lab/docker-deploy
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: lab:master
Branches Tags
lab:master
..
compare: lab:1d2d569b6dd50e345670f2c95343eb1f5f67968f
Branches Tags
lab:master

No commits in common. "master" and "1d2d569b6dd50e345670f2c95343eb1f5f67968f" have entirely different histories.
master ... 1d2d569b6d

107 changed files with 26 additions and 4349 deletions
Show Stats Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1 +0,0 @@
.env

15
database/docker-compose.yml
View File

@ -1,15 +0,0 @@
version: "3.9"
services:
postgresql:
image: postgres:alpine
container_name: "postgresql"
environment:
- "POSTGRES_PASSWORD=${POSTGRES_PASSWORD}"
volumes:
- ./data:/var/lib/postgresql/data
networks:
- database
networks:
database:
external: true

84
db/postgresql/docker-compose.yml
View File

@ -1,84 +0,0 @@
version: "3.9"
services:
reverse-proxy:
image: traefik:v2.5
restart: always
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik-dashboard.entrypoints=web"
- "traefik.http.routers.traefik-dashboard.service=api@internal"
- "traefik.http.routers.traefik-dashboard.rule=Host(`localhost`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.middlewares.traefik-dashboard.compress=true"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
ports:
- "80:80"
- "8082:8082"
- "5432:5432"
networks:
- traefik
command:
- "--global.sendanonymoususage=false"
- "--global.checknewversion=false"
# EntryPoints
- "--entrypoints.web.address=:80"
- "--entrypoints.db-pg.address=:5432"
- "--entryPoints.metrics.address=:8082"
# Enable dashboard
- "--api.dashboard=true"
- "--api.insecure=true"
- "--ping"
# Provider
- "--providers.docker.network=${TRAEFIK_NETWORK}"
- "--providers.docker.watch=true"
- "--providers.docker.exposedByDefault=false"
# Metrics
- "--metrics.prometheus.entryPoint=metrics"
- "--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000"
- "--metrics.prometheus.addrouterslabels=true"
- "--metrics.prometheus.addServicesLabels=true"
# Tracing
- "--tracing=true"
- "--tracing.serviceName=traefik"
- "--tracing.spanNameLimit=150"
# Logging
- "--log.filePath=/var/log/traefik.log"
- "--log.format=json"
- "--log.level=INFO"
- "--accessLog.filepath=/var/log/access.log"
- "--accessLog.format=json"
- "--accessLog.bufferingsize=100"
postgres:
image: postgres:14.1-alpine
restart: always
environment:
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
labels:
- "traefik.enable=true"
- "traefik.tcp.routers.postgres.entrypoints=db-pg"
- "traefik.tcp.routers.postgres.rule=HostSNI(`*`)"
- "traefik.tcp.services.postgres.loadbalancer.server.port=5432"
networks:
- traefik
pgweb:
image: sosedoff/pgweb
environment:
- "TZ=Asia/Shanghai"
- "SESSIONS=1"
labels:
- "traefik.enable=true"
- "traefik.http.routers.pgweb.rule=Host(`pgweb.localhost`)"
- "traefik.http.routers.pgweb.entrypoints=web"
- "traefik.http.routers.pgweb.middlewares=pgweb"
- "traefik.http.middlewares.pgweb.compress=true"
- "traefik.http.middlewares.pgweb.compress.excludedcontenttypes=text/event-stream"
- "traefik.http.services.pgweb.loadbalancer.server.port=8081"
networks:
- traefik
networks:
traefik:
name: ${TRAEFIK_NETWORK}
external: true

41
drone/Dockerfile
View File

@ -1,41 +0,0 @@
FROM golang:alpine AS Builder
WORKDIR /src
ENV DRONE_VERSION "v2.5.0"
ENV CGO_CFLAGS="-g -O2 -Wno-return-local-addr"
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories && \
echo "Asia/Shanghai" > /etc/timezone && \
apk add build-base git ca-certificates && \
git clone https://github.com/harness/drone.git drone-${DRONE_VERSION}
WORKDIR /src/drone-${DRONE_VERSION}
RUN go env -w GOPROXY="https://goproxy.cn,direct" && \
go mod download && \
go build -ldflags "-extldflags \"-static\"" -tags="nolimit" github.com/drone/drone/cmd/drone-server
FROM alpine
EXPOSE 80 443
VOLUME /data
RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
ENV GODEBUG netdns=go
ENV XDG_CACHE_HOME /data
ENV DRONE_DATABASE_DRIVER sqlite3
ENV DRONE_DATABASE_DATASOURCE /data/database.sqlite
ENV DRONE_RUNNER_OS=linux
ENV DRONE_RUNNER_ARCH=amd64
ENV DRONE_SERVER_PORT=:80
ENV DRONE_SERVER_HOST=localhost
ENV DRONE_DATADOG_ENABLED=true
ENV DRONE_DATADOG_ENDPOINT=https://stats.drone.ci/api/v1/series
COPY --from=Builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=Builder /src/drone-v2.5.0/drone-server /bin/drone-server
ENTRYPOINT ["/bin/drone-server"]

64
drone/docker-compose.yml
View File

@ -1,64 +0,0 @@
version: "3.9"
services:
drone-server:
image: esinio/drone:v2.5.0
env_file:
- ./.env
environment:
- "TZ=Asia/Shanghai"
- "DRONE_GITEA_CLIENT_ID=${DRONE_GITEA_CLIENT_ID}"
- "DRONE_GITEA_CLIENT_SECRET=${DRONE_GITEA_CLIENT_SECRET}"
- "DRONE_GITEA_SERVER=${DRONE_GITEA_SERVER}"
- "DRONE_RPC_SECRET=${DRONE_RPC_SECRET}"
- "DRONE_SERVER_HOST=${DRONE_SERVER_HOST}"
- "DRONE_SERVER_PROTO=${DRONE_SERVER_PROTO}"
- "DRONE_DATABASE_DRIVER=${DRONE_DATABASE_DRIVER}"
- "DRONE_DATABASE_DATASOURCE=${DRONE_DATABASE_DATASOURCE}"
- "DRONE_DATABASE_SECRET=${DRONE_DATABASE_SECRET}"
- "DRONE_USER_CREATE=${DRONE_USER_CREATE}"
- "DRONE_USER_FILTER=${DRONE_USER_FILTER}"
- "DRONE_LOGS_DEBUG=${DRONE_LOGS_DEBUG}"
volumes:
- "./data:/data"
labels:
- "traefik.enable=true"
- "traefik.http.routers.dronesrv.rule=Host(`${DRONE_SERVER_HOST}`)"
- "traefik.http.routers.dronesrv.entrypoints=websecure"
- "traefik.http.routers.dronesrv.tls=true"
- "traefik.http.routers.dronesrv.middlewares=dronesrv-mw"
- "traefik.http.middlewares.dronesrv-mw.compress=true"
- "traefik.http.middlewares.dronesrv-mw.compress.excludedcontenttypes=text/event-stream"
- "traefik.http.services.dronesrv.loadbalancer.server.port=80"
external_links:
- postgresql
networks:
- traefik
- database
drone-runner-docker:
image: drone/drone-runner-docker:1
environment:
- "DRONE_RPC_HOST=${DRONE_SERVER_HOST}"
- "DRONE_RPC_PROTO=${DRONE_SERVER_PROTO}"
- "DRONE_RPC_SECRET=${DRONE_RPC_SECRET}"
- "DRONE_RUNNER_CAPACITY=${DRONE_RUNNER_CAPACITY}"
- "DRONE_RUNNER_NAME=${DRONE_RUNNER_DOCKER_NAME}"
- "DRONE_UI_USERNAME=${DRONE_UI_USERNAME}"
- "DRONE_UI_PASSWORD=${DRONE_UI_PASSWORD}"
- "DRONE_DEBUG=true"
- "DRONE_TRACE=true"
- "DRONE_RPC_DUMP_HTTP=true"
- "DRONE_RPC_DUMP_HTTP_BODY=true"
labels:
- "traefik.enable=true"
- "traefik.http.routers.drone-runner-docker.rule=Host(`${DRONE_RUNNER_DOCKER_HOST}`)"
- "traefik.http.routers.drone-runner-docker.entrypoints=websecure"
- "traefik.http.routers.drone-runner-docker.tls=true"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
networks:
- traefik
networks:
traefik:
external: true
database:
external: true

36
gitea/docker-compose.yml
View File

@ -1,36 +0,0 @@
version: "3.9"
services:
gitea:
image: gitea/gitea
container_name: "git.esin.io"
environment:
- "TZ=Asia/Shanghai"
labels:
- "traefik.enable=true"
- "traefik.http.routers.gitea.rule=Host(`git.esin.io`)"
- "traefik.http.routers.gitea.entrypoints=websecure"
- "traefik.http.routers.gitea.tls=true"
- "traefik.http.routers.gitea.tls.certresolver=letsencrypt"
- "traefik.http.routers.gitea.tls.domains[0].main=esin.io"
- "traefik.http.routers.gitea.tls.domains[0].sans=*.esin.io"
- "traefik.http.routers.gitea.middlewares=gitea-mw"
- "traefik.http.middlewares.gitea-mw.compress=true"
- "traefik.http.middlewares.gitea-mw.compress.excludedcontenttypes=text/event-stream"
- "traefik.http.services.gitea.loadbalancer.server.port=3000"
volumes:
- ./gitea:/data
ports:
- "2222:22"
external_links:
- postgresql
networks:
traefik:
priority: 1000
database:
priority: 100
networks:
traefik:
external: true
database:
external: true

32
l2tp/README.md
View File

@ -1,32 +0,0 @@
# l2tp server
# ENV
```shell
cat > ./l2tp.env <<EOF
VPN_IPSEC_PSK=PSK
VPN_USER=USER
VPN_PASSWORD=PASSWORD
VPN_PUBLIC_IP=
VPN_L2TP_NET=
VPN_L2TP_LOCAL=
VPN_L2TP_REMOTE=
VPN_XAUTH_NET=
VPN_XAUTH_REMOTE=
VPN_DNS1=
VPN_DNS2=
VPN_SHA2_TRUNCBUG=
EOF
```
# Docker run
```shell
docker run -d --privileged \
-p 500:500/udp \
-p 4500:4500/udp \
--name l2tp \
--restart=always \
--env-file ${PWD}/l2tp.env \
-v /lib/modules:/lib/modules \
teddysun/l2tp
```

25
l2tp/docker-compose.yml
View File

@ -1,25 +0,0 @@
version: "3"
services:
l2tp:
image: teddysun/l2tp
restart: always
ports:
- "500:500/udp"
- "4500:4500/udp"
privileged: true
volumes:
- "/lib/modules:/lib/modules"
environment:
- "VPN_IPSEC_PSK=${L2TP_PSK}"
- "VPN_USER=${L2TP_USER}
- "VPN_PASSWORD=${L2TP_PASSWORD}"
- "VPN_PUBLIC_IP="
- "VPN_L2TP_NET="
- "VPN_L2TP_LOCAL="
- "VPN_L2TP_REMOTE="
- "VPN_XAUTH_NET="
- "VPN_XAUTH_REMOTE="
- "VPN_DNS1="
- "VPN_DNS2="
- "VPN_SHA2_TRUNCBUG="

19
mail/Dockerfile
View File

@ -1,19 +0,0 @@
FROM alpine:3.15
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories \
&& apk add \
postfix postfix-pgsql \
dovecot-pgsql dovecot-lmtpd \
opendkim opendkim-utils \
&& rm -rf /var/cache/apk/*
#COPY ./conf/postfix /etc/postfix
#COPY ./conf/dovecot /etc/dovecot
#COPY ./conf/opendkim /etc/opendkim
#COPY ./conf/clamav /etc/clamav
COPY ./run.sh /
# pop3, dovecot-submission removed
EXPOSE 25 110 143 465 587 993 995
ENTRYPOINT ["/run.sh"]

