summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFiles
* Load relevant MySQL authplugins.Guilhem Moulin2015-06-073
| | | | Also, turn off all TCP/IP listener ports.
* Use postmulti to run postconf per instance.Guilhem Moulin2015-06-072
|
* Force expansion of escape sequences.Guilhem Moulin2015-06-073
| | | | | By using double quoted scalars, cf. https://groups.google.com/forum/#!topic/ansible-project/ZaB6o-eqDzw
* Compile Spamassassin rules.Guilhem Moulin2015-06-073
| | | | See /usr/share/doc/spamassassin/README.Debian.gz
* Auto-update Spamassassin's ruleset.Guilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-076
|
* Configure dovecot's antispam filter.Guilhem Moulin2015-06-076
| | | | | | | | | | | | | Mails to be retrained are stored in the spooldir /home/mail/spamspool; later a daemon catches them up and feed them to sa-learn(1p). (On busy systems batch-process the learning should be much more efficient.) The folder transisition matrix along with the corresponding actions can be found there: http://hg.dovecot.org/dovecot-antispam-plugin/raw-file/5ebc6aae4d7c/doc/dovecot-antispam.7.txt See also dovecot-antispam(7).
* Enable IMAP virtual mailboxes.Guilhem Moulin2015-06-077
| | | | | | | | | | | | | | Using dovecot's 'virtual' plugin, cf. http://wiki2.dovecot.org/Plugins/Virtual The 'virtual/' namespace is visible in the NAMESPACE command (hidden=no), but not in LIST (list=no). This should ensure that the namespace isn't automatically synced by offlineimap, but nevertheless visible by roundcube, cf. http://trac.roundcube.net/ticket/1486796 http://mailman2.u.washington.edu/pipermail/imap-protocol/2010-May/001076.html
* wibbleGuilhem Moulin2015-06-0711
|
* Include amavisd-new's LDAP schema.Guilhem Moulin2015-06-071
| | | | | | It'd certainly be nicer if we didn't have to deploy amavis' schema everywhere, but we need the 'objectClass' in our replicates, hence they need to be aware of the 'amavisAccount' class.
* Configure the content filter.Guilhem Moulin2015-06-0714
| | | | | | | | | | | Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new. Each user has his/her amavis preferences, and own Bayes filter (to maximize privacy). One question remains, though: how to set spamassassin's trusted_networks / internal_networks / msa_networks? It seems not obivious to get it write with IPSec and dynamic IPs. (Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)
* bugfixGuilhem Moulin2015-06-071
|
* Convert legacy *.schema into *.ldif.Guilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-072
|
* oopsGuilhem Moulin2015-06-071
|
* Install common packages.Guilhem Moulin2015-06-071
|
* Configure S.M.A.R.T.Guilhem Moulin2015-06-072
|
* Configure NTP.Guilhem Moulin2015-06-076
| | | | | | We use a "master" NTP server, which synchronizes against stratum 1 servers (hence is a stratum 2 itself); all other clients synchronize to this master server through IPSec.
* Rename the role 'mx' into 'MX'.Guilhem Moulin2015-06-0715
| | | | Other abreviations are upper case.
* Configure the Mail Submission Agent.Guilhem Moulin2015-06-0710
|
* Configure the Mail Delivery Agent.Guilhem Moulin2015-06-079
|
* wibbleGuilhem Moulin2015-06-076
|
* Configure the IMAP server.Guilhem Moulin2015-06-0715
| | | | (For now, only LMTP and IMAP processes, without replication.)
* oopsGuilhem Moulin2015-06-071
|
* Configure the LDAP provider.Guilhem Moulin2015-06-075
| | | | (Hence the SyncProv overlay.)
* Automatically configure Overlays.Guilhem Moulin2015-06-071
| | | | | | | | | | | A 'suffix=' parameter has been added to choose the database to configure the overlay for. The ability to delete overlays would be desirable, but sadly there is no cleane way to remove/replace overlays, short of stopping slapd and digging into the slapd.d directory: http://www.zytrax.com/books/ldap/ch6/slapd-config.html#use-overlays
* LDAP Sync Replication.Guilhem Moulin2015-06-076
|
* Postfix is compiled without SASL support.Guilhem Moulin2015-06-077
| | | | As of 2.9.6 (2.10), at least. See bug #730848.
