|
|
|
|
@@ -217,7 +217,7 @@ http {
|
|
|
|
|
##
|
|
|
|
|
# Uncomment it if you installed nginx-passenger
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#passenger_root /usr;
|
|
|
|
|
#passenger_ruby /usr/bin/ruby;
|
|
|
|
|
|
|
|
|
|
@@ -233,17 +233,17 @@ http {
|
|
|
|
|
#mail {
|
|
|
|
|
# # See sample authentication script at:
|
|
|
|
|
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# # auth_http localhost/auth.php;
|
|
|
|
|
# # pop3_capabilities "TOP" "USER";
|
|
|
|
|
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# server {
|
|
|
|
|
# listen localhost:110;
|
|
|
|
|
# protocol pop3;
|
|
|
|
|
# proxy on;
|
|
|
|
|
# }
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# server {
|
|
|
|
|
# listen localhost:143;
|
|
|
|
|
# protocol imap;
|
|
|
|
|
@@ -1116,7 +1116,7 @@ data_directory = /var/lib/postfix
|
|
|
|
|
#default_privs = nobody
|
|
|
|
|
|
|
|
|
|
# INTERNET HOST AND DOMAIN NAMES
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# The myhostname parameter specifies the internet hostname of this
|
|
|
|
|
# mail system. The default is to use the fully-qualified domain name
|
|
|
|
|
# from gethostname(). $myhostname is used as a default value for many
|
|
|
|
|
@@ -1133,7 +1133,7 @@ myhostname = mail.$mydomain
|
|
|
|
|
mydomain = <SERVERNAME>
|
|
|
|
|
|
|
|
|
|
# SENDING MAIL
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# The myorigin parameter specifies the domain that locally-posted
|
|
|
|
|
# mail appears to come from. The default is to append $myhostname,
|
|
|
|
|
# which is fine for small sites. If you run a domain with multiple
|
|
|
|
|
@@ -1235,7 +1235,7 @@ mydomain = <SERVERNAME>
|
|
|
|
|
#
|
|
|
|
|
# - You define $mydestination domain recipients in files other than
|
|
|
|
|
# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
|
|
|
|
|
# For example, you define $mydestination domain recipients in
|
|
|
|
|
# For example, you define $mydestination domain recipients in
|
|
|
|
|
# the $virtual_mailbox_maps files.
|
|
|
|
|
#
|
|
|
|
|
# - You redefine the local delivery agent in master.cf.
|
|
|
|
|
@@ -1255,7 +1255,7 @@ mydomain = <SERVERNAME>
|
|
|
|
|
# The right-hand side of the lookup tables is conveniently ignored.
|
|
|
|
|
# In the left-hand side, specify a bare username, an @domain.tld
|
|
|
|
|
# wild-card, or specify a user@domain.tld address.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
#local_recipient_maps = unix:passwd.byname $alias_maps
|
|
|
|
|
#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
|
|
|
|
|
#local_recipient_maps =
|
|
|
|
|
@@ -1287,16 +1287,16 @@ unknown_local_recipient_reject_code = 550
|
|
|
|
|
# clients in the same IP subnetworks as the local machine.
|
|
|
|
|
# On Linux, this does works correctly only with interfaces specified
|
|
|
|
|
# with the "ifconfig" command.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
|
|
|
|
|
# clients in the same IP class A/B/C networks as the local machine.
|
|
|
|
|
# Don't do this with a dialup site - it would cause Postfix to "trust"
|
|
|
|
|
# your entire provider's network. Instead, specify an explicit
|
|
|
|
|
# mynetworks list by hand, as described below.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# Specify "mynetworks_style = host" when Postfix should "trust"
|
|
|
|
|
# only the local machine.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
#mynetworks_style = class
|
|
|
|
|
#mynetworks_style = subnet
|
|
|
|
|
#mynetworks_style = host
|
|
|
|
|
@@ -1326,7 +1326,7 @@ mynetworks = 127.0.0.0/8
|
|
|
|
|
# - from "untrusted" clients to destinations that match $relay_domains or
|
|
|
|
|
# subdomains thereof, except addresses with sender-specified routing.
|
|
|
|
|
# The default relay_domains value is $mydestination.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# In addition to the above, the Postfix SMTP server by default accepts mail
|
|
|
|
|
# that Postfix is final destination for:
|
|
|
|
|
# - destinations that match $inet_interfaces or $proxy_interfaces,
|
|
|
|
|
@@ -1334,7 +1334,7 @@ mynetworks = 127.0.0.0/8
|
|
|
|
|
# - destinations that match $virtual_alias_domains,
|
|
|
|
|
# - destinations that match $virtual_mailbox_domains.
|
|
|
|
|
# These destinations do not need to be listed in $relay_domains.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# Specify a list of hosts or domains, /file/name patterns or type:name
