Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | fail2ban: Only install the roundcube/dovecot filters if needed. | Guilhem Moulin | 2018-12-15 | 1 |
| | | | | | | It doesn't hurt to install them on all machines, but we're overriding the provided /etc/fail2ban/filter.d/dovecot.conf and would rather keep our delta minimal. | |||
* | submission: Prospective SPF checking. | Guilhem Moulin | 2018-12-12 | 2 |
| | | | | Cf. http://www.openspf.org/Best_Practices/Outbound . | |||
* | IPsec: use Suite-B-GCM-256 algorithms for IKEv2 & ESP. | Guilhem Moulin | 2018-12-09 | 1 |
| | | | | | | | (That is, remove algorithms from Suite-B-GCM-128.) Cf. https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites and https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations . | |||
* | MSA verification probes: enable opportunistic encryption. | Guilhem Moulin | 2018-12-09 | 1 |
| | | | | | | And use ‘noreply.fripost.org’ as HELO name rather than $myhostname (i.e., ‘smtp.fripost.org’), so the same SPF policy can be used for ehlo and envelope sender identities. | |||
* | Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch. | Guilhem Moulin | 2018-12-09 | 6 |
| | ||||
* | Disable resume device. | Guilhem Moulin | 2018-12-09 | 3 |
| | | | | We don't need suspend-on-disk (hibernation). | |||
* | systemd.service: Tighten hardening options. | Guilhem Moulin | 2018-12-09 | 2 |
| | ||||
* | bacula-*.service: Don't fork in the background. | Guilhem Moulin | 2018-12-09 | 1 |
| | | | | Inspired from /lib/systemd/system/bacula-fd.service. | |||
* | Upgrade 'lists' role to Debian Stretch. | Guilhem Moulin | 2018-12-09 | 1 |
| | ||||
* | Firewall: disable outgoing access to git:// remote servers. | Guilhem Moulin | 2018-12-09 | 1 |
| | | | | We don't need it anymore as we use https:// these days. | |||
* | systemd: Replace ‘ProtectSystem=full’ with ‘ProtectSystem=strict’. | Guilhem Moulin | 2018-12-09 | 2 |
| | | | | And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’. | |||
* | Firewall: REJECT outgoing connections instead of DROPing them. | Guilhem Moulin | 2018-12-09 | 1 |
| | ||||
* | Don't install the haveged entropy daemon. | Guilhem Moulin | 2018-12-09 | 2 |
| | | | | | It's not really needed on our metal hosts, and our KVM guests use virtio-rng. | |||
* | ntp.conf: reduce delta with the packaged version. | Guilhem Moulin | 2018-12-09 | 1 |
| | ||||
* | MX: chroot postscreen(8), smtpd(8) and cleanup(8) daemons. | Guilhem Moulin | 2018-12-09 | 1 |
| | | | | | | Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f) the postscreen(8) server can run chrooted, meaning we can also chroot the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons. | |||
* | postfix: remove explicit default 'mail_owner = postfix'. | Guilhem Moulin | 2018-12-06 | 1 |
| | ||||
* | postfix ≥3.0: don't advertise SMTPUTF8 support. | Guilhem Moulin | 2018-12-06 | 1 |
| | | | | | | | | | | | | | | | | | We're relaying messages to our LMTP daemons (Dovecot, Amavisd) and some downstream SMTP servers, not all of which are under our control. Forwarding messages with UTF-8 envelope addresses or RFC 5322 headers yields undeliverable messages, and the bounces make us a potential backscatter source. So it's better to disable SMTPUTF8 at this point. Cf. also http://www.postfix.org/SMTPUTF8_README.html and https://unix.stackexchange.com/questions/320091/configure-postfix-and-dovecot-lmtp-to-receive-mail-via-smtputf8 . See also upstream's comment at https://marc.info/?l=postfix-users&m=149183235529042&w=2 : “Perhaps SMTPUTF8 autodetection could be more granular: UTF8 in the envelope is definitely problematic for a receiver that does not support SMTPUTF8, while UTF8 in a message header is less so.” | |||
* | DKIM: also include the "d=" tag in key filenames, not only the "s=" tag. | Guilhem Moulin | 2018-12-05 | 1 |
