Commit log (commit message, followed by author, date and number of files changed):
* Roundcube: Change document root to /var/lib/roundcube/public_html. (Guilhem Moulin, 2021-01-27, 1 file)
  Per https://salsa.debian.org/roundcube-team/roundcube/commit/7df02624eec4857053432d8ebe9b4e2b36f22bc5 .

* Postfix: pin key material to our MX:es for fripost.org and its subdomains. (Guilhem Moulin, 2021-01-26, 6 files)
  This solves an issue where an attacker would strip the STARTTLS keyword from the EHLO response, thereby preventing connection upgrade; or spoof DNS responses to route outgoing messages to an attacker-controlled SMTPd, thereby allowing message MiTM'ing. With key material pinning in place, smtp(8postfix) immediately aborts the connection (before the MAIL command) and places the message into the deferred queue instead:

      postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified)

  This applies to the smarthost as well as for verification probes on the Mail Submission Agent. Placing message into the deferred queue might yield denial of service, but we argue that it's better than a privacy leak.

  This only covers *internal messages* (from Fripost to Fripost) though: only messages with ‘fripost.org’ (or a subdomain of such) as recipient domain. Other domains, even those using mx[12].fripost.org as MX, are not covered. A scalable solution for arbitrary domains would involve either DANE and TLSA records, or MTA-STS [RFC8461].

  Regardless, there is some merit in hardcoding our internal policy (when the client and server are both under our control) in the configuration. It for instance enables us to harden TLS ciphers and protocols, and makes the verification logic independent of DNS.

* typofix (Guilhem Moulin, 2021-01-24, 1 file)

* Use dedicated DKIM key for jakmedlem.se. (Guilhem Moulin, 2021-01-24, 2 files)

* certs/gencerts.sh: Don't hard-code the intermediate CA. (Guilhem Moulin, 2021-01-07, 1 file)
  Since mid December Let's Encrypt has been using /C=US/O=Let's Encrypt/CN=R3 (CAID #183267) instead of the old /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (CAID #16418).

* ansible.cfg: Use ControlPath=$XDG_RUNTIME_DIR/ssh-ansible-%C (Guilhem Moulin, 2020-12-12, 1 file)
  Best not to pollute the homedir with UNIX domain sockets… Note that variable expansion is only available in OpenSSH 8.4 and later, cf. https://bugzilla.mindrot.org/show_bug.cgi?id=3140 .

* nginx: Update trusted certificate used for OCSP stapling. (Guilhem Moulin, 2020-12-05, 1 file)
  See https://bugs.debian.org/975862 .
* Firewall: Always include 172.16.0.0/12 to the bogon list. (Guilhem Moulin, 2020-11-15, 1 file)
  Our IPsec subnet is in that subnet but the setup won't deal well with subnet overlap so it's best to explicitly not support NATed machines with an IP in 172.16.0.0/12.
* Firewall: Add counter to dropped ICMP packets. (Guilhem Moulin, 2020-11-15, 1 file)

* rkhunter: workaround for mix usrmerge/non-usrmerge environments. (Guilhem Moulin, 2020-11-15, 1 file)
  See https://bugs.debian.org/932594#15 .

* Firewall: ICMPv6: accept link-local multicast receiver notification messages. (Guilhem Moulin, 2020-11-15, 1 file)

* typofix (Guilhem Moulin, 2020-11-15, 1 file)
  Regression from ead9aaa3dd7ca48012b2b21cc930ee73c8eaa9d3.
* Change NTP client to systemd-timesyncd. (Guilhem Moulin, 2020-11-15, 5 files)
  (Excluding our NTP master.) It's simpler, arguably more secure, and provides enough functionality when only simple client use-cases are desired. We allow outgoing connections to 123/udp also on NTP slaves so systemd-timesyncd can connect to the fallback NTP servers.
* Bacula: tweak fileset and retention policy. (Guilhem Moulin, 2020-11-15, 1 file)
  In particular, trigger weekly differential backups for mailboxes, and exclude Dovecot's transaction/index/etc log and cache files which are constantly updated but not useful assets to backup.

* logcheck-database update. (Guilhem Moulin, 2020-11-15, 4 files)
* Firewall: allow ICMP type 11 (time-exceeded). (Guilhem Moulin, 2020-11-03, 1 file)
  This is in particular needed for traceroutes and routing loop detection.
* Revert "Bacula Director: Properly quote shell command." (Guilhem Moulin, 2020-11-03, 1 file)
  This reverts commit 26bae877102752a41a903cab2ee0891f8f261d38.

* Move bacula and munin master to new host levante from benjamin. (Guilhem Moulin, 2020-11-03, 5 files)

* Bacula: refactor systemd service files. (Guilhem Moulin, 2020-11-03, 6 files)
  Use unit overrides on top of upstream's service files instead of overriding entire service files. In particular, upstream uses flag `-P` so we don't need to use RuntimeDirectory= anymore.
* Firewall: Move IPsec/ICMP/ICMPv6 rules to ingress chain. (Guilhem Moulin, 2020-11-03, 1 file)
  This is required to receive incoming traffic to our IPsec IP in 172.16.0.0/24, as well as link-scoped ICMPv6 traffic from/to fe80::/10 (for neighbour discovery). Regression from a6b8c0b3a4758f8d84a7ad07bb9e068075d098d3.
* Firewall: Move martian and bogus TCP filters early in the packet flow. (Guilhem Moulin, 2020-11-02, 1 file)
  This is more efficient: the earlier we filter the crap out the less resources they consume.

