.inc.php.dist
|
||||
dest: /etc/roundcube/plugins/managesieve/config.inc.php
|
||||
mode: "0644"
|
||||
remote_src: True
|
||||
tags:
|
||||
- roundcube
|
||||
|
||||
- name: enable default plugins
|
||||
replace:
|
||||
dest: /etc/roundcube/config.inc.php
|
||||
regexp: "^\\$config\\['plugins'\\] = array\\($"
|
||||
replace: "$config['plugins'] = array('zipdownload','managesieve'"
|
||||
tags:
|
||||
- roundcube
|
||||
|
||||
- name: deploy roundcube vhost
|
||||
template:
|
||||
src: apache2.conf.j2
|
||||
dest: /etc/apache2/sites-available/rouncube.conf
|
||||
mode: "0640"
|
||||
notify: reload apache2
|
||||
tags:
|
||||
- roundcube
|
||||
|
||||
- name: enable roundcube vhost
|
||||
file:
|
||||
src: /etc/apache2/sites-available/rouncube.conf
|
||||
dest: /etc/apache2/sites-enabled/rouncube.conf
|
||||
state: link
|
||||
notify: reload apache2
|
||||
tags:
|
||||
- roundcube
|
|
@ -0,0 +1,46 @@
|
|||
<VirtualHost *:80>
|
||||
ServerName {{ roundcube_host }}
|
||||
Redirect permanent / https://{{ roundcube_host }}
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
|
||||
# FQDN principal
|
||||
ServerName {{ roundcube_host }}
|
||||
|
||||
# Repertoire principal
|
||||
DocumentRoot /var/lib/roundcube/
|
||||
|
||||
# Return 503 if imapproxy doesn't run
|
||||
<If "! -f '/run/imapproxy.pid'">
|
||||
Redirect 503 /
|
||||
</If>
|
||||
|
||||
Include /etc/roundcube/apache.conf
|
||||
|
||||
# LOG
|
||||
CustomLog /var/log/apache2/access.log vhost_combined
|
||||
CustomLog /var/lib/roundcube/logs/access.log combined
|
||||
ErrorLog /var/lib/roundcube/logs/error.log
|
||||
|
||||
# REWRITE
|
||||
UseCanonicalName On
|
||||
RewriteEngine On
|
||||
RewriteCond %{HTTP_HOST} !^{{ roundcube_host }}$
|
||||
RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R]
|
||||
|
||||
# PHP
|
||||
#php_admin_flag engine off
|
||||
#AddType text/html .html
|
||||
#php_admin_flag display_errors On
|
||||
#php_flag short_open_tag On
|
||||
#php_flag register_globals On
|
||||
#php_admin_value memory_limit 256M
|
||||
#php_admin_value max_execution_time 60
|
||||
#php_admin_value upload_max_filesize 8M
|
||||
#php_admin_flag allow_url_fopen Off
|
||||
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-roundcube"
|
||||
php_admin_value error_log "/home/roundcube/log/php.log"
|
||||
#php_admin_value open_basedir "/usr/share/php:/home/roundcube:/tmp"
|
||||
|
||||
</VirtualHost>
|
Loading…
Reference in New Issue