Commit message | Author | Age | Files

Since mid-December Let's Encrypt has been using /C=US/O=Let's Encrypt/CN=R3 (CAID #183267) instead of the old /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (CAID #16418).
Best not to pollute the homedir with UNIX domain sockets…
Note that variable expansion is only available in OpenSSH 8.4 and later,
cf. https://bugzilla.mindrot.org/show_bug.cgi?id=3140 .
See https://bugs.debian.org/975862 .
Our IPsec subnet is in that subnet but the setup won't deal well with subnet overlap,
so it's best to explicitly not support NATed machines with an IP in 172.16.0.0/12.
See https://bugs.debian.org/932594#15 .
Regression from ead9aaa3dd7ca48012b2b21cc930ee73c8eaa9d3.
(Excluding our NTP master.) It's simpler, arguably more secure, and
provides enough functionality when only simple client use-cases are
desired.
We allow outgoing connections to 123/udp also on NTP slaves so systemd-timesyncd
can connect to the fallback NTP servers.
In particular, trigger weekly differential backups for mailboxes, and exclude
Dovecot's transaction/index/etc log and cache files which are constantly
updated but not useful assets to backup.
This is in particular needed for traceroutes and routing loop detection.
This reverts commit 26bae877102752a41a903cab2ee0891f8f261d38.
Use unit overrides on top of upstream's service files instead of
overriding entire service files. In particular, upstream uses flag `-P`
so we don't need to use RuntimeDirectory= anymore.
This is required to receive incoming traffic to our IPsec IP in 172.16.0.0/24,
as well as link-scoped ICMPv6 traffic from/to fe80::/10 (for neighbour
discovery).
Regression from a6b8c0b3a4758f8d84a7ad07bb9e068075d098d3.
This is more efficient: the earlier we filter the crap out the less
resources they consume.
See tcp(7) and https://levelup.gitconnected.com/linux-kernel-tuning-for-high-performance-networking-high-volume-incoming-connections-196e863d458a .
As of MariaDB 10.3 this should be more future proof.
See https://git.fripost.org/fripost-wiki/commit/?id=72983121e68289a7497927417e52a8ec5f16aa7b .
use_fallback_verifier/trusted_mtas.
Unlike slapcat(1) it doesn't require write access to ~openldap, so we
don't have to weaken bacula-fd.service.
This is needed for BS4's navbar-toggler-icon which uses an SVG
background-image.
Add frame-ancestors and form-action.
And drop -ldap from all roles other than MX. -lmdb is included in
roles/common but it can be helpful to have it in individual roles as well,
as they can be run individually.
Run as a dedicated user, not ‘postfix’.
This provides better isolation opportunity as the service doesn't need
to run as ‘vmail’ user. We use a dedicated system user instead, and
LDAP ACLs to limit its access to the strict minimum.
The new solution is also more robust to quoting/escaping, and doesn't
depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID
instead of %d/%n at some point to make user renaming simpler).
OTOH we no longer list users that have been removed from LDAP but still
have a mailstore lingering around. This is fair.
This is a regression from 829f4d830aefedd95a75e61cfc9aa3e03f039c6f.
There are no relevant interface changes between 2.2.27 (stretch) and
2.3.4 (buster), cf. `git diff 2.2.27..2.3.4 src/lib-dict/dict-client.h`
and https://github.com/dovecot/core/commits/2.3.4/src/lib-dict/dict-client.h .
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.
To be done when we upgrade to Bullseye for more fine-grained control.
This adds the following two ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
We replace uwsgi in 70f16ac939497e3e424bad05c5f82ce36d1bceda.
Marking incoming ESP packets and matching decapsulated packets doesn't
work with NAT traversal (UDP encapsulation aka MOBIKE).