From: Frank Brehm Date: Sun, 14 Dec 2014 07:43:34 +0000 (+0100) Subject: Current state X-Git-Url: https://git.uhu-banane.de/?a=commitdiff_plain;h=27fe1f33e48dff1b42a08dc7cd8d851b7dcd8488;p=config%2Fhelga%2Fetc.git Current state --- diff --git a/ImageMagick-6/delegates.xml b/ImageMagick-6/delegates.xml index 77d1ae6..855352e 100644 --- a/ImageMagick-6/delegates.xml +++ b/ImageMagick-6/delegates.xml @@ -74,6 +74,8 @@ + + @@ -92,6 +94,7 @@ + @@ -100,9 +103,11 @@ - - + + + + @@ -116,12 +121,14 @@ - + - + + + diff --git a/amavisd.conf b/amavisd.conf index dbce9e1..0a04472 100644 --- a/amavisd.conf +++ b/amavisd.conf @@ -51,6 +51,7 @@ $syslog_facility = 'mail'; # Syslog facility as a string # e.g.: mail, daemon, user, local0, ... local7 $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) +# $enable_zmq = 1; # enable use of ZeroMQ (SNMP and nanny) $nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed $enable_dkim_verification = 0; # enable DKIM signatures verification $enable_dkim_signing = 0; # load DKIM signing code, keys defined by dkim_key @@ -145,9 +146,9 @@ $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; # $dspam = 'dspam'; $MAXLEVELS = 14; -$MAXFILES = 1500; +$MAXFILES = 3000; $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) -$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) +$MAX_EXPANSION_QUOTA = 500*1024*1024; # bytes (default undef, not enforced) $sa_spam_subject_tag = '***Spam*** '; $defang_virus = 1; # MIME-wrap passed infected mail @@ -209,8 +210,8 @@ $X_HEADER_TAG = 'X-Virus-Scanned'; # (default: 'X-Virus-Scanned') # REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS @keep_decoded_original_maps = (new_RE( - qr'^MAIL$', # retain full original message for virus checking - qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables + qr'^MAIL$', # let virus scanner see full original message + qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, # qr'^Zip archive data', # don't trust Archive::Zip )); @@ -340,45 +341,50 @@ $banned_filename_re = new_RE( @decoders = ( ['mail', \&do_mime_decode], ['asc', \&do_ascii], -# ['uue', \&do_ascii], -# ['hqx', \&do_ascii], -# ['ync', \&do_ascii], - ['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ], - ['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ], - ['gz', \&do_uncompress, 'gzip -d'], +# [[qw(asc uue hqx ync)], \&do_ascii], # not safe + ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ], + ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ], + ['gz', \&do_uncompress, 'gzip -d'], ['gz', \&do_gunzip], - ['bz2', \&do_uncompress, 'bzip2 -d'], - ['xz', \&Amavis::Unpackers::do_uncompress, + ['bz2', \&do_uncompress, 'bzip2 -d'], + ['xz', \&do_uncompress, ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ], - ['lzma', \&Amavis::Unpackers::do_uncompress, + ['lzma', \&do_uncompress, ['lzmadec', 'xz -dc --format=lzma', 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ], - ['lzo', \&do_uncompress, 'lzop -d'], - ['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ], - ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ], - ['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ], - ['deb', \&do_ar, 'ar'], - ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill - ['zip', \&do_unzip], - ['7z', \&do_7zip, ['7zr','7za','7z'] ], - ['rar', \&do_unrar, ['rar','unrar'] ], - ['arj', \&do_unarj, ['arj','unarj'] ], - ['arc', \&do_arc, ['nomarch','arc'] ], - ['zoo', \&do_zoo, ['zoo','unzoo'] ], - ['lha', \&do_lha, 'lha'], # unmaintained - security risk -# ['doc', \&do_ole, 'ripole'], - ['cab', \&do_cabextract, 'cabextract'], - ['tnef', \&do_tnef_ext, 'tnef'], + ['lrz', \&do_uncompress, + ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ], + ['lzo', \&do_uncompress, 'lzop -d'], + ['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ], + [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ], + # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio'] + ['deb', \&do_ar, 'ar'], +# ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill + ['rar', \&do_unrar, ['unrar', 'rar'] ], + ['arj', \&do_unarj, ['unarj', 'arj'] ], + ['arc', \&do_arc, ['nomarch', 'arc'] ], + ['zoo', \&do_zoo, ['zoo', 'unzoo'] ], + ['doc', \&do_ole, 'ripole'], + ['cab', \&do_cabextract, 'cabextract'], + ['tnef', \&do_tnef_ext, 'tnef'], ['tnef', \&do_tnef], -# ['sit', \&do_unstuff, 'unstuff'], # broken/unsafe decoder - ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ], +# ['lha', \&do_lha, 'lha'], # not safe, use 7z instead +# ['sit', \&do_unstuff, 'unstuff'], # not safe + [['zip','kmz'], \&do_7zip, ['7za', '7z'] ], + [['zip','kmz'], \&do_unzip], + ['7z', \&do_7zip, ['7zr', '7za', '7z'] ], + [[qw(7z zip gz bz2 Z tar)], + \&do_7zip, ['7za', '7z'] ], + [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], + \&do_7zip, '7z' ], + ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ], ); @av_scanners = ( # ### http://www.sophos.com/ -# ['Sophos-SSSP', +# ['Sophos-SSSP', # SAV Dynamic Interface # \&ask_daemon, ["{}", 'sssp:/var/run/savdi/sssp.sock'], # # or: ["{}", 'sssp:[127.0.0.1]:4010'], # qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ], @@ -575,9 +581,9 @@ $banned_filename_re = new_RE( # ### http://www.avast.com/ # ['avast! Antivirus daemon', -# \&ask_daemon, # greets with 220, terminate with QUIT +# \&ask_daemon, # greets with 220, terminate with QUIT # ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'], -# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t([^[ \t\015\012]+)/m ], +# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t[0-9]+\s+([^[ \t\015\012]+)/m ], # ### http://www.avast.com/ # ['avast! Antivirus - Client/Server Version', 'avastlite', @@ -812,18 +818,17 @@ $banned_filename_re = new_RE( # sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], -# Commented out because the name 'sweep' clashes with Debian and FreeBSD -# package/port of an audio editor. Make sure the correct 'sweep' is found -# in the path when enabling. -# -# ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl -# ['Sophos Anti Virus (sweep)', 'sweep', -# '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. -# '--no-reset-atime {}', -# [0,2], qr/Virus .*? found/m, -# qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m, -# ], -# # other options to consider: -idedir=/usr/local/sav + ### http://www.sophos.com/ + ['Sophos Anti Virus (savscan)', # formerly known as 'sweep' + ['/opt/sophos-av/bin/savscan', 'savscan'], # 'sweep' + '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. + '--no-reset-atime {}', + [0,2], qr/Virus .*? found/m, + qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m, + ], + # other options to consider: -idedir=/usr/local/sav + # A name 'sweep' clashes with a name of an audio editor (Debian and FreeBSD). + # Make sure the correct 'sweep' is found in the path if using the old name. # Always succeeds and considers mail clean. # Potentially useful when all other scanners fail and it is desirable diff --git a/apache2/modules.d/00_apache_manual.conf b/apache2/modules.d/00_apache_manual.conf index 4f6ae4f..71ae990 100644 --- a/apache2/modules.d/00_apache_manual.conf +++ b/apache2/modules.d/00_apache_manual.conf @@ -2,10 +2,12 @@ # http://yourserver.example.com/manual/ # The documentation is always available at # http://httpd.apache.org/docs/2.2/ + + -AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.27/manual$1" +AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apache-2.2.27-r4/manual$1" - + Options Indexes AllowOverride None Order allow,deny @@ -22,5 +24,7 @@ AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|pt-br))?(/.*)?$ "/usr/share/doc/apac ForceLanguagePriority Prefer Fallback + + # vim: ts=4 filetype=apache diff --git a/apache2/modules.d/00_default_settings.conf b/apache2/modules.d/00_default_settings.conf index c548b5b..9d1862a 100644 --- a/apache2/modules.d/00_default_settings.conf +++ b/apache2/modules.d/00_default_settings.conf @@ -120,8 +120,7 @@ LogLevel info # negotiated documents. The MultiViews Options can be used for the # same purpose, but it is much slower. # -# To add files to that list use AddDirectoryIndex in a custom config -# file. Do not change this entry unless you know what you are doing. +# Do not change this entry unless you know what you are doing. DirectoryIndex index.html index.html.var index.shtml index.htm diff --git a/apache2/modules.d/00_mod_autoindex.conf b/apache2/modules.d/00_mod_autoindex.conf index 8e34554..f03f25c 100644 --- a/apache2/modules.d/00_mod_autoindex.conf +++ b/apache2/modules.d/00_mod_autoindex.conf @@ -1,4 +1,6 @@ + + # We include the /icons/ alias for FancyIndexed directory listings. If # you do not use FancyIndexing, you may comment this out. @@ -86,6 +88,7 @@ HeaderName HEADER.html # IndexIgnore is a set of filenames which directory indexing should ignore # and not include in the listing. Shell-style wildcarding is permitted. IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t + # vim: ts=4 filetype=apache diff --git a/apache2/modules.d/40_mod_ssl.conf b/apache2/modules.d/40_mod_ssl.conf index 3d0a043..82df760 100644 --- a/apache2/modules.d/40_mod_ssl.conf +++ b/apache2/modules.d/40_mod_ssl.conf @@ -58,6 +58,10 @@ SSLSessionCacheTimeout 300 # Configure the path to the mutual exclusion semaphore the SSL engine uses # internally for inter-process synchronization. SSLMutex file:/var/run/ssl_mutex + +## SSL Compression: +# Known to be vulnerable thus disabled by default (bug #507324). +SSLCompression off # vim: ts=4 filetype=apache diff --git a/apache2/vhosts.d/00_default_ssl_vhost.conf b/apache2/vhosts.d/00_default_ssl_vhost.conf index 3ebe821..741e75f 100644 --- a/apache2/vhosts.d/00_default_ssl_vhost.conf +++ b/apache2/vhosts.d/00_default_ssl_vhost.conf @@ -32,10 +32,22 @@ NameVirtualHost *:443 # Enable/Disable SSL for this virtual host. SSLEngine on + ## SSLProtocol: + # Don't use SSLv2 anymore as it's considered to be broken security-wise. + # Also disable SSLv3 as most modern browsers are capable of TLS. + SSLProtocol ALL -SSLv2 -SSLv3 + ## SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. - SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL + # This list of ciphers is recommended by mozilla and was stripped off + # its RC4 ciphers. (bug #506924) + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK + + ## SSLHonorCipherOrder: + # Prefer the server's cipher preference order as the client may have a + # weak default order. + SSLHonorCipherOrder On ## Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If the certificate @@ -44,7 +56,7 @@ NameVirtualHost *:443 # and a DSA certificate you can configure both in parallel (to also allow # the use of DSA ciphers, etc.) #SSLCertificateFile /etc/ssl/apache2/server.crt - SSLCertificateFile /etc/apache2/ssl/myadmin-cert.pem + SSLCertificateFile /etc/apache2/ssl/myadmin-cert.pem ## Server Private Key: # If the key is not combined with the certificate, use this directive to @@ -52,7 +64,7 @@ NameVirtualHost *:443 # private key you can configure both in parallel (to also allow the use of # DSA ciphers, etc.) #SSLCertificateKeyFile /etc/ssl/apache2/server.key - SSLCertificateKeyFile /etc/apache2/ssl/myadmin-cert.pem + SSLCertificateKeyFile /etc/apache2/ssl/myadmin-cert.pem ## Server Certificate Chain: # Point SSLCertificateChainFile at a file containing the concatenation of diff --git a/apache2/vhosts.d/11-books-nossl.conf b/apache2/vhosts.d/11-books-nossl.conf index 94bef70..5ec32ef 100644 --- a/apache2/vhosts.d/11-books-nossl.conf +++ b/apache2/vhosts.d/11-books-nossl.conf @@ -1,7 +1,7 @@ - - - Include /etc/apache2/vhosts.d/books_vhost.include - - +# +# +# Include /etc/apache2/vhosts.d/books_vhost.include +# +# # vim: ts=4 filetype=apache expandtab fileencoding=utf-8 diff --git a/apache2/vhosts.d/11-books-ssl.conf b/apache2/vhosts.d/11-books-ssl.conf index 50ffe89..f6a1b63 100644 --- a/apache2/vhosts.d/11-books-ssl.conf +++ b/apache2/vhosts.d/11-books-ssl.conf @@ -1,38 +1,38 @@ - - - - - - Include /etc/apache2/vhosts.d/books_vhost.include - - #TransferLog /var/log/apache2/ssl_access_log - CustomLog /var/log/apache2/ssl_access.log full - - - SSLEngine on - SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - SSLCertificateFile /etc/apache2/ssl/myadmin-cert.pem - SSLCertificateKeyFile /etc/apache2/ssl/myadmin-cert.pem - - - SSLOptions +StdEnvVars - - - - SSLOptions +StdEnvVars - - - - BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 - - - - CustomLog /var/log/apache2/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - - - - - - +# +# +# +# +# +# Include /etc/apache2/vhosts.d/books_vhost.include +# +# #TransferLog /var/log/apache2/ssl_access_log +# CustomLog /var/log/apache2/ssl_access.log full +# +# +# SSLEngine on +# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL +# SSLCertificateFile /etc/apache2/ssl/myadmin-cert.pem +# SSLCertificateKeyFile /etc/apache2/ssl/myadmin-cert.pem +# +# +# SSLOptions +StdEnvVars +# +# +# +# SSLOptions +StdEnvVars +# +# +# +# BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 +# +# +# +# CustomLog /var/log/apache2/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" +# +# +# +# +# +# # vim: ts=4 filetype=apache expandtab fileencoding=utf-8 diff --git a/bash/bashrc b/bash/bashrc index df6b0b8..7b7aa6e 100644 --- a/bash/bashrc +++ b/bash/bashrc @@ -40,7 +40,7 @@ shopt -s histappend # Change the window title of X terminals case ${TERM} in - xterm*|rxvt*|Eterm*|aterm|kterm|gnome*|interix) + xterm*|rxvt*|Eterm*|aterm|kterm|gnome*|interix|konsole*) PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"' ;; screen*) diff --git a/bash_completion.d/bash-builtins b/bash_completion.d/bash-builtins deleted file mode 120000 index 648ed6d..0000000 --- a/bash_completion.d/bash-builtins +++ /dev/null @@ -1 +0,0 @@ -../../usr/share/bash-completion/bash-builtins \ No newline at end of file diff --git a/bash_completion.d/bind-utils b/bash_completion.d/bind-utils deleted file mode 120000 index 39eddb3..0000000 --- a/bash_completion.d/bind-utils +++ /dev/null @@ -1 +0,0 @@ -../../usr/share/bash-completion/bind-utils \ No newline at end of file diff --git a/bash_completion.d/coreutils b/bash_completion.d/coreutils deleted file mode 120000 index 56ce8c1..0000000 --- a/bash_completion.d/coreutils +++ /dev/null @@ -1 +0,0 @@ -../../usr/share/bash-completion/coreutils \ No newline at end of file diff --git a/bash_completion.d/e2fsprogs b/bash_completion.d/e2fsprogs deleted file mode 120000 index 626e75a..0000000 --- a/bash_completion.d/e2fsprogs +++ /dev/null @@ -1 +0,0 @@ -../../usr/share/bash-completion/e2fsprogs \ No newline at end of file diff --git a/bash_completion.d/figlet b/bash_completion.d/figlet deleted file mode 120000 index 53d0f8d..0000000 --- a/bash_completion.d/figlet +++ /dev/null @@ -1 +0,0 @@ -../../usr/share/bash-completion/figlet \ No newline at end of file diff --git a/bash_completion.d/findutils b/bash_completion.d/findutils deleted file mode 120000 index 1ce8b52..0000000 --- a/bash_completion.d/findutils +++ /dev/null @@ -1 +0,0 @@ -../../usr/share/bash-completion/findutils \ No newline at end of file diff --git a/bash_completion.d/fuse b/bash_completion.d/fuse deleted file mode 120000 index 4cb39f7..0000000 --- a/bash_completion.d/fuse +++ /dev/null @@ -1 +0,0 @@ -../../usr/share/bash-completion/fuse \ No newline at end of file diff --git a/bash_completion.d/imagemagick b/bash_completion.d/imagemagick deleted file mode 120000 index b39e61b..0000000 --- a/bash_completion.d/imagemagick +++ /dev/null @@ -1 +0,0 @@ -../../usr/share/bash-completion/imagemagick \ No newline at end of file diff --git a/bash_completion.d/iproute2 b/bash_completion.d/iproute2 deleted file mode 120000 index 31560bb..0000000 --- a/bash_completion.d/iproute2 +++ /dev/null @@ -1 +0,0 @@ -../../usr/share/bash-completion/iproute2 \ No newline at end of file diff --git a/bash_completion.d/net-tools b/bash_completion.d/net-tools deleted file mode 120000 index 8a73a24..0000000 --- a/bash_completion.d/net-tools +++ /dev/null @@ -1 +0,0 @@ -../../usr/share/bash-completion/net-tools \ No newline at end of file diff --git a/bash_completion.d/procps b/bash_completion.d/procps deleted file mode 120000 index 13ea167..0000000 --- a/bash_completion.d/procps +++ /dev/null @@ -1 +0,0 @@ -../../usr/share/bash-completion/procps \ No newline at end of file diff --git a/bash_completion.d/util-linux b/bash_completion.d/util-linux deleted file mode 120000 index 5e4c72e..0000000 --- a/bash_completion.d/util-linux +++ /dev/null @@ -1 +0,0 @@ -../../usr/share/bash-completion/util-linux \ No newline at end of file diff --git a/bind/named.conf b/bind/named.conf index 3c7d43a..c7275cf 100644 --- a/bind/named.conf +++ b/bind/named.conf @@ -8,6 +8,17 @@ //# von: frank@brehm-online.com //# //############################################################### +/* + * Refer to the named.conf(5) and named(8) man pages, and the documentation + * in /usr/share/doc/bind-* for more details. + * Online versions of the documentation can be found here: + * https://kb.isc.org/article/AA-01031 + * + * If you are going to set up an authoritative server, make sure you + * understand the hairy details of how DNS works. Even with simple mistakes, + * you can break connectivity for affected parties, or cause huge amounts of + * useless Internet traffic. + */ diff --git a/bind/named.conf.orig b/bind/named.conf.orig index 20dfa79..39f9be2 100644 --- a/bind/named.conf.orig +++ b/bind/named.conf.orig @@ -1,8 +1,8 @@ /* * Refer to the named.conf(5) and named(8) man pages, and the documentation - * in /usr/share/doc/bind-9 for more details. + * in /usr/share/doc/bind-* for more details. * Online versions of the documentation can be found here: - * http://www.isc.org/software/bind/documentation + * https://kb.isc.org/article/AA-01031 * * If you are going to set up an authoritative server, make sure you * understand the hairy details of how DNS works. Even with simple mistakes, @@ -28,7 +28,7 @@ acl "trusted" { options { directory "/var/bind"; - pid-file "/var/run/named/named.pid"; + pid-file "/run/named/named.pid"; /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */ //bindkeys-file "/etc/bind/bind.keys"; @@ -87,9 +87,16 @@ options { */ - //dnssec-enable yes; + dnssec-enable yes; //dnssec-validation yes; + /* + * As of bind 9.8.0: + * "If the root key provided has expired, + * named will log the expiration and validation will not work." + */ + dnssec-validation auto; + /* if you have problems and are behind a firewall: */ //query-source address * port 53; }; @@ -115,7 +122,7 @@ controls { zone "." in { type hint; - file "/var/bind/root.cache"; + file "/var/bind/named.cache"; }; zone "localhost" IN { @@ -124,12 +131,6 @@ zone "localhost" IN { notify no; }; -zone "127.in-addr.arpa" IN { - type master; - file "pri/127.zone"; - notify no; -}; - /* * Briefly, a zone which has been declared delegation-only will be effectively * limited to containing NS RRs for subdomains, but no actual data beyond its diff --git a/clamd.conf b/clamd.conf index 6f85c57..6e5ef32 100644 --- a/clamd.conf +++ b/clamd.conf @@ -103,7 +103,8 @@ LocalSocket /var/run/clamav/clamd.sock # TCP address. # By default we bind to INADDR_ANY, probably not wise. # Enable the following to provide some degree of protection -# from the outside world. +# from the outside world. This option can be specified multiple +# times if you want to listen on multiple IPs. IPv6 is now supported. # Default: no #TCPAddr 127.0.0.1 @@ -246,6 +247,12 @@ AllowSupplementaryGroups yes # when the LeaveTemporaryFiles option is enabled. #ForceToDisk yes +# This option allows you to disable the caching feature of the engine. By +# default, the engine will store an MD5 in a cache of any files that are +# not flagged as virus or that hit limits checks. Disabling the cache will +# have a negative performance impact on large scans. +# Default: no +#DisableCache yes ## ## Executable files @@ -350,6 +357,10 @@ AllowSupplementaryGroups yes # Default: no #PhishingAlwaysBlockCloak no +# Detect partition intersections in raw disk images using heuristics. +# Default: no +#PartitionIntersection no + # Allow heuristic match to take precedence. # When enabled, if a heuristic scan (such as phishingScan) detects # a possible virus/phish it will stop scan immediately. Recommended, saves CPU @@ -497,6 +508,19 @@ AllowSupplementaryGroups yes # Default: 1M #MaxZipTypeRcg 1M +# This option sets the maximum number of partitions of a raw disk image to be scanned. +# Raw disk images with more partitions than this value will have up to the value number +# partitions scanned. Negative values are not allowed. +# Note: setting this limit too high may result in severe damage or impact performance. +# Default: 50 +#MaxPartitions 128 + +# This option sets the maximum number of icons within a PE to be scanned. +# PE files with more icons than this value will have up to the value number icons scanned. +# Negative values are not allowed. +# WARNING: setting this limit too high may result in severe damage or impact performance. +# Default: 100 +#MaxIconsPE 200 ## ## On-access Scan Settings @@ -558,3 +582,23 @@ AllowSupplementaryGroups yes # # Default: 5000 # BytecodeTimeout 1000 + +## +## Statistics gathering and submitting +## + +# Enable statistical reporting. +# Default: no +#StatsEnabled yes + +# Disable submission of individual PE sections for files flagged as malware. +# Default: no +#StatsPEDisabled yes + +# HostID in the form of an UUID to use when submitting statistical information. +# Default: auto +#StatsHostID auto + +# Time in seconds to wait for the stats server to come back with a response +# Default: 10 +#StatsTimeout 10 diff --git a/conf.d/fail2ban b/conf.d/fail2ban new file mode 100644 index 0000000..00d19f8 --- /dev/null +++ b/conf.d/fail2ban @@ -0,0 +1,8 @@ +# Config file for /etc/init.d/fail2ban +# +# For information on options, see "/usr/bin/fail2ban-client -h". + +FAIL2BAN_OPTIONS="" + +# Force execution of the server even if the socket already exists: +#FAIL2BAN_OPTIONS="-x" diff --git a/conf.d/iperf b/conf.d/iperf deleted file mode 100644 index adf2389..0000000 --- a/conf.d/iperf +++ /dev/null @@ -1,6 +0,0 @@ -# Copyright 1999-2005 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/iperf/files/iperf.confd,v 1.1 2005/01/23 10:52:13 ka0ttic Exp $ - -# extra options (run iperf -h for a list of supported options) -IPERF_OPTS="--format Mbytes" diff --git a/conf.d/mysql b/conf.d/mysql index df4c3a4..953575b 100644 --- a/conf.d/mysql +++ b/conf.d/mysql @@ -1,6 +1,6 @@ -# Copyright 1999-2011 Gentoo Foundation +# Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/dev-db/mysql-init-scripts/files/mysql-5.1.53-conf.d,v 1.2 2011/01/15 17:54:31 robbat2 Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-db/mysql-init-scripts/files/conf.d-2.0,v 1.1 2014/08/21 03:08:13 grknight Exp $ # If you want a non-stock location for the config file, uncomment or update # either of these as needed. If you do use it, you must make sure that none of diff --git a/conf.d/named b/conf.d/named index 0450d5b..477a480 100644 --- a/conf.d/named +++ b/conf.d/named @@ -26,7 +26,7 @@ #CHROOT_NOCHECK=1 # Default pid file location -PIDFILE="${CHROOT}/var/run/named/named.pid" +PIDFILE="${CHROOT}/run/named/named.pid" # Scheduling priority: 19 is the lowest and -20 is the highest. # Default: 0 diff --git a/conf.d/postgrey b/conf.d/postgrey index c88be74..a269be2 100644 --- a/conf.d/postgrey +++ b/conf.d/postgrey @@ -2,7 +2,7 @@ # LISTEN TYPE # Set to 'inet' if you want to use a TCP socket. -# Set to 'unix' if you want to use an UNIX socket. +# Set to 'unix' if you want to use a UNIX socket. POSTGREY_TYPE="unix" # HOST diff --git a/conf.d/pydoc-3.4 b/conf.d/pydoc-3.4 new file mode 100644 index 0000000..7beefff --- /dev/null +++ b/conf.d/pydoc-3.4 @@ -0,0 +1,7 @@ +# /etc/init.d/pydoc.conf +# $Header: /var/cvsroot/gentoo-x86/dev-lang/python/files/pydoc.conf,v 1.3 2011/10/27 13:56:55 neurogeek Exp $ + +# This file contains the configuration for pydoc's internal webserver. + +# Default port for Python's pydoc server. +PYDOC3_4_PORT="7464" diff --git a/config-archive/etc/amavisd.conf b/config-archive/etc/amavisd.conf index 2f797ae..dbce9e1 100644 --- a/config-archive/etc/amavisd.conf +++ b/config-archive/etc/amavisd.conf @@ -398,16 +398,16 @@ $banned_filename_re = new_RE( # qr/^(?:310|420)[,\s]*(?:.* <<< )?(.+?)(?: ; |$)/m ], # settings for the SAVAPI3.conf: ArchiveScan=1, HeurLevel=2, MailboxScan=1 -### http://www.clamav.net/ +# ### http://www.clamav.net/ ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"], qr/\bOK$/m, qr/\bFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], # NOTE: run clamd under the same user as amavisd - or run it under its own -# # uid such as clamav, add user clamav to the amavis group, and then add -# # AllowSupplementaryGroups to clamd.conf; -# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in -# # this entry; when running chrooted one may prefer a socket under $MYHOME. +# uid such as clamav, add user clamav to the amavis group, and then add +# AllowSupplementaryGroups to clamd.conf; +# NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in +# this entry; when running chrooted one may prefer a socket under $MYHOME. # ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred) # # note that Mail::ClamAV requires perl to be build with threading! @@ -428,7 +428,7 @@ $banned_filename_re = new_RE( # ### http://www.grisoft.com/ # ['AVG Anti-Virus', # \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'], -# qr/^200/m, qr/^403/m, qr/^403 .*?: ([^\r\n]+)/m ], +# qr/^200/m, qr/^403/m, qr/^403[- ].*: ([^\r\n]+)/m ], # ### http://www.f-prot.com/ # ['F-Prot fpscand', # F-PROT Antivirus for BSD/Linux/Solaris, version 6 @@ -555,18 +555,20 @@ $banned_filename_re = new_RE( qr/^(?:Info|Virus Name):\s+(.+)/m ], # NOTE: check options and patterns to see which entry better applies -# ### http://www.f-secure.com/products/anti-virus/ version 4.65 +# ### http://www.f-secure.com/products/anti-virus/ version 5.52 # ['F-Secure Antivirus for Linux servers', # ['/opt/f-secure/fsav/bin/fsav', 'fsav'], -# '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '. -# '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8], -# qr/(?:infection|Infected|Suspected): (.+)/m ], - - ### http://www.f-secure.com/products/anti-virus/ version 5.52 - ['F-Secure Antivirus for Linux servers', +# '--virus-action1=report --archive=yes --auto=yes '. +# '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8], +# qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ], +# # NOTE: internal archive handling may be switched off by '--archive=no' +# # to prevent fsav from exiting with status 9 on broken archives + + ### http://www.f-secure.com/ version 9.14 + ['F-Secure Linux Security', ['/opt/f-secure/fsav/bin/fsav', 'fsav'], '--virus-action1=report --archive=yes --auto=yes '. - '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8], + '--list=no --nomimeerr {}', [0], [3,4,6,8], qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ], # NOTE: internal archive handling may be switched off by '--archive=no' # to prevent fsav from exiting with status 9 on broken archives diff --git a/config-archive/etc/amavisd.conf.1 b/config-archive/etc/amavisd.conf.1 new file mode 100644 index 0000000..2f797ae --- /dev/null +++ b/config-archive/etc/amavisd.conf.1 @@ -0,0 +1,834 @@ +use strict; + +# a minimalistic configuration file for amavisd-new with all necessary settings +# +# see amavisd.conf-default for a list of all variables with their defaults; +# for more details see documentation in INSTALL, README_FILES/* +# and at http://www.ijs.si/software/amavisd/amavisd-new-docs.html + + +# COMMONLY ADJUSTED SETTINGS: + +# @bypass_virus_checks_maps = (1); # controls running of anti-virus code +# @bypass_spam_checks_maps = (1); # controls running of anti-spam code +# $bypass_decode_parts = 1; # controls running of decoders&dearchivers + +$max_servers = 2; # num of pre-forked children (2..30 is common), -m +$max_requests = 20; # retire a child after that many accepts (default 20) + +$child_timeout=5*60; # abort child if it does not complete its processing in + # approximately n seconds (default: 8*60 seconds) + +$smtpd_timeout = 120; # disconnect session if client is idle for too long + # (default: 8*60 seconds); should be higher than a + # Postfix setting max_idle (default 100s) + +$daemon_user = 'amavis'; # (no default; customary: vscan or amavis), -u +$daemon_group = 'amavis'; # (no default; customary: vscan or amavis), -g + +$mydomain = 'brehm-online.com'; # a convenient default for other settings + +# $MYHOME = '/var/amavis'; # a convenient default for other settings, -H +$TEMPBASE = "$MYHOME/tmp"; # working directory, needs to exist, -T +$ENV{TMPDIR} = $TEMPBASE; # environment variable TMPDIR, used by SA, etc. +$QUARANTINEDIR = "$MYHOME/quarantine"; # -Q +# $quarantine_subdir_levels = 1; # add level of subdirs to disperse quarantine +# $release_format = 'resend'; # 'attach', 'plain', 'resend' +# $report_format = 'arf'; # 'attach', 'plain', 'resend', 'arf' + +# $daemon_chroot_dir = $MYHOME; # chroot directory or undef, -R + +# $db_home = "$MYHOME/db"; # dir for bdb nanny/cache/snmp databases, -D +# $helpers_home = "$MYHOME/var"; # working directory for SpamAssassin, -S +# $lock_file = "$MYHOME/var/amavisd.lock"; # -L +# $pid_file = "$MYHOME/var/amavisd.pid"; # -P +#NOTE: create directories $MYHOME/tmp, $MYHOME/var, $MYHOME/db manually + +$log_level = 0; # verbosity 0..5, -d +$log_recip_templ = undef; # disable by-recipient level-0 log entries +$do_syslog = 1; # log via syslogd (preferred) +$syslog_facility = 'mail'; # Syslog facility as a string + # e.g.: mail, daemon, user, local0, ... local7 + +$enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) +$nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed +$enable_dkim_verification = 0; # enable DKIM signatures verification +$enable_dkim_signing = 0; # load DKIM signing code, keys defined by dkim_key + +@auth_mech_avail = qw(PLAIN LOGIN); +$auth_required_inp = 0; +$auth_required_out = 0; + +@local_domains_maps = ( [".$mydomain"] ); # list of all local domains + +@mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10 + 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ); + +$unix_socketname = "$MYHOME/amavisd.sock"; # amavisd-release or amavis-milter + # option(s) -p overrides $inet_socket_port and $unix_socketname + +$inet_socket_port = 10024; # listen on this local TCP port(s) +# $inet_socket_port = [10024,10026]; # listen on multiple TCP ports +@inet_acl = qw(127.0.0.1 [::1]); # allow SMTP access only from localhost IP + # (default is qw(127.0.0.1 [::1]) ) + +$policy_bank{'MYNETS'} = { # mail originating from @mynetworks + originating => 1, # is true in MYNETS by default, but let's make it explicit + os_fingerprint_method => undef, # don't query p0f for internal clients +}; + +# it is up to MTA to re-route mail from authenticated roaming users or +# from internal hosts to a dedicated TCP port (such as 10026) for filtering +$interface_policy{'10026'} = 'ORIGINATING'; + +$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users + originating => 1, # declare that mail was submitted by our smtp client + allow_disclaimers => 1, # enables disclaimer insertion if available + # notify administrator of locally originating malware + virus_admin_maps => ["virusalert\@$mydomain"], + spam_admin_maps => ["virusalert\@$mydomain"], + warnbadhsender => 1, + # forward to a smtpd service providing DKIM signing service + forward_method => 'smtp:[127.0.0.1]:10027', + # force MTA conversion to 7-bit (e.g. before DKIM signing) + smtpd_discard_ehlo_keywords => ['8BITMIME'], + bypass_banned_checks_maps => [1], # allow sending any file names and types + terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option +}; + +$interface_policy{'SOCK'} = 'AM.PDP-SOCK'; # only applies with $unix_socketname + +# Use with amavis-release over a socket or with Petr Rehor's amavis-milter.c +# (with amavis-milter.c from this package or old amavis.c client use 'AM.CL'): +$policy_bank{'AM.PDP-SOCK'} = { + protocol => 'AM.PDP', + auth_required_release => 0, # do not require secret_id for amavisd-release +}; + +$sa_tag_level_deflt = 2.0; # add spam info headers if at, or above that level +$sa_tag2_level_deflt = 6.2; # add 'spam detected' headers at that level +$sa_kill_level_deflt = 6.9; # triggers spam evasive actions (e.g. blocks mail) +$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent +$sa_crediblefrom_dsn_cutoff_level = 18; # likewise, but for a likely valid From +# $sa_quarantine_cutoff_level = 25; # spam level beyond which quarantine is off +$penpals_bonus_score = 8; # (no effect without a @storage_sql_dsn database) +$penpals_threshold_high = $sa_kill_level_deflt; # don't waste time on hi spam +$bounce_killer_score = 100; # spam score points to add for joe-jobbed bounces + +$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger +$sa_local_tests_only = 0; # only tests which do not require internet access? + +# @lookup_sql_dsn = +# ( ['DBI:mysql:database=mail;host=127.0.0.1;port=3306', 'user1', 'passwd1'], +# ['DBI:mysql:database=mail;host=host2', 'username2', 'password2'], +# ["DBI:SQLite:dbname=$MYHOME/sql/mail_prefs.sqlite", '', ''] ); +# @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database + +# $timestamp_fmt_mysql = 1; # if using MySQL *and* msgs.time_iso is TIMESTAMP; +# defaults to 0, which is good for non-MySQL or if msgs.time_iso is CHAR(16) + +$virus_admin = "virusalert\@$mydomain"; # notifications recip. + +$mailfrom_notify_admin = "virusalert\@$mydomain"; # notifications sender +$mailfrom_notify_recip = "virusalert\@$mydomain"; # notifications sender +$mailfrom_notify_spamadmin = "spam.police\@$mydomain"; # notifications sender +$mailfrom_to_quarantine = ''; # null return path; uses original sender if undef + +@addr_extension_virus_maps = ('virus'); +@addr_extension_banned_maps = ('banned'); +@addr_extension_spam_maps = ('spam'); +@addr_extension_bad_header_maps = ('badh'); +# $recipient_delimiter = '+'; # undef disables address extensions altogether +# when enabling addr extensions do also Postfix/main.cf: recipient_delimiter=+ + +$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; +# $dspam = 'dspam'; + +$MAXLEVELS = 14; +$MAXFILES = 1500; +$MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) +$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) + +$sa_spam_subject_tag = '***Spam*** '; +$defang_virus = 1; # MIME-wrap passed infected mail +$defang_banned = 1; # MIME-wrap passed mail containing banned name +# for defanging bad headers only turn on certain minor contents categories: +$defang_by_ccat{CC_BADH.",3"} = 1; # NUL or CR character in header +$defang_by_ccat{CC_BADH.",5"} = 1; # header line longer than 998 characters +$defang_by_ccat{CC_BADH.",6"} = 1; # header field syntax error + + +# OTHER MORE COMMON SETTINGS (defaults may suffice): + +# $myhostname = 'host.example.com'; # must be a fully-qualified domain name! +$myhostname = 'helga.brehm-online.com'; + +# $notify_method = 'smtp:[127.0.0.1]:10025'; +# $forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter! + +# $final_virus_destiny = D_DISCARD; +# $final_banned_destiny = D_DISCARD; +# $final_spam_destiny = D_PASS; #!!! D_DISCARD / D_REJECT +# $final_bad_header_destiny = D_PASS; +# $bad_header_quarantine_method = undef; +$final_virus_destiny = D_REJECT; +$final_banned_destiny = D_REJECT; +$final_spam_destiny = D_REJECT; +$final_bad_header_destiny = D_PASS; + +# $os_fingerprint_method = 'p0f:*:2345'; # to query p0f-analyzer.pl + +## hierarchy by which a final setting is chosen: +## policy bank (based on port or IP address) -> *_by_ccat +## *_by_ccat (based on mail contents) -> *_maps +## *_maps (based on recipient address) -> final configuration value + + +# SOME OTHER VARIABLES WORTH CONSIDERING (see amavisd.conf-default for all) + +# Add X-Virus-Scanned header field to mail? +$X_HEADER_TAG = 'X-Virus-Scanned'; # (default: 'X-Virus-Scanned') + +# $warnbadhsender, +# $warnvirusrecip, $warnbannedrecip, $warnbadhrecip, (or @warn*recip_maps) +# +# @bypass_virus_checks_maps, @bypass_spam_checks_maps, +# @bypass_banned_checks_maps, @bypass_header_checks_maps, +# +# @virus_lovers_maps, @spam_lovers_maps, +# @banned_files_lovers_maps, @bad_header_lovers_maps, +# +# @blacklist_sender_maps, @score_sender_maps, +# +# $clean_quarantine_method, $virus_quarantine_to, $banned_quarantine_to, +# $bad_header_quarantine_to, $spam_quarantine_to, +# +# $defang_bad_header, $defang_undecipherable, $defang_spam + + +# REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS + +@keep_decoded_original_maps = (new_RE( + qr'^MAIL$', # retain full original message for virus checking + qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables + qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, +# qr'^Zip archive data', # don't trust Archive::Zip +)); + + +$banned_filename_re = new_RE( + +### BLOCKED ANYWHERE +# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components + qr'^\.(exe-ms|dll)$', # banned file(1) types, rudimentary +# qr'^\.(exe|lha|cab|dll)$', # banned file(1) types + +### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES: +# [ qr'^\.(gz|bz2)$' => 0 ], # allow any in gzip or bzip2 + [ qr'^\.(rpm|cpio|tar)$' => 0 ], # allow any in Unix-type archives + + qr'.\.(pif|scr)$'i, # banned extensions - rudimentary +# qr'^\.zip$', # block zip type + +### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES: +# [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ], # allow any within these archives + + qr'^application/x-msdownload$'i, # block these MIME types + qr'^application/x-msdos-program$'i, + qr'^application/hta$'i, + +# qr'^message/partial$'i, # rfc2046 MIME type +# qr'^message/external-body$'i, # rfc2046 MIME type + +# qr'^(application/x-msmetafile|image/x-wmf)$'i, # Windows Metafile MIME type +# qr'^\.wmf$', # Windows Metafile file(1) type + + # block certain double extensions in filenames + qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i, + +# qr'\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?'i, # Class ID CLSID, strict +# qr'\{[0-9a-z]{4,}(-[0-9a-z]{4,}){0,7}\}?'i, # Class ID extension CLSID, loose + + qr'.\.(exe|vbs|pif|scr|cpl)$'i, # banned extension - basic +# qr'.\.(exe|vbs|pif|scr|cpl|bat|cmd|com)$'i, # banned extension - basic+cmd +# qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|crt|emf|exe|fxp|grp|hlp|hta| +# inf|ini|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi| +# msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd| +# wmf|wsc|wsf|wsh)$'ix, # banned extensions - long +# qr'.\.(asd|asf|asx|url|vcs|wmd|wmz)$'i, # consider also +# qr'.\.(ani|cur|ico)$'i, # banned cursors and icons filename +# qr'^\.ani$', # banned animated cursor file(1) type +# qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i, # banned extension - WinZip vulnerab. +); +# See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262631 +# and http://www.cknow.com/vtutor/vtextensions.htm + + +# ENVELOPE SENDER SOFT-WHITELISTING / SOFT-BLACKLISTING + +@score_sender_maps = ({ # a by-recipient hash lookup table, + # results from all matching recipient tables are summed + +# ## per-recipient personal tables (NOTE: positive: black, negative: white) +# 'user1@example.com' => [{'bla-mobile.press@example.com' => 10.0}], +# 'user3@example.com' => [{'.ebay.com' => -3.0}], +# 'user4@example.com' => [{'cleargreen@cleargreen.com' => -7.0, +# '.cleargreen.com' => -5.0}], + + ## site-wide opinions about senders (the '.' matches any recipient) + '.' => [ # the _first_ matching sender determines the score boost + + new_RE( # regexp-type lookup table, just happens to be all soft-blacklist + [qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou)@'i => 5.0], + [qr'^(greatcasino|investments|lose_weight_today|market\.alert)@'i=> 5.0], + [qr'^(money2you|MyGreenCard|new\.tld\.registry|opt-out|opt-in)@'i=> 5.0], + [qr'^(optin|saveonlsmoking2002k|specialoffer|specialoffers)@'i => 5.0], + [qr'^(stockalert|stopsnoring|wantsome|workathome|yesitsfree)@'i => 5.0], + [qr'^(your_friend|greatoffers)@'i => 5.0], + [qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i => 5.0], + [qr'@strato(?:-rz)\.de$'i => -5.0 ], + [qr'^Doris\.Hennig@BA-MH\.Verwalt-Berlin\.de$'i => -5.0 ], + [qr'^doris@hennig-berlin\.org$'i => -5.0 ], + ), + +# read_hash("/var/amavis/sender_scores_sitewide"), + + { # a hash-type lookup table (associative array) + 'nobody@cert.org' => -3.0, + 'cert-advisory@us-cert.gov' => -3.0, + 'owner-alert@iss.net' => -3.0, + 'slashdot@slashdot.org' => -3.0, + 'securityfocus.com' => -3.0, + 'ntbugtraq@listserv.ntbugtraq.com' => -3.0, + 'security-alerts@linuxsecurity.com' => -3.0, + 'mailman-announce-admin@python.org' => -3.0, + 'amavis-user-admin@lists.sourceforge.net'=> -3.0, + 'amavis-user-bounces@lists.sourceforge.net' => -3.0, + 'spamassassin.apache.org' => -3.0, + 'notification-return@lists.sophos.com' => -3.0, + 'owner-postfix-users@postfix.org' => -3.0, + 'owner-postfix-announce@postfix.org' => -3.0, + 'owner-sendmail-announce@lists.sendmail.org' => -3.0, + 'sendmail-announce-request@lists.sendmail.org' => -3.0, + 'donotreply@sendmail.org' => -3.0, + 'ca+envelope@sendmail.org' => -3.0, + 'noreply@freshmeat.net' => -3.0, + 'owner-technews@postel.acm.org' => -3.0, + 'ietf-123-owner@loki.ietf.org' => -3.0, + 'cvs-commits-list-admin@gnome.org' => -3.0, + 'rt-users-admin@lists.fsck.com' => -3.0, + 'clp-request@comp.nus.edu.sg' => -3.0, + 'surveys-errors@lists.nua.ie' => -3.0, + 'emailnews@genomeweb.com' => -5.0, + 'yahoo-dev-null@yahoo-inc.com' => -3.0, + 'returns.groups.yahoo.com' => -3.0, + 'clusternews@linuxnetworx.com' => -3.0, + lc('lvs-users-admin@LinuxVirtualServer.org') => -3.0, + lc('owner-textbreakingnews@CNNIMAIL12.CNN.COM') => -5.0, + 'niels@google.com' => -3.0, + 'kameu@gmx.de' => -3.0, + + # soft-blacklisting (positive score) + 'sender@example.net' => 3.0, + '.example.net' => 1.0, + + }, + ], # end of site-wide tables +}); + + +@decoders = ( + ['mail', \&do_mime_decode], + ['asc', \&do_ascii], +# ['uue', \&do_ascii], +# ['hqx', \&do_ascii], +# ['ync', \&do_ascii], + ['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ], + ['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ], + ['gz', \&do_uncompress, 'gzip -d'], + ['gz', \&do_gunzip], + ['bz2', \&do_uncompress, 'bzip2 -d'], + ['xz', \&Amavis::Unpackers::do_uncompress, + ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ], + ['lzma', \&Amavis::Unpackers::do_uncompress, + ['lzmadec', 'xz -dc --format=lzma', + 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ], + ['lzo', \&do_uncompress, 'lzop -d'], + ['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ], + ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ], + ['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ], + ['deb', \&do_ar, 'ar'], + ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill + ['zip', \&do_unzip], + ['7z', \&do_7zip, ['7zr','7za','7z'] ], + ['rar', \&do_unrar, ['rar','unrar'] ], + ['arj', \&do_unarj, ['arj','unarj'] ], + ['arc', \&do_arc, ['nomarch','arc'] ], + ['zoo', \&do_zoo, ['zoo','unzoo'] ], + ['lha', \&do_lha, 'lha'], # unmaintained - security risk +# ['doc', \&do_ole, 'ripole'], + ['cab', \&do_cabextract, 'cabextract'], + ['tnef', \&do_tnef_ext, 'tnef'], + ['tnef', \&do_tnef], +# ['sit', \&do_unstuff, 'unstuff'], # broken/unsafe decoder + ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ], +); + + +@av_scanners = ( + +# ### http://www.sophos.com/ +# ['Sophos-SSSP', +# \&ask_daemon, ["{}", 'sssp:/var/run/savdi/sssp.sock'], +# # or: ["{}", 'sssp:[127.0.0.1]:4010'], +# qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ], + +# ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/) +# ['Sophie', +# \&ask_daemon, ["{}/\n", 'sophie:/var/run/sophie'], +# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/, +# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], + +# ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/ +# ['Sophos SAVI', \&ask_daemon, ['{}','savi-perl:'] ], + +# ['Avira SAVAPI', +# \&ask_daemon, ["*", 'savapi:/var/tmp/.savapi3', 'product-id'], +# qr/^(200|210)/m, qr/^(310|420|319)/m, +# qr/^(?:310|420)[,\s]*(?:.* <<< )?(.+?)(?: ; |$)/m ], +# settings for the SAVAPI3.conf: ArchiveScan=1, HeurLevel=2, MailboxScan=1 + +### http://www.clamav.net/ +['ClamAV-clamd', + \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"], + qr/\bOK$/m, qr/\bFOUND$/m, + qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], +# NOTE: run clamd under the same user as amavisd - or run it under its own +# # uid such as clamav, add user clamav to the amavis group, and then add +# # AllowSupplementaryGroups to clamd.conf; +# # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in +# # this entry; when running chrooted one may prefer a socket under $MYHOME. + +# ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred) +# # note that Mail::ClamAV requires perl to be build with threading! +# ['Mail::ClamAV', \&ask_daemon, ['{}','clamav-perl:'], +# [0], [1], qr/^INFECTED: (.+)/m], + +# ### http://www.openantivirus.org/ +# ['OpenAntiVirus ScannerDaemon (OAV)', +# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'], +# qr/^OK/m, qr/^FOUND: /m, qr/^FOUND: (.+)/m ], + +# ### http://www.vanja.com/tools/trophie/ +# ['Trophie', +# \&ask_daemon, ["{}/\n", 'trophie:/var/run/trophie'], +# qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m, +# qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], + +# ### http://www.grisoft.com/ +# ['AVG Anti-Virus', +# \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'], +# qr/^200/m, qr/^403/m, qr/^403 .*?: ([^\r\n]+)/m ], + +# ### http://www.f-prot.com/ +# ['F-Prot fpscand', # F-PROT Antivirus for BSD/Linux/Solaris, version 6 +# \&ask_daemon, +# ["SCAN FILE {}/*\n", '127.0.0.1:10200'], +# qr/^(0|8|64) /m, +# qr/^([1235679]|1[01345]) |<[^>:]*(?i)(infected|suspicious|unwanted)/m, +# qr/(?i)<[^>:]*(?:infected|suspicious|unwanted)[^>:]*: ([^>]*)>/m ], + +# ### http://www.f-prot.com/ +# ['F-Prot f-protd', # old version +# \&ask_daemon, +# ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n", +# ['127.0.0.1:10200', '127.0.0.1:10201', '127.0.0.1:10202', +# '127.0.0.1:10203', '127.0.0.1:10204'] ], +# qr/(?i)]*>clean<\/summary>/m, +# qr/(?i)]*>infected<\/summary>/m, +# qr/(?i)(.+)<\/name>/m ], + +# ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/ +# ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later +# [pack('N',1). # DRWEBD_SCAN_CMD +# pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES +# pack('N', # path length +# length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")). +# '{}/*'. # path +# pack('N',0). # content size +# pack('N',0), +# '/var/drweb/run/drwebd.sock', +# # '/var/amavis/var/run/drwebd.sock', # suitable for chroot +# # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default +# # '127.0.0.1:3000', # or over an inet socket +# ], +# qr/\A\x00[\x10\x11][\x00\x10]\x00/sm, # IS_CLEAN,EVAL_KEY; SKIPPED +# qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/sm,# KNOWN_V,UNKNOWN_V,V._MODIF +# qr/\A.{12}(?:infected with )?([^\x00]+)\x00/sm, +# ], +# # NOTE: If using amavis-milter, change length to: +# # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx"). + + ### http://www.kaspersky.com/ (kav4mailservers) + ['KasperskyLab AVP - aveclient', + ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient', + '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'], + '-p /var/run/aveserver -s {}/*', + [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/m, + qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/m, + ], + # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious, + # currupted or protected archives are to be handled + + ### http://www.kaspersky.com/ + ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'], + '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ? + qr/infected: (.+)/m, + sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"}, + sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, + ], + + ### The kavdaemon and AVPDaemonClient have been removed from Kasperky + ### products and replaced by aveserver and aveclient + ['KasperskyLab AVPDaemonClient', + [ '/opt/AVP/kavdaemon', 'kavdaemon', + '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient', + '/opt/AVP/AvpTeamDream', 'AvpTeamDream', + '/opt/AVP/avpdc', 'avpdc' ], + "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/m ], + # change the startup-script in /etc/init.d/kavd to: + # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis" + # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" ) + # adjusting /var/amavis above to match your $TEMPBASE. + # The '-f=/var/amavis' is needed if not running it as root, so it + # can find, read, and write its pid file, etc., see 'man kavdaemon'. + # defUnix.prf: there must be an entry "*/var/amavis" (or whatever + # directory $TEMPBASE specifies) in the 'Names=' section. + # cd /opt/AVP/DaemonClients; configure; cd Sample; make + # cp AvpDaemonClient /opt/AVP/ + # su - amavis -c "${PREFIX}/kavdaemon ${DPARMS}" + + ### http://www.centralcommand.com/ + ['CentralCommand Vexira (new) vascan', + ['vascan','/usr/lib/Vexira/vascan'], + "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ". + "--log=/var/log/vascan.log {}", + [0,3], [1,2,5], + qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ /m ], + # Adjust the path of the binary and the virus database as needed. + # 'vascan' does not allow to have the temp directory to be the same as + # the quarantine directory, and the quarantine option can not be disabled. + # If $QUARANTINEDIR is not used, then another directory must be specified + # to appease 'vascan'. Move status 3 to the second list if password + # protected files are to be considered infected. + + ### http://www.avira.com/ + ### old Avira AntiVir 2.x (ex H+BEDV) or old CentralCommand Vexira Antivirus + ['Avira AntiVir', ['antivir','vexira'], + '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/m, + qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) | + (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/m ], + # NOTE: if you only have a demo version, remove -z and add 214, as in: + # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/, + + ### http://www.avira.com/ + ### Avira for UNIX 3.x + ['Avira AntiVir', ['avscan'], + '-s --batch --alert-action=none {}', [0,4], qr/(?:ALERT|FUND):/m, + qr/(?:ALERT|FUND): (?:.