| Commit message | Author | Age | Files |
|
Interhost communications are protected by stunnel4. The graphs are only
visible on the master itself, and content is generated by Fast CGI.
|
Using client-side data signing/encryption and wrapping inter-host
communication into stunnel.
|
XXX: this is a workaround for the CAcert root CAs not being present in
Jessie. In stretch, we would merely install the 'ca-cacert' package.
|
It should be installed on the dom0 instead.
|
S.M.A.R.T makes little sense for virtual HDDs.
|
We've yet to get authenticated time, though.
|
(It opens the key as root, but then drops the permissions.)
|
First generate all certs (-t genkey), then build the TLS policy maps
(-t tls_policy).
|
Also, it's now possible to reuse an existing private key (with -f).
|
(Unless a new instance is created, or the master.cf change is modified.)
Changing some variables, such as inet_protocols, requires a full restart,
but most of the time it's overkill.
|
And don't restart or reload either upon change of pcre: files that are
used by smtpd(8), cleanup(8) or local(8), following the suggestion from
http://www.postfix.org/DATABASE_README.html#detect .
|
For some reason giraff doesn't like IPSec. App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.
|
In fact we want to only rewrite the envelope sender:

    :/etc/postfix/main.cf
    # Overwrite local FQDN envelope sender addresses
    sender_canonical_classes = envelope_sender
    propagate_unmatched_extensions =
    sender_canonical_maps = cdb:$config_directory/sender_canonical

    :/etc/postfix/sender_canonical
    @elefant.fripost.org admin@fripost.org

However, when canonical(5) processes a mail sent via sendmail(1), it
rewrites the envelope sender which seems to *later* be used as From:
header.
|
Instead, generate a server certificate for each host (on the machine
itself). Then fetch all these certs locally, and copy them over to each
IPSec peer. That requires more certs to be stored on each machine (n
vs 2), but it can be done automatically, and is easier to deploy.
Note: When adding a new machine to the inventory, one needs to run the
playbook on that machine (to generate the cert and fetch it locally)
first, then on all other machines.
|
Most notably pipelining=True and sysctl_set=yes.
|
To avoid low-entropy conditions, see
http://www.issihosts.com/haveged/
|
By using double quoted scalars, cf.
https://groups.google.com/forum/#!topic/ansible-project/ZaB6o-eqDzw
|
We use a "master" NTP server, which synchronizes against stratum 1
servers (hence is a stratum 2 itself); all other clients synchronize to
this master server through IPSec.
|
And use main.cf's 'master_service_disable' setting to deactivate each
service that's useless for a given instance. (Hence solve conflict when
trying to listen twice on the same port, for instance.)
|
It's unfortunate that samhain cannot use the sendmail binary, and wants
to use an inet socket instead. We use a custom port to avoid
conflicts with the usual SMTP port the MX:es need to listen on.
See also: /usr/share/doc/samhain/TODO.Debian