|
|
|
|
|
# lookup tables, separated by commas and/or whitespace. Continue
|
|
|
|
|
# long lines by starting the next line with whitespace. A file name
|
|
|
|
|
@@ -1379,7 +1379,7 @@ mynetworks = 127.0.0.0/8
|
|
|
|
|
# The right-hand side of the lookup tables is conveniently ignored.
|
|
|
|
|
# In the left-hand side, specify an @domain.tld wild-card, or specify
|
|
|
|
|
# a user@domain.tld address.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
#relay_recipient_maps = hash:/etc/postfix/relay_recipients
|
|
|
|
|
|
|
|
|
|
# INPUT RATE CONTROL
|
|
|
|
|
@@ -1388,15 +1388,15 @@ mynetworks = 127.0.0.0/8
|
|
|
|
|
# flow control. This feature is turned on by default, although it
|
|
|
|
|
# still needs further development (it's disabled on SCO UNIX due
|
|
|
|
|
# to an SCO bug).
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# A Postfix process will pause for $in_flow_delay seconds before
|
|
|
|
|
# accepting a new message, when the message arrival rate exceeds the
|
|
|
|
|
# message delivery rate. With the default 100 SMTP server process
|
|
|
|
|
# limit, this limits the mail inflow to 100 messages a second more
|
|
|
|
|
# than the number of messages delivered per second.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# Specify 0 to disable the feature. Valid delays are 0..10.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
#in_flow_delay = 1s
|
|
|
|
|
|
|
|
|
|
# ADDRESS REWRITING
|
|
|
|
|
@@ -1426,7 +1426,7 @@ mynetworks = 127.0.0.0/8
|
|
|
|
|
# On systems with NIS, the default is to search the local alias
|
|
|
|
|
# database, then the NIS alias database. See aliases(5) for syntax
|
|
|
|
|
# details.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# If you change the alias database, run "postalias /etc/aliases" (or
|
|
|
|
|
# wherever your system stores the mail alias file), or simply run
|
|
|
|
|
# "newaliases" to build the necessary DBM or DB file.
|
|
|
|
|
@@ -1469,7 +1469,7 @@ mynetworks = 127.0.0.0/8
|
|
|
|
|
#
|
|
|
|
|
#home_mailbox = Mailbox
|
|
|
|
|
#home_mailbox = Maildir/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# The mail_spool_directory parameter specifies the directory where
|
|
|
|
|
# UNIX-style mailboxes are kept. The default setting depends on the
|
|
|
|
|
# system type.
|
|
|
|
|
@@ -1511,7 +1511,7 @@ mynetworks = 127.0.0.0/8
|
|
|
|
|
#
|
|
|
|
|
# NOTE: if you use this feature for accounts not in the UNIX password
|
|
|
|
|
# file, then you must update the "local_recipient_maps" setting in
|
|
|
|
|
# the main.cf file, otherwise the SMTP server will reject mail for
|
|
|
|
|
# the main.cf file, otherwise the SMTP server will reject mail for
|
|
|
|
|
# non-UNIX accounts with "User unknown in local recipient table".
|
|
|
|
|
#
|
|
|
|
|
# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd"
|
|
|
|
|
@@ -1533,7 +1533,7 @@ mynetworks = 127.0.0.0/8
|
|
|
|
|
#
|
|
|
|
|
# NOTE: if you use this feature for accounts not in the UNIX password
|
|
|
|
|
# file, then you must update the "local_recipient_maps" setting in
|
|
|
|
|
# the main.cf file, otherwise the SMTP server will reject mail for
|
|
|
|
|
# the main.cf file, otherwise the SMTP server will reject mail for
|
|
|
|
|
# non-UNIX accounts with "User unknown in local recipient table".
|
|
|
|
|
#
|
|
|
|
|
#fallback_transport = lmtp:unix:/file/name
|
|
|
|
|
@@ -1556,15 +1556,15 @@ mynetworks = 127.0.0.0/8
|
|
|
|
|
#
|
|
|
|
|
# NOTE: if you use this feature for accounts not in the UNIX password
|
|
|
|
|
# file, then you must specify "local_recipient_maps =" (i.e. empty) in
|
|
|
|
|
# the main.cf file, otherwise the SMTP server will reject mail for
|
|
|
|
|
# the main.cf file, otherwise the SMTP server will reject mail for
|
|
|
|
|
# non-UNIX accounts with "User unknown in local recipient table".
|
|
|
|
|
#
|
|
|
|
|
#luser_relay = $user@other.host
|
|
|
|
|
#luser_relay = $local@other.host
|
|
|
|
|
#luser_relay = admin+$local
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# JUNK MAIL CONTROLS
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# The controls listed here are only a very small subset. The file
