|  | Commit message (Collapse) | Author | Age | Files | 
|---|
| | 
| 
| 
| 
| 
| | There is a real security gain in not using the 'www-data' user: nginx
workers can't read Nextcloud config files and data directory, so should
our nginx configuration be insecure a leak is much less likely. | 
| | 
| 
| 
| | This was forgotten in 0bfbe0e49f7fc77abfe7bb5d92c72dbdf6742204. | 
| | |  | 
| | 
| 
| 
| 
| 
| | Also, update baseline to Debian 10 (codename Buster) and deploy a local
Redis instance for Transactional File Locking
https://docs.nextcloud.com/server/18/admin_manual/configuration_server/caching_configuration.html#id2 | 
| | |  | 
| | 
| 
| 
| 
| 
| | Instead of using the fallback key.  That way messages from our lists
have proper DMARC alignment (at least when envelope sender and From
header are under domain lists.fripost.org). | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Cf. https://lists.debian.org/debian-devel-announce/2020/04/msg00004.html .  \o/
It's also fairly easy to deploy onto the Debian infrastucture:
    $ USERNAME="guilhem"
    $ SELECTOR="5d30c523ff3622ed454230a16a11ddf6.$USERNAME.user"
    $ printf "dkimPubKey: %s %s\n" "$SELECTOR" \
                "$(openssl pkey -pubin -in "./certs/dkim/$SELECTOR:debian.org.pub" -outform DER | base64 -w0)" \
        | gpg --clearsign | s-nail -r "USERNAME@debian.org" -s dkimPubKey changes@db.debian.org | 
| | 
| 
| 
| 
| 
| 
| 
| | Since 1.5 (Buster) APT supports https:// natively.  There is no need to
install ‘apt-transport-https’ (now a dummy transitional package)
anymore.  Plain-text connection don't undermine security as APT checks
package OpenPGP signatures locally, but there is no reason not to use
TLS here. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | * Use nftables sets with a timeout
 * Start daemon with a hardened unit file and restricted Capability
   Bounding Set.  (This requires to change the log path to
   /var/log/fail2ban/*.)
 * Skip database as we don't care about persistence.
 * Refactor jail.local | 
| | 
| 
| 
| | Debian Buster uses the nftables framework by default. | 
| | 
| 
| 
| 
| 
| | Our internal IPs don't have a reverse PTR record, and skipping the
resolution speeds up mail delivery.
http://www.postfix.org/postconf.5.html#smtpd_peername_lookup | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | This avoids
[DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set
to allow bad characters in group names by default, this will change, but
still be user configurable on deprecation. This feature will be removed
in version 2.10. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
[WARNING]: Invalid characters were found in group names but not
replaced, use -vvvv to see details | 
| | 
| 
| 
| 
| 
| 
| 
| | This avoids the
[WARNING]: The value False (type bool) in a string field was converted
to u'False' (type string). If this does not look like what you expect,
quote the entire value to ensure it does not change. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | This avoids lmtp errors like
        Error: mmap(size=0) failed with file […] dbox-Mails/dovecot.index.cache: Cannot allocate memory
See https://www.dovecot.org/list/dovecot/2012-August/137569.html and
https://www.dovecot.org/list/dovecot/2011-December/132455.html . | 
| | 
| 
| 
| | See RFC 8314 sec. 3.3 "Cleartext Considered Obsolete". | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| | This is useful when an ESTABLISHED connection is seen as NEW because the
client was offline for some time.  For instance, clients now gracefully
close existing SSH connections immediately after resuming from a suspend
state, rather that waiting for the TCP timeout. | 
| | 
| 
| 
| 
| 
| | It doesn't hurt to install them on all machines, but we're overriding
the provided /etc/fail2ban/filter.d/dovecot.conf and would rather keep
our delta minimal. | 
| | 
| 
| 
| | Cf. http://www.openspf.org/Best_Practices/Outbound . | 
| | 
| 
| 
| 
| 
| | Use admin@fripost.org instead.  We were sending out (to the admin team)
system messages with non-existing or invalid envelope sender addresses,
such as <logcheck@antilop.fripost.org> or <root@mistral.fripost.org>. | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| | (That is, remove algorithms from Suite-B-GCM-128.)
Cf. https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
and https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations . | 
| | 
| 
| 
| 
| 
| | And use ‘noreply.fripost.org’ as HELO name rather than $myhostname
(i.e., ‘smtp.fripost.org’), so the same SPF policy can be used for ehlo
and envelope sender identities. | 
| | 
| 
| 
| 
| | Since d8d07afe49e69114f8deb807031bec71a327d3ae our MySQL flavor is
MariaDB. | 
| | |  | 
| | 
| 
| 
| | We don't need suspend-on-disk (hibernation). | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| | Inspired from /lib/systemd/system/bacula-fd.service. | 
| | |  | 
| | 
| 
| 
| | We don't need it anymore as we use https:// these days. | 
| | 
| 
| 
| | And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’. | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| | It's not really needed on our metal hosts, and our KVM guests use
virtio-rng. | 
| | |  | 
| | 
| 
| 
| 
| 
| | Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f)
the postscreen(8) server can run chrooted, meaning we can also chroot
the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons. | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | We're relaying messages to our LMTP daemons (Dovecot, Amavisd) and some
downstream SMTP servers, not all of which are under our control.
Forwarding messages with UTF-8 envelope addresses or RFC 5322 headers
yields undeliverable messages, and the bounces make us a potential
backscatter source.  So it's better to disable SMTPUTF8 at this point.
Cf. also http://www.postfix.org/SMTPUTF8_README.html and
https://unix.stackexchange.com/questions/320091/configure-postfix-and-dovecot-lmtp-to-receive-mail-via-smtputf8 .
See also upstream's comment at https://marc.info/?l=postfix-users&m=149183235529042&w=2 :
    “Perhaps SMTPUTF8 autodetection could be more granular: UTF8 in the
     envelope is definitely problematic for a receiver that does not
     support SMTPUTF8, while UTF8 in a message header is less so.” | 
| | 
| 
| 
| 
| | https://raw.githubusercontent.com/sciunto-org/ikiwiki-pandoc/v0.5.1/pandoc.pm
Currently at commit 9292e45cea1be120adb3babd5b835b547f4c825a . | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | We only serve whitelisted extensions (css, js, png, etc.), and only for
some selected sub-directories.  Access to everything else (incl. log
files and config files) is denied with a 404.  This is unlike upstream's
.htaccess file, which blacklists restricted locations and happily serves
the rest:
    https://github.com/roundcube/roundcubemail/blob/master/.htaccess#L8
To find out which extensions exist on the file system, run
    find -L /var/lib/roundcube/{plugins,program/js,program/resources,skins} -type f \
        | sed -n 's/.*\.//p' | sort | uniq -c | 
| | |  | 
| | 
| 
| 
| 
| | While the combination of "s=" tag (selector) & "d=" tag signing domain
maps to a unique key, the selector alone doesn't necessarily. | 
| | |  | 
| | |  | 
| | |  |