| Commit message (Collapse) | Author | Age | Files |
... | |
| |
|
|
|
|
|
| |
For some reason giraff doesn't like IPSec. App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In fact we want to only rewrite the envelope sender:
:/etc/postfix/main.cf
# Overwrite local FQDN envelope sender addresses
sender_canonical_classes = envelope_sender
propagate_unmatched_extensions =
sender_canonical_maps = cdb:$config_directory/sender_canonical
:/etc/postfix/sender_canonical
@elefant.fripost.org admin@fripost.org
However, when canonical(5) processes a mail sent vias sendmail(1), it
rewrites the envelope sender which seems to *later* be use as From:
header.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Instead, generate a server certificate for each host (on the machine
itself). Then fetch all these certs locally, and copy them over to each
IPSec peer. That requires more certs to be stored on each machines (n
vs 2), but it can be done automatically, and is easier to deploy.
Note: When adding a new machine to the inventory, one needs to run the
playbook on that machine (to generate the cert and fetch it locally)
first, then on all other machines.
|
|
|
|
|
| |
But not in the installer, as busybox's implementation of mktemp didn't
deprecate -t/-p.
|
|
|
|
| |
Most notably pipelining=True and sysctl_set=yes.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We introduce a limitation on the domain-aliases: they can't have
children (e.g., lists or users) any longer.
The whole alias resolution, including catch-alls and domain aliases, is
now done in 'virtual_alias_maps'. We stop the resolution by returning a
dummy alias A -> A for mailboxes, before trying the catch-all maps.
We're still using transport_maps for lists. If it turns out to be a
bottleneck due to the high-latency coming from LDAP maps, (and the fact
that there is a single qmgr(8) daemon), we could rewrite lists to a
dummy subdomain and use a static transport_maps instead:
virtual_alias_maps:
mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain
transport_maps:
mlmmj.localhost.localdomain mlmmj:
|
|
|
|
|
|
|
|
|
| |
Right now the list server cannot be hosted with a MX, due to bug 51:
http://mlmmj.org/bugs/bug.php?id=51
Web archive can be compiled with MHonArc, but the web server
configuration is not there yet.
|
| |
|
|
|
|
|
|
|
|
| |
It has to be performed last, to give a chance to be accepted as a
regular mailbox.
We introduce a new, dedicated, smtpd daemon whose only purpose is to
resolve catch-alls.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
And use main.cf's 'master_service_disable' setting to deactivate each
service that's useless for a given instance. (Hence solve conflict when
trying to listen twice on the same port, for instance.)
|
|
|
|
|
|
|
| |
It's unfortunate that samhain cannot use the sendmail binary, and wants
to use a inet socket instead. We use a custom port to avoid
conflicts with the usual SMTP port the MX:es need to listen on.
See also: /usr/share/doc/samhain/TODO.Debian
|
| |
|
|
|
|
|
| |
To be clearer, and to follow the recommendation of the FSF, we include
a full header rather than a single sentence.
|
| |
|
|
|
|
| |
We use a dedicated instance for each role: MDA, MTA out, MX, etc.
|
|
|
|
|
| |
${distro_codename} doesn't work properly there, so we put stable and/or
oldstable instead.
|
|
|
|
|
| |
Replaced [ -n "$string" ] with [ "$string" ], and [ -z "$string" ] with
[ ! "$string" ].
|
|
|
|
|
| |
'syslog' is meant for the messages generated internally by syslogd,
whereas 'user' is for user-level messages.
|
| |
|
|
|
|
| |
We use ESP only, so other protocols shouldn't be ACCEPTed.
|
|
|
|
|
|
|
|
|
| |
Packets originating from our (non-routable) $ipsec are marked; there is
no xfrm lookup (i.e., no matching IPSec association), the packet will
retain its mark and be null routed later on, thanks to
ip rule add fwmark "$secmark" table 666 priority 666
ip route add blackhole default table 666
|
|
|
|
| |
Also, use ESP tunnel mode instead of transport mode.
|
|
|
|
| |
I.e., as packets are treated along the way: mangle -> nat -> filter.
|
| |
|
|
|
|
|
|
|
| |
At the each IPSec end-point the traffic is DNAT'ed to / MASQUERADE'd
from our dedicated IP after ESP decapsulation. Also, some IP tables
ensure that alien (not coming from / going to the tunnel end-point) is
dropped.
|
|
|
|
|
|
|
|
|
|
| |
Also, added some options:
-f force: no confirmation asked
-c check: check (dry-run) mode
-v verbose: see the difference between old and new ruleset
-4 IPv4 only
-6 IPv6 only
|
|
|
|
|
| |
These rules are automatically included by third-party servers such as
strongSwan or fail2ban.
|
|
|
|
| |
So it doesn't mess with the high-priority rules regarding IPSec.
|
|
|
|
|
| |
update-firewall.sh -c does not update the firewall, but returns a
non-zero value iff. running it without the switch would modify it.
|
| |
|
| |
|
| |
|
| |
|
|
|