summaryrefslogtreecommitdiffstats
path: root/roles/MSA/tasks
Commit message (Collapse)AuthorAgeFiles
* Postfix: pin key material to our MX:es for fripost.org and its subdomains.Guilhem Moulin2021-01-261
| | | | | | | | | | | | | | | | | | | | | | | | | | This solves an issue where an attacker would strip the STARTTLS keyword from the EHLO response, thereby preventing connection upgrade; or spoof DNS responses to route outgoing messages to an attacker-controlled SMTPd, thereby allowing message MiTM'ing. With key material pinning in place, smtp(8postfix) immediately aborts the connection (before the MAIL command) and places the message into the deferred queue instead: postfix-out/smtp[NNN]: … dsn=4.7.5, status=undeliverable (Server certificate not verified) This applies to the smarthost as well as for verification probes on the Mail Submission Agent. Placing message into the deferred queue might yield denial of service, but we argue that it's better than a privacy leak. This only covers *internal messages* (from Fripost to Fripost) though: only messages with ‘fripost.org’ (or a subdomain of such) as recipient domain. Other domains, even those using mx[12].fripost.org as MX, are not covered. A scalable solution for arbitrary domains would involve either DANE and TLSA records, or MTA-STS [RFC8461]. Regardless, there is some merit in hardcoding our internal policy (when the client and server are both under our control) in the configuration. It for instance enables us to harden TLS ciphers and protocols, and makes the verification logic independent of DNS.
* Postfix: Install -lmdb in all roles using db=lmdb.Guilhem Moulin2020-05-211
| | | | | | And drop -ldap from all roles other than MX. -lmdb is included in roles/common but it can be helpful to have it individual roles as well as they can be run individually.
* postfix-sender-login: Better hardening.Guilhem Moulin2020-05-211
| | | | Run as a dedicated user, not ‘postfix’.
* submission: Prospective SPF checking.Guilhem Moulin2018-12-121
| | | | Cf. http://www.openspf.org/Best_Practices/Outbound .
* Upgrade syntax to Ansible 2.7 (apt module).Guilhem Moulin2018-12-031
|
* Postfix: replace cdb & btree tables with lmdb ones.Guilhem Moulin2018-12-031
| | | | Cf. lmdb_table(5).
* Don't let authenticated client use arbitrary sender addresses.Guilhem Moulin2017-06-011
| | | | | | | | | | | | | | The following policy is now implemented: * users can use their SASL login name as sender address; * alias and/or list owners can use the address as envelope sender; * domain postmasters can use arbitrary sender addresses under their domains; * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name; * for known domains without owner or postmasters, other sender addresses are not allowed; and * arbitrary sender addresses under unknown domains are allowed.
* MSA: reject null sender address.Guilhem Moulin2017-05-141
|
* Postfix MX/MSA instances: put certs in the the instance's $config_directory.Guilhem Moulin2016-07-101
|
* Postfix: don't share the master.cf between the instances.Guilhem Moulin2016-07-101
|
* Change the pubkey extension from .pem to .pub.Guilhem Moulin2016-07-101
|
* certs/public: fetch each cert's pubkey (SPKI), not the cert itself.Guilhem Moulin2016-06-151
| | | | To avoid new commits upon cert renewal.
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵Guilhem Moulin2016-05-181
| | | | | | locally. And use this to fetch all X.509 leaf certificates.
* Upgrade playbooks to Ansible 2.0.Guilhem Moulin2016-02-121
|
* Automatically fetch X.509 certificates, and add them to git.Guilhem Moulin2015-12-031
|
* Configure munin nodes & master.Guilhem Moulin2015-06-101
| | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.
* Reload Postfix upon configuration change, but don't restart it.Guilhem Moulin2015-06-071
| | | | | | (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, require a full restart, but most of the time it's overkill.
* Don't restart/reload Postifx upon change of a file based database.Guilhem Moulin2015-06-071
| | | | | | And don't restart or reload either upon change of pcre: files that are used by smtpd(8), cleanup(8) or local(8), following the suggestion from http://www.postfix.org/DATABASE_README.html#detect .
* Configure the Mail Submission Agent.Guilhem Moulin2015-06-071