* <<< )?(.+?)(?: ; |$)/m ], + + ### http://www.commandsoftware.com/ + ['Command AntiVirus for Linux', 'csav', + '-all -archive -packed {}', [50], [51,52,53], + qr/Infection: (.+)/m ], + + ### http://www.symantec.com/ + ['Symantec CarrierScan via Symantec CommandLineScanner', + 'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}', + qr/^Files Infected:\s+0$/m, qr/^Infected\b/m, + qr/^(?:Info|Virus Name):\s+(.+)/m ], + + ### http://www.symantec.com/ + ['Symantec AntiVirus Scan Engine', + 'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}', + [0], qr/^Infected\b/m, + qr/^(?:Info|Virus Name):\s+(.+)/m ], + # NOTE: check options and patterns to see which entry better applies + +# ### http://www.f-secure.com/products/anti-virus/ version 4.65 +# ['F-Secure Antivirus for Linux servers', +# ['/opt/f-secure/fsav/bin/fsav', 'fsav'], +# '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '. +# '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8], +# qr/(?:infection|Infected|Suspected): (.+)/m ], + + ### http://www.f-secure.com/products/anti-virus/ version 5.52 + ['F-Secure Antivirus for Linux servers', + ['/opt/f-secure/fsav/bin/fsav', 'fsav'], + '--virus-action1=report --archive=yes --auto=yes '. + '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8], + qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ], + # NOTE: internal archive handling may be switched off by '--archive=no' + # to prevent fsav from exiting with status 9 on broken archives + +# ### http://www.avast.com/ +# ['avast! Antivirus daemon', +# \&ask_daemon, # greets with 220, terminate with QUIT +# ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'], +# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t([^[ \t\015\012]+)/m ], + +# ### http://www.avast.com/ +# ['avast! Antivirus - Client/Server Version', 'avastlite', +# '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1], +# qr/\t\[L\]\t([^[ \t\015\012]+)/m ], + + ['CAI InoculateIT', 'inocucmd', # retired product + '-sec -nex {}', [0], [100], + qr/was infected by virus (.+)/m ], + # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html + + ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT) + ['CAI eTrust Antivirus', 'etrust-wrapper', + '-arc -nex -spm h {}', [0], [101], + qr/is infected by virus: (.+)/m ], + # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer + # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783 + + ### http://mks.com.pl/english.html + ['MkS_Vir for Linux (beta)', ['mks32','mks'], + '-s {}/*', [0], [1,2], + qr/--[ \t]*(.+)/m ], + + ### http://mks.com.pl/english.html + ['MkS_Vir daemon', 'mksscan', + '-s -q {}', [0], [1..7], + qr/^... (\S+)/m ], + +# ### http://www.nod32.com/, version v2.52 (old) +# ['ESET NOD32 for Linux Mail servers', +# ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'], +# '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '. +# '-w -a --action-on-infected=accept --action-on-uncleanable=accept '. +# '--action-on-notscanned=accept {}', +# [0,3], [1,2], qr/virus="([^"]+)"/m ], + +# ### http://www.eset.com/, version v2.7 (old) +# ['ESET NOD32 Linux Mail Server - command line interface', +# ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'], +# '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/m ], + +# ### http://www.eset.com/, version 2.71.12 +# ['ESET Software ESETS Command Line Interface', +# ['/usr/bin/esets_cli', 'esets_cli'], +# '--subdir {}', [0], [1,2,3], qr/virus="([^"]+)"/m ], + + ### http://www.eset.com/, version 3.0 + ['ESET Software ESETS Command Line Interface', + ['/usr/bin/esets_cli', 'esets_cli'], + '--subdir {}', [0], [1,2,3], + qr/:\s*action="(?!accepted)[^"]*"\n.*:\s*virus="([^"]*)"/m ], + + ## http://www.nod32.com/, NOD32LFS version 2.5 and above + ['ESET NOD32 for Linux File servers', + ['/opt/eset/nod32/sbin/nod32','nod32'], + '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '. + '-w -a --action=1 -b {}', + [0], [1,10], qr/^object=.*, virus="(.*?)",/m ], + +# Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31 +# ['ESET Software NOD32 Client/Server (NOD32SS)', +# \&ask_daemon2, # greets with 200, persistent, terminate with QUIT +# ["SCAN {}/*\r\n", '127.0.0.1:8448' ], +# qr/^200 File OK/m, qr/^201 /m, qr/^201 (.+)/m ], + + ### http://www.norman.com/products_nvc.shtml + ['Norman Virus Control v5 / Linux', 'nvcc', + '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14], + qr/(?i).* virus in .* -> \'(.+)\'/m ], + + ### http://www.pandasoftware.com/ + ['Panda CommandLineSecure 9 for Linux', + ['/opt/pavcl/usr/bin/pavcl','pavcl'], + '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}', + qr/Number of files infected[ .]*: 0+(?!\d)/m, + qr/Number of files infected[ .]*: 0*[1-9]/m, + qr/Found virus :\s*(\S+)/m ], + # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr' + # before starting amavisd - the bases are then loaded only once at startup. + # To reload bases in a signature update script: + # /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr + # Please review other options of pavcl, for example: + # -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies + +# ### http://www.pandasoftware.com/ +# ['Panda Antivirus for Linux', ['pavcl'], +# '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}', +# [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0], +# qr/Found virus :\s*(\S+)/m ], + +# GeCAD AV technology is acquired by Microsoft; RAV has been discontinued. +# Check your RAV license terms before fiddling with the following two lines! +# ['GeCAD RAV AntiVirus 8', 'ravav', +# '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/m ], +# # NOTE: the command line switches changed with scan engine 8.5 ! +# # (btw, assigning stdin to /dev/null causes RAV to fail) + + ### http://www.nai.com/ + ['NAI McAfee AntiVirus (uvscan)', 'uvscan', + '--secure -rv --mime --summary --noboot - {}', [0], [13], + qr/(?x) Found (?: + \ the\ (.+)\ (?:virus|trojan) | + \ (?:virus|trojan)\ or\ variant\ ([^ ]+) | + :\ (.+)\ NOT\ a\ virus)/m, + # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'}, + # sub {delete $ENV{LD_PRELOAD}}, + ], + # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before + # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6 + # and then clear it when finished to avoid confusing anything else. + # NOTE2: to treat encrypted files as viruses replace the [13] with: + # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/ + + ### http://www.virusbuster.hu/en/ + ['VirusBuster', ['vbuster', 'vbengcl'], + "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1], + qr/: '(.*)' - Virus/m ], + # VirusBuster Ltd. does not support the daemon version for the workstation + # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of + # binaries, some parameters AND return codes have changed (from 3 to 1). + # See also the new Vexira entry 'vascan' which is possibly related. + +# ### http://www.virusbuster.hu/en/ +# ['VirusBuster (Client + Daemon)', 'vbengd', +# '-f -log scandir {}', [0], [3], +# qr/Virus found = (.*);/m ], +# # HINT: for an infected file it always returns 3, +# # although the man-page tells a different story + + ### http://www.cyber.com/ + ['CyberSoft VFind', 'vfind', + '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/m, + # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'}, + ], + + ### http://www.avast.com/ + ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'], + '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/m ], + + ### http://www.ikarus-software.com/ + ['Ikarus AntiVirus for Linux', 'ikarus', + '{}', [0], [40], qr/Signature (.+) found/m ], + + ### http://www.bitdefender.com/ + ['BitDefender', 'bdscan', # new version + '--action=ignore --no-list {}', qr/^Infected files\s*:\s*0+(?!\d)/m, + qr/^(?:Infected files|Identified viruses|Suspect files)\s*:\s*0*[1-9]/m, + qr/(?:suspected|infected)\s*:\s*(.*)(?:\033|$)/m ], + + ### http://www.bitdefender.com/ + ['BitDefender', 'bdc', # old version + '--arc --mail {}', qr/^Infected files *:0+(?!\d)/m, + qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/m, + qr/(?:suspected|infected): (.*)(?:\033|$)/m ], + # consider also: --all --nowarn --alev=15 --flev=15. The --all argument may + # not apply to your version of bdc, check documentation and see 'bdc --help' + + ### ArcaVir for Linux and Unix http://www.arcabit.pl/ + ['ArcaVir for Linux', ['arcacmd','arcacmd.static'], + '-v 1 -summary 0 -s {}', [0], [1,2], + qr/(?:VIR|WIR):[ \t]*(.+)/m ], + +# ### a generic SMTP-client interface to a SMTP-based virus scanner +# ['av_smtp', \&ask_av_smtp, +# ['{}', 'smtp:[127.0.0.1]:5525', 'dummy@localhost'], +# qr/^2/, qr/^5/, qr/^\s*(.*?)\s*$/m ], + +# ['File::Scan', sub {Amavis::AV::ask_av(sub{ +# use File::Scan; my($fn)=@_; +# my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0); +# my($vname) = $f->scan($fn); +# $f->error ? (2,"Error: ".$f->error) +# : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) }, +# ["{}/*"], [0], [1], qr/^(.*) FOUND$/m ], + +# ### fully-fledged checker for JPEG marker segments of invalid length +# ['check-jpeg', +# sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) }, +# ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/m ], +# # NOTE: place file JpegTester.pm somewhere where Perl can find it, +# # for example in /usr/local/lib/perl5/site_perl + +); + + +@av_scanners_backup = ( + + ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV + ['ClamAV-clamscan', 'clamscan', + "--stdout --no-summary -r --tempdir=$TEMPBASE {}", + [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], + +# ### http://www.clamav.net/ - using remote clamd scanner as a backup +# ['ClamAV-clamdscan', 'clamdscan', +# "--stdout --no-summary --config-file=/etc/clamd-client.conf {}", +# [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], + +# ['ClamAV-clamd-stream', +# \&ask_daemon, ["*", 'clamd:/var/run/clamav/clamd.sock'], +# qr/\bOK$/m, qr/\bFOUND$/m, +# qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ], + + ### http://www.f-prot.com/ - backs up F-Prot Daemon, V6 + ['F-PROT Antivirus for UNIX', ['fpscan'], + '--report --mount --adware {}', # consider: --applications -s 4 -u 3 -z 10 + [0,8,64], [1,2,3, 4+1,4+2,4+3, 8+1,8+2,8+3, 12+1,12+2,12+3], + qr/^\[Found\s+[^\]]*\]\s+<([^ \t(>]*)/m ], + + ### http://www.f-prot.com/ - backs up F-Prot Daemon (old) + ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'], + '-dumb -archive -packed {}', [0,8], [3,6], # or: [0], [3,6,8], + qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/m ], + + ### http://www.trendmicro.com/ - backs up Trophie + ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'], + '-za -a {}', [0], qr/Found virus/m, qr/Found virus (.+) in/m ], + + ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD + ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier + ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'], + '-path={} -al -go -ot -cn -upn -ok-', + [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'m ], + + ### http://www.kaspersky.com/ + ['Kaspersky Antivirus v5.5', + ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner', + '/opt/kav/5.5/kav4unix/bin/kavscanner', + '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'], + '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25], + qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m, +# sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"}, +# sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, + ], + +# Commented out because the name 'sweep' clashes with Debian and FreeBSD +# package/port of an audio editor. Make sure the correct 'sweep' is found +# in the path when enabling. +# +# ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl +# ['Sophos Anti Virus (sweep)', 'sweep', +# '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. +# '--no-reset-atime {}', +# [0,2], qr/Virus .*? found/m, +# qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m, +# ], +# # other options to consider: -idedir=/usr/local/sav + +# Always succeeds and considers mail clean. +# Potentially useful when all other scanners fail and it is desirable +# to let mail continue to flow with no virus checking (when uncommented). +# ['always-clean', sub {0}], + +); + + +1; # insure a defined return value diff --git a/config-archive/etc/amavisd.conf.dist b/config-archive/etc/amavisd.conf.dist index 9d077d3..a230d7b 100644 --- a/config-archive/etc/amavisd.conf.dist +++ b/config-archive/etc/amavisd.conf.dist @@ -42,6 +42,7 @@ $syslog_facility = 'mail'; # Syslog facility as a string # e.g.: mail, daemon, user, local0, ... local7 $enable_db = 1; # enable use of BerkeleyDB/libdb (SNMP and nanny) +# $enable_zmq = 1; # enable use of ZeroMQ (SNMP and nanny) $nanny_details_level = 2; # nanny verbosity: 1: traditional, 2: detailed $enable_dkim_verification = 0; # enable DKIM signatures verification $enable_dkim_signing = 0; # load DKIM signing code, keys defined by dkim_key @@ -130,9 +131,9 @@ $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin'; # $dspam = 'dspam'; $MAXLEVELS = 14; -$MAXFILES = 1500; +$MAXFILES = 3000; $MIN_EXPANSION_QUOTA = 100*1024; # bytes (default undef, not enforced) -$MAX_EXPANSION_QUOTA = 300*1024*1024; # bytes (default undef, not enforced) +$MAX_EXPANSION_QUOTA = 500*1024*1024; # bytes (default undef, not enforced) $sa_spam_subject_tag = '***Spam*** '; $defang_virus = 1; # MIME-wrap passed infected mail @@ -186,8 +187,8 @@ $defang_by_ccat{CC_BADH.",6"} = 1; # header field syntax error # REMAINING IMPORTANT VARIABLES ARE LISTED HERE BECAUSE OF LONGER ASSIGNMENTS @keep_decoded_original_maps = (new_RE( - qr'^MAIL$', # retain full original message for virus checking - qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables + qr'^MAIL$', # let virus scanner see full original message + qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i, # qr'^Zip archive data', # don't trust Archive::Zip )); @@ -311,46 +312,50 @@ $banned_filename_re = new_RE( @decoders = ( ['mail', \&do_mime_decode], -# ['asc', \&do_ascii], -# ['uue', \&do_ascii], -# ['hqx', \&do_ascii], -# ['ync', \&do_ascii], - ['F', \&do_uncompress, ['unfreeze','freeze -d','melt','fcat'] ], - ['Z', \&do_uncompress, ['uncompress','gzip -d','zcat'] ], - ['gz', \&do_uncompress, 'gzip -d'], +# [[qw(asc uue hqx ync)], \&do_ascii], # not safe + ['F', \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ], + ['Z', \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ], + ['gz', \&do_uncompress, 'gzip -d'], ['gz', \&do_gunzip], - ['bz2', \&do_uncompress, 'bzip2 -d'], - ['xz', \&Amavis::Unpackers::do_uncompress, + ['bz2', \&do_uncompress, 'bzip2 -d'], + ['xz', \&do_uncompress, ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ], - ['lzma', \&Amavis::Unpackers::do_uncompress, + ['lzma', \&do_uncompress, ['lzmadec', 'xz -dc --format=lzma', 'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ], - ['lzo', \&do_uncompress, 'lzop -d'], - ['rpm', \&do_uncompress, ['rpm2cpio.pl','rpm2cpio'] ], - ['cpio', \&do_pax_cpio, ['pax','gcpio','cpio'] ], - ['tar', \&do_pax_cpio, ['pax','gcpio','cpio'] ], - ['deb', \&do_ar, 'ar'], -# ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill - ['zip', \&do_unzip], - ['7z', \&do_7zip, ['7zr','7za','7z'] ], - ['rar', \&do_unrar, ['rar','unrar'] ], - ['arj', \&do_unarj, ['arj','unarj'] ], - ['arc', \&do_arc, ['nomarch','arc'] ], - ['zoo', \&do_zoo, ['zoo','unzoo'] ], -# ['lha', \&do_lha, 'lha'], # unmaintained - security risk -# ['doc', \&do_ole, 'ripole'], - ['cab', \&do_cabextract, 'cabextract'], - ['tnef', \&do_tnef_ext, 'tnef'], + ['lrz', \&do_uncompress, + ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ], + ['lzo', \&do_uncompress, 'lzop -d'], + ['rpm', \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ], + [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ], + # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio'] + ['deb', \&do_ar, 'ar'], +# ['a', \&do_ar, 'ar'], # unpacking .a seems an overkill + ['rar', \&do_unrar, ['unrar', 'rar'] ], + ['arj', \&do_unarj, ['unarj', 'arj'] ], + ['arc', \&do_arc, ['nomarch', 'arc'] ], + ['zoo', \&do_zoo, ['zoo', 'unzoo'] ], + ['doc', \&do_ole, 'ripole'], + ['cab', \&do_cabextract, 'cabextract'], + ['tnef', \&do_tnef_ext, 'tnef'], ['tnef', \&do_tnef], -# ['sit', \&do_unstuff, 'unstuff'], # broken/unsafe decoder - ['exe', \&do_executable, ['rar','unrar'], 'lha', ['arj','unarj'] ], +# ['lha', \&do_lha, 'lha'], # not safe, use 7z instead +# ['sit', \&do_unstuff, 'unstuff'], # not safe + [['zip','kmz'], \&do_7zip, ['7za', '7z'] ], + [['zip','kmz'], \&do_unzip], + ['7z', \&do_7zip, ['7zr', '7za', '7z'] ], + [[qw(7z zip gz bz2 Z tar)], + \&do_7zip, ['7za', '7z'] ], + [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)], + \&do_7zip, '7z' ], + ['exe', \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ], ); @av_scanners = ( # ### http://www.sophos.com/ -# ['Sophos-SSSP', +# ['Sophos-SSSP', # SAV Dynamic Interface # \&ask_daemon, ["{}", 'sssp:/var/run/savdi/sssp.sock'], # # or: ["{}", 'sssp:[127.0.0.1]:4010'], # qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ], @@ -547,9 +552,9 @@ $banned_filename_re = new_RE( # ### http://www.avast.com/ # ['avast! Antivirus daemon', -# \&ask_daemon, # greets with 220, terminate with QUIT +# \&ask_daemon, # greets with 220, terminate with QUIT # ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'], -# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t([^[ \t\015\012]+)/m ], +# qr/\t\[\+\]/m, qr/\t\[L\]\t/m, qr/\t\[L\]\t[0-9]+\s+([^[ \t\015\012]+)/m ], # ### http://www.avast.com/ # ['avast! Antivirus - Client/Server Version', 'avastlite', @@ -784,18 +789,17 @@ $banned_filename_re = new_RE( # sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"}, ], -# Commented out because the name 'sweep' clashes with Debian and FreeBSD -# package/port of an audio editor. Make sure the correct 'sweep' is found -# in the path when enabling. -# -# ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl -# ['Sophos Anti Virus (sweep)', 'sweep', -# '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. -# '--no-reset-atime {}', -# [0,2], qr/Virus .*? found/m, -# qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m, -# ], -# # other options to consider: -idedir=/usr/local/sav + ### http://www.sophos.com/ + ['Sophos Anti Virus (savscan)', # formerly known as 'sweep' + ['/opt/sophos-av/bin/savscan', 'savscan'], # 'sweep' + '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '. + '--no-reset-atime {}', + [0,2], qr/Virus .*? found/m, + qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m, + ], + # other options to consider: -idedir=/usr/local/sav + # A name 'sweep' clashes with a name of an audio editor (Debian and FreeBSD). + # Make sure the correct 'sweep' is found in the path if using the old name. # Always succeeds and considers mail clean. # Potentially useful when all other scanners fail and it is desirable diff --git a/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist b/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist new file mode 100644 index 0000000..afa8d91 --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist @@ -0,0 +1,133 @@ +# This configuration file reflects default settings for Apache HTTP Server. +# You may change these, but chances are that you may not need to. + +# Timeout: The number of seconds before receives and sends time out. +Timeout 300 + +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +KeepAlive On + +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +MaxKeepAliveRequests 100 + +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +KeepAliveTimeout 15 + +# UseCanonicalName: Determines how Apache constructs self-referencing +# URLs and the SERVER_NAME and SERVER_PORT variables. +# When set "Off", Apache will use the Hostname and Port supplied +# by the client. When set "On", Apache will use the value of the +# ServerName directive. +UseCanonicalName Off + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +AccessFileName .htaccess + +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minor | Minimal | Major | Prod +# where Full conveys the most information, and Prod the least. +ServerTokens Prod + +# TraceEnable +# This directive overrides the behavior of TRACE for both the core server and +# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616, +# which disallows any request body to accompany the request. TraceEnable off +# causes the core server and mod_proxy to return a 405 (Method not allowed) +# error to the client. +# For security reasons this is turned off by default. (bug #240680) +TraceEnable off + +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +ServerSignature On + +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +HostnameLookups Off + +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall is used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +EnableMMAP On +EnableSendfile On + +# FileEtag: Configures the file attributes that are used to create +# the ETag (entity tag) response header field when the document is +# based on a static file. (The ETag value is used in cache management +# to save network bandwidth.) +FileEtag INode MTime Size + +# ContentDigest: This directive enables the generation of Content-MD5 +# headers as defined in RFC1864 respectively RFC2616. +# The Content-MD5 header provides an end-to-end message integrity +# check (MIC) of the entity-body. A proxy or client may check this +# header for detecting accidental modification of the entity-body +# in transit. +# Note that this can cause performance problems on your server since +# the message digest is computed on every request (the values are +# not cached). +# Content-MD5 is only sent for documents served by the core, and not +# by any module. For example, SSI documents, output from CGI scripts, +# and byte range responses do not have this header. +ContentDigest Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +ErrorLog /var/log/apache2/error_log + +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +LogLevel warn + +# We configure the "default" to be a very restrictive set of features. + + Options FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + + +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# +# The index.html.var file (a type-map) is used to deliver content- +# negotiated documents. The MultiViews Options can be used for the +# same purpose, but it is much slower. +# +# Do not change this entry unless you know what you are doing. + + DirectoryIndex index.html index.html.var + + +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. + + Order allow,deny + Deny from all + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new b/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new deleted file mode 100644 index 0fa43b2..0000000 --- a/config-archive/etc/apache2/modules.d/00_default_settings.conf.dist.new +++ /dev/null @@ -1,134 +0,0 @@ -# This configuration file reflects default settings for Apache HTTP Server. -# You may change these, but chances are that you may not need to. - -# Timeout: The number of seconds before receives and sends time out. -Timeout 300 - -# KeepAlive: Whether or not to allow persistent connections (more than -# one request per connection). Set to "Off" to deactivate. -KeepAlive On - -# MaxKeepAliveRequests: The maximum number of requests to allow -# during a persistent connection. Set to 0 to allow an unlimited amount. -# We recommend you leave this number high, for maximum performance. -MaxKeepAliveRequests 100 - -# KeepAliveTimeout: Number of seconds to wait for the next request from the -# same client on the same connection. -KeepAliveTimeout 15 - -# UseCanonicalName: Determines how Apache constructs self-referencing -# URLs and the SERVER_NAME and SERVER_PORT variables. -# When set "Off", Apache will use the Hostname and Port supplied -# by the client. When set "On", Apache will use the value of the -# ServerName directive. -UseCanonicalName Off - -# AccessFileName: The name of the file to look for in each directory -# for additional configuration directives. See also the AllowOverride -# directive. -AccessFileName .htaccess - -# ServerTokens -# This directive configures what you return as the Server HTTP response -# Header. The default is 'Full' which sends information about the OS-Type -# and compiled in modules. -# Set to one of: Full | OS | Minor | Minimal | Major | Prod -# where Full conveys the most information, and Prod the least. -ServerTokens Prod - -# TraceEnable -# This directive overrides the behavior of TRACE for both the core server and -# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616, -# which disallows any request body to accompany the request. TraceEnable off -# causes the core server and mod_proxy to return a 405 (Method not allowed) -# error to the client. -# For security reasons this is turned off by default. (bug #240680) -TraceEnable off - -# Optionally add a line containing the server version and virtual host -# name to server-generated pages (internal error documents, FTP directory -# listings, mod_status and mod_info output etc., but not CGI generated -# documents or custom error documents). -# Set to "EMail" to also include a mailto: link to the ServerAdmin. -# Set to one of: On | Off | EMail -ServerSignature On - -# HostnameLookups: Log the names of clients or just their IP addresses -# e.g., www.apache.org (on) or 204.62.129.132 (off). -# The default is off because it'd be overall better for the net if people -# had to knowingly turn this feature on, since enabling it means that -# each client request will result in AT LEAST one lookup request to the -# nameserver. -HostnameLookups Off - -# EnableMMAP and EnableSendfile: On systems that support it, -# memory-mapping or the sendfile syscall is used to deliver -# files. This usually improves server performance, but must -# be turned off when serving from networked-mounted -# filesystems or if support for these functions is otherwise -# broken on your system. -EnableMMAP On -EnableSendfile On - -# FileEtag: Configures the file attributes that are used to create -# the ETag (entity tag) response header field when the document is -# based on a static file. (The ETag value is used in cache management -# to save network bandwidth.) -FileEtag INode MTime Size - -# ContentDigest: This directive enables the generation of Content-MD5 -# headers as defined in RFC1864 respectively RFC2616. -# The Content-MD5 header provides an end-to-end message integrity -# check (MIC) of the entity-body. A proxy or client may check this -# header for detecting accidental modification of the entity-body -# in transit. -# Note that this can cause performance problems on your server since -# the message digest is computed on every request (the values are -# not cached). -# Content-MD5 is only sent for documents served by the core, and not -# by any module. For example, SSI documents, output from CGI scripts, -# and byte range responses do not have this header. -ContentDigest Off - -# ErrorLog: The location of the error log file. -# If you do not specify an ErrorLog directive within a -# container, error messages relating to that virtual host will be -# logged here. If you *do* define an error logfile for a -# container, that host's errors will be logged there and not here. -ErrorLog /var/log/apache2/error_log - -# LogLevel: Control the number of messages logged to the error_log. -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. -LogLevel warn - -# We configure the "default" to be a very restrictive set of features. - - Options FollowSymLinks - AllowOverride None - Order deny,allow - Deny from all - - -# DirectoryIndex: sets the file that Apache will serve if a directory -# is requested. -# -# The index.html.var file (a type-map) is used to deliver content- -# negotiated documents. The MultiViews Options can be used for the -# same purpose, but it is much slower. -# -# To add files to that list use AddDirectoryIndex in a custom config -# file. Do not change this entry unless you know what you are doing. - - DirectoryIndex index.html index.html.var - - -# The following lines prevent .htaccess and .htpasswd files from being -# viewed by Web clients. - - Order allow,deny - Deny from all - - -# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist new file mode 100644 index 0000000..097410a --- /dev/null +++ b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist @@ -0,0 +1,86 @@ + + + + +# We include the /icons/ alias for FancyIndexed directory listings. If +# you do not use FancyIndexing, you may comment this out. +Alias /icons/ "/usr/share/apache2/icons/" + + + Options Indexes MultiViews + AllowOverride None + Order allow,deny + Allow from all + + + +# Directives controlling the display of server-generated directory listings. +# +# To see the listing of a directory, the Options directive for the +# directory must include "Indexes", and the directory must not contain +# a file matching those listed in the DirectoryIndex directive. + +# IndexOptions: Controls the appearance of server-generated directory +# listings. +IndexOptions FancyIndexing VersionSort + +# AddIcon* directives tell the server which icon to show for different +# files or filename extensions. These are only displayed for +# FancyIndexed directories. +AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip + +AddIconByType (TXT,/icons/text.gif) text/* +AddIconByType (IMG,/icons/image2.gif) image/* +AddIconByType (SND,/icons/sound2.gif) audio/* +AddIconByType (VID,/icons/movie.gif) video/* + +AddIcon /icons/binary.gif .bin .exe +AddIcon /icons/binhex.gif .hqx +AddIcon /icons/tar.gif .tar +AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv +AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip +AddIcon /icons/a.gif .ps .ai .eps +AddIcon /icons/layout.gif .html .shtml .htm .pdf +AddIcon /icons/text.gif .txt +AddIcon /icons/c.gif .c +AddIcon /icons/p.gif .pl .py +AddIcon /icons/f.gif .for +AddIcon /icons/dvi.gif .dvi +AddIcon /icons/uuencoded.gif .uu +AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl +AddIcon /icons/tex.gif .tex +AddIcon /icons/bomb.gif core + +AddIcon /icons/back.gif .. +AddIcon /icons/hand.right.gif README +AddIcon /icons/folder.gif ^^DIRECTORY^^ +AddIcon /icons/blank.gif ^^BLANKICON^^ + +# DefaultIcon is which icon to show for files which do not have an icon +# explicitly set. +DefaultIcon /icons/unknown.gif + +# AddDescription allows you to place a short description after a file in +# server-generated indexes. These are only displayed for FancyIndexed +# directories. +# Format: AddDescription "description" filename + +#AddDescription "GZIP compressed document" .gz +#AddDescription "tar archive" .tar +#AddDescription "GZIP compressed tar archive" .tgz + +# ReadmeName is the name of the README file the server will look for by +# default, and append to directory listings. + +# HeaderName is the name of a file which should be prepended to +# directory indexes. +ReadmeName README.html +HeaderName HEADER.html + +# IndexIgnore is a set of filenames which directory indexing should ignore +# and not include in the listing. Shell-style wildcarding is permitted. +IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t + + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist.new b/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist.new deleted file mode 100644 index ca2a168..0000000 --- a/config-archive/etc/apache2/modules.d/00_mod_autoindex.conf.dist.new +++ /dev/null @@ -1,83 +0,0 @@ - - -# We include the /icons/ alias for FancyIndexed directory listings. If -# you do not use FancyIndexing, you may comment this out. -Alias /icons/ "/usr/share/apache2/icons/" - - - Options Indexes MultiViews - AllowOverride None - Order allow,deny - Allow from all - - - -# Directives controlling the display of server-generated directory listings. -# -# To see the listing of a directory, the Options directive for the -# directory must include "Indexes", and the directory must not contain -# a file matching those listed in the DirectoryIndex directive. - -# IndexOptions: Controls the appearance of server-generated directory -# listings. -IndexOptions FancyIndexing VersionSort - -# AddIcon* directives tell the server which icon to show for different -# files or filename extensions. These are only displayed for -# FancyIndexed directories. -AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip - -AddIconByType (TXT,/icons/text.gif) text/* -AddIconByType (IMG,/icons/image2.gif) image/* -AddIconByType (SND,/icons/sound2.gif) audio/* -AddIconByType (VID,/icons/movie.gif) video/* - -AddIcon /icons/binary.gif .bin .exe -AddIcon /icons/binhex.gif .hqx -AddIcon /icons/tar.gif .tar -AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv -AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip -AddIcon /icons/a.gif .ps .ai .eps -AddIcon /icons/layout.gif .html .shtml .htm .pdf -AddIcon /icons/text.gif .txt -AddIcon /icons/c.gif .c -AddIcon /icons/p.gif .pl .py -AddIcon /icons/f.gif .for -AddIcon /icons/dvi.gif .dvi -AddIcon /icons/uuencoded.gif .uu -AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl -AddIcon /icons/tex.gif .tex -AddIcon /icons/bomb.gif core - -AddIcon /icons/back.gif .. -AddIcon /icons/hand.right.gif README -AddIcon /icons/folder.gif ^^DIRECTORY^^ -AddIcon /icons/blank.gif ^^BLANKICON^^ - -# DefaultIcon is which icon to show for files which do not have an icon -# explicitly set. -DefaultIcon /icons/unknown.gif - -# AddDescription allows you to place a short description after a file in -# server-generated indexes. These are only displayed for FancyIndexed -# directories. -# Format: AddDescription "description" filename - -#AddDescription "GZIP compressed document" .gz -#AddDescription "tar archive" .tar -#AddDescription "GZIP compressed tar archive" .tgz - -# ReadmeName is the name of the README file the server will look for by -# default, and append to directory listings. - -# HeaderName is the name of a file which should be prepended to -# directory indexes. -ReadmeName README.html -HeaderName HEADER.html - -# IndexIgnore is a set of filenames which directory indexing should ignore -# and not include in the listing. Shell-style wildcarding is permitted. -IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t - - -# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/vhosts.d/00_default_ssl_vhost.conf.dist b/config-archive/etc/apache2/vhosts.d/00_default_ssl_vhost.conf.dist new file mode 100644 index 0000000..bb39547 --- /dev/null +++ b/config-archive/etc/apache2/vhosts.d/00_default_ssl_vhost.conf.dist @@ -0,0 +1,191 @@ + + + +# see bug #178966 why this is in here + +# When we also provide SSL we have to listen to the HTTPS port +# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two +# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" +Listen 443 + + + ServerName localhost + Include /etc/apache2/vhosts.d/default_vhost.include + ErrorLog /var/log/apache2/ssl_error_log + + + TransferLog /var/log/apache2/ssl_access_log + + + ## SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on + + ## SSLProtocol: + # Don't use SSLv2 anymore as it's considered to be broken security-wise. + # Also disable SSLv3 as most modern browsers are capable of TLS. + SSLProtocol ALL -SSLv2 -SSLv3 + + ## SSL Cipher Suite: + # List the ciphers that the client is permitted to negotiate. + # See the mod_ssl documentation for a complete list. + # This list of ciphers is recommended by mozilla and was stripped off + # its RC4 ciphers. (bug #506924) + SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK + + ## SSLHonorCipherOrder: + # Prefer the server's cipher preference order as the client may have a + # weak default order. + SSLHonorCipherOrder On + + ## Server Certificate: + # Point SSLCertificateFile at a PEM encoded certificate. If the certificate + # is encrypted, then you will be prompted for a pass phrase. Note that a + # kill -HUP will prompt again. Keep in mind that if you have both an RSA + # and a DSA certificate you can configure both in parallel (to also allow + # the use of DSA ciphers, etc.) + SSLCertificateFile /etc/ssl/apache2/server.crt + + ## Server Private Key: + # If the key is not combined with the certificate, use this directive to + # point at the key file. Keep in mind that if you've both a RSA and a DSA + # private key you can configure both in parallel (to also allow the use of + # DSA ciphers, etc.) + SSLCertificateKeyFile /etc/ssl/apache2/server.key + + ## Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the concatenation of + # PEM encoded CA certificates which form the certificate chain for the + # server certificate. Alternatively the referenced file can be the same as + # SSLCertificateFile when the CA certificates are directly appended to the + # server certificate for convinience. + #SSLCertificateChainFile /etc/ssl/apache2/ca.crt + + ## Certificate Authority (CA): + # Set the CA certificate verification path where to find CA certificates + # for client authentication or alternatively one huge file containing all + # of them (file must be PEM encoded). + # Note: Inside SSLCACertificatePath you need hash symlinks to point to the + # certificate files. Use the provided Makefile to update the hash symlinks + # after changes. + #SSLCACertificatePath /etc/ssl/apache2/ssl.crt + #SSLCACertificateFile /etc/ssl/apache2/ca-bundle.crt + + ## Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client authentication + # or alternatively one huge file containing all of them (file must be PEM + # encoded). + # Note: Inside SSLCARevocationPath you need hash symlinks to point to the + # certificate files. Use the provided Makefile to update the hash symlinks + # after changes. + #SSLCARevocationPath /etc/ssl/apache2/ssl.crl + #SSLCARevocationFile /etc/ssl/apache2/ca-bundle.crl + + ## Client Authentication (Type): + # Client certificate verification type and depth. Types are none, optional, + # require and optional_no_ca. Depth is a number which specifies how deeply + # to verify the certificate issuer chain before deciding the certificate is + # not valid. + #SSLVerifyClient require + #SSLVerifyDepth 10 + + ## Access Control: + # With SSLRequire you can do per-directory access control based on arbitrary + # complex boolean expressions containing server variable checks and other + # lookup directives. The syntax is a mixture between C and Perl. See the + # mod_ssl documentation for more details. + # + # #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ + # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ + # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ + # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ + # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ + # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ + # + + ## SSL Engine Options: + # Set various options for the SSL engine. + + ## FakeBasicAuth: + # Translate the client X.509 into a Basic Authorisation. This means that the + # standard Auth/DBMAuth methods can be used for access control. The user + # name is the `one line' version of the client's X.509 certificate. + # Note that no password is obtained from the user. Every entry in the user + # file needs this password: `xxj31ZMTZzkVA'. + + ## ExportCertData: + # This exports two additional environment variables: SSL_CLIENT_CERT and + # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the server + # (always existing) and the client (only existing when client + # authentication is used). This can be used to import the certificates into + # CGI scripts. + + ## StdEnvVars: + # This exports the standard SSL/TLS related `SSL_*' environment variables. + # Per default this exportation is switched off for performance reasons, + # because the extraction step is an expensive operation and is usually + # useless for serving static content. So one usually enables the exportation + # for CGI and SSI requests only. + + ## StrictRequire: + # This denies access when "SSLRequireSSL" or "SSLRequire" applied even under + # a "Satisfy any" situation, i.e. when it applies access is denied and no + # other module can change it. + + ## OptRenegotiate: + # This enables optimized SSL connection renegotiation handling when SSL + # directives are used in per-directory context. + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + + SSLOptions +StdEnvVars + + + ## SSL Protocol Adjustments: + # The safe and default but still SSL/TLS standard compliant shutdown + # approach is that mod_ssl sends the close notify alert but doesn't wait + # for the close notify alert from client. When you need a different + # shutdown approach you can use one of the following variables: + + ## ssl-unclean-shutdown: + # This forces an unclean shutdown when the connection is closed, i.e. no + # SSL close notify alert is send or allowed to received. This violates the + # SSL/TLS standard but is needed for some brain-dead browsers. Use this when + # you receive I/O errors because of the standard approach where mod_ssl + # sends the close notify alert. + + ## ssl-accurate-shutdown: + # This forces an accurate shutdown when the connection is closed, i.e. a + # SSL close notify alert is send and mod_ssl waits for the close notify + # alert of the client. This is 100% SSL/TLS standard compliant, but in + # practice often causes hanging connections with brain-dead browsers. Use + # this only for browsers where you know that their SSL implementation works + # correctly. + # Notice: Most problems of broken clients are also related to the HTTP + # keep-alive facility, so you usually additionally want to disable + # keep-alive for those clients, too. Use variable "nokeepalive" for this. + # Similarly, one has to force some clients to use HTTP/1.0 to workaround + # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and + # "force-response-1.0" for this. + + BrowserMatch ".*MSIE.*" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + + + ## Per-Server Logging: + # The home of a custom SSL log file. Use this when you want a compact + # non-error SSL logfile on a virtual host basis. + + CustomLog /var/log/apache2/ssl_request_log \ + "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + + + + + +# vim: ts=4 filetype=apache diff --git a/config-archive/etc/apache2/vhosts.d/00_default_ssl_vhost.conf.dist.new b/config-archive/etc/apache2/vhosts.d/00_default_ssl_vhost.conf.dist.new deleted file mode 100644 index 98bfc2f..0000000 --- a/config-archive/etc/apache2/vhosts.d/00_default_ssl_vhost.conf.dist.new +++ /dev/null @@ -1,179 +0,0 @@ - - - -# see bug #178966 why this is in here - -# When we also provide SSL we have to listen to the HTTPS port -# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two -# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" -Listen 443 - - - ServerName localhost - Include /etc/apache2/vhosts.d/default_vhost.include - ErrorLog /var/log/apache2/ssl_error_log - - - TransferLog /var/log/apache2/ssl_access_log - - - ## SSL Engine Switch: - # Enable/Disable SSL for this virtual host. - SSLEngine on - - ## SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. - # See the mod_ssl documentation for a complete list. - SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - - ## Server Certificate: - # Point SSLCertificateFile at a PEM encoded certificate. If the certificate - # is encrypted, then you will be prompted for a pass phrase. Note that a - # kill -HUP will prompt again. Keep in mind that if you have both an RSA - # and a DSA certificate you can configure both in parallel (to also allow - # the use of DSA ciphers, etc.) - SSLCertificateFile /etc/ssl/apache2/server.crt - - ## Server Private Key: - # If the key is not combined with the certificate, use this directive to - # point at the key file. Keep in mind that if you've both a RSA and a DSA - # private key you can configure both in parallel (to also allow the use of - # DSA ciphers, etc.) - SSLCertificateKeyFile /etc/ssl/apache2/server.key - - ## Server Certificate Chain: - # Point SSLCertificateChainFile at a file containing the concatenation of - # PEM encoded CA certificates which form the certificate chain for the - # server certificate. Alternatively the referenced file can be the same as - # SSLCertificateFile when the CA certificates are directly appended to the - # server certificate for convinience. - #SSLCertificateChainFile /etc/ssl/apache2/ca.crt - - ## Certificate Authority (CA): - # Set the CA certificate verification path where to find CA certificates - # for client authentication or alternatively one huge file containing all - # of them (file must be PEM encoded). - # Note: Inside SSLCACertificatePath you need hash symlinks to point to the - # certificate files. Use the provided Makefile to update the hash symlinks - # after changes. - #SSLCACertificatePath /etc/ssl/apache2/ssl.crt - #SSLCACertificateFile /etc/ssl/apache2/ca-bundle.crt - - ## Certificate Revocation Lists (CRL): - # Set the CA revocation path where to find CA CRLs for client authentication - # or alternatively one huge file containing all of them (file must be PEM - # encoded). - # Note: Inside SSLCARevocationPath you need hash symlinks to point to the - # certificate files. Use the provided Makefile to update the hash symlinks - # after changes. - #SSLCARevocationPath /etc/ssl/apache2/ssl.crl - #SSLCARevocationFile /etc/ssl/apache2/ca-bundle.crl - - ## Client Authentication (Type): - # Client certificate verification type and depth. Types are none, optional, - # require and optional_no_ca. Depth is a number which specifies how deeply - # to verify the certificate issuer chain before deciding the certificate is - # not valid. - #SSLVerifyClient require - #SSLVerifyDepth 10 - - ## Access Control: - # With SSLRequire you can do per-directory access control based on arbitrary - # complex boolean expressions containing server variable checks and other - # lookup directives. The syntax is a mixture between C and Perl. See the - # mod_ssl documentation for more details. - # - # #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ - # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ - # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ - # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ - # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ - # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ - # - - ## SSL Engine Options: - # Set various options for the SSL engine. - - ## FakeBasicAuth: - # Translate the client X.509 into a Basic Authorisation. This means that the - # standard Auth/DBMAuth methods can be used for access control. The user - # name is the `one line' version of the client's X.509 certificate. - # Note that no password is obtained from the user. Every entry in the user - # file needs this password: `xxj31ZMTZzkVA'. - - ## ExportCertData: - # This exports two additional environment variables: SSL_CLIENT_CERT and - # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the server - # (always existing) and the client (only existing when client - # authentication is used). This can be used to import the certificates into - # CGI scripts. - - ## StdEnvVars: - # This exports the standard SSL/TLS related `SSL_*' environment variables. - # Per default this exportation is switched off for performance reasons, - # because the extraction step is an expensive operation and is usually - # useless for serving static content. So one usually enables the exportation - # for CGI and SSI requests only. - - ## StrictRequire: - # This denies access when "SSLRequireSSL" or "SSLRequire" applied even under - # a "Satisfy any" situation, i.e. when it applies access is denied and no - # other module can change it. - - ## OptRenegotiate: - # This enables optimized SSL connection renegotiation handling when SSL - # directives are used in per-directory context. - #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - - SSLOptions +StdEnvVars - - - ## SSL Protocol Adjustments: - # The safe and default but still SSL/TLS standard compliant shutdown - # approach is that mod_ssl sends the close notify alert but doesn't wait - # for the close notify alert from client. When you need a different - # shutdown approach you can use one of the following variables: - - ## ssl-unclean-shutdown: - # This forces an unclean shutdown when the connection is closed, i.e. no - # SSL close notify alert is send or allowed to received. This violates the - # SSL/TLS standard but is needed for some brain-dead browsers. Use this when - # you receive I/O errors because of the standard approach where mod_ssl - # sends the close notify alert. - - ## ssl-accurate-shutdown: - # This forces an accurate shutdown when the connection is closed, i.e. a - # SSL close notify alert is send and mod_ssl waits for the close notify - # alert of the client. This is 100% SSL/TLS standard compliant, but in - # practice often causes hanging connections with brain-dead browsers. Use - # this only for browsers where you know that their SSL implementation works - # correctly. - # Notice: Most problems of broken clients are also related to the HTTP - # keep-alive facility, so you usually additionally want to disable - # keep-alive for those clients, too. Use variable "nokeepalive" for this. - # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. - - BrowserMatch ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - - - ## Per-Server Logging: - # The home of a custom SSL log file. Use this when you want a compact - # non-error SSL logfile on a virtual host basis. - - CustomLog /var/log/apache2/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - - - - - - -# vim: ts=4 filetype=apache diff --git a/config-archive/etc/bash/bashrc b/config-archive/etc/bash/bashrc index fc0515b..df6b0b8 100644 --- a/config-archive/etc/bash/bashrc +++ b/config-archive/etc/bash/bashrc @@ -40,12 +40,12 @@ shopt -s histappend # Change the window title of X terminals case ${TERM} in - xterm*|rxvt*|Eterm|aterm|kterm|gnome*|interix) - PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"' - ;; - screen) - PROMPT_COMMAND='echo -ne "\033_${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\033\\"' - ;; + xterm*|rxvt*|Eterm*|aterm|kterm|gnome*|interix) + PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"' + ;; + screen*) + PROMPT_COMMAND='echo -ne "\033_${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\033\\"' + ;; esac use_color=false @@ -60,8 +60,8 @@ match_lhs="" [[ -f ~/.dir_colors ]] && match_lhs="${match_lhs}$(<~/.dir_colors)" [[ -f /etc/DIR_COLORS ]] && match_lhs="${match_lhs}$(/dev/null \ - && match_lhs=$(dircolors --print-database) + && type -P dircolors >/dev/null \ + && match_lhs=$(dircolors --print-database) [[ $'\n'${match_lhs} == *$'\n'"TERM "${safe_term}* ]] && use_color=true if ${use_color} ; then @@ -85,6 +85,8 @@ if ${use_color} ; then alias ls='ls --color=auto' alias grep='grep --colour=auto' + alias egrep='egrep --colour=auto' + alias fgrep='fgrep --colour=auto' else if [[ ${EUID} == 0 ]] ; then # show root@ when we don't have colors @@ -99,6 +101,7 @@ if [[ ${EUID} == 0 ]] ; then else alias ll="ls -l" fi +alias l="ls -l" alias la="ls -la" alias md=mkdir alias rd=rmdir diff --git a/config-archive/etc/bash/bashrc.1 b/config-archive/etc/bash/bashrc.1 index 6262977..fc0515b 100644 --- a/config-archive/etc/bash/bashrc.1 +++ b/config-archive/etc/bash/bashrc.1 @@ -7,26 +7,26 @@ if [ -d /usr/scripts ] ; then - PATH=/usr/scripts:$PATH - export PATH + PATH=/usr/scripts:$PATH + export PATH fi if [ -d $HOME/bin ] ; then - PATH=$PATH:$HOME/bin - export PATH + PATH=$PATH:$HOME/bin + export PATH fi if [ -d $HOME/lib ] ; then - PERL5LIB=$HOME/lib - export PERL5LIB + PERL5LIB=$HOME/lib + export PERL5LIB fi # Test for an interactive shell. There is no need to set anything # past this point for scp and rcp, and it's important to refrain from # outputting anything in those cases. if [[ $- != *i* ]] ; then - # Shell is non-interactive. Be done now! - return + # Shell is non-interactive. Be done now! + return fi # Bash won't get SIGWINCH if another process is in the foreground. @@ -40,12 +40,12 @@ shopt -s histappend # Change the window title of X terminals case ${TERM} in - xterm*|rxvt*|Eterm|aterm|kterm|gnome*|interix) - PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"' - ;; - screen) - PROMPT_COMMAND='echo -ne "\033_${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\033\\"' - ;; + xterm*|rxvt*|Eterm|aterm|kterm|gnome*|interix) + PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"' + ;; + screen) + PROMPT_COMMAND='echo -ne "\033_${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\033\\"' + ;; esac use_color=false @@ -60,8 +60,8 @@ match_lhs="" [[ -f ~/.dir_colors ]] && match_lhs="${match_lhs}$(<~/.dir_colors)" [[ -f /etc/DIR_COLORS ]] && match_lhs="${match_lhs}$(/dev/null \ - && match_lhs=$(dircolors --print-database) + && type -P dircolors >/dev/null \ + && match_lhs=$(dircolors --print-database) [[ $'\n'${match_lhs} == *$'\n'"TERM "${safe_term}* ]] && use_color=true if ${use_color} ; then @@ -127,11 +127,12 @@ printf("%s\n", $newa); HISTCONTROL=ignoreboth -HISTSIZE=5000 -HISTFILESIZE=5000 +HISTSIZE=50000 +HISTFILESIZE=50000 HISTTIMEFORMAT='%Y-%m-%d %H:%M:%S ' export LESSCOLOR=yes +export LESSCHARSET="utf-8" # Change the window title of X terminals case $TERM in @@ -147,11 +148,30 @@ if [ -f /usr/share/mc/mc.gentoo ]; then . /usr/share/mc/mc.gentoo fi -if [ -f /etc/profile.d/bash-completion ]; then - . /etc/profile.d/bash-completion +#if [ -f /etc/profile.d/bash-completion ]; then +# . /etc/profile.d/bash-completion +#fi + +if [ -e /etc/bash_completion.d/git -o "${HOME}"/.bash_completion.d/git ] ; then + #echo "/etc/bash_completion.d/git or ${HOME}/.bash_completion.d/git exists ..." + if ${use_color} ; then + if [ "$UID" = 0 ]; then + PS1='$? \[\033[01;31m\]\h\[\033[01;30m\]:\[\033[01;34m\]\w\[\033[01;31m\]$(__git_ps1)\[\033[01;34m\] \$ \[\033[00m\]' + else + PS1='$? \[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[01;31m\]$(__git_ps1)\[\033[01;34m\] > \[\033[00m\]' + fi + else + if [ "$UID" = 0 ]; then + PS1='$? \h:\w$(__git_ps1) \$ ' + else + PS1='$? \u@\h:\w$(__git_ps1) > ' + fi + fi fi # Try to keep environment pollution down, EPA loves us. unset use_color safe_term match_lhs + +# vim: ts=4 expandtab diff --git a/config-archive/etc/bash/bashrc.2 b/config-archive/etc/bash/bashrc.2 new file mode 100644 index 0000000..6262977 --- /dev/null +++ b/config-archive/etc/bash/bashrc.2 @@ -0,0 +1,157 @@ +# /etc/bash/bashrc +# +# This file is sourced by all *interactive* bash shells on startup, +# including some apparently interactive shells such as scp and rcp +# that can't tolerate any output. So make sure this doesn't display +# anything or bad things will happen ! + + +if [ -d /usr/scripts ] ; then + PATH=/usr/scripts:$PATH + export PATH +fi + +if [ -d $HOME/bin ] ; then + PATH=$PATH:$HOME/bin + export PATH +fi + +if [ -d $HOME/lib ] ; then + PERL5LIB=$HOME/lib + export PERL5LIB +fi + +# Test for an interactive shell. There is no need to set anything +# past this point for scp and rcp, and it's important to refrain from +# outputting anything in those cases. +if [[ $- != *i* ]] ; then + # Shell is non-interactive. Be done now! + return +fi + +# Bash won't get SIGWINCH if another process is in the foreground. +# Enable checkwinsize so that bash will check the terminal size when +# it regains control. #65623 +# http://cnswww.cns.cwru.edu/~chet/bash/FAQ (E11) +shopt -s checkwinsize + +# Enable history appending instead of overwriting. #139609 +shopt -s histappend + +# Change the window title of X terminals +case ${TERM} in + xterm*|rxvt*|Eterm|aterm|kterm|gnome*|interix) + PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"' + ;; + screen) + PROMPT_COMMAND='echo -ne "\033_${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\033\\"' + ;; +esac + +use_color=false + +# Set colorful PS1 only on colorful terminals. +# dircolors --print-database uses its own built-in database +# instead of using /etc/DIR_COLORS. Try to use the external file +# first to take advantage of user additions. Use internal bash +# globbing instead of external grep binary. +safe_term=${TERM//[^[:alnum:]]/?