Commit message | Author | Age | Files | |
---|---|---|---|---|
* | Add wildcard Pin version in apt preferences. | Guilhem Moulin | 2015-06-07 | 1 |
* | Don't install smartd on KVM guests. | Guilhem Moulin | 2015-06-07 | 1 |
* | Upgrade the common package list. | Guilhem Moulin | 2015-06-07 | 2 |
* | Add a 'root' alias to root@fripost.org. | Guilhem Moulin | 2015-06-07 | 1 |
* | Upgrade samhain config to Jessie. | Guilhem Moulin | 2015-06-07 | 1 |
* | Upgrade custom logcheck-database to Jessie. | Guilhem Moulin | 2015-06-07 | 1 |
* | Upgrade rkhunter config to Jessie. | Guilhem Moulin | 2015-06-07 | 2 |
* | Upgrade amavis config to Jessie. | Guilhem Moulin | 2015-06-07 | 2 |
* | Upgrade Postfix config to Jessie (MSA & outgoing proxy). | Guilhem Moulin | 2015-06-07 | 1 |
* | Upgrade Dovecot config to Jessie. | Guilhem Moulin | 2015-06-07 | 1 |
* | Configure the list manager (Sympa). | Guilhem Moulin | 2015-06-07 | 5 |
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 |
* | Enable the use of git:// clients. | Guilhem Moulin | 2015-06-07 | 1 |
* | Disable rsyslog's rate-limiting. | Guilhem Moulin | 2015-06-07 | 1 |
| | The default for rsyslog v7, but not for rsyslog v5. | | | |
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 |
* | typo | Guilhem Moulin | 2015-06-07 | 2 |
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 |
* | Key usage 'keyCertSign' is required for self-signed certificates. | Guilhem Moulin | 2015-06-07 | 1 |
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 |
* | wibble | Guilhem Moulin | 2015-06-07 | 1 |
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 |
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 |
* | Amavis is logging to syslog with severity 'notice'. | Guilhem Moulin | 2015-06-07 | 1 |
* | Don't install intel-microcode on Xen guests. | Guilhem Moulin | 2015-06-07 | 3 |
| | It should be installed on the dom0 instead. | | | |
* | Don't install smartd on Xen guests. | Guilhem Moulin | 2015-06-07 | 2 |
| | S.M.A.R.T makes little sense for virtual HDDs. | | | |
* | Don't merge amavis' logs into /var/log/syslog. | Guilhem Moulin | 2015-06-07 | 1 |
| | As they contain user information, we keep it in /var/log/mail.log only. These logs are kept for 3 days "only", as per our policy. | | | |
* | Install auditd. | Guilhem Moulin | 2015-06-07 | 3 |
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 |
* | wibble | Guilhem Moulin | 2015-06-07 | 1 |
* | Replace Postgrey with postscreen. | Guilhem Moulin | 2015-06-07 | 2 |
| | See http://www.postfix.org/POSTSCREEN_README.html and http://rob0.nodns4.us/postscreen.html. It's unfortunate that smtpd(8) cannot be chrooted any longer, which means that we have to un-chroot cleanup(8) as well. Indeed, currently smtpd(8) uses $virtual_alias_maps for recipient validation; later cleanup(8) uses it again for rewriting. So these processes need to be both chrooted, or both not. | | | |
* | wibble | Guilhem Moulin | 2015-06-07 | 1 |
* | Fix NTP configuration. | Guilhem Moulin | 2015-06-07 | 3 |
| | We've yet to get authenticated time, though. | | | |
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 |
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 |
* | Ensure we have a TLS policy for each of our hosts we want to relay to. | Guilhem Moulin | 2015-06-07 | 2 |
* | typo | Guilhem Moulin | 2015-06-07 | 1 |
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 |
* | Fix Dovecot's mail location. | Guilhem Moulin | 2015-06-07 | 1 |
* | Perform the alias resolution and address validation solely on the MX:es. | Guilhem Moulin | 2015-06-07 | 1 |
| | We can therefore spare some lookups on the MDA, and use static:all instead. | | | |
* | Fix Amavis' Policy Banks. | Guilhem Moulin | 2015-06-07 | 1 |
| | It turns out that in a policy bank, a *_by_ccat doesn't replace the default but is merely merged into the default (if the keys overlap, those in the bank take precedence of course). Hence it's pointless to use CC_CATCHALL in a bank unless all the other keys have been overridden, for instance. Also, treat unchecked (eg, encrypted) mails as clean in the OUTGOING Policy Bank. | | | |
* | Add a logcheck rule to ignore cyrus' annoying log messages. | Guilhem Moulin | 2015-06-07 | 1 |
| | Namely, "DIGEST-MD5 common mech free". See also bug #631932. | | | |
* | Postfix needs to be restarted after rekeying. | Guilhem Moulin | 2015-06-07 | 1 |
| | (It opens the key as root, but then drops the permissions.) | | | |
* | Add a tag 'tls_policy' to facilitate rekeying. | Guilhem Moulin | 2015-06-07 | 1 |
| | First generate all certs (-t genkey), then build the TLS policy maps (-t tls_policy). | | | |
* | 'default_days' in openssl.cnf doesn't work, use -days instead. | Guilhem Moulin | 2015-06-07 | 1 |
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 2 |
* | More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 3 |
* | Configure SyncRepl (OpenLDAP replication) and related ACLs. | Guilhem Moulin | 2015-06-07 | 1 |
| | The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute. | | | |
* | Add ability to add custom OrganizationalUnits in genkeypair. | Guilhem Moulin | 2015-06-07 | 2 |
| | Also, it's now possible to reuse an existing private key (with -f). | | | |
* | Add ability to chmod, chown and set the key usage in genkeypair. | Guilhem Moulin | 2015-06-07 | 1 |
* | Increase the timeout in the smtpd waiting for the reinjection from amavis. | Guilhem Moulin | 2015-06-07 | 1 |
| | SMTP client connection caching was introduced in 2.6.0: the SMTP session is held for the next task (in adaptive mode, only when there was a delay of only 5s between the two previous mails), but Postfix will terminate it if the next mail doesn't come soon enough, or if amavis doesn't terminate it itself (usually after 15s). | | | |