Mail Toaster 6 - sample output - configure-host.sh
[~/mt6]# provision host
*** skipping fetch, running from git ***
v: 20230507
loading mail-toaster.conf
mysql enabled
toaster host: freebsd.vmware.imac27.simerson.net
email domain: imac27.simerson.net
IPv6 jail network: fd7a:e5cd:1fc1:186f:dead:beef:cafe
shell: /usr/local/bin/bash
safe name: stage
*** skipping include d/l, running from git ***
background_fsck: YES -> NO
*** updating FreeBSD with security patches ***
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 13.2-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
No updates needed to update system to 13.2-RELEASE-p0.
No updates are available to install.
*** updating FreeBSD pkg collection ***
Updating FreeBSD repository catalogue...
Fetching packagesite.pkg: 100% 7 MiB 3.5MB/s 00:02
Processing entries: 100%
FreeBSD repository update completed. 33157 packages processed.
All repositories are up to date.
*** upgrading installed FreeBSD packages ***
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking for upgrades (0 candidates): 100%
Processing candidates (0 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.
*** updating FreeBSD ports tree ***
ports via git detected
remote: Enumerating objects: 4990, done.
remote: Counting objects: 100% (4990/4990), done.
remote: Compressing objects: 100% (1919/1919), done.
remote: Total 3208 (delta 1736), reused 2640 (delta 1275), pack-reused 0
Receiving objects: 100% (3208/3208), 733.77 KiB | 529.00 KiB/s, done.
Resolving deltas: 100% (1736/1736), completed with 977 local objects.
From https://git.freebsd.org/ports
386c6ade3..fbbfb0d1e main -> origin/main
Updating 386c6ade3..fbbfb0d1e
Fast-forward
<snip 1000+ lines>
*** preserving sendmail config ***
*** checking sshd listening scope ***
root sshd 951 3 tcp6 *:22 *:*
root sshd 951 4 tcp4 *:22 *:*
┌────────────────────────────────────────────────────────────────────┐
│                                                                    │
│ To not interfere with the jails, sshd should be constrained to     │
│ listening on your host's public-facing IP(s).                      │
│                                                                    │
│ Your public IPs are detected as 10.0.1.209                         │
│ and 2602:61:714a:b00:20c:29ff:fedb:44d8                            │
│                                                                    │
│ May I update /etc/ssh/sshd_config?                                 │
│                                                                    │
├────────────────────────────────────────────────────────────────────┤
│                      < Yes >            < No >                     │
└────────────────────────────────────────────────────────────────────┘
*** Limiting SSHd to host IP address ***
ListenAddress 10.0.1.209
ListenAddress 2602:61:714a:b00:20c:29ff:fedb:44d8
Performing sanity check on sshd configuration.
Performing sanity check on sshd configuration.
Stopping sshd.
Waiting for PIDS: 951.
Performing sanity check on sshd configuration.
Starting sshd.
*** plumb lo1 interface at startup ***
cloned_interfaces: -> lo1
*** plumb lo1 interface ***
*** adding syslog IP to lo1 ***
ifconfig_lo1: -> 172.16.15.1 netmask 255.255.255.0
assigning 172.16.15.1 to lo1
*** configuring syslog to accept messages from jails ***
syslogd_flags: -s -> -b 172.16.15.1 -a 172.16.15.0/12:* -a [fd7a:e5cd:1fc1:186f:dead:beef:cafe]/112:* -cc
Stopping syslogd.
Waiting for PIDS: 845.
Starting syslogd.
