| Commit message | Author | Age | Files | ||
|---|---|---|---|---|---|
| ... | |||||
| * | Upgrade the MX configuration from Wheezy to Jessie. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | | | In particular, since Postfix is now able to perform LDAP lookups using SASL, previous hacks with simple binds on cn=postfix,ou=services,… can now be removed. | ||||
| * | logjam mitigation. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 | |
| | | |||||
| * | Upgrade samhain config to Jessie. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | Upgrade custom logcheck-database to Jessie. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | Upgrade rkhunter config to Jessie. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | Upgrade amavis config to Jessie. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Upgrade Postfix config to Jessie (MSA & outgoing proxy). | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | Upgrade Dovecot config to Jessie. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | Configure the list manager (Sympa). | Guilhem Moulin | 2015-06-07 | 3 | |
| | | |||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | Disable rsyslog's rate-limiting. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | The default for rsyslog v7, but not for rsyslog v5. | ||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 | |
| | | |||||
| * | typo | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | Key usage 'keyCertSign' is required for self-signed certificates. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 | |
| | | |||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 | |
| | | |||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Amavis is logging to syslog with severity 'notice'. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | Don't merge amavis' logs into /var/log/syslog. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | | As they contain user information, we keep it in /var/log/mail.log only. These logs are kept for 3 days "only", as per our policy. | ||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Replace Postgrey with postscreen. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | | | | | | | | | | | See http://www.postfix.org/POSTSCREEN_README.html and http://rob0.nodns4.us/postscreen.html It's unfortunate that smtpd(8) cannot be chrooted any longer, which means that we have to un-chroot cleanup(8) as well. Indeed, currently smtpd(8) uses $virtual_alias_maps for recipient validation; later cleanup(8) uses it again for rewriting. So these processes need to be both chrooted, or both not. | ||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 | |
| | | |||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | Fix Amavis' Policy Banks. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | | | | | | | | It turns out that in a policy bank, a *_by_ccat doesn't replace the default but is merely merged into the default (if the keys overlap, those in the bank take precedence of course). Hence it's pointless to use CC_CATCHALL in a bank unless all the other keys have been overridden, for instance. Also, treat unchecked (eg, encrypted) mails as clean in the OUTGOING Policy Bank. | ||||
| * | Add a logcheck rule to ignore cyrus' annoying log messages. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | Namely, "DIGEST-MD5 common mech free". See also bug #631932. | ||||
| * | 'default_days' in openssl.cnf doesn't work, use -days instead. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 | |
| | | |||||
| * | Add ability to add custom OrganizationalUnits in genkeypair. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | Also, it's now possible to reuse an existing private key (with -f). | ||||
| * | Add ability to chmod, chown and set the key usage in genkeypair. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | Increase the timeout in the smtpd waiting for the reinjection from amavis. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | | | | | SMTP client connection caching was introduced in 2.6.0: the SMTP session is held for the next task (in adaptive mode, only when there was a delay of only 5s between the two previous mails), but Postfix will terminate it if the next mail doesn't come soon enough, or if amavis doesn't terminate it itself (usually after 15s). | ||||
| * | Install amavisd-new on the outgoing SMTP proxy. | Guilhem Moulin | 2015-06-07 | 3 | |
| | | | | | For DKIM signing and virus checking. | ||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Remove IPSec related files. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | Replace IPSec tunnels by app-level ephemeral TLS sessions. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well. | ||||
| * | Outgoing SMTP proxy. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Log SASL usernames for longer, but don't include mail.log into syslog. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | |||||
| * | Don't install 'unhide.rb'. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | Don't use generic maps. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | | | | | | | | | | | | | | In fact we want to only rewrite the envelope sender: :/etc/postfix/main.cf # Overwrite local FQDN envelope sender addresses sender_canonical_classes = envelope_sender propagate_unmatched_extensions = sender_canonical_maps = cdb:$config_directory/sender_canonical :/etc/postfix/sender_canonical @elefant.fripost.org admin@fripost.org However, when canonical(5) processes a mail sent via sendmail(1), it rewrites the envelope sender which seems to *later* be used as From: header. | ||||
| * | Make genkeypair.sh able to display TXT record for DKIM signatures. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | Add support for CSR and subjectAltName in genkeypair.sh. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | |||||
| * | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 | |
| | | |||||
| * | logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 | |
| | | |||||
| * | Don't require a PKI for IPSec. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | | | | | | | | Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machine (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines. | ||||
| * | Replace mktemp's deprecated -t option by --tmpdir. | Guilhem Moulin | 2015-06-07 | 1 | |
| | | | | | | But not in the installer, as busybox's implementation of mktemp didn't deprecate -t/-p. | ||||
| * | Make use of Ansible 1.5 new features. | Guilhem Moulin | 2015-06-07 | 2 | |
| | | | | | Most notably pipelining=True and sysctl_set=yes. | ||||
