summaryrefslogtreecommitdiffstats
path: root/roles/IMAP/files/etc
Commit message (Collapse)AuthorAgeFiles
* systemd.service: Tighten hardening options.Guilhem Moulin2018-12-091
|
* systemd: Replace ‘ProtectSystem=full’ with ‘ProtectSystem=strict’.Guilhem Moulin2018-12-091
| | | | And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’.
* dovecot: enable user iteration and add a cronjob for `doveadm purge -A`Guilhem Moulin2017-06-055
|
* dovecot: Deduplicate attachments hourly, just before automatic backup.Guilhem Moulin2016-12-111
|
* dovecot: use Single-Instance Storage for mail attachments.Guilhem Moulin2016-12-102
|
* Dovecot: use fallocate(2) to preallocate new mdbox files.Guilhem Moulin2016-12-081
|
* IMAP: don't include mailbox under the virtual namespace in LIST responses.Guilhem Moulin2016-07-061
| | | | | | | | | Clients now have to use the NAMESPACE extension [RFC 2342] to discover mailboxes under the “virtual/” namespace. (Plus an extra LIST command, causing an overhead two roundtrips.) Of course the downside is that non namespace-aware clients lose access to the “virtual/{all,flagged,…}” mailboxes, but on second thought it's probably better this way rather than having such clients treat these mailboxes as regular mailboxes.
* dovecot: use the MSA postfix instance for sieve redirection.Guilhem Moulin2016-07-011
| | | | | We don't want to use the default instance since its SIZE limit is tighter than the ones on the MX:es.
* dovecot: also listen on the virtual IP dedicated to IPSec.Guilhem Moulin2016-05-221
| | | | | | (On port 143.) Moreover, add the whole IPSec virtual subnet to ‘login_trusted_networks’ since our IPSec tunnels provide end-to-end encryption and we therefore don't need the extra SSL/TLS protection.
* spamassassin: list our IPSec subnet in trusted_networks.Guilhem Moulin2016-05-221
|
* Let's EncryptGuilhem Moulin2016-03-021
|
* Use the Let's Encrypt CA for our public certs.Guilhem Moulin2015-12-201
|
* dovecot: remove !SSLv2 from ssl_cipher_list.Guilhem Moulin2015-12-151
|
* dovecot-sieve: Enable the 'editheader' extension (5293).Guilhem Moulin2015-11-261
| | | | | Which is disabled by default, as per http://wiki.dovecot.org/Pigeonhole/Sieve
* Remove \Recent flags when a virtual mailbox is SELECTed.Guilhem Moulin2015-09-304
|
* IMAP: Store virtual indexes in memory.Guilhem Moulin2015-09-301
|
* dovecot: Disable SSLv3.Guilhem Moulin2015-09-171
|
* Enable the IMAP COMPRESS extension [RFC4978].Guilhem Moulin2015-09-151
|
* Dovecot: Collect IMAP statistics.Guilhem Moulin2015-06-104
|
* Allow 'vmail' users with a UID lower than 500.Guilhem Moulin2015-06-101
| | | | Fix regression introduced in f7c8011.
* logjam mitigation.Guilhem Moulin2015-06-071
|
* Upgrade Dovecot config to Jessie.Guilhem Moulin2015-06-079
|
* Explain why we use static transport maps and custom subdomains.Guilhem Moulin2015-06-071
|
* Fix Dovecot's mail location.Guilhem Moulin2015-06-072
|
* Perform the alias resolution and address validation solely on the MX:es.Guilhem Moulin2015-06-074
| | | | | We can therefore spare some lookups on the MDA, and use static:all instead.
* Remove o=mailHosting from the LDAP directory suffix.Guilhem Moulin2015-06-074
| | | | | | So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it before hand).
* Performance tuning in Dovecot's configuration.Guilhem Moulin2015-06-072
|
* Install amavisd-new on the outgoing SMTP proxy.Guilhem Moulin2015-06-071
| | | | For DKIM signing and virus checking.
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-072
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Don't use mailbox list indexes.Guilhem Moulin2015-06-071
| | | | | | | In 2.1.7 they are buggy, and make Dovecot crash (when connected through Evolution for instance). They have improved a lot since, though: http://hg.dovecot.org/dovecot-2.2/file/c55c660d6e9d/NEWS
* Generate certs for Dovecot and Nginx if they are not there.Guilhem Moulin2015-06-071
|
* Dovecot wibble.Guilhem Moulin2015-06-071
|
* The 'vmail' user may have a UID lower than 500.Guilhem Moulin2015-06-071
| | | | So we set 'first_valid_uid' to 1, to accept any UID.
