Commit message | Author | Age | Files

For some reason giraff doesn't like IPSec.  App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.

In fact we want to only rewrite the envelope sender:

    :/etc/postfix/main.cf
    # Overwrite local FQDN envelope sender addresses
    sender_canonical_classes       = envelope_sender
    propagate_unmatched_extensions =
    sender_canonical_maps          = cdb:$config_directory/sender_canonical
    :/etc/postfix/sender_canonical
    @elefant.fripost.org     admin@fripost.org

However, when canonical(5) processes a mail sent via sendmail(1), it
rewrites the envelope sender, which seems to *later* be used as the From:
header.

Most notably pipelining=True and sysctl_set=yes.

We introduce a limitation on the domain-aliases: they can't have
children (e.g., lists or users) any longer.
The whole alias resolution, including catch-alls and domain aliases, is
now done in 'virtual_alias_maps'. We stop the resolution by returning a
dummy alias A -> A for mailboxes, before trying the catch-all maps.
We're still using transport_maps for lists. If it turns out to be a
bottleneck due to the high latency coming from LDAP maps (and the fact
that there is a single qmgr(8) daemon), we could rewrite lists to a
dummy subdomain and use a static transport_maps instead:

    virtual_alias_maps:
      mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain
    transport_maps:
      mlmmj.localhost.localdomain mlmmj:
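The resolution order this commit message describes (domain aliases first, a dummy A -> A entry that stops expansion for real mailboxes, catch-alls last, lists rewritten to a dummy subdomain picked up by a static transport_maps entry) is easy to get wrong: if the catch-all is consulted before the mailbox check, every real mailbox in the domain is silently redirected to the catch-all target. The Python model below is an added illustration and not code from the repository this log describes. All addresses, domains and table contents are constructed sample data, and the lookup sequence is a simplified model of the commit's description, not a reproduction of Postfix's exact table-search semantics.

```python
"""Model of the virtual_alias_maps resolution order described in the commit
message: domain alias rewrite, dummy self-alias for mailboxes, regular
aliases, list rewrite to a dummy transport subdomain, catch-all last.
Added illustration with constructed data; not the project's code and not
an exact model of Postfix's lookup rules."""
from typing import List, Set

# Constructed sample directory (hypothetical addresses and domains).
MAILBOXES = {"alice@example.org", "bob@example.org"}
ALIASES = {
    "postmaster@example.org": ["alice@example.org"],
    "team@example.org": ["alice@example.org", "bob@example.org"],
    # A deliberate alias loop, to show the depth guard below.
    "loop1@example.org": ["loop2@example.org"],
    "loop2@example.org": ["loop1@example.org"],
}
LISTS = {"mylist@example.org"}
# Domain aliases rewrite the whole domain; per the commit they have no children.
DOMAIN_ALIASES = {"example.net": "example.org"}
CATCH_ALLS = {"example.org": "bob@example.org"}
# Dummy subdomain for lists, handled by a static transport_maps entry.
LIST_TRANSPORT_DOMAIN = "mlmmj.localhost.localdomain"
TRANSPORT_MAPS = {LIST_TRANSPORT_DOMAIN: "mlmmj:"}
MAX_DEPTH = 10  # guard against alias loops (constructed limit)


def lookup(addr: str) -> List[str]:
    """One virtual_alias_maps lookup. Returns the rewritten address(es),
    or an empty list when no table matches (address is left as-is)."""
    local, _, domain = addr.partition("@")
    # 1. Domain alias: rewrite the domain part; recursion continues.
    if domain in DOMAIN_ALIASES:
        return [f"{local}@{DOMAIN_ALIASES[domain]}"]
    # 2. Mailbox: dummy alias A -> A stops resolution *before* the catch-all.
    if addr in MAILBOXES:
        return [addr]
    # 3. Regular aliases.
    if addr in ALIASES:
        return list(ALIASES[addr])
    # 4. Lists: rewrite to the dummy subdomain, as sketched in the commit.
    if addr in LISTS:
        return [f"{local}#{domain}@{LIST_TRANSPORT_DOMAIN}"]
    # 5. Catch-all is tried last, so it only sees unknown local parts.
    if domain in CATCH_ALLS:
        return [CATCH_ALLS[domain]]
    return []


def resolve(addr: str, depth: int = 0) -> Set[str]:
    """Expand recursively until an address maps to itself or nothing matches."""
    if depth > MAX_DEPTH:
        raise RecursionError(f"alias loop while resolving {addr}")
    results = lookup(addr)
    if not results or results == [addr]:
        # No match (address kept unchanged) or dummy A -> A: final recipient.
        return {addr}
    final: Set[str] = set()
    for rewritten in results:
        final |= resolve(rewritten, depth + 1)
    return final


def transport(addr: str) -> str:
    """Static transport_maps lookup on the domain part ('default' if unmapped)."""
    domain = addr.rsplit("@", 1)[1]
    return TRANSPORT_MAPS.get(domain, "default")


def has_loop(addr: str) -> bool:
    """True when resolution of addr never terminates within MAX_DEPTH."""
    try:
        resolve(addr)
    except RecursionError:
        return True
    return False


if __name__ == "__main__":
    for a in ("alice@example.org", "nobody@example.org",
              "postmaster@example.net", "mylist@example.org"):
        targets = resolve(a)
        print(a, "->", sorted(targets), [transport(t) for t in targets])
```

The mailbox check returning the self-alias is what keeps `alice@example.org` from being swallowed by the `example.org` catch-all; moving step 5 above step 2 in `lookup` reproduces exactly that failure, which is a useful thing to check with sample data whenever the map order is changed.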
Right now the list server cannot be hosted with an MX, due to bug 51:

    http://mlmmj.org/bugs/bug.php?id=51

Web archive can be compiled with MHonArc, but the web server
configuration is not there yet.

It has to be performed last, to give a chance to be accepted as a
regular mailbox.
We introduce a new, dedicated, smtpd daemon whose only purpose is to
resolve catch-alls.

And use main.cf's 'master_service_disable' setting to deactivate each
service that's useless for a given instance. (Hence solving conflicts when
trying to listen twice on the same port, for instance.)

It's unfortunate that samhain cannot use the sendmail binary, and wants
to use an inet socket instead. We use a custom port to avoid
conflicts with the usual SMTP port the MX:es need to listen on.
See also: /usr/share/doc/samhain/TODO.Debian

To be clearer, and to follow the recommendation of the FSF, we include
a full header rather than a single sentence.

We use a dedicated instance for each role: MDA, MTA out, MX, etc.

${distro_codename} doesn't work properly there, so we put stable and/or
oldstable instead.

'syslog' is meant for the messages generated internally by syslogd,
whereas 'user' is for user-level messages.

We use ESP only, so other protocols shouldn't be ACCEPTed.

Packets originating from our (non-routable) $ipsec are marked; if there is
no xfrm lookup (i.e., no matching IPSec association), the packet will
retain its mark and be null routed later on, thanks to

    ip rule  add fwmark "$secmark" table 666 priority 666
    ip route add blackhole default table 666

At each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd
from our dedicated IP after ESP decapsulation. Also, some IP tables
ensure that alien traffic (not coming from / going to the tunnel end-point)
is dropped.

Also, added some options:

    -f force:   no confirmation asked
    -c check:   check (dry-run) mode
    -v verbose: see the difference between old and new ruleset
    -4 IPv4 only
    -6 IPv6 only