794
mail/conf/clamav/clamd.conf
View File

@ -1,794 +0,0 @@
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##
# Comment or remove the line below.
# Example
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamd.log
# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
LogTime yes
# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes
# Use system logger (can work together with LogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# Enable Prelude output.
# Default: no
#PreludeEnable yes
#
# Set the name of the analyzer used by prelude-admin.
# Default: ClamAV
#PreludeAnalyzerName ClamAV
# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
#ExtendedDetectionInfo yes
# This option allows you to save a process identifier of the listening
# daemon (main thread).
# This file will be owned by root, as long as clamd was started by root.
# It is recommended that the directory where this file is stored is
# also owned by root to keep other users from tampering with it.
# Default: disabled
PidFile /run/clamd.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp
# Path to the database directory.
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no
# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /run/clamd.sock
# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup
# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660
# Remove stale socket after unclean shutdown.
# Default: yes
#FixStaleSocket yes
# TCP port address.
# Default: no
#TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
#TCPAddr localhost
# Maximum length the queue of pending connections may grow to.
# Default: 200
#MaxConnectionQueueLength 30
# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.
# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M
# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
# Maximum number of threads running at the same time.
# Default: 10
#MaxThreads 20
# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
#ReadTimeout 300
# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 30
#CommandReadTimeout 30
# This option specifies how long to wait (in milliseconds) if the send buffer
# is full.
# Keep this value low to prevent clamd hanging.
#
# Default: 500
#SendBufTimeout 200
# Maximum number of queued items (including those being processed by
# MaxThreads threads).
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file
# descriptors, the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
# max is 1024).
#
# Default: 100
#MaxQueue 200
# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60
# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/
# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20
# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes
# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes
# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes
# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600
# Enable non-blocking (multi-threaded/concurrent) database reloads.
# This feature will temporarily load a second scanning engine while scanning
# continues using the first engine. Once loaded, the new engine takes over.
# The old engine is removed as soon as all scans using the old engine have
# completed.
# This feature requires more RAM, so this option is provided in case users are
# willing to block scans during reload in exchange for lower RAM requirements.
# Default: yes
#ConcurrentDatabaseReload no
# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name and %f will be replaced with the file name.
# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
# and $CLAM_VIRUSEVENT_VIRUSNAME.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamav
# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes
# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
# any ALLMATCHSCAN command as invalid.
# Default: yes
#AllowAllMatchScan no
# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes
# Exclude a specific PUA category. This directive can be used multiple times.
# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
# the complete list of PUA categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool
# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT
# This option causes memory or nested map scans to dump the content to disk.
# If you turn on this option, more data is written to disk and is available
# when the LeaveTemporaryFiles option is enabled.
#ForceToDisk yes
# This option allows you to disable the caching feature of the engine. By
# default, the engine will store an MD5 in a cache of any files that are
# not flagged as virus or that hit limits checks. Disabling the cache will
# have a negative performance impact on large scans.
# Default: no
#DisableCache yes
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
# may be malicious. This option enables alerting on such heuristically
# detected potential threats.
# Default: yes
#HeuristicAlerts yes
# Allow heuristic alerts to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only
# at the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes
##
## Heuristic Alerts
##
# With this option clamav will try to detect broken executables (both PE and
# ELF) and alert on them with the Broken.Executable heuristic signature.
# Default: no
#AlertBrokenExecutables yes
# With this option clamav will try to detect broken media file (JPEG,
# TIFF, PNG, GIF) and alert on them with a Broken.Media heuristic signature.
# Default: no
#AlertBrokenMedia yes
# Alert on encrypted archives _and_ documents with heuristic signature
# (encrypted .zip, .7zip, .rar, .pdf).
# Default: no
#AlertEncrypted yes
# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,
# .rar).
# Default: no
#AlertEncryptedArchive yes
# Alert on encrypted archives with heuristic signature (encrypted .pdf).
# Default: no
#AlertEncryptedDoc yes
# With this option enabled OLE2 files containing VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#AlertOLE2Macros yes
# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
# Default: no
#AlertPhishingSSLMismatch yes
# Alert on cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
# Default: no
#AlertPhishingCloak yes
# Alert on raw DMG image files containing partition intersections
# Default: no
#AlertPartitionIntersection yes
##
## Executable files
##
# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option
# allows ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
#ScanPE yes
# Certain PE files contain an authenticode signature. By default, we check
# the signature chain in the PE file against a database of trusted and
# revoked certificates if the file being scanned is marked as a virus.
# If any certificate in the chain validates against any trusted root, but
# does not match any revoked certificate, the file is marked as trusted.
# If the file does match a revoked certificate, the file is marked as virus.
# The following setting completely turns off authenticode verification.
# Default: no
#DisableCertCheck yes
# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanELF yes
##
## Documents
##
# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanOLE2 yes
# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanPDF yes
# This option enables scanning within SWF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanSWF yes
# This option enables scanning xml-based document files supported by libclamav.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanXMLDOCS yes
# This option enables scanning of HWP3 files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanHWP3 yes
##
## Mail files
##
# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
#ScanMail yes
# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial
# directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes
# With this option enabled ClamAV will try to detect phishing attempts by using
# HTML.Phishing and Email.Phishing NDB signatures.
# Default: yes
#PhishingSignatures no
# With this option enabled ClamAV will try to detect phishing attempts by
# analyzing URLs found in emails using WDB and PDB signature databases.
# Default: yes
#PhishingScanURLs no
##
## Data Loss Prevention (DLP)
##
# Enable the DLP module
# Default: No
#StructuredDataDetection yes
# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5
# With this option enabled the DLP module will search for valid Credit Card
# numbers only. Debit and Private Label cards will not be searched.
# Default: no
#StructuredCCOnly yes
# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes
##
## HTML
##
# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
#ScanHTML yes
##
## Archives
##
# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
#ScanArchive yes
##
## Limits
##
# The options below protect your system against Denial of Service attacks
# using archive bombs.
# This option sets the maximum amount of time to a scan may take.
# In this version, this field only affects the scan time of ZIP archives.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result allow scanning
# of certain files to lock up the scanning process/threads resulting in a
# Denial of Service.
# Time is in milliseconds.
# Default: 120000
#MaxScanTime 300000
# This option sets the maximum amount of data to be scanned for each input
# file. Archives and other containers are recursively extracted and scanned
# up to this value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M
# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Technical design limitations prevent ClamAV from scanning files greater than
# 2 GB at this time.
# Default: 25M
#MaxFileSize 30M
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 17
#MaxRecursion 10
# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000
# Maximum size of a file to check for embedded PE. Files larger than this value
# will skip the additional analysis step.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxEmbeddedPE 10M
# Maximum size of a HTML file to normalize. HTML files larger than this value
# will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxHTMLNormalize 10M
# Maximum size of a normalized HTML file to scan. HTML files larger than this
# value after normalization will not be scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 2M
#MaxHTMLNoTags 2M
# Maximum size of a script file to normalize. Script content larger than this
# value will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 5M
#MaxScriptNormalize 5M
# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
# than this value will skip the step to potentially reanalyze as PE.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 1M
#MaxZipTypeRcg 1M
# This option sets the maximum number of partitions of a raw disk image to be
# scanned.
# Raw disk images with more partitions than this value will have up to
# the value number partitions scanned. Negative values are not allowed.
# Note: setting this limit too high may result in severe damage or impact
# performance.
# Default: 50
#MaxPartitions 128
# This option sets the maximum number of icons within a PE to be scanned.
# PE files with more icons than this value will have up to the value number
# icons scanned.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 100
#MaxIconsPE 200
# This option sets the maximum recursive calls for HWP3 parsing during
# scanning. HWP3 files using more than this limit will be terminated and
# alert the user.
# Scans will be unable to scan any HWP3 attachments if the recursive limit
# is reached.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 16
#MaxRecHWP3 16
# This option sets the maximum calls to the PCRE match function during
# an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit, see the PCRE documentation.
# Negative values are not allowed.
# WARNING: setting this limit too high may severely impact performance.
# Default: 100000
#PCREMatchLimit 20000
# This option sets the maximum recursive calls to the PCRE match function
# during an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit_recursion, see the PCRE documentation.
# Negative values are not allowed and values > PCREMatchLimit are superfluous.
# WARNING: setting this limit too high may severely impact performance.
# Default: 2000
#PCRERecMatchLimit 10000
# This option sets the maximum filesize for which PCRE subsigs will be
# executed. Files exceeding this limit will not have PCRE subsigs executed
# unless a subsig is encompassed to a smaller buffer.
# Negative values are not allowed.
# Setting this value to zero disables the limit.
# WARNING: setting this limit too high or disabling it may severely impact
# performance.
# Default: 25M
#PCREMaxFileSize 100M
# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
# MaxRecursion limit will be flagged with the virus name starting with
# "Heuristics.Limits.Exceeded".
# Default: no
#AlertExceedsMax yes
##
## On-access Scan Settings
##
# Don't scan files larger than OnAccessMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#OnAccessMaxFileSize 10M
# Max number of scanning threads to allocate to the OnAccess thread pool at
# startup. These threads are the ones responsible for creating a connection
# with the daemon and kicking off scanning after an event has been processed.
# To prevent clamonacc from consuming all clamd's resources keep this lower
# than clamd's max threads.
# Default: 5
#OnAccessMaxThreads 10
# Max amount of time (in milliseconds) that the OnAccess client should spend
# for every connect, send, and recieve attempt when communicating with clamd
# via curl.
# Default: 5000 (5 seconds)
# OnAccessCurlTimeout 10000
# Toggles dynamic directory determination. Allows for recursively watching
# include paths.
# Default: no
#OnAccessDisableDDD yes
# Set the include paths (all files inside them will be scanned). You can have
# multiple OnAccessIncludePath directives but each directory must be added
# in a separate line.
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students
# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
#OnAccessExcludePath /home/user
# Modifies fanotify blocking behaviour when handling permission events.
# If off, fanotify will only notify if the file scanned is a virus,
# and not perform any blocking.
# Default: no
#OnAccessPrevention yes
# When using prevention, if this option is turned on, any errors that occur
# during scanning will result in the event attempt being denied. This could
# potentially lead to unwanted system behaviour with certain configurations,
# so the client defaults this to off and prefers allowing access events in
# case of scan or connection error.
# Default: no
#OnAccessDenyOnError yes
# Toggles extra scanning and notifications when a file or directory is
# created or moved.
# Requires the DDD system to kick-off extra scans.
# Default: no
#OnAccessExtraScanning yes
# Set the mount point to be scanned. The mount point specified, or the mount
# point containing the specified directory will be watched. If any directories
# are specified, this option will preempt (disable and ignore all options
# related to) the DDD system. This option will result in verdicts only.
# Note that prevention is explicitly disallowed to prevent common, fatal
# misconfigurations. (e.g. watching "/" with prevention on and no exclusions
# made on vital system directories)
# It can be used multiple times.
# Default: disabled
#OnAccessMountPath /
#OnAccessMountPath /home/user
# With this option you can exclude the root UID (0). Processes run under
# root with be able to access all files without triggering scans or
# permission denied events.
# Note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
# root user from triggering a scan (unless OnAccessPrevention is enabled).
# Default: no
#OnAccessExcludeRootUID no
# With this option you can exclude specific UIDs. Processes with these UIDs
# will be able to access all files without triggering scans or permission
# denied events.
# This option can be used multiple times (one per line).
# Using a value of 0 on any line will disable this option entirely.
# To exclude the root UID (0) please enable the OnAccessExcludeRootUID
# option.
# Also note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
# Default: disabled
#OnAccessExcludeUID -1
# This option allows exclusions via user names when using the on-access
# scanning client. It can be used multiple times.
# It has the same potential race condition limitations of the
# OnAccessExcludeUID option.
# Default: disabled
#OnAccessExcludeUname clamav
# Number of times the OnAccess client will retry a failed scan due to
# connection problems (or other issues).
# Default: 0
#OnAccessRetryAttempts 3
##
## Bytecode
##
# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss
# detections for many new viruses.
# Default: yes
#Bytecode yes
# Set bytecode security level.
# Possible values:
# None - No security at all, meant for debugging.
# DO NOT USE THIS ON PRODUCTION SYSTEMS.
# This value is only available if clamav was built
# with --enable-debug!
# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
# runtime safety checks for bytecode loaded from other sources.
# Paranoid - Don't trust any bytecode, insert runtime checks for all.
# Recommended: TrustSigned, because bytecode in .cvd files already has these
# checks.
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
#BytecodeSecurity TrustSigned
# Allow loading bytecode from outside digitally signed .c[lv]d files.
# **Caution**: You should NEVER run bytecode signatures from untrusted sources.
# Doing so may result in arbitrary code execution.
# Default: no
#BytecodeUnsigned yes
# Set bytecode timeout in milliseconds.
#
# Default: 5000
# BytecodeTimeout 1000

