fripost-ansible - Fripost ansible scripts

	Commit message (Collapse)	Author	Age	Files
*	postfix: Remove obsolete templates tls_policy/relay_clientcerts.	Guilhem Moulin	2016-07-12	1
\|
*	postfix: commit the master.cf symlinks.	Guilhem Moulin	2016-07-12	1
\|
*	nginx: Don't hard-code the HPKP headers.	Guilhem Moulin	2016-07-12	1
\| \| \| \| \|	Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
*	Postfix lists/MDA instances: only include the MX:es' IPs in $mynetworks.	Guilhem Moulin	2016-07-10	1
\|
*	Route all internal SMTP traffic through IPsec.	Guilhem Moulin	2016-07-10	1
\|
*	Postfix: don't share the master.cf between the instances.	Guilhem Moulin	2016-07-10	1
\|
*	postfix: Don't explicitly set inet_interfaces=all as it's the default.	Guilhem Moulin	2016-07-10	1
\|
*	postfix: Update to recommended TLS settings.	Guilhem Moulin	2016-05-18	1
\| \| \| \| \| \| \| \|	Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.)
*	postfix: unset 'smtpd_tls_session_cache_database'.	Guilhem Moulin	2016-05-18	1
\| \| \| \| \| \|	Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11 http://article.gmane.org/gmane.mail.postfix.user/251935
*	Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.	Guilhem Moulin	2016-05-18	1
\| \| \| \| \| \| \| \| \| \|	Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out.
*	Remove SMTP message size limit on non public MTAs.	Guilhem Moulin	2016-03-21	1
\|
*	Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the ↵	Guilhem Moulin	2015-12-03	1
\| \| \| \|	cert itself.
*	Fix address verification probes on the MSA.	Guilhem Moulin	2015-09-16	1
\| \| \| \| \|	Put all relay restrictions under smtpd_relay_restrictions and leave smtpd_recipient_restrictions empty, since we don't do DNSBL.
*	logjam mitigation.	Guilhem Moulin	2015-06-07	1
\|
*	Configure the list manager (Sympa).	Guilhem Moulin	2015-06-07	3
\|
*	Increase the timeout in the smtpd waiting for the reinjection from amavis.	Guilhem Moulin	2015-06-07	1
\| \| \| \| \| \| \| \|	SMTP client connection caching was introduced in 2.6.0: the SMTP session is held for the next task (in adaptative mode, only when there was a delay of only 5s between the two previous mails), but Postfix will terminate it if the next mail doesn't come soon enough, or if amavis does't terminate it itself (usually after 15s).
*	Tell vim the underlying filetype of templates for syntax highlighting.	Guilhem Moulin	2015-06-07	1
\|
*	Replace IPSec tunnels by app-level ephemeral TLS sessions.	Guilhem Moulin	2015-06-07	1
\| \| \| \| \|	For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
*	Outgoing SMTP proxy.	Guilhem Moulin	2015-06-07	1
\|
*	Assume a DNS entry for each role.	Guilhem Moulin	2015-06-07	1
\| \| \| \| \| \|	E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though.
*	Make the *_maps file names uniform.	Guilhem Moulin	2015-06-07	1
\| \| \| \|	That is, don't put a leading virtual_ or a trailing _maps in file names.
*	Mailing lists (using mlmmj).	Guilhem Moulin	2015-06-07	1
	Right now the list server cannot be hosted with a MX, due to bug 51: http://mlmmj.org/bugs/bug.php?id=51 Web archive can be compiled with MHonArc, but the web server configuration is not there yet.