path: root/group_vars
Commit message (author, age, files changed)
* Use dedicated DKIM key for jakmedlem.se. (Guilhem Moulin, 28 hours, 1 file)
* Move bacula and munin master to new host levante from benjamin. (Guilhem Moulin, 2020-11-03, 1 file)
* Use dedicated DKIM key for tevs.net. (Guilhem Moulin, 2020-10-01, 1 file)
* Use dedicated DKIM key for hemdal.se. (Guilhem Moulin, 2020-05-22, 1 file)
* Use dedicated DKIM key for guilhem.org. (Guilhem Moulin, 2020-04-22, 1 file)
* Add dedicated DKIM key for lists.fripost.org. (Guilhem Moulin, 2020-04-22, 1 file)
  Instead of using the fallback key. That way messages from our lists have proper DMARC alignment (at least when envelope sender and From header are under domain lists.fripost.org).
* Add own DKIM key for debian.org address. (Guilhem Moulin, 2020-04-13, 1 file)
  Cf. https://lists.debian.org/debian-devel-announce/2020/04/msg00004.html . \o/
  It's also fairly easy to deploy onto the Debian infrastructure:
    $ USERNAME="guilhem"
    $ SELECTOR="5d30c523ff3622ed454230a16a11ddf6.$USERNAME.user"
    $ printf "dkimPubKey: %s %s\n" "$SELECTOR" \
        "$(openssl pkey -pubin -in "./certs/dkim/$SELECTOR:debian.org.pub" -outform DER | base64 -w0)" \
        | gpg --clearsign | s-nail -r "$USERNAME@debian.org" -s dkimPubKey changes@db.debian.org
* DKIM: also include the "d=" tag in key filenames, not only the "s=" tag. (Guilhem Moulin, 2018-12-05, 1 file)
  While the combination of "s=" tag (selector) & "d=" tag (signing domain) maps to a unique key, the selector alone doesn't necessarily.
* Upgrade DKIM keys to rsa2048, and allow for multiple keys. (Guilhem Moulin, 2018-12-04, 1 file)
* Define new host "calima" serving Nextcloud. (Guilhem Moulin, 2018-12-03, 1 file)
* Upgrade MX baseline to Debian Stretch. (Guilhem Moulin, 2018-12-03, 1 file)
* Harden anti-spam on the MX:es. (Guilhem Moulin, 2018-06-09, 1 file)
* Don't let authenticated client use arbitrary sender addresses. (Guilhem Moulin, 2017-06-01, 1 file)
  The following policy is now implemented:
  * users can use their SASL login name as sender address;
  * alias and/or list owners can use the address as envelope sender;
  * domain postmasters can use arbitrary sender addresses under their domains;
  * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name;
  * for known domains without owner or postmasters, other sender addresses are not allowed; and
  * arbitrary sender addresses under unknown domains are allowed.
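The sender-address policy in the commit above, as an added example that is not part of the repository's own code: a Python check that evaluates each rule in order against a constructed directory (the accounts, alias owners and domain postmasters/owners below are made-up stand-ins for whatever directory the real deployment consults).

```python
# Added example: evaluate the sender-address policy described in the commit
# message above.  All directory data here is constructed sample data, not the
# project's real directory content.

ACCOUNTS = {"alice@example.org", "bob@example.org", "carol@lists.example.org"}

# alias/list address -> set of owner logins (constructed)
ALIAS_OWNERS = {
    "info@example.org": {"bob@example.org"},
    "talk@lists.example.org": {"alice@example.org"},
}

# known domains -> their postmasters and owners; either set may be empty (constructed)
DOMAINS = {
    "example.org": {"postmasters": {"alice@example.org"}, "owners": set()},
    "lists.example.org": {"postmasters": set(), "owners": {"bob@example.org"}},
    "orphan.example": {"postmasters": set(), "owners": set()},
}


def sender_allowed(login: str, sender: str) -> bool:
    """Return True if SASL user `login` may use `sender` as envelope sender."""
    login, sender = login.lower(), sender.lower()
    if "@" not in sender:
        return False                      # malformed sender: never accepted
    if sender == login:
        return True                       # rule 1: own SASL login name
    if login in ALIAS_OWNERS.get(sender, ()):
        return True                       # rule 2: owner of that alias or list
    domain = sender.rpartition("@")[2]
    entry = DOMAINS.get(domain)
    if entry is None:
        return True                       # rule 6: unknown domain, not policed here
    if login in entry["postmasters"]:
        return True                       # rule 3: postmaster, anything under the domain
    if login in entry["owners"] and sender not in ACCOUNTS:
        return True                       # rule 4: owner, unless it is an existing account
    return False                          # rule 5: known domain, no matching privilege
```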
* Also install non-free firmwares on civett. (Guilhem Moulin, 2017-05-30, 1 file)
* Postscreen: Give temporary whitelist status to primary MX addresses only. (Guilhem Moulin, 2016-09-20, 1 file)
* Postfix: don't share the master.cf between the instances. (Guilhem Moulin, 2016-07-10, 1 file)
* Route SMTP traffic from the webmail through IPsec. (Guilhem Moulin, 2016-07-10, 1 file)
* IPSec → IPsec (Guilhem Moulin, 2016-06-29, 1 file)
* typo (Guilhem Moulin, 2016-05-24, 1 file)
* Set up IPSec tunnels between each pair of hosts. (Guilhem Moulin, 2016-05-22, 1 file)
  We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachable within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed.
* Make the webmail connect directly to the outgoing SMTP proxy. (Guilhem Moulin, 2015-06-07, 1 file)
  (Hence delete the 'webmail' Postfix instance.) This shortens the delay caused by the recipient verification probes.
* Outgoing SMTP proxy. (Guilhem Moulin, 2015-06-07, 1 file)
* Assume a DNS entry for each role. (Guilhem Moulin, 2015-06-07, 1 file)
  E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though.
* Mailing lists (using mlmmj). (Guilhem Moulin, 2015-06-07, 1 file)
  Right now the list server cannot be hosted with a MX, due to bug 51: http://mlmmj.org/bugs/bug.php?id=51
  Web archive can be compiled with MHonArc, but the web server configuration is not there yet.
* Fix catchall resolution. (Guilhem Moulin, 2015-06-07, 1 file)
  It has to be performed last, to give a chance to be accepted as a regular mailbox. We introduce a new, dedicated, smtpd daemon whose only purpose is to resolve catch-alls.
* Use a local IMAP caching proxy under the webmail. (Guilhem Moulin, 2015-06-07, 1 file)
  (Unless the webmail is itself a full IMAP server.) It replaces RoundCube's own IMAP and message caches. Dovecot's IMAPC storage backend is not very documented, but provides smart IMAP proxying. References include:
    http://dovecot.org/pipermail/dovecot/2011-January/056975.html
    http://wiki2.dovecot.org/HowTo/ImapcProxy
    http://wiki2.dovecot.org/Migration/Dsync
* Configure the webmail. (Guilhem Moulin, 2015-06-07, 1 file)
* Configure NTP. (Guilhem Moulin, 2015-06-07, 1 file)
  We use a "master" NTP server, which synchronizes against stratum 1 servers (hence is a stratum 2 itself); all other clients synchronize to this master server through IPSec.
* LDAP Sync Replication. (Guilhem Moulin, 2015-06-07, 1 file)
* Configure the MX:es. (Guilhem Moulin, 2015-06-07, 1 file)
* Share master.cf across all Postfix instances. (Guilhem Moulin, 2015-06-07, 1 file)
  And use main.cf's 'master_service_disable' setting to deactivate each service that's useless for a given instance. (Hence solve conflict when trying to listen twice on the same port, for instance.)
* Reorganization. (Guilhem Moulin, 2015-06-07, 1 file)