*** setting up the PF firewall and NAT for jails ***
## Macros
ext_if="em0"
table <ext_ip4> { 10.0.1.209 }
table <ext_ip6> { 2602:61:714a:b00:20c:29ff:fedb:44d8 }
# to permit legacy users to access insecure POP3 & IMAP, add their IPs/masks
table <allow_insecure> { }
table <bruteforce> persist
table <sshguard> persist
ssh_ports = "{ 22 }"
http_ports = "{ 80 443 }"
msa_ports = "{ 465 587 }"
mta_ports = "{ 25 465 587 }"
mua_insecure = "{ 110 143 }"
mua_ports = "{ 993 995 }"
dovecot_lo4 = "{ 172.16.15.15 }"
haraka_lo4 = "{ 172.16.15.9 }"
haproxy_lo4 = "{ 172.16.15.12 }"
dovecot_lo6 = "{ fd7a:e5cd:1fc1:186f:dead:beef:cafe:000f }"
haraka_lo6 = "{ fd7a:e5cd:1fc1:186f:dead:beef:cafe:0009 }"
haproxy_lo6 = "{ fd7a:e5cd:1fc1:186f:dead:beef:cafe:000c }"
## Translation rules
# default route to the internet for jails
nat on $ext_if inet from 172.16.15.0/12 to any -> ($ext_if)
nat on $ext_if inet6 from ! $ext_if to any -> <ext_ip6>
nat-anchor "nat/*"
# Secured POP3 & IMAP traffic to dovecot jail
rdr inet proto tcp from any to <ext_ip4> port $mua_ports -> $dovecot_lo4
rdr inet6 proto tcp from any to <ext_ip6> port $mua_ports -> $dovecot_lo6
# POP3 & IMAP from insecure IPs
rdr inet proto tcp from <allow_insecure> to <ext_ip4> port $mua_insecure -> $dovecot_lo4
rdr inet6 proto tcp from <allow_insecure> to <ext_ip6> port $mua_insecure -> $dovecot_lo6
# SMTP traffic to the Haraka jail
rdr inet proto tcp from any to <ext_ip4> port $mta_ports -> $haraka_lo4
rdr inet6 proto tcp from any to <ext_ip6> port $mta_ports -> $haraka_lo6
# HTTP traffic to HAproxy
rdr inet proto tcp from any to <ext_ip4> port $http_ports -> $haproxy_lo4
rdr inet6 proto tcp from any to <ext_ip6> port $http_ports -> $haproxy_lo6
rdr-anchor "rdr/*"
## Filtering rules
block in quick inet proto tcp from <sshguard> to any port $ssh_ports
block in quick inet6 proto tcp from <sshguard> to any port $ssh_ports
block in quick from <bruteforce>
/etc/pf.conf has been installed
pf_enable: NO -> YES
Enabling pf.
*** TLS certificate exists ***
*** installing sshguard ***
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The most recent versions of packages are already installed
*** configuring sshguard for PF ***
*** starting sshguard ***
sshguard_enable: NO -> YES
jail_enable: NO -> YES
*** reverse jails when shutting down ***
jail_reverse_stop: NO -> YES
*** creating /etc/jail.conf.d/stage.conf ***
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
devfs_ruleset=5;
path = "/jails/$name";
interface = lo1;
host.hostname = $name;
stage {
ip4.addr = lo1|172.16.15.254;
ip6.addr = lo1|fd7a:e5cd:1fc1:186f:dead:beef:cafe:00fe;
mount += "/data/stage $path/data nullfs rw 0 0";
}
*** installing jailmanage ***
/usr/local/bin/jailmanage 11 kB 21 MBps 00s
*** adding /etc/hosts entries ***
172.16.15.1 syslog
172.16.15.2 base
172.16.15.3 dns
172.16.15.4 mysql
172.16.15.5 clamav
172.16.15.6 spamassassin
172.16.15.7 dspam
172.16.15.8 vpopmail
172.16.15.9 haraka
172.16.15.10 webmail
172.16.15.11 munin
172.16.15.12 haproxy
172.16.15.13 rspamd
172.16.15.14 avg
172.16.15.15 dovecot
172.16.15.16 redis
172.16.15.17 geoip
172.16.15.18 nginx
172.16.15.19 mailtest
172.16.15.20 apache
172.16.15.21 postgres
172.16.15.22 minecraft
172.16.15.23 joomla
172.16.15.24 php7
172.16.15.25 memcached
172.16.15.26 sphinxsearch
172.16.15.27 elasticsearch
172.16.15.28 nictool
172.16.15.29 sqwebmail
172.16.15.30 dhcp
172.16.15.31 letsencrypt
172.16.15.32 tinydns
172.16.15.33 roundcube
172.16.15.34 squirrelmail
172.16.15.35 rainloop
172.16.15.36 rsnapshot
172.16.15.37 mediawiki
172.16.15.38 smf
172.16.15.39 wordpress
172.16.15.40 whmcs
172.16.15.41 squirrelcart
172.16.15.42 horde
172.16.15.43 grafana
172.16.15.44 unifi
172.16.15.45 mongodb
172.16.15.46 gitlab
172.16.15.47 gitlab_runner
172.16.15.48 dcc
172.16.15.49 prometheus
172.16.15.50 influxdb
172.16.15.51 telegraf
172.16.15.52 statsd
172.16.15.53 mail_dmarc
172.16.15.54 ghost
172.16.15.55 jekyll
172.16.15.56 borg
172.16.15.57 nagios
172.16.15.58 postfix
172.16.15.59 puppeteer
172.16.15.60 snappymail
172.16.15.61 knot
172.16.15.62 nsd
172.16.15.63 bsd_cache
*** preserving /etc/csh.cshrc ***
*** bourne shell configured ***
*** checking for host listeners on all IPs ***
Success! Your host is ready to install Mail Toaster 6!