fripost-ansible/roles/common/templates, branch master Fripost ansible scripts Send internal system mails to root@f.o. 2025-09-10T13:14:45+00:00 Guilhem Moulin guilhem@fripost.org 2025-09-10T13:14:45+00:00 4b48f1b6dd799d1a69f0c9e2a157a007fcdcbe25 Instead of admin@f.o. Per msgid=<ad724342-b3bb-48d9-9984-6d277714910d@fripost.org>. 
Instead of admin@f.o. Per msgid=<ad724342-b3bb-48d9-9984-6d277714910d@fripost.org>.
Resolver: Use systemd-resolved. 2025-01-28T13:26:18+00:00 Guilhem Moulin guilhem@fripost.org 2025-01-28T13:26:18+00:00 20cd6ac5299a725558a85df7c93c34f4a67b15d5 






Firewall: Harden IPsec configuration by pining the reqids.
2024-09-08T00:32:24+00:00

Guilhem Moulin
guilhem@fripost.org

2024-09-08T00:32:24+00:00

bc41db5237d188c339d25d96a20465e488ea5475












APT: Prepare config bump to Debian 12.
2024-09-08T00:29:10+00:00

Guilhem Moulin
guilhem@fripost.org

2024-09-08T00:29:10+00:00

21fdc8853dc29c64bf0405348120945049adf694












Improve Debian 11's fail2ban rules.
2022-12-18T12:29:34+00:00

Guilhem Moulin
guilhem@fripost.org

2022-12-14T11:01:33+00:00

7ea3baad594b889f6f7f4e7e4ccc4dc7c0099bc6












Port baseline to Debian 11 (codename Bullseye).
2022-10-13T20:12:05+00:00

Guilhem Moulin
guilhem@fripost.org

2022-10-11T23:43:23+00:00

85347041a04d17f6803100dd2cec9b489c9db47d












clamav-freshclam: Remove ‘SafeBrowsing’ option.
2022-10-11T13:44:33+00:00

Guilhem Moulin
guilhem@fripost.org

2022-10-11T13:44:33+00:00

cb4737983f4058531308ac083a89040c3cbfd05d












Prefix ‘ipaddr’ and ‘ipv4’ with ‘ansible.utils.’.
2022-10-11T11:57:22+00:00

Guilhem Moulin
guilhem@fripost.org

2022-10-11T11:24:54+00:00

a69c2e1c3c771db93d98a253192e131af40c9830

This silences the following deprecation warning:

  Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01.
  Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.





This silences the following deprecation warning:

  Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01.
  Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.







Postfix: pin key material to our MX:es for fripost.org and its subdomains.
2021-01-26T12:35:40+00:00

Guilhem Moulin
guilhem@fripost.org

2021-01-26T11:39:10+00:00

44100bab38d32596392a3bc7199b4daa202b4032

This solves an issue where an attacker would strip the STARTTLS keyword
from the EHLO response, thereby preventing connection upgrade; or spoof
DNS responses to route outgoing messages to an attacker-controlled
SMTPd, thereby allowing message MiTM'ing.  With key material pinning in
place, smtp(8postfix) immediately aborts the connection (before the MAIL
command) and places the message into the deferred queue instead:

    postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified)

This applies to the smarthost as well as for verification probes on the
Mail Submission Agent.  Placing message into the deferred queue might
yield denial of service, but we argue that it's better than a privacy
leak.

This only covers *internal messages* (from Fripost to Fripost) though:
only messages with ‘fripost.org’ (or a subdomain of such) as recipient
domain.  Other domains, even those using mx[12].fripost.org as MX, are
not covered.  A scalable solution for arbitrary domains would involve
either DANE and TLSA records, or MTA-STS [RFC8461].  Regardless, there
is some merit in hardcoding our internal policy (when the client and
server are both under our control) in the configuration.  It for
instance enables us to harden TLS ciphers and protocols, and makes the
verification logic independent of DNS.





This solves an issue where an attacker would strip the STARTTLS keyword
from the EHLO response, thereby preventing connection upgrade; or spoof
DNS responses to route outgoing messages to an attacker-controlled
SMTPd, thereby allowing message MiTM'ing.  With key material pinning in
place, smtp(8postfix) immediately aborts the connection (before the MAIL
command) and places the message into the deferred queue instead:

    postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified)

This applies to the smarthost as well as for verification probes on the
Mail Submission Agent.  Placing message into the deferred queue might
yield denial of service, but we argue that it's better than a privacy
leak.

This only covers *internal messages* (from Fripost to Fripost) though:
only messages with ‘fripost.org’ (or a subdomain of such) as recipient
domain.  Other domains, even those using mx[12].fripost.org as MX, are
not covered.  A scalable solution for arbitrary domains would involve
either DANE and TLSA records, or MTA-STS [RFC8461].  Regardless, there
is some merit in hardcoding our internal policy (when the client and
server are both under our control) in the configuration.  It for
instance enables us to harden TLS ciphers and protocols, and makes the
verification logic independent of DNS.







Firewall: Always include 172.16.0.0/12 to the bogon list.
2020-11-15T17:45:13+00:00

Guilhem Moulin
guilhem@fripost.org

2020-11-15T17:45:13+00:00

03715d2f15999a33f67f55e418c3c8e912c64a12

Our IPsec subnet is in that subnet but the setup won't deal well with subnet overlap
so it's best to explicitely not support NATed machines with an IP in 172.16.0.0/12.





Our IPsec subnet is in that subnet but the setup won't deal well with subnet overlap
so it's best to explicitely not support NATed machines with an IP in 172.16.0.0/12.