From: Frank Brehm
Date: Wed, 2 Nov 2016 21:03:25 +0000 (+0100)
Subject: Initial commit
X-Git-Url: https://git.uhu-banane.net/?a=commitdiff_plain;h=ae1bfb1bc457dc3aa2965184f13450efecc2b680;p=config%2Fns1%2Fetc.git
Initial commit
--- ae1bfb1bc457dc3aa2965184f13450efecc2b680
diff --git a/.etckeeper b/.etckeeper
new file mode 100755
index 0000000..bdb3c87
--- /dev/null
+++ b/.etckeeper
@@ -0,0 +1,1112 @@ +# Generated by etckeeper. Do not edit. + +mkdir -p './X11/xkb' +mkdir -p './apparmor.d/force-complain' +mkdir -p './apt/preferences.d' +mkdir -p './bind/dyn' +mkdir -p './bind/zones' +mkdir -p './ca-certificates/update.d' +mkdir -p './console' +mkdir -p './dpkg/dpkg.cfg.d' +mkdir -p './fail2ban/fail2ban.d' +mkdir -p './initramfs-tools/conf.d' +mkdir -p './initramfs-tools/hooks' +mkdir -p './initramfs-tools/scripts/init-bottom' +mkdir -p './initramfs-tools/scripts/init-premount' +mkdir -p './initramfs-tools/scripts/init-top' +mkdir -p './initramfs-tools/scripts/local-bottom' +mkdir -p './initramfs-tools/scripts/local-premount' +mkdir -p './initramfs-tools/scripts/local-top' +mkdir -p './initramfs-tools/scripts/nfs-bottom' +mkdir -p './initramfs-tools/scripts/nfs-premount' +mkdir -p './initramfs-tools/scripts/nfs-top' +mkdir -p './initramfs-tools/scripts/panic' +mkdir -p './insserv/overrides' +mkdir -p './logwatch/conf/logfiles' +mkdir -p './logwatch/conf/services' +mkdir -p './logwatch/scripts/services' +mkdir -p './network/if-post-down.d' +mkdir -p './network/if-pre-up.d' +mkdir -p './network/interfaces.d' +mkdir -p './opt' +mkdir -p './perl/CPAN' +mkdir -p './postfix/sasl' +mkdir -p './security/limits.d' +mkdir -p './security/namespace.d' +mkdir -p './udev/hwdb.d' +maybe chmod 0755 '.' 
+maybe chmod 0700 '.etckeeper' +maybe chmod 0644 '.gitignore' +maybe chmod 0755 'X11' +maybe chmod 0755 'X11/xkb' +maybe chmod 0755 'acpi' +maybe chmod 0755 'acpi/events' +maybe chmod 0644 'acpi/events/powerbtn-acpi-support' +maybe chmod 0755 'acpi/powerbtn-acpi-support.sh' +maybe chmod 0644 'adduser.conf' +maybe chmod 0600 'aiccu.conf' +maybe chmod 0644 'aliases' +maybe chmod 0644 'aliases.db' +maybe chmod 0755 'alternatives' +maybe chmod 0644 'alternatives/README' +maybe chmod 0755 'apache2' +maybe chmod 0644 'apache2/apache2.conf' +maybe chmod 0755 'apache2/conf-available' +maybe chmod 0644 'apache2/conf-available/charset.conf' +maybe chmod 0755 'apache2/conf-available/custom-log.conf' +maybe chmod 0644 'apache2/conf-available/localized-error-pages.conf' +maybe chmod 0644 'apache2/conf-available/other-vhosts-access-log.conf' +maybe chmod 0644 'apache2/conf-available/security.conf' +maybe chmod 0644 'apache2/conf-available/serve-cgi-bin.conf' +maybe chmod 0755 'apache2/conf-enabled' +maybe chmod 0644 'apache2/envvars' +maybe chmod 0644 'apache2/magic' +maybe chmod 0755 'apache2/mods-available' +maybe chmod 0644 'apache2/mods-available/access_compat.load' +maybe chmod 0644 'apache2/mods-available/actions.conf' +maybe chmod 0644 'apache2/mods-available/actions.load' +maybe chmod 0644 'apache2/mods-available/alias.conf' +maybe chmod 0644 'apache2/mods-available/alias.load' +maybe chmod 0644 'apache2/mods-available/allowmethods.load' +maybe chmod 0644 'apache2/mods-available/asis.load' +maybe chmod 0644 'apache2/mods-available/auth_basic.load' +maybe chmod 0644 'apache2/mods-available/auth_digest.load' +maybe chmod 0644 'apache2/mods-available/auth_form.load' +maybe chmod 0644 'apache2/mods-available/authn_anon.load' +maybe chmod 0644 'apache2/mods-available/authn_core.load' +maybe chmod 0644 'apache2/mods-available/authn_dbd.load' +maybe chmod 0644 'apache2/mods-available/authn_dbm.load' +maybe chmod 0644 'apache2/mods-available/authn_file.load' +maybe chmod 0644 
'apache2/mods-available/authn_socache.load' +maybe chmod 0644 'apache2/mods-available/authnz_fcgi.load' +maybe chmod 0644 'apache2/mods-available/authnz_ldap.load' +maybe chmod 0644 'apache2/mods-available/authz_core.load' +maybe chmod 0644 'apache2/mods-available/authz_dbd.load' +maybe chmod 0644 'apache2/mods-available/authz_dbm.load' +maybe chmod 0644 'apache2/mods-available/authz_groupfile.load' +maybe chmod 0644 'apache2/mods-available/authz_host.load' +maybe chmod 0644 'apache2/mods-available/authz_owner.load' +maybe chmod 0644 'apache2/mods-available/authz_user.load' +maybe chmod 0644 'apache2/mods-available/autoindex.conf' +maybe chmod 0644 'apache2/mods-available/autoindex.load' +maybe chmod 0644 'apache2/mods-available/buffer.load' +maybe chmod 0644 'apache2/mods-available/cache.load' +maybe chmod 0644 'apache2/mods-available/cache_disk.conf' +maybe chmod 0644 'apache2/mods-available/cache_disk.load' +maybe chmod 0644 'apache2/mods-available/cache_socache.load' +maybe chmod 0644 'apache2/mods-available/cgi.load' +maybe chmod 0644 'apache2/mods-available/cgid.conf' +maybe chmod 0644 'apache2/mods-available/cgid.load' +maybe chmod 0644 'apache2/mods-available/charset_lite.load' +maybe chmod 0644 'apache2/mods-available/data.load' +maybe chmod 0644 'apache2/mods-available/dav.load' +maybe chmod 0644 'apache2/mods-available/dav_fs.conf' +maybe chmod 0644 'apache2/mods-available/dav_fs.load' +maybe chmod 0644 'apache2/mods-available/dav_lock.load' +maybe chmod 0644 'apache2/mods-available/dbd.load' +maybe chmod 0644 'apache2/mods-available/deflate.conf' +maybe chmod 0644 'apache2/mods-available/deflate.load' +maybe chmod 0644 'apache2/mods-available/dialup.load' +maybe chmod 0644 'apache2/mods-available/dir.conf' +maybe chmod 0644 'apache2/mods-available/dir.load' +maybe chmod 0644 'apache2/mods-available/dump_io.load' +maybe chmod 0644 'apache2/mods-available/echo.load' +maybe chmod 0644 'apache2/mods-available/env.load' +maybe chmod 0644 
'apache2/mods-available/expires.load' +maybe chmod 0644 'apache2/mods-available/ext_filter.load' +maybe chmod 0644 'apache2/mods-available/file_cache.load' +maybe chmod 0644 'apache2/mods-available/filter.load' +maybe chmod 0644 'apache2/mods-available/headers.load' +maybe chmod 0644 'apache2/mods-available/heartbeat.load' +maybe chmod 0644 'apache2/mods-available/heartmonitor.load' +maybe chmod 0644 'apache2/mods-available/ident.load' +maybe chmod 0644 'apache2/mods-available/include.load' +maybe chmod 0644 'apache2/mods-available/info.conf' +maybe chmod 0644 'apache2/mods-available/info.load' +maybe chmod 0644 'apache2/mods-available/lbmethod_bybusyness.load' +maybe chmod 0644 'apache2/mods-available/lbmethod_byrequests.load' +maybe chmod 0644 'apache2/mods-available/lbmethod_bytraffic.load' +maybe chmod 0644 'apache2/mods-available/lbmethod_heartbeat.load' +maybe chmod 0644 'apache2/mods-available/ldap.conf' +maybe chmod 0644 'apache2/mods-available/ldap.load' +maybe chmod 0644 'apache2/mods-available/log_debug.load' +maybe chmod 0644 'apache2/mods-available/log_forensic.load' +maybe chmod 0644 'apache2/mods-available/lua.load' +maybe chmod 0644 'apache2/mods-available/macro.load' +maybe chmod 0644 'apache2/mods-available/mime.conf' +maybe chmod 0644 'apache2/mods-available/mime.load' +maybe chmod 0644 'apache2/mods-available/mime_magic.conf' +maybe chmod 0644 'apache2/mods-available/mime_magic.load' +maybe chmod 0644 'apache2/mods-available/mpm_event.conf' +maybe chmod 0644 'apache2/mods-available/mpm_event.load' +maybe chmod 0644 'apache2/mods-available/mpm_prefork.conf' +maybe chmod 0644 'apache2/mods-available/mpm_prefork.load' +maybe chmod 0644 'apache2/mods-available/mpm_worker.conf' +maybe chmod 0644 'apache2/mods-available/mpm_worker.load' +maybe chmod 0644 'apache2/mods-available/negotiation.conf' +maybe chmod 0644 'apache2/mods-available/negotiation.load' +maybe chmod 0644 'apache2/mods-available/proxy.conf' +maybe chmod 0644 
'apache2/mods-available/proxy.load' +maybe chmod 0644 'apache2/mods-available/proxy_ajp.load' +maybe chmod 0644 'apache2/mods-available/proxy_balancer.conf' +maybe chmod 0644 'apache2/mods-available/proxy_balancer.load' +maybe chmod 0644 'apache2/mods-available/proxy_connect.load' +maybe chmod 0644 'apache2/mods-available/proxy_express.load' +maybe chmod 0644 'apache2/mods-available/proxy_fcgi.load' +maybe chmod 0644 'apache2/mods-available/proxy_fdpass.load' +maybe chmod 0644 'apache2/mods-available/proxy_ftp.conf' +maybe chmod 0644 'apache2/mods-available/proxy_ftp.load' +maybe chmod 0644 'apache2/mods-available/proxy_html.conf' +maybe chmod 0644 'apache2/mods-available/proxy_html.load' +maybe chmod 0644 'apache2/mods-available/proxy_http.load' +maybe chmod 0644 'apache2/mods-available/proxy_scgi.load' +maybe chmod 0644 'apache2/mods-available/proxy_wstunnel.load' +maybe chmod 0644 'apache2/mods-available/ratelimit.load' +maybe chmod 0644 'apache2/mods-available/reflector.load' +maybe chmod 0644 'apache2/mods-available/remoteip.load' +maybe chmod 0644 'apache2/mods-available/reqtimeout.conf' +maybe chmod 0644 'apache2/mods-available/reqtimeout.load' +maybe chmod 0644 'apache2/mods-available/request.load' +maybe chmod 0644 'apache2/mods-available/rewrite.load' +maybe chmod 0644 'apache2/mods-available/sed.load' +maybe chmod 0644 'apache2/mods-available/session.load' +maybe chmod 0644 'apache2/mods-available/session_cookie.load' +maybe chmod 0644 'apache2/mods-available/session_crypto.load' +maybe chmod 0644 'apache2/mods-available/session_dbd.load' +maybe chmod 0644 'apache2/mods-available/setenvif.conf' +maybe chmod 0644 'apache2/mods-available/setenvif.load' +maybe chmod 0644 'apache2/mods-available/slotmem_plain.load' +maybe chmod 0644 'apache2/mods-available/slotmem_shm.load' +maybe chmod 0644 'apache2/mods-available/socache_dbm.load' +maybe chmod 0644 'apache2/mods-available/socache_memcache.load' +maybe chmod 0644 'apache2/mods-available/socache_shmcb.load' 
+maybe chmod 0644 'apache2/mods-available/speling.load' +maybe chmod 0644 'apache2/mods-available/ssl.conf' +maybe chmod 0644 'apache2/mods-available/ssl.load' +maybe chmod 0644 'apache2/mods-available/status.conf' +maybe chmod 0644 'apache2/mods-available/status.load' +maybe chmod 0644 'apache2/mods-available/substitute.load' +maybe chmod 0644 'apache2/mods-available/suexec.load' +maybe chmod 0644 'apache2/mods-available/unique_id.load' +maybe chmod 0644 'apache2/mods-available/userdir.conf' +maybe chmod 0644 'apache2/mods-available/userdir.load' +maybe chmod 0644 'apache2/mods-available/usertrack.load' +maybe chmod 0644 'apache2/mods-available/vhost_alias.load' +maybe chmod 0644 'apache2/mods-available/xml2enc.load' +maybe chmod 0755 'apache2/mods-enabled' +maybe chmod 0644 'apache2/ports.conf' +maybe chmod 0755 'apache2/sites-available' +maybe chmod 0644 'apache2/sites-available/000-default.conf' +maybe chmod 0644 'apache2/sites-available/default-include.conf' +maybe chmod 0644 'apache2/sites-available/default-ssl.conf' +maybe chmod 0755 'apache2/sites-enabled' +maybe chmod 0755 'apm' +maybe chmod 0755 'apm/event.d' +maybe chmod 0755 'apm/event.d/01chrony' +maybe chmod 0755 'apparmor.d' +maybe chmod 0755 'apparmor.d/force-complain' +maybe chmod 0755 'apparmor.d/local' +maybe chmod 0644 'apparmor.d/local/usr.sbin.named' +maybe chmod 0644 'apparmor.d/usr.sbin.named' +maybe chmod 0755 'apt' +maybe chmod 0644 'apt/SALTSTACK-GPG-KEY.pub' +maybe chmod 0755 'apt/apt.conf.d' +maybe chmod 0644 'apt/apt.conf.d/00recommends' +maybe chmod 0644 'apt/apt.conf.d/00trustcdrom' +maybe chmod 0644 'apt/apt.conf.d/01autoremove' +maybe chmod 0644 'apt/apt.conf.d/01autoremove-kernels' +maybe chmod 0644 'apt/apt.conf.d/05etckeeper' +maybe chmod 0644 'apt/apt.conf.d/70debconf' +maybe chmod 0755 'apt/preferences.d' +maybe chmod 0644 'apt/repo.uhu-banane.de.gpg-key.pub' +maybe chmod 0644 'apt/repo.uhu-banane.de.gpg-key2.pub' +maybe chmod 0644 'apt/sources.list' +maybe chmod 0755 
'apt/sources.list.d' +maybe chmod 0644 'apt/sources.list.d/fbrehm.list' +maybe chmod 0644 'apt/sources.list.d/salt.list' +maybe chmod 0644 'apt/trusted.gpg' +maybe chmod 0755 'apt/trusted.gpg.d' +maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg' +maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg' +maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-jessie-stable.gpg' +maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg' +maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg' +maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg' +maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg' +maybe chmod 0755 'apticron' +maybe chmod 0644 'apticron/apticron.conf' +maybe chmod 0644 'bash.bashrc' +maybe chmod 0644 'bash_completion' +maybe chmod 0755 'bash_completion.d' +maybe chmod 0644 'bash_completion.d/apache2' +maybe chmod 0644 'bash_completion.d/debconf' +maybe chmod 0644 'bash_completion.d/etckeeper' +maybe chmod 0644 'bash_completion.d/fail2ban' +maybe chmod 0644 'bash_completion.d/git-prompt' +maybe chmod 0644 'bash_completion.d/grub' +maybe chmod 0644 'bash_completion.d/initramfs-tools' +maybe chmod 0644 'bash_completion.d/insserv' +maybe chmod 0644 'bash_completion.d/isoquery' +maybe chmod 0644 'bash_completion.d/salt-common' +maybe chmod 0644 'bash_completion.d/whiptail' +maybe chgrp 'bind' 'bind' +maybe chmod 2755 'bind' +maybe chmod 0644 'bind/bind.keys' +maybe chmod 0644 'bind/db.0' +maybe chmod 0644 'bind/db.127' +maybe chmod 0644 'bind/db.255' +maybe chmod 0644 'bind/db.empty' +maybe chmod 0644 'bind/db.local' +maybe chmod 0644 'bind/db.root' +maybe chmod 0700 'bind/dnssec' +maybe chmod 0600 'bind/dnssec/Kdns-uhu-banane.+157+21915.key' +maybe chmod 0600 'bind/dnssec/Kdns-uhu-banane.+157+21915.private' +maybe chmod 0600 'bind/dnssec/Kdyn-dns-updater.+157+29290.key' +maybe chmod 0600 'bind/dnssec/Kdyn-dns-updater.+157+29290.private' +maybe 
chown 'bind' 'bind/dyn' +maybe chgrp 'bind' 'bind/dyn' +maybe chmod 0770 'bind/dyn' +maybe chmod 0644 'bind/named-acl.conf' +maybe chmod 0644 'bind/named-dyn.conf' +maybe chmod 0644 'bind/named-log.conf' +maybe chmod 0644 'bind/named-pri.conf' +maybe chmod 0644 'bind/named-sec.conf' +maybe chmod 0644 'bind/named.conf' +maybe chmod 0644 'bind/named.conf.default-zones' +maybe chmod 0644 'bind/named.conf.local' +maybe chmod 0644 'bind/named.conf.options' +maybe chown 'bind' 'bind/rndc.key' +maybe chgrp 'bind' 'bind/rndc.key' +maybe chmod 0640 'bind/rndc.key' +maybe chgrp 'bind' 'bind/zones' +maybe chmod 0755 'bind/zones' +maybe chmod 0644 'bind/zones.rfc1918' +maybe chmod 0644 'bindresvport.blacklist' +maybe chmod 0755 'byobu' +maybe chmod 0644 'byobu/backend' +maybe chmod 0644 'byobu/socketdir' +maybe chmod 0755 'ca-certificates' +maybe chmod 0644 'ca-certificates.conf' +maybe chmod 0755 'ca-certificates/update.d' +maybe chmod 0755 'calendar' +maybe chmod 0644 'calendar/default' +maybe chmod 0755 'chrony' +maybe chmod 0644 'chrony/chrony.conf' +maybe chmod 0640 'chrony/chrony.keys' +maybe chmod 0644 'colordiffrc' +maybe chmod 0755 'console' +maybe chmod 0755 'console-setup' +maybe chmod 0644 'console-setup/cached_Lat15-Fixed16.psf.gz' +maybe chmod 0644 'console-setup/cached_UTF-8_del.kmap.gz' +maybe chmod 0644 'console-setup/compose.ARMSCII-8.inc' +maybe chmod 0644 'console-setup/compose.CP1251.inc' +maybe chmod 0644 'console-setup/compose.CP1255.inc' +maybe chmod 0644 'console-setup/compose.CP1256.inc' +maybe chmod 0644 'console-setup/compose.GEORGIAN-ACADEMY.inc' +maybe chmod 0644 'console-setup/compose.GEORGIAN-PS.inc' +maybe chmod 0644 'console-setup/compose.IBM1133.inc' +maybe chmod 0644 'console-setup/compose.ISIRI-3342.inc' +maybe chmod 0644 'console-setup/compose.ISO-8859-1.inc' +maybe chmod 0644 'console-setup/compose.ISO-8859-10.inc' +maybe chmod 0644 'console-setup/compose.ISO-8859-11.inc' +maybe chmod 0644 'console-setup/compose.ISO-8859-13.inc' +maybe 
chmod 0644 'console-setup/compose.ISO-8859-14.inc' +maybe chmod 0644 'console-setup/compose.ISO-8859-15.inc' +maybe chmod 0644 'console-setup/compose.ISO-8859-16.inc' +maybe chmod 0644 'console-setup/compose.ISO-8859-2.inc' +maybe chmod 0644 'console-setup/compose.ISO-8859-3.inc' +maybe chmod 0644 'console-setup/compose.ISO-8859-4.inc' +maybe chmod 0644 'console-setup/compose.ISO-8859-5.inc' +maybe chmod 0644 'console-setup/compose.ISO-8859-6.inc' +maybe chmod 0644 'console-setup/compose.ISO-8859-7.inc' +maybe chmod 0644 'console-setup/compose.ISO-8859-8.inc' +maybe chmod 0644 'console-setup/compose.ISO-8859-9.inc' +maybe chmod 0644 'console-setup/compose.KOI8-R.inc' +maybe chmod 0644 'console-setup/compose.KOI8-U.inc' +maybe chmod 0644 'console-setup/compose.TIS-620.inc' +maybe chmod 0644 'console-setup/compose.VISCII.inc' +maybe chmod 0644 'console-setup/remap.inc' +maybe chmod 0755 'cron.d' +maybe chmod 0644 'cron.d/.placeholder' +maybe chmod 0644 'cron.d/apticron' +maybe chmod 0644 'cron.d/certbot' +maybe chmod 0644 'cron.d/greetings' +maybe chmod 0644 'cron.d/sync-pkgs' +maybe chmod 0755 'cron.daily' +maybe chmod 0644 'cron.daily/.placeholder' +maybe chmod 0755 'cron.daily/00logwatch' +maybe chmod 0755 'cron.daily/apache2' +maybe chmod 0755 'cron.daily/apt' +maybe chmod 0755 'cron.daily/aptitude' +maybe chmod 0755 'cron.daily/bsdmainutils' +maybe chmod 0755 'cron.daily/dpkg' +maybe chmod 0755 'cron.daily/etckeeper' +maybe chmod 0755 'cron.daily/exim4-base' +maybe chmod 0755 'cron.daily/logrotate' +maybe chmod 0755 'cron.daily/man-db' +maybe chmod 0755 'cron.daily/mlocate' +maybe chmod 0755 'cron.daily/passwd' +maybe chmod 0755 'cron.hourly' +maybe chmod 0644 'cron.hourly/.placeholder' +maybe chmod 0755 'cron.monthly' +maybe chmod 0644 'cron.monthly/.placeholder' +maybe chmod 0755 'cron.weekly' +maybe chmod 0644 'cron.weekly/.placeholder' +maybe chmod 0755 'cron.weekly/man-db' +maybe chmod 0644 'crontab' +maybe chmod 0755 'cruft' +maybe chmod 0755 
'cruft/filters-unex' +maybe chmod 0644 'cruft/filters-unex/etckeeper' +maybe chmod 0755 'dbus-1' +maybe chmod 0755 'dbus-1/system.d' +maybe chmod 0644 'dbus-1/system.d/org.freedesktop.hostname1.conf' +maybe chmod 0644 'dbus-1/system.d/org.freedesktop.locale1.conf' +maybe chmod 0644 'dbus-1/system.d/org.freedesktop.login1.conf' +maybe chmod 0644 'dbus-1/system.d/org.freedesktop.machine1.conf' +maybe chmod 0644 'dbus-1/system.d/org.freedesktop.systemd1.conf' +maybe chmod 0644 'dbus-1/system.d/org.freedesktop.timedate1.conf' +maybe chmod 0644 'debconf.conf' +maybe chmod 0644 'debian_version' +maybe chmod 0755 'default' +maybe chmod 0644 'default/acpid' +maybe chmod 0644 'default/aiccu' +maybe chmod 0644 'default/apache2' +maybe chmod 0644 'default/bind9' +maybe chmod 0644 'default/bsdmainutils' +maybe chmod 0644 'default/console-setup' +maybe chmod 0644 'default/cron' +maybe chmod 0644 'default/devpts' +maybe chmod 0644 'default/exim4' +maybe chmod 0644 'default/fail2ban' +maybe chmod 0644 'default/grub' +maybe chmod 0644 'default/halt' +maybe chmod 0644 'default/haveged' +maybe chmod 0644 'default/hwclock' +maybe chmod 0644 'default/keyboard' +maybe chmod 0644 'default/locale' +maybe chmod 0644 'default/locale.bak' +maybe chmod 0644 'default/netfilter-persistent' +maybe chmod 0644 'default/networking' +maybe chmod 0644 'default/nss' +maybe chmod 0644 'default/rcS' +maybe chmod 0644 'default/rsync' +maybe chmod 0644 'default/rsyslog' +maybe chmod 0644 'default/salt-minion.environment' +maybe chmod 0644 'default/ssh' +maybe chmod 0644 'default/tmpfs' +maybe chmod 0644 'default/useradd' +maybe chmod 0644 'deluser.conf' +maybe chmod 0755 'dhcp' +maybe chmod 0755 'dhcp/dhclient-enter-hooks.d' +maybe chmod 0644 'dhcp/dhclient-enter-hooks.d/debug' +maybe chmod 0644 'dhcp/dhclient-enter-hooks.d/nodnsupdate' +maybe chmod 0755 'dhcp/dhclient-exit-hooks.d' +maybe chmod 0644 'dhcp/dhclient-exit-hooks.d/debug' +maybe chmod 0644 
'dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes' +maybe chmod 0644 'dhcp/dhclient.conf' +maybe chmod 0755 'dictionaries-common' +maybe chmod 0644 'discover-modprobe.conf' +maybe chmod 0755 'discover.conf.d' +maybe chmod 0644 'discover.conf.d/00discover' +maybe chmod 0755 'dpkg' +maybe chmod 0644 'dpkg/dpkg.cfg' +maybe chmod 0755 'dpkg/dpkg.cfg.d' +maybe chmod 0755 'dpkg/origins' +maybe chmod 0644 'dpkg/origins/debian' +maybe chmod 0755 'emacs' +maybe chmod 0755 'emacs/site-start.d' +maybe chmod 0644 'emacs/site-start.d/00debian-vars.el' +maybe chmod 0644 'emacs/site-start.d/50dictionaries-common.el' +maybe chmod 0644 'emacs/site-start.el' +maybe chmod 0644 'email-addresses' +maybe chmod 0644 'environment' +maybe chmod 0755 'etckeeper' +maybe chmod 0755 'etckeeper/commit.d' +maybe chmod 0755 'etckeeper/commit.d/10vcs-test' +maybe chmod 0755 'etckeeper/commit.d/30bzr-add' +maybe chmod 0755 'etckeeper/commit.d/30darcs-add' +maybe chmod 0755 'etckeeper/commit.d/30git-add' +maybe chmod 0755 'etckeeper/commit.d/30hg-addremove' +maybe chmod 0755 'etckeeper/commit.d/50vcs-commit' +maybe chmod 0755 'etckeeper/commit.d/99push' +maybe chmod 0644 'etckeeper/commit.d/README' +maybe chmod 0644 'etckeeper/etckeeper.conf' +maybe chmod 0755 'etckeeper/init.d' +maybe chmod 0755 'etckeeper/init.d/10restore-metadata' +maybe chmod 0755 'etckeeper/init.d/20restore-etckeeper' +maybe chmod 0755 'etckeeper/init.d/40vcs-init' +maybe chmod 0755 'etckeeper/init.d/50vcs-ignore' +maybe chmod 0755 'etckeeper/init.d/50vcs-perm' +maybe chmod 0755 'etckeeper/init.d/50vcs-pre-commit-hook' +maybe chmod 0755 'etckeeper/init.d/60darcs-deleted-symlinks' +maybe chmod 0755 'etckeeper/init.d/70vcs-add' +maybe chmod 0644 'etckeeper/init.d/README' +maybe chmod 0755 'etckeeper/list-installed.d' +maybe chmod 0755 'etckeeper/list-installed.d/50list-installed' +maybe chmod 0755 'etckeeper/post-install.d' +maybe chmod 0755 'etckeeper/post-install.d/50vcs-commit' +maybe chmod 0644 
'etckeeper/post-install.d/README' +maybe chmod 0755 'etckeeper/pre-commit.d' +maybe chmod 0755 'etckeeper/pre-commit.d/20warn-problem-files' +maybe chmod 0755 'etckeeper/pre-commit.d/30store-metadata' +maybe chmod 0644 'etckeeper/pre-commit.d/README' +maybe chmod 0755 'etckeeper/pre-install.d' +maybe chmod 0755 'etckeeper/pre-install.d/10packagelist' +maybe chmod 0755 'etckeeper/pre-install.d/50uncommitted-changes' +maybe chmod 0644 'etckeeper/pre-install.d/README' +maybe chmod 0755 'etckeeper/unclean.d' +maybe chmod 0755 'etckeeper/unclean.d/50test' +maybe chmod 0644 'etckeeper/unclean.d/README' +maybe chmod 0755 'etckeeper/uninit.d' +maybe chmod 0755 'etckeeper/uninit.d/01prompt' +maybe chmod 0755 'etckeeper/uninit.d/50remove-metadata' +maybe chmod 0755 'etckeeper/uninit.d/50vcs-uninit' +maybe chmod 0644 'etckeeper/uninit.d/README' +maybe chmod 0755 'etckeeper/update-ignore.d' +maybe chmod 0755 'etckeeper/update-ignore.d/01update-ignore' +maybe chmod 0644 'etckeeper/update-ignore.d/README' +maybe chmod 0755 'etckeeper/vcs.d' +maybe chmod 0755 'etckeeper/vcs.d/50vcs-cmd' +maybe chmod 0755 'exim4' +maybe chmod 0755 'exim4/conf.d' +maybe chmod 0755 'exim4/conf.d/acl' +maybe chmod 0644 'exim4/conf.d/acl/00_exim4-config_header' +maybe chmod 0644 'exim4/conf.d/acl/20_exim4-config_local_deny_exceptions' +maybe chmod 0644 'exim4/conf.d/acl/30_exim4-config_check_mail' +maybe chmod 0644 'exim4/conf.d/acl/30_exim4-config_check_rcpt' +maybe chmod 0644 'exim4/conf.d/acl/40_exim4-config_check_data' +maybe chmod 0755 'exim4/conf.d/auth' +maybe chmod 0644 'exim4/conf.d/auth/00_exim4-config_header' +maybe chmod 0644 'exim4/conf.d/auth/30_exim4-config_examples' +maybe chmod 0755 'exim4/conf.d/main' +maybe chmod 0644 'exim4/conf.d/main/01_exim4-config_listmacrosdefs' +maybe chmod 0644 'exim4/conf.d/main/02_exim4-config_options' +maybe chmod 0644 'exim4/conf.d/main/03_exim4-config_tlsoptions' +maybe chmod 0644 'exim4/conf.d/main/90_exim4-config_log_selector' +maybe chmod 0755 
'exim4/conf.d/retry' +maybe chmod 0644 'exim4/conf.d/retry/00_exim4-config_header' +maybe chmod 0644 'exim4/conf.d/retry/30_exim4-config' +maybe chmod 0755 'exim4/conf.d/rewrite' +maybe chmod 0644 'exim4/conf.d/rewrite/00_exim4-config_header' +maybe chmod 0644 'exim4/conf.d/rewrite/31_exim4-config_rewriting' +maybe chmod 0755 'exim4/conf.d/router' +maybe chmod 0644 'exim4/conf.d/router/00_exim4-config_header' +maybe chmod 0644 'exim4/conf.d/router/100_exim4-config_domain_literal' +maybe chmod 0644 'exim4/conf.d/router/150_exim4-config_hubbed_hosts' +maybe chmod 0644 'exim4/conf.d/router/200_exim4-config_primary' +maybe chmod 0644 'exim4/conf.d/router/300_exim4-config_real_local' +maybe chmod 0644 'exim4/conf.d/router/400_exim4-config_system_aliases' +maybe chmod 0644 'exim4/conf.d/router/500_exim4-config_hubuser' +maybe chmod 0644 'exim4/conf.d/router/600_exim4-config_userforward' +maybe chmod 0644 'exim4/conf.d/router/700_exim4-config_procmail' +maybe chmod 0644 'exim4/conf.d/router/800_exim4-config_maildrop' +maybe chmod 0644 'exim4/conf.d/router/850_exim4-config_lowuid' +maybe chmod 0644 'exim4/conf.d/router/900_exim4-config_local_user' +maybe chmod 0644 'exim4/conf.d/router/mmm_mail4root' +maybe chmod 0755 'exim4/conf.d/transport' +maybe chmod 0644 'exim4/conf.d/transport/00_exim4-config_header' +maybe chmod 0644 'exim4/conf.d/transport/10_exim4-config_transport-macros' +maybe chmod 0644 'exim4/conf.d/transport/30_exim4-config_address_file' +maybe chmod 0644 'exim4/conf.d/transport/30_exim4-config_address_pipe' +maybe chmod 0644 'exim4/conf.d/transport/30_exim4-config_address_reply' +maybe chmod 0644 'exim4/conf.d/transport/30_exim4-config_mail_spool' +maybe chmod 0644 'exim4/conf.d/transport/30_exim4-config_maildir_home' +maybe chmod 0644 'exim4/conf.d/transport/30_exim4-config_maildrop_pipe' +maybe chmod 0644 'exim4/conf.d/transport/30_exim4-config_procmail_pipe' +maybe chmod 0644 'exim4/conf.d/transport/30_exim4-config_remote_smtp' +maybe chmod 0644 
'exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost' +maybe chmod 0644 'exim4/conf.d/transport/35_exim4-config_address_directory' +maybe chmod 0644 'exim4/exim4.conf.template' +maybe chgrp 'Debian-exim' 'exim4/passwd.client' +maybe chmod 0640 'exim4/passwd.client' +maybe chmod 0644 'exim4/update-exim4.conf.conf' +maybe chmod 0755 'fail2ban' +maybe chmod 0755 'fail2ban/action.d' +maybe chmod 0644 'fail2ban/action.d/apf.conf' +maybe chmod 0644 'fail2ban/action.d/badips.conf' +maybe chmod 0644 'fail2ban/action.d/blocklist_de.conf' +maybe chmod 0644 'fail2ban/action.d/bsd-ipfw.conf' +maybe chmod 0644 'fail2ban/action.d/complain.conf' +maybe chmod 0644 'fail2ban/action.d/dshield.conf' +maybe chmod 0644 'fail2ban/action.d/dummy.conf' +maybe chmod 0644 'fail2ban/action.d/firewallcmd-ipset.conf' +maybe chmod 0644 'fail2ban/action.d/firewallcmd-new.conf' +maybe chmod 0644 'fail2ban/action.d/hostsdeny.conf' +maybe chmod 0644 'fail2ban/action.d/ipfilter.conf' +maybe chmod 0644 'fail2ban/action.d/ipfw.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-allports.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-blocktype.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto4.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6-allports.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-multiport-log.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-multiport.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-new.conf' +maybe chmod 0644 'fail2ban/action.d/iptables-xt_recent-echo.conf' +maybe chmod 0644 'fail2ban/action.d/iptables.conf' +maybe chmod 0644 'fail2ban/action.d/mail-buffered.conf' +maybe chmod 0644 'fail2ban/action.d/mail-whois-lines.conf' +maybe chmod 0644 'fail2ban/action.d/mail-whois.conf' +maybe chmod 0644 'fail2ban/action.d/mail.conf' +maybe chmod 0644 'fail2ban/action.d/mynetwatchman.conf' +maybe chmod 0644 'fail2ban/action.d/osx-afctl.conf' +maybe chmod 0644 
'fail2ban/action.d/osx-ipfw.conf' +maybe chmod 0644 'fail2ban/action.d/pf.conf' +maybe chmod 0644 'fail2ban/action.d/route.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-buffered.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-common.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-whois-lines.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail-whois.conf' +maybe chmod 0644 'fail2ban/action.d/sendmail.conf' +maybe chmod 0644 'fail2ban/action.d/shorewall.conf' +maybe chmod 0644 'fail2ban/action.d/ufw.conf' +maybe chmod 0644 'fail2ban/fail2ban.conf' +maybe chmod 0755 'fail2ban/fail2ban.d' +maybe chmod 0755 'fail2ban/filter.d' +maybe chmod 0644 'fail2ban/filter.d/3proxy.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-badbots.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-common.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-modsecurity.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-nohome.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-noscript.conf' +maybe chmod 0644 'fail2ban/filter.d/apache-overflows.conf' +maybe chmod 0644 'fail2ban/filter.d/assp.conf' +maybe chmod 0644 'fail2ban/filter.d/asterisk.conf' +maybe chmod 0644 'fail2ban/filter.d/common.conf' +maybe chmod 0644 'fail2ban/filter.d/courierlogin.conf' +maybe chmod 0644 'fail2ban/filter.d/couriersmtp.conf' +maybe chmod 0644 'fail2ban/filter.d/cyrus-imap.conf' +maybe chmod 0644 'fail2ban/filter.d/dovecot.conf' +maybe chmod 0644 'fail2ban/filter.d/dropbear.conf' +maybe chmod 0644 'fail2ban/filter.d/ejabberd-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/exim-common.conf' +maybe chmod 0644 'fail2ban/filter.d/exim-spam.conf' +maybe chmod 0644 'fail2ban/filter.d/exim.conf' +maybe chmod 0644 'fail2ban/filter.d/freeswitch.conf' +maybe chmod 0644 'fail2ban/filter.d/groupoffice.conf' +maybe chmod 0644 'fail2ban/filter.d/gssftpd.conf' +maybe chmod 0644 'fail2ban/filter.d/horde.conf' +maybe chmod 0644 'fail2ban/filter.d/lighttpd-auth.conf' 
+maybe chmod 0644 'fail2ban/filter.d/mysqld-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/nagios.conf' +maybe chmod 0644 'fail2ban/filter.d/named-refused.conf' +maybe chmod 0644 'fail2ban/filter.d/nginx-http-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/nsd.conf' +maybe chmod 0644 'fail2ban/filter.d/openwebmail.conf' +maybe chmod 0644 'fail2ban/filter.d/pam-generic.conf' +maybe chmod 0644 'fail2ban/filter.d/perdition.conf' +maybe chmod 0644 'fail2ban/filter.d/php-url-fopen.conf' +maybe chmod 0644 'fail2ban/filter.d/postfix-sasl.conf' +maybe chmod 0644 'fail2ban/filter.d/postfix.conf' +maybe chmod 0644 'fail2ban/filter.d/proftpd.conf' +maybe chmod 0644 'fail2ban/filter.d/pure-ftpd.conf' +maybe chmod 0644 'fail2ban/filter.d/qmail.conf' +maybe chmod 0644 'fail2ban/filter.d/recidive.conf' +maybe chmod 0644 'fail2ban/filter.d/roundcube-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/selinux-common.conf' +maybe chmod 0644 'fail2ban/filter.d/selinux-ssh.conf' +maybe chmod 0644 'fail2ban/filter.d/sendmail-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/sendmail-reject.conf' +maybe chmod 0644 'fail2ban/filter.d/sieve.conf' +maybe chmod 0644 'fail2ban/filter.d/sogo-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/solid-pop3d.conf' +maybe chmod 0644 'fail2ban/filter.d/squid.conf' +maybe chmod 0644 'fail2ban/filter.d/sshd-ddos.conf' +maybe chmod 0644 'fail2ban/filter.d/sshd.conf' +maybe chmod 0644 'fail2ban/filter.d/suhosin.conf' +maybe chmod 0644 'fail2ban/filter.d/uwimap-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/vsftpd.conf' +maybe chmod 0644 'fail2ban/filter.d/webmin-auth.conf' +maybe chmod 0644 'fail2ban/filter.d/wuftpd.conf' +maybe chmod 0644 'fail2ban/filter.d/xinetd-fail.conf' +maybe chmod 0644 'fail2ban/jail.conf' +maybe chmod 0755 'fail2ban/jail.d' +maybe chmod 0644 'fail2ban/jail.d/apache-jail.conf' +maybe chmod 0644 'fail2ban/jail.d/postfix.conf' +maybe chmod 0644 'fail2ban/jail.d/ssh.conf' +maybe chmod 0644 'fstab' +maybe chmod 0755 'ftp-backup' +maybe 
chmod 0644 'ftp-backup/backup-per-ftp.cfg' +maybe chown '1017' 'ftp-backup/backup-per-sftp.cfg' +maybe chgrp 'users' 'ftp-backup/backup-per-sftp.cfg' +maybe chmod 0644 'ftp-backup/backup-per-sftp.cfg' +maybe chown '1017' 'ftp-backup/id_rsa' +maybe chgrp 'users' 'ftp-backup/id_rsa' +maybe chmod 0600 'ftp-backup/id_rsa' +maybe chown '1017' 'ftp-backup/id_rsa.pub' +maybe chgrp 'users' 'ftp-backup/id_rsa.pub' +maybe chmod 0644 'ftp-backup/id_rsa.pub' +maybe chmod 0644 'gai.conf' +maybe chmod 0755 'groff' +maybe chmod 0644 'groff/man.local' +maybe chmod 0644 'groff/mdoc.local' +maybe chmod 0644 'group' +maybe chmod 0600 'group-' +maybe chmod 0755 'grub.d' +maybe chmod 0755 'grub.d/00_header' +maybe chmod 0755 'grub.d/05_debian_theme' +maybe chmod 0755 'grub.d/10_linux' +maybe chmod 0755 'grub.d/20_linux_xen' +maybe chmod 0755 'grub.d/30_os-prober' +maybe chmod 0755 'grub.d/30_uefi-firmware' +maybe chmod 0755 'grub.d/40_custom' +maybe chmod 0755 'grub.d/41_custom' +maybe chmod 0644 'grub.d/README' +maybe chgrp 'shadow' 'gshadow' +maybe chmod 0640 'gshadow' +maybe chmod 0600 'gshadow-' +maybe chmod 0755 'gss' +maybe chmod 0755 'gss/mech.d' +maybe chmod 0644 'gss/mech.d/README' +maybe chmod 0644 'host.conf' +maybe chmod 0644 'hostname' +maybe chmod 0644 'hosts' +maybe chmod 0644 'hosts.allow' +maybe chmod 0644 'hosts.deny' +maybe chmod 0755 'init' +maybe chmod 0755 'init.d' +maybe chmod 0644 'init.d/README' +maybe chmod 0755 'init.d/acpid' +maybe chmod 0755 'init.d/aiccu' +maybe chmod 0755 'init.d/apache2' +maybe chmod 0755 'init.d/bind9' +maybe chmod 0755 'init.d/bootlogs' +maybe chmod 0755 'init.d/bootmisc.sh' +maybe chmod 0755 'init.d/checkfs.sh' +maybe chmod 0755 'init.d/checkroot-bootclean.sh' +maybe chmod 0755 'init.d/checkroot.sh' +maybe chmod 0755 'init.d/chrony' +maybe chmod 0755 'init.d/console-setup' +maybe chmod 0755 'init.d/cron' +maybe chmod 0755 'init.d/exim4' +maybe chmod 0755 'init.d/fail2ban' +maybe chmod 0755 'init.d/halt' +maybe chmod 0755 
'init.d/haveged' +maybe chmod 0755 'init.d/hostname.sh' +maybe chmod 0755 'init.d/hwclock.sh' +maybe chmod 0755 'init.d/kbd' +maybe chmod 0755 'init.d/keyboard-setup' +maybe chmod 0755 'init.d/keymap.sh' +maybe chmod 0755 'init.d/killprocs' +maybe chmod 0755 'init.d/kmod' +maybe chmod 0755 'init.d/lvm2' +maybe chmod 0755 'init.d/motd' +maybe chmod 0755 'init.d/mountall-bootclean.sh' +maybe chmod 0755 'init.d/mountall.sh' +maybe chmod 0755 'init.d/mountdevsubfs.sh' +maybe chmod 0755 'init.d/mountkernfs.sh' +maybe chmod 0755 'init.d/mountnfs-bootclean.sh' +maybe chmod 0755 'init.d/mountnfs.sh' +maybe chmod 0755 'init.d/netfilter-persistent' +maybe chmod 0755 'init.d/networking' +maybe chmod 0755 'init.d/postfix' +maybe chmod 0755 'init.d/procps' +maybe chmod 0755 'init.d/rc' +maybe chmod 0755 'init.d/rc.local' +maybe chmod 0755 'init.d/rcS' +maybe chmod 0755 'init.d/reboot' +maybe chmod 0755 'init.d/rmnologin' +maybe chmod 0755 'init.d/rsync' +maybe chmod 0755 'init.d/rsyslog' +maybe chmod 0755 'init.d/salt-minion' +maybe chmod 0755 'init.d/sendsigs' +maybe chmod 0755 'init.d/single' +maybe chmod 0644 'init.d/skeleton' +maybe chmod 0755 'init.d/ssh' +maybe chmod 0755 'init.d/sudo' +maybe chmod 0755 'init.d/udev' +maybe chmod 0755 'init.d/udev-finish' +maybe chmod 0755 'init.d/ulogd2' +maybe chmod 0755 'init.d/umountfs' +maybe chmod 0755 'init.d/umountnfs.sh' +maybe chmod 0755 'init.d/umountroot' +maybe chmod 0755 'init.d/urandom' +maybe chmod 0644 'init/network-interface-container.conf' +maybe chmod 0644 'init/network-interface-security.conf' +maybe chmod 0644 'init/network-interface.conf' +maybe chmod 0644 'init/networking.conf' +maybe chmod 0644 'init/salt-minion.conf' +maybe chmod 0644 'init/ssh.conf' +maybe chmod 0644 'init/startpar-bridge.conf' +maybe chmod 0644 'init/udev-fallback-graphics.conf' +maybe chmod 0644 'init/udev-finish.conf' +maybe chmod 0644 'init/udev.conf' +maybe chmod 0644 'init/udevmonitor.conf' +maybe chmod 0644 'init/udevtrigger.conf' +maybe 
chmod 0644 'init/ulogd2.conf' +maybe chmod 0755 'initramfs-tools' +maybe chmod 0755 'initramfs-tools/conf.d' +maybe chmod 0755 'initramfs-tools/hooks' +maybe chmod 0644 'initramfs-tools/initramfs.conf' +maybe chmod 0644 'initramfs-tools/modules' +maybe chmod 0755 'initramfs-tools/scripts' +maybe chmod 0755 'initramfs-tools/scripts/init-bottom' +maybe chmod 0755 'initramfs-tools/scripts/init-premount' +maybe chmod 0755 'initramfs-tools/scripts/init-top' +maybe chmod 0755 'initramfs-tools/scripts/local-bottom' +maybe chmod 0755 'initramfs-tools/scripts/local-premount' +maybe chmod 0755 'initramfs-tools/scripts/local-top' +maybe chmod 0755 'initramfs-tools/scripts/nfs-bottom' +maybe chmod 0755 'initramfs-tools/scripts/nfs-premount' +maybe chmod 0755 'initramfs-tools/scripts/nfs-top' +maybe chmod 0755 'initramfs-tools/scripts/panic' +maybe chmod 0644 'initramfs-tools/update-initramfs.conf' +maybe chmod 0644 'inittab' +maybe chmod 0644 'inittabminion' +maybe chmod 0644 'inputrc' +maybe chmod 0644 'inputrc.bak' +maybe chmod 0755 'insserv' +maybe chmod 0644 'insserv.conf' +maybe chmod 0755 'insserv.conf.d' +maybe chmod 0644 'insserv.conf.d/postfix' +maybe chmod 0755 'insserv/overrides' +maybe chmod 0755 'iproute2' +maybe chmod 0644 'iproute2/ematch_map' +maybe chmod 0644 'iproute2/group' +maybe chmod 0644 'iproute2/rt_dsfield' +maybe chmod 0644 'iproute2/rt_protos' +maybe chmod 0644 'iproute2/rt_realms' +maybe chmod 0644 'iproute2/rt_scopes' +maybe chmod 0644 'iproute2/rt_tables' +maybe chmod 0755 'iptables' +maybe chmod 0640 'iptables/rules.v4' +maybe chmod 0640 'iptables/rules.v6' +maybe chmod 0755 'iscsi' +maybe chmod 0600 'iscsi/iscsid.conf' +maybe chmod 0644 'issue' +maybe chmod 0644 'issue.net' +maybe chmod 0755 'kbd' +maybe chmod 0644 'kbd/config' +maybe chmod 0644 'kbd/remap' +maybe chmod 0755 'kernel' +maybe chmod 0644 'kernel-img.conf' +maybe chmod 0755 'kernel/postinst.d' +maybe chmod 0755 'kernel/postinst.d/apt-auto-removal' +maybe chmod 0755 
'kernel/postinst.d/initramfs-tools' +maybe chmod 0755 'kernel/postinst.d/zz-update-grub' +maybe chmod 0755 'kernel/postrm.d' +maybe chmod 0755 'kernel/postrm.d/initramfs-tools' +maybe chmod 0755 'kernel/postrm.d/zz-update-grub' +maybe chmod 0644 'ld.so.conf' +maybe chmod 0755 'ld.so.conf.d' +maybe chmod 0644 'ld.so.conf.d/libc.conf' +maybe chmod 0644 'ld.so.conf.d/x86_64-linux-gnu.conf' +maybe chmod 0755 'ldap' +maybe chmod 0644 'ldap/ldap.conf' +maybe chmod 0755 'letsencrypt' +maybe chmod 0700 'letsencrypt/accounts' +maybe chmod 0700 'letsencrypt/accounts/acme-v01.api.letsencrypt.org' +maybe chmod 0700 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory' +maybe chmod 0700 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/3de664d2ee4d2a37de88887e1ed54531' +maybe chmod 0644 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/3de664d2ee4d2a37de88887e1ed54531/meta.json' +maybe chmod 0400 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/3de664d2ee4d2a37de88887e1ed54531/private_key.json' +maybe chmod 0644 'letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/3de664d2ee4d2a37de88887e1ed54531/regr.json' +maybe chmod 0700 'letsencrypt/archive' +maybe chmod 0755 'letsencrypt/archive/ns1.uhu-banane.de' +maybe chmod 0644 'letsencrypt/archive/ns1.uhu-banane.de/cert1.pem' +maybe chmod 0644 'letsencrypt/archive/ns1.uhu-banane.de/chain1.pem' +maybe chmod 0644 'letsencrypt/archive/ns1.uhu-banane.de/fullchain1.pem' +maybe chmod 0644 'letsencrypt/archive/ns1.uhu-banane.de/privkey1.pem' +maybe chmod 0755 'letsencrypt/csr' +maybe chmod 0644 'letsencrypt/csr/0000_csr-certbot.pem' +maybe chmod 0700 'letsencrypt/keys' +maybe chmod 0600 'letsencrypt/keys/0000_key-certbot.pem' +maybe chmod 0700 'letsencrypt/live' +maybe chmod 0755 'letsencrypt/live/ns1.uhu-banane.de' +maybe chmod 0644 'letsencrypt/options-ssl-apache.conf' +maybe chmod 0755 'letsencrypt/renewal' +maybe chmod 0755 'letsencrypt/renewal/ns1.uhu-banane.de.conf' +maybe chmod 0644 
'lftp.conf' +maybe chmod 0644 'libaudit.conf' +maybe chmod 0644 'locale.alias' +maybe chmod 0644 'locale.gen' +maybe chmod 0644 'locale.gen.bak' +maybe chmod 0644 'localtime' +maybe chmod 0755 'logcheck' +maybe chmod 0755 'logcheck/ignore.d.server' +maybe chmod 0755 'logcheck/ignore.d.server/libsasl2-modules' +maybe chmod 0644 'logcheck/ignore.d.server/rsyslog' +maybe chmod 0644 'login.defs' +maybe chmod 0644 'logrotate.conf' +maybe chmod 0755 'logrotate.d' +maybe chmod 0644 'logrotate.d/apache2' +maybe chmod 0644 'logrotate.d/apt' +maybe chmod 0644 'logrotate.d/aptitude' +maybe chmod 0644 'logrotate.d/bind' +maybe chmod 0644 'logrotate.d/chrony' +maybe chmod 0644 'logrotate.d/dpkg' +maybe chmod 0644 'logrotate.d/exim4-base' +maybe chmod 0644 'logrotate.d/exim4-paniclog' +maybe chmod 0644 'logrotate.d/fail2ban' +maybe chmod 0644 'logrotate.d/rsyslog' +maybe chmod 0644 'logrotate.d/salt-common' +maybe chmod 0644 'logrotate.d/ulogd2' +maybe chmod 0755 'logwatch' +maybe chmod 0755 'logwatch/conf' +maybe chmod 0755 'logwatch/conf/logfiles' +maybe chmod 0755 'logwatch/conf/services' +maybe chmod 0755 'logwatch/scripts' +maybe chmod 0755 'logwatch/scripts/services' +maybe chmod 0755 'lvm' +maybe chmod 0700 'lvm/archive' +maybe chmod 0700 'lvm/backup' +maybe chmod 0600 'lvm/backup/vg00' +maybe chmod 0644 'lvm/lvm.conf' +maybe chmod 0444 'machine-id' +maybe chmod 0644 'magic' +maybe chmod 0644 'magic.mime' +maybe chmod 0644 'mail.rc' +maybe chmod 0644 'mailcap' +maybe chmod 0644 'mailcap.order' +maybe chmod 0644 'mailname' +maybe chmod 0644 'manpath.config' +maybe chmod 0644 'mime.types' +maybe chmod 0644 'mke2fs.conf' +maybe chmod 0755 'modprobe.d' +maybe chmod 0644 'modprobe.d/fbdev-blacklist.conf' +maybe chmod 0644 'modules' +maybe chmod 0644 'motd' +maybe chmod 0644 'motd.tail' +maybe chmod 0755 'mysql' +maybe chmod 0755 'mysql/conf.d' +maybe chmod 0644 'mysql/conf.d/.keepme' +maybe chmod 0644 'mysql/conf.d/mariadb.cnf' +maybe chmod 0644 'mysql/my.cnf' +maybe chmod 
0644 'nanorc' +maybe chmod 0755 'network' +maybe chmod 0755 'network/if-down.d' +maybe chmod 0755 'network/if-down.d/bind9' +maybe chmod 0755 'network/if-down.d/postfix' +maybe chmod 0755 'network/if-down.d/upstart' +maybe chmod 0755 'network/if-post-down.d' +maybe chmod 0755 'network/if-pre-up.d' +maybe chmod 0755 'network/if-up.d' +maybe chmod 0755 'network/if-up.d/bind9' +maybe chmod 0755 'network/if-up.d/mountnfs' +maybe chmod 0755 'network/if-up.d/openssh-server' +maybe chmod 0755 'network/if-up.d/postfix' +maybe chmod 0755 'network/if-up.d/upstart' +maybe chmod 0644 'network/interfaces' +maybe chmod 0755 'network/interfaces.d' +maybe chmod 0644 'networks' +maybe chmod 0755 'newt' +maybe chmod 0644 'newt/palette.original' +maybe chmod 0644 'nsswitch.conf' +maybe chmod 0755 'opt' +maybe chmod 0644 'pam.conf' +maybe chmod 0755 'pam.d' +maybe chmod 0644 'pam.d/chfn' +maybe chmod 0644 'pam.d/chpasswd' +maybe chmod 0644 'pam.d/chsh' +maybe chmod 0644 'pam.d/common-account' +maybe chmod 0644 'pam.d/common-auth' +maybe chmod 0644 'pam.d/common-password' +maybe chmod 0644 'pam.d/common-session' +maybe chmod 0644 'pam.d/common-session-noninteractive' +maybe chmod 0644 'pam.d/cron' +maybe chmod 0644 'pam.d/login' +maybe chmod 0644 'pam.d/newusers' +maybe chmod 0644 'pam.d/other' +maybe chmod 0644 'pam.d/passwd' +maybe chmod 0644 'pam.d/runuser' +maybe chmod 0644 'pam.d/runuser-l' +maybe chmod 0644 'pam.d/sshd' +maybe chmod 0644 'pam.d/su' +maybe chmod 0644 'pam.d/sudo' +maybe chmod 0644 'pam.d/systemd-user' +maybe chmod 0644 'passwd' +maybe chmod 0644 'passwd-' +maybe chmod 0755 'perl' +maybe chmod 0755 'perl/CPAN' +maybe chmod 0755 'perl/Net' +maybe chmod 0644 'perl/Net/libnet.cfg' +maybe chmod 0644 'perl/sitecustomize.pl' +maybe chmod 0755 'pm' +maybe chmod 0755 'pm/sleep.d' +maybe chmod 0755 'pm/sleep.d/60aiccu' +maybe chmod 0755 'postfix' +maybe chmod 0644 'postfix/dynamicmaps.cf' +maybe chmod 0644 'postfix/main.cf' +maybe chmod 0644 'postfix/master.cf' +maybe chmod 
0744 'postfix/mkpostfixcert' +maybe chmod 0755 'postfix/post-install' +maybe chmod 0644 'postfix/postfix-cert.cnf' +maybe chmod 0644 'postfix/postfix-files' +maybe chmod 0755 'postfix/postfix-script' +maybe chmod 0600 'postfix/postfix.pem' +maybe chmod 0755 'postfix/sasl' +maybe chmod 0600 'postfix/smtp_auth' +maybe chmod 0600 'postfix/smtp_auth.db' +maybe chmod 0755 'ppp' +maybe chmod 0755 'ppp/ip-down.d' +maybe chmod 0755 'ppp/ip-down.d/bind9' +maybe chmod 0755 'ppp/ip-down.d/chrony' +maybe chmod 0755 'ppp/ip-down.d/postfix' +maybe chmod 0755 'ppp/ip-up.d' +maybe chmod 0755 'ppp/ip-up.d/bind9' +maybe chmod 0755 'ppp/ip-up.d/chrony' +maybe chmod 0755 'ppp/ip-up.d/exim4' +maybe chmod 0755 'ppp/ip-up.d/postfix' +maybe chmod 0644 'profile' +maybe chmod 0755 'profile.d' +maybe chmod 0644 'profile.d/Z97-byobu.sh' +maybe chmod 0644 'profile.d/bash_completion.sh' +maybe chmod 0644 'profile.d/fbrehm.sh' +maybe chmod 0644 'protocols' +maybe chmod 0755 'python' +maybe chmod 0644 'python/debian_config' +maybe chmod 0755 'python2.7' +maybe chmod 0644 'python2.7/sitecustomize.py' +maybe chmod 0755 'python3' +maybe chmod 0755 'python3.4' +maybe chmod 0644 'python3.4/sitecustomize.py' +maybe chmod 0644 'python3/debian_config' +maybe chmod 0755 'rc.local' +maybe chmod 0755 'rc0.d' +maybe chmod 0644 'rc0.d/README' +maybe chmod 0755 'rc1.d' +maybe chmod 0644 'rc1.d/README' +maybe chmod 0755 'rc2.d' +maybe chmod 0644 'rc2.d/README' +maybe chmod 0755 'rc3.d' +maybe chmod 0644 'rc3.d/README' +maybe chmod 0755 'rc4.d' +maybe chmod 0644 'rc4.d/README' +maybe chmod 0755 'rc5.d' +maybe chmod 0644 'rc5.d/README' +maybe chmod 0755 'rc6.d' +maybe chmod 0644 'rc6.d/README' +maybe chmod 0755 'rcS.d' +maybe chmod 0644 'rcS.d/README' +maybe chmod 0644 'resolv.conf' +maybe chmod 0755 'resolvconf' +maybe chmod 0755 'resolvconf/update-libc.d' +maybe chmod 0755 'resolvconf/update-libc.d/postfix' +maybe chmod 0755 'rmt' +maybe chmod 0644 'rpc' +maybe chmod 0644 'rsyslog.conf' +maybe chmod 0755 
'rsyslog.d' +maybe chmod 0644 'rsyslog.d/60-default.conf' +maybe chmod 0644 'rsyslog.d/70-pb.conf' +maybe chmod 0644 'rsyslog.d/postfix.conf' +maybe chmod 0755 'salt' +maybe chmod 0644 'salt/minion' +maybe chmod 0755 'salt/minion.d' +maybe chmod 0644 'salt/minion.d/_schedule.conf' +maybe chmod 0644 'salt/minion_id' +maybe chmod 0755 'salt/pki' +maybe chmod 0700 'salt/pki/minion' +maybe chmod 0400 'salt/pki/minion/minion.pem' +maybe chmod 0644 'salt/pki/minion/minion.pub' +maybe chmod 0644 'salt/pki/minion/minion_master.pub' +maybe chmod 0644 'salt/proxy' +maybe chmod 0644 'securetty' +maybe chmod 0755 'security' +maybe chmod 0644 'security/access.conf' +maybe chmod 0644 'security/group.conf' +maybe chmod 0644 'security/limits.conf' +maybe chmod 0755 'security/limits.d' +maybe chmod 0644 'security/namespace.conf' +maybe chmod 0755 'security/namespace.d' +maybe chmod 0755 'security/namespace.init' +maybe chmod 0600 'security/opasswd' +maybe chmod 0644 'security/pam_env.conf' +maybe chmod 0644 'security/sepermit.conf' +maybe chmod 0644 'security/time.conf' +maybe chmod 0755 'selinux' +maybe chmod 0644 'selinux/semanage.conf' +maybe chmod 0644 'services' +maybe chmod 0755 'sgml' +maybe chmod 0644 'sgml/xml-core.cat' +maybe chgrp 'shadow' 'shadow' +maybe chmod 0640 'shadow' +maybe chmod 0600 'shadow-' +maybe chmod 0644 'shells' +maybe chmod 0755 'skel' +maybe chmod 0644 'skel/.bash_logout' +maybe chmod 0644 'skel/.bashrc' +maybe chmod 0644 'skel/.profile' +maybe chmod 0755 'ssh' +maybe chmod 0644 'ssh/moduli' +maybe chmod 0644 'ssh/ssh_config' +maybe chmod 0600 'ssh/ssh_host_dsa_key' +maybe chmod 0644 'ssh/ssh_host_dsa_key.pub' +maybe chmod 0600 'ssh/ssh_host_ecdsa_key' +maybe chmod 0644 'ssh/ssh_host_ecdsa_key.pub' +maybe chmod 0600 'ssh/ssh_host_ed25519_key' +maybe chmod 0644 'ssh/ssh_host_ed25519_key.pub' +maybe chmod 0600 'ssh/ssh_host_rsa_key' +maybe chmod 0644 'ssh/ssh_host_rsa_key.pub' +maybe chmod 0644 'ssh/sshd_config' +maybe chmod 0755 'ssl' +maybe chmod 0755 
'ssl/certs' +maybe chmod 0644 'ssl/certs/ca-certificates.crt' +maybe chmod 0644 'ssl/certs/ssl-cert-snakeoil.pem' +maybe chmod 0644 'ssl/openssl.cnf' +maybe chgrp 'ssl-cert' 'ssl/private' +maybe chmod 0710 'ssl/private' +maybe chgrp 'ssl-cert' 'ssl/private/ssl-cert-snakeoil.key' +maybe chmod 0640 'ssl/private/ssl-cert-snakeoil.key' +maybe chmod 0644 'staff-group-for-usr-local' +maybe chmod 0644 'subgid' +maybe chmod 0600 'subgid-' +maybe chmod 0644 'subuid' +maybe chmod 0600 'subuid-' +maybe chmod 0440 'sudoers' +maybe chmod 0755 'sudoers.d' +maybe chmod 0440 'sudoers.d/README' +maybe chmod 0644 'sysctl.conf' +maybe chmod 0755 'sysctl.d' +maybe chmod 0644 'sysctl.d/README.sysctl' +maybe chmod 0755 'systemd' +maybe chmod 0644 'systemd/bootchart.conf' +maybe chmod 0644 'systemd/journald.conf' +maybe chmod 0644 'systemd/logind.conf' +maybe chmod 0644 'systemd/resolved.conf' +maybe chmod 0755 'systemd/system' +maybe chmod 0644 'systemd/system.conf' +maybe chmod 0755 'systemd/system/default.target.wants' +maybe chmod 0755 'systemd/system/getty.target.wants' +maybe chmod 0755 'systemd/system/halt.target.wants' +maybe chmod 0755 'systemd/system/local-fs.target.wants' +maybe chmod 0755 'systemd/system/multi-user.target.wants' +maybe chmod 0755 'systemd/system/paths.target.wants' +maybe chmod 0755 'systemd/system/poweroff.target.wants' +maybe chmod 0755 'systemd/system/reboot.target.wants' +maybe chmod 0755 'systemd/system/sockets.target.wants' +maybe chmod 0755 'systemd/system/sysinit.target.wants' +maybe chmod 0644 'systemd/timesyncd.conf' +maybe chmod 0644 'systemd/user.conf' +maybe chmod 0755 'terminfo' +maybe chmod 0644 'terminfo/README' +maybe chmod 0644 'timezone' +maybe chmod 0644 'ucf.conf' +maybe chmod 0755 'udev' +maybe chmod 0755 'udev/hwdb.d' +maybe chmod 0755 'udev/rules.d' +maybe chmod 0644 'udev/rules.d/80-cpu-hotplug.rules' +maybe chmod 0644 'udev/rules.d/90-memory-hotplug.rules' +maybe chmod 0644 'udev/udev.conf' +maybe chmod 0755 'ufw' +maybe chmod 0755 
'ufw/applications.d' +maybe chmod 0644 'ufw/applications.d/bind9' +maybe chmod 0644 'ufw/applications.d/openssh-server' +maybe chmod 0644 'ufw/applications.d/postfix' +maybe chmod 0600 'ulogd.conf' +maybe chmod 0644 'updatedb.conf' +maybe chmod 0755 'vim' +maybe chmod 0644 'vim/vimrc' +maybe chmod 0644 'vim/vimrc.local' +maybe chmod 0644 'vim/vimrc.tiny' +maybe chmod 0644 'wgetrc' +maybe chmod 0755 'xml' +maybe chmod 0644 'xml/catalog' +maybe chmod 0644 'xml/xml-core.xml' +maybe chmod 0755 'zsh' +maybe chmod 0644 'zsh/newuser.zshrc.recommended' +maybe chmod 0644 'zsh/zlogin' +maybe chmod 0644 'zsh/zlogout' +maybe chmod 0644 'zsh/zprofile' +maybe chmod 0644 'zsh/zshenv' +maybe chmod 0644 'zsh/zshrc' diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9196cf5 --- /dev/null +++ b/.gitignore @@ -0,0 +1,54 @@ +# begin section managed by etckeeper (do not edit this section by hand) + +# new and old versions of conffiles, stored by dpkg +*.dpkg-* +# new and old versions of conffiles, stored by ucf +*.ucf-* + +# old versions of files +*.old + +# mount(8) records system state here, no need to store these +blkid.tab +blkid.tab.old + +# some other files in /etc that typically do not need to be tracked +nologin +ld.so.cache +prelink.cache +mtab +mtab.fuselock +.pwd.lock +*.LOCK +network/run +adjtime +lvm/cache +lvm/archive +X11/xdm/authdir/authfiles/* +ntp.conf.dhcp +.initctl +webmin/fsdump/*.status +webmin/webmin/oscache +apparmor.d/cache/* +service/*/supervise/* +service/*/log/supervise/* +sv/*/supervise/* +sv/*/log/supervise/* +*.elc +*.pyc +*.pyo +init.d/.depend.* +openvpn/openvpn-status.log +cups/subscriptions.conf +cups/subscriptions.conf.O +fake-hwclock.data +check_mk/logwatch.state + +# editor temp files +*~ +.*.sw? +.sw? +\#*\# +DEADJOE + +# end section managed by etckeeper diff --git a/acpi/events/powerbtn-acpi-support b/acpi/events/powerbtn-acpi-support new file mode 100644 index 0000000..3dd9a7e --- /dev/null 
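Review bot: Nothing in this .gitignore keeps key material out of the repository. The .etckeeper metadata in the same commit lists `ssh/ssh_host_rsa_key`, `ftp-backup/id_rsa`, `letsencrypt/keys/0000_key-certbot.pem`, `salt/pki/minion/minion.pem`, `postfix/smtp_auth` and `shadow`, which suggests those files are committed as well. The modes recorded in .etckeeper (0600, 0400, 0640) apply only to the working tree, so anyone who can read or clone the repository can read the copies stored in git objects. Entries placed below `# end section managed by etckeeper` are outside the managed block, for example `ssh/ssh_host_*_key`, `shadow*` and `letsencrypt/keys/`. Any secret that has already been pushed should be treated as exposed and regenerated.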
+++ b/acpi/events/powerbtn-acpi-support
@@ -0,0 +1,2 @@
+event=button[ /]power
+action=/etc/acpi/powerbtn-acpi-support.sh
diff --git a/acpi/powerbtn-acpi-support.sh b/acpi/powerbtn-acpi-support.sh
new file mode 100755
index 0000000..ec66597
--- /dev/null
+++ b/acpi/powerbtn-acpi-support.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+# This script initiates a shutdown when the power putton has been
+# pressed. Loosely based on the sample that ships with the acpid package.
+# If the acpid sample is present as a real config file (as it was in earlier
+# versions of acpid), we skip this script. (Purging and reinstalling acpid
+# resolves this situation, or simply deleting /etc/acpi/events/powerbtn.)
+
+if [ -f /etc/acpi/events/powerbtn -o -f /etc/acpi/events/powerbtn.dpkg-bak ] ; then
+ logger Acpi-support not handling power button, acpid handler exists at /etc/acpi/events/powerbtn or /etc/acpi/events/powerbtn.dpkg-bak.
+ exit 0
+fi
+
+[ -e /usr/share/acpi-support/policy-funcs ] || exit 0
+
+. /usr/share/acpi-support/policy-funcs
+
+if { CheckPolicy || HasLogindAndSystemd1Manager; }; then
+ exit 0
+fi
+
+if [ -x /etc/acpi/powerbtn.sh ] ; then
+ # Compatibility with old config script from acpid package
+ /etc/acpi/powerbtn.sh
+elif [ -x /etc/acpi/powerbtn.sh.dpkg-bak ] ; then
+ # Compatibility with old config script from acpid package
+ # which is still around because it was changed by the admin
+ /etc/acpi/powerbtn.sh.dpkg-bak
+else
+ # Normal handling.
+ /sbin/shutdown -h -P now "Power button pressed"
+fi
+
diff --git a/adduser.conf b/adduser.conf
new file mode 100644
index 0000000..1626c04
--- /dev/null
+++ b/adduser.conf
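Review bot: The first test in powerbtn-acpi-support.sh joins two `-f` checks with `-o`, which POSIX marks obsolescent and which can parse ambiguously; `if [ -f /etc/acpi/events/powerbtn ] || [ -f /etc/acpi/events/powerbtn.dpkg-bak ]; then` is the portable form. The `logger` call on the next line passes its message as unquoted words, so quoting it as a single argument is tidier. The fallback branches run `/etc/acpi/powerbtn.sh` or its `.dpkg-bak` copy whenever they are executable, presumably with acpid's privileges. Leftover backup scripts at those paths should therefore be root-owned, not group- or world-writable, and removed when no longer needed. The file looks like a packaged conffile, so local edits will diverge from the package version.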
@@ -0,0 +1,85 @@
+# /etc/adduser.conf: `adduser' configuration.
+# See adduser(8) and adduser.conf(5) for full documentation.
+
+# The DSHELL variable specifies the default login shell on your
+# system.
+DSHELL=/bin/bash
+
+# The DHOME variable specifies the directory containing users' home
+# directories.
+DHOME=/home
+
+# If GROUPHOMES is "yes", then the home directories will be created as
+# /home/groupname/user.
+GROUPHOMES=no
+
+# If LETTERHOMES is "yes", then the created home directories will have
+# an extra directory - the first letter of the user name. For example:
+# /home/u/user.
+LETTERHOMES=no
+
+# The SKEL variable specifies the directory containing "skeletal" user
+# files; in other words, files such as a sample .profile that will be
+# copied to the new user's home directory when it is created.
+SKEL=/etc/skel
+
+# FIRST_SYSTEM_[GU]ID to LAST_SYSTEM_[GU]ID inclusive is the range for UIDs
+# for dynamically allocated administrative and system accounts/groups.
+# Please note that system software, such as the users allocated by the base-passwd
+# package, may assume that UIDs less than 100 are unallocated.
+FIRST_SYSTEM_UID=100
+LAST_SYSTEM_UID=999
+
+FIRST_SYSTEM_GID=100
+LAST_SYSTEM_GID=999
+
+# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
+# allocated user accounts/groups.
+FIRST_UID=1000
+LAST_UID=29999
+
+FIRST_GID=1000
+LAST_GID=29999
+
+# The USERGROUPS variable can be either "yes" or "no". If "yes" each
+# created user will be given their own group to use as a default. If
+# "no", each created user will be placed in the group whose gid is
+# USERS_GID (see below).
+USERGROUPS=yes
+
+# If USERGROUPS is "no", then USERS_GID should be the GID of the group
+# `users' (or the equivalent group) on your system.
+USERS_GID=100
+
+# If DIR_MODE is set, directories will be created with the specified
+# mode. Otherwise the default mode 0755 will be used.
+DIR_MODE=0755
+
+# If SETGID_HOME is "yes" home directories for users with their own
+# group the setgid bit will be set. This was the default for
+# versions << 3.13 of adduser. Because it has some bad side effects we
+# no longer do this per default. If you want it nevertheless you can
+# still set it here.
+SETGID_HOME=no
+
+# If QUOTAUSER is set, a default quota will be set from that user with
+# `edquota -p QUOTAUSER newuser'
+QUOTAUSER=""
+
+# If SKEL_IGNORE_REGEX is set, adduser will ignore files matching this
+# regular expression when creating a new home directory
+SKEL_IGNORE_REGEX="dpkg-(old|new|dist|save)"
+
+# Set this if you want the --add_extra_groups option to adduser to add
+# new users to other groups.
+# This is the list of groups that new non-system users will be added to
+# Default:
+#EXTRA_GROUPS="dialout cdrom floppy audio video plugdev users"
+
+# If ADD_EXTRA_GROUPS is set to something non-zero, the EXTRA_GROUPS
+# option above will be default behavior for adding new, non-system users
+#ADD_EXTRA_GROUPS=1
+
+
+# check user and group names also against this regular expression.
+#NAME_REGEX="^[a-z][-a-z0-9_]*\$"
diff --git a/aiccu.conf b/aiccu.conf
new file mode 100644
index 0000000..662f7a7
--- /dev/null
+++ b/aiccu.conf
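Review bot: `DIR_MODE=0755` in adduser.conf makes every home directory that adduser creates readable and traversable by all local accounts. On a host that also stores per-user key files, `DIR_MODE=0750` (or `0700`) is the safer default, so that a file left group- or world-readable inside a home is not exposed to other accounts. The setting only affects newly created homes, so existing directories would need a separate `chmod`.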
@@ -0,0 +1,79 @@
+# Under control from debconf, please use 'dpkg-reconfigure aiccu' to reconfigure
+# AICCU Configuration
+
+# Login information (defaults: none)
+username FBT6-SIXXS
+password EMsiWgsus
+
+# Protocol and server to use for setting up the tunnel (defaults: none)
+protocol tic
+server tic.sixxs.net
+
+# Interface names to use (default: aiccu)
+# ipv6_interface is the name of the interface that will be used as a tunnel interface.
+# On *BSD the ipv6_interface should be set to gifX (eg gif0) for proto-41 tunnels
+# or tunX (eg tun0) for AYIYA tunnels.
+ipv6_interface sixxs
+
+# The tunnel_id to use (default: none)
+# (only required when there are multiple tunnels in the list)
+tunnel_id T50297
+
+# Be verbose? (default: false)
+verbose false
+
+# Daemonize? (default: true)
+# Set to false if you want to see any output
+# When true output goes to syslog
+#
+# WARNING: never run AICCU from DaemonTools or a similar automated
+# 'restart' tool/script. When AICCU does not start, it has a reason
+# not to start which it gives on either the stdout or in the (sys)log
+# file. The TIC server *will* automatically disable accounts which
+# are detected to run in this mode.
+#
+daemonize true
+
+# Automatic Login and Tunnel activation?
+automatic true
+
+# Require TLS?
+# When set to true, if TLS is not supported on the server
+# the TIC transaction will fail.
+# When set to false, it will try a starttls, when that is
+# not supported it will continue.
+# In any case if AICCU is build with TLS support it will
+# try to do a 'starttls' to the TIC server to see if that
+# is supported.
+requiretls false
+
+# PID File
+#pidfile /var/run/aiccu.pid
+
+# Add a default route (default: true)
+#defaultroute true
+
+# Script to run after setting up the interfaces (default: none)
+#setupscript /usr/local/etc/aiccu-subnets.sh
+
+# Make heartbeats (default true)
+# In general you don't want to turn this off
+# Of course only applies to AYIYA and heartbeat tunnels not to static ones
+#makebeats true
+
+# Don't configure anything (default: false)
+#noconfigure true
+
+# Behind NAT (default: false)
+# Notify the user that a NAT-kind network is detected
+#behindnat true
+
+# Local IPv4 Override (default: none)
+# Overrides the IPv4 parameter received from TIC
+# This allows one to configure a NAT into "DMZ" mode and then
+# forwarding the proto-41 packets to an internal host.
+#
+# This is only needed for static proto-41 tunnels!
+# AYIYA and heartbeat tunnels don't require this.
+#local_ipv4_override
+
diff --git a/aliases b/aliases
new file mode 100644
index 0000000..a0f99a5
--- /dev/null
+++ b/aliases
@@ -0,0 +1,49 @@
+# See man 5 aliases for format
+MAILER-DAEMON: postmaster
+postmaster: root
+root: frank
+
+# General redirections for pseudo accounts.
+adm: root
+bin: root
+daemon: root
+exim: root
+lp: root
+mail: root
+named: root
+nobody: root
+postfix: root
+
+# Well-known aliases -- these should be filled in!
+# root:
+# operator:
+
+# Standard RFC2142 aliases
+abuse: postmaster
+ftp: root
+hostmaster: root
+news: usenet
+noc: root
+security: root
+usenet: root
+uucp: root
+webmaster: root
+www: webmaster
+
+# trap decode to catch security attacks
+# decode: /dev/null
+
+# Persönliche Aliase
+
+# Frank Brehm
+frank: frank@brehm-online.com
+fbr: frank
+brehm: frank
+fbrehm: frank
+f.brehm: frank
+f-brehm: frank
+frank.brehm: frank
+frank-brehm: frank
+
+
+
diff --git a/aliases.db b/aliases.db
new file mode 100644
index 0000000..2275268
Binary files /dev/null and b/aliases.db differ
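Review bot: `requiretls false` in aiccu.conf lets the TIC login continue when the server does not offer STARTTLS, as the comment block above the setting describes. The `username`/`password` pair at the top of the file may then cross the network without transport protection; `requiretls true` makes the login fail instead. Committing the file also stores that password in clear text in the repository history, while .etckeeper restricts the on-disk copy to 0600. The credential should be rotated, and the file kept out of tracking with an `aiccu.conf` entry below the managed section of .gitignore.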
diff --git a/alternatives/Mail b/alternatives/Mail new file mode 120000 index 0000000..20f6356 --- /dev/null +++ b/alternatives/Mail @@ -0,0 +1 @@ +/usr/bin/bsd-mailx \ No newline at end of file diff --git a/alternatives/Mail.1.gz b/alternatives/Mail.1.gz new file mode 120000 index 0000000..8f9c194 --- /dev/null +++ b/alternatives/Mail.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/bsd-mailx.1.gz \ No newline at end of file diff --git a/alternatives/README b/alternatives/README new file mode 100644 index 0000000..54ef740 --- /dev/null +++ b/alternatives/README @@ -0,0 +1,2 @@ +Please read the update-alternatives(8) man page for information on this +directory and its contents. diff --git a/alternatives/aptitude b/alternatives/aptitude new file mode 120000 index 0000000..92636dd --- /dev/null +++ b/alternatives/aptitude @@ -0,0 +1 @@ +/usr/bin/aptitude-curses \ No newline at end of file diff --git a/alternatives/aptitude.8.gz b/alternatives/aptitude.8.gz new file mode 120000 index 0000000..7640372 --- /dev/null +++ b/alternatives/aptitude.8.gz @@ -0,0 +1 @@ +/usr/share/man/man8/aptitude-curses.8.gz \ No newline at end of file diff --git a/alternatives/aptitude.cs.8.gz b/alternatives/aptitude.cs.8.gz new file mode 120000 index 0000000..3d3cfd8 --- /dev/null +++ b/alternatives/aptitude.cs.8.gz @@ -0,0 +1 @@ +/usr/share/man/cs/man8/aptitude-curses.8.gz \ No newline at end of file diff --git a/alternatives/aptitude.de.8.gz b/alternatives/aptitude.de.8.gz new file mode 120000 index 0000000..677c423 --- /dev/null +++ b/alternatives/aptitude.de.8.gz @@ -0,0 +1 @@ +/usr/share/man/de/man8/aptitude-curses.8.gz \ No newline at end of file diff --git a/alternatives/aptitude.es.8.gz b/alternatives/aptitude.es.8.gz new file mode 120000 index 0000000..e9553a1 --- /dev/null +++ b/alternatives/aptitude.es.8.gz @@ -0,0 +1 @@ +/usr/share/man/es/man8/aptitude-curses.8.gz \ No newline at end of file 
diff --git a/alternatives/aptitude.fi.8.gz b/alternatives/aptitude.fi.8.gz new file mode 120000 index 0000000..7527ff1 --- /dev/null +++ b/alternatives/aptitude.fi.8.gz @@ -0,0 +1 @@ +/usr/share/man/fi/man8/aptitude-curses.8.gz \ No newline at end of file diff --git a/alternatives/aptitude.fr.8.gz b/alternatives/aptitude.fr.8.gz new file mode 120000 index 0000000..8732b80 --- /dev/null +++ b/alternatives/aptitude.fr.8.gz @@ -0,0 +1 @@ +/usr/share/man/fr/man8/aptitude-curses.8.gz \ No newline at end of file diff --git a/alternatives/aptitude.gl.8.gz b/alternatives/aptitude.gl.8.gz new file mode 120000 index 0000000..1be1613 --- /dev/null +++ b/alternatives/aptitude.gl.8.gz @@ -0,0 +1 @@ +/usr/share/man/gl/man8/aptitude-curses.8.gz \ No newline at end of file diff --git a/alternatives/aptitude.it.8.gz b/alternatives/aptitude.it.8.gz new file mode 120000 index 0000000..aa24c32 --- /dev/null +++ b/alternatives/aptitude.it.8.gz @@ -0,0 +1 @@ +/usr/share/man/it/man8/aptitude-curses.8.gz \ No newline at end of file diff --git a/alternatives/aptitude.ja.8.gz b/alternatives/aptitude.ja.8.gz new file mode 120000 index 0000000..0fadf14 --- /dev/null +++ b/alternatives/aptitude.ja.8.gz @@ -0,0 +1 @@ +/usr/share/man/ja/man8/aptitude-curses.8.gz \ No newline at end of file diff --git a/alternatives/aptitude.pl.8.gz b/alternatives/aptitude.pl.8.gz new file mode 120000 index 0000000..1370bf5 --- /dev/null +++ b/alternatives/aptitude.pl.8.gz @@ -0,0 +1 @@ +/usr/share/man/pl/man8/aptitude-curses.8.gz \ No newline at end of file diff --git a/alternatives/awk b/alternatives/awk new file mode 120000 index 0000000..19ba657 --- /dev/null +++ b/alternatives/awk @@ -0,0 +1 @@ +/usr/bin/gawk \ No newline at end of file diff --git a/alternatives/awk.1.gz b/alternatives/awk.1.gz new file mode 120000 index 0000000..134262b --- /dev/null +++ b/alternatives/awk.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/gawk.1.gz \ No newline at end of file 
diff --git a/alternatives/builtins.7.gz b/alternatives/builtins.7.gz new file mode 120000 index 0000000..96d1b74 --- /dev/null +++ b/alternatives/builtins.7.gz @@ -0,0 +1 @@ +/usr/share/man/man7/bash-builtins.7.gz \ No newline at end of file diff --git a/alternatives/editor b/alternatives/editor new file mode 120000 index 0000000..1d112da --- /dev/null +++ b/alternatives/editor @@ -0,0 +1 @@ +/usr/bin/vim.basic \ No newline at end of file diff --git a/alternatives/editor.1.gz b/alternatives/editor.1.gz new file mode 120000 index 0000000..e02a6af --- /dev/null +++ b/alternatives/editor.1.gz @@ -0,0 +1 @@ +/usr/share/man/man1/vim.1.gz \ No newline at end of file diff --git a/alternatives/editor.fr.1.gz b/alternatives/editor.fr.1.gz new file mode 120000 index 0000000..af52858 --- /dev/null +++ b/alternatives/editor.fr.1.gz @@ -0,0 +1 @@ +/usr/share/man/fr/man1/vim.1.gz \ No newline at end of file diff --git a/alternatives/editor.it.1.gz b/alternatives/editor.it.1.gz new file mode 120000 index 0000000..4498a3d --- /dev/null +++ b/alternatives/editor.it.1.gz @@ -0,0 +1 @@ +/usr/share/man/it/man1/vim.1.gz \ No newline at end of file diff --git a/alternatives/editor.ja.1.gz b/alternatives/editor.ja.1.gz new file mode 120000 index 0000000..071acfb --- /dev/null +++ b/alternatives/editor.ja.1.gz @@ -0,0 +1 @@ +/usr/share/man/ja/man1/vim.1.gz \ No newline at end of file diff --git a/alternatives/editor.pl.1.gz b/alternatives/editor.pl.1.gz new file mode 120000 index 0000000..345590a --- /dev/null +++ b/alternatives/editor.pl.1.gz @@ -0,0 +1 @@ +/usr/share/man/pl/man1/vim.1.gz \ No newline at end of file diff --git a/alternatives/editor.ru.1.gz b/alternatives/editor.ru.1.gz new file mode 120000 index 0000000..ea9aa16 --- /dev/null +++ b/alternatives/editor.ru.1.gz @@ -0,0 +1 @@ +/usr/share/man/ru/man1/vim.1.gz \ No newline at end of file diff --git a/alternatives/ex b/alternatives/ex new file mode 120000 index 0000000..1d112da --- /dev/null +++ b/alternatives/ex 
@@ -0,0 +1 @@
+/usr/bin/vim.basic
\ No newline at end of file
diff --git a/alternatives/ex.1.gz b/alternatives/ex.1.gz
new file mode 120000
index 0000000..e02a6af
--- /dev/null
+++ b/alternatives/ex.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/ex.fr.1.gz b/alternatives/ex.fr.1.gz
new file mode 120000
index 0000000..af52858
--- /dev/null
+++ b/alternatives/ex.fr.1.gz
@@ -0,0 +1 @@
+/usr/share/man/fr/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/ex.it.1.gz b/alternatives/ex.it.1.gz
new file mode 120000
index 0000000..4498a3d
--- /dev/null
+++ b/alternatives/ex.it.1.gz
@@ -0,0 +1 @@
+/usr/share/man/it/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/ex.ja.1.gz b/alternatives/ex.ja.1.gz
new file mode 120000
index 0000000..071acfb
--- /dev/null
+++ b/alternatives/ex.ja.1.gz
@@ -0,0 +1 @@
+/usr/share/man/ja/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/ex.pl.1.gz b/alternatives/ex.pl.1.gz
new file mode 120000
index 0000000..345590a
--- /dev/null
+++ b/alternatives/ex.pl.1.gz
@@ -0,0 +1 @@
+/usr/share/man/pl/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/ex.ru.1.gz b/alternatives/ex.ru.1.gz
new file mode 120000
index 0000000..ea9aa16
--- /dev/null
+++ b/alternatives/ex.ru.1.gz
@@ -0,0 +1 @@
+/usr/share/man/ru/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/figlet b/alternatives/figlet
new file mode 120000
index 0000000..28ec836
--- /dev/null
+++ b/alternatives/figlet
@@ -0,0 +1 @@
+/usr/bin/figlet-figlet
\ No newline at end of file
diff --git a/alternatives/figlet.6.gz b/alternatives/figlet.6.gz
new file mode 120000
index 0000000..550fbfc
--- /dev/null
+++ b/alternatives/figlet.6.gz
@@ -0,0 +1 @@
+/usr/share/man/man6/figlet-figlet.6.gz
\ No newline at end of file
diff --git a/alternatives/from b/alternatives/from
new file mode 120000
index 0000000..3ee6643
--- /dev/null
+++ b/alternatives/from
@@ -0,0 +1 @@
+/usr/bin/bsd-from
\ No newline at end of file
diff --git a/alternatives/from.1.gz b/alternatives/from.1.gz
new file mode 120000
index 0000000..9c0d8d3
--- /dev/null
+++ b/alternatives/from.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/bsd-from.1.gz
\ No newline at end of file
diff --git a/alternatives/ftp b/alternatives/ftp
new file mode 120000
index 0000000..f0ae93f
--- /dev/null
+++ b/alternatives/ftp
@@ -0,0 +1 @@
+/usr/bin/netkit-ftp
\ No newline at end of file
diff --git a/alternatives/ftp.1.gz b/alternatives/ftp.1.gz
new file mode 120000
index 0000000..5b3a00b
--- /dev/null
+++ b/alternatives/ftp.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/netkit-ftp.1.gz
\ No newline at end of file
diff --git a/alternatives/lft b/alternatives/lft
new file mode 120000
index 0000000..cbc6006
--- /dev/null
+++ b/alternatives/lft
@@ -0,0 +1 @@
+/usr/bin/lft.db
\ No newline at end of file
diff --git a/alternatives/lft.1.gz b/alternatives/lft.1.gz
new file mode 120000
index 0000000..c1cf08c
--- /dev/null
+++ b/alternatives/lft.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/lft.db.1.gz
\ No newline at end of file
diff --git a/alternatives/locate b/alternatives/locate
new file mode 120000
index 0000000..b33f6cf
--- /dev/null
+++ b/alternatives/locate
@@ -0,0 +1 @@
+/usr/bin/mlocate
\ No newline at end of file
diff --git a/alternatives/locate.1.gz b/alternatives/locate.1.gz
new file mode 120000
index 0000000..8d4857d
--- /dev/null
+++ b/alternatives/locate.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/mlocate.1.gz
\ No newline at end of file
diff --git a/alternatives/lzcat b/alternatives/lzcat
new file mode 120000
index 0000000..1482e0d
--- /dev/null
+++ b/alternatives/lzcat
@@ -0,0 +1 @@
+/usr/bin/xzcat
\ No newline at end of file
diff --git a/alternatives/lzcat.1.gz b/alternatives/lzcat.1.gz
new file mode 120000
index 0000000..c078545
--- /dev/null
+++ b/alternatives/lzcat.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/xzcat.1.gz
\ No newline at end of file
diff --git a/alternatives/lzcmp b/alternatives/lzcmp
new file mode 120000
index 0000000..5cdef99
--- /dev/null
+++ b/alternatives/lzcmp
@@ -0,0 +1 @@
+/usr/bin/xzcmp
\ No newline at end of file
diff --git a/alternatives/lzcmp.1.gz b/alternatives/lzcmp.1.gz
new file mode 120000
index 0000000..f0bafbe
--- /dev/null
+++ b/alternatives/lzcmp.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/xzcmp.1.gz
\ No newline at end of file
diff --git a/alternatives/lzdiff b/alternatives/lzdiff
new file mode 120000
index 0000000..0e42921
--- /dev/null
+++ b/alternatives/lzdiff
@@ -0,0 +1 @@
+/usr/bin/xzdiff
\ No newline at end of file
diff --git a/alternatives/lzdiff.1.gz b/alternatives/lzdiff.1.gz
new file mode 120000
index 0000000..5687b0a
--- /dev/null
+++ b/alternatives/lzdiff.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/xzdiff.1.gz
\ No newline at end of file
diff --git a/alternatives/lzegrep b/alternatives/lzegrep
new file mode 120000
index 0000000..5fee024
--- /dev/null
+++ b/alternatives/lzegrep
@@ -0,0 +1 @@
+/usr/bin/xzegrep
\ No newline at end of file
diff --git a/alternatives/lzegrep.1.gz b/alternatives/lzegrep.1.gz
new file mode 120000
index 0000000..c9ad6de
--- /dev/null
+++ b/alternatives/lzegrep.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/xzegrep.1.gz
\ No newline at end of file
diff --git a/alternatives/lzfgrep b/alternatives/lzfgrep
new file mode 120000
index 0000000..1b64c1b
--- /dev/null
+++ b/alternatives/lzfgrep
@@ -0,0 +1 @@
+/usr/bin/xzfgrep
\ No newline at end of file
diff --git a/alternatives/lzfgrep.1.gz b/alternatives/lzfgrep.1.gz
new file mode 120000
index 0000000..b292ba9
--- /dev/null
+++ b/alternatives/lzfgrep.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/xzfgrep.1.gz
\ No newline at end of file
diff --git a/alternatives/lzgrep b/alternatives/lzgrep
new file mode 120000
index 0000000..05ef59b
--- /dev/null
+++ b/alternatives/lzgrep
@@ -0,0 +1 @@
+/usr/bin/xzgrep
\ No newline at end of file
diff --git a/alternatives/lzgrep.1.gz b/alternatives/lzgrep.1.gz
new file mode 120000
index 0000000..8ccd2c5
--- /dev/null
+++ b/alternatives/lzgrep.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/xzgrep.1.gz
\ No newline at end of file
diff --git a/alternatives/lzless b/alternatives/lzless
new file mode 120000
index 0000000..5415736
--- /dev/null
+++ b/alternatives/lzless
@@ -0,0 +1 @@
+/usr/bin/xzless
\ No newline at end of file
diff --git a/alternatives/lzless.1.gz b/alternatives/lzless.1.gz
new file mode 120000
index 0000000..bc81750
--- /dev/null
+++ b/alternatives/lzless.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/xzless.1.gz
\ No newline at end of file
diff --git a/alternatives/lzma b/alternatives/lzma
new file mode 120000
index 0000000..cdc9bb5
--- /dev/null
+++ b/alternatives/lzma
@@ -0,0 +1 @@
+/usr/bin/xz
\ No newline at end of file
diff --git a/alternatives/lzma.1.gz b/alternatives/lzma.1.gz
new file mode 120000
index 0000000..16e4bcc
--- /dev/null
+++ b/alternatives/lzma.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/xz.1.gz
\ No newline at end of file
diff --git a/alternatives/lzmore b/alternatives/lzmore
new file mode 120000
index 0000000..1fad361
--- /dev/null
+++ b/alternatives/lzmore
@@ -0,0 +1 @@
+/usr/bin/xzmore
\ No newline at end of file
diff --git a/alternatives/lzmore.1.gz b/alternatives/lzmore.1.gz
new file mode 120000
index 0000000..e79dfa4
--- /dev/null
+++ b/alternatives/lzmore.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/xzmore.1.gz
\ No newline at end of file
diff --git a/alternatives/mail b/alternatives/mail
new file mode 120000
index 0000000..20f6356
--- /dev/null
+++ b/alternatives/mail
@@ -0,0 +1 @@
+/usr/bin/bsd-mailx
\ No newline at end of file
diff --git a/alternatives/mail.1.gz b/alternatives/mail.1.gz
new file mode 120000
index 0000000..8f9c194
--- /dev/null
+++ b/alternatives/mail.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/bsd-mailx.1.gz
\ No newline at end of file
diff --git a/alternatives/mailx b/alternatives/mailx
new file mode 120000
index 0000000..20f6356
--- /dev/null
+++ b/alternatives/mailx
@@ -0,0 +1 @@
+/usr/bin/bsd-mailx
\ No newline at end of file
diff --git a/alternatives/mailx.1.gz b/alternatives/mailx.1.gz
new file mode 120000
index 0000000..8f9c194
--- /dev/null
+++ b/alternatives/mailx.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/bsd-mailx.1.gz
\ No newline at end of file
diff --git a/alternatives/mt b/alternatives/mt
new file mode 120000
index 0000000..46c2596
--- /dev/null
+++ b/alternatives/mt
@@ -0,0 +1 @@
+/bin/mt-gnu
\ No newline at end of file
diff --git a/alternatives/mt.1.gz b/alternatives/mt.1.gz
new file mode 120000
index 0000000..cac0e18
--- /dev/null
+++ b/alternatives/mt.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/mt-gnu.1.gz
\ No newline at end of file
diff --git a/alternatives/nawk b/alternatives/nawk
new file mode 120000
index 0000000..19ba657
--- /dev/null
+++ b/alternatives/nawk
@@ -0,0 +1 @@
+/usr/bin/gawk
\ No newline at end of file
diff --git a/alternatives/nawk.1.gz b/alternatives/nawk.1.gz
new file mode 120000
index 0000000..134262b
--- /dev/null
+++ b/alternatives/nawk.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/gawk.1.gz
\ No newline at end of file
diff --git a/alternatives/nc b/alternatives/nc
new file mode 120000
index 0000000..242a418
--- /dev/null
+++ b/alternatives/nc
@@ -0,0 +1 @@
+/bin/nc.traditional
\ No newline at end of file
diff --git a/alternatives/nc.1.gz b/alternatives/nc.1.gz
new file mode 120000
index 0000000..c8fdfa9
--- /dev/null
+++ b/alternatives/nc.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/nc.traditional.1.gz
\ No newline at end of file
diff --git a/alternatives/netcat b/alternatives/netcat
new file mode 120000
index 0000000..242a418
--- /dev/null
+++ b/alternatives/netcat
@@ -0,0 +1 @@
+/bin/nc.traditional
\ No newline at end of file
diff --git a/alternatives/netcat.1.gz b/alternatives/netcat.1.gz
new file mode 120000
index 0000000..c8fdfa9
--- /dev/null
+++ b/alternatives/netcat.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/nc.traditional.1.gz
\ No newline at end of file
diff --git a/alternatives/pager b/alternatives/pager
new file mode 120000
index 0000000..cbce297
--- /dev/null
+++ b/alternatives/pager
@@ -0,0 +1 @@
+/bin/less
\ No newline at end of file
diff --git a/alternatives/pager.1.gz b/alternatives/pager.1.gz
new file mode 120000
index 0000000..c1430af
--- /dev/null
+++ b/alternatives/pager.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/less.1.gz
\ No newline at end of file
diff --git a/alternatives/pbr b/alternatives/pbr
new file mode 120000
index 0000000..a1a51d1
--- /dev/null
+++ b/alternatives/pbr
@@ -0,0 +1 @@
+/usr/bin/python2-pbr
\ No newline at end of file
diff --git a/alternatives/pico b/alternatives/pico
new file mode 120000
index 0000000..7a06612
--- /dev/null
+++ b/alternatives/pico
@@ -0,0 +1 @@
+/bin/nano
\ No newline at end of file
diff --git a/alternatives/pico.1.gz b/alternatives/pico.1.gz
new file mode 120000
index 0000000..bb2d082
--- /dev/null
+++ b/alternatives/pico.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/nano.1.gz
\ No newline at end of file
diff --git a/alternatives/rcp b/alternatives/rcp
new file mode 120000
index 0000000..594df9e
--- /dev/null
+++ b/alternatives/rcp
@@ -0,0 +1 @@
+/usr/bin/scp
\ No newline at end of file
diff --git a/alternatives/rcp.1.gz b/alternatives/rcp.1.gz
new file mode 120000
index 0000000..63bfff3
--- /dev/null
+++ b/alternatives/rcp.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/scp.1.gz
\ No newline at end of file
diff --git a/alternatives/rename b/alternatives/rename
new file mode 120000
index 0000000..97ed95d
--- /dev/null
+++ b/alternatives/rename
@@ -0,0 +1 @@
+/usr/bin/file-rename
\ No newline at end of file
diff --git a/alternatives/rename.1.gz b/alternatives/rename.1.gz
new file mode 120000
index 0000000..af4cffb
--- /dev/null
+++ b/alternatives/rename.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/file-rename.1p.gz
\ No newline at end of file
diff --git a/alternatives/rlogin b/alternatives/rlogin
new file mode 120000
index 0000000..8db89a8
--- /dev/null
+++ b/alternatives/rlogin
@@ -0,0 +1 @@
+/usr/bin/slogin
\ No newline at end of file
diff --git a/alternatives/rlogin.1.gz b/alternatives/rlogin.1.gz
new file mode 120000
index 0000000..be0c6db
--- /dev/null
+++ b/alternatives/rlogin.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/slogin.1.gz
\ No newline at end of file
diff --git a/alternatives/rmt b/alternatives/rmt
new file mode 120000
index 0000000..82958a9
--- /dev/null
+++ b/alternatives/rmt
@@ -0,0 +1 @@
+/usr/sbin/rmt-tar
\ No newline at end of file
diff --git a/alternatives/rmt.8.gz b/alternatives/rmt.8.gz
new file mode 120000
index 0000000..8c87e21
--- /dev/null
+++ b/alternatives/rmt.8.gz
@@ -0,0 +1 @@
+/usr/share/man/man8/rmt-tar.8.gz
\ No newline at end of file
diff --git a/alternatives/rsh b/alternatives/rsh
new file mode 120000
index 0000000..50a1cff
--- /dev/null
+++ b/alternatives/rsh
@@ -0,0 +1 @@
+/usr/bin/ssh
\ No newline at end of file
diff --git a/alternatives/rsh.1.gz b/alternatives/rsh.1.gz
new file mode 120000
index 0000000..b3b36c0
--- /dev/null
+++ b/alternatives/rsh.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/ssh.1.gz
\ No newline at end of file
diff --git a/alternatives/rview b/alternatives/rview
new file mode 120000
index 0000000..1d112da
--- /dev/null
+++ b/alternatives/rview
@@ -0,0 +1 @@
+/usr/bin/vim.basic
\ No newline at end of file
diff --git a/alternatives/rvim b/alternatives/rvim
new file mode 120000
index 0000000..1d112da
--- /dev/null
+++ b/alternatives/rvim
@@ -0,0 +1 @@
+/usr/bin/vim.basic
\ No newline at end of file
diff --git a/alternatives/rzsh b/alternatives/rzsh
new file mode 120000
index 0000000..3b005e7
--- /dev/null
+++ b/alternatives/rzsh
@@ -0,0 +1 @@
+/bin/zsh5
\ No newline at end of file
diff --git a/alternatives/rzsh.1.gz b/alternatives/rzsh.1.gz
new file mode 120000
index 0000000..15dffb2
--- /dev/null
+++ b/alternatives/rzsh.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/zsh.1.gz
\ No newline at end of file
diff --git a/alternatives/tcptraceroute b/alternatives/tcptraceroute
new file mode 120000
index 0000000..c828cd9
--- /dev/null
+++ b/alternatives/tcptraceroute
@@ -0,0 +1 @@
+/usr/sbin/tcptraceroute.db
\ No newline at end of file
diff --git a/alternatives/tcptraceroute.8.gz b/alternatives/tcptraceroute.8.gz
new file mode 120000
index 0000000..815a50c
--- /dev/null
+++ b/alternatives/tcptraceroute.8.gz
@@ -0,0 +1 @@
+/usr/share/man/man8/tcptraceroute.db.8.gz
\ No newline at end of file
diff --git a/alternatives/traceproto b/alternatives/traceproto
new file mode 120000
index 0000000..d6973c9
--- /dev/null
+++ b/alternatives/traceproto
@@ -0,0 +1 @@
+/usr/bin/traceproto.db
\ No newline at end of file
diff --git a/alternatives/traceproto.1.gz b/alternatives/traceproto.1.gz
new file mode 120000
index 0000000..3353595
--- /dev/null
+++ b/alternatives/traceproto.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/traceproto.db.1.gz
\ No newline at end of file
diff --git a/alternatives/traceroute b/alternatives/traceroute
new file mode 120000
index 0000000..fd69632
--- /dev/null
+++ b/alternatives/traceroute
@@ -0,0 +1 @@
+/usr/bin/traceroute.db
\ No newline at end of file
diff --git a/alternatives/traceroute.1.gz b/alternatives/traceroute.1.gz
new file mode 120000
index 0000000..e9586f9
--- /dev/null
+++ b/alternatives/traceroute.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/traceroute.db.1.gz
\ No newline at end of file
diff --git a/alternatives/traceroute.sbin b/alternatives/traceroute.sbin
new file mode 120000
index 0000000..fd69632
--- /dev/null
+++ b/alternatives/traceroute.sbin
@@ -0,0 +1 @@
+/usr/bin/traceroute.db
\ No newline at end of file
diff --git a/alternatives/traceroute6 b/alternatives/traceroute6
new file mode 120000
index 0000000..7958fcf
--- /dev/null
+++ b/alternatives/traceroute6
@@ -0,0 +1 @@
+/usr/bin/traceroute6.db
\ No newline at end of file
diff --git a/alternatives/traceroute6.1.gz b/alternatives/traceroute6.1.gz
new file mode 120000
index 0000000..7977291
--- /dev/null
+++ b/alternatives/traceroute6.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/traceroute6.db.1.gz
\ No newline at end of file
diff --git a/alternatives/unlzma b/alternatives/unlzma
new file mode 120000
index 0000000..c730a4a
--- /dev/null
+++ b/alternatives/unlzma
@@ -0,0 +1 @@
+/usr/bin/unxz
\ No newline at end of file
diff --git a/alternatives/unlzma.1.gz b/alternatives/unlzma.1.gz
new file mode 120000
index 0000000..c772f41
--- /dev/null
+++ b/alternatives/unlzma.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/unxz.1.gz
\ No newline at end of file
diff --git a/alternatives/updatedb b/alternatives/updatedb
new file mode 120000
index 0000000..a7598ba
--- /dev/null
+++ b/alternatives/updatedb
@@ -0,0 +1 @@
+/usr/bin/updatedb.mlocate
\ No newline at end of file
diff --git a/alternatives/vi b/alternatives/vi
new file mode 120000
index 0000000..1d112da
--- /dev/null
+++ b/alternatives/vi
@@ -0,0 +1 @@
+/usr/bin/vim.basic
\ No newline at end of file
diff --git a/alternatives/vi.1.gz b/alternatives/vi.1.gz
new file mode 120000
index 0000000..e02a6af
--- /dev/null
+++ b/alternatives/vi.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/vi.fr.1.gz b/alternatives/vi.fr.1.gz
new file mode 120000
index 0000000..af52858
--- /dev/null
+++ b/alternatives/vi.fr.1.gz
@@ -0,0 +1 @@
+/usr/share/man/fr/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/vi.it.1.gz b/alternatives/vi.it.1.gz
new file mode 120000
index 0000000..4498a3d
--- /dev/null
+++ b/alternatives/vi.it.1.gz
@@ -0,0 +1 @@
+/usr/share/man/it/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/vi.ja.1.gz b/alternatives/vi.ja.1.gz
new file mode 120000
index 0000000..071acfb
--- /dev/null
+++ b/alternatives/vi.ja.1.gz
@@ -0,0 +1 @@
+/usr/share/man/ja/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/vi.pl.1.gz b/alternatives/vi.pl.1.gz
new file mode 120000
index 0000000..345590a
--- /dev/null
+++ b/alternatives/vi.pl.1.gz
@@ -0,0 +1 @@
+/usr/share/man/pl/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/vi.ru.1.gz b/alternatives/vi.ru.1.gz
new file mode 120000
index 0000000..ea9aa16
--- /dev/null
+++ b/alternatives/vi.ru.1.gz
@@ -0,0 +1 @@
+/usr/share/man/ru/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/view b/alternatives/view
new file mode 120000
index 0000000..1d112da
--- /dev/null
+++ b/alternatives/view
@@ -0,0 +1 @@
+/usr/bin/vim.basic
\ No newline at end of file
diff --git a/alternatives/view.1.gz b/alternatives/view.1.gz
new file mode 120000
index 0000000..e02a6af
--- /dev/null
+++ b/alternatives/view.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/view.fr.1.gz b/alternatives/view.fr.1.gz
new file mode 120000
index 0000000..af52858
--- /dev/null
+++ b/alternatives/view.fr.1.gz
@@ -0,0 +1 @@
+/usr/share/man/fr/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/view.it.1.gz b/alternatives/view.it.1.gz
new file mode 120000
index 0000000..4498a3d
--- /dev/null
+++ b/alternatives/view.it.1.gz
@@ -0,0 +1 @@
+/usr/share/man/it/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/view.ja.1.gz b/alternatives/view.ja.1.gz
new file mode 120000
index 0000000..071acfb
--- /dev/null
+++ b/alternatives/view.ja.1.gz
@@ -0,0 +1 @@
+/usr/share/man/ja/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/view.pl.1.gz b/alternatives/view.pl.1.gz
new file mode 120000
index 0000000..345590a
--- /dev/null
+++ b/alternatives/view.pl.1.gz
@@ -0,0 +1 @@
+/usr/share/man/pl/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/view.ru.1.gz b/alternatives/view.ru.1.gz
new file mode 120000
index 0000000..ea9aa16
--- /dev/null
+++ b/alternatives/view.ru.1.gz
@@ -0,0 +1 @@
+/usr/share/man/ru/man1/vim.1.gz
\ No newline at end of file
diff --git a/alternatives/vim b/alternatives/vim
new file mode 120000
index 0000000..1d112da
--- /dev/null
+++ b/alternatives/vim
@@ -0,0 +1 @@
+/usr/bin/vim.basic
\ No newline at end of file
diff --git a/alternatives/vimdiff b/alternatives/vimdiff
new file mode 120000
index 0000000..1d112da
--- /dev/null
+++ b/alternatives/vimdiff
@@ -0,0 +1 @@
+/usr/bin/vim.basic
\ No newline at end of file
diff --git a/alternatives/w b/alternatives/w
new file mode 120000
index 0000000..11c34c4
--- /dev/null
+++ b/alternatives/w
@@ -0,0 +1 @@
+/usr/bin/w.procps
\ No newline at end of file
diff --git a/alternatives/w.1.gz b/alternatives/w.1.gz
new file mode 120000
index 0000000..7391b64
--- /dev/null
+++ b/alternatives/w.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/w.procps.1.gz
\ No newline at end of file
diff --git a/alternatives/write b/alternatives/write
new file mode 120000
index 0000000..121ab03
--- /dev/null
+++ b/alternatives/write
@@ -0,0 +1 @@
+/usr/bin/bsd-write
\ No newline at end of file
diff --git a/alternatives/write.1.gz b/alternatives/write.1.gz
new file mode 120000
index 0000000..9bcde45
--- /dev/null
+++ b/alternatives/write.1.gz
@@ -0,0 +1 @@
+/usr/share/man/man1/bsd-write.1.gz
\ No newline at end of file
diff --git a/alternatives/zsh b/alternatives/zsh
new file mode 120000
index 0000000..3b005e7
--- /dev/null
+++ b/alternatives/zsh
@@ -0,0 +1 @@
+/bin/zsh5
\ No newline at end of file
diff --git a/alternatives/zsh-usrbin b/alternatives/zsh-usrbin
new file mode 120000
index 0000000..3b005e7
--- /dev/null
+++ b/alternatives/zsh-usrbin
@@ -0,0 +1 @@
+/bin/zsh5
\ No newline at end of file
diff --git a/apache2/apache2.conf b/apache2/apache2.conf
new file mode 100644
index 0000000..baf6d8a
--- /dev/null
+++ b/apache2/apache2.conf
@@ -0,0 +1,221 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.4/ for detailed information about +# the directives and /usr/share/doc/apache2/README.Debian about Debian specific +# hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf-enabled +# | `-- *.conf +# `-- sites-enabled +# `-- *.conf +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections which can be +# customized anytime. +# +# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ +# directories contain particular configuration snippets which manage modules, +# global configuration fragments, or virtual host configurations, +# respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. 
See +# their respective man pages for detailed information. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration +# + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# NOTE! If you intend to place this on an NFS (or otherwise network) +# mounted filesystem then please read the Mutex documentation (available +# at ); +# you will save yourself a lot of trouble. +# +# Do NOT add a slash at the end of the directory path. +# +#ServerRoot "/etc/apache2" + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +Mutex file:${APACHE_LOCK_DIR} default + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +# +KeepAliveTimeout 5 + + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). 
+# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog ${APACHE_LOG_DIR}/error.log + +# +# LogLevel: Control the severity of messages logged to the error_log. +# Available values: trace8, ..., trace1, debug, info, notice, warn, +# error, crit, alert, emerg. +# It is also possible to configure the log level for particular modules, e.g. +# "LogLevel info ssl:warn" +# +LogLevel warn + +# Include module configuration: +IncludeOptional mods-enabled/*.load +IncludeOptional mods-enabled/*.conf + +# Include list of ports to listen on +Include ports.conf + + +# Sets the default security model of the Apache2 HTTPD server. It does +# not allow access to the root filesystem outside of /usr/share and /var/www. +# The former is used by web applications packaged in Debian, +# the latter may be used for local directories served by the web server. If +# your system is serving content from a sub-directory in /srv you must allow +# access here, or in any related virtual host. + + Options FollowSymLinks + AllowOverride None + Require all denied + + + + AllowOverride None + Require all granted + + + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + +# +# Options Indexes FollowSymLinks +# AllowOverride None +# Require all granted +# + + + + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. 
+# +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + + +# +# The following directives define some format nicknames for use with +# a CustomLog directive. +# +# These deviate from the Common Log Format definitions in that they use %O +# (the actual bytes sent including headers) instead of %b (the size of the +# requested file), because the latter makes it impossible to detect partial +# requests. +# +# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. +# Use mod_remoteip instead. +# +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %O" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent + +# Include of directories ignores editors' and dpkg's backup files, +# see README.Debian for details. + +# Include generic snippets of statements +IncludeOptional conf-enabled/*.conf + +# Include the virtual host configurations: +IncludeOptional sites-enabled/*.conf + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/conf-available/charset.conf b/apache2/conf-available/charset.conf new file mode 100644 index 0000000..8b0f415 --- /dev/null +++ b/apache2/conf-available/charset.conf @@ -0,0 +1,8 @@ +# Read the documentation before enabling AddDefaultCharset. +# In general, it is only a good idea if you know that all your files +# have this encoding. It will override any encoding given in the files +# in meta http-equiv or xml encoding tags. + +#AddDefaultCharset UTF-8 + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/conf-available/custom-log.conf b/apache2/conf-available/custom-log.conf new file mode 100755 index 0000000..6f0a244 --- /dev/null +++ b/apache2/conf-available/custom-log.conf 
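Review bot: `Options Indexes FollowSymLinks` in the third access block of the apache2.conf hunk turns on automatic directory listings for a tree that is also `Require all granted`, so any directory there without an index file exposes its contents. The container line of that block is not visible on this page, so the path it covers is only inferred from the comment above it (/usr/share and /var/www); I would drop `Indexes` there, i.e. `Options FollowSymLinks`, and enable listings only in the virtual host that needs them. `Timeout 300` is also generous for an internet-facing host because it lets slow clients hold connections for a long time; a lower value, or mod_reqtimeout limits, is worth considering.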
@@ -0,0 +1,12 @@ + +LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%T\" \"%v\" \"%f\"" full +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" \"%T\" \"%v\" \"%f\"" full_combined + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%T\" \"%v\" \"%f\" %I %O" full_io + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" vhostio + + +# vim: filetype=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/conf-available/localized-error-pages.conf b/apache2/conf-available/localized-error-pages.conf new file mode 100644 index 0000000..f188d80 --- /dev/null +++ b/apache2/conf-available/localized-error-pages.conf 
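Review bot: The file header for apache2/conf-available/custom-log.conf records `new file mode 100755`, while the other conf-available files shown here are 100644; a configuration snippet needs no execute bit, so it should be `chmod 0644` on the host before the next commit. The hunk also has no header comment, unlike the neighbouring snippets, so a line such as `# Extra LogFormat nicknames (full, full_combined, full_io, combinedio, vhostio) for site-specific access logs` would tell the next admin that this file is local and not shipped by the package. The formats add `%f`, which writes the resolved filesystem path of every request into the access log, so those logs should be kept as restricted as the error log.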
@@ -0,0 +1,81 @@ +# Customizable error responses come in three flavors: +# 1) plain text +# 2) local redirects +# 3) external redirects +# +# Some examples: +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html +# + +# +# Putting this all together, we can internationalize error responses. +# +# We use Alias to redirect any /error/HTTP_.html.var response to +# our collection of by-error message multi-language collections. We use +# includes to substitute the appropriate text. +# +# You can modify the messages' appearance without changing any of the +# default HTTP_.html.var files by adding the line: +# +#Alias /error/include/ "/your/include/path/" +# +# which allows you to create your own set of files by starting with the +# /usr/share/apache2/error/include/ files and copying them to /your/include/path/, +# even on a per-VirtualHost basis. If you include the Alias in the global server +# context, is has to come _before_ the 'Alias /error/ ...' line. +# +# The default include files will display your Apache version number and your +# ServerAdmin email address regardless of the setting of ServerSignature. +# +# WARNING: The configuration below will NOT work out of the box if you have a +# SetHandler directive in a context somewhere. Adding +# the following three lines AFTER the context should +# make it work in most cases: +# +# SetHandler none +# +# +# The internationalized error documents require mod_alias, mod_include +# and mod_negotiation. To activate them, uncomment the following 37 lines. 
+ +# +# +# +# +# Alias /error/ "/usr/share/apache2/error/" +# +# +# Options IncludesNoExec +# AddOutputFilter Includes html +# AddHandler type-map var +# Order allow,deny +# Allow from all +# LanguagePriority en cs de es fr it nl sv pt-br ro +# ForceLanguagePriority Prefer Fallback +# +# +# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var +# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var +# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var +# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var +# ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var +# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var +# ErrorDocument 410 /error/HTTP_GONE.html.var +# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var +# ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var +# ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var +# ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var +# ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var +# ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var +# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var +# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var +# ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var +# ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var +# +# +# + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/conf-available/other-vhosts-access-log.conf b/apache2/conf-available/other-vhosts-access-log.conf new file mode 100644 index 0000000..5e9f5e9 --- /dev/null +++ b/apache2/conf-available/other-vhosts-access-log.conf @@ -0,0 +1,4 @@ +# Define an access log for VirtualHosts that don't define their own logfile +CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/conf-available/security.conf b/apache2/conf-available/security.conf new file mode 100644 index 0000000..599333b --- /dev/null +++ b/apache2/conf-available/security.conf 
@@ -0,0 +1,74 @@
+#
+# Disable access to the entire file system except for the directories that
+# are explicitly allowed later.
+#
+# This currently breaks the configurations that come with some web application
+# Debian packages.
+#
+#
+# AllowOverride None
+# Order Deny,Allow
+# Deny from all
+#
+
+
+# Changing the following options will not really affect the security of the
+# server, but might make attacks slightly more difficult in some cases.
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minimal | Minor | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#ServerTokens Minimal
+ServerTokens OS
+#ServerTokens Full
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+#ServerSignature Off
+ServerSignature On
+
+#
+# Allow TRACE method
+#
+# Set to "extended" to also reflect the request body (only for testing and
+# diagnostic purposes).
+#
+# Set to one of: On | Off | extended
+TraceEnable Off
+#TraceEnable On
+
+#
+# Forbid access to version control directories
+#
+# If you use version control systems in your document root, you should
+# probably deny access to their directories. For example, for subversion:
+#
+#
+# Require all denied
+#
+
+#
+# Setting this header will prevent MSIE from interpreting files as something
+# else than declared by the content type in the HTTP headers.
+# Requires mod_headers to be enabled.
+# +#Header set X-Content-Type-Options: "nosniff" + +# +# Setting this header will prevent other sites from embedding pages from this +# site as frames. This defends against clickjacking attacks. +# Requires mod_headers to be enabled. +# +#Header set X-Frame-Options: "sameorigin" + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/conf-available/serve-cgi-bin.conf b/apache2/conf-available/serve-cgi-bin.conf new file mode 100644 index 0000000..b02782d --- /dev/null +++ b/apache2/conf-available/serve-cgi-bin.conf @@ -0,0 +1,20 @@ + + + Define ENABLE_USR_LIB_CGI_BIN + + + + Define ENABLE_USR_LIB_CGI_BIN + + + + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Require all granted + + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/apache2/conf-enabled/charset.conf b/apache2/conf-enabled/charset.conf new file mode 120000 index 0000000..4a6ca08 --- /dev/null +++ b/apache2/conf-enabled/charset.conf @@ -0,0 +1 @@ +../conf-available/charset.conf \ No newline at end of file diff --git a/apache2/conf-enabled/custom-log.conf b/apache2/conf-enabled/custom-log.conf new file mode 120000 index 0000000..bc5fa0f --- /dev/null +++ b/apache2/conf-enabled/custom-log.conf @@ -0,0 +1 @@ +../conf-available/custom-log.conf \ No newline at end of file diff --git a/apache2/conf-enabled/localized-error-pages.conf b/apache2/conf-enabled/localized-error-pages.conf new file mode 120000 index 0000000..6e5ddaf --- /dev/null +++ b/apache2/conf-enabled/localized-error-pages.conf @@ -0,0 +1 @@ +../conf-available/localized-error-pages.conf \ No newline at end of file diff --git a/apache2/conf-enabled/other-vhosts-access-log.conf b/apache2/conf-enabled/other-vhosts-access-log.conf new file mode 120000 index 0000000..8af91e5 --- /dev/null +++ b/apache2/conf-enabled/other-vhosts-access-log.conf @@ -0,0 +1 @@ +../conf-available/other-vhosts-access-log.conf \ No newline at end of file 
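Review bot: `ServerTokens OS` and `ServerSignature On` in the security.conf hunk advertise the server's version and OS type in the `Server` response header and in the footer of server-generated pages. The file's own comment concedes this is not a hard control, but it is free reconnaissance for anyone matching the host against known-vulnerable releases. Unless something depends on the banner, prefer `ServerTokens Prod` and `ServerSignature Off`. The two commented `Header set` lines at the end of the hunk (`X-Content-Type-Options: "nosniff"` and `X-Frame-Options: "sameorigin"`) are also worth enabling once mod_headers is loaded; whether it is loaded is not visible here.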
diff --git a/apache2/conf-enabled/security.conf b/apache2/conf-enabled/security.conf
new file mode 120000
index 0000000..036c97f
--- /dev/null
+++ b/apache2/conf-enabled/security.conf
@@ -0,0 +1 @@
+../conf-available/security.conf
\ No newline at end of file
diff --git a/apache2/conf-enabled/serve-cgi-bin.conf b/apache2/conf-enabled/serve-cgi-bin.conf
new file mode 120000
index 0000000..d917f68
--- /dev/null
+++ b/apache2/conf-enabled/serve-cgi-bin.conf
@@ -0,0 +1 @@
+../conf-available/serve-cgi-bin.conf
\ No newline at end of file
diff --git a/apache2/envvars b/apache2/envvars
new file mode 100644
index 0000000..91328ac
--- /dev/null
+++ b/apache2/envvars
@@ -0,0 +1,47 @@
+# envvars - default environment variables for apache2ctl
+
+# this won't be correct after changing uid
+unset HOME
+
+# for supporting multiple apache2 instances
+if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
+ SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}"
+else
+ SUFFIX=
+fi
+
+# Since there is no sane way to get the parsed apache2 config in scripts, some
+# settings are defined via environment variables and then used in apache2ctl,
+# /etc/init.d/apache2, /etc/logrotate.d/apache2, etc.
+export APACHE_RUN_USER=www-data
+export APACHE_RUN_GROUP=www-data
+# temporary state file location. This might be changed to /run in Wheezy+1
+export APACHE_PID_FILE=/var/run/apache2/apache2$SUFFIX.pid
+export APACHE_RUN_DIR=/var/run/apache2$SUFFIX
+export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX
+# Only /var/log/apache2 is handled by /etc/logrotate.d/apache2.
+export APACHE_LOG_DIR=/var/log/apache2$SUFFIX
+
+## The locale used by some modules like mod_dav
+export LANG=C
+## Uncomment the following line to use the system default locale instead:
+#. /etc/default/locale
+
+export LANG
+
+## The command to get the status for 'apache2ctl status'.
+## Some packages providing 'www-browser' need '--dump' instead of '-dump'.
+#export APACHE_LYNX='www-browser -dump'
+
+## If you need a higher file descriptor limit, uncomment and adjust the
+## following line (default is 8192):
+#APACHE_ULIMIT_MAX_FILES='ulimit -n 65536'
+
+## If you would like to pass arguments to the web server, add them below
+## to the APACHE_ARGUMENTS environment.
+#export APACHE_ARGUMENTS=''
+
+## Enable the debug mode for maintainer scripts.
+## This will produce a verbose output on package installations of web server modules and web application
+## installations which interact with Apache
+#export APACHE2_MAINTSCRIPT_DEBUG=1
diff --git a/apache2/magic b/apache2/magic
new file mode 100644
index 0000000..cdf9ac5
--- /dev/null
+++ b/apache2/magic
@@ -0,0 +1,935 @@ +# Magic data for mod_mime_magic (originally for file(1) command) +# +# The format is 4-5 columns: +# Column #1: byte number to begin checking from, ">" indicates continuation +# Column #2: type of data to match +# Column #3: contents of data to match +# Column #4: MIME type of result +# Column #5: MIME encoding of result (optional) + +#------------------------------------------------------------------------------ +# Localstuff: file(1) magic for locally observed files +# Add any locally observed files here. + +# Real Audio (Magic .ra\0375) +0 belong 0x2e7261fd audio/x-pn-realaudio +0 string .RMF application/vnd.rn-realmedia + +#video/x-pn-realvideo +#video/vnd.rn-realvideo +#application/vnd.rn-realmedia +# sigh, there are many mimes for that but the above are the most common. + +# Taken from magic, converted to magic.mime +# mime types according to http://www.geocities.com/nevilo/mod.htm: +# audio/it .it +# audio/x-zipped-it .itz +# audio/xm fasttracker modules +# audio/x-s3m screamtracker modules +# audio/s3m screamtracker modules +# audio/x-zipped-mod mdz +# audio/mod mod +# audio/x-mod All modules (mod, s3m, 669, mtm, med, xm, it, mdz, stm, itz, xmz, s3z) + +# Taken from loader code from mikmod version 2.14 +# by Steve McIntyre (stevem@chiark.greenend.org.uk) +# added title printing on 2003-06-24 +0 string MAS_UTrack_V00 +>14 string >/0 audio/x-mod +#audio/x-tracker-module + +#0 string UN05 MikMod UNI format module sound data + +0 string Extended\ Module: audio/x-mod +#audio/x-tracker-module +##>17 string >\0 Title: "%s" + +21 string/c \!SCREAM! audio/x-mod +#audio/x-screamtracker-module +21 string BMOD2STM audio/x-mod +#audio/x-screamtracker-module +1080 string M.K. audio/x-mod +#audio/x-protracker-module +#>0 string >\0 Title: "%s" +1080 string M!K! 
audio/x-mod +#audio/x-protracker-module +#>0 string >\0 Title: "%s" +1080 string FLT4 audio/x-mod +#audio/x-startracker-module +#>0 string >\0 Title: "%s" +1080 string FLT8 audio/x-mod +#audio/x-startracker-module +#>0 string >\0 Title: "%s" +1080 string 4CHN audio/x-mod +#audio/x-fasttracker-module +#>0 string >\0 Title: "%s" +1080 string 6CHN audio/x-mod +#audio/x-fasttracker-module +#>0 string >\0 Title: "%s" +1080 string 8CHN audio/x-mod +#audio/x-fasttracker-module +#>0 string >\0 Title: "%s" +1080 string CD81 audio/x-mod +#audio/x-oktalyzer-tracker-module +#>0 string >\0 Title: "%s" +1080 string OKTA audio/x-mod +#audio/x-oktalyzer-tracker-module +#>0 string >\0 Title: "%s" +# Not good enough. +#1082 string CH +#>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data +1080 string 16CN audio/x-mod +#audio/x-taketracker-module +#>0 string >\0 Title: "%s" +1080 string 32CN audio/x-mod +#audio/x-taketracker-module +#>0 string >\0 Title: "%s" + +# Impuse tracker module (it) +0 string IMPM audio/x-mod +#>4 string >\0 "%s" +#>40 leshort !0 compatible w/ITv%x +#>42 leshort !0 created w/ITv%x + +#------------------------------------------------------------------------------ +# end local stuff +#------------------------------------------------------------------------------ + +# xml based formats! + +# svg + +0 string \38 string \<\!DOCTYPE\040svg image/svg+xml + + +# xml +0 string \2 short 0xbabe application/java + +#------------------------------------------------------------------------------ +# audio: file(1) magic for sound formats +# +# from Jan Nicolai Langfeldt , +# + +# Sun/NeXT audio data +0 string .snd +>12 belong 1 audio/basic +>12 belong 2 audio/basic +>12 belong 3 audio/basic +>12 belong 4 audio/basic +>12 belong 5 audio/basic +>12 belong 6 audio/basic +>12 belong 7 audio/basic + +>12 belong 23 audio/x-adpcm + +# DEC systems (e.g. 
DECstation 5000) use a variant of the Sun/NeXT format +# that uses little-endian encoding and has a different magic number +# (0x0064732E in little-endian encoding). +0 lelong 0x0064732E +>12 lelong 1 audio/x-dec-basic +>12 lelong 2 audio/x-dec-basic +>12 lelong 3 audio/x-dec-basic +>12 lelong 4 audio/x-dec-basic +>12 lelong 5 audio/x-dec-basic +>12 lelong 6 audio/x-dec-basic +>12 lelong 7 audio/x-dec-basic +# compressed (G.721 ADPCM) +>12 lelong 23 audio/x-dec-adpcm + +# Bytes 0-3 of AIFF, AIFF-C, & 8SVX audio files are "FORM" +# AIFF audio data +8 string AIFF audio/x-aiff +# AIFF-C audio data +8 string AIFC audio/x-aiff +# IFF/8SVX audio data +8 string 8SVX audio/x-aiff + + + +# Creative Labs AUDIO stuff +# Standard MIDI data +0 string MThd audio/unknown +#>9 byte >0 (format %d) +#>11 byte >1 using %d channels +# Creative Music (CMF) data +0 string CTMF audio/unknown +# SoundBlaster instrument data +0 string SBI audio/unknown +# Creative Labs voice data +0 string Creative\ Voice\ File audio/unknown +## is this next line right? it came this way... +#>19 byte 0x1A +#>23 byte >0 - version %d +#>22 byte >0 \b.%d + +# [GRR 950115: is this also Creative Labs? Guessing that first line +# should be string instead of unknown-endian long...] 
+#0 long 0x4e54524b MultiTrack sound data +#0 string NTRK MultiTrack sound data +#>4 long x - version %ld + +# Microsoft WAVE format (*.wav) +# [GRR 950115: probably all of the shorts and longs should be leshort/lelong] +# Microsoft RIFF +0 string RIFF +# - WAVE format +>8 string WAVE audio/x-wav +>8 string/B AVI video/x-msvideo +# +>8 string CDRA image/x-coreldraw + +# AAC (aka MPEG-2 NBC) +0 beshort&0xfff6 0xfff0 audio/X-HX-AAC-ADTS +0 string ADIF audio/X-HX-AAC-ADIF +0 beshort&0xffe0 0x56e0 audio/MP4A-LATM +0 beshort 0x4De1 audio/MP4A-LATM + +# MPEG Layer 3 sound files +0 beshort&0xfffe =0xfffa audio/mpeg +#MP3 with ID3 tag +0 string ID3 audio/mpeg +# Ogg/Vorbis +0 string OggS application/ogg + +#------------------------------------------------------------------------------ +# c-lang: file(1) magic for C programs or various scripts +# + +# XPM icons (Greg Roelofs, newt@uchicago.edu) +# ideally should go into "images", but entries below would tag XPM as C source +0 string /*\ XPM image/x-xpmi 7bit + +# 3DS (3d Studio files) +#16 beshort 0x3d3d image/x-3ds + +# this first will upset you if you're a PL/1 shop... (are there any left?) 
+# in which case rm it; ascmagic will catch real C programs +# C or REXX program text +#0 string /* text/x-c +# C++ program text +#0 string // text/x-c++ + +#------------------------------------------------------------------------------ +# commands: file(1) magic for various shells and interpreters +# +#0 string :\ shell archive or commands for antique kernel text +0 string #!/bin/sh application/x-shellscript +0 string #!\ /bin/sh application/x-shellscript +0 string #!/bin/csh application/x-shellscript +0 string #!\ /bin/csh application/x-shellscript +# korn shell magic, sent by George Wu, gwu@clyde.att.com +0 string #!/bin/ksh application/x-shellscript +0 string #!\ /bin/ksh application/x-shellscript +0 string #!/bin/tcsh application/x-shellscript +0 string #!\ /bin/tcsh application/x-shellscript +0 string #!/usr/local/tcsh application/x-shellscript +0 string #!\ /usr/local/tcsh application/x-shellscript +0 string #!/usr/local/bin/tcsh application/x-shellscript +0 string #!\ /usr/local/bin/tcsh application/x-shellscript +# bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de) +0 string #!/bin/bash application/x-shellscript +0 string #!\ /bin/bash application/x-shellscript +0 string #!/usr/local/bin/bash application/x-shellscript +0 string #!\ /usr/local/bin/bash application/x-shellscript + +# +# zsh/ash/ae/nawk/gawk magic from cameron@cs.unsw.oz.au (Cameron Simpson) +0 string #!/bin/zsh application/x-shellscript +0 string #!/usr/bin/zsh application/x-shellscript +0 string #!/usr/local/bin/zsh application/x-shellscript +0 string #!\ /usr/local/bin/zsh application/x-shellscript +0 string #!/usr/local/bin/ash application/x-shellscript +0 string #!\ /usr/local/bin/ash application/x-shellscript +#0 string #!/usr/local/bin/ae Neil Brown's ae +#0 string #!\ /usr/local/bin/ae Neil Brown's ae +0 string #!/bin/nawk application/x-nawk +0 string #!\ /bin/nawk application/x-nawk +0 string #!/usr/bin/nawk application/x-nawk +0 string #!\ /usr/bin/nawk 
application/x-nawk +0 string #!/usr/local/bin/nawk application/x-nawk +0 string #!\ /usr/local/bin/nawk application/x-nawk +0 string #!/bin/gawk application/x-gawk +0 string #!\ /bin/gawk application/x-gawk +0 string #!/usr/bin/gawk application/x-gawk +0 string #!\ /usr/bin/gawk application/x-gawk +0 string #!/usr/local/bin/gawk application/x-gawk +0 string #!\ /usr/local/bin/gawk application/x-gawk +# +0 string #!/bin/awk application/x-awk +0 string #!\ /bin/awk application/x-awk +0 string #!/usr/bin/awk application/x-awk +0 string #!\ /usr/bin/awk application/x-awk +# update to distinguish from *.vcf files by Joerg Jenderek: joerg dot jenderek at web dot de +#0 regex BEGIN[[:space:]]*[{] application/x-awk + +# For Larry Wall's perl language. The ``eval'' line recognizes an +# outrageously clever hack for USG systems. +# Keith Waclena +0 string #!/bin/perl application/x-perl +0 string #!\ /bin/perl application/x-perl +0 string eval\ "exec\ /bin/perl application/x-perl +0 string #!/usr/bin/perl application/x-perl +0 string #!\ /usr/bin/perl application/x-perl +0 string eval\ "exec\ /usr/bin/perl application/x-perl +0 string #!/usr/local/bin/perl application/x-perl +0 string #!\ /usr/local/bin/perl application/x-perl +0 string eval\ "exec\ /usr/local/bin/perl application/x-perl + +#------------------------------------------------------------------------------ +# compress: file(1) magic for pure-compression formats (no archives) +# +# compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, whap, etc. +# +# Formats for various forms of compressed data +# Formats for "compress" proper have been moved into "compress.c", +# because it tries to uncompress it to figure out what's inside. 
+ +# standard unix compress +#0 string \037\235 application/x-compress + +# gzip (GNU zip, not to be confused with [Info-ZIP/PKWARE] zip archiver) +#0 string \037\213 application/x-gzip + +0 string PK\003\004 application/x-zip + +# RAR archiver (Greg Roelofs, newt@uchicago.edu) +0 string Rar! application/x-rar + +# According to gzip.h, this is the correct byte order for packed data. +0 string \037\036 application/octet-stream +# +# This magic number is byte-order-independent. +# +0 short 017437 application/octet-stream + +# XXX - why *two* entries for "compacted data", one of which is +# byte-order independent, and one of which is byte-order dependent? +# +# compacted data +0 short 0x1fff application/octet-stream +0 string \377\037 application/octet-stream +# huf output +0 short 0145405 application/octet-stream + +# Squeeze and Crunch... +# These numbers were gleaned from the Unix versions of the programs to +# handle these formats. Note that I can only uncrunch, not crunch, and +# I didn't have a crunched file handy, so the crunch number is untested. +# Keith Waclena +#0 leshort 0x76FF squeezed data (CP/M, DOS) +#0 leshort 0x76FE crunched data (CP/M, DOS) + +# Freeze +#0 string \037\237 Frozen file 2.1 +#0 string \037\236 Frozen file 1.0 (or gzip 0.5) + +# lzh? +#0 string \037\240 LZH compressed data + +257 string ustar\0 application/x-tar posix +257 string ustar\040\040\0 application/x-tar gnu + +0 short 070707 application/x-cpio +0 short 0143561 application/x-cpio swapped + +0 string = application/x-archive +0 string \! 
application/x-archive +>8 string debian application/x-debian-package + +#------------------------------------------------------------------------------ +# +# RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com) +# +0 beshort 0xedab +>2 beshort 0xeedb application/x-rpm + +0 lelong&0x8080ffff 0x0000081a application/x-arc lzw +0 lelong&0x8080ffff 0x0000091a application/x-arc squashed +0 lelong&0x8080ffff 0x0000021a application/x-arc uncompressed +0 lelong&0x8080ffff 0x0000031a application/x-arc packed +0 lelong&0x8080ffff 0x0000041a application/x-arc squeezed +0 lelong&0x8080ffff 0x0000061a application/x-arc crunched + +0 leshort 0xea60 application/x-arj + +# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) +2 string -lh0- application/x-lharc lh0 +2 string -lh1- application/x-lharc lh1 +2 string -lz4- application/x-lharc lz4 +2 string -lz5- application/x-lharc lz5 +# [never seen any but the last; -lh4- reported in comp.compression:] +2 string -lzs- application/x-lha lzs +2 string -lh\ - application/x-lha lh +2 string -lhd- application/x-lha lhd +2 string -lh2- application/x-lha lh2 +2 string -lh3- application/x-lha lh3 +2 string -lh4- application/x-lha lh4 +2 string -lh5- application/x-lha lh5 +2 string -lh6- application/x-lha lh6 +2 string -lh7- application/x-lha lh7 +# Shell archives +10 string #\ This\ is\ a\ shell\ archive application/octet-stream x-shell + +#------------------------------------------------------------------------------ +# frame: file(1) magic for FrameMaker files +# +# This stuff came on a FrameMaker demo tape, most of which is +# copyright, but this file is "published" as witness the following: +# +0 string \ +# +0 string/cB \14 byte 12 (OS/2 1.x format) +#>14 byte 64 (OS/2 2.x format) +#>14 byte 40 (Windows 3.x format) +#0 string IC icon +#0 string PI pointer +#0 string CI color icon +#0 string CP color pointer +#0 string BA bitmap array + +# CDROM Filesystems +32769 string CD001 application/x-iso9660 + +# Newer StuffIt 
archives (grant@netbsd.org) +0 string StuffIt application/x-stuffit +#>162 string >0 : %s + +# BinHex is the Macintosh ASCII-encoded file format (see also "apple") +# Daniel Quinlan, quinlan@yggdrasil.com +11 string must\ be\ converted\ with\ BinHex\ 4 application/mac-binhex40 +##>41 string x \b, version %.3s + + +#------------------------------------------------------------------------------ +# lisp: file(1) magic for lisp programs +# +# various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) +0 string ;; text/plain 8bit +# Emacs 18 - this is always correct, but not very magical. +0 string \012( application/x-elc +# Emacs 19 +0 string ;ELC\023\000\000\000 application/x-elc + +#------------------------------------------------------------------------------ +# mail.news: file(1) magic for mail and news +# +# There are tests to ascmagic.c to cope with mail and news. +0 string Relay-Version: message/rfc822 7bit +0 string #!\ rnews message/rfc822 7bit +0 string N#!\ rnews message/rfc822 7bit +0 string Forward\ to message/rfc822 7bit +0 string Pipe\ to message/rfc822 7bit +0 string Return-Path: message/rfc822 7bit +0 string Received: message/rfc822 +0 string Path: message/news 8bit +0 string Xref: message/news 8bit +0 string 
From: message/rfc822 7bit +0 string Article message/news 8bit +#------------------------------------------------------------------------------ +# msword: file(1) magic for MS Word files +# +# Contributor claims: +# Reversed-engineered MS Word magic numbers +# + +0 string \376\067\0\043 application/msword +0 string \320\317\021\340\241\261 application/msword +0 string \333\245-\0\0\0 application/msword + + + +#------------------------------------------------------------------------------ +# printer: file(1) magic for printer-formatted files +# + +# PostScript +0 string %! application/postscript +0 string \004%! application/postscript + +# Acrobat +# (due to clamen@cs.cmu.edu) +0 string %PDF- application/pdf + +#------------------------------------------------------------------------------ +# sc: file(1) magic for "sc" spreadsheet +# +38 string Spreadsheet application/x-sc + +#------------------------------------------------------------------------------ +# tex: file(1) magic for TeX files +# +# XXX - needs byte-endian stuff (big-endian and little-endian DVI?) +# +# From + +# Although we may know the offset of certain text fields in TeX DVI +# and font files, we can't use them reliably because they are not +# zero terminated. [but we do anyway, christos] +0 string \367\002 application/x-dvi +#0 string \367\203 TeX generic font data +#0 string \367\131 TeX packed font data +#0 string \367\312 TeX virtual font data +#0 string This\ is\ TeX, TeX transcript text +#0 string This\ is\ METAFONT, METAFONT transcript text + +# There is no way to detect TeX Font Metric (*.tfm) files without +# breaking them apart and reading the data. The following patterns +# match most *.tfm files generated by METAFONT or afm2tfm. 
+2 string \000\021 application/x-tex-tfm +2 string \000\022 application/x-tex-tfm +#>34 string >\0 (%s) + +# Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com) +0 string \\input\ texinfo text/x-texinfo +0 string This\ is\ Info\ file text/x-info + +# correct TeX magic for Linux (and maybe more) +# from Peter Tobias (tobias@server.et-inf.fho-emden.de) +# +0 leshort 0x02f7 application/x-dvi + +# RTF - Rich Text Format +0 string {\\rtf text/rtf + +#------------------------------------------------------------------------------ +# animation: file(1) magic for animation/movie formats +# +# animation formats, originally from vax@ccwf.cc.utexas.edu (VaX#n8) +# MPEG file +# MPEG sequences +0 belong 0x000001BA +>4 byte &0x40 video/mp2p +>4 byte ^0x40 video/mpeg +0 belong 0x000001BB video/mpeg +0 belong 0x000001B0 video/mp4v-es +0 belong 0x000001B5 video/mp4v-es +0 belong 0x000001B3 video/mpv +0 belong&0xFF5FFF1F 0x47400010 video/mp2t +0 belong 0x00000001 +>4 byte&0x1F 0x07 video/h264 + +# FLI animation format +0 leshort 0xAF11 video/fli +# FLC animation format +0 leshort 0xAF12 video/flc +# +# SGI and Apple formats +# Added ISO mimes +0 string MOVI video/sgi +4 string moov video/quicktime +4 string mdat video/quicktime +4 string wide video/quicktime +4 string skip video/quicktime +4 string free video/quicktime +4 string idsc image/x-quicktime +4 string idat image/x-quicktime +4 string pckg application/x-quicktime +4 string/B jP image/jp2 +4 string ftyp +>8 string isom video/mp4 +>8 string mp41 video/mp4 +>8 string mp42 video/mp4 +>8 string/B jp2 image/jp2 +>8 string 3gp video/3gpp +>8 string avc1 video/3gpp +>8 string mmp4 video/mp4 +>8 string/B M4A audio/mp4 +>8 string/B qt video/quicktime +# The contributor claims: +# I couldn't find a real magic number for these, however, this +# -appears- to work. Note that it might catch other files, too, +# so BE CAREFUL! 
+# +# Note that title and author appear in the two 20-byte chunks +# at decimal offsets 2 and 22, respectively, but they are XOR'ed with +# 255 (hex FF)! DL format SUCKS BIG ROCKS. +# +# DL file version 1 , medium format (160x100, 4 images/screen) +0 byte 1 video/unknown +0 byte 2 video/unknown +# +# Databases +# +# GDBM magic numbers +# Will be maintained as part of the GDBM distribution in the future. +# +0 belong 0x13579ace application/x-gdbm +0 lelong 0x13579ace application/x-gdbm +0 string GDBM application/x-gdbm +# +0 belong 0x061561 application/x-dbm +# +# Executables +# +0 string \177ELF +>16 leshort 0 application/octet-stream +>16 leshort 1 application/x-object +>16 leshort 2 application/x-executable +>16 leshort 3 application/x-sharedlib +>16 leshort 4 application/x-coredump +>16 beshort 0 application/octet-stream +>16 beshort 1 application/x-object +>16 beshort 2 application/x-executable +>16 beshort 3 application/x-sharedlib +>16 beshort 4 application/x-coredump +# +# DOS +0 string MZ application/x-dosexec +# +# KDE +0 string [KDE\ Desktop\ Entry] application/x-kdelnk +0 string \#\ KDE\ Config\ File application/x-kdelnk +# xmcd database file for kscd +0 string \#\ xmcd text/xmcd + +#------------------------------------------------------------------------------ +# pkgadd: file(1) magic for SysV R4 PKG Datastreams +# +0 string #\ PaCkAgE\ DaTaStReAm application/x-svr4-package + +#PNG Image Format +0 string \x89PNG image/png + +# MNG Video Format, +0 string \x8aMNG video/x-mng +0 string \x8aJNG video/x-jng + +#------------------------------------------------------------------------------ +# Hierarchical Data Format, used to facilitate scientific data exchange +# specifications at http://hdf.ncsa.uiuc.edu/ +#Hierarchical Data Format (version 4) data +0 belong 0x0e031301 application/x-hdf +#Hierarchical Data Format (version 5) data +0 string \211HDF\r\n\032 application/x-hdf + +# Adobe Photoshop +0 string 8BPS image/x-photoshop + +# Felix von Leitner +0 
string d8:announce application/x-bittorrent + + +# lotus 1-2-3 document +0 belong 0x00001a00 application/x-123 +0 belong 0x00000200 application/x-123 + +# MS Access database +4 string Standard\ Jet\ DB application/msaccess + +## magic for XBase files +#0 byte 0x02 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x03 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x04 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x05 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x30 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x43 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x7b +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x83 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x8b +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x8e +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0xb3 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0xf5 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 leshort 0x0006 application/x-dbt + +# Debian has entries for the old PGP formats: +# pgp: file(1) magic for Pretty Good Privacy +# see http://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html +#text/PGP key public ring +0 beshort 0x9900 application/pgp +#text/PGP key security ring +0 beshort 0x9501 application/pgp +#text/PGP key security ring +0 beshort 0x9500 application/pgp +#text/PGP encrypted data +0 beshort 0xa600 application/pgp-encrypted +#text/PGP armored data +##public key block +2 string ---BEGIN\ PGP\ PUBLIC\ KEY\ BLOCK- application/pgp-keys +0 string -----BEGIN\040PGP\40MESSAGE- application/pgp +0 string -----BEGIN\040PGP\40SIGNATURE- application/pgp-signature +# +# GnuPG Magic: +# +# +#text/GnuPG key public ring +0 beshort 0x9901 application/pgp +#text/OpenPGP data +0 beshort 0x8501 application/pgp-encrypted + +# flash: file(1) magic for Macromedia Flash file format +# +# See +# +# 
http://www.macromedia.com/software/flash/open/ +# +0 string FWS +>3 byte x application/x-shockwave-flash + +# The following paramaters are created for Namazu. +# +# +# 1999/08/13 +#0 string \ + + + + + + + + + + + + + + + + + + diff --git a/dbus-1/system.d/org.freedesktop.locale1.conf b/dbus-1/system.d/org.freedesktop.locale1.conf new file mode 100644 index 0000000..79d0ecd --- /dev/null +++ b/dbus-1/system.d/org.freedesktop.locale1.conf @@ -0,0 +1,27 @@ + + + + + + + + + + + + + + + + + + + diff --git a/dbus-1/system.d/org.freedesktop.login1.conf b/dbus-1/system.d/org.freedesktop.login1.conf new file mode 100644 index 0000000..1318328 --- /dev/null +++ b/dbus-1/system.d/org.freedesktop.login1.conf @@ -0,0 +1,186 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dbus-1/system.d/org.freedesktop.machine1.conf b/dbus-1/system.d/org.freedesktop.machine1.conf new file mode 100644 index 0000000..3a77c70 --- /dev/null +++ b/dbus-1/system.d/org.freedesktop.machine1.conf @@ -0,0 +1,66 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dbus-1/system.d/org.freedesktop.systemd1.conf b/dbus-1/system.d/org.freedesktop.systemd1.conf new file mode 100644 index 0000000..9dfca81 --- /dev/null +++ b/dbus-1/system.d/org.freedesktop.systemd1.conf @@ -0,0 +1,100 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/dbus-1/system.d/org.freedesktop.timedate1.conf b/dbus-1/system.d/org.freedesktop.timedate1.conf new file mode 100644 index 0000000..36557d5 --- /dev/null +++ b/dbus-1/system.d/org.freedesktop.timedate1.conf @@ -0,0 +1,27 @@ + + + + + + + + + + + + + + + + + + + diff --git a/debconf.conf b/debconf.conf new file mode 100644 index 0000000..549c1d5 --- /dev/null +++ b/debconf.conf 
@@ -0,0 +1,83 @@ +# This is the main config file for debconf. It tells debconf where to +# store data. The format of this file is a set of stanzas. Each stanza +# except the first sets up a database for debconf to use. For details, see +# debconf.conf(5) (in the debconf-doc package). +# +# So first things first. This first stanza gives the names of two databases. + +# Debconf will use this database to store the data you enter into it, +# and some other dynamic data. +Config: configdb +# Debconf will use this database to store static template data. +Templates: templatedb + +# World-readable, and accepts everything but passwords. +Name: config +Driver: File +Mode: 644 +Reject-Type: password +Filename: /var/cache/debconf/config.dat + +# Not world readable (the default), and accepts only passwords. +Name: passwords +Driver: File +Mode: 600 +Backup: false +Required: false +Accept-Type: password +Filename: /var/cache/debconf/passwords.dat + +# Set up the configdb database. By default, it consists of a stack of two +# databases, one to hold passwords and one for everything else. +Name: configdb +Driver: Stack +Stack: config, passwords + +# Set up the templatedb database, which is a single flat text file +# by default. +Name: templatedb +Driver: File +Mode: 644 +Filename: /var/cache/debconf/templates.dat + +# Well that was pretty straightforward, and it will be enough for most +# people's needs, but debconf's database drivers can be used to do much +# more interesting things. For example, suppose you want to use config +# data from another host, which is mounted over nfs or perhaps the database +# is accessed via LDAP. You don't want to write to the remote debconf database, +# just read from it, so you still need a local database for local changes. +# +# A remote NFS mounted database, read-only. It is optional; if debconf +# fails to use it it will not abort. 
+#Name: remotedb +#Driver: DirTree +#Directory: /mnt/otherhost/var/cache/debconf/config +#Readonly: true +#Required: false +# +# A remote LDAP database. It is also read-only. The password is really +# only necessary if the database is not accessible anonymously. +# Option KeyByKey instructs the backend to retrieve keys from the LDAP +# server individually (when they are requested), instead of loading all +# keys at startup. The default is 0, and should only be enabled if you +# want to track accesses to individual keys on the LDAP server side. +#Name: remotedb +#Driver: LDAP +#Server: remotehost +#BaseDN: cn=debconf,dc=domain,dc=com +#BindDN: uid=admin,dc=domain,dc=com +#BindPasswd: secret +#KeyByKey: 0 +# +# A stack consisting of two databases. Values will be read from +# the first database in the stack to contain a value. In this example, +# writes always go to the first database. +#Name: fulldb +#Driver: Stack +#Stack: configdb, remotedb +# +# In this example, we'd use Config: fulldb at the top of the file +# to make it use the combination of the databases. +# +# Even more complex and interesting setups are possible, see the +# debconf.conf(5) page for details. diff --git a/debian_version b/debian_version new file mode 100644 index 0000000..48c26da --- /dev/null +++ b/debian_version @@ -0,0 +1 @@ +8.6 diff --git a/default/acpid b/default/acpid new file mode 100644 index 0000000..c651a78 --- /dev/null +++ b/default/acpid @@ -0,0 +1,11 @@ +# Options to pass to acpid +# +# OPTIONS are appended to the acpid command-line +#OPTIONS="" + +# Linux kernel modules to load before starting acpid +# +# MODULES is a space separated list of modules to load, or "all" to load all +# acpi drivers, or commented out to load no module +#MODULES="battery ac processor button fan thermal video" +#MODULES="all" diff --git a/default/aiccu b/default/aiccu new file mode 100644 index 0000000..5482d8f --- /dev/null +++ b/default/aiccu 
@@ -0,0 +1,11 @@ +# This is a configuration file for /etc/init.d/aiccu; it allows you to +# perform common modifications to the behavior of the aiccu daemon +# startup without editing the init script (and thus getting prompted +# by dpkg on upgrades). We all love dpkg prompts. + +# Arguments to pass to aiccu daemon. +DAEMON_ARGS="" + +# Run aiccu at startup ? +AICCU_ENABLED=Yes + diff --git a/default/apache2 b/default/apache2 new file mode 100644 index 0000000..020f079 --- /dev/null +++ b/default/apache2 @@ -0,0 +1,26 @@ +### htcacheclean settings ### + +## run htcacheclean: yes, no, auto +## auto means run if /etc/apache2/mods-enabled/cache_disk.load exists +## default: auto +HTCACHECLEAN_RUN=auto + +## run mode: cron, daemon +## run in daemon mode or as daily cron job +## default: daemon +HTCACHECLEAN_MODE=daemon + +## cache size +HTCACHECLEAN_SIZE=300M + +## interval: if in daemon mode, clean cache every x minutes +HTCACHECLEAN_DAEMON_INTERVAL=120 + +## path to cache +## must be the same as in CacheRoot directive +HTCACHECLEAN_PATH=/var/cache/apache2/mod_cache_disk + +## additional options: +## -n : be nice +## -t : remove empty directories +HTCACHECLEAN_OPTIONS="-n" diff --git a/default/bind9 b/default/bind9 new file mode 100644 index 0000000..866a94e --- /dev/null +++ b/default/bind9 @@ -0,0 +1,5 @@ +# run resolvconf? +RESOLVCONF=no + +# startup options for the server +OPTIONS="-u bind" diff --git a/default/bsdmainutils b/default/bsdmainutils new file mode 100644 index 0000000..e4ac054 --- /dev/null +++ b/default/bsdmainutils @@ -0,0 +1,4 @@ +# Uncomment the following line if you'd like all of your users' +# ~/calendar files to be checked daily. Calendar will send them mail +# to remind them of upcoming events. See calendar(1) for more details. +#RUN_DAILY=true diff --git a/default/console-setup b/default/console-setup new file mode 100644 index 0000000..dc3ea7f --- /dev/null +++ b/default/console-setup 
@@ -0,0 +1,16 @@ +# CONFIGURATION FILE FOR SETUPCON + +# Consult the console-setup(5) manual page. + +ACTIVE_CONSOLES="/dev/tty[1-6]" + +CHARMAP="UTF-8" + +CODESET="Lat15" +FONTFACE="Fixed" +FONTSIZE="8x16" + +VIDEOMODE= + +# The following is an example how to use a braille font +# FONT='lat9w-08.psf.gz brl-8x8.psf' diff --git a/default/cron b/default/cron new file mode 100644 index 0000000..f62b7be --- /dev/null +++ b/default/cron @@ -0,0 +1,28 @@ +# Cron configuration options + +# Whether to read the system's default environment files (if present) +# If set to "yes", cron will set a proper mail charset from the +# locale information. If set to something other than 'yes', the default +# charset 'C' (canonical name: ANSI_X3.4-1968) will be used. +# +# This has no effect on tasks running under cron; their environment can +# only be changed via PAM or from within the crontab; see crontab(5). +READ_ENV="yes" + +# Extra options for cron, see cron(8) +# +# For example, to enable LSB name support in /etc/cron.d/, use +# EXTRA_OPTS='-l' +# +# Or, to log standard messages, plus jobs with exit status != 0: +# EXTRA_OPTS='-L 5' +# +# For quick reference, the currently available log levels are: +# 0 no logging (errors are logged regardless) +# 1 log start of jobs +# 2 log end of jobs +# 4 log jobs with exit status != 0 +# 8 log the process identifier of child process (in all logs) +# +#EXTRA_OPTS="" + diff --git a/default/devpts b/default/devpts new file mode 100644 index 0000000..e10e371 --- /dev/null +++ b/default/devpts @@ -0,0 +1,5 @@ +# GID of the `tty' group +TTYGRP=5 + +# Set to 600 to have `mesg n' be the default +TTYMODE=620 diff --git a/default/exim4 b/default/exim4 new file mode 100644 index 0000000..2987f7f --- /dev/null +++ b/default/exim4 
@@ -0,0 +1,24 @@ +# /etc/default/exim4 +EX4DEF_VERSION='' + +# 'combined' - one daemon running queue and listening on SMTP port +# 'no' - no daemon running the queue +# 'separate' - two separate daemons +# 'ppp' - only run queue with /etc/ppp/ip-up.d/exim4. +# 'nodaemon' - no daemon is started at all. +# 'queueonly' - only a queue running daemon is started, no SMTP listener. +# setting this to 'no' will also disable queueruns from /etc/ppp/ip-up.d/exim4 +QUEUERUNNER='combined' +# how often should we run the queue +QUEUEINTERVAL='30m' +# options common to quez-runner and listening daemon +COMMONOPTIONS='' +# more options for the daemon/process running the queue (applies to the one +# started in /etc/ppp/ip-up.d/exim4, too. +QUEUERUNNEROPTIONS='' +# special flags given to exim directly after the -q. See exim(8) +QFLAGS='' +# Options for the SMTP listener daemon. By default, it is listening on +# port 25 only. To listen on more ports, it is recommended to use +# -oX 25:587:10025 -oP /var/run/exim4/exim.pid +SMTPLISTENEROPTIONS='' diff --git a/default/fail2ban b/default/fail2ban new file mode 100644 index 0000000..35bb377 --- /dev/null +++ b/default/fail2ban 
@@ -0,0 +1,39 @@ +# This file is part of Fail2Ban. +# +# Fail2Ban is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Fail2Ban is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Fail2Ban; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Author: Cyril Jaquier +# +# $Revision$ + +# Command line options for Fail2Ban. Refer to "fail2ban-client -h" for +# valid options. +FAIL2BAN_OPTS="" + +# Run fail2ban as a different user. If not set, fail2ban +# will run as root. +# +# The user is not created automatically. +# The user can be created e.g. with +# useradd --system --no-create-home --home-dir / --groups adm fail2ban +# Log files are readable by group adm by default. Adding the fail2ban +# user to this group allows it to read the logfiles. +# +# Another manual step that needs to be taken is to allow write access +# for fail2ban user to fail2ban log files. The /etc/init.d/fail2ban +# script will change the ownership when starting fail2ban. Logrotate +# needs to be configured separately, see /etc/logrotate.d/fail2ban. +# +# FAIL2BAN_USER="fail2ban" diff --git a/default/grub b/default/grub new file mode 100644 index 0000000..c216928 --- /dev/null +++ b/default/grub 
@@ -0,0 +1,32 @@ +# If you change this file, run 'update-grub' afterwards to update +# /boot/grub/grub.cfg. +# For full documentation of the options in this file, see: +# info -f grub -n 'Simple configuration' + +GRUB_DEFAULT=0 +GRUB_TIMEOUT=2 +GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian` +GRUB_CMDLINE_LINUX_DEFAULT="quiet" +GRUB_CMDLINE_LINUX="" + +# Uncomment to enable BadRAM filtering, modify to suit your needs +# This works with Linux (no patch required) and with any kernel that obtains +# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...) +#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef" + +# Uncomment to disable graphical terminal (grub-pc only) +#GRUB_TERMINAL=console + +# The resolution used on graphical terminal +# note that you can use only modes which your graphic card supports via VBE +# you can see them in real GRUB with the command `vbeinfo' +#GRUB_GFXMODE=640x480 + +# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux +#GRUB_DISABLE_LINUX_UUID=true + +# Uncomment to disable generation of recovery mode menu entries +#GRUB_DISABLE_RECOVERY="true" + +# Uncomment to get a beep at grub start +#GRUB_INIT_TUNE="480 440 1" diff --git a/default/halt b/default/halt new file mode 100644 index 0000000..21bc119 --- /dev/null +++ b/default/halt @@ -0,0 +1,2 @@ +# Default behaviour of shutdown -h / halt. Set to "halt" or "poweroff". +HALT=poweroff diff --git a/default/haveged b/default/haveged new file mode 100644 index 0000000..77b6941 --- /dev/null +++ b/default/haveged @@ -0,0 +1,5 @@ +# Configuration file for haveged + +# Options to pass to haveged: +# -w sets low entropy watermark (in bits) +DAEMON_ARGS="-w 1024" diff --git a/default/hwclock b/default/hwclock new file mode 100644 index 0000000..dcf5451 --- /dev/null +++ b/default/hwclock 
@@ -0,0 +1,19 @@ +# Defaults for the hwclock init script. See hwclock(5) and hwclock(8). + +# This is used to specify that the hardware clock incapable of storing +# years outside the range of 1994-1999. Set to yes if the hardware is +# broken or no if working correctly. +#BADYEAR=no + +# Set this to yes if it is possible to access the hardware clock, +# or no if it is not. +#HWCLOCKACCESS=yes + +# Set this to any options you might need to give to hwclock, such +# as machine hardware clock type for Alphas. +#HWCLOCKPARS= + +# Set this to the hardware clock device you want to use, it should +# probably match the CONFIG_RTC_HCTOSYS_DEVICE kernel config option. +#HCTOSYS_DEVICE=rtc0 + diff --git a/default/keyboard b/default/keyboard new file mode 100644 index 0000000..3fecbcc --- /dev/null +++ b/default/keyboard @@ -0,0 +1,10 @@ +# KEYBOARD CONFIGURATION FILE + +# Consult the keyboard(5) manual page. + +XKBMODEL="pc105" +XKBLAYOUT="us" +XKBVARIANT="" +XKBOPTIONS="" + +BACKSPACE="guess" diff --git a/default/locale b/default/locale new file mode 100644 index 0000000..188a09e --- /dev/null +++ b/default/locale @@ -0,0 +1,2 @@ +# File generated by update-locale +LANG="de_DE.UTF-8" diff --git a/default/locale.bak b/default/locale.bak new file mode 100644 index 0000000..1f6661e --- /dev/null +++ b/default/locale.bak @@ -0,0 +1,2 @@ +# File generated by update-locale +LANG="en_US.UTF-8" diff --git a/default/netfilter-persistent b/default/netfilter-persistent new file mode 100644 index 0000000..7b31799 --- /dev/null +++ b/default/netfilter-persistent @@ -0,0 +1,4 @@ +# Configuration for netfilter-persistent +# Plugins may extend this file or have their own + +FLUSH_ON_STOP=0 diff --git a/default/networking b/default/networking new file mode 100644 index 0000000..469f4ca --- /dev/null +++ b/default/networking 
@@ -0,0 +1,11 @@ +# Configuration for networking init script being run during +# the boot sequence + +# Set to 'no' to skip interfaces configuration on boot +#CONFIGURE_INTERFACES=yes + +# Don't configure these interfaces. Shell wildcards supported/ +#EXCLUDE_INTERFACES= + +# Set to 'yes' to enable additional verbosity +#VERBOSE=no diff --git a/default/nss b/default/nss new file mode 100644 index 0000000..c43e88b --- /dev/null +++ b/default/nss 
@@ -0,0 +1,37 @@ +# /etc/default/nss +# This file can theoretically contain a bunch of customization variables +# for Name Service Switch in the GNU C library. For now there are only +# four variables: +# +# NETID_AUTHORITATIVE +# If set to TRUE, the initgroups() function will accept the information +# from the netid.byname NIS map as authoritative. This can speed up the +# function significantly if the group.byname map is large. The content +# of the netid.byname map is used AS IS. The system administrator has +# to make sure it is correctly generated. +#NETID_AUTHORITATIVE=TRUE +# +# SERVICES_AUTHORITATIVE +# If set to TRUE, the getservbyname{,_r}() function will assume +# services.byservicename NIS map exists and is authoritative, particularly +# that it contains both keys with /proto and without /proto for both +# primary service names and service aliases. The system administrator +# has to make sure it is correctly generated. +#SERVICES_AUTHORITATIVE=TRUE +# +# SETENT_BATCH_READ +# If set to TRUE, various setXXent() functions will read the entire +# database at once and then hand out the requests one by one from +# memory with every getXXent() call. Otherwise each getXXent() call +# might result into a network communication with the server to get +# the next entry. +#SETENT_BATCH_READ=TRUE +# +# ADJUNCT_AS_SHADOW +# If set to TRUE, the passwd routines in the NIS NSS module will not +# use the passwd.adjunct.byname tables to fill in the password data +# in the passwd structure. This is a security problem if the NIS +# server cannot be trusted to send the passwd.adjuct table only to +# privileged clients. Instead the passwd.adjunct.byname table is +# used to synthesize the shadow.byname table if it does not exist. +ADJUNCT_AS_SHADOW=TRUE diff --git a/default/rcS b/default/rcS new file mode 100644 index 0000000..694ffc7 --- /dev/null +++ b/default/rcS 
@@ -0,0 +1,24 @@ +# +# /etc/default/rcS +# +# Default settings for the scripts in /etc/rcS.d/ +# +# For information about these variables see the rcS(5) manual page. +# +# This file belongs to the "initscripts" package. + +# delete files in /tmp during boot older than x days. +# '0' means always, -1 or 'infinite' disables the feature +#TMPTIME=0 + +# spawn sulogin during boot, continue normal boot if not used in 30 seconds +#SULOGIN=no + +# do not allow users to log in until the boot has completed +#DELAYLOGIN=no + +# be more verbose during the boot process +#VERBOSE=no + +# automatically repair filesystems with inconsistencies during boot +#FSCKFIX=no diff --git a/default/rsync b/default/rsync new file mode 100644 index 0000000..13780c2 --- /dev/null +++ b/default/rsync 
@@ -0,0 +1,41 @@ +# defaults file for rsync daemon mode + +# start rsync in daemon mode from init.d script? +# only allowed values are "true", "false", and "inetd" +# Use "inetd" if you want to start the rsyncd from inetd, +# all this does is prevent the init.d script from printing a message +# about not starting rsyncd (you still need to modify inetd's config yourself). +RSYNC_ENABLE=false + +# which file should be used as the configuration file for rsync. +# This file is used instead of the default /etc/rsyncd.conf +# Warning: This option has no effect if the daemon is accessed +# using a remote shell. When using a different file for +# rsync you might want to symlink /etc/rsyncd.conf to +# that file. +# RSYNC_CONFIG_FILE= + +# what extra options to give rsync --daemon? +# that excludes the --daemon; that's always done in the init.d script +# Possibilities are: +# --address=123.45.67.89 (bind to a specific IP address) +# --port=8730 (bind to specified port; default 873) +RSYNC_OPTS='' + +# run rsyncd at a nice level? +# the rsync daemon can impact performance due to much I/O and CPU usage, +# so you may want to run it at a nicer priority than the default priority. +# Allowed values are 0 - 19 inclusive; 10 is a reasonable value. +RSYNC_NICE='' + +# run rsyncd with ionice? +# "ionice" does for IO load what "nice" does for CPU load. +# As rsync is often used for backups which aren't all that time-critical, +# reducing the rsync IO priority will benefit the rest of the system. +# See the manpage for ionice for allowed options. +# -c3 is recommended, this will run rsync IO at "idle" priority. Uncomment +# the next line to activate this. +# RSYNC_IONICE='-c3' + +# Don't forget to create an appropriate config file, +# else the daemon will not start. diff --git a/default/rsyslog b/default/rsyslog new file mode 100644 index 0000000..8ec3ea0 --- /dev/null +++ b/default/rsyslog 
@@ -0,0 +1,4 @@ +# Options for rsyslogd +# -x disables DNS lookups for remote messages +# See rsyslogd(8) for more details +RSYSLOGD_OPTIONS="" diff --git a/default/salt-minion.environment b/default/salt-minion.environment new file mode 100644 index 0000000..cc33d58 --- /dev/null +++ b/default/salt-minion.environment @@ -0,0 +1,4 @@ +# Controls whether or not service is restarted automatically when it exits. +# See the manpage for systemd.service(5) for possible values for the "Restart=" +# option. +RESTART='no' diff --git a/default/ssh b/default/ssh new file mode 100644 index 0000000..3040422 --- /dev/null +++ b/default/ssh @@ -0,0 +1,5 @@ +# Default settings for openssh-server. This file is sourced by /bin/sh from +# /etc/init.d/ssh. + +# Options to pass to sshd +SSHD_OPTS= diff --git a/default/tmpfs b/default/tmpfs new file mode 100644 index 0000000..a19ba71 --- /dev/null +++ b/default/tmpfs 
@@ -0,0 +1,33 @@ +# Configuration for tmpfs filesystems mounted in early boot, before +# filesystems from /etc/fstab are mounted. For information about +# these variables see the tmpfs(5) manual page. + +# /run is always mounted as a tmpfs on systems which support tmpfs +# mounts. + +# mount /run/lock as a tmpfs (separately from /run). Defaults to yes; +# set to no to disable (/run/lock will then be part of the /run tmpfs, +# if available). +#RAMLOCK=yes + +# mount /run/shm as a tmpfs (separately from /run). Defaults to yes; +# set to no to disable (/run/shm will then be part of the /run tmpfs, +# if available). +#RAMSHM=yes + +# mount /tmp as a tmpfs. Defaults to no; set to yes to enable (/tmp +# will be part of the root filesystem if disabled). /tmp may also be +# configured to be a separate mount in /etc/fstab. +#RAMTMP=no + +# Size limits. Please see tmpfs(5) for details on how to configure +# tmpfs size limits. +#TMPFS_SIZE=20%VM +#RUN_SIZE=10% +#LOCK_SIZE=5242880 # 5MiB +#SHM_SIZE= +#TMP_SIZE= + +# Mount tmpfs on /tmp if there is less than the limit size (in kiB) on +# the root filesystem (overriding RAMTMP). +#TMP_OVERFLOW_LIMIT=1024 diff --git a/default/useradd b/default/useradd new file mode 100644 index 0000000..a834fef --- /dev/null +++ b/default/useradd 
@@ -0,0 +1,37 @@ +# Default values for useradd(8) +# +# The SHELL variable specifies the default login shell on your +# system. +# Similar to DHSELL in adduser. However, we use "sh" here because +# useradd is a low level utility and should be as general +# as possible +SHELL=/bin/sh +# +# The default group for users +# 100=users on Debian systems +# Same as USERS_GID in adduser +# This argument is used when the -n flag is specified. +# The default behavior (when -n and -g are not specified) is to create a +# primary user group with the same name as the user being added to the +# system. +# GROUP=100 +# +# The default home directory. Same as DHOME for adduser +# HOME=/home +# +# The number of days after a password expires until the account +# is permanently disabled +# INACTIVE=-1 +# +# The default expire date +# EXPIRE= +# +# The SKEL variable specifies the directory containing "skeletal" user +# files; in other words, files such as a sample .profile that will be +# copied to the new user's home directory when it is created. +# SKEL=/etc/skel +# +# Defines whether the mail spool should be created while +# creating the account +# CREATE_MAIL_SPOOL=yes + diff --git a/deluser.conf b/deluser.conf new file mode 100644 index 0000000..fff8d81 --- /dev/null +++ b/deluser.conf @@ -0,0 +1,20 @@ +# /etc/deluser.conf: `deluser' configuration. + +# Remove home directory and mail spool when user is removed +REMOVE_HOME = 0 + +# Remove all files on the system owned by the user to be removed +REMOVE_ALL_FILES = 0 + +# Backup files before removing them. This options has only an effect if +# REMOVE_HOME or REMOVE_ALL_FILES is set. +BACKUP = 0 + +# target directory for the backup file +BACKUP_TO = "." + +# delete a group even there are still users in this group +ONLY_IF_EMPTY = 0 + +# exclude these filesystem types when searching for files of a user to backup +EXCLUDE_FSTYPES = "(proc|sysfs|usbfs|devpts|tmpfs|afs)" 
diff --git a/dhcp/dhclient-enter-hooks.d/debug b/dhcp/dhclient-enter-hooks.d/debug
new file mode 100644
index 0000000..5785a97
--- /dev/null
+++ b/dhcp/dhclient-enter-hooks.d/debug
@@ -0,0 +1,39 @@
+#
+# The purpose of this script is just to show the variables that are
+# available to all the scripts in this directory. All these scripts
+# are called from /etc/dhcp3/dhclient-script, which exports all the
+# variables shown before. If you want to debug a problem with your DHCP
+# setup you can enable this script and take a look at
+# /tmp/dhclient-script.debug.
+
+# To enable this script set the following variable to "yes"
+RUN="no"
+
+if [ "$RUN" = "yes" ]; then
+ echo $(date): entering ${0%/*}, dumping variables. \
+ >> /tmp/dhclient-script.debug
+
+ # loop over the 4 possible prefixes: (empty), cur_, new_, old_
+ for prefix in '' 'cur_' 'new_' 'old_'; do
+ # loop over the DHCP variables passed to dhclient-script
+ for basevar in reason interface medium alias_ip_address \
+ ip_address host_name network_number subnet_mask \
+ broadcast_address routers static_routes \
+ rfc3442_classless_static_routes \
+ domain_name domain_search domain_name_servers \
+ netbios_name_servers netbios_scope \
+ ntp_servers \
+ ip6_address ip6_prefix ip6_prefixlen \
+ dhcp6_domain_search dhcp6_name_servers ; do
+ var="${prefix}${basevar}"
+ eval "content=\$var"
+
+ # show only variables with values set
+ if [ -n "${content}" ]; then
+ echo "$var='${content}'" >> /tmp/dhclient-script.debug
+ fi
+ done
+ done
+
+ echo '--------------------------' >> /tmp/dhclient-script.debug
+fi
diff --git a/dhcp/dhclient-enter-hooks.d/nodnsupdate b/dhcp/dhclient-enter-hooks.d/nodnsupdate
new file mode 100644
index 0000000..9f5c98d
--- /dev/null
+++ b/dhcp/dhclient-enter-hooks.d/nodnsupdate
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+# Don't overwrite /etc/resolv.conf
+make_resolv_conf() {
+ :
+}
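Review bot: All three redirections in the debug hook append to the fixed path `/tmp/dhclient-script.debug`, and dhclient hooks normally run as root, so once `RUN` is set to "yes" any local user who pre-creates that name (for example as a symlink) decides where root's output lands. Writing under a root-owned directory avoids that, e.g. `echo "$var='${content}'" >> /var/log/dhclient-script.debug` (the path is a suggestion) for each of the three writes; the dump holds server-supplied lease values, so the file should not be world-readable either. The identical file is added again as dhclient-exit-hooks.d/debug further down and needs the same change. Separately, `eval "content=\$var"` as shown stores the variable's name rather than its value; if the file on disk really reads that way, `eval "content=\$$var"` is what the loop intends.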
diff --git a/dhcp/dhclient-exit-hooks.d/debug b/dhcp/dhclient-exit-hooks.d/debug
new file mode 100644
index 0000000..5785a97
--- /dev/null
+++ b/dhcp/dhclient-exit-hooks.d/debug
@@ -0,0 +1,39 @@
+#
+# The purpose of this script is just to show the variables that are
+# available to all the scripts in this directory. All these scripts
+# are called from /etc/dhcp3/dhclient-script, which exports all the
+# variables shown before. If you want to debug a problem with your DHCP
+# setup you can enable this script and take a look at
+# /tmp/dhclient-script.debug.
+
+# To enable this script set the following variable to "yes"
+RUN="no"
+
+if [ "$RUN" = "yes" ]; then
+ echo $(date): entering ${0%/*}, dumping variables. \
+ >> /tmp/dhclient-script.debug
+
+ # loop over the 4 possible prefixes: (empty), cur_, new_, old_
+ for prefix in '' 'cur_' 'new_' 'old_'; do
+ # loop over the DHCP variables passed to dhclient-script
+ for basevar in reason interface medium alias_ip_address \
+ ip_address host_name network_number subnet_mask \
+ broadcast_address routers static_routes \
+ rfc3442_classless_static_routes \
+ domain_name domain_search domain_name_servers \
+ netbios_name_servers netbios_scope \
+ ntp_servers \
+ ip6_address ip6_prefix ip6_prefixlen \
+ dhcp6_domain_search dhcp6_name_servers ; do
+ var="${prefix}${basevar}"
+ eval "content=\$var"
+
+ # show only variables with values set
+ if [ -n "${content}" ]; then
+ echo "$var='${content}'" >> /tmp/dhclient-script.debug
+ fi
+ done
+ done
+
+ echo '--------------------------' >> /tmp/dhclient-script.debug
+fi
diff --git a/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes b/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes
new file mode 100644
index 0000000..462fb46
--- /dev/null
+++ b/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes
@@ -0,0 +1,63 @@
+# set classless routes based on the format specified in RFC3442
+# e.g.:
+# new_rfc3442_classless_static_routes='24 192 168 10 192 168 1 1 8 10 10 17 66 41'
+# specifies the routes:
+# 192.168.10.0/24 via 192.168.1.1
+# 10.0.0.0/8 via 10.10.17.66.41
+
+RUN="yes"
+
+
+if [ "$RUN" = "yes" ]; then
+ if [ -n "$new_rfc3442_classless_static_routes" ]; then
+ if [ "$reason" = "BOUND" ] || [ "$reason" = "REBOOT" ]; then
+
+ set -- $new_rfc3442_classless_static_routes
+
+ while [ $# -gt 0 ]; do
+ net_length=$1
+ via_arg=''
+
+ case $net_length in
+ 32|31|30|29|28|27|26|25)
+ net_address="${2}.${3}.${4}.${5}"
+ gateway="${6}.${7}.${8}.${9}"
+ shift 9
+ ;;
+ 24|23|22|21|20|19|18|17)
+ net_address="${2}.${3}.${4}.0"
+ gateway="${5}.${6}.${7}.${8}"
+ shift 8
+ ;;
+ 16|15|14|13|12|11|10|9)
+ net_address="${2}.${3}.0.0"
+ gateway="${4}.${5}.${6}.${7}"
+ shift 7
+ ;;
+ 8|7|6|5|4|3|2|1)
+ net_address="${2}.0.0.0"
+ gateway="${3}.${4}.${5}.${6}"
+ shift 6
+ ;;
+ 0) # default route
+ net_address="0.0.0.0"
+ gateway="${2}.${3}.${4}.${5}"
+ shift 5
+ ;;
+ *) # error
+ return 1
+ ;;
+ esac
+
+ # take care of link-local routes
+ if [ "${gateway}" != '0.0.0.0' ]; then
+ via_arg="via ${gateway}"
+ fi
+
+ # set route (ip detects host routes automatically)
+ ip -4 route add "${net_address}/${net_length}" \
+ ${via_arg} dev "${interface}" >/dev/null 2>&1
+ done
+ fi
+ fi
+fi
diff --git a/dhcp/dhclient.conf b/dhcp/dhclient.conf
new file mode 100644
index 0000000..431fafd
--- /dev/null
+++ b/dhcp/dhclient.conf
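Review bot: None of the `case` arms checks that enough octets remain before reading `${2}`…`${9}` and calling `shift N`, so a truncated or malformed `new_rfc3442_classless_static_routes` value from the DHCP server produces addresses with empty octets and a `shift` that fails. Depending on the shell, that may either abort the script that sources this hook or leave `$#` unchanged and the `while` loop spinning. A guard at the top of each arm, e.g. `[ $# -ge 9 ] || return 1` in the /25–/32 arm (8, 7, 6 and 5 in the others), matches the existing `*)` error path. The `>/dev/null 2>&1` on `ip -4 route add` also hides every rejected route; reporting failures through `logger` would leave a trace to investigate.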
@@ -0,0 +1,55 @@
+# Configuration file for /sbin/dhclient, which is included in Debian's
+# dhcp3-client package.
+#
+# This is a sample configuration file for dhclient. See dhclient.conf's
+# man page for more information about the syntax of this file
+# and a more comprehensive list of the parameters understood by
+# dhclient.
+#
+# Normally, if the DHCP server provides reasonable information and does
+# not leave anything out (like the domain name, for example), then
+# few changes must be made to this file, if any.
+#
+
+option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
+
+#send host-name "andare.fugue.com";
+send host-name = gethostname();
+#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
+#send dhcp-lease-time 3600;
+#supersede domain-name "fugue.com home.vix.com";
+#prepend domain-name-servers 127.0.0.1;
+request subnet-mask, broadcast-address, time-offset, routers,
+ domain-name, domain-name-servers, domain-search, host-name,
+ dhcp6.name-servers, dhcp6.domain-search,
+ netbios-name-servers, netbios-scope, interface-mtu,
+ rfc3442-classless-static-routes, ntp-servers;
+#require subnet-mask, domain-name-servers;
+#timeout 60;
+#retry 60;
+#reboot 10;
+#select-timeout 5;
+#initial-interval 2;
+#script "/etc/dhcp3/dhclient-script";
+#media "-link0 -link1 -link2", "link0 link1";
+#reject 192.33.137.209;
+
+#alias {
+# interface "eth0";
+# fixed-address 192.5.5.213;
+# option subnet-mask 255.255.255.255;
+#}
+
+#lease {
+# interface "eth0";
+# fixed-address 192.33.137.200;
+# medium "link0 link1";
+# option host-name "andare.swiftmedia.com";
+# option subnet-mask 255.255.255.0;
+# option broadcast-address 192.33.137.255;
+# option routers 192.33.137.250;
+# option domain-name-servers 127.0.0.1;
+# renew 2 2000/1/12 00:00:01;
+# rebind 2 2000/1/12 00:00:01;
+# expire 2 2000/1/12 00:00:01;
+#}
diff --git a/dictionaries-common/default.aff b/dictionaries-common/default.aff
new file mode 120000
index 0000000..3be1bad
--- /dev/null
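Review bot: The `request` statement asks for `routers`, `rfc3442-classless-static-routes`, `ntp-servers`, `host-name` and `interface-mtu`, and with the rfc3442 exit hook enabled (`RUN="yes"` in that file) whichever DHCP server answers on the segment can change this machine's routing table. If the host has a fixed network role, which the repository name suggests but this hunk does not show, trimming the list to what is actually consumed, e.g. `request subnet-mask, broadcast-address, routers;`, narrows that exposure. A short comment above the statement recording why each remaining option is needed would help later review.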
+++ b/dictionaries-common/default.aff @@ -0,0 +1 @@ +/usr/lib/ispell/american.aff \ No newline at end of file diff --git a/dictionaries-common/default.hash b/dictionaries-common/default.hash new file mode 120000 index 0000000..e9d3a0f --- /dev/null +++ b/dictionaries-common/default.hash @@ -0,0 +1 @@ +/usr/lib/ispell/american.hash \ No newline at end of file diff --git a/dictionaries-common/ispell-default b/dictionaries-common/ispell-default new file mode 120000 index 0000000..f4b786e --- /dev/null +++ b/dictionaries-common/ispell-default @@ -0,0 +1 @@ +/var/cache/dictionaries-common/ispell-default \ No newline at end of file diff --git a/dictionaries-common/words b/dictionaries-common/words new file mode 120000 index 0000000..1d20e7e --- /dev/null +++ b/dictionaries-common/words @@ -0,0 +1 @@ +/usr/share/dict/american-english \ No newline at end of file diff --git a/discover-modprobe.conf b/discover-modprobe.conf new file mode 100644 index 0000000..713c3e6 --- /dev/null +++ b/discover-modprobe.conf @@ -0,0 +1,13 @@ + +# $Progeny$ + +# Load modules for the following device types. Specify "all" +# to detect all device types. +types="all" + +# Don't ever load the foo, bar, or baz modules. +#skip="foo bar baz" + +# Lines below this point have been automatically added by +# discover-modprobe(8) to disable the loading of modules that have +# previously crashed the machine: diff --git a/discover.conf.d/00discover b/discover.conf.d/00discover new file mode 100644 index 0000000..69ec3a1 --- /dev/null +++ b/discover.conf.d/00discover @@ -0,0 +1,15 @@ + + + + + + + + + + + + + + + diff --git a/dpkg/dpkg.cfg b/dpkg/dpkg.cfg new file mode 100644 index 0000000..ba898ee --- /dev/null +++ b/dpkg/dpkg.cfg 
@@ -0,0 +1,13 @@ +# dpkg configuration file +# +# This file can contain default options for dpkg. All command-line +# options are allowed. Values can be specified by putting them after +# the option, separated by whitespace and/or an `=' sign. +# + +# Do not enable debsig-verify by default; since the distribution is not using +# embedded signatures, debsig-verify would reject all packages. +no-debsig + +# Log status changes and actions to a file. +log /var/log/dpkg.log diff --git a/dpkg/origins/debian b/dpkg/origins/debian new file mode 100644 index 0000000..91f6ed1 --- /dev/null +++ b/dpkg/origins/debian @@ -0,0 +1,3 @@ +Vendor: Debian +Vendor-URL: http://www.debian.org/ +Bugs: debbugs://bugs.debian.org diff --git a/dpkg/origins/default b/dpkg/origins/default new file mode 120000 index 0000000..b2f7fd3 --- /dev/null +++ b/dpkg/origins/default @@ -0,0 +1 @@ +debian \ No newline at end of file diff --git a/emacs/site-start.d/00debian-vars.el b/emacs/site-start.d/00debian-vars.el new file mode 100644 index 0000000..a9db99c --- /dev/null +++ b/emacs/site-start.d/00debian-vars.el 
@@ -0,0 +1,57 @@ +;; 00debian-vars.el +;; +;; Initialize some emacs variables from debian policy files. +;; +;; Copyright (C) 1997, Frederic Lepied +;; +;; original Author: Frederic Lepied +;; enhanced and documented by: Mark Eichin + +;;============================================================================= +;; Autoloaded section. +;;============================================================================= + + +;;;### + +(eval-when-compile + ;; Quiet byte compiler + (defvar gnus-nntpserver-file)) + +;;;*** + + +;;============================================================================= +;; Configuration section. +;;============================================================================= +(defun debian-file->string (name &optional func) + "Convert a file into a string" + (interactive "fFile name : ") + (let ((filename (expand-file-name name))) + (if (not (file-readable-p filename)) + nil + (with-temp-buffer + ;; Do not run any user `find-file-hooks' + (insert-file-contents-literally filename) + (if func + (funcall func)) + (buffer-string))))) + +(defun debian-clean-mailname () + (while (search-forward "\n" nil t) + (replace-match "" nil t))) + +;; Particular variables, and their justification: +;; policy/ch4.html, 4.3 Mail processing on Debian systems, /etc/mailname +;; policy/ch-binarypkg.html, 3.5 Maintainer scripts, /etc/news/server + +(let ((mailname + (debian-file->string "/etc/mailname" (function debian-clean-mailname)))) + (if mailname + (setq mail-host-address mailname))) + +;; Don't need to check NNTPSERVER for override, gnus does that for us. +(if (file-readable-p "/etc/news/server") + (setq gnus-nntpserver-file "/etc/news/server")) + +;;; 00debian-vars.el ends here diff --git a/emacs/site-start.d/50dictionaries-common.el b/emacs/site-start.d/50dictionaries-common.el new file mode 100644 index 0000000..924f605 --- /dev/null +++ b/emacs/site-start.d/50dictionaries-common.el 
@@ -0,0 +1,40 @@ +;; File: startup.el.in +;; Description: Emacsen startup for dictionaries-common in Debian +;; Authors: Rafael Laboissière +;; Agustin Martin +;; Created on: Fri Oct 22 09:48:21 CEST 1999 + +(let ((skip-emacs-flavors-list '(emacs19 + emacs20 + emacs21 + emacs22 + emacs-snapshot)) + (debian-dict-entries "/var/cache/dictionaries-common/emacsen-ispell-dicts.el")) + (if (member debian-emacs-flavor skip-emacs-flavors-list) + (message "Skipping dictionaries-common setup for %s" debian-emacs-flavor) + + (debian-pkg-add-load-path-item + (concat "/usr/share/" + (symbol-name debian-emacs-flavor) + "/site-lisp/dictionaries-common")) + + (autoload 'flyspell-word "flyspell" nil t) + (autoload 'flyspell-mode "flyspell" nil t) + (autoload 'flyspell-prog-mode "flyspell" nil t) + + ;; Load Debian emacsen cache file, with entries for installed dictionaries + ;; This might result in a call to debian-ispell, so do this only if + ;; a) It exists, that is, package is not removed. + ;; b) Not in installations under dpkg control, otherwise we might get some + ;; bogus errors on installation because of #132355 and friends. + (if (file-exists-p "/usr/share/emacs/site-lisp/dictionaries-common/debian-ispell.el") + (if (getenv "DPKG_RUNNING_VERSION") + (message "Info: Skip debian-el loading if run under dpkg control.") + (let ((coding-system-for-read 'raw-text)) ;; Read these as data streams + (load "debian-ispell" t) + (load debian-dict-entries t))) + (message "Info: Package dictionaries-common removed but not purged.")))) + +;;; Previous code for loading ispell.el and refreshing spell-checking +;;; pulldown menus has been removed from this file since it should no +;;; longer be needed. diff --git a/emacs/site-start.el b/emacs/site-start.el new file mode 100644 index 0000000..06a95b1 --- /dev/null +++ b/emacs/site-start.el 
@@ -0,0 +1,8 @@ +;; Emacsen independent startup file. All of the various installed +;; flavors of emacs (emacs22, emacs23, xemacs21) will load this file +;; at startup. Make sure any code you put here is emacs flavor +;; independent. + +;; Package maintainers: do not have Debian packages edit this file. +;; See /usr/share/doc/emacsen-common/debian-emacs-policy.gz for the +;; proper way to handle Emacs package initialization code. diff --git a/email-addresses b/email-addresses new file mode 100644 index 0000000..8e4f2cb --- /dev/null +++ b/email-addresses @@ -0,0 +1,9 @@ +# This is /etc/email-addresses. It is part of the exim package +# +# This file contains email addresses to use for outgoing mail. Any local +# part not in here will be qualified by the system domain as normal. +# +# It should contain lines of the form: +# +#user: someone@isp.com +#otheruser: someoneelse@anotherisp.com diff --git a/environment b/environment new file mode 100644 index 0000000..e69de29 diff --git a/etckeeper/commit.d/10vcs-test b/etckeeper/commit.d/10vcs-test new file mode 100755 index 0000000..e33d734 --- /dev/null +++ b/etckeeper/commit.d/10vcs-test @@ -0,0 +1,17 @@ +#!/bin/sh +set -e + +not_enabled_warning() { + echo "etckeeper warning: etckeeper is not yet enabled for $(pwd)" >&2 + echo "etckeeper warning: run etckeeper init to enable it" >&2 +} + +if [ "$VCS" = git ] && [ ! -d .git ]; then + not_enabled_warning +elif [ "$VCS" = hg ] && [ ! -d .hg ]; then + not_enabled_warning +elif [ "$VCS" = bzr ] && [ ! -d .bzr ]; then + not_enabled_warning +elif [ "$VCS" = darcs ] && [ ! -d _darcs ]; then + not_enabled_warning +fi diff --git a/etckeeper/commit.d/30bzr-add b/etckeeper/commit.d/30bzr-add new file mode 100755 index 0000000..3e7e95d --- /dev/null +++ b/etckeeper/commit.d/30bzr-add @@ -0,0 +1,8 @@ +#!/bin/sh +set -e + +if [ "$VCS" = bzr ] && [ -d .bzr ]; then + if ! bzr add -q .; then + echo "etckeeper warning: bzr add failed" >&2 + fi +fi 
diff --git a/etckeeper/commit.d/30darcs-add b/etckeeper/commit.d/30darcs-add new file mode 100755 index 0000000..98be4bf --- /dev/null +++ b/etckeeper/commit.d/30darcs-add @@ -0,0 +1,14 @@ +#!/bin/sh +set -e + +if [ "$VCS" = darcs ] && [ -d _darcs ]; then + rc=0 + res=$( darcs add -qr . 2>&1 ) || rc=$? + if test $rc -ne 0; then + if ! test $rc -eq 2 -a "${res%No files were added}" != "$res"; then + printf "%s" "$res" + echo "etckeeper warning: darcs add failed" >&2 + fi + fi + unset rc res +fi diff --git a/etckeeper/commit.d/30git-add b/etckeeper/commit.d/30git-add new file mode 100755 index 0000000..b08b583 --- /dev/null +++ b/etckeeper/commit.d/30git-add @@ -0,0 +1,8 @@ +#!/bin/sh +set -e + +if [ "$VCS" = git ] && [ -d .git ]; then + if ! git add --all; then + echo "etckeeper warning: git add --all" >&2 + fi +fi diff --git a/etckeeper/commit.d/30hg-addremove b/etckeeper/commit.d/30hg-addremove new file mode 100755 index 0000000..1b999bb --- /dev/null +++ b/etckeeper/commit.d/30hg-addremove @@ -0,0 +1,8 @@ +#!/bin/sh +set -e + +if [ "$VCS" = hg ] && [ -d .hg ]; then + if ! hg addremove .; then + echo "etckeeper warning: hg addremove failed" >&2 + fi +fi diff --git a/etckeeper/commit.d/50vcs-commit b/etckeeper/commit.d/50vcs-commit new file mode 100755 index 0000000..7c6173f --- /dev/null +++ b/etckeeper/commit.d/50vcs-commit 
@@ -0,0 +1,113 @@
+#!/bin/sh
+set -e
+
+cleanup () {
+ if [ -n "$logfile" ]; then
+ rm -f "$logfile"
+ fi
+}
+if [ -n "$1" ]; then
+ trap cleanup EXIT
+ logfile="$(mktemp -t etckeeper-$VCS.XXXXXXXXXX)"
+ if [ "x$1" = "x--stdin" ]; then
+ cat > "$logfile"
+ else
+ if [ "x$1" = "x-m" ]; then
+ shift 1
+ fi
+ echo "$1" > "$logfile"
+ fi
+else
+ logfile=""
+fi
+
+hostname=`hostname`
+hostname="${hostname%%.*}"
+dnsdomainname=`dnsdomainname 2>/dev/null || true`
+if [ -n "$dnsdomainname" ]; then
+ hostname="$hostname.$dnsdomainname"
+fi
+
+USER=
+if [ -n "$SUDO_USER" ]; then
+ USER="$SUDO_USER"
+else
+ # try to check tty ownership, in case user su'd to root
+ TTY="$(tty 2>/dev/null || true)"
+ if [ -n "$TTY" ] && [ -c "$TTY" ]; then
+ USER="$(find "$TTY" -printf "%u")"
+ fi
+fi
+
+if [ "$VCS" = git ] && [ -d .git ]; then
+ if [ -n "$USER" ]; then
+ # Use user.name and user.email from the gitconfig belonging
+ # to the user who became root.
+ USER_HOME="$(perl -e 'print ((getpwnam(shift()))[7])' "$USER")"
+ if [ -n "$USER_HOME" ] && [ -e "$USER_HOME/.gitconfig" ]; then
+ if [ -z "$GIT_AUTHOR_NAME" ]; then
+ GIT_AUTHOR_NAME="$(git config -f "$USER_HOME/.gitconfig" user.name)" || true
+ export GIT_AUTHOR_NAME
+ fi
+ if [ -z "$GIT_AUTHOR_EMAIL" ]; then
+ GIT_AUTHOR_EMAIL="$(git config -f "$USER_HOME/.gitconfig" user.email)" || true
+ export GIT_AUTHOR_EMAIL
+ fi
+ fi
+ if [ -z "$GIT_COMMITTER_EMAIL" ]; then
+ GIT_COMMITER_EMAIL="$(git config --global user.email)" || true
+ export GIT_COMMITER_EMAIL
+ fi
+
+ if [ -z "$GIT_AUTHOR_NAME" ]; then
+ GIT_AUTHOR_NAME="$USER"
+ export GIT_AUTHOR_NAME
+ fi
+ if [ -z "$GIT_AUTHOR_EMAIL" ]; then
+ GIT_AUTHOR_EMAIL="$USER@$hostname"
+ export GIT_AUTHOR_EMAIL
+ fi
+ if [ -z "$GIT_COMMITTER_EMAIL" ]; then
+ GIT_COMMITTER_EMAIL=`whoami`"@$hostname"
+ export GIT_COMMITTER_EMAIL
+ fi
+ fi
+ if [ -n "$logfile" ]; then
+ git commit $GIT_COMMIT_OPTIONS -F "$logfile"
+ else
+ git commit $GIT_COMMIT_OPTIONS
+ fi
+elif [ "$VCS" = hg ] && [ -d .hg ]; then
+ if [ -n "$USER" ]; then
+ LOGNAME="$USER"
+ export LOGNAME
+ fi
+ if [ -z "$HGUSER" ]; then
+ HGUSER="$USER@$hostname"
+ export HGUSER
+ fi
+ if [ -n "$logfile" ]; then
+ hg commit $HG_COMMIT_OPTIONS -l "$logfile"
+ else
+ hg commit $HG_COMMIT_OPTIONS
+ fi
+elif [ "$VCS" = bzr ] && [ -d .bzr ]; then
+ if [ -z "$EMAIL" ] && [ -n "$USER" ]; then
+ EMAIL="$USER <$USER@$hostname>"
+ export EMAIL
+ fi
+ if [ -n "$logfile" ]; then
+ bzr commit $BZR_COMMIT_OPTIONS -F "$logfile"
+ else
+ bzr commit $BZR_COMMIT_OPTIONS
+ fi
+elif [ "$VCS" = darcs ] && [ -d _darcs ]; then
+ if [ -z "$USER" ]; then
+ USER=root
+ fi
+ if [ -n "$logfile" ]; then
+ darcs record --author="$USER" $DARCS_COMMIT_OPTIONS --logfile="$logfile"
+ else
+ darcs record --author="$USER" $DARCS_COMMIT_OPTIONS
+ fi
+fi
diff --git a/etckeeper/commit.d/99push b/etckeeper/commit.d/99push
new file mode 100755
index 0000000..b5418f7
--- /dev/null
+++ b/etckeeper/commit.d/99push
@@ -0,0 +1,14 @@
+#!/bin/sh
+if [ -n "$PUSH_REMOTE" ]; then
+ if [ "$VCS" = git ] && [ -d .git ]; then
+ for REMOTE in $PUSH_REMOTE; do
+ git push "$REMOTE" master || true
+ done
+ elif [ "$VCS" = hg ] && [ -d .hg ]; then
+ for REMOTE in $PUSH_REMOTE; do
+ hg push "$REMOTE" || true
+ done
+ else
+ echo "PUSH_REMOTE not yet supported for $VCS" >&2
+ fi
+fi
diff --git a/etckeeper/commit.d/README b/etckeeper/commit.d/README
new file mode 100644
index 0000000..25d0d45
--- /dev/null
+++ b/etckeeper/commit.d/README
@@ -0,0 +1,3 @@
+Files in this directory are run when there might be changes to commit.
+(Before and after packages are installed, upgraded, etc.)
+They should commit changes and new files in /etc to repository.
diff --git a/etckeeper/etckeeper.conf b/etckeeper/etckeeper.conf
new file mode 100644
index 0000000..f988c10
--- /dev/null
+++ b/etckeeper/etckeeper.conf
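Review bot: In commit.d/50vcs-commit the git branch assigns and exports `GIT_COMMITER_EMAIL` (one T), a name git does not read, so the address taken from `git config --global user.email` never reaches the commit. `GIT_COMMITTER_EMAIL` is still empty after that block, so the later fallback always replaces it with the whoami@hostname form, and the committer recorded for changes to /etc is the generic one rather than the configured address. The two lines should read `GIT_COMMITTER_EMAIL="$(git config --global user.email)" || true` and `export GIT_COMMITTER_EMAIL`.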
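Review bot: In commit.d/99push both push loops end in `|| true` and print nothing, so a remote that starts rejecting or timing out is never reported and the off-host copy of the /etc history can fall behind unnoticed. A warning on stderr keeps the best-effort behaviour while leaving a trace: `git push "$REMOTE" master || echo "etckeeper warning: git push to $REMOTE failed" >&2`, and the same for the hg loop.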
@@ -0,0 +1,43 @@ +# The VCS to use. +#VCS="hg" +VCS="git" +#VCS="bzr" +#VCS="darcs" + +# Options passed to git commit when run by etckeeper. +GIT_COMMIT_OPTIONS="" + +# Options passed to hg commit when run by etckeeper. +HG_COMMIT_OPTIONS="" + +# Options passed to bzr commit when run by etckeeper. +BZR_COMMIT_OPTIONS="" + +# Options passed to darcs record when run by etckeeper. +DARCS_COMMIT_OPTIONS="-a" + +# Uncomment to avoid etckeeper committing existing changes +# to /etc automatically once per day. +#AVOID_DAILY_AUTOCOMMITS=1 + +# Uncomment the following to avoid special file warning +# (the option is enabled automatically by cronjob regardless). +#AVOID_SPECIAL_FILE_WARNING=1 + +# Uncomment to avoid etckeeper committing existing changes to +# /etc before installation. It will cancel the installation, +# so you can commit the changes by hand. +#AVOID_COMMIT_BEFORE_INSTALL=1 + +# The high-level package manager that's being used. +# (apt, pacman-g2, yum, zypper etc) +HIGHLEVEL_PACKAGE_MANAGER=apt + +# The low-level package manager that's being used. +# (dpkg, rpm, pacman, pacman-g2, etc) +LOWLEVEL_PACKAGE_MANAGER=dpkg + +# To push each commit to a remote, put the name of the remote here. +# (eg, "origin" for git). Space-separated lists of multiple remotes +# also work (eg, "origin gitlab github" for git). +PUSH_REMOTE="" diff --git a/etckeeper/init.d/10restore-metadata b/etckeeper/init.d/10restore-metadata new file mode 100755 index 0000000..9c2bf65 --- /dev/null +++ b/etckeeper/init.d/10restore-metadata 
@@ -0,0 +1,14 @@
+#!/bin/sh
+set -e
+
+# Note that metastore doesn't check that the .metastore file only changes
+# perms of files in the current directory. It's ok to trust the .metastore
+# file won't do anything shady, because, as documented, etckeeper-init
+# should only be run on repositories you trust.
+if [ -e .metadata ]; then
+ if which metastore >/dev/null; then
+ metastore --apply --mtime
+ else
+ echo "etckeeper warning: legacy .metastore file is present but metastore is not installed" >&2
+ fi
+fi
diff --git a/etckeeper/init.d/20restore-etckeeper b/etckeeper/init.d/20restore-etckeeper
new file mode 100755
index 0000000..0485e63
--- /dev/null
+++ b/etckeeper/init.d/20restore-etckeeper
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+# Used by .etckeeper to run a command if the file it acts on
+# (the last parameter) exists.
+maybe () {
+ command="$1"
+ shift 1
+
+ if eval [ -e "\"\$$#\"" ]; then
+ "$command" "$@"
+ fi
+}
+
+# Yes, this runs code from the repository. As documented, etckeeper-init
+# should only be run on repositories you trust.
+if [ -e .etckeeper ]; then
+ . ./.etckeeper
+else
+ touch .etckeeper
+ chmod 600 .etckeeper
+fi
diff --git a/etckeeper/init.d/40vcs-init b/etckeeper/init.d/40vcs-init
new file mode 100755
index 0000000..3c7a3bb
--- /dev/null
+++ b/etckeeper/init.d/40vcs-init
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+
+if [ "$VCS" = git ] && [ ! -e .git ]; then
+ git init
+ echo "$(hostname) /etc repository" > .git/description
+elif [ "$VCS" = hg ] && [ ! -e .hg ]; then
+ hg init
+ echo "[web]" > .hg/hgrc
+ echo "description = $(hostname) /etc repository" >> .hg/hgrc
+elif [ "$VCS" = bzr ] && [ ! -e .bzr ]; then
+ bzr init
+ bzr nick "$(hostname) /etc repository"
+elif [ "$VCS" = darcs ] && [ ! -e _darcs ]; then
+ darcs initialize
+ echo "$(hostname) /etc repository" > _darcs/prefs/motd
+fi
diff --git a/etckeeper/init.d/50vcs-ignore b/etckeeper/init.d/50vcs-ignore
new file mode 100755
index 0000000..33d79d3
--- /dev/null
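Review bot: The guard in init.d/10restore-metadata tests `.metadata`, but the header comment and the warning both call the file `.metastore`, so the message an admin sees names a file the script never looks at. Since pre-commit.d/30store-metadata also treats `.metadata` as the obsolete file, the text is presumably what is wrong: `echo "etckeeper warning: legacy .metadata file is present but metastore is not installed" >&2`, with the comment adjusted to match. The comment should also say that `metastore --apply` runs with the privileges of the init run.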
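Review bot: The `-e` test before `. ./.etckeeper` in init.d/20restore-etckeeper also passes for a symlink, and whatever it points at is then sourced with the privileges of the init run; the comment covers trusting the repository but not the state of the working copy. A check placed ahead of the `if` keeps the sourced input to a file that lives in this directory: `[ ! -L .etckeeper ] || { echo "etckeeper warning: .etckeeper is a symlink, not sourcing it" >&2; exit 1; }`. The else branch creates the file with `chmod 600` while pre-commit.d/30store-metadata sets 700 on the same file; one mode should be chosen and the reason noted in a comment.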
+++ b/etckeeper/init.d/50vcs-ignore @@ -0,0 +1,4 @@ +#!/bin/sh +set -e + +etckeeper update-ignore -a || true diff --git a/etckeeper/init.d/50vcs-perm b/etckeeper/init.d/50vcs-perm new file mode 100755 index 0000000..4dd080b --- /dev/null +++ b/etckeeper/init.d/50vcs-perm @@ -0,0 +1,12 @@ +#!/bin/sh +set -e + +if [ "$VCS" = git ]; then + chmod 700 .git +elif [ "$VCS" = hg ]; then + chmod 700 .hg +elif [ "$VCS" = bzr ]; then + chmod 700 .bzr +elif [ "$VCS" = darcs ]; then + chmod 700 _darcs +fi diff --git a/etckeeper/init.d/50vcs-pre-commit-hook b/etckeeper/init.d/50vcs-pre-commit-hook new file mode 100755 index 0000000..6045981 --- /dev/null +++ b/etckeeper/init.d/50vcs-pre-commit-hook @@ -0,0 +1,49 @@ +#!/bin/sh +set -e + +case "$VCS" in + git) + if [ -x .git/hooks/pre-commit ]; then + if ! grep -q "etckeeper pre-commit" .git/hooks/pre-commit; then + echo "etckeeper warning: .git/hooks/pre-commit needs to be manually modified to run: etckeeper pre-commit -d `pwd`" >&2 + fi + else + cat >.git/hooks/pre-commit <&2 + fi + else + touch .hg/hgrc + cat >>.hg/hgrc <&2 + fi + else + cat >_darcs/prefs/defaults < "$patternsfile" || true + grep -Evf "$patternsfile" + rm -f "$patternsfile" + unset patternsfile + else + cat - + fi +} + + +if [ "$VCS" = darcs ];then + NOVCS='. -path ./.git -prune -o -path ./.bzr -prune -o -path ./.hg -prune -o -path ./_darcs -prune -o' + + # We assume that if .etckeeper is empty this is the first run + if [ -s .etckeeper ]; then + linksindex="$( mktemp -t etckeeper-$VCS.XXXXXXXXXX )" + grep '^ln -s' .etckeeper | while IFS="'" read n n n link n; do + printf "%s\n" "$link" >> "$linksindex" + done + + # Warn about symbolic links that shouldn't exist + if links=$( find $NOVCS -type l -print | filter_ignore | grep -vFf "$linksindex" ); then + printf "%s\n%s\n" \ + "The following symbolic links should not exist:" \ + "$links" >&2 + fi + + rm -f "$linksindex" + unset links linksindex + fi + +fi 
diff --git a/etckeeper/init.d/70vcs-add b/etckeeper/init.d/70vcs-add new file mode 100755 index 0000000..9a9ec45 --- /dev/null +++ b/etckeeper/init.d/70vcs-add @@ -0,0 +1,27 @@ +#!/bin/sh +set -e + +if [ "$VCS" = git ]; then + if ! git add .; then + echo "etckeeper warning: git add failed" >&2 + fi +elif [ "$VCS" = hg ]; then + if ! hg add .; then + echo "etckeeper warning: hg add failed" >&2 + fi +elif [ "$VCS" = bzr ]; then + if ! bzr add .; then + echo "etckeeper warning: bzr add failed" >&2 + fi +elif [ "$VCS" = darcs ]; then + # Don't warn if all the files were already added. + rc=0 + res=$( darcs add -qr . 2>&1 ) || rc=$? + if test $rc -ne 0; then + if ! test $rc -eq 2 -a "${res%No files were added}" != "$res"; then + printf "%s" "$res" + echo "etckeeper warning: darcs add failed" >&2 + fi + fi + unset rc res +fi diff --git a/etckeeper/init.d/README b/etckeeper/init.d/README new file mode 100644 index 0000000..90aec67 --- /dev/null +++ b/etckeeper/init.d/README @@ -0,0 +1,13 @@ +Executable files in this directory are run to initialise the working directory +for use by etckeeper. If the working directory is not already in version +control, that includes setting up the version control, but not actually +committing anything. If the working directory is in version control, +it includes applying stored metadata to the checked out files in the +working directory. + +Please be careful to *never* overwrite existing files/directories +in the working directory (or use absolute care when doing so). If a file +you need to write already exists, check if its contents are sane, and +if not, emit a warning on stderr. + +If initialisation fails, exit nonzero and no later files will be run. diff --git a/etckeeper/list-installed.d/50list-installed b/etckeeper/list-installed.d/50list-installed new file mode 100755 index 0000000..f392027 --- /dev/null +++ b/etckeeper/list-installed.d/50list-installed 
@@ -0,0 +1,12 @@
+#!/bin/sh
+# Output to stdout a *sorted* list of all currently installed
+# (or removed but still with config-files) packages, in the
+# format "package version\n" (or something similar).
+if [ "$LOWLEVEL_PACKAGE_MANAGER" = dpkg ]; then
+ dpkg-query -W -f '${Status}\t${Package} ${Version}\n' | \
+ egrep '(ok installed|ok config-files)' | cut -f2,3
+elif [ "$LOWLEVEL_PACKAGE_MANAGER" = rpm ]; then
+ rpm -qa --qf "%|epoch?{%{epoch}}:{0}|:%{name}-%{version}-%{release}.%{arch}\n" | sort
+elif [ "$LOWLEVEL_PACKAGE_MANAGER" = pacman ]; then
+ pacman -Q
+fi
diff --git a/etckeeper/post-install.d/50vcs-commit b/etckeeper/post-install.d/50vcs-commit
new file mode 100755
index 0000000..36f3ee4
--- /dev/null
+++ b/etckeeper/post-install.d/50vcs-commit
@@ -0,0 +1,30 @@
+#!/bin/sh
+set -e
+
+pl="/var/cache/etckeeper/packagelist"
+
+if etckeeper unclean; then
+ message="committing changes in /etc after $HIGHLEVEL_PACKAGE_MANAGER run"
+
+ set +e
+ if [ -e $pl.pre-install ]; then
+ (
+ echo "$message"
+ echo
+ echo "Package changes:"
+ etckeeper list-installed | diff -U0 $pl.pre-install - | tail -n+4 | egrep '^[-+]' || true
+ ) | etckeeper commit --stdin
+ else
+ etckeeper commit "$(printf "$message")"
+ fi
+ status=$?
+ set -e
+
+ if [ "$status" != 0 ]; then
+ echo "warning: etckeeper failed to commit changes in /etc using $VCS" >&2
+ fi
+fi
+
+if [ -e $pl.pre-install ]; then
+ rm -f $pl.pre-install
+fi
diff --git a/etckeeper/post-install.d/README b/etckeeper/post-install.d/README
new file mode 100644
index 0000000..62f4f9c
--- /dev/null
+++ b/etckeeper/post-install.d/README
@@ -0,0 +1,2 @@
+Files in this directory are run after packages are installed, upgraded, etc.
+They should commit changes and new files in /etc to repository.
diff --git a/etckeeper/pre-commit.d/20warn-problem-files b/etckeeper/pre-commit.d/20warn-problem-files
new file mode 100755
index 0000000..f28d5ac
--- /dev/null
+++ b/etckeeper/pre-commit.d/20warn-problem-files
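Review bot: In post-install.d/50vcs-commit the fallback `etckeeper commit "$(printf "$message")"` passes the commit message as the printf format string, and `$message` embeds `$HIGHLEVEL_PACKAGE_MANAGER` from the configuration, so a `%` or backslash in that value is interpreted rather than recorded. The message contains no escapes that need expanding, so `etckeeper commit "$message"` does the same job. The three uses of `$pl.pre-install` are unquoted as well; `"$pl.pre-install"` is the safer spelling.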
@@ -0,0 +1,30 @@
+#!/bin/sh
+set -e
+
+exclude_internal () {
+ egrep -v '(^|/)(.git|.hg|.bzr|_darcs)/'
+}
+
+if [ "$VCS" = bzr ] || [ "$VCS" = darcs ]; then
+ special=$(find . ! -type d ! -type f ! -type l | exclude_internal) || true
+ hardlinks=$(find . -type f ! -links 1 | exclude_internal ) || true
+elif [ "$VCS" = hg ]; then
+ special=$(find . ! -type d ! -type f ! -type l | exclude_internal) || true
+ hardlinks=$(find . -type f ! -links 1 -exec hg status {} \; | exclude_internal ) || true
+elif [ "$VCS" = git ]; then
+ special=$(find . ! -type d ! -type f ! -type l -exec git ls-files --exclude-standard --cached --others {} \; | exclude_internal) || true
+ hardlinks=$(find . -type f ! -links 1 -exec git ls-files --exclude-standard --cached --others {} \; | exclude_internal) || true
+else
+ special=""
+fi
+
+if [ -n "$special" ] && [ -z "$AVOID_SPECIAL_FILE_WARNING" ]; then
+ echo "etckeeper warning: special files could cause problems with $VCS:" >&2
+ echo "$special" >&2
+fi
+if [ -n "$hardlinks" ] && [ -z "$AVOID_SPECIAL_FILE_WARNING" ]; then
+ echo "etckeeper warning: hardlinked files could cause problems with $VCS:" >&2
+ echo "$hardlinks" >&2
+fi
+
+true
diff --git a/etckeeper/pre-commit.d/30store-metadata b/etckeeper/pre-commit.d/30store-metadata
new file mode 100755
index 0000000..edec06b
--- /dev/null
+++ b/etckeeper/pre-commit.d/30store-metadata
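Review bot: The dots in the `exclude_internal` pattern of pre-commit.d/20warn-problem-files are unescaped, so `.git`, `.hg` and `.bzr` match any character in the first position and a directory named, say, `xgit` is filtered out as if it were VCS-internal. Special files and hardlinks below such a directory are then dropped from the warning without any trace. Escaping the dots closes the gap: `egrep -v '(^|/)(\.git|\.hg|\.bzr|_darcs)/'`. The final `else` branch also sets only `special`, leaving `hardlinks` to whatever the environment holds; `hardlinks=""` belongs next to it.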
@@ -0,0 +1,153 @@
+#!/bin/sh
+set -e
+
+# Filters out UNKNOWN users and groups, prints a warning on stderr.
+filter_unknown() {
+ CMD=$1
+ while read line; do
+ # if the first n chars of $line equal "$CMD UNKNOWN "...
+ if [ "$(printf %.$((9+${#CMD}))s "$line")" = "$CMD UNKNOWN " ]; then
+ echo Bad "$2" for "$line" >&2
+ else
+ echo "$line"
+ fi
+ done
+}
+
+filter_ignore() {
+ case "$VCS" in
+ darcs) ignorefile=.darcsignore ;;
+ git) ignorefile=.gitignore ;;
+ esac
+
+ if [ -n "$ignorefile" ] && [ -e "$ignorefile" ]; then
+ listfile="$( mktemp -t etckeeper-$VCS.XXXXXXXXXX )"
+ case "$VCS" in
+ darcs)
+ grep -v '^[[:space:]]*\(#\|$\)' "$ignorefile" > "$listfile" || true
+ grep -Evf "$listfile"
+ ;;
+ git)
+ (git ls-files -oi --exclude-standard; git ls-files -oi --exclude-standard --directory) | sort | uniq > "$listfile" || true
+ sed 's/^\.\///' | grep -xFvf "$listfile"
+ ;;
+ esac
+ rm -f "$listfile"
+ unset listfile
+ else
+ cat -
+ fi
+}
+
+shellquote() {
+ # Single quotes text, escaping existing single quotes.
+ sed -e "s/'/'\"'\"'/g" -e "s/^/'/" -e "s/$/'/"
+}
+
+generate_metadata() {
+ # This function generates the script commands to fix any file
+ # ownerships that aren't owner=root, group=root, as well as to
+ # store the permissions of files.
+ # The script is produced on stdout. Errors go to stderr.
+ #
+ # The script can use a 'maybe' function, which only runs a command
+ # if the file in its last argument exists.
+
+ # We want files in the directory containing VCS data
+ # but we want find to ignore the VCS files themselves.
+ #
+ # (Note that when using this, the find expression must end with
+ # -print or -exec, else the excluded directories will actually be
+ # printed!)
+ NOVCS='. -path ./.git -prune -o -path ./.bzr -prune -o -path ./.hg -prune -o -path ./_darcs -prune -o'
+
+ # Keep the sort order the same at all times.
+ LC_COLLATE=C
+ export LC_COLLATE
+
+ if [ "$VCS" = git ] || [ "$VCS" = hg ]; then
+ # These version control systems do not track directories,
+ # so empty directories must be stored specially.
+ find $NOVCS -type d -empty -print |
+ sort | shellquote | sed -e "s/^/mkdir -p /"
+ fi
+
+ if [ "$VCS" = darcs ]; then
+ # This version control system does not track symlinks,
+ # so they must be stored specially.
+ find $NOVCS -type l -print | sort | filter_ignore | while read link; do
+ dest=$( readlink "$link" )
+ printf "ln -sf '%s' '%s'\n" "$(echo "$dest" | shellquote)" "$(echo "$link" | shellquote)"
+ done
+ fi
+
+ # Store things that don't have the default user or group.
+ # Store all file modes, in case the user has an unusual umask.
+ find $NOVCS \( -type f -or -type d \) -print | filter_ignore | sort | perl -ne '
+ BEGIN { $q=chr(39) }
+ sub uidname {
+ my $want=shift;
+ if (exists $uidcache{$want}) {
+ return $uidcache{$want};
+ }
+ my $name=scalar getpwuid($want);
+ return $uidcache{$want}=defined $name ? $name : $want;
+ }
+ sub gidname {
+ my $want=shift;
+ if (exists $gidcache{$want}) {
+ return $gidcache{$want};
+ }
+ my $name=scalar getgrgid($want);
+ return $gidcache{$want}=defined $name ? $name : $want;
+ }
+ chomp;
+ my @stat=stat($_);
+ my $mode = $stat[2];
+ my $uid = $stat[4];
+ my $gid = $stat[5];
+ s/$q/$q"$q"$q/g; # escape single quotes
+ s/^/$q/;
+ s/$/$q/;
+ if ($uid != $>) {
+ printf "maybe chown $q%s$q %s\n", uidname($uid), $_;
+ }
+ if ($gid != $)) {
+ printf "maybe chgrp $q%s$q %s\n", gidname($gid), $_;
+ }
+ printf "maybe chmod %04o %s\n", $mode & 07777, $_;
+ '
+
+ # We don't handle xattrs.
+ # Maybe check for getfattr/setfattr and use them if they're available?
+}
+
+if [ "$VCS" = git ] || [ "$VCS" = hg ] || [ "$VCS" = bzr ] || [ "$VCS" = darcs ]; then
+ if [ -f .metadata ]; then
+ # remove obsolete .metadata file
+ # git allows fully deleting it at this point, other VCS
+ # may not (the repo is locked for hg).
+ if [ "$VCS" = git ]; then
+ $VCS rm .metadata
+ else
+ rm -f .metadata
+ fi
+ fi
+
+ echo "# Generated by etckeeper. Do not edit." > .etckeeper
+ echo >> .etckeeper
+
+ # Make sure the file is not readable by others, since it can leak
+ # information about contents of non-readable directories in /etc.
+ chmod 700 .etckeeper
+
+ generate_metadata >> .etckeeper
+
+ # stage the file as part of the current commit
+ if [ "$VCS" = git ]; then
+ # this will do nothing if the metadata file is unchanged.
+ git add .etckeeper
+ fi
+ # hg, bzr and darcs add not done, they will automatically
+ # include the file in the current commit
+fi
diff --git a/etckeeper/pre-commit.d/README b/etckeeper/pre-commit.d/README
new file mode 100644
index 0000000..051d094
--- /dev/null
+++ b/etckeeper/pre-commit.d/README
@@ -0,0 +1,2 @@
+This is run by a git pre-commit hook before committing changes to the
+repository. This can be used for storing metadata, and for sanity checks.
diff --git a/etckeeper/pre-install.d/10packagelist b/etckeeper/pre-install.d/10packagelist
new file mode 100755
index 0000000..e5fefa8
--- /dev/null
+++ b/etckeeper/pre-install.d/10packagelist
@@ -0,0 +1,4 @@
+#!/bin/sh
+# This list will be later used when committing.
+mkdir -p /var/cache/etckeeper/
+etckeeper list-installed > /var/cache/etckeeper/packagelist.pre-install
diff --git a/etckeeper/pre-install.d/50uncommitted-changes b/etckeeper/pre-install.d/50uncommitted-changes
new file mode 100755
index 0000000..969d341
--- /dev/null
+++ b/etckeeper/pre-install.d/50uncommitted-changes
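Review bot: In the darcs branch of `generate_metadata` (pre-commit.d/30store-metadata) the link and its target are quoted twice: `shellquote` already wraps its input in single quotes and the format `"ln -sf '%s' '%s'\n"` wraps it again, so the emitted line has the form `ln -sf ''dest'' ''link''` and the name itself ends up outside any quotes. Because init.d/20restore-etckeeper sources .etckeeper, a symlink name or target containing whitespace or shell metacharacters is then split or interpreted instead of reaching ln as one argument. Dropping the quotes from the format, `printf "ln -sf %s %s\n"` with the same two arguments, leaves shellquote as the only quoting layer, as the `mkdir -p` branch already does. The loop head should also become `while IFS= read -r link; do` so that backslashes and leading blanks in names survive.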
@@ -0,0 +1,15 @@ +#!/bin/sh +set -e + +if etckeeper unclean; then + if [ "$AVOID_COMMIT_BEFORE_INSTALL" = 1 ]; then + echo "" >&2 + echo "** etckeeper detected uncommitted changes in /etc prior to $HIGHLEVEL_PACKAGE_MANAGER run" >&2 + echo "** Aborting $HIGHLEVEL_PACKAGE_MANAGER run. Manually commit and restart." >&2 + echo "" >&2 + exit 1 + fi + if ! etckeeper commit "saving uncommitted changes in /etc prior to $HIGHLEVEL_PACKAGE_MANAGER run"; then + echo "warning: etckeeper failed to commit changes in /etc using $VCS" >&2 + fi +fi diff --git a/etckeeper/pre-install.d/README b/etckeeper/pre-install.d/README new file mode 100644 index 0000000..a3b5a57 --- /dev/null +++ b/etckeeper/pre-install.d/README @@ -0,0 +1,3 @@ +Files in this directory are run before packages are installed, upgraded, +etc. This is mostly used for sanity checks, ie, does /etc have any +uncommitted changes? diff --git a/etckeeper/unclean.d/50test b/etckeeper/unclean.d/50test new file mode 100755 index 0000000..e52003f --- /dev/null +++ b/etckeeper/unclean.d/50test @@ -0,0 +1,12 @@ +#!/bin/sh +set -e + +if [ "$VCS" = git ]; then + [ -d .git ] && [ -n "`git status --porcelain`" ] +elif [ "$VCS" = hg ]; then + [ -d .hg ] && ! hg status 2>&1 | wc -l | grep -q "^0$" +elif [ "$VCS" = bzr ]; then + [ -d .bzr ] && ! bzr version-info --custom --template="{clean}\n" | grep -q "^1$" +elif [ "$VCS" = darcs ]; then + [ -d _darcs ] && darcs whatsnew -l >/dev/null +fi diff --git a/etckeeper/unclean.d/README b/etckeeper/unclean.d/README new file mode 100644 index 0000000..74bfbdd --- /dev/null +++ b/etckeeper/unclean.d/README @@ -0,0 +1,2 @@ +Files in this directory are used to test if the working copy has +uncommitted changes. diff --git a/etckeeper/uninit.d/01prompt b/etckeeper/uninit.d/01prompt new file mode 100755 index 0000000..8b43937 --- /dev/null +++ b/etckeeper/uninit.d/01prompt 
@@ -0,0 +1,20 @@ +#!/bin/sh +set -e + +if [ "$1" != "-f" ]; then + echo "** Warning: This will DESTROY all recorded history for $ETCKEEPER_DIR," + echo "** including the $VCS repository." + echo "" + printf "Are you sure you want to do this? [yN] " + read answer + case "$answer" in + [Yy]*) + echo "Proceeding.." + exit 0 + ;; + *) + echo "Aborting etckeeper uninit." + exit 1 + ;; + esac +fi diff --git a/etckeeper/uninit.d/50remove-metadata b/etckeeper/uninit.d/50remove-metadata new file mode 100755 index 0000000..0be8d36 --- /dev/null +++ b/etckeeper/uninit.d/50remove-metadata @@ -0,0 +1,6 @@ +#!/bin/sh +set -e + +# Files generated by etckeeper to store metadata the VCS cannot preserve. +rm -f .etckeeper +rm -f .metadata # only generated by old versions diff --git a/etckeeper/uninit.d/50vcs-uninit b/etckeeper/uninit.d/50vcs-uninit new file mode 100755 index 0000000..b330f1b --- /dev/null +++ b/etckeeper/uninit.d/50vcs-uninit 
@@ -0,0 +1,54 @@ +#!/bin/sh +set -e + +if [ "$VCS" = git ]; then + rm -rf .git + file=.gitignore +elif [ "$VCS" = hg ]; then + rm -rf .hg + file=.hgignore +elif [ "$VCS" = bzr ]; then + rm -rf .bzr + file=.bzrignore +elif [ "$VCS" = darcs ]; then + rm -rf _darcs + file=.darcsignore +fi + +managed_by_etckeeper="managed by etckeeper" + +if ! grep -q "$managed_by_etckeeper" "$file"; then + exit 0 +else + realfile="$file" + if which tempfile >/dev/null 2>&1 || type -p tempfile >/dev/null 2>&1; then + tempfile="tempfile" + elif which mktemp >/dev/null 2>&1 || type -p mktemp >/dev/null 2>&1; then + tempfile="mktemp" + else + echo "etckeeper warning: can't find tempfile or mktemp" >&2 + exit 1 + fi + file=$($tempfile) + otherentries= + skipping= + while read -r line; do + if echo "$line" | grep -q "$managed_by_etckeeper"; then + if [ ! "$skipping" ]; then + skipping=1 + else + skipping= + fi + elif [ ! "$skipping" ]; then + echo "$line" >> "$file" + otherentries=1 + fi + done <"$realfile" + + if [ "$otherentries" ]; then + mv -f "$file" "$realfile" + else + rm -f "$file" + rm -f "$realfile" + fi +fi diff --git a/etckeeper/uninit.d/README b/etckeeper/uninit.d/README new file mode 100644 index 0000000..d1a4eaa --- /dev/null +++ b/etckeeper/uninit.d/README @@ -0,0 +1,2 @@ +Executable files in this directory are run to uninitialise the working +directory, removing files added by `etckeeper init`. diff --git a/etckeeper/update-ignore.d/01update-ignore b/etckeeper/update-ignore.d/01update-ignore new file mode 100755 index 0000000..528ff8a --- /dev/null +++ b/etckeeper/update-ignore.d/01update-ignore 
@@ -0,0 +1,205 @@ +#!/bin/sh +set -e + +if [ "$VCS" = git ]; then + dir=.git + file=.gitignore +elif [ "$VCS" = hg ]; then + dir=.hg + file=.hgignore +elif [ "$VCS" = bzr ]; then + dir=.bzr + file=.bzrignore +elif [ "$VCS" = darcs ]; then + dir=_darcs + file=.darcsignore +else + echo "etckeeper: unsupported VCS $VCS" >&2 + exit 1 +fi + +if [ ! -d "$dir" ]; then + exit 0 +fi + +managed_by_etckeeper="managed by etckeeper" + +nl() { + echo >>"$file" +} + +comment() { + comment="$1" + echo "# $comment" >>"$file" +} + +ignore() { + glob="$1" + + case "$VCS" in + git) + # escape "#" in ignores, as otherwise it may + # be considered a comment + echo "$glob" | sed 's/#/\\#/g' >>"$file" + ;; + bzr) + echo "$glob" >>"$file" + ;; + hg) + # rather than converting the glob to a regexp, just + # configure hg to use globs + if [ -z "$hg_syntax_printed" ]; then + comment "use glob syntax" + echo "syntax: glob" >>"$file" + nl + hg_syntax_printed=1 + fi + echo "$glob" | sed 's/#/\\#/g' >>"$file" + ;; + darcs) + # darcs doesn't understand globs, so we need to + # translate them into regexs. Not a complete converter, + # but suitable for given globs. 
+ if [ "${glob%\*}" != "$glob" ]; then + glob="${glob%\*}" + else + glob="$glob"'($|/)' + fi + if [ "${glob#\*}" != "$glob" ]; then + glob="${glob#\*}" + else + glob='(^|/)'"$glob" + fi + glob="$( printf %s $glob | sed -e 's/\./\\./g;s/\*/[^\/]*/g;s/\?/[^\/]/g' )" + echo "$glob" >>"$file" + esac +} + +writefile () { + comment "begin section $managed_by_etckeeper (do not edit this section by hand)" + nl + + if [ "$VCS" = darcs ]; then + darcs setpref boringfile .darcsignore + fi + + if [ "$LOWLEVEL_PACKAGE_MANAGER" = dpkg ]; then + comment "new and old versions of conffiles, stored by dpkg" + ignore "*.dpkg-*" + comment "new and old versions of conffiles, stored by ucf" + ignore "*.ucf-*" + nl + elif [ "$LOWLEVEL_PACKAGE_MANAGER" = "rpm" ]; then + comment "new and old versions of conffiles, stored by apt/rpm" + ignore "*.rpm*" + nl + elif [ "$LOWLEVEL_PACKAGE_MANAGER" = "pacman-g2" -o "$LOWLEVEL_PACKAGE_MANAGER" = "pacman" ]; then + comment "new and old versions of conffiles, stored by pacman" + ignore "*.pacnew" + ignore "*.pacorig" + ignore "*.pacsave" + nl + fi + + comment "old versions of files" + ignore "*.old" + # Not currently ignored as admins tend to rely on these files. 
+ #ignore "passwd-" + #ignore "group-" + #ignore "shadow-" + #ignore "gshadow-" + nl + + comment "mount(8) records system state here, no need to store these" + ignore blkid.tab + ignore blkid.tab.old + nl + + comment "some other files in /etc that typically do not need to be tracked" + ignore nologin + ignore ld.so.cache + ignore prelink.cache + ignore mtab + ignore mtab.fuselock + ignore .pwd.lock + ignore "*.LOCK" + ignore network/run + ignore adjtime + ignore lvm/cache + ignore lvm/archive + ignore "X11/xdm/authdir/authfiles/*" + ignore ntp.conf.dhcp + ignore .initctl + ignore "webmin/fsdump/*.status" + ignore "webmin/webmin/oscache" + ignore "apparmor.d/cache/*" + ignore "service/*/supervise/*" + ignore "service/*/log/supervise/*" + ignore "sv/*/supervise/*" + ignore "sv/*/log/supervise/*" + ignore "*.elc" + ignore "*.pyc" + ignore "*.pyo" + ignore "init.d/.depend.*" + ignore "openvpn/openvpn-status.log" + ignore "cups/subscriptions.conf" + ignore "cups/subscriptions.conf.O" + ignore "fake-hwclock.data" + ignore "check_mk/logwatch.state" + nl + + comment "editor temp files" + ignore "*~" + ignore ".*.sw?" + ignore ".sw?" + ignore "#*#" + ignore DEADJOE + + nl + comment "end section $managed_by_etckeeper" +} + +if [ -e "$file" ]; then + if ! grep -q "$managed_by_etckeeper" "$file"; then + if [ "$1" != "-a" ]; then + echo "etckeeper: "$file" does not contain \"$managed_by_etckeeper\" comment; not updating" + exit 1 + else + echo "etckeeper: "$file" exists but does not contain \"$managed_by_etckeeper\" comment; updating" + writefile + exit 0 + fi + fi + realfile="$file" + if which tempfile >/dev/null 2>&1 || type -p tempfile >/dev/null 2>&1; then + tempfile="tempfile" + elif which mktemp >/dev/null 2>&1 || type -p mktemp >/dev/null 2>&1; then + tempfile="mktemp" + else + echo "etckeeper warning: can't find tempfile or mktemp" >&2 + fi + file=$($tempfile) + ( + skipping= + while read -r line; do + if echo "$line" | grep -q "$managed_by_etckeeper"; then + if [ ! 
"$skipping" ]; then + skipping=1 + else + skipping= + writefile + fi + elif [ ! "$skipping" ]; then + echo "$line" >> "$file" + fi + done + if [ "$skipping" ]; then + # reached end of file w/o ending block + writefile + fi + ) <"$realfile" + + mv -f "$file" "$realfile" +else + writefile +fi diff --git a/etckeeper/update-ignore.d/README b/etckeeper/update-ignore.d/README new file mode 100644 index 0000000..a573135 --- /dev/null +++ b/etckeeper/update-ignore.d/README @@ -0,0 +1,2 @@ +Executable files in this directory are run to update the VCS ignore file, +or create it if it does not exist. diff --git a/etckeeper/vcs.d/50vcs-cmd b/etckeeper/vcs.d/50vcs-cmd new file mode 100755 index 0000000..f515abb --- /dev/null +++ b/etckeeper/vcs.d/50vcs-cmd @@ -0,0 +1,11 @@ +#!/bin/sh +set -e + +# check whether we can locate the vcs binary +if [ -n "$VCS" ] && which "$VCS" > /dev/null; then + # pass commands to the VCS application + $VCS "$@" +else + echo "error: VCS ($VCS) not set or not in PATH" >&2 + exit 1 +fi diff --git a/exim4/conf.d/acl/00_exim4-config_header b/exim4/conf.d/acl/00_exim4-config_header new file mode 100644 index 0000000..76b017e --- /dev/null +++ b/exim4/conf.d/acl/00_exim4-config_header @@ -0,0 +1,8 @@ + +###################################################################### +# ACL CONFIGURATION # +# Specifies access control lists for incoming SMTP mail # +###################################################################### +begin acl + + diff --git a/exim4/conf.d/acl/20_exim4-config_local_deny_exceptions b/exim4/conf.d/acl/20_exim4-config_local_deny_exceptions new file mode 100644 index 0000000..2372795 --- /dev/null +++ b/exim4/conf.d/acl/20_exim4-config_local_deny_exceptions 
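Review bot: In 01update-ignore the branch that prints `etckeeper warning: can't find tempfile or mktemp` does not stop, so `file=$($tempfile)` then runs with `tempfile` unset and the rewrite carries on with an empty `$file`; 50vcs-uninit in this commit exits at the same point. Add `exit 1` after that `echo`. In the darcs branch of `ignore`, `printf %s $glob` expands the pattern unquoted, which exposes it to word splitting and pathname expansion in the working directory; `printf %s "$glob"` avoids that. As in 50vcs-uninit, the final `mv -f "$file" "$realfile"` gives the ignore file the temporary file's mode and owner.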
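Review bot: In 50vcs-cmd, `$VCS "$@"` runs whatever `$VCS` names as long as `which` finds it on PATH; nothing limits it to the git/hg/bzr/darcs set that 01update-ignore checks for, and the unquoted expansion is word-split. Where `VCS` is set is not visible in this hunk, so if it can arrive from the caller's environment rather than a root-owned configuration file, a guard such as `case "$VCS" in git|hg|bzr|darcs) ;; *) exit 1 ;; esac` before the call would be worth adding. Independently of that, quote the command as `"$VCS" "$@"` and prefer `command -v "$VCS" >/dev/null` to `which`.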
@@ -0,0 +1,49 @@
+
+### acl/20_exim4-config_local_deny_exceptions
+#################################
+
+# This is used to determine whitelisted senders and hosts.
+# It checks for CONFDIR/host_local_deny_exceptions and
+# CONFDIR/sender_local_deny_exceptions.
+#
+# It is meant to be used from some other acl entry.
+#
+# See exim4-config_files(5) for details.
+#
+# If the files do not exist, the white list never matches, which is
+# the desired behaviour.
+#
+# The old file names CONFDIR/local_host_whitelist and
+# CONFDIR/local_sender_whitelist will continue to be honored for a
+# transition period. Their use is deprecated.
+
+acl_local_deny_exceptions:
+ accept
+ hosts = ${if exists{CONFDIR/host_local_deny_exceptions}\
+ {CONFDIR/host_local_deny_exceptions}\
+ {}}
+ accept
+ senders = ${if exists{CONFDIR/sender_local_deny_exceptions}\
+ {CONFDIR/sender_local_deny_exceptions}\
+ {}}
+ accept
+ hosts = ${if exists{CONFDIR/local_host_whitelist}\
+ {CONFDIR/local_host_whitelist}\
+ {}}
+ accept
+ senders = ${if exists{CONFDIR/local_sender_whitelist}\
+ {CONFDIR/local_sender_whitelist}\
+ {}}
+
+ # This hook allows you to hook in your own ACLs without having to
+ # modify this file. If you do it like we suggest, you'll end up with
+ # a small performance penalty since there is an additional file being
+ # accessed. This doesn't happen if you leave the macro unset.
+ .ifdef LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
+ .include LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
+ .endif
+
+ # this is still supported for a transition period and is deprecated.
+ .ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
+ .include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
+ .endif
diff --git a/exim4/conf.d/acl/30_exim4-config_check_mail b/exim4/conf.d/acl/30_exim4-config_check_mail
new file mode 100644
index 0000000..7a6a3e7
--- /dev/null
+++ b/exim4/conf.d/acl/30_exim4-config_check_mail
@@ -0,0 +1,16 @@
+
+### acl/30_exim4-config_check_mail
+#################################
+
+# This access control list is used for every MAIL command in an incoming
+# SMTP message. The tests are run in order until the address is either
+# accepted or denied.
+#
+acl_check_mail:
+ .ifdef CHECK_MAIL_HELO_ISSUED
+ deny
+ message = no HELO given before MAIL command
+ condition = ${if def:sender_helo_name {no}{yes}}
+ .endif
+
+ accept
diff --git a/exim4/conf.d/acl/30_exim4-config_check_rcpt b/exim4/conf.d/acl/30_exim4-config_check_rcpt
new file mode 100644
index 0000000..4949587
--- /dev/null
+++ b/exim4/conf.d/acl/30_exim4-config_check_rcpt
@@ -0,0 +1,358 @@ + +### acl/30_exim4-config_check_rcpt +################################# + +# This access control list is used for every RCPT command in an incoming +# SMTP message. The tests are run in order until the address is either +# accepted or denied. +# +acl_check_rcpt: + + # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by + # testing for an empty sending host field. + accept + hosts = : + control = dkim_disable_verify + + # Do not try to verify DKIM signatures of incoming mail if DC_minimaldns + # or DISABLE_DKIM_VERIFY are set. +.ifdef DC_minimaldns + warn + control = dkim_disable_verify +.else +.ifdef DISABLE_DKIM_VERIFY + warn + control = dkim_disable_verify +.endif +.endif + + # The following section of the ACL is concerned with local parts that contain + # certain non-alphanumeric characters. Dots in unusual places are + # handled by this ACL as well. + # + # Non-alphanumeric characters other than dots are rarely found in genuine + # local parts, but are often tried by people looking to circumvent + # relaying restrictions. Therefore, although they are valid in local + # parts, these rules disallow certain non-alphanumeric characters, as + # a precaution. + # + # Empty components (two dots in a row) are not valid in RFC 2822, but Exim + # allows them because they have been encountered. (Consider local parts + # constructed as "firstinitial.secondinitial.familyname" when applied to + # a name without a second initial.) However, a local part starting + # with a dot or containing /../ can cause trouble if it is used as part of a + # file name (e.g. for a mailing list). This is also true for local parts that + # contain slashes. A pipe symbol can also be troublesome if the local part is + # incorporated unthinkingly into a shell command line. + # + # These ACL components will block recipient addresses that are valid + # from an RFC2822 point of view. We chose to have them blocked by + # default for security reasons. 
+ # + # If you feel that your site should have less strict recipient + # checking, please feel free to change the default values of the macros + # defined in main/01_exim4-config_listmacrosdefs or override them from a + # local configuration file. + # + # Two different rules are used. The first one has a quite strict + # default, and is applied to messages that are addressed to one of the + # local domains handled by this host. + + # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in + # main/01_exim4-config_listmacrosdefs: + # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?] + # This blocks local parts that begin with a dot or contain a quite + # broad range of non-alphanumeric characters. + .ifdef CHECK_RCPT_LOCAL_LOCALPARTS + deny + domains = +local_domains + local_parts = CHECK_RCPT_LOCAL_LOCALPARTS + message = restricted characters in address + .endif + + + # The second rule applies to all other domains, and its default is + # considerably less strict. + + # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in + # main/01_exim4-config_listmacrosdefs: + # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./ + + # It allows local users to send outgoing messages to sites + # that use slashes and vertical bars in their local parts. It blocks + # local parts that begin with a dot, slash, or vertical bar, but allows + # these characters within the local part. However, the sequence /../ is + # barred. The use of some other non-alphanumeric characters is blocked. + # Single quotes might probably be dangerous as well, but they're + # allowed by the default regexps to avoid rejecting mails to Ireland. + # The motivation here is to prevent local users (or local users' malware) + # from mounting certain kinds of attack on remote sites. 
+ .ifdef CHECK_RCPT_REMOTE_LOCALPARTS + deny + domains = !+local_domains + local_parts = CHECK_RCPT_REMOTE_LOCALPARTS + message = restricted characters in address + .endif + + + # Accept mail to postmaster in any local domain, regardless of the source, + # and without verifying the sender. + # + accept + .ifndef CHECK_RCPT_POSTMASTER + local_parts = postmaster + .else + local_parts = CHECK_RCPT_POSTMASTER + .endif + domains = +local_domains : +relay_to_domains + + + # Deny unless the sender address can be verified. + # + # This is disabled by default so that DNSless systems don't break. If + # your system can do DNS lookups without delay or cost, you might want + # to enable this feature. + # + # This feature does not work in smarthost and satellite setups as + # with these setups all domains pass verification. See spec.txt chapter + # 39.31 with the added information that a smarthost/satellite setup + # routes all non-local e-mail to the smarthost. + .ifdef CHECK_RCPT_VERIFY_SENDER + deny + message = Sender verification failed + !acl = acl_local_deny_exceptions + !verify = sender + .endif + + # Verify senders listed in local_sender_callout with a callout. + # + # In smarthost and satellite setups, this causes the callout to be + # done to the smarthost. Verification will thus only be reliable if the + # smarthost does reject illegal addresses in the SMTP dialog. + deny + !acl = acl_local_deny_exceptions + senders = ${if exists{CONFDIR/local_sender_callout}\ + {CONFDIR/local_sender_callout}\ + {}} + !verify = sender/callout + + + # Accept if the message comes from one of the hosts for which we are an + # outgoing relay. It is assumed that such hosts are most likely to be MUAs, + # so we set control=submission to make Exim treat the message as a + # submission. It will fix up various errors in the message, for example, the + # lack of a Date: header line. If you are actually relaying out out from + # MTAs, you may want to disable this. 
If you are handling both relaying from + # MTAs and submissions from MUAs you should probably split them into two + # lists, and handle them differently. + + # Recipient verification is omitted here, because in many cases the clients + # are dumb MUAs that don't cope well with SMTP error responses. If you are + # actually relaying out from MTAs, you should probably add recipient + # verification here. + + # Note that, by putting this test before any DNS black list checks, you will + # always accept from these hosts, even if they end up on a black list. The + # assumption is that they are your friends, and if they get onto black + # list, it is a mistake. + accept + hosts = +relay_from_hosts + control = submission/sender_retain + control = dkim_disable_verify + + + # Accept if the message arrived over an authenticated connection, from + # any host. Again, these messages are usually from MUAs, so recipient + # verification is omitted, and submission mode is set. And again, we do this + # check before any black list tests. + accept + authenticated = * + control = submission/sender_retain + control = dkim_disable_verify + + + # Insist that any other recipient address that we accept is either in one of + # our local domains, or is in a domain for which we explicitly allow + # relaying. Any other domain is rejected as being unacceptable for relaying. + require + message = relay not permitted + domains = +local_domains : +relay_to_domains + + + # We also require all accepted addresses to be verifiable. This check will + # do local part verification for local domains, but only check the domain + # for remote domains. + require + verify = recipient + + + # Verify recipients listed in local_rcpt_callout with a callout. + # This is especially handy for forwarding MX hosts (secondary MX or + # mail hubs) of domains that receive a lot of spam to non-existent + # addresses. 
The only way to check local parts for remote relay + # domains is to use a callout (add /callout), but please read the + # documentation about callouts before doing this. + deny + !acl = acl_local_deny_exceptions + recipients = ${if exists{CONFDIR/local_rcpt_callout}\ + {CONFDIR/local_rcpt_callout}\ + {}} + !verify = recipient/callout + + + # CONFDIR/local_sender_blacklist holds a list of envelope senders that + # should have their access denied to the local host. Incoming messages + # with one of these senders are rejected at RCPT time. + # + # The explicit white lists are honored as well as negative items in + # the black list. See exim4-config_files(5) for details. + deny + message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster + !acl = acl_local_deny_exceptions + senders = ${if exists{CONFDIR/local_sender_blacklist}\ + {CONFDIR/local_sender_blacklist}\ + {}} + + + # deny bad sites (IP address) + # CONFDIR/local_host_blacklist holds a list of host names, IP addresses + # and networks (CIDR notation) that should have their access denied to + # The local host. Messages coming in from a listed host will have all + # RCPT statements rejected. + # + # The explicit white lists are honored as well as negative items in + # the black list. See exim4-config_files(5) for details. + deny + message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster + !acl = acl_local_deny_exceptions + hosts = ${if exists{CONFDIR/local_host_blacklist}\ + {CONFDIR/local_host_blacklist}\ + {}} + + + # Warn if the sender host does not have valid reverse DNS. + # + # If your system can do DNS lookups without delay or cost, you might want + # to enable this. + # If sender_host_address is defined, it's a remote call. If + # sender_host_name is not defined, then reverse lookup failed. 
Use + # this instead of !verify = reverse_host_lookup to catch deferrals + # as well as outright failures. + .ifdef CHECK_RCPT_REVERSE_DNS + warn + condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\ + {yes}{no}} + add_header = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}}) + .endif + + + # Use spfquery to perform a pair of SPF checks (for details, see + # http://www.openspf.org/) + # + # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not + # enable if that's an issue. Also note that if you enable this, you must + # install "spf-tools-perl" which provides the spfquery command. + # Missing spf-tools-perl will trigger the "Unexpected error in + # SPF check" warning. + .ifdef CHECK_RCPT_SPF + deny + message = [SPF] $sender_host_address is not allowed to send mail from \ + ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \ + Please see \ + http://www.openspf.org/Why?scope=${if def:sender_address_domain \ + {mfrom}{helo}};identity=${if def:sender_address_domain \ + {$sender_address}{$sender_helo_name}};ip=$sender_host_address + log_message = SPF check failed. + !acl = acl_local_deny_exceptions + condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \ + ${quote:$sender_host_address} --identity \ + ${if def:sender_address_domain \ + {--scope mfrom --identity ${quote:$sender_address}}\ + {--scope helo --identity ${quote:$sender_helo_name}}}}\ + {no}{${if eq {$runrc}{1}{yes}{no}}}} + + defer + message = Temporary DNS error while checking SPF record. Try again later. 
+ !acl = acl_local_deny_exceptions + condition = ${if eq {$runrc}{5}{yes}{no}} + + warn + condition = ${if <={$runrc}{6}{yes}{no}} + add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\ + {${if eq {$runrc}{2}{softfail}\ + {${if eq {$runrc}{3}{neutral}\ + {${if eq {$runrc}{4}{permerror}\ + {${if eq {$runrc}{6}{none}{error}}}}}}}}}\ + } client-ip=$sender_host_address; \ + ${if def:sender_address_domain \ + {envelope-from=${sender_address}; }{}}\ + helo=$sender_helo_name + + warn + log_message = Unexpected error in SPF check. + condition = ${if >{$runrc}{6}{yes}{no}} + .endif + + + # Check against classic DNS "black" lists (DNSBLs) which list + # sender IP addresses + .ifdef CHECK_RCPT_IP_DNSBLS + warn + dnslists = CHECK_RCPT_IP_DNSBLS + add_header = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) + log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) + .endif + + + # Check against DNSBLs which list sender domains, with an option to locally + # whitelist certain domains that might be blacklisted. + # + # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append + # "/$sender_address_domain" after each domain. For example: + # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \ + # : rhsbl.bar.org/$sender_address_domain + .ifdef CHECK_RCPT_DOMAIN_DNSBLS + warn + !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\ + {CONFDIR/local_domain_dnsbl_whitelist}\ + {}} + dnslists = CHECK_RCPT_DOMAIN_DNSBLS + add_header = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) + log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) + .endif + + + # This hook allows you to hook in your own ACLs without having to + # modify this file. If you do it like we suggest, you'll end up with + # a small performance penalty since there is an additional file being + # accessed. 
This doesn't happen if you leave the macro unset. + .ifdef CHECK_RCPT_LOCAL_ACL_FILE + .include CHECK_RCPT_LOCAL_ACL_FILE + .endif + + + ############################################################################# + # This check is commented out because it is recognized that not every + # sysadmin will want to do it. If you enable it, the check performs + # Client SMTP Authorization (csa) checks on the sending host. These checks + # do DNS lookups for SRV records. The CSA proposal is currently (May 2005) + # an Internet draft. You can, of course, add additional conditions to this + # ACL statement to restrict the CSA checks to certain hosts only. + # + # require verify = csa + ############################################################################# + + + # Accept if the address is in a domain for which we are an incoming relay, + # but again, only if the recipient can be verified. + + accept + domains = +relay_to_domains + endpass + verify = recipient + + + # At this point, the address has passed all the checks that have been + # configured, so we accept it unconditionally. + + accept diff --git a/exim4/conf.d/acl/40_exim4-config_check_data b/exim4/conf.d/acl/40_exim4-config_check_data new file mode 100644 index 0000000..1b371d2 --- /dev/null +++ b/exim4/conf.d/acl/40_exim4-config_check_data 
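Review bot: In the `CHECK_RCPT_SPF` block the `warn` that adds `Received-SPF:` reads `$runrc`, but the only `${run{...}}` sits in the preceding `deny`, after `!acl = acl_local_deny_exceptions`. For a sender or host matched by that exception ACL the `deny` stops before its `condition` is expanded, so spfquery is presumably not run for that recipient, yet the `warn` is not gated the same way and still evaluates `$runrc`; if the variable is 0 at that point the added header would read `pass`. Putting `!acl = acl_local_deny_exceptions` ahead of the `condition` in that `warn`, and in the last `warn` that logs the unexpected-error case, keeps exempted mail from carrying an SPF result that was never computed. This only takes effect when `CHECK_RCPT_SPF` is defined, which this hunk does not show.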
@@ -0,0 +1,75 @@
+
+### acl/40_exim4-config_check_data
+#################################
+
+# This ACL is used after the contents of a message have been received. This
+# is the ACL in which you can test a message's headers or body, and in
+# particular, this is where you can invoke external virus or spam scanners.
+
+acl_check_data:
+
+ # Deny unless the address list headers are syntactically correct.
+ #
+ # If you enable this, you might reject legitimate mail.
+ .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX
+ deny
+ message = Message headers fail syntax check
+ !acl = acl_local_deny_exceptions
+ !verify = header_syntax
+ .endif
+
+
+ # require that there is a verifiable sender address in at least
+ # one of the "Sender:", "Reply-To:", or "From:" header lines.
+ .ifdef CHECK_DATA_VERIFY_HEADER_SENDER
+ deny
+ message = No verifiable sender address in message headers
+ !acl = acl_local_deny_exceptions
+ !verify = header_sender
+ .endif
+
+
+ # Deny if the message contains malware. Before enabling this check, you
+ # must install a virus scanner and set the av_scanner option in the
+ # main configuration.
+ #
+ # exim4-daemon-heavy must be used for this section to work.
+ #
+ # deny
+ # malware = *
+ # message = This message was detected as possible malware ($malware_name).
+
+
+ # Add headers to a message if it is judged to be spam. Before enabling this,
+ # you must install SpamAssassin. You also need to set the spamd_address
+ # option in the main configuration.
+ #
+ # exim4-daemon-heavy must be used for this section to work.
+ #
+ # Please note that this is only suiteable as an example. There are
+ # multiple issues with this configuration method. For example, if you go
+ # this way, you'll give your spamassassin daemon write access to the
+ # entire exim spool which might be a security issue in case of a
+ # spamassassin exploit.
+ #
+ # See the exim docs and the exim wiki for more suitable examples.
+ #
+ # warn
+ # spam = Debian-exim:true
+ # add_header = X-Spam_score: $spam_score\n\
+ # X-Spam_score_int: $spam_score_int\n\
+ # X-Spam_bar: $spam_bar\n\
+ # X-Spam_report: $spam_report
+
+
+ # This hook allows you to hook in your own ACLs without having to
+ # modify this file. If you do it like we suggest, you'll end up with
+ # a small performance penalty since there is an additional file being
+ # accessed. This doesn't happen if you leave the macro unset.
+ .ifdef CHECK_DATA_LOCAL_ACL_FILE
+ .include CHECK_DATA_LOCAL_ACL_FILE
+ .endif
+
+
+ # accept otherwise
+ accept
diff --git a/exim4/conf.d/auth/00_exim4-config_header b/exim4/conf.d/auth/00_exim4-config_header
new file mode 100644
index 0000000..c5f8fc1
--- /dev/null
+++ b/exim4/conf.d/auth/00_exim4-config_header
@@ -0,0 +1,8 @@
+
+######################################################################
+# AUTHENTICATION CONFIGURATION #
+######################################################################
+
+begin authenticators
+
+
diff --git a/exim4/conf.d/auth/30_exim4-config_examples b/exim4/conf.d/auth/30_exim4-config_examples
new file mode 100644
index 0000000..b3b1ce6
--- /dev/null
+++ b/exim4/conf.d/auth/30_exim4-config_examples
@@ -0,0 +1,254 @@ + +### auth/30_exim4-config_examples +################################# + +# The examples below are for server side authentication, when the +# local exim is SMTP server and clients authenticate to the local exim. + +# They allow two styles of plain-text authentication against an +# CONFDIR/passwd file whose syntax is described in exim4_passwd(5). + +# Hosts that are allowed to use AUTH are defined by the +# auth_advertise_hosts option in the main configuration. The default is +# "*", which allows authentication to all hosts over all kinds of +# connections if there is at least one authenticator defined here. +# Authenticators which rely on unencrypted clear text passwords don't +# advertise on unencrypted connections by default. Thus, it might be +# wise to set up TLS to allow encrypted connections. If TLS cannot be +# used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to +# advertise unencrypted clear text password based authenticators on all +# connections. As this is severely reducing security, using TLS is +# preferred over allowing clear text password based authenticators on +# unencrypted connections. + +# PLAIN authentication has no server prompts. The client sends its +# credentials in one lump, containing an authorization ID (which we do not +# use), an authentication ID, and a password. The latter two appear as +# $auth2 and $auth3 in the configuration and should be checked against a +# valid username and password. In a real configuration you would typically +# use $auth2 as a lookup key, and compare $auth3 against the result of the +# lookup, perhaps using the crypteq{}{} condition. 
+ +# plain_server: +# driver = plaintext +# public_name = PLAIN +# server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" +# server_set_id = $auth2 +# server_prompts = : +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# LOGIN authentication has traditional prompts and responses. There is no +# authorization ID in this mechanism, so unlike PLAIN the username and +# password are $auth1 and $auth2. Apart from that you can use the same +# server_condition setting for both authenticators. + +# login_server: +# driver = plaintext +# public_name = LOGIN +# server_prompts = "Username:: : Password::" +# server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif +# +# cram_md5_server: +# driver = cram_md5 +# public_name = CRAM-MD5 +# server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}} +# server_set_id = $auth1 + +# Here is an example of CRAM-MD5 authentication against PostgreSQL: +# +# psqldb_auth_server: +# driver = cram_md5 +# public_name = CRAM-MD5 +# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail} +# server_set_id = $auth1 + +# Authenticate against local passwords using sasl2-bin +# Requires exim_uid to be a member of sasl group, see README.Debian.gz +# plain_saslauthd_server: +# driver = plaintext +# public_name = PLAIN +# server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}} +# server_set_id = $auth2 +# server_prompts = : +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif +# +# login_saslauthd_server: +# driver = plaintext +# public_name = LOGIN +# server_prompts 
= "Username:: : Password::" +# # don't send system passwords over unencrypted connections +# server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}} +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif +# +# ntlm_sasl_server: +# driver = cyrus_sasl +# public_name = NTLM +# server_realm = +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif +# +# digest_md5_sasl_server: +# driver = cyrus_sasl +# public_name = DIGEST-MD5 +# server_realm = +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# Authentcate against cyrus-sasl +# This is mainly untested, please report any problems to +# pkg-exim4-users@lists.alioth.debian.org. +# cram_md5_sasl_server: +# driver = cyrus_sasl +# public_name = CRAM-MD5 +# server_realm = +# server_set_id = $auth1 +# +# plain_sasl_server: +# driver = cyrus_sasl +# public_name = PLAIN +# server_realm = +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif +# +# login_sasl_server: +# driver = cyrus_sasl +# public_name = LOGIN +# server_realm = +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# Authenticate against courier authdaemon + +# This is now the (working!) example from +# http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730 +# Possible pitfall: access rights on /var/run/courier/authdaemon/socket. 
+# plain_courier_authdaemon: +# driver = plaintext +# public_name = PLAIN +# server_condition = \ +# ${extract {ADDRESS} \ +# {${readsocket{/var/run/courier/authdaemon/socket} \ +# {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \ +# {yes} \ +# fail} +# server_set_id = $auth2 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# login_courier_authdaemon: +# driver = plaintext +# public_name = LOGIN +# server_prompts = Username:: : Password:: +# server_condition = \ +# ${extract {ADDRESS} \ +# {${readsocket{/var/run/courier/authdaemon/socket} \ +# {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \ +# {yes} \ +# fail} +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# This one is a bad hack to support the broken version 4.xx of +# Microsoft Outlook Express which violates the RFCs by demanding +# "250-AUTH=" instead of "250-AUTH ". +# If your list of offered authenticators is other than PLAIN and LOGIN, +# you need to adapt the public_name line manually. +# It has to be the last authenticator to work and has not been tested +# well. Use at your own risk. +# See the thread entry point from +# http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html +# for the related discussion on the exim-users mailing list. +# Thanks to Fred Viles for this great work. + +# support_broken_outlook_express_4_server: +# driver = plaintext +# public_name = "\r\n250-AUTH=PLAIN LOGIN" +# server_prompts = User Name : Password +# server_condition = no +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +############## +# See /usr/share/doc/exim4-base/README.Debian.gz +############## + +# These examples below are the equivalent for client side authentication. 
+# They get the passwords from CONFDIR/passwd.client, whose format is +# defined in exim4_passwd_client(5) + +# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we +# only allow these mechanisms over encrypted connections by default. +# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted +# clear text password authentication on all connections. + +cram_md5: + driver = cram_md5 + public_name = CRAM-MD5 + client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}} + client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}} + +# this returns the matching line from passwd.client and doubles all ^ +PASSWDLINE=${sg{\ + ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\ + }\ + {\\N[\\^]\\N}\ + {^^}\ + } + +plain: + driver = plaintext + public_name = PLAIN +.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS + client_send = "<; ${if !eq{$tls_out_cipher}{}\ + {^${extract{1}{:}{PASSWDLINE}}\ + ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\ + }fail}" +.else + client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\ + ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" +.endif + +login: + driver = plaintext + public_name = LOGIN +.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS + # Return empty string if not non-TLS AND looking up $host in passwd-file + # yields a non-empty string; fail otherwise. + client_send = "<; ${if and{\ + {!eq{$tls_out_cipher}{}}\ + {!eq{PASSWDLINE}{}}\ + }\ + {}fail}\ + ; ${extract{1}{::}{PASSWDLINE}}\ + ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" +.else + # Return empty string if looking up $host in passwd-file yields a + # non-empty string; fail otherwise. + client_send = "<; ${if !eq{PASSWDLINE}{}\ + {}fail}\ + ; ${extract{1}{::}{PASSWDLINE}}\ + ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" +.endif diff --git a/exim4/conf.d/main/01_exim4-config_listmacrosdefs b/exim4/conf.d/main/01_exim4-config_listmacrosdefs new file mode 100644 index 0000000..8e51605 
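Review bot: The active `cram_md5` client authenticator carries no TLS condition, while `plain` and `login` below it refuse to send unless `$tls_out_cipher` is set (absent `AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS`). CRAM-MD5 keeps the password itself off the wire, but on an unencrypted connection the exchange can be recorded and checked against guesses offline, and the secret has to be stored in clear in `CONFDIR/passwd.client`. If outgoing authentication is meant to happen only over TLS, wrap `client_secret` in the guard the other two already use, `${if !eq{$tls_out_cipher}{}{…}fail}`, or remove the authenticator. Because this commit places the configuration directory under version control, it is also worth confirming that `passwd.client` is either excluded or that the repository is as restricted as the file; neither is visible in this hunk.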
--- /dev/null +++ b/exim4/conf.d/main/01_exim4-config_listmacrosdefs 
@@ -0,0 +1,100 @@ +###################################################################### +# Runtime configuration file for Exim 4 (Debian Packaging) # +###################################################################### + +###################################################################### +# /etc/exim4/exim4.conf.template is only used with the non-split +# configuration scheme. +# /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs is only used +# with the split configuration scheme. +# If you find this comment anywhere else, somebody copied it there. +# Documentation about the Debian exim4 configuration scheme can be +# found in /usr/share/doc/exim4-base/README.Debian.gz. +###################################################################### + +###################################################################### +# MAIN CONFIGURATION SETTINGS # +###################################################################### + +# Just for reference and scripts. +# On Debian systems, the main binary is installed as exim4 to avoid +# conflicts with the exim 3 packages. +exim_path = /usr/sbin/exim4 + +# Macro defining the main configuration directory. +# We do not use absolute paths. +.ifndef CONFDIR +CONFDIR = /etc/exim4 +.endif + +# debconf-driven macro definitions get inserted after this line +UPEX4CmacrosUPEX4C = 1 + +# Create domain and host lists for relay control +# '@' refers to 'the name of the local host' + +# List of domains considered local for exim. Domains not listed here +# need to be deliverable remotely. +domainlist local_domains = MAIN_LOCAL_DOMAINS + +# List of recipient domains to relay _to_. Use this list if you're - +# for example - fallback MX or mail gateway for domains. +domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS + +# List of sender networks (IP addresses) to _unconditionally_ relay +# _for_. If you intend to be SMTP AUTH server, you do not need to enter +# anything here. 
+hostlist relay_from_hosts = MAIN_RELAY_NETS + + +# Decide which domain to use to add to all unqualified addresses. +# If MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN is defined, the primary +# hostname is used. If not, but MAIN_QUALIFY_DOMAIN is set, the value +# of MAIN_QUALIFY_DOMAIN is used. If both macros are not defined, +# the first line of /etc/mailname is used. +.ifndef MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN +.ifndef MAIN_QUALIFY_DOMAIN +qualify_domain = ETC_MAILNAME +.else +qualify_domain = MAIN_QUALIFY_DOMAIN +.endif +.endif + +# listen on all all interfaces? +.ifdef MAIN_LOCAL_INTERFACES +local_interfaces = MAIN_LOCAL_INTERFACES +.endif + +.ifndef LOCAL_DELIVERY +# The default transport, set in /etc/exim4/update-exim4.conf.conf, +# defaulting to mail_spool. See CONFDIR/conf.d/transport/ for possibilities +LOCAL_DELIVERY=mail_spool +.endif + +# The gecos field in /etc/passwd holds not only the name. see passwd(5). +gecos_pattern = ^([^,:]*) +gecos_name = $1 + +# define macros to be used in acl/30_exim4-config_check_rcpt to check +# recipient local parts for strange characters. + +# This macro definition really should be in +# acl/30_exim4-config_check_rcpt but cannot be there due to +# http://www.exim.org/bugzilla/show_bug.cgi?id=101 as of exim 4.62. + +# These macros are documented in acl/30_exim4-config_check_rcpt, +# can be changed here or overridden by a locally added configuration +# file as described in README.Debian chapter 2.1.2 + +.ifndef CHECK_RCPT_LOCAL_LOCALPARTS +CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?] +.endif + +.ifndef CHECK_RCPT_REMOTE_LOCALPARTS +CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./ +.endif + +# always log tls_peerdn as we use TLS for outgoing connects by default +.ifndef MAIN_LOG_SELECTOR +MAIN_LOG_SELECTOR = +tls_peerdn +.endif diff --git a/exim4/conf.d/main/02_exim4-config_options b/exim4/conf.d/main/02_exim4-config_options new file mode 100644 index 0000000..cae5e9b --- /dev/null 
+++ b/exim4/conf.d/main/02_exim4-config_options 
@@ -0,0 +1,200 @@ + +### main/02_exim4-config_options +################################# + + +# Defines the access control list that is run when an +# SMTP MAIL command is received. +# +.ifndef MAIN_ACL_CHECK_MAIL +MAIN_ACL_CHECK_MAIL = acl_check_mail +.endif +acl_smtp_mail = MAIN_ACL_CHECK_MAIL + + +# Defines the access control list that is run when an +# SMTP RCPT command is received. +# +.ifndef MAIN_ACL_CHECK_RCPT +MAIN_ACL_CHECK_RCPT = acl_check_rcpt +.endif +acl_smtp_rcpt = MAIN_ACL_CHECK_RCPT + + +# Defines the access control list that is run when an +# SMTP DATA command is received. +# +.ifndef MAIN_ACL_CHECK_DATA +MAIN_ACL_CHECK_DATA = acl_check_data +.endif +acl_smtp_data = MAIN_ACL_CHECK_DATA + + +# Message size limit. The default (used when MESSAGE_SIZE_LIMIT +# is unset) is 50 MB +.ifdef MESSAGE_SIZE_LIMIT +message_size_limit = MESSAGE_SIZE_LIMIT +.endif + + +# If you are running exim4-daemon-heavy or a custom version of Exim that +# was compiled with the content-scanning extension, you can cause incoming +# messages to be automatically scanned for viruses. You have to modify the +# configuration in two places to set this up. The first of them is here, +# where you define the interface to your scanner. This example is typical +# for ClamAV; see the manual for details of what to set for other virus +# scanners. The second modification is in the acl_check_data access +# control list. + +# av_scanner = clamd:/var/run/clamav/clamd.ctl + + +# For spam scanning, there is a similar option that defines the interface to +# SpamAssassin. You do not need to set this if you are using the default, which +# is shown in this commented example. As for virus scanning, you must also +# modify the acl_check_data access control list to enable spam scanning. + +# spamd_address = 127.0.0.1 783 + +# Domain used to qualify unqualified recipient addresses +# If this option is not set, the qualify_domain value is used. 
+# qualify_recipient = + + +# Allow Exim to recognize addresses of the form "user@[10.11.12.13]", +# where the domain part is a "domain literal" (an IP address) instead +# of a named domain. The RFCs require this facility, but it is disabled +# in the default config since it is seldomly used and frequently abused. +# Domain literal support also needs a special router, which is automatically +# enabled if you use the enable macro MAIN_ALLOW_DOMAIN_LITERALS. +# Additionally, you might want to make your local IP addresses (or @[]) +# local domains. +.ifdef MAIN_ALLOW_DOMAIN_LITERALS +allow_domain_literals +.endif + + +# Do a reverse DNS lookup on all incoming IP calls, in order to get the +# true host name. If you feel this is too expensive, the networks for +# which a lookup is done can be listed here. +.ifndef DC_minimaldns +.ifndef MAIN_HOST_LOOKUP +MAIN_HOST_LOOKUP = * +.endif +host_lookup = MAIN_HOST_LOOKUP +.endif + + +# In a minimaldns setup, update-exim4.conf guesses the hostname and +# dumps it here to avoid DNS lookups being done at Exim run time. +.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME +primary_hostname = MAIN_HARDCODE_PRIMARY_HOSTNAME +.endif + +# The settings below, which are actually the same as the defaults in the +# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP +# calls. You can limit the hosts to which these calls are made, and/or change +# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls +# are disabled. RFC 1413 calls are cheap and can provide useful information +# for tracing problem messages, but some hosts and firewalls are +# misconfigured to drop the requests instead of either answering or +# rejecting them. This can result in a timeout instead of an immediate refused +# connection, leading to delays on starting up SMTP sessions. (The default was +# reduced from 30s to 5s for release 4.61.) 
+# rfc1413_hosts = * +# rfc1413_query_timeout = 5s + +# When using an external relay tester (such as rt.njabl.org and/or the +# currently defunct relay-test.mail-abuse.org, the test may be aborted +# since exim complains about "too many nonmail commands". If you want +# the test to complete, add the host from where "your" relay tester +# connects from to the MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS macro. +# Please note that a non-empty setting may cause extra DNS lookups to +# happen, which is the reason why this option is commented out in the +# default settings. +# MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS = !rt.njabl.org +.ifdef MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS +smtp_accept_max_nonmail_hosts = MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS +.endif + +# By default, exim forces a Sender: header containing the local +# account name at the local host name in all locally submitted messages +# that don't have the local account name at the local host name in the +# 
From: header, deletes any Sender: header present in the submitted +# message and forces the envelope sender of all locally submitted +# messages to the local account name at the local host name. +# The following settings allow local users to specify their own envelope sender +# in a locally submitted message. Sender: headers existing in a locally +# submitted message are not removed, and no automatic Sender: headers +# are added. These settings are fine for most hosts. +# If you run exim on a classical multi-user systems where all users +# have local mailboxes that can be reached via SMTP from the Internet +# with the local FQDN as the domain part of the address, you might want +# to disable the following three lines for traceability reasons. +.ifndef MAIN_FORCE_SENDER +local_from_check = false +local_sender_retain = true +untrusted_set_sender = * +.endif + + +# By default, Exim expects all envelope addresses to be fully qualified, that +# is, they must contain both a local part and a domain. Configure exim +# to accept unqualified addresses from certain hosts. When this is done, +# unqualified addresses are qualified using the settings of qualify_domain +# and/or qualify_recipient (see above). +# sender_unqualified_hosts = +# recipient_unqualified_hosts = + + +# Configure Exim to support the "percent hack" for certain domains. +# The "percent hack" is the feature by which mail addressed to x%y@z +# (where z is one of the domains listed) is locally rerouted to x@y +# and sent on. If z is not one of the "percent hack" domains, x%y is +# treated as an ordinary local part. The percent hack is rarely needed +# nowadays but frequently abused. You should not enable it unless you +# are sure that you really need it. 
+# percent_hack_domains = + + +# Bounce handling +.ifndef MAIN_IGNORE_BOUNCE_ERRORS_AFTER +MAIN_IGNORE_BOUNCE_ERRORS_AFTER = 2d +.endif +ignore_bounce_errors_after = MAIN_IGNORE_BOUNCE_ERRORS_AFTER + +.ifndef MAIN_TIMEOUT_FROZEN_AFTER +MAIN_TIMEOUT_FROZEN_AFTER = 7d +.endif +timeout_frozen_after = MAIN_TIMEOUT_FROZEN_AFTER + +.ifndef MAIN_FREEZE_TELL +MAIN_FREEZE_TELL = postmaster +.endif +freeze_tell = MAIN_FREEZE_TELL + + +# Define spool directory +.ifndef SPOOLDIR +SPOOLDIR = /var/spool/exim4 +.endif +spool_directory = SPOOLDIR + + +# trusted users can set envelope-from to arbitrary values +.ifndef MAIN_TRUSTED_USERS +MAIN_TRUSTED_USERS = uucp +.endif +trusted_users = MAIN_TRUSTED_USERS +.ifdef MAIN_TRUSTED_GROUPS +trusted_groups = MAIN_TRUSTED_GROUPS +.endif + + +# users in admin group can do many other things +# admin_groups = + + +# SMTP Banner. The example includes the Debian version in the SMTP dialog +# MAIN_SMTP_BANNER = "${primary_hostname} ESMTP Exim ${version_number} (Debian package MAIN_PACKAGE_VERSION) ${tod_full}" +# smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full diff --git a/exim4/conf.d/main/03_exim4-config_tlsoptions b/exim4/conf.d/main/03_exim4-config_tlsoptions new file mode 100644 index 0000000..3f40c59 --- /dev/null +++ b/exim4/conf.d/main/03_exim4-config_tlsoptions 
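Review bot: The `.ifndef MAIN_FORCE_SENDER` block in main/02_exim4-config_options sets `untrusted_set_sender = *` together with `local_from_check = false` and `local_sender_retain = true`, so any local account can submit mail with an arbitrary envelope sender and no Sender: header records who actually sent it. The file's own comment recommends disabling these three lines where traceability matters. If this host has more than one local account or runs services that send mail, define the macro in a locally added macro file instead of editing the block, e.g. `MAIN_FORCE_SENDER = 1` (the value is a placeholder, since the block only tests whether the macro is defined). Whether that applies to this machine cannot be told from the commit.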
@@ -0,0 +1,78 @@ + +### main/03_exim4-config_tlsoptions +################################# + +# TLS/SSL configuration for exim as an SMTP server. +# See /usr/share/doc/exim4-base/README.Debian.gz for explanations. + +.ifdef MAIN_TLS_ENABLE +# Defines what hosts to 'advertise' STARTTLS functionality to. The +# default, *, will advertise to all hosts that connect with EHLO. +.ifndef MAIN_TLS_ADVERTISE_HOSTS +MAIN_TLS_ADVERTISE_HOSTS = * +.endif +tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS + + +# Full paths to Certificate and Private Key. The Private Key file +# must be kept 'secret' and should be owned by root.Debian-exim mode +# 640 (-rw-r-----). exim-gencert takes care of these prerequisites. +# Normally, exim4 looks for certificate and key in different files: +# MAIN_TLS_CERTIFICATE - path to certificate file, +# CONFDIR/exim.crt if unset +# MAIN_TLS_PRIVATEKEY - path to private key file +# CONFDIR/exim.key if unset +# You can also configure exim to look for certificate and key in the +# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes +# precedence over all other settings regarding certificate and key file. +.ifdef MAIN_TLS_CERTKEY +tls_certificate = MAIN_TLS_CERTKEY +.else +.ifndef MAIN_TLS_CERTIFICATE +MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt +.endif +tls_certificate = MAIN_TLS_CERTIFICATE + +.ifndef MAIN_TLS_PRIVATEKEY +MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key +.endif +tls_privatekey = MAIN_TLS_PRIVATEKEY +.endif + +# Pointer to the CA Certificates against which client certificates are +# checked. This is controlled by the `tls_verify_hosts' and +# `tls_try_verify_hosts' lists below. +# If you want to check server certificates, you need to add an +# tls_verify_certificates statement to the smtp transport. +# /etc/ssl/certs/ca-certificates.crt is generated by +# the "ca-certificates" package's update-ca-certificates(8) command. 
+.ifndef MAIN_TLS_VERIFY_CERTIFICATES +MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\ + {/etc/ssl/certs/ca-certificates.crt}\ + {/dev/null}} +.endif +tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES + + +# A list of hosts which are constrained by `tls_verify_certificates'. A host +# that matches `tls_verify_host' must present a certificate that is +# verifyable through `tls_verify_certificates' in order to be accepted as an +# SMTP client. If it does not, the connection is aborted. +.ifdef MAIN_TLS_VERIFY_HOSTS +tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS +.endif + +# A weaker form of checking: if a client matches `tls_try_verify_hosts' (but +# not `tls_verify_hosts'), request a certificate and check it against +# `tls_verify_certificates' but do not abort the connection if there is no +# certificate or if the certificate presented does not match. (This +# condition can be tested for in ACLs through `verify = certificate') +# By default, this check is done for all hosts. It is known that some +# clients (including incredimail's version downloadable in February +# 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an +# empty value. +.ifdef MAIN_TLS_TRY_VERIFY_HOSTS +tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS +.endif + +.endif diff --git a/exim4/conf.d/main/90_exim4-config_log_selector b/exim4/conf.d/main/90_exim4-config_log_selector new file mode 100644 index 0000000..685c404 --- /dev/null +++ b/exim4/conf.d/main/90_exim4-config_log_selector @@ -0,0 +1,10 @@ + +### main/90_exim4-config_log_selector +################################# + +# uncomment this for debugging +# MAIN_LOG_SELECTOR == MAIN_LOG_SELECTOR +all -subject -arguments + +.ifdef MAIN_LOG_SELECTOR +log_selector = MAIN_LOG_SELECTOR +.endif diff --git a/exim4/conf.d/retry/00_exim4-config_header b/exim4/conf.d/retry/00_exim4-config_header new file mode 100644 index 0000000..e2bb4a4 --- /dev/null +++ b/exim4/conf.d/retry/00_exim4-config_header 
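Review bot: main/03_exim4-config_tlsoptions sets certificate paths and verification lists but never sets `tls_require_ciphers`, so protocol versions and cipher suites are left to the TLS library's defaults. Following the pattern of the other options in this file, a guarded setting could be added using a new macro (the name here is a proposal, not an existing one): `.ifdef MAIN_TLS_REQUIRE_CIPHERS`, `tls_require_ciphers = MAIN_TLS_REQUIRE_CIPHERS`, `.endif`. Separately, MAIN_TLS_VERIFY_CERTIFICATES falls back to `/dev/null` when /etc/ssl/certs/ca-certificates.crt is missing, which presumably makes every client certificate fail verification without any log hint from the config. A comment next to the fallback such as `# /dev/null = empty trust store: no client certificate will verify` would make that explicit.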
@@ -0,0 +1,7 @@ + +###################################################################### +# RETRY CONFIGURATION # +###################################################################### + +begin retry + diff --git a/exim4/conf.d/retry/30_exim4-config b/exim4/conf.d/retry/30_exim4-config new file mode 100644 index 0000000..52b002f --- /dev/null +++ b/exim4/conf.d/retry/30_exim4-config @@ -0,0 +1,19 @@ + +### retry/30_exim4-config +################################# + +# This single retry rule applies to all domains and all errors. It specifies +# retries every 15 minutes for 2 hours, then increasing retry intervals, +# starting at 1 hour and increasing each time by a factor of 1.5, up to 16 +# hours, then retries every 6 hours until 4 days have passed since the first +# failed delivery. + +# Please note that these rules only limit the frequency of retries, the +# effective retry-time depends on the frequency of queue-running, too. +# See QUEUEINTERVAL in /etc/default/exim4. + +# Address or Domain Error Retries +# ----------------- ----- ------- + +* * F,2h,15m; G,16h,1h,1.5; F,4d,6h + diff --git a/exim4/conf.d/rewrite/00_exim4-config_header b/exim4/conf.d/rewrite/00_exim4-config_header new file mode 100644 index 0000000..a32db17 --- /dev/null +++ b/exim4/conf.d/rewrite/00_exim4-config_header @@ -0,0 +1,7 @@ + +###################################################################### +# REWRITE CONFIGURATION # +###################################################################### + +begin rewrite + diff --git a/exim4/conf.d/rewrite/31_exim4-config_rewriting b/exim4/conf.d/rewrite/31_exim4-config_rewriting new file mode 100644 index 0000000..b11b797 --- /dev/null +++ b/exim4/conf.d/rewrite/31_exim4-config_rewriting 
@@ -0,0 +1,16 @@ + +### rewrite/31_exim4-config_rewriting +################################# + +# This rewriting rule is particularily useful for dialup users who +# don't have their own domain, but could be useful for anyone. +# It looks up the real address of all local users in a file +.ifndef NO_EAA_REWRITE_REWRITE +*@+local_domains "${lookup{${local_part}}lsearch{/etc/email-addresses}\ + {$value}fail}" Ffrs +# identical rewriting rule for /etc/mailname +*@ETC_MAILNAME "${lookup{${local_part}}lsearch{/etc/email-addresses}\ + {$value}fail}" Ffrs +.endif + + diff --git a/exim4/conf.d/router/00_exim4-config_header b/exim4/conf.d/router/00_exim4-config_header new file mode 100644 index 0000000..531e21f --- /dev/null +++ b/exim4/conf.d/router/00_exim4-config_header @@ -0,0 +1,11 @@ + +###################################################################### +# ROUTERS CONFIGURATION # +# Specifies how addresses are handled # +###################################################################### +# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! # +# An address is passed to each router in turn until it is accepted. # +###################################################################### + +begin routers + diff --git a/exim4/conf.d/router/100_exim4-config_domain_literal b/exim4/conf.d/router/100_exim4-config_domain_literal new file mode 100644 index 0000000..244b479 --- /dev/null +++ b/exim4/conf.d/router/100_exim4-config_domain_literal 
@@ -0,0 +1,18 @@ + +### router/100_exim4-config_domain_literal +################################# + +# This router handles e-mail addresses in "domain literal" form like +# . The RFCs require this facility, but it is disabled +# in the default config since it is seldomly used and frequently abused. +# Domain literal support also needs to be enabled in the main config, +# which is automatically done if you use the enable macro +# MAIN_ALLOW_DOMAIN_LITERALS. + +.ifdef MAIN_ALLOW_DOMAIN_LITERALS +domain_literal: + debug_print = "R: domain_literal for $local_part@$domain" + driver = ipliteral + domains = ! +local_domains + transport = remote_smtp +.endif diff --git a/exim4/conf.d/router/150_exim4-config_hubbed_hosts b/exim4/conf.d/router/150_exim4-config_hubbed_hosts new file mode 100644 index 0000000..a0fcb26 --- /dev/null +++ b/exim4/conf.d/router/150_exim4-config_hubbed_hosts @@ -0,0 +1,18 @@ + +# router/150_exim4-config_hubbed_hosts +################################# + +# route specific domains manually. +# +# see exim4-config_files(5) and spec.txt chapter 20.3 through 20.7 for +# more detailed documentation. + +hubbed_hosts: + debug_print = "R: hubbed_hosts for $domain" + driver = manualroute + domains = "${if exists{CONFDIR/hubbed_hosts}\ + {partial-lsearch;CONFDIR/hubbed_hosts}\ + fail}" + same_domain_copy_routing = yes + route_data = ${lookup{$domain}partial-lsearch{CONFDIR/hubbed_hosts}} + transport = remote_smtp diff --git a/exim4/conf.d/router/200_exim4-config_primary b/exim4/conf.d/router/200_exim4-config_primary new file mode 100644 index 0000000..7681d91 --- /dev/null +++ b/exim4/conf.d/router/200_exim4-config_primary 
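Review bot: The `domain_literal` router in router/100_exim4-config_domain_literal passes every non-local IP-literal address to `remote_smtp` without an `ignore_target_hosts` setting, so once MAIN_ALLOW_DOMAIN_LITERALS is defined, mail addressed to a literal loopback or private address is routed to it. The `dnslookup` router in router/200_exim4-config_primary filters exactly those ranges, and the same list fits here: `ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 : 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 : 255.255.255.255`. The router is disabled by default, so this matters only if the macro is ever enabled on this host.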
@@ -0,0 +1,90 @@ + +### router/200_exim4-config_primary +################################# +# This file holds the primary router, responsible for nonlocal mails + +.ifdef DCconfig_internet +# configtype=internet +# +# deliver mail to the recipient if recipient domain is a domain we +# relay for. We do not ignore any target hosts here since delivering to +# a site local or even a link local address might be wanted here, and if +# such an address has found its way into the MX record of such a domain, +# the local admin is probably in a place where that broken MX record +# could be fixed. + +dnslookup_relay_to_domains: + debug_print = "R: dnslookup_relay_to_domains for $local_part@$domain" + driver = dnslookup + domains = ! +local_domains : +relay_to_domains + transport = remote_smtp + same_domain_copy_routing = yes + no_more + +# deliver mail directly to the recipient. This router is only reached +# for domains that we do not relay for. Since we most probably can't +# have broken MX records pointing to site local or link local IP +# addresses fixed, we ignore target hosts pointing to these addresses. + +dnslookup: + debug_print = "R: dnslookup for $local_part@$domain" + driver = dnslookup + domains = ! +local_domains + transport = remote_smtp + same_domain_copy_routing = yes + # ignore private rfc1918 and APIPA addresses + ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\ + 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\ + 255.255.255.255 + no_more + +.endif + + +.ifdef DCconfig_local +# configtype=local +# +# Stand-alone system, so generate an error for mail to a non-local domain +nonlocal: + debug_print = "R: nonlocal for $local_part@$domain" + driver = redirect + domains = ! +local_domains + allow_fail + data = :fail: Mailing to remote domains not supported + no_more + +.endif + + +.ifdef DCconfig_smarthost DCconfig_satellite +# configtype=smarthost or configtype=satellite +# +# Send all non-local mail to a single other machine (smarthost). 
+# +# This means _ALL_ non-local mail goes to the smarthost. This will most +# probably not do what you want for domains that are listed in +# relay_domains. The most typical use for relay_domains is to control +# relaying for incoming e-mail on secondary MX hosts. In that case, +# it doesn't make sense to send the mail to the smarthost since the +# smarthost will probably send the message right back here, causing a +# loop. +# +# If you want to use a smarthost while being secondary MX for some +# domains, you'll need to copy the dnslookup_relay_to_domains router +# here so that mail to relay_domains is handled separately. + +smarthost: + debug_print = "R: smarthost for $local_part@$domain" + driver = manualroute + domains = ! +local_domains + transport = remote_smtp_smarthost + route_list = * DCsmarthost byname + host_find_failed = ignore + same_domain_copy_routing = yes + no_more + +.endif + + +# The "no_more" above means that all later routers are for +# domains in the local_domains list, i.e. just like Exim 3 directors. diff --git a/exim4/conf.d/router/300_exim4-config_real_local b/exim4/conf.d/router/300_exim4-config_real_local new file mode 100644 index 0000000..34ea282 --- /dev/null +++ b/exim4/conf.d/router/300_exim4-config_real_local @@ -0,0 +1,22 @@ + +### router/300_exim4-config_real_local +################################# + +# This router allows reaching a local user while avoiding local +# processing. This can be used to inform a user of a broken .forward +# file, for example. The userforward router does this. + +COND_LOCAL_SUBMITTER = "\ + ${if match_ip{$sender_host_address}{:@[]}\ + {1}{0}\ + }" + +real_local: + debug_print = "R: real_local for $local_part@$domain" + driver = accept + domains = +local_domains + condition = COND_LOCAL_SUBMITTER + local_part_prefix = real- + check_local_user + transport = LOCAL_DELIVERY + 
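Review bot: `ignore_target_hosts` in the `dnslookup` router of router/200_exim4-config_primary lists only IPv4 ranges, so an MX record that resolves to IPv6 loopback, link-local or unique-local addresses is not filtered the way its IPv4 equivalents are. If this host has IPv6 connectivity, extend the list; because IPv6 addresses contain colons, change the list separator first, e.g. `ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 192.168.0.0/16 ; 172.16.0.0/12 ; 10.0.0.0/8 ; 169.254.0.0/16 ; 255.255.255.255 ; ::1 ; fe80::/10 ; fc00::/7`. As a documentation point, the smarthost comments refer to `relay_domains`, while the list defined in main/01_exim4-config_listmacrosdefs is `relay_to_domains`.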
diff --git a/exim4/conf.d/router/400_exim4-config_system_aliases b/exim4/conf.d/router/400_exim4-config_system_aliases new file mode 100644 index 0000000..f5f5f1c --- /dev/null +++ b/exim4/conf.d/router/400_exim4-config_system_aliases @@ -0,0 +1,44 @@ + +### router/400_exim4-config_system_aliases +################################# + +# This router handles aliasing using a traditional /etc/aliases file. +# +##### NB You must ensure that /etc/aliases exists. It used to be the case +##### NB that every Unix had that file, because it was the Sendmail default. +##### NB These days, there are systems that don't have it. Your aliases +##### NB file should at least contain an alias for "postmaster". +# +# This router handles the local part in a case-insensitive way which +# satisfies the RFCs requirement that postmaster be reachable regardless +# of case. If you decide to handle /etc/aliases in a caseful way, you +# need to make arrangements for a caseless postmaster. +# +# Delivery to arbitrary directories, files, and piping to programs in +# /etc/aliases is disabled per default. +# If that is a problem for you, see +# /usr/share/doc/exim4-base/README.Debian.gz +# for explanation and some workarounds. + +system_aliases: + debug_print = "R: system_aliases for $local_part@$domain" + driver = redirect + domains = +local_domains + allow_fail + allow_defer + data = ${lookup{$local_part}lsearch{/etc/aliases}} + .ifdef SYSTEM_ALIASES_USER + user = SYSTEM_ALIASES_USER + .endif + .ifdef SYSTEM_ALIASES_GROUP + group = SYSTEM_ALIASES_GROUP + .endif + .ifdef SYSTEM_ALIASES_FILE_TRANSPORT + file_transport = SYSTEM_ALIASES_FILE_TRANSPORT + .endif + .ifdef SYSTEM_ALIASES_PIPE_TRANSPORT + pipe_transport = SYSTEM_ALIASES_PIPE_TRANSPORT + .endif + .ifdef SYSTEM_ALIASES_DIRECTORY_TRANSPORT + directory_transport = SYSTEM_ALIASES_DIRECTORY_TRANSPORT + .endif 
diff --git a/exim4/conf.d/router/500_exim4-config_hubuser b/exim4/conf.d/router/500_exim4-config_hubuser new file mode 100644 index 0000000..01a4c94 --- /dev/null +++ b/exim4/conf.d/router/500_exim4-config_hubuser @@ -0,0 +1,31 @@ + +### router/500_exim4-config_hubuser +################################# + +.ifdef DCconfig_satellite +# This router is only used for configtype=satellite. +# It takes care to route all mail targetted to +# to the host where we read our mail +# +hub_user: + debug_print = "R: hub_user for $local_part@$domain" + driver = redirect + domains = +local_domains + data = ${local_part}@DCreadhost + check_local_user + +# Grab the redirected mail and deliver it. +# This is a duplicate of the smarthost router, needed because +# DCreadhost might end up as part of +local_domains +hub_user_smarthost: + debug_print = "R: hub_user_smarthost for $local_part@$domain" + driver = manualroute + domains = DCreadhost + transport = remote_smtp_smarthost + route_list = * DCsmarthost byname + host_find_failed = ignore + same_domain_copy_routing = yes + check_local_user +.endif + + diff --git a/exim4/conf.d/router/600_exim4-config_userforward b/exim4/conf.d/router/600_exim4-config_userforward new file mode 100644 index 0000000..59259ca --- /dev/null +++ b/exim4/conf.d/router/600_exim4-config_userforward 
@@ -0,0 +1,51 @@ + +### router/600_exim4-config_userforward +################################# + +# This router handles forwarding using traditional .forward files in users' +# home directories. It also allows mail filtering with a forward file +# starting with the string "# Exim filter" or "# Sieve filter". +# +# The no_verify setting means that this router is skipped when Exim is +# verifying addresses. Similarly, no_expn means that this router is skipped if +# Exim is processing an EXPN command. +# +# The check_ancestor option means that if the forward file generates an +# address that is an ancestor of the current one, the current one gets +# passed on instead. This covers the case where A is aliased to B and B +# has a .forward file pointing to A. +# +# The four transports specified at the end are those that are used when +# forwarding generates a direct delivery to a directory, or a file, or to a +# pipe, or sets up an auto-reply, respectively. +# +userforward: + debug_print = "R: userforward for $local_part@$domain" + driver = redirect + domains = +local_domains + check_local_user + file = $home/.forward + require_files = $local_part:$home/.forward + no_verify + no_expn + check_ancestor + allow_filter + forbid_smtp_code = true + directory_transport = address_directory + file_transport = address_file + pipe_transport = address_pipe + reply_transport = address_reply + skip_syntax_errors + syntax_errors_to = real-$local_part@$domain + syntax_errors_text = \ + This is an automatically generated message. An error has\n\ + been found in your .forward file. Details of the error are\n\ + reported below. While this error persists, you will receive\n\ + a copy of this message for every message that is addressed\n\ + to you. If your .forward file is a filter file, or if it is\n\ + a non-filter file containing no valid forwarding addresses,\n\ + a copy of each incoming message will be put in your normal\n\ + mailbox. 
If a non-filter file contains at least one valid\n\ + forwarding address, forwarding to the valid addresses will\n\ + happen, and those will be the only deliveries that occur. + diff --git a/exim4/conf.d/router/700_exim4-config_procmail b/exim4/conf.d/router/700_exim4-config_procmail new file mode 100644 index 0000000..8d827c7 --- /dev/null +++ b/exim4/conf.d/router/700_exim4-config_procmail @@ -0,0 +1,15 @@ + +procmail: + debug_print = "R: procmail for $local_part@$domain" + driver = accept + domains = +local_domains + check_local_user + transport = procmail_pipe + # emulate OR with "if exists"-expansion + require_files = ${local_part}:\ + ${if exists{/etc/procmailrc}\ + {/etc/procmailrc}{${home}/.procmailrc}}:\ + +/usr/bin/procmail + no_verify + no_expn + diff --git a/exim4/conf.d/router/800_exim4-config_maildrop b/exim4/conf.d/router/800_exim4-config_maildrop new file mode 100644 index 0000000..0c57fc6 --- /dev/null +++ b/exim4/conf.d/router/800_exim4-config_maildrop @@ -0,0 +1,14 @@ + +### router/800_exim4-config_maildrop +################################# + +maildrop: + debug_print = "R: maildrop for $local_part@$domain" + driver = accept + domains = +local_domains + check_local_user + transport = maildrop_pipe + require_files = ${local_part}:${home}/.mailfilter:+/usr/bin/maildrop + no_verify + no_expn + diff --git a/exim4/conf.d/router/850_exim4-config_lowuid b/exim4/conf.d/router/850_exim4-config_lowuid new file mode 100644 index 0000000..43741c6 --- /dev/null +++ b/exim4/conf.d/router/850_exim4-config_lowuid 
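Review bot: The `userforward` router in router/600_exim4-config_userforward sets `allow_filter` and a `pipe_transport` with no `forbid_*` restriction other than `forbid_smtp_code`, so every local account's ~/.forward can start commands (as that user) and use Exim filter actions whenever mail arrives. On a host that is not meant to offer mail-triggered command execution to its accounts (the repository path suggests a name server, which is an inference), add `forbid_pipe` and `forbid_filter_run` to the router, or drop `allow_filter`. The `procmail` and `maildrop` routers that follow hand mail to per-user rc files in the same way and need the same decision.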
@@ -0,0 +1,29 @@ + +### router/850_exim4-config_lowuid +################################# + +.ifndef FIRST_USER_ACCOUNT_UID +FIRST_USER_ACCOUNT_UID = 0 +.endif + +.ifndef DEFAULT_SYSTEM_ACCOUNT_ALIAS +DEFAULT_SYSTEM_ACCOUNT_ALIAS = :fail: no mail to system accounts +.endif + +COND_SYSTEM_USER_AND_REMOTE_SUBMITTER = "\ + ${if and{{! match_ip{$sender_host_address}{:@[]}}\ + {<{$local_user_uid}{FIRST_USER_ACCOUNT_UID}}}\ + {1}{0}\ + }" + +lowuid_aliases: + debug_print = "R: lowuid_aliases for $local_part@$domain (UID $local_user_uid)" + check_local_user + driver = redirect + allow_fail + domains = +local_domains + condition = COND_SYSTEM_USER_AND_REMOTE_SUBMITTER + data = ${if exists{CONFDIR/lowuid-aliases}\ + {${lookup{$local_part}lsearch{CONFDIR/lowuid-aliases}\ + {$value}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}}\ + {DEFAULT_SYSTEM_ACCOUNT_ALIAS}} diff --git a/exim4/conf.d/router/900_exim4-config_local_user b/exim4/conf.d/router/900_exim4-config_local_user new file mode 100644 index 0000000..423c729 --- /dev/null +++ b/exim4/conf.d/router/900_exim4-config_local_user @@ -0,0 +1,15 @@ + +### router/900_exim4-config_local_user +################################# + +# This router matches local user mailboxes. If the router fails, the error +# message is "Unknown user". + +local_user: + debug_print = "R: local_user for $local_part@$domain" + driver = accept + domains = +local_domains + check_local_user + local_parts = ! root + transport = LOCAL_DELIVERY + cannot_route_message = Unknown user diff --git a/exim4/conf.d/router/mmm_mail4root b/exim4/conf.d/router/mmm_mail4root new file mode 100644 index 0000000..88017ba --- /dev/null +++ b/exim4/conf.d/router/mmm_mail4root 
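Review bot: `FIRST_USER_ACCOUNT_UID` defaults to `0` in router/850_exim4-config_lowuid, and the condition tests `$local_user_uid` against it with `<`, so `lowuid_aliases` can never match and remote senders can mail any system account that the `local_user` router accepts (it excludes only root). Defining the macro in a local macro file, e.g. `FIRST_USER_ACCOUNT_UID = 1000` (constructed value; use the first real user UID on this host), makes the router answer with DEFAULT_SYSTEM_ACCOUNT_ALIAS or an entry from CONFDIR/lowuid-aliases instead. A short comment above the `.ifndef` stating that 0 disables the check would keep the next reader from assuming the protection is active.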
@@ -0,0 +1,17 @@ + +### router/mmm_mail4root +################################# +# deliver mail addressed to root to /var/mail/mail as user mail:mail +# if it was not redirected in /etc/aliases or by other means +# Exim cannot deliver as root since 4.24 (FIXED_NEVER_USERS) + +mail4root: + debug_print = "R: mail4root for $local_part@$domain" + driver = redirect + domains = +local_domains + data = /var/mail/mail + file_transport = address_file + local_parts = root + user = mail + group = mail + diff --git a/exim4/conf.d/transport/00_exim4-config_header b/exim4/conf.d/transport/00_exim4-config_header new file mode 100644 index 0000000..48e45da --- /dev/null +++ b/exim4/conf.d/transport/00_exim4-config_header @@ -0,0 +1,13 @@ + +###################################################################### +# TRANSPORTS CONFIGURATION # +###################################################################### +# ORDER DOES NOT MATTER # +# Only one appropriate transport is called for each delivery. # +###################################################################### + +# A transport is used only when referenced from a router that successfully +# handles an address. + +begin transports + diff --git a/exim4/conf.d/transport/10_exim4-config_transport-macros b/exim4/conf.d/transport/10_exim4-config_transport-macros new file mode 100644 index 0000000..449fb31 --- /dev/null +++ b/exim4/conf.d/transport/10_exim4-config_transport-macros 
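Review bot: In router/mmm_mail4root, mail for root that no alias has redirected is appended to `/var/mail/mail` as mail:mail, a mailbox that is unlikely to be read by anyone. Reports that system jobs address to root would then accumulate there unnoticed. Whether root is aliased cannot be seen from this hunk, so it is worth confirming that the committed `aliases` file maps `root` to a monitored mailbox. A comment here such as `# fallback only: root should be redirected in /etc/aliases` would document that intent.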
@@ -0,0 +1,16 @@ + +### transport/10_exim4-config_transport-macros +################################# + +.ifdef HIDE_MAILNAME +REMOTE_SMTP_HEADERS_REWRITE=*@+local_domains $1@DCreadhost frs : *@ETC_MAILNAME $1@DCreadhost frs +REMOTE_SMTP_RETURN_PATH=${if match_domain{$sender_address_domain}{+local_domains}{${sender_address_local_part}@DCreadhost}{${if match_domain{$sender_address_domain}{ETC_MAILNAME}{${sender_address_local_part}@DCreadhost}fail}}} +.endif + +.ifdef REMOTE_SMTP_HELO_FROM_DNS +.ifdef REMOTE_SMTP_HELO_DATA +REMOTE_SMTP_HELO_DATA==${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}} +.else +REMOTE_SMTP_HELO_DATA=${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}} +.endif +.endif diff --git a/exim4/conf.d/transport/30_exim4-config_address_file b/exim4/conf.d/transport/30_exim4-config_address_file new file mode 100644 index 0000000..82b55e2 --- /dev/null +++ b/exim4/conf.d/transport/30_exim4-config_address_file @@ -0,0 +1,11 @@ + +# This transport is used for handling deliveries directly to files that are +# generated by aliasing or forwarding. +# +address_file: + debug_print = "T: address_file for $local_part@$domain" + driver = appendfile + delivery_date_add + envelope_to_add + return_path_add + diff --git a/exim4/conf.d/transport/30_exim4-config_address_pipe b/exim4/conf.d/transport/30_exim4-config_address_pipe new file mode 100644 index 0000000..c5f1828 --- /dev/null +++ b/exim4/conf.d/transport/30_exim4-config_address_pipe @@ -0,0 +1,10 @@ + +# This transport is used for handling pipe deliveries generated by +# .forward files. If the commands fails and produces any output on standard +# output or standard error streams, the output is returned to the sender +# of the message as a delivery error. +address_pipe: + debug_print = "T: address_pipe for $local_part@$domain" + driver = pipe + return_fail_output + 
diff --git a/exim4/conf.d/transport/30_exim4-config_address_reply b/exim4/conf.d/transport/30_exim4-config_address_reply new file mode 100644 index 0000000..b2b8862 --- /dev/null +++ b/exim4/conf.d/transport/30_exim4-config_address_reply @@ -0,0 +1,8 @@ + +# This transport is used for handling autoreplies generated by the filtering +# option of the userforward router. +# +address_reply: + debug_print = "T: autoreply for $local_part@$domain" + driver = autoreply + diff --git a/exim4/conf.d/transport/30_exim4-config_mail_spool b/exim4/conf.d/transport/30_exim4-config_mail_spool new file mode 100644 index 0000000..21dfae4 --- /dev/null +++ b/exim4/conf.d/transport/30_exim4-config_mail_spool @@ -0,0 +1,17 @@ + +### transport/30_exim4-config_mail_spool + +# This transport is used for local delivery to user mailboxes in traditional +# BSD mailbox format. +# +mail_spool: + debug_print = "T: appendfile for $local_part@$domain" + driver = appendfile + file = /var/mail/$local_part + delivery_date_add + envelope_to_add + return_path_add + group = mail + mode = 0660 + mode_fail_narrower = false + diff --git a/exim4/conf.d/transport/30_exim4-config_maildir_home b/exim4/conf.d/transport/30_exim4-config_maildir_home new file mode 100644 index 0000000..a872acc --- /dev/null +++ b/exim4/conf.d/transport/30_exim4-config_maildir_home 
@@ -0,0 +1,41 @@ + +### transport/30_exim4-config_maildir_home +################################# + +# Use this instead of mail_spool if you want to to deliver to Maildir in +# home-directory - change the definition of LOCAL_DELIVERY +# +maildir_home: + debug_print = "T: maildir_home for $local_part@$domain" + driver = appendfile + .ifdef MAILDIR_HOME_MAILDIR_LOCATION + directory = MAILDIR_HOME_MAILDIR_LOCATION + .else + directory = $home/Maildir + .endif + .ifdef MAILDIR_HOME_CREATE_DIRECTORY + create_directory + .endif + .ifdef MAILDIR_HOME_CREATE_FILE + create_file = MAILDIR_HOME_CREATE_FILE + .endif + delivery_date_add + envelope_to_add + return_path_add + maildir_format + .ifdef MAILDIR_HOME_DIRECTORY_MODE + directory_mode = MAILDIR_HOME_DIRECTORY_MODE + .else + directory_mode = 0700 + .endif + .ifdef MAILDIR_HOME_MODE + mode = MAILDIR_HOME_MODE + .else + mode = 0600 + .endif + mode_fail_narrower = false + # This transport always chdirs to $home before trying to deliver. If + # $home is not accessible, this chdir fails and prevents delivery. + # If you are in a setup where home directories might not be + # accessible, uncomment the current_directory line below. + # current_directory = / diff --git a/exim4/conf.d/transport/30_exim4-config_maildrop_pipe b/exim4/conf.d/transport/30_exim4-config_maildrop_pipe new file mode 100644 index 0000000..3bd8924 --- /dev/null +++ b/exim4/conf.d/transport/30_exim4-config_maildrop_pipe @@ -0,0 +1,12 @@ + +maildrop_pipe: + debug_print = "T: maildrop_pipe for $local_part@$domain" + driver = pipe + path = "/bin:/usr/bin:/usr/local/bin" + command = "/usr/bin/maildrop" + message_prefix = + message_suffix = + return_path_add + delivery_date_add + envelope_to_add + diff --git a/exim4/conf.d/transport/30_exim4-config_procmail_pipe b/exim4/conf.d/transport/30_exim4-config_procmail_pipe new file mode 100644 index 0000000..5fb03ff --- /dev/null +++ b/exim4/conf.d/transport/30_exim4-config_procmail_pipe 
@@ -0,0 +1,10 @@ + +procmail_pipe: + debug_print = "T: procmail_pipe for $local_part@$domain" + driver = pipe + path = "/bin:/usr/bin:/usr/local/bin" + command = "/usr/bin/procmail" + return_path_add + delivery_date_add + envelope_to_add + diff --git a/exim4/conf.d/transport/30_exim4-config_remote_smtp b/exim4/conf.d/transport/30_exim4-config_remote_smtp new file mode 100644 index 0000000..11d72bb --- /dev/null +++ b/exim4/conf.d/transport/30_exim4-config_remote_smtp @@ -0,0 +1,47 @@ + +### transport/30_exim4-config_remote_smtp +################################# +# This transport is used for delivering messages over SMTP connections. + +remote_smtp: + debug_print = "T: remote_smtp for $local_part@$domain" + driver = smtp +.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS + hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS +.endif +.ifdef REMOTE_SMTP_HEADERS_REWRITE + headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE +.endif +.ifdef REMOTE_SMTP_RETURN_PATH + return_path = REMOTE_SMTP_RETURN_PATH +.endif +.ifdef REMOTE_SMTP_HELO_DATA + helo_data=REMOTE_SMTP_HELO_DATA +.endif +.ifdef DKIM_DOMAIN +dkim_domain = DKIM_DOMAIN +.endif +.ifdef DKIM_SELECTOR +dkim_selector = DKIM_SELECTOR +.endif +.ifdef DKIM_PRIVATE_KEY +dkim_private_key = DKIM_PRIVATE_KEY +.endif +.ifdef DKIM_CANON +dkim_canon = DKIM_CANON +.endif +.ifdef DKIM_STRICT +dkim_strict = DKIM_STRICT +.endif +.ifdef DKIM_SIGN_HEADERS +dkim_sign_headers = DKIM_SIGN_HEADERS +.endif +.ifdef TLS_DH_MIN_BITS +tls_dh_min_bits = TLS_DH_MIN_BITS +.endif +.ifdef REMOTE_SMTP_TLS_CERTIFICATE +tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE +.endif +.ifdef REMOTE_SMTP_PRIVATEKEY +tls_privatekey = REMOTE_SMTP_PRIVATEKEY +.endif diff --git a/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost b/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost new file mode 100644 index 0000000..b834249 --- /dev/null +++ b/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost 
@@ -0,0 +1,38 @@ + +### transport/30_exim4-config_remote_smtp_smarthost +################################# + +# This transport is used for delivering messages over SMTP connections +# to a smarthost. The local host tries to authenticate. +# This transport is used for smarthost and satellite configurations. + +remote_smtp_smarthost: + debug_print = "T: remote_smtp_smarthost for $local_part@$domain" + driver = smtp + hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \ + {\ + ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\ + }\ + {} \ + } +.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS + hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS +.endif +.ifdef REMOTE_SMTP_HEADERS_REWRITE + headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE +.endif +.ifdef REMOTE_SMTP_RETURN_PATH + return_path = REMOTE_SMTP_RETURN_PATH +.endif +.ifdef REMOTE_SMTP_HELO_DATA + helo_data=REMOTE_SMTP_HELO_DATA +.endif +.ifdef TLS_DH_MIN_BITS +tls_dh_min_bits = TLS_DH_MIN_BITS +.endif +.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE +tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE +.endif +.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY +tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY +.endif diff --git a/exim4/conf.d/transport/35_exim4-config_address_directory b/exim4/conf.d/transport/35_exim4-config_address_directory new file mode 100644 index 0000000..6861426 --- /dev/null +++ b/exim4/conf.d/transport/35_exim4-config_address_directory @@ -0,0 +1,14 @@ +# This transport is used for handling file addresses generated by alias +# or .forward files if the path ends in "/", which causes it to be treated +# as a directory name rather than a file name. + +address_directory: + debug_print = "T: address_directory for $local_part@$domain" + driver = appendfile + delivery_date_add + envelope_to_add + return_path_add + check_string = "" + escape_string = "" + maildir_format + diff --git a/exim4/exim4.conf.template b/exim4/exim4.conf.template new file mode 100644 index 0000000..64d81fd 
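Review bot: `remote_smtp_smarthost` in transport/30_exim4-config_remote_smtp_smarthost offers SMTP AUTH to the smarthost via `hosts_try_auth` (backed by CONFDIR/passwd.client), but nothing in the transport requires TLS or verifies the server certificate; the only TLS setting is the optional `hosts_avoid_tls`. Whether the password can be sent over an unencrypted or unauthenticated session depends on the client authenticator configuration, which is outside this hunk. For a smarthost with a known name, consider adding `hosts_require_tls = *` and `tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt` to this transport, after checking how the installed Exim version treats a verification failure. Note also that `hosts_try_auth` lets delivery proceed unauthenticated if AUTH fails; `hosts_require_auth` is the stricter option if that fallback is not wanted.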
--- /dev/null +++ b/exim4/exim4.conf.template 
@@ -0,0 +1,2057 @@ +##################################################### +### main/01_exim4-config_listmacrosdefs +##################################################### +###################################################################### +# Runtime configuration file for Exim 4 (Debian Packaging) # +###################################################################### + +###################################################################### +# /etc/exim4/exim4.conf.template is only used with the non-split +# configuration scheme. +# /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs is only used +# with the split configuration scheme. +# If you find this comment anywhere else, somebody copied it there. +# Documentation about the Debian exim4 configuration scheme can be +# found in /usr/share/doc/exim4-base/README.Debian.gz. +###################################################################### + +###################################################################### +# MAIN CONFIGURATION SETTINGS # +###################################################################### + +# Just for reference and scripts. +# On Debian systems, the main binary is installed as exim4 to avoid +# conflicts with the exim 3 packages. +exim_path = /usr/sbin/exim4 + +# Macro defining the main configuration directory. +# We do not use absolute paths. +.ifndef CONFDIR +CONFDIR = /etc/exim4 +.endif + +# debconf-driven macro definitions get inserted after this line +UPEX4CmacrosUPEX4C = 1 + +# Create domain and host lists for relay control +# '@' refers to 'the name of the local host' + +# List of domains considered local for exim. Domains not listed here +# need to be deliverable remotely. +domainlist local_domains = MAIN_LOCAL_DOMAINS + +# List of recipient domains to relay _to_. Use this list if you're - +# for example - fallback MX or mail gateway for domains. 
+domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS + +# List of sender networks (IP addresses) to _unconditionally_ relay +# _for_. If you intend to be SMTP AUTH server, you do not need to enter +# anything here. +hostlist relay_from_hosts = MAIN_RELAY_NETS + + +# Decide which domain to use to add to all unqualified addresses. +# If MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN is defined, the primary +# hostname is used. If not, but MAIN_QUALIFY_DOMAIN is set, the value +# of MAIN_QUALIFY_DOMAIN is used. If both macros are not defined, +# the first line of /etc/mailname is used. +.ifndef MAIN_PRIMARY_HOSTNAME_AS_QUALIFY_DOMAIN +.ifndef MAIN_QUALIFY_DOMAIN +qualify_domain = ETC_MAILNAME +.else +qualify_domain = MAIN_QUALIFY_DOMAIN +.endif +.endif + +# listen on all all interfaces? +.ifdef MAIN_LOCAL_INTERFACES +local_interfaces = MAIN_LOCAL_INTERFACES +.endif + +.ifndef LOCAL_DELIVERY +# The default transport, set in /etc/exim4/update-exim4.conf.conf, +# defaulting to mail_spool. See CONFDIR/conf.d/transport/ for possibilities +LOCAL_DELIVERY=mail_spool +.endif + +# The gecos field in /etc/passwd holds not only the name. see passwd(5). +gecos_pattern = ^([^,:]*) +gecos_name = $1 + +# define macros to be used in acl/30_exim4-config_check_rcpt to check +# recipient local parts for strange characters. + +# This macro definition really should be in +# acl/30_exim4-config_check_rcpt but cannot be there due to +# http://www.exim.org/bugzilla/show_bug.cgi?id=101 as of exim 4.62. + +# These macros are documented in acl/30_exim4-config_check_rcpt, +# can be changed here or overridden by a locally added configuration +# file as described in README.Debian chapter 2.1.2 + +.ifndef CHECK_RCPT_LOCAL_LOCALPARTS +CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?] +.endif + +.ifndef CHECK_RCPT_REMOTE_LOCALPARTS +CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] 
: ^.*/\\.\\./ +.endif + +# always log tls_peerdn as we use TLS for outgoing connects by default +.ifndef MAIN_LOG_SELECTOR +MAIN_LOG_SELECTOR = +tls_peerdn +.endif +##################################################### +### end main/01_exim4-config_listmacrosdefs +##################################################### +##################################################### +### main/02_exim4-config_options +##################################################### + +### main/02_exim4-config_options +################################# + + +# Defines the access control list that is run when an +# SMTP MAIL command is received. +# +.ifndef MAIN_ACL_CHECK_MAIL +MAIN_ACL_CHECK_MAIL = acl_check_mail +.endif +acl_smtp_mail = MAIN_ACL_CHECK_MAIL + + +# Defines the access control list that is run when an +# SMTP RCPT command is received. +# +.ifndef MAIN_ACL_CHECK_RCPT +MAIN_ACL_CHECK_RCPT = acl_check_rcpt +.endif +acl_smtp_rcpt = MAIN_ACL_CHECK_RCPT + + +# Defines the access control list that is run when an +# SMTP DATA command is received. +# +.ifndef MAIN_ACL_CHECK_DATA +MAIN_ACL_CHECK_DATA = acl_check_data +.endif +acl_smtp_data = MAIN_ACL_CHECK_DATA + + +# Message size limit. The default (used when MESSAGE_SIZE_LIMIT +# is unset) is 50 MB +.ifdef MESSAGE_SIZE_LIMIT +message_size_limit = MESSAGE_SIZE_LIMIT +.endif + + +# If you are running exim4-daemon-heavy or a custom version of Exim that +# was compiled with the content-scanning extension, you can cause incoming +# messages to be automatically scanned for viruses. You have to modify the +# configuration in two places to set this up. The first of them is here, +# where you define the interface to your scanner. This example is typical +# for ClamAV; see the manual for details of what to set for other virus +# scanners. The second modification is in the acl_check_data access +# control list. 
+ +# av_scanner = clamd:/var/run/clamav/clamd.ctl + + +# For spam scanning, there is a similar option that defines the interface to +# SpamAssassin. You do not need to set this if you are using the default, which +# is shown in this commented example. As for virus scanning, you must also +# modify the acl_check_data access control list to enable spam scanning. + +# spamd_address = 127.0.0.1 783 + +# Domain used to qualify unqualified recipient addresses +# If this option is not set, the qualify_domain value is used. +# qualify_recipient = + + +# Allow Exim to recognize addresses of the form "user@[10.11.12.13]", +# where the domain part is a "domain literal" (an IP address) instead +# of a named domain. The RFCs require this facility, but it is disabled +# in the default config since it is seldomly used and frequently abused. +# Domain literal support also needs a special router, which is automatically +# enabled if you use the enable macro MAIN_ALLOW_DOMAIN_LITERALS. +# Additionally, you might want to make your local IP addresses (or @[]) +# local domains. +.ifdef MAIN_ALLOW_DOMAIN_LITERALS +allow_domain_literals +.endif + + +# Do a reverse DNS lookup on all incoming IP calls, in order to get the +# true host name. If you feel this is too expensive, the networks for +# which a lookup is done can be listed here. +.ifndef DC_minimaldns +.ifndef MAIN_HOST_LOOKUP +MAIN_HOST_LOOKUP = * +.endif +host_lookup = MAIN_HOST_LOOKUP +.endif + + +# In a minimaldns setup, update-exim4.conf guesses the hostname and +# dumps it here to avoid DNS lookups being done at Exim run time. +.ifdef MAIN_HARDCODE_PRIMARY_HOSTNAME +primary_hostname = MAIN_HARDCODE_PRIMARY_HOSTNAME +.endif + +# The settings below, which are actually the same as the defaults in the +# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP +# calls. You can limit the hosts to which these calls are made, and/or change +# the timeout that is used. 
If you set the timeout to zero, all RFC 1413 calls +# are disabled. RFC 1413 calls are cheap and can provide useful information +# for tracing problem messages, but some hosts and firewalls are +# misconfigured to drop the requests instead of either answering or +# rejecting them. This can result in a timeout instead of an immediate refused +# connection, leading to delays on starting up SMTP sessions. (The default was +# reduced from 30s to 5s for release 4.61.) +# rfc1413_hosts = * +# rfc1413_query_timeout = 5s + +# When using an external relay tester (such as rt.njabl.org and/or the +# currently defunct relay-test.mail-abuse.org, the test may be aborted +# since exim complains about "too many nonmail commands". If you want +# the test to complete, add the host from where "your" relay tester +# connects from to the MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS macro. +# Please note that a non-empty setting may cause extra DNS lookups to +# happen, which is the reason why this option is commented out in the +# default settings. +# MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS = !rt.njabl.org +.ifdef MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS +smtp_accept_max_nonmail_hosts = MAIN_SMTP_ACCEPT_MAX_NOMAIL_HOSTS +.endif + +# By default, exim forces a Sender: header containing the local +# account name at the local host name in all locally submitted messages +# that don't have the local account name at the local host name in the +# 
From: header, deletes any Sender: header present in the submitted +# message and forces the envelope sender of all locally submitted +# messages to the local account name at the local host name. +# The following settings allow local users to specify their own envelope sender +# in a locally submitted message. Sender: headers existing in a locally +# submitted message are not removed, and no automatic Sender: headers +# are added. These settings are fine for most hosts. +# If you run exim on a classical multi-user systems where all users +# have local mailboxes that can be reached via SMTP from the Internet +# with the local FQDN as the domain part of the address, you might want +# to disable the following three lines for traceability reasons. +.ifndef MAIN_FORCE_SENDER +local_from_check = false +local_sender_retain = true +untrusted_set_sender = * +.endif + + +# By default, Exim expects all envelope addresses to be fully qualified, that +# is, they must contain both a local part and a domain. Configure exim +# to accept unqualified addresses from certain hosts. When this is done, +# unqualified addresses are qualified using the settings of qualify_domain +# and/or qualify_recipient (see above). +# sender_unqualified_hosts = +# recipient_unqualified_hosts = + + +# Configure Exim to support the "percent hack" for certain domains. +# The "percent hack" is the feature by which mail addressed to x%y@z +# (where z is one of the domains listed) is locally rerouted to x@y +# and sent on. If z is not one of the "percent hack" domains, x%y is +# treated as an ordinary local part. The percent hack is rarely needed +# nowadays but frequently abused. You should not enable it unless you +# are sure that you really need it. 
+# percent_hack_domains = + + +# Bounce handling +.ifndef MAIN_IGNORE_BOUNCE_ERRORS_AFTER +MAIN_IGNORE_BOUNCE_ERRORS_AFTER = 2d +.endif +ignore_bounce_errors_after = MAIN_IGNORE_BOUNCE_ERRORS_AFTER + +.ifndef MAIN_TIMEOUT_FROZEN_AFTER +MAIN_TIMEOUT_FROZEN_AFTER = 7d +.endif +timeout_frozen_after = MAIN_TIMEOUT_FROZEN_AFTER + +.ifndef MAIN_FREEZE_TELL +MAIN_FREEZE_TELL = postmaster +.endif +freeze_tell = MAIN_FREEZE_TELL + + +# Define spool directory +.ifndef SPOOLDIR +SPOOLDIR = /var/spool/exim4 +.endif +spool_directory = SPOOLDIR + + +# trusted users can set envelope-from to arbitrary values +.ifndef MAIN_TRUSTED_USERS +MAIN_TRUSTED_USERS = uucp +.endif +trusted_users = MAIN_TRUSTED_USERS +.ifdef MAIN_TRUSTED_GROUPS +trusted_groups = MAIN_TRUSTED_GROUPS +.endif + + +# users in admin group can do many other things +# admin_groups = + + +# SMTP Banner. The example includes the Debian version in the SMTP dialog +# MAIN_SMTP_BANNER = "${primary_hostname} ESMTP Exim ${version_number} (Debian package MAIN_PACKAGE_VERSION) ${tod_full}" +# smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full +##################################################### +### end main/02_exim4-config_options +##################################################### +##################################################### +### main/03_exim4-config_tlsoptions +##################################################### + +### main/03_exim4-config_tlsoptions +################################# + +# TLS/SSL configuration for exim as an SMTP server. +# See /usr/share/doc/exim4-base/README.Debian.gz for explanations. + +.ifdef MAIN_TLS_ENABLE +# Defines what hosts to 'advertise' STARTTLS functionality to. The +# default, *, will advertise to all hosts that connect with EHLO. +.ifndef MAIN_TLS_ADVERTISE_HOSTS +MAIN_TLS_ADVERTISE_HOSTS = * +.endif +tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS + + +# Full paths to Certificate and Private Key. 
The Private Key file +# must be kept 'secret' and should be owned by root.Debian-exim mode +# 640 (-rw-r-----). exim-gencert takes care of these prerequisites. +# Normally, exim4 looks for certificate and key in different files: +# MAIN_TLS_CERTIFICATE - path to certificate file, +# CONFDIR/exim.crt if unset +# MAIN_TLS_PRIVATEKEY - path to private key file +# CONFDIR/exim.key if unset +# You can also configure exim to look for certificate and key in the +# same file, set MAIN_TLS_CERTKEY to that file to enable. This takes +# precedence over all other settings regarding certificate and key file. +.ifdef MAIN_TLS_CERTKEY +tls_certificate = MAIN_TLS_CERTKEY +.else +.ifndef MAIN_TLS_CERTIFICATE +MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt +.endif +tls_certificate = MAIN_TLS_CERTIFICATE + +.ifndef MAIN_TLS_PRIVATEKEY +MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key +.endif +tls_privatekey = MAIN_TLS_PRIVATEKEY +.endif + +# Pointer to the CA Certificates against which client certificates are +# checked. This is controlled by the `tls_verify_hosts' and +# `tls_try_verify_hosts' lists below. +# If you want to check server certificates, you need to add an +# tls_verify_certificates statement to the smtp transport. +# /etc/ssl/certs/ca-certificates.crt is generated by +# the "ca-certificates" package's update-ca-certificates(8) command. +.ifndef MAIN_TLS_VERIFY_CERTIFICATES +MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\ + {/etc/ssl/certs/ca-certificates.crt}\ + {/dev/null}} +.endif +tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES + + +# A list of hosts which are constrained by `tls_verify_certificates'. A host +# that matches `tls_verify_host' must present a certificate that is +# verifyable through `tls_verify_certificates' in order to be accepted as an +# SMTP client. If it does not, the connection is aborted. 
+.ifdef MAIN_TLS_VERIFY_HOSTS +tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS +.endif + +# A weaker form of checking: if a client matches `tls_try_verify_hosts' (but +# not `tls_verify_hosts'), request a certificate and check it against +# `tls_verify_certificates' but do not abort the connection if there is no +# certificate or if the certificate presented does not match. (This +# condition can be tested for in ACLs through `verify = certificate') +# By default, this check is done for all hosts. It is known that some +# clients (including incredimail's version downloadable in February +# 2008) choke on this. To disable, set MAIN_TLS_TRY_VERIFY_HOSTS to an +# empty value. +.ifdef MAIN_TLS_TRY_VERIFY_HOSTS +tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS +.endif + +.endif +##################################################### +### end main/03_exim4-config_tlsoptions +##################################################### +##################################################### +### main/90_exim4-config_log_selector +##################################################### + +### main/90_exim4-config_log_selector +################################# + +# uncomment this for debugging +# MAIN_LOG_SELECTOR == MAIN_LOG_SELECTOR +all -subject -arguments + +.ifdef MAIN_LOG_SELECTOR +log_selector = MAIN_LOG_SELECTOR +.endif +##################################################### +### end main/90_exim4-config_log_selector +##################################################### +##################################################### +### acl/00_exim4-config_header +##################################################### + +###################################################################### +# ACL CONFIGURATION # +# Specifies access control lists for incoming SMTP mail # +###################################################################### +begin acl + + +##################################################### +### end acl/00_exim4-config_header 
+##################################################### +##################################################### +### acl/20_exim4-config_local_deny_exceptions +##################################################### + +### acl/20_exim4-config_local_deny_exceptions +################################# + +# This is used to determine whitelisted senders and hosts. +# It checks for CONFDIR/host_local_deny_exceptions and +# CONFDIR/sender_local_deny_exceptions. +# +# It is meant to be used from some other acl entry. +# +# See exim4-config_files(5) for details. +# +# If the files do not exist, the white list never matches, which is +# the desired behaviour. +# +# The old file names CONFDIR/local_host_whitelist and +# CONFDIR/local_sender_whitelist will continue to be honored for a +# transition period. Their use is deprecated. + +acl_local_deny_exceptions: + accept + hosts = ${if exists{CONFDIR/host_local_deny_exceptions}\ + {CONFDIR/host_local_deny_exceptions}\ + {}} + accept + senders = ${if exists{CONFDIR/sender_local_deny_exceptions}\ + {CONFDIR/sender_local_deny_exceptions}\ + {}} + accept + hosts = ${if exists{CONFDIR/local_host_whitelist}\ + {CONFDIR/local_host_whitelist}\ + {}} + accept + senders = ${if exists{CONFDIR/local_sender_whitelist}\ + {CONFDIR/local_sender_whitelist}\ + {}} + + # This hook allows you to hook in your own ACLs without having to + # modify this file. If you do it like we suggest, you'll end up with + # a small performance penalty since there is an additional file being + # accessed. This doesn't happen if you leave the macro unset. + .ifdef LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE + .include LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE + .endif + + # this is still supported for a transition period and is deprecated. 
+ .ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
+ .include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
+ .endif
+#####################################################
+### end acl/20_exim4-config_local_deny_exceptions
+#####################################################
+#####################################################
+### acl/30_exim4-config_check_mail
+#####################################################
+
+### acl/30_exim4-config_check_mail
+#################################
+
+# This access control list is used for every MAIL command in an incoming
+# SMTP message. The tests are run in order until the address is either
+# accepted or denied.
+#
+acl_check_mail:
+ .ifdef CHECK_MAIL_HELO_ISSUED
+ deny
+ message = no HELO given before MAIL command
+ condition = ${if def:sender_helo_name {no}{yes}}
+ .endif
+
+ accept
+#####################################################
+### end acl/30_exim4-config_check_mail
+#####################################################
+#####################################################
+### acl/30_exim4-config_check_rcpt
+#####################################################
+
+### acl/30_exim4-config_check_rcpt
+#################################
+
+# This access control list is used for every RCPT command in an incoming
+# SMTP message. The tests are run in order until the address is either
+# accepted or denied.
+#
+acl_check_rcpt:
+
+ # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
+ # testing for an empty sending host field.
+ accept
+ hosts = :
+ control = dkim_disable_verify
+
+ # Do not try to verify DKIM signatures of incoming mail if DC_minimaldns
+ # or DISABLE_DKIM_VERIFY are set.
+.ifdef DC_minimaldns
+ warn
+ control = dkim_disable_verify
+.else
+.ifdef DISABLE_DKIM_VERIFY
+ warn
+ control = dkim_disable_verify
+.endif
+.endif
+
+ # The following section of the ACL is concerned with local parts that contain
+ # certain non-alphanumeric characters. Dots in unusual places are
+ # handled by this ACL as well.
+ #
+ # Non-alphanumeric characters other than dots are rarely found in genuine
+ # local parts, but are often tried by people looking to circumvent
+ # relaying restrictions. Therefore, although they are valid in local
+ # parts, these rules disallow certain non-alphanumeric characters, as
+ # a precaution.
+ #
+ # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
+ # allows them because they have been encountered. (Consider local parts
+ # constructed as "firstinitial.secondinitial.familyname" when applied to
+ # a name without a second initial.) However, a local part starting
+ # with a dot or containing /../ can cause trouble if it is used as part of a
+ # file name (e.g. for a mailing list). This is also true for local parts that
+ # contain slashes. A pipe symbol can also be troublesome if the local part is
+ # incorporated unthinkingly into a shell command line.
+ #
+ # These ACL components will block recipient addresses that are valid
+ # from an RFC2822 point of view. We chose to have them blocked by
+ # default for security reasons.
+ #
+ # If you feel that your site should have less strict recipient
+ # checking, please feel free to change the default values of the macros
+ # defined in main/01_exim4-config_listmacrosdefs or override them from a
+ # local configuration file.
+ #
+ # Two different rules are used. The first one has a quite strict
+ # default, and is applied to messages that are addressed to one of the
+ # local domains handled by this host.
+
+ # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
+ # main/01_exim4-config_listmacrosdefs:
+ # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
+ # This blocks local parts that begin with a dot or contain a quite
+ # broad range of non-alphanumeric characters.
+ .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
+ deny
+ domains = +local_domains
+ local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
+ message = restricted characters in address
+ .endif
+
+
+ # The second rule applies to all other domains, and its default is
+ # considerably less strict.
+
+ # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in
+ # main/01_exim4-config_listmacrosdefs:
+ # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
+
+ # It allows local users to send outgoing messages to sites
+ # that use slashes and vertical bars in their local parts. It blocks
+ # local parts that begin with a dot, slash, or vertical bar, but allows
+ # these characters within the local part. However, the sequence /../ is
+ # barred. The use of some other non-alphanumeric characters is blocked.
+ # Single quotes might probably be dangerous as well, but they're
+ # allowed by the default regexps to avoid rejecting mails to Ireland.
+ # The motivation here is to prevent local users (or local users' malware)
+ # from mounting certain kinds of attack on remote sites.
+ .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
+ deny
+ domains = !+local_domains
+ local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
+ message = restricted characters in address
+ .endif
+
+
+ # Accept mail to postmaster in any local domain, regardless of the source,
+ # and without verifying the sender.
+ #
+ accept
+ .ifndef CHECK_RCPT_POSTMASTER
+ local_parts = postmaster
+ .else
+ local_parts = CHECK_RCPT_POSTMASTER
+ .endif
+ domains = +local_domains : +relay_to_domains
+
+
+ # Deny unless the sender address can be verified.
+ #
+ # This is disabled by default so that DNSless systems don't break. If
+ # your system can do DNS lookups without delay or cost, you might want
+ # to enable this feature.
+ #
+ # This feature does not work in smarthost and satellite setups as
+ # with these setups all domains pass verification. See spec.txt chapter
+ # 39.31 with the added information that a smarthost/satellite setup
+ # routes all non-local e-mail to the smarthost.
+ .ifdef CHECK_RCPT_VERIFY_SENDER
+ deny
+ message = Sender verification failed
+ !acl = acl_local_deny_exceptions
+ !verify = sender
+ .endif
+
+ # Verify senders listed in local_sender_callout with a callout.
+ #
+ # In smarthost and satellite setups, this causes the callout to be
+ # done to the smarthost. Verification will thus only be reliable if the
+ # smarthost does reject illegal addresses in the SMTP dialog.
+ deny
+ !acl = acl_local_deny_exceptions
+ senders = ${if exists{CONFDIR/local_sender_callout}\
+ {CONFDIR/local_sender_callout}\
+ {}}
+ !verify = sender/callout
+
+
+ # Accept if the message comes from one of the hosts for which we are an
+ # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
+ # so we set control=submission to make Exim treat the message as a
+ # submission. It will fix up various errors in the message, for example, the
+ # lack of a Date: header line. If you are actually relaying out out from
+ # MTAs, you may want to disable this. If you are handling both relaying from
+ # MTAs and submissions from MUAs you should probably split them into two
+ # lists, and handle them differently.
+
+ # Recipient verification is omitted here, because in many cases the clients
+ # are dumb MUAs that don't cope well with SMTP error responses. If you are
+ # actually relaying out from MTAs, you should probably add recipient
+ # verification here.
+
+ # Note that, by putting this test before any DNS black list checks, you will
+ # always accept from these hosts, even if they end up on a black list. The
+ # assumption is that they are your friends, and if they get onto black
+ # list, it is a mistake.
+ accept
+ hosts = +relay_from_hosts
+ control = submission/sender_retain
+ control = dkim_disable_verify
+
+
+ # Accept if the message arrived over an authenticated connection, from
+ # any host. Again, these messages are usually from MUAs, so recipient
+ # verification is omitted, and submission mode is set. And again, we do this
+ # check before any black list tests.
+ accept
+ authenticated = *
+ control = submission/sender_retain
+ control = dkim_disable_verify
+
+
+ # Insist that any other recipient address that we accept is either in one of
+ # our local domains, or is in a domain for which we explicitly allow
+ # relaying. Any other domain is rejected as being unacceptable for relaying.
+ require
+ message = relay not permitted
+ domains = +local_domains : +relay_to_domains
+
+
+ # We also require all accepted addresses to be verifiable. This check will
+ # do local part verification for local domains, but only check the domain
+ # for remote domains.
+ require
+ verify = recipient
+
+
+ # Verify recipients listed in local_rcpt_callout with a callout.
+ # This is especially handy for forwarding MX hosts (secondary MX or
+ # mail hubs) of domains that receive a lot of spam to non-existent
+ # addresses. The only way to check local parts for remote relay
+ # domains is to use a callout (add /callout), but please read the
+ # documentation about callouts before doing this.
+ deny
+ !acl = acl_local_deny_exceptions
+ recipients = ${if exists{CONFDIR/local_rcpt_callout}\
+ {CONFDIR/local_rcpt_callout}\
+ {}}
+ !verify = recipient/callout
+
+
+ # CONFDIR/local_sender_blacklist holds a list of envelope senders that
+ # should have their access denied to the local host. Incoming messages
+ # with one of these senders are rejected at RCPT time.
+ #
+ # The explicit white lists are honored as well as negative items in
+ # the black list. See exim4-config_files(5) for details.
+ deny
+ message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
+ !acl = acl_local_deny_exceptions
+ senders = ${if exists{CONFDIR/local_sender_blacklist}\
+ {CONFDIR/local_sender_blacklist}\
+ {}}
+
+
+ # deny bad sites (IP address)
+ # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
+ # and networks (CIDR notation) that should have their access denied to
+ # The local host. Messages coming in from a listed host will have all
+ # RCPT statements rejected.
+ #
+ # The explicit white lists are honored as well as negative items in
+ # the black list. See exim4-config_files(5) for details.
+ deny
+ message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
+ !acl = acl_local_deny_exceptions
+ hosts = ${if exists{CONFDIR/local_host_blacklist}\
+ {CONFDIR/local_host_blacklist}\
+ {}}
+
+
+ # Warn if the sender host does not have valid reverse DNS.
+ #
+ # If your system can do DNS lookups without delay or cost, you might want
+ # to enable this.
+ # If sender_host_address is defined, it's a remote call. If
+ # sender_host_name is not defined, then reverse lookup failed. Use
+ # this instead of !verify = reverse_host_lookup to catch deferrals
+ # as well as outright failures.
+ .ifdef CHECK_RCPT_REVERSE_DNS
+ warn
+ condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
+ {yes}{no}}
+ add_header = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
+ .endif
+
+
+ # Use spfquery to perform a pair of SPF checks (for details, see
+ # http://www.openspf.org/)
+ #
+ # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
+ # enable if that's an issue. Also note that if you enable this, you must
+ # install "spf-tools-perl" which provides the spfquery command.
+ # Missing spf-tools-perl will trigger the "Unexpected error in
+ # SPF check" warning.
+ .ifdef CHECK_RCPT_SPF
+ deny
+ message = [SPF] $sender_host_address is not allowed to send mail from \
+ ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
+ Please see \
+ http://www.openspf.org/Why?scope=${if def:sender_address_domain \
+ {mfrom}{helo}};identity=${if def:sender_address_domain \
+ {$sender_address}{$sender_helo_name}};ip=$sender_host_address
+ log_message = SPF check failed.
+ !acl = acl_local_deny_exceptions
+ condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
+ ${quote:$sender_host_address} --identity \
+ ${if def:sender_address_domain \
+ {--scope mfrom --identity ${quote:$sender_address}}\
+ {--scope helo --identity ${quote:$sender_helo_name}}}}\
+ {no}{${if eq {$runrc}{1}{yes}{no}}}}
+
+ defer
+ message = Temporary DNS error while checking SPF record. Try again later.
+ !acl = acl_local_deny_exceptions
+ condition = ${if eq {$runrc}{5}{yes}{no}}
+
+ warn
+ condition = ${if <={$runrc}{6}{yes}{no}}
+ add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
+ {${if eq {$runrc}{2}{softfail}\
+ {${if eq {$runrc}{3}{neutral}\
+ {${if eq {$runrc}{4}{permerror}\
+ {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
+ } client-ip=$sender_host_address; \
+ ${if def:sender_address_domain \
+ {envelope-from=${sender_address}; }{}}\
+ helo=$sender_helo_name
+
+ warn
+ log_message = Unexpected error in SPF check.
+ condition = ${if >{$runrc}{6}{yes}{no}}
+ .endif
+
+
+ # Check against classic DNS "black" lists (DNSBLs) which list
+ # sender IP addresses
+ .ifdef CHECK_RCPT_IP_DNSBLS
+ warn
+ dnslists = CHECK_RCPT_IP_DNSBLS
+ add_header = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ .endif
+
+
+ # Check against DNSBLs which list sender domains, with an option to locally
+ # whitelist certain domains that might be blacklisted.
+ #
+ # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append
+ # "/$sender_address_domain" after each domain. For example:
+ # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \
+ # : rhsbl.bar.org/$sender_address_domain
+ .ifdef CHECK_RCPT_DOMAIN_DNSBLS
+ warn
+ !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
+ {CONFDIR/local_domain_dnsbl_whitelist}\
+ {}}
+ dnslists = CHECK_RCPT_DOMAIN_DNSBLS
+ add_header = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ .endif
+
+
+ # This hook allows you to hook in your own ACLs without having to
+ # modify this file. If you do it like we suggest, you'll end up with
+ # a small performance penalty since there is an additional file being
+ # accessed. This doesn't happen if you leave the macro unset.
+ .ifdef CHECK_RCPT_LOCAL_ACL_FILE
+ .include CHECK_RCPT_LOCAL_ACL_FILE
+ .endif
+
+
+ #############################################################################
+ # This check is commented out because it is recognized that not every
+ # sysadmin will want to do it. If you enable it, the check performs
+ # Client SMTP Authorization (csa) checks on the sending host. These checks
+ # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
+ # an Internet draft. You can, of course, add additional conditions to this
+ # ACL statement to restrict the CSA checks to certain hosts only.
+ #
+ # require verify = csa
+ #############################################################################
+
+
+ # Accept if the address is in a domain for which we are an incoming relay,
+ # but again, only if the recipient can be verified.
+
+ accept
+ domains = +relay_to_domains
+ endpass
+ verify = recipient
+
+
+ # At this point, the address has passed all the checks that have been
+ # configured, so we accept it unconditionally.
+
+ accept
+#####################################################
+### end acl/30_exim4-config_check_rcpt
+#####################################################
+#####################################################
+### acl/40_exim4-config_check_data
+#####################################################
+
+### acl/40_exim4-config_check_data
+#################################
+
+# This ACL is used after the contents of a message have been received. This
+# is the ACL in which you can test a message's headers or body, and in
+# particular, this is where you can invoke external virus or spam scanners.
+
+acl_check_data:
+
+ # Deny unless the address list headers are syntactically correct.
+ #
+ # If you enable this, you might reject legitimate mail.
+ .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX
+ deny
+ message = Message headers fail syntax check
+ !acl = acl_local_deny_exceptions
+ !verify = header_syntax
+ .endif
+
+
+ # require that there is a verifiable sender address in at least
+ # one of the "Sender:", "Reply-To:", or "From:" header lines.
+ .ifdef CHECK_DATA_VERIFY_HEADER_SENDER
+ deny
+ message = No verifiable sender address in message headers
+ !acl = acl_local_deny_exceptions
+ !verify = header_sender
+ .endif
+
+
+ # Deny if the message contains malware. Before enabling this check, you
+ # must install a virus scanner and set the av_scanner option in the
+ # main configuration.
+ #
+ # exim4-daemon-heavy must be used for this section to work.
+ #
+ # deny
+ # malware = *
+ # message = This message was detected as possible malware ($malware_name).
+
+
+ # Add headers to a message if it is judged to be spam. Before enabling this,
+ # you must install SpamAssassin. You also need to set the spamd_address
+ # option in the main configuration.
+ #
+ # exim4-daemon-heavy must be used for this section to work.
+ #
+ # Please note that this is only suiteable as an example. There are
+ # multiple issues with this configuration method. For example, if you go
+ # this way, you'll give your spamassassin daemon write access to the
+ # entire exim spool which might be a security issue in case of a
+ # spamassassin exploit.
+ #
+ # See the exim docs and the exim wiki for more suitable examples.
+ #
+ # warn
+ # spam = Debian-exim:true
+ # add_header = X-Spam_score: $spam_score\n\
+ # X-Spam_score_int: $spam_score_int\n\
+ # X-Spam_bar: $spam_bar\n\
+ # X-Spam_report: $spam_report
+
+
+ # This hook allows you to hook in your own ACLs without having to
+ # modify this file. If you do it like we suggest, you'll end up with
+ # a small performance penalty since there is an additional file being
+ # accessed. This doesn't happen if you leave the macro unset.
+ .ifdef CHECK_DATA_LOCAL_ACL_FILE
+ .include CHECK_DATA_LOCAL_ACL_FILE
+ .endif
+
+
+ # accept otherwise
+ accept
+#####################################################
+### end acl/40_exim4-config_check_data
+#####################################################
+#####################################################
+### router/00_exim4-config_header
+#####################################################
+
+######################################################################
+# ROUTERS CONFIGURATION #
+# Specifies how addresses are handled #
+######################################################################
+# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
+# An address is passed to each router in turn until it is accepted. #
+######################################################################
+
+begin routers
+
+#####################################################
+### end router/00_exim4-config_header
+#####################################################
+#####################################################
+### router/100_exim4-config_domain_literal
+#####################################################
+
+### router/100_exim4-config_domain_literal
+#################################
+
+# This router handles e-mail addresses in "domain literal" form like
+# . The RFCs require this facility, but it is disabled
+# in the default config since it is seldomly used and frequently abused.
+# Domain literal support also needs to be enabled in the main config,
+# which is automatically done if you use the enable macro
+# MAIN_ALLOW_DOMAIN_LITERALS.
+
+.ifdef MAIN_ALLOW_DOMAIN_LITERALS
+domain_literal:
+ debug_print = "R: domain_literal for $local_part@$domain"
+ driver = ipliteral
+ domains = ! +local_domains
+ transport = remote_smtp
+.endif
+#####################################################
+### end router/100_exim4-config_domain_literal
+#####################################################
+#####################################################
+### router/150_exim4-config_hubbed_hosts
+#####################################################
+
+# router/150_exim4-config_hubbed_hosts
+#################################
+
+# route specific domains manually.
+#
+# see exim4-config_files(5) and spec.txt chapter 20.3 through 20.7 for
+# more detailed documentation.
+
+hubbed_hosts:
+ debug_print = "R: hubbed_hosts for $domain"
+ driver = manualroute
+ domains = "${if exists{CONFDIR/hubbed_hosts}\
+ {partial-lsearch;CONFDIR/hubbed_hosts}\
+ fail}"
+ same_domain_copy_routing = yes
+ route_data = ${lookup{$domain}partial-lsearch{CONFDIR/hubbed_hosts}}
+ transport = remote_smtp
+#####################################################
+### end router/150_exim4-config_hubbed_hosts
+#####################################################
+#####################################################
+### router/200_exim4-config_primary
+#####################################################
+
+### router/200_exim4-config_primary
+#################################
+# This file holds the primary router, responsible for nonlocal mails
+
+.ifdef DCconfig_internet
+# configtype=internet
+#
+# deliver mail to the recipient if recipient domain is a domain we
+# relay for. We do not ignore any target hosts here since delivering to
+# a site local or even a link local address might be wanted here, and if
+# such an address has found its way into the MX record of such a domain,
+# the local admin is probably in a place where that broken MX record
+# could be fixed.
+
+dnslookup_relay_to_domains:
+ debug_print = "R: dnslookup_relay_to_domains for $local_part@$domain"
+ driver = dnslookup
+ domains = ! +local_domains : +relay_to_domains
+ transport = remote_smtp
+ same_domain_copy_routing = yes
+ no_more
+
+# deliver mail directly to the recipient. This router is only reached
+# for domains that we do not relay for. Since we most probably can't
+# have broken MX records pointing to site local or link local IP
+# addresses fixed, we ignore target hosts pointing to these addresses.
+
+dnslookup:
+ debug_print = "R: dnslookup for $local_part@$domain"
+ driver = dnslookup
+ domains = ! +local_domains
+ transport = remote_smtp
+ same_domain_copy_routing = yes
+ # ignore private rfc1918 and APIPA addresses
+ ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
+ 172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
+ 255.255.255.255
+ no_more
+
+.endif
+
+
+.ifdef DCconfig_local
+# configtype=local
+#
+# Stand-alone system, so generate an error for mail to a non-local domain
+nonlocal:
+ debug_print = "R: nonlocal for $local_part@$domain"
+ driver = redirect
+ domains = ! +local_domains
+ allow_fail
+ data = :fail: Mailing to remote domains not supported
+ no_more
+
+.endif
+
+
+.ifdef DCconfig_smarthost DCconfig_satellite
+# configtype=smarthost or configtype=satellite
+#
+# Send all non-local mail to a single other machine (smarthost).
+#
+# This means _ALL_ non-local mail goes to the smarthost. This will most
+# probably not do what you want for domains that are listed in
+# relay_domains. The most typical use for relay_domains is to control
+# relaying for incoming e-mail on secondary MX hosts. In that case,
+# it doesn't make sense to send the mail to the smarthost since the
+# smarthost will probably send the message right back here, causing a
+# loop.
+#
+# If you want to use a smarthost while being secondary MX for some
+# domains, you'll need to copy the dnslookup_relay_to_domains router
+# here so that mail to relay_domains is handled separately.
+
+smarthost:
+ debug_print = "R: smarthost for $local_part@$domain"
+ driver = manualroute
+ domains = ! +local_domains
+ transport = remote_smtp_smarthost
+ route_list = * DCsmarthost byname
+ host_find_failed = ignore
+ same_domain_copy_routing = yes
+ no_more
+
+.endif
+
+
+# The "no_more" above means that all later routers are for
+# domains in the local_domains list, i.e. just like Exim 3 directors.
+#####################################################
+### end router/200_exim4-config_primary
+#####################################################
+#####################################################
+### router/300_exim4-config_real_local
+#####################################################
+
+### router/300_exim4-config_real_local
+#################################
+
+# This router allows reaching a local user while avoiding local
+# processing. This can be used to inform a user of a broken .forward
+# file, for example. The userforward router does this.
+
+COND_LOCAL_SUBMITTER = "\
+ ${if match_ip{$sender_host_address}{:@[]}\
+ {1}{0}\
+ }"
+
+real_local:
+ debug_print = "R: real_local for $local_part@$domain"
+ driver = accept
+ domains = +local_domains
+ condition = COND_LOCAL_SUBMITTER
+ local_part_prefix = real-
+ check_local_user
+ transport = LOCAL_DELIVERY
+
+#####################################################
+### end router/300_exim4-config_real_local
+#####################################################
+#####################################################
+### router/400_exim4-config_system_aliases
+#####################################################
+
+### router/400_exim4-config_system_aliases
+#################################
+
+# This router handles aliasing using a traditional /etc/aliases file.
+#
+##### NB You must ensure that /etc/aliases exists. It used to be the case
+##### NB that every Unix had that file, because it was the Sendmail default.
+##### NB These days, there are systems that don't have it. Your aliases
+##### NB file should at least contain an alias for "postmaster".
+#
+# This router handles the local part in a case-insensitive way which
+# satisfies the RFCs requirement that postmaster be reachable regardless
+# of case. If you decide to handle /etc/aliases in a caseful way, you
+# need to make arrangements for a caseless postmaster.
+#
+# Delivery to arbitrary directories, files, and piping to programs in
+# /etc/aliases is disabled per default.
+# If that is a problem for you, see
+# /usr/share/doc/exim4-base/README.Debian.gz
+# for explanation and some workarounds.
+
+system_aliases:
+ debug_print = "R: system_aliases for $local_part@$domain"
+ driver = redirect
+ domains = +local_domains
+ allow_fail
+ allow_defer
+ data = ${lookup{$local_part}lsearch{/etc/aliases}}
+ .ifdef SYSTEM_ALIASES_USER
+ user = SYSTEM_ALIASES_USER
+ .endif
+ .ifdef SYSTEM_ALIASES_GROUP
+ group = SYSTEM_ALIASES_GROUP
+ .endif
+ .ifdef SYSTEM_ALIASES_FILE_TRANSPORT
+ file_transport = SYSTEM_ALIASES_FILE_TRANSPORT
+ .endif
+ .ifdef SYSTEM_ALIASES_PIPE_TRANSPORT
+ pipe_transport = SYSTEM_ALIASES_PIPE_TRANSPORT
+ .endif
+ .ifdef SYSTEM_ALIASES_DIRECTORY_TRANSPORT
+ directory_transport = SYSTEM_ALIASES_DIRECTORY_TRANSPORT
+ .endif
+#####################################################
+### end router/400_exim4-config_system_aliases
+#####################################################
+#####################################################
+### router/500_exim4-config_hubuser
+#####################################################
+
+### router/500_exim4-config_hubuser
+#################################
+
+.ifdef DCconfig_satellite
+# This router is only used for configtype=satellite.
+# It takes care to route all mail targetted to
+# to the host where we read our mail
+#
+hub_user:
+ debug_print = "R: hub_user for $local_part@$domain"
+ driver = redirect
+ domains = +local_domains
+ data = ${local_part}@DCreadhost
+ check_local_user
+
+# Grab the redirected mail and deliver it.
+# This is a duplicate of the smarthost router, needed because
+# DCreadhost might end up as part of +local_domains
+hub_user_smarthost:
+ debug_print = "R: hub_user_smarthost for $local_part@$domain"
+ driver = manualroute
+ domains = DCreadhost
+ transport = remote_smtp_smarthost
+ route_list = * DCsmarthost byname
+ host_find_failed = ignore
+ same_domain_copy_routing = yes
+ check_local_user
+.endif
+
+
+#####################################################
+### end router/500_exim4-config_hubuser
+#####################################################
+#####################################################
+### router/600_exim4-config_userforward
+#####################################################
+
+### router/600_exim4-config_userforward
+#################################
+
+# This router handles forwarding using traditional .forward files in users'
+# home directories. It also allows mail filtering with a forward file
+# starting with the string "# Exim filter" or "# Sieve filter".
+#
+# The no_verify setting means that this router is skipped when Exim is
+# verifying addresses. Similarly, no_expn means that this router is skipped if
+# Exim is processing an EXPN command.
+#
+# The check_ancestor option means that if the forward file generates an
+# address that is an ancestor of the current one, the current one gets
+# passed on instead. This covers the case where A is aliased to B and B
+# has a .forward file pointing to A.
+#
+# The four transports specified at the end are those that are used when
+# forwarding generates a direct delivery to a directory, or a file, or to a
+# pipe, or sets up an auto-reply, respectively.
+#
+userforward:
+ debug_print = "R: userforward for $local_part@$domain"
+ driver = redirect
+ domains = +local_domains
+ check_local_user
+ file = $home/.forward
+ require_files = $local_part:$home/.forward
+ no_verify
+ no_expn
+ check_ancestor
+ allow_filter
+ forbid_smtp_code = true
+ directory_transport = address_directory
+ file_transport = address_file
+ pipe_transport = address_pipe
+ reply_transport = address_reply
+ skip_syntax_errors
+ syntax_errors_to = real-$local_part@$domain
+ syntax_errors_text = \
+ This is an automatically generated message. An error has\n\
+ been found in your .forward file. Details of the error are\n\
+ reported below. While this error persists, you will receive\n\
+ a copy of this message for every message that is addressed\n\
+ to you. If your .forward file is a filter file, or if it is\n\
+ a non-filter file containing no valid forwarding addresses,\n\
+ a copy of each incoming message will be put in your normal\n\
+ mailbox. If a non-filter file contains at least one valid\n\
+ forwarding address, forwarding to the valid addresses will\n\
+ happen, and those will be the only deliveries that occur.
+
+#####################################################
+### end router/600_exim4-config_userforward
+#####################################################
+#####################################################
+### router/700_exim4-config_procmail
+#####################################################
+
+procmail:
+ debug_print = "R: procmail for $local_part@$domain"
+ driver = accept
+ domains = +local_domains
+ check_local_user
+ transport = procmail_pipe
+ # emulate OR with "if exists"-expansion
+ require_files = ${local_part}:\
+ ${if exists{/etc/procmailrc}\
+ {/etc/procmailrc}{${home}/.procmailrc}}:\
+ +/usr/bin/procmail
+ no_verify
+ no_expn
+
+#####################################################
+### end router/700_exim4-config_procmail
+#####################################################
+#####################################################
+### router/800_exim4-config_maildrop
+#####################################################
+
+### router/800_exim4-config_maildrop
+#################################
+
+maildrop:
+ debug_print = "R: maildrop for $local_part@$domain"
+ driver = accept
+ domains = +local_domains
+ check_local_user
+ transport = maildrop_pipe
+ require_files = ${local_part}:${home}/.mailfilter:+/usr/bin/maildrop
+ no_verify
+ no_expn
+
+#####################################################
+### end router/800_exim4-config_maildrop
+#####################################################
+#####################################################
+### router/850_exim4-config_lowuid
+#####################################################
+
+### router/850_exim4-config_lowuid
+#################################
+
+.ifndef FIRST_USER_ACCOUNT_UID
+FIRST_USER_ACCOUNT_UID = 0
+.endif
+
+.ifndef DEFAULT_SYSTEM_ACCOUNT_ALIAS
+DEFAULT_SYSTEM_ACCOUNT_ALIAS = :fail: no mail to system accounts
+.endif
+
+COND_SYSTEM_USER_AND_REMOTE_SUBMITTER = "\
+ ${if and{{! match_ip{$sender_host_address}{:@[]}}\
+ {<{$local_user_uid}{FIRST_USER_ACCOUNT_UID}}}\
+ {1}{0}\
+ }"
+
+lowuid_aliases:
+ debug_print = "R: lowuid_aliases for $local_part@$domain (UID $local_user_uid)"
+ check_local_user
+ driver = redirect
+ allow_fail
+ domains = +local_domains
+ condition = COND_SYSTEM_USER_AND_REMOTE_SUBMITTER
+ data = ${if exists{CONFDIR/lowuid-aliases}\
+ {${lookup{$local_part}lsearch{CONFDIR/lowuid-aliases}\
+ {$value}{DEFAULT_SYSTEM_ACCOUNT_ALIAS}}}\
+ {DEFAULT_SYSTEM_ACCOUNT_ALIAS}}
+#####################################################
+### end router/850_exim4-config_lowuid
+#####################################################
+#####################################################
+### router/900_exim4-config_local_user
+#####################################################
+
+### router/900_exim4-config_local_user
+#################################
+
+# This router matches local user mailboxes. If the router fails, the error
+# message is "Unknown user".
+
+local_user:
+ debug_print = "R: local_user for $local_part@$domain"
+ driver = accept
+ domains = +local_domains
+ check_local_user
+ local_parts = ! root
+ transport = LOCAL_DELIVERY
+ cannot_route_message = Unknown user
+#####################################################
+### end router/900_exim4-config_local_user
+#####################################################
+#####################################################
+### router/mmm_mail4root
+#####################################################
+
+### router/mmm_mail4root
+#################################
+# deliver mail addressed to root to /var/mail/mail as user mail:mail
+# if it was not redirected in /etc/aliases or by other means
+# Exim cannot deliver as root since 4.24 (FIXED_NEVER_USERS)
+
+mail4root:
+ debug_print = "R: mail4root for $local_part@$domain"
+ driver = redirect
+ domains = +local_domains
+ data = /var/mail/mail
+ file_transport = address_file
+ local_parts = root
+ user = mail
+ group = mail
+
+#####################################################
+### end router/mmm_mail4root
+#####################################################
+#####################################################
+### transport/00_exim4-config_header
+#####################################################
+
+######################################################################
+# TRANSPORTS CONFIGURATION #
+######################################################################
+# ORDER DOES NOT MATTER #
+# Only one appropriate transport is called for each delivery. #
+######################################################################
+
+# A transport is used only when referenced from a router that successfully
+# handles an address.
+
+begin transports
+
+#####################################################
+### end transport/00_exim4-config_header
+#####################################################
+#####################################################
+### transport/10_exim4-config_transport-macros
+#####################################################
+
+### transport/10_exim4-config_transport-macros
+#################################
+
+.ifdef HIDE_MAILNAME
+REMOTE_SMTP_HEADERS_REWRITE=*@+local_domains $1@DCreadhost frs : *@ETC_MAILNAME $1@DCreadhost frs
+REMOTE_SMTP_RETURN_PATH=${if match_domain{$sender_address_domain}{+local_domains}{${sender_address_local_part}@DCreadhost}{${if match_domain{$sender_address_domain}{ETC_MAILNAME}{${sender_address_local_part}@DCreadhost}fail}}}
+.endif
+
+.ifdef REMOTE_SMTP_HELO_FROM_DNS
+.ifdef REMOTE_SMTP_HELO_DATA
+REMOTE_SMTP_HELO_DATA==${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
+.else
+REMOTE_SMTP_HELO_DATA=${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
+.endif
+.endif
+#####################################################
+### end transport/10_exim4-config_transport-macros
+#####################################################
+#####################################################
+### transport/30_exim4-config_address_file
+#####################################################
+
+# This transport is used for handling deliveries directly to files that are
+# generated by aliasing or forwarding.
+#
+address_file:
+ debug_print = "T: address_file for $local_part@$domain"
+ driver = appendfile
+ delivery_date_add
+ envelope_to_add
+ return_path_add
+
+#####################################################
+### end transport/30_exim4-config_address_file
+#####################################################
+#####################################################
+### transport/30_exim4-config_address_pipe
+#####################################################
+
+# This transport is used for handling pipe deliveries generated by
+# .forward files. If the commands fails and produces any output on standard
+# output or standard error streams, the output is returned to the sender
+# of the message as a delivery error.
+address_pipe:
+ debug_print = "T: address_pipe for $local_part@$domain"
+ driver = pipe
+ return_fail_output
+
+#####################################################
+### end transport/30_exim4-config_address_pipe
+#####################################################
+#####################################################
+### transport/30_exim4-config_address_reply
+#####################################################
+
+# This transport is used for handling autoreplies generated by the filtering
+# option of the userforward router.
+#
+address_reply:
+ debug_print = "T: autoreply for $local_part@$domain"
+ driver = autoreply
+
+#####################################################
+### end transport/30_exim4-config_address_reply
+#####################################################
+#####################################################
+### transport/30_exim4-config_mail_spool
+#####################################################
+
+### transport/30_exim4-config_mail_spool
+
+# This transport is used for local delivery to user mailboxes in traditional
+# BSD mailbox format.
+#
+mail_spool:
+ debug_print = "T: appendfile for $local_part@$domain"
+ driver = appendfile
+ file = /var/mail/$local_part
+ delivery_date_add
+ envelope_to_add
+ return_path_add
+ group = mail
+ mode = 0660
+ mode_fail_narrower = false
+
+#####################################################
+### end transport/30_exim4-config_mail_spool
+#####################################################
+#####################################################
+### transport/30_exim4-config_maildir_home
+#####################################################
+
+### transport/30_exim4-config_maildir_home
+#################################
+
+# Use this instead of mail_spool if you want to to deliver to Maildir in
+# home-directory - change the definition of LOCAL_DELIVERY
+#
+maildir_home:
+ debug_print = "T: maildir_home for $local_part@$domain"
+ driver = appendfile
+ .ifdef MAILDIR_HOME_MAILDIR_LOCATION
+ directory = MAILDIR_HOME_MAILDIR_LOCATION
+ .else
+ directory = $home/Maildir
+ .endif
+ .ifdef MAILDIR_HOME_CREATE_DIRECTORY
+ create_directory
+ .endif
+ .ifdef MAILDIR_HOME_CREATE_FILE
+ create_file = MAILDIR_HOME_CREATE_FILE
+ .endif
+ delivery_date_add
+ envelope_to_add
+ return_path_add
+ maildir_format
+ .ifdef MAILDIR_HOME_DIRECTORY_MODE
+ directory_mode = MAILDIR_HOME_DIRECTORY_MODE
+ .else
+ directory_mode = 0700
+ .endif
+ .ifdef MAILDIR_HOME_MODE
+ mode = MAILDIR_HOME_MODE
+ .else
+ mode = 0600
+ .endif
+ mode_fail_narrower = false
+ # This transport always chdirs to $home before trying to deliver. If
+ # $home is not accessible, this chdir fails and prevents delivery.
+ # If you are in a setup where home directories might not be
+ # accessible, uncomment the current_directory line below.
+ # current_directory = / +##################################################### +### end transport/30_exim4-config_maildir_home +##################################################### +##################################################### +### transport/30_exim4-config_maildrop_pipe +##################################################### + +maildrop_pipe: + debug_print = "T: maildrop_pipe for $local_part@$domain" + driver = pipe + path = "/bin:/usr/bin:/usr/local/bin" + command = "/usr/bin/maildrop" + message_prefix = + message_suffix = + return_path_add + delivery_date_add + envelope_to_add + +##################################################### +### end transport/30_exim4-config_maildrop_pipe +##################################################### +##################################################### +### transport/30_exim4-config_procmail_pipe +##################################################### + +procmail_pipe: + debug_print = "T: procmail_pipe for $local_part@$domain" + driver = pipe + path = "/bin:/usr/bin:/usr/local/bin" + command = "/usr/bin/procmail" + return_path_add + delivery_date_add + envelope_to_add + +##################################################### +### end transport/30_exim4-config_procmail_pipe +##################################################### +##################################################### +### transport/30_exim4-config_remote_smtp +##################################################### + +### transport/30_exim4-config_remote_smtp +################################# +# This transport is used for delivering messages over SMTP connections. 
+ +remote_smtp: + debug_print = "T: remote_smtp for $local_part@$domain" + driver = smtp +.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS + hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS +.endif +.ifdef REMOTE_SMTP_HEADERS_REWRITE + headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE +.endif +.ifdef REMOTE_SMTP_RETURN_PATH + return_path = REMOTE_SMTP_RETURN_PATH +.endif +.ifdef REMOTE_SMTP_HELO_DATA + helo_data=REMOTE_SMTP_HELO_DATA +.endif +.ifdef DKIM_DOMAIN +dkim_domain = DKIM_DOMAIN +.endif +.ifdef DKIM_SELECTOR +dkim_selector = DKIM_SELECTOR +.endif +.ifdef DKIM_PRIVATE_KEY +dkim_private_key = DKIM_PRIVATE_KEY +.endif +.ifdef DKIM_CANON +dkim_canon = DKIM_CANON +.endif +.ifdef DKIM_STRICT +dkim_strict = DKIM_STRICT +.endif +.ifdef DKIM_SIGN_HEADERS +dkim_sign_headers = DKIM_SIGN_HEADERS +.endif +.ifdef TLS_DH_MIN_BITS +tls_dh_min_bits = TLS_DH_MIN_BITS +.endif +.ifdef REMOTE_SMTP_TLS_CERTIFICATE +tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE +.endif +.ifdef REMOTE_SMTP_PRIVATEKEY +tls_privatekey = REMOTE_SMTP_PRIVATEKEY +.endif +##################################################### +### end transport/30_exim4-config_remote_smtp +##################################################### +##################################################### +### transport/30_exim4-config_remote_smtp_smarthost +##################################################### + +### transport/30_exim4-config_remote_smtp_smarthost +################################# + +# This transport is used for delivering messages over SMTP connections +# to a smarthost. The local host tries to authenticate. +# This transport is used for smarthost and satellite configurations. 
+ +remote_smtp_smarthost: + debug_print = "T: remote_smtp_smarthost for $local_part@$domain" + driver = smtp + hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \ + {\ + ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\ + }\ + {} \ + } +.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS + hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS +.endif +.ifdef REMOTE_SMTP_HEADERS_REWRITE + headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE +.endif +.ifdef REMOTE_SMTP_RETURN_PATH + return_path = REMOTE_SMTP_RETURN_PATH +.endif +.ifdef REMOTE_SMTP_HELO_DATA + helo_data=REMOTE_SMTP_HELO_DATA +.endif +.ifdef TLS_DH_MIN_BITS +tls_dh_min_bits = TLS_DH_MIN_BITS +.endif +.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE +tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE +.endif +.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY +tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY +.endif +##################################################### +### end transport/30_exim4-config_remote_smtp_smarthost +##################################################### +##################################################### +### transport/35_exim4-config_address_directory +##################################################### +# This transport is used for handling file addresses generated by alias +# or .forward files if the path ends in "/", which causes it to be treated +# as a directory name rather than a file name. 
+ +address_directory: + debug_print = "T: address_directory for $local_part@$domain" + driver = appendfile + delivery_date_add + envelope_to_add + return_path_add + check_string = "" + escape_string = "" + maildir_format + +##################################################### +### end transport/35_exim4-config_address_directory +##################################################### +##################################################### +### retry/00_exim4-config_header +##################################################### + +###################################################################### +# RETRY CONFIGURATION # +###################################################################### + +begin retry + +##################################################### +### end retry/00_exim4-config_header +##################################################### +##################################################### +### retry/30_exim4-config +##################################################### + +### retry/30_exim4-config +################################# + +# This single retry rule applies to all domains and all errors. It specifies +# retries every 15 minutes for 2 hours, then increasing retry intervals, +# starting at 1 hour and increasing each time by a factor of 1.5, up to 16 +# hours, then retries every 6 hours until 4 days have passed since the first +# failed delivery. + +# Please note that these rules only limit the frequency of retries, the +# effective retry-time depends on the frequency of queue-running, too. +# See QUEUEINTERVAL in /etc/default/exim4. 
+ +# Address or Domain Error Retries +# ----------------- ----- ------- + +* * F,2h,15m; G,16h,1h,1.5; F,4d,6h + +##################################################### +### end retry/30_exim4-config +##################################################### +##################################################### +### rewrite/00_exim4-config_header +##################################################### + +###################################################################### +# REWRITE CONFIGURATION # +###################################################################### + +begin rewrite + +##################################################### +### end rewrite/00_exim4-config_header +##################################################### +##################################################### +### rewrite/31_exim4-config_rewriting +##################################################### + +### rewrite/31_exim4-config_rewriting +################################# + +# This rewriting rule is particularily useful for dialup users who +# don't have their own domain, but could be useful for anyone. 
+# It looks up the real address of all local users in a file +.ifndef NO_EAA_REWRITE_REWRITE +*@+local_domains "${lookup{${local_part}}lsearch{/etc/email-addresses}\ + {$value}fail}" Ffrs +# identical rewriting rule for /etc/mailname +*@ETC_MAILNAME "${lookup{${local_part}}lsearch{/etc/email-addresses}\ + {$value}fail}" Ffrs +.endif + + +##################################################### +### end rewrite/31_exim4-config_rewriting +##################################################### +##################################################### +### auth/00_exim4-config_header +##################################################### + +###################################################################### +# AUTHENTICATION CONFIGURATION # +###################################################################### + +begin authenticators + + +##################################################### +### end auth/00_exim4-config_header +##################################################### +##################################################### +### auth/30_exim4-config_examples +##################################################### + +### auth/30_exim4-config_examples +################################# + +# The examples below are for server side authentication, when the +# local exim is SMTP server and clients authenticate to the local exim. + +# They allow two styles of plain-text authentication against an +# CONFDIR/passwd file whose syntax is described in exim4_passwd(5). + +# Hosts that are allowed to use AUTH are defined by the +# auth_advertise_hosts option in the main configuration. The default is +# "*", which allows authentication to all hosts over all kinds of +# connections if there is at least one authenticator defined here. +# Authenticators which rely on unencrypted clear text passwords don't +# advertise on unencrypted connections by default. Thus, it might be +# wise to set up TLS to allow encrypted connections. 
If TLS cannot be +# used for some reason, you can set AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to +# advertise unencrypted clear text password based authenticators on all +# connections. As this is severely reducing security, using TLS is +# preferred over allowing clear text password based authenticators on +# unencrypted connections. + +# PLAIN authentication has no server prompts. The client sends its +# credentials in one lump, containing an authorization ID (which we do not +# use), an authentication ID, and a password. The latter two appear as +# $auth2 and $auth3 in the configuration and should be checked against a +# valid username and password. In a real configuration you would typically +# use $auth2 as a lookup key, and compare $auth3 against the result of the +# lookup, perhaps using the crypteq{}{} condition. + +# plain_server: +# driver = plaintext +# public_name = PLAIN +# server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" +# server_set_id = $auth2 +# server_prompts = : +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# LOGIN authentication has traditional prompts and responses. There is no +# authorization ID in this mechanism, so unlike PLAIN the username and +# password are $auth1 and $auth2. Apart from that you can use the same +# server_condition setting for both authenticators. 
+ +# login_server: +# driver = plaintext +# public_name = LOGIN +# server_prompts = "Username:: : Password::" +# server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif +# +# cram_md5_server: +# driver = cram_md5 +# public_name = CRAM-MD5 +# server_secret = ${extract{2}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}fail}}} +# server_set_id = $auth1 + +# Here is an example of CRAM-MD5 authentication against PostgreSQL: +# +# psqldb_auth_server: +# driver = cram_md5 +# public_name = CRAM-MD5 +# server_secret = ${lookup pgsql{SELECT pw FROM users WHERE username = '${quote_pgsql:$auth1}'}{$value}fail} +# server_set_id = $auth1 + +# Authenticate against local passwords using sasl2-bin +# Requires exim_uid to be a member of sasl group, see README.Debian.gz +# plain_saslauthd_server: +# driver = plaintext +# public_name = PLAIN +# server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}} +# server_set_id = $auth2 +# server_prompts = : +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif +# +# login_saslauthd_server: +# driver = plaintext +# public_name = LOGIN +# server_prompts = "Username:: : Password::" +# # don't send system passwords over unencrypted connections +# server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}} +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif +# +# ntlm_sasl_server: +# driver = cyrus_sasl +# public_name = NTLM +# server_realm = +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif +# +# digest_md5_sasl_server: +# driver = cyrus_sasl +# public_name = DIGEST-MD5 +# server_realm = 
+# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# Authentcate against cyrus-sasl +# This is mainly untested, please report any problems to +# pkg-exim4-users@lists.alioth.debian.org. +# cram_md5_sasl_server: +# driver = cyrus_sasl +# public_name = CRAM-MD5 +# server_realm = +# server_set_id = $auth1 +# +# plain_sasl_server: +# driver = cyrus_sasl +# public_name = PLAIN +# server_realm = +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif +# +# login_sasl_server: +# driver = cyrus_sasl +# public_name = LOGIN +# server_realm = +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# Authenticate against courier authdaemon + +# This is now the (working!) example from +# http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730 +# Possible pitfall: access rights on /var/run/courier/authdaemon/socket. 
+# plain_courier_authdaemon: +# driver = plaintext +# public_name = PLAIN +# server_condition = \ +# ${extract {ADDRESS} \ +# {${readsocket{/var/run/courier/authdaemon/socket} \ +# {AUTH ${strlen:exim\nlogin\n$auth2\n$auth3\n}\nexim\nlogin\n$auth2\n$auth3\n} }} \ +# {yes} \ +# fail} +# server_set_id = $auth2 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# login_courier_authdaemon: +# driver = plaintext +# public_name = LOGIN +# server_prompts = Username:: : Password:: +# server_condition = \ +# ${extract {ADDRESS} \ +# {${readsocket{/var/run/courier/authdaemon/socket} \ +# {AUTH ${strlen:exim\nlogin\n$auth1\n$auth2\n}\nexim\nlogin\n$auth1\n$auth2\n} }} \ +# {yes} \ +# fail} +# server_set_id = $auth1 +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +# This one is a bad hack to support the broken version 4.xx of +# Microsoft Outlook Express which violates the RFCs by demanding +# "250-AUTH=" instead of "250-AUTH ". +# If your list of offered authenticators is other than PLAIN and LOGIN, +# you need to adapt the public_name line manually. +# It has to be the last authenticator to work and has not been tested +# well. Use at your own risk. +# See the thread entry point from +# http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050214/msg00213.html +# for the related discussion on the exim-users mailing list. +# Thanks to Fred Viles for this great work. + +# support_broken_outlook_express_4_server: +# driver = plaintext +# public_name = "\r\n250-AUTH=PLAIN LOGIN" +# server_prompts = User Name : Password +# server_condition = no +# .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +# .endif + +############## +# See /usr/share/doc/exim4-base/README.Debian.gz +############## + +# These examples below are the equivalent for client side authentication. 
+# They get the passwords from CONFDIR/passwd.client, whose format is +# defined in exim4_passwd_client(5) + +# Because AUTH PLAIN and AUTH LOGIN send the password in clear, we +# only allow these mechanisms over encrypted connections by default. +# You can set AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS to allow unencrypted +# clear text password authentication on all connections. + +cram_md5: + driver = cram_md5 + public_name = CRAM-MD5 + client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}} + client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}}} + +# this returns the matching line from passwd.client and doubles all ^ +PASSWDLINE=${sg{\ + ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\ + }\ + {\\N[\\^]\\N}\ + {^^}\ + } + +plain: + driver = plaintext + public_name = PLAIN +.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS + client_send = "<; ${if !eq{$tls_out_cipher}{}\ + {^${extract{1}{:}{PASSWDLINE}}\ + ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\ + }fail}" +.else + client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\ + ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" +.endif + +login: + driver = plaintext + public_name = LOGIN +.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS + # Return empty string if not non-TLS AND looking up $host in passwd-file + # yields a non-empty string; fail otherwise. + client_send = "<; ${if and{\ + {!eq{$tls_out_cipher}{}}\ + {!eq{PASSWDLINE}{}}\ + }\ + {}fail}\ + ; ${extract{1}{::}{PASSWDLINE}}\ + ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" +.else + # Return empty string if looking up $host in passwd-file yields a + # non-empty string; fail otherwise. + client_send = "<; ${if !eq{PASSWDLINE}{}\ + {}fail}\ + ; ${extract{1}{::}{PASSWDLINE}}\ + ; ${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}" +.endif +##################################################### +### end auth/30_exim4-config_examples +##################################################### 
diff --git a/exim4/passwd.client b/exim4/passwd.client
new file mode 100644
index 0000000..2f06b8d
--- /dev/null
+++ b/exim4/passwd.client
@@ -0,0 +1,7 @@
+# password file used when the local exim is authenticating to a remote
+# host as a client.
+#
+# see exim4_passwd_client(5) for more documentation
+#
+# Example:
+### target.mail.server.example:login:password
diff --git a/exim4/update-exim4.conf.conf b/exim4/update-exim4.conf.conf
new file mode 100644
index 0000000..f6fc575
--- /dev/null
+++ b/exim4/update-exim4.conf.conf
@@ -0,0 +1,31 @@
+# /etc/exim4/update-exim4.conf.conf
+#
+# Edit this file and /etc/mailname by hand and execute update-exim4.conf
+# yourself or use 'dpkg-reconfigure exim4-config'
+#
+# Please note that this is _not_ a dpkg-conffile and that automatic changes
+# to this file might happen. The code handling this will honor your local
+# changes, so this is usually fine, but will break local schemes that mess
+# around with multiple versions of the file.
+#
+# update-exim4.conf uses this file to determine variable values to generate
+# exim configuration macros for the configuration file.
+#
+# Most settings found in here do have corresponding questions in the
+# Debconf configuration, but not all of them.
+#
+# This is a Debian specific file
+
+dc_eximconfig_configtype='local'
+dc_other_hostnames='ns1.uhu-banane.de'
+dc_local_interfaces='127.0.0.1 ; ::1'
+dc_readhost=''
+dc_relay_domains=''
+dc_minimaldns='false'
+dc_relay_nets=''
+dc_smarthost=''
+CFILEMODE='644'
+dc_use_split_config='false'
+dc_hide_mailname=''
+dc_mailname_in_oh='true'
+dc_localdelivery='mail_spool'
diff --git a/fail2ban/action.d/apf.conf b/fail2ban/action.d/apf.conf
new file mode 100644
index 0000000..5c4a261
--- /dev/null
+++ b/fail2ban/action.d/apf.conf
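Review bot: exim4/passwd.client is now tracked by etckeeper, and its own header says it stores the login and password the local exim uses against remote hosts, in clear text. It holds only a commented example today, but the first real entry will be committed with the next etckeeper run and stay in history. The commit header suggests this repository is browsable over a web front end, so history is a realistic exposure path. Add `exim4/passwd.client` to `/etc/.gitignore` before any credential is written, or keep the credentials outside the tracked tree. It is also worth confirming that the mode recorded for this file in `.etckeeper` keeps it unreadable to ordinary users.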
@@ -0,0 +1,25 @@
+# Fail2Ban configuration file
+# https://www.rfxn.com/projects/advanced-policy-firewall/
+#
+# Note: APF doesn't play nicely with other actions. It has been observed to
+# remove bans created by other iptables based actions. If you are going to use
+# this action, use it for all of your jails.
+#
+# DON'T MIX APF and other IPTABLES based actions
+[Definition]
+
+actionstart =
+actionstop =
+actioncheck =
+actionban = apf --deny "banned by Fail2Ban "
+actionunban = apf --remove
+
+[Init]
+
+# Name used in APF configuration
+#
+name = default
+
+# DEV NOTES:
+#
+# Author: Mark McKinstry
diff --git a/fail2ban/action.d/badips.conf b/fail2ban/action.d/badips.conf
new file mode 100644
index 0000000..4a5c0f9
--- /dev/null
+++ b/fail2ban/action.d/badips.conf
@@ -0,0 +1,19 @@
+# Fail2ban reporting to badips.com
+#
+# Note: This reports and IP only and does not actually ban traffic. Use
+# another action in the same jail if you want bans to occur.
+#
+# Set the category to the appropriate value before use.
+#
+# To get see register and optional key to get personalised graphs see:
+# http://www.badips.com/blog/personalized-statistics-track-the-attackers-of-all-your-servers-with-one-key
+
+[Definition]
+
+actionban = curl --fail --user-agent "fail2ban v0.8.12" http://www.badips.com/add//
+
+[Init]
+
+# Option: category
+# Notes.: Values are from the list here: http://www.badips.com/get/categories
+category =
diff --git a/fail2ban/action.d/blocklist_de.conf b/fail2ban/action.d/blocklist_de.conf
new file mode 100644
index 0000000..d4170ca
--- /dev/null
+++ b/fail2ban/action.d/blocklist_de.conf
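Review bot: The `actionban` in badips.conf submits every report with `curl` to an `http://` URL, so the reported address and category travel unencrypted and anyone on the path can read, drop or alter them. If the service accepts TLS, switch the URL to its `https://` form. The call also sets no time limit, so a slow endpoint holds up the ban action; adding `--max-time` with a small value bounds that. The URL as shown ends in `add//`, which suggests the page rendering stripped the tag placeholders, so check the proposal against the file on disk.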
@@ -0,0 +1,86 @@
+# Fail2Ban configuration file
+#
+# Author: Steven Hiscocks
+#
+#
+
+# Action to report IP address to blocklist.de
+# Blocklist.de must be signed up to at www.blocklist.de
+# Once registered, one or more servers can be added.
+# This action requires the server 'email address' and the assoicate apikey.
+#
+# From blocklist.de:
+# www.blocklist.de is a free and voluntary service provided by a
+# Fraud/Abuse-specialist, whose servers are often attacked on SSH-,
+# Mail-Login-, FTP-, Webserver- and other services.
+# The mission is to report all attacks to the abuse deparments of the
+# infected PCs/servers to ensure that the responsible provider can inform
+# the customer about the infection and disable them
+#
+# IMPORTANT:
+#
+# Reporting an IP of abuse is a serious complaint. Make sure that it is
+# serious. Fail2ban developers and network owners recommend you only use this
+# action for:
+# * The recidive where the IP has been banned multiple times
+# * Where maxretry has been set quite high, beyond the normal user typing
+# password incorrectly.
+# * For filters that have a low likelyhood of receiving human errors
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart =
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop =
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = curl --fail --data-urlencode 'server=' --data 'apikey=' --data 'service=' --data 'ip=' --data-urlencode 'logs=' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html" + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = + +[Init] + +# Option: email +# Notes server email address, as per blocklise.de account +# Values: STRING Default: None +# +#email = + +# Option: apikey +# Notes your user blocklist.de user account apikey +# Values: STRING Default: None +# +#apikey = + +# Option: service +# Notes service name you are reporting on, typically aligns with filter name +# see http://www.blocklist.de/en/httpreports.html for full list +# Values: STRING Default: None +# +#service = diff --git a/fail2ban/action.d/bsd-ipfw.conf b/fail2ban/action.d/bsd-ipfw.conf new file mode 100644 index 0000000..1285361 --- /dev/null +++ b/fail2ban/action.d/bsd-ipfw.conf @@ -0,0 +1,83 @@ +# Fail2Ban configuration file +# +# Author: Nick Munger +# Modified by: Ken Menzel +# Daniel Black (start/stop) +# Fabian Wenk (many ideas as per fail2ban users list) +# +# Ensure firewall_enable="YES" in the top of /etc/rc.conf +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = ipfw show | fgrep -q 'table()' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
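Review bot: The `actionban` curl call in blocklist_de.conf passes the account key as `--data 'apikey=…'` on the command line, where any local user can read it from the process list while the request runs. Let curl read the field from a root-only file instead, e.g. `--data @/PATH/TO/apikey-field` (placeholder path), with the file holding the `apikey=VALUE` pair. The `[Init]` section expects `email` and `apikey` to be set under /etc, which etckeeper commits. Put the real values in an untracked or git-ignored override rather than in this tracked file.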
else exit b }'; num=$?; ipfw -q add $num from table\(
\) to me ; echo $num > "" ) + + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = [ ! -f ] || ( read num < ""
ipfw -q delete $num
rm "" ) + + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +# requires an ipfw rule like "deny ip from table(1) to me" +actionban = ipfw table
add + + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = ipfw table
delete + +[Init] +# Option: table +# Notes: The ipfw table to use. If a ipfw rule using this table already exists, +# this action will not create a ipfw rule to block it and the following +# options will have no effect. +# Values: NUM +table = 1 + +# Option: port +# Notes.: Specifies port to monitor. Blank indicate block all ports. +# Values: [ NUM | STRING ] +# +port = + +# Option: startstatefile +# Notes: A file to indicate that the table rule that was added. Ensure it is unique per table. +# Values: STRING +startstatefile = /var/run/fail2ban/ipfw-started-table_
+ +# Option: block +# Notes: This is how much to block. +# Can be "ip", "tcp", "udp" or various other options. +# Values: STRING +block = ip + +# Option: blocktype +# Notes.: How to block the traffic. Use a action from man 5 ipfw +# Common values: deny, unreach port, reset +# ACTION defination at the top of man ipfw for allowed values. +# Values: STRING +# +blocktype = unreach port diff --git a/fail2ban/action.d/complain.conf b/fail2ban/action.d/complain.conf new file mode 100644 index 0000000..c017583 --- /dev/null +++ b/fail2ban/action.d/complain.conf 
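Review bot: `actionstart` in bsd-ipfw.conf returns the chosen ipfw rule number from awk through its exit status (`exit e` / `exit b`, then `num=$?`), and an exit status only carries 0–255. Whenever the computed number is larger, the value wraps, and the blocking rule is added at a different position in the ruleset than intended. The same wrapped number is written to the state file that `actionstop` later uses for `ipfw -q delete`. Print the number and capture it instead: `END { print (e ? e : b) }` with `num=$(ipfw show | awk '…')`. `actionstop` also tests `[ ! -f ]` without the quoting used on the following `read` and `rm`; several tag placeholders appear to have been stripped by the page rendering, so check against the file on disk.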
@@ -0,0 +1,94 @@ +# Fail2Ban configuration file +# +# Author: Russell Odom , Daniel Black +# Sends a complaint e-mail to addresses listed in the whois record for an +# offending IP address. +# This uses the https://abusix.com/contactdb.html to lookup abuse contacts. +# +# DEPENDANCIES: +# This requires the dig command from bind-utils +# +# You should provide the in the jail config - lines from the log +# matching the given IP address will be provided in the complaint as evidence. +# +# WARNING +# ------- +# +# Please do not use this action unless you are certain that fail2ban +# does not result in "false positives" for your deployment. False +# positive reports could serve a mis-favor to the original cause by +# flooding corresponding contact addresses, and complicating the work +# of administration personnel responsible for handling (verified) legit +# complains. +# +# Please consider using e.g. sendmail-whois-lines.conf action which +# would send the reports with relevant information to you, so the +# report could be first reviewed and then forwarded to a corresponding +# contact if legit. +# + + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = oifs=${IFS}; IFS=.;SEP_IP=( ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs} + IP= + if [ ! 
-z "$ADDRESSES" ]; then + (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep -E '(^|[^0-9])([^0-9]|$)' ) | "Abuse from " ${ADDRESSES//,/\" \"} + fi + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = + +[Init] +message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban.\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n + +# Path to the log files which contain relevant lines for the abuser IP +# +logpath = /dev/null + +# Option: mailcmd +# Notes.: Your system mail command. Is passed 2 args: subject and recipient +# Values: CMD +# +mailcmd = mail -s + +# Option: mailargs +# Notes.: Additional arguments to mail command. e.g. 
for standard Unix mail: +# CC reports to another address: +# -c me@example.com +# Appear to come from a different address - the '--' indicates +# arguments to be passed to Sendmail: +# -- -f me@example.com +# Values: [ STRING ] +# +mailargs = + diff --git a/fail2ban/action.d/dshield.conf b/fail2ban/action.d/dshield.conf new file mode 100644 index 0000000..a004198 --- /dev/null +++ b/fail2ban/action.d/dshield.conf 
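Review bot: In complain.conf's `actionban`, `ADDRESSES` is filled from a remote DNS TXT answer (`dig +short -t txt … abuse-contacts.abusix.org`) and expanded unquoted into the mail command as `${ADDRESSES//,/\" \"}`. The content of that answer therefore decides which words the mailer receives: a value starting with `-` is parsed as an option, and whitespace or glob characters split or expand. Check the value against a plain address-list pattern and skip the report when it does not match. Place `--` before the recipients if the configured `mailcmd` supports it. `[ ! -z "$ADDRESSES" ]` is clearer as `[ -n "$ADDRESSES" ]`.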
@@ -0,0 +1,204 @@ +# Fail2Ban configuration file +# +# Author: Russell Odom +# Submits attack reports to DShield (http://www.dshield.org/) +# +# You MUST configure at least: +# (the port that's being attacked - use number not name). +# +# You SHOULD also provide: +# (your public IP address, if it's not the address of eth0) +# (your DShield userID, if you have one - recommended, but reports will +# be used anonymously if not) +# (the protocol in use - defaults to tcp) +# +# Best practice is to provide and in jail.conf like this: +# action = dshield[port=1234,protocol=tcp] +# +# ...and create "dshield.local" with contents something like this: +# [Init] +# myip = 10.0.0.1 +# userid = 12345 +# +# Other useful configuration values are (you can use for specifying +# a different sender address for the report e-mails, which should match what is +# configured at DShield), and // (to +# configure how often the buffer is flushed). +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = if [ -f .buffer ]; then + cat .buffer | "FORMAT DSHIELD USERID TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" + date +%%s > .lastsent + fi + rm -f .buffer .first + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +# See http://www.dshield.org/specs.html for more on report format/notes +# +# Note: We are currently using