| Commit message | Description | Author | Date | Files |
|---|---|---|---|---|
| Remove module ‘mysql_user2’. | These days upstream's ‘mysql_user’ is good enough. | Guilhem Moulin | 2022-10-11 | 1 |
| Postfix: Install -lmdb in all roles using db=lmdb. | And drop -ldap from all roles other than MX. -lmdb is included in roles/common but it can be helpful to have it in individual roles as well, as they can be run individually. | Guilhem Moulin | 2020-05-21 | 1 |
| dovecot-auth-proxy: replace directory traversal with LDAP lookups. | This provides better isolation opportunity as the service doesn't need to run as ‘vmail’ user. We use a dedicated system user instead, and LDAP ACLs to limit its access to the strict minimum. The new solution is also more robust to quoting/escaping, and doesn't depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID instead of %d/%n at some point to make user renaming simpler). OTOH we no longer list users that have been removed from LDAP but still have a mailstore lingering around. This is fair. | Guilhem Moulin | 2020-05-21 | 1 |
| IMAP: Update role to Debian Buster. | For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d. At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’. | Guilhem Moulin | 2020-05-19 | 1 |
| IMAP: raise per user maximum number of inotify instances from 128 to 512. | | Guilhem Moulin | 2018-12-12 | 1 |
| IMAP: Ensure /home/mail is mounted before creating sub-directories. | | Guilhem Moulin | 2018-12-09 | 1 |
| Upgrade syntax to Ansible 2.7 (apt module). | | Guilhem Moulin | 2018-12-03 | 3 |
| Postfix: replace cdb & btree tables with lmdb ones. | Cf. lmdb_table(5). | Guilhem Moulin | 2018-12-03 | 1 |
| Upgrade syntax to Ansible 2.4. | | Guilhem Moulin | 2017-11-23 | 1 |
| dovecot: enable user iteration and add a cronjob for `doveadm purge -A` | | Guilhem Moulin | 2017-06-05 | 1 |
| Change group of executables in /usr/local/{bin,sbin} from root to staff. | | Guilhem Moulin | 2017-05-14 | 1 |
| IMAP: new script list-users. | | Guilhem Moulin | 2017-05-14 | 1 |
| dovecot: use Single-Instance Storage for mail attachments. | | Guilhem Moulin | 2016-12-10 | 1 |
| Route all internal SMTP traffic through IPsec. | | Guilhem Moulin | 2016-07-10 | 1 |
| Postfix: don't share the master.cf between the instances. | | Guilhem Moulin | 2016-07-10 | 1 |
| Change the pubkey extension from .pem to .pub. | | Guilhem Moulin | 2016-07-10 | 1 |
| dovecot: use the MSA postfix instance for sieve redirection. | We don't want to use the default instance since its SIZE limit is tighter than the ones on the MX:es. | Guilhem Moulin | 2016-07-01 | 1 |
| certs/public: fetch each cert's pubkey (SPKI), not the cert itself. | To avoid new commits upon cert renewal. | Guilhem Moulin | 2016-06-15 | 1 |
| dovecot: also listen on the virtual IP dedicated to IPSec. | (On port 143.) Moreover, add the whole IPSec virtual subnet to ‘login_trusted_networks’ since our IPSec tunnels provide end-to-end encryption and we therefore don't need the extra SSL/TLS protection. | Guilhem Moulin | 2016-05-22 | 1 |
| spamassassin: list our IPSec subnet in trusted_networks. | | Guilhem Moulin | 2016-05-22 | 2 |
| Add an ansible module 'fetch_cmd' to fetch the output of a remote command locally. | And use this to fetch all X.509 leaf certificates. | Guilhem Moulin | 2016-05-18 | 1 |
| Upgrade playbooks to Ansible 2.0. | | Guilhem Moulin | 2016-02-12 | 2 |
| Use the Let's Encrypt CA for our public certs. | | Guilhem Moulin | 2015-12-20 | 1 |
| Automatically fetch X.509 certificates, and add them to git. | | Guilhem Moulin | 2015-12-03 | 1 |
| Rename 'mysql_user' plugin to 'mysql_user2' to avoid name collisions. | | Guilhem Moulin | 2015-07-12 | 1 |
| Configure munin nodes & master. | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. | Guilhem Moulin | 2015-06-10 | 2 |
| SQL: Set empty passwords for auth_socket authentication. | | Guilhem Moulin | 2015-06-07 | 1 |