} # sanitize TERM +match_lhs="" +[[ -f ~/.dir_colors ]] && match_lhs="${match_lhs}$(<~/.dir_colors)" +[[ -f /etc/DIR_COLORS ]] && match_lhs="${match_lhs}$(/dev/null \ + && match_lhs=$(dircolors --print-database) +[[ $'\n'${match_lhs} == *$'\n'"TERM "${safe_term}* ]] && use_color=true + +if ${use_color} ; then + # Enable colors for ls, etc. Prefer ~/.dir_colors #64489 + if type -P dircolors >/dev/null ; then + if [[ -f ~/.dir_colors ]] ; then + eval $(dircolors -b ~/.dir_colors) + elif [[ -f /etc/DIR_COLORS ]] ; then + eval $(dircolors -b /etc/DIR_COLORS) + fi + fi + + if [[ ${EUID} == 0 ]] ; then + #PS1='\[\033[01;31m\]\h\[\033[01;34m\] \W \$\[\033[00m\] ' + PS1='$? \[\033[01;31m\]\h\[\033[01;30m\]:\[\033[01;34m\]\w \$ \[\033[00m\]' + #PS1='$? \[\033[01;31m\]Gentoo (chroot)\[\033[01;30m\]:\[\033[01;34m\]\w \$ \[\033[00m\]' + else + #PS1='\[\033[01;32m\]\u@\h\[\033[01;34m\] \w \$\[\033[00m\] ' + PS1='$? \[\033[01;32m\]\u@\h\[\033[01;30m\]:\[\033[01;34m\]\w > \[\033[00m\]' + fi + + alias ls='ls --color=auto' + alias grep='grep --colour=auto' +else + if [[ ${EUID} == 0 ]] ; then + # show root@ when we don't have colors + PS1='\u@\h \W \$ ' + else + PS1='\u@\h \w \$ ' + fi +fi + +if [[ ${EUID} == 0 ]] ; then + alias ll="ls -lA" +else + alias ll="ls -l" +fi +alias la="ls -la" +alias md=mkdir +alias rd=rmdir +alias ..='cd ..' +alias ...='cd ../..' +alias cd..='cd ..' +alias cd...='cd ../..' +alias pl="ps -fu $USER" +grep='grep --colour=auto' +alias cpwd='cd `realpath .`' + +lcd() { + cd $( perl -e ' +use strict; +use Cwd; +my $new = shift; +my $cwd = Cwd::abs_path(getcwd()); +my $newa = $cwd; +if ($new){ + $newa = Cwd::abs_path($new); + $newa = $cwd unless $newa; +}; +printf("%s\n", $newa); +' $1 ) +} + + +HISTCONTROL=ignoreboth +HISTSIZE=5000 +HISTFILESIZE=5000 +HISTTIMEFORMAT='%Y-%m-%d %H:%M:%S ' + +export LESSCOLOR=yes + +# Change the window title of X terminals +case $TERM in + xterm*|rxvt|Eterm|eterm) + PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/$HOME/~}\007"' + ;; + screen) + PROMPT_COMMAND='echo -ne "\033_${USER}@${HOSTNAME%%.*}:${PWD/$HOME/~}\033\\"' + ;; +esac + +if [ -f /usr/share/mc/mc.gentoo ]; then + . /usr/share/mc/mc.gentoo +fi + +if [ -f /etc/profile.d/bash-completion ]; then + . /etc/profile.d/bash-completion +fi + + + +# Try to keep environment pollution down, EPA loves us. +unset use_color safe_term match_lhs diff --git a/config-archive/etc/bash/bashrc.dist b/config-archive/etc/bash/bashrc.dist index 3067022..3a8095c 100644 --- a/config-archive/etc/bash/bashrc.dist +++ b/config-archive/etc/bash/bashrc.dist @@ -25,7 +25,7 @@ shopt -s histappend # Change the window title of X terminals case ${TERM} in - xterm*|rxvt*|Eterm*|aterm|kterm|gnome*|interix) + xterm*|rxvt*|Eterm*|aterm|kterm|gnome*|interix|konsole*) PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}\007"' ;; screen*) diff --git a/config-archive/etc/bind/named.conf b/config-archive/etc/bind/named.conf index 56cb07c..c7275cf 100644 --- a/config-archive/etc/bind/named.conf +++ b/config-archive/etc/bind/named.conf @@ -8,6 +8,17 @@ //# von: frank@brehm-online.com //# //############################################################### +/* + * Refer to the named.conf(5) and named(8) man pages, and the documentation + * in /usr/share/doc/bind-* for more details. + * Online versions of the documentation can be found here: + * https://kb.isc.org/article/AA-01031 + * + * If you are going to set up an authoritative server, make sure you + * understand the hairy details of how DNS works. Even with simple mistakes, + * you can break connectivity for affected parties, or cause huge amounts of + * useless Internet traffic. + */ @@ -39,24 +50,26 @@ options { //}; allow-notify { - 85.214.147.150; - 85.214.134.152; + 85.214.147.150; // leela + 85.214.134.152; // helga + 144.76.221.169; // maria 46.16.73.175; 127.0.0.1/8; ::1; - 2a01:238:4225:6e00:8f8c:808a:7fb8:88df; - 2a01:238:4239:8a00:d4da:215d:3d01:f9b9; + 2a01:238:4225:6e00:8f8c:808a:7fb8:88df; // helga + 2a01:238:4239:8a00:d4da:215d:3d01:f9b9; // leela + 2a01:4f8:200:94a8::2; // maria }; allow-recursion { 127.0.0.0/8; - 85.214.134.152; + 85.214.134.152; // helga 85.214.109.1; 46.16.73.175; 46.16.73.212; ::1/128; fe80::/10; - 2a01:238:4225:6e00:8f8c:808a:7fb8:88df; + 2a01:238:4225:6e00:8f8c:808a:7fb8:88df; // helga }; // if you have problems and are behind a firewall: diff --git a/config-archive/etc/bind/named.conf.1 b/config-archive/etc/bind/named.conf.1 index a545669..3c7d43a 100644 --- a/config-archive/etc/bind/named.conf.1 +++ b/config-archive/etc/bind/named.conf.1 @@ -39,13 +39,26 @@ options { //}; allow-notify { - 85.214.147.150; - 85.214.134.152; + 85.214.147.150; // leela + 85.214.134.152; // helga + 144.76.221.169; // maria 46.16.73.175; 127.0.0.1/8; ::1; - 2a01:238:4225:6e00:8f8c:808a:7fb8:88df; - 2a01:238:4239:8a00:d4da:215d:3d01:f9b9; + 2a01:238:4225:6e00:8f8c:808a:7fb8:88df; // helga + 2a01:238:4239:8a00:d4da:215d:3d01:f9b9; // leela + 2a01:4f8:200:94a8::2; // maria + }; + + allow-recursion { + 127.0.0.0/8; + 85.214.134.152; // helga + 85.214.109.1; + 46.16.73.175; + 46.16.73.212; + ::1/128; + fe80::/10; + 2a01:238:4225:6e00:8f8c:808a:7fb8:88df; // helga }; // if you have problems and are behind a firewall: diff --git a/config-archive/etc/bind/named.conf.2 b/config-archive/etc/bind/named.conf.2 new file mode 100644 index 0000000..56cb07c --- /dev/null +++ b/config-archive/etc/bind/named.conf.2 @@ -0,0 +1,150 @@ +//############################################################### +//# Bind9-Konfigurationsdatei +//# /etc/bind/named.conf +//# +//# Host Helga +//# +//# Generiert am: 26.05.2010 +//# von: frank@brehm-online.com +//# +//############################################################### + + + +//############################################################### +//# Allgemeine Optionen + +options { + directory "/var/bind"; + + // uncomment the following lines to turn on DNS forwarding, + // and change the forwarding ip address(es) : + //forward first; + //forwarders { + // 123.123.123.123; + // 123.123.123.123; + //}; + + # Auf allen Ports lauschen ... + listen-on-v6 { + any; + }; + listen-on { + any; + }; + + // to allow only specific hosts to use the DNS server: + //allow-query { + // 127.0.0.1; + //}; + + allow-notify { + 85.214.147.150; + 85.214.134.152; + 46.16.73.175; + 127.0.0.1/8; + ::1; + 2a01:238:4225:6e00:8f8c:808a:7fb8:88df; + 2a01:238:4239:8a00:d4da:215d:3d01:f9b9; + }; + + allow-recursion { + 127.0.0.0/8; + 85.214.134.152; + 85.214.109.1; + 46.16.73.175; + 46.16.73.212; + ::1/128; + fe80::/10; + 2a01:238:4225:6e00:8f8c:808a:7fb8:88df; + }; + + // if you have problems and are behind a firewall: + //query-source address * port 53; + pid-file "/var/run/named/named.pid"; + + version "none"; + +}; + +// Logging +include "/etc/bind/named-log.conf"; + +// Managed Keys +include "/etc/bind/bind.keys"; + +//############################################################### +//# Kontrollkanäle für RNDC + +controls { + inet 127.0.0.1 port 953 allow { + 127.0.0.1; + } keys { + "rndc-key"; + }; +}; + +//############################################################### +//# Id-Schlüssel + +key rndc-key { + algorithm hmac-md5; + secret "qVWegky7GAFenNmgrZgf6A=="; +}; + +key DYN_DNS_UPDATER { + algorithm hmac-md5; + secret "gi69Yjzo1OSPVQ/oTTgw+Q=="; +}; + +// Access-Control-Listen +include "/etc/bind/named-acl.conf"; + +// Briefly, a zone which has been declared delegation-only will be effectively +// limited to containing NS RRs for subdomains, but no actual data beyond its +// own apex (for example, its SOA RR and apex NS RRset). This can be used to +// filter out "wildcard" or "synthesized" data from NAT boxes or from +// authoritative name servers whose undelegated (in-zone) data is of no +// interest. +// See http://www.isc.org/products/BIND/delegation-only.html for more info + +//zone "COM" { type delegation-only; }; +//zone "NET" { type delegation-only; }; + +//############################################################### +//# Hint-Zonen (zum Finden der Root-Server) + +zone "." IN { + type hint; + file "named.cache"; +}; + +zone "localhost" IN { + type master; + file "pri/localhost.zone"; + allow-update { none; }; + notify no; +}; + +zone "127.in-addr.arpa" IN { + type master; + file "pri/127.zone"; + allow-update { none; }; + notify no; +}; + +//############################################################### +// Include der Zonendefinitionen + +// Master-Zonen +include "/etc/bind/named-pri.conf"; + +// Dynamische Zonen +include "/etc/bind/named-dyn.conf"; + +// Slave-Zonen +include "/etc/bind/named-sec.conf"; + + + +# vim: ts=4 filetype=named noai diff --git a/config-archive/etc/bind/named.conf.3 b/config-archive/etc/bind/named.conf.3 new file mode 100644 index 0000000..a545669 --- /dev/null +++ b/config-archive/etc/bind/named.conf.3 @@ -0,0 +1,139 @@ +//############################################################### +//# Bind9-Konfigurationsdatei +//# /etc/bind/named.conf +//# +//# Host Helga +//# +//# Generiert am: 26.05.2010 +//# von: frank@brehm-online.com +//# +//############################################################### + + + +//############################################################### +//# Allgemeine Optionen + +options { + directory "/var/bind"; + + // uncomment the following lines to turn on DNS forwarding, + // and change the forwarding ip address(es) : + //forward first; + //forwarders { + // 123.123.123.123; + // 123.123.123.123; + //}; + + # Auf allen Ports lauschen ... + listen-on-v6 { + any; + }; + listen-on { + any; + }; + + // to allow only specific hosts to use the DNS server: + //allow-query { + // 127.0.0.1; + //}; + + allow-notify { + 85.214.147.150; + 85.214.134.152; + 46.16.73.175; + 127.0.0.1/8; + ::1; + 2a01:238:4225:6e00:8f8c:808a:7fb8:88df; + 2a01:238:4239:8a00:d4da:215d:3d01:f9b9; + }; + + // if you have problems and are behind a firewall: + //query-source address * port 53; + pid-file "/var/run/named/named.pid"; + + version "none"; + +}; + +// Logging +include "/etc/bind/named-log.conf"; + +// Managed Keys +include "/etc/bind/bind.keys"; + +//############################################################### +//# Kontrollkanäle für RNDC + +controls { + inet 127.0.0.1 port 953 allow { + 127.0.0.1; + } keys { + "rndc-key"; + }; +}; + +//############################################################### +//# Id-Schlüssel + +key rndc-key { + algorithm hmac-md5; + secret "qVWegky7GAFenNmgrZgf6A=="; +}; + +key DYN_DNS_UPDATER { + algorithm hmac-md5; + secret "gi69Yjzo1OSPVQ/oTTgw+Q=="; +}; + +// Access-Control-Listen +include "/etc/bind/named-acl.conf"; + +// Briefly, a zone which has been declared delegation-only will be effectively +// limited to containing NS RRs for subdomains, but no actual data beyond its +// own apex (for example, its SOA RR and apex NS RRset). This can be used to +// filter out "wildcard" or "synthesized" data from NAT boxes or from +// authoritative name servers whose undelegated (in-zone) data is of no +// interest. +// See http://www.isc.org/products/BIND/delegation-only.html for more info + +//zone "COM" { type delegation-only; }; +//zone "NET" { type delegation-only; }; + +//############################################################### +//# Hint-Zonen (zum Finden der Root-Server) + +zone "." IN { + type hint; + file "named.cache"; +}; + +zone "localhost" IN { + type master; + file "pri/localhost.zone"; + allow-update { none; }; + notify no; +}; + +zone "127.in-addr.arpa" IN { + type master; + file "pri/127.zone"; + allow-update { none; }; + notify no; +}; + +//############################################################### +// Include der Zonendefinitionen + +// Master-Zonen +include "/etc/bind/named-pri.conf"; + +// Dynamische Zonen +include "/etc/bind/named-dyn.conf"; + +// Slave-Zonen +include "/etc/bind/named-sec.conf"; + + + +# vim: ts=4 filetype=named noai diff --git a/config-archive/etc/bind/named.conf.dist.new b/config-archive/etc/bind/named.conf.dist.new index b24c2e4..39f9be2 100644 --- a/config-archive/etc/bind/named.conf.dist.new +++ b/config-archive/etc/bind/named.conf.dist.new @@ -1,8 +1,8 @@ /* * Refer to the named.conf(5) and named(8) man pages, and the documentation - * in /usr/share/doc/bind-9 for more details. + * in /usr/share/doc/bind-* for more details. * Online versions of the documentation can be found here: - * http://www.isc.org/software/bind/documentation + * https://kb.isc.org/article/AA-01031 * * If you are going to set up an authoritative server, make sure you * understand the hairy details of how DNS works. Even with simple mistakes, @@ -28,7 +28,7 @@ acl "trusted" { options { directory "/var/bind"; - pid-file "/var/run/named/named.pid"; + pid-file "/run/named/named.pid"; /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */ //bindkeys-file "/etc/bind/bind.keys"; @@ -87,7 +87,7 @@ options { */ - //dnssec-enable yes; + dnssec-enable yes; //dnssec-validation yes; /* @@ -95,7 +95,7 @@ options { * "If the root key provided has expired, * named will log the expiration and validation will not work." */ - //dnssec-validation auto; + dnssec-validation auto; /* if you have problems and are behind a firewall: */ //query-source address * port 53; @@ -131,12 +131,6 @@ zone "localhost" IN { notify no; }; -zone "127.in-addr.arpa" IN { - type master; - file "pri/127.zone"; - notify no; -}; - /* * Briefly, a zone which has been declared delegation-only will be effectively * limited to containing NS RRs for subdomains, but no actual data beyond its diff --git a/config-archive/etc/conf.d/postgrey.dist b/config-archive/etc/conf.d/postgrey.dist new file mode 100644 index 0000000..58db734 --- /dev/null +++ b/config-archive/etc/conf.d/postgrey.dist @@ -0,0 +1,55 @@ +# Config file for /etc/init.d/postgrey + +# LISTEN TYPE +# Set to 'inet' if you want to use a TCP socket. +# Set to 'unix' if you want to use a UNIX socket. +POSTGREY_TYPE="inet" + +# HOST +# What IP should postgrey bind to? +# Leave unchanged unless you know what you are doing. +# (ignored if POSTGREY_TYPE is set to 'unix') +POSTGREY_HOST="127.0.0.1" + +# PORT +# What TCP port should postgrey listen on? +# (ignored if POSTGREY_TYPE is set to 'unix') +POSTGREY_PORT="10030" + +# SOCKET +# Unix socket to listen on, if POSTGREY_TYPE is set to 'unix'. +# Leave unchanged unless you know what you are doing. +# (ignored if POSTGREY_TYPE is set to 'inet') +POSTGREY_SOCKET="/var/spool/postfix/private/postgrey" + +# PID +# Postgrey pid file. +# Do not change, if you don't know what this is! +POSTGREY_PID="/var/run/postgrey.pid" + +# DELAY +# How long to delay mail that is greylisted in seconds. +POSTGREY_DELAY=300 + +# TEXT +# The response we'll send back with delayed mail. +POSTGREY_TEXT="Greylisted for %s seconds" + +# Additional Postgrey options +# +# -v, --verbose increase verbosity level +# --max-age=N delete entries older than N days since the last time +# that they have been seen (default: 30) +# --retry-window=N allow only N days for the first retrial (default: 2) +# append 'h' if you want to specify it in hours +# --greylist-action=A if greylisted, return A to Postfix (default: DEFER_IF_PERMIT) +# --lookup-by-subnet strip the last 8 bits from IP addresses (default) +# --lookup-by-host do not strip the last 8 bits from IP addresses +# --whitelist-clients=FILE default: /etc/postfix/postgrey_whitelist_clients +# --whitelist-recipients=FILE default: /etc/postfix/postgrey_whitelist_recipients +# +# Note that the --whitelist-x options can be specified multiple times, and that +# per default /etc/postfix/postgrey_whitelist_clients.local is also read, so +# that you can put there local entries. +# +POSTGREY_OPTS="" diff --git a/config-archive/etc/conf.d/postgrey.dist.new b/config-archive/etc/conf.d/postgrey.dist.new deleted file mode 100644 index 7a6deb5..0000000 --- a/config-archive/etc/conf.d/postgrey.dist.new +++ /dev/null @@ -1,55 +0,0 @@ -# Config file for /etc/init.d/postgrey - -# LISTEN TYPE -# Set to 'inet' if you want to use a TCP socket. -# Set to 'unix' if you want to use an UNIX socket. -POSTGREY_TYPE="inet" - -# HOST -# What IP should postgrey bind to? -# Leave unchanged unless you know what you are doing. -# (ignored if POSTGREY_TYPE is set to 'unix') -POSTGREY_HOST="127.0.0.1" - -# PORT -# What TCP port should postgrey listen on? -# (ignored if POSTGREY_TYPE is set to 'unix') -POSTGREY_PORT="10030" - -# SOCKET -# Unix socket to listen on, if POSTGREY_TYPE is set to 'unix'. -# Leave unchanged unless you know what you are doing. -# (ignored if POSTGREY_TYPE is set to 'inet') -POSTGREY_SOCKET="/var/spool/postfix/private/postgrey" - -# PID -# Postgrey pid file. -# Do not change, if you don't know what this is! -POSTGREY_PID="/var/run/postgrey.pid" - -# DELAY -# How long to delay mail that is greylisted in seconds. -POSTGREY_DELAY=300 - -# TEXT -# The response we'll send back with delayed mail. -POSTGREY_TEXT="Greylisted for %s seconds" - -# Additional Postgrey options -# -# -v, --verbose increase verbosity level -# --max-age=N delete entries older than N days since the last time -# that they have been seen (default: 30) -# --retry-window=N allow only N days for the first retrial (default: 2) -# append 'h' if you want to specify it in hours -# --greylist-action=A if greylisted, return A to Postfix (default: DEFER_IF_PERMIT) -# --lookup-by-subnet strip the last 8 bits from IP addresses (default) -# --lookup-by-host do not strip the last 8 bits from IP addresses -# --whitelist-clients=FILE default: /etc/postfix/postgrey_whitelist_clients -# --whitelist-recipients=FILE default: /etc/postfix/postgrey_whitelist_recipients -# -# Note that the --whitelist-x options can be specified multiple times, and that -# per default /etc/postfix/postgrey_whitelist_clients.local is also read, so -# that you can put there local entries. -# -POSTGREY_OPTS="" diff --git a/config-archive/etc/courier-imap/imapd b/config-archive/etc/courier-imap/imapd index 3c6c141..c0d690d 100644 --- a/config-archive/etc/courier-imap/imapd +++ b/config-archive/etc/courier-imap/imapd @@ -1,4 +1,4 @@ -##VERSION: $Id: imapd,v 1.2 2010/10/05 17:24:49 root Exp $ +##VERSION: $Id: imapd.dist.in,v 1.41 2008/06/21 16:01:23 mrsam Exp $ # # imapd created from imapd.dist by sysconftool # diff --git a/config-archive/etc/courier-imap/imapd-ssl b/config-archive/etc/courier-imap/imapd-ssl index 92d6619..93e9328 100644 --- a/config-archive/etc/courier-imap/imapd-ssl +++ b/config-archive/etc/courier-imap/imapd-ssl @@ -1,4 +1,4 @@ -##VERSION: $Id: imapd-ssl,v 1.3 2010/10/05 17:35:41 root Exp $ +##VERSION: $Id: imapd-ssl.dist.in,v 1.22 2009/08/12 22:25:49 mrsam Exp $ # # imapd-ssl created from imapd-ssl.dist by sysconftool # @@ -149,7 +149,7 @@ TLS_STARTTLS_PROTOCOL=TLS1 # # OpenSSL: # -# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL@STRENGTH" +# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH" # # To enable SSL2, remove the obvious "!SSLv2" part from the above list. # diff --git a/config-archive/etc/courier-imap/imapd-ssl.1 b/config-archive/etc/courier-imap/imapd-ssl.1 new file mode 100644 index 0000000..92d6619 --- /dev/null +++ b/config-archive/etc/courier-imap/imapd-ssl.1 @@ -0,0 +1,338 @@ +##VERSION: $Id: imapd-ssl,v 1.3 2010/10/05 17:35:41 root Exp $ +# +# imapd-ssl created from imapd-ssl.dist by sysconftool +# +# Do not alter lines that begin with ##, they are used when upgrading +# this configuration. +# +# Copyright 2000 - 2008 Double Precision, Inc. See COPYING for +# distribution information. +# +# This configuration file sets various options for the Courier-IMAP server +# when used to handle SSL IMAP connections. +# +# SSL and non-SSL connections are handled by a dedicated instance of the +# couriertcpd daemon. If you are accepting both SSL and non-SSL IMAP +# connections, you will start two instances of couriertcpd, one on the +# IMAP port 143, and another one on the IMAP-SSL port 993. +# +# Download OpenSSL from http://www.openssl.org/ +# +##NAME: SSLPORT:1 +# +# Options in the imapd-ssl configuration file AUGMENT the options in the +# imapd configuration file. First the imapd configuration file is read, +# then the imapd-ssl configuration file, so we do not have to redefine +# anything. +# +# However, some things do have to be redefined. The port number is +# specified by SSLPORT, instead of PORT. The default port is port 993. +# +# Multiple port numbers can be separated by commas. When multiple port +# numbers are used it is possibly to select a specific IP address for a +# given port as "ip.port". For example, "127.0.0.1.900,192.168.0.1.900" +# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.168.0.1 +# The SSLADDRESS setting is a default for ports that do not have +# a specified IP address. + +SSLPORT=993 + +##NAME: SSLADDRESS:0 +# +# Address to listen on, can be set to a single IP address. +# +# SSLADDRESS=127.0.0.1 + +SSLADDRESS=0 + +##NAME: SSLPIDFILE:0 +# +# That's the SSL IMAP port we'll listen on. +# Feel free to redefine MAXDAEMONS, TCPDOPTS, and MAXPERIP. + +SSLPIDFILE=/var/run/imapd-ssl.pid + +##NAME: SSLLOGGEROPTS:0 +# +# courierlogger(1) options. +# + +SSLLOGGEROPTS="-name=imapd-ssl" + +##NAME: IMAPDSSLSTART:0 +# +# Different pid files, so that both instances of couriertcpd can coexist +# happily. +# +# You can also redefine IMAP_CAPABILITY, although I can't +# think of why you'd want to do that. +# +# +# Ok, the following settings are new to imapd-ssl: +# +# Whether or not to start IMAP over SSL on simap port: + +IMAPDSSLSTART=NO + +##NAME: IMAPDSTARTTLS:0 +# +# Whether or not to implement IMAP STARTTLS extension instead: + +IMAPDSTARTTLS=YES + +##NAME: IMAP_TLS_REQUIRED:1 +# +# Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone. +# (this option advertises the LOGINDISABLED IMAP capability, until STARTTLS +# is issued). + +IMAP_TLS_REQUIRED=0 + + +######################################################################### +# +# The following variables configure IMAP over SSL. If OpenSSL or GnuTLS +# is available during configuration, the couriertls helper gets compiled, and +# upon installation a dummy TLS_CERTFILE gets generated. +# +# WARNING: Peer certificate verification has NOT yet been tested. Proceed +# at your own risk. Only the basic SSL/TLS functionality is known to be +# working. Keep this in mind as you play with the following variables. +# +##NAME: COURIERTLS:0 +# + +COURIERTLS=/usr/sbin/couriertls + +##NAME: TLS_PROTOCOL:0 +# +# TLS_PROTOCOL sets the protocol version. The possible versions are: +# +# OpenSSL: +# +# SSL2 - SSLv2 +# SSL3 - SSLv3 +# SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems) +# TLS1 - TLS1 +# +# Note that this setting, with OpenSSL, is modified by the TLS_CIPHER_LIST +# setting, below. +# +# GnuTLS: +# +# SSL3 - SSLv3 +# TLS1 - TLS 1.0 +# TLS1_1 - TLS 1.1 +# +# When compiled against GnuTLS, multiple protocols can be selected as follows: +# +# TLS_PROTOCOL="TLS1_1:TLS1:SSL3" +# +# DEFAULT VALUES: +# +# SSL23 (OpenSSL), or "TLS_1:TLS1:SSL3" (GnuTLS) +TLS_PROTOCOL="SSL3" + +##NAME: TLS_STARTTLS_PROTOCOL:0 +# +# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the IMAP STARTTLS +# extension, as opposed to IMAP over SSL on port 993. +# +# It takes the same values for OpenSSL/GnuTLS as TLS_PROTOCOL +TLS_STARTTLS_PROTOCOL=TLS1 + +##NAME: TLS_CIPHER_LIST:0 +# +# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the +# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST +# undefined +# +# OpenSSL: +# +# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL@STRENGTH" +# +# To enable SSL2, remove the obvious "!SSLv2" part from the above list. +# +# +# GnuTLS: +# +# TLS_CIPHER_LIST="HIGH:MEDIUM" +# +# The actual list of available ciphers depend on the options GnuTLS was +# compiled against. The possible ciphers are: +# +# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL +# +# Also, the following aliases: +# +# HIGH -- all ciphers that use more than a 128 bit key size +# MEDIUM -- all ciphers that use a 128 bit key size +# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher +# is not included +# ALL -- all ciphers except the NULL cipher + +##NAME: TLS_MIN_DH_BITS:0 +# +# TLS_MIN_DH_BITS=n +# +# GnuTLS only: +# +# Set the minimum number of acceptable bits for a DH key exchange. +# +# GnuTLS's compiled-in default is 727 bits (as of GnuTLS 1.6.3). Some server +# have been encountered that offer 512 bit keys. You may have to set +# TLS_MIN_DH_BITS=512 here, if necessary. + +##NAME: TLS_KX_LIST:0 +# +# GnuTLS only: +# +# Allowed key exchange protocols. The default of "ALL" should be sufficient. +# The list of supported key exchange protocols depends on the options GnuTLS +# was compiled against, but may include the following: +# +# DHERSA, DHEDSS, RSA, SRP, SRPRSA, SRPDSS, PSK, DHEPSK, ANONDH, RSAEXPORT + +TLS_KX_LIST=ALL + +##NAME: TLS_COMPRESSION:0 +# +# GnuTLS only: +# +# Optional compression. "ALL" selects all available compression methods. +# +# Available compression methods: DEFLATE, LZO, NULL + +TLS_COMPRESSION=ALL + +##NAME: TLS_CERTS:0 +# +# GnuTLS only: +# +# Supported certificate types are X509 and OPENPGP. +# +# OPENPGP has not been tested + +TLS_CERTS=X509 + +##NAME: TLS_TIMEOUT:0 +# TLS_TIMEOUT is currently not implemented, and reserved for future use. +# This is supposed to be an inactivity timeout, but its not yet implemented. +# + +##NAME: TLS_DHCERTFILE:0 +# +# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate. +# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA +# you must generate a DH pair that will be used. In most situations the +# DH pair is to be treated as confidential, and the file specified by +# TLS_DHCERTFILE must not be world-readable. +# +# TLS_DHCERTFILE= + +##NAME: TLS_CERTFILE:0 +# +# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS +# servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually +# treated as confidential, and must not be world-readable. Set TLS_CERTFILE +# instead of TLS_DHCERTFILE if this is a garden-variety certificate +# +# VIRTUAL HOSTS (servers only): +# +# Due to technical limitations in the original SSL/TLS protocol, a dedicated +# IP address is required for each virtual host certificate. If you have +# multiple certificates, install each certificate file as +# $TLS_CERTFILE.aaa.bbb.ccc.ddd, where "aaa.bbb.ccc.ddd" is the IP address +# for the certificate's domain name. So, if TLS_CERTFILE is set to +# /etc/certificate.pem, then you'll need to install the actual certificate +# files as /etc/certificate.pem.192.168.0.2, /etc/certificate.pem.192.168.0.3 +# and so on, for each IP address. +# +# GnuTLS only (servers only): +# +# GnuTLS implements a new TLS extension that eliminates the need to have a +# dedicated IP address for each SSL/TLS domain name. Install each certificate +# as $TLS_CERTFILE.domain, so if TLS_CERTFILE is set to /etc/certificate.pem, +# then you'll need to install the actual certificate files as +# /etc/certificate.pem.host1.example.com, /etc/certificate.pem.host2.example.com +# and so on. +# +# Note that this TLS extension also requires a corresponding support in the +# client. Older SSL/TLS clients may not support this feature. +# +# This is an experimental feature. + +TLS_CERTFILE=/etc/courier-imap/imapd.pem + +##NAME: TLS_TRUSTCERTS:0 +# +# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname. +# pathname can be a file or a directory. If a file, the file should +# contain a list of trusted certificates, in PEM format. If a +# directory, the directory should contain the trusted certificates, +# in PEM format, one per file and hashed using OpenSSL's c_rehash +# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying +# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set +# to PEER or REQUIREPEER). +# + +TLS_TRUSTCERTS=/etc/ssl/certs + +##NAME: TLS_VERIFYPEER:0 +# +# TLS_VERIFYPEER - how to verify client certificates. The possible values of +# this setting are: +# +# NONE - do not verify anything +# +# PEER - verify the client certificate, if one's presented +# +# REQUIREPEER - require a client certificate, fail if one's not presented +# +# +TLS_VERIFYPEER=NONE + + +##NAME: TLS_EXTERNAL:0 +# +# To enable SSL certificate-based authentication: +# +# 1) TLS_TRUSTCERTS must be set to a pathname that holds your certificate +# authority's SSL certificate +# +# 2) TLS_VERIFYPEER=PEER or TLS_VERIFYPEER=REQUIREPEER (the later settings +# requires all SSL clients to present a certificate, and rejects +# SSL/TLS connections without a valid cert). +# +# 3) Set TLS_EXTERNAL, below, to the subject field that holds the login ID. +# Example: +# +# TLS_EXTERNAL=emailaddress +# +# The above example retrieves the login ID from the "emailaddress" subject +# field. The certificate's emailaddress subject must match exactly the login +# ID in the courier-authlib database. + +##NAME: TLS_CACHE:0 +# +# A TLS/SSL session cache may slightly improve response for IMAP clients +# that open multiple SSL sessions to the server. TLS_CACHEFILE will be +# automatically created, TLS_CACHESIZE bytes long, and used as a cache +# buffer. +# +# This is an experimental feature and should be disabled if it causes +# problems with SSL clients. Disable SSL caching by commenting out the +# following settings: + +TLS_CACHEFILE=/var/lib/courier-imap/couriersslcache +TLS_CACHESIZE=524288 + +##NAME: MAILDIRPATH:0 +# +# MAILDIRPATH - directory name of the maildir directory. +# +MAILDIRPATH=Maildir + +# Hardwire a value for ${MAILDIR} +MAILDIR=.maildir +MAILDIRPATH=.maildir diff --git a/config-archive/etc/courier-imap/imapd-ssl.dist.new b/config-archive/etc/courier-imap/imapd-ssl.dist.new new file mode 100644 index 0000000..0811b73 --- /dev/null +++ b/config-archive/etc/courier-imap/imapd-ssl.dist.new @@ -0,0 +1,307 @@ +##VERSION: $Id: 2013-10-14 22:07:39 -0400 37a74ee0f736237b67330c620de7dc08232dec17$ +# +# imapd-ssl created from imapd-ssl.dist by sysconftool +# +# Do not alter lines that begin with ##, they are used when upgrading +# this configuration. +# +# Copyright 2000 - 2013 Double Precision, Inc. See COPYING for +# distribution information. +# +# This configuration file sets various options for the Courier-IMAP server +# when used to handle SSL IMAP connections. +# +# SSL and non-SSL connections are handled by a dedicated instance of the +# couriertcpd daemon. If you are accepting both SSL and non-SSL IMAP +# connections, you will start two instances of couriertcpd, one on the +# IMAP port 143, and another one on the IMAP-SSL port 993. +# +# Download OpenSSL from http://www.openssl.org/ +# +##NAME: SSLPORT:1 +# +# Options in the imapd-ssl configuration file AUGMENT the options in the +# imapd configuration file. First the imapd configuration file is read, +# then the imapd-ssl configuration file, so we do not have to redefine +# anything. +# +# However, some things do have to be redefined. The port number is +# specified by SSLPORT, instead of PORT. The default port is port 993. +# +# Multiple port numbers can be separated by commas. When multiple port +# numbers are used it is possibly to select a specific IP address for a +# given port as "ip.port". For example, "127.0.0.1.900,192.168.0.1.900" +# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.168.0.1 +# The SSLADDRESS setting is a default for ports that do not have +# a specified IP address. + +SSLPORT=993 + +##NAME: SSLADDRESS:0 +# +# Address to listen on, can be set to a single IP address. +# +# SSLADDRESS=127.0.0.1 + +SSLADDRESS=0 + +##NAME: SSLPIDFILE:0 +# +# That's the SSL IMAP port we'll listen on. +# Feel free to redefine MAXDAEMONS, TCPDOPTS, and MAXPERIP. + +SSLPIDFILE=/var/run/imapd-ssl.pid + +##NAME: SSLLOGGEROPTS:0 +# +# courierlogger(1) options. +# + +SSLLOGGEROPTS="-name=imapd-ssl" + +##NAME: IMAPDSSLSTART:0 +# +# Different pid files, so that both instances of couriertcpd can coexist +# happily. +# +# You can also redefine IMAP_CAPABILITY, although I can't +# think of why you'd want to do that. +# +# +# Ok, the following settings are new to imapd-ssl: +# +# Whether or not to start IMAP over SSL on simap port: + +IMAPDSSLSTART=NO + +##NAME: IMAPDSTARTTLS:0 +# +# Whether or not to implement IMAP STARTTLS extension instead: + +IMAPDSTARTTLS=YES + +##NAME: IMAP_TLS_REQUIRED:1 +# +# Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone. +# (this option advertises the LOGINDISABLED IMAP capability, until STARTTLS +# is issued). + +IMAP_TLS_REQUIRED=0 + + +######################################################################### +# +# The following variables configure IMAP over SSL. If OpenSSL or GnuTLS +# is available during configuration, the couriertls helper gets compiled, and +# upon installation a dummy TLS_CERTFILE gets generated. +# +# WARNING: Peer certificate verification has NOT yet been tested. Proceed +# at your own risk. Only the basic SSL/TLS functionality is known to be +# working. Keep this in mind as you play with the following variables. +# +##NAME: COURIERTLS:0 +# + +COURIERTLS=/usr/sbin/couriertls + +##NAME: TLS_PRIORITY:0 +# +# GnuTLS setting only +# +# Set TLS protocol priority settings (GnuTLS only) +# +# DEFAULT: NORMAL:-CTYPE-OPENPGP +# +# TLS_PRIORITY="NORMAL:-CTYPE-OPENPGP" + +##NAME: TLS_PROTOCOL:0 +# +# TLS_PROTOCOL sets the protocol version. The possible versions are: +# +# OpenSSL: +# +# SSL3 - SSLv3 +# SSL23 - all protocols (including TLS 1.x protocols) +# TLS1 - TLS1 +# TLSv1.1 - TLS1.1 +# TLSv1.2 - TLS1.2 +# +# Leave it unset to use any protocol except SSL 2. + +##NAME: TLS_CIPHER_LIST:0 +# +# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the +# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST +# undefined +# +# OpenSSL: +# +# TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH" +# +# GnuTLS: +# +# TLS_CIPHER_LIST="HIGH:MEDIUM" +# +# The actual list of available ciphers depend on the options GnuTLS was +# compiled against. The possible ciphers are: +# +# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL +# +# Also, the following aliases: +# +# HIGH -- all ciphers that use more than a 128 bit key size +# MEDIUM -- all ciphers that use a 128 bit key size +# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher +# is not included +# ALL -- all ciphers except the NULL cipher +# +# See GnuTLS documentation, gnutls_priority_init(3) for additional +# documentation. + +##NAME: TLS_STARTTLS_PROTOCOL:0 +# +# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the IMAP STARTTLS +# extension, as opposed to IMAP over SSL on port 993. +# +# It takes the same values for OpenSSL as TLS_PROTOCOL + +##NAME: TLS_CIPHER_LIST:0 +# +# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the +# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST +# undefined +# +# OpenSSL: +# +# TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH" +# +# + +##NAME: TLS_MIN_DH_BITS:0 +# +# TLS_MIN_DH_BITS=n +# +# GnuTLS only: +# +# Set the minimum number of acceptable bits for a DH key exchange. +# +# GnuTLS's compiled-in default is 727 bits (as of GnuTLS 1.6.3). Some server +# have been encountered that offer 512 bit keys. You may have to set +# TLS_MIN_DH_BITS=512 here, if necessary. + +##NAME: TLS_TIMEOUT:0 +# TLS_TIMEOUT is currently not implemented, and reserved for future use. +# This is supposed to be an inactivity timeout, but its not yet implemented. +# + +##NAME: TLS_CERTFILE:0 +# +# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS +# servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually +# treated as confidential, and must not be world-readable. Set TLS_CERTFILE +# instead of TLS_DHCERTFILE if this is a garden-variety certificate +# +# VIRTUAL HOSTS (servers only): +# +# Due to technical limitations in the original SSL/TLS protocol, a dedicated +# IP address is required for each virtual host certificate. If you have +# multiple certificates, install each certificate file as +# $TLS_CERTFILE.aaa.bbb.ccc.ddd, where "aaa.bbb.ccc.ddd" is the IP address +# for the certificate's domain name. So, if TLS_CERTFILE is set to +# /etc/certificate.pem, then you'll need to install the actual certificate +# files as /etc/certificate.pem.192.168.0.2, /etc/certificate.pem.192.168.0.3 +# and so on, for each IP address. +# +# GnuTLS only (servers only): +# +# GnuTLS implements a new TLS extension that eliminates the need to have a +# dedicated IP address for each SSL/TLS domain name. Install each certificate +# as $TLS_CERTFILE.domain, so if TLS_CERTFILE is set to /etc/certificate.pem, +# then you'll need to install the actual certificate files as +# /etc/certificate.pem.host1.example.com, /etc/certificate.pem.host2.example.com +# and so on. +# +# Note that this TLS extension also requires a corresponding support in the +# client. Older SSL/TLS clients may not support this feature. +# +# This is an experimental feature. + +TLS_CERTFILE=/etc/courier-imap/imapd.pem + +##NAME: TLS_DHPARAMS:0 +# +# TLS_DHPARAMS - DH parameter file. +# +TLS_DHPARAMS=/usr/share/dhparams.pem + +##NAME: TLS_TRUSTCERTS:0 +# +# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname. +# pathname can be a file or a directory. If a file, the file should +# contain a list of trusted certificates, in PEM format. If a +# directory, the directory should contain the trusted certificates, +# in PEM format, one per file and hashed using OpenSSL's c_rehash +# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying +# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set +# to PEER or REQUIREPEER). +# + +TLS_TRUSTCERTS=/etc/ssl/certs + +##NAME: TLS_VERIFYPEER:0 +# +# TLS_VERIFYPEER - how to verify client certificates. The possible values of +# this setting are: +# +# NONE - do not verify anything +# +# PEER - verify the client certificate, if one's presented +# +# REQUIREPEER - require a client certificate, fail if one's not presented +# +# +TLS_VERIFYPEER=NONE + +##NAME: TLS_EXTERNAL:0 +# +# To enable SSL certificate-based authentication: +# +# 1) TLS_TRUSTCERTS must be set to a pathname that holds your certificate +# authority's SSL certificate +# +# 2) TLS_VERIFYPEER=PEER or TLS_VERIFYPEER=REQUIREPEER (the later settings +# requires all SSL clients to present a certificate, and rejects +# SSL/TLS connections without a valid cert). +# +# 3) Set TLS_EXTERNAL, below, to the subject field that holds the login ID. +# Example: +# +# TLS_EXTERNAL=emailaddress +# +# The above example retrieves the login ID from the "emailaddress" subject +# field. The certificate's emailaddress subject must match exactly the login +# ID in the courier-authlib database. + +##NAME: TLS_CACHE:0 +# +# A TLS/SSL session cache may slightly improve response for IMAP clients +# that open multiple SSL sessions to the server. TLS_CACHEFILE will be +# automatically created, TLS_CACHESIZE bytes long, and used as a cache +# buffer. +# +# This is an experimental feature and should be disabled if it causes +# problems with SSL clients. Disable SSL caching by commenting out the +# following settings: + +TLS_CACHEFILE=/var/lib/courier-imap/couriersslcache +TLS_CACHESIZE=524288 + +##NAME: MAILDIRPATH:0 +# +# MAILDIRPATH - directory name of the maildir directory. +# +MAILDIRPATH=Maildir + +# Hardwire a value for ${MAILDIR} +MAILDIR=.maildir +MAILDIRPATH=.maildir diff --git a/config-archive/etc/courier-imap/imapd.1 b/config-archive/etc/courier-imap/imapd.1 new file mode 100644 index 0000000..3c6c141 --- /dev/null +++ b/config-archive/etc/courier-imap/imapd.1 @@ -0,0 +1,429 @@ +##VERSION: $Id: imapd,v 1.2 2010/10/05 17:24:49 root Exp $ +# +# imapd created from imapd.dist by sysconftool +# +# Do not alter lines that begin with ##, they are used when upgrading +# this configuration. +# +# Copyright 1998 - 2008 Double Precision, Inc. See COPYING for +# distribution information. +# +# This configuration file sets various options for the Courier-IMAP server +# when used with the couriertcpd server. +# A lot of the stuff here is documented in the manual page for couriertcpd. +# +# NOTE - do not use \ to split long variable contents on multiple lines. +# This will break the default imapd.rc script, which parses this file. +# +##NAME: ADDRESS:0 +# +# Address to listen on, can be set to a single IP address. +# +# ADDRESS=127.0.0.1 + +ADDRESS=0 + +##NAME: PORT:1 +# +# Port numbers that connections are accepted on. The default is 143, +# the standard IMAP port. +# +# Multiple port numbers can be separated by commas. When multiple port +# numbers are used it is possible to select a specific IP address for a +# given port as "ip.port". For example, "127.0.0.1.900,192.68.0.1.900" +# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1 +# The previous ADDRESS setting is a default for ports that do not have +# a specified IP address. + +PORT=143 + +##NAME: AUTHSERVICE:0 +# +# It's possible to authenticate using a different 'service' parameter +# depending on the connection's port. This only works with authentication +# modules that use the 'service' parameter, such as PAM. Example: +# +# AUTHSERVICE143=imap +# AUTHSERVICE993=imaps + +##NAME: MAXDAEMONS:0 +# +# Maximum number of IMAP servers started +# + +MAXDAEMONS=40 + +##NAME: MAXPERIP:0 +# +# Maximum number of connections to accept from the same IP address + +MAXPERIP=10 + +##NAME: PIDFILE:0 +# +# File where couriertcpd will save its process ID +# + +PIDFILE=/var/run/imapd.pid + +##NAME: TCPDOPTS:0 +# +# Miscellaneous couriertcpd options that shouldn't be changed. +# + +TCPDOPTS="-nodnslookup -noidentlookup" + +##NAME: LOGGEROPTS:0 +# +# courierlogger(1) options. +# + +LOGGEROPTS="-name=imapd" + +##NAME: DEFDOMAIN:0 +# +# Optional default domain. If the username does not contain the +# first character of DEFDOMAIN, then it is appended to the username. +# If DEFDOMAIN and DOMAINSEP are both set, then DEFDOMAIN is appended +# only if the username does not contain any character from DOMAINSEP. +# You can set different default domains based on the the interface IP +# address using the -access and -accesslocal options of couriertcpd(1). + +#DEFDOMAIN="@example.com" + +##NAME: IMAP_CAPABILITY:1 +# +# IMAP_CAPABILITY specifies what most of the response should be to the +# CAPABILITY command. +# +# If you have properly configured Courier to use CRAM-MD5, CRAM-SHA1, or +# CRAM-SHA256 authentication (see INSTALL), set IMAP_CAPABILITY as follows: +# +# IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE" +# + +IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE" + +##NAME: KEYWORDS_CAPABILITY:0 +# +# IMAP_KEYWORDS=1 enables custom IMAP keywords. Set this option to 0 to +# disable custom keywords. +# +# IMAP_KEYWORDS=2 also enables custom IMAP keywords, but uses a slower +# algorithm. Use this setting if keyword-related problems occur when +# multiple IMAP clients are updating keywords on the same message. + +IMAP_KEYWORDS=1 + +##NAME: ACL_CAPABILITY:0 +# +# IMAP_ACL=1 enables IMAP ACL extension. Set this option to 0 to +# disable ACL capabilities announce. + +IMAP_ACL=1 + +##NAME: SMAP1_CAPABILITY:0 +# +# EXPERIMENTAL +# +# To enable the experimental "Simple Mail Access Protocol" extensions, +# uncomment the following setting. +# +# SMAP_CAPABILITY=SMAP1 + +##NAME: IMAP_CAPABILITY_ORIG:2 +# +# For use by webadmin + +IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE" + +##NAME: IMAP_PROXY:0 +# +# Enable proxying. See README.proxy + +IMAP_PROXY=0 + +##NAME: PROXY_HOSTNAME:0 +# +# Override value from gethostname() when checking if a proxy connection is +# required. +# +# PROXY_HOSTNAME= + +##NAME: IMAP_PROXY_FOREIGN:0 +# +# Proxying to non-Courier servers. Re-sends the CAPABILITY command after +# logging in to the remote server. May not work with all IMAP clients. + +IMAP_PROXY_FOREIGN=0 + +##NAME: IMAP_IDLE_TIMEOUT:0 +# +# This setting controls how often +# the server polls for changes to the folder, in IDLE mode (in seconds). + +IMAP_IDLE_TIMEOUT=60 + +##NAME: IMAP_MAILBOX_SANITY_CHECK:0 +# +# Sanity check -- make sure home directory and maildir's ownership matches +# the IMAP server's effective uid and gid + +IMAP_MAILBOX_SANITY_CHECK=1 + +##NAME: IMAP_CAPABILITY_TLS:0 +# +# The following setting will advertise SASL PLAIN authentication after +# STARTTLS is established. If you want to allow SASL PLAIN authentication +# with or