summaryrefslogtreecommitdiffstats
path: root/roles/IMAP
Commit message (Collapse)AuthorAgeFiles
* IMAP: don't include mailbox under the virtual namespace in LIST responses.Guilhem Moulin2016-07-061
| | | | | | | | | Clients now have to use the NAMESPACE extension [RFC 2342] to discover mailboxes under the “virtual/” namespace. (Plus an extra LIST command, causing an overhead two roundtrips.) Of course the downside is that non namespace-aware clients lose access to the “virtual/{all,flagged,…}” mailboxes, but on second thought it's probably better this way rather than having such clients treat these mailboxes as regular mailboxes.
* dovecot: use the MSA postfix instance for sieve redirection.Guilhem Moulin2016-07-012
| | | | | We don't want to use the default instance since its SIZE limit is tighter than the ones on the MX:es.
* certs/public: fetch each cert's pubkey (SPKI), not the cert itself.Guilhem Moulin2016-06-151
| | | | To avoid new commits upon cert renewal.
* dovecot: don't listen on the IP dedicated for IPSec when there is a single host.Guilhem Moulin2016-05-231
|
* dovecot: also listen on the virtual IP dedicated to IPSec.Guilhem Moulin2016-05-222
| | | | | | (On port 143.) Moreover, add the whole IPSec virtual subnet to ‘login_trusted_networks’ since our IPSec tunnels provide end-to-end encryption and we therefore don't need the extra SSL/TLS protection.
* spamassassin: list our IPSec subnet in trusted_networks.Guilhem Moulin2016-05-223
|
* postfix: Update to recommended TLS settings.Guilhem Moulin2016-05-181
| | | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.)
* postfix: unset 'smtpd_tls_session_cache_database'.Guilhem Moulin2016-05-181
| | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11 http://article.gmane.org/gmane.mail.postfix.user/251935
* Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.Guilhem Moulin2016-05-181
| | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out.
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵Guilhem Moulin2016-05-181
| | | | | | locally. And use this to fetch all X.509 leaf certificates.
* Remove SMTP message size limit on non public MTAs.Guilhem Moulin2016-03-211
|
* Let's EncryptGuilhem Moulin2016-03-021
|
* Upgrade playbooks to Ansible 2.0.Guilhem Moulin2016-02-123
|
* Use the Let's Encrypt CA for our public certs.Guilhem Moulin2015-12-202
|
* dovecot: remove !SSLv2 from ssl_cipher_list.Guilhem Moulin2015-12-151
|
* Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the ↵Guilhem Moulin2015-12-031
| | | | cert itself.
* Automatically fetch X.509 certificates, and add them to git.Guilhem Moulin2015-12-031
|
* dovecot-sieve: Enable the 'editheader' extension (5293).Guilhem Moulin2015-11-261
| | | | | Which is disabled by default, as per http://wiki.dovecot.org/Pigeonhole/Sieve
* Remove \Recent flags when a virtual mailbox is SELECTed.Guilhem Moulin2015-09-304
|
* IMAP: Store virtual indexes in memory.Guilhem Moulin2015-09-301
|
* dovecot: Disable SSLv3.Guilhem Moulin2015-09-171
|
* Fix address verification probes on the MSA.Guilhem Moulin2015-09-161
| | | | | Put all relay restrictions under smtpd_relay_restrictions and leave smtpd_recipient_restrictions empty, since we don't do DNSBL.
* Enable the IMAP COMPRESS extension [RFC4978].Guilhem Moulin2015-09-151
|
* Rename 'mysql_user' plugin to 'mysql_user2' to avoid name collisions.Guilhem Moulin2015-07-121
|
* Configure munin nodes & master.Guilhem Moulin2015-06-103
| | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.
* Dovecot: Collect IMAP statistics.Guilhem Moulin2015-06-104
|
* Allow 'vmail' users with a UID lower than 500.Guilhem Moulin2015-06-101
| | | | Fix regression introduced in f7c8011.