204
mail/conf/clamav/freshclam.conf
View File

@ -1,204 +0,0 @@
##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##
# Comment or remove the line below.
# Example
# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
# Path to the log file (make sure it has proper permissions)
# Default: disabled
UpdateLogFile /var/log/clamav/freshclam.log
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
# log rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
#LogTime yes
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Use system logger (can work together with UpdateLogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# This option allows you to save the process identifier of the daemon
# This file will be owned by root, as long as freshclam was started by root.
# It is recommended that the directory where this file is stored is
# also owned by root to keep other users from tampering with it.
# Default: disabled
PidFile /run/clamav/freshclam.pid
# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
DatabaseOwner clamav
# Use DNS to verify virus database version. FreshClam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net
# database.clamav.net is now the primary domain name to be used world-wide.
# Now that CloudFlare is being used as our Content Delivery Network (CDN),
# this one domain name works world-wide to direct freshclam to the closest
# geographic endpoint.
# If the old db.XY.clamav.net domains are set, freshclam will automatically
# use database.clamav.net instead.
DatabaseMirror database.clamav.net
# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5
# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
ScriptedUpdates yes
# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no
# With this option you can provide custom sources for database files.
# This option can be used multiple times. Support for:
# http(s)://, ftp(s)://, or file://
# Default: no custom URLs
#DatabaseCustomURL http://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com:4567/allow_list.wdb
#DatabaseCustomURL ftp://myserver.example.com/example.ldb
#DatabaseCustomURL ftps://myserver.example.com:4567/example.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb
# This option allows you to easily point freshclam to private mirrors.
# If PrivateMirror is set, freshclam does not attempt to use DNS
# to determine whether its databases are out-of-date, instead it will
# use the If-Modified-Since request or directly check the headers of the
# remote database files. For each database, freshclam first attempts
# to download the CLD file. If that fails, it tries to download the
# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
# and ScriptedUpdates. It can be used multiple times to provide
# fall-back mirrors.
# Default: disabled
#PrivateMirror mirror1.example.com
#PrivateMirror mirror2.example.com
# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24
# Proxy settings
# The HTTPProxyServer may be prefixed with [scheme]:// to specify which kind
# of proxy is used.
# http:// HTTP Proxy. Default when no scheme or proxy type is specified.
# https:// HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS)
# socks4:// SOCKS4 Proxy.
# socks4a:// SOCKS4a Proxy. Proxy resolves URL hostname.
# socks5:// SOCKS5 Proxy.
# socks5h:// SOCKS5 Proxy. Proxy resolves URL hostname.
# Default: disabled
#HTTPProxyServer https://proxy.example.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# As of ClamAV 0.103.3, this setting may not be used when updating from the
# clamav.net CDN and can only be used when updating from a private mirror.
# Default: clamav/version_number (OS: ..., ARCH: ..., CPU: ..., UUID: ...)
#HTTPUserAgent SomeUserAgentIdString
# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd
# Send the RELOAD command to clamd.
# Default: no
NotifyClamd /etc/clamav/clamd.conf
# Run command after successful database update.
# Use EXIT_1 to return 1 after successful database update.
# Default: disabled
#OnUpdateExecute command
# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command
# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60
# Maximum time in seconds for each download operation. 0 means no timeout.
# Default: 0
#ReceiveTimeout 1800
# With this option enabled, freshclam will attempt to load new databases into
# memory to make sure they are properly handled by libclamav before replacing
# the old ones.
# Tip: This feature uses a lot of RAM. If your system has limited RAM and you
# are actively running ClamD or ClamScan during the update, then you may need
# to set `TestDatabases no`.
# Default: yes
#TestDatabases no
# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: yes
#Bytecode no
# Include an optional signature databases (opt-in).
# This option can be used multiple times.
#ExtraDatabase dbname1
#ExtraDatabase dbname2
# Exclude a standard signature database (opt-out).
# This option can be used multiple times.
#ExcludeDatabase dbname1
#ExcludeDatabase dbname2

24
mail/conf/dovecot/dovecot-sql-mysql.conf
View File

@ -1,24 +0,0 @@
driver = mysql
connect = host=dbserver dbname=postfix user=postfix password=password
default_pass_scheme = MD5-CRYPT
user_query = \
SELECT \
'/var/mail/domains/%u/' as home, \
'maildir:/var/mail/domains/%u/' as mail, \
8 AS uid, \
12 AS gid, \
concat('dirsize:storage=', quota) AS quota \
FROM mailbox \
WHERE username = '%u' AND active = '1'
password_query = \
SELECT \
username as user, \
password, \
'/var/mail/domains/%u/' as userdb_home, \
'maildir:/var/mail/domains/%u/' as userdb_mail, \
8 as userdb_uid, \
12 as userdb_gid \
FROM mailbox \
WHERE username = '%u' AND active = '1'

22
mail/conf/dovecot/dovecot-sql-pgsql.conf
View File

@ -1,22 +0,0 @@
driver = pgsql
connect = host=dbserver dbname=postfix user=postgres password=psqlpass
default_pass_scheme = MD5-CRYPT
user_query = \
SELECT \
'/var/mail/domains/%u/' as home, \
'maildir:/var/mail/domains/%u/' as mail, \
8 as uid, \
12 as gid\
FROM mailbox \
WHERE username = '%u' AND active = true
password_query = SELECT \
username AS user, \
password, \
8 as userdb_uid, \
12 as userdb_gid, \
'/var/mail/domains/' || maildir AS userdb_home, \
'/var/mail/domains/' || maildir AS userdb_mail \
FROM mailbox \
WHERE username = '%u' AND active = true

79
mail/conf/dovecot/dovecot.conf
View File

@ -1,79 +0,0 @@
# debug
auth_debug = yes
auth_debug_passwords= no
mail_debug = no
first_valid_uid = 8
#last_valid_uid = 8
postmaster_address = admin@example.com
protocols = "imap lmtp pop3"
auth_mechanisms = plain login
disable_plaintext_auth = no
#mail_location = maildir:/var/lib/vmail/%d/%n
mail_location = maildir:/var/mail/domains/%u/
mail_gid = mail
mail_uid = vmail
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql-pgsql.conf
}
userdb {
driver = sql
args = /etc/dovecot/dovecot-sql-pgsql.conf
}
service auth {
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
service imap {
executable = imap
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
}
#ssl_cert = </etc/ssl/dovecot/server.pem
#ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#ssl_dh_parameters_length = 2048
#ssl_key = </etc/ssl/dovecot/server.key
#ssl_prefer_server_ciphers = yes
#ssl_min_protocol = TLSv1.2
log_path = /var/log/dovecot.log

3
mail/conf/opendkim/KeyTable
View File

@ -1,3 +0,0 @@
default._domainkey.2a436487427d 2a436487427d:default:/etc/opendkim/keys/2a436487427d/default.private
default._domainkey.9509fbb20ce0 9509fbb20ce0:default:/etc/opendkim/keys/9509fbb20ce0/default.private
default._domainkey.9509fbb20ce0 9509fbb20ce0:default:/etc/opendkim/keys/9509fbb20ce0/default.private

3
mail/conf/opendkim/SigningTable
View File

@ -1,3 +0,0 @@
*@2a436487427d default._domainkey.2a436487427d
*@9509fbb20ce0 default._domainkey.9509fbb20ce0
*@esin.io default._domainkey.2a436487427d

4
mail/conf/opendkim/TrustedHosts
View File

@ -1,4 +0,0 @@
localhost
2a436487427d
9509fbb20ce0
9509fbb20ce0

15
mail/conf/opendkim/keys/2a436487427d/default.private
View File

@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDqnjC34hWdCIEG+Y8qD3yHLkwIziH+H0pNQwwEkKf4VpT3HTfJ
FxlPtKNpyFlAaclBd3BrtYkcvxr99qNjFdwNzPZJ5Fxo4Ug/9aP6e/t9DYlqBh/g
dqCxsnp9rInoTJBq7D1qiUljr9dmbURVwbggqkrP2l8UJyO1yw562ubAfwIDAQAB
AoGAESBbDhFC4qOsR4YQHVHkFTob8siZUqOWGO28AtlMaaRoW2GWoOc+wcK96wrk
+P6/4jeFzVcDG0YYAlHuu1ztIzD2lYslaDGM3mY3enx9ZOdWwZjuatlgDQmyRHji
VhW5n/Gs0ZWjFeVEIvu3w3RlrSoY9Yis/7sf15+Ujjd6HIECQQD9FvUDdaru1Czf
TtT8Q/k2cUZeNdNYjKWX9yHGexD0r6ZD3YE2yJuJ3jn5j1xk5jP3BjmtWNbj4cil
txRO8XYrAkEA7VDbNRPw8i654O84+pYMk7AP+vaxFqVBhZLeTG+lQMbHelBTW6vU
i1KhweatXgs0odEFZIp/nFLnLvbE8Iro/QJBALLL9B4Uk8STunur+oWZE8dlcPv/
dKaa/iWEnqTUrl7edEx/gNiOEmvsxfJLWE+j3dRG3ppbJ7zn9lM0KrG2ne8CQFhM
6pNwTQm/yxffywKqTBmzu+50VeYILT4HLMGiFQnqLJTdSHbmk5oXb+qW61D/uGCx
RmFnix3eVvjJhvO9q/0CQQCYbjMbyDYBFqgXkwC0iThFG50DUkrYvFYZSja5qdIX
u0vqdroQZUqxRoF2J1sPB78BTZFfLiePNTrl232A3T6q
-----END RSA PRIVATE KEY-----

2
mail/conf/opendkim/keys/2a436487427d/default.txt
View File

@ -1,2 +0,0 @@
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqnjC34hWdCIEG+Y8qD3yHLkwIziH+H0pNQwwEkKf4VpT3HTfJFxlPtKNpyFlAaclBd3BrtYkcvxr99qNjFdwNzPZJ5Fxo4Ug/9aP6e/t9DYlqBh/gdqCxsnp9rInoTJBq7D1qiUljr9dmbURVwbggqkrP2l8UJyO1yw562ubAfwIDAQAB" ) ; ----- DKIM key default for 2a436487427d

15
mail/conf/opendkim/keys/9509fbb20ce0/default.private
View File

@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQChHkpXhl+izKhPFIgniNaVPgrZtGqHmMY2iHHrhwMS8x6y6FRi
XQd+jWkMMDon9H+jNP2Yk8KjolfrX0KEg6l7FWeHGJKwqsltp7x1nx1Qf1paqN5O
6Z7QySjCsltjA+Gpepzm93nTPg0Iai1MFpOYbugTSjNrdMbANRzu3dRegwIDAQAB
AoGAZ+xBx3LE/R1E8r0rlVSOFHWQShw1GoFQWJxp3qGXOgHXK07wHwIic16DA3mY
CW2LZponeOLWCPYN/6PSI+dIyTVmDQcxHj++ZXsU/dCXX2NUydjaC1yyVo8xp/N7
s8Ap8abgQphrWZEppd3Of2MoMgG7NehgQyT+EkPj/x5evwECQQDLYPydO5JvQ9r5
ALJkHhHs4OCXSfGPPBqIXva2xhVaoOs1TjKy+oNpPZatRMAFI7mI/sNvB0O2cg0J
CG/WDGK3AkEAys4h8oiyMBu7B+lYzfUSCC2fxo7ptwhJuE78Zlc+9TvKYLeusSFo
RTDIUWyJcR/mZVjLFiUb4+tUZU7PPwZmlQJBAJkrAPU1oVIUq3xubuuBzgQ1VE/8
S2WRYXYk9u+t/PUVTi8GJp6ulnuS+8Cgj3EPd7LaE7uxn+huuqx74yY0i78CQDd1
u27Z1vC1BKabN3/LHw1BfMoN1vgIujA+2WMbRMpHeYaNdKZX3m3dc0phBgz7jkP0
zkTWDRR9DG1P6fjwRSkCQQDGMVIAEh0kftOxKU3n7qms0zbBDycWikLMQSLWZhYY
ZGblN7sKAkbIw6aHlDy4mMAS+zaiCVKQ2ReT0HqcHZVs
-----END RSA PRIVATE KEY-----

2
mail/conf/opendkim/keys/9509fbb20ce0/default.txt
View File

@ -1,2 +0,0 @@
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChHkpXhl+izKhPFIgniNaVPgrZtGqHmMY2iHHrhwMS8x6y6FRiXQd+jWkMMDon9H+jNP2Yk8KjolfrX0KEg6l7FWeHGJKwqsltp7x1nx1Qf1paqN5O6Z7QySjCsltjA+Gpepzm93nTPg0Iai1MFpOYbugTSjNrdMbANRzu3dRegwIDAQAB" ) ; ----- DKIM key default for 9509fbb20ce0

