| | Commit message | Author | Age | Files |
---|---|---|---|---|
* | Roundcube: Set $config['max_recipients'] = 15 to avoid timeout. | Guilhem Moulin | 2024-09-08 | 1 |
| | Cf. msgid=<ZFe5tjHTGbVemNTD@fripost.org> | | | |
* | Don't take roundcube from backports. | Guilhem Moulin | 2024-09-08 | 1 |
* | Webmail: Upgrade backend to PHP7.4. | Guilhem Moulin | 2024-09-08 | 4 |
* | Roundcube: managesieve: Disable ‘reject’ and ‘ereject’ extensions. | Guilhem Moulin | 2022-10-11 | 1 |
* | Prefix ‘ipaddr’ and ‘ipv4’ with ‘ansible.utils.’. | Guilhem Moulin | 2022-10-11 | 2 |
| | This silences the following deprecation warning: | | | |
| | Use 'ansible.utils.ipaddr' module instead. This feature will be removed from ansible.netcommon in a release after 2024-01-01. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. | | | |
* | Roundcube: Fix favicon path. | Guilhem Moulin | 2021-01-27 | 1 |
* | Roundcube: Serve assets pre-compressed when possible. | Guilhem Moulin | 2021-01-27 | 1 |
| | See https://salsa.debian.org/roundcube-team/roundcube/-/commit/f1e89494e8b777d69564e67f2d8b47ac84eb02f4 . | | | |
* | Roundcube: Change document root to /var/lib/roundcube/public_html. | Guilhem Moulin | 2021-01-27 | 1 |
| | Per https://salsa.debian.org/roundcube-team/roundcube/commit/7df02624eec4857053432d8ebe9b4e2b36f22bc5 . | | | |
* | typofix | Guilhem Moulin | 2020-10-02 | 1 |
* | Roundcube: Add minimal config confile for thunderbird_labels plugin. | Guilhem Moulin | 2020-10-02 | 2 |
* | Roundcube: Don't allow overriding authres_status's use_fallback_verifier/trusted_mtas. | Guilhem Moulin | 2020-10-02 | 2 |
* | s/LDAP-provider/LDAP_provider/ | Guilhem Moulin | 2020-05-19 | 1 |
| | This was forgotten after a092bfd947773281a23419ee0ab62358371b7166. | | | |
* | stunnel4: Harden and socket-activate. | Guilhem Moulin | 2020-05-18 | 5 |
* | AEAD ciphers: Add EECDH+CHACHA20 macro. | Guilhem Moulin | 2020-05-18 | 1 |
| | This adds the following two ciphers: | | | |
| | ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD | | | |
| | ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD | | | |
* | nginx: Add Expires: HTTP headers. | Guilhem Moulin | 2020-05-17 | 1 |
* | webmail: Add .webp to the list of static resources. | Guilhem Moulin | 2020-05-17 | 1 |
* | Webmail: Compress static resources. | Guilhem Moulin | 2020-05-17 | 1 |
| | We leave dynamic pages (those passed to PHP-FPM) alone for now: compressing them would make us vulnerable to BREACH attacks. This will be revisited once Roundcube 1.5 is released: 1.5 adds support for the same-site cookie attribute which once set to 'Strict' makes it immune to BREACH attacks: | | | |
| | https://github.com/roundcube/roundcubemail/pull/6772 | | | |
| | https://www.sjoerdlangkemper.nl/2016/11/07/current-state-of-breach-attack/#same-site-cookies | | | |
* | Webmail: Fix allowed extensions for static resources. | Guilhem Moulin | 2020-05-17 | 1 |
| | $ find -L /usr/share/roundcube/{plugins,program/js,program/resources,skins} -xtype f -printf "%f\\n" | sed -r "s/^([^.]+)(.*)/\1\2\t\2/" | sort -k2 | uniq -c -f1 | | | |
* | Webmail: Improve Content-Security-Policy. | Guilhem Moulin | 2020-05-17 | 1 |
* | Remove 'meta: flush_handlers' directives under conditionals. | Guilhem Moulin | 2020-05-17 | 1 |
| | They don't appear to be supported anymore. | | | |
* | Roundcube: skip 'keyboard_shortcuts' plugin. | Guilhem Moulin | 2020-05-17 | 1 |
| | It doesn't integrate too well with the new elastic theme at the moment. https://github.com/corbosman/keyboard_shortcuts | | | |
* | Roundcube: Port to Debian 10. | Guilhem Moulin | 2020-05-17 | 10 |
| | We use the version from buster-backports (currently 1.4.4+dfsg.1-1~bpo10+1) for the elastic theme. | | | |
* | Roundcube: improve serving of static resources. | Guilhem Moulin | 2018-12-06 | 1 |
| | We only serve whitelisted extensions (css, js, png, etc.), and only for some selected sub-directories. Access to everything else (incl. log files and config files) is denied with a 404. This is unlike upstream's .htaccess file, which blacklists restricted locations and happily serves the rest: | | | |
| | https://github.com/roundcube/roundcubemail/blob/master/.htaccess#L8 | | | |