| Prefer '/usr/sbin/nologin' over '/bin/false' for system users. | | Guilhem Moulin | 2015-06-07 | 1 |
| Upgrade Dovecot config to Jessie. | | Guilhem Moulin | 2015-06-07 | 2 |
| Hash certs using a lookup in the template instead of adding a new task. | | Guilhem Moulin | 2015-06-07 | 1 |
| Fix Dovecot's mail location. | | Guilhem Moulin | 2015-06-07 | 1 |
| Perform the alias resolution and address validation solely on the MX:es. | We can therefore spare some lookups on the MDA, and use static:all instead. | Guilhem Moulin | 2015-06-07 | 1 |
| Add a tag 'tls_policy' to facilitate rekeying. | First generate all certs (-t genkey), then build the TLS policy maps (-t tls_policy). | Guilhem Moulin | 2015-06-07 | 1 |
| Add ability to add custom OrganizationalUnits in genkeypair. | Also, it's now possible to reuse an existing private key (with -f). | Guilhem Moulin | 2015-06-07 | 1 |
| Tell Dovecot we have a remote IMAP proxy. | | Guilhem Moulin | 2015-06-07 | 1 |
| Reload Postfix upon configuration change, but don't restart it. | (Unless a new instance is created, or the master.cf is modified.) Changing some variables, such as inet_protocols, requires a full restart, but most of the time it's overkill. | Guilhem Moulin | 2015-06-07 | 1 |
| Don't restart/reload Postfix upon change of a file based database. | And don't restart or reload either upon change of pcre: files that are used by smtpd(8), cleanup(8) or local(8), following the suggestion from http://www.postfix.org/DATABASE_README.html#detect. | Guilhem Moulin | 2015-06-07 | 1 |
| Install amavisd-new on the outgoing SMTP proxy. | For DKIM signing and virus checking. | Guilhem Moulin | 2015-06-07 | 3 |
| Don't auto-create home directories when adding system users. | Unlike adduser(8), ansible's 'user' module copies skeletal configuration files even for system users (unless called with createhome=no). | Guilhem Moulin | 2015-06-07 | 1 |
| Use stunnel to secure the connection from the IMAP proxy to the IMAP server. | The reason is that we don't want to rely on CAs to verify the certificate of our server. Dovecot currently doesn't offer a way to match said cert against a local copy or known fingerprint. stunnel does. | Guilhem Moulin | 2015-06-07 | 1 |
| Replace IPSec tunnels by app-level ephemeral TLS sessions. | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well. | Guilhem Moulin | 2015-06-07 | 2 |
| Fix syntax error. | | Guilhem Moulin | 2015-06-07 | 1 |
| Generate certs for Dovecot and Nginx if they are not there. | | Guilhem Moulin | 2015-06-07 | 1 |
| Create a nightly cron job to purge expunged messages. | This is required for dbox, see http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox | Guilhem Moulin | 2015-06-07 | 1 |
| Fix YAML syntax error. | | Guilhem Moulin | 2015-06-07 | 1 |
| chown root:root /home/mail && chmod 0755 /home/mail | This ensures that Dovecot won't deliver messages if the disk hasn't been mounted, for instance. | Guilhem Moulin | 2015-06-07 | 1 |
| Decongest potential bottlenecks on trivial_rewrite(8). | Which might be caused by slow LDAP lookups in transport_maps. Instead, we alias each address for which we want a custom transport to a dedicated "dummy" domain, and use a static (CDB) transport_maps to map said domains to their transport; the receiver can then use canonical(8) to restore the original envelope recipient. Since the alias resolution is performed by cleanup(8), which can run in parallel with other instances, it should decongest bottlenecks under heavy loads. So far only the MX:es have been decongested. The list manager and the MDA should be treated as well. | Guilhem Moulin | 2015-06-07 | 1 |
| Ansible automatically creates parent directories. | | Guilhem Moulin | 2015-06-07 | 1 |
| Make the *_maps file names uniform. | That is, don't put a leading virtual_ or a trailing _maps in file names. | Guilhem Moulin | 2015-06-07 | 1 |
| wibble | | Guilhem Moulin | 2015-06-07 | 1 |