15
mail/conf/opendkim/opendkim.conf
View File

@ -1,15 +0,0 @@
UserID opendkim:opendkim
UMask 022
Mode sv
PidFile /var/run/opendkim.pid
Canonicalization relaxed/relaxed
TemporaryDirectory /var/tmp
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
MinimumKeyBits 1024
Socket inet:8891
LogWhy Yes
Syslog Yes
SyslogSuccess Yes

29
mail/conf/opendkim/opendkim.conf.apk-new
View File

@ -1,29 +0,0 @@
BaseDirectory /run/opendkim
#LogWhy yes
Syslog yes
SyslogSuccess yes
Canonicalization relaxed/simple
Domain example.com
Selector default
KeyFile /var/db/dkim/example.com.private
Socket inet:8891@localhost
#Socket local:opendkim.sock
ReportAddress postmaster@example.com
SendReports yes
## Hosts to sign email for - 127.0.0.1 is default
## See the OPERATION section of opendkim(8) for more information
#
# InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
## For secondary mailservers - indicates not to sign or verify messages
## from these hosts
#
# PeerList X.X.X.X
# PidFile /var/run/opendkim/opendkim.pid

29
mail/conf/opendkim/opendkim.conf.default
View File

@ -1,29 +0,0 @@
BaseDirectory /run/opendkim
#LogWhy yes
Syslog yes
SyslogSuccess yes
Canonicalization relaxed/simple
Domain example.com
Selector default
KeyFile /var/db/dkim/example.com.private
Socket inet:8891@localhost
#Socket local:opendkim.sock
ReportAddress postmaster@example.com
SendReports yes
## Hosts to sign email for - 127.0.0.1 is default
## See the OPERATION section of opendkim(8) for more information
#
# InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
## For secondary mailservers - indicates not to sign or verify messages
## from these hosts
#
# PeerList X.X.X.X
# PidFile /var/run/opendkim/opendkim.pid

173
mail/conf/postfix/main.cf
View File

@ -1,173 +0,0 @@
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 3.6
# TLS parameters
#smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
#smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem
#smtpd_use_tls=yes
#smtpd_tls_auth_only = yes
#smtp_tls_security_level = may
#smtpd_tls_security_level = may
#smtpd_sasl_security_options = noanonymous, noplaintext
#smtpd_sasl_tls_security_options = noanonymous
# Authentication
# SASL Auth for SMTP relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
# Restrictions
smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_non_fqdn_recipient
reject_unknown_recipient_domain
reject_unlisted_recipient
reject_unauth_destination
smtpd_sender_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_unknown_recipient_domain
smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
defer_unauth_destination
smtpd_data_restrictions =
reject_unauth_pipelining
permit
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = mail.esin.io
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
mydomain = esin.io
myorigin = $mydomain
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
#mynetworks = all
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
# Handing off local delivery to Dovecot's LMTP, and telling it where to store mail
#virtual_transport = virtual
virtual_transport = lmtp:unix:private/dovecot-lmtp
local_transport = virtual
# Virtual domains, users, and aliases
#virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
#virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
#virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,
# mysql:/etc/postfix/mysql-virtual-email2email.cf
virtual_mailbox_base = /var/mail/domains
#virtual_mailbox_domains = proxy:pgsql:/etc/postfix/pgsql_virtual_domains_maps.cf
#virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql_virtual_mailbox_maps.cf, proxy:pgsql:/etc/postfix/pgsql_virtual_mailbox_domainaliases_maps.cf
#virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql_virtual_alias_maps.cf, proxy:pgsql:/etc/postfix/pgsql_virtual_alias_domainaliases_maps.cf
relay_domains = $mydestination, proxy:pgsql:/etc/postfix/pgsql/relay_domains.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
local_recipient_maps = $virtual_mailbox_maps
#smtpd_sender_login_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_sender_maps.cf
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 8
virtual_uid_maps = static:8
virtual_gid_maps = static:12
# Even more Restrictions and MTA params
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
#smtpd_etrn_restrictions = reject
#smtpd_reject_unlisted_sender = yes
#smtpd_reject_unlisted_recipient = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
#smtpd_hard_error_limit = 1
smtpd_timeout = 30s
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtpd_recipient_limit = 40
minimal_backoff_time = 180s
maximal_backoff_time = 3h
# Reply Rejection Codes
invalid_hostname_reject_code = 550
non_fqdn_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
mynetworks_style = subnet
# ---------------------------------
# Header manipulation
# --------------------------------------
# Getting rid of unwanted headers. See: https://posluns.com/guides/header-removal/
#header_checks = regexp:/etc/postfix/header_checks
# getting rid of x-original-to
enable_original_recipient = no
# ---------------------------------
# DKIM
# --------------------------------------
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:8891
non_smtpd_milters = inet:8891
# ---------
# log
# --------
#maillog_file = /var/log/mail.log

149
mail/conf/postfix/master.cf
View File

@ -1,149 +0,0 @@
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
# Choose one: enable submission for loopback clients only, or for any client.
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_wrappermode=no
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
# -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
# Choose one: enable smtps for loopback clients only, or for any client.
#127.0.0.1:smtps inet n - n - - smtpd
#smtps inet n - n - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
#dovecot unix - n n - - pipe
# flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

5
mail/conf/postfix/mysql/relay_domains.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1' AND (transport LIKE 'smtp%%' OR transport LIKE 'relay%%')

5
mail/conf/postfix/mysql/transport_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT transport FROM domain WHERE domain='%s' AND active = '1' AND transport != 'virtual'

5
mail/conf/postfix/mysql/virtual_alias_domain_catchall_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active='1' AND alias_domain.active='1'

5
mail/conf/postfix/mysql/virtual_alias_domain_mailbox_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT maildir FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' and mailbox.username = CONCAT('%u', '@', alias_domain.target_domain) AND mailbox.active='1' AND alias_domain.active='1'

5
mail/conf/postfix/mysql/virtual_alias_domain_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active='1' AND alias_domain.active='1'

5
mail/conf/postfix/mysql/virtual_alias_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

10
mail/conf/postfix/mysql/virtual_domains_maps.cf
View File

@ -1,10 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'
#query = SELECT domain FROM domain WHERE domain='%s'
#optional query to use when relaying for backup MX
#query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'
#optional query to use for transport map support
#query = SELECT domain FROM domain WHERE domain='%s' AND active = '1' AND NOT (transport LIKE 'smtp%%' OR transport LIKE 'relay%%')

5
mail/conf/postfix/mysql/virtual_mailbox_limit_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'

5
mail/conf/postfix/mysql/virtual_mailbox_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

5
mail/conf/postfix/mysql/virtual_sender_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT username FROM mailbox WHERE username='%s' AND active = '1'

5
mail/conf/postfix/pgsql/relay_domains.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' AND active = true AND (transport LIKE 'smtp%%' OR transport LIKE 'relay%%')

5
mail/conf/postfix/pgsql/transport_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT transport FROM domain WHERE domain='%s' AND active = true AND transport != 'virtual'

5
mail/conf/postfix/pgsql/virtual_alias_domain_catchall_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active=true AND alias_domain.active=true

5
mail/conf/postfix/pgsql/virtual_alias_domain_mailbox_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT maildir FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' and mailbox.username = CONCAT('%u', '@', alias_domain.target_domain) AND mailbox.active=true AND alias_domain.active=true

5
mail/conf/postfix/pgsql/virtual_alias_domain_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active=true AND alias_domain.active=true

5
mail/conf/postfix/pgsql/virtual_alias_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = true

10
mail/conf/postfix/pgsql/virtual_domains_maps.cf
View File

@ -1,10 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' AND active = true
#query = SELECT domain FROM domain WHERE domain='%s'
#optional query to use when relaying for backup MX
#query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = false AND active = true
#optional query to use for transport map support
#query = SELECT domain FROM domain WHERE domain='%s' AND active = true AND NOT (transport LIKE 'smtp%%' OR transport LIKE 'relay%%')

5
mail/conf/postfix/pgsql/virtual_mailbox_limit_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT quota FROM mailbox WHERE username='%s' AND active = true

5
mail/conf/postfix/pgsql/virtual_mailbox_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = true

5
mail/conf/postfix/pgsql/virtual_sender_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT username FROM mailbox WHERE username='%s' AND active = true

42
mail/dkim.sh
View File

@ -1,42 +0,0 @@
cat > /etc/opendkim.conf<<EOF
UserID opendkim:opendkim
UMask 022
Mode sv
PidFile /var/run/opendkim/opendkim.pid
Canonicalization relaxed/relaxed
TemporaryDirectory /var/tmp
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
MinimumKeyBits 1024
Socket inet:8891
LogWhy Yes
Syslog Yes
SyslogSuccess Yes
EOF
mkdir -p /etc/opendkim/keys/`hostname -f`
opendkim-genkey -D /etc/opendkim/keys/`hostname -f`/ -d `hostname -f` -s default
#chown opendkim:opendkim -R /etc/opendkim/
#chmod -R 700 /etc/opendkim
echo "default._domainkey.`hostname -f` `hostname -f`:default:/etc/opendkim/keys/`hostname -f`/default.private" >> /etc/opendkim/KeyTable
echo "*@`hostname -f` default._domainkey.`hostname -f`" >> /etc/opendkim/SigningTable
echo "localhost" >> /etc/opendkim/TrustedHosts
echo "`hostname -f`" >> /etc/opendkim/TrustedHosts
cat >> /etc/postfix/main.cf<<EOF
#DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:8891
non_smtpd_milters = inet:8891
EOF
#service opendkim start
#service postfix restart
cp /etc/opendkim/keys/`hostname -f`/default.txt /root/`hostname -f`-dkim-signature_default.txt
echo "open '/root/`hostname -f`-dkim-signature_default.txt', then add the TXT record to you DNS resolution system."

29
mail/doc
View File

@ -1,29 +0,0 @@
# create password
doveadm pw -s MD5-CRYPT -p admin | sed 's/{MD5-CRYPT}//'
chown -R mail:mail /var/lib/vmail/
chown -R postfix /var/lib/postfix/
spamassassin ? rspamd \
# start apps
/ # opendkim
/ # dovecot
/ # syslogd
/ # postfix start
# useful documents
https://www.linode.com/docs/guides/configure-spf-and-dkim-in-postfix-on-debian-9/
https://github.com/postfixadmin/postfixadmin/blob/master/DOCUMENTS/Postfix-Dovecot-Postgresql-Example.md
https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/
https://wiki.archlinux.org/title/Virtual_user_mail_system_with_Postfix,_Dovecot_and_Roundcube
# do some checking
postmap -q esin.io proxy:pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf
postmap -q hi@esin.io proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
# dkim
https://www.cnblogs.com/MYue/p/8205439.html

