## Machine virtuelle MAIL Cette machine est destinée à accueillir le serveur d'envoi, réception et consultation de courriel de l'association. ### Matériel virtuel CPU : 2 RAM : 1000 Mio Stockage de masse : 50 Gio ### Logiciel Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye) Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org) Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen` Serveur IMAP (et authentification) : `courier` Mail Transfer Agent : `postfix` Webmail : `roundcube` (**upstream**) Serveur http : `nginx` ### Caractéristiques notables Domaine : mail.a-lec.org Adresse ipv4 publique : 80.67.176.33 Adresse ipv4 interne : 192.168.1.201 Adresse ipv6 publique : 2001:910:1021::201 ### Configuration MTA
# See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = no # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on # fresh installs. compatibility_level = 2 # TLS parameters smtpd_tls_cert_file=/etc/letsencrypt/live/mail.a-lec.org/fullchain.pem smtpd_tls_key_file=/etc/letsencrypt/live/mail.a-lec.org/privkey.pem smtpd_tls_security_level = may smtpd_tls_auth_only = yes smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3 smtpd_tls_protocols=!SSLv2,!SSLv3 smtpd_tls_loglevel = 1 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_cert_file=/etc/letsencrypt/live/mail.a-lec.org/fullchain.pem smtp_tls_key_file=/etc/letsencrypt/live/mail.a-lec.org/privkey.pem smtp_tls_security_level = may smtp_tls_note_starttls_offer = yes smtp_tls_mandatory_protocols=!SSLv2,!SSLv3 smtp_tls_protocols=!SSLv2,!SSLv3 smtp_tls_loglevel = 1 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination smtpd_sender_restrictions = reject_unknown_sender_domain myhostname = mail.a-lec.org alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = $myhostname, a-lec.org, mail.a-lec.org, localhost, os-k.eu relayhost = mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.169.1.0/24 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all inet_protocols = all home_mailbox = Maildir/ virtual_alias_maps = hash:/etc/postfix/virtual mailbox_command = ## DKIM smtpd_milters = unix:var/run/opendkim/opendkim.sock non_smtpd_milters = unix:var/run/opendkim/opendkim.sock ## Ralentissement pour les serveurs problématiques transport_maps = hash:/etc/postfix/transport slow_destination_concurrency_limit = 3 slow_destination_rate_delay = 3s maximal_queue_lifetime = 1d ## Forwarding pour mails du bureau recipient_bcc_maps = hash:/etc/postfix/recipient_bcc message_size_limit = 524288000 smtp_helo_name = $mydomain
### Configuration serveur web (nginx)
server { set_real_ip_from 192.169.1.1; real_ip_header proxy_protocol; listen 443 ssl proxy_protocol; listen [::]:443 ssl; ssl_certificate /etc/letsencrypt/live/mail.a-lec.org/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot # Add index.php to the list if you are using PHP root /var/www/html/roundcube; server_name mail.a-lec.org; client_max_body_size 100M; # Add index.php to the list if you are using PHP index index.html index.htm index.php; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. try_files $uri $uri/ /index.php?q=$uri&$args; } # pass PHP scripts to FastCGI server # location ~ \.php$ { include snippets/fastcgi-php.conf; # # With php-fpm (or other unix sockets): fastcgi_pass unix:/run/php/php7.4-fpm.sock; # # With php-cgi (or other tcp sockets): # fastcgi_pass 127.0.0.1:9000; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location ^~ /data { deny all; } }