| Commit message (Collapse) | Author | Age | Files |
... | |
| |
|
| |
|
|
|
|
|
|
|
| |
More precisely, between our NTP-master (stratum 1) host and the other
machines (all stratum 2). Providing authentification and integrity for
internal NTP traffic ensures a consistent time within our internal
infrastructure.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore
the subnet is nullrouted in the absence of xfrm lookup (i.e., when there
is no matching IPSec Security Association) to avoid data leaks.
Each host is associated with an IP in that subnet (thus only reachble
within that subnet, either by the host itself or by its IPSec peers).
The peers authenticate each other using RSA public key authentication.
Kernel traps are used to ensure that connections are only established
when traffic is detected between the peers; after 30m of inactivity
(this value needs to be less than the rekeying period) the connection is
brought down and a kernel trap is installed.
|
|
|
|
|
|
|
|
| |
Following Viktor Dukhovni's 2015-08-06 recommendation
http://article.gmane.org/gmane.mail.postfix.user/251935
(We're using stronger ciphers and protocols in our own infrastructure.)
|
|
|
|
| |
That is, on the MSA and in our local infrastructure.
|
|
|
|
| |
and also TCP keepalive options in the stunnel config.
|
| |
|
| |
|
|
|
|
| |
cert itself.
|
| |
|
| |
|
|
|
|
| |
disable protocols.
|
| |
|
|
|
|
| |
Using multigraphs instead.
|
|
|
|
|
| |
We don't use the provided 'slapd_' Munin plugin because it doesn't
support SASL binds.
|
|
|
|
|
| |
Interhost communications are protected by stunnel4. The graphs are only
visible on the master itself, and content is generated by Fast CGI.
|
|
|
|
|
| |
Using client-side data signing/encryption and wrapping inter-host
communication into stunnel.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
It should be installed on the dom0 instead.
|
| |
|
|
|
|
| |
We've yet to get authenticated time, though.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
We can therefore spare some lookups on the MDA, and use static:all
instead.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The clients are identified using their certificate, and connect securely
to the SyncProv.
There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
- Authentication (XXX: strong authentication) is required prior to any DIT
operation (see 'olcRequires').
- We force a Security Strength Factor of 128 or above for all operations (see
'olcSecurity'), meaning one must use either a local connection (eg,
ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
least 128 bits of security.
- XXX: Services may not simple bind other than locally on a ldapi:// socket.
If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
socket whenever possible (if the service itself supports SASL binds).
If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
socket, and their identity should be derived from the CN of the client
certificate only (hence services may not simple bind).
- Admins have restrictions similar to that of the services.
- User access is only restricted by our global 'olcSecurity' attribute.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
This is important as we don't want the IMAP server baning the webmail,
for instance. (The fail2ban instance running next to the webmail should
ban the attacker, but that running next to the IMAP server shouldn't ban
legit users.)
|
|
|
|
|
| |
For some reason giraff doesn't like IPSec. App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In fact we want to only rewrite the envelope sender:
:/etc/postfix/main.cf
# Overwrite local FQDN envelope sender addresses
sender_canonical_classes = envelope_sender
propagate_unmatched_extensions =
sender_canonical_maps = cdb:$config_directory/sender_canonical
:/etc/postfix/sender_canonical
@elefant.fripost.org admin@fripost.org
However, when canonical(5) processes a mail sent vias sendmail(1), it
rewrites the envelope sender which seems to *later* be use as From:
header.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Instead, generate a server certificate for each host (on the machine
itself). Then fetch all these certs locally, and copy them over to each
IPSec peer. That requires more certs to be stored on each machines (n
vs 2), but it can be done automatically, and is easier to deploy.
Note: When adding a new machine to the inventory, one needs to run the
playbook on that machine (to generate the cert and fetch it locally)
first, then on all other machines.
|
|
|
|
| |
Also, always install contrib's intel-microcode on Intel CPUs.
|
|
|
|
|
|
| |
E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone
would be provisioned by ansible, too.) It's a bit unclear how to index
the subdomains (mx{1,2,3}, etc), though.
|
| |
|