81
mail/docker-compose.yml
View File

@ -1,81 +0,0 @@
version: "3.9"
services:
mailserver:
image: esinio/mail
volumes:
- ./mail:/var/mail
- ./log:/var/log
ports:
- "25:25"
- 143:143
- 110:110
- 465:465
- 993:993
- 995:995
external_links:
- postgresql:dbserver
networks:
- traefik
- database
webmail:
image: roundcube/roundcubemail
labels:
- "traefik.enable=true"
- "traefik.http.routers.webmail.rule=Host(`mail.esin.io`)"
- "traefik.http.routers.webmail.tls=true"
- "traefik.http.routers.webmail.middlewares=webmail-mw"
- "traefik.http.middlewares.webmail-mw.compress=true"
- "traefik.http.services.webmail.loadbalancer.server.port=80"
environment:
- ROUNDCUBEMAIL_DEFAULT_HOST=mailserver
- ROUNDCUBEMAIL_DEFAULT_PORT=143
- ROUNDCUBEMAIL_SMTP_SERVER=mailserver
- ROUNDCUBEMAIL_SMTP_PORT=25
links:
- mailserver
depends_on:
- mailserver
networks:
- traefik
- database
postfixadmin:
image: postfixadmin:3.3.10-apache
labels:
- "traefik.enable=true"
- "traefik.http.routers.postfixadmin.rule=Host(`postfixadmin.esin.io`)"
- "traefik.http.routers.postfixadmin.tls=true"
- "traefik.http.routers.postfixadmin.middlewares=postfixadmin-mw"
- "traefik.http.middlewares.postfixadmin-mw.compress=true"
- "traefik.http.services.postfixadmin.loadbalancer.server.port=80"
environment:
- POSTFIXADMIN_SETUP_PASSWORD=${POSTFIXADMIN_SETUP_PASSWORD}
- POSTFIXADMIN_DB_TYPE=pgsql
- POSTFIXADMIN_DB_HOST=dbserver
- POSTFIXADMIN_DB_USER=${POSTGRES_USER}
- POSTFIXADMIN_DB_PASSWORD=${POSTGRES_PASSWORD}
- POSTFIXADMIN_DB_NAME=postfix
- POSTFIXADMIN_SMTP_SERVER=${POSTFIXADMIN_SMTP_SERVER}
- POSTFIXADMIN_SMTP_PORT=${POSTFIXADMIN_SMTP_PORT}
# - POSTFIXADMIN_DB_TYPE=mysqli
# - POSTFIXADMIN_DB_HOST=dbserver
# - POSTFIXADMIN_DB_USER=${MARIADB_USER}
# - POSTFIXADMIN_DB_PASSWORD=${MARIADB_PASSWORD}
# - POSTFIXADMIN_DB_NAME=postfix
# - POSTFIXADMIN_SMTP_SERVER=${POSTFIXADMIN_SMTP_SERVER}
# - POSTFIXADMIN_SMTP_PORT=${POSTFIXADMIN_SMTP_PORT}
restart: unless-stopped
external_links:
- postgresql:dbserver
links:
- mailserver
depends_on:
- mailserver
networks:
- traefik
- database
networks:
traefik:
external: true
database:
external: true

14
mail/run.sh
View File

@ -1,14 +0,0 @@
#!/bin/sh
# maildir
MAIL_PATH="/var/mail/domains"
MAIL_USER="mail"
if [ ! -d ${MAIL_PATH} ]; then mkdir -p ${MAIL_PATH}; fi
chown -R ${MAIL_USER} ${MAIL_PATH}
# openkdim
chown -R opendkim:opendkim /etc/opendkim
# starting
syslogd; opendkim; postfix start; dovecot -F

2
mail/v2/Makefile
View File

@ -1,2 +0,0 @@
build:
docker-compose build --compress --no-cache --parallel

794
mail/v2/conf/clamav/clamd.conf
View File

@ -1,794 +0,0 @@
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##
# Comment or remove the line below.
# Example
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamd.log
# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
LogTime yes
# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes
# Use system logger (can work together with LogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# Enable Prelude output.
# Default: no
#PreludeEnable yes
#
# Set the name of the analyzer used by prelude-admin.
# Default: ClamAV
#PreludeAnalyzerName ClamAV
# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
#ExtendedDetectionInfo yes
# This option allows you to save a process identifier of the listening
# daemon (main thread).
# This file will be owned by root, as long as clamd was started by root.
# It is recommended that the directory where this file is stored is
# also owned by root to keep other users from tampering with it.
# Default: disabled
PidFile /run/clamd.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp
# Path to the database directory.
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no
# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /run/clamd.sock
# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup
# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660
# Remove stale socket after unclean shutdown.
# Default: yes
#FixStaleSocket yes
# TCP port address.
# Default: no
#TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
#TCPAddr localhost
# Maximum length the queue of pending connections may grow to.
# Default: 200
#MaxConnectionQueueLength 30
# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.
# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M
# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
# Maximum number of threads running at the same time.
# Default: 10
#MaxThreads 20
# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
#ReadTimeout 300
# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 30
#CommandReadTimeout 30
# This option specifies how long to wait (in milliseconds) if the send buffer
# is full.
# Keep this value low to prevent clamd hanging.
#
# Default: 500
#SendBufTimeout 200
# Maximum number of queued items (including those being processed by
# MaxThreads threads).
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file
# descriptors, the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual
# max is 1024).
#
# Default: 100
#MaxQueue 200
# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60
# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/
# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20
# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes
# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes
# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes
# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600
# Enable non-blocking (multi-threaded/concurrent) database reloads.
# This feature will temporarily load a second scanning engine while scanning
# continues using the first engine. Once loaded, the new engine takes over.
# The old engine is removed as soon as all scans using the old engine have
# completed.
# This feature requires more RAM, so this option is provided in case users are
# willing to block scans during reload in exchange for lower RAM requirements.
# Default: yes
#ConcurrentDatabaseReload no
# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name and %f will be replaced with the file name.
# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
# and $CLAM_VIRUSEVENT_VIRUSNAME.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamav
# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes
# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
# any ALLMATCHSCAN command as invalid.
# Default: yes
#AllowAllMatchScan no
# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes
# Exclude a specific PUA category. This directive can be used multiple times.
# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
# the complete list of PUA categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool
# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT
# This option causes memory or nested map scans to dump the content to disk.
# If you turn on this option, more data is written to disk and is available
# when the LeaveTemporaryFiles option is enabled.
#ForceToDisk yes
# This option allows you to disable the caching feature of the engine. By
# default, the engine will store an MD5 in a cache of any files that are
# not flagged as virus or that hit limits checks. Disabling the cache will
# have a negative performance impact on large scans.
# Default: no
#DisableCache yes
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to detect abnormal patterns and behaviors that
# may be malicious. This option enables alerting on such heuristically
# detected potential threats.
# Default: yes
#HeuristicAlerts yes
# Allow heuristic alerts to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only
# at the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes
##
## Heuristic Alerts
##
# With this option clamav will try to detect broken executables (both PE and
# ELF) and alert on them with the Broken.Executable heuristic signature.
# Default: no
#AlertBrokenExecutables yes
# With this option clamav will try to detect broken media file (JPEG,
# TIFF, PNG, GIF) and alert on them with a Broken.Media heuristic signature.
# Default: no
#AlertBrokenMedia yes
# Alert on encrypted archives _and_ documents with heuristic signature
# (encrypted .zip, .7zip, .rar, .pdf).
# Default: no
#AlertEncrypted yes
# Alert on encrypted archives with heuristic signature (encrypted .zip, .7zip,
# .rar).
# Default: no
#AlertEncryptedArchive yes
# Alert on encrypted archives with heuristic signature (encrypted .pdf).
# Default: no
#AlertEncryptedDoc yes
# With this option enabled OLE2 files containing VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#AlertOLE2Macros yes
# Alert on SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
# Default: no
#AlertPhishingSSLMismatch yes
# Alert on cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
# Default: no
#AlertPhishingCloak yes
# Alert on raw DMG image files containing partition intersections
# Default: no
#AlertPartitionIntersection yes
##
## Executable files
##
# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option
# allows ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
#ScanPE yes
# Certain PE files contain an authenticode signature. By default, we check
# the signature chain in the PE file against a database of trusted and
# revoked certificates if the file being scanned is marked as a virus.
# If any certificate in the chain validates against any trusted root, but
# does not match any revoked certificate, the file is marked as trusted.
# If the file does match a revoked certificate, the file is marked as virus.
# The following setting completely turns off authenticode verification.
# Default: no
#DisableCertCheck yes
# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanELF yes
##
## Documents
##
# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanOLE2 yes
# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanPDF yes
# This option enables scanning within SWF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanSWF yes
# This option enables scanning xml-based document files supported by libclamav.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanXMLDOCS yes
# This option enables scanning of HWP3 files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanHWP3 yes
##
## Mail files
##
# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
#ScanMail yes
# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial
# directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes
# With this option enabled ClamAV will try to detect phishing attempts by using
# HTML.Phishing and Email.Phishing NDB signatures.
# Default: yes
#PhishingSignatures no
# With this option enabled ClamAV will try to detect phishing attempts by
# analyzing URLs found in emails using WDB and PDB signature databases.
# Default: yes
#PhishingScanURLs no
##
## Data Loss Prevention (DLP)
##
# Enable the DLP module
# Default: No
#StructuredDataDetection yes
# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5
# With this option enabled the DLP module will search for valid Credit Card
# numbers only. Debit and Private Label cards will not be searched.
# Default: no
#StructuredCCOnly yes
# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes
##
## HTML
##
# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
#ScanHTML yes
##
## Archives
##
# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
#ScanArchive yes
##
## Limits
##
# The options below protect your system against Denial of Service attacks
# using archive bombs.
# This option sets the maximum amount of time to a scan may take.
# In this version, this field only affects the scan time of ZIP archives.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result allow scanning
# of certain files to lock up the scanning process/threads resulting in a
# Denial of Service.
# Time is in milliseconds.
# Default: 120000
#MaxScanTime 300000
# This option sets the maximum amount of data to be scanned for each input
# file. Archives and other containers are recursively extracted and scanned
# up to this value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M
# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Technical design limitations prevent ClamAV from scanning files greater than
# 2 GB at this time.
# Default: 25M
#MaxFileSize 30M
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 17
#MaxRecursion 10
# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000
# Maximum size of a file to check for embedded PE. Files larger than this value
# will skip the additional analysis step.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxEmbeddedPE 10M
# Maximum size of a HTML file to normalize. HTML files larger than this value
# will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxHTMLNormalize 10M
# Maximum size of a normalized HTML file to scan. HTML files larger than this
# value after normalization will not be scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 2M
#MaxHTMLNoTags 2M
# Maximum size of a script file to normalize. Script content larger than this
# value will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 5M
#MaxScriptNormalize 5M
# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
# than this value will skip the step to potentially reanalyze as PE.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 1M
#MaxZipTypeRcg 1M
# This option sets the maximum number of partitions of a raw disk image to be
# scanned.
# Raw disk images with more partitions than this value will have up to
# the value number partitions scanned. Negative values are not allowed.
# Note: setting this limit too high may result in severe damage or impact
# performance.
# Default: 50
#MaxPartitions 128
# This option sets the maximum number of icons within a PE to be scanned.
# PE files with more icons than this value will have up to the value number
# icons scanned.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 100
#MaxIconsPE 200
# This option sets the maximum recursive calls for HWP3 parsing during
# scanning. HWP3 files using more than this limit will be terminated and
# alert the user.
# Scans will be unable to scan any HWP3 attachments if the recursive limit
# is reached.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact
# performance.
# Default: 16
#MaxRecHWP3 16
# This option sets the maximum calls to the PCRE match function during
# an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit, see the PCRE documentation.
# Negative values are not allowed.
# WARNING: setting this limit too high may severely impact performance.
# Default: 100000
#PCREMatchLimit 20000
# This option sets the maximum recursive calls to the PCRE match function
# during an instance of regex matching.
# Instances using more than this limit will be terminated and alert the user
# but the scan will continue.
# For more information on match_limit_recursion, see the PCRE documentation.
# Negative values are not allowed and values > PCREMatchLimit are superfluous.
# WARNING: setting this limit too high may severely impact performance.
# Default: 2000
#PCRERecMatchLimit 10000
# This option sets the maximum filesize for which PCRE subsigs will be
# executed. Files exceeding this limit will not have PCRE subsigs executed
# unless a subsig is encompassed to a smaller buffer.
# Negative values are not allowed.
# Setting this value to zero disables the limit.
# WARNING: setting this limit too high or disabling it may severely impact
# performance.
# Default: 25M
#PCREMaxFileSize 100M
# When AlertExceedsMax is set, files exceeding the MaxFileSize, MaxScanSize, or
# MaxRecursion limit will be flagged with the virus name starting with
# "Heuristics.Limits.Exceeded".
# Default: no
#AlertExceedsMax yes
##
## On-access Scan Settings
##
# Don't scan files larger than OnAccessMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#OnAccessMaxFileSize 10M
# Max number of scanning threads to allocate to the OnAccess thread pool at
# startup. These threads are the ones responsible for creating a connection
# with the daemon and kicking off scanning after an event has been processed.
# To prevent clamonacc from consuming all clamd's resources keep this lower
# than clamd's max threads.
# Default: 5
#OnAccessMaxThreads 10
# Max amount of time (in milliseconds) that the OnAccess client should spend
# for every connect, send, and recieve attempt when communicating with clamd
# via curl.
# Default: 5000 (5 seconds)
# OnAccessCurlTimeout 10000
# Toggles dynamic directory determination. Allows for recursively watching
# include paths.
# Default: no
#OnAccessDisableDDD yes
# Set the include paths (all files inside them will be scanned). You can have
# multiple OnAccessIncludePath directives but each directory must be added
# in a separate line.
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students
# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
#OnAccessExcludePath /home/user
# Modifies fanotify blocking behaviour when handling permission events.
# If off, fanotify will only notify if the file scanned is a virus,
# and not perform any blocking.
# Default: no
#OnAccessPrevention yes
# When using prevention, if this option is turned on, any errors that occur
# during scanning will result in the event attempt being denied. This could
# potentially lead to unwanted system behaviour with certain configurations,
# so the client defaults this to off and prefers allowing access events in
# case of scan or connection error.
# Default: no
#OnAccessDenyOnError yes
# Toggles extra scanning and notifications when a file or directory is
# created or moved.
# Requires the DDD system to kick-off extra scans.
# Default: no
#OnAccessExtraScanning yes
# Set the mount point to be scanned. The mount point specified, or the mount
# point containing the specified directory will be watched. If any directories
# are specified, this option will preempt (disable and ignore all options
# related to) the DDD system. This option will result in verdicts only.
# Note that prevention is explicitly disallowed to prevent common, fatal
# misconfigurations. (e.g. watching "/" with prevention on and no exclusions
# made on vital system directories)
# It can be used multiple times.
# Default: disabled
#OnAccessMountPath /
#OnAccessMountPath /home/user
# With this option you can exclude the root UID (0). Processes run under
# root with be able to access all files without triggering scans or
# permission denied events.
# Note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeRootUID is not *guaranteed* to prevent every access by the
# root user from triggering a scan (unless OnAccessPrevention is enabled).
# Default: no
#OnAccessExcludeRootUID no
# With this option you can exclude specific UIDs. Processes with these UIDs
# will be able to access all files without triggering scans or permission
# denied events.
# This option can be used multiple times (one per line).
# Using a value of 0 on any line will disable this option entirely.
# To exclude the root UID (0) please enable the OnAccessExcludeRootUID
# option.
# Also note that if clamd cannot check the uid of the process that generated an
# on-access scan event (e.g., because OnAccessPrevention was not enabled, and
# the process already exited), clamd will perform a scan. Thus, setting
# OnAccessExcludeUID is not *guaranteed* to prevent every access by the
# specified uid from triggering a scan (unless OnAccessPrevention is enabled).
# Default: disabled
#OnAccessExcludeUID -1
# This option allows exclusions via user names when using the on-access
# scanning client. It can be used multiple times.
# It has the same potential race condition limitations of the
# OnAccessExcludeUID option.
# Default: disabled
#OnAccessExcludeUname clamav
# Number of times the OnAccess client will retry a failed scan due to
# connection problems (or other issues).
# Default: 0
#OnAccessRetryAttempts 3
##
## Bytecode
##
# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss
# detections for many new viruses.
# Default: yes
#Bytecode yes
# Set bytecode security level.
# Possible values:
# None - No security at all, meant for debugging.
# DO NOT USE THIS ON PRODUCTION SYSTEMS.
# This value is only available if clamav was built
# with --enable-debug!
# TrustSigned - Trust bytecode loaded from signed .c[lv]d files, insert
# runtime safety checks for bytecode loaded from other sources.
# Paranoid - Don't trust any bytecode, insert runtime checks for all.
# Recommended: TrustSigned, because bytecode in .cvd files already has these
# checks.
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
#BytecodeSecurity TrustSigned
# Allow loading bytecode from outside digitally signed .c[lv]d files.
# **Caution**: You should NEVER run bytecode signatures from untrusted sources.
# Doing so may result in arbitrary code execution.
# Default: no
#BytecodeUnsigned yes
# Set bytecode timeout in milliseconds.
#
# Default: 5000
# BytecodeTimeout 1000

