Configuration examples #
/etc/dovecot/local.conf #
# listen on both IPv4 and IPv6
listen = *, [::]
# imap only (better than pop)
protocols = imap
ssl = yes
# the leading '<' makes Dovecot read the setting's value from the named file
ssl_cert = </etc/ssl/athome.tld.crt
ssl_key = </etc/ssl/private/athome.tld.key
# refuse plaintext authentication unless the connection is considered secure (TLS)
disable_plaintext_auth = yes
service auth {
user = $default_internal_user
group = _maildaemons
}
# credentials live in a flat file, bcrypt-hashed (blf-crypt)
passdb {
args = scheme=blf-crypt /etc/mail/passwd
driver = passwd-file
}
# every user maps to the _vmail system account; the mailbox path is built from the domain (%d) and user part (%n)
userdb {
driver = static
args = uid=_vmail gid=_vmail home=/mnt/bigstorage/_vmail/%d/%n/
}
# Plugins
mail_plugins = $mail_plugins quota zlib
protocol imap {
mail_plugins = $mail_plugins imap_quota imap_zlib imap_sieve
}
plugin {
quota = maildir:User quota
# 1G per user, plus 100M extra for Trash
quota_rule = *:storage=1G
quota_rule2 = Trash:storage=+100M
# '%%' is a literal percent sign in Dovecot settings
quota_grace = 50%%
quota_status_success = DUNNO
quota_status_nouser = DUNNO
quota_status_overquota = "552 5.2.2 Mailbox is full"
zlib_save_level = 9 # 1..9; default is 6
zlib_save = gz # or bz2, xz or lz4
sieve_plugins = sieve_imapsieve sieve_extprograms
sieve_default = /usr/local/lib/dovecot/sieve/default.sieve
# copying/moving a message into Junk runs report-spam.sieve (presumably feeds the spam learner)
imapsieve_mailbox1_name = Junk
imapsieve_mailbox1_causes = COPY
imapsieve_mailbox1_before = file:/usr/local/lib/dovecot/sieve/report-spam.sieve
# copying/moving a message out of Junk into any mailbox runs report-ham.sieve
imapsieve_mailbox2_name = *
imapsieve_mailbox2_from = Junk
imapsieve_mailbox2_causes = COPY
imapsieve_mailbox2_before = file:/usr/local/lib/dovecot/sieve/report-ham.sieve
# sieve scripts may only pipe to programs found in this directory
sieve_pipe_bin_dir = /usr/local/lib/dovecot/sieve
sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
}
/etc/httpd.conf #
types { include "/usr/share/misc/mime.types" }
# first server on port 80: httpd uses it for requests whose Host header matches no other server name
server "default" {
listen on * port 80
root "/htdocs/athome.tld"
}
# plain HTTP for athome.tld only redirects to HTTPS
server "athome.tld" {
listen on * port 80
block return 301 "https://$SERVER_NAME$REQUEST_URI"
}
server "athome.tld" {
alias "www.athome.tld"
listen on * tls port 443
root "/htdocs/athome.tld"
directory index index.html
log style combined
hsts preload
tls {
certificate "/etc/ssl/athome.tld.crt"
key "/etc/ssl/private/athome.tld.key"
}
# ACME http-01 challenges: the two leading path components are stripped, so
# /.well-known/acme-challenge/<token> is served from /acme/<token>
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location "/Blog/" {
directory index index.php
}
location "*.php" {
fastcgi socket "/run/php-fpm.sock"
}
location "/DL/PDF/" {
directory auto index
}
# password-protected area; the htpasswd file (/htdocs/private.htpw) sits outside
# every served root (/htdocs/athome.tld, /htdocs/site2), so clients cannot fetch it
location "/private/" {
authenticate "education" with "/htdocs/private.htpw"
directory auto index
}
}
# site2 also answers on plain HTTP (no redirect to HTTPS, unlike athome.tld),
# so hsts only takes effect once a browser has visited it over TLS
server "site2.athome.tld" {
alias "www.site2.athome.tld"
listen on * port 80
listen on * tls port 443
root "/htdocs/site2"
directory index index.html
log access "site2.log"
hsts
tls {
certificate "/etc/ssl/athome.tld.crt"
key "/etc/ssl/private/athome.tld.key"
}
location "/.well-known/acme-challenge/*" {
root "/acme"
request strip 2
}
location "*.php" {
fastcgi socket "/run/php-fpm.sock"
}
location "/downloads/" {
directory index index.php
}
}
/var/nsd/etc/nsd.conf #
server:
# do not answer version queries (CHAOS class) with the NSD version string
hide-version: yes
verbosity: 2
database: "" # disable database
zonesdir: "/var/nsd/zones/"
ip-address: 46.23.92.148
ip-address: 2a03:6000:9137::148
# nsd-control(8); with no control-interface line it only listens on localhost
remote-control:
