summaryrefslogtreecommitdiffstats
path: root/roles/common/files/etc
Commit message (Collapse)AuthorAgeFiles
...
* Install amavisd-new on the outgoing SMTP proxy.Guilhem Moulin2015-06-072
| | | | For DKIM signing and virus checking.
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* Remove IPSec related files.Guilhem Moulin2015-06-071
|
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-071
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Outgoing SMTP proxy.Guilhem Moulin2015-06-071
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* Log SASL usernames for longer, but don't include mail.log into syslog.Guilhem Moulin2015-06-072
|
* Don't install 'unhide.rb'.Guilhem Moulin2015-06-071
|
* Don't use generic maps.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | In fact we want to only rewrite the envelope sender: :/etc/postfix/main.cf # Overwrite local FQDN envelope sender addresses sender_canonical_classes = envelope_sender propagate_unmatched_extensions = sender_canonical_maps = cdb:$config_directory/sender_canonical :/etc/postfix/sender_canonical @elefant.fripost.org admin@fripost.org However, when canonical(5) processes a mail sent vias sendmail(1), it rewrites the envelope sender which seems to *later* be use as From: header.
* More logcheck-database tweaks.Guilhem Moulin2015-06-073
|
* logcheck-database tweaks.Guilhem Moulin2015-06-073
|
* Make use of Ansible 1.5 new features.Guilhem Moulin2015-06-072
| | | | Most notably pipelining=True and sysctl_set=yes.
* Fix the catch-all resolution again.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | | | | We introduce a limitation on the domain-aliases: they can't have children (e.g., lists or users) any longer. The whole alias resolution, including catch-alls and domain aliases, is now done in 'virtual_alias_maps'. We stop the resolution by returning a dummy alias A -> A for mailboxes, before trying the catch-all maps. We're still using transport_maps for lists. If it turns out to be a bottleneck due to the high-latency coming from LDAP maps, (and the fact that there is a single qmgr(8) daemon), we could rewrite lists to a dummy subdomain and use a static transport_maps instead: virtual_alias_maps: mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain transport_maps: mlmmj.localhost.localdomain mlmmj:
* Mailing lists (using mlmmj).Guilhem Moulin2015-06-071
| | | | | | | | | Right now the list server cannot be hosted with a MX, due to bug 51: http://mlmmj.org/bugs/bug.php?id=51 Web archive can be compiled with MHonArc, but the web server configuration is not there yet.
* Excplicitely make local services run on localhost.Guilhem Moulin2015-06-071
|
* Fix catchall resolution.Guilhem Moulin2015-06-071
| | | | | | | | It has to be performed last, to give a chance to be accepted as a regular mailbox. We introduce a new, dedicated, smtpd daemon whose only purpose is to resolve catch-alls.
* Configure the webmail.Guilhem Moulin2015-06-072
|
* Configure the Mail Submission Agent.Guilhem Moulin2015-06-071
|
* Configure the Mail Delivery Agent.Guilhem Moulin2015-06-071
|
* Configure the MX:es.Guilhem Moulin2015-06-071
|
* Share master.cf accross all Postfix instances.Guilhem Moulin2015-06-071
| | | | | | And use main.cf's 'master_service_disable' setting to deactivate each service that's useless for a given instance. (Hence solve conflict when trying to listen twice on the same port, for instance.)
* Use a dedicated SMTP port for samhain.Guilhem Moulin2015-06-072
| | | | | | | It's unfortunate that samhain cannot use the sendmail binary, and wants to use a inet socket instead. We use a custom port to avoid conflicts with the usual SMTP port the MX:es need to listen on. See also: /usr/share/doc/samhain/TODO.Debian
* Reorganization.Guilhem Moulin2015-06-071
|
* Reformulate the headers showing the license.Guilhem Moulin2015-06-074
| | | | | To be clearer, and to follow the recommendation of the FSF, we include a full header rather than a single sentence.
* Common LDAP (slapd) configuration.Guilhem Moulin2015-06-071
|
* Postfix master (nullmailer) configurationGuilhem Moulin2015-06-072
| | | | We use a dedicated instance for each role: MDA, MTA out, MX, etc.
* Fix unattended-upgrades's configuration.Guilhem Moulin2015-06-071
| | | | | ${distro_codename} doesn't work properly there, so we put stable and/or oldstable instead.
* Replace the 'syslog' facility (5) by 'user' (1).Guilhem Moulin2015-06-071
| | | | | 'syslog' is meant for the messages generated internally by syslogd, whereas 'user' is for user-level messages.
* wibbleGuilhem Moulin2015-06-071
|
* Be more specific regarding the protocol in use for IPSec policies.Guilhem Moulin2015-06-071
| | | | We use ESP only, so other protocols shouldn't be ACCEPTed.
* Prohibit binding against the IP reserved for IPSec.Guilhem Moulin2015-06-071
| | | | | | | | | Packets originating from our (non-routable) $ipsec are marked; there is no xfrm lookup (i.e., no matching IPSec association), the packet will retain its mark and be null routed later on, thanks to ip rule add fwmark "$secmark" table 666 priority 666 ip route add blackhole default table 666
* Use a dedicated, non-routable, IPv4 for IPSec.Guilhem Moulin2015-06-072
| | | | | | | At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd from our dedicated IP after ESP decapsulation. Also, some IP tables ensure that alien (not coming from / going to the tunnel end-point) is dropped.
* Major refactoring of the firewall.Guilhem Moulin2015-06-071
| | | | | | | | | | Also, added some options: -f force: no confirmation asked -c check: check (dry-run) mode -v verbose: see the difference between old and new ruleset -4 IPv4 only -6 IPv6 only
* Configure the (basic) logging policy.Guilhem Moulin2015-06-073
|
* Configure rkhunter.Guilhem Moulin2015-06-072
|
* Configure samhain.Guilhem Moulin2015-06-071
|
* Configure v4 and v6 iptable rulesets.Guilhem Moulin2015-06-071
|
* Configure APT.Guilhem Moulin2015-06-073