summaryrefslogtreecommitdiffstats
path: root/roles/IMAP/tasks
Commit message (Collapse)AuthorAgeFiles
* Change group of executables in /usr/local/{bin,sbin} from root to staff.Guilhem Moulin2017-05-141
|
* IMAP: new script list-users.Guilhem Moulin2017-05-141
|
* dovecot: use Single-Instance Storage for mail attachments.Guilhem Moulin2016-12-101
|
* Route all internal SMTP traffic through IPsec.Guilhem Moulin2016-07-101
|
* Postfix: don't share the master.cf between the instances.Guilhem Moulin2016-07-101
|
* Change the pubkey extension from .pem to .pub.Guilhem Moulin2016-07-101
|
* dovecot: use the MSA postfix instance for sieve redirection.Guilhem Moulin2016-07-011
| | | | | We don't want to use the default instance since its SIZE limit is tighter than the ones on the MX:es.
* certs/public: fetch each cert's pubkey (SPKI), not the cert itself.Guilhem Moulin2016-06-151
| | | | To avoid new commits upon cert renewal.
* dovecot: also listen on the virtual IP dedicated to IPSec.Guilhem Moulin2016-05-221
| | | | | | (On port 143.) Moreover, add the whole IPSec virtual subnet to ‘login_trusted_networks’ since our IPSec tunnels provide end-to-end encryption and we therefore don't need the extra SSL/TLS protection.
* spamassassin: list our IPSec subnet in trusted_networks.Guilhem Moulin2016-05-222
|
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵Guilhem Moulin2016-05-181
| | | | | | locally. And use this to fetch all X.509 leaf certificates.
* Upgrade playbooks to Ansible 2.0.Guilhem Moulin2016-02-122
|
* Use the Let's Encrypt CA for our public certs.Guilhem Moulin2015-12-201
|
* Automatically fetch X.509 certificates, and add them to git.Guilhem Moulin2015-12-031
|
* Rename 'mysql_user' plugin to 'mysql_user2' to avoid name collisions.Guilhem Moulin2015-07-121
|
* Configure munin nodes & master.Guilhem Moulin2015-06-102
| | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.
* SQL: Set empty passwords for auth_socket authentication.Guilhem Moulin2015-06-071
|
* Prefer '/usr/sbin/nologin' over '/bin/false' for system users.Guilhem Moulin2015-06-071
|
* Upgrade Dovecot config to Jessie.Guilhem Moulin2015-06-072
|
* Hash certs using a lookup in the template instead of add a new task.Guilhem Moulin2015-06-071
|
* Fix Dovecot's mail location.Guilhem Moulin2015-06-071
|
* Perform the alias resolution and address validation solely on the MX:es.Guilhem Moulin2015-06-071
| | | | | We can therefore spare some lookups on the MDA, and use static:all instead.
* Add a tag 'tls_policy' to facilitate rekeying.Guilhem Moulin2015-06-071
| | | | | First generate all certs (-t genkey), then build the TLS policy maps ( -t tls_policy).
* Add ability to add custom OrganizationalUnits in genkeypair.Guilhem Moulin2015-06-071
| | | | Also, it's now possible to reuse an existing private key (with -f).
* Tell Dovecot we have a remote IMAP proxy.Guilhem Moulin2015-06-071
|
* Reload Postfix upon configuration change, but don't restart it.Guilhem Moulin2015-06-071
| | | | | | (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, require a full restart, but most of the time it's overkill.
* Don't restart/reload Postifx upon change of a file based database.Guilhem Moulin2015-06-071
| | | | | | And don't restart or reload either upon change of pcre: files that are used by smtpd(8), cleanup(8) or local(8), following the suggestion from http://www.postfix.org/DATABASE_README.html#detect .
* Install amavisd-new on the outgoing SMTP proxy.Guilhem Moulin2015-06-073
| | | | For DKIM signing and virus checking.
