path: root/roles/common
Commit message | Author | Age | Files
...
* IPsec: allow ISAKMP over IPv6. | Guilhem Moulin | 2018-12-03 | 2
* Upgrade baseline to Debian Stretch. | Guilhem Moulin | 2018-12-03 | 15
* Skip samhain installation. | Guilhem Moulin | 2018-12-03 | 4
    It's become too verbose (too many false positives)…
* Harden anti spam on the MX:es. | Guilhem Moulin | 2018-06-09 | 1
* More logcheck-database tweaks. | Guilhem Moulin | 2018-04-04 | 3
* Postfix: replace 'fifo' types with 'unix', as it's the new default. | Guilhem Moulin | 2018-04-04 | 1
* sympa: wibble | Guilhem Moulin | 2018-04-04 | 1
* Firewall: Allow DNS queries over TCP. | Guilhem Moulin | 2018-04-04 | 1
* APT: use deb.debian.org as archive source. | Guilhem Moulin | 2018-04-04 | 1
* Perform recipient address verification on the MSA itself. | Guilhem Moulin | 2018-04-04 | 2
* Upgrade syntax to Ansible 2.5. | Guilhem Moulin | 2018-04-04 | 3
* Upgrade syntax to Ansible 2.4. | Guilhem Moulin | 2017-11-23 | 1
* More logcheck-database tweaks. | Guilhem Moulin | 2017-09-14 | 3
* Fix detection of KVM guests. | Guilhem Moulin | 2017-07-29 | 3
* rkhunter: Disable remote updates to fix CVE-2017-7480. | Guilhem Moulin | 2017-07-29 | 1
* Use MariaDB as default MySQL flavor. | Guilhem Moulin | 2017-07-29 | 1
* Don't install debsecan anymore by default. | Guilhem Moulin | 2017-06-26 | 2
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789196
* Webmail: don't allow outgoing TCP/993 connections. | Guilhem Moulin | 2017-06-15 | 1
    We're going through IPsec to communicate with the IMAP server.
* More logcheck-database tweaks. | Guilhem Moulin | 2017-06-07 | 1
* postfix-sender-login: wibble | Guilhem Moulin | 2017-06-05 | 1
* dovecot: enable user iteration and add a cronjob for `doveadm purge -A` | Guilhem Moulin | 2017-06-05 | 1
* postfix: enable XFORWARD command from our internal relays. | Guilhem Moulin | 2017-06-02 | 1
* postfix: don't rate-limit our IPsec subnet. | Guilhem Moulin | 2017-06-02 | 2
* Don't let authenticated client use arbitrary sender addresses. | Guilhem Moulin | 2017-06-01 | 1
    The following policy is now implemented:
      * users can use their SASL login name as sender address;
      * alias and/or list owners can use the address as envelope sender;
      * domain postmasters can use arbitrary sender addresses under their domains;
      * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name;
      * for known domains without owner or postmasters, other sender addresses are not allowed; and
      * arbitrary sender addresses under unknown domains are allowed.
* /lib/systemd/system → /etc/systemd/system | Guilhem Moulin | 2017-05-31 | 5
* Also install non-free firmwares on civett. | Guilhem Moulin | 2017-05-30 | 2
* Change group of executables in /usr/local/{bin,sbin} from root to staff. | Guilhem Moulin | 2017-05-14 | 2
* MSA: reject null sender address. | Guilhem Moulin | 2017-05-14 | 1
* Fix Ansible 2.2.0 compatibility of a Jinja2 template. | Guilhem Moulin | 2017-01-14 | 1
* More logcheck-database tweaks. | Guilhem Moulin | 2016-12-08 | 1
* Postfix: ensure common aliases are present. | Guilhem Moulin | 2016-09-18 | 2
* FreshClam: change ownership of /etc/clamav/freshclam.conf. | Guilhem Moulin | 2016-09-18 | 1
    To match the stock version shipped by clamav-freshclam 0.99.2+dfsg-0+deb8u2

        ~$ stat -c '%U:%G %a' /etc/clamav/freshclam.conf
        clamav:adm 444
* Firewall: allow duplicates rules. | Guilhem Moulin | 2016-09-18 | 1
* More logcheck-database tweaks. | Guilhem Moulin | 2016-08-22 | 2
* postfix: Remove obsolete templates tls_policy/relay_clientcerts. | Guilhem Moulin | 2016-07-12 | 1
* Route all internal SMTP traffic through IPsec. | Guilhem Moulin | 2016-07-10 | 4
* Postfix: avoid hardcoding the instance names. | Guilhem Moulin | 2016-07-10 | 1
* Postfix: don't share the master.cf between the instances. | Guilhem Moulin | 2016-07-10 | 2
* Route SMTP traffic from the webmail through IPsec. | Guilhem Moulin | 2016-07-10 | 1
* More logcheck-database tweaks. | Guilhem Moulin | 2016-07-09 | 2
* Localize the NTP pool hostnames. | Guilhem Moulin | 2016-07-09 | 1
* Localize the debian archive hostnames. | Guilhem Moulin | 2016-07-09 | 1
* ClamAV (FreshClam): use a localized Database Mirror. | Guilhem Moulin | 2016-07-09 | 2
    As db.local.clamav.net is not always properly localized. Furthermore, our previous Ansible script did not ensure ordering of the DatabaseMirror lines.
* IPSec → IPsec | Guilhem Moulin | 2016-06-29 | 5
* More logcheck-database tweaks. | Guilhem Moulin | 2016-06-29 | 3
* update-firewall.sh: COMMIT empty iptables rule files. | Guilhem Moulin | 2016-06-29 | 1
* Use stunnel to secure the connection from the webmail to ldap.fripost.org. | Guilhem Moulin | 2016-06-05 | 1
    We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting.
* typo | Guilhem Moulin | 2016-05-24 | 1
* IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication. | Guilhem Moulin | 2016-05-24 | 3
    There is no need to bother with X.509 cruft here.
* genkeypair, gendhparam: use -rand /dev/urandom when generating keys or DH parameters. | Guilhem Moulin | 2016-05-22 | 2