summaryrefslogtreecommitdiffstats
path: root/roles/IMAP
Commit message (Collapse)AuthorAgeFiles
* postfix: Remove obsolete templates tls_policy/relay_clientcerts.Guilhem Moulin2016-07-121
|
* postfix: commit the master.cf symlinks.Guilhem Moulin2016-07-121
|
* Postfix lists/MDA instances: only include the MX:es' IPs in $mynetworks.Guilhem Moulin2016-07-101
|
* Route all internal SMTP traffic through IPsec.Guilhem Moulin2016-07-102
|
* Postfix: avoid hardcoding the instance names.Guilhem Moulin2016-07-101
|
* Postfix: don't share the master.cf between the instances.Guilhem Moulin2016-07-102
|
* postfix: Don't explicitly set inet_interfaces=all as it's the default.Guilhem Moulin2016-07-101
|
* Change the pubkey extension from .pem to .pub.Guilhem Moulin2016-07-101
|
* IMAP: don't include mailbox under the virtual namespace in LIST responses.Guilhem Moulin2016-07-061
| | | | | | | | | Clients now have to use the NAMESPACE extension [RFC 2342] to discover mailboxes under the “virtual/” namespace. (Plus an extra LIST command, causing an overhead two roundtrips.) Of course the downside is that non namespace-aware clients lose access to the “virtual/{all,flagged,…}” mailboxes, but on second thought it's probably better this way rather than having such clients treat these mailboxes as regular mailboxes.
* dovecot: use the MSA postfix instance for sieve redirection.Guilhem Moulin2016-07-012
| | | | | We don't want to use the default instance since its SIZE limit is tighter than the ones on the MX:es.
* certs/public: fetch each cert's pubkey (SPKI), not the cert itself.Guilhem Moulin2016-06-151
| | | | To avoid new commits upon cert renewal.
* dovecot: don't listen on the IP dedicated for IPSec when there is a single host.Guilhem Moulin2016-05-231
|
* dovecot: also listen on the virtual IP dedicated to IPSec.Guilhem Moulin2016-05-222
| | | | | | (On port 143.) Moreover, add the whole IPSec virtual subnet to ‘login_trusted_networks’ since our IPSec tunnels provide end-to-end encryption and we therefore don't need the extra SSL/TLS protection.
* spamassassin: list our IPSec subnet in trusted_networks.Guilhem Moulin2016-05-223
|
* postfix: Update to recommended TLS settings.Guilhem Moulin2016-05-181
| | | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.)
* postfix: unset 'smtpd_tls_session_cache_database'.Guilhem Moulin2016-05-181
| | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11 http://article.gmane.org/gmane.mail.postfix.user/251935
* Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.Guilhem Moulin2016-05-181
| | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out.
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵Guilhem Moulin2016-05-181
| | | | | | locally. And use this to fetch all X.509 leaf certificates.
* Remove SMTP message size limit on non public MTAs.Guilhem Moulin2016-03-211
|
* Let's EncryptGuilhem Moulin2016-03-021
|
* Upgrade playbooks to Ansible 2.0.Guilhem Moulin2016-02-123
|
* Use the Let's Encrypt CA for our public certs.Guilhem Moulin2015-12-202
|
* dovecot: remove !SSLv2 from ssl_cipher_list.Guilhem Moulin2015-12-151
|
* Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the ↵Guilhem Moulin2015-12-031
| | | | cert itself.
* Automatically fetch X.509 certificates, and add them to git.Guilhem Moulin2015-12-031
|
* dovecot-sieve: Enable the 'editheader' extension (5293).Guilhem Moulin2015-11-261
| | | | | Which is disabled by default, as per http://wiki.dovecot.org/Pigeonhole/Sieve
* Remove \Recent flags when a virtual mailbox is SELECTed.Guilhem Moulin2015-09-304
|
* IMAP: Store virtual indexes in memory.Guilhem Moulin2015-09-301
|
* dovecot: Disable SSLv3.Guilhem Moulin2015-09-171
|
* Fix address verification probes on the MSA.Guilhem Moulin2015-09-161
| | | | | Put all relay restrictions under smtpd_relay_restrictions and leave smtpd_recipient_restrictions empty, since we don't do DNSBL.
* Enable the IMAP COMPRESS extension [RFC4978].Guilhem Moulin2015-09-151
|
* Rename 'mysql_user' plugin to 'mysql_user2' to avoid name collisions.Guilhem Moulin2015-07-121
|
* Configure munin nodes & master.Guilhem Moulin2015-06-103
| | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.
* Dovecot: Collect IMAP statistics.Guilhem Moulin2015-06-104
|
* Allow 'vmail' users with a UID lower than 500.Guilhem Moulin2015-06-101
| | | | Fix regression introduced in f7c8011.
* SQL: Set empty passwords for auth_socket authentication.Guilhem Moulin2015-06-071
|
* Prefer '/usr/sbin/nologin' over '/bin/false' for system users.Guilhem Moulin2015-06-071
|
* logjam mitigation.Guilhem Moulin2015-06-072
|
* Upgrade Dovecot config to Jessie.Guilhem Moulin2015-06-0712
|
* Remove reject_unknown_sender_domain from the MDA and outgoing SMTP.Guilhem Moulin2015-06-071
| | | | | | | | | | We already removed it from the MX:es (see 32e605d4); we need to remove it from the MDA and outgoing SMTP as well, otherwise mails could bounce or get stuck in the middle (the're rejected with 450: deferred by default). However we can keep the restriction on the entry points (MSA and webmail).
* Hash certs using a lookup in the template instead of add a new task.Guilhem Moulin2015-06-072
|
* Fix $smtpd_sender_restrictions.Guilhem Moulin2015-06-071
| | | | | | | | | | | | On the MDA the domain is our 'mda.fripost.org', there is no need to perform an extra DNS lookup. The MSA does not perform local or virtual delivery, but relays everything to the outgoing SMTP proxy. On the MX, there is no need to check for recipient validity as we are the final destination; but unsure that the RCPT TO address is a valid recipient before doing the greylisting.
* Explain why we use static transport maps and custom subdomains.Guilhem Moulin2015-06-071
|
* Fix Dovecot's mail location.Guilhem Moulin2015-06-073
|
* Perform the alias resolution and address validation solely on the MX:es.Guilhem Moulin2015-06-076
| | | | | We can therefore spare some lookups on the MDA, and use static:all instead.
* Add a tag 'tls_policy' to facilitate rekeying.Guilhem Moulin2015-06-071
| | | | | First generate all certs (-t genkey), then build the TLS policy maps ( -t tls_policy).
* Remove o=mailHosting from the LDAP directory suffix.Guilhem Moulin2015-06-074
| | | | | | So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it before hand).
* Add ability to add custom OrganizationalUnits in genkeypair.Guilhem Moulin2015-06-071
| | | | Also, it's now possible to reuse an existing private key (with -f).
* Increase the timeout in the smtpd waiting for the reinjection from amavis.Guilhem Moulin2015-06-071
| | | | | | | | SMTP client connection caching was introduced in 2.6.0: the SMTP session is held for the next task (in adaptative mode, only when there was a delay of only 5s between the two previous mails), but Postfix will terminate it if the next mail doesn't come soon enough, or if amavis does't terminate it itself (usually after 15s).
* Tell Dovecot we have a remote IMAP proxy.Guilhem Moulin2015-06-071
|