Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | Route all internal SMTP traffic through IPsec. | Guilhem Moulin | 2016-07-10 | 1 |
| | ||||
* | Postfix MX/MSA instances: put certs in the the instance's $config_directory. | Guilhem Moulin | 2016-07-10 | 2 |
| | ||||
* | Postfix MX/MSA instances: don't ask the remote SMTP client for a client ↵ | Guilhem Moulin | 2016-07-10 | 1 |
| | | | | | | | certificate. See postconf(5). This avoids the “(Client did not present a certificate)” messages in the Received headers. | |||
* | Postfix: don't share the master.cf between the instances. | Guilhem Moulin | 2016-07-10 | 2 |
| | ||||
* | postfix: Don't explicitly set inet_interfaces=all as it's the default. | Guilhem Moulin | 2016-07-10 | 1 |
| | ||||
* | Change the pubkey extension from .pem to .pub. | Guilhem Moulin | 2016-07-10 | 1 |
| | ||||
* | Postfix MSA: don't allow unauthenticated clients from $mynetworks. | Guilhem Moulin | 2016-06-29 | 1 |
| | ||||
* | certs/public: fetch each cert's pubkey (SPKI), not the cert itself. | Guilhem Moulin | 2016-06-15 | 1 |
| | | | | To avoid new commits upon cert renewal. | |||
* | postfix: rotate the sender address for verify probes. | Guilhem Moulin | 2016-06-02 | 1 |
| | | | | | In order to avoid ‘double-bounce@’ ending up on spammer mailing lists. See http://www.postfix.org/ADDRESS_VERIFICATION_README.html . | |||
* | postfix: Update to recommended TLS settings. | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.) | |||
* | postfix: unset 'smtpd_tls_session_cache_database'. | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11 http://article.gmane.org/gmane.mail.postfix.user/251935 | |||
* | Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public. | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out. | |||
* | postfix: disable weak ciphers for the 'encrypt' TLS security level. | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | That is, on the MSA and in our local infrastructure. | |||
* | Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵ | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | locally. And use this to fetch all X.509 leaf certificates. | |||
* | Let's Encrypt | Guilhem Moulin | 2016-03-02 | 1 |
| | ||||
* | Upgrade playbooks to Ansible 2.0. | Guilhem Moulin | 2016-02-12 | 1 |
| | ||||
* | Use the Let's Encrypt CA for our public certs. | Guilhem Moulin | 2015-12-20 | 1 |
| | ||||
* | Automatically fetch X.509 certificates, and add them to git. | Guilhem Moulin | 2015-12-03 | 1 |
| | ||||
* | Fix address verification probes on the MSA. | Guilhem Moulin | 2015-09-16 | 1 |
| | | | | | Put all relay restrictions under smtpd_relay_restrictions and leave smtpd_recipient_restrictions empty, since we don't do DNSBL. | |||
* | Use 'double-bounce@fripost.org' as envelope sender for verification probes. | Guilhem Moulin | 2015-06-11 | 1 |
| | ||||
* | Don't bounce unverified recipients upon 4xx errors. | Guilhem Moulin | 2015-06-11 | 1 |
| | | | | | | | We don't want to bounce messages for which the recipient(s)' MTA replies 451 due to some greylisting in place. We would like to accept 451 alone, but unfortunately it's not possible to bounce unverified recipients due to DNS or networking errors. | |||
* | Configure munin nodes & master. | Guilhem Moulin | 2015-06-10 | 2 |
| | | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. | |||
* | Use recipient address verification probes. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | | This is specially useful for mailing lists and the webmail, since it prevents our outgoing gateway from accepting mails known to be bouncing. However the downside is that it adds a delay of up to 6s after the RCPT TO command. | |||
* | logjam mitigation. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Upgrade Postfix config to Jessie (MSA & outgoing proxy). | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Fix $smtpd_sender_restrictions. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | | | | | | | On the MDA the domain is our 'mda.fripost.org', there is no need to perform an extra DNS lookup. The MSA does not perform local or virtual delivery, but relays everything to the outgoing SMTP proxy. On the MX, there is no need to check for recipient validity as we are the final destination; but unsure that the RCPT TO address is a valid recipient before doing the greylisting. | |||
* | Tell vim the underlying filetype of templates for syntax highlighting. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Reload Postfix upon configuration change, but don't restart it. | Guilhem Moulin | 2015-06-07 | 2 |
| | | | | | | (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, require a full restart, but most of the time it's overkill. | |||
* | Don't restart/reload Postifx upon change of a file based database. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | And don't restart or reload either upon change of pcre: files that are used by smtpd(8), cleanup(8) or local(8), following the suggestion from http://www.postfix.org/DATABASE_README.html#detect . | |||
* | Replace IPSec tunnels by app-level ephemeral TLS sessions. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well. | |||
* | Outgoing SMTP proxy. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Support boken SMTP clients and LOGIN SASL mechanism. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | wibble | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Assume a DNS entry for each role. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though. | |||
* | Don't pass the client information unless necessary. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Don't use IPSec to relay messages to localhost. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | typo | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | wibble | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | wibble | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Configure the Mail Submission Agent. | Guilhem Moulin | 2015-06-07 | 4 |