ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update..

Browse Source
This commit is contained in:
Christoph
2022-09-20 01:23:54 +02:00
parent 68e7e0e174
commit f80772ed42
98 changed files with 4127 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
roles/common/files/a.mx/etc/postfix/postfwd.bl-sender
View File

@@ -1,12 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Sender addresses blocked by postfwd
# ---
# annoying spammer domains
.*@acieu.co.uk
# annoying spammer addresses
error@mailfrom.com
sqek@eike.se

9
roles/common/files/a.mx/etc/postfix/postfwd.bl-sender_domain
View File

@@ -1,9 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Sender domains blocked by postfwd
# ---
# annoying spammer domains
acieu.co.uk

6
roles/common/files/a.mx/etc/postfix/postfwd.bl-user
View File

@@ -1,6 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# SASL Users blocked by postfwd
# ---

9
roles/common/files/a.mx/etc/postfix/postfwd.wl-user
View File

@@ -2,9 +2,18 @@
# ---
# SASL Users whitelisted by postfwd
#
# example:
#
# # give trusted sasl usernames here
# ckubu@oopen.de
# vertrieb@akweb.de
#
# ---
# give trusted sasl usernames here
abo@akweb.de
vertrieb@akweb.de
prokla@akweb.de
presse@mbr-berlin.de

0
roles/common/files/root/.ssh/a.mx-id_rsa-dehydrated → roles/common/files/a.mx/root/.ssh/a.mx-id_rsa-dehydrated
View File

0
roles/common/files/root/.ssh/a.mx-id_rsa-dehydrated.pub → roles/common/files/a.mx/root/.ssh/a.mx-id_rsa-dehydrated.pub
View File

0
roles/common/files/root/.ssh/a.mx-id_rsa-opendkim → roles/common/files/a.mx/root/.ssh/a.mx-id_rsa-opendkim
View File

0
roles/common/files/root/.ssh/a.mx-id_rsa-opendkim.pub → roles/common/files/a.mx/root/.ssh/a.mx-id_rsa-opendkim.pub
View File

2
roles/common/files/a.mx/root/bin/postfix/conf/postfix_add_mailboxes.conf
View File

@@ -75,7 +75,7 @@
# - Defaults to: quota="536870912"
# -
#quota="536870912"
quota=1073741824
quota=2147483648
# - log_file
# -

22
roles/common/files/b.mx/etc/postfix/postfwd.bl-hosts Normal file
View File

@@ -0,0 +1,22 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# hosts blocked by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# Example:
#
# # block all hosts of domain 'oopen.de'
# \.oopen\.de$
#
# # block host a.mx.oopen.de
# ^a\.mx\.oopen\.de$
#
# ---
# give hostnames to blocke here

16
roles/common/files/b.mx/etc/postfix/postfwd.bl-nets Normal file
View File

@@ -0,0 +1,16 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Networks blocked by postfwd
#
# Example:
#
# # web0.warenform.de
# #83.223.86.76
# #2a01:30:0:505:286:96ff:fe4a:6ee
# #2a01:30:0:13:286:96ff:fe4a:6eee
#
# ---
# give networks to block here

33
roles/common/files/b.mx/etc/postfix/postfwd.bl-sender
View File

@@ -2,4 +2,37 @@
# ---
# Sender addresses blocked by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# @acieu\.co\.uk$
# ^error@mailfrom.com$
#
# instedt of
#
# @acieu.co.uk
# error@mailfrom.com
#
#
# Example:
#
# # # annoying spammer domains
# # block all senders of maildomaindomain 'oopen.de'
# @acieu\.co\.uk$
#
# # annoying spammer addresses
# # block sender address
# error@mailfrom.com
# sqek@eike\.se$
#
# ---
# annoying spammer domains
@acieu\.co\.uk$
# annoying spammer addresses
^error@mailfrom\.com$
^sqek@eike\.se$

7
roles/common/files/b.mx/etc/postfix/postfwd.bl-user
View File

@@ -2,5 +2,12 @@
# ---
# SASL Users blocked by postfwd
#
# Example:
#
# # give SASL usernames to block here
# ckubu@oopen.de
#
# ---
# give SASL usernames to block here

172
roles/common/files/b.mx/etc/postfix/postfwd.cf Normal file
View File

@@ -0,0 +1,172 @@
#======= Definitions ============
# Match messages with an associated SASL username
&&SASL_AUTH {
sasl_username!~^$
}
# Trusted networks
&&TRUSTED_NETS {
client_address==file:/etc/postfix/postfwd.wl-nets
}
# Trusted hostnames
# client_name~=.warenform.de$
&&TRUSTED_HOSTS {
client_name=~file:/etc/postfix/postfwd.wl-hosts
}
# Trusted users
&&TRUSTED_USERS {
sasl_username==file:/etc/postfix/postfwd.wl-user
}
# Trusted senders
&&TRUSTED_SENDERS {
sender=~file:/etc/postfix/postfwd.wl-sender
}
# Blacklist networks
&&BLOCK_NETS {
client_address==file:/etc/postfix/postfwd.bl-nets
}
# Blacklist hostnames
&&BLOCK_HOSTS {
client_name=~file:/etc/postfix/postfwd.bl-hosts
}
# Blacklist users
&&BLOCK_USERS {
sasl_username==file:/etc/postfix/postfwd.bl-user
}
# Blacklist sender adresses
&&BLOCK_SENDER {
# =~
# using '=~' allows also matching entries for domains (i.e. @acieu.co.uk)
sender=~file:/etc/postfix/postfwd.bl-sender
}
# Inbound emails only
&&INCOMING {
client_address!=127.0.0.1
}
#======= Rule Sets ============
# ---
#
# Processing of the Rule Sets
#
# The parser checks the elements of a policy delegation request against the postfwd set
# of rules and, if necessary, triggers the configured action (action=). Similar to a
# classic firewall, a rule is considered true if every element of the set of rules (or
# one from every element list) applies to the comparison. I.e. the following rule:
#
# client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT
#
# triggers a REJECT if the
#
# Client address is equal (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
#
#
# Note:
# If an element occurs more than once, an element list is formed:
#
# The following rule set is equivalent to the above:
#
# client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT
#
#
# triggers a REJECT if (as above) the
#
# Client address (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
#
# ---
# Whitelists
# Whitelist trusted networks
id=WHL_NETS
&&TRUSTED_NETS
action=DUNNO
# Whitelist trusted hostnames
id=WHL_HOSTS
&&TRUSTED_HOSTS
action=DUNNO
# Whitelist sasl users
id=WHL_USERS
&&TRUSTED_USERS
action=DUNNO
# Whitelist senders
id=WHL_SENDERS
&&INCOMING
&&TRUSTED_SENDERS
action=DUNNO
# Blacklists
# Block networks
id=BL_NETS
&&BLOCK_NETS
action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS
# Block hostname
id=BL_HOSTS
&&BLOCK_HOSTS
action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS
# Block users
id=BL_USERS
&&BLOCK_USERS
action=REJECT User is blocked by Mailserver admins. Error: BL_USERS
# Blacklist sender
#
# Claim successful delivery and silently discard the message.
#
id=BL_SENDER
&&BLOCK_SENDER
#action=DISCARD
action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER
# Rate Limits
# Throttle unknown clients to 5 recipients per 5 minutes:
id=RATE_UNKNOWN_CLIENT_ADDR
sasl_username =~ /^$/
client_name==unknown
action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed)
# Block clients (ip-addresses) sending more than 50 messages per minute exceeded. Error:RATE_CLIENT)
id=RATE_CLIENT_ADDR
&&INCOMING
action=rate($$client_address/50/60/421 421 4.7.0 Too many connections from $$client_address)
# Block messages with more than 50 recipients
id=BLOCK_MSG_RCPT
&&INCOMING
&&SASL_AUTH
recipient_count=50
action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT
# Block users sending more than 50 messages/hour
id=RATE_MSG
&&INCOMING
&&SASL_AUTH
action=rate($$sasl_username/50/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG)
# Block users sending more than 250 recipients total/hour
id=RATE_RCPT
&&INCOMING
&&SASL_AUTH
action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT)

22
roles/common/files/b.mx/etc/postfix/postfwd.wl-hosts Normal file
View File

@@ -0,0 +1,22 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Trusted hosts whitelisted by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# Example:
#
# # all hosts of domain 'oopen.de'
# \.oopen\.de$
#
# # host a.mx.oopen.de
# ^a\.mx\.oopen\.de$
#
# ---
# give truested hostnames here

15
roles/common/files/b.mx/etc/postfix/postfwd.wl-nets Normal file
View File

@@ -0,0 +1,15 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Trusted networks whitelisted by postfwd
#
# Example:
#
# # web0.warenform.de
# #83.223.86.76
# #2a01:30:0:505:286:96ff:fe4a:6ee
# #2a01:30:0:13:286:96ff:fe4a:6eee
#
# ---
# give truested networrk adresses here

22
roles/common/files/b.mx/etc/postfix/postfwd.wl-sender Normal file
View File

@@ -0,0 +1,22 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Trusted senders whitelisted by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# Example:
#
# # all senders of maildomaindomain 'oopen.de'
# @oopen\.de$
#
# # sender address ckubu@oopen.de
# ^ckubu@oopen\.de$
#
# ---
# give trusted sender addresses here

9
roles/common/files/b.mx/etc/postfix/postfwd.wl-user
View File

@@ -2,6 +2,15 @@
# ---
# SASL Users whitelisted by postfwd
#
# example:
#
# # give trusted sasl usernames here
# ckubu@oopen.de
# vertrieb@akweb.de
#
# ---
# give trusted sasl usernames here
kanzlei-kiel@b.mx.oopen.de

0
roles/common/files/root/.ssh/b.mx-id_rsa-dehydrated → roles/common/files/b.mx/root/.ssh/b.mx-id_rsa-dehydrated
View File

0
roles/common/files/root/.ssh/b.mx-id_rsa-dehydrated.pub → roles/common/files/b.mx/root/.ssh/b.mx-id_rsa-dehydrated.pub
View File

0
roles/common/files/root/.ssh/b.mx-id_rsa-opendkim → roles/common/files/b.mx/root/.ssh/b.mx-id_rsa-opendkim
View File

0
roles/common/files/root/.ssh/b.mx-id_rsa-opendkim.pub → roles/common/files/b.mx/root/.ssh/b.mx-id_rsa-opendkim.pub
View File

0
roles/common/files/root/.ssh/c.mx-id_rsa → roles/common/files/c.mx/root/.ssh/c.mx-id_rsa
View File

0
roles/common/files/root/.ssh/c.mx-id_rsa-dehydrated → roles/common/files/c.mx/root/.ssh/c.mx-id_rsa-dehydrated
View File

0
roles/common/files/root/.ssh/c.mx-id_rsa-dehydrated.pub → roles/common/files/c.mx/root/.ssh/c.mx-id_rsa-dehydrated.pub
View File

0
roles/common/files/root/.ssh/c.mx-id_rsa-opendkim → roles/common/files/c.mx/root/.ssh/c.mx-id_rsa-opendkim
View File

0
roles/common/files/root/.ssh/c.mx-id_rsa-opendkim.pub → roles/common/files/c.mx/root/.ssh/c.mx-id_rsa-opendkim.pub
View File

0
roles/common/files/root/.ssh/c.mx-id_rsa.pub → roles/common/files/c.mx/root/.ssh/c.mx-id_rsa.pub
View File

135
roles/common/files/c.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf Normal file
View File

@@ -0,0 +1,135 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings for script check_cert_for_dovecot.sh
#-----------------------------
#---------------------------------------
# - service_domain
# -
# - The main domain for which the certificate was issued
# -
# - Example:
# - service_domain="a.mx.oopen.de"
# - service_domain="mail.cadus.org"
# - service_domain="mx.warenform.de"
# -
#service_domain=""
service_domain="mail.initiativenserver.de"
# - service_name
# -
# - Name of service.
# -
# - Note: this var will also be used to determin systemd service file
# - or sysVinit script.
# -
# - Example:
# - service_name="Mumble"
# - service_name="Prosody"
# -
# - Defaults to:
# - service_name="Dovecot"
# -
#service_name=""
# - check_string_ps
# -
# - String wich (clearly) identifies the service at the process list (ps)
# -
# - Example:
# - check_string_ps="[[:digit:]]\ /usr/sbin/murmurd"
# - check_string_ps=""
# -
# - Defaults to:
# - check_string_ps="[[:digit:]]\ /usr/local/dovecot-[[:digit:]]{1,2}\.[[:digit:]]{1,2}\.[[:digit:]]{1,2}(\.[[:digit:]]{1,2})?/sbin/dovecot"
# -
#check_string_ps=""
# - service_user
# -
# - User under which the service is running.
# -
# - Example:
# - service_user="mumble-server"
# - service_user="prosody"
# -
# - Defaults to:
# - service_user="prosody"
# -
#service_user=""
# - service_group
# -
# - Group under which the service is running.
# -
# - Example:
# - service_group="mumble-server"
# - service_group="prosody"
# -
# - Defaults to:
# - service_group="prosody"
# -
#service_group=""
# - cert_installed
# -
# - Locataion of certificate read by service
# -
# - Example:
# - cert_installed="/var/lib/mumble-server/fullchain.pem"
# - cert_installed="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem"
# -
# - Defaults to:
# - /etc/dovecot/ssl/mailserver.crt
# -
#cert_installed=""
# - key_installed
# -
# - Location of the key read by service
# -
# - Example:
# - key_installed="/var/lib/mumble-server/privkey.pem"
# - key_installed="/etc/prosody/certs/privkey_jabber.so36.pem"
# -
# - Defaults to:
# - /etc/dovecot/ssl/mailserver.key
# -
#key_installed=""
# - cert_newest
# -
# - Location of the newest certificate.
# -
# - Example:
# - cert_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/fullchain.pem"
# - cert_newest="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem"
# -
# - Defaults to:
# - /var/lib/dehydrated/certs/${service_domain}/fullchain.pem
# -
#cert_newest=""
# - key_newest
# -
# - Location of the newest Key
# -
# - Example:
# - key_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/privkey.pem"
# - key_newest="/var/lib/dehydrated/certs/jabber.so36.net/privkey.pem"
# -
# - Defaults to:
# - /var/lib/dehydrated/certs/${service_domain}/privkey.pem
# -
#key_newest=""

