summaryrefslogtreecommitdiffstats
path: root/roles/common/templates
Commit message (Collapse)AuthorAgeFiles
...
* Ensure have a TLS policy for each of our host we want to relay to.Guilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* Fix Dovecot's mail location.Guilhem Moulin2015-06-071
|
* Perform the alias resolution and address validation solely on the MX:es.Guilhem Moulin2015-06-071
| | | | | We can therefore spare some lookups on the MDA, and use static:all instead.
* Configure SyncRepl (OpenLDAP replication) and related ACLs.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | | | | | | | The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute.
* Tell vim the underlying filetype of templates for syntax highlighting.Guilhem Moulin2015-06-073
|
* Remove IPSec related files.Guilhem Moulin2015-06-072
|
* typoGuilhem Moulin2015-06-071
|
* Whitelist our IPs against fail2ban.Guilhem Moulin2015-06-071
| | | | | | | This is important as we don't want the IMAP server baning the webmail, for instance. (The fail2ban instance running next to the webmail should ban the attacker, but that running next to the IMAP server shouldn't ban legit users.)
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-073
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Outgoing SMTP proxy.Guilhem Moulin2015-06-072
|
* Log SASL usernames for longer, but don't include mail.log into syslog.Guilhem Moulin2015-06-071
|
* Don't use generic maps.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | In fact we want to only rewrite the envelope sender: :/etc/postfix/main.cf # Overwrite local FQDN envelope sender addresses sender_canonical_classes = envelope_sender propagate_unmatched_extensions = sender_canonical_maps = cdb:$config_directory/sender_canonical :/etc/postfix/sender_canonical @elefant.fripost.org admin@fripost.org However, when canonical(5) processes a mail sent vias sendmail(1), it rewrites the envelope sender which seems to *later* be use as From: header.
* wibbleGuilhem Moulin2015-06-071
|
* Don't require a PKI for IPSec.Guilhem Moulin2015-06-071
| | | | | | | | | | | Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machines (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines.
* Support non-free firmwares. (Can be required :-()Guilhem Moulin2015-06-072
| | | | Also, always install contrib's intel-microcode on Intel CPUs.
* Assume a DNS entry for each role.Guilhem Moulin2015-06-072
| | | | | | E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though.
* Don't use IPSec to relay messages to localhost.Guilhem Moulin2015-06-071
|
* Excplicitely make local services run on localhost.Guilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* Configure Sieve and ManageSieve.Guilhem Moulin2015-06-071
| | | | | Also, add the 'managesieve' RoundCube plugin to communicate with our server.
* Configure the webmail.Guilhem Moulin2015-06-072
|
* Force expansion of escape sequences.Guilhem Moulin2015-06-072
| | | | | By using double quoted scalars, cf. https://groups.google.com/forum/#!topic/ansible-project/ZaB6o-eqDzw
* Configure NTP.Guilhem Moulin2015-06-072
| | | | | | We use a "master" NTP server, which synchronizes against stratum 1 servers (hence is a stratum 2 itself); all other clients synchronize to this master server through IPSec.
* Configure the Mail Submission Agent.Guilhem Moulin2015-06-072
|
* wibbleGuilhem Moulin2015-06-071
|
* Configure the IMAP server.Guilhem Moulin2015-06-072
| | | | (For now, only LMTP and IMAP processes, without replication.)
* Configure the MX:es.Guilhem Moulin2015-06-073
|
* Share master.cf accross all Postfix instances.Guilhem Moulin2015-06-071
| | | | | | And use main.cf's 'master_service_disable' setting to deactivate each service that's useless for a given instance. (Hence solve conflict when trying to listen twice on the same port, for instance.)
* Use a dedicated SMTP port for samhain.Guilhem Moulin2015-06-071
| | | | | | | It's unfortunate that samhain cannot use the sendmail binary, and wants to use a inet socket instead. We use a custom port to avoid conflicts with the usual SMTP port the MX:es need to listen on. See also: /usr/share/doc/samhain/TODO.Debian
* Reorganization.Guilhem Moulin2015-06-071
|
* Reformulate the headers showing the license.Guilhem Moulin2015-06-071
| | | | | To be clearer, and to follow the recommendation of the FSF, we include a full header rather than a single sentence.
* Configure debsecan.Guilhem Moulin2015-06-071
|
* Common LDAP (slapd) configuration.Guilhem Moulin2015-06-071
|
* Postfix master (nullmailer) configurationGuilhem Moulin2015-06-071
| | | | We use a dedicated instance for each role: MDA, MTA out, MX, etc.
* wibbleGuilhem Moulin2015-06-071
|
* Prefer maching on policy rather than marks.Guilhem Moulin2015-06-071
| | | | Also, use ESP tunnel mode instead of transport mode.
* Use a dedicated 'fail2ban' chain for fail2ban.Guilhem Moulin2015-06-071
| | | | So it doesn't mess with the high-priority rules regarding IPSec.
* Configure IPSec.Guilhem Moulin2015-06-072
|
* Configure fail2ban.Guilhem Moulin2015-06-071
|
* Configure v4 and v6 iptable rulesets.Guilhem Moulin2015-06-071
|
* Configure APT.Guilhem Moulin2015-06-072
|
* Configure /etc/{hosts,hostname,mailname}.Guilhem Moulin2015-06-072