Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | LDAP: Rotate soon-to-be expired key material.HEADmaster | Guilhem Moulin | 2024-09-08 | 7 |
| | | | | | Also, switch from rsa4096 to ed25519 and use a separate key for each syncrepl. | |||
* | Fail2ban: Remove obsolete filter dovecot.conf. | Guilhem Moulin | 2024-09-08 | 1 |
| | ||||
* | Nextcloud: Tweak opcache settings. | Guilhem Moulin | 2024-09-08 | 1 |
| | ||||
* | Nextcloud: Upgrade backend to PHP7.4. | Guilhem Moulin | 2024-09-08 | 4 |
| | ||||
* | wibble | Guilhem Moulin | 2024-09-08 | 1 |
| | ||||
* | Firewall: Harden IPsec configuration by pining the reqids. | Guilhem Moulin | 2024-09-08 | 2 |
| | ||||
* | OpenDMARC: Adjust configuration to bullseye. | Guilhem Moulin | 2024-09-08 | 1 |
| | ||||
* | Sympa: Default to dmarc_protection_mode=dmarc_reject. | Guilhem Moulin | 2024-09-08 | 1 |
| | ||||
* | Sympa: Update Content-Security-Policy. | Guilhem Moulin | 2024-09-08 | 1 |
| | ||||
* | APT: Prepare config bump to Debian 12. | Guilhem Moulin | 2024-09-08 | 2 |
| | ||||
* | logcheck-database update. | Guilhem Moulin | 2024-09-08 | 2 |
| | ||||
* | typofix | Guilhem Moulin | 2024-09-08 | 1 |
| | ||||
* | DKIM key generation: Adjust ownership. | Guilhem Moulin | 2024-09-08 | 1 |
| | | | | | As of bullseye amavis needs the private key material to be reabled by the 'amavis' user. | |||
* | MSA: Set smtpd_forbid_bare_newline to defeat SMTP smuggling attacks. | Guilhem Moulin | 2024-09-08 | 1 |
| | ||||
* | IMAP: Adjust dovecot configuration to bullseye. | Guilhem Moulin | 2024-09-08 | 12 |
| | | | | | | | Provisioning /etc/dovecot/conf.d/*.conf is a pain on upgrade so we consolidate that by reverting these files to the distro-provided ones and shipping a single /etc/dovecot/conf.d/99-local.conf override instead. | |||
* | levante: Adjust pinned key material and modules due to new hardware. | Guilhem Moulin | 2024-09-08 | 3 |
| | ||||
* | Roundcube: Set $config['max_recipients'] = 15 to avoid timeout. | Guilhem Moulin | 2024-09-08 | 1 |
| | | | | Cf. msgid=<ZFe5tjHTGbVemNTD@fripost.org> | |||
* | Don't take roundcube from backports. | Guilhem Moulin | 2024-09-08 | 2 |
| | ||||
* | Webmail: Upgrade backend to PHP7.4. | Guilhem Moulin | 2024-09-08 | 4 |
| | ||||
* | Sympa: Enable French support. | Guilhem Moulin | 2024-06-12 | 1 |
| | | | | Cf. msgid=<c368f04c-b8d1-4623-98f0-b6a3b724f90d@dubre.me>. | |||
* | Use dedicated DKIM key for himmelkanten.se, vimmelkanten.se and ↵ | Guilhem Moulin | 2023-10-22 | 4 |
| | | | | hemskaklubben.se. | |||
* | Use dedicated DKIM key for dubre.me. | Guilhem Moulin | 2023-08-20 | 2 |
| | ||||
* | Use dedicated DKIM key for ljhms.se. | Guilhem Moulin | 2023-07-20 | 2 |
| | ||||
* | Nextcloud: Set ‘X-Robots-Tag: noindex, nofollow’. | Guilhem Moulin | 2023-03-26 | 1 |
| | | | | Per upstream recommendation at https://cloud.fripost.org/settings/admin/overview . | |||
* | Sympa: Update robot.conf to fix HTTP 421 on virtual hosts. | Guilhem Moulin | 2023-01-13 | 3 |
| | | | | | | See https://github.com/sympa-community/sympa/issues/879 , https://www.sympa.community/manual/upgrade/notes.html#from-version-prior-to-6256 and https://www.sympa.community/gpldoc/man/sympa_config.5.html#wwsympa_url_local . | |||
* | Improve Debian 11's fail2ban rules. | Guilhem Moulin | 2022-12-18 | 7 |
| | ||||
* | Use dedicated DKIM key for r0x.se. | Guilhem Moulin | 2022-12-13 | 2 |
| | ||||
* | Port baseline to Debian 11 (codename Bullseye). | Guilhem Moulin | 2022-10-13 | 23 |
| | ||||
* | openldap module: Fix python3's bytes vs str mismatch. | Guilhem Moulin | 2022-10-11 | 2 |
| | ||||
* | Remove module ‘mysql_user2’. | Guilhem Moulin | 2022-10-11 | 5 |
| | | | | These days upstream's ‘mysql_user’ is good enough. | |||
* | Roundcube: managesieve: Disable ‘reject’ and ‘ereject’ extensions. | Guilhem Moulin | 2022-10-11 | 1 |
| | ||||
* | clamav-freshclam: Remove ‘SafeBrowsing’ option. | Guilhem Moulin | 2022-10-11 | 1 |
| | ||||
