Commit message (Collapse) | Author | Age | Files | ||
---|---|---|---|---|---|
... | |||||
* | Firewall: Allow DNS queries over TCP. | Guilhem Moulin | 2018-04-04 | 1 | |
| | |||||
* | APT: use deb.debian.org as archive source. | Guilhem Moulin | 2018-04-04 | 1 | |
| | |||||
* | Perform recipient address verification on the MSA itself. | Guilhem Moulin | 2018-04-04 | 2 | |
| | |||||
* | Upgrade syntax to Ansible 2.5. | Guilhem Moulin | 2018-04-04 | 3 | |
| | |||||
* | Upgrade syntax to Ansible 2.4. | Guilhem Moulin | 2017-11-23 | 1 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2017-09-14 | 3 | |
| | |||||
* | Fix detection of KVM guests. | Guilhem Moulin | 2017-07-29 | 3 | |
| | |||||
* | rkhunter: Disable remote updates to fix CVE-2017-7480. | Guilhem Moulin | 2017-07-29 | 1 | |
| | |||||
* | Use MariaDB as default MySQL flavor. | Guilhem Moulin | 2017-07-29 | 1 | |
| | |||||
* | Don't install debsecan anymore by default. | Guilhem Moulin | 2017-06-26 | 2 | |
| | | | | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789196 | ||||
* | Webmail: don't allow outgoing TCP/993 connections. | Guilhem Moulin | 2017-06-15 | 1 | |
| | | | | We're going through IPsec to communicate with the IMAP server. | ||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2017-06-07 | 1 | |
| | |||||
* | postfix-sender-login: wibble | Guilhem Moulin | 2017-06-05 | 1 | |
| | |||||
* | dovecot: enable user iteration and add a cronjob for `doveadm purge -A` | Guilhem Moulin | 2017-06-05 | 1 | |
| | |||||
* | postfix: enable XFORWARD command from our internal relays. | Guilhem Moulin | 2017-06-02 | 1 | |
| | |||||
* | postfix: don't rate-limit our IPsec subnet. | Guilhem Moulin | 2017-06-02 | 2 | |
| | |||||
* | Don't let authenticated client use arbitrary sender addresses. | Guilhem Moulin | 2017-06-01 | 1 | |
| | | | | | | | | | | | | | | The following policy is now implemented: * users can use their SASL login name as sender address; * alias and/or list owners can use the address as envelope sender; * domain postmasters can use arbitrary sender addresses under their domains; * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name; * for known domains without owner or postmasters, other sender addresses are not allowed; and * arbitrary sender addresses under unknown domains are allowed. | ||||
* | /lib/systemd/system → /etc/systemd/system | Guilhem Moulin | 2017-05-31 | 5 | |
| | |||||
* | Also install non-free firmwares on civett. | Guilhem Moulin | 2017-05-30 | 2 | |
| | |||||
* | Change group of executables in /usr/local/{bin,sbin} from root to staff. | Guilhem Moulin | 2017-05-14 | 2 | |
| | |||||
* | MSA: reject null sender address. | Guilhem Moulin | 2017-05-14 | 1 | |
| | |||||
* | Fix Ansible 2.2.0 compatibility of a Jinja2 template. | Guilhem Moulin | 2017-01-14 | 1 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2016-12-08 | 1 | |
| | |||||
* | Postfix: ensure common aliases are present. | Guilhem Moulin | 2016-09-18 | 2 | |
| | |||||
* | FreshClam: change ownership of /etc/clamav/freshclam.conf. | Guilhem Moulin | 2016-09-18 | 1 | |
| | | | | | | | | To match the stock version shipped by clamav-freshclam 0.99.2+dfsg-0+deb8u2 ~$ stat -c '%U:%G %a' /etc/clamav/freshclam.conf clamav:adm 444 | ||||
* | Firewall: allow duplicates rules. | Guilhem Moulin | 2016-09-18 | 1 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2016-08-22 | 2 | |
| | |||||
* | postfix: Remove obsolete templates tls_policy/relay_clientcerts. | Guilhem Moulin | 2016-07-12 | 1 | |
| | |||||
* | Route all internal SMTP traffic through IPsec. | Guilhem Moulin | 2016-07-10 | 4 | |
| | |||||
* | Postfix: avoid hardcoding the instance names. | Guilhem Moulin | 2016-07-10 | 1 | |
| | |||||
* | Postfix: don't share the master.cf between the instances. | Guilhem Moulin | 2016-07-10 | 2 | |
| | |||||
* | Route SMTP traffic from the webmail through IPsec. | Guilhem Moulin | 2016-07-10 | 1 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2016-07-09 | 2 | |
| | |||||
* | Localize the NTP pool hostnames. | Guilhem Moulin | 2016-07-09 | 1 | |
| | |||||
* | Localize the debian archive hostnames. | Guilhem Moulin | 2016-07-09 | 1 | |
| | |||||
* | ClamAV (FreshClam): use a localized Database Mirror. | Guilhem Moulin | 2016-07-09 | 2 | |
| | | | | | | As db.local.clamav.net is not always properly localized. Furthermore, our previous Ansiblee script did not ensure ordering of the DatabaseMirror lines. | ||||
* | IPSec → IPsec | Guilhem Moulin | 2016-06-29 | 5 | |
| | |||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2016-06-29 | 3 | |
| | |||||
* | update-firewall.sh: COMMIT empty iptables rule files. | Guilhem Moulin | 2016-06-29 | 1 | |
| | |||||
* | Use stunnel to secure the connection from the webmail to ldap.fripost.org. | Guilhem Moulin | 2016-06-05 | 1 | |
| | | | | | We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting. | ||||
* | typo | Guilhem Moulin | 2016-05-24 | 1 | |
| | |||||
* | IPSec: replace (self-signed) X.509 certs by their raw pubkey for authentication. | Guilhem Moulin | 2016-05-24 | 3 | |
| | | | | There is no need to bother with X.509 cruft here. | ||||
* | genkeypair, gendhparam: use -rand /dev/urandom when generating keys or DH ↵ | Guilhem Moulin | 2016-05-22 | 2 | |
| | | | | parameters. | ||||
* | Tunnel bacula (dir → {fd,sd} and fd → sd) traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 6 | |
| | |||||
* | Tunnel munin-update traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 7 | |
| | |||||
* | Tunnel internal NTP traffic through IPSec. | Guilhem Moulin | 2016-05-22 | 2 | |
| | | | | | | | More precisely, between our NTP-master (stratum 1) host and the other machines (all stratum 2). Providing authentification and integrity for internal NTP traffic ensures a consistent time within our internal infrastructure. | ||||
* | Set up IPSec tunnels between each pair of hosts. | Guilhem Moulin | 2016-05-22 | 13 | |
| | | | | | | | | | | | | | | | We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachble within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed. | ||||
* | postfix: master.cf wibble | Guilhem Moulin | 2016-05-18 | 1 | |
| | |||||
* | postfix: Update to recommended TLS settings. | Guilhem Moulin | 2016-05-18 | 2 | |
| | | | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.) | ||||
* | Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public. | Guilhem Moulin | 2016-05-18 | 2 | |
| | | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out. |