## MAIL virtual machine

This machine is intended to host the association's server for sending, receiving and reading e-mail.

### Virtual hardware

- CPU: 2
- RAM: 1000 MiB
- Mass storage: 50 GiB

### Software

- Operating system: Debian GNU/Linux-libre 11 (Bullseye)
- Kernel: Linux-libre LTS (`linux-libre-lts` from the https://linux-libre.fsfla.org repositories)
- Maintenance safeguards: `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
- IMAP server (and authentication): `courier`
- Mail Transfer Agent: `postfix`
- Webmail: `roundcube` (**upstream**)
- HTTP server: `nginx`

### Notable characteristics

- Domain: mail.a-lec.org
- Public IPv4 address: 80.67.179.96
- Internal IPv4 address: 192.169.1.201
- Public IPv6 address: 2001:910:1360::148

#### Network configuration

##### /etc/network/interfaces

```
# The primary network interface
allow-hotplug enp1s0
iface enp1s0 inet dhcp

iface enp1s0 inet6 static
    address 2001:910:1360::148/128
    gateway 2001:910:1360::
```

##### /etc/hosts.allow

```
sshd: 192.169.1.0/24, [2001:910:1360::]/48
```

##### /etc/hosts.deny

```
sshd: ALL
```

### MTA configuration

*(to be completed)*

### Web server configuration (nginx)

```
server {
    # Take the client address from the PROXY protocol header,
    # but only for connections coming from 192.169.1.1
    set_real_ip_from 192.169.1.1;
    real_ip_header proxy_protocol;

    # The IPv4 listener expects the PROXY protocol header; the IPv6 listener does not
    listen 443 ssl proxy_protocol;
    listen [::]:443 ssl;

    ssl_certificate /etc/letsencrypt/live/mail.a-lec.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    root /var/www/html/roundcube;
    server_name mail.a-lec.org;
    client_max_body_size 100M;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.php;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    # pass PHP scripts to FastCGI server
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;

        # With php-fpm (or other unix sockets):
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        # With php-cgi (or other tcp sockets):
        # fastcgi_pass 127.0.0.1:9000;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Block web access to the /data directory
    location ^~ /data {
        deny all;
    }
}
```