|
|
|
|
|
# SMTPD_ACCESS_README provides an overview.
|
|
|
|
|
|
|
|
|
|
@@ -1586,11 +1586,11 @@ mynetworks = 127.0.0.0/8
|
|
|
|
|
# deferred mail, so that mail can be flushed quickly with the SMTP
|
|
|
|
|
# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
|
|
|
|
|
# See the ETRN_README document for a detailed description.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# The fast_flush_domains parameter controls what destinations are
|
|
|
|
|
# eligible for this service. By default, they are all domains that
|
|
|
|
|
# this server is willing to relay mail to.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
#fast_flush_domains = $relay_domains
|
|
|
|
|
|
|
|
|
|
# SHOW SOFTWARE VERSION OR NOT
|
|
|
|
|
@@ -1616,7 +1616,7 @@ smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
|
|
|
|
|
# too many are run at the same time. With SMTP deliveries, 10
|
|
|
|
|
# simultaneous connections to the same domain could be sufficient to
|
|
|
|
|
# raise eyebrows.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# Each message delivery transport has its XXX_destination_concurrency_limit
|
|
|
|
|
# parameter. The default is $default_destination_concurrency_limit for
|
|
|
|
|
# most delivery transports. For the local delivery agent the default is 2.
|
|
|
|
|
@@ -1674,10 +1674,10 @@ debugger_command =
|
|
|
|
|
# INSTALL-TIME CONFIGURATION INFORMATION
|
|
|
|
|
#
|
|
|
|
|
# The following parameters are used when installing a new Postfix version.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# sendmail_path: The full pathname of the Postfix sendmail command.
