From 0c1fa44113b3f5d4e77c9179c78096f05d3428c7 Mon Sep 17 00:00:00 2001 
From: Frank Brehm Date: Thu, 8 Apr 2021 22:05:25 +0200 Subject: [PATCH] saving uncommitted changes in /etc prior to apt run --- .etckeeper | 134 +- amavis/conf.d/50-user | 663 +++++- amavis/conf.d/50-user.2021.04.08.22.02.11 | 13 + clamav/clamd.conf | 3 +- clamav/clamd.conf.2021.04.08.22.02.11 | 87 + clamav/freshclam.conf.2021.04.08.22.02.11 | 28 + default/spamassassin | 2 +- dovecot/dovecot-last-login.conf | 50 + dovecot/dovecot-master-users | 0 dovecot/dovecot-mysql.conf | 28 + dovecot/dovecot-share-folder.conf | 22 + dovecot/dovecot-used-quota.conf | 13 + dovecot/dovecot.conf | 588 ++++- dovecot/dovecot.conf.2021.04.08.22.02.11 | 102 + group | 11 +- group- | 8 +- gshadow | 11 +- gshadow- | 8 +- iredmail-release | 2 + logrotate.d/dovecot | 13 + logrotate.d/iredapd | 13 + logrotate.d/mlmmjadmin | 13 + logrotate.d/netdata | 12 + logrotate.d/php7.3-fpm | 22 +- mysql/my.cnf | 24 +- mysql/my.cnf.2021.04.08.22.02.11 | 23 + netdata | 1 + nginx/conf-available/0-general.conf | 1 + nginx/conf-available/cache.conf | 8 + .../conf-available/client_max_body_size.conf | 1 + nginx/conf-available/default_type.conf | 1 + nginx/conf-available/gzip.conf | 41 + nginx/conf-available/headers.conf | 7 + nginx/conf-available/log.conf | 2 + nginx/conf-available/mime_types.conf | 1 + nginx/conf-available/php_fpm.conf | 3 + nginx/conf-available/sendfile.conf | 1 + nginx/conf-available/server_tokens.conf | 2 + nginx/conf-available/types_hash_max_size.conf | 1 + nginx/conf-enabled/0-general.conf | 1 + nginx/conf-enabled/cache.conf | 1 + nginx/conf-enabled/client_max_body_size.conf | 1 + nginx/conf-enabled/default_type.conf | 1 + nginx/conf-enabled/gzip.conf | 1 + nginx/conf-enabled/headers.conf | 1 + nginx/conf-enabled/log.conf | 1 + nginx/conf-enabled/mime_types.conf | 1 + nginx/conf-enabled/php_fpm.conf | 1 + nginx/conf-enabled/sendfile.conf | 1 + nginx/conf-enabled/server_tokens.conf | 1 + nginx/conf-enabled/types_hash_max_size.conf | 1 + nginx/netdata.users | 1 + nginx/nginx.conf | 83 +- 
nginx/nginx.conf.2021.04.08.22.02.11 | 85 + .../default | 0 nginx/sites-available/00-default-ssl.conf | 21 + nginx/sites-available/00-default.conf | 14 + .../default | 0 nginx/sites-enabled/00-default-ssl.conf | 1 + nginx/sites-enabled/00-default.conf | 1 + nginx/templates/adminer.tmpl | 46 + nginx/templates/fastcgi_php.tmpl | 17 + nginx/templates/hsts.tmpl | 17 + nginx/templates/iredadmin-subdomain.tmpl | 16 + nginx/templates/iredadmin.tmpl | 35 + nginx/templates/misc.tmpl | 15 + nginx/templates/netdata-subdomain.tmpl | 22 + nginx/templates/netdata.tmpl | 27 + nginx/templates/php-catchall.tmpl | 6 + nginx/templates/redirect_to_https.tmpl | 5 + nginx/templates/roundcube-subdomain.tmpl | 26 + nginx/templates/roundcube.tmpl | 30 + nginx/templates/sogo-subdomain.tmpl | 65 + nginx/templates/sogo.tmpl | 60 + nginx/templates/ssl.tmpl | 21 + nginx/templates/stub_status.tmpl | 15 + passwd | 5 + passwd- | 6 +- php/7.3/fpm/php-fpm.conf | 8 +- php/7.3/fpm/php.ini | 14 +- php/7.3/fpm/php.ini.2021.04.08.22.02.11 | 1939 +++++++++++++++++ php/7.3/fpm/pool.d/www.conf | 443 +--- .../fpm/pool.d/www.conf.2021.04.08.22.02.11 | 439 ++++ postfix/aliases | 10 + postfix/aliases.db | Bin 0 -> 12288 bytes postfix/body_checks.pcre | 0 postfix/command_filter.pcre | 3 + postfix/disclaimer/default.txt | 2 + postfix/header_checks | 0 postfix/helo_access.pcre | 182 ++ postfix/helo_access.pcre.2021.04.08.22.02.11 | 0 postfix/main.cf | 382 +++- postfix/main.cf.2021.04.08.22.02.11 | 48 + postfix/master.cf | 164 +- postfix/master.cf.2021.04.08.22.02.11 | 127 ++ postfix/mysql/catchall_maps.cf | 5 + postfix/mysql/domain_alias_catchall_maps.cf | 5 + postfix/mysql/domain_alias_maps.cf | 5 + postfix/mysql/recipient_bcc_maps_domain.cf | 5 + postfix/mysql/recipient_bcc_maps_user.cf | 5 + postfix/mysql/relay_domains.cf | 5 + postfix/mysql/sender_bcc_maps_domain.cf | 5 + postfix/mysql/sender_bcc_maps_user.cf | 5 + .../mysql/sender_dependent_relayhost_maps.cf | 6 + postfix/mysql/sender_login_maps.cf | 5 + 
postfix/mysql/transport_maps_domain.cf | 5 + postfix/mysql/transport_maps_maillist.cf | 5 + postfix/mysql/transport_maps_user.cf | 5 + postfix/mysql/virtual_alias_maps.cf | 5 + postfix/mysql/virtual_mailbox_domains.cf | 5 + postfix/mysql/virtual_mailbox_maps.cf | 5 + postfix/postscreen_access.cidr | 6 + postfix/postscreen_dnsbl_reply | 0 postfix/sender_access.pcre | 0 rsyslog.d/1-iredmail-dovecot.conf | 23 + rsyslog.d/1-iredmail-iredapd.conf | 12 + rsyslog.d/1-iredmail-mlmmjadmin.conf | 12 + rsyslog.d/1-iredmail-phpfpm.conf | 3 + shadow | 5 + shadow- | 4 + spamassassin/local.cf | 275 ++- spamassassin/local.cf.2021.04.08.22.02.11 | 89 + spamassassin/razor.conf | 1 + ssl/certs/iRedMail.crt | 36 + ssl/dh2048_param.pem | 8 + ssl/dh512_param.pem | 4 + ssl/private/iRedMail.key | 52 + subgid | 5 + subgid- | 5 + subuid | 5 + subuid- | 5 + sysctl.conf | 3 + .../system/mariadb.service.d/override.conf | 3 + .../multi-user.target.wants/iredadmin.service | 1 + .../multi-user.target.wants/iredapd.service | 1 + .../mlmmjadmin.service | 1 + .../multi-user.target.wants/netdata.service | 1 + systemd/system/netdata.service.d/limits.conf | 2 + 138 files changed, 6212 insertions(+), 807 deletions(-) create mode 100644 amavis/conf.d/50-user.2021.04.08.22.02.11 create mode 100644 clamav/clamd.conf.2021.04.08.22.02.11 create mode 100644 clamav/freshclam.conf.2021.04.08.22.02.11 create mode 100755 dovecot/dovecot-last-login.conf create mode 100755 dovecot/dovecot-master-users create mode 100755 dovecot/dovecot-mysql.conf create mode 100755 dovecot/dovecot-share-folder.conf create mode 100755 dovecot/dovecot-used-quota.conf create mode 100644 dovecot/dovecot.conf.2021.04.08.22.02.11 create mode 100644 iredmail-release create mode 100644 logrotate.d/dovecot create mode 100644 logrotate.d/iredapd create mode 100644 logrotate.d/mlmmjadmin create mode 100644 logrotate.d/netdata mode change 120000 => 100644 mysql/my.cnf create mode 100644 mysql/my.cnf.2021.04.08.22.02.11 create mode 120000 
netdata create mode 100644 nginx/conf-available/0-general.conf create mode 100644 nginx/conf-available/cache.conf create mode 100644 nginx/conf-available/client_max_body_size.conf create mode 100644 nginx/conf-available/default_type.conf create mode 100644 nginx/conf-available/gzip.conf create mode 100644 nginx/conf-available/headers.conf create mode 100644 nginx/conf-available/log.conf create mode 100644 nginx/conf-available/mime_types.conf create mode 100644 nginx/conf-available/php_fpm.conf create mode 100644 nginx/conf-available/sendfile.conf create mode 100644 nginx/conf-available/server_tokens.conf create mode 100644 nginx/conf-available/types_hash_max_size.conf create mode 120000 nginx/conf-enabled/0-general.conf create mode 120000 nginx/conf-enabled/cache.conf create mode 120000 nginx/conf-enabled/client_max_body_size.conf create mode 120000 nginx/conf-enabled/default_type.conf create mode 120000 nginx/conf-enabled/gzip.conf create mode 120000 nginx/conf-enabled/headers.conf create mode 120000 nginx/conf-enabled/log.conf create mode 120000 nginx/conf-enabled/mime_types.conf create mode 120000 nginx/conf-enabled/php_fpm.conf create mode 120000 nginx/conf-enabled/sendfile.conf create mode 120000 nginx/conf-enabled/server_tokens.conf create mode 120000 nginx/conf-enabled/types_hash_max_size.conf create mode 100644 nginx/netdata.users create mode 100644 nginx/nginx.conf.2021.04.08.22.02.11 rename nginx/{sites-available => sites-available.bak}/default (100%) create mode 100644 nginx/sites-available/00-default-ssl.conf create mode 100644 nginx/sites-available/00-default.conf rename nginx/{sites-enabled => sites-enabled.bak}/default (100%) create mode 120000 nginx/sites-enabled/00-default-ssl.conf create mode 120000 nginx/sites-enabled/00-default.conf create mode 100644 nginx/templates/adminer.tmpl create mode 100644 nginx/templates/fastcgi_php.tmpl create mode 100644 nginx/templates/hsts.tmpl create mode 100644 nginx/templates/iredadmin-subdomain.tmpl create mode 
100644 nginx/templates/iredadmin.tmpl create mode 100644 nginx/templates/misc.tmpl create mode 100644 nginx/templates/netdata-subdomain.tmpl create mode 100644 nginx/templates/netdata.tmpl create mode 100644 nginx/templates/php-catchall.tmpl create mode 100644 nginx/templates/redirect_to_https.tmpl create mode 100644 nginx/templates/roundcube-subdomain.tmpl create mode 100644 nginx/templates/roundcube.tmpl create mode 100644 nginx/templates/sogo-subdomain.tmpl create mode 100644 nginx/templates/sogo.tmpl create mode 100644 nginx/templates/ssl.tmpl create mode 100644 nginx/templates/stub_status.tmpl create mode 100644 php/7.3/fpm/php.ini.2021.04.08.22.02.11 create mode 100644 php/7.3/fpm/pool.d/www.conf.2021.04.08.22.02.11 create mode 100644 postfix/aliases create mode 100644 postfix/aliases.db create mode 100644 postfix/body_checks.pcre create mode 100644 postfix/command_filter.pcre create mode 100644 postfix/disclaimer/default.txt create mode 100644 postfix/header_checks create mode 100644 postfix/helo_access.pcre create mode 100644 postfix/helo_access.pcre.2021.04.08.22.02.11 create mode 100644 postfix/main.cf.2021.04.08.22.02.11 create mode 100644 postfix/master.cf.2021.04.08.22.02.11 create mode 100644 postfix/mysql/catchall_maps.cf create mode 100644 postfix/mysql/domain_alias_catchall_maps.cf create mode 100644 postfix/mysql/domain_alias_maps.cf create mode 100644 postfix/mysql/recipient_bcc_maps_domain.cf create mode 100644 postfix/mysql/recipient_bcc_maps_user.cf create mode 100644 postfix/mysql/relay_domains.cf create mode 100644 postfix/mysql/sender_bcc_maps_domain.cf create mode 100644 postfix/mysql/sender_bcc_maps_user.cf create mode 100644 postfix/mysql/sender_dependent_relayhost_maps.cf create mode 100644 postfix/mysql/sender_login_maps.cf create mode 100644 postfix/mysql/transport_maps_domain.cf create mode 100644 postfix/mysql/transport_maps_maillist.cf create mode 100644 postfix/mysql/transport_maps_user.cf create mode 100644 
postfix/mysql/virtual_alias_maps.cf create mode 100644 postfix/mysql/virtual_mailbox_domains.cf create mode 100644 postfix/mysql/virtual_mailbox_maps.cf create mode 100644 postfix/postscreen_access.cidr create mode 100644 postfix/postscreen_dnsbl_reply create mode 100644 postfix/sender_access.pcre create mode 100644 rsyslog.d/1-iredmail-dovecot.conf create mode 100644 rsyslog.d/1-iredmail-iredapd.conf create mode 100644 rsyslog.d/1-iredmail-mlmmjadmin.conf create mode 100644 rsyslog.d/1-iredmail-phpfpm.conf create mode 100644 spamassassin/local.cf.2021.04.08.22.02.11 create mode 100644 spamassassin/razor.conf create mode 100644 ssl/certs/iRedMail.crt create mode 100644 ssl/dh2048_param.pem create mode 100644 ssl/dh512_param.pem create mode 100644 ssl/private/iRedMail.key create mode 100644 systemd/system/mariadb.service.d/override.conf create mode 120000 systemd/system/multi-user.target.wants/iredadmin.service create mode 120000 systemd/system/multi-user.target.wants/iredapd.service create mode 120000 systemd/system/multi-user.target.wants/mlmmjadmin.service create mode 120000 systemd/system/multi-user.target.wants/netdata.service create mode 100644 systemd/system/netdata.service.d/limits.conf
diff --git a/.etckeeper b/.etckeeper
index 7731562..9a95435 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -73,6 +73,7 @@ maybe chmod 0644 'amavis/conf.d/20-debian_defaults'
 maybe chmod 0644 'amavis/conf.d/25-amavis_helpers'
 maybe chmod 0644 'amavis/conf.d/30-template_localization'
 maybe chmod 0644 'amavis/conf.d/50-user'
+maybe chmod 0644 'amavis/conf.d/50-user.2021.04.08.22.02.11'
 maybe chmod 0755 'amavis/en_US'
 maybe chmod 0644 'amavis/en_US/charset'
 maybe chmod 0644 'amavis/en_US/template-auto-response.txt'
@@ -344,9 +345,11 @@ maybe chmod 0644 'chrony/chrony.conf'
 maybe chmod 0640 'chrony/chrony.keys'
 maybe chmod 0755 'clamav'
 maybe chmod 0644 'clamav/clamd.conf'
+maybe chmod 0644 'clamav/clamd.conf.2021.04.08.22.02.11'
 maybe chown 'clamav' 'clamav/freshclam.conf'
 maybe chgrp 'adm' 'clamav/freshclam.conf'
 maybe chmod 0444 'clamav/freshclam.conf'
+maybe chmod 0444 'clamav/freshclam.conf.2021.04.08.22.02.11'
 maybe chmod 0755 'clamav/onerrorexecute.d'
 maybe chmod 0755 'clamav/onupdateexecute.d'
 maybe chmod 0755 'clamav/virusevent.d'
@@ -530,9 +533,23 @@ maybe chgrp 'dovecot' 'dovecot/dovecot-dict-auth.conf.ext'
 maybe chmod 0640 'dovecot/dovecot-dict-auth.conf.ext'
 maybe chgrp 'dovecot' 'dovecot/dovecot-dict-sql.conf.ext'
 maybe chmod 0640 'dovecot/dovecot-dict-sql.conf.ext'
+maybe chown 'dovecot' 'dovecot/dovecot-last-login.conf'
+maybe chgrp 'dovecot' 'dovecot/dovecot-last-login.conf'
+maybe chmod 0500 'dovecot/dovecot-last-login.conf'
+maybe chown 'dovecot' 'dovecot/dovecot-master-users'
+maybe chgrp 'dovecot' 'dovecot/dovecot-master-users'
+maybe chmod 0500 'dovecot/dovecot-master-users'
+maybe chmod 0550 'dovecot/dovecot-mysql.conf'
+maybe chown 'dovecot' 'dovecot/dovecot-share-folder.conf'
+maybe chgrp 'dovecot' 'dovecot/dovecot-share-folder.conf'
+maybe chmod 0500 'dovecot/dovecot-share-folder.conf'
 maybe chgrp 'dovecot' 'dovecot/dovecot-sql.conf.ext'
 maybe chmod 0640 'dovecot/dovecot-sql.conf.ext'
-maybe chmod 0644 'dovecot/dovecot.conf'
+maybe chown 'dovecot' 'dovecot/dovecot-used-quota.conf'
+maybe chgrp 'dovecot' 'dovecot/dovecot-used-quota.conf'
+maybe chmod 0500 'dovecot/dovecot-used-quota.conf'
+maybe chmod 0664 'dovecot/dovecot.conf'
+maybe chmod 0644 'dovecot/dovecot.conf.2021.04.08.22.02.11'
 maybe chmod 0700 'dovecot/private'
 maybe chmod 0755 'dpkg'
 maybe chmod 0644 'dpkg/dpkg.cfg'
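Review bot: The `-maybe chmod 0644 'dovecot/dovecot.conf'` / `+maybe chmod 0664 'dovecot/dovecot.conf'` pair in the second hunk records that the main configuration of a root-run daemon has become group-writable; no `chgrp` line accompanies it, so the group is presumably root and the extra write bit is harmless today, but it is a loosening that nothing in this commit explains. Since `.etckeeper` is regenerated from the live tree, the fix belongs on the filesystem: `chmod 0644 /etc/dovecot/dovecot.conf`, after which this line reverts on the next etckeeper commit. Note also that the new `dovecot-mysql.conf` is recorded at 0550 with no owner or group line, i.e. root:root, which only works because the Dovecot master reads its config as root — if that file is ever handed to the `dovecot` user like its siblings, it needs a matching `chown`/`chgrp` rather than a wider mode. The timestamped `dovecot.conf.2021.04.08.22.02.11` copy is now tracked too and will keep its 0644 even if the live file is later tightened.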
@@ -722,6 +739,7 @@ maybe chmod 0644 'iproute2/rt_scopes'
 maybe chmod 0644 'iproute2/rt_tables'
 maybe chmod 0755 'iproute2/rt_tables.d'
 maybe chmod 0644 'iproute2/rt_tables.d/README'
+maybe chmod 0644 'iredmail-release'
 maybe chmod 0644 'issue'
 maybe chmod 0644 'issue.net'
 maybe chmod 0755 'kernel'
@@ -773,8 +791,12 @@ maybe chmod 0644 'logrotate.d/btmp'
 maybe chmod 0644 'logrotate.d/chrony'
 maybe chmod 0644 'logrotate.d/clamav-daemon'
 maybe chmod 0644 'logrotate.d/clamav-freshclam'
+maybe chmod 0644 'logrotate.d/dovecot'
 maybe chmod 0644 'logrotate.d/dpkg'
+maybe chmod 0644 'logrotate.d/iredapd'
+maybe chmod 0644 'logrotate.d/mlmmjadmin'
 maybe chmod 0644 'logrotate.d/mysql-server'
+maybe chmod 0644 'logrotate.d/netdata'
 maybe chmod 0644 'logrotate.d/nginx'
 maybe chmod 0644 'logrotate.d/php7.3-fpm'
 maybe chmod 0644 'logrotate.d/rsyslog'
@@ -833,6 +855,8 @@ maybe chmod 0644 'mysql/mariadb.conf.d/50-client.cnf'
 maybe chmod 0644 'mysql/mariadb.conf.d/50-mysql-clients.cnf'
 maybe chmod 0644 'mysql/mariadb.conf.d/50-mysqld_safe.cnf'
 maybe chmod 0644 'mysql/mariadb.conf.d/50-server.cnf'
+maybe chmod 0644 'mysql/my.cnf'
+maybe chmod 0644 'mysql/my.cnf.2021.04.08.22.02.11'
 maybe chmod 0644 'mysql/my.cnf.fallback'
 maybe chmod 0644 'nanorc'
 maybe chmod 0755 'network'
@@ -856,6 +880,20 @@ maybe chmod 0644 'network/interfaces.d/50-cloud-init'
 maybe chmod 0644 'networks'
 maybe chmod 0755 'nftables.conf'
 maybe chmod 0755 'nginx'
+maybe chmod 0755 'nginx/conf-available'
+maybe chmod 0644 'nginx/conf-available/0-general.conf'
+maybe chmod 0644 'nginx/conf-available/cache.conf'
+maybe chmod 0644 'nginx/conf-available/client_max_body_size.conf'
+maybe chmod 0644 'nginx/conf-available/default_type.conf'
+maybe chmod 0644 'nginx/conf-available/gzip.conf'
+maybe chmod 0644 'nginx/conf-available/headers.conf'
+maybe chmod 0644 'nginx/conf-available/log.conf'
+maybe chmod 0644 'nginx/conf-available/mime_types.conf'
+maybe chmod 0644 'nginx/conf-available/php_fpm.conf'
+maybe chmod 0644 'nginx/conf-available/sendfile.conf'
+maybe chmod 0644 'nginx/conf-available/server_tokens.conf'
+maybe chmod 0644 'nginx/conf-available/types_hash_max_size.conf'
+maybe chmod 0755 'nginx/conf-enabled'
 maybe chmod 0755 'nginx/conf.d'
 maybe chmod 0644 'nginx/fastcgi.conf'
 maybe chmod 0644 'nginx/fastcgi_params'
@@ -864,15 +902,40 @@ maybe chmod 0644 'nginx/koi-win'
 maybe chmod 0644 'nginx/mime.types'
 maybe chmod 0755 'nginx/modules-available'
 maybe chmod 0755 'nginx/modules-enabled'
+maybe chown 'www-data' 'nginx/netdata.users'
+maybe chgrp 'www-data' 'nginx/netdata.users'
+maybe chmod 0400 'nginx/netdata.users'
 maybe chmod 0644 'nginx/nginx.conf'
+maybe chmod 0644 'nginx/nginx.conf.2021.04.08.22.02.11'
 maybe chmod 0644 'nginx/proxy_params'
 maybe chmod 0644 'nginx/scgi_params'
 maybe chmod 0755 'nginx/sites-available'
-maybe chmod 0644 'nginx/sites-available/default'
+maybe chmod 0755 'nginx/sites-available.bak'
+maybe chmod 0644 'nginx/sites-available.bak/default'
+maybe chmod 0644 'nginx/sites-available/00-default-ssl.conf'
+maybe chmod 0644 'nginx/sites-available/00-default.conf'
 maybe chmod 0755 'nginx/sites-enabled'
+maybe chmod 0755 'nginx/sites-enabled.bak'
 maybe chmod 0755 'nginx/snippets'
 maybe chmod 0644 'nginx/snippets/fastcgi-php.conf'
 maybe chmod 0644 'nginx/snippets/snakeoil.conf'
+maybe chmod 0755 'nginx/templates'
+maybe chmod 0644 'nginx/templates/adminer.tmpl'
+maybe chmod 0644 'nginx/templates/fastcgi_php.tmpl'
+maybe chmod 0644 'nginx/templates/hsts.tmpl'
+maybe chmod 0644 'nginx/templates/iredadmin-subdomain.tmpl'
+maybe chmod 0644 'nginx/templates/iredadmin.tmpl'
+maybe chmod 0644 'nginx/templates/misc.tmpl'
+maybe chmod 0644 'nginx/templates/netdata-subdomain.tmpl'
+maybe chmod 0644 'nginx/templates/netdata.tmpl'
+maybe chmod 0644 'nginx/templates/php-catchall.tmpl'
+maybe chmod 0644 'nginx/templates/redirect_to_https.tmpl'
+maybe chmod 0644 'nginx/templates/roundcube-subdomain.tmpl'
+maybe chmod 0644 'nginx/templates/roundcube.tmpl'
+maybe chmod 0644 'nginx/templates/sogo-subdomain.tmpl'
+maybe chmod 0644 'nginx/templates/sogo.tmpl'
+maybe chmod 0644 'nginx/templates/ssl.tmpl'
+maybe chmod 0644 'nginx/templates/stub_status.tmpl'
 maybe chmod 0644 'nginx/uwsgi_params'
 maybe chmod 0644 'nginx/win-utf'
 maybe chmod 0644 'nsswitch.conf'
@@ -916,8 +979,10 @@ maybe chmod 0755 'php/7.3/fpm'
 maybe chmod 0755 'php/7.3/fpm/conf.d'
 maybe chmod 0644 'php/7.3/fpm/php-fpm.conf'
 maybe chmod 0644 'php/7.3/fpm/php.ini'
+maybe chmod 0644 'php/7.3/fpm/php.ini.2021.04.08.22.02.11'
 maybe chmod 0755 'php/7.3/fpm/pool.d'
 maybe chmod 0644 'php/7.3/fpm/pool.d/www.conf'
+maybe chmod 0644 'php/7.3/fpm/pool.d/www.conf.2021.04.08.22.02.11'
 maybe chmod 0755 'php/7.3/mods-available'
 maybe chmod 0644 'php/7.3/mods-available/calendar.ini'
 maybe chmod 0644 'php/7.3/mods-available/ctype.ini'
@@ -954,14 +1019,61 @@ maybe chmod 0644 'php/7.3/mods-available/xmlwriter.ini'
 maybe chmod 0644 'php/7.3/mods-available/xsl.ini'
 maybe chmod 0644 'php/7.3/mods-available/zip.ini'
 maybe chmod 0755 'postfix'
+maybe chmod 0644 'postfix/aliases'
+maybe chmod 0644 'postfix/aliases.db'
+maybe chgrp 'postfix' 'postfix/body_checks.pcre'
+maybe chmod 0640 'postfix/body_checks.pcre'
+maybe chmod 0644 'postfix/command_filter.pcre'
+maybe chmod 0755 'postfix/disclaimer'
+maybe chmod 0644 'postfix/disclaimer/default.txt'
 maybe chmod 0644 'postfix/dynamicmaps.cf'
 maybe chmod 0755 'postfix/dynamicmaps.cf.d'
+maybe chgrp 'postfix' 'postfix/header_checks'
+maybe chmod 0640 'postfix/header_checks'
+maybe chgrp 'postfix' 'postfix/helo_access.pcre'
+maybe chmod 0640 'postfix/helo_access.pcre'
+maybe chmod 0640 'postfix/helo_access.pcre.2021.04.08.22.02.11'
 maybe chmod 0644 'postfix/main.cf'
+maybe chmod 0644 'postfix/main.cf.2021.04.08.22.02.11'
 maybe chmod 0644 'postfix/main.cf.initial'
 maybe chmod 0644 'postfix/main.cf.proto'
 maybe chmod 0644 'postfix/master.cf'
+maybe chmod 0644 'postfix/master.cf.2021.04.08.22.02.11'
 maybe chmod 0644 'postfix/master.cf.initial'
 maybe chmod 0644 'postfix/master.cf.proto'
+maybe chmod 0755 'postfix/mysql'
+maybe chgrp 'postfix' 'postfix/mysql/catchall_maps.cf'
+maybe chmod 0640 'postfix/mysql/catchall_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/domain_alias_catchall_maps.cf'
+maybe chmod 0640 'postfix/mysql/domain_alias_catchall_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/domain_alias_maps.cf'
+maybe chmod 0640 'postfix/mysql/domain_alias_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/recipient_bcc_maps_domain.cf'
+maybe chmod 0640 'postfix/mysql/recipient_bcc_maps_domain.cf'
+maybe chgrp 'postfix' 'postfix/mysql/recipient_bcc_maps_user.cf'
+maybe chmod 0640 'postfix/mysql/recipient_bcc_maps_user.cf'
+maybe chgrp 'postfix' 'postfix/mysql/relay_domains.cf'
+maybe chmod 0640 'postfix/mysql/relay_domains.cf'
+maybe chgrp 'postfix' 'postfix/mysql/sender_bcc_maps_domain.cf'
+maybe chmod 0640 'postfix/mysql/sender_bcc_maps_domain.cf'
+maybe chgrp 'postfix' 'postfix/mysql/sender_bcc_maps_user.cf'
+maybe chmod 0640 'postfix/mysql/sender_bcc_maps_user.cf'
+maybe chgrp 'postfix' 'postfix/mysql/sender_dependent_relayhost_maps.cf'
+maybe chmod 0640 'postfix/mysql/sender_dependent_relayhost_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/sender_login_maps.cf'
+maybe chmod 0640 'postfix/mysql/sender_login_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/transport_maps_domain.cf'
+maybe chmod 0640 'postfix/mysql/transport_maps_domain.cf'
+maybe chgrp 'postfix' 'postfix/mysql/transport_maps_maillist.cf'
+maybe chmod 0640 'postfix/mysql/transport_maps_maillist.cf'
+maybe chgrp 'postfix' 'postfix/mysql/transport_maps_user.cf'
+maybe chmod 0640 'postfix/mysql/transport_maps_user.cf'
+maybe chgrp 'postfix' 'postfix/mysql/virtual_alias_maps.cf'
+maybe chmod 0640 'postfix/mysql/virtual_alias_maps.cf'
+maybe chgrp 'postfix' 'postfix/mysql/virtual_mailbox_domains.cf'
+maybe chmod 0640 'postfix/mysql/virtual_mailbox_domains.cf'
+maybe chgrp 'postfix' 'postfix/mysql/virtual_mailbox_maps.cf'
+maybe chmod 0640 'postfix/mysql/virtual_mailbox_maps.cf'
 maybe chmod 0755 'postfix/post-install'
 maybe chmod 0644 'postfix/postfix-files'
 maybe chmod 0755 'postfix/postfix-files.d'
@@ -970,7 +1082,11 @@ maybe chmod 0644 'postfix/postfix-files.d/mysql.files'
 maybe chmod 0644 'postfix/postfix-files.d/pcre.files'
 maybe chmod 0644 'postfix/postfix-files.d/sqlite.files'
 maybe chmod 0755 'postfix/postfix-script'
+maybe chmod 0644 'postfix/postscreen_access.cidr'
+maybe chmod 0644 'postfix/postscreen_dnsbl_reply'
 maybe chmod 0755 'postfix/sasl'
+maybe chgrp 'postfix' 'postfix/sender_access.pcre'
+maybe chmod 0640 'postfix/sender_access.pcre'
 maybe chmod 0755 'ppp'
 maybe chmod 0755 'ppp/ip-down.d'
 maybe chmod 0755 'ppp/ip-down.d/bind9'
@@ -1019,6 +1135,10 @@ maybe chmod 0755 'resolvconf/update-libc.d/postfix'
 maybe chmod 0644 'rpc'
 maybe chmod 0644 'rsyslog.conf'
 maybe chmod 0755 'rsyslog.d'
+maybe chmod 0644 'rsyslog.d/1-iredmail-dovecot.conf'
+maybe chmod 0644 'rsyslog.d/1-iredmail-iredapd.conf'
+maybe chmod 0644 'rsyslog.d/1-iredmail-mlmmjadmin.conf'
+maybe chmod 0644 'rsyslog.d/1-iredmail-phpfpm.conf'
 maybe chmod 0644 'rsyslog.d/21-cloudinit.conf'
 maybe chmod 0644 'rsyslog.d/60-default.conf'
 maybe chmod 0644 'rsyslog.d/60-mail.conf'
@@ -1071,6 +1191,8 @@ maybe chmod 0755 'spamassassin'
 maybe chmod 0644 'spamassassin/65_debian.cf'
 maybe chmod 0644 'spamassassin/init.pre'
 maybe chmod 0644 'spamassassin/local.cf'
+maybe chmod 0644 'spamassassin/local.cf.2021.04.08.22.02.11'
+maybe chmod 0644 'spamassassin/razor.conf'
 maybe chmod 0755 'spamassassin/sa-update-hooks.d'
 maybe chmod 0755 'spamassassin/sa-update-hooks.d/amavisd-new'
 maybe chmod 0644 'spamassassin/v310.pre'
@@ -1095,10 +1217,14 @@ maybe chmod 0644 'ssh/sshd_config'
 maybe chmod 0755 'ssl'
 maybe chmod 0755 'ssl/certs'
 maybe chmod 0644 'ssl/certs/ca-certificates.crt'
+maybe chmod 0644 'ssl/certs/iRedMail.crt'
 maybe chmod 0644 'ssl/certs/ssl-cert-snakeoil.pem'
+maybe chmod 0644 'ssl/dh2048_param.pem'
+maybe chmod 0644 'ssl/dh512_param.pem'
 maybe chmod 0644 'ssl/openssl.cnf'
 maybe chgrp 'ssl-cert' 'ssl/private'
 maybe chmod 0710 'ssl/private'
+maybe chmod 0644 'ssl/private/iRedMail.key'
 maybe chgrp 'ssl-cert' 'ssl/private/ssl-cert-snakeoil.key'
 maybe chmod 0640 'ssl/private/ssl-cert-snakeoil.key'
 maybe chmod 0644 'subgid'
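Review bot: `+maybe chmod 0644 'ssl/private/iRedMail.key'` in the last hunk records the server's TLS private key as world-readable at the file level, while the `ssl-cert-snakeoil.key` two lines below is 0640 with group ssl-cert. The parent `ssl/private` at 0710 currently stops users outside ssl-cert from reaching it, but every ssl-cert member can read the key and any later loosening of the directory exposes it outright; since this file is regenerated, fix the live tree with `chmod 0640 /etc/ssl/private/iRedMail.key` so the line comes back as `maybe chmod 0640 'ssl/private/iRedMail.key'`. The diffstat (`ssl/private/iRedMail.key | 52 +`) shows the key material itself is now committed into the etckeeper repository, so the repository's own permissions and any remote it is pushed to become a second copy of the key — add `ssl/private/` to the repository's `.gitignore` and purge the blob from history. The new `ssl/dh512_param.pem` is a 512-bit DH group; if any postfix or nginx setting still references it, switch that setting to `dh2048_param.pem` and delete the 512-bit file.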
@@ -1126,7 +1252,11 @@ maybe chmod 0755 'systemd/system/clamav-daemon.service.d'
 maybe chmod 0644 'systemd/system/clamav-daemon.service.d/extend.conf'
 maybe chmod 0755 'systemd/system/cloud-init.target.wants'
 maybe chmod 0755 'systemd/system/getty.target.wants'
+maybe chmod 0755 'systemd/system/mariadb.service.d'
+maybe chmod 0644 'systemd/system/mariadb.service.d/override.conf'
 maybe chmod 0755 'systemd/system/multi-user.target.wants'
+maybe chmod 0755 'systemd/system/netdata.service.d'
+maybe chmod 0644 'systemd/system/netdata.service.d/limits.conf'
 maybe chmod 0755 'systemd/system/network-online.target.wants'
 maybe chmod 0755 'systemd/system/sockets.target.wants'
 maybe chmod 0755 'systemd/system/sysinit.target.wants'
diff --git a/amavis/conf.d/50-user b/amavis/conf.d/50-user
index c43c6ba..4c0964c 100644
--- a/amavis/conf.d/50-user
+++ b/amavis/conf.d/50-user
@@ -1,13 +1,664 @@ use strict; +# controls running of anti-virus/spam code: 0 -> enabled, 1 -> disabled. +@bypass_virus_checks_maps = (0); +@bypass_spam_checks_maps = (0); +# $bypass_decode_parts = 1; # controls running of decoders&dearchivers + +$daemon_user = 'amavis'; +$daemon_group = 'amavis'; + +# Set hostname. +$myhostname = 'helga.uhu-banane.de'; +$mydomain = $myhostname; +$localhost_name = $myhostname; + +# +# NOTE: $MYHOME/{tmp,var,db} must be created manually +# +$MYHOME = '/var/lib/amavis'; +$TEMPBASE = '/var/lib/amavis/tmp'; # working directory, needs to exist, -T +$ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc. +$db_home = '/var/lib/amavis/db'; # dir for bdb nanny/cache/snmp databases, -D +$QUARANTINEDIR = '/var/lib/amavis/quarantine'; # -Q +$quarantine_subdir_levels = 2; # add level of subdirs to disperse quarantine +# $release_format = 'resend'; # 'attach', 'plain', 'resend' +# $report_format = 'arf'; # 'attach', 'plain', 'resend', 'arf' +# $daemon_chroot_dir = $MYHOME; # chroot directory or undef, -R +# $helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S + +$lock_file = '/var/run/amavis/amavisd.lock'; # -L +$pid_file = '/var/run/amavis/amavisd.pid'; # -P + +@local_domains_maps = 1; +@mynetworks = qw( 127.0.0.0/8 [::1] 127.0.0.1 ); + +# Socket file, used by amavisd-release or amavis-milter. 
+$unix_socketname = '/var/run/amavis/amavisd.socket'; + +# +# BDB +# +$enable_db = 0; # enable use of BerkeleyDB/libdb (SNMP and nanny) +$nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed + +$inet_socket_port = [10024, 10026, 10027, 9998]; + +$policy_bank{'MYNETS'} = { # mail originating from @mynetworks + originating => 1, # is true in MYNETS by default, but let's make it explicit + os_fingerprint_method => undef, # don't query p0f for internal clients + allow_disclaimers => 1, # enables disclaimer insertion if available + enable_dkim_signing => 1, +}; + +# Postfix will re-route mail from authenticated users to this port. +$interface_policy{'10026'} = 'ORIGINATING'; +$policy_bank{'ORIGINATING'} = { + originating => 1, # declare that mail was submitted by our smtp client + allow_disclaimers => 1, # enables disclaimer insertion if available + enable_dkim_signing => 1, + + # notify administrator of locally originating malware + spam_admin_maps => ["root\@$mydomain"], + # notify administrator of locally originating malware + virus_admin_maps => ["root\@$mydomain"], + spam_admin_maps => ["root\@$mydomain"], + bad_header_admin_maps => ["root\@$mydomain"], + banned_admin_maps => ["root\@$mydomain"], + warnbadhsender => 0, + warnbannedsender => 0, + + # force MTA conversion to 7-bit (e.g. 
before DKIM signing) + smtpd_discard_ehlo_keywords => ['8BITMIME'], + terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option + + # Bypass checks + #bypass_spam_checks_maps => [1], # don't check spam + #bypass_virus_checks_maps => [1], # don't check virus + #bypass_banned_checks_maps => [1], # don't check banned file names and types + #bypass_header_checks_maps => [1], # don't check bad header +}; + +$interface_policy{'10027'} = 'MLMMJ'; +$policy_bank{'MLMMJ'} = { + originating => 1, # declare that mail was submitted by our smtp client + allow_disclaimers => 0, # we use 'mlmmj-amime-receive' program to handle disclaimer/footer + enable_dkim_signing => 1, # enable DKIM signing for outbound + virus_admin_maps => ["root\@$mydomain"], + spam_admin_maps => ["root\@$mydomain"], + smtpd_discard_ehlo_keywords => ['8BITMIME'], + terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option + # re-inject processed email to Postfix, with address mapping enabled. + forward_method => 'smtp:[127.0.0.1]:10028', + # Amavisd performs the checks for email sent to mailing list, so no need to + # check again for outbound. 
+ bypass_spam_checks_maps => [1], # don't check spam + bypass_virus_checks_maps => [1], # don't check virus + bypass_banned_checks_maps => [1], # don't check banned file names and types + bypass_header_checks_maps => [1], # don't check bad header +}; + +$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname + +# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c +# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'): +$policy_bank{'AM.PDP-SOCK'} = { + protocol => 'AM.PDP', + auth_required_release => 0, # do not require secret_id for amavisd-release +}; + +$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level +$sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level +$sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail) +$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent +$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From +#$sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off + +$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger +$sa_local_tests_only = 0; # only tests which do not require internet access? + +$virus_admin = undef; # notifications recip. 
+ +$mailfrom_notify_admin = undef; # notifications sender +$mailfrom_notify_recip = undef; # notifications sender +$mailfrom_notify_spamadmin = undef; # notifications sender +$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef + +@addr_extension_virus_maps = ('virus'); +@addr_extension_banned_maps = ('banned'); +@addr_extension_spam_maps = ('spam'); +@addr_extension_bad_header_maps = ('badh'); +# $recipient_delimiter = '+'; # undef disables address extensions altogether +# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+ + +$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; +# $dspam = 'dspam'; + +$MAXLEVELS = 14; +$MAXFILES = 3000; +$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) +$MAX_EXPANSION_QUOTA = 500*1024*1024; # bytes (default undef, not enforced) + +# Prepend '[SPAM] ' to subject of spam message. +$sa_spam_modifies_subj = 1; +$sa_spam_subject_tag = '[SPAM] '; + +$defang_virus = 1; # MIME-wrap passed infected mail +$defang_banned = 0; # MIME-wrap passed mail containing banned name +# for defanging bad headers only turn on certain minor contents categories: +$defang_by_ccat{CC_BADH.",3"} = 1; # NUL or CR character in header +$defang_by_ccat{CC_BADH.",5"} = 1; # header line longer than 998 characters +$defang_by_ccat{CC_BADH.",6"} = 1; # header field syntax error + +@keep_decoded_original_maps = (new_RE( + # let virus scanner (clamav) see full original message (can be slow) + # this setting is required if we're going to use third-party clamav + # signatures. for example, Sanesecurity signatures. + # FYI: http://sanesecurity.com/support/signature-testing/ + #qr'^MAIL$', + + qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable + qr'^(ASCII(?! 
cpio)|text|uuencoded|xxencoded|binhex)'i, + #qr'^Zip archive data', # don't trust Archive::Zip +)); + +$banned_filename_re = new_RE( + +### BLOCKED ANYWHERE +# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components + qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary +# qr'^\.(exe|lha|cab|dll)$', # banned file(1) types + +### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES: +# [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2 + [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives + + qr'.\.(pif|scr)$'i, # banned extensions - rudimentary +# qr'^\.zip$', # block zip type + +### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES: +# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives + + qr'^application/x-msdownload$'i, # block these MIME types + qr'^application/x-msdos-program$'i, + qr'^application/hta$'i, + +# qr'^message/partial$'i, # rfc2046 MIME type +# qr'^message/external-body$'i, # rfc2046 MIME type + +# qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type +# qr'^\.wmf$', # Windows Metafile file(1) type + + # block certain double extensions in filenames + qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, + +# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict +# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose + + qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic +# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd +# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| +# inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi| +# msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd| +# wmf|wsc|wsf|wsh)$'ix, # banned extensions - long +# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i, # consider also +# qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename +# qr'^\.ani$', # banned animated cursor file(1) type +# 
qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. +); +# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 +# and http://www.cknow.com/vtutor/vtextensions.htm + + +# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING + +@score_sender_maps = ({ # a by-recipient hash lookup table, + # results from all matching recipient tables are summed + +# ## per-recipient personal tables (NOTE: positive: black, negative: white) +# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}], +# 'user3@example.com' => [{'.ebay.com' => -3.0}], +# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0, +# '.cleargreen.com' => -5.0}], + + ## site-wide opinions about senders (the '.' matches any recipient) + '.' => [ # the _first_ matching sender determines the score boost + + new_RE( # regexp-type lookup table, just happens to be all soft-blacklist + [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], + [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], + [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], + [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], + [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], + [qr'^(your_friend|greatoffers)@'i => 5.0], + [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], + ), + + #read_hash("/var/amavis/sender_scores_sitewide"), + + { # a hash-type lookup table (associative array) + 'nobody@cert.org' => -3.0, + 'cert-advisory@us-cert.gov' => -3.0, + 'owner-alert@iss.net' => -3.0, + 'slashdot@slashdot.org' => -3.0, + 'securityfocus.com' => -3.0, + 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, + 'security-alerts@linuxsecurity.com' => -3.0, + 'mailman-announce-admin@python.org' => -3.0, + 'amavis-user-admin@lists.sourceforge.net'=> -3.0, + 'amavis-user-bounces@lists.sourceforge.net' => -3.0, + 'spamassassin.apache.org' => -3.0, + 'notification-return@lists.sophos.com' => -3.0, + 
'owner-postfix-users@postfix.org' => -3.0, + 'owner-postfix-announce@postfix.org' => -3.0, + 'owner-sendmail-announce@lists.sendmail.org' => -3.0, + 'sendmail-announce-request@lists.sendmail.org' => -3.0, + 'donotreply@sendmail.org' => -3.0, + 'ca+envelope@sendmail.org' => -3.0, + 'noreply@freshmeat.net' => -3.0, + 'owner-technews@postel.acm.org' => -3.0, + 'ietf-123-owner@loki.ietf.org' => -3.0, + 'cvs-commits-list-admin@gnome.org' => -3.0, + 'rt-users-admin@lists.fsck.com' => -3.0, + 'clp-request@comp.nus.edu.sg' => -3.0, + 'surveys-errors@lists.nua.ie' => -3.0, + 'emailnews@genomeweb.com' => -5.0, + 'yahoo-dev-null@yahoo-inc.com' => -3.0, + 'returns.groups.yahoo.com' => -3.0, + 'clusternews@linuxnetworx.com' => -3.0, + lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, + lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, + + # soft-blacklisting (positive score) + 'sender@example.net' => 3.0, + '.example.net' => 1.0, + + }, + ], # end of site-wide tables +}); + + +@decoders = ( + ['mail', \&do_mime_decode], +# [[qw(asc uue hqx ync)], \&do_ascii], # not safe + ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ], + ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ], + ['gz', \&do_uncompress, 'gzip -d'], + ['gz', \&do_gunzip], + ['bz2', \&do_uncompress, 'bzip2 -d'], + ['xz', \&do_uncompress, + ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ], + ['lzma', \&do_uncompress, + ['lzmadec', 'xz -dc --format=lzma', + 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ], + ['lrz', \&do_uncompress, + ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ], + ['lzo', \&do_uncompress, 'lzop -d'], + ['lz4', \&do_uncompress, ['lz4c -d'] ], + ['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ], + [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ], + # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio'] + ['deb', \&do_ar, 'ar'], +# ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill + ['rar', \&do_unrar, ['unrar', 'rar'] ], + ['arj', \&do_unarj, 
['unarj', 'arj'] ], + ['arc', \&do_arc, ['nomarch', 'arc'] ], + ['zoo', \&do_zoo, ['zoo', 'unzoo'] ], +# ['doc', \&do_ole, 'ripole'], # no ripole package so far + ['cab', \&do_cabextract, 'cabextract'], +# ['tnef', \&do_tnef_ext, 'tnef'], # use internal do_tnef() instead + ['tnef', \&do_tnef], +# ['lha', \&do_lha, 'lha'], # not safe, use 7z instead +# ['sit', \&do_unstuff, 'unstuff'], # not safe + [['zip','kmz'], \&do_7zip, ['7za', '7z'] ], + [['zip','kmz'], \&do_unzip], + ['7z', \&do_7zip, ['7zr', '7za', '7z'] ], + [[qw(gz bz2 Z tar)], + \&do_7zip, ['7za', '7z'] ], + [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], + \&do_7zip, '7z' ], + ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ], +); + +$notify_method = 'smtp:[127.0.0.1]:10025'; +$forward_method = 'smtp:[127.0.0.1]:10025'; + +# Mark Spam/Virus with third-party clamav signatures: SaneSecurity. +# *) The order matters, first match wins. Set to 'undef' to keep as infected +# *) Anything declared as undefined will be marked as a virus +@virus_name_to_spam_score_maps =(new_RE( + # SaneSecurity + Foxhole + [ qr'^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\.' => undef ], + [ qr'^Sanesecurity\.MalwareHash\.' => undef ], + [ qr'^Sanesecurity.TestSig_' => undef ], + [ qr'^Sanesecurity\.' => 0.1 ], + + # winnow + [ qr'^winnow\.(Exploit|Trojan|malware)\.' => undef ], + [ qr'^winnow\.(botnet|compromised|trojan)' => undef ], + [ qr'^winnow\.(exe|ms|JS)\.' => undef ], + [ qr'^winnow\.phish\.' => 3.0 ], + [ qr'^winnow\.' => 0.1 ], + + # bofhland + [ qr'^Bofhland\.Malware\.' => undef ], + [ qr'^BofhlandMWFile' => undef ], + [ qr'^Bofhland\.Phishing\.' => 3.0 ], + [ qr'^Bofhland\.' => 0.1 ], + + # porcupine.ndb + [ qr'^Porcupine\.(Malware|Trojan)\.' => undef ], + [ qr'^Porcupine\.(Junk|Spammer)\.' => 3.0 ], + [ qr'^Porcupine\.Phishing\.' => 3.0 ], + [ qr'^Porcupine\.' => 0.01 ], + + # phishtank.ndb + [ qr'^PhishTank\.Phishing\.' 
=> 3.0 ], + + # SecuriteInfo + [ qr'^SecuriteInfo\.com\.Spam' => 3.0 ], + + # Others + [ qr'^Structured\.(SSN|CreditCardNumber)\b' => 0.1 ], + [ qr'^(Heuristics\.)?Phishing\.' => 0.1 ], + [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0.1 ], + [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ], + [ qr'^Email\.Spammail\b' => 0.1 ], + [ qr'^MSRBL-(Images|SPAM)\b' => 0.1 ], + [ qr'^VX\.Honeypot-SecuriteInfo\.com\.Joke' => 0.1 ], + [ qr'^VX\.not-virus_(Hoax|Joke)\..*-SecuriteInfo\.com(\.|\z)' => 0.1 ], + [ qr'^Email\.Spam.*-SecuriteInfo\.com(\.|\z)' => 0.1 ], + [ qr'^Safebrowsing\.' => 0.1 ], + [ qr'^INetMsg\.SpamDomain' => 0.1 ], + [ qr'^Doppelstern\.(Spam|Scam|Phishing|Junk|Lott|Loan)'=> 0.1 ], + [ qr'^ScamNailer\.' => 0.1 ], + [ qr'^HTML/Bankish' => 0.1 ], + [ qr'(-)?SecuriteInfo\.com(\.|\z)' => undef ], + [ qr'^MBL_NA\.UNOFFICIAL' => 0.1 ], + [ qr'^MBL_' => undef ], +)); + +@av_scanners = ( + ['clamav-socket', + \&ask_daemon, ["CONTSCAN {}\n", '/var/run/clamav/clamd.ctl'], + qr/\bOK$/m, + qr/\bFOUND$/m, + qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], +); + +@av_scanners_backup = ( + ['clamav-clamscan', 'clamscan', + "--stdout --disable-summary -r --tempdir=$TEMPBASE {}", [0], [1], + qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], +); + +# +# Port used to release quarantined mails. +# +$interface_policy{'9998'} = 'AM.PDP-INET'; +$policy_bank{'AM.PDP-INET'} = { + protocol => 'AM.PDP', # select Amavis policy delegation protocol + auth_required_release => 1, # 0 - don't require secret_id for amavisd-release + #log_level => 4, + #always_bcc_by_ccat => {CC_CLEAN, 'admin@example.com'}, +}; + +######################### +# Default action applied to detected spam/virus/banned/bad-header, and how to +# quarantine them +# +# Available actions: +# +# - D_PASS: Mail will pass to recipients, regardless of bad contents. +# If a quarantine is configured, a copy of the mail will go there. 
+# Note that including a recipient in a @*_lovers_maps is +# functionally equivalent to setting '*_destiny = D_PASS;' +# for that recipient. +# +# - D_BOUNCE: Mail will not be delivered to its recipients. A non-delivery +# notification (bounce) will be created and sent to the sender. +# +# - D_REJECT: Mail will not be delivered to its recipients. Amavisd will +# send the typical 55x reject response to the upstream MTA and +# that MTA may create a reject notice (bounce) and return it to +# the sender. +# This notice is not as informative as the one created using +# D_BOUNCE, so usually D_BOUNCE is preferred over D_REJECT. +# If a quarantine is configured, a copy of the mail will go +# there, if not mail message will be lost, but the sender should +# be notified their message was rejected. +# +# - D_DISCARD: Mail will not be delivered to its recipients and the sender +# normally will NOT be notified. +# If a quarantine is configured, a copy of the mail will go +# there, if not mail message will be lost. Note that there are +# additional settings available that can send notifications to +# persons that normally may not be notified when an undesirable +# message is found, so it is possible to notify the sender even +# when using D_DISCARD. +# +# Where to store quarantined mail message: +# +# - 'local:spam-%i-%m', quarantine mail on local file system. +# - 'sql:', quarantine mail in SQL server specified in @storage_sql_dsn. +# - undef, do not quarantine mail. + +# SPAM. +$final_spam_destiny = D_DISCARD; +$spam_quarantine_method = 'sql:'; +$spam_quarantine_to = 'spam-quarantine'; + +# Virus +$final_virus_destiny = D_DISCARD; +$virus_quarantine_method = 'sql:'; +$virus_quarantine_to = 'virus-quarantine'; + +# Banned +$final_banned_destiny = D_DISCARD; +$banned_files_quarantine_method = 'sql:'; +$banned_quarantine_to = 'banned-quarantine'; + +# Bad header. 
+$final_bad_header_destiny = D_DISCARD; +$bad_header_quarantine_method = 'sql:'; +$bad_header_quarantine_to = 'bad-header-quarantine'; + +######################### +# Quarantine CLEAN mails. +# Don't forget to enable clean quarantine in policy bank 'MYUSERS'. +# +#$clean_quarantine_method = 'sql:'; +#$clean_quarantine_to = 'clean-quarantine'; + +# a string to prepend to Subject (for local recipients only) if mail could +# not be decoded or checked entirely, e.g. due to password-protected archives +#$undecipherable_subject_tag = '***UNCHECKED*** '; # undef disables it +$undecipherable_subject_tag = undef; + +# Hope to fix 'nested MAIL command' issue on high load server. +$smtp_connection_cache_enable = 0; + +# The default set of header fields to be signed can be controlled +# by setting %signed_header_fields elements to true (to sign) or +# to false (not to sign). Keys must be in lowercase, e.g.: +# 0 -> off +# 1 -> on +$signed_header_fields{'received'} = 0; +$signed_header_fields{'to'} = 1; +$signed_header_fields{'from'} = 1; +$signed_header_fields{'subject'} = 1; +$signed_header_fields{'message-id'} = 1; +$signed_header_fields{'content-type'} = 1; +$signed_header_fields{'date'} = 1; +$signed_header_fields{'mime-version'} = 1; + # -# Place your configuration directives here. They will override those in -# earlier files. +# DKIM +# +# Enable DKIM verification globally. +$enable_dkim_verification = 1; + +# Disable DKIM signing globally, because it's controlled per policy bank. +#$enable_dkim_signing = 1; + +# Add dkim_key here. +dkim_key('brehm-berlin.de', 'dkim', '/var/lib/dkim/brehm-berlin.de.pem'); + +@dkim_signature_options_bysender_maps = ({ + # 'd' defaults to a domain of an author/sender address, + # 's' defaults to whatever selector is offered by a matching key + + # Per-domain dkim key + #"domain.com" => { d => "domain.com", a => 'rsa-sha256', ttl => 10*24*3600 }, + + # catch-all (one dkim key for all domains) + '.' 
=> {d => 'brehm-berlin.de', + a => 'rsa-sha256', + c => 'relaxed/simple', + ttl => 30*24*3600 }, +}); + # -# See /usr/share/doc/amavisd-new/ for documentation and examples of -# the directives you can use in this file +# Disclaimer settings # +# Uncomment below line to enable singing disclaimer in outgoing mails. +#$defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ]; + +# Program used to signing disclaimer in outgoing mails. +$altermime = '/usr/bin/altermime'; + +# Disclaimer in plain text formart. +@altermime_args_disclaimer = qw(--disclaimer=/etc/postfix/disclaimer/_OPTION_.txt --disclaimer-html=/etc/postfix/disclaimer/_OPTION_.txt --force-for-bad-html); + +@disclaimer_options_bysender_maps = ({ + # Per-domain, per-user disclaimer setting: + # '' => /path/to/disclaimer.txt, + # '' => /path/to/disclaimer.txt, + + # Catch-all disclaimer setting: /etc/postfix/disclaimer/default.txt + '.' => 'default', +},); + +$sql_allow_8bit_address = 1; +$timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP; + +# Reporting and quarantining. +@storage_sql_dsn = (['DBI:mysql:database=amavisd;host=127.0.0.1;port=3306', 'amavisd', 'zgBEdCOURV8TveGk4KIWPjQFYLk745IJ']); + +# Lookup for per-recipient, per-domain and global policy. +@lookup_sql_dsn = @storage_sql_dsn; + +# Don't send email with subject "UNCHECKED contents in mail FROM xxx". +delete $admin_maps_by_ccat{&CC_UNCHECKED}; + +# Do not notify administrator about SPAM/VIRUS from remote servers. +$virus_admin = undef; +$spam_admin = undef; +$banned_admin = undef; +$bad_header_admin = undef; + +# +# Pre-define some policy banks. +# +# You can assign certain policy banks to clients/senders you want to whitelist +# with parameter `@client_ipaddr_policy` and @author_to_policy_bank_maps. 
+$policy_bank{'FULL_WHITELIST'} = { + bypass_spam_checks_maps => [1], + spam_lovers_maps => [1], + bypass_decode_parts => 1, + bypass_virus_checks_maps => [1], + virus_lovers_maps => [1], + bypass_banned_checks_maps => [1], + banned_files_lovers_maps => [1], + bypass_header_checks_maps => [1], + bad_header_lovers_maps => [1], +}; + +$policy_bank{'NO_SPAM_CHECK'} = { + bypass_spam_checks_maps => [1], + spam_lovers_maps => [1], +}; + +$policy_bank{'NO_VIRUS_CHECK'} = { + bypass_decode_parts => 1, + bypass_virus_checks_maps => [1], + virus_lovers_maps => [1], +}; + +$policy_bank{'NO_BANNED_CHECK'} = { + bypass_banned_checks_maps => [1], + banned_files_lovers_maps => [1], +}; + +$policy_bank{'NO_BAD_HEADER_CHECK'} = { + bypass_header_checks_maps => [1], + bad_header_lovers_maps => [1], +}; + +#$policy_bank{'MILD_WHITELIST'} = { +# score_sender_maps => [ { '.' => [-1.8] } ], +#}; + +# +# Logging +# +$do_syslog = 1; # log via syslogd (preferred) +$syslog_facility = 'mail'; # Syslog facility as a string +$log_level = 0; # Amavisd log level. + # Verbosity: 0, 1, 2, 3, 4, 5. +$sa_debug = 0; # SpamAssassin debugging (require $log_level). + # Default if off (0). + +# Amavisd on some Linux/BSD distribution use $banned_namepath_re instead of +# $banned_filename_re, so we define some blocked file types here. +# +# Sample input for $banned_namepath_re: +# +# P=p003\tL=1\tM=multipart/mixed\nP=p002\tL=1/2\tM=application/octet-stream\tT=dat\tN=my_docum.zip +# P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/zip,T=zip,N=FedEx_00628727.zip | P=p005,L=1/2/2,T=asc,N=FedEx_00628727.doc.wsf +# +# What it means: +# - T: type. e.g. zip archive. +# - M: MIME type. e.g. application/octet-stream. +# - N: suggested (MIME) name. e.g. my_docum.zip. 
+ +$banned_namepath_re = new_RE( + #[qr'T=(rar|arc|arj|zoo|gz|bz2)(,|\t)'xmi => 'DISCARD'], # Compressed file types + [qr'T=x-(msdownload|msdos-program|msmetafile)(,|\t)'xmi => 'DISCARD'], + [qr'T=(hta)(,|\t)'xmi => 'DISCARD'], + + # Dangerous mime types + [qr'T=(9|386|LeChiffre|aaa|abc|aepl|ani|aru|atm|aut|b64|bat|bhx|bkd|blf|bll|bmw|boo|bps|bqf|breaking_bad|buk|bup|bxz|cc|ccc|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|cpl|crinf|crjoker|crypt|cryptolocker|cryptowall|ctbl|cxq|cyw|dbd|delf|dev|dlb|dli|dll|dllx|dom|drv|dx|dxz|dyv|dyz|ecc|exe|exe-ms|exe1|exe_renamed|exx|ezt|ezz|fag|fjl|fnr|fuj|good|gzquar|hlp|hlw|hqx|hsq|hts|iva|iws|jar|js|kcd|keybtc@inbox_com|let|lik|lkh|lnk|locky|lok|lol!|lpaq5|magic|mfu|micro|mim|mjg|mjz|nls|oar|ocx|osa|ozd|pcx|pgm|php2|php3|pid|pif|plc|pr|pzdc|qit|qrn|r5a|rhk|rna|rsc_tmp|s7p|scr|shs|ska|smm|smtmp|sop|spam|ssy|swf|sys|tko|tps|tsa|tti|ttt|txs|upa|uu|uue|uzy|vb|vba|vbe|vbs|vbx|vexe|vxd|vzr|wlpginstall|ws|wsc|wsf|wsh|wss|xdu|xir|xlm|xlv|xnt|xnxx|xtbl|xxe|xxx|xyz|zix|zvz|zzz)(,|\t)'xmi => 'DISCARD'], + + # Dangerous file name extensions + [qr'N=.*\.(9|386|LeChiffre|aaa|abc|aepl|ani|aru|atm|aut|b64|bat|bhx|bkd|blf|bll|bmw|boo|bps|bqf|breaking_bad|buk|bup|bxz|cc|ccc|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|cpl|crinf|crjoker|crypt|cryptolocker|cryptowall|ctbl|cxq|cyw|dbd|delf|dev|dlb|dli|dll|dllx|dom|drv|dx|dxz|dyv|dyz|ecc|exe|exe-ms|exe1|exe_renamed|exx|ezt|ezz|fag|fjl|fnr|fuj|good|gzquar|hlp|hlw|hqx|hsq|hts|iva|iws|jar|js|kcd|keybtc@inbox_com|let|lik|lkh|lnk|locky|lok|lol!|lpaq5|magic|mfu|micro|mim|mjg|mjz|nls|oar|ocx|osa|ozd|pcx|pgm|php2|php3|pid|pif|plc|pr|pzdc|qit|qrn|r5a|rhk|rna|rsc_tmp|s7p|scr|shs|ska|smm|smtmp|sop|spam|ssy|swf|sys|tko|tps|tsa|tti|ttt|txs|upa|uu|uue|uzy|vb|vba|vbe|vbs|vbx|vexe|vxd|vzr|wlpginstall|ws|wsc|wsf|wsh|wss|xdu|xir|xlm|xlv|xnt|xnxx|xtbl|xxe|xxx|xyz|zix|zvz|zzz)$'xmi => 'DISCARD'], +); + +# Log verbose. 
+$log_templ = $log_verbose_templ;
+
+# $bounce_killer_score defaults to 100, it will cause quota exceed notification
+# email sent by Dovecot quarantined by Amavisd.
+$penpals_bonus_score = undef;
+$bounce_killer_score = 0;
+
+# Selectively disable some of the header checks
+#
+# Duplicate or multiple occurrence of a header field
+$allowed_header_tests{'multiple'} = 0;
+
+# Missing some headers. e.g. 'Date:'
+$allowed_header_tests{'missing'} = 0;
+
+# Listen on specified addresses.
+$inet_socket_bind = ['127.0.0.1'];
+
+# Set ACL
+@inet_acl = qw(127.0.0.1 [::1] 127.0.0.1);
+# Num of pre-forked children.
+# WARNING: it must match (equal to or larger than) the number set in
+# `maxproc` column in Postfix master.cf for the `smtp-amavis` transport.
+$max_servers = 4;
-#------------ Do not modify anything below this line -------------
-1; # ensure a defined return
+1; # insure a defined return
diff --git a/amavis/conf.d/50-user.2021.04.08.22.02.11 b/amavis/conf.d/50-user.2021.04.08.22.02.11
new file mode 100644
index 0000000..c43c6ba
--- /dev/null
+++ b/amavis/conf.d/50-user.2021.04.08.22.02.11
@@ -0,0 +1,13 @@
+use strict;
+
+#
+# Place your configuration directives here. They will override those in
+# earlier files.
+#
+# See /usr/share/doc/amavisd-new/ for documentation and examples of
+# the directives you can use in this file
+#
+
+
+#------------ Do not modify anything below this line -------------
+1; # ensure a defined return
diff --git a/clamav/clamd.conf b/clamav/clamd.conf
index 3c4f513..ecc5b08 100644
--- a/clamav/clamd.conf
+++ b/clamav/clamd.conf
@@ -77,7 +77,7 @@ ScanXMLDOCS true
 ScanHWP3 true
 MaxRecHWP3 16
 StreamMaxLength 25M
-LogFile /var/log/clamav/clamav.log
+#LogFile /var/log/clamav/clamav.log
 LogTime true
 LogFileUnlock false
 LogFileMaxSize 0
@@ -85,3 +85,4 @@ Bytecode true
 BytecodeSecurity TrustSigned
 BytecodeTimeout 60000
 OnAccessMaxFileSize 5M
+AllowSupplementaryGroups true
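Review bot: Commenting out `LogFile` leaves clamd with no log destination at all, because the rest of this file still has `LogSyslog false` (the untouched pre-change copy, blob 3c4f513, is added below as clamd.conf.2021.04.08.22.02.11 and shows it); detections, signature-load failures and SelfCheck errors of the mail scanner will no longer be recorded anywhere, which is an operational and forensic gap for a gateway. If the goal is to stop writing to /var/log/clamav, set `LogSyslog true` in the same hunk; if the goal was to work around a permission problem on that directory, keep the LogFile line and fix the ownership instead. Whichever is chosen, a comment next to the disabled line stating where clamd now logs, e.g. `# LogFile disabled on purpose: clamd logs via syslog (LogFacility LOG_LOCAL6)`, would make the decision reviewable.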
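Review bot: `AllowSupplementaryGroups` is a legacy directive; as far as I recall, ClamAV 0.100 and later always apply supplementary groups and only accept this option with a deprecation warning (or reject it), so verify with `clamd --version` and `clamconf` that the line has any effect on this host. If it is a no-op, drop it and instead check the access it was presumably meant to provide (clamd scanning files in another service's temp directory) by adding the clamav user to the relevant group and testing a scan through the socket.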
diff --git a/clamav/clamd.conf.2021.04.08.22.02.11 b/clamav/clamd.conf.2021.04.08.22.02.11
new file mode 100644
index 0000000..3c4f513
--- /dev/null
+++ b/clamav/clamd.conf.2021.04.08.22.02.11
@@ -0,0 +1,87 @@
+#Automatically Generated by clamav-daemon postinst
+#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
+#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
+LocalSocket /var/run/clamav/clamd.ctl
+FixStaleSocket true
+LocalSocketGroup clamav
+LocalSocketMode 666
+# TemporaryDirectory is not set to its default /tmp here to make overriding
+# the default with environment variables TMPDIR/TMP/TEMP possible
+User clamav
+ScanMail true
+ScanArchive true
+ArchiveBlockEncrypted false
+MaxDirectoryRecursion 15
+FollowDirectorySymlinks false
+FollowFileSymlinks false
+ReadTimeout 180
+MaxThreads 12
+MaxConnectionQueueLength 15
+LogSyslog false
+LogRotate true
+LogFacility LOG_LOCAL6
+LogClean false
+LogVerbose false
+PreludeEnable no
+PreludeAnalyzerName ClamAV
+DatabaseDirectory /var/lib/clamav
+OfficialDatabaseOnly false
+SelfCheck 3600
+Foreground false
+Debug false
+ScanPE true
+MaxEmbeddedPE 10M
+ScanOLE2 true
+ScanPDF true
+ScanHTML true
+MaxHTMLNormalize 10M
+MaxHTMLNoTags 2M
+MaxScriptNormalize 5M
+MaxZipTypeRcg 1M
+ScanSWF true
+ExitOnOOM false
+LeaveTemporaryFiles false
+AlgorithmicDetection true
+ScanELF true
+IdleTimeout 30
+CrossFilesystems true
+PhishingSignatures true
+PhishingScanURLs true
+PhishingAlwaysBlockSSLMismatch false
+PhishingAlwaysBlockCloak false
+PartitionIntersection false
+DetectPUA false
+ScanPartialMessages false
+HeuristicScanPrecedence false
+StructuredDataDetection false
+CommandReadTimeout 30
+SendBufTimeout 200
+MaxQueue 100
+ExtendedDetectionInfo true
+OLE2BlockMacros false
+AllowAllMatchScan true
+ForceToDisk false
+DisableCertCheck false
+DisableCache false
+MaxScanTime 120000
+MaxScanSize 100M
+MaxFileSize 25M
+MaxRecursion 16
+MaxFiles 10000
+MaxPartitions 50
+MaxIconsPE 100
+PCREMatchLimit 10000
+PCRERecMatchLimit 5000
+PCREMaxFileSize 25M
+ScanXMLDOCS true
+ScanHWP3 true
+MaxRecHWP3 16
+StreamMaxLength 25M
+LogFile /var/log/clamav/clamav.log
+LogTime true
+LogFileUnlock false
+LogFileMaxSize 0
+Bytecode true
+BytecodeSecurity TrustSigned
+BytecodeTimeout 60000
+OnAccessMaxFileSize 5M
diff --git a/clamav/freshclam.conf.2021.04.08.22.02.11 b/clamav/freshclam.conf.2021.04.08.22.02.11
new file mode 100644
index 0000000..d238dc2
--- /dev/null
+++ b/clamav/freshclam.conf.2021.04.08.22.02.11
@@ -0,0 +1,28 @@
+# Automatically created by the clamav-freshclam postinst
+# Comments will get lost when you reconfigure the clamav-freshclam package
+
+DatabaseOwner clamav
+UpdateLogFile /var/log/clamav/freshclam.log
+LogVerbose false
+LogSyslog false
+LogFacility LOG_LOCAL6
+LogFileMaxSize 0
+LogRotate true
+LogTime true
+Foreground false
+Debug false
+MaxAttempts 5
+DatabaseDirectory /var/lib/clamav
+DNSDatabaseInfo current.cvd.clamav.net
+ConnectTimeout 30
+ReceiveTimeout 0
+TestDatabases yes
+ScriptedUpdates yes
+CompressLocalDatabase no
+SafeBrowsing false
+Bytecode true
+NotifyClamd /etc/clamav/clamd.conf
+# Check for new database 24 times a day
+Checks 24
+DatabaseMirror db.local.clamav.net
+DatabaseMirror database.clamav.net
diff --git a/default/spamassassin b/default/spamassassin
index 9efb197..279434a 100644
--- a/default/spamassassin
+++ b/default/spamassassin
@@ -30,4 +30,4 @@ PIDFILE="/var/run/spamd.pid"
 # Cronjob
 # Set to anything but 0 to enable the cron job to automatically update
 # spamassassin's rules on a nightly basis
-CRON=0
+CRON=1
diff --git a/dovecot/dovecot-last-login.conf b/dovecot/dovecot-last-login.conf
new file mode 100755
index 0000000..172bca5
--- /dev/null
+++ b/dovecot/dovecot-last-login.conf
@@ -0,0 +1,50 @@
+connect = host=127.0.0.1 port=3306 dbname=vmail user=vmailadmin password=kjnjsPN5ph8MB8Qcnuy9J7ucTvXat8Sp
+
+map {
+ pattern = shared/last-login/imap/$user/$domain
+ table = last_login
+ value_field = imap
+ value_type = uint
+
+ fields {
+ username = $user
+ domain = $domain
+ }
+}
+
+map {
+ pattern = shared/last-login/pop3/$user/$domain
+ table = last_login
+ value_field = pop3
+ value_type = uint
+
+ fields {
+ username = $user
+ domain = $domain
+ }
+}
+
+map {
+ pattern = shared/last-login/lda/$user/$domain
+ table = last_login
+ value_field = lda
+ value_type = uint
+
+ fields {
+ username = $user
+ domain = $domain
+ }
+}
+
+# Treat lmtp as lda.
+map {
+ pattern = shared/last-login/lmtp/$user/$domain
+ table = last_login
+ value_field = lda
+ value_type = uint
+
+ fields {
+ username = $user
+ domain = $domain
+ }
+}
diff --git a/dovecot/dovecot-master-users b/dovecot/dovecot-master-users
new file mode 100755
index 0000000..e69de29
diff --git a/dovecot/dovecot-mysql.conf b/dovecot/dovecot-mysql.conf
new file mode 100755
index 0000000..f06ef0e
--- /dev/null
+++ b/dovecot/dovecot-mysql.conf
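Review bot: The file is committed with mode `100755` and its first line embeds the `vmailadmin` MySQL password in clear text, so every local account on this host can read a credential that Dovecot uses to write the `last_login` table. Dovecot reads its configuration through a root-run config process, so tightening the file to `0600 root:root` (or 0640 with the dovecot group if a dict process turns out to need it — verify with a restart and `doveadm dict get`) should be safe, and the executable bit serves no purpose on a dict config. Note also that this commit puts the secret into the etckeeper git history, so it should be treated as exposed if that repository is ever pushed or backed up off-host, and rotated accordingly.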
@@ -0,0 +1,28 @@
+driver = mysql
+default_pass_scheme = CRYPT
+connect = host=127.0.0.1 port=3306 dbname=vmail user=vmail password=Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+
+# Required by doveadm tools which require to list all mail users.
+iterate_query = SELECT username AS user FROM mailbox
+
+password_query = SELECT mailbox.password, mailbox.allow_nets \
+ FROM mailbox,domain \
+ WHERE mailbox.username='%u' \
+ AND mailbox.`enable%Ls%Lc`=1 \
+ AND mailbox.active=1 \
+ AND mailbox.domain=domain.domain \
+ AND domain.backupmx=0 \
+ AND domain.active=1
+
+user_query = SELECT \
+ LOWER('%u') AS master_user, \
+ LOWER(CONCAT(mailbox.storagebasedirectory, '/', mailbox.storagenode, '/', mailbox.maildir)) AS home, \
+ CONCAT(mailbox.mailboxformat, ':~/', mailbox.mailboxfolder) AS mail, \
+ CONCAT('*:bytes=', mailbox.quota*1048576) AS quota_rule \
+ FROM mailbox,domain \
+ WHERE mailbox.username='%u' \
+ AND mailbox.`enable%Ls%Lc`=1 \
+ AND mailbox.active=1 \
+ AND mailbox.domain=domain.domain \
+ AND domain.backupmx=0 \
+ AND domain.active=1
diff --git a/dovecot/dovecot-share-folder.conf b/dovecot/dovecot-share-folder.conf
new file mode 100755
index 0000000..42fde96
--- /dev/null
+++ b/dovecot/dovecot-share-folder.conf
@@ -0,0 +1,22 @@
+connect = host=127.0.0.1 port=3306 dbname=vmail user=vmailadmin password=kjnjsPN5ph8MB8Qcnuy9J7ucTvXat8Sp
+map {
+ pattern = shared/shared-boxes/user/$to/$from
+ table = share_folder
+ value_field = dummy
+
+ fields {
+ from_user = $from
+ to_user = $to
+ }
+}
+
+# To share mailbox to anyone, please uncomment 'acl_anyone = allow' in
+# dovecot.conf
+map {
+ pattern = shared/shared-boxes/anyone/$from
+ table = anyone_shares
+ value_field = dummy
+ fields {
+ from_user = $from
+ }
+}
diff --git a/dovecot/dovecot-used-quota.conf b/dovecot/dovecot-used-quota.conf
new file mode 100755
index 0000000..71a6e91
--- /dev/null
+++ b/dovecot/dovecot-used-quota.conf
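Review bot: This file is added world-readable (mode `100755` in its header) while the `connect =` line carries the `vmail` SQL password, and that is the credential behind `password_query`, i.e. it can SELECT `mailbox.password` hashes for every account; it must not be readable by unprivileged local users. Restrict it to root (`chmod 0600`, dropping the pointless executable bit) and confirm the `vmail` MySQL account is limited to SELECT on `mailbox` and `domain`, since nothing in this configuration writes. The `default_pass_scheme = CRYPT` line only affects how stored hashes are interpreted; the stronger hashing decision lives wherever accounts are created, which is outside this file.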
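Review bot: The share-folder dict repeats the `vmailadmin` password in clear text in another `100755` file (the same credential as dovecot-last-login.conf), so the permission fix and any rotation have to cover every dovecot-*.conf added in this commit together. A header comment such as `# Contains DB credentials: keep mode 0600, owner root` would make that expectation visible to whoever edits these files next. The `anyone_shares` map only becomes reachable once `acl_anyone = allow` is set in dovecot.conf, as the comment notes, and leaving that off by default is the conservative choice.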
@@ -0,0 +1,13 @@
+connect = host=127.0.0.1 port=3306 dbname=vmail user=vmailadmin password=kjnjsPN5ph8MB8Qcnuy9J7ucTvXat8Sp
+map {
+ pattern = priv/quota/storage
+ table = used_quota
+ username_field = username
+ value_field = bytes
+}
+map {
+ pattern = priv/quota/messages
+ table = used_quota
+ username_field = username
+ value_field = messages
+}
diff --git a/dovecot/dovecot.conf b/dovecot/dovecot.conf
index c802011..12f7e24 100644
--- a/dovecot/dovecot.conf
+++ b/dovecot/dovecot.conf
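Review bot: Fourth copy of the `vmailadmin` password in a `100755` file; the remedy is the same as for the other dict configs in this commit, restrict to root and rotate all of them together. Because Dovecot updates `used_quota` through this dict, the `vmailadmin` account does need write access here, so keeping it separate from the read-only `vmail` login in dovecot-mysql.conf is the right split — just verify in MySQL that its grants stop at the `used_quota`, `last_login`, `share_folder` and `anyone_shares` tables rather than the whole `vmail` database.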
@@ -1,102 +1,496 @@ -## Dovecot configuration file - -# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration - -# "doveconf -n" command gives a clean output of the changed settings. Use it -# instead of copy&pasting files when posting to the Dovecot mailing list. - -# '#' character and everything after it is treated as comments. Extra spaces -# and tabs are ignored. If you want to use either of these explicitly, put the -# value inside quotes, eg.: key = "# char and trailing whitespace " - -# Most (but not all) settings can be overridden by different protocols and/or -# source/destination IPs by placing the settings inside sections, for example: -# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { } - -# Default values are shown for each setting, it's not required to uncomment -# those. These are exceptions to this though: No sections (e.g. namespace {}) -# or plugin settings are added by default, they're listed only as examples. -# Paths are also just examples with the real defaults being based on configure -# options. The paths listed here are for configure --prefix=/usr -# --sysconfdir=/etc --localstatedir=/var - -# Enable installed protocols -!include_try /usr/share/dovecot/protocols.d/*.protocol - -# A comma separated list of IPs or hosts where to listen in for connections. -# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces. -# If you want to specify non-default ports or anything more complex, -# edit conf.d/master.conf. -#listen = *, :: - -# Base directory where to store runtime data. -#base_dir = /var/run/dovecot/ - -# Name of this instance. In multi-instance setup doveadm and other commands -# can use -i to select which instance is used (an alternative -# to -c ). The instance name is also added to Dovecot processes -# in ps output. -#instance_name = dovecot - -# Greeting message for clients. -#login_greeting = Dovecot ready. - -# Space separated list of trusted network ranges. 
Connections from these -# IPs are allowed to override their IP addresses and ports (for logging and -# for authentication checks). disable_plaintext_auth is also ignored for -# these networks. Typically you'd specify your IMAP proxy servers here. -#login_trusted_networks = - -# Space separated list of login access check sockets (e.g. tcpwrap) -#login_access_sockets = - -# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do -# proxying. This isn't necessary normally, but may be useful if the destination -# IP is e.g. a load balancer's IP. -#auth_proxy_self = - -# Show more verbose process titles (in ps). Currently shows user name and -# IP address. Useful for seeing who are actually using the IMAP processes -# (eg. shared mailboxes or if same uid is used for multiple accounts). -#verbose_proctitle = no - -# Should all processes be killed when Dovecot master process shuts down. -# Setting this to "no" means that Dovecot can be upgraded without -# forcing existing client connections to close (although that could also be -# a problem if the upgrade is e.g. because of a security fix). -#shutdown_clients = yes - -# If non-zero, run mail commands via this many connections to doveadm server, -# instead of running them directly in the same process. -#doveadm_worker_count = 0 -# UNIX socket or host:port used for connecting to doveadm server -#doveadm_socket_path = doveadm-server - -# Space separated list of environment variables that are preserved on Dovecot -# startup and passed down to all of its child processes. You can also give -# key=value pairs to always set specific settings. -#import_environment = TZ - -## -## Dictionary server settings -## - -# Dictionary can be used to store key=value lists. This is used by several -# plugins. The dictionary can be accessed either directly or though a -# dictionary server. The following dict block maps dictionary names to URIs -# when the server is used. 
These can then be referenced using URIs in format -# "proxy::". +# More details about Dovecot settings: +# - http://wiki2.dovecot.org/ +# - http://wiki2.dovecot.org/Variables + +# Listen addresses. +# - '*' means all available IPv4 addresses. +# - '[::]' means all available IPv6 addresses. +# Listen on all available addresses by default +listen = * [::] + +#base_dir = /var/run/dovecot +mail_plugins = quota mailbox_alias acl mail_log notify + +# Enabled mail protocols. +protocols = pop3 imap sieve lmtp + +# User/group who owns the message files: +mail_uid = 2000 +mail_gid = 2000 + +# Assign uid to virtual users. +first_valid_uid = 2000 +last_valid_uid = 2000 + +# Logging. Reference: http://wiki2.dovecot.org/Logging +# +# Use syslog +syslog_facility = local5 +# Log file path if we use internal log system +#log_path = /var/log/dovecot/dovecot.log + +# Debug +#mail_debug = yes +#auth_verbose = yes +#auth_debug = yes +#auth_debug_passwords = yes +# Possible values: no, plain, sha1. +#auth_verbose_passwords = no + +# SSL: Global settings. +# Refer to wiki site for per protocol, ip, server name SSL settings: +# http://wiki2.dovecot.org/SSL/DovecotConfiguration +ssl_min_protocol = TLSv1.2 +ssl = required +verbose_ssl = no +#ssl_ca = method=%m rip=%r lip=%l mpid=%e %c %k session=<%{session}> + +# Mail delivery log format +deliver_log_format = from=%{from}, envelope_sender=%{from_envelope}, subject=%{subject}, msgid=%m, size=%{size}, delivery_time=%{delivery_time}ms, %$ + +service auth { + unix_listener /var/spool/postfix/private/dovecot-auth { + user = postfix + group = postfix + mode = 0666 + } + unix_listener auth-master { + user = vmail + group = vmail + mode = 0666 + } + unix_listener auth-userdb { + user = vmail + group = vmail + mode = 0660 + } +} + +# LMTP server (Local Mail Transfer Protocol). 
+# Reference: http://wiki2.dovecot.org/LMTP +service lmtp { + user = vmail + + # For higher volume sites, it may be desirable to increase the number of + # active listener processes. A range of 5 to 20 is probably good for most + # sites. + process_min_avail = 5 + + # Logging. + # Require 'log_path =' in 'protocol lmtp {}' block. + executable = lmtp -L + + # Listening on socket file and TCP + unix_listener /var/spool/postfix/private/dovecot-lmtp { + user = postfix + group = postfix + mode = 0600 + } + + inet_listener lmtp { + # Listen on localhost (ipv4) + address = 127.0.0.1 + port = 24 + } +} + +# Virtual mail accounts. +userdb { + args = /etc/dovecot/dovecot-mysql.conf + driver = sql +} +passdb { + args = /etc/dovecot/dovecot-mysql.conf + driver = sql +} + +# Master user. +# Master users are able to log in as other users. It's also possible to +# directly log in as any user using a master password, although this isn't +# recommended. +# Reference: http://wiki2.dovecot.org/Authentication/MasterUsers +auth_master_user_separator = * +passdb { + driver = passwd-file + args = /etc/dovecot/dovecot-master-users + master = yes +} + +plugin { + # Quota configuration. + # Reference: http://wiki2.dovecot.org/Quota/Configuration + quota = dict:user::proxy::quotadict + + # Set default quota rule if no quota returned from SQL/LDAP query. + #quota_rule = *:storage=1G + #quota_rule2 = *:messages=0 + #quota_rule3 = Trash:storage=1G + #quota_rule4 = Junk:ignore + + # Quota warning. + # + # If user suddenly receives a huge mail and the quota jumps from + # 85% to 95%, only the 95% script is executed. + # + # Only the command for the first exceeded limit is executed, so configure + # the highest limit first. 
+ quota_warning = storage=100%% quota-warning 100 %u + quota_warning2 = storage=95%% quota-warning 95 %u + quota_warning3 = storage=90%% quota-warning 90 %u + quota_warning4 = storage=85%% quota-warning 85 %u + + # allow user to become max 10% (or 50 MB) over quota + quota_grace = 10%% + #quota_grace = 50 M + + # Custom Quota Exceeded Message. + # You can specify the message directly or read the message from a file. + #quota_exceeded_message = Quota exceeded, please try again later. + #quota_exceeded_message = ). + sieve_vacation_send_from_recipient = yes + + # Reference: http://wiki2.dovecot.org/Plugins/MailboxAlias + mailbox_alias_old = Sent + mailbox_alias_new = Sent Messages + mailbox_alias_old2 = Sent + mailbox_alias_new2 = Sent Items + + # Events to log. `autoexpunge` is included in `expunge` + # Defined in https://github.com/dovecot/core/blob/master/src/plugins/mail-log/mail-log-plugin.c + mail_log_events = delete undelete expunge copy mailbox_create mailbox_delete mailbox_rename + mail_log_fields = uid box msgid size from subject flags + + # Track user last login + last_login_dict = proxy::lastlogin + last_login_key = last-login/%s/%u/%d +} + +service stats { + fifo_listener stats-mail { + user = vmail + mode = 0644 + } + + unix_listener stats-writer { + user = vmail + group = vmail + mode = 0660 + } + + inet_listener { + address = 127.0.0.1 + port = 24242 + } +} + +service quota-warning { + executable = script /usr/local/bin/dovecot-quota-warning.sh + unix_listener quota-warning { + user = vmail + group = vmail + mode = 0660 + } +} + +service quota-status { + # '-p '. Currently only 'postfix' protocol is supported. 
+ executable = quota-status -p postfix + client_limit = 1 + inet_listener { + address = 127.0.0.1 + port = 12340 + } +} + +service dict { + unix_listener dict { + mode = 0660 + user = vmail + group = vmail + } +} dict { - #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext - #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext + #expire = db:/var/lib/dovecot/expire/expire.db + quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf + acl = mysql:/etc/dovecot/dovecot-share-folder.conf + lastlogin = mysql:/etc/dovecot/dovecot-last-login.conf +} + +protocol lda { + mail_plugins = $mail_plugins sieve + lda_mailbox_autocreate = yes + lda_mailbox_autosubscribe = yes +} + +protocol lmtp { + # Plugins + mail_plugins = $mail_plugins sieve + + # Address extension delivery + lmtp_save_to_detail_mailbox = yes + recipient_delimiter = + +} + +protocol imap { + mail_plugins = $mail_plugins imap_quota imap_acl last_login + imap_client_workarounds = tb-extra-mailbox-sep + + # Maximum number of IMAP connections allowed for a user from each IP address. + # NOTE: The username is compared case-sensitively. + # Default is 10. + # Increase it to avoid issue like below: + # "Maximum number of concurrent IMAP connections exceeded" + mail_max_userip_connections = 30 +} + +protocol pop3 { + mail_plugins = $mail_plugins last_login + pop3_client_workarounds = outlook-no-nuls oe-ns-eoh + pop3_uidl_format = %08Xu%08Xv + + # Maximum number of IMAP connections allowed for a user from each IP address. + # NOTE: The username is compared case-sensitively. + # Default is 10. 
+ mail_max_userip_connections = 30 + + # POP3 logout format string: + # %i - total number of bytes read from client + # %o - total number of bytes sent to client + # %t - number of TOP commands + # %p - number of bytes sent to client as a result of TOP command + # %r - number of RETR commands + # %b - number of bytes sent to client as a result of RETR command + # %d - number of deleted messages + # %m - number of messages (before deletion) + # %s - mailbox size in bytes (before deletion) + # Default format doesn't have 'in=%i, out=%o'. + #pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, in=%i, out=%o +} + +# Login processes. Refer to Dovecot wiki for more details: +# http://wiki2.dovecot.org/LoginProcess +service imap-login { + #inet_listener imap { + # port = 143 + #} + #inet_listener imaps { + # port = 993 + # ssl = yes + #} + + service_count = 1 + + # To avoid startup latency for new client connections, set process_min_avail + # to higher than zero. That many idling processes are always kept around + # waiting for new connections. 
+ #process_min_avail = 0 + + # number of simultaneous IMAP connections + process_limit = 500 + + # vsz_limit should be fine at its default 64MB value + #vsz_limit = 64M +} + +service pop3-login { + #inet_listener pop3 { + # port = 110 + #} + #inet_listener pop3s { + # port = 995 + # ssl = yes + #} + + service_count = 1 + + # number of simultaneous POP3 connections + #process_limit = 500 +} + +service managesieve-login { + inet_listener sieve { + # Listen on localhost (ipv4) + address = 127.0.0.1 + port = 4190 + } +} + +metric imap_command_finished { + event_name = imap_command_finished +} + +namespace { + type = private + separator = / + prefix = + inbox = yes + + # Refer to document for more details about alias mailbox: + # http://wiki2.dovecot.org/MailboxSettings + # + # Sent + mailbox Sent { + auto = subscribe + special_use = \Sent + } + mailbox "Sent Messages" { + auto = no + special_use = \Sent + } + mailbox "Sent Items" { + auto = no + special_use = \Sent + } + + mailbox Drafts { + auto = subscribe + special_use = \Drafts + } + + # Trash + mailbox Trash { + auto = subscribe + special_use = \Trash + } + + mailbox "Deleted Messages" { + auto = no + special_use = \Trash + } + + # Junk + mailbox Junk { + auto = subscribe + special_use = \Junk + } + mailbox Spam { + auto = no + special_use = \Junk + } + mailbox "Junk E-mail" { + auto = no + special_use = \Junk + } + + # Archive + mailbox Archive { + auto = no + special_use = \Archive + } + mailbox Archives { + auto = no + special_use = \Archive + } +} + +namespace { + type = shared + separator = / + prefix = Shared/%%u/ + location = maildir:%%Lh/Maildir/:INDEX=%%Lh/Maildir/Shared/%%Ld/%%Ln + + # this namespace should handle its own subscriptions or not. + subscriptions = yes + list = children } -# Most of the actual configuration gets included below. The filenames are -# first sorted by their ASCII value and parsed in that order. 
The 00-prefixes -# in filenames are intended to make it easier to understand the ordering. -!include conf.d/*.conf +# Public mailboxes. +# Refer to Dovecot wiki page for more details: +# http://wiki2.dovecot.org/SharedMailboxes/Public +#namespace { +# type = public +# separator = / +# prefix = Public/ +# location = maildir:/var/vmail/public:CONTROL=%Lh/Maildir/public:INDEXPVT=%Lh/Maildir/public +# +# # Allow users to subscribe to the public folders. +# subscriptions = yes +#} -# A config file can also tried to be included without giving an error if -# it's not found: -!include_try local.conf +!include_try /etc/dovecot/iredmail/*.conf diff --git a/dovecot/dovecot.conf.2021.04.08.22.02.11 b/dovecot/dovecot.conf.2021.04.08.22.02.11 new file mode 100644 index 0000000..c802011 --- /dev/null +++ b/dovecot/dovecot.conf.2021.04.08.22.02.11 
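Review bot: In the new `service auth {}` block the `dovecot-auth` and `auth-master` listeners get `mode = 0666` although each already has an explicit `user`/`group`, so any local account — not just postfix or vmail — can connect to the authentication socket directly and, via auth-master, perform userdb lookups. With `mode = 0660` on both, as the hunk already uses for `auth-userdb`, the group becomes the boundary; if only Postfix's smtpd and vmail-owned processes connect, nothing legitimate should break, but confirm the connecting uids with the daemons running before tightening. The TLS baseline (`ssl = required`, `ssl_min_protocol = TLSv1.2`) is sound; the quota-status, stats and managesieve `inet_listener`s are bound to 127.0.0.1, which is the right default for a single-host setup.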
@@ -0,0 +1,102 @@ +## Dovecot configuration file + +# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration + +# "doveconf -n" command gives a clean output of the changed settings. Use it +# instead of copy&pasting files when posting to the Dovecot mailing list. + +# '#' character and everything after it is treated as comments. Extra spaces +# and tabs are ignored. If you want to use either of these explicitly, put the +# value inside quotes, eg.: key = "# char and trailing whitespace " + +# Most (but not all) settings can be overridden by different protocols and/or +# source/destination IPs by placing the settings inside sections, for example: +# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { } + +# Default values are shown for each setting, it's not required to uncomment +# those. These are exceptions to this though: No sections (e.g. namespace {}) +# or plugin settings are added by default, they're listed only as examples. +# Paths are also just examples with the real defaults being based on configure +# options. The paths listed here are for configure --prefix=/usr +# --sysconfdir=/etc --localstatedir=/var + +# Enable installed protocols +!include_try /usr/share/dovecot/protocols.d/*.protocol + +# A comma separated list of IPs or hosts where to listen in for connections. +# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces. +# If you want to specify non-default ports or anything more complex, +# edit conf.d/master.conf. +#listen = *, :: + +# Base directory where to store runtime data. +#base_dir = /var/run/dovecot/ + +# Name of this instance. In multi-instance setup doveadm and other commands +# can use -i to select which instance is used (an alternative +# to -c ). The instance name is also added to Dovecot processes +# in ps output. +#instance_name = dovecot + +# Greeting message for clients. +#login_greeting = Dovecot ready. + +# Space separated list of trusted network ranges. 
Connections from these +# IPs are allowed to override their IP addresses and ports (for logging and +# for authentication checks). disable_plaintext_auth is also ignored for +# these networks. Typically you'd specify your IMAP proxy servers here. +#login_trusted_networks = + +# Space separated list of login access check sockets (e.g. tcpwrap) +#login_access_sockets = + +# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do +# proxying. This isn't necessary normally, but may be useful if the destination +# IP is e.g. a load balancer's IP. +#auth_proxy_self = + +# Show more verbose process titles (in ps). Currently shows user name and +# IP address. Useful for seeing who are actually using the IMAP processes +# (eg. shared mailboxes or if same uid is used for multiple accounts). +#verbose_proctitle = no + +# Should all processes be killed when Dovecot master process shuts down. +# Setting this to "no" means that Dovecot can be upgraded without +# forcing existing client connections to close (although that could also be +# a problem if the upgrade is e.g. because of a security fix). +#shutdown_clients = yes + +# If non-zero, run mail commands via this many connections to doveadm server, +# instead of running them directly in the same process. +#doveadm_worker_count = 0 +# UNIX socket or host:port used for connecting to doveadm server +#doveadm_socket_path = doveadm-server + +# Space separated list of environment variables that are preserved on Dovecot +# startup and passed down to all of its child processes. You can also give +# key=value pairs to always set specific settings. +#import_environment = TZ + +## +## Dictionary server settings +## + +# Dictionary can be used to store key=value lists. This is used by several +# plugins. The dictionary can be accessed either directly or though a +# dictionary server. The following dict block maps dictionary names to URIs +# when the server is used. 
These can then be referenced using URIs in format +# "proxy::". + +dict { + #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext + #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext +} + +# Most of the actual configuration gets included below. The filenames are +# first sorted by their ASCII value and parsed in that order. The 00-prefixes +# in filenames are intended to make it easier to understand the ordering. +!include conf.d/*.conf + +# A config file can also tried to be included without giving an error if +# it's not found: +!include_try local.conf diff --git a/group b/group index 30280eb..8a4ad65 100644 --- a/group +++ b/group @@ -2,7 +2,7 @@ root:x:0:frank daemon:x:1:frank bin:x:2:frank sys:x:3:frank -adm:x:4: +adm:x:4:netdata tty:x:5:frank disk:x:6:frank lp:x:7:frank @@ -10,7 +10,7 @@ mail:x:8:frank news:x:9: uucp:x:10: man:x:12:frank -proxy:x:13: +proxy:x:13:netdata kmem:x:15: dialout:x:20: fax:x:21: @@ -60,4 +60,9 @@ clamav:x:119: dovecot:x:120: dovenull:x:121: debian-spamd:x:122: -amavis:x:123: +amavis:x:123:clamav +vmail:x:2000: +mlmmj:x:2003: +iredadmin:x:2001: +iredapd:x:2002: +netdata:x:2004: diff --git a/group- b/group- index 97d70ac..25433ec 100644 --- a/group- +++ b/group- @@ -2,7 +2,7 @@ root:x:0:frank daemon:x:1:frank bin:x:2:frank sys:x:3:frank -adm:x:4: +adm:x:4:netdata tty:x:5:frank disk:x:6:frank lp:x:7:frank @@ -60,3 +60,9 @@ clamav:x:119: dovecot:x:120: dovenull:x:121: debian-spamd:x:122: +amavis:x:123:clamav +vmail:x:2000: +mlmmj:x:2003: +iredadmin:x:2001: +iredapd:x:2002: +netdata:x:2004: diff --git a/gshadow b/gshadow index d9f8917..e5ce203 100644 --- a/gshadow +++ b/gshadow @@ -2,7 +2,7 @@ root:*::frank daemon:*::frank bin:*::frank sys:*::frank -adm:*:: +adm:*::netdata tty:*::frank disk:*::frank lp:*::frank @@ -10,7 +10,7 @@ mail:*::frank news:*:: uucp:*:: man:*::frank -proxy:*:: +proxy:*::netdata kmem:*:: dialout:*:: fax:*:: 
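Review bot: Adding `netdata` to `adm` (and `proxy`) in the first `group` hunk grants the monitoring daemon group-read on everything under /var/log that is adm-readable — presumably so its collectors can tail the web and mail logs — which includes authentication and mail logs carrying addresses, source IPs and usernames. If only a few files are needed, a file-level ACL (`setfacl -m g:netdata:r /var/log/<file>`) or a dedicated log-reader group limits what a compromised netdata process can read to those files; `proxy` in particular has no counterpart elsewhere in this commit and is worth confirming as intentional. The same edits are mirrored in `group-`, `gshadow` and `gshadow-` (including the third gshadow hunk on the next line), so whatever is decided applies to all four.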
@@ -60,4 +60,9 @@ clamav:!:: dovecot:!:: dovenull:!:: debian-spamd:!:: -amavis:!:: +amavis:!::clamav +vmail:!:: +mlmmj:!:: +iredadmin:!:: +iredapd:!:: +netdata:!:: diff --git a/gshadow- b/gshadow- index 6dde24c..d4c00ca 100644 --- a/gshadow- +++ b/gshadow- @@ -2,7 +2,7 @@ root:*::frank daemon:*::frank bin:*::frank sys:*::frank -adm:*:: +adm:*::netdata tty:*::frank disk:*::frank lp:*::frank @@ -60,3 +60,9 @@ clamav:!:: dovecot:!:: dovenull:!:: debian-spamd:!:: +amavis:!::clamav +vmail:!:: +mlmmj:!:: +iredadmin:!:: +iredapd:!:: +netdata:!:: diff --git a/iredmail-release b/iredmail-release new file mode 100644 index 0000000..9284142 --- /dev/null +++ b/iredmail-release @@ -0,0 +1,2 @@ +1.3.2 MARIADB edition. +# Get professional support from iRedMail Team: http://www.iredmail.org/support.html diff --git a/logrotate.d/dovecot b/logrotate.d/dovecot new file mode 100644 index 0000000..6d4ba30 --- /dev/null +++ b/logrotate.d/dovecot @@ -0,0 +1,13 @@ +/var/log/dovecot/*.log { + weekly + rotate 10 + missingok + compress + delaycompress + notifempty + sharedscripts + + postrotate + + endscript +} diff --git a/logrotate.d/iredapd b/logrotate.d/iredapd new file mode 100644 index 0000000..043d2b9 --- /dev/null +++ b/logrotate.d/iredapd @@ -0,0 +1,13 @@ +/var/log/iredapd/*.log { + weekly + rotate 10 + missingok + compress + delaycompress + notifempty + sharedscripts + + postrotate + + endscript +} diff --git a/logrotate.d/mlmmjadmin b/logrotate.d/mlmmjadmin new file mode 100644 index 0000000..11ed152 --- /dev/null +++ b/logrotate.d/mlmmjadmin @@ -0,0 +1,13 @@ +/var/log/mlmmjadmin/*.log { + weekly + rotate 10 + missingok + compress + delaycompress + notifempty + sharedscripts + + postrotate + + endscript +} diff --git a/logrotate.d/netdata b/logrotate.d/netdata new file mode 100644 index 0000000..603a814 --- /dev/null +++ b/logrotate.d/netdata 
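Review bot: The `postrotate` block in logrotate.d/dovecot is empty, so nothing tells the writer to reopen /var/log/dovecot/*.log after rotation; if these files are produced by rsyslog (dovecot.conf in this same commit sets `syslog_facility = local5`), rsyslog keeps its descriptor on the renamed file and the new log stays empty until the next daemon restart, which silently breaks log-based alerting and forensics for that week. logrotate.d/iredapd and logrotate.d/mlmmjadmin on this line have the same empty block. Each file needs the reopen mechanism matching its writer — a HUP to rsyslog, `doveadm log reopen` if Dovecot writes the file itself, or `copytruncate` when the writer is unknown, at the cost of possibly losing lines written during the copy — so confirm which process owns each file before choosing.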
@@ -0,0 +1,12 @@
+/opt/netdata/var/log/netdata/*.log {
+ daily
+ missingok
+ rotate 14
+ compress
+ delaycompress
+ notifempty
+ sharedscripts
+ postrotate
+ /bin/kill -HUP `cat /opt/netdata/var/run/netdata/netdata.pid 2>/dev/null` 2>/dev/null || true
+ endscript
+}
diff --git a/logrotate.d/php7.3-fpm b/logrotate.d/php7.3-fpm
index 124db40..9164038 100644
--- a/logrotate.d/php7.3-fpm
+++ b/logrotate.d/php7.3-fpm
@@ -1,11 +1,13 @@
-/var/log/php7.3-fpm.log {
- rotate 12
- weekly
- missingok
- notifempty
- compress
- delaycompress
- postrotate
- /usr/lib/php/php7.3-fpm-reopenlogs
- endscript
+/var/log/php-fpm/*.log {
+ weekly
+ rotate 10
+ missingok
+ compress
+ delaycompress
+ notifempty
+ sharedscripts
+
+ postrotate
+ /bin/kill -SIGUSR1 `cat /run/php/php-fpm.pid 2>/dev/null` 2>/dev/null || true
+ endscript
 }
diff --git a/mysql/my.cnf b/mysql/my.cnf
deleted file mode 120000
index 18bea13..0000000
--- a/mysql/my.cnf
+++ /dev/null
@@ -1 +0,0 @@
-/etc/alternatives/my.cnf
\ No newline at end of file
diff --git a/mysql/my.cnf b/mysql/my.cnf
new file mode 100644
index 0000000..94d8f10
--- /dev/null
+++ b/mysql/my.cnf
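Review bot: Both postrotate lines on this line — logrotate.d/netdata and the rewritten logrotate.d/php7.3-fpm — have root run `/bin/kill` against whatever pid `cat` reads from a pid file, with all errors discarded; if the pid file's directory is writable by the service user (likely for /opt/netdata/var/run/netdata, unverified for /run/php), a compromised or misbehaving service can make root signal an arbitrary process. Prefer asking the supervisor, e.g. `systemctl kill -s HUP netdata.service` and `systemctl kill -s USR1 php7.3-fpm.service` (or `systemctl reload`), so the signal reaches only that unit's cgroup; the php-fpm hunk also drops the packaged `/usr/lib/php/php7.3-fpm-reopenlogs` helper the old version called, and restoring that call is the smallest change if it is still installed. `|| true` is fine for keeping rotation going, but the inner `2>/dev/null` also hides a missing or stale pid file — let that error reach logrotate's report.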
@@ -0,0 +1,23 @@
+# The MariaDB configuration file
+#
+# The MariaDB/MySQL tools read configuration files in the following order:
+# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
+# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
+# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
+# 4. "~/.my.cnf" to set user-specific options.
+#
+# If the same option is defined multiple times, the last one will apply.
+#
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+
+#
+# This group is read both both by the client and the server
+# use it for options that affect everything
+#
+[client-server]
+
+# Import all .cnf files from configuration directory
+!includedir /etc/mysql/conf.d/
+!includedir /etc/mysql/mariadb.conf.d/
diff --git a/mysql/my.cnf.2021.04.08.22.02.11 b/mysql/my.cnf.2021.04.08.22.02.11
new file mode 100644
index 0000000..94d8f10
--- /dev/null
+++ b/mysql/my.cnf.2021.04.08.22.02.11
@@ -0,0 +1,23 @@
+# The MariaDB configuration file
+#
+# The MariaDB/MySQL tools read configuration files in the following order:
+# 1. "/etc/mysql/mariadb.cnf" (this file) to set global defaults,
+# 2. "/etc/mysql/conf.d/*.cnf" to set global options.
+# 3. "/etc/mysql/mariadb.conf.d/*.cnf" to set MariaDB-only options.
+# 4. "~/.my.cnf" to set user-specific options.
+#
+# If the same option is defined multiple times, the last one will apply.
+#
+# One can use all long options that the program supports.
+# Run program with --help to get a list of available options and with
+# --print-defaults to see which it would actually understand and use.
+
+#
+# This group is read both both by the client and the server
+# use it for options that affect everything
+#
+[client-server]
+
+# Import all .cnf files from configuration directory
+!includedir /etc/mysql/conf.d/
+!includedir /etc/mysql/mariadb.conf.d/
diff --git a/netdata b/netdata
new file mode 120000
index 0000000..1eed92a
--- /dev/null
+++ b/netdata
@@ -0,0 +1 @@
+/opt/netdata/etc/netdata
\ No newline at end of file
diff --git a/nginx/conf-available/0-general.conf b/nginx/conf-available/0-general.conf
new file mode 100644
index 0000000..3fe949f
--- /dev/null
+++ b/nginx/conf-available/0-general.conf
@@ -0,0 +1 @@
+map_hash_bucket_size 1024;
diff --git a/nginx/conf-available/cache.conf b/nginx/conf-available/cache.conf
new file mode 100644
index 0000000..4dd6942
--- /dev/null
+++ b/nginx/conf-available/cache.conf
@@ -0,0 +1,8 @@
+map $sent_http_content_type $expires {
+ default off;
+ application/x-javascript 1d;
+ text/css 1d;
+ ~image/ 1d;
+}
+
+expires $expires;
diff --git a/nginx/conf-available/client_max_body_size.conf b/nginx/conf-available/client_max_body_size.conf
new file mode 100644
index 0000000..356bcf9
--- /dev/null
+++ b/nginx/conf-available/client_max_body_size.conf
@@ -0,0 +1 @@
+client_max_body_size 12m;
diff --git a/nginx/conf-available/default_type.conf b/nginx/conf-available/default_type.conf
new file mode 100644
index 0000000..29447da
--- /dev/null
+++ b/nginx/conf-available/default_type.conf
@@ -0,0 +1 @@
+default_type application/octet-stream;
diff --git a/nginx/conf-available/gzip.conf b/nginx/conf-available/gzip.conf
new file mode 100644
index 0000000..09c9e84
--- /dev/null
+++ b/nginx/conf-available/gzip.conf
@@ -0,0 +1,41 @@
+gzip on;
+gzip_vary on;
+gzip_http_version 1.0;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_min_length 10240;
+gzip_proxied any;
+gzip_disable "MSIE [1-6]\.";
+
+# text/html is always compressed.
+gzip_types
+ text/plain
+ text/css
+ text/xml
+ text/javascript
+ text/json
+ text/vcard
+ text/cache-manifest
+ text/vnd.rim.location.xloc
+ text/vtt
+ text/x-component
+ text/x-cross-domain-policy
+ image/bmp
+ image/vnd.microsoft.icon
+ image/x-icon
+ image/svg+xml
+ font/truetype
+ font/opentype
+ application/atom+xml
+ application/javascript
+ application/json
+ application/ld+json
+ application/vnd.geo+json
+ application/manifest+json
+ application/x-javascript
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ application/xml
+ application/xml+rss
+ application/xhtml+xml
+ application/vnd.ms-fontobject;
diff --git a/nginx/conf-available/headers.conf b/nginx/conf-available/headers.conf
new file mode 100644
index 0000000..27cb373
--- /dev/null
+++ b/nginx/conf-available/headers.conf
@@ -0,0 +1,7 @@
+add_header X-Frame-Options sameorigin;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection '1; mode=block';
+add_header X-Download-Options noopen;
+add_header X-Permitted-Cross-Domain-Policies none;
+add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
+add_header Referrer-Policy strict-origin;
diff --git a/nginx/conf-available/log.conf b/nginx/conf-available/log.conf
new file mode 100644
index 0000000..2e3046e
--- /dev/null
+++ b/nginx/conf-available/log.conf
@@ -0,0 +1,2 @@
+access_log /var/log/nginx/access.log;
+error_log /var/log/nginx/error.log;
diff --git a/nginx/conf-available/mime_types.conf b/nginx/conf-available/mime_types.conf
new file mode 100644
index 0000000..816a04e
--- /dev/null
+++ b/nginx/conf-available/mime_types.conf
@@ -0,0 +1 @@
+include /etc/nginx/mime.types;
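Review bot: The `Content-Security-Policy` in headers.conf, `default-src https: data: 'unsafe-inline' 'unsafe-eval'`, permits inline and eval'd script plus any https origin, so it stops essentially nothing an injected script would need and, together with the deprecated `X-XSS-Protection`, gives more a sense of coverage than actual coverage. A policy worth the name lists the origins actually used — start from `default-src 'self'` and work out the web apps' real needs with `Content-Security-Policy-Report-Only` before enforcing. Also note nginx's inheritance rule for `add_header`: any `server` or `location` block that sets its own `add_header` silently drops every header from this include, so verify on each vhost that these are actually emitted, and if the vhosts are HTTPS-only a `Strict-Transport-Security` header belongs in the same file.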
diff --git a/nginx/conf-available/php_fpm.conf b/nginx/conf-available/php_fpm.conf
new file mode 100644
index 0000000..df57ce6
--- /dev/null
+++ b/nginx/conf-available/php_fpm.conf
@@ -0,0 +1,3 @@
+upstream php_workers {
+ server 127.0.0.1:9999;
+}
diff --git a/nginx/conf-available/sendfile.conf b/nginx/conf-available/sendfile.conf
new file mode 100644
index 0000000..af4702d
--- /dev/null
+++ b/nginx/conf-available/sendfile.conf
@@ -0,0 +1 @@
+sendfile on;
diff --git a/nginx/conf-available/server_tokens.conf b/nginx/conf-available/server_tokens.conf
new file mode 100644
index 0000000..e0caf96
--- /dev/null
+++ b/nginx/conf-available/server_tokens.conf
@@ -0,0 +1,2 @@
+# Hide Nginx version number
+server_tokens off;
diff --git a/nginx/conf-available/types_hash_max_size.conf b/nginx/conf-available/types_hash_max_size.conf
new file mode 100644
index 0000000..694e14d
--- /dev/null
+++ b/nginx/conf-available/types_hash_max_size.conf
@@ -0,0 +1 @@
+types_hash_max_size 2048;
diff --git a/nginx/conf-enabled/0-general.conf b/nginx/conf-enabled/0-general.conf
new file mode 120000
index 0000000..2146952
--- /dev/null
+++ b/nginx/conf-enabled/0-general.conf
@@ -0,0 +1 @@
+/etc/nginx/conf-available/0-general.conf
\ No newline at end of file
diff --git a/nginx/conf-enabled/cache.conf b/nginx/conf-enabled/cache.conf
new file mode 120000
index 0000000..3ced18d
--- /dev/null
+++ b/nginx/conf-enabled/cache.conf
@@ -0,0 +1 @@
+/etc/nginx/conf-available/cache.conf
\ No newline at end of file
diff --git a/nginx/conf-enabled/client_max_body_size.conf b/nginx/conf-enabled/client_max_body_size.conf
new file mode 120000
index 0000000..7eff5cf
--- /dev/null
+++ b/nginx/conf-enabled/client_max_body_size.conf
@@ -0,0 +1 @@
+/etc/nginx/conf-available/client_max_body_size.conf
\ No newline at end of file
diff --git a/nginx/conf-enabled/default_type.conf b/nginx/conf-enabled/default_type.conf
new file mode 120000
index 0000000..1c92f4e
--- /dev/null
+++ b/nginx/conf-enabled/default_type.conf
@@ -0,0 +1 @@ +/etc/nginx/conf-available/default_type.conf \ No newline at end of file diff --git a/nginx/conf-enabled/gzip.conf b/nginx/conf-enabled/gzip.conf new file mode 120000 index 0000000..b447a6d --- /dev/null +++ b/nginx/conf-enabled/gzip.conf @@ -0,0 +1 @@ +/etc/nginx/conf-available/gzip.conf \ No newline at end of file diff --git a/nginx/conf-enabled/headers.conf b/nginx/conf-enabled/headers.conf new file mode 120000 index 0000000..a97215a --- /dev/null +++ b/nginx/conf-enabled/headers.conf @@ -0,0 +1 @@ +/etc/nginx/conf-available/headers.conf \ No newline at end of file diff --git a/nginx/conf-enabled/log.conf b/nginx/conf-enabled/log.conf new file mode 120000 index 0000000..411cafe --- /dev/null +++ b/nginx/conf-enabled/log.conf @@ -0,0 +1 @@ +/etc/nginx/conf-available/log.conf \ No newline at end of file diff --git a/nginx/conf-enabled/mime_types.conf b/nginx/conf-enabled/mime_types.conf new file mode 120000 index 0000000..282a14b --- /dev/null +++ b/nginx/conf-enabled/mime_types.conf @@ -0,0 +1 @@ +/etc/nginx/conf-available/mime_types.conf \ No newline at end of file diff --git a/nginx/conf-enabled/php_fpm.conf b/nginx/conf-enabled/php_fpm.conf new file mode 120000 index 0000000..116274c --- /dev/null +++ b/nginx/conf-enabled/php_fpm.conf @@ -0,0 +1 @@ +/etc/nginx/conf-available/php_fpm.conf \ No newline at end of file diff --git a/nginx/conf-enabled/sendfile.conf b/nginx/conf-enabled/sendfile.conf new file mode 120000 index 0000000..4ccf4c4 --- /dev/null +++ b/nginx/conf-enabled/sendfile.conf @@ -0,0 +1 @@ +/etc/nginx/conf-available/sendfile.conf \ No newline at end of file diff --git a/nginx/conf-enabled/server_tokens.conf b/nginx/conf-enabled/server_tokens.conf new file mode 120000 index 0000000..d0159b4 --- /dev/null +++ b/nginx/conf-enabled/server_tokens.conf @@ -0,0 +1 @@ +/etc/nginx/conf-available/server_tokens.conf \ No newline at end of file 
diff --git a/nginx/conf-enabled/types_hash_max_size.conf b/nginx/conf-enabled/types_hash_max_size.conf
new file mode 120000
index 0000000..28f99e0
--- /dev/null
+++ b/nginx/conf-enabled/types_hash_max_size.conf
@@ -0,0 +1 @@
+/etc/nginx/conf-available/types_hash_max_size.conf
\ No newline at end of file
diff --git a/nginx/netdata.users b/nginx/netdata.users
new file mode 100644
index 0000000..aa1bd06
--- /dev/null
+++ b/nginx/netdata.users
@@ -0,0 +1 @@
+postmaster@brehm-berlin.de:{SSHA}ui9JiDic/BkCBDhyd4dzMOKZ/HGVCytg
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 132f680..0e82a68 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
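Review bot: nginx/netdata.users commits a live basic-auth credential for the postmaster account as a `{SSHA}` hash; salted SHA-1 is a fast hash, so any copy of this repository (including etckeeper history) allows cheap offline guessing. Generate the entry with a slow crypt scheme that `auth_basic_user_file` accepts, e.g. `openssl passwd -6` (SHA-512 crypt) or bcrypt where the system libcrypt supports it, rotate the password now that this hash is in history, and list `nginx/netdata.users` in etckeeper's `.gitignore` so the file is not tracked. The file should also be readable only by root and the nginx worker user.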
@@ -1,85 +1,12 @@ user www-data; -worker_processes auto; -pid /run/nginx.pid; -include /etc/nginx/modules-enabled/*.conf; +worker_processes 1; +pid /var/run/nginx.pid; events { - worker_connections 768; - # multi_accept on; + worker_connections 1024; } http { - - ## - # Basic Settings - ## - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - # server_tokens off; - - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - ## - # SSL Settings - ## - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE - ssl_prefer_server_ciphers on; - - ## - # Logging Settings - ## - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - ## - # Gzip Settings - ## - - gzip on; - - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - - ## - # Virtual Host Configs - ## - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; + include /etc/nginx/conf-enabled/*.conf; + include /etc/nginx/sites-enabled/*.conf; } - - -#mail { -# # See sample authentication script at: -# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript -# -# # auth_http localhost/auth.php; -# # pop3_capabilities "TOP" "USER"; -# # imap_capabilities "IMAP4rev1" "UIDPLUS"; -# -# server { -# listen localhost:110; -# protocol pop3; -# proxy on; -# } -# -# server { -# listen localhost:143; -# protocol imap; -# proxy on; -# } -#} diff --git a/nginx/nginx.conf.2021.04.08.22.02.11 b/nginx/nginx.conf.2021.04.08.22.02.11 new file mode 100644 index 0000000..132f680 --- /dev/null +++ b/nginx/nginx.conf.2021.04.08.22.02.11 
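Review bot: Dropping `include /etc/nginx/modules-enabled/*.conf;` from the top level means any dynamic module installed through that directory (the Debian `libnginx-mod-*` pattern) is no longer loaded, and a directive that depends on one may fail at `nginx -t`. If no module is needed this is fine, but keeping the include is harmless and avoids that surprise; re-add `include /etc/nginx/modules-enabled/*.conf;` after the `pid` line. `worker_processes auto` was replaced by a fixed `1`, which is a policy choice that deserves a comment. Removing the http-level `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` in favour of the per-server ssl.tmpl (TLSv1.2 only) is an improvement.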
@@ -0,0 +1,85 @@ +user www-data; +worker_processes auto; +pid /run/nginx.pid; +include /etc/nginx/modules-enabled/*.conf; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Logging Settings + ## + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # Virtual Host Configs + ## + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} + + +#mail { +# # See sample authentication script at: +# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript +# +# # auth_http localhost/auth.php; +# # pop3_capabilities "TOP" "USER"; +# # imap_capabilities "IMAP4rev1" "UIDPLUS"; +# +# server { +# listen localhost:110; +# protocol pop3; +# proxy on; +# } +# +# server { +# listen localhost:143; +# protocol imap; +# proxy on; +# } +#} diff --git a/nginx/sites-available/default b/nginx/sites-available.bak/default similarity index 100% rename from nginx/sites-available/default rename to nginx/sites-available.bak/default diff --git a/nginx/sites-available/00-default-ssl.conf b/nginx/sites-available/00-default-ssl.conf new file mode 100644 index 0000000..50488bd --- /dev/null +++ b/nginx/sites-available/00-default-ssl.conf 
@@ -0,0 +1,21 @@ +# +# Note: This file must be loaded before other virtual host config files, +# +# HTTPS +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name _; + + root /var/www/html; + index index.php index.html; + + include /etc/nginx/templates/misc.tmpl; + include /etc/nginx/templates/ssl.tmpl; + include /etc/nginx/templates/iredadmin.tmpl; + include /etc/nginx/templates/roundcube.tmpl; + include /etc/nginx/templates/sogo.tmpl; + include /etc/nginx/templates/netdata.tmpl; + include /etc/nginx/templates/php-catchall.tmpl; + include /etc/nginx/templates/stub_status.tmpl; +} diff --git a/nginx/sites-available/00-default.conf b/nginx/sites-available/00-default.conf new file mode 100644 index 0000000..f4091b2 --- /dev/null +++ b/nginx/sites-available/00-default.conf @@ -0,0 +1,14 @@ +# +# Note: This file must be loaded before other virtual host config files, +# +# HTTP +server { + # Listen on ipv4 + listen 80; + listen [::]:80; + + server_name _; + + # Redirect all insecure http:// requests to https:// + return 301 https://$host$request_uri; +} diff --git a/nginx/sites-enabled/default b/nginx/sites-enabled.bak/default similarity index 100% rename from nginx/sites-enabled/default rename to nginx/sites-enabled.bak/default diff --git a/nginx/sites-enabled/00-default-ssl.conf b/nginx/sites-enabled/00-default-ssl.conf new file mode 120000 index 0000000..f008663 --- /dev/null +++ b/nginx/sites-enabled/00-default-ssl.conf @@ -0,0 +1 @@ +/etc/nginx/sites-available/00-default-ssl.conf \ No newline at end of file diff --git a/nginx/sites-enabled/00-default.conf b/nginx/sites-enabled/00-default.conf new file mode 120000 index 0000000..3f962f6 --- /dev/null +++ b/nginx/sites-enabled/00-default.conf @@ -0,0 +1 @@ +/etc/nginx/sites-available/00-default.conf \ No newline at end of file diff --git a/nginx/templates/adminer.tmpl b/nginx/templates/adminer.tmpl new file mode 100644 index 0000000..ee30159 --- /dev/null +++ b/nginx/templates/adminer.tmpl 
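Review bot: The redirect `return 301 https://$host$request_uri;` in 00-default.conf sits in a `server_name _` catch-all, so `$host` is whatever Host header the client supplied and the server will redirect to a name it does not own; the same applies to the `rewrite ^ https://$host...` lines in redirect_to_https.tmpl and the `x-webobjects-server-url https://$host` header in the SOGo templates later in this commit. Because these vhosts answer for every name, prefer the configured host name or `$server_name` in redirects, or add a `default_server` that answers unknown names with `return 444;` and give the real vhosts explicit `server_name` values. 00-default-ssl.conf also has no `default_server` flag on its `listen 443` lines, so it is the default only while it remains the first 443 listener parsed.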
@@ -0,0 +1,46 @@ +# Sample setting for Adminer: http://adminer.org/ + +# ----------------------------------------- +# How to get it working: +# +# mkdir /opt/www/adminer +# cd /opt/www/adminer +# wget http://www.adminer.org/latest.php +# chmod +x latest.php +# +# Warning: for security concern, it's recommended to change the URL '/adminer' +# to another random string to avoid login attempts from bad guys. +# for example, change the url to '^/HIoWCwogSHukIbGL'. +# +# ----------------------------------------- +# If you cannot login to MySQL server as root user: +# +# New MySQL or MariaDB support plugin authentication, by default, the root +# account has setting `user.plugin=unix_socket` (in `mysql` database). The +# `auth_socket` authentication plugin authenticates clients that connect from +# the local host through the Unix socket file, this prevents access via network +# connection, including Adminer. To make it working, please disable this +# authentication plugin with sql commands below: +# +# sql> USE mysql; +# sql> UPDATE user SET plugin='' WHERE User='root'; +# +# Refer to MySQL document for more details: +# https://dev.mysql.com/doc/refman/5.7/en/socket-authentication-plugin.html + +location ~ ^/adminer$ { + include /etc/nginx/templates/hsts.tmpl; + include /etc/nginx/templates/fastcgi_php.tmpl; + + fastcgi_param SCRIPT_FILENAME /opt/www/adminer/latest.php; + + # Access control + #allow 127.0.0.1; + #allow 192.168.1.10; + #allow 192.168.1.0/24; + #deny all; +} + +location ~ ^/adminer.css$ { + alias /opt/www/adminer/adminer.css; +} diff --git a/nginx/templates/fastcgi_php.tmpl b/nginx/templates/fastcgi_php.tmpl new file mode 100644 index 0000000..d5033c5 --- /dev/null +++ b/nginx/templates/fastcgi_php.tmpl 
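Review bot: The setup comment tells the operator to fetch executable PHP code with `wget http://www.adminer.org/latest.php` over plain HTTP, with no integrity check, and install it into the web root; change the instruction to `https://www.adminer.org/latest.php` and to verify the download against a trusted release before deploying it. The `location ~ ^/adminer$` block ships with every `allow`/`deny` line commented out, so if this template is ever included (00-default-ssl.conf in this commit does not include it) the database admin UI is reachable by anyone who finds the path; the renamed-URL advice is obscurity, not access control, so enabling the `allow`/`deny` block or adding `auth_basic` should be the documented baseline. `chmod +x latest.php` is unnecessary for a file executed via FastCGI and can be dropped from the instructions.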
@@ -0,0 +1,17 @@ +# +# Template used to handle PHP fastcgi applications +# +# You still need to define `SCRIPT_FILENAME` for your PHP application, and +# probably `fastcgi_index` if your application use different index file. +# +include fastcgi_params; + +# Directory index file +fastcgi_index index.php; + +# Handle PHP files with upstream handler +fastcgi_pass php_workers; + +# Fix the HTTPROXY issue. +# Reference: https://httpoxy.org/ +fastcgi_param HTTP_PROXY ''; diff --git a/nginx/templates/hsts.tmpl b/nginx/templates/hsts.tmpl new file mode 100644 index 0000000..1274071 --- /dev/null +++ b/nginx/templates/hsts.tmpl @@ -0,0 +1,17 @@ +# Use HTTP Strict Transport Security to force client to use secure +# connections only. References: +# +# * RFC Document (6797): HTTP Strict Transport Security (HSTS) +# https://tools.ietf.org/html/rfc6797#section-6.1.2 +# +# * Short tutorial from Mozilla: +# https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security +# +# WARNING: According to RFC document, HSTS will fail with self-signed SSL +# certificate. +# https://tools.ietf.org/html/rfc6797#page-27 +# +# Syntax: +# +# Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload] +add_header Strict-Transport-Security "max-age=31536000"; diff --git a/nginx/templates/iredadmin-subdomain.tmpl b/nginx/templates/iredadmin-subdomain.tmpl new file mode 100644 index 0000000..e3f1b4c --- /dev/null +++ b/nginx/templates/iredadmin-subdomain.tmpl @@ -0,0 +1,16 @@ +# +# Run iRedAdmin as a sub-domain virtual host. +# +include /etc/nginx/templates/hsts.tmpl; + +location / { + root /opt/www/iredadmin; + uwsgi_pass 127.0.0.1:7791; + uwsgi_param UWSGI_CHDIR /opt/www/iredadmin; + uwsgi_param UWSGI_SCRIPT iredadmin; + include uwsgi_params; +} + +location /static { + alias /opt/www/iredadmin/static; +} diff --git a/nginx/templates/iredadmin.tmpl b/nginx/templates/iredadmin.tmpl new file mode 100644 index 0000000..a7508b1 --- /dev/null 
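Review bot: `add_header Strict-Transport-Security "max-age=31536000";` in hsts.tmpl lacks the `always` flag, so nginx omits the header on 4xx/5xx responses while RFC 6797 expects the policy on every HTTPS response; use `add_header Strict-Transport-Security "max-age=31536000" always;`. The comment documents `includeSubDomains` and `preload` but the directive uses neither; a one-line comment stating that this is deliberate would save the next maintainer a question.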
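Review bot: `location /static { alias /opt/www/iredadmin/static; }` in iredadmin-subdomain.tmpl is the alias-without-trailing-slash pattern: the prefix `/static` matches any URI that merely begins with those characters, and `alias` substitutes the prefix verbatim, so a URI whose next characters are dot segments maps to a path under the parent directory `/opt/www/iredadmin/`, where the application code and its settings live. Use matching trailing slashes on both sides: `location /static/ { alias /opt/www/iredadmin/static/; }`. The regex form `^/iredadmin/static/(.*)` in iredadmin.tmpl does not have this problem because the captured part always follows a slash.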
+++ b/nginx/templates/iredadmin.tmpl @@ -0,0 +1,35 @@ +# Settings for iRedAdmin. + +# static files under /iredadmin/static +location ~ ^/iredadmin/static/(.*) { + alias /opt/www/iredadmin/static/$1; +} + +# Python scripts +location ~ ^/iredadmin(.*) { + rewrite ^/iredadmin(/.*)$ $1 break; + + include /etc/nginx/templates/hsts.tmpl; + + include uwsgi_params; + uwsgi_pass 127.0.0.1:7791; + uwsgi_param UWSGI_CHDIR /opt/www/iredadmin; + uwsgi_param UWSGI_SCRIPT iredadmin; + uwsgi_param SCRIPT_NAME /iredadmin; + + # Access control + #allow 127.0.0.1; + #allow 192.168.1.10; + #allow 192.168.1.0/24; + #deny all; +} + +# iRedAdmin: redirect /iredadmin to /iredadmin/ +location = /iredadmin { + rewrite ^ /iredadmin/; +} + +# Handle newsletter-style subscription/unsubscription supported in iRedAdmin-Pro. +location ~ ^/newsletter/ { + rewrite /newsletter/(.*) /iredadmin/newsletter/$1 last; +} diff --git a/nginx/templates/misc.tmpl b/nginx/templates/misc.tmpl new file mode 100644 index 0000000..e356af4 --- /dev/null +++ b/nginx/templates/misc.tmpl @@ -0,0 +1,15 @@ +# Allow access to '^/.well-known/' +location ~ ^/.well-known/ { + allow all; + access_log off; + log_not_found off; + autoindex off; + #root /var/www/html; +} + +# Deny all attempts to access hidden files such as .htaccess. +location ~ /\. { deny all; } + +# Handling noisy messages +location = /favicon.ico { access_log off; log_not_found off; } +location = /robots.txt { access_log off; log_not_found off; } diff --git a/nginx/templates/netdata-subdomain.tmpl b/nginx/templates/netdata-subdomain.tmpl new file mode 100644 index 0000000..5b7bcbf --- /dev/null +++ b/nginx/templates/netdata-subdomain.tmpl 
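Review bot: In misc.tmpl the dot in `location ~ ^/.well-known/` is unescaped, so the allow-list is looser than intended (any single character matches there); write `location ~ ^/\.well-known/ {`. Regex locations are evaluated in order, so this block must stay above `location ~ /\. { deny all; }` for ACME challenges under `/.well-known/acme-challenge/` to keep working; a short comment saying so would protect that ordering.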
@@ -0,0 +1,22 @@ +# +# Run netdata as a sub-domain virtual host. +# +# FYI: https://github.com/firehol/netdata/wiki/Running-behind-nginx + +location / { + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass http://127.0.0.1:19999; + proxy_http_version 1.1; + proxy_pass_request_headers on; + proxy_set_header Connection "keep-alive"; + proxy_store off; + + gzip on; + gzip_proxied any; + gzip_types *; + + auth_basic "Authentication Required"; + auth_basic_user_file /etc/nginx/netdata.users; +} diff --git a/nginx/templates/netdata.tmpl b/nginx/templates/netdata.tmpl new file mode 100644 index 0000000..df8d0cb --- /dev/null +++ b/nginx/templates/netdata.tmpl @@ -0,0 +1,27 @@ +# Running netdata as a subfolder to an existing virtual host +# FYI: https://github.com/firehol/netdata/wiki/Running-behind-nginx + +location = /netdata { + return 301 /netdata/; +} + +location ~ /netdata/(?.*) { + proxy_redirect off; + proxy_set_header Host $host; + + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_http_version 1.1; + proxy_pass_request_headers on; + proxy_set_header Connection "keep-alive"; + proxy_store off; + proxy_pass http://127.0.0.1:19999/$ndpath$is_args$args; + + gzip on; + gzip_proxied any; + gzip_types *; + + auth_basic "Authentication Required"; + auth_basic_user_file /etc/nginx/netdata.users; +} diff --git a/nginx/templates/php-catchall.tmpl b/nginx/templates/php-catchall.tmpl new file mode 100644 index 0000000..3419c04 --- /dev/null +++ b/nginx/templates/php-catchall.tmpl @@ -0,0 +1,6 @@ +# Normal PHP scripts +location ~ \.php$ { + include /etc/nginx/templates/fastcgi_php.tmpl; + + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; +} 
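Review bot: The capture in `location ~ /netdata/(?.*) {` in netdata.tmpl is incomplete: `$ndpath` in `proxy_pass http://127.0.0.1:19999/$ndpath$is_args$args;` needs a named group, i.e. `location ~ ^/netdata/(?<ndpath>.*) {`. If the angle-bracket name was lost only in how this page was rendered, disregard; as written nginx rejects the pattern at config test. Adding the `^` anchor also stops the pattern from matching `/netdata/` anywhere inside a longer URI.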
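Review bot: `location ~ \.php$` in php-catchall.tmpl forwards every URI ending in `.php` to PHP-FPM with `SCRIPT_FILENAME $document_root$fastcgi_script_name` and no existence check, so requests for scripts that do not exist still reach FPM and the configuration relies entirely on FPM's `security.limit_extensions` to refuse non-PHP files reached through PATH_INFO-style URIs. Add `try_files $uri =404;` as the first line of the block so nginx only forwards scripts that exist under `$document_root`; the `\.php$` block in roundcube-subdomain.tmpl later in this commit, which sets a `root`, needs the same line.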
diff --git a/nginx/templates/redirect_to_https.tmpl b/nginx/templates/redirect_to_https.tmpl new file mode 100644 index 0000000..8017123 --- /dev/null +++ b/nginx/templates/redirect_to_https.tmpl @@ -0,0 +1,5 @@ +# Redirect webmail/SOGo/iredadmin to HTTPS +location ~ ^/mail { rewrite ^ https://$host$request_uri?; } +location ~ ^/mail/index.php$ { rewrite ^ https://$host/mail/; } +location ~* ^/sogo { rewrite ^ https://$host/SOGo; } +location ~ ^/iredadmin { rewrite ^ https://$host$request_uri?; } diff --git a/nginx/templates/roundcube-subdomain.tmpl b/nginx/templates/roundcube-subdomain.tmpl new file mode 100644 index 0000000..ae01722 --- /dev/null +++ b/nginx/templates/roundcube-subdomain.tmpl @@ -0,0 +1,26 @@ +# +# Run Roundcube as a sub-domain virtual host. +# +# Block access to default directories and files under these directories +location ~ ^/(bin|config|installer|logs|SQL|temp|vendor)/.* { deny all; } + +# Block access to default files under top-directory and files start with same name. +location ~ ^/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)$ { deny all; } + +# Block plugin config files and sample config files. +location ~ ^/plugins/.*/config.inc.php.* { deny all; } + +# Block access to plugin data +location ~ ^/plugins/enigma/home($|/.*) { deny all; } + +location / { + root /opt/www/roundcubemail; + index index.php index.html; + include /etc/nginx/templates/hsts.tmpl; +} + +location ~ \.php$ { + root /opt/www/roundcubemail; + include /etc/nginx/templates/fastcgi_php.tmpl; + fastcgi_param SCRIPT_FILENAME /opt/www/roundcubemail$fastcgi_script_name; +} diff --git a/nginx/templates/roundcube.tmpl b/nginx/templates/roundcube.tmpl new file mode 100644 index 0000000..d4c3f5a --- /dev/null +++ b/nginx/templates/roundcube.tmpl 
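Review bot: The comment in roundcube-subdomain.tmpl says "files start with same name", but `location ~ ^/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)$ { deny all; }` is anchored with `$`, so `README.md`, `INSTALL.txt` or `CHANGELOG.md` in the Roundcube top directory remain served, whereas roundcube.tmpl in this commit uses `($|.*)` for the same list. Make the two consistent: `location ~ ^/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; }`. The subdomain variant also has no equivalent of misc.tmpl's `location ~ /\. { deny all; }`, so hidden files are not blocked unless the enclosing server block (not in this hunk) includes it.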
@@ -0,0 +1,30 @@ +# +# Running Roundcube as a subfolder on an existing virtual host +# +# Block access to default directories and files under these directories +location ~ ^/mail/(bin|config|installer|logs|SQL|temp|vendor)($|/.*) { deny all; } + +# Block access to default files under top-directory and files start with same name. +location ~ ^/mail/(CHANGELOG|composer.json|INSTALL|jsdeps.json|LICENSE|README|UPGRADING)($|.*) { deny all; } + +# Block plugin config files and sample config files. +location ~ ^/mail/plugins/.*/config.inc.php.* { deny all; } + +# Block access to plugin data +location ~ ^/mail/plugins/enigma/home($|/.*) { deny all; } + +# Redirect URI `/mail` to `/mail/`. +location = /mail { + return 301 /mail/; +} + +location ~ ^/mail/(.*\.php)$ { + include /etc/nginx/templates/hsts.tmpl; + include /etc/nginx/templates/fastcgi_php.tmpl; + fastcgi_param SCRIPT_FILENAME /opt/www/roundcubemail/$1; +} + +location ~ ^/mail/(.*) { + alias /opt/www/roundcubemail/$1; + index index.php; +} diff --git a/nginx/templates/sogo-subdomain.tmpl b/nginx/templates/sogo-subdomain.tmpl new file mode 100644 index 0000000..025656d --- /dev/null +++ b/nginx/templates/sogo-subdomain.tmpl 
@@ -0,0 +1,65 @@ +# +# Run SOGo as a sub-domain virtual host. +# + +root /usr/lib/GNUstep/SOGo/WebServerResources; + +location / { + rewrite ^ https://$host/SOGo; +} + +# For Mac OS X and iOS devices. +rewrite ^/.well-known/caldav /SOGo/dav permanent; +rewrite ^/.well-known/carddav /SOGo/dav permanent; +rewrite ^/principals /SOGo/dav permanent; + +include /etc/nginx/templates/hsts.tmpl; + +location ^~ /SOGo { + proxy_pass http://127.0.0.1:20000; + + # forward user's IP address + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + + # always use https + proxy_set_header x-webobjects-server-port $server_port; + proxy_set_header x-webobjects-server-name $host; + proxy_set_header x-webobjects-server-url https://$host; + + proxy_set_header x-webobjects-server-protocol HTTP/1.0; +} + +location ^~ /Microsoft-Server-ActiveSync { + proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync; + + proxy_connect_timeout 3540; + proxy_send_timeout 3540; + proxy_read_timeout 3540; +} + +location ^~ /SOGo/Microsoft-Server-ActiveSync { + proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync; + + proxy_connect_timeout 3540; + proxy_send_timeout 3540; + proxy_read_timeout 3540; +} + +location /SOGo.woa/WebServerResources/ { + alias /usr/lib/GNUstep/SOGo/WebServerResources/; + expires max; +} +location /SOGo/WebServerResources/ { + alias /usr/lib/GNUstep/SOGo/WebServerResources/; + expires max; +} +location ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ { + alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; + expires max; +} +location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) { + alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; + expires max; +} diff --git a/nginx/templates/sogo.tmpl b/nginx/templates/sogo.tmpl new file mode 100644 index 0000000..3fd34e6 --- /dev/null +++ b/nginx/templates/sogo.tmpl 
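Review bot: The last two blocks in sogo-subdomain.tmpl are not regex locations: `location ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {` and `location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {` lack the `~` modifier, so nginx treats the pattern text as a literal prefix that never matches and the `$1`/`$2` used in their `alias` lines are never populated. The intended form is `location ~ ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {`; the second block's outer parentheses capture the whole path as `$1` and the extension as `$2`, which does not fit `alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;`, so it should be rewritten with explicit groups or removed. The same missing `~` appears in sogo.tmpl in this commit. As far as this hunk shows, those requests fall through to `location ^~ /SOGo` and are served by the SOGo daemon, so the effect is extra proxy load rather than exposure.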
@@ -0,0 +1,60 @@ +# Settings for SOGo Groupware + +# SOGo +location ~ ^/sogo { rewrite ^ https://$host/SOGo; } +location ~ ^/SOGO { rewrite ^ https://$host/SOGo; } + +# Redirect /mail to /SOGo +#location ~ ^/mail { rewrite ^ https://$host/SOGo; } + +# For Mac OS X and iOS devices. +rewrite ^/.well-known/caldav /SOGo/dav permanent; +rewrite ^/.well-known/carddav /SOGo/dav permanent; +rewrite ^/principals /SOGo/dav permanent; + +location ^~ /SOGo { + include /etc/nginx/templates/hsts.tmpl; + + proxy_pass http://127.0.0.1:20000; + + # forward user's IP address + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + + # always use https + proxy_set_header x-webobjects-server-port $server_port; + proxy_set_header x-webobjects-server-name $host; + proxy_set_header x-webobjects-server-url https://$host; + + proxy_set_header x-webobjects-server-protocol HTTP/1.0; +} + +location ^~ /Microsoft-Server-ActiveSync { + proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync; + + proxy_connect_timeout 3540; + proxy_send_timeout 3540; + proxy_read_timeout 3540; +} + +location ^~ /SOGo/Microsoft-Server-ActiveSync { + proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync; + + proxy_connect_timeout 3540; + proxy_send_timeout 3540; + proxy_read_timeout 3540; +} + +location /SOGo.woa/WebServerResources/ { + alias /usr/lib/GNUstep/SOGo/WebServerResources/; + expires max; +} +location /SOGo/WebServerResources/ { + alias /usr/lib/GNUstep/SOGo/WebServerResources/; + expires max; +} +location ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ { + alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2; + expires max; +} diff --git a/nginx/templates/ssl.tmpl b/nginx/templates/ssl.tmpl new file mode 100644 index 0000000..cf72620 --- /dev/null +++ b/nginx/templates/ssl.tmpl 
@@ -0,0 +1,21 @@ +ssl_protocols TLSv1.2; + +# Fix 'The Logjam Attack'. +ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH; +ssl_prefer_server_ciphers on; +ssl_dhparam /etc/ssl/dh2048_param.pem; + +# To use your own ssl cert (e.g. "Let's Encrypt"), please create symbol link to +# ssl cert/key used below, so that we can manage this config file with Ansible. +# +# For example: +# +# rm -f /etc/ssl/private/iRedMail.key +# rm -f /etc/ssl/certs/iRedMail.crt +# ln -s /etc/letsencrypt/live//privkey.pem /etc/ssl/private/iRedMail.key +# ln -s /etc/letsencrypt/live//fullchain.pem /etc/ssl/certs/iRedMail.crt +# +# To request free "Let's Encrypt" cert, please check our tutorial: +# https://docs.iredmail.org/letsencrypt.html +ssl_certificate /etc/ssl/certs/iRedMail.crt; +ssl_certificate_key /etc/ssl/private/iRedMail.key; diff --git a/nginx/templates/stub_status.tmpl b/nginx/templates/stub_status.tmpl new file mode 100644 index 0000000..b23fc9a --- /dev/null +++ b/nginx/templates/stub_status.tmpl @@ -0,0 +1,15 @@ +location = /stub_status { + stub_status on; + access_log off; + allow 127.0.0.1; + deny all; +} + +location = /status { + include fastcgi_params; + fastcgi_pass php_workers; + fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; + access_log off; + allow 127.0.0.1; + deny all; +} diff --git a/passwd b/passwd index 53c08c0..107f7e6 100644 --- a/passwd +++ b/passwd @@ -33,3 +33,8 @@ dovecot:x:111:120:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin dovenull:x:112:121:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin debian-spamd:x:113:122::/var/lib/spamassassin:/bin/sh amavis:x:114:123:AMaViS system user,,,:/var/lib/amavis:/bin/sh +vmail:x:2000:2000::/home/vmail:/usr/sbin/nologin +mlmmj:x:2003:2003::/var/vmail/mlmmj:/usr/sbin/nologin +iredadmin:x:2001:2001::/home/iredadmin:/usr/sbin/nologin +iredapd:x:2002:2002::/home/iredapd:/usr/sbin/nologin +netdata:x:2004:2004::/home/netdata:/usr/sbin/nologin 
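Review bot: `ssl_protocols TLSv1.2;` in ssl.tmpl is a sound baseline, but where the nginx build links OpenSSL 1.1.1 (likely, given the PHP 7.3 packages elsewhere in this commit) adding TLS 1.3 costs nothing and gives clients AEAD-only suites: `ssl_protocols TLSv1.2 TLSv1.3;`. The cipher string `EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH` still admits CBC suites through the last two groups; if every client in use supports AEAD, trimming to the first two groups removes them. The example paths in the comment read `/etc/letsencrypt/live//privkey.pem` with an empty directory component — if a placeholder was lost in rendering, ignore; otherwise insert `<your-domain>` there. Session resumption (`ssl_session_cache`, `ssl_session_timeout`) and OCSP stapling are configured neither here nor in the http-level files shown.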
diff --git a/passwd- b/passwd- index 2630ae3..927e4c0 100644 --- a/passwd- +++ b/passwd- @@ -32,4 +32,8 @@ clamav:x:110:119::/var/lib/clamav:/bin/false dovecot:x:111:120:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin dovenull:x:112:121:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin debian-spamd:x:113:122::/var/lib/spamassassin:/bin/sh -amavis:x:114:123::/var/lib/amavis:/bin/sh +amavis:x:114:123:AMaViS system user,,,:/var/lib/amavis:/bin/sh +vmail:x:2000:2000::/home/vmail:/usr/sbin/nologin +mlmmj:x:2003:2003::/var/vmail/mlmmj:/usr/sbin/nologin +iredadmin:x:2001:2001::/home/iredadmin:/usr/sbin/nologin +iredapd:x:2002:2002::/home/iredapd:/usr/sbin/nologin diff --git a/php/7.3/fpm/php-fpm.conf b/php/7.3/fpm/php-fpm.conf index b45684d..a014393 100644 --- a/php/7.3/fpm/php-fpm.conf +++ b/php/7.3/fpm/php-fpm.conf @@ -14,27 +14,27 @@ ; Pid file ; Note: the default prefix is /var ; Default Value: none -pid = /run/php/php7.3-fpm.pid +pid = /run/php/php-fpm.pid ; Error log file ; If it's set to "syslog", log is sent to syslogd instead of being written ; into a local file. ; Note: the default prefix is /var ; Default Value: log/php-fpm.log -error_log = /var/log/php7.3-fpm.log +error_log = syslog ; syslog_facility is used to specify what type of program is logging the ; message. This lets syslogd specify that messages from different facilities ; will be handled differently. ; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON) ; Default Value: daemon -;syslog.facility = daemon +syslog.facility = local5 ; syslog_ident is prepended to every message. If you have multiple FPM ; instances running on the same server, you can change the default value ; which must suit common needs. ; Default Value: php-fpm -;syslog.ident = php-fpm +syslog.ident = php-fpm ; Log level ; Possible Values: alert, error, warning, notice, debug diff --git a/php/7.3/fpm/php.ini b/php/7.3/fpm/php.ini index 1af6007..2d9caa0 100644 --- a/php/7.3/fpm/php.ini +++ b/php/7.3/fpm/php.ini 
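Review bot: `pid = /run/php/php-fpm.pid` in php-fpm.conf diverges from the packaged path `/run/php/php7.3-fpm.pid` that Debian's `php7.3-fpm.service` unit tracks via `PIDFile=`; unless the unit is overridden to match, systemd will report the missing pid file and may not track the master process correctly across reload/restart. Either revert to `pid = /run/php/php7.3-fpm.pid` or add a unit drop-in with the same path. Routing `error_log = syslog` through `syslog.facility = local5` is fine provided the syslog daemon actually stores `local5` somewhere; otherwise FPM errors vanish.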
@@ -307,7 +307,7 @@ serialize_precision = -1 ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. ; http://php.net/disable-functions -disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals, +disable_functions = posix_uname,eval,pcntl_wexitstatus,posix_getpwuid,xmlrpc_entity_decode,pcntl_wifstopped,pcntl_wifexited,pcntl_wifsignaled,phpAds_XmlRpc,pcntl_strerror,ftp_exec,pcntl_wtermsig,mysql_pconnect,proc_nice,pcntl_sigtimedwait,posix_kill,pcntl_sigprocmask,fput,phpinfo,system,phpAds_remoteInfo,ftp_login,inject_code,posix_mkfifo,highlight_file,escapeshellcmd,show_source,pcntl_wifcontinued,fp,pcntl_alarm,pcntl_wait,ini_alter,posix_setpgid,parse_ini_file,ftp_raw,pcntl_waitpid,pcntl_getpriority,ftp_connect,pcntl_signal_dispatch,pcntl_wstopsig,ini_restore,ftp_put,passthru,proc_terminate,posix_setsid,pcntl_signal,pcntl_setpriority,phpAds_xmlrpcEncode,pcntl_exec,ftp_nb_fput,ftp_get,phpAds_xmlrpcDecode,pcntl_sigwaitinfo,shell_exec,pcntl_get_last_error,ftp_rawlist,pcntl_fork,posix_setuid ; This directive allows you to disable certain classes for security reasons. ; It receives a comma-delimited list of class names. @@ -368,7 +368,7 @@ zend.enable_gc = On ; threat in any way, but it makes it possible to determine whether you use PHP ; on your server or not. ; http://php.net/expose-php -expose_php = Off +expose_php = Off; ;;;;;;;;;;;;;;;;;;; ; Resource Limits ; 
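Review bot: The new `disable_functions` list contains `eval`, which is a language construct that this directive cannot disable (PHP ignores the entry), and several names that are not PHP functions at all (`fp`, `fput`, `inject_code`, the `phpAds_*` entries), so the list reads stricter than it is; remove them so the effective policy is visible. It blocks `system`, `shell_exec` and `passthru` but leaves `exec`, `popen` and `proc_open` enabled, so the command-execution restriction is inconsistent — decide per application (Roundcube's enigma plugin may need `proc_open`, for instance) and make the list match that intent. `pcntl_signal_get_handler` and `pcntl_async_signals` from the old list were dropped without a note; if that was unintentional, add them back.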
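Review bot: `expose_php = Off;` ends with a semicolon, but in php.ini `;` starts a comment, so it is parsed as `Off` followed by an empty comment rather than as a terminator; the value still works, but the same habit on `memory_limit = 256M;`, `post_max_size = 12M;` and `upload_max_filesize = 10M;` in the following hunks suggests to a reader that `;` is required and would hide a typo such as a stray token after it. Drop the trailing semicolons: `expose_php = Off`.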
@@ -398,7 +398,7 @@ max_input_time = 60 ; Maximum amount of memory a script may consume (128MB) ; http://php.net/memory-limit -memory_limit = 128M +memory_limit = 256M; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; Error handling and logging ; @@ -686,7 +686,7 @@ auto_globals_jit = On ; Its value may be 0 to disable the limit. It is ignored if POST data reading ; is disabled through enable_post_data_reading. ; http://php.net/post-max-size -post_max_size = 8M +post_max_size = 12M; ; Automatically add files before PHP document. ; http://php.net/auto-prepend-file @@ -838,7 +838,7 @@ file_uploads = On ; Maximum allowed size for uploaded files. ; http://php.net/upload-max-filesize -upload_max_filesize = 2M +upload_max_filesize = 10M; ; Maximum number of files that can be uploaded via a single request max_file_uploads = 20 @@ -953,7 +953,7 @@ cli_server.color = On [Date] ; Defines the default timezone used by the date functions ; http://php.net/date.timezone -;date.timezone = +date.timezone = GMT ; http://php.net/date.default-latitude ;date.default_latitude = 31.7667 @@ -1364,7 +1364,7 @@ session.save_handler = files ; where MODE is the octal representation of the mode. Note that this ; does not overwrite the process's umask. ; http://php.net/session.save-path -;session.save_path = "/var/lib/php/sessions" +session.save_path = "/var/lib/php/sessions" ; Whether to use strict session mode. ; Strict session mode does not accept an uninitialized session ID, and diff --git a/php/7.3/fpm/php.ini.2021.04.08.22.02.11 b/php/7.3/fpm/php.ini.2021.04.08.22.02.11 new file mode 100644 index 0000000..1af6007 --- /dev/null +++ b/php/7.3/fpm/php.ini.2021.04.08.22.02.11 
@@ -0,0 +1,1939 @@ +[PHP] + +;;;;;;;;;;;;;;;;;;; +; About php.ini ; +;;;;;;;;;;;;;;;;;;; +; PHP's initialization file, generally called php.ini, is responsible for +; configuring many of the aspects of PHP's behavior. + +; PHP attempts to find and load this configuration from a number of locations. +; The following is a summary of its search order: +; 1. SAPI module specific location. +; 2. The PHPRC environment variable. (As of PHP 5.2.0) +; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0) +; 4. Current working directory (except CLI) +; 5. The web server's directory (for SAPI modules), or directory of PHP +; (otherwise in Windows) +; 6. The directory from the --with-config-file-path compile time option, or the +; Windows directory (usually C:\windows) +; See the PHP docs for more specific information. +; http://php.net/configuration.file + +; The syntax of the file is extremely simple. Whitespace and lines +; beginning with a semicolon are silently ignored (as you probably guessed). +; Section headers (e.g. [Foo]) are also silently ignored, even though +; they might mean something in the future. + +; Directives following the section heading [PATH=/www/mysite] only +; apply to PHP files in the /www/mysite directory. Directives +; following the section heading [HOST=www.example.com] only apply to +; PHP files served from www.example.com. Directives set in these +; special sections cannot be overridden by user-defined INI files or +; at runtime. Currently, [PATH=] and [HOST=] sections only work under +; CGI/FastCGI. +; http://php.net/ini.sections + +; Directives are specified using the following syntax: +; directive = value +; Directive names are *case sensitive* - foo=bar is different from FOO=bar. +; Directives are variables used to configure PHP or PHP extensions. +; There is no name validation. If PHP can't find an expected +; directive because it is not set or is mistyped, a default value will be used. 
+ +; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one +; of the INI constants (On, Off, True, False, Yes, No and None) or an expression +; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a +; previously set variable or directive (e.g. ${foo}) + +; Expressions in the INI file are limited to bitwise operators and parentheses: +; | bitwise OR +; ^ bitwise XOR +; & bitwise AND +; ~ bitwise NOT +; ! boolean NOT + +; Boolean flags can be turned on using the values 1, On, True or Yes. +; They can be turned off using the values 0, Off, False or No. + +; An empty string can be denoted by simply not writing anything after the equal +; sign, or by using the None keyword: + +; foo = ; sets foo to an empty string +; foo = None ; sets foo to an empty string +; foo = "None" ; sets foo to the string 'None' + +; If you use constants in your value, and these constants belong to a +; dynamically loaded extension (either a PHP extension or a Zend extension), +; you may only use these constants *after* the line that loads the extension. + +;;;;;;;;;;;;;;;;;;; +; About this file ; +;;;;;;;;;;;;;;;;;;; +; PHP comes packaged with two INI files. One that is recommended to be used +; in production environments and one that is recommended to be used in +; development environments. + +; php.ini-production contains settings which hold security, performance and +; best practices at its core. But please be aware, these settings may break +; compatibility with older or less security conscience applications. We +; recommending using the production ini in production and testing environments. + +; php.ini-development is very similar to its production variant, except it is +; much more verbose when it comes to errors. We recommend using the +; development version only in development environments, as errors shown to +; application users can inadvertently leak otherwise secure information. + +; This is the php.ini-production INI file. 
+ +;;;;;;;;;;;;;;;;;;; +; Quick Reference ; +;;;;;;;;;;;;;;;;;;; +; The following are all the settings which are different in either the production +; or development versions of the INIs with respect to PHP's default behavior. +; Please see the actual settings later in the document for more details as to why +; we recommend these changes in PHP's behavior. + +; display_errors +; Default Value: On +; Development Value: On +; Production Value: Off + +; display_startup_errors +; Default Value: Off +; Development Value: On +; Production Value: Off + +; error_reporting +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT + +; html_errors +; Default Value: On +; Development Value: On +; Production value: On + +; log_errors +; Default Value: Off +; Development Value: On +; Production Value: On + +; max_input_time +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) + +; output_buffering +; Default Value: Off +; Development Value: 4096 +; Production Value: 4096 + +; register_argc_argv +; Default Value: On +; Development Value: Off +; Production Value: Off + +; request_order +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" + +; session.gc_divisor +; Default Value: 100 +; Development Value: 1000 +; Production Value: 1000 + +; session.sid_bits_per_character +; Default Value: 4 +; Development Value: 5 +; Production Value: 5 + +; short_open_tag +; Default Value: On +; Development Value: Off +; Production Value: Off + +; variables_order +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS" + +;;;;;;;;;;;;;;;;;;;; +; php.ini Options ; +;;;;;;;;;;;;;;;;;;;; +; Name for user-defined php.ini (.htaccess) files. 
Default is ".user.ini" +;user_ini.filename = ".user.ini" + +; To disable this feature set this option to an empty value +;user_ini.filename = + +; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes) +;user_ini.cache_ttl = 300 + +;;;;;;;;;;;;;;;;;;;; +; Language Options ; +;;;;;;;;;;;;;;;;;;;; + +; Enable the PHP scripting language engine under Apache. +; http://php.net/engine +engine = On + +; This directive determines whether or not PHP will recognize code between +; tags as PHP source which should be processed as such. It is +; generally recommended that should be used and that this feature +; should be disabled, as enabling it may result in issues when generating XML +; documents, however this remains supported for backward compatibility reasons. +; Note that this directive does not control the would work. +; http://php.net/syntax-highlighting +;highlight.string = #DD0000 +;highlight.comment = #FF9900 +;highlight.keyword = #007700 +;highlight.default = #0000BB +;highlight.html = #000000 + +; If enabled, the request will be allowed to complete even if the user aborts +; the request. Consider enabling it if executing long requests, which may end up +; being interrupted by the user or a browser timing out. PHP's default behavior +; is to disable this feature. +; http://php.net/ignore-user-abort +;ignore_user_abort = On + +; Determines the size of the realpath cache to be used by PHP. This value should +; be increased on systems where PHP opens many files to reflect the quantity of +; the file operations performed. +; Note: if open_basedir is set, the cache is disabled +; http://php.net/realpath-cache-size +;realpath_cache_size = 4096k + +; Duration of time, in seconds for which to cache realpath information for a given +; file or directory. For systems with rarely changing files, consider increasing this +; value. 
+; http://php.net/realpath-cache-ttl +;realpath_cache_ttl = 120 + +; Enables or disables the circular reference collector. +; http://php.net/zend.enable-gc +zend.enable_gc = On + +; If enabled, scripts may be written in encodings that are incompatible with +; the scanner. CP936, Big5, CP949 and Shift_JIS are the examples of such +; encodings. To use this feature, mbstring extension must be enabled. +; Default: Off +;zend.multibyte = Off + +; Allows to set the default encoding for the scripts. This value will be used +; unless "declare(encoding=...)" directive appears at the top of the script. +; Only affects if zend.multibyte is set. +; Default: "" +;zend.script_encoding = + +;;;;;;;;;;;;;;;;; +; Miscellaneous ; +;;;;;;;;;;;;;;;;; + +; Decides whether PHP may expose the fact that it is installed on the server +; (e.g. by adding its signature to the Web server header). It is no security +; threat in any way, but it makes it possible to determine whether you use PHP +; on your server or not. +; http://php.net/expose-php +expose_php = Off + +;;;;;;;;;;;;;;;;;;; +; Resource Limits ; +;;;;;;;;;;;;;;;;;;; + +; Maximum execution time of each script, in seconds +; http://php.net/max-execution-time +; Note: This directive is hardcoded to 0 for the CLI SAPI +max_execution_time = 30 + +; Maximum amount of time each script may spend parsing request data. It's a good +; idea to limit this time on productions servers in order to eliminate unexpectedly +; long running scripts. 
+; Note: This directive is hardcoded to -1 for the CLI SAPI +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) +; http://php.net/max-input-time +max_input_time = 60 + +; Maximum input variable nesting level +; http://php.net/max-input-nesting-level +;max_input_nesting_level = 64 + +; How many GET/POST/COOKIE input variables may be accepted +;max_input_vars = 1000 + +; Maximum amount of memory a script may consume (128MB) +; http://php.net/memory-limit +memory_limit = 128M + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Error handling and logging ; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +; This directive informs PHP of which errors, warnings and notices you would like +; it to take action for. The recommended way of setting values for this +; directive is through the use of the error level constants and bitwise +; operators. The error level constants are below here for convenience as well as +; some common settings and their meanings. +; By default, PHP is set to take action on all errors, notices and warnings EXCEPT +; those related to E_NOTICE and E_STRICT, which together cover best practices and +; recommended coding standards in PHP. For performance reasons, this is the +; recommend error reporting setting. Your production server shouldn't be wasting +; resources complaining about best practices and coding standards. That's what +; development servers and development settings are for. +; Note: The php.ini-development file has this setting as E_ALL. This +; means it pretty much reports everything which is exactly what you want during +; development and early testing. 
+; +; Error Level Constants: +; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0) +; E_ERROR - fatal run-time errors +; E_RECOVERABLE_ERROR - almost fatal run-time errors +; E_WARNING - run-time warnings (non-fatal errors) +; E_PARSE - compile-time parse errors +; E_NOTICE - run-time notices (these are warnings which often result +; from a bug in your code, but it's possible that it was +; intentional (e.g., using an uninitialized variable and +; relying on the fact it is automatically initialized to an +; empty string) +; E_STRICT - run-time notices, enable to have PHP suggest changes +; to your code which will ensure the best interoperability +; and forward compatibility of your code +; E_CORE_ERROR - fatal errors that occur during PHP's initial startup +; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's +; initial startup +; E_COMPILE_ERROR - fatal compile-time errors +; E_COMPILE_WARNING - compile-time warnings (non-fatal errors) +; E_USER_ERROR - user-generated error message +; E_USER_WARNING - user-generated warning message +; E_USER_NOTICE - user-generated notice message +; E_DEPRECATED - warn about code that will not work in future versions +; of PHP +; E_USER_DEPRECATED - user-generated deprecation warnings +; +; Common Values: +; E_ALL (Show all errors, warnings and notices including coding standards.) +; E_ALL & ~E_NOTICE (Show all errors, except for notices) +; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.) +; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors) +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT +; http://php.net/error-reporting +error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT + +; This directive controls whether or not and where PHP will output errors, +; notices and warnings too. 
Error output is very useful during development, but +; it could be very dangerous in production environments. Depending on the code +; which is triggering the error, sensitive information could potentially leak +; out of your application such as database usernames and passwords or worse. +; For production environments, we recommend logging errors rather than +; sending them to STDOUT. +; Possible Values: +; Off = Do not display any errors +; stderr = Display errors to STDERR (affects only CGI/CLI binaries!) +; On or stdout = Display errors to STDOUT +; Default Value: On +; Development Value: On +; Production Value: Off +; http://php.net/display-errors +display_errors = Off + +; The display of errors which occur during PHP's startup sequence are handled +; separately from display_errors. PHP's default behavior is to suppress those +; errors from clients. Turning the display of startup errors on can be useful in +; debugging configuration problems. We strongly recommend you +; set this to 'off' for production servers. +; Default Value: Off +; Development Value: On +; Production Value: Off +; http://php.net/display-startup-errors +display_startup_errors = Off + +; Besides displaying errors, PHP can also log errors to locations such as a +; server-specific log, STDERR, or a location specified by the error_log +; directive found below. While errors should not be displayed on productions +; servers they should still be monitored and logging is a great way to do that. +; Default Value: Off +; Development Value: On +; Production Value: On +; http://php.net/log-errors +log_errors = On + +; Set maximum length of log_errors. In error_log information about the source is +; added. The default is 1024 and 0 allows to not apply any maximum length at all. +; http://php.net/log-errors-max-len +log_errors_max_len = 1024 + +; Do not log repeated messages. Repeated errors must occur in same file on same +; line unless ignore_repeated_source is set true. 
+; http://php.net/ignore-repeated-errors +ignore_repeated_errors = Off + +; Ignore source of message when ignoring repeated messages. When this setting +; is On you will not log errors with repeated messages from different files or +; source lines. +; http://php.net/ignore-repeated-source +ignore_repeated_source = Off + +; If this parameter is set to Off, then memory leaks will not be shown (on +; stdout or in the log). This has only effect in a debug compile, and if +; error reporting includes E_WARNING in the allowed list +; http://php.net/report-memleaks +report_memleaks = On + +; This setting is on by default. +;report_zend_debug = 0 + +; Store the last error/warning message in $php_errormsg (boolean). Setting this value +; to On can assist in debugging and is appropriate for development servers. It should +; however be disabled on production servers. +; This directive is DEPRECATED. +; Default Value: Off +; Development Value: Off +; Production Value: Off +; http://php.net/track-errors +;track_errors = Off + +; Turn off normal error reporting and emit XML-RPC error XML +; http://php.net/xmlrpc-errors +;xmlrpc_errors = 0 + +; An XML-RPC faultCode +;xmlrpc_error_number = 0 + +; When PHP displays or logs an error, it has the capability of formatting the +; error message as HTML for easier reading. This directive controls whether +; the error message is formatted as HTML or not. +; Note: This directive is hardcoded to Off for the CLI SAPI +; Default Value: On +; Development Value: On +; Production value: On +; http://php.net/html-errors +html_errors = On + +; If html_errors is set to On *and* docref_root is not empty, then PHP +; produces clickable error messages that direct to a page describing the error +; or function causing the error in detail. +; You can download a copy of the PHP manual from http://php.net/docs +; and change docref_root to the base URL of your local copy including the +; leading '/'. 
You must also specify the file extension being used including +; the dot. PHP's default behavior is to leave these settings empty, in which +; case no links to documentation are generated. +; Note: Never use this feature for production boxes. +; http://php.net/docref-root +; Examples +;docref_root = "/phpmanual/" + +; http://php.net/docref-ext +;docref_ext = .html + +; String to output before an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-prepend-string +; Example: +;error_prepend_string = "" + +; String to output after an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-append-string +; Example: +;error_append_string = "" + +; Log errors to specified file. PHP's default behavior is to leave this value +; empty. +; http://php.net/error-log +; Example: +;error_log = php_errors.log +; Log errors to syslog (Event Log on Windows). +;error_log = syslog + +; The syslog ident is a string which is prepended to every message logged +; to syslog. Only used when error_log is set to syslog. +;syslog.ident = php + +; The syslog facility is used to specify what type of program is logging +; the message. Only used when error_log is set to syslog. +;syslog.facility = user + +; Set this to disable filtering control characters (the default). +; Some loggers only accept NVT-ASCII, others accept anything that's not +; control characters. If your logger accepts everything, then no filtering +; is needed at all. 
+; Allowed values are: +; ascii (all printable ASCII characters and NL) +; no-ctrl (all characters except control characters) +; all (all characters) +; raw (like "all", but messages are not split at newlines) +; http://php.net/syslog.filter +;syslog.filter = ascii + +;windows.show_crt_warning +; Default value: 0 +; Development value: 0 +; Production value: 0 + +;;;;;;;;;;;;;;;;; +; Data Handling ; +;;;;;;;;;;;;;;;;; + +; The separator used in PHP generated URLs to separate arguments. +; PHP's default setting is "&". +; http://php.net/arg-separator.output +; Example: +;arg_separator.output = "&" + +; List of separator(s) used by PHP to parse input URLs into variables. +; PHP's default setting is "&". +; NOTE: Every character in this directive is considered as separator! +; http://php.net/arg-separator.input +; Example: +;arg_separator.input = ";&" + +; This directive determines which super global arrays are registered when PHP +; starts up. G,P,C,E & S are abbreviations for the following respective super +; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty +; paid for the registration of these arrays and because ENV is not as commonly +; used as the others, ENV is not recommended on productions servers. You +; can still get access to the environment variables through getenv() should you +; need to. +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS"; +; http://php.net/variables-order +variables_order = "GPCS" + +; This directive determines which super global data (G,P & C) should be +; registered into the super global array REQUEST. If so, it also determines +; the order in which that data is registered. The values for this directive +; are specified in the same manner as the variables_order directive, +; EXCEPT one. Leaving this value empty will cause PHP to use the value set +; in the variables_order directive. It does not mean it will leave the super +; globals array REQUEST empty. 
+; Default Value: None +; Development Value: "GP" +; Production Value: "GP" +; http://php.net/request-order +request_order = "GP" + +; This directive determines whether PHP registers $argv & $argc each time it +; runs. $argv contains an array of all the arguments passed to PHP when a script +; is invoked. $argc contains an integer representing the number of arguments +; that were passed when the script was invoked. These arrays are extremely +; useful when running scripts from the command line. When this directive is +; enabled, registering these variables consumes CPU cycles and memory each time +; a script is executed. For performance reasons, this feature should be disabled +; on production servers. +; Note: This directive is hardcoded to On for the CLI SAPI +; Default Value: On +; Development Value: Off +; Production Value: Off +; http://php.net/register-argc-argv +register_argc_argv = Off + +; When enabled, the ENV, REQUEST and SERVER variables are created when they're +; first used (Just In Time) instead of when the script starts. If these +; variables are not used within a script, having this directive on will result +; in a performance gain. The PHP directive register_argc_argv must be disabled +; for this directive to have any affect. +; http://php.net/auto-globals-jit +auto_globals_jit = On + +; Whether PHP will read the POST data. +; This option is enabled by default. +; Most likely, you won't want to disable this option globally. It causes $_POST +; and $_FILES to always be empty; the only way you will be able to read the +; POST data will be through the php://input stream wrapper. This can be useful +; to proxy requests or to process the POST data in a memory efficient fashion. +; http://php.net/enable-post-data-reading +;enable_post_data_reading = Off + +; Maximum size of POST data that PHP will accept. +; Its value may be 0 to disable the limit. It is ignored if POST data reading +; is disabled through enable_post_data_reading. 
+; http://php.net/post-max-size +post_max_size = 8M + +; Automatically add files before PHP document. +; http://php.net/auto-prepend-file +auto_prepend_file = + +; Automatically add files after PHP document. +; http://php.net/auto-append-file +auto_append_file = + +; By default, PHP will output a media type using the Content-Type header. To +; disable this, simply set it to be empty. +; +; PHP's built-in default media type is set to text/html. +; http://php.net/default-mimetype +default_mimetype = "text/html" + +; PHP's default character set is set to UTF-8. +; http://php.net/default-charset +default_charset = "UTF-8" + +; PHP internal character encoding is set to empty. +; If empty, default_charset is used. +; http://php.net/internal-encoding +;internal_encoding = + +; PHP input character encoding is set to empty. +; If empty, default_charset is used. +; http://php.net/input-encoding +;input_encoding = + +; PHP output character encoding is set to empty. +; If empty, default_charset is used. +; See also output_buffer. +; http://php.net/output-encoding +;output_encoding = + +;;;;;;;;;;;;;;;;;;;;;;;;; +; Paths and Directories ; +;;;;;;;;;;;;;;;;;;;;;;;;; + +; UNIX: "/path1:/path2" +;include_path = ".:/usr/share/php" +; +; Windows: "\path1;\path2" +;include_path = ".;c:\php\includes" +; +; PHP's default setting for include_path is ".;/path/to/php/pear" +; http://php.net/include-path + +; The root of the PHP pages, used only if nonempty. +; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root +; if you are running php as a CGI under any web server (other than IIS) +; see documentation for security issues. The alternate is to use the +; cgi.force_redirect configuration below +; http://php.net/doc-root +doc_root = + +; The directory under which PHP opens the script using /~username used only +; if nonempty. +; http://php.net/user-dir +user_dir = + +; Directory in which the loadable extensions (modules) reside. 
+; http://php.net/extension-dir +;extension_dir = "./" +; On windows: +;extension_dir = "ext" + +; Directory where the temporary files should be placed. +; Defaults to the system default (see sys_get_temp_dir) +;sys_temp_dir = "/tmp" + +; Whether or not to enable the dl() function. The dl() function does NOT work +; properly in multithreaded servers, such as IIS or Zeus, and is automatically +; disabled on them. +; http://php.net/enable-dl +enable_dl = Off + +; cgi.force_redirect is necessary to provide security running PHP as a CGI under +; most web servers. Left undefined, PHP turns this on by default. You can +; turn it off here AT YOUR OWN RISK +; **You CAN safely turn this off for IIS, in fact, you MUST.** +; http://php.net/cgi.force-redirect +;cgi.force_redirect = 1 + +; if cgi.nph is enabled it will force cgi to always sent Status: 200 with +; every request. PHP's default behavior is to disable this feature. +;cgi.nph = 1 + +; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape +; (iPlanet) web servers, you MAY need to set an environment variable name that PHP +; will look for to know it is OK to continue execution. Setting this variable MAY +; cause security issues, KNOW WHAT YOU ARE DOING FIRST. +; http://php.net/cgi.redirect-status-env +;cgi.redirect_status_env = + +; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's +; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok +; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting +; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting +; of zero causes PHP to behave as before. Default is 1. You should fix your scripts +; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. 
+; http://php.net/cgi.fix-pathinfo +;cgi.fix_pathinfo=1 + +; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside +; of the web tree and people will not be able to circumvent .htaccess security. +;cgi.discard_path=1 + +; FastCGI under IIS supports the ability to impersonate +; security tokens of the calling client. This allows IIS to define the +; security context that the request runs under. mod_fastcgi under Apache +; does not currently support this feature (03/17/2002) +; Set to 1 if running under IIS. Default is zero. +; http://php.net/fastcgi.impersonate +;fastcgi.impersonate = 1 + +; Disable logging through FastCGI connection. PHP's default behavior is to enable +; this feature. +;fastcgi.logging = 0 + +; cgi.rfc2616_headers configuration option tells PHP what type of headers to +; use when sending HTTP response code. If set to 0, PHP sends Status: header that +; is supported by Apache. When this option is set to 1, PHP will send +; RFC2616 compliant header. +; Default is zero. +; http://php.net/cgi.rfc2616-headers +;cgi.rfc2616_headers = 0 + +; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #! +; (shebang) at the top of the running script. This line might be needed if the +; script support running both as stand-alone script and via PHP CGI<. PHP in CGI +; mode skips this line and ignores its content if this directive is turned on. +; http://php.net/cgi.check-shebang-line +;cgi.check_shebang_line=1 + +;;;;;;;;;;;;;;;; +; File Uploads ; +;;;;;;;;;;;;;;;; + +; Whether to allow HTTP file uploads. +; http://php.net/file-uploads +file_uploads = On + +; Temporary directory for HTTP uploaded files (will use system default if not +; specified). +; http://php.net/upload-tmp-dir +;upload_tmp_dir = + +; Maximum allowed size for uploaded files. 
+; http://php.net/upload-max-filesize +upload_max_filesize = 2M + +; Maximum number of files that can be uploaded via a single request +max_file_uploads = 20 + +;;;;;;;;;;;;;;;;;; +; Fopen wrappers ; +;;;;;;;;;;;;;;;;;; + +; Whether to allow the treatment of URLs (like http:// or ftp://) as files. +; http://php.net/allow-url-fopen +allow_url_fopen = On + +; Whether to allow include/require to open URLs (like http:// or ftp://) as files. +; http://php.net/allow-url-include +allow_url_include = Off + +; Define the anonymous ftp password (your email address). PHP's default setting +; for this is empty. +; http://php.net/from +;from="john@doe.com" + +; Define the User-Agent string. PHP's default setting for this is empty. +; http://php.net/user-agent +;user_agent="PHP" + +; Default timeout for socket based streams (seconds) +; http://php.net/default-socket-timeout +default_socket_timeout = 60 + +; If your scripts have to deal with files from Macintosh systems, +; or you are running on a Mac and need to deal with files from +; unix or win32 systems, setting this flag will cause PHP to +; automatically detect the EOL character in those files so that +; fgets() and file() will work regardless of the source of the file. +; http://php.net/auto-detect-line-endings +;auto_detect_line_endings = Off + +;;;;;;;;;;;;;;;;;;;;;; +; Dynamic Extensions ; +;;;;;;;;;;;;;;;;;;;;;; + +; If you wish to have an extension loaded automatically, use the following +; syntax: +; +; extension=modulename +; +; For example: +; +; extension=mysqli +; +; When the extension library to load is not located in the default extension +; directory, You may specify an absolute path to the library file: +; +; extension=/path/to/extension/mysqli.so +; +; Note : The syntax used in previous PHP versions ('extension=.so' and +; 'extension='php_.dll') is supported for legacy reasons and may be +; deprecated in a future PHP major version. So, when it is possible, please +; move to the new ('extension=) syntax. 
+; +; Notes for Windows environments : +; +; - Many DLL files are located in the extensions/ (PHP 4) or ext/ (PHP 5+) +; extension folders as well as the separate PECL DLL download (PHP 5+). +; Be sure to appropriately set the extension_dir directive. +; +;extension=bz2 +;extension=curl +;extension=fileinfo +;extension=gd2 +;extension=gettext +;extension=gmp +;extension=intl +;extension=imap +;extension=interbase +;extension=ldap +;extension=mbstring +;extension=exif ; Must be after mbstring as it depends on it +;extension=mysqli +;extension=oci8_12c ; Use with Oracle Database 12c Instant Client +;extension=odbc +;extension=openssl +;extension=pdo_firebird +;extension=pdo_mysql +;extension=pdo_oci +;extension=pdo_odbc +;extension=pdo_pgsql +;extension=pdo_sqlite +;extension=pgsql +;extension=shmop + +; The MIBS data available in the PHP distribution must be installed. +; See http://www.php.net/manual/en/snmp.installation.php +;extension=snmp + +;extension=soap +;extension=sockets +;extension=sodium +;extension=sqlite3 +;extension=tidy +;extension=xmlrpc +;extension=xsl + +;;;;;;;;;;;;;;;;;;; +; Module Settings ; +;;;;;;;;;;;;;;;;;;; + +[CLI Server] +; Whether the CLI web server uses ANSI color coding in its terminal output. +cli_server.color = On + +[Date] +; Defines the default timezone used by the date functions +; http://php.net/date.timezone +;date.timezone = + +; http://php.net/date.default-latitude +;date.default_latitude = 31.7667 + +; http://php.net/date.default-longitude +;date.default_longitude = 35.2333 + +; http://php.net/date.sunrise-zenith +;date.sunrise_zenith = 90.583333 + +; http://php.net/date.sunset-zenith +;date.sunset_zenith = 90.583333 + +[filter] +; http://php.net/filter.default +;filter.default = unsafe_raw + +; http://php.net/filter.default-flags +;filter.default_flags = + +[iconv] +; Use of this INI entry is deprecated, use global input_encoding instead. +; If empty, default_charset or input_encoding or iconv.input_encoding is used. 
+; The precedence is: default_charset < input_encoding < iconv.input_encoding +;iconv.input_encoding = + +; Use of this INI entry is deprecated, use global internal_encoding instead. +; If empty, default_charset or internal_encoding or iconv.internal_encoding is used. +; The precedence is: default_charset < internal_encoding < iconv.internal_encoding +;iconv.internal_encoding = + +; Use of this INI entry is deprecated, use global output_encoding instead. +; If empty, default_charset or output_encoding or iconv.output_encoding is used. +; The precedence is: default_charset < output_encoding < iconv.output_encoding +; To use an output encoding conversion, iconv's output handler must be set +; otherwise output encoding conversion cannot be performed. +;iconv.output_encoding = + +[imap] +; rsh/ssh logins are disabled by default. Use this INI entry if you want to +; enable them. Note that the IMAP library does not filter mailbox names before +; passing them to rsh/ssh command, thus passing untrusted data to this function +; with rsh/ssh enabled is insecure. +;imap.enable_insecure_rsh=0 + +[intl] +;intl.default_locale = +; This directive allows you to produce PHP errors when some error +; happens within intl functions. The value is the level of the error produced. +; Default is 0, which does not produce any errors. +;intl.error_level = E_WARNING +;intl.use_exceptions = 0 + +[sqlite3] +; Directory pointing to SQLite3 extensions +; http://php.net/sqlite3.extension-dir +;sqlite3.extension_dir = + +; SQLite defensive mode flag (only available from SQLite 3.26+) +; When the defensive flag is enabled, language features that allow ordinary +; SQL to deliberately corrupt the database file are disabled. This forbids +; writing directly to the schema, shadow tables (eg. FTS data tables), or +; the sqlite_dbpage virtual table. 
+; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
+; (for older SQLite versions, this flag has no use)
+;sqlite3.defensive = 1
+
+[Pcre]
+; PCRE library backtracking limit.
+; http://php.net/pcre.backtrack-limit
+;pcre.backtrack_limit=100000
+
+; PCRE library recursion limit.
+; Please note that if you set this value to a high number you may consume all
+; the available process stack and eventually crash PHP (due to reaching the
+; stack size limit imposed by the Operating System).
+; http://php.net/pcre.recursion-limit
+;pcre.recursion_limit=100000
+
+; Enables or disables JIT compilation of patterns. This requires the PCRE
+; library to be compiled with JIT support.
+;pcre.jit=1
+
+[Pdo]
+; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
+; http://php.net/pdo-odbc.connection-pooling
+;pdo_odbc.connection_pooling=strict
+
+;pdo_odbc.db2_instance_name
+
+[Pdo_mysql]
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+pdo_mysql.default_socket=
+
+[Phar]
+; http://php.net/phar.readonly
+;phar.readonly = On
+
+; http://php.net/phar.require-hash
+;phar.require_hash = On
+
+;phar.cache_list =
+
+[mail function]
+; For Win32 only.
+; http://php.net/smtp
+SMTP = localhost
+; http://php.net/smtp-port
+smtp_port = 25
+
+; For Win32 only.
+; http://php.net/sendmail-from
+;sendmail_from = me@example.com
+
+; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
+; http://php.net/sendmail-path
+;sendmail_path =
+
+; Force the addition of the specified parameters to be passed as extra parameters
+; to the sendmail binary. These parameters will always replace the value of
+; the 5th parameter to mail().
+;mail.force_extra_parameters =
+
+; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
+mail.add_x_header = Off
+
+; The path to a log file that will log all mail() calls. Log entries include
+; the full path of the script, line number, To address and headers.
+;mail.log =
+; Log mail to syslog (Event Log on Windows).
+;mail.log = syslog
+
+[ODBC]
+; http://php.net/odbc.default-db
+;odbc.default_db = Not yet implemented
+
+; http://php.net/odbc.default-user
+;odbc.default_user = Not yet implemented
+
+; http://php.net/odbc.default-pw
+;odbc.default_pw = Not yet implemented
+
+; Controls the ODBC cursor model.
+; Default: SQL_CURSOR_STATIC (default).
+;odbc.default_cursortype
+
+; Allow or prevent persistent links.
+; http://php.net/odbc.allow-persistent
+odbc.allow_persistent = On
+
+; Check that a connection is still valid before reuse.
+; http://php.net/odbc.check-persistent
+odbc.check_persistent = On
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/odbc.max-persistent
+odbc.max_persistent = -1
+
+; Maximum number of links (persistent + non-persistent). -1 means no limit.
+; http://php.net/odbc.max-links
+odbc.max_links = -1
+
+; Handling of LONG fields. Returns number of bytes to variables. 0 means
+; passthru.
+; http://php.net/odbc.defaultlrl
+odbc.defaultlrl = 4096
+
+; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
+; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
+; of odbc.defaultlrl and odbc.defaultbinmode
+; http://php.net/odbc.defaultbinmode
+odbc.defaultbinmode = 1
+
+[Interbase]
+; Allow or prevent persistent links.
+ibase.allow_persistent = 1
+
+; Maximum number of persistent links. -1 means no limit.
+ibase.max_persistent = -1
+
+; Maximum number of links (persistent + non-persistent). -1 means no limit.
+ibase.max_links = -1
+
+; Default database name for ibase_connect().
+;ibase.default_db =
+
+; Default username for ibase_connect().
+;ibase.default_user =
+
+; Default password for ibase_connect().
+;ibase.default_password =
+
+; Default charset for ibase_connect().
+;ibase.default_charset =
+
+; Default timestamp format.
+ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
+
+; Default date format.
+ibase.dateformat = "%Y-%m-%d"
+
+; Default time format.
+ibase.timeformat = "%H:%M:%S"
+
+[MySQLi]
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/mysqli.max-persistent
+mysqli.max_persistent = -1
+
+; Allow accessing, from PHP's perspective, local files with LOAD DATA statements
+; http://php.net/mysqli.allow_local_infile
+;mysqli.allow_local_infile = On
+
+; Allow or prevent persistent links.
+; http://php.net/mysqli.allow-persistent
+mysqli.allow_persistent = On
+
+; Maximum number of links. -1 means no limit.
+; http://php.net/mysqli.max-links
+mysqli.max_links = -1
+
+; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
+; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
+; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
+; at MYSQL_PORT.
+; http://php.net/mysqli.default-port
+mysqli.default_port = 3306
+
+; Default socket name for local MySQL connects. If empty, uses the built-in
+; MySQL defaults.
+; http://php.net/mysqli.default-socket
+mysqli.default_socket =
+
+; Default host for mysql_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-host
+mysqli.default_host =
+
+; Default user for mysql_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-user
+mysqli.default_user =
+
+; Default password for mysqli_connect() (doesn't apply in safe mode).
+; Note that this is generally a *bad* idea to store passwords in this file.
+; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw")
+; and reveal this password! And of course, any users with read access to this
+; file will be able to reveal the password as well.
+; http://php.net/mysqli.default-pw
+mysqli.default_pw =
+
+; Allow or prevent reconnect
+mysqli.reconnect = Off
+
+[mysqlnd]
+; Enable / Disable collection of general statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_statistics = On
+
+; Enable / Disable collection of memory usage statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_memory_statistics = Off
+
+; Records communication from all extensions using mysqlnd to the specified log
+; file.
+; http://php.net/mysqlnd.debug
+;mysqlnd.debug =
+
+; Defines which queries will be logged.
+;mysqlnd.log_mask = 0
+
+; Default size of the mysqlnd memory pool, which is used by result sets.
+;mysqlnd.mempool_default_size = 16000
+
+; Size of a pre-allocated buffer used when sending commands to MySQL in bytes.
+;mysqlnd.net_cmd_buffer_size = 2048
+
+; Size of a pre-allocated buffer used for reading data sent by the server in
+; bytes.
+;mysqlnd.net_read_buffer_size = 32768
+
+; Timeout for network requests in seconds.
+;mysqlnd.net_read_timeout = 31536000
+
+; SHA-256 Authentication Plugin related. File with the MySQL server public RSA
+; key.
+;mysqlnd.sha256_server_public_key =
+
+[OCI8]
+
+; Connection: Enables privileged connections using external
+; credentials (OCI_SYSOPER, OCI_SYSDBA)
+; http://php.net/oci8.privileged-connect
+;oci8.privileged_connect = Off
+
+; Connection: The maximum number of persistent OCI8 connections per
+; process. Using -1 means no limit.
+; http://php.net/oci8.max-persistent
+;oci8.max_persistent = -1
+
+; Connection: The maximum number of seconds a process is allowed to
+; maintain an idle persistent connection. Using -1 means idle
+; persistent connections will be maintained forever.
+; http://php.net/oci8.persistent-timeout
+;oci8.persistent_timeout = -1
+
+; Connection: The number of seconds that must pass before issuing a
+; ping during oci_pconnect() to check the connection validity. When
+; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
+; pings completely.
+; http://php.net/oci8.ping-interval
+;oci8.ping_interval = 60
+
+; Connection: Set this to a user chosen connection class to be used
+; for all pooled server requests with Oracle 11g Database Resident
+; Connection Pooling (DRCP). To use DRCP, this value should be set to
+; the same string for all web servers running the same application,
+; the database pool must be configured, and the connection string must
+; specify to use a pooled server.
+;oci8.connection_class =
+
+; High Availability: Using On lets PHP receive Fast Application
+; Notification (FAN) events generated when a database node fails. The
+; database must also be configured to post FAN events.
+;oci8.events = Off
+
+; Tuning: This option enables statement caching, and specifies how
+; many statements to cache. Using 0 disables statement caching.
+; http://php.net/oci8.statement-cache-size
+;oci8.statement_cache_size = 20
+
+; Tuning: Enables statement prefetching and sets the default number of
+; rows that will be fetched automatically after statement execution.
+; http://php.net/oci8.default-prefetch
+;oci8.default_prefetch = 100
+
+; Compatibility. Using On means oci_close() will not close
+; oci_connect() and oci_new_connect() connections.
+; http://php.net/oci8.old-oci-close-semantics
+;oci8.old_oci_close_semantics = Off
+
+[PostgreSQL]
+; Allow or prevent persistent links.
+; http://php.net/pgsql.allow-persistent
+pgsql.allow_persistent = On
+
+; Detect broken persistent links always with pg_pconnect().
+; Auto reset feature requires a little overheads.
+; http://php.net/pgsql.auto-reset-persistent
+pgsql.auto_reset_persistent = Off
+
+; Maximum number of persistent links. -1 means no limit.
+; http://php.net/pgsql.max-persistent
+pgsql.max_persistent = -1
+
+; Maximum number of links (persistent+non persistent). -1 means no limit.
+; http://php.net/pgsql.max-links
+pgsql.max_links = -1
+
+; Ignore PostgreSQL backends Notice message or not.
+; Notice message logging require a little overheads.
+; http://php.net/pgsql.ignore-notice
+pgsql.ignore_notice = 0
+
+; Log PostgreSQL backends Notice message or not.
+; Unless pgsql.ignore_notice=0, module cannot log notice message.
+; http://php.net/pgsql.log-notice
+pgsql.log_notice = 0
+
+[bcmath]
+; Number of decimal digits for all bcmath functions.
+; http://php.net/bcmath.scale
+bcmath.scale = 0
+
+[browscap]
+; http://php.net/browscap
+;browscap = extra/browscap.ini
+
+[Session]
+; Handler used to store/retrieve data.
+; http://php.net/session.save-handler
+session.save_handler = files
+
+; Argument passed to save_handler. In the case of files, this is the path
+; where data files are stored. Note: Windows users have to change this
+; variable in order to use PHP's session functions.
+;
+; The path can be defined as:
+;
+; session.save_path = "N;/path"
+;
+; where N is an integer. Instead of storing all the session files in
+; /path, what this will do is use subdirectories N-levels deep, and
+; store the session data in those directories. This is useful if
+; your OS has problems with many files in one directory, and is
+; a more efficient layout for servers that handle many sessions.
+;
+; NOTE 1: PHP will not create this directory structure automatically.
+; You can use the script in the ext/session dir for that purpose.
+; NOTE 2: See the section on garbage collection below if you choose to
+; use subdirectories for session storage
+;
+; The file storage module creates files using mode 600 by default.
+; You can change that by using
+;
+; session.save_path = "N;MODE;/path"
+;
+; where MODE is the octal representation of the mode. Note that this
+; does not overwrite the process's umask.
+; http://php.net/session.save-path
+;session.save_path = "/var/lib/php/sessions"
+
+; Whether to use strict session mode.
+; Strict session mode does not accept an uninitialized session ID, and
+; regenerates the session ID if the browser sends an uninitialized session ID.
+; Strict mode protects applications from session fixation via a session adoption
+; vulnerability. It is disabled by default for maximum compatibility, but
+; enabling it is encouraged.
+; https://wiki.php.net/rfc/strict_sessions
+session.use_strict_mode = 0
+
+; Whether to use cookies.
+; http://php.net/session.use-cookies
+session.use_cookies = 1
+
+; http://php.net/session.cookie-secure
+;session.cookie_secure =
+
+; This option forces PHP to fetch and use a cookie for storing and maintaining
+; the session id. We encourage this operation as it's very helpful in combating
+; session hijacking when not specifying and managing your own session id. It is
+; not the be-all and end-all of session hijacking defense, but it's a good start.
+; http://php.net/session.use-only-cookies
+session.use_only_cookies = 1
+
+; Name of the session (used as cookie name).
+; http://php.net/session.name
+session.name = PHPSESSID
+
+; Initialize session on request startup.
+; http://php.net/session.auto-start
+session.auto_start = 0
+
+; Lifetime in seconds of cookie or, if 0, until browser is restarted.
+; http://php.net/session.cookie-lifetime
+session.cookie_lifetime = 0
+
+; The path for which the cookie is valid.
+; http://php.net/session.cookie-path
+session.cookie_path = /
+
+; The domain for which the cookie is valid.
+; http://php.net/session.cookie-domain
+session.cookie_domain =
+
+; Whether or not to add the httpOnly flag to the cookie, which makes it
+; inaccessible to browser scripting languages such as JavaScript.
+; http://php.net/session.cookie-httponly
+session.cookie_httponly =
+
+; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF)
+; Current valid values are "Strict", "Lax" or "None". When using "None",
+; make sure to include the quotes, as `none` is interpreted like `false` in ini files.
+; https://tools.ietf.org/html/draft-west-first-party-cookies-07
+session.cookie_samesite =
+
+; Handler used to serialize data. php is the standard serializer of PHP.
+; http://php.net/session.serialize-handler
+session.serialize_handler = php
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.gc-probability
+session.gc_probability = 0
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
+; For high volume production servers, using a value of 1000 is a more efficient approach.
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+; http://php.net/session.gc-divisor
+session.gc_divisor = 1000
+
+; After this number of seconds, stored data will be seen as 'garbage' and
+; cleaned up by the garbage collection process.
+; http://php.net/session.gc-maxlifetime
+session.gc_maxlifetime = 1440
+
+; NOTE: If you are using the subdirectory option for storing session files
+; (see session.save_path above), then garbage collection does *not*
+; happen automatically. You will need to do your own garbage
+; collection through a shell script, cron entry, or some other method.
+; For example, the following script is the equivalent of setting
+; session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
+; find /path/to/sessions -cmin +24 -type f | xargs rm
+
+; Check HTTP Referer to invalidate externally stored URLs containing ids.
+; HTTP_REFERER has to contain this substring for the session to be
+; considered as valid.
+; http://php.net/session.referer-check
+session.referer_check =
+
+; Set to {nocache,private,public,} to determine HTTP caching aspects
+; or leave this empty to avoid sending anti-caching headers.
+; http://php.net/session.cache-limiter
+session.cache_limiter = nocache
+
+; Document expires after n minutes.
+; http://php.net/session.cache-expire
+session.cache_expire = 180
+
+; trans sid support is disabled by default.
+; Use of trans sid may risk your users' security.
+; Use this option with caution.
+; - User may send URL contains active session ID
+; to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+; in publicly accessible computer.
+; - User may access your site with the same session ID
+; always using URL stored in browser's history or bookmarks.
+; http://php.net/session.use-trans-sid
+session.use_trans_sid = 0
+
+; Set session ID character length. This value could be between 22 to 256.
+; Shorter length than default is supported only for compatibility reason.
+; Users should use 32 or more chars.
+; http://php.net/session.sid-length
+; Default Value: 32
+; Development Value: 26
+; Production Value: 26
+session.sid_length = 26
+
+; The URL rewriter will look for URLs in a defined set of HTML tags.
+; is special; if you include them here, the rewriter will
+; add a hidden field with the info which is otherwise appended
+; to URLs. tag's action attribute URL will not be modified
+; unless it is specified.
+; Note that all valid entries require a "=", even if no value follows.
+; Default Value: "a=href,area=href,frame=src,form="
+; Development Value: "a=href,area=href,frame=src,form="
+; Production Value: "a=href,area=href,frame=src,form="
+; http://php.net/url-rewriter.tags
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+
+; URL rewriter does not rewrite absolute URLs by default.
+; To enable rewrites for absolute paths, target hosts must be specified
+; at RUNTIME. i.e. use ini_set()
+; tags is special. PHP will check action attribute's URL regardless
+; of session.trans_sid_tags setting.
+; If no host is defined, HTTP_HOST will be used for allowed host.
+; Example value: php.net,www.php.net,wiki.php.net
+; Use "," for multiple hosts. No spaces are allowed.
+; Default Value: ""
+; Development Value: ""
+; Production Value: ""
+;session.trans_sid_hosts=""
+
+; Define how many bits are stored in each character when converting
+; the binary hash data to something readable.
+; Possible values:
+; 4 (4 bits: 0-9, a-f)
+; 5 (5 bits: 0-9, a-v)
+; 6 (6 bits: 0-9, a-z, A-Z, "-", ",")
+; Default Value: 4
+; Development Value: 5
+; Production Value: 5
+; http://php.net/session.hash-bits-per-character
+session.sid_bits_per_character = 5
+
+; Enable upload progress tracking in $_SESSION
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.enabled
+;session.upload_progress.enabled = On
+
+; Cleanup the progress information as soon as all POST data has been read
+; (i.e. upload completed).
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.cleanup
+;session.upload_progress.cleanup = On
+
+; A prefix used for the upload progress key in $_SESSION
+; Default Value: "upload_progress_"
+; Development Value: "upload_progress_"
+; Production Value: "upload_progress_"
+; http://php.net/session.upload-progress.prefix
+;session.upload_progress.prefix = "upload_progress_"
+
+; The index name (concatenated with the prefix) in $_SESSION
+; containing the upload progress information
+; Default Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Development Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Production Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; http://php.net/session.upload-progress.name
+;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
+
+; How frequently the upload progress should be updated.
+; Given either in percentages (per-file), or in bytes
+; Default Value: "1%"
+; Development Value: "1%"
+; Production Value: "1%"
+; http://php.net/session.upload-progress.freq
+;session.upload_progress.freq = "1%"
+
+; The minimum delay between updates, in seconds
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.upload-progress.min-freq
+;session.upload_progress.min_freq = "1"
+
+; Only write session data when session data is changed. Enabled by default.
+; http://php.net/session.lazy-write
+;session.lazy_write = On
+
+[Assertion]
+; Switch whether to compile assertions at all (to have no overhead at run-time)
+; -1: Do not compile at all
+; 0: Jump over assertion at run-time
+; 1: Execute assertions
+; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1)
+; Default Value: 1
+; Development Value: 1
+; Production Value: -1
+; http://php.net/zend.assertions
+zend.assertions = -1
+
+; Assert(expr); active by default.
+; http://php.net/assert.active
+;assert.active = On
+
+; Throw an AssertionError on failed assertions
+; http://php.net/assert.exception
+;assert.exception = On
+
+; Issue a PHP warning for each failed assertion. (Overridden by assert.exception if active)
+; http://php.net/assert.warning
+;assert.warning = On
+
+; Don't bail out by default.
+; http://php.net/assert.bail
+;assert.bail = Off
+
+; User-function to be called if an assertion fails.
+; http://php.net/assert.callback
+;assert.callback = 0
+
+; Eval the expression with current error_reporting(). Set to true if you want
+; error_reporting(0) around the eval().
+; http://php.net/assert.quiet-eval
+;assert.quiet_eval = 0
+
+[COM]
+; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
+; http://php.net/com.typelib-file
+;com.typelib_file =
+
+; allow Distributed-COM calls
+; http://php.net/com.allow-dcom
+;com.allow_dcom = true
+
+; autoregister constants of a component's typlib on com_load()
+; http://php.net/com.autoregister-typelib
+;com.autoregister_typelib = true
+
+; register constants casesensitive
+; http://php.net/com.autoregister-casesensitive
+;com.autoregister_casesensitive = false
+
+; show warnings on duplicate constant registrations
+; http://php.net/com.autoregister-verbose
+;com.autoregister_verbose = true
+
+; The default character set code-page to use when passing strings to and from COM objects.
+; Default: system ANSI code page
+;com.code_page=
+
+[mbstring]
+; language for internal character representation.
+; This affects mb_send_mail() and mbstring.detect_order.
+; http://php.net/mbstring.language
+;mbstring.language = Japanese
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; internal/script encoding.
+; Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*)
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;mbstring.internal_encoding =
+
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; http input encoding.
+; mbstring.encoding_translation = On is needed to use this setting.
+; If empty, default_charset or input_encoding or mbstring.input is used.
+; The precedence is: default_charset < input_encoding < mbsting.http_input
+; http://php.net/mbstring.http-input
+;mbstring.http_input =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; http output encoding.
+; mb_output_handler must be registered as output buffer to function.
+; If empty, default_charset or output_encoding or mbstring.http_output is used.
+; The precedence is: default_charset < output_encoding < mbstring.http_output
+; To use an output encoding conversion, mbstring's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+; http://php.net/mbstring.http-output
+;mbstring.http_output =
+
+; enable automatic encoding translation according to
+; mbstring.internal_encoding setting. Input chars are
+; converted to internal encoding by setting this to On.
+; Note: Do _not_ use automatic encoding translation for
+; portable libs/applications.
+; http://php.net/mbstring.encoding-translation
+;mbstring.encoding_translation = Off
+
+; automatic encoding detection order.
+; "auto" detect order is changed according to mbstring.language
+; http://php.net/mbstring.detect-order
+;mbstring.detect_order = auto
+
+; substitute_character used when character cannot be converted
+; one from another
+; http://php.net/mbstring.substitute-character
+;mbstring.substitute_character = none
+
+; overload(replace) single byte functions by mbstring functions.
+; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(),
+; etc. Possible values are 0,1,2,4 or combination of them.
+; For example, 7 for overload everything.
+; 0: No overload
+; 1: Overload mail() function
+; 2: Overload str*() functions
+; 4: Overload ereg*() functions
+; http://php.net/mbstring.func-overload
+;mbstring.func_overload = 0
+
+; enable strict encoding detection.
+; Default: Off
+;mbstring.strict_detection = On
+
+; This directive specifies the regex pattern of content types for which mb_output_handler()
+; is activated.
+; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml)
+;mbstring.http_output_conv_mimetype=
+
+; This directive specifies maximum stack depth for mbstring regular expressions. It is similar
+; to the pcre.recursion_limit for PCRE.
+; Default: 100000
+;mbstring.regex_stack_limit=100000
+
+[gd]
+; Tell the jpeg decode to ignore warnings and try to create
+; a gd image. The warning will then be displayed as notices
+; disabled by default
+; http://php.net/gd.jpeg-ignore-warning
+;gd.jpeg_ignore_warning = 1
+
+[exif]
+; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS.
+; With mbstring support this will automatically be converted into the encoding
+; given by corresponding encode setting. When empty mbstring.internal_encoding
+; is used. For the decode settings you can distinguish between motorola and
+; intel byte order. A decode setting cannot be empty.
+; http://php.net/exif.encode-unicode
+;exif.encode_unicode = ISO-8859-15
+
+; http://php.net/exif.decode-unicode-motorola
+;exif.decode_unicode_motorola = UCS-2BE
+
+; http://php.net/exif.decode-unicode-intel
+;exif.decode_unicode_intel = UCS-2LE
+
+; http://php.net/exif.encode-jis
+;exif.encode_jis =
+
+; http://php.net/exif.decode-jis-motorola
+;exif.decode_jis_motorola = JIS
+
+; http://php.net/exif.decode-jis-intel
+;exif.decode_jis_intel = JIS
+
+[Tidy]
+; The path to a default tidy configuration file to use when using tidy
+; http://php.net/tidy.default-config
+;tidy.default_config = /usr/local/lib/php/default.tcfg
+
+; Should tidy clean and repair output automatically?
+; WARNING: Do not use this option if you are generating non-html content
+; such as dynamic images
+; http://php.net/tidy.clean-output
+tidy.clean_output = Off
+
+[soap]
+; Enables or disables WSDL caching feature.
+; http://php.net/soap.wsdl-cache-enabled
+soap.wsdl_cache_enabled=1
+
+; Sets the directory name where SOAP extension will put cache files.
+; http://php.net/soap.wsdl-cache-dir
+soap.wsdl_cache_dir="/tmp"
+
+; (time to live) Sets the number of second while cached file will be used
+; instead of original one.
+; http://php.net/soap.wsdl-cache-ttl
+soap.wsdl_cache_ttl=86400
+
+; Sets the size of the cache limit. (Max. number of WSDL files to cache)
+soap.wsdl_cache_limit = 5
+
+[sysvshm]
+; A default size of the shared memory segment
+;sysvshm.init_mem = 10000
+
+[ldap]
+; Sets the maximum number of open links or -1 for unlimited.
+ldap.max_links = -1
+
+[dba]
+;dba.default_handler=
+
+[opcache]
+; Determines if Zend OPCache is enabled
+;opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+;opcache.enable_cli=0
+
+; The OPcache shared memory storage size.
+;opcache.memory_consumption=128
+
+; The amount of memory for interned strings in Mbytes.
+;opcache.interned_strings_buffer=8
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+;opcache.max_accelerated_files=10000
+
+; The maximum percentage of "wasted" memory until a restart is scheduled.
+;opcache.max_wasted_percentage=5
+
+; When this directive is enabled, the OPcache appends the current working
+; directory to the script key, thus eliminating possible collisions between
+; files with the same name (basename). Disabling the directive improves
+; performance, but may break existing applications.
+;opcache.use_cwd=1
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+;opcache.validate_timestamps=1
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+;opcache.revalidate_freq=2
+
+; Enables or disables file search in include_path optimization
+;opcache.revalidate_path=0
+
+; If disabled, all PHPDoc comments are dropped from the code to reduce the
+; size of the optimized code.
+;opcache.save_comments=1
+
+; Allow file existence override (file_exists, etc.) performance feature.
+;opcache.enable_file_override=0
+
+; A bitmask, where each bit enables or disables the appropriate OPcache
+; passes
+;opcache.optimization_level=0x7FFFBFFF
+
+;opcache.dups_fix=0
+
+; The location of the OPcache blacklist file (wildcards allowed).
+; Each OPcache blacklist file is a text file that holds the names of files
+; that should not be accelerated. The file format is to add each filename
+; to a new line. The filename may be a full path or just a file prefix
+; (i.e., /var/www/x blacklists all the files and directories in /var/www
+; that start with 'x'). Line starting with a ; are ignored (comments).
+;opcache.blacklist_filename=
+
+; Allows exclusion of large files from being cached. By default all files
+; are cached.
+;opcache.max_file_size=0
+
+; Check the cache checksum each N requests.
+; The default value of "0" means that the checks are disabled.
+;opcache.consistency_checks=0
+
+; How long to wait (in seconds) for a scheduled restart to begin if the cache
+; is not being accessed.
+;opcache.force_restart_timeout=180
+
+; OPcache error_log file name. Empty string assumes "stderr".
+;opcache.error_log=
+
+; All OPcache errors go to the Web server log.
+; By default, only fatal errors (level 0) or errors (level 1) are logged.
+; You can also enable warnings (level 2), info messages (level 3) or
+; debug messages (level 4).
+;opcache.log_verbosity_level=1
+
+; Preferred Shared Memory back-end. Leave empty and let the system decide.
+;opcache.preferred_memory_model=
+
+; Protect the shared memory from unexpected writing during script execution.
+; Useful for internal debugging only.
+;opcache.protect_memory=0
+
+; Allows calling OPcache API functions only from PHP scripts which path is
+; started from specified string. The default "" means no restriction
+;opcache.restrict_api=
+
+; Mapping base of shared memory segments (for Windows only). All the PHP
+; processes have to map shared memory into the same address space. This
+; directive allows to manually fix the "Unable to reattach to base address"
+; errors.
+;opcache.mmap_base=
+
+; Enables and sets the second level cache directory.
+; It should improve performance when SHM memory is full, at server restart or
+; SHM reset. The default "" disables file based caching.
+;opcache.file_cache=
+
+; Enables or disables opcode caching in shared memory.
+;opcache.file_cache_only=0
+
+; Enables or disables checksum validation when script loaded from file cache.
+;opcache.file_cache_consistency_checks=1
+
+; Implies opcache.file_cache_only=1 for a certain process that failed to
+; reattach to the shared memory (for Windows only). Explicitly enabled file
+; cache is required.
+;opcache.file_cache_fallback=1
+
+; Enables or disables copying of PHP code (text segment) into HUGE PAGES.
+; This should improve performance, but requires appropriate OS configuration.
+;opcache.huge_code_pages=1
+
+; Validate cached file permissions.
+;opcache.validate_permission=0
+
+; Prevent name collisions in chroot'ed environment.
+;opcache.validate_root=0
+
+; If specified, it produces opcode dumps for debugging different stages of
+; optimizations.
+;opcache.opt_debug_level=0
+
+[curl]
+; A default value for the CURLOPT_CAINFO option. This is required to be an
+; absolute path.
+;curl.cainfo =
+
+[openssl]
+; The location of a Certificate Authority (CA) file on the local filesystem
+; to use when verifying the identity of SSL/TLS peers. Most users should
+; not specify a value for this directive as PHP will attempt to use the
+; OS-managed cert stores in its absence. If specified, this value may still
+; be overridden on a per-stream basis via the "cafile" SSL stream context
+; option.
+;openssl.cafile=
+
+; If openssl.cafile is not specified or if the CA file is not found, the
+; directory pointed to by openssl.capath is searched for a suitable
+; certificate. This value must be a correctly hashed certificate directory.
+; Most users should not specify a value for this directive as PHP will
+; attempt to use the OS-managed cert stores in its absence. If specified,
+; this value may still be overridden on a per-stream basis via the "capath"
+; SSL stream context option.
+;openssl.capath=
+
+; Local Variables:
+; tab-width: 4
+; End:
diff --git a/php/7.3/fpm/pool.d/www.conf b/php/7.3/fpm/pool.d/www.conf
index 03ce7b0..dba7769 100644
--- a/php/7.3/fpm/pool.d/www.conf
+++ b/php/7.3/fpm/pool.d/www.conf
@@ -1,439 +1,30 @@
-; Start a new pool named 'www'.
-; the variable $pool can be used in any directive and will be replaced by the
-; pool name ('www' here)
-[www]
-
-; Per pool prefix
-; It only applies on the following directives:
-; - 'access.log'
-; - 'slowlog'
-; - 'listen' (unixsocket)
-; - 'chroot'
-; - 'chdir'
-; - 'php_values'
-; - 'php_admin_values'
-; When not set, the global prefix (or /usr) applies instead.
-; Note: This directive can also be relative to the global prefix.
-; Default Value: none
-;prefix = /path/to/pools/$pool
-
-; Unix user/group of processes
-; Note: The user is mandatory. If the group is not set, the default user's group
-; will be used.
+[inet]
 user = www-data
 group = www-data
-; The address on which to accept FastCGI requests.
-; Valid syntaxes are:
-; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
-; a specific port;
-; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
-; a specific port;
-; 'port' - to listen on a TCP socket to all addresses
-; (IPv6 and IPv4-mapped) on a specific port;
-; '/path/to/unix/socket' - to listen on a unix socket.
-; Note: This value is mandatory.
-listen = /run/php/php7.3-fpm.sock
-
-; Set listen(2) backlog.
-; Default Value: 511 (-1 on FreeBSD and OpenBSD)
-;listen.backlog = 511
-
-; Set permissions for unix socket, if one is used. In Linux, read/write
-; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions. The owner
-; and group can be specified either by name or by their numeric IDs.
-; Default Values: user and group are set as the running user
-; mode is set to 0660
+listen = 127.0.0.1:9999
 listen.owner = www-data
 listen.group = www-data
-;listen.mode = 0660
-; When POSIX Access Control Lists are supported you can set them using
-; these options, value is a comma separated list of user/group names.
-; When set, listen.owner and listen.group are ignored
-;listen.acl_users =
-;listen.acl_groups =
-
-; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
-; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
-; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
-; must be separated by a comma. If this value is left blank, connections will be
-; accepted from any ip address.
-; Default Value: any
-;listen.allowed_clients = 127.0.0.1
+listen.mode = 0660
-; Specify the nice(2) priority to apply to the pool processes (only if set)
-; The value can vary from -19 (highest priority) to 20 (lower priority)
-; Note: - It will only work if the FPM master process is launched as root
-; - The pool processes will inherit the master process priority
-; unless it specified otherwise
-; Default Value: no set
-; process.priority = -19
+; IP addresses must be separated by comma, and no space between comma and ip.
+listen.allowed_clients = 127.0.0.1
-; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
-; or group is differrent than the master process user. It allows to create process
-; core dump and ptrace the process for the pool user.
-; Default Value: no
-; process.dumpable = yes
-
-; Choose how the process manager will control the number of child processes.
-; Possible Values:
-; static - a fixed number (pm.max_children) of child processes;
-; dynamic - the number of child processes are set dynamically based on the
-; following directives. With this process management, there will be
-; always at least 1 children.
-; pm.max_children - the maximum number of children that can
-; be alive at the same time.
-; pm.start_servers - the number of children created on startup.
-; pm.min_spare_servers - the minimum number of children in 'idle'
-; state (waiting to process). If the number
-; of 'idle' processes is less than this
-; number then some children will be created.
-; pm.max_spare_servers - the maximum number of children in 'idle'
-; state (waiting to process). If the number
-; of 'idle' processes is greater than this
-; number then some children will be killed.
-; ondemand - no children are created at startup. Children will be forked when
-; new requests will connect. The following parameter are used:
-; pm.max_children - the maximum number of children that
-; can be alive at the same time.
-; pm.process_idle_timeout - The number of seconds after which
-; an idle process will be killed.
-; Note: This value is mandatory.
 pm = dynamic
+pm.max_children = 100
+pm.start_servers = 5
+pm.min_spare_servers = 5
+pm.max_spare_servers = 10
+pm.max_requests = 100
-; The number of child processes to be created when pm is set to 'static' and the
-; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
-; This value sets the limit on the number of simultaneous requests that will be
-; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
-; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
-; CGI. The below defaults are based on a server without much resources. Don't
-; forget to tweak pm.* to fit your needs.
-; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
-; Note: This value is mandatory.
-pm.max_children = 5
-
-; The number of child processes created on startup.
-; Note: Used only when pm is set to 'dynamic'
-; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
-pm.start_servers = 2
-
-; The desired minimum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.min_spare_servers = 1
-
-; The desired maximum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.max_spare_servers = 3
+pm.status_path = /status
+ping.path = /ping
-; The number of seconds after which an idle process will be killed.
-; Note: Used only when pm is set to 'ondemand'
-; Default Value: 10s
-;pm.process_idle_timeout = 10s;
+request_terminate_timeout = 60s
+request_slowlog_timeout = 10s
-; The number of requests each child process should execute before respawning.
-; This can be useful to work around memory leaks in 3rd party libraries. For
-; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
-; Default Value: 0
-;pm.max_requests = 500
-
-; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
-; pool - the name of the pool;
-; process manager - static, dynamic or ondemand;
-; start time - the date and time FPM has started;
-; start since - number of seconds since FPM has started;
-; accepted conn - the number of request accepted by the pool;
-; listen queue - the number of request in the queue of pending
-; connections (see backlog in listen(2));
-; max listen queue - the maximum number of requests in the queue
-; of pending connections since FPM has started;
-; listen queue len - the size of the socket queue of pending connections;
-; idle processes - the number of idle processes;
-; active processes - the number of active processes;
-; total processes - the number of idle + active processes;
-; max active processes - the maximum number of active processes since FPM
-; has started;
-; max children reached - number of times, the process limit has been reached,
-; when pm tries to start more children (works only for
-; pm 'dynamic' and 'ondemand');
-; Value are updated in real time.
-; Example output: -; pool: www -; process manager: static -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 62636 -; accepted conn: 190460 -; listen queue: 0 -; max listen queue: 1 -; listen queue len: 42 -; idle processes: 4 -; active processes: 11 -; total processes: 15 -; max active processes: 12 -; max children reached: 0 -; -; By default the status page output is formatted as text/plain. Passing either -; 'html', 'xml' or 'json' in the query string will return the corresponding -; output syntax. Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; http://www.foo.bar/status?xml -; -; By default the status page only outputs short status. Passing 'full' in the -; query string will also return status for each pool process. -; Example: -; http://www.foo.bar/status?full -; http://www.foo.bar/status?json&full -; http://www.foo.bar/status?html&full -; http://www.foo.bar/status?xml&full -; The Full status returns for each process: -; pid - the PID of the process; -; state - the state of the process (Idle, Running, ...); -; start time - the date and time the process has started; -; start since - the number of seconds since the process has started; -; requests - the number of requests the process has served; -; request duration - the duration in µs of the requests; -; request method - the request method (GET, POST, ...); -; request URI - the request URI with the query string; -; content length - the content length of the request (only with POST); -; user - the user (PHP_AUTH_USER) (or '-' if not set); -; script - the main script called (or '-' if not set); -; last request cpu - the %cpu the last request consumed -; it's always 0 if the process is not in Idle state -; because CPU calculation is done when the request -; processing has terminated; -; last request memory - the max amount of memory the last request consumed -; it's always 0 if the process is not in Idle state -; because memory calculation is 
done when the request -; processing has terminated; -; If the process is in Idle state, then informations are related to the -; last request the process has served. Otherwise informations are related to -; the current request being served. -; Example output: -; ************************ -; pid: 31330 -; state: Running -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 63087 -; requests: 12808 -; request duration: 1250261 -; request method: GET -; request URI: /test_mem.php?N=10000 -; content length: 0 -; user: - -; script: /home/fat/web/docs/php/test_mem.php -; last request cpu: 0.00 -; last request memory: 0 ; -; Note: There is a real-time FPM status monitoring sample web page available -; It's available in: /usr/share/php/7.3/fpm/status.html +; Log files ; -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;pm.status_path = /status - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. -; Default Value: pong -;ping.response = pong - -; The access log file -; Default: not set -;access.log = log/$pool.access.log - -; The access log format. 
-; The following syntax is allowed -; %%: the '%' character -; %C: %CPU used by the request -; it can accept the following format: -; - %{user}C for user CPU only -; - %{system}C for system CPU only -; - %{total}C for user + system CPU (default) -; %d: time taken to serve the request -; it can accept the following format: -; - %{seconds}d (default) -; - %{miliseconds}d -; - %{mili}d -; - %{microseconds}d -; - %{micro}d -; %e: an environment variable (same as $_ENV or $_SERVER) -; it must be associated with embraces to specify the name of the env -; variable. Some exemples: -; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e -; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e -; %f: script filename -; %l: content-length of the request (for POST request only) -; %m: request method -; %M: peak of memory allocated by PHP -; it can accept the following format: -; - %{bytes}M (default) -; - %{kilobytes}M -; - %{kilo}M -; - %{megabytes}M -; - %{mega}M -; %n: pool name -; %o: output header -; it must be associated with embraces to specify the name of the header: -; - %{Content-Type}o -; - %{X-Powered-By}o -; - %{Transfert-Encoding}o -; - .... -; %p: PID of the child that serviced the request -; %P: PID of the parent of the child that serviced the request -; %q: the query string -; %Q: the '?' character if query string exists -; %r: the request URI (without the query string, see %q and %Q) -; %R: remote IP address -; %s: status (response code) -; %t: server time the request was received -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; The strftime(3) format must be encapsuled in a %{}t tag -; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t -; %T: time the log has been written (the request has finished) -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; The strftime(3) format must be encapsuled in a %{}t tag -; e.g. 
for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t -; %u: remote user -; -; Default: "%R - %u %t \"%m %r\" %s" -;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -;slowlog = log/$pool.log.slow - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_slowlog_timeout = 0 - -; Depth of slow log stack trace. -; Default Value: 20 -;request_slowlog_trace_depth = 20 - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_terminate_timeout = 0 - -; The timeout set by 'request_terminate_timeout' ini option is not engaged after -; application calls 'fastcgi_finish_request' or when application has finished and -; shutdown functions are being called (registered via register_shutdown_function). -; This option will enable timeout limit to be applied unconditionally -; even in such cases. -; Default Value: no -;request_terminate_timeout_track_finished = no - -; Set open file descriptor rlimit. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: you can prefix with '$prefix' to chroot to the pool prefix or one -; of its subdirectories. 
If the pool prefix is not set, the global prefix -; will be used instead. -; Note: chrooting is a great security feature and should be used whenever -; possible. However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = - -; Chdir to this directory at the start. -; Note: relative path can be used. -; Default Value: current directory or / when chroot -;chdir = /var/www - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. -; Note: on highloaded environement, this can cause some delay in the page -; process time (several ms). -; Default Value: no -;catch_workers_output = yes - -; Decorate worker output with prefix and suffix containing information about -; the child that writes to the log and if stdout or stderr is used as well as -; log level and time. This options is used only if catch_workers_output is yes. -; Settings to "no" will output data as written to the stdout or stderr. -; Default value: yes -;decorate_workers_output = no - -; Clear environment in FPM workers -; Prevents arbitrary environment variables from reaching FPM worker processes -; by clearing the environment in workers before env vars specified in this -; pool configuration are added. -; Setting to "no" will make all environment variables available to PHP code -; via getenv(), $_ENV and $_SERVER. -; Default Value: yes -;clear_env = no - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; execute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 .php7 - -; Pass environment variables like LD_LIBRARY_PATH. 
All $VARIABLEs are taken from
-; the current environment.
-; Default Value: clean env
-;env[HOSTNAME] = $HOSTNAME
-;env[PATH] = /usr/local/bin:/usr/bin:/bin
-;env[TMP] = /tmp
-;env[TMPDIR] = /tmp
-;env[TEMP] = /tmp
-
-; Additional php.ini defines, specific to this pool of workers. These settings
-; overwrite the values previously defined in the php.ini. The directives are the
-; same as the PHP SAPI:
-; php_value/php_flag - you can set classic ini defines which can
-; be overwritten from PHP call 'ini_set'.
-; php_admin_value/php_admin_flag - these directives won't be overwritten by
-; PHP call 'ini_set'
-; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
-
-; Defining 'extension' will load the corresponding shared extension from
-; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
-; overwrite previously defined php.ini values, but will append the new value
-; instead.
-
-; Note: path INI options can be relative and will be expanded with the prefix
-; (pool, global or /usr)
-
-; Default Value: nothing is defined by default except the values in php.ini and
-; specified at startup with the -d argument
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
-;php_flag[display_errors] = off
-;php_admin_value[error_log] = /var/log/fpm-php.www.log
-;php_admin_flag[log_errors] = on
-;php_admin_value[memory_limit] = 32M
+access.log = /var/log/php-fpm/php-fpm.log
+slowlog = /var/log/php-fpm/slow.log
diff --git a/php/7.3/fpm/pool.d/www.conf.2021.04.08.22.02.11 b/php/7.3/fpm/pool.d/www.conf.2021.04.08.22.02.11
new file mode 100644
index 0000000..03ce7b0
--- /dev/null
+++ b/php/7.3/fpm/pool.d/www.conf.2021.04.08.22.02.11
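Review bot: `pm.status_path = /status` and `ping.path = /ping` are switched on for the new TCP listener with no note on who may reach them, and the removed comment block itself documents that the status page (notably `?full`) reports request URIs, script paths and PIDs per worker; the corresponding nginx location should be limited to the loopback, and a comment above those two lines such as `; /status and /ping are for local monitoring only - restrict them to 127.0.0.1 in the nginx vhost` would record that dependency next to the setting. `listen.owner`, `listen.group` and the new `listen.mode = 0660` only take effect for a unix socket (per the removed "Set permissions for unix socket" comment), so with `listen = 127.0.0.1:9999` these three lines are dead configuration and are better dropped or commented to avoid suggesting the TCP port is permission-protected. The pool header changed from `[www]` to `[inet]` while the file is still www.conf, so any `$pool`-based paths or references elsewhere now resolve to "inet"; worth confirming that rename was intended rather than carried over from a template. `access.log` and `slowlog` now point under /var/log/php-fpm/, a directory this diff does not appear to create; presumably it must exist and be writable by the FPM master, otherwise the pool will fail to start.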
@@ -0,0 +1,439 @@ +; Start a new pool named 'www'. +; the variable $pool can be used in any directive and will be replaced by the +; pool name ('www' here) +[www] + +; Per pool prefix +; It only applies on the following directives: +; - 'access.log' +; - 'slowlog' +; - 'listen' (unixsocket) +; - 'chroot' +; - 'chdir' +; - 'php_values' +; - 'php_admin_values' +; When not set, the global prefix (or /usr) applies instead. +; Note: This directive can also be relative to the global prefix. +; Default Value: none +;prefix = /path/to/pools/$pool + +; Unix user/group of processes +; Note: The user is mandatory. If the group is not set, the default user's group +; will be used. +user = www-data +group = www-data + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = /run/php/php7.3-fpm.sock + +; Set listen(2) backlog. +; Default Value: 511 (-1 on FreeBSD and OpenBSD) +;listen.backlog = 511 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. Many +; BSD-derived systems allow connections regardless of permissions. The owner +; and group can be specified either by name or by their numeric IDs. +; Default Values: user and group are set as the running user +; mode is set to 0660 +listen.owner = www-data +listen.group = www-data +;listen.mode = 0660 +; When POSIX Access Control Lists are supported you can set them using +; these options, value is a comma separated list of user/group names. 
+; When set, listen.owner and listen.group are ignored +;listen.acl_users = +;listen.acl_groups = + +; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. +; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original +; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address +; must be separated by a comma. If this value is left blank, connections will be +; accepted from any ip address. +; Default Value: any +;listen.allowed_clients = 127.0.0.1 + +; Specify the nice(2) priority to apply to the pool processes (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool processes will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; process.priority = -19 + +; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user +; or group is differrent than the master process user. It allows to create process +; core dump and ptrace the process for the pool user. +; Default Value: no +; process.dumpable = yes + +; Choose how the process manager will control the number of child processes. +; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives. With this process management, there will be +; always at least 1 children. +; pm.max_children - the maximum number of children that can +; be alive at the same time. +; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). 
If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; ondemand - no children are created at startup. Children will be forked when +; new requests will connect. The following parameter are used: +; pm.max_children - the maximum number of children that +; can be alive at the same time. +; pm.process_idle_timeout - The number of seconds after which +; an idle process will be killed. +; Note: This value is mandatory. +pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +pm.max_children = 5 + +; The number of child processes created on startup. +; Note: Used only when pm is set to 'dynamic' +; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 +pm.start_servers = 2 + +; The desired minimum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = 1 + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = 3 + +; The number of seconds after which an idle process will be killed. +; Note: Used only when pm is set to 'ondemand' +; Default Value: 10s +;pm.process_idle_timeout = 10s; + +; The number of requests each child process should execute before respawning. 
+; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 +;pm.max_requests = 500 + +; The URI to view the FPM status page. If this value is not set, no URI will be +; recognized as a status page. It shows the following informations: +; pool - the name of the pool; +; process manager - static, dynamic or ondemand; +; start time - the date and time FPM has started; +; start since - number of seconds since FPM has started; +; accepted conn - the number of request accepted by the pool; +; listen queue - the number of request in the queue of pending +; connections (see backlog in listen(2)); +; max listen queue - the maximum number of requests in the queue +; of pending connections since FPM has started; +; listen queue len - the size of the socket queue of pending connections; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes; +; max active processes - the maximum number of active processes since FPM +; has started; +; max children reached - number of times, the process limit has been reached, +; when pm tries to start more children (works only for +; pm 'dynamic' and 'ondemand'); +; Value are updated in real time. +; Example output: +; pool: www +; process manager: static +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 62636 +; accepted conn: 190460 +; listen queue: 0 +; max listen queue: 1 +; listen queue len: 42 +; idle processes: 4 +; active processes: 11 +; total processes: 15 +; max active processes: 12 +; max children reached: 0 +; +; By default the status page output is formatted as text/plain. Passing either +; 'html', 'xml' or 'json' in the query string will return the corresponding +; output syntax. 
Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; http://www.foo.bar/status?xml +; +; By default the status page only outputs short status. Passing 'full' in the +; query string will also return status for each pool process. +; Example: +; http://www.foo.bar/status?full +; http://www.foo.bar/status?json&full +; http://www.foo.bar/status?html&full +; http://www.foo.bar/status?xml&full +; The Full status returns for each process: +; pid - the PID of the process; +; state - the state of the process (Idle, Running, ...); +; start time - the date and time the process has started; +; start since - the number of seconds since the process has started; +; requests - the number of requests the process has served; +; request duration - the duration in µs of the requests; +; request method - the request method (GET, POST, ...); +; request URI - the request URI with the query string; +; content length - the content length of the request (only with POST); +; user - the user (PHP_AUTH_USER) (or '-' if not set); +; script - the main script called (or '-' if not set); +; last request cpu - the %cpu the last request consumed +; it's always 0 if the process is not in Idle state +; because CPU calculation is done when the request +; processing has terminated; +; last request memory - the max amount of memory the last request consumed +; it's always 0 if the process is not in Idle state +; because memory calculation is done when the request +; processing has terminated; +; If the process is in Idle state, then informations are related to the +; last request the process has served. Otherwise informations are related to +; the current request being served. 
+; Example output: +; ************************ +; pid: 31330 +; state: Running +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 63087 +; requests: 12808 +; request duration: 1250261 +; request method: GET +; request URI: /test_mem.php?N=10000 +; content length: 0 +; user: - +; script: /home/fat/web/docs/php/test_mem.php +; last request cpu: 0.00 +; last request memory: 0 +; +; Note: There is a real-time FPM status monitoring sample web page available +; It's available in: /usr/share/php/7.3/fpm/status.html +; +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;pm.status_path = /status + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +;ping.response = pong + +; The access log file +; Default: not set +;access.log = log/$pool.access.log + +; The access log format. 
+; The following syntax is allowed +; %%: the '%' character +; %C: %CPU used by the request +; it can accept the following format: +; - %{user}C for user CPU only +; - %{system}C for system CPU only +; - %{total}C for user + system CPU (default) +; %d: time taken to serve the request +; it can accept the following format: +; - %{seconds}d (default) +; - %{miliseconds}d +; - %{mili}d +; - %{microseconds}d +; - %{micro}d +; %e: an environment variable (same as $_ENV or $_SERVER) +; it must be associated with embraces to specify the name of the env +; variable. Some exemples: +; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e +; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e +; %f: script filename +; %l: content-length of the request (for POST request only) +; %m: request method +; %M: peak of memory allocated by PHP +; it can accept the following format: +; - %{bytes}M (default) +; - %{kilobytes}M +; - %{kilo}M +; - %{megabytes}M +; - %{mega}M +; %n: pool name +; %o: output header +; it must be associated with embraces to specify the name of the header: +; - %{Content-Type}o +; - %{X-Powered-By}o +; - %{Transfert-Encoding}o +; - .... +; %p: PID of the child that serviced the request +; %P: PID of the parent of the child that serviced the request +; %q: the query string +; %Q: the '?' character if query string exists +; %r: the request URI (without the query string, see %q and %Q) +; %R: remote IP address +; %s: status (response code) +; %t: server time the request was received +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsuled in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %T: time the log has been written (the request has finished) +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsuled in a %{}t tag +; e.g. 
for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %u: remote user +; +; Default: "%R - %u %t \"%m %r\" %s" +;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +;slowlog = log/$pool.log.slow + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_slowlog_timeout = 0 + +; Depth of slow log stack trace. +; Default Value: 20 +;request_slowlog_trace_depth = 20 + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_terminate_timeout = 0 + +; The timeout set by 'request_terminate_timeout' ini option is not engaged after +; application calls 'fastcgi_finish_request' or when application has finished and +; shutdown functions are being called (registered via register_shutdown_function). +; This option will enable timeout limit to be applied unconditionally +; even in such cases. +; Default Value: no +;request_terminate_timeout_track_finished = no + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. 
If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. +; Note: relative path can be used. +; Default Value: current directory or / when chroot +;chdir = /var/www + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. +; Note: on highloaded environement, this can cause some delay in the page +; process time (several ms). +; Default Value: no +;catch_workers_output = yes + +; Decorate worker output with prefix and suffix containing information about +; the child that writes to the log and if stdout or stderr is used as well as +; log level and time. This options is used only if catch_workers_output is yes. +; Settings to "no" will output data as written to the stdout or stderr. +; Default value: yes +;decorate_workers_output = no + +; Clear environment in FPM workers +; Prevents arbitrary environment variables from reaching FPM worker processes +; by clearing the environment in workers before env vars specified in this +; pool configuration are added. +; Setting to "no" will make all environment variables available to PHP code +; via getenv(), $_ENV and $_SERVER. +; Default Value: yes +;clear_env = no + +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; execute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 .php7 + +; Pass environment variables like LD_LIBRARY_PATH. 
All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+; php_value/php_flag - you can set classic ini defines which can
+; be overwritten from PHP call 'ini_set'.
+; php_admin_value/php_admin_flag - these directives won't be overwritten by
+; PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+; specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M
diff --git a/postfix/aliases b/postfix/aliases
new file mode 100644
index 0000000..5947f3b
--- /dev/null
+++ b/postfix/aliases
@@ -0,0 +1,10 @@
+# See man 5 aliases for format
+postmaster: root
+#clamav: root
+nobody: root
+vmail: root
+root: postmaster@brehm-berlin.de
+www-data: root
+clamav: root
+amavis: root
+iredapd: root
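Review bot: `root: postmaster@brehm-berlin.de` forwards all root mail to an address that the first entry, `postmaster: root`, maps straight back to root if brehm-berlin.de is resolved through this same alias table (i.e. it is a mydestination domain rather than a virtual mailbox domain on this host); Postfix would only detect that cycle at delivery time and bounce the message. Whether brehm-berlin.de is virtual is not visible in this hunk, so it is worth confirming with `postalias -q root hash:/etc/postfix/aliases` and a test message to root that the chain terminates in a real mailbox. The commented `#clamav: root` on the third line is superseded by the live `clamav: root` entry further down and can be dropped to avoid confusion.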
diff --git a/postfix/aliases.db b/postfix/aliases.db new file mode 100644 index 0000000000000000000000000000000000000000..a06b976fb7adcd8c90d4b79972792f143c11889a GIT binary patch literal 12288 zcmeI&ze@u#6bJAZDN+%AF8&!UoP*k}g;pq76?Jj3E~O0 zk;{?L`PSt~KCGuHvqrX#iOlOYZjar=>3BLCH3T340SG_<0uX=z1Rwwb2tWV=|1B`R zM_(k5Y2lsU_?aL1hDSW)b3Wr!KH&jJtg|Q(fB*y_009U<00Izz00bZa0SNpgAmS)W zNc8*tf+G`2q8)XTKz0%pm+e@&LBUqB?}bH2(Rge+<8xdVZ}~EiJrb_+k7Tjyb_=!) zWvKL2aj?^DRQC33yUndiqb96XYprChSS8D3Hg%@i*sj($>b0sUlYUGw`~R=^{CT?4 z`~O#d(fj`=zUMo>W*wQ7-`xM3e+Y2@KOsW{0uX=z1Rwwb2tWV=5P$##An+#w<0FG! cAU!`jCkP`uat2w?i` (Outlook 2003/2007). +# WARNING: do not lose the parameters that follow the address. +/^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)/ $1$2$3 diff --git a/postfix/disclaimer/default.txt b/postfix/disclaimer/default.txt new file mode 100644 index 0000000..fe6450b --- /dev/null +++ b/postfix/disclaimer/default.txt @@ -0,0 +1,2 @@ + +---- diff --git a/postfix/header_checks b/postfix/header_checks new file mode 100644 index 0000000..e69de29 diff --git a/postfix/helo_access.pcre b/postfix/helo_access.pcre new file mode 100644 index 0000000..4efda13 --- /dev/null +++ b/postfix/helo_access.pcre 
@@ -0,0 +1,182 @@ +#--------------------------------------------------------------------- +# This file is part of iRedMail, which is an open source mail server +# solution for Red Hat(R) Enterprise Linux, CentOS, Debian and Ubuntu. +# +# iRedMail is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# iRedMail is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with iRedMail. If not, see . +#--------------------------------------------------------------------- + +# +# Sample Postfix check_helo_access rule. It should be located at: +# /etc/postfix/check_helo_access.pcre +# +# Shipped within iRedMail project: +# * http://www.iredmail.org/ + +# Prepend HELO hostname of sender server +#/(.*)/ PREPEND X-Original-Helo: $1 (iRedMail: http://www.iredmail.org/) + +# No one will use these in helo command. +/^(localhost)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/^(localhost.localdomain)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(\.local)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) + +# Reject who use IP address as helo. +# Correct: [xxx.xxx.xxx.xxx] +# Incorrect: xxx.xxx.xxx.xxx +/^([0-9\.]+)$/ REJECT ACCESS DENIED. 
Your email was rejected because the sending mail server sent non RFC compliant HELO identity (${1}) + +# +# This is the real HELO identify of these ISPs: +# sohu.com websmtp.sohu.com relay2nd.mail.sohu.com +# 126.com m15-78.126.com +# 163.com m31-189.vip.163.com m13-49.163.com +# sina.com mail2-209.sinamail.sina.com.cn +# gmail.com xx-out-NNNN.google.com +/^(126\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1}) +/^(163\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1}) +/^(163\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1}) +/^(sohu\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1}) +/^(gmail\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1}) +/^(google\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1}) +/^(yahoo\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1}) +/^(yahoo\.co\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server (${1}) + +# +# Spammers. +# +/^(728154EA470B4AA\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(taj-co\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(CF8D3DB045C1455\.net)$/ REJECT ACCESS DENIED. 
Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(dsgsfdg\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(se\.nit7-ngbo\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(mail\.goo\.ne\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(n-ong_an\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(meqail\.teamefs-ine5tl\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(zzg\.jhf-sp\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(din_glo-ng\.net)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(fda-cnc\.ie\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(yrtaj-yrco\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(m\.am\.biz\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(xr_haig\.roup\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(hjn\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(we_blf\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(netvigator\.com)$/ REJECT ACCESS DENIED. 
Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(mysam\.biz)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(mail\.teams-intl\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(seningbo\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(nblf\.com\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(kdn\.ktguide\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(zzsp\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(nblongan\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(dpu\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(nbalton\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(cncie\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(xinhaigroup\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/^(wz\.com)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/(\.zj\.cn)$/ REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server (${1}) +/(\.kornet)$/ REJECT ACCESS DENIED. 
Your email was rejected because it appears to come from a known spamming mail server (${1}) + +/^(dsldevice\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/^(system\.mail)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/^(speedtouch\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/^(dsldevice\.lan)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) + +# +# Reject adsl spammers. +# +# match word `adsl` with word boundary `\b`. +/(\badsl\b)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1}) + +# bypass "[IP_ADDRESS]" +/^\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]$/ OK + +# bypass some HELOs which contains IP address +/^o\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.outbound-mail\.sendgrid\.net$/ OK +/^\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.mail-(mail|campmail)\.facebook\.com$/ OK +/^outbound-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.pinterestmail\.com$/ OK + +# reject HELO which contains IP address +/(\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3}[\.-]\d{1,3})/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1}) +/(\d{1,3}\.ip\.-\d{1,3}-\d{1,3}-\d{1,3}\.eu)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1}) +/(pppoe)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1}) +/(dsl\.brasiltelecom\.net\.br)/ REJECT ACCESS DENIED. 
Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1}) +/(dsl\.optinet\.hr)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1}) +/(dsl\.telesp\.net\.br)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1}) +/(dialup)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1}) +/(dhcp)/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1}) +/(static-pool-[\d\.-]*\.flagman\.zp\.ua)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1}) + +/(speedy\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1}) +/(speedyterra\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1}) +/(static\.sbb\.rs)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1}) +/(static\.vsnl\.net\.in)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (${1}) + +/(advance\.com\.ar)$/ REJECT ACCESS DENIED. 
Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(airtelbroadband\.in)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(bb\.netvision\.net\.il)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(broadband3\.iol\.cz)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(cable\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(catv\.broadband\.hu)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(chello\.nl)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(chello\.sk)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(client\.mchsi\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(comunitel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(coprosys\.cz)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(dclient\.hispeed\.ch)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(dip0\.t-ipconnect\.de)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(domain\.invalid)$/ REJECT ACCESS DENIED. 
Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(dyn\.centurytel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(embarqhsd\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(emcali\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(epm\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(fibertel\.com\.ar)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(freedom2surf\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(hgcbroadband\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(HINET-IP\.hinet\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(infonet\.by)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(is74\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(kievnet\.com\.ua)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(metrotel\.net\.co)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(nw\.nuvox\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(pldt\.net)$/ REJECT ACCESS DENIED. 
Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(pool\.invitel\.hu)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(pool\.ukrtel\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(pools\.arcor-ip\.net)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(pppoe\.avangarddsl\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(retail\.telecomitalia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(revip2\.asianet\.co\.th)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(tim\.ro)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(tsi\.tychy\.pl)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(ttnet\.net\.tr)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(tttmaxnet\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(user\.veloxzone\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(utk\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(veloxzone\.com\.br)$/ REJECT ACCESS DENIED. 
Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(virtua\.com\.br)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(wanamaroc\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(wbt\.ru)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(wireless\.iaw\.on\.ca)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(business\.telecomitalia\.it)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(cotas\.com\.bo)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(marunouchi\.tokyo\.ocn\.ne\.jp)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(amedex\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/(aageneva\.com)$/ REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly (${1}) +/^ylmf-pc/ REJECT ACCESS DENIED + +/(\.*wideragents\.com)$/ REJECT ACCESS DENIED (${1}) +/(\.*resumekeep\.net)$/ REJECT ACCESS DENIED (${1}) +/(\.*terracedrink\.com)$/ REJECT ACCESS DENIED (${1}) +/(\.*sincemessage\.com)$/ REJECT ACCESS DENIED (${1}) +/(\.*ordertranquility\.com)$/ REJECT ACCESS DENIED (${1}) +/(\.*terracedrink\.com)$/ REJECT ACCESS DENIED (${1}) diff --git a/postfix/helo_access.pcre.2021.04.08.22.02.11 b/postfix/helo_access.pcre.2021.04.08.22.02.11 new file mode 100644 index 0000000..e69de29 diff --git a/postfix/main.cf b/postfix/main.cf index 8623373..dd0798a 100644 
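Review bot: The unanchored substring rules near the end of the table — `/(pppoe)/`, `/(dialup)/`, `/(dhcp)/` — reject any HELO name that merely contains those letters, including legitimate hostnames, whereas the adsl rule a few lines above already uses `\b` word boundaries; they should be written the same way: `/(\bpppoe\b)/`, `/(\bdialup\b)/`, `/(\bdhcp\b)/`. Because main.cf consults this table after `permit_mynetworks` and `permit_sasl_authenticated`, only unauthenticated inbound senders are affected, but a false positive there rejects that sender's mail with a permanent 5xx. `/^(dsldevice\.lan)$/` appears twice, and the trailing `/(\.*wideragents\.com)$/` group uses `\.*` (zero or more literal dots) where `.*` was presumably intended — harmless since the patterns are unanchored on the left, but misleading. The static ISP and "spammer" HELO list comes from the iRedMail sample and includes real providers (e.g. `mail\.goo\.ne\.jp`, `netvigator\.com`), so it deserves an audit against current traffic before being relied on.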
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -1,48 +1,364 @@ -# See /usr/share/postfix/main.cf.dist for a commented, more complete version +# -------------------- +# INSTALL-TIME CONFIGURATION INFORMATION +# +# location of the Postfix queue. Default is /var/spool/postfix. +queue_directory = /var/spool/postfix +# location of all postXXX commands. Default is /usr/sbin. +command_directory = /usr/sbin -# Debian specific: Specifying a file name will cause the first -# line of that file to be used as the name. The Debian default -# is /etc/mailname. -#myorigin = /etc/mailname +# location of all Postfix daemon programs (i.e. programs listed in the +# master.cf file). This directory must be owned by root. +# Default is /usr/libexec/postfix +daemon_directory = /usr/lib/postfix/sbin -smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +# location of Postfix-writable data files (caches, random numbers). +# This directory must be owned by the mail_owner account (see below). +# Default is /var/lib/postfix. +data_directory = /var/lib/postfix + +# owner of the Postfix queue and of most Postfix daemon processes. +# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID +# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. +# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER. +# Default is postfix. +mail_owner = postfix + +# The following parameters are used when installing a new Postfix version. +# +# sendmail_path: The full pathname of the Postfix sendmail command. +# This is the Sendmail-compatible mail posting interface. +# +sendmail_path = /usr/sbin/sendmail + +# newaliases_path: The full pathname of the Postfix newaliases command. +# This is the Sendmail-compatible command to build alias databases. +# +newaliases_path = /usr/bin/newaliases + +# full pathname of the Postfix mailq command. This is the Sendmail-compatible +# mail queue listing command. +mailq_path = /usr/bin/mailq + +# group for mail submission and queue management commands. 
+# This must be a group name with a numerical group ID that is not shared with +# other accounts, not even with the Postfix account. +setgid_group = postdrop + +# external command that is executed when a Postfix daemon program is run with +# the -D option. +# +# Use "command .. & sleep 5" so that the debugger can attach before +# the process marches on. If you use an X-based debugger, be sure to +# set up your XAUTHORITY environment variable before starting Postfix. +# +debugger_command = + PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin + ddd $daemon_directory/$process_name $process_id & sleep 5 + +debug_peer_level = 2 + +# -------------------- +# CUSTOM SETTINGS +# + +# SMTP server response code when recipient or domain not found. +unknown_local_recipient_reject_code = 550 + +# Do not notify local user. biff = no -# appending .domain is the MUA's job. -append_dot_mydomain = no +# Disable the rewriting of "site!user" into "user@site". +swap_bangpath = no -# Uncomment the next line to generate "delayed mail" warnings -#delay_warning_time = 4h +# Disable the rewriting of the form "user%domain" to "user@domain". +allow_percent_hack = no -readme_directory = no +# Allow recipient address start with '-'. +allow_min_user = no -# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on -# fresh installs. -compatibility_level = 2 +# Disable the SMTP VRFY command. This stops some techniques used to +# harvest email addresses. +disable_vrfy_command = yes + +# Enable both IPv4 and/or IPv6: ipv4, ipv6, all. +inet_protocols = all + +# Enable all network interfaces. +inet_interfaces = all + +# +# TLS settings. 
+# +# SSL key, certificate, CA +# +smtpd_tls_key_file = /etc/ssl/private/iRedMail.key +smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt +smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt +smtpd_tls_CApath = /etc/ssl/certs + +# +# Disable SSLv2, SSLv3 +# +smtpd_tls_protocols = !SSLv2 !SSLv3 +smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 +smtp_tls_protocols = !SSLv2 !SSLv3 +smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 +lmtp_tls_protocols = !SSLv2 !SSLv3 +lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3 + +# +# Fix 'The Logjam Attack'. +# +smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA +smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem +smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem + +tls_random_source = dev:/dev/urandom + +# Log only a summary message on TLS handshake completion — no logging of client +# certificate trust-chain verification errors if client certificate +# verification is not required. With Postfix 2.8 and earlier, log the summary +# message, peer certificate summary information and unconditionally log +# trust-chain verification errors. +smtp_tls_loglevel = 1 +smtpd_tls_loglevel = 1 + +# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do +# not require that clients use TLS encryption. +smtpd_tls_security_level = may + +# Produce `Received:` message headers that include information about the +# protocol and cipher used, as well as the remote SMTP client CommonName and +# client certificate issuer CommonName. +# This is disabled by default, as the information may be modified in transit +# through other mail servers. Only information that was recorded by the final +# destination can be trusted. +#smtpd_tls_received_header = yes + +# Opportunistic TLS, used when Postfix sends email to remote SMTP server. +# Use TLS if this is supported by the remote SMTP server, otherwise use +# plaintext. 
+# References: +# - http://www.postfix.org/TLS_README.html#client_tls_may +# - http://www.postfix.org/postconf.5.html#smtp_tls_security_level +smtp_tls_security_level = may + +# Use the same CA file as smtpd. +smtp_tls_CApath = /etc/ssl/certs +smtp_tls_CAfile = $smtpd_tls_CAfile +smtp_tls_note_starttls_offer = yes + +# Enable long, non-repeating, queue IDs (queue file names). +# The benefit of non-repeating names is simpler logfile analysis and easier +# queue migration (there is no need to run "postsuper" to change queue file +# names that don't match their message file inode number). +enable_long_queue_ids = yes + +# Reject unlisted sender and recipient +smtpd_reject_unlisted_recipient = yes +smtpd_reject_unlisted_sender = yes + +# Header and body checks with PCRE table +header_checks = pcre:/etc/postfix/header_checks +body_checks = pcre:/etc/postfix/body_checks.pcre + +# A mechanism to transform commands from remote SMTP clients. +# This is a last-resort tool to work around client commands that break +# interoperability with the Postfix SMTP server. Other uses involve fault +# injection to test Postfix's handling of invalid commands. +# Requires Postfix-2.7+. 
+smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre + +# HELO restriction +smtpd_helo_required = yes +smtpd_helo_restrictions = + permit_mynetworks + permit_sasl_authenticated + check_helo_access pcre:/etc/postfix/helo_access.pcre + reject_non_fqdn_helo_hostname + reject_unknown_helo_hostname + +# Sender restrictions +smtpd_sender_restrictions = + reject_non_fqdn_sender + reject_unlisted_sender + permit_mynetworks + permit_sasl_authenticated + check_sender_access pcre:/etc/postfix/sender_access.pcre + reject_unknown_sender_domain + +# Recipient restrictions +smtpd_recipient_restrictions = + reject_non_fqdn_recipient + reject_unlisted_recipient + check_policy_service inet:127.0.0.1:7777 + permit_mynetworks + permit_sasl_authenticated + reject_unauth_destination + check_policy_service inet:127.0.0.1:12340 +# END-OF-MESSAGE restrictions +smtpd_end_of_data_restrictions = + check_policy_service inet:127.0.0.1:7777 +# Data restrictions +smtpd_data_restrictions = reject_unauth_pipelining -# TLS parameters -smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem -smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key -smtpd_use_tls=yes -smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache -smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache +# SRS (Sender Rewriting Scheme) support +#sender_canonical_maps = tcp:127.0.0.1:7778 +#sender_canonical_classes = envelope_sender +#recipient_canonical_maps = tcp:127.0.0.1:7779 +#recipient_canonical_classes= envelope_recipient,header_recipient -# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for -# information on enabling SSL in the smtp client. 
+proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps -smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination +# Avoid duplicate recipient messages. Default is 'yes'. +enable_original_recipient = no + +# Virtual support. +virtual_minimum_uid = 2000 +virtual_uid_maps = static:2000 +virtual_gid_maps = static:2000 +virtual_mailbox_base = /var/vmail + +# Do not set virtual_alias_domains. +virtual_alias_domains = + +# +# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication. +# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should +# be forced to submit email through port 587 instead. +# +#smtpd_sasl_auth_enable = yes +#smtpd_sasl_security_options = noanonymous +#smtpd_tls_auth_only = yes + +# hostname myhostname = helga.uhu-banane.de -alias_maps = hash:/etc/aliases -alias_database = hash:/etc/aliases -myorigin = /etc/mailname -mydestination = $myhostname, helga.uhu-banane.de, localhost.uhu-banane.de, , localhost -relayhost = -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 -mailbox_command = procmail -a "$EXTENSION" -mailbox_size_limit = 0 +myorigin = helga.uhu-banane.de +mydomain = helga.uhu-banane.de + +# trusted SMTP clients which are allowed to relay mail through Postfix. +# +# Note: additional IP addresses/networks listed in mynetworks should be listed +# in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too. +# for example: +# +# MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...] 
+# +mynetworks = 127.0.0.1 [::1] + +# Accepted local emails +mydestination = $myhostname, localhost, localhost.localdomain + +alias_maps = hash:/etc/postfix/aliases +alias_database = hash:/etc/postfix/aliases + +# Default message_size_limit. +message_size_limit = 15728640 + +# The set of characters that can separate a user name from its extension +# (example: user+foo), or a .forward file name from its extension (example: +# .forward+foo). +# Postfix 2.11 and later supports multiple characters. recipient_delimiter = + -inet_interfaces = all -inet_protocols = all + +# The time after which the sender receives a copy of the message headers of +# mail that is still queued. Default setting is disabled (0h) by Postfix. +#delay_warning_time = 1h + +# Do not display the name of the recipient table in the "User unknown" responses. +# The extra detail makes trouble shooting easier but also reveals information +# that is nobody elses business. +show_user_unknown_table_name = no +compatibility_level = 2 +# +# Lookup virtual mail accounts +# +transport_maps = + proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf + proxy:mysql:/etc/postfix/mysql/transport_maps_maillist.cf + proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf + +sender_dependent_relayhost_maps = + proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf + +# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses. 
+smtpd_sender_login_maps = + proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf + +virtual_mailbox_domains = + proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf + +relay_domains = + $mydestination + proxy:mysql:/etc/postfix/mysql/relay_domains.cf + +virtual_mailbox_maps = + proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf + +virtual_alias_maps = + proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf + proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf + proxy:mysql:/etc/postfix/mysql/catchall_maps.cf + proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf + +sender_bcc_maps = + proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf + proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf + +recipient_bcc_maps = + proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf + proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf + +# +# Postscreen +# +postscreen_greet_action = drop +postscreen_blacklist_action = drop +postscreen_dnsbl_action = drop +postscreen_dnsbl_threshold = 2 + +# Attention: +# - zen.spamhaus.org free tire has 3 limits +# (https://www.spamhaus.org/organization/dnsblusage/): +# +# 1) Your use of the Spamhaus DNSBLs is non-commercial*, and +# 2) Your email traffic is less than 100,000 SMTP connections per day, and +# 3) Your DNSBL query volume is less than 300,000 queries per day. +# +# - FAQ: "Your DNSBL blocks nothing at all!" +# https://www.spamhaus.org/faq/section/DNSBL%20Usage#261 +# +# It's strongly recommended to use a local DNS server for cache. +postscreen_dnsbl_sites = + zen.spamhaus.org=127.0.0.[2..11]*3 + b.barracudacentral.org=127.0.0.2*2 + +postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply +postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr + +# Require Postfix-2.11+ +postscreen_dnsbl_whitelist_threshold = -2 + +# +# Dovecot SASL support. 
+# +smtpd_sasl_type = dovecot +smtpd_sasl_path = private/dovecot-auth +virtual_transport = dovecot +dovecot_destination_recipient_limit = 1 + +# +# mlmmj - mailing list manager +# +mlmmj_destination_recipient_limit = 1 + +# +# Amavisd + SpamAssassin + ClamAV +# +content_filter = smtp-amavis:[127.0.0.1]:10024 + +# Concurrency per recipient limit. +smtp-amavis_destination_recipient_limit = 1 diff --git a/postfix/main.cf.2021.04.08.22.02.11 b/postfix/main.cf.2021.04.08.22.02.11 new file mode 100644 index 0000000..8623373 --- /dev/null +++ b/postfix/main.cf.2021.04.08.22.02.11 
@@ -0,0 +1,48 @@ +# See /usr/share/postfix/main.cf.dist for a commented, more complete version + + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. +#myorigin = /etc/mailname + +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no + +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = no + +# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on +# fresh installs. +compatibility_level = 2 + + + +# TLS parameters +smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +smtpd_use_tls=yes +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for +# information on enabling SSL in the smtp client. + +smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination +myhostname = helga.uhu-banane.de +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = /etc/mailname +mydestination = $myhostname, helga.uhu-banane.de, localhost.uhu-banane.de, , localhost +relayhost = +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 +mailbox_command = procmail -a "$EXTENSION" +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all +inet_protocols = all diff --git a/postfix/master.cf b/postfix/master.cf index ea53632..7d80a73 100644 --- a/postfix/master.cf +++ b/postfix/master.cf 
@@ -9,11 +9,10 @@ # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (no) (never) (100) # ========================================================================== -smtp inet n - y - - smtpd -#smtp inet n - y - 1 postscreen -#smtpd pass - - y - - smtpd -#dnsblog unix - - y - 0 dnsblog -#tlsproxy unix - - y - 0 tlsproxy +smtp inet n - y - 1 postscreen +smtpd pass - - y - - smtpd +dnsblog unix - - y - 0 dnsblog +tlsproxy unix - - y - 0 tlsproxy #submission inet n - y - - smtpd # -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt 
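Review bot: The four services enabled here (`postscreen`, `smtpd pass`, `dnsblog`, `tlsproxy`) keep the chroot column at `y`, while the next hunk (`@@ -38,33 +37,34 @@`) switches every other service from `y` to `n`, so after this commit only the port-25 front end runs confined and nothing in the file records that the split is intentional. That is a defensible layout (the processes that talk to untrusted clients stay in the chroot, the map lookups and delivery agents do not), but a later edit that copies a service line from one group to the other changes the sandboxing silently, so a comment above the block would help: `# postscreen/smtpd/dnsblog/tlsproxy stay chrooted in $queue_directory; all remaining services deliberately run unchrooted`. With `smtpd` still chrooted, the SASL socket referenced in main.cf as `private/dovecot-auth` is resolved below the queue directory, which presumably is where it lives since the path is relative.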
@@ -38,33 +37,34 @@ smtp inet n - y - - smtpd # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - y - - qmqpd -pickup unix n - y 60 1 pickup -cleanup unix n - y - 0 cleanup -qmgr unix n - n 300 1 qmgr +#smtp inet n - - - - smtpd +pickup unix n - n 60 1 pickup + -o content_filter=smtp-amavis:[127.0.0.1]:10026 +cleanup unix n - n - 0 cleanup #qmgr unix n - n 300 1 oqmgr -tlsmgr unix - - y 1000? 1 tlsmgr -rewrite unix - - y - - trivial-rewrite -bounce unix - - y - 0 bounce -defer unix - - y - 0 bounce -trace unix - - y - 0 bounce -verify unix - - y - 1 verify -flush unix n - y 1000? 0 flush -proxymap unix - - n - - proxymap -proxywrite unix - - n - 1 proxymap -smtp unix - - y - - smtp -relay unix - - y - - smtp - -o syslog_name=postfix/$service_name +qmgr unix n - n 300 1 qmgr +tlsmgr unix - - n 1000? 1 tlsmgr +rewrite unix - - n - - trivial-rewrite +bounce unix - - n - 0 bounce +defer unix - - n - 0 bounce +trace unix - - n - 0 bounce +verify unix - - n - 1 verify +flush unix n - n 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - n - - smtp # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -showq unix n - y - - showq -error unix - - y - - error -retry unix - - y - - error -discard unix - - y - - discard -local unix - n n - - local -virtual unix - n n - - virtual -lmtp unix - - y - - lmtp -anvil unix - - y - 1 anvil -scache unix - - y - 1 scache -postlog unix-dgram n - n - 1 postlogd +relay unix - - n - - smtp + -o syslog_name=postfix/$service_name +showq unix n - n - - showq +error unix - - n - - error +retry unix - - n - - error +discard unix - - n - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - n - - lmtp +anvil unix - - n - 1 anvil +scache unix - - n - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual 
@@ -78,8 +78,7 @@ postlog unix-dgram n - n - 1 postlogd # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # -maildrop unix - n n - - pipe - flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +postlog unix-dgram n - n - 1 postlogd # # ==================================================================== # 
@@ -110,18 +109,97 @@ maildrop unix - n n - - pipe # # See the Postfix UUCP_README file for configuration details. # -uucp unix - n n - - pipe - flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +maildrop unix - n n - - pipe flags=DRhu + user=vmail argv=/usr/bin/maildrop -d ${recipient} # # Other external delivery methods. # -ifmail unix - n n - - pipe - flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) -bsmtp unix - n n - - pipe - flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient -scalemail-backend unix - n n - 2 pipe - flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} -mailman unix - n n - - pipe - flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py - ${nexthop} ${user} +uucp unix - n n - - pipe flags=Fqhu + user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +ifmail unix - n n - - pipe flags=F user=ftn + argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe flags=Fq. + user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe flags=R + user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} + ${user} ${extension} + +mailman unix - n n - - pipe flags=FR + user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} + ${user} +# Submission, port 587, force TLS connection. +submission inet n - n - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o content_filter=smtp-amavis:[127.0.0.1]:10026 + +# Use dovecot's `deliver` program as LDA. 
+dovecot unix - n n - - pipe + flags=DRh user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -m ${extension} + +# mlmmj - mailing list manager +# ${nexthop} is '%d/%u' in transport ('mlmmj:%d/%u') +mlmmj unix - n n - - pipe + flags=ORhu user=mlmmj:mlmmj argv=/usr/bin/mlmmj-amime-receive -L /var/vmail/mlmmj/${nexthop} + +# Amavisd integration. +smtp-amavis unix - - n - 4 smtp + -o syslog_name=postfix/amavis + -o smtp_data_done_timeout=1200 + -o smtp_send_xforward_command=yes + -o disable_dns_lookups=yes + -o max_use=20 + +# smtp port used by Amavisd to re-inject scanned email back to Postfix +127.0.0.1:10025 inet n - n - - smtpd + -o syslog_name=postfix/10025 + -o content_filter= + -o mynetworks_style=host + -o mynetworks=127.0.0.0/8 + -o local_recipient_maps= + -o relay_recipient_maps= + -o strict_rfc821_envelopes=yes + -o smtp_tls_security_level=none + -o smtpd_tls_security_level=none + -o smtpd_restriction_classes= + -o smtpd_delay_reject=no + -o smtpd_client_restrictions=permit_mynetworks,reject + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o smtpd_end_of_data_restrictions= + -o smtpd_error_sleep_time=0 + -o smtpd_soft_error_limit=1001 + -o smtpd_hard_error_limit=1000 + -o smtpd_client_connection_count_limit=0 + -o smtpd_client_connection_rate_limit=0 + -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings + +# smtp port used by mlmmj to re-inject scanned email back to Postfix, with +# address mapping support +127.0.0.1:10028 inet n - n - - smtpd + -o syslog_name=postfix/10028 + -o content_filter= + -o mynetworks_style=host + -o mynetworks=127.0.0.0/8 + -o local_recipient_maps= + -o relay_recipient_maps= + -o strict_rfc821_envelopes=yes + -o smtp_tls_security_level=none + -o smtpd_tls_security_level=none + -o smtpd_restriction_classes= + -o smtpd_delay_reject=no + -o 
smtpd_client_restrictions=permit_mynetworks,reject + -o smtpd_helo_restrictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o smtpd_end_of_data_restrictions= + -o smtpd_error_sleep_time=0 + -o smtpd_soft_error_limit=1001 + -o smtpd_hard_error_limit=1000 + -o smtpd_client_connection_count_limit=0 + -o smtpd_client_connection_rate_limit=0 + -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks diff --git a/postfix/master.cf.2021.04.08.22.02.11 b/postfix/master.cf.2021.04.08.22.02.11 new file mode 100644 index 0000000..ea53632 --- /dev/null +++ b/postfix/master.cf.2021.04.08.22.02.11 
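Review bot: The new `submission` service forces TLS with `-o smtpd_tls_security_level=encrypt` but pins neither protocol nor cipher grade, so the authenticated port inherits the main.cf values, which elsewhere in this commit only exclude SSLv2/SSLv3 and therefore still permit TLS 1.0/1.1 for password authentication. Only mail clients connect here, so it can be stricter than port 25 without interoperability cost: `-o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1` and `-o smtpd_tls_mandatory_ciphers=high`. The two re-injection listeners (`127.0.0.1:10025`, `127.0.0.1:10028`) are bound to the loopback address and fenced with `permit_mynetworks,reject` plus `mynetworks=127.0.0.0/8`, which is the right shape for them; the difference in `receive_override_options` between the two is explained by the comment above the 10028 entry.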
@@ -0,0 +1,127 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +#submission inet n - y - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#smtps inet n - y - - smtpd +# -o syslog_name=postfix/smtps +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - y 1000? 
1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - y - 0 bounce +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +relay unix - - y - - smtp + -o syslog_name=postfix/$service_name +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +postlog unix-dgram n - n - 1 postlogd +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. 
+# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} + diff --git a/postfix/mysql/catchall_maps.cf b/postfix/mysql/catchall_maps.cf new file mode 100644 index 0000000..8114cf9 --- /dev/null +++ b/postfix/mysql/catchall_maps.cf 
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT forwardings.forwarding FROM forwardings,domain WHERE forwardings.address='%d' AND '%u' NOT LIKE '%%+%%' AND forwardings.address=domain.domain AND forwardings.active=1 AND domain.active=1 AND domain.backupmx=0
diff --git a/postfix/mysql/domain_alias_catchall_maps.cf b/postfix/mysql/domain_alias_catchall_maps.cf
new file mode 100644
index 0000000..548e20a
--- /dev/null
+++ b/postfix/mysql/domain_alias_catchall_maps.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT forwardings.forwarding FROM forwardings,alias_domain,domain WHERE alias_domain.alias_domain='%d' AND forwardings.address=alias_domain.target_domain AND alias_domain.target_domain=domain.domain AND forwardings.active=1 AND alias_domain.active=1
diff --git a/postfix/mysql/domain_alias_maps.cf b/postfix/mysql/domain_alias_maps.cf
new file mode 100644
index 0000000..81b8789
--- /dev/null
+++ b/postfix/mysql/domain_alias_maps.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT forwardings.forwarding FROM forwardings,alias_domain,domain WHERE alias_domain.alias_domain='%d' AND forwardings.address=CONCAT('%u', '@', alias_domain.target_domain) AND alias_domain.target_domain=domain.domain AND forwardings.active=1 AND alias_domain.active=1 AND domain.backupmx=0
diff --git a/postfix/mysql/recipient_bcc_maps_domain.cf b/postfix/mysql/recipient_bcc_maps_domain.cf
new file mode 100644
index 0000000..99327e5
--- /dev/null
+++ b/postfix/mysql/recipient_bcc_maps_domain.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT bcc_address FROM recipient_bcc_domain WHERE domain='%d' AND active=1
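Review bot: This new `postfix/mysql/catchall_maps.cf` carries the vmail database password in clear text, and because etckeeper stores file contents in git, the commit writes that password into the repository history; the same applies to every other `postfix/mysql/*.cf` hunk in this commit, through `virtual_mailbox_maps.cf`. The `100644` mode git records only preserves the executable bit, so the repository does not carry the restrictive ownership and mode these files need on disk; that lives in the `.etckeeper` metadata file listed in the diffstat. Keep the on-disk files readable only by root and the postfix group, add `postfix/mysql/*.cf` to the repository's `.gitignore` before it is ever pushed or backed up off-host, and treat the password as exposed (rotate it in the database and in these files) if the repository has already left the machine. The queries themselves use Postfix's `%s`/`%u`/`%d` substitutions, which Postfix quotes before interpolation, so there is no injection concern in the SQL.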
diff --git a/postfix/mysql/recipient_bcc_maps_user.cf b/postfix/mysql/recipient_bcc_maps_user.cf
new file mode 100644
index 0000000..fc8552b
--- /dev/null
+++ b/postfix/mysql/recipient_bcc_maps_user.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT recipient_bcc_user.bcc_address FROM recipient_bcc_user,domain WHERE recipient_bcc_user.username='%s' AND recipient_bcc_user.domain='%d' AND recipient_bcc_user.domain=domain.domain AND domain.backupmx=0 AND domain.active=1 AND recipient_bcc_user.active=1
diff --git a/postfix/mysql/relay_domains.cf b/postfix/mysql/relay_domains.cf
new file mode 100644
index 0000000..b865c37
--- /dev/null
+++ b/postfix/mysql/relay_domains.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT domain FROM domain WHERE domain='%s' AND backupmx=1 AND active=1 LIMIT 1
diff --git a/postfix/mysql/sender_bcc_maps_domain.cf b/postfix/mysql/sender_bcc_maps_domain.cf
new file mode 100644
index 0000000..492714d
--- /dev/null
+++ b/postfix/mysql/sender_bcc_maps_domain.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT bcc_address FROM sender_bcc_domain WHERE domain='%d' AND active=1
diff --git a/postfix/mysql/sender_bcc_maps_user.cf b/postfix/mysql/sender_bcc_maps_user.cf
new file mode 100644
index 0000000..4f914b3
--- /dev/null
+++ b/postfix/mysql/sender_bcc_maps_user.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT sender_bcc_user.bcc_address FROM sender_bcc_user,domain WHERE sender_bcc_user.username='%s' AND sender_bcc_user.domain='%d' AND sender_bcc_user.domain=domain.domain AND domain.backupmx=0 AND domain.active=1 AND sender_bcc_user.active=1
diff --git a/postfix/mysql/sender_dependent_relayhost_maps.cf b/postfix/mysql/sender_dependent_relayhost_maps.cf
new file mode 100644
index 0000000..b383c1a
--- /dev/null
+++ b/postfix/mysql/sender_dependent_relayhost_maps.cf
@@ -0,0 +1,6 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+# '%s' will be replaced by the envelope sender address or @domain.
+query = SELECT relayhost FROM sender_relayhost WHERE account='%s' LIMIT 1
diff --git a/postfix/mysql/sender_login_maps.cf b/postfix/mysql/sender_login_maps.cf
new file mode 100644
index 0000000..cde3dc0
--- /dev/null
+++ b/postfix/mysql/sender_login_maps.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT mailbox.username FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.domain='%d' AND mailbox.domain=domain.domain AND mailbox.enablesmtp=1 AND mailbox.active=1 AND domain.backupmx=0 AND domain.active=1
diff --git a/postfix/mysql/transport_maps_domain.cf b/postfix/mysql/transport_maps_domain.cf
new file mode 100644
index 0000000..08a5ea9
--- /dev/null
+++ b/postfix/mysql/transport_maps_domain.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT transport FROM domain WHERE domain='%s' AND active=1 LIMIT 1
diff --git a/postfix/mysql/transport_maps_maillist.cf b/postfix/mysql/transport_maps_maillist.cf
new file mode 100644
index 0000000..b27d9fa
--- /dev/null
+++ b/postfix/mysql/transport_maps_maillist.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT maillists.transport FROM maillists,domain WHERE maillists.address='%s' AND maillists.active=1 AND maillists.domain = domain.domain AND domain.active=1
diff --git a/postfix/mysql/transport_maps_user.cf b/postfix/mysql/transport_maps_user.cf
new file mode 100644
index 0000000..b0c5911
--- /dev/null
+++ b/postfix/mysql/transport_maps_user.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT mailbox.transport FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.domain='%d' AND mailbox.domain=domain.domain AND mailbox.transport<>'' AND mailbox.active=1 AND mailbox.enabledeliver=1 AND domain.backupmx=0 AND domain.active=1
diff --git a/postfix/mysql/virtual_alias_maps.cf b/postfix/mysql/virtual_alias_maps.cf
new file mode 100644
index 0000000..e4c35c3
--- /dev/null
+++ b/postfix/mysql/virtual_alias_maps.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT forwardings.forwarding FROM forwardings,domain WHERE forwardings.address='%s' AND forwardings.domain=domain.domain AND forwardings.active=1 AND domain.backupmx=0 AND domain.active=1
diff --git a/postfix/mysql/virtual_mailbox_domains.cf b/postfix/mysql/virtual_mailbox_domains.cf
new file mode 100644
index 0000000..d29180d
--- /dev/null
+++ b/postfix/mysql/virtual_mailbox_domains.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = (SELECT domain FROM domain WHERE domain='%s' AND backupmx=0 AND active=1 LIMIT 1) UNION (SELECT alias_domain.alias_domain FROM alias_domain,domain WHERE alias_domain.alias_domain='%s' AND alias_domain.active=1 AND alias_domain.target_domain=domain.domain AND domain.active=1 AND domain.backupmx=0 LIMIT 1)
diff --git a/postfix/mysql/virtual_mailbox_maps.cf b/postfix/mysql/virtual_mailbox_maps.cf
new file mode 100644
index 0000000..00e2fa2
--- /dev/null
+++ b/postfix/mysql/virtual_mailbox_maps.cf
@@ -0,0 +1,5 @@
+hosts = 127.0.0.1:3306
+user = vmail
+password = Dw9xvZrLjCBfB5IobpRPTQjIg40LCz9i
+dbname = vmail
+query = SELECT CONCAT(mailbox.storagenode, '/', mailbox.maildir, '/Maildir/') FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.active=1 AND mailbox.enabledeliver=1 AND domain.domain = mailbox.domain AND domain.active=1
diff --git a/postfix/postscreen_access.cidr b/postfix/postscreen_access.cidr
new file mode 100644
index 0000000..20b00cc
--- /dev/null
+++ b/postfix/postscreen_access.cidr
@@ -0,0 +1,6 @@
+# Rules are evaluated in the order as specified.
+#1.2.3.4 permit
+#2.3.4.5 reject
+
+# Permit local clients
+127.0.0.0/8 permit
diff --git a/postfix/postscreen_dnsbl_reply b/postfix/postscreen_dnsbl_reply
new file mode 100644
index 0000000..e69de29
diff --git a/postfix/sender_access.pcre b/postfix/sender_access.pcre
new file mode 100644
index 0000000..e69de29
diff --git a/rsyslog.d/1-iredmail-dovecot.conf b/rsyslog.d/1-iredmail-dovecot.conf
new file mode 100644
index 0000000..a9166a8
--- /dev/null
+++ b/rsyslog.d/1-iredmail-dovecot.conf
@@ -0,0 +1,23 @@
+# Debug
+if $syslogfacility-text == 'local5' and ($msg contains ": Debug:") then -/var/log/dovecot/dovecot.log
+& stop
+
+# sieve and LMTP
+if $syslogfacility-text == 'local5' and ($msg contains "lmtp(" or $msg contains "lda(") then -/var/log/dovecot/lda.log
+& stop
+
+# IMAP
+if $syslogfacility-text == 'local5' and ($msg contains "imap(" or $msg contains "imap-login:") then -/var/log/dovecot/imap.log
+& stop
+
+# POP3
+if $syslogfacility-text == 'local5' and ($msg contains "pop3(" or $msg contains "pop3-login:") then -/var/log/dovecot/pop3.log
+& stop
+
+# managesieve
+if $syslogfacility-text == 'local5' and ($msg contains "managesieve(" or $msg contains "managesieve-login:") then -/var/log/dovecot/sieve.log
+& stop
+
+# All other Dovecot log
+if $syslogfacility-text == 'local5' and $programname startswith "dovecot" then -/var/log/dovecot/dovecot.log
+& stop
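Review bot: The first rule in `1-iredmail-dovecot.conf` sends any local5 message containing `: Debug:` to dovecot.log and then stops processing, without checking the program name, whereas the final rule of the same file does check `$programname startswith "dovecot"`. The neighbouring `1-iredmail-iredapd.conf` and `1-iredmail-mlmmjadmin.conf` files state that those daemons also log to local5, so a debug line from either of them could be captured here and never reach its own log; constraining the rule makes it consistent with the last one: `if $syslogfacility-text == 'local5' and $programname startswith "dovecot" and ($msg contains ": Debug:") then -/var/log/dovecot/dovecot.log`. The lmtp/imap/pop3/managesieve rules match on message text alone as well and would benefit from the same program-name guard.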
diff --git a/rsyslog.d/1-iredmail-iredapd.conf b/rsyslog.d/1-iredmail-iredapd.conf
new file mode 100644
index 0000000..cc50066
--- /dev/null
+++ b/rsyslog.d/1-iredmail-iredapd.conf
@@ -0,0 +1,12 @@
+# Log to /var/log/iredapd/iredapd.log
+#
+# Notes:
+#
+# - $syslogfacility-text must be same as value of parameter SYSLOG_FACILITY
+# in iredapd config file. Defaults to 'local5' (defined in
+# libs/default_settings.py).
+#
+# - Directory /var/log/iredapd/ must be owned by syslog daemon user/group.
+#
+if $syslogfacility-text == 'local5' and ($syslogtag startswith 'iredapd' or $msg startswith 'iredapd') then -/var/log/iredapd/iredapd.log
+& stop
diff --git a/rsyslog.d/1-iredmail-mlmmjadmin.conf b/rsyslog.d/1-iredmail-mlmmjadmin.conf
new file mode 100644
index 0000000..1d5158c
--- /dev/null
+++ b/rsyslog.d/1-iredmail-mlmmjadmin.conf
@@ -0,0 +1,12 @@
+# Log to /var/log/mlmmjadmin/mlmmjadmin.log
+#
+# Notes:
+#
+# - $syslogfacility-text must be same as value of parameter SYSLOG_FACILITY
+# in mlmmjadmin config file. Defaults to 'local5' (defined in
+# libs/default_settings.py).
+#
+# - Directory /var/log/mlmmjadmin/ must be owned by syslog daemon user/group.
+#
+if $syslogfacility-text == 'local5' and $programname startswith 'mlmmjadmin' then -/var/log/mlmmjadmin/mlmmjadmin.log
+& stop
diff --git a/rsyslog.d/1-iredmail-phpfpm.conf b/rsyslog.d/1-iredmail-phpfpm.conf
new file mode 100644
index 0000000..f2920c2
--- /dev/null
+++ b/rsyslog.d/1-iredmail-phpfpm.conf
@@ -0,0 +1,3 @@
+# php-fpm
+if $syslogfacility-text == 'local5' and $syslogtag startswith 'php-fpm' then -/var/log/php-fpm/php-fpm.log
+& stop
diff --git a/shadow b/shadow
index cb30e03..84b864c 100644
--- a/shadow
+++ b/shadow
@@ -33,3 +33,8 @@ dovecot:*:18725:0:99999:7:::
 dovenull:*:18725:0:99999:7:::
 debian-spamd:*:18725:0:99999:7:::
 amavis:*:18725:0:99999:7:::
+vmail:!:18725:0:99999:7:::
+mlmmj:!:18725:0:99999:7:::
+iredadmin:!:18725:0:99999:7:::
+iredapd:!:18725:0:99999:7:::
+netdata:!:18725:0:99999:7:::
diff --git a/shadow- b/shadow-
index cb30e03..e034360 100644
--- a/shadow-
+++ b/shadow-
@@ -33,3 +33,7 @@ dovecot:*:18725:0:99999:7:::
 dovenull:*:18725:0:99999:7:::
 debian-spamd:*:18725:0:99999:7:::
 amavis:*:18725:0:99999:7:::
+vmail:!:18725:0:99999:7:::
+mlmmj:!:18725:0:99999:7:::
+iredadmin:!:18725:0:99999:7:::
+iredapd:!:18725:0:99999:7:::
diff --git a/spamassassin/local.cf b/spamassassin/local.cf
index 95bc494..3bd8ff9 100644
--- a/spamassassin/local.cf
+++ b/spamassassin/local.cf
@@ -1,89 +1,186 @@
-# This is the right place to customize your installation of SpamAssassin.
-#
-# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
-# tweaked.
-#
-# Only a small subset of options are listed below
-#
-###########################################################################
-
-# Add *****SPAM***** to the Subject header of spam e-mails
-#
-# rewrite_header Subject *****SPAM*****
-
-
-# Save spam messages as a message/rfc822 MIME attachment instead of
-# modifying the original message (0: off, 2: use text/plain instead)
-#
-# report_safe 1
-
-
-# Set which networks or hosts are considered 'trusted' by your mail
-# server (i.e. not spammers)
-#
-# trusted_networks 212.17.35.
-
-
-# Set file-locking method (flock is not safe over NFS, but is faster)
-#
-# lock_method flock
-
-
-# Set the threshold at which a message is considered spam (default: 5.0)
-#
-# required_score 5.0
-
-
-# Use Bayesian classifier (default: 1)
-#
-# use_bayes 1
-
-
-# Bayesian classifier auto-learning (default: 1)
-#
-# bayes_auto_learn 1
-
-
-# Set headers which may provide inappropriate cues to the Bayesian
-# classifier
-#
-# bayes_ignore_header X-Bogosity
-# bayes_ignore_header X-Spam-Flag
-# bayes_ignore_header X-Spam-Status
-
-
-# Whether to decode non- UTF-8 and non-ASCII textual parts and recode
-# them to UTF-8 before the text is given over to rules processing.
-#
-# normalize_charset 1
-
-# Some shortcircuiting, if the plugin is enabled
-#
-ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
-#
-# default: strongly-whitelisted mails are *really* whitelisted now, if the
-# shortcircuiting plugin is active, causing early exit to save CPU load.
-# Uncomment to turn this on
-#
-# shortcircuit USER_IN_WHITELIST on
-# shortcircuit USER_IN_DEF_WHITELIST on
-# shortcircuit USER_IN_ALL_SPAM_TO on
-# shortcircuit SUBJECT_IN_WHITELIST on
-
-# the opposite; blacklisted mails can also save CPU
-#
-# shortcircuit USER_IN_BLACKLIST on
-# shortcircuit USER_IN_BLACKLIST_TO on
-# shortcircuit SUBJECT_IN_BLACKLIST on
-
-# if you have taken the time to correctly specify your "trusted_networks",
-# this is another good way to save CPU
-#
-# shortcircuit ALL_TRUSTED on
-
-# and a well-trained bayes DB can save running rules, too
-#
-# shortcircuit BAYES_99 spam
-# shortcircuit BAYES_00 ham
-
-endif # Mail::SpamAssassin::Plugin::Shortcircuit
+#---------------------------------------------------------------------
+# This file is part of iRedMail, which is an open source mail server
+# solution for Red Hat(R) Enterprise Linux, CentOS, Debian and Ubuntu.
+#
+# iRedMail is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# iRedMail is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with iRedMail. If not, see .
+#---------------------------------------------------------------------
+
+#
+# Sample SpamAssassin rules. It should be located at:
+# /etc/mail/spamassassin/local.cf
+#
+# Shipped within iRedMail project:
+# * http://iRedMail.googlecode.com/
+#
+# See also:
+# $ man Mail::SpamAssassin::Conf
+#
+
+
+# These two lines will not affect due to Amavisd use its
+# own variables setting in /etc/amavisd.conf.
+required_score 5.0
+rewrite_header subject [ SPAM ]
+
+report_safe 0
+lock_method flock
+
+#
+# Bayesian support
+#
+# References:
+# - http://wiki.apache.org/spamassassin/BayesInSpamAssassin
+# - http://svn.apache.org/repos/asf/spamassassin/branches/3.3/sql/README.bayes
+# Addition plugin for Roundcube webmail to call sa-learn
+# - http://www.tehinterweb.co.uk/roundcube/#pimarkasjunk2
+#
+use_bayes 1
+bayes_auto_learn 1
+bayes_auto_expire 1
+
+# Store bayesian data in MySQL.
+# Please make sure you have correct server address, port and database name.
+#bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
+#bayes_sql_dsn DBI:mysql:sa_bayes:127.0.0.1:3306
+
+# Store bayesian data in PostgreSQL.
+# Please make sure you have correct server address, port and database name.
+#bayes_store_module Mail::SpamAssassin::BayesStore::PgSQL
+#bayes_sql_dsn DBI:Pg:database=sa_bayes;host=127.0.0.1;port=5432
+
+# SQL username and password.
+#bayes_sql_username db_username
+#bayes_sql_password db_password
+
+# Override the username used for storing data in the database.
+# This could be used to group users together to share bayesian filter data.
+# You can also use this config option to trick sa-learn to learn data as a specific user.
+#bayes_sql_override_username vmail
+
+# Increase score for message which contains blacklisted or phishing URI
+# URIBL
+#score URIBL_SBL 3
+# dbl.spamhaus.org
+#score URIBL_DBL_SPAM 3
+#score URIBL_DBL_PHISH 3
+#score URIBL_DBL_MALWARE 3
+#score URIBL_DBL_BOTNETCC 3
+#score URIBL_DBL_ABUSE_SPAM 3
+#score URIBL_DBL_ABUSE_REDIR 3
+#score URIBL_DBL_ABUSE_PHISH 3
+#score URIBL_DBL_ABUSE_MALW 3
+#score URIBL_DBL_ABUSE_BOTCC 3
+#score URIBL_DBL_ERROR 0
+# multi.surbl.org
+#score URIBL_WS_SURBL 3
+#score URIBL_PH_SURBL 3
+#score URIBL_MW_SURBL 3
+#score URIBL_CR_SURBL 3
+#score URIBL_ABUSE_SURBL 3
+#score SURBL_BLOCKED 0
+# multi.urlbl.com
+#score URIBL_BLACK 3
+#score URIBL_RED 3
+#score URIBL_BLOCKED 0
+
+# DNSBL
+#score RCVD_IN_SBL 5
+#score RCVD_IN_XBL 5
+#score RCVD_IN_PBL 5
+
+# Turn off ALL DNSBL (DNS Blocklists)
+#skip_rbl_checks 1
+# Turn off DNSBL: rhsbl.ahbl.org.
+# Check /usr/share/spamassassin/20_dnsbl_teest.cf to see the rule name.
+score DNS_FROM_AHBL_RHSBL 0
+
+score URIBL_AB_SURBL 0 0.3306 0 0.3812
+score URIBL_JP_SURBL 0 0.3360 0 0.4087
+score URIBL_OB_SURBL 0 0.2617 0 0.3008
+score URIBL_PH_SURBL 0 0.2240 0 0.2800
+score URIBL_SBL 0 0.1094 0 0.1639
+score URIBL_SC_SURBL 0 0.3600 0 0.4498
+score URIBL_WS_SURBL 0 0.1533 0 0.2140
+
+# For SpamAssassin-3.2.x. Reference:
+# http://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_SPF.html
+#do_not_use_mail_spf 0
+#do_not_use_mail_spf_query 1
+#ignore_received_spf_header 1
+
+# Trusted networks. Examples:
+# 192.168/16 # all in 192.168.*.*
+# 212.17.35.15 # just that host
+# !10.0.1.5 10.0.1/24 # all in 10.0.1.* but not 10.0.1.5
+# DEAD:BEEF::/32 # all in that ipv6 prefix
+# Local host (127.0.0.1) will automatically be trusted implicitly.
+#trusted_networks 192.168/16
+
+# Whitelist from SPF.
+#whitelist_from_spf joe@example.com fred@example.com
+#whitelist_from_spf *@example.com
+
+# Whitelist from DKIM.
+loadplugin Mail::SpamAssassin::Plugin::DKIM
+whitelist_from_dkim *@paypal.com
+whitelist_from_dkim *@linkedin.com
+whitelist_from_dkim *@twitter.com
+whitelist_from_dkim *@bounce.twitter.com
+
+# Whitelist domains.
+# Reference: http://wiki.apache.org/spamassassin/ManualWhitelist
+#whitelist_from *@gmail.com
+
+# Locales.
+ok_locales all
+
+# Some sample custom file rules. Refer to SpamAssassin wiki site for more
+# details: http://wiki.apache.org/spamassassin/WritingRules
+#
+# Filter Headers.
+# -- Subject
+#header LOCAL_DEMONSTRATION_SUBJECT Subject =~ /\btest\b/i
+#score LOCAL_DEMONSTRATION_SUBJECT 0.1
+# -- From
+#header LOCAL_DEMONSTRATION_FROM From =~ /test\.com/i
+#score LOCAL_DEMONSTRATION_FROM 0.1
+# -- Look at all the headers and match if any of them contain the specified regex:
+#header LOCAL_DEMONSTRATION_ALL ALL =~ /test\.com/i
+#score LOCAL_DEMONSTRATION_ALL 0.1
+#
+# Filter mail body.
+#body LOCAL_DEMONSTRATION_RULE /test/
+#score LOCAL_DEMONSTRATION_RULE 0.1
+#describe LOCAL_DEMONSTRATION_RULE This is a simple test rule
+
+# Decrease score for authenticated senders.
+# IMPORTANT NOTES:
+#
+# 1) Please replace 'your\.server\.com' by the value of Postfix parameter
+# "myhostname".
+# 2) Please set 'smtpd_sasl_authenticated_header = yes' in Postfix main.cf.
+#
+#header AUTHENTICATED_SENDER Received =~ /Authenticated\ sender\:.*by\ your\.server\.com/
+#describe AUTHENTICATED_SENDER Header 'Received:' contains 'Authenticated sender:'
+#score AUTHENTICATED_SENDER -3
+
+# Checks if domain name of an envelope sender address matches the domain name
+# of the first untrusted relay (if any), or any trusted relay otherwise.
+# https://wiki.apache.org/spamassassin/Rules/RP_MATCHES_RCVD
+score RP_MATCHES_RCVD 0
+
+# SPF mismatch
+score SPF_FAIL 5
+
+razor_config /etc/mail/spamassassin/razor.conf
diff --git a/spamassassin/local.cf.2021.04.08.22.02.11 b/spamassassin/local.cf.2021.04.08.22.02.11
new file mode 100644
index 0000000..95bc494
--- /dev/null
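Review bot: `score SPF_FAIL 5` on the new side sets a single SPF hard fail equal to `required_score 5.0`, so under SpamAssassin's own threshold one failing SPF check alone marks a message as spam; the header comment says amavisd applies its own thresholds instead, so the effective cut-off cannot be judged from this file and deserves a comment such as `# Equals required_score above; amavisd's sa_tag2_level is what actually applies` next to it. The `whitelist_from_dkim` lines give any DKIM-verified mail from those four domains a strongly negative score, which matches the iRedMail sample but should be a deliberate choice for this host. Two comments look stale: `/usr/share/spamassassin/20_dnsbl_teest.cf` appears to be a typo for `20_dnsbl_tests.cf`, and `http://iRedMail.googlecode.com/` is a long-dead project URL.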
+++ b/spamassassin/local.cf.2021.04.08.22.02.11 
@@ -0,0 +1,89 @@
+# This is the right place to customize your installation of SpamAssassin.
+#
+# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
+# tweaked.
+#
+# Only a small subset of options are listed below
+#
+###########################################################################
+
+# Add *****SPAM***** to the Subject header of spam e-mails
+#
+# rewrite_header Subject *****SPAM*****
+
+
+# Save spam messages as a message/rfc822 MIME attachment instead of
+# modifying the original message (0: off, 2: use text/plain instead)
+#
+# report_safe 1
+
+
+# Set which networks or hosts are considered 'trusted' by your mail
+# server (i.e. not spammers)
+#
+# trusted_networks 212.17.35.
+
+
+# Set file-locking method (flock is not safe over NFS, but is faster)
+#
+# lock_method flock
+
+
+# Set the threshold at which a message is considered spam (default: 5.0)
+#
+# required_score 5.0
+
+
+# Use Bayesian classifier (default: 1)
+#
+# use_bayes 1
+
+
+# Bayesian classifier auto-learning (default: 1)
+#
+# bayes_auto_learn 1
+
+
+# Set headers which may provide inappropriate cues to the Bayesian
+# classifier
+#
+# bayes_ignore_header X-Bogosity
+# bayes_ignore_header X-Spam-Flag
+# bayes_ignore_header X-Spam-Status
+
+
+# Whether to decode non- UTF-8 and non-ASCII textual parts and recode
+# them to UTF-8 before the text is given over to rules processing.
+#
+# normalize_charset 1
+
+# Some shortcircuiting, if the plugin is enabled
+#
+ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
+#
+# default: strongly-whitelisted mails are *really* whitelisted now, if the
+# shortcircuiting plugin is active, causing early exit to save CPU load.
+# Uncomment to turn this on
+#
+# shortcircuit USER_IN_WHITELIST on
+# shortcircuit USER_IN_DEF_WHITELIST on
+# shortcircuit USER_IN_ALL_SPAM_TO on
+# shortcircuit SUBJECT_IN_WHITELIST on
+
+# the opposite; blacklisted mails can also save CPU
+#
+# shortcircuit USER_IN_BLACKLIST on
+# shortcircuit USER_IN_BLACKLIST_TO on
+# shortcircuit SUBJECT_IN_BLACKLIST on
+
+# if you have taken the time to correctly specify your "trusted_networks",
+# this is another good way to save CPU
+#
+# shortcircuit ALL_TRUSTED on
+
+# and a well-trained bayes DB can save running rules, too
+#
+# shortcircuit BAYES_99 spam
+# shortcircuit BAYES_00 ham
+
+endif # Mail::SpamAssassin::Plugin::Shortcircuit
diff --git a/spamassassin/razor.conf b/spamassassin/razor.conf
new file mode 100644
index 0000000..b6170a9
--- /dev/null
+++ b/spamassassin/razor.conf
@@ -0,0 +1 @@
+debuglevel = 0
diff --git a/ssl/certs/iRedMail.crt b/ssl/certs/iRedMail.crt
new file mode 100644
index 0000000..46fd586
--- /dev/null
+++ b/ssl/certs/iRedMail.crt
@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGLzCCBBegAwIBAgIUUDTsI1RzjR/xSTdy6Ynw0lEl1oUwDQYJKoZIhvcNAQEL
+BQAwgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxETAPBgNVBAcM
+CFNoZW5aaGVuMRwwGgYDVQQKDBNoZWxnYS51aHUtYmFuYW5lLmRlMQswCQYDVQQL
+DAJJVDEcMBoGA1UEAwwTaGVsZ2EudWh1LWJhbmFuZS5kZTEnMCUGCSqGSIb3DQEJ
+ARYYcm9vdEBoZWxnYS51aHUtYmFuYW5lLmRlMB4XDTIxMDQwODIwMDIzMVoXDTMx
+MDQwNjIwMDIzMVowgaYxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0Rvbmcx
+ETAPBgNVBAcMCFNoZW5aaGVuMRwwGgYDVQQKDBNoZWxnYS51aHUtYmFuYW5lLmRl
+MQswCQYDVQQLDAJJVDEcMBoGA1UEAwwTaGVsZ2EudWh1LWJhbmFuZS5kZTEnMCUG
+CSqGSIb3DQEJARYYcm9vdEBoZWxnYS51aHUtYmFuYW5lLmRlMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAyft3/rLPQDxUEZ8FrkmTqtLPssxy8p+hYh0G
+P40UwB0s/B+gAU7t/Dut+i8Gl+sLdjb2hVus7j3Qq36vpe+pMyG3R3Cg5vhgQDAN
+5nnUYxSLL3jo24dyYsGjpIaxBA0UpR0I1l6+vSH+Ogl3SOtvDJ7mJSD3btLDDAcl
+MRhhVYFox45OQVbrz6waza7+mfBC6uRGWzwUi09Whn21GX7F5g6YrvLmcflDc2IO
+mSwTmlG5V/pbTw6NtyqYEm7Dr179Uogd6gU92mQNA76kJi0I/MnAkwWNL//ASw3e
+b7mkjgxUMgN/RFzpvLl4QJsoA7DEOTPF4yuqrHhnWSU8Ctztjfj6R8sPXfy5s5Ot
+fZFZeGotFagTt7UmxUQHVb9MP0S+eSYAhLKz/8cH24OWzkeoyBeD8aXCUmsbDRdP
+mOlLOpPFmSwzwsVcWHobf9dy7DuzfeTFIAIFWXH8yZEz1FeNncqiFSFILwlxDftY
+hcJcVyPtHjjQOk8NMzxd/pPmgiJL5AIwHCLEmJWYHEASqEtCPUIPE3leSW++d6Rs
+hEfPrKm3aN5NA6RBXVBePwkjhzQBPKUcu4RdoXY3RHriZ2DCXcCb/aGlTBVtG2ki
+y/6AJU1hlz9I9FAscHOWkjt/0dt/aCPD5EJRKsqbEX5OQJtBNkMduhfZ63/w4bsb
+u2SCNmMCAwEAAaNTMFEwHQYDVR0OBBYEFLgUu6zRtIHhBv/bTp9wxAlr3fSfMB8G
+A1UdIwQYMBaAFLgUu6zRtIHhBv/bTp9wxAlr3fSfMA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggIBAJoM5mlxmVYvbHPmNUFF3D5eK0ETZZILGrD9WLuQ
+UJ9Zgf73bUTdGIp9arohFoQdyMe20EVbeMt/VeYwCQ1a970IaOHMWjwMPmHL6M5d
+J5/gssomLHtyF3L4oRxkubvIsowwSDkoCBbc3GzYt1RELdfbH52GO3hzqhhuYntU
+/po/TTBCNFh9HjBIC0ztFeuBtQcsCaqZzhobDVRxc1jF8ASJm0YzOpENd32MdUwC
+7dr+lRpXgdy+3s0yyd0Col53W47hcSLdCoF4x4swQmUjV4dTXlkHnXa5qUB55WvN
+7jcyHEpYyiJH/9tDYmDjTrDDgaS/M3zvxds0jZlklZTvxzKNtfMJxRv4nq7Kgipg
+5ED9VeaDmXSLuVjq7qmARtLN2jh+XNZD0esITrVbDCv57yHR1nKMCZYHN99/xl3h
+pUe7iHcSbaHDGGX8Tt4lHFipVDfFtC1bvy8mrlYb1SCyO0PXvs3/v9YHmviFtd4k
+P/iYPT2BM83FqMmvAJPQ/sdW6IamkcdCr6RKOkgjNjrHDmEfmU8gNbaK2FbTZ1aY
+4+SvtG89N3mmlcbjF7M3FANacGEEzHtPyU8JDrkOmcxd2sxWVcLwGlI1XSv8f4Az
+dRKeO1xpiGERp4GiMP5/4AAvHCIeoebsRODPMko0wWIaOU4cUVGlTyIla9Yi9N9p
+BSwD
+-----END CERTIFICATE-----
diff --git a/ssl/dh2048_param.pem b/ssl/dh2048_param.pem
new file mode 100644
index 0000000..15573be
--- /dev/null
+++ b/ssl/dh2048_param.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA0XOwq9DHuWZyPU1CITlkb8Rpqqtzp6zipz37sJ9TukpiQz1eNfcr
+rHaCzZsdnS1395jgT++ZOJfgqGbx7/MP/oaXfeujWshMpx0vTOeIi7FAfwpc1qB1
+iY8suZpyObzLNszg8Bvc+qE97xOvMI2cM4fI94423XLI9nUve9U1vMTIsvztPmG+
+NiiyL4+9U2uSKb5NXRHWJT1KwooLJgZoHiYuIhyyLQ5QKZQVj147BeHE+xTSx9Cf
+fvkYxq23PregHu5mL5OGHheF9kqwoCeYMoSHelsWVBv+7QqIEnhSKpzEByL804zN
+1k/GCxyY7z9k4CrKrPB9Jari8ew108oPqwIBAg==
+-----END DH PARAMETERS-----
diff --git a/ssl/dh512_param.pem b/ssl/dh512_param.pem
new file mode 100644
index 0000000..db41414
--- /dev/null
+++ b/ssl/dh512_param.pem
@@ -0,0 +1,4 @@
+-----BEGIN DH PARAMETERS-----
+MEYCQQDSc+hZPYcdopzZAnwu0RiI/5ZIcWXeCqXS9u+dUl6b7LXnnNs1EBARIvmM
+pVR4OTY1AY0sFhlSrdWGQI/427XLAgEC
+-----END DH PARAMETERS-----
diff --git a/ssl/private/iRedMail.key b/ssl/private/iRedMail.key
new file mode 100644
index 0000000..c90951e
--- /dev/null
+++ b/ssl/private/iRedMail.key
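Review bot: Decoding the DER in these lines suggests `ssl/certs/iRedMail.crt` is a self-signed certificate (issuer and subject blobs are identical) with a critical `basicConstraints CA:TRUE` extension and a ten-year validity (2021-04-08 to 2031-04-06), whose subject fields C=CN/ST=GuangDong/L=ShenZhen look like installer defaults rather than this host's location. Mail clients and peer MTAs that verify certificates will not trust it, and CA:TRUE on what is used as a server certificate grants more than a leaf needs. It is acceptable as a bootstrap, but the daemon configs that reference it should carry a comment marking it as interim until a CA-issued certificate replaces it.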
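Review bot: `ssl/dh512_param.pem` is a 512-bit DH group, far below the 2048-bit floor that current TLS libraries and client policies accept, so any service pointed at it would either fail handshakes or offer a weak key exchange. Which daemon, if any, references it is outside this diff; if nothing does, drop the file, and otherwise switch that service to `ssl/dh2048_param.pem` from the preceding hunk.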
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDJ+3f+ss9APFQR
+nwWuSZOq0s+yzHLyn6FiHQY/jRTAHSz8H6ABTu38O636LwaX6wt2NvaFW6zuPdCr
+fq+l76kzIbdHcKDm+GBAMA3medRjFIsveOjbh3JiwaOkhrEEDRSlHQjWXr69If46
+CXdI628MnuYlIPdu0sMMByUxGGFVgWjHjk5BVuvPrBrNrv6Z8ELq5EZbPBSLT1aG
+fbUZfsXmDpiu8uZx+UNzYg6ZLBOaUblX+ltPDo23KpgSbsOvXv1SiB3qBT3aZA0D
+vqQmLQj8ycCTBY0v/8BLDd5vuaSODFQyA39EXOm8uXhAmygDsMQ5M8XjK6qseGdZ
+JTwK3O2N+PpHyw9d/Lmzk619kVl4ai0VqBO3tSbFRAdVv0w/RL55JgCEsrP/xwfb
+g5bOR6jIF4PxpcJSaxsNF0+Y6Us6k8WZLDPCxVxYeht/13LsO7N95MUgAgVZcfzJ
+kTPUV42dyqIVIUgvCXEN+1iFwlxXI+0eONA6Tw0zPF3+k+aCIkvkAjAcIsSYlZgc
+QBKoS0I9Qg8TeV5Jb753pGyER8+sqbdo3k0DpEFdUF4/CSOHNAE8pRy7hF2hdjdE
+euJnYMJdwJv9oaVMFW0baSLL/oAlTWGXP0j0UCxwc5aSO3/R239oI8PkQlEqypsR
+fk5Am0E2Qx26F9nrf/Dhuxu7ZII2YwIDAQABAoICADREVY3cOZNWyS5yJycttP+s
+Y8DR9SDhvAJGnnpNiMQaCK0Jhf8wrJbr3p5yEtO3KBUkLfDeg0Z3SotGUi+vb+pi
+XCopdAmw1j9l8ALnHdWx2D6lnCRKzYfOsgj+LcptlB0SAVpv1A3fQQlFr8931Rm/
++LA88qqD8aMoKjClLXLR9QpGwetYkdcAo0L8eLffG4HrJmWvi2VtV2egGgAJ9S4O
+MuZ6xrVRmmm+QybR6BSz9zFUANLZYkS2yfljHlJAU29K9+q6BoKAB3ojmBik6MF5
+d9LTyfBUzy7c3OWudW2otRToIMPRA08p83tMazNhR7XBtwCNKTJOSfggkYQCHZp8
+1lh79+XYE2aFV1Jrx+o5MQ40dZyWVv9I2ZHQM63d7hARSpcnvHq+kG+B4JXow4hh
+ARyjqharrzTWbHlQGaAwKKGO/Lvi3VEp9dbcjl/8RbU3A6AS/HobM+GG/zwUhWv9
+8uupQCDevYX2qnYEkt6Z8RSF70lPegQKUXLonFrzXsWr/ZiNqJkl4UqFiApx98JR
+8QtHIZa6RKNH/g70VViSdItKcUVOfdYHmObsFslOgZieo86JV42Zinr4xXUDqLtq
+eLNKBCungyapB9TS1rxkjN3RfXS+vlJgi9V1GU4MseWQjcHrMotkVYq5jBK7rVhA
+NVLjBy5Ms+zJ486i2Ub5AoIBAQDkOLY4rJA2RhyATYZIeDmoz8tFUvpsa+lsK6FT
+yhRjrawM3TOvwwKiW39RAqKXsB7KJyL8CS/8QuqFeLC/ntAljpqBxTa9XUl07KSP
+J2X7nELeKwlFqXJ+1mxKMsrCt4wUf8AFoVYfkGSuKhSjD94anBCOjmXh4jwNEbhX
+eJHDHRlqllkIPEvksp1W8g9zXL2IycxDs9HPLrPpSKemuc9X9S+Ma66nd2k6cRqG
+BL/UHPxCl18zpbvtufZKGV9t7WsDK4onwEU2q+A9P4Qo4Ij73IZpzR3enbvpG4RX
+S5ZEL90BVMbdYkmZX8F/VWc1H755Eg8sPgFGOgOuDN9j//MfAoIBAQDikSdEN5Lr
+Vy/fnZ5TsrTb2jKWgInmkmjCbNm5RYtEooP02qvlGoYOa5IB4VNaNWrgFKwse29s
+DbM7nF8en+15uFmeyfsQDdoAabNRwZN2yQ9jwcm172lNTHvgkkhWAJWu9xcrcc0F
+QR/TjYBWdVkZBTz1TGSLTt6LV12tlE10ANdCuzCZwLLB+kabrikUAKp+NmvQG3Ev
+BlwISWOuKx664U8OozgJ1Dm2oZVJ7cYSbKKPh0pGNfFSNLCMGt2TEk8mYSnJF6Vn
+r8NrEauiTmzLWXcVaGvxmBuVPYqIo9ResHdOw4znRgAb8stK37n9Usj+RDKmvlt4
+u8fwdWxsWbg9AoIBAG09oCucniL8iGP5t880jRT68eerAmend8HpWH2M+xmDZhl6
+QGVfSQGCHn0eb8l/6h0Fgr91flyXgz6EOMZgNG3lxptbVQprft/S7in/x9caQv+p
+RfTsWPvRk2Ao09lElm6xf66yPVE6gpbDWcF7tOqzzVEPZEEtU2VGGCD2e38TjLjy
+YoeIpSNBRAL8Nt0XhTnWrkmx5znutvtxZZ5uzorht/LVEHLku5/Xx8RivZfAkBcn
+8c/9AumV3Ag4AO/Tdye7TZQdeoPi3aEzqAURBUDZnBVEs4l9oxa/rydB7RmSd41N
+kSsjAuvBZBOZQ5+wJDI7rLuWqnF9D4nea4eoWi0CggEAJBao4YXUoiXuGzlZCc3y
+Xv6fhjeNP6vcgfOiro80Qsd8K1lVfhW+ereJt0Dz7O+LSYwhbKhwtA5umTUsNY2V
+3wiNRey4T/NU4TH0/TXPTmFyURqCDbfH1ycyqC/E0+Yd8ZOsHiBvXsHj1ue4JI1m
+lsSt1AjKDyKN8jYFVuvDdpHXt+pnMGZwUtORwaR5KJV+ksIKZEiqu6nQqQU/mnOF
+3pCa7iLzfyVN2Bhe1jrIjRC+yAvtucdH3CdGY9q3poCJGPzrEfvxPdXSU9CpvR2u
+2Kk0fbV3VDE9W4VE9sTZxAdpyaL+Y6xTwh/nX9LJJl+0YkPsqYCyw0Vt8JBTp+KW
+pQKCAQEAtpUbpWpRbnj09XLrFupvacWDFPcrkKDVXD7cY0JWp/aLAFoxzswuRT0k
+qhniZIDLTH8fsVGkeJBDgzc5E8q6/w0yIPpICp47qFK63HVvJDz0lEYmK3rHN6pu
+LFLD4ibLTr4mc9mRRowVHlJPFugh7icI3ejcXcE7o0GHWb0/DgdWCfB3gXpGuEGP
+Uh3wZbacK48AiFATWCwgF171nBM55KbT055jJqob2C/Ci2t1SJoZtCvLydzM5Wnk
+2HtKx1l6A9d6hMqSFLQYA20P+4lHO0Q4rb27b7rJyz+1Q23KLlNvzlwGKY9qWt9r
+UEyvPYOkCr8/qEVcHTMhf/daAMCpGQ==
+-----END PRIVATE KEY-----
diff --git a/subgid b/subgid
index f1ee3c1..67463a3 100644
--- a/subgid
+++ b/subgid
@@ -1 +1,6 @@
 frank:100000:65536
+vmail:165536:65536
+mlmmj:231072:65536
+iredadmin:296608:65536
+iredapd:362144:65536
+netdata:427680:65536
diff --git a/subgid- b/subgid-
index e69de29..21f8186 100644
--- a/subgid-
+++ b/subgid-
@@ -0,0 +1,5 @@
+frank:100000:65536
+vmail:165536:65536
+mlmmj:231072:65536
+iredadmin:296608:65536
+iredapd:362144:65536
diff --git a/subuid b/subuid
index f1ee3c1..67463a3 100644
--- a/subuid
+++ b/subuid
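Review bot: `ssl/private/iRedMail.key` is an unencrypted private key committed in clear to the etckeeper repository, so from this commit on it is readable by anyone with access to the repository, its backups, or any remote it is pushed to, and it remains in history even if the file is deleted later. Add `ssl/private/` to the repository's `.gitignore` (etckeeper honours it), purge the file from history, and treat the key as exposed: regenerate it together with `ssl/certs/iRedMail.crt` from the earlier hunk when the interim certificate is replaced. Also confirm that etckeeper's permission metadata records mode 0600 root-only for the key, since a checkout elsewhere would otherwise recreate it world-readable.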
@@ -1 +1,6 @@
 frank:100000:65536
+vmail:165536:65536
+mlmmj:231072:65536
+iredadmin:296608:65536
+iredapd:362144:65536
+netdata:427680:65536
diff --git a/subuid- b/subuid-
index e69de29..21f8186 100644
--- a/subuid-
+++ b/subuid-
@@ -0,0 +1,5 @@
+frank:100000:65536
+vmail:165536:65536
+mlmmj:231072:65536
+iredadmin:296608:65536
+iredapd:362144:65536
diff --git a/sysctl.conf b/sysctl.conf
index bd112aa..b4baa68 100644
--- a/sysctl.conf
+++ b/sysctl.conf
@@ -66,3 +66,6 @@
 # for what other values do
 #kernel.sysrq=438
 
+vm.dirty_expire_centisecs=60000
+vm.dirty_background_ratio=80
+vm.dirty_ratio=90
diff --git a/systemd/system/mariadb.service.d/override.conf b/systemd/system/mariadb.service.d/override.conf
new file mode 100644
index 0000000..7f64aab
--- /dev/null
+++ b/systemd/system/mariadb.service.d/override.conf
@@ -0,0 +1,3 @@
+# Reference: https://mariadb.com/kb/en/the-mariadb-library/server-system-variables/#open_files_limit
+[Service]
+LimitNOFILE=infinity
diff --git a/systemd/system/multi-user.target.wants/iredadmin.service b/systemd/system/multi-user.target.wants/iredadmin.service
new file mode 120000
index 0000000..e391dc9
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/iredadmin.service
@@ -0,0 +1 @@
+/lib/systemd/system/iredadmin.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/iredapd.service b/systemd/system/multi-user.target.wants/iredapd.service
new file mode 120000
index 0000000..02ece82
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/iredapd.service
@@ -0,0 +1 @@
+/lib/systemd/system/iredapd.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/mlmmjadmin.service b/systemd/system/multi-user.target.wants/mlmmjadmin.service
new file mode 120000
index 0000000..1fa9e1c
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/mlmmjadmin.service
@@ -0,0 +1 @@
+/lib/systemd/system/mlmmjadmin.service
\ No newline at end of file
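Review bot: `vm.dirty_ratio=90`, `vm.dirty_background_ratio=80` and `vm.dirty_expire_centisecs=60000` in the sysctl.conf hunk let up to 90% of RAM sit as unflushed dirty pages and keep them unflushed for ten minutes, which on a mail server trades crash durability for throughput: anything written without an explicit fsync (logs, spool and maildir data, database files depending on their own sync settings) can be lost on a power failure or kernel panic, and the eventual writeback burst can stall the box. The intent is not recorded anywhere in the hunk; add a comment above the three lines such as `# Aggressive writeback caching: accepts up to ~10 min of unflushed data loss on crash`, or bring the ratios back toward the kernel defaults if durability matters more here.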
diff --git a/systemd/system/multi-user.target.wants/netdata.service b/systemd/system/multi-user.target.wants/netdata.service
new file mode 120000
index 0000000..765211c
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/netdata.service
@@ -0,0 +1 @@
+/lib/systemd/system/netdata.service
\ No newline at end of file
diff --git a/systemd/system/netdata.service.d/limits.conf b/systemd/system/netdata.service.d/limits.conf
new file mode 100644
index 0000000..4f82fd3
--- /dev/null
+++ b/systemd/system/netdata.service.d/limits.conf
@@ -0,0 +1,2 @@
+[Service]
+LimitNOFILE=30000
-- 
2.39.5