summaryrefslogtreecommitdiffstats
path: root/roles/IMAP
Commit message (Collapse)AuthorAgeFiles
* Prefix ‘ipaddr’ and ‘ipv4’ with ‘ansible.utils.’.Guilhem Moulin2022-10-111
| | | | | | | This silences the following deprecation warning: Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
* Postfix: Install -lmdb in all roles using db=lmdb.Guilhem Moulin2020-05-211
| | | | | | And drop -ldap from all roles other than MX. -lmdb is included in roles/common but it can be helpful to have it individual roles as well as they can be run individually.
* dovecot-auth-proxy: replace directory traversal with LDAP lookups.Guilhem Moulin2020-05-214
| | | | | | | | | | | | | This provides better isolation opportunity as the service doesn't need to run as ‘vmail’ user. We use a dedicated system user instead, and LDAP ACLs to limit its access to the strict minimum. The new solution is also more robust to quoting/escaping, and doesn't depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID instead of %d/%n at some point to make user renaming simpler). OTOH we no longer lists users that have been removed from LDAP but still have a mailstore lingering around. This is fair.
* dovecot-auth-proxy: Bump protocol version to 2.2.Guilhem Moulin2020-05-201
| | | | | | | | This a regression rom 829f4d830aefedd95a75e61cfc9aa3e03f039c6f. There are no relevant interface changes between 2.2.27 (stretch) and 2.3.4 (buster) cf. `git diff 2.2.27..2.3.4 src/lib-dict/dict-client.h` and https://github.com/dovecot/core/commits/2.3.4/src/lib-dict/dict-client.h .
* IMAP: Update role to Debian Buster.Guilhem Moulin2020-05-1911
| | | | | | | | For `ssl_cipher_list` we pick the suggested value from https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’ to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
* AEAD ciphers: Add EECDH+CHACHA20 macro.Guilhem Moulin2020-05-181
| | | | | | | This adds the following two ciphers: ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
* dovecot: raise default_vsz_limit from 256MB to 512MB.Guilhem Moulin2019-05-231
| | | | | | | | | This avoids lmtp errors like Error: mmap(size=0) failed with file […] dbox-Mails/dovecot.index.cache: Cannot allocate memory See https://www.dovecot.org/list/dovecot/2012-August/137569.html and https://www.dovecot.org/list/dovecot/2011-December/132455.html .
* IMAP: raise per user maximum number of inotify instances from 128 to 512.Guilhem Moulin2018-12-121
|
* Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch.Guilhem Moulin2018-12-0915
|
* IMAP: Ensure /home/mail is mounted before creating sub-directories.Guilhem Moulin2018-12-091
|
* systemd.service: Tighten hardening options.Guilhem Moulin2018-12-091
|
* systemd: Replace ‘ProtectSystem=full’ with ‘ProtectSystem=strict’.Guilhem Moulin2018-12-091
| | | | And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’.
* postfix: remove explicit default 'mail_owner = postfix'.Guilhem Moulin2018-12-061
|
* Upgrade syntax to Ansible 2.7 (apt module).Guilhem Moulin2018-12-033
|
* Postfix: replace cdb & btree tables with lmdb ones.Guilhem Moulin2018-12-032
| | | | Cf. lmdb_table(5).
