path: root/roles/common-LDAP
Commit message (Author, Age, Files)

* postfix-sender-login: Better hardening. (Guilhem Moulin, 2020-05-21, 1 file)
  Run as a dedicated user, not ‘postfix’.

* dovecot-auth-proxy: replace directory traversal with LDAP lookups. (Guilhem Moulin, 2020-05-21, 1 file)
  This provides a better isolation opportunity as the service doesn't need to run as the ‘vmail’ user. We use a dedicated system user instead, and LDAP ACLs to limit its access to the strict minimum. The new solution is also more robust to quoting/escaping, and doesn't depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID instead of %d/%n at some point to make user renaming simpler). OTOH we no longer list users that have been removed from LDAP but still have a mailstore lingering around. This is fair.

* LDAP: Update role to Debian Buster. (Guilhem Moulin, 2020-05-19, 1 file)

* s/LDAP-provider/LDAP_provider/ (Guilhem Moulin, 2020-05-19, 3 files)
  This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.

* Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch. (Guilhem Moulin, 2018-12-09, 1 file)

* Upgrade syntax to Ansible 2.7 (apt module). (Guilhem Moulin, 2018-12-03, 1 file)

* LDAP: Expose part of the database to Nextcloud. (Guilhem Moulin, 2018-04-04, 1 file)

* Don't let authenticated clients use arbitrary sender addresses. (Guilhem Moulin, 2017-06-01, 2 files)
  The following policy is now implemented:
  * users can use their SASL login name as sender address;
  * alias and/or list owners can use the address as envelope sender;
  * domain postmasters can use arbitrary sender addresses under their domains;
  * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name;
  * for known domains without owner or postmasters, other sender addresses are not allowed; and
  * arbitrary sender addresses under unknown domains are allowed.

* Change group of executables in /usr/local/{bin,sbin} from root to staff. (Guilhem Moulin, 2017-05-14, 1 file)

* Add an ansible module 'fetch_cmd' to fetch the output of a remote command locally. (Guilhem Moulin, 2016-05-18, 1 file)
  And use this to fetch all X.509 leaf certificates.

* Upgrade playbooks to Ansible 2.0. (Guilhem Moulin, 2016-02-12, 1 file)

* genkeypair: use install(1) for atomic file creation with permission mode. (Guilhem Moulin, 2015-10-28, 1 file)

* Set a rootdn on cn=Monitor. (Guilhem Moulin, 2015-06-11, 1 file)

* Use a single LDAP connection per Munin round to collect slapd statistics. (Guilhem Moulin, 2015-06-11, 1 file)
  Using multigraphs instead.

* slapd monitoring. (Guilhem Moulin, 2015-06-10, 4 files)
  We don't use the provided 'slapd_' Munin plugin because it doesn't support SASL binds.

* Change slapd dump filenames. (Guilhem Moulin, 2015-06-07, 1 file)
  E.g., ‘0.ldif’ → ‘slapd-0.ldif’.

* Configure Bacula File Daemon / Storage Daemon / Director. (Guilhem Moulin, 2015-06-07, 2 files)
  Using client-side data signing/encryption and wrapping inter-host communication into stunnel.

* wibble (Guilhem Moulin, 2015-06-07, 1 file)

* Enforce "strong" authentication and FPS in LDAP. (Guilhem Moulin, 2015-06-07, 1 file)
  Which is now possible since all LDAP clients and servers have been upgraded to Jessie, and Postfix is now able to perform SASL binds.

* Upgrade the MX configuration from Wheezy to Jessie. (Guilhem Moulin, 2015-06-07, 1 file)
  In particular, since Postfix is now able to perform LDAP lookups using SASL, previous hacks with simple binds on cn=postfix,ou=services,… can now be removed.

* typo (Guilhem Moulin, 2015-06-07, 1 file)

* Configure the list manager (Sympa). (Guilhem Moulin, 2015-06-07, 1 file)

* Upgrade the LDAP config to Jessie. (Guilhem Moulin, 2015-06-07, 3 files)

* Key usage 'keyCertSign' is required for self-signed certificates. (Guilhem Moulin, 2015-06-07, 1 file)

* Add a keyring and alternative contact to the LDAP DIT. (Guilhem Moulin, 2015-06-07, 1 file)

* wibble (Guilhem Moulin, 2015-06-07, 1 file)

* Add an index on the 'fripostCanAddDomain' LDAP attribute. (Guilhem Moulin, 2015-06-07, 1 file)

* Add extra indexes on the LDAP provider. (Guilhem Moulin, 2015-06-07, 1 file)
  Those will be useful for the tools.

* Use the raw 'fripostListManager' as routing internal subdomain. (Guilhem Moulin, 2015-06-07, 1 file)

* Ensure Postfix's LDAP searchBase exists when doing a lookup. (Guilhem Moulin, 2015-06-07, 2 files)
  Postfix interprets Error Code 32 (No Such Object) as lookup failures, but that's ugly... Also, make Postfix simple bind against cn=postfix,ou=services,dc=fripost,dc=org.

