linux:grommunio-linux

Differences

Below are the differences between two revisions of the page.

linux:grommunio-linux [2022/08/02 14:33] – [Postfix] rootlinux:grommunio-linux [2023/07/14 19:01] (Version actuelle) – [Autoriser le relay pour les users authentifiés] root
Ligne 167: Ligne 167:
   - Quelques commandes pour configurer postfix: <code bash>postconf -e virtual_alias_maps=mysql:/etc/postfix/g-alias.cf   - Quelques commandes pour configurer postfix: <code bash>postconf -e virtual_alias_maps=mysql:/etc/postfix/g-alias.cf
 postconf -e virtual_mailbox_domains=mysql:/etc/postfix/g-virt.cf postconf -e virtual_mailbox_domains=mysql:/etc/postfix/g-virt.cf
-postconf -e virtual_transport="smtp:[localhost]:24"+postconf -e virtual_transport="smtp:[::1]:24"
 postconf -e mynetworks="127.0.0.0/8 [::1]/128" postconf -e mynetworks="127.0.0.0/8 [::1]/128"
 postconf -e smtpd_banner='$myhostname ESMTP' postconf -e smtpd_banner='$myhostname ESMTP'
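
Review bot: the virtual_transport change from [localhost] to [::1] pins delivery to the IPv6 loopback without saying why. State the reason next to the command and note that the listener on port 24 must be bound to ::1; on a host where IPv6 is disabled the value has to be smtp:[127.0.0.1]:24 instead.
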
Ligne 252: Ligne 252:
       prefilter = "true";       prefilter = "true";
       map = "/var/lib/rspamd/whitelist.sender.ip.map";       map = "/var/lib/rspamd/whitelist.sender.ip.map";
-      action = "accept";+      #action = "accept"; 
 +      score = -10.0
 } }
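
Review bot: in the whitelist map, prefilter = "true" is kept while action = "accept" is commented out, so it is unclear whether the rule is still meant to run as a prefilter; either drop prefilter or add a sentence saying the map now only contributes a score. The added score = -10.0 line also lacks the trailing semicolon that every neighbouring line has, and the commented-out action should be deleted rather than left in place. A negative score instead of an unconditional accept is the safer direction for a sender-IP whitelist.
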
  
Ligne 272: Ligne 273:
   - Créer un répertoire pour les signatures dkim:<code bash>mkdir /var/lib/rspamd/dkim   - Créer un répertoire pour les signatures dkim:<code bash>mkdir /var/lib/rspamd/dkim
 chown -R _rspamd:_rspamd /var/lib/rspamd/dkim</code> chown -R _rspamd:_rspamd /var/lib/rspamd/dkim</code>
 +
 +=== Signer DKIM ===
 +  - Créer un répertoire pour stocker les clés: <code bash>mkdir /var/lib/rspamd/dkim/</code>
 +  - Créer un fichier dkim_signing<code bash>nano /etc/rspamd/local.d/dkim_signing.conf</code>Avec ceci: <file - dkim_signing.conf># If false, messages with empty envelope from are not signed
 +# If false, messages with empty envelope from are not signed
 +allow_envfrom_empty = true;
 +
 +# If true, envelope/header domain mismatch is ignored
 +allow_hdrfrom_mismatch = false;
 +
 +# If true, multiple from headers are allowed (but only first is used)
 +allow_hdrfrom_multiple = false;
 +
 +# If true, username does not need to contain matching domain
 +allow_username_mismatch = false;
 +
 +# Default path to key, can include '$domain' and '$selector' variables
 +path = "/var/lib/rspamd/dkim/$domain.$selector.key";
 +
 +# Default selector to use
 +selector = "dkim";
 +
 +# If false, messages from authenticated users are not selected for signing
 +sign_authenticated = true;
 +
 +# If false, messages from local networks are not selected for signing
 +sign_local = true;
 +
 +# Map file of IP addresses/subnets to consider for signing
 +# sign_networks = "/some/file"; # or url
 +
 +# Symbol to add when message is signed
 +symbol = "DKIM_SIGNED";
 +
 +# Whether to fallback to global config
 +try_fallback = true;
 +
 +# Domain to use for DKIM signing: can be "header" (MIME From), "envelope" (SMTP From) or "auth" (SMTP username)
 +use_domain = "header";
 +
 +# Domain to use for DKIM signing when sender is in sign_networks ("header"/"envelope"/"auth")
 +#use_domain_sign_networks = "header";
 +
 +# Domain to use for DKIM signing when sender is a local IP ("header"/"envelope"/"auth")
 +#use_domain_sign_local = "header";
 +
 +# Whether to normalise domains to eSLD
 +use_esld = true;
 +
 +# Whether to get keys from Redis
 +use_redis = true;
 +
 +# Hash for DKIM keys in Redis
 +key_prefix = "DKIM_KEYS";
 +
 +# If `true` get pubkey from DNS record and check if it matches private key
 +check_pubkey = false;
 +# Set to `false` if you want to skip signing if public and private keys mismatch
 +allow_pubkey_mismatch = true;
 +  </file>
 +
 +=== Signer ARC ===
 +  - Créer un fichier arc.conf<code bash>nano /etc/rspamd/local.d/arc.conf</code>Avec ceci: <file - arc.conf># If false, messages with empty envelope from are not signed
 +allow_envfrom_empty = true;
 +# If true, envelope/header domain mismatch is ignored
 +allow_hdrfrom_mismatch = false;
 +# If true, multiple from headers are allowed (but only first is used)
 +allow_hdrfrom_multiple = false;
 +# If true, username does not need to contain matching domain
 +allow_username_mismatch = false;
 +# Default path to key, can include '$domain' and '$selector' variables
 +path = "${DBDIR}/dkim/$domain.$selector.key";
 +# Default selector to use
 +selector = "dkim";
 +# If false, messages from authenticated users are not selected for signing
 +sign_authenticated = true;
 +# If false, messages from local networks are not selected for signing
 +sign_local = true;
 +# Symbol to add when message is signed
 +symbol_signed = "ARC_SIGNED";
 +# Whether to fallback to global config
 +try_fallback = true;
 +# Domain to use for ARC signing: can be "header" or "envelope"
 +use_domain = "header";
 +# Whether to normalise domains to eSLD
 +use_esld = true;
 +# Whether to get keys from Redis
 +use_redis = false;
 +# Hash for ARC keys in Redis
 +key_prefix = "ARC_KEYS";
 +# map of domains -> names of selectors (since rspamd 1.5.3)
 +#selector_map = "/etc/rspamd/arc_selectors.map";
 +# map of domains -> paths to keys (since rspamd 1.5.3)
 +#path_map = "/etc/rspamd/arc_paths.map";
 +# map of trusted domains. Symbol ARC_ALLOW_TRUSTED is added to messages
 +# with valid ARC chains from these domains. A failed DMARC result is removed/ignored.
 +# whitelisted_signers_map = ["example.org", "example.com"]
 +
 +# From version 1.8.4, Rspamd uses a different set of sign_headers for ARC:
 +sign_headers = "(o)from:(o)sender:(o)reply-to:(o)subject:(o)date:(o)message-id:(o)to:(o)cc:(o)mime-version:(o)content-type:(o)content-transfer-encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:(o)in-reply-to:(o)r>
 + </file>
  
 ==== Grommunio-dav (WIP) ==== ==== Grommunio-dav (WIP) ====
 <code bash>apt install grommunio-dav <code bash>apt install grommunio-dav
-ln -s /etc/php7/fpm/php-fpm.d/pool-grommunio-dav.conf /etc/php/7.4/fpm/pool.d</code>+ln -s /etc/php7/fpm/php-fpm.d/pool-grommunio-dav.conf /etc/php/7.4/fpm/pool.d 
 +chown root:grodav /var/lib/grommunio-dav/ 
 +chmod 770 /var/lib/grommunio-dav/</code> 
 + 
 + 
 +Modifs du 31/12/2022 
 +<code bash> 
 + 
 +ln -s /etc/grommunio-dav/grommunio-dav.conf.php /usr/share/grommunio-dav/config.php 
 +ln -s /etc/grommunio-dav/log4php.xml /usr/share/grommunio-dav/ 
 +chmod 770 /var/log/grommunio-dav/ -R 
 + 
 +</code>
 ===== Tips & tricks ===== ===== Tips & tricks =====
 ==== Activer le port submission ==== ==== Activer le port submission ====
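
Review bot: the sign_headers value in arc.conf is cut off at '(o)r>' with no closing quote or semicolon, which looks like an editor's line-truncation marker pasted in; replace it with the complete header list, otherwise the file will not parse. The new DKIM section repeats the mkdir /var/lib/rspamd/dkim step already given just above it and duplicates its first comment line, and neither section says how the key referenced by path is generated or that it should be readable only by _rspamd. In the grommunio-dav block, chmod 770 /var/log/grommunio-dav/ -R also sets the execute bit on the log files; apply 770 to the directory and 660 to the files.
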
Ligne 299: Ligne 413:
 ==== Autoriser le relay pour les users authentifiés ==== ==== Autoriser le relay pour les users authentifiés ====
  
-nano /etc/postfix/master.cf +Work in progress  
--o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject+https://community.grommunio.com/d/383-no-smtp-auth-on-smtp-submission-due-to-saslauth-not-available/2
  
-Remplacer reject par reject_unauth_destination+  - Installer le paquet <code bash>apt install sasl2-bin</code> 
 +  - Modifier le fichier de config: <code bash>nano /etc/default/saslauthd</code> <file - saslauthd> 
 +START=yes 
 +NAME="saslauthd" 
 +MECHANISMS="pam" 
 +MECH_OPTIONS="127.0.0.1" 
 +THREADS=5 
 +OPTIONS="-r  -m /var/spool/postfix/var/run/saslauthd" 
 +</file> 
 +  - Créer les répertoires nécessaires: <code bash> 
 +mkdir -p /var/spool/postfix/var/run/saslauthd 
 +chown root:sasl /var/spool/postfix/var/run/saslauthd 
 +usermod -a -G sasl postfix
  
 +service postfix restart
 +service saslauthd restart
 +</code>
 +  - Editer le fichier pam: <code bash>nano /etc/pam.d/smtp</code> <file - smtp>#%PAM-1.0
 +auth required pam_gromox.so service=smtp
 +account required pam_permit.so</file>
 +  - Ajouter un fichier de configuration postfix: <code bash>mkdir /etc/postfix/sasl/
 +nano /etc/postfix/sasl/smtpd.conf</code> <file - smtpd.conf>log_level: 10
 +mech_list: PLAIN LOGIN
 +saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux</file>
 +  - Modifier le fichier de config postfix: <code bash>nano /etc/postfix/main.cf</code> et rajouter: <file - main.cf>
 +cyrus_sasl_config_path = /etc/postfix/sasl
 +smtpd_sasl_auth_enable = yes
 +smtpd_sasl_service = smtpd
 +broken_sasl_auth_clients = yes
 +smtpd_sasl_security_options = noanonymous
 +smtpd_sasl_local_domain =
 +</file>
 ==== Backup / Transfert ==== ==== Backup / Transfert ====
 <code bash> <code bash>
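
Review bot: mech_list: PLAIN LOGIN together with smtpd_sasl_security_options = noanonymous accepts cleartext credentials, and nothing in the added main.cf lines restricts AUTH to encrypted sessions; add smtpd_tls_auth_only = yes. log_level: 10 in smtpd.conf is a debugging value and should be lowered once authentication works. Also check that smtpd_sasl_service = smtpd matches the PAM file created as /etc/pam.d/smtp, move the two service restart commands to the end of the procedure since the PAM and SASL files are written after them, and keep a line showing where permit_sasl_authenticated goes, because the removed master.cf text was the only place the relay rule itself appeared.
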
Ligne 334: Ligne 478:
 ==== Nettoyer les comptes users ==== ==== Nettoyer les comptes users ====
 <code bash>for i in /var/lib/gromox/user/*/*; do /usr/libexec/gromox/cleaner -v -d "$i"; done</code> <code bash>for i in /var/lib/gromox/user/*/*; do /usr/libexec/gromox/cleaner -v -d "$i"; done</code>
 +
 +==== Workaround pour les confirmations de lecture envoyées à invalid@invalid ====
 +  - <code bash>nano /etc/postfix/main.cf</code>Et rajouter invalid dans mydestination <code>mydestination = $myhostname, localhost.$mydomain, localhost, invalid</code>
 +  - <code bash> nano /etc/aliases</code>Et rajouter invalid: postmaster
 +  - <code bash>newaliases
 +service postfix restart</code>
 +
 +==== Workaround pour le "upstream sent too big header while reading response header from upstream" ====
 +
 +<code bash>nano /usr/share/grommunio-common/nginx/locations.d/grommunio-web.conf</code>
 +<file - grommunio-web.conf>fastcgi_buffers 16 16k; 
 +fastcgi_buffer_size 32k;</file>
 +
 +==== Debug ====
 +  * dans /etc/gromox/zcore.cfg <file - zcore.cfg>zrpc_debug=1</file>
 +  * dans /etc/gromox/http.cfg <file - http.cfg>http_debug=1</file>
 +
 +==== Droits en console ====
 +<code bash># Voir les dossiers
 +grommunio-admin exmdb shared-user@mail.com folder list
 +
 +
 +# Voir les permissions sur le dossier principal
 +grommunio-admin exmdb shared-user@mail.com folder permissions 0x9 user@mail.com 
 +
 +# Voir les permissions sur le dossier calendar
 +grommunio-admin exmdb shared-user@mail.com folder permissions 0xf user@mail.com 
 +
 +# Donner la permission foldervisible à user pour le compte shared-user
 +grommunio-admin exmdb shared-user@mail.com folder grant 0xf user@mail.com  foldervisible
 +
 +</code>
 +
 +==== Autodiscover issue ====
 +https://support.microsoft.com/en-us/topic/outlook-2016-implementation-of-autodiscover-0d7b2709-958a-7249-1c87-434d257b9087
 + 
 +
 +https://learn.microsoft.com/en-us/outlook/troubleshoot/profiles-and-accounts/unexpected-autodiscover-behavior
 +
 +<code registry>
 +[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
 +"ExcludeExplicitO365Endpoint"=dword:00000001
 +"ExcludeLastKnownGoodURL"=dword:00000001
 +"ExcludeHttpsRootDomain"=dword:00000001
 +“ExcludeHttpsAutoDiscoverDomain"=dword:00000000
 +“ExcludeHttpRedirect"=dword:00000000
 +“ExcludeScpLookup"=dword:00000001
 +“ExcludeSrvRecord"=dword:00000001
 +“EnableOffice365ConfigService"=dword:00000000 </code>
 + 
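
Review bot: in the registry block, the value names from ExcludeHttpsAutoDiscoverDomain down to EnableOffice365ConfigService open with a typographic quote (“) instead of a straight one, so the text cannot be pasted into a .reg file as is; use a straight double quote on both sides. The Debug section should say that zrpc_debug=1 and http_debug=1 are to be removed after troubleshooting, and the 'invalid' entry added to mydestination deserves a line explaining that mail for that name is then delivered locally to postmaster.
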
linux/grommunio-linux.1659450839.txt.gz · Last modified: by root