summaryrefslogtreecommitdiffstats
path: root/roles/common
Commit message (Collapse)AuthorAgeFiles
* Add a logcheck rule to ignore cyrus' annoying log messages.Guilhem Moulin2015-06-071
| | | | Namely, "DIGEST-MD5 common mech free". See also bug #631932.
* Postfix needs to be restarted after rekeying.Guilhem Moulin2015-06-071
| | | | (It opens the key as root, but then drops the permissions.)
* Add a tag 'tls_policy' to facilitate rekeying.Guilhem Moulin2015-06-071
| | | | | First generate all certs (-t genkey), then build the TLS policy maps ( -t tls_policy).
* 'default_days' in openssl.cnf doesn't work, use -days instead.Guilhem Moulin2015-06-071
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-073
|
* Configure SyncRepl (OpenLDAP replication) and related ACLs.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | | | | | | | The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute.
* Add ability to add custom OrganizationalUnits in genkeypair.Guilhem Moulin2015-06-072
| | | | Also, it's now possible to reuse an existing private key (with -f).
* Add ability to chmod, chown and set the key usage in genkeypair.Guilhem Moulin2015-06-071
|
* Increase the timeout in the smtpd waiting for the reinjection from amavis.Guilhem Moulin2015-06-071
| | | | | | | | SMTP client connection caching was introduced in 2.6.0: the SMTP session is held for the next task (in adaptative mode, only when there was a delay of only 5s between the two previous mails), but Postfix will terminate it if the next mail doesn't come soon enough, or if amavis does't terminate it itself (usually after 15s).
* Don't install daemontools.Guilhem Moulin2015-06-071
|
* Tell vim the underlying filetype of templates for syntax highlighting.Guilhem Moulin2015-06-073
|
* Reload Postfix upon configuration change, but don't restart it.Guilhem Moulin2015-06-072
| | | | | | (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, require a full restart, but most of the time it's overkill.
* Don't restart/reload Postifx upon change of a file based database.Guilhem Moulin2015-06-071
| | | | | | And don't restart or reload either upon change of pcre: files that are used by smtpd(8), cleanup(8) or local(8), following the suggestion from http://www.postfix.org/DATABASE_README.html#detect .
* wibbleGuilhem Moulin2015-06-072
|
* Install amavisd-new on the outgoing SMTP proxy.Guilhem Moulin2015-06-073
| | | | For DKIM signing and virus checking.
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* Remove IPSec related files.Guilhem Moulin2015-06-075
|
* typoGuilhem Moulin2015-06-071
|
* Whitelist our IPs against fail2ban.Guilhem Moulin2015-06-071
| | | | | | | This is important as we don't want the IMAP server baning the webmail, for instance. (The fail2ban instance running next to the webmail should ban the attacker, but that running next to the IMAP server shouldn't ban legit users.)
* Tel logcheck which logs to monitor.Guilhem Moulin2015-06-071
|
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-077
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Outgoing SMTP proxy.Guilhem Moulin2015-06-073
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-072
|
* Log SASL usernames for longer, but don't include mail.log into syslog.Guilhem Moulin2015-06-075
|
* Fix syntax error.Guilhem Moulin2015-06-071
|
* Don't install 'unhide.rb'.Guilhem Moulin2015-06-072
|
* Don't use generic maps.Guilhem Moulin2015-06-073
| | | | | | | | | | | | | | | | | In fact we want to only rewrite the envelope sender: :/etc/postfix/main.cf # Overwrite local FQDN envelope sender addresses sender_canonical_classes = envelope_sender propagate_unmatched_extensions = sender_canonical_maps = cdb:$config_directory/sender_canonical :/etc/postfix/sender_canonical @elefant.fripost.org admin@fripost.org However, when canonical(5) processes a mail sent vias sendmail(1), it rewrites the envelope sender which seems to *later* be use as From: header.
* Generate certs for Dovecot and Nginx if they are not there.Guilhem Moulin2015-06-071
|
* Make genkeypair.sh able to display TXT record for DKIM signatures.Guilhem Moulin2015-06-073
|
* Add support for CSR and subjectAltName in genkeypair.sh.Guilhem Moulin2015-06-072
|
* More logcheck-database tweaks.Guilhem Moulin2015-06-074
|
* logcheck-database tweaks.Guilhem Moulin2015-06-074
|
* wibbleGuilhem Moulin2015-06-071
|
* Don't require a PKI for IPSec.Guilhem Moulin2015-06-075
| | | | | | | | | | | Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machines (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines.
* Don't try to start smart on VMs.Guilhem Moulin2015-06-071
|
* Support non-free firmwares. (Can be required :-()Guilhem Moulin2015-06-072
| | | | Also, always install contrib's intel-microcode on Intel CPUs.
* wibbleGuilhem Moulin2015-06-072
|
* Assume a DNS entry for each role.Guilhem Moulin2015-06-072
| | | | | | E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though.
* Replace mktemp's deprecated -t option by --tmpdir.Guilhem Moulin2015-06-071
| | | | | But not in the installer, as busybox's implementation of mktemp didn't deprecate -t/-p.
* Make use of Ansible 1.5 new features.Guilhem Moulin2015-06-075
| | | | Most notably pipelining=True and sysctl_set=yes.
* wibbleGuilhem Moulin2015-06-071
|
* Fix the catch-all resolution again.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | | | | We introduce a limitation on the domain-aliases: they can't have children (e.g., lists or users) any longer. The whole alias resolution, including catch-alls and domain aliases, is now done in 'virtual_alias_maps'. We stop the resolution by returning a dummy alias A -> A for mailboxes, before trying the catch-all maps. We're still using transport_maps for lists. If it turns out to be a bottleneck due to the high-latency coming from LDAP maps, (and the fact that there is a single qmgr(8) daemon), we could rewrite lists to a dummy subdomain and use a static transport_maps instead: virtual_alias_maps: mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain transport_maps: mlmmj.localhost.localdomain mlmmj:
* Mailing lists (using mlmmj).Guilhem Moulin2015-06-071
| | | | | | | | | Right now the list server cannot be hosted with a MX, due to bug 51: http://mlmmj.org/bugs/bug.php?id=51 Web archive can be compiled with MHonArc, but the web server configuration is not there yet.
* Don't use IPSec to relay messages to localhost.Guilhem Moulin2015-06-071
|
* Excplicitely make local services run on localhost.Guilhem Moulin2015-06-072
|
* typoGuilhem Moulin2015-06-071
|
* Fix catchall resolution.Guilhem Moulin2015-06-071
| | | | | | | | It has to be performed last, to give a chance to be accepted as a regular mailbox. We introduce a new, dedicated, smtpd daemon whose only purpose is to resolve catch-alls.
* Install haveged.Guilhem Moulin2015-06-072
| | | | | | To avoid low-entropy conditions, see http://www.issihosts.com/haveged/
* Install ClamAV.Guilhem Moulin2015-06-072
|