Bascule de la messagerie

roles/firewall/templates/firewall.j2

@@ -61,16 +61,6 @@ config rule
 	option family 'ipv6'
 	option limit '1000/sec'
 
-## Deny IPv6 SMTP
-config rule
-	option name 'Deny-SMTP'
-	option src 'lan'
-	option proto 'tcp'
-	option dest 'wan'
-	option dest_port '25'
-	option target 'REJECT'
-	option family 'ipv6'
-
 ## SSH from VINCI rules
 config rule
 	option name 'Allow-Input-SSH-VINCI'
@@ -92,36 +82,6 @@ config rule
 	option family 'ipv6'
 
 ## Traffic for n0box2 server
-config rule
-	option name 'n0box2-SMTP+SMTPS+SUBMISSION'
-	option src 'wan'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
-	option dest_port '25 465 587'
-	option target 'ACCEPT'
-	option family 'ipv6'
-
-config rule
-	option name 'n0box2-IMAP+IMAPS'
-	option src 'wan'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
-	option dest_port '143 993'
-	option target 'ACCEPT'
-	option family 'ipv6'
-
-config rule
-	option name 'n0box2-HTTP+HTTPS'
-	option src 'wan'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
-	option dest_port '80 443'
-	option target 'ACCEPT'
-	option family 'ipv6'
-
 #config rule
 #	option name 'n0box2-TS-com+com2'
 #	option src 'wan'
@@ -152,56 +112,6 @@ config rule
 #	option target 'ACCEPT'
 #	option family 'ipv6'
 
-config redirect
-	option name 'n0box2-SMTP'
-	option src 'wan'
-	option src_dport '25'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option dest_port '25'
-	option target 'DNAT'
-
-config redirect
-	option name 'n0box2-SMTPS'
-	option src 'wan'
-	option src_dport '465'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option dest_port '465'
-	option target 'DNAT'
-
-config redirect
-	option name 'n0box2-SUBMISSION'
-	option src 'wan'
-	option src_dport '587'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option dest_port '587'
-	option target 'DNAT'
-
-config redirect
-	option name 'n0box2-IMAP'
-	option src 'wan'
-	option src_dport '143'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option dest_port '143'
-	option target 'DNAT'
-
-config redirect
-	option name 'n0box2-IMAPS'
-	option src 'wan'
-	option src_dport '993'
-	option proto 'tcp'
-	option dest 'lan'
-	option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option dest_port '993'
-	option target 'DNAT'
-
 #config redirect
 #	option name 'n0box2-TS-com'
 #	option src 'wan'
@@ -318,6 +228,7 @@ config rule
 	option target 'ACCEPT'
 	option family 'ipv6'
 
+# a supprimer le prochain coup
 # Allow traffic to n0box2
 config rule
 	option name 'Allow-OUTPUT-to-n0box2'
@@ -426,17 +337,6 @@ config rule
 	option family 'ipv6'
 {% endfor %}
 
-# Allow SMTP traffic from mail
-config rule
-	option name 'Allow-OUTPUT-SMTP'
-	option src 'dmz'
-	option src_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
-	option proto 'tcp'
-	option dest 'wan'
-	option dst_port '25'
-	option target 'ACCEPT'
-	option family 'ipv4'
-
 # Allow XMPP traffic
 config rule
 	option name 'Allow-OUTPUT-XMPP-s2s'
@@ -509,6 +409,87 @@ config redirect
 	option dest_port '64738'
 	option target 'DNAT'
 
+# Allow mail traffic
+config rule
+	option name 'Allow-OUTPUT-SMTP'
+	option src 'dmz'
+	option src_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option proto 'tcp'
+	option dest 'wan'
+	option dst_port '25'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
+config rule
+	option name 'Allow-INPUT-SMTP+SMTPS+SUBMISSION'
+	option src 'wan'
+	option proto 'tcp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+	option dest_port '25 465 587'
+	option target 'ACCEPT'
+	option family 'ipv6'
+
+config rule
+	option name 'Allow-INPUT-IMAP+IMAPS'
+	option src 'wan'
+	option proto 'tcp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+	option dest_port '143 993'
+	option target 'ACCEPT'
+	option family 'ipv6'
+
+config redirect
+	option name 'Allow-INPUT-SMTP'
+	option src 'wan'
+	option src_dport '25'
+	option proto 'tcp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_port '25'
+	option target 'DNAT'
+
+config redirect
+	option name 'Allow-INPUT-SMTPS'
+	option src 'wan'
+	option src_dport '465'
+	option proto 'tcp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_port '465'
+	option target 'DNAT'
+
+config redirect
+	option name 'Allow-INPUT-SUBMISSION'
+	option src 'wan'
+	option src_dport '587'
+	option proto 'tcp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_port '587'
+	option target 'DNAT'
+
+config redirect
+	option name 'Allow-INPUT-IMAP'
+	option src 'wan'
+	option src_dport '143'
+	option proto 'tcp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_port '143'
+	option target 'DNAT'
+
+config redirect
+	option name 'Allow-INPUT-IMAPS'
+	option src 'wan'
+	option src_dport '993'
+	option proto 'tcp'
+	option dest 'lan'
+	option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_port '993'
+	option target 'DNAT'
+
 ## Default configuration
 config defaults
 	option syn_flood '1'

roles/nginx/templates/vhosts/mm.pipoworld.fr.conf.j2

@@ -0,0 +1,27 @@
+server {
+	listen *:443 ssl http2;
+	listen [::]:443 ssl http2;
+	ssl_certificate /etc/x509/mm.pipoworld.fr/fullchain.cer;
+	ssl_certificate_key /etc/x509/mm.pipoworld.fr/mm.pipoworld.fr.key;
+	server_name mm.pipoworld.fr mm.nintendojo.fr;
+	access_log /var/log/nginx/mm.pipoworld.fr.access.log combined_port;
+	error_log /var/log/nginx/mm.pipoworld.fr.error.log;
+
+	location = / {
+		rewrite ^ /cgi-bin/mailman/listinfo permanent;
+	}
+
+	location /cgi-bin/mailman {
+		root /usr/lib/;
+		fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$;
+		fastcgi_pass unix:/var/run/fcgiwrap.socket;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		include fastcgi_params;
+		gzip off;
+	}
+
+	location /images/mailman {
+		alias /usr/share/images/mailman;
+	}
+}
+

roles/postfix/files/main.cf

@@ -23,12 +23,14 @@ mynetworks = 163.172.112.17, 127.0.0.1, [::1]/128, 10.233.212.64/27, [2001:bc8:2
 #relayhost = 178.32.223.202
 relayhost = 37.187.5.75
 transport_maps = hash:/etc/postfix/transport
-myhostname = n0box2.mateu.be
+myhostname = mail.dmz.mateu.be
 myorigin = mateu.be
 mydestination = $myhostname,localhost.$mydomain,localhost,mateu.be,libertus.eu,p.libertus.eu,pipoworld.fr,nintendojo.fr
 recipient_delimiter = +
 virtual_alias_maps = regexp:/etc/postfix/virtual-regexp
 
+smtputf8_enable = no
+
 mail_owner = postfix
 unknown_local_recipient_reject_code = 550
 alias_maps = hash:/etc/aliases

roles/spamassassin/files/local.cf

@@ -1,4 +1,4 @@
-required_hits 4
+required_hits 4.0
 report_safe 1
 rewrite_header Subject *****SPAM*****
 use_bayes               1