| Commit message | Author | Date | Files |
|---|---|---|---|
| crt.sh: Replace SHA1 by SHA256 as SPKI digest to list certificates. | Guilhem Moulin | 2016-06-15 | 1 |
| certs/public: fetch each cert's pubkey (SPKI), not the cert itself. To avoid new commits upon cert renewal. | Guilhem Moulin | 2016-06-15 | 16 |
| Rename letsencrypt-tiny to lacme. | Guilhem Moulin | 2016-06-15 | 8 |
| wwsympa systemd service file: Set PrivateTmp=yes. The CGI wants to create a temp file during bulk subscription. | Guilhem Moulin | 2016-06-07 | 1 |
| clamav: Don't set obsolete option 'AllowSupplementaryGroups'. | Guilhem Moulin | 2016-06-05 | 1 |
| Use stunnel to secure the connection from the webmail to ldap.fripost.org. We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting. | Guilhem Moulin | 2016-06-05 | 5 |
| postfix: rotate the sender address for verify probes. In order to avoid ‘double-bounce@’ ending up on spammer mailing lists. See http://www.postfix.org/ADDRESS_VERIFICATION_README.html. | Guilhem Moulin | 2016-06-02 | 2 |
| Remove the IMAP caching proxy. Dovecot imapc requires two authentication rounds to the IMAP backend for each connection. It seems suboptimal that Roundcube keeps connecting to the IMAP server for each new connection, but benchmarks show little advantage in caching the IMAP sessions with imapproxy: http://www.dovecot.org/list/dovecot/2012-February/133544.html | Guilhem Moulin | 2016-05-28 | 11 |
| Roundcube: route IMAP and managesieve traffic through IPSec. | Guilhem Moulin | 2016-05-28 | 3 |
| Renew cert for https://lists.fripost.org. | Guilhem Moulin | 2016-05-28 | 1 |
| Roundcube: add a link to our webpage as support URL. | Guilhem Moulin | 2016-05-24 | 1 |
| typo | Guilhem Moulin | 2016-05-24 | 2 |
| IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication. There is no need to bother with X.509 cruft here. | Guilhem Moulin | 2016-05-24 | 9 |
| dovecot: don't listen on the IP dedicated for IPSec when there is a single host. | Guilhem Moulin | 2016-05-23 | 1 |
| Restore the public part of Bacula's data encryption master key. Which was incorrectly removed at commit 8cf4032ecec5b9f58d829e89f231179170432539. | Guilhem Moulin | 2016-05-23 | 1 |
| Roundcube: add a warning regarding IMAP hostname change. | Guilhem Moulin | 2016-05-23 | 1 |
| Dovecot imapc: use the version from jessie-backports. Since many bugs have been fixed since 2.2.13, and we really want passthrough search on the caching proxy. | Guilhem Moulin | 2016-05-23 | 7 |
| Dovecot imapc: don't hardcode the master IMAP server's IP. | Guilhem Moulin | 2016-05-23 | 4 |
| Dovecot imapc: change imapproxy's homedir from /home/imapproxy to /var/lib/imapproxy. | Guilhem Moulin | 2016-05-22 | 2 |
| dovecot: also listen on the virtual IP dedicated to IPSec. (On port 143.) Moreover, add the whole IPSec virtual subnet to ‘login_trusted_networks’ since our IPSec tunnels provide end-to-end encryption and we therefore don't need the extra SSL/TLS protection. | Guilhem Moulin | 2016-05-22 | 2 |
| spamassassin: list our IPSec subnet in trusted_networks. | Guilhem Moulin | 2016-05-22 | 3 |
| IMAP proxy: copy only the leaf cert, not the whole chain. The comment regarding stunnel4 seems to not be relevant any longer. | Guilhem Moulin | 2016-05-22 | 1 |
| Remove CAcert certificates. We're now using the Let's Encrypt CA for our public internet-facing services. | Guilhem Moulin | 2016-05-22 | 2 |
| gencerts: improve formatting. | Guilhem Moulin | 2016-05-22 | 1 |
