98 lines
2.7 KiB
Markdown
98 lines
2.7 KiB
Markdown
## Machine virtuelle MAIL
|
|
|
|
Cette machine est destinée à accueillir le serveur d'envoi, réception et consultation de courriel de l'association.
|
|
|
|
### Matériel virtuel
|
|
|
|
CPU : 2
|
|
RAM : 1000 Mio
|
|
Stockage de masse : 50 Gio
|
|
|
|
### Logiciel
|
|
|
|
Système d'exploitation : Debian GNU/Linux-libre 11 (Bullseye)
|
|
Noyau : Linux-libre LTS (`linux-libre-lts` des dépôts https://linux-libre.fsfla.org)
|
|
Sécurités de la maintenance : `etckeeper`, `mollyguard`, `git`, `tig`, `screen`
|
|
Serveur IMAP (et authentification) : `courier`
|
|
Mail Transfer Agent : `postfix`
|
|
Webmail : `roundcube` (**upstream**)
|
|
Serveur http : `nginx`
|
|
|
|
### Caractéristiques notables
|
|
|
|
Domaine : mail.a-lec.org
|
|
Adresse ipv4 publique : 80.67.179.96
|
|
Adresse ipv4 interne : 192.169.1.201
|
|
Adresse ipv6 publique : 2001:910:1360::148
|
|
|
|
#### Configuration réseau
|
|
|
|
##### /etc/network/interfaces
|
|
|
|
# The primary network interface
|
|
allow-hotplug enp1s0
|
|
iface enp1s0 inet dhcp
|
|
iface enp1s0 inet6 static
|
|
address 2001:910:1360::148/128
|
|
gateway 2001:910:1360::
|
|
|
|
##### /etc/host.allow
|
|
|
|
sshd: 192.169.1.0/24, [2001:910:1360::]/48
|
|
|
|
##### /etc/host/deny
|
|
|
|
sshd: ALL
|
|
|
|
### Configuration MTA
|
|
|
|
*(à compléter)*
|
|
|
|
### Configuration serveur web (nginx)
|
|
|
|
server {
|
|
set_real_ip_from 192.169.1.1;
|
|
real_ip_header proxy_protocol;
|
|
|
|
listen 443 ssl proxy_protocol;
|
|
listen [::]:443 ssl;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/mail.a-lec.org/fullchain.pem; # managed by Certbot
|
|
ssl_certificate_key /etc/letsencrypt/live/mail.a-lec.org/privkey.pem; # managed by Certbot
|
|
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
|
|
|
|
# Add index.php to the list if you are using PHP
|
|
root /var/www/html/roundcube;
|
|
|
|
server_name mail.a-lec.org;
|
|
|
|
client_max_body_size 100M;
|
|
|
|
# Add index.php to the list if you are using PHP
|
|
index index.html index.htm index.php;
|
|
|
|
|
|
location / {
|
|
# First attempt to serve request as file, then
|
|
# as directory, then fall back to displaying a 404.
|
|
try_files $uri $uri/ /index.php?q=$uri&$args;
|
|
}
|
|
|
|
# pass PHP scripts to FastCGI server
|
|
#
|
|
location ~ \.php$ {
|
|
include snippets/fastcgi-php.conf;
|
|
# # With php-fpm (or other unix sockets):
|
|
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
|
|
# # With php-cgi (or other tcp sockets):
|
|
# fastcgi_pass 127.0.0.1:9000;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
include fastcgi_params;
|
|
}
|
|
|
|
location ^~ /data {
|
|
deny all;
|
|
}
|
|
}
|