| | To find out which extensions exist on the file system, run | | | |
| | find -L /var/lib/roundcube/{plugins,program/js,program/resources,skins} -type f | sed -n 's/.*\.//p' | sort | uniq -c | | | |
* | Upgrade webmail baseline to Debian Stretch. | Guilhem Moulin | 2018-12-03 | 6 |
* | Upgrade syntax to Ansible 2.7 (apt module). | Guilhem Moulin | 2018-12-03 | 1 |
* | Upgrade syntax to Ansible 2.4. | Guilhem Moulin | 2017-11-23 | 1 |
* | Don't make Roundcube add a 'X-Sender' header with the sender's identity. | Guilhem Moulin | 2017-06-01 | 1 |
* | Don't let authenticated client use arbitrary sender addresses. | Guilhem Moulin | 2017-06-01 | 1 |
| | The following policy is now implemented: | | | |
| | * users can use their SASL login name as sender address; | | | |
| | * alias and/or list owners can use the address as envelope sender; | | | |
| | * domain postmasters can use arbitrary sender addresses under their domains; | | | |
| | * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name; | | | |
| | * for known domains without owner or postmasters, other sender addresses are not allowed; and | | | |
| | * arbitrary sender addresses under unknown domains are allowed. | | | |
* | webmail: use Zend opcache and configure APCu. | Guilhem Moulin | 2017-05-14 | 3 |
* | nginx: add support for HTTP/2. | Guilhem Moulin | 2016-12-13 | 1 |
* | Webmail: Install XCache (PHP opcode cacher). | Guilhem Moulin | 2016-12-08 | 1 |
* | nginx: Don't hard-code the HPKP headers. | Guilhem Moulin | 2016-07-12 | 3 |
| | Instead, look up the pubkeys and compute the digests on the fly. But never modify the actual header snippet to avoid locking our users out. | | | |
* | Change the pubkey extension from .pem to .pub. | Guilhem Moulin | 2016-07-10 | 1 |
* | Route SMTP traffic from the webmail through IPsec. | Guilhem Moulin | 2016-07-10 | 6 |
* | IMAP: don't include mailbox under the virtual namespace in LIST responses. | Guilhem Moulin | 2016-07-06 | 1 |
| | Clients now have to use the NAMESPACE extension [RFC 2342] to discover mailboxes under the “virtual/” namespace. (Plus an extra LIST command, causing an overhead of two roundtrips.) Of course the downside is that non namespace-aware clients lose access to the “virtual/{all,flagged,…}” mailboxes, but on second thought it's probably better this way rather than having such clients treat these mailboxes as regular mailboxes. | | | |
* | certs/public: fetch each cert's pubkey (SPKI), not the cert itself. | Guilhem Moulin | 2016-06-15 | 1 |
| | To avoid new commits upon cert renewal. | | | |
* | Use stunnel to secure the connection from the webmail to ldap.fripost.org. | Guilhem Moulin | 2016-06-05 | 4 |
| | We should use IPSec instead, but doing so would force us to weaken slapd.conf's ‘security’ setting. | | | |
* | Roundcube: route IMAP and managesieve traffic through IPSec. | Guilhem Moulin | 2016-05-28 | 2 |
* | Roundcube: add a link to our webpage as support URL. | Guilhem Moulin | 2016-05-24 | 1 |
* | Roundcube: add a warning regarding IMAP hostname change. | Guilhem Moulin | 2016-05-23 | 1 |
* | Add an ansible module 'fetch_cmd' to fetch the output of a remote command locally. And use this to fetch all X.509 leaf certificates. | Guilhem Moulin | 2016-05-18 | 1 |
* | roundcube: Pin X.509 certificate for sieve.fripost.org:4190. | Guilhem Moulin | 2016-05-17 | 2 |
* | Use systemd unit files for stunnel4. | Guilhem Moulin | 2016-05-12 | 3 |
* | Roundcube's CSP: remove 'upgrade-insecure-requests' and 'block-all-mixed-content'. | Guilhem Moulin | 2016-04-08 | 1 |
* | Roundcube's CSP: allow loading images from data: URIs and arbitrary URLs. | Guilhem Moulin | 2016-04-07 | 1 |
| | Per user request: https://wiki.fripost.org/tracker/CSP_too_strict/ | | | |
* | Set frame-ancestors from 'none' to 'self' in roundcube's CSP. | Guilhem Moulin | 2016-04-02 | 1 |
* | wibble | Guilhem Moulin | 2016-04-02 | 1 |
* | Set a HPKP on the webmail, website/wiki/git and list manager. | Guilhem Moulin | 2016-04-01 | 1 |
* | Set a CSP on the webmail, website/wiki and list manager. | Guilhem Moulin | 2016-04-01 | 1 |
* | Set HTTP security headers. | Guilhem Moulin | 2016-03-30 | 1 |
| | See https://securityheaders.io . | | | |