control-enable: yes
# TSIG key used for the signed transfers and notifies with 109.190.128.23 below.
# The secret printed here is an example value: generate your own and keep this
# file unreadable to other users, since anyone holding it can request transfers.
key:
name: "secretkey"
algorithm: hmac-sha256
secret: "i8f4FgDsldD11pHAqo9Ko="
# primary zone (zonefile is under signed/, presumably DNSSEC-signed); secondaries are notified and may transfer it
zone:
name: "reiva.xyz"
zonefile: "signed/reiva.xyz"
provide-xfr: 109.190.128.23 secretkey
notify: 109.190.128.23 secretkey
# GANDI: NOKEY means these transfers are not TSIG-signed, only the source address is checked
provide-xfr: 217.70.177.40 NOKEY
notify: 217.70.177.40 NOKEY
# secondary zones, pulled from 109.190.128.23 (notify and transfer are TSIG-authenticated)
zone:
name: "athome.tld"
zonefile: "slave/athome.tld"
allow-notify: 109.190.128.23 secretkey
request-xfr: 109.190.128.23 secretkey
zone:
name: "ouaf.xyz"
zonefile: "slave/ouaf.xyz"
allow-notify: 109.190.128.23 secretkey
request-xfr: 109.190.128.23 secretkey
zone:
name: "3hg.fr"
zonefile: "slave/3hg.fr"
allow-notify: 109.190.128.23 secretkey
request-xfr: 109.190.128.23 secretkey
/etc/pf.conf #
# See pf.conf(5) and /etc/examples/pf.conf
# Macros
## Interfaces to filter on. egress alone should be enough,
## but this is an example ^^
ifaces = "{ egress em0 em1 }"
## various ports
mail_ports = "{ submission imaps smtp }"
tcp_pass = "{ domain xmpp-client xmpp-server 5280 5281 62882 5232 }" # 5280-5281 are xmpp-http, 62882 transmission, 5232 radicale
udp_pass = "{ domain 62882 }" # 62882 dht rtorrent; 4545 (wg) is not in this list
## ports nobody should legitimately connect to: they are handed to iblock below
blocking_tcp="{ ftp ftp-data telnet finger sunrpc epmap netbios-ns netbios-dgm netbios-ssn microsoft-ds ipp ldaps ldp ms-sql-s ms-sql-m pptp mysql postgresql rfb rdp 27019 1194 ldap 8080 kerberos socks }"
# Tables
## <evils> is filled from outside this file (no rule here adds to it)
table <evils> persist
## filled by the overload rules below
table <bruteforce> persist
## presumably maintained by sshguard(8)
table <sshguard> persist
## loaded from a file, hence the larger table-entries limit below
table <pfbadhost> persist file "/etc/pf-badhost.txt"
