NFSv4 on Debian
NFSv4 client and server configuration (without Kerberos)
See:
Protocol
See:
| Step | Date | Ref |
| Created | 1984 | |
| NFSv2 | 1989 | RFC 1094 |
| NFSv3 | 1995 | RFC 1813 |
| NFSv4 | 2003 | RFC 3530 |
| NFSv4.1 | 2010 | RFC 5661 |
| NFSv4.2 | 2016 | RFC 7862 |
Unlike earlier versions, NFSv4 only needs TCP port 2049.
On the server
cat /proc/fs/nfsd/versions
+2 +3 +4 +4.1 -4.2
apt-get install nfs-kernel-server
lsmod | grep nfs
nfsv4                 410783  1
dns_resolver           12641  1 nfsv4
nfsd                  263032  13
auth_rpcgss            51211  2 nfsd,rpcsec_gss_krb5
nfs_acl                12511  1 nfsd
nfs                   188136  2 nfsv4
lockd                  83389  2 nfs,nfsd
fscache                45542  2 nfs,nfsv4
sunrpc                237402  33 nfs,nfsd,rpcsec_gss_krb5,auth_rpcgss,lockd,nfsv4,nfs_acl
/etc/default/nfs-common
NEED_STATD=no
STATDOPTS=
NEED_GSSD=no
# Only needed for user-name mapping in NFSv4
NEED_IDMAPD=no
/etc/default/nfs-kernel-server
# /usr/sbin/rpc.mountd --manage-gids -N 2 -N 3 -V 4 -V 4.1
# man rpc.mountd
#RPCMOUNTDOPTS="--manage-gids"
RPCMOUNTDOPTS="--manage-gids -N 2 -N 3 -V 4 -V 4.1"
/etc/exports
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
/export 192.168.1.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check) 127.0.0.1(rw,sync,fsid=0,crossmnt,no_subtree_check)
/export/partage 192.168.1.0/24(rw,sync,nohide,insecure,no_subtree_check) 127.0.0.1(rw,sync,nohide,insecure,no_subtree_check)
chown jean: /export/partage/
After editing /etc/exports:
exportfs -ra
killall rpc.statd
service nfs-common restart
service nfs-kernel-server restart
Note: for a PostgreSQL database stored on NFS, the hard mount option is mandatory on the client, and the sync export option is recommended on the server side.
The only firm requirement for using NFS with PostgreSQL is that the file system is mounted using the hard option. With the hard option, processes can “hang” indefinitely if there are network problems, so this configuration will require a careful monitoring setup. The soft option will interrupt system calls in case of network problems, but PostgreSQL will not repeat system calls interrupted in this way, so any such interruption will result in an I/O error being reported.
It is not necessary to use the sync mount option. The behavior of the async option is sufficient, since PostgreSQL issues fsync calls at appropriate times to flush the write caches. (This is analogous to how it works on a local file system.) However, it is strongly recommended to use the sync export option on the NFS server on systems where it exists (mainly Linux). Otherwise, an fsync or equivalent on the NFS client is not actually guaranteed to reach permanent storage on the server, which could cause corruption similar to running with the parameter fsync off. The defaults of these mount and export options differ between vendors and versions, so it is recommended to check and perhaps specify them explicitly in any case to avoid any ambiguity.
Source: https://www.postgresql.org/docs/current/creating-cluster.html
On the client
See: https://learn.microsoft.com/fr-fr/azure/azure-netapp-files/performance-linux-mount-options
apt-get install nfs-common
lsmod | grep nfs
nfsv4                 410783  1
dns_resolver           12641  1 nfsv4
nfsd                  263032  2
auth_rpcgss            51211  2 nfsd,rpcsec_gss_krb5
nfs_acl                12511  1 nfsd
nfs                   188136  2 nfsv4
lockd                  83389  2 nfs,nfsd
sunrpc                237402  14 nfs,nfsd,rpcsec_gss_krb5,auth_rpcgss,lockd,nfsv4,nfs_acl
fscache                45542  2 nfs,nfsv4
/etc/default/nfs-common
NEED_STATD=no
STATDOPTS=
NEED_GSSD=no
# Only needed for user-name mapping in NFSv4
NEED_IDMAPD=no
/etc/fstab
192.168.1.10:/partage /mnt/nfs nfs4 _netdev,noatime,bg,soft,rw,nodev,nosuid,noexec,noauto,proto=tcp,port=2049,vers=4.1,timeo=5,retrans=5,actimeo=10,retry=5 0 0
killall rpc.statd
systemctl disable rpcbind
service rpcbind stop
service nfs-common restart
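Added example, not part of these notes: a small Python linter for the kind of /etc/exports and /etc/fstab entries shown above. It flags the points this section discusses (insecure, no_root_squash, async versus the PostgreSQL sync requirement, a soft mount under a database path, missing nodev/nosuid, over-wide client networks). The sample files are constructed from these notes plus one deliberately bad export; /export/db and /var/lib/postgresql are made-up paths.

```python
import ipaddress
import re

# Constructed sample /etc/exports: the two exports from these notes plus one
# deliberately bad line (/export/db) to exercise the checks.
EXPORTS_SAMPLE = """\
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
/export 192.168.1.0/24(rw,sync,fsid=0,crossmnt,no_subtree_check) 127.0.0.1(rw,sync,fsid=0,crossmnt,no_subtree_check)
/export/partage 192.168.1.0/24(rw,sync,nohide,insecure,no_subtree_check) 127.0.0.1(rw,sync,nohide,insecure,no_subtree_check)
/export/db *(rw,async,no_root_squash)
"""

# Constructed sample /etc/fstab: the client mount from these notes plus a
# hypothetical PostgreSQL data directory on NFS.
FSTAB_SAMPLE = """\
192.168.1.10:/partage /mnt/nfs nfs4 _netdev,noatime,bg,soft,rw,nodev,nosuid,noexec,noauto,proto=tcp,port=2049,vers=4.1,timeo=5,retrans=5,actimeo=10,retry=5 0 0
192.168.1.10:/db /var/lib/postgresql nfs4 _netdev,hard,rw,vers=4.1 0 0
"""

# One client spec, optionally followed by "(opt,opt,...)"
CLIENT_RE = re.compile(r"([^\s(]+)(?:\(([^)]*)\))?")
DB_PATH_HINTS = ("postgres", "pgsql", "mysql", "mariadb")


def parse_exports(text):
    """Yield (path, client, options) for every client entry of an exports file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, clients = parts[0], (parts[1] if len(parts) > 1 else "")
        for client, opts in CLIENT_RE.findall(clients):
            yield path, client, {o for o in opts.split(",") if o}


def lint_exports(text):
    """Return human-readable findings for risky export options."""
    findings = []
    for path, client, opts in parse_exports(text):
        where = f"{path} -> {client}"
        if client == "*" or client.startswith("*."):
            findings.append(f"{where}: exported to every host")
        else:
            try:
                net = ipaddress.ip_network(client, strict=False)
                if net.prefixlen < 16:
                    findings.append(f"{where}: very wide client network {net}")
            except ValueError:
                pass  # hostname or @netgroup: nothing to check offline
        if "no_root_squash" in opts:
            findings.append(f"{where}: no_root_squash lets client root act as root on the server")
        if "insecure" in opts:
            findings.append(f"{where}: insecure accepts requests from unprivileged source ports")
        if "async" in opts:
            findings.append(f"{where}: async means a client fsync is not durable (PostgreSQL needs sync)")
    return findings


def lint_fstab(text):
    """Return findings for NFS mounts: soft mount under a database path, missing nodev/nosuid."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue
        mountpoint, opts = fields[1], set(fields[3].split(","))
        looks_like_db = any(h in mountpoint.lower() for h in DB_PATH_HINTS)
        if looks_like_db and "soft" in opts:
            findings.append(f"{mountpoint}: soft mount under a database path (PostgreSQL requires hard)")
        for flag in ("nodev", "nosuid"):
            if flag not in opts:
                findings.append(f"{mountpoint}: missing {flag}")
    return findings


if __name__ == "__main__":
    for finding in lint_exports(EXPORTS_SAMPLE) + lint_fstab(FSTAB_SAMPLE):
        print(finding)
```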
Notes
User UIDs must match on both sides (otherwise users can be mapped by name, but that requires enabling Kerberos). See "you need to use Kerberos for the mapping to have any effect", https://help.ubuntu.com/community/NFSv4Howto. See:
- /etc/idmapd.conf
- rpc.mountd --manage-gids (RPCMOUNTDOPTS)
- apt-get install nscd
After editing /etc/idmapd.conf, run
nfsidmap -c
With the current configuration, root cannot write to the NFS share.
The rpcbind service seems to be needed only once, when nfs-kernel-server starts; otherwise nothing listens on TCP port 2049. Disabling it seems possible on RedHat: "How can I disable rpcbind on NFSv4-only servers?"
See /var/lib/nfs/
Disable rpcbind on NFS server (RedHat)
Source: https://www.spinics.net/linux/fedora/fedora-users/msg513100.html
systemctl mask --now rpc-statd.service rpcbind.service rpcbind.socket
systemctl restart nfs-server
Get information about the mount / which NFS version is in use
nfsstat -m
Autofs client
/etc/auto.master
/mnt/nfs /etc/auto.nfs --ghost,--timeout=60
/etc/auto.nfs
partage -fstype=nfs4,noatime,bg,soft,rw,nodev,nosuid,noexec,proto=tcp,port=2049,vers=4.1,timeo=5,retrans=5,actimeo=10,retry=5 192.168.1.10:/partage
Unmount an NFS share that is in an error state
umount -lf /mnt/nfs
List of shares
Mount the / directory and look at its contents.
# mount myserver:/ /mnt/
# cd /mnt/
# ls
exports
# ls exports
foo bar
showmount -e 127.0.0.1
The showmount command only displays NFS version 2 and 3 exports.
However, if the server serves NFSv4 and NFSv3 at the same time, this method still works.
Other
Which port the server listens on
# rpcinfo -p | grep nfs
rsize=8192,wsize=8192
Rationale: This issue is a bug on the NFS server that involves handling of delegations. NOTE: Disabling delegations may impact performance and depends on your workload. For more information, see What is the performance impact of disabling or enabling NFS4 delegations?. Disable delegations on the NFS server with the following commands:
echo 0 > /proc/sys/fs/leases-enable
sysctl -w fs.leases-enable=0
Diagnostics
mount.nfs4 -v -o noauto,sec=sys,proto=tcp,port=2049,vers=4.2 127.0.0.1:/export/files /mnt/nfs/
mount -t nfs4 127.0.0.1:files /mnt/nfs/ -v
journalctl -u nfs-server -f
dmesg
Source: https://access.redhat.com/solutions/3915571
tshark -Y 'tcp.port == 2049' -r tcpdump.pcap > tcpdump.txt
tshark -Y 'frame.number == 961595' -V -r tcpdump.pcap > tcpdump-frame-961595.txt
grep -A 30 SEQUENCE tcpdump-frame-961595.txt
tshark -r tcpdump.pcap -Y 'rpc.msgtyp == 1 && nfs' | wc -l
tshark -r tcpdump.pcap -Y 'rpc.msgtyp == 1 && nfs.sequence.flags.recallable_state_revoked == 1' | wc -l
Error: nfs-server.service is masked (RedHat)
# systemctl enable --now nfs-server.service
Failed to enable unit: Unit file /etc/systemd/system/nfs-server.service is masked.
# ls -l /etc/systemd/system/nfs-server.service
lrwxrwxrwx. 1 root root 9 Apr 24 2024 /etc/systemd/system/nfs-server.service -> /dev/null
# rm /etc/systemd/system/nfs-server.service
rm: remove symbolic link '/etc/systemd/system/nfs-server.service'? y
# systemctl enable --now nfs-server.service
Created symlink /etc/systemd/system/multi-user.target.wants/nfs-server.service → /usr/lib/systemd/system/nfs-server.service.
Job for nfs-server.service canceled.
Setting up an SFTP (SSH) server with ProFTPD
See: http://linuxfr.org/news/se-passer-de-dropbox-en-montant-son-coffre-fort-numerique-a-la-maison
See also:
Do not confuse FTPS with SFTP!
apt-get install proftpd-basic
/etc/proftpd/proftpd.conf
#<Limit LOGIN>
#  Allow from 127.0.0.1 192.168.1.0/8
#  Allow from 78.233.103.193
#  DenyAll
#</Limit>
#######
##
## SFTP Config
SFTPEngine On
Port <PORT>
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPClientMatch "WS_FTP" channelWindowSize 1GB
# enable for sftp debugging:
TraceLog /var/log/proftpd/sftp-trace.log
#Trace scp:20 sftp:20 ssh2:20
Trace scp:7 sftp:7 ssh2:7
## End SFTP Config ##
SFTPLog /var/log/proftpd/sftp.log
TransferLog /var/log/proftpd/sftp-xferlog
SFTPAuthMethods publickey password
#SFTPAuthMethods publickey
AuthUserFile /etc/proftpd/sftp.passwd
#SFTPAuthorizedUserKeys file:/etc/proftpd/authorized_keys/%u
SFTPAuthorizedUserKeys file:/etc/proftpd/sftp.passwd.keys/%u
# SFTP specific configuration
#DefaultRoot ~
DefaultRoot /partage
# Enable compression
SFTPCompression delayed
######
/etc/proftpd/sftp.passwd
<USER>:<$1$PASSWORD.>:1005:1008::/partage:/usr/bin/rssh
/etc/rssh.conf
user=<USER>:007:000110:"/partage"
Put the (converted) SSH public keys in /etc/proftpd/sftp.passwd.keys/. Now fill the file with the SSH public keys you want; you need to convert them to RFC 4716 format first:
ssh-keygen -e -f id_rsa.pub > /etc/proftpd/sftp.passwd.keys/virtual2
mkdir /etc/proftpd/authorized_keys
ssh-keygen -e -f id_rsa.pub > /etc/proftpd/authorized_keys/jean
chmod 600 /etc/proftpd/authorized_keys
chmod 600 /etc/proftpd/authorized_keys/*
service proftpd restart
Installation on Debian or Ubuntu
First of all, check that your operating system is up to date
sudo -s
apt-get update
apt-get upgrade
apt-get dist-upgrade
apt-get install proftpd-basic rssh
mkdir -p /partage/jean
mkdir -p /partage/public
addgroup sftp
chgrp sftp /partage -R
chmod 750 /partage/*
chmod 1777 /partage/public
<Limit LOGIN>
  # NB: a /8 prefix here matches all of 192.0.0.0/8, not only the 192.168.2.0 LAN; use /24 to restrict it
  Allow from 78.234.113.74 127.0.0.1 192.168.2.0/8
  DenyAll
</Limit>
#######
## SFTP Config
SFTPEngine On
Port 7010
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPClientMatch "WS_FTP" channelWindowSize 1GB
# enable for sftp debugging:
TraceLog /var/log/proftpd/sftp-trace.log
#Trace scp:20 sftp:20 ssh2:20
Trace scp:7 sftp:7 ssh2:7
SFTPLog /var/log/proftpd/sftp.log
TransferLog /var/log/proftpd/sftp-xferlog
SFTPAuthMethods publickey password
AuthUserFile /etc/proftpd/sftp.passwd
SFTPAuthorizedUserKeys file:/etc/proftpd/sftp.passwd.keys/%u
# SFTP specific configuration
DefaultRoot ~
# Enable compression
SFTPCompression delayed
######
Comment out
Change:
Port
Umask 007 007
#TransferLog
$ getent group sftp | cut -d':' -f3
1008
$ mkpasswd --hash=md5 $PASS
$1$L0PQHYcl$fUkBeMISuAg.miC0qJONP.
# Quote the delimiter: with an unquoted EOF the shell would expand $1, $L0PQHYcl and $fUkBeMISuAg inside the hash
cat >>/etc/proftpd/sftp.passwd <<'EOF'
jean:$1$L0PQHYcl$fUkBeMISuAg.miC0qJONP.:1005:1008::/partage:/usr/bin/rssh
EOF
/etc/rssh.conf
logfacility = LOG_USER
umask = 066
# if your chroot_path contains spaces, it must be quoted...
# In the following examples, the chroot_path is "/usr/local/my chroot"
#user=rudy:011:000010:"/usr/local/my chroot"  # scp with chroot
#user=rudy:011:000100:"/usr/local/my chroot"  # sftp with chroot
#user=rudy:011:000110:"/usr/local/my chroot"  # both with chroot
user=jean:007:000110:"/partage"  # both with chroot
chrootpath = "/partage"
/etc/passwd
jean:x:1006:1007:,,,:/home/jean:/usr/sbin/nologin
Passwordless login
ssh-keygen -e -f ~/.ssh/id_dsa.pub
Copy the public key to the SFTP server:
- /etc/proftpd/sftp.passwd.keys/jean
Setting up a mail server on Debian
See Managing email from the command line
Test the configuration: https://www.mail-tester.com/
See: https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf
Postfix SMTP server configuration
serv1
/etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
#smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_banner = Every illegal access will be referred to the appropriate authorities and the CERT.
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = serv1.acme.fr
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = acme.fr, serv1.acme.fr, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/12
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
mailbox_command = procmail -a "$EXTENSION"
#smtpd_sasl_local_domain =
#smtpd_sasl_auth_enable = yes
#broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_sasl_type = dovecot
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth
# On Debian Wheezy path must be relative and queue_directory defined
#queue_directory = /var/spool/postfix
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
# With Postfix version before 2.10, use smtpd_recipient_restrictions
#smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
#
virtual_alias_maps = hash:/etc/postfix/virtual
# inbound
smtpd_tls_security_level = may
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
# outbound
smtp_tls_security_level = may
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
Koala
/etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
#smtpd_banner = $myhostname ESMTP $mail_name (GNU)
smtpd_banner = Every illegal access will be referred to the appropriate authorities and the CERT.
biff = yes
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = smtp.acme.fr
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = acme.fr, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.2.0/24 172.16.0.0/12
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 10485760
recipient_delimiter = +
inet_interfaces = all
virtual_alias_maps = hash:/etc/postfix/virtual
relay_domains = acme.fr
home_mailbox = Maildir/
notify_classes = resource, software, protocol
defer_transports = smtp
delay_warning_time = 5m
#maximal_queue_lifetime = 5d
debug_peer_level = 7
#default_transport = smtp:smtp.acme.fr
defer_transports =
disable_dns_lookups = no
/etc/mailname
acme.fr
/etc/aliases
# See man 5 aliases for format
dev-null: /dev/null
postmaster: root
abuse: root
jean: jibe
root: jibe
# https://arno0x0x.wordpress.com/2016/02/07/postfix-lancer-un-script-sur-reception-dun-e-mail/
bot: "|/path/to/script/mailBot.php"
Then
/etc/postfix/virtual
emailadresse comptelocal
postmap /etc/postfix/virtual
Then
vi /etc/aliases
newaliases
mkdir /etc/skel/Maildir/
mkdir /etc/skel/Maildir/cur
mkdir /etc/skel/Maildir/new
mkdir /etc/skel/Maildir/tmp
touch /etc/skel/Maildir/Trash
touch /etc/skel/Maildir/Drafts
touch /etc/skel/Maildir/Sent
/etc/skel/.procmailrc
VERBOSE=Yes
SHELL=/bin/bash
# NB: the trailing "." puts the current directory on the PATH, which is risky for a mail-processing shell
PATH=$HOME/bin:/usr/bin:/bin:/usr/local/bin:.
MAILDIR=$HOME/Maildir/   # You'd better make sure it exists
DEFAULT=$MAILDIR/$USERNAME
LOGFILE=$MAILDIR/.procmail.log
LOCKFILE=$HOME/.lockmail
LOGNAME=$USERNAME
Dovecot configuration
/etc/dovecot/dovecot.conf
mail_location = maildir:~/Maildir
/etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes
/etc/dovecot/conf.d/15-mailboxes.conf
mailbox Drafts {
  auto = subscribe   # <-- ADD THIS
  special_use = \Drafts
}
mailbox Junk {
  special_use = \Junk
}
mailbox Trash {
  # Fix invisible Trash
  auto = subscribe   # <-- ADD THIS
  special_use = \Trash
}
https://www.linode.com/docs/security/security-patches/disabling-sslv3-for-poodle
/etc/dovecot/conf.d/10-ssl.conf
ssl = required ssl_protocols = !SSLv2 !SSLv3
Debug
doveadm -Dv force-resync -u jibe INBOX
/etc/letsencrypt/cli.ini
# Source: https://gist.github.com/mrothNET/cb6f313e9cbe896f3e0fdec80ad2f3fa
# Manage Firewall
#pre-hook = ufw allow http
#post-hook = ufw deny http
# Restart Postfix & Dovecot
renew-hook = systemctl restart dovecot.service postfix.service
Dovecot operations
Cache / log cleanup
find ~/Maildir/ -type f \( -iname dovecot.index.cache -o -iname dovecot.index.log \) -delete
Problems
Problem after the Wheezy ⇒ Stretch upgrade
/var/log/mail.log
Jan 19 18:42:10 sever1 dovecot[394]: imap-login: Fatal: Invalid ssl_protocols setting: Unknown protocol 'SSLv2'
Temporary workaround
/etc/dovecot/conf.d/10-ssl.conf
#ssl_protocols = !SSLv2 !SSLv3
ssl_protocols = !SSLv3
systemctl restart dovecot
Postfix authentication with Dovecot
Check Dovecot authentication compatibility
# postconf -a
cyrus
dovecot
/etc/dovecot/conf.d/10-master.conf
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
  mode = 0660
  user = postfix
  group = postfix
}
/etc/init.d/dovecot restart
$ ls -l /var/spool/postfix/private/auth
srw-rw---- 1 postfix postfix 0 mai 20 12:48 /var/spool/postfix/private/auth
/etc/postfix/main.cf
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth
# On Debian Wheezy path must be relative and queue_directory defined
#queue_directory = /var/spool/postfix
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
DNS configuration
- MX record
- SRV (TXT)
Verification
Security check
First of all, we must make sure that our SMTP server is not an open relay.
telnet smtp.acme.fr 25
EHLO localhost
You should see the following line:
250-STARTTLS
$ echo -ne "\0nom\0MOTDEPASS" | openssl enc -base64
AG5vbQBNT1RERVBBU1M=
openssl s_client -tls1 -starttls smtp -crlf -connect smtp.acme.fr:25
EHLO localhost
AUTH PLAIN AG5vbQBNT1RERVBBU1M=
Check that SSLv3 is indeed disabled
openssl s_client -ssl3 -starttls smtp -crlf -connect smtp.acme.fr:25
DNS check
DNS records: SPF, DKIM, ARC, DMARC, etc.
See:
$ dig acme.fr TXT @8.8.8.8 +short
"v=spf1 mx ~all"
$ dig acme.fr MX @8.8.8.8 +short
1 smtp.acme.fr.
100 smtp2.acme.fr.
To avoid being flagged as a spammer, you also need to create the PTR record in reverse DNS.
ip ⇒ smtp.acme.fr
Fail2ban
/etc/fail2ban/jail.local
### SSH
[ssh]
enabled = true
port = 7001
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

[ssh-ddos]
enabled = true
port = 7001
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6

### GENERIC
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = true
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6

### MAILS
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log

[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log

[dovecot]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
service fail2ban restart
service fail2ban status
Webmail with RoundCube
If you still get name@localhost instead of name@domain.com, it may be necessary to delete the sqlite database (as a precaution, rename the sqlite file first; base.db in our example).
defaults.inc.php
$config['mail_domain'] = '%d';
La base de donnée (ici sqlite)
config.inc.php
$config['db_dsnw'] = 'sqlite:////var/www/roundcubemail/config/base.db?mode=0646';
apt-get install php5-fpm php5-sqlite php5-mcrypt php5-intl
/etc/php5/fpm/php.ini
date.timezone = 'Europe/Paris'
/etc/nginx/sites-available/webmail
server {
listen 443;
ssl on;
ssl_certificate /etc/ssl/private/serv1.acme.fr.crt;
ssl_certificate_key /etc/ssl/private/serv1.acme.fr.key;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM;
ssl_dhparam /etc/ssl/private/dh2048.pem;
add_header Strict-Transport-Security max-age=2678400;
root /var/www/roundcubemail;
index index.html index.htm index.php;
client_max_body_size 20M;
server_name webmail.serv1.acme.fr;
access_log /var/log/nginx/webmail/access.log;
error_log /var/log/nginx/webmail/error.log;
autoindex off;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
# With php5-cgi alone:
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;
}
}
ln -s /etc/nginx/sites-available/webmail /etc/nginx/sites-enabled/
nginx -t
service nginx reload
cd /etc/ssl/private/
openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
openssl genrsa -des3 -out serv1.acme.fr.key 2048
# Or: "openssl ecparam -genkey" for an elliptic-curve key
openssl req -new -key serv1.acme.fr.key -out serv1.acme.fr.csr
openssl rsa -in serv1.acme.fr.key -out serv1.acme.fr.key.unencrypted
mv -f serv1.acme.fr.key.unencrypted serv1.acme.fr.key
chmod 600 serv1.acme.fr.key
openssl x509 -req -days 3650 -in serv1.acme.fr.csr -signkey serv1.acme.fr.key -out serv1.acme.fr.crt
chown www-data: /var/www/roundcubemail/temp
chown www-data: /var/www/roundcubemail/logs
chown www-data: /var/www/roundcubemail/config
After completing the configuration at https://webmail.serv1.acme.fr/installer
rm /var/www/roundcubemail/installer/ -rf
Block the URL: https://webmail.serv1.acme.fr/logs/errors
ln -s /var/www/roundcubemail/logs /var/log/roundcube
Extensions
Thunderbird tags: colour mails according to their labels
cd /var/www/roundcubemail/plugins
git clone https://github.com/mike-kfed/rcmail-thunderbird-labels
chmod -R a+rX rcmail-thunderbird-labels
mv rcmail-thunderbird-labels thunderbird_labels
config.inc.php
$config['plugins'] = array('thunderbird_labels');
zipdownload plugin to download all attachments in one Zip file
php_zip extension (including ZipArchive class)
apt-get install libphp-pclzip
config/config.inc.php
$config['plugins'] = array(
    'thunderbird_labels',
    'archive',
    'zipdownload',
);
Note on the postconf command
postconf -d: shows the default values instead of the current configuration.
-n: Print main.cf parameter settings that are explicitly specified in main.cf. Specify -nf to fold long lines for human readability.
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1d
bounce_size_limit = 2000
broken_sasl_auth_clients = no
config_directory = /etc/postfix
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
maximal_queue_lifetime = 1d
mydestination = $mydomain, localhost.$mydomain, localhost
myhostname = serv1.acme.fr
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/12
mynetworks_style = host
myorigin = /etc/mailname
policy-spf_time_limit = 3600s
readme_directory = no
recipient_delimiter = +
relayhost =
show_user_unknown_table_name = no
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = Every illegal access will be referred to the appropriate authorities and the CERT.
smtpd_client_message_rate_limit = 3
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 10
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, warn_if_reject reject_invalid_hostname
smtpd_junk_command_limit = 3
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_multi_recipient_bounce, reject_non_fqdn_hostname, reject_invalid_hostname, reject_unknown_client, warn_if_reject reject_unknown_hostname, reject_unauth_pipelining, reject_rhsbl_sender dsn.rfc-ignorant.org reject_rhsbl_sender bogusmx.rfc-ignorant.org, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, check_policy_service unix:private/policy-spf, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_address
smtpd_soft_error_limit = 2
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
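Added example, not from these notes: a Python check over `postconf -n` output for the points the security verification section above tests by hand (open relay, AUTH only over TLS, SSLv3 disabled, VRFY), plus a look at how wide mynetworks is. The sample is an abridged, constructed version of the output above, written in main.cf style with continuation lines.

```python
import ipaddress

# Constructed sample: an abridged `postconf -n` output modelled on the one in these notes.
POSTCONF_SAMPLE = """\
disable_vrfy_command = yes
inet_interfaces = all
mydestination = $mydomain, localhost.$mydomain, localhost
myhostname = serv1.acme.fr
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.16.0.0/12
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain,
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org, check_policy_service unix:private/policy-spf, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
"""


def parse_postconf(text):
    """Parse main.cf / `postconf -n` text into a dict. Indented lines continue the previous value."""
    conf, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            conf[last] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if sep:
            last = key.strip()
            conf[last] = value.strip()
    return conf


def tokens(value):
    """Split a comma/space separated Postfix list into tokens."""
    return value.replace(",", " ").split()


SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated", "permit_auth_destination"}
RELAY_STOPS = {"reject_unauth_destination", "defer_unauth_destination"}


def relay_findings(conf):
    """Open-relay check: walk the relay (or, on older Postfix, recipient) restrictions
    and make sure nothing permits arbitrary clients before reject_unauth_destination."""
    key = "smtpd_relay_restrictions" if "smtpd_relay_restrictions" in conf else "smtpd_recipient_restrictions"
    for tok in tokens(conf.get(key, "")):
        if tok in RELAY_STOPS:
            return []
        if tok.startswith("permit") and tok not in SAFE_PERMITS:
            return [f"{key}: '{tok}' permits relaying before reject_unauth_destination"]
    # Conservative: Postfix >= 2.10 ships a safe built-in smtpd_relay_restrictions default,
    # but an explicit list without reject_unauth_destination deserves a look.
    return [f"{key}: reject_unauth_destination missing, check for an open relay"]


def audit(conf):
    """Return findings for the settings the verification section checks by hand."""
    findings = relay_findings(conf)
    if conf.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("smtpd_tls_auth_only is not yes: AUTH is offered on cleartext connections")
    if "noanonymous" not in tokens(conf.get("smtpd_sasl_security_options", "")):
        findings.append("smtpd_sasl_security_options lacks noanonymous")
    for key in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        value = conf.get(key, "")
        if not (value.startswith(">=") or "!SSLv3" in value):
            findings.append(f"{key} is not set explicitly or does not exclude SSLv3 ({value or 'default'})")
    for net in tokens(conf.get("mynetworks", "")):
        try:
            n = ipaddress.ip_network(net.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue  # hostname, table or pattern: nothing to check offline
        if not n.is_loopback and n.prefixlen < (16 if n.version == 4 else 64):
            findings.append(f"mynetworks: {n} is wide, every host in it may relay")
    if conf.get("disable_vrfy_command", "no") != "yes":
        findings.append("disable_vrfy_command is not yes: VRFY allows account enumeration")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_postconf(POSTCONF_SAMPLE)):
        print(finding)
```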
Serial console over a crossover RS-232 cable
See also: iDRAC / iLO console
/etc/inittab
SO:12345:respawn:/sbin/getty -L 19200 ttyS0 vt102
/etc/default/grub
GRUB_TERMINAL="console serial"
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
update-grub
To take the console from the second PC connected with the crossover serial cable (RS-232):
screen /dev/ttyS0 115200
Other
See also:
SystemD
Draft
See https://freedesktop.org/wiki/Software/systemd/Debugging/
Boot parameter
systemd.journald.forward_to_console=1 console=ttyS0,38400
systemctl enable serial-getty@ttyS0.service
Notes
earlyprintk=ttyS0 console=ttyS0,9600n8 nousb noplymouth ip=:::::eth0: boot=local
Dokuwiki - Strata semi-structured data
Intro
See:
- SPARQL
DokuWiki uses flat files; there is no need for a relational database. However, it can be useful to work with structured, semantic or similar data.
An interesting solution is the Strata extension (semi-structured data), which uses sqlite by default (PostgreSQL or MySQL are also possible).
We get the advantages of a relational database without its drawbacks: all the data lives in the wiki pages as text, so losing the database would not be catastrophic!
Install
Requires the DokuWiki sqlite extension
PHP module to talk to sqlite. On Debian:
apt-get install php5-sqlite
Install on Alpine / PHP 7
apk add php7-sqlite3 sqlite php7-pdo_sqlite
File notes:
| DW config | sqlite:@METADIR@/strata.sqlite3 |
| Location | ./data/meta/strata.sqlite3 |
Notes
To comment out a line, prefix it with "--" as in SQL.
Data can only be entered with the <data> tag. To query it, there are the <table> and <list> tags.
Example
Data
Create a page on DokuWiki
people:alice_king
<data person>
Full Name: Alice King
Birthday [date::Y-m-d]: 1985-11-12
Birthplace [page::places]: London
Contact [link]: alice.king@example.org
Friends [ref]*: Bob Marley, Jean Paul
</data>
Page people:bob_marley
<data person>
Full Name: Bob Marley
Birthday [date::Y-m-d]: 1945-02-06
Birthplace [page::places]: Nine Miles
Contact [link]:
Friends [ref]*: Alice King, Jean Paul
</data>
NB: the Contact [link]: line has no value and is ignored; it serves no purpose.
The SPARQL-based syntax is quite simple for entering data.
<data nomDeLaTable>
-- Lines starting with -- are ignored
-- Example
Clef: Valeur
-- Or
Clef [type]: valeur
-- Or again
-- The "*" symbol means several values are allowed
Clef [type]*: valeur
Clef [type::hint]: valeur
-- Example
DateFacture [date::Y-m-d]: 2016-03-04
</data>
The type is used both for storing the data and for presenting it.
Query
On another page
~~NOCACHE~~
<table ?p "Person" ?birthday "Birthday" ?birthplace "Birthplace" ?contact "Contact">
?p is a: person
?p Contact [link]: ?contact
?p Birthday [date]: ?birthday
?p Birthplace [page::places]: ?birthplace
</table>
Bob Marley does not appear. It is not because you have not smoked enough: here every requested field is mandatory, and the Contact field is empty.
Let's rewrite our query with the Contact field optional
<table ?p "Person" ?birthday "Birthday" ?birthplace "Birthplace" ?contact "Contact">
?p is a: person
optional {
?p Contact [link]: ?contact
}
?p Birthday [date]: ?birthday
?p Birthplace [page::places]: ?birthplace
</table>
Example with union
<table ?p "Person" ?birthday "Birthday" ?birthplace "Birthplace" ?contact "Contact">
?p is a: person
optional {
?p Contact [link]: ?contact
}
?p Birthday [date]: ?birthday
--Commented-out lines
--?p Birthplace [page::places]: ?birthplace
--?birthplace = London
union {
{
?p Birthplace [page::places]: ?birthplace
?birthplace = London
}
{
?p Birthplace [page::places]: ?birthplace
?birthplace = Nine Miles
}
}
</table>
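Added example, not Strata's own code: a small Python model of the matching rules described in this section, to see why Bob Marley disappears when Contact is mandatory, comes back with optional { }, and how the two union { } branches select rows. The two pages are the ones above (a "--" comment line is added to Bob's); the field parser and query evaluator are a simplification written for this illustration, and "?birthplace = London" is represented as a literal pattern.

```python
import re

# Constructed input: the two people pages from these notes in Strata <data> syntax.
PAGES = {
    "people:alice_king": """<data person>
Full Name: Alice King
Birthday [date::Y-m-d]: 1985-11-12
Birthplace [page::places]: London
Contact [link]: alice.king@example.org
Friends [ref]*: Bob Marley, Jean Paul
</data>""",
    "people:bob_marley": """<data person>
-- lines starting with -- are ignored
Full Name: Bob Marley
Birthday [date::Y-m-d]: 1945-02-06
Birthplace [page::places]: Nine Miles
Contact [link]:
Friends [ref]*: Alice King, Jean Paul
</data>""",
}

DATA_RE = re.compile(r"<data\s+(\w+)>(.*?)</data>", re.S)
# "Field [type::hint]*: value"  ->  name, type spec, multi-value marker, value
FIELD_RE = re.compile(r"^([^\[:]+?)\s*(?:\[([^\]]*)\])?\s*(\*)?\s*:\s*(.*)$")


def parse_data(page_id, text):
    """Parse every <data kind> block of a page into a record: field -> list of values.
    Lines with an empty value are dropped, which is why Bob ends up with no Contact field."""
    records = []
    for kind, body in DATA_RE.findall(text):
        rec = {"page": [page_id], "is a": [kind]}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("--"):
                continue
            m = FIELD_RE.match(line)
            if not m:
                continue
            name, _type, multi, value = m.groups()
            values = value.split(",") if multi else [value]
            values = [v.strip() for v in values if v.strip()]
            if values:
                rec[name.strip()] = values
        records.append(rec)
    return records


def match_record(rec, patterns, optional=()):
    """Bind the ?variables of `patterns` against one record.
    A pattern is (field, term); term is a literal to compare or a ?variable to bind.
    Fields listed in `optional` may be absent; any other missing field rejects the record."""
    binding = {}
    for field, term in patterns:
        values = rec.get(field)
        if values is None:
            if field in optional:
                continue
            return None
        if term.startswith("?"):
            binding[term] = values[0] if len(values) == 1 else values
        elif term not in values:
            return None
    return binding


def query(records, patterns, optional=(), union=()):
    """Evaluate a <table>-style query over all records and return the matching rows.
    `union` is a list of alternative pattern lists; at least one must match (union { {..} {..} })."""
    rows = []
    for rec in records:
        binding = match_record(rec, patterns, optional)
        if binding is None:
            continue
        if union:
            for alternative in union:
                extra = match_record(rec, alternative)
                if extra is not None:
                    binding.update(extra)
                    break
            else:
                continue  # no branch of the union matched this record
        binding["?p"] = rec["page"][0]
        rows.append(binding)
    return rows


RECORDS = [r for page_id, text in PAGES.items() for r in parse_data(page_id, text)]
# The query from the notes, with "?p Contact [link]: ?contact" mandatory.
PERSON_QUERY = [("is a", "person"), ("Contact", "?contact"),
                ("Birthday", "?birthday"), ("Birthplace", "?birthplace")]
# The union from the notes: "?birthplace = London" is written as a literal pattern here.
BIRTHPLACE_UNION = [[("Birthplace", "?birthplace"), ("Birthplace", "London")],
                    [("Birthplace", "?birthplace"), ("Birthplace", "Nine Miles")]]

if __name__ == "__main__":
    print("mandatory Contact:", [r["?p"] for r in query(RECORDS, PERSON_QUERY)])
    print("optional Contact: ", [r["?p"] for r in query(RECORDS, PERSON_QUERY, optional=("Contact",))])
    print("union:", [r["?birthplace"] for r in query(RECORDS, PERSON_QUERY[:1], union=BIRTHPLACE_UNION)])
```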