178
roles/common/files/c.mx/root/bin/monitoring/conf/check_webservice_load.conf Normal file
View File

@@ -0,0 +1,178 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - What to check
# -
check_load=true
check_mysql=true
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=false
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
mysql_credential_args="--login-path=local"
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="7.4"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"

172
roles/common/files/c.mx/root/bin/postfix/conf/create_opendkim_key.conf Normal file
View File

@@ -0,0 +1,172 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---------------------------------------------------------
# - Parameter Settings for script 'create_opendkim_key.sh'.
# ---------------------------------------------------------
# ----------
# DNS Server
# ----------
# - dns_dkim_zone_master_server
# -
# - The DNS Server who is serving the update zone and is used
# - for the dynamic updates (nsupdate)
# -
dns_dkim_zone_master_server="b.ns.oopen.de"
# - update_dns
# -
# - Possible Values are 'true' or 'false'
# -
#update_dns=""
# - update_zone
# -
# - Zone containing the DKIM TXT record.
# -
# - Defaults to '_domainkey.<dkim_domaini>'
# -
# - Note:
# - do NOT change/set this option unless you know what you do.
# -
#update_zone=""
# - TTL
# -
# - TTL for the DKIM TXT Record.
# -
# - Defaults to "" if update_dns=false
# - Defaults to "43200" if update_dns=true
#
#TTL=""
# ----------
# TSIG Key
# ----------
# - key_secret
# -
# - Sectret Key used by 'nsupdate' to create/update the
# - DKIM TXT record.
# -
# - Example:
# - key_secret="EtvvMdW0PXD4GMHP+onuHZ0dT/Z8OSJGlce/xH10OwI="
# -
key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw="
# - key_algo
# -
# - The key algorithm used for key creation. Available choices are: hmac-md5,
# - hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The
# - default is hmac-sha256. Options are case-insensitive.
# -
# - Example:
# - key_algo="hmac-md5"
# -
# - Defaults to 'hmac-sha256'
# -
key_algo="hmac-sha256"
# - key_name
# -
# - Name of the Key
# -
# - Defaults to "$update_zone"
# -
key_name="update-dkim"
# ----------
# Access Credentials DNS Server
# ----------
# - dns_ssh_user
# -
# - Defaults to 'manage-bind'
# -
#dns_ssh_user="manage-bind"
# - dns_ssh_port
# -
# - Defaults to '22'
# -
#dns_ssh_port=22
# - dns_ssh_key
# -
# - Defaults to '/root/.ssh/id_rsa-opendkim'
# -
#dns_ssh_key="/root/.ssh/id_rsa-opendkim"
# ----------
# Scripts envoked at DNS Server
# ----------
# - set_new_serial_script
# -
# - Script increases the serial for a given domain or a given
# - hostname's concerning domain.
# -
# - Defaults to '/root/bin/bind/bind_set_new_serial.sh'
# -
#set_new_serial_script="/root/bin/bind/bind_set_new_serial.sh"
# - create_dkim_delegation_script
# -
# - Script adds DKIM subdomain delegation for a given domain
# -
# - Defaults to '/root/bin/bind/bind_create_dkim_delegation.sh'
# -
#create_dkim_delegation_script="/root/bin/bind/bind_create_dkim_delegation.sh"
# - add_dkim_zone_master_script
# -
# - Script adds zone _domainkey.<dkim domain> as master zone
# -
# - Defaults to '/root/bin/bind/bind_add_dkim_zone_master.sh'
# -
#add_dkim_zone_master_script="/root/bin/bind/bind_add_dkim_zone_master.sh"
# - add_dkim_zone_slave_script
# -
# - Script adds zone _domainkey.<dkim domain> as slave zone
# -
# - Defaults to '/root/bin/bind/bind_add_dkim_zone_slave.sh'
# -
#add_dkim_zone_slave_script="/root/bin/bind/bind_add_dkim_zone_slave.sh"
# ----------
# OpenDKIM Installation
# ----------
# - opendkim_dir
# -
# - OpenDKIM's etc-directory
# -
# - Defaults to opendkim_dir="/etc/opendkim"
# -
#opendkim_dir="/etc/opendkim"
# - key_base_dir
# -
# - Defaults to "${opendkim_dir}/keys"
# -
#key_base_dir=${opendkim_dir}/keys
# - signing_table_file
# -
# - Defaults to "${opendkim_dir}/signing.table"
# -
#signing_table_file="${opendkim_dir}/signing.table"
# - key_table_file
# -
# - Defaults to "${opendkim_dir}/key.table"
# -
#key_table_file="${opendkim_dir}/key.table"

86
roles/common/files/c.mx/root/bin/postfix/conf/postfix_add_mailboxes.conf Normal file
View File

@@ -0,0 +1,86 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ----------------------------------------------------
# ---
# - Parameter Settings for script 'postfix_add_mailboxes.sh'.
# ---
# ----------------------------------------------------
# - dovecot_enc_method
# -
# - The (dovecot) password scheme which should be used to generate the hashed
# - passwords of EXISTING users.
# -
# - Possible values are:
# -
# - See output of 'doveadm pw -l'
# -
# - DEFAULTS to: dovecot_enc_method="SHA512-CRYPT"
# -
#dovecot_enc_method="SHA512-CRYPT"
# - in_file
# -
# - The file from wich the script reads the e-mail-address/password
# - kombination(s). Each line in this file must only contain
# - <emal-address> <password>
# -
# - Defaults to: in_file="${conf_dir}/mailboxes_new.lst"
# -
#in_file="${conf_dir}/mailboxes_new.lst"
# - db_type
# -
# - Type of Postfix Database
# -
# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL)
# -
# - Defaults to: db_type="pgsql"
# -
#db_type="pgsql"
# - db_name
# -
# - Database name for the postfix database
# -
# - Defaults to: db_name="postfix"
# -
#db_name="postfix"
# - db_name
# -
# - Database name for the postfix database
# -
# - Defaults to: db_name="postfix"
# -
#db_name="postfix"
# - mysql_credential_args (root access to MySQL Database)
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - Defaults to:
# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system
# - '/usr/local/mysql/sys-maint.cnf' otherwise
# -
#mysql_credential_args=""
# - quota
# -
# - The quota setting for the new mailboxes.
# -
# - Defaults to: quota="536870912"
# -
#quota="536870912"
quota=1073741824
# - log_file
# -
# - Where to write logging informations?
# -
# - Defaults to: log_file="${script_dir}/log/postfix_add_mailboxes.log"
# -
#log_file="${script_dir}/log/postfix_add_mailboxes.log"

94
roles/common/files/c.mx/root/bin/postfix/conf/sent_userinfo_postfix.conf Normal file
View File

@@ -0,0 +1,94 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ----------------------------------------------------
# ---
# - Parameter Settings for script 'sent_userinfo_postfix.sh'.
# ---
# ----------------------------------------------------
# - message_body_file
# -
# - Full path to file containing the user info. This file must contain
# - the message body WITHOUT e-mail headers. If file is placed in the
# - 'files' directory use '${file_dir}/<file-name>'
# -
# - Defaults to '${file_dir}/sent_userinfo_postfix.message'
# -
#message_body_file="${file_dir}/sent_userinfo_postfix.email"
# - email_from
# -
# - From Address of user info
# -
# - Example: 'oo@oopen.de'
# -
#email_from=""
email_from="admin@initiativenserver.de"
# - email_from_org
# -
# - Example: email_from_org="O.OPEN"
# -
#email_from_org=""
email_from_org="Aktionsbuendnis Brandenburg"
# - db_type
# -
# - Type of Postfix Database
# -
# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL)
# -
# - Defaults to: db_type="pgsql"
# -
#db_type="pgsql"
# - db_name
# -
# - Database name for the postfix database
# -
# - Defaults to: db_name="postfix"
# -
#db_name="postfix"
# - mysql_credential_args (root access to MySQL Database)
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - Defaults to:
# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system
# - '/usr/local/mysql/sys-maint.cnf' otherwise
# -
#mysql_credential_args=""
# - mail_user
# -
# - The owner of the mailbox directories and within the e-mails itself.
# -
# - defaults to mail_user="vmail"
# -
#mail_user="vmail"
# - mail_group
# -
# - The group of the mailbox directories
# -
# - defaults to mail_group="vmail"
# -
#mail_group="vmail"
# - mail_basedir - No more needed!
# -
# - The root directory where all mailbox-domains are located.
# -
# - Defaults to '/var/vmail'.
# -
#mail_basedir=/var/vmail

44
roles/common/files/c.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf Normal file
View File

@@ -0,0 +1,44 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ======================================================
# ---
# Parameter Settings for Script 'whitelist_mb_sigs.conf'
# ---
# ======================================================
# QUARANTINE_BASE_DIR
#
# Base directory where amavis stores quarantined e-mails, mostly in
#
# virus e-mails: $QUARANTINE_BASE_DIR/virus
# spam emails: $QUARANTINE_BASE_DIR/spam
# ..
#
# Defaults to:
# QUARANTINE_BASE_DIR="/var/QUARANTINE"
#
#QUARANTINE_BASE_DIR="/var/QUARANTINE"
# CLAMAV_VIRUS_WHITE_LIST
#
# Full path to clamav's (personal) white list file
#
# Defaults to:
# CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2"
#
#CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2"
# WHITE_LIST_STRINGS
#
# A blank separated list of strings to whitelist.
#
# Example:
# WHITE_LIST_STRINGS="google.com tinyurl.com"
#
# Defaults to:
# WHITE_LIST_STRINGS="google.com"
#
#WHITE_LIST_STRINGS="google.com"
WHITE_LIST_STRINGS="google.com tinyurl.com"

22
roles/common/files/e.mx/etc/postfix/postfwd.bl-hosts Normal file
View File

@@ -0,0 +1,22 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# hosts blocked by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# Example:
#
# # block all hosts of domain 'oopen.de'
# \.oopen\.de$
#
# # block host a.mx.oopen.de
# ^a\.mx\.oopen\.de$
#
# ---
# give hostnames to blocke here

16
roles/common/files/e.mx/etc/postfix/postfwd.bl-nets Normal file
View File

@@ -0,0 +1,16 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Networks blocked by postfwd
#
# Example:
#
# # web0.warenform.de
# #83.223.86.76
# #2a01:30:0:505:286:96ff:fe4a:6ee
# #2a01:30:0:13:286:96ff:fe4a:6eee
#
# ---
# give networks to block here

38
roles/common/files/e.mx/etc/postfix/postfwd.bl-sender Normal file
View File

@@ -0,0 +1,38 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Sender addresses blocked by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# @acieu\.co\.uk$
# ^error@mailfrom.com$
#
# instedt of
#
# @acieu.co.uk
# error@mailfrom.com
#
#
# Example:
#
# # # annoying spammer domains
# # block all senders of maildomaindomain 'oopen.de'
# @acieu\.co\.uk$
#
# # annoying spammer addresses
# # block sender address
# error@mailfrom.com
# sqek@eike\.se$
#
# ---
# annoying spammer domains
@acieu\.co\.uk$
# annoying spammer addresses
^error@mailfrom\.com$
^sqek@eike\.se$

13
roles/common/files/e.mx/etc/postfix/postfwd.bl-user Normal file
View File

@@ -0,0 +1,13 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# SASL Users blocked by postfwd
#
# Example:
#
# # give SASL usernames to block here
# ckubu@oopen.de
#
# ---
# give SASL usernames to block here

