summaryrefslogtreecommitdiffstats
path: root/roles/IMAP/tasks/imap.yml
Commit message (Collapse)AuthorAgeFiles
* IMAP: Adjust dovecot configuration to bullseye.Guilhem Moulin2024-09-081
| | | | | | | Provisioning /etc/dovecot/conf.d/*.conf is a pain on upgrade so we consolidate that by reverting these files to the distro-provided ones and shipping a single /etc/dovecot/conf.d/99-local.conf override instead.
* dovecot-auth-proxy: replace directory traversal with LDAP lookups.Guilhem Moulin2020-05-211
| | | | | | | | | | | | | This provides better isolation opportunity as the service doesn't need to run as ‘vmail’ user. We use a dedicated system user instead, and LDAP ACLs to limit its access to the strict minimum. The new solution is also more robust to quoting/escaping, and doesn't depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID instead of %d/%n at some point to make user renaming simpler). OTOH we no longer lists users that have been removed from LDAP but still have a mailstore lingering around. This is fair.
* IMAP: Update role to Debian Buster.Guilhem Moulin2020-05-191
| | | | | | | | For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
* IMAP: raise per user maximum number of inotify instances from 128 to 512.Guilhem Moulin2018-12-121
|
* IMAP: Ensure /home/mail is mounted before creating sub-directories.Guilhem Moulin2018-12-091
|
* Upgrade syntax to Ansible 2.7 (apt module).Guilhem Moulin2018-12-031
|
* dovecot: enable user iteration and add a cronjob for `doveadm purge -A`Guilhem Moulin2017-06-051
|
* Change group of executables in /usr/local/{bin,sbin} from root to staff.Guilhem Moulin2017-05-141
|
* IMAP: new script list-users.Guilhem Moulin2017-05-141
|
* dovecot: use Single-Instance Storage for mail attachments.Guilhem Moulin2016-12-101
|
* Change the pubkey extension from .pem to .pub.Guilhem Moulin2016-07-101
|
* dovecot: use the MSA postfix instance for sieve redirection.Guilhem Moulin2016-07-011
| | | | | We don't want to use the default instance since its SIZE limit is tighter than the ones on the MX:es.
* certs/public: fetch each cert's pubkey (SPKI), not the cert itself.Guilhem Moulin2016-06-151
| | | | To avoid new commits upon cert renewal.
* dovecot: also listen on the virtual IP dedicated to IPSec.Guilhem Moulin2016-05-221
| | | | | | (On port 143.) Moreover, add the whole IPSec virtual subnet to ‘login_trusted_networks’ since our IPSec tunnels provide end-to-end encryption and we therefore don't need the extra SSL/TLS protection.
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵Guilhem Moulin2016-05-181
| | | | | | locally. And use this to fetch all X.509 leaf certificates.
* Upgrade playbooks to Ansible 2.0.Guilhem Moulin2016-02-121
|
* Use the Let's Encrypt CA for our public certs.Guilhem Moulin2015-12-201
|
* Automatically fetch X.509 certificates, and add them to git.Guilhem Moulin2015-12-031
|
* Configure munin nodes & master.Guilhem Moulin2015-06-101
| | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.
* Prefer '/usr/sbin/nologin' over '/bin/false' for system users.Guilhem Moulin2015-06-071
|
* Upgrade Dovecot config to Jessie.Guilhem Moulin2015-06-071
|
* Fix Dovecot's mail location.Guilhem Moulin2015-06-071
|
* Add ability to add custom OrganizationalUnits in genkeypair.Guilhem Moulin2015-06-071
| | | | Also, it's now possible to reuse an existing private key (with -f).
* Tell Dovecot we have a remote IMAP proxy.Guilhem Moulin2015-06-071
|
* Don't auto-create home directories when adding system users.Guilhem Moulin2015-06-071
| | | | | Unlike adduser(8), ansible's 'user' module copies skeletal configuration files even for system users (unless called with createhome=no).
* Use stunnel to secure the connection from the IMAP proxy to the IMAP server.Guilhem Moulin2015-06-071
| | | | | | | The reason is that we don't want to rely on CAs to verify the certificate of our server. Dovecot currently doesn't offer a way to match said cert against a local copy or known fingerprint. stunnel does.
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-071
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Fix syntax error.Guilhem Moulin2015-06-071
|
* Generate certs for Dovecot and Nginx if they are not there.Guilhem Moulin2015-06-071
|
* Create a nightly cron job to purge expunged messages.Guilhem Moulin2015-06-071
| | | | | This is required for dbox, see http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
* Fix YAML syntax error.Guilhem Moulin2015-06-071
|
* chown root:root /home/mail && chmod 0755 /home/mailGuilhem Moulin2015-06-071
| | | | | This ensures that Dovecot won't deliver messages if the disk hasn't been mounted, for instance.
* Ansible automatically creates parent directories.Guilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-071
|
* Configure Sieve and ManageSieve.Guilhem Moulin2015-06-071
| | | | | Also, add the 'managesieve' RoundCube plugin to communicate with our server.
* Configure dovecot's antispam filter.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | Mails to be retrained are stored in the spooldir /home/mail/spamspool; later a daemon catches them up and feed them to sa-learn(1p). (On busy systems batch-process the learning should be much more efficient.) The folder transisition matrix along with the corresponding actions can be found there: http://hg.dovecot.org/dovecot-antispam-plugin/raw-file/5ebc6aae4d7c/doc/dovecot-antispam.7.txt See also dovecot-antispam(7).
* Enable IMAP virtual mailboxes.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | Using dovecot's 'virtual' plugin, cf. http://wiki2.dovecot.org/Plugins/Virtual The 'virtual/' namespace is visible in the NAMESPACE command (hidden=no), but not in LIST (list=no). This should ensure that the namespace isn't automatically synced by offlineimap, but nevertheless visible by roundcube, cf. http://trac.roundcube.net/ticket/1486796 http://mailman2.u.washington.edu/pipermail/imap-protocol/2010-May/001076.html
* Configure the IMAP server.Guilhem Moulin2015-06-071
(For now, only LMTP and IMAP processes, without replication.)