# Options
## increase limit for huge blocking table files
set limit table-entries 409600
set skip on { lo }
# Avoid spoofing
antispoof for $ifaces
# Rules
## block by default (not logged)
block
anchor "relayd/*" # so relayd works properly
## "quick" rules: when one matches, the rules after it are not evaluated.
## These drop known-bad sources first
### block unwanted sources, and don't go further
block log quick from <bruteforce> label "BRUTES"
block log quick from <evils> label "EVILS"
block log quick from <sshguard> label "SSHGUARD"
block log quick on $ifaces from <pfbadhost> label "PFBADHOST"
### Let the local network in before the iblock rules below.
### NOTE(review): this comes after the <pfbadhost> quick block, so it does not exempt
### local addresses from that table; it is also not tied to an interface.
pass in quick from 192.168.1.0/24 modulate state
# iblock: anyone connecting to a $blocking_tcp port is redirected to iblock (port 2507), which presumably bans the source
pass in quick on $ifaces inet proto tcp to port $blocking_tcp rdr-to 127.0.0.1 port 2507
pass in quick on $ifaces inet6 proto tcp to port $blocking_tcp rdr-to ::1 port 2507
## Allow some incoming traffic
### spamd: only senders already in the <spamd> blacklist are diverted to spamd(8)
### NOTE(review): <spamd> has no `table` line above (spamd-setup(8) manages it) - confirm pfctl accepts the reference
pass in on $ifaces inet proto tcp from <spamd> to any port smtp \
divert-to 127.0.0.1 port spamd modulate state
### let http + https in, with anti bruteforce: more than 100 concurrent connections or
### 30 new ones per 5 s from one source puts it in <bruteforce> and kills all its states
pass in on $ifaces proto tcp to port {www https} modulate state \
(max-src-conn 100, max-src-conn-rate 30/5, overload <bruteforce> flush global)
### let ssh in, with anti bruteforce (8 concurrent connections, 15 new per 5 s)
pass in on $ifaces proto tcp to port ssh modulate state \
(source-track rule, \
max-src-conn 8, max-src-conn-rate 15/5, \
overload <bruteforce> flush global)
### same for mail (100 concurrent connections, 50 new per 100 s)
pass in on $ifaces proto tcp to port $mail_ports modulate state \
(source-track rule, \
max-src-conn 100, max-src-conn-rate 50/100, \
overload <bruteforce> flush global)
# allow ping
# NOTE(review): every ICMP/ICMPv6 type is allowed, not just echo requests; restore the icmp-type restriction to limit this
pass on $ifaces inet6 proto ipv6-icmp all #icmp6-type echoreq
pass on $ifaces inet proto icmp all # icmp-type echoreq
# let the other ports in
pass in on $ifaces proto tcp to port $tcp_pass modulate state
pass in on $ifaces proto udp to port $udp_pass
### Let it go (outgoing traffic, stateful by default)
pass out on $ifaces proto { tcp udp }
/etc/relayd.conf #
ext_ip4 = "192.0.2.2"
ext_ip6 = "2001:db8::2"
tcp protocol "gemini" {
tls keypair athome.tld-self
}
relay "gemini4" {
listen on $ext_ip4 port 1965 tls
protocol "gemini"
forward to localhost port 11965
}
relay "gemini6" {
listen on $ext_ip6 port 1965 tls
protocol "gemini"
forward to localhost port 11965
}
# in /etc/torrc:
# HiddenServiceDir /var/tor/hidden-gemini/
# HiddenServicePort 1965 localhost:11966
# relay for the Tor hidden service (onion)
relay "geminitor" {
listen on localhost port 11966 tls
protocol "gemini"
forward to localhost port 11965
}
http protocol "https" {
include "/etc/relayd.proxy.conf"
tls keypair athome.tld
}
http protocol "http" {
include "/etc/relayd.proxy.conf"
}
relay "www" {
listen on $ext_ip4 port 80
protocol "http"
forward to localhost port 8080
}
relay "www6" {
listen on $ext_ip6 port 80
protocol "http"
forward to localhost port 8080
}
relay "wwwtls" {
listen on $ext_ip4 port 443 tls
protocol "https"
forward to localhost port 8080
}
relay "wwwtls6" {
listen on $ext_ip6 port 443 tls
protocol "https"
forward to localhost port 8080
}
/etc/relayd.proxy.conf :
return error
# custom style for relayd's own error pages
return error style "body { background: silver; color: black; text-align:center } hr {border:0;
background-color:silver; color:silver; height:1px; width:30%; margin-top:50px;}"
# 'set' overwrites any X-Forwarded-* header a client sent, so the backend only sees the real peer address
match request header set "X-Forwarded-For" \
value "$REMOTE_ADDR"
match request header set "X-Forwarded-By" \
value "$SERVER_ADDR:$SERVER_PORT"
match header set "Keep-Alive" value "$TIMEOUT"
# wordpress probes are answered here and never reach the backend
block quick path "/wp-*" label '<em>Stop scanning for wordpress</em>.'
