summaryrefslogtreecommitdiffstats
path: root/roles/IMAP/tasks
Commit message (Collapse)AuthorAgeFiles
* dovecot-auth-proxy: replace directory traversal with LDAP lookups.Guilhem Moulin2020-05-211
| | | | | | | | | | | | | This provides better isolation opportunity as the service doesn't need to run as ‘vmail’ user. We use a dedicated system user instead, and LDAP ACLs to limit its access to the strict minimum. The new solution is also more robust to quoting/escaping, and doesn't depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID instead of %d/%n at some point to make user renaming simpler). OTOH we no longer lists users that have been removed from LDAP but still have a mailstore lingering around. This is fair.
* IMAP: Update role to Debian Buster.Guilhem Moulin2020-05-191
| | | | | | | | For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
* IMAP: raise per user maximum number of inotify instances from 128 to 512.Guilhem Moulin2018-12-121
|
* IMAP: Ensure /home/mail is mounted before creating sub-directories.Guilhem Moulin2018-12-091
|
* Upgrade syntax to Ansible 2.7 (apt module).Guilhem Moulin2018-12-033
|
* Postfix: replace cdb & btree tables with lmdb ones.Guilhem Moulin2018-12-031
| | | | Cf. lmdb_table(5).
* Upgrade syntax to Ansible 2.4.Guilhem Moulin2017-11-231
|
* dovecot: enable user iteration and add a cronjob for `doveadm purge -A`Guilhem Moulin2017-06-051
|
* Change group of executables in /usr/local/{bin,sbin} from root to staff.Guilhem Moulin2017-05-141
|
* IMAP: new script list-users.Guilhem Moulin2017-05-141
|
* dovecot: use Single-Instance Storage for mail attachments.Guilhem Moulin2016-12-101
|
* Route all internal SMTP traffic through IPsec.Guilhem Moulin2016-07-101
|
* Postfix: don't share the master.cf between the instances.Guilhem Moulin2016-07-101
|
* Change the pubkey extension from .pem to .pub.Guilhem Moulin2016-07-101
|
* dovecot: use the MSA postfix instance for sieve redirection.Guilhem Moulin2016-07-011
| | | | | We don't want to use the default instance since its SIZE limit is tighter than the ones on the MX:es.
* certs/public: fetch each cert's pubkey (SPKI), not the cert itself.Guilhem Moulin2016-06-151
| | | | To avoid new commits upon cert renewal.
* dovecot: also listen on the virtual IP dedicated to IPSec.Guilhem Moulin2016-05-221
| | | | | | (On port 143.) Moreover, add the whole IPSec virtual subnet to ‘login_trusted_networks’ since our IPSec tunnels provide end-to-end encryption and we therefore don't need the extra SSL/TLS protection.
* spamassassin: list our IPSec subnet in trusted_networks.Guilhem Moulin2016-05-222
|
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵Guilhem Moulin2016-05-181
| | | | | | locally. And use this to fetch all X.509 leaf certificates.
* Upgrade playbooks to Ansible 2.0.Guilhem Moulin2016-02-122
|
* Use the Let's Encrypt CA for our public certs.Guilhem Moulin2015-12-201
|
* Automatically fetch X.509 certificates, and add them to git.Guilhem Moulin2015-12-031
|
* Rename 'mysql_user' plugin to 'mysql_user2' to avoid name collisions.Guilhem Moulin2015-07-121
|
* Configure munin nodes & master.Guilhem Moulin2015-06-102
| | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.
* SQL: Set empty passwords for auth_socket authentication.Guilhem Moulin2015-06-071
|
* Prefer '/usr/sbin/nologin' over '/bin/false' for system users.Guilhem Moulin2015-06-071
|
* Upgrade Dovecot config to Jessie.Guilhem Moulin2015-06-072
|
* Hash certs using a lookup in the template instead of add a new task.Guilhem Moulin2015-06-071
|
* Fix Dovecot's mail location.Guilhem Moulin2015-06-071
|
* Perform the alias resolution and address validation solely on the MX:es.Guilhem Moulin2015-06-071
| | | | | We can therefore spare some lookups on the MDA, and use static:all instead.
* Add a tag 'tls_policy' to facilitate rekeying.Guilhem Moulin2015-06-071
| | | | | First generate all certs (-t genkey), then build the TLS policy maps ( -t tls_policy).
* Add ability to add custom OrganizationalUnits in genkeypair.Guilhem Moulin2015-06-071
| | | | Also, it's now possible to reuse an existing private key (with -f).
* Tell Dovecot we have a remote IMAP proxy.Guilhem Moulin2015-06-071
|
* Reload Postfix upon configuration change, but don't restart it.Guilhem Moulin2015-06-071
| | | | | | (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, require a full restart, but most of the time it's overkill.
* Don't restart/reload Postifx upon change of a file based database.Guilhem Moulin2015-06-071
| | | | | | And don't restart or reload either upon change of pcre: files that are used by smtpd(8), cleanup(8) or local(8), following the suggestion from http://www.postfix.org/DATABASE_README.html#detect .
* Install amavisd-new on the outgoing SMTP proxy.Guilhem Moulin2015-06-073
| | | | For DKIM signing and virus checking.
* Don't auto-create home directories when adding system users.Guilhem Moulin2015-06-071
| | | | | Unlike adduser(8), ansible's 'user' module copies skeletal configuration files even for system users (unless called with createhome=no).
* Use stunnel to secure the connection from the IMAP proxy to the IMAP server.Guilhem Moulin2015-06-071
| | | | | | | The reason is that we don't want to rely on CAs to verify the certificate of our server. Dovecot currently doesn't offer a way to match said cert against a local copy or known fingerprint. stunnel does.
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-072
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Fix syntax error.Guilhem Moulin2015-06-071
|
* Generate certs for Dovecot and Nginx if they are not there.Guilhem Moulin2015-06-071
|
* Create a nightly cron job to purge expunged messages.Guilhem Moulin2015-06-071
| | | | | This is required for dbox, see http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
* Fix YAML syntax error.Guilhem Moulin2015-06-071
|
* chown root:root /home/mail && chmod 0755 /home/mailGuilhem Moulin2015-06-071
| | | | | This ensures that Dovecot won't deliver messages if the disk hasn't been mounted, for instance.
* Decongestion potential bottlenecks on trivial_rewrite(8).Guilhem Moulin2015-06-071
| | | | | | | | | | | | | Which might be caused by slow LDAP lookups in transport_maps. Instead, we alias each addresses for which we want a custom transport to a dedicated "dummy" domain, and use a static (CDB) transport_maps to map said domains to their transport; the receiver can then use canonical(8) to restore the original envelope recipient. Since the alias resolution is performed by cleanup(8), which can run in parallel with other instances, it should decongestion bottlenecks under heavy loads. So far only the MX:es have been decongestioned. The list manager and the MDA should be treated as well.
* Ansible automatically creates parent directories.Guilhem Moulin2015-06-071
|
* Make the *_maps file names uniform.Guilhem Moulin2015-06-071
| | | | That is, don't put a leading virtual_ or a trailing _maps in file names.
* wibbleGuilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* Configure Sieve and ManageSieve.Guilhem Moulin2015-06-071
| | | | | Also, add the 'managesieve' RoundCube plugin to communicate with our server.