without TLS then just comment this out, and add AUTH=PLAIN to +# IMAP_CAPABILITY + +IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN" + +##NAME: IMAP_TLS_ORIG:0 +# +# For use by webadmin + +IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN" + +##NAME: IMAP_DISABLETHREADSORT:0 +# +# Set IMAP_DISABLETHREADSORT to disable the THREAD and SORT commands - +# server side sorting and threading. +# +# Those capabilities will still be advertised, but the server will reject +# them. Set this option if you want to disable all the extra load from +# server-side threading and sorting. Not advertising those capabilities +# will simply result in the clients reading the entire folder, and sorting +# it on the client side. That will still put some load on the server. +# advertising these capabilities, but rejecting the commands, will stop this +# silliness. +# + +IMAP_DISABLETHREADSORT=0 + +##NAME: IMAP_CHECK_ALL_FOLDERS:0 +# +# Set IMAP_CHECK_ALL_FOLDERS to 1 if you want the server to check for new +# mail in every folder. Not all IMAP clients use the IMAP's new mail +# indicator, but some do. Normally new mail is checked only in INBOX, +# because it is a comparatively time consuming operation, and it would be +# a complete waste of time unless mail filters are used to deliver +# mail directly to folders. +# +# When IMAP clients are used which support new mail indication, and when +# mail filters are used to sort incoming mail into folders, setting +# IMAP_CHECK_ALL_FOLDERS to 1 will allow IMAP clients to announce new +# mail in folders. Note that this will result in slightly more load on the +# server. +# + +IMAP_CHECK_ALL_FOLDERS=0 + +##NAME: IMAP_OBSOLETE_CLIENT:0 +# +# Set IMAP_OBSOLETE_CLIENT if your IMAP client expects \\NoInferiors to mean +# what \\HasNoChildren really means. + +IMAP_OBSOLETE_CLIENT=0 + +##NAME: IMAP_UMASK:0 +# +# IMAP_UMASK sets the umask of the server process. The value of IMAP_UMASK is +# simply passed to the "umask" command. The default value is 022. +# +# This feature is mostly useful for shared folders, where the file permissions +# of the messages may be important. + +IMAP_UMASK=022 + +##NAME: IMAP_ULIMITD:0 +# +# IMAP_ULIMITD sets the maximum size of the data segment of the server +# process. The value of IMAP_ULIMITD is simply passed to the "ulimit -d" +# command (or ulimit -v). The argument to ulimi sets the upper limit on the +# size of the data segment of the server process, in kilobytes. The default +# value of 65536 sets a very generous limit of 64 megabytes, which should +# be more than plenty for anyone. +# +# This feature is used as an additional safety check that should stop +# any potential denial-of-service attacks that exploit any kind of +# a memory leak to exhaust all the available memory on the server. +# It is theoretically possible that obscenely huge folders will also +# result in the server running out of memory when doing server-side +# sorting (by my calculations you have to have at least 100,000 messages +# in a single folder, for that to happen). + +IMAP_ULIMITD=65536 + +##NAME: IMAP_USELOCKS:0 +# +# Setting IMAP_USELOCKS to 1 will use dot-locking to support concurrent +# multiple access to the same folder. This incurs slight additional +# overhead. Concurrent multiple access will still work without this setting, +# however occasionally a minor race condition may result in an IMAP client +# downloading the same message twice, or a keyword update will fail. +# +# IMAP_USELOCKS=1 is strongly recommended when shared folders are used. + +IMAP_USELOCKS=1 + +##NAME: IMAP_SHAREDINDEXFILE:0 +# +# The index of all accessible folders. Do not change this setting unless +# you know what you're doing. See README.sharedfolders for additional +# information. + +IMAP_SHAREDINDEXFILE=/etc/courier-imap/shared/index + +##NAME: IMAP_ENHANCEDIDLE:0 +# +# If Courier was compiled with the File Alteration Monitor, setting +# IMAP_ENHANCEDIDLE to 1 enables enhanced IDLE mode, where multiple +# clients may open the same folder concurrently, and receive updates to +# folder contents in realtime. See the imapd(8) man page for additional +# information. +# +# IMPORTANT: IMAP_USELOCKS *MUST* also be set to 1, and IDLE must be included +# in the IMAP_CAPABILITY list. +# + +IMAP_ENHANCEDIDLE=0 + +##NAME: IMAP_TRASHFOLDERNAME:0 +# +# The name of the magic trash Folder. For MSOE compatibility, +# you can set IMAP_TRASHFOLDERNAME="Deleted Items". +# +# IMPORTANT: If you change this, you must also change IMAP_EMPTYTRASH + +IMAP_TRASHFOLDERNAME=Trash + +##NAME: IMAP_EMPTYTRASH:0 +# +# The following setting is optional, and causes messages from the given +# folder to be automatically deleted after the given number of days. +# IMAP_EMPTYTRASH is a comma-separated list of folder:days. The default +# setting, below, purges 7 day old messages from the Trash folder. +# Another useful setting would be: +# +# IMAP_EMPTYTRASH=Trash:7,Sent:30 +# +# This would also delete messages from the Sent folder (presumably copies +# of sent mail) after 30 days. This is a global setting that is applied to +# every mail account, and is probably useful in a controlled, corporate +# environment. +# +# Important: the purging is controlled by CTIME, not MTIME (the file time +# as shown by ls). It is perfectly ordinary to see stuff in Trash that's +# a year old. That's the file modification time, MTIME, that's displayed. +# This is generally when the message was originally delivered to this +# mailbox. Purging is controlled by a different timestamp, CTIME, which is +# changed when the file is moved to the Trash folder (and at other times too). +# +# You might want to disable this setting in certain situations - it results +# in a stat() of every file in each folder, at login and logout. +# + +IMAP_EMPTYTRASH=Trash:7 + +##NAME: IMAP_MOVE_EXPUNGE_TO_TRASH:0 +# +# Set IMAP_MOVE_EXPUNGE_TO_TRASH to move expunged messages to Trash. This +# effectively allows an undo of message deletion by fishing the deleted +# mail from trash. Trash can be manually expunged as usually, and mail +# will get automatically expunged from Trash according to IMAP_EMPTYTRASH. +# +# NOTE: shared folders are still expunged as usual. Shared folders are +# not affected. +# + +IMAP_MOVE_EXPUNGE_TO_TRASH=0 + + +##NAME: OUTBOX:0 +# +# The next set of options deal with the "Outbox" enhancement. +# Uncomment the following setting to create a special folder, named +# INBOX.Outbox +# +# OUTBOX=.Outbox + +##NAME: SENDMAIL:0 +# +# If OUTBOX is defined, mail can be sent via the IMAP connection by copying +# a message to the INBOX.Outbox folder. For all practical matters, +# INBOX.Outbox looks and behaves just like any other IMAP folder. If this +# folder doesn't exist it must be created by the IMAP mail client, just +# like any other IMAP folder. The kicker: any message copied or moved to +# this folder is will be E-mailed by the Courier-IMAP server, by running +# the SENDMAIL program. Therefore, messages copied or moved to this +# folder must be well-formed RFC-2822 messages, with the recipient list +# specified in the To:, Cc:, and Bcc: headers. Courier-IMAP relies on +# SENDMAIL to read the recipient list from these headers (and delete the Bcc: +# header) by running the command "$SENDMAIL -oi -t -f $SENDER", with the +# message piped on standard input. $SENDER will be the return address +# of the message, which is set by the authentication module. +# +# DO NOT MODIFY SENDMAIL, below, unless you know what you're doing. +# + +SENDMAIL=/usr/sbin/sendmail + +##NAME: HEADERFROM:0 +# +# For administrative and oversight purposes, the return address, $SENDER +# will also be saved in the X-IMAP-Sender mail header. This header gets +# added to the sent E-mail (but it doesn't get saved in the copy of the +# message that's saved in the folder) +# +# WARNING - By enabling OUTBOX above, *every* IMAP mail client will receive +# the magic OUTBOX treatment. Therefore advance LARTing is in order for +# _all_ of your lusers, until every one of them is aware of this. Otherwise if +# OUTBOX is left at its default setting - a folder name that might be used +# accidentally - some people may be in for a rude surprise. You can redefine +# the name of the magic folder by changing OUTBOX, above. You should do that +# and pick a less-obvious name. Perhaps brand it with your organizational +# name ( OUTBOX=.WidgetsAndSonsOutbox ) + +HEADERFROM=X-IMAP-Sender + +##NAME: OUTBOX_MULTIPLE_SEND:0 +# +# Remove the following comment to allow a COPY of more than one message to +# the Outbox, at a time. +# +# OUTBOX_MULTIPLE_SEND=1 + +##NAME: IMAPDSTART:0 +# +# IMAPDSTART is not used directly. Rather, this is a convenient flag to +# be read by your system startup script in /etc/rc.d, like this: +# +# . /etc/courier-imap/imapd +# +# case x$IMAPDSTART in +# x[yY]*) +# /usr/lib64/courier-imap/imapd.rc start +# ;; +# esac +# +# The default setting is going to be NO, so you'll have to manually flip +# it to yes. + +IMAPDSTART=YES + +##NAME: MAILDIRPATH:0 +# +# MAILDIRPATH - directory name of the maildir directory. +# +MAILDIRPATH=Maildir + +# Hardwire a value for ${MAILDIR} +MAILDIR=.maildir +MAILDIRPATH=.maildir +# Put any program for ${PRERUN} here +PRERUN= +# Put any program for ${LOGINRUN} here +# this is for relay-ctrl-allow in 4* +LOGINRUN= diff --git a/config-archive/etc/courier-imap/imapd.dist b/config-archive/etc/courier-imap/imapd.dist index 8f8a010..7c20c45 100644 --- a/config-archive/etc/courier-imap/imapd.dist +++ b/config-archive/etc/courier-imap/imapd.dist @@ -1,4 +1,4 @@ -##VERSION: $Id: imapd.dist.in,v 1.41 2008/06/21 16:01:23 mrsam Exp $ +##VERSION: $Id: 2013-08-19 16:39:41 -0400 9c45d9ad13fdf439d44d7443ae75da15ea0223ed$ # # imapd created from imapd.dist by sysconftool # @@ -340,6 +340,24 @@ IMAP_EMPTYTRASH=Trash:7 IMAP_MOVE_EXPUNGE_TO_TRASH=0 +##NAME: IMAP_LOG_DELETIONS:0 +# +# +# Set IMAP_LOG_DELETIONS to log all message deletions to syslog. +# +# IMAP_LOG_DELETIONS=1 + +##NAME: IMAPDEBUGFILE:0 +# +# IMAPDEBUGFILE="imaplog.dat" +# +# Generate diagnostic logging of IMAP commands. +# +# Set this globally, restart the server. Touch this file in an account's +# maildir directory, and Courier-IMAP will append all IMAP commands received +# for new sessions for this account. NOTE: existing IMAP sessions are not +# affected, only new IMAP logins. + ##NAME: OUTBOX:0 # @@ -388,6 +406,30 @@ SENDMAIL=/usr/sbin/sendmail HEADERFROM=X-IMAP-Sender +##NAME: ID_FIELDS:0 +# +# Have the server be polite, and identify its version to the client. The client +# must be logged in before the server will identify itself. Additionally, +# the client will mutually supply its own software version, and the server will +# log it. +# +# Although the server's banner message identifies itself, in free-form manner, +# this the ID IMAP extension, for clients to log. +# +# IMAP_ID_FIELDS is the sum of the following values: +# +# 1 - identify the version of the IMAP server +# 2 - identify the operating system (if available) +# 4 - identify the operating system release (if available) +# +# A value of 0 identifies the server software only. +# +# Uncomment this setting to enable the IMAP ID extension. One reason you might +# want to enable it is to log the clients' software version. Enabling this +# setting will mutually log the client's software, in the system logs. +# +# IMAP_ID_FIELDS=0 + ##NAME: OUTBOX_MULTIPLE_SEND:0 # # Remove the following comment to allow a COPY of more than one message to diff --git a/config-archive/etc/default/grub b/config-archive/etc/default/grub new file mode 100644 index 0000000..f3be2eb --- /dev/null +++ b/config-archive/etc/default/grub @@ -0,0 +1,66 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.3 2014/09/10 14:38:39 floppym Exp $ +# +# To populate all changes in this file you need to regenerate your +# grub configuration file afterwards: +# 'grub2-mkconfig -o /boot/grub/grub.cfg' +# +# See the grub info page for documentation on possible variables and +# their associated values. + +GRUB_DISTRIBUTOR="Gentoo (Helga)" + +# Default menu entry +GRUB_DEFAULT=0 + +GRUB_HIDDEN_TIMEOUT=5 +GRUB_HIDDEN_TIMEOUT_QUIET=true +# Boot the default entry this many seconds after the menu is displayed +GRUB_TIMEOUT=10 +#GRUB_TIMEOUT_STYLE=menu + +# Append parameters to the linux kernel command line +#GRUB_CMDLINE_LINUX="" +# +# Examples: +# +# Boot with network interface renaming disabled +# GRUB_CMDLINE_LINUX="net.ifnames=0" +# +# Boot with systemd instead of sysvinit (openrc) +# GRUB_CMDLINE_LINUX="init=/usr/lib/systemd/systemd" +GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,57600n8 domdadm dolvm" + +GRUB_PRELOAD_MODULES=lvm + +# Append parameters to the linux kernel command line for non-recovery entries +#GRUB_CMDLINE_LINUX_DEFAULT="" +#GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,57600n8" + +# Uncomment to disable graphical terminal (grub-pc only) +#GRUB_TERMINAL=console +# Serial console +GRUB_TERMINAL=serial +GRUB_SERIAL_COMMAND="serial --speed=57600 --unit=0 --word=8 --parity=no --stop=1" + + +# The resolution used on graphical terminal. +# Note that you can use only modes which your graphic card supports via VBE. +# You can see them in real GRUB with the command `vbeinfo'. +#GRUB_GFXMODE=640x480 + +# Path to theme spec txt file. +# The starfield is by default provided with use truetype. +# NOTE: when enabling custom theme, ensure you have required font/etc. +#GRUB_THEME="/boot/grub/themes/starfield/theme.txt" + +# Background image used on graphical terminal. +# Can be in various bitmap formats. +#GRUB_BACKGROUND="/boot/grub/mybackground.png" + +# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel +GRUB_DISABLE_LINUX_UUID=true + +# Uncomment to disable generation of recovery mode menu entries +#GRUB_DISABLE_RECOVERY=true diff --git a/config-archive/etc/default/grub.1 b/config-archive/etc/default/grub.1 new file mode 100644 index 0000000..e810299 --- /dev/null +++ b/config-archive/etc/default/grub.1 @@ -0,0 +1,53 @@ +# Copyright 1999-2013 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-2,v 1.4 2013/09/21 18:10:55 floppym Exp $ +# +# To populate all changes in this file you need to regenerate your +# grub configuration file afterwards: +# 'grub2-mkconfig -o /boot/grub/grub.cfg' +# +# See the grub info page for documentation on possible variables and +# their associated values. + +GRUB_DISTRIBUTOR="Gentoo" + +GRUB_DEFAULT=0 +GRUB_HIDDEN_TIMEOUT=5 +GRUB_HIDDEN_TIMEOUT_QUIET=true +GRUB_TIMEOUT=10 + +# Append parameters to the linux kernel command line +GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,57600n8 domdadm dolvm" + +GRUB_PRELOAD_MODULES=lvm + +# Append parameters to the linux kernel command line for non-recovery entries +#GRUB_CMDLINE_LINUX_DEFAULT="" +#GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,57600n8" + +# Uncomment to disable graphical terminal (grub-pc only) +#GRUB_TERMINAL=console +# Serial console +GRUB_TERMINAL=serial +GRUB_SERIAL_COMMAND="serial --speed=57600 --unit=0 --word=8 --parity=no --stop=1" + + +# The resolution used on graphical terminal. +# Note that you can use only modes which your graphic card supports via VBE. +# You can see them in real GRUB with the command `vbeinfo'. +#GRUB_GFXMODE=640x480 + +# Path to theme spec txt file. +# The starfield is by default provided with use truetype. +# NOTE: when enabling custom theme, ensure you have required font/etc. +#GRUB_THEME="/boot/grub/themes/starfield/theme.txt" + +# Background image used on graphical terminal. +# Can be in various bitmap formats. +#GRUB_BACKGROUND="/boot/grub/mybackground.png" + +# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel +GRUB_DISABLE_LINUX_UUID=true + +# Uncomment to disable generation of recovery mode menu entries +#GRUB_DISABLE_RECOVERY=true diff --git a/config-archive/etc/default/grub.dist b/config-archive/etc/default/grub.dist new file mode 100644 index 0000000..f3f7e47 --- /dev/null +++ b/config-archive/etc/default/grub.dist @@ -0,0 +1,63 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.4 2014/10/16 04:04:02 floppym Exp $ +# +# To populate all changes in this file you need to regenerate your +# grub configuration file afterwards: +# 'grub2-mkconfig -o /boot/grub/grub.cfg' +# +# See the grub info page for documentation on possible variables and +# their associated values. + +GRUB_DISTRIBUTOR="Gentoo" + +# Default menu entry +#GRUB_DEFAULT=0 + +# Boot the default entry this many seconds after the menu is displayed +#GRUB_TIMEOUT=5 +#GRUB_TIMEOUT_STYLE=menu + +# Append parameters to the linux kernel command line +#GRUB_CMDLINE_LINUX="" +# +# Examples: +# +# Boot with network interface renaming disabled +# GRUB_CMDLINE_LINUX="net.ifnames=0" +# +# Boot with systemd instead of sysvinit (openrc) +# GRUB_CMDLINE_LINUX="init=/usr/lib/systemd/systemd" + +# Append parameters to the linux kernel command line for non-recovery entries +#GRUB_CMDLINE_LINUX_DEFAULT="" + +# Uncomment to disable graphical terminal (grub-pc only) +#GRUB_TERMINAL=console + +# The resolution used on graphical terminal. +# Note that you can use only modes which your graphic card supports via VBE. +# You can see them in real GRUB with the command `vbeinfo'. +#GRUB_GFXMODE=640x480 + +# Set to 'text' to force the Linux kernel to boot in normal text +# mode, 'keep' to preserve the graphics mode set using +# 'GRUB_GFXMODE', 'WIDTHxHEIGHT'['xDEPTH'] to set a particular +# graphics mode, or a sequence of these separated by commas or +# semicolons to try several modes in sequence. +#GRUB_GFXPAYLOAD_LINUX= + +# Path to theme spec txt file. +# The starfield is by default provided with use truetype. +# NOTE: when enabling custom theme, ensure you have required font/etc. +#GRUB_THEME="/boot/grub/themes/starfield/theme.txt" + +# Background image used on graphical terminal. +# Can be in various bitmap formats. +#GRUB_BACKGROUND="/boot/grub/mybackground.png" + +# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel +#GRUB_DISABLE_LINUX_UUID=true + +# Uncomment to disable generation of recovery mode menu entries +#GRUB_DISABLE_RECOVERY=true diff --git a/config-archive/etc/genkernel.conf b/config-archive/etc/genkernel.conf index 8e2dabe..91d7e74 100644 --- a/config-archive/etc/genkernel.conf +++ b/config-archive/etc/genkernel.conf @@ -96,6 +96,9 @@ MDADM_CONFIG="/etc/mdadm.conf" # Include support for unionfs #UNIONFS="1" +# Include support for zfs volume management. +#ZFS="no" + # Enable copying of firmware into initramfs #FIRMWARE="no" # Specify directory to pull from @@ -117,6 +120,10 @@ DISKLABEL="yes" # This supersedes the "SPLASH_THEME" option of /etc/conf.d/splash (in early space). #SPLASH_THEME="gentoo" +# Run the specified command in the current environment after the kernel and +# modules have been compiled, useful to rebuild external kernel module. +# use "emerge --quiet @module-rebuild" for >=portage-2.2 +#CMD_CALLBACK="" # =========Keymap Settings========= # diff --git a/config-archive/etc/genkernel.conf.1 b/config-archive/etc/genkernel.conf.1 index 3a5e217..8e2dabe 100644 --- a/config-archive/etc/genkernel.conf.1 +++ b/config-archive/etc/genkernel.conf.1 @@ -1,5 +1,4 @@ # Configuration file for genkernel -# $Id: b39a952ab3df9371a15786986e417f187396a39c $ # This file is sourced by genkernel at startup and determines which options # we will be using to compile our kernel. The order of precidence is simple, @@ -91,6 +90,9 @@ MDADM_CONFIG="/etc/mdadm.conf" # Add iSCSI support. #ISCSI="no" +# Add e2fsprogs support. +#E2FSPROGS="no" + # Include support for unionfs #UNIONFS="1" @@ -202,7 +204,7 @@ DEFAULT_KERNEL_SOURCE="/usr/src/linux" # Specifies a user created busybox config #BUSYBOX_CONFIG="/path/to/file" -BUSYBOX_VER="1.20.1" +BUSYBOX_VER="1.20.2" BUSYBOX_SRCTAR="${DISTDIR}/busybox-${BUSYBOX_VER}.tar.bz2" BUSYBOX_DIR="busybox-${BUSYBOX_VER}" BUSYBOX_BINCACHE="%%CACHE%%/busybox-${BUSYBOX_VER}-%%ARCH%%.tar.bz2" @@ -223,7 +225,7 @@ MDADM_DIR="mdadm-${MDADM_VER}" MDADM_SRCTAR="${DISTDIR}/mdadm-${MDADM_VER}.tar.bz2" MDADM_BINCACHE="%%CACHE%%/mdadm-${MDADM_VER}-%%ARCH%%.tar.bz2" -DMRAID_VER="1.0.0.rc14" +DMRAID_VER="1.0.0.rc16-3" DMRAID_DIR="dmraid/${DMRAID_VER}" DMRAID_SRCTAR="${DISTDIR}/dmraid-${DMRAID_VER}.tar.bz2" DMRAID_BINCACHE="%%CACHE%%/dmraid-${DMRAID_VER}-%%ARCH%%.tar.bz2" @@ -320,6 +322,14 @@ GPG_BINCACHE="%%CACHE%%/gnupg-${GPG_VER}-%%ARCH%%.bz2" #INTEGRATED_INITRAMFS="1" +# Compress generated initramfs +#COMPRESS_INITRD="yes" +# Types of compression: best, xz, lzma, bzip2, gzip, lzop, fastest +# "best" selects the best available compression method +# "fastest" selects the fastest available compression method +#COMPRESS_INITRD_TYPE="best" + + # Create a self-contained env in the initramfs #NETBOOT="1" diff --git a/config-archive/etc/genkernel.conf.2 b/config-archive/etc/genkernel.conf.2 new file mode 100644 index 0000000..3a5e217 --- /dev/null +++ b/config-archive/etc/genkernel.conf.2 @@ -0,0 +1,330 @@ +# Configuration file for genkernel +# $Id: b39a952ab3df9371a15786986e417f187396a39c $ + +# This file is sourced by genkernel at startup and determines which options +# we will be using to compile our kernel. The order of precidence is simple, +# with the internal settings being least important, configuration file +# settings next, and command line options being most important. + +# =========Common Command Line Option Defaults========= + +# Should we install to $BOOTDIR? Default is "no" because genkernel is used in +# catalyst and stage building. +#INSTALL="yes" + +# Run 'make oldconfig' before compiling this kernel? +OLDCONFIG="yes" + +# Run 'make menuconfig' before compiling this kernel? +MENUCONFIG="no" + +# Run 'make clean' before compilation? +# If set to NO, implies MRPROPER WILL NOT be run +# Also, if clean is NO, it won't copy over any configuration +# file, it will use what's there. +CLEAN="yes" + +# Run 'make mrproper' before configuration/compilation? +MRPROPER="yes" + +# Override the arch detection? +#ARCH_OVERRIDE="x86" + +# Mount BOOTDIR automatically if it isn't mounted? +MOUNTBOOT="yes" + +# Make symlinks in BOOTDIR automatically? +#SYMLINK="no" + +# Save the new configuration in /etc/kernels upon +# successfull compilation +SAVE_CONFIG="yes" + +# Use Color output in Genkernel? +USECOLOR="yes" + +# Clear build cache dir +#CLEAR_CACHE_DIR="yes" + +# Clear all tmp files and caches after genkernel has run +#POSTCLEAR="1" + +# Genkernel uses an independent configuration for MAKEOPTS, and does not source +# /etc/make.conf . You can override the default setting by uncommenting and +# tweaking the following line. Default setting is set up by +# ${GK_SHARE}/${ARCH_OVERRIDE}/config.sh . The recommended value for -j +# argument is: *+1 +#MAKEOPTS="-j2" + +# Add in LVM support from static binaries if they exist on the system, or +# compile static LVM binaries if static ones do not exist. +#LVM="no" +LVM="yes" + +# Add in Luks support. Needs sys-fs/cryptsetup with -dynamic installed. +#LUKS="no" + +# Add in GnuPG support +#GPG="no" + +# Add DMRAID support. +#DMRAID="no" + +# Include (or suppresses the inclusion of) busybox in the initrd or initramfs. +# If included, busybox is rebuilt if the cached copy is out of date. +#BUSYBOX="yes" + +# Includes mdadm/mdmon binaries in initramfs. +# Without sys-fs/mdadm[static] installed, this will build a static mdadm. +#MDADM="no" +MDADM="yes" + +# Specify a custom mdadm.conf. +# By default the ramdisk will be built *without* an mdadm.conf and will auto-detect +# arrays during bootup. Usually, this should not be needed. +#MDADM_CONFIG="/etc/mdadm.conf" +MDADM_CONFIG="/etc/mdadm.conf" + +# Add Multipath support. +#MULTIPATH="no" + +# Add iSCSI support. +#ISCSI="no" + +# Include support for unionfs +#UNIONFS="1" + +# Enable copying of firmware into initramfs +#FIRMWARE="no" +# Specify directory to pull from +#FIRMWARE_DIR="/lib/firmware" +# Specify specific firmware files to include. This overrides FIRMWARE_DIR +#FIRMWARE_FILES="" + +# Enable disklabel support (copies blkid to initrd) +DISKLABEL="yes" + +# Add new kernel to grub? +#BOOTLOADER="grub" + +# Enable splashutils in early space (initrd). Default is "no". +#SPLASH="yes" + +# Use this splash theme. If commented out - the "default" name theme is used. +# Also, SPLASH="yes" needs to be enabled for this one to one work. +# This supersedes the "SPLASH_THEME" option of /etc/conf.d/splash (in early space). +#SPLASH_THEME="gentoo" + + +# =========Keymap Settings========= +# +# Force keymap selection at boot +#DOKEYMAPAUTO="yes" + + +# Disables keymap selection support +#KEYMAP="0" + + +# =========Low Level Compile Settings========= +# +# GNU Make to use for kernel. See also the --kernel-make command line option. +#KERNEL_MAKE="make" + +# Compiler to use for the kernel (e.g. distcc). See also the --kernel-cc +# command line option. +#KERNEL_CC="gcc" + +# Assembler to use for the kernel. See also the --kernel-as command line +# option. +#KERNEL_AS="as" + +# Linker to use for the kernel. See also the --kernel-ld command line option. +#KERNEL_LD="ld" + +# GNU Make to use for the utilities. See also the --utils-make command line +# option. +#UTILS_MAKE="make" + +# Compiler to use for the utilities (e.g. distcc). See also the --utils-cc +# command line option. +#UTILS_CC="gcc" + +# Assembler to use for the utilities. See also the --utils-as command line +# option. +#UTILS_AS="as" + +# Linker to use for the utilities. See also the --utils-ld command line +# option. +#UTILS_LD="ld" + + +# Common prefix of cros compile commands +#UTILS_CROSS_COMPILE="x86_64-pc-linux-gnu" + + +# Value of CROSS_COMPILE utils variable +# during kernel compilation +#KERNEL_CROSS_COMPILE="x86_64-pc-linux-gnu" + + +# =========GENKERNEL LOCATION CONFIGURATION============ +# Variables: +# %%ARCH%% - Final determined architecture +# %%CACHE%% - Final determined cache location + +# Set genkernel's temporary work directory. Default is /var/tmp/genkernel +#TMPDIR="/var/tmp/genkernel" + +# Set the boot directory, default is /boot +#BOOTDIR="/boot" + +# Default share directory location +GK_SHARE="${GK_SHARE:-/usr/share/genkernel}" + +# Location of the default cache +CACHE_DIR="/var/cache/genkernel" +# Location of DISTDIR, where our source tarballs are stored +DISTDIR="${CACHE_DIR}/src" +# Log output file +LOGFILE="/var/log/genkernel.log" +# Debug Level +LOGLEVEL=1 + +# =========COMPILED UTILS CONFIGURATION============ +# +# Default location of kernel source +DEFAULT_KERNEL_SOURCE="/usr/src/linux" +# Default kernel config (only use to override using +# arch/%%ARCH%%/kernel-config-${VER}.${PAT} !) +#DEFAULT_KERNEL_CONFIG="${GK_SHARE}/arch/%%ARCH%%/kernel-config" + +# Specifies a user created busybox config +#BUSYBOX_CONFIG="/path/to/file" + +BUSYBOX_VER="1.20.1" +BUSYBOX_SRCTAR="${DISTDIR}/busybox-${BUSYBOX_VER}.tar.bz2" +BUSYBOX_DIR="busybox-${BUSYBOX_VER}" +BUSYBOX_BINCACHE="%%CACHE%%/busybox-${BUSYBOX_VER}-%%ARCH%%.tar.bz2" +#BUSYBOX_APPLETS="[ ash sh mount uname echo cut cat" + +DEVICE_MAPPER_VER="1.02.22" +DEVICE_MAPPER_DIR="device-mapper.${DEVICE_MAPPER_VER}" +DEVICE_MAPPER_SRCTAR="${DISTDIR}/device-mapper.${DEVICE_MAPPER_VER}.tgz" +DEVICE_MAPPER_BINCACHE="%%CACHE%%/device-mapper-${DEVICE_MAPPER_VER}-%%ARCH%%.tar.bz2" + +LVM_VER="2.02.88" +LVM_DIR="LVM2.${LVM_VER}" +LVM_SRCTAR="${DISTDIR}/LVM2.${LVM_VER}.tgz" +LVM_BINCACHE="%%CACHE%%/LVM2.${LVM_VER}-%%ARCH%%.tar.bz2" + +MDADM_VER="3.1.5" +MDADM_DIR="mdadm-${MDADM_VER}" +MDADM_SRCTAR="${DISTDIR}/mdadm-${MDADM_VER}.tar.bz2" +MDADM_BINCACHE="%%CACHE%%/mdadm-${MDADM_VER}-%%ARCH%%.tar.bz2" + +DMRAID_VER="1.0.0.rc14" +DMRAID_DIR="dmraid/${DMRAID_VER}" +DMRAID_SRCTAR="${DISTDIR}/dmraid-${DMRAID_VER}.tar.bz2" +DMRAID_BINCACHE="%%CACHE%%/dmraid-${DMRAID_VER}-%%ARCH%%.tar.bz2" + +ISCSI_VER="2.0-872" +ISCSI_DIR="open-iscsi-${ISCSI_VER}" +ISCSI_SRCTAR="${DISTDIR}/open-iscsi-${ISCSI_VER}.tar.gz" +ISCSI_BINCACHE="%%CACHE%%/iscsi-${ISCSI_VER}-%%ARCH%%.bz2" + +E2FSPROGS_VER="1.42" +E2FSPROGS_DIR="e2fsprogs-${E2FSPROGS_VER}" +E2FSPROGS_SRCTAR="${DISTDIR}/e2fsprogs-${E2FSPROGS_VER}.tar.gz" +BLKID_BINCACHE="%%CACHE%%/blkid-${E2FSPROGS_VER}-%%ARCH%%.bz2" + +FUSE_VER="2.8.6" +FUSE_DIR="fuse-${FUSE_VER}" +FUSE_SRCTAR="${DISTDIR}/fuse-${FUSE_VER}.tar.gz" +FUSE_BINCACHE="%%CACHE%%/fuse-${FUSE_VER}-%%ARCH%%.tar.bz2" + +UNIONFS_FUSE_VER="0.24" +UNIONFS_FUSE_DIR="unionfs-fuse-${UNIONFS_FUSE_VER}" +UNIONFS_FUSE_SRCTAR="${DISTDIR}/unionfs-fuse-${UNIONFS_FUSE_VER}.tar.bz2" +UNIONFS_FUSE_BINCACHE="%%CACHE%%/unionfs-fuse-${UNIONFS_FUSE_VER}-%%ARCH%%.bz2" + +GPG_VER="1.4.11" +GPG_DIR="gnupg-${GPG_VER}" +GPG_SRCTAR="${DISTDIR}/gnupg-${GPG_VER}.tar.bz2" +GPG_BINCACHE="%%CACHE%%/gnupg-${GPG_VER}-%%ARCH%%.bz2" + + +# =========MISC KERNEL CONFIGURATION============ +# +# Tag the kernel and ramdisk with a name: +# If not defined the option defaults to +# 'genkernel' +#KNAME="genkernel" + + +# This option is only valid if kerncache is +# defined. If there is a valid kerncache no checks +# will be made against a kernel source tree +#KERNEL_SOURCES="0" + + +# Build a static (monolithic kernel) +#BUILD_STATIC="1" + + +# Make and install kernelz image (PowerPC) +#GENZIMAGE="1" + + +# File to output a .tar.bz2'd kernel contents +# of /lib/modules/ and the kernel config +# NOTE: This is created before the callbacks +# are run! +#KERNCACHE="/path/to/file" + + +# Prefix to kernel module destination, modules +# will be installed in /lib/modules +# (.conf equivalent of --module-prefix=) +#INSTALL_MOD_PATH="" + + +# =========MISC INITRD CONFIGURATION============ +# +# Copy all kernel modules to the ramdisk +#ALLRAMDISKMODULES="1" + + +# Don't copy any modules to the ramdisk +#RAMDISKMODULES="0" + + +# File to output a .tar.bz2'd kernel and ramdisk: +# No modules outside of the ramdisk will be +# included... +#MINKERNPACKAGE="/path/to/file.bz2" + + +# File to output a .tar.bz2'd modules after the +# callbacks have run +#MODULESPACKAGE="/path/to/file.bz2" + + +# Directory structure to include in the initramfs, +# only available on >=2.6 kernels +#INITRAMFS_OVERLAY="" + + +# Build the generated initramfs into the kernel instead of +# keeping it as a separate file +#INTEGRATED_INITRAMFS="1" + + +# Create a self-contained env in the initramfs +#NETBOOT="1" + + +# =========MISC BOOT CONFIGURATION============ +# +# Specify a default for real_root= +#REAL_ROOT="/dev/one/two/gentoo" diff --git a/config-archive/etc/genkernel.conf.dist b/config-archive/etc/genkernel.conf.dist index 09a7fcc..ad5750e 100644 --- a/config-archive/etc/genkernel.conf.dist +++ b/config-archive/etc/genkernel.conf.dist @@ -191,7 +191,7 @@ GK_SHARE="${GK_SHARE:-/usr/share/genkernel}" # Location of the default cache CACHE_DIR="/var/cache/genkernel" # Location of DISTDIR, where our source tarballs are stored -DISTDIR="${CACHE_DIR}/src" +DISTDIR="${GK_SHARE}/distfiles" # Log output file LOGFILE="/var/log/genkernel.log" # Debug Level diff --git a/config-archive/etc/logrotate.d/ulogd.dist.new b/config-archive/etc/logrotate.d/ulogd.dist.new index 5e43711..787f49b 100644 --- a/config-archive/etc/logrotate.d/ulogd.dist.new +++ b/config-archive/etc/logrotate.d/ulogd.dist.new @@ -1,15 +1,6 @@ -/var/log/ulogd/ulogd.log { - notifempty - size 1M - create 0640 ulogd - postrotate - /etc/init.d/ulogd reopen_logs > /dev/null - endscript -} - -/var/log/ulogd/ulogd_syslogemu.log { - rotate 12 - size 5M +/var/log/ulogd/ulogd.log /var/log/ulogd/ulogd_syslogemu.log { + sharedscripts + missingok notifempty create 0640 ulogd postrotate diff --git a/config-archive/etc/mysql/my.cnf b/config-archive/etc/mysql/my.cnf index 8cd84f0..0fedcb4 100644 --- a/config-archive/etc/mysql/my.cnf +++ b/config-archive/etc/mysql/my.cnf @@ -45,7 +45,6 @@ err-log = /var/log/mysql/mysql.err # add a section [mysqld-4.1] or [mysqld-5.0] for specific configurations [mysqld] character-set-server = utf8 -#default-character-set = utf8 user = mysql port = 3306 socket = /var/run/mysqld/mysqld.sock diff --git a/config-archive/etc/mysql/my.cnf.1 b/config-archive/etc/mysql/my.cnf.1 new file mode 100644 index 0000000..8cd84f0 --- /dev/null +++ b/config-archive/etc/mysql/my.cnf.1 @@ -0,0 +1,160 @@ +# /etc/mysql/my.cnf: The global mysql configuration file. +# $Header: /etc/mysql/.rcs/my.cnf,v 1.5 2010/11/30 08:33:13 root Exp $ + +# The following options will be passed to all MySQL clients +[client] +#password = your_password +port = 3306 +socket = /var/run/mysqld/mysqld.sock + +[mysql] +character-sets-dir=/usr/share/mysql/charsets +default-character-set=utf8 +prompt=MySQL \u@\h:\d >\_ + +[mysqladmin] +character-sets-dir=/usr/share/mysql/charsets +default-character-set=utf8 + +[mysqlcheck] +character-sets-dir=/usr/share/mysql/charsets +default-character-set=utf8 + +[mysqldump] +character-sets-dir=/usr/share/mysql/charsets +default-character-set=utf8 + +[mysqlimport] +character-sets-dir=/usr/share/mysql/charsets +default-character-set=utf8 + +[mysqlshow] +character-sets-dir=/usr/share/mysql/charsets +default-character-set=utf8 + +[myisamchk] +character-sets-dir=/usr/share/mysql/charsets + +[myisampack] +character-sets-dir=/usr/share/mysql/charsets + +# use [safe_mysqld] with mysql-3 +[mysqld_safe] +err-log = /var/log/mysql/mysql.err + +# add a section [mysqld-4.1] or [mysqld-5.0] for specific configurations +[mysqld] +character-set-server = utf8 +#default-character-set = utf8 +user = mysql +port = 3306 +socket = /var/run/mysqld/mysqld.sock +pid-file = /var/run/mysqld/mysqld.pid +log-error = /var/log/mysql/mysqld.err +basedir = /usr +datadir = /var/lib/mysql +skip-external-locking +key_buffer = 32M +max_allowed_packet = 4M +table_cache = 64 +sort_buffer_size = 2M +net_buffer_length = 8K +read_buffer_size = 2M +read_rnd_buffer_size = 4M +myisam_sort_buffer_size = 32M +#language = /usr/share/mysql/english +language = /usr/share/mysql/german + +# security: +# using "localhost" in connects uses sockets by default +# skip-networking +#bind-address = 127.0.0.1 + +#log-bin = helga-mysql-bin +server-id = 2 + +#auto_increment_increment = 2 +#auto_increment_offset = 2 + +#master-host = sarah.brehm-online.com +#master-port = 3306 +#master-user = replication +#master-password = uhu +#master-connect-retry = 60 +#report-host = helga.brehm-online.com + +# point the following paths to different dedicated disks +tmpdir = /tmp/ +#log-update = /path-to-dedicated-directory/hostname + +# you need the debug USE flag enabled to use the following directives, +# if needed, uncomment them, start the server and issue +# #tail -f /tmp/mysqld.sql /tmp/mysqld.trace +# this will show you *exactly* what's happening in your server ;) + +#log = /tmp/mysqld.sql +#gdb +#debug = d:t:i:o,/tmp/mysqld.trace +#one-thread + +# uncomment the following directives if you are using BDB tables +#bdb_cache_size = 4M +#bdb_max_lock = 10000 + +# the following is the InnoDB configuration +# if you wish to disable innodb instead +# uncomment just the next line +#skip-innodb +# +# the rest of the innodb config follows: +# don't eat too much memory, we're trying to be safe on 64Mb boxes +# you might want to bump this up a bit on boxes with more RAM +innodb_buffer_pool_size = 64M +# this is the default, increase it if you have lots of tables +innodb_additional_mem_pool_size = 4M +# +# i'd like to use /var/lib/mysql/innodb, but that is seen as a database :-( +# and upstream wants things to be under /var/lib/mysql/, so that's the route +# we have to take for the moment +#innodb_data_home_dir = /var/lib/mysql/ +#innodb_log_arch_dir = /var/lib/mysql/ +#innodb_log_group_home_dir = /var/lib/mysql/ +# you may wish to change this size to be more suitable for your system +# the max is there to avoid run-away growth on your machine +innodb_data_file_path = ibdata1:10M:autoextend:max:128M +# we keep this at around 25% of of innodb_buffer_pool_size +# sensible values range from 1MB to (1/innodb_log_files_in_group*innodb_buffer_pool_size) +innodb_log_file_size = 5M +# this is the default, increase it if you have very large transactions going on +innodb_log_buffer_size = 8M +# this is the default and won't hurt you +# you shouldn't need to tweak it +innodb_log_files_in_group=2 +# see the innodb config docs, the other options are not always safe +innodb_flush_log_at_trx_commit = 1 +innodb_lock_wait_timeout = 50 +innodb_file_per_table +sync_binlog = 1 + +[mysqldump] +quick +max_allowed_packet = 64M + +[mysql] +# uncomment the next directive if you are not familiar with SQL +#safe-updates + +[isamchk] +key_buffer = 20M +sort_buffer_size = 20M +read_buffer = 2M +write_buffer = 2M + +[myisamchk] +key_buffer = 40M +sort_buffer_size = 40M +read_buffer = 4M +write_buffer = 4M + +[mysqlhotcopy] +interactive-timeout diff --git a/config-archive/etc/mysql/my.cnf.dist.new b/config-archive/etc/mysql/my.cnf.dist.new index 833d8ae..4829b67 100644 --- a/config-archive/etc/mysql/my.cnf.dist.new +++ b/config-archive/etc/mysql/my.cnf.dist.new @@ -1,5 +1,5 @@ # /etc/mysql/my.cnf: The global mysql configuration file. -# $Header: /var/cvsroot/gentoo-x86/dev-db/mysql/files/my.cnf-5.1,v 1.4 2013/01/20 02:40:02 robbat2 Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-db/mysql/files/my.cnf-5.5,v 1.4 2014/08/28 14:06:54 grknight Exp $ # The following options will be passed to all MySQL clients [client] @@ -52,7 +52,7 @@ log-error = /var/log/mysql/mysqld.err basedir = /usr datadir = /var/lib/mysql skip-external-locking -key_buffer = 16M +key_buffer_size = 16M max_allowed_packet = 1M table_open_cache = 64 sort_buffer_size = 512K @@ -60,7 +60,9 @@ net_buffer_length = 8K read_buffer_size = 256K read_rnd_buffer_size = 512K myisam_sort_buffer_size = 8M -language = /usr/share/mysql/english +lc_messages_dir = /usr/share/mysql +#Set this to your desired error message language +lc_messages = en_US # security: # using "localhost" in connects uses sockets by default @@ -84,10 +86,6 @@ tmpdir = /tmp/ #debug = d:t:i:o,/tmp/mysqld.trace #one-thread -# uncomment the following directives if you are using BDB tables -#bdb_cache_size = 4M -#bdb_max_lock = 10000 - # the following is the InnoDB configuration # if you wish to disable innodb instead # uncomment just the next line @@ -122,6 +120,10 @@ innodb_flush_log_at_trx_commit = 1 innodb_lock_wait_timeout = 50 innodb_file_per_table +# Uncomment this to get FEDERATED engine support +#plugin-load=federated=ha_federated.so +#loose-federated + [mysqldump] quick max_allowed_packet = 16M @@ -131,16 +133,17 @@ max_allowed_packet = 16M #safe-updates [isamchk] -key_buffer = 20M +key_buffer_size = 20M sort_buffer_size = 20M read_buffer = 2M write_buffer = 2M [myisamchk] -key_buffer = 20M +key_buffer_size = 20M sort_buffer_size = 20M -read_buffer = 2M -write_buffer = 2M +read_buffer_size = 2M +write_buffer_size = 2M [mysqlhotcopy] interactive-timeout + diff --git a/config-archive/etc/php/apache2-php5.4/php.ini b/config-archive/etc/php/apache2-php5.4/php.ini index e16e49f..65899d9 100644 --- a/config-archive/etc/php/apache2-php5.4/php.ini +++ b/config-archive/etc/php/apache2-php5.4/php.ini @@ -138,16 +138,6 @@ ; Development Value: "GP" ; Production Value: "GP" -; session.bug_compat_42 -; Default Value: On -; Development Value: On -; Production Value: Off - -; session.bug_compat_warn -; Default Value: On -; Development Value: On -; Production Value: Off - ; session.gc_divisor ; Default Value: 100 ; Development Value: 1000 @@ -1476,31 +1466,6 @@ session.gc_maxlifetime = 1440 ; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes): ; find /path/to/sessions -cmin +24 -type f | xargs rm -; PHP 4.2 and less have an undocumented feature/bug that allows you to -; to initialize a session variable in the global scope. -; PHP 4.3 and later will warn you, if this feature is used. -; You can disable the feature and the warning separately. At this time, -; the warning is only displayed, if bug_compat_42 is enabled. This feature -; introduces some serious security problems if not handled correctly. It's -; recommended that you do not use this feature on production servers. But you -; should enable this on development servers and enable the warning as well. If you -; do not enable the feature on development servers, you won't be warned when it's -; used and debugging errors caused by this can be difficult to track down. -; Default Value: On -; Development Value: On -; Production Value: Off -; http://php.net/session.bug-compat-42 -session.bug_compat_42 = On - -; This setting controls whether or not you are warned by PHP when initializing a -; session value into the global space. session.bug_compat_42 must be enabled before -; these warnings can be issued by PHP. See the directive above for more information. -; Default Value: On -; Development Value: On -; Production Value: Off -; http://php.net/session.bug-compat-warn -session.bug_compat_warn = On - ; Check HTTP Referer to invalidate externally stored URLs containing ids. ; HTTP_REFERER has to contain this substring for the session to be ; considered as valid. diff --git a/config-archive/etc/php/apache2-php5.4/php.ini.1 b/config-archive/etc/php/apache2-php5.4/php.ini.1 index ebb804a..e16e49f 100644 --- a/config-archive/etc/php/apache2-php5.4/php.ini.1 +++ b/config-archive/etc/php/apache2-php5.4/php.ini.1 @@ -83,6 +83,8 @@ ; development version only in development environments as errors shown to ; application users can inadvertently leak otherwise secure information. +; This is php.ini-development INI file. + ;;;;;;;;;;;;;;;;;;; ; Quick Reference ; ;;;;;;;;;;;;;;;;;;; @@ -197,13 +199,12 @@ engine = On ; This directive determines whether or not PHP will recognize code between -; tags as PHP source which should be processed as such. It's been -; recommended for several years that you not use the short tag "short cut" and -; instead to use the full tag combination. With the wide spread use -; of XML and use of these tags by other languages, the server can become easily -; confused and end up parsing the wrong code in the wrong context. But because -; this short cut has been a feature for such a long time, it's currently still -; supported for backwards compatibility, but we recommend you don't use them. +; tags as PHP source which should be processed as such. It is +; generally recommended that should be used and that this feature +; should be disabled, as enabling it may result in issues when generating XML +; documents, however this remains supported for backward compatibility reasons. +; Note that this directive does not control the tags as PHP source which should be processed as such. It's been +; recommended for several years that you not use the short tag "short cut" and +; instead to use the full tag combination. With the wide spread use +; of XML and use of these tags by other languages, the server can become easily +; confused and end up parsing the wrong code in the wrong context. But because +; this short cut has been a feature for such a long time, it's currently still +; supported for backwards compatibility, but we recommend you don't use them. +; Default Value: On +; Development Value: Off +; Production Value: Off +; http://php.net/short-open-tag +short_open_tag = Off + +; Allow ASP-style <% %> tags. +; http://php.net/asp-tags +asp_tags = Off + +; The number of significant digits displayed in floating point numbers. +; http://php.net/precision +precision = 14 + +; Output buffering is a mechanism for controlling how much output data +; (excluding headers and cookies) PHP should keep internally before pushing that +; data to the client. If your application's output exceeds this setting, PHP +; will send that data in chunks of roughly the size you specify. +; Turning on this setting and managing its maximum buffer size can yield some +; interesting side-effects depending on your application and web server. +; You may be able to send headers and cookies after you've already sent output +; through print or echo. You also may see performance benefits if your server is +; emitting less packets due to buffered output versus PHP streaming the output +; as it gets it. On production servers, 4096 bytes is a good setting for performance +; reasons. +; Note: Output buffering can also be controlled via Output Buffering Control +; functions. +; Possible Values: +; On = Enabled and buffer is unlimited. (Use with caution) +; Off = Disabled +; Integer = Enables the buffer and sets its maximum size in bytes. +; Note: This directive is hardcoded to Off for the CLI SAPI +; Default Value: Off +; Development Value: 4096 +; Production Value: 4096 +; http://php.net/output-buffering +output_buffering = 4096 + +; You can redirect all of the output of your scripts to a function. For +; example, if you set output_handler to "mb_output_handler", character +; encoding will be transparently converted to the specified encoding. +; Setting any output handler automatically turns on output buffering. +; Note: People who wrote portable scripts should not depend on this ini +; directive. Instead, explicitly set the output handler using ob_start(). +; Using this ini directive may cause problems unless you know what script +; is doing. +; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler" +; and you cannot use both "ob_gzhandler" and "zlib.output_compression". +; Note: output_handler must be empty if this is set 'On' !!!! +; Instead you must use zlib.output_handler. +; http://php.net/output-handler +;output_handler = + +; Transparent output compression using the zlib library +; Valid values for this option are 'off', 'on', or a specific buffer size +; to be used for compression (default is 4KB) +; Note: Resulting chunk size may vary due to nature of compression. PHP +; outputs chunks that are few hundreds bytes each as a result of +; compression. If you prefer a larger chunk size for better +; performance, enable output_buffering in addition. +; Note: You need to use zlib.output_handler instead of the standard +; output_handler, or otherwise the output will be corrupted. +; http://php.net/zlib.output-compression +zlib.output_compression = Off + +; http://php.net/zlib.output-compression-level +;zlib.output_compression_level = -1 + +; You cannot specify additional output handlers if zlib.output_compression +; is activated here. This setting does the same as output_handler but in +; a different order. +; http://php.net/zlib.output-handler +;zlib.output_handler = + +; Implicit flush tells PHP to tell the output layer to flush itself +; automatically after every output block. This is equivalent to calling the +; PHP function flush() after each and every call to print() or echo() and each +; and every HTML block. Turning this option on has serious performance +; implications and is generally recommended for debugging purposes only. +; http://php.net/implicit-flush +; Note: This directive is hardcoded to On for the CLI SAPI +implicit_flush = Off + +; The unserialize callback function will be called (with the undefined class' +; name as parameter), if the unserializer finds an undefined class +; which should be instantiated. A warning appears if the specified function is +; not defined, or if the function doesn't include/implement the missing class. +; So only set this entry, if you really want to implement such a +; callback-function. +unserialize_callback_func = + +; When floats & doubles are serialized store serialize_precision significant +; digits after the floating point. The default value ensures that when floats +; are decoded with unserialize, the data will remain the same. +serialize_precision = 17 + +; open_basedir, if set, limits all file operations to the defined directory +; and below. This directive makes most sense if used in a per-directory +; or per-virtualhost web server configuration file. This directive is +; *NOT* affected by whether Safe Mode is turned On or Off. +; http://php.net/open-basedir +;open_basedir = + +; This directive allows you to disable certain functions for security reasons. +; It receives a comma-delimited list of function names. This directive is +; *NOT* affected by whether Safe Mode is turned On or Off. +; http://php.net/disable-functions +disable_functions = + +; This directive allows you to disable certain classes for security reasons. +; It receives a comma-delimited list of class names. This directive is +; *NOT* affected by whether Safe Mode is turned On or Off. +; http://php.net/disable-classes +disable_classes = + +; Colors for Syntax Highlighting mode. Anything that's acceptable in +; would work. +; http://php.net/syntax-highlighting +;highlight.string = #DD0000 +;highlight.comment = #FF9900 +;highlight.keyword = #007700 +;highlight.default = #0000BB +;highlight.html = #000000 + +; If enabled, the request will be allowed to complete even if the user aborts +; the request. Consider enabling it if executing long requests, which may end up +; being interrupted by the user or a browser timing out. PHP's default behavior +; is to disable this feature. +; http://php.net/ignore-user-abort +;ignore_user_abort = On + +; Determines the size of the realpath cache to be used by PHP. This value should +; be increased on systems where PHP opens many files to reflect the quantity of +; the file operations performed. +; http://php.net/realpath-cache-size +;realpath_cache_size = 16k + +; Duration of time, in seconds for which to cache realpath information for a given +; file or directory. For systems with rarely changing files, consider increasing this +; value. +; http://php.net/realpath-cache-ttl +;realpath_cache_ttl = 120 + +; Enables or disables the circular reference collector. +; http://php.net/zend.enable-gc +zend.enable_gc = On + +; If enabled, scripts may be written in encodings that are incompatible with +; the scanner. CP936, Big5, CP949 and Shift_JIS are the examples of such +; encodings. To use this feature, mbstring extension must be enabled. +; Default: Off +;zend.multibyte = Off + +; Allows to set the default encoding for the scripts. This value will be used +; unless "declare(encoding=...)" directive appears at the top of the script. +; Only affects if zend.multibyte is set. +; Default: "" +;zend.script_encoding = + +;;;;;;;;;;;;;;;;; +; Miscellaneous ; +;;;;;;;;;;;;;;;;; + +; Decides whether PHP may expose the fact that it is installed on the server +; (e.g. by adding its signature to the Web server header). It