172
roles/common/files/e.mx/etc/postfix/postfwd.cf Normal file
View File

@@ -0,0 +1,172 @@
#======= Definitions ============
# Match messages with an associated SASL username
&&SASL_AUTH {
sasl_username!~^$
}
# Trusted networks
&&TRUSTED_NETS {
client_address==file:/etc/postfix/postfwd.wl-nets
}
# Trusted hostnames
# client_name~=.warenform.de$
&&TRUSTED_HOSTS {
client_name=~file:/etc/postfix/postfwd.wl-hosts
}
# Trusted users
&&TRUSTED_USERS {
sasl_username==file:/etc/postfix/postfwd.wl-user
}
# Trusted senders
&&TRUSTED_SENDERS {
sender=~file:/etc/postfix/postfwd.wl-sender
}
# Blacklist networks
&&BLOCK_NETS {
client_address==file:/etc/postfix/postfwd.bl-nets
}
# Blacklist hostnames
&&BLOCK_HOSTS {
client_name=~file:/etc/postfix/postfwd.bl-hosts
}
# Blacklist users
&&BLOCK_USERS {
sasl_username==file:/etc/postfix/postfwd.bl-user
}
# Blacklist sender adresses
&&BLOCK_SENDER {
# =~
# using '=~' allows also matching entries for domains (i.e. @acieu.co.uk)
sender=~file:/etc/postfix/postfwd.bl-sender
}
# Inbound emails only
&&INCOMING {
client_address!=127.0.0.1
}
#======= Rule Sets ============
# ---
#
# Processing of the Rule Sets
#
# The parser checks the elements of a policy delegation request against the postfwd set
# of rules and, if necessary, triggers the configured action (action=). Similar to a
# classic firewall, a rule is considered true if every element of the set of rules (or
# one from every element list) applies to the comparison. I.e. the following rule:
#
# client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT
#
# triggers a REJECT if the
#
# Client address is equal (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
#
#
# Note:
# If an element occurs more than once, an element list is formed:
#
# The following rule set is equivalent to the above:
#
# client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT
#
#
# triggers a REJECT if (as above) the
#
# Client address (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
#
# ---
# Whitelists
# Whitelist trusted networks
id=WHL_NETS
&&TRUSTED_NETS
action=DUNNO
# Whitelist trusted hostnames
id=WHL_HOSTS
&&TRUSTED_HOSTS
action=DUNNO
# Whitelist sasl users
id=WHL_USERS
&&TRUSTED_USERS
action=DUNNO
# Whitelist senders
id=WHL_SENDERS
&&INCOMING
&&TRUSTED_SENDERS
action=DUNNO
# Blacklists
# Block networks
id=BL_NETS
&&BLOCK_NETS
action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS
# Block hostname
id=BL_HOSTS
&&BLOCK_HOSTS
action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS
# Block users
id=BL_USERS
&&BLOCK_USERS
action=REJECT User is blocked by Mailserver admins. Error: BL_USERS
# Blacklist sender
#
# Claim successful delivery and silently discard the message.
#
id=BL_SENDER
&&BLOCK_SENDER
#action=DISCARD
action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER
# Rate Limits
# Throttle unknown clients to 5 recipients per 5 minutes:
id=RATE_UNKNOWN_CLIENT_ADDR
sasl_username =~ /^$/
client_name==unknown
action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed)
# Block clients (ip-addresses) sending more than 50 messages per minute exceeded. Error:RATE_CLIENT)
id=RATE_CLIENT_ADDR
&&INCOMING
action=rate($$client_address/50/60/421 421 4.7.0 Too many connections from $$client_address)
# Block messages with more than 50 recipients
id=BLOCK_MSG_RCPT
&&INCOMING
&&SASL_AUTH
recipient_count=50
action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT
# Block users sending more than 50 messages/hour
id=RATE_MSG
&&INCOMING
&&SASL_AUTH
action=rate($$sasl_username/50/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG)
# Block users sending more than 250 recipients total/hour
id=RATE_RCPT
&&INCOMING
&&SASL_AUTH
action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT)

22
roles/common/files/e.mx/etc/postfix/postfwd.wl-hosts Normal file
View File

@@ -0,0 +1,22 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Trusted hosts whitelisted by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# Example:
#
# # all hosts of domain 'oopen.de'
# \.oopen\.de$
#
# # host a.mx.oopen.de
# ^a\.mx\.oopen\.de$
#
# ---
# give truested hostnames here

15
roles/common/files/e.mx/etc/postfix/postfwd.wl-nets Normal file
View File

@@ -0,0 +1,15 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Trusted networks whitelisted by postfwd
#
# Example:
#
# # web0.warenform.de
# #83.223.86.76
# #2a01:30:0:505:286:96ff:fe4a:6ee
# #2a01:30:0:13:286:96ff:fe4a:6eee
#
# ---
# give truested networrk adresses here

22
roles/common/files/e.mx/etc/postfix/postfwd.wl-sender Normal file
View File

@@ -0,0 +1,22 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Trusted senders whitelisted by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# Example:
#
# # all senders of maildomaindomain 'oopen.de'
# @oopen\.de$
#
# # sender address ckubu@oopen.de
# ^ckubu@oopen\.de$
#
# ---
# give trusted sender addresses here

15
roles/common/files/e.mx/etc/postfix/postfwd.wl-user Normal file
View File

@@ -0,0 +1,15 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# SASL Users whitelisted by postfwd
#
# example:
#
# # give trusted sasl usernames here
# ckubu@oopen.de
# vertrieb@akweb.de
#
# ---
# give trusted sasl usernames here

0
roles/common/files/root/.ssh/e.mx-id_rsa-dehydrated → roles/common/files/e.mx/root/.ssh/e.mx-id_rsa-dehydrated
View File

0
roles/common/files/root/.ssh/e.mx-id_rsa-dehydrated.pub → roles/common/files/e.mx/root/.ssh/e.mx-id_rsa-dehydrated.pub
View File

0
roles/common/files/root/.ssh/e.mx-id_rsa-opendkim → roles/common/files/e.mx/root/.ssh/e.mx-id_rsa-opendkim
View File

0
roles/common/files/root/.ssh/e.mx-id_rsa-opendkim.pub → roles/common/files/e.mx/root/.ssh/e.mx-id_rsa-opendkim.pub
View File

2
roles/common/files/e.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf
View File

@@ -1,3 +1,5 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings for script check_cert_for_dovecot.sh

2
roles/common/files/e.mx/root/bin/monitoring/conf/check_webservice_load.conf
View File

@@ -1,3 +1,5 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings

2
roles/common/files/e.mx/root/bin/postfix/conf/create_opendkim_key.conf
View File

@@ -1,3 +1,5 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---------------------------------------------------------
# - Parameter Settings for script 'create_opendkim_key.sh'.
# ---------------------------------------------------------

2
roles/common/files/e.mx/root/bin/postfix/conf/postfix_add_mailboxes.conf
View File

@@ -1,3 +1,5 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ----------------------------------------------------
# ---
# - Parameter Settings for script 'postfix_add_mailboxes.sh'.

2
roles/common/files/e.mx/root/bin/postfix/conf/sent_userinfo_postfix.conf
View File

@@ -1,3 +1,5 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ----------------------------------------------------
# ---
# - Parameter Settings for script 'sent_userinfo_postfix.sh'.

2
roles/common/files/e.mx/root/bin/postfix/conf/whitelist_mb_sigs.conf
View File

@@ -1,3 +1,5 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ======================================================
# ---
# Parameter Settings for Script 'whitelist_mb_sigs.conf'

51
roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-dehydrated Normal file
View File

@@ -0,0 +1,51 @@
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEA8Q7zcxe+VCBbnLzMVLlLKBfjle1hBDwTAv18dSSvpXc6iy4R
1UGWoS4tm+8EV8uBdd40vvkwdGGrLDPplsSqdPFaSj5wlRh7zHTYbRwq9RFFLnk0
xvJQk8HrQTV+MNAI4Of0nqf1JcgPL0d0mcug7gZ9gQCdFHjcKZafpbl4Afri2Chc
SHd4HGlXmVMYwM9W4TzWfauxaYVLxhpO/aBQ4v5NKFGIYlZN/D67JNA0uSZ/geGq
lCWQpVMLh7avWR2mdRo6hHcM9hmF7J1R3GZKzXIlSHHEIy+fru7Da+Ak2ufWI/P8
aY1lQrHOkxK91oOk8BT/WIFKKVxby5mI+jdO4rTn95Ha4pYvGrxTPiywwO0Lmpzm
1ti1iRSV4aFIQ7BpFKCzb4/vdFUjM/cTI4qGNbCv/dpAVSRuAcZ2T82QKSK6FpgE
FJJ6v6pk6oB/9E+vOyW+2gOB5Rva5h6OpSIQmbRfPbXIujEQ6lFmqV7dbBrf6nkG
Gk6xf3ZJyqFCwTy+ea9RZ1ZiXlF+p9xVJPhSiAfwL7+EdfkDjfQaS2SJKy1qQw+v
2mG315hjJzL7y/KoiNcNG9VVrKAc4v0mG7fHs+4+YdMEBRvpciYgdEVRtJBGePe3
RyBS4zwqJHJP9Ev3xUFFPw0dT3FaXRFLzeXOC3fCeBCM6tb5HkXUuk0DxdcCAwEA
AQKCAgAWbf+1C9aH2WLs2JxincMifeaNQsMuM7DJLHDyLXGygb+Ox8CdCTdM1BEm
Wz0aNjNblktuIZ2ilpvoxwPLJY1+yB5QnjK3jMmoIo8ox+AvYWYAhwKkKFPbC8Yq
ESImxJSu6KZYROSImW7gRVPSI6Jbw3rWEAqNpxlFPWCpePJzrLaCym6bx5IDgsHF
4HeDKUe6OYDzvJALc32zdys2aj5cgLEJOVzpWYJ0IBoluMHPIIfou+i1VDF7UJjY
DeWO8zVT3Bbp0HICTCmr9I9zZIk9SIuzi/JmG75N9qV0WizTuZKxUbiA0clERWsl
QC8t0J3+QNXplE4kPxXDggu+zHqoa1VK4ZeNFMMOHv2R87PXgwOhIEBRY5/QQdKH
M0RWLcUHiyakx+QyfWNOUTwPNHpwwicHJR/k2oppIYvQj121acsSo0br+Zncg0Dg
WagHBGbZncjXCXWsZktRTz4srNoTEytVUqbVt6RCdUeEI6K6rh0X6w+qpu0GmS0X
CykA/VzxAVZT2F9FBrp/l+6MeoiBSdwjqmBPp+2NcIJNLfS8NrjRIbWI03CIkCuR
dKEDVnHIX2O4QAQgNfxFIbnelbQ6fZ74scpsF1pqhIwsajEgIuDINx3pd0OQCK4U
yjK6BkpoOXn1AbM0l5F63st5zjb35iibIUP/baQ8UZCRYKiEsQKCAQEA+08MrI/f
SrelrhuBZvXicxL2MDBz1FZwSgltIsCrtBZQrCyrh7myISor2DZLe0XftFSRaZQa
iBjrhsgHD2EetGmPT/zaQEc/fJo20JDkWs8E5Z6b18NYaOuhMXlpinXgS/myD9UX
vLY3DN+YVnb0q/uhm+ddYQaxQ24rdFbI3EH66fgy33NB4A0yVTjazp29RdKHXL3m
2OtXIh2BqUPeau639iLRU9PzjYVzX7M6ddKuhYatblOrprnJyUx1jrGjfjRUt8D1
Mn4scMfmRYg8eH3bh+Kp4l0QHYRq8+KR2i7QZ4Gh4WHp7ROiwuHf3IBPyYHgb6FI
tnaRmXOzwkV8bQKCAQEA9Y7qxkr8D5iVzH0M5xJOch1pZ4e4Eq2wsZQ4eFX+1aZr
nqAgCCs/UuEdbJh7AdUQhjtLsEW2WjOEEqMyXAVc5wgNGh6Zw46CvCIJ+k7rKccF
xx4b/Fwm8D0eXTGdiGA0shkelRGX8HN3AJp8dKy6vDrumSDZXdqZi8lkjz09NdYm
rt/qC3/4getxOkeDS6tlUSCISm15XoL00taDskpUl0hqqxzsd1+RDvmCcook3Re6
iBi1RwCmoF4Dil94q8fjMEAxg5RtHnYxWWDpFSHzhE7TAkE8jW3V9tg1Pfb9JMYU
glojMEHOsETyNqNVqIwHMvmXIVW7aiigv6ctneQY0wKCAQAKSM/h9/lRW3aiS2ne
Rs2/m9ULX9A9rlPmE8CtnWjpc8hVY3aZlVXe2ZT1wjMQlmlzPcq9oVv8mdh5qZHw
ZS8WfwNoaJad7syAUudPXb6aoMI4i2chS1NA5/OuzKMvEWfedBd/Yl8YT/SsyDG5
yCB3MVMJyEwf/mAevFF2715E9UZJcOjUEClv+9pFdpAtyHLIercjanoaAneMY9y8
ipR9l8tbfU1HuvLKpd102ybXT4no2Pwb+byalBvX6xMchdSFA6s74d+m81bqPqQD
0HF5FN15ECOXqetQ6exekrUZUrUgp0Nyr8kc9KLCiu/YXD/npTMEHnuVTADlYMDI
gIN5AoIBABq59Gmira6Q3/UCw02/G1SmSNug1PMLfojFZiQK0BK26023heT9uAWw
RMCWFAVOCF9jwsgrvj4xDzXsF0YWu1bV9H8cR4YWU7pgRg+9WTER3Voft9IOwZoy
PMTN6qR2PCYKP97frFbaamBhcBxO1IA6Nc/q2F2ztjSVteE1PB1I8qrj6hhYVFbn
pko+kFbDD+L1lH/tTGFyBW2RNYJJPs28bweyvTX868/ibkVDLeH2fDHl5o0U0A3y
TZZY78xalCqjQgBdPkcrfBGLT7MiH9wNrD+5k/qcssYMIDdfU4wWFxNc9imBcBqV
VnuF6YPPwdTVf5J8P0q9o0lYy8k8k0sCggEBAMLlHCucicV2ldGH1hvcsUEBbsS1
Ave+1utiGpb9QCHKpMLmBzxNFq6ZgV52F03pDjR/ACiuT40Uc2uxAiw6EQ6UtU6s
dd8mKUjJUAUi/fujCFs0nn9VETZGBSyUipLA4AH6LyJSwXLZ4HKN37o34K9CcMJ0
XBYm+67Inn37Z/lRSViGTBSyOizwN1KHGQoEtUlTD5iMBdvmr44unaPB4WXzbKX7
nm9yeN+OjAvxfvYRczmmlOJ3+p6CqRqOOv21pdV6DOfJ4kml1Y2A+gYft4rANOGC
KaBJaopIm11AMyiauOMrGy7L968xOfKRLnXGjxNqg5+I9YD6V91y32vOJWc=
-----END RSA PRIVATE KEY-----

