Commit message (Collapse) | Author | Age | Files | |
---|---|---|---|---|
* | Change the pubkey extension from .pem to .pub. | Guilhem Moulin | 2016-07-10 | 1 |
| | ||||
* | certs/public: fetch each cert's pubkey (SPKI), not the cert itself. | Guilhem Moulin | 2016-06-15 | 1 |
| | | | | To avoid new commits upon cert renewal. | |||
* | wwsympa systemd service file: Set PrivateTmp=yes. | Guilhem Moulin | 2016-06-07 | 1 |
| | | | | The CGI wants to create a temp file during bulk subcription. | |||
* | postfix: Update to recommended TLS settings. | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation http://article.gmane.org/gmane.mail.postfix.user/251935 (We're using stronger ciphers and protocols in our own infrastructure.) | |||
* | postfix: unset 'smtpd_tls_session_cache_database'. | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | Following Viktor Dukhovni's 2015-08-06 recommendation for Postfix >= 2.11 http://article.gmane.org/gmane.mail.postfix.user/251935 | |||
* | Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public. | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | | | | | Ideally we we should also increase the Diffie-Hellman group size from 2048-bit to 3072-bit, as per ENISA 2014 report. https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014 But we postpone that for now until we are reasonably certain that older client won't be left out. | |||
* | Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵ | Guilhem Moulin | 2016-05-18 | 1 |
| | | | | | | locally. And use this to fetch all X.509 leaf certificates. | |||
* | Add hardening options to our systemd unit files. | Guilhem Moulin | 2016-05-12 | 1 |
| | ||||
* | Set a HPKP on the webmail, website/wiki/git and list manager. | Guilhem Moulin | 2016-04-01 | 1 |
| | ||||
* | Set a CSP on the webmail, website/wiki and list manager. | Guilhem Moulin | 2016-04-01 | 1 |
| | ||||
* | Set HTTP security headers. | Guilhem Moulin | 2016-03-30 | 1 |
| | | | | See https://securityheaders.io . | |||
* | Remove SMTP message size limit on non public MTAs. | Guilhem Moulin | 2016-03-21 | 1 |
| | ||||
* | Let's Encrypt | Guilhem Moulin | 2016-03-02 | 1 |
| | ||||
* | Upgrade playbooks to Ansible 2.0. | Guilhem Moulin | 2016-02-12 | 2 |
| | ||||
* | Update all Fripost links from http:// to https://. | Guilhem Moulin | 2015-12-28 | 1 |
| | ||||
* | Use the Let's Encrypt CA for our public certs. | Guilhem Moulin | 2015-12-20 | 2 |
| | ||||
* | nginx: Move include.d/* to snippets/. | Guilhem Moulin | 2015-12-20 | 1 |
| | ||||
* | nginx: s/conf.d/include.d/ | Guilhem Moulin | 2015-12-15 | 1 |
| | ||||
* | wibble | Guilhem Moulin | 2015-12-09 | 1 |
| | ||||
* | ngnix: mv ssl/config conf.d/ssl | Guilhem Moulin | 2015-12-09 | 1 |
| | ||||
* | Postfix TLS policy: Store the fingerprint of the cert's pubkey, not of the ↵ | Guilhem Moulin | 2015-12-03 | 1 |
| | | | | cert itself. | |||
* | Automatically fetch X.509 certificates, and add them to git. | Guilhem Moulin | 2015-12-03 | 1 |
| | ||||
* | nginx: adjust expiration date for static content. | Guilhem Moulin | 2015-10-30 | 1 |
| | ||||
* | Fix address verification probes on the MSA. | Guilhem Moulin | 2015-09-16 | 1 |
| | | | | | Put all relay restrictions under smtpd_relay_restrictions and leave smtpd_recipient_restrictions empty, since we don't do DNSBL. | |||
* | Rename 'mysql_user' plugin to 'mysql_user2' to avoid name collisions. | Guilhem Moulin | 2015-07-12 | 1 |
| | ||||
* | Configure munin nodes & master. | Guilhem Moulin | 2015-06-10 | 2 |
| | | | | | Interhost communications are protected by stunnel4. The graphs are only visible on the master itself, and content is generated by Fast CGI. | |||
* | Prefer 302 over 301 redirections. | Guilhem Moulin | 2015-06-10 | 1 |
| | ||||
* | Add references to bug reports. | Guilhem Moulin | 2015-06-10 | 1 |
| | ||||
* | Fix log filenames for lists.f.o. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Add a reserved domain 'discard.fripost.org' to discard messages. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | ‘noreply@’ aliases can be added by routing them to ‘@discard.fripost.org’. | |||