* Fix issue with deleted entries in the replication. (Guilhem Moulin, 2015-06-07, 1 file)
  It looks as if the SyncRepl needs read access on the 'entry' and 'objectClass' attributes of the entry being deleted, and the entry being deleted no longer matches the ACL filters, so we have to grant access globally. (We still have fine-grained control on the other attributes, which are not disclosed, though.)

* Add an LDAP attribute to check if the user wants to use the content filter. (Guilhem Moulin, 2015-06-07, 2 files)
  This decision is left to the MX (as for 'fripostIsStatusActive'), which will set the envelope recipient accordingly.

* Fix client verification policy. (Guilhem Moulin, 2015-06-07, 1 file)

* Make the Ansible LDAP plugin able to delete entries and attributes. (Guilhem Moulin, 2015-06-07, 1 file)
  Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on the 'config' database.

* Fix race condition when generating certificates for slapd. (Guilhem Moulin, 2015-06-07, 1 file)
  The SyncProv won't start if the file olcTLSCACertificateFile points to doesn't exist.

* Remove o=mailHosting from the LDAP directory suffix. (Guilhem Moulin, 2015-06-07, 4 files)
  So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it beforehand).

* Add a note on how to test SASL EXTERNAL authentication via TLS. (Guilhem Moulin, 2015-06-07, 1 file)

* typo (Guilhem Moulin, 2015-06-07, 1 file)

* Configure SyncRepl (OpenLDAP replication) and related ACLs. (Guilhem Moulin, 2015-06-07, 3 files)
  The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy.
  Overview:
  - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires').
  - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (e.g., ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security.
  - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind).
  - Admins have restrictions similar to those of the services.
  - User access is only restricted by our global 'olcSecurity' attribute.

* Enable zero-copy updates to the LDAP directory. (Guilhem Moulin, 2015-06-07, 2 files)

* Assume a DNS entry for each role. (Guilhem Moulin, 2015-06-07, 1 file)
  E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc.), though.

* Add XXX comments for ad hoc fixes for some known bugs. (Guilhem Moulin, 2015-06-07, 1 file)
  (To be removed when the fix enters stable.)

* Fix the catch-all resolution again. (Guilhem Moulin, 2015-06-07, 2 files)
  We introduce a limitation on the domain-aliases: they can't have children (e.g., lists or users) any longer. The whole alias resolution, including catch-alls and domain aliases, is now done in 'virtual_alias_maps'. We stop the resolution by returning a dummy alias A -> A for mailboxes, before trying the catch-all maps.
  We're still using transport_maps for lists. If it turns out to be a bottleneck due to the high latency coming from LDAP maps (and the fact that there is a single qmgr(8) daemon), we could rewrite lists to a dummy subdomain and use a static transport_maps instead:
    virtual_alias_maps: mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain
    transport_maps:     mlmmj.localhost.localdomain mlmmj:

* Mailing lists (using mlmmj). (Guilhem Moulin, 2015-06-07, 1 file)
  Right now the list server cannot be hosted with a MX, due to bug 51: http://mlmmj.org/bugs/bug.php?id=51
  Web archives can be compiled with MHonArc, but the web server configuration is not there yet.

* Remove list commands. (Guilhem Moulin, 2015-06-07, 2 files)
  They were only a dirty hack for list commands à la Mailman such as mylist-request. If we are to use another list manager such as mlmmj, which uses a VERP delimiter instead, the problem disappears.

* Remove the 'fripostLocalAlias' attribute. (Guilhem Moulin, 2015-06-07, 2 files)
  Instead, we pretend that lists are valid users (via a match in the mailbox_transport_maps) but choose a different transport (with the same request in transport_maps). The advantage is that we get rid of the ugly hack for list transport… A minor drawback is that we now have two LDAP lookups instead of one for non-local addresses (i.e., everything but reserved addresses). Hopefully the requests are cached; but even if they aren't, querying a local LDAP server is supposed to be cheap.

* wibble (Guilhem Moulin, 2015-06-07, 1 file)

* Configure dovecot's antispam filter. (Guilhem Moulin, 2015-06-07, 1 file)
  Mails to be retrained are stored in the spooldir /home/mail/spamspool; later a daemon catches them up and feeds them to sa-learn(1p). (On busy systems batch-processing the learning should be much more efficient.) The folder transition matrix along with the corresponding actions can be found there: http://hg.dovecot.org/dovecot-antispam-plugin/raw-file/5ebc6aae4d7c/doc/dovecot-antispam.7.txt
  See also dovecot-antispam(7).

* wibble (Guilhem Moulin, 2015-06-07, 2 files)

* Include amavisd-new's LDAP schema. (Guilhem Moulin, 2015-06-07, 1 file)
  It'd certainly be nicer if we didn't have to deploy amavis' schema everywhere, but we need the 'objectClass' in our replicas, hence they need to be aware of the 'amavisAccount' class.