# drop a client-supplied Proxy header so it cannot reach a CGI/PHP backend as HTTP_PROXY (httpoxy)
match request header remove "Proxy"
# security response headers; 'set' replaces whatever the backend sent
# NOTE(review): "Frame-Options" is not a standard header and does nothing; X-Frame-Options below is the one browsers honor
match response header set "Frame-Options" value "SAMEORIGIN"
# legacy header, ignored by current browsers; harmless
match response header set "X-Xss-Protection" value "1; mode=block"
match response header set "X-Frame-Options" value "SAMEORIGIN"
match response header set "X-Robots-Tag" value "index,nofollow"
match response header set "X-Permitted-Cross-Domain-Policies" value "none"
match response header set "X-Download-Options" value "noopen"
match response header set "X-Content-Type-Options" value "nosniff"
match response header set "Referrer-Policy" value "no-referrer"
match response header set "Permissions-Policy" value "interest-cohort=()"
# one-year HSTS for all subdomains. NOTE(review): this replaces any HSTS header the backend sent,
# so an httpd `hsts preload` directive behind this relay would lose its preload token
match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains"
# same-origin only: inline scripts and styles are blocked unless the pages are adapted
match response header set "Content-Security-Policy" value "default-src 'self';"
match response header set "X-Powered-By" value "Powered by OpenBSD"
# static assets and directory indexes may be cached by clients for one day
match request path "/*.css" tag "CACHE"
match request path "/*.js" tag "CACHE"
match request path "/*.atom" tag "CACHE"
match request path "/*.rss" tag "CACHE"
match request path "/*.xml" tag "CACHE"
match request path "/*.jpg" tag "CACHE"
match request path "/*.png" tag "CACHE"
match request path "/*.svg" tag "CACHE"
match request path "/*.gif" tag "CACHE"
match request path "/*.ico" tag "CACHE"
match request path "/*.html" tag "CACHE"
match request path "/*.gmi" tag "CACHE"
match request path "*/" tag "CACHE"
match response tagged "CACHE" header set "Cache-Control" value \
"public, max-age=86400"
# force a UTF-8 content type on html and text-like responses
match request path "/*.html" tag "HTML"
match response tagged "HTML" header set "Content-Type" value "text/html; charset=utf-8"
match request path "/*.txt" tag "TXT"
match request path "/*.md" tag "TXT"
match request path "/*.gmi" tag "TXT"
match response tagged "TXT" header set "Content-Type" value "text/plain; charset=utf-8"
pass
/etc/mail/smtpd.conf #
Example for multiple domains
Example 1 (rspamd) #
# install :
# opensmtpd-filter-rspamd
# opensmtpd-filter-senderscore
table aliases "/etc/mail/aliases"
table domains "/etc/mail/domains"
table passwd "/etc/mail/passwd"
table virtuals "/etc/mail/virtuals"
pki athome.tld key "/etc/ssl/private/athome.tld.key"
pki athome.tld cert "/etc/ssl/athome.tld.crt"
pki domaine2.net key "/etc/ssl/private/domaine2.net.key"
pki domaine2.net cert "/etc/ssl/domaine2.net.crt"
pki autredomaine.xyz key "/etc/ssl/private/autredomaine.xyz.key"
pki autredomaine.xyz cert "/etc/ssl/autredomaine.xyz.crt"
# default certificate
pki "*" key "/etc/ssl/private/athome.tld.key"
pki "*" cert "/etc/ssl/athome.tld.crt"
filter senderscore \
proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"
filter rspamd proc-exec "filter-rspamd"
listen on all tls pki athome.tld \
filter { senderscore, rspamd }
listen on all port submission tls-require pki athome.tld auth <passwd> \
filter rspamd
action "relay" relay
action relaybackup relay backup tls helo "athome.tld"
action "local_mail" maildir alias <aliases>
action virtual_maildir maildir "/home/_vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <virtuals>
match from any for domain <domains> action virtual_maildir
match from any for local action local_mail
match from any for domain friend.eu action relaybackup
match auth from any for any action "relay"
match for any action "relay"
Example 2 (spamassassin + dkimproxy) #
Only one certificate, matching all domains, is used here.