* SQL: Set empty passwords for auth_socket authentication.Guilhem Moulin2015-06-071
|
* Prefer '/usr/sbin/nologin' over '/bin/false' for system users.Guilhem Moulin2015-06-071
|
* logjam mitigation.Guilhem Moulin2015-06-072
|
* Upgrade Dovecot config to Jessie.Guilhem Moulin2015-06-0712
|
* Remove reject_unknown_sender_domain from the MDA and outgoing SMTP.Guilhem Moulin2015-06-071
| | | | | | | | | | We already removed it from the MX:es (see 32e605d4); we need to remove it from the MDA and outgoing SMTP as well, otherwise mails could bounce or get stuck in the middle (the're rejected with 450: deferred by default). However we can keep the restriction on the entry points (MSA and webmail).
* Hash certs using a lookup in the template instead of add a new task.Guilhem Moulin2015-06-072
|
* Fix $smtpd_sender_restrictions.Guilhem Moulin2015-06-071
| | | | | | | | | | | | On the MDA the domain is our 'mda.fripost.org', there is no need to perform an extra DNS lookup. The MSA does not perform local or virtual delivery, but relays everything to the outgoing SMTP proxy. On the MX, there is no need to check for recipient validity as we are the final destination; but unsure that the RCPT TO address is a valid recipient before doing the greylisting.
* Explain why we use static transport maps and custom subdomains.Guilhem Moulin2015-06-071
|
* Fix Dovecot's mail location.Guilhem Moulin2015-06-073
|
* Perform the alias resolution and address validation solely on the MX:es.Guilhem Moulin2015-06-076
| | | | | We can therefore spare some lookups on the MDA, and use static:all instead.
* Add a tag 'tls_policy' to facilitate rekeying.Guilhem Moulin2015-06-071
| | | | | First generate all certs (-t genkey), then build the TLS policy maps ( -t tls_policy).
* Remove o=mailHosting from the LDAP directory suffix.Guilhem Moulin2015-06-074
| | | | | | So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it before hand).
* Add ability to add custom OrganizationalUnits in genkeypair.Guilhem Moulin2015-06-071
| | | | Also, it's now possible to reuse an existing private key (with -f).
* Increase the timeout in the smtpd waiting for the reinjection from amavis.Guilhem Moulin2015-06-071
| | | | | | | | SMTP client connection caching was introduced in 2.6.0: the SMTP session is held for the next task (in adaptative mode, only when there was a delay of only 5s between the two previous mails), but Postfix will terminate it if the next mail doesn't come soon enough, or if amavis does't terminate it itself (usually after 15s).
* Tell Dovecot we have a remote IMAP proxy.Guilhem Moulin2015-06-071
|
* Performance tuning in Dovecot's configuration.Guilhem Moulin2015-06-072
|
* Tell vim the underlying filetype of templates for syntax highlighting.Guilhem Moulin2015-06-071
|
* Reload Postfix upon configuration change, but don't restart it.Guilhem Moulin2015-06-072
| | | | | | (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, require a full restart, but most of the time it's overkill.
* Don't restart/reload Postifx upon change of a file based database.Guilhem Moulin2015-06-071
| | | | | | And don't restart or reload either upon change of pcre: files that are used by smtpd(8), cleanup(8) or local(8), following the suggestion from http://www.postfix.org/DATABASE_README.html#detect .
* Install amavisd-new on the outgoing SMTP proxy.Guilhem Moulin2015-06-077
| | | | For DKIM signing and virus checking.
* Don't auto-create home directories when adding system users.Guilhem Moulin2015-06-071
| | | | | Unlike adduser(8), ansible's 'user' module copies skeletal configuration files even for system users (unless called with createhome=no).
* Use stunnel to secure the connection from the IMAP proxy to the IMAP server.Guilhem Moulin2015-06-071
| | | | | | | The reason is that we don't want to rely on CAs to verify the certificate of our server. Dovecot currently doesn't offer a way to match said cert against a local copy or known fingerprint. stunnel does.
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-076
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.