1
roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-dehydrated.pub Normal file
View File

@@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDxDvNzF75UIFucvMxUuUsoF+OV7WEEPBMC/Xx1JK+ldzqLLhHVQZahLi2b7wRXy4F13jS++TB0YassM+mWxKp08VpKPnCVGHvMdNhtHCr1EUUueTTG8lCTwetBNX4w0Ajg5/Sep/UlyA8vR3SZy6DuBn2BAJ0UeNwplp+luXgB+uLYKFxId3gcaVeZUxjAz1bhPNZ9q7FphUvGGk79oFDi/k0oUYhiVk38Prsk0DS5Jn+B4aqUJZClUwuHtq9ZHaZ1GjqEdwz2GYXsnVHcZkrNciVIccQjL5+u7sNr4CTa59Yj8/xpjWVCsc6TEr3Wg6TwFP9YgUopXFvLmYj6N07itOf3kdrili8avFM+LLDA7QuanObW2LWJFJXhoUhDsGkUoLNvj+90VSMz9xMjioY1sK/92kBVJG4BxnZPzZApIroWmAQUknq/qmTqgH/0T687Jb7aA4HlG9rmHo6lIhCZtF89tci6MRDqUWapXt1sGt/qeQYaTrF/dknKoULBPL55r1FnVmJeUX6n3FUk+FKIB/Avv4R1+QON9BpLZIkrLWpDD6/aYbfXmGMnMvvL8qiI1w0b1VWsoBzi/SYbt8ez7j5h0wQFG+lyJiB0RVG0kEZ497dHIFLjPCokck/0S/fFQUU/DR1PcVpdEUvN5c4Ld8J4EIzq1vkeRdS6TQPF1w== root@mail.cadus.org

51
roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-opendkim Normal file
View File

@@ -0,0 +1,51 @@
-----BEGIN RSA PRIVATE KEY-----
MIIJKgIBAAKCAgEAzOY9bQkcFRrxmrVUFS8VM1eK+ROUBEV8ZBBnBqGrCxfMwUDu
SmOtIqlPwyw419M09ho7uXZVVHf7NTf3or9C4X4MTnCit9bVjlZvKF+YLCAvsr/X
CGwCaLobLVcQIBqFHIuZtv4rP6tln1EVrrxhaAlc6yUXqk4f8jJGHoHEaZxUr/vz
rnCLf6kMrDkEh8if5qyF+h50yr1oGx41Zz49I5InEeccnxmcT2EGEuKLDcnlskeX
+UGiFxVB4VpkHfpsN5u+ZJJMcKPEJtP8o+1uymTWg9gGsIhRTcstN+EC1BJMf8WZ
KdoA//Gq6i2eUv5q4R+Luy6zeQXhPvEaCsilZR1onWlw9cvUunCunEP3zvhqti4X
Pi4ITwGh9Mk4H2FO2AQnKjWBMku7BhDIfLvGkBU2AljqWWouW/p7vWOh5g2T+woH
w+GzSATQZdQrBk4VoUk+wyA4T6CeMbaAop7saKqvEXY21aQHz1HnJL82Yp8H+qdX
3ynAYUyWCP/mmKzaj6Cwp+vqT/9G9QOu5MpdButMTtdz558SUrEQYk4qg/DmDzOg
Q5kLn7XO91ziWWx8Q91RTtAeONJPeP0vVkKjDVWh+wADEmm1PXa7yPGn4MMXX7ke
3c0GWDLWVavcYHP514m01un7fO8mNoPHibDzTC0rznbhPGvlZ1JgIfqdEqUCAwEA
AQKCAgAMQxMV/V+S28PtsEBR7Dlmkyyb71ICV240Rs8DlJU52rjEL/CSvxhTZLKD
SZg1Qkx/Fd7RIIXGwk9kRe8p7CxCdlqiLxdtzQuGsyF/1wiyS1LPba+er2gNgGWz
9uveH/grVydhziAkdUtll2KmzFs/8J+A6v1ZkcdTpTKRDM8GSva+eWOB4vZWM3Ww
sNDWl2kKUvTJnRz8LQ2X4dzsSss537s61QvfcZbrITFN3ATaVGTMoIA1yHm8y+bf
Z5tqN9xWD5n7Rs4QR5yrfjA2VzU0I4i65yivU9kZwLj6CRs0OcweMWMTIBrDNmE2
FnjNGrCmvE6OayMOcQ2jyKX4Uz2ijgVcelY/KzVl6VZK1bj3ooZYEqZOhj2dKnvJ
rqAKzOTjVUMPAi52I/l8/lTmJbJlkaNpAgu64xXRquxhJNCNhqTn0I2OzM5oTV0c
gcCrOLmCN4qwuronM7JI1Zj0PRKNOavhIg4qI2hgNqIeE4RBURGLzvnquz1vhPyr
LurhblP5+9bcuG0+rO0eWK0TJMzeHuf+AIo3XZGJhP06aoABFhfgtDqcKALZ8gic
fa/4mu5jkvCO6a3y+TfJtS1IVpIRLiOfSYJ9As+E1l/ahfG28/DJvOeICv2mR46l
t4gnYu+u2j21UxH0VfoT54PJFW3b5fFZpNmP1h/51u+pEmbbgQKCAQEA8j59XYPQ
bjvW4zssTWHUGxIfGrzrcOahpZMxk/2F19nhjs55ILk1Tu0niPcLKq0JftjxQ/AN
x3SyxXrbngxpH1VdNGFujn61g/FTdSyr5APtORLjbgS3gu6OHocjvQeS7ApZlfGW
ptn4bRiHOyZJMu0kv7ZOgR4LfmwMF7mWXAhlOxAu6q3Nl9qc8pBXc62xfHfL+5Zv
JapfcjvhonIw1zDHLJ+Z6B+w/+j4PWl/uEfLCQ+waO+wVwjuCABXg4NTiTjfhNol
PM7sjmhS3a8INIoLrdF+SdxVlOynCg+t1Y3A8PYc84+4l+jeopYLqtMTHPDsQfU+
PdDv//8WJVrlsQKCAQEA2IjeZt6OnvatltY/ynlusRergaOc+8jQeFLlg7Rvs4NO
0/dq5bBWpNc0kmY8ARKGMYS13bVv38ZGVeXaxmMTPbf+eUOu2wZJaawq23UWDEor
DV7mQutGy7yosVBzIa3bFR+CW0pTHvTyPhQmWgFsflMsjZKSR8IjhIYkW9XIJN2i
Ho4Hef5MN2VXjt9hOOt0hH5KsIJ8iQM6fS6eMRw4EjRADp53ps3HfTSNAa1w8op3
9YltsarFG+1zRBlbLrbIiWNmmfu5Q5R8pbPgOY29bQTMbWPD3iyrM/rUvVppDOyw
g9I0wVYBLfXP4LD/DeWm3X8vm3O3LwGKD5KFwjQVNQKCAQEAw+hHqL42bT/VnHU5
cedhCveP0ibg3bCXH/m3SbDpclRRtxVCHnXKJ+dhZsIr9Lp2CHDYRZI5AopdHZor
TFlLFr0JoJf/Ohw9HdSoIwYaiU+npNWiulH0O15D72ppO7GJX31LUBlONefnogsJ
Kove/OGOK8D7Ii6zKu2kpfdAI3Pism53EvG2aE2zSfPz1ait9jRH8lKJ1tM/V3oY
EzD4UL+xBGSaqoAevAej4r6UPOtKxyw6BdN6MBkXr77fB4vInhwxoBZvsQrDgrPZ
+FBaeWr+4PaghIk9aTAuMtPVSPTYCcdwSIV9ytTYYHKqQt9rAKfS2dDFImb8AXNB
bLpjMQKCAQEAlrm3Lh4PYuHM9akPYG5kucsDLEtqc+1WB9uUPbh05J0rWurnsxir
RzUyOBIIBKsTVBbPzZOFW1wWC6bjQaMnepfAAEM3zOg0Y+VfM8Ht5gIes8DyQXSq
pBkfx8V7Tt9JGAwF3mv/LhZNJR87jv1cuxZEdgun3WFq/c2uM2q9VcQdHG27EJUO
EqVtbFtbvpZPVgbfELzT2T+xEABKR18gPLO4PzTZjvfAvAu/d4J2k64FUJooDDsV
15nS2X1Y9kxvjQrvGZKaZEtQ9LsgApACYoerkR2X8uhfB+C7A0+Svldni2rgJBAs
5AQufnZWJCNOovHsfqXuxj6pDqvshcFhXQKCAQEAiTdFEQ5phltKANr+viBS4Mec
UwbIRUg4MZOaOLqHytCh30uK/a+fX6SwbVcuD2IFheUorox8GsC13a/5ruKO2Vh/
JccgfkypMDDYzoAodrX1lBQvlvc5SnNhNTJMlMqkWQcKtILy+f2gzxx/xsA9b92t
LpAnrGIKnbf+ewnfOvJqopBxr1H6EanCjo7VtDPU8l5zR/xxaWAwZV1/z0y1CwkP
MNTp6Xao1lVrgjUz2s9VykDPIDE8FazmnSKSXbuxuEo3+qlPhDKVVsd7LSMdlukz
lkrS7ROdtFNB91sQnwmSPdTCqjso8SUIlpFqGfno5pl7UPD6DuQQDHsF6lMajw==
-----END RSA PRIVATE KEY-----

1
roles/common/files/mail.cadus/root/.ssh/mail.cadus-id_rsa-opendkim.pub Normal file
View File

@@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDM5j1tCRwVGvGatVQVLxUzV4r5E5QERXxkEGcGoasLF8zBQO5KY60iqU/DLDjX0zT2Gju5dlVUd/s1N/eiv0LhfgxOcKK31tWOVm8oX5gsIC+yv9cIbAJouhstVxAgGoUci5m2/is/q2WfURWuvGFoCVzrJReqTh/yMkYegcRpnFSv+/OucIt/qQysOQSHyJ/mrIX6HnTKvWgbHjVnPj0jkicR5xyfGZxPYQYS4osNyeWyR5f5QaIXFUHhWmQd+mw3m75kkkxwo8Qm0/yj7W7KZNaD2AawiFFNyy034QLUEkx/xZkp2gD/8arqLZ5S/mrhH4u7LrN5BeE+8RoKyKVlHWidaXD1y9S6cK6cQ/fO+Gq2Lhc+LghPAaH0yTgfYU7YBCcqNYEyS7sGEMh8u8aQFTYCWOpZai5b+nu9Y6HmDZP7CgfD4bNIBNBl1CsGThWhST7DIDhPoJ4xtoCinuxoqq8RdjbVpAfPUeckvzZinwf6p1ffKcBhTJYI/+aYrNqPoLCn6+pP/0b1A67kyl0G60xO13PnnxJSsRBiTiqD8OYPM6BDmQuftc73XOJZbHxD3VFO0B440k94/S9WQqMNVaH7AAMSabU9drvI8afgwxdfuR7dzQZYMtZVq9xgc/nXibTW6ft87yY2g8eJsPNMLSvOduE8a+VnUmAh+p0SpQ== root@mail

135
roles/common/files/mail.cadus/root/bin/monitoring/conf/check_cert_for_dovecot.conf Normal file
View File

