summaryrefslogtreecommitdiffstats
path: root/roles/MX
Commit message (Collapse)AuthorAgeFiles
* Postscreen: Give temporary whitelist status to primary MX addresses only.Guilhem Moulin2016-09-201
|
* postfix: commit the master.cf symlinks.Guilhem Moulin2016-07-121
|
* Route all internal SMTP traffic through IPsec.Guilhem Moulin2016-07-102
|
* Postfix MX/MSA instances: put certs in the the instance's $config_directory.Guilhem Moulin2016-07-102
|
* Postfix MX/MSA instances: don't ask the remote SMTP client for a client ↵Guilhem Moulin2016-07-101
| | | | | | | certificate. See postconf(5). This avoids the “(Client did not present a certificate)” messages in the Received headers.
* Postfix: don't share the master.cf between the instances.Guilhem Moulin2016-07-102
|
* postfix: Don't explicitly set inet_interfaces=all as it's the default.Guilhem Moulin2016-07-101
|
* Change the pubkey extension from .pem to .pub.Guilhem Moulin2016-07-101
|
* certs/public: fetch each cert's pubkey (SPKI), not the cert itself.Guilhem Moulin2016-06-151
| | | | To avoid new commits upon cert renewal.
* postfix: Update to recommended TLS settings.Guilhem Moulin2016-05-181
| | | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.)
* postfix: unset 'smtpd_tls_session_cache_database'.Guilhem Moulin2016-05-181
| | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11 http://article.gmane.org/gmane.mail.postfix.user/251935
* Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.Guilhem Moulin2016-05-181
| | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out.
* postfix: disable weak ciphers for the 'encrypt' TLS security level.Guilhem Moulin2016-05-181
| | | | That is, on the MSA and in our local infrastructure.
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵Guilhem Moulin2016-05-181
| | | | | | locally. And use this to fetch all X.509 leaf certificates.
* Let's EncryptGuilhem Moulin2016-03-021
|
* Upgrade playbooks to Ansible 2.0.Guilhem Moulin2016-02-121
|
* Use the Let's Encrypt CA for our public certs.Guilhem Moulin2015-12-202
|
* Automatically fetch X.509 certificates, and add them to git.Guilhem Moulin2015-12-031
|
* Fix address verification probes on the MSA.Guilhem Moulin2015-09-161
| | | | | Put all relay restrictions under smtpd_relay_restrictions and leave smtpd_recipient_restrictions empty, since we don't do DNSBL.
* Don't bounce unverified recipients upon 4xx errors.Guilhem Moulin2015-06-111
| | | | | | | We don't want to bounce messages for which the recipient(s)' MTA replies 451 due to some greylisting in place. We would like to accept 451 alone, but unfortunately it's not possible to bounce unverified recipients due to DNS or networking errors.
* Configure munin nodes & master.Guilhem Moulin2015-06-102
| | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI.
* Add a reserved domain 'discard.fripost.org' to discard messages.Guilhem Moulin2015-06-072
| | | | | ‘noreply@’ aliases can be added by routing them to ‘@discard.fripost.org’.
* Upgrade the MX configuration from Wheezy to Jessie.Guilhem Moulin2015-06-079
| | | | | | In particular, since Postfix is now able to perform LDAP lookups using SASL, previous hacks with simble binds on cn=postfix,ou=services,… can now be removed.
* logjam mitigation.Guilhem Moulin2015-06-071
|
* Configure the list manager (Sympa).Guilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* Split templates / files in lookup tables.Guilhem Moulin2015-06-078
|
* Replace Postgrey with postscreen.Guilhem Moulin2015-06-079
| | | | | | | | | | | See http://www.postfix.org/POSTSCREEN_README.html and http://rob0.nodns4.us/postscreen.html It's infortunate that smtpd(8) cannot be chrooted any longer, which means that we have to un-chroot cleanup(8) as well. Indeed, currently smtpd(8) uses $virtual_alias_maps for recipient validation; later cleanup(8) uses it again for rewriting. So these processes need to be both chrooted, or both not.
* Verify the validity of users before that of aliases.Guilhem Moulin2015-06-071
|
* Remove reject_unknown_sender_domain from the MX.Guilhem Moulin2015-06-071
| | | | | There are false-positive with that, for instead due to SOA records pointing to non-existing subdomains.