204
mail/v2/conf/clamav/freshclam.conf
View File

@ -1,204 +0,0 @@
##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##
# Comment or remove the line below.
# Example
# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
# Path to the log file (make sure it has proper permissions)
# Default: disabled
UpdateLogFile /var/log/clamav/freshclam.log
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
# log rotation (the LogRotate option) will always be enabled.
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
# Default: no
#LogTime yes
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Use system logger (can work together with UpdateLogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# This option allows you to save the process identifier of the daemon
# This file will be owned by root, as long as freshclam was started by root.
# It is recommended that the directory where this file is stored is
# also owned by root to keep other users from tampering with it.
# Default: disabled
PidFile /run/clamav/freshclam.pid
# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
DatabaseOwner clamav
# Use DNS to verify virus database version. FreshClam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net
# database.clamav.net is now the primary domain name to be used world-wide.
# Now that CloudFlare is being used as our Content Delivery Network (CDN),
# this one domain name works world-wide to direct freshclam to the closest
# geographic endpoint.
# If the old db.XY.clamav.net domains are set, freshclam will automatically
# use database.clamav.net instead.
DatabaseMirror database.clamav.net
# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5
# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
ScriptedUpdates yes
# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no
# With this option you can provide custom sources for database files.
# This option can be used multiple times. Support for:
# http(s)://, ftp(s)://, or file://
# Default: no custom URLs
#DatabaseCustomURL http://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com/mysigs.ndb
#DatabaseCustomURL https://myserver.example.com:4567/allow_list.wdb
#DatabaseCustomURL ftp://myserver.example.com/example.ldb
#DatabaseCustomURL ftps://myserver.example.com:4567/example.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb
# This option allows you to easily point freshclam to private mirrors.
# If PrivateMirror is set, freshclam does not attempt to use DNS
# to determine whether its databases are out-of-date, instead it will
# use the If-Modified-Since request or directly check the headers of the
# remote database files. For each database, freshclam first attempts
# to download the CLD file. If that fails, it tries to download the
# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
# and ScriptedUpdates. It can be used multiple times to provide
# fall-back mirrors.
# Default: disabled
#PrivateMirror mirror1.example.com
#PrivateMirror mirror2.example.com
# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24
# Proxy settings
# The HTTPProxyServer may be prefixed with [scheme]:// to specify which kind
# of proxy is used.
# http:// HTTP Proxy. Default when no scheme or proxy type is specified.
# https:// HTTPS Proxy. (Added in 7.52.0 for OpenSSL, GnuTLS and NSS)
# socks4:// SOCKS4 Proxy.
# socks4a:// SOCKS4a Proxy. Proxy resolves URL hostname.
# socks5:// SOCKS5 Proxy.
# socks5h:// SOCKS5 Proxy. Proxy resolves URL hostname.
# Default: disabled
#HTTPProxyServer https://proxy.example.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# As of ClamAV 0.103.3, this setting may not be used when updating from the
# clamav.net CDN and can only be used when updating from a private mirror.
# Default: clamav/version_number (OS: ..., ARCH: ..., CPU: ..., UUID: ...)
#HTTPUserAgent SomeUserAgentIdString
# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd
# Send the RELOAD command to clamd.
# Default: no
NotifyClamd /etc/clamav/clamd.conf
# Run command after successful database update.
# Use EXIT_1 to return 1 after successful database update.
# Default: disabled
#OnUpdateExecute command
# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command
# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60
# Maximum time in seconds for each download operation. 0 means no timeout.
# Default: 0
#ReceiveTimeout 1800
# With this option enabled, freshclam will attempt to load new databases into
# memory to make sure they are properly handled by libclamav before replacing
# the old ones.
# Tip: This feature uses a lot of RAM. If your system has limited RAM and you
# are actively running ClamD or ClamScan during the update, then you may need
# to set `TestDatabases no`.
# Default: yes
#TestDatabases no
# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: yes
#Bytecode no
# Include an optional signature databases (opt-in).
# This option can be used multiple times.
#ExtraDatabase dbname1
#ExtraDatabase dbname2
# Exclude a standard signature database (opt-out).
# This option can be used multiple times.
#ExcludeDatabase dbname1
#ExcludeDatabase dbname2

24
mail/v2/conf/dovecot/dovecot-sql-mysql.conf
View File

@ -1,24 +0,0 @@
driver = mysql
connect = host=dbserver dbname=postfix user=postfix password=password
default_pass_scheme = MD5-CRYPT
user_query = \
SELECT \
'/var/mail/domains/%u/' as home, \
'maildir:/var/mail/domains/%u/' as mail, \
8 AS uid, \
12 AS gid, \
concat('dirsize:storage=', quota) AS quota \
FROM mailbox \
WHERE username = '%u' AND active = '1'
password_query = \
SELECT \
username as user, \
password, \
'/var/mail/domains/%u/' as userdb_home, \
'maildir:/var/mail/domains/%u/' as userdb_mail, \
8 as userdb_uid, \
12 as userdb_gid \
FROM mailbox \
WHERE username = '%u' AND active = '1'

23
mail/v2/conf/dovecot/dovecot-sql-pgsql.conf
View File

@ -1,23 +0,0 @@
driver = pgsql
connect = host=dbserver dbname=postfix user=postgres password=psqlpass
default_pass_scheme = MD5-CRYPT
user_query = \
SELECT \
'/var/mail/domains/%u/' as home, \
'maildir:/var/mail/domains/%u/' as mail, \
8 as uid, \
12 as gid, \
'dirsize:storage=' || quota AS quota \
FROM mailbox \
WHERE username = '%u' AND active = true
password_query = SELECT \
username AS user, \
password, \
8 as userdb_uid, \
12 as userdb_gid, \
'/var/mail/domains/' || maildir AS userdb_home, \
'/var/mail/domains/' || maildir AS userdb_mail \
FROM mailbox \
WHERE username = '%u' AND active = true

89
mail/v2/conf/dovecot/dovecot.conf
View File

@ -1,89 +0,0 @@
# debug
#auth_debug = yes
#auth_debug_passwords = yes
#mail_debug = yes
first_valid_uid = 8
#last_valid_uid = 8
postmaster_address = admin@example.com
protocols = "imap lmtp"
auth_mechanisms = plain login
disable_plaintext_auth = no
mail_location = maildir:/var/lib/vmail/%d/%n
#mail_location = maildir:/var/mail/domains/%u/
mail_gid = mail
mail_uid = mail
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql-pgsql.conf
}
userdb {
driver = sql
args = /etc/dovecot/dovecot-sql-pgsql.conf
}
service auth {
# Postfix smtp-auth
inet_listener {
port = 50026
#mode = 0660
#user = mail
#group = mail
}
}
service imap {
executable = imap
}
service lmtp {
executable = lmtp -L
process_min_avail = 5
inet_listener lmtp {
port = 50024
#user = mail
#process_min_avail = 5
#mode = 0600
#user = mail
#group = mail
}
}
#ssl_cert = </etc/ssl/dovecot/server.pem
#ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#ssl_dh_parameters_length = 2048
#ssl_key = </etc/ssl/dovecot/server.key
#ssl_prefer_server_ciphers = yes
#ssl_min_protocol = TLSv1.2
log_path = /dev/stderr
info_log_path = /dev/stdout
debug_log_path = /dev/stdout

3
mail/v2/conf/opendkim/KeyTable
View File

@ -1,3 +0,0 @@
default._domainkey.2a436487427d 2a436487427d:default:/etc/opendkim/keys/2a436487427d/default.private
default._domainkey.9509fbb20ce0 9509fbb20ce0:default:/etc/opendkim/keys/9509fbb20ce0/default.private
default._domainkey.esin.io esin.io:default:/etc/opendkim/keys/2a436487427d/default.private

3
mail/v2/conf/opendkim/SigningTable
View File

@ -1,3 +0,0 @@
*@2a436487427d default._domainkey.2a436487427d
*@9509fbb20ce0 default._domainkey.9509fbb20ce0
*@esin.io default._domainkey.esin.io

