summaryrefslogtreecommitdiffstats
path: root/roles/common-LDAP/templates
Commit message (Collapse)AuthorAgeFiles
* postfix-sender-login: Better hardening.Guilhem Moulin2020-05-211
| | | | Run as a dedicated user, not ‘postfix’.
* dovecot-auth-proxy: replace directory traversal with LDAP lookups.Guilhem Moulin2020-05-211
| | | | | | | | | | | | | This provides better isolation opportunity as the service doesn't need to run as ‘vmail’ user. We use a dedicated system user instead, and LDAP ACLs to limit its access to the strict minimum. The new solution is also more robust to quoting/escaping, and doesn't depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID instead of %d/%n at some point to make user renaming simpler). OTOH we no longer lists users that have been removed from LDAP but still have a mailstore lingering around. This is fair.
* LDAP: Update role to Debian Buster.Guilhem Moulin2020-05-191
|
* s/LDAP-provider/LDAP_provider/Guilhem Moulin2020-05-192
| | | | This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.
* Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch.Guilhem Moulin2018-12-091
|
* LDAP: Expose part of the database to Nextcloud.Guilhem Moulin2018-04-041
|
* Don't let authenticated client use arbitrary sender addresses.Guilhem Moulin2017-06-012
| | | | | | | | | | | | | | The following policy is now implemented: * users can use their SASL login name as sender address; * alias and/or list owners can use the address as envelope sender; * domain postmasters can use arbitrary sender addresses under their domains; * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name; * for known domains without owner or postmasters, other sender addresses are not allowed; and * arbitrary sender addresses under unknown domains are allowed.
* Set a rootdn on cn=Monitor.Guilhem Moulin2015-06-111
|
* slapd monitoring.Guilhem Moulin2015-06-101
| | | | | We don't use the provided 'slapd_' Munin plugin because it doesn't support SASL binds.
* Enforce "strong" authentication and FPS in LDAP.Guilhem Moulin2015-06-071
| | | | | Which is now possible since all LDAP clients and servers have been upgraded to Jessie, and Postfix is now able to perform SASL binds.
* Upgrade the MX configuration from Wheezy to Jessie.Guilhem Moulin2015-06-071
| | | | | | In particular, since Postfix is now able to perform LDAP lookups using SASL, previous hacks with simble binds on cn=postfix,ou=services,… can now be removed.
* typoGuilhem Moulin2015-06-071
|
* Configure the list manager (Sympa).Guilhem Moulin2015-06-071
|
* Upgrade the LDAP config to Jessie.Guilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-071
|
* Add an index on the 'fripostCanAddDomain' LDAP attribute.Guilhem Moulin2015-06-071
|
* Add extra indexes on the LDAP provider.Guilhem Moulin2015-06-071
| | | | Those will be useful for the tools.
* Use the raw 'fripostListManager' as routing internal subdomain.Guilhem Moulin2015-06-071
|
* Ensure Postfix's LDAP searchBase exists when doing a lookup.Guilhem Moulin2015-06-072
| | | | | | | | Postfix interprets Error Code 32 (No Such Object) as lookup failures, but that's ugly... Also, make Postfix simple bind against cn=postfix,ou=services,dc=fripost,dc=org.
* Fix issue with delete entries in the replication.Guilhem Moulin2015-06-071
| | | | | | | | It looks as if the SyncRepl need read access on the 'entry' and 'objectClass' attributes of the entry being deleted, and the entry being deleted no longer matches the ACL filters, so we have to grant access globally. (We still have fine-grain control on the other attributes which are not disclosed, though.)
* Add an LDAP attribute to check if the user wants to use the content filter.Guilhem Moulin2015-06-071
| | | | | This decision is left to the MX (as for 'fripostIsStatusActive'), which will set the envelope recipient accordingly.
* Fix client verification policy.Guilhem Moulin2015-06-071
|
* Remove o=mailHosting from the LDAP directory suffix.Guilhem Moulin2015-06-071
| | | | | | So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it before hand).
