| Commit message | Author | Age | Files |
| |
Provisioning /etc/dovecot/conf.d/*.conf is a pain on upgrade so we
consolidate that by reverting these files to the distro-provided ones
and shipping a single /etc/dovecot/conf.d/99-local.conf override
instead.
| |
This provides better isolation opportunity as the service doesn't need
to run as the ‘vmail’ user. We use a dedicated system user instead, and
LDAP ACLs to limit its access to the strict minimum.
The new solution is also more robust to quoting/escaping, and doesn't
depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID
instead of %d/%n at some point to make user renaming simpler).
OTOH we no longer list users that have been removed from LDAP but still
have a mailstore lingering around. This is fair.
| |
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
| |
This adds the following two ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
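The "equivalent modulo order" claim in the two commit messages above can be checked mechanically by letting OpenSSL expand both cipher-list strings and comparing the resulting sets. The following is an added example (not code from this repository or from Dovecot) that does so through Python's ssl module, so the OpenSSL linked into the interpreter performs the selection; the Mozilla intermediate string is reproduced from memory of the generator page linked above and should be verified against that URL, and the old/new specs are written with explicit ':' separators, which OpenSSL accepts alongside the unseparated form used in the config.

```python
"""Compare OpenSSL cipher-list strings modulo order and flag weak suites.
Added example, not code from the original page or from Dovecot."""
import ssl

# Mozilla "intermediate" ssl_cipher_list for Dovecot / OpenSSL 1.1.1 as recalled
# from the generator page; verify against that URL before relying on it.
MOZILLA_INTERMEDIATE = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)
# The previous value and the one with EDH+AESGCM+aRSA added, written with
# explicit ':' separators (OpenSSL also accepts the unseparated form).
OLD_SPEC = "EECDH+AESGCM:EECDH+CHACHA20:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL"
NEW_SPEC = "EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM+aRSA:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL"


def _enabled(spec):
    """Cipher descriptions OpenSSL enables for `spec`, minus the TLS 1.3 suites:
    those are governed by a separate setting (ssl_cipher_suites in Dovecot)
    and are always reported by get_ciphers() regardless of the cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def tls12_suites(spec):
    """Set of TLS <= 1.2 cipher names selected by `spec` (order discarded)."""
    return {c["name"] for c in _enabled(spec)}


def spec_diff(spec_a, spec_b):
    """(only in a, only in b); both empty means equivalent modulo order."""
    a, b = tls12_suites(spec_a), tls12_suites(spec_b)
    return sorted(a - b), sorted(b - a)


def weak_suites(spec):
    """Suites in `spec` without forward secrecy (no ephemeral ECDHE/DHE key
    exchange) or without an AEAD mode; a good list returns nothing here."""
    return sorted(
        c["name"] for c in _enabled(spec)
        if not c["aead"] or c["kea"] not in ("kx-ecdhe", "kx-dhe")
    )


if __name__ == "__main__":
    print("new spec vs Mozilla intermediate:", spec_diff(NEW_SPEC, MOZILLA_INTERMEDIATE))
    print("suites added by EDH+AESGCM+aRSA:", spec_diff(OLD_SPEC, NEW_SPEC)[1])
    print("weak suites in new spec:", weak_suites(NEW_SPEC))
```

Because the expansion is done by whichever OpenSSL the interpreter links against, the result can differ from the 1.1.1d the commit message refers to; rerun it on the host that runs Dovecot when the library is upgraded.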
| |
And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’.
| |
Clients now have to use the NAMESPACE extension [RFC 2342] to discover
mailboxes under the “virtual/” namespace. (Plus an extra LIST command,
causing an overhead of two roundtrips.) Of course the downside is that
non-namespace-aware clients lose access to the “virtual/{all,flagged,…}”
mailboxes, but on second thought it's probably better this way rather
than having such clients treat these mailboxes as regular mailboxes.
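What a namespace-aware client has to do after this change, as an added example that is not part of the commit or of Dovecot: parse the untagged NAMESPACE response and issue one LIST per extra prefix, which is where the second round trip comes from. The sample response line is constructed; whether Dovecot advertises “virtual/” as a second personal namespace, as assumed here, depends on the namespace type configured for it.

```python
"""Parse an IMAP NAMESPACE response (RFC 2342) and derive the LIST commands a
client needs to discover mailboxes outside the default namespace.
Added example; not code from the original page or from Dovecot."""
import re

# Constructed sample: default namespace plus a "virtual/" personal namespace.
SAMPLE_RESPONSE = '* NAMESPACE (("" "/")("virtual/" "/")) NIL NIL'

# Tokens of interest: parentheses, the NIL atom, and IMAP quoted strings.
_TOKEN = re.compile(r'\(|\)|NIL|"((?:[^"\\]|\\.)*)"')


def tokenize(text):
    """Yield (kind, value): ('(', None), (')', None), ('nil', None) or ('str', s)."""
    for m in _TOKEN.finditer(text):
        if m.group(1) is not None:
            # undo quoted-string escaping of \" and \\
            yield ("str", re.sub(r'\\(["\\])', r"\1", m.group(1)))
        elif m.group(0) == "NIL":
            yield ("nil", None)
        else:
            yield (m.group(0), None)


def parse_namespace(line):
    """Return (personal, other_users, shared); each is a list of
    (prefix, delimiter) tuples, delimiter being None for flat namespaces."""
    body = line.split(" NAMESPACE ", 1)[1]
    toks = list(tokenize(body))
    pos = 0

    def read_namespace_list():
        nonlocal pos
        if toks[pos][0] == "nil":            # this category is absent
            pos += 1
            return []
        if toks[pos][0] != "(":
            raise ValueError("expected '(' or NIL at token %d" % pos)
        pos += 1
        entries = []
        while toks[pos][0] != ")":
            if toks[pos][0] != "(":
                raise ValueError("expected a namespace entry at token %d" % pos)
            pos += 1
            prefix = toks[pos][1]
            pos += 1
            delimiter = toks[pos][1]          # quoted char, or NIL
            pos += 1
            depth = 0                          # skip Namespace_Response_Extensions
            while not (toks[pos][0] == ")" and depth == 0):
                if toks[pos][0] == "(":
                    depth += 1
                elif toks[pos][0] == ")":
                    depth -= 1
                pos += 1
            pos += 1                           # ')' closing this entry
            entries.append((prefix, delimiter))
        pos += 1                               # ')' closing the list
        return entries

    personal = read_namespace_list()
    other_users = read_namespace_list()
    shared = read_namespace_list()
    return personal, other_users, shared


def quote(s):
    """Encode `s` as an IMAP quoted string."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def discovery_commands(line, tag="a"):
    """LIST commands needed to see every namespace with a non-empty prefix;
    the empty prefix is already covered by a plain LIST "" "*"."""
    cmds = []
    for namespaces in parse_namespace(line):
        for prefix, _delimiter in namespaces:
            if prefix:
                cmds.append("%s%03d LIST %s %s" % (tag, len(cmds) + 1, quote(""), quote(prefix + "*")))
    return cmds


if __name__ == "__main__":
    print(parse_namespace(SAMPLE_RESPONSE))
    for cmd in discovery_commands(SAMPLE_RESPONSE):
        print(cmd)
```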
| |
We don't want to use the default instance since its SIZE limit is
tighter than the ones on the MX:es.
| |
(On port 143.) Moreover, add the whole IPSec virtual subnet to
‘login_trusted_networks’ since our IPSec tunnels provide end-to-end
encryption and we therefore don't need the extra SSL/TLS protection.
| |
Which is disabled by default, as per
http://wiki.dovecot.org/Pigeonhole/Sieve
| |
Fix regression introduced in f7c8011.
| |
We can therefore spare some lookups on the MDA, and use static:all
instead.
| |
So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the
default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it
beforehand).
| |
For DKIM signing and virus checking.
| |
For some reason giraff doesn't like IPSec. App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.
| |
In 2.1.7 they are buggy, and make Dovecot crash (when connected through
Evolution for instance). They have improved a lot since, though:
http://hg.dovecot.org/dovecot-2.2/file/c55c660d6e9d/NEWS
| |
So we set 'first_valid_uid' to 1, to accept any UID.
| |
Interesting features include caching of mail headers (v2.2.8+) as well
as new IMAP capabilities.
| |
Which might be caused by slow LDAP lookups in transport_maps. Instead,
we alias each address for which we want a custom transport to a
dedicated "dummy" domain, and use a static (CDB) transport_maps to map
said domains to their transport; the receiver can then use canonical(8)
to restore the original envelope recipient. Since the alias resolution
is performed by cleanup(8), which can run in parallel with other
instances, it should decongest bottlenecks under heavy loads.
So far only the MX:es have been decongested. The list manager and
the MDA should be treated as well.
| |
That is, don't put a leading virtual_ or a trailing _maps in file names.
| |
We introduce a limitation on the domain-aliases: they can't have
children (e.g., lists or users) any longer.
The whole alias resolution, including catch-alls and domain aliases, is
now done in 'virtual_alias_maps'. We stop the resolution by returning a
dummy alias A -> A for mailboxes, before trying the catch-all maps.
We're still using transport_maps for lists. If it turns out to be a
bottleneck due to the high-latency coming from LDAP maps, (and the fact
that there is a single qmgr(8) daemon), we could rewrite lists to a
dummy subdomain and use a static transport_maps instead:
virtual_alias_maps:
mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain
transport_maps:
mlmmj.localhost.localdomain mlmmj:
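The resolution order described in the commit message above (mailboxes first, returning A -> A, then aliases and domain aliases, catch-alls last) and the dummy-domain transport trick from the later "transport_maps" commit can both be exercised with a small model of Postfix's lookup semantics. The following is an added example with constructed tables and hypothetical addresses; it is not Postfix code. It assumes Postfix's documented key order for virtual_alias_maps (the full address is tried against every table before the '@domain' key is) and for transport_maps (full address, domain, then parent domains), and the '#' convention for carrying the original domain is the one shown in the commit message.

```python
"""Toy model of Postfix virtual_alias_maps / transport_maps resolution plus the
canonical(8) step on the receiving host.  Added example with constructed
tables; it is not Postfix code and only models the documented lookup order."""

RECURSION_LIMIT = 1000                         # Postfix default virtual_alias_recursion_limit
DUMMY_DOMAIN = "mlmmj.localhost.localdomain"   # dummy domain from the commit message

# --- constructed tables (hypothetical addresses), consulted in this order ---
MAILBOXES = {                                  # real mailboxes: A -> A stops expansion
    "alice@example.org": ["alice@example.org"],
    "catchall@example.org": ["catchall@example.org"],
}
ALIASES = {
    "postmaster@example.org": ["alice@example.org"],
    # a list is rewritten to the dummy domain; '#' keeps the original domain
    "mylist@example.org": ["mylist#example.org@" + DUMMY_DOMAIN],
}
DOMAIN_ALIASES = {"@example.net": ["@example.org"]}   # "@a -> @b" keeps the local part
CATCH_ALL = {"@example.org": ["catchall@example.org"]}
VIRTUAL_ALIAS_MAPS = [MAILBOXES, ALIASES, DOMAIN_ALIASES, CATCH_ALL]

TRANSPORT_MAPS = {DUMMY_DOMAIN: "mlmmj:", "example.org": "dovecot:"}   # static, no LDAP
DEFAULT_TRANSPORT = "smtp:"


def split_address(addr):
    local, _, domain = addr.rpartition("@")
    return local, domain


def alias_lookup(tables, addr):
    """One lookup round: the full address is tried in every table before the
    '@domain' key is, so a catch-all only wins for unknown local parts."""
    local, domain = split_address(addr)
    for key in (addr, "@" + domain):
        for table in tables:
            if key in table:
                return [local + r if r.startswith("@") else r for r in table[key]]
    return None


def resolve(tables, addr, depth=0):
    """Expand `addr` until every result is a fixed point (A -> A) or unknown
    to the tables (e.g. an address destined for another transport)."""
    if depth > RECURSION_LIMIT:
        raise ValueError("alias loop while resolving " + addr)
    hit = alias_lookup(tables, addr)
    if hit is None:
        return [addr]
    out = []
    for target in hit:
        if target == addr:
            out.append(target)                 # dummy alias A -> A: accepted as a mailbox
        else:
            out.extend(resolve(tables, target, depth + 1))
    return out


def transport(addr):
    """transport_maps lookup: full address, domain, then parent domains."""
    _local, domain = split_address(addr)
    labels = domain.split(".")
    keys = [addr, domain] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for key in keys:
        if key in TRANSPORT_MAPS:
            return TRANSPORT_MAPS[key]
    return DEFAULT_TRANSPORT


def restore_original(addr):
    """What canonical(8) does on the list host: turn
    mylist#example.org@<dummy domain> back into mylist@example.org."""
    local, domain = split_address(addr)
    if domain == DUMMY_DOMAIN and "#" in local:
        user, _, original_domain = local.rpartition("#")
        return user + "@" + original_domain
    return addr


if __name__ == "__main__":
    for rcpt in ("alice@example.org", "postmaster@example.org",
                 "nobody@example.org", "alice@example.net", "mylist@example.org"):
        final = resolve(VIRTUAL_ALIAS_MAPS, rcpt)
        print(rcpt, "->", final, "via", [transport(a) for a in final])
```

Dropping the MAILBOXES table from the list is the failure mode the A -> A entries guard against: an existing mailbox is then no longer a fixed point and falls into the catch-all.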
| |
It has to be performed last, to give a chance to be accepted as a
regular mailbox.
We introduce a new, dedicated, smtpd daemon whose only purpose is to
resolve catch-alls.
| |
Also, add the 'managesieve' RoundCube plugin to communicate with our
server.
| |
RoundCube lists subscribed mailboxes only (determined using
LIST-EXTENDED by default); also, it seems to ignore new subscriptions to
mailboxes not listed by the LIST command.
| |
See /usr/share/doc/spamassassin/README.Debian.gz