Commit message (Author, Date, Files changed)
* typo (Guilhem Moulin, 2016-07-12, 1 file)
* HSTS: use the standard capitalization of includeSubDomains. (Guilhem Moulin, 2016-07-12, 1 file)
  Cf. RFC 6797 sec. 6.1.2.
* postfix: Remove obsolete templates tls_policy/relay_clientcerts. (Guilhem Moulin, 2016-07-12, 4 files)
* gencerts: make the SSHFPR output match the X509 ones. (Guilhem Moulin, 2016-07-12, 1 file)
* gencerts: Include SAN for the website and webmail. (Guilhem Moulin, 2016-07-12, 1 file)
* gencerts: base64-encode the SHA256 digests. (Guilhem Moulin, 2016-07-12, 1 file)
  Also, include the backup pins in the .asc.
* postfix: commit the master.cf symlinks. (Guilhem Moulin, 2016-07-12, 5 files)
* nginx: Don't hard-code the HPKP headers. (Guilhem Moulin, 2016-07-12, 18 files)
  Instead, look up the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
* gencerts: exclude expired certs in the CRT queries. (Guilhem Moulin, 2016-07-10, 1 file)
* Postfix lists/MDA instances: only include the MX:es' IPs in $mynetworks. (Guilhem Moulin, 2016-07-10, 2 files)
* Route all internal SMTP traffic through IPsec. (Guilhem Moulin, 2016-07-10, 20 files)
* Postfix MX/MSA instances: put certs in the instance's $config_directory. (Guilhem Moulin, 2016-07-10, 5 files)
* Postfix MX/MSA instances: don't ask the remote SMTP client for a client certificate. (Guilhem Moulin, 2016-07-10, 2 files)
  See postconf(5). This avoids the “(Client did not present a certificate)” messages in the Received headers.
* Postfix: avoid hardcoding the instance names. (Guilhem Moulin, 2016-07-10, 2 files)
* Postfix: don't share the master.cf between the instances. (Guilhem Moulin, 2016-07-10, 13 files)
* postfix: Don't explicitly set inet_interfaces=all as it's the default. (Guilhem Moulin, 2016-07-10, 5 files)
* Change the pubkey extension from .pem to .pub. (Guilhem Moulin, 2016-07-10, 16 files)
* Route SMTP traffic from the webmail through IPsec. (Guilhem Moulin, 2016-07-10, 10 files)
* More logcheck-database tweaks. (Guilhem Moulin, 2016-07-09, 2 files)
* Localize the NTP pool hostnames. (Guilhem Moulin, 2016-07-09, 1 file)
* Localize the debian archive hostnames. (Guilhem Moulin, 2016-07-09, 1 file)
* ClamAV (FreshClam): use a localized Database Mirror. (Guilhem Moulin, 2016-07-09, 3 files)
  As db.local.clamav.net is not always properly localized. Furthermore, our previous Ansible script did not ensure ordering of the DatabaseMirror lines.
* IMAP: don't include mailboxes under the virtual namespace in LIST responses. (Guilhem Moulin, 2016-07-06, 2 files)
  Clients now have to use the NAMESPACE extension [RFC 2342] to discover mailboxes under the “virtual/” namespace. (Plus an extra LIST command, causing an overhead of two roundtrips.) Of course the downside is that non namespace-aware clients lose access to the “virtual/{all,flagged,…}” mailboxes, but on second thought it's probably better this way rather than having such clients treat these mailboxes as regular mailboxes.
* dovecot: use the MSA postfix instance for sieve redirection. (Guilhem Moulin, 2016-07-01, 2 files)
  We don't want to use the default instance since its SIZE limit is tighter than the ones on the MX:es.