|
|
|
|
|
# This is the Sendmail-compatible mail posting interface.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
sendmail_path = /usr/sbin/sendmail
|
|
|
|
|
|
|
|
|
|
# newaliases_path: The full pathname of the Postfix newaliases command.
|
|
|
|
|
@@ -1687,7 +1687,7 @@ newaliases_path = /usr/bin/newaliases
|
|
|
|
|
|
|
|
|
|
# mailq_path: The full pathname of the Postfix mailq command. This
|
|
|
|
|
# is the Sendmail-compatible mail queue listing command.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
mailq_path = /usr/bin/mailq
|
|
|
|
|
|
|
|
|
|
# setgid_group: The group for mail submission and queue management
|
|
|
|
|
@@ -1724,9 +1724,9 @@ smtpd_recipient_restrictions = permit_mynetworks,
|
|
|
|
|
reject_non_fqdn_recipient
|
|
|
|
|
smtpd_sender_restrictions = permit_mynetworks,
|
|
|
|
|
reject_sender_login_mismatch,
|
|
|
|
|
permit_sasl_authenticated,
|
|
|
|
|
reject_unknown_helo_hostname,
|
|
|
|
|
reject_unknown_recipient_domain,
|
|
|
|
|
permit_sasl_authenticated,
|
|
|
|
|
reject_unknown_helo_hostname,
|
|
|
|
|
reject_unknown_recipient_domain,
|
|
|
|
|
reject_unknown_sender_domain
|
|
|
|
|
smtpd_client_restrictions = permit_mynetworks,
|
|
|
|
|
permit_sasl_authenticated,
|
|
|
|
|
@@ -1734,7 +1734,7 @@ smtpd_client_restrictions = permit_mynetworks,
|
|
|
|
|
|
|
|
|
|
# Postfix 2.10 requires this option. Postfix < 2.10 ignores this.
|
|
|
|
|
# The option is intentionally left empty.
|
|
|
|
|
smtpd_relay_restrictions =
|
|
|
|
|
smtpd_relay_restrictions =
|
|
|
|
|
|
|
|
|
|
# Maximum size of Message in bytes (50MB)
|
|
|
|
|
message_size_limit = 52428800
|
|
|
|
|
@@ -1954,7 +1954,7 @@ dovecot unix - n n - - pipe
|
|
|
|
|
# Enable installed protocols
|
|
|
|
|
!include_try /usr/share/dovecot/protocols.d/*.protocol
|
|
|
|
|
|
|
|
|
|
# A comma separated list of IPs or hosts where to listen in for connections.
|
|
|
|
|
# A comma separated list of IPs or hosts where to listen in for connections.
|
|
|
|
|
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
|
|
|
|
|
# If you want to specify non-default ports or anything more complex,
|
|
|
|
|
# edit conf.d/master.conf.
|
|
|
|
|
@@ -1979,7 +1979,7 @@ dovecot unix - n n - - pipe
|
|
|
|
|
#login_trusted_networks =
|
|
|
|
|
|
|
|
|
|
# Space separated list of login access check sockets (e.g. tcpwrap)
|
|
|
|
|
#login_access_sockets =
|
|
|
|
|
#login_access_sockets =
|
|
|
|
|
|
|
|
|
|
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
|
|
|
|
|
# proxying. This isn't necessary normally, but may be useful if the destination
|
|
|
|
|
@@ -2068,7 +2068,7 @@ dict {
|
|
|
|
|
# );
|
|
|
|
|
|
|
|
|
|
# Database driver: mysql, pgsql, sqlite
|
|
|
|
|
driver = mysql
|
|
|
|
|
driver = mysql
|
|
|
|
|
|
|
|
|
|
# Database connection string. This is driver-specific setting.
|
|
|
|
|
#
|
|
|
|
|
@@ -2095,7 +2095,7 @@ driver = mysql
|
|
|
|
|
# option_file - Read options from the given file instead of
|
|
|
|
|
# the default my.cnf location
|
|
|
|
|
# option_group - Read options from the given group (default: client)
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# You can connect to UNIX sockets by using host: host=/var/run/mysql.sock
|
|
|
|
|
# Note that currently you can't use spaces in parameters.
|
|
|
|
|
#
|
|
|
|
|
@@ -2134,7 +2134,7 @@ default_pass_scheme = CRYPT
|
|
|
|
|
# %u = entire user@domain
|
|
|
|
|
# %n = user part of user@domain
|
|
|
|
|
# %d = domain part of user@domain
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# Note that these can be used only as input to SQL query. If the query outputs
|
|
|
|
|
# any of these substitutions, they're not touched. Otherwise it would be
|
|
|
|
|
# difficult to have eg. usernames containing '%' characters.
|
|
|
|
|
@@ -2218,7 +2218,7 @@ password_query = SELECT username AS user, password_enc AS password, CONCAT(homed
|
|
|
|
|
|
|
|
|
|
# Default realm/domain to use if none was specified. This is used for both
|
|
|
|
|
# SASL realms and appending @domain to username in plaintext logins.
|
|
|
|
|
#auth_default_realm =
|
|
|
|
|
#auth_default_realm =
|
|
|
|
|
|
|
|
|
|
# List of allowed characters in username. If the user-given username contains
|
|
|
|
|
# a character not listed in here, the login automatically fails. This is just
|
|
|
|
|
@@ -2261,7 +2261,7 @@ password_query = SELECT username AS user, password_enc AS password, CONCAT(homed
|
|
|
|
|
# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
|
|
|
|
|
# default (usually /etc/krb5.keytab) if not specified. You may need to change
|
|
|
|
|
# the auth service to run as root to be able to read this file.
|
|
|
|
|
#auth_krb5_keytab =
|
|
|
|
|
#auth_krb5_keytab =
|
|
|
|
|
|
|
|
|
|
# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
|
|
|
|
|
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
|
|
|
|
|
@@ -2276,9 +2276,9 @@ password_query = SELECT username AS user, password_enc AS password, CONCAT(homed
