| Commit message | Author | Date | Files |
|---|---|---|---|
| dovecot: enable user iteration and add a cronjob for `doveadm purge -A` | Guilhem Moulin | 2017-06-05 | 1 |
| postfix: don't rate-limit our IPsec subnet. | Guilhem Moulin | 2017-06-02 | 1 |
| /lib/systemd/system → /etc/systemd/system | Guilhem Moulin | 2017-05-31 | 3 |
| MSA: reject null sender address. | Guilhem Moulin | 2017-05-14 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2016-12-08 | 1 |
| Firewall: allow duplicate rules. | Guilhem Moulin | 2016-09-18 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2016-08-22 | 2 |
| Postfix: don't share the master.cf between the instances. | Guilhem Moulin | 2016-07-10 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2016-07-09 | 2 |
| IPSec → IPsec | Guilhem Moulin | 2016-06-29 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2016-06-29 | 3 |
| update-firewall.sh: COMMIT empty iptables rule files. | Guilhem Moulin | 2016-06-29 | 1 |
| typo | Guilhem Moulin | 2016-05-24 | 1 |
| IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication.<br>There is no need to bother with X.509 cruft here. | Guilhem Moulin | 2016-05-24 | 1 |
| genkeypair, gendhparam: use -rand /dev/urandom when generating keys or DH parameters. | Guilhem Moulin | 2016-05-22 | 2 |
| Tunnel bacula (dir → {fd,sd} and fd → sd) traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 1 |
| Set up IPSec tunnels between each pair of hosts.<br>We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachable within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed. | Guilhem Moulin | 2016-05-22 | 4 |
| postfix: master.cf wibble | Guilhem Moulin | 2016-05-18 | 1 |
| postfix: Update to recommended TLS settings.<br>Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.) | Guilhem Moulin | 2016-05-18 | 1 |
| Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.<br>Ideally we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per the ENISA 2014 report: https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older clients won't be left out. | Guilhem Moulin | 2016-05-18 | 1 |
| Add hardening options to our systemd unit files. | Guilhem Moulin | 2016-05-12 | 1 |
| Use systemd unit files for stunnel4. | Guilhem Moulin | 2016-05-12 | 3 |
| More logcheck-database tweaks. | Guilhem Moulin | 2016-03-13 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2016-02-17 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-12-15 | 2 |
| typo | Guilhem Moulin | 2015-12-04 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-12-01 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-11-12 | 1 |
| genkeypair: use install(1) for atomic file creation with permission mode. | Guilhem Moulin | 2015-10-28 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-10-14 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-09-24 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-09-21 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-09-15 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-08-21 | 3 |
| Update unattended-upgrades configuration. | Guilhem Moulin | 2015-07-19 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-22 | 1 |
| logcheck: Match only hexdigits in postfix queue ID. | Guilhem Moulin | 2015-06-19 | 1 |
| Match IPv6 addresses in logcheck rules. | Guilhem Moulin | 2015-06-19 | 1 |
| Use a single LDAP connection per Munin round to collect slapd statistics.<br>Using multigraphs instead. | Guilhem Moulin | 2015-06-11 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-10 | 3 |
| slapd monitoring.<br>We don't use the provided 'slapd_' Munin plugin because it doesn't support SASL binds. | Guilhem Moulin | 2015-06-10 | 1 |
| Configure munin nodes & master.<br>Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. | Guilhem Moulin | 2015-06-10 | 8 |
| Don't assume that Postfix queue IDs are always 10 digits long. | Guilhem Moulin | 2015-06-10 | 1 |
| Add a reserved domain 'discard.fripost.org' to discard messages.<br>‘noreply@’ aliases can be added by routing them to ‘@discard.fripost.org’. | Guilhem Moulin | 2015-06-07 | 1 |
| Make the webmail connect directly to the outgoing SMTP proxy.<br>(Hence delete the 'webmail' Postfix instance.) This shortens the delay caused by the recipient verification probes. | Guilhem Moulin | 2015-06-07 | 2 |
| Use recipient address verification probes.<br>This is especially useful for mailing lists and the webmail, since it prevents our outgoing gateway from accepting mails known to be bouncing. However, the downside is that it adds a delay of up to 6s after the RCPT TO command. | Guilhem Moulin | 2015-06-07 | 1 |
| Configure Bacula File Daemon / Storage Daemon / Director.<br>Using client-side data signing/encryption and wrapping inter-host communication into stunnel. | Guilhem Moulin | 2015-06-07 | 1 |
| firewall: allow 127.0.0.1/8 on lo. | Guilhem Moulin | 2015-06-07 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 |
| genkeypair.sh: Merge privkey and pubkey for identical filekeys.<br>Also, set ‘subjectKeyIdentifier = hash’ in the CSR. | Guilhem Moulin | 2015-06-07 | 1 |