* wibbleGuilhem Moulin2015-06-071
|
* Use the raw 'fripostListManager' as routing internal subdomain.Guilhem Moulin2015-06-071
|
* Fix $smtpd_sender_restrictions.Guilhem Moulin2015-06-071
| | | | | | | | | | | | On the MDA the domain is our 'mda.fripost.org', there is no need to perform an extra DNS lookup. The MSA does not perform local or virtual delivery, but relays everything to the outgoing SMTP proxy. On the MX, there is no need to check for recipient validity as we are the final destination; but unsure that the RCPT TO address is a valid recipient before doing the greylisting.
* Explain why we use static transport maps and custom subdomains.Guilhem Moulin2015-06-072
|
* Use $virtual_alias_domains not $virtual_mailbox_domains.Guilhem Moulin2015-06-075
| | | | | | | | | | | | | | | | | | | | | | | | | Quoting postconf(5): smtpd_reject_unlisted_recipient (default: yes) Request that the Postfix SMTP server rejects mail for unknown recipient addresses, even when no explicit reject_unlisted_recipient access restriction is specified. This prevents the Postfix queue from filling up with undeliverable MAILER-DAEMON messages. An address is always considered "known" when it matches a virtual(5) alias or a canonical(5) mapping. […] * The recipient domain matches $virtual_alias_domains but the recipient is not listed in $virtual_alias_maps. * The recipient domain matches $virtual_mailbox_domains but the recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null. Since we alias everything under special, "invalid", domains (mda.f.o and mailman.f.o), our $virtual_mailbox_maps was null, which led to reject_unlisted_recipient not being triggered for say, "noone@fripost.org". However, replacing $virtual_mailbox_domains with $virtual_alias_domains fits into the second point above.
* Perform the alias resolution and address validation solely on the MX:es.Guilhem Moulin2015-06-0710
| | | | | We can therefore spare some lookups on the MDA, and use static:all instead.
* Ensure Postfix's LDAP searchBase exists when doing a lookup.Guilhem Moulin2015-06-076
| | | | | | | | Postfix interprets Error Code 32 (No Such Object) as lookup failures, but that's ugly... Also, make Postfix simple bind against cn=postfix,ou=services,dc=fripost,dc=org.
* Remove o=mailHosting from the LDAP directory suffix.Guilhem Moulin2015-06-077
| | | | | | So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it before hand).
* Fix a corner case in reserved-alias.pl.Guilhem Moulin2015-06-071
| | | | | 'if $l' is false when $l is 0, while 0@example.org is a perfectly valid address.
* Tell vim the underlying filetype of templates for syntax highlighting.Guilhem Moulin2015-06-071
|
* Reload Postfix upon configuration change, but don't restart it.Guilhem Moulin2015-06-072
| | | | | | (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, require a full restart, but most of the time it's overkill.
* Don't restart/reload Postifx upon change of a file based database.Guilhem Moulin2015-06-071
| | | | | | And don't restart or reload either upon change of pcre: files that are used by smtpd(8), cleanup(8) or local(8), following the suggestion from http://www.postfix.org/DATABASE_README.html#detect .
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-072
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Outgoing SMTP proxy.Guilhem Moulin2015-06-071
|
* Support boken SMTP clients and LOGIN SASL mechanism.Guilhem Moulin2015-06-071
|
* Assume a DNS entry for each role.Guilhem Moulin2015-06-074
| | | | | | E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though.
* Decongestion potential bottlenecks on trivial_rewrite(8).Guilhem Moulin2015-06-077
| | | | | | | | | | | | | Which might be caused by slow LDAP lookups in transport_maps. Instead, we alias each addresses for which we want a custom transport to a dedicated "dummy" domain, and use a static (CDB) transport_maps to map said domains to their transport; the receiver can then use canonical(8) to restore the original envelope recipient. Since the alias resolution is performed by cleanup(8), which can run in parallel with other instances, it should decongestion bottlenecks under heavy loads. So far only the MX:es have been decongestioned. The list manager and the MDA should be treated as well.
* Fix the catch-all resolution again.Guilhem Moulin2015-06-0711
| | | | | | | | | | | | | | | | | | | | We introduce a limitation on the domain-aliases: they can't have children (e.g., lists or users) any longer. The whole alias resolution, including catch-alls and domain aliases, is now done in 'virtual_alias_maps'. We stop the resolution by returning a dummy alias A -> A for mailboxes, before trying the catch-all maps. We're still using transport_maps for lists. If it turns out to be a bottleneck due to the high-latency coming from LDAP maps, (and the fact that there is a single qmgr(8) daemon), we could rewrite lists to a dummy subdomain and use a static transport_maps instead: virtual_alias_maps: mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain transport_maps: mlmmj.localhost.localdomain mlmmj:
* Don't use IPSec to relay messages to localhost.Guilhem Moulin2015-06-071
|