Commit message | Author | Age | Files | |
---|---|---|---|---|
* | Use the Let's Encrypt CA for our public certs. | Guilhem Moulin | 2015-12-20 | 2 |
* | dovecot: remove !SSLv2 from ssl_cipher_list. | Guilhem Moulin | 2015-12-15 | 1 |
* | Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the cert itself. | Guilhem Moulin | 2015-12-03 | 1 |
* | Automatically fetch X.509 certificates, and add them to git. | Guilhem Moulin | 2015-12-03 | 1 |
* | dovecot-sieve: Enable the 'editheader' extension (5293). | Guilhem Moulin | 2015-11-26 | 1 |
| | Which is disabled by default, as per http://wiki.dovecot.org/Pigeonhole/Sieve | | | |
* | Remove \Recent flags when a virtual mailbox is SELECTed. | Guilhem Moulin | 2015-09-30 | 4 |
* | IMAP: Store virtual indexes in memory. | Guilhem Moulin | 2015-09-30 | 1 |
* | dovecot: Disable SSLv3. | Guilhem Moulin | 2015-09-17 | 1 |
* | Fix address verification probes on the MSA. | Guilhem Moulin | 2015-09-16 | 1 |
| | Put all relay restrictions under smtpd_relay_restrictions and leave smtpd_recipient_restrictions empty, since we don't do DNSBL. | | | |
* | Enable the IMAP COMPRESS extension [RFC4978]. | Guilhem Moulin | 2015-09-15 | 1 |
* | Rename 'mysql_user' plugin to 'mysql_user2' to avoid name collisions. | Guilhem Moulin | 2015-07-12 | 1 |
* | Configure munin nodes & master. | Guilhem Moulin | 2015-06-10 | 3 |
| | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. | | | |
* | Dovecot: Collect IMAP statistics. | Guilhem Moulin | 2015-06-10 | 4 |
* | Allow 'vmail' users with a UID lower than 500. | Guilhem Moulin | 2015-06-10 | 1 |
| | Fix regression introduced in f7c8011. | | | |
* | SQL: Set empty passwords for auth_socket authentication. | Guilhem Moulin | 2015-06-07 | 1 |
* | Prefer '/usr/sbin/nologin' over '/bin/false' for system users. | Guilhem Moulin | 2015-06-07 | 1 |
* | logjam mitigation. | Guilhem Moulin | 2015-06-07 | 2 |
* | Upgrade Dovecot config to Jessie. | Guilhem Moulin | 2015-06-07 | 12 |
* | Remove reject_unknown_sender_domain from the MDA and outgoing SMTP. | Guilhem Moulin | 2015-06-07 | 1 |
| | We already removed it from the MX:es (see 32e605d4); we need to remove it from the MDA and outgoing SMTP as well, otherwise mails could bounce or get stuck in the middle (they're rejected with 450: deferred by default). However we can keep the restriction on the entry points (MSA and webmail). | | | |
* | Hash certs using a lookup in the template instead of adding a new task. | Guilhem Moulin | 2015-06-07 | 2 |
* | Fix $smtpd_sender_restrictions. | Guilhem Moulin | 2015-06-07 | 1 |
| | On the MDA the domain is our 'mda.fripost.org', there is no need to perform an extra DNS lookup. The MSA does not perform local or virtual delivery, but relays everything to the outgoing SMTP proxy. On the MX, there is no need to check for recipient validity as we are the final destination; but unsure that the RCPT TO address is a valid recipient before doing the greylisting. | | | |
* | Explain why we use static transport maps and custom subdomains. | Guilhem Moulin | 2015-06-07 | 1 |
* | Fix Dovecot's mail location. | Guilhem Moulin | 2015-06-07 | 3 |
* | Perform the alias resolution and address validation solely on the MX:es. | Guilhem Moulin | 2015-06-07 | 6 |
| | We can therefore spare some lookups on the MDA, and use static:all instead. | | | |
* | Add a tag 'tls_policy' to facilitate rekeying. | Guilhem Moulin | 2015-06-07 | 1 |
| | First generate all certs (-t genkey), then build the TLS policy maps (-t tls_policy). | | | |
* | Remove o=mailHosting from the LDAP directory suffix. | Guilhem Moulin | 2015-06-07 | 4 |
| | So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it beforehand). | | | |
* | Add ability to add custom OrganizationalUnits in genkeypair. | Guilhem Moulin | 2015-06-07 | 1 |
| | Also, it's now possible to reuse an existing private key (with -f). | | | |
