| Commit message (Collapse) | Author | Age | Files |
| |
|
|
|
|
| |
This is in particular needed for traceroutes and routing loop detection.
|
|
|
|
| |
This reverts commit 26bae877102752a41a903cab2ee0891f8f261d38.
|
| |
|
|
|
|
|
|
| |
Use unit overrides on top of upstream's service files instead of
overriding entire service files. In particular, upstream uses flag `-P`
so we don't need to use RuntimeDirectory= anymore.
|
|
|
|
|
|
|
|
| |
This is required to receive incoming traffic to our IPsec IP in 172.16.0.0/24,
as well as linked-scoped ICMPv6 traffic from/to fe80::/10 (for neighbour
discovery).
Regression from a6b8c0b3a4758f8d84a7ad07bb9e068075d098d3.
|
|
|
|
|
| |
This is more efficient: the earlier we filter the crap out the less
resources they consume.
|
|
|
|
| |
See tcp(7) and https://levelup.gitconnected.com/linux-kernel-tuning-for-high-performance-networking-high-volume-incoming-connections-196e863d458a .
|
|
|
|
| |
As of MariaDB 10.3 this should be more future proof.
|
| |
|
| |
|
| |
|
|
|
|
| |
See https://git.fripost.org/fripost-wiki/commit/?id=72983121e68289a7497927417e52a8ec5f16aa7b .
|
| |
|
| |
|
|
|
|
| |
use_fallback_verifier/trusted_mtas.
|
| |
|
| |
|
|
|
|
|
| |
Unlike slapcat(1) it doesn't require write access to ~openldap, so we
don't have to weaken bacula-fd.service.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
This is needed for BS4's navbar-toggler-icon which uses an SVG
background-image.
|
| |
|
|
|
|
| |
Add frame-ancestors and form-action.
|
| |
|
|
|
|
|
|
| |
And drop -ldap from all roles other than MX. -lmdb is included in
roles/common but it can be helpful to have it individual roles as well
as they can be run individually.
|
|
|
|
| |
Run as a dedicated user, not ‘postfix’.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This provides better isolation opportunity as the service doesn't need
to run as ‘vmail’ user. We use a dedicated system user instead, and
LDAP ACLs to limit its access to the strict minimum.
The new solution is also more robust to quoting/escaping, and doesn't
depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID
instead of %d/%n at some point to make user renaming simpler).
OTOH we no longer lists users that have been removed from LDAP but still
have a mailstore lingering around. This is fair.
|
|
|
|
|
|
|
|
| |
This a regression rom 829f4d830aefedd95a75e61cfc9aa3e03f039c6f.
There are no relevant interface changes between 2.2.27 (stretch) and
2.3.4 (buster) cf. `git diff 2.2.27..2.3.4 src/lib-dict/dict-client.h`
and https://github.com/dovecot/core/commits/2.3.4/src/lib-dict/dict-client.h .
|
|
|
|
|
|
|
|
| |
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
|
|
|
|
|
|
|
|
| |
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
|
| |
|
|
|
|
| |
This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.
|
| |
|
| |
|
|
|
|
| |
To be done when we upgrade to Bullseye for more fine-grained control.
|
|
|
|
|
|
|
| |
This adds the following two ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
|
|
|
|
| |
We replace uwsgi in 70f16ac939497e3e424bad05c5f82ce36d1bceda.
|
|
|
|
|
| |
Marking incoming ESP packets and matching decapsulated packets doesn't
work with NAT traverslate (UDP encapsulation aka MOBIKE).
|
| |
|
| |
|
|
|
|
| |
For use with Nextcloud 18, cf. https://docs.nextcloud.com/server/18/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx .
|
|
|
|
|
| |
We also rename the ‘lacme’ system user to ‘_lacme’ per Debian Policy
§9.2.1: https://www.debian.org/doc/debian-policy/ch-opersys.html#introduction .
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We leave dynamic pages (those passed to PHP-FPM) alone for now:
compressing them would make us vulnerable to BREACH attacks. This will
be revisited once Roundcube 1.5 is released: 1.5 adds support for the
same-site cookie attribute which once set to 'Strict' makes it immune to
BREACH attacks:
https://github.com/roundcube/roundcubemail/pull/6772
https://www.sjoerdlangkemper.nl/2016/11/07/current-state-of-breach-attack/#same-site-cookies
|
|
|
|
|
| |
$ find -L /usr/share/roundcube/{plugins,program/js,program/resources,skins} -xtype f -printf "%f\\n" \
| sed -r "s/^([^.]+)(.*)/\1\2\t\2/" | sort -k2 | uniq -c -f1
|
| |
|
| |
|