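# Django 2014-07-13
# Kickstart file for unattended provisioning of DMZ machines (64 bit)
#
# Version=CentOS 7
# Run the Setup Agent on first boot
######firstboot --enable
######ignoredisk --only-use=vda
# Keyboard layout
keyboard --vckeymap=de --xlayouts='de (nodeadkeys)'
# System language
lang en_US.UTF-8
# Network settings; the file is generated by the %pre script at the end of
# this kickstart, so the two paths must stay in sync.
%include /tmp/networks.cfg
# Time zone
timezone Europe/Berlin --isUtc --ntpservers=vml000020.dmz.nausch.org
# Network installation from the local repository
#url --url="http://10.0.0.50/centos/7/os/x86_64"
# Network installation from the local repository with the current packages
repo --name=installupdates --baseurl=http://10.0.0.57/centos/7/updates/x86_64/
# Authentication options for the system
auth --enableshadow --passalgo=sha512
# Root password, supplied pre-hashed
rootpw --iscrypted $6$PZhVKqBb7vE5NgOq$fuqZ6zwDjbK214BUqjEIjxB0omMMzWrLbOmfKIlK14b71RsTmkRLqTmxZyr0YmCrl8sgkgIuj7N3B1TG67/6a0
# Default user account
user --name=django --password=$6$34os/lDDY2cAEfyW$fqe3PP3Qo5FDAtC724a7plCieqgeYCWONkaKgYnQKm5iDx/3WtCq8Tv0VA2MLkYAhW9/IySlhFIJZIU0UyiOv/ --iscrypted
# Remove existing partitions
clearpart --all --initlabel --drives=vda
# System bootloader configuration
bootloader --location=mbr --boot-drive=vda
# SELinux in permissive mode: denials are only logged, not enforced
selinux --permissive
# Disable kdump
services --disabled=bluetooth,kdump
# Reboot after the installation
reboot
# Package selection (minimal installation plus extra packages)
%packages
@core
#-selinux-policy*
-iwl*firmware
vim
mc
bind-utils
wget
telnet
yum-priorities
acpid
net-tools
yum-plugin-changelog
lsof
bash-completion
%end
%addon com_redhat_kdump --disable --reserve-mb='auto'
%end
# Pre-install: derive the network address and hostname from the kernel
# command line and write the "network" directive pulled in by %include above.
#
# Hostnames follow the pattern vml000XXX; the last octet of the static
# address is the host number after the "vml000" prefix
# (vml000050 -> 10.0.0.50, vml000250 -> 10.0.0.250).
#
# The script uses [[ ]], substring expansion and 10# arithmetic, so the
# interpreter is pinned to bash rather than relying on /bin/sh being bash.
%pre --interpreter=/bin/bash
#!/bin/bash
# Target file of the %include directive. The DHCP fallback is written here
# first; the original wrote it to /tmp/network.ks, which nothing reads, so a
# boot without a SERVERNAME token ended up with no network line at all.
cfg=/tmp/networks.cfg
printf '%s\n' "network --device eth0 --bootproto dhcp --hostname vml000XXX.dmz.nausch.org" > "$cfg"

#######################################
# Emit the static kickstart network directive.
# Arguments: $1 - last octet of the 10.0.0.0/24 address
#            $2 - short hostname (the .dmz.nausch.org suffix is appended)
# Outputs:   the directive on stdout
#######################################
static_line() {
  printf 'network --device eth0 --bootproto=static --onboot=on --ip 10.0.0.%s --netmask 255.255.255.0 --gateway 10.0.0.17 --nameserver 10.0.0.20 --noipv6 --hostname %s.dmz.nausch.org\n' "$1" "$2"
}

# /proc/cmdline is a single space-separated line; read it into an array
# instead of word-splitting an unquoted $(cat ...), which would also glob.
read -r -a tokens < /proc/cmdline
for x in "${tokens[@]}"; do
  case $x in
    SERVERNAME=*)
      # Take the value by parameter expansion rather than eval'ing the token,
      # so nothing from the command line is ever executed as shell.
      servername=${x#SERVERNAME=}
      if [[ -z "$servername" ]]; then
        # Empty value: fixed fallback address and hostname
        static_line 250 vml000250 > "$cfg"
      else
        octet=${servername:6:3}
        if [[ "$octet" =~ ^[0-9]{1,3}$ ]] && (( 10#$octet >= 1 && 10#$octet <= 254 )); then
          # 10# strips leading zeros (vml000050 -> 50, vml000005 -> 5)
          # without interpreting the digits as octal.
          static_line "$((10#$octet))" "$servername" > "$cfg"
        else
          # Unusable host number: keep the DHCP fallback written above
          printf 'SERVERNAME=%s does not end in a usable host number; keeping DHCP fallback\n' "$servername" >&2
        fi
      fi
      ;;
  esac
done
%end
# Post-install instructions
%post --log=/root/anaconda-postinstall.log
#!/bin/bash
DATUM=$(date +"%Y-%m-%d")
for x in `cat /proc/cmdline`; do
case $x in
SERVERNAME*)
eval $x
############ adjust bootloader, remove rhgb from the boot options ###########
sed -i 's/rhgb//g' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
#################################################################################
######################## customise MOTD and ISSUE.NET ###################
# create /etc/issue.net
cat < /etc/issue.net
############################################################################## # # # This is a private home server. # # # # Unauthorized access to this system is prohibited ! # # # # This system is actively monitored and all connections may be logged. # # By accessing this system, you consent to this monitoring. # # # ##############################################################################
ISSUE.NET
chown root:root /etc/issue.net
chmod 644 /etc/issue.net
# create /etc/motd
cat < /etc/motd
############################################################################## # # # This is the home server of Michael Nausch. # # # # $SERVERNAME.nausch.org # # # # Unauthorized access to this system is prohibited ! # # # # This system is actively monitored and all connections may be logged. 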
# # By accessing this system, you consent to this monitoring. # # # ############################################################################## MOTD chown root:root /etc/motd chmod 644 /etc/motd ################################################################################# #################### lokales gespiegeltes Repository benutzen ################### rm -f /etc/yum.repos.d/CentOS-Base.repo cat < /etc/yum.repos.d/CentOS-Base.repo # CentOS-LOCAL.repo # # This file uses a new mirrorlist system developed by Lance Davis for CentOS. # The mirror system uses the connecting IP address of the client and the # update status of each mirror to pick mirrors that are updated to and # geographically close to the client. You should use this for CentOS updates # unless you are manually picking other mirrors. # # If the mirrorlist= does not work for you, as a fall back you can try the # remarked out baseurl= line instead. # # Version für den Zugriff auf das lokale Centos-Repository [base-LC] name=CentOS-7 - Base baseurl=http://repository.nausch.org/centos/\$releasever/os/\$basearch/ priority=1 exclude=dovecot* gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 #released updates [updates-LC] name=CentOS-7 - Updates baseurl=http://repository.nausch.org/centos/\$releasever/updates/\$basearch/ priority=1 exclude=dovecot* gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 #additional packages that may be useful [extras-LC] name=CentOS-7 - Extras baseurl=http://repository.nausch.org/centos/\$releasever/extras/\$basearch/ priority=1 gpgcheck=1 enabled = 1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 #additional packages that extend functionality of existing packages [centosplus-LC] name=CentOS-7 - Plus baseurl=http://repository.nausch.org/centos/\$releasever/centosplus/\$basearch/ priority=2 gpgcheck=1 enabled=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 REPOSITORY chown root:root /etc/yum.repos.d/CentOS-Base.repo chmod 644 
/etc/yum.repos.d/CentOS-Base.repo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 ################################################################################# ################### eigenes Repository mailserver.guru benutzen ################# cat < /etc/yum.repos.d/mailserver.guru.repo [mailserver.guru-os] name=Extra (Mailserver-)Packages for Enterprise Linux 7 - $basearch baseurl=http://repo.mailserver.guru/7/os/\$basearch priority=5 enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/MAILSERVER.GURU-RPM-GPG-KEY-CentOS-7 [mailserver.guru-testing] name=Testing (Mailserver-)Packages for Enterprise Linux 7 - $basearch baseurl=http://repo.mailserver.guru/7/testing/\$basearch/ priority=5 enabled=0 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/MAILSERVER.GURU-RPM-GPG-KEY-CentOS-7 MAILSERVER.GURU chown root:root /etc/yum.repos.d/mailserver.guru.repo chmod 644 /etc/yum.repos.d/mailserver.guru.repo rpm --import http://repo.mailserver.guru/7/MAILSERVER.GURU-RPM-GPG-KEY-CentOS-7 ################################################################################# ########################### EPEL Repository einbinden ########################### cat < /etc/yum.repos.d/epel.repo [epel] name=Extra Packages for Enterprise Linux 7 - \$basearch baseurl=http://repository.nausch.org/epel/7/\$basearch #mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=\$basearch failovermethod=priority enabled=1 gpgcheck=1 priority = 10 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 [epel-debuginfo] name=Extra Packages for Enterprise Linux 7 - \$basearch - Debug #baseurl=http://download.fedoraproject.org/pub/epel/7/\$basearch/debug mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=\$basearch failovermethod=priority enabled=0 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 gpgcheck=1 [epel-source] name=Extra Packages for Enterprise Linux 7 - \$basearch - Source #baseurl=http://download.fedoraproject.org/pub/epel/7/\$basearch/SRPMS 
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=\$basearch failovermethod=priority enabled=0 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 gpgcheck=1 EPEL chown root:root /etc/yum.repos.d/epel.repo chmod 644 /etc/yum.repos.d/epel.repo rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7 ################################################################################# #################### yum-changelog auf always-on stellen ####################### rm -f /etc/yum/pluginconf.d/changelog.conf cat </etc/yum/pluginconf.d/changelog.conf [main] enabled=1 # Set to 'pre' or 'post' to see changes before or after transaction when=pre # Set to true, to always get the output (removes the cmd line arg) # Django : $DATUM # default: always=false always=true CHANGELOG chown root:root /etc/yum/pluginconf.d/changelog.conf chmod 644 /etc/yum/pluginconf.d/changelog.conf ################################################################################# ######################### yum-plugin-fastestmirror deaktivieren ################# rm -f /etc/yum/pluginconf.d/fastestmirror.conf cat < /etc/yum/pluginconf.d/fastestmirror.conf [main] # Django : $DATUM # fastestmirror deaktiviert, da nur das interne Repository genutzt werden soll! # default: enabled=1 enabled=0 verbose=0 always_print_best_host = true socket_timeout=3 # Relative paths are relative to the cachedir (and so works for users as well # as root). 
hostfilepath=timedhosts.txt maxhostfileage=10 maxthreads=15 #exclude=.gov, facebook #include_only=.nl,.de,.uk,.ie YUM-PLUGIN-FASTESTMIRROR chown root:root /etc/yum/pluginconf.d/fastestmirror.conf chmod 644 /etc/yum/pluginconf.d/fastestmirror.conf ################################################################################# ########################### ssh-daemon konfigurieren ############################ rm -f /etc/ssh/sshd_config cat < /etc/ssh/sshd_config # $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # Specifies which address family should be used by sshd(8). Valid arguments # are ''any'', ''inet'' (use IPv4 only), or ''inet6'' (use IPv6 only). AddressFamily any # Specifies the local addresses sshd(8) should listen on. The following # forms may be used: # ListenAddress host|IPv4_addr|IPv6_addr # ListenAddress host|IPv4_addr:port # ListenAddress [host|IPv6_addr]:port # If port is not specified, sshd will listen on the address and all prior # Port options specified. The default is to listen on all local addresses. # Multiple ListenAddress options are permitted. Additionally, any Port # options must precede this option for non-port qualified addresses. ListenAddress 0.0.0.0:22 # Specifies the protocol versions sshd(8) supports. The possible values are # '1' and '2'. Multiple versions must be comma-separated. The default is # ''2,1''. 
Note that the order of the protocol list does not indicate # preference, because the client selects among multiple protocol versions # offered by the server. Specifying ''2,1'' is identical to ''1,2''. Protocol 2 # Specifies a file containing a private host key used by SSH. The default # is /etc/ssh/ssh_host_key for protocol version 1, and # /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol # version 2. Note that sshd(8) will refuse to use a file if it is # group/world-accessible. It is possible to have multiple host key files. # ''rsa1'' keys are used for version 1 and ''dsa'' or ''rsa'' are used for # version 2 of the SSH protocol. HostKey /etc/ssh/ssh_host_ed25519_key # Specifies the ciphers allowed for protocol version 2. Multiple ciphers # must be comma-separated. The supported ciphers are ''3des-cbc'', # ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'', # ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'', # ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''. Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr # MACs' Specifies the available MAC (message authentication code) # algorithms. The MAC algorithm is used in protocol version 2 for data # integrity protection. Multiple algorithms must be comma-separated. MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 # Specifies the available KEX (Key Exchange) algorithms. Multiple # algorithms must be comma-separated. For ineroperability with Eclipse # and WinSCP): # KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 # If needed, open /etc/ssh/moduli if exists, and delete lines where the # 5th column is less than 2000. 
# awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli" # wc -l "${HOME}/moduli" # make sure there is something left # mv "${HOME}/moduli" /etc/ssh/moduli # # CentOS 6 # KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 # CentOS 7 / Fedora >21 "only" KexAlgorithms curve25519-sha256@libssh.org # Logging # Gives the facility code that is used when logging messages from sshd(8). # The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, # LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. SyslogFacility AUTHPRIV # Gives the verbosity level that is used when logging messages from sshd(8). # The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, # DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are # equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging # output. Logging with a DEBUG level violates the privacy of users and is # not recommended. # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a # clear audit track of which key was using to log in. LogLevel VERBOSE # Configures an external subsystem (e.g. file transfer daemon). Arguments # should be a subsystem name and a command (with optional arguments) to # execute upon subsystem request. Log sftp level file access # (read/write/etc.) that would not be easily logged otherwise. Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO # Authentication: # The server disconnects after this time if the user has not successfully # logged in. If the value is 0, there is no time limit. LoginGraceTime 0 # Specifies whether root can log in using ssh(1). The argument must be # ''yes'', ''without-password'', ''forced-commands-only'', or ''no''. # The default is ''yes''. If this option is set to ''without-password'', # password authentication is disabled for root. 
If this option is set to # ''forced-commands-only'', root login with public key authentication will # be allowed, but only if the command option has been specified (which # may be useful for taking remote backups even if root login is normally # not allowed). All other authentication methods are disabled for root. # If this option is set to ''no'', root is not allowed to log in. PermitRootLogin no # This keyword can be followed by a list of user name patterns, separated # by spaces. If specified, login is allowed only for user names that match # one of the patterns. Only user names are valid; a numerical user ID is # not recognized. By default, login is allowed for all users. If the pattern # takes the form USER@HOST then USER and HOST are separately checked, # restricting logins to particular users from particular hosts. The # allow/deny directives are processed in the following order: # DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. AllowUsers django # Specifies whether sshd(8) should check file modes and ownership of the # user's files and home directory before accepting login. This is normally # desirable because novices sometimes accidentally leave their directory # or files world-writable. StrictModes yes # Specifies the maximum number of authentication attempts permitted per # connection. Once the number of failures reaches half this value, # additional failures are logged. MaxAuthTries 6 # Specifies the maximum number of open sessions permitted per network # connection. MaxSessions 10 # Specifies the file that contains the public keys that can be used for # user authentication. AuthorizedKeysFile may contain tokens of the form # %T which are substituted during connection setup. The following tokens # are defined: %% is replaced by a literal '%', %h is replaced by the # home directory of the user being authenticated, and %u is replaced by # the username of that user. 
After expansion, AuthorizedKeysFile is # taken to be an absolute path or one relative to the user's home directory. AuthorizedKeysFile .ssh/authorized_keys # Specifies whether pure RSA authentication is allowed. The default is # ''yes''. This option applies to protocol version 1 only. RSAAuthentication no # Specifies whether public key authentication is allowed. The default is # ''yes''. Note that this option applies to protocol version 2 only. PubkeyAuthentication yes # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication RhostsRSAAuthentication no # Specifies whether rhosts or /etc/hosts.equiv authentication together # with successful public key client host authentication is allowed # (host-based authentication). This option is similar to # RhostsRSAAuthentication and applies to protocol version 2 only. HostbasedAuthentication no # Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts # during RhostsRSAAuthentication or HostbasedAuthentication. IgnoreUserKnownHosts no # Specifies that .rhosts and .shosts files will not be used in # RhostsRSAAuthentication or HostbasedAuthentication. # /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. IgnoreRhosts yes # Specifies whether password authentication is allowed. To disable tunneled # clear text passwords, change to no here! PasswordAuthentication no # When password authentication is allowed, it specifies whether the server # allows login to accounts with empty password strings. The default is ''no''. PermitEmptyPasswords no # Specifies whether challenge-response authentication is allowed # (e.g. via PAM or though authentication styles supported in login.conf(5)) # Change to no to disable s/key passwords ChallengeResponseAuthentication no # Specifies whether user authentication based on GSSAPI is allowed. 
GSSAPIAuthentication no # Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key # exchange doesn't rely on ssh keys to verify host identity. GSSAPIKeyExchange no # Specifies whether to automatically destroy the user's credentials cache # on logout. GSSAPICleanupCredentials yes # Determines whether to be strict about the identity of the GSSAPI acceptor # a client authenticates against. If ''yes'' then the client must authenticate # against the host service on the current hostname. If ''no'' then the client # may authenticate against any service key stored in the machine's default # store. This facility is provided to assist with operation on multi homed # machines. The default is ''yes''. Note that this option applies only to # protocol version 2 GSSAPI connections, and setting it to ''no'' may only # work with recent Kerberos GSSAPI libraries. GSSAPIStrictAcceptorCheck yes # Controls whether the user's GSSAPI credentials should be updated following # a successful connection rekeying. This option can be used to accepted # renewed or updated credentials from a compatible client. GSSAPIStoreCredentialsOnRekey no # Specifies whether ssh-agent(1) forwarding is permitted. The default is # ''yes''. Note that disabling agent forwarding does not improve security # unless users are also denied shell access, as they can always install # their own forwarders. AllowAgentForwarding yes # Specifies whether TCP forwarding is permitted. The default is ''yes''. # Note that disabling TCP forwarding does not improve security unless users # are also denied shell access, as they can always install their own # forwarders. AllowTcpForwarding yes # Specifies whether remote hosts are allowed to connect to ports forwarded # for the client. By default, sshd(8) binds remote port forwardings to the # loopback address. This prevents other remote hosts from connecting to # forwarded ports. 
GatewayPorts can be used to specify that sshd should # allow remote port forwardings to bind to non-loopback addresses, thus # allowing other hosts to connect. The argument may be ''no'' to force # remote port forwardings to be available to the local host only, ''yes'' # to force remote port forwardings to bind to the wildcard address, or # ''clientspecified'' to allow the client to select the address to which # the forwarding is bound. The default is ''no''. GatewayPorts no # Specifies whether X11 forwarding is permitted. The argument must be # ''yes'' or ''no''. The default is ''no''. # When X11 forwarding is enabled, there may be additional exposure to the # server and to client displays if the sshd(8) proxy display is configured # to listen on the wildcard address (see X11UseLocalhost below), though this # is not the default. Additionally, the authentication spoofing and # authentication data verification and substitution occur on the client side. # The security risk of using X11 forwarding is that the client's X11 display # server may be exposed to attack when the SSH client requests forwarding # (see the warnings for ForwardX11 in ssh_config(5)). A system administrator # may have a stance in which they want to protect clients that may expose # themselves to attack by unwittingly requesting X11 forwarding, which can # warrant a ''no'' setting. Note that disabling X11 forwarding does not # prevent users from forwarding X11 traffic, as users can always install # their own forwarders. X11 forwarding is automatically disabled if UseLogin # is enabled. X11Forwarding yes # Specifies the first display number available for sshd(8)'s X11 forwarding. # This prevents sshd from interfering with real X11 servers. # The default is 10. X11DisplayOffset 10 # Specifies whether sshd(8) should bind the X11 forwarding server to the # loopback address or to the wildcard address. 
By default, sshd binds the # forwarding server to the loopback address and sets the hostname part of # the DISPLAY environment variable to ''localhost''. This prevents remote # hosts from connecting to the proxy display. However, some older X11 clients # may not function with this configuration. X11UseLocalhost may be set to # ''no'' to specify that the forwarding server should be bound to the # wildcard address. The argument must be ''yes'' or ''no''. The default is # ''yes''. X11UseLocalhost yes # Specifies whether sshd(8) should print /etc/motd when a user logs in # interactively. (On some systems it is also printed by the shell, # /etc/profile, or equivalent.) The default is ''yes''. PrintMotd yes # Specifies whether sshd(8) should print the date and time of the last user # login when a user logs in interactively. The default is ''yes''. PrintLastLog yes # Specifies whether login(1) is used for interactive login sessions. The # default is ''no''. Note that login(1) is never used for remote command # execution. Note also, that if this is enabled, X11Forwarding will be # disabled because login(1) does not know how to handle xauth(1) cookies. # If UsePrivilegeSeparation is specified, it will be disabled after # authentication. UseLogin no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux # and may cause several problems. 
UsePAM yes # Specifies whether sshd(8) separates privileges by creating an unprivileged # child process to deal with incoming network traffic. After successful # authentication, another process will be created that has the privilege of # the authenticated user. The goal of privilege separation is to prevent # privilege escalation by containing any corruption within the unprivileged # processes. UsePrivilegeSeparation sandbox # Sets a timeout interval in seconds after which if no data has been # received from the client, sshd(8) will send a message through the # encrypted channel to request a response from the client. The default is 0, # indicating that these messages will not be sent to the client. This option # applies to protocol version 2 only. ClientAliveInterval 0 # Sets the number of client alive messages (see below) which may be sent # without sshd(8) receiving any messages back from the client. If this # threshold is reached while client alive messages are being sent, sshd will # disconnect the client, terminating the session. It is important to note # that the use of client alive messages is very different from TCPKeepAlive # (below). The client alive messages are sent through the encrypted channel # and therefore will not be spoofable. The TCP keepalive option enabled by # TCPKeepAlive is spoofable. The client alive mechanism is valuable when the # client or server depend on knowing when a connection has become inactive. # The default value is 3. If ClientAliveInterval (see below) is set to 15, # and ClientAliveCountMax is left at the default, unresponsive SSH clients # will be disconnected after approximately 45 seconds. This option applies # to protocol version 2 only. ClientAliveCountMax 3 # Specifies whether the system should send TCP keepalive messages to the # other side. If they are sent, death of the connection or crash of one of # the machines will be properly noticed. 
However, this means that # connections will die if the route is down temporarily, and some people # find it annoying. On the other hand, if TCP keepalives are not sent, # sessions may hang indefinitely on the server, leaving ''ghost'' users # and consuming server resources. The default is ''yes'' (to send TCP # keepalive messages), and the server will notice if the network goes down # or the client host crashes. This avoids infinitely hanging sessions. # To disable TCP keepalive messages, the value should be set to ''no''. TCPKeepAlive yes # Specifies whether sshd(8) should look up the remote host name and check # that the resolved host name for the remote IP address maps back to the # very same IP address. UseDNS yes # Specifies the file that contains the process ID of the SSH daemon. # The default is /var/run/sshd.pid. PidFile /var/run/sshd.pid # Specifies the maximum number of concurrent unauthenticated connections # to the SSH daemon. Additional connections will be dropped until # authentication succeeds or the LoginGraceTime expires for a connection. # The default is 10. # Alternatively, random early drop can be enabled by specifying the three # colon separated values ''start:rate:full'' (e.g. "10:30:60"). sshd(8) # will refuse connection attempts with a probability of ''rate/100'' (30%) # if there are currently ''start'' (10) unauthenticated connections. The # probability increases linearly and all connection attempts are refused # if the number of unauthenticated connections reaches ''full'' (60). MaxStartups 10:30:100 # Specifies whether tun(4) device forwarding is allowed. The argument must # be ''yes'', ''point-to-point'' (layer 3), ''ethernet'' (layer 2), or # ''no''. Specifying ''yes'' permits both ''point-to-point'' and # ''ethernet''. The default is ''no''. PermitTunnel no # Specifies a path to chroot(2) to after authentication. This path, and all # its components, must be root-owned directories that are not writable by # any other user or group. 
After the chroot, sshd(8) changes the working # directory to the user's home directory. # The path may contain the following tokens that are expanded at runtime # once the connecting user has been authenticated: %% is replaced by a # literal '%', %h is replaced by the home directory of the user being # authenticated, and %u is replaced by the username of that user. # The ChrootDirectory must contain the necessary files and directories to # support the user's session. For an interactive session this requires at # least a shell, typically sh(1), and basic /dev nodes such as null(4), # zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. # For file transfer sessions using ''sftp'', no additional configuration # of the environment is necessary if the in-process sftp server is used, # though sessions which use logging do require /dev/log inside the chroot # directory (see sftp-server(8) for details). ChrootDirectory none # The contents of the specified file are sent to the remote user before # authentication is allowed. 
Banner /etc/issue.net # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server SSHD_CONFIG chown root:root /etc/ssh/sshd_config chmod 644 /etc/ssh/sshd_config ################################################################################# ####################### Django's ssh-pubkey hinterlegen ######################### mkdir /home/django/.ssh chmod 700 /home/django/.ssh chown django:django /home/django/.ssh cat </home/django/.ssh/authorized_keys ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDYjDCtBTfrpbHHkRrqHOkhsMagrrD5d+IbkU6ddoBSp django@nausch.org AUTHORIZED_KEYS chmod 644 /home/django/.ssh/authorized_keys chown django:django /home/django/.ssh/authorized_keys ################################################################################# ####################### Nameserver Suchliste festlegen ########################## echo 'DOMAIN="dmz.nausch.org nausch.org"' >> /etc/sysconfig/network-scripts/ifcfg-eth0 ################################################################################# ############################# IPv6 deaktivieren ################################## #echo "# Django : $DATUM ## default: unset (IPv6 aktiv) #net.ipv6.conf.all.disable_ipv6 = 1 #net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf ################################################################################## ########################### Postfix Basis-Konfiguration ######################### rm -f /etc/postfix/main.cf cat < /etc/postfix/main.cf # Global Postfix configuration file. This file lists only a subset # of all parameters. 
For the syntax, and for a complete parameter # list, see the postconf(5) manual page (command: "man 5 postconf"). # # For common configuration examples, see BASIC_CONFIGURATION_README # and STANDARD_CONFIGURATION_README. To find these documents, use # the command "postconf html_directory readme_directory", or go to # http://www.postfix.org/. # # For best results, change no more than 2-3 parameters at a time, # and test if Postfix still works after every change. # SOFT BOUNCE # # The soft_bounce parameter provides a limited safety net for # testing. When soft_bounce is enabled, mail will remain queued that # would otherwise bounce. This parameter disables locally-generated # bounces, and prevents the SMTP server from rejecting mail permanently # (by changing 5xx replies into 4xx replies). However, soft_bounce # is no cure for address rewriting mistakes or mail routing mistakes. # #soft_bounce = no # LOCAL PATHNAME INFORMATION # # The queue_directory specifies the location of the Postfix queue. # This is also the root directory of Postfix daemons that run chrooted. # See the files in examples/chroot-setup for setting up Postfix chroot # environments on different UNIX systems. # queue_directory = /var/spool/postfix # The command_directory parameter specifies the location of all # postXXX commands. # command_directory = /usr/sbin # The daemon_directory parameter specifies the location of all Postfix # daemon programs (i.e. programs listed in the master.cf file). This # directory must be owned by root. # daemon_directory = /usr/libexec/postfix # The data_directory parameter specifies the location of Postfix-writable # data files (caches, random numbers). This directory must be owned # by the mail_owner account (see below). # data_directory = /var/lib/postfix # QUEUE AND PROCESS OWNERSHIP # # The mail_owner parameter specifies the owner of the Postfix queue # and of most Postfix daemon processes. 
Specify the name of a user # account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS # AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In # particular, don't specify nobody or daemon. PLEASE USE A DEDICATED # USER. # mail_owner = postfix # The default_privs parameter specifies the default rights used by # the local delivery agent for delivery to external file or command. # These rights are used in the absence of a recipient user context. # DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER. # #default_privs = nobody # INTERNET HOST AND DOMAIN NAMES # # The myhostname parameter specifies the internet hostname of this # mail system. The default is to use the fully-qualified domain name # from gethostname(). \$myhostname is used as a default value for many # other configuration parameters. # #myhostname = host.domain.tld #myhostname = virtual.domain.tld # Django : $DATUM - Hostname setzen # default: unset myhostname = $HOSTNAME # The mydomain parameter specifies the local internet domain name. # The default is to use \$myhostname minus the first component. # \$mydomain is used as a default value for many other configuration # parameters. # #mydomain = domain.tld # Django : $DATUM - Domainname setzen # default: unset mydomain = nausch.org # SENDING MAIL # # The myorigin parameter specifies the domain that locally-posted # mail appears to come from. The default is to append \$myhostname, # which is fine for small sites. If you run a domain with multiple # machines, you should (1) change this to \$mydomain and (2) set up # a domain-wide alias database that aliases each user to # user@that.users.mailhost. # # For the sake of consistency between sender and recipient addresses, # myorigin also specifies the default domain name that is appended # to recipient addresses that have no @domain part. 
# #myorigin = \$myhostname #myorigin = \$mydomain # Django : $DATUM Origin gesetzt # default: unset myorigin = \$mydomain # RECEIVING MAIL # The inet_interfaces parameter specifies the network interface # addresses that this mail system receives mail on. By default, # the software claims all active interfaces on the machine. The # parameter also controls delivery of mail to user@[ip.address]. # # See also the proxy_interfaces parameter, for network addresses that # are forwarded to us via a proxy or network address translator. # # Note: you need to stop/start Postfix when this parameter changes. # #inet_interfaces = all #inet_interfaces = \$myhostname #inet_interfaces = \$myhostname, localhost inet_interfaces = localhost # Enable IPv4, and IPv6 if supported # Django : $DATUM IPv6-Support deaktiviert # default : inet_protocols = all ##inet_protocols = ipv4 inet_protocols = all # The proxy_interfaces parameter specifies the network interface # addresses that this mail system receives mail on by way of a # proxy or network address translation unit. This setting extends # the address list specified with the inet_interfaces parameter. # # You must specify your proxy/NAT addresses when your system is a # backup MX host for other domains, otherwise mail delivery loops # will happen when the primary MX host is down. # #proxy_interfaces = #proxy_interfaces = 1.2.3.4 # The mydestination parameter specifies the list of domains that this # machine considers itself the final destination for. # # These domains are routed to the delivery agent specified with the # local_transport parameter setting. By default, that is the UNIX # compatible delivery agent that lookups all recipients in /etc/passwd # and /etc/aliases or their equivalent. # # The default is \$myhostname + localhost.\$mydomain. On a mail domain # gateway, you should also include \$mydomain. # # Do not specify the names of virtual domains - those domains are # specified elsewhere (see VIRTUAL_README). 
# # Do not specify the names of domains that this machine is backup MX # host for. Specify those names via the relay_domains settings for # the SMTP server, or use permit_mx_backup if you are lazy (see # STANDARD_CONFIGURATION_README). # # The local machine is always the final destination for mail addressed # to user@[the.net.work.address] of an interface that the mail system # receives mail on (see the inet_interfaces parameter). # # Specify a list of host or domain names, /file/name or type:table # patterns, separated by commas and/or whitespace. A /file/name # pattern is replaced by its contents; a type:table is matched when # a name matches a lookup key (the right-hand side is ignored). # Continue long lines by starting the next line with whitespace. # # See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". # mydestination = \$myhostname, localhost.\$mydomain, localhost #mydestination = \$myhostname, localhost.\$mydomain, localhost, \$mydomain #mydestination = \$myhostname, localhost.\$mydomain, localhost, \$mydomain, # mail.\$mydomain, www.\$mydomain, ftp.\$mydomain # REJECTING MAIL FOR UNKNOWN LOCAL USERS # # The local_recipient_maps parameter specifies optional lookup tables # with all names or addresses of users that are local with respect # to \$mydestination, \$inet_interfaces or \$proxy_interfaces. # # If this parameter is defined, then the SMTP server will reject # mail for unknown local users. This parameter is defined by default. # # To turn off local recipient checking in the SMTP server, specify # local_recipient_maps = (i.e. empty). # # The default setting assumes that you use the default Postfix local # delivery agent for local delivery. You need to update the # local_recipient_maps setting if: # # - You define \$mydestination domain recipients in files other than # /etc/passwd, /etc/aliases, or the \$virtual_alias_maps files. # For example, you define \$mydestination domain recipients in # the \$virtual_mailbox_maps files. 
# # - You redefine the local delivery agent in master.cf. # # - You redefine the "local_transport" setting in main.cf. # # - You use the "luser_relay", "mailbox_transport", or "fallback_transport" # feature of the Postfix local delivery agent (see local(8)). # # Details are described in the LOCAL_RECIPIENT_README file. # # Beware: if the Postfix SMTP server runs chrooted, you probably have # to access the passwd file via the proxymap service, in order to # overcome chroot restrictions. The alternative, having a copy of # the system passwd file in the chroot jail is just not practical. # # The right-hand side of the lookup tables is conveniently ignored. # In the left-hand side, specify a bare username, an @domain.tld # wild-card, or specify a user@domain.tld address. # #local_recipient_maps = unix:passwd.byname \$alias_maps #local_recipient_maps = proxy:unix:passwd.byname \$alias_maps #local_recipient_maps = # The unknown_local_recipient_reject_code specifies the SMTP server # response code when a recipient domain matches \$mydestination or # \${proxy,inet}_interfaces, while \$local_recipient_maps is non-empty # and the recipient address or address local-part is not found. # # The default setting is 550 (reject mail) but it is safer to start # with 450 (try again later) until you are certain that your # local_recipient_maps settings are OK. # unknown_local_recipient_reject_code = 550 # TRUST AND RELAY CONTROL # The mynetworks parameter specifies the list of "trusted" SMTP # clients that have more privileges than "strangers". # # In particular, "trusted" SMTP clients are allowed to relay mail # through Postfix. See the smtpd_recipient_restrictions parameter # in postconf(5). # # You can specify the list of "trusted" network addresses by hand # or you can let Postfix do it for you (which is the default). # # By default (mynetworks_style = subnet), Postfix "trusts" SMTP # clients in the same IP subnetworks as the local machine. 
# On Linux, this does works correctly only with interfaces specified # with the "ifconfig" command. # # Specify "mynetworks_style = class" when Postfix should "trust" SMTP # clients in the same IP class A/B/C networks as the local machine. # Don't do this with a dialup site - it would cause Postfix to "trust" # your entire provider's network. Instead, specify an explicit # mynetworks list by hand, as described below. # # Specify "mynetworks_style = host" when Postfix should "trust" # only the local machine. # #mynetworks_style = class #mynetworks_style = subnet #mynetworks_style = host # Alternatively, you can specify the mynetworks list by hand, in # which case Postfix ignores the mynetworks_style setting. # # Specify an explicit list of network/netmask patterns, where the # mask specifies the number of bits in the network part of a host # address. # # You can also specify the absolute pathname of a pattern file instead # of listing the patterns here. Specify type:table for table-based lookups # (the value on the table right-hand side is not used). # #mynetworks = 168.100.189.0/28, 127.0.0.0/8 #mynetworks = \$config_directory/mynetworks #mynetworks = hash:/etc/postfix/network_table # The relay_domains parameter restricts what destinations this system will # relay mail to. See the smtpd_recipient_restrictions description in # postconf(5) for detailed information. # # By default, Postfix relays mail # - from "trusted" clients (IP address matches \$mynetworks) to any destination, # - from "untrusted" clients to destinations that match \$relay_domains or # subdomains thereof, except addresses with sender-specified routing. # The default relay_domains value is \$mydestination. 
# # In addition to the above, the Postfix SMTP server by default accepts mail # that Postfix is final destination for: # - destinations that match \$inet_interfaces or \$proxy_interfaces, # - destinations that match \$mydestination # - destinations that match \$virtual_alias_domains, # - destinations that match \$virtual_mailbox_domains. # These destinations do not need to be listed in \$relay_domains. # # Specify a list of hosts or domains, /file/name patterns or type:name # lookup tables, separated by commas and/or whitespace. Continue # long lines by starting the next line with whitespace. A file name # is replaced by its contents; a type:name table is matched when a # (parent) domain appears as lookup key. # # NOTE: Postfix will not automatically forward mail for domains that # list this system as their primary or backup MX host. See the # permit_mx_backup restriction description in postconf(5). # #relay_domains = \$mydestination # INTERNET OR INTRANET # The relayhost parameter specifies the default host to send mail to # when no entry is matched in the optional transport(5) table. When # no relayhost is given, mail is routed directly to the destination. # # On an intranet, specify the organizational domain name. If your # internal DNS uses no MX records, specify the name of the intranet # gateway host instead. # # In the case of SMTP, specify a domain, host, host:port, [host]:port, # [address] or [address]:port; the form [host] turns off MX lookups. # # If you're connected via UUCP, see also the default_transport parameter. # #relayhost = \$mydomain #relayhost = [gateway.my.domain] #relayhost = [mailserver.isp.tld] #relayhost = uucphost #relayhost = [an.ip.add.ress] # Django : $DATUM Relayhost auf mx01.nausch.org gesetzt # default: unset relayhost = dmz.nausch.org # REJECTING UNKNOWN RELAY USERS # # The relay_recipient_maps parameter specifies optional lookup tables # with all addresses in the domains that match \$relay_domains. 
# # If this parameter is defined, then the SMTP server will reject # mail for unknown relay users. This feature is off by default. # # The right-hand side of the lookup tables is conveniently ignored. # In the left-hand side, specify an @domain.tld wild-card, or specify # a user@domain.tld address. # #relay_recipient_maps = hash:/etc/postfix/relay_recipients # INPUT RATE CONTROL # # The in_flow_delay configuration parameter implements mail input # flow control. This feature is turned on by default, although it # still needs further development (it's disabled on SCO UNIX due # to an SCO bug). # # A Postfix process will pause for \$in_flow_delay seconds before # accepting a new message, when the message arrival rate exceeds the # message delivery rate. With the default 100 SMTP server process # limit, this limits the mail inflow to 100 messages a second more # than the number of messages delivered per second. # # Specify 0 to disable the feature. Valid delays are 0..10. # #in_flow_delay = 1s # ADDRESS REWRITING # # The ADDRESS_REWRITING_README document gives information about # address masquerading or other forms of address rewriting including # username->Firstname.Lastname mapping. # ADDRESS REDIRECTION (VIRTUAL DOMAIN) # # The VIRTUAL_README document gives information about the many forms # of domain hosting that Postfix supports. # "USER HAS MOVED" BOUNCE MESSAGES # # See the discussion in the ADDRESS_REWRITING_README document. # TRANSPORT MAP # # See the discussion in the ADDRESS_REWRITING_README document. # ALIAS DATABASE # # The alias_maps parameter specifies the list of alias databases used # by the local delivery agent. The default list is system dependent. # # On systems with NIS, the default is to search the local alias # database, then the NIS alias database. See aliases(5) for syntax # details. 
# # If you change the alias database, run "postalias /etc/aliases" (or # wherever your system stores the mail alias file), or simply run # "newaliases" to build the necessary DBM or DB file. # # It will take a minute or so before changes become visible. Use # "postfix reload" to eliminate the delay. # #alias_maps = dbm:/etc/aliases alias_maps = hash:/etc/aliases #alias_maps = hash:/etc/aliases, nis:mail.aliases #alias_maps = netinfo:/aliases # The alias_database parameter specifies the alias database(s) that # are built with "newaliases" or "sendmail -bi". This is a separate # configuration parameter, because alias_maps (see above) may specify # tables that are not necessarily all under control by Postfix. # #alias_database = dbm:/etc/aliases #alias_database = dbm:/etc/mail/aliases alias_database = hash:/etc/aliases #alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases # ADDRESS EXTENSIONS (e.g., user+foo) # # The recipient_delimiter parameter specifies the separator between # user names and address extensions (user+foo). See canonical(5), # local(8), relocated(5) and virtual(5) for the effects this has on # aliases, canonical, virtual, relocated and .forward file lookups. # Basically, the software tries user+foo and .forward+foo before # trying user and .forward. # #recipient_delimiter = + # DELIVERY TO MAILBOX # # The home_mailbox parameter specifies the optional pathname of a # mailbox file relative to a user's home directory. The default # mailbox file is /var/spool/mail/user or /var/mail/user. Specify # "Maildir/" for qmail-style delivery (the / is required). # #home_mailbox = Mailbox #home_mailbox = Maildir/ # The mail_spool_directory parameter specifies the directory where # UNIX-style mailboxes are kept. The default setting depends on the # system type. # #mail_spool_directory = /var/mail #mail_spool_directory = /var/spool/mail # The mailbox_command parameter specifies the optional external # command to use instead of mailbox delivery. 
The command is run as # the recipient with proper HOME, SHELL and LOGNAME environment settings. # Exception: delivery for root is done as \$default_user. # # Other environment variables of interest: USER (recipient username), # EXTENSION (address extension), DOMAIN (domain part of address), # and LOCAL (the address localpart). # # Unlike other Postfix configuration parameters, the mailbox_command # parameter is not subjected to \$parameter substitutions. This is to # make it easier to specify shell syntax (see example below). # # Avoid shell meta characters because they will force Postfix to run # an expensive shell process. Procmail alone is expensive enough. # # IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN # ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. # #mailbox_command = /some/where/procmail #mailbox_command = /some/where/procmail -a "\$EXTENSION" # The mailbox_transport specifies the optional transport in master.cf # to use after processing aliases and .forward files. This parameter # has precedence over the mailbox_command, fallback_transport and # luser_relay parameters. # # Specify a string of the form transport:nexthop, where transport is # the name of a mail delivery transport defined in master.cf. The # :nexthop part is optional. For more details see the sample transport # configuration file. # # NOTE: if you use this feature for accounts not in the UNIX password # file, then you must update the "local_recipient_maps" setting in # the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # # Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" # listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf. 
#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp # If using the cyrus-imapd IMAP server deliver local mail to the IMAP # server using LMTP (Local Mail Transport Protocol), this is prefered # over the older cyrus deliver program by setting the # mailbox_transport as below: # # mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp # # The efficiency of LMTP delivery for cyrus-imapd can be enhanced via # these settings. # # local_destination_recipient_limit = 300 # local_destination_concurrency_limit = 5 # # Of course you should adjust these settings as appropriate for the # capacity of the hardware you are using. The recipient limit setting # can be used to take advantage of the single instance message store # capability of Cyrus. The concurrency limit can be used to control # how many simultaneous LMTP sessions will be permitted to the Cyrus # message store. # # Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and # subsequent line in master.cf. #mailbox_transport = cyrus # The fallback_transport specifies the optional transport in master.cf # to use for recipients that are not found in the UNIX passwd database. # This parameter has precedence over the luser_relay parameter. # # Specify a string of the form transport:nexthop, where transport is # the name of a mail delivery transport defined in master.cf. The # :nexthop part is optional. For more details see the sample transport # configuration file. # # NOTE: if you use this feature for accounts not in the UNIX password # file, then you must update the "local_recipient_maps" setting in # the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # #fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp #fallback_transport = # The luser_relay parameter specifies an optional destination address # for unknown recipients. 
By default, mail for unknown@\$mydestination, # unknown@[\$inet_interfaces] or unknown@[\$proxy_interfaces] is returned # as undeliverable. # # The following expansions are done on luser_relay: \$user (recipient # username), \$shell (recipient shell), \$home (recipient home directory), # \$recipient (full recipient address), \$extension (recipient address # extension), \$domain (recipient domain), \$local (entire recipient # localpart), \$recipient_delimiter. Specify \${name?value} or # \${name:value} to expand value only when \$name does (does not) exist. # # luser_relay works only for the default Postfix local delivery agent. # # NOTE: if you use this feature for accounts not in the UNIX password # file, then you must specify "local_recipient_maps =" (i.e. empty) in # the main.cf file, otherwise the SMTP server will reject mail for # non-UNIX accounts with "User unknown in local recipient table". # #luser_relay = \$user@other.host #luser_relay = \$local@other.host #luser_relay = admin+\$local # JUNK MAIL CONTROLS # # The controls listed here are only a very small subset. The file # SMTPD_ACCESS_README provides an overview. # The header_checks parameter specifies an optional table with patterns # that each logical message header is matched against, including # headers that span multiple physical lines. # # By default, these patterns also apply to MIME headers and to the # headers of attached messages. With older Postfix versions, MIME and # attached message headers were treated as body text. # # For details, see "man header_checks". # #header_checks = regexp:/etc/postfix/header_checks # FAST ETRN SERVICE # # Postfix maintains per-destination logfiles with information about # deferred mail, so that mail can be flushed quickly with the SMTP # "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". # See the ETRN_README document for a detailed description. # # The fast_flush_domains parameter controls what destinations are # eligible for this service. 
By default, they are all domains that # this server is willing to relay mail to. # #fast_flush_domains = \$relay_domains # SHOW SOFTWARE VERSION OR NOT # # The smtpd_banner parameter specifies the text that follows the 220 # code in the SMTP server's greeting banner. Some people like to see # the mail version advertised. By default, Postfix shows no version. # # You MUST specify \$myhostname at the start of the text. That is an # RFC requirement. Postfix itself does not care. # #smtpd_banner = \$myhostname ESMTP \$mail_name #smtpd_banner = \$myhostname ESMTP \$mail_name (\$mail_version) # PARALLEL DELIVERY TO THE SAME DESTINATION # # How many parallel deliveries to the same user or domain? With local # delivery, it does not make sense to do massively parallel delivery # to the same user, because mailbox updates must happen sequentially, # and expensive pipelines in .forward files can cause disasters when # too many are run at the same time. With SMTP deliveries, 10 # simultaneous connections to the same domain could be sufficient to # raise eyebrows. # # Each message delivery transport has its XXX_destination_concurrency_limit # parameter. The default is \$default_destination_concurrency_limit for # most delivery transports. For the local delivery agent the default is 2. #local_destination_concurrency_limit = 2 #default_destination_concurrency_limit = 20 # DEBUGGING CONTROL # # The debug_peer_level parameter specifies the increment in verbose # logging level when an SMTP client or server host name or address # matches a pattern in the debug_peer_list parameter. # debug_peer_level = 2 # The debug_peer_list parameter specifies an optional list of domain # or network patterns, /file/name patterns or type:name tables. When # an SMTP client or server host name or address matches a pattern, # increase the verbose logging level by the amount specified in the # debug_peer_level parameter. 
# #debug_peer_list = 127.0.0.1 #debug_peer_list = some.domain # The debugger_command specifies the external command that is executed # when a Postfix daemon program is run with the -D option. # # Use "command .. & sleep 5" so that the debugger can attach before # the process marches on. If you use an X-based debugger, be sure to # set up your XAUTHORITY environment variable before starting Postfix. # debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd \$daemon_directory/\$process_name \$process_id & sleep 5 # If you can't use X, use this to capture the call stack when a # daemon crashes. The result is in a file in the configuration # directory, and is named after the process name and the process ID. # # debugger_command = # PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; # echo where) | gdb \$daemon_directory/\$process_name \$process_id 2>&1 # >\$config_directory/\$process_name.\$process_id.log & sleep 5 # # Another possibility is to run gdb under a detached screen session. # To attach to the screen sesssion, su root and run "screen -r # " where uniquely matches one of the detached # sessions (from "screen -list"). # # debugger_command = # PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen # -dmS \$process_name gdb \$daemon_directory/\$process_name # \$process_id & sleep 1 # INSTALL-TIME CONFIGURATION INFORMATION # # The following parameters are used when installing a new Postfix version. # # sendmail_path: The full pathname of the Postfix sendmail command. # This is the Sendmail-compatible mail posting interface. # sendmail_path = /usr/sbin/sendmail.postfix # newaliases_path: The full pathname of the Postfix newaliases command. # This is the Sendmail-compatible command to build alias databases. # newaliases_path = /usr/bin/newaliases.postfix # mailq_path: The full pathname of the Postfix mailq command. This # is the Sendmail-compatible mail queue listing command. 
# mailq_path = /usr/bin/mailq.postfix # setgid_group: The group for mail submission and queue management # commands. This must be a group name with a numerical group ID that # is not shared with other accounts, not even with the Postfix account. # setgid_group = postdrop # html_directory: The location of the Postfix HTML documentation. # html_directory = no # manpage_directory: The location of the Postfix on-line manual pages. # manpage_directory = /usr/share/man # sample_directory: The location of the Postfix sample configuration files. # This parameter is obsolete as of Postfix 2.1. # sample_directory = /usr/share/doc/postfix-2.10.1/samples # readme_directory: The location of the Postfix README files. # readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES MAIN.CF chown root:root /etc/postfix/main.cf chmod 644 /etc/postfix/main.cf ################################################################################# ######################### chrony-Clientkonfigurationn ########################### rm -f /etc/chrony.conf cat </etc/chrony.conf # These servers were defined in the installation: # Django : $DATUM # Definition des hauseigenen NTP-Servers: server time.dmz.nausch.org iburst # Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). # Ignore stratum in source selection. stratumweight 0 # Record the rate at which the system clock gains/losses time. driftfile /var/lib/chrony/drift # Enable kernel RTC synchronization. rtcsync # In first three updates step the system clock instead of slew # if the adjustment is larger than 10 seconds. makestep 10 3 # Allow NTP client access from local network. #allow 192.168/16 # Listen for commands only on localhost. bindcmdaddress 127.0.0.1 # Django : $DATUM # default: bindcmdaddress ::1 # This option allows you to configure the port on which chronyd will listen for NTP requests. # # The compiled in default is udp/123, the standard NTP port. 
If set to 0, chronyd will not # open the server socket and will operate strictly in a client-only mode. The source port # used in NTP client requests can be set by the acquisitionport directive. # Django : $DATUM # default: unset port 0 # Serve time even if not synchronized to any NTP server. #local stratum 10 keyfile /etc/chrony.keys # Specify the key used as password for chronyc. commandkey 1 # Generate command key if missing. generatecommandkey # Disable logging of client accesses. noclientlog # Send a message to syslog if a clock adjustment is larger than 0.5 seconds. logchange 0.5 logdir /var/log/chrony #log measurements statistics tracking CHRONY.CONF chown root:root /etc/chrony.conf chmod 644 /etc/chrony.conf cat </etc/sysconfig/chronyd # Django : $DATUM # disable IPv6 support OPTIONS=-4 CHRONYD chown root:root /etc/sysconfig/chronyd chmod 644 /etc/sysconfig/chronyd ################################################################################# ;; esac; done %end