|
|
|
|
|
# Require a valid SSL client certificate or the authentication fails.
|
|
|
|
|
#auth_ssl_require_client_cert = no
|
|
|
|
|
|
|
|
|
|
# Take the username from client's SSL certificate, using
|
|
|
|
|
# Take the username from client's SSL certificate, using
|
|
|
|
|
# X509_NAME_get_text_by_NID() which returns the subject's DN's
|
|
|
|
|
# CommonName.
|
|
|
|
|
# CommonName.
|
|
|
|
|
#auth_ssl_username_from_cert = no
|
|
|
|
|
|
|
|
|
|
# Space separated list of wanted authentication mechanisms:
|
|
|
|
|
@@ -2368,11 +2368,11 @@ namespace inbox {
|
|
|
|
|
# Hierarchy separator to use. You should use the same separator for all
|
|
|
|
|
# namespaces or some clients get confused. '/' is usually a good one.
|
|
|
|
|
# The default however depends on the underlying mail storage format.
|
|
|
|
|
#separator =
|
|
|
|
|
#separator =
|
|
|
|
|
|
|
|
|
|
# Prefix required to access this namespace. This needs to be different for
|
|
|
|
|
# all namespaces. For example "Public/".
|
|
|
|
|
#prefix =
|
|
|
|
|
#prefix =
|
|
|
|
|
|
|
|
|
|
# Physical location of the mailbox. This is in same format as
|
|
|
|
|
# mail_location, which is also the default for it.
|
|
|
|
|
@@ -2501,7 +2501,7 @@ mail_access_groups = vmail
|
|
|
|
|
# WARNING: Never add directories here which local users can modify, that
|
|
|
|
|
# may lead to root exploit. Usually this should be done only if you don't
|
|
|
|
|
# allow shell access for users. <doc/wiki/Chrooting.txt>
|
|
|
|
|
#valid_chroot_dirs =
|
|
|
|
|
#valid_chroot_dirs =
|
|
|
|
|
|
|
|
|
|
# Default chroot directory for mail processes. This can be overridden for
|
|
|
|
|
# specific users in user database by giving /./ in user's home directory
|
|
|
|
|
@@ -2509,7 +2509,7 @@ mail_access_groups = vmail
|
|
|
|
|
# need to do chrooting, Dovecot doesn't allow users to access files outside
|
|
|
|
|
# their mail directory anyway. If your home directories are prefixed with
|
|
|
|
|
# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
|
|
|
|
|
#mail_chroot =
|
|
|
|
|
#mail_chroot =
|
|
|
|
|
|
|
|
|
|
# UNIX socket path to master authentication server to find users.
|
|
|
|
|
# This is used by imap (for shared users) and lda.
|
|
|
|
|
@@ -2520,7 +2520,7 @@ mail_access_groups = vmail
|
|
|
|
|
|
|
|
|
|
# Space separated list of plugins to load for all services. Plugins specific to
|
|
|
|
|
# IMAP, LDA, etc. are added to this list in their own .conf files.
|
|
|
|
|
#mail_plugins =
|
|
|
|
|
#mail_plugins =
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
|
## Mailbox handling optimizations
|
|
|
|
|
@@ -2626,7 +2626,7 @@ mail_access_groups = vmail
|
|
|
|
|
# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
|
|
|
|
|
# how it's expected to be. The only real downside to this setting is that if
|
|
|
|
|
# some other MUA changes message flags, Dovecot doesn't notice it immediately.
|
|
|
|
|
# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
|
|
|
|
|
# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
|
|
|
|
|
# commands.
|
|
|
|
|
#mbox_dirty_syncs = yes
|
|
|
|
|
|
|
|
|
|
@@ -2753,7 +2753,7 @@ service lmtp {
|
|
|
|
|
#inet_listener lmtp {
|
|
|
|
|
# Avoid making LMTP visible for the entire internet
|
|
|
|
|
#address =
|
|
|
|
|
#port =
|
|
|
|
|
#port =
|
|
|
|
|
#}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -2787,8 +2787,8 @@ service auth {
