From f438a50000ae62b8bc59246f867c66e9a8f7c66b Mon Sep 17 00:00:00 2001
From: VC
Date: Sat, 7 Sep 2019 08:19:20 +0200
Subject: [PATCH] Bascule de la messagerie
---
 production/hosts | 2 +-
 roles/firewall/templates/firewall.j2 | 183 ++++++++----------
 .../templates/vhosts/imap.libertus.eu.conf.j2 | 0
 .../templates/vhosts/mm.nintendojo.fr.conf.j2 | 0
 .../templates/vhosts/mm.pipoworld.fr.conf.j2 | 27 +++
 .../templates/vhosts/smtp.libertus.eu.conf.j2 | 0
 roles/postfix/files/main.cf | 4 +-
 roles/spamassassin/files/local.cf | 2 +-
 8 files changed, 114 insertions(+), 104 deletions(-)
 create mode 100644 roles/nginx/templates/vhosts/imap.libertus.eu.conf.j2
 create mode 100644 roles/nginx/templates/vhosts/mm.nintendojo.fr.conf.j2
 create mode 100644 roles/nginx/templates/vhosts/mm.pipoworld.fr.conf.j2
 create mode 100644 roles/nginx/templates/vhosts/smtp.libertus.eu.conf.j2
diff --git a/production/hosts b/production/hosts
index 9210b87..1c2296c 100644
--- a/production/hosts
+++ b/production/hosts
@@ -47,7 +47,7 @@ web2.dmz.mateu.be web_hostname="['analyse.nintendojo.fr', 'nintendojo.fr', 'www.
 ror.dmz.mateu.be web_hostname="['m.nintendojo.fr']"
 jabber.dmz.mateu.be web_hostname="['libertus.eu', 'upload.libertus.eu', 'xmpp.libertus.eu']"
 voice3.dmz.mateu.be web_hostname="['radio.nintendojo.fr']"
-#mail.dmz.mateu.be
+mail.dmz.mateu.be web_hostname="['imap.libertus.eu', 'smtp.libertus.eu', 'mm.pipoworld.fr', 'mm.nintendojo.fr']"
 [phpservers]
 web1.dmz.mateu.be php_modules="['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'curl', 'gettext', 'imap', 'zip', 'apcu']"
diff --git a/roles/firewall/templates/firewall.j2 b/roles/firewall/templates/firewall.j2
index dcbf10d..2863a5f 100644
--- a/roles/firewall/templates/firewall.j2
+++ b/roles/firewall/templates/firewall.j2
@@ -61,16 +61,6 @@ config rule
 option family 'ipv6'
 option limit '1000/sec'
-## Deny IPv6 SMTP
-config rule
- option name 'Deny-SMTP'
- option src 'lan'
- option proto 'tcp'
- option dest 'wan'
- option dest_port '25'
- option target 'REJECT'
- option family 'ipv6'
-
 ## SSH from VINCI rules
 config rule
 option name 'Allow-Input-SSH-VINCI'
@@ -92,36 +82,6 @@ config rule
 option family 'ipv6'
 ## Traffic for n0box2 server
-config rule
- option name 'n0box2-SMTP+SMTPS+SUBMISSION'
- option src 'wan'
- option proto 'tcp'
- option dest 'lan'
- option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
- option dest_port '25 465 587'
- option target 'ACCEPT'
- option family 'ipv6'
-
-config rule
- option name 'n0box2-IMAP+IMAPS'
- option src 'wan'
- option proto 'tcp'
- option dest 'lan'
- option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
- option dest_port '143 993'
- option target 'ACCEPT'
- option family 'ipv6'
-
-config rule
- option name 'n0box2-HTTP+HTTPS'
- option src 'wan'
- option proto 'tcp'
- option dest 'lan'
- option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
- option dest_port '80 443'
- option target 'ACCEPT'
- option family 'ipv6'
-
 #config rule
 # option name 'n0box2-TS-com+com2'
 # option src 'wan'
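Review bot: Dropping `Deny-SMTP` removes the only IPv6 rule that rejected outbound port 25 from lan, and nothing added elsewhere in this commit takes its place: the relocated `Allow-OUTPUT-SMTP` egress rule is `family 'ipv4'` and scoped to the mail host only. If the lan-to-wan zone forwarding is permissive (the zone and forwarding sections are outside this hunk), any lan client can now open direct SMTP over IPv6, which is presumably what this REJECT existed to prevent. If the intent is that only the mail host talks SMTP to the outside, keeping this rule, or pairing it with an IPv6 counterpart of Allow-OUTPUT-SMTP, preserves that policy; if dropping it is deliberate, a one-line comment such as `## IPv6 SMTP egress no longer restricted: mail now lives in the dmz zone` would tell the next reader why.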
@@ -152,56 +112,6 @@ config rule
 # option target 'ACCEPT'
 # option family 'ipv6'
-config redirect
- option name 'n0box2-SMTP'
- option src 'wan'
- option src_dport '25'
- option proto 'tcp'
- option dest 'lan'
- option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
- option dest_port '25'
- option target 'DNAT'
-
-config redirect
- option name 'n0box2-SMTPS'
- option src 'wan'
- option src_dport '465'
- option proto 'tcp'
- option dest 'lan'
- option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
- option dest_port '465'
- option target 'DNAT'
-
-config redirect
- option name 'n0box2-SUBMISSION'
- option src 'wan'
- option src_dport '587'
- option proto 'tcp'
- option dest 'lan'
- option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
- option dest_port '587'
- option target 'DNAT'
-
-config redirect
- option name 'n0box2-IMAP'
- option src 'wan'
- option src_dport '143'
- option proto 'tcp'
- option dest 'lan'
- option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
- option dest_port '143'
- option target 'DNAT'
-
-config redirect
- option name 'n0box2-IMAPS'
- option src 'wan'
- option src_dport '993'
- option proto 'tcp'
- option dest 'lan'
- option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
- option dest_port '993'
- option target 'DNAT'
-
 #config redirect
 # option name 'n0box2-TS-com'
 # option src 'wan'
@@ -318,6 +228,7 @@ config rule
 option target 'ACCEPT'
 option family 'ipv6'
+# a supprimer le prochain coup
 # Allow traffic to n0box2
 config rule
 option name 'Allow-OUTPUT-to-n0box2'
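Review bot: The `Allow-OUTPUT-to-n0box2` rule is kept under a reminder to remove it "next time", although every other n0box2 rule is deleted in this commit; an allow rule toward a host being decommissioned is exactly the kind of entry that outlives the host, so if nothing still depends on it, deleting it here is the safer choice. If it must stay for the cutover, a comment that says what still needs it and when it can go is more useful than the bare reminder, e.g. `# TODO: drop once the mail cutover from n0box2 is complete (kept for migration traffic only)`. The rule body continues outside the hunk, so what it actually permits cannot be checked here.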
@@ -426,17 +337,6 @@ config rule
 option family 'ipv6'
 {% endfor %}
-# Allow SMTP traffic from mail
-config rule
- option name 'Allow-OUTPUT-SMTP'
- option src 'dmz'
- option src_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
- option proto 'tcp'
- option dest 'wan'
- option dst_port '25'
- option target 'ACCEPT'
- option family 'ipv4'
-
 # Allow XMPP traffic
 config rule
 option name 'Allow-OUTPUT-XMPP-s2s'
@@ -509,6 +409,87 @@ config redirect
 option dest_port '64738'
 option target 'DNAT'
+# Allow mail traffic
+config rule
+ option name 'Allow-OUTPUT-SMTP'
+ option src 'dmz'
+ option src_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+ option proto 'tcp'
+ option dest 'wan'
+ option dst_port '25'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+config rule
+ option name 'Allow-INPUT-SMTP+SMTPS+SUBMISSION'
+ option src 'wan'
+ option proto 'tcp'
+ option dest 'dmz'
+ option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+ option dest_port '25 465 587'
+ option target 'ACCEPT'
+ option family 'ipv6'
+
+config rule
+ option name 'Allow-INPUT-IMAP+IMAPS'
+ option src 'wan'
+ option proto 'tcp'
+ option dest 'dmz'
+ option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+ option dest_port '143 993'
+ option target 'ACCEPT'
+ option family 'ipv6'
+
+config redirect
+ option name 'Allow-INPUT-SMTP'
+ option src 'wan'
+ option src_dport '25'
+ option proto 'tcp'
+ option dest 'dmz'
+ option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+ option dest_port '25'
+ option target 'DNAT'
+
+config redirect
+ option name 'Allow-INPUT-SMTPS'
+ option src 'wan'
+ option src_dport '465'
+ option proto 'tcp'
+ option dest 'dmz'
+ option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+ option dest_port '465'
+ option target 'DNAT'
+
+config redirect
+ option name 'Allow-INPUT-SUBMISSION'
+ option src 'wan'
+ option src_dport '587'
+ option proto 'tcp'
+ option dest 'dmz'
+ option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+ option dest_port '587'
+ option target 'DNAT'
+
+config redirect
+ option name 'Allow-INPUT-IMAP'
+ option src 'wan'
+ option src_dport '143'
+ option proto 'tcp'
+ option dest 'dmz'
+ option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+ option dest_port '143'
+ option target 'DNAT'
+
+config redirect
+ option name 'Allow-INPUT-IMAPS'
+ option src 'wan'
+ option src_dport '993'
+ option proto 'tcp'
+ option dest 'lan'
+ option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+ option dest_port '993'
+ option target 'DNAT'
+
 ## Default configuration
 config defaults
 option syn_flood '1'
diff --git a/roles/nginx/templates/vhosts/imap.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/imap.libertus.eu.conf.j2
new file mode 100644
index 0000000..e69de29
diff --git a/roles/nginx/templates/vhosts/mm.nintendojo.fr.conf.j2 b/roles/nginx/templates/vhosts/mm.nintendojo.fr.conf.j2
new file mode 100644
index 0000000..e69de29
diff --git a/roles/nginx/templates/vhosts/mm.pipoworld.fr.conf.j2 b/roles/nginx/templates/vhosts/mm.pipoworld.fr.conf.j2
new file mode 100644
index 0000000..914bd51
--- /dev/null
+++ b/roles/nginx/templates/vhosts/mm.pipoworld.fr.conf.j2
@@ -0,0 +1,27 @@
+server {
+ listen *:443 ssl http2;
+ listen [::]:443 ssl http2;
+ ssl_certificate /etc/x509/mm.pipoworld.fr/fullchain.cer;
+ ssl_certificate_key /etc/x509/mm.pipoworld.fr/mm.pipoworld.fr.key;
+ server_name mm.pipoworld.fr mm.nintendojo.fr;
+ access_log /var/log/nginx/mm.pipoworld.fr.access.log combined_port;
+ error_log /var/log/nginx/mm.pipoworld.fr.error.log;
+
+ location = / {
+ rewrite ^ /cgi-bin/mailman/listinfo permanent;
+ }
+
+ location /cgi-bin/mailman {
+ root /usr/lib/;
+ fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ gzip off;
+ }
+
+ location /images/mailman {
+ alias /usr/share/images/mailman;
+ }
+}
+
diff --git a/roles/nginx/templates/vhosts/smtp.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/smtp.libertus.eu.conf.j2
new file mode 100644
index 0000000..e69de29
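Review bot: The last redirect, `Allow-INPUT-IMAPS`, has `option dest 'lan'` while the five redirects before it and the matching IPv6 rule all use `option dest 'dmz'`; its dest_ip is the mail host in the DMZ, so the zone looks like a leftover from the n0box2 rules it replaces, and since fw3 keys the forward-accept for a DNAT on the dest zone, IPv4 port 993 may never reach the host — it should read `option dest 'dmz'`. The `Allow-OUTPUT-SMTP` rule, carried over unchanged from its old location, uses `option dst_port '25'`, but the UCI firewall key is `dest_port`, as every other rule in this hunk spells it; an unrecognised key is ignored rather than rejected, which would widen this rule from SMTP-only to all TCP from the mail host to wan, so `option dest_port '25'` is the line to change. Inspecting the generated ruleset with `fw3 print` after the change would confirm both.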
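Review bot: `fastcgi_split_path_info` in the `/cgi-bin/mailman` location captures the trailing path, but nothing passes it on to the CGI, so PATH_INFO presumably arrives empty and list-specific URLs such as `/cgi-bin/mailman/listinfo/<list>` would all resolve to the bare script; adding `fastcgi_param PATH_INFO $fastcgi_path_info;` next to the SCRIPT_FILENAME line is the usual fix, to be confirmed against the host's fastcgi_params. `server_name` also covers mm.nintendojo.fr while the certificate pair is the mm.pipoworld.fr one, and the mm.nintendojo.fr template created in this commit is empty, so unless that certificate carries mm.nintendojo.fr as a SAN, clients using the second name will get a TLS name mismatch. Finally there is no port-80 listener for either name, so plain-HTTP requests are not redirected to HTTPS; since no plaintext admin or password page is served this is a usability gap rather than a security one, but a `listen 80` server with a `return 301 https://$host$request_uri;` would close it.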
diff --git a/roles/postfix/files/main.cf b/roles/postfix/files/main.cf
index aa2b57f..d7454c0 100644
--- a/roles/postfix/files/main.cf
+++ b/roles/postfix/files/main.cf
@@ -23,12 +23,14 @@ mynetworks = 163.172.112.17, 127.0.0.1, [::1]/128, 10.233.212.64/27, [2001:bc8:2
 #relayhost = 178.32.223.202
 relayhost = 37.187.5.75
 transport_maps = hash:/etc/postfix/transport
-myhostname = n0box2.mateu.be
+myhostname = mail.dmz.mateu.be
 myorigin = mateu.be
 mydestination = $myhostname,localhost.$mydomain,localhost,mateu.be,libertus.eu,p.libertus.eu,pipoworld.fr,nintendojo.fr
 recipient_delimiter = +
 virtual_alias_maps = regexp:/etc/postfix/virtual-regexp
+smtputf8_enable = no
+
 mail_owner = postfix
 unknown_local_recipient_reject_code = 550
 alias_maps = hash:/etc/aliases
diff --git a/roles/spamassassin/files/local.cf b/roles/spamassassin/files/local.cf
index 54a671a..233498f 100644
--- a/roles/spamassassin/files/local.cf
+++ b/roles/spamassassin/files/local.cf
@@ -1,4 +1,4 @@
-required_hits 4
+required_hits 4.0
 report_safe 1
 rewrite_header Subject *****SPAM*****
 use_bayes 1
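Review bot: `myhostname` now carries the internal DMZ name `mail.dmz.mateu.be`, and Postfix uses `$myhostname` as its EHLO/HELO greeting and in the `Received:` headers it adds; the public name this commit advertises for the host is `smtp.libertus.eu` (see the hosts change), so unless mail.dmz.mateu.be resolves publicly and matches the reverse DNS of the sending address, remote servers and the configured `relayhost` may see a mismatch — `smtp_helo_name = smtp.libertus.eu`, or setting myhostname to the public name, is the usual remedy, to be checked against the DNS. With 25, 465 and 587 now opened from WAN in the same commit, it is also worth re-checking that `mynetworks` (which lists a public address and a /27) together with the relay restrictions outside this hunk cannot be used to relay from those ranges. `smtputf8_enable = no` is harmless but deserves a one-line comment on why it is disabled, e.g. `# SMTPUTF8 off: relayhost/downstream tooling does not handle it`, if that is the reason.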