Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | Dovecot: use fallocate(2) to preallocate new mdbox files. | Guilhem Moulin | 2016-12-08 | 1 |
| | ||||
* | postfix: Remove obsolete templates tls_policy/relay_clientcerts. | Guilhem Moulin | 2016-07-12 | 1 |
| | ||||
* | postfix: commit the master.cf symlinks. | Guilhem Moulin | 2016-07-12 | 1 |
| | ||||
* | Postfix lists/MDA instances: only include the MX:es' IPs in $mynetworks. | Guilhem Moulin | 2016-07-10 | 1 |
| | ||||
* | Route all internal SMTP traffic through IPsec. | Guilhem Moulin | 2016-07-10 | 2 |
| | ||||
* | Postfix: avoid hardcoding the instance names. | Guilhem Moulin | 2016-07-10 | 1 |
| | ||||
* | Postfix: don't share the master.cf between the instances. | Guilhem Moulin | 2016-07-10 | 2 |
| | ||||
* | postfix: Don't explicitly set inet_interfaces=all as it's the default. | Guilhem Moulin | 2016-07-10 | 1 |
| | ||||
* | Change the pubkey extension from .pem to .pub. | Guilhem Moulin | 2016-07-10 | 1 |
| | ||||
* | IMAP: don't include mailbox under the virtual namespace in LIST responses. | Guilhem Moulin | 2016-07-06 | 1 |
| | | | | | | | | | Clients now have to use the NAMESPACE extension [RFC 2342] to discover mailboxes under the “virtual/” namespace. (Plus an extra LIST command, causing an overhead two roundtrips.) Of course the downside is that non namespace-aware clients lose access to the “virtual/{all,flagged,…}” mailboxes, but on second thought it's probably better this way rather than having such clients treat these mailboxes as regular mailboxes. | |||
* | dovecot: use the MSA postfix instance for sieve redirection. | Guilhem Moulin | 2016-07-01 | 2 |
| | | | | | We don't want to use the default instance since its SIZE limit is tighter than the ones on the MX:es. | |||
* | certs/public: fetch each cert's pubkey (SPKI), not the cert itself. | Guilhem Moulin | 2016-06-15 | 1 |
| | | | | To avoid new commits upon cert renewal. | |||
* | dovecot: don't listen on the IP dedicated for IPSec when there is a single host. | Guilhem Moulin | 2016-05-23 | 1 |
| | ||||
* | dovecot: also listen on the virtual IP dedicated to IPSec. | Guilhem Moulin | 2016-05-22 | 2 |
| | | | | | | (On port 143.) Moreover, add the whole IPSec virtual subnet to ‘login_trusted_networks’ since our IPSec tunnels provide end-to-end encryption and we therefore don't need the extra SSL/TLS protection. | |||
* | spamassassin: list our IPSec subnet in trusted_networks. | Guilhem Moulin | 2016-05-22 | 3 |
| | ||||
* | postfix: Update to recommended TLS settings. | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.) | |||
* | postfix: unset 'smtpd_tls_session_cache_database'. | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11 http://article.gmane.org/gmane.mail.postfix.user/251935 | |||
* | Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public. | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out. | |||
* | Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵ | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | locally. And use this to fetch all X.509 leaf certificates. | |||
* | Remove SMTP message size limit on non public MTAs. | Guilhem Moulin | 2016-03-21 | 1 |
| | ||||
* | Let's Encrypt | Guilhem Moulin | 2016-03-02 | 1 |
| | ||||
* | Upgrade playbooks to Ansible 2.0. | Guilhem Moulin | 2016-02-12 | 3 |
| | ||||
* | Use the Let's Encrypt CA for our public certs. | Guilhem Moulin | 2015-12-20 | 2 |
| | ||||
* | dovecot: remove !SSLv2 from ssl_cipher_list. | Guilhem Moulin | 2015-12-15 | 1 |
| | ||||
* | Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the ↵ | Guilhem Moulin | 2015-12-03 | 1 |
| | | | | cert itself. | |||
* | Automatically fetch X.509 certificates, and add them to git. | Guilhem Moulin | 2015-12-03 | 1 |
| | ||||
* | dovecot-sieve: Enable the 'editheader' extension (5293). | Guilhem Moulin | 2015-11-26 | 1 |
| | | | | | Which is disabled by default, as per http://wiki.dovecot.org/Pigeonhole/Sieve | |||