|
|
|
|
|
# permissions (e.g. 0777 allows everyone full permissions).
|
|
|
|
|
unix_listener auth-userdb {
|
|
|
|
|
#mode = 0666
|
|
|
|
|
#user =
|
|
|
|
|
#group =
|
|
|
|
|
#user =
|
|
|
|
|
#group =
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# Postfix smtp-auth
|
|
|
|
|
@@ -2821,8 +2821,8 @@ service dict {
|
|
|
|
|
# For example: mode=0660, group=vmail and global mail_access_groups=vmail
|
|
|
|
|
unix_listener dict {
|
|
|
|
|
#mode = 0600
|
|
|
|
|
#user =
|
|
|
|
|
#group =
|
|
|
|
|
#user =
|
|
|
|
|
#group =
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]]>
|
|
|
|
|
@@ -2841,7 +2841,7 @@ postmaster_address = postmaster@<SERVERNAME>
|
|
|
|
|
|
|
|
|
|
# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
|
|
|
|
|
# in LMTP replies. Default is the system's real hostname@domain.
|
|
|
|
|
#hostname =
|
|
|
|
|
#hostname =
|
|
|
|
|
|
|
|
|
|
# If user is over quota, return with temporary failure instead of
|
|
|
|
|
# bouncing the mail.
|
|
|
|
|
@@ -2865,7 +2865,7 @@ postmaster_address = postmaster@<SERVERNAME>
|
|
|
|
|
#recipient_delimiter = +
|
|
|
|
|
|
|
|
|
|
# Header where the original recipient address (SMTP's RCPT TO: address) is taken
|
|
|
|
|
# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
|
|
|
|
|
# from if not available elsewhere. With dovecot-lda -a parameter overrides this.
|
|
|
|
|
# A commonly used header for this is X-Original-To.
|
|
|
|
|
#lda_original_recipient_header =
|
|
|
|
|
|
|
|
|
|
@@ -2901,7 +2901,7 @@ protocol lda {
|
|
|
|
|
|
|
|
|
|
# Override the IMAP CAPABILITY response. If the value begins with '+',
|
|
|
|
|
# add the given capabilities on top of the defaults (e.g. +XFOO XBAR).
|
|
|
|
|
#imap_capability =
|
|
|
|
|
#imap_capability =
|
|
|
|
|
|
|
|
|
|
# How long to wait between "OK Still here" notifications when client is
|
|
|
|
|
# IDLEing.
|
|
|
|
|
@@ -2910,7 +2910,7 @@ protocol lda {
|
|
|
|
|
# ID field names and values to send to clients. Using * as the value makes
|
|
|
|
|
# Dovecot use the default value. The following fields have default values
|
|
|
|
|
# currently: name, version, os, os-version, support-url, support-email.
|
|
|
|
|
#imap_id_send =
|
|
|
|
|
#imap_id_send =
|
|
|
|
|
|
|
|
|
|
# ID fields sent by client to log. * means everything.
|
|
|
|
|
#imap_id_log =
|
|
|
|
|
@@ -2933,7 +2933,7 @@ protocol lda {
|
|
|
|
|
# greyed out, instead of only later giving "not selectable" popup error.
|
|
|
|
|
#
|
|
|
|
|
# The list is space-separated.
|
|
|
|
|
#imap_client_workarounds =
|
|
|
|
|
#imap_client_workarounds =
|
|
|
|
|
|
|
|
|
|
# Host allowed in URLAUTH URLs sent by client. "*" allows all.
|
|
|
|
|
#imap_urlauth_host =
|
|
|
|
|
@@ -3122,7 +3122,7 @@ protocol sieve {
|
|
|
|
|
# Outlook Express and Netscape Mail breaks if end of headers-line is
|
|
|
|
|
# missing. This option simply sends it if it's missing.
|
|
|
|
|
# The list is space-separated.
|
|
|
|
|
#pop3_client_workarounds =
|
|
|
|
|
#pop3_client_workarounds =
|
|
|
|
|
|
|
|
|
|
protocol pop3 {
|
|
|
|
|
# Space separated list of plugins to load (default is global mail_plugins).
|
|
|
|
|
@@ -3276,6 +3276,11 @@ plugin {
|
|
|
|
|
<!-- Proftpd -->
|
|
|
|
|
<daemon name="proftpd" title="ProFTPd" default="true">
|
|
|
|
|
<install><![CDATA[apt-get install proftpd-basic proftpd-mod-mysql]]></install>
|
|
|
|
|
<commands>
|
|
|
|
|
<command><![CDATA[[ -f /etc/ssl/certs/proftpd.crt ] || openssl req -new -x509 -newkey rsa:4096 -days 3650 -nodes -out /etc/ssl/certs/proftpd.crt -keyout /etc/ssl/private/proftpd.key -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
|
|
|
|
|
<command><![CDATA[[ -f /etc/ssl/certs/proftpd_ec.crt ] || openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp521r1) -keyout /etc/ssl/private/proftpd_ec.key -out /etc/ssl/certs/proftpd_ec.crt -days 3650 -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"]]></command>
|
|
|
|
|
<command><![CDATA[chmod 0600 /etc/ssl/private/proftpd.key /etc/ssl/private/proftpd_ec.key]]></command>
|
|
|
|
|
</commands>
|
|
|
|
|
<file name="/etc/proftpd/proftpd.conf" chown="root:0" chmod="0600"
|
|
|
|
|
backup="true">
|
|
|
|
|
<content><![CDATA[
|
|
|
|
|
@@ -3283,7 +3288,7 @@ plugin {
|
|
|
|
|
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
|
|
|
|
|
# To really apply changes, reload proftpd after modifications, if
|
|
|
|
|
# it runs in daemon mode. It is not required in inetd/xinetd mode.
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
# Includes DSO modules
|
|
|
|
|
Include /etc/proftpd/modules.conf
|
|
|
|
|
@@ -3311,7 +3316,7 @@ ListOptions "-l"
|
|
|
|
|
|
|
|
|
|
DenyFilter \*.*/
|
|
|
|
|
|
|
|
|
|
# Use this to jail all users in their homes
|
|
|
|
|
# Use this to jail all users in their homes
|
|
|
|
|
# DefaultRoot ~
|
|
|
|
|
|
|
|
|
|
# Users require a valid shell listed in /etc/shells to login.
|
|
|
|
|
@@ -3390,7 +3395,7 @@ Ratios off
|
|
|
|
|
|
|
|
|
|
# Delay engine reduces impact of the so-called Timing Attack described in
|
|
|
|
|
# http://www.securityfocus.com/bid/11430/discuss
|
|
|
|
|
# It is on by default.
|
|
|
|
|
# It is on by default.
|
|
|
|
|
<IfModule mod_delay.c>
|
|
|
|
|
DelayEngine on
|
|
|
|
|
</IfModule>
|
|
|
|
|
@@ -3416,7 +3421,7 @@ Include /etc/proftpd/sql.conf
|
|
|
|
|
#
|
|
|
|
|
# This is used for FTPS connections
|
|
|
|
|
#
|
|
|
|
|
#Include /etc/proftpd/tls.conf
|
|
|
|
|
Include /etc/proftpd/tls.conf
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Useful to keep VirtualHost/VirtualRoot directives separated
|
|
|
|
|
@@ -3433,24 +3438,24 @@ Include /etc/proftpd/sql.conf
|
|
|
|
|
# # Cosmetic changes, all files belongs to ftp user
|
|
|
|
|
# DirFakeUser on ftp
|
|
|
|
|
# DirFakeGroup on ftp
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# RequireValidShell off
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# # Limit the maximum number of anonymous logins
|
|
|
|
|
# MaxClients 10
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# # We want 'welcome.msg' displayed at login, and '.message' displayed
|
|
|
|
|
# # in each newly chdired directory.
|
|
|
|
|
# DisplayLogin welcome.msg
|
|
|
|
|
# DisplayChdir .message
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# # Limit WRITE everywhere in the anonymous chroot
|
|
|
|
|
# <Directory *>
|
|
|
|
|
# <Limit WRITE>
|
|
|
|
|
# DenyAll
|
|
|
|
|
# </Limit>
|
|
|
|
|
# </Directory>
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# # Uncomment this if you're brave.
