slfhst/ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bascule de la messagerie

Browse Source
This commit is contained in:
VC
2019-09-07 08:19:20 +02:00
parent a60f09935a
commit f438a50000
8 changed files with 114 additions and 104 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
production/hosts
View File

@@ -47,7 +47,7 @@ web2.dmz.mateu.be web_hostname="['analyse.nintendojo.fr', 'nintendojo.fr', 'www.
ror.dmz.mateu.be web_hostname="['m.nintendojo.fr']" ror.dmz.mateu.be web_hostname="['m.nintendojo.fr']"
jabber.dmz.mateu.be web_hostname="['libertus.eu', 'upload.libertus.eu', 'xmpp.libertus.eu']" jabber.dmz.mateu.be web_hostname="['libertus.eu', 'upload.libertus.eu', 'xmpp.libertus.eu']"
voice3.dmz.mateu.be web_hostname="['radio.nintendojo.fr']" voice3.dmz.mateu.be web_hostname="['radio.nintendojo.fr']"
#mail.dmz.mateu.be mail.dmz.mateu.be web_hostname="['imap.libertus.eu', 'smtp.libertus.eu', 'mm.pipoworld.fr', 'mm.nintendojo.fr']"
[phpservers] [phpservers]
web1.dmz.mateu.be php_modules="['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'curl', 'gettext', 'imap', 'zip', 'apcu']" web1.dmz.mateu.be php_modules="['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'curl', 'gettext', 'imap', 'zip', 'apcu']"

183
roles/firewall/templates/firewall.j2
View File

@@ -61,16 +61,6 @@ config rule
option family 'ipv6' option family 'ipv6'
option limit '1000/sec' option limit '1000/sec'
## Deny IPv6 SMTP
config rule
option name 'Deny-SMTP'
option src 'lan'
option proto 'tcp'
option dest 'wan'
option dest_port '25'
option target 'REJECT'
option family 'ipv6'
## SSH from VINCI rules ## SSH from VINCI rules
config rule config rule
option name 'Allow-Input-SSH-VINCI' option name 'Allow-Input-SSH-VINCI'
@@ -92,36 +82,6 @@ config rule
option family 'ipv6' option family 'ipv6'
## Traffic for n0box2 server ## Traffic for n0box2 server
config rule
option name 'n0box2-SMTP+SMTPS+SUBMISSION'
option src 'wan'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '25 465 587'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'n0box2-IMAP+IMAPS'
option src 'wan'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '143 993'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'n0box2-HTTP+HTTPS'
option src 'wan'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '80 443'
option target 'ACCEPT'
option family 'ipv6'
#config rule #config rule
# option name 'n0box2-TS-com+com2' # option name 'n0box2-TS-com+com2'
# option src 'wan' # option src 'wan'
@@ -152,56 +112,6 @@ config rule
# option target 'ACCEPT' # option target 'ACCEPT'
# option family 'ipv6' # option family 'ipv6'
config redirect
option name 'n0box2-SMTP'
option src 'wan'
option src_dport '25'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '25'
option target 'DNAT'
config redirect
option name 'n0box2-SMTPS'
option src 'wan'
option src_dport '465'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '465'
option target 'DNAT'
config redirect
option name 'n0box2-SUBMISSION'
option src 'wan'
option src_dport '587'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '587'
option target 'DNAT'
config redirect
option name 'n0box2-IMAP'
option src 'wan'
option src_dport '143'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '143'
option target 'DNAT'
config redirect
option name 'n0box2-IMAPS'
option src 'wan'
option src_dport '993'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '993'
option target 'DNAT'
#config redirect #config redirect
# option name 'n0box2-TS-com' # option name 'n0box2-TS-com'
# option src 'wan' # option src 'wan'
@@ -318,6 +228,7 @@ config rule
option target 'ACCEPT' option target 'ACCEPT'
option family 'ipv6' option family 'ipv6'
# a supprimer le prochain coup
# Allow traffic to n0box2 # Allow traffic to n0box2
config rule config rule
option name 'Allow-OUTPUT-to-n0box2' option name 'Allow-OUTPUT-to-n0box2'
@@ -426,17 +337,6 @@ config rule
option family 'ipv6' option family 'ipv6'
{% endfor %} {% endfor %}
# Allow SMTP traffic from mail
config rule
option name 'Allow-OUTPUT-SMTP'
option src 'dmz'
option src_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option proto 'tcp'
option dest 'wan'
option dst_port '25'
option target 'ACCEPT'
option family 'ipv4'
# Allow XMPP traffic # Allow XMPP traffic
config rule config rule
option name 'Allow-OUTPUT-XMPP-s2s' option name 'Allow-OUTPUT-XMPP-s2s'
@@ -509,6 +409,87 @@ config redirect
option dest_port '64738' option dest_port '64738'
option target 'DNAT' option target 'DNAT'
# Allow mail traffic
config rule
option name 'Allow-OUTPUT-SMTP'
option src 'dmz'
option src_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option proto 'tcp'
option dest 'wan'
option dst_port '25'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-INPUT-SMTP+SMTPS+SUBMISSION'
option src 'wan'
option proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '25 465 587'
option target 'ACCEPT'
option family 'ipv6'
config rule
option name 'Allow-INPUT-IMAP+IMAPS'
option src 'wan'
option proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '143 993'
option target 'ACCEPT'
option family 'ipv6'
config redirect
option name 'Allow-INPUT-SMTP'
option src 'wan'
option src_dport '25'
option proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '25'
option target 'DNAT'
config redirect
option name 'Allow-INPUT-SMTPS'
option src 'wan'
option src_dport '465'
option proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '465'
option target 'DNAT'
config redirect
option name 'Allow-INPUT-SUBMISSION'
option src 'wan'
option src_dport '587'
option proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '587'
option target 'DNAT'
config redirect
option name 'Allow-INPUT-IMAP'
option src 'wan'
option src_dport '143'
option proto 'tcp'
option dest 'dmz'
option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '143'
option target 'DNAT'
config redirect
option name 'Allow-INPUT-IMAPS'
option src 'wan'
option src_dport '993'
option proto 'tcp'
option dest 'lan'
option dest_ip '{{ hostvars['mail.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '993'
option target 'DNAT'
## Default configuration ## Default configuration
config defaults config defaults
option syn_flood '1' option syn_flood '1'

