summaryrefslogtreecommitdiffstats
path: root/roles/webmail/files/etc
Commit message (Collapse)AuthorAgeFiles
* Roundcube: Add minimal config confile for thunderbird_labels plugin.Guilhem Moulin2020-10-021
|
* Roundcube: Don't allow overriding authres_status's ↵Guilhem Moulin2020-10-021
| | | | use_fallback_verifier/trusted_mtas.
* stunnel4: Harden and socket-activate.Guilhem Moulin2020-05-183
|
* AEAD ciphers: Add EECDH+CHACHA20 macro.Guilhem Moulin2020-05-181
| | | | | | | This adds the following two ciphers: ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
* nginx: Add Expires: HTTP headers.Guilhem Moulin2020-05-171
|
* webmail: Add .webp to the list of static resources.Guilhem Moulin2020-05-171
|
* Webmail: Compress static resources.Guilhem Moulin2020-05-171
| | | | | | | | | | | We leave dynamic pages (those passed to PHP-FPM) alone for now: compressing them would make us vulnerable to BREACH attacks. This will be revisited once Roundcube 1.5 is released: 1.5 adds support for the same-site cookie attribute which once set to 'Strict' makes it immune to BREACH attacks: https://github.com/roundcube/roundcubemail/pull/6772 https://www.sjoerdlangkemper.nl/2016/11/07/current-state-of-breach-attack/#same-site-cookies
* Webmail: Fix allowed extensions for static resources.Guilhem Moulin2020-05-171
| | | | | $ find -L /usr/share/roundcube/{plugins,program/js,program/resources,skins} -xtype f -printf "%f\\n" \ | sed -r "s/^([^.]+)(.*)/\1\2\t\2/" | sort -k2 | uniq -c -f1
* Webmail: Improve Content-Security-Policy.Guilhem Moulin2020-05-171
|
* Roundcube: Port to Debian 10.Guilhem Moulin2020-05-176
| | | | | We use the version from buster-backports (currently 1.4.4+dfsg.1-1~bpo10+1) for the elastic theme.
* Roundcube: improve serving of static resources.Guilhem Moulin2018-12-061
| | | | | | | | | | | | | | | We only serve whitelisted extensions (css, js, png, etc.), and only for some selected sub-directories. Access to everything else (incl. log files and config files) is denied with a 404. This is unlike upstream's .htaccess file, which blacklists restricted locations and happily serves the rest: https://github.com/roundcube/roundcubemail/blob/master/.htaccess#L8 To find out which extensions exist on the file system, run find -L /var/lib/roundcube/{plugins,program/js,program/resources,skins} -type f \ | sed -n 's/.*\.//p' | sort | uniq -c
* Upgrade webmail baseline to Debian Stretch.Guilhem Moulin2018-12-033
|
* Don't make Roundcube add a 'X-Sender' header with the sender's identity.Guilhem Moulin2017-06-011
|
* webmail: use Zend opcache and configure APCu.Guilhem Moulin2017-05-141
|
* nginx: add support for HTTP/2.Guilhem Moulin2016-12-131
|
* nginx: Don't hard-code the HPKP headers.Guilhem Moulin2016-07-121
| | | | | Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
* Use stunnel to secure the connection from the webmail to ldap.fripost.org.Guilhem Moulin2016-06-051
| | | | | We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting.
* roundube: Pin X.509 certificate for sieve.fripost.org:4190.Guilhem Moulin2016-05-171
|
* Roundcube's CSP: remove 'upgrade-insecure-requests' and ↵Guilhem Moulin2016-04-081
| | | | 'block-all-mixed-content'.
* Roundcube's CSP: allow loading images from data: URIs and arbitrary URLs.Guilhem Moulin2016-04-071
| | | | Per user request: https://wiki.fripost.org/tracker/CSP_too_strict/
* Set frame-ancestors from 'none' to 'self' in roundcube's CSP.Guilhem Moulin2016-04-021
|
* wibbleGuilhem Moulin2016-04-021
|
* Set a HPKP on the webmail, website/wiki/git and list manager.Guilhem Moulin2016-04-011
|
* Set a CSP on the webmail, website/wiki and list manager.Guilhem Moulin2016-04-011
|
* Set HTTP security headers.Guilhem Moulin2016-03-301
| | | | See https://securityheaders.io .
* Let's EncryptGuilhem Moulin2016-03-021
|
* Use the Let's Encrypt CA for our public certs.Guilhem Moulin2015-12-201
|
* nginx: Move include.d/* to snippets/.Guilhem Moulin2015-12-201
|
* nginx: s/conf.d/include.d/Guilhem Moulin2015-12-151
|
* wibbleGuilhem Moulin2015-12-091
|
* ngnix: mv ssl/config conf.d/sslGuilhem Moulin2015-12-091
|
* Use a dedicated subdomain for ManageSieve.Guilhem Moulin2015-12-031
|
* Roundcube managesieve SSL options: use AESGCM and disable compression.Guilhem Moulin2015-10-271
|
* Add jqueryui configuration.Guilhem Moulin2015-09-291
|
* Make roundcube plugin configuration static files.Guilhem Moulin2015-09-293
|
* Upgrade the webmail configuration from Wheezy to Jessie.Guilhem Moulin2015-06-071
|
* Make Nginx send the intermediate certificate along with the server's.Guilhem Moulin2015-06-071
|
* Generate certs for Dovecot and Nginx if they are not there.Guilhem Moulin2015-06-071
|
* Allow Roundcube to offer JavaScript.Guilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-071
|
* Configure the webmail.Guilhem Moulin2015-06-071