fripost-ansible - Fripost ansible scripts

	Commit message (Collapse)	Author	Age	Files
*	Don't let authenticated client use arbitrary sender addresses.	Guilhem Moulin	2017-06-01	1
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	The following policy is now implemented: * users can use their SASL login name as sender address; * alias and/or list owners can use the address as envelope sender; * domain postmasters can use arbitrary sender addresses under their domains; * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name; * for known domains without owner or postmasters, other sender addresses are not allowed; and * arbitrary sender addresses under unknown domains are allowed.
*	Ensure Postfix's LDAP searchBase exists when doing a lookup.	Guilhem Moulin	2015-06-07	1
\| \| \| \| \| \| \| \|	Postfix interprets Error Code 32 (No Such Object) as lookup failures, but that's ugly... Also, make Postfix simple bind against cn=postfix,ou=services,dc=fripost,dc=org.
*	Configure SyncRepl (OpenLDAP replication) and related ACLs.	Guilhem Moulin	2015-06-07	1
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute.
*	LDAP Sync Replication.	Guilhem Moulin	2015-06-07	1
\|
*	Provision /etc/default/slapd	Guilhem Moulin	2015-06-07	1
	This is because the UNIX domain socket to connect to when performing LDAP lookups needs to be in the chroot. Also, don't open a INET socket unless we're a Sync Provider.