0
roles/nginx/templates/vhosts/imap.libertus.eu.conf.j2 Normal file
View File

0
roles/nginx/templates/vhosts/mm.nintendojo.fr.conf.j2 Normal file
View File

27
roles/nginx/templates/vhosts/mm.pipoworld.fr.conf.j2 Normal file
View File

@@ -0,0 +1,27 @@
server {
listen *:443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/x509/mm.pipoworld.fr/fullchain.cer;
ssl_certificate_key /etc/x509/mm.pipoworld.fr/mm.pipoworld.fr.key;
server_name mm.pipoworld.fr mm.nintendojo.fr;
access_log /var/log/nginx/mm.pipoworld.fr.access.log combined_port;
error_log /var/log/nginx/mm.pipoworld.fr.error.log;
location = / {
rewrite ^ /cgi-bin/mailman/listinfo permanent;
}
location /cgi-bin/mailman {
root /usr/lib/;
fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
gzip off;
}
location /images/mailman {
alias /usr/share/images/mailman;
}
}

0
roles/nginx/templates/vhosts/smtp.libertus.eu.conf.j2 Normal file
View File

4
roles/postfix/files/main.cf
View File

@@ -23,12 +23,14 @@ mynetworks = 163.172.112.17, 127.0.0.1, [::1]/128, 10.233.212.64/27, [2001:bc8:2
#relayhost = 178.32.223.202 #relayhost = 178.32.223.202
relayhost = 37.187.5.75 relayhost = 37.187.5.75
transport_maps = hash:/etc/postfix/transport transport_maps = hash:/etc/postfix/transport
myhostname = n0box2.mateu.be myhostname = mail.dmz.mateu.be
myorigin = mateu.be myorigin = mateu.be
mydestination = $myhostname,localhost.$mydomain,localhost,mateu.be,libertus.eu,p.libertus.eu,pipoworld.fr,nintendojo.fr mydestination = $myhostname,localhost.$mydomain,localhost,mateu.be,libertus.eu,p.libertus.eu,pipoworld.fr,nintendojo.fr
recipient_delimiter = + recipient_delimiter = +
virtual_alias_maps = regexp:/etc/postfix/virtual-regexp virtual_alias_maps = regexp:/etc/postfix/virtual-regexp
smtputf8_enable = no
mail_owner = postfix mail_owner = postfix
unknown_local_recipient_reject_code = 550 unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases alias_maps = hash:/etc/aliases

2
roles/spamassassin/files/local.cf
View File

@@ -1,4 +1,4 @@
required_hits 4 required_hits 4.0
report_safe 1 report_safe 1
rewrite_header Subject *****SPAM***** rewrite_header Subject *****SPAM*****
use_bayes 1 use_bayes 1