summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFiles
...
* fail2ban: Only install the roundcube/dovecot filters if needed.Guilhem Moulin2018-12-151
| | | | | | It doesn't hurt to install them on all machines, but we're overriding the provided /etc/fail2ban/filter.d/dovecot.conf and would rather keep our delta minimal.
* submission: Prospective SPF checking.Guilhem Moulin2018-12-125
| | | | Cf. http://www.openspf.org/Best_Practices/Outbound .
* Outgoing SMTP: masquerade internal hostnames.Guilhem Moulin2018-12-123
| | | | | | Use admin@fripost.org instead. We were sending out (to the admin team) system messages with non-existing or invalid envelope sender addresses, such as <logcheck@antilop.fripost.org> or <root@mistral.fripost.org>.
* IMAP: raise per user maximum number of inotify instances from 128 to 512.Guilhem Moulin2018-12-121
|
* IPsec: use Suite-B-GCM-256 algorithms for IKEv2 & ESP.Guilhem Moulin2018-12-091
| | | | | | | (That is, remove algorithms from Suite-B-GCM-128.) Cf. https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites and https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations .
* MSA verification probes: enable opportunistic encryption.Guilhem Moulin2018-12-092
| | | | | | And use ‘noreply.fripost.org’ as HELO name rather than $myhostname (i.e., ‘smtp.fripost.org’), so the same SPF policy can be used for ehlo and envelope sender identities.
* Use mariadb.service not mysql.service.Guilhem Moulin2018-12-092
| | | | | Since d8d07afe49e69114f8deb807031bec71a327d3ae our MySQL flavor is MariaDB.
* Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch.Guilhem Moulin2018-12-0925
|
* Disable resume device.Guilhem Moulin2018-12-093
| | | | We don't need suspend-on-disk (hibernation).
* IMAP: Ensure /home/mail is mounted before creating sub-directories.Guilhem Moulin2018-12-091
|
* bacula-sd: Ensure /mnt/backup is mounted before creating sub-directories.Guilhem Moulin2018-12-091
|
* bacula: Backup MySQL database for the nextcloud host.Guilhem Moulin2018-12-092
|
* Add ssh-ed25519 hostkey for benjamin.Guilhem Moulin2018-12-091
|
* systemd.service: Tighten hardening options.Guilhem Moulin2018-12-099
|
* bacula-*.service: Don't fork in the background.Guilhem Moulin2018-12-093
| | | | Inspired from /lib/systemd/system/bacula-fd.service.
* Upgrade 'lists' role to Debian Stretch.Guilhem Moulin2018-12-098
|
* Firewall: disable outgoing access to git:// remote servers.Guilhem Moulin2018-12-091
| | | | We don't need it anymore as we use https:// these days.
* systemd: Replace ‘ProtectSystem=full’ with ‘ProtectSystem=strict’.Guilhem Moulin2018-12-099
| | | | And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’.
* Firewall: REJECT outgoing connections instead of DROPing them.Guilhem Moulin2018-12-091
|
* Upgrade 'out' role to Debian Stretch.Guilhem Moulin2018-12-091
|
* Don't install the haveged entropy daemon.Guilhem Moulin2018-12-092
| | | | | It's not really needed on our metal hosts, and our KVM guests use virtio-rng.
* ntp.conf: reduce delta with the packaged version.Guilhem Moulin2018-12-091
|
* MX: chroot postscreen(8), smtpd(8) and cleanup(8) daemons.Guilhem Moulin2018-12-098
| | | | | | Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f) the postscreen(8) server can run chrooted, meaning we can also chroot the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons.