is no security +; threat in any way, but it makes it possible to determine whether you use PHP +; on your server or not. +; http://php.net/expose-php +expose_php = On + +;;;;;;;;;;;;;;;;;;; +; Resource Limits ; +;;;;;;;;;;;;;;;;;;; + +; Maximum execution time of each script, in seconds +; http://php.net/max-execution-time +; Note: This directive is hardcoded to 0 for the CLI SAPI +max_execution_time = 30 + +; Maximum amount of time each script may spend parsing request data. It's a good +; idea to limit this time on productions servers in order to eliminate unexpectedly +; long running scripts. +; Note: This directive is hardcoded to -1 for the CLI SAPI +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) +; http://php.net/max-input-time +max_input_time = 60 + +; Maximum input variable nesting level +; http://php.net/max-input-nesting-level +;max_input_nesting_level = 64 + +; How many GET/POST/COOKIE input variables may be accepted +; max_input_vars = 1000 + +; Maximum amount of memory a script may consume (128MB) +; http://php.net/memory-limit +memory_limit = 128M + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Error handling and logging ; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +; This directive informs PHP of which errors, warnings and notices you would like +; it to take action for. The recommended way of setting values for this +; directive is through the use of the error level constants and bitwise +; operators. The error level constants are below here for convenience as well as +; some common settings and their meanings. +; By default, PHP is set to take action on all errors, notices and warnings EXCEPT +; those related to E_NOTICE and E_STRICT, which together cover best practices and +; recommended coding standards in PHP. For performance reasons, this is the +; recommend error reporting setting. Your production server shouldn't be wasting +; resources complaining about best practices and coding standards. That's what +; development servers and development settings are for. +; Note: The php.ini-development file has this setting as E_ALL. This +; means it pretty much reports everything which is exactly what you want during +; development and early testing. +; +; Error Level Constants: +; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0) +; E_ERROR - fatal run-time errors +; E_RECOVERABLE_ERROR - almost fatal run-time errors +; E_WARNING - run-time warnings (non-fatal errors) +; E_PARSE - compile-time parse errors +; E_NOTICE - run-time notices (these are warnings which often result +; from a bug in your code, but it's possible that it was +; intentional (e.g., using an uninitialized variable and +; relying on the fact it's automatically initialized to an +; empty string) +; E_STRICT - run-time notices, enable to have PHP suggest changes +; to your code which will ensure the best interoperability +; and forward compatibility of your code +; E_CORE_ERROR - fatal errors that occur during PHP's initial startup +; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's +; initial startup +; E_COMPILE_ERROR - fatal compile-time errors +; E_COMPILE_WARNING - compile-time warnings (non-fatal errors) +; E_USER_ERROR - user-generated error message +; E_USER_WARNING - user-generated warning message +; E_USER_NOTICE - user-generated notice message +; E_DEPRECATED - warn about code that will not work in future versions +; of PHP +; E_USER_DEPRECATED - user-generated deprecation warnings +; +; Common Values: +; E_ALL (Show all errors, warnings and notices including coding standards.) +; E_ALL & ~E_NOTICE (Show all errors, except for notices) +; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.) +; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors) +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT +; http://php.net/error-reporting +error_reporting = E_ALL + +; This directive controls whether or not and where PHP will output errors, +; notices and warnings too. Error output is very useful during development, but +; it could be very dangerous in production environments. Depending on the code +; which is triggering the error, sensitive information could potentially leak +; out of your application such as database usernames and passwords or worse. +; It's recommended that errors be logged on production servers rather than +; having the errors sent to STDOUT. +; Possible Values: +; Off = Do not display any errors +; stderr = Display errors to STDERR (affects only CGI/CLI binaries!) +; On or stdout = Display errors to STDOUT +; Default Value: On +; Development Value: On +; Production Value: Off +; http://php.net/display-errors +display_errors = On + +; The display of errors which occur during PHP's startup sequence are handled +; separately from display_errors. PHP's default behavior is to suppress those +; errors from clients. Turning the display of startup errors on can be useful in +; debugging configuration problems. But, it's strongly recommended that you +; leave this setting off on production servers. +; Default Value: Off +; Development Value: On +; Production Value: Off +; http://php.net/display-startup-errors +display_startup_errors = On + +; Besides displaying errors, PHP can also log errors to locations such as a +; server-specific log, STDERR, or a location specified by the error_log +; directive found below. While errors should not be displayed on productions +; servers they should still be monitored and logging is a great way to do that. +; Default Value: Off +; Development Value: On +; Production Value: On +; http://php.net/log-errors +log_errors = On + +; Set maximum length of log_errors. In error_log information about the source is +; added. The default is 1024 and 0 allows to not apply any maximum length at all. +; http://php.net/log-errors-max-len +log_errors_max_len = 1024 + +; Do not log repeated messages. Repeated errors must occur in same file on same +; line unless ignore_repeated_source is set true. +; http://php.net/ignore-repeated-errors +ignore_repeated_errors = Off + +; Ignore source of message when ignoring repeated messages. When this setting +; is On you will not log errors with repeated messages from different files or +; source lines. +; http://php.net/ignore-repeated-source +ignore_repeated_source = Off + +; If this parameter is set to Off, then memory leaks will not be shown (on +; stdout or in the log). This has only effect in a debug compile, and if +; error reporting includes E_WARNING in the allowed list +; http://php.net/report-memleaks +report_memleaks = On + +; This setting is on by default. +;report_zend_debug = 0 + +; Store the last error/warning message in $php_errormsg (boolean). Setting this value +; to On can assist in debugging and is appropriate for development servers. It should +; however be disabled on production servers. +; Default Value: Off +; Development Value: On +; Production Value: Off +; http://php.net/track-errors +track_errors = On + +; Turn off normal error reporting and emit XML-RPC error XML +; http://php.net/xmlrpc-errors +;xmlrpc_errors = 0 + +; An XML-RPC faultCode +;xmlrpc_error_number = 0 + +; When PHP displays or logs an error, it has the capability of formatting the +; error message as HTML for easier reading. This directive controls whether +; the error message is formatted as HTML or not. +; Note: This directive is hardcoded to Off for the CLI SAPI +; Default Value: On +; Development Value: On +; Production value: On +; http://php.net/html-errors +html_errors = On + +; If html_errors is set to On *and* docref_root is not empty, then PHP +; produces clickable error messages that direct to a page describing the error +; or function causing the error in detail. +; You can download a copy of the PHP manual from http://php.net/docs +; and change docref_root to the base URL of your local copy including the +; leading '/'. You must also specify the file extension being used including +; the dot. PHP's default behavior is to leave these settings empty, in which +; case no links to documentation are generated. +; Note: Never use this feature for production boxes. +; http://php.net/docref-root +; Examples +;docref_root = "/phpmanual/" + +; http://php.net/docref-ext +;docref_ext = .html + +; String to output before an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-prepend-string +; Example: +;error_prepend_string = "" + +; String to output after an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-append-string +; Example: +;error_append_string = "" + +; Log errors to specified file. PHP's default behavior is to leave this value +; empty. +; http://php.net/error-log +; Example: +;error_log = php_errors.log +; Log errors to syslog (Event Log on NT, not valid in Windows 95). +;error_log = syslog + +;windows.show_crt_warning +; Default value: 0 +; Development value: 0 +; Production value: 0 + +;;;;;;;;;;;;;;;;; +; Data Handling ; +;;;;;;;;;;;;;;;;; + +; The separator used in PHP generated URLs to separate arguments. +; PHP's default setting is "&". +; http://php.net/arg-separator.output +; Example: +;arg_separator.output = "&" + +; List of separator(s) used by PHP to parse input URLs into variables. +; PHP's default setting is "&". +; NOTE: Every character in this directive is considered as separator! +; http://php.net/arg-separator.input +; Example: +;arg_separator.input = ";&" + +; This directive determines which super global arrays are registered when PHP +; starts up. G,P,C,E & S are abbreviations for the following respective super +; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty +; paid for the registration of these arrays and because ENV is not as commonly +; used as the others, ENV is not recommended on productions servers. You +; can still get access to the environment variables through getenv() should you +; need to. +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS"; +; http://php.net/variables-order +variables_order = "GPCS" + +; This directive determines which super global data (G,P,C,E & S) should +; be registered into the super global array REQUEST. If so, it also determines +; the order in which that data is registered. The values for this directive are +; specified in the same manner as the variables_order directive, EXCEPT one. +; Leaving this value empty will cause PHP to use the value set in the +; variables_order directive. It does not mean it will leave the super globals +; array REQUEST empty. +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" +; http://php.net/request-order +request_order = "GP" + +; This directive determines whether PHP registers $argv & $argc each time it +; runs. $argv contains an array of all the arguments passed to PHP when a script +; is invoked. $argc contains an integer representing the number of arguments +; that were passed when the script was invoked. These arrays are extremely +; useful when running scripts from the command line. When this directive is +; enabled, registering these variables consumes CPU cycles and memory each time +; a script is executed. For performance reasons, this feature should be disabled +; on production servers. +; Note: This directive is hardcoded to On for the CLI SAPI +; Default Value: On +; Development Value: Off +; Production Value: Off +; http://php.net/register-argc-argv +register_argc_argv = Off + +; When enabled, the ENV, REQUEST and SERVER variables are created when they're +; first used (Just In Time) instead of when the script starts. If these +; variables are not used within a script, having this directive on will result +; in a performance gain. The PHP directive register_argc_argv must be disabled +; for this directive to have any affect. +; http://php.net/auto-globals-jit +auto_globals_jit = On + +; Whether PHP will read the POST data. +; This option is enabled by default. +; Most likely, you won't want to disable this option globally. It causes $_POST +; and $_FILES to always be empty; the only way you will be able to read the +; POST data will be through the php://input stream wrapper. This can be useful +; to proxy requests or to process the POST data in a memory efficient fashion. +; http://php.net/enable-post-data-reading +;enable_post_data_reading = Off + +; Maximum size of POST data that PHP will accept. +; Its value may be 0 to disable the limit. It is ignored if POST data reading +; is disabled through enable_post_data_reading. +; http://php.net/post-max-size +post_max_size = 8M + +; Automatically add files before PHP document. +; http://php.net/auto-prepend-file +auto_prepend_file = + +; Automatically add files after PHP document. +; http://php.net/auto-append-file +auto_append_file = + +; By default, PHP will output a character encoding using +; the Content-type: header. To disable sending of the charset, simply +; set it to be empty. +; +; PHP's built-in default is text/html +; http://php.net/default-mimetype +default_mimetype = "text/html" + +; PHP's default character set is set to empty. +; http://php.net/default-charset +;default_charset = "UTF-8" + +; Always populate the $HTTP_RAW_POST_DATA variable. PHP's default behavior is +; to disable this feature. If post reading is disabled through +; enable_post_data_reading, $HTTP_RAW_POST_DATA is *NOT* populated. +; http://php.net/always-populate-raw-post-data +;always_populate_raw_post_data = On + +;;;;;;;;;;;;;;;;;;;;;;;;; +; Paths and Directories ; +;;;;;;;;;;;;;;;;;;;;;;;;; + +; UNIX: "/path1:/path2" +include_path = ".:/usr/share/php5:/usr/share/php" +; +; Windows: "\path1;\path2" +;include_path = ".;c:\php\includes" +; +; PHP's default setting for include_path is ".;/path/to/php/pear" +; http://php.net/include-path + +; The root of the PHP pages, used only if nonempty. +; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root +; if you are running php as a CGI under any web server (other than IIS) +; see documentation for security issues. The alternate is to use the +; cgi.force_redirect configuration below +; http://php.net/doc-root +doc_root = + +; The directory under which PHP opens the script using /~username used only +; if nonempty. +; http://php.net/user-dir +user_dir = + +; Directory in which the loadable extensions (modules) reside. +; http://php.net/extension-dir +; extension_dir = "./" +; On windows: +; extension_dir = "ext" + +; Whether or not to enable the dl() function. The dl() function does NOT work +; properly in multithreaded servers, such as IIS or Zeus, and is automatically +; disabled on them. +; http://php.net/enable-dl +enable_dl = Off + +; cgi.force_redirect is necessary to provide security running PHP as a CGI under +; most web servers. Left undefined, PHP turns this on by default. You can +; turn it off here AT YOUR OWN RISK +; **You CAN safely turn this off for IIS, in fact, you MUST.** +; http://php.net/cgi.force-redirect +;cgi.force_redirect = 1 + +; if cgi.nph is enabled it will force cgi to always sent Status: 200 with +; every request. PHP's default behavior is to disable this feature. +;cgi.nph = 1 + +; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape +; (iPlanet) web servers, you MAY need to set an environment variable name that PHP +; will look for to know it is OK to continue execution. Setting this variable MAY +; cause security issues, KNOW WHAT YOU ARE DOING FIRST. +; http://php.net/cgi.redirect-status-env +;cgi.redirect_status_env = + +; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's +; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok +; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting +; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting +; of zero causes PHP to behave as before. Default is 1. You should fix your scripts +; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. +; http://php.net/cgi.fix-pathinfo +;cgi.fix_pathinfo=1 + +; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate +; security tokens of the calling client. This allows IIS to define the +; security context that the request runs under. mod_fastcgi under Apache +; does not currently support this feature (03/17/2002) +; Set to 1 if running under IIS. Default is zero. +; http://php.net/fastcgi.impersonate +;fastcgi.impersonate = 1 + +; Disable logging through FastCGI connection. PHP's default behavior is to enable +; this feature. +;fastcgi.logging = 0 + +; cgi.rfc2616_headers configuration option tells PHP what type of headers to +; use when sending HTTP response code. If it's set 0 PHP sends Status: header that +; is supported by Apache. When this option is set to 1 PHP will send +; RFC2616 compliant header. +; Default is zero. +; http://php.net/cgi.rfc2616-headers +;cgi.rfc2616_headers = 0 + +;;;;;;;;;;;;;;;; +; File Uploads ; +;;;;;;;;;;;;;;;; + +; Whether to allow HTTP file uploads. +; http://php.net/file-uploads +file_uploads = On + +; Temporary directory for HTTP uploaded files (will use system default if not +; specified). +; http://php.net/upload-tmp-dir +;upload_tmp_dir = + +; Maximum allowed size for uploaded files. +; http://php.net/upload-max-filesize +upload_max_filesize = 2M + +; Maximum number of files that can be uploaded via a single request +max_file_uploads = 20 + +;;;;;;;;;;;;;;;;;; +; Fopen wrappers ; +;;;;;;;;;;;;;;;;;; + +; Whether to allow the treatment of URLs (like http:// or ftp://) as files. +; http://php.net/allow-url-fopen +allow_url_fopen = Off + +; Whether to allow include/require to open URLs (like http:// or ftp://) as files. +; http://php.net/allow-url-include +allow_url_include = Off + +; Define the anonymous ftp password (your email address). PHP's default setting +; for this is empty. +; http://php.net/from +;from="john@doe.com" + +; Define the User-Agent string. PHP's default setting for this is empty. +; http://php.net/user-agent +;user_agent="PHP" + +; Default timeout for socket based streams (seconds) +; http://php.net/default-socket-timeout +default_socket_timeout = 60 + +; If your scripts have to deal with files from Macintosh systems, +; or you are running on a Mac and need to deal with files from +; unix or win32 systems, setting this flag will cause PHP to +; automatically detect the EOL character in those files so that +; fgets() and file() will work regardless of the source of the file. +; http://php.net/auto-detect-line-endings +;auto_detect_line_endings = Off + +;;;;;;;;;;;;;;;;;;;;;; +; Dynamic Extensions ; +;;;;;;;;;;;;;;;;;;;;;; + +; If you wish to have an extension loaded automatically, use the following +; syntax: +; +; extension=modulename.extension +; +; For example, on Windows: +; +; extension=msql.dll +; +; ... or under UNIX: +; +; extension=msql.so +; +; ... or with a path: +; +; extension=/path/to/extension/msql.so +; +; If you only provide the name of the extension, PHP will look for it in its +; default extension directory. +; +; Windows Extensions +; Note that ODBC support is built in, so no dll is needed for it. +; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5) +; extension folders as well as the separate PECL DLL download (PHP 5). +; Be sure to appropriately set the extension_dir directive. +; +;extension=php_bz2.dll +;extension=php_curl.dll +;extension=php_fileinfo.dll +;extension=php_gd2.dll +;extension=php_gettext.dll +;extension=php_gmp.dll +;extension=php_intl.dll +;extension=php_imap.dll +;extension=php_interbase.dll +;extension=php_ldap.dll +;extension=php_mbstring.dll +;extension=php_exif.dll ; Must be after mbstring as it depends on it +;extension=php_mysql.dll +;extension=php_mysqli.dll +;extension=php_oci8.dll ; Use with Oracle 10gR2 Instant Client +;extension=php_oci8_11g.dll ; Use with Oracle 11gR2 Instant Client +;extension=php_openssl.dll +;extension=php_pdo_firebird.dll +;extension=php_pdo_mysql.dll +;extension=php_pdo_oci.dll +;extension=php_pdo_odbc.dll +;extension=php_pdo_pgsql.dll +;extension=php_pdo_sqlite.dll +;extension=php_pgsql.dll +;extension=php_pspell.dll +;extension=php_shmop.dll + +; The MIBS data available in the PHP distribution must be installed. +; See http://www.php.net/manual/en/snmp.installation.php +;extension=php_snmp.dll + +;extension=php_soap.dll +;extension=php_sockets.dll +;extension=php_sqlite3.dll +;extension=php_sybase_ct.dll +;extension=php_tidy.dll +;extension=php_xmlrpc.dll +;extension=php_xsl.dll +;extension=php_zip.dll + +;;;;;;;;;;;;;;;;;;; +; Module Settings ; +;;;;;;;;;;;;;;;;;;; + +[CLI Server] +; Whether the CLI web server uses ANSI color coding in its terminal output. +cli_server.color = On + +[Date] +; Defines the default timezone used by the date functions +; http://php.net/date.timezone +date.timezone = Europe/Berlin + +; http://php.net/date.default-latitude +;date.default_latitude = 31.7667 + +; http://php.net/date.default-longitude +;date.default_longitude = 35.2333 + +; http://php.net/date.sunrise-zenith +;date.sunrise_zenith = 90.583333 + +; http://php.net/date.sunset-zenith +;date.sunset_zenith = 90.583333 + +[filter] +; http://php.net/filter.default +;filter.default = unsafe_raw + +; http://php.net/filter.default-flags +;filter.default_flags = + +[iconv] +;iconv.input_encoding = ISO-8859-1 +;iconv.internal_encoding = ISO-8859-1 +;iconv.output_encoding = ISO-8859-1 + +[intl] +;intl.default_locale = +; This directive allows you to produce PHP errors when some error +; happens within intl functions. The value is the level of the error produced. +; Default is 0, which does not produce any errors. +;intl.error_level = E_WARNING + +[sqlite] +; http://php.net/sqlite.assoc-case +;sqlite.assoc_case = 0 + +[sqlite3] +;sqlite3.extension_dir = + +[Pcre] +;PCRE library backtracking limit. +; http://php.net/pcre.backtrack-limit +;pcre.backtrack_limit=100000 + +;PCRE library recursion limit. +;Please note that if you set this value to a high number you may consume all +;the available process stack and eventually crash PHP (due to reaching the +;stack size limit imposed by the Operating System). +; http://php.net/pcre.recursion-limit +;pcre.recursion_limit=100000 + +[Pdo] +; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off" +; http://php.net/pdo-odbc.connection-pooling +;pdo_odbc.connection_pooling=strict + +;pdo_odbc.db2_instance_name + +[Pdo_mysql] +; If mysqlnd is used: Number of cache slots for the internal result set cache +; http://php.net/pdo_mysql.cache_size +pdo_mysql.cache_size = 2000 + +; Default socket name for local MySQL connects. If empty, uses the built-in +; MySQL defaults. +; http://php.net/pdo_mysql.default-socket +pdo_mysql.default_socket= + +[Phar] +; http://php.net/phar.readonly +;phar.readonly = On + +; http://php.net/phar.require-hash +;phar.require_hash = On + +;phar.cache_list = + +[mail function] +; For Win32 only. +; http://php.net/smtp +SMTP = localhost +; http://php.net/smtp-port +smtp_port = 25 + +; For Win32 only. +; http://php.net/sendmail-from +;sendmail_from = me@example.com + +; For Unix only. You may supply arguments as well (default: "sendmail -t -i"). +; http://php.net/sendmail-path +;sendmail_path = + +; Force the addition of the specified parameters to be passed as extra parameters +; to the sendmail binary. These parameters will always replace the value of +; the 5th parameter to mail(), even in safe mode. +;mail.force_extra_parameters = + +; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename +mail.add_x_header = On + +; The path to a log file that will log all mail() calls. Log entries include +; the full path of the script, line number, To address and headers. +;mail.log = +; Log mail to syslog (Event Log on NT, not valid in Windows 95). +;mail.log = syslog + +[SQL] +; http://php.net/sql.safe-mode +sql.safe_mode = Off + +[ODBC] +; http://php.net/odbc.default-db +;odbc.default_db = Not yet implemented + +; http://php.net/odbc.default-user +;odbc.default_user = Not yet implemented + +; http://php.net/odbc.default-pw +;odbc.default_pw = Not yet implemented + +; Controls the ODBC cursor model. +; Default: SQL_CURSOR_STATIC (default). +;odbc.default_cursortype + +; Allow or prevent persistent links. +; http://php.net/odbc.allow-persistent +odbc.allow_persistent = On + +; Check that a connection is still valid before reuse. +; http://php.net/odbc.check-persistent +odbc.check_persistent = On + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/odbc.max-persistent +odbc.max_persistent = -1 + +; Maximum number of links (persistent + non-persistent). -1 means no limit. +; http://php.net/odbc.max-links +odbc.max_links = -1 + +; Handling of LONG fields. Returns number of bytes to variables. 0 means +; passthru. +; http://php.net/odbc.defaultlrl +odbc.defaultlrl = 4096 + +; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char. +; See the documentation on odbc_binmode and odbc_longreadlen for an explanation +; of odbc.defaultlrl and odbc.defaultbinmode +; http://php.net/odbc.defaultbinmode +odbc.defaultbinmode = 1 + +;birdstep.max_links = -1 + +[Interbase] +; Allow or prevent persistent links. +ibase.allow_persistent = 1 + +; Maximum number of persistent links. -1 means no limit. +ibase.max_persistent = -1 + +; Maximum number of links (persistent + non-persistent). -1 means no limit. +ibase.max_links = -1 + +; Default database name for ibase_connect(). +;ibase.default_db = + +; Default username for ibase_connect(). +;ibase.default_user = + +; Default password for ibase_connect(). +;ibase.default_password = + +; Default charset for ibase_connect(). +;ibase.default_charset = + +; Default timestamp format. +ibase.timestampformat = "%Y-%m-%d %H:%M:%S" + +; Default date format. +ibase.dateformat = "%Y-%m-%d" + +; Default time format. +ibase.timeformat = "%H:%M:%S" + +[MySQL] +; Allow accessing, from PHP's perspective, local files with LOAD DATA statements +; http://php.net/mysql.allow_local_infile +mysql.allow_local_infile = On + +; Allow or prevent persistent links. +; http://php.net/mysql.allow-persistent +mysql.allow_persistent = On + +; If mysqlnd is used: Number of cache slots for the internal result set cache +; http://php.net/mysql.cache_size +mysql.cache_size = 2000 + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/mysql.max-persistent +mysql.max_persistent = -1 + +; Maximum number of links (persistent + non-persistent). -1 means no limit. +; http://php.net/mysql.max-links +mysql.max_links = -1 + +; Default port number for mysql_connect(). If unset, mysql_connect() will use +; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the +; compile-time value defined MYSQL_PORT (in that order). Win32 will only look +; at MYSQL_PORT. +; http://php.net/mysql.default-port +mysql.default_port = + +; Default socket name for local MySQL connects. If empty, uses the built-in +; MySQL defaults. +; http://php.net/mysql.default-socket +mysql.default_socket = + +; Default host for mysql_connect() (doesn't apply in safe mode). +; http://php.net/mysql.default-host +mysql.default_host = + +; Default user for mysql_connect() (doesn't apply in safe mode). +; http://php.net/mysql.default-user +mysql.default_user = + +; Default password for mysql_connect() (doesn't apply in safe mode). +; Note that this is generally a *bad* idea to store passwords in this file. +; *Any* user with PHP access can run 'echo get_cfg_var("mysql.default_password") +; and reveal this password! And of course, any users with read access to this +; file will be able to reveal the password as well. +; http://php.net/mysql.default-password +mysql.default_password = + +; Maximum time (in seconds) for connect timeout. -1 means no limit +; http://php.net/mysql.connect-timeout +mysql.connect_timeout = 60 + +; Trace mode. When trace_mode is active (=On), warnings for table/index scans and +; SQL-Errors will be displayed. +; http://php.net/mysql.trace-mode +mysql.trace_mode = Off + +[MySQLi] + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/mysqli.max-persistent +mysqli.max_persistent = -1 + +; Allow accessing, from PHP's perspective, local files with LOAD DATA statements +; http://php.net/mysqli.allow_local_infile +;mysqli.allow_local_infile = On + +; Allow or prevent persistent links. +; http://php.net/mysqli.allow-persistent +mysqli.allow_persistent = On + +; Maximum number of links. -1 means no limit. +; http://php.net/mysqli.max-links +mysqli.max_links = -1 + +; If mysqlnd is used: Number of cache slots for the internal result set cache +; http://php.net/mysqli.cache_size +mysqli.cache_size = 2000 + +; Default port number for mysqli_connect(). If unset, mysqli_connect() will use +; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the +; compile-time value defined MYSQL_PORT (in that order). Win32 will only look +; at MYSQL_PORT. +; http://php.net/mysqli.default-port +mysqli.default_port = 3306 + +; Default socket name for local MySQL connects. If empty, uses the built-in +; MySQL defaults. +; http://php.net/mysqli.default-socket +mysqli.default_socket = + +; Default host for mysql_connect() (doesn't apply in safe mode). +; http://php.net/mysqli.default-host +mysqli.default_host = + +; Default user for mysql_connect() (doesn't apply in safe mode). +; http://php.net/mysqli.default-user +mysqli.default_user = + +; Default password for mysqli_connect() (doesn't apply in safe mode). +; Note that this is generally a *bad* idea to store passwords in this file. +; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw") +; and reveal this password! And of course, any users with read access to this +; file will be able to reveal the password as well. +; http://php.net/mysqli.default-pw +mysqli.default_pw = + +; Allow or prevent reconnect +mysqli.reconnect = Off + +[mysqlnd] +; Enable / Disable collection of general statistics by mysqlnd which can be +; used to tune and monitor MySQL operations. +; http://php.net/mysqlnd.collect_statistics +mysqlnd.collect_statistics = On + +; Enable / Disable collection of memory usage statistics by mysqlnd which can be +; used to tune and monitor MySQL operations. +; http://php.net/mysqlnd.collect_memory_statistics +mysqlnd.collect_memory_statistics = On + +; Size of a pre-allocated buffer used when sending commands to MySQL in bytes. +; http://php.net/mysqlnd.net_cmd_buffer_size +;mysqlnd.net_cmd_buffer_size = 2048 + +; Size of a pre-allocated buffer used for reading data sent by the server in +; bytes. +; http://php.net/mysqlnd.net_read_buffer_size +;mysqlnd.net_read_buffer_size = 32768 + +[OCI8] + +; Connection: Enables privileged connections using external +; credentials (OCI_SYSOPER, OCI_SYSDBA) +; http://php.net/oci8.privileged-connect +;oci8.privileged_connect = Off + +; Connection: The maximum number of persistent OCI8 connections per +; process. Using -1 means no limit. +; http://php.net/oci8.max-persistent +;oci8.max_persistent = -1 + +; Connection: The maximum number of seconds a process is allowed to +; maintain an idle persistent connection. Using -1 means idle +; persistent connections will be maintained forever. +; http://php.net/oci8.persistent-timeout +;oci8.persistent_timeout = -1 + +; Connection: The number of seconds that must pass before issuing a +; ping during oci_pconnect() to check the connection validity. When +; set to 0, each oci_pconnect() will cause a ping. Using -1 disables +; pings completely. +; http://php.net/oci8.ping-interval +;oci8.ping_interval = 60 + +; Connection: Set this to a user chosen connection class to be used +; for all pooled server requests with Oracle 11g Database Resident +; Connection Pooling (DRCP). To use DRCP, this value should be set to +; the same string for all web servers running the same application, +; the database pool must be configured, and the connection string must +; specify to use a pooled server. +;oci8.connection_class = + +; High Availability: Using On lets PHP receive Fast Application +; Notification (FAN) events generated when a database node fails. The +; database must also be configured to post FAN events. +;oci8.events = Off + +; Tuning: This option enables statement caching, and specifies how +; many statements to cache. Using 0 disables statement caching. +; http://php.net/oci8.statement-cache-size +;oci8.statement_cache_size = 20 + +; Tuning: Enables statement prefetching and sets the default number of +; rows that will be fetched automatically after statement execution. +; http://php.net/oci8.default-prefetch +;oci8.default_prefetch = 100 + +; Compatibility. Using On means oci_close() will not close +; oci_connect() and oci_new_connect() connections. +; http://php.net/oci8.old-oci-close-semantics +;oci8.old_oci_close_semantics = Off + +[PostgreSQL] +; Allow or prevent persistent links. +; http://php.net/pgsql.allow-persistent +pgsql.allow_persistent = On + +; Detect broken persistent links always with pg_pconnect(). +; Auto reset feature requires a little overheads. +; http://php.net/pgsql.auto-reset-persistent +pgsql.auto_reset_persistent = Off + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/pgsql.max-persistent +pgsql.max_persistent = -1 + +; Maximum number of links (persistent+non persistent). -1 means no limit. +; http://php.net/pgsql.max-links +pgsql.max_links = -1 + +; Ignore PostgreSQL backends Notice message or not. +; Notice message logging require a little overheads. +; http://php.net/pgsql.ignore-notice +pgsql.ignore_notice = 0 + +; Log PostgreSQL backends Notice message or not. +; Unless pgsql.ignore_notice=0, module cannot log notice message. +; http://php.net/pgsql.log-notice +pgsql.log_notice = 0 + +[Sybase-CT] +; Allow or prevent persistent links. +; http://php.net/sybct.allow-persistent +sybct.allow_persistent = On + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/sybct.max-persistent +sybct.max_persistent = -1 + +; Maximum number of links (persistent + non-persistent). -1 means no limit. +; http://php.net/sybct.max-links +sybct.max_links = -1 + +; Minimum server message severity to display. +; http://php.net/sybct.min-server-severity +sybct.min_server_severity = 10 + +; Minimum client message severity to display. +; http://php.net/sybct.min-client-severity +sybct.min_client_severity = 10 + +; Set per-context timeout +; http://php.net/sybct.timeout +;sybct.timeout= + +;sybct.packet_size + +; The maximum time in seconds to wait for a connection attempt to succeed before returning failure. +; Default: one minute +;sybct.login_timeout= + +; The name of the host you claim to be connecting from, for display by sp_who. +; Default: none +;sybct.hostname= + +; Allows you to define how often deadlocks are to be retried. -1 means "forever". +; Default: 0 +;sybct.deadlock_retry_count= + +[bcmath] +; Number of decimal digits for all bcmath functions. +; http://php.net/bcmath.scale +bcmath.scale = 0 + +[browscap] +; http://php.net/browscap +;browscap = extra/browscap.ini + +[Session] +; Handler used to store/retrieve data. +; http://php.net/session.save-handler +session.save_handler = files + +; Argument passed to save_handler. In the case of files, this is the path +; where data files are stored. Note: Windows users have to change this +; variable in order to use PHP's session functions. +; +; The path can be defined as: +; +; session.save_path = "N;/path" +; +; where N is an integer. Instead of storing all the session files in +; /path, what this will do is use subdirectories N-levels deep, and +; store the session data in those directories. This is useful if you +; or your OS have problems with lots of files in one directory, and is +; a more efficient layout for servers that handle lots of sessions. +; +; NOTE 1: PHP will not create this directory structure automatically. +; You can use the script in the ext/session dir for that purpose. +; NOTE 2: See the section on garbage collection below if you choose to +; use subdirectories for session storage +; +; The file storage module creates files using mode 600 by default. +; You can change that by using +; +; session.save_path = "N;MODE;/path" +; +; where MODE is the octal representation of the mode. Note that this +; does not overwrite the process's umask. +; http://php.net/session.save-path +session.save_path = "/tmp" + +; Whether to use cookies. +; http://php.net/session.use-cookies +session.use_cookies = 1 + +; http://php.net/session.cookie-secure +;session.cookie_secure = + +; This option forces PHP to fetch and use a cookie for storing and maintaining +; the session id. We encourage this operation as it's very helpful in combating +; session hijacking when not specifying and managing your own session id. It is +; not the end all be all of session hijacking defense, but it's a good start. +; http://php.net/session.use-only-cookies +session.use_only_cookies = 1 + +; Name of the session (used as cookie name). +; http://php.net/session.name +session.name = PHPSESSID + +; Initialize session on request startup. +; http://php.net/session.auto-start +session.auto_start = 0 + +; Lifetime in seconds of cookie or, if 0, until browser is restarted. +; http://php.net/session.cookie-lifetime +session.cookie_lifetime = 0 + +; The path for which the cookie is valid. +; http://php.net/session.cookie-path +session.cookie_path = / + +; The domain for which the cookie is valid. +; http://php.net/session.cookie-domain +session.cookie_domain = + +; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript. +; http://php.net/session.cookie-httponly +session.cookie_httponly = + +; Handler used to serialize data. php is the standard serializer of PHP. +; http://php.net/session.serialize-handler +session.serialize_handler = php + +; Defines the probability that the 'garbage collection' process is started +; on every session initialization. The probability is calculated by using +; gc_probability/gc_divisor. Where session.gc_probability is the numerator +; and gc_divisor is the denominator in the equation. Setting this value to 1 +; when the session.gc_divisor value is 100 will give you approximately a 1% chance +; the gc will run on any give request. +; Default Value: 1 +; Development Value: 1 +; Production Value: 1 +; http://php.net/session.gc-probability +session.gc_probability = 1 + +; Defines the probability that the 'garbage collection' process is started on every +; session initialization. The probability is calculated by using the following equation: +; gc_probability/gc_divisor. Where session.gc_probability is the numerator and +; session.gc_divisor is the denominator in the equation. Setting this value to 1 +; when the session.gc_divisor value is 100 will give you approximately a 1% chance +; the gc will run on any give request. Increasing this value to 1000 will give you +; a 0.1% chance the gc will run on any give request. For high volume production servers, +; this is a more efficient approach. +; Default Value: 100 +; Development Value: 1000 +; Production Value: 1000 +; http://php.net/session.gc-divisor +session.gc_divisor = 1000 + +; After this number of seconds, stored data will be seen as 'garbage' and +; cleaned up by the garbage collection process. +; http://php.net/session.gc-maxlifetime +session.gc_maxlifetime = 1440 + +; NOTE: If you are using the subdirectory option for storing session files +; (see session.save_path above), then garbage collection does *not* +; happen automatically. You will need to do your own garbage +; collection through a shell script, cron entry, or some other method. +; For example, the following script would is the equivalent of +; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes): +; find /path/to/sessions -cmin +24 | xargs rm + +; PHP 4.2 and less have an undocumented feature/bug that allows you to +; to initialize a session variable in the global scope. +; PHP 4.3 and later will warn you, if this feature is used. +; You can disable the feature and the warning separately. At this time, +; the warning is only displayed, if bug_compat_42 is enabled. This feature +; introduces some serious security problems if not handled correctly. It's +; recommended that you do not use this feature on production servers. But you +; should enable this on development servers and enable the warning as well. If you +; do not enable the feature on development servers, you won't be warned when it's +; used and debugging errors caused by this can be difficult to track down. +; Default Value: On +; Development Value: On +; Production Value: Off +; http://php.net/session.bug-compat-42 +session.bug_compat_42 = On + +; This setting controls whether or not you are warned by PHP when initializing a +; session value into the global space. session.bug_compat_42 must be enabled before +; these warnings can be issued by PHP. See the directive above for more information. +; Default Value: On +; Development Value: On +; Production Value: Off +; http://php.net/session.bug-compat-warn +session.bug_compat_warn = On + +; Check HTTP Referer to invalidate externally stored URLs containing ids. +; HTTP_REFERER has to contain this substring for the session to be +; considered as valid. +; http://php.net/session.referer-check +session.referer_check = + +; How many bytes to read from the file. +; http://php.net/session.entropy-length +;session.entropy_length = 32 + +; Specified here to create the session id. +; http://php.net/session.entropy-file +; Defaults to /dev/urandom +; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom +; If neither are found at compile time, the default is no entropy file. +; On windows, setting the entropy_length setting will activate the +; Windows random source (using the CryptoAPI) +;session.entropy_file = /dev/urandom + +; Set to {nocache,private,public,} to determine HTTP caching aspects +; or leave this empty to avoid sending anti-caching headers. +; http://php.net/session.cache-limiter +session.cache_limiter = nocache + +; Document expires after n minutes. +; http://php.net/session.cache-expire +session.cache_expire = 180 + +; trans sid support is disabled by default. +; Use of trans sid may risk your users security. +; Use this option with caution. +; - User may send URL contains active session ID +; to other person via. email/irc/etc. +; - URL that contains active session ID may be stored +; in publicly accessible computer. +; - User may access your site with the same session ID +; always using URL stored in browser's history or bookmarks. +; http://php.net/session.use-trans-sid +session.use_trans_sid = 0 + +; Select a hash function for use in generating session ids. +; Possible Values +; 0 (MD5 128 bits) +; 1 (SHA-1 160 bits) +; This option may also be set to the name of any hash function supported by +; the hash extension. A list of available hashes is returned by the hash_algos() +; function. +; http://php.net/session.hash-function +session.hash_function = 0 + +; Define how many bits are stored in each character when converting +; the binary hash data to something readable. +; Possible values: +; 4 (4 bits: 0-9, a-f) +; 5 (5 bits: 0-9, a-v) +; 6 (6 bits: 0-9, a-z, A-Z, "-", ",") +; Default Value: 4 +; Development Value: 5 +; Production Value: 5 +; http://php.net/session.hash-bits-per-character +session.hash_bits_per_character = 5 + +; The URL rewriter will look for URLs in a defined set of HTML tags. +; form/fieldset are special; if you include them here, the rewriter will +; add a hidden field with the info which is otherwise appended +; to URLs. If you want XHTML conformity, remove the form entry. +; Note that all valid entries require a "=", even if no value follows. +; Default Value: "a=href,area=href,frame=src,form=,fieldset=" +; Development Value: "a=href,area=href,frame=src,input=src,form=fakeentry" +; Production Value: "a=href,area=href,frame=src,input=src,form=fakeentry" +; http://php.net/url-rewriter.tags +url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry" + +; Enable upload progress tracking in $_SESSION +; Default Value: On +; Development Value: On +; Production Value: On +; http://php.net/session.upload-progress.enabled +;session.upload_progress.enabled = On + +; Cleanup the progress information as soon as all POST data has been read +; (i.e. upload completed). +; Default Value: On +; Development Value: On +; Production Value: On +; http://php.net/session.upload-progress.cleanup +;session.upload_progress.cleanup = On + +; A prefix used for the upload progress key in $_SESSION +; Default Value: "upload_progress_" +; Development Value: "upload_progress_" +; Production Value: "upload_progress_" +; http://php.net/session.upload-progress.prefix +;session.upload_progress.prefix = "upload_progress_" + +; The index name (concatenated with the prefix) in $_SESSION +; containing the upload progress information +; Default Value: "PHP_SESSION_UPLOAD_PROGRESS" +; Development Value: "PHP_SESSION_UPLOAD_PROGRESS" +; Production Value: "PHP_SESSION_UPLOAD_PROGRESS" +; http://php.net/session.upload-progress.name +;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS" + +; How frequently the upload progress should be updated. +; Given either in percentages (per-file), or in bytes +; Default Value: "1%" +; Development Value: "1%" +; Production Value: "1%" +; http://php.net/session.upload-progress.freq +;session.upload_progress.freq = "1%" + +; The minimum delay between updates, in seconds +; Default Value: 1 +; Development Value: 1 +; Production Value: 1 +; http://php.net/session.upload-progress.min-freq +;session.upload_progress.min_freq = "1" + +[MSSQL] +; Allow or prevent persistent links. +mssql.allow_persistent = On + +; Maximum number of persistent links. -1 means no limit. +mssql.max_persistent = -1 + +; Maximum number of links (persistent+non persistent). -1 means no limit. +mssql.max_links = -1 + +; Minimum error severity to display. +mssql.min_error_severity = 10 + +; Minimum message severity to display. +mssql.min_message_severity = 10 + +; Compatibility mode with old versions of PHP 3.0. +mssql.compatability_mode = Off + +; Connect timeout +;mssql.connect_timeout = 5 + +; Query timeout +;mssql.timeout = 60 + +; Valid range 0 - 2147483647. Default = 4096. +;mssql.textlimit = 4096 + +; Valid range 0 - 2147483647. Default = 4096. +;mssql.textsize = 4096 + +; Limits the number of records in each batch. 