summaryrefslogtreecommitdiffstats
path: root/roles/common/files/etc
Commit message (Collapse)AuthorAgeFiles
...
* Replace Postgrey with postscreen.Guilhem Moulin2015-06-072
| | | | | | | | | | | See http://www.postfix.org/POSTSCREEN_README.html and http://rob0.nodns4.us/postscreen.html It's infortunate that smtpd(8) cannot be chrooted any longer, which means that we have to un-chroot cleanup(8) as well. Indeed, currently smtpd(8) uses $virtual_alias_maps for recipient validation; later cleanup(8) uses it again for rewriting. So these processes need to be both chrooted, or both not.
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-073
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-071
|
* Fix Amavis' Policy Banks.Guilhem Moulin2015-06-071
| | | | | | | | | | | It turns out that in a policy bank, a *_by_ccat doesn't replace the default but is merely merged into the default (if the keys overlap, those in the bank take precedence of course). Hence it's pointless to use CC_CATCHALL in a bank unless all the other keys have been overridden, for instance. Also, treat unchecked (eg, encrypted) mails as clean in the OUTGOING Policy Bank.
* Add a logcheck rule to ignore cyrus' annoying log messages.Guilhem Moulin2015-06-071
| | | | Namely, "DIGEST-MD5 common mech free". See also bug #631932.
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-073
|
* Increase the timeout in the smtpd waiting for the reinjection from amavis.Guilhem Moulin2015-06-071
| | | | | | | | SMTP client connection caching was introduced in 2.6.0: the SMTP session is held for the next task (in adaptative mode, only when there was a delay of only 5s between the two previous mails), but Postfix will terminate it if the next mail doesn't come soon enough, or if amavis does't terminate it itself (usually after 15s).
* Install amavisd-new on the outgoing SMTP proxy.Guilhem Moulin2015-06-072
| | | | For DKIM signing and virus checking.
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* Remove IPSec related files.Guilhem Moulin2015-06-071
|
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-071
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Outgoing SMTP proxy.Guilhem Moulin2015-06-071
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* Log SASL usernames for longer, but don't include mail.log into syslog.Guilhem Moulin2015-06-072
|
* Don't install 'unhide.rb'.Guilhem Moulin2015-06-071
|
* Don't use generic maps.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | In fact we want to only rewrite the envelope sender: :/etc/postfix/main.cf # Overwrite local FQDN envelope sender addresses sender_canonical_classes = envelope_sender propagate_unmatched_extensions = sender_canonical_maps = cdb:$config_directory/sender_canonical :/etc/postfix/sender_canonical @elefant.fripost.org admin@fripost.org However, when canonical(5) processes a mail sent vias sendmail(1), it rewrites the envelope sender which seems to *later* be use as From: header.
* More logcheck-database tweaks.Guilhem Moulin2015-06-073
|
* logcheck-database tweaks.Guilhem Moulin2015-06-073
|
* Make use of Ansible 1.5 new features.Guilhem Moulin2015-06-072
| | | | Most notably pipelining=True and sysctl_set=yes.
* Fix the catch-all resolution again.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | | | | We introduce a limitation on the domain-aliases: they can't have children (e.g., lists or users) any longer. The whole alias resolution, including catch-alls and domain aliases, is now done in 'virtual_alias_maps'. We stop the resolution by returning a dummy alias A -> A for mailboxes, before trying the catch-all maps. We're still using transport_maps for lists. If it turns out to be a bottleneck due to the high-latency coming from LDAP maps, (and the fact that there is a single qmgr(8) daemon), we could rewrite lists to a dummy subdomain and use a static transport_maps instead: virtual_alias_maps: mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain transport_maps: mlmmj.localhost.localdomain mlmmj:
* Mailing lists (using mlmmj).Guilhem Moulin2015-06-071
| | | | | | | | | Right now the list server cannot be hosted with a MX, due to bug 51: http://mlmmj.org/bugs/bug.php?id=51 Web archive can be compiled with MHonArc, but the web server configuration is not there yet.
* Excplicitely make local services run on localhost.Guilhem Moulin2015-06-071
|
* Fix catchall resolution.Guilhem Moulin2015-06-071
| | | | | | | | It has to be performed last, to give a chance to be accepted as a regular mailbox. We introduce a new, dedicated, smtpd daemon whose only purpose is to resolve catch-alls.
* Configure the webmail.Guilhem Moulin2015-06-072
|
* Configure the Mail Submission Agent.Guilhem Moulin2015-06-071
|
* Configure the Mail Delivery Agent.Guilhem Moulin2015-06-071
|
* Configure the MX:es.Guilhem Moulin2015-06-071
|
* Share master.cf accross all Postfix instances.Guilhem Moulin2015-06-071
| | | | | | And use main.cf's 'master_service_disable' setting to deactivate each service that's useless for a given instance. (Hence solve conflict when trying to listen twice on the same port, for instance.)
* Use a dedicated SMTP port for samhain.Guilhem Moulin2015-06-072
| | | | | | | It's unfortunate that samhain cannot use the sendmail binary, and wants to use a inet socket instead. We use a custom port to avoid conflicts with the usual SMTP port the MX:es need to listen on. See also: /usr/share/doc/samhain/TODO.Debian
* Reorganization.Guilhem Moulin2015-06-071
|
* Reformulate the headers showing the license.Guilhem Moulin2015-06-074
| | | | | To be clearer, and to follow the recommendation of the FSF, we include a full header rather than a single sentence.
* Common LDAP (slapd) configuration.Guilhem Moulin2015-06-071
|
* Postfix master (nullmailer) configurationGuilhem Moulin2015-06-072
| | | | We use a dedicated instance for each role: MDA, MTA out, MX, etc.
* Fix unattended-upgrades's configuration.Guilhem Moulin2015-06-071
| | | | | ${distro_codename} doesn't work properly there, so we put stable and/or oldstable instead.
* Replace the 'syslog' facility (5) by 'user' (1).Guilhem Moulin2015-06-071
| | | | | 'syslog' is meant for the messages generated internally by syslogd, whereas 'user' is for user-level messages.
* wibbleGuilhem Moulin2015-06-071
|
* Be more specific regarding the protocol in use for IPSec policies.Guilhem Moulin2015-06-071
| | | | We use ESP only, so other protocols shouldn't be ACCEPTed.
* Prohibit binding against the IP reserved for IPSec.Guilhem Moulin2015-06-071
| | | | | | | | | Packets originating from our (non-routable) $ipsec are marked; there is no xfrm lookup (i.e., no matching IPSec association), the packet will retain its mark and be null routed later on, thanks to ip rule add fwmark "$secmark" table 666 priority 666 ip route add blackhole default table 666
* Use a dedicated, non-routable, IPv4 for IPSec.Guilhem Moulin2015-06-072
| | | | | | | At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd from our dedicated IP after ESP decapsulation. Also, some IP tables ensure that alien (not coming from / going to the tunnel end-point) is dropped.
* Major refactoring of the firewall.Guilhem Moulin2015-06-071
| | | | | | | | | | Also, added some options: -f force: no confirmation asked -c check: check (dry-run) mode -v verbose: see the difference between old and new ruleset -4 IPv4 only -6 IPv6 only
* Configure the (basic) logging policy.Guilhem Moulin2015-06-073
|
* Configure rkhunter.Guilhem Moulin2015-06-072
|
* Configure samhain.Guilhem Moulin2015-06-071
|
* Configure v4 and v6 iptable rulesets.Guilhem Moulin2015-06-071
|
* Configure APT.Guilhem Moulin2015-06-073