* Don't auto-create home directories when adding system users.Guilhem Moulin2015-06-071
| | | | | Unlike adduser(8), ansible's 'user' module copies skeletal configuration files even for system users (unless called with createhome=no).
* Use stunnel to secure the connection from the IMAP proxy to the IMAP server.Guilhem Moulin2015-06-071
| | | | | | | The reason is that we don't want to rely on CAs to verify the certificate of our server. Dovecot currently doesn't offer a way to match said cert against a local copy or known fingerprint. stunnel does.
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-072
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Fix syntax error.Guilhem Moulin2015-06-071
|
* Generate certs for Dovecot and Nginx if they are not there.Guilhem Moulin2015-06-071
|
* Create a nightly cron job to purge expunged messages.Guilhem Moulin2015-06-071
| | | | | This is required for dbox, see http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
* Fix YAML syntax error.Guilhem Moulin2015-06-071
|
* chown root:root /home/mail && chmod 0755 /home/mailGuilhem Moulin2015-06-071
| | | | | This ensures that Dovecot won't deliver messages if the disk hasn't been mounted, for instance.
* Decongestion potential bottlenecks on trivial_rewrite(8).Guilhem Moulin2015-06-071
| | | | | | | | | | | | | Which might be caused by slow LDAP lookups in transport_maps. Instead, we alias each addresses for which we want a custom transport to a dedicated "dummy" domain, and use a static (CDB) transport_maps to map said domains to their transport; the receiver can then use canonical(8) to restore the original envelope recipient. Since the alias resolution is performed by cleanup(8), which can run in parallel with other instances, it should decongestion bottlenecks under heavy loads. So far only the MX:es have been decongestioned. The list manager and the MDA should be treated as well.
* Ansible automatically creates parent directories.Guilhem Moulin2015-06-071
|
* Make the *_maps file names uniform.Guilhem Moulin2015-06-071
| | | | That is, don't put a leading virtual_ or a trailing _maps in file names.
* wibbleGuilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* Configure Sieve and ManageSieve.Guilhem Moulin2015-06-071
| | | | | Also, add the 'managesieve' RoundCube plugin to communicate with our server.
* Compile Spamassassin rules.Guilhem Moulin2015-06-071
| | | | See /usr/share/doc/spamassassin/README.Debian.gz
* Auto-update Spamassassin's ruleset.Guilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-071
|
* Configure dovecot's antispam filter.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | Mails to be retrained are stored in the spooldir /home/mail/spamspool; later a daemon catches them up and feed them to sa-learn(1p). (On busy systems batch-process the learning should be much more efficient.) The folder transisition matrix along with the corresponding actions can be found there: http://hg.dovecot.org/dovecot-antispam-plugin/raw-file/5ebc6aae4d7c/doc/dovecot-antispam.7.txt See also dovecot-antispam(7).
* Enable IMAP virtual mailboxes.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | Using dovecot's 'virtual' plugin, cf. http://wiki2.dovecot.org/Plugins/Virtual The 'virtual/' namespace is visible in the NAMESPACE command (hidden=no), but not in LIST (list=no). This should ensure that the namespace isn't automatically synced by offlineimap, but nevertheless visible by roundcube, cf. http://trac.roundcube.net/ticket/1486796 http://mailman2.u.washington.edu/pipermail/imap-protocol/2010-May/001076.html
* Configure the content filter.Guilhem Moulin2015-06-073
| | | | | | | | | | | Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new. Each user has his/her amavis preferences, and own Bayes filter (to maximize privacy). One question remains, though: how to set spamassassin's trusted_networks / internal_networks / msa_networks? It seems not obivious to get it write with IPSec and dynamic IPs. (Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)
* Configure the Mail Delivery Agent.Guilhem Moulin2015-06-072
|
* Configure the IMAP server.Guilhem Moulin2015-06-072
(For now, only LMTP and IMAP processes, without replication.)