* Support boken SMTP clients and LOGIN SASL mechanism.Guilhem Moulin2015-06-071
|
* Compress messages on the IMAP backend.Guilhem Moulin2015-06-072
|
* Install dovecot from backports (for imapc).Guilhem Moulin2015-06-071
| | | | | Interesting features include caching of mail headers (v2.2.8+) as well as new IMAP capabilities.
* Decongestion potential bottlenecks on trivial_rewrite(8).Guilhem Moulin2015-06-071
| | | | | | | | | | | | | Which might be caused by slow LDAP lookups in transport_maps. Instead, we alias each addresses for which we want a custom transport to a dedicated "dummy" domain, and use a static (CDB) transport_maps to map said domains to their transport; the receiver can then use canonical(8) to restore the original envelope recipient. Since the alias resolution is performed by cleanup(8), which can run in parallel with other instances, it should decongestion bottlenecks under heavy loads. So far only the MX:es have been decongestioned. The list manager and the MDA should be treated as well.
* Make the *_maps file names uniform.Guilhem Moulin2015-06-072
| | | | That is, don't put a leading virtual_ or a trailing _maps in file names.
* Fix the catch-all resolution again.Guilhem Moulin2015-06-072
| | | | | | | | | | | | | | | | | | | | We introduce a limitation on the domain-aliases: they can't have children (e.g., lists or users) any longer. The whole alias resolution, including catch-alls and domain aliases, is now done in 'virtual_alias_maps'. We stop the resolution by returning a dummy alias A -> A for mailboxes, before trying the catch-all maps. We're still using transport_maps for lists. If it turns out to be a bottleneck due to the high-latency coming from LDAP maps, (and the fact that there is a single qmgr(8) daemon), we could rewrite lists to a dummy subdomain and use a static transport_maps instead: virtual_alias_maps: mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain transport_maps: mlmmj.localhost.localdomain mlmmj:
* Fix catchall resolution.Guilhem Moulin2015-06-072
| | | | | | | | It has to be performed last, to give a chance to be accepted as a regular mailbox. We introduce a new, dedicated, smtpd daemon whose only purpose is to resolve catch-alls.
* Configure Sieve and ManageSieve.Guilhem Moulin2015-06-072
| | | | | Also, add the 'managesieve' RoundCube plugin to communicate with our server.
* Make the virtual mailboxes visible under RoundCube.Guilhem Moulin2015-06-077
| | | | | | RoundCubes lists subscribed mailboxes only (determined using LIST-EXTENDED by default); also, it seems to ignore new subscriptions to mailboxes not listed by the LIST command.
* Configure the webmail.Guilhem Moulin2015-06-072
|
* Compile Spamassassin rules.Guilhem Moulin2015-06-071
| | | | See /usr/share/doc/spamassassin/README.Debian.gz
* wibbleGuilhem Moulin2015-06-072
|
* Configure dovecot's antispam filter.Guilhem Moulin2015-06-074
| | | | | | | | | | | | | Mails to be retrained are stored in the spooldir /home/mail/spamspool; later a daemon catches them up and feed them to sa-learn(1p). (On busy systems batch-process the learning should be much more efficient.) The folder transisition matrix along with the corresponding actions can be found there: http://hg.dovecot.org/dovecot-antispam-plugin/raw-file/5ebc6aae4d7c/doc/dovecot-antispam.7.txt See also dovecot-antispam(7).
* Enable IMAP virtual mailboxes.Guilhem Moulin2015-06-076
| | | | | | | | | | | | | | Using dovecot's 'virtual' plugin, cf. http://wiki2.dovecot.org/Plugins/Virtual The 'virtual/' namespace is visible in the NAMESPACE command (hidden=no), but not in LIST (list=no). This should ensure that the namespace isn't automatically synced by offlineimap, but nevertheless visible by roundcube, cf. http://trac.roundcube.net/ticket/1486796 http://mailman2.u.washington.edu/pipermail/imap-protocol/2010-May/001076.html
* Configure the content filter.Guilhem Moulin2015-06-074
| | | | | | | | | | | Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new. Each user has his/her amavis preferences, and own Bayes filter (to maximize privacy). One question remains, though: how to set spamassassin's trusted_networks / internal_networks / msa_networks? It seems not obivious to get it write with IPSec and dynamic IPs. (Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)
* Rename the role 'mx' into 'MX'.Guilhem Moulin2015-06-072
| | | | Other abreviations are upper case.
* Configure the Mail Delivery Agent.Guilhem Moulin2015-06-073
|