164 lines
7.2 KiB
Markdown
164 lines
7.2 KiB
Markdown
|
## Machine virtuelle MAIL
|
||
|
|
|
||
|
|
Cette machine est destinée à accueillir le serveur d'envoi, réception et consultation de courriel de l'association.
|
||
|
|
|
||
|
|
### Matériel virtuel
|
||
|
|
|
||
|
|
CPU : 2
|
||
|
|
RAM : 1000 Mio
|
||
|
|
Stockage de masse : 50 Gio
|
||
|
|
|
||
|
|
### Logiciel
|
||
|
|
|
||
|
|
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
|
||
|
|
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
|
||
|
|
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
|
||
|
|
Serveur IMAP (et authentification) : `courier`
|
||
|
|
Mail Transfer Agent : `postfix`
|
||
|
|
Webmail : `roundcube` (**upstream**)
|
||
|
|
Serveur http : `nginx`
|
||
|
|
|
||
|
|
### Caractéristiques notables
|
||
|
|
|
||
|
|
Domaine : mail.a-lec.org
|
||
|
|
Adresse ipv4 publique : 80.67.176.33
|
||
|
|
Adresse ipv4 interne : 192.168.1.201
|
||
|
|
Adresse ipv6 publique : 2001:910:1021::201
|
||
|
|
|
||
|
|
### Configuration MTA
|
||
|
|
|
||
|
|
<details>
|
||
|
|
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
||
|
|
|
||
|
|
|
||
|
|
\# Debian specific: Specifying a file name will cause the first
|
||
|
|
\# line of that file to be used as the name. The Debian default
|
||
|
|
\# is /etc/mailname.
|
||
|
|
\#myorigin = /etc/mailname
|
||
|
|
|
||
|
|
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
|
||
|
|
biff = no
|
||
|
|
|
||
|
|
\# appending .domain is the MUA's job.
|
||
|
|
append_dot_mydomain = no
|
||
|
|
|
||
|
|
\# Uncomment the next line to generate "delayed mail" warnings
|
||
|
|
\#delay_warning_time = 4h
|
||
|
|
|
||
|
|
readme_directory = no
|
||
|
|
|
||
|
|
\# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
|
||
|
|
\# fresh installs.
|
||
|
|
compatibility_level = 2
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
\# TLS parameters
|
||
|
|
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.a-lec.org/fullchain.pem
|
||
|
|
smtpd_tls_key_file=/etc/letsencrypt/live/mail.a-lec.org/privkey.pem
|
||
|
|
smtpd_tls_security_level = may
|
||
|
|
smtpd_tls_auth_only = yes
|
||
|
|
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
|
||
|
|
smtpd_tls_protocols=!SSLv2,!SSLv3
|
||
|
|
smtpd_tls_loglevel = 1
|
||
|
|
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
|
||
|
|
|
||
|
|
smtp_tls_cert_file=/etc/letsencrypt/live/mail.a-lec.org/fullchain.pem
|
||
|
|
smtp_tls_key_file=/etc/letsencrypt/live/mail.a-lec.org/privkey.pem
|
||
|
|
smtp_tls_security_level = may
|
||
|
|
smtp_tls_note_starttls_offer = yes
|
||
|
|
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
|
||
|
|
smtp_tls_protocols=!SSLv2,!SSLv3
|
||
|
|
smtp_tls_loglevel = 1
|
||
|
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||
|
|
|
||
|
|
|
||
|
|
\# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
|
||
|
|
\# information on enabling SSL in the smtp client.
|
||
|
|
|
||
|
|
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
|
||
|
|
smtpd_sender_restrictions = reject_unknown_sender_domain
|
||
|
|
myhostname = mail.a-lec.org
|
||
|
|
alias_maps = hash:/etc/aliases
|
||
|
|
alias_database = hash:/etc/aliases
|
||
|
|
myorigin = /etc/mailname
|
||
|
|
mydestination = $myhostname, a-lec.org, mail.a-lec.org, localhost, os-k.eu
|
||
|
|
relayhost =
|
||
|
|
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.169.1.0/24
|
||
|
|
mailbox_size_limit = 0
|
||
|
|
recipient_delimiter = +
|
||
|
|
inet_interfaces = all
|
||
|
|
inet_protocols = all
|
||
|
|
home_mailbox = Maildir/
|
||
|
|
virtual_alias_maps = hash:/etc/postfix/virtual
|
||
|
|
mailbox_command =
|
||
|
|
|
||
|
|
\## DKIM
|
||
|
|
smtpd_milters = unix:var/run/opendkim/opendkim.sock
|
||
|
|
non_smtpd_milters = unix:var/run/opendkim/opendkim.sock
|
||
|
|
|
||
|
|
\## Ralentissement pour les serveurs problématiques
|
||
|
|
transport_maps = hash:/etc/postfix/transport
|
||
|
|
slow_destination_concurrency_limit = 3
|
||
|
|
slow_destination_rate_delay = 3s
|
||
|
|
|
||
|
|
maximal_queue_lifetime = 1d
|
||
|
|
|
||
|
|
\## Forwarding pour mails du bureau
|
||
|
|
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
|
||
|
|
message_size_limit = 524288000
|
||
|
|
|
||
|
|
smtp_helo_name = $mydomain
|
||
|
|
</details>
|
||
|
|
|
||
|
|
### Configuration serveur web (nginx)
|
||
|
|
<details>
|
||
|
|
|
||
|
|
server {
|
||
|
|
set_real_ip_from 192.169.1.1;
|
||
|
|
real_ip_header proxy_protocol;
|
||
|
|
|
||
|
|
listen 443 ssl proxy_protocol;
|
||
|
|
listen [::]:443 ssl;
|
||
|
|
|
||
|
|
ssl_certificate /etc/letsencrypt/live/mail.a-lec.org/fullchain.pem; # managed by Certbot
|
||
|
|
ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot
|
||
|
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
||
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
||
|
|
|
||
|
|
# Add index.php to the list if you are using PHP
|
||
|
|
root /var/www/html/roundcube;
|
||
|
|
|
||
|
|
server_name mail.a-lec.org;
|
||
|
|
|
||
|
|
client_max_body_size 100M;
|
||
|
|
|
||
|
|
# Add index.php to the list if you are using PHP
|
||
|
|
index index.html index.htm index.php;
|
||
|
|
|
||
|
|
|
||
|
|
location / {
|
||
|
|
# First attempt to serve request as file, then
|
||
|
|
# as directory, then fall back to displaying a 404.
|
||
|
|
try_files $uri $uri/ /index.php?q=$uri&$args;
|
||
|
|
}
|
||
|
|
|
||
|
|
# pass PHP scripts to FastCGI server
|
||
|
|
#
|
||
|
|
location ~ \.php$ {
|
||
|
|
include snippets/fastcgi-php.conf;
|
||
|
|
# # With php-fpm (or other unix sockets):
|
||
|
|
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
|
||
|
|
# # With php-cgi (or other tcp sockets):
|
||
|
|
# fastcgi_pass 127.0.0.1:9000;
|
||
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||
|
|
include fastcgi_params;
|
||
|
|
}
|
||
|
|
|
||
|
|
location ^~ /data {
|
||
|
|
deny all;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
</details>
|