* | Remove \Recent flags when a virtual mailbox is SELECTed. | Guilhem Moulin | 2015-09-30 | 4 |
| | ||||
* | IMAP: Store virtual indexes in memory. | Guilhem Moulin | 2015-09-30 | 1 |
| | ||||
* | dovecot: Disable SSLv3. | Guilhem Moulin | 2015-09-17 | 1 |
| | ||||
* | Fix address verification probes on the MSA. | Guilhem Moulin | 2015-09-16 | 1 |
| | | | | | Put all relay restrictions under smtpd_relay_restrictions and leave smtpd_recipient_restrictions empty, since we don't do DNSBL. | |||
* | Enable the IMAP COMPRESS extension [RFC4978]. | Guilhem Moulin | 2015-09-15 | 1 |
| | ||||
* | Rename 'mysql_user' plugin to 'mysql_user2' to avoid name collisions. | Guilhem Moulin | 2015-07-12 | 1 |
| | ||||
* | Configure munin nodes & master. | Guilhem Moulin | 2015-06-10 | 3 |
| | | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. | |||
* | Dovecot: Collect IMAP statistics. | Guilhem Moulin | 2015-06-10 | 4 |
| | ||||
* | Allow 'vmail' users with a UID lower than 500. | Guilhem Moulin | 2015-06-10 | 1 |
| | | | | Fix regression introduced in f7c8011. | |||
* | SQL: Set empty passwords for auth_socket authentication. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Prefer '/usr/sbin/nologin' over '/bin/false' for system users. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | logjam mitigation. | Guilhem Moulin | 2015-06-07 | 2 |
| | ||||
* | Upgrade Dovecot config to Jessie. | Guilhem Moulin | 2015-06-07 | 12 |
| | ||||
* | Remove reject_unknown_sender_domain from the MDA and outgoing SMTP. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | | | | | We already removed it from the MX:es (see 32e605d4); we need to remove it from the MDA and outgoing SMTP as well, otherwise mails could bounce or get stuck in the middle (the're rejected with 450: deferred by default). However we can keep the restriction on the entry points (MSA and webmail). | |||
* | Hash certs using a lookup in the template instead of add a new task. | Guilhem Moulin | 2015-06-07 | 2 |
| | ||||
* | Fix $smtpd_sender_restrictions. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | | | | | | | On the MDA the domain is our 'mda.fripost.org', there is no need to perform an extra DNS lookup. The MSA does not perform local or virtual delivery, but relays everything to the outgoing SMTP proxy. On the MX, there is no need to check for recipient validity as we are the final destination; but unsure that the RCPT TO address is a valid recipient before doing the greylisting. | |||
* | Explain why we use static transport maps and custom subdomains. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Fix Dovecot's mail location. | Guilhem Moulin | 2015-06-07 | 3 |
| | ||||
* | Perform the alias resolution and address validation solely on the MX:es. | Guilhem Moulin | 2015-06-07 | 6 |
| | | | | | We can therefore spare some lookups on the MDA, and use static:all instead. | |||
* | Add a tag 'tls_policy' to facilitate rekeying. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | First generate all certs (-t genkey), then build the TLS policy maps ( -t tls_policy). | |||
* | Remove o=mailHosting from the LDAP directory suffix. | Guilhem Moulin | 2015-06-07 | 4 |
| | | | | | | So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it before hand). | |||
* | Add ability to add custom OrganizationalUnits in genkeypair. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | Also, it's now possible to reuse an existing private key (with -f). | |||
* | Increase the timeout in the smtpd waiting for the reinjection from amavis. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | | | SMTP client connection caching was introduced in 2.6.0: the SMTP session is held for the next task (in adaptative mode, only when there was a delay of only 5s between the two previous mails), but Postfix will terminate it if the next mail doesn't come soon enough, or if amavis does't terminate it itself (usually after 15s). |