We also set some queue options, just because.
table aliases "/etc/mail/aliases"
table passwd "/etc/mail/passwd"
table virtuals "/etc/mail/virtuals"
table domains "/etc/mail/domains"
pki athome.tld key "/etc/ssl/private/athome.tld.key"
pki athome.tld cert "/etc/ssl/athome.tld.crt"
queue compression # less disk space
# the key below is an example value: generate your own (see smtpd.conf(5)) and keep it out of public copies of this file
queue encryption 7dbecabecabeca45bce4aebc # encrypt all o/
filter senderscore \
proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"
# local listeners where dkimproxy and spamassassin presumably re-inject mail; the tag selects the match rules below
listen on lo0 port 10028 tag DKIM
listen on lo0 port 10026 tag SPAMASSASSIN
listen on all tls pki athome.tld filter { senderscore }
listen on all port submission tls-require pki athome.tld auth <passwd>
action "envoi" relay
# hand mail to the dkimproxy / spamassassin daemons on localhost
action dkimproxy relay host smtp://127.0.0.1:10027
action spamassassin relay host smtp://127.0.0.1:10025
action local_mail maildir alias <aliases>
action relaybackup relay backup mx "athome.tld" helo "athome.tld"
action virtual_maildir maildir "/var/vmail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" junk virtual <virtuals>
match for local action local_mail
# incoming mail for our domains goes through spamassassin first, then (tagged) into the maildir
match tag SPAMASSASSIN from any for domain <domains> action virtual_maildir
match from any for domain <domains> action spamassassin
# outgoing mail goes through dkimproxy first, then (tagged) out to the relay
match tag DKIM for any action "envoi"
match auth tag DKIM from any for any action "envoi"
match from any for domain copain.eu action relaybackup
match auth from any for any action dkimproxy
match for any action dkimproxy
Example 3 (spamassassin + senderscore + opensmtpd-filters) #
table aliases "/etc/mail/aliases"
pki athome.tld.pki key "/etc/ssl/private/athome.tld.key"
pki athome.tld.pki cert "/etc/ssl/athome.tld.crt"
filter senderscore \
proc-exec "filter-senderscore -junkBelow 70 -slowFactor 2000"
filter "spamassassin" proc-exec "filter-spamassassin"
filter "dkimsign" proc-exec "filter-dkimsign \
-d athome.tld \
-s pubkey \
-k /etc/dkim/private.key" \
user _dkimsign group _dkimsign
listen on all tls pki athome.tld.pki filter { spamassassin senderscore }
listen on all port submission tls-require pki athome.tld.pki auth \
filter dkimsign
action relayout relay
action relaybackup relay backup
action distribute maildir junk alias <aliases>
match for local action distribute
match from any for domain athome.tld action distribute
# backup for friends
match from any for domain friend.tld action relaybackup
match auth from any for any action relayout
match for any action relayout
/etc/mail/domains #
All MX records
athome.tld domaine2.net other.xyz
/etc/mail/spamd.conf #
all:\
:nixspam:bgp-spamd:bsdlyblack:whitelist:
