Commit message | Author | Age | Files
* postfix-sender-login: pre-fork 2 servers. | Guilhem Moulin | 2017-06-01 | 1
  On Linux perl's allow multiple children to block in a call to accept(2) so we don't need to place a lock around the call.
* Don't make Roundcube add a 'X-Sender' header with the sender's identity. | Guilhem Moulin | 2017-06-01 | 1
* Don't let authenticated clients use arbitrary sender addresses. | Guilhem Moulin | 2017-06-01 | 11
  The following policy is now implemented:
    * users can use their SASL login name as sender address;
    * alias and/or list owners can use the address as envelope sender;
    * domain postmasters can use arbitrary sender addresses under their domains;
    * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name;
    * for known domains without owner or postmasters, other sender addresses are not allowed; and
    * arbitrary sender addresses under unknown domains are allowed.
* /lib/systemd/system → /etc/systemd/system | Guilhem Moulin | 2017-05-31 | 17
* Also install non-free firmwares on civett. | Guilhem Moulin | 2017-05-30 | 4
* Install more sympa dependencies. | Guilhem Moulin | 2017-05-29 | 1
* Rotate civett's IPsec's key. | Guilhem Moulin | 2017-05-29 | 2
* Use blackhole subdomain for sender addresses of verify probes. | Guilhem Moulin | 2017-05-16 | 3
  These addresses need to be accepted on the MX:es, as recipients sometimes phone back during the SMTP session to check whether the sender exists. Since a time-dependent suffix is added to the local part (cf. http://www.postfix.org/postconf.5.html#address_verify_sender_ttl) it's not enough to drop incoming mails to ‘double-bounce@fripost.org’, and it's impractical to do the same for /^double-bounce.*@fripost\.org$/.
* Change group of executables in /usr/local/{bin,sbin} from root to staff. | Guilhem Moulin | 2017-05-14 | 7
* webmail: use Zend opcache and configure APCu. | Guilhem Moulin | 2017-05-14 | 3
* sympa: don't tweak /etc/logrotate.d/sympa. | Guilhem Moulin | 2017-05-14 | 1
* wwsympa: allow write access to /var/spool/sympa. | Guilhem Moulin | 2017-05-14 | 1
  Request to post and moderate messages using the web interface.
* MSA: reject null sender address. | Guilhem Moulin | 2017-05-14 | 4
* IMAP: new script list-users. | Guilhem Moulin | 2017-05-14 | 2
* Change civett's CNAME from civett.friprogramvarusyndikatet.se to civett.fripost.org | Guilhem Moulin | 2017-05-14 | 2
* Fix Ansible 2.2.0 compatibility of a Jinja2 template. | Guilhem Moulin | 2017-01-14 | 1
* Allow SMTP clients from whitelisted IPs to bypass postscreen checks. | Guilhem Moulin | 2017-01-14 | 1
* nginx: set Referrer-Policy HTTP header to "no-referrer". | Guilhem Moulin | 2016-12-13 | 1
* nginx: add support for HTTP/2. | Guilhem Moulin | 2016-12-13 | 5
* dovecot: Deduplicate attachments hourly, just before automatic backup. | Guilhem Moulin | 2016-12-11 | 1
* dovecot: use Single-Instance Storage for mail attachments. | Guilhem Moulin | 2016-12-10 | 4
* More logcheck-database tweaks. | Guilhem Moulin | 2016-12-08 | 1
* wiki: Add instruction for how to add the post-update hook. | Guilhem Moulin | 2016-12-08 | 1
* Dovecot: Explicitly disable LDAP. | Guilhem Moulin | 2016-12-08 | 1
* gitolite: allow hook.* git config keys. | Guilhem Moulin | 2016-12-08 | 1
* Upgrade to lacme 0.2-1. | Guilhem Moulin | 2016-12-08 | 2
* Webmail: Install XCache (PHP opcode cacher). | Guilhem Moulin | 2016-12-08 | 1
* Dovecot: use fallocate(2) to preallocate new mdbox files. | Guilhem Moulin | 2016-12-08 | 1
* Make Ansible modules compatible with Ansible 2.2.0.0. | Guilhem Moulin | 2016-12-08 | 2
* Postscreen: Give temporary whitelist status to primary MX addresses only. | Guilhem Moulin | 2016-09-20 | 2
* systemd: Ensure sympa service is enabled. | Guilhem Moulin | 2016-09-18 | 1
* lacme-certs.conf: don't restart but reload dovecot after renewing IMAPS cert. | Guilhem Moulin | 2016-09-18 | 1
  Unfortunately as of Debian 8.6 (Jessie) dovecot's service file doesn't have a “Reload” directive, so we can't use `/bin/systemctl restart dovecot` as notification. It'll be fixed in Stretch, though.
* Postfix: ensure common aliases are present. | Guilhem Moulin | 2016-09-18 | 3
* FreshClam: change ownership of /etc/clamav/freshclam.conf. | Guilhem Moulin | 2016-09-18 | 1
  To match the stock version shipped by clamav-freshclam 0.99.2+dfsg-0+deb8u2

      ~$ stat -c '%U:%G %a' /etc/clamav/freshclam.conf
      clamav:adm 444
* Firewall: allow duplicate rules. | Guilhem Moulin | 2016-09-18 | 1
* HPKP: increase max-age directive to 6 months from 1 hour. | Guilhem Moulin | 2016-09-18 | 1
* gencerts: improve wording: s/pubkey/SPKI/ | Guilhem Moulin | 2016-09-18 | 1
* More logcheck-database tweaks. | Guilhem Moulin | 2016-08-22 | 2
* Improve certs formatting. | Guilhem Moulin | 2016-07-12 | 1
* gencerts: Print the SHA1 digests in hex not base64 format. | Guilhem Moulin | 2016-07-12 | 1
* typo | Guilhem Moulin | 2016-07-12 | 1
* typo | Guilhem Moulin | 2016-07-12 | 1
* HSTS: use the standard capitalization of includeSubDomains. | Guilhem Moulin | 2016-07-12 | 1
  Cf. RFC 6797 sec. 6.1.2.
* postfix: Remove obsolete templates tls_policy/relay_clientcerts. | Guilhem Moulin | 2016-07-12 | 4
* gencerts: make the SSHFPR output match the X509 ones. | Guilhem Moulin | 2016-07-12 | 1
* gencerts: Include SAN for the website and webmail. | Guilhem Moulin | 2016-07-12 | 1
* gencerts: base64-encode the SHA256 digests. | Guilhem Moulin | 2016-07-12 | 1
  Also, include the backup pins in the .asc.
* postfix: commit the master.cf symlinks. | Guilhem Moulin | 2016-07-12 | 5
* nginx: Don't hard-code the HPKP headers. | Guilhem Moulin | 2016-07-12 | 18
  Instead, look up the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
* gencerts: exclude expired certs in the CRT queries. | Guilhem Moulin | 2016-07-10 | 1