0 = all records in one batch. +;mssql.batchsize = 0 + +; Specify how datetime and datetim4 columns are returned +; On => Returns data converted to SQL server settings +; Off => Returns values as YYYY-MM-DD hh:mm:ss +;mssql.datetimeconvert = On + +; Use NT authentication when connecting to the server +mssql.secure_connection = Off + +; Specify max number of processes. -1 = library default +; msdlib defaults to 25 +; FreeTDS defaults to 4096 +;mssql.max_procs = -1 + +; Specify client character set. +; If empty or not set the client charset from freetds.conf is used +; This is only used when compiled with FreeTDS +;mssql.charset = "ISO-8859-1" + +[Assertion] +; Assert(expr); active by default. +; http://php.net/assert.active +;assert.active = On + +; Issue a PHP warning for each failed assertion. +; http://php.net/assert.warning +;assert.warning = On + +; Don't bail out by default. +; http://php.net/assert.bail +;assert.bail = Off + +; User-function to be called if an assertion fails. +; http://php.net/assert.callback +;assert.callback = 0 + +; Eval the expression with current error_reporting(). Set to true if you want +; error_reporting(0) around the eval(). +; http://php.net/assert.quiet-eval +;assert.quiet_eval = 0 + +[COM] +; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs +; http://php.net/com.typelib-file +;com.typelib_file = + +; allow Distributed-COM calls +; http://php.net/com.allow-dcom +;com.allow_dcom = true + +; autoregister constants of a components typlib on com_load() +; http://php.net/com.autoregister-typelib +;com.autoregister_typelib = true + +; register constants casesensitive +; http://php.net/com.autoregister-casesensitive +;com.autoregister_casesensitive = false + +; show warnings on duplicate constant registrations +; http://php.net/com.autoregister-verbose +;com.autoregister_verbose = true + +; The default character set code-page to use when passing strings to and from COM objects. +; Default: system ANSI code page +;com.code_page= + +[mbstring] +; language for internal character representation. +; http://php.net/mbstring.language +;mbstring.language = Japanese + +; internal/script encoding. +; Some encoding cannot work as internal encoding. +; (e.g. SJIS, BIG5, ISO-2022-*) +; http://php.net/mbstring.internal-encoding +;mbstring.internal_encoding = EUC-JP + +; http input encoding. +; http://php.net/mbstring.http-input +;mbstring.http_input = auto + +; http output encoding. mb_output_handler must be +; registered as output buffer to function +; http://php.net/mbstring.http-output +;mbstring.http_output = SJIS + +; enable automatic encoding translation according to +; mbstring.internal_encoding setting. Input chars are +; converted to internal encoding by setting this to On. +; Note: Do _not_ use automatic encoding translation for +; portable libs/applications. +; http://php.net/mbstring.encoding-translation +;mbstring.encoding_translation = Off + +; automatic encoding detection order. +; auto means +; http://php.net/mbstring.detect-order +;mbstring.detect_order = auto + +; substitute_character used when character cannot be converted +; one from another +; http://php.net/mbstring.substitute-character +;mbstring.substitute_character = none; + +; overload(replace) single byte functions by mbstring functions. +; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(), +; etc. Possible values are 0,1,2,4 or combination of them. +; For example, 7 for overload everything. +; 0: No overload +; 1: Overload mail() function +; 2: Overload str*() functions +; 4: Overload ereg*() functions +; http://php.net/mbstring.func-overload +;mbstring.func_overload = 0 + +; enable strict encoding detection. +;mbstring.strict_detection = Off + +; This directive specifies the regex pattern of content types for which mb_output_handler() +; is activated. +; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml) +;mbstring.http_output_conv_mimetype= + +[gd] +; Tell the jpeg decode to ignore warnings and try to create +; a gd image. The warning will then be displayed as notices +; disabled by default +; http://php.net/gd.jpeg-ignore-warning +;gd.jpeg_ignore_warning = 0 + +[exif] +; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS. +; With mbstring support this will automatically be converted into the encoding +; given by corresponding encode setting. When empty mbstring.internal_encoding +; is used. For the decode settings you can distinguish between motorola and +; intel byte order. A decode setting cannot be empty. +; http://php.net/exif.encode-unicode +;exif.encode_unicode = ISO-8859-15 + +; http://php.net/exif.decode-unicode-motorola +;exif.decode_unicode_motorola = UCS-2BE + +; http://php.net/exif.decode-unicode-intel +;exif.decode_unicode_intel = UCS-2LE + +; http://php.net/exif.encode-jis +;exif.encode_jis = + +; http://php.net/exif.decode-jis-motorola +;exif.decode_jis_motorola = JIS + +; http://php.net/exif.decode-jis-intel +;exif.decode_jis_intel = JIS + +[Tidy] +; The path to a default tidy configuration file to use when using tidy +; http://php.net/tidy.default-config +;tidy.default_config = /usr/local/lib/php/default.tcfg + +; Should tidy clean and repair output automatically? +; WARNING: Do not use this option if you are generating non-html content +; such as dynamic images +; http://php.net/tidy.clean-output +tidy.clean_output = Off + +[soap] +; Enables or disables WSDL caching feature. +; http://php.net/soap.wsdl-cache-enabled +soap.wsdl_cache_enabled=1 + +; Sets the directory name where SOAP extension will put cache files. +; http://php.net/soap.wsdl-cache-dir +soap.wsdl_cache_dir="/tmp" + +; (time to live) Sets the number of second while cached file will be used +; instead of original one. +; http://php.net/soap.wsdl-cache-ttl +soap.wsdl_cache_ttl=86400 + +; Sets the size of the cache limit. (Max. number of WSDL files to cache) +soap.wsdl_cache_limit = 5 + +[sysvshm] +; A default size of the shared memory segment +;sysvshm.init_mem = 10000 + +[ldap] +; Sets the maximum number of open links or -1 for unlimited. +ldap.max_links = -1 + +[mcrypt] +; For more information about mcrypt settings see http://php.net/mcrypt-module-open + +; Directory where to load mcrypt algorithms +; Default: Compiled in into libmcrypt (usually /usr/local/lib/libmcrypt) +;mcrypt.algorithms_dir= + +; Directory where to load mcrypt modes +; Default: Compiled in into libmcrypt (usually /usr/local/lib/libmcrypt) +;mcrypt.modes_dir= + +[dba] +;dba.default_handler= + +; Local Variables: +; tab-width: 4 +; End: diff --git a/config-archive/etc/php/apache2-php5.4/php.ini.dist b/config-archive/etc/php/apache2-php5.4/php.ini.dist index 604c51a..dfe9eea 100644 --- a/config-archive/etc/php/apache2-php5.4/php.ini.dist +++ b/config-archive/etc/php/apache2-php5.4/php.ini.dist @@ -573,7 +573,7 @@ html_errors = On ; http://php.net/error-log ; Example: ;error_log = php_errors.log -; Log errors to syslog (Event Log on NT, not valid in Windows 95). +; Log errors to syslog (Event Log on Windows). ;error_log = syslog ;windows.show_crt_warning @@ -1010,7 +1010,7 @@ mail.add_x_header = On ; The path to a log file that will log all mail() calls. Log entries include ; the full path of the script, line number, To address and headers. ;mail.log = -; Log mail to syslog (Event Log on NT, not valid in Windows 95). +; Log mail to syslog (Event Log on Windows). ;mail.log = syslog [SQL] diff --git a/config-archive/etc/postfix/main.cf b/config-archive/etc/postfix/main.cf index 67ed344..9408611 100644 --- a/config-archive/etc/postfix/main.cf +++ b/config-archive/etc/postfix/main.cf @@ -642,7 +642,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.10.2/html +html_directory = /usr/share/doc/postfix-2.10.3/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -655,7 +655,7 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.10.2/readme +readme_directory = /usr/share/doc/postfix-2.10.3/readme home_mailbox = .maildir/ #alias_maps = mysql:/etc/postfix/mysql-aliases.cf alias_maps = hash:/etc/postfix/maps/aliases diff --git a/config-archive/etc/postfix/main.cf.1 b/config-archive/etc/postfix/main.cf.1 index 508be66..67ed344 100644 --- a/config-archive/etc/postfix/main.cf.1 +++ b/config-archive/etc/postfix/main.cf.1 @@ -642,7 +642,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.10.1/html +html_directory = /usr/share/doc/postfix-2.10.2/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -655,7 +655,7 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.10.1/readme +readme_directory = /usr/share/doc/postfix-2.10.2/readme home_mailbox = .maildir/ #alias_maps = mysql:/etc/postfix/mysql-aliases.cf alias_maps = hash:/etc/postfix/maps/aliases diff --git a/config-archive/etc/postfix/main.cf.2 b/config-archive/etc/postfix/main.cf.2 index f1639d8..508be66 100644 --- a/config-archive/etc/postfix/main.cf.2 +++ b/config-archive/etc/postfix/main.cf.2 @@ -642,7 +642,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.10.0/html +html_directory = /usr/share/doc/postfix-2.10.1/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -655,7 +655,7 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.10.0/readme +readme_directory = /usr/share/doc/postfix-2.10.1/readme home_mailbox = .maildir/ #alias_maps = mysql:/etc/postfix/mysql-aliases.cf alias_maps = hash:/etc/postfix/maps/aliases diff --git a/config-archive/etc/postfix/main.cf.3 b/config-archive/etc/postfix/main.cf.3 index 0befb51..f1639d8 100644 --- a/config-archive/etc/postfix/main.cf.3 +++ b/config-archive/etc/postfix/main.cf.3 @@ -642,7 +642,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.9.5/html +html_directory = /usr/share/doc/postfix-2.10.0/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -655,7 +655,7 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.9.5/readme +readme_directory = /usr/share/doc/postfix-2.10.0/readme home_mailbox = .maildir/ #alias_maps = mysql:/etc/postfix/mysql-aliases.cf alias_maps = hash:/etc/postfix/maps/aliases diff --git a/config-archive/etc/postfix/main.cf.4 b/config-archive/etc/postfix/main.cf.4 index e911f61..0befb51 100644 --- a/config-archive/etc/postfix/main.cf.4 +++ b/config-archive/etc/postfix/main.cf.4 @@ -642,7 +642,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.9.4/html +html_directory = /usr/share/doc/postfix-2.9.5/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -655,7 +655,7 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.9.4/readme +readme_directory = /usr/share/doc/postfix-2.9.5/readme home_mailbox = .maildir/ #alias_maps = mysql:/etc/postfix/mysql-aliases.cf alias_maps = hash:/etc/postfix/maps/aliases diff --git a/config-archive/etc/postfix/main.cf.5 b/config-archive/etc/postfix/main.cf.5 index 044fe07..e911f61 100644 --- a/config-archive/etc/postfix/main.cf.5 +++ b/config-archive/etc/postfix/main.cf.5 @@ -642,7 +642,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.9.3/html +html_directory = /usr/share/doc/postfix-2.9.4/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -655,7 +655,7 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.9.3/readme +readme_directory = /usr/share/doc/postfix-2.9.4/readme home_mailbox = .maildir/ #alias_maps = mysql:/etc/postfix/mysql-aliases.cf alias_maps = hash:/etc/postfix/maps/aliases diff --git a/config-archive/etc/postfix/main.cf.6 b/config-archive/etc/postfix/main.cf.6 index 6bac0c9..044fe07 100644 --- a/config-archive/etc/postfix/main.cf.6 +++ b/config-archive/etc/postfix/main.cf.6 @@ -41,7 +41,7 @@ command_directory = /usr/sbin # daemon programs (i.e. programs listed in the master.cf file). This # directory must be owned by root. # -daemon_directory = /usr/lib64/postfix +daemon_directory = /usr/libexec/postfix # The data_directory parameter specifies the location of Postfix-writable # data files (caches, random numbers). This directory must be owned @@ -460,7 +460,12 @@ unknown_local_recipient_reject_code = 550 # the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # -#mailbox_transport = lmtp:unix:/file/name +# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" +# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf. +#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp +# +# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and +# subsequent line in master.cf. #mailbox_transport = cyrus # The fallback_transport specifies the optional transport in master.cf @@ -637,7 +642,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.8.9/html +html_directory = /usr/share/doc/postfix-2.9.3/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -650,7 +655,7 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.8.9/readme +readme_directory = /usr/share/doc/postfix-2.9.3/readme home_mailbox = .maildir/ #alias_maps = mysql:/etc/postfix/mysql-aliases.cf alias_maps = hash:/etc/postfix/maps/aliases diff --git a/config-archive/etc/postfix/main.cf.7 b/config-archive/etc/postfix/main.cf.7 index 01dffb3..6bac0c9 100644 --- a/config-archive/etc/postfix/main.cf.7 +++ b/config-archive/etc/postfix/main.cf.7 @@ -41,7 +41,7 @@ command_directory = /usr/sbin # daemon programs (i.e. programs listed in the master.cf file). This # directory must be owned by root. # -daemon_directory = //usr/lib64/postfix +daemon_directory = /usr/lib64/postfix # The data_directory parameter specifies the location of Postfix-writable # data files (caches, random numbers). This directory must be owned diff --git a/config-archive/etc/postfix/main.cf.8 b/config-archive/etc/postfix/main.cf.8 new file mode 100644 index 0000000..01dffb3 --- /dev/null +++ b/config-archive/etc/postfix/main.cf.8 @@ -0,0 +1,736 @@ +# vim: noai: filetype=pfmain ts=4 sw=4 + +# Global Postfix configuration file. This file lists only a subset +# of all parameters. For the syntax, and for a complete parameter +# list, see the postconf(5) manual page (command: "man 5 postconf"). +# +# For common configuration examples, see BASIC_CONFIGURATION_README +# and STANDARD_CONFIGURATION_README. To find these documents, use +# the command "postconf html_directory readme_directory", or go to +# http://www.postfix.org/. +# +# For best results, change no more than 2-3 parameters at a time, +# and test if Postfix still works after every change. + +# SOFT BOUNCE +# +# The soft_bounce parameter provides a limited safety net for +# testing. When soft_bounce is enabled, mail will remain queued that +# would otherwise bounce. This parameter disables locally-generated +# bounces, and prevents the SMTP server from rejecting mail permanently +# (by changing 5xx replies into 4xx replies). However, soft_bounce +# is no cure for address rewriting mistakes or mail routing mistakes. +# +#soft_bounce = no + +# LOCAL PATHNAME INFORMATION +# +# The queue_directory specifies the location of the Postfix queue. +# This is also the root directory of Postfix daemons that run chrooted. +# See the files in examples/chroot-setup for setting up Postfix chroot +# environments on different UNIX systems. +# +queue_directory = /var/spool/postfix + +# The command_directory parameter specifies the location of all +# postXXX commands. +# +command_directory = /usr/sbin + +# The daemon_directory parameter specifies the location of all Postfix +# daemon programs (i.e. programs listed in the master.cf file). This +# directory must be owned by root. +# +daemon_directory = //usr/lib64/postfix + +# The data_directory parameter specifies the location of Postfix-writable +# data files (caches, random numbers). This directory must be owned +# by the mail_owner account (see below). +# +data_directory = /var/lib/postfix + +# QUEUE AND PROCESS OWNERSHIP +# +# The mail_owner parameter specifies the owner of the Postfix queue +# and of most Postfix daemon processes. Specify the name of a user +# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS +# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In +# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED +# USER. +# +mail_owner = postfix + +# The default_privs parameter specifies the default rights used by +# the local delivery agent for delivery to external file or command. +# These rights are used in the absence of a recipient user context. +# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER. +# +#default_privs = nobody + +# INTERNET HOST AND DOMAIN NAMES +# +# The myhostname parameter specifies the internet hostname of this +# mail system. The default is to use the fully-qualified domain name +# from gethostname(). $myhostname is used as a default value for many +# other configuration parameters. +# +#myhostname = host.domain.tld +#myhostname = virtual.domain.tld + +# The mydomain parameter specifies the local internet domain name. +# The default is to use $myhostname minus the first component. +# $mydomain is used as a default value for many other configuration +# parameters. +# +#mydomain = domain.tld + +# SENDING MAIL +# +# The myorigin parameter specifies the domain that locally-posted +# mail appears to come from. The default is to append $myhostname, +# which is fine for small sites. If you run a domain with multiple +# machines, you should (1) change this to $mydomain and (2) set up +# a domain-wide alias database that aliases each user to +# user@that.users.mailhost. +# +# For the sake of consistency between sender and recipient addresses, +# myorigin also specifies the default domain name that is appended +# to recipient addresses that have no @domain part. +# +#myorigin = $myhostname +#myorigin = $mydomain + +# RECEIVING MAIL + +# The inet_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on. By default, +# the software claims all active interfaces on the machine. The +# parameter also controls delivery of mail to user@[ip.address]. +# +# See also the proxy_interfaces parameter, for network addresses that +# are forwarded to us via a proxy or network address translator. +# +# Note: you need to stop/start Postfix when this parameter changes. +# +#inet_interfaces = all +#inet_interfaces = $myhostname +#inet_interfaces = $myhostname, localhost + +# The proxy_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on by way of a +# proxy or network address translation unit. This setting extends +# the address list specified with the inet_interfaces parameter. +# +# You must specify your proxy/NAT addresses when your system is a +# backup MX host for other domains, otherwise mail delivery loops +# will happen when the primary MX host is down. +# +#proxy_interfaces = +#proxy_interfaces = 1.2.3.4 + +# The mydestination parameter specifies the list of domains that this +# machine considers itself the final destination for. +# +# These domains are routed to the delivery agent specified with the +# local_transport parameter setting. By default, that is the UNIX +# compatible delivery agent that lookups all recipients in /etc/passwd +# and /etc/aliases or their equivalent. +# +# The default is $myhostname + localhost.$mydomain. On a mail domain +# gateway, you should also include $mydomain. +# +# Do not specify the names of virtual domains - those domains are +# specified elsewhere (see VIRTUAL_README). +# +# Do not specify the names of domains that this machine is backup MX +# host for. Specify those names via the relay_domains settings for +# the SMTP server, or use permit_mx_backup if you are lazy (see +# STANDARD_CONFIGURATION_README). +# +# The local machine is always the final destination for mail addressed +# to user@[the.net.work.address] of an interface that the mail system +# receives mail on (see the inet_interfaces parameter). +# +# Specify a list of host or domain names, /file/name or type:table +# patterns, separated by commas and/or whitespace. A /file/name +# pattern is replaced by its contents; a type:table is matched when +# a name matches a lookup key (the right-hand side is ignored). +# Continue long lines by starting the next line with whitespace. +# +# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". +# +#mydestination = $myhostname, localhost.$mydomain, localhost +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, +# mail.$mydomain, www.$mydomain, ftp.$mydomain + +# REJECTING MAIL FOR UNKNOWN LOCAL USERS +# +# The local_recipient_maps parameter specifies optional lookup tables +# with all names or addresses of users that are local with respect +# to $mydestination, $inet_interfaces or $proxy_interfaces. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown local users. This parameter is defined by default. +# +# To turn off local recipient checking in the SMTP server, specify +# local_recipient_maps = (i.e. empty). +# +# The default setting assumes that you use the default Postfix local +# delivery agent for local delivery. You need to update the +# local_recipient_maps setting if: +# +# - You define $mydestination domain recipients in files other than +# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. +# For example, you define $mydestination domain recipients in +# the $virtual_mailbox_maps files. +# +# - You redefine the local delivery agent in master.cf. +# +# - You redefine the "local_transport" setting in main.cf. +# +# - You use the "luser_relay", "mailbox_transport", or "fallback_transport" +# feature of the Postfix local delivery agent (see local(8)). +# +# Details are described in the LOCAL_RECIPIENT_README file. +# +# Beware: if the Postfix SMTP server runs chrooted, you probably have +# to access the passwd file via the proxymap service, in order to +# overcome chroot restrictions. The alternative, having a copy of +# the system passwd file in the chroot jail is just not practical. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify a bare username, an @domain.tld +# wild-card, or specify a user@domain.tld address. +# +#local_recipient_maps = unix:passwd.byname $alias_maps +#local_recipient_maps = proxy:unix:passwd.byname $alias_maps +#local_recipient_maps = + +# The unknown_local_recipient_reject_code specifies the SMTP server +# response code when a recipient domain matches $mydestination or +# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty +# and the recipient address or address local-part is not found. +# +# The default setting is 550 (reject mail) but it is safer to start +# with 450 (try again later) until you are certain that your +# local_recipient_maps settings are OK. +# +unknown_local_recipient_reject_code = 550 + +# TRUST AND RELAY CONTROL + +# The mynetworks parameter specifies the list of "trusted" SMTP +# clients that have more privileges than "strangers". +# +# In particular, "trusted" SMTP clients are allowed to relay mail +# through Postfix. See the smtpd_recipient_restrictions parameter +# in postconf(5). +# +# You can specify the list of "trusted" network addresses by hand +# or you can let Postfix do it for you (which is the default). +# +# By default (mynetworks_style = subnet), Postfix "trusts" SMTP +# clients in the same IP subnetworks as the local machine. +# On Linux, this does works correctly only with interfaces specified +# with the "ifconfig" command. +# +# Specify "mynetworks_style = class" when Postfix should "trust" SMTP +# clients in the same IP class A/B/C networks as the local machine. +# Don't do this with a dialup site - it would cause Postfix to "trust" +# your entire provider's network. Instead, specify an explicit +# mynetworks list by hand, as described below. +# +# Specify "mynetworks_style = host" when Postfix should "trust" +# only the local machine. +# +#mynetworks_style = class +#mynetworks_style = subnet +#mynetworks_style = host + +# Alternatively, you can specify the mynetworks list by hand, in +# which case Postfix ignores the mynetworks_style setting. +# +# Specify an explicit list of network/netmask patterns, where the +# mask specifies the number of bits in the network part of a host +# address. +# +# You can also specify the absolute pathname of a pattern file instead +# of listing the patterns here. Specify type:table for table-based lookups +# (the value on the table right-hand side is not used). +# +#mynetworks = 168.100.189.0/28, 127.0.0.0/8 +#mynetworks = $config_directory/mynetworks +#mynetworks = hash:/etc/postfix/network_table + +# The relay_domains parameter restricts what destinations this system will +# relay mail to. See the smtpd_recipient_restrictions description in +# postconf(5) for detailed information. +# +# By default, Postfix relays mail +# - from "trusted" clients (IP address matches $mynetworks) to any destination, +# - from "untrusted" clients to destinations that match $relay_domains or +# subdomains thereof, except addresses with sender-specified routing. +# The default relay_domains value is $mydestination. +# +# In addition to the above, the Postfix SMTP server by default accepts mail +# that Postfix is final destination for: +# - destinations that match $inet_interfaces or $proxy_interfaces, +# - destinations that match $mydestination +# - destinations that match $virtual_alias_domains, +# - destinations that match $virtual_mailbox_domains. +# These destinations do not need to be listed in $relay_domains. +# +# Specify a list of hosts or domains, /file/name patterns or type:name +# lookup tables, separated by commas and/or whitespace. Continue +# long lines by starting the next line with whitespace. A file name +# is replaced by its contents; a type:name table is matched when a +# (parent) domain appears as lookup key. +# +# NOTE: Postfix will not automatically forward mail for domains that +# list this system as their primary or backup MX host. See the +# permit_mx_backup restriction description in postconf(5). +# +#relay_domains = $mydestination + +# INTERNET OR INTRANET + +# The relayhost parameter specifies the default host to send mail to +# when no entry is matched in the optional transport(5) table. When +# no relayhost is given, mail is routed directly to the destination. +# +# On an intranet, specify the organizational domain name. If your +# internal DNS uses no MX records, specify the name of the intranet +# gateway host instead. +# +# In the case of SMTP, specify a domain, host, host:port, [host]:port, +# [address] or [address]:port; the form [host] turns off MX lookups. +# +# If you're connected via UUCP, see also the default_transport parameter. +# +#relayhost = $mydomain +#relayhost = [gateway.my.domain] +#relayhost = [mailserver.isp.tld] +#relayhost = uucphost +#relayhost = [an.ip.add.ress] + +# REJECTING UNKNOWN RELAY USERS +# +# The relay_recipient_maps parameter specifies optional lookup tables +# with all addresses in the domains that match $relay_domains. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown relay users. This feature is off by default. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify an @domain.tld wild-card, or specify +# a user@domain.tld address. +# +#relay_recipient_maps = hash:/etc/postfix/relay_recipients + +# INPUT RATE CONTROL +# +# The in_flow_delay configuration parameter implements mail input +# flow control. This feature is turned on by default, although it +# still needs further development (it's disabled on SCO UNIX due +# to an SCO bug). +# +# A Postfix process will pause for $in_flow_delay seconds before +# accepting a new message, when the message arrival rate exceeds the +# message delivery rate. With the default 100 SMTP server process +# limit, this limits the mail inflow to 100 messages a second more +# than the number of messages delivered per second. +# +# Specify 0 to disable the feature. Valid delays are 0..10. +# +#in_flow_delay = 1s + +# ADDRESS REWRITING +# +# The ADDRESS_REWRITING_README document gives information about +# address masquerading or other forms of address rewriting including +# username->Firstname.Lastname mapping. + +# ADDRESS REDIRECTION (VIRTUAL DOMAIN) +# +# The VIRTUAL_README document gives information about the many forms +# of domain hosting that Postfix supports. + +# "USER HAS MOVED" BOUNCE MESSAGES +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# TRANSPORT MAP +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# ALIAS DATABASE +# +# The alias_maps parameter specifies the list of alias databases used +# by the local delivery agent. The default list is system dependent. +# +# On systems with NIS, the default is to search the local alias +# database, then the NIS alias database. See aliases(5) for syntax +# details. +# +# If you change the alias database, run "postalias /etc/aliases" (or +# wherever your system stores the mail alias file), or simply run +# "newaliases" to build the necessary DBM or DB file. +# +# It will take a minute or so before changes become visible. Use +# "postfix reload" to eliminate the delay. +# +#alias_maps = dbm:/etc/aliases +#alias_maps = hash:/etc/aliases +#alias_maps = hash:/etc/aliases, nis:mail.aliases +#alias_maps = netinfo:/aliases + +# The alias_database parameter specifies the alias database(s) that +# are built with "newaliases" or "sendmail -bi". This is a separate +# configuration parameter, because alias_maps (see above) may specify +# tables that are not necessarily all under control by Postfix. +# +#alias_database = dbm:/etc/aliases +#alias_database = dbm:/etc/mail/aliases +#alias_database = hash:/etc/aliases +#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases + +# ADDRESS EXTENSIONS (e.g., user+foo) +# +# The recipient_delimiter parameter specifies the separator between +# user names and address extensions (user+foo). See canonical(5), +# local(8), relocated(5) and virtual(5) for the effects this has on +# aliases, canonical, virtual, relocated and .forward file lookups. +# Basically, the software tries user+foo and .forward+foo before +# trying user and .forward. +# +#recipient_delimiter = + + +# DELIVERY TO MAILBOX +# +# The home_mailbox parameter specifies the optional pathname of a +# mailbox file relative to a user's home directory. The default +# mailbox file is /var/spool/mail/user or /var/mail/user. Specify +# "Maildir/" for qmail-style delivery (the / is required). +# +#home_mailbox = Mailbox +#home_mailbox = Maildir/ + +# The mail_spool_directory parameter specifies the directory where +# UNIX-style mailboxes are kept. The default setting depends on the +# system type. +# +#mail_spool_directory = /var/mail +#mail_spool_directory = /var/spool/mail + +# The mailbox_command parameter specifies the optional external +# command to use instead of mailbox delivery. The command is run as +# the recipient with proper HOME, SHELL and LOGNAME environment settings. +# Exception: delivery for root is done as $default_user. +# +# Other environment variables of interest: USER (recipient username), +# EXTENSION (address extension), DOMAIN (domain part of address), +# and LOCAL (the address localpart). +# +# Unlike other Postfix configuration parameters, the mailbox_command +# parameter is not subjected to $parameter substitutions. This is to +# make it easier to specify shell syntax (see example below). +# +# Avoid shell meta characters because they will force Postfix to run +# an expensive shell process. Procmail alone is expensive enough. +# +# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN +# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. +# +#mailbox_command = /some/where/procmail +#mailbox_command = /some/where/procmail -a "$EXTENSION" + +# The mailbox_transport specifies the optional transport in master.cf +# to use after processing aliases and .forward files. This parameter +# has precedence over the mailbox_command, fallback_transport and +# luser_relay parameters. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#mailbox_transport = lmtp:unix:/file/name +#mailbox_transport = cyrus + +# The fallback_transport specifies the optional transport in master.cf +# to use for recipients that are not found in the UNIX passwd database. +# This parameter has precedence over the luser_relay parameter. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#fallback_transport = lmtp:unix:/file/name +#fallback_transport = cyrus +#fallback_transport = + +# The luser_relay parameter specifies an optional destination address +# for unknown recipients. By default, mail for unknown@$mydestination, +# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned +# as undeliverable. +# +# The following expansions are done on luser_relay: $user (recipient +# username), $shell (recipient shell), $home (recipient home directory), +# $recipient (full recipient address), $extension (recipient address +# extension), $domain (recipient domain), $local (entire recipient +# localpart), $recipient_delimiter. Specify ${name?value} or +# ${name:value} to expand value only when $name does (does not) exist. +# +# luser_relay works only for the default Postfix local delivery agent. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must specify "local_recipient_maps =" (i.e. empty) in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#luser_relay = $user@other.host +#luser_relay = $local@other.host +#luser_relay = admin+$local + +# JUNK MAIL CONTROLS +# +# The controls listed here are only a very small subset. The file +# SMTPD_ACCESS_README provides an overview. + +# The header_checks parameter specifies an optional table with patterns +# that each logical message header is matched against, including +# headers that span multiple physical lines. +# +# By default, these patterns also apply to MIME headers and to the +# headers of attached messages. With older Postfix versions, MIME and +# attached message headers were treated as body text. +# +# For details, see "man header_checks". +# +#header_checks = regexp:/etc/postfix/header_checks + +# FAST ETRN SERVICE +# +# Postfix maintains per-destination logfiles with information about +# deferred mail, so that mail can be flushed quickly with the SMTP +# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". +# See the ETRN_README document for a detailed description. +# +# The fast_flush_domains parameter controls what destinations are +# eligible for this service. By default, they are all domains that +# this server is willing to relay mail to. +# +#fast_flush_domains = $relay_domains + +# SHOW SOFTWARE VERSION OR NOT +# +# The smtpd_banner parameter specifies the text that follows the 220 +# code in the SMTP server's greeting banner. Some people like to see +# the mail version advertised. By default, Postfix shows no version. +# +# You MUST specify $myhostname at the start of the text. That is an +# RFC requirement. Postfix itself does not care. +# +#smtpd_banner = $myhostname ESMTP $mail_name +#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) + +# PARALLEL DELIVERY TO THE SAME DESTINATION +# +# How many parallel deliveries to the same user or domain? With local +# delivery, it does not make sense to do massively parallel delivery +# to the same user, because mailbox updates must happen sequentially, +# and expensive pipelines in .forward files can cause disasters when +# too many are run at the same time. With SMTP deliveries, 10 +# simultaneous connections to the same domain could be sufficient to +# raise eyebrows. +# +# Each message delivery transport has its XXX_destination_concurrency_limit +# parameter. The default is $default_destination_concurrency_limit for +# most delivery transports. For the local delivery agent the default is 2. + +#local_destination_concurrency_limit = 2 +#default_destination_concurrency_limit = 20 + +# DEBUGGING CONTROL +# +# The debug_peer_level parameter specifies the increment in verbose +# logging level when an SMTP client or server host name or address +# matches a pattern in the debug_peer_list parameter. +# +debug_peer_level = 2 + +# The debug_peer_list parameter specifies an optional list of domain +# or network patterns, /file/name patterns or type:name tables. When +# an SMTP client or server host name or address matches a pattern, +# increase the verbose logging level by the amount specified in the +# debug_peer_level parameter. +# +#debug_peer_list = 127.0.0.1 +#debug_peer_list = some.domain + +# The debugger_command specifies the external command that is executed +# when a Postfix daemon program is run with the -D option. +# +# Use "command .. & sleep 5" so that the debugger can attach before +# the process marches on. If you use an X-based debugger, be sure to +# set up your XAUTHORITY environment variable before starting Postfix. +# +debugger_command = + PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin + ddd $daemon_directory/$process_name $process_id & sleep 5 + +# If you can't use X, use this to capture the call stack when a +# daemon crashes. The result is in a file in the configuration +# directory, and is named after the process name and the process ID. +# +# debugger_command = +# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; +# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 +# >$config_directory/$process_name.$process_id.log & sleep 5 +# +# Another possibility is to run gdb under a detached screen session. +# To attach to the screen sesssion, su root and run "screen -r +# " where uniquely matches one of the detached +# sessions (from "screen -list"). +# +# debugger_command = +# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen +# -dmS $process_name gdb $daemon_directory/$process_name +# $process_id & sleep 1 + +# INSTALL-TIME CONFIGURATION INFORMATION +# +# The following parameters are used when installing a new Postfix version. +# +# sendmail_path: The full pathname of the Postfix sendmail command. +# This is the Sendmail-compatible mail posting interface. +# +sendmail_path = /usr/sbin/sendmail + +# newaliases_path: The full pathname of the Postfix newaliases command. +# This is the Sendmail-compatible command to build alias databases. +# +newaliases_path = /usr/bin/newaliases + +# mailq_path: The full pathname of the Postfix mailq command. This +# is the Sendmail-compatible mail queue listing command. +# +mailq_path = /usr/bin/mailq + +# setgid_group: The group for mail submission and queue management +# commands. This must be a group name with a numerical group ID that +# is not shared with other accounts, not even with the Postfix account. +# +setgid_group = postdrop + +# html_directory: The location of the Postfix HTML documentation. +# +html_directory = /usr/share/doc/postfix-2.8.9/html + +# manpage_directory: The location of the Postfix on-line manual pages. +# +manpage_directory = /usr/share/man + +# sample_directory: The location of the Postfix sample configuration files. +# This parameter is obsolete as of Postfix 2.1. +# +sample_directory = /etc/postfix + +# readme_directory: The location of the Postfix README files. +# +readme_directory = /usr/share/doc/postfix-2.8.9/readme +home_mailbox = .maildir/ +#alias_maps = mysql:/etc/postfix/mysql-aliases.cf +alias_maps = hash:/etc/postfix/maps/aliases +anvil_status_update_time = 3600s +body_checks = pcre:/etc/postfix/maps/body_checks +bounce_template_file = /etc/postfix/bounce-templates/bounce.de-DE.cf +broken_sasl_auth_clients = yes +#canonical_maps = mysql:/etc/postfix/mysql-canonical.cf +canonical_maps = hash:/etc/postfix/maps/canonical +cyrus_sasl_config_path = /etc/sasl2 +default_destination_concurrency_limit = 5 +header_checks = pcre:/etc/postfix/maps/header_checks +inet_protocols = all +local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname +mail_spool_directory = /var/spool/mail +mailbox_size_limit = 512000000 +message_size_limit = 51200000 +#mydestination = $myhostname, $mydomain, mysql:/etc/postfix/mysql-mydomains.cf +mydestination = $myhostname, $mydomain, hash:/etc/postfix/maps/mydomains +mydomain = brehm-online.com +myhostname = helga.brehm-online.com +mynetworks = 127.0.0.0/8 85.214.134.152/32 85.214.109.1/32 [::1]/128 [2a01:238:4225:6e00:8f8c:808a:7fb8:88df]/128 +mynetworks_style = host +myorigin = $mydomain +#recipient_bcc_maps = mysql:/etc/postfix/mysql-recipient_bcc.cf +recipient_bcc_maps = hash:/etc/postfix/maps/recipient_bcc +#relay_clientcerts = hash:/etc/postfix/relay_clientcerts +relay_clientcerts = hash:/etc/postfix/maps/relay_clientcerts +#relay_domains = mysql:/etc/postfix/mysql-relay-domains.cf +relay_domains = hash:/etc/postfix/maps/relay_domains +#relocated_maps = mysql:/etc/postfix/mysql-relocated.cf +relocated_maps = hash:/etc/postfix/maps/relocated +#sender_bcc_maps = mysql:/etc/postfix/mysql-sender_bcc.cf +sender_bcc_maps = hash:/etc/postfix/maps/sender_bcc +smtp_generic_maps = hash:/etc/postfix/maps/generic +smtp_tls_CAfile = /etc/ssl/CA-Brehm/cacert.pem +smtp_tls_cert_file = /etc/postfix/postfix.pem +smtp_tls_enforce_peername = no +smtp_use_tls = yes +smtpd_banner = $myhostname ESMTP Frank Brehms Mail Service $mail_name ($mail_version) + +smtpd_recipient_restrictions = + check_client_access cidr:/etc/postfix/maps/access_client, + check_recipient_access hash:/etc/postfix/maps/access_recipient, + check_helo_access hash:/etc/postfix/maps/access_helo, + check_sender_access hash:/etc/postfix/maps/access_sender, + reject_non_fqdn_recipient, + reject_unknown_recipient_domain, + reject_non_fqdn_sender, + reject_unknown_sender_domain, + reject_invalid_helo_hostname, + permit_mynetworks, + permit_sasl_authenticated, + permit_tls_clientcerts, + reject_rbl_client zen.spamhaus.org, + reject_rbl_client ix.dnsbl.manitu.net, + check_policy_service unix:private/postgrey, + check_policy_service inet:127.0.0.1:12525, + reject_unverified_recipient, + permit_mx_backup, + reject_unauth_destination, + permit + +smtpd_sasl_auth_enable = yes +smtpd_tls_CAfile = $smtp_tls_CAfile +smtpd_tls_cert_file = $smtp_tls_cert_file +smtpd_tls_key_file = $smtp_tls_cert_file +smtpd_tls_loglevel = 1 +smtpd_tls_received_header = yes +smtpd_use_tls = yes +transport_maps = hash:/etc/postfix/maps/transport +#virtual_alias_domains = mysql:/etc/postfix/mysql-virtual-alias-domains.cf +virtual_alias_domains = hash:/etc/postfix/maps/virtual_alias_domains +#virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf +virtual_alias_maps = hash:/etc/postfix/maps/virtual_alias_maps +virtual_gid_maps = static:1023 +virtual_mailbox_base = / +#virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf +virtual_mailbox_domains = hash:/etc/postfix/maps/virtual_mailbox_domains +virtual_mailbox_limit = 512000000 +#virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf +virtual_mailbox_maps = hash:/etc/postfix/maps/virtual_mailbox_maps +virtual_uid_maps = static:1023 diff --git a/config-archive/etc/postfix/main.cf.dist b/config-archive/etc/postfix/main.cf.dist index f08724a..85273d8 100644 --- a/config-archive/etc/postfix/main.cf.dist +++ b/config-archive/etc/postfix/main.cf.dist @@ -5,7 +5,7 @@ # For common configuration examples, see BASIC_CONFIGURATION_README # and STANDARD_CONFIGURATION_README. To find these documents, use # the command "postconf html_directory readme_directory", or go to -# http://www.postfix.org/. +# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc. # # For best results, change no more than 2-3 parameters at a time, # and test if Postfix still works after every change. @@ -640,7 +640,7 @@ setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # -html_directory = /usr/share/doc/postfix-2.10.3/html +html_directory = /usr/share/doc/postfix-2.11.3/html # manpage_directory: The location of the Postfix on-line manual pages. # @@ -653,5 +653,5 @@ sample_directory = /etc/postfix # readme_directory: The location of the Postfix README files. # -readme_directory = /usr/share/doc/postfix-2.10.3/readme +readme_directory = /usr/share/doc/postfix-2.11.3/readme home_mailbox = .maildir/ diff --git a/config-archive/etc/postfix/master.cf b/config-archive/etc/postfix/master.cf index eecc1c2..ac18012 100644 --- a/config-archive/etc/postfix/master.cf +++ b/config-archive/etc/postfix/master.cf @@ -34,8 +34,6 @@ localhost:10025 inet n - n - - smtpd -o content_filter= -o smtpd_proxy_filter= -o smtpd_authorized_xforward_hosts=127.0.0.0/8 - -o smtpd_client_restictions= - -o smtpd_helo_restictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions= diff --git a/config-archive/etc/postfix/master.cf.1 b/config-archive/etc/postfix/master.cf.1 new file mode 100644 index 0000000..eecc1c2 --- /dev/null +++ b/config-archive/etc/postfix/master.cf.1 @@ -0,0 +1,143 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master"). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== +smtp inet n - n - - smtpd + -o content_filter= + -o smtpd_proxy_filter=localhost:10024 +#smtp inet n - n - 1 postscreen +#smtpd pass - - n - - smtpd +#dnsblog unix - - n - 0 dnsblog +#tlsproxy unix - - n - 0 tlsproxy +#submission inet n - n - - smtpd +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_client_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#smtps inet n - n - - smtpd +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_client_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +smtps inet n - n - - smtpd + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o content_filter= + -o smtpd_proxy_filter=localhost:10024 +localhost:10025 inet n - n - - smtpd + -o content_filter= + -o smtpd_proxy_filter= + -o smtpd_authorized_xforward_hosts=127.0.0.0/8 + -o smtpd_client_restictions= + -o smtpd_helo_restictions= + -o smtpd_sender_restrictions= + -o smtpd_recipient_restrictions=permit_mynetworks,reject + -o smtpd_data_restrictions= + -o mynetworks=127.0.0.0/8 + -o receive_override_options=no_unknown_recipient_checks +#628 inet n - n - - qmqpd +pickup fifo n - n 60 1 pickup +# -o content_filter=smtp:[localhost]:10024 +cleanup unix n - n - 0 cleanup +qmgr fifo n - n 300 1 qmgr +#qmgr fifo n - n 300 1 oqmgr +tlsmgr unix - - n 1000? 1 tlsmgr +rewrite unix - - n - - trivial-rewrite +bounce unix - - n - 0 bounce +defer unix - - n - 0 bounce +trace unix - - n - 0 bounce +verify unix - - n - 1 verify +flush unix n - n 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - n - - smtp +# When relaying mail as backup MX, disable fallback_relay to avoid MX loops +relay unix - - n - - smtp + -o smtp_fallback_relay= +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - n - - showq +error unix - - n - - error +retry unix - - n - - error +discard unix - - n - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - n - - lmtp +anvil unix - - n - 1 anvil +scache unix - - n - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +#maildrop unix - n n - - pipe +# flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +#uucp unix - n n - - pipe +# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# ==================================================================== +# +# Other external delivery methods. +# +#ifmail unix - n n - - pipe +# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +# +#bsmtp unix - n n - - pipe +# flags=Fq. user=bsmtp argv=/usr/sbin/bsmtp -f $sender $nexthop $recipient +# +#scalemail-backend unix - n n - 2 pipe +# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store +# ${nexthop} ${user} ${extension} +# +#mailman unix - n n - - pipe +# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py +# ${nexthop} ${user} +# +# Greylisting +# ==================================================================== +policy unix - n n - - spawn + user=nobody argv=/usr/bin/perl -T /etc/postfix/greylist/greylist.pl diff --git a/config-archive/etc/postfix/master.cf.dist.new b/config-archive/etc/postfix/master.cf.dist.new index ec708eb..79ca4bb 100644 --- a/config-archive/etc/postfix/master.cf.dist.new +++ b/config-archive/etc/postfix/master.cf.dist.new @@ -1,6 +1,7 @@ # # Postfix master process configuration file. For details on the format -# of the file, see the master(5) manual page (command: "man 5 master"). +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). # # Do not forget to execute "postfix reload" after editing this file. # @@ -21,7 +22,8 @@ smtp inet n - n - - smtpd # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions -# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #smtps inet n - n - - smtpd # -o syslog_name=postfix/smtps @@ -31,7 +33,8 @@ smtp inet n - n - - smtpd # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions -# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - n - - qmqpd pickup unix n - n 60 1 pickup diff --git a/config-archive/etc/postfix/postgrey_whitelist_clients b/config-archive/etc/postfix/postgrey_whitelist_clients new file mode 100644 index 0000000..480e8e0 --- /dev/null +++ b/config-archive/etc/postfix/postgrey_whitelist_clients @@ -0,0 +1,223 @@ +# postgrey whitelist for mail client hostnames +# -------------------------------------------- +# put this file in /etc/postfix or specify its path +# with --whitelist-clients=xxx +# +# postgrey version: 1.34, build date: 2011-05-04 + +# greylisting.org: Southwest Airlines (unique sender, no retry) +southwest.com +# greylisting.org: isp.belgacom.be (wierd retry pattern) +isp.belgacom.be +# greylisting.org: Ameritrade (no retry) +ameritradeinfo.com +# greylisting.org: Amazon.com (unique sender with letters) +amazon.com +# 2004-05-20: Linux kernel mailing-list (unique sender with letters) +vger.kernel.org +# 2004-06-02: karger.ch, no retry +karger.ch +# 2004-06-02: lilys.ch, (slow: 4 hours) +server-x001.hostpoint.ch +# 2004-06-09: roche.com (no retry) +gw.bas.roche.com +# 2004-06-09: newsletter (no retry) +mail.hhlaw.com +# 2004-06-09: no retry (reported by Ralph Hildebrandt) +prd051.appliedbiosystems.com +# 2004-06-17: swissre.com (no retry) +swissre.com +# 2004-06-17: dowjones.com newsletter (unique sender with letters) +returns.dowjones.com +# 2004-06-18: switch.ch (works but personnel is confused by the error) +domin.switch.ch +# 2004-06-23: accor-hotels.com (slow: 6 hours) +accor-hotels.com +# 2004-06-29: rr.com (no retry, reported by Duncan Hill) +/^ms-smtp.*\.rr\.com$/ +# 2004-06-29: cox.net (no retry, reported by Duncan Hill) +/^lake.*mta.*\.cox\.net$/ +# 2004-06-29: motorola.com (no retry) +mot.com +# 2004-07-01: nic.fr (address verification, reported by Arnaud Launay) +nic.fr +# 2004-07-01: verizon.net (address verification, reported by Bill Moran and Eric, adapted by Adam C. Mathews) +/^s[cv]\d+pub\.verizon\.net$/ +# 2004-07-02: cs.columbia.edu (no retry) +cs.columbia.edu +# 2004-07-02: papersinvited.com (no retry) +66.216.126.174 +# 2004-07-02: telekom.de (slow: 6 hours) +/^mail\d+\.telekom\.de$/ +# 2004-07-04: tiscali.dk (slow: 12 hours, reported by Klaus Alexander Seistrup) +/^smtp\d+\.tiscali\.dk$/ +# 2004-07-04: freshmeat.net (address verification) +freshmeat.net +# 2004-07-11: zd-swx.com (unique sender with letters, reported by Bill Landry) +zd-swx.com +# 2004-07-11: lockergnome.wc09.net (unique sender with letters, reported by Bill Landry) +lockergnome.wc09.net +# 2004-07-19: mxlogic.net (no retry, reported by Eric) +p01m168.mxlogic.net +p02m169.mxlogic.net +# 2004-09-08: intel.com (pool on different subnets) +/^fmr\d+\.intel\.com$/ +# 2004-09-17: cox-internet.com (no retry, reported by Rod Roark) +/^fe\d+\.cox-internet\.com$/ +# 2004-10-11: logismata.ch (no retry) +logismata.ch +# 2004-11-25: brief.cw.reum.de (no retry, reported by Manuel Oetiker) +brief.cw.reum.de +# 2004-12-03: ingeno.ch (no retry) +qmail.ingeno.ch +# 2004-12-06: rein.ch (no retry) +mail1.thurweb.ch +# 2005-01-26: tu-ilmenau.de (no retry) +piggy.rz.tu-ilmenau.de +# 2005-04-06: polymed.ch (no retry) +mail.polymed.ch +# 2005-06-08: hu-berlin.de (slow: 6 hours, reported by Joachim Schoenberg) +rz.hu-berlin.de +# 2005-06-17: gmail.com (big pool, reported by Beat Mueller) +proxy.gmail.com +# 2005-06-23: cacert.org (address verification, reported by Martin Lohmeier) +cacert.org +# 2005-07-27: polytech.univ-mrs.fr (no retry, reported by Giovanni Mandorino) +polytech.univ-mrs.fr +# 2005-08-05: gnu.org (address verification, reported by Martin Lohmeier) +gnu.org +# 2005-08-17: ciphirelabs.com (needs fast responses, reported by Sven Mueller) +cs.ciphire.net +# 2005-11-11: lufthansa (no retry, reported by Peter Bieringer) +/^gateway\d+\.np4\.de$/ +# 2005-11-23: arcor-online.net (slow: 12 hours, reported by Bernd Zeimetz) +/^mail-in-\d+\.arcor-online\.net$/ +# 2005-12-29: netsolmail.com (no retry, reported by Gareth Greenaway) +netsolmail.com +# mail.likopris.si (no retry, reported by Vito Robar) +193.77.153.67 +# jcsw.nato.int (several servers, no retry, reported by Vito Robar) +195.235.39 +# tesla.vtszg.hr (no retry, reported by Vito Robar) +tesla.vtszg.hr +# mailgw*.iai.co.il (pool of several servers, reported by Vito Robar) +/^mailgw.*\.iai\.co\.il$/ +# gw.stud-serv-mb.si (no retry, reported by Vito Robar) +gw.stud-serv-mb.si +# mail.commandtech.com (no retry, reported by Vito Robar) +216.238.112.99 +# duropack.co.at (no retry, reported by Vito Robar) +193.81.20.195 +# mail.esimit-tech.si (no retry, reported by Vito Robar) +193.77.126.208 +# mail.resotel.be (ocasionally no retry, reported by Vito Robar) +80.200.249.216 +# mail2.alliancefr.be (ocasionally no retry, reported by Vito Robar) +mail2.alliancefr.be +# webserver.turboinstitut.si (no retry, reported by Vito Robar) +webserver.turboinstitut.si +# mil.be (pool of different servers, reported by Vito Robar) +193.191.218.141 +193.191.218.142 +193.191.218.143 +194.7.234.141 +194.7.234.142 +194.7.234.143 +# mail*.usafisnews.org (no retry, reported by Vito Robar) +/^mail\d+\.usafisnews\.org$/ +# odk.fdv.uni-lj.si (no retry, reported by Vito Robar) +/^odk.fdv.uni-lj.si$/ +# rak-gentoo-1.nameserver.de (no retry, reported by Vito Robar) +rak-gentoo-1.nameserver.de +# dars.si (ocasionally no retry, reported by Vito Robar) +mx.dars.si +# cosis.si (no retry, reported by Vito Robar) +213.143.66.210 +# mta?.siol.net (sometimes no or slow retry; they use intermail, reported by Vito Robar) +/^mta[12].siol.net$/ +# pim-N-N.quickinspirationsmail.com (unique sender, reported by Vito Robar) +/^pim-\d+-\d+\.quickinspirationsmail\.com$/ +# flymonarch (no retry, reported by Marko Djukic) +flymonarch.com +# wxs.nl (no retry, reported by Johannes Fehr) +/^p?smtp.