| Commit message (Collapse) | Author | Age | Files |
|
|
|
| |
See RFC 8314 sec. 3.3 "Cleartext Considered Obsolete".
|
|
|
|
| |
Cf. http://www.openspf.org/Best_Practices/Outbound .
|
|
|
|
|
|
|
| |
(That is, remove algorithms from Suite-B-GCM-128.)
Cf. https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
and https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations .
|
|
|
|
|
|
| |
And use ‘noreply.fripost.org’ as HELO name rather than $myhostname
(i.e., ‘smtp.fripost.org’), so the same SPF policy can be used for ehlo
and envelope sender identities.
|
| |
|
|
|
|
| |
We don't need it anymore as we use https:// these days.
|
| |
|
|
|
|
|
|
| |
Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f)
the postscreen(8) server can run chrooted, meaning we can also chroot
the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We're relaying messages to our LMTP daemons (Dovecot, Amavisd) and some
downstream SMTP servers, not all of which are under our control.
Forwarding messages with UTF-8 envelope addresses or RFC 5322 headers
yields undeliverable messages, and the bounces make us a potential
backscatter source. So it's better to disable SMTPUTF8 at this point.
Cf. also http://www.postfix.org/SMTPUTF8_README.html and
https://unix.stackexchange.com/questions/320091/configure-postfix-and-dovecot-lmtp-to-receive-mail-via-smtputf8 .
See also upstream's comment at https://marc.info/?l=postfix-users&m=149183235529042&w=2 :
“Perhaps SMTPUTF8 autodetection could be more granular: UTF8 in the
envelope is definitely problematic for a receiver that does not
support SMTPUTF8, while UTF8 in a message header is less so.”
|
|
|
|
| |
(A validating, recursive, caching DNS resolver.)
|
| |
|
|
|
|
| |
Cf. lmdb_table(5).
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789196
|
|
|
|
| |
We're going through IPsec to communicate with the IMAP server.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following policy is now implemented:
* users can use their SASL login name as sender address;
* alias and/or list owners can use the address as envelope sender;
* domain postmasters can use arbitrary sender addresses under their
domains;
* domain owners can use arbitrary sender addresses under their domains,
unless it is also an existing account name;
* for known domains without owner or postmasters, other sender addresses
are not allowed; and
* arbitrary sender addresses under unknown domains are allowed.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
As db.local.clamav.net is not always properly localized. Furthermore,
our previous Ansiblee script did not ensure ordering of the
DatabaseMirror lines.
|
| |
|
|
|
|
| |
There is no need to bother with X.509 cruft here.
|
| |
|
| |
|
|
|
|
|
|
|
| |
More precisely, between our NTP-master (stratum 1) host and the other
machines (all stratum 2). Providing authentification and integrity for
internal NTP traffic ensures a consistent time within our internal
infrastructure.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore
the subnet is nullrouted in the absence of xfrm lookup (i.e., when there
is no matching IPSec Security Association) to avoid data leaks.
Each host is associated with an IP in that subnet (thus only reachble
within that subnet, either by the host itself or by its IPSec peers).
The peers authenticate each other using RSA public key authentication.
Kernel traps are used to ensure that connections are only established
when traffic is detected between the peers; after 30m of inactivity
(this value needs to be less than the rekeying period) the connection is
brought down and a kernel trap is installed.
|
|
|
|
|
|
|
|
| |
Following Viktor Dukhovni's 2015-08-06 recommendation
http://article.gmane.org/gmane.mail.postfix.user/251935
(We're using stronger ciphers and protocols in our own infrastructure.)
|
|
|
|
| |
That is, on the MSA and in our local infrastructure.
|
|
|
|
| |
and also TCP keepalive options in the stunnel config.
|
| |
|
| |
|
|
|
|
| |
cert itself.
|
| |
|
| |
|
|
|
|
| |
disable protocols.
|