| Commit message | Author | Age | Files |
|---|---|---|---|
| IPsec: use Suite-B-GCM-256 algorithms for IKEv2 & ESP. | Guilhem Moulin | 2018-12-09 | 1 |
| (That is, remove algorithms from Suite-B-GCM-128.) Cf. https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites and https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations . | | | |
| MSA verification probes: enable opportunistic encryption. | Guilhem Moulin | 2018-12-09 | 1 |
| And use ‘noreply.fripost.org’ as HELO name rather than $myhostname (i.e., ‘smtp.fripost.org’), so the same SPF policy can be used for ehlo and envelope sender identities. | | | |
| Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch. | Guilhem Moulin | 2018-12-09 | 2 |
| Firewall: disable outgoing access to git:// remote servers. | Guilhem Moulin | 2018-12-09 | 1 |
| We don't need it anymore as we use https:// these days. | | | |
| ntp.conf: reduce delta with the packaged version. | Guilhem Moulin | 2018-12-09 | 1 |
| MX: chroot postscreen(8), smtpd(8) and cleanup(8) daemons. | Guilhem Moulin | 2018-12-09 | 1 |
| Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f) the postscreen(8) server can run chrooted, meaning we can also chroot the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons. | | | |
| postfix: remove explicit default 'mail_owner = postfix'. | Guilhem Moulin | 2018-12-06 | 1 |
| postfix ≥3.0: don't advertise SMTPUTF8 support. | Guilhem Moulin | 2018-12-06 | 1 |
| We're relaying messages to our LMTP daemons (Dovecot, Amavisd) and some downstream SMTP servers, not all of which are under our control. Forwarding messages with UTF-8 envelope addresses or RFC 5322 headers yields undeliverable messages, and the bounces make us a potential backscatter source. So it's better to disable SMTPUTF8 at this point. Cf. also http://www.postfix.org/SMTPUTF8_README.html and https://unix.stackexchange.com/questions/320091/configure-postfix-and-dovecot-lmtp-to-receive-mail-via-smtputf8 . See also upstream's comment at https://marc.info/?l=postfix-users&m=149183235529042&w=2 : “Perhaps SMTPUTF8 autodetection could be more granular: UTF8 in the envelope is definitely problematic for a receiver that does not support SMTPUTF8, while UTF8 in a message header is less so.” | | | |
| Install unbound on metal hosts. | Guilhem Moulin | 2018-12-03 | 1 |
| (A validating, recursive, caching DNS resolver.) | | | |
| Define new host "calima" serving Nextcloud. | Guilhem Moulin | 2018-12-03 | 1 |
| Postfix: replace cdb & btree tables with lmdb ones. | Guilhem Moulin | 2018-12-03 | 1 |
| Cf. lmdb_table(5). | | | |
| IPsec: allow ISAKMP over IPv6. | Guilhem Moulin | 2018-12-03 | 1 |
| Upgrade baseline to Debian Stretch. | Guilhem Moulin | 2018-12-03 | 5 |
| Postfix: replace 'fifo' types with 'unix', as it's the new default. | Guilhem Moulin | 2018-04-04 | 1 |
| Firewall: Allow DNS queries over TCP. | Guilhem Moulin | 2018-04-04 | 1 |
| APT: use deb.debian.org as archive source. | Guilhem Moulin | 2018-04-04 | 1 |
| Perform recipient address verification on the MSA itself. | Guilhem Moulin | 2018-04-04 | 1 |
| Upgrade syntax to Ansible 2.5. | Guilhem Moulin | 2018-04-04 | 2 |
| Fix detection of KVM guests. | Guilhem Moulin | 2017-07-29 | 2 |
| Don't install debsecan anymore by default. | Guilhem Moulin | 2017-06-26 | 1 |
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789196 | | | |
| Webmail: don't allow outgoing TCP/993 connections. | Guilhem Moulin | 2017-06-15 | 1 |
| We're going through IPsec to communicate with the IMAP server. | | | |
| postfix: enable XFORWARD command from our internal relays. | Guilhem Moulin | 2017-06-02 | 1 |
| postfix: don't rate-limit our IPsec subnet. | Guilhem Moulin | 2017-06-02 | 1 |