* | VERP management. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Restart services when updating systemd unit files. | Guilhem Moulin | 2015-06-07 | 2 |
| | ||||
* | SQL: Set empty passwords for auth_socket authentication. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Prefer '/usr/sbin/nologin' over '/bin/false' for system users. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | logjam mitigation. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Don't restart sympa on logrotate. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | This is unnecessary since it uses syslog. | |||
* | Configure the list manager (Sympa). | Guilhem Moulin | 2015-06-07 | 18 |
| | ||||
* | Use $virtual_alias_domains not $virtual_mailbox_domains. | Guilhem Moulin | 2015-06-07 | 3 |
| | | | | | | | | | | | | | | | | | | | | | | | | | Quoting postconf(5): smtpd_reject_unlisted_recipient (default: yes) Request that the Postfix SMTP server rejects mail for unknown recipient addresses, even when no explicit reject_unlisted_recipient access restriction is specified. This prevents the Postfix queue from filling up with undeliverable MAILER-DAEMON messages. An address is always considered "known" when it matches a virtual(5) alias or a canonical(5) mapping. […] * The recipient domain matches $virtual_alias_domains but the recipient is not listed in $virtual_alias_maps. * The recipient domain matches $virtual_mailbox_domains but the recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null. Since we alias everything under special, "invalid", domains (mda.f.o and mailman.f.o), our $virtual_mailbox_maps was null, which led to reject_unlisted_recipient not being triggered for say, "noone@fripost.org". However, replacing $virtual_mailbox_domains with $virtual_alias_domains fits into the second point above. | |||
* | Remove o=mailHosting from the LDAP directory suffix. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it before hand). | |||
* | Increase the timeout in the smtpd waiting for the reinjection from amavis. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | | | SMTP client connection caching was introduced in 2.6.0: the SMTP session is held for the next task (in adaptative mode, only when there was a delay of only 5s between the two previous mails), but Postfix will terminate it if the next mail doesn't come soon enough, or if amavis does't terminate it itself (usually after 15s). | |||
* | Tell vim the underlying filetype of templates for syntax highlighting. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Reload Postfix upon configuration change, but don't restart it. | Guilhem Moulin | 2015-06-07 | 2 |
| | | | | | | (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, require a full restart, but most of the time it's overkill. | |||
* | Don't auto-create home directories when adding system users. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | Unlike adduser(8), ansible's 'user' module copies skeletal configuration files even for system users (unless called with createhome=no). | |||
* | Replace IPSec tunnels by app-level ephemeral TLS sessions. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well. | |||
* | Outgoing SMTP proxy. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | wibble | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Assume a DNS entry for each role. | Guilhem Moulin | 2015-06-07 | 1 |
| | | | | | | E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone would be provisioned by ansible, too.) It's a bit unclear how to index the subdomains (mx{1,2,3}, etc), though. | |||
* | Ansible automatically creates parent directories. | Guilhem Moulin | 2015-06-07 | 1 |
| | ||||
* | Use Debian's usual location for static web content. | Guilhem Moulin | 2015-06-07 | 2 |
| | | | | Hence put the CSS and fonts under /usr/share/. | |||
* | Make the *_maps file names uniform. | Guilhem Moulin | 2015-06-07 | 3 |
| | | | | That is, don't put a leading virtual_ or a trailing _maps in file names. |