| Commit message | Author | Age | Files |
|---|---|---|---|
| wibble | Guilhem Moulin | 2015-06-07 | 1 |
| Allow outgoing HKP and WHOIS traffic on the LDAP provider. | Guilhem Moulin | 2015-06-07 | 1 |
| Allow outgoing SSH traffic. | Guilhem Moulin | 2015-06-07 | 1 |
| Add wildcard Pin version in apt preferences. | Guilhem Moulin | 2015-06-07 | 1 |
| Don't install smartd on KVM guests. | Guilhem Moulin | 2015-06-07 | 1 |
| Upgrade the common package list. | Guilhem Moulin | 2015-06-07 | 2 |
| Add a 'root' alias to root@fripost.org. | Guilhem Moulin | 2015-06-07 | 1 |
| Upgrade samhain config to Jessie. | Guilhem Moulin | 2015-06-07 | 1 |
| Upgrade custom logcheck-database to Jessie. | Guilhem Moulin | 2015-06-07 | 1 |
| Upgrade rkhunter config to Jessie. | Guilhem Moulin | 2015-06-07 | 2 |
| Upgrade amavis config to Jessie. | Guilhem Moulin | 2015-06-07 | 2 |
| Upgrade Postfix config to Jessie (MSA & outgoing proxy). | Guilhem Moulin | 2015-06-07 | 1 |
| Upgrade Dovecot config to Jessie. | Guilhem Moulin | 2015-06-07 | 1 |
| Configure the list manager (Sympa). | Guilhem Moulin | 2015-06-07 | 5 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 |
| Enable the use of git:// clients. | Guilhem Moulin | 2015-06-07 | 1 |
| Disable rsyslog's rate-limiting.<br>The default for rsyslog v7, but not for rsyslog v5. | Guilhem Moulin | 2015-06-07 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 |
| typo | Guilhem Moulin | 2015-06-07 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 |
| Key usage 'keyCertSign' is required for self-signed certificates. | Guilhem Moulin | 2015-06-07 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 |
| wibble | Guilhem Moulin | 2015-06-07 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 |
| Amavis is logging to syslog with severity 'notice'. | Guilhem Moulin | 2015-06-07 | 1 |
| Don't install intel-microcode on Xen guests.<br>It should be installed on the dom0 instead. | Guilhem Moulin | 2015-06-07 | 3 |
| Don't install smartd on Xen guests.<br>S.M.A.R.T. makes little sense for virtual HDDs. | Guilhem Moulin | 2015-06-07 | 2 |
| Don't merge amavis' logs into /var/log/syslog.<br>As they contain user information, we keep it in /var/log/mail.log only. These logs are kept for 3 days "only", as per our policy. | Guilhem Moulin | 2015-06-07 | 1 |
| Install auditd. | Guilhem Moulin | 2015-06-07 | 3 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 |
| wibble | Guilhem Moulin | 2015-06-07 | 1 |
| Replace Postgrey with postscreen.<br>See http://www.postfix.org/POSTSCREEN_README.html and http://rob0.nodns4.us/postscreen.html<br>It's unfortunate that smtpd(8) cannot be chrooted any longer, which means that we have to un-chroot cleanup(8) as well. Indeed, currently smtpd(8) uses $virtual_alias_maps for recipient validation; later cleanup(8) uses it again for rewriting. So these processes need to be both chrooted, or both not. | Guilhem Moulin | 2015-06-07 | 2 |
| wibble | Guilhem Moulin | 2015-06-07 | 1 |
| Fix NTP configuration.<br>We've yet to get authenticated time, though. | Guilhem Moulin | 2015-06-07 | 3 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 |
| Ensure we have a TLS policy for each of our hosts we want to relay to. | Guilhem Moulin | 2015-06-07 | 2 |
| typo | Guilhem Moulin | 2015-06-07 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 |
| Fix Dovecot's mail location. | Guilhem Moulin | 2015-06-07 | 1 |
| Perform the alias resolution and address validation solely on the MX:es.<br>We can therefore spare some lookups on the MDA, and use static:all instead. | Guilhem Moulin | 2015-06-07 | 1 |
| Fix Amavis' Policy Banks.<br>It turns out that in a policy bank, a *_by_ccat doesn't replace the default but is merely merged into the default (if the keys overlap, those in the bank take precedence of course). Hence it's pointless to use CC_CATCHALL in a bank unless all the other keys have been overridden, for instance.<br>Also, treat unchecked (e.g., encrypted) mails as clean in the OUTGOING Policy Bank. | Guilhem Moulin | 2015-06-07 | 1 |
| Add a logcheck rule to ignore cyrus' annoying log messages.<br>Namely, "DIGEST-MD5 common mech free". See also bug #631932. | Guilhem Moulin | 2015-06-07 | 1 |
| Postfix needs to be restarted after rekeying.<br>(It opens the key as root, but then drops the permissions.) | Guilhem Moulin | 2015-06-07 | 1 |
| Add a tag 'tls_policy' to facilitate rekeying.<br>First generate all certs (-t genkey), then build the TLS policy maps (-t tls_policy). | Guilhem Moulin | 2015-06-07 | 1 |
| 'default_days' in openssl.cnf doesn't work, use -days instead. | Guilhem Moulin | 2015-06-07 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 |
| Configure SyncRepl (OpenLDAP replication) and related ACLs.<br>The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy.<br>Overview:<br>- Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires').<br>- We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (e.g., ldapi://, possible since we set 'olcLocalSSF' to 128), or TLS with at least 128 bits of security.<br>- XXX: Services may not simple bind other than locally on an ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on an ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on an ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind).<br>- Admins have restrictions similar to those of the services.<br>- User access is only restricted by our global 'olcSecurity' attribute. | Guilhem Moulin | 2015-06-07 | 1 |
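As an added illustration of the access model the last commit describes (this is not the fripost repository's own configuration), the following cn=config LDIF sets 'olcLocalSSF', 'olcRequires' and 'olcSecurity' as stated, maps a client-certificate CN onto a service entry, and uses ACLs to keep services off simple binds; the suffix dc=example,dc=org, the database entry olcDatabase={1}mdb, the ou=services/ou=users layout, the certificate subject form and the service name `postfix` are all assumptions.

```ldif
# Added example, not taken from the fripost repository.
# Assumed: olcDatabase={1}mdb, suffix dc=example,dc=org,
# services under ou=services, users under ou=users.

# 1. Global controls: ldapi:// connections count as SSF 128, every DIT
#    operation needs an authenticated identity, and every operation needs
#    SSF >= 128, so remote clients must use TLS with >= 128-bit security.
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcRequires
olcRequires: authc
-
replace: olcSecurity
olcSecurity: ssf=128

# 2. Derive a remote service's identity from the CN of its client
#    certificate (SASL/EXTERNAL over ldaps://). The certificate subject
#    DN form "cn=<name>,o=example" is an assumption.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: "^cn=([^,]+),o=example$" "cn=$1,ou=services,dc=example,dc=org"

# 3. Database ACLs: nobody gets 'auth' access to a service's
#    userPassword, so a service cannot simple bind and must use
#    SASL/EXTERNAL; users keep simple bind and are otherwise limited
#    only by the global olcSecurity above.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="ou=services,dc=example,dc=org" attrs=userPassword
  by * none
olcAccess: {1}to dn.subtree="ou=users,dc=example,dc=org" attrs=userPassword
  by anonymous auth
  by self write
  by * none
olcAccess: {2}to dn.subtree="ou=users,dc=example,dc=org"
  by dn.exact="cn=postfix,ou=services,dc=example,dc=org" read
  by self write
  by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:///` as root, then verify which identity a service actually binds as with `ldapwhoami -Y EXTERNAL` over the ldapi:// or ldaps:// URI it will use in production.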