Commit message | Author | Date | Files
---|---|---|---
Fix Ansible 2.2.0 compatibility of a Jinja2 template. | Guilhem Moulin | 2017-01-14 | 1
postfix: Remove obsolete templates tls_policy/relay_clientcerts. | Guilhem Moulin | 2016-07-12 | 1
Route all internal SMTP traffic through IPsec. | Guilhem Moulin | 2016-07-10 | 2
Postfix: don't share the master.cf between the instances. | Guilhem Moulin | 2016-07-10 | 1
postfix: Update to recommended TLS settings. Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.) | Guilhem Moulin | 2016-05-18 | 1
postfix: disable weak ciphers for the 'encrypt' TLS security level. That is, on the MSA and in our local infrastructure. | Guilhem Moulin | 2016-05-18 | 1
Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the cert itself. | Guilhem Moulin | 2015-12-03 | 1
Internal Postfix config: Disable TLS protocols <1.2 rather than enable 1.2 only. | Guilhem Moulin | 2015-10-27 | 1
Configure the list manager (Sympa). | Guilhem Moulin | 2015-06-07 | 1
Ensure we have a TLS policy for each of our hosts we want to relay to. | Guilhem Moulin | 2015-06-07 | 1
Tell vim the underlying filetype of templates for syntax highlighting. | Guilhem Moulin | 2015-06-07 | 1
Replace IPSec tunnels by app-level ephemeral TLS sessions. For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well. | Guilhem Moulin | 2015-06-07 | 2
Outgoing SMTP proxy. | Guilhem Moulin | 2015-06-07 | 1
Don't use generic maps. In fact we want to only rewrite the envelope sender: in /etc/postfix/main.cf, `# Overwrite local FQDN envelope sender addresses`, `sender_canonical_classes = envelope_sender`, `propagate_unmatched_extensions =`, `sender_canonical_maps = cdb:$config_directory/sender_canonical`; in /etc/postfix/sender_canonical, `@elefant.fripost.org admin@fripost.org`. However, when canonical(5) processes a mail sent via sendmail(1), it rewrites the envelope sender, which seems to *later* be used as From: header. | Guilhem Moulin | 2015-06-07 | 1
Assume a DNS entry for each role. E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though. | Guilhem Moulin | 2015-06-07 | 1
Don't use IPSec to relay messages to localhost. | Guilhem Moulin | 2015-06-07 | 1
Explicitly make local services run on localhost. | Guilhem Moulin | 2015-06-07 | 1
typo | Guilhem Moulin | 2015-06-07 | 1
wibble | Guilhem Moulin | 2015-06-07 | 1
Configure the MX:es. | Guilhem Moulin | 2015-06-07 | 1
Share master.cf across all Postfix instances. And use main.cf's 'master_service_disable' setting to deactivate each service that's useless for a given instance. (Hence solving conflicts when trying to listen twice on the same port, for instance.) | Guilhem Moulin | 2015-06-07 | 1
Use a dedicated SMTP port for samhain. It's unfortunate that samhain cannot use the sendmail binary, and wants to use an inet socket instead. We use a custom port to avoid conflicts with the usual SMTP port the MX:es need to listen on. See also: /usr/share/doc/samhain/TODO.Debian | Guilhem Moulin | 2015-06-07 | 1
Postfix master (nullmailer) configuration. We use a dedicated instance for each role: MDA, MTA out, MX, etc. | Guilhem Moulin | 2015-06-07 | 1