* MX: don't override 5XY reject codes to 554.Guilhem Moulin2018-12-091
|
* postfix: remove explicit default 'mail_owner = postfix'.Guilhem Moulin2018-12-066
|
* postfix ≥3.0: don't advertise SMTPUTF8 support.Guilhem Moulin2018-12-061
| | | | | | | | | | | | | | | | | We're relaying messages to our LMTP daemons (Dovecot, Amavisd) and some downstream SMTP servers, not all of which are under our control. Forwarding messages with UTF-8 envelope addresses or RFC 5322 headers yields undeliverable messages, and the bounces make us a potential backscatter source. So it's better to disable SMTPUTF8 at this point. Cf. also http://www.postfix.org/SMTPUTF8_README.html and https://unix.stackexchange.com/questions/320091/configure-postfix-and-dovecot-lmtp-to-receive-mail-via-smtputf8 . See also upstream's comment at https://marc.info/?l=postfix-users&m=149183235529042&w=2 : “Perhaps SMTPUTF8 autodetection could be more granular: UTF8 in the envelope is definitely problematic for a receiver that does not support SMTPUTF8, while UTF8 in a message header is less so.”
* Upgrade 'ikiwiki-pandoc' to v0.5.1.Guilhem Moulin2018-12-061
| | | | | https://raw.githubusercontent.com/sciunto-org/ikiwiki-pandoc/v0.5.1/pandoc.pm Currently at commit 9292e45cea1be120adb3babd5b835b547f4c825a .
* Roundcube: improve serving of static resources.Guilhem Moulin2018-12-061
| | | | | | | | | | | | | | | We only serve whitelisted extensions (css, js, png, etc.), and only for some selected sub-directories. Access to everything else (incl. log files and config files) is denied with a 404. This is unlike upstream's .htaccess file, which blacklists restricted locations and happily serves the rest: https://github.com/roundcube/roundcubemail/blob/master/.htaccess#L8 To find out which extensions exist on the file system, run find -L /var/lib/roundcube/{plugins,program/js,program/resources,skins} -type f \ | sed -n 's/.*\.//p' | sort | uniq -c
* Remove trailing spaces.Guilhem Moulin2018-12-053
|
* DKIM: also include the "d=" tag in key filenames, not only the "s=" tag.Guilhem Moulin2018-12-057
| | | | | While the combination of "s=" tag (selector) & "d=" tag signing domain maps to a unique key, the selector alone doesn't necessarily.
* Upgrade DKIM keys to rsa2048, and allow for multiple keys.Guilhem Moulin2018-12-047
|
* Don't include hostname in ansible headers.Guilhem Moulin2018-12-031
|
* gencerts: Also show the algorithm for SSH host keys.Guilhem Moulin2018-12-031
|
* Install unbound on metal hosts.Guilhem Moulin2018-12-034
| | | | (A validating, recursive, caching DNS resolver.)
* Define new host "calima" serving Nextcloud.Guilhem Moulin2018-12-0319
|
* Upgrade wiki baseline to Debian Stretch.Guilhem Moulin2018-12-034
|
* Upgrade MX baseline to Debian Stretch.Guilhem Moulin2018-12-032
|
* Upgrade webmail baseline to Debian Stretch.Guilhem Moulin2018-12-037
|
* ssh_known_hosts: also list ed25519 host (pub)keys.Guilhem Moulin2018-12-031
|
* Upgrade syntax to Ansible 2.7 (apt module).Guilhem Moulin2018-12-0325
|
* certs/gencerts.sh: wibbleGuilhem Moulin2018-12-031
|
* Postfix: replace cdb & btree tables with lmdb ones.Guilhem Moulin2018-12-0315
| | | | Cf. lmdb_table(5).
* IPsec: allow ISAKMP over IPv6.Guilhem Moulin2018-12-032
|
* Upgrade baseline to Debian Stretch.Guilhem Moulin2018-12-0323
|
* Skip samhain installation.Guilhem Moulin2018-12-034
| | | | It's become too verbose (too many false-positive)…
* Harden anti spam on the MX:es.Guilhem Moulin2018-06-096
|
* More logcheck-database tweaks.Guilhem Moulin2018-04-043
|
* lacme: explicitely bind to [::]:80.Guilhem Moulin2018-04-041
|
* Postfix: replace 'fifo' types with 'unix', as it's the new default.Guilhem Moulin2018-04-041
|
* sympa: wibbleGuilhem Moulin2018-04-042
|