|
|
|
|
|
# # <Directory incoming>
|
|
|
|
|
# # # Umask 022 is a good standard umask to prevent new files and dirs
|
|
|
|
|
@@ -3463,7 +3468,7 @@ Include /etc/proftpd/sql.conf
|
|
|
|
|
# # AllowAll
|
|
|
|
|
# # </Limit>
|
|
|
|
|
# # </Directory>
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# </Anonymous>
|
|
|
|
|
|
|
|
|
|
# Include other custom configuration files
|
|
|
|
|
@@ -3501,7 +3506,7 @@ LoadModule mod_sql.c
|
|
|
|
|
#LoadModule mod_ldap.c
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# 'SQLBackend mysql' or 'SQLBackend postgres' (or any other valid backend) directives
|
|
|
|
|
# 'SQLBackend mysql' or 'SQLBackend postgres' (or any other valid backend) directives
|
|
|
|
|
# are required to have SQL authorization working. You can also comment out the
|
|
|
|
|
# unused module here, in alternative.
|
|
|
|
|
#
|
|
|
|
|
@@ -3510,7 +3515,7 @@ LoadModule mod_sql.c
|
|
|
|
|
# mod_sql.c module to use this.
|
|
|
|
|
LoadModule mod_sql_mysql.c
|
|
|
|
|
|
|
|
|
|
# Install proftpd-mod-pgsql and decomment the previous
|
|
|
|
|
# Install proftpd-mod-pgsql and decomment the previous
|
|
|
|
|
# mod_sql.c module to use this.
|
|
|
|
|
#LoadModule mod_sql_postgres.c
|
|
|
|
|
|
|
|
|
|
@@ -3522,7 +3527,7 @@ LoadModule mod_sql_mysql.c
|
|
|
|
|
# mod_sql.c module to use this
|
|
|
|
|
#LoadModule mod_sql_odbc.c
|
|
|
|
|
|
|
|
|
|
# Install one of the previous SQL backends and decomment
|
|
|
|
|
# Install one of the previous SQL backends and decomment
|
|
|
|
|
# the previous mod_sql.c module to use this
|
|
|
|
|
#LoadModule mod_sql_passwd.c
|
|
|
|
|
|
|
|
|
|
@@ -3533,7 +3538,7 @@ LoadModule mod_quotatab_file.c
|
|
|
|
|
# Install proftpd-mod-ldap to use this
|
|
|
|
|
#LoadModule mod_quotatab_ldap.c
|
|
|
|
|
|
|
|
|
|
# Install one of the previous SQL backends and decomment
|
|
|
|
|
# Install one of the previous SQL backends and decomment
|
|
|
|
|
# the previous mod_sql.c module to use this
|
|
|
|
|
LoadModule mod_quotatab_sql.c
|
|
|
|
|
LoadModule mod_quotatab_radius.c
|
|
|
|
|
@@ -3543,7 +3548,7 @@ LoadModule mod_load.c
|
|
|
|
|
LoadModule mod_ban.c
|
|
|
|
|
LoadModule mod_wrap2.c
|
|
|
|
|
LoadModule mod_wrap2_file.c
|
|
|
|
|
# Install one of the previous SQL backends and decomment
|
|
|
|
|
# Install one of the previous SQL backends and decomment
|
|
|
|
|
# the previous mod_sql.c module to use this
|
|
|
|
|
#LoadModule mod_wrap2_sql.c
|
|
|
|
|
LoadModule mod_dynmasq.c
|
|
|
|
|
@@ -3554,7 +3559,7 @@ LoadModule mod_site_misc.c
|
|
|
|
|
|
|
|
|
|
LoadModule mod_sftp.c
|
|
|
|
|
LoadModule mod_sftp_pam.c
|
|
|
|
|
# Install one of the previous SQL backends and decomment
|
|
|
|
|
# Install one of the previous SQL backends and decomment
|
|
|
|
|
# the previous mod_sql.c module to use this
|
|
|
|
|
#LoadModule mod_sftp_sql.c
|
|
|
|
|
|
|
|
|
|
@@ -3590,7 +3595,7 @@ AuthOrder mod_sql.c
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Choose a SQL backend among MySQL or PostgreSQL.
