| Commit message | Author | Date | Files |
|---|---|---|---|
| postfix: Remove obsolete templates tls_policy/relay_clientcerts. | Guilhem Moulin | 2016-07-12 | 1 |
| Route all internal SMTP traffic through IPsec. | Guilhem Moulin | 2016-07-10 | 3 |
| Postfix: avoid hardcoding the instance names. | Guilhem Moulin | 2016-07-10 | 1 |
| Postfix: don't share the master.cf between the instances. | Guilhem Moulin | 2016-07-10 | 1 |
| Localize the NTP pool hostnames. | Guilhem Moulin | 2016-07-09 | 1 |
| Localize the debian archive hostnames. | Guilhem Moulin | 2016-07-09 | 1 |
| ClamAV (FreshClam): use a localized Database Mirror. As db.local.clamav.net is not always properly localized. Furthermore, our previous Ansible script did not ensure ordering of the DatabaseMirror lines. | Guilhem Moulin | 2016-07-09 | 1 |
| IPSec → IPsec | Guilhem Moulin | 2016-06-29 | 2 |
| IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication. There is no need to bother with X.509 cruft here. | Guilhem Moulin | 2016-05-24 | 1 |
| Tunnel bacula (dir → {fd,sd} and fd → sd) traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 3 |
| Tunnel munin-update traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 3 |
| Tunnel internal NTP traffic through IPSec. More precisely, between our NTP-master (stratum 1) host and the other machines (all stratum 2). Providing authentication and integrity for internal NTP traffic ensures a consistent time within our internal infrastructure. | Guilhem Moulin | 2016-05-22 | 2 |
| Set up IPSec tunnels between each pair of hosts. We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachable within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed. | Guilhem Moulin | 2016-05-22 | 5 |
| postfix: Update to recommended TLS settings. Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.) | Guilhem Moulin | 2016-05-18 | 1 |
| postfix: disable weak ciphers for the 'encrypt' TLS security level. That is, on the MSA and in our local infrastructure. | Guilhem Moulin | 2016-05-18 | 1 |
| bacula: Set heartbeat options. And also TCP keepalive options in the stunnel config. | Guilhem Moulin | 2016-05-12 | 2 |
| Use systemd unit files for stunnel4. | Guilhem Moulin | 2016-05-12 | 2 |
| s/ansible_ssh_/ansible_/ | Guilhem Moulin | 2016-02-12 | 2 |
| Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the cert itself. | Guilhem Moulin | 2015-12-03 | 1 |
| Internal Postfix config: Disable TLS protocols <1.2 rather than enable 1.2 only. | Guilhem Moulin | 2015-10-27 | 1 |
| stunnel: disable compression. | Guilhem Moulin | 2015-10-27 | 2 |
| stunnel: use GCM ciphers only; use SSL options rather than ciphers to disable protocols. | Guilhem Moulin | 2015-10-27 | 2 |
| Change match to "^(Genuine)?Intel.*" for Intel processors. | Guilhem Moulin | 2015-07-12 | 2 |
| Use a single LDAP connection per Munin round to collect slapd statistics. Using multigraphs instead. | Guilhem Moulin | 2015-06-11 | 1 |
| slapd monitoring. We don't use the provided 'slapd_' Munin plugin because it doesn't support SASL binds. | Guilhem Moulin | 2015-06-10 | 1 |
| Configure munin nodes & master. Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. | Guilhem Moulin | 2015-06-10 | 4 |
| Configure Bacula File Daemon / Storage Daemon / Director. Using client-side data signing/encryption and wrapping inter-host communication into stunnel. | Guilhem Moulin | 2015-06-07 | 3 |
| wibble | Guilhem Moulin | 2015-06-07 | 1 |
| Configure ikiwiki (website + wiki). | Guilhem Moulin | 2015-06-07 | 1 |
| typo | Guilhem Moulin | 2015-06-07 | 1 |
| typo | Guilhem Moulin | 2015-06-07 | 1 |
| Allow outgoing HKP and WHOIS traffic on the LDAP provider. | Guilhem Moulin | 2015-06-07 | 1 |
| Allow outgoing SSH traffic. | Guilhem Moulin | 2015-06-07 | 1 |
| Add wildcard Pin version in apt preferences. | Guilhem Moulin | 2015-06-07 | 1 |
| Configure the list manager (Sympa). | Guilhem Moulin | 2015-06-07 | 2 |
| Enable the use of git:// clients. | Guilhem Moulin | 2015-06-07 | 1 |
| typo | Guilhem Moulin | 2015-06-07 | 1 |
| wibble | Guilhem Moulin | 2015-06-07 | 1 |
| Don't install intel-microcode on Xen guests. It should be installed on the dom0 instead. | Guilhem Moulin | 2015-06-07 | 2 |
| wibble | Guilhem Moulin | 2015-06-07 | 1 |
| Fix NTP configuration. We've yet to get authenticated time, though. | Guilhem Moulin | 2015-06-07 | 2 |
| Ensure we have a TLS policy for each of the hosts we want to relay to. | Guilhem Moulin | 2015-06-07 | 1 |
| typo | Guilhem Moulin | 2015-06-07 | 1 |
| Fix Dovecot's mail location. | Guilhem Moulin | 2015-06-07 | 1 |
| Perform the alias resolution and address validation solely on the MX:es. We can therefore spare some lookups on the MDA, and use static:all instead. | Guilhem Moulin | 2015-06-07 | 1 |
| Configure SyncRepl (OpenLDAP replication) and related ACLs. The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute. | Guilhem Moulin | 2015-06-07 | 1 |
| Tell vim the underlying filetype of templates for syntax highlighting. | Guilhem Moulin | 2015-06-07 | 3 |
| Remove IPSec related files. | Guilhem Moulin | 2015-06-07 | 2 |
| typo | Guilhem Moulin | 2015-06-07 | 1 |
| Whitelist our IPs against fail2ban. This is important as we don't want the IMAP server banning the webmail, for instance. (The fail2ban instance running next to the webmail should ban the attacker, but that running next to the IMAP server shouldn't ban legit users.) | Guilhem Moulin | 2015-06-07 | 1 |