2
mail/v2/conf/opendkim/TrustedHosts
View File

@ -1,2 +0,0 @@
localhost
127.0.0.1

15
mail/v2/conf/opendkim/keys/2a436487427d/default.private
View File

@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDqnjC34hWdCIEG+Y8qD3yHLkwIziH+H0pNQwwEkKf4VpT3HTfJ
FxlPtKNpyFlAaclBd3BrtYkcvxr99qNjFdwNzPZJ5Fxo4Ug/9aP6e/t9DYlqBh/g
dqCxsnp9rInoTJBq7D1qiUljr9dmbURVwbggqkrP2l8UJyO1yw562ubAfwIDAQAB
AoGAESBbDhFC4qOsR4YQHVHkFTob8siZUqOWGO28AtlMaaRoW2GWoOc+wcK96wrk
+P6/4jeFzVcDG0YYAlHuu1ztIzD2lYslaDGM3mY3enx9ZOdWwZjuatlgDQmyRHji
VhW5n/Gs0ZWjFeVEIvu3w3RlrSoY9Yis/7sf15+Ujjd6HIECQQD9FvUDdaru1Czf
TtT8Q/k2cUZeNdNYjKWX9yHGexD0r6ZD3YE2yJuJ3jn5j1xk5jP3BjmtWNbj4cil
txRO8XYrAkEA7VDbNRPw8i654O84+pYMk7AP+vaxFqVBhZLeTG+lQMbHelBTW6vU
i1KhweatXgs0odEFZIp/nFLnLvbE8Iro/QJBALLL9B4Uk8STunur+oWZE8dlcPv/
dKaa/iWEnqTUrl7edEx/gNiOEmvsxfJLWE+j3dRG3ppbJ7zn9lM0KrG2ne8CQFhM
6pNwTQm/yxffywKqTBmzu+50VeYILT4HLMGiFQnqLJTdSHbmk5oXb+qW61D/uGCx
RmFnix3eVvjJhvO9q/0CQQCYbjMbyDYBFqgXkwC0iThFG50DUkrYvFYZSja5qdIX
u0vqdroQZUqxRoF2J1sPB78BTZFfLiePNTrl232A3T6q
-----END RSA PRIVATE KEY-----

2
mail/v2/conf/opendkim/keys/2a436487427d/default.txt
View File

@ -1,2 +0,0 @@
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqnjC34hWdCIEG+Y8qD3yHLkwIziH+H0pNQwwEkKf4VpT3HTfJFxlPtKNpyFlAaclBd3BrtYkcvxr99qNjFdwNzPZJ5Fxo4Ug/9aP6e/t9DYlqBh/gdqCxsnp9rInoTJBq7D1qiUljr9dmbURVwbggqkrP2l8UJyO1yw562ubAfwIDAQAB" ) ; ----- DKIM key default for 2a436487427d

15
mail/v2/conf/opendkim/keys/9509fbb20ce0/default.private
View File

@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQChHkpXhl+izKhPFIgniNaVPgrZtGqHmMY2iHHrhwMS8x6y6FRi
XQd+jWkMMDon9H+jNP2Yk8KjolfrX0KEg6l7FWeHGJKwqsltp7x1nx1Qf1paqN5O
6Z7QySjCsltjA+Gpepzm93nTPg0Iai1MFpOYbugTSjNrdMbANRzu3dRegwIDAQAB
AoGAZ+xBx3LE/R1E8r0rlVSOFHWQShw1GoFQWJxp3qGXOgHXK07wHwIic16DA3mY
CW2LZponeOLWCPYN/6PSI+dIyTVmDQcxHj++ZXsU/dCXX2NUydjaC1yyVo8xp/N7
s8Ap8abgQphrWZEppd3Of2MoMgG7NehgQyT+EkPj/x5evwECQQDLYPydO5JvQ9r5
ALJkHhHs4OCXSfGPPBqIXva2xhVaoOs1TjKy+oNpPZatRMAFI7mI/sNvB0O2cg0J
CG/WDGK3AkEAys4h8oiyMBu7B+lYzfUSCC2fxo7ptwhJuE78Zlc+9TvKYLeusSFo
RTDIUWyJcR/mZVjLFiUb4+tUZU7PPwZmlQJBAJkrAPU1oVIUq3xubuuBzgQ1VE/8
S2WRYXYk9u+t/PUVTi8GJp6ulnuS+8Cgj3EPd7LaE7uxn+huuqx74yY0i78CQDd1
u27Z1vC1BKabN3/LHw1BfMoN1vgIujA+2WMbRMpHeYaNdKZX3m3dc0phBgz7jkP0
zkTWDRR9DG1P6fjwRSkCQQDGMVIAEh0kftOxKU3n7qms0zbBDycWikLMQSLWZhYY
ZGblN7sKAkbIw6aHlDy4mMAS+zaiCVKQ2ReT0HqcHZVs
-----END RSA PRIVATE KEY-----

2
mail/v2/conf/opendkim/keys/9509fbb20ce0/default.txt
View File

@ -1,2 +0,0 @@
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChHkpXhl+izKhPFIgniNaVPgrZtGqHmMY2iHHrhwMS8x6y6FRiXQd+jWkMMDon9H+jNP2Yk8KjolfrX0KEg6l7FWeHGJKwqsltp7x1nx1Qf1paqN5O6Z7QySjCsltjA+Gpepzm93nTPg0Iai1MFpOYbugTSjNrdMbANRzu3dRegwIDAQAB" ) ; ----- DKIM key default for 9509fbb20ce0

17
mail/v2/conf/opendkim/opendkim.conf
View File

@ -1,17 +0,0 @@
AutoRestart Yes
AutoRestartRate 10/1h
UserID opendkim:opendkim
UMask 022
Mode sv
PidFile /var/run/opendkim.pid
Canonicalization relaxed/relaxed
TemporaryDirectory /var/tmp
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
MinimumKeyBits 1024
Socket inet:8891
LogWhy Yes
Syslog Yes
SyslogSuccess Yes

29
mail/v2/conf/opendkim/opendkim.conf.apk-new
View File

@ -1,29 +0,0 @@
BaseDirectory /run/opendkim
#LogWhy yes
Syslog yes
SyslogSuccess yes
Canonicalization relaxed/simple
Domain example.com
Selector default
KeyFile /var/db/dkim/example.com.private
Socket inet:8891@localhost
#Socket local:opendkim.sock
ReportAddress postmaster@example.com
SendReports yes
## Hosts to sign email for - 127.0.0.1 is default
## See the OPERATION section of opendkim(8) for more information
#
# InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
## For secondary mailservers - indicates not to sign or verify messages
## from these hosts
#
# PeerList X.X.X.X
# PidFile /var/run/opendkim/opendkim.pid

29
mail/v2/conf/opendkim/opendkim.conf.default
View File

@ -1,29 +0,0 @@
BaseDirectory /run/opendkim
#LogWhy yes
Syslog yes
SyslogSuccess yes
Canonicalization relaxed/simple
Domain example.com
Selector default
KeyFile /var/db/dkim/example.com.private
Socket inet:8891@localhost
#Socket local:opendkim.sock
ReportAddress postmaster@example.com
SendReports yes
## Hosts to sign email for - 127.0.0.1 is default
## See the OPERATION section of opendkim(8) for more information
#
# InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
## For secondary mailservers - indicates not to sign or verify messages
## from these hosts
#
# PeerList X.X.X.X
# PidFile /var/run/opendkim/opendkim.pid

5
mail/v2/conf/postfix/header_checks
View File

@ -1,5 +0,0 @@
/^Received:.*/ IGNORE
/^X-Originating-IP:/ IGNORE
/^X-Mailer:/ IGNORE
/^Mime-Version:/ IGNORE
/^User-Agent:/ IGNORE

175
mail/v2/conf/postfix/main.cf
View File

@ -1,175 +0,0 @@
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 3.6
# TLS parameters
#smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
#smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem
#smtpd_use_tls=yes
#smtpd_tls_auth_only = yes
#smtp_tls_security_level = may
#smtpd_tls_security_level = may
#smtpd_sasl_security_options = noanonymous, noplaintext
#smtpd_sasl_tls_security_options = noanonymous
# Authentication
# SASL Auth for SMTP relaying
smtpd_sasl_type = dovecot
#smtpd_sasl_path = private/auth
smtpd_sasl_path = inet:mdaserver:50026
smtpd_sasl_authenticated_header = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
# Restrictions
smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_non_fqdn_recipient
reject_unknown_recipient_domain
reject_unlisted_recipient
reject_unauth_destination
smtpd_sender_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_unknown_recipient_domain
smtpd_relay_restrictions =
permit_mynetworks
permit_sasl_authenticated
defer_unauth_destination
smtpd_data_restrictions =
reject_unauth_pipelining
permit
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = mail.esin.io
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
mydomain = esin.io
myorigin = $mydomain
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
#mynetworks = all
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
# Handing off local delivery to Dovecot's LMTP, and telling it where to store mail
#virtual_transport = virtual
#virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_transport = lmtp:inet:mdaserver:50024
#local_transport = virtual
#virtual_mailbox_base = /var/mail/domains
# Virtual domains, users, and aliases
relay_domains = $mydestination, proxy:pgsql:/etc/postfix/pgsql/relay_domains.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
local_recipient_maps = $virtual_mailbox_maps
smtpd_sender_login_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_sender_maps.cf
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 8
virtual_uid_maps = static:8
virtual_gid_maps = static:12
# Even more Restrictions and MTA params
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
#smtpd_etrn_restrictions = reject
#smtpd_reject_unlisted_sender = yes
#smtpd_reject_unlisted_recipient = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtp_always_send_ehlo = yes
#smtpd_hard_error_limit = 1
smtpd_timeout = 30s
smtp_helo_timeout = 15s
smtp_rcpt_timeout = 15s
smtpd_recipient_limit = 40
minimal_backoff_time = 180s
maximal_backoff_time = 3h
# Reply Rejection Codes
invalid_hostname_reject_code = 550
non_fqdn_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
mynetworks_style = host
# ---------------------------------
# Header manipulation
# --------------------------------------
# Getting rid of unwanted headers. See: https://posluns.com/guides/header-removal/
#header_checks = regexp:/etc/postfix/header_checks
# getting rid of x-original-to
enable_original_recipient = no
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = $header_checks
# ---------------------------------
# DKIM
# --------------------------------------
milter_default_action = accept
milter_protocol = 2
#smtpd_milters = inet:8891
#non_smtpd_milters = inet:dkimserver:8891
smtpd_milters = inet:dkimserver:8891
non_smtpd_milters = inet:dkimserver:8891
# ---------
# log
# --------
#maillog_file = /var/log/mail.log
maillog_file = /dev/stdout

149
mail/v2/conf/postfix/master.cf
View File

@ -1,149 +0,0 @@
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
# Choose one: enable submission for loopback clients only, or for any client.
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_wrappermode=no
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
# -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
#submission inet n - n - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
# Choose one: enable smtps for loopback clients only, or for any client.
#127.0.0.1:smtps inet n - n - - smtpd
#smtps inet n - n - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
# ${nexthop} ${user} ${extension}
#
#mailman unix - n n - - pipe
# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
#dovecot unix - n n - - pipe
# flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}

5
mail/v2/conf/postfix/mysql/relay_domains.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1' AND (transport LIKE 'smtp%%' OR transport LIKE 'relay%%')

5
mail/v2/conf/postfix/mysql/transport_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT transport FROM domain WHERE domain='%s' AND active = '1' AND transport != 'virtual'

5
mail/v2/conf/postfix/mysql/virtual_alias_domain_catchall_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active='1' AND alias_domain.active='1'

5
mail/v2/conf/postfix/mysql/virtual_alias_domain_mailbox_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT maildir FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' and mailbox.username = CONCAT('%u', '@', alias_domain.target_domain) AND mailbox.active='1' AND alias_domain.active='1'

5
mail/v2/conf/postfix/mysql/virtual_alias_domain_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active='1' AND alias_domain.active='1'

5
mail/v2/conf/postfix/mysql/virtual_alias_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'

10
mail/v2/conf/postfix/mysql/virtual_domains_maps.cf
View File

@ -1,10 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'
#query = SELECT domain FROM domain WHERE domain='%s'
#optional query to use when relaying for backup MX
#query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'
#optional query to use for transport map support
#query = SELECT domain FROM domain WHERE domain='%s' AND active = '1' AND NOT (transport LIKE 'smtp%%' OR transport LIKE 'relay%%')

5
mail/v2/conf/postfix/mysql/virtual_mailbox_limit_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'

5
mail/v2/conf/postfix/mysql/virtual_mailbox_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'

5
mail/v2/conf/postfix/mysql/virtual_sender_maps.cf
View File

@ -1,5 +0,0 @@
user = postfix
password = password
hosts = dbserver
dbname = postfix
query = SELECT username FROM mailbox WHERE username='%s' AND active = '1'

5
mail/v2/conf/postfix/pgsql/relay_domains.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' AND active = true AND (transport LIKE 'smtp%%' OR transport LIKE 'relay%%')

5
mail/v2/conf/postfix/pgsql/transport_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT transport FROM domain WHERE domain='%s' AND active = true AND transport != 'virtual'

5
mail/v2/conf/postfix/pgsql/virtual_alias_domain_catchall_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active=true AND alias_domain.active=true

