summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFiles
...
* Don't install smartd on Xen guests.Guilhem Moulin2015-06-072
| | | | S.M.A.R.T makes little sense for virtual HDDs.
* Don't merge amavis' logs into /var/log/syslog.Guilhem Moulin2015-06-071
| | | | | As they contain user information, we keep it in /var/log/mail.log only. These logs are kept for 3 days "only", as per our policy.
* Install auditd.Guilhem Moulin2015-06-073
|
* Split templates / files in lookup tables.Guilhem Moulin2015-06-078
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* wibbleGuilhem Moulin2015-06-072
|
* Replace Postgrey with postscreen.Guilhem Moulin2015-06-0712
| | | | | | | | | | | See http://www.postfix.org/POSTSCREEN_README.html and http://rob0.nodns4.us/postscreen.html It's infortunate that smtpd(8) cannot be chrooted any longer, which means that we have to un-chroot cleanup(8) as well. Indeed, currently smtpd(8) uses $virtual_alias_maps for recipient validation; later cleanup(8) uses it again for rewriting. So these processes need to be both chrooted, or both not.
* Verify the validity of users before that of aliases.Guilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-071
|
* Fix NTP configuration.Guilhem Moulin2015-06-073
| | | | We've yet to get authenticated time, though.
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* Add an index on the 'fripostCanAddDomain' LDAP attribute.Guilhem Moulin2015-06-071
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-073
|
* Remove reject_unknown_sender_domain from the MX.Guilhem Moulin2015-06-071
| | | | | There are false-positive with that, for instead due to SOA records pointing to non-existing subdomains.
* wibbleGuilhem Moulin2015-06-071
|
* Hash certs using a lookup in the template instead of add a new task.Guilhem Moulin2015-06-074
|
* Ensure have a TLS policy for each of our host we want to relay to.Guilhem Moulin2015-06-072
|
* Add extra indexes on the LDAP provider.Guilhem Moulin2015-06-071
| | | | Those will be useful for the tools.
* Use the raw 'fripostListManager' as routing internal subdomain.Guilhem Moulin2015-06-072
|
* Fix $smtpd_sender_restrictions.Guilhem Moulin2015-06-073
| | | | | | | | | | | | On the MDA the domain is our 'mda.fripost.org', there is no need to perform an extra DNS lookup. The MSA does not perform local or virtual delivery, but relays everything to the outgoing SMTP proxy. On the MX, there is no need to check for recipient validity as we are the final destination; but unsure that the RCPT TO address is a valid recipient before doing the greylisting.
* Explain why we use static transport maps and custom subdomains.Guilhem Moulin2015-06-073
|
* typoGuilhem Moulin2015-06-071
|
* Use $virtual_alias_domains not $virtual_mailbox_domains.Guilhem Moulin2015-06-078
| | | | | | | | | | | | | | | | | | | | | | | | | Quoting postconf(5): smtpd_reject_unlisted_recipient (default: yes) Request that the Postfix SMTP server rejects mail for unknown recipient addresses, even when no explicit reject_unlisted_recipient access restriction is specified. This prevents the Postfix queue from filling up with undeliverable MAILER-DAEMON messages. An address is always considered "known" when it matches a virtual(5) alias or a canonical(5) mapping. […] * The recipient domain matches $virtual_alias_domains but the recipient is not listed in $virtual_alias_maps. * The recipient domain matches $virtual_mailbox_domains but the recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null. Since we alias everything under special, "invalid", domains (mda.f.o and mailman.f.o), our $virtual_mailbox_maps was null, which led to reject_unlisted_recipient not being triggered for say, "noone@fripost.org". However, replacing $virtual_mailbox_domains with $virtual_alias_domains fits into the second point above.
* More logcheck-database tweaks.Guilhem Moulin2015-06-071
|
* Make Nginx send the intermediate certificate along with the server's.Guilhem Moulin2015-06-071
|
* Fix Dovecot's mail location.Guilhem Moulin2015-06-074
|
* Perform the alias resolution and address validation solely on the MX:es.Guilhem Moulin2015-06-0717
| | | | | We can therefore spare some lookups on the MDA, and use static:all instead.
* Ensure Postfix's LDAP searchBase exists when doing a lookup.Guilhem Moulin2015-06-078
| | | | | | | | Postfix interprets Error Code 32 (No Such Object) as lookup failures, but that's ugly... Also, make Postfix simple bind against cn=postfix,ou=services,dc=fripost,dc=org.
* Fix Amavis' Policy Banks.Guilhem Moulin2015-06-072
| | | | | | | | | | | It turns out that in a policy bank, a *_by_ccat doesn't replace the default but is merely merged into the default (if the keys overlap, those in the bank take precedence of course). Hence it's pointless to use CC_CATCHALL in a bank unless all the other keys have been overridden, for instance. Also, treat unchecked (eg, encrypted) mails as clean in the OUTGOING Policy Bank.
* Add a logcheck rule to ignore cyrus' annoying log messages.Guilhem Moulin2015-06-071
| | | | Namely, "DIGEST-MD5 common mech free". See also bug #631932.
* Fix issue with delete entries in the replication.Guilhem Moulin2015-06-071
| | | | | | | | It looks as if the SyncRepl need read access on the 'entry' and 'objectClass' attributes of the entry being deleted, and the entry being deleted no longer matches the ACL filters, so we have to grant access globally. (We still have fine-grain control on the other attributes which are not disclosed, though.)
* Add an LDAP attribute to check if the user wants to use the content filter.Guilhem Moulin2015-06-072
| | | | | This decision is left to the MX (as for 'fripostIsStatusActive'), which will set the envelope recipient accordingly.
* Fix client verification policy.Guilhem Moulin2015-06-071
|
* Postfix needs to be restarted after rekeying.Guilhem Moulin2015-06-071
| | | | (It opens the key as root, but then drops the permissions.)
* Add a tag 'tls_policy' to facilitate rekeying.Guilhem Moulin2015-06-073
| | | | | First generate all certs (-t genkey), then build the TLS policy maps ( -t tls_policy).
* 'default_days' in openssl.cnf doesn't work, use -days instead.Guilhem Moulin2015-06-071
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* Make the Ansible LDAP plugin able to delete entries and attributes.Guilhem Moulin2015-06-074
| | | | | Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on the 'config' database.
* Fix race condition when generating cerificates for slapd.Guilhem Moulin2015-06-072
| | | | | The SyncProv won't start if the file olcTLSCACertificateFile points to doesn't exist.
* Remove o=mailHosting from the LDAP directory suffix.Guilhem Moulin2015-06-0720
| | | | | | So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it before hand).
* Add note how to test SASL EXTERNAL authentication via TLS.Guilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-073
|
* Generate the DKIM key on the outgoing instance only.Guilhem Moulin2015-06-071
|
* Fix a corner case in reserved-alias.pl.Guilhem Moulin2015-06-071
| | | | | 'if $l' is false when $l is 0, while 0@example.org is a perfectly valid address.
* Configure SyncRepl (OpenLDAP replication) and related ACLs.Guilhem Moulin2015-06-077
| | | | | | | | | | | | | | | | | | | | | | | The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute.
* Add ability to add custom OrganizationalUnits in genkeypair.Guilhem Moulin2015-06-074
| | | | Also, it's now possible to reuse an existing private key (with -f).
* Add ability to chmod, chown and set the key usage in genkeypair.Guilhem Moulin2015-06-071
|
* Enable zero-copy updates to the LDAP directory.Guilhem Moulin2015-06-076
|
* Move ansible modules to another directory.Guilhem Moulin2015-06-075
|