* Add note how to test SASL EXTERNAL authentication via TLS.Guilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* Configure SyncRepl (OpenLDAP replication) and related ACLs.Guilhem Moulin2015-06-072
| | | | | | | | | | | | | | | | | | | | | | | The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute.
* Enable zero-copy updates to the LDAP directory.Guilhem Moulin2015-06-071
|
* Assume a DNS entry for each role.Guilhem Moulin2015-06-071
| | | | | | E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though.
* Fix the catch-all resolution again.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | | | | We introduce a limitation on the domain-aliases: they can't have children (e.g., lists or users) any longer. The whole alias resolution, including catch-alls and domain aliases, is now done in 'virtual_alias_maps'. We stop the resolution by returning a dummy alias A -> A for mailboxes, before trying the catch-all maps. We're still using transport_maps for lists. If it turns out to be a bottleneck due to the high-latency coming from LDAP maps, (and the fact that there is a single qmgr(8) daemon), we could rewrite lists to a dummy subdomain and use a static transport_maps instead: virtual_alias_maps: mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain transport_maps: mlmmj.localhost.localdomain mlmmj:
* Mailing lists (using mlmmj).Guilhem Moulin2015-06-071
| | | | | | | | | Right now the list server cannot be hosted with a MX, due to bug 51: http://mlmmj.org/bugs/bug.php?id=51 Web archive can be compiled with MHonArc, but the web server configuration is not there yet.
* Remove list commands.Guilhem Moulin2015-06-071
| | | | | | They were only a dirty hack for list commands à la Mailman such as mylist-request. If we are to use another list manager such as mlmmj, which uses a VERP delimiter instead, the problem disappears.
* Remove the 'fripostLocalAlias' attribute.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | Instead, we pretend that lists are valid users (via a match in the mailbox_transport_maps) but choose a different transport (with the same request in transport_maps). The advantage is that we get rid of the ugly hack for list transport… A minor drawback is that we now have two LDAP lookups instead of one for non local addresses (ie, everything but reserved addresses). Hopefully the requests are cached; but even if they aren't, querying a local LDAP server is supposed to be cheap.
* Configure dovecot's antispam filter.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | Mails to be retrained are stored in the spooldir /home/mail/spamspool; later a daemon catches them up and feed them to sa-learn(1p). (On busy systems batch-process the learning should be much more efficient.) The folder transisition matrix along with the corresponding actions can be found there: http://hg.dovecot.org/dovecot-antispam-plugin/raw-file/5ebc6aae4d7c/doc/dovecot-antispam.7.txt See also dovecot-antispam(7).
* wibbleGuilhem Moulin2015-06-071
|
* Configure the content filter.Guilhem Moulin2015-06-071
| | | | | | | | | | | Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new. Each user has his/her amavis preferences, and own Bayes filter (to maximize privacy). One question remains, though: how to set spamassassin's trusted_networks / internal_networks / msa_networks? It seems not obivious to get it write with IPSec and dynamic IPs. (Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)
* wibbleGuilhem Moulin2015-06-071
|
* oopsGuilhem Moulin2015-06-071
|
* LDAP Sync Replication.Guilhem Moulin2015-06-072
|
* Postfix is compiled without SASL support.Guilhem Moulin2015-06-071
| | | | As of 2.9.6 (2.10), at least. See bug #730848.
* Configure the MX:es.Guilhem Moulin2015-06-071
|
* Provision /etc/default/slapdGuilhem Moulin2015-06-071
| | | | | | | This is because the UNIX domain socket to connect to when performing LDAP lookups needs to be in the chroot. Also, don't open a INET socket unless we're a Sync Provider.
* Allow flexible ACLs for SASL's EXTERNAL mechanism.Guilhem Moulin2015-06-071
| | | | | | "username=postfix,cn=peercred,cn=external,cn=auth" is replaced by "gidNumber=106+uidNumber=102,cn=peercred,cn=external,cn=auth" where 102 is postfix's UID and 106 its primary GID (looked up from /etc/passwd).
* Reorganization.Guilhem Moulin2015-06-071