Commit message | Author | Age | Files | ||
---|---|---|---|---|---|
* | typo | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | ansible ssh transport wibble | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | Upgrade Dovecot config to Jessie. | Guilhem Moulin | 2015-06-07 | 14 | |
| | |||||
* | Configure the list manager (Sympa). | Guilhem Moulin | 2015-06-07 | 26 | |
| | |||||
* | Upgrade the LDAP config to Jessie. | Guilhem Moulin | 2015-06-07 | 6 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | Enable the use of git:// clients. | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | Disable rsyslog's rate-limiting. | Guilhem Moulin | 2015-06-07 | 1 | |
| | The default for rsyslog v7, but not for rsyslog v5. | ||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 | |
| | |||||
* | Don't make Roundcube add a 'X-Sender' header with the sender's identity. | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | typo | Guilhem Moulin | 2015-06-07 | 3 | |
| | |||||
* | Roundcube's 'password' plugin. | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | Key usage 'keyCertSign' is required for self-signed certificates. | Guilhem Moulin | 2015-06-07 | 2 | |
| | |||||
* | Add a keyring and alternative contact to the LDAP DIT. | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 | |
| | |||||
* | wibble | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 | |
| | |||||
* | Remove reject_unknown_sender_domain from the MDA and outgoing SMTP. | Guilhem Moulin | 2015-06-07 | 2 | |
| | We already removed it from the MX:es (see 32e605d4); we need to remove it from the MDA and outgoing SMTP as well, otherwise mails could bounce or get stuck in the middle (they're rejected with 450: deferred by default). However we can keep the restriction on the entry points (MSA and webmail). | ||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 | |
| | |||||
* | Amavis is logging to syslog with severity 'notice'. | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | typo | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | Don't install intel-microcode on Xen guests. | Guilhem Moulin | 2015-06-07 | 3 | |
| | It should be installed on the dom0 instead. | ||||
* | Don't install smartd on Xen guests. | Guilhem Moulin | 2015-06-07 | 2 | |
| | S.M.A.R.T makes little sense for virtual HDDs. | ||||
* | Don't merge amavis' logs into /var/log/syslog. | Guilhem Moulin | 2015-06-07 | 1 | |
| | As they contain user information, we keep it in /var/log/mail.log only. These logs are kept for 3 days "only", as per our policy. | ||||
* | Install auditd. | Guilhem Moulin | 2015-06-07 | 3 | |
| | |||||
* | Split templates / files in lookup tables. | Guilhem Moulin | 2015-06-07 | 8 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 | |
| | |||||
* | wibble | Guilhem Moulin | 2015-06-07 | 2 | |
| | |||||
* | Replace Postgrey with postscreen. | Guilhem Moulin | 2015-06-07 | 12 | |
| | See http://www.postfix.org/POSTSCREEN_README.html and http://rob0.nodns4.us/postscreen.html It's unfortunate that smtpd(8) cannot be chrooted any longer, which means that we have to un-chroot cleanup(8) as well. Indeed, currently smtpd(8) uses $virtual_alias_maps for recipient validation; later cleanup(8) uses it again for rewriting. So these processes need to be both chrooted, or both not. | ||||
* | Verify the validity of users before that of aliases. | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | wibble | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | Fix NTP configuration. | Guilhem Moulin | 2015-06-07 | 3 | |
| | We've yet to get authenticated time, though. | ||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 | |
| | |||||
* | Add an index on the 'fripostCanAddDomain' LDAP attribute. | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 | |
| | |||||
* | Remove reject_unknown_sender_domain from the MX. | Guilhem Moulin | 2015-06-07 | 1 | |
| | There are false positives with that, for instance due to SOA records pointing to non-existing subdomains. | ||||
* | wibble | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | Hash certs using a lookup in the template instead of adding a new task. | Guilhem Moulin | 2015-06-07 | 4 | |
| | |||||
* | Ensure we have a TLS policy for each of our hosts we want to relay to. | Guilhem Moulin | 2015-06-07 | 2 | |
| | |||||
* | Add extra indexes on the LDAP provider. | Guilhem Moulin | 2015-06-07 | 1 | |
| | Those will be useful for the tools. | ||||
* | Use the raw 'fripostListManager' as routing internal subdomain. | Guilhem Moulin | 2015-06-07 | 2 | |
| | |||||
* | Fix $smtpd_sender_restrictions. | Guilhem Moulin | 2015-06-07 | 3 | |
| | On the MDA the domain is our 'mda.fripost.org', there is no need to perform an extra DNS lookup. The MSA does not perform local or virtual delivery, but relays everything to the outgoing SMTP proxy. On the MX, there is no need to check for recipient validity as we are the final destination; but unsure that the RCPT TO address is a valid recipient before doing the greylisting. | ||||
* | Explain why we use static transport maps and custom subdomains. | Guilhem Moulin | 2015-06-07 | 3 | |
| | |||||
* | typo | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | Use $virtual_alias_domains not $virtual_mailbox_domains. | Guilhem Moulin | 2015-06-07 | 8 | |
| | Quoting postconf(5): smtpd_reject_unlisted_recipient (default: yes) Request that the Postfix SMTP server rejects mail for unknown recipient addresses, even when no explicit reject_unlisted_recipient access restriction is specified. This prevents the Postfix queue from filling up with undeliverable MAILER-DAEMON messages. An address is always considered "known" when it matches a virtual(5) alias or a canonical(5) mapping. […] * The recipient domain matches $virtual_alias_domains but the recipient is not listed in $virtual_alias_maps. * The recipient domain matches $virtual_mailbox_domains but the recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null. Since we alias everything under special, "invalid", domains (mda.f.o and mailman.f.o), our $virtual_mailbox_maps was null, which led to reject_unlisted_recipient not being triggered for say, "noone@fripost.org". However, replacing $virtual_mailbox_domains with $virtual_alias_domains fits into the second point above. | ||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | Make Nginx send the intermediate certificate along with the server's. | Guilhem Moulin | 2015-06-07 | 1 | |
| | |||||
* | Fix Dovecot's mail location. | Guilhem Moulin | 2015-06-07 | 4 | |
| | |||||
* | Perform the alias resolution and address validation solely on the MX:es. | Guilhem Moulin | 2015-06-07 | 17 | |
| | We can therefore spare some lookups on the MDA, and use static:all instead. |