Commit message | Author | Age | Files
* Configure dovecot's antispam filter. | Guilhem Moulin | 2015-06-07 | 6
    Mails to be retrained are stored in the spooldir /home/mail/spamspool; later a daemon catches them up and feeds them to sa-learn(1p). (On busy systems, batch-processing the learning should be much more efficient.)
    The folder transition matrix along with the corresponding actions can be found there: http://hg.dovecot.org/dovecot-antispam-plugin/raw-file/5ebc6aae4d7c/doc/dovecot-antispam.7.txt
    See also dovecot-antispam(7).
* Enable IMAP virtual mailboxes. | Guilhem Moulin | 2015-06-07 | 7
    Using dovecot's 'virtual' plugin, cf. http://wiki2.dovecot.org/Plugins/Virtual
    The 'virtual/' namespace is visible in the NAMESPACE command (hidden=no), but not in LIST (list=no). This should ensure that the namespace isn't automatically synced by offlineimap, but is nevertheless visible to roundcube, cf. http://trac.roundcube.net/ticket/1486796 http://mailman2.u.washington.edu/pipermail/imap-protocol/2010-May/001076.html
* wibble | Guilhem Moulin | 2015-06-07 | 11
* Include amavisd-new's LDAP schema. | Guilhem Moulin | 2015-06-07 | 1
    It'd certainly be nicer if we didn't have to deploy amavis' schema everywhere, but we need the 'objectClass' in our replicates, hence they need to be aware of the 'amavisAccount' class.
* Configure the content filter. | Guilhem Moulin | 2015-06-07 | 14
    Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new. Each user has his/her amavis preferences and his/her own Bayes filter (to maximize privacy).
    One question remains, though: how to set spamassassin's trusted_networks / internal_networks / msa_networks? It seems not obvious to get it right with IPSec and dynamic IPs. (Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)
* bugfix | Guilhem Moulin | 2015-06-07 | 1
* Convert legacy *.schema into *.ldif. | Guilhem Moulin | 2015-06-07 | 1
* wibble | Guilhem Moulin | 2015-06-07 | 2
* oops | Guilhem Moulin | 2015-06-07 | 1
* Install common packages. | Guilhem Moulin | 2015-06-07 | 1
* Configure S.M.A.R.T. | Guilhem Moulin | 2015-06-07 | 2
* Configure NTP. | Guilhem Moulin | 2015-06-07 | 6
    We use a "master" NTP server, which synchronizes against stratum 1 servers (hence is a stratum 2 itself); all other clients synchronize to this master server through IPSec.
* Rename the role 'mx' into 'MX'. | Guilhem Moulin | 2015-06-07 | 15
    Other abbreviations are upper case.
* Configure the Mail Submission Agent. | Guilhem Moulin | 2015-06-07 | 10
* Configure the Mail Delivery Agent. | Guilhem Moulin | 2015-06-07 | 9
* wibble | Guilhem Moulin | 2015-06-07 | 6
* Configure the IMAP server. | Guilhem Moulin | 2015-06-07 | 15
    (For now, only LMTP and IMAP processes, without replication.)
* oops | Guilhem Moulin | 2015-06-07 | 1
* Configure the LDAP provider. | Guilhem Moulin | 2015-06-07 | 5
    (Hence the SyncProv overlay.)
* Automatically configure Overlays. | Guilhem Moulin | 2015-06-07 | 1
    A 'suffix=' parameter has been added to choose the database to configure the overlay for.
    The ability to delete overlays would be desirable, but sadly there is no clean way to remove/replace overlays, short of stopping slapd and digging into the slapd.d directory: http://www.zytrax.com/books/ldap/ch6/slapd-config.html#use-overlays
* LDAP Sync Replication. | Guilhem Moulin | 2015-06-07 | 6
* Postfix is compiled without SASL support. | Guilhem Moulin | 2015-06-07 | 7
    As of 2.9.6 (2.10), at least. See bug #730848.
* Configure the MX:es. | Guilhem Moulin | 2015-06-07 | 19
* Provision /etc/default/slapd | Guilhem Moulin | 2015-06-07 | 2
    This is because the UNIX domain socket to connect to when performing LDAP lookups needs to be in the chroot.
    Also, don't open an INET socket unless we're a Sync Provider.
* Not all LDAPErrors have an 'info' key. | Guilhem Moulin | 2015-06-07 | 1
* Share master.cf across all Postfix instances. | Guilhem Moulin | 2015-06-07 | 4
    And use main.cf's 'master_service_disable' setting to deactivate each service that's useless for a given instance. (Hence solving conflicts when trying to listen twice on the same port, for instance.)
* Use a dedicated SMTP port for samhain. | Guilhem Moulin | 2015-06-07 | 4
    It's unfortunate that samhain cannot use the sendmail binary, and wants to use an inet socket instead. We use a custom port to avoid conflicts with the usual SMTP port the MX:es need to listen on.
    See also: /usr/share/doc/samhain/TODO.Debian
* wibble | Guilhem Moulin | 2015-06-07 | 1
* Allow flexible ACLs for SASL's EXTERNAL mechanism. | Guilhem Moulin | 2015-06-07 | 2
    "username=postfix,cn=peercred,cn=external,cn=auth" is replaced by "gidNumber=106+uidNumber=102,cn=peercred,cn=external,cn=auth" where 102 is postfix's UID and 106 its primary GID (looked up from /etc/passwd).
* Reorganization. | Guilhem Moulin | 2015-06-07 | 10
* Tell ansible we generally want to use sudo(8). | Guilhem Moulin | 2015-06-07 | 2
    I.e., put 'sudo=True' in ansible.cfg.
* Optimize LDAP modifications. | Guilhem Moulin | 2015-06-07 | 2
    For non-indexed attributes, do not ask the LDAP server to modify values in the symmetric difference of A (the entry found in the directory) and B (the target). That is, we replace A by B only when they are disjoint; otherwise we remove values in A-B and add those in B-A.
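The rule in the commit above (replace A by B wholesale only when the two value sets are disjoint, otherwise delete A-B and add B-A), written out as an added example; this is not code from the repository. It mirrors the numeric values of python-ldap's MOD_ADD / MOD_DELETE / MOD_REPLACE so the result could be handed to `modify_s`, but does not import python-ldap so that it runs offline; the empty-set cases and the whole-entry helper are assumptions on top of the commit's rule, and the commit's indexed/non-indexed distinction is not modelled. Values are plain strings here; python-ldap expects bytes.

```python
"""Minimal LDAP modlist for turning a directory entry (A) into a target (B)."""

# Same values as python-ldap's ldap.MOD_ADD, ldap.MOD_DELETE, ldap.MOD_REPLACE
# (assumption: defined locally so the example runs without python-ldap).
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def attribute_modlist(attr, current, target):
    """Return (op, attr, values) tuples that turn `current` into `target`.

    - identical sets: nothing to do;
    - target empty: drop the attribute (MOD_DELETE with values=None);
    - current empty: a plain MOD_ADD;
    - disjoint sets: one MOD_REPLACE is cheapest (the commit's rule);
    - overlapping sets: only touch the symmetric difference, i.e. delete
      current - target, then add target - current (the commit's rule).
    """
    a, b = set(current), set(target)
    if a == b:
        return []
    if not b:
        return [(MOD_DELETE, attr, None)]
    if not a:
        return [(MOD_ADD, attr, sorted(b))]
    if a.isdisjoint(b):
        return [(MOD_REPLACE, attr, sorted(b))]
    mods = []
    if a - b:
        mods.append((MOD_DELETE, attr, sorted(a - b)))
    if b - a:
        mods.append((MOD_ADD, attr, sorted(b - a)))
    return mods


def entry_modlist(current_entry, target_entry):
    """Apply attribute_modlist to every attribute of two entries.

    Entries are dicts of attribute name -> list of values, the shape returned
    by python-ldap's search_s (assumption: string values instead of bytes).
    Attributes are visited in sorted order so the output is deterministic.
    """
    mods = []
    for attr in sorted(set(current_entry) | set(target_entry)):
        mods.extend(attribute_modlist(attr,
                                      current_entry.get(attr, []),
                                      target_entry.get(attr, [])))
    return mods


if __name__ == "__main__":
    # Constructed sample: the directory holds A, the playbook wants B.
    found = {"cn": ["alice"], "mail": ["alice@example.org", "old@example.org"]}
    wanted = {"cn": ["alice"], "mail": ["alice@example.org", "new@example.org"],
              "description": ["mailbox owner"]}
    for op, attr, values in entry_modlist(found, wanted):
        print({MOD_ADD: "add", MOD_DELETE: "delete", MOD_REPLACE: "replace"}[op],
              attr, values)
```

In the sample, `mail` overlaps between A and B, so only `old@example.org` is deleted and `new@example.org` added; a disjoint attribute would instead produce a single replace, which keeps the number of values the server (and any index) has to touch to a minimum.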
* Load our schema *before* the database. | Guilhem Moulin | 2015-06-07 | 1
    Since indices are specified in the database LDIF.
* Deal with python's strange support of encodings. | Guilhem Moulin | 2015-06-07 | 3
    It's not happy with non-ASCII characters in comments, unless the encoding is made explicit… http://www.python.org/dev/peps/pep-0263/
* Reformulate the headers showing the license. | Guilhem Moulin | 2015-06-07 | 9
    To be clearer, and to follow the recommendation of the FSF, we include a full header rather than a single sentence.
* Configure debsecan. | Guilhem Moulin | 2015-06-07 | 2
* Common LDAP (slapd) configuration. | Guilhem Moulin | 2015-06-07 | 7
* Common MySQL configuration. | Guilhem Moulin | 2015-06-07 | 3
* Remove spaces in MySQL privileges strings. | Guilhem Moulin | 2015-06-07 | 1
    In order to allow strings of the form: priv="db.table1:SELECT, UPDATE,DELETE /db.table2:SELECT,INSERT, DELETE"
* Add support for MySQL's Authentication Plugins. | Guilhem Moulin | 2015-06-07 | 1
    A.k.a "IDENTIFIED WITH ...". The plugin is automatically loaded on first use.
    References:
    - https://dev.mysql.com/doc/refman/5.5/en/pluggable-authentication.html
    - https://dev.mysql.com/doc/refman/5.5/en/socket-authentication-plugin.html
    Sadly as of MySQL 5.5, the "ALTER USER" command does not allow changing the Authentication Plugin, so we have to manually manipulate `mysql.user` (and FLUSH PRIVILEGES) instead. See also http://bugs.mysql.com/bug.php?id=67449
* Imported Ansible's 'mysql_user' module. | Guilhem Moulin | 2015-06-07 | 1
    From ref origin/release1.4.0, commit 2a58c2bbe33236ccfdde9fe7466d8a65956f21a5
* Postfix master (nullmailer) configuration | Guilhem Moulin | 2015-06-07 | 13
    We use a dedicated instance for each role: MDA, MTA out, MX, etc.
* Fix unattended-upgrades's configuration. | Guilhem Moulin | 2015-06-07 | 1
    ${distro_codename} doesn't work properly there, so we put stable and/or oldstable instead.
* wibble | Guilhem Moulin | 2015-06-07 | 1
    Replaced [ -n "$string" ] with [ "$string" ], and [ -z "$string" ] with [ ! "$string" ].
* Replace the 'syslog' facility (5) by 'user' (1). | Guilhem Moulin | 2015-06-07 | 2
    'syslog' is meant for the messages generated internally by syslogd, whereas 'user' is for user-level messages.
* wibble | Guilhem Moulin | 2015-06-07 | 3
* Be more specific regarding the protocol in use for IPSec policies. | Guilhem Moulin | 2015-06-07 | 3
    We use ESP only, so other protocols shouldn't be ACCEPTed.
* Don't start daemons when there is a triggered handler. | Guilhem Moulin | 2015-06-07 | 4
    This is pointless since the service will be restarted anyway.
* Flush pending handlers between each include. | Guilhem Moulin | 2015-06-07 | 6
    In particular, run 'apt-get update' right after configuring APT, and restart daemons right after configuring them. The advantage being that if ansible crashes in some "task", the earlier ones would already be restarted if needed. (This may not happen in the next run since the configuration should already be up to date.)
* We are not using nf_conntrack. | Guilhem Moulin | 2015-06-07 | 1