|  | Commit message (Collapse) | Author | Age | Files | 
|---|
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | See http://www.postfix.org/POSTSCREEN_README.html and
    http://rob0.nodns4.us/postscreen.html
It's infortunate that smtpd(8) cannot be chrooted any longer, which
means that we have to un-chroot cleanup(8) as well.  Indeed, currently
smtpd(8) uses $virtual_alias_maps for recipient validation; later
cleanup(8) uses it again for rewriting.  So these processes need to be
both chrooted, or both not. | 
| | |  | 
| | 
| 
| 
| | We've yet to get authenticated time, though. | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| | We can therefore spare some lookups on the MDA, and use static:all
instead. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | It turns out that in a policy bank, a *_by_ccat doesn't replace the
default but is merely merged into the default (if the keys overlap,
those in the bank take precedence of course).  Hence it's pointless to
use CC_CATCHALL in a bank unless all the other keys have been
overridden, for instance.
Also, treat unchecked (eg, encrypted) mails as clean in the OUTGOING
Policy Bank. | 
| | 
| 
| 
| | Namely, "DIGEST-MD5 common mech free".  See also bug #631932. | 
| | 
| 
| 
| | (It opens the key as root, but then drops the permissions.) | 
| | 
| 
| 
| 
| | First generate all certs (-t genkey), then build the TLS policy maps (
-t tls_policy). | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | The clients are identified using their certificate, and connect securely
to the SyncProv.
There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
  - Authentication (XXX: strong authentication) is required prior to any DIT
    operation (see 'olcRequires').
  - We force a Security Strength Factor of 128 or above for all operations (see
    'olcSecurity'), meaning one must use either a local connection (eg,
    ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
    least 128 bits of security.
  - XXX: Services may not simple bind other than locally on a ldapi:// socket.
    If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
    socket whenever possible (if the service itself supports SASL binds).
    If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
    socket, and their identity should be derived from the CN of the client
    certificate only (hence services may not simple bind).
  - Admins have restrictions similar to that of the services.
  - User access is only restricted by our global 'olcSecurity' attribute. | 
| | 
| 
| 
| | Also, it's now possible to reuse an existing private key (with -f). | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| | SMTP client connection caching was introduced in 2.6.0: the SMTP session is
held for the next task (in adaptative mode, only when there was a delay of only
5s between the two previous mails), but Postfix will terminate it if the next
mail doesn't come soon enough, or if amavis does't terminate it itself (usually
after 15s). | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| | (Unless a new instance is created, or the master.cf change is modified.)
Changing some variables, such as inet_protocols, require a full restart,
but most of the time it's overkill. | 
| | 
| 
| 
| 
| 
| | And don't restart or reload either upon change of pcre: files that are
used by smtpd(8), cleanup(8) or local(8), following the suggestion from
http://www.postfix.org/DATABASE_README.html#detect . | 
| | |  | 
| | 
| 
| 
| | For DKIM signing and virus checking. | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| | This is important as we don't want the IMAP server baning the webmail,
for instance.  (The fail2ban instance running next to the webmail should
ban the attacker, but that running next to the IMAP server shouldn't ban
legit users.) | 
| | |  | 
| | 
| 
| 
| 
| | For some reason giraff doesn't like IPSec.  App-level TLS sessions are
less efficient, but thanks to ansible it still scales well. | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | In fact we want to only rewrite the envelope sender:
    :/etc/postfix/main.cf
    # Overwrite local FQDN envelope sender addresses
    sender_canonical_classes       = envelope_sender
    propagate_unmatched_extensions =
    sender_canonical_maps          = cdb:$config_directory/sender_canonical
    :/etc/postfix/sender_canonical
    @elefant.fripost.org     admin@fripost.org
However, when canonical(5) processes a mail sent vias sendmail(1), it
rewrites the envelope sender which seems to *later* be use as From:
header. | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Instead, generate a server certificate for each host (on the machine
itself).  Then fetch all these certs locally, and copy them over to each
IPSec peer.  That requires more certs to be stored on each machines (n
vs 2), but it can be done automatically, and is easier to deploy.
Note: When adding a new machine to the inventory, one needs to run the
playbook on that machine (to generate the cert and fetch it locally)
first, then on all other machines. | 
| | |  | 
| | 
| 
| 
| | Also, always install contrib's intel-microcode on Intel CPUs. | 
| | |  |