Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | firewall: gracefully close invalid connections. | Guilhem Moulin | 2018-12-22 | 1 |
| | | | | | | | This is useful when an ESTABLISHED connection is seen as NEW because the client was offline for some time. For instance, clients now gracefully close existing SSH connections immediately after resuming from a suspend state, rather that waiting for the TCP timeout. | |||
* | fail2ban: Only install the roundcube/dovecot filters if needed. | Guilhem Moulin | 2018-12-15 | 1 |
| | | | | | | It doesn't hurt to install them on all machines, but we're overriding the provided /etc/fail2ban/filter.d/dovecot.conf and would rather keep our delta minimal. | |||
* | submission: Prospective SPF checking. | Guilhem Moulin | 2018-12-12 | 2 |
| | | | | Cf. http://www.openspf.org/Best_Practices/Outbound . | |||
* | IPsec: use Suite-B-GCM-256 algorithms for IKEv2 & ESP. | Guilhem Moulin | 2018-12-09 | 1 |
| | | | | | | | (That is, remove algorithms from Suite-B-GCM-128.) Cf. https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites and https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations . | |||
* | MSA verification probes: enable opportunistic encryption. | Guilhem Moulin | 2018-12-09 | 1 |
| | | | | | | And use ‘noreply.fripost.org’ as HELO name rather than $myhostname (i.e., ‘smtp.fripost.org’), so the same SPF policy can be used for ehlo and envelope sender identities. | |||
* | Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch. | Guilhem Moulin | 2018-12-09 | 6 |
| | ||||
* | Disable resume device. | Guilhem Moulin | 2018-12-09 | 3 |
| | | | | We don't need suspend-on-disk (hibernation). | |||
* | systemd.service: Tighten hardening options. | Guilhem Moulin | 2018-12-09 | 2 |
| | ||||
* | bacula-*.service: Don't fork in the background. | Guilhem Moulin | 2018-12-09 | 1 |
| | | | | Inspired from /lib/systemd/system/bacula-fd.service. | |||
* | Upgrade 'lists' role to Debian Stretch. | Guilhem Moulin | 2018-12-09 | 1 |
| | ||||
* | Firewall: disable outgoing access to git:// remote servers. | Guilhem Moulin | 2018-12-09 | 1 |
| | | | | We don't need it anymore as we use https:// these days. | |||
* | systemd: Replace ‘ProtectSystem=full’ with ‘ProtectSystem=strict’. | Guilhem Moulin | 2018-12-09 | 2 |
| | | | | And remove ‘ReadOnlyDirectories=/’ as it's implied by ‘ProtectSystem=strict’. | |||
* | Firewall: REJECT outgoing connections instead of DROPing them. | Guilhem Moulin | 2018-12-09 | 1 |
| | ||||
* | Don't install the haveged entropy daemon. | Guilhem Moulin | 2018-12-09 | 2 |
| | | | | | It's not really needed on our metal hosts, and our KVM guests use virtio-rng. | |||
* | ntp.conf: reduce delta with the packaged version. | Guilhem Moulin | 2018-12-09 | 1 |
| | ||||
* | MX: chroot postscreen(8), smtpd(8) and cleanup(8) daemons. | Guilhem Moulin | 2018-12-09 | 1 |
| | | | | | | Unlike what we wrote in 2014 (cf. 4fb4be4d279dd94cab33fc778cfa318b93d6926f) the postscreen(8) server can run chrooted, meaning we can also chroot the smtpd(8), tlsproxy(8), dnsblog(8) and cleanup(8) daemons. | |||
* | postfix: remove explicit default 'mail_owner = postfix'. | Guilhem Moulin | 2018-12-06 | 1 |
| | ||||
* | postfix ≥3.0: don't advertise SMTPUTF8 support. | Guilhem Moulin | 2018-12-06 | 1 |
| | | | | | | | | | | | | | | | | | We're relaying messages to our LMTP daemons (Dovecot, Amavisd) and some downstream SMTP servers, not all of which are under our control. Forwarding messages with UTF-8 envelope addresses or RFC 5322 headers yields undeliverable messages, and the bounces make us a potential backscatter source. So it's better to disable SMTPUTF8 at this point. Cf. also http://www.postfix.org/SMTPUTF8_README.html and https://unix.stackexchange.com/questions/320091/configure-postfix-and-dovecot-lmtp-to-receive-mail-via-smtputf8 . See also upstream's comment at https://marc.info/?l=postfix-users&m=149183235529042&w=2 : “Perhaps SMTPUTF8 autodetection could be more granular: UTF8 in the envelope is definitely problematic for a receiver that does not support SMTPUTF8, while UTF8 in a message header is less so.” | |||
