Commit message (Collapse) | Author | Age | Files | ||
---|---|---|---|---|---|
... | |||||
* | Dovecot: Explicitly disable LDAP. | Guilhem Moulin | 2016-12-08 | 1 | |
| | |||||
* | gitolite: allow hook.* git config keys. | Guilhem Moulin | 2016-12-08 | 1 | |
| | |||||
* | Upgrade to lacme 0.2-1. | Guilhem Moulin | 2016-12-08 | 2 | |
| | |||||
* | Webmail: Install XCache (PHP opcode cacher). | Guilhem Moulin | 2016-12-08 | 1 | |
| | |||||
* | Dovecot: use fallocate(2) to preallocate new mdbox files. | Guilhem Moulin | 2016-12-08 | 1 | |
| | |||||
* | Make Ansible modules compatible with Ansible 2.2.0.0. | Guilhem Moulin | 2016-12-08 | 2 | |
| | |||||
* | Postscreen: Give temporary whitelist status to primary MX addresses only. | Guilhem Moulin | 2016-09-20 | 2 | |
| | |||||
* | systemd: Ensure sympa service is enabled. | Guilhem Moulin | 2016-09-18 | 1 | |
| | |||||
* | lacme-certs.conf: don't restart but reload dovecot after renewing IMAPS cert. | Guilhem Moulin | 2016-09-18 | 1 | |
| | | | | | | Unfortunately as of Debian 8.6 (Jessie) dovecot's service file doesn't have a “Reload” directive, so we can't use `/bin/systemctl restart dovecot` as notification. It'll be fixed in Stretch, though. | ||||
* | Postfix: ensure common aliases are present. | Guilhem Moulin | 2016-09-18 | 3 | |
| | |||||
* | FreshClam: change ownership of /etc/clamav/freshclam.conf. | Guilhem Moulin | 2016-09-18 | 1 | |
| | | | | | | | | To match the stock version shipped by clamav-freshclam 0.99.2+dfsg-0+deb8u2 ~$ stat -c '%U:%G %a' /etc/clamav/freshclam.conf clamav:adm 444 | ||||
* | Firewall: allow duplicates rules. | Guilhem Moulin | 2016-09-18 | 1 | |
| | |||||
* | HPKP: increase max-mage directive to 6 months from 1 hour. | Guilhem Moulin | 2016-09-18 | 1 | |
| | |||||
* | gencerts: improve workning: s/pubkey/SPKI/ | Guilhem Moulin | 2016-09-18 | 1 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2016-08-22 | 2 | |
| | |||||
* | Improve certs formatting. | Guilhem Moulin | 2016-07-12 | 1 | |
| | |||||
* | gencerts: Print the SHA1 digests in hex not base64 format. | Guilhem Moulin | 2016-07-12 | 1 | |
| | |||||
* | typo | Guilhem Moulin | 2016-07-12 | 1 | |
| | |||||
* | typo | Guilhem Moulin | 2016-07-12 | 1 | |
| | |||||
* | HSTS: use the standard capitalization of includeSubDomains. | Guilhem Moulin | 2016-07-12 | 1 | |
| | | | | Cf. RFC 6797 sec. 6.1.2. | ||||
* | postfix: Remove obsolete templates tls_policy/relay_clientcerts. | Guilhem Moulin | 2016-07-12 | 4 | |
| | |||||
* | gencerts: make the SSHFPR output match the X509 ones. | Guilhem Moulin | 2016-07-12 | 1 | |
| | |||||
* | gencerts: Include SAN for the website and webmail. | Guilhem Moulin | 2016-07-12 | 1 | |
| | |||||
* | gencerts: base64-encode the SHA256 digests. | Guilhem Moulin | 2016-07-12 | 1 | |
| | | | | Also, include the backup pins in the .asc. | ||||
* | postfix: commit the master.cf symlinks. | Guilhem Moulin | 2016-07-12 | 5 | |
| | |||||
* | nginx: Don't hard-code the HPKP headers. | Guilhem Moulin | 2016-07-12 | 18 | |
| | | | | | Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out. | ||||
* | gencerts: exclude expired certs in the CRT queries. | Guilhem Moulin | 2016-07-10 | 1 | |
| | |||||
