summaryrefslogtreecommitdiffstats
path: root/roles/IMAP
Commit message (Collapse)AuthorAgeFiles
* Remove reject_unknown_sender_domain from the MDA and outgoing SMTP.Guilhem Moulin2015-06-071
| | | | | | | | | | We already removed it from the MX:es (see 32e605d4); we need to remove it from the MDA and outgoing SMTP as well, otherwise mails could bounce or get stuck in the middle (the're rejected with 450: deferred by default). However we can keep the restriction on the entry points (MSA and webmail).
* Hash certs using a lookup in the template instead of add a new task.Guilhem Moulin2015-06-072
|
* Fix $smtpd_sender_restrictions.Guilhem Moulin2015-06-071
| | | | | | | | | | | | On the MDA the domain is our 'mda.fripost.org', there is no need to perform an extra DNS lookup. The MSA does not perform local or virtual delivery, but relays everything to the outgoing SMTP proxy. On the MX, there is no need to check for recipient validity as we are the final destination; but unsure that the RCPT TO address is a valid recipient before doing the greylisting.
* Explain why we use static transport maps and custom subdomains.Guilhem Moulin2015-06-071
|
* Fix Dovecot's mail location.Guilhem Moulin2015-06-073
|
* Perform the alias resolution and address validation solely on the MX:es.Guilhem Moulin2015-06-076
| | | | | We can therefore spare some lookups on the MDA, and use static:all instead.
* Add a tag 'tls_policy' to facilitate rekeying.Guilhem Moulin2015-06-071
| | | | | First generate all certs (-t genkey), then build the TLS policy maps ( -t tls_policy).
* Remove o=mailHosting from the LDAP directory suffix.Guilhem Moulin2015-06-074
| | | | | | So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it before hand).
* Add ability to add custom OrganizationalUnits in genkeypair.Guilhem Moulin2015-06-071
| | | | Also, it's now possible to reuse an existing private key (with -f).
* Increase the timeout in the smtpd waiting for the reinjection from amavis.Guilhem Moulin2015-06-071
| | | | | | | | SMTP client connection caching was introduced in 2.6.0: the SMTP session is held for the next task (in adaptative mode, only when there was a delay of only 5s between the two previous mails), but Postfix will terminate it if the next mail doesn't come soon enough, or if amavis does't terminate it itself (usually after 15s).
* Tell Dovecot we have a remote IMAP proxy.Guilhem Moulin2015-06-071
|
* Performance tuning in Dovecot's configuration.Guilhem Moulin2015-06-072
|
* Tell vim the underlying filetype of templates for syntax highlighting.Guilhem Moulin2015-06-071
|
* Reload Postfix upon configuration change, but don't restart it.Guilhem Moulin2015-06-072
| | | | | | (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, require a full restart, but most of the time it's overkill.
* Don't restart/reload Postifx upon change of a file based database.Guilhem Moulin2015-06-071
| | | | | | And don't restart or reload either upon change of pcre: files that are used by smtpd(8), cleanup(8) or local(8), following the suggestion from http://www.postfix.org/DATABASE_README.html#detect .
* Install amavisd-new on the outgoing SMTP proxy.Guilhem Moulin2015-06-077
| | | | For DKIM signing and virus checking.
* Don't auto-create home directories when adding system users.Guilhem Moulin2015-06-071
| | | | | Unlike adduser(8), ansible's 'user' module copies skeletal configuration files even for system users (unless called with createhome=no).
* Use stunnel to secure the connection from the IMAP proxy to the IMAP server.Guilhem Moulin2015-06-071
| | | | | | | The reason is that we don't want to rely on CAs to verify the certificate of our server. Dovecot currently doesn't offer a way to match said cert against a local copy or known fingerprint. stunnel does.
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-076
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Outgoing SMTP proxy.Guilhem Moulin2015-06-071
|
* Don't use mailbox list indexes.Guilhem Moulin2015-06-071
| | | | | | | In 2.1.7 they are buggy, and make Dovecot crash (when connected through Evolution for instance). They have improved a lot since, though: http://hg.dovecot.org/dovecot-2.2/file/c55c660d6e9d/NEWS
* Fix syntax error.Guilhem Moulin2015-06-071
|
* Generate certs for Dovecot and Nginx if they are not there.Guilhem Moulin2015-06-072
|
* Create a nightly cron job to purge expunged messages.Guilhem Moulin2015-06-071
| | | | | This is required for dbox, see http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
* Dovecot wibble.Guilhem Moulin2015-06-071
|
* Fix YAML syntax error.Guilhem Moulin2015-06-071
|
* chown root:root /home/mail && chmod 0755 /home/mailGuilhem Moulin2015-06-071
| | | | | This ensures that Dovecot won't deliver messages if the disk hasn't been mounted, for instance.