| Don't let authenticated clients use arbitrary sender addresses. | Guilhem Moulin | 2017-06-01 | 1 |
| The following policy is now implemented: users can use their SASL login name as sender address; alias and/or list owners can use the address as envelope sender; domain postmasters can use arbitrary sender addresses under their domains; domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name; for known domains without owner or postmasters, other sender addresses are not allowed; and arbitrary sender addresses under unknown domains are allowed. | | | |
| Also install non-free firmwares on civett. | Guilhem Moulin | 2017-05-30 | 2 |
| Fix Ansible 2.2.0 compatibility of a Jinja2 template. | Guilhem Moulin | 2017-01-14 | 1 |
| postfix: Remove obsolete templates tls_policy/relay_clientcerts. | Guilhem Moulin | 2016-07-12 | 1 |
| Route all internal SMTP traffic through IPsec. | Guilhem Moulin | 2016-07-10 | 3 |
| Postfix: avoid hardcoding the instance names. | Guilhem Moulin | 2016-07-10 | 1 |
| Postfix: don't share the master.cf between the instances. | Guilhem Moulin | 2016-07-10 | 1 |
| Localize the NTP pool hostnames. | Guilhem Moulin | 2016-07-09 | 1 |
| Localize the debian archive hostnames. | Guilhem Moulin | 2016-07-09 | 1 |
| ClamAV (FreshClam): use a localized Database Mirror. | Guilhem Moulin | 2016-07-09 | 1 |
| As db.local.clamav.net is not always properly localized. Furthermore, our previous Ansible script did not ensure ordering of the DatabaseMirror lines. | | | |
| IPSec → IPsec | Guilhem Moulin | 2016-06-29 | 2 |
| IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication. | Guilhem Moulin | 2016-05-24 | 1 |
| There is no need to bother with X.509 cruft here. | | | |
| Tunnel bacula (dir → {fd,sd} and fd → sd) traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 3 |
| Tunnel munin-update traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 3 |
| Tunnel internal NTP traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 2 |
| More precisely, between our NTP-master (stratum 1) host and the other machines (all stratum 2). Providing authentication and integrity for internal NTP traffic ensures a consistent time within our internal infrastructure. | | | |
| Set up IPSec tunnels between each pair of hosts. | Guilhem Moulin | 2016-05-22 | 5 |
| We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachable within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed. | | | |
| postfix: Update to recommended TLS settings. | Guilhem Moulin | 2016-05-18 | 1 |
| Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.) | | | |
| postfix: disable weak ciphers for the 'encrypt' TLS security level. | Guilhem Moulin | 2016-05-18 | 1 |
| That is, on the MSA and in our local infrastructure. | | | |
| bacula: Set heartbeat options. | Guilhem Moulin | 2016-05-12 | 2 |
| And also TCP keepalive options in the stunnel config. | | | |
| Use systemd unit files for stunnel4. | Guilhem Moulin | 2016-05-12 | 2 |
| s/ansible_ssh_/ansible_/ | Guilhem Moulin | 2016-02-12 | 2 |
| Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the cert itself. | Guilhem Moulin | 2015-12-03 | 1 |
| Internal Postfix config: Disable TLS protocols <1.2 rather than enable 1.2 only. | Guilhem Moulin | 2015-10-27 | 1 |
| stunnel: disable compression. | Guilhem Moulin | 2015-10-27 | 2 |
| stunnel: use GCM ciphers only; use SSL options rather than ciphers to disable protocols. | Guilhem Moulin | 2015-10-27 | 2 |
| Change match to "^(Genuine)?Intel.*" for Intel processors. | Guilhem Moulin | 2015-07-12 | 2 |
| Use a single LDAP connection per Munin round to collect slapd statistics. | Guilhem Moulin | 2015-06-11 | 1 |
| Using multigraphs instead. | | | |