| Commit message (Collapse) | Author | Age | Files |
|
|
|
|
|
|
|
|
| |
(Excluding our NTP master.) It's simpler, arguably more secure, and
provides enough functionality when only simple client use-cases are
desired.
We allow outgoing connections to 123/udp also on NTP slaves so systemd-timesyncd
can connect to the fallbacks NTP servers.
|
| |
|
|
|
|
| |
This is in particular needed for traceroutes and routing loop detection.
|
|
|
|
|
|
| |
Use unit overrides on top of upstream's service files instead of
overriding entire service files. In particular, upstream uses flag `-P`
so we don't need to use RuntimeDirectory= anymore.
|
|
|
|
|
|
|
|
| |
This is required to receive incoming traffic to our IPsec IP in 172.16.0.0/24,
as well as linked-scoped ICMPv6 traffic from/to fe80::/10 (for neighbour
discovery).
Regression from a6b8c0b3a4758f8d84a7ad07bb9e068075d098d3.
|
|
|
|
|
| |
This is more efficient: the earlier we filter the crap out the less
resources they consume.
|
|
|
|
| |
See tcp(7) and https://levelup.gitconnected.com/linux-kernel-tuning-for-high-performance-networking-high-volume-incoming-connections-196e863d458a .
|
| |
|
|
|
|
|
|
|
|
| |
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
|
|
|
|
|
|
|
|
| |
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
|
|
|
|
| |
This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.
|
| |
|
|
|
|
| |
To be done when we upgrade to Bullseye for more fine-grained control.
|
|
|
|
|
|
|
| |
This adds the following two ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
|
|
|
|
|
| |
Marking incoming ESP packets and matching decapsulated packets doesn't
work with NAT traverslate (UDP encapsulation aka MOBIKE).
|
|
|
|
| |
They don't appear to be supported anymore.
|
|
|
|
|
| |
We use the version from buster-backports (currently 1.4.4+dfsg.1-1~bpo10+1)
for the elastic theme.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Since 1.5 (Buster) APT supports https:// natively. There is no need to
install ‘apt-transport-https’ (now a dummy transitional package)
anymore. Plain-text connection don't undermine security as APT checks
package OpenPGP signatures locally, but there is no reason not to use
TLS here.
|
|
|
|
|
|
|
|
|
| |
* Use nftables sets with a timeout
* Start daemon with a hardened unit file and restricted Capability
Bounding Set. (This requires to change the log path to
/var/log/fail2ban/*.)
* Skip database as we don't care about persistence.
* Refactor jail.local
|
|
|
|
| |
Debian Buster uses the nftables framework by default.
|
|
|
|
|
|
| |
Our internal IPs don't have a reverse PTR record, and skipping the
resolution speeds up mail delivery.
http://www.postfix.org/postconf.5.html#smtpd_peername_lookup
|
|
|
|
|
|
|
|
|
|
|
|
| |
This avoids
[DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set
to allow bad characters in group names by default, this will change, but
still be user configurable on deprecation. This feature will be removed
in version 2.10. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
[WARNING]: Invalid characters were found in group names but not
replaced, use -vvvv to see details
|
|
|
|
| |
See RFC 8314 sec. 3.3 "Cleartext Considered Obsolete".
|
|
|
|
|
|
|
| |
This is useful when an ESTABLISHED connection is seen as NEW because the
client was offline for some time. For instance, clients now gracefully
close existing SSH connections immediately after resuming from a suspend
state, rather that waiting for the TCP timeout.
|
|
|
|
|
|
| |
It doesn't hurt to install them on all machines, but we're overriding
the provided /etc/fail2ban/filter.d/dovecot.conf and would rather keep
our delta minimal.
|
|
|
|
| |
Cf. http://www.openspf.org/Best_Practices/Outbound .
|
|
|
|
|
|
|
| |
(That is, remove algorithms from Suite-B-GCM-128.)
Cf. https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
and https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations .
|
|
|
|
|
|
| |
And use ‘noreply.fripost.org’ as HELO name rather than $myhostname
(i.e., ‘smtp.fripost.org’), so the same SPF policy can be used for ehlo
and envelope sender identities.
|
| |
|
|
|
|
| |
We don't need suspend-on-disk (hibernation).
|
| |
|
|
|
|
| |
Inspired from /lib/systemd/system/bacula-fd.service.
|
| |
|
|
|
|
| |
We don't need it anymore as we use https:// these days.
|
|
|
|
| |
And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’.
|
| |
|
|
|
|
|
| |
It's not really needed on our metal hosts, and our KVM guests use
virtio-rng.
|
| |
|
|
|
|
|
|
| |
Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f)
the postscreen(8) server can run chrooted, meaning we can also chroot
the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We're relaying messages to our LMTP daemons (Dovecot, Amavisd) and some
downstream SMTP servers, not all of which are under our control.
Forwarding messages with UTF-8 envelope addresses or RFC 5322 headers
yields undeliverable messages, and the bounces make us a potential
backscatter source. So it's better to disable SMTPUTF8 at this point.
Cf. also http://www.postfix.org/SMTPUTF8_README.html and
https://unix.stackexchange.com/questions/320091/configure-postfix-and-dovecot-lmtp-to-receive-mail-via-smtputf8 .
See also upstream's comment at https://marc.info/?l=postfix-users&m=149183235529042&w=2 :
“Perhaps SMTPUTF8 autodetection could be more granular: UTF8 in the
envelope is definitely problematic for a receiver that does not
support SMTPUTF8, while UTF8 in a message header is less so.”
|
|
|
|
|
| |
While the combination of "s=" tag (selector) & "d=" tag signing domain
maps to a unique key, the selector alone doesn't necessarily.
|
|
|
|
| |
(A validating, recursive, caching DNS resolver.)
|
| |
|
| |
|
|
|
|
| |
Cf. lmdb_table(5).
|
| |
|
| |
|