* Configure the MX:es.Guilhem Moulin2015-06-0719
|
* Provision /etc/default/slapdGuilhem Moulin2015-06-072
| | | | | | | This is because the UNIX domain socket to connect to when performing LDAP lookups needs to be in the chroot. Also, don't open a INET socket unless we're a Sync Provider.
* Not all LDAPError's have an 'info' key.Guilhem Moulin2015-06-071
|
* Share master.cf accross all Postfix instances.Guilhem Moulin2015-06-074
| | | | | | And use main.cf's 'master_service_disable' setting to deactivate each service that's useless for a given instance. (Hence solve conflict when trying to listen twice on the same port, for instance.)
* Use a dedicated SMTP port for samhain.Guilhem Moulin2015-06-074
| | | | | | | It's unfortunate that samhain cannot use the sendmail binary, and wants to use a inet socket instead. We use a custom port to avoid conflicts with the usual SMTP port the MX:es need to listen on. See also: /usr/share/doc/samhain/TODO.Debian
* wibbleGuilhem Moulin2015-06-071
|
* Allow flexible ACLs for SASL's EXTERNAL mechanism.Guilhem Moulin2015-06-072
| | | | | | "username=postfix,cn=peercred,cn=external,cn=auth" is replaced by "gidNumber=106+uidNumber=102,cn=peercred,cn=external,cn=auth" where 102 is postfix's UID and 106 its primary GID (looked up from /etc/passwd).
* Reorganization.Guilhem Moulin2015-06-0710
|
* Tell ansible we generally want to use sudo(8).Guilhem Moulin2015-06-072
| | | | I.e., put 'sudo=True' in ansible.cfg.
* Optimize LDAP modifications.Guilhem Moulin2015-06-072
| | | | | | | For non-indexed attributes, do not ask the LDAP server to modify values in the symmetric difference of A (the entry found in the directory) and B (the target). That is, we replace A by B only when they are disjoint; otherwise we remove values in A-B and add those in B-A.
* Load our schema *before* the database.Guilhem Moulin2015-06-071
| | | | Since indices are specified in the database LDIF.
* Deal with python strange support of encodings.Guilhem Moulin2015-06-073
| | | | | | | It's not happy with non-ASCII characters in comments, unless the encoding is made explicit… http://www.python.org/dev/peps/pep-0263/
* Reformulate the headers showing the license.Guilhem Moulin2015-06-079
| | | | | To be clearer, and to follow the recommendation of the FSF, we include a full header rather than a single sentence.
* Configure debsecan.Guilhem Moulin2015-06-072
|
* Common LDAP (slapd) configuration.Guilhem Moulin2015-06-077
|
* Common MySQL configuration.Guilhem Moulin2015-06-073
|
* Remove spaces in MySQL privileges strings.Guilhem Moulin2015-06-071
| | | | | | | In order to allow strings of the form: priv="db.table1:SELECT, UPDATE,DELETE /db.table2:SELECT,INSERT, DELETE"
* Add support for MySQL's Authentication Plugins.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | A.k.a "IDENTIFIED WITH ...". The plugin is automatically loaded on first use. References: - https://dev.mysql.com/doc/refman/5.5/en/pluggable-authentication.html - https://dev.mysql.com/doc/refman/5.5/en/socket-authentication-plugin.html Sadly as of MySQL 5.5, the "ALTER USER" command does not allow changing the Authentication Plugin, so we have to manually manipulate `mysql.user` (and FLUSH PRIVILEGES) instead. See also http://bugs.mysql.com/bug.php?id=67449
* Imported Ansible's 'mysql_user' module.Guilhem Moulin2015-06-071
| | | | | | From ref origin/release1.4.0, commit 2a58c2bbe33236ccfdde9fe7466d8a65956f21a5
* Postfix master (nullmailer) configurationGuilhem Moulin2015-06-0713
| | | | We use a dedicated instance for each role: MDA, MTA out, MX, etc.
* Fix unattended-upgrades's configuration.Guilhem Moulin2015-06-071
| | | | | ${distro_codename} doesn't work properly there, so we put stable and/or oldstable instead.
* wibbleGuilhem Moulin2015-06-071
| | | | | Replaced [ -n "$string" ] with [ "$string" ], and [ -z "$string" ] with [ ! "$string" ].