summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFiles
...
* Also install non-free firmwares on civett.Guilhem Moulin2017-05-304
|
* Install more sympa dependencies.Guilhem Moulin2017-05-291
|
* Rotate civett's IPsec's key.Guilhem Moulin2017-05-292
|
* Use blackhole subdomain for sender addresses of verify probes.Guilhem Moulin2017-05-163
| | | | | | | | | | | These addresses need to be accepted on the MX:es, as recipients sometimes phone back during the SMTP session to check whether the sender exists. Since a time-dependent suffix is added to the local part (cf. http://www.postfix.org/postconf.5.html#address_verify_sender_ttl) it's not enough to drop incoming mails to ‘double-bounce@fripost.org’, and it's impractical to do the same for /^double-bounce.*@fripost\.org$/.
* Change group of executables in /usr/local/{bin,sbin} from root to staff.Guilhem Moulin2017-05-147
|
* webmail: use Zend opcache and configure APCu.Guilhem Moulin2017-05-143
|
* sympa: don't tweak /etc/logrotate.d/sympa.Guilhem Moulin2017-05-141
|
* wwsympa: allow write access to /var/spool/sympa.Guilhem Moulin2017-05-141
| | | | Request to post and moderate messages using the web interface.
* MSA: reject null sender address.Guilhem Moulin2017-05-144
|
* IMAP: new script list-users.Guilhem Moulin2017-05-142
|
* Change civett's CNAME from civett.friprogramvarusyndikatet.se to ↵Guilhem Moulin2017-05-142
| | | | civett.fripost.org
* Fix Ansible 2.2.0 compatibility of a Jinja2 template.Guilhem Moulin2017-01-141
|
* Allow SMTP client from whitelisted IPs to bypass postscreen checks.Guilhem Moulin2017-01-141
|
* nginx: set Referrer-Policy HTTP header to "no-referrer".Guilhem Moulin2016-12-131
|
* nginx: add support for HTTP/2.Guilhem Moulin2016-12-135
|
* dovecot: Deduplicate attachments hourly, just before automatic backup.Guilhem Moulin2016-12-111
|
* dovecot: use Single-Instance Storage for mail attachments.Guilhem Moulin2016-12-104
|
* More logcheck-database tweaks.Guilhem Moulin2016-12-081
|
* wiki: Add instruction for how to add the post-update hook.Guilhem Moulin2016-12-081
|
* Dovecot: Explicitly disable LDAP.Guilhem Moulin2016-12-081
|
* gitolite: allow hook.* git config keys.Guilhem Moulin2016-12-081
|
* Upgrade to lacme 0.2-1.Guilhem Moulin2016-12-082
|
* Webmail: Install XCache (PHP opcode cacher).Guilhem Moulin2016-12-081
|
* Dovecot: use fallocate(2) to preallocate new mdbox files.Guilhem Moulin2016-12-081
|
* Make Ansible modules compatible with Ansible 2.2.0.0.Guilhem Moulin2016-12-082
|
* Postscreen: Give temporary whitelist status to primary MX addresses only.Guilhem Moulin2016-09-202
|
* systemd: Ensure sympa service is enabled.Guilhem Moulin2016-09-181
|
* lacme-certs.conf: don't restart but reload dovecot after renewing IMAPS cert.Guilhem Moulin2016-09-181
| | | | | | Unfortunately as of Debian 8.6 (Jessie) dovecot's service file doesn't have a “Reload” directive, so we can't use `/bin/systemctl restart dovecot` as notification. It'll be fixed in Stretch, though.
* Postfix: ensure common aliases are present.Guilhem Moulin2016-09-183
|
* FreshClam: change ownership of /etc/clamav/freshclam.conf.Guilhem Moulin2016-09-181
| | | | | | | | To match the stock version shipped by clamav-freshclam 0.99.2+dfsg-0+deb8u2 ~$ stat -c '%U:%G %a' /etc/clamav/freshclam.conf clamav:adm 444
* Firewall: allow duplicates rules.Guilhem Moulin2016-09-181
|
* HPKP: increase max-mage directive to 6 months from 1 hour.Guilhem Moulin2016-09-181
|
* gencerts: improve workning: s/pubkey/SPKI/Guilhem Moulin2016-09-181
|
* More logcheck-database tweaks.Guilhem Moulin2016-08-222
|
* Improve certs formatting.Guilhem Moulin2016-07-121
|
* gencerts: Print the SHA1 digests in hex not base64 format.Guilhem Moulin2016-07-121
|
* typoGuilhem Moulin2016-07-121
|
* typoGuilhem Moulin2016-07-121
|
* HSTS: use the standard capitalization of includeSubDomains.Guilhem Moulin2016-07-121
| | | | Cf. RFC 6797 sec. 6.1.2.
* postfix: Remove obsolete templates tls_policy/relay_clientcerts.Guilhem Moulin2016-07-124
|
* gencerts: make the SSHFPR output match the X509 ones.Guilhem Moulin2016-07-121
|
* gencerts: Include SAN for the website and webmail.Guilhem Moulin2016-07-121
|
* gencerts: base64-encode the SHA256 digests.Guilhem Moulin2016-07-121
| | | | Also, include the backup pins in the .asc.
* postfix: commit the master.cf symlinks.Guilhem Moulin2016-07-125
|
* nginx: Don't hard-code the HPKP headers.Guilhem Moulin2016-07-1218
| | | | | Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
* gencerts: exclude expired certs in the CRT queries.Guilhem Moulin2016-07-101
|
* Postfix lists/MDA instances: only include the MX:es' IPs in $mynetworks.Guilhem Moulin2016-07-102
|
* Route all internal SMTP traffic through IPsec.Guilhem Moulin2016-07-1020
|
* Postfix MX/MSA instances: put certs in the the instance's $config_directory.Guilhem Moulin2016-07-105
|
* Postfix MX/MSA instances: don't ask the remote SMTP client for a client ↵Guilhem Moulin2016-07-102
| | | | | | | certificate. See postconf(5). This avoids the “(Client did not present a certificate)” messages in the Received headers.