| Commit message | Author | Date | Files |
|---|---|---|---|
| ... | | | |
| postfix: Update to recommended TLS settings.<br>Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.) | Guilhem Moulin | 2016-05-18 | 2 |
| Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.<br>Ideally we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per the ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older clients won't be left out. | Guilhem Moulin | 2016-05-18 | 2 |
| postfix: disable weak ciphers for the 'encrypt' TLS security level.<br>That is, on the MSA and in our local infrastructure. | Guilhem Moulin | 2016-05-18 | 1 |
| Add an ansible module 'fetch_cmd' to fetch the output of a remote command locally.<br>And use this to fetch all X.509 leaf certificates. | Guilhem Moulin | 2016-05-18 | 3 |
| bacula: Set heartbeat options.<br>and also TCP keepalive options in the stunnel config. | Guilhem Moulin | 2016-05-12 | 2 |
| Add hardening options to our systemd unit files. | Guilhem Moulin | 2016-05-12 | 1 |
| Use systemd unit files for stunnel4. | Guilhem Moulin | 2016-05-12 | 11 |
| sysctl: don't set IPv6 privacy extensions globally. | Guilhem Moulin | 2016-04-01 | 1 |
| sysctl: set net.ipv6.conf.all.accept_ra = 0. | Guilhem Moulin | 2016-03-30 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2016-03-13 | 1 |
| Ansible: Using bare variables is deprecated, and will be removed in a future release. | Guilhem Moulin | 2016-03-02 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2016-02-17 | 1 |
| s/ansible_ssh_/ansible_/ | Guilhem Moulin | 2016-02-12 | 2 |
| Upgrade playbooks to Ansible 2.0. | Guilhem Moulin | 2016-02-12 | 5 |
| Only install letsencrypt-tiny to the relevant hosts. | Guilhem Moulin | 2015-12-28 | 2 |
| Copy and install Let's Encrypt ACME client. | Guilhem Moulin | 2015-12-20 | 1 |
| Use the Let's Encrypt CA for our public certs. | Guilhem Moulin | 2015-12-20 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-12-15 | 2 |
| typo | Guilhem Moulin | 2015-12-04 | 1 |
| Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the cert itself. | Guilhem Moulin | 2015-12-03 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-12-01 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-11-12 | 1 |
| Internal Postfix config: Generate RSA 4096 keys by default. | Guilhem Moulin | 2015-10-28 | 1 |
| genkeypair: use install(1) for atomic file creation with permission mode. | Guilhem Moulin | 2015-10-28 | 2 |
| Internal Postfix config: Disable TLS protocols <1.2 rather than enable 1.2 only. | Guilhem Moulin | 2015-10-27 | 1 |
| stunnel: disable compression. | Guilhem Moulin | 2015-10-27 | 2 |
| stunnel: use GCM ciphers only; use SSL options rather than ciphers to disable protocols. | Guilhem Moulin | 2015-10-27 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-10-14 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-09-24 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-09-21 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-09-15 | 1 |
| Configure FreshClam. | Guilhem Moulin | 2015-09-15 | 2 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-08-21 | 3 |
| Update unattended-upgrades configuration. | Guilhem Moulin | 2015-07-19 | 1 |
| Change match to "^(Genuine)?Intel.*" for Intel processors. | Guilhem Moulin | 2015-07-12 | 3 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-22 | 1 |
| logcheck: Match only hexdigits in postfix queue ID. | Guilhem Moulin | 2015-06-19 | 1 |
| Match IPv6 addresses in logcheck rules. | Guilhem Moulin | 2015-06-19 | 1 |
| Use a single LDAP connection per Munin round to collect slapd statistics.<br>Using multigraphs instead. | Guilhem Moulin | 2015-06-11 | 3 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-10 | 3 |
| slapd monitoring.<br>We don't use the provided 'slapd_' Munin plugin because it doesn't support SASL binds. | Guilhem Moulin | 2015-06-10 | 2 |
| Configure munin nodes & master.<br>Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. | Guilhem Moulin | 2015-06-10 | 15 |
| Don't assume that Postfix queue IDs are always 10 digits long. | Guilhem Moulin | 2015-06-10 | 1 |
| Add a reserved domain 'discard.fripost.org' to discard messages.<br>‘noreply@’ aliases can be added by routing them to ‘@discard.fripost.org’. | Guilhem Moulin | 2015-06-07 | 1 |
| Make the webmail connect directly to the outgoing SMTP proxy.<br>(Hence delete the 'webmail' Postfix instance.) This shortens the delay caused by the recipient verification probes. | Guilhem Moulin | 2015-06-07 | 2 |
| Use recipient address verification probes.<br>This is specially useful for mailing lists and the webmail, since it prevents our outgoing gateway from accepting mails known to be bouncing. However, the downside is that it adds a delay of up to 6s after the RCPT TO command. | Guilhem Moulin | 2015-06-07 | 1 |
| Configure Bacula File Daemon / Storage Daemon / Director.<br>Using client-side data signing/encryption and wrapping inter-host communication into stunnel. | Guilhem Moulin | 2015-06-07 | 7 |
| wibble | Guilhem Moulin | 2015-06-07 | 1 |
| firewall: allow 127.0.0.1/8 on lo. | Guilhem Moulin | 2015-06-07 | 1 |
| More logcheck-database tweaks. | Guilhem Moulin | 2015-06-07 | 1 |