* | DKIM: also include the "d=" tag in key filenames, not only the "s=" tag. | Guilhem Moulin | 2018-12-05 | 1 |
| | | | | | While the combination of "s=" tag (selector) & "d=" tag signing domain maps to a unique key, the selector alone doesn't necessarily. | |||
* | Install unbound on metal hosts. | Guilhem Moulin | 2018-12-03 | 4 |
| | | | | (A validating, recursive, caching DNS resolver.) | |||
* | Define new host "calima" serving Nextcloud. | Guilhem Moulin | 2018-12-03 | 1 |
| | ||||
* | Upgrade syntax to Ansible 2.7 (apt module). | Guilhem Moulin | 2018-12-03 | 9 |
| | ||||
* | Postfix: replace cdb & btree tables with lmdb ones. | Guilhem Moulin | 2018-12-03 | 4 |
| | | | | Cf. lmdb_table(5). | |||
* | IPsec: allow ISAKMP over IPv6. | Guilhem Moulin | 2018-12-03 | 2 |
| | ||||
* | Upgrade baseline to Debian Stretch. | Guilhem Moulin | 2018-12-03 | 15 |
| | ||||
* | Skip samhain installation. | Guilhem Moulin | 2018-12-03 | 4 |
| | | | | It's become too verbose (too many false-positive)… | |||
* | Harden anti spam on the MX:es. | Guilhem Moulin | 2018-06-09 | 1 |
| | ||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2018-04-04 | 3 |
| | ||||
* | Postfix: replace 'fifo' types with 'unix', as it's the new default. | Guilhem Moulin | 2018-04-04 | 1 |
| | ||||
* | sympa: wibble | Guilhem Moulin | 2018-04-04 | 1 |
| | ||||
* | Firewall: Allow DNS queries over TCP. | Guilhem Moulin | 2018-04-04 | 1 |
| | ||||
* | APT: use deb.debian.org as archive source. | Guilhem Moulin | 2018-04-04 | 1 |
| | ||||
* | Perform recipient address verification on the MSA itself. | Guilhem Moulin | 2018-04-04 | 2 |
| | ||||
* | Upgrade syntax to Ansible 2.5. | Guilhem Moulin | 2018-04-04 | 3 |
| | ||||
* | Upgrade syntax to Ansible 2.4. | Guilhem Moulin | 2017-11-23 | 1 |
| | ||||
* | More logcheck-database tweaks. | Guilhem Moulin | 2017-09-14 | 3 |
| | ||||
* | Fix detection of KVM guests. | Guilhem Moulin | 2017-07-29 | 3 |
| | ||||
* | rkhunter: Disable remote updates to fix CVE-2017-7480. | Guilhem Moulin | 2017-07-29 | 1 |
| | ||||
* | Use MariaDB as default MySQL flavor. | Guilhem Moulin | 2017-07-29 | 1 |
| | ||||
* | Don't install debsecan anymore by default. | Guilhem Moulin | 2017-06-26 | 2 |
| | | | | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789196 | |||
* | Webmail: don't allow outgoing TCP/993 connections. | Guilhem Moulin | 2017-06-15 | 1 |
| | | | | We're going through IPsec to communicate with the IMAP server. | |||
* | More logcheck-database tweaks. | Guilhem Moulin | 2017-06-07 | 1 |
| | ||||
* | postfix-sender-login: wibble | Guilhem Moulin | 2017-06-05 | 1 |
| | ||||
* | dovecot: enable user iteration and add a cronjob for `doveadm purge -A` | Guilhem Moulin | 2017-06-05 | 1 |
| | ||||
* | postfix: enable XFORWARD command from our internal relays. | Guilhem Moulin | 2017-06-02 | 1 |
| | ||||
* | postfix: don't rate-limit our IPsec subnet. | Guilhem Moulin | 2017-06-02 | 2 |
| | ||||
* | Don't let authenticated client use arbitrary sender addresses. | Guilhem Moulin | 2017-06-01 | 1 |
| | | | | | | | | | | | | | | The following policy is now implemented: * users can use their SASL login name as sender address; * alias and/or list owners can use the address as envelope sender; * domain postmasters can use arbitrary sender addresses under their domains; * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name; * for known domains without owner or postmasters, other sender addresses are not allowed; and * arbitrary sender addresses under unknown domains are allowed. | |||
* | /lib/systemd/system → /etc/systemd/system | Guilhem Moulin | 2017-05-31 | 5 |
| | ||||
* | Also install non-free firmwares on civett. | Guilhem Moulin | 2017-05-30 | 2 |
| | ||||
* | Change group of executables in /usr/local/{bin,sbin} from root to staff. | Guilhem Moulin | 2017-05-14 | 2 |
| |