* | Postfix lists/MDA instances: only include the MX:es' IPs in $mynetworks. | Guilhem Moulin | 2016-07-10 | 2 | |
| | |||||
* | Route all internal SMTP traffic through IPsec. | Guilhem Moulin | 2016-07-10 | 20 | |
| | |||||
* | Postfix MX/MSA instances: put certs in the the instance's $config_directory. | Guilhem Moulin | 2016-07-10 | 5 | |
| | |||||
* | Postfix MX/MSA instances: don't ask the remote SMTP client for a client ↵ | Guilhem Moulin | 2016-07-10 | 2 | |
| | | | | | | | certificate. See postconf(5). This avoids the “(Client did not present a certificate)” messages in the Received headers. | ||||
* | Postfix: avoid hardcoding the instance names. | Guilhem Moulin | 2016-07-10 | 2 | |
| | |||||
* | Postfix: don't share the master.cf between the instances. | Guilhem Moulin | 2016-07-10 | 13 | |
| | |||||
* | postfix: Don't explicitly set inet_interfaces=all as it's the default. | Guilhem Moulin | 2016-07-10 | 5 | |
| | |||||
* | Change the pubkey extension from .pem to .pub. | Guilhem Moulin | 2016-07-10 | 16 | |
| | |||||
* | Route SMTP traffic from the webmail through IPsec. | Guilhem Moulin | 2016-07-10 | 10 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2016-07-09 | 2 | |
| | |||||
* | Localize the NTP pool hostnames. | Guilhem Moulin | 2016-07-09 | 1 | |
| | |||||
* | Localize the debian archive hostnames. | Guilhem Moulin | 2016-07-09 | 1 | |
| | |||||
* | ClamAV (FreshClam): use a localized Database Mirror. | Guilhem Moulin | 2016-07-09 | 3 | |
| | | | | | | As db.local.clamav.net is not always properly localized. Furthermore, our previous Ansiblee script did not ensure ordering of the DatabaseMirror lines. | ||||
* | IMAP: don't include mailbox under the virtual namespace in LIST responses. | Guilhem Moulin | 2016-07-06 | 2 | |
| | | | | | | | | | Clients now have to use the NAMESPACE extension [RFC 2342] to discover mailboxes under the “virtual/” namespace. (Plus an extra LIST command, causing an overhead two roundtrips.) Of course the downside is that non namespace-aware clients lose access to the “virtual/{all,flagged,…}” mailboxes, but on second thought it's probably better this way rather than having such clients treat these mailboxes as regular mailboxes. | ||||
* | dovecot: use the MSA postfix instance for sieve redirection. | Guilhem Moulin | 2016-07-01 | 2 | |
| | | | | | We don't want to use the default instance since its SIZE limit is tighter than the ones on the MX:es. | ||||
* | IPSec → IPsec | Guilhem Moulin | 2016-06-29 | 6 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2016-06-29 | 3 | |
| | |||||
* | update-firewall.sh: COMMIT empty iptables rule files. | Guilhem Moulin | 2016-06-29 | 1 | |
| | |||||
* | Postfix MSA: don't allow unauthenticated clients from $mynetworks. | Guilhem Moulin | 2016-06-29 | 1 | |
| | |||||
* | ansible: _make_tmp_path now takes an argument. | Guilhem Moulin | 2016-06-29 | 2 | |
| | |||||
* | typo | Guilhem Moulin | 2016-06-15 | 1 | |
| | |||||
* | crt.sh: Replace SHA1 by SHA256 as SPKI digest to list certificates. | Guilhem Moulin | 2016-06-15 | 1 | |
| | |||||
* | certs/public: fetch each cert's pubkey (SPKI), not the cert itself. | Guilhem Moulin | 2016-06-15 | 16 | |
| | | | | To avoid new commits upon cert renewal. |