|  | Commit message (Collapse) | Author | Age | Files | 
|---|
| ... |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | In fact we want to only rewrite the envelope sender:
    :/etc/postfix/main.cf
    # Overwrite local FQDN envelope sender addresses
    sender_canonical_classes       = envelope_sender
    propagate_unmatched_extensions =
    sender_canonical_maps          = cdb:$config_directory/sender_canonical
    :/etc/postfix/sender_canonical
    @elefant.fripost.org     admin@fripost.org
However, when canonical(5) processes a mail sent vias sendmail(1), it
rewrites the envelope sender which seems to *later* be use as From:
header. | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| | This is required for dbox, see
http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | There seem to be multiple bugs with the version from wheezy-backports
(2.2.9-1~bpo70+1), and the client is killed on THREAD commands:
  guilhem@elefant:~$ telnet localhost 143
  Trying ::1...
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
  a LOGIN guilhem xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE NOTIFY] Logged in
  b SELECT INBOX
  * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
  * OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
  * 8060 EXISTS
  * 0 RECENT
  * OK [UIDVALIDITY 1302032711] UIDs valid
  * OK [UIDNEXT 78905] Predicted next UID
  * OK [NOMODSEQ] No permanent modsequences
  b OK [READ-WRITE] Select completed (0.395 secs).
  c THREAD REFERENCES UTF-8 ALL
  Connection closed by foreign host.
  :/var/log/syslog
  Jun 27 21:58:01 elefant dovecot: imap(guilhem@fripost.org): Fatal: master: service(imap): child 24907 killed with signal 11 (core dumps disabled)
  Jun 27 21:58:01 elefant kernel: [248570.057270] imap[24907]: segfault at 400 ip 00007f7651596e09 sp 00007fff6e267760 error 4 in libdovecot.so.0.0.0[7f765153a000+cc000]
Other (less scary) errors can be found in the syslog:
  Jun 27 20:26:09 elefant dovecot: imap(xxxx@fripost.org): Error: file_dotlock_open() failed with file /home/imapproxy/fripost.org/xxxx/imapc/dovecot.list.index.log: No such file or directory
  Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Error: imapc(imap.fripost.org:993): Command '11 APPEND "Sent" (\Seen) {2512485}' timed out, disconnecting
  Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Error: imapc: COPY failed: Disconnected from server
  Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Disconnected: IMAP session state is inconsistent, please relogin. in=2512632 out=969
This is infortunate as we cannot benefit from the 'fetch-headers'
imapc_features right now.  However, the bugs (at least the segfault) seems to
be fixed as of 2.2.13-1, the version which can currently be found in testing.
Hopefully it'll be backported soon :-) | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| | This ensures that Dovecot won't deliver messages if the disk hasn't been
mounted, for instance. | 
| | 
| 
| 
| | So we set 'first_valid_uid' to 1, to accept any UID. | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| | Interesting features include caching of mail headers (v2.2.8+) as well
as new IMAP capabilities. | 
| | 
| 
| 
| 
| 
| | Recent versions have a whole bunch of bugfixes and nice new features:
    http://trac.roundcube.net/wiki/Changelog | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Instead, generate a server certificate for each host (on the machine
itself).  Then fetch all these certs locally, and copy them over to each
IPSec peer.  That requires more certs to be stored on each machines (n
vs 2), but it can be done automatically, and is easier to deploy.
Note: When adding a new machine to the inventory, one needs to run the
playbook on that machine (to generate the cert and fetch it locally)
first, then on all other machines. | 
| | |  | 
| | 
| 
| 
| | Also, always install contrib's intel-microcode on Intel CPUs. | 
| | |  | 
| | 
| 
| 
| 
| 
| | E.g., ldap.fripost.org, ntp.fripost.org, etc.  (Ideally the DNS zone
would be provisioned by ansible, too.)  It's a bit unclear how to index
the subdomains (mx{1,2,3}, etc), though. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Which might be caused by slow LDAP lookups in transport_maps.  Instead,
we alias each addresses for which we want a custom transport to a
dedicated "dummy" domain, and use a static (CDB) transport_maps to map
said domains to their transport;  the receiver can then use canonical(8)
to restore the original envelope recipient.  Since the alias resolution
is performed by cleanup(8), which can run in parallel with other
instances, it should decongestion bottlenecks under heavy loads.
So far only the MX:es have been decongestioned.  The list manager and
the MDA should be treated as well. | 
| | |  | 
| | 
| 
| 
| | (To be removed when the fix enters stable.) | 
| | 
| 
| 
| 
| | (Disable SSLv3 and extend STS' max age to 180 days.) See
https://www.ssllabs.com/ssltest/ . | 
| | 
| 
| 
| 
| | But not in the installer, as busybox's implementation of mktemp didn't
deprecate -t/-p. | 
| | 
| 
| 
| | Most notably pipelining=True and sysctl_set=yes. | 
| | |  | 
| | |  | 
| | 
| 
| 
| | Hence put the CSS and fonts under /usr/share/. | 
| | 
| 
| 
| | That is, don't put a leading virtual_ or a trailing _maps in file names. | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | We introduce a limitation on the domain-aliases: they can't have
children (e.g., lists or users) any longer.
The whole alias resolution, including catch-alls and domain aliases, is
now done in 'virtual_alias_maps'. We stop the resolution by returning a
dummy alias A -> A for mailboxes, before trying the catch-all maps.
We're still using transport_maps for lists. If it turns out to be a
bottleneck due to the high-latency coming from LDAP maps, (and the fact
that there is a single qmgr(8) daemon), we could rewrite lists to a
dummy subdomain and use a static transport_maps instead:
  virtual_alias_maps:
    mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain
  transport_maps:
    mlmmj.localhost.localdomain mlmmj: | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | Right now the list server cannot be hosted with a MX, due to bug 51:
    http://mlmmj.org/bugs/bug.php?id=51
Web archive can be compiled with MHonArc, but the web server
configuration is not there yet. | 
| | 
| 
| 
| 
| 
| | They were only a dirty hack for list commands à la Mailman such as
mylist-request. If we are to use another list manager such as mlmmj,
which uses a VERP delimiter instead, the problem disappears. | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| | It has to be performed last, to give a chance to be accepted as a
regular mailbox.
We introduce a new, dedicated, smtpd daemon whose only purpose is to
resolve catch-alls. | 
| | 
| 
| 
| 
| 
| | To avoid low-entropy conditions, see
    http://www.issihosts.com/haveged/ | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Instead, we pretend that lists are valid users (via a match in the
mailbox_transport_maps) but choose a different transport (with the same
request in transport_maps).
The advantage is that we get rid of the ugly hack for list transport…
A minor drawback is that we now have two LDAP lookups instead of one for
non local addresses (ie, everything but reserved addresses). Hopefully
the requests are cached; but even if they aren't, querying a local LDAP
server is supposed to be cheap. | 
| | 
| 
| 
| 
| | Also, add the 'managesieve' RoundCube plugin to communicate with our
server. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | (Unless the webmail is itself a full IMAP server.) It replaces
RoundCube's own IMAP and message caches.
Dovecot's IMAPC storage backend is not very documented, but provides
smart IMAP proxying. References include:
http://dovecot.org/pipermail/dovecot/2011-January/056975.html
http://wiki2.dovecot.org/HowTo/ImapcProxy
http://wiki2.dovecot.org/Migration/Dsync | 
| | |  |