# Nixspam recent sources list.
# Mirrored from http://www.heise.de/ix/nixspam
nixspam:\
:black:\
:msg="Your address %A is in the nixspam list\n\
See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
:method=http:\
:file=www.openbsd.org/spamd/nixspam.gz
bsdlyblack:\
:black:\
:msg="Your address %A is in the bsdly.net list":\
:method=http:\
:file=www.bsdly.net/~peter/bsdly.net.traplist
bgp-spamd:\
:black:\
:msg="Your address %A has sent mail to a spamtrap\n\
within the last 24 hours":\
:method=file:\
:file=/var/spamd.black
whitelist:\
:white:\
:method=file:\
:file=/etc/mail/whitelist.txt
/etc/webalizer.conf #
LogFile /var/www/logs/si3t.ch.log
OutputDir /var/www/htdocs/si3t.ch/stats/
HistoryName webalizer.hist
Incremental yes
ReportTitle Statistiques pour
HostName si3t.ch
HTMLExtension html
PageType htm*
PageType txt
PageType php
UseHTTPS yes
HTMLPre <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
HTMLHead <meta name="viewport" content="width=device-width, initial-scale=1">
HTMLHead <style type="text/css">
HTMLHead body { font:1.1rem/1.4 system-ui, sans-serif; padding:1rem; }
HTMLHead table { border: 1px solid; padding:1ex; background-color: #eceff4; }
HTMLHead th, td { border: 0; }
HTMLHead tr:nth-child(even) { background:#e5e9f0; }
HTMLHead tr:hover { background: #88c0d0; }
HTMLHead a { color:#3b4252; text-underline-offset:.25em; }
HTMLHead a:hover { text-decoration:none; }
HTMLHead p { overflow-x:auto; }
HTMLHead </style>
HTMLBody <BODY>
ResponseGraph yes
CountryGraph no
GraphLegend yes
GraphLines 0
IndexMonths 12
YearTotals yes
GraphMonths 12
TopReferrers 100
TopCountries 0
TopUsers 0
HideSite si3t.ch
HideReferrer https://si3t.ch
HideReferrer http://si3t.ch
HideReferrer si3t.ch
HideReferrer https://si3tch.eu
HideReferrer http://si3tch.eu
HideReferrer si3tch.eu
HideReferrer localhost
HideReferrer 6gvb6fzoxv72mtlpvr2fgj7ytpeggwuerdawspt24njlkwfxir6jncid.onion/
HideReferrer http://6gvb6fzoxv72mtlpvr2fgj7ytpeggwuerdawspt24njlkwfxir6jncid.onion
HideURL *.gif
HideURL *.woff2
HideURL *.GIF
HideURL *.jpg
HideURL *.JPG
HideURL *.png
HideURL *.PNG
HideURL /sitemap.*
HideURL /favicon.*
HideURL /s.css
HideURL /robots.txt
GroupReferrer yahoo.com/ Yahoo!
GroupReferrer excite.com/ Excite
GroupReferrer infoseek.com/ InfoSeek
GroupReferrer webcrawler.com/ WebCrawler
GroupReferrer google. Google Intl
HideReferrer google.
TableBorder 1
ChartBorder 0
ColorBackground eceff4
ColorText 2e3440
ColorLink 3b4252
ColorVLink b48ead
ColorALink 5e81ac
ColorGrp 434c5e
ColorHeadline d8dee9
ColorCounter 4c566a
ColorHit 8fbcbb
ColorFile 5e81ac
ColorSite bf616a
ColorKbyte d08770
ColorPage ebcb8b
ColorVisit a3be8c
ColorMisc b48ead
ChartBackgroundColor e5e9f0
ChartLegendColor 2e3440
ChartShadowColor1 2e3440
ChartShadowColor2 2e3440
PieColor1 d08770
PieColor2 a3be8c
PieColor3 ebcb8b
PieColor4 81a1c1