Commit message | Author | Age | Files
This is required to receive incoming traffic to our IPsec IP in 172.16.0.0/24,
as well as link-scoped ICMPv6 traffic from/to fe80::/10 (for neighbour
discovery).
Regression from a6b8c0b3a4758f8d84a7ad07bb9e068075d098d3.
This is more efficient: the earlier we filter the crap out, the fewer
resources they consume.
See tcp(7) and https://levelup.gitconnected.com/linux-kernel-tuning-for-high-performance-networking-high-volume-incoming-connections-196e863d458a .
As of MariaDB 10.3 this should be more future proof.
See https://git.fripost.org/fripost-wiki/commit/?id=72983121e68289a7497927417e52a8ec5f16aa7b .
use_fallback_verifier/trusted_mtas.
Unlike slapcat(1) it doesn't require write access to ~openldap, so we
don't have to weaken bacula-fd.service.
This is needed for BS4's navbar-toggler-icon which uses an SVG
background-image.
Add frame-ancestors and form-action.
And drop -ldap from all roles other than MX.  -lmdb is included in
roles/common but it can be helpful to have it in individual roles as well
as they can be run individually.
Run as a dedicated user, not ‘postfix’.
This provides better isolation opportunity as the service doesn't need
to run as the ‘vmail’ user.  We use a dedicated system user instead, and
LDAP ACLs to limit its access to the strict minimum.
The new solution is also more robust to quoting/escaping, and doesn't
depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID
instead of %d/%n at some point to make user renaming simpler).
OTOH we no longer list users that have been removed from LDAP but still
have a mailstore lingering around.  This is fair.
This is a regression from 829f4d830aefedd95a75e61cfc9aa3e03f039c6f.
There are no relevant interface changes between 2.2.27 (stretch) and
2.3.4 (buster) cf. `git diff 2.2.27..2.3.4 src/lib-dict/dict-client.h`
and https://github.com/dovecot/core/commits/2.3.4/src/lib-dict/dict-client.h .
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=dovecot&version=2.3.9&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
For `ssl_cipher_list` we pick the suggested value from
https://ssl-config.mozilla.org/#server=postfix&version=3.4.10&config=intermediate&openssl=1.1.1d
At the moment it's equivalent (modulo order) to adding ‘EDH+AESGCM+aRSA’
to ‘EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL’.
This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.
To be done when we upgrade to Bullseye for more fine-grained control.
This adds the following two ciphers:
  ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH  Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
  ECDHE-RSA-CHACHA20-POLY1305   TLSv1.2 Kx=ECDH  Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
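The three cipher-list commits above (the Dovecot and Postfix `ssl_cipher_list` changes, and the one adding the two ChaCha20 suites) all rest on claims about what an OpenSSL cipher string expands to: "equivalent (modulo order)", "adds the following two ciphers". That is exactly the check worth scripting before a cipher string is deployed, so here is an added example that is not part of the repository: it expands cipher strings with the OpenSSL that Python is linked against and compares them as sets. The `PREVIOUS` and `CURRENT` strings are the ones quoted in the commit messages, written with `:` separators between the `!` rules as ciphers(1) expects (the messages omit them); `MOZILLA_INTERMEDIATE` is the explicit list the linked generator produced for its intermediate profile at the time, reproduced here from memory and not from the page.

```python
import ssl

# Cipher strings from the commit messages above, ':'-separated as ciphers(1)
# expects.  MOZILLA_INTERMEDIATE is reproduced from memory (the commits only
# link the generator), so treat it as an assumption of this example.
PREVIOUS = "EECDH+AESGCM:EECDH+CHACHA20:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL"
CURRENT = "EECDH+AESGCM:EECDH+CHACHA20:EDH+AESGCM+aRSA:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL"
MOZILLA_INTERMEDIATE = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)


def expand(cipher_string):
    """Suite names (TLS 1.2 and below) that `cipher_string` selects under the
    OpenSSL this interpreter is linked against.  TLS 1.3 suites are negotiated
    from a separate list and are reported with TLS_ names, so they are dropped:
    they don't change when the cipher string changes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return {c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")}


def same_ciphers(a, b):
    """'Equivalent modulo order': same set of suites, preference order ignored."""
    return expand(a) == expand(b)


def added_by(old, new):
    """Suites a cipher-string change enables.  Review this, not the aliases:
    alias arithmetic (EDH, aRSA, +, !) is easy to get subtly wrong."""
    return expand(new) - expand(old)


def removed_by(old, new):
    """Suites a cipher-string change disables."""
    return expand(old) - expand(new)


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    print("equivalent to Mozilla intermediate:", same_ciphers(MOZILLA_INTERMEDIATE, CURRENT))
    print("added by EDH+AESGCM+aRSA:", sorted(added_by(PREVIOUS, CURRENT)))
    print("removed:", sorted(removed_by(PREVIOUS, CURRENT)))
    print("EECDH+CHACHA20 expands to:", sorted(expand("EECDH+CHACHA20")))
```

Run it on the host that will serve the config, since the expansion depends on the OpenSSL version and build options (Debian's stretch and buster builds differ, and so does security level), and re-run it after each OpenSSL upgrade: the "at the moment" in the commit messages is doing real work. The MEDIUM alias, incidentally, does not cover AES-128 (OpenSSL rates it HIGH), which is why `!MEDIUM` leaves the AES128-GCM suites in place.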
We replace uwsgi in 70f16ac939497e3e424bad05c5f82ce36d1bceda.
Marking incoming ESP packets and matching decapsulated packets doesn't
work with NAT traversal (UDP encapsulation aka MOBIKE).
For use with Nextcloud 18, cf. https://docs.nextcloud.com/server/18/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx .
We also rename the ‘lacme’ system user to ‘_lacme’ per Debian Policy
§9.2.1: https://www.debian.org/doc/debian-policy/ch-opersys.html#introduction .
We leave dynamic pages (those passed to PHP-FPM) alone for now:
compressing them would make us vulnerable to BREACH attacks.  This will
be revisited once Roundcube 1.5 is released: 1.5 adds support for the
same-site cookie attribute which once set to 'Strict' makes it immune to
BREACH attacks:
    https://github.com/roundcube/roundcubemail/pull/6772
    https://www.sjoerdlangkemper.nl/2016/11/07/current-state-of-breach-attack/#same-site-cookies
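The commit above leaves PHP-FPM output uncompressed because of BREACH, and expects SameSite=Strict to make compression safe again. The following is an added example, not code from the repository or from Roundcube, that shows both halves of that reasoning on a constructed page: a response that reflects a request parameter and embeds a per-session CSRF token leaks the token through its compressed length, one hex digit per sixteen requests, and the same attack yields nothing once the cross-site request arrives without the session cookie, which is what SameSite=Strict guarantees. The token value, the page markup and the 19-byte injection prefix are all constructed for the example; fixed Huffman codes (`Z_FIXED`) are used so the length oracle is exact on a page this small, whereas a real server's dynamic Huffman tables add noise that the BREACH paper's statistical tricks have to average out.

```python
import zlib

# Constructed values for this example (not from the repository): a session's
# CSRF token, and the 19 bytes that precede it in the page, which the attacker
# learns from a page rendered for their own session.
ALPHABET = "0123456789abcdef"
SECRET = "3f9a7c1e"
INJECT_PREFIX = 'name="csrf" value="'


def render(query, authenticated):
    """Toy dynamic page standing in for a PHP-FPM response: reflects the ?q=
    parameter and, only when the request carried the session cookie, embeds the
    session's CSRF token."""
    page = "<html><body>"
    if authenticated:
        page += "<form><input " + INJECT_PREFIX + SECRET + '"/></form>'
    page += '<a href="/?q=' + query + '">search</a></body></html>'
    return page.encode()


def compressed_length(body):
    """Size of the compressed body as seen on the wire.  Raw DEFLATE with fixed
    Huffman codes makes the oracle exact here: a correct guess extends the
    back-reference to the token by one byte and saves exactly one 8-bit literal,
    so the compressed size drops by exactly one byte."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15, 9, zlib.Z_FIXED)
    return len(c.compress(body) + c.flush())


def breach_recover(serve, token_len=len(SECRET)):
    """Recover the token one hex digit at a time from response lengths.
    `serve(query)` returns the bytes the victim's browser would receive for an
    attacker-chosen query.  Returns None as soon as no guess is a strict winner,
    i.e. when the response contains nothing for the guess to match."""
    known = ""
    for _ in range(token_len):
        sizes = {g: compressed_length(serve(INJECT_PREFIX + known + g))
                 for g in ALPHABET}
        best = min(sizes.values())
        winners = [g for g, n in sizes.items() if n == best]
        if len(winners) != 1:
            return None
        known += winners[0]
    return known


def attack_with_cookie():
    """Cross-site request that still carries the session cookie (no SameSite
    attribute): the page is rendered for the victim's session and the token
    leaks."""
    return breach_recover(lambda q: render(q, authenticated=True))


def attack_samesite_strict():
    """With SameSite=Strict the browser omits the cookie on the cross-site
    request, the page is rendered unauthenticated, and every guess compresses
    to the same size."""
    return breach_recover(lambda q: render(q, authenticated=False))


if __name__ == "__main__":
    print("token leaked via gzip length:", attack_with_cookie())       # 3f9a7c1e
    print("with SameSite=Strict cookie:", attack_samesite_strict())   # None
```

The injection prefix is 19 bytes long on purpose: DEFLATE encodes match lengths 19 to 30 with the same fixed length code and the same number of extra bits, so every one of the eight guessing rounds saves exactly one literal and the correct digit is always a strict minimum. With a shorter prefix some rounds straddle a length-code boundary and the correct guess can tie with a wrong one, which is the kind of noise a real BREACH attack has to handle with repeated measurements.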
$ find -L /usr/share/roundcube/{plugins,program/js,program/resources,skins} -xtype f -printf "%f\\n" \
      | sed -r "s/^([^.]+)(.*)/\1\2\t\2/" | sort -k2 | uniq -c -f1
They don't appear to be supported anymore.
It doesn't integrate too well with the new elastic theme at the moment.
https://github.com/corbosman/keyboard_shortcuts
We use the version from buster-backports (currently 1.4.4+dfsg.1-1~bpo10+1)
for the elastic theme.
lacme now ships that file as /etc/lacme/nginx.conf.
For postfix, don't defer if "abused legit".  (I.e., DBL return code in
the 127.0.1.100+ range.)  This used to work for Postfix 3.1.14 (Stretch)
but for 3.4.8 (Buster) the 'defer_if_reject' also applies to
$smtpd_relay_restrictions, to reject_unauth_destination &
reject_unlisted_recipient in particular.