@@ -0,0 +1,135 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings for script check_cert_for_dovecot.sh
#-----------------------------
#---------------------------------------
# - service_domain
# -
# - The main domain for which the certificate was issued
# -
# - Example:
# - service_domain="a.mx.oopen.de"
# - service_domain="mail.cadus.org"
# - service_domain="mx.warenform.de"
# -
#service_domain=""
service_domain="mail.cadus.org"
# - service_name
# -
# - Name of service.
# -
# - Note: this var will also be used to determin systemd service file
# - or sysVinit script.
# -
# - Example:
# - service_name="Mumble"
# - service_name="Prosody"
# -
# - Defaults to:
# - service_name="Dovecot"
# -
#service_name=""
# - check_string_ps
# -
# - String wich (clearly) identifies the service at the process list (ps)
# -
# - Example:
# - check_string_ps="[[:digit:]]\ /usr/sbin/murmurd"
# - check_string_ps=""
# -
# - Defaults to:
# - check_string_ps="[[:digit:]]\ /usr/local/dovecot-[[:digit:]]{1,2}\.[[:digit:]]{1,2}\.[[:digit:]]{1,2}(\.[[:digit:]]{1,2})?/sbin/dovecot"
# -
#check_string_ps=""
# - service_user
# -
# - User under which the service is running.
# -
# - Example:
# - service_user="mumble-server"
# - service_user="prosody"
# -
# - Defaults to:
# - service_user="prosody"
# -
#service_user=""
# - service_group
# -
# - Group under which the service is running.
# -
# - Example:
# - service_group="mumble-server"
# - service_group="prosody"
# -
# - Defaults to:
# - service_group="prosody"
# -
#service_group=""
# - cert_installed
# -
# - Locataion of certificate read by service
# -
# - Example:
# - cert_installed="/var/lib/mumble-server/fullchain.pem"
# - cert_installed="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem"
# -
# - Defaults to:
# - /etc/dovecot/ssl/mailserver.crt
# -
#cert_installed=""
# - key_installed
# -
# - Location of the key read by service
# -
# - Example:
# - key_installed="/var/lib/mumble-server/privkey.pem"
# - key_installed="/etc/prosody/certs/privkey_jabber.so36.pem"
# -
# - Defaults to:
# - /etc/dovecot/ssl/mailserver.key
# -
#key_installed=""
# - cert_newest
# -
# - Location of the newest certificate.
# -
# - Example:
# - cert_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/fullchain.pem"
# - cert_newest="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem"
# -
# - Defaults to:
# - /var/lib/dehydrated/certs/${service_domain}/fullchain.pem
# -
#cert_newest=""
# - key_newest
# -
# - Location of the newest Key
# -
# - Example:
# - key_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/privkey.pem"
# - key_newest="/var/lib/dehydrated/certs/jabber.so36.net/privkey.pem"
# -
# - Defaults to:
# - /var/lib/dehydrated/certs/${service_domain}/privkey.pem
# -
#key_newest=""

178
roles/common/files/mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf Normal file
View File

@@ -0,0 +1,178 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - What to check
# -
check_load=true
check_mysql=true
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=false
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
mysql_credential_args="--login-path=local"
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="7.4"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"

176
roles/common/files/mail.cadus/root/bin/postfix/conf/create_opendkim_key.conf Normal file
View File

@@ -0,0 +1,176 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---------------------------------------------------------
# - Parameter Settings for script 'create_opendkim_key.sh'.
# ---------------------------------------------------------
# ----------
# DNS Server
# ----------
# - dns_dkim_zone_master_server
# -
# - The DNS Server who is serving the update zone and is used
# - for the dynamic updates (nsupdate)
# -
#dns_dkim_zone_master_server=""
dns_dkim_zone_master_server="b.ns.oopen.de"
# - update_dns
# -
# - Possible Values are 'true' or 'false'
# -
#update_dns=""
# - update_zone
# -
# - Zone containing the DKIM TXT record.
# -
# - Defaults to '_domainkey.<dkim_domaini>'
# -
# - Note:
# - do NOT change/set this option unless you know what you do.
# -
#update_zone=""
# - TTL
# -
# - TTL for the DKIM TXT Record.
# -
# - Defaults to "" if update_dns=false
# - Defaults to "43200" if update_dns=true
#
#TTL=""
# ----------
# TSIG Key
# ----------
# - key_secret
# -
# - Sectret Key used by 'nsupdate' to create/update the
# - DKIM TXT record.
# -
# - Example:
# - key_secret="EtvvMdW0PXD4GMHP+onuHZ0dT/Z8OSJGlce/xH10OwI="
# -
#key_secret=""
key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw="
# - key_algo
# -
# - The key algorithm used for key creation. Available choices are: hmac-md5,
# - hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The
# - default is hmac-sha256. Options are case-insensitive.
# -
# - Example:
# - key_algo="hmac-md5"
# -
# - Defaults to 'hmac-sha256'
# -
#key_algo="hmac-sha256"
key_algo="hmac-sha256"
# - key_name
# -
# - Name of the Key
# -
# - Defaults to "$update_zone"
# -
#key_name=
key_name="update-dkim"
# ----------
# Access Credentials DNS Server
# ----------
# - dns_ssh_user
# -
# - Defaults to 'manage-bind'
# -
#dns_ssh_user="manage-bind"
# - dns_ssh_port
# -
# - Defaults to '22'
# -
#dns_ssh_port=22
# - dns_ssh_key
# -
# - Defaults to '/root/.ssh/id_rsa-opendkim'
# -
#dns_ssh_key="/root/.ssh/id_rsa-opendkim"
# ----------
# Scripts envoked at DNS Server
# ----------
# - set_new_serial_script
# -
# - Script increases the serial for a given domain or a given
# - hostname's concerning domain.
# -
# - Defaults to '/root/bin/bind/bind_set_new_serial.sh'
# -
#set_new_serial_script="/root/bin/bind/bind_set_new_serial.sh"
# - create_dkim_delegation_script
# -
# - Script adds DKIM subdomain delegation for a given domain
# -
# - Defaults to '/root/bin/bind/bind_create_dkim_delegation.sh'
# -
#create_dkim_delegation_script="/root/bin/bind/bind_create_dkim_delegation.sh"
# - add_dkim_zone_master_script
# -
# - Script adds zone _domainkey.<dkim domain> as master zone
# -
# - Defaults to '/root/bin/bind/bind_add_dkim_zone_master.sh'
# -
#add_dkim_zone_master_script="/root/bin/bind/bind_add_dkim_zone_master.sh"
# - add_dkim_zone_slave_script
# -
# - Script adds zone _domainkey.<dkim domain> as slave zone
# -
# - Defaults to '/root/bin/bind/bind_add_dkim_zone_slave.sh'
# -
#add_dkim_zone_slave_script="/root/bin/bind/bind_add_dkim_zone_slave.sh"
# ----------
# OpenDKIM Installation
# ----------
# - opendkim_dir
# -
# - OpenDKIM's etc-directory
# -
# - Defaults to opendkim_dir="/etc/opendkim"
# -
#opendkim_dir="/etc/opendkim"
# - key_base_dir
# -
# - Defaults to "${opendkim_dir}/keys"
# -
#key_base_dir=${opendkim_dir}/keys
# - signing_table_file
# -
# - Defaults to "${opendkim_dir}/signing.table"
# -
#signing_table_file="${opendkim_dir}/signing.table"
# - key_table_file
# -
# - Defaults to "${opendkim_dir}/key.table"
# -
#key_table_file="${opendkim_dir}/key.table"

87
roles/common/files/mail.cadus/root/bin/postfix/conf/postfix_add_mailboxes.conf Normal file
View File

@@ -0,0 +1,87 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ----------------------------------------------------
# ---
# - Parameter Settings for script 'postfix_add_mailboxes.sh'.
# ---
# ----------------------------------------------------
# - dovecot_enc_method
# -
# - The (dovecot) password scheme which should be used to generate the hashed
# - passwords of EXISTING users.
# -
# - Possible values are:
# -
# - See output of 'doveadm pw -l'
# -
# - DEFAULTS to: dovecot_enc_method="SHA512-CRYPT"
# -
#dovecot_enc_method="SHA512-CRYPT"
# - in_file
# -
# - The file from wich the script reads the e-mail-address/password
# - kombination(s). Each line in this file must only contain
# - <emal-address> <password>
# -
# - Defaults to: in_file="${conf_dir}/mailboxes_new.lst"
# -
#in_file="${conf_dir}/mailboxes_new.lst"
# - db_type
# -
# - Type of Postfix Database
# -
# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL)
# -
# - Defaults to: db_type="pgsql"
# -
#db_type="pgsql"
db_type="mysql"
# - db_name
# -
# - Database name for the postfix database
# -
# - Defaults to: db_name="postfix"
# -
#db_name="postfix"
# - db_name
# -
# - Database name for the postfix database
# -
# - Defaults to: db_name="postfix"
# -
#db_name="postfix"
# - mysql_credential_args (root access to MySQL Database)
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - Defaults to:
# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system
# - '/usr/local/mysql/sys-maint.cnf' otherwise
# -
#mysql_credential_args=""
# - quota
# -
# - The quota setting for the new mailboxes.
# -
# - Defaults to: quota="536870912"
# -
#quota="536870912"
quota="1073741824"
# - log_file
# -
# - Where to write logging informations?
# -
# - Defaults to: log_file="${script_dir}/log/postfix_add_mailboxes.log"
# -
#log_file="${script_dir}/log/postfix_add_mailboxes.log"

92
roles/common/files/mail.cadus/root/bin/postfix/conf/sent_userinfo_postfix.conf Normal file
View File

@@ -0,0 +1,92 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ----------------------------------------------------
# ---
# - Parameter Settings for script 'sent_userinfo_postfix.sh'.
# ---
# ----------------------------------------------------
# - message_body_file
# -
# - Full path to file containing the user info. This file must contain
# - the message body WITHOUT e-mail headers. If file is placed in the
# - 'files' directory use '${file_dir}/<file-name>'
# -
# - Defaults to '${file_dir}/sent_userinfo_postfix.message'
# -
#message_body_file="${file_dir}/sent_userinfo_postfix.email"
# - email_from
# -
# - From Address of user info
# -
# - Example: 'oo@oopen.de'
# -
email_from="postmaster@cadus.org"
# - email_from_org
# -
# - Example: email_from_org="O.OPEN"
# -
email_from_org="Cadus e.V."
# - db_type
# -
# - Type of Postfix Database
# -
# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL)
# -
# - Defaults to: db_type="pgsql"
# -
#db_type="pgsql"
# - db_name
# -
# - Database name for the postfix database
# -
# - Defaults to: db_name="postfix"
# -
#db_name="postfix"
# - mysql_credential_args (root access to MySQL Database)
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - Defaults to:
# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system
# - '/usr/local/mysql/sys-maint.cnf' otherwise
# -
#mysql_credential_args=""
# - mail_user
# -
# - The owner of the mailbox directories and within the e-mails itself.
# -
# - defaults to mail_user="vmail"
# -
#mail_user="vmail"
# - mail_group
# -
# - The group of the mailbox directories
# -
# - defaults to mail_group="vmail"
# -
#mail_group="vmail"
# - mail_basedir - No more needed!
# -
# - The root directory where all mailbox-domains are located.
# -
# - Defaults to '/var/vmail'.
# -
#mail_basedir=/var/vmail

44
roles/common/files/mail.cadus/root/bin/postfix/conf/whitelist_mb_sigs.conf Normal file
View File

@@ -0,0 +1,44 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ======================================================
# ---
# Parameter Settings for Script 'whitelist_mb_sigs.conf'
# ---
# ======================================================
# QUARANTINE_BASE_DIR
#
# Base directory where amavis stores quarantined e-mails, mostly in
#
# virus e-mails: $QUARANTINE_BASE_DIR/virus
# spam emails: $QUARANTINE_BASE_DIR/spam
# ..
#
# Defaults to:
# QUARANTINE_BASE_DIR="/var/QUARANTINE"
#
#QUARANTINE_BASE_DIR="/var/QUARANTINE"
# CLAMAV_VIRUS_WHITE_LIST
#
# Full path to clamav's (personal) white list file
#
# Defaults to:
# CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2"
#
#CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2"
# WHITE_LIST_STRINGS
#
# A blank separated list of strings to whitelist.
#
# Example:
# WHITE_LIST_STRINGS="google.com tinyurl.com"
#
# Defaults to:
# WHITE_LIST_STRINGS="google.com"
#
#WHITE_LIST_STRINGS="google.com"
WHITE_LIST_STRINGS="google.com tinyurl.com ngosafety.org"

49
roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-dehydrated Normal file
View File