*\.wxs\.nl$/ +# ibm.com (big pool, reported by Casey Peel) +ibm.com +# messagelabs.com (big pool, reported by John Tobin) +/^mail\d+\.messagelabs\.com$/ +# ptb.de (slow, reported by Joachim Schoenberg) +berlin.ptb.de +# registrarmail.net (unique sender names, reported by Simon Waters) +registrarmail.net +# google.com (big pool, reported by Matthias Dyer, Martin Toft) +google.com +# orange.fr (big pool, reported by Loïc Le Loarer) +/^smtp\d+\.orange\.fr$/ +# citigroup.com (slow retry, reported by Michael Monnerie) +/^smtp\d+.citigroup.com$/ +# cruisingclub.ch (no retry) +mail.ccs-cruising.ch +# digg.com (no retry, Debian #406774) +diggstage01.digg.com +# liberal.ca (retries only during 270 seconds, Debian #406774) +smtp.liberal.ca +# pi.ws (pool + long retry, Debian #409851) +/^mail[12]\.pi\.ws$/ +# rambler.ru (big pool, reported by Michael Monnerie) +rambler.ru +# free.fr (big pool, reported by Denis Sacchet) +/^smtp[0-9]+-g[0-9]+\.free\.fr$/ +/^postfix[0-9]+-g[0-9]+\.free\.fr$/ +# thehartford.com (pool + long retry, reported by Jacob Leifman) +/^netmail\d+\.thehartford\.com$/ +# abb.com (only one retry, reported by Roman Plessl) +/^nse\d+\.abb\.com$/ +# 2007-07-27: sourceforge.net (sender verification) +lists.sourceforge.net +# 2007-08-06: polytec.de (no retry, reported by Patrick McLean) +polytec.de +# 2007-09-06: qualiflow.com (no retry, reported by Alex Beckert) +/^mail\d+\.msg\.oleane\.net$/ +# 2007-09-07: nrl.navy.mil (no retry, reported by Axel Beckert) +nrl.navy.mil +# 2007-10-18: aliplast.com (long retry, reported by Johannes Feigl) +mail.aliplast.com +# 2007-10-18: inode.at (long retry, reported by Johannes Feigl) +/^mx\d+\..*\.inode\.at$/ +# 2008-02-01: bol.com (no retry, reported by Frank Breedijk) +/^.*?.server.arvato-systems.de$/ +# 2008-06-05: registeredsite.com (no retry, reported by Fred Kilbourn) +/^(?:mail|fallback-mx)\d+.atl.registeredsite.com$/ +# 2008-07-17: mahidol.ac.th (no retry, reported by Alex Beckert) +saturn.mahidol.ac.th +# 2008-07-18: ebay.com (big pool, reported by Peter Samuelson) +ebay.com +# 2008-07-22: yahoo.com (big pool, reported by Juan Alonso) +yahoo.com +# 2008-11-07: facebook (no retry, reported by Tim Freeman) +/^outmail\d+\.sctm\.tfbnw\.net$/ +# 2009-02-10: server14.cyon.ch (long retry, reported by Alex Beckert) +server14.cyon.ch +# 2009-08-19: 126.com (big pool) +/^m\d+-\d+\.126\.com$/ +# 2010-01-08: tifr.res.in (no retry, reported by Alex Beckert) +home.theory.tifr.res.in +# 2010-01-08: 1blu.de (long retry, reported by Alex Beckert) +ms4-1.1blu.de +# 2010-03-17: chello.at (big pool, reported by Jan-willem van Eys) +/^viefep\d+-int\.chello\.at$/ +# 2010-05-31: nic.nu (long retry, reported by Ivan Sie) +mx.nic.nu +# 2010-06-10: Microsoft servers (long/no retry, reported by Roy McMorran) +bigfish.com +frontbridge.com +microsoft.com +# 2010-06-18: Google/Postini (big pool, reported by Warren Trakman) +postini.com +# 2011-02-04: evanzo-server.de (no retry, reported by Andre Hoepner) +/^mx.*\.evanzo-server\.de$/ +# 2011-05-02: upcmail.net (big pool, reported by Michael Monnerie) +upcmail.net + +mx\.acwain\.net + diff --git a/config-archive/etc/postfix/postgrey_whitelist_clients.dist.new b/config-archive/etc/postfix/postgrey_whitelist_clients.dist.new new file mode 100644 index 0000000..9dbe6bd --- /dev/null +++ b/config-archive/etc/postfix/postgrey_whitelist_clients.dist.new @@ -0,0 +1,220 @@ +# postgrey whitelist for mail client hostnames +# -------------------------------------------- +# put this file in /etc/postfix or specify its path +# with --whitelist-clients=xxx +# +# postgrey version: 1.34, build date: 2011-05-04 + +# greylisting.org: Southwest Airlines (unique sender, no retry) +southwest.com +# greylisting.org: isp.belgacom.be (wierd retry pattern) +isp.belgacom.be +# greylisting.org: Ameritrade (no retry) +ameritradeinfo.com +# greylisting.org: Amazon.com (unique sender with letters) +amazon.com +# 2004-05-20: Linux kernel mailing-list (unique sender with letters) +vger.kernel.org +# 2004-06-02: karger.ch, no retry +karger.ch +# 2004-06-02: lilys.ch, (slow: 4 hours) +server-x001.hostpoint.ch +# 2004-06-09: roche.com (no retry) +gw.bas.roche.com +# 2004-06-09: newsletter (no retry) +mail.hhlaw.com +# 2004-06-09: no retry (reported by Ralph Hildebrandt) +prd051.appliedbiosystems.com +# 2004-06-17: swissre.com (no retry) +swissre.com +# 2004-06-17: dowjones.com newsletter (unique sender with letters) +returns.dowjones.com +# 2004-06-18: switch.ch (works but personnel is confused by the error) +domin.switch.ch +# 2004-06-23: accor-hotels.com (slow: 6 hours) +accor-hotels.com +# 2004-06-29: rr.com (no retry, reported by Duncan Hill) +/^ms-smtp.*\.rr\.com$/ +# 2004-06-29: cox.net (no retry, reported by Duncan Hill) +/^lake.*mta.*\.cox\.net$/ +# 2004-06-29: motorola.com (no retry) +mot.com +# 2004-07-01: nic.fr (address verification, reported by Arnaud Launay) +nic.fr +# 2004-07-01: verizon.net (address verification, reported by Bill Moran and Eric, adapted by Adam C. Mathews) +/^s[cv]\d+pub\.verizon\.net$/ +# 2004-07-02: cs.columbia.edu (no retry) +cs.columbia.edu +# 2004-07-02: papersinvited.com (no retry) +66.216.126.174 +# 2004-07-02: telekom.de (slow: 6 hours) +/^mail\d+\.telekom\.de$/ +# 2004-07-04: tiscali.dk (slow: 12 hours, reported by Klaus Alexander Seistrup) +/^smtp\d+\.tiscali\.dk$/ +# 2004-07-04: freshmeat.net (address verification) +freshmeat.net +# 2004-07-11: zd-swx.com (unique sender with letters, reported by Bill Landry) +zd-swx.com +# 2004-07-11: lockergnome.wc09.net (unique sender with letters, reported by Bill Landry) +lockergnome.wc09.net +# 2004-07-19: mxlogic.net (no retry, reported by Eric) +p01m168.mxlogic.net +p02m169.mxlogic.net +# 2004-09-08: intel.com (pool on different subnets) +/^fmr\d+\.intel\.com$/ +# 2004-09-17: cox-internet.com (no retry, reported by Rod Roark) +/^fe\d+\.cox-internet\.com$/ +# 2004-10-11: logismata.ch (no retry) +logismata.ch +# 2004-11-25: brief.cw.reum.de (no retry, reported by Manuel Oetiker) +brief.cw.reum.de +# 2004-12-03: ingeno.ch (no retry) +qmail.ingeno.ch +# 2004-12-06: rein.ch (no retry) +mail1.thurweb.ch +# 2005-01-26: tu-ilmenau.de (no retry) +piggy.rz.tu-ilmenau.de +# 2005-04-06: polymed.ch (no retry) +mail.polymed.ch +# 2005-06-08: hu-berlin.de (slow: 6 hours, reported by Joachim Schoenberg) +rz.hu-berlin.de +# 2005-06-17: gmail.com (big pool, reported by Beat Mueller) +proxy.gmail.com +# 2005-06-23: cacert.org (address verification, reported by Martin Lohmeier) +cacert.org +# 2005-07-27: polytech.univ-mrs.fr (no retry, reported by Giovanni Mandorino) +polytech.univ-mrs.fr +# 2005-08-05: gnu.org (address verification, reported by Martin Lohmeier) +gnu.org +# 2005-08-17: ciphirelabs.com (needs fast responses, reported by Sven Mueller) +cs.ciphire.net +# 2005-11-11: lufthansa (no retry, reported by Peter Bieringer) +/^gateway\d+\.np4\.de$/ +# 2005-11-23: arcor-online.net (slow: 12 hours, reported by Bernd Zeimetz) +/^mail-in-\d+\.arcor-online\.net$/ +# 2005-12-29: netsolmail.com (no retry, reported by Gareth Greenaway) +netsolmail.com +# mail.likopris.si (no retry, reported by Vito Robar) +193.77.153.67 +# jcsw.nato.int (several servers, no retry, reported by Vito Robar) +195.235.39 +# tesla.vtszg.hr (no retry, reported by Vito Robar) +tesla.vtszg.hr +# mailgw*.iai.co.il (pool of several servers, reported by Vito Robar) +/^mailgw.*\.iai\.co\.il$/ +# gw.stud-serv-mb.si (no retry, reported by Vito Robar) +gw.stud-serv-mb.si +# mail.commandtech.com (no retry, reported by Vito Robar) +216.238.112.99 +# duropack.co.at (no retry, reported by Vito Robar) +193.81.20.195 +# mail.esimit-tech.si (no retry, reported by Vito Robar) +193.77.126.208 +# mail.resotel.be (ocasionally no retry, reported by Vito Robar) +80.200.249.216 +# mail2.alliancefr.be (ocasionally no retry, reported by Vito Robar) +mail2.alliancefr.be +# webserver.turboinstitut.si (no retry, reported by Vito Robar) +webserver.turboinstitut.si +# mil.be (pool of different servers, reported by Vito Robar) +193.191.218.141 +193.191.218.142 +193.191.218.143 +194.7.234.141 +194.7.234.142 +194.7.234.143 +# mail*.usafisnews.org (no retry, reported by Vito Robar) +/^mail\d+\.usafisnews\.org$/ +# odk.fdv.uni-lj.si (no retry, reported by Vito Robar) +/^odk.fdv.uni-lj.si$/ +# rak-gentoo-1.nameserver.de (no retry, reported by Vito Robar) +rak-gentoo-1.nameserver.de +# dars.si (ocasionally no retry, reported by Vito Robar) +mx.dars.si +# cosis.si (no retry, reported by Vito Robar) +213.143.66.210 +# mta?.siol.net (sometimes no or slow retry; they use intermail, reported by Vito Robar) +/^mta[12].siol.net$/ +# pim-N-N.quickinspirationsmail.com (unique sender, reported by Vito Robar) +/^pim-\d+-\d+\.quickinspirationsmail\.com$/ +# flymonarch (no retry, reported by Marko Djukic) +flymonarch.com +# wxs.nl (no retry, reported by Johannes Fehr) +/^p?smtp.*\.wxs\.nl$/ +# ibm.com (big pool, reported by Casey Peel) +ibm.com +# messagelabs.com (big pool, reported by John Tobin) +/^mail\d+\.messagelabs\.com$/ +# ptb.de (slow, reported by Joachim Schoenberg) +berlin.ptb.de +# registrarmail.net (unique sender names, reported by Simon Waters) +registrarmail.net +# google.com (big pool, reported by Matthias Dyer, Martin Toft) +google.com +# orange.fr (big pool, reported by Loïc Le Loarer) +/^smtp\d+\.orange\.fr$/ +# citigroup.com (slow retry, reported by Michael Monnerie) +/^smtp\d+.citigroup.com$/ +# cruisingclub.ch (no retry) +mail.ccs-cruising.ch +# digg.com (no retry, Debian #406774) +diggstage01.digg.com +# liberal.ca (retries only during 270 seconds, Debian #406774) +smtp.liberal.ca +# pi.ws (pool + long retry, Debian #409851) +/^mail[12]\.pi\.ws$/ +# rambler.ru (big pool, reported by Michael Monnerie) +rambler.ru +# free.fr (big pool, reported by Denis Sacchet) +/^smtp[0-9]+-g[0-9]+\.free\.fr$/ +/^postfix[0-9]+-g[0-9]+\.free\.fr$/ +# thehartford.com (pool + long retry, reported by Jacob Leifman) +/^netmail\d+\.thehartford\.com$/ +# abb.com (only one retry, reported by Roman Plessl) +/^nse\d+\.abb\.com$/ +# 2007-07-27: sourceforge.net (sender verification) +lists.sourceforge.net +# 2007-08-06: polytec.de (no retry, reported by Patrick McLean) +polytec.de +# 2007-09-06: qualiflow.com (no retry, reported by Alex Beckert) +/^mail\d+\.msg\.oleane\.net$/ +# 2007-09-07: nrl.navy.mil (no retry, reported by Axel Beckert) +nrl.navy.mil +# 2007-10-18: aliplast.com (long retry, reported by Johannes Feigl) +mail.aliplast.com +# 2007-10-18: inode.at (long retry, reported by Johannes Feigl) +/^mx\d+\..*\.inode\.at$/ +# 2008-02-01: bol.com (no retry, reported by Frank Breedijk) +/^.*?.server.arvato-systems.de$/ +# 2008-06-05: registeredsite.com (no retry, reported by Fred Kilbourn) +/^(?:mail|fallback-mx)\d+.atl.registeredsite.com$/ +# 2008-07-17: mahidol.ac.th (no retry, reported by Alex Beckert) +saturn.mahidol.ac.th +# 2008-07-18: ebay.com (big pool, reported by Peter Samuelson) +ebay.com +# 2008-07-22: yahoo.com (big pool, reported by Juan Alonso) +yahoo.com +# 2008-11-07: facebook (no retry, reported by Tim Freeman) +/^outmail\d+\.sctm\.tfbnw\.net$/ +# 2009-02-10: server14.cyon.ch (long retry, reported by Alex Beckert) +server14.cyon.ch +# 2009-08-19: 126.com (big pool) +/^m\d+-\d+\.126\.com$/ +# 2010-01-08: tifr.res.in (no retry, reported by Alex Beckert) +home.theory.tifr.res.in +# 2010-01-08: 1blu.de (long retry, reported by Alex Beckert) +ms4-1.1blu.de +# 2010-03-17: chello.at (big pool, reported by Jan-willem van Eys) +/^viefep\d+-int\.chello\.at$/ +# 2010-05-31: nic.nu (long retry, reported by Ivan Sie) +mx.nic.nu +# 2010-06-10: Microsoft servers (long/no retry, reported by Roy McMorran) +bigfish.com +frontbridge.com +microsoft.com +# 2010-06-18: Google/Postini (big pool, reported by Warren Trakman) +postini.com +# 2011-02-04: evanzo-server.de (no retry, reported by Andre Hoepner) +/^mx.*\.evanzo-server\.de$/ +# 2011-05-02: upcmail.net (big pool, reported by Michael Monnerie) +upcmail.net diff --git a/config-archive/etc/ssh/ssh_config b/config-archive/etc/ssh/ssh_config index 3974564..1d4aedc 100644 --- a/config-archive/etc/ssh/ssh_config +++ b/config-archive/etc/ssh/ssh_config @@ -57,3 +57,7 @@ ForwardAgent yes # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com +# RekeyLimit 1G 1h + +# Send locale environment variables #367017 +SendEnv LANG LC_* diff --git a/config-archive/etc/ssh/ssh_config.1 b/config-archive/etc/ssh/ssh_config.1 new file mode 100644 index 0000000..3974564 --- /dev/null +++ b/config-archive/etc/ssh/ssh_config.1 @@ -0,0 +1,59 @@ +# $OpenBSD$ + +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for some commonly used options. For a comprehensive +# list of available options, their meanings and defaults, please see the +# ssh_config(5) man page. + +# Host * +# ForwardAgent no +ForwardAgent yes +# ForwardX11 no +# RhostsRSAAuthentication no +# RSAAuthentication yes +# PasswordAuthentication yes +# HostbasedAuthentication no +# GSSAPIAuthentication no +# GSSAPIDelegateCredentials no +# BatchMode no +# CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 +# StrictHostKeyChecking ask +# IdentityFile ~/.ssh/identity +# IdentityFile ~/.ssh/id_rsa +# IdentityFile ~/.ssh/id_dsa +# Port 22 +# Protocol 2,1 +# Cipher 3des +# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc +# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 +# EscapeChar ~ +# AllowedCertPurpose sslserver +# MandatoryCRL no +# CACertificateFile /etc/ssh/ca/ca-bundle.crt +# CACertificatePath /etc/ssh/ca/crt +# CARevocationFile /etc/ssh/ca/ca-bundle.crl +# CARevocationPath /etc/ssh/ca/crl +# UserCACertificateFile ~/.ssh/ca-bundle.crt +# UserCACertificatePath ~/.ssh/crt +# UserCARevocationFile ~/.ssh/ca-bundle.crl +# UserCARevocationPath ~/.ssh/crl +# VAType none +# Tunnel no +# TunnelDevice any:any +# PermitLocalCommand no +# VisualHostKey no +# ProxyCommand ssh -q -W %h:%p gateway.example.com diff --git a/config-archive/etc/ssh/ssh_config.dist b/config-archive/etc/ssh/ssh_config.dist index fde6a76..42874fe 100644 --- a/config-archive/etc/ssh/ssh_config.dist +++ b/config-archive/etc/ssh/ssh_config.dist @@ -1,4 +1,4 @@ -# $OpenBSD$ +# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -40,17 +40,6 @@ # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 # EscapeChar ~ -# AllowedCertPurpose sslserver -# MandatoryCRL no -# CACertificateFile /etc/ssh/ca/ca-bundle.crt -# CACertificatePath /etc/ssh/ca/crt -# CARevocationFile /etc/ssh/ca/ca-bundle.crl -# CARevocationPath /etc/ssh/ca/crl -# UserCACertificateFile ~/.ssh/ca-bundle.crt -# UserCACertificatePath ~/.ssh/crt -# UserCARevocationFile ~/.ssh/ca-bundle.crl -# UserCARevocationPath ~/.ssh/crl -# VAType none # Tunnel no # TunnelDevice any:any # PermitLocalCommand no diff --git a/config-archive/etc/ssh/sshd_config b/config-archive/etc/ssh/sshd_config index 7084972..ed0b2e9 100644 --- a/config-archive/etc/ssh/sshd_config +++ b/config-archive/etc/ssh/sshd_config @@ -24,6 +24,7 @@ #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key # "key type names" for X.509 certificates with RSA key # Note first defined is used in signature operations! @@ -153,8 +154,8 @@ ChallengeResponseAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass @@ -171,6 +172,7 @@ UsePAM yes X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes +#PermitTTY yes PrintMotd no PrintLastLog no #TCPKeepAlive yes @@ -211,6 +213,7 @@ Subsystem sftp /usr/lib64/misc/sftp-server #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no +# PermitTTY no # ForceCommand cvs server # Allow client to pass locale environment variables #367017 diff --git a/config-archive/etc/ssh/sshd_config.1 b/config-archive/etc/ssh/sshd_config.1 index 9a37794..7084972 100644 --- a/config-archive/etc/ssh/sshd_config.1 +++ b/config-archive/etc/ssh/sshd_config.1 @@ -27,8 +27,8 @@ # "key type names" for X.509 certificates with RSA key # Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 #X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 +#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 # "key type names" for X.509 certificates with DSA key # Note first defined is used in signature operations! @@ -95,11 +95,13 @@ #KeyRegenerationInterval 1h #ServerKeyBits 1024 +# Ciphers and keying +#RekeyLimit default none + # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO -#LogLevel DEBUG # Authentication: @@ -117,6 +119,11 @@ PermitRootLogin yes # but this is overridden so installations will only check .ssh/authorized_keys #AuthorizedKeysFile .ssh/authorized_keys +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 @@ -168,23 +175,21 @@ PrintMotd no PrintLastLog no #TCPKeepAlive yes #UseLogin no -#UsePrivilegeSeparation yes +UsePrivilegeSeparation sandbox # Default for new installations. #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid -#MaxStartups 10 +#MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none +#VersionAddendum none # no default banner path #Banner none -# Allow client to pass locale environment variables -AcceptEnv LANG LC_* - # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server @@ -192,18 +197,21 @@ Subsystem sftp /usr/lib64/misc/sftp-server # tcp receive buffer polling. disable in non autotuning kernels #TcpRcvBufPoll yes -# allow the use of the none cipher -#NoneEnabled no - -# disable hpn performance boosts. +# disable hpn performance boosts #HPNDisabled no # buffer size for hpn to non-hpn connections #HPNBufferSize 2048 +# allow the use of the none cipher +#NoneEnabled no + # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server + +# Allow client to pass locale environment variables #367017 +AcceptEnv LANG LC_* diff --git a/config-archive/etc/ssh/sshd_config.2 b/config-archive/etc/ssh/sshd_config.2 new file mode 100644 index 0000000..9a37794 --- /dev/null +++ b/config-archive/etc/ssh/sshd_config.2 @@ -0,0 +1,209 @@ +# $OpenBSD$ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# The default requires explicit activation of protocol 1 +#Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key + +# "key type names" for X.509 certificates with RSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 +#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 + +# "key type names" for X.509 certificates with DSA key +# Note first defined is used in signature operations! +#X509KeyAlgorithm x509v3-sign-dss,dss-asn1 +#X509KeyAlgorithm x509v3-sign-dss,dss-raw + +# The intended use for the X509 client certificate. Without this option +# no chain verification will be done. Currently accepted uses are case +# insensitive: +# - "sslclient", "SSL client", "SSL_client" or "client" +# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" +# - "skip" or ""(empty): don`t check purpose. +#AllowedCertPurpose sslclient + +# Specifies whether self-issued(self-signed) X.509 certificate can be +# allowed only by entry in AutorizedKeysFile that contain matching +# public key or certificate blob. +#KeyAllowSelfIssued no + +# Specifies whether CRL must present in store for all certificates in +# certificate chain with atribute "cRLDistributionPoints" +#MandatoryCRL no + +# A file with multiple certificates of certificate signers +# in PEM format concatenated together. +#CACertificateFile /etc/ssh/ca/ca-bundle.crt + +# A directory with certificates of certificate signers. +# The certificates should have name of the form: [HASH].[NUMBER] +# or have symbolic links to them of this form. +#CACertificatePath /etc/ssh/ca/crt + +# A file with multiple CRL of certificate signers +# in PEM format concatenated together. +#CARevocationFile /etc/ssh/ca/ca-bundle.crl + +# A directory with CRL of certificate signers. +# The CRL should have name of the form: [HASH].r[NUMBER] +# or have symbolic links to them of this form. +#CARevocationPath /etc/ssh/ca/crl + +# LDAP protocol version. +# Example: +# CAldapVersion 2 + +# Note because of OpenSSH options parser limitation +# use %3D instead of = ! +# LDAP initialization may require URL to be escaped, i.e. +# use %2C instead of ,(comma). Escaped URL don't depend from +# LDAP initialization method. +# Example: +# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom + +# SSH can use "Online Certificate Status Protocol"(OCSP) +# to validate certificate. Set VAType to +# - none : do not use OCSP to validate certificates; +# - ocspcert: validate only certificates that specify `OCSP +# Service Locator' URL; +# - ocspspec: use specified in the configuration 'OCSP Responder' +# to validate all certificates. +#VAType none + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO +#LogLevel DEBUG + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin yes +PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +#AuthorizedKeysFile .ssh/authorized_keys + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +PrintMotd no +PrintLastLog no +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10 +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none + +# Allow client to pass locale environment variables +AcceptEnv LANG LC_* + +# override default of no subsystems +Subsystem sftp /usr/lib64/misc/sftp-server + +# the following are HPN related configuration options +# tcp receive buffer polling. disable in non autotuning kernels +#TcpRcvBufPoll yes + +# allow the use of the none cipher +#NoneEnabled no + +# disable hpn performance boosts. +#HPNDisabled no + +# buffer size for hpn to non-hpn connections +#HPNBufferSize 2048 + + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server diff --git a/config-archive/etc/ssh/sshd_config.dist b/config-archive/etc/ssh/sshd_config.dist index c76351a..5683e16 100644 --- a/config-archive/etc/ssh/sshd_config.dist +++ b/config-archive/etc/ssh/sshd_config.dist @@ -1,4 +1,4 @@ -# $OpenBSD$ +# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -26,72 +26,6 @@ #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key -# "key type names" for X.509 certificates with RSA key -# Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-rsa,rsa-sha1 -#X509KeyAlgorithm x509v3-sign-rsa,rsa-md5 - -# "key type names" for X.509 certificates with DSA key -# Note first defined is used in signature operations! -#X509KeyAlgorithm x509v3-sign-dss,dss-asn1 -#X509KeyAlgorithm x509v3-sign-dss,dss-raw - -# The intended use for the X509 client certificate. Without this option -# no chain verification will be done. Currently accepted uses are case -# insensitive: -# - "sslclient", "SSL client", "SSL_client" or "client" -# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" -# - "skip" or ""(empty): don`t check purpose. -#AllowedCertPurpose sslclient - -# Specifies whether self-issued(self-signed) X.509 certificate can be -# allowed only by entry in AutorizedKeysFile that contain matching -# public key or certificate blob. -#KeyAllowSelfIssued no - -# Specifies whether CRL must present in store for all certificates in -# certificate chain with atribute "cRLDistributionPoints" -#MandatoryCRL no - -# A file with multiple certificates of certificate signers -# in PEM format concatenated together. -#CACertificateFile /etc/ssh/ca/ca-bundle.crt - -# A directory with certificates of certificate signers. -# The certificates should have name of the form: [HASH].[NUMBER] -# or have symbolic links to them of this form. -#CACertificatePath /etc/ssh/ca/crt - -# A file with multiple CRL of certificate signers -# in PEM format concatenated together. -#CARevocationFile /etc/ssh/ca/ca-bundle.crl - -# A directory with CRL of certificate signers. -# The CRL should have name of the form: [HASH].r[NUMBER] -# or have symbolic links to them of this form. -#CARevocationPath /etc/ssh/ca/crl - -# LDAP protocol version. -# Example: -# CAldapVersion 2 - -# Note because of OpenSSH options parser limitation -# use %3D instead of = ! -# LDAP initialization may require URL to be escaped, i.e. -# use %2C instead of ,(comma). Escaped URL don't depend from -# LDAP initialization method. -# Example: -# CAldapURL ldap://localhost:389/dc%3Dexample%2Cdc%3Dcom - -# SSH can use "Online Certificate Status Protocol"(OCSP) -# to validate certificate. Set VAType to -# - none : do not use OCSP to validate certificates; -# - ocspcert: validate only certificates that specify `OCSP -# Service Locator' URL; -# - ocspspec: use specified in the configuration 'OCSP Responder' -# to validate all certificates. -#VAType none - # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 @@ -189,13 +123,29 @@ UsePrivilegeSeparation sandbox # Default for new installations. # no default banner path #Banner none +# here are the new patched ldap related tokens +# entries in your LDAP must have posixAccount & ldapPublicKey objectclass +#UseLPK yes +#LpkLdapConf /etc/ldap.conf +#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ +#LpkUserDN ou=users,dc=phear,dc=org +#LpkGroupDN ou=groups,dc=phear,dc=org +#LpkBindDN cn=Manager,dc=phear,dc=org +#LpkBindPw secret +#LpkServerGroup mail +#LpkFilter (hostAccess=master.phear.org) +#LpkForceTLS no +#LpkSearchTimelimit 3 +#LpkBindTimelimit 3 +#LpkPubKeyAttr sshPublicKey + # override default of no subsystems Subsystem sftp /usr/lib64/misc/sftp-server # the following are HPN related configuration options # tcp receive buffer polling. disable in non autotuning kernels #TcpRcvBufPoll yes - + # disable hpn performance boosts #HPNDisabled no diff --git a/config-archive/etc/sudoers b/config-archive/etc/sudoers index 71fe6ca..c003ec9 100644 --- a/config-archive/etc/sudoers +++ b/config-archive/etc/sudoers @@ -74,6 +74,7 @@ root ALL=(ALL) NOPASSWD: ALL ## Uncomment to allow members of group wheel to execute any command %wheel ALL=(ALL) ALL %root ALL=(ALL) NOPASSWD: ALL +nagios ALL=(ALL) NOPASSWD: ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL diff --git a/config-archive/etc/sudoers.1 b/config-archive/etc/sudoers.1 new file mode 100644 index 0000000..71fe6ca --- /dev/null +++ b/config-archive/etc/sudoers.1 @@ -0,0 +1,91 @@ +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +# Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +# User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ +# /usr/bin/pkill, /usr/bin/top + +## +## Defaults specification +## +## You may wish to keep some of the following environment variables +## when running commands via sudo. +## +## Locale settings +# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +## +## Run X applications through sudo; HOME is used to find the +## .Xauthority file. Note that other programs use HOME to find +## configuration files and this may lead to privilege escalation! +# Defaults env_keep += "HOME" +## +## X11 resource path settings +# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +## +## Desktop path settings +# Defaults env_keep += "QTDIR KDEDIR" +## +## Allow sudo-run commands to inherit the callers' ConsoleKit session +# Defaults env_keep += "XDG_SESSION_COOKIE" +## +## Uncomment to enable special input methods. Care should be taken as +## this may allow users to subvert the command being run via sudo. +# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!/usr/local/bin/sudoreplay !log_output +# Defaults!/sbin/reboot !log_output + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) NOPASSWD: ALL + +## Uncomment to allow members of group wheel to execute any command +%wheel ALL=(ALL) ALL +%root ALL=(ALL) NOPASSWD: ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Uncomment to allow members of group sudo to execute any command +# %sudo ALL=(ALL) ALL + +## Uncomment to allow any user to run sudo if they know the password +## of the user they are running the command as (root by default). +# Defaults targetpw # Ask for the password of the target user +# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' + +## Read drop-in files from /etc/sudoers.d +## (the '#' here does not indicate a comment) +#includedir /etc/sudoers.d diff --git a/config-archive/etc/sudoers.dist b/config-archive/etc/sudoers.dist index 0d7760b..4808d47 100644 --- a/config-archive/etc/sudoers.dist +++ b/config-archive/etc/sudoers.dist @@ -27,6 +27,7 @@ ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top +# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff ## ## Defaults specification @@ -60,7 +61,7 @@ # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output # Defaults!/usr/local/bin/sudoreplay !log_output -# Defaults!/sbin/reboot !log_output +# Defaults!REBOOT !log_output ## ## Runas alias specification diff --git a/config-archive/etc/sudoers.dist.new b/config-archive/etc/sudoers.dist.new deleted file mode 100644 index 0d7760b..0000000 --- a/config-archive/etc/sudoers.dist.new +++ /dev/null @@ -1,90 +0,0 @@ -## sudoers file. -## -## This file MUST be edited with the 'visudo' command as root. -## Failure to use 'visudo' may result in syntax or file permission errors -## that prevent sudo from running. -## -## See the sudoers man page for the details on how to write a sudoers file. -## - -## -## Host alias specification -## -## Groups of machines. These may include host names (optionally with wildcards), -## IP addresses, network numbers or netgroups. -# Host_Alias WEBSERVERS = www1, www2, www3 - -## -## User alias specification -## -## Groups of users. These may consist of user names, uids, Unix groups, -## or netgroups. -# User_Alias ADMINS = millert, dowdy, mikef - -## -## Cmnd alias specification -## -## Groups of commands. Often used to group related commands together. -# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ -# /usr/bin/pkill, /usr/bin/top - -## -## Defaults specification -## -## You may wish to keep some of the following environment variables -## when running commands via sudo. -## -## Locale settings -# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" -## -## Run X applications through sudo; HOME is used to find the -## .Xauthority file. Note that other programs use HOME to find -## configuration files and this may lead to privilege escalation! -# Defaults env_keep += "HOME" -## -## X11 resource path settings -# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" -## -## Desktop path settings -# Defaults env_keep += "QTDIR KDEDIR" -## -## Allow sudo-run commands to inherit the callers' ConsoleKit session -# Defaults env_keep += "XDG_SESSION_COOKIE" -## -## Uncomment to enable special input methods. Care should be taken as -## this may allow users to subvert the command being run via sudo. -# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" -## -## Uncomment to enable logging of a command's output, except for -## sudoreplay and reboot. Use sudoreplay to play back logged sessions. -# Defaults log_output -# Defaults!/usr/bin/sudoreplay !log_output -# Defaults!/usr/local/bin/sudoreplay !log_output -# Defaults!/sbin/reboot !log_output - -## -## Runas alias specification -## - -## -## User privilege specification -## -root ALL=(ALL) ALL - -## Uncomment to allow members of group wheel to execute any command -# %wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Uncomment to allow members of group sudo to execute any command -# %sudo ALL=(ALL) ALL - -## Uncomment to allow any user to run sudo if they know the password -## of the user they are running the command as (root by default). -# Defaults targetpw # Ask for the password of the target user -# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' - -## Read drop-in files from /etc/sudoers.d -## (the '#' here does not indicate a comment) -#includedir /etc/sudoers.d diff --git a/config-archive/etc/ulogd.conf.dist b/config-archive/etc/ulogd.conf.dist index bd72e6b..b9e0a98 100644 --- a/config-archive/etc/ulogd.conf.dist +++ b/config-archive/etc/ulogd.conf.dist @@ -1,5 +1,4 @@ # Example configuration for ulogd -# $Id$ # Adapted to Debian by Achilleas Kotsis [global] @@ -9,10 +8,10 @@ # logfile for status messages -logfile="/var/log/ulogd.log" +logfile="/var/log/ulogd/ulogd.log" -# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) -loglevel=1 +# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) (default 5) +# loglevel=1 ###################################################################### # PLUGIN OPTIONS @@ -27,10 +26,12 @@ loglevel=1 plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so" #plugin="/usr/lib64/ulogd/ulogd_inppkt_ULOG.so" +#plugin="/usr/lib64/ulogd/ulogd_inppkt_UNIXSOCK.so" plugin="/usr/lib64/ulogd/ulogd_inpflow_NFCT.so" plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so" plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so" plugin="/usr/lib64/ulogd/ulogd_filter_IP2BIN.so" +#plugin="/usr/lib64/ulogd/ulogd_filter_IP2HBIN.so" plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so" plugin="/usr/lib64/ulogd/ulogd_filter_HWHDR.so" plugin="/usr/lib64/ulogd/ulogd_filter_PRINTFLOW.so" @@ -38,13 +39,16 @@ plugin="/usr/lib64/ulogd/ulogd_filter_PRINTFLOW.so" plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so" plugin="/usr/lib64/ulogd/ulogd_output_SYSLOG.so" plugin="/usr/lib64/ulogd/ulogd_output_XML.so" -#plugin="/usr/lib64/ulogd/ulogd_output_OPRINT.so" +#plugin="/usr/lib64/ulogd/ulogd_output_SQLITE3.so" +plugin="/usr/lib64/ulogd/ulogd_output_GPRINT.so" #plugin="/usr/lib64/ulogd/ulogd_output_NACCT.so" #plugin="/usr/lib64/ulogd/ulogd_output_PCAP.so" #plugin="/usr/lib64/ulogd/ulogd_output_PGSQL.so" #plugin="/usr/lib64/ulogd/ulogd_output_MYSQL.so" #plugin="/usr/lib64/ulogd/ulogd_output_DBI.so" plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so" +plugin="/usr/lib64/ulogd/ulogd_inpflow_NFACCT.so" +plugin="/usr/lib64/ulogd/ulogd_output_GRAPHITE.so" # this is a stack for logging packet send by system via LOGEMU #stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU @@ -58,11 +62,14 @@ plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so" # this is a stack for packet-based logging via LOGEMU with filtering on MARK #stack=log2:NFLOG,mark1:MARK,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU +# this is a stack for packet-based logging via GPRINT +#stack=log1:NFLOG,gp1:GPRINT + # this is a stack for flow-based logging via LOGEMU #stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU -# this is a stack for flow-based logging via OPRINT -#stack=ct1:NFCT,op1:OPRINT +# this is a stack for flow-based logging via GPRINT +#stack=ct1:NFCT,gp1:GPRINT # this is a stack for flow-based logging via XML #stack=ct1:NFCT,xml1:XML @@ -70,6 +77,12 @@ plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so" # this is a stack for logging in XML #stack=log1:NFLOG,xml1:XML +# this is a stack for accounting-based logging via XML +#stack=acct1:NFACCT,xml1:XML + +# this is a stack for accounting-based logging to a Graphite server +#stack=acct1:NFACCT,graphite1:GRAPHITE + # this is a stack for NFLOG packet-based logging to PCAP #stack=log2:NFLOG,base1:BASE,pcap1:PCAP @@ -82,6 +95,9 @@ plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so" # this is a stack for logging packets to syslog after a collect via NFLOG #stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG +# this is a stack for logging packets to syslog after a collect via NuFW +#stack=nuauth1:UNIXSOCK,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG + # this is a stack for flow-based logging to MySQL #stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL @@ -91,19 +107,33 @@ plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so" # this is a stack for flow-based logging to PGSQL without local hash #stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL +# this is a stack for flow-based logging to SQLITE3 +#stack=ct1:NFCT,sqlite3_ct:SQLITE3 + +# this is a stack for logging packet to SQLITE3 +#stack=log1:NFLOG,sqlite3_pkt:SQLITE3 # this is a stack for flow-based logging in NACCT compatible format #stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT +# this is a stack for accounting-based logging via GPRINT +#stack=acct1:NFACCT,gp1:GPRINT + [ct1] #netlink_socket_buffer_size=217088 #netlink_socket_buffer_maxsize=1085440 #netlink_resync_timeout=60 # seconds to wait to perform resynchronization #pollinterval=10 # use poll-based logging instead of event-driven +# If pollinterval is not set, NFCT plugin will work in event mode +# In this case, you can use the following filters on events: +#accept_src_filter=192.168.1.0/24,1:2::/64 # source ip of connection must belong to these networks +#accept_dst_filter=192.168.1.0/24 # destination ip of connection must belong to these networks +#accept_proto_filter=tcp,sctp # layer 4 proto of connections [ct2] #netlink_socket_buffer_size=217088 #netlink_socket_buffer_maxsize=1085440 +#reliable=1 # enable reliable flow-based logging (may drop packets) hash_enable=0 # Logging of system packet through NFLOG @@ -145,19 +175,29 @@ numeric_label=1 # you can label the log info based on the packet verdict nlgroup=1 #numeric_label=0 # optional argument +[nuauth1] +socket_path="/run/nuauth_ulogd2.sock" + [emu1] -file="/var/log/ulogd_syslogemu.log" +file="/var/log/ulogd/ulogd_syslogemu.log" sync=1 [op1] -file="/var/log/ulogd_oprint.log" +file="/var/log/ulogd/ulogd_oprint.log" +sync=1 + +[gp1] +file="/var/log/ulogd/ulogd_gprint.log" sync=1 +timestamp=1 [xml1] -directory="/var/log/" +directory="/var/log/ulogd/" sync=1 [pcap1] +#default file is /var/log/ulogd/ulogd.pcap +#file="/var/log/ulogd/ulogd.pcap" sync=1 [mysql1] @@ -167,12 +207,19 @@ user="nupik" table="ulog" pass="changeme" procedure="INSERT_PACKET_FULL" +# backlog configuration: +# set backlog_memcap to the size of memory that will be +# allocated to store events in memory if data is temporary down +# and insert them when the database came back. +#backlog_memcap=1000000 +# number of events to insert at once when backlog is not empty +#backlog_oneshot_requests=10 [mysql2] db="nulog" host="localhost" user="nupik" -table="ulog" +table="conntrack" pass="changeme" procedure="INSERT_CT" @@ -181,14 +228,28 @@ db="nulog" host="localhost" user="nupik" table="ulog" +#schema="public" pass="changeme" procedure="INSERT_PACKET_FULL" +# connstring can be used to define PostgreSQL connection string which +# contains all parameters of the connection. If set, this value has +# precedence on other variables used to build the connection string. +# See http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING +# for a complete description of options. +#connstring="host=localhost port=4321 dbname=nulog user=nupik password=changeme" +#backlog_memcap=1000000 +#backlog_oneshot_requests=10 +# If superior to 1 a thread dedicated to SQL request execution +# is created. The value stores the number of SQL request to keep +# in the ring buffer +#ring_buffer_size=1000 [pgsql2] db="nulog" host="localhost" user="nupik" table="ulog2_ct" +#schema="public" pass="changeme" procedure="INSERT_CT" @@ -197,9 +258,19 @@ db="nulog" host="localhost" user="nupik" table="ulog2_ct" +#schema="public" pass="changeme" procedure="INSERT_OR_REPLACE_CT" +[pgsql4] +db="nulog" +host="localhost" +user="nupik" +table="nfacct" +#schema="public" +pass="changeme" +procedure="INSERT_NFACCT" + [dbi1] db="ulog2" dbtype="pgsql" @@ -209,11 +280,36 @@ table="ulog" pass="ulog2" procedure="INSERT_PACKET_FULL" +[sqlite3_ct] +table="ulog_ct" +db="/var/log/ulogd/ulogd.sqlite3db" +buffer=200 + +[sqlite3_pkt] +table="ulog_pkt" +db="/var/log/ulogd/ulogd.sqlite3db" +buffer=200 + [sys2] facility=LOG_LOCAL2 [nacct1] sync = 1 +#file = /var/log/ulogd/ulogd_nacct.log [mark1] mark = 1 + +[acct1] +pollinterval = 2 +# If set to 0, we don't reset the counters for each polling (default is 1). +#zerocounter = 0 +# Set timestamp (default is 0, which means not set). This timestamp can be +# interpreted by the output plugin. +#timestamp = 1 + +[graphite1] +host="127.0.0.1" +port="2003" +# Prefix of data name sent to graphite server +prefix="netfilter.nfacct" diff --git a/config-archive/etc/ulogd.conf.dist.new b/config-archive/etc/ulogd.conf.dist.new deleted file mode 100644 index e9bed91..0000000 --- a/config-archive/etc/ulogd.conf.dist.new +++ /dev/null @@ -1,296 +0,0 @@ -# Example configuration for ulogd -# Adapted to Debian by Achilleas Kotsis - -[global] -###################################################################### -# GLOBAL OPTIONS -###################################################################### - - -# logfile for status messages -logfile="/var/log/ulogd/ulogd.log" - -# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) (default 5) -# loglevel=1 - -###################################################################### -# PLUGIN OPTIONS -###################################################################### - -# We have to configure and load all the plugins we want to use - -# general rules: -# 1. load the plugins _first_ from the global section -# 2. options for each plugin in seperate section below - - -plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so" -#plugin="/usr/lib64/ulogd/ulogd_inppkt_ULOG.so" -#plugin="/usr/lib64/ulogd/ulogd_inppkt_UNIXSOCK.so" -plugin="/usr/lib64/ulogd/ulogd_inpflow_NFCT.so" -plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so" -plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so" -plugin="/usr/lib64/ulogd/ulogd_filter_IP2BIN.so" -#plugin="/usr/lib64/ulogd/ulogd_filter_IP2HBIN.so" -plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so" -plugin="/usr/lib64/ulogd/ulogd_filter_HWHDR.so" -plugin="/usr/lib64/ulogd/ulogd_filter_PRINTFLOW.so" -#plugin="/usr/lib64/ulogd/ulogd_filter_MARK.so" -plugin="/usr/lib64/ulogd/ulogd_output_LOGEMU.so" -plugin="/usr/lib64/ulogd/ulogd_output_SYSLOG.so" -plugin="/usr/lib64/ulogd/ulogd_output_XML.so" -#plugin="/usr/lib64/ulogd/ulogd_output_SQLITE3.so" -plugin="/usr/lib64/ulogd/ulogd_output_GPRINT.so" -#plugin="/usr/lib64/ulogd/ulogd_output_NACCT.so" -#plugin="/usr/lib64/ulogd/ulogd_output_PCAP.so" -#plugin="/usr/lib64/ulogd/ulogd_output_PGSQL.so" -#plugin="/usr/lib64/ulogd/ulogd_output_MYSQL.so" -#plugin="/usr/lib64/ulogd/ulogd_output_DBI.so" -plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so" -plugin="/usr/lib64/ulogd/ulogd_inpflow_NFACCT.so" -plugin="/usr/lib64/ulogd/ulogd_output_GRAPHITE.so" - -# this is a stack for logging packet send by system via LOGEMU -#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU - -# this is a stack for packet-based logging via LOGEMU -#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU - -# this is a stack for ULOG packet-based logging via LOGEMU -#stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU - -# this is a stack for packet-based logging via LOGEMU with filtering on MARK -#stack=log2:NFLOG,mark1:MARK,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU - -# this is a stack for packet-based logging via GPRINT -#stack=log1:NFLOG,gp1:GPRINT - -# this is a stack for flow-based logging via LOGEMU -#stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU - -# this is a stack for flow-based logging via GPRINT -#stack=ct1:NFCT,gp1:GPRINT - -# this is a stack for flow-based logging via XML -#stack=ct1:NFCT,xml1:XML - -# this is a stack for logging in XML -#stack=log1:NFLOG,xml1:XML - -# this is a stack for accounting-based logging via XML -#stack=acct1:NFACCT,xml1:XML - -# this is a stack for accounting-based logging to a Graphite server -#stack=acct1:NFACCT,graphite1:GRAPHITE - -# this is a stack for NFLOG packet-based logging to PCAP -#stack=log2:NFLOG,base1:BASE,pcap1:PCAP - -# this is a stack for logging packet to MySQL -#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,mysql1:MYSQL - -# this is a stack for logging packet to PGsql after a collect via NFLOG -#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,pgsql1:PGSQL - -# this is a stack for logging packets to syslog after a collect via NFLOG -#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG - -# this is a stack for logging packets to syslog after a collect via NuFW -#stack=nuauth1:UNIXSOCK,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG - -# this is a stack for flow-based logging to MySQL -#stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL - -# this is a stack for flow-based logging to PGSQL -#stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL - -# this is a stack for flow-based logging to PGSQL without local hash -#stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL - -# this is a stack for flow-based logging to SQLITE3 -#stack=ct1:NFCT,sqlite3_ct:SQLITE3 - -# this is a stack for logging packet to SQLITE3 -#stack=log1:NFLOG,sqlite3_pkt:SQLITE3 - -# this is a stack for flow-based logging in NACCT compatible format -#stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT - -# this is a stack for accounting-based logging via GPRINT -#stack=acct1:NFACCT,gp1:GPRINT - -[ct1] -#netlink_socket_buffer_size=217088 -#netlink_socket_buffer_maxsize=1085440 -#netlink_resync_timeout=60 # seconds to wait to perform resynchronization -#pollinterval=10 # use poll-based logging instead of event-driven -# If pollinterval is not set, NFCT plugin will work in event mode -# In this case, you can use the following filters on events: -#accept_src_filter=192.168.1.0/24,1:2::/64 # source ip of connection must belong to these networks -#accept_dst_filter=192.168.1.0/24 # destination ip of connection must belong to these networks -#accept_proto_filter=tcp,sctp # layer 4 proto of connections - -[ct2] -#netlink_socket_buffer_size=217088 -#netlink_socket_buffer_maxsize=1085440 -#reliable=1 # enable reliable flow-based logging (may drop packets) -hash_enable=0 - -# Logging of system packet through NFLOG -[log1] -# netlink multicast group (the same as the iptables --nflog-group param) -# Group O is used by the kernel to log connection tracking invalid message -group=0 -#netlink_socket_buffer_size=217088 -#netlink_socket_buffer_maxsize=1085440 -# set number of packet to queue inside kernel -#netlink_qthreshold=1 -# set the delay before flushing packet in the queue inside kernel (in 10ms) -#netlink_qtimeout=100 - -# packet logging through NFLOG for group 1 -[log2] -# netlink multicast group (the same as the iptables --nflog-group param) -group=1 # Group has to be different from the one use in log1 -#netlink_socket_buffer_size=217088 -#netlink_socket_buffer_maxsize=1085440 -# If your kernel is older than 2.6.29 and if a NFLOG input plugin with -# group 0 is not used by any stack, you need to have at least one NFLOG -# input plugin with bind set to 1. If you don't do that you may not -# receive any message from the kernel. -#bind=1 - -# packet logging through NFLOG for group 2, numeric_label is -# set to 1 -[log3] -# netlink multicast group (the same as the iptables --nflog-group param) -group=2 # Group has to be different from the one use in log1/log2 -numeric_label=1 # you can label the log info based on the packet verdict -#netlink_socket_buffer_size=217088 -#netlink_socket_buffer_maxsize=1085440 -#bind=1 - -[ulog1] -# netlink multicast group (the same as the iptables --ulog-nlgroup param) -nlgroup=1 -#numeric_label=0 # optional argument - -[nuauth1] -socket_path="/run/nuauth_ulogd2.sock" - -[emu1] -file="/var/log/ulogd/ulogd_syslogemu.log" -sync=1 - -[op1] -file="/var/log/ulogd/ulogd_oprint.log" -sync=1 - -[gp1] -file="/var/log/ulogd/ulogd_gprint.log" -sync=1 -timestamp=1 - -[xml1] -directory="/var/log/ulogd/" -sync=1 - -[pcap1] -#default file is /var/log/ulogd/ulogd.pcap -#file=/var/log/ulogd/ulogd.pcap -sync=1 - -[mysql1] -db="nulog" -host="localhost" -user="nupik" -table="ulog" -pass="changeme" -procedure="INSERT_PACKET_FULL" - -[mysql2] -db="nulog" -host="localhost" -user="nupik" -table="conntrack" -pass="changeme" -procedure="INSERT_CT" - -[pgsql1] -db="nulog" -host="localhost" -user="nupik" -table="ulog" -#schema="public" -pass="changeme" -procedure="INSERT_PACKET_FULL" - -[pgsql2] -db="nulog" -host="localhost" -user="nupik" -table="ulog2_ct" -#schema="public" -pass="changeme" -procedure="INSERT_CT" - -[pgsql3] -db="nulog" -host="localhost" -user="nupik" -table="ulog2_ct" -#schema="public" -pass="changeme" -procedure="INSERT_OR_REPLACE_CT" - -[pgsql4] -db="nulog" -host="localhost" -user="nupik" -table="nfacct" -#schema="public" -pass="changeme" -procedure="INSERT_NFACCT" - -[dbi1] -db="ulog2" -dbtype="pgsql" -host="localhost" -user="ulog2" -table="ulog" -pass="ulog2" -procedure="INSERT_PACKET_FULL" - -[sqlite3_ct] -table="ulog_ct" -db="/var/log/ulogd/ulogd.sqlite3db" -buffer=200 - -[sqlite3_pkt] -table="ulog_pkt" -db="/var/log/ulogd/ulogd.sqlite3db" -buffer=200 - -[sys2] -facility=LOG_LOCAL2 - -[nacct1] -sync = 1 -#file = /var/log/ulogd/ulogd_nacct.log - -[mark1] -mark = 1 - -[acct1] -pollinterval = 2 -# If set to 0, we don't reset the counters for each polling (default is 1). -#zerocounter = 0 -# Set timestamp (default is 0, which means not set). This timestamp can be -# interpreted by the output plugin. -#timestamp = 1 - -[graphite1] -host="127.0.0.1" -port="2003" -# Prefix of data name sent to graphite server -prefix="netfilter.nfacct" diff --git a/courier-imap/imapd b/courier-imap/imapd index c0d690d..e817027 100644 --- a/courier-imap/imapd +++ b/courier-imap/imapd @@ -1,4 +1,4 @@ -##VERSION: $Id: imapd.dist.in,v 1.41 2008/06/21 16:01:23 mrsam Exp $ +##VERSION: $Id: 2013-08-19 16:39:41 -0400 9c45d9ad13fdf439d44d7443ae75da15ea0223ed$ # # imapd created from imapd.dist by sysconftool # @@ -340,6 +340,24 @@ IMAP_EMPTYTRASH=Trash:7 IMAP_MOVE_EXPUNGE_TO_TRASH=0 +##NAME: IMAP_LOG_DELETIONS:0 +# +# +# Set IMAP_LOG_DELETIONS to log all message deletions to syslog. +# +# IMAP_LOG_DELETIONS=1 + +##NAME: IMAPDEBUGFILE:0 +# +# IMAPDEBUGFILE="imaplog.dat" +# +# Generate diagnostic logging of IMAP commands. +# +# Set this globally, restart the server. Touch this file in an account's +# maildir directory, and Courier-IMAP will append all IMAP commands received +# for new sessions for this account. NOTE: existing IMAP sessions are not +# affected, only new IMAP logins. + ##NAME: OUTBOX:0 # @@ -388,6 +406,30 @@ SENDMAIL=/usr/sbin/sendmail HEADERFROM=X-IMAP-Sender +##NAME: ID_FIELDS:0 +# +# Have the server be polite, and identify its version to the client. The client +# must be logged in before the server will identify itself. Additionally, +# the client will mutually supply its own software version, and the server will +# log it. +# +# Although the server's banner message identifies itself, in free-form manner, +# this the ID IMAP extension, for clients to log. +# +# IMAP_ID_FIELDS is the sum of the following values: +# +# 1 - identify the version of the IMAP server +# 2 - identify the operating system (if available) +# 4 - identify the operating system release (if available) +# +# A value of 0 identifies the server software only. +# +# Uncomment this setting to enable the IMAP ID extension. One reason you might +# want to enable it is to log the clients' software version. Enabling this +# setting will mutually log the client's software, in the system logs. +# +# IMAP_ID_FIELDS=0 + ##NAME: OUTBOX_MULTIPLE_SEND:0 # # Remove the following comment to allow a COPY of more than one message to diff --git a/courier-imap/imapd-ssl b/courier-imap/imapd-ssl index 93e9328..70d7625 100644 --- a/courier-imap/imapd-ssl +++ b/courier-imap/imapd-ssl @@ -1,11 +1,11 @@ -##VERSION: $Id: imapd-ssl.dist.in,v 1.22 2009/08/12 22:25:49 mrsam Exp $ +##VERSION: $Id: 2013-10-14 22:07:39 -0400 37a74ee0f736237b67330c620de7dc08232dec17$ # # imapd-ssl created from imapd-ssl.dist by sysconftool # # Do not alter lines that begin with ##, they are used when upgrading # this configuration. # -# Copyright 2000 - 2008 Double Precision, Inc. See COPYING for +# Copyright 2000 - 2013 Double Precision, Inc. See COPYING for # distribution information. # # This configuration file sets various options for the Courier-IMAP server @@ -104,16 +104,27 @@ IMAP_TLS_REQUIRED=0 COURIERTLS=/usr/sbin/couriertls +##NAME: TLS_PRIORITY:0 +# +# GnuTLS setting only +# +# Set TLS protocol priority settings (GnuTLS only) +# +# DEFAULT: NORMAL:-CTYPE-OPENPGP +# +# TLS_PRIORITY="NORMAL:-CTYPE-OPENPGP" + ##NAME: TLS_PROTOCOL:0 # # TLS_PROTOCOL sets the protocol version. The possible versions are: # # OpenSSL: # -# SSL2 - SSLv2 # SSL3 - SSLv3 -# SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems) +# SSL23 - all protocols (including TLS 1.x protocols) # TLS1 - TLS1 +# TLSv1.1 - TLS1.1 +# TLSv1.2 - TLS1.2 # # Note that this setting, with OpenSSL, is modified by the TLS_CIPHER_LIST # setting, below. @@ -131,7 +142,7 @@ COURIERTLS=/usr/sbin/couriertls # DEFAULT VALUES: # # SSL23 (OpenSSL), or "TLS_1:TLS1:SSL3" (GnuTLS) -TLS_PROTOCOL="SSL3" +TLS_PROTOCOL="SSL23" ##NAME: TLS_STARTTLS_PROTOCOL:0 # @@ -149,10 +160,7 @@ TLS_STARTTLS_PROTOCOL=TLS1 # # OpenSSL: # -# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH" -# -# To enable SSL2, remove the obvious "!SSLv2" part from the above list. -# +# TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH" # # GnuTLS: # @@ -170,6 +178,9 @@ TLS_STARTTLS_PROTOCOL=TLS1 # LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher # is not included # ALL -- all ciphers except the NULL cipher +# +# See GnuTLS documentation, gnutls_priority_init(3) for additional +# documentation. ##NAME: TLS_MIN_DH_BITS:0 # @@ -220,16 +231,6 @@ TLS_CERTS=X509 # This is supposed to be an inactivity timeout, but its not yet implemented. # -##NAME: TLS_DHCERTFILE:0 -# -# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate. -# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA -# you must generate a DH pair that will be used. In most situations the -# DH pair is to be treated as confidential, and the file specified by -# TLS_DHCERTFILE must not be world-readable. -# -# TLS_DHCERTFILE= - ##NAME: TLS_CERTFILE:0 # # TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS @@ -264,6 +265,12 @@ TLS_CERTS=X509 TLS_CERTFILE=/etc/courier-imap/imapd.pem +##NAME: TLS_DHPARAMS:0 +# +# TLS_DHPARAMS - DH parameter file. +# +TLS_DHPARAMS=/usr/share/dhparams.pem + ##NAME: TLS_TRUSTCERTS:0 # # TLS_TRUSTCERTS=pathname - load trusted certificates from pathname. diff --git a/courier-imap/imapd-ssl.orig b/courier-imap/imapd-ssl.orig new file mode 100644 index 0000000..0811b73 --- /dev/null +++ b/courier-imap/imapd-ssl.orig @@ -0,0 +1,307 @@ +##VERSION: $Id: 2013-10-14 22:07:39 -0400 37a74ee0f736237b67330c620de7dc08232dec17$ +# +# imapd-ssl created from imapd-ssl.dist by sysconftool +# +# Do not alter lines that begin with ##, they are used when upgrading +# this configuration. +# +# Copyright 2000 - 2013 Double Precision, Inc. See COPYING for +# distribution information. +# +# This configuration file sets various options for the Courier-IMAP server +# when used to handle SSL IMAP connections. +# +# SSL and non-SSL connections are handled by a dedicated instance of the +# couriertcpd daemon. If you are accepting both SSL and non-SSL IMAP +# connections, you will start two instances of couriertcpd, one on the +# IMAP port 143, and another one on the IMAP-SSL port 993. +# +# Download OpenSSL from http://www.openssl.org/ +# +##NAME: SSLPORT:1 +# +# Options in the imapd-ssl configuration file AUGMENT the options in the +# imapd configuration file. First the imapd configuration file is read, +# then the imapd-ssl configuration file, so we do not have to redefine +# anything. +# +# However, some things do have to be redefined. The port number is +# specified by SSLPORT, instead of PORT. The default port is port 993. +# +# Multiple port numbers can be separated by commas. When multiple port +# numbers are used it is possibly to select a specific IP address for a +# given port as "ip.port". For example, "127.0.0.1.900,192.168.0.1.900" +# accepts connections on port 900 on IP addresses 127.0.0.1 and 192.168.0.1 +# The SSLADDRESS setting is a default for ports that do not have +# a specified IP address. + +SSLPORT=993 + +##NAME: SSLADDRESS:0 +# +# Address to listen on, can be set to a single IP address. +# +# SSLADDRESS=127.0.0.1 + +SSLADDRESS=0 + +##NAME: SSLPIDFILE:0 +# +# That's the SSL IMAP port we'll listen on. +# Feel free to redefine MAXDAEMONS, TCPDOPTS, and MAXPERIP. + +SSLPIDFILE=/var/run/imapd-ssl.pid + +##NAME: SSLLOGGEROPTS:0 +# +# courierlogger(1) options. +# + +SSLLOGGEROPTS="-name=imapd-ssl" + +##NAME: IMAPDSSLSTART:0 +# +# Different pid files, so that both instances of couriertcpd can coexist +# happily. +# +# You can also redefine IMAP_CAPABILITY, although I can't +# think of why you'd want to do that. +# +# +# Ok, the following settings are new to imapd-ssl: +# +# Whether or not to start IMAP over SSL on simap port: + +IMAPDSSLSTART=NO + +##NAME: IMAPDSTARTTLS:0 +# +# Whether or not to implement IMAP STARTTLS extension instead: + +IMAPDSTARTTLS=YES + +##NAME: IMAP_TLS_REQUIRED:1 +# +# Set IMAP_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone. +# (this option advertises the LOGINDISABLED IMAP capability, until STARTTLS +# is issued). + +IMAP_TLS_REQUIRED=0 + + +######################################################################### +# +# The following variables configure IMAP over SSL. If OpenSSL or GnuTLS +# is available during configuration, the couriertls helper gets compiled, and +# upon installation a dummy TLS_CERTFILE gets generated. +# +# WARNING: Peer certificate verification has NOT yet been tested. Proceed +# at your own risk. Only the basic SSL/TLS functionality is known to be +# working. Keep this in mind as you play with the following variables. +# +##NAME: COURIERTLS:0 +# + +COURIERTLS=/usr/sbin/couriertls + +##NAME: TLS_PRIORITY:0 +# +# GnuTLS setting only +# +# Set TLS protocol priority settings (GnuTLS only) +# +# DEFAULT: NORMAL:-CTYPE-OPENPGP +# +# TLS_PRIORITY="NORMAL:-CTYPE-OPENPGP" + +##NAME: TLS_PROTOCOL:0 +# +# TLS_PROTOCOL sets the protocol version. The possible versions are: +# +# OpenSSL: +# +# SSL3 - SSLv3 +# SSL23 - all protocols (including TLS 1.x protocols) +# TLS1 - TLS1 +# TLSv1.1 - TLS1.1 +# TLSv1.2 - TLS1.2 +# +# Leave it unset to use any protocol except SSL 2. + +##NAME: TLS_CIPHER_LIST:0 +# +# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the +# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST +# undefined +# +# OpenSSL: +# +# TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH" +# +# GnuTLS: +# +# TLS_CIPHER_LIST="HIGH:MEDIUM" +# +# The actual list of available ciphers depend on the options GnuTLS was +# compiled against. The possible ciphers are: +# +# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL +# +# Also, the following aliases: +# +# HIGH -- all ciphers that use more than a 128 bit key size +# MEDIUM -- all ciphers that use a 128 bit key size +# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher +# is not included +# ALL -- all ciphers except the NULL cipher +# +# See GnuTLS documentation, gnutls_priority_init(3) for additional +# documentation. + +##NAME: TLS_STARTTLS_PROTOCOL:0 +# +# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the IMAP STARTTLS +# extension, as opposed to IMAP over SSL on port 993. +# +# It takes the same values for OpenSSL as TLS_PROTOCOL + +##NAME: TLS_CIPHER_LIST:0 +# +# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the +# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST +# undefined +# +# OpenSSL: +# +# TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH" +# +# + +##NAME: TLS_MIN_DH_BITS:0 +# +# TLS_MIN_DH_BITS=n +# +# GnuTLS only: +# +# Set the minimum number of acceptable bits for a DH key exchange. +# +# GnuTLS's compiled-in default is 727 bits (as of GnuTLS 1.6.3). Some server +# have been encountered that offer 512 bit keys. You may have to set +# TLS_MIN_DH_BITS=512 here, if necessary. + +##NAME: TLS_TIMEOUT:0 +# TLS_TIMEOUT is currently not implemented, and reserved for future use. +# This is supposed to be an inactivity timeout, but its not yet implemented. +# + +##NAME: TLS_CERTFILE:0 +# +# TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS +# servers, and is optional for SSL/TLS clients. TLS_CERTFILE is usually +# treated as confidential, and must not be world-readable. Set TLS_CERTFILE +# instead of TLS_DHCERTFILE if this is a garden-variety certificate +# +# VIRTUAL HOSTS (servers only): +# +# Due to technical limitations in the original SSL/TLS protocol, a dedicated +# IP address is required for each virtual host certificate. If you have +# multiple certificates, install each certificate file as +# $TLS_CERTFILE.aaa.bbb.ccc.ddd, where "aaa.bbb.ccc.ddd" is the IP address +# for the certificate's domain name. So, if TLS_CERTFILE is set to +# /etc/certificate.pem, then you'll need to install the actual certificate +# files as /etc/certificate.pem.192.168.0.2, /etc/certificate.pem.192.168.0.3 +# and so on, for each IP address. +# +# GnuTLS only (servers only): +# +# GnuTLS implements a new TLS extension that eliminates the need to have a +# dedicated IP address for each SSL/TLS domain name. Install each certificate +# as $TLS_CERTFILE.domain, so if TLS_CERTFILE is set to /etc/certificate.pem, +# then you'll need to install the actual certificate files as +# /etc/certificate.pem.host1.example.com, /etc/certificate.pem.host2.example.com +# and so on. +# +# Note that this TLS extension also requires a corresponding support in the +# client. Older SSL/TLS clients may not support this feature. +# +# This is an experimental feature. + +TLS_CERTFILE=/etc/courier-imap/imapd.pem + +##NAME: TLS_DHPARAMS:0 +# +# TLS_DHPARAMS - DH parameter file. +# +TLS_DHPARAMS=/usr/share/dhparams.pem + +##NAME: TLS_TRUSTCERTS:0 +# +# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname. +# pathname can be a file or a directory. If a file, the file should +# contain a list of trusted certificates, in PEM format. If a +# directory, the directory should contain the trusted certificates, +# in PEM format, one per file and hashed using OpenSSL's c_rehash +# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying +# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set +# to PEER or REQUIREPEER). +# + +TLS_TRUSTCERTS=/etc/ssl/certs + +##NAME: TLS_VERIFYPEER:0 +# +# TLS_VERIFYPEER - how to verify client certificates. The possible values of +# this setting are: +# +# NONE - do not verify anything +# +# PEER - verify the client certificate, if one's presented +# +# REQUIREPEER - require a client certificate, fail if one's not presented +# +# +TLS_VERIFYPEER=NONE + +##NAME: TLS_EXTERNAL:0 +# +# To enable SSL certificate-based authentication: +# +# 1) TLS_TRUSTCERTS must be set to a pathname that holds your certificate +# authority's SSL certificate +# +# 2) TLS_VERIFYPEER=PEER or TLS_VERIFYPEER=REQUIREPEER (the later settings +# requires all SSL clients to present a certificate, and rejects +# SSL/TLS connections without a valid cert). +# +# 3) Set TLS_EXTERNAL, below, to the subject field that holds the login ID. +# Example: +# +# TLS_EXTERNAL=emailaddress +# +# The above example retrieves the login ID from the "emailaddress" subject +# field. The certificate's emailaddress subject must match exactly the login +# ID in the courier-authlib database. + +##NAME: TLS_CACHE:0 +# +# A TLS/SSL session cache may slightly improve response for IMAP clients +# that open multiple SSL sessions to the server. TLS_CACHEFILE will be +# automatically created, TLS_CACHESIZE bytes long, and used as a cache +# buffer. +# +# This is an experimental feature and should be disabled if it causes +# problems with SSL clients. Disable SSL caching by commenting out the +# following settings: + +TLS_CACHEFILE=/var/lib/courier-imap/couriersslcache +TLS_CACHESIZE=524288 + +##NAME: MAILDIRPATH:0 +# +# MAILDIRPATH - directory name of the maildir directory. +# +MAILDIRPATH=Maildir + +# Hardwire a value for ${MAILDIR} +MAILDIR=.maildir +MAILDIRPATH=.maildir diff --git a/courier-imap/imapd.cnf b/courier-imap/imapd.cnf index c7c1f61..ed03134 100644 --- a/courier-imap/imapd.cnf +++ b/courier-imap/imapd.cnf @@ -2,11 +2,12 @@ RANDFILE = /usr/share/imapd.rand [ req ] -default_bits = 1024 +default_bits = 4096 encrypt_key = yes distinguished_name = req_dn x509_extensions = cert_type prompt = no +default_md = sha1 [ req_dn ] C=US diff --git a/courier-imap/pop3d b/courier-imap/pop3d index 8dd8bd1..908c5c5 100644 --- a/courier-imap/pop3d +++ b/courier-imap/pop3d @@ -1,11 +1,11 @@ -##VERSION: $Id: pop3d.dist.in,v 1.16 2005/07/05 12:42:51 mrsam Exp $ +##VERSION: $Id: 2013-08-19 16:39:41 -0400 9c45d9ad13fdf439d44d7443ae75da15ea0223ed$ # # pop3d created from pop3d.dist by sysconftool # # Do not alter lines that begin with ##, they are used when upgrading # this configuration. # -# Copyright 1998 - 2004 Double Precision, Inc. See COPYING for +# Copyright 1998 - 2011 Double Precision, Inc. See COPYING for # distribution information. # # Courier POP3 daemon configuration @@ -95,6 +95,15 @@ PORT=110 ADDRESS=0 +##NAME: AUTHSERVICE:0 +# +# It's possible to authenticate using a different 'service' parameter +# depending on the connection's port. This only works with authentication +# modules that use the 'service' parameter, such as PAM. Example: +# +# AUTHSERVICE110=pop3 +# AUTHSERVICE995=pop3s + ##NAME: TCPDOPTS:0 # # Other couriertcpd(1) options. The following defaults should be fine. @@ -139,6 +148,14 @@ LOGGEROPTS="-name=pop3d" POP3DSTART=NO +##NAME: POP3_LOG_DELETIONS:0 +# +# +# Set POP3_LOG_DELETIONS to log all message deletions to syslog. +# +# POP3_LOG_DELETIONS=1 + + ##NAME: MAILDIRPATH:0 # # MAILDIRPATH - directory name of the maildir directory. diff --git a/courier-imap/pop3d-ssl b/courier-imap/pop3d-ssl index 472fa52..8597a05 100644 --- a/courier-imap/pop3d-ssl +++ b/courier-imap/pop3d-ssl @@ -1,11 +1,11 @@ -##VERSION: $Id: pop3d-ssl.dist.in,v 1.23 2009/08/12 22:25:49 mrsam Exp $ +##VERSION: $Id: 2013-10-14 22:07:39 -0400 37a74ee0f736237b67330c620de7dc08232dec17$ # # pop3d-ssl created from pop3d-ssl.dist by sysconftool # # Do not alter lines that begin with ##, they are used when upgrading # this configuration. # -# Copyright 2000-2008 Double Precision, Inc. See COPYING for +# Copyright 2000-2013 Double Precision, Inc. See COPYING for # distribution information. # # This configuration file sets various options for the Courier-IMAP server @@ -89,42 +89,27 @@ POP3_TLS_REQUIRED=0 COURIERTLS=/usr/sbin/couriertls +##NAME: TLS_PRIORITY:0 +# +# Set TLS protocol priority settings (GnuTLS only) +# +# DEFAULT: NORMAL:-CTYPE-OPENPGP +# +# TLS_PRIORITY="NORMAL:-CTYPE-OPENPGP" + ##NAME: TLS_PROTOCOL:0 # # TLS_PROTOCOL sets the protocol version. The possible versions are: # # OpenSSL: # -# SSL2 - SSLv2 # SSL3 - SSLv3 -# SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems) +# SSL23 - all protocols (including TLS 1.x protocols) # TLS1 - TLS1 +# TLSv1.1 - TLS1.1 +# TLSv1.2 - TLS1.2 # -# Note that this setting, with OpenSSL, is modified by the TLS_CIPHER_LIST -# setting, below. -# -# GnuTLS: -# -# SSL3 - SSLv3 -# TLS1 - TLS 1.0 -# TLS1_1 - TLS 1.1 -# -# When compiled against GnuTLS, multiple protocols can be selected as follows: -# -# TLS_PROTOCOL="TLS1_1:TLS1:SSL3" -# -# DEFAULT VALUES: -# -# SSL23 (OpenSSL), or "TLS_1:TLS1:SSL3" (GnuTLS) - -##NAME: TLS_STARTTLS_PROTOCOL:0 -# -# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the POP3 STARTTLS -# extension, as opposed to POP3 over SSL on port 995. -# -# It takes the same values for OpenSSL/GnuTLS as TLS_PROTOCOL - -TLS_STARTTLS_PROTOCOL=TLS1 +# Leave it unset to use any protocol except SSL 2. ##NAME: TLS_CIPHER_LIST:0 # @@ -134,10 +119,7 @@ TLS_STARTTLS_PROTOCOL=TLS1 # # OpenSSL: # -# TLS_CIPHER_LIST="SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH" -# -# To enable SSL2, remove the obvious "!SSLv2" part from the above list. -# +# TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH" # # GnuTLS: # @@ -155,7 +137,9 @@ TLS_STARTTLS_PROTOCOL=TLS1 # LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher # is not included # ALL -- all ciphers except the NULL cipher - +# +# See GnuTLS documentation, gnutls_priority_init(3) for additional +# documentation. ##NAME: TLS_MIN_DH_BITS:0 # @@ -169,53 +153,11 @@ TLS_STARTTLS_PROTOCOL=TLS1 # have been encountered that offer 512 bit keys. You may have to set # TLS_MIN_DH_BITS=512 here, if necessary. -##NAME: TLS_KX_LIST:0 -# -# GnuTLS only: -# -# Allowed key exchange protocols. The default of "ALL" should be sufficient. -# The list of supported key exchange protocols depends on the options GnuTLS -# was compiled against, but may include the following: -# -# DHERSA, DHEDSS, RSA, SRP, SRPRSA, SRPDSS, PSK, DHEPSK, ANONDH, RSAEXPORT - -TLS_KX_LIST=ALL - -##NAME: TLS_COMPRESSION:0 -# -# GnuTLS only: -# -# Optional compression. "ALL" selects all available compression methods. -# -# Available compression methods: DEFLATE, LZO, NULL - -TLS_COMPRESSION=ALL - -##NAME: TLS_CERTS:0 -# -# GnuTLS only: -# -# Supported certificate types are X509 and OPENPGP. -# -# OPENPGP has not been tested - -TLS_CERTS=X509 - ##NAME: TLS_TIMEOUT:0 # TLS_TIMEOUT is currently not implemented, and reserved for future use. # This is supposed to be an inactivity timeout, but its not yet implemented. # -##NAME: TLS_DHCERTFILE:0 -# -# TLS_DHCERTFILE - PEM file that stores a Diffie-Hellman -based certificate. -# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA -# you must generate a DH pair that will be used. In most situations the -# DH pair is to be treated as confidential, and the file specified by -# TLS_DHCERTFILE must not be world-readable. -# -# TLS_DHCERTFILE= - ##NAME: TLS_CERTFILE:0 # # TLS_CERTFILE - certificate to use. TLS_CERTFILE is required for SSL/TLS @@ -250,6 +192,12 @@ TLS_CERTS=X509 TLS_CERTFILE=/etc/courier-imap/pop3d.pem +##NAME: TLS_DHPARAMS:0 +# +# TLS_DHPARAMS - DH parameter file. +# +TLS_DHPARAMS=/usr/share/dhparams.pem + ##NAME: TLS_TRUSTCERTS:0 # # TLS_TRUSTCERTS=pathname - load trusted certificates from pathname. diff --git a/courier-imap/pop3d.cnf b/courier-imap/pop3d.cnf index f5ee623..a792cb9 100644 --- a/courier-imap/pop3d.cnf +++ b/courier-imap/pop3d.cnf @@ -2,11 +2,12 @@ RANDFILE = /usr/share/pop3d.rand [ req ] -default_bits = 1024 +default_bits = 4096 encrypt_key = yes distinguished_name = req_dn x509_extensions = cert_type prompt = no +default_md = sha1 [ req_dn ] C=US diff --git a/courier/authlib/authdaemonrc b/courier/authlib/authdaemonrc index cebb788..cd1e743 100644 --- a/courier/authlib/authdaemonrc +++ b/courier/authlib/authdaemonrc @@ -90,7 +90,7 @@ DEFAULTOPTIONS="" # courierlogger(1) options, e.g. to set syslog facility # -LOGGEROPTS="" +LOGGEROPTS="-facility=auth" ##NAME: LDAP_TLS_OPTIONS:0 # diff --git a/cron.d/sysstat b/cron.d/sysstat new file mode 100644 index 0000000..1edaa67 --- /dev/null +++ b/cron.d/sysstat @@ -0,0 +1,6 @@ +# Run system activity accounting tool every 10 minutes +*/10 * * * * root /usr/lib64/sa/sa1 1 1 +# 0 * * * * root /usr/lib64/sa/sa1 600 6 & +# Generate a daily summary of process accounting at 23:53 +53 23 * * * root /usr/lib64/sa/sa2 -A + diff --git a/cron.daily/sysstat b/cron.daily/sysstat deleted file mode 100755 index 11211b5..0000000 --- a/cron.daily/sysstat +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -# Generate a daily summary of process accounting. Since this will probably -# get kicked off in the morning, it would probably be better to run against -# the previous days data. -/usr/lib64/sa/sa2 -A & diff --git a/cron.hourly/sysstat b/cron.hourly/sysstat deleted file mode 100755 index 05e6d71..0000000 --- a/cron.hourly/sysstat +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -# Run system activity accounting tool every 10 minutes -/usr/lib64/sa/sa1 600 6 & diff --git a/cron.weekly/mdadm b/cron.weekly/mdadm new file mode 100644 index 0000000..72e401d --- /dev/null +++ b/cron.weekly/mdadm @@ -0,0 +1,4 @@ +#!/bin/sh +if [ -x /usr/sbin/checkarray ] && [ $(date +\%d) -le 7 ]; then + /usr/sbin/checkarray --cron --all --idle --quiet +fi diff --git a/csh.env b/csh.env index 473b962..6ba8e58 100644 --- a/csh.env +++ b/csh.env @@ -3,23 +3,24 @@ # GO INTO /etc/csh.cshrc NOT /etc/csh.env setenv CONFIG_PROTECT '/var/bind /usr/share/gnupg/qualified.txt' -setenv CONFIG_PROTECT_MASK '/etc/gentoo-release /etc/sandbox.d /etc/php/cli-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/apache2-php5.3/ext-active/ /etc/php/cli-php5.4/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/apache2-php5.4/ext-active/ /etc/fonts/fonts.conf /etc/terminfo /etc/ca-certificates.conf /etc/texmf/web2c /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/revdep-rebuild' +setenv CONFIG_PROTECT_MASK '/etc/gentoo-release /etc/sandbox.d /etc/php/cli-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/apache2-php5.3/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/apache2-php5.5/ext-active/ /etc/fonts/fonts.conf /etc/terminfo /etc/ca-certificates.conf /etc/texmf/web2c /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/revdep-rebuild' setenv CVS_RSH 'ssh' setenv EDITOR '/usr/bin/vim' +setenv ES_BASHCOMP_DIRS '/usr/share/bash-completion/completions' setenv GCC_SPECS '' setenv GUILE_LOAD_PATH '/usr/share/guile/1.8' setenv HG '/usr/bin/hg' -setenv INFOPATH '/usr/share/info:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.7.3/info:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.23.2/info' +setenv INFOPATH '/usr/share/info:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.8.3/info:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.24/info' setenv LESS '-R -M --shift 5' setenv LESSOPEN '|lesspipe %s' -setenv MANPATH '/usr/local/share/man:/usr/share/man:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.7.3/man:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.23.2/man:/etc/java-config-2/current-system-vm/man/:/usr/lib64/php5.3/man/:/usr/lib64/php5.4/man/:/usr/share/postgresql/man/:/usr/share/postgresql-9.3/man/' +setenv MANPATH '/usr/local/share/man:/usr/share/man:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.8.3/man:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.24/man:/etc/java-config-2/current-system-vm/man/:/usr/lib64/php5.3/man/:/usr/lib64/php5.5/man/:/usr/share/postgresql/man/:/usr/share/postgresql-9.3/man/' setenv MULTIOSDIRS '../lib64:../lib32' setenv OPENGL_PROFILE 'xorg-x11' setenv PAGER '/usr/bin/less' -setenv PATH '/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.7.3:/usr/lib64/subversion/bin' +setenv PATH '/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3:/usr/lib64/subversion/bin' setenv PRELINK_PATH_MASK '/usr/lib64/libfreebl3.so:/usr/lib64/libnssdbm3.so:/usr/lib64/libsoftokn3.so' setenv PYTHONDOCS_2_7 '/usr/share/doc/python-docs-2.7.3/html/library' setenv PYTHONDOCS_3_3 '/usr/share/doc/python-docs-3.3.2/html/library' -setenv ROOTPATH '/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.7.3:/usr/lib64/subversion/bin' +setenv ROOTPATH '/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3:/usr/lib64/subversion/bin' setenv XDG_CONFIG_DIRS '/etc/xdg' setenv XDG_DATA_DIRS '/usr/local/share:/usr/share' diff --git a/dbus-1/session.conf b/dbus-1/session.conf index dde5ef6..5d93be7 100644 --- a/dbus-1/session.conf +++ b/dbus-1/session.conf @@ -49,9 +49,11 @@ 1000000000 250000000 1000000000 - 4096 + 120000 240000 + 150000 100000 10000 100000 diff --git a/default/grub b/default/grub index e810299..365e64c 100644 --- a/default/grub +++ b/default/grub @@ -1,22 +1,33 @@ -# Copyright 1999-2013 Gentoo Foundation +# Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-2,v 1.4 2013/09/21 18:10:55 floppym Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.4 2014/10/16 04:04:02 floppym Exp $ # # To populate all changes in this file you need to regenerate your # grub configuration file afterwards: # 'grub2-mkconfig -o /boot/grub/grub.cfg' # # See the grub info page for documentation on possible variables and -# their associated values. +# their associated values. -GRUB_DISTRIBUTOR="Gentoo" +GRUB_DISTRIBUTOR="Gentoo (Helga)" -GRUB_DEFAULT=0 -GRUB_HIDDEN_TIMEOUT=5 -GRUB_HIDDEN_TIMEOUT_QUIET=true +# Default menu entry +#GRUB_DEFAULT=0 + +# Boot the default entry this many seconds after the menu is displayed GRUB_TIMEOUT=10 +#GRUB_TIMEOUT_STYLE=menu # Append parameters to the linux kernel command line +#GRUB_CMDLINE_LINUX="" +# +# Examples: +# +# Boot with network interface renaming disabled +# GRUB_CMDLINE_LINUX="net.ifnames=0" +# +# Boot with systemd instead of sysvinit (openrc) +# GRUB_CMDLINE_LINUX="init=/usr/lib/systemd/systemd" GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,57600n8 domdadm dolvm" GRUB_PRELOAD_MODULES=lvm @@ -37,6 +48,13 @@ GRUB_SERIAL_COMMAND="serial --speed=57600 --unit=0 --word=8 --parity=no --stop=1 # You can see them in real GRUB with the command `vbeinfo'. #GRUB_GFXMODE=640x480 +# Set to 'text' to force the Linux kernel to boot in normal text +# mode, 'keep' to preserve the graphics mode set using +# 'GRUB_GFXMODE', 'WIDTHxHEIGHT'['xDEPTH'] to set a particular +# graphics mode, or a sequence of these separated by commas or +# semicolons to try several modes in sequence. +#GRUB_GFXPAYLOAD_LINUX= + # Path to theme spec txt file. # The starfield is by default provided with use truetype. # NOTE: when enabling custom theme, ensure you have required font/etc. diff --git a/default/grub.orig b/default/grub.orig new file mode 100644 index 0000000..8f0549d --- /dev/null +++ b/default/grub.orig @@ -0,0 +1,56 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.3 2014/09/10 14:38:39 floppym Exp $ +# +# To populate all changes in this file you need to regenerate your +# grub configuration file afterwards: +# 'grub2-mkconfig -o /boot/grub/grub.cfg' +# +# See the grub info page for documentation on possible variables and +# their associated values. + +GRUB_DISTRIBUTOR="Gentoo" + +# Default menu entry +#GRUB_DEFAULT=0 + +# Boot the default entry this many seconds after the menu is displayed +#GRUB_TIMEOUT=5 +#GRUB_TIMEOUT_STYLE=menu + +# Append parameters to the linux kernel command line +#GRUB_CMDLINE_LINUX="" +# +# Examples: +# +# Boot with network interface renaming disabled +# GRUB_CMDLINE_LINUX="net.ifnames=0" +# +# Boot with systemd instead of sysvinit (openrc) +# GRUB_CMDLINE_LINUX="init=/usr/lib/systemd/systemd" + +# Append parameters to the linux kernel command line for non-recovery entries +#GRUB_CMDLINE_LINUX_DEFAULT="" + +# Uncomment to disable graphical terminal (grub-pc only) +#GRUB_TERMINAL=console + +# The resolution used on graphical terminal. +# Note that you can use only modes which your graphic card supports via VBE. +# You can see them in real GRUB with the command `vbeinfo'. +#GRUB_GFXMODE=640x480 + +# Path to theme spec txt file. +# The starfield is by default provided with use truetype. +# NOTE: when enabling custom theme, ensure you have required font/etc. +#GRUB_THEME="/boot/grub/themes/starfield/theme.txt" + +# Background image used on graphical terminal. +# Can be in various bitmap formats. +#GRUB_BACKGROUND="/boot/grub/mybackground.png" + +# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel +#GRUB_DISABLE_LINUX_UUID=true + +# Uncomment to disable generation of recovery mode menu entries +#GRUB_DISABLE_RECOVERY=true diff --git a/dhcpcd.conf b/dhcpcd.conf index 96eaf52..e905b34 100644 --- a/dhcpcd.conf +++ b/dhcpcd.conf @@ -1,6 +1,9 @@ # A sample configuration for dhcpcd. # See dhcpcd.conf(5) for details. +# Allow users of this group to interact with dhcpcd via the control socket. +#controlgroup wheel + # Inform the DHCP server of our hostname for DDNS. hostname @@ -30,6 +33,9 @@ option ntp_servers # A ServerID is required by RFC2131. require dhcp_server_identifier +# Generate Stable Private IPv6 Addresses instead of hardware based ones +slaac private + # A hook script is provided to lookup the hostname if not set by the DHCP # server, but it should not be run by default. nohook lookup-hostname diff --git a/eixrc/00-eixrc b/eixrc/00-eixrc index be2cdea..8e63813 100644 --- a/eixrc/00-eixrc +++ b/eixrc/00-eixrc @@ -1,4 +1,4 @@ -# /etc/eixrc/00-eirc +# /etc/eixrc/00-eixrc # # All non-hidden files in /etc/eixrc # (or a subdirectory thereof) are read in alphabetical order. diff --git a/env.d/04gcc-x86_64-pc-linux-gnu b/env.d/04gcc-x86_64-pc-linux-gnu index eb3094f..36b9270 100644 --- a/env.d/04gcc-x86_64-pc-linux-gnu +++ b/env.d/04gcc-x86_64-pc-linux-gnu @@ -1,6 +1,6 @@ -PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.7.3" -ROOTPATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.7.3" +PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3" +ROOTPATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3" GCC_SPECS="" -MANPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.7.3/man" -INFOPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.7.3/info" +MANPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.8.3/man" +INFOPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.8.3/info" MULTIOSDIRS="../lib64:../lib32" diff --git a/env.d/05binutils b/env.d/05binutils index 7b6cfe5..6c9aa5a 100644 --- a/env.d/05binutils +++ b/env.d/05binutils @@ -1,2 +1,2 @@ -MANPATH=/usr/share/binutils-data/x86_64-pc-linux-gnu/2.23.2/man -INFOPATH=/usr/share/binutils-data/x86_64-pc-linux-gnu/2.23.2/info +MANPATH=/usr/share/binutils-data/x86_64-pc-linux-gnu/2.24/man +INFOPATH=/usr/share/binutils-data/x86_64-pc-linux-gnu/2.24/info diff --git a/env.d/20php5.4 b/env.d/20php5.4 deleted file mode 100644 index 8ba97fa..0000000 --- a/env.d/20php5.4 +++ /dev/null @@ -1,2 +0,0 @@ -MANPATH="/usr/lib64/php5.4/man/" -CONFIG_PROTECT_MASK="/etc/php/cli-php5.4/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/apache2-php5.4/ext-active/" diff --git a/env.d/20php5.5 b/env.d/20php5.5 new file mode 100644 index 0000000..87065d2 --- /dev/null +++ b/env.d/20php5.5 @@ -0,0 +1,2 @@ +MANPATH="/usr/lib64/php5.5/man/" +CONFIG_PROTECT_MASK="/etc/php/cli-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/apache2-php5.5/ext-active/" diff --git a/env.d/50bash_completion b/env.d/50bash_completion new file mode 100644 index 0000000..ef1d881 --- /dev/null +++ b/env.d/50bash_completion @@ -0,0 +1 @@ +ES_BASHCOMP_DIRS="/usr/share/bash-completion/completions" diff --git a/env.d/90nss b/env.d/90nss deleted file mode 100644 index fbade16..0000000 --- a/env.d/90nss +++ /dev/null @@ -1 +0,0 @@ -PRELINK_PATH_MASK=/usr/lib64/libfreebl3.so:/usr/lib64/libnssdbm3.so:/usr/lib64/libsoftokn3.so diff --git a/env.d/90nss-amd64 b/env.d/90nss-amd64 new file mode 100644 index 0000000..fbade16 --- /dev/null +++ b/env.d/90nss-amd64 @@ -0,0 +1 @@ +PRELINK_PATH_MASK=/usr/lib64/libfreebl3.so:/usr/lib64/libnssdbm3.so:/usr/lib64/libsoftokn3.so diff --git a/env.d/binutils/config-x86_64-pc-linux-gnu b/env.d/binutils/config-x86_64-pc-linux-gnu index 9abf957..77a1de2 100644 --- a/env.d/binutils/config-x86_64-pc-linux-gnu +++ b/env.d/binutils/config-x86_64-pc-linux-gnu @@ -1 +1 @@ -CURRENT=2.23.2 +CURRENT=2.24 diff --git a/env.d/binutils/x86_64-pc-linux-gnu-2.23.2 b/env.d/binutils/x86_64-pc-linux-gnu-2.23.2 deleted file mode 100644 index 6f49818..0000000 --- a/env.d/binutils/x86_64-pc-linux-gnu-2.23.2 +++ /dev/null @@ -1,4 +0,0 @@ -TARGET="x86_64-pc-linux-gnu" -VER="2.23.2" -LIBPATH="/usr/lib64/binutils/x86_64-pc-linux-gnu/2.23.2" -FAKE_TARGETS="x86_64-pc-linux-gnu" diff --git a/env.d/binutils/x86_64-pc-linux-gnu-2.24 b/env.d/binutils/x86_64-pc-linux-gnu-2.24 new file mode 100644 index 0000000..c57d3fe --- /dev/null +++ b/env.d/binutils/x86_64-pc-linux-gnu-2.24 @@ -0,0 +1,4 @@ +TARGET="x86_64-pc-linux-gnu" +VER="2.24" +LIBPATH="/usr/lib64/binutils/x86_64-pc-linux-gnu/2.24" +FAKE_TARGETS="x86_64-pc-linux-gnu" diff --git a/env.d/gcc/.NATIVE b/env.d/gcc/.NATIVE index d7f9d99..84d7b4f 120000 --- a/env.d/gcc/.NATIVE +++ b/env.d/gcc/.NATIVE @@ -1 +1 @@ -x86_64-pc-linux-gnu-4.7.3 \ No newline at end of file +x86_64-pc-linux-gnu-4.8.3 \ No newline at end of file diff --git a/env.d/gcc/config-x86_64-pc-linux-gnu b/env.d/gcc/config-x86_64-pc-linux-gnu index b93dfd2..502efb9 100644 --- a/env.d/gcc/config-x86_64-pc-linux-gnu +++ b/env.d/gcc/config-x86_64-pc-linux-gnu @@ -1 +1 @@ -CURRENT=x86_64-pc-linux-gnu-4.7.3 +CURRENT=x86_64-pc-linux-gnu-4.8.3 diff --git a/env.d/gcc/x86_64-pc-linux-gnu-4.7.3 b/env.d/gcc/x86_64-pc-linux-gnu-4.7.3 deleted file mode 100644 index 58a677b..0000000 --- a/env.d/gcc/x86_64-pc-linux-gnu-4.7.3 +++ /dev/null @@ -1,8 +0,0 @@ -LDPATH="/usr/lib/gcc/x86_64-pc-linux-gnu/4.7.3:/usr/lib/gcc/x86_64-pc-linux-gnu/4.7.3/32" -MANPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.7.3/man" -INFOPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.7.3/info" -STDCXX_INCDIR="g++-v4" -CTARGET="x86_64-pc-linux-gnu" -GCC_SPECS="" -MULTIOSDIRS="../lib64:../lib32" -GCC_PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.7.3" diff --git a/env.d/gcc/x86_64-pc-linux-gnu-4.8.3 b/env.d/gcc/x86_64-pc-linux-gnu-4.8.3 new file mode 100644 index 0000000..5727e94 --- /dev/null +++ b/env.d/gcc/x86_64-pc-linux-gnu-4.8.3 @@ -0,0 +1,8 @@ +LDPATH="/usr/lib/gcc/x86_64-pc-linux-gnu/4.8.3:/usr/lib/gcc/x86_64-pc-linux-gnu/4.8.3/32" +MANPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.8.3/man" +INFOPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.8.3/info" +STDCXX_INCDIR="g++-v4" +CTARGET="x86_64-pc-linux-gnu" +GCC_SPECS="" +MULTIOSDIRS="../lib64:../lib32" +GCC_PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3" diff --git a/eselect/postgresql/slots/9.3/base b/eselect/postgresql/slots/9.3/base index bd422ab..7d4a07f 100644 --- a/eselect/postgresql/slots/9.3/base +++ b/eselect/postgresql/slots/9.3/base @@ -1 +1 @@ -postgres_ebuilds="${postgres_ebuilds} postgresql-base-9.3.3" +postgres_ebuilds="${postgres_ebuilds} postgresql-base-9.3.5" diff --git a/eselect/postgresql/slots/9.3/docs b/eselect/postgresql/slots/9.3/docs index 4eda6eb..41c7233 100644 --- a/eselect/postgresql/slots/9.3/docs +++ b/eselect/postgresql/slots/9.3/docs @@ -1 +1 @@ -postgres_ebuilds="${postgres_ebuilds} postgresql-docs-9.3.3" +postgres_ebuilds="${postgres_ebuilds} postgresql-docs-9.3.5" diff --git a/fail2ban/action.d/apf.conf b/fail2ban/action.d/apf.conf new file mode 100644 index 0000000..5c4a261 --- /dev/null +++ b/fail2ban/action.d/apf.conf @@ -0,0 +1,25 @@ +# Fail2Ban configuration file +# https://www.rfxn.com/projects/advanced-policy-firewall/ +# +# Note: APF doesn't play nicely with other actions. It has been observed to +# remove bans created by other iptables based actions. If you are going to use +# this action, use it for all of your jails. +# +# DON'T MIX APF and other IPTABLES based actions +[Definition] + +actionstart = +actionstop = +actioncheck = +actionban = apf --deny "banned by Fail2Ban " +actionunban = apf --remove + +[Init] + +# Name used in APF configuration +# +name = default + +# DEV NOTES: +# +# Author: Mark McKinstry diff --git a/fail2ban/action.d/badips.conf b/fail2ban/action.d/badips.conf new file mode 100644 index 0000000..4a5c0f9 --- /dev/null +++ b/fail2ban/action.d/badips.conf @@ -0,0 +1,19 @@ +# Fail2ban reporting to badips.com +# +# Note: This reports and IP only and does not actually ban traffic. Use +# another action in the same jail if you want bans to occur. +# +# Set the category to the appropriate value before use. +# +# To get see register and optional key to get personalised graphs see: +# http://www.badips.com/blog/personalized-statistics-track-the-attackers-of-all-your-servers-with-one-key + +[Definition] + +actionban = curl --fail --user-agent "fail2ban v0.8.12" http://www.badips.com/add// + +[Init] + +# Option: category +# Notes.: Values are from the list here: http://www.badips.com/get/categories +category = diff --git a/fail2ban/action.d/badips.py b/fail2ban/action.d/badips.py new file mode 100644 index 0000000..250b1dc --- /dev/null +++ b/fail2ban/action.d/badips.py @@ -0,0 +1,363 @@ +# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*- +# vi: set ft=python sts=4 ts=4 sw=4 noet : + +# This file is part of Fail2Ban. +# +# Fail2Ban is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Fail2Ban is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Fail2Ban; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +import sys +if sys.version_info < (2, 7): + raise ImportError("badips.py action requires Python >= 2.7") +import json +from functools import partial +import threading +import logging +if sys.version_info >= (3, ): + from urllib.request import Request, urlopen + from urllib.parse import urlencode + from urllib.error import HTTPError +else: + from urllib2 import Request, urlopen, HTTPError + from urllib import urlencode + +from fail2ban.server.actions import ActionBase +from fail2ban.version import version as f2bVersion + +class BadIPsAction(ActionBase): + """Fail2Ban action which reports bans to badips.com, and also + blacklist bad IPs listed on badips.com by using another action's + ban method. + + Parameters + ---------- + jail : Jail + The jail which the action belongs to. + name : str + Name assigned to the action. + category : str + Valid badips.com category for reporting failures. + score : int, optional + Minimum score for bad IPs. Default 3. + age : str, optional + Age of last report for bad IPs, per badips.com syntax. + Default "24h" (24 hours) + key : str, optional + Key issued by badips.com to report bans, for later retrieval + of personalised content. + banaction : str, optional + Name of banaction to use for blacklisting bad IPs. If `None`, + no blacklist of IPs will take place. + Default `None`. + bancategory : str, optional + Name of category to use for blacklisting, which can differ + from category used for reporting. e.g. may want to report + "postfix", but want to use whole "mail" category for blacklist. + Default `category`. + bankey : str, optional + Key issued by badips.com to blacklist IPs reported with the + associated key. + updateperiod : int, optional + Time in seconds between updating bad IPs blacklist. + Default 900 (15 minutes) + + Raises + ------ + ValueError + If invalid `category`, `score`, `banaction` or `updateperiod`. + """ + + _badips = "http://www.badips.com" + _Request = partial( + Request, headers={'User-Agent': "Fail2Ban %s" % f2bVersion}) + + def __init__(self, jail, name, category, score=3, age="24h", key=None, + banaction=None, bancategory=None, bankey=None, updateperiod=900): + super(BadIPsAction, self).__init__(jail, name) + + self.category = category + self.score = score + self.age = age + self.key = key + self.banaction = banaction + self.bancategory = bancategory or category + self.bankey = bankey + self.updateperiod = updateperiod + + self._bannedips = set() + # Used later for threading.Timer for updating badips + self._timer = None + + def getCategories(self, incParents=False): + """Get badips.com categories. + + Returns + ------- + set + Set of categories. + + Raises + ------ + HTTPError + Any issues with badips.com request. + """ + try: + response = urlopen( + self._Request("/".join([self._badips, "get", "categories"]))) + except HTTPError as response: + messages = json.loads(response.read().decode('utf-8')) + self._logSys.error( + "Failed to fetch categories. badips.com response: '%s'", + messages['err']) + raise + else: + categories = json.loads(response.read().decode('utf-8'))['categories'] + categories_names = set( + value['Name'] for value in categories) + if incParents: + categories_names.update(set( + value['Parent'] for value in categories + if "Parent" in value)) + return categories_names + + def getList(self, category, score, age, key=None): + """Get badips.com list of bad IPs. + + Parameters + ---------- + category : str + Valid badips.com category. + score : int + Minimum score for bad IPs. + age : str + Age of last report for bad IPs, per badips.com syntax. + key : str, optional + Key issued by badips.com to fetch IPs reported with the + associated key. + + Returns + ------- + set + Set of bad IPs. + + Raises + ------ + HTTPError + Any issues with badips.com request. + """ + try: + url = "?".join([ + "/".join([self._badips, "get", "list", category, str(score)]), + urlencode({'age': age})]) + if key: + url = "&".join([url, urlencode({'key': key})]) + response = urlopen(self._Request(url)) + except HTTPError as response: + messages = json.loads(response.read().decode('utf-8')) + self._logSys.error( + "Failed to fetch bad IP list. badips.com response: '%s'", + messages['err']) + raise + else: + return set(response.read().decode('utf-8').split()) + + @property + def category(self): + """badips.com category for reporting IPs. + """ + return self._category + + @category.setter + def category(self, category): + if category not in self.getCategories(): + self._logSys.error("Category name '%s' not valid. " + "see badips.com for list of valid categories", + category) + raise ValueError("Invalid category: %s" % category) + self._category = category + + @property + def bancategory(self): + """badips.com bancategory for fetching IPs. + """ + return self._bancategory + + @bancategory.setter + def bancategory(self, bancategory): + if bancategory not in self.getCategories(incParents=True): + self._logSys.error("Category name '%s' not valid. " + "see badips.com for list of valid categories", + bancategory) + raise ValueError("Invalid bancategory: %s" % bancategory) + self._bancategory = bancategory + + @property + def score(self): + """badips.com minimum score for fetching IPs. + """ + return self._score + + @score.setter + def score(self, score): + score = int(score) + if 0 <= score <= 5: + self._score = score + else: + raise ValueError("Score must be 0-5") + + @property + def banaction(self): + """Jail action to use for banning/unbanning. + """ + return self._banaction + + @banaction.setter + def banaction(self, banaction): + if banaction is not None and banaction not in self._jail.actions: + self._logSys.error("Action name '%s' not in jail '%s'", + banaction, self._jail.name) + raise ValueError("Invalid banaction") + self._banaction = banaction + + @property + def updateperiod(self): + """Period in seconds between banned bad IPs will be updated. + """ + return self._updateperiod + + @updateperiod.setter + def updateperiod(self, updateperiod): + updateperiod = int(updateperiod) + if updateperiod > 0: + self._updateperiod = updateperiod + else: + raise ValueError("Update period must be integer greater than 0") + + def _banIPs(self, ips): + for ip in ips: + try: + self._jail.actions[self.banaction].ban({ + 'ip': ip, + 'failures': 0, + 'matches': "", + 'ipmatches': "", + 'ipjailmatches': "", + }) + except Exception as e: + self._logSys.error( + "Error banning IP %s for jail '%s' with action '%s': %s", + ip, self._jail.name, self.banaction, e, + exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG) + else: + self._bannedips.add(ip) + self._logSys.info( + "Banned IP %s for jail '%s' with action '%s'", + ip, self._jail.name, self.banaction) + + def _unbanIPs(self, ips): + for ip in ips: + try: + self._jail.actions[self.banaction].unban({ + 'ip': ip, + 'failures': 0, + 'matches': "", + 'ipmatches': "", + 'ipjailmatches': "", + }) + except Exception as e: + self._logSys.info( + "Error unbanning IP %s for jail '%s' with action '%s': %s", + ip, self._jail.name, self.banaction, e, + exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG) + else: + self._logSys.info( + "Unbanned IP %s for jail '%s' with action '%s'", + ip, self._jail.name, self.banaction) + finally: + self._bannedips.remove(ip) + + def start(self): + """If `banaction` set, blacklists bad IPs. + """ + if self.banaction is not None: + self.update() + + def update(self): + """If `banaction` set, updates blacklisted IPs. + + Queries badips.com for list of bad IPs, removing IPs from the + blacklist if no longer present, and adds new bad IPs to the + blacklist. + """ + if self.banaction is not None: + if self._timer: + self._timer.cancel() + self._timer = None + + try: + ips = self.getList( + self.bancategory, self.score, self.age, self.bankey) + # Remove old IPs no longer listed + self._unbanIPs(self._bannedips - ips) + # Add new IPs which are now listed + self._banIPs(ips - self._bannedips) + + self._logSys.info( + "Updated IPs for jail '%s'. Update again in %i seconds", + self._jail.name, self.updateperiod) + finally: + self._timer = threading.Timer(self.updateperiod, self.update) + self._timer.start() + + def stop(self): + """If `banaction` set, clears blacklisted IPs. + """ + if self.banaction is not None: + if self._timer: + self._timer.cancel() + self._timer = None + self._unbanIPs(self._bannedips.copy()) + + def ban(self, aInfo): + """Reports banned IP to badips.com. + + Parameters + ---------- + aInfo : dict + Dictionary which includes information in relation to + the ban. + + Raises + ------ + HTTPError + Any issues with badips.com request. + """ + try: + url = "/".join([self._badips, "add", self.category, aInfo['ip']]) + if self.key: + url = "?".join([url, urlencode({'key': self.key})]) + response = urlopen(self._Request(url)) + except HTTPError as response: + messages = json.loads(response.read().decode('utf-8')) + self._logSys.error( + "Response from badips.com report: '%s'", + messages['err']) + raise + else: + messages = json.loads(response.read().decode('utf-8')) + self._logSys.info( + "Response from badips.com report: '%s'", + messages['suc']) + +Action = BadIPsAction diff --git a/fail2ban/action.d/blocklist_de.conf b/fail2ban/action.d/blocklist_de.conf new file mode 100644 index 0000000..6d52069 --- /dev/null +++ b/fail2ban/action.d/blocklist_de.conf @@ -0,0 +1,86 @@ +# Fail2Ban configuration file +# +# Author: Steven Hiscocks +# +# + +# Action to report IP address to blocklist.de +# Blocklist.de must be signed up to at www.blocklist.de +# Once registered, one or more servers can be added. +# This action requires the server 'email address' and the associated apikey. +# +# From blocklist.de: +# www.blocklist.de is a free and voluntary service provided by a +# Fraud/Abuse-specialist, whose servers are often attacked on SSH-, +# Mail-Login-, FTP-, Webserver- and other services. +# The mission is to report all attacks to the abuse departments of the +# infected PCs/servers to ensure that the responsible provider can inform +# the customer about the infection and disable them +# +# IMPORTANT: +# +# Reporting an IP of abuse is a serious complaint. Make sure that it is +# serious. Fail2ban developers and network owners recommend you only use this +# action for: +# * The recidive where the IP has been banned multiple times +# * Where maxretry has been set quite high, beyond the normal user typing +# password incorrectly. +# * For filters that have a low likelihood of receiving human errors +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = curl --fail --data-urlencode 'server=' --data 'apikey=' --data 'service=' --data 'ip=' --data-urlencode 'logs=' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html" + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = + +[Init] + +# Option: email +# Notes server email address, as per blocklise.de account +# Values: STRING Default: None +# +#email = + +# Option: apikey +# Notes your user blocklist.de user account apikey +# Values: STRING Default: None +# +#apikey = + +# Option: service +# Notes service name you are reporting on, typically aligns with filter name +# see http://www.blocklist.de/en/httpreports.html for full list +# Values: STRING Default: None +# +#service = diff --git a/fail2ban/action.d/bsd-ipfw.conf b/fail2ban/action.d/bsd-ipfw.conf new file mode 100644 index 0000000..475d247 --- /dev/null +++ b/fail2ban/action.d/bsd-ipfw.conf @@ -0,0 +1,83 @@ +# Fail2Ban configuration file +# +# Author: Nick Munger +# Modified by: Ken Menzel +# Daniel Black (start/stop) +# Fabian Wenk (many ideas as per fail2ban users list) +# +# Ensure firewall_enable="YES" in the top of /etc/rc.conf +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = ipfw show | fgrep -q 'table()' || ( ipfw show | awk 'BEGIN { b = 1 } { if ($1 <= b) { b = $1 + 1 } else { e = b } } END { if (e) exit e
else exit b }'; num=$?; ipfw -q add $num from table\(
\) to me ; echo $num > "" ) + + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = [ ! -f ] || ( read num < ""
ipfw -q delete $num
rm "" ) + + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +# requires an ipfw rule like "deny ip from table(1) to me" +actionban = ipfw table
add + + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = ipfw table
delete + +[Init] +# Option: table +# Notes: The ipfw table to use. If a ipfw rule using this table already exists, +# this action will not create a ipfw rule to block it and the following +# options will have no effect. +# Values: NUM +table = 1 + +# Option: port +# Notes.: Specifies port to monitor. Blank indicate block all ports. +# Values: [ NUM | STRING ] +# +port = + +# Option: startstatefile +# Notes: A file to indicate that the table rule that was added. Ensure it is unique per table. +# Values: STRING +startstatefile = /run/fail2ban/ipfw-started-table_
+ +# Option: block +# Notes: This is how much to block. +# Can be "ip", "tcp", "udp" or various other options. +# Values: STRING +block = ip + +# Option: blocktype +# Notes.: How to block the traffic. Use a action from man 5 ipfw +# Common values: deny, unreach port, reset +# ACTION defination at the top of man ipfw for allowed values. +# Values: STRING +# +blocktype = unreach port diff --git a/fail2ban/action.d/cloudflare.conf b/fail2ban/action.d/cloudflare.conf new file mode 100644 index 0000000..4d5e2dc --- /dev/null +++ b/fail2ban/action.d/cloudflare.conf @@ -0,0 +1,55 @@ +# +# Author: Mike Rushton +# +# Referenced from from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE +# +# To get your Cloudflare API key: https://www.cloudflare.com/my-account +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# number of failures +#