summaryrefslogtreecommitdiffstats
path: root/roles/webmail
Commit message (Collapse)AuthorAgeFiles
* webmail: use Zend opcache and configure APCu.Guilhem Moulin2017-05-143
|
* nginx: add support for HTTP/2.Guilhem Moulin2016-12-131
|
* Webmail: Install XCache (PHP opcode cacher).Guilhem Moulin2016-12-081
|
* nginx: Don't hard-code the HPKP headers.Guilhem Moulin2016-07-123
| | | | | Instead, lookup the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out.
* Change the pubkey extension from .pem to .pub.Guilhem Moulin2016-07-101
|
* Route SMTP traffic from the webmail through IPsec.Guilhem Moulin2016-07-106
|
* IMAP: don't include mailbox under the virtual namespace in LIST responses.Guilhem Moulin2016-07-061
| | | | | | | | | Clients now have to use the NAMESPACE extension [RFC 2342] to discover mailboxes under the “virtual/” namespace. (Plus an extra LIST command, causing an overhead two roundtrips.) Of course the downside is that non namespace-aware clients lose access to the “virtual/{all,flagged,…}” mailboxes, but on second thought it's probably better this way rather than having such clients treat these mailboxes as regular mailboxes.
* certs/public: fetch each cert's pubkey (SPKI), not the cert itself.Guilhem Moulin2016-06-151
| | | | To avoid new commits upon cert renewal.
* Use stunnel to secure the connection from the webmail to ldap.fripost.org.Guilhem Moulin2016-06-054
| | | | | We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting.
* Roundcube: route IMAP and managesieve traffic through IPSec.Guilhem Moulin2016-05-282
|
* Roundcube: add a link to our webpage as support URL.Guilhem Moulin2016-05-241
|
* Roundcube: add a warning regarding IMAP hostname change.Guilhem Moulin2016-05-231
|
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵Guilhem Moulin2016-05-181
| | | | | | locally. And use this to fetch all X.509 leaf certificates.
* roundube: Pin X.509 certificate for sieve.fripost.org:4190.Guilhem Moulin2016-05-172
|
* Use systemd unit files for stunnel4.Guilhem Moulin2016-05-123
|
* Roundcube's CSP: remove 'upgrade-insecure-requests' and ↵Guilhem Moulin2016-04-081
| | | | 'block-all-mixed-content'.
* Roundcube's CSP: allow loading images from data: URIs and arbitrary URLs.Guilhem Moulin2016-04-071
| | | | Per user request: https://wiki.fripost.org/tracker/CSP_too_strict/
* Set frame-ancestors from 'none' to 'self' in roundcube's CSP.Guilhem Moulin2016-04-021
|
* wibbleGuilhem Moulin2016-04-021
|
* Set a HPKP on the webmail, website/wiki/git and list manager.Guilhem Moulin2016-04-011
|
* Set a CSP on the webmail, website/wiki and list manager.Guilhem Moulin2016-04-011
|
* Set HTTP security headers.Guilhem Moulin2016-03-301
| | | | See https://securityheaders.io .
* Let's EncryptGuilhem Moulin2016-03-021
|
* Upgrade playbooks to Ansible 2.0.Guilhem Moulin2016-02-122
|
* Use the Let's Encrypt CA for our public certs.Guilhem Moulin2015-12-202
|
* nginx: Move include.d/* to snippets/.Guilhem Moulin2015-12-201
|
* nginx: s/conf.d/include.d/Guilhem Moulin2015-12-151
|
* wibbleGuilhem Moulin2015-12-091
|
* ngnix: mv ssl/config conf.d/sslGuilhem Moulin2015-12-091
|
* Use a dedicated subdomain for ManageSieve.Guilhem Moulin2015-12-031
|
* Automatically fetch X.509 certificates, and add them to git.Guilhem Moulin2015-12-031
|
* Roundcube managesieve SSL options: use AESGCM and disable compression.Guilhem Moulin2015-10-271
|
* stunnel: disable compression.Guilhem Moulin2015-10-271
|
* stunnel: use GCM ciphers only; use SSL options rather than ciphers to ↵Guilhem Moulin2015-10-271
| | | | disable protocols.
* roundcube: Raise 'imap_timeout' from 1 to 3 minutes.Guilhem Moulin2015-09-301
| | | | See http://wiki.fripost.org/tracker/Error_on_search_in_roundcube/ .
* roundcube: Use php5-enchant and GNU Aspell for spell-checking.Guilhem Moulin2015-09-291
|
* Add jqueryui configuration.Guilhem Moulin2015-09-292
|
* Make roundcube plugin configuration static files.Guilhem Moulin2015-09-294
|
* Upgrade Roundcube to 1.1.2.Guilhem Moulin2015-09-248
|
* Make the webmail connect directly to the outgoing SMTP proxy.Guilhem Moulin2015-06-076
| | | | | (Hence delete the 'webmail' Postfix instance.) This shortens the delay caused by the recipient verification probes.
* Use recipient address verification probes.Guilhem Moulin2015-06-071
| | | | | | | This is specially useful for mailing lists and the webmail, since it prevents our outgoing gateway from accepting mails known to be bouncing. However the downside is that it adds a delay of up to 6s after the RCPT TO command.
* Upgrade the webmail configuration from Wheezy to Jessie.Guilhem Moulin2015-06-073
|
* Don't make Roundcube add a 'X-Sender' header with the sender's identity.Guilhem Moulin2015-06-071
|
* Roundcube's 'password' plugin.Guilhem Moulin2015-06-071
|
* Make Nginx send the intermediate certificate along with the server's.Guilhem Moulin2015-06-071
|
* Remove o=mailHosting from the LDAP directory suffix.Guilhem Moulin2015-06-071
| | | | | | So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it before hand).
* Add ability to add custom OrganizationalUnits in genkeypair.Guilhem Moulin2015-06-071
| | | | Also, it's now possible to reuse an existing private key (with -f).
* Tell vim the underlying filetype of templates for syntax highlighting.Guilhem Moulin2015-06-071
|
* Reload Postfix upon configuration change, but don't restart it.Guilhem Moulin2015-06-072
| | | | | | (Unless a new instance is created, or the master.cf change is modified.) Changing some variables, such as inet_protocols, require a full restart, but most of the time it's overkill.
* Replace IPSec tunnels by app-level ephemeral TLS sessions.Guilhem Moulin2015-06-073
| | | | | For some reason giraff doesn't like IPSec. App-level TLS sessions are less efficient, but thanks to ansible it still scales well.