@@ -0,0 +1,49 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEAzObdiB309CxdWnNh9FvcZciVIFCKkpBOZA5lv7gKCZFk5bO/oeA5
2mBdPX+UP+hzm/EVfGOcxUGSxvPbuptpMjSUY1nyikv4OpAq53LQkgI/Tz7YVCsalVgYjo
9EEnMR6S4cYHm3jK9UXdYUFAhWDrjnfqe3Winf3W69w4c1X0kgfNhba5y2lWswcl/24pO2
dnaJA/9NtK9bVF2PrEexXtYhewDwlo3DUC1HAchprmDFYjVZw/NmUmKhFIwOFBnZ7YeIpk
uOzRU88c+cvsluSxofltesNlqZ4S24kqhdpRp2gnzcyhwXUdWrSCbc2IRcDtb8X+ONHZbF
sIMfMKwVvXFWg7Wj1ZY9D8EidAyiwWqmMVRQKNd9ns49fEMQDAKuEBHEWeKWV5l7ocvpoP
dT3ETecCHIbpTIbG7Q8kFhfjd0thQyD6CFzRSP0Tj4kKH8Z5sxO2nRStYKj+krIYw0ncdE
pmPhLpgDJ0fbAFS2h7AtpdmTIh2H8agigawiP6KQgMCpw/h4Giy9Hrxy8mkqVGDXzW0qXM
vNL7ARdLPyNYm8oRgpML9+IqQw/sN/RRy+x8/CmSUAVOV1OuEs4a7Dhwk1dzEUxvtEvGFP
dy/P+0xMtMSI7y+WAFF0Ft0WpmR6SBvrRO/EcbV6QvPOXXDlw69M3H/lLsZLGI7UFQryst
8AAAdA6cyXPOnMlzwAAAAHc3NoLXJzYQAAAgEAzObdiB309CxdWnNh9FvcZciVIFCKkpBO
ZA5lv7gKCZFk5bO/oeA52mBdPX+UP+hzm/EVfGOcxUGSxvPbuptpMjSUY1nyikv4OpAq53
LQkgI/Tz7YVCsalVgYjo9EEnMR6S4cYHm3jK9UXdYUFAhWDrjnfqe3Winf3W69w4c1X0kg
fNhba5y2lWswcl/24pO2dnaJA/9NtK9bVF2PrEexXtYhewDwlo3DUC1HAchprmDFYjVZw/
NmUmKhFIwOFBnZ7YeIpkuOzRU88c+cvsluSxofltesNlqZ4S24kqhdpRp2gnzcyhwXUdWr
SCbc2IRcDtb8X+ONHZbFsIMfMKwVvXFWg7Wj1ZY9D8EidAyiwWqmMVRQKNd9ns49fEMQDA
KuEBHEWeKWV5l7ocvpoPdT3ETecCHIbpTIbG7Q8kFhfjd0thQyD6CFzRSP0Tj4kKH8Z5sx
O2nRStYKj+krIYw0ncdEpmPhLpgDJ0fbAFS2h7AtpdmTIh2H8agigawiP6KQgMCpw/h4Gi
y9Hrxy8mkqVGDXzW0qXMvNL7ARdLPyNYm8oRgpML9+IqQw/sN/RRy+x8/CmSUAVOV1OuEs
4a7Dhwk1dzEUxvtEvGFPdy/P+0xMtMSI7y+WAFF0Ft0WpmR6SBvrRO/EcbV6QvPOXXDlw6
9M3H/lLsZLGI7UFQryst8AAAADAQABAAACAQDDE0Dx6GNfXCV8icFGXXaVSMQBQezL4Kth
QvvH7TVRKqU+s0TMnqc1quzaMe44cdwvKPVluYh1nBpbY6tcG72pWLm1ZNsuo2kuiDbwpz
S+7XjMv25Bo8/pQzgN8YPDdN4mfAn0J62COSI/PCNddxpHZe6vfIlpQ9in/liYIM/Fad+O
PIW9DDQgSS6UlZx81liuq+eCcLvQO+rdhT3VrWPGgGLbsmdbTpgWayThI6bJp8QD3fsaPU
67PL9SyoxUws/h/lkwyVqpEYE2ToxSb3+b7MEKYUbJcLRz142Twst09p7BWJLzsI7bEGvD
g4xabpkeX7tip0egVfzcMdmuAwel381t2vy1dDYG7bpg41MQkxlmthxgAM8Sm6qvOAZdR/
/DuQLFIoaQNgW0457e3i99zfnJ6eJDlRPj7nD2a9MMOyHHyYTLA38vDQ6c5/uGfAal8Y/q
woXxNQmfbAqxJ/Osv24ar4aFzTpMkVCi1yxyBiTFyg4TimPN4Tjhgjf4fmwUs7dsquTrsK
L3nUeQYf/tVX/etQNvRBxsam1GgKQhv1lDXBFZPqoova7g44HRRB7YndgiW74lQ8yuTSqj
Tyrq8jO4fjZAebjDtjwFu3ZYYxyj/MOcXBRKsTDFD9LLA1mdNoMERx3I5QH+XIOry+sCyz
7OXQfh433wimRCfa8dcQAAAQEAmxHGMKSC0YXKsj8KR/NBDVLg5MudvYrtsPlk3UIaioh5
0wwPkrsvCMlRiTAsdDLGVPSEqNe8EWvMmJvqssCC75KVoxWr2VfhVnPFlogrJy+wz+TkX+
oaasVm+59KP30jm6SlUkahbyfSABxnWuZUeckpST9EanUSG5mbqVvA+eZsAb7OmT9OVOLd
hIBu+n9muziGAkCKigPUx7aw60aD982rsp6gro+qv+nWF2vrJoGZYJQrB7nHlyPI8WlOt7
ue9aXCitKjrcbFggHlfuhsej3p3cy3UhgIC0/PUp4av1mYgLc8Z56RBlX5lhdGMPvLR2y2
iaqCrtOwgVgNmYLaRAAAAQEA/9aVC8Z90GQ5t0kVEa/KUYytp2EM41MnDqqLy0TM9MtNbF
NKD/PzP1IjQR49qKAgtLc2njTsMIUoDNT6osPkMHIwIhx+Z6c4GcOBqYu4bdaN7UEHKvbh
DOB18rAH+8nOEQfIP3iixnNFtilcJ0UcGSDgU0kAG/5hovMTXSYcahSsTuLTi9MLbriUvv
jhAxq0RwMa38nRLDG7lNRRqdMAV9d6ViYSRcuQlH1CqUy0PAJE16hhFsXDtLDzzgx23fAS
sQrAW5vDjkmB+65x6WSTsN1wNGf+7+oboB0uKrb1Owob/cn9Fk3JWlYweMTGNwo5qQ1SIi
Gku0hoIefPc1SuXQAAAQEAzQgJepA65Hcl7qpuPpc1AtIZWnwWHVBsKrBQGMeB22xd0z67
/F7xzas+FmLmZIMOIhr3KYpHpe/XdL9c71CWwryQYu386liib7el/7rGM6aeINR1Y/c1ei
3ZgbfotBW+95537DFha25HW12lGOxIVcKl1o93XsisVayLI73q2kLRmQq6BqvoObo5pzg3
hFbwAzGpVVi3P3wBnSwt/JApIEoOgQCDK44W6FcBbKGa8EclxY8gugaaZ+1W8hHAVq4TeA
1kP/MbPUiSOqGN20IWqo3ORNlnIyc5oEgWinHEKHFTuiXuIBulUQtClOTotElbJJhnav2i
I13KhvLmCvP6awAAAAlyb290QG1haWw=
-----END OPENSSH PRIVATE KEY-----

1
roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-dehydrated.pub Normal file
View File

@@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDM5t2IHfT0LF1ac2H0W9xlyJUgUIqSkE5kDmW/uAoJkWTls7+h4DnaYF09f5Q/6HOb8RV8Y5zFQZLG89u6m2kyNJRjWfKKS/g6kCrnctCSAj9PPthUKxqVWBiOj0QScxHpLhxgebeMr1Rd1hQUCFYOuOd+p7daKd/dbr3DhzVfSSB82FtrnLaVazByX/bik7Z2dokD/020r1tUXY+sR7Fe1iF7APCWjcNQLUcByGmuYMViNVnD82ZSYqEUjA4UGdnth4imS47NFTzxz5y+yW5LGh+W16w2WpnhLbiSqF2lGnaCfNzKHBdR1atIJtzYhFwO1vxf440dlsWwgx8wrBW9cVaDtaPVlj0PwSJ0DKLBaqYxVFAo132ezj18QxAMAq4QEcRZ4pZXmXuhy+mg91PcRN5wIchulMhsbtDyQWF+N3S2FDIPoIXNFI/ROPiQofxnmzE7adFK1gqP6SshjDSdx0SmY+EumAMnR9sAVLaHsC2l2ZMiHYfxqCKBrCI/opCAwKnD+HgaLL0evHLyaSpUYNfNbSpcy80vsBF0s/I1ibyhGCkwv34ipDD+w39FHL7Hz8KZJQBU5XU64SzhrsOHCTV3MRTG+0S8YU93L8/7TEy0xIjvL5YAUXQW3RamZHpIG+tE78RxtXpC885dcOXDr0zcf+UuxksYjtQVCvKy3w== root@mail

49
roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-opendkim Normal file
View File

@@ -0,0 +1,49 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEA35XdcuUkcGZptZJWsAPLG5bqQVMWX4NnKIJvbTin6xrDfAGTpaLR
RIVj5mUdMXC02s2CXTtzIIUVFBMN5qnNs5g1z+1hgq0DQlwWNMaR2/QfsJ7zEDKNHS7DpO
vuPGdU1srXgP+71dG6MP1ouT3xloZ9wTVFVRcPczy+RdbAl6u/W35cNvzPkOsABx4ULDUP
JxpSFarpvrQngxT+GJcDGsqtNxpsUxjPZJm/3IjTXJs/Y0jS8DPX1lUai8eEHB8DPU4x/x
uGH5p+tw4E3k5YfKRZSFKoEL0zwIAEsppJs7QEe1KFuLWjIZUp9OS6p2YwEppqMdpG/UO8
ZOMiVnQOOnwH/OuO//+zfDFK+1hCziwxscVZyp0X7aNh4eW/hmLXsP33MXOkqQ1KkB/1aq
RQh5SnuRFPELGUyTEUbRqX97hA/6q4p6Hk7oUSomyyTXLQImmpF5F75jJzPIjXo6IcMtNI
xEcdHQH2ZpB4ucOseu+31syrtInQbF97aq6p70DffVS8HS0jbaaXxNhJEg8vINMQ1CACbG
rz9vxp6T6eAsONIpy/eIHxu5wafZKBmynyDNO9jysunh86/uHxk1lBqZuB72hjfImsymoV
NSVbHtTnIwk4mb7rdEt2OpzkC7VdXDt8ii4TbzxIeDZUbDaGlW5/5EenvezNJ1QyCmCh7f
MAAAdAf2KMEH9ijBAAAAAHc3NoLXJzYQAAAgEA35XdcuUkcGZptZJWsAPLG5bqQVMWX4Nn
KIJvbTin6xrDfAGTpaLRRIVj5mUdMXC02s2CXTtzIIUVFBMN5qnNs5g1z+1hgq0DQlwWNM
aR2/QfsJ7zEDKNHS7DpOvuPGdU1srXgP+71dG6MP1ouT3xloZ9wTVFVRcPczy+RdbAl6u/
W35cNvzPkOsABx4ULDUPJxpSFarpvrQngxT+GJcDGsqtNxpsUxjPZJm/3IjTXJs/Y0jS8D
PX1lUai8eEHB8DPU4x/xuGH5p+tw4E3k5YfKRZSFKoEL0zwIAEsppJs7QEe1KFuLWjIZUp
9OS6p2YwEppqMdpG/UO8ZOMiVnQOOnwH/OuO//+zfDFK+1hCziwxscVZyp0X7aNh4eW/hm
LXsP33MXOkqQ1KkB/1aqRQh5SnuRFPELGUyTEUbRqX97hA/6q4p6Hk7oUSomyyTXLQImmp
F5F75jJzPIjXo6IcMtNIxEcdHQH2ZpB4ucOseu+31syrtInQbF97aq6p70DffVS8HS0jba
aXxNhJEg8vINMQ1CACbGrz9vxp6T6eAsONIpy/eIHxu5wafZKBmynyDNO9jysunh86/uHx
k1lBqZuB72hjfImsymoVNSVbHtTnIwk4mb7rdEt2OpzkC7VdXDt8ii4TbzxIeDZUbDaGlW
5/5EenvezNJ1QyCmCh7fMAAAADAQABAAACADG9sYqCF905q4LNj6OQ9Hqq1Gq8BVoybZzB
h/CQjirrxVmtMB/FXTEVS+hRznDVVibnWX1MYIx3jvzsUEdkt3KhBje/49Wij/sPaZFMK9
73LKWqdwC/fk1jvfrO0i11/5XZgqAcRLmI8xc7CTVM5pZKTWfSZh5MBw/oD5yR7j7P4r6E
GhfRnovq/BKZSnubQke8v046u83FXpT28qCd1/754BdGNZs3Bcynt9tkRUFw+GUqKmNt5T
K1tDYsqONostvMrarHgMs/H7mx0Lt0SpNQLNy+Js2yifTlhiYF1Se5gNW+wikZn7U07iSh
TjU3srIw0DdPDEQD8cGwFk+Neix2H89d5Br2Y9eR9MI7iGO2F8h7nakH6jH6qjR+Msk67B
KyO8CCVuoacoBl01rM3WDaHg91CIP/jdimEyc51Q2huTQl3ljSg1hruxpluEE6hRyKEyWB
ipE7peQtHsXY/oofPJoGH8vK/d9ShhLo4I/v4h77gtOGMZlZkChWLXVxJmGr25cMganQJC
UVBbK1gCNgZ/o/FbVb/Sa7qs4kMxaa8UkGU/ARx6jnj+Tywz4QOiukvm17/ZUB844KXfyi
FvOVYD7nMrOO6J4htl+4ejEPhqYXn41OXhLiQyU4f8d9CRDkblJR8UM/wwtaA7+OaK1Ad8
t2wGKVNEXJNvV1CmPBAAABAQCs2kuDZfBPls1+7UCEoCcupKSGSMUcPiTbx+ImF0YTVYhs
Dokv+9xhQ6KWyk2V2OAaxBu9Ic/k/ehM6rIcGVnL+/z6LCrUqq34w/q4PdE8SzqrBwdthv
N3C7u150hlc8LHutDCUAAP7di/8XgzaVcl/FmI+2+RSdhoV3YGRP/DtvP3/4+FpjFIEBlg
TljexM8l4ie/cCeULu59bCGLjE4ZYUR2F9yDoJvG+S1B30PecV+oohwbbYGDIw+1+VhbkJ
tztk8qd6SafR+WHqffMiqHerg0LeqbT04cNWGyNEaBtcajv3Koi04EG6uXthgBJXG2anl9
RAdKgissLWx54ug7AAABAQD7LE558uvMho1PuEYZZpjHc+OAcnT3+nQ8y+zM28kYugFV+o
KOd4vp6olASbpTs9nDhrGy6bOvDoxVi/auP/XsIt/no78IiFzmoAVce9NvveR89GAgGhnI
7cqEEFgEWfupfwrC/WK3Dmiij/ah3nslHC5ECwhfxpurIEaHrhxhkdWS9ZzUxREL+xQqyn
7dr1CUnhU8z/W5ISdkLUWkwk6cHQ/bz+AA6YQZCYi3oiQt4QyQBxQHj5PT6rJBJWvlAfzV
XGvMLVCDCUfpGzedoQ8YjFLryON8DgrmkW6V/eBoiVM8HAPR9ZtKZCuqoovRe2pcmcKYrb
Xw1uuQoxjxEI75AAABAQDj4dX0iJv8sg+UB6SYXImzM2avjNzi7xZJXZMvYHvNW+Jk8Qvq
4A9rNooQRsCs5TMg3N/72/gVYnxHjiDunxepTW2qvLf7i27epjKTSqbpmxKa48e5lJk+V9
38BI6NdS9oCXlqYvo54WtqeniQFH+/nZMVe9EowSHEsaKZ7IUCEmYwpsZvrGuaKALmeZfX
wvDkj6KZl/Fcuhx8U8jFl4c9SEBpeouNC/ZZZ2eRwb3b9zpL0tDr8VYDhoT92yGflwP/db
crz3FRXR4rfmzMu4Jlezt2LqjiGCzG51Weucgvz+2CliJ7zIwUDhpzaPJoITo4Xk1A7IXi
asSfThIqHCNLAAAACXJvb3RAbWFpbAE=
-----END OPENSSH PRIVATE KEY-----