* The 'vmail' user may have a UID lower than 500.Guilhem Moulin2015-06-071
| | | | So we set 'first_valid_uid' to 1, to accept any UID.
* Support boken SMTP clients and LOGIN SASL mechanism.Guilhem Moulin2015-06-071
|
* Compress messages on the IMAP backend.Guilhem Moulin2015-06-072
|
* Install dovecot from backports (for imapc).Guilhem Moulin2015-06-071
| | | | | Interesting features include caching of mail headers (v2.2.8+) as well as new IMAP capabilities.
* Assume a DNS entry for each role.Guilhem Moulin2015-06-072
| | | | | | E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though.
* Decongestion potential bottlenecks on trivial_rewrite(8).Guilhem Moulin2015-06-073
| | | | | | | | | | | | | Which might be caused by slow LDAP lookups in transport_maps. Instead, we alias each addresses for which we want a custom transport to a dedicated "dummy" domain, and use a static (CDB) transport_maps to map said domains to their transport; the receiver can then use canonical(8) to restore the original envelope recipient. Since the alias resolution is performed by cleanup(8), which can run in parallel with other instances, it should decongestion bottlenecks under heavy loads. So far only the MX:es have been decongestioned. The list manager and the MDA should be treated as well.
* Ansible automatically creates parent directories.Guilhem Moulin2015-06-071
|
* Make the *_maps file names uniform.Guilhem Moulin2015-06-074
| | | | That is, don't put a leading virtual_ or a trailing _maps in file names.
* wibbleGuilhem Moulin2015-06-071
|
* Fix the catch-all resolution again.Guilhem Moulin2015-06-073
| | | | | | | | | | | | | | | | | | | | We introduce a limitation on the domain-aliases: they can't have children (e.g., lists or users) any longer. The whole alias resolution, including catch-alls and domain aliases, is now done in 'virtual_alias_maps'. We stop the resolution by returning a dummy alias A -> A for mailboxes, before trying the catch-all maps. We're still using transport_maps for lists. If it turns out to be a bottleneck due to the high-latency coming from LDAP maps, (and the fact that there is a single qmgr(8) daemon), we could rewrite lists to a dummy subdomain and use a static transport_maps instead: virtual_alias_maps: mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain transport_maps: mlmmj.localhost.localdomain mlmmj:
* Excplicitely make local services run on localhost.Guilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-072
|
* Fix catchall resolution.Guilhem Moulin2015-06-072
| | | | | | | | It has to be performed last, to give a chance to be accepted as a regular mailbox. We introduce a new, dedicated, smtpd daemon whose only purpose is to resolve catch-alls.
* Configure Sieve and ManageSieve.Guilhem Moulin2015-06-073
| | | | | Also, add the 'managesieve' RoundCube plugin to communicate with our server.
* Make the virtual mailboxes visible under RoundCube.Guilhem Moulin2015-06-077
| | | | | | RoundCubes lists subscribed mailboxes only (determined using LIST-EXTENDED by default); also, it seems to ignore new subscriptions to mailboxes not listed by the LIST command.
* Configure the webmail.Guilhem Moulin2015-06-072
|
* Compile Spamassassin rules.Guilhem Moulin2015-06-073
| | | | See /usr/share/doc/spamassassin/README.Debian.gz
* Auto-update Spamassassin's ruleset.Guilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-073
|
* Configure dovecot's antispam filter.Guilhem Moulin2015-06-075
| | | | | | | | | | | | | Mails to be retrained are stored in the spooldir /home/mail/spamspool; later a daemon catches them up and feed them to sa-learn(1p). (On busy systems batch-process the learning should be much more efficient.) The folder transisition matrix along with the corresponding actions can be found there: http://hg.dovecot.org/dovecot-antispam-plugin/raw-file/5ebc6aae4d7c/doc/dovecot-antispam.7.txt See also dovecot-antispam(7).
* Enable IMAP virtual mailboxes.Guilhem Moulin2015-06-077
| | | | | | | | | | | | | | Using dovecot's 'virtual' plugin, cf. http://wiki2.dovecot.org/Plugins/Virtual The 'virtual/' namespace is visible in the NAMESPACE command (hidden=no), but not in LIST (list=no). This should ensure that the namespace isn't automatically synced by offlineimap, but nevertheless visible by roundcube, cf. http://trac.roundcube.net/ticket/1486796 http://mailman2.u.washington.edu/pipermail/imap-protocol/2010-May/001076.html
* wibbleGuilhem Moulin2015-06-071
|
* Configure the content filter.Guilhem Moulin2015-06-0712
| | | | | | | | | | | Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new. Each user has his/her amavis preferences, and own Bayes filter (to maximize privacy). One question remains, though: how to set spamassassin's trusted_networks / internal_networks / msa_networks? It seems not obivious to get it write with IPSec and dynamic IPs. (Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)