|
|
|
|
|
# Both modules are loaded in default configuration, so you have to specify the backend
|
|
|
|
|
# Both modules are loaded in default configuration, so you have to specify the backend
|
|
|
|
|
# or comment out the unused module in /etc/proftpd/modules.conf.
|
|
|
|
|
# Use 'mysql' or 'postgres' as possible values.
|
|
|
|
|
#
|
|
|
|
|
@@ -3599,13 +3604,13 @@ SQLBackend mysql
|
|
|
|
|
SQLEngine on
|
|
|
|
|
SQLAuthenticate on
|
|
|
|
|
#
|
|
|
|
|
# Use both a crypted or plaintext password
|
|
|
|
|
# Use both a crypted or plaintext password
|
|
|
|
|
SQLAuthTypes Crypt
|
|
|
|
|
|
|
|
|
|
SQLAuthenticate users* groups*
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Connection
|
|
|
|
|
# Connection
|
|
|
|
|
SQLConnectInfo <SQL_DB>@<SQL_HOST> <SQL_UNPRIVILEGED_USER> <SQL_UNPRIVILEGED_PASSWORD>
|
|
|
|
|
#
|
|
|
|
|
# Describes both users/groups tables
|
|
|
|
|
@@ -3635,6 +3640,33 @@ SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used,bytes_out_
|
|
|
|
|
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used= files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name= '%{6}' AND quota_type = '%{7}'" ftp_quotatallies
|
|
|
|
|
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4},%{5}, %{6}, %{7}" ftp_quotatallies
|
|
|
|
|
|
|
|
|
|
</IfModule>
|
|
|
|
|
]]>
|
|
|
|
|
</content>
|
|
|
|
|
</file>
|
|
|
|
|
<file name="/etc/proftpd/tls.conf" chown="root:root" chmod="0644" backup="true">
|
|
|
|
|
<content><![CDATA[
|
|
|
|
|
<IfModule mod_tls.c>
|
|
|
|
|
TLSEngine on
|
|
|
|
|
TLSLog /var/log/proftpd/tls.log
|
|
|
|
|
TLSProtocol TLSv1 TLSv1.1 TLSv1.2
|
|
|
|
|
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
|
|
|
|
|
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
|
|
|
|
|
TLSECCertificateFile /etc/ssl/certs/proftpd_ec.crt
|
|
|
|
|
TLSECCertificateKeyFile /etc/ssl/private/proftpd_ec.key
|
|
|
|
|
TLSOptions NoCertRequest NoSessionReuseRequired
|
|
|
|
|
TLSVerifyClient off
|
|
|
|
|
|
|
|
|
|
# Are clients required to use FTP over TLS when talking to this server?
|
|
|
|
|
#TLSRequired on
|
|
|
|
|
|
|
|
|
|
# Allow SSL/TLS renegotiations when the client requests them, but
|
|
|
|
|
# do not force the renegotations. Some clients do not support
|
|
|
|
|
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
|
|
|
|
|
# clients will close the data connection, or there will be a timeout
|
|
|
|
|
# on an idle data connection.
|
|
|
|
|
#
|
|
|
|
|
#TLSRenegotiate required off
|
|
|
|
|
</IfModule>
|
|
|
|
|
]]>
|
|
|
|
|
</content>
|
|
|
|
|
@@ -3777,7 +3809,7 @@ MYSQLGetGID SELECT gid FROM ftp_users WHERE username="\L" AND login_enabled=
|
|
|
|
|
MYSQLGetDir SELECT homedir FROM ftp_users WHERE username="\L" AND login_enabled="y"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Optional : query to get the maximal number of files
|
|
|
|
|
# Optional : query to get the maximal number of files
|
|
|
|
|
# Pure-FTPd must have been compiled with virtual quotas support.
|
|
|
|
|
|
|
|
|
|
# MySQLGetQTAFS SELECT QuotaFiles FROM users WHERE User='\L'
|
|
|
|
|
@@ -3971,7 +4003,7 @@ password <SQL_UNPRIVILEGED_PASSWORD>
|
|
|
|
|
</file>
|
|
|
|
|
<file name="/etc/nsswitch.conf" backup="true">
|
|
|
|
|
<content><![CDATA[
|
|
|
|
|
# Make sure that `passwd`, `group` and `shadow` have mysql in their lines
|
|
|
|
|
# Make sure that `passwd`, `group` and `shadow` have mysql in their lines
|
|
|
|
|
# You should place mysql at the end, so that it is queried after the other mechanisams
|
|
|
|
|
#
|
|
|
|
|
passwd: compat mysql
|
|
|
|
|
@@ -4036,7 +4068,7 @@ aliases: files
|
|
|
|
|
<command><![CDATA[mkdir -p {{settings.system.mod_fcgid_tmpdir}}]]></command>
|
|
|
|
|
<command><![CDATA[a2dismod php5]]></command>
|
|
|
|
|
</commands>
|
|
|
|
|
<!-- instead of just restarting apache, we let the cronjob do all the
|
|
|
|
|
<!-- instead of just restarting apache, we let the cronjob do all the
|
|
|
|
|
dirty work -->
|
|
|
|
|
<command><![CDATA[php {{const.FROXLOR_INSTALL_DIR}}/scripts/froxlor_master_cronjob.php --force]]></command>
|
|
|
|
|
</daemon>
|
|
|
|
|
@@ -4074,7 +4106,7 @@ aliases: files
|
|
|
|
|
</visibility>
|
|
|
|
|
<command><![CDATA[a2dismod php5]]></command>
|
|
|
|
|
</commands>
|
|
|
|
|
<!-- instead of just restarting apache, we let the cronjob do all the
|
|
|
|
|
<!-- instead of just restarting apache, we let the cronjob do all the
|
|
|
|
|
dirty work -->
|
|
|
|
|
<command><![CDATA[php {{const.FROXLOR_INSTALL_DIR}}/scripts/froxlor_master_cronjob.php --force]]></command>
|
|
|
|
|
</daemon>
|
|
|
|
|
|
Johannes Feichtner