path: root/roles/webmail/tasks
Commit message | Author | Age | Files
* Don't let authenticated client use arbitrary sender addresses. | Guilhem Moulin | 2017-06-01 | 1
  The following policy is now implemented:
    * users can use their SASL login name as sender address;
    * alias and/or list owners can use the address as envelope sender;
    * domain postmasters can use arbitrary sender addresses under their domains;
    * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name;
    * for known domains without owner or postmasters, other sender addresses are not allowed; and
    * arbitrary sender addresses under unknown domains are allowed.
* webmail: use Zend opcache and configure APCu. | Guilhem Moulin | 2017-05-14 | 1
* Webmail: Install XCache (PHP opcode cacher). | Guilhem Moulin | 2016-12-08 | 1
* nginx: Don't hard-code the HPKP headers. | Guilhem Moulin | 2016-07-12 | 1
  Instead, look up the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
* Change the pubkey extension from .pem to .pub. | Guilhem Moulin | 2016-07-10 | 1
* Route SMTP traffic from the webmail through IPsec. | Guilhem Moulin | 2016-07-10 | 3
* IMAP: don't include mailbox under the virtual namespace in LIST responses. | Guilhem Moulin | 2016-07-06 | 1
  Clients now have to use the NAMESPACE extension [RFC 2342] to discover mailboxes under the “virtual/” namespace. (Plus an extra LIST command, causing an overhead of two roundtrips.) Of course the downside is that non namespace-aware clients lose access to the “virtual/{all,flagged,…}” mailboxes, but on second thought it's probably better this way rather than having such clients treat these mailboxes as regular mailboxes.
* certs/public: fetch each cert's pubkey (SPKI), not the cert itself. | Guilhem Moulin | 2016-06-15 | 1
  To avoid new commits upon cert renewal.
* Use stunnel to secure the connection from the webmail to ldap.fripost.org. | Guilhem Moulin | 2016-06-05 | 2
  We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting.
* Roundcube: route IMAP and managesieve traffic through IPSec. | Guilhem Moulin | 2016-05-28 | 1
* Roundcube: add a link to our webpage as support URL. | Guilhem Moulin | 2016-05-24 | 1
* Roundcube: add a warning regarding IMAP hostname change. | Guilhem Moulin | 2016-05-23 | 1
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command locally. | Guilhem Moulin | 2016-05-18 | 1
  And use this to fetch all X.509 leaf certificates.
* roundcube: Pin X.509 certificate for sieve.fripost.org:4190. | Guilhem Moulin | 2016-05-17 | 1
* Use systemd unit files for stunnel4. | Guilhem Moulin | 2016-05-12 | 1
* Upgrade playbooks to Ansible 2.0. | Guilhem Moulin | 2016-02-12 | 2
* Use the Let's Encrypt CA for our public certs. | Guilhem Moulin | 2015-12-20 | 1
* Automatically fetch X.509 certificates, and add them to git. | Guilhem Moulin | 2015-12-03 | 1
* roundcube: Raise 'imap_timeout' from 1 to 3 minutes. | Guilhem Moulin | 2015-09-30 | 1
  See http://wiki.fripost.org/tracker/Error_on_search_in_roundcube/ .
* roundcube: Use php5-enchant and GNU Aspell for spell-checking. | Guilhem Moulin | 2015-09-29 | 1
* Add jqueryui configuration. | Guilhem Moulin | 2015-09-29 | 1
* Make roundcube plugin configuration static files. | Guilhem Moulin | 2015-09-29 | 1
* Upgrade Roundcube to 1.1.2. | Guilhem Moulin | 2015-09-24 | 1
* Make the webmail connect directly to the outgoing SMTP proxy. | Guilhem Moulin | 2015-06-07 | 3
  (Hence delete the 'webmail' Postfix instance.) This shortens the delay caused by the recipient verification probes.
* Upgrade the webmail configuration from Wheezy to Jessie. | Guilhem Moulin | 2015-06-07 | 1
* Add ability to add custom OrganizationalUnits in genkeypair. | Guilhem Moulin | 2015-06-07 | 1
  Also, it's now possible to reuse an existing private key (with -f).
* Reload Postfix upon configuration change, but don't restart it. | Guilhem Moulin | 2015-06-07 | 1
  (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, requires a full restart, but most of the time it's overkill.
* Replace IPSec tunnels by app-level ephemeral TLS sessions. | Guilhem Moulin | 2015-06-07 | 1
  For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.
* Fix syntax error. | Guilhem Moulin | 2015-06-07 | 1
* Generate certs for Dovecot and Nginx if they are not there. | Guilhem Moulin | 2015-06-07 | 1
* Force Roundcube to connect the IMAP server on localhost:143. | Guilhem Moulin | 2015-06-07 | 1
* Install Roundcube from backports. | Guilhem Moulin | 2015-06-07 | 1
  Recent versions have a whole bunch of bugfixes and nice new features: http://trac.roundcube.net/wiki/Changelog
* wibble | Guilhem Moulin | 2015-06-07 | 1
* typo | Guilhem Moulin | 2015-06-07 | 1
* wibble | Guilhem Moulin | 2015-06-07 | 1
* Configure Sieve and ManageSieve. | Guilhem Moulin | 2015-06-07 | 1
  Also, add the 'managesieve' RoundCube plugin to communicate with our server.
* Use a local IMAP caching proxy under the webmail. | Guilhem Moulin | 2015-06-07 | 1
  (Unless the webmail is itself a full IMAP server.) It replaces RoundCube's own IMAP and message caches. Dovecot's IMAPC storage backend is not very documented, but provides smart IMAP proxying. References include:
    http://dovecot.org/pipermail/dovecot/2011-January/056975.html
    http://wiki2.dovecot.org/HowTo/ImapcProxy
    http://wiki2.dovecot.org/Migration/Dsync
* Configure the webmail. | Guilhem Moulin | 2015-06-07 | 3