| | | | | | While the combination of "s=" tag (selector) & "d=" tag signing domain maps to a unique key, the selector alone doesn't necessarily. | |||
* | Install unbound on metal hosts. | Guilhem Moulin | 2018-12-03 | 4 |
| | | | | (A validating, recursive, caching DNS resolver.) | |||
* | Define new host "calima" serving Nextcloud. | Guilhem Moulin | 2018-12-03 | 1 |
| | ||||
* | Upgrade syntax to Ansible 2.7 (apt module). | Guilhem Moulin | 2018-12-03 | 9 |
| | ||||
* | Postfix: replace cdb & btree tables with lmdb ones. | Guilhem Moulin | 2018-12-03 | 4 |
| | | | | Cf. lmdb_table(5). | |||
* | IPsec: allow ISAKMP over IPv6. | Guilhem Moulin | 2018-12-03 | 2 |
| | ||||
* | Upgrade baseline to Debian Stretch. | Guilhem Moulin | 2018-12-03 | 15 |
| | ||||
* | Skip samhain installation. | Guilhem Moulin | 2018-12-03 | 4 |
| | | | | It's become too verbose (too many false-positive)… | |||
* | Harden anti spam on the MX:es. | Guilhem Moulin | 2018-06-09 | 1 |
| | ||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2018-04-04 | 3 |
| | ||||
* | Postfix: replace 'fifo' types with 'unix', as it's the new default. | Guilhem Moulin | 2018-04-04 | 1 |
| | ||||
* | sympa: wibble | Guilhem Moulin | 2018-04-04 | 1 |
| | ||||
* | Firewall: Allow DNS queries over TCP. | Guilhem Moulin | 2018-04-04 | 1 |
| | ||||
* | APT: use deb.debian.org as archive source. | Guilhem Moulin | 2018-04-04 | 1 |
| | ||||
* | Perform recipient address verification on the MSA itself. | Guilhem Moulin | 2018-04-04 | 2 |
| | ||||
* | Upgrade syntax to Ansible 2.5. | Guilhem Moulin | 2018-04-04 | 3 |
| | ||||
* | Upgrade syntax to Ansible 2.4. | Guilhem Moulin | 2017-11-23 | 1 |
| | ||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2017-09-14 | 3 |
| | ||||
* | Fix detection of KVM guests. | Guilhem Moulin | 2017-07-29 | 3 |
| | ||||
* | rkhunter: Disable remote updates to fix CVE-2017-7480. | Guilhem Moulin | 2017-07-29 | 1 |
| | ||||
* | Use MariaDB as default MySQL flavor. | Guilhem Moulin | 2017-07-29 | 1 |
| | ||||
* | Don't install debsecan anymore by default. | Guilhem Moulin | 2017-06-26 | 2 |
| | | | | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789196 | |||
* | Webmail: don't allow outgoing TCP/993 connections. | Guilhem Moulin | 2017-06-15 | 1 |
| | | | | We're going through IPsec to communicate with the IMAP server. | |||
* | More logcheck-database tweaks. | Guilhem Moulin | 2017-06-07 | 1 |
| | ||||
* | postfix-sender-login: wibble | Guilhem Moulin | 2017-06-05 | 1 |
| | ||||
* | dovecot: enable user iteration and add a cronjob for `doveadm purge -A` | Guilhem Moulin | 2017-06-05 | 1 |
| | ||||
* | postfix: enable XFORWARD command from our internal relays. | Guilhem Moulin | 2017-06-02 | 1 |
| | ||||
* | postfix: don't rate-limit our IPsec subnet. | Guilhem Moulin | 2017-06-02 | 2 |
| | ||||
* | Don't let authenticated client use arbitrary sender addresses. | Guilhem Moulin | 2017-06-01 | 1 |
| | | | | | | | | | | | | | | The following policy is now implemented: * users can use their SASL login name as sender address; * alias and/or list owners can use the address as envelope sender; * domain postmasters can use arbitrary sender addresses under their domains; * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name; * for known domains without owner or postmasters, other sender addresses are not allowed; and * arbitrary sender addresses under unknown domains are allowed. | |||
* | /lib/systemd/system → /etc/systemd/system | Guilhem Moulin | 2017-05-31 | 5 |
| | ||||
* | Also install non-free firmwares on civett. | Guilhem Moulin | 2017-05-30 | 2 |
| | ||||
* | Change group of executables in /usr/local/{bin,sbin} from root to staff. | Guilhem Moulin | 2017-05-14 | 2 |
| | ||||
* | MSA: reject null sender address. | Guilhem Moulin | 2017-05-14 | 1 |
| |