* | fetch_cmd: Replace deprecated ‘_remote_checksum()’ with ↵ | Guilhem Moulin | 2022-10-11 | 1 |
| | | | | | | | | | | ‘_execute_remote_stat()’. This silences the following deprecation warning: The '_remote_checksum()' method is deprecated. The plugin author should update the code to use '_execute_remote_stat()' instead. This feature will be removed in version 2.16. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. | |||
* | Use dedicated DKIM key for guilhem.se. | Guilhem Moulin | 2022-10-11 | 2 |
| | ||||
* | postmulti: Fix encoding issue. | Guilhem Moulin | 2022-10-11 | 1 |
| | ||||
* | logcheck-database update. | Guilhem Moulin | 2022-10-11 | 3 |
| | ||||
* | postfix: Adjust anonymize_sender.pcre. | Guilhem Moulin | 2022-10-11 | 1 |
| | ||||
* | dovecot: Bump VSZ to 1G. | Guilhem Moulin | 2022-10-11 | 1 |
| | ||||
* | mysql_user2: Remove load_mycnf(). | Guilhem Moulin | 2022-10-11 | 1 |
| | | | | | | We're not using this, and it makes ansible croak with An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ModuleNotFoundError: No module named 'ConfigParser' | |||
* | Prefix ‘ipaddr’ and ‘ipv4’ with ‘ansible.utils.’. | Guilhem Moulin | 2022-10-11 | 12 |
| | | | | | | | This silences the following deprecation warning: Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. | |||
* | Nextcloud: Adapt configuration to v21. | Guilhem Moulin | 2021-05-23 | 2 |
| | ||||
* | Rename '_lacme' user to '_lacme-client'. | Guilhem Moulin | 2021-02-24 | 2 |
| | | | | For a smooth upgrade to Bullseye's lacme 0.8-1. | |||
* | logcheck-database update. | Guilhem Moulin | 2021-02-13 | 1 |
| | | | | ansible 2.10.7 uses "ansible-ansible.legacy.stat: Invoked with […]". | |||
* | Use dedicated DKIM key for gbg.cmsmarx.org. | Guilhem Moulin | 2021-02-13 | 2 |
| | ||||
* | Don't restart amavis on DKIM key generation. | Guilhem Moulin | 2021-02-13 | 1 |
| | | | | | We want to give people the time add the key to DNS before we update the signing policy. | |||
* | munin: Skip ntp_* plugins when ntpq(1) is missing. | Guilhem Moulin | 2021-02-06 | 1 |
| | ||||
* | Roundcube: Fix favicon path. | Guilhem Moulin | 2021-01-27 | 1 |
| | ||||
* | Roundcube: Serve assets pre-compressed when possible. | Guilhem Moulin | 2021-01-27 | 1 |
| | | | | See https://salsa.debian.org/roundcube-team/roundcube/-/commit/f1e89494e8b777d69564e67f2d8b47ac84eb02f4 . | |||
* | Roundcube: Change document root to /var/lib/roundcube/public_html. | Guilhem Moulin | 2021-01-27 | 1 |
| | | | | Per https://salsa.debian.org/roundcube-team/roundcube/commit/7df02624eec4857053432d8ebe9b4e2b36f22bc5 . | |||
* | Postfix: pin key material to our MX:es for fripost.org and its subdomains. | Guilhem Moulin | 2021-01-26 | 6 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | This solves an issue where an attacker would strip the STARTTLS keyword from the EHLO response, thereby preventing connection upgrade; or spoof DNS responses to route outgoing messages to an attacker-controlled SMTPd, thereby allowing message MiTM'ing. With key material pinning in place, smtp(8postfix) immediately aborts the connection (before the MAIL command) and places the message into the deferred queue instead: postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified) This applies to the smarthost as well as for verification probes on the Mail Submission Agent. Placing message into the deferred queue might yield denial of service, but we argue that it's better than a privacy leak. This only covers *internal messages* (from Fripost to Fripost) though: only messages with ‘fripost.org’ (or a subdomain of such) as recipient domain. Other domains, even those using mx[12].fripost.org as MX, are not covered. A scalable solution for arbitrary domains would involve either DANE and TLSA records, or MTA-STS [RFC8461]. Regardless, there is some merit in hardcoding our internal policy (when the client and server are both under our control) in the configuration. It for instance enables us to harden TLS ciphers and protocols, and makes the verification logic independent of DNS. |