1
roles/common/files/mail.faire-mobilitaet/root/.ssh/mail.faire-mobilitaet-id_rsa-opendkim.pub Normal file
View File

@@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDfld1y5SRwZmm1klawA8sblupBUxZfg2cogm9tOKfrGsN8AZOlotFEhWPmZR0xcLTazYJdO3MghRUUEw3mqc2zmDXP7WGCrQNCXBY0xpHb9B+wnvMQMo0dLsOk6+48Z1TWyteA/7vV0bow/Wi5PfGWhn3BNUVVFw9zPL5F1sCXq79bflw2/M+Q6wAHHhQsNQ8nGlIVqum+tCeDFP4YlwMayq03GmxTGM9kmb/ciNNcmz9jSNLwM9fWVRqLx4QcHwM9TjH/G4Yfmn63DgTeTlh8pFlIUqgQvTPAgASymkmztAR7UoW4taMhlSn05LqnZjASmmox2kb9Q7xk4yJWdA46fAf8647//7N8MUr7WELOLDGxxVnKnRfto2Hh5b+GYtew/fcxc6SpDUqQH/VqpFCHlKe5EU8QsZTJMRRtGpf3uED/qrinoeTuhRKibLJNctAiaakXkXvmMnM8iNejohwy00jERx0dAfZmkHi5w6x677fWzKu0idBsX3tqrqnvQN99VLwdLSNtppfE2EkSDy8g0xDUIAJsavP2/GnpPp4Cw40inL94gfG7nBp9koGbKfIM072PKy6eHzr+4fGTWUGpm4HvaGN8iazKahU1JVse1OcjCTiZvut0S3Y6nOQLtV1cO3yKLhNvPEh4NlRsNoaVbn/kR6e97M0nVDIKYKHt8w== root@mail.faire-mobilitaet.de-opendkim

135
roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_cert_for_dovecot.conf Normal file
View File

@@ -0,0 +1,135 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings for script check_cert_for_dovecot.sh
#-----------------------------
#---------------------------------------
# - service_domain
# -
# - The main domain for which the certificate was issued
# -
# - Example:
# - service_domain="a.mx.oopen.de"
# - service_domain="mail.cadus.org"
# - service_domain="mx.warenform.de"
# -
#service_domain=""
service_domain="mail.faire-mobilitaet.de"
# - service_name
# -
# - Name of service.
# -
# - Note: this var will also be used to determin systemd service file
# - or sysVinit script.
# -
# - Example:
# - service_name="Mumble"
# - service_name="Prosody"
# -
# - Defaults to:
# - service_name="Dovecot"
# -
#service_name=""
# - check_string_ps
# -
# - String wich (clearly) identifies the service at the process list (ps)
# -
# - Example:
# - check_string_ps="[[:digit:]]\ /usr/sbin/murmurd"
# - check_string_ps=""
# -
# - Defaults to:
# - check_string_ps="[[:digit:]]\ /usr/local/dovecot-[[:digit:]]{1,2}\.[[:digit:]]{1,2}\.[[:digit:]]{1,2}(\.[[:digit:]]{1,2})?/sbin/dovecot"
# -
#check_string_ps=""
# - service_user
# -
# - User under which the service is running.
# -
# - Example:
# - service_user="mumble-server"
# - service_user="prosody"
# -
# - Defaults to:
# - service_user="prosody"
# -
#service_user=""
# - service_group
# -
# - Group under which the service is running.
# -
# - Example:
# - service_group="mumble-server"
# - service_group="prosody"
# -
# - Defaults to:
# - service_group="prosody"
# -
#service_group=""
# - cert_installed
# -
# - Locataion of certificate read by service
# -
# - Example:
# - cert_installed="/var/lib/mumble-server/fullchain.pem"
# - cert_installed="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem"
# -
# - Defaults to:
# - /etc/dovecot/ssl/mailserver.crt
# -
#cert_installed=""
# - key_installed
# -
# - Location of the key read by service
# -
# - Example:
# - key_installed="/var/lib/mumble-server/privkey.pem"
# - key_installed="/etc/prosody/certs/privkey_jabber.so36.pem"
# -
# - Defaults to:
# - /etc/dovecot/ssl/mailserver.key
# -
#key_installed=""
# - cert_newest
# -
# - Location of the newest certificate.
# -
# - Example:
# - cert_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/fullchain.pem"
# - cert_newest="/var/lib/dehydrated/certs/jabber.so36.net/fullchain.pem"
# -
# - Defaults to:
# - /var/lib/dehydrated/certs/${service_domain}/fullchain.pem
# -
#cert_newest=""
# - key_newest
# -
# - Location of the newest Key
# -
# - Example:
# - key_newest="/var/lib/dehydrated/certs/il-mumble.oopen.de/privkey.pem"
# - key_newest="/var/lib/dehydrated/certs/jabber.so36.net/privkey.pem"
# -
# - Defaults to:
# - /var/lib/dehydrated/certs/${service_domain}/privkey.pem
# -
#key_newest=""

178
roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf Normal file
View File

@@ -0,0 +1,178 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - What to check
# -
check_load=true
check_mysql=false
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=false
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="7.4"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"

176
roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/create_opendkim_key.conf Normal file
View File

@@ -0,0 +1,176 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---------------------------------------------------------
# - Parameter Settings for script 'create_opendkim_key.sh'.
# ---------------------------------------------------------
# ----------
# DNS Server
# ----------
# - dns_dkim_zone_master_server
# -
# - The DNS Server who is serving the update zone and is used
# - for the dynamic updates (nsupdate)
# -
#dns_dkim_zone_master_server=""
dns_dkim_zone_master_server="b.ns.oopen.de"
# - update_dns
# -
# - Possible Values are 'true' or 'false'
# -
#update_dns=""
# - update_zone
# -
# - Zone containing the DKIM TXT record.
# -
# - Defaults to '_domainkey.<dkim_domaini>'
# -
# - Note:
# - do NOT change/set this option unless you know what you do.
# -
#update_zone=""
# - TTL
# -
# - TTL for the DKIM TXT Record.
# -
# - Defaults to "" if update_dns=false
# - Defaults to "43200" if update_dns=true
#
#TTL=""
# ----------
# TSIG Key
# ----------
# - key_secret
# -
# - Sectret Key used by 'nsupdate' to create/update the
# - DKIM TXT record.
# -
# - Example:
# - key_secret="EtvvMdW0PXD4GMHP+onuHZ0dT/Z8OSJGlce/xH10OwI="
# -
#key_secret=""
key_secret="4woPu0jqf9Jp1IX+gduJ3BVW/1ZMeyCPTQMqEsMXLFw="
# - key_algo
# -
# - The key algorithm used for key creation. Available choices are: hmac-md5,
# - hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512. The
# - default is hmac-sha256. Options are case-insensitive.
# -
# - Example:
# - key_algo="hmac-md5"
# -
# - Defaults to 'hmac-sha256'
# -
#key_algo="hmac-sha256"
key_algo="hmac-sha256"
# - key_name
# -
# - Name of the Key
# -
# - Defaults to "$update_zone"
# -
#key_name=
key_name="update-dkim"
# ----------
# Access Credentials DNS Server
# ----------
# - dns_ssh_user
# -
# - Defaults to 'manage-bind'
# -
#dns_ssh_user="manage-bind"
# - dns_ssh_port
# -
# - Defaults to '22'
# -
#dns_ssh_port=22
# - dns_ssh_key
# -
# - Defaults to '/root/.ssh/id_rsa-opendkim'
# -
#dns_ssh_key="/root/.ssh/id_rsa-opendkim"
# ----------
# Scripts envoked at DNS Server
# ----------
# - set_new_serial_script
# -
# - Script increases the serial for a given domain or a given
# - hostname's concerning domain.
# -
# - Defaults to '/root/bin/bind/bind_set_new_serial.sh'
# -
#set_new_serial_script="/root/bin/bind/bind_set_new_serial.sh"
# - create_dkim_delegation_script
# -
# - Script adds DKIM subdomain delegation for a given domain
# -
# - Defaults to '/root/bin/bind/bind_create_dkim_delegation.sh'
# -
#create_dkim_delegation_script="/root/bin/bind/bind_create_dkim_delegation.sh"
# - add_dkim_zone_master_script
# -
# - Script adds zone _domainkey.<dkim domain> as master zone
# -
# - Defaults to '/root/bin/bind/bind_add_dkim_zone_master.sh'
# -
#add_dkim_zone_master_script="/root/bin/bind/bind_add_dkim_zone_master.sh"
# - add_dkim_zone_slave_script
# -
# - Script adds zone _domainkey.<dkim domain> as slave zone
# -
# - Defaults to '/root/bin/bind/bind_add_dkim_zone_slave.sh'
# -
#add_dkim_zone_slave_script="/root/bin/bind/bind_add_dkim_zone_slave.sh"
# ----------
# OpenDKIM Installation
# ----------
# - opendkim_dir
# -
# - OpenDKIM's etc-directory
# -
# - Defaults to opendkim_dir="/etc/opendkim"
# -
#opendkim_dir="/etc/opendkim"
# - key_base_dir
# -
# - Defaults to "${opendkim_dir}/keys"
# -
#key_base_dir=${opendkim_dir}/keys
# - signing_table_file
# -
# - Defaults to "${opendkim_dir}/signing.table"
# -
#signing_table_file="${opendkim_dir}/signing.table"
# - key_table_file
# -
# - Defaults to "${opendkim_dir}/key.table"
# -
#key_table_file="${opendkim_dir}/key.table"

86
roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/postfix_add_mailboxes.conf Normal file
View File

@@ -0,0 +1,86 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ----------------------------------------------------
# ---
# - Parameter Settings for script 'postfix_add_mailboxes.sh'.
# ---
# ----------------------------------------------------
# - dovecot_enc_method
# -
# - The (dovecot) password scheme which should be used to generate the hashed
# - passwords of EXISTING users.
# -
# - Possible values are:
# -
# - See output of 'doveadm pw -l'
# -
# - DEFAULTS to: dovecot_enc_method="SHA512-CRYPT"
# -
#dovecot_enc_method="SHA512-CRYPT"
# - in_file
# -
# - The file from wich the script reads the e-mail-address/password
# - kombination(s). Each line in this file must only contain
# - <emal-address> <password>
# -
# - Defaults to: in_file="${conf_dir}/mailboxes_new.lst"
# -
#in_file="${conf_dir}/mailboxes_new.lst"
# - db_type
# -
# - Type of Postfix Database
# -
# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL)
# -
# - Defaults to: db_type="pgsql"
# -
db_type="pgsql"
# - db_name
# -
# - Database name for the postfix database
# -
# - Defaults to: db_name="postfix"
# -
#db_name="postfix"
# - db_name
# -
# - Database name for the postfix database
# -
# - Defaults to: db_name="postfix"
# -
#db_name="postfix"
# - mysql_credential_args (root access to MySQL Database)
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - Defaults to:
# - '--defaults-file=/etc/mysql/debian.cnf' if MySQL is installed from debian package system
# - '--defaults-file=/usr/local/mysql/sys-maint.cnf' otherwise
# -
#mysql_credential_args=""
# - quota
# -
# - The quota setting for the new mailboxes.
# -
# - Defaults to: quota="536870912"
# -
#quota="536870912"
quota="1073741824"
# - log_file
# -
# - Where to write logging informations?
# -
# - Defaults to: log_file="${script_dir}/log/postfix_add_mailboxes.log"
# -
#log_file="${script_dir}/log/postfix_add_mailboxes.log"