5
mail/v2/conf/postfix/pgsql/virtual_alias_domain_mailbox_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT maildir FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' and mailbox.username = CONCAT('%u', '@', alias_domain.target_domain) AND mailbox.active=true AND alias_domain.active=true

5
mail/v2/conf/postfix/pgsql/virtual_alias_domain_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active=true AND alias_domain.active=true

5
mail/v2/conf/postfix/pgsql/virtual_alias_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = true

10
mail/v2/conf/postfix/pgsql/virtual_domains_maps.cf
View File

@ -1,10 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' AND active = true
#query = SELECT domain FROM domain WHERE domain='%s'
#optional query to use when relaying for backup MX
#query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = false AND active = true
#optional query to use for transport map support
#query = SELECT domain FROM domain WHERE domain='%s' AND active = true AND NOT (transport LIKE 'smtp%%' OR transport LIKE 'relay%%')

5
mail/v2/conf/postfix/pgsql/virtual_mailbox_limit_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT quota FROM mailbox WHERE username='%s' AND active = true

5
mail/v2/conf/postfix/pgsql/virtual_mailbox_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = true

5
mail/v2/conf/postfix/pgsql/virtual_sender_maps.cf
View File

@ -1,5 +0,0 @@
user = postgres
password = psqlpass
hosts = dbserver
dbname = postfix
query = SELECT username FROM mailbox WHERE username='%s' AND active = true

42
mail/v2/dkim.sh
View File

@ -1,42 +0,0 @@
cat > /etc/opendkim.conf<<EOF
UserID opendkim:opendkim
UMask 022
Mode sv
PidFile /var/run/opendkim/opendkim.pid
Canonicalization relaxed/relaxed
TemporaryDirectory /var/tmp
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
MinimumKeyBits 1024
Socket inet:8891
LogWhy Yes
Syslog Yes
SyslogSuccess Yes
EOF
mkdir -p /etc/opendkim/keys/`hostname -f`
opendkim-genkey -D /etc/opendkim/keys/`hostname -f`/ -d `hostname -f` -s default
#chown opendkim:opendkim -R /etc/opendkim/
#chmod -R 700 /etc/opendkim
echo "default._domainkey.`hostname -f` `hostname -f`:default:/etc/opendkim/keys/`hostname -f`/default.private" >> /etc/opendkim/KeyTable
echo "*@`hostname -f` default._domainkey.`hostname -f`" >> /etc/opendkim/SigningTable
echo "localhost" >> /etc/opendkim/TrustedHosts
echo "`hostname -f`" >> /etc/opendkim/TrustedHosts
cat >> /etc/postfix/main.cf<<EOF
#DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:8891
non_smtpd_milters = inet:8891
EOF
#service opendkim start
#service postfix restart
cp /etc/opendkim/keys/`hostname -f`/default.txt /root/`hostname -f`-dkim-signature_default.txt
echo "open '/root/`hostname -f`-dkim-signature_default.txt', then add the TXT record to you DNS resolution system."

29
mail/v2/doc
View File

@ -1,29 +0,0 @@
# create password
doveadm pw -s MD5-CRYPT -p admin | sed 's/{MD5-CRYPT}//'
chown -R mail:mail /var/lib/vmail/
chown -R postfix /var/lib/postfix/
spamassassin ? rspamd \
# start apps
/ # opendkim
/ # dovecot
/ # syslogd
/ # postfix start
# useful documents
https://www.linode.com/docs/guides/configure-spf-and-dkim-in-postfix-on-debian-9/
https://github.com/postfixadmin/postfixadmin/blob/master/DOCUMENTS/Postfix-Dovecot-Postgresql-Example.md
https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/
https://wiki.archlinux.org/title/Virtual_user_mail_system_with_Postfix,_Dovecot_and_Roundcube
# do some checking
postmap -q esin.io proxy:pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf
postmap -q hi@esin.io proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
# dkim
https://www.cnblogs.com/MYue/p/8205439.html

82
mail/v2/docker-compose.yml
View File

@ -1,82 +0,0 @@
version: "3.9"
services:
mtaserver:
build:
context: ./docker
dockerfile: mta-postfix
image: esinio/mailserver:postfix-3.6.3
volumes:
- ./conf/postfix/main.cf:/etc/postfix/main.cf
- ./conf/postfix/master.cf:/etc/postfix/master.cf
- ./conf/postfix/pgsql:/etc/postfix/pgsql
ports:
- "10025:25"
- "10465:465"
mdaserver:
build:
context: ./docker
dockerfile: mda-dovecot
image: esinio/mailserver:dovecot-2.3.17.1
volumes:
- ./conf/dovecot:/etc/dovecot
ports:
- 10143:143
- 10993:993
# command:
# - dovecot -F
dkimserver:
build:
context: ./docker
dockerfile: opendkim
image: esinio/mailserver:opendkim-2.11.0
volumes:
- ./conf/opendkim:/etc/opendkim
# command:
# - opendkim
# - -f
# - -l
webmail:
image: roundcube/roundcubemail
environment:
- ROUNDCUBEMAIL_DEFAULT_HOST=mdaserver
- ROUNDCUBEMAIL_DEFAULT_PORT=143
- ROUNDCUBEMAIL_SMTP_SERVER=mtaserver
- ROUNDCUBEMAIL_SMTP_PORT=25
ports:
- 8000:80
links:
- mdaserver
- mtaserver
depends_on:
- mdaserver
- mtaserver
- dbserver
dbserver:
image: postgres:14.1-alpine
environment:
- POSTGRES_USER=${POSTGRES_USER}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
volumes:
- ./data/postgresql:/var/lib/postgresql/data
ports:
- 15432:5432
postfixadmin:
image: postfixadmin:3.3.10-apache
environment:
- POSTFIXADMIN_SETUP_PASSWORD=${POSTFIXADMIN_SETUP_PASSWORD}
- POSTFIXADMIN_DB_TYPE=pgsql
- POSTFIXADMIN_DB_HOST=dbserver
- POSTFIXADMIN_DB_USER=${POSTGRES_USER}
- POSTFIXADMIN_DB_PASSWORD=${POSTGRES_PASSWORD}
- POSTFIXADMIN_DB_NAME=postfix
- POSTFIXADMIN_SMTP_SERVER=${POSTFIXADMIN_SMTP_SERVER}
- POSTFIXADMIN_SMTP_PORT=${POSTFIXADMIN_SMTP_PORT}
restart: unless-stopped
ports:
- 8080:80
links:
- dbserver
- mtaserver
depends_on:
- dbserver

10
mail/v2/docker/mda-dovecot
View File

@ -1,10 +0,0 @@
FROM alpine:3.15
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories \
&& apk add dovecot-pgsql dovecot-lmtpd \
&& chown -R mail /var/mail \
&& rm -rf /var/cache/apk/*
EXPOSE 143 993
CMD ["/usr/sbin/dovecot", "-F"]

10
mail/v2/docker/mta-postfix
View File

@ -1,10 +0,0 @@
FROM alpine:3.15
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories \
&& apk add postfix postfix-pgsql \
&& postconf -e "maillog_file = /dev/stdout" \
&& rm -rf /var/cache/apk/*
EXPOSE 25 465
CMD ["/usr/sbin/postfix", "start-fg"]

11
mail/v2/docker/opendkim
View File

@ -1,11 +0,0 @@
FROM alpine:3.15
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories \
&& apk add opendkim opendkim-utils \
&& chown opendkim:opendkim -R /etc/opendkim/ \
&& chmod -R 700 /etc/opendkim \
&& rm -rf /var/cache/apk/*
EXPOSE 8891
CMD ["/usr/sbin/opendkim", "-f"]

14
mail/v2/run.sh
View File

@ -1,14 +0,0 @@
#!/bin/sh
# maildir
MAIL_PATH="/var/mail/domains"
MAIL_USER="mail"
if [ ! -d ${MAIL_PATH} ]; then mkdir -p ${MAIL_PATH}; fi
chown -R ${MAIL_USER} ${MAIL_PATH}
# openkdim
chown -R opendkim:opendkim /etc/opendkim
# starting
syslogd; opendkim; postfix start; dovecot -F

26
nginx-proxy/README.md
View File

@ -1,26 +0,0 @@
# docker run
```shell
# nginx-proxy
docker run -itd \
--name nginx-proxy \
--restart=always \
-p 80:80 \
-p 443:443 \
-v /data/nginx/certs:/etc/nginx/certs \
-v /data/nginx/vhost.d:/etc/nginx/vhost.d \
-v /data/nginx/html:/usr/share/nginx/html \
-v /var/run/docker.sock:/tmp/docker.sock:ro \
jwilder/nginx-proxy:alpine
# letsencrypt-nginx-proxy-companion
docker run -itd \
--name nginx-proxy-letsencrypt \
--restart=always \
--volumes-from nginx-proxy \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /data/acme.sh:/etc/acme.sh \
-e "DEFAULT_EMAIL=hi@esin.io" \
jrcs/letsencrypt-nginx-proxy-companion
```

29
nginx-proxy/docker-compose.yml
View File

@ -1,29 +0,0 @@
version: "2"
services:
nginx-proxy:
image: jwilder/nginx-proxy:alpine
restart: always
ports:
- "80:80"
- "443:443"
volumes:
- /data/nginx/certs:/etc/nginx/certs
- /data/nginx/vhost.d:/etc/nginx/vhost.d
- /data/nginx/html:/usr/share/nginx/html
- /var/run/docker.sock:/tmp/docker.sock:ro
letsencrypt-companion:
image: jrcs/letsencrypt-nginx-proxy-companion
restart: always
volumes-from: "nginx-proxy"
environment:
- "DEFAULT_EMAIL=hi@esin.io"
volumes:
- /var/run/docker.sock:/tmp/docker.sock:ro
- /data/acme.sh:/etc/acme.sh
#set environments in service
#- VIRTUAL_HOST=sub.example.com
#- VIRTUAL_PORT=3000
#- LETSENCRYPT_HOST=sub.example.com
#- LETSENCRYPT_EMAIL=admin@example.com

32
pgweb/docker-compose.yml
View File

@ -1,32 +0,0 @@
version: "3.9"
services:
pgweb:
image: sosedoff/pgweb
container_name: "pgweb.esin.io"
environment:
- "TZ=Asia/Shanghai"
- "SESSIONS=1"
labels:
- "traefik.enable=true"
- "traefik.http.routers.pgweb.rule=Host(`pgweb.esin.io`)"
- "traefik.http.routers.pgweb.entrypoints=websecure"
- "traefik.http.routers.pgweb.tls=true"
- "traefik.http.routers.pgweb.tls.certresolver=letsencrypt"
- "traefik.http.routers.pgweb.tls.domains[0].main=esin.io"
- "traefik.http.routers.pgweb.tls.domains[0].sans=*.esin.io"
- "traefik.http.routers.pgweb.middlewares=pgweb-mw"
- "traefik.http.middlewares.pgweb-mw.compress=true"
- "traefik.http.middlewares.pgweb-mw.compress.excludedcontenttypes=text/event-stream"
- "traefik.http.services.pgweb.loadbalancer.server.port=8081"
external_links:
- postgresql
networks:
traefik:
priority: 1000
database:
priority: 100
networks:
traefik:
external: true
database:
external: true

29
portainer/docker-compose.yml
View File

@ -1,29 +0,0 @@
version: "3.9"
services:
portainer:
image: portainer/portainer-ce
container_name: "portainer.esin.io"
environment:
- "TZ=Asia/Shanghai"
labels:
- "traefik.enable=true"
- "traefik.http.routers.portainer.rule=Host(`portainer.esin.io`)"
- "traefik.http.routers.portainer.entrypoints=websecure"
- "traefik.http.routers.portainer.tls=true"
- "traefik.http.routers.portainer.tls.certresolver=letsencrypt"
- "traefik.http.routers.portainer.tls.domains[0].main=esin.io"
- "traefik.http.routers.portainer.tls.domains[0].sans=*.esin.io"
- "traefik.http.routers.portainer.middlewares=portainer-mw"
- "traefik.http.middlewares.portainer-mw.compress=true"
- "traefik.http.middlewares.portainer-mw.compress.excludedcontenttypes=text/event-stream"
- "traefik.http.services.portainer.loadbalancer.server.port=9000"
volumes:
- ./data:/data
- /var/run/docker.sock:/var/run/docker.sock
networks:
- traefik
networks:
traefik:
external: true

Some files were not shown because too many files have changed in this diff Show More