* kernel parameters: Disable SYN cookies and improve SYN backlog handling. (Guilhem Moulin, 2020-11-02, 1 file)
  See tcp(7) and https://levelup.gitconnected.com/linux-kernel-tuning-for-high-performance-networking-high-volume-incoming-connections-196e863d458a .

* Refactor SQL custom configuration. (Guilhem Moulin, 2020-11-02, 3 files)
  As of MariaDB 10.3 this should be more future proof.

* Bacula Director: Properly quote shell command. (Guilhem Moulin, 2020-11-02, 1 file)

* typofix (Guilhem Moulin, 2020-11-02, 1 file)

* Munin master: Bug fix for the HTML rendering. (Guilhem Moulin, 2020-11-02, 2 files)

* Wiki: Install dependencies for static web content. (Guilhem Moulin, 2020-11-02, 1 file)
  See https://git.fripost.org/fripost-wiki/commit/?id=72983121e68289a7497927417e52a8ec5f16aa7b .

* typofix (Guilhem Moulin, 2020-10-02, 1 file)
* Roundcube: Add minimal config file for thunderbird_labels plugin. (Guilhem Moulin, 2020-10-02, 2 files)
* Roundcube: Don't allow overriding authres_status's use_fallback_verifier/trusted_mtas. (Guilhem Moulin, 2020-10-02, 2 files)

* Use dedicated DKIM key for tevs.net. (Guilhem Moulin, 2020-10-01, 2 files)

* Add PHP modules required for Nextcloud 19. (Guilhem Moulin, 2020-08-19, 1 file)

* slapcat-all.sh: Use ldapsearch(1) to generate the LDIF. (Guilhem Moulin, 2020-05-26, 2 files)
  Unlike slapcat(1) it doesn't require write access to ~openldap, so we don't have to weaken bacula-fd.service.

* munin: `sed s,/var/run/,/run,` (Guilhem Moulin, 2020-05-26, 2 files)

* bacula-dir: Add jobs for nextcloud-data. (Guilhem Moulin, 2020-05-26, 1 file)

* bacula-{dir,sd}: Upgrade role to Debian Buster. (Guilhem Moulin, 2020-05-26, 4 files)

* Wiki: Content-Security-Policy: Add data: to img-src. (Guilhem Moulin, 2020-05-22, 2 files)
  This is needed for BS4's navbar-toggler-icon which uses an SVG background-image.

* Use dedicated DKIM key for hemdal.se. (Guilhem Moulin, 2020-05-22, 2 files)

* cgit: Tighten Content-Security-Policy. (Guilhem Moulin, 2020-05-21, 1 file)
  Add frame-ancestors and form-action.

* LDAP: Add ACLs for group ‘styrelse’. (Guilhem Moulin, 2020-05-21, 1 file)
* Postfix: Install -lmdb in all roles using db=lmdb. (Guilhem Moulin, 2020-05-21, 4 files)
  And drop -ldap from all roles other than MX. -lmdb is included in roles/common but it can be helpful to have it in individual roles as well, as they can be run individually.
* postfix-sender-login: Better hardening. (Guilhem Moulin, 2020-05-21, 4 files)
  Run as a dedicated user, not ‘postfix’.
* dovecot-auth-proxy: replace directory traversal with LDAP lookups. (Guilhem Moulin, 2020-05-21, 6 files)
  This provides better isolation opportunity as the service doesn't need to run as ‘vmail’ user. We use a dedicated system user instead, and LDAP ACLs to limit its access to the strict minimum. The new solution is also more robust to quoting/escaping, and doesn't depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID instead of %d/%n at some point to make user renaming simpler). OTOH we no longer list users that have been removed from LDAP but still have a mailstore lingering around. This is fair.
* dovecot-auth-proxy: Bump protocol version to 2.2. (Guilhem Moulin, 2020-05-20, 1 file)
  This is a regression from 829f4d830aefedd95a75e61cfc9aa3e03f039c6f. There are no relevant interface changes between 2.2.27 (stretch) and 2.3.4 (buster), cf. `git diff 2.2.27..2.3.4 src/lib-dict/dict-client.h` and https://github.com/dovecot/core/commits/2.3.4/src/lib-dict/dict-client.h .
* IMAP: Update role to Debian Buster. (Guilhem Moulin, 2020-05-19, 12 files)
  For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d . At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.

* MSA: Update role to Debian Buster. (Guilhem Moulin, 2020-05-19, 3 files)
  For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d . At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.

* LDAP: Update role to Debian Buster. (Guilhem Moulin, 2020-05-19, 2 files)

* s/LDAP-provider/LDAP_provider/ (Guilhem Moulin, 2020-05-19, 8 files)
  This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.

* wibble (Guilhem Moulin, 2020-05-18, 1 file)

* stunnel4: Harden and socket-activate. (Guilhem Moulin, 2020-05-18, 7 files)