92
roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/sent_userinfo_postfix.conf Normal file
View File

@@ -0,0 +1,92 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ----------------------------------------------------
# ---
# - Parameter Settings for script 'sent_userinfo_postfix.sh'.
# ---
# ----------------------------------------------------
# - message_body_file
# -
# - Full path to file containing the user info. This file must contain
# - the message body WITHOUT e-mail headers. If file is placed in the
# - 'files' directory use '${file_dir}/<file-name>'
# -
# - Defaults to '${file_dir}/sent_userinfo_postfix.message'
# -
#message_body_file="${file_dir}/sent_userinfo_postfix.email"
# - email_from
# -
# - From Address of user info
# -
# - Example: 'oo@oopen.de'
# -
email_from="postmster@faire-mobilitaet.de"
# - email_from_org
# -
# - Example: email_from_org="O.OPEN"
# -
email_from_org="Projekt Faire Mobilität"
# - db_type
# -
# - Type of Postfix Database
# -
# - Possible values are 'pgsql' (PostgeSQL) or 'mysql' (MySQL)
# -
# - Defaults to: db_type="pgsql"
# -
#db_type="pgsql"
# - db_name
# -
# - Database name for the postfix database
# -
# - Defaults to: db_name="postfix"
# -
#db_name="postfix"
# - mysql_credential_args (root access to MySQL Database)
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - Defaults to:
# - '/etc/mysql/debian.cnf' if MySQL is installed from debian package system
# - '/usr/local/mysql/sys-maint.cnf' otherwise
# -
#mysql_credential_args=""
# - mail_user
# -
# - The owner of the mailbox directories and within the e-mails itself.
# -
# - defaults to mail_user="vmail"
# -
#mail_user="vmail"
# - mail_group
# -
# - The group of the mailbox directories
# -
# - defaults to mail_group="vmail"
# -
#mail_group="vmail"
# - mail_basedir - No more needed!
# -
# - The root directory where all mailbox-domains are located.
# -
# - Defaults to '/var/vmail'.
# -
#mail_basedir=/var/vmail

44
roles/common/files/mail.faire-mobilitaet/root/bin/postfix/conf/whitelist_mb_sigs.conf Normal file
View File

@@ -0,0 +1,44 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ======================================================
# ---
# Parameter Settings for Script 'whitelist_mb_sigs.conf'
# ---
# ======================================================
# QUARANTINE_BASE_DIR
#
# Base directory where amavis stores quarantined e-mails, mostly in
#
# virus e-mails: $QUARANTINE_BASE_DIR/virus
# spam emails: $QUARANTINE_BASE_DIR/spam
# ..
#
# Defaults to:
# QUARANTINE_BASE_DIR="/var/QUARANTINE"
#
#QUARANTINE_BASE_DIR="/var/QUARANTINE"
# CLAMAV_VIRUS_WHITE_LIST
#
# Full path to clamav's (personal) white list file
#
# Defaults to:
# CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2"
#
#CLAMAV_VIRUS_WHITE_LIST="/var/lib/clamav/my_whitelist.ign2"
# WHITE_LIST_STRINGS
#
# A blank separated list of strings to whitelist.
#
# Example:
# WHITE_LIST_STRINGS="google.com tinyurl.com"
#
# Defaults to:
# WHITE_LIST_STRINGS="google.com"
#
#WHITE_LIST_STRINGS="google.com"
WHITE_LIST_STRINGS="google.com tinyurl.com"

24
roles/common/files/mailserver/etc/postfix/postfwd.bl-hosts Normal file
View File

@@ -0,0 +1,24 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# hosts blocked by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# Example:
#
# # block all hosts of domain 'oopen.de'
# \.oopen\.de$
#
# # block host a.mx.oopen.de
# ^a\.mx\.oopen\.de$
#
# ---
# give hostnames to blocke here
illuminatus\.lionheart\.lovejoy$
dancortez\.500$
geplosser\.pl$

20
roles/common/files/mailserver/etc/postfix/postfwd.bl-nets Normal file
View File

@@ -0,0 +1,20 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Networks blocked by postfwd
#
# Example:
#
# # web0.warenform.de
# #83.223.86.76
# #2a01:30:0:505:286:96ff:fe4a:6ee
# #2a01:30:0:13:286:96ff:fe4a:6eee
#
# ---
# give networks to block here
188.214.104.0/24
91.219.236.254
85.254.72.106
103.136.40.0/23
185.53.170.115

58
roles/common/files/mailserver/etc/postfix/postfwd.bl-sender Normal file
View File

@@ -0,0 +1,58 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Sender addresses blocked by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# @acieu\.co\.uk$
# ^error@mailfrom.com$
#
# instedt of
#
# @acieu.co.uk
# error@mailfrom.com
#
#
# Example:
#
# # # annoying spammer domains
# # block all senders of maildomaindomain 'oopen.de'
# @acieu\.co\.uk$
#
# # annoying spammer addresses
# # block sender address
# error@mailfrom.com
# sqek@eike\.se$
#
# ---
# annoying spammer domains
@acieu\.co\.uk$
@sendelope\.eu$
@growthrecords\.com$
@videosicherheit.biz$
@arbeitsschutzmasken.shop$
@medprodukte.shop$
@geplosser\.pl$
@alfasells\.de$
@news-des-tages\.de$
@inx1and1\..+$
@ppe-healthcare-europe\.\S+$
@testbedarf\.shop$
@acievents\.\S+$
@dokpotenz\.\S+$
@doktorapo\.\S+$
@team-de-luxe\.\S+$
@klickensiejetzt\.\S+$
@podiumskate\.\S+$
@ppe-healthcare-europe\.\S+$
# annoying spammer addresses
^error@mailfrom\.com$
^sqek@eike\.se$

13
roles/common/files/mailserver/etc/postfix/postfwd.bl-user Normal file
View File

@@ -0,0 +1,13 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# SASL Users blocked by postfwd
#
# Example:
#
# # give SASL usernames to block here
# ckubu@oopen.de
#
# ---
# give SASL usernames to block here

173
roles/common/files/mailserver/etc/postfix/postfwd.cf Normal file
View File

@@ -0,0 +1,173 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#======= Definitions ============
# Match messages with an associated SASL username
&&SASL_AUTH {
sasl_username!~^$
}
# Trusted networks
&&TRUSTED_NETS {
client_address==file:/etc/postfix/postfwd.wl-nets
}
# Trusted hostnames
# client_name~=.warenform.de$
&&TRUSTED_HOSTS {
client_name=~file:/etc/postfix/postfwd.wl-hosts
}
# Trusted users
&&TRUSTED_USERS {
sasl_username==file:/etc/postfix/postfwd.wl-user
}
# Trusted senders
&&TRUSTED_SENDERS {
sender=~file:/etc/postfix/postfwd.wl-sender
}
# Blacklist networks
&&BLOCK_NETS {
client_address==file:/etc/postfix/postfwd.bl-nets
}
# Blacklist hostnames
&&BLOCK_HOSTS {
client_name=~file:/etc/postfix/postfwd.bl-hosts
}
# Blacklist users
&&BLOCK_USERS {
sasl_username==file:/etc/postfix/postfwd.bl-user
}
# Blacklist sender adresses
&&BLOCK_SENDER {
# =~
# using '=~' allows also matching entries for domains (i.e. @acieu.co.uk)
sender=~file:/etc/postfix/postfwd.bl-sender
}
# Inbound emails only
&&INCOMING {
client_address!=127.0.0.1
}
#======= Rule Sets ============
# ---
#
# Processing of the Rule Sets
#
# The parser checks the elements of a policy delegation request against the postfwd set
# of rules and, if necessary, triggers the configured action (action=). Similar to a
# classic firewall, a rule is considered true if every element of the set of rules (or
# one from every element list) applies to the comparison. I.e. the following rule:
#
# client_address=1.1.1.1, 1.1.1.2; client_name==unknown; action=REJECT
#
# triggers a REJECT if the
#
# Client address is equal (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
#
#
# Note:
# If an element occurs more than once, an element list is formed:
#
# The following rule set is equivalent to the above:
#
# client_address=1.1.1.1; client_address=1.1.1.2; client_name==unknown; action=REJECT
#
#
# triggers a REJECT if (as above) the
#
# Client address (1.1.1.1 OR 1.1.1.2) AND the client name 'unknown'
#
# ---
# Whitelists
# Whitelist trusted networks
id=WHL_NETS
&&TRUSTED_NETS
action=DUNNO
# Whitelist trusted hostnames
id=WHL_HOSTS
&&TRUSTED_HOSTS
action=DUNNO
# Whitelist sasl users
id=WHL_USERS
&&TRUSTED_USERS
action=DUNNO
# Whitelist senders
id=WHL_SENDERS
&&INCOMING
&&TRUSTED_SENDERS
action=DUNNO
# Blacklists
# Block networks
id=BL_NETS
&&BLOCK_NETS
action=REJECT Network Address $$client_address blocked by Mailserver admins. Error: BL_NETS
# Block hostname
id=BL_HOSTS
&&BLOCK_HOSTS
action=REJECT $$client_name blocked by Mailserver admins. Error: BL_HOSTS
# Block users
id=BL_USERS
&&BLOCK_USERS
action=REJECT User is blocked by Mailserver admins. Error: BL_USERS
# Blacklist sender
#
# Claim successful delivery and silently discard the message.
#
id=BL_SENDER
&&BLOCK_SENDER
#action=DISCARD
action=REJECT Sender address is blocked by Mailserver admins. Error: BL_SENDER
# Rate Limits
# Throttle unknown clients to 5 recipients per 5 minutes:
id=RATE_UNKNOWN_CLIENT_ADDR
sasl_username =~ /^$/
client_name==unknown
action=rate(client_address/5/300/450 4.7.1 only 5 recipients per 5 minutes allowed)
# Block clients (ip-addresses) sending more than 50 messages per minute exceeded. Error:RATE_CLIENT)
id=RATE_CLIENT_ADDR
&&INCOMING
action=rate($$client_address/50/60/421 421 4.7.0 Too many connections from $$client_address)
# Block messages with more than 50 recipients
id=BLOCK_MSG_RCPT
&&INCOMING
&&SASL_AUTH
recipient_count=50
action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT
# Block users sending more than 50 messages/hour
id=RATE_MSG
&&INCOMING
&&SASL_AUTH
action=rate($$sasl_username/50/3600/450 4.7.1 Number messages per hour exceeded. Error:RATE_MSG)
# Block users sending more than 250 recipients total/hour
id=RATE_RCPT
&&INCOMING
&&SASL_AUTH
action=rcpt($$sasl_username/250/3600/450 4.7.1 Number recipients per hour exceeded. Error:RATE_RCPT)

22
roles/common/files/mailserver/etc/postfix/postfwd.wl-hosts Normal file
View File

@@ -0,0 +1,22 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Trusted hosts whitelisted by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# Example:
#
# # all hosts of domain 'oopen.de'
# \.oopen\.de$
#
# # host a.mx.oopen.de
# ^a\.mx\.oopen\.de$
#
# ---
# give truested hostnames here

15
roles/common/files/mailserver/etc/postfix/postfwd.wl-nets Normal file
View File

@@ -0,0 +1,15 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Trusted networks whitelisted by postfwd
#
# Example:
#
# # web0.warenform.de
# #83.223.86.76
# #2a01:30:0:505:286:96ff:fe4a:6ee
# #2a01:30:0:13:286:96ff:fe4a:6eee
#
# ---
# give truested networrk adresses here

22
roles/common/files/mailserver/etc/postfix/postfwd.wl-sender Normal file
View File

@@ -0,0 +1,22 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# Trusted senders whitelisted by postfwd
#
# This file is called with '=~'. This means perl regexp is possible
#
#
# To increase performance use ^ and/or $ in regular expressions
#
# Example:
#
# # all senders of maildomaindomain 'oopen.de'
# @oopen\.de$
#
# # sender address ckubu@oopen.de
# ^ckubu@oopen\.de$
#
# ---
# give trusted sender addresses here

15
roles/common/files/mailserver/etc/postfix/postfwd.wl-user Normal file
View File

@@ -0,0 +1,15 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# SASL Users whitelisted by postfwd
#
# example:
#
# # give trusted sasl usernames here
# ckubu@oopen.de
# vertrieb@akweb.de
#
# ---
# give trusted sasl usernames here