| Commit message (Collapse) | Author | Age | Files |
... | |
|
|
|
|
| |
Unlike adduser(8), ansible's 'user' module copies skeletal configuration
files even for system users (unless called with createhome=no).
|
|
|
|
|
|
|
| |
This is important as we don't want the IMAP server baning the webmail,
for instance. (The fail2ban instance running next to the webmail should
ban the attacker, but that running next to the IMAP server shouldn't ban
legit users.)
|
|
|
|
|
|
|
| |
The reason is that we don't want to rely on CAs to verify the
certificate of our server. Dovecot currently doesn't offer a way to
match said cert against a local copy or known fingerprint. stunnel
does.
|
| |
|
|
|
|
|
| |
For some reason giraff doesn't like IPSec. App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.
|
| |
|
|
|
|
|
|
|
| |
In 2.1.7 they are buggy, and make Dovecot crash (when connected through
Evolution for instance). They have improved a lot since, though:
http://hg.dovecot.org/dovecot-2.2/file/c55c660d6e9d/NEWS
|
|
|
|
|
|
| |
Sadly not doing so and keeping a table message ID -> username, like we
do for SASL authenticated users, doesn't seem trivial here. We could
encrypt the header, though.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In fact we want to only rewrite the envelope sender:
:/etc/postfix/main.cf
# Overwrite local FQDN envelope sender addresses
sender_canonical_classes = envelope_sender
propagate_unmatched_extensions =
sender_canonical_maps = cdb:$config_directory/sender_canonical
:/etc/postfix/sender_canonical
@elefant.fripost.org admin@fripost.org
However, when canonical(5) processes a mail sent vias sendmail(1), it
rewrites the envelope sender which seems to *later* be use as From:
header.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
This is required for dbox, see
http://wiki2.dovecot.org/MailboxFormat/dbox#Multi-dbox
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There seem to be multiple bugs with the version from wheezy-backports
(2.2.9-1~bpo70+1), and the client is killed on THREAD commands:
guilhem@elefant:~$ telnet localhost 143
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.
a LOGIN guilhem xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE NOTIFY] Logged in
b SELECT INBOX
* FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
* OK [PERMANENTFLAGS (\Answered \Flagged \Deleted \Seen \Draft \*)] Flags permitted.
* 8060 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 1302032711] UIDs valid
* OK [UIDNEXT 78905] Predicted next UID
* OK [NOMODSEQ] No permanent modsequences
b OK [READ-WRITE] Select completed (0.395 secs).
c THREAD REFERENCES UTF-8 ALL
Connection closed by foreign host.
:/var/log/syslog
Jun 27 21:58:01 elefant dovecot: imap(guilhem@fripost.org): Fatal: master: service(imap): child 24907 killed with signal 11 (core dumps disabled)
Jun 27 21:58:01 elefant kernel: [248570.057270] imap[24907]: segfault at 400 ip 00007f7651596e09 sp 00007fff6e267760 error 4 in libdovecot.so.0.0.0[7f765153a000+cc000]
Other (less scary) errors can be found in the syslog:
Jun 27 20:26:09 elefant dovecot: imap(xxxx@fripost.org): Error: file_dotlock_open() failed with file /home/imapproxy/fripost.org/xxxx/imapc/dovecot.list.index.log: No such file or directory
Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Error: imapc(imap.fripost.org:993): Command '11 APPEND "Sent" (\Seen) {2512485}' timed out, disconnecting
Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Error: imapc: COPY failed: Disconnected from server
Jun 27 21:30:10 elefant dovecot: imap(xxxx@fripost.org): Disconnected: IMAP session state is inconsistent, please relogin. in=2512632 out=969
This is infortunate as we cannot benefit from the 'fetch-headers'
imapc_features right now. However, the bugs (at least the segfault) seems to
be fixed as of 2.2.13-1, the version which can currently be found in testing.
Hopefully it'll be backported soon :-)
|
| |
|
| |
|
| |
|
|
|
|
|
| |
This ensures that Dovecot won't deliver messages if the disk hasn't been
mounted, for instance.
|
|
|
|
| |
So we set 'first_valid_uid' to 1, to accept any UID.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Interesting features include caching of mail headers (v2.2.8+) as well
as new IMAP capabilities.
|
|
|
|
|
|
| |
Recent versions have a whole bunch of bugfixes and nice new features:
http://trac.roundcube.net/wiki/Changelog
|
|
|
|
|
|
|
|
|
|
|
| |
Instead, generate a server certificate for each host (on the machine
itself). Then fetch all these certs locally, and copy them over to each
IPSec peer. That requires more certs to be stored on each machines (n
vs 2), but it can be done automatically, and is easier to deploy.
Note: When adding a new machine to the inventory, one needs to run the
playbook on that machine (to generate the cert and fetch it locally)
first, then on all other machines.
|
| |
|
|
|
|
| |
Also, always install contrib's intel-microcode on Intel CPUs.
|
| |
|
|
|
|
|
|
| |
E.g., ldap.fripost.org, ntp.fripost.org, etc. (Ideally the DNS zone
would be provisioned by ansible, too.) It's a bit unclear how to index
the subdomains (mx{1,2,3}, etc), though.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Which might be caused by slow LDAP lookups in transport_maps. Instead,
we alias each addresses for which we want a custom transport to a
dedicated "dummy" domain, and use a static (CDB) transport_maps to map
said domains to their transport; the receiver can then use canonical(8)
to restore the original envelope recipient. Since the alias resolution
is performed by cleanup(8), which can run in parallel with other
instances, it should decongestion bottlenecks under heavy loads.
So far only the MX:es have been decongestioned. The list manager and
the MDA should be treated as well.
|
| |
|
|
|
|
| |
(To be removed when the fix enters stable.)
|
|
|
|
|
| |
(Disable SSLv3 and extend STS' max age to 180 days.) See
https://www.ssllabs.com/ssltest/ .
|
|
|
|
|
| |
But not in the installer, as busybox's implementation of mktemp didn't
deprecate -t/-p.
|
|
|
|
| |
Most notably pipelining=True and sysctl_set=yes.
|
| |
|
| |
|
|
|
|
| |
Hence put the CSS and fonts under /usr/share/.
|
|
|
|
| |
That is, don't put a leading virtual_ or a trailing _maps in file names.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We introduce a limitation on the domain-aliases: they can't have
children (e.g., lists or users) any longer.
The whole alias resolution, including catch-alls and domain aliases, is
now done in 'virtual_alias_maps'. We stop the resolution by returning a
dummy alias A -> A for mailboxes, before trying the catch-all maps.
We're still using transport_maps for lists. If it turns out to be a
bottleneck due to the high-latency coming from LDAP maps, (and the fact
that there is a single qmgr(8) daemon), we could rewrite lists to a
dummy subdomain and use a static transport_maps instead:
virtual_alias_maps:
mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain
transport_maps:
mlmmj.localhost.localdomain mlmmj:
|
|
|
|
|
|
|
|
|
| |
Right now the list server cannot be hosted with a MX, due to bug 51:
http://mlmmj.org/bugs/bug.php?id=51
Web archive can be compiled with MHonArc, but the web server
configuration is not there yet.
|