* IPSec → IPsec (Guilhem Moulin, 2016-06-29, 6 files)
* More logcheck-database tweaks. (Guilhem Moulin, 2016-06-29, 3 files)
* update-firewall.sh: COMMIT empty iptables rule files. (Guilhem Moulin, 2016-06-29, 1 file)
* Postfix MSA: don't allow unauthenticated clients from $mynetworks. (Guilhem Moulin, 2016-06-29, 1 file)
* ansible: _make_tmp_path now takes an argument. (Guilhem Moulin, 2016-06-29, 2 files)
* typo (Guilhem Moulin, 2016-06-15, 1 file)
* crt.sh: Replace SHA1 by SHA256 as SPKI digest to list certificates. (Guilhem Moulin, 2016-06-15, 1 file)
* certs/public: fetch each cert's pubkey (SPKI), not the cert itself. (Guilhem Moulin, 2016-06-15, 16 files)
  To avoid new commits upon cert renewal.
* Rename letsencrypt-tiny to lacme. (Guilhem Moulin, 2016-06-15, 8 files)
* wwsympa systemd service file: Set PrivateTmp=yes. (Guilhem Moulin, 2016-06-07, 1 file)
  The CGI wants to create a temp file during bulk subscription.
* clamav: Don't set obsolete option 'AllowSupplementaryGroups'. (Guilhem Moulin, 2016-06-05, 1 file)
* Use stunnel to secure the connection from the webmail to ldap.fripost.org. (Guilhem Moulin, 2016-06-05, 5 files)
  We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting.
* postfix: rotate the sender address for verify probes. (Guilhem Moulin, 2016-06-02, 2 files)
  In order to avoid ‘double-bounce@’ ending up on spammer mailing lists. See http://www.postfix.org/ADDRESS_VERIFICATION_README.html .
* Remove the IMAP caching proxy. (Guilhem Moulin, 2016-05-28, 11 files)
  Dovecot imapc requires two authentication rounds to the IMAP backend for each connection. It seems suboptimal that Roundcube keeps connecting to the IMAP server for each new connection, but benchmarks show little advantage in caching the IMAP sessions with imapproxy: http://www.dovecot.org/list/dovecot/2012-February/133544.html
* Roundcube: route IMAP and managesieve traffic through IPSec. (Guilhem Moulin, 2016-05-28, 3 files)
* Renew cert for https://lists.fripost.org. (Guilhem Moulin, 2016-05-28, 1 file)
* Roundcube: add a link to our webpage as support URL. (Guilhem Moulin, 2016-05-24, 1 file)
* typo (Guilhem Moulin, 2016-05-24, 2 files)
* IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication. (Guilhem Moulin, 2016-05-24, 9 files)
  There is no need to bother with X.509 cruft here.
* dovecot: don't listen on the IP dedicated for IPSec when there is a single host. (Guilhem Moulin, 2016-05-23, 1 file)
* Restore the public part of Bacula's data encryption master key. (Guilhem Moulin, 2016-05-23, 1 file)
  Which was incorrectly removed at commit 8cf4032ecec5b9f58d829e89f231179170432539
* Roundcube: add a warning regarding IMAP hostname change. (Guilhem Moulin, 2016-05-23, 1 file)
* Dovecot imapc: use the version from jessie-backports. (Guilhem Moulin, 2016-05-23, 7 files)
  Since many bugs have been fixed since 2.2.13, and we really want passthrough search on the caching proxy.
* Dovecot imapc: don't hardcode the master IMAP server's IP. (Guilhem Moulin, 2016-05-23, 4 files)
* Dovecot imapc: change imapproxy's homedir from /home/imapproxy to /var/lib/imapproxy. (Guilhem Moulin, 2016-05-22, 2 files)
* dovecot: also listen on the virtual IP dedicated to IPSec. (Guilhem Moulin, 2016-05-22, 2 files)
  (On port 143.) Moreover, add the whole IPSec virtual subnet to ‘login_trusted_networks’ since our IPSec tunnels provide end-to-end encryption and we therefore don't need the extra SSL/TLS protection.