* Upgrade syntax to Ansible 2.4.Guilhem Moulin2017-11-231
|
* dovecot-auth-proxy: Fix synopsis line.Guilhem Moulin2017-06-051
|
* dovecot: enable user iteration and add a cronjob for `doveadm purge -A`Guilhem Moulin2017-06-058
|
* Change group of executables in /usr/local/{bin,sbin} from root to staff.Guilhem Moulin2017-05-141
|
* IMAP: new script list-users.Guilhem Moulin2017-05-142
|
* dovecot: Deduplicate attachments hourly, just before automatic backup.Guilhem Moulin2016-12-111
|
* dovecot: use Single-Instance Storage for mail attachments.Guilhem Moulin2016-12-103
|
* Dovecot: Explicitly disable LDAP.Guilhem Moulin2016-12-081
|
* Dovecot: use fallocate(2) to preallocate new mdbox files.Guilhem Moulin2016-12-081
|
* postfix: Remove obsolete templates tls_policy/relay_clientcerts.Guilhem Moulin2016-07-121
|
* postfix: commit the master.cf symlinks.Guilhem Moulin2016-07-121
|
* Postfix lists/MDA instances: only include the MX:es' IPs in $mynetworks.Guilhem Moulin2016-07-101
|
* Route all internal SMTP traffic through IPsec.Guilhem Moulin2016-07-102
|
* Postfix: avoid hardcoding the instance names.Guilhem Moulin2016-07-101
|
* Postfix: don't share the master.cf between the instances.Guilhem Moulin2016-07-102
|
* postfix: Don't explicitly set inet_interfaces=all as it's the default.Guilhem Moulin2016-07-101
|
* Change the pubkey extension from .pem to .pub.Guilhem Moulin2016-07-101
|
* IMAP: don't include mailbox under the virtual namespace in LIST responses.Guilhem Moulin2016-07-061
| | | | | | | | | Clients now have to use the NAMESPACE extension [RFC 2342] to discover mailboxes under the “virtual/” namespace. (Plus an extra LIST command, causing an overhead two roundtrips.) Of course the downside is that non namespace-aware clients lose access to the “virtual/{all,flagged,…}” mailboxes, but on second thought it's probably better this way rather than having such clients treat these mailboxes as regular mailboxes.
* dovecot: use the MSA postfix instance for sieve redirection.Guilhem Moulin2016-07-012
| | | | | We don't want to use the default instance since its SIZE limit is tighter than the ones on the MX:es.
* certs/public: fetch each cert's pubkey (SPKI), not the cert itself.Guilhem Moulin2016-06-151
| | | | To avoid new commits upon cert renewal.
* dovecot: don't listen on the IP dedicated for IPSec when there is a single host.Guilhem Moulin2016-05-231
|
* dovecot: also listen on the virtual IP dedicated to IPSec.Guilhem Moulin2016-05-222
| | | | | | (On port 143.) Moreover, add the whole IPSec virtual subnet to ‘login_trusted_networks’ since our IPSec tunnels provide end-to-end encryption and we therefore don't need the extra SSL/TLS protection.
* spamassassin: list our IPSec subnet in trusted_networks.Guilhem Moulin2016-05-223
|
* postfix: Update to recommended TLS settings.Guilhem Moulin2016-05-181
| | | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.)
* postfix: unset 'smtpd_tls_session_cache_database'.Guilhem Moulin2016-05-181
| | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11 http://article.gmane.org/gmane.mail.postfix.user/251935
* Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.Guilhem Moulin2016-05-181
| | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out.
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵Guilhem Moulin2016-05-181
| | | | | | locally. And use this to fetch all X.509 leaf certificates.
* Remove SMTP message size limit on non public MTAs.Guilhem Moulin2016-03-211
|
* Let's EncryptGuilhem Moulin2016-03-021
|
* Upgrade playbooks to Ansible 2.0.Guilhem Moulin2016-02-123
|
* Use the Let's Encrypt CA for our public certs.Guilhem Moulin2015-12-202
|
* dovecot: remove !SSLv2 from ssl_cipher_list.Guilhem Moulin2015-12-151
|
* Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the ↵Guilhem Moulin2015-12-031
| | | | cert itself.
* Automatically fetch X.509 certificates, and add them to git.Guilhem Moulin2015-12-031
|
* dovecot-sieve: Enable the 'editheader' extension (5293).Guilhem Moulin2015-11-261
| | | | | Which is disabled by default, as per http://wiki.dovecot.org/Pigeonhole/Sieve