* | Increase the timeout in the smtpd waiting for the reinjection from amavis. | Guilhem Moulin | 2015-06-07 | 1 |
| | SMTP client connection caching was introduced in 2.6.0: the SMTP session is held for the next task (in adaptive mode, only when there was a delay of only 5s between the two previous mails), but Postfix will terminate it if the next mail doesn't come soon enough, or if amavis doesn't terminate it itself (usually after 15s). | | | |
* | Tell Dovecot we have a remote IMAP proxy. | Guilhem Moulin | 2015-06-07 | 1 |
* | Performance tuning in Dovecot's configuration. | Guilhem Moulin | 2015-06-07 | 2 |
* | Tell vim the underlying filetype of templates for syntax highlighting. | Guilhem Moulin | 2015-06-07 | 1 |
* | Reload Postfix upon configuration change, but don't restart it. | Guilhem Moulin | 2015-06-07 | 2 |
| | (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, requires a full restart, but most of the time it's overkill. | | | |
* | Don't restart/reload Postfix upon change of a file based database. | Guilhem Moulin | 2015-06-07 | 1 |
| | And don't restart or reload either upon change of pcre: files that are used by smtpd(8), cleanup(8) or local(8), following the suggestion from http://www.postfix.org/DATABASE_README.html#detect . | | | |
* | Install amavisd-new on the outgoing SMTP proxy. | Guilhem Moulin | 2015-06-07 | 7 |
| | For DKIM signing and virus checking. | | | |
* | Don't auto-create home directories when adding system users. | Guilhem Moulin | 2015-06-07 | 1 |
| | Unlike adduser(8), ansible's 'user' module copies skeletal configuration files even for system users (unless called with createhome=no). | | | |
* | Use stunnel to secure the connection from the IMAP proxy to the IMAP server. | Guilhem Moulin | 2015-06-07 | 1 |
| | The reason is that we don't want to rely on CAs to verify the certificate of our server. Dovecot currently doesn't offer a way to match said cert against a local copy or known fingerprint. stunnel does. | | | |
* | Replace IPSec tunnels by app-level ephemeral TLS sessions. | Guilhem Moulin | 2015-06-07 | 6 |
| | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well. | | | |
* | Outgoing SMTP proxy. | Guilhem Moulin | 2015-06-07 | 1 |
* | Don't use mailbox list indexes. | Guilhem Moulin | 2015-06-07 | 1 |
| | In 2.1.7 they are buggy, and make Dovecot crash (when connected through Evolution for instance). They have improved a lot since, though: http://hg.dovecot.org/dovecot-2.2/file/c55c660d6e9d/NEWS | | | |
* | Fix syntax error. | Guilhem Moulin | 2015-06-07 | 1 |
* | Generate certs for Dovecot and Nginx if they are not there. | Guilhem Moulin | 2015-06-07 | 2 |
* | Create a nightly cron job to purge expunged messages. | Guilhem Moulin | 2015-06-07 | 1 |
| | This is required for dbox, see http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox | | | |
* | Dovecot wibble. | Guilhem Moulin | 2015-06-07 | 1 |
* | Fix YAML syntax error. | Guilhem Moulin | 2015-06-07 | 1 |
* | chown root:root /home/mail && chmod 0755 /home/mail | Guilhem Moulin | 2015-06-07 | 1 |
| | This ensures that Dovecot won't deliver messages if the disk hasn't been mounted, for instance. | | | |
* | The 'vmail' user may have a UID lower than 500. | Guilhem Moulin | 2015-06-07 | 1 |
| | So we set 'first_valid_uid' to 1, to accept any UID. | | | |
* | Support broken SMTP clients and LOGIN SASL mechanism. | Guilhem Moulin | 2015-06-07 | 1 |
* | Compress messages on the IMAP backend. | Guilhem Moulin | 2015-06-07 | 2 |
* | Install dovecot from backports (for imapc). | Guilhem Moulin | 2015-06-07 | 1 |
| | Interesting features include caching of mail headers (v2.2.8+) as well as new IMAP capabilities. | | | |
* | Assume a DNS entry for each role. | Guilhem Moulin | 2015-06-07 | 2 |
| | E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though. | | | |