| wiki.fripost.org CSP: allow inline styles/scripts, and form actions to Paypal. | Guilhem Moulin | 2016-05-22 | 1 |
| wiki: replace the formatting engine from Markdown.pl to pandoc. Using https://raw.githubusercontent.com/sciunto-org/ikiwiki-pandoc/master/pandoc.pm at revision 60fd07b46c750e0891e3474f75e26076348b66c5. | Guilhem Moulin | 2016-05-22 | 4 |
| genkeypair, gendhparam: use -rand /dev/urandom when generating keys or DH parameters. | Guilhem Moulin | 2016-05-22 | 2 |
| Tunnel bacula (dir → {fd,sd} and fd → sd) traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 24 |
| Fix munin-cgi-graph systemd service file. By allowing to place graphs into /var/lib/munin/cgi-tmp/munin-cgi-graph. | Guilhem Moulin | 2016-05-22 | 2 |
| Tunnel munin-update traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 17 |
| Tunnel internal NTP traffic through IPSec. More precisely, between our NTP-master (stratum 1) host and the other machines (all stratum 2). Providing authentication and integrity for internal NTP traffic ensures a consistent time within our internal infrastructure. | Guilhem Moulin | 2016-05-22 | 3 |
| Set up IPSec tunnels between each pair of hosts. We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore, the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachable within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed. | Guilhem Moulin | 2016-05-22 | 21 |
| postfix: master.cf wibble | Guilhem Moulin | 2016-05-18 | 1 |
| postfix: Update to recommended TLS settings. Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.) | Guilhem Moulin | 2016-05-18 | 7 |
| postfix: unset 'smtpd_tls_session_cache_database'. Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11 http://article.gmane.org/gmane.mail.postfix.user/251935 | Guilhem Moulin | 2016-05-18 | 5 |
| Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public. Ideally we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older clients won't be left out. | Guilhem Moulin | 2016-05-18 | 8 |
| postfix: disable weak ciphers for the 'encrypt' TLS security level. That is, on the MSA and in our local infrastructure. | Guilhem Moulin | 2016-05-18 | 3 |
| Add an ansible module 'fetch_cmd' to fetch the output of a remote command locally. And use this to fetch all X.509 leaf certificates. | Guilhem Moulin | 2016-05-18 | 23 |
| Renew imap.fripost.org:993 and smtp.fripost.org:587 X.509 certificates. | Guilhem Moulin | 2016-05-18 | 4 |
| dovecot imapc: wibble | Guilhem Moulin | 2016-05-17 | 2 |
| roundcube: Pin X.509 certificate for sieve.fripost.org:4190. | Guilhem Moulin | 2016-05-17 | 2 |
| bacula: Set heartbeat options. And also TCP keepalive options in the stunnel config. | Guilhem Moulin | 2016-05-12 | 6 |
| bacula-sd: wibble | Guilhem Moulin | 2016-05-12 | 1 |
| bacula-dir: Fix Reschedule Interval from 17 months to 17 mins. | Guilhem Moulin | 2016-05-12 | 1 |
| MySQL: set InnoDB flush method to 'O_DIRECT' | Guilhem Moulin | 2016-05-12 | 1 |
| Add hardening options to our systemd unit files. | Guilhem Moulin | 2016-05-12 | 6 |
| Use systemd unit files for stunnel4. | Guilhem Moulin | 2016-05-12 | 26 |
| Roundcube's CSP: remove 'upgrade-insecure-requests' and 'block-all-mixed-content'. | Guilhem Moulin | 2016-04-08 | 1 |
| Roundcube's CSP: allow loading images from data: URIs and arbitrary URLs. Per user request: https://wiki.fripost.org/tracker/CSP_too_strict/ | Guilhem Moulin | 2016-04-07 | 1 |
| nginx: update ssl_ciphers to follow Mozilla's TLS server recommendation. https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate | Guilhem Moulin | 2016-04-02 | 1 |