| Commit message (Collapse) | Author | Age | Files |
|---|
| |
|
|
|
|
|
|
|
| |
Clients now have to use the NAMESPACE extension [RFC 2342] to discover
mailboxes under the “virtual/” namespace. (Plus an extra LIST command,
causing an overhead two roundtrips.) Of course the downside is that non
namespace-aware clients lose access to the “virtual/{all,flagged,…}”
mailboxes, but on second thought it's probably better this way rather
than having such clients treat these mailboxes as regular mailboxes.
|
| |
|
|
|
| |
We don't want to use the default instance since its SIZE limit is
tighter than the ones on the MX:es.
|
| |
|
|
| |
To avoid new commits upon cert renewal.
|
| | |
|
| |
|
|
|
|
| |
(On port 143.) Moreover, add the whole IPSec virtual subnet to
‘login_trusted_networks’ since our IPSec tunnels provide end-to-end
encryption and we therefore don't need the extra SSL/TLS protection.
|
| | |
|
| |
|
|
|
|
|
|
| |
Following Viktor Dukhovni's 2015-08-06 recommendation
http://article.gmane.org/gmane.mail.postfix.user/251935
(We're using stronger ciphers and protocols in our own infrastructure.)
|
| |
|
|
|
|
| |
Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11
http://article.gmane.org/gmane.mail.postfix.user/251935
|
| |
|
|
|
|
|
|
|
|
| |
Ideally we we should also increase the Diffie-Hellman group size from
2048-bit to 3072-bit, as per ENISA 2014 report.
https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014
But we postpone that for now until we are reasonably certain that older
client won't be left out.
|
| |
|
|
|
|
| |
locally.
And use this to fetch all X.509 leaf certificates.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
cert itself.
|
| | |
|
| |
|
|
|
| |
Which is disabled by default, as per
http://wiki.dovecot.org/Pigeonhole/Sieve
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Put all relay restrictions under smtpd_relay_restrictions and leave
smtpd_recipient_restrictions empty, since we don't do DNSBL.
|
| | |
|
| | |
|
| |
|
|
|
| |
Interhost communications are protected by stunnel4. The graphs are only
visible on the master itself, and content is generated by Fast CGI.
|
| | |
|
| |
|
|
| |
Fix regression introduced in f7c8011.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
We already removed it from the MX:es (see 32e605d4); we need to remove
it from the MDA and outgoing SMTP as well, otherwise mails could bounce
or get stuck in the middle (the're rejected with 450: deferred by
default).
However we can keep the restriction on the entry points (MSA and
webmail).
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
On the MDA the domain is our 'mda.fripost.org', there is no need to
perform an extra DNS lookup.
The MSA does not perform local or virtual delivery, but relays
everything to the outgoing SMTP proxy.
On the MX, there is no need to check for recipient validity as we are
the final destination; but unsure that the RCPT TO address is a valid
recipient before doing the greylisting.
|
| | |
|
| | |
|
| |
|
|
|
| |
We can therefore spare some lookups on the MDA, and use static:all
instead.
|
| |
|
|
|
| |
First generate all certs (-t genkey), then build the TLS policy maps (
-t tls_policy).
|
| |
|
|
|
|
| |
So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the
default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it
before hand).
|
| |
|
|
| |
Also, it's now possible to reuse an existing private key (with -f).
|
| |
|
|
|
|
|
|
| |
SMTP client connection caching was introduced in 2.6.0: the SMTP session is
held for the next task (in adaptative mode, only when there was a delay of only
5s between the two previous mails), but Postfix will terminate it if the next
mail doesn't come soon enough, or if amavis does't terminate it itself (usually
after 15s).
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
(Unless a new instance is created, or the master.cf change is modified.)
Changing some variables, such as inet_protocols, require a full restart,
but most of the time it's overkill.
|
| |
|
|
|
|
| |
And don't restart or reload either upon change of pcre: files that are
used by smtpd(8), cleanup(8) or local(8), following the suggestion from
http://www.postfix.org/DATABASE_README.html#detect .
|
| |
|
|
| |
For DKIM signing and virus checking.
|
| |
|
|
|
| |
Unlike adduser(8), ansible's 'user' module copies skeletal configuration
files even for system users (unless called with createhome=no).
|
| |
|
|
|
|
|
| |
The reason is that we don't want to rely on CAs to verify the
certificate of our server. Dovecot currently doesn't offer a way to
match said cert against a local copy or known fingerprint. stunnel
does.
|
| |
|
|
|
| |
For some reason giraff doesn't like IPSec. App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.
|
