summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFiles
...
* Make Ansible modules compatible with Ansible 2.2.0.0.Guilhem Moulin2016-12-082
|
* Postscreen: Give temporary whitelist status to primary MX addresses only.Guilhem Moulin2016-09-202
|
* systemd: Ensure sympa service is enabled.Guilhem Moulin2016-09-181
|
* lacme-certs.conf: don't restart but reload dovecot after renewing IMAPS cert.Guilhem Moulin2016-09-181
| | | | | | Unfortunately as of Debian 8.6 (Jessie) dovecot's service file doesn't have a “Reload” directive, so we can't use `/bin/systemctl restart dovecot` as notification. It'll be fixed in Stretch, though.
* Postfix: ensure common aliases are present.Guilhem Moulin2016-09-183
|
* FreshClam: change ownership of /etc/clamav/freshclam.conf.Guilhem Moulin2016-09-181
| | | | | | | | To match the stock version shipped by clamav-freshclam 0.99.2+dfsg-0+deb8u2 ~$ stat -c '%U:%G %a' /etc/clamav/freshclam.conf clamav:adm 444
* Firewall: allow duplicates rules.Guilhem Moulin2016-09-181
|
* HPKP: increase max-mage directive to 6 months from 1 hour.Guilhem Moulin2016-09-181
|
* gencerts: improve workning: s/pubkey/SPKI/Guilhem Moulin2016-09-181
|
* More logcheck-database tweaks.Guilhem Moulin2016-08-222
|
* Improve certs formatting.Guilhem Moulin2016-07-121
|
* gencerts: Print the SHA1 digests in hex not base64 format.Guilhem Moulin2016-07-121
|
* typoGuilhem Moulin2016-07-121
|
* typoGuilhem Moulin2016-07-121
|
* HSTS: use the standard capitalization of includeSubDomains.Guilhem Moulin2016-07-121
| | | | Cf. RFC 6797 sec. 6.1.2.
* postfix: Remove obsolete templates tls_policy/relay_clientcerts.Guilhem Moulin2016-07-124
|
* gencerts: make the SSHFPR output match the X509 ones.Guilhem Moulin2016-07-121
|
* gencerts: Include SAN for the website and webmail.Guilhem Moulin2016-07-121
|
* gencerts: base64-encode the SHA256 digests.Guilhem Moulin2016-07-121
| | | | Also, include the backup pins in the .asc.
* postfix: commit the master.cf symlinks.Guilhem Moulin2016-07-125
|
* nginx: Don't hard-code the HPKP headers.Guilhem Moulin2016-07-1218
| | | | | Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
* gencerts: exclude expired certs in the CRT queries.Guilhem Moulin2016-07-101
|
* Postfix lists/MDA instances: only include the MX:es' IPs in $mynetworks.Guilhem Moulin2016-07-102
|
* Route all internal SMTP traffic through IPsec.Guilhem Moulin2016-07-1020
|
* Postfix MX/MSA instances: put certs in the the instance's $config_directory.Guilhem Moulin2016-07-105
|
* Postfix MX/MSA instances: don't ask the remote SMTP client for a client ↵Guilhem Moulin2016-07-102
| | | | | | | certificate. See postconf(5). This avoids the “(Client did not present a certificate)” messages in the Received headers.
* Postfix: avoid hardcoding the instance names.Guilhem Moulin2016-07-102
|
* Postfix: don't share the master.cf between the instances.Guilhem Moulin2016-07-1013
|
* postfix: Don't explicitly set inet_interfaces=all as it's the default.Guilhem Moulin2016-07-105
|
* Change the pubkey extension from .pem to .pub.Guilhem Moulin2016-07-1016
|
* Route SMTP traffic from the webmail through IPsec.Guilhem Moulin2016-07-1010
|
* More logcheck-database tweaks.Guilhem Moulin2016-07-092
|
* Localize the NTP pool hostnames.Guilhem Moulin2016-07-091
|
* Localize the debian archive hostnames.Guilhem Moulin2016-07-091
|
* ClamAV (FreshClam): use a localized Database Mirror.Guilhem Moulin2016-07-093
| | | | | | As db.local.clamav.net is not always properly localized. Furthermore, our previous Ansiblee script did not ensure ordering of the DatabaseMirror lines.
* IMAP: don't include mailbox under the virtual namespace in LIST responses.Guilhem Moulin2016-07-062
| | | | | | | | | Clients now have to use the NAMESPACE extension [RFC 2342] to discover mailboxes under the “virtual/” namespace. (Plus an extra LIST command, causing an overhead two roundtrips.) Of course the downside is that non namespace-aware clients lose access to the “virtual/{all,flagged,…}” mailboxes, but on second thought it's probably better this way rather than having such clients treat these mailboxes as regular mailboxes.
* dovecot: use the MSA postfix instance for sieve redirection.Guilhem Moulin2016-07-012
| | | | | We don't want to use the default instance since its SIZE limit is tighter than the ones on the MX:es.
* IPSec → IPsecGuilhem Moulin2016-06-296
|
* More logcheck-database tweaks.Guilhem Moulin2016-06-293
|
* update-firewall.sh: COMMIT empty iptables rule files.Guilhem Moulin2016-06-291
|
* Postfix MSA: don't allow unauthenticated clients from $mynetworks.Guilhem Moulin2016-06-291
|
* ansible: _make_tmp_path now takes an argument.Guilhem Moulin2016-06-292
|
* typoGuilhem Moulin2016-06-151
|
* crt.sh: Replace SHA1 by SHA256 as SPKI digest to list certificates.Guilhem Moulin2016-06-151
|
* certs/public: fetch each cert's pubkey (SPKI), not the cert itself.Guilhem Moulin2016-06-1516
| | | | To avoid new commits upon cert renewal.
* Rename letsencrypt-tiny to lacme.Guilhem Moulin2016-06-158
|
* wwsympa systemd service file: Set PrivateTmp=yes.Guilhem Moulin2016-06-071
| | | | The CGI wants to create a temp file during bulk subcription.
* clamav: Don't set obsolete option 'AllowSupplementaryGroups'.Guilhem Moulin2016-06-051
|
* Use stunnel to secure the connection from the webmail to ldap.fripost.org.Guilhem Moulin2016-06-055
| | | | | We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting.
* postfix: rotate the sender address for verify probes.Guilhem Moulin2016-06-022
| | | | | In order to avoid ‘double-bounce@’ ending up on spammer mailing lists. See http://www.postfix.org/ADDRESS_VERIFICATION_README.html .