|  | Commit message (Collapse) | Author | Age | Files | 
|---|
| | 
| 
| 
| | And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’. | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | Clients now have to use the NAMESPACE extension [RFC 2342] to discover
mailboxes under the “virtual/” namespace.  (Plus an extra LIST command,
causing an overhead two roundtrips.)  Of course the downside is that non
namespace-aware clients lose access to the “virtual/{all,flagged,…}”
mailboxes, but on second thought it's probably better this way rather
than having such clients treat these mailboxes as regular mailboxes. | 
| | 
| 
| 
| 
| | We don't want to use the default instance since its SIZE limit is
tighter than the ones on the MX:es. | 
| | 
| 
| 
| 
| 
| | (On port 143.)  Moreover, add the whole IPSec virtual subnet to
‘login_trusted_networks’ since our IPSec tunnels provide end-to-end
encryption and we therefore don't need the extra SSL/TLS protection. | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| | Which is disabled by default, as per
http://wiki.dovecot.org/Pigeonhole/Sieve | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| | Fix regression introduced in f7c8011. | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| | We can therefore spare some lookups on the MDA, and use static:all
instead. | 
| | 
| 
| 
| 
| 
| | So our suffix is now a mere 'dc=fripost,dc=org'.  We're also using the
default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it
before hand). | 
| | |  | 
| | 
| 
| 
| | For DKIM signing and virus checking. | 
| | 
| 
| 
| 
| | For some reason giraff doesn't like IPSec.  App-level TLS sessions are
less efficient, but thanks to ansible it still scales well. | 
| | 
| 
| 
| 
| 
| 
| | In 2.1.7 they are buggy, and make Dovecot crash (when connected through
Evolution for instance). They have improved a lot since, though:
  http://hg.dovecot.org/dovecot-2.2/file/c55c660d6e9d/NEWS | 
| | |  | 
| | |  | 
| | 
| 
| 
| | So we set 'first_valid_uid' to 1, to accept any UID. | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| | Interesting features include caching of mail headers (v2.2.8+) as well
as new IMAP capabilities. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Which might be caused by slow LDAP lookups in transport_maps.  Instead,
we alias each addresses for which we want a custom transport to a
dedicated "dummy" domain, and use a static (CDB) transport_maps to map
said domains to their transport;  the receiver can then use canonical(8)
to restore the original envelope recipient.  Since the alias resolution
is performed by cleanup(8), which can run in parallel with other
instances, it should decongestion bottlenecks under heavy loads.
So far only the MX:es have been decongestioned.  The list manager and
the MDA should be treated as well. | 
| | 
| 
| 
| | That is, don't put a leading virtual_ or a trailing _maps in file names. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | We introduce a limitation on the domain-aliases: they can't have
children (e.g., lists or users) any longer.
The whole alias resolution, including catch-alls and domain aliases, is
now done in 'virtual_alias_maps'. We stop the resolution by returning a
dummy alias A -> A for mailboxes, before trying the catch-all maps.
We're still using transport_maps for lists. If it turns out to be a
bottleneck due to the high-latency coming from LDAP maps, (and the fact
that there is a single qmgr(8) daemon), we could rewrite lists to a
dummy subdomain and use a static transport_maps instead:
  virtual_alias_maps:
    mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain
  transport_maps:
    mlmmj.localhost.localdomain mlmmj: | 
| | 
| 
| 
| 
| 
| 
| 
| | It has to be performed last, to give a chance to be accepted as a
regular mailbox.
We introduce a new, dedicated, smtpd daemon whose only purpose is to
resolve catch-alls. | 
| | 
| 
| 
| 
| | Also, add the 'managesieve' RoundCube plugin to communicate with our
server. | 
| | 
| 
| 
| 
| 
| | RoundCubes lists subscribed mailboxes only (determined using
LIST-EXTENDED by default); also, it seems to ignore new subscriptions to
mailboxes not listed by the LIST command. | 
| | |  | 
| | 
| 
| 
| | See /usr/share/doc/spamassassin/README.Debian.gz | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Mails to be retrained are stored in the spooldir /home/mail/spamspool;
later a daemon catches them up and feed them to sa-learn(1p). (On busy
systems batch-process the learning should be much more efficient.)
The folder transisition matrix along with the corresponding actions can
be found there:
  http://hg.dovecot.org/dovecot-antispam-plugin/raw-file/5ebc6aae4d7c/doc/dovecot-antispam.7.txt
See also dovecot-antispam(7). | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Using dovecot's 'virtual' plugin, cf.
  http://wiki2.dovecot.org/Plugins/Virtual
The 'virtual/' namespace is visible in the NAMESPACE command
(hidden=no), but not in LIST (list=no). This should ensure that the
namespace isn't automatically synced by offlineimap, but nevertheless
visible by roundcube, cf.
  http://trac.roundcube.net/ticket/1486796
  http://mailman2.u.washington.edu/pipermail/imap-protocol/2010-May/001076.html | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new.
Each user has his/her amavis preferences, and own Bayes filter (to
maximize privacy).
One question remains, though: how to set spamassassin's trusted_networks
/ internal_networks / msa_networks? It seems not obivious to get it
write with IPSec and dynamic IPs.
(Cf. https://wiki.apache.org/spamassassin/AwlWrongWay) | 
| | 
| 
| 
| | Other abreviations are upper case. | 
| | |  | 
|  | (For now, only LMTP and IMAP processes, without replication.) |