summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFiles
* dovecot-auth-proxy: replace directory traversal with LDAP lookups.Guilhem Moulin2020-05-216
| | | | | | | | | | | | | This provides better isolation opportunity as the service doesn't need to run as ‘vmail’ user. We use a dedicated system user instead, and LDAP ACLs to limit its access to the strict minimum. The new solution is also more robust to quoting/escaping, and doesn't depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID instead of %d/%n at some point to make user renaming simpler). OTOH we no longer lists users that have been removed from LDAP but still have a mailstore lingering around. This is fair.
* dovecot-auth-proxy: Bump protocol version to 2.2.Guilhem Moulin2020-05-201
| | | | | | | | This a regression rom 829f4d830aefedd95a75e61cfc9aa3e03f039c6f. There are no relevant interface changes between 2.2.27 (stretch) and 2.3.4 (buster) cf. `git diff 2.2.27..2.3.4 src/lib-dict/dict-client.h` and https://github.com/dovecot/core/commits/2.3.4/src/lib-dict/dict-client.h .
* IMAP: Update role to Debian Buster.Guilhem Moulin2020-05-1912
| | | | | | | | For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
* MSA: Update role to Debian Buster.Guilhem Moulin2020-05-193
| | | | | | | | For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
* LDAP: Update role to Debian Buster.Guilhem Moulin2020-05-192
|
* s/LDAP-provider/LDAP_provider/Guilhem Moulin2020-05-198
| | | | This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.
* wibbleGuilhem Moulin2020-05-181
|
* stunnel4: Harden and socket-activate.Guilhem Moulin2020-05-187
|
* Firewall: note on reqid matching.Guilhem Moulin2020-05-181
| | | | To be done when we upgrade to Bullseye for more fine-grained control.
* AEAD ciphers: Add EECDH+CHACHA20 macro.Guilhem Moulin2020-05-184
| | | | | | | This adds the following two ciphers: ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
* cgit and HTTP backend: Remove unused files.Guilhem Moulin2020-05-182
| | | | We replace uwsgi in 70f16ac939497e3e424bad05c5f82ce36d1bceda.
* Firewall: Use `meta secpath exists` to match xfrm associations.Guilhem Moulin2020-05-181
| | | | | Marking incoming ESP packets and matching decapsulated packets doesn't work with NAT traverslate (UDP encapsulation aka MOBIKE).
* nginx: Add Expires: HTTP headers.Guilhem Moulin2020-05-176
|
* webmail: Add .webp to the list of static resources.Guilhem Moulin2020-05-171
|
* Nextcloud: Fix location{} directives.Guilhem Moulin2020-05-171
| | | | For use with Nextcloud 18, cf. https://docs.nextcloud.com/server/18/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx .
* lacme: Port to Debian 10.Guilhem Moulin2020-05-172
| | | | | We also rename the ‘lacme’ system user to ‘_lacme’ per Debian Policy §9.2.1: https://www.debian.org/doc/debian-policy/ch-opersys.html#introduction .
* lists.fripost.org: Improve gzip support.Guilhem Moulin2020-05-171
|
* git, wiki, website: Improve gzip support.Guilhem Moulin2020-05-173
|
* Webmail: Compress static resources.Guilhem Moulin2020-05-171
| | | | | | | | | | | We leave dynamic pages (those passed to PHP-FPM) alone for now: compressing them would make us vulnerable to BREACH attacks. This will be revisited once Roundcube 1.5 is released: 1.5 adds support for the same-site cookie attribute which once set to 'Strict' makes it immune to BREACH attacks: https://github.com/roundcube/roundcubemail/pull/6772 https://www.sjoerdlangkemper.nl/2016/11/07/current-state-of-breach-attack/#same-site-cookies
* Webmail: Fix allowed extensions for static resources.Guilhem Moulin2020-05-171
| | | | | $ find -L /usr/share/roundcube/{plugins,program/js,program/resources,skins} -xtype f -printf "%f\\n" \ | sed -r "s/^([^.]+)(.*)/\1\2\t\2/" | sort -k2 | uniq -c -f1
* Webmail: Improve Content-Security-Policy.Guilhem Moulin2020-05-171
|
* nginx: Add MIME type declaration for .woff2 files.Guilhem Moulin2020-05-171
|
* Remove 'meta: flush_handlers' directives under conditionals.Guilhem Moulin2020-05-172
| | | | They don't appear to be supported anymore.
* Roundcube: skip 'keyboard_shortcuts' plugin.Guilhem Moulin2020-05-171
| | | | | It doesn't integrate too well with the new elastic theme at the moment. https://github.com/corbosman/keyboard_shortcuts
* roles/amavis: Drop packages that no longer exist.Guilhem Moulin2020-05-171
|
* Roundcube: Port to Debian 10.Guilhem Moulin2020-05-1713
| | | | | We use the version from buster-backports (currently 1.4.4+dfsg.1-1~bpo10+1) for the elastic theme.
* common-web: Remove snippets/acme-challenge.conf.Guilhem Moulin2020-05-162
| | | | lacme now ships that file as /etc/lacme/nginx.conf.
* MX: Port to Debian 10.Guilhem Moulin2020-05-162
| | | | | | | | For postfix, don't defer if "abused legit". (I.e., DBL return code in the 127.0.1.100+ range.) This used to work for Postfix 3.1.14 (Stretch) but for 3.4.8 (Buster) the 'defer_if_reject' also applies to $smtpd_relay_restrictions, to reject_unauth_destination & reject_unlisted_recipient in particular.
* wiki/website: harden config and port to Debian 10.Guilhem Moulin2020-05-168
|
* git browser and HTTP backend: harden config and port to Debian 10.Guilhem Moulin2020-05-168
|
* MX: Install OpenDMARC to add Authentication-Results headers.Guilhem Moulin2020-05-166
| | | | | | | | On the infrastructure boundary. We don't reject/quarantine as it would affect members who forward their mail sent to <user@example.com> to <user@fripost.org>. Members can install Sieve rules to send any messages with failed Authentication-Results headers directly in their spambox.
* wwsympa.service: Use existing directory /run/sympa.Guilhem Moulin2020-05-161
| | | | | We shouldn't use RuntimeDirectory to create it anew because is belongs to the Sympa daemon and WWSympa looks up for PID files in there.
* sympa.conf: remove deprecated options.Guilhem Moulin2020-05-161
|
* antilop: Upgrade baseline to Debian 10.Guilhem Moulin2020-05-163
|
* nextcloud: Set php values in pool configuration.Guilhem Moulin2020-05-162
|
* typofixGuilhem Moulin2020-05-161
|
* Upgrade baseline to Debian 10.Guilhem Moulin2020-05-1623
|
* wibbleGuilhem Moulin2020-05-161
|
* Nextcloud: Minor redis-server config tweak.Guilhem Moulin2020-05-161
|
* Nextcloud: use dedicated user and PHP FPM pool.Guilhem Moulin2020-05-165
| | | | | | There is a real security gain in not using the 'www-data' user: nginx workers can't read Nextcloud config files and data directory, so should our nginx configuration be insecure a leak is much less likely.
* Add nextcloud's logrotate file.Guilhem Moulin2020-05-161
| | | | This was forgotten in 0bfbe0e49f7fc77abfe7bb5d92c72dbdf6742204.
* role/common-web: Upgrade baseline to Debian 10.Guilhem Moulin2020-05-164
|
* Nextcloud: Better separation between code/data/logs/cache.Guilhem Moulin2020-05-124
| | | | | | Also, update baseline to Debian 10 (codename Buster) and deploy a local Redis instance for Transactional File Locking https://docs.nextcloud.com/server/18/admin_manual/configuration_server/caching_configuration.html#id2
* Use dedicated DKIM key for guilhem.org.Guilhem Moulin2020-04-222
|
* Add dedicated DKIM key for lists.fripost.org.Guilhem Moulin2020-04-222
| | | | | | Instead of using the fallback key. That way messages from our lists have proper DMARC alignment (at least when envelope sender and From header are under domain lists.fripost.org).
* Add own DKIM key for debian.org address.Guilhem Moulin2020-04-133
| | | | | | | | | | | | Cf. https://lists.debian.org/debian-devel-announce/2020/04/msg00004.html . \o/ It's also fairly easy to deploy onto the Debian infrastucture: $ USERNAME="guilhem" $ SELECTOR="5d30c523ff3622ed454230a16a11ddf6.$USERNAME.user" $ printf "dkimPubKey: %s %s\n" "$SELECTOR" \ "$(openssl pkey -pubin -in "./certs/dkim/$SELECTOR:debian.org.pub" -outform DER | base64 -w0)" \ | gpg --clearsign | s-nail -r "USERNAME@debian.org" -s dkimPubKey changes@db.debian.org
* /etc/apt/sources.list: Use https:// URIs.Guilhem Moulin2020-01-251
| | | | | | | | Since 1.5 (Buster) APT supports https:// natively. There is no need to install ‘apt-transport-https’ (now a dummy transitional package) anymore. Plain-text connection don't undermine security as APT checks package OpenPGP signatures locally, but there is no reason not to use TLS here.
* Improve/harden fail2ban configuration.Guilhem Moulin2020-01-257
| | | | | | | | | * Use nftables sets with a timeout * Start daemon with a hardened unit file and restricted Capability Bounding Set. (This requires to change the log path to /var/log/fail2ban/*.) * Skip database as we don't care about persistence. * Refactor jail.local
* Convert firewall to nftables.Guilhem Moulin2020-01-2312
| | | | Debian Buster uses the nftables framework by default.
* Postfix: disable DNS lookups on the internal SMTPds.Guilhem Moulin2020-01-231
| | | | | | Our internal IPs don't have a reverse PTR record, and skipping the resolution speeds up mail delivery. http://www.postfix.org/postconf.5.html#smtpd_peername_lookup