path: root/roles
Commit log (each entry gives the commit message, author, date and number of files changed)
* Fix $smtpd_sender_restrictions. (Guilhem Moulin, 2015-06-07, 3 files)
  On the MDA the domain is our 'mda.fripost.org', there is no need to perform an extra DNS lookup. The MSA does not perform local or virtual delivery, but relays everything to the outgoing SMTP proxy. On the MX, there is no need to check for recipient validity as we are the final destination; but ensure that the RCPT TO address is a valid recipient before doing the greylisting.
* Explain why we use static transport maps and custom subdomains. (Guilhem Moulin, 2015-06-07, 3 files)
* typo (Guilhem Moulin, 2015-06-07, 1 file)
* Use $virtual_alias_domains not $virtual_mailbox_domains. (Guilhem Moulin, 2015-06-07, 8 files)
  Quoting postconf(5):

      smtpd_reject_unlisted_recipient (default: yes)
        Request that the Postfix SMTP server rejects mail for unknown recipient addresses, even when no explicit reject_unlisted_recipient access restriction is specified. This prevents the Postfix queue from filling up with undeliverable MAILER-DAEMON messages. An address is always considered "known" when it matches a virtual(5) alias or a canonical(5) mapping. […]
        * The recipient domain matches $virtual_alias_domains but the recipient is not listed in $virtual_alias_maps.
        * The recipient domain matches $virtual_mailbox_domains but the recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null.

  Since we alias everything under special, "invalid", domains (mda.f.o and mailman.f.o), our $virtual_mailbox_maps was null, which led to reject_unlisted_recipient not being triggered for, say, "noone@fripost.org". However, replacing $virtual_mailbox_domains with $virtual_alias_domains fits into the second point above.
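The decision quoted in the commit above, as an added example that is neither part of the commit nor of the fripost roles: a small Python model of the two postconf(5) rules, run over constructed sample maps, showing why "noone@fripost.org" was accepted while fripost.org was a $virtual_mailbox_domains entry with a null $virtual_mailbox_maps, and is rejected once fripost.org is listed in $virtual_alias_domains instead. The function names, the sample alias entry, the NONNULL variant and the "accept"/"reject" verdict strings are this example's own; real Postfix also tries other lookup-key forms (user, @domain) and canonical(5), which are deliberately left out.

```python
"""Toy model of the two postconf(5) rules quoted in the commit above.

Added example, not project code. It models only the part of Postfix's
reject_unlisted_recipient decision that the quoted text describes, for a
virtual domain: rule 1 (alias domain, recipient missing from
virtual_alias_maps) and rule 2 (mailbox domain, recipient missing from a
non-null virtual_mailbox_maps). Lookup-key variants such as '@domain'
catch-alls and canonical(5) are not modelled. All addresses and map
contents below are constructed sample data.
"""


def recipient_is_unlisted(addr, cfg):
    """Return True when the quoted rules classify ``addr`` as unknown.

    ``cfg`` uses the Postfix parameter names as keys; the *_domains values
    are sets of domain names and the *_maps values are dicts keyed by the
    full address (an empty dict models a null map).
    """
    _local, _, domain = addr.rpartition("@")
    # postconf(5): an address is always "known" when it matches a virtual(5)
    # alias, whatever domain class it falls in.
    if addr in cfg["virtual_alias_maps"]:
        return False
    if domain in cfg["virtual_alias_domains"]:
        # Rule 1: alias domain, recipient not listed in virtual_alias_maps.
        return True
    if domain in cfg["virtual_mailbox_domains"]:
        # Rule 2 only fires when virtual_mailbox_maps is non-null.
        mailbox_maps = cfg["virtual_mailbox_maps"]
        return bool(mailbox_maps) and addr not in mailbox_maps
    # Not one of our virtual domains: the relay decision is made elsewhere.
    return False


def smtpd_rcpt_verdict(addr, cfg, reject_unlisted_recipient=True):
    """'reject' or 'accept', as smtpd_reject_unlisted_recipient would decide."""
    if reject_unlisted_recipient and recipient_is_unlisted(addr, cfg):
        return "reject"
    return "accept"


# Constructed sample map. Every real user is aliased into the internal
# mda.fripost.org domain, so no virtual_mailbox_maps entry exists for the
# public domain: that is the situation the commit describes.
ALIASES = {"alice@fripost.org": "alice@mda.fripost.org"}

# Before the commit: fripost.org as a virtual mailbox domain with a null map.
BEFORE = {
    "virtual_alias_domains": set(),
    "virtual_alias_maps": ALIASES,
    "virtual_mailbox_domains": {"fripost.org"},
    "virtual_mailbox_maps": {},
}

# After the commit: fripost.org as a virtual alias domain.
AFTER = {
    "virtual_alias_domains": {"fripost.org"},
    "virtual_alias_maps": ALIASES,
    "virtual_mailbox_domains": set(),
    "virtual_mailbox_maps": {},
}

# Constructed variant: same as BEFORE but with a non-null mailbox map, which
# is the other way rule 2 could have been made to fire.
NONNULL = dict(BEFORE, virtual_mailbox_maps={"postmaster@fripost.org": "postmaster/"})


def compare(addr):
    """Verdict for ``addr`` under the BEFORE and AFTER configurations."""
    return {"before": smtpd_rcpt_verdict(addr, BEFORE),
            "after": smtpd_rcpt_verdict(addr, AFTER)}


if __name__ == "__main__":
    for rcpt in ("alice@fripost.org", "noone@fripost.org"):
        print(rcpt, compare(rcpt))
```

The model is only a reading aid for the quoted rules: on a real MX, verify the behaviour against the running configuration (for instance with a test RCPT TO in an SMTP session) rather than trusting the model.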
* More logcheck-database tweaks. (Guilhem Moulin, 2015-06-07, 1 file)
* Make Nginx send the intermediate certificate along with the server's. (Guilhem Moulin, 2015-06-07, 1 file)
* Fix Dovecot's mail location. (Guilhem Moulin, 2015-06-07, 4 files)
* Perform the alias resolution and address validation solely on the MX:es. (Guilhem Moulin, 2015-06-07, 17 files)
  We can therefore spare some lookups on the MDA, and use static:all instead.
* Ensure Postfix's LDAP searchBase exists when doing a lookup. (Guilhem Moulin, 2015-06-07, 8 files)
  Postfix interprets Error Code 32 (No Such Object) as lookup failures, but that's ugly... Also, make Postfix simple bind against cn=postfix,ou=services,dc=fripost,dc=org.
* Fix Amavis' Policy Banks. (Guilhem Moulin, 2015-06-07, 2 files)
  It turns out that in a policy bank, a *_by_ccat doesn't replace the default but is merely merged into the default (if the keys overlap, those in the bank take precedence of course). Hence it's pointless to use CC_CATCHALL in a bank unless all the other keys have been overridden, for instance.
  Also, treat unchecked (eg, encrypted) mails as clean in the OUTGOING Policy Bank.
* Add a logcheck rule to ignore cyrus' annoying log messages. (Guilhem Moulin, 2015-06-07, 1 file)
  Namely, "DIGEST-MD5 common mech free". See also bug #631932.
* Fix issue with delete entries in the replication. (Guilhem Moulin, 2015-06-07, 1 file)
  It looks as if the SyncRepl needs read access on the 'entry' and 'objectClass' attributes of the entry being deleted, and the entry being deleted no longer matches the ACL filters, so we have to grant access globally. (We still have fine-grained control on the other attributes, which are not disclosed, though.)
* Add an LDAP attribute to check if the user wants to use the content filter. (Guilhem Moulin, 2015-06-07, 2 files)
  This decision is left to the MX (as for 'fripostIsStatusActive'), which will set the envelope recipient accordingly.
* Fix client verification policy. (Guilhem Moulin, 2015-06-07, 1 file)
* Postfix needs to be restarted after rekeying. (Guilhem Moulin, 2015-06-07, 1 file)
  (It opens the key as root, but then drops the permissions.)
* Add a tag 'tls_policy' to facilitate rekeying. (Guilhem Moulin, 2015-06-07, 3 files)
  First generate all certs (-t genkey), then build the TLS policy maps (-t tls_policy).
* 'default_days' in openssl.cnf doesn't work, use -days instead. (Guilhem Moulin, 2015-06-07, 1 file)
* More logcheck-database tweaks. (Guilhem Moulin, 2015-06-07, 2 files)
* Make the Ansible LDAP plugin able to delete entries and attributes. (Guilhem Moulin, 2015-06-07, 2 files)
  Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on the 'config' database.
* Fix race condition when generating certificates for slapd. (Guilhem Moulin, 2015-06-07, 2 files)
  The SyncProv won't start if the file olcTLSCACertificateFile points to doesn't exist.
* Remove o=mailHosting from the LDAP directory suffix. (Guilhem Moulin, 2015-06-07, 19 files)
  So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it beforehand).
* Add a note on how to test SASL EXTERNAL authentication via TLS. (Guilhem Moulin, 2015-06-07, 1 file)
* typo (Guilhem Moulin, 2015-06-07, 1 file)
* More logcheck-database tweaks. (Guilhem Moulin, 2015-06-07, 3 files)
* Generate the DKIM key on the outgoing instance only. (Guilhem Moulin, 2015-06-07, 1 file)
* Fix a corner case in reserved-alias.pl. (Guilhem Moulin, 2015-06-07, 1 file)
  'if $l' is false when $l is 0, while 0@example.org is a perfectly valid address.
* Configure SyncRepl (OpenLDAP replication) and related ACLs. (Guilhem Moulin, 2015-06-07, 5 files)
  The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy.

  Overview:
  - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires').
  - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security.
  - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind).
  - Admins have restrictions similar to that of the services.
  - User access is only restricted by our global 'olcSecurity' attribute.
* Add ability to add custom OrganizationalUnits in genkeypair. (Guilhem Moulin, 2015-06-07, 4 files)
  Also, it's now possible to reuse an existing private key (with -f).
* Add ability to chmod, chown and set the key usage in genkeypair. (Guilhem Moulin, 2015-06-07, 1 file)
* Enable zero-copy updates to the LDAP directory. (Guilhem Moulin, 2015-06-07, 3 files)
* Increase the timeout in the smtpd waiting for the reinjection from amavis. (Guilhem Moulin, 2015-06-07, 3 files)
  SMTP client connection caching was introduced in 2.6.0: the SMTP session is held for the next task (in adaptive mode, only when there was a delay of only 5s between the two previous mails), but Postfix will terminate it if the next mail doesn't come soon enough, or if amavis doesn't terminate it itself (usually after 15s).
* Disable Nagle's algorithm (and SSLv3) in stunnel. (Guilhem Moulin, 2015-06-07, 1 file)
* wibble (Guilhem Moulin, 2015-06-07, 1 file)
* Tell Dovecot we have a remote IMAP proxy. (Guilhem Moulin, 2015-06-07, 1 file)
* Performance tuning in Dovecot's configuration. (Guilhem Moulin, 2015-06-07, 3 files)
* Don't install daemontools. (Guilhem Moulin, 2015-06-07, 1 file)
* Tell vim the underlying filetype of templates for syntax highlighting. (Guilhem Moulin, 2015-06-07, 10 files)
* Reload Postfix upon configuration change, but don't restart it. (Guilhem Moulin, 2015-06-07, 14 files)
  (Unless a new instance is created, or master.cf is modified.) Changing some variables, such as inet_protocols, requires a full restart, but most of the time it's overkill.
* Don't restart/reload Postfix upon change of a file based database. (Guilhem Moulin, 2015-06-07, 5 files)
  And don't restart or reload either upon change of pcre: files that are used by smtpd(8), cleanup(8) or local(8), following the suggestion from http://www.postfix.org/DATABASE_README.html#detect .
* Loopia's maximum length for TXT records is 255 chars. (Guilhem Moulin, 2015-06-07, 3 files)
  So unfortunately we can't fit a 2048-bit RSA key.
* wibble (Guilhem Moulin, 2015-06-07, 2 files)
* typo (Guilhem Moulin, 2015-06-07, 2 files)
* Install amavisd-new on the outgoing SMTP proxy. (Guilhem Moulin, 2015-06-07, 13 files)
  For DKIM signing and virus checking.
* More logcheck-database tweaks. (Guilhem Moulin, 2015-06-07, 2 files)
* Remove IPSec related files. (Guilhem Moulin, 2015-06-07, 5 files)
* Make the IMAP caching proxy listen on ::1. (Guilhem Moulin, 2015-06-07, 1 file)
* typo (Guilhem Moulin, 2015-06-07, 1 file)
* Don't auto-create home directories when adding system users. (Guilhem Moulin, 2015-06-07, 3 files)
  Unlike adduser(8), ansible's 'user' module copies skeletal configuration files even for system users (unless called with createhome=no).
* Whitelist our IPs against fail2ban. (Guilhem Moulin, 2015-06-07, 1 file)
  This is important as we don't want the IMAP server banning the webmail, for instance. (The fail2ban instance running next to the webmail should ban the attacker, but that running next to the IMAP server shouldn't ban legit users.)
* Use stunnel to secure the connection from the IMAP proxy to the IMAP server. (Guilhem Moulin, 2015-06-07, 6 files)
  The reason is that we don't want to rely on CAs to verify the certificate of